Skip to content
Permalink
master
Go to file
 
 
Cannot retrieve contributors at this time
1124 lines (1049 sloc) 145 KB

List of verification and synthesis tools. Please clone, contribute and send pull requests. Minimal markdown knowledge needed to add links:

- [Tool name](link url) (license, coded in language): brief description (Institution/other maintainer)

Please list only Open Source/research tools, proprietary ones are not widely and unconditionally useful. Conditionally (sufficiently) free tools are welcome, e.g., some closed source tools, provided they remain free for educational/research use.

Would you like to suggest a/your tool for addition, but skip cloning/pull requests, please email jfilippidis@gmail.com.

To the extent possible under law, the authors have waived all copyright and related or neighboring rights to this text. You should have received a copy of the CC0 Public Domain Dedication along with this text. If not, see http://creativecommons.org/publicdomain/zero/1.0/.

Table of Contents

Verification with Model Checking

Closed Systems (Everything controlled)

Enumerative

  • SPIN (BSD-3, C): LTL model checking for closed systems in Promela (JPL/Caltech, Bell Labs)
    • modex (FUSC, C): C -> Promela: model extractor (JPL/Caltech, Bell Labs)
    • spin: Debian Linux package, apt install spin
    • spinja (Apache-2.0, Java): Promela model checker (Univ. of Twente, TNO)
      • SpinS (Apache-2.0, Java): an LTSmin language frontend for Promela (Univ. of Twente)
    • HSF-SPIN: SPIN directed model checking extension (IMT Lucca)
    • Promela Vim Syntax (?, VimL): highlighting plugin
    • Promela Vim Indent (?, VimL)
    • Promela Emacs major mode (?, Emacs LISP)
    • Promela for Sublime Text 3 (MIT, several): Sublime Text 3 syntax highlighting of Promela
    • Promela -> NuSMV (?, C): translator (Peking Univ.)
    • Promela -> Timed automata with discrete data: translator, part of Verics
    • Promela -> C (OCaml): translator (Uppsala Univ.)
    • Promela -> C: translator (Univ. Stuttgart)
    • Promela -> Java (?, Java): translator (TU Delft)
    • LLVM -> Promela (C++, MIT): LLVM-to-Promela Compiler
    • jSpin (GPLv2, Java): GUI for SPIN and Erigone (The Weizmann Institute of Science)
    • Erigone (GPLv2, Ada/Java): partial SPIN re-implementation for educational purposes (The Weizmann Institute of Science)
    • EpiSpin: Eclipse plug-in for editing & verifying Promela using Spin (TU Delft)
    • promela parser (BSD-3, Python): parser for Promela using PLY (Python lex-yacc) (Caltech)
    • language-promela (MIT, CoffeeScript): Promela support in Atom
    • Eclipse Pug-In for SPIN (?): (Univ. Maribor, TU Braunschweigin)
    • st2msc (?, Java): SPIN trail -> Message Sequence Chart (Univ. Maribor)
    • Real-Time SPIN: quantitative dense time SPIN extension using Real-Time Promela (VERIMAG/CNRS)
    • nano-Promela: tools for nano-Promela language
    • v-Promela: visual Promela (Albert-Ludwigs-Univ. Freiburg)
    • promela-metamodel: used to generate Promela from BPEL
    • Promela library (BSD-3, OCaml): types for Promela expressions, statements, procs and models as OCaml datastructures, with export to Promela for model checking with SPIN (TU Munchen)
    • LWAASpin (SPIN's license): SPIN modified to use linear weak alternating automata instead of Buchi automata (Univ. Munchen)
    • Hugo/RT (? src by email): XMI | ArgoUML | UTE -> Promela | UPPAAL | KIV | Java | SystemC | Smile machines | UTE model | dot (state machines | interactions) and SPIN | UPPAAL trail -> UML run: UML model translator for model checking, theorem proving, code generation (Univ. Munchen, LORIA/INRIA Nancy)
    • SCTranslator (?, XSL): UML XMI2 -> Promela (Saint-Petersburg State Polytechnic University)
    • Pi2Promela (?, C/Java): compiler from pi-calculus models to Promela, includes GUI (Chinese Acad. Sciences)
    • pspin (?, Python/C): Parallel PROMELA model checker
    • prob-Promela: Promela Compiler / Interpreter for ProB (Dusseldorf Univ.)
    • Promela parser/pretty printer (?, Haskell)
    • sudoku-Promela (EUPL, Shell): mini-project about generating Sudoku grids in Promela
    • VMSSG: Model checker state space visualization (Ludwig-Maximilians Univ. Munchen)
    • promela-metamodel (GPL-3)
    • 3Spin (FUSC, C): modified version of the Spin model checker version 5.1.7 with advances in the efficiency, configurability, and usability of probabilistic state storage (Northeastern Univ.)
    • POR (FUSC, C): partial-order reduction package for SPIN (Univ. de Liege)
    • ARINC tester (?, Java): GUI for SPIN to verify application that contain API calls compliant to ARINC 653 (UMalaga)
    • SpinRCP (?, Java): An Eclipse-based IDE for Spin. (Univ. of Maribor)
    • DTSpin (FUSC, C): extension of Spin with discrete time, is intended for verification of concurrent systems that depend on timing parameters, and uses the specification language DTPromela (Eindhoven Univ. of Technology)
      • Dtp2dtp (?, ?): translator from discrete-time Promela to discrete-time Promela, for proving an embedding of nondeterministic transitions that automatically closes open systems
    • CPOR-Spin (FUSC, C): extension of Spin which exploits the hierarchy of the verified system for more efficient verification, using Clustered Partial Order Reduction (CPOR) (Eindhoven Univ. of Technology)
    • MPI-Spin (GPLv3, C): extension of Spin that adds to Promela functions, types, and constants for modeling parallel programs that use the Message Passing Interface (Univ. of Delaware)
  • TLA+: The Temporal Logic of Actions for specifying systems (Microsoft Research)
  • LTSmin (BSD-3): model checking, LTS minimization, interface to other tools (Univ. Twente)
  • MoonWalker (Apache-2, C#): model check CIL bytecode programs (Mono .NET platform apps), MoonWalker src(Univ. Twente)
  • DIVINE-2 (BSD-3): Parallel LTL model checking, DIVINE (Masaryk Univ.)
  • PRISM (GPLv2, Java/C): Probabilistic Model Checker: discrete/continuous-time Markov chains, timed automata, etc. (Univ. Birmingham, Univ. Oxford)
  • STORM (GPL-3, C++): Probabilistic model checker: Markov chains, MDPs, Markov automata, SMPT, (MI)LP, LP, Bellman, games, parameter synthesis, discrete-time MDPs
  • ePMC (GPLv3, Java/C): an extendible probabilistic model checker, reasons about continuous- anhd discrete-time Markov chains, Markov decision processes, stochastic multi-player games, probabilistic parity games, the logics PCTL, PLTL, PCTL*, with input in formats PRISM and JANI, is successor of the model checker IscasMC (Institute of Software Chinese Academy of Sciences)
  • SPOT (GPL, C++/Python): object-oriented model checking library using TGBA
  • JPF (NOSA-1.3): Java Pathfinder: Java model checking & extensions (NASA Ames)
  • HELENA (GPL-2): high-level Petri nets (Paris 13 Univ.)
  • StEAM (C++ ?): C++ model checker (deadlocks, segmentation faults, out of range variables and non-terminating loops) (LS5 Univ. Dortmund)
  • Tulip: LTL model checker of interval Markov chains (recursive also) (Univ. Oxford)
  • PROD (GPL): efficient reachability analysis (Helsinki Univ. Tech.)
  • KBDD: BDD-based satisfiability solver for modal logic K
  • neco (LGPL, Python/Cython): Petri Net compiler & LTL model checker (Univ. d'Evry-Val d'Essonne, Univ. Evry)
  • PEP (GPL-2): modelling and verification framework for parallel systems, interfaces to SPIN, SMV, INA, FC2Tools (SDL, Petri nets)
  • cunf (GPL-3): Toolset for unfolding-based verification of Petri nets extended with read arcs (ENS Cachan)
  • daj (GPLv2, Java): interactive, visual aid for studying execution of distributed algorithms (The Weizmann Institute of Science)
  • FC2Tools & Autograph: implementation of process algebra theory, verification by compositional reductions and abstraction, explicit/implicit BDD, FC2 file exchange format (INRIA, Ecole des Mines/CMA)
  • Murphi, original Murphi (BSD-like, C++): enumerative, own input language (Unity style: guard -> action), e.g. used by Microprocessor industry to verify cache coherence protocols (Univ. Utah, Stanford)
    • Eddy Murphi: parallel version of Murphi (Univ. Utah)
    • CMurphy (Univ. Roma)
    • CMurphi (L'Aquila Univ.)
    • PReach (BSD, Erlang): Distributed Explicit State Model Checker based on Erlang and Murphi (Univ. British Columbia, Intel)
    • MPI Murphi port (Univ. Utah)
  • APMC (FUSC, C/Java): approximate distributed for fully probabilistic systems, PCTL, PLTL (Univ. de Caen Basse-Normandie)
  • Vaucanson (GNU, C++): finite state machine manipulation platform, lib of tools on top (EPITA)
  • Genealogy of Emptiness-Checking Algorithms (EPITA)
  • NIPS (GNU, C/Perl): A virtual machine for state space generation (RWTH Aachen)
  • VMSSG Statespace Converter (GPL, Java): process, analyze, display statespace graphs produced by modified VMSSG virtual machine, state space gallery, (Univ. Munchen)
  • Synet (OCaml): Synthesizer of distributable bounded Petri nets from Finite Automata (INRIA/IRISA)
  • Motion Grammar Kit (BSD-2, Common Lisp/C): Automata manipulation, supervisory control, C code generation (Georgia Tech.)
  • PAT (?, C#): Process Analysis Toolkit, a model checker, with GUI, model editor, simulator, POR, symmetry reduction (Nat. Univ. Singapore)
  • NorMC (BSD-3, Haskell): Norm compliance temporal logic model checker (Univ. Bergen)
  • Copper (FUSC, ?): MC for concurrent message-passing C programs (CMU)
  • Magic (?): Check C language conformance between component specifications and their implementations using counterexample guided abstraction refinement, concurrent and compositional (CMU, Univ. Wisconsin, Univ. Oxford, TU Vienna, Univ. Lugano)
  • Bogor
  • BLAST (Apache, OCaml/C): MC for C programs using counterexample-driven automatic abstraction refinement (UC Berkeley, EPFL, UCSD, UCLA, Simon Fraser Univ.)
  • Scoot (?): Static analysis of SystemC, model extraction to pass to SatAbs | CBMC, C++ re-synthesis (ETH)
  • VCEGAR (?): Check safety (assertions) of Verilog, using word level predicate abstraction and refinement (CMU, Oxford Univ.)
  • GMC (LGPL, C/C++): MC for C/C++ taking GIMPLE as input (Charles Univ. Prague)
  • AIR (?): Safety MC of Assembly using predicate abstraction and counterexample guided abstraction refinement (CMU)
  • FShell (Apache): Interactive & Scripting testing environment for C programs, frontend for software model checkers, dispatches queries to analysis tools (TU Wien)
  • CPA/Tiger (?): Predicate-abstraction based test input generator for C programs, uses CPAchecker (TU Wien)
  • CPAchecker (Apache-2.0, SWIG/Java/C): Configurable software verification (Univ. Passau)
  • crest (BSD-3): Automatic test generation tool for C, inserts instrumentation code and solves the generated symbolic constraints using Yices (UC Berkeley)
    • ConCREST (?): Concolic testing tool for multi-threaded C programs (Univ. Toronto, TU Wien)
  • ByMC (?, OCaml): Byzantine MC for parameterized model checking of (threshold-guarded) fault-tolerant distributed algorithms in Promela extension using SPIN, Yices (TU Wien)
  • iLTL (BSD): MC for iLTL, which specifies temporal changes of expected rewards of a Markov process (UIUC)
  • Copilot (BSD-3, Haskell): A (Haskell DSL) stream language for generating hard real-time C code (NASA, galois Inc., National Inst. Aerospace, Ecole Normale Superieure, TU Ilmenau, Univ. Copenhagen)
  • mCRL2 (Boost Software License, C++): Formal specification language with an associated toolset for modelling, validation and verification of concurrent systems and protocols: linearisation, simulation, state-space exploration, visualization and tools to optimise and analyse specifications, μ-calculus (TU Eindhoven, LaQuSo, CWI, Univ. Twente)
  • Mobility Workbench (?, SML): π-calculus MC for mobile concurrent systems (Uppsala Univ.)
  • MMC (?, ?): π-calculus and alternation-free μ-calculus Local MC, implemented using the XSB tabled logic programming system (Stony Brook Univ.)
  • XMC (?, ?): Local MC for processes specified in XL, a version of value-passing CCS, and the alternation-free modal μ-calculus, implemented using the XSB tabled logic programming system (Stony Brook Univ.)
  • MMCsp (?, C/Java): Compiler from simple probabilistic π-calculus to PRISM models, built on XSB (Ecole Polytechnique, Oxford, INRIA)
  • ASTG (?, OCaml/C): TLCE-based symbolic test generator (Chinese Acad. Sciences)
  • LMNtal, LaViT (BSD, C/C++/Java): MC and graphical tools LMNTal language based on hierarchical graph rewriting (Waseda Univ.)
  • Finite Automata Model Checker (CCAS-3, C++)
  • v-n (GPL-2, Java): NDFA visualization and (random or guided) simulation, find and display accepting computations (The Weizmann Institute of Science)
  • py-powerset-construction (GPL-3, Python): convert NFA-\lambda to DFA, using dot as input
  • Zing (Non-com, C#): State exploration of concurrent software systems (Microsoft research)
  • [SeaHorn] (https://github.com/seahorn/seahorn) (BSD, C): an LLVM based verification framework
  • SCRAM(GPL-3, C++/Python): Probabilistic risk analysis (static fault trees, common cause failure models, Monte Carlo) with input from and output to Open-PSA model exchange format files
  • RISCAL (GPL-3, Java): Specification language and software system for describing mathematical algorithms, and validating their correctness by execution/evaluation (JKU/RISC)
  • Properties of State Spaces
  • symmetrytools (?, Java): Tools for symmetry reduction in model checking (Univ. of Glasgow)
  • Mscgen (GPLv2, C): Message Sequence Chart Renderer (wiki entry)
    • mscgen-preview (GPLv3, CoffeeScript/JavaScript): Write and preview sequence charts with MscGen and its brethren with ctrl-shift-G
    • sphinxcontrib-mscgen (Public Domain, Python): Allow mscgen-formatted Message Sequence Chart (MSC) graphs to be included in Sphinx-generated documents inline
  • TTool (CeCILL, Java/C++): toolkit dedicated to the edition of UML and SysML diagrams, and to the simulation and formal verification (safety, security, performance) of those diagrams
  • Gadara (?, Java): discrete-control synthesis from Petri nets (Univ. of Michigan):
  • PROD (GPLv2, C): reachability analyzer for Pr/T-nets with: stubborn sets, sleep sets, on-the-fly tester based verification, on-the-fly LTL model checking, CTL model checking (Helsinki Univ. of Technology)

Symbolic

  • Apalache (Apache-2, Scala): symbolic model checker for TLA+
  • SMV (?): CTL symbolic model checker (CMU)
    • Cadence SMV (FUSC): CMU SMV extension: backward compatible more expressive mode description language, synthesizable VERILOG, compositional verification, CTL | LTL | FSA | embedded assertions, GUI (Cadence)
  • NuSMV (LGPL): Symbolic model checking (FBK, CMU, Univ. Genoa, Univ. Trento)
    • PyNuSMV (LGPL-2, Python): python interface to NuSMV (UCLouvain)
    • SMView (BSD, JavaScript/Python): web interface to NuSMV (TU Eindhoven)
    • gNuSMV (LGPL, ?): GUI for NuSMV v2 (FBK)
    • nusmv-tools: two metamodels based on Eclipse modeling framework, Eclipse editor, model analyzer, Java API to NuSMV
    • nuseen: Eclipse-based environment for NuSMV
  • nuXmv: extends NuSMV using state-of-the-art SAT-based algorithms and MathSAT5 (Fondazione Bruno Kessler)
  • [abc] (https://www.eecs.berkeley.edu/~alanmi/abc/abc.htm) (FOSS, C): System for Sequential Logic Synthesis and Formal Verification: A growing software system for synthesis and verification of binary sequential logic circuits appearing in synchronous hardware designs; ABC combines scalable logic optimization based on And-Inverter Graphs (AIGs), optimal-delay DAG-based technology mapping for look-up tables and standard cells, and innovative algorithms for sequential synthesis and verification (UC Berkeley)
  • Mocha, also here (BSD, Java | C/Tcl/Tk): Interactive environment for system specification (reactive modules language), execution (randomized, guided, mixed), requirement specification (Alternating Temporal Logic, superset of CTL), ATL MC, implementation verification (EPFL, UC Berkeley, UPenn, SUNYSB)
  • CBMC (BSD-4, SWIG/C++/C): Bounded model checker for ANSI-C, C++, SystemC, Scoot, uses Boolector or MathSAT or Z3 (CMU, Oxford Univ.)
    • Eclipse plugin (EPL, Java): Eclipse plugin for CBMC
    • Visual Studio plugin
    • JBMC (BSD-4, C++): bounded model checking tool for verifying Java bytecode
    • Symex (BSD-4, C++): symbolic execution tool for C and C++ programs, based on CBMC. It supports C89, C99, most of C11 and most compiler extensions provided by gcc and Visual Studio (CMU, Oxford Univ.)
    • EBMC and HW-CBMC (BSD-3, C++): bounded model checker for the Verilog language (and other HW specification languages), based on CBMC (CMU, Oxford Univ.)
    • 2LS (BSD-4, C++): Static Analyzer and Verifier for C programs, built upon the CPROVER framework (CMU, Oxford Univ.)
    • k-induction (MIT, Python): enables any C bounded model checker to be employed for k-induction over one-loop embedded-style C programs. Tested with CBMC.
    • ESBMC (several, C++): context-bounded model checker based on a satisfiability modulo theories (SMT) solver for the verification of single- and multi-threaded C/C++ programs, with Python and C++ APIs, and based on CBMC (Federal Univ. of Amazonas, Univ. of Bristol, Univ. of Manchester, Univ. of Stellenbosch, and Univ. of Southampton)
  • EBMC (BSD-5): Bounded Model Checker for hardware designs, inputs: Netlists/ISCAS89 | Verilog | SMV, exports: DIMACS CNF | SMT-LIB (CMU, ETHZ, Oxford Univ.)
  • jStar (BSD-3, OCaml): (Queen Mary Univ. London, Cambridge Univ., ETH)
  • coreStar (BSD-3, OCaml): symbolic execution engine for analysis and verification with separation logic (Queen Mary Univ. London, Univ. Cambridge)
  • JSCert JuS: Certified JavaScript (Imperial College, INRIA)
    • jabstr (LGPL, Ocaml): jStar plugin for numerical abstractions
  • LStar (BSD-3, OCaml): automatic prover for programs written in bitcode using separation logic (UCL)
  • VIS: logic circuit simulation, circuit verification, fair CTL model checking, logic synthesis via hierarchy restructuring [UC Berkeley, Univ. Colorado at Boulder, Univ. Texas at Austin]
  • VerICS (FUSC, Java): SAT verification of timed & multi-agent systems modeled by networks of communicating automata (Polish Academy of Sciences)
  • Augur 2 (GPL-2, C++): verification of systems described by (attributed) graph transformations using approximated unfoldings (Univ. Duisburg-Essen)
  • Mercury: Parallel Local Sub-CTL Model Checking [LAAS-CNRS]
  • Boogie (Ms-PL, F#/C#): Intermediate verification language, intended as a layer on which to build program verifiers for other languages (Microsoft Research)
    • SymDiff: Language-independent differential program analysis (C, Boogie front-ends available) (Microsoft Research)
  • VCC (MIT, C#/F#/C/Perl): static verifier for concurrent C programs (Microsoft Research)
  • HAVOC (?): for C in the presence of pointer manipulations, unsafe casts and dynamic memory allocation (Microsoft Research)
  • Dafny (MIT, C#): imperative object-based language with built-in specification constructs and static program verifier for functional correctness, try it online (Microsoft Research)
    • vim plugin (MS-PL, Vim script): Vim plugin for Dafny, with .dfy file extension, syntax highlighting, syntax checking
    • vim-dafny (BSD-3, Vim script): Dafny language plugin for vim, based on the previous tool
    • sublime Dafny: Sublime Text 2 plugin for Dafny. Provides verifing and syntax highlighting (Imperial College London)
    • Dafny VSCode (MIT, TypeScript): infrastructure necessary to support Dafny for Visual Studio Code
    • eclipse-dafny (GPLv3, Java): enables Dafny language support in Eclipse
    • spacemacs-boogie-friends (GPLv3, Emacs Lisp): Spacemacs layer for working with Dafny, Boogie, and Z3
    • DIVE (GPLv3, Java): graphical proof front end for programs written and specified in Dafny that supports different types of user guidance for proofs
    • DafnyR (MIT, C#): experimental tool for sequential program specification and verification. Variant of Dafny inspired by region logic. Built on a fine-grained region logic, allows one to use several styles of specifying the frame properties in sequential programs: dynamic frames, region logic and separation logic.
    • dfydoc (?, Scala): documentation generator for Dafny
    • python-to-dafny-converter (GPLv3, Python): translates Python code to Dafny (UC Berkeley)
    • dafny-to-c (?, Shell): basic sed-based translator from Dafny to C
    • Dione (NCSA, Python/Dafny): protocol verification system built with Dafny for Input/Output Automata (UIUC)
  • Spec# (FUSC, C#): Object-oriented .NET programming language with design-by-contract features for method pre-/postconditions & object invariants, non-null type system (Microsoft Research)
  • Whiley (BSD-3, Java/C/): Object-oriented and functional programming language with static checking, including: divide-by-zero, array out-of-bounds and null dereference errors (Victoria Univ. of Wellington)
  • Why3 (GPl-2, OCaml): platform for deductive program verification in WhyML, uses external theorem provers, extracts OCaml from WhyML (INRIA, Univ. Paris Sud, CNRS, LRI)
    • EasyCrypt (?, OCaml): toolset for reasoning about relational properties of probabilistic computations with adversarial code (IMDEA Software Institute, Microsoft Research)
    • GNATprove (GPL): Ada 2012 prover
    • Krakatoa: Java verification
    • BWare: discharging proof obligations generated by Atelier B using multiple provers
    • MiniMaple (GPL-3, Java): Software for formal specification and verification of Maple programs by translation to Why3ML (JKU)
  • KeY (GPL, Java): Formal verifier of HML | OCL specs for JAVA, via dynamic logic thms (Karlsruhe Inst. Tech., TU Darmstadt, Chalmers Univ. Tech.)
    • KeY-Hoare (GPL, Java): Hoare calculus with updates, extension of KeY (KIT, TUD, Chalmers)
    • KeYmaera (GPL, Java): Theorem prover for hybrid systems: deductive, real algebraic, and computer algebraic prover technologies (CMU)
    • KeYmaeraD, its github (BSD-3, Scala): Distributed theorem prover for distributed hybrid systems using Quantified differential dynamic logic (QdL) (CMU)
    • SPHINX (?): Eclipse plugin for textual & graphical modeling editors to define cyber-physical system structure, discrete/continuous dynamics (CMU)
  • j-algo (GPL, Java): Algorithm visualization tool (TU Dresden)
  • Verus (?): Language for real-time systems, CTL symbolic MC, compilation into state-transition graph (CMU)
  • UCLID (BSD-like, Moscow ML): Model & verify nfinite-state systems with variables of integer, Boolean, function, and array types, term-level bounded model checking, correspondence checking, deductive verification, and predicate abstraction-based verification, and stand-alone decision procedure for the theories of uninterpreted functions and equality, integer linear arithmetic, and arrays (CMU, UC Berkeley)
  • CBMC-GC (?): C compiler in the context of Secure Two-party Computation (STC) (TU Wien, TU Darmstadt, CASED, CrypTool Project)
  • Chic (BSD, Java): Modular verifier for behavioral compatibility checking of hardware and software systems (UC Berkeley)
  • BLAST (Apache, OCaml): software MC for C using Lazy abstraction (UC Berkeley, EPFL)
  • CRefine (?, Java): Verifies Circus specs purely by applying various well-proved refinement laws, requires veriT (Univ. York)
  • UTP and Cirus Theories in ProofPower-Z (?, ?): embedding the theories (relations, designs, reactive processes) of UTP in the theorem prover ProofPower-Z, formal proofs can be mechanically constructed (Univ. York)
  • Circus Type Checker (? , Java): Syntax type checker for Circus specifications (Univ. York, UFPCI)
  • JCircus (?, Java): Automatically translate Circus programs into Java, for the purpose of animation and simulation (Univ. York)
  • ClawCircus (?, Java): Java-based tools primarily for generating Circus models from Simulink (Univ. York)
  • Circus Parser (GPL-2, Java): Included in Community Z tools (Univ. York)
  • Rodin (EPL, Eclipse): Eclipse-based platform for refinement and mathematical proof of Event-B (Univ. Southampton)
  • CheckFence (BSD, OCaml): SAT-based analysis of C code implementing concurrent data types (UPenn)
  • Daikon (MIT, Java): Dynamic invariant detection for C/C++, Eiffel, IOA, Perl (MIT)
  • Tip (?, C++/C): (Temporal Induction Prover) SAT based model checker (Chalmers Univ.)
  • alloy: Language inspired by Z spec language and Tarski's relational calculus for implicitly describing structures and tool for exploring and generating counterexamples (MIT)
  • Kodkod (MIT, Java): SAT-based constraint solver for first order logic with relations, transitive closure, bit-vector arithmetic, and partial models, with finite model finder and minimal unsatisfiable core extractor (MIT)
  • Rebeca (GPLv2, Java): Reactive Objects Language is an actor-based language with a formal foundation, designed in an effort to bridge the gap between formal verification approaches and real applications, with a set of tools
  • IVy (MIT, Python): A tool for specifying, modeling, implementing and verifying protocols (MSR, Tel Aviv Univ., UCB)
  • mypyvy (MIT, Python): language for symbolic transition systems, inspired by Ivy, and tool that takes an input file describing a symbolic transition system and can perform various tasks such as inductive invariant checking and inference (Univ. of Washington)
  • PyCSP (MIT, Python): communicating sequential processes in Python (Aarhus Univ.)
  • FDR2: Refinement checker for communicating sequential processes (Oxford Univ.)
  • KRATOS: MC for sequential and cooperative multi-threaded C programs, verifying safety properties (Bruno Kessler Found.)
  • Mr. Waffles (GPL-2, Python): bare-bones CTL MC (Nancy Univ., LHS/LORIA, ESEC R&D)
  • Peirce-Logic (BSD-3, JS): Existential Graph proof system (RPI)
  • VSE: verification support environment (DFKI, IST, Univ. Ulm, DASA)
    • VSE II: Enhancing VSE with concurrency, structural deduction, and an integrated theorem prover
  • Leon (Scala): automated synthesis and verification of Scala programs (EPFL)
  • Eldarica (Java): predicate abstraction engine, generates Abstract Reachability Tree (ART) using lazy abstraction (EPFL)
    • Eldarica-P (?, Java): reachability checker for unbounded Petri nets (EPFL)
  • Bug-Assist (?): error localization in ANSI-C solving MAX-SAT (Max Planck Inst.)
  • CADP (FUSC): compilers, equivalence checking tools, model-checkers for temporal logics & μ-calculus, verifications: enumerative, on-the-fly, symbolic using BDD, etc. (INRIA)
  • MONA (GPL-2, C/C++): Decision procedure for monadic second-order logic on finite strings and trees (Aarhus Univ.)
  • Boom (BSD): Model checking of Boolean programs (ETHZ, Oxford Univ.)
  • MCTK (LGPL, C): model checker for epistemic logic as modification of CUDD and NuSMV (Griffith Univ.)
  • SMCDEL (GPL-2, Haskell): model checker for Dynamic Epistemic Logic. (ILLC, University of Amsterdam)
  • SymDIVINE (MIT, C++): a tool for control explicit/data symbolic bit-precise LTL verification of parallel C/C++ programs using LLVM bitcode as intermediate representation Masaryk Univ.
  • IC3 (MIT, C++): IC3 reference implementation (Stanford)
  • Overture (GPL-3.0, Java): An IDE for developing and analyzing VDM models.
  • Smallfoot (QPL, OCaml): Automatic verification tool that checks separation logic specifications of sequential and concurrent programs that manipulate recursive dynamically-allocated (linked) data structures.
  • Cave (BSD-style, OCaml): automated verification tool for proving memory safety and linearizability (that is, atomicity and functional correctness) of concurrent data structures
  • sally (GPLv2, C++): Model checker for infinite-state systems described as transition systems, includes BMC, k-induction, IC3 (SRI/CSL)
  • Sviss (?, C++): Symbolic CTL model checker with symmetry reduction, using CUDD 2.4.1 (ETHZ, UT Austin, Univ. of Oxford)
  • Symbolic Java Pathfinder (Apache-2.0, Java): symbolic execution for Java bytecode (NASA, Univ. of Nebraska)
  • ProVerif (GPLv2, OCaml): automatic cryptographic protocol verifier, in the Dolev-Yao model. Based on a representation of the protocol by Horn clauses. It can handle many different cryptographic primitives, including shared- and public-key cryptography (encryption and signatures), hash functions, and Diffie-Hellman key agreements, specified both as rewrite rules or as equations. Can prove secrecy, authentication, strong secrecy, equivalences between processes that differ only by terms (Inria, École Polytechnique)
    • StateVerif (GPLv2, OCaml): extends the ProVerif process calculus with constructs for explicit state, in order to be able to reason about protocols that manipulate global state
    • ProVerif-ATP (MIT and GPLv2, OCaml): Combining ProVerif and Automated Theorem Provers for Security Protocol Verification
  • CryptoVerif (CeCILL-B, OCaml): automatic protocol prover sound in the computational model. It can prove secrecy, correspondences, which include in particular authentication. It can handle in particular symmetric encryption, message authentication codes, public-key encryption, signatures, hash functions. (Inria)
    • cryptoverif-completion (?, Configure/Makefile): Using the readline wrapper rlwrap it introduces line editing, history and also some very basic completion support to the interactive mode in CryptoVerif without the need to modify CryptoVerif itself.
    • CyrptoVerif fork (CeCILL-B, OCaml): Python implementations for CryptoVerif 1.23
    • Cyrptoverif fork Python library (MIT and CeCILL-B, Python): contains the supporting library for the CryptoVerif Python implementations fork
  • FS2PV (FUSC, F#/OCaml): verification tool that compiles cryptographic-protocol implementations in a first-order subset of F# to a formal pi-calculus model. This pi-calculus model then can be analyzed using ProVerif to prove the desired security properties or to find security flaws. (Microsoft Research)
  • TulaFale: specification language for writing machine-checkable descriptions of SOAP-based security protocols and their properties, based on the pi calculus plus XML syntax, logical predicates, and correspondence assertions. The tool compiles TulaFale into the applied pi calculus, and then runs Blanchet's resolution-based protocol verifier. (Microsoft Research)
  • sqifc (?, C/C++): symbolic quantitative information flow analysis for C
  • QILURA (GPLv3, Java): quantifying information leaks using reliability analysis, using Symbolic PathFinder, z3, Omega, Latte
  • KITTeL/KoAT (Apache-2.0, F*/OCaml):
    • KITTeL: automatic termination prover for integer transition systems and imperative programs written in a fragment of Simple
    • KoAT: automatic complexity analyzer taking the same kinds of inputs as KITTeL
  • llvm2KITTeL (NCSA, C++): converter from LLVM's intermediate representation into a format that can be handled by the automatic termination prover KITTeL (UIUC)
  • TVLA (FUSC, Java): language for expressing concrete semantics, automatic generation of abstract interpreters from concrete semantics, tunable abstractions and tunable transformers (Tel Aviv Univ.)
  • SAFE (EPL, Java): Scalable And Flexible Error detection and verification of Java programs with respect to a set of specifications, applying static program analysis (Tel Aviv Univ.)
  • Tools:
    • boundsmodels (GPLv2, C++): LTL-X model checker for 1-safe Petri nets, which generates logic programs with stable model semantics from the Petri nets. It supports step and interleaving semantics. (Helsinki Univ. of Technology)
    • punroll (GPLv2, C++): bounded reachability checker which generates constrained Boolean circuits from 1-bounded Petri nets. It supports process, step, and interleaving semantics. (Helsinki Univ. of Technology)
    • unfsmodels (GPLv2, C++): LTL-X model checker with net unfoldings (Helsinki Univ. of Technology)
    • mcsmodels (GPLv2, C++): deadlock and reachability checker using finite complete prefixes generated by the PEP tool from 1-bounded Petri nets. It uses the smodels constraint-based logic programming system as its computational engine. (Helsinki Univ. of Technology)
      • dlsmodels (GPLv2, C++): older version of mcsmodels limited to deadlock checking only (Helsinki Univ. of Technology)
  • Smodels (GPLv2, C++): implementation of the stable model semantics for logic programs (Helsinki Univ. of Technology)
  • TASS (GPLv3, C/Java): tools for the formal verification of programs used in computational science, including message-passing-based parallel programs. It uses symbolic execution and model checking techniques to verify a number of standard safety properties (such as absence of deadlocks and out-of-bound references), and can establish that two programs are functionally equivalent. (Univ. of Delaware)

logic -> automata & automata tools

LTL -> *BA

  • ltl2ba: LTL -> BA (ENS de Cachan)
  • LTL -> NBA (Python)
  • lbtt (GPL): tool for testing programs translating LTL -> BA
  • Wring (Perl): LTL -> GBA (TU Graz)
  • Temporal Massage Parlor: Optimized Translator of an Extended Linear Temporal Logic into Büchi automata and Promela (Bell Labs)
  • LBT: LTL-> BA
  • ltl2tgba: LTL or PSL-> Transition-based GBA | BA (part of SPOT)
  • LTL2AUT (C++): LTL-> BA
  • DBA Minimizer (FUSC, C++): uses external SAT solver for DBA minimization
  • Wring (Perl): translate LTL formulae to generalized Buechi automata (TU Graz)
  • GOAL: graphical interactive tool for defining and manipulating Büchi automata and temporal logic formulae (NTU)
  • LTL -> Buchi Genealogy (EPITA)
  • LTSA (?, Java): Labelled Transition System Analyzer (Imperial College London)
    • OLTSA: ontology-based LTSA extension (INRIA)
  • WDBA (BSD, OCaml): Reads safety property BA and negation BA as SPIN never claims -> outputs weak deterministic BA (ETHZ)
  • psl2ba (BSD-3, OCaml/uses CUDD): Translator from Property Specification Language (PSL) or LTL -> BA for SMV or SPIN (ETHZ)
  • rltl2ba (BSD, OCaml/C++/uses psl2ba, CUDD): Translator from Regular LTL (RLTL) -> BA (IMDEA)
  • aalta: LTL -> BA using obligation sets (East China Normal Univ.)

LTL -> DRA

other

  • dk.brics.automaton: DFA/NFA implementation with UTF16 alphabet & support for (&non-) standard regexp
  • FSA function library (MATLAB): doc here (ISR-Lisbon)
  • Hessen (?, C++): Automata Library (TU Wien)
  • FSME, FSMC, FSMD (GPL-2, Qt): FSM editor, compiler, debugger for drawing, exports: XML | C++ | Python
  • Kermeta (EPL): Metamodel programming environment: editor, OCL, compiler to Java | OSGI, kermeta <-> ecore | XMI (IRISA)
  • Papyrus (EPL): Graphical UML2 modeling in Eclipse (CEA LIST)
  • Topcased (EPL): Graphical editors for: Ecore, UML, SAM, AADL, SysML, and doc generator, model transformations (INRIA)
  • MARTE: UML extension for model-driven development of real-time and embedded systems (OMG)
  • timesquare (EPL): Model development kit as Eclipse plugings based on formal Clock Constraint Specification Language (CCSL) to manipulate logical time (INRIA)
  • libalf (LGPL-3, C++/C/Java): Learning finite-state automata: DFA: Angluin's L*, L* (adding counter-examples to columns), Kearns / Vazirani, Rivest / Schapire, Regular positive negative inference (RPNI), Biermann & Feldman's algorithm (using SAT-solving), and NFA: NL*, DeLeTe2, Biermann & Feldman's (RWTH Aachen Univ., ENS Cachan, TU Munchen)
    • AMoRE (GPL-2, C/Java): Automata, Monoids, and Regular Expressions (RWTH Aaachen Univ., Univ. Kiel)
    • [libmVCA]
    • [liblangen]
    • [finite automata tool]
  • APHMIN (?, ?): Tools to generate, manipulate, and minimize acyclic phase-type representations (Saarland Univ.)
  • FlowSim (GPL-3, ?): Measure resources needed to find maximal strong simulation relation for a model under different optimizations (Saarland Univ.)
  • fc2symbmin: Finite State Mealy Machine analyzer (INRIA)
  • PyFMI (LGPL-3, Python): Load and interact with Functional Mock-Up Units (FMU)
  • FMU SDK (?, C): FMU SDK (Qtronic)
  • hoaf (?, text): Text file format for omega-automata (Masaryk Univ., EPITA, IST Austria, TU Dresden)
  • JFLAP: experiment with NFA, NPA, multi-tape Turing machines
  • ltlmp_sat (?, Python): LTL mean-payoff satisfiability checker
  • LtlSharp (MIT, C#): Library for parsing and manipulating LTL formulae (U Catholique Louvain)
  • safety (?, C++): tool to translate co-safety linear temporal logic formulas into finite automata
  • RABIT and Reduce (?, Java):
    • RABIT (LGPL, Java): checks language inclusion between Buchi automata and Nondeterministic Finite Automata (NFA), and thus also language equivalence and language universality, using generalized simulation relations, and the Ramsey method for finding counterexamples.
    • Reduce: minimizes Buchi automata, and NFA
    • BA inclusion testing (?, Java): Ramsey-based Buchi Automata inclusion testing
  • automata-lib (MIT, Python): library for finite automata, pushdown automata, and Turing machines, available on PyPI
  • automata-python (GPLv3, Python): library implementing finite automata, finite automata with output, pushdown automata and Turing machines
  • pythomata (LGPLv3, Python): package for automata theory
  • python-automata (BSD-3, Python): library for deterministic finite automata, including simulation, negation, classical minimization, DFCA minimization, generalized cross-product, including union, intersection, and symmetric difference
  • Sage (GPLv3, Python): finite state machines, automata, transducers
  • python-statemachine (MIT, Python): package for finite state machines
  • roll-library (GPLv3, Java): Regular Omega Language Learning, library of learning algorithms for ω-regular languages (Institute of Software Chinese Academy of Sciences)

Term rewrite systems

  • Autowrite (?, Lisp): check properties of term rewrite systems and manipulate tree automata
  • Timbuk (GPL-2, OCaml): Tools for reachability proofs over term rewriting systems and manipulate bottom-up non-deterministic finite tree automata (IRISA)
  • JITty (C): term rewriter with strategy annotations
  • K: rewrite-based executable semantic framework (UIUC)
  • ELAN: Rule based programming using strategic rewriting (LORIA)

Open Systems

Synchronous Languages

Synthesis in this context refers to compilation from source, not from temporal logic. This distinguishes it from synthesis from temporal logic by solving games. In some sense the latter is from an "even more declarative" problem description.

Imperative

  • Esterel, old, old: Synchronous reactive programming language & compiler to FSM (C language), Graphical symbolic debugger, explicit/BDD verification for bisimulation reduction | safety checking (Ecole des Mines de Paris, INRIA)
    • CEC (BSD-3, C++/ANTLR): Esterel V5 compiler to C | Verilog | BLIF (Columbia Univ.)
    • scdata (?): Boolean datapath generator for Esterel: translates action calls in sc code over boolean variables into standard nets also in sc (INRIA, Ecole des Mines de Paris)
    • Ocjava (?): Esterel Java code generator (INRIA)
  • Quartz: derivative of Esterel that includes: * non-determinism * asynchronous execution * hybrid systems (Kaiserslautern Univ.)
    • Averest: Synchronous programming language Quartz and compiler to TS, symbolic model checker, tool for hardware/software synthesis from Quartz (TU Kaiserslautern)
    • ECL (RSCPL, Java): system-level specification language for HW/SW designs and is based on Esterel and C. The ECL compiler parses ECL, writes Esterel and C, and uses the Esterel compiler to produce an implementation. (Cadence Berkeley Labs)
  • Xeve: Esterel verification environment (INRIA)

Declarative

  • Lustre: Declarative, synchronous dataflow programminglanguage for reactive systems
    • Lustre (?, OCaml): Lustre interpreter
    • Lustre-V6 (CeCILL, OCaml): the Lustre V6 compiler (Verimag)
    • Zustre (BSD-3, Python): SMT-based PDR-style verification engine for Lustre programs, also an engine for generating assume/guarantee contracts (NASA/CMU/SEI)
    • MATOU (?): Implementation of mode-automata on top of Lustre (VERIMAG)
      • KIND (BSD-3, OCaml): K-induction based for safety properties of Lustre programs, Automatic invariant generation, parallel: PKIND (Univ. Iowa, NASA/CMU, ONERA)
    • KIND2 (Apache-2, OCaml/C++): Multi-engine SMT-based automatic model checker for safety properties of Lustre programs, successor of KIND (Univ. Iowa)
    • JKind (BSD-3, Java): SMT-based infinite-state model checker for safety properties in Lustre, based on k-induction and property-directed reachability (Rockwell Collins)
      • SpeAR (BSD-3, Java): Specification and Analysis for Requirements tool, a frontend for writing formal specifications, translating them to Lustre, and then using the model checker JKind (Rockwell Collins, AFRL)
      • jkind-xtext (BSD-3, Java): Lustre Plug-in for Eclipse with JKind Analysis Support (Rockwell Collins)
      • AGREE (BSD-3, Java): Assume Guarantee REasoning Environment, compositional, assume-guarantee-style model checker for AADL models, using k-induction (Collins Aerospace)
      • SIMPAL (?, Java): Static IMPerative AnaLyzer, performs compositional reasoning of imperative programs written in Limp (Lustre imperative), which it translates to Lustre, and analyzes this with JKind
  • NBAC (OCaml): Co-/Reachability, slicing of synchronous deterministic reactive systems with Boolean, numerical variables (VERIMAG)
  • SIGNAL: Synchronized data-flow programming language for systems with multiple clocks (INRIA)
  • Sigali, old (FUSC): Model check implicit labeled transition systems (INRIA)
  • TGV (?): Generation of conformance test suites for protocols, based on I/O transition systems (IOLTS) (IRISA)

Statecharts

Synthesis

Open Systems (Games: System & UnControlled Environment)

Discrete games

GR(1) games (= Generalized Reactivity 1)

  • gr1c (BSD-3, C, uses CUDD): checking realizability of and synthesizing strategies for GR(1) specifications & much more (Caltech.CDS)
  • gr1py (BSD-3, Python): an enumerative reactive synthesis tool for the GR(1) fragment of LTL (Caltech CDS, rerobots)
  • omega (BSD-3, Python): Specify and synthesize systems using symbolic algorithms (Caltech CDS)
  • slugs (BSD-3, C++, uses CUDD): a stand-alone reactive synthesis tool for GR(1) synthesis (Cornell)
  • JTLV (LGPLv2, Java/C): unified framework for the development of formal verification algorithms in Java, with GR(1) and GR(k) synthesizers, uses JavaBDD, can interface to BDD libraries in C, has parsers for SMV and FDS written using ANTLR v3 (The Weizmann Institute of Science)
    • TLV (?, C): based on the SMV model checker, with a scripting language called TLV-Basic, users can write TLV-Basic procedures for implementing model checking or deductive verification rules, predecessor of JTLV (NYU)
      • synthesis.tlv (?, TLV): GR(1) synthesis implemented in TLV (The Weizmann Institute of Science)
  • RATSY (LGPL-2+, Python/PyGTK): PSL | BA specs -> gr1 synthesis, game-based debug approach, circuit synthesis (TU Graz)
    • Anzu (Perl, uses CUDD): synthesizes Verilog (TU Graz)
    • RAT (?, Python): RATSY's pedecessor (FBK, TU Graz)
    • marduk (Python, needs NuSMV): game solver used by RATSY
  • NuGAT (LGPL-2+): Game solver on top NuSMV
  • AspectLTL (?, Java): Aspect programming paradigm language (The Weizmann Institute of Science)
  • open Promela (BSD-3, Python): synthesize reactive(1) designs from multi-paradigm specifications written in an extension of Promela for open systems (Caltech)

Full LTL games

  • Acacia+ (GPL, Python/C): LTL Realizability check & winning strategy synthesis using AntiChains repo (Univ. Mons)

    • Acacia (GPL-2, Perl)
    • Alaska (GPL-2, Python): Antichains for Logic, Automata and Symbolic Kripke structure Analysis (predecessor of Acacia) (ULB)
    • jorro (?, Java/Perl): visualize transition systems synthesized by Acacia+ and Lily
    • ltl2aig (GPL, Python): LTL -> And-inverter graph format
  • Lily (Perl): synthesizes from PSL | LTL & I/O signal partition, works on top of Wring, outputs VERILOG | dot (TU Graz)

  • GAVS+ (GPL-3, Java): visualize algorithmic games used in verification and synthesis (TU Munchen)

  • Unbeast (C++, FUSC) symbolic bounded synthesis, depends on either ltl2ba or spot (Saarland Univ.)

  • GASt experimental platform:

    • NBA determinization:
      • Safra
      • Muller-Schupp
      • improved Muller-Schupp
      • Miyano/Hayashi breakpoint construction
    • game synthesis:
      • reachability
      • safety
      • weak parity
      • Staiger-Wagner
      • request-response
      • Buchi
      • generalized Buchi
      • parity
      • Muller
      • simple Streett
      • Streett
      • mean payoff
    • live sequence charts

    (RRWTH Aaachen)

  • party-elli (MIT, Python): SMT based bounded synthesis (TU Graz)

  • Rabin (?, C++): Rabin game solver (Masaryk Univ.)

  • BoSy (Swift): Constraint-based (SAT,SMT,QBF,DQBF) bounded synthesis (Saarland Univ.)

Safety specs (controller synthesis)

  • AbsSynthe (GPL-3, C/Python): controller synthesis from succinct safety specs
  • demiurge (GLGPL3, C++): SAT based controller synthesizer from SYNTCOMP specs (TU Graz)
  • SafetySynth (Swift): symbolic BDD-based safety game solver for SYNTCOMP (Saarland Univ.)
  • Reglisse (GPL-2, OCaml): Generate hardware description from safety conditions given by regular languages

Parity Game solvers

  • PGSolver (OCaml): tools for generating, manipulating and solving parity games (Univ. Muchich, Univ. Kassel)
  • PDSolver (OCaml): evaluating both mu-calculus formulas over pushdown systems and pushdown parity games (Oxford Univ.)
  • alpaga and github (Python, uses PyCUDD): solver parity games with imperfect information using antichains (ULB)
  • oink (Apache-2.0, C++): High-performance implementations of state-of-the-art algorithms representing different approaches to solving parity games (JKU)

Quantitative games

  • Quasy (Scala, Java, C++): Quantitative synthesis of reactive systems from qualitative & quantitative GOAL specs, in/out: GOAL format (IST Austria)
  • GIST (?): solving probabilistic games with ω-regular objectives qualitatively (IST Austria)
  • mpg-solver (GPL-2, C/C++/Python): Mean-payoff game solver (Univ. Libre de Bruxelles)

Other

  • MLSolver (?, OCaml): solving the satisfiability and validity problems for modal fixpoint logics (Univs. Munich, Kassel)
  • aisy (?, Python): safety synthesis from AIGER circuits format, using PyCUDD
  • BluSTL (BSD-3, MATLAB): BluSTL (pronounced "blue steel") is a MATLAB toolkit for automatically generating hybrid controllers from specifications written in Signal Temporal Logic.
  • [G4LTL-ST] (http://sourceforge.net/projects/g4ltl/) (BSD, Java): automatically generates industrial control software (supporting IEC-61131-3 Structure Text) from extended logic specifications.

Hybrid games

  • TuLiP (BSD-3, Python): Receding Horizon Temporal Logic Planning Toolbox (Caltech.CDS)
  • LTLMoP (GPL-3, Python): designing, testing, and implementing hybrid controllers generated automatically from task specifications written in Structured English or Temporal Logic (Cornell)
    • SLURP (GPL-3, Python): situation and language understanding robot platform, uses LTLmop (UPenn)
  • Tools from Boston Univ. (?, MATLAB)
  • Tools from Saarland University (Saarland Univ.)
  • Synthia (GPL-3, C/C++): Verification certificates (deductive proofs) and synthesis for partially implemented systems, abstraction refinement (Saarland Uni.)
  • PESSOA (FUSC, MATLAB): synthesis of correct-by-design embedded control software based on approximate bisimulations (UCLA)
  • TALIRO (GPL, MATLAB) (ASU)
  • SCOTS (BSD-3, C++/MATLAB): computation of discrete abstractions and symbolic controllers (TUM)
  • ARCS (MIT, C/MATLAB): abstraction-refinement-based incremental synthesis for switched systems (Univ. of Michigan)

Contracts

  • Mica (CeCILL-C-1, OCaml): Modal Interface algebra for contract based design (INRIA/IRISA)
  • OCRA (closed, ?): verification of logic-based contract refinement, uses NuSMV3 (Bruno Kessler Found.)

Hardware

  • Yosys (ISC, C++): a framework for RTL synthesis tools
  • Clash (?, Haskell) generates VHDL from Haskell
  • Lava (?, Haskell): generates circuits from FSMs, behavioural specs (VHDL, Verilog) + verif via NuSMV
  • Chisel (?, Scala): supports advanced hardware design using highly parameterized generators and layered domain-specific hardware languages; Chisel can generate a high-speed C++-based cycle-accurate software simulator, or low-level Verilog designed to pass on to standard ASIC or FPGA tools for synthesis and place and route

Other

  • Times (?): Tool for Modeling & Implementation of Embedded Systems (GUI editor, simulator, verifier for schedulability analysis) (Uppsala Univ.)
  • BigMC (GPL, C++/C/PHP/...): Bigraphical reactive systems (IT Univ. Copenhagen)
  • Ticc (GPL-2, ?): Interface compatibility and composition, components specify own behavior and that expected by others, CTL properties checked and propagated (UCSC)

Timed Systems

  • UPPAAL, UPPAAL-Tiga (FUSC): Timed automata (Uppsala Univ., Aalborg Univ.)
    • manipulate UPPAAL XML (GPL-3, Python)
    • Yggdrasil (?, ?): UML (subset) -> Uppaal, intended for test generation (Aalborg Univ.)
    • METAMOC (GPL-3, Python): WCET Analysis of ARM Processors using Real-Time model-checking (Aalborg Univ.)
    • SARTS (?, Java): Model Based Schedulability Analysis of Real-Time Systems, SCJ2, UPPAAL (Aalborg Univ.)
    • UPPAAL DBM Library (GPLv2, C++): efficient data structures to represent clock constraints in timed automata (Aalborg Univ.)
      • Python bindings (GPLv3, Python/SWIG/C): to UPPAAL (Aalborg Univ.)
      • Ruby bindings (GPLv2, Ruby/C++): to UPPAAL (Aalborg Univ.)
      • udbml (AGPL-3, C++/OCaml): OCaml wrapper for the UPPAAL DBM library
  • OPAAL (GPL-3, Python): distributed/parallel (discrete time) model checker for networks of timed automata using MPI
  • ECDAR (FUSC): timed interface theory (Aalborg, INRIA, ITU)
  • PyECDAR (GPL-2, Python): solve timed games based on timed automata models (ITU)
  • IOA (MIT, Java): I/O automata formal language (MIT)
  • TEMPO (closed, Java): Formal language for modeling distributed systems w/ | w/o timing constraints as collections of interacting state machines, i.e., timed input/output automata (TIOA) (UIUC)
    • Tempo2HSal (?, Python): Tempo (.tioa) -> HybridSAL (.hsal) translator (SRI)
  • ATAS (GPL-3, Python): Alternating 1-clock (fully decidable) Timed Automata Solver
  • PPL binding (GPL-2, Python): for Parma Polyhedral Lib features some specific methods for Timed Automata analysis
  • MCPTA (FUSC, ?): Probabilistic Timed Automata model checker for MoDeST | UPPAAL | PRISM - maps on PRISM (Saarland Univ.)
  • SAAtRE (?): Abstraction refinement model checker for Timed Automata based on extended SAT-solving, UPPAAL-like input format (Univ. Oldenburg, CWI)
  • Fortuna (GPL-3, C++/Eclipse): MC priced probabilistic timed automata (PPTAs) (Univ. Twente)
  • COSPAN (?, ?): Automata-theoretic verification of coordinating processes with timing constraints (UPenn)
  • Romeo: timed Petri nets (IRCCyN)
  • ExSched: develop operating system schedulers for VxWorks and Linux w/o modifying the underlying kernel ([Malardalen Univ.]http://www.es.mdh.se/staff/197-Mikael__sberg))
  • RTComposer (Java): classes and utilities for predictable real-time scheduling (BenGurion, UPenn)
  • ASTRAL: MC of real-time systems (UCSB)
  • PAT (?, C#): simulator, MC, refinement checker for concurrent and RT systems (Nanyang Tech. Univ.)
  • HCMC (? , C++): Compositional model checking for real-time systems (ENS-Cachan)
  • [IMITATOR] (http://www.imitator.fr/index.html) (GPL, Python?): is a tool for parametric verification and robustness analysis of real-time systems. It relies on the formalism of networks of parametric timed automata, augmented with integer variables and stopwatches.
  • [CoVerTS] (https://github.com/astefano/CoVerTS) (Scala): compositional verification of state properties for timed systems

Hybrid Systems

  • Ptolemy (BSD-3, Java): modeling, simulation, and design of concurrent, real-time, embedded systems (UC Berkeley)
  • HyLink (FUSC, Python): Restricted Simulink/Stateflow models -> HyXML-> HyTech | UPPAAL (UIUC)
  • CHARON (?, Java): Language and implementation (editor, model browser, visual simulator) for modular specification of interacting hybrid systems based on the notions of agent and mode (UPenn)
  • CARTS (FUSC, Java): Compositional Analysis of Real-Time Systems (UPenn)
  • START: time-bounded static analysis of concurrency properties of Real-Time Embedded Software
  • IF (FUSC): static analysis, model-checking, test generation, Open-Kronos, Kronos: TCTL verification of Timed Automata (VERIMAG)
  • CIF: Compositional Interchange Format for Hybrid Systems toolset
  • Passel (closed, C#/Python): invariant synthesis and inductive invariant proving (UIUC)
  • Rabbit (Apache): RTS modular spec: timed (and hybrid) automata: CottbusTimed Automata, MC for reachability analysis and refinement check (Bradenburg TU)
  • Mobius (?, Java/C++): Model-based environment for validation of system reliability, availability, security, and performance (UIUC)
  • [HYMITATOR] (GLP, OCaml) (https://lipn.univ-paris13.fr/~andre/software/hymitator/): is a tool dedicated to the synthesis of parameters for hybrid automata

Linear

  • HyTech (FUSC, C): computes condition under which a linear hybrid system satisfies a temporal requirement (UC Berkeley)
  • d/dt (?, ?): Reachability analysis of Continuous and Hybrid Systems with linear differential inclusions (VERIMAG)
  • HARE (?): Abstraction refinement for safety
  • PHAVer (GPL-2, C++): verifying safety properies of hybrid systems (exact arithmetic, on-the-fly over-approximation of PWA dynamics, compositional & assume-guarantee reasoning) (Verimag)
    • vim highlight, its github
    • ProHVer (GPL-3, C++): Unbounded reachability probability for probabilistic hybrid automata (Univ. Saarland)
  • CheckMate (MATLAB) modeling, simulation & investigation, demos
  • HYSDEL (GPL, C++/MATLAB): (Hybrid Systems Description Language) HYSDEL -> MLD compiler, also language to model interconnected linear systems and automata (ETHZ)
  • Hybrid Toolbox for MATLAB (FUSC, MATLAB/Simulink): Modeling, simulation, verification, constrained MPC, generate linear & hybrid MPC PWA control laws (IMT Lucca)
  • Ellipsoidal Toolbox for MATLAB (BSD-3, MATLAB): External and internal ellipsoidal approximations of geometric (Minkowski) sums and differences of ellipsoids, intersections of ellipsoids and intersections of ellipsoids with halfspaces and polytopes; distances between ellipsoids, between ellipsoids and hyperplanes, between ellipsoids and polytopes; and projections onto given subspaces. For forward and backward reach sets of continuous- and discrete-time PWA systems (UC Berkeley)
  • MATISSE (GPL-3, MATLAB): Approximate bisimulations: safety verification and reachable set computation of large dimensional, constrained linear systems. Needs: MPT, YALMIP, SEDUMI (UPenn, IMAG)
  • BACH: bounded model checker for Linear Hybrid Systems (Nanjing Univ.)
  • tltk-mtl (?, Python): tool for computing Metric Temporal logic robustness

Non-Linear

  • HTV (closed, MATLAB): verify systems from their simulation and run-time traces using imprecise samples and possibly incomplete models to compute overapproximations of bounded reach sets (UIUC)
  • SpaceEx (GPL-3, C++): Reachability & safety verification (Verimag, Lab Jean Kuntzmann, DGA-MI)
  • Ariadne (GPL-3, C++/Python): Dynamical systems set-based analysis (reachability analysis, robust simulation, safety verification - reset, flow, guard predicates given by nonlinear functions) (Univ. Udine, PARADES, CWI, Univ. Verona)
  • MPT (GPL, MATLAB): Design, analysis and deployment of optimal controllers for constrained linear, nonlinear and hybrid systems (ETHZ)
  • HybridSal (GPLv2, Java/Python): Language extension to SAL for specifying Hybrid Systems & hybrid abstraction tool to discrete SAL specifications for model checking with other SAL tools (SRI)
    • Relational Abstraction (GPL-2, LISP): creating relational abstractions of HybridSAL models (SRI)
    • hsal2xml (GPL-2, Java): HybridSAL -> XML
  • NLToolbox (u, C/C++): Non-linear dynamical system reachability: polynomial using Bernstein expansion, more general using hybridization (VERIMAG)
  • Flow* (GPL-3, C++): Over-approximation Taylor model flowpipes: polynomial ODEs, polynomial invariants, guards, resets (RWTH Aaachen, Univ. Colorado Boulder)
  • HSolver (LGPL): based on RSOLVER constraint solver, correctness does not depend on floating point rounding errors, handles non-linear ODEs (Academy of Sciences Czech Republic)
  • AMC (?, Mathematica): model checker for non-linear hybrid systems based on the abstraction refinement framework (CMU, Univ. Oldenburg)
  • pyHybridAnalysis (LGPL-3, Python): ε-semantics reachability (VERIMAG, Udine Univ., Trieste Univ.)
  • LtlOpt (BSD-3, MATLAB): optimal control of high-dimensional, nonlinear systems using LTL specs (Caltech)
  • reasys (BSD-3, MATLAB): Reactive synthesis for nonlinear systems (Cornell, Toyota)
  • c2e2 (?, Assembly): tool for verifying bounded-time invariant properties of Stateflow models (UIUC)
  • HyST (LGPLv3, Java / Python / Matlab): transformation and semantics-preserving translation (to Flow*, dReach, HyComp, HyCreate) of hybrid automata networks from SpaceEx format (AFRL, IST, UTA)
  • VeriSiMPL (GPLv3, C++): constructs finite abstractions of autonomous Max-Plus-Linear (MPL) systems over R^n, as finite-state Labeled Transition Systems (LTS), exported to the NuSMV language for verification using NuSMV
  • HyCOMP (FUSC, ?): model checker for asynchronous hybrid systems, built on top of the nuXmv model checker, and of the Mathsat5 SMT solver (FBK)

Stochastic

  • MoToR (GPL, ?): Macro-preprocessor for MoDeST, a stochastic real-time systems formalism, interfacing to UPPAAL, CADP, Eclipse, Mobius (Univ. Saarlandes)
  • MRMC (GPL-3, C): MC for: Discrete/Continuous Markov Chains, Reward models, decision processes (Univ. Twente, RWTH Aachen)
  • PASS (bin, ?): CEGAR MC for infinite-state probabilistic models, MDPs (Saarland Univ.)
  • INFAMY (bin, ?): CSL Model Checker for infinite-state Markov chains - CTMCs (Saarland Univ.)
  • PARAM (GPL-3, C++): Reachability probability computation for parametric Markov chains - DTMCs (Saarland Univ.)

Theorem Provers

  • TLAPS (BSD-2, OCaml/C/Perl): Theorem prover for TLA+ using: Isabelle, Zenon, Z3 (INRIA/MSR)
    • TLAPM v2 (BSD-3, OCaml): TLAPS proof manager >= v2 (INRIA/MSR)
    • TLAPM v1 (BSD-2, OCaml): TLAPS proof manager < v2 (INRIA/MSR)
    • pf2 (LaTeX): package for writing structured proofs of the form described in "How to write a 21st century proof"
    • pfnum (C): Rewrites structured proofs in a LaTeX file to renumber proofs steps as they will appear after typesetting
    • pf2html home (GPL-2, Perl): adds functionality to LATEX2HTML such that LATEX documents written with pf.sty can be viewed in a web browser up to the desired level of detail for each branch of a structured proof (TU Wien)
    • hyperpf (C): HyperTeXt structured proof reader
    • Verifying TLA+ invariants using ACL2 (UT Austin)
  • Isabelle github (BSD-3, ML): (Univ. Cabridge, TU Munchen, Univ. Paris-Sud)
    • Isabelle/TLA github: encoding of Lamport's TLA in Isabelle, ships with Isabelle's standard distribution (INRIA)
    • APL: Archive of Formal Proofs
    • VHDL semantics (BSD-2, Isabelle): formalization of the language VHDL in the Isabelle theorem prover (Nanyang Technological Univ.)
    • PSL (CSIRO, Isabelle/ML): implementation of proof strategy language (PSL) and its default strategy, for Isabelle (CSIRO)
  • HOL (BSD-3, ML): Interative Theorem proving in higher-order logic (Univ. Cambridge)
    • Holfoot (BSD, ML): Implementation of Smallfoot inside of HOL 4
    • HOLBDDlib (BSD-3, ML): kernel of representation judgement rules as infrastructure for building fully-expansive combinations of HOL theorem proving and BDD-based symbolic calculation algorithms, uses the BuDDy BDD package
  • [HOL Light] (https://www.cl.cam.ac.uk/~jrh13/hol-light/) (BSD-2, OCaml): Interactive Theorem Proving in higher-order logic (Cambridge Univ., AWS)
  • HOL Zero (BSD, OCaml): Basic theorem prover for the HOL logic for checking and/or consolidating proofs created on other theorem provers, and a pedagogical example
  • HOL-Omega (BSD-3, ML: Merging of HOL4, HOL2P by Völker, and major aspects of System Fω from chapter 30 of Types and Programming Languages by Pierce, implements a new logic, which is an extension of the existing higher order logic of the HOL4 system
  • Coq (LGPL-2.1, OCaml): formal proof management system. It provides a formal language to write mathematical definitions, executable algorithms and theorems together with an environment for semi-interactive development of machine-checked proofs. (INRIA, Ecole Polytechnique, Paris-Sud 11 Univ., Paris Diderot Univ., CNRS)
    • Vim:
      • Coqtail (MIT, Python/Vim script): interactive Coq Proofs in Vim
      • Coquille (ISC, Vim script/Python): interactive theorem proving with Coq in vim
    • IDE:
      • JsCoq (several, JavaScript): online Integrated Development Environment for the Coq proof assistant that runs in a browser (MINES ParisTech)
      • coq_jupyter (Apache-2.0, Python/JavaScript): Jupyter kernel for Coq, try it online
      • VsCoq (MIT, TypeScript): Visual Studio Code extension for Coq
    • Libraries:
      • HoTT library (BSD-2, Coq): a formalization of homotopy type theory in the Coq proof assistant
      • UniMath (FOSS, Coq): a library that aims to formalize a substantial body of mathematics using the univalent point of view.
      • Coq-Polyhedra (CeCILL-B, Coq): Formalizing convex polyhedra in Coq (INRIA/École Polytechnique)
      • ControlHTT (?, Coq): an adaptation of Hoare Type Theory for control software (Galois)
      • Categories (?, Coq): a formalization of category theory in the Coq proof assistant (Aarhus Univ.)
      • proofs (MIT, Coq): a selection of formal proofs in Coq (Google)
    • Embeddings:
      • TLA^{Coq} (?, Coq): Deep embedding of TLA in Coq (Univ. of Oregon, Sandia)
    • Tools:
      • Ynot (BSD-3, Coq/OCaml): library for the Coq proof assistant which turns it into a full-fledged environment for writing and verifying imperative programs (Harvard Univ.)
      • verdi (BSD-2, Coq): framework for formally verifying distributed systems implementations in Coq
      • coq-lit (?, Python): script that processes special commands inside comments in Coq source files to produce Markdown and raw HTML that generates a blog post (Univ. of Washington)
      • CompCert (FUSC, Coq/OCaml): a formally-verified compiler for a large subset of the C programming language that generates code for the PowerPC, ARM, x86 and RISC-V processors, the compiler has been verified in Coq (Inria)
  • PVS (GPL-3, Common LISP/C/Emacs LISP/others): Specification language and theorem prover, based Church's type theory extended with dependent types (SRI CSL)
    • NASA PVS Library (Various, Python/Lisp): Collection of formal PVS developments (NASA Langley)
    • Invariant-Checker: predicate abstraction and verification of invariance reactive properties using theorem-proving and MC, front to PVS (IMAG)
    • PVSPackrat (?, PVS): PVS proofs for PEG grammars and Packrat parsers (SRI CSL)
  • Lean (Apache-2, C++/Python): Theorem prover (Microsoft Research)
    • Spectral (Apache-2.0, Lean): Formalization of the Serre spectral sequence in Lean 2.
  • Zenon (BSD-3, OCaml): FOL with equality based on tableau, generates Coq proofs OPAM (INRIA)
    • Zenon arith (BSD-3, OCaml): extension to handle linear arithmetic (INRIA)
    • Zenon modulo (BSD-3, OCaml): extension to deduction modulo (INRIA)
    • Super Zenon (?, ?): extension using superdeduction (CEDRIC/CNAM, Siemens IC-MOL)
  • AIMA logic.py (MIT, Python): Artificial Intelligence - A Modern Approach: Representations and Inference for Logic (UC Berkeley, Google)
  • Nunchaku (BSD-2, OCaml): A counter-example finder for higher-order logic, designed to be used from various proof assistants (INRIA)
  • Nitpick (BSD-3, Isabelle): Counterexample generator for Isabelle/HOL
  • Walnut (GPLv3, Java): Automated Theorem Prover for Automatic Words
  • Phox (LGPL-3.0, OCaml): Proof assistant based on High Order logic which is eXtensible (Université de Savoie)
  • Dedukti (CecILL-B, OCaml): Implementation of the λΠ-calculus modulo rewriting
    • Dedukti libraries (?, Dedukti): A collection of hand-written files for Dedukti
    • Lamdapi (CeCILL-2.1, OCaml): Proof assistant based on the λΠ-calculus modulo rewriting, mostly compatible with the proof checker Dedukti
  • Automath (?, ?): One of the first formal proof languages and proof checker (Eindhoven Univ.)
  • TPS: (CMU)
  • ALF (Univ. Goterborg/Chalmers)
  • Alfa: successor of ALF
  • Agda (MIT and BSD-2, Haskell): An interactive system for writing and checking proofs, based on intuitionistic type theory. A dependently typed functional programming language.
    • HoTT-Agda (MIT, Agda): A library of homotopy type theory and univalent foundations
  • Cedille (MIT, Agda/Haskell): interactive theorem-prover and dependently typed programming language, based on extrinsic (aka Curry-style) type theory
  • ACL2 (BSD-3, Lisp): logic and programming language in which you can model computer systems, together with a tool to help you prove properties of those models. "ACL2" denotes "A Computational Logic for Applicative Common Lisp", part of Boyer-Moore family of provers (Univ. Texas at Austin)
    • Nqthm (GPL-2, ?): Boyer–Moore TP using Pure LISP variant, precursor to ACL2 (Univ. Texas, Austin)
    • Milawa (MIT, Lisp): "Self-verifying" theorem prover for an ACL2-like logic (UT Austin)
    • Jitawa (?, Lisp): Verified Lisp runtime that hosts Milawa and ensures its soundness, as formally proved (Cambridge Univ.)
    • ivy (BSD-3, Lisp): Preprocessor and proof checker for resolution/paramodulation theorem provers, coded in ACL2 and proved sound for finite interpretations (Univ. of New Mexico)
  • INKA5, INKA: Inductive Theorem Prover
  • Otter & Mace2: first-order and equational logic
  • Prover9 & Mace4: Successors of Otter & Mace2
  • EQP: first-order equational logic: associative-commutative unification and matching, a variety of strategies for equational reasoning, and fast search
  • TWELF (BSD-2, ML): a language used to specify, implement, and prove properties of deductive systems such as programming languages and logics
  • Maude (GPLv2, ?): high-performance reflective language and system supporting both equational and rewriting logic specification and programming for a wide range of applications, with tools (UIUC)
    • Maude ITP: Inductive Theorem Prover
    • C-Reducer: Automatic c-reduction of object based modules for the Maude system (IMT Lucca)
    • MESSI: Design, validation and performance evaluation of self-assembly strategies with Maude (IMT Lucca)
    • Circ: automated behavioral prover based on the circularity principle for Maude (UIUC)
    • LTLR: LTL rewriting model checker within Maude (UIUC)
    • IMaude (?, NewLisp/Maude/C/Python): Interactive Maude (SRI CSL)
  • Vampire (FUSC, C++): FOL (Novosibirsk, Univ. Machester, Chalmers UT, Vienna UT)
    • Drakosha (?, LISP): Vampire's predecessor
  • LP: Larch Prover (?): Multisorted first-order logic, interactive (MIT)
  • SAL (GPL-2, Scheme): Language for specifying concurrent systems in a compositional way. BDD-based & SAT-based MC, experimental "Witness" MC, "infinite" bounded MC based on SMT solving, simulator, deadlock checker, automated test generator (SRI, Stanford, Berkeley)
    • Z2SAL (?, Java): transator that generates a SAL automaton from a single Z specification (Univ. of Sheffield)
  • Gappa (GPL-3, CeCILL): for numerical programs dealing with floating-point or fixed-point arithmetic (INRIA)
  • Mizar
  • NuPRL: Formal Digital Library (Cornell)
  • MuPRL (BSD-3, Haskell): small, mainly instructional, proof assistant in the style of NuPRL
  • MetaPRL
  • Matita (GPLv3, OCaml): Interactive theorem prover based on calculus of inductive constructions (Univ. of Bologna)
  • Gandalf
  • E-SETHEO: strategy-parallel compositional theorem prover for first-order logic with equality
  • SPASS: First-Order Logic with Equality (Max Planck Inst. Inf.)
  • Omega (?, Isabelle/Lisp): for higher-order logic based on proof planning
  • Omega (BSD-3): cross between a purely functional programming language and a theorem prover
  • wikipedia list
  • this thread
  • jImp (binary, Java): based on set of support and ordered resolution for first-order logic, supports: clause indexing techniques, subsumption, and tautology elimination, Davis-Putnam-Loveland-Logemann (DPLL) inference procedure (CMU)
  • QEPCAD and github (BSD-like, C): Quantifier elimination by partial cylindrical algebraic decomposition (US Naval Academy, Drexel Univ., North Carolina State Univ.)
  • E (GPL-2, C): Full first-order logic with equality (TU Munchen)
  • Community Z Tools (GPL-2, Java): Tools for editing, typechecking and animating Z specifications and related notations, including Java framework for building formal methods tools (Univ. Oxford, contrib)
  • ProofPower (GPL, ?): Tool suite supporting specification and proof in HOL and Z notation (Lemma 1 Ltd)
  • ClawZ (?, ?): Simulink -> Z notation (Lemma 1 Ltd)
  • Waldmesiter (FUSC, ?): TP for unit equational logic (Max Planck Inst. Informatik)
  • Spear (?, ?): fast bit-vector arithmetic theorem prover (Google)
  • Metamath: Tiny language based on ZFC, and also database of proved theorems
  • Theorema (GPLv3, Mathematica): a system for automated reasoning (theorem proving) and automated theory exploration based on Mathematica (JKU)
  • Princess (GPL-3, Scala): FOL modulo linear integer arithmetic
    • Seneschal (GPL-3, Java): synthesising linear ranking functions for programs expressible in Presburger arithmetic
  • FOL prover (BSD, Python): automated theorem prover for first-order logic, guaranteed to prove any provable formula (MIT)
  • hemera (?, Python): yet another simple theorem prover (PUC-Rio)
  • FLiP (GPL, Python): Library for defining logics and writing theorem prover applications, e.g., a proof checker for natural deduction proofs (Univ. Wasignton)
  • ATS (GPL-3, C): A statically typed multiparadigm programming language that unifies implementation with formal specification, using theorem proving (Boston Univ.)
  • F* (Apache 2.0, OCaml, F#): ML-like functional programming language aimed at program verification. Its type system includes polymorphism, dependent types, monadic effects, refinement types, and a weakest precondition calculus (MSR, INRIA)
  • proofcheck (GPL, Python): Checks mathematical proofs written in La/TeX, attempts to handle mathematical language formalized according to the author's preferences as much as possible (PyPI) (Widener Univ.)
  • ProofPeer (MIT, Scala/Isabelle): Collaborative theorem proving (Edinburgh Univ.)
  • Nitpick (?): Checker for Z specifications (CMU)
  • Globular (WTFPL, JavaScript): An online proof assistant for hiher-dimensional rewriting, produces graphical visualizations of higher-dimensional proofs, used for category theory proofs
  • Abella (GPLv3, OCaml): Interactive theorem prover based on lambda-tree syntax, well-suited for reasoning about the meta-theory of programming languages and other logical systems that manipulate objects with binding (Univ. of Minnesota, LIX/École polytechnique, INRIA/Saclay)
  • GAPT (GPLv3, Scala): Framework for transforming and processing proofs, and interfaces to automated reasoning tools (provers, SMT solvers, SAT solvers)
  • homotopy.io (CC BY-NC 3.0, JavaScript): A proof assistant for n-categories
  • Andromeda (BSD-2, OCaml): A proof assistant for general type theories, LCF-style, with statically typed meta-language Andromeda ML
  • Cyclist (BSD-3, OCaml/C++: framework for building cyclic theorem provers based on a sequent calculus (Facebook, Middlesex Univ.)
  • LaTTe (MIT, Clojure): proof assistant designed as a library for the Clojure programming language and environment, based on a simple dependent-typed lambda-calculus (a variant of λD)
  • Alg (BSD-2, OCaml): A program that generates all finite models of a first-order theory. It is optimized for equational theories.
  • RZ (MIT, OCaml): A tool for automatic generation of specifications based on realizability theory
  • LEGO (?, ML): an interactive proof development system (proof assistant), implementing various related type systems: the Edinburgh Logical Framework (LF), the Calculus of Constructions (CC), the Generalized Calculus of Constructions (GCC) and the Unified Theory of Dependent Types (UTT) (Univ. of Edinburgh)
  • IMPS (MITRE, Perl/Lisp): Intended to provide mechanical support for traditional mathematical techniques and styles of practice, with underlying logic simple type theory (MITRE)
  • Museum of theorem provers: front-end to a collection of source code repositories for theorem provers, hosted on GitHub
  • Scriptie (?, Python): theorem prover for Lambek-Grishin calculus
  • set-theory-prover (BSD-3, Haskell): simple LCF-style proof assistant for ZFC
  • Jape (GPLv2, OCaml/Java): a configurable proof editor, best at natural deduction and sequent calculus

Theorem provers for modal logics

  • ls4 (MIT, C++, C): PLTL prover based on labelled superposition with partial model guidance, with MiniSAT behind, and used as backend by TLAPS (Univ. Manchester)
  • T2 (F#, Mono, MIT): Prover of CTL* of programs, with z3 behind (replaces TERMINATOR) (MSR, UCL)
  • TRP++ files (GPL-2, C++): theorem prover for PLTL based on the temporal resolution calculus (Univ. Liverpool)
    • TRP (?, Prolog): earlier implementation of TRP++
  • LWB (EPL, Clojure): The Logics Workbench, prover for propositional, predicate and linear temporal logic
    • lwb-gui (EPL, Clojure): simple GUI for the Logic Workbench lwb
  • TRS (?, ?): Resolution-based theorem prover for PLTL, online interface only (UBC)
  • TLPVS: PVS implementation of an LTL verification system (NYU)
  • STeP: Stanford temporal prover
  • CTLSAT (?, C++): CTL satisfiability solver
  • MLSolver (?, Ocaml): Solver for satisfiability and validity of modal fixpoint logics (Univ. Munich, Univ. Kassel)
  • Leviathan (BSD-3, C++): Tableau prover for LTL satisfiability (Univ. Udine)
  • PLTLProvers: (?, OCaml): 3 PLTL theorem prover variants
  • LoTREC (FSLA): Generic tableau prover
  • MleanTAP (?, Prolog): Sound and complete theorem prover based on free-variable semantic tableaux extended by an additional prefix unification (logics: D, T, S4, S5) (TU Darmstadt)
  • List of tools for modal logics (Univ. Manchester)
  • Schuppan-Darmawan benchmark results of LTL satisfiability solvers
  • TPTP: Problem library for automated theorem proving (Univ. Miami)
  • QMLTP: Benchmarking results for theorem provers for first-order modal logics
  • Modal Logic Playground (MIT, JavaScript, HTML): a graphical semantic calculator for modal propositional logic

QBF

  • QBF Solvers (C++)
  • RAReQS (GPL, C++/uses MiniSAT): Recursive abstraction refinement QBF solver (INESC-ID Lisboa)
  • Quantor (BSD-4, C): QDIMACS input (ETHZ, JKU)
  • DepQBF (GPL, C): search-based (TU Wien, JKU)
  • nenofex (GPL, C): expansion-based for NNF (TU Wien, JKU)
  • CAQE (Apache-2, C): certifying solver based on CEGAR-based clausal abstraction (Saarland Univ., UC Berkeley)
  • QBFLIB: Collection of benchmark problems, solvers, and tools related to Quantified Boolean Formula (QBF) satisfiability (Univ. Michigan)

SAT

CDCL

Stochastic local search

  • UBCSAT: (Univ. British Columbia)

Parallel

  • PeneLoPe (BSD-like C++) (CRIL)
  • CombiSAT (?, Python): Portfolio solver running multiple sequential solvers with different strategies (EPFL)
  • PWBO

Unsorted

  • zChaff (Princeton Open Source): Chaff algorithm (Princeton)
  • SATABS (BSD, C): ANSI-C, C++ verification via Boolean program abstraction (Univ. Oxford, Imperial College, Univ. Lugano, CMU)
  • NanoSAT (BSD): (JKU)
  • Boppo (?): MC for Boolean programs featuring: POR, Fixpoint detection using QBF, support for constraint construct (Univ. Oxford, Microsoft Research, Univ. Lugano, CMU)
  • CSIsat (Apache): Interpolating decision procedure for the quantifier-free theory of rational linear arithmetic and equality with uninterpreted function symbols (EPFL, SFU)
  • MSUnCore: solving (Weighted) (Partial) Maximum Satisfiability (MaxSAT)
  • antom (C++): Lib solving: SAT, Unweighted MaxSAT, Partial MaxSAT, #SAT (Uni. Freiburg)
  • SCIP: Mixed int programming (MIP), constraint int programming and branch-cut-and-price
  • GLPK
  • PrecoSAT (MIT-like)
  • RSat
  • fss (GPL-3, C++/GAlib): Genetic algorithms
  • MiFuMaX (GPL-3)
  • Shaowei Cai solvers
  • algorithms
  • WBO: Weighted Boolean Optimization Solver that extends Weighted-Partial MaxSAT and Pseudo-Boolean Optimization
    • open-WBO (MIT, C++): open source version of WBO
  • ToulBar2 (GPL, C++): weighted constraint satisfaction solver (INRA)
  • march: DPLL with lookahead heuristics (TU Delft)
  • march_eq: (TU Delft)
  • march_dl: (TU Delft)
  • CryptoMiniSat, its github (LGPL, C++, Python)
  • WinSAT
  • HyperSAT (FUSC, C): research SAT solver written to experiment with B-cubing search space pruning
  • iSAT: DPLL-style solver developed for large Boolean combinations of non-linear arithmetic constraints involving transcendental functions
  • HySAT
  • Scarab (BSD, Scala): SAT-based constraint programming
  • Limboole (Unlicense, ?): satisfiability of arbitrary structural formulas, not just CNF
  • MiFuMaX
  • UBCSAT (FUSC, C): Stochastic local search solver (Univ. British Columbia)
  • QNF2z3 (FUSC, Python/Bash): invoking Z3 on QDIMACS instances (INESC Lisboa)
  • ToughSAT: generates "difficult" SAT instances
  • minibones (FUSC): computing backbone literals
  • SBSAT: state-based (U Cincinnati)
  • satsolver (?, Python): DPLL implementation for educational purposes
  • Potassco: answer set programming collection: Clasp, Gringo, Clingo, Aspcud, Clingcon, claspfolio, coala solvers
  • miniC2D (?): knowledge compilation and model counting based on exhaustive DPLL (UCLA)
  • toulbar2 (GPL, C++): Exact solver for cost function networks (INRIA, Barcelona)

SMT

  • CVC4 (BSD-3, C++): built-in base theories, quantifiers, interactive text-based interface, interfaces to: C/C++, Python, Java, OCaml, PHP, Perl, Ruby, Tcl, model generation, (NYU, Univ. Iowa)
  • CV3 (BSD-3, C++): predecessor of CVC4 (Stanford, NYU, Univ. Iowa)
  • Z3 (MIT, C++/Python): .smt2, .dimacs, .cnf, .dl, .smt (Microsoft Research)
    • Z3_Haskell (BSD, Haskell): bindings for Z3 (Cambridge Univ.)
    • hz3 (BSD, Haskell): bindings to low-level API for Z3
    • ScalaZ3 (Apache-2.0, Scala): bindings for Z3 (EPFL)
    • bapa-z3 (BSD, Scala): Boolean algebra with Presburger arithmetic constraints plug-in for Z3 (EPFL)
    • Z3-str (MIT, C++/Python): string theory plug-in for Z3 (Purdue)
    • Z3Fs (MIT, F#): DSL for SMT problems using Z3 API in F#
    • z3-turnkey (ISC, Kotlin/Java): Build system for Z3 that creates a self-unpacking, standalone JAR file that ships all required native support code and automatically unpacks it at runtime
    • z3-floating-point-proofs (MIT, Python): automated proofs about floating-point numbers using the Z3 theorem prover
  • iZ3 (FUSC, C++/Python): Interpolating, supports: arithmetic, arrays, uninterpreted functions, and quantifiers (Microsoft Research)
  • Yices (GPLv3, C): SMT solver that decides the satisfiability of formulas containing uninterpreted function symbols with equality, real and integer arithmetic, bitvectors, scalar types, and tuples. Supports both linear and nonlinear arithmetic. Reads input from SMT-LIB or Yices' own specification language, includes Python bindings (SRI/CSL)
    • yices (MIT, Python): Python bindings for yices2 (SRI CSL)
  • Boolector (GPL-3): bit-vectors and arrays (Johannes Kepler Univ. Linz, Upper Austrian Univ. of Applied Sciences)
  • MathSAT (FUSC, C++, Python/Java bindings): Theories: equality and uninterpreted functions, linear arithmetic, bit-vectors, and arrays, and Functionalities: computation of Craig interpolants, extraction of unsatisfiable cores, generation of models and proofs, and the ability of working incrementally (FBK, Univ. Trento)
  • SMT-LIB (?, C++): format for Finite lists, sets, maps (Oxford Univ.)
  • Alt-ERGO (FUSC, OCaml): built upon CC(X) algorithm (INRIA, Univ. Paris Sud, CNRS, Lri)
  • mSAT (Apache-2.0, OCaml): Modular SAT/SMT solver with proof output, derives from ERGO (INRIA)
  • veriT (BSD-2, C/C++): Complete for quantifier-free formulas with uninterpreted functions and difference logic on real numbers and integers (INRIA, Nancy Univ., UFRN, CNPq, Loria)
    • haRVey (LGPL/BSD-2, C/C++): Predecessor of veriT: haRVey-FOL (LGPL), haRVey-SAT (BSD-2) (INRIA, Nancy Univ., UFRN, CNPq, Loria)
  • Simplify, its github (?, Modula-III): (SRC)
  • Beaver (BSD, OCaml): for the theory of quantifier-free finite-precision bit-vector arithmetic (UC Berkeley)
  • SBV (BSD-3, Haskell): SMT based verification in Haskell: Express properties about Haskell programs and automatically prove them using SMT solvers (ABC, Boolector, CVC4, MathSAT, Yices, Z3). (Intel)
  • list of SMT solvers (Univ. Iowa)
  • Decision Procedures: An Algorithmic Point of View (BSD-4, C++): software that accompanies the book Decision Procedures
  • llvm2smt (MIT, OCaml): Experimental translation of LLVM (3.5ish) IR to SMT-LIB (SRI CSL)
  • JavaSMT (Apache-2.0, Java/C): unified Java API for SMT solvers
  • bv2epr (GPLv3, C): tool for translating a QF_BV formula in SMT2 format into an EPR clause set in TPTP format (JKU)

Constraint Solving Problem (CSP) solvers

  • constraint (BSD-2, Python): Constraint Solving Problem resolver for Python (on PyPI) (Canonical)
  • Cassowary: incremental constraint solving toolkit that efficiently solves systems of linear equalities and inequalities. Constraints may be either requirements or preferences. Client code specifies the constraints to be maintained, and the solver updates the constrained variables to have values that satisfy the constraints, site source on GitHub
    • Cassowary (LGPLv2, C++): (original implementation) incremental constraint solving toolkit that efficiently solves systems of linear equalities and inequalities. Constraints may be either requirements or preferences. Re-solving the system happens rapidly, supporting UI applications. (Univ. of Washington)
    • RHEA (MIT, C++): modernized C++ version of the original Cassowary implementation
    • Kiwi (BSD-3, C++/Python): new implementation of the algorithm based on the Cassowary paper, 10x to 500x faster than the original, with Python bindings (Nucleic Development Team)
    • cassowary (BSD-3 and Apache-2.0, Python): pure python implementation of the Cassowary constraint solving algorithm, available on PyPI (Auburn Univ.)
    • Casuarius (LGPLv2.1, C++/Python): Cython bindings for the Cassowary Constraint Solving Toolkit version 0.6
    • Aqt.Cassowary (MIT, QML/C++/JavaScript): Qt plugin that allows running an incremental linear constraint solver in QML applications, and wraps RHEA
  • Babelsberg:
    • Babelsberg/JS (BSD-3, JavaScript): object constraint programming language and implementation, using the solvers Z3, DeltaBlue, and Cassowary
    • pybelsberg (BSD-3, Python): implementation of Babelsberg allowing constraint-based programming in Python, using the Z3 theorem prover

Other solvers

Logic programming

Software Synthesis

  • Leon, its github (BSD-2, Scala): Automated system for synthesizing and verifying functional Scala programs (EPFL)
    • COMFUSY (BSD-2, Scala): tool for synthesizing executable code from specifications in linear integer arithmetic and constraints on sets of objects (EPFL)
    • Kaplan (?, Scala): Scala extension that supports constraint-solving (EPFL)
    • RegSy (?, Scala): synthesis tool that can be used to build functions from specification written in WS1S (EPFL)
  • AutoBayes (NOSA, Prolog): automatic generation of customized algorithms from compact, declarative specifications in the data analysis domain, requires SWI Prolog, generates OCtave/Matlab code (NASA)
  • Jeeves (MIT, Python): programming language for automatically enforcing privacy policies and Python implementation (MIT)
  • MCGP (?, ?): automatic generation and correction of programs, based on model cheking and genetic programming (Bar-Ilan Univ.)

Runtime Verification

  • MOP (Java): Monitoring-Oriented Programming (UIUC)
    • JavaMOP (MIT, Java): Runtime verification system for Java, using AspectJ for instrumentation (UIUC)
    • ROSMOP (?, Java): Monitor Oriented Programming for ROS (UIUC)
  • CHIMP: LTL -> monitors: nondeterministic finite-word automata that accept all illegal executions (Rice Univ.)
  • LTL_3 (GPL): LTL -> Moore FSM monitor
  • TOPL (OCaml): monitor Java programs
  • Breach Toolbox(BSD-3, MATLAB/C++): Simulation-based design of dynamical, cyber-physical, and hybrid systems (UC Berkeley, Decyphir)
  • JTorX (BSD-3, Java): Model-based testing: Spec: Aldebaran | GraphML | dot | Jararaca | .sax | muCRL | .bcg | LOTOS, Implementation either these or real program (Univ. Twente)
  • TorX (Apache, ?): Conformance testing of reactive software (Univ. Twente, TU Eindhoven, Philips, Lucent)
  • [MonPoly] (http://sourceforge.net/projects/monpoly/) (?, OCaml): a prototype monitoring tool that checks compliance of log files with respect to policies specified in MFOTL (Metric First-Order Temporal Logic)
  • Montre (GPL-3, Pure/C++): A timed regular expression matcher (Verimag)
  • ROSRV (NCSA, C++/Java): runtime verification framework for the Robot Operating System (ROS) (Univ. of Illinois at Urbana-Champaign)

Yet un-categorized

TypeSetting

  • LTL (LPPL, LaTeX/TikZ): Configurable LTL math operators with LaTeX and TikZ or LTLFonts
  • fsmtex (?, Perl/TeX): FSM drawing in LaTeX using TikZ (Univ. Marseille)

Other tool lists

databases and benchmarks

  • Model checking benchmarking scripts (NASA SA, Perl): details on the experiments described in "LTL satisfiability checking" (NASA)
  • VLTS: MC benchmarks (CWI/SEN2, INRIA/VASY)
  • BEEM: MC benchmarks (Masaryk Univ.)
  • Mutual Exclusion Promela Source Codes: (Waseda Univ.)
  • Buchi Store
  • Promela Database: (IMT Lucca)
  • Spec Patterns: patterns commonly occuring in specs of concurrent/reactive systems (LTL, CTL, GIL, QRE, ACTL, RAFMC) (Univ. Massachusetts Amherst)
  • Hybrid system safety verification benchmarks
  • TPTP: Thousands of Problems for Theorem Provers (Univ. Miami)
  • Benchmark Verification Tasks: Benchmark verification tasks in software verification, as used in SV-COMP
  • Larry Wos' Notebooks: series of notebooks presenting some of Larry Wos’s most recent and hitherto unpublished research in automated reasoning (also in 1st order logic) (Argon Nat. Lab)
  • SMT-LIB: benchmarks for SMT
  • DPPD: The Dozens of Problems for Partial Deduction (DPPD) Library of Benchmarks aims at being a standard suite of benchmarks for partial deduction (Univ. Dusseldorf)
  • QMLTP: Quantified Modal Logics Theorem Proving (QMLTP) library provides a platform for testing and benchmarking ATP systems for first-order modal logics (Univ. Potsdam)
  • ILTP: Intuitionistic Logic Theorem Proving (ILTP) library provides a platform for testing and benchmarking ATP systems for first-order and propositional intuitionistic logic (Univ. Potsdam)
  • asparagus: Environment for submitting and archiving benchmarking Answer-Set Programming (ASP) problems and instances (Univ. Potsdam)
  • TPDB: Termination Problems Database of test problems for termination provers: term rewrite systems and logic programs (LRI)
  • CSPLib: Benchmark library of problems for constraint solvers (Izmir Univ. Economics, Univ. St Andrews, Univ. New South Wales)
  • OR-library: Test data sets for a variety of Operations Research (OR) problems (Imperial College London)
  • SATLIB: Benchmark problems, solvers, and tools for SAT related research (TU Darmstadt, Univ. British Columbia)
  • SatEx: Experiments and execution traces of SAT solvers, on all benchmarks that are provided
  • FEVS: set of programs designed to be used as a test suite for tools that verify functional equivalence (Univ. of Delaware)

(non-common) abbreviations

  • u: unspecified license

  • FUSC: Free Under Specific Condition (wikipedia term), usually free for academic/research use

  • closed: no source available, common situation: jar files

  • LPPL: LaTeX Project Public License

  • EPL: Eclipse Public License

  • BA: Buchi Automaton

  • GBA: Generalized BA

  • TP: Theorem Prover

  • ATP: Automatic TP

  • RTS: Real-time System(s)

  • PWA: PieceWise-Affine

  • MLD: Mixed Logical Dynamical

  • TU: Technical University

  • UT: University of Technology

  • MSR: Microsoft Research

  • FOL: First-order logic

  • HOL: Higher-order logic

  • bin: binary, no sources available/found

  • ?: absent either due to time-constrained browsing (please complete) | not found

You can’t perform that action at this time.