Tools for Formal Methods: Tools

2LS

2LS ("tools") is a verification tool for C programs, built upon the CPROVER framework. It allows one to verify user-specified assertions, undefined behaviour, memory leaks, and termination properties. The analysis is performed by translating the verification task into a second-order logic formula over bitvector, array, and floating-point arithmetic theories. The formula is solved by a modular combination of algorithms involving unfolding and template-based invariant synthesis with the help of incremental SAT solving.

aise

AISE is a software verifer that verifes C programs with respect to reachability properties. The key idea of AISE is to synergize symbolic execution (SE) and abstract interpretation (AI).

AProVE (KoAT + LoAT)

AProVE (KoAT + LoAT) is a system for automated termination proofs for C / LLVM programs. To (dis)prove termination of C programs, AProVE uses symbolic execution to transform the program's LLVM code into an integer transition system (ITS). These ITSs are analyzed by our backend tools KoAT (for termination) and LoAT (for non-termination).

BLAST

BRICK

Bubaak

Bubaak-SpLit

CADP

CADP is a verification toolbox developed initially at Verimag, then at INRIA Grenoble. It provides compilers for concurrent languages (message-passing communication), as well as tools for model checking (value-passing modal mu-calculus), equivalence checking (bisimulations and behavioural preorders), simulation, and test-case generation. The first version of CADP was released in 1989.

CBMC

cetfuzz

COASTAL

ConcurrentWitness2Test

ConcurrentWitness2Test is a violation witness validator for concurrent software. Taking both data-nondeterminism and interleaving-based nondeterminism into account, the tool aims to use the metadata described in the violation witnesses to synthesize an executable test harness.

CoOpeRace

CoVeriTeam-Verifier-AlgoSelection

CoVeriTeam-Verifier-ParallelPortfolio

CoVeriTest

CoVeriTest is a test-case generation approach based on the analysis framework CPAchecker. It mainly uses verification techniques to detect the (un)reachability of test goals and generates test cases from the counterexamples to unreachability of the test goals. More concretely, it is a hybrid approach that interleaves expicit value analysis and predicate analysis to check the reachability of test goals.

CPA-BAM-BnB

CPA-BAM-SMG

CPA-witness2test

CPA-witness2test is an execution-based validator for violation witnesses on C programs. It derives a test case from a violation witness and executes the input program on the derived test case. If CPA-witness2test observes that the execution triggers a property violation, then the witness under validation is confirmed.

CPAchecker Logo of a tool

CPAchecker is a configurable framework for software verification that is based on configurable program analysis and implements many model-checking algorithms to check for software errors and to verify program properties.

CPALockator

CProver-witness2test

CPV Logo of a tool

Crux

CSeq

Dartagnan

DASA

Deagle

Deagle is an partial-order-based bounded model checker for concurrent program verification. It is built on top of CBMC-5 (front-end) and MiniSAT-2.2.1 (back-end), majorly enhancing them with an ordering consistency theory which handles ordering relations over shared memory accesses in concurrent programs.

DIVINE

EBF

EmergenTheta

EmergenTheta is a variant of Theta utilizing emerging techniques previously missing from Theta. We step away from Theta's conventional, abstraction-based techniques and use a portfolio of BMC, IMC, k-induction, and saturation based techniques, with possible implicit predicate abstraction.

ESBMC-incr Logo of a tool

ESBMC-kind Logo of a tool

FDSE

Fizzer

Fizzer is a gray-box fuzzer focussing of coverage of atomic Boolean expressions (mainly number comparison instructions). It uses dynamic taint-flow analysis and local space fuzzing (gradient descent, bit and random mutations performed in local spaces).

Frama-C-SV

FuSeBMC Logo of a tool

FuSeBMC is an award-winning automated software testing tool that integrates Bounded Model Checking (BMC), Fuzzing, and Artificial Intelligence (AI) to enhance software security and reliability. Designed to detect and repair security vulnerabilities in C programs, FuSeBMC improves code quality while reducing false positives and operational disruptions.

FuSeBMC-AI

Gazer-Theta

GDart

GDart-LLVM

Goblint Logo of a tool

Goblint Logo of a tool

Goblint is an abstract interpretation framework that is dedicated to the sound thread-modular analysis of multi-threaded programs, especially for data races.

Goblint-Par Logo of a tool

Goblint-Par is a parallel variant of Goblint.

Goblitch

Goblitch combines Goblint's abstract interpretation with the Witch validator. It iteratively refines Goblint's precision by generating candidate error paths and using symbolic execution to confirm or refute the paths until a feasible counterexample is found or the search is exhausted.

Graves-CPA

Graves-Par

GWIT

Hornix

Hornix is a software-verification tool based on the LLVM framework, aiming to verify C/C++ code by employing a custom LLVM pass on the LLVM IR level. It transforms the LLVM IR into a system of constrained Horn clauses (CHC) and uses Z3 to decide about its satisfiability.

HybridTiger

iekke

Iekke is an partial-order-based bounded model checker for concurrent program verification. It is built on top of Deagle (front-end) and MiniSAT-2.2.1 (back-end).

Infer

Java-Ranger

JayHorn

JBMC

JBMC is an open-source SAT- and SMT-based bounded model checking tool for verifying Java bytecode. JBMC can be used to verify or falsify functional properties and show the absence or presence of runtime errors. JBMC relies on an operational model of the Java libraries optimized for program analysis.

JCWIT

JDart

JLiSA

KeY

KeY is a tool for deductive verification to prove the correctness of Java programs.

KLEE

KLEEF

Korn

Korn is a software verifier for the C programming language. It translates the input program to a representation with constrained Horn clauses (CHCs) and uses off-the-shelf solvers to find loop invariants and function summaries.

Lazy-CSeq

Legion

Legion/SymCC

LF-checker

LIV

LIV is a witness validator that splits the input program into straight-line programs based on the rules of hoare logic. It tries to prove or refute the invariants provided in the input correctness witnesses based on the straight-line programs.

Locksmith

LTSmin

LTSmin is a language-independent model-checking toolset supporting multiple input languages and advanced state-space generation techniques via a unified PINS interface. It features modular architecture, symbolic/distributed/multi-core reachability, and easy extensibility for new languages.

MetaVal

MetaVal is an annotation-based witness validator that uses an 'off-the-shelf' verifier to re-establish the verification result using a program expressing the product automaton of the witness and input program. From the verification verdict of the product program the witness validation verdict is obtained.

MetaVal++

MetaVal++ is the successor of MetaVal. It validates witnesses by transforming a validation task (a specification, a program, and a verification witness) into a validation or verification task. MetaVal++ provides multiple different frontends for the task transformation. Each produced task can then be verified using multiple verification backends.

MLB

Mopsa Logo of a tool

Nacpa

Nacpa is a meta-verifier for C programs. It is based on strategy selection, parallel portfolios, and native compilation of Java.

NITWIT

OGChecker

OGChecker is built on top of CPAchecker4.1 and utilizes the observing graph-based partial-order technique for efficient verification of concurrent programs.

Owi

PeSCo-CPA

PIChecker

Pinaka

PredatorHP

PRISM

PRISM is a probabilistic model checker. It has been developed and maintained at Oxford University over the past 25 years. At its core, the tool supports formal modeling and analysis of systems with random or probabilistic behavior, and it can analyze a wide spectrum of models based on Markov chains and probabilistic automata.

PROTON

PRTest

PRTest is a plain random black-box test-case generator that uses random generation of input values and coverage checks to find input values that improve the coverage. The purpose of PRTest is to provide a base line for performance evaluation of test-generation tools, and therefore, it does not employ any complementing techniques, such as symbolic reasoning or evolutionary algorithms.

RacerF

RacerF is a static analyser for detection of data races in multithreaded C programs implemented as a plugin of the Frama-C platform. The tool is based on a combination of under- and over-approximation techniques to provide fast and scalable analysis, without sacrificing too much precision.

Re3ver

Re3ver is a tool for reachability analysis, integrating a preprocessor which reverses the input programs into the verifier Symbiotic.

RELAY-SV

Rizzer

SEAL

SEAL is a static analyzer aimed at verifying programs that work with dynamic memory, especially linked lists. It is implemented as a plugin for the Frama-C framework. The analysis is based on abstract interpretation with a domain of separation logic formulae representing abstract memory states. For deciding SL formulae, SEAL uses Astral, a dedicated solver for separation logic.

Sikraken

SPF

SV-sanitizers

SV-COMP wrapper for sanitizers (ThreadSanitizer, AddressSanitizer, LeakSanitizer, UndefinedBehaviorSanitizer).

SVF-SVC

SVF-SVC is an SV-COMP compatibility wrapper around the Static Value-Flow Analysis Framework (SVF) which leverages sparse and on-demand analysis to check for software vulnerabilities and verify program invariants.

SWAT

Symbiotic

Symbiotic is a configurable framework for program analysis and verification combining static analyses, program slicing, and several tools as verification engines, in particular (a fork of) Klee and Slowbeast.

Symbiotic-Witch

Symbiotic-Witch is a tool validating violation witnesses of verification results in the witness format 1.0. The tool uses some components of Symbiotic and (a fork of) Klee.

TestCoCa

TestCov

Theta Logo of a tool

Theta is a model checking framework, with a strong emphasis on effectively handling concurrency in software using abstraction refinement algorithms. We utilize our portfolio with dynamic algorithm selection to guide configuration synthesis and ordering, thus providing an automatic, adaptive verification solution.

Thorn

Thorn is a variant of Theta, utilizing CHC solvers as backends instead of the conventional model checking algorithms of Theta.

TracerX

TracerX is a dynamic symbolic executor that uses interpolation to prune subtrees whose traversal is no longer necessary due to their similarity with previously visited paths.

TracerX-WP

TracerX-WP is a dynamic symbolic execution engine that employs abstraction learning to prune subtrees which are not necessary for traversal, based on their similarity to previously explored paths. It leverages Weakest Precondition interpolation to represent the learned abstractions effectively.

UAutomizer Logo of a tool

Ultimate Automizer is a software model checker that is based on automata-based techniques and interpolation to check for software errors and to verify program properties.

UGemCutter Logo of a tool

GemCutter is a verifier for concurrent programs based on commutativity, i.e., the observation that for certain statements from different threads, the execution order does not matter. It integrates partial order reduction algorithms (that take advantage of commutativity) with a trace abstraction-based CEGAR scheme.

UKojak Logo of a tool

Kojak analyses programs using an extension of the Lazy Interpolants CEGAR scheme.

UParalizer

Ultimate Paralizer is a software model checker that is based on parallel trace abstraction. It analyis multiple counterexample in parallel, including: feasibility checks, interpolation and refinements.

UReferee Logo of a tool

Ultimate Referee is a correctness witness validator.

UTaipan Logo of a tool

Ultimate Taipan checks if a program satisifes some safety property by combining trace abstraction with abstract interpretation. Instead of only generating proofs from single traces with an SMT solver, it also uses an abstract interpreter applied to the path program induced by a trace. For concurrency, it uses an explicit product of finite automata.

UTestGen Logo of a tool

Ultimate TestGen is a tool for automatic test-case generation. It checks the (un)reachability of test goals and generates test cases from counterexamples by extending trace abstraction with error automata.

VerCors Logo of a tool

The VerCors verifier is a tool for deductive verification of concurrent and parallel software. VerCors can reason about programs written in different programming languages, such as Java, C and OpenCL, where the specifications are written in terms of pre-post-condition contracts using permission-based separation logic. VerCors is able to reason about data-race freedom, memory safety, and functional correctness, and it has been applied on several realistic case studies. Several tools are being developed directly on top of VerCors by encoding their input languages to VerCors' internal representation, allowing reuse of the existing infrastructure for verification. These tools are Alpinist, Vesuv, and VeyMont.

VeriAbs

VeriAbsL

VeriFuzz

VeriOover

WASP-C

Wit4Java

Witch

Witch is a tool validating violation witnesses of verification results in the witness format 2.0. The tool uses some components of Symbiotic and (a fork of) Klee.

WitnessLint

WitnessLint is a simple witness validator that rejects only witnesses that do not adhere to the witness format specification. It does this through syntactic checks of the verification witnesses. It is used by the competition SV-COMP to 'desk-reject' witnesses that do not adhere to the format specification, such that invalid witnesses do not yield points in the competition.

WitnessMap

WitnessMap is a simple tool with the same input and output as a verifier that only copies witnesses contained in validation tasks to its output folder. It is used by SV-COMP to place existing verification witnesses at the location where the competition infrastructure expects them (this way, the witness is technically 'produced' by a tool with the same interface as a verifier).