March 8, 2013
LTSmin offers different analysis algorithms covering four disciplines (algorithmic backends):
- Symbolic CTL/mu-calculus model checking using different BDD/MDD packages, including the parallel BDD package Sylvan,
- Multi-core LTL model checking using tree compression,
- Sequential LTL model checking, with partial-order reduction and optional BDD-based state storage, and
- Distributed LTS instantiation, export, and minimization modulo branching/strong bisimulation.
These algorithms each have their own strength, depending on the input model's structure and verification problem. For models with combinatorial state structure, the symbolic tools can process billions of states per second using only few memory. Models that exhibit much concurrency can be reduced significantly using partial-order reduction. Models with more dependencies can be explored with LTSmin's multi-core algorithms, which employ aggressive lossless state compression using a concurrent tree data structure. Finally, our distributed minimization techniques can aid the verification of multiple properties on a single state space.
LTSmin supports language independence via its definition of a Partitioned Next-State Interface (PINS), which exposes enough internal structure of the input model to enable the highly effective algorithms above, while at the same time making it easy to connect your own language module. The interface is also simple enough to support very fast next-state functions such as SPIN's (performance comparison here). LTSmin already connects a sizeable number of existing verification tools as language modules, enabling the use of their modeling formalisms:
- muCRL's process algebra,
- mcrl2's process algebra,
- DiVinE's DVE language, based on extended state machines,
- the builtin symbolic ETF format
- SPIN's Promela via the included SpinS, a SpinJa spinoff, and
- UPPAAL's timed automata via opaal.
The Partitioned Next-State Interface (PINS) splits up the next-state function in different groups. For example, each transition group can represent a line of code in an imperative language module or a summand in a process-algebraic language module. Using the static dependency information between transition groups and state vector variables (most groups only depend on a few variables), LTSmin's algorithms can exploit the combinatorial structure of the state space. This leads to exponential gains in performance for the symbolic algorithms, which can now learn the transition relation on-the-fly in a very effectively way, because it is partitioned. Using the same principle, LTSmin provides transition storing for transition caching with negligible memory overhead.
To connect a new language module, one merely needs to implement the PINS next-state functions and provide some type information on the state vector contents, which should be encoded according to PINS unifying integer vector format. By providing additional transition/state dependency information via the PINS dependency matrices, the symbolic exploration algorithms and PINS2PINS modules (see below) can exploit their full potential. Finally, by providing few additional information on transition guards the partial order reduction algorithms become enabled.
The PINS interface divides our model checking tools cleanly into the two independent parts discussed above: language modules and model checking algorithms. However it also enables us to create PINS2PINS modules, that reside between the language module and the algorithm, and modify or optimize the next-state function. These PINS2PINS modules can benefit all algorithmic backends and can be turned on and off on demand:
- transition storing/caching speeds up slow language modules,
- regrouping speeds up the symbolic algorithms by optimizing dependencies, and
- partial order reduction reduces the state space by dropping irrelevant transitions.
Download shortcut: http://fmt.cs.utwente.nl/tools/ltsmin/ltsmin.tar.gz
- Alfons Laarman. Scalable Multi-Core Model Checking. 2014. PhD Thesis
- Alfons Laarman, Elwin Pater, Jaco van de Pol and Michael Weber. Guard-based Partial-Order Reduction . SPIN 2013
- Alfons Laarman, Mads Chr. Olesen and Andreas Dalsgaard, Kim G. Larsen, Jaco van de Pol. Multi-Core Emptiness Checking of Timed Büchi Automata using Inclusion Abstraction . CAV 2013
- Alfons Laarman and David Farago. Improved On-The-Fly Livelock Detection: Combining Partial Order Reduction and Parallelism for DFSFIFO . NASA FM 2013
- Tom van Dijk, Alfons Laarman and Jaco van de Pol. Multi-core and/or Symbolic Model Checking. AVOCS 2012
- Freark van der Berg and Alfons Laarman. SpinS: Extending LTSmin with Promela through SpinJa. PDMC 2012
- Tom van Dijk, Alfons Laarman and Jaco van de Pol. Multi-core BDD Operations for Symbolic Reachability. PDMC 2012
- Tom van Dijk. The parallelization of binary decision diagram operations for model checking. 2012. MSc Thesis
- Sami Evangelista, Alfons Laarman, Laure Petrucci and Jaco van de Pol. Improved Multi-Core Nested Depth-First Search. ATVA 2012
- Andreas Dalsgaard, Alfons Laarman, Kim G. Larsen, Mads Chr. Olesen and Jaco van de Pol. Multi-Core Reachability for Timed Automata. FORMATS 2012
- Gijs Kant and Jaco van de Pol. Efficient Instantiation of Parameterised Boolean Equation Systems to Parity Games. Graphite 2012
- Alfons Laarman and Jaco van de Pol. Variations on Multi-Core Nested Depth-First Search. PDMC 2011
- Elwin Pater. Partial Order Reduction for PINS. 2011. MSc Thesis
- Tien Loong Siaw. Saturation for LTSmin. 2012. MSc Thesis
- Alfons Laarman, Rom Langerak, Jaco van de Pol, Michael Weber and Anton Wijs. Multi-Core Nested Depth-First Search. ATVA 2011
- Alfons Laarman, Jaco van de Pol and Michael Weber. Multi-Core LTSmin: Marrying Modularity and Scalability . NFM 2011
- Alfons Laarman, Jaco van de Pol and Michael Weber. Parallel Recursive State Compression for Free . SPIN 2011
- Alfons Laarman, Jaco van de Pol and Michael Weber. Boosting Multi-Core Reachability Performance with Shared Hash Tables. FMCAD 2010
- Stefan Blom, Jaco van de Pol and Michael Weber. LTSmin: Distributed and Symbolic Reachability. CAV 2010, LNCS 6174, pp. 354–359.
- Stefan Blom, Jaco van de Pol and Michael Weber. Bridging the Gap between Enumerative and Symbolic Model Checkers, Technical Report TR-CTIT-09-30, CTIT, University of Twente, Enschede. (2009)
- Stefan Blom, Bert Lisser, Jaco van de Pol, and Michael Weber. A Database Approach to Distributed State Space Generation. J Logic Computation (2009)
- Stefan Blom, Jaco van de Pol: Symbolic Reachability for Process Algebras with Recursive Data Types. ICTAC 2008: pp. 81–95
- Stefan Blom, Bert Lisser, Jaco van de Pol, and Michael Weber. A Database Approach to Distributed State Space Generation. ENTCS 198(1): pp. 17–32 (2007)
- Stefan Blom, Simona Orzan: Distributed state space minimization. STTT 7(3): pp. 280–291 (2005)
- Stefan Blom, Simona Orzan: A distributed algorithm for strong bisimulation reduction of state spaces. STTT 7(1): pp. 74–86 (2005)
- Stefan Blom, Izak van Langevelde, Bert Lisser: Compressed and Distributed File Formats for Labeled Transition Systems. ENTCS 89(1): (2003)
- Stefan Blom, Simona Orzan: Distributed Branching Bisimulation Reduction of State Spaces. ENTCS 89(1): (2003)
- lps2lts-sym (BDD-based reachability with mcrl2 frontend)
- dve2lts-mc (multi-core reachability with DiVinE 2 frontend)
- prom2lts-mc (multi-core reachability with Promela SpinS frontend)
- lpo2lts-seq (sequential enumerative reachability with muCRL frontend)
- etf2lts-dist (distributed reachability with ETF frontend)
- lps2torx (TorX testing tool connector with mcrl2 frontend)
- pbes2lts-sym (Symbolic tool reachability tool with PBES frontend: example)
- GNU/Linux (tested on Ubuntu, Debian, OpenSuSE 11.2)
- MacOS X, version 10.8 "Mountain Lion"
- MacOS X, version 10.7 "Lion"
- MacOS X, version 10.6 "Snow Leopard" (except multi-core muCRL/mCRL2)
- MacOS X, version 10.5 "Leopard" (except multi-core muCRL/mCRL2)
- Cygwin/Windows (tested on Windows 7 with Cygwin 1.7)
- Released Versions
- Snapshots (consult the build server for their constitution)
- ltsmin-master.tar.gz (current snapshot of the master release branch)
- ltsmin-maint.tar.gz (current snapshot of the maint maintenance branch)
- ltsmin-next.tar.gz (current snapshot of the next test branch)
- ltsmin.git (browsable Git repository) This is a read-only Git repository, where the master branch is equal to the released tarball, the maint branch contains fixes on top of master, and the next branch is our development branch containing (unstable) features that will be included in the next release. For direct checkout using git:
$ git clone -b next http://fmt.cs.utwente.nl/tools/scm/ltsmin.git
First, install the dependencies listed in Section "Build Dependencies" below.Next, if you are building the software from a Git repository or release snapshot, refer to Section "Building from a Git Repository" for additional set-up instructions. Otherwise, continue by executing the following build instructions:
# Unpack the tarball $ tar xvzf ltsmin-<version>.tar.gz $ cd ltsmin-<version> # Configure $ ./configure --disable-dependency-tracking --prefix /path/
It is a good idea to check the output of
./configure, to see whether
all dependencies were found.
# Build $ make # Install $ make installFor compilation with debug options, use the following command line:
$ make CFLAGS="-DLTSMIN_DEBUG -g -O0"LTSmin's tools can then be run with an option --debug=file.c, to enable debug output from a specific source code file.
Additional Build Options
For one-shot builds, the following option speeds up the build process by not recording dependencies:
./configure --disable-dependency-tracking ...
Non-standard compilers, etc., can be configured by using variables:
./configure CFLAGS='-O3' CXXFLAGS='-O3' \ CC='gcc -m64' \ MPICC='/sw/openmpi/1.2.8/bin/mpicc -m64' \ MPICXX='/sw/openmpi/1.2.8/bin/mpicxx -m64' \ ...
This would add some options to the standard
settings used for building to enable more optimizations and force a
64-bit build (for the GCC C compiler). Furthermore, the MPI compiler
wrappers are set explicitly instead of searching them in the current
Note that libraries installed in non-standard places need special attention: to be picked up by the configure script, library and header search paths must be added, e.g.:
./configure LDFLAGS=-L/opt/local/lib CPPFLAGS=-I/opt/local/include
Additional setting of
(DY)LD_LIBRARY_PATH might be needed for the
dynamic linker/loader (see, e.g., "
man ld.so" or "
./configure --help for the list of available variables,
and file INSTALL for further details.
The following additional
make targets are supported:
- Builds everything.
Installs the software into path
Clean the source tree to various degrees. Using
mostlycleanis enough in many cases.
- Builds Doxygen documentation for the source code.
The following external libraries and tools are required for building LTSmin:
Download popt (>= 1.7) from <http://rpm5.org/files/popt/>. We tested with popt 1.14.
Download zlib from <http://www.zlib.net/>.
Download GNU make from <http://www.gnu.org/software/make/>.
Download Flex (>= 2.5.35) from <http://flex.sourceforge.net/>.
Download Apache Ant from <http://ant.apache.org/>. We tested with ant-1.8.2. Note that ant is not required for building from a distribution tarball (unless Java files were modified). Note that we require JavaCC task support for Ant.
Download muCRL (>= 2.18.5) from <http://www.cwi.nl/~mcrl/mutool.html>. We tested with muCRL-2.18.5. Without muCRL, the AtermDD decision diagram package will not be built.
Note that for 64-bit builds, you have to explicitly configure muCRL for this (otherwise, a faulty version is silently build):
For best performance, we advise to configure muCRL like this:
./configure CC='gcc -O2' --with-64bit
Download the latest version of mCRL2 from <http://www.mcrl2.org/>. We tested with mCRL2 release 201202.0. Note that all versions before SVN rev.10225 are insufficient (in particular, all versions of mCRL2 up to and including the July 2011 release).
Build and install mCRL2:
cmake . -DCMAKE_INSTALL_PREFIX=... -DBUILD_SHARED_LIBS=ON make make install
The graphical tools of mCRL2 are not required for ltsmin to work, hence you can also build mCRL2 without:
cmake . -DMCRL2_ENABLE_GUI_TOOLS=OFF -DCMAKE_INSTALL_PREFIX=... -DBUILD_SHARED_LIBS=ON
Download libDDD (>= 1.7) from <http://move.lip6.fr/software/DDD/>. We tested with libDDD 1.7 (version 1.8 seems to work, but the included headers of google sparsehash need to be installed manually, otherwise LTSmin does not compile).
In principle, any MPI library which supports MPI-IO should work. However, we tested only with Open MPI <http://www.open-mpi.org/>. Without MPI, the distributed tools (xxx2lts-dits, ltsmin-mpi) will not be built.
Download AsciiDoc (>= 8.4.4) from <http://www.methods.co.nz/asciidoc/>. We tested with asciidoc-8.4.4. Without asciidoc, documentation cannot be rebuilt. For convenience, release tarballs are shipping with pre-built man pages and HTML documentation.
Download xmlto from <http://cyberelk.net/tim/software/xmlto/>. We tested with xmlto-0.0.18. Without xmlto, man pages cannot be rebuilt. Note that xmlto in turn requires docbook-xsl to be installed. We tested with docbook-xsl-1.76.1.
Download Doxygen from <http://www.doxygen.org/>. We tested with doxygen-1.5.5. Without doxygen, internal source code documentation cannot be generated.
See the CADP website on how to obtain a license and download the CADP toolkit.
For cross-compilation builds on MacOS X, the Apple Developer SDKs must be installed. They are available from Apple <http://developer.apple.com/tools/download/>, or from the MacOS X installation CDs.
Before building the software as described above, the following commands have to be executed in the top-level source directory:
# Rebuid autotools support $ git submodule update --init $ ./ltsminreconfMake sure you have installed the dependencies below and then continue with the normal installation instructions.
Building from another source than a release tarball requires some extra tools to be installed:
Download automake (>= 1.10) from <http://www.gnu.org/software/automake/>. We tested with automake-1.10.
Download autoconf (>= 2.60) from <http://www.gnu.org/software/autoconf/>. We tested with autoconf-2.68.
Download libtool (>= 2.2.6) from <http://www.gnu.org/software/libtool/>. We tested with libtool-2.4.SpinS. Promela models can compiled as follows:
spins model.promThis yields a library model.prom.spins, which can be loaded by LTSmin's prom2* tools.
Download a patched version of DiVinE 2.4:
git clone http://fmt.cs.utwente.nl/tools/scm/divine2.git
cd divine2 mkdir _build && cd _build cmake .. -DGUI=OFF -DRX_PATH= -DCMAKE_INSTALL_PREFIX=... -DMURPHI=OFF make make install
(On MacOS X, option -DHOARD=OFF might have to be added to the
cmake command line to make it compile without errors.
The LTSmin configure script will find the DiVinE installation automatically, if the divine binary is in the search path. With suitable options, the divine compile DVE compiler produces LTSmin compatible libraries:
divine compile -l model.dve
This produces a file "model.dve2C", which can also be passed to LTSmin tools. (This step is done automatically by the LTSmin dve2* tools when passing a ".dve" model, doing it manually is rarely needed.)
$ opaal_ltsmin --only-compile model.xml
This produces a PINS library called "model.so", which can be passed to LTSmin tool opaal2lts-mc (only multi-core reachability and LTL model checking with tree compression is support at the moment).
Scalability of the UPPAAL DBM library required by opaal can be limited without a concurrent allocator. Therefore, we recommend the installation of TBB malloc. The TBB allocator can be loaded transparently using library preloading:
export LD_PRELOAD=libtbbmalloc_proxy.so opaal2lts-mc model.so
Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, Formal Methods and Tools, University of Twente
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the University of Twente nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
For support/questions, email:
For bug reports and feature suggestions, visit: LTSmin bug tracker
For news and updates, subscribe to our mailing list: firstname.lastname@example.org