package kind2

  1. Overview
  2. Docs
Multi-engine, parallel, SMT-based automatic model checker for safety properties of Lustre programs

Install

Dune Dependency

kind2-mc.github.io Readme Changelog Apache-2.0 License Edit opam file Versions (12)

Authors

  1. T
    The Kind 2 development team

Maintainers

  1. D
    Daniel Larraz <daniel-larraz@uiowa.edu>

Sources

v2.1.1.tar.gz
md5=1d6cb59c9c73125486be32ce06f07ac4
sha512=92cd29dde9629fac5c2412909208cf435a93a1736b6355a802f6143959f14d0ee3bfa5366dfbf9866dfc42f7986725d711252a1bded5bee04b0ea17843d7d06f

CHANGES.md.html

Kind 2 v2.1.1

This release includes some minor improvements and various fixes. Notably:

  • Fix soundness bug in IC3IA engine

  • Allow variables with subrange types in the interface of a contract node

  • Accept new versions of cvc5 for proof production (up to 1.1.0)

Kind 2 v2.1.0

This release includes multiple improvements and bug fixes. Notably:

  • Add new option for printing the set of viable states of a realizable contract (--print_viable_states).

  • Allow the second argument of a shift operator to be non-constant.

  • Add support for the latest versions of SMT solver Bitwuzla (v0.1.1 and above).

  • Fix compatibility issue with OCaml 5.0.0+

  • Fix printing of values of stateless variables in counterexamples (bug introduced in v2.0.0).

  • Fix several bugs related to the definition and use of arrays in Lustre models.

  • Add static checks on the definition of global subrange constants.

  • Accept param keyword for the declaration of system parameters (global constants without a definition).

  • Add subrange and enum constraints on system parameters.

  • Fix type checking and handling of constant node arguments.

  • Other improvements and bug fixes in the Lustre front end.

Kind 2 v2.0.0

New features:

  • Support for SMTInterpol as a backend solver.

  • New IC3 engine based on Implicit (Predicate) Abstraction:

    • Supported interpolating SMT solvers: MathSAT, SMTInterpol, and OpenSMT.

    • Generation of interpolants with Z3 and cvc5 supported through built-in method based on QE.

    • See documentation for more details.

  • Support for subrange types with an open end:

    • type T = subrange [*,N] of int

    • type T = subrange [N,*] of int

Improvements:

  • Add additional non-vacuity check for contract modes.

    • The new check considers only the info of the contract.

  • Optimize performance of counterexample reconstruction.

  • Fix handling of reachability properties in compositional-modular analysis.

  • Fix simulation of systems with imported subnodes.

  • Fix logic setting for Yices 2.

  • Fix logic setting and constant declaration in certificates.

Changes:

  • Add --exit_code_mode option to control exit code convention.

Kind 2 v1.9.0

New features:

  • Add support for elsif clauses in If-Then-Else constraints.

  • Add dedicated syntax for reachability properties of the form:

    • check reachable P [from <int>] [within <int>]

    • check reachable P at <int> The modifiers from, within and at allow users to specify a lower and upper bound on the number of execution steps in the witness trace.

  • Add dedicated syntax for conditional properties of the form:

    • check A provided B

  • Add non-vacuity checks for conditional properties and contract mode implications.

  • Add command-line options --check_reach and --check_nonvacuity that allow users to enable/disable reachability and non-vacuity checks.

  • Add command-line options --print_cex and --print_witness that allow users to enable/disable printing of counterexamples and reachability witnesses.

  • Add command-line options --dump_witness and --dump_deadlock that allow users to dump witnesses and deadlocks to files. Note: Kind 2 already supported the command-line option --dump_cex.

Improvements:

  • Fix underreporting issue in the computation of conflicting constraints (bug introduced in v1.6.0).

  • Fix reporting of contract mode elements in IVCs and conflicting constraints (bug introduced in v1.8.0).

  • Fix setting of SMT-LIB logic for the non-linear combination of integers and reals.

  • Fix computation of dependencies for clock operators in new the Lustre front-end.

  • Other fixes and improvements in the new front-end.

Changes:

  • New backward-incompatible convention for exit codes.

    • Now Kind 2 follows the POSIX convention of returning 0 for successful checks.

    • See documentation for more details.

  • Add --fake_filepath option for LSP server.

Kind 2 v1.8.0

New features:

  • Add syntax for If-Then-Else constraints and Frame Condition constraints (see documentation).

  • Add support for SMT solver Bitwuzla.

    • Its predecessor, Boolector, is no longer supported.

  • Add option --flatten_proof to break down LFSC proofs into a sequence of lemmas.

    • This option helps reduce the memory footprint of the LFSC checker and improve its performance as the proof for each lemma is verified by the LFSC checker independently.

Improvements:

  • Fixes and improvements solving machine integer problems:

    • Support for non-standard bit-vector constants and symbols returned by MathSAT and Z3

    • Fix path compression bit-vector encoding in minimization of set of invariants.

  • Fixes and improvements in the new Lustre front-end.

Kind 2 v1.7.0

New features:

  • Support for new SMT solver cvc5.

    • Its predecessor, CVC4, is no longer supported.

  • A revamp of Kind 2's proof production facility:

    • The new version replaces CVC4 with cvc5 as the main back-end proof-producing SMT solver.

    • It produces more detailed proofs and covers a wider range of input models.

    • The new proofs are still processable by the external proof checker LFSC.

Improvements:

  • Support for unary negation and subtraction of unsigned machine integers.

  • Fix invariant pruner: some non-trivial one-state invariants were not included in certificates.

  • Fix problem with reported locations in IVC output.

  • Fix selection of logic in computation of MCS.

  • Fix version detection of SMT solvers.

  • Multiple fixes and improvements in the new Lustre front-end.

Kind 2 v1.6.0

New features:

  • A new implementation of Kind 2's language front-end with:

    • Support for forward references to nodes and modes in contracts.

    • Individual namespaces for imported contracts.

    • Enhanced type checking of composite data types.

    Internally, the new implementation follows a multi-pass approach more strictly. This should facilitate the extensibility and maintenance of the new front-end. Although we strongly encourage users to use the new front-end, the old front-end can still be enabled for now by passing --old_frontend true to Kind 2.

Improvements:

  • Fix issue where the inductive step check could incorrectly declare a property k-inductive after a contract has been refined in compositional verification.

  • Fix bug in minimization of set of invariants.

  • Fix XML and JSON output produced by the certificate generation post-analysis.

  • Include various updates and fixes to the realizability and satisfiability checks of contracts. Now there is a flag to (de)activate the computation of a deadlocking trace, --print_deadlock, and a flag to (de)activate the satisfiability check of an unrealizable contract, --check_contract_is_sat.

Changes:

  • New default behavior: if no node is marked as a main node, Kind 2 considers all the top nodes for analysis.

  • Functional congruence is only enforced on abstract functions when the flag --enforce_func_congruence is true (default: false).

  • Make Kind 2 compatible with recent versions of Menhir (20211230 and later).

  • Remove two experimental post-analyses: invariant logging and silent contract loading.

  • Remove support for automata.

Kind 2 v1.5.1

This release includes performance improvements and various fixes. Notably:

  • Improve performance of realizability checks with Z3.

  • Fix realizability check of imported functions.

  • Fix realizability check when --ae_val_use_ctx is false (bug introduced in v1.5.0).

  • Fix generation of tracing information when a contract is proven unrealizable.

  • Fix shape of generated invariant candidates when --invgen_all_out is true.

  • Fix generation of SMT-LIB 2 certificates.

  • Make Kind 2 compatible with the latest version (5.1.4) of the OCaml bindings for ZMQ.

In addition, this version adds support for a new Visual Studio Code extension for Kind 2.

Thanks to Andreas Katis for his feedback and bug reports.

Kind 2 v1.5.0

New features:

  • Print a deadlocking trace and a set of conflicting constraints when a contract is proven unrealizable.

  • Multiple nodes can be annotated as main nodes so that analysis results for common subnodes are shared in modular analysis.

  • New option to dump each counterexample to a file (--dump_cex).

Improvements:

  • Require and ensure clauses of contract modes are eligible elements for IVCs and MCSs when the contracts category is selected.

  • Print values of (free) constants in counterexamples.

  • Print summary before terminating when CTRL-C is pressed.

  • Prevent invariant generation engine from crashing when processing global constants.

  • Fix handling of XOR operator in IC3.

  • Fix minor issues in IVC/MCS module.

  • Other bug fixes and enhancements.

Changes:

  • Kind 2 now requires:

    • OCaml 4.09 or later

    • Dune 2.7 or later

Thanks to M. Anthony Aiello, Andreas Katis, and Amos Robinson for their feedback and suggestions.

Kind 2 v1.4.0

New features:

  • New option for checking contracts of imported nodes (see documentation).

    • Current checks: realizability and satisfiability checking.

Improvements:

  • Improve compositional reasoning about assumptions of called nodes.

    • See issue #736 for more details (thanks to Amos Robinson).

  • Print values of ghost variables in counterexamples.

  • Fix and update bounds checking feature for subrange streams.

    • Thanks to Aaron Carroll, Amos Robinson, and Vivian Ye-Ting Dang for their bug reports.

  • Fix issue in MUST set generation when a single MIVC is computed.

  • Accept fractions in JSON input for interpreter.

  • Other bug fixes.

Changes:

  • Always check node calls are safe, not only in compositional mode.

  • Set check_subproperties flag to true by default.

    • Ignored if modular analysis is true.

  • Abstract call only if contract has at least one guarantee or one mode.

Kind 2 v1.3.1

This release includes performance improvements and various fixes. Notably:

  • Fix soundness issue in path compression when there are temporal dependencies between input values.

    • Thank you to M. Anthony Aiello for finding this bug.

  • Fix bug in extraction of an active path during IC3 generalization.

  • Improve IC3 performance over large models that contain reals or machine integers.

  • Fix issue reading models from the latest version of Z3 (4.8.10). It caused a runtime error during IVC generation.

Kind 2 v1.3.0

New features:

  • Computation of Inductive Validity Cores and Minimal Cut Sets.

  • Invariant generation for machine integers.

    • Engine names: INVGENMACH and INVGENMACHOS.

  • IC3 model checking engine for machine integers.

    • The pre-image computation is based on quantifier elimination over bit-vectors.

    • It requires SMT solver Z3 at this time.

  • Support for abstract types (#594, thanks to Amos Robinson).

  • Support for SMT solvers Boolector and MathSAT.

    • It requires the develop version of Boolector at this time (commit 5d18baa and later).

  • New command-line option to only parse Lustre inputs (--only_parse true).

Improvements:

  • Support for version 1.8 of SMT solver CVC4.

  • Improved support for machine integers.

  • Reduced number of activation literals used in BMC encoding.

  • Fixed returned exit code for modular analysis (#684).

  • Other bug fixes.

Changes:

  • Removed CZMQ sources and OCaml bindings for CZMQ from the Kind 2 repository.

    • Kind 2 now requires ZMQ 4.x or later to be installed on your system.

  • Replaced old build system with new one based on dune and OPAM.

    • See README file for new requirements and installation instructions.

Kind 2 v1.2.0

New features:

Many bug fixes!

Kind 2 v1.1.0

This new version features many internal improvements as well as several new features over v1.0.1 (more than 300 commits):

  • Support for Scade 6 automata (see documentation)

  • Support for Scade 6 arrays

  • Arithmetic invariant generation: up to v1.0.1, the main invariant generation technique besides the IC3 engine was boolean template-based invariant generation. This technique can discover equalities and implications between predicates over the state variables of the system.

    The technique has been extended to arithmetic terms (int and real): Kind 2 can discover equalities and orderings (<=) between arithmetic terms mined from the input system.

    The boolean, integer and real template-based invariant generation techniques all come in two flavors: one-state which can only relate terms over the current state, and two-state which can relate terms mentioning the current and the previous state.

    Each of them runs as a different process at runtime. By default, only the following are active:

    • INVGENOS (one-state boolean)

    • INVGEN (two-state boolean)

    • INVGENINTOS (one-state integer)

    • INVGENREALOS (one-state real)

  • Several features distinct from the actual verification process were introduced in Kind 2 v1.0.0: certification, contract generation, compilation to Rust, and test generation.

    These features are now aggregated under the term post-analyses. Most of them have been improved and v1.1.0 introduces a post-analysis: invariant logging. This feature attempts to log strengthening invariants discovered by Kind 2 as a contract.

  • Silent contract loading attempts to load contracts generated by Kind 2 during previous runs as candidate properties for the current run (see documentation)

Kind 2 v1.0.1

  • Read files on standard input in Lustre format

Kind 2 v1.0.0

This new version brings many new features and improvements over v0.8 (more than 800 commits).

NB:

  • Kind 2 now requires OCaml 4.03 or higher

New features:

  • 2-induction: makes Kind 2 react quicker to good strengthening invariants discovered by invariant generation

  • Assume/guarantee-based contract language with modes as Lustre annotations (see documentation)

    • specification-checking: before checking a node with a contract, check that the modes from the contract cover all situations allowed by the assumptions (implementation-agnostic mode exhaustiveness)

  • Compositional reasoning: --compositional (see contract semantics)

    • abstraction of subnodes by their contract

  • Modular analyses: --modular

    • Kind 2 traverses the node hierarchy bottom-up

    • applying the analysis specified by the other flags to each node

    • reusing results (invariants) from previous analyses when relevant

    • allows refinement when used with compositional reasoning

  • Compilation from Lustre to Rust: --compile

  • Mode-based test generation: --testgen

    • explores the DAG of activeable modes from the initial state up to a depth

    • generates witnesses as traces of inputs logged as XML files

    • compiles the contract as an executable oracle in Rust: reads a sequence of inputs/outputs values for the original node on stdin and prints on stdout the boolean values the different parts of the contract evaluate to

  • Generation of certificates and proofs: --proof and --certif

    • produces either SMTLIB-2 certificates or LFSC proofs

    • distributed with LFSC proof rules for k-induction

    • requires CVC4, JKind and the LFSC checker for proofs

    • generate proofs skeletons for potential holes

  • Support for forward references on nodes, types, constants and contracts

  • Output and parser for native (internal) transition system format

  • Contract generation: --contract_gen

    • Very experimental: the modes generated might not be exhaustive and the check exhaustiveness check might fail

    • This feature's main goal, for now, is to help users get started with contracts by generating a contract stub partially filled with invariants discovered by invariant generation

Improvements:

  • Flags are now organized into modules, see --help and --help_of <module>

  • Mode information (when available) to counterexample output

  • Optimized invariant generation

  • Named properties and guarantees

  • Colored output

  • No more dependencies on Camlp4

  • Strict mode to disallow unguarded pre and undefined local variables

  • Many bug fixes and performance improvements

  • Added mode information (when available) to counterexample output

  • Rewrote invariant generation from scratch: much faster now

  • czmq fixes: there should be no process still running after Kind 2 exits

Refer to the user documentation online for more details.

Kind 2 v0.8.0

  • Optimize IC3/PDR engine, add experimental IC3 with implicit abstraction

  • Add two modular versions of the graph-based invariant generation from PKind.

  • Add path compression in k-induction

  • Support Yices 1 and 2 as SMT solvers

  • Optimize Lustre translation and internal term data structures

  • Optimize queries to SMT solvers with check-sat with assumption instead of push/pop

  • Return Lustre counterexamples faithful to input by undoing optimizations in translation

  • Improve output and logging

  • Many bug and performance fixes

  • Web service to accept jobs from remote clients

Refer to the user documentation for more details.