The JKind Model Checker

JKind is an open-source industrial model checker developed by Rockwell Collins and the University of Minnesota. JKind uses multiple parallel engines to prove or falsify safety properties of infinite state models. It is performance competitive with other state-of-the-art model checkers and serves as the back-end for various industrial applications.


Introduction
JKind is an open-source 3 industrial infinite-state inductive model checker for safety properties. Models and properties in JKind are specified in Lustre [7], a synchronous data-flow language, using the theories of linear real and integer arithmetic. JKind uses SMT-solvers to prove and falsify multiple properties in parallel.
A distinguishing characteristic of JKind is its focus on the quality of results. For a proven property, JKind provides traceability between the property and individual model elements. For a falsified property, JKind provides options for simplifying and generalizing the counterexample in order to highlight the root cause of the failure. In industrial applications, we have found this additional quality of the results to be at least as important as the primary results.
Another important characteristic of JKind is that is it designed to be integrated directly into user-facing applications. Written in Java, JKind runs on all major platforms and is easily compiled into other Java applications. JKind bundles the Java-based SMTInterpol solver and has no external dependencies. However, it can optionally call Z3, Yices 1, Yices 2, CVC4, and MathSAT if they are available.  Figure 1. Although displayed as point-to-point connections, information between engines is actually broadcast so any engine may pick the information it wants.
The post-processing engines are the greatest difference between JKind and more traditional model checkers. In industrial application, the quality of an answer is just as important as the answer itself. For example, more than knowing a property is true, we want to know why it is true. We want to trace the property back to the model and see which parts were exercised. This type of coverage and traceability information is often required for certification of safety critical systems [10].
Each engine of JKind is described below.
Bounded Model Checking (BMC). The BMC engine performs a standard iterative unrolling of the transition relation to find counterexamples and to serve as the base case of k-induction. The BMC engine guarantees that any counterexample it finds is minimal in length.
k-induction. The k-induction engine performs the inductive step of k-induction, possibly using invariants generated by other engines.
Invariant Generation. The invariant generation engine uses a template-based invariant generation technique [8] using its own k-induction loop.
Property Directed Reachability (PDR). The PDR engine performs property directed reachability [4] using the implicit abstraction technique [2]. Unlike BMC and k-induction, each property is handled separately by a different PDR sub-engine. Invariants generated as a side-product of PDR are shared with the k-induction process.
Inductive Validity Cores (IVC). For a proven property, an inductive validity core is a subset of Lustre equations from the input model for which the property still holds [6]. It indicates which part of the model is relevant to the proof of the property. The IVC engine uses a heuristic algorithm to efficiently produce nearly minimal inductive validity cores. As a side-product, the IVC algorithm also minimizes the set of invariants used to prove a property and reports back this reduced set.
Advice. The advice engine saves and re-uses results between runs of JKind, improving performance. When enabled, a set of invariant from a previous run of JKind, so called advice, is read in and (hopefully) re-verified. Because advice is re-verified, it does not need to be completely accurate. In particular, advice from a previous run of JKind can be used on a model even if that model is further modified. Pieces of advice that successfully re-verify are used as invariants while those that do not are discarded.
Smoothing. Counterexamples generated from BMC and PDR are not always easily understood, so as an optional post-processing step we smooth counterexamples to minimize the number of changes to the input variables. The smoothing engine uses a MaxSat query over the original BMC-style unrolling of the transition relation combined with weighted assertions that each input variable does not change on each step. The MaxSat query therefore tries (as best as possible) to hold all inputs constant while still falsifying the original property. This engine is only available with SMT-solvers that support MaxSat such as Yices and Z3.
Interval Generalization. Another post-processing step available for counterexamples is to perform interval generalization where individual values in a counterexample are replaced by intervals that still falsify the property. This analysis is done purely through simulation, without using an SMT-solver. It is useful in showing that, for example, the value of a variable on a given step only needs to be positive and its particular value does not matter.

Integration & Applications
JKind is the back-end for a variety of user-facing applications. In this section, we briefly highlight a few and how they employ the features discussed previously. We wrote JKind in Java which makes it multi-platform and very easy to integrate into other Java applications. Moreover, we created the JKindApi package which contains utilities for creating Lustre specifications, calling JKind, processing JKind results, graphically displaying real-time results, and nicely formatting counterexamples. Many of the applications in this section make heavy use of JKindApi.

Specification and Analysis of Requirements
Open Source The Specification and Analysis of Requirements tool, SpeAR for short, is a prototyping and analysis tool for requirements expressed in formal notations [5]. SpeAR captures requirements in a way that is backed by the formal semantics of Lustre, which enables them to be analyzed using model checking to ensure they are correct and consistent.
SpeAR uses JKind to prove properties over requirements, and uses IVC to create a traceability matrix between requirements and properties. This quickly highlights unused requirements, over-constrained properties, and other common problems. SpeAR also uses JKind for test case generation using the Unique First Cause criteria [12] by creating trap properties. Each trap property is expected to be falsifiable, but in such a way that the counterexample has exactly the desired properties for a given test case. SpeAR uses smoothing in JKind to ensure the resulting test cases are simple and understandable.

Assume Guarantee Reasoning Environment
Open Source JKind is used as the default model checker for the Assume Guarantee Reasoning Environment (AGREE) [3]. AGREE refers to both an embedded language annex in the Architectural Analysis and Design Language (AADL) and to a plugin for the OSATE AADL Integrated Development Environment. The AGREE annex annotates the AADL model with formal requirements, and the plugin reasons about these requirements. The purpose of AGREE is to model behavioral requirements of an embedded system using formal assume guarantee contracts. The plugin generates Lustre specifications that are checked by JKind. AGREE makes use of multiple JKind features including smoothing and interval generalization to present clear counterexamples, IVC to show requirements traceability, and counterexample generation to check the consistency of an AADL component's contract. AGREE also uses JKind to generate various test cases for component contracts. The test case generator uses counterexamples (or lack thereof) to demonstrate requirements coverage.

Flight Control Logic
Proprietary A flight control group at Rockwell Collins develops state machines which manage flight modes of an aircraft. These state machines often have few states, but many possible transitions between states. There is a priority ordering to resolve conflicts between transitions, but this can make it hard to fully exercise the behavior of a state machine. The flight controls group has developed a particular graphical representation to manage this complexity.
We have developed a tool which formalizes these state machine models. It translates the state machine to Lustre and uses JKind to check properties over the state machine. We use IVCs to establish traceability, i.e. which transitions are covered by which properties. We also use trap properties to generate test cases exercising transitions. Here IVCs are used when a trap property is true which means it failed to generate a test case. The IVC indicates which transitions are blocking the transition we wish to exercise in the test case. The tool presents all this information graphically to its users.

MC/DC Test Case Generation
Proprietary The Engine-Indicating and Crew-Alerting System (EICAS) group at Rockwell Collins develops equations which determine which messages and alerts should be delivered to pilots. Certification for this system requires extensive test cases which must satisfy criteria such as the Modified Condition/Decision Coverage (MC/DC) metric. We have developed a tool which generates these tests by trans-lating the EICAS equations into Lustre and generating MC/DC trap properties in JKind. Smoothing is very important in this context as test cases need to be run on the actual hardware where timing is not precisely controllable. Thus, test cases with a minimum of changes to the inputs are ideal.

Model-based Fuzzing
Open Source As part of an ongoing DARPA program, Rockwell Collins is developing a tool for generating fuzz tests from system models. This tool takes a Lustre description of a system and uses JKind to generate test cases which exercise different portions of the model. Effective fuzz testing requires a huge number of test cases which is not feasible to generate solely with a model checker. Instead, this fuzzing tool uses interval generalization in JKind to generate generalized counterexamples which it then randomly samples at high speed. In fact, research in this area has recently expanded interval generalization to trapezoidal generalization which is strictly more general, but still allows very fast random sampling.

Static IMPerative AnaLyzer
Open Source The Static IMPerative AnaLyzer (SIMPAL) is a tool for performing compositional reasoning over software [11]. SIMPAL features a specification language, called Limp, for modeling programs that utilize preexisting components. Limp is a Lustre-like imperative language. It provides control flow elements, global variables, and a syntax for specifying preconditions, postconditions, and global variable interactions of preexisting components. SIMPAL translates Limp programs to an equivalent Lustre representation which is passed to the JKind to perform assume-guarantee reasoning, reachability, and viability analyses. The feedback from these analyses is used to refine the program to ensure that the software functions as intended.

Discussion
Related Work JKind is one of a number of similar infinite-state inductive model checkers including Kind 2, Kind, NuXmv, and Zustre. These tools each offer multi-engine solvers that utilize both k-induction and some variant of IC3/PDR. In a recent comparison [1], JKind was the second most capable solver in terms of the number of problems solved (behind Kind 2) and had competitive performance across a large benchmark suite. The most noticeable bottleneck in JKind is the start-up time for the Java Virtual Machine (JVM). This cost is insignificant for larger models but causes decreased performance for benchmarks consisting of many very small models.

Conclusion
JKind is similar to a number of other solvers that each solve infinite state sequential analysis problems. Nevertheless, it has some important features that distinguish it. First, a focus on quality of feedback to users for both valid properties (using IVCs) and invalid properties (using smoothing and counterexample generalization). Second, it is supported across all major platforms and is straightforward to port due to its implementation in Java. Third, it is small, modular, and well-architected, allowing straightforward extension with new engines. Fourth, it is open source with a liberal distribution license (BSD), so it can be adapted for various purposes, as demonstrated by the number of tools that have incorporated it.