0.1 NAME

SyMP - Symbolic Model Prover

0.2 SYNOPSIS

symp [ options ] input-file

0.3 DESCRIPTION

SyMP stands for Symbolic Model Prover, and is a general purpose prover generator for generating special purpose theorem provers in various application domains. The core of the tool is a generic prover which is connected to several proof system modules. Each such module defines an input specification language, a proof system, and a rule application mechanism, and the generic prover provides all the proof management and an interactive user interface.

Currently, SyMP has two proof systems: the default and Athena.

The default proof system implements a general framework for combining model checking and theorem proving, and has a hardware-oriented specification language that resembles SML. Programs in the default input language should be saved in files with extension `.symp'. The main purpose of the language is to provide a convenient environment for fast and clean prototyping of new (mostly hardware) verification methodologies based on model checking with some elements of theorem proving. It can also be used as an intermediate representation in translations between other specification languages.

The Athena proof system is specialized in verifying security protocols, and is based on Strand Spaces and the algorithms developed for them by Dawn Song. We believe, it is fairly complete at this point, however, the automatic proof search is not as good as it should be yet. File extension for the Athena programs is `.ath'.

0.4 RUN

The tool is best run interactively from emacs. There is a limited command-line interface, but it is not supported, at least in this release.

0.5 COMMAND LINE OPTIONS

--spec theorem [broken]

Generate a transition system for the spec (theorem). Specs are full SyMP theorem expressions. There can be several --spec instances in one call.

-mc name

modelchecker name - the name of the back-end model checker. Currently, only `smv' is supported, and is the default.

-o file, --output-file file [broken]

the name of the output file. A dash `-' means stdout. default is `out.smv'. This is a temporary option before the call to the back-end model checker is automated.

--limit N

set the threshold on the type size after which the type is considered too large or infinite for translation purposes.

--version

print a version string and exit

-h, -help, --help

print this help and exit

-v, --verbose

verbose mode

-q --quiet

quiet mode (default)

--debug debug-spec

dump (a lot of!) debug output where debug-spec stands for:

all

dump all possible debug info

f1[,f2,...]

print debug info only for the functions f1, f2, etc.. The function names must be separated by commas or spaces, but in the latter case they must be enclosed in quotes.

0.6 INSTALLATION

Read the README file in the distribution.

0.7 FEATURES

SyMP is now considered relavitely mature as a general purpose prover generator. It provides a well-defined API to custom-built proof systems, the unified proof management mechanism, and the abstract layer of the interactive user interface. Concrete user interface modules are plugged in through another well-defined API. The reason it is still in beta is because the provided proof systems modules are still being developed. The core of the tool, however, is reasonably stable and hasn't changed much from the previous version.

Currently, SyMP has two proof systems: the default and Athena. The only interactive user interface is implemented in Emacs. The default proof system implements our general idea of a ``model prover'' with many theorem proving as well as model checking and abstraction capabilities built-in. The Athena proof system is designed for security protocols verification, and is believed to be a complete implementation of what is described in our original journal paper.

For more features, read the User's Guide and the BUGS section below.

0.8 BUGS

The central core (proof manager, user interface, etc.) seems to be rather stable, and no new bugs were discovered from the previous release, even after a few small optimizations.

The Athena proof system probably still have some bugs, but we haven't seen any for a few days. Anyway, this code is pretty new and should be considered alpha-stage.

However, there are plenty of bugs in the default proof system, and we are working on them. To mention a few:

• The default proof still contains too few rules. This is not exactly a bug, but we are constantly working on it to make the tool more usable. (It carries over from the previous release :)
• The manual is in a very alpha stage, pretty much like the tool itself. It describes most of what you need to start using both proof systems, but not much more. We are also working on it.
• Some proof rules in the default system are not quite correct. The replace rule will not replace everything that it should in the model (due to its being too conservative in preserving soundness). The typechecker still breaks quite often as soon as we try some new example. Eventually, it should be rewritten in a much cleaner way, it is virtually impossible to debug it completely as it is now.

If you find a serious bug, please report it to sergey.berezin@cs.cmu.edu .

0.9 WHERE TO GET SYMP

CMU Model Checking Page:

http://www.cs.cmu.edu/~modelcheck/symp.html. It is highly recommended that you download the latest release of the tool and upgrade often, as we are in the process of rapid developement, and a lot of bug fixes and improvements are under way.

CVS-Web Repository:

http://teapot.modck.cs.cmu.edu/symp/ Here you can download the latest (but probably unstable) daily CVS snapshot of the tool.

0.10 AUTHORS

Main author:

Sergey Berezin, Carnegie Mellon University. sergey.berezin@cs.cmu.edu,

Co-developer:

Alex Groce, Carnegie Mellon University. agroce+@cs.cmu.edu.

June 2001