Deploy LTSmin to Europe β Jaco van de Pol π³π± (University of Twente β Aarhus π©π°), the Language-Independent Multi-Core Symbolic Model Checker with PINS Architecture, on EU Infrastructure in 2026
Every model checker in existence faces the same engineering problem: the state space exploration algorithms β BFS, DFS, partial-order reduction, symbolic BDD traversal, multi-core work-stealing, MPI-distributed verification β are largely independent of the modeling language. Yet historically, every tool reimplemented them from scratch. PROMELA/SPIN had its own explicit-state engine. mCRL2 had its own symbolic back-end. UPPAAL had its own timed automaton reachability. DIVINE had its own parallel state space generator. The algorithmic cores were duplicated in every tool, with subtle differences in efficiency, correctness, and scalability.
In 2010, a team at the University of Twente π³π± published a solution: LTSmin β a model checking framework built around a clean abstraction called the Partitioned Next-State Interface (PINS). The idea was simple and powerful: separate the modeling language front-end (what states and transitions mean) from the verification back-end (how to explore them). Any language tool that implements PINS can immediately access LTSmin's full verification arsenal β multi-core explicit-state search, symbolic BDD-based reachability, MPI-distributed exploration, LTL model checking with counterexample traces, and CTL* fixed-point algorithms β without reimplementing any of it.
The paper appeared at CAV 2010 β the premier conference for computer-aided verification. The authors were Stefan Blom π³π±, Jaco van de Pol π³π±, and Michael Weber π³π±, all from the University of Twente, the Netherlands β one of Europe's foremost formal methods research centers, home to the LOTOS, E-LOTOS, mCRL2, and now LTSmin lineage of process algebra and model checking research that spans four decades of EU-funded computer science.
The PINS Architecture: Language-Agnostic Model Checking
The central abstraction of LTSmin is the Labelled Transition System (LTS) β a mathematical structure of states, transitions labelled with actions, and an initial state. Every model checking problem reduces to reasoning about an LTS: reachability (can we reach a bad state?), deadlock detection (can we reach a state with no outgoing transitions?), LTL verification (does every infinite path satisfy a temporal property?), CTL* verification (does the initial state satisfy a branching-time formula?).
PINS exposes the LTS through a partitioned interface. Instead of asking "what is the full set of next states from state s?" β which would require generating all successors at once β PINS partitions the transition relation into N groups, each group containing transitions that depend on only a subset of state variables. This partition is captured by a dependency matrix D where D[i][j] = 1 means transition group i reads or writes state variable j.
State variables: [x1, x2, ..., xk]
Group 1: transitions on process 1 β reads {x1, x3}, writes {x1}
Group 2: transitions on process 2 β reads {x2, x4}, writes {x2, x4}
Group 3: synchronisation β reads {x1, x2}, writes {x1, x2}
Dependency matrix D (rows=groups, cols=variables):
x1 x2 x3 x4
Grp1 [1 0 1 0] β process 1 local transitions
Grp2 [0 1 0 1] β process 2 local transitions
Grp3 [1 1 0 0] β synchronisation
This partition enables structural partial-order reduction (POR) at the interface level: if two groups have disjoint read/write sets, their transitions are independent and can be explored in either order without missing any reachable state or violating any trace property. POR reduces the state space exponentially in the number of independent concurrent components β precisely the bottleneck in verification of concurrent systems.
Frontends: PINS Adapters for Every Major Language
LTSmin's value comes from its ecosystem of PINS adapters β language front-ends that translate model descriptions into the PINS interface, immediately making those models accessible to all LTSmin back-ends.
mCRL2 front-end (mcrl2-ltsmin): The process algebra mCRL2 β developed at TU Eindhoven π³π± by Jan Friso Groote and successors β interfaces to LTSmin via a PINS adapter. This gives mCRL2 models access to LTSmin's multi-core and distributed back-ends, supplementing mCRL2's own symbolic tools with explicit-state parallelism.
Promela/SPIN front-end (spins): SPIN β Gerard Holzmann's π©π° protocol verifier β models using PROMELA. LTSmin's spins front-end compiles PROMELA to a PINS adapter via source-to-source translation, enabling multi-core state space exploration of concurrent C-like models that SPIN would explore sequentially. The same PROMELA models that SPIN verifies up to ~10βΈ states can reach ~10ΒΉβ° states with LTSmin's parallel exploration on multi-core hardware.
DVE front-end (divine-cluster): DVE β the modeling language of DIVINE, developed at Masaryk University π¨πΏ β interfaces to LTSmin via a PINS adapter, giving DVE models access to LTSmin's symbolic BDD back-end.
opaal (UPPAAL networks of timed automata): UPPAAL β developed at Uppsala University πΈπͺ and Aalborg University π©π° β models networks of timed automata. LTSmin's opaal front-end converts UPPAAL XML models into PINS adapters for untimed reachability analysis (treating clock constraints symbolically or ignoring clocks for structural analysis).
ETF (Explicit state format): LTSmin's own interchange format β any tool can dump a state space in ETF for minimisation, bisimulation reduction, and property checking by LTSmin's back-ends.
Three Exploration Backends
Multi-core explicit-state (mc-reachability): LTSmin implements a work-stealing parallel BFS algorithm for multi-core shared-memory machines. Worker threads maintain local queues of states to explore; when a worker's queue empties, it steals from another worker's queue. State storage uses lockless hash maps (concurrent open addressing with compare-and-swap). For 16-core machines, LTSmin achieves near-linear scaling on models with independent concurrent components β the dependency matrix guides work distribution.
Symbolic BDD-based (sym-reachability): LTSmin implements chained saturation over multi-valued decision diagrams (BDDs/MTBDDs) representing the set of reachable states. The key optimisation is disjunctive partitioning: instead of applying all N transition groups simultaneously (a single large BDD image computation), LTSmin applies groups one at a time in a chained fixed-point, exploiting the partition to keep BDD sizes manageable. This is the symbolic algorithm of choice for models with large structured state spaces where explicit enumeration is infeasible.
The BDD engine is Sylvan β a multi-core BDD library developed by Tom van Dijk π³π± at the University of Twente π³π±, later Radboud University π³π±. Sylvan runs BDD operations in a shared work-stealing pool across all CPU cores, applying memoisation (BDD operation cache) with lockless hash maps. For a 64-core server, Sylvan achieves 20β40Γ speedup over single-threaded BDD computation on structured models.
Distributed MPI (dist-reachability): LTSmin implements a distributed BFS over MPI for computing clusters. States are distributed across nodes by hash function; frontier states are exchanged via MPI message passing. This enables verification of state spaces exceeding available RAM on any single node β the combined memory of a cluster handles models up to ~10ΒΉΒ² states that no single machine could hold.
LTL Model Checking and Counterexample Generation
LTSmin verifies LTL (Linear Temporal Logic) properties over the state space by constructing the synchronous product of the model's LTS with a BΓΌchi automaton derived from the negation of the LTL formula. A reachable accepting cycle in the product corresponds to an LTL violation.
Model M (LTS) Γ Β¬Ο_BΓΌchi = product LTS P
Reachable accepting SCC in P β counterexample trace for Ο
LTSmin implements nested DFS (NDFS) for single-core LTL verification and parallel NDFS variants β cyan-blue-red NDFS β for multi-core. The counterexample extractor produces a concrete state sequence from the initial state to the accepting cycle, making bug diagnosis tractable.
For CTL* (branching-time temporal logic), LTSmin implements symbolic backward fixed-point computation over the BDD representation of the state space β the classical Emerson-Clarke CTL model checking algorithm adapted to the BDD symbolic representation.
EU Research Lineage: University of Twente and Dutch Formal Methods
Jaco van de Pol π³π± completed his PhD at Utrecht University π³π± in 1996 on process algebras with rewriting. He joined the University of Twente π³π± in 1999 (Department of Formal Methods and Tools), becoming full professor and leading the Formal Methods and Tools group. In 2018, he moved to Aarhus University π©π° as full professor of computer science β making LTSmin jointly Dutch and Danish intellectual property. Van de Pol holds multiple NWO (Netherlands Organisation for Scientific Research) project grants and ERC (European Research Council) grants for concurrent and symbolic verification.
Stefan Blom π³π± defended his PhD at the University of Twente on PINS and LTSmin, then moved to CWI (Centrum Wiskunde & Informatica) π³π± in Amsterdam β the Dutch national research center for mathematics and computer science, host institution of Dijkstra, Hoare visitors, and the birthplace of process algebra CWI research.
Michael Weber completed his doctorate at the University of Twente on distributed state space generation, then joined CWI π³π±. Both Blom and Weber contributed the distributed MPI backend and the PINS abstraction.
Tom van Dijk π³π± (University of Twente β Radboud University π³π±) built Sylvan, LTSmin's multi-core BDD library, as part of his doctoral research β another layer of EU-native tooling within the LTSmin ecosystem.
The University of Twente formal methods lineage: Ed Brinksma π³π± (LOTOS, E-LOTOS, ISO standardisation) β Jan Tretmans π³π± (ioco conformance testing) β Jaco van de Pol π³π± (LTSmin, PINS, Sylvan) β four decades of continuous Dutch-European contribution to formal verification infrastructure now deployed across EU industry for IEC 61508, EN 50128, and DO-254 certification.
Docker Deployment on sota.io
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y \
build-essential cmake git wget \
libgmp-dev zlib1g-dev libbz2-dev \
libboost-all-dev flex bison \
mcrl2 \
&& rm -rf /var/lib/apt/lists/*
# Install LTSmin binary release
RUN wget -qO- https://github.com/utwente-fmt/ltsmin/releases/download/v3.1.0/ltsmin-v3.1.0-linux.tar.gz \
| tar xz -C /usr/local --strip-components=1
# Install SPIN for Promela front-end
RUN wget -q https://spinroot.com/spin/Src/spin651.tar.gz \
| tar xz -C /tmp && cd /tmp/Src && make && cp spin /usr/local/bin/
WORKDIR /models
COPY models/ /models/
# Run LTSmin with mCRL2 front-end: explicit multi-core reachability
# mcrl22lps -v model.mcrl2 | lps2lts --strategy=bfs --threads=4 model.lts
CMD ["bash", "-c", "mcrl22lps -v /models/model.mcrl2 | lps2lts --strategy=bfs --threads=$(nproc) model.lts && echo 'State space: complete'"]
Multi-core reachability via mCRL2 front-end:
# Convert mCRL2 to LPS (Linear Process Specification)
mcrl22lps -v model.mcrl2 model.lps
# Generate full state space with 8 threads
lps2lts --strategy=bfs --threads=8 --verbose model.lps model.lts
# Verify LTL property: absence of deadlock
ltsmin-mc --threads=8 --property="!(<true>true && []<>false)" model.lps
Promela/SPIN front-end β verifying concurrent C protocols:
# Compile Promela model to PINS adapter
spins -t model.pml
# Multi-core BFS (16 cores, 64GB state storage)
mc-reachability --threads=16 --table-size=26 model.spins
# LTL verification: mutual exclusion property
mc-reachability --threads=16 \
--property="[](cs1 -> !cs2)" \
model.spins
Symbolic BDD exploration (large state spaces):
# Symbolic reachability β handles 10^12 states where explicit fails
sym-reachability --order=bfs-tight model.spins
# CTL model checking: AG(request -> AF(grant))
sym-reachability --ctl="AG(request -> AF grant)" model.spins
GitHub Actions CI pipeline:
name: LTSmin Verification
on: [push, pull_request]
jobs:
verify:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Install LTSmin
run: |
wget -qO- https://github.com/utwente-fmt/ltsmin/releases/download/v3.1.0/ltsmin-v3.1.0-linux.tar.gz \
| sudo tar xz -C /usr/local --strip-components=1
sudo apt-get install -y mcrl2
- name: Verify protocol model
run: |
mcrl22lps protocol.mcrl2 protocol.lps
lps2lts --threads=4 protocol.lps protocol.lts
echo "State space generated: $?"
- name: Check safety property
run: |
ltsmin-mc --threads=4 \
--property="!(<true*>deadlock)" \
protocol.lps
EU Regulatory Angles
IEC 61508 SIL 3/SIL 4 (functional safety): IEC 61508 Annex B lists model checking as a recommended technique for software safety validation at SIL 3 and SIL 4 levels. LTSmin's multi-core symbolic exploration makes exhaustive state space verification practical for industrial-scale concurrent control software β the dependency matrix enables POR reductions that make formally complete verification achievable within certification timelines.
EN 50128 SIL 4 (railway software): European railway certification follows EN 50128, which mandates formal verification for the highest integrity levels. LTSmin's mCRL2 and Promela front-ends allow verification of interlocking logic, communication protocols, and ETCS/ERTMS components with the same scalable algorithms used in research.
NIS2 Art. 21 (network and information security): Concurrent network protocols β TLS state machines, BGP session negotiation, firewall rule interaction β can be modelled in PROMELA and exhaustively verified by LTSmin for security properties (absence of state confusion, authentication, session integrity). NIS2's requirement for systematic security testing of critical infrastructure software is satisfied by tool-supported exhaustive verification.
EU AI Act Art. 9 (high-risk AI risk management): Concurrent AI inference services β multi-threaded inference pipelines, shared model parameter access, distributed decision-making β exhibit the class of concurrency bugs that LTSmin's explicit multi-core model checker is designed to find. For high-risk AI systems under EU AI Act Annex III, machine-checked absence of deadlock and race conditions provides auditable evidence of systematic risk management.
IEC 62304 Class C (medical device software): Multi-threaded medical device software β infusion pumps, patient monitoring, diagnostic imaging β requires exhaustive concurrency testing under IEC 62304 Class C. LTSmin's Promela front-end enables formal concurrent protocol verification as part of the software validation package.
GDPR Art. 32 (security of processing): Concurrent data processing pipelines that handle personal data are subject to GDPR Art. 32 security requirements. LTSmin verification of concurrent access patterns provides machine-checked evidence that no data race can corrupt personal data β supporting the "state of the art" security argument required under GDPR.
Deploy LTSmin on sota.io β EU-Native Infrastructure
LTSmin is developed entirely within the European Union β University of Twente π³π±, CWI Amsterdam π³π±, Aarhus University π©π° β funded by NWO (Dutch national science foundation) and ERC (European Research Council). Running LTSmin on European infrastructure preserves the EU intellectual and legal provenance of the verification results: no US Cloud Act exposure, no GDPR Art. 46 transfer restrictions, no third-country jurisdiction over formal verification evidence used in EU certification processes.
Deploy to sota.io β EU-native PaaS, GDPR-compliant, free tier β
sota.io runs on German infrastructure π©πͺ β Deutsche Telekom backbone, Frankfurt data centers, GDPR Art. 25 privacy by design. Managed PostgreSQL 17 for storing verification results, state space metrics, and counterexample databases. Zero DevOps: push your Dockerfile, get a running LTSmin verification service in minutes.
See Also
- mCRL2 β TU Eindhoven π³π± process algebra and verification toolset
- DIVINE β Masaryk University π¨πΏ DVE/LLVM parallel model checker
- UPPAAL β Uppsala πΈπͺ + Aalborg π©π° timed automata verification
- Storm β RWTH Aachen π©πͺ probabilistic model checker
- Promela/SPIN β Gerard Holzmann π©π° (Bell Labs), concurrent protocol model checker whose PROMELA models run directly on LTSmin via the spins frontend