Download Latest Version

PaMC is a model checker specialised for verifying safety properties of parameterized systems which consists of an indefinite number of identical processes running in parallel. It implements a very powerful abstraction technique known as parameter abstraction and guard strengthening, using a heuristics-based automatic procedure to compute auxiliary invariants. Experiments show that PaMC is powerful enough to verify complex real-life parameterized systems such as Godson-T cache coherence protocol.


PaMC is a model checker designed for verifying safety properties of parameterized systems. A parameterized systems P(N), where N is the parameter of the system, consists of N identical processes running in parallel. Example parameterized systems include many network protocols and cache coherence protocols. Although the model checking problem for such systems is undecidable in general, many abstraction techniques have been proposed for various subclasses of parameterized systems which work well in practice. PaMC is based on a very powerful abstraction technique known as parameter abstraction and guard strengthening.

PaMC is written in C. Its syntax parser and BDD library operation procedure are adapted from TLV. PaMC implements the parameter abstraction, invariants computing and guard strengthening procedure. However, we do not try to make PaMC a stand-alone model checker. Instead, it can use any model checker which accepts SMV input language, such as TLV, Cadence SMV or NuSMV, as its model checking engine.


You can download the source and the binary of the latest version of PaMC PaMC-0.3.1-src.tgz and PaMC-0.3.1-bin.tgz. You can download the manual of PaMC here. Cubicle code for German-2004 and Godson-T can be downloaded here.

We suggest that the user installs Cadence SMV as the model checking engine of PaMC.


Following shows a small example muxsem protocol of PaMC.

  • 1--muxsem.pam--
  • 2MODULEmain
  • 3VAR
  • 4x:boolean;
  • 5arrayNode[Proc]:node_module;
  • 6arrayRequest[Proc]:transitionrequest(Node[Proc].State,x);
  • 7arrayEnter[Proc]:transitionenter(Node[Proc].State,x);
  • 8arrayRelease[Proc]:transitionrelease(Node[Proc].State,x);
  • 9arrayIdling[Proc]:transitionidling(Node[Proc].State,x);
  • 10ASSIGN
  • 11init(x):=1;
  • 12SPEC
  • 13FORALL(i,j)(i!=j->!(Node[i].State=crit&Node[j].State=crit))
  • 14MODULEnode_module
  • 15VAR
  • 16State:{idle,try,crit,exiting};
  • 17ASSIGN
  • 18init(State):=idle;
  • 19MODULErequest(state,semaphore)
  • 20ASSIGN
  • 21next(state):=
  • 22case
  • 23state=idle:try;
  • 241:state;
  • 25esac;
  • 26MODULEenter(state,semaphore)
  • 27ASSIGN
  • 28next(state):=
  • 29case
  • 30state=try&semaphore:crit;
  • 311:state;
  • 32esac;
  • 33next(semaphore):=
  • 34case
  • 35state=try&semaphore:0;
  • 361:semaphore;
  • 37esac;
  • 38MODULErelease(state,semaphore)
  • 39ASSIGN
  • 40next(state):=
  • 41case
  • 42state=crit:exiting;
  • 431:state;
  • 44esac;
  • 45MODULEidling(state,semaphore)
  • 46ASSIGN
  • 47next(state):=
  • 48case
  • 49state=exiting:idle;
  • 501:state;
  • 51esac;
  • 52next(semaphore):=
  • 53case
  • 54state=exiting:1;
  • 551:semaphore;
  • 56esac;


You can contact us at our respective email addresses.