MCMT: Model Checker Modulo Theories

Last Release: version 3.0 -- Last Update: 21/09/2020

MCMT is a model checker for infinite state systems based on the integration of Satisfiability Modulo Theories (SMT) solving and backward reachability. In its actual implementation, MCMT is capable of model checking invariant (safety) properties of a large class of infinite state systems called array-based systems.


MCMT is distributed "as is" without warranty of any kind; it is free for non-commercial use. It is possible to download the executables for Linux 64 bit and for Mac_OS systems together with some examples. The executables for the old versions can be required to the author. A version 3.0 linked to the SMT solver Z3 from Microsoft Research is available here.


You can run MCMT via command line; for detailed explanations, please, have a look at the User Manual. MCMT must be linked to the SMT solvers Yices1 or Z3.


We run MCMT on various examples: parametrized mutual exclusion and cache coherence protocols, timed systems, imperative programs, etc. These experiments show the great flexibility of the tool. All the files for these examples are included in the distribution (in each file, a brief description of the source and the meaning of the example is supplied). Table with experimental statistics (concerning the old version 1.0) are available here. Further case studies have been analyzed:

  • Parameterized Timed Systems: some benchmarks in this area (Fischer mutual exclusion, csma, etc.) are available in the distribution;

  • Mutual exclusion, deadlock freedom and waiting time bounds for Fischer and Lynch-Shavit algorithms: see the related paper here;

  • Fault Tolerant Systems: reliable broadcast algorithms from Chandra-Toueg papers have been studied with MCMT; see here and here for more information;

  • ARP Internet protocol: the protocol, as well as known attacks, has been analyzed with MCMT, see here for more information;

  • Imperative programs: these benchmarks concern standard functions on strings and unbounded arrays (like copying, comparing, searching, etc.) where the abstraction and acceleration features of version 2.0 are exploited; benchmarks files are available in the distribution.

  • Database driven systems: these benchmarks are supported in the new version 2.8 (see the User Manual and the benchmarks in the distribution).

Related Tools

Swarm Safety Detector SAFE is a web tool that employs verification techniques on parameterized multi-agent systems (PMASs), and, in particular, checks whether states satisfying a given goal formula, which existentially quantifies over the existence of agents, are reachable in a given MAS. SAFE automatically transforms PMASs into an array-based system representation, ready to be verified by MCMT. More information and download here.

The tools ArCa and ArCa_Sat analyze model-checking and satisfiability problems involving arrays and cardinality constraints; the tool ArCa_Sim produces counters simulations for such problems. Click here for more information and for for download.

The tool Booster is an integrated framework: it supplies a front-end to a C fragment and is able to run different copies of MCMT, trying in parallel the most promising settings. Booster is recommended for people interested in software model checking applications (contact T. Alberti for more information).

The tool ASASP analyzes security access policies within the model checking modulo theories framework. SAFARI (no longer maintained) is a re-implementation of MCMT, comprising abstraction/refinement capabilities. Cubicle implements the array-based MCMT framework in a parallel architecture.


The tool is currently developed and maintained by Silvio Ghilardi. Other people were involved in the history of the tool. Silvio Ranise was part of the MCMT project since the very beginning, co-founded it and contributed to it until he left for an FBK position. Thanks are due to R. Bruttomesso and F. Alberti for various help in the developement of past versions of the tool.

Some Publications