Reachable state space analysis of LOTOS specifications

We present a symbolic analysis technique for Lotos programs with integer variables on which only linear expressions are allowed. The technique is applicable to models generated by the Lotos compiler of the CCsar-Ald ebaran toolbox which are Petri nets extended with guarded commands. It allows to compute a predicate on variables characterizing the set of the reachable states or an upper approximation of it. Predicates are represented as systems of linear inequalities on program variables. We implemented a tool for performing the operations necessary for the analysis such as conjunction, disjunction, widening operation as well as comparison of predicates. The method is applied to two examples showing that non trivial relations between program variables can be discovered 1. Motivations Most formal veriication methods are based on model checking: starting from a speciica-tion written in any Formal Description Technique with well deened operational semantics, a model is build and properties are checked on this model. The majority of the model checking veriication techniques are based on a more or less exhaustive exploration of the graph, either for deadlock searching, checking of logical properties or checking of equivalence between the model and a property. The performances and applicability of these methods depend greatly on the size of the model to be checked. Unfortunately, real life examples tend to produce huge models: this problem is known as the state explosion problem. Various improvements have been introduced on the classical enumerative exploration of the fully generated model in order to cope with this problem. The rst class of improvement try to optimize the exploration of the model, either by avoiding its complete generation (\on the y" techniques 11, 24]) or its complete exploration (Partial order techniques 15, 24]), or by exploration of an abstraction of the model 16]. A second class of improvement concerns the representation of the model: the aim of symbolic techniques is to avoid the explosive enumerative representation of a model by the representation and manipulation of sets of states instead of individual states. One particular technique , Binary Decision Diagrams 5] (BDD) has already a story of success in hardware veriication 7, 23] and has been applied successfully in other concurrent programming domains 3, 12]. However, the eeectiveness of BDDs depends greatly on the structure Fourier and Verilog SA associated with IMAG.