Symbolic Verification of Lossy Channel Systems: Application to the Bounded Retransmission Protocol
In TACAS'99, LNCS 1579, 1999
Cited by 35 (6 self)
We consider the problem of verifying automatically infinite-state systems that are systems of finite machines that communicate by exchanging messages through unbounded lossy FIFO channels. In a previous work [1], we proposed an algorithmic approach based on constructing a symbolic representation of the set of reachable configurations of a system by means of a class of regular expressions (SREs). The construction of such a representation consists of an iterative computation with an acceleration technique which enhances the chance of convergence. This technique is based on the analysis of the effect of iterating control loops. In the work we present here, we experiment with our approach and show how it can be effectively applied. For that, we developed a tool prototype based on the results in [1]. Using this tool, we provide a fully automatic verification of (the parameterized version of) the Bounded Retransmission Protocol, for arbitrary values of the size of the transmitted files and the allowed number of retransmissions.
Timed Automata and the Theory of Real Numbers
CONCUR'99, LNCS 1664, 1999
Cited by 34 (0 self)
A configuration of a timed automaton is given by a control state and finitely many clock (real) values. We show here that the binary reachability relation between configurations of a timed automaton is definable in an additive theory of real numbers, which is decidable. This result implies the decidability of model checking for some properties which cannot be expressed in timed temporal logics and provides alternative proofs of some known decidable properties. Our proof is based on two intermediate results: 1. Every timed automaton can be effectively emulated by a timed automaton which does not contain nested loops. 2. The binary reachability relation for counter automata without nested loops (called here flat automata) is expressible in the additive theory of integers (resp. real numbers). The second result can be derived from [10].
1 Introduction. Timed automata have been introduced in [4] to model real-time systems and quickly became a standard. They roughly consist in adding to...
Reachability Analysis of (Timed) Petri Nets Using Real Arithmetic
1999
Cited by 32 (4 self)
In this paper, we address the issue of reachability analysis for Petri nets, viewed as automata with counters. We show that exact reachability analysis can be achieved by treating Petri nets' integer variables (counters) as real-valued variables, and using the Fourier-Motzkin procedure instead of a Presburger elimination procedure. As a consequence, one can safely analyse Petri nets with performant tools, e.g. HyTech, originally designed for analysing automata with real-valued variables (clocks). We also investigate the use of meta-transitions (iterative application of a transition in a single step) and give sufficient conditions ensuring an exact computation in this case. Experimental results with HyTech show an impressive speed-up with respect to previous experiments performed with a Presburger arithmetic solver. The method extends to analysing Petri nets with timing constraints, but difficulties arise for the treatment of meta-transitions in this case.
1 Introduction. Reac...
Action Language Verifier
2001
Cited by 27 (19 self)
Action Language is a specification language for reactive software systems. In this paper we present the Action Language Verifier which consists of 1) a compiler that converts Action Language specifications to composite symbolic representations, and 2) an infinite-state symbolic model checker which verifies (or falsifies) CTL properties of Action Language specifications. Our symbolic manipulator (Composite Symbolic Library) combines a BDD manipulator (for boolean and enumerated types) and a Presburger arithmetic manipulator (for integers) to handle multiple variable types. Since we allow unbounded integer variables, model checking queries become undecidable. We present several heuristics used by the Action Language Verifier to achieve convergence.
Symbolic Trajectory Evaluation
Formal Hardware Verification, 1996
Cited by 26 (6 self)
Abstraction. The main problem with model checking is the state explosion problem: the state space grows exponentially with system size. Two methods have some popularity in attacking this problem: compositional methods and abstraction. While they cannot solve the problem in general, they do offer significant improvements in performance. The direct method of verifying that a circuit has a property f is to show that the model M satisfies f. The idea behind abstraction is that instead of verifying property f of model M, we verify property f_A of model M_A, and the answer we get helps us answer the original problem. The system M_A is an abstraction of the system M. One possibility is to build an abstraction M_A that is equivalent (e.g. bisimilar [48]) to M. This sometimes leads to performance advantages if the state space of M_A is smaller than that of M. This type of abstraction would more likely be used in model comparison (e.g. as in [38]). Typically, the behaviour of an abstraction is not equivalent...
A Comparison of Presburger Engines for EFSM Reachability
1998
Cited by 26 (0 self)
Implicit state enumeration for extended finite state machines relies on a decision procedure for Presburger arithmetic. We compare the performance of two Presburger packages, the automata-based Shasta package and the polyhedra-based Omega package. While the raw speed of each of these two packages can be superior to the other by a factor of 50 or more, we found the asymptotic performance of Shasta to be equal or superior to that of Omega for the experiments we performed.
An Improved Reachability Analysis Method for Strongly Linear Hybrid Systems
In Proc. 9th Int. Conf. on Computer Aided Veri, 1997
Cited by 22 (12 self)
This paper addresses the exact computation of the set of reachable states of a strongly linear hybrid system. It proposes an approach that is an extension of classical state-space exploration. This approach uses a new operation, based on a cycle analysis in the control graph of the system, for generating sets of reachable states, as well as a powerful representation system for sets of values. The method broadens the range of hybrid systems for which a finite and exact representation of the set of reachable states can be computed. In particular, the state-space exploration may be performed even if the set of variable values reachable at a given control location cannot be expressed as a finite union of convex regions. The technique is illustrated on a very simple example.
Using Forward Reachability Analysis for Verification of Lossy Channel Systems
Formal Methods in System Design, 2004
Cited by 19 (4 self)
We consider symbolic on-the-fly verification methods for systems of finite-state machines that communicate by exchanging messages via unbounded and lossy FIFO queues. We propose a novel representation formalism, called simple regular expressions (SREs), for representing sets of states of protocols with lossy FIFO channels. We show that the class of languages representable by SREs is exactly the class of downward closed languages that arise in the analysis of such protocols. We give methods for (i) computing inclusion between SREs, (ii) an SRE representing the set of states reachable by executing a single transition in a system, and (iii) an SRE representing the set of states reachable by an arbitrary number of executions of a control loop of a program. All these operations are rather simple and can be carried out in polynomial time. With these techniques, one can straightforwardly construct an algorithm which explores the set of reachable states of a protocol, in order t...
Verification of Infinite-State Systems by Combining Abstraction and Reachability Analysis
Cited by 16 (2 self)
Parosh Aziz Abdulla (1), Aurore Annichini (2), Saddek Bensalem (2), Ahmed Bouajjani (2), Peter Habermehl (3), Yassine Lakhnech (4)
(1) Dept. of Computer Systems, P.O. Box 325, 75105 Uppsala, Sweden. (2) Verimag, Centre Equation, 2 av. de Vignate, 38610 Gières, France. (3) Liafa - Case 7014, 2 place Jussieu, 75251 Paris Cedex 05, France. (4) Institut für Informatik und Praktische Mathematik, Christian-Albrechts-Universität zu Kiel, Preußerstr. 1-9, 24105 Kiel, Germany.
Abstract. We address the problem of verifying systems operating on different types of variables ranging over infinite domains. We consider in particular systems modeled by means of extended automata communicating through unbounded FIFO channels. We develop a general methodology for analyzing such systems based on combining automatic generation of abstract models (not necessarily finite-state) with symbolic reachability analysis. Reachability analysis procedures allow one to verify automatically prope...
A Class of Polynomially Solvable Range Constraints for Interval Analysis without Widenings and Narrowings
In Tools and Algorithms for the Construction and Analysis of Systems, 2004
Cited by 13 (1 self)
In this paper, we study the problem of solving integer range constraints that arise in many static program analysis problems. In particular, we present the first polynomial time algorithm for a general class of integer range constraints. In contrast with abstract interpretation techniques based on widenings and narrowings, our algorithm computes, in polynomial time, the optimal solution of the arising fixpoint equations. Our result implies that "precise" range analysis can be performed in polynomial time without widening and narrowing operations.

