A tool for symbolic program verification and abstraction*

Susanne Graf and Claire Loiseaux
VERIMAG, BP 53X, F-38041 Grenoble, e-mail: {graf,loiseaux}@imag.fr

* This work was partially supported by ESPRIT Basic Research Actions "SPEC" and "REACT".

Abstract: We give the description of a verification tool taking boolean programs of guarded commands as input; the internal representation of a program is a set of Binary Decision Diagrams (BDDs), one for each guarded command. The tool can construct an abstract program of the same form, obtained using an abstraction relation given by a boolean expression on "concrete" and "abstract" variables, and it allows the verification of CTL formulas on programs. We illustrate its possibilities on an example.

1 Introduction

In the domain of program verification an obvious idea is to verify some abstract program instead of the complete specification (called the concrete program), depending on the properties to be verified. The motivation is to make the representation of the program model smaller, for two reasons: one is to make the verification faster; the other is that in most practical cases the model of the concrete program is too large to be verified, whereas an abstraction of it may be sufficiently small and still contain sufficient information with respect to the properties to be verified. However, this approach raises the problem of property preservation, i.e., we have to know which properties holding on the abstract program also hold on the concrete one. The investigation of property preserving abstractions of reactive systems has been the object of intensive research during the last years. Results have been given e.g. in [Kur89,CGL92,BBLS92,GL92].

One way to define abstractions is via a behavioral equivalence, such as observational equivalence [Mil80]; in this case, an abstract program can be calculated by constructing an equivalent program which is minimal with respect to the chosen equivalence, using for example the algorithm of minimal model generation given in [Fer90] or [BFH90]. These algorithms calculate the largest possible partition of the domain (set of states) of the program such that the following program is equivalent to the original one: take as domain the set of calculated classes, and as transition relation the one relating two abstract states if and only if two elements of the corresponding classes are related. The advantage of this method is that for a large class of properties, the abstract program satisfies a property if and only if the concrete program satisfies it (i.e., one has strong preservation); its disadvantage is the high cost of computing such an abstract program.

Here we present a tool implementing the ideas presented recently in [BBLS92,GL92] and before in [Sif83] and, in some sense, also in [CC77]. Instead of calculating the largest partition on the domain of the concrete program, such that the obtained abstraction is
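The abstraction step described in the introduction (two abstract states are related iff related concrete states lie in their classes) is worked out below for a constructed 2-bit counter written as guarded commands, with an abstraction relation rho given as a boolean expression over concrete and abstract variables; each command is abstracted separately so the abstract program keeps the guarded-command form. This is an added illustration, not the paper's tool or its code: transition relations are enumerated explicitly as sets rather than stored as BDDs, and all names and the sample program are assumptions.

```python
from itertools import product

def valuations(n):
    """All valuations of n boolean variables, as tuples of 0/1."""
    return list(product((0, 1), repeat=n))

def command_relation(guard, assign, n):
    """Transition relation of one guarded command `guard -> assign` over n
    concrete variables: the set of (state, successor) pairs it enables.
    (The tool keeps one BDD per command; here the set is enumerated.)"""
    return {(s, assign(s)) for s in valuations(n) if guard(s)}

def abstract_relation(rel, rho, m):
    """Abstract a concrete relation through rho(x, a): the abstract pair (a, a')
    is a transition iff some concrete pair (x, x') in rel satisfies rho(x, a)
    and rho(x', a'). For a partition this is exactly the class construction
    described in the text; it also works for any relation rho."""
    return {(a, a2) for a in valuations(m) for a2 in valuations(m)
            if any(rho(x, a) and rho(x2, a2) for (x, x2) in rel)}

# Constructed concrete program: a 2-bit counter x = (x1, x0), value 2*x1 + x0.
N = 2
def inc(s):                      # x := x + 1 mod 4
    v = (2 * s[0] + s[1] + 1) % 4
    return (v // 2, v % 2)
CONCRETE = {
    "inc":   (lambda s: True, inc),
    "reset": (lambda s: s[0] == 1 and s[1] == 1, lambda s: (0, 0)),
}

# Abstraction relation as a boolean expression on concrete and abstract
# variables: a0 <-> x1, i.e. the abstract state only records whether x >= 2.
M = 1
def rho(x, a):
    return a[0] == x[0]

def abstract_program(concrete=CONCRETE, rho=rho, n=N, m=M):
    """Abstract each guarded command on its own, preserving the program shape."""
    return {name: abstract_relation(command_relation(g, f, n), rho, m)
            for name, (g, f) in concrete.items()}

if __name__ == "__main__":
    for name, rel in abstract_program().items():
        print(name, sorted(rel))
```

Note that `inc` abstracts to all four abstract transitions (the abstraction loses the counter's exact value), while `reset` keeps its single transition from the "x >= 2" class to the "x < 2" class.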