Arend Rensink
University of Twente
Publication
Featured research published by Arend Rensink.
Lecture Notes in Computer Science | 2004
Arend Rensink
The tool described here is the first part of a tool set called GROOVE (GRaph-based Object-Oriented VErification) for software model checking of object-oriented systems. The special feature of GROOVE, which sets it apart from other model checking approaches, is that it is based on graph transformations. It uses graphs to represent state snapshots; transitions arise from the application of graph production rules. This yields so-called Graph Transition Systems (GTS's) as computational models.
international conference on graph transformation | 2004
Arend Rensink; Ákos Schmidt; Dániel Varró
Abstract. Model checking is increasingly popular for hardware and, more recently, software verification. In this paper we describe two different approaches to extend the benefits of model checking to systems whose behavior is specified by graph transformation systems. One approach is to encode the graphs into the fixed state vectors and the transformation rules into guarded commands that modify these state vectors appropriately to enjoy all the benefits of the years of experience incorporated in existing model checking tools. The other approach is to simulate the graph production rules directly and build the state space directly from the resultant graphs and derivations. This avoids the preprocessing phase, and makes additional abstraction techniques available to handle symmetries and dynamic allocation. In this paper we compare these approaches on the basis of three case studies elaborated in both of them, and we evaluate the results. Our conclusion is that the first approach outperforms the second if the dynamic and/or symmetric nature of the problem under analysis is limited, while the second shows its superiority for inherently dynamic and symmetric problems.
international workshop on model checking software | 2006
Harmen Kastenberg; Arend Rensink
Much research has been done in the field of model-checking complex systems (either hardware or software). Approaches that use explicit state modelling mostly use bit vectors to represent the states of such systems. Unfortunately, that kind of representation does not extend smoothly to systems in which the states contain values from a domain other than primitive types, such as reference values commonly used in object-oriented systems. In this paper we report preliminary results on applying CTL model checking on state spaces generated using graph transformations. The states of such state spaces have an internal graph structure which makes it possible to represent complex system states without the need to know the exact structure beforehand as when using bit vectors.
International Journal on Software Tools for Technology Transfer | 2012
Amir Hossein Ghamarian; Maarten de Mol; Arend Rensink; Eduardo Zambon; Maria Zimakova
In this paper we present case studies that describe how the graph transformation tool groove has been used to model problems from a wide variety of domains. These case studies highlight the wide applicability of groove in particular, and of graph transformation in general. They also give concrete templates for using groove in practice. Furthermore, we use the case studies to analyse the main strong and weak points of groove.
international conference on graph transformation | 2004
Arend Rensink
Abstract. We show how edge-labelled graphs can be used to represent first-order logic formulae. This gives rise to recursively nested structures, in which each level of nesting corresponds to the negation of a set of existentials. The model is a direct generalisation of the negative application conditions used in graph rewriting, which count a single level of nesting and are thereby shown to correspond to the fragment ∃¬∃ of first-order logic. Vice versa, this generalisation may be used to strengthen the notion of application conditions. We then proceed to show how these nested models may be flattened to (sets of) plain graphs, by allowing some structure on the labels. The resulting formulae-as-graphs may form the basis of a unification of the theories of graph transformation and predicate transformation.
european symposium on programming | 2004
Arend Rensink
Abstract. Graphs are an intuitive model for states of a (software) system that include pointer structures — for instance, object-oriented programs. However, a naive encoding results in large individual states and large, or even unbounded, state spaces. As usual, some form of abstraction is necessary in order to arrive at a tractable model. In this paper we propose a decidable fragment of first-order graph logic that we call local shape logic (LSL) as a possible abstraction mechanism, inspired by previous work of Sagiv, Reps and Wilhelm. An LSL formula constrains the multiplicities of nodes and edges in state graphs; abstraction is achieved by reasoning not about individual, concrete state graphs but about their characteristic shape properties. We go on to define the concept of the canonical shape of a state graph, which is expressed in a monomorphic sub-fragment of LSL, for which we define a graphical representation. We show that the canonical shapes give rise to an automatic finite abstraction of the state space of a software system, and we give an upper bound to the size of this abstract state space.
fundamental approaches to software engineering | 2005
Gabriele Taentzer; Arend Rensink
Graphs are a common means to represent structures in models and meta-models of software systems. In this context, the description of model domains by classifying the domain entities and their relations using class diagrams or type graphs has emerged as a very valuable principle. The constraints that can be imposed by pure typing are, however, relatively weak; it is therefore common practice to enrich type information with structural properties (such as local invariants or multiplicity conditions) or inheritance. In this paper, we show how to formulate structural properties using graph constraints in type graphs with inheritance, and we show how to translate constrained type graphs with inheritance to equivalent constrained simple type graphs. From existing theory it then follows that graph constraints can be translated into pre-conditions for productions of a typed graph transformation system which ensures those graph constraints. This result can be regarded as a further important step of integrating graph transformation with object-orientation concepts.
international conference on graph transformation | 2006
Annegret Habel; Karl-Heinz Pennemann; Arend Rensink
In proof theory, a standard method for showing the correctness of a program w.r.t. given pre- and postconditions is to construct a weakest precondition and to show that the precondition implies the weakest precondition. In this paper, graph programs in the sense of Habel and Plump 2001 are extended to programs over high-level rules with application conditions, a formal definition of weakest preconditions for high-level programs in the sense of Dijkstra 1975 is given, and a construction of weakest preconditions is presented.
Information & Computation | 2000
Arend Rensink
Traditionally, in process calculi, relations over open terms, i.e., terms with free process variables, are defined as extensions of closed-term relations: two open terms are related if and only if all their closed instantiations are related. Working in the context of bisimulation, in this paper we study a different approach; we define semantic models for open terms, so-called conditional transition systems, and define bisimulation directly on those models. It turns out that this can be done in at least two different ways, one giving rise to De Simone's formal hypothesis bisimilarity and the other to a variation which we call hypothesis-preserving bisimilarity (denoted ~fh and ~hp, respectively). For open terms, we have (strict) inclusions ~fh ⊂ ~hp ⊂ ~ci (the latter denoting the standard “closed instance” extension); for closed terms, the three coincide. Each of these relations is a congruence in the usual sense. We also give an alternative characterisation of ~hp in terms of nonconditional transitions, as substitution-closed bisimilarity (denoted ~sb). Finally, we study the issue of recursion congruence: we prove that each of the above relations is a congruence with respect to the recursion operator; however, for ~ci this result holds under more restrictive conditions than for ~fh and ~hp.
aspect-oriented software development | 2009
Mehmet Aksit; Arend Rensink; Tom Staijen
Aspects that in isolation behave correctly may interact when being combined. When interaction changes an aspect's behaviour or disables an aspect, we call this interference. One particular type of interference occurs when aspects are applied to shared join points, since then the ordering of the aspects can also influence the behaviour of the composition. We present an approach to detect aspect interference at shared join points. Aspect compositions are modelled by using a graph production system for modelling aspect-language semantics. A graph-based model of a join point is generated from the source code of the system. This graph is transformed into a runtime-state representation. Combined with the production system (and the correct tooling) the execution of the aspects is simulated. This simulation results in a labelled transition system that can be used to analyse and verify different properties of the system at the join point. Simulation of the entire system can be computationally expensive. In our approach, we decide to abstract base system execution into non-deterministic valuation and carefully choosing advice semantics, such that simulation of the entire system can be avoided.