The GROOVE Simulator: A Tool for State Space Generation Arend Rensink University of Twente P.O.Box 217, 7500 AE Enschede, The Netherlands rensink@cs.utwente.nl Presented at AGTIVE, September 2003, Charlottesville, Virginia. To appear in Lecture Notes in Computer Science, Springer-Verlag. 1 Introduction The tool described here is the first part of a tool set called GROOVE (GRaph-based Object-Oriented VErification) for software model checking of object-oriented systems. The special feature of GROOVE, which sets it apart from other model checking ap- proaches, is that it is based on graph transformations. It uses graphs to represent state snapshots; transitions arise from the application of graph production rules. This yields so-called Graph Transition Systems (GTS’s) as computational models. The simulator does a small part of the job of a model checker: it attempts to generate the full state space of a given graph grammar. This entails recursively computing and applying all enabled graph production rules at each state. Each newly generated state is compared to all known states up to isomorphism; matching states are merged, in the way proposed in [1]. No provisions are currently made for detecting or modelling infinite state spaces. Alternatively, one may choose to simulate productions manually. This paper describes two examples: Sect. 2 shows the behaviour of a circular buffer and Sect. 3 the concurrent invocation of a list append method. In both cases the be- haviour is defined by a graph grammar, but to provide some intuition, Fig. 1 approxi- mately describes the behaviour, using Java code. We conclude in Sect. 4 with a summary of tool design, implementation and planned future extensions. 2 Circular buffer operations We assume the principles of circular buffers to be known. Their representation as graphs is relatively straightforward (see also Fig. 1). The buffer has a set of cells connected by next-edges. One of the cells is designated first and one last. Insertion will occur at last (provided this cell is empty) and retrieval at first (provided this is filled). A value contained in a cell is modelled by a val-labelled edge to an unlabelled node. The cell is empty if and only if there is no outgoing val-edge. (In the Java code of Fig. 1 this corresponds to a null value of the val attribute.) Fig. 2 shows the simulator tool after loading the relevant graph grammar. The GUI of the simulator has two panels: a directory of the available rules with their matches in the current graph, and the current graph itself — in this case the initial graph, mod- elling a three-cell empty circular buffer. The latter panel can also display the currently selected rule and the resulting GTS (insofar generated), instead of the current graph.