Explicit State Model Checking for Graph Grammars

Arend Rensink
Department of Computer Science, University of Twente, The Netherlands
rensink@cs.utwente.nl

Abstract. In this paper we present the philosophy behind the GROOVE project, in which graph transformation is used as a modelling formalism on top of which a model checking approach to software verification is being built. We describe the basic formalism, the current state of the project, and (current and future) challenges.

1 Introduction

Our primary interest in this paper is software model checking, in particular of object-oriented programs. Model checking has been quite successful as a hardware verification technique and its potential application to software is receiving wide research interest. Indeed, software model checkers are being developed and applied at several research institutes; we mention Bogor [32] and Java Pathfinder [17] as two well-known examples of model checkers for Java.

Despite these developments, we claim that there is an aspect of software that does not occur in this form in hardware, and which is only poorly covered by existing model checking theory: dynamic (de)allocation, both on the heap (due to object creation and garbage collection) and on the stack (due to mutual and recursive method calls and returns). Classical model checking approaches are based on propositional logic with a fixed number of propositions; this does not allow a straightforward representation of systems that may involve variable, possibly unbounded numbers of objects. Although there exist workarounds for this (as evidenced by the fact that, as we have already seen, there are working model checkers for Java) we strongly feel that a better theoretical understanding of the issues involved is needed.
Graphs are an obvious choice for modelling the structures involved, at least informally; direct evidence of this can be found in the fact that any textbook of object-oriented programming uses graphs (of some form) for illustrative purposes. Indeed, a graph model is a very straightforward way to visualise and reason about heap and stack structures, at least when they are of restricted size. In fact, there is no a priori reason why this connection cannot be exploited beyond the informal, given the existence of a rich theory of (in particular) graph transformation — see for instance the handbook [33], or the more recent textbook [8]. By adopting graph transformation, one can model the computation steps of object-oriented systems through rules working directly on the graphs, rather than through some intermediate modelling language, such as a process algebra. This insight has been the inspiration for the GROOVE project and tool.¹ Though the idea is in itself not revolutionary or unique, the approach we have followed differs

¹ GROOVE stands for “GRaphs for Object-Oriented VErification”.

P. Degano et al. (Eds.): Montanari Festschrift, LNCS 5065, pp. 114–132, 2008. © Springer-Verlag Berlin Heidelberg 2008
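To make the two points of the introduction concrete (rules that rewrite a heap-shaped graph directly, and the fact that dynamic allocation gives a state space whose node identities are unbounded), here is a small explicit-state exploration written for this page. It is an added illustration, not GROOVE's own code: the graph encoding, the two rules (allocate a cell at the tail of a list, free the head cell), the capacity bound `CAP` and the brute-force isomorphism key `canonical` are all assumptions chosen for size. The point it shows is that exploring the same rules with plain graph equality (`identity`) never converges, because every allocation yields a fresh node id, while comparing states up to isomorphism gives a finite space on which a safety check (here: no cell becomes unreachable from the root) can be run over every state.

```python
"""Explicit-state exploration of heap-like graphs under graph rewrite rules.

Added illustration (not GROOVE code): states are graphs, rules allocate and
free nodes, and states are compared up to isomorphism so that fresh node
identities do not make the state space unbounded.
"""
from collections import deque
from itertools import permutations

ROOT = 0          # fixed node standing for a static reference to the list head
CAP = 3           # assumed capacity bound for the list modelled here
MAX_STATES = 50   # budget so that an unbounded exploration still terminates


def make_graph(nodes, edges):
    """A graph is (frozenset of node ids, frozenset of (src, label, dst) edges)."""
    return (frozenset(nodes), frozenset(edges))


def cells(graph):
    """List cells in order, following ROOT --head--> c1 --next--> c2 ..."""
    _, edges = graph
    out = {(s, lab): d for s, lab, d in edges}
    seq, cur = [], out.get((ROOT, "head"))
    while cur is not None:
        seq.append(cur)
        cur = out.get((cur, "next"))
    return seq


def rule_append(graph):
    """Allocate a fresh cell and link it at the tail (enabled while below CAP)."""
    nodes, edges = graph
    seq = cells(graph)
    if len(seq) >= CAP:
        return []
    new = max(nodes) + 1                      # fresh identity, like a new object
    link = (ROOT, "head", new) if not seq else (seq[-1], "next", new)
    return [make_graph(nodes | {new}, edges | {link})]


def rule_pop(graph):
    """Unlink and delete the head cell (models deallocation / garbage collection)."""
    nodes, edges = graph
    seq = cells(graph)
    if not seq:
        return []
    head = seq[0]
    kept = {e for e in edges if head not in (e[0], e[2])}
    if len(seq) > 1:
        kept.add((ROOT, "head", seq[1]))
    return [make_graph(nodes - {head}, kept)]


RULES = [rule_append, rule_pop]


def canonical(graph):
    """Isomorphism key: renumber non-root nodes over all permutations and keep the
    least edge tuple. Brute force, adequate for the handful of nodes used here."""
    nodes, edges = graph
    others = sorted(n for n in nodes if n != ROOT)
    best = None
    for perm in permutations(range(1, len(others) + 1)):
        ren = dict(zip(others, perm))
        ren[ROOT] = ROOT
        cand = tuple(sorted((ren[s], lab, ren[d]) for s, lab, d in edges))
        if best is None or cand < best:
            best = cand
    return (len(nodes), best)


def identity(graph):
    """Key that treats graphs differing only in node ids as different states."""
    return graph


def explore(start, key=canonical, max_states=MAX_STATES):
    """Breadth-first state-space generation; `key` decides when two states coincide."""
    seen = {key(start): start}
    queue = deque([start])
    while queue and len(seen) < max_states:
        g = queue.popleft()
        for rule in RULES:
            for succ in rule(g):
                k = key(succ)
                if k not in seen:
                    seen[k] = succ
                    queue.append(succ)
    return list(seen.values())


def leaked(graph):
    """Safety check on one state: non-root nodes not reachable from ROOT."""
    nodes, _ = graph
    return nodes - {ROOT} - set(cells(graph))


START = make_graph({ROOT}, set())

if __name__ == "__main__":
    iso_states = explore(START)                 # 4 states: lists of 0..3 cells
    raw_states = explore(START, key=identity)   # hits the budget: ids keep growing
    print(len(iso_states), len(raw_states))
    print(all(not leaked(g) for g in iso_states))
```

With `CAP = 3` the isomorphism-reduced exploration yields exactly four states (lists of length 0 to 3), whereas the identity-keyed exploration keeps discovering "new" lists that differ only in which integer was handed out by the allocator and only stops because of `MAX_STATES`. Real tools replace the permutation loop with a proper graph canonicalisation or isomorphism check; the brute-force version here is only meant to make the reduction visible.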