Abstract
Given a textual representation of a finite-state concurrent program $P$, one can construct the corresponding Kripke structure $\mathcal{M}$. However, the size of $\mathcal{M}$ can be exponentially larger than the textual size of $P$. This state explosion can make model checking properties of $P$ via $\mathcal{M}$ expensive or even infeasible. The action of a symmetry group $G$ on $\mathcal{M}$ can be used to produce a smaller Kripke structure $\overline{\mathcal{M}}$. Various authors have exploited the direct correspondence between $\mathcal{M}$ and $\overline{\mathcal{M}}$ to perform model checking. When the structure $\mathcal{M}$ does not satisfy a formula, one can look for a substructure that will satisfy the formula. We call this substructure-repair: identifying a substructure $\mathcal{N}$ of $\mathcal{M}$ that satisfies a given temporal logic formula.

In this paper we extend previous work by showing that repairs of $\overline{\mathcal{M}}$ lift to repairs of $\mathcal{M}$. In other words, we can repair a computer program $P$, which exhibits a high degree of symmetry, by repairing the smaller Kripke structure $\overline{\mathcal{M}}$ and then symmetrizing the corresponding program. To do this we arrange the substructures of $\mathcal{M}$ and $\overline{\mathcal{M}}$ into substructure lattices that are ordered by substructure inclusion. We show that the substructures of $\mathcal{M}$ preserved by $G$ form a (sub)lattice that maps to the substructure lattice of $\overline{\mathcal{M}}$. When restricted to the lattice of substructures of $\mathcal{M}$ that are “maximal” with the action of $G$ on $\mathcal{M}$, the above map is a lattice isomorphism.

These results enable us to repair $\overline{\mathcal{M}}$ and then to lift the repair to $\mathcal{M}$. In cases where a program has a high degree of symmetry, such as in many concurrent programs, we can repair the program by repairing the small Kripke structure $\overline{\mathcal{M}}$.
Publisher
Springer Nature Switzerland