Results 1 
9 of
9
Explaining Counterexamples Using Causality
"... Abstract. When a model does not satisfy a given specification, a counterexample is produced by the model checker to demonstrate the failure. A user must then examine the counterexample trace, in order to visually identify the failure that it demonstrates. If the trace is long, or the specification i ..."
Abstract

Cited by 26 (1 self)
 Add to MetaCart
(Show Context)
Abstract. When a model does not satisfy a given specification, a counterexample is produced by the model checker to demonstrate the failure. A user must then examine the counterexample trace, in order to visually identify the failure that it demonstrates. If the trace is long, or the specification is complex, finding the failure in the trace becomes a nontrivial task. In this paper, we address the problem of analyzing a counterexample trace and highlighting the failure that it demonstrates. Using the notion of causality, introduced by Halpern and Pearl, we formally define a set of causes for the failure of the specification on the given counterexample trace. These causes are marked as red dots and presented to the user as a visual explanation of the failure. We study the complexity of computing the exact set of causes, and provide a polynomialtime algorithm that approximates it. This algorithm is implemented as a feature in the IBM formal verification platform RuleBase PE, where these visual explanations are an integral part of every counterexample trace. Our approach is independent of the tool that produced the counterexample, and can be applied as a lightweight external layer to any model checking tool, or used to explain simulation traces. 1
A Framework for Counterexample Generation and Exploration
 In Proceedings of Fundamental Approaches to Software Engineering (FASE’05), volume 3442 of LNCS
, 2005
"... Abstract. Modelchecking is becoming an accepted technique for debugging hardware and software systems. Debugging is based on the “Check / Analyze / Fix ” loop: check the system against a desired property, producing a counterexample when the property fails to hold; analyze the generated counterexamp ..."
Abstract

Cited by 15 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Modelchecking is becoming an accepted technique for debugging hardware and software systems. Debugging is based on the “Check / Analyze / Fix ” loop: check the system against a desired property, producing a counterexample when the property fails to hold; analyze the generated counterexample to locate the source of the error; fix the flawed artifact – the property or the model. The success of modelchecking nontrivial systems critically depends on making this Check / Analyze / Fix loop as tight as possible. In this paper, we concentrate on the Analyze part of the debugging loop. To this end, we present a framework for generating, structuring and exploring counterexamples either interactively or with the help of userspecified strategies. 1
Temporal Logic Query Checking: A Tool for Model Exploration
 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING
, 2003
"... Temporal logic query checking was first introduced by W. Chan in order to speed up design understanding by discovering properties not known a priori. A query is a temporal logic formula containing a special symbol?1, known as a placeholder. Given a Kripke structure and a propositional formula’, we ..."
Abstract

Cited by 11 (5 self)
 Add to MetaCart
(Show Context)
Temporal logic query checking was first introduced by W. Chan in order to speed up design understanding by discovering properties not known a priori. A query is a temporal logic formula containing a special symbol?1, known as a placeholder. Given a Kripke structure and a propositional formula’, we say that’satisfies the query if replacing the placeholder by’results in a temporal logic formula satisfied by the Kripke structure. A solution to a temporal logic query on a Kripke structure is the set of all propositional formulas that satisfy the query. Query checking helps discover temporal properties of a system and, as such, is a useful tool for model exploration. In this paper, we show that query checking is applicable to a variety of model exploration tasks, ranging from invariant computation to test case generation. We illustrate these using a Cruise Control System. Additionally, we show that query checking is an instance of a multivalued model checking of Chechik et al. This approach enables us to build an implementation of a temporal logic query checker, TLQSolver, on top of our existing multivalued model checker Chek. It also allows us to decide a large class of queries and introduce witnesses for temporal logic queries—an essential notion for effective model exploration.
Evidence Explorer: A Tool for Exploring ModelChecking Proofs
 In Proceedings of CAV’03, volume 2725 of LNCS
, 2003
"... new tool for assisting users in navigating the proof structure, or evidence, produced by a model checker when attempting to verify a system specification for a temporallogic property. Due to the sheer size of such evidence, singlestep traversal ..."
Abstract

Cited by 7 (4 self)
 Add to MetaCart
(Show Context)
new tool for assisting users in navigating the proof structure, or evidence, produced by a model checker when attempting to verify a system specification for a temporallogic property. Due to the sheer size of such evidence, singlestep traversal
M.: CTL ModelChecking with Graded Quantifiers
 ATVA 2008. LNCS
, 2008
"... Abstract. The use of the universal and existential quantifiers with the capability to express the concept of at least k or all but k, for a nonnegative integer k, has been thoroughly studied in various kinds of logics. In classical logic there are counting quantifiers, in modal logics graded modali ..."
Abstract

Cited by 5 (3 self)
 Add to MetaCart
Abstract. The use of the universal and existential quantifiers with the capability to express the concept of at least k or all but k, for a nonnegative integer k, has been thoroughly studied in various kinds of logics. In classical logic there are counting quantifiers, in modal logics graded modalities, in description logics number restrictions. Recently, the complexity issues related to the decidability of the μcalculus, when the universal and existential quantifiers are augmented with graded modalities, have been investigated by Kupfermann, Sattler and Vardi. They have shown that this problem is ExpTimecomplete. In this paper we consider another extension of modal logic, the Computational Tree Logic CTL, augmented with graded modalities generalizing standard quantifiers and investigate the complexity issues, with respect to the modelchecking problem. We consider a system model represented by a pointed Kripke structure K and give an algorithm to solve the modelchecking problem running in time O(K  · ϕ) which is hence tight for the problem (where ϕ  is the number of temporal and boolean operators and does not include the values occurring in the graded modalities). In this framework, the graded modalities express the ability to generate a userdefined number of counterexamples (or evidences) to a specification ϕ given in CTL. However these multiple counterexamples can partially overlap, that is they may share some behavior. We have hence investigated the case when all of them are completely disjoint. In this case we prove that the modelchecking problem is both NPhard and coNPhard and give an algorithm for solving it running in polynomial space. We have thus studied a fragment of this gradedCTL logic, and have proved that the modelchecking problem is solvable in polynomial time. 1
GradedCTL: Satisfiability and Symbolic Model Checking
 In ICFEM’10, LNCS 5885
, 2009
"... Abstract. In this paper we continue the study of a strict extension of the Computation Tree Logic, called gradedCTL, recently introduced by the same authors. This new logic augments the standard quantifiers with graded modalities, being able thus to express “There exist at least k ” or “For all but ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Abstract. In this paper we continue the study of a strict extension of the Computation Tree Logic, called gradedCTL, recently introduced by the same authors. This new logic augments the standard quantifiers with graded modalities, being able thus to express “There exist at least k ” or “For all but k ” futures, for some constant k. One can thus describe properties useful in system design, which cannot be expressed with CTL, like a sort of redundant liveness property asking whether there is more than one path satisfying that “something good eventually happens”, making thus the system more tolerant to possible faults. GradedCTL formulas can also be used to determine whether there are more than a given number of bad behaviors of a system: this, in the modelchecking framework, means that one can verify the existence of a userdefined number of counterexamples for a given specification and generate them, in a unique run of the modelchecker. Here we show both theoretical and applicative contributions. On the
Incremental Construction of Counterexamples in Model Checking Web Documents
"... A new algorithm for incrementally generating counterexamples for the temporal description logic ALCCTL is presented. ALCCTL is a decidable combination of the description logic ALC and computation tree logicCTL that is expressive for content and structurerelated properties of web documents being ve ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
(Show Context)
A new algorithm for incrementally generating counterexamples for the temporal description logic ALCCTL is presented. ALCCTL is a decidable combination of the description logic ALC and computation tree logicCTL that is expressive for content and structurerelated properties of web documents being verified by model checking. In the case of a specification violation, existing model checkers provide a single counterexample which may be large and complex. We extend existing algorithms for generating counterexamples in two ways. First, a coarse counterexample is generated initially that can be refined subsequently to the desired level of detail in an incremental manner. Second, the user can choose where and in which way a counterexample is refined. This enables the interactive stepbystep analysis of error scenarios according to the user’s interest. We demonstrate in a case study on a webbased training document that the proposed approach reveals more errors and explains the cause of errors more precisely than the counterexamples of existing model checkers. In addition, we demonstrate that the proposed algorithm is sufficiently fast to enable smooth interaction even in the case of large documents. 1
Structured counterexamples for the temporal description logic A L CCTL
 In Proceedings of the 8th IEEE International Conference on Software Engineering and Formal Methods (SEFM 2010
, 2010
"... Abstract—A new algorithm for generating counterexamples for the temporal description logic ALCCTL is presented. ALCCTL is a decidable combination of the description logic ALC and computation tree logic CTL. It extends CTL by first order quantified expressions over unary and binary predicates. Predic ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
(Show Context)
Abstract—A new algorithm for generating counterexamples for the temporal description logic ALCCTL is presented. ALCCTL is a decidable combination of the description logic ALC and computation tree logic CTL. It extends CTL by first order quantified expressions over unary and binary predicates. Predicates and quantified expressions are required for representing properties in application domains such as structured web documents and they are frequently used in software and hardware specifications which are verified by model checking. In the case of a specification violation, existing algorithms generate counterexamples that tend to be complex yet imprecise if specifications range over sets of objects. The presented algorithm is the first algorithm for generating counterexamples for a temporal description logic that considers first order predicates and quantification. The algorithm is sound and semicomplete for ALCCTL. The generated counterexamples are both more precise and comprehensible than counterexamples generated by the previous algorithms. Keywordsmodel checking; counterexamples; CTL; temporal description logics; ALCCTL; I.