Results 1 
6 of
6
Explaining Counterexamples Using Causality
"... Abstract. When a model does not satisfy a given specification, a counterexample is produced by the model checker to demonstrate the failure. A user must then examine the counterexample trace, in order to visually identify the failure that it demonstrates. If the trace is long, or the specification i ..."
Abstract

Cited by 15 (0 self)
 Add to MetaCart
Abstract. When a model does not satisfy a given specification, a counterexample is produced by the model checker to demonstrate the failure. A user must then examine the counterexample trace, in order to visually identify the failure that it demonstrates. If the trace is long, or the specification is complex, finding the failure in the trace becomes a nontrivial task. In this paper, we address the problem of analyzing a counterexample trace and highlighting the failure that it demonstrates. Using the notion of causality, introduced by Halpern and Pearl, we formally define a set of causes for the failure of the specification on the given counterexample trace. These causes are marked as red dots and presented to the user as a visual explanation of the failure. We study the complexity of computing the exact set of causes, and provide a polynomialtime algorithm that approximates it. This algorithm is implemented as a feature in the IBM formal verification platform RuleBase PE, where these visual explanations are an integral part of every counterexample trace. Our approach is independent of the tool that produced the counterexample, and can be applied as a lightweight external layer to any model checking tool, or used to explain simulation traces. 1
A Framework for Counterexample Generation and Exploration
 In Proceedings of Fundamental Approaches to Software Engineering (FASE’05), volume 3442 of LNCS
, 2005
"... Abstract. Modelchecking is becoming an accepted technique for debugging hardware and software systems. Debugging is based on the “Check / Analyze / Fix ” loop: check the system against a desired property, producing a counterexample when the property fails to hold; analyze the generated counterexamp ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
Abstract. Modelchecking is becoming an accepted technique for debugging hardware and software systems. Debugging is based on the “Check / Analyze / Fix ” loop: check the system against a desired property, producing a counterexample when the property fails to hold; analyze the generated counterexample to locate the source of the error; fix the flawed artifact – the property or the model. The success of modelchecking nontrivial systems critically depends on making this Check / Analyze / Fix loop as tight as possible. In this paper, we concentrate on the Analyze part of the debugging loop. To this end, we present a framework for generating, structuring and exploring counterexamples either interactively or with the help of userspecified strategies. 1
Temporal Logic Query Checking: A Tool for Model Exploration
 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING
, 2003
"... Temporal logic query checking was first introduced by W. Chan in order to speed up design understanding by discovering properties not known a priori. A query is a temporal logic formula containing a special symbol?1, known as a placeholder. Given a Kripke structure and a propositional formula’, we ..."
Abstract

Cited by 10 (5 self)
 Add to MetaCart
Temporal logic query checking was first introduced by W. Chan in order to speed up design understanding by discovering properties not known a priori. A query is a temporal logic formula containing a special symbol?1, known as a placeholder. Given a Kripke structure and a propositional formula’, we say that’satisfies the query if replacing the placeholder by’results in a temporal logic formula satisfied by the Kripke structure. A solution to a temporal logic query on a Kripke structure is the set of all propositional formulas that satisfy the query. Query checking helps discover temporal properties of a system and, as such, is a useful tool for model exploration. In this paper, we show that query checking is applicable to a variety of model exploration tasks, ranging from invariant computation to test case generation. We illustrate these using a Cruise Control System. Additionally, we show that query checking is an instance of a multivalued model checking of Chechik et al. This approach enables us to build an implementation of a temporal logic query checker, TLQSolver, on top of our existing multivalued model checker Chek. It also allows us to decide a large class of queries and introduce witnesses for temporal logic queries—an essential notion for effective model exploration.
Evidence Explorer: A Tool for Exploring ModelChecking Proofs
 In Proceedings of CAV’03, volume 2725 of LNCS
, 2003
"... new tool for assisting users in navigating the proof structure, or evidence, produced by a model checker when attempting to verify a system specification for a temporallogic property. Due to the sheer size of such evidence, singlestep traversal ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
new tool for assisting users in navigating the proof structure, or evidence, produced by a model checker when attempting to verify a system specification for a temporallogic property. Due to the sheer size of such evidence, singlestep traversal
Incremental Construction of Counterexamples in Model Checking Web Documents
"... A new algorithm for incrementally generating counterexamples for the temporal description logic ALCCTL is presented. ALCCTL is a decidable combination of the description logic ALC and computation tree logicCTL that is expressive for content and structurerelated properties of web documents being ve ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
A new algorithm for incrementally generating counterexamples for the temporal description logic ALCCTL is presented. ALCCTL is a decidable combination of the description logic ALC and computation tree logicCTL that is expressive for content and structurerelated properties of web documents being verified by model checking. In the case of a specification violation, existing model checkers provide a single counterexample which may be large and complex. We extend existing algorithms for generating counterexamples in two ways. First, a coarse counterexample is generated initially that can be refined subsequently to the desired level of detail in an incremental manner. Second, the user can choose where and in which way a counterexample is refined. This enables the interactive stepbystep analysis of error scenarios according to the user’s interest. We demonstrate in a case study on a webbased training document that the proposed approach reveals more errors and explains the cause of errors more precisely than the counterexamples of existing model checkers. In addition, we demonstrate that the proposed algorithm is sufficiently fast to enable smooth interaction even in the case of large documents. 1
Structured counterexamples for the temporal description logic A L CCTL
 In Proceedings of the 8th IEEE International Conference on Software Engineering and Formal Methods (SEFM 2010
, 2010
"... Abstract—A new algorithm for generating counterexamples for the temporal description logic ALCCTL is presented. ALCCTL is a decidable combination of the description logic ALC and computation tree logic CTL. It extends CTL by first order quantified expressions over unary and binary predicates. Predic ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract—A new algorithm for generating counterexamples for the temporal description logic ALCCTL is presented. ALCCTL is a decidable combination of the description logic ALC and computation tree logic CTL. It extends CTL by first order quantified expressions over unary and binary predicates. Predicates and quantified expressions are required for representing properties in application domains such as structured web documents and they are frequently used in software and hardware specifications which are verified by model checking. In the case of a specification violation, existing algorithms generate counterexamples that tend to be complex yet imprecise if specifications range over sets of objects. The presented algorithm is the first algorithm for generating counterexamples for a temporal description logic that considers first order predicates and quantification. The algorithm is sound and semicomplete for ALCCTL. The generated counterexamples are both more precise and comprehensible than counterexamples generated by the previous algorithms. Keywordsmodel checking; counterexamples; CTL; temporal description logics; ALCCTL; I.