## Finding and fixing faults (2005)


Venue: Paul (Eds.), 13th Conference on Correct Hardware Design and Verification Methods (CHARME ’05)

Citations: 26 (5 self)

### BibTeX

@INPROCEEDINGS{Staber05findingand,
  author = {Stefan Staber and Roderick Bloem},
  title = {Finding and fixing faults},
  booktitle = {Paul (Eds.), 13th Conference on Correct Hardware Design and Verification Methods (CHARME ’05)},
  year = {2005},
  pages = {35--49},
  publisher = {Springer-Verlag}
}


### Abstract

Knowing that a program has a bug is good, knowing its location is better, but a fix is best. We present a method to automatically locate and correct faults in a finite state system, either at the gate level or at the source level. We assume that the specification is given in Linear Temporal Logic, and state the correction problem as a game, in which the protagonist selects a faulty component and suggests alternative behavior. The basic approach is complete but as complex as synthesis. It also suffers from problems of readability: the correction may add state and logic to the system. We present two heuristics. The first avoids the doubly exponential blowup associated with synthesis by using nondeterministic automata. The second heuristic finds a memoryless strategy, which we show is an NP-complete problem. A memoryless strategy corresponds to a simple, local correction that does not add any state. The drawback of the two heuristics is that they are not complete unless the specification is an invariant. Our approach is general: the user can define what constitutes a component, and the suggested correction can be an arbitrary combinational function of the current state and the inputs. We show experimental results supporting the applicability of our approach.

### Citations

2675 | Model Checking - Clarke, Grumberg, et al. - 2002
Citation context: ...true U ϕ and Gψ = false R ψ. Note that our LTL formulas are defined in negation normal form. We define L(ϕ) = {w ∈ (2^AP)^ω | w |= ϕ}. For an intuitive explanation and a formal definition of LTL, see [44]. 3.2 Finite State Machines and Circuits. A finite state machine (FSM) over a finite alphabet AP is a tuple M = (S, s0, I, δ, λ), where S is a finite set of states, s0 ∈ S is the initial state, I is a ...

947 | A theory of diagnosis from first principles - Reiter - 1987
Citation context: ...es of the system, which is doubly exponential. Thus, we do not consider it wise to enumerate all possible fault models and our approach should not be considered abductive. Consistency-based diagnosis [36,37] does not require the possible faults to be known and does not produce a correction. Rather, it considers the faulty behavior as a contradiction between the actual and the expected behavior of the sys...

698 | Diagnosing multiple faults - Kleer, Williams - 1987
Citation context: ...es of the system, which is doubly exponential. Thus, we do not consider it wise to enumerate all possible fault models and our approach should not be considered abductive. Consistency-based diagnosis [36,37] does not require the possible faults to be known and does not produce a correction. Rather, it considers the faulty behavior as a contradiction between the actual and the expected behavior of the sys...

628 | The control of discrete event systems - Ramadge, Wonham - 1989
Citation context: ...a set of infinite sequences of states. With the exception of this section and Section 5.3, we will assume that δ is a complete function. In the terminology of control theory of discrete event systems [45], our game is a plant with a specification. The environment actions are given by the set I and the plant can be controlled by a set of actions C. The challenge is to find a controller that delivers th...

486 | Lazy abstraction - Henzinger, Jhala, et al. - 2002
Citation context: ...rumented versions of the examples are available at: http://www.ist.tugraz.at/verify/view/Projects/FindAndFix. 7.1 Locking Example. Fig. 10 shows an abstract program that realizes simple lock operations [64,16]. Nondeterministic choices in the program are represented by *. The specification should hold regardless of the nondeterministic choices taken, and thus the program abstracts a set of concrete program...

408 | Automatically validating temporal safety properties of interfaces - Ball, Rajamani

357 | On the synthesis of a reactive module - Pnueli, Rosner - 1989

288 | Simple on-the-fly automatic verification of linear temporal logic - Gerth, Peled, et al. - 1995
Citation context: ...lowup, we can either use heuristics to reduce the number of nondeterministic states in the automaton [50], or we can use a restricted subset of LTL. Maidl [51] shows that translations in the style of [52] (of which we use a variant, [53]) yield deterministic automata for the formulas in the set LTL_det, which is defined as follows: If ϕ1 and ϕ2 are LTL_det formulas, and p is a predicate, then p, ϕ1 ∧ ...

264 | Reasoning about infinite computations - Vardi, Wolper - 1994
Citation context: ...fix a simple fault by the addition of a large amount of state. Therefore, [JGB05] proposes a heuristic approach. The approach constructs a nondeterministic Büchi automaton from ϕ in the standard way [VW94], which causes only a singly exponential blowup. It then constructs the product of the Büchi automaton and the game. The result is a Büchi game, which in general has a finite-state strategy. To avoi...

247 | Checking that Finite State Concurrent Programs Satisfy their Specifications - Lichtenstein - 1985
Citation context: ...uch games, we will write B for F. We can convert an LTL formula ϕ over the set of atomic propositions AP to a Büchi game A = (Q, q0, 2^AP, C, δ, λ, B) such that I(A) is the set of words satisfying ϕ [46,47]. The system choice C models the nondeterminism of the automaton. The size of the resulting automaton is exponential in the length of the formula in the worst case. (See [44] for an introduction.) 3.4...

239 | Efficient model checking in fragments of the propositional mu-calculus - Emerson, Lei - 1986
Citation context: ...analysis remains valid for any fixed number of simultaneous faults, it is exponential in the number of simultaneous faults.) Like the Emerson-Lei algorithm, which is typically used for model checking [60,61], a symbolic implementation needs a quadratic number of preimage computations to compute the winning region of a Büchi game. (The number of preimages is an important measure of complexity [62].) For i...

219 | Simplifying and isolating failure-inducing input - Zeller, Hildebrandt - 2002
Citation context: ... More recently, [12] proposes a method to remove irrelevant variables from a counterexample derived using bounded model checking. Similarly, in the setting of software testing, Zeller and Hildebrandt [13] consider the problem of simplifying the input that causes the failure. The authors of [14] show how to help the user understand the counterexample. The user partitions the inputs into signals contro...

204 | Isolating cause-effect chains from computer programs - Zeller

182 | Supporting controlled experimentation with testing techniques: An infrastructure and its potential impact - Do, Elbaum, et al. - 2005
Citation context: ...ty of our results with related work, we use the TCAS example used in a number of papers on error localization [18,19,66]. TCAS (Traffic Collision Avoidance System) is a task of the Siemens test suite [67] and consists of about 150 lines of C code in 41 different versions with known errors. The suite also contains a set of test cases and their results for the different TCAS versions. We consider a prog...

177 | The Directed Subgraph Homeomorphism Problem - Fortune, Hopcroft, et al. - 1980
Citation context: ...n P from v to w is mapped to a simple path in G from f(v) to f(w). The subgraph homeomorphism problem is to decide, given G, P, and f, whether G is homeomorphic to P. Fortune, Hopcroft, and Wyllie [55] study the fixed pattern graph homeomorphism problem, in which P is fixed. They partition the set of pattern graphs in two subsets. First, if all edges in the pattern graph are outgoing from or ingoin...

167 | On the synthesis of strategies in infinite games - Thomas - 1995
Citation context: ...king of fair CTL and are easily implemented symbolically. The difference is the use of MX instead of EX. Using these fixpoint formulas, we can compute memoryless strategies for safety and Büchi games [48]. For a safety game with condition A, the strategy σ(s, i) = {c ∈ C | ∃s′ ∈ MG A : (s, i, c, s′) ∈ δ} is winning if and only if s0 ∈ MG A. For a Büchi game, we define W = νZ. MX MZ U (Z ∩ B). The set ...

159 | Fault Localization with Nearest Neighbor Queries - Renieris, Reiss - 2003
Citation context: ...s only one suggestion corresponding to the change in Line 2. 7.5 TCAS. To compare the quality of our results with related work, we use the TCAS example used in a number of papers on error localization [18,19,66]. TCAS (Traffic Collision Avoidance System) is a task of the Siemens test suite [67] and consists of about 150 lines of C code in 41 different versions with known errors. The suite also contains a set...

159 | Myths about the mutual exclusion problem - Peterson - 1981
Citation context: ...t have no deterministic automaton (see Section 5.1). The example from [25] depicts two processes that share flag and turn variables, which are used to avoid concurrent access to the variables x and y [65]. The example contains an arbiter (not shown) that nondeterministically yields control to either Process A or B, and records its choice in the variable arbiter. The fault is that turn1B is set to false ...

151 | Logic synthesis and verification algorithms - Hachtel, Somenzi - 1996
Citation context: ...ad of simultaneously. Extracting a simple correction is similar to multi-level logic synthesis in the presence of satisfiability don’t cares and may be amenable to multi-level minimization techniques [59]; the problem of finding the smallest expression for a given relation is NP-hard by reduction from 3SAT. One optimization we may attempt is to vary the order of the A_j, but in our experience, the sug...

136 | On observability of discrete-event systems - Lin, Wonham - 1988

135 | A spectrum of logical definitions of model-based diagnosis - Console, Torasso - 1991
Citation context: ...xtended to functional programs [31], hardware description languages [32], and object oriented programs [33]. Model based diagnosis comes in two flavors: abduction-based and consistency-based diagnosis [34]. Abduction-based diagnosis [35] assumes that the set of fault models is enumerated, i.e., it is known in which ways a component can fail. Using these fault models, it tries to find a component of the...

133 | Theorist: A logical reasoning system for defaults and diagnosis - Poole, Goebel, et al. - 1987
Citation context: ...31], hardware description languages [32], and object oriented programs [33]. Model based diagnosis comes in two flavors: abduction-based and consistency-based diagnosis [34]. Abduction-based diagnosis [35] assumes that the set of fault models is enumerated, i.e., it is known in which ways a component can fail. Using these fault models, it tries to find a component of the model and a corresponding fault...

126 | VIS: A system for verification and synthesis - Brayton, Hachtel, et al. - 1996
Citation context: ... possible. 7 Examples. In this section we present experiments that demonstrate the applicability of our approach using examples on the source level. We have implemented our algorithm on top of VIS-2.1 [63]. We turn our examples into games by instrumenting them using a simple Perl script. The game constructed from a program proceeds as follows. First, the system decides which component is faulty. Next, ...

115 | From symptom to cause: localizing errors in counterexample traces - Ball, Naik, et al. - 2003

110 | Efficient Büchi automata from LTL Formulae - Somenzi, Bloem - 2000
Citation context: ...cs to reduce the number of nondeterministic states in the automaton [50], or we can use a restricted subset of LTL. Maidl [51] shows that translations in the style of [52] (of which we use a variant, [53]) yield deterministic automata for the formulas in the set LTL_det, which is defined as follows: If ϕ1 and ϕ2 are LTL_det formulas, and p is a predicate, then p, ϕ1 ∧ ϕ2, Xϕ1, (p ∧ ϕ1) ∨ (¬p ∧ ϕ2), (p ∧ ϕ...

86 | What went wrong: Explaining counterexamples - Groce, Visser - 2003
Citation context: ...rumented versions of the examples are available at: http://www.ist.tugraz.at/verify/view/Projects/FindAndFix. 7.1 Locking Example. Fig. 10 shows an abstract program that realizes simple lock operations [64,16]. Nondeterministic choices in the program are represented by *. The specification should hold regardless of the nondeterministic choices taken, and thus the program abstracts a set of concrete program...

78 | Logic, arithmetic and automata - Church - 1963

77 | Reasoning about infinite computation paths - Wolper, Vardi, et al. - 1983
Citation context: ...uch games, we will write B for F. We can convert an LTL formula ϕ over the set of atomic propositions AP to a Büchi game A = (Q, q0, 2^AP, C, δ, λ, B) such that I(A) is the set of words satisfying ϕ [46,47]. The system choice C models the nondeterminism of the automaton. The size of the resulting automaton is exponential in the length of the formula in the worst case. (See [44] for an introduction.) 3.4...

65 | Model-based diagnosis of hardware designs - Friedrich, Stumptner, et al. - 1999
Citation context: ...or that is inconsistent with the behavior of the program. The reasoning is performed on the faulty program. This approach has been extended to functional programs [31], hardware description languages [32], and object oriented programs [33]. Model based diagnosis comes in two flavors: abduction-based and consistency-based diagnosis [34]. Abduction-based diagnosis [35] assumes that the set of fault model...

63 | VIS: A system for verification and synthesis - Brayton et al. - 1996

62 | Error explanation with distance metrics - Groce, Chaki, et al. - 2006
Citation context: ...ogram that are likely to be involved in the failure. The selection of the traces is crucial and the methods to select them range from user provided traces to automated computation of similar runs. In [19], Groce et al. show how to generate a successful trace that is close to a given counterexample with respect to a distance metric. They use a SAT based model checker, which generates a propositional fo...

53 | Efficient generation of counterexamples and witnesses in symbolic model checking (32nd Design Automation Conference, DAC’95) - Clarke, Grumberg, et al. - 2005
Citation context: ...rent approaches to make debugging easier. One approach is to make the “failure-inducing input” easier to understand. In the setting of model checking, this has been a concern all along. For instance, [10] and [11] consider generating short counterexamples as these are likely to be easier to read. More recently, [12] proposes a method to remove irrelevant variables from a counterexample derived using b...

53 | Combinatorial sketching for finite programs - Solar-Lezama, Tancau, et al. - 2006
Citation context: ...ng the repair process. Janjua and Mycroft [28] describe how to automatically insert synchronization statements in a multithreaded program in order to prevent bugs due to an unfortunate scheduling. In [29], a C-like language is presented in which programs can be sketched: unknown constants can be represented by ??. A synthesizer then completes the sketch to adhere to a specification. 2.3 Model Based ...

51 | An algorithm for strongly connected component analysis in n log n symbolic steps - Bloem, Gabow, et al. - 2000
Citation context: ...king [60,61], a symbolic implementation needs a quadratic number of preimage computations to compute the winning region of a Büchi game. (The number of preimages is an important measure of complexity [62].) For invariants, model checking and correction both need a linear number of preimage computations. Thus, the time complexity of our algorithm matches that of LTL model checking, both in terms of ...

48 | Software inspection using CodeSurfer - Anderson, Teitelbaum - 2001
Citation context: ...eported in the tool and the lines where the faults were introduced. Higher numbers are better and reflect a small amount of lines that have to be searched before reaching the fault. We use CodeSurfer [69] to generate the PDG; the score is computed using code provided by Manos Renieris. The approach performs very well for all of the examples used in [19]. The score for all five examples is higher than...

41 | The common fragment of CTL and LTL - Maidl - 2000
Citation context: ... possible is EXPSPACE [49]. To prevent this blowup, we can either use heuristics to reduce the number of nondeterministic states in the automaton [50], or we can use a restricted subset of LTL. Maidl [51] shows that translations in the style of [52] (of which we use a variant, [53]) yield deterministic automata for the formulas in the set LTL_det, which is defined as follows: If ϕ1 and ϕ2 are LTL_det...

39 | A comparative study of symbolic algorithms for the computation of fair cycles - Ravi, Bloem, et al. - 2000
Citation context: ...analysis remains valid for any fixed number of simultaneous faults, it is exponential in the number of simultaneous faults.) Like the Emerson-Lei algorithm, which is typically used for model checking [60,61], a symbolic implementation needs a quadratic number of preimage computations to compute the winning region of a Büchi game. (The number of preimages is an important measure of complexity [62].) For i...

39 | Reducing BDD size by exploiting functional dependencies - Hu, Dill - 1993
Citation context: ...before computing a strategy. It would also be interesting to examine to what extent we can minimize the negative effects of using a finite state strategy, e.g., by using a dependent variable analysis [71] to minimize the amount of added state. The corrections produced by our approach are Boolean expressions. Although such corrections are very readable when it comes to control logic, they are not well ...

38 | Program repair as a game - Jobstmann, Bloem - 2005
Citation context: ...its complexity is comparable to that of model checking in Section 6.3. We have implemented the algorithm in VIS and we present our experience with the algorithm in Section 7. This article is based on [7], [8], and [9]. 2 Related Work. 2.1 Understanding Failure. Researchers have taken different approaches to make debugging easier. One approach is to make the “failure-inducing input” easier to understand...

37 | Debugging sequential circuits using Boolean satisfiability - Ali, Veneris, et al.
Citation context: ... Fig. 1. Simple circuit. The initial state is D0=0, D1=0. Fig. 2. Unrolling of circuit in Fig. 1 [38]. (Although alternatives are possible [39].) Fahim Ali et al. [40], for example, present a SAT-based method for consistency-based diagnosis that is based on this principle. Instead of using “faulty” predicates, they use multiplexers with one free input. Consistency-...

37 | An automata-theoretic approach to fair realizability and synthesis - Vardi - 1995

36 | Optimizations for LTL synthesis - Jobstmann, Bloem

30 | Fate and free will in error traces - Jin, Ravi, et al. - 2002

29 | Minimal Assignments for Bounded Model Checking - Ravi, Somenzi
Citation context: ...nd. In the setting of model checking, this has been a concern all along. For instance, [10] and [11] consider generating short counterexamples as these are likely to be easier to read. More recently, [12] proposes a method to remove irrelevant variables from a counterexample derived using bounded model checking. Similarly, in the setting of software testing, Zeller and Hildebrandt [13] consider the pr...

29 | Debugging Functional Programs - Stumptner, Wotawa - 1999
Citation context: ...sistency-based reasoning has weaknesses when multiple instances of a component appear: components may be reported as diagnoses, although no consistent repair exists. (A similar observation is made in [41] for multiple test cases.) Hamscher and Davis [42] show that consistency-based diagnosis is indiscriminate in the sequential case. For instance, if dropping the constraints of a component removes any ...

26 | Automating the diagnosis and rectification of design errors - Madre, Coudert - 1989

26 | Model-based diagnosis meets error diagnosis in logic programs - Console, Friedrich, et al. - 1993
Citation context: ...h with model based diagnosis, as it is one of the few systematic approaches to fault localization. Model based diagnosis originates with the localization of faults in physical systems. Console et al. [30] show its applicability to fault localization in logic programs. In model based diagnosis, a correct model is not assumed to exist. Rather, an oracle provides an example of correct behavior that is in...

26 | Automatic fault localization for property checking - Fey, Staber, et al. - 2008
Citation context: ...all occurrences of a given component ... Fig. 1. Simple circuit. The initial state is D0=0, D1=0. Fig. 2. Unrolling of circuit in Fig. 1 [38]. (Although alternatives are possible [39].) Fahim Ali et al. [40], for example, present a SAT-based method for consistency-based diagnosis that is based on this principle. Instead of using “faulty” p...

25 | A Tool for Checking ANSI-C Programs (Tools and Algorithms for the Construction and Analysis) - Clarke, Kroening, et al. - 2004
Citation context: ...e for the Verilog example is reduced to 8 bit. Verification that these changes do not change the relevant behavior of the correct and faulty versions of TCAS is performed using the CBMC model checker [68] on appropriately modified versions of the C code. As our tool reports repairs as Boolean expressions, arbitrary repairs on the data path are hard to recognize by the human user. (See also future w...

24 | “More deterministic” vs. “smaller” Büchi automata for efficient LTL model checking - Sebastiani, Tonetta
Citation context: ...nown upper bound for deciding whether a translation is possible is EXPSPACE [49]. To prevent this blowup, we can either use heuristics to reduce the number of nondeterministic states in the automaton [50], or we can use a restricted subset of LTL. Maidl [51] shows that translations in the style of [52] (of which we use a variant, [53]) yield deterministic automata for the formulas in the set LTL_det, ...