Results 1-10 of 19
Error Explanation with Distance Metrics
In Tools and Algorithms for the Construction and Analysis of Systems, 2004
Abstract
Cited by 83 (8 self)
In the event that a system does not satisfy a specification, a model checker will typically automatically produce a counterexample trace that shows a particular instance of the undesirable behavior.
Counterexample generation in probabilistic model checking
 IEEE Trans. on Software Engineering
Abstract
Cited by 33 (9 self)
Providing evidence for the refutation of a property is an essential, if not the most important, feature of model checking. This paper considers algorithms for counterexample generation for probabilistic CTL formulas in discrete-time Markov chains. Finding the strongest evidence (i.e., the most probable path) violating a (bounded) until-formula is shown to be reducible to a single-source (hop-constrained) shortest path problem. Counterexamples of smallest size that deviate most from the required probability bound can be obtained by applying (small amendments to) k-shortest (hop-constrained) paths algorithms. These results can be extended to Markov chains with rewards, to LTL model checking, and are useful for Markov decision processes. Experimental results show that, typically, the size of a counterexample is excessive. To obtain much more compact representations, we present a simple algorithm to generate (minimal) regular expressions that can act as counterexamples. The feasibility of our approach is illustrated by means of two communication protocols: leader election in an anonymous ring network and the Crowds protocol. Index Terms—Diagnostic feedback, Markov chain, model checking, regular expression, shortest path.
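The reduction the abstract describes, worked on a small example: the strongest evidence for a bounded until-formula is the most probable witness path (a hop-constrained single-source shortest path problem once transition probabilities are turned into -log p weights), and a smallest counterexample for P<=bound is the fewest most-probable witness paths whose mass exceeds the bound. The block below is an added illustration written for this listing, not code from the paper or its authors. The five-state DTMC, the state names, the until-formula phi U<=3 psi and the bounds 0.5 and 0.7 are all constructed, and witness paths are enumerated by brute-force DFS rather than by the paper's k-shortest-paths algorithms.

```python
# Added illustration for this listing, not the paper's own code.
# Constructed toy DTMC: state -> {successor: probability}.  Rows sum to 1.
DTMC = {
    "s0": {"s1": 0.6, "s2": 0.4},
    "s1": {"s3": 0.5, "s4": 0.5},
    "s2": {"s3": 0.9, "s0": 0.1},
    "s3": {"s3": 1.0},   # target, absorbing
    "s4": {"s4": 1.0},   # failure sink, outside phi
}
# Constructed property: P<=bound [ phi U<=hops psi ] from s0, where phi is
# "not yet stuck" and psi is "target reached".
PHI = {"s0", "s1", "s2"}
PSI = {"s3"}


def bounded_until_prob(dtmc, phi, psi, hops, start):
    """Probability that a run from `start` satisfies phi U<=hops psi,
    by the standard backward value iteration over `hops` steps."""
    p = {s: (1.0 if s in psi else 0.0) for s in dtmc}
    for _ in range(hops):
        new = {}
        for s in dtmc:
            if s in psi:
                new[s] = 1.0
            elif s in phi:
                new[s] = sum(pr * p[t] for t, pr in dtmc[s].items())
            else:
                new[s] = 0.0
        p = new
    return p[start]


def strongest_evidence(dtmc, phi, psi, hops, start):
    """Most probable witness path for phi U<=hops psi from `start`.
    Layer k holds, per state, the best path of exactly k transitions that
    has stayed inside phi.  Maximising the product of probabilities is the
    hop-constrained shortest path problem under edge weights -log p."""
    layer = {start: (1.0, [start])}
    best = (0.0, None)
    for _ in range(hops + 1):
        for s, (pr, path) in layer.items():
            if s in psi and pr > best[0]:
                best = (pr, path)
        nxt = {}
        for s, (pr, path) in layer.items():
            if s in psi or s not in phi:
                continue  # witnesses stop at psi; leaving phi kills the path
            for t, ptr in dtmc[s].items():
                if (t in phi or t in psi) and pr * ptr > nxt.get(t, (0.0,))[0]:
                    nxt[t] = (pr * ptr, path + [t])
        layer = nxt
    return best


def witness_paths(dtmc, phi, psi, hops, start):
    """All finite witness paths as (prob, path), most probable first.
    Brute-force DFS: fine for a toy model, exponential in general, which is
    why the paper resorts to k-shortest-paths algorithms."""
    out = []

    def dfs(path, pr):
        s = path[-1]
        if s in psi:
            out.append((pr, list(path)))
        elif s in phi and len(path) - 1 < hops:
            for t, ptr in dtmc[s].items():
                path.append(t)
                dfs(path, pr * ptr)
                path.pop()

    dfs([start], 1.0)
    return sorted(out, key=lambda e: -e[0])


def smallest_counterexample(dtmc, phi, psi, hops, start, bound):
    """Refute P<=bound [phi U<=hops psi]: take witness paths in decreasing
    probability until their mass exceeds `bound`.  Returns that path set
    (its first element is the strongest evidence), or None when the property
    holds and there is nothing to refute."""
    chosen, mass = [], 0.0
    for pr, path in witness_paths(dtmc, phi, psi, hops, start):
        chosen.append((pr, path))
        mass += pr
        if mass > bound:
            return chosen
    return None


if __name__ == "__main__":
    print("P(s0 |= phi U<=3 psi) =", bounded_until_prob(DTMC, PHI, PSI, 3, "s0"))
    print("strongest evidence:", strongest_evidence(DTMC, PHI, PSI, 3, "s0"))
    print("counterexample for P<=0.5:", smallest_counterexample(DTMC, PHI, PSI, 3, "s0", 0.5))
    print("counterexample for P<=0.7:", smallest_counterexample(DTMC, PHI, PSI, 3, "s0", 0.7))
```

On the constructed chain the bounded-until probability from s0 is 0.66, so P<=0.5 is refuted by two paths (s0 s2 s3 with mass 0.36, then s0 s1 s3 with 0.30) while P<=0.7 holds and yields no counterexample; the abstract's observation that real counterexamples are "excessive" in size comes from the same accumulation having to cover far more mass on protocol-sized models.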
Counterexamples in probabilistic model checking
In: Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 13th International Conference, 2007
A game-based framework for CTL counterexamples and 3-valued abstraction-refinement
In Computer Aided Verification (CAV), LNCS 2725, 2003
Abstract
Cited by 26 (6 self)
This work exploits and extends the game-based framework of CTL model checking for counterexample and incremental abstraction-refinement. We define a game-based CTL model checking for abstract models over the 3-valued semantics, which can be used for verification as well as refutation. The model checking may end with an indefinite result, in which case we suggest a new notion of refinement, which eliminates indefinite results of the model checking. This provides an iterative abstraction-refinement framework. It is enhanced by an incremental algorithm, where refinement is applied only where indefinite results exist and definite results from prior iterations are used within the model checking algorithm. We also define the notion of annotated counterexamples, which are sufficient and minimal counterexamples for full CTL. We present an algorithm that uses the game board of the model checking game to derive an annotated counterexample in case the examined system model refutes the checked formula.
Making the Most of BMC Counterexamples
2004
Abstract
Cited by 19 (4 self)
The value of model checking counterexamples for debugging programs (and specifications) is widely recognized. Unfortunately, bounded model checkers often produce counterexamples that are difficult to understand due to the values chosen by a SAT solver. This paper presents two approaches to making better use of BMC counterexamples. The first contribution is a new notion of counterexample minimization that minimizes values with respect to the type system of the language being model checked, rather than at the level of SAT variables. Greedy and optimal approaches to the minimization problem are presented and compared. The second contribution extends a BMC-based error explanation approach to automatically hypothesize causes for the error in a counterexample. These hypotheses (in terms of relationships between variables) can be automatically checked to determine if a causal dependence exists. Experimental results show that causes can be automatically determined for errors in interesting ANSI C programs.
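To make the greedy-versus-optimal distinction in the first contribution concrete: the block below is an added illustration written for this listing, not the paper's tool or its algorithm. It minimises integer values toward 0 (a type-level notion of "simplest" value) rather than toward whatever the SAT solver happened to pick, and it stands in for the model checker with a constructed predicate `triggers_error` that says whether a candidate assignment still reproduces the failure; in practice that check is a re-run of BMC with the candidate values pinned. The variable names, the failure condition and the solver-chosen starting values are all made up.

```python
# Added illustration, not code from the paper.  The "model checker" is a
# stand-in: a constructed predicate over a candidate assignment that says
# whether the error still occurs.  A real minimiser would re-run BMC with
# the candidate values pinned and ask for a counterexample.
from itertools import product


def triggers_error(cex):
    """Constructed failure condition: the 'bug' fires when x*y exceeds 100."""
    return cex["x"] * cex["y"] > 100


# Constructed SAT-solver-style counterexample: arbitrary, hard-to-read values.
SOLVER_CEX = {"x": 937, "y": 301}


def int_candidates(current):
    """Integer values in order of increasing distance from 0 (the 'simplest'
    int under a type-aware metric), up to the current value's distance."""
    yield 0
    for d in range(1, abs(current) + 1):
        yield d
        yield -d


def distance(cex):
    """Type-level distance of an assignment from the all-zero assignment."""
    return sum(abs(v) for v in cex.values())


def greedy_minimize(cex, still_fails):
    """Per variable, take the closest-to-zero value that still reproduces
    the error, holding the other variables fixed.  One cheap pass, but it
    can stop at a local optimum because it never revisits an earlier choice."""
    out = dict(cex)
    for var in sorted(out):
        for v in int_candidates(out[var]):
            trial = dict(out, **{var: v})
            if still_fails(trial):
                out[var] = v
                break
    return out


def optimal_minimize(cex, still_fails, radius):
    """Global optimum within a box of +-radius around zero, by exhaustive
    search.  Exponential in the number of variables; it exists here only to
    show the gap the greedy pass can leave."""
    names = sorted(cex)
    best, best_d = None, None
    for values in product(range(-radius, radius + 1), repeat=len(names)):
        trial = dict(zip(names, values))
        d = distance(trial)
        if (best_d is None or d < best_d) and still_fails(trial):
            best, best_d = trial, d
    return best


if __name__ == "__main__":
    g = greedy_minimize(SOLVER_CEX, triggers_error)
    o = optimal_minimize(SOLVER_CEX, triggers_error, radius=30)
    print("solver :", SOLVER_CEX, "distance", distance(SOLVER_CEX))
    print("greedy :", g, "distance", distance(g))
    print("optimal:", o, "distance", distance(o))
```

Starting from x=937, y=301 the greedy pass first shrinks x to 1 (since 1*301 still fails) and is then forced to keep y at 101, for a total distance of 102; the exhaustive search finds an assignment of distance 21 (|x|+|y| = 21 is the smallest that allows x*y > 100). That gap is the trade-off the abstract's comparison is about: the greedy pass costs one re-check per candidate value, the optimal one costs a search over the joint space.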
A Framework for Counterexample Generation and Exploration
In Proceedings of Fundamental Approaches to Software Engineering (FASE’05), volume 3442 of LNCS, 2005
Abstract
Cited by 16 (4 self)
Model-checking is becoming an accepted technique for debugging hardware and software systems. Debugging is based on the “Check / Analyze / Fix” loop: check the system against a desired property, producing a counterexample when the property fails to hold; analyze the generated counterexample to locate the source of the error; fix the flawed artifact – the property or the model. The success of model-checking nontrivial systems critically depends on making this Check / Analyze / Fix loop as tight as possible. In this paper, we concentrate on the Analyze part of the debugging loop. To this end, we present a framework for generating, structuring and exploring counterexamples either interactively or with the help of user-specified strategies.
Temporal Logic Query Checking: A Tool for Model Exploration
IEEE Transactions on Software Engineering, 2003
Abstract
Cited by 13 (5 self)
Temporal logic query checking was first introduced by W. Chan in order to speed up design understanding by discovering properties not known a priori. A query is a temporal logic formula containing a special symbol ?1, known as a placeholder. Given a Kripke structure and a propositional formula φ, we say that φ satisfies the query if replacing the placeholder by φ results in a temporal logic formula satisfied by the Kripke structure. A solution to a temporal logic query on a Kripke structure is the set of all propositional formulas that satisfy the query. Query checking helps discover temporal properties of a system and, as such, is a useful tool for model exploration. In this paper, we show that query checking is applicable to a variety of model exploration tasks, ranging from invariant computation to test case generation. We illustrate these using a Cruise Control System. Additionally, we show that query checking is an instance of a multi-valued model checking of Chechik et al. This approach enables us to build an implementation of a temporal logic query checker, TLQSolver, on top of our existing multi-valued model checker χChek. It also allows us to decide a large class of queries and introduce witnesses for temporal logic queries—an essential notion for effective model exploration.
TLQSolver: A Temporal Logic Query Checker
In Proc. of CAV’03, volume 2725 of LNCS, 2003
Generating Counterexamples for Multi-Valued Model-Checking
In Proceedings of Formal Methods Europe (FME’03), 2003
Abstract
Cited by 9 (5 self)
Counterexamples explain why a desired temporal logic property fails to hold, and as such are considered to be the most useful form of output from model-checkers. Multi-valued model-checking, introduced in [4], is an extension of classical model-checking. Instead of classical logic, it operates on elements of a given De Morgan algebra, e.g. the Kleene algebra [13]. Multi-valued model-checking has been used in a number of applications, primarily when reasoning about partial [2] and inconsistent [10] systems. In this paper we show how to generate counterexamples for multi-valued model-checking. We describe the proof system for a multi-valued variant of CTL, and discuss how to use it to generate counterexamples.
Multi-Valued Symbolic Model-Checking: Fairness, Counter-Examples, Running Time
2003
Abstract
Cited by 8 (7 self)
Multi-valued model-checking is an effective technique for reasoning about systems with incomplete or inconsistent information. In particular, it is well suited for reasoning about abstract, partial, and feature-based system descriptions. The technique is based on extending the classical model-checking algorithm over two-valued logic to arbitrary finite logics whose truth values form a distributive De Morgan lattice. In this thesis we address several issues surrounding the usability of multi-valued model-checking. Firstly, we provide an improved analysis of the worst-case complexity of the symbolic multi-valued model-checking algorithm, and show that it is independent of the height of the lattice. Secondly, we extend the notion of fairness to multi-valued models, thus enabling application of multi-valued model-checking to asynchronous concurrent systems. Thirdly, we introduce multi-valued witnesses and counterexamples that aid in interpreting the results of the model-checker. Finally, we describe the design and implementation of a multi-valued model-checker χChek.