From symptom to cause: localizing errors in counterexample traces

ABSTRACT
There is significant room for improving users' experiences with model checking tools. An error trace produced by a model checker can be lengthy and is indicative of a symptom of an error. As a result, users can spend considerable time examining an error trace in order to understand the cause of the error. Moreover, even state-of-the-art model checkers provide an experience akin to that provided by parsers before syntactic error recovery was invented: they report a single error trace per run. The user has to fix the error and run the model checker again to find more error traces. We present an algorithm that exploits the existence of correct traces in order to localize the error cause in an error trace, report a single error trace per error cause, and generate multiple error traces having independent causes. We have implemented this algorithm in the context of SLAM, a software model checker that automatically verifies temporal safety properties of C programs, and report on our experience using it to find and localize errors in device drivers. The algorithm typically narrows the location of a cause down to a few lines, even in traces consisting of hundreds of statements.
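As an added illustration (constructed here, not SLAM's code or the paper's implementation), the following Python toy models the abstract's key idea on a hand-built finite-state graph: it assumes the cause of an error trace is the set of its transitions that occur in no correct trace, halts those transitions, and re-runs to find error traces with independent causes. The graph, the transition names and the "halt and re-run" loop are assumptions of this example.

```python
# Constructed toy model: the cause of an error trace is the part of it that no
# correct trace shares; halting that cause and re-running yields further error
# traces whose causes are independent of the ones already reported.
# Edges are (source, target, transition id); "ok" and "err" are terminal nodes.
MODEL = [
    ("start", "I", "t0:check_irp"),
    ("I", "A", "t1:acquire"),
    ("A", "B", "t2:status==0"),
    ("A", "C", "t3:status!=0"),
    ("B", "D", "t4:copy_data"),
    ("C", "D", "t5:log_error"),
    ("D", "E", "t6:release"),
    ("D", "err", "t7:return_holding_lock"),
    ("E", "G", "t8:acquire_again"),
    ("G", "err", "t9:double_acquire"),
    ("E", "ok", "t10:return"),
]

def traces(edges, start="start"):
    """All acyclic paths from start to a terminal, as (terminal, [transition ids])."""
    found = []
    def walk(node, path, seen):
        if node in ("ok", "err"):
            found.append((node, path))
            return
        for src, dst, tid in edges:
            if src == node and dst not in seen:
                walk(dst, path + [tid], seen | {dst})
    walk(start, [], {start})
    return found

def localize(error_trace, correct_traces):
    """Cause = transitions of the error trace that occur in no correct trace."""
    shared = set().union(*correct_traces)
    return [t for t in error_trace if t not in shared]

def independent_causes(edges):
    """One (error trace, cause) per cause: halt the cause's transitions, re-run."""
    reports, halted = [], set()
    while True:
        live = [e for e in edges if e[2] not in halted]
        paths = traces(live)
        correct = [p for end, p in paths if end == "ok"]
        errors = [p for end, p in paths if end == "err"]
        if not errors:
            return reports
        cause = localize(errors[0], correct)
        reports.append((errors[0], cause))
        if not cause:  # every step also occurs in some correct trace; nothing to halt
            return reports
        halted |= set(cause)
```

On this model the first report narrows a seven-step error trace to the two transitions of the double acquire, and the second collapses both "return holding lock" traces into a single report whose cause is the one offending transition.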