Making the Most of BMC Counterexamples

Groce, Alex; Kroening, Daniel

doi:10.1016/j.entcs.2004.12.023

Cited by 48 publications

(26 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The algorithm was able to greatly reduce bug traces in Mozilla, which is a popular web browser. A recent contribution that draws upon counterexamples found by model checking is by Groce and Kroening [9]. Their solution focuses on minimizing a trace with respect to the primitive constructs available in the language used to describe the hardware or software system and on trying to highlight the causes of the error in the counterexample to produce a simplified trace that is more understandable by a software designer.…”

Section: Techniques In Software Verificationmentioning

confidence: 99%

Simulation-Based Bug Trace Minimization With BMC-Based Refinement

Chang

Bertacco

Markov

2007

IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.

View full text Add to dashboard Cite

Abstract-Finding the cause of a bug can be one of the most time-consuming activities in design verification. This is particularly true in the case of bugs discovered in the context of a random-simulation-based methodology, where bug traces, or counterexamples, may be several hundred thousand cycles long. In this paper, BUg TRAce MINimization (Butramin), which is a bug trace minimizer, is proposed. Butramin considers a bug trace produced by a random simulator or semiformal verification software and produces an equivalent trace of shorter length. Butramin applies a range of minimization techniques, deploying both simulation-based and formal methods, with the objective of producing highly reduced traces that still expose the original bug. Butramin was evaluated on a range of designs, including the publicly available picoJava microprocessor, and bug traces up to one million cycles long. Experiments show that in most cases, Butramin is able to reduce traces to a very small fraction of their initial sizes, in terms of cycle length and signals involved. The minimized traces can greatly facilitate bug analysis and reduce regression runtime.

show abstract

Section: Techniques In Software Verificationmentioning

confidence: 99%

Simulation-Based Bug Trace Minimization With BMC-Based Refinement

Chang

Bertacco

Markov

2007

IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.

View full text Add to dashboard Cite

show abstract

“…Finding the shortest bad prefix for safety formulae can be done in parallel, using the (doubly exponential) method proposed in [17]. The solution to the second problem is left as future work; for approaches and more references see [13].…”

Section: Shortest Counterexamples For Pltlbmentioning

confidence: 99%

Shortest Counterexamples for Symbolic Model Checking of LTL with Past

Schuppan

Biere

2005

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

Abstract. Shorter counterexamples are typically easier to understand. The length of a counterexample, as reported by a model checker, depends on both the algorithm used for state space exploration and the way the property is encoded. We provide necessary and sufficient criteria for a Büchi automaton to accept shortest counterexamples. We prove that Büchi automata constructed using the approach of Clarke, Grumberg, and Hamaguchi accept shortest counterexamples of future time LTL formulae, while an automaton generated with the algorithm of Gerth et al. (GPVW) may lead to unnecessary long counterexamples. Optimality is lost in the first case as soon as past time operators are included. Adapting a recently proposed encoding for bounded model checking of LTL with past, we construct a Büchi automaton that accepts shortest counterexamples for full LTL. We use our method of translating liveness into safety to find shortest counterexamples with a BDD-based symbolic model checker without modifying the model checker itself. Though our method involves a quadratic blowup of the state space, it outperforms SAT-based bounded model checking on a number of examples.

show abstract

“…They isolate parts of a counterexample that do not occur on feasible traces. Groce et al [7][8][9] use causal dependencies (see, e.g. [2]) and distance metrics for program executions to find minimal abstractions of error traces.…”

Section: Introductionmentioning

confidence: 99%

“…A common approach to fault localization is to compare failing with successful executions (e.g., [1,7,8,14,15,17,19,20]). These approaches differ in the way the failing and successful executions are obtained, the way they compare executions, and in the information they report to the user.…”

Section: Introductionmentioning

confidence: 99%

Flow-Sensitive Fault Localization

Christ

Ermis

Schäf³

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Identifying the cause of an error is often the most timeconsuming part in program debugging. Fault localization techniques can help to automate this task. Particularly promising are static proof-based techniques that rely on an encoding of error traces into trace formulas. By identifying irrelevant portions of the trace formula, the possible causes of the error can be isolated. One limitation of these approaches is that they do not take into account the control flow of the program and therefore miss common causes of errors, such as faulty branching conditions. This limitation is inherent to the way the error traces are encoded. In this paper, we present a new flow-sensitive encoding of error traces into trace formulas. The new encoding enables proof-based techniques to identify irrelevant conditional choices in an error trace and to include a justification for the truth value of branching conditions that are relevant for the localized cause of an error. We apply our new encoding to the fault localization technique based on error invariants and show that it produces more meaningful error explanations than previous approaches.

show abstract

Making the Most of BMC Counterexamples

Cited by 48 publications

References 25 publications

Simulation-Based Bug Trace Minimization With BMC-Based Refinement

Simulation-Based Bug Trace Minimization With BMC-Based Refinement

Shortest Counterexamples for Symbolic Model Checking of LTL with Past

Flow-Sensitive Fault Localization

Contact Info

Product

Resources

About