Abstract
In model checking, when a model fails to satisfy the desired specification, a typical model checker provides a counterexample that illustrates how the violation occurs. In general, there exist many diverse counterexamples that exhibit distinct violating behaviors, which the user may wish to examine before deciding how to repair the model. Unfortunately, (1) the number of counterexamples may be too large to enumerate one by one, and (2) many of these counterexamples are redundant, in that they describe the same type of violating behavior. In this paper, we propose a technique called counterexample classification. The goal of classification is to cover the space of all counterexamples into a finite set of counterexample classes, each of which describes a distinct type of violating behavior for the given specification. These classes are then presented as a summary of possible violating behaviors in the system, freeing the user from manually having to inspect or analyze numerous counterexamples to extract the same information. We have implemented a prototype of our technique on top of an existing formal modeling and verification tool, the Alloy Analyzer, and evaluated the effectiveness of the technique on case studies involving the well-known Needham–Schroeder and TCP protocols with promising results.
Data availability statement
All of the material needed to reproduce the results from the paper is freely available in the Zenodo artifact published here: https://zenodo.org/record/7095162#.ZD7NS-zMJQI.
Notes
The traces in this section have labels, i.e., Messages on their transitions. We do this to make it clear how messages are sent and how different messages affect the state. Our formal definition will not include labels, as they may be encoded directly into the state.
As an example where this happens, recall in the increment-decrement example from Sect. 3.3 how the single predicate lessThanOne could not classify all violating behavior.
The high-level algorithm shown is simplified as it only deals with unary predicates, but this technique can be extended to n-ary predicates. Our implementation is able to generate facts for predicates with an arbitrary number of arguments.
Our tool allows users to toggle checking for redundancy as a user may want to inspect all generated classes, even if some may be redundant.
Note that the newest trace constraint is never redundant because of the \({\textsf{block}}\) procedure.
The Alloy models and code for our tool can be found at https://github.com/cvick32/CounterexampleClassificiation.
Times were measured using the Java built-in System.nanoTime().
Communicated by Antonio Cerone and Frank de Boer.
This work has been supported by the National Science Foundation under NSF SaTC award CNS-1801546.
Vick, C., Kang, E. & Tripakis, S. Counterexample classification. Softw Syst Model 23, 455–472 (2024). https://doi.org/10.1007/s10270-023-01118-0