Skip to main content
SpringerLink
Log in

Counterexample classification

  • Special Section Paper
  • Published:
Software and Systems Modeling Aims and scope Submit manuscript

Abstract

In model checking, when a model fails to satisfy the desired specification, a typical model checker provides a counterexample that illustrates how the violation occurs. In general, there exist many diverse counterexamples that exhibit distinct violating behaviors, which the user may wish to examine before deciding how to repair the model. Unfortunately, (1) the number of counterexamples may be too large to enumerate one by one, and (2) many of these counterexamples are redundant, in that they describe the same type of violating behavior. In this paper, we propose a technique called counterexample classification. The goal of classification is to cover the space of all counterexamples into a finite set of counterexample classes, each of which describes a distinct type of violating behavior for the given specification. These classes are then presented as a summary of possible violating behaviors in the system, freeing the user from manually having to inspect or analyze numerous counterexamples to extract the same information. We have implemented a prototype of our technique on top of an existing formal modeling and verification tool, the Alloy Analyzer, and evaluated the effectiveness of the technique on case studies involving the well-known Needham–Schroeder and TCP protocols with promising results.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Algorithm 1
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Similar content being viewed by others

Data availability statement

All of the material needed to reproduce the results from the paper are freely available in the Zenodo artifact published here: https://zenodo.org/record/7095162#.ZD7NS-zMJQI.

Notes

  1. The traces in this section have labels, i.e., Message s on their transitions. We do this to make it clear how messages are sent and how different messages affect the state. Our formal definition will not include labels as they may be encoded directly into the state.

  2. As an example where this happens, recall in the increment-decrement example from Sect. 3.3 how the single predicate lessThanOne could not classify all violating behavior.

  3. The high-level algorithm shown is simplified as it only deals with unary predicates, but this technique can be extended to n-ary predicates. Our implementation is able to generate facts for predicates with an arbitrary number of arguments.

  4. Our tool allows users to toggle checking for redundancy as a user may want to inspect all generated classes, even if some may be redundant.

  5. Note that the newest trace constraint is never redundant because of the \({\textsf{block}}\) procedure.

  6. The Alloy models and code for our tool can be found at https://github.com/cvick32/CounterexampleClassificiation.

  7. Times were measured using the Java built-in System.nano Time().

References

  1. Ball, T., Naik, M., Rajamani, S.K.: From symptom to cause: localizing errors in counterexample traces. In: Proceedings of the 30th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL’03, pp. 97–105. Association for Computing Machinery, New York, NY, USA, January 2003

  2. Barrett, C., Fontaine, P., Tinelli, C.: The satisfiability modulo theories library (SMT-LIB). www.SMT-LIB.org (2016)

  3. Beer, I., Ben-David, S., Chockler, H., Orni, A., Trefler, R.: Explaining counterexamples using causality. In: A Bouajjani, A., Maler, O. (eds.) Computer Aided Verification, Lecture Notes in Computer Science, pp. 94–108. Springer: Berlin (2009)

  4. Chechik, M., Gurfinkel, A.: A framework for counterexample generation and exploration. In: FASE, pp. 220–236 (2005)

  5. Christiansen, H., Dahl, V.: Hyprolog: a new logic programming language with assumptions and abduction. In: ICLP, pp. 159–173 (2005)

  6. Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, POPL ’77, pp. 238–252. Association for Computing Machinery, New York, NY, USA, January 1977

  7. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) Tools and Algorithms for the Construction and Analysis of Systems. Lecture Notes in Computer Science, pp. 337–340. Springer, Berlin (2008)

  8. Denning, D.E., Sacco, G.M.: Timestamps in key distribution protocols. Commun. ACM 24(8), 533–536 (1981)

    Article  Google Scholar 

  9. Dominguez, A., Day, N., Cheriton: generating multiple diverse counterexamples for an EFSM (2013)

  10. Gomes, C.P., Sabharwal, A., Selman, B.: Chapter 25. Model counting. In: Biere, A., Heule, M., Van Maaren, H., Walsh, T. (eds.) Frontiers in Artificial Intelligence and Applications. IOS Press, Amsterdam (2021)

    Google Scholar 

  11. Groce, A., Visser, W.: What went wrong: explaining counterexamples. In: Ball, T., Rajamani, S.K. (eds.) Model Checking Software. Lecture Notes in Computer Science, pp. 121–136. Springer, Berlin (2003)

    Chapter  Google Scholar 

  12. Jackson, D.: Alloy: a lightweight object modelling notation. ACM Trans. Softw. Eng. Methodol. (TOSEM) 11(2), 256–290 (2002)

    Article  MathSciNet  Google Scholar 

  13. Jhala, R., Podelski, A., Rybalchenko, A.: Predicate abstraction for program verification. In: Clarke, E.M., Henzinger, T.A., Veith, H., Bloem, R. (eds.) Handbook of Model Checking, pp. 447–491. Springer, Cham (2018)

    Chapter  Google Scholar 

  14. Josephson, S.G., Josephson, J.R.: Abductive Inference: Computation, Philosophy, and Technology. Cambridge University Press, Cambridge (1994)

    Book  Google Scholar 

  15. Kakas, A.C., Kowalski, R.A., Toni, F.: Abductive logic programming. J. Log. Comput. 2(6), 719–770 (1992)

    Article  MathSciNet  Google Scholar 

  16. Kakas, A.C., Van Nuffelen, B., Denecker, M.: A-system: problem solving through abduction. In: IJCAI, pp. 591–596 (2001)

  17. Kashyap, S., Garg, V.K.: Producing short counter examples using “Crucial Events”. In: Gupta, A., Malik, S. (eds.) Computer Aided Verification. Lecture Notes in Computer Science, pp. 491–503. Springer, Berlin, Heidelberg (2008)

  18. Lowe, G.: An attack on the Needham-Schroeder public-key authentication protocol. Inf. Process. Lett. 56(3), 131–133 (1995)

    Article  Google Scholar 

  19. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978)

    Article  Google Scholar 

  20. Postel, J.: Transmission Control Protocol. RFC 793, September 1981. Available at: https://www.rfc-editor.org/info/rfc793

  21. Shen, S., Qin, Y., Li, S.: Minimizing counterexample with unit core extraction and incremental sat. In: VMCAI, pp. 298–312 (2005)

  22. Shlyakhter, I., Seater, R., Jackson, D., Sridharan, M., Taghdiri, M.: Debugging over constrained declarative models using unsatisfiable cores. In: ASE, pp. 94–105 (2003)

  23. Solar-Lezama, A., Tancau, L., Bodik, R., Saraswat, V., Seshia, S.: Combinatorial sketching for finite programs. In: Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating System (ASPLOS), p. 12 (2006)

  24. Song, M., Günther, C.W., van der Aalst, W.M.P.: Trace clustering in process mining. In: Ardagna, D., Mecella, M., Yang, J. (eds.) Business Process Management Workshops. Lecture Notes in Business Information Processing, pp. 109–120. Springer, Berlin (2009)

    Google Scholar 

  25. Sülflow, A., Fey, G., Bloem, R., Drechsler, R.: Using unsatisfiable cores to debug multiple design errors. In: ACM Great Lakes Symposium on VLSI, pp. 77–82 (2008)

  26. Torlak, E., Chang, F.S.-H., Jackson, D.: Finding minimal unsatisfiable cores of declarative specifications. In: Cuellar, J., Maibaum, T., Sere, K. (eds.) FM 2008: Formal Methods. Lecture Notes in Computer Science, pp. 326–341. Springer, Berlin, Heidelberg (2008)

  27. Vick, C., Kang, E., Tripakis, S.: Counterexample classification. In: Calinescu, R., Păsăreanu, C.S. (eds.) Software Engineering and Formal Methods, pp. 312–331. Springer, Cham (2021)

    Chapter  Google Scholar 

  28. von Hippel, M., Vick, C., Tripakis, S., Nita-Rotaru, C.: Automated attacker synthesis for distributed protocols. In: Casimiro, A., Ortmeier, F., Bitsch, F., Ferreira, P. (eds.) Computer Safety, Reliability, and Security, pp. 133–149. Springer, Cham (2020)

  29. Zeller, A.: The debugging book. CISPA Helmholtz Center for Information Security (2021). Retrieved 2021-03-12 18:02:07+01:00

Download references

Author information

Authors and Affiliations

  1. Univeristy of Texas at Austin, Austin, TX, USA

    Cole Vick

  2. Carnegie Mellon University, Pittsburgh, PA, USA

    Eunsuk Kang

  3. Northeastern University, Boston, MA, USA

    Stavros Tripakis

Authors
  1. Cole Vick
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Eunsuk Kang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Stavros Tripakis
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Cole Vick.

Additional information

Communicated by Antonio Cerone and Frank de Boer.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This work has been supported by the National Science Foundation under NSF SaTC award CNS-1801546.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Vick, C., Kang, E. & Tripakis, S. Counterexample classification. Softw Syst Model 23, 455–472 (2024). https://doi.org/10.1007/s10270-023-01118-0

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10270-023-01118-0

Keywords

Search

Navigation