Paths to Property Violation: A Structural Approach for Analyzing Counter-Examples

At Airbus, flight control software is developed using SCADE formal models, from which 90% of the code can be generated. Having a formal design leaves open the possibility of introducing model checking techniques. But, from our analysis of cases extracted from real software, a key issue concerns the exploitation of counterexamples showing property violation. Understanding the causes of the violation is not trivial, and the (unique) counterexample returned by a model checker is not necessarily realistic from an operational viewpoint. To address this issue, we propose an automated structural analysis that identifies paths of the model that are activated by a counterexample over time. This analysis allows us to extract relevant information to explain the observed violation. It may also serve to guide the model checker toward the search for different counterexamples, exhibiting new path activation patterns.
