Generation of All Counter-Examples for Push-Down Systems

We present a new, on-the-fly algorithm that given a push-down model representing a sequential program with (recursive) procedure calls and an extended finite-state automaton representing (the negation of) a safety property, produces a succinct, symbolic representation of all counter-examples; i.e., traces of system behaviors that violate the property. The class of what we call minimum-recursion loop-free counter-examples can then be generated from this representation on an as-needed basis and presented to the user. Our algorithm is also applicable, without modification, to finite-state system models. Simultaneous consideration of multiple counter-examples can minimize the number of model-checking runs needed to recognize common root causes of property violations. We illustrate the use of our techniques via application to a Java-Tar utility and an FTP-server program, and discuss a prototype tool implementation which offers several abstraction techniques for easy-viewing of generated counter-examples.

[1]  Edmund M. Clarke,et al.  Counterexample-Guided Abstraction Refinement , 2000, CAV.

[2]  Javier Esparza,et al.  Reachability Analysis of Pushdown Automata: Application to Model-Checking , 1997, CONCUR.

[3]  Moshe Y. Vardi,et al.  Multiple-Counterexample Guided Iterative Abstraction Refinement: An Industrial Evaluation , 2003, TACAS.

[4]  C. R. Ramakrishnan,et al.  Resource-Constrained Model Checking of Recursive Programs , 2002, TACAS.

[5]  Pierre Wolper,et al.  A direct symbolic approach to model checking pushdown systems , 1997, INFINITY.

[6]  Georg Sander,et al.  Graph Layout through the VCG Tool , 1994, GD.

[7]  David L. Dill,et al.  Counter-Example Based Predicate Discovery in Predicate Abstraction , 2002, FMCAD.

[8]  C. R. Ramakrishnan,et al.  Model-Carrying Code (MCC): a new paradigm for mobile-code security , 2001, NSPW '01.

[9]  Alex Groce,et al.  Adaptive Model Checking , 2002, Log. J. IGPL.

[10]  Alex Groce,et al.  What Went Wrong: Explaining Counterexamples , 2003, SPIN.

[11]  Joseph Sifakis,et al.  Specification and verification of concurrent systems in CESAR , 1982, Symposium on Programming.

[12]  C. A. Petri,et al.  Concurrency Theory , 1986, Advances in Petri Nets.

[13]  Nicolas Halbwachs,et al.  Counter-example generation in symbolic abstract model-checking , 2004, International Journal on Software Tools for Technology Transfer.

[14]  Hassen Saïdi,et al.  Model Checking Guided Abstraction and Analysis , 2000, SAS.

[15]  C. Rattray,et al.  Specification and Verification of Concurrent Systems , 1990, Workshops in Computing.

[16]  Rajeev Alur,et al.  Counterexample-guided predicate abstraction of hybrid systems , 2003, Theor. Comput. Sci..

[17]  Ugo Montanari,et al.  International Symposium on Programming , 1982, Lecture Notes in Computer Science.

[18]  Edmund M. Clarke,et al.  Counterexample-guided abstraction refinement , 2003, 10th International Symposium on Temporal Representation and Reasoning, 2003 and Fourth International Conference on Temporal Logic. Proceedings..

[19]  Kedar S. Namjoshi,et al.  Certifying Model Checkers , 2001, CAV.

[20]  Javier Esparza,et al.  A BDD-Based Model Checker for Recursive Programs , 2001, CAV.

[21]  Christos H. Papadimitriou,et al.  Elements of the Theory of Computation , 1997, SIGA.

[22]  Matthew B. Dwyer,et al.  Finding Feasible Counter-examples when Model Checking Abstracted Java Programs , 2001, TACAS.

[23]  Mayur Naik,et al.  From symptom to cause: localizing errors in counterexample traces , 2003, POPL '03.

[24]  Javier Esparza,et al.  Efficient Algorithms for Model Checking Pushdown Systems , 2000, CAV.