Alex Groce, Daniel Kroening, and Flavio Lerda
Computer Science Department, Carnegie Mellon University Pittsburgh, PA 15213
Abstract. The counterexamples produced by model checkers are often lengthy and difficult to understand. In practical verification, showing the existence of a (potential) bug is not enough: the error must be understood, determined to not be a result of faulty specification or assumptions, and, finally, located and corrected. The explain tool uses distance metrics on program executions to provide automated assistance in understanding and localizing errors in ANSI-C programs. explain is integrated with CBMC, a bounded model checker for the C language, and features a GUI front-end that presents error explanations to the user.
In an ideal world, given a detailed error trace, a programmer would always be able to quickly identify and correct the faulty portion of the code or specification. Practical experience, however, indicates that this is not the case. Understanding a counterexample often requires as much effort as preparing a program for model checking. As software model checking has become more concerned with practical applicability, the need for automated assistance in understanding counterexamples has been recognized [2, 6]. The explain tool provides users with assistance in focusing on the relevant portions of source code and in understanding the causal dependencies involved in an error. CBMC [7] is a tool for verifying ANSI-C programs. CBMC is a bounded model checker (BMC) [3]: it produces from a C program a Boolean formula satisfiable by executions of the program that violate its specification (counterexamples). The model checker supports pointer constructs, dynamic memory allocation, recursion, and the float and double data types. CBMC also features a graphical user interface designed to resemble an IDE (Integrated Development Environment) that allows users to interactively step through counterexample traces. explain uses the same bounded model checking engine to further analyze counterexample traces produced by CBMC. In particular, explain uses distance metrics on program executions [5], in a manner inspired by the counterfactual theory of causality [8], to provide a number of automatic analyses:
explain is used through the same GUI as CBMC. The interface allows users to step through explanatory traces as they would in a debugger (with the ability to step forwards and backwards). Portions of the code that explain suggests may be faulty are highlighted for the user.
Using explain is an interactive process. The tool assists the user in understanding counterexamples, but knowledge of the program (and the specification) is necessary to guide the tool. As an example, we will use explain to narrow in on an error in a small but non-trivial C program.
2.1 Debugging TCAS
TCAS (Traffic Alert and Collision Avoidance System) is an aircraft conflict detection and resolution system used by all US commercial aircraft. The Georgia Tech version of the Siemens suite [9] includes 41 buggy versions of ANSI-C code for the Resolution Advisory (RA) component of the TCAS system. A specification for this code (in the form of assertions) is available from another study [4].

The first step in using explain to understand an error is to produce a counterexample. We load tcas.c into the GUI and run the CBMC model checker. After a few seconds, the GUI reports that the assertion on line 257 has been violated. The counterexample execution passes through 112 states. Single-stepping through the trace looking for a bug is not an appealing prospect, so we turn to explain for assistance in understanding what is wrong with our code.

We run explain on the counterexample to find a successful execution that is as similar as possible to the failing run. explain uses the PBS [1] pseudo-Boolean solver to produce this trace, and lists the changes made to the original counterexample. The GUI highlights the lines that are involved in the changes^1. Unfortunately, the explanation is less than useful. The failed assertion in the counterexample is an implication:

    P3_BCond = ((Input_Up_Separation >= Layer_Positive_RA_Alt_Thresh) &&
                (Input_Down_Separation >= Layer_Positive_RA_Alt_Thresh) &&
                (Input_Own_Tracked_Alt < Input_Other_Tracked_Alt));
    assert(!(P3_BCond && PrB)); // P3_BCond -> !PrB

The successful execution most similar to the counterexample changes the value of Input_Down_Separation such that it is now < Layer_Positive_RA_Alt_Thresh, and no other values. We are really interested in finding out why, given that

^1 explain uses a causal slicing algorithm [5] to remove changes unrelated to the error.
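The search explain performs in this step, reduced to a toy, as an added example that is not code from the paper or from CBMC/explain: a brute-force enumeration over a small bounded domain stands in for the PBS solver, the distance metric counts differing state values between two executions, and THRESH, the failing inputs and the definition of PrB are assumptions.

```python
from itertools import product

# Constructed toy model of the TCAS assertion quoted in the paper. The threshold,
# the failing inputs and the definition of PrB are assumptions for illustration;
# they are not taken from the Siemens TCAS code.
THRESH = 300  # stands in for Layer_Positive_RA_Alt_Thresh

COUNTEREXAMPLE = {  # constructed failing input assignment
    "Input_Up_Separation": 400, "Input_Down_Separation": 350,
    "Input_Own_Tracked_Alt": 1000, "Input_Other_Tracked_Alt": 1200,
}

def run(inp):
    """Execute the toy program: the trace is the inputs plus every derived value."""
    t = dict(inp)
    t["P3_BCond"] = (inp["Input_Up_Separation"] >= THRESH
                     and inp["Input_Down_Separation"] >= THRESH
                     and inp["Input_Own_Tracked_Alt"] < inp["Input_Other_Tracked_Alt"])
    # Hypothetical stand-in for PrB; the real definition is not on the page.
    t["PrB"] = inp["Input_Up_Separation"] > inp["Input_Down_Separation"]
    return t

def assertion_holds(trace):
    return not (trace["P3_BCond"] and trace["PrB"])  # assert(!(P3_BCond && PrB))

def distance(a, b):
    """Distance metric: number of state values on which two executions differ."""
    return sum(1 for k in a if a[k] != b[k])

def closest_successful(cex):
    """Brute-force stand-in for the PBS search: enumerate a small bounded domain
    around the failing inputs, keep executions that satisfy the assertion, and
    return the minimal distance plus the deltas of every execution achieving it."""
    bad = run(cex)
    names = list(cex)
    domains = [sorted({cex[n], cex[n] - 100, cex[n] + 100, THRESH - 1, THRESH})
               for n in names]
    best, deltas = None, []
    for values in product(*domains):
        good = run(dict(zip(names, values)))
        if not assertion_holds(good):
            continue
        d = distance(bad, good)
        if best is None or d < best:
            best, deltas = d, []
        if d == best:  # the delta is what explain shows: which values changed
            deltas.append({k: (bad[k], good[k]) for k in bad if bad[k] != good[k]})
    return best, deltas

if __name__ == "__main__":
    for delta in closest_successful(COUNTEREXAMPLE)[1]:
        print(delta)
```

Several executions tie at the minimal distance; the real tool returns one of them, which is why the paper's explanation changed only Input_Down_Separation and why the user's knowledge of the program is still needed to interpret it.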
expression’s value in the faulty run match the value in the successful run, we need to change the > into a >= comparison. We modify the source code to reflect our hypothesis about the source of the error and rerun CBMC. This time, the model checker reports that verification is successful: the program satisfies its specification. In other experiments, explain produced a 1 line (correct) localization of a 127 state locking-protocol counterexample for a 2991 line fragment of a real-time OS microkernel.
explain is a tool that uses a model checker to assist users in debugging programs (or specifications). The tool is fully integrated with a model checker that precisely handles a rich variety of the features of the ANSI-C language, and provides a graphical front-end for user interactions. Case studies have demonstrated that explain can successfully localize errors in a number of programs. In the future, we hope to improve both the graphical interface to explain and the underlying explanation algorithms, based on experience with more case studies and user feedback.