From Symptom to Cause: Localizing Errors in Counterexample Traces
Mayur Naik, Purdue University
Thomas Ball, Microsoft Research
Sriram K. Rajamani, Microsoft Research
Model Checking
+ Fully automatic: Does not require the user to provide annotations.
+ Transparent: Produces a source-level error trace (counterexample).
− An error trace represents a symptom of the error as opposed to its cause.
− State-of-the-art model checkers report only one error trace.
The Problem
1. How do we localize the cause of the error in an error trace?
2. How do we produce multiple error traces having distinct causes?
Note: Problem is relevant to other error-detection techniques as well.
What is a “Cause”?
We define a “cause” to be those parts of an error trace not contained in any correct trace.
The program fragments containing the cause are rendered unreachable.
The model checker is invoked again to produce additional error traces.
Example
main()
{
    AcquireLock();
    if (...)
        ReleaseLock();
    else {
        ...
    }
    AcquireLock();
    if (...)
        ReleaseLock();
    else {
        ...
    }
    return;
}
Error #1: Lock acquired in succession
Correct Trace Computation
Error Cause Localization
Error Recovery
Insert halt: the code after it is unreachable from the entry of main in future runs of the model checker.
Error #2: Lock held on exit
main()
{
    AcquireLock();
    if (...)
        ReleaseLock();
    else {
        halt; ...
    }
    AcquireLock();
    if (...)
        ReleaseLock();
    else {
        ...
    }
    return;
}
Correct Trace Computation
Error Cause Localization
Error Recovery
Insert halt: the code after it is unreachable from the entry of main in future runs of the model checker.
Final (Error-Free) Program
main()
{
    AcquireLock();
    if (...)
        ReleaseLock();
    else {
        halt; ...
    }
    AcquireLock();
    if (...)
        ReleaseLock();
    else {
        halt; ...
    }
    return;
}
Our Results
A technique that exploits correct traces for error cause localization.
Efficient algorithm for computing correct traces.
Experimental results in the context of the SLAM toolkit.
Transitions and Edges
project(<(3, L), (5, U)>) = (3, 5)
1 AcquireLock();
2 if (...)
3     ReleaseLock();
  else {
4     ...
  }
5 AcquireLock();
High-Level Algorithm
while true do
  switch ModelCheck(G, ve) of   // ve is of the form assert(e)
    case FAILURE(T):
      let C = GetCorrectTransitions(G, ve) and
          K = project(T) \ project(C) in
      if K = Ø then
        break
      for each (vi, vj) in K do
        insert a halt statement between vi and vj
    case SUCCESS:
      break
Computing Correct Transitions
ve ≡ assert(s==U)
1 AcquireLock();
2 if (...)
3     ReleaseLock();
  else {
4     ...
  }
5 AcquireLock();
Reachable state-space computed by model checker: (1,U), (2,L), (3,L), (4,L), (5,U), (5,L)
Transitions in Error Trace (T)
<(1, U), (2, L)>
<(2, L), (4, L)>
<(4, L), (5, L)>
Correct Transitions (C)
<(1, U), (2, L)>
<(2, L), (3, L)>
<(3, L), (5, U)>
Example 1: An omission error
1 AcquireLock();
2 if (...)
3     ReleaseLock();
  else {
4     ...
  }
5 ...
6 AcquireLock();
  ...
Transitions in Error Trace (T)
<(1, U), (2, L)>
<(2, L), (4, L)>
<(4, L), (5, L)>
<(5, L), (6, L)>
Correct Transitions (C)
<(1, U), (2, L)>
<(2, L), (3, L)>
<(3, L), (5, U)>
<(5, U), (6, U)>
Error Cause Localization
K = project (T) \ project (C)
= { (2, 4), (4, 5) }
Experimental Results

| Name of driver | LOC | Number of edges in error trace | Number of edges in error cause | Error cause localized? |
|---|---|---|---|---|
| mouse packet filter | 984 | 73 | 0 | No |
| | | 110 | 4 | Yes |
| serial mouse port | 7441 | 56 | 1 | Yes |
| keyboard packet filter | 1067 | 73 | 0 | No |
| | | 107 | 4 | Yes |
| IEEE 1394 bus driver | 5818 | 45 | 7 | Yes |
| | | 44 | 7 | Yes |
| | | 60 | 1 | Yes |
| | | 81 | 3 | Yes |
| | | 85 | 0 | No |
| keyboard class driver | 13161 | 158 | 0 | No |
| i8042 port | 22168 | 127 | 1 | Yes |
| | | 124 | 5 | Yes |
| packet-based DMA | 24971 | 75 | 1 | Yes |
| serial port | 30905 | 248 | 3 | Yes |

Example 2: A variable-value error
enum { S, F } x = S;
int foo() {
    if (*)
        x = S;
    else
        x = F;
    return x;
}
main() {
1   int status = S;
2   if (*)
3       status = foo();
    else {
4       foo();
5       status = S;
    }
6   assert(status==x);
}
Program state is of the form (status, x)
Error Trace (states): (1,(S,S)), (2,(S,S)), (4,(S,S)), (5,(S,F)), (6,(S,F))
Correct Traces (states): (1,(S,S)), (2,(S,S)), (3,(S,S)), (4,(S,S)), (5,(S,S)), (6,(S,S)), (6,(F,F))
Error Cause Localization
K = project (T) \ project (C)
= Ø
High-Level Algorithm
while true do
  switch ModelCheck(G, ve) of   // ve is of the form assert(e)
    case FAILURE(T):
      let C = GetCorrectTransitions(G, ve) and
          K = project(T \ C) in
      if K = Ø then
        break
      for each (vi, vj) in K do
        insert a halt statement between vi and vj
    case SUCCESS:
      break
Example 2: A variable-value error
Error Cause Localization
K = project (T \ C)
= { (4, 5), (5, 6) }
Example 1: An omission error
Error Cause Localization
K = project (T \ C)
= { (2, 4), (4, 5), (5, 6) }
Limitations
Control-based approach fails to localize the cause when every edge in the error trace is contained in some correct trace.
Transition-based approach localizes the cause to a suffix of the error trace.
Model Imprecision: Infeasible paths can misguide error cause localization using either approach.
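The two localization rules from these slides, K = project(T) \ project(C) and K = project(T \ C), run on Example 1 and Example 2. This is an added example, not code from the talk or from the SLAM toolkit. It assumes an explicit finite state graph and takes C to be the transitions lying on some path from the entry state to a state where the assertion holds; the function names, the graph encoding, and the Example 2 transitions (reconstructed from the states shown on the slide) are illustrative.

```python
from collections import deque


def _closure(starts, adj):
    """Every state reachable from `starts` along the adjacency map `adj`."""
    seen, queue = set(starts), deque(starts)
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def correct_transitions(graph, init, assert_pc, holds):
    """C (assumed definition): transitions on some path from `init` to a
    state at `assert_pc` whose data part satisfies the assertion `holds`."""
    succ, pred = {}, {}
    for src, dst in graph:
        succ.setdefault(src, []).append(dst)
        pred.setdefault(dst, []).append(src)
    forward = _closure([init], succ)
    good = [s for s in forward if s[0] == assert_pc and holds(s[1])]
    backward = _closure(good, pred)
    return {(a, b) for a, b in graph if a in forward and b in backward}


def project(transitions):
    """Drop the data part: <(vi, s), (vj, s')> becomes the edge (vi, vj)."""
    return {(a[0], b[0]) for a, b in transitions}


def control_based(T, C):
    return project(T) - project(C)      # K = project(T) \ project(C)


def transition_based(T, C):
    return project(set(T) - C)          # K = project(T \ C)


def path(*states):
    """Turn a sequence of consecutive states into a list of transitions."""
    return list(zip(states, states[1:]))


# Example 1 (omission error): state = (line, lock), assert(s==U) at line 6.
EX1_GRAPH = (path((1, "U"), (2, "L"), (3, "L"), (5, "U"), (6, "U"))
             + path((2, "L"), (4, "L"), (5, "L"), (6, "L")))
EX1_T = path((1, "U"), (2, "L"), (4, "L"), (5, "L"), (6, "L"))
EX1_C = correct_transitions(EX1_GRAPH, (1, "U"), 6, lambda lock: lock == "U")

# Example 2 (variable-value error): state = (line, (status, x)),
# assert(status==x) at line 6. Transitions are constructed from the slide.
SS, SF, FF = ("S", "S"), ("S", "F"), ("F", "F")
EX2_GRAPH = (path((1, SS), (2, SS), (3, SS), (6, SS)) + [((3, SS), (6, FF))]
             + path((2, SS), (4, SS), (5, SS), (6, SS))
             + path((4, SS), (5, SF), (6, SF)))
EX2_T = path((1, SS), (2, SS), (4, SS), (5, SF), (6, SF))
EX2_C = correct_transitions(EX2_GRAPH, (1, SS), 6, lambda d: d[0] == d[1])

if __name__ == "__main__":
    for name, T, C in (("Example 1", EX1_T, EX1_C), ("Example 2", EX2_T, EX2_C)):
        print(name, "control-based:", sorted(control_based(T, C)),
              "transition-based:", sorted(transition_based(T, C)))
```

On Example 2 the control-based rule returns the empty set because every edge of the error trace also lies on a correct trace, while the transition-based rule returns a suffix of the error trace, matching the first two limitations listed above.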
Related Work
Multiple Counterexamples
  Verisim [Bhargavan et al., TSE ’02]
Error Cause Localization
  Explaining counterexamples [Jin et al., TACAS ’02]
  Explaining type errors [Wand, POPL ’86; Johnson & Walz, POPL ’86; Beaven & Stansifer, LOPLAS ’93; Duggan & Bent, SCP ’96; Chitil, ICFP ’01; Tip & Dinesh, TOSEM ’01]
Program Slicing [Weiser, TSE ’84]
Algorithmic Debugging [Shapiro, Ph.D. thesis ’82]
Delta Debugging [Zeller, FSE ’99]
Anomaly Detection
  Static: Meta-Level Compilation [Hallem et al., PLDI ’02]
  Dynamic: Daikon [Ernst et al., TSE ’01], DIDUCE [Hangal & Lam, ICSE ’02]
Conclusions
We have presented a technique for localizing the causes of errors in counterexample traces.
A combination of the control-based and transition-based approaches appears promising.
Our technique is quite general and should be applicable to error detection tools based on data-flow analysis as well.