Bounded transaction model checking

technical reportIndustrial cache coherence protocol models often have too many reachable states, preventing full reachability analysis even for small model instances (number of processors, addresses, etc.). Several partial search debugging methods are, therefore, employed, including lossy state compression using hash compaction, and bounded model checking (BMC, or equivalently, depth-bounded search). We show that instead of a BMC approach, a bounded transaction approach is much more effective for debugging. This is because of the fact that the basic unit of activity in a cache coherence protocol is that of a transaction - e.g., a complete causal cycle of actions beginning with a node making a request for a line and obtaining the line. The reduced effectiveness of BMC mainly stems from the fact that by limiting only the search depth, it cannot be guaranteed that complete transactions get selected, or that the right kind maximal number of interacting transactions. Thus, instead of bounded model-checking, which explores all possible interleavings in BFS, we propose a bounded transaction model-checking approach for debugging cache coherence protocols, where the criterion is to allow a certain number of transactions chosen from a set of potentially interfering set of transactions, to be explored. We have built a bounded transaction version for the Murphi model checker and shown that it can find seeded bugs in protocols far more effectively, especially when full BFS runs out of memory and misses these bugs. We compare our work with similar ideas - such as debugging communicating push-down systems[1] by bounding the number of interleavings (a similar idea, but different in detail)

Fault Localization in Multi-Threaded C Programs using Bounded Model Checking (extended version)

Software debugging is a very time-consuming process, which is even worse for multi-threaded programs, due to the non-deterministic behavior of thread-scheduling algorithms. However, the debugging time may be greatly reduced, if automatic methods are used for localizing faults. In this study, a new method for fault localization, in multi-threaded C programs, is proposed. It transforms a multi-threaded program into a corresponding sequential one and then uses a fault-diagnosis method suitable for this type of program, in order to localize faults. The code transformation is implemented with rules and context switch information from counterexamples, which are typically generated by bounded model checkers. Experimental results show that the proposed method is effective, in such a way that sequential fault-localization methods can be extended to multi-threaded programs.Comment: extended version of paper published at SBESC'1

A methodology for the capture and analysis of hybrid data: a case study of program debugging

No description supplie

Cause Clue Clauses: Error Localization using Maximum Satisfiability

Much effort is spent everyday by programmers in trying to reduce long, failing execution traces to the cause of the error. We present a new algorithm for error cause localization based on a reduction to the maximal satisfiability problem (MAX-SAT), which asks what is the maximum number of clauses of a Boolean formula that can be simultaneously satisfied by an assignment. At an intuitive level, our algorithm takes as input a program and a failing test, and comprises the following three steps. First, using symbolic execution, we encode a trace of a program as a Boolean trace formula which is satisfiable iff the trace is feasible. Second, for a failing program execution (e.g., one that violates an assertion or a post-condition), we construct an unsatisfiable formula by taking the trace formula and additionally asserting that the input is the failing test and that the assertion condition does hold at the end. Third, using MAX-SAT, we find a maximal set of clauses in this formula that can be satisfied together, and output the complement set as a potential cause of the error. We have implemented our algorithm in a tool called bug-assist for C programs. We demonstrate the surprising effectiveness of the tool on a set of benchmark examples with injected faults, and show that in most cases, bug-assist can quickly and precisely isolate the exact few lines of code whose change eliminates the error. We also demonstrate how our algorithm can be modified to automatically suggest fixes for common classes of errors such as off-by-one.Comment: The pre-alpha version of the tool can be downloaded from http://bugassist.mpi-sws.or

Enhanced Formal Verification Flow for Circuits Integrating Debugging and Coverage Analysis

In this paper we briefly review techniques used in formal hardware verification. An advanced flow emerges from integrating two major methodological improvements: debugging support and coverage analysis. The verification engineer can locate the source of a failure with an automatic debugging support. Components are identified which explain the discrepancy between the property and the circuit behavior.This method is complemented by an approach to analyze functional coverage of the proven Bounded Model Checking(BMC) properties. The approach automatically determines whether the property set is complete or not. In the latter case coverage gaps are returned. Both techniques are integrated in an enhanced verification flow. A running example demonstrates the resulting advantages

Contradictory antecedent debugging in bounded model checking

In the context of formal verification Bounded Model Check-ing (BMC) has shown to be very powerful for large industrial designs. BMC is used to check whether a circuit satisfies a temporal property or not. Typically, such a property is for-mulated as an implication. In the antecedent of the property the verification engineer specifies the assumptions about the design environment and joins the respective expressions by logical AND. However, the overall conjunction may have no solution, i.e. the antecedent is contradictory. Since in this case a property trivially holds this situation has to be avoided. Furthermore, the root cause of a contradictory an-tecedent has to be identified which is a manual and very time-consuming process. In this paper we propose a fully automatic approach for presenting all reasons of a contradictory antecedent to the verification engineer, i.e. the approach pinpoints to the sub-expressions in the antecedent that form a contradiction. Hence, our approach reduces the debugging time of a con-tradictory antecedent significantly