Bug Hunting with False Negatives

  • Jens Calamé
  • Natalia Ioustinova
  • Jaco van de Pol
  • Natalia Sidorova
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4591)


Safe data abstractions are widely used for verification purposes. Positive verification results can be transferred from the abstract to the concrete system. When a property is violated in the abstract system, one still has to check whether a concrete violation scenario exists. However, even when the violation scenario is not reproducible in the concrete system (a false negative), it may still contain information on possible sources of bugs.

Here, we propose a bug hunting framework based on abstract violation scenarios. We first extract a violation pattern from one abstract violation scenario. The violation pattern represents multiple abstract violation scenarios, increasing the chance that a corresponding concrete violation exists. Then, we look for a concrete violation that corresponds to the violation pattern by using constraint solving techniques. Finally, we define the class of counterexamples that we can handle and argue correctness of the proposed framework.

Our method combines two formal techniques, model checking and constraint solving. Through an analysis of contracting and precise abstractions, we are able to integrate overapproximation by abstraction with concrete counterexample generation.


False Negative Model Check Data Abstraction Abstract Interpretation Label Transition System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Brisset, P., et al.: ECLIPSe Constraint Library Manual, version 5.9 edn. (May 2006),
  2. 2.
    Calamé, J.R., Ioustinova, N., v.d. Pol, J.C.: Towards Automatic Generation of Parameterized Test Cases from Abstractions. Technical Report SEN-E0602, Centrum voor Wiskunde en Informatica. ENTCS (March 2006) (to appear)Google Scholar
  3. 3.
    Chaki, S., Clarke, E., Grumberg, O., Ouaknine, J., Sharygina, N., Touili, T., Veith, H.: State/Event Software Verification for Branching-Time Specifications. In: Romijn, J.M.T., Smith, G.P., van de Pol, J. (eds.) IFM 2005. LNCS, vol. 3771, pp. 53–69. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Clarke, E.M., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided Abstraction Refinement for Symbolic Model Checking. Journ. of the ACM 50(5), 752–794 (2003)CrossRefMathSciNetGoogle Scholar
  5. 5.
    Clarke, E.M., Grumberg, O., Long, D.E.: Model Checking and Abstraction. ACM Transactions on Programming Languages and Systems 16(5), 1512–1542 (1994) A preliminary version appeared in the Proc. of the POPL 1992CrossRefGoogle Scholar
  6. 6.
    Cousot, P., Cousot, R.: Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. In: Proc. of the 4th ACM SIGACT-SIGPLAN Symp. on Principles of programming languages (POPL 1977), pp. 238–252. ACM Press, New York (1977)CrossRefGoogle Scholar
  7. 7.
    Dams, D.: Abstract Interpretation and Partition Refinement for Model Checking. PhD dissertation, Eindhoven University of Technology (July 1996)Google Scholar
  8. 8.
    Dams, D., Gerth, R.: The Bounded Retransmission Protocol Revisited. Electronic Notes in Theoretical Computer Science 9, 26 (1999)CrossRefGoogle Scholar
  9. 9.
    Dams, D., Gerth, R., Grumberg, O.: Abstract Interpretation of Reactive Systems. ACM Transactions on Programming Languages and Systems (TOPLAS) 19(2), 253–291 (1997)CrossRefGoogle Scholar
  10. 10.
    Das, S., Dill, D.L.: Counter-Example Based Predicate Discovery in Predicate Abstraction. In: FMCAD, pp. 19–32 (2002)Google Scholar
  11. 11.
    Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Patterns in Property Specifications for Finite-state Verification. In: Proc. of the 21st Intl. Conf. on Software Engineering, pp. 411–420. IEEE Computer Society Press, Los Alamitos (1999)Google Scholar
  12. 12.
    Giannakopoulou, D.: Model Checking for Concurrent Software Architectures. PhD thesis, Imperial College of Science Techn. and Med., Univ. of London (March 1999)Google Scholar
  13. 13.
    Graf, S., Saïdi, H.: Construction of Abstract State Graphs with PVS. In: Proc. of the 9th Intl. Conf. on Computer-Aided Verification, pp. 72–83 (1997)Google Scholar
  14. 14.
    Groote, J.F., Ponse, A.: The Syntax and Semantics of μCRL. In: Ponse, A., Verhoef, C., van Vlijmen, S. (eds.) Algebra of Communicating Processes. Workshops in Computing, pp. 26–62. Springer, Heidelberg (1994)Google Scholar
  15. 15.
    Grumberg, O., Lerda, F., Strichman, O., Theobald, M.: Proof-guided Underapproximation-Widening for Multi-Process Systems. In: Proc. of the Ann. Symp. on Principles of Programming Languages, pp. 122–131 (2005)Google Scholar
  16. 16.
    Kesten, Y., Pnueli, A.: Control and Data Abstraction: The Cornerstones of Practical Formal Verification. Intl. Journ. on Software Tools for Technology Transfer 2(4), 328–342 (2000)zbMATHCrossRefGoogle Scholar
  17. 17.
    Lakhnech, Y., Bensalem, S., Berezin, S., Owre, S.: Incremental Verification by Abstraction. In: Proc. of the Intl. Conf. on Tools and Algorithms for the Construction and Analysis of Systems, pp. 98–112 (2001)Google Scholar
  18. 18.
    Loiseaux, C., Graf, S., Sifakis, J., Bouajjani, A., Bensalem, S.: Property Preserving Abstractions for the Verification of Concurrent Systems. Formal Methods in System Design 6(1), 11–44 (1995)zbMATHCrossRefGoogle Scholar
  19. 19.
    Marriott, K., Stuckey, P.J.: Programming with Constraints – An Introduction. MIT Press, Cambridge (1998)zbMATHGoogle Scholar
  20. 20.
    Pace, G., Halbwachs, N., Raymond, P.: Counter-example Generation in Symbolic Abstract Model-Checking. Intl. Journ. on Software Tools for Technology Transfer 5(2), 158–164 (2004)CrossRefGoogle Scholar
  21. 21.
    Pasareanu, C.S., Dwyer, M.B., Visser, W.: Finding Feasible Counter-examples when Model Checking Abstracted Java Programs. In: Proc. of the Intl. Conf. on Tools and Algorithms for the Construction and Analysis of Systems, pp. 284–298 (2001)Google Scholar
  22. 22.
    Pasareanu, C.S., Pelánek, R., Visser, W.: Concrete Model Checking with Abstract Matching and Refinement. In: Proc. of the Intl. Conf. on Computer-Aided Verification, pp. 52–66 (2005)Google Scholar
  23. 23.
    v.d. Pol, J.C., Espada, M.A.V.: Modal Abstractions in μCRL. In: Rattray, C., Maharaj, S., Shankland, C. (eds.) AMAST 2004. LNCS, vol. 3116, Springer, Heidelberg (2004)Google Scholar
  24. 24.
    Rusu, V., du Bousquet, L., Jéron, T.: An Approach to Symbolic Test Generation. In: Grieskamp, W., Santen, T., Stoddart, B. (eds.) IFM 2000. LNCS, vol. 1945, pp. 338–357. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  25. 25.
    Tanenbaum, A.S.: Computer Networks. Prentice Hall International, Englewood Cliffs (1981)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Jens Calamé
    • 1
  • Natalia Ioustinova
    • 1
  • Jaco van de Pol
    • 1
    • 2
  • Natalia Sidorova
    • 2
  1. 1.Centrum voor Wiskunde en Informatica, P.O.Box 94079, 1090 GB AmsterdamThe Netherlands
  2. 2.Eindhoven University of Technology, P.O.Box 513, 5600 MB EindhovenThe Netherlands

Personalised recommendations