Whodunit? Causal Analysis for Counterexamples

  • Chao Wang
  • Zijiang Yang
  • Franjo Ivančić
  • Aarti Gupta
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4218)


Although the counterexample returned by a model checker can help in reproducing the symptom related to a defect, a significant amount of effort is often required for the programmer to interpret it in order to locate the cause. In this paper, we provide an automated procedure to zoom in on potential software defects by analyzing a single concrete counterexample. Our analysis relies on extracting from the counterexample a syntactic-level proof of infeasibility, i.e., a minimal set of word-level predicates that contradict each other. The procedure uses an efficient weakest pre-condition algorithm carried out on a single concrete execution path, which is significantly more scalable than other model-checking-based approaches. Unlike most of the existing methods, we do not need additional execution traces other than the buggy one. We use public-domain examples to demonstrate the effectiveness of our new algorithm.


Keywords: Model Check; Causal Analysis; Execution Path; Execution Trace; Symbolic Execution
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Chao Wang (1)
  • Zijiang Yang (2)
  • Franjo Ivančić (1)
  • Aarti Gupta (1)

  1. NEC Laboratories America, Princeton, USA
  2. Department of Computer Science, Western Michigan University, Kalamazoo, USA
