1. Error Explanation with Distance Metrics
최윤라

2. Contents Overview Distance Metric d Producing Explanation (s)
-Slicing
Experiments

3. Overview CBMC explain S S’ SAT solver PBS s P + spec counterexample
closest successful execution S S’
SAT solver
PBS
finds closest successful execution as measured by distance metric
finds a counterexample

4. Explanation with distance metrics
The metric d is based on Static Single Assignment (SSA) (plus loop unrolling).
CBMC model checker (bounded model checker for C programs) translates an ANSI C program into a set of equations.
An execution of the program is just a solution to this set of equations.

5. SSA Transformation int main () { int input1#0,input2#0,input3#0;
int least#0 = input1#0;
int most#0 = input1#0;
most#1 = input2#0;
guard#1 = most#0<input2#0;
most#2=guard#1?most#1:most#0;
most#3 = input3#0;
guard#2 = most#2<input3#0;
most#4=guard#2?most#3:most#2;
most#5 = input2#0;
guard#3 = least#0input2#0;
most#6=guard#3?most#5:most#4;
least#1 = input3#0;
guard#4 = least#0input3#0;
least#2=
guard#4?least#1:least#0;
assert(least#2<=most#6); }
int main () {
int input1, input2, input3;
int least = input1;
int most = input1;
if (most < input2)
most = input2;
if (most < input3)
most = input3;
if (least > input2)
if (least > input3)
least = input3;
assert(least<=most); }

6. Transformation to Equations
int main () {
int input1#0,input2#0,input3#0;
int least#0 = input1#0;
int most#0 = input1#0;
most#1 = input2#0;
guard#1 = most#0<input2#0;
most#2=guard#1?most#1:most#0;
most#3 = input3#0;
guard#2 = most#2<input3#0;
most#4=guard#2?most#3:most#2;
most#5 = input2#0;
guard#3 = least#0input2#0;
most#6=guard#3?most#5:most#4;
least#1 = input3#0;
guard#4 = least#0input3#0;
least#2=
guard#4?least#1:least#0;
assert(least#2<=most#6); }
(least#0 == input1#0 
most#0 == input1#0 
most#1 == input2#0 
guard#1 == most#0<input2#0 
most#2==guard#1?most#1:most#0
most#3 == input3#0 
guard#2 == most#2<input3#0 
most#4==guard#2?most#3:most#2
most#5 == input2#0 
guard#3 == least#0input2#0 
most#6==guard#3?most#5:most#4
least#1 == input3#0 
guard#4 == least#0input3#0 
least#2==
guard#4?least#1:least#0 
least#2<=most#6)

7. Negation of Claim int main () { int input1#0,input2#0,input3#0;
int least#0 = input1#0;
int most#0 = input1#0;
most#1 = input2#0;
guard#1 = most#0<input2#0;
most#2=guard#1?most#1:most#0;
most#3 = input3#0;
guard#2 = most#2<input3#0;
most#4=guard#2?most#3:most#2;
most#5 = input2#0;
guard#3 = least#0input2#0;
most#6=guard#3?most#5:most#4;
least#1 = input3#0;
guard#4 = least#0input3#0;
least#2=
guard#4?least#1:least#0;
assert(least#2<=most#6); }
(least#0 == input1#0 
most#0 == input1#0 
most#1 == input2#0 
guard#1 == most#0<input2#0 
most#2==guard#1?most#1:most#0
most#3 == input3#0 
guard#2 == most#2<input3#0 
most#4==guard#2?most#3:most#2
most#5 == input2#0 
guard#3 == least#0input2#0 
most#6==guard#3?most#5:most#4
least#1 == input3#0 
guard#4 == least#0input3#0 
least#2==
guard#4?least#1:least#0 
least#2>most#6)

8. Execution Representation
counterexample
input1#0 = 1
input2#0 = 0
input3#0 = 1
least#0 = 1
most#0 = 0
\guard#1 = FALSE
most#1 = 0
most#2 = 1
\guard#2 = FALSE
most#3 = 1
most#4 = 1
\guard#3 = TRUE
most#5 = 0
most#6 = 0
\guard#4 = FALSE
\least#1 = 1
\least#2 = 1
(least#0 == input1#0 
most#0 == input1#0 
most#1 == input2#0 
guard#1 == most#0<input2#0 
most#2==guard#1?most#1:most#0
most#3 == input3#0 
guard#2 == most#2<input3#0 
most#4==guard#2?most#3:most#2
most#5 == input2#0 
guard#3 == least#0input2#0 
most#6==guard#3?most#5:most#4
least#1 == input3#0 
guard#4 == least#0input3#0 
least#2==
guard#4?least#1:least#0 
least#2>most#6)

9. Distance Metric d counterexample successful execution d=5 input1#0 = 1
least#0 = 1
most#0 = 1
\guard#1 = FALSE
most#1 = 0
most#2 = 1
\guard#2 = FALSE
most#3 = 1
most#4 = 1
\guard#3 = TRUE
most#5 = 0
most#6 = 0
\guard#4 = FALSE
\least#1 = 1
\least#2 = 1
input1#0 = 1
input2#0 = 1
input3#0 = 1
least#0 = 1
most#0 = 1
\guard#1 = FALSE
most#1 = 1
most#2 = 1
\guard#2 = FALSE
most#3 = 1
most#4 = 1
\guard#3 = FALSE
most#5 = 1
most#6 = 1
\guard#4 = FALSE
\least#1 = 1
\least#2 = 1
d=5

10. New SAT variables counterexample input1#0 = 1
least#0 = 1
most#0 = 1
\guard#1 = FALSE
most#1 = 0
most#2 = 1
\guard#2 = FALSE
most#3 = 1
most#4 = 1
\guard#3 = TRUE
most#5 = 0
most#6 = 0
\guard#4 = FALSE
\least#1 = 1
\least#2 = 1
input1#0 == (input1#0 != 1)
input2#0 == (input2#0 != 0)
input3#0 == (input3#0 != 1)
least#0 == (least#0 != 1)
most#0 == (most#0 != 1)
\guard#1 == (\guard#1 != FALSE)
most#1 == (most#1 == 0)
most#2 == (most#2 == 1)
\guard#2 == (\guard#2 != FALSE)
most#3 == (most#3 != 1)
most#4 == (most#4 != 1)
\guard#3 == (\guard#3 != TRUE)
most#5 == (most#5 != 0)
most#6 == (most#6 != 0)
\guard#4 == (\guard#4 != FALSE)
\least#1 == (\least#1 != 1)
\least#2 == (\least#2 != 1)

11. -Slicing irrelevant to assertion !
int main () {
int input1,input2;
int x=1,y=1,z=1;
if (input1 > 0) {
x += 5;
y += 6;
z += 4; }
if (input2 > 0) {
x += 6;
y += 5;
assert((x<10)||(y<10));
irrelevant to assertion !
What is the smallest subset of changes in values between two executions that result in a change in the value of the predicate?

12. algorithm Produce an explanation (a set of s) for a counterexample.
Modify the SAT constraints
replace the constraints for variables in s with
(vi=valia)((vi=valib)(vi=expr))
replace the constraints for all other vars with
vi=valia
Find a new solution to the modified constraint system.

13. -Slicing for the Example
partial constraints for slice.c
-slicing constraints for slice.c
-slice for slice.c

14. Experiments
Scores were generally much better than other methods—when they could be applied at all.
Much more consistent.
Testing-based methods of Renieris and Reiss occasionally worked better
Also gave useless (score 0) explanations much of the time.