The complexity of modern software-intensive systems continues to grow as a result of the increasing number of features and functionalities. When complex software-intensive systems are used in safety-critical domains such as automotive, robotics, and avionics, their malfunction can lead to severe damage or even death. Consequently, the safety of these systems is of paramount importance. To ensure safety, these systems have to be developed according to standards such as IEC 61508, and ISO 26262 in the automotive domain. These standards require safety techniques such as Failure Mode and Effects Analysis, Fault Tree Analysis, or Hazard and Operability study. Still today, such safety analysis is typically performed manually by engineers to identify potential safety issues. Machine support to automate the analysis is a way to overcome this time-consuming, expensive, and error-prone process.
Model checking is a computer-assisted verification technique for systems that have been modeled formally as state-transition systems. Drawing on research in mathematical logic, programming languages, hardware design, and theoretical computer science, model checking is now widely used for the verification of hardware and software in industry.
Model checking verifies whether a requirement is satisfied by a system or not. For this purpose, it needs a formal specification of the requirement, typically as a temporal-logic formula, and a formal description of the system, for instance as a Kripke structure. A model checker then performs the verification by checking whether the specification is satisfied by the system model. The result of model checking is either that the specification is satisfied by the model or that it is not. In the latter case, the model checker returns a counterexample to the specification on the model. Such a counterexample describes an execution path over system states that leads from the initial state to a state that violates the specification. Each state of such a path consists of atomic propositions over the variables defined by the model.
Once the system and its requirements are formalized, model checking is appealing because it is an automated technique and provides counterexamples if a system model fails to satisfy a requirement, which serve as essential debugging information. However, counterexamples are only the symptoms of faults, and understanding a counterexample in order to locate a fault in the system model is a challenging task for several reasons: a counterexample is often cryptic and lengthy; not all states in a counterexample are relevant to the error; not all variables in a state are related to the violated specification; the debugging task is performed manually, which is time-consuming and error-prone; and the counterexample does not explicitly point to the cause of the error, which remains hidden in the model. These challenges call for approaches to explain counterexamples, supporting system engineers in locating faults in their models.
Therefore, we provide an overview of the state of the art in research on explaining counterexamples and of how system engineers are supported in interpreting counterexamples. This allows us to assess the state of the art and to identify needs for future work. For this purpose, we conducted a systematic literature review on counterexample explanation with a focus on the different forms of explaining a counterexample, the different techniques for transforming or optimizing a counterexample in order to provide an explanation, the influence of the input system and requirement on counterexample explanation, and the different domains and applications used to evaluate approaches to counterexample explanation.
By collecting and analyzing the literature on these aspects, our survey gives a comprehensive overview of counterexample explanation. To structure and guide our survey, we introduce the conceptual model, with its terminology, that we use throughout the survey.
In our survey, we use the term design model to refer to an informal or formal description of the system that can be expressed in any modeling language, such as the Systems Modeling Language or the Unified Modeling Language. To perform model checking, the design model has to be translated into a verification model that is expressed in the specific formalism required by the model checker in use. For example, the model checker New Symbolic Model Verifier (NuSMV) uses the formalism of a Kripke structure to describe a system.
As system specification we generally consider technical and system requirements, which are usually defined informally. To perform model checking, requirements have to be formally specified by translating them into a specification expressed in a temporal logic. For example, NuSMV supports, among others, Linear Temporal Logic (LTL) and Computation Tree Logic (CTL). To ease this formalization step, property specification patterns have been proposed.
Given a verification model and a specification, a model checker verifies whether the model satisfies the specification. The outcome of the verification is either the fact that the model satisfies the specification or a counterexample showing a sequence of state transitions of the model that violates the specification. Such a counterexample is generated in a particular format depending on the model checker. For instance, a counterexample produced by NuSMV follows the Kripke structure of the verification model.
The input to the counterexample explanation process is the counterexample returned by a model checker and, additionally, the artifacts of what we call the input domain, comprising the verification model, the specification, the design model, and the requirements of the system. First, the counterexample is processed to produce a processed counterexample that may be easier to interpret. For example, it can be a reduced version of the original counterexample, restricted to the parts that are relevant to the violation and the fault. Afterwards, a representation of the processed counterexample is produced that serves as the explanation of the counterexample. The explanation may refer to artifacts of the input domain that have been provided by the system engineer. Finally, the explanation is presented to a system engineer, who interprets it, typically manually, to understand the fault.
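The following added example (written for this page; it is not code from the survey or from any model checker it mentions) walks through both the model checking step described earlier and the explanation process described in this paragraph. A constructed pedestrian-crossing controller is given as a Kripke structure over the variables `light`, `walk`, `req` and `tick`; the invariant "the walk signal is never on while the light is green" stands in for the temporal-logic specification. A breadth-first explicit-state check either reports that the model satisfies the invariant or returns the shortest counterexample path from the initial state. The counterexample is then processed by projecting each state onto the variables the specification refers to (so the irrelevant `tick` counter and `req` flag disappear, illustrating why not all variables in a state matter), and an explanation listing only the relevant changes per step is produced. All names, the controller's transition relation and the deliberate fault in it are assumptions made for this illustration.

```python
from collections import deque

# Constructed example: a pedestrian-crossing controller as a Kripke structure.
# A state is a tuple of values for these variables, in this order.
VARS = ("light", "walk", "req", "tick")
INIT = ("red", False, False, 0)

def successors(state):
    """Transition relation of the constructed controller. It is deliberately
    faulty: a pending request switches the walk signal on with the next light
    change, without checking that the new light colour is red."""
    light, walk, req, tick = state
    new_light = "green" if light == "red" else "red"
    new_tick = (tick + 1) % 3                   # bounded counter unrelated to the property
    nxt = [(new_light, req, False, new_tick)]   # controller step: grant and clear any request
    if not req:
        nxt.append((light, walk, True, tick))   # a pedestrian may press the button
    return nxt

def successors_fixed(state):
    """Corrected transition relation: a request is only granted when the new
    light colour is red; otherwise it stays pending."""
    light, walk, req, tick = state
    new_light = "green" if light == "red" else "red"
    new_tick = (tick + 1) % 3
    grant = req and new_light == "red"
    nxt = [(new_light, grant, req and not grant, new_tick)]
    if not req:
        nxt.append((light, walk, True, tick))
    return nxt

def safe(state):
    """Atomic proposition of the requirement 'the walk signal is never on while
    the light is green', i.e. the LTL invariant G !(light = green & walk)."""
    light, walk, _, _ = state
    return not (light == "green" and walk)

PROPERTY_VARS = ("light", "walk")   # the variables the specification refers to

def check_invariant(init, successors, safe):
    """Explicit-state model checking of an invariant by breadth-first search.
    Returns None if every reachable state is safe, otherwise the shortest
    counterexample: the list of states from the initial state to a violation."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if not safe(s):
            path = []
            while s is not None:          # walk the parent links back to the initial state
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in successors(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None

def as_dict(state):
    return dict(zip(VARS, state))

def reduce_counterexample(path, keep):
    """Processed counterexample: project every state onto the variables the
    specification mentions and collapse consecutive states that agree on them."""
    reduced = []
    for s in path:
        proj = {v: as_dict(s)[v] for v in keep}
        if not reduced or proj != reduced[-1]:
            reduced.append(proj)
    return reduced

def explain(path, keep):
    """Explanation as text: for each step, which of the specification's
    variables changed, and the values in the violating state."""
    lines = []
    for i in range(1, len(path)):
        prev, cur = as_dict(path[i - 1]), as_dict(path[i])
        changed = [f"{v}: {prev[v]} -> {cur[v]}" for v in keep if prev[v] != cur[v]]
        lines.append(f"step {i}: " + (", ".join(changed) if changed
                                      else "no change in specification variables"))
    last = as_dict(path[-1])
    lines.append("violation: " + ", ".join(f"{v}={last[v]}" for v in keep))
    return lines

if __name__ == "__main__":
    cex = check_invariant(INIT, successors, safe)
    print("raw counterexample:", cex)
    print("processed:", reduce_counterexample(cex, PROPERTY_VARS))
    print("\n".join(explain(cex, PROPERTY_VARS)))
    print("fixed model satisfies the invariant:",
          check_invariant(INIT, successors_fixed, safe) is None)
```

On the faulty controller the raw counterexample has three states, but only the last transition changes a variable the specification mentions; the processed counterexample therefore collapses to two projected states, and the explanation marks the button press as irrelevant to the violation. Replacing `successors` with `successors_fixed` makes the check return `None`, the "model satisfies the specification" outcome.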