finding and fixing faults

Finding and Fixing Faults

Roderick Bloem

Graz University of TechnologyAlpine Verification Meeting, October 2005

Barbara Jobstmann, Stefan Staber, Andreas Griesmayer, and

Fault Localization and Correction 2Roderick Bloem, Alpine Verification Meeting October 2005Dr Seuss, Did I Ever Tell You how Lucky You Are?

Fault Localization and Correction 3Roderick Bloem, Alpine Verification Meeting October 2005

More Motivation

Debugging consists of 1. Detecting failure

2. Localizing fault

3. Correcting fault

Manual Localization & Correction takes significant time Bugs fixes at very end of design cycle (high risk)

Important problem, but little research!

Time

Design CorrectSpecify Localize

Debug

Detect


Previous Work

Understandability of counterexamples Clarke et al 95: original work Ravi, Somenzi, Jin: decision points, length and

“width” of counterexample

Comparing good and bad traces to find suspicious points Groce, Zeller, Ball and Rajamani

Diagnosis & Repair for combinational circuits [various] or sequential circuits with very simple fault models

[Wahba&Borrione]


Our Idea

Find (and correct) faulty component

But: what is a component You tell me! Expressions, gates are typical choices Ideas presented here work for any

component model


Outline

1. Localization Finds suspect components Works with a set of traces BMC-like

2. Correction Localizes fault and finds repair that is

good for all inputs About as fast as BDD-based model

checking (with some heuristics)


Localization: Setting

Identify components responsible for a failure

Input Faulty design Finite failure traces LTL specification (liveness aspects are ignored)

Output Set of suspect components Suspicion is for the given traces


Localization: Idea

Given a failure trace

Approach1. Unroll the circuit; introduce “abnormal

predicates,” fixing inputs to failure trace

2. Unroll the LTL property using expansion rules

3. Combine circuits & property

4. Call a SAT-Solver and find valid assignment for the variables (notably the abnormal predicates)

Mix of BMC [Biere] and Model-Based Diagnosis [Reiter 87, De Kleer and Williams 87]


Localization: Example

Property G(req (ack X ack) (ack X ack))

fails for two consecutive requests (failure trace: req = 1; req = 1)(We get no acks; G2 should be G1 D1)

initial stateD0=0, D1=0


1: Unroll, Introduce Predicates

Components: G1: not ABG1 -> (outG1t0 = in1G1t0 + in2G1t0), not ABG1 -> (outG1t1 = in1G1t1 + in2G1t1)G2: not ABG2 -> (outG2t0 = in1G2t0 * in2G2t0), not ABG2 -> (outG2t1 = in1G2t1 * in2G2t1)

in1G1t0 = 1 (failure trace t0: req = 1), etc.


Step 2: Unroll Property

G((req (ack X ack)) (ack X ack))

Note: Free inputs on the right can be set to 1 (or left free): represent liveness part


Step 3: Combine

property violated

unrolling of circuit

representation of property


Step 4: SAT-SolverRemove constraints

Property satisfied


The Formula

With a SAT solver: Single fault:

SAT(cex(k) circuit(k) property(k) oneAbnormal valid=1)

Two faults: SAT(cex(k) circuit(k) property(k) twoAbnormal

valid=1)

0/1 ILP (PBS): Minimize |abnormal| subject to cex(k) SAT(circuit(k) property(k) valid=1

Correction


Correction

Localize faulty component and find correction Given

Faulty (finite state) system LTL specification (No trace)

Goal Localize fault and find repair for all inputs:

replace component c by function f(s,i), where s is state, i input.

Exact results for invariants Heuristic for other LTL properties (exact solution

very expensive)


Correction: Idea

Infinite two-person games (= controller synthesis = AI planning)

Approach1. Extend the faulty system to a game

2. Find a strategy

3. Extract a correction (like symbolic model checking)


Correction: Example

Property

G(req (ack X ack) (ack X ack))

D0=0D1=0

D0=1D1=0

req=0ack=0

req=1ack=0

req=1ack=0

req=0ack=0


1: Build Game

Environment decides input values

System decides Faulty component at the begin of the play New value at each time step

initial stateD0=0, D1=0

Environment

System


1: Build Game

D0=0D1=0

diag=G2ack=0

D0=1D1=0

diag=G2ack=0

Suspect G2

req=0choice=0

req=1choice=0

req=0choice=0

req=1choice=0

D0=0D1=1

diag=G2ack=1

req= -choice=1

req=0choice=0

req= -choice=1

D0=0D1=0

diag=G3ack=0

D0=1D1=0

diag=G3ack=0

Suspect G3

req= -choice=0

req= -choice=1

req= -choice=0

req= -choice=1

D0=0D1=0

diag=G1ack=0

D0=1D1=0

diag=G1ack=0

Suspect G1

req=0choice= -

req=1choice= -

req=0choice= -

req=1choice= -

Init

choice=G1 choice=G2 choice=G3

req= -choice=1

req=1choice=0

Environment

System

choice


1: Build Game

D0=0D1=0

diag=G2ack=0

D0=1D1=0

diag=G2ack=0

Suspect G2

req=0choice=0

req=1choice=0

req=0choice=0

req=1choice=0

D0=0D1=1

diag=G2ack=1

req= -choice=1

req=0choice=0

req= -choice=1

D0=0D1=0

diag=G3ack=0

D0=1D1=0

diag=G3ack=0

Suspect G3

req= -choice=0

req= -choice=1

req= -choice=0

req= -choice=1

D0=0D1=0

diag=G1ack=0

D0=1D1=0

diag=G1ack=0

Suspect G1

req=0choice= -

req=1choice= -

req=0choice= -

req=1choice= -

Init


req= -choice=1

req=1choice=0


2: Find Strategy

D0=0D1=0

diag=G2ack=0

D0=1D1=0

diag=G2ack=0

Suspect G2

req=0choice=0

req=1choice=0

req=0choice=0

req=1choice=0

D0=0D1=1

diag=G2ack=1

req= -choice=1

req=0choice=0

req= -choice=1

D0=0D1=0

diag=G3ack=0

D0=1D1=0

diag=G3ack=0

Suspect G3

req= -choice=0

req= -choice=1

req= -choice=0

req= -choice=1

D0=0D1=0

diag=G1ack=0

D0=1D1=0

diag=G1ack=0

Suspect G1

req=0choice= -

req=1choice= -

req=0choice= -

req=1choice= -

Init


req= -choice=1

req=1choice=0


Step 4: Extract a Correction

Table for G2

Simplest implementation:

G2 = ¬D1

Note: our spec is incomplete!

D1

ack

State Input System

D0 D1 req choice

0 0 0 -

0 0 1 1

0 1 0 0

0 1 1 0

1 0 - 1

1 1 - -

0

0


Computing the strategy

Like BDD-based model checking, a little more expensive Replace EX by

MX(A) = { s’ | i c s in A: s (s,i,c,s’) } For invariants, compute MG A = Y. A MX(Y)

For LTL, we use heuristics1. Avoid doubly exponential blowup for deterministic automaton

build a NBW automaton heuristic: trade completeness for efficiency

2. Prevent adding new state bits Find a memoryless strategy Is NP complete heuristic: trade completeness for efficiency

Compute strategy by Emerson-Lei algorithm with MX instead of EX


Correction: Experience

about 10 handpicked examples

correction works well one specification needed updating one repair was simpler than the original

Implementation needs work


Conclusion

Localization Find gates that may be incorrect Based on BMC (with one extra variable

per component)

Correction Find faulty component & correction A bit harder than BDD-based model

checking

One more slide…


Workshop: Verification & Debugging

Proposed workshop

Associated with CAV’06

Topic: getting rid of the bugs you found

(I’m done. Thanks!)

finding and fixing faults

Documents