Fault localization using a model checker



If a program does not fulfill its specification, a model checker can deliver a counterexample. However, although such a counterexample shows how the specification can be violated, it typically comprises large parts of the program and gives little information about which of the visited statements is responsible for the error. In this article, we show that model checkers can also be used to perform model-based diagnosis and thus fault localization. The approach leads to significantly more precise diagnoses than the state-of-the-art and typically rules out 90–99% of the code as possible fault locations. The approach is general and can be applied to any system that is amenable to model checking (with respect to language and complexity). To demonstrate the applicability and high precision of our approach, we present implementations for C programs using two different model checking tools and show experimental results from the TCAS case study and an integration with the DDVerify framework to debug Linux device drivers. Copyright © 2009 John Wiley & Sons, Ltd.