In model checking, when a given model fails to satisfy the desired specification, a typical model checker provides a counterexample that illustrates how the violation occurs. In general, there exist many diverse counterexamples that exhibit distinct violating behaviors, which the user may wish to examine before deciding how to repair the model. Unfortunately, obtaining this information is challenging in existing model checkers since (1) the number of counterexamples may be too large to enumerate one by one, and (2) many of these counterexamples are redundant, in that they describe the same type of violating behavior. In this paper, we propose a technique called counterexample classification. The goal of classification is to partition the space of all counterexamples into a finite set of counterexample classes, each of which describes a distinct type of violating behavior for the given specification. These classes are then presented as a summary of possible violating behaviors in the system, freeing the user from manually having to inspect or analyze numerous counterexamples to extract the same information. We have implemented a prototype of our technique on top of an existing formal modeling and verification tool, the Alloy Analyzer, and evaluated the effectiveness of the technique on case studies involving the well-known Needham-Schroeder protocol with promising results.

中文翻译：

---

反例分类

在模型检查中，当给定的模型不能满足所需的规范时，典型的模型检查器会提供一个反例来说明违规是如何发生的。一般来说，存在许多不同的反例，它们表现出不同的违规行为，用户可能希望在决定如何修复模型之前检查这些反例。不幸的是，在现有的模型检查器中获取此信息具有挑战性，因为 (1) 反例的数量可能太大而无法一一列举，以及 (2) 这些反例中的许多都是多余的，因为它们描述了相同类型的违规行为. 在本文中，我们提出了一种称为反例分类的技术。分类的目标是将所有反例的空间划分为一组有限的反例类，每个都描述了给定规范的不同类型的违规行为。然后将这些类作为系统中可能的违规行为的摘要呈现，使用户无需手动检查或分析大量反例来提取相同的信息。我们在现有的正式建模和验证工具 Alloy Analyzer 之上实现了我们技术的原型，并评估了该技术在涉及著名的 Needham-Schroeder 协议的案例研究中的有效性，并取得了有希望的结果。