Model checking typically compares a system description with a formal specification, and returns either a counterexample or an affirmation of compatibility between the two descriptions. Counterexamples provide evidence to the existence of an error, but it can still be very difficult to understand what is the cause for that error. We propose a model checking methodology which uses two levels of specification. Under this methodology, we group executions as good and bad with respect to satisfying a base LTL specification. We use an analysis specification, in CTL~* style, quantifying over the good and bad executions. This specification allows checking not only whether the base specification holds or fails to hold in a system, but also how it does so. We propose a model checking algorithm in the style of the standard CTL~* decision procedure. This framework can be used for comparing between good and bad executions in a system and outside it, providing assistance in locating the design or programming errors.
展开▼