What Causes a System to Satisfy a Specification?
Hana Chockler, Joseph Y. Halpern, and Orna Kupferman

TL;DR
This paper explores the relationship between causality and coverage in system verification, introducing a responsibility metric to quantify component relevance to specification satisfaction.
Contribution
It relates Halpern and Pearl's causality framework to coverage, proposing a responsibility measure for system components.
Findings
Responsibility provides a quantitative relevance measure.
Causality insights improve coverage analysis.
Extensions to coverage metrics are proposed.
Abstract
Even when a system is proven to be correct with respect to a specification, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the system. Coverage metrics attempt to check which parts of a system are actually relevant for the verification process to succeed. Recent work on coverage in model checking suggests several coverage metrics and algorithms for finding parts of the system that are not covered by the specification. The work has already proven to be effective in practice, detecting design errors that escape early verification efforts in industrial settings. In this paper, we relate a formal definition of causality given by Halpern and Pearl [2001] to coverage. We show that it gives significant insight into unresolved issues regarding the definition of coverage and leads to potentially useful extensions of coverage. In…
Taxonomy
Topics: Formal Methods in Verification · Software Reliability and Analysis Research · Software Testing and Debugging Techniques
