Assume-Guarantee

Learning Assumptions for
Compositional Verification
J. M. Cobleigh, D. Giannakopoulou and
C. S. Pasareanu
Presented by: Sharon Shoham
1
Main Limitation of Model Checking:
The state explosion problem
• The number of states in the system model
grows exponentially with
 the number of variables
 the number of components in the system
• One solution to state explosion problem:
Abstraction
• Another: Compositional Verification
2
Compositional Verification
• Inputs:
– composite system M1║M2
– property P
• Goal: check if M1║M2 ² P
• First attempt: “divide and conquer” approach
• Problem: usually impossible to verify each
component separately.
– a component is typically designed to satisfy its
requirements in specific environments (contexts)
3
Compositional Verification
 Assume-Guarantee (AG) paradigm:
introduces assumptions representing a
component’s environment
Instead of: Does component satisfy property?
Ask: Under assumption A on its environment, does
the component guarantee the property?
<A> M : whenever M is part of a system
satisfying the assumption A, then the system
must also guarantee P
4
Useful AG Rule for Safety Properties
1. check if a component M1 guarantees P when it
is a part of a system satisfying assumption A.
2. discharge assumption: show that the remaining
component M2 (the environment) satisfies A.
<A> M1 
<true> M2 <A>
A
M1
║
M2
²P
<true> M1║M2 
5
Assume-Guarantee
<A> M1 
<true> M2 <A>
<true> M1║M2 
• Crucial element: assumption A.
• Has to be strong enough to eliminate
violations of P, but also general enough to
reflect the environment M2 appropriately.
• requires non-trivial human input in defining
assumptions.
How to automatically construct assumptions ?
6
Outline
•
•
•
•
•
•
Motivation
Setting
Automatic Generation of Assumptions for
the AG Rule
Learning algorithm
Assume-Guarantee with Learning
Example
7
Labeled Transition Systems (LTS)
• Act – set of observable actions
– LTSs communicate using observable actions
• τ – local \ internal action
LTS M = (Q, q0, αM,
)
• Q : finite non-empty set of states
• q0 ∈ Q : initial state
Alphabet
• αM µ Act : observable actions
µ Q x (αM [ {τ }) x Q : transition
relation
8
Labeled Transition Systems (LTS)
in
0
send
1
2
Traces:
<in>, <in, send>,…
ack
• Trace of an LTS M : finite sequence of
observable actions that M can perform
starting at the initial state.
• L(M) = the Language of M : the set of all
traces of M.
9
Parallel Composition M1║M2
• Components synchronize on common observable
actions (communication).
• The remaining actions are interleaved.
M1 = (Q1,q01,αM1, 1), M2 = (Q2,q02,αM2,
 M1║M2 = (Q,q0,αM, )
2)
• Q = Q1 x Q2
• q0 = (q01, q02)
• αM = αM1 [ αM2
10
Transition Relation
Synchronization on a ∈ αM1 Å αM2 :
(q1,a,q1’) ∈ 1 and (q2,a,q2’) ∈ 2 :
 ((q1,q2), a, (q1’,q2’)) ∈
Interleaving on a ∈ (αM \ (αM1 Å αM2)) [ {τ} :
• (q1, a, q1’) ∈ 1 and a ∉ αM2 :
((q1,q2), a, (q1’,q2)) ∈
for any q2 ∈ Q2
• (q2, a, q2’) ∈ 2 and a ∉ αM1 :
((q1,q2), a, (q1,q2’)) ∈
for any q1 ∈ Q1
11
Example
Input
Output
in
0
send
1
ack
send
2
║
a
out
b
c
ack
12
Input
Output
in
0
send
1
send
║
2
a
out
b
ack
c
ack
Input ║ Output
0,
ack
0,
a
b
0,
c
in
1,
1,
a
b
1,
c
send
2,
a
out
2,
2,b
b
2,
c
13
Input
Output
in
0
send
1
send
║
2
a
out
b
ack
c
ack
Input ║ Output
0,
1,
0,
a
in
ack
out
b
in
1,
a
0,
c
in
out
b
1,
c
send
2,
a
2,
out
b
2,
c
14
Safety Properties
Also expressed as LTSs, but of a special kind:
Safety LTS :
• Deterministic:
– Does not contain τ -transitions, and
– every state has at most one outgoing
transition for each action:
(q,a,q’), (q,a,q’’) ∈
 q’ = q’’
15
Safety Properties
For a safety LTS, P:
• L(P) describes the set of legal (acceptable)
behaviors over αP.
Language Containment
L(M) αP µ L(P)
M ² P iff ∀σ ∈ L(M) : (σαP) ∈ L(P)
• For Σ µ Act, σΣ is the trace obtained from σ
by removing all occurrences of actions a ∉ Σ.
Example: <in, send, ack>{in, ack} = <in, ack>
16
Example
Input ║ Output
0,
a
in
1,
Order
ack
0,
out
b
in
1,
a
P
0,
in
c
in
out
b
1,
?
|=
c
out
send
2,
a
2,
out
b
2,
c
Pref(<in,send,out,ack>*)
{in,out}
?


Pref(<in,out>*)
17
Model Checking M ² P
Safety LTS P  an Error LTS, Perr :
• “traps” violations with special error state .
P = (Q, q0, αP, )
 Perr = (Q [ {}, q0, αP, ’), where:
’=
[ {(q,a,) | a ∈ αP and ∄q’ ∈ Q:
(q,a,q’)
∈
}
• Error LTS is complete.
18
•  is a deadend state: has no outgoing transitions.
Example
Ordererr
in
out
out
in
19
Model Checking M ² P
In automata:
M ²  iff
L(AM Å A)
=;
Theorem:
• M ² P iff  is unreachable in M ║ Perr
Remark: composition M ║ Perr is defined as
before with a small exception:
If the target state of a transition in Perr is , so
is the target state of the corresponding
transitions in the composed system M ║ Perr
20
Transition Relation
1:
M, 2:
Perr
δ: M║Perr
Synchronization on a ∈ αM1 Å αM2 :
π
(q1,a,q1’) ∈ 1 and (q2,a,q2’) ∈ 2 :
π
 ((q1,q2), a, (q1’,q2’)) ∈
Interleaving on a ∈ (αM \ (αM1 Å αM2)) [ {τ} :
• (q1, a, q1’) ∈ 1 and a ∉ αM2 :
((q1,q2), a, (q1’,q2)) ∈
for any q2 ∈ Q2
• (q2, a, π
q2’) ∈ 2 and a ∉ αM1 :
π
((q1,q2), a, (q1,q2’)) ∈
for any q1 ∈ Q1
21
Example
Input ║ Output
0,
in
1,
ack
0,
a
Ordererr
in
out
b
in
1,
a
0,
c
in
out
b
1,
a
2,
out
b
2,
out
c
send
2,
║
out
in
c
22
Example
Input ║ Output
0,
Ordererr
ack
in
║
a
in
1,
out
a
send
2,
out
b
2,
out
in
c
23
Input ║ Output
Ordererr
in
ack
0,
a
1,
in
a send
2,
b out
2,
c
ii
i
║
out
out
 unreachable
ack
0,a,i
1,a,i
send
in
2,b,i
2,c,i
in
ack
0,a,i
i
1,a,i
i
send
out
out
2,b,i
2,b,ii
i
2,c,i
i
in
24
Input ║ Output
Ordererr
in
ack
0,
a
1,
in
a send
2,
b out
2,
c
i
║
out
in
out
1,a,i
in
0,a,i
i
in
1,a,i
i
in
send
2,b,i
ack
send
in
counterexample
!
ack
0,a,i
ii
2,c,i
out
out
2,b,i
i
2,c,i
i
in
25
Assume Guarantee Reasoning
• Assumptions: also expressed as safety LTSs.
• <A> M is true iff A ║ M ² P
i.e.  is unreachable in A ║ M ║ Perr
<A> M1 
<true> M2 <A>
A ║ M1 ² P
M2 ² A
<true> M1║M2 
M1║M2 ² P
M1, M2 : LTSs
P, A : safety LTSs
26
Outline
•
•
•
•
•
•
Motivation
Setting
Automatic Generation of Assumptions for
the AG Rule
Learning algorithm
Assume-Guarantee with Learning
Example
27
Observation 1
A ║ M1 ² P
M2 ² A
M1║M2 ² P
• AG Rule will return conclusive results with:
Weakest assumption Aw under which M1 satisfies P:
• Under assumption Aw on M1‘s environment, M1
satisfies P , i.e. Aw ║ M1 ² P
• Weakest: forall env. M’2: M1║M’2 ² P IFF M’2 ²Aw
 Given Aw, to check if M1║M2 ² P, check if M2
meets the assumption Aw.
sufficient and necessary assumption on M1’s env.
28
How to Obtain Aw ?
M1║M’2 ² P
IFF M’2 ² Aw
• Given module M1, property P and M1‘s interface
with its environment Σ = (αM1 [ αP) Å αM2 :
Aw describes exactly all traces  over Σ such
that in the context of , M1 satisfies P
– Expressible as a safety LTS
– Can be computed algorithmically
Drawback of using Aw : if the computation runs
out of memory, no assumption is obtained.
29
Observation 2
A ║ M1 ² P
M2 ² A
M1║M2 ² P
• No need to use the weakest env. assumption Aw.
• AG rule might be applicable with stronger (less
general) assumption.
 Instead of finding Aw:
• Use learning algorithm to learn Aw .
• Use candidates Ai produced by learning
algorithm as candidate assumptions:
try to apply AG rule with Ai.
30
Given a Candidate
Assumption Ai
A ║ M1 ² P
M2 ² A
M1║M2 ² P
If Ai ║ M1 ² P does not hold:
Assumption Ai is not tight enough
 need to strengthen Ai
31
Given a Candidate
Assumption Ai
A ║ M1 ² P
M2 ² A
M1║M2 ² P
Suppose Ai║ M1 ² P holds:
If M2 ² Ai also holds  M1║M2 ² P verified!.
Otherwise: σ ∈ L(M2) but (σαΣ) ∉ L(Ai) -- cex
P violated by M1 in the context of cex=(σαΣ) ?
Yes: real violation !
 M1║M2 ² P falsified !
“cex║M1” |≠ P ?
No: spurious violation.
 need to find better approximation of Aw.
32
“cex ∊ L(Aw)” ?
“cex║M1” ² P ?
Compose M1 with LTS Acex over αΣ
cex=a1,…ak  Acex :
q
q
0
Q={q0,…,qk} , q0 = q0
={ (qi,ai+1,qi+1) | 0  i < k }
a1
Model check Acex║M1 ² P
Is  reachable in Acex║M1║Perr ?
1
a2
yes
no
…
q
k
ak
Real violation
Spurious cex
Alternatively: simulate cex on M1║ Perr
cex║M1² P iff when cex is simulated on M1║Perr
it cannot lead to  (error) state.
33
Assume-Guarantee Framework
counterexample – strengthen assumption
Model Checking
Learning
Ai
1. Ai║ M1 |= P
true
2. M2 |= Ai
false
For Aw :
conclusive results
guaranteed 
termination!
true
P holds
in M1||M2
false
cex  L(Ai)
N
real
counterexample – weaken assumption error?
Y
cex║M1 | P ?
P violated
in M1||M2
34
Outline
•
•
•
Motivation
Setting
Automatic Generation of Assumptions for
the AG Rule
• Learning algorithm
• Assume-Guarantee with Learning
• Example
35
Learning Algorithm for DFA – L*
• L*: by Angluin, improved by Rivest & Schapire
• learns an unknown regular language U
• produces a Deterministic Finite state
Automaton (DFA) C such that L(C) = U
DFA M = (Q, q0, αM, , F) :
• Q, q0, αM,
: as in deterministic LTS
• F µ Q : accepting states
• L(M) = {σ | (q0, σ) ∈ F}
36
Learning Algorithm for DFA – L*
• L* interacts with a Teacher to answer two
types of questions:
– Membership queries: is string σ in U ?
– Conjectures: for a candidate DFA Ci, is L(Ci) = U ?
• answers are (true) or (false + counterexample)
Conjectures C1, C2, … converge to C
Equivalenc
e
Queries
37
Learning Algorithm for DFA – L*
Myhill-Nerode Thm.
For every regular set U ⊆∑* there exists a
unique minimal deterministic automaton whose
states are isomorphic to the set of
equivalence classes of the following relation:
w ≈ w’ iff
∀u ∈∑* : wu ∈U ⇔ w’u ∈U
Basic idea: learn the equivalence classes
• Two prefixes are not in the same class iff
there is a distinguishing suffix u
38
General Method
• L* maintains a table that records whether
strings in  belong to U
– makes membership queries to update it
• Once all currently distinguishable strings are in
different classes (table is closed), uses table to
build a candidate Ci -- makes a conjecture :
– if Teacher replies true, done!
– if Teacher replies false, uses counterexample to
update the table
39
Learning Algorithm for DFA – L*
Observation Table: (S, E, T)
S 2 – prefixes (represent. of equiv. classes / states)
∈U
∉U
E 2 – suffixes (distinguishing)
T: mapping (S ∪ S·∑) · E  {true, false}
T:
·
s1
S s2
...
s1·a
1·b
S  s…
s2·a
s2·b
…
e1
true
false
...
true
true
…
E
e2 …
false
…
false
…
40
L* Algorithm
·
s1
S s2
...
s1·a
T: (S ∪ S·∑) ·E  {true, false}
1·b
S  s…
∈U
∉U
s2·a
s2·b
…
e1
true
false
...
true
true
…
E
e2 …
false
…
false
…
(S,E,T) is closed if
∀s∈S ∀a∈∑ ∃s’∈S ∀e∈E: T(sae)=T(s’e)
represents the next state
from s after seeing a
sa is undistinguishable from
s’ by any of the suffixes
i.e. Every row sa of S has a matching row s’ inS
41
Learning Algorithm for DFA – L*
Initially: S={λ}, E= {λ}
sa has no
Loop {
matching
update T using membership queries
row
while (S,E,T) is not closed {
s’ inS
add sa to S where sa has no repr. prefix s’
update T using membership queries
}
from a closed (S,E,T) construct a candidate DFA - C
present an equivalence query: L(C) = U ?
}
42
Learning Algorithm for DFA – L*
Initially: S={λ}, E= {λ}
Candidate
DFA from a closed (S,E,T):
Loop
{
update
TS
using membership queries
States:
while
(S,E,T)
Initial
state:isλnot closed {
add sa to
S where sa has no repr. prefix s’
Accepting
states:
update
T using
queries
s ∈S such
thatmembership
T(s) [= T(s¢λ)]
= true
} Transition relation:
from δ(s,a)
a closed
(S,E,T)
a candidate DFA - C
= s’
whereconstruct
∀e∈E: T(sae)=T(s’e)
present an equivalence query: L(C) = U ?
[ closed: ∀s∈S ∀a∈∑ ∃s’∈S ∀e∈E: T(sae)=T(s’e) ]
}
43
Learning Algorithm for DFA – L*
Initially: S={λ}, E= {λ}
Loop {
update T using membership queries
while (S,E,T) is not closed {
add sa to S where sa has no repr. prefix s’
update T using membership queries
}
from a closed (S,E,T) construct a candidate DFA - C
present an equivalence query: L(C) = U ?
if C is correct return C
else add e∈∑* that witnesses the cex to E
44
}
Choosing e
• e must be such that adding it to E will
eliminate the current cex in the next
conjecture.
• e is a suffix of cex that witnesses a
difference between L(Ci) and U
• Adding e to E will cause an addition of a
prefix (state) to S  splitting states
45
Characteristics of L*
• Terminates with minimal automaton C for U
• Each candidate Ci is smallest
– any DFA consistent with table has at least as
many states as Ci
– |C1| < | C2| < … < |C|
• Produces at most n candidates, where n = |C|
• # membership queries: O(kn2 + n logm)
– m: size of largest counterexample
– k: size of ∑
46
Outline
•
•
•
Motivation
Setting
Automatic Generation of Assumptions for
the AG Rule
 • Learning algorithm
• Assume-Guarantee with Learning
• Example
47
Assume-Guarantee with Learning
Reminder:
• Use learning algorithm to learn Aw .
• Use candidates produced by learning as
candidate assumptions Ai for AG rule.
In order to use L* to produce assumptions Ai:
• Show that L(Aw) is regular
• Translate DFA to safety LTS (assumption)
• Implement the teacher
48
L(Aw) is Regular
• Aw is expressible as a safety LTS
• Translation of safety LTS A into DFA C:
A = (Q, q0, αM, ) 
C = (Q, q0, αM, , Q)
 There exists a DFA C s.t. L(C) = L(Aw)
 L* can be used to learn a DFA that accepts
L(Aw)
49
DFA to Safety LTS
Weakest
assumption is
prefix-closed
• DFAs Ci returned by L* are complete, minimal
and in this setting also prefix-closed:
– if  2 L(Ci), then every prefix of  is also in L(Ci).
 Ci contains a single non-accepting state qnf and
no accepting state is reachable from qnf.
 To get a safety LTS simply remove nonaccepting state and all its ingoing transitions :
Ci = (Q [ {qnf}, q0, αM, , Q) 
Ai = (Q, q0, αM,  Å (Q £ αM £ Q) )
50
Implementing the Teacher
Aw is unknown…
• Membership query:  ∈ L(Aw)?
 L(Aw) iff
in context of ,
M1 satisfies P
 Check if “ ║M1” ⊨ P :
– Model checking: is  reachable in A║M1║Perr ?
or – Simulation: is  (error) state reachable when
simulating  on M1║ Perr ?
• Equivalence query: L(Ci) = L(Aw) ?
– Translate Ci into a safety LTS Ai
– Use it as candidate assumption for AG rule
51
L(Ai) = L(Aw) ?
counterexample – strengthen assumption
Learning
Ai
Aw contains all traces
that can be
composed with M1
without violating P.
Model Checking
1. Ai║ M1 |= P
true
2. M2 |= Ai
false
true
P holds
in M1||M2
false
cex  L(Ai)
N
real
counterexample – weaken assumption error?
Y
cex║M1 | P ?
P violated
in M1||M2
52
L(Ai) = L(Aw) ?
counterexample – strengthen assumption
Aw contains all traces
that can be
composed with M1
without violating P.
L(Ai) ⊆
L(Aw)?
Model Checking
Learning
Ai
1. Ai║ M1 |= P
true
2. M2 |= Ai
false
cex  L(Ai)
cex  L(Aw)
true
P holds
in M1||M2
false
cex  L(Ai)
N
real
counterexample – weaken assumption error?
Y
cex║M1 | P ?
P violated
in M1||M2
53
L(Ai) = L(Aw) ?
counterexample – strengthen assumption
Aw contains all traces
that can be
composed with M1
without violating P.
L(Ai) ⊆ L(Aw)
Model Checking
Learning
Ai
1. Ai║ M1 |= P
true
2. M2 |= Ai
false
true
P holds
in M1||M2
false
cex  L(Ai)
N
real
counterexample – weaken assumption error?
Y
cex║M1 | P ?
P violated
in M1||M2
54
L(Ai) = L(Aw) ?
counterexample – strengthen assumption
Aw contains all traces
that can be
composed with M1
without violating P.
L(Ai) ⊆ L(Aw)
Model Checking
Learning
Ai
1. Ai║ M1 |= P
true
2. M2 |= Ai
false
true
P holds
in M1||M2
false
cex  L(Ai)
N
real
counterexample – weaken assumption error?
Y
cex║M1 | P ?
P violated
in M1||M2
55
L(Ai) = L(Aw) ?
counterexample – strengthen assumption
Aw contains all traces
that can be
composed with M1
without violating P.
L(Ai) ⊆ L(Aw)
Model Checking
Learning
Ai
1. Ai║ M1 |= P
true
2. M2 |= Ai
false
true
L(AiP) holds
⊇ L(Aw)?
in M1||M2
false
cex  L(Ai)
N
real
counterexample – weaken assumption error?
Y
cex║M1 | P ?
P violated
in M1||M2
56
L(Ai) = L(Aw) ?
counterexample – strengthen assumption
L(Ai) ⊆ L(Aw)
Model Checking
Learning
Ai
1. Ai║ M1 |= P
true
2. M2 |= Ai
Aw contains all traces
that can be
composed with M1
without violating P.
false
true
L(AiP) holds
⊇ L(Aw)?
false
cex  L(Ai)
N
Y
real
cex  L(Ai)
counterexample – weaken assumption error?
cex  L(Aw)
cex║M1 | P ?
in M1||M2
P violated
in M1||M2
57
Equivalence Query - Summary
cex
2 applications of
model checking
+ 1 model checking
or simulation
Model Checking
1. Ai║ M1 |= P
true
false
true
2. M2 |= Ai
!
false
cex
N
real
error?
58
Y
!
Equivalence Query - Summary
cex
If L(Ai) = L(Aw):
AG rule returns
conclusive results 
No need to continue with L*
If L(Ai) ≠ L(Aw):
Can terminate and abort L*.
Otherwise, cex is returned in
1 if L(Ai) ⊈ L(Aw), or
2 if L(Ai) ⊊ L(Aw)
Model Checking
1. Ai║ M1 |= P
true
false
true
2. M2 |= Ai
!
false
cex
N
real
error?
59
Y
!
Assume-Guarantee Framework
counterexample – strengthen assumption
Model Checking
Learning
Ai
1. Ai║ M1 |= P
true
2. M2 |= Ai
false
true
P holds
in M1||M2
false
cex  L(Ai)
N
real
counterexample – weaken assumption error?
Y
cex║M1 | P ?
P violated
in M1||M2
60
Characteristics of Framework
• AG uses conjectures produced by L* as
candidate assumptions Ai
• L* uses AG as teacher
• L* terminates
 Framework guaranteed to terminate:
– At latest terminates when Aw is produced.
– Possibly terminates before Aw is produced!
61
Characteristics of Framework
• L* makes at most n = |Aw| equivalence queries
• # membership queries: O(kn2 + n logm)
– m: size of largest counterexample
– k: size of ∑
or simulation
• membership query  Model checking X 1
• equivalence query  Model checking X 3
 O(kn2 + n logm) simulations
+ O(n) model checking applications.
Each MC involves either M1 or M2 - not both!
62
Outline
•
•
•
Motivation
Setting
Automatic Generation of Assumptions for
the AG Rule
 • Learning algorithm
 • Assume-Guarantee with Learning
• Example
63
Example
Ordererr
Input
Output
in
send
in
send
out
out
out
in
ack
ack
Check: Input║Output ² Order ?
M1
M2
P
 (assumption’s alphabet) : {send, out, ack}
Σ = (αM1 [ αP) Å αM2
64
Membership Queries
Input
Ordererr
Output
in
send
in
send
out
out
in
ack
ack
S = set of prefixes
E = set of suffixes
S
S 
Table T

ack
out
send
out

?
E
 L(Aw)?
Simulate  on Input║Ordererr
Σ = {send, out, ack}
65
Simulate  on Input║Ordererr
Σ = {send, out, ack}
Ordererr
Input
in
Output
in
send
send
out
out
out
in
ack
ack
Input ║ Ordererr
out
0,
in
1,
a
out
0,
ack
in
b
a
out
1,
b
send 2,
out
send 2,
a
 unreachable
  L(Aw)
b
ack
66
Membership Queries
Input
Ordererr
in
Output
in
send
send
out
out
in
ack
S = set of prefixes
E = set of suffixes
S
S 
out
ack
E
Table T 
true

?
ack
out
send
yes!
 L(Aw)?
Simulate  on Input║Ordererr
Σ = {send, out, ack}
67
Membership Queries
Input
Ordererr
in
Output
in
send
send
out
out
in
ack
S = set of prefixes
E = set of suffixes
S
S 
out
ack
E
Table T 
true

?
true
ack
?
out
send
yes!
<ack> L(Aw)?
Simulate <ack> on Input║Ordererr
Σ = {send, out, ack}
68
Membership Queries
Input
Ordererr
in
Output
in
send
send
out
out
in
ack
S = set of prefixes
E = set of suffixes
S
S 
out
ack
E
Table T 
true

?
true
ack
out
?
send
<out> L(Aw)?
Simulate <out> on Input║Ordererr
Σ = {send, out, ack}
69
Simulate <out> on Input║Ordererr
Σ = {send, out, ack}
Ordererr
Input
Output
in
send
in
send
out
out
out
in
ack
ack
Input ║ Ordererr
out
0,
in
1,
a
out
0,
ack
in
b
a
out
1,
b
send 2,
out
send 2,
a
 reachable
 <out>∉ L(Aw)
b
ack
70
Membership Queries
Input
Ordererr
Output
in
send
in
send
out
out
in
ack
S = set of prefixes
E = set of suffixes
S
S 
out
ack
E
Table T 
true

?
ack
true
false
out
?
send
no!
<out> L(Aw)?
Simulate <out> on Input║Ordererr
Σ = {send, out, ack}
71
Membership Queries
Input
Ordererr
send
in
send
out
ack
S = set of prefixes
E = set of suffixes
S
S 
Output
in
out
out
in
ack
E
Table T 
true

?
ack
true
out
false
send
true
Σ = {send, out, ack}
72
Candidate Construction
Input
Ordererr
send
in
send
out
ack
S = set of prefixes
E = set of suffixes
S
S 
Output
in
Table T

out
ack
out
send
out, ack
out, out
out, send
out
out
in
ack
E

true
false
true
false
true
Σ = {send, out, ack}
73
Candidate Construction
Input
Ordererr
send
in
send
out
ack
S = set of prefixes
E = set of suffixes
S
S 
Output
in
Table T

out
ack
out
send
out, ack
out, out
out, send
out
out
in
ack
E

true
false
true
false
true
false
false
false
Σ = {send, out, ack}
74
Candidate Construction
Input
Ordererr
Output
in
send
in
send
out
out
in
ack
S = set of prefixes
E = set of suffixes
S
S 
Table T

out
ack
out
send
out, ack
out, out
out, send
out
ack
E

true
false
true
false
true
false
false
false
Table closed !
2 states – non accepting state
not added to assumption
Assumption A1
ack
send
Σ = {send, out, ack}
75
Conjectures
Input
Ordererr
Output
in
send
in
out
out
in
ack
A 1:
ack
send
out
send
ack
Step 1:
A1║Input ²
Order
A1║Input ≡ Input
Input
A1 ║Input
║ Order
║Order
err
err
out
0,
Σ = {send, out, ack}
0,
in
1,
a
out
in
b
ack
a
out
1,
b
ack
send 2,
out
send 2,
a
b
76
Conjectures
Input
Ordererr
Output
in
send
in
out
out
in
ack
A 1:
ack
send
out
send
ack
Step 1:
A1║Input |=
Order
Counterexample:
c = in,send,ack,in
A1 ║Input ║Ordererr
out
0,
out
Σ = {send, out, ack}
0,
in
in
b
 L(A1)\L(Aw)
ack
1,
a
Return to L*:
c = send,ack
a
out
1,
b
ack
send 2,
out
send 2,
a
b
77
Membership Queries
Input
Ordererr
send
in
send
out
ack
S = set of prefixes
E = set of suffixes
S
S 
Output
in
Table T

out
ack
out
send
out, ack
out, out
out, send
out
out
in
ack
E '

true
false
true
false
true
false
false
false
ack
Return to L*:
c = send,ack
 L(A1)\L(Aw)
Σ = {send, out, ack}
78
Membership Queries
Input
Ordererr
send
in
send
out
ack
S = set of prefixes
E = set of suffixes
S
S 
Output
in
Table T

out
ack
out
send
out, ack
out, out
out, send
out
out
in
ack
E '

true
false
true
false
true
false
false
false
ack
true
false
true
false
false
false
false
false
Σ = {send, out, ack}
79
Input
Ordererr
Output
in
send
in
send
out
out
in
ack
S
S 
Table T

out
send
ack
out
send
out, ack
out, out
out,send
send,ack
send,out
send,send
out
ack

true
false
true
true
false
true
false
false
false
false
true
true
ack
true
false
false
true
false
false
false
false
false
false
true
true
E '
Σ = {send, out, ack}
80
Input
Ordererr
Output
in
send
in
send
out
out
in
ack
S
S 
Table T

out
send
ack
out
send
out, ack
out, out
out,send
send,ack
send,out
send,send
out
ack

true
false
true
true
false
true
false
false
false
false
true
true
ack
true
false
false
true
false
false
false
false
false
false
true
true
E '
Table closed !
3 states – non accepting state
not added to assumption
Assumption A2
send
ack
out, send
Σ = {send, out, ack}
81
Conjectures
Input
Ordererr
Output
in
send
in
out
out
in
ack
A 1:
ack
send
Queries
ack
Step 1:
A1║Input ²
Order
A 2:
ack
out
send
send
out, send
c ∉ L(A2)
Σ = {send, out, ack}
Counterexample:
c = in,send,ack,in
Step 1:
A2║Input ² Order
True
Return to L*:
c = send,ack
 L(A1)\L(Aw)
Step 2:
Output ² A2
True
property Order holds
on Input║Output
82
Another Example
Input
Ordererr
Output
in
send
in
out
in
ack
A 2:
ack
send
out
send
out
Step 2:
Output’ ² A2
send
ack
real error?
Counterexample:
c=send,send,out
Simulate c =
send,send,out
on Input║Ordererr
out, send
Σ = {send, out, ack}
83
Another Example
Input
Ordererr
Output
in
send
in
out
in
ack
 unreachable
not a real error!
ack
real error?
Simulate c =
send,send,out
on Input║Ordererr
Counterexample:
c=send,send,out
Input ║ Ordererr
out
0,
0,
in
ack
1,
a
out
Σ = {send, out, ack}
out
send
out
Step 2:
Output’ ² A2
send
in
b
a
out
1,
b
ack
send 2,
out
send 2,
2,
a
bb
84
Another Example
Input
Ordererr
Output
in
send
in
send
out
out
in
ack
Step 2:
Output’ |=A2
 unreachable
not a real error!
Return c to L*
 L(Aw)\L(A2)
Σ = {send, out, ack}
out
send
ack
real error?
Counterexample:
c=send,send,out
A 4:
Simulate c =
send,send,out
on Input║Ordererr
ack
send
ack
out
send
send
ack,out,send
property
Order holds
on Input║Output’
Aw
85
Conclusion
• Generate assumptions for assume-guarantee
reasoning in an incremental and fully automatic
fashion, using learning.
• Each iteration of assume-guarantee may
conclude that the required property is
satisfied or violated in the system.
• Assumption generation converges to an
assumption that is necessary and sufficient
for the property to hold in the specific
system.
86
The End
87

Download Report

Assume-Guarantee

Paperzz.com

Your Paperzz