Learning Assumptions for Compositional Verification

1

Learning Assumptions for Compositional Verification

J. M. Cobleigh, D. Giannakopoulou and C. S. Pasareanu

Presented by: Sharon Shoham

2

Main Limitation of Model Checking:

The state explosion problem

• The number of states in the system model grows exponentially with the number of variables the number of components in the system

• One solution to state explosion problem: Abstraction

• Another: Compositional Verification

3

Compositional Verification

• Inputs: – composite system M1║M2

– property P

• Goal: check if M1║M2 ² P

• First attempt: “divide and conquer” approach

• Problem: usually impossible to verify each component separately.– a component is typically designed to satisfy its

requirements in specific environments (contexts)

4

Compositional Verification

Assume-Guarantee (AG) paradigm:introduces assumptions representing a component’s environment

Instead of: Does component satisfy property?Ask: Under assumption A on its environment,

does the component guarantee the property?

<A> M : whenever M is part of a system satisfying the assumption A, then the system must also guarantee P

5

Useful AG Rule for Safety Properties

1. check if a component M1 guarantees P when it is a part of a system satisfying assumption A.

2. discharge assumption: show that the remaining component M2 (the environment) satisfies A.

<A> M1 

<true> M2 <A>

<true> M1║M2 

M1 ║ M2 ² P

A

6

Assume-Guarantee

• Crucial element: assumption A. • Has to be strong enough to eliminate

violations of P, but also general enough to reflect the environment M2 appropriately.

• requires non-trivial human input in defining assumptions.

How to automatically construct assumptions ?

<A> M1 

<true> M2 <A>

<true> M1║M2 

7

Outline

• Motivation • Setting• Automatic Generation of Assumptions

for the AG Rule • Learning algorithm • Assume-Guarantee with Learning• Example

8

Labeled Transition Systems (LTS)

• Act – set of observable actions– LTSs communicate using observable actions

• τ – local \ internal action

LTS M = (Q, q0, αM, δ)• Q : finite non-empty set of states • q0 ∈ Q : initial state• αM µ Act : observable actions δµQ x (αM [ {τ }) x Q : transition

relation

Alphabet

9

Labeled Transition Systems (LTS)

in

0 1 2

send

ack

• Trace of an LTS M : finite sequence of observable actions that M can perform starting at the initial state.

• L(M) = the Language of M : the set of all traces of M.

Traces:<in>, <in, send>,

…

10

Parallel Composition M1║M2

• Components synchronize on common observable actions (communication).

• The remaining actions are interleaved.

M1 = (Q1,q01,αM1,δ1), M2 = (Q2,q0

2,αM2,δ2)

M1║M2 = (Q,q0,αM,δ)

• Q = Q1 x Q2

• q0 = (q01, q0

2)

• αM = αM1 [ αM2

11

Transition Relation δ

Synchronization on a ∈ αM1 Å αM2 :

(q1,a,q1’) ∈ δ1 and (q2,a,q2’) ∈ δ2 :

((q1,q2), a, (q1’,q2’)) ∈ δ

Interleaving on a ∈ (αM \ (αM1 Å αM2)) [ {τ} :

• (q1, a, q1’) ∈ δ1 and a ∉ αM2 :

((q1,q2), a, (q1’,q2)) ∈ δfor any q2 ∈ Q2

• (q2, a, q2’) ∈ δ2 and a ∉ αM1 :

((q1,q2), a, (q1,q2’)) ∈ δfor any q1 ∈ Q1

12

ExampleInput

in

0 1 2

send

ack

Output

out

a b c

send

ack

║

13

Input

in

0 1 2

send

ack

Output

out

a b c

send

ack

║

Input ║ Output

in

0,a

send

ack

0,b

0,c

1,a

2,a

1,b

2,b

1,c

2,c

out

0 a

0,a

1

1,a

2,b

b2 c

2,c

14

Input

in

0 1 2

send

ack

Output

out

a b c

send

ack

║

Input ║ Output

0,a

in

send

ack

0,b

0,c

1,a

2,a

1,b

2,b

1,c

2,c

out

in in out

out

15

Safety Properties

Also expressed as LTSs, but of a special kind:

Safety LTS :• Deterministic:

– Does not contain τ -transitions, and– every state has at most one outgoing

transition for each action: (q,a,q’), (q,a,q’’) ∈ δ q’ = q’’

16

Safety Properties

For a safety LTS, P:• L(P) describes the set of legal

(acceptable) behaviors over αP.

M ² P iff ∀σ ∈ L(M) : (σαP) ∈ L(P)

• For Σ µ Act, σΣ is the trace obtained from σ by removing all occurrences of actions a ∉ Σ.

Example: <in, send, ack>{in, ack} = <in, ack>

Language Containment

L(M) αP µ L(P)

17

Example

Order

in

out

Input ║ Output

0,a

in

send

ack

0,b

0,c

1,a

2,a

1,b

2,b

1,c

2,c

out

in in out

out

|=?

Pref(<in,send,out,ack>*)

Pref(<in,out>*)?

{in,out}

P

18

Model Checking M ² P

Safety LTS P an Error LTS, Perr :

• “traps” violations with special error state .

P = (Q, q0, αP, δ) Perr = (Q [ {}, q0, αP, δ’), where: δ’= δ[ {(q,a,) | a ∈ αP and ∄q’ ∈ Q:

(q,a,q’) ∈ δ}

• Error LTS is complete. is a deadend state: has no outgoing transitions.

19

Example

Ordererr

in

out

Order

in out

20

Model Checking M ² P

Theorem:

• M ² P iff is unreachable in M ║ Perr

Remark: composition M ║ Perr is defined as before with a small exception:

If the target state of a transition in Perr is , so is the target state of the corresponding transitions in the composed system M ║ Perr

In automata

: M ² iff

L(AM Å A) =;

21

Transition Relation δ

Synchronization on a ∈ αM1 Å αM2 :

(q1,a,q1’) ∈ δ1 and (q2,a,q2’) ∈ δ2 :

((q1,q2), a, (q1’,q2’)) ∈ δ

Interleaving on a ∈ (αM \ (αM1 Å αM2)) [ {τ} :

• (q1, a, q1’) ∈ δ1 and a ∉ αM2 :

((q1,q2), a, (q1’,q2)) ∈ δfor any q2 ∈ Q2

• (q2, a, q2’) ∈ δ2 and a ∉ αM1 :

((q1,q2), a, (q1,q2’)) ∈ δfor any q1 ∈ Q1

ππ

ππ

δ1: M, δ2: Perr

δ: M║Perr

22

Example

Ordererr in

out

Order

in out

║

Input ║ Output

0,a

in

send

ack

0,b

0,c

1,a

2,a

1,b

2,b

1,c

2,c

out

in in out

out

23

Example

Ordererr in

out

Order

in out

║

Input ║ Output

0,a

in

send

ack

1,a

2,b

2,c

out

24

║

Input ║ Output

0,a in send

ack

1,a

2,b

2,c out

i ii

Ordererr in

out

Order

in out

0,a,i

in

send

ack

1,a,i 2,b,i 2,c,i

out

0,a,ii

in

send

ack

1,a,ii

2,b,ii

2,c,ii

out

unreachable

0,a,i 2,c,i

1,a,ii

2,b,ii

0,a

1,a

ii

0,a,ii

25

in

║

Input ║ Output

0,a in send

ack

1,a

2,b

2,c out

i ii

Ordererr in

out

Order

in out

0,a,i

in

send

ack

1,a,i 2,b,i 2,c,i

out

0,a,ii

in

send

ack

1,a,ii

2,b,ii

2,c,ii

out

in

in

counter- exampl

e!

0,a,i

1,a,ii

26

Assume Guarantee Reasoning

• Assumptions: also expressed as safety LTSs.

• <A> M is true iff A ║ M ² P i.e. is unreachable in A ║ M ║ Perr

<A> M1 

<true> M2 <A>

<true> M1║M2 

A ║ M1 ² P

M2 ² A

M1║M2 ² P

M1, M2 : LTSs

P, A : safety LTSs

27

Outline

• Motivation• Setting• Automatic Generation of Assumptions


28

Observation 1

• AG Rule will return conclusive results with:

Weakest assumption Aw under which M1 satisfies P:

• Under assumption Aw on M1‘s environment, M1 satisfies P , i.e. Aw ║ M1 ² P

• Weakest: forall env. M’2: M1║M’2 ² P IFF M’2 ²Aw

Given Aw, to check if M1║M2 ² P, check if M2 meets the assumption Aw.

sufficient and necessary assumption on M1’s env.

A ║ M1 ² P

M2 ² A

M1║M2 ² P

29

How to Obtain Aw ?

• Given module M1, property P and M1‘s interface with its environment Σ = (αM1 [ αP) Å αM2 :

Aw describes exactly all traces over Σ such

that in the context of , M1 satisfies P

– Expressible as a safety LTS– Can be computed algorithmically

Drawback of using Aw : if the computation runs out of memory, no assumption is obtained.

M1║M’2 ² P

IFF M’2 ² Aw

30

Observation 2

• No need to use the weakest env. assumption Aw.

• AG rule might be applicable with stronger (less general) assumption.

Instead of finding Aw:

• Use learning algorithm to learn Aw .

• Use candidates Ai produced by learning algorithm as candidate assumptions: try to apply AG rule with Ai.

A ║ M1 ² P

M2 ² A

M1║M2 ² P

31

Given a Candidate Assumption Ai

If Ai ║ M1 ² P does not hold:

Assumption Ai is not tight enough

need to strengthen Ai

A ║ M1 ² P

M2 ² A

M1║M2 ² P

32

Given a Candidate Assumption Ai

Suppose Ai║ M1 ² P holds:

If M2 ² Ai also holds M1║M2 ² P verified!.

Otherwise: σ ∈ L(M2) but (σαΣ) ∉ L(Ai) -- cex

P violated by M1 in the context of cex=(σαΣ) ?

Yes: real violation ! M1║M2 ² P falsified !

No: spurious violation. need to find better approximation of Aw.

“cex║M1” |≠ P ?

A ║ M1 ² P

M2 ² A

M1║M2 ² P

33

“cex║M1” ² P ?

Compose M1 with LTS Acex over αΣ

cex=a1,…ak Acex : Q={q0,…,qk} , q0 = q0

δ ={ (qi,ai+1,qi+1) | 0 i < k }

Model check Acex║M1 ² P

Is reachable in Acex║M1║Perr ?

Alternatively: simulate cex on M1║ Perr

cex║M1² P iff when cex is simulated on M1║Perr it cannot lead to (error) state.

yesno

Real violation

Spurious cex

q0 a1 a2

q1

qk ak

…

“cex ∊ L(Aw)” ?

34

Assume-Guarantee Framework

Model Checking

1. Ai║ M1 |= P

Learning

realerror?

2. M2 |= Ai

Ai

counterexample – strengthen assumption

counterexample – weaken assumption

false

truetrue

false

YN

P holds in M1||M2

P violated in M1||M2

Learning 1. Ai║ M1 |= P

realerror?

2. M2 |= Ai

cex║M1 | P ?

cex L(Ai)

For Aw :

conclusive results guaranteed

termination!

35

Outline



36

Learning Algorithm for DFA – L*

• L*: by Angluin, improved by Rivest & Schapire

• learns an unknown regular language U • produces a Deterministic Finite state

Automaton (DFA) C such that L(C) = U

DFA M = (Q, q0, αM, δ, F) :• Q, q0, αM, δ: as in deterministic LTS• F µ Q : accepting states• L(M) = {σ | δ(q0, σ) ∈ F}

37


• L* interacts with a Teacher to answer two types of questions:– Membership queries: is string σ in U ?

– Conjectures: for a candidate DFA Ci, is L(Ci) = U ?• answers are (true) or (false +

counterexample)

Conjectures C1, C2, … converge to C

Equivalence

Queries

38


Myhill-Nerode Thm.

For every regular set U ⊆∑* there exists a unique minimal deterministic automaton whose states are isomorphic to the set of equivalence classes of the following relation:

w ≈ w’ iff ∀u ∈∑* : wu ∈U ⇔ w’u ∈U

Basic idea: learn the equivalence classes

• Two prefixes are not in the same class iff there is a distinguishing suffix u

39

General Method

• L* maintains a table that records whether strings in belong to U– makes membership queries to update it

• Once all currently distinguishable strings are in different classes (table is closed), uses table to build a candidate Ci -- makes a conjecture :– if Teacher replies true, done!– if Teacher replies false, uses counterexample

to update the table

40


Observation Table: (S, E, T)S 2 – prefixes (represent. of equiv. classes /

states)E 2 – suffixes (distinguishing)T: mapping (S ∪ S·∑) · E {true, false}

∈U

∉U

E· e1 e2 …

s1 true false S s2...

false …...

S

s1·a true falses1·b…

true ……

s2·a

s2·b…

T :

41

T: (S ∪ S·∑) ·E {true, false}

(S,E,T) is closed if

∀s∈S ∀a∈∑ ∃s’∈S ∀e∈E: T(sae)=T(s’e)

∈U ∉U

represents the next state from s after

seeing a

sa is undistinguishable

from s’ by any of the suffixes

L* Algorithm

i.e. Every row sa of S has a matching row s’ inS

E· e1 e2 …

s1 true false S s2...

false …...

S

s1·a true falses1·b…

true ……

s2·a

s2·b…

42


Initially: S={λ}, E= {λ}Loop {

update T using membership querieswhile (S,E,T) is not closed {

add sa to S where sa has no repr. prefix s’update T using membership queries

}from a closed (S,E,T) construct a candidate DFA - Cpresent an equivalence query: L(C) = U ?

}

sa has no matching

rows’ inS

43





}from a closed (S,E,T) construct a candidate DFA - Cpresent an equivalence query: L(C) = U ?

}

Candidate DFA from a closed (S,E,T):States: SInitial state: λAccepting states:

s ∈S such that T(s) [= T(s¢λ)] = trueTransition relation:

δ(s,a) = s’ where ∀e∈E: T(sae)=T(s’e)

[ closed: ∀s∈S ∀a∈∑ ∃s’∈S ∀e∈E:

T(sae)=T(s’e) ]

44





}from a closed (S,E,T) construct a candidate DFA - Cpresent an equivalence query: L(C) = U ?if C is correct return Celse add e∈∑* that witnesses the cex to E

}

45

Choosing e

• e must be such that adding it to E will eliminate the current cex in the next conjecture.

• e is a suffix of cex that witnesses a difference between L(Ci) and U

• Adding e to E will cause an addition of a prefix (state) to S splitting states

46

Characteristics of L*

• Terminates with minimal automaton C for U

• Each candidate Ci is smallest– any DFA consistent with table has at least as

many states as Ci

– |C1| < | C2| < … < |C|

• Produces at most n candidates, where n = |C|

• # membership queries: O(kn2 + n logm) – m: size of largest counterexample– k: size of ∑

47

Outline



48

Assume-Guarantee with Learning

Reminder:• Use learning algorithm to learn Aw .• Use candidates produced by learning as

candidate assumptions Ai for AG rule.

In order to use L* to produce assumptions Ai:• Show that L(Aw) is regular• Translate DFA to safety LTS (assumption)• Implement the teacher

49

L(Aw) is Regular

• Aw is expressible as a safety LTS• Translation of safety LTS A into DFA C:

A = (Q, q0, αM, δ) C = (Q, q0, αM, δ, Q)

There exists a DFA C s.t. L(C) = L(Aw)

L* can be used to learn a DFA that accepts L(Aw)

50

DFA to Safety LTS

• DFAs Ci returned by L* are complete, minimal and in this setting also prefix-closed:

– if 2 L(Ci), then every prefix of is also in L(Ci).

Ci contains a single non-accepting state qnf and no accepting state is reachable from qnf.

To get a safety LTS simply remove non-accepting state and all its ingoing transitions :

Ci = (Q [ {qnf}, q0, αM, δ, Q)

Ai = (Q, q0, αM, δ Å (Q £ αM £ Q) )

Weakestassumption

is prefix-closed

51

Implementing the Teacher

Aw is unknown…

• Membership query: ∈ L(Aw)?

Check if “║M1” ⊨ P :– Model checking: is reachable in

A║M1║Perr ?

– Simulation: is (error) state reachable when simulating on M1║ Perr ?

• Equivalence query: L(Ci) = L(Aw) ?

– Translate Ci into a safety LTS Ai

– Use it as candidate assumption for AG rule

L(Aw) iff

in context of ,M1 satisfies P

or

52

P holds in M1||M2

Model Checking

1. Ai║ M1 |= P

realerror?

2. M2 |= Ai

Ai



false

truetrue

YN

P holds in M1||M2


false

cex║M1 | P ?

cex L(Ai)

Model Checking

1. Ai║ M1 |= P

Learning

realerror?

2. M2 |= Ai

Ai



false

truetrue

YN P violated in M1||M2

L(Ai) = L(Aw) ?

false

cex║M1 | P ?

cex L(Ai)

Aw contains all traces that can be composed with M1 without violating P.

53

Model Checking

1. Ai║ M1 |= P

Learning

realerror?

2. M2 |= Ai

Ai



false

truetrue

YN

P holds in M1||M2


1. Ai║ M1 |= P

L(Ai) = L(Aw) ?

L(Ai) ⊆ L(Aw)?

cex L(Ai)

cex L(Aw)

false

cex║M1 | P ?

cex L(Ai)


54

Model Checking

1. Ai║ M1 |= P

Learning

realerror?

2. M2 |= Ai

Ai



false

truetrue

YN

P holds in M1||M2


L(Ai) = L(Aw) ?

L(Ai) ⊆ L(Aw)

false

cex║M1 | P ?

cex L(Ai)


55

Model Checking

1. Ai║ M1 |= P

Learning

realerror?

2. M2 |= Ai

Ai



false

truetrue

YN

P holds in M1||M2


realerror?

2. M2 |= Ai

L(Ai) = L(Aw) ?

L(Ai) ⊆ L(Aw)

false

cex║M1 | P ?

cex L(Ai)


56

Model Checking

1. Ai║ M1 |= P

Learning

realerror?

2. M2 |= Ai

Ai



false

truetrue

YN

P holds in M1||M2


realerror?

2. M2 |= Ai

L(Ai) = L(Aw) ?

L(Ai) ⊆ L(Aw)

false

cex║M1 | P ?

cex L(Ai)


L(Ai) ⊇ L(Aw)?

57

Model Checking

1. Ai║ M1 |= P

Learning

realerror?

2. M2 |= Ai

Ai



false

truetrue

YN

P holds in M1||M2


realerror?

2. M2 |= Ai

L(Ai) = L(Aw) ?

L(Ai) ⊆ L(Aw)

false

cex║M1 | P ?

cex L(Ai)


cex L(Ai)

cex L(Aw)

L(Ai) ⊇ L(Aw)?

58

Equivalence Query - Summary

2 applications of model checking + 1 model checking

or simulation

Model Checking

1. Ai║ M1 |= P

realerror?

2. M2 |= Ai

truetrue

YN

false

false

!

!cex

cex

59

Equivalence Query - Summary

If L(Ai) = L(Aw):AG rule returns conclusive results No need to continue with L*

If L(Ai) ≠ L(Aw):Can terminate and abort L*. Otherwise, cex is returned in1 if L(Ai) ⊈ L(Aw), or

2 if L(Ai) ⊊ L(Aw)

Model Checking

1. Ai║ M1 |= P

realerror?

2. M2 |= Ai

truetrue

YN

false

false

!

!cex

cex

60

Assume-Guarantee Framework

Model Checking

1. Ai║ M1 |= P

Learning

realerror?

2. M2 |= Ai

Ai



false

truetrue

false

YN

P holds in M1||M2


Learning 1. Ai║ M1 |= P

realerror?

2. M2 |= Ai

cex║M1 | P ?

cex L(Ai)

61

Characteristics of Framework

• AG uses conjectures produced by L* as candidate assumptions Ai

• L* uses AG as teacher

• L* terminates Framework guaranteed to terminate:

– At latest terminates when Aw is produced.

– Possibly terminates before Aw is produced!

62

Characteristics of Framework

• L* makes at most n = |Aw| equivalence queries

• # membership queries: O(kn2 + n logm) – m: size of largest counterexample– k: size of ∑

• membership query Model checking X 1• equivalence query Model checking X 3 O(kn2 + n logm) simulations

+ O(n) model checking applications.

Each MC involves either M1 or M2 - not both!

or simulation

63

Outline



64

Output

send

ack

out

Ordererr in

out out in

Example Input

in

ack

send

Check: Input║Output ² Order ?

M1 M2 P

(assumption’s alphabet) : {send, out, ack}

Σ = (αM1 [ αP) Å αM2

65

Ordererr in

out in

Output

send

ack

out

Membership Queries Input

in

ack

send

E

Table T S ?

S ack

out

send

S = set of prefixesE = set of suffixes

L(Aw)?

Simulate on Input║Ordererr

Σ = {send, out, ack}

out

66

Input ║ Ordererr

0,a

out

ack

1,a

2,a

0,b

1,b

2,b

out out send

send

Ordererr in

out out in

Inputin

ack

send

in

inack

out



0,a

1,b

unreachable L(Aw)

Output

send

ack

out

67

Ordererr in

out out in

Output

send

ack

out

Input in

ack

send

Membership Queries


L(Aw)?


yes!


E

Table T S ?

S ack out

send

true

68

Ordererr in

out out in

Output

send

ack

out

Input in

ack

send

Membership Queries



E

Table T S ?

S ack ?out

send

true<ack> L(Aw)?

yes!

Simulate<ack> on Input║Ordererr

true

69

true

Ordererr in

out out in

Output

send

ack

out

Input in

ack

send

Membership Queries



E

Table T S ?

S ack out ?send

true

Simulate<out> on Input║Ordererr

<out> L(Aw)?

70

Input ║ Ordererr

0,a

out

ack

1,a

2,a

0,b

1,b

2,b

out out send

send

Ordererr in

out out in

Input

in

ack

send

in

inack

out



reachable<out>∉ L(Aw)

0,a

Output

send

ack

out

71

Ordererr in

out out in

Output

send

ack

out

Input

in

ack

send

Membership Queries


<out> L(Aw)?



no!E

Table T S ?

S ack trueout ?send

true

false

72

Ordererr in

out out in

Output

send

ack

out

Input

in

ack

send

Membership Queries



E

Table T S ?

S ack trueout falsesend true

true

73

Ordererr in

out out in

Output

send

ack

out

Candidate Construction Input

in

ack

send

S = set of prefixesE = set of suffixes E

Table T S true

out false

S ack

out

send

out, ack

out, out

out, send

truefalsetrue


74

Ordererr in

out out in

Output

send

ack

out


in

ack

send


Table T S true

out false

S ack

out

send

out, ack

out, out

out, send

truefalsetruefalsefalsefalse


75

Ordererr in

out out in

Output

send

ack

out


in

ack

send

acksend

2 states – non accepting state not added to assumption

Assumption A1


Table T S true

out false

S ack

out

send

out, ack

out, out

out, send


Table closed !


76

Ordererr in

out out in

Output

send

ack

out

Conjectures Input

in

ack

send

A1: Step 1: A1║Input ²

Order

acksend


Input ║ Ordererr

0,a

out

ack

1,a

2,a

0,b

1,b

2,b

out out send

send

in

inack

out

A1║Input ≡ InputA1 ║Input ║Ordererr

0,a

1,b

0,b

2,b

77

Ordererr in

out out in

Output

send

ack

out

Conjectures Input

in

ack

send

A1: Step 1: A1║Input |=

Order

Counterexample:c = in,send,ack,in ack

send


Return to L*:c = send,ack

L(A1)\L(Aw)

0,a

out

ack

1,a

2,a

0,b

1,b

2,b

out out send

send

in

inack

out

A1 ║Input ║Ordererr

0,a

1,b

0,b

2,b

78

Ordererr in

out in

Output

send

ack

out


in

ack

send



out

E '

Table T ack

S true out false

S ack

out

send

out, ack

out, out

out, send



L(A1)\L(Aw)

79

Ordererr in

out in

Output

send

ack

out


in

ack

send



out

E '

Table T ack

S true out false

S ack

out

send

out, ack

out, out

out, send


truefalse

false

falsefalsefalse

false

true

80

Ordererr in

out in

Output

send

ack

out

Input in

ack

send


out

Table T ack

S true out false

send true

S ack

out

send

out, ack

out, out

out,send

send,ack

send,out

send,send

truefalse


false

falsefalsefalse

false

true

E '

false

false

falsetruetrue

truetrue

81

3 states – non accepting state not added to assumption

Assumption A2

Table closed !


Ordererr in

out in

Output

send

ack

out

Input in

ack

send

out

E 'Table T ack

S true out false

send true

S ack

out

send

out, ack

out, out

out,send

send,ack

send,out

send,send


false

falsefalsefalse

false

true

false

falsetruetrue

truetrue

truefalsefalse

ack

send

out, send

82

Ordererr in

out out in

Output

send

ack

out

Conjectures Input

in

ack

send

A1: Step 1: A1║Input ²

Order

Counterexample:c = in,send,ack,in


Step 1: A2║Input ² Order

True

Step 2: Output ² A2

True

property Order holds on Input║Output

ack

send

out, send

A2:Queries

acksend


L(A1)\L(Aw)

c ∉ L(A2)

83

Output

send

ack

out

sendOrdererr in

out out in

Input

in

ack

send

Step 2: Output’ ² A2

Counterexample:c=send,send,out

Simulate c= send,send,out

on Input║Ordererr

real error?


Another Example

ack

send

out, send

A2:

84

Output

send

ack

out

sendOrdererr in

out out in

Input

in

ack

send

Step 2: Output’ ² A2



on Input║Ordererr

real error?


Another Example

Input ║ Ordererr

0,a

out

ack

1,a

2,a

0,b

1,b

2,b

out out send

send

in

inack

out0,

a

1,b

2,b

not a real error!unreachable

85

Return c to L*

Output

send

ack

out

sendOrdererr in

out out in

Input

in

ack

send

Step 2: Output’ |=A2



on Input║Ordererr

real error?

Another Example

ack,out,send

ack

send out

ack send

send

A4: property

Order holds on Input║Output’

not a real error!

Aw

L(Aw)\L(A2)


unreachable

86

Conclusion

• Generate assumptions for assume-guarantee reasoning in an incremental and fully automatic fashion, using learning.

• Each iteration of assume-guarantee may conclude that the required property is satisfied or violated in the system.

• Assumption generation converges to an assumption that is necessary and sufficient for the property to hold in the specific system.

87

The End

Documents

Learning Assumptions for Compositional Verification