![Page 1: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/1.jpg)
1
Learning Assumptions for Compositional Verification
J. M. Cobleigh, D. Giannakopoulou and C. S. Pasareanu
Presented by: Sharon Shoham
![Page 2: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/2.jpg)
2
Main Limitation of Model Checking:
The state explosion problem
• The number of states in the system model grows exponentially with the number of variables the number of components in the system
• One solution to state explosion problem: Abstraction
• Another: Compositional Verification
![Page 3: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/3.jpg)
3
Compositional Verification
• Inputs: – composite system M1║M2
– property P
• Goal: check if M1║M2 ² P
• First attempt: “divide and conquer” approach
• Problem: usually impossible to verify each component separately.– a component is typically designed to satisfy its
requirements in specific environments (contexts)
![Page 4: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/4.jpg)
4
Compositional Verification
Assume-Guarantee (AG) paradigm:introduces assumptions representing a component’s environment
Instead of: Does component satisfy property?Ask: Under assumption A on its environment,
does the component guarantee the property?
<A> M <P>: whenever M is part of a system satisfying the assumption A, then the system must also guarantee P
![Page 5: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/5.jpg)
5
Useful AG Rule for Safety Properties
1. check if a component M1 guarantees P when it is a part of a system satisfying assumption A.
2. discharge assumption: show that the remaining component M2 (the environment) satisfies A.
<A> M1 <P>
<true> M2 <A>
<true> M1║M2 <P>
M1 ║ M2 ² P
A
![Page 6: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/6.jpg)
6
Assume-Guarantee
• Crucial element: assumption A. • Has to be strong enough to eliminate
violations of P, but also general enough to reflect the environment M2 appropriately.
• requires non-trivial human input in defining assumptions.
How to automatically construct assumptions ?
<A> M1 <P>
<true> M2 <A>
<true> M1║M2 <P>
![Page 7: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/7.jpg)
7
Outline
• Motivation • Setting• Automatic Generation of Assumptions
for the AG Rule • Learning algorithm • Assume-Guarantee with Learning• Example
![Page 8: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/8.jpg)
8
Labeled Transition Systems (LTS)
• Act – set of observable actions– LTSs communicate using observable actions
• τ – local \ internal action
LTS M = (Q, q0, αM, δ)• Q : finite non-empty set of states • q0 ∈ Q : initial state• αM µ Act : observable actions δµQ x (αM [ {τ }) x Q : transition
relation
Alphabet
![Page 9: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/9.jpg)
9
Labeled Transition Systems (LTS)
in
0 1 2
send
ack
• Trace of an LTS M : finite sequence of observable actions that M can perform starting at the initial state.
• L(M) = the Language of M : the set of all traces of M.
Traces:<in>, <in, send>,
…
![Page 10: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/10.jpg)
10
Parallel Composition M1║M2
• Components synchronize on common observable actions (communication).
• The remaining actions are interleaved.
M1 = (Q1,q01,αM1,δ1), M2 = (Q2,q0
2,αM2,δ2)
M1║M2 = (Q,q0,αM,δ)
• Q = Q1 x Q2
• q0 = (q01, q0
2)
• αM = αM1 [ αM2
![Page 11: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/11.jpg)
11
Transition Relation δ
Synchronization on a ∈ αM1 Å αM2 :
(q1,a,q1’) ∈ δ1 and (q2,a,q2’) ∈ δ2 :
((q1,q2), a, (q1’,q2’)) ∈ δ
Interleaving on a ∈ (αM \ (αM1 Å αM2)) [ {τ} :
• (q1, a, q1’) ∈ δ1 and a ∉ αM2 :
((q1,q2), a, (q1’,q2)) ∈ δfor any q2 ∈ Q2
• (q2, a, q2’) ∈ δ2 and a ∉ αM1 :
((q1,q2), a, (q1,q2’)) ∈ δfor any q1 ∈ Q1
![Page 12: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/12.jpg)
12
ExampleInput
in
0 1 2
send
ack
Output
out
a b c
send
ack
║
![Page 13: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/13.jpg)
13
Input
in
0 1 2
send
ack
Output
out
a b c
send
ack
║
Input ║ Output
in
0,a
send
ack
0,b
0,c
1,a
2,a
1,b
2,b
1,c
2,c
out
0 a
0,a
1
1,a
2,b
b2 c
2,c
![Page 14: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/14.jpg)
14
Input
in
0 1 2
send
ack
Output
out
a b c
send
ack
║
Input ║ Output
0,a
in
send
ack
0,b
0,c
1,a
2,a
1,b
2,b
1,c
2,c
out
in in out
out
![Page 15: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/15.jpg)
15
Safety Properties
Also expressed as LTSs, but of a special kind:
Safety LTS :• Deterministic:
– Does not contain τ -transitions, and– every state has at most one outgoing
transition for each action: (q,a,q’), (q,a,q’’) ∈ δ q’ = q’’
![Page 16: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/16.jpg)
16
Safety Properties
For a safety LTS, P:• L(P) describes the set of legal
(acceptable) behaviors over αP.
M ² P iff ∀σ ∈ L(M) : (σαP) ∈ L(P)
• For Σ µ Act, σΣ is the trace obtained from σ by removing all occurrences of actions a ∉ Σ.
Example: <in, send, ack>{in, ack} = <in, ack>
Language Containment
L(M) αP µ L(P)
![Page 17: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/17.jpg)
17
Example
Order
in
out
Input ║ Output
0,a
in
send
ack
0,b
0,c
1,a
2,a
1,b
2,b
1,c
2,c
out
in in out
out
|=?
Pref(<in,send,out,ack>*)
Pref(<in,out>*)?
{in,out}
P
![Page 18: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/18.jpg)
18
Model Checking M ² P
Safety LTS P an Error LTS, Perr :
• “traps” violations with special error state .
P = (Q, q0, αP, δ) Perr = (Q [ {}, q0, αP, δ’), where: δ’= δ[ {(q,a,) | a ∈ αP and ∄q’ ∈ Q:
(q,a,q’) ∈ δ}
• Error LTS is complete. is a deadend state: has no outgoing transitions.
![Page 19: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/19.jpg)
19
Example
Ordererr
in
out
Order
in out
![Page 20: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/20.jpg)
20
Model Checking M ² P
Theorem:
• M ² P iff is unreachable in M ║ Perr
Remark: composition M ║ Perr is defined as before with a small exception:
If the target state of a transition in Perr is , so is the target state of the corresponding transitions in the composed system M ║ Perr
In automata
: M ² iff
L(AM Å A) =;
![Page 21: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/21.jpg)
21
Transition Relation δ
Synchronization on a ∈ αM1 Å αM2 :
(q1,a,q1’) ∈ δ1 and (q2,a,q2’) ∈ δ2 :
((q1,q2), a, (q1’,q2’)) ∈ δ
Interleaving on a ∈ (αM \ (αM1 Å αM2)) [ {τ} :
• (q1, a, q1’) ∈ δ1 and a ∉ αM2 :
((q1,q2), a, (q1’,q2)) ∈ δfor any q2 ∈ Q2
• (q2, a, q2’) ∈ δ2 and a ∉ αM1 :
((q1,q2), a, (q1,q2’)) ∈ δfor any q1 ∈ Q1
ππ
ππ
δ1: M, δ2: Perr
δ: M║Perr
![Page 22: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/22.jpg)
22
Example
Ordererr in
out
Order
in out
║
Input ║ Output
0,a
in
send
ack
0,b
0,c
1,a
2,a
1,b
2,b
1,c
2,c
out
in in out
out
![Page 23: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/23.jpg)
23
Example
Ordererr in
out
Order
in out
║
Input ║ Output
0,a
in
send
ack
1,a
2,b
2,c
out
![Page 24: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/24.jpg)
24
║
Input ║ Output
0,a in send
ack
1,a
2,b
2,c out
i ii
Ordererr in
out
Order
in out
0,a,i
in
send
ack
1,a,i 2,b,i 2,c,i
out
0,a,ii
in
send
ack
1,a,ii
2,b,ii
2,c,ii
out
unreachable
0,a,i 2,c,i
1,a,ii
2,b,ii
0,a
1,a
ii
0,a,ii
![Page 25: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/25.jpg)
25
in
║
Input ║ Output
0,a in send
ack
1,a
2,b
2,c out
i ii
Ordererr in
out
Order
in out
0,a,i
in
send
ack
1,a,i 2,b,i 2,c,i
out
0,a,ii
in
send
ack
1,a,ii
2,b,ii
2,c,ii
out
in
in
counter- exampl
e!
0,a,i
1,a,ii
![Page 26: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/26.jpg)
26
Assume Guarantee Reasoning
• Assumptions: also expressed as safety LTSs.
• <A> M <P> is true iff A ║ M ² P i.e. is unreachable in A ║ M ║ Perr
<A> M1 <P>
<true> M2 <A>
<true> M1║M2 <P>
A ║ M1 ² P
M2 ² A
M1║M2 ² P
M1, M2 : LTSs
P, A : safety LTSs
![Page 27: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/27.jpg)
27
Outline
• Motivation• Setting• Automatic Generation of Assumptions
for the AG Rule • Learning algorithm • Assume-Guarantee with Learning• Example
![Page 28: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/28.jpg)
28
Observation 1
• AG Rule will return conclusive results with:
Weakest assumption Aw under which M1 satisfies P:
• Under assumption Aw on M1‘s environment, M1 satisfies P , i.e. Aw ║ M1 ² P
• Weakest: forall env. M’2: M1║M’2 ² P IFF M’2 ²Aw
Given Aw, to check if M1║M2 ² P, check if M2 meets the assumption Aw.
sufficient and necessary assumption on M1’s env.
A ║ M1 ² P
M2 ² A
M1║M2 ² P
![Page 29: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/29.jpg)
29
How to Obtain Aw ?
• Given module M1, property P and M1‘s interface with its environment Σ = (αM1 [ αP) Å αM2 :
Aw describes exactly all traces over Σ such
that in the context of , M1 satisfies P
– Expressible as a safety LTS– Can be computed algorithmically
Drawback of using Aw : if the computation runs out of memory, no assumption is obtained.
M1║M’2 ² P
IFF M’2 ² Aw
![Page 30: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/30.jpg)
30
Observation 2
• No need to use the weakest env. assumption Aw.
• AG rule might be applicable with stronger (less general) assumption.
Instead of finding Aw:
• Use learning algorithm to learn Aw .
• Use candidates Ai produced by learning algorithm as candidate assumptions: try to apply AG rule with Ai.
A ║ M1 ² P
M2 ² A
M1║M2 ² P
![Page 31: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/31.jpg)
31
Given a Candidate Assumption Ai
If Ai ║ M1 ² P does not hold:
Assumption Ai is not tight enough
need to strengthen Ai
A ║ M1 ² P
M2 ² A
M1║M2 ² P
![Page 32: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/32.jpg)
32
Given a Candidate Assumption Ai
Suppose Ai║ M1 ² P holds:
If M2 ² Ai also holds M1║M2 ² P verified!.
Otherwise: σ ∈ L(M2) but (σαΣ) ∉ L(Ai) -- cex
P violated by M1 in the context of cex=(σαΣ) ?
Yes: real violation ! M1║M2 ² P falsified !
No: spurious violation. need to find better approximation of Aw.
“cex║M1” |≠ P ?
A ║ M1 ² P
M2 ² A
M1║M2 ² P
![Page 33: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/33.jpg)
33
“cex║M1” ² P ?
Compose M1 with LTS Acex over αΣ
cex=a1,…ak Acex : Q={q0,…,qk} , q0 = q0
δ ={ (qi,ai+1,qi+1) | 0 i < k }
Model check Acex║M1 ² P
Is reachable in Acex║M1║Perr ?
Alternatively: simulate cex on M1║ Perr
cex║M1² P iff when cex is simulated on M1║Perr it cannot lead to (error) state.
yesno
Real violation
Spurious cex
q0 a1 a2
q1
qk ak
…
“cex ∊ L(Aw)” ?
![Page 34: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/34.jpg)
34
Assume-Guarantee Framework
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
false
YN
P holds in M1||M2
P violated in M1||M2
Learning 1. Ai║ M1 |= P
realerror?
2. M2 |= Ai
cex║M1 | P ?
cex L(Ai)
For Aw :
conclusive results guaranteed
termination!
![Page 35: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/35.jpg)
35
Outline
• Motivation• Setting• Automatic Generation of Assumptions
for the AG Rule • Learning algorithm • Assume-Guarantee with Learning• Example
![Page 36: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/36.jpg)
36
Learning Algorithm for DFA – L*
• L*: by Angluin, improved by Rivest & Schapire
• learns an unknown regular language U • produces a Deterministic Finite state
Automaton (DFA) C such that L(C) = U
DFA M = (Q, q0, αM, δ, F) :• Q, q0, αM, δ: as in deterministic LTS• F µ Q : accepting states• L(M) = {σ | δ(q0, σ) ∈ F}
![Page 37: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/37.jpg)
37
Learning Algorithm for DFA – L*
• L* interacts with a Teacher to answer two types of questions:– Membership queries: is string σ in U ?
– Conjectures: for a candidate DFA Ci, is L(Ci) = U ?• answers are (true) or (false +
counterexample)
Conjectures C1, C2, … converge to C
Equivalence
Queries
![Page 38: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/38.jpg)
38
Learning Algorithm for DFA – L*
Myhill-Nerode Thm.
For every regular set U ⊆∑* there exists a unique minimal deterministic automaton whose states are isomorphic to the set of equivalence classes of the following relation:
w ≈ w’ iff ∀u ∈∑* : wu ∈U ⇔ w’u ∈U
Basic idea: learn the equivalence classes
• Two prefixes are not in the same class iff there is a distinguishing suffix u
![Page 39: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/39.jpg)
39
General Method
• L* maintains a table that records whether strings in belong to U– makes membership queries to update it
• Once all currently distinguishable strings are in different classes (table is closed), uses table to build a candidate Ci -- makes a conjecture :– if Teacher replies true, done!– if Teacher replies false, uses counterexample
to update the table
![Page 40: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/40.jpg)
40
Learning Algorithm for DFA – L*
Observation Table: (S, E, T)S 2 – prefixes (represent. of equiv. classes /
states)E 2 – suffixes (distinguishing)T: mapping (S ∪ S·∑) · E {true, false}
∈U
∉U
E· e1 e2 …
s1 true false S s2...
false …...
S
s1·a true falses1·b…
true ……
s2·a
s2·b…
T :
![Page 41: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/41.jpg)
41
T: (S ∪ S·∑) ·E {true, false}
(S,E,T) is closed if
∀s∈S ∀a∈∑ ∃s’∈S ∀e∈E: T(sae)=T(s’e)
∈U ∉U
represents the next state from s after
seeing a
sa is undistinguishable
from s’ by any of the suffixes
L* Algorithm
i.e. Every row sa of S has a matching row s’ inS
E· e1 e2 …
s1 true false S s2...
false …...
S
s1·a true falses1·b…
true ……
s2·a
s2·b…
![Page 42: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/42.jpg)
42
Learning Algorithm for DFA – L*
Initially: S={λ}, E= {λ}Loop {
update T using membership querieswhile (S,E,T) is not closed {
add sa to S where sa has no repr. prefix s’update T using membership queries
}from a closed (S,E,T) construct a candidate DFA - Cpresent an equivalence query: L(C) = U ?
}
sa has no matching
rows’ inS
![Page 43: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/43.jpg)
43
Learning Algorithm for DFA – L*
Initially: S={λ}, E= {λ}Loop {
update T using membership querieswhile (S,E,T) is not closed {
add sa to S where sa has no repr. prefix s’update T using membership queries
}from a closed (S,E,T) construct a candidate DFA - Cpresent an equivalence query: L(C) = U ?
}
Candidate DFA from a closed (S,E,T):States: SInitial state: λAccepting states:
s ∈S such that T(s) [= T(s¢λ)] = trueTransition relation:
δ(s,a) = s’ where ∀e∈E: T(sae)=T(s’e)
[ closed: ∀s∈S ∀a∈∑ ∃s’∈S ∀e∈E:
T(sae)=T(s’e) ]
![Page 44: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/44.jpg)
44
Learning Algorithm for DFA – L*
Initially: S={λ}, E= {λ}Loop {
update T using membership querieswhile (S,E,T) is not closed {
add sa to S where sa has no repr. prefix s’update T using membership queries
}from a closed (S,E,T) construct a candidate DFA - Cpresent an equivalence query: L(C) = U ?if C is correct return Celse add e∈∑* that witnesses the cex to E
}
![Page 45: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/45.jpg)
45
Choosing e
• e must be such that adding it to E will eliminate the current cex in the next conjecture.
• e is a suffix of cex that witnesses a difference between L(Ci) and U
• Adding e to E will cause an addition of a prefix (state) to S splitting states
![Page 46: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/46.jpg)
46
Characteristics of L*
• Terminates with minimal automaton C for U
• Each candidate Ci is smallest– any DFA consistent with table has at least as
many states as Ci
– |C1| < | C2| < … < |C|
• Produces at most n candidates, where n = |C|
• # membership queries: O(kn2 + n logm) – m: size of largest counterexample– k: size of ∑
![Page 47: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/47.jpg)
47
Outline
• Motivation• Setting• Automatic Generation of Assumptions
for the AG Rule • Learning algorithm • Assume-Guarantee with Learning• Example
![Page 48: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/48.jpg)
48
Assume-Guarantee with Learning
Reminder:• Use learning algorithm to learn Aw .• Use candidates produced by learning as
candidate assumptions Ai for AG rule.
In order to use L* to produce assumptions Ai:• Show that L(Aw) is regular• Translate DFA to safety LTS (assumption)• Implement the teacher
![Page 49: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/49.jpg)
49
L(Aw) is Regular
• Aw is expressible as a safety LTS• Translation of safety LTS A into DFA C:
A = (Q, q0, αM, δ) C = (Q, q0, αM, δ, Q)
There exists a DFA C s.t. L(C) = L(Aw)
L* can be used to learn a DFA that accepts L(Aw)
![Page 50: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/50.jpg)
50
DFA to Safety LTS
• DFAs Ci returned by L* are complete, minimal and in this setting also prefix-closed:
– if 2 L(Ci), then every prefix of is also in L(Ci).
Ci contains a single non-accepting state qnf and no accepting state is reachable from qnf.
To get a safety LTS simply remove non-accepting state and all its ingoing transitions :
Ci = (Q [ {qnf}, q0, αM, δ, Q)
Ai = (Q, q0, αM, δ Å (Q £ αM £ Q) )
Weakestassumption
is prefix-closed
![Page 51: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/51.jpg)
51
Implementing the Teacher
Aw is unknown…
• Membership query: ∈ L(Aw)?
Check if “║M1” ⊨ P :– Model checking: is reachable in
A║M1║Perr ?
– Simulation: is (error) state reachable when simulating on M1║ Perr ?
• Equivalence query: L(Ci) = L(Aw) ?
– Translate Ci into a safety LTS Ai
– Use it as candidate assumption for AG rule
L(Aw) iff
in context of ,M1 satisfies P
or
![Page 52: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/52.jpg)
52
P holds in M1||M2
Model Checking
1. Ai║ M1 |= P
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
false
cex║M1 | P ?
cex L(Ai)
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN P violated in M1||M2
L(Ai) = L(Aw) ?
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
![Page 53: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/53.jpg)
53
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
1. Ai║ M1 |= P
L(Ai) = L(Aw) ?
L(Ai) ⊆ L(Aw)?
cex L(Ai)
cex L(Aw)
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
![Page 54: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/54.jpg)
54
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
L(Ai) = L(Aw) ?
L(Ai) ⊆ L(Aw)
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
![Page 55: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/55.jpg)
55
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
realerror?
2. M2 |= Ai
L(Ai) = L(Aw) ?
L(Ai) ⊆ L(Aw)
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
![Page 56: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/56.jpg)
56
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
realerror?
2. M2 |= Ai
L(Ai) = L(Aw) ?
L(Ai) ⊆ L(Aw)
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
L(Ai) ⊇ L(Aw)?
![Page 57: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/57.jpg)
57
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
realerror?
2. M2 |= Ai
L(Ai) = L(Aw) ?
L(Ai) ⊆ L(Aw)
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
cex L(Ai)
cex L(Aw)
L(Ai) ⊇ L(Aw)?
![Page 58: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/58.jpg)
58
Equivalence Query - Summary
2 applications of model checking + 1 model checking
or simulation
Model Checking
1. Ai║ M1 |= P
realerror?
2. M2 |= Ai
truetrue
YN
false
false
!
!cex
cex
![Page 59: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/59.jpg)
59
Equivalence Query - Summary
If L(Ai) = L(Aw):AG rule returns conclusive results No need to continue with L*
If L(Ai) ≠ L(Aw):Can terminate and abort L*. Otherwise, cex is returned in1 if L(Ai) ⊈ L(Aw), or
2 if L(Ai) ⊊ L(Aw)
Model Checking
1. Ai║ M1 |= P
realerror?
2. M2 |= Ai
truetrue
YN
false
false
!
!cex
cex
![Page 60: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/60.jpg)
60
Assume-Guarantee Framework
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
false
YN
P holds in M1||M2
P violated in M1||M2
Learning 1. Ai║ M1 |= P
realerror?
2. M2 |= Ai
cex║M1 | P ?
cex L(Ai)
![Page 61: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/61.jpg)
61
Characteristics of Framework
• AG uses conjectures produced by L* as candidate assumptions Ai
• L* uses AG as teacher
• L* terminates Framework guaranteed to terminate:
– At latest terminates when Aw is produced.
– Possibly terminates before Aw is produced!
![Page 62: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/62.jpg)
62
Characteristics of Framework
• L* makes at most n = |Aw| equivalence queries
• # membership queries: O(kn2 + n logm) – m: size of largest counterexample– k: size of ∑
• membership query Model checking X 1• equivalence query Model checking X 3 O(kn2 + n logm) simulations
+ O(n) model checking applications.
Each MC involves either M1 or M2 - not both!
or simulation
![Page 63: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/63.jpg)
63
Outline
• Motivation• Setting• Automatic Generation of Assumptions
for the AG Rule • Learning algorithm • Assume-Guarantee with Learning• Example
![Page 64: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/64.jpg)
64
Output
send
ack
out
Ordererr in
out out in
Example Input
in
ack
send
Check: Input║Output ² Order ?
M1 M2 P
(assumption’s alphabet) : {send, out, ack}
Σ = (αM1 [ αP) Å αM2
![Page 65: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/65.jpg)
65
Ordererr in
out in
Output
send
ack
out
Membership Queries Input
in
ack
send
E
Table T S ?
S ack
out
send
S = set of prefixesE = set of suffixes
L(Aw)?
Simulate on Input║Ordererr
Σ = {send, out, ack}
out
![Page 66: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/66.jpg)
66
Input ║ Ordererr
0,a
out
ack
1,a
2,a
0,b
1,b
2,b
out out send
send
Ordererr in
out out in
Inputin
ack
send
in
inack
out
Simulate on Input║Ordererr
Σ = {send, out, ack}
0,a
1,b
unreachable L(Aw)
Output
send
ack
out
![Page 67: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/67.jpg)
67
Ordererr in
out out in
Output
send
ack
out
Input in
ack
send
Membership Queries
S = set of prefixesE = set of suffixes
L(Aw)?
Simulate on Input║Ordererr
yes!
Σ = {send, out, ack}
E
Table T S ?
S ack out
send
true
![Page 68: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/68.jpg)
68
Ordererr in
out out in
Output
send
ack
out
Input in
ack
send
Membership Queries
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
E
Table T S ?
S ack ?out
send
true<ack> L(Aw)?
yes!
Simulate<ack> on Input║Ordererr
true
![Page 69: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/69.jpg)
69
true
Ordererr in
out out in
Output
send
ack
out
Input in
ack
send
Membership Queries
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
E
Table T S ?
S ack out ?send
true
Simulate<out> on Input║Ordererr
<out> L(Aw)?
![Page 70: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/70.jpg)
70
Input ║ Ordererr
0,a
out
ack
1,a
2,a
0,b
1,b
2,b
out out send
send
Ordererr in
out out in
Input
in
ack
send
in
inack
out
Simulate<out> on Input║Ordererr
Σ = {send, out, ack}
reachable<out>∉ L(Aw)
0,a
Output
send
ack
out
![Page 71: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/71.jpg)
71
Ordererr in
out out in
Output
send
ack
out
Input
in
ack
send
Membership Queries
Simulate<out> on Input║Ordererr
<out> L(Aw)?
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
no!E
Table T S ?
S ack trueout ?send
true
false
![Page 72: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/72.jpg)
72
Ordererr in
out out in
Output
send
ack
out
Input
in
ack
send
Membership Queries
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
E
Table T S ?
S ack trueout falsesend true
true
![Page 73: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/73.jpg)
73
Ordererr in
out out in
Output
send
ack
out
Candidate Construction Input
in
ack
send
S = set of prefixesE = set of suffixes E
Table T S true
out false
S ack
out
send
out, ack
out, out
out, send
truefalsetrue
Σ = {send, out, ack}
![Page 74: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/74.jpg)
74
Ordererr in
out out in
Output
send
ack
out
Candidate Construction Input
in
ack
send
S = set of prefixesE = set of suffixes E
Table T S true
out false
S ack
out
send
out, ack
out, out
out, send
truefalsetruefalsefalsefalse
Σ = {send, out, ack}
![Page 75: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/75.jpg)
75
Ordererr in
out out in
Output
send
ack
out
Candidate Construction Input
in
ack
send
acksend
2 states – non accepting state not added to assumption
Assumption A1
S = set of prefixesE = set of suffixes E
Table T S true
out false
S ack
out
send
out, ack
out, out
out, send
truefalsetruefalsefalsefalse
Table closed !
Σ = {send, out, ack}
![Page 76: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/76.jpg)
76
Ordererr in
out out in
Output
send
ack
out
Conjectures Input
in
ack
send
A1: Step 1: A1║Input ²
Order
acksend
Σ = {send, out, ack}
Input ║ Ordererr
0,a
out
ack
1,a
2,a
0,b
1,b
2,b
out out send
send
in
inack
out
A1║Input ≡ InputA1 ║Input ║Ordererr
0,a
1,b
0,b
2,b
![Page 77: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/77.jpg)
77
Ordererr in
out out in
Output
send
ack
out
Conjectures Input
in
ack
send
A1: Step 1: A1║Input |=
Order
Counterexample:c = in,send,ack,in ack
send
Σ = {send, out, ack}
Return to L*:c = send,ack
L(A1)\L(Aw)
0,a
out
ack
1,a
2,a
0,b
1,b
2,b
out out send
send
in
inack
out
A1 ║Input ║Ordererr
0,a
1,b
0,b
2,b
![Page 78: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/78.jpg)
78
Ordererr in
out in
Output
send
ack
out
Membership Queries Input
in
ack
send
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
out
E '
Table T ack
S true out false
S ack
out
send
out, ack
out, out
out, send
truefalsetruefalsefalsefalse
Return to L*:c = send,ack
L(A1)\L(Aw)
![Page 79: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/79.jpg)
79
Ordererr in
out in
Output
send
ack
out
Membership Queries Input
in
ack
send
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
out
E '
Table T ack
S true out false
S ack
out
send
out, ack
out, out
out, send
truefalsetruefalsefalsefalse
truefalse
false
falsefalsefalse
false
true
![Page 80: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/80.jpg)
80
Ordererr in
out in
Output
send
ack
out
Input in
ack
send
Σ = {send, out, ack}
out
Table T ack
S true out false
send true
S ack
out
send
out, ack
out, out
out,send
send,ack
send,out
send,send
truefalse
truefalsetruefalsefalsefalse
false
falsefalsefalse
false
true
E '
false
false
falsetruetrue
truetrue
![Page 81: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/81.jpg)
81
3 states – non accepting state not added to assumption
Assumption A2
Table closed !
Σ = {send, out, ack}
Ordererr in
out in
Output
send
ack
out
Input in
ack
send
out
E 'Table T ack
S true out false
send true
S ack
out
send
out, ack
out, out
out,send
send,ack
send,out
send,send
truefalsetruefalsefalsefalse
false
falsefalsefalse
false
true
false
falsetruetrue
truetrue
truefalsefalse
ack
send
out, send
![Page 82: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/82.jpg)
82
Ordererr in
out out in
Output
send
ack
out
Conjectures Input
in
ack
send
A1: Step 1: A1║Input ²
Order
Counterexample:c = in,send,ack,in
Return to L*:c = send,ack
Step 1: A2║Input ² Order
True
Step 2: Output ² A2
True
property Order holds on Input║Output
ack
send
out, send
A2:Queries
acksend
Σ = {send, out, ack}
L(A1)\L(Aw)
c ∉ L(A2)
![Page 83: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/83.jpg)
83
Output
send
ack
out
sendOrdererr in
out out in
Input
in
ack
send
Step 2: Output’ ² A2
Counterexample:c=send,send,out
Simulate c= send,send,out
on Input║Ordererr
real error?
Σ = {send, out, ack}
Another Example
ack
send
out, send
A2:
![Page 84: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/84.jpg)
84
Output
send
ack
out
sendOrdererr in
out out in
Input
in
ack
send
Step 2: Output’ ² A2
Counterexample:c=send,send,out
Simulate c= send,send,out
on Input║Ordererr
real error?
Σ = {send, out, ack}
Another Example
Input ║ Ordererr
0,a
out
ack
1,a
2,a
0,b
1,b
2,b
out out send
send
in
inack
out0,
a
1,b
2,b
not a real error!unreachable
![Page 85: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/85.jpg)
85
Return c to L*
Output
send
ack
out
sendOrdererr in
out out in
Input
in
ack
send
Step 2: Output’ |=A2
Counterexample:c=send,send,out
Simulate c= send,send,out
on Input║Ordererr
real error?
Another Example
ack,out,send
ack
send out
ack send
send
A4: property
Order holds on Input║Output’
not a real error!
Aw
L(Aw)\L(A2)
Σ = {send, out, ack}
unreachable
![Page 86: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/86.jpg)
86
Conclusion
• Generate assumptions for assume-guarantee reasoning in an incremental and fully automatic fashion, using learning.
• Each iteration of assume-guarantee may conclude that the required property is satisfied or violated in the system.
• Assumption generation converges to an assumption that is necessary and sufficient for the property to hold in the specific system.
![Page 87: Learning Assumptions for Compositional Verification](https://reader035.vdocument.in/reader035/viewer/2022062722/56813ac3550346895da2d4da/html5/thumbnails/87.jpg)
87
The End