learning assumptions for compositional verification
DESCRIPTION
Learning Assumptions for Compositional Verification. J. M. Cobleigh, D. Giannakopoulou and C. S. Pasareanu. Presented by: Sharon Shoham. Main Limitation of Model Checking:. The state explosion problem The number of states in the system model grows exponentially with the number of variables - PowerPoint PPT PresentationTRANSCRIPT
1
Learning Assumptions for Compositional Verification
J. M. Cobleigh, D. Giannakopoulou and C. S. Pasareanu
Presented by: Sharon Shoham
2
Main Limitation of Model Checking:
The state explosion problem
• The number of states in the system model grows exponentially with the number of variables the number of components in the system
• One solution to state explosion problem: Abstraction
• Another: Compositional Verification
3
Compositional Verification
• Inputs: – composite system M1║M2
– property P
• Goal: check if M1║M2 ² P
• First attempt: “divide and conquer” approach
• Problem: usually impossible to verify each component separately.– a component is typically designed to satisfy its
requirements in specific environments (contexts)
4
Compositional Verification
Assume-Guarantee (AG) paradigm:introduces assumptions representing a component’s environment
Instead of: Does component satisfy property?Ask: Under assumption A on its environment,
does the component guarantee the property?
<A> M <P>: whenever M is part of a system satisfying the assumption A, then the system must also guarantee P
5
Useful AG Rule for Safety Properties
1. check if a component M1 guarantees P when it is a part of a system satisfying assumption A.
2. discharge assumption: show that the remaining component M2 (the environment) satisfies A.
<A> M1 <P>
<true> M2 <A>
<true> M1║M2 <P>
M1 ║ M2 ² P
A
6
Assume-Guarantee
• Crucial element: assumption A. • Has to be strong enough to eliminate
violations of P, but also general enough to reflect the environment M2 appropriately.
• requires non-trivial human input in defining assumptions.
How to automatically construct assumptions ?
<A> M1 <P>
<true> M2 <A>
<true> M1║M2 <P>
7
Outline
• Motivation • Setting• Automatic Generation of Assumptions
for the AG Rule • Learning algorithm • Assume-Guarantee with Learning• Example
8
Labeled Transition Systems (LTS)
• Act – set of observable actions– LTSs communicate using observable actions
• τ – local \ internal action
LTS M = (Q, q0, αM, δ)• Q : finite non-empty set of states • q0 ∈ Q : initial state• αM µ Act : observable actions δµQ x (αM [ {τ }) x Q : transition
relation
Alphabet
9
Labeled Transition Systems (LTS)
in
0 1 2
send
ack
• Trace of an LTS M : finite sequence of observable actions that M can perform starting at the initial state.
• L(M) = the Language of M : the set of all traces of M.
Traces:<in>, <in, send>,
…
10
Parallel Composition M1║M2
• Components synchronize on common observable actions (communication).
• The remaining actions are interleaved.
M1 = (Q1,q01,αM1,δ1), M2 = (Q2,q0
2,αM2,δ2)
M1║M2 = (Q,q0,αM,δ)
• Q = Q1 x Q2
• q0 = (q01, q0
2)
• αM = αM1 [ αM2
11
Transition Relation δ
Synchronization on a ∈ αM1 Å αM2 :
(q1,a,q1’) ∈ δ1 and (q2,a,q2’) ∈ δ2 :
((q1,q2), a, (q1’,q2’)) ∈ δ
Interleaving on a ∈ (αM \ (αM1 Å αM2)) [ {τ} :
• (q1, a, q1’) ∈ δ1 and a ∉ αM2 :
((q1,q2), a, (q1’,q2)) ∈ δfor any q2 ∈ Q2
• (q2, a, q2’) ∈ δ2 and a ∉ αM1 :
((q1,q2), a, (q1,q2’)) ∈ δfor any q1 ∈ Q1
12
ExampleInput
in
0 1 2
send
ack
Output
out
a b c
send
ack
║
13
Input
in
0 1 2
send
ack
Output
out
a b c
send
ack
║
Input ║ Output
in
0,a
send
ack
0,b
0,c
1,a
2,a
1,b
2,b
1,c
2,c
out
0 a
0,a
1
1,a
2,b
b2 c
2,c
14
Input
in
0 1 2
send
ack
Output
out
a b c
send
ack
║
Input ║ Output
0,a
in
send
ack
0,b
0,c
1,a
2,a
1,b
2,b
1,c
2,c
out
in in out
out
15
Safety Properties
Also expressed as LTSs, but of a special kind:
Safety LTS :• Deterministic:
– Does not contain τ -transitions, and– every state has at most one outgoing
transition for each action: (q,a,q’), (q,a,q’’) ∈ δ q’ = q’’
16
Safety Properties
For a safety LTS, P:• L(P) describes the set of legal
(acceptable) behaviors over αP.
M ² P iff ∀σ ∈ L(M) : (σαP) ∈ L(P)
• For Σ µ Act, σΣ is the trace obtained from σ by removing all occurrences of actions a ∉ Σ.
Example: <in, send, ack>{in, ack} = <in, ack>
Language Containment
L(M) αP µ L(P)
17
Example
Order
in
out
Input ║ Output
0,a
in
send
ack
0,b
0,c
1,a
2,a
1,b
2,b
1,c
2,c
out
in in out
out
|=?
Pref(<in,send,out,ack>*)
Pref(<in,out>*)?
{in,out}
P
18
Model Checking M ² P
Safety LTS P an Error LTS, Perr :
• “traps” violations with special error state .
P = (Q, q0, αP, δ) Perr = (Q [ {}, q0, αP, δ’), where: δ’= δ[ {(q,a,) | a ∈ αP and ∄q’ ∈ Q:
(q,a,q’) ∈ δ}
• Error LTS is complete. is a deadend state: has no outgoing transitions.
19
Example
Ordererr
in
out
Order
in out
20
Model Checking M ² P
Theorem:
• M ² P iff is unreachable in M ║ Perr
Remark: composition M ║ Perr is defined as before with a small exception:
If the target state of a transition in Perr is , so is the target state of the corresponding transitions in the composed system M ║ Perr
In automata
: M ² iff
L(AM Å A) =;
21
Transition Relation δ
Synchronization on a ∈ αM1 Å αM2 :
(q1,a,q1’) ∈ δ1 and (q2,a,q2’) ∈ δ2 :
((q1,q2), a, (q1’,q2’)) ∈ δ
Interleaving on a ∈ (αM \ (αM1 Å αM2)) [ {τ} :
• (q1, a, q1’) ∈ δ1 and a ∉ αM2 :
((q1,q2), a, (q1’,q2)) ∈ δfor any q2 ∈ Q2
• (q2, a, q2’) ∈ δ2 and a ∉ αM1 :
((q1,q2), a, (q1,q2’)) ∈ δfor any q1 ∈ Q1
ππ
ππ
δ1: M, δ2: Perr
δ: M║Perr
22
Example
Ordererr in
out
Order
in out
║
Input ║ Output
0,a
in
send
ack
0,b
0,c
1,a
2,a
1,b
2,b
1,c
2,c
out
in in out
out
23
Example
Ordererr in
out
Order
in out
║
Input ║ Output
0,a
in
send
ack
1,a
2,b
2,c
out
24
║
Input ║ Output
0,a in send
ack
1,a
2,b
2,c out
i ii
Ordererr in
out
Order
in out
0,a,i
in
send
ack
1,a,i 2,b,i 2,c,i
out
0,a,ii
in
send
ack
1,a,ii
2,b,ii
2,c,ii
out
unreachable
0,a,i 2,c,i
1,a,ii
2,b,ii
0,a
1,a
ii
0,a,ii
25
in
║
Input ║ Output
0,a in send
ack
1,a
2,b
2,c out
i ii
Ordererr in
out
Order
in out
0,a,i
in
send
ack
1,a,i 2,b,i 2,c,i
out
0,a,ii
in
send
ack
1,a,ii
2,b,ii
2,c,ii
out
in
in
counter- exampl
e!
0,a,i
1,a,ii
26
Assume Guarantee Reasoning
• Assumptions: also expressed as safety LTSs.
• <A> M <P> is true iff A ║ M ² P i.e. is unreachable in A ║ M ║ Perr
<A> M1 <P>
<true> M2 <A>
<true> M1║M2 <P>
A ║ M1 ² P
M2 ² A
M1║M2 ² P
M1, M2 : LTSs
P, A : safety LTSs
27
Outline
• Motivation• Setting• Automatic Generation of Assumptions
for the AG Rule • Learning algorithm • Assume-Guarantee with Learning• Example
28
Observation 1
• AG Rule will return conclusive results with:
Weakest assumption Aw under which M1 satisfies P:
• Under assumption Aw on M1‘s environment, M1 satisfies P , i.e. Aw ║ M1 ² P
• Weakest: forall env. M’2: M1║M’2 ² P IFF M’2 ²Aw
Given Aw, to check if M1║M2 ² P, check if M2 meets the assumption Aw.
sufficient and necessary assumption on M1’s env.
A ║ M1 ² P
M2 ² A
M1║M2 ² P
29
How to Obtain Aw ?
• Given module M1, property P and M1‘s interface with its environment Σ = (αM1 [ αP) Å αM2 :
Aw describes exactly all traces over Σ such
that in the context of , M1 satisfies P
– Expressible as a safety LTS– Can be computed algorithmically
Drawback of using Aw : if the computation runs out of memory, no assumption is obtained.
M1║M’2 ² P
IFF M’2 ² Aw
30
Observation 2
• No need to use the weakest env. assumption Aw.
• AG rule might be applicable with stronger (less general) assumption.
Instead of finding Aw:
• Use learning algorithm to learn Aw .
• Use candidates Ai produced by learning algorithm as candidate assumptions: try to apply AG rule with Ai.
A ║ M1 ² P
M2 ² A
M1║M2 ² P
31
Given a Candidate Assumption Ai
If Ai ║ M1 ² P does not hold:
Assumption Ai is not tight enough
need to strengthen Ai
A ║ M1 ² P
M2 ² A
M1║M2 ² P
32
Given a Candidate Assumption Ai
Suppose Ai║ M1 ² P holds:
If M2 ² Ai also holds M1║M2 ² P verified!.
Otherwise: σ ∈ L(M2) but (σαΣ) ∉ L(Ai) -- cex
P violated by M1 in the context of cex=(σαΣ) ?
Yes: real violation ! M1║M2 ² P falsified !
No: spurious violation. need to find better approximation of Aw.
“cex║M1” |≠ P ?
A ║ M1 ² P
M2 ² A
M1║M2 ² P
33
“cex║M1” ² P ?
Compose M1 with LTS Acex over αΣ
cex=a1,…ak Acex : Q={q0,…,qk} , q0 = q0
δ ={ (qi,ai+1,qi+1) | 0 i < k }
Model check Acex║M1 ² P
Is reachable in Acex║M1║Perr ?
Alternatively: simulate cex on M1║ Perr
cex║M1² P iff when cex is simulated on M1║Perr it cannot lead to (error) state.
yesno
Real violation
Spurious cex
q0 a1 a2
q1
qk ak
…
“cex ∊ L(Aw)” ?
34
Assume-Guarantee Framework
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
false
YN
P holds in M1||M2
P violated in M1||M2
Learning 1. Ai║ M1 |= P
realerror?
2. M2 |= Ai
cex║M1 | P ?
cex L(Ai)
For Aw :
conclusive results guaranteed
termination!
35
Outline
• Motivation• Setting• Automatic Generation of Assumptions
for the AG Rule • Learning algorithm • Assume-Guarantee with Learning• Example
36
Learning Algorithm for DFA – L*
• L*: by Angluin, improved by Rivest & Schapire
• learns an unknown regular language U • produces a Deterministic Finite state
Automaton (DFA) C such that L(C) = U
DFA M = (Q, q0, αM, δ, F) :• Q, q0, αM, δ: as in deterministic LTS• F µ Q : accepting states• L(M) = {σ | δ(q0, σ) ∈ F}
37
Learning Algorithm for DFA – L*
• L* interacts with a Teacher to answer two types of questions:– Membership queries: is string σ in U ?
– Conjectures: for a candidate DFA Ci, is L(Ci) = U ?• answers are (true) or (false +
counterexample)
Conjectures C1, C2, … converge to C
Equivalence
Queries
38
Learning Algorithm for DFA – L*
Myhill-Nerode Thm.
For every regular set U ⊆∑* there exists a unique minimal deterministic automaton whose states are isomorphic to the set of equivalence classes of the following relation:
w ≈ w’ iff ∀u ∈∑* : wu ∈U ⇔ w’u ∈U
Basic idea: learn the equivalence classes
• Two prefixes are not in the same class iff there is a distinguishing suffix u
39
General Method
• L* maintains a table that records whether strings in belong to U– makes membership queries to update it
• Once all currently distinguishable strings are in different classes (table is closed), uses table to build a candidate Ci -- makes a conjecture :– if Teacher replies true, done!– if Teacher replies false, uses counterexample
to update the table
40
Learning Algorithm for DFA – L*
Observation Table: (S, E, T)S 2 – prefixes (represent. of equiv. classes /
states)E 2 – suffixes (distinguishing)T: mapping (S ∪ S·∑) · E {true, false}
∈U
∉U
E· e1 e2 …
s1 true false S s2...
false …...
S
s1·a true falses1·b…
true ……
s2·a
s2·b…
T :
41
T: (S ∪ S·∑) ·E {true, false}
(S,E,T) is closed if
∀s∈S ∀a∈∑ ∃s’∈S ∀e∈E: T(sae)=T(s’e)
∈U ∉U
represents the next state from s after
seeing a
sa is undistinguishable
from s’ by any of the suffixes
L* Algorithm
i.e. Every row sa of S has a matching row s’ inS
E· e1 e2 …
s1 true false S s2...
false …...
S
s1·a true falses1·b…
true ……
s2·a
s2·b…
42
Learning Algorithm for DFA – L*
Initially: S={λ}, E= {λ}Loop {
update T using membership querieswhile (S,E,T) is not closed {
add sa to S where sa has no repr. prefix s’update T using membership queries
}from a closed (S,E,T) construct a candidate DFA - Cpresent an equivalence query: L(C) = U ?
}
sa has no matching
rows’ inS
43
Learning Algorithm for DFA – L*
Initially: S={λ}, E= {λ}Loop {
update T using membership querieswhile (S,E,T) is not closed {
add sa to S where sa has no repr. prefix s’update T using membership queries
}from a closed (S,E,T) construct a candidate DFA - Cpresent an equivalence query: L(C) = U ?
}
Candidate DFA from a closed (S,E,T):States: SInitial state: λAccepting states:
s ∈S such that T(s) [= T(s¢λ)] = trueTransition relation:
δ(s,a) = s’ where ∀e∈E: T(sae)=T(s’e)
[ closed: ∀s∈S ∀a∈∑ ∃s’∈S ∀e∈E:
T(sae)=T(s’e) ]
44
Learning Algorithm for DFA – L*
Initially: S={λ}, E= {λ}Loop {
update T using membership querieswhile (S,E,T) is not closed {
add sa to S where sa has no repr. prefix s’update T using membership queries
}from a closed (S,E,T) construct a candidate DFA - Cpresent an equivalence query: L(C) = U ?if C is correct return Celse add e∈∑* that witnesses the cex to E
}
45
Choosing e
• e must be such that adding it to E will eliminate the current cex in the next conjecture.
• e is a suffix of cex that witnesses a difference between L(Ci) and U
• Adding e to E will cause an addition of a prefix (state) to S splitting states
46
Characteristics of L*
• Terminates with minimal automaton C for U
• Each candidate Ci is smallest– any DFA consistent with table has at least as
many states as Ci
– |C1| < | C2| < … < |C|
• Produces at most n candidates, where n = |C|
• # membership queries: O(kn2 + n logm) – m: size of largest counterexample– k: size of ∑
47
Outline
• Motivation• Setting• Automatic Generation of Assumptions
for the AG Rule • Learning algorithm • Assume-Guarantee with Learning• Example
48
Assume-Guarantee with Learning
Reminder:• Use learning algorithm to learn Aw .• Use candidates produced by learning as
candidate assumptions Ai for AG rule.
In order to use L* to produce assumptions Ai:• Show that L(Aw) is regular• Translate DFA to safety LTS (assumption)• Implement the teacher
49
L(Aw) is Regular
• Aw is expressible as a safety LTS• Translation of safety LTS A into DFA C:
A = (Q, q0, αM, δ) C = (Q, q0, αM, δ, Q)
There exists a DFA C s.t. L(C) = L(Aw)
L* can be used to learn a DFA that accepts L(Aw)
50
DFA to Safety LTS
• DFAs Ci returned by L* are complete, minimal and in this setting also prefix-closed:
– if 2 L(Ci), then every prefix of is also in L(Ci).
Ci contains a single non-accepting state qnf and no accepting state is reachable from qnf.
To get a safety LTS simply remove non-accepting state and all its ingoing transitions :
Ci = (Q [ {qnf}, q0, αM, δ, Q)
Ai = (Q, q0, αM, δ Å (Q £ αM £ Q) )
Weakestassumption
is prefix-closed
51
Implementing the Teacher
Aw is unknown…
• Membership query: ∈ L(Aw)?
Check if “║M1” ⊨ P :– Model checking: is reachable in
A║M1║Perr ?
– Simulation: is (error) state reachable when simulating on M1║ Perr ?
• Equivalence query: L(Ci) = L(Aw) ?
– Translate Ci into a safety LTS Ai
– Use it as candidate assumption for AG rule
L(Aw) iff
in context of ,M1 satisfies P
or
52
P holds in M1||M2
Model Checking
1. Ai║ M1 |= P
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
false
cex║M1 | P ?
cex L(Ai)
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN P violated in M1||M2
L(Ai) = L(Aw) ?
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
53
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
1. Ai║ M1 |= P
L(Ai) = L(Aw) ?
L(Ai) ⊆ L(Aw)?
cex L(Ai)
cex L(Aw)
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
54
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
L(Ai) = L(Aw) ?
L(Ai) ⊆ L(Aw)
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
55
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
realerror?
2. M2 |= Ai
L(Ai) = L(Aw) ?
L(Ai) ⊆ L(Aw)
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
56
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
realerror?
2. M2 |= Ai
L(Ai) = L(Aw) ?
L(Ai) ⊆ L(Aw)
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
L(Ai) ⊇ L(Aw)?
57
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
YN
P holds in M1||M2
P violated in M1||M2
realerror?
2. M2 |= Ai
L(Ai) = L(Aw) ?
L(Ai) ⊆ L(Aw)
false
cex║M1 | P ?
cex L(Ai)
Aw contains all traces that can be composed with M1 without violating P.
cex L(Ai)
cex L(Aw)
L(Ai) ⊇ L(Aw)?
58
Equivalence Query - Summary
2 applications of model checking + 1 model checking
or simulation
Model Checking
1. Ai║ M1 |= P
realerror?
2. M2 |= Ai
truetrue
YN
false
false
!
!cex
cex
59
Equivalence Query - Summary
If L(Ai) = L(Aw):AG rule returns conclusive results No need to continue with L*
If L(Ai) ≠ L(Aw):Can terminate and abort L*. Otherwise, cex is returned in1 if L(Ai) ⊈ L(Aw), or
2 if L(Ai) ⊊ L(Aw)
Model Checking
1. Ai║ M1 |= P
realerror?
2. M2 |= Ai
truetrue
YN
false
false
!
!cex
cex
60
Assume-Guarantee Framework
Model Checking
1. Ai║ M1 |= P
Learning
realerror?
2. M2 |= Ai
Ai
counterexample – strengthen assumption
counterexample – weaken assumption
false
truetrue
false
YN
P holds in M1||M2
P violated in M1||M2
Learning 1. Ai║ M1 |= P
realerror?
2. M2 |= Ai
cex║M1 | P ?
cex L(Ai)
61
Characteristics of Framework
• AG uses conjectures produced by L* as candidate assumptions Ai
• L* uses AG as teacher
• L* terminates Framework guaranteed to terminate:
– At latest terminates when Aw is produced.
– Possibly terminates before Aw is produced!
62
Characteristics of Framework
• L* makes at most n = |Aw| equivalence queries
• # membership queries: O(kn2 + n logm) – m: size of largest counterexample– k: size of ∑
• membership query Model checking X 1• equivalence query Model checking X 3 O(kn2 + n logm) simulations
+ O(n) model checking applications.
Each MC involves either M1 or M2 - not both!
or simulation
63
Outline
• Motivation• Setting• Automatic Generation of Assumptions
for the AG Rule • Learning algorithm • Assume-Guarantee with Learning• Example
64
Output
send
ack
out
Ordererr in
out out in
Example Input
in
ack
send
Check: Input║Output ² Order ?
M1 M2 P
(assumption’s alphabet) : {send, out, ack}
Σ = (αM1 [ αP) Å αM2
65
Ordererr in
out in
Output
send
ack
out
Membership Queries Input
in
ack
send
E
Table T S ?
S ack
out
send
S = set of prefixesE = set of suffixes
L(Aw)?
Simulate on Input║Ordererr
Σ = {send, out, ack}
out
66
Input ║ Ordererr
0,a
out
ack
1,a
2,a
0,b
1,b
2,b
out out send
send
Ordererr in
out out in
Inputin
ack
send
in
inack
out
Simulate on Input║Ordererr
Σ = {send, out, ack}
0,a
1,b
unreachable L(Aw)
Output
send
ack
out
67
Ordererr in
out out in
Output
send
ack
out
Input in
ack
send
Membership Queries
S = set of prefixesE = set of suffixes
L(Aw)?
Simulate on Input║Ordererr
yes!
Σ = {send, out, ack}
E
Table T S ?
S ack out
send
true
68
Ordererr in
out out in
Output
send
ack
out
Input in
ack
send
Membership Queries
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
E
Table T S ?
S ack ?out
send
true<ack> L(Aw)?
yes!
Simulate<ack> on Input║Ordererr
true
69
true
Ordererr in
out out in
Output
send
ack
out
Input in
ack
send
Membership Queries
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
E
Table T S ?
S ack out ?send
true
Simulate<out> on Input║Ordererr
<out> L(Aw)?
70
Input ║ Ordererr
0,a
out
ack
1,a
2,a
0,b
1,b
2,b
out out send
send
Ordererr in
out out in
Input
in
ack
send
in
inack
out
Simulate<out> on Input║Ordererr
Σ = {send, out, ack}
reachable<out>∉ L(Aw)
0,a
Output
send
ack
out
71
Ordererr in
out out in
Output
send
ack
out
Input
in
ack
send
Membership Queries
Simulate<out> on Input║Ordererr
<out> L(Aw)?
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
no!E
Table T S ?
S ack trueout ?send
true
false
72
Ordererr in
out out in
Output
send
ack
out
Input
in
ack
send
Membership Queries
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
E
Table T S ?
S ack trueout falsesend true
true
73
Ordererr in
out out in
Output
send
ack
out
Candidate Construction Input
in
ack
send
S = set of prefixesE = set of suffixes E
Table T S true
out false
S ack
out
send
out, ack
out, out
out, send
truefalsetrue
Σ = {send, out, ack}
74
Ordererr in
out out in
Output
send
ack
out
Candidate Construction Input
in
ack
send
S = set of prefixesE = set of suffixes E
Table T S true
out false
S ack
out
send
out, ack
out, out
out, send
truefalsetruefalsefalsefalse
Σ = {send, out, ack}
75
Ordererr in
out out in
Output
send
ack
out
Candidate Construction Input
in
ack
send
acksend
2 states – non accepting state not added to assumption
Assumption A1
S = set of prefixesE = set of suffixes E
Table T S true
out false
S ack
out
send
out, ack
out, out
out, send
truefalsetruefalsefalsefalse
Table closed !
Σ = {send, out, ack}
76
Ordererr in
out out in
Output
send
ack
out
Conjectures Input
in
ack
send
A1: Step 1: A1║Input ²
Order
acksend
Σ = {send, out, ack}
Input ║ Ordererr
0,a
out
ack
1,a
2,a
0,b
1,b
2,b
out out send
send
in
inack
out
A1║Input ≡ InputA1 ║Input ║Ordererr
0,a
1,b
0,b
2,b
77
Ordererr in
out out in
Output
send
ack
out
Conjectures Input
in
ack
send
A1: Step 1: A1║Input |=
Order
Counterexample:c = in,send,ack,in ack
send
Σ = {send, out, ack}
Return to L*:c = send,ack
L(A1)\L(Aw)
0,a
out
ack
1,a
2,a
0,b
1,b
2,b
out out send
send
in
inack
out
A1 ║Input ║Ordererr
0,a
1,b
0,b
2,b
78
Ordererr in
out in
Output
send
ack
out
Membership Queries Input
in
ack
send
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
out
E '
Table T ack
S true out false
S ack
out
send
out, ack
out, out
out, send
truefalsetruefalsefalsefalse
Return to L*:c = send,ack
L(A1)\L(Aw)
79
Ordererr in
out in
Output
send
ack
out
Membership Queries Input
in
ack
send
S = set of prefixesE = set of suffixes
Σ = {send, out, ack}
out
E '
Table T ack
S true out false
S ack
out
send
out, ack
out, out
out, send
truefalsetruefalsefalsefalse
truefalse
false
falsefalsefalse
false
true
80
Ordererr in
out in
Output
send
ack
out
Input in
ack
send
Σ = {send, out, ack}
out
Table T ack
S true out false
send true
S ack
out
send
out, ack
out, out
out,send
send,ack
send,out
send,send
truefalse
truefalsetruefalsefalsefalse
false
falsefalsefalse
false
true
E '
false
false
falsetruetrue
truetrue
81
3 states – non accepting state not added to assumption
Assumption A2
Table closed !
Σ = {send, out, ack}
Ordererr in
out in
Output
send
ack
out
Input in
ack
send
out
E 'Table T ack
S true out false
send true
S ack
out
send
out, ack
out, out
out,send
send,ack
send,out
send,send
truefalsetruefalsefalsefalse
false
falsefalsefalse
false
true
false
falsetruetrue
truetrue
truefalsefalse
ack
send
out, send
82
Ordererr in
out out in
Output
send
ack
out
Conjectures Input
in
ack
send
A1: Step 1: A1║Input ²
Order
Counterexample:c = in,send,ack,in
Return to L*:c = send,ack
Step 1: A2║Input ² Order
True
Step 2: Output ² A2
True
property Order holds on Input║Output
ack
send
out, send
A2:Queries
acksend
Σ = {send, out, ack}
L(A1)\L(Aw)
c ∉ L(A2)
83
Output
send
ack
out
sendOrdererr in
out out in
Input
in
ack
send
Step 2: Output’ ² A2
Counterexample:c=send,send,out
Simulate c= send,send,out
on Input║Ordererr
real error?
Σ = {send, out, ack}
Another Example
ack
send
out, send
A2:
84
Output
send
ack
out
sendOrdererr in
out out in
Input
in
ack
send
Step 2: Output’ ² A2
Counterexample:c=send,send,out
Simulate c= send,send,out
on Input║Ordererr
real error?
Σ = {send, out, ack}
Another Example
Input ║ Ordererr
0,a
out
ack
1,a
2,a
0,b
1,b
2,b
out out send
send
in
inack
out0,
a
1,b
2,b
not a real error!unreachable
85
Return c to L*
Output
send
ack
out
sendOrdererr in
out out in
Input
in
ack
send
Step 2: Output’ |=A2
Counterexample:c=send,send,out
Simulate c= send,send,out
on Input║Ordererr
real error?
Another Example
ack,out,send
ack
send out
ack send
send
A4: property
Order holds on Input║Output’
not a real error!
Aw
L(Aw)\L(A2)
Σ = {send, out, ack}
unreachable
86
Conclusion
• Generate assumptions for assume-guarantee reasoning in an incremental and fully automatic fashion, using learning.
• Each iteration of assume-guarantee may conclude that the required property is satisfied or violated in the system.
• Assumption generation converges to an assumption that is necessary and sufficient for the property to hold in the specific system.
87
The End