automated assume- guarantee reasoning for … assume-guarantee reasoning for omega-regular systems...

© 2010 Carnegie Mellon University

Automated Assume-

Guarantee Reasoning for

Omega-Regular Systems and

Specifications

Software Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213

Arie Gurfinkel and Sagar ChakiApril 13, 2010Second NASA Formal Methods Symposium

2

Automated AG for Omega-Regular

Arie Gurfinkel and Sagar Chaki


NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder.

This Presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].

This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013.

mailto:[email protected]

3




When Failure is Not an Option

Failure is not an option for

• Safety Critical Systems (e.g., X-rays machines)

• Medical Devices (e.g., infusion pumps, …)

• Embedded Software (e.g., cars, airplanes)

• Security Vulnerabilities (e.g., nuclear plants)

• …

Formal software verification is essential to guarantee absence of failures

• Automated techniques include model checking and static analysis …

• which can be used to validate, for example, safety and security, behavior prior to program execution

• and provide objective evidence of safe behavior

4




Assume Guarantee Reasoning

M1 || A ² S M2 ² A

M1 || M2 ² S

How to automatically find a sufficiently good assumption?!

System M1 in parallel with system M2 satisfies specification S

iff there exists an assumption A such that

• M1 in parallel with A satisfies S

• M2 satisfies the assumption A

5




Related Work

Safety properties

• Giannakopoulou et al. ASE 2002 – computing weakest assumption

• Cobliegh et al. TACAS 2003 – using L* to learn “good-enough” assumption

• Barringer et al. SAVCBS 2003 – AG proof rules, soundness, completeness

• many follow up works to improve algorithms, complexity, applicability, etc.

Liveness properties

• Farzan et al. TACAS 2008 – L$ a learning algorithm for omega-regular languages

• THIS PAPER

– Assume-Guarantee proof rules for reactive (omega-regular) systems

– Soundness and (in)completeness

– Two new learning algorithms for infinitary (finite + infinite) languages

– A unifying framework for learning-based automated AG (see paper)

6




Outline

Background

• Model of concurrency: LTS, composition, specifications, etc.

• Active learning of regular languages: L*

• Learning-based Automated Assume Guarantee Framework

Non-Circular Assume Guarantee Rule (AG-NC)

• Soundness and in-completeness for omega-regular languages

• Soundness and completeness for -regular languages

• Learning algorithms for -regular languages

Circular Assume Guarantee Rule (AG-C)

• Soundness and completeness

Conclusion and Future Work

7




Labeled Transition System (LTS)

M = (Q, I, , T)

• Q -- non-empty set of states

• I Q an initial state

• -- set of actions (a.k.a, the alphabet)

• T Q Q – a transition relation

a

a

b

c d

e

M

(M) = {a,b,c,d,e,f}

FA or Buchi

acceptance condition+

8




Operational Semantics

CSP Semantics

• handshake (synchronize) over shared actions

• otherwise, proceed independently (asynchronously)

Composition M1 || M2

is

• State of M1

|| M2

is of the form (s1,s2), where si is a state of Mi

s1 t1 a ( M2) a

(s1,s2) (t1,s2)a

s2 t2 a ( M1) a

(s1,s2) (s1,t2)a

s1 t1 s2 t2a

(s1,s2) (t1,t2)a

a

9




Example of Composition

1 2 3 4a b c

1’ 2’ 3’ 4’a d c

M1 = {a,b,c} M2 = {a,d,c}

1,1’ 2,2’a

3,2’b

2,3’d’

3,3’

d’

b

4,4’c

M1 k M2 = {a,b,d,c}

10




L* (Angluin 1987, Rivest & Schapire 1993)

s 2 U ?

yes/no

L(A) = U ?

No. 2 U ∆ L(A)

yes. L(A) = U

Membership

Query

Candidate

Query

L* learner Minimally Adequate Teacher (MAT)

U -- regular languageΣ(U)

DFA A

L(A) = U

11




Assume Guarantee with Learning

Model Checking

A || M1 ² p

M2 ² A

A

true

true

Negative feedback

N

M1 || M2 ² p

Positive feedback

N

Y

M1 || M2 2 p

² M2

false,

false, ² M1 || :pY

L*

12




Outline

Background

• Model of concurrency: LTS, composition, specifications, etc.

• Active learning of regular languages: L*

• Learning-based Automated Assume Guarantee Framework

Non-Circular Assume Guarantee Rule (AG-NC)

• Soundness and in-completeness for omega-regular languages

• Soundness and completeness for -regular languages

• Learning algorithms for -regular languages

Circular Assume Guarantee Rule (AG-C)

• Soundness and completeness


13




AG-NC: Non-Circular Assume Guarantee Rule

(L1 || LA) ¹ LS L2 ¹ LA

(L1 || L2) ¹ LS

A = ( S)

Complete for Safety (regular) properties ( )

Incomplete for Liveness (omega-regular) properties ( )

L ¹ S iff L¼ΣS µ S

14




Proof of Incompleteness (by Counterexample)

= {a, b} = {a, c} S = {a, b}

L1 = (a+b) L2 = a*c LS = (a+b)*b

Assumption alphabet: = {a}

BUT, there is no assumption LA µ ! to apply AG-NC

a,b cc

a

|| ²b

ba,b

A ; A a!L2 ⋠ A1 L1 || A2 ⋠LS

15




AG-NC: Infinite Trace Containment

(L1 || LA) ¹! LS L2 ¹! LA

(L1 || L2) ¹! LS

A = ( S)

NOT SOUND!

L ¹! S iff !(L¼ΣS) µ !(S)

16




Proof of Unsoundness (by Counterexample)

= {a, b} = {a, c} S = {a, b}

L1 = (a+b) L2 = a*c LS = b

= {a}

BUT, LA = ; satisfies all premises of (modified) AG-NC

a,b cc

a

|| 2b

17




AG-NC: Relaxing Assumption Alphabet

(L1 || LA) ¹ LS L2 ¹ LA

(L1 || L2) ¹ LS

A = ( S)

Assumption “knows” about internal actions of L1 and L2

Not “truly” compositional

Complete for Safety (regular) properties ( )

Complete for Liveness (omega-regular) properties ( )

18




AG-NC: Restoring Completeness

Theorem: Let L1 and LS be two languages, and an alphabet s.t.

= S. Then, LA = {((L1 || {(LS))¼ ) is the weakest

assumption such that L1 || LA ¹ LS

AG-NC is complete for any class of languages closed under

projection and complement

AG-NC is complete for

AG-NC is complete for

Need a learning algorithm for !

Corollaries:

19




Learning Infinitary Language U: Approach 1

Use L* and L$ simultaneously to learn a DFA D and a BA B such that L(DFA) = *(U) and L(BA) = !(U)

Assume M is a MAT for U

Use M to answer membership queries until both learners generate a candidate query

Use M to verify the candidate query: L(D) [ L(B) = U

• on success, stop

• if counterexample is finite, send to L* and resume until next DFA candidate

• if counterexample is infinite, send to L$ and resume until next BA candidate

Two learners. Possibly a lot of redundancy.

20




Learning Infinitary Language U: Approach 2

Use L$ to learn U.¿!, where ¿ is a “fresh” symbol not in §U

Assume M is a MAT for U

To answer a membership query infinite word s

• if s = t.¿! and t 2 §U1 then ask M whether t 2 U and forward answer back

• Otherwise, answer “no”

To answer a candidate query with candidate BA C

• if L(C) * §U1.¿! return ¼ 2 L(C) n §U

1.¿!

• otherwise, forward candidate query *(L(A)¼ , !(L(A)¼ ) to M

Single learner, BUT larger alphabet

21




Circular AG-rule (AG-C): Summary

L1 || LA1 ¹ LS L2 || LA2 ¹ LS {(LA1) || {(LA2) ¹ LS

L1 || L2 ¹ LS

ΣA1= ΣA2= (Σ1∩Σ2) ∪ ΣS

Complete for Safety (regular) properties (Σ1)

Complete for Liveness (omega-regular) properties (Σ!)

BUT need to learn 2 assumptions AND assumption alphabet is larger

22




Learning-Based AG (LAG) Framework

Conformance Rule A Learner(s) Oracle(s) Checker

Regular Trace AG-NC DFA P1 = P (L¤) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)

Containment [?]

Regular Trace AG-C DFA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)

Containment [?] P (L¤) Q2 = Q(L2; LS ;§C)

1-regular Trace AG-NC DFA £ BA P1 = P (L) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)

Containment

1-regular Trace AG-C DFA £ BA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)

Containment P (L) Q2 = Q(L2; LS ;§C)

!-regular Trace AG-NC DFA £ BA P1 = P (L) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)

Containment

!-regular Trace AG-C BA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)

Containment P (L!) Q2 = Q(L2; LS ;§C)



Containment [?]


Containment [?] P (L¤) Q2 = Q(L2; LS ;§C)


Containment




Containment





Containment [1]


Containment [2] P (L¤) Q2 = Q(L2; LS ;§C)


Containment




Containment



[1] Cobleigh, Giannakopoulou, Pasareanu, TACAS’03

[2] Barringer, Giannakopoulou, Pasareanu, SAVCBS’03

The last four rows are contributions of THIS PAPER

23





Compositional approach to verification is fundamental for scalability!

Automated AG for Liveness (omega-regular) properties

• Non-Circular Rule: soundness, (in)completeness

• Circular rule – remains sound and complete

• Two new learning algorithms for infinitary languages

Unified Framework for Learning-based Assume Guarantee Reasoning

Future Work

• implementation and empirical evaluation

• experiments with other learning algorithms


THE END

25




Contact Information

Presenter

Arie Gurfinkel

RTSS

Telephone: +1 412-268-5800

Email: [email protected]

U.S. mail:

Software Engineering Institute

Customer Relations

4500 Fifth Avenue

Pittsburgh, PA 15213-2612

USA

Web:

www.sei.cmu.edu

http://www.sei.cmu.edu/contact.cfm

Customer Relations

Email: [email protected]

Telephone: +1 412-268-5800

SEI Phone: +1 412-268-5800

SEI Fax: +1 412-268-6257

mailto:[email protected]

automated assume- guarantee reasoning for … assume-guarantee reasoning for omega-regular systems...

Documents