
Learning-based Assume-Guarantee Reasoning

2.1 Compositional Verification

2.1.2 Learning-based Assume-Guarantee Reasoning

In 2003, Cobleigh et al. [Cobleigh et al., 2003] introduced the application of learning-based frameworks to compositional reasoning. Concisely, their idea was to apply an off-the-shelf learning algorithm to automatically generate assumptions in an iterative, incremental and automated fashion. The high-level methodology attempted in these works [Cobleigh et al., 2003; Nam and Alur, 2006; Cobleigh et al., 2008] is shown in Figure 2.2 (reproduced from [Giannakopoulou and Pasareanu, 2013]).

At a high level, and as shown in Figure 2.2, the L∗ learning algorithm (Section 2.1.2.1) is used to incrementally construct an assumption for assume-guarantee reasoning. The technique starts by learning those strings s that keep M1 “safe” relative to the property P. Eventually, L∗ will generate a “candidate assumption” Ai encapsulating all known “safe” strings. If M1, when composed with Ai, is also safe with respect to P, it is then necessary to check whether Ai is a valid assumption to abstract the module M2. If either of these two checks fails, the evidence generated by the model checker for this failure can be used to refine and re-learn the next candidate assumption.

2.1.2.1 L∗ Algorithm

The L∗ algorithm was originally introduced by Angluin [Angluin, 1987], while the complexity bounds and efficiency of the original procedure were later improved by Rivest and Schapire [Rivest and Schapire, 1993].


[Figure 2.2 (diagram not reproduced). Recoverable elements: L* issues membership queries (“query: string s”) answered by checking ⟨s⟩ M1 ⟨P⟩ (true/false); each conjecture Ai is checked first for safety, 1. ⟨Ai⟩ M1 ⟨P⟩ (“safe?”), then for permissiveness, 2. ⟨true⟩ M2 ⟨Ai⟩ (“permissive?”); a counterexample c is projected onto the assumption alphabet (c ↑ αAi) and returned to L*; the two outcomes are “⟨true⟩ M1||M2 ⟨P⟩ holds” and “⟨true⟩ M1||M2 ⟨P⟩ does not hold”.]

Fig. 2.2. Learning Assumptions for Assume-Guarantee Reasoning

L∗ learns an unknown regular language U, over an alphabet Σ, and produces a deterministic finite automaton (DFA) C such that the language accepted by C is U.

To learn U, the L∗ algorithm interacts with a “minimally adequate teacher” (teacher). The algorithm queries the teacher with two kinds of question:

1. Membership Query – this asks, given a string σ ∈ Σ∗, whether σ ∈ U. When σ ∈ U the teacher returns true, and false in all other cases.

2. Equivalence Query – an equivalence query takes the form of a conjecture by L∗, i.e., the algorithm generates a possible candidate DFA C and asks if L(C), the language accepted by C, is the same as U. When L(C) = U the teacher returns true. When it returns false, the teacher also returns a counterexample, which is an element in the symmetric difference between L(C) and U (i.e., a member of (L(C) \ U) ∪ (U \ L(C))).

L∗ collects information about strings which are, or are not, members of the language U. This is done by building an observation table whose rows are the prefixes and whose columns are the suffixes learnt so far, with each entry recording whether the concatenation of that prefix and suffix is included in the language.
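As an added illustration (not code from the thesis or from Angluin's paper), the following Python implements the L∗ loop just described: an observation table over prefixes S and suffixes E, membership queries to a teacher, and equivalence queries answered by a constructed bounded-exhaustive oracle standing in for the model checker of Figure 2.2. The target language (words with an even number of a's), the oracle bound and all function names are assumptions.

```python
from itertools import product

def lstar(alphabet, member, equiv):
    """Angluin's L*: learn a DFA for an unknown regular language U from a teacher giving
    member(s) -> bool and equiv(dfa) -> None if L(dfa) == U, else a counterexample."""
    S, E = [""], [""]                                  # prefixes (rows), suffixes (columns)
    row = lambda s: tuple(member(s + e) for e in E)    # one observation-table row
    while True:
        changed = True
        while changed:                                 # make the table closed and consistent
            changed = False
            rows = {row(s) for s in S}
            for s, a in product(list(S), alphabet):    # closed: every row(s.a) is some row(s')
                if row(s + a) not in rows:
                    S.append(s + a); changed = True; break
            if changed:
                continue
            for s1, s2, a, e in product(S, S, alphabet, E):   # consistent: equal rows stay equal
                if row(s1) == row(s2) and member(s1 + a + e) != member(s2 + a + e):
                    E.append(a + e); changed = True; break
        states = {}                                    # conjecture: one state per distinct row
        for s in S:
            states.setdefault(row(s), s)
        delta = {(row(s), a): row(s + a) for s in S for a in alphabet}
        accepting = {r for r in states if r[0]}        # E[0] == "", so r[0] is member(s)
        dfa = (row(""), delta, accepting)
        cex = equiv(dfa)
        if cex is None:
            return dfa
        for i in range(1, len(cex) + 1):               # add every prefix of the counterexample
            if cex[:i] not in S:
                S.append(cex[:i])

def accepts(dfa, word):                                # run a conjecture (start, delta, accepting)
    state, delta, accepting = dfa
    for a in word:
        state = delta[(state, a)]
    return state in accepting

def bounded_equiv(member, alphabet, max_len):
    """Constructed oracle: compare the conjecture with the teacher on all words up to max_len."""
    def equiv(dfa):
        for n in range(max_len + 1):
            for word in map("".join, product(alphabet, repeat=n)):
                if accepts(dfa, word) != member(word):
                    return word
        return None
    return equiv
# Constructed target language U: words over {a, b} with an even number of a's.
even_a = lambda w: w.count("a") % 2 == 0
DFA = lstar("ab", even_a, bounded_equiv(even_a, "ab", 6))
```

The learnt DFA for this language has two states; a target such as "words ending in ab" forces the counterexample path, after which the table gains a distinguishing suffix and a three-state conjecture.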

2.1.2.2 Assume-Guarantee Reasoning for Labelled Transition Systems

Various authors [Cobleigh et al., 2003; Cobleigh et al., 2008; Pasareanu et al., 2008] have applied L∗-based learning for assumptions to the problem of compositional verification for labelled transition systems (LTS) and trace-based properties. For further details on LTS, we refer the reader to [Magee and Kramer, 1999].

In the following, let Act be a set of universal observable actions and let π denote an error state. Trivially, for a given safety property, when an LTS enters an error state, then it is in violation of the property.

Properties.

An LTS that contains no π states is called a “safety LTS”. A safety property is specified as a safety LTS P, whose language L(P) specifies all of the safe behaviours over a set of actions αP.

An LTS M “satisfies” the safety LTS P iff:

$\forall \sigma \in L(M) \,:\, (\sigma \downarrow \alpha P) \in L(P)$

i.e., all of the traces of M, when restricted (denoted ↓ αP in the above) to the alphabet of P, are also traces of P.

To check an LTS safety property P, an “error LTS” Perr is constructed, which traps violations of P in the error state π. Given an LTS safety property P = ⟨Q, αP, δ, q0⟩, Perr = ⟨Q ∪ {π}, αPerr, δ', q0⟩, where αPerr = αP and:

$\delta' = \delta \cup \{\,(q, a, \pi) \mid q \in Q,\; a \in \alpha P \text{ and } \nexists\, q' \in Q : (q, a, q') \in \delta\,\}$

That is, the transition relation δ' for the error LTS Perr is the (potentially non-serial) transition relation of P, but for every transition that does not exist in P, Perr transitions to the error state π.

To check the conformance of M to P, the parallel composition M ∥ Perr is constructed, and M |= P holds iff π is not reachable in M ∥ Perr.

Learning-based assume-guarantee reasoning.

To check if an assume-guarantee triple ⟨A⟩ M ⟨P⟩ holds for a component M, where both A and P are given as safety LTS, it is sufficient to check whether the state π is reachable in A ∥ M ∥ Perr. If π is not reachable, then ⟨A⟩ M ⟨P⟩ is satisfied. The learning-based approaches consider the application of learning in the context of the following assume-guarantee rule with safety properties:

$$\frac{\langle \mathit{true}\rangle\; M_1\; \langle A\rangle \qquad \langle A\rangle\; M_2\; \langle P\rangle}{\langle \mathit{true}\rangle\; M_1 \parallel M_2\; \langle P\rangle}$$

as per Section 2.1.1.1.

The learning algorithm L∗ is applied to learn a candidate assumption A representing M1. This abstraction A must be strong enough to allow M2, when composed with A,