1 / 24

Automated Assume-Guarantee Reasoning for Simulation Conformance

Automated Assume-Guarantee Reasoning for Simulation Conformance Sagar Chaki , Edmund Clarke, Nishant Sinha, Prasanna Thati. Overview. Assume-guarantee style simulation checking between labeled transition systems in an automated manner.

erv
Download Presentation

Automated Assume-Guarantee Reasoning for Simulation Conformance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Automated Assume-Guarantee Reasoning for Simulation Conformance Sagar Chaki, Edmund Clarke, Nishant Sinha, Prasanna Thati

  2. Overview • Assume-guarantee style simulation checking between labeled transition systems in an automated manner. • Automated learning of assumptions. Assumptions are expressible as regular tree languages. • Efficient algorithm LT to learn minimal deterministic tree automata using queries and counterexamples. • Experimental results, implications and future work.

  3. Labeled Transition System • Directed graph with an initial node. Edges labeled with actions drawn from an alphabet. e a b a c d M (M) = {a,b,c,d,e,f}

  4. M1 || A¹S M2¹A M1 || M2¹S A-G Simulation between LTSs • We have a concurrent implementation M1|| M2 and a specification S. We wish to check if M1 || M2¹S. • We wish to use the A-G rule: (AG-NC) • We also want to construct a counterexample if simulation does not hold.

  5. a a c b Simulation between LTS and tree • t¹M´ there exists a homomorphism between t and M a c b a a t M

  6. Simulation ´ Language Containment • L(M) = The set of trees that M can simulate a a a a c c b b M M1¹M2 iff L(M1)µL(M2) L(M)

  7. L(M1|| M2)µL(S) , L(M1)ÅL(M2)µL(S) , L(M2)µL(M1)nL(S) = W Weakest assumption • The weakest assumption that satisfies the first premise of AG-NC corresponds to the language: • W = L(M1) n L(S) • In fact:

  8. Initial Idea • Check if L(M2)µW = L(M1)nL(S). • If so, we are done. • Otherwise let t be a tree such that: • t2L(M2) and t2L(M1)nL(S). • Hence t 2L(M1|| M2)nL(S). • Report t as a counterexample.

  9. Problems and Solutions • How do we represent W? • The tree languages we encounter are regular. We will use tree automata to represent them. • How do we check L(M2) µ W efficiently? • Naïve approach composes M1, M2 and S. Instead we will incrementally learn an approximation to W using the two AG-NC premises.

  10. Tree Automaton • A = (S, S0, , , ­, F) • S, S0, ,  and F are exactly like finite automata. ­ is a cross-transition relation. • A reads a binary tree t in a bottom-up manner. a c b

  11. Tree Automaton • A = (S, S0, , , ­, F) • S, S0, ,  and F are exactly like finite automata. ­ is a cross-transition relation. • A reads a binary tree t in a bottom-up manner. (X,a) a X = (S0,b) ­(S0,c) c b (S0,c) (S0,b) S0 S0

  12. Facts about Tree Automata • Theory of tree automata mirror that of finite automata. Deterministic TA have same accepting power as ND-TA. • Languages accepted by TA are said to be regular. Regular languages are closed under standard set operations. • There is a version of Myhill-Nerode theorem for TA. Every regular language is accepted by an unique minimal DTA. • The tree language of any LTS M is regular. • Hence W = L(M1) n L(S) is a regular language and is accepted by a minimal DTA A(W). We will learnA(W).

  13. Algorithm LT • Learns a minimal DTA that accepts an unknown regular tree language W. Uses a minimally adequate teacher (MAT) that can answer two kinds of queries: • Membership: Is a tree t in W, i.e., t 2 W? • Candidate: Is a proposed DTA C the correct answer, i.e., L(C) = W? If not return a counterexample tree t. • LT is a generalization of the L*algorithm by Angluin. It is closer in spirit to the improved L* by Rivest et al.

  14. Context • A context is a tree with a hole where you can plug-in other trees and contexts. a a = + c c b b t c[t] c

  15. Overview of LT • LT uses an observation table to record information obtained by querying the MAT. It iteratively: • Augments rows of the table using membership queries till the table is closed. • Constructs a candidate DTAC from the table and makes a candidate query. • If the answer is yes, then LTterminates with C. • Otherwise adds a single context to E and repeats. • LTterminates due to upper bound on number of rows. • Space and time complexity of LT is polynomial in the size of A(W) assuming each MAT query takes unit resource.

  16. Observation Table experiments that can distinguish between states of A(W) states of A(W) s 0 1 0 1 1 1 0 0 … transitions cross transitions

  17. -Closure s (s, ) = s’ s’ s ²

  18. ­-Closure s1 s2 ­(s1,s2) = s’ s’ (s1 , s2)

  19. Learning A(W) • We have a concurrent implementation M1 || M2 and a specification S. We wish to check if M1|| M2¹ S. • Membership: t 2 W iff M1|| t ¹ S • Candidate: To answer if L(C) = W • Phase 1: M1|| C ¹ S • return t 2 L(C) n W or proceed to phase 2. • Phase 2: M2¹ C • return t 2 W n L(C) or global counterexample.

  20. Candidate Query Check M1 || C¹S Premise 1 no yes 1 L(C) µ W :(L(C) µ W) Premise 2 return t2L(C)nW Check M2¹ C no yes Check M1 || t’¹S C satisfies AG premises M1 || M2¹S let t’2L(M2)nL(C) no yes 2 return t’2WnL(C) return CE t’ to M1|| M2¹S

  21. Results

  22. Results

  23. Related Work • MAT-based learning for DFA : Angluin (1987), improved by Rivest and Schapire (1993). • MAT-based learning for DTA : Sakakibara (1990), Drewes and Hogberg (2003) asymptotically more expensive than ours. • Automated assume-guarantee using DFA learning : Cobleigh et al. (2003), Barringer et al. (2003) explore various assume-guarantee proof-rules, dynamic A-G (Chaki, Clarke, Sharygina, Sinha : FM 2005) • Other kinds of automata learning : Buchi automata (Maler et al.), Timed automata (Jonsson et al.)

  24. Future work • We could explore the use of other assume-guarantee rules and the effect of ordering of the components on overall complexity. • We could learning non-deterministic automata. These may be exponentially more compact than the corresponding deterministic versions. However, we might have to sacrifice canonicity. • We could apply this automated assume-guarantee reasoning via learning to other types of verification problems such as LTL model checking and deadlock detection.

More Related