Compositional Design and Verification of Component-Based Information Systems
Automatic Assumption Generation for Compositional Verification
Transcript of Automatic Assumption Generation for Compositional Verification
Page 1
Automatic Assumption Generation for Compositional Verification
Dimitra Giannakopoulou (RIACS), Corina Păsăreanu (Kestrel)
Automated Software Engineering, NASA Ames Research Center, Moffett Field, CA, USA
Page 2
Component Verification
Checking component C against property P:
- YES: in all environments E: (C ⊨ P)
- NO: in some environment E: ¬(C ⊨ P)
Typically a component is designed to satisfy its requirements in specific environments.
Diagram: Environment, Component, Assumption; does the component satisfy P?
How are assumptions obtained?
- Developer encodes them explicitly
- Abstractions of environment, if known
Introduce environment assumption A and check:
- assuming A, C ⊨ P (assume / guarantee)
- E ⊨ A (discharge the assumption)
Page 3
Approach
Infer assumptions automatically. Two novel solutions developed:
1. Algorithmic generation of assumption; knowledge of environment is not required
2. Incremental assumption computation based on counterexamples, learning and knowledge of environment
Page 4
Applications
Verification produces more precise answers:
- true: property satisfied in all environments
- false: property falsified in all environments
- assumption A: property true in environments where A is true
Support for compositional verification: property decomposition; assumptions for assume-guarantee reasoning
Runtime monitoring of environment: assumption monitors actual environment during deployment, may trigger recovery actions
Component retrieval, sub-module construction, …
Page 5
Solution 1
In collaboration with Prof. Howard Barringer, Univ. of Manchester, UK
Giannakopoulou, D., Păsăreanu, C., and Barringer, H., “Assumption Generation for Software Component Verification”, in Proc. of the 17th IEEE International Conference on Automated Software Engineering (ASE 2002).
Awards: Best paper, ACM Distinguished Paper Award
Page 6
The Problem
Given component C, property P, and the interface of C with its environment, generate the weakest environment assumption A such that: assuming A, C ⊨ P.
Weakest means that for all environments E: (E || C ⊨ P) IFF E ⊨ A
Page 7
Implementation: Labeled Transition Systems Analyzer (LTSA)
Components modeled as labelled transition systems (LTSs):
- communicate by rendezvous through shared actions
- internal actions represented by action “τ”
Compositional reachability analysis:
- hiding of internal actions
- minimization w.r.t. observational equivalence
Properties also expressed as LTSs; they describe all legal behaviors:
- deterministic
- completed for verification: bad behaviors lead to “error state”
- composed with components; verification is postponed until the system is “closed”
An LTS can be used as a property or an assumption.
Page 8
Example
Diagram: Mutex || Writer || Mutual Exclusion Property, each given as an LTS.
- Mutex: actions E.acquire, E.release, W.acquire, W.release
- Writer: actions W.acquire, W.enterCS, W.exitCS, W.release
- Mutual Exclusion Property: actions E.enterCS, E.exitCS, W.enterCS, W.exitCS
Page 9
Assumption Generation
Step 1: composition, hiding, minimization → Property true! (all environments)
Step 2: backward propagation of error with τ → Property false! (all environments)
Step 3: property extraction (subset construction and completion) → Assumption
Page 10
Composite System
Diagram: LTS of the composite system; its visible transitions are labelled E.acquire, E.release, E.enterCS, E.exitCS.
Page 11
Error Propagation (with τ)
Diagram (animation step 1 of 3): composite LTS over E.acquire, E.release, E.enterCS, E.exitCS with the error state being propagated backwards.
Page 12
Error Propagation (with τ)
Diagram (animation step 2 of 3): same LTS, further states merged into the error state.
Page 13
Error Propagation (with τ)
Diagram (animation step 3 of 3): same LTS after propagation; remaining transitions labelled E.acquire, E.release, E.enterCS, E.exitCS.
Page 14
Property Extraction
Diagram: deterministic LTS over E.acquire, E.release, E.enterCS, E.exitCS, including one transition labelled with all four actions E.acquire, E.release, E.enterCS, E.exitCS.
Page 15
Generated Assumption
Diagram: the resulting assumption LTS over E.acquire, E.release, E.enterCS, E.exitCS, including one transition labelled with all four actions E.acquire, E.release, E.enterCS, E.exitCS.
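Solution 1's three steps as an added, runnable example (not code from the slides or from LTSA): it composes the Mutex, Writer and mutual-exclusion property of the example above, hides the Writer's actions as τ, propagates the error state backwards over τ, and extracts the assumption by subset construction with completion. The LTS encodings and the property's transition structure are reconstructed from the slide diagrams (an assumption), `SINK` plays the role of the sink state the slides mention, and the functions are general: they work for any component, property and interface given in this encoding.

```python
from itertools import product
PI, SINK, TAU = "pi", "sink", "tau"  # error state, accept-everything sink state, hidden (internal) action
# LTS = (alphabet, {state: [(action, next), ...]}), initial state 0.  Encodings constructed from the slides.
MUTEX = ({"E.acquire", "E.release", "W.acquire", "W.release"},
         {0: [("E.acquire", 1), ("W.acquire", 2)], 1: [("E.release", 0)], 2: [("W.release", 0)]})
WRITER = ({"W.acquire", "W.enterCS", "W.exitCS", "W.release"},
          {0: [("W.acquire", 1)], 1: [("W.enterCS", 2)], 2: [("W.exitCS", 3)], 3: [("W.release", 0)]})
PROP_ALPHA = {"E.enterCS", "E.exitCS", "W.enterCS", "W.exitCS"}
PROP_OK = {0: {"E.enterCS": 1, "W.enterCS": 2}, 1: {"E.exitCS": 0}, 2: {"W.exitCS": 0}}  # legal: no nested CS
MUTEX_PROP = (PROP_ALPHA, {s: [(a, ok.get(a, PI)) for a in sorted(PROP_ALPHA)] for s, ok in PROP_OK.items()})
INTERFACE = {"E.acquire", "E.release", "E.enterCS", "E.exitCS"}  # actions shared with the environment E

def compose_and_hide(comps, interface):
    """Step 1: rendezvous composition; non-interface actions become TAU; a component in PI makes the state PI."""
    alpha, init, trans = set().union(*(a for a, _ in comps)), (0,) * len(comps), {}
    todo = [init]
    while todo:
        s = todo.pop()
        if s == PI or s in trans: continue
        trans[s] = []
        for act in sorted(alpha):  # every component knowing act must offer it; an empty option list blocks it
            opts = [[t for x, t in ts[q] if x == act] if act in a else [q] for (a, ts), q in zip(comps, s)]
            for nxt in product(*opts):
                nxt = PI if PI in nxt else nxt
                trans[s].append((act if act in interface else TAU, nxt)); todo.append(nxt)
    return trans, init

def propagate(trans, init):
    """Step 2: a state that reaches PI by TAU steps alone (which E cannot prevent) is itself an error state."""
    err = {PI}
    while new := {s for s, ts in trans.items() if s not in err and any(a == TAU and t in err for a, t in ts)}:
        err |= new
    trans = {s: [(a, PI if t in err else t) for a, t in ts] for s, ts in trans.items() if s not in err}
    return trans, (PI if init in err else init)

def closure(trans, states):  # TAU-closure of a set of states
    seen, todo = set(states), list(states)
    while todo:
        for a, t in trans.get(todo.pop(), []):
            if a == TAU and t not in seen: seen.add(t); todo.append(t)
    return frozenset(seen)

def extract(trans, init, alpha):
    """Step 3: subset construction plus completion: a subset containing PI collapses to PI, a blocked action goes to SINK."""
    start = closure(trans, {init}); names, out, todo = {start: 0}, {}, [start]
    while todo:
        S = todo.pop(); row = out.setdefault(names[S], {})
        for act in sorted(alpha):
            T = closure(trans, {t for s in S for a, t in trans.get(s, []) if a == act})
            if PI in T: row[act] = PI
            elif not T: row[act] = SINK  # the component cannot do act here, so E is not constrained afterwards
            else:
                if T not in names: names[T] = len(names); todo.append(T)
                row[act] = names[T]
    out[SINK] = {act: SINK for act in alpha}
    return out

def weakest_assumption(parts, prop, interface):
    trans, init = propagate(*compose_and_hide(parts + [prop], interface))
    return None if init == PI else extract(trans, init, interface)  # None: P is false in every environment
```

For the Mutex example the result has three proper states plus the sink: the environment must E.acquire before E.enterCS, must not E.release while inside its critical section, and the states where the component blocks an action lead to the sink.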
Page 16
Ames Rover Executive
Executes flexible plans for autonomy, branching on state / temporal conditions
Multi-threaded system: communication through shared variables; synchronization through mutexes and condition variables
Systematic translation of design documents into input language of LTSA
Several synchronization issues: mutual exclusion, data races; properties specified by developer
Page 17
Properties
First property: mutual exclusion
- 426 states → 18 states {hiding + minimization}; assumption: 12 states
Second property: If the Executive thread reads the value of variable savedWakeupStruct, the ExecCondChecker thread should not read this value unless the Executive clears it first.
- 544 states → 10 states {hiding + minimization}; assumption: 6 states
Page 18
Resulting Assumption (FSP; not displaying sink state Q1)
Assumption_Property2 = Q0,
Q0 = ( external.exec.lock -> Q2),
Q2 = ( external.exec.unlock -> Q0
     | external.savedWakeupStruct.read[1] -> Q3
     | external.savedWakeupStruct.assign[0] -> Q4
     | external.savedWakeupStruct.read[0] -> Q5),
Q3 = ( external.savedWakeupStruct.read[1] -> Q3
     | external.savedWakeupStruct.assign[0] -> Q4),
Q4 = ( external.exec.unlock -> Q0
     | external.savedWakeupStruct.assign[0] -> Q4
     | external.savedWakeupStruct.read[0] -> Q5),
Q5 = ( external.savedWakeupStruct.assign[0] -> Q4
     | external.savedWakeupStruct.read[0] -> Q5).
Page 19
Solution 2
In collaboration with RIACS SSRP student Jamieson Cobleigh, Univ. of Massachusetts, Amherst
Cobleigh, J.M., Giannakopoulou, D., and Pasareanu, C.S., “Learning Assumptions for Compositional Verification”, in Proc. of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2003). April 2003, Warsaw, Poland.
Page 20
The problem: automate assume-guarantee reasoning
Simplest assume-guarantee rule, no circularity, useful for safety properties:
1. ⟨A⟩ M1 ⟨P⟩
2. ⟨true⟩ M2 ⟨A⟩
3. ⟨true⟩ M1 || M2 ⟨P⟩
Diagram: M1 || M2 with assumption A; does it satisfy P?
Page 21
Our Framework: Incremental Compositional Verification
Flowchart: Learning produces the candidate assumption Ai, which is passed to Model Checking.
1. ⟨Ai⟩ M1 ⟨P⟩: false → counterexample, strengthen assumption (back to Learning); true → continue with 2.
2. ⟨true⟩ M2 ⟨Ai⟩: true → P holds in M1 || M2; false → counterexample: real error? yes → P violated in M1 || M2; no → weaken assumption (back to Learning).
Page 22
Learning with L*
L*: learning algorithm by Angluin, improved by Rivest & Schapire
- based on queries and counterexamples
- learns an unknown regular language U over alphabet Σ and produces a DFA C such that L(C) = U
- constructs a sequence of DFAs C1, C2, … converging to C
- needs a Teacher to answer two types of questions:
  - membership queries: is string s in U?
  - conjectures: for a candidate DFA Ci, is L(Ci) = U? Answers are (true) or (false + counterexample)
Page 23
The L* Algorithm
General method:
- maintains a table that records whether strings in Σ* belong to U
- makes membership queries to update it
- decides to make a conjecture: uses table to build a candidate Ci
- if Teacher replies true, done! If Teacher replies false, uses counterexample to update the table
Characteristics:
- terminates with minimal automaton C for unknown language U
- each candidate Ci is smallest: any DFA consistent with table has at least as many states as Ci
- |C1| < |C2| < … < |C|
- produces at most n candidates, where n = |C|
Page 24
Learning for Assume-Guarantee Reasoning
- L* learns the language of weakest assumption Aw for M1
- Alphabet Σ = (αM1 ∪ αP) ∩ αM2
- Conjectures are intermediate assumptions Ai
- Algorithm may terminate before computing Aw
- Aw is not available: how do we implement the Teacher? Use model checking
Diagram: M1 || M2 with assumption A, satisfies P? Rule: 1. ⟨A⟩ M1 ⟨P⟩; 2. ⟨true⟩ M2 ⟨A⟩; 3. ⟨true⟩ M1 || M2 ⟨P⟩
Page 25
The Teacher
Membership query: trace s
- Simulate s on M1 || Perr
- If it leads to error state, reply false (s ∉ L(Aw)); otherwise, reply true (s ∈ L(Aw))
Conjecture: Ai
- Oracle 1: performs (Step 1) ⟨Ai⟩ M1 ⟨P⟩. If false (with counterex­ample c): provide c to L* (assumption is too weak). If true: forward Ai to Oracle 2.
- Oracle 2: performs (Step 2) ⟨true⟩ M2 ⟨Ai⟩. If true: done! (P holds on M1 || M2). If false (with counterexample c): forward c to analysis.
Counterexample analysis: simulate c on M1 || Perr
- If it leads to the error state: done! (P does not hold on M1 || M2). Otherwise, provide c to L* (assumption is too strong).
Page 26
Example
Diagram: Input (actions in, send, ack), Output (actions send, out, ack), Order_err (property over in and out, with error state)
We check: ⟨true⟩ Input || Output ⟨Order⟩, with M1 = Input, M2 = Output, Property = Order
Assumption’s alphabet: {send, out, ack}
Page 27
Membership Queries
Observation table T: S = set of prefixes, E = set of suffixes. Rows: the empty trace and out in S; ack, out, send, out·ack, out·out, out·send in S·Σ.
Query: is the empty trace in L(Aw)? Simulate it on Input || Order_err: Yes!
Page 28
Membership Queries
Table entry for the empty trace: true.
Page 29
Membership Queries
Query: <out> ∈ L(Aw)? Simulate <out> on Input || Order_err: No!
Page 30
Membership Queries
Table entry for out: false.
Page 31
Membership Queries
Remaining rows ack, out, send, out·ack, out·out, out·send filled in: true, false, true, false, false, false.
Page 32
Candidate Construction
From the completed table (2 states; the error state is not added to the assumption): Assumption A1 with transitions ack, send.
Page 33
Conjectures
A1 (ack, send). Oracle 1: ⟨A1⟩ Input ⟨Order⟩. Counterexample: c = in, send, ack, in. Return to L* (restricted to the assumption’s alphabet): c = send, ack.
Queries → A2 (two states; transitions ack, send and out, send). Oracle 1: ⟨A2⟩ Input ⟨Order⟩: True. Oracle 2: ⟨true⟩ Output ⟨A2⟩: True.
Property Order holds on Input || Output.
Page 34
Another Example
Diagram: Input (in, send, ack), Output’ (send, ack, out), Order_err (in, out)
A1 (ack, send); A2 (ack; send; out, send). Oracle 2: ⟨true⟩ Output’ ⟨A2⟩. Counterexample: c = send, send, out.
Simulate c on M1 || Order_err: not a real error! Return c to L*.
Diagram: subsequent assumptions A3 and A4 over ack, out, send.
Property Order holds on Input || Output’.
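The Teacher’s membership query and the L* learning box of the preceding slides, as an added Python example (not the authors’ tool): `member` decides s ∈ L(Aw) by searching the runs of Input || Order_err whose projection onto the assumption alphabet is s (actions outside that alphabet are unconstrained), and `LStar` fills the observation table, closes it, builds the candidate and processes a counterexample. Input, Order_err and the counterexample send,ack are taken from the slides; the conjecture oracles, which the slides implement by model checking, are replaced here by that reported counterexample, and Angluin’s original prefix-adding counterexample handling is used rather than the Rivest–Schapire improvement (both assumptions of this example).

```python
from collections import deque

PI = "pi"
# Deterministic LTSs as (alphabet, {state: {action: next}}); constructed from the slides' example.
INPUT = ({"in", "send", "ack"}, {0: {"in": 1}, 1: {"send": 2}, 2: {"ack": 0}})
ORDER_ERR = ({"in", "out"}, {0: {"in": 1, "out": PI}, 1: {"out": 0, "in": PI}})  # in and out must alternate
SIGMA_A = ("ack", "out", "send")  # assumption alphabet: (alpha(Input) U alpha(Order)) intersected with alpha(Output)

def member(trace, m1=INPUT, perr=ORDER_ERR, sigma=SIGMA_A):
    """Membership query by simulation: trace is in L(Aw) iff no run of M1 || Perr whose
    projection onto sigma equals trace reaches PI.  Actions outside sigma are free."""
    seen, todo = set(), deque([(0, 0, 0)])  # (M1 state, Perr state, position in trace)
    while todo:
        q1, qp, k = todo.popleft()
        if (q1, qp, k) in seen: continue
        seen.add((q1, qp, k))
        for act in m1[0] | perr[0]:
            if act in sigma and (k == len(trace) or trace[k] != act): continue  # trace constrains sigma actions
            n1 = m1[1][q1].get(act) if act in m1[0] else q1
            np = perr[1][qp].get(act, PI) if act in perr[0] else qp  # property: a missing action is an error
            if n1 is None: continue                                  # M1 blocks the action
            if np == PI: return False
            todo.append((n1, np, k + (act in sigma)))
    return True

class LStar:
    """Angluin's L*: observation table over prefixes S and suffixes E, filled by membership queries."""
    def __init__(self, sigma, member):
        self.sigma, self.member, self.S, self.E, self.T = sigma, member, [()], [()], {}
    def row(self, s):
        for e in self.E:
            if s + e not in self.T: self.T[s + e] = self.member(s + e)
        return tuple(self.T[s + e] for e in self.E)
    def refine(self, c):  # counterexample: add all of its prefixes to S
        self.S += [tuple(c[:i]) for i in range(1, len(c) + 1) if tuple(c[:i]) not in self.S]
    def conjecture(self):
        """Make the table closed and consistent, then read off the candidate; rows whose
        trace is not in L(Aw) form the error state, which is not part of the assumption."""
        while True:
            rows = {self.row(s) for s in self.S}
            new = [s + (a,) for s in self.S for a in self.sigma if self.row(s + (a,)) not in rows]
            if new: self.S.append(new[0]); continue
            bad = [(a,) + e for s1 in self.S for s2 in self.S for a in self.sigma for e in self.E
                   if self.row(s1) == self.row(s2) and self.T[s1 + (a,) + e] != self.T[s2 + (a,) + e]]
            if bad: self.E.append(bad[0]); continue
            names = {}
            for s in self.S:
                if self.row(s)[0]: names.setdefault(self.row(s), len(names))
            return {names[self.row(s)]: {a: names[self.row(s + (a,))] for a in self.sigma if self.row(s + (a,))[0]}
                    for s in self.S if self.row(s)[0]}

def learn_assumptions():
    """Replays the slides' run: A1 from the initial table, then A2 after Oracle 1 returns
    the counterexample in,send,ack,in projected onto SIGMA_A, i.e. send,ack."""
    learner = LStar(SIGMA_A, member)
    a1 = learner.conjecture()
    learner.refine(("send", "ack"))
    return a1, learner.conjecture()
```

`member(("send", "send", "out"))` is the counterexample analysis of the Output’ example: the trace cannot drive Input || Order_err into the error state, so it is not a real error and is returned to L*.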
Page 35
Case Study: K9 Rover again

| iteration | |Ai| | (#states, #trans) | result |
|---|---|---|---|
| 1, Oracle 1 | 1 | (5, 24) | too weak |
| 2, Oracle 1 | 2 | (268, 1408) | too weak |
| 3, Oracle 1 | 3 | (235, 1209) | too weak |
| 4, Oracle 1 | 5 | (464, 2500) | not too weak |
| 4, Oracle 2 | 5 | (32, 197) | false |
Page 36
Comparisons (Pentium III, 500 MHz, 1 Gb of memory)
- check P on M1 || M2: (3630 sts, 34653 trans), 0.535 secs
- using weakest assumption (6 states): generation (544 sts, 6314 trans), 24.623 secs; discharging assumption (32 sts, 197 trans), 0.504 secs
- using incremental assume-guarantee reasoning (5 states): (max: 464 sts, 2500 trans), 8.639 secs
Page 37
Related Work
- Interface automata (de Alfaro, Henzinger): component compatibility
- Assume-guarantee frameworks: MOCHA, Calvin (extended static checking of Java), …
- Interfaces for Compositional Reachability Analysis: Graf-Steffen-Lüttgen, Cheung-Kramer, Krimm-Mounier
- Controller synthesis; interface equation / sub-module construction: Merlin-Bochmann, Shields, Parrow, Larsen-Xinxin
- Synthesis of deadlock-free connectors: Inverardi-Scriboni-Wolf-Yankelevich
Page 38
Conclusions & Extensions
- Model checking components as open systems
- Assumptions can be further analyzed: do components that implement them, or the resulting system, have any useful behavior?
- Incremental framework is general: relies on standard features of model checkers; experimenting with JPF
- More case studies
- Learning box: improve / change algorithm?
- Extended properties (deadlock, liveness, fairness)
- Timed systems
Page 39
Contact
{dimitra, pcorina} @ email.arc.nasa.gov
http://ase.arc.nasa.gov/
Page 40
DEMO