automated assume- guarantee reasoning for … assume-guarantee reasoning for omega-regular systems...
Post on 26-May-2018
214 Views
Preview:
TRANSCRIPT
© 2010 Carnegie Mellon University
Automated Assume-
Guarantee Reasoning for
Omega-Regular Systems and
Specifications
Software Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213
Arie Gurfinkel and Sagar ChakiApril 13, 2010Second NASA Formal Methods Symposium
2
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder.
This Presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013.
3
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
When Failure is Not an Option
Failure is not an option for
• Safety Critical Systems (e.g., X-rays machines)
• Medical Devices (e.g., infusion pumps, …)
• Embedded Software (e.g., cars, airplanes)
• Security Vulnerabilities (e.g., nuclear plants)
• …
Formal software verification is essential to guarantee absence of failures
• Automated techniques include model checking and static analysis …
• which can be used to validate, for example, safety and security, behavior prior to program execution
• and provide objective evidence of safe behavior
4
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Assume Guarantee Reasoning
M1 || A ² S M2 ² A
M1 || M2 ² S
How to automatically find a sufficiently good assumption?!
System M1 in parallel with system M2 satisfies specification S
iff there exists an assumption A such that
• M1 in parallel with A satisfies S
• M2 satisfies the assumption A
5
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Related Work
Safety properties
• Giannakopoulou et al. ASE 2002 – computing weakest assumption
• Cobliegh et al. TACAS 2003 – using L* to learn “good-enough” assumption
• Barringer et al. SAVCBS 2003 – AG proof rules, soundness, completeness
• many follow up works to improve algorithms, complexity, applicability, etc.
Liveness properties
• Farzan et al. TACAS 2008 – L$ a learning algorithm for omega-regular languages
• THIS PAPER
– Assume-Guarantee proof rules for reactive (omega-regular) systems
– Soundness and (in)completeness
– Two new learning algorithms for infinitary (finite + infinite) languages
– A unifying framework for learning-based automated AG (see paper)
6
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Outline
Background
• Model of concurrency: LTS, composition, specifications, etc.
• Active learning of regular languages: L*
• Learning-based Automated Assume Guarantee Framework
Non-Circular Assume Guarantee Rule (AG-NC)
• Soundness and in-completeness for omega-regular languages
• Soundness and completeness for -regular languages
• Learning algorithms for -regular languages
Circular Assume Guarantee Rule (AG-C)
• Soundness and completeness
Conclusion and Future Work
7
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Labeled Transition System (LTS)
M = (Q, I, , T)
• Q -- non-empty set of states
• I Q an initial state
• -- set of actions (a.k.a, the alphabet)
• T Q Q – a transition relation
a
a
b
c d
e
M
(M) = {a,b,c,d,e,f}
FA or Buchi
acceptance condition+
8
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Operational Semantics
CSP Semantics
• handshake (synchronize) over shared actions
• otherwise, proceed independently (asynchronously)
Composition M1 || M2
is
• State of M1
|| M2
is of the form (s1,s2), where si is a state of Mi
s1 t1 a ( M2) a
(s1,s2) (t1,s2)a
s2 t2 a ( M1) a
(s1,s2) (s1,t2)a
s1 t1 s2 t2a
(s1,s2) (t1,t2)a
a
9
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Example of Composition
1 2 3 4a b c
1’ 2’ 3’ 4’a d c
M1 = {a,b,c} M2 = {a,d,c}
1,1’ 2,2’a
3,2’b
2,3’d’
3,3’
d’
b
4,4’c
M1 k M2 = {a,b,d,c}
10
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
L* (Angluin 1987, Rivest & Schapire 1993)
s 2 U ?
yes/no
L(A) = U ?
No. 2 U ∆ L(A)
yes. L(A) = U
Membership
Query
Candidate
Query
L* learner Minimally Adequate Teacher (MAT)
U -- regular languageΣ(U)
DFA A
L(A) = U
11
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Assume Guarantee with Learning
Model Checking
A || M1 ² p
M2 ² A
A
true
true
Negative feedback
N
M1 || M2 ² p
Positive feedback
N
Y
M1 || M2 2 p
² M2
false,
false, ² M1 || :pY
L*
12
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Outline
Background
• Model of concurrency: LTS, composition, specifications, etc.
• Active learning of regular languages: L*
• Learning-based Automated Assume Guarantee Framework
Non-Circular Assume Guarantee Rule (AG-NC)
• Soundness and in-completeness for omega-regular languages
• Soundness and completeness for -regular languages
• Learning algorithms for -regular languages
Circular Assume Guarantee Rule (AG-C)
• Soundness and completeness
Conclusion and Future Work
13
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
AG-NC: Non-Circular Assume Guarantee Rule
(L1 || LA) ¹ LS L2 ¹ LA
(L1 || L2) ¹ LS
A = ( S)
Complete for Safety (regular) properties ( )
Incomplete for Liveness (omega-regular) properties ( )
L ¹ S iff L¼ΣS µ S
14
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Proof of Incompleteness (by Counterexample)
= {a, b} = {a, c} S = {a, b}
L1 = (a+b) L2 = a*c LS = (a+b)*b
Assumption alphabet: = {a}
BUT, there is no assumption LA µ ! to apply AG-NC
a,b cc
a
|| ²b
ba,b
A ; A a!L2 ⋠ A1 L1 || A2 ⋠LS
15
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
AG-NC: Infinite Trace Containment
(L1 || LA) ¹! LS L2 ¹! LA
(L1 || L2) ¹! LS
A = ( S)
NOT SOUND!
L ¹! S iff !(L¼ΣS) µ !(S)
16
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Proof of Unsoundness (by Counterexample)
= {a, b} = {a, c} S = {a, b}
L1 = (a+b) L2 = a*c LS = b
= {a}
BUT, LA = ; satisfies all premises of (modified) AG-NC
a,b cc
a
|| 2b
17
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
AG-NC: Relaxing Assumption Alphabet
(L1 || LA) ¹ LS L2 ¹ LA
(L1 || L2) ¹ LS
A = ( S)
Assumption “knows” about internal actions of L1 and L2
Not “truly” compositional
Complete for Safety (regular) properties ( )
Complete for Liveness (omega-regular) properties ( )
18
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
AG-NC: Restoring Completeness
Theorem: Let L1 and LS be two languages, and an alphabet s.t.
= S. Then, LA = {((L1 || {(LS))¼ ) is the weakest
assumption such that L1 || LA ¹ LS
AG-NC is complete for any class of languages closed under
projection and complement
AG-NC is complete for
AG-NC is complete for
Need a learning algorithm for !
Corollaries:
19
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Learning Infinitary Language U: Approach 1
Use L* and L$ simultaneously to learn a DFA D and a BA B such that L(DFA) = *(U) and L(BA) = !(U)
Assume M is a MAT for U
Use M to answer membership queries until both learners generate a candidate query
Use M to verify the candidate query: L(D) [ L(B) = U
• on success, stop
• if counterexample is finite, send to L* and resume until next DFA candidate
• if counterexample is infinite, send to L$ and resume until next BA candidate
Two learners. Possibly a lot of redundancy.
20
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Learning Infinitary Language U: Approach 2
Use L$ to learn U.¿!, where ¿ is a “fresh” symbol not in §U
Assume M is a MAT for U
To answer a membership query infinite word s
• if s = t.¿! and t 2 §U1 then ask M whether t 2 U and forward answer back
• Otherwise, answer “no”
To answer a candidate query with candidate BA C
• if L(C) * §U1.¿! return ¼ 2 L(C) n §U
1.¿!
• otherwise, forward candidate query *(L(A)¼ , !(L(A)¼ ) to M
Single learner, BUT larger alphabet
21
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Circular AG-rule (AG-C): Summary
L1 || LA1 ¹ LS L2 || LA2 ¹ LS {(LA1) || {(LA2) ¹ LS
L1 || L2 ¹ LS
ΣA1= ΣA2= (Σ1∩Σ2) ∪ ΣS
Complete for Safety (regular) properties (Σ1)
Complete for Liveness (omega-regular) properties (Σ!)
BUT need to learn 2 assumptions AND assumption alphabet is larger
22
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Learning-Based AG (LAG) Framework
Conformance Rule A Learner(s) Oracle(s) Checker
Regular Trace AG-NC DFA P1 = P (L¤) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)
Containment [?]
Regular Trace AG-C DFA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)
Containment [?] P (L¤) Q2 = Q(L2; LS ;§C)
1-regular Trace AG-NC DFA £ BA P1 = P (L) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)
Containment
1-regular Trace AG-C DFA £ BA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)
Containment P (L) Q2 = Q(L2; LS ;§C)
!-regular Trace AG-NC DFA £ BA P1 = P (L) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)
Containment
!-regular Trace AG-C BA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)
Containment P (L!) Q2 = Q(L2; LS ;§C)
Conformance Rule A Learner(s) Oracle(s) Checker
Regular Trace AG-NC DFA P1 = P (L¤) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)
Containment [?]
Regular Trace AG-C DFA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)
Containment [?] P (L¤) Q2 = Q(L2; LS ;§C)
1-regular Trace AG-NC DFA £ BA P1 = P (L) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)
Containment
1-regular Trace AG-C DFA £ BA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)
Containment P (L) Q2 = Q(L2; LS ;§C)
!-regular Trace AG-NC DFA £ BA P1 = P (L) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)
Containment
!-regular Trace AG-C BA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)
Containment P (L!) Q2 = Q(L2; LS ;§C)
Conformance Rule A Learner(s) Oracle(s) Checker
Regular Trace AG-NC DFA P1 = P (L¤) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)
Containment [1]
Regular Trace AG-C DFA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)
Containment [2] P (L¤) Q2 = Q(L2; LS ;§C)
1-regular Trace AG-NC DFA £ BA P1 = P (L) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)
Containment
1-regular Trace AG-C DFA £ BA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)
Containment P (L) Q2 = Q(L2; LS ;§C)
!-regular Trace AG-NC DFA £ BA P1 = P (L) Q1 = Q(L1; LS ;§NC) VNC(L1; L2; LS)
Containment
!-regular Trace AG-C BA P1 = P2 = Q1 = Q(L1; LS ;§C) VC(L1; L2; LS)
Containment P (L!) Q2 = Q(L2; LS ;§C)
[1] Cobleigh, Giannakopoulou, Pasareanu, TACAS’03
[2] Barringer, Giannakopoulou, Pasareanu, SAVCBS’03
The last four rows are contributions of THIS PAPER
23
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Conclusion and Future Work
Compositional approach to verification is fundamental for scalability!
Automated AG for Liveness (omega-regular) properties
• Non-Circular Rule: soundness, (in)completeness
• Circular rule – remains sound and complete
• Two new learning algorithms for infinitary languages
Unified Framework for Learning-based Assume Guarantee Reasoning
Future Work
• implementation and empirical evaluation
• experiments with other learning algorithms
25
Automated AG for Omega-Regular
Arie Gurfinkel and Sagar Chaki
© 2010 Carnegie Mellon University
Contact Information
Presenter
Arie Gurfinkel
RTSS
Telephone: +1 412-268-5800
Email: arie@cmu.edu
U.S. mail:
Software Engineering Institute
Customer Relations
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
USA
Web:
www.sei.cmu.edu
http://www.sei.cmu.edu/contact.cfm
Customer Relations
Email: info@sei.cmu.edu
Telephone: +1 412-268-5800
SEI Phone: +1 412-268-5800
SEI Fax: +1 412-268-6257
top related