DSpace at VNU: Assume-guarantee tools for component-based software verification

Assume-Guarantee Tools for Component-Based Software VerificationPham Ngoc Hung Viet-Ha Nguyen College of Technology, Vietnam National University, Hanoi {hungpn, hanv}@vnu.edu.vn Toshiaki

Assume-Guarantee Tools for Component-Based Software Verification

Pham Ngoc Hung Viet-Ha Nguyen

College of Technology, Vietnam National University, Hanoi

{hungpn, hanv}@vnu.edu.vn

Toshiaki Aoki Takuya Katayama School of Information Science, Japan Advanced Institute

of Science and Technology

{toshiaki, katayama}@jaist.ac.jp

Abstract

This paper presents a minimized assumption

genera-tion method and its associated tools for L*-based

assume-guarantee verification of component-based software by

model checking The method is not only fitted to

component-based software but also has a potential to solve the state

space explosion problem in model checking In the

pro-posed method, a verification target is decompro-posed into

com-ponents so that we can model check each of them

sepa-rately The key idea of this method is finding the minimal

assumptions in the search spaces of the candidate

assump-tions The minimal assumptions generated by the proposed

method can be used to recheck the whole system at much

lower computational cost Our experience so far indicates

that the implemented tools are potential for verifying

prac-tical component-based software.

1 Introduction

Although model checking has been recognized as a

promising approach for improving software reliability, a

major problem is the state space explosion for applying

large-scale systems [2] The assume-guarantee approach

proposed in [9, 13, 14] is a potential solution to deal with

the problem It is a “divide and conquer” mechanism for

breaking up the verification task of a component-based

sys-tem (CBS) into smaller tasks that involve the verification of

its individual components

The L*-based assumption generation method proposed

in [3] is a promising, incremental and fully automatic

ap-proach for modular verification of component-based

soft-ware This work proposes an iterative approach based on

sumptions should be minimized because the computational cost of model checking is influenced by that number More-over, when a component is evolved in the context of the software evolution, the whole evolved CBS of many exist-ing components and the evolved component is required to

be rechecked [5, 6, 8] In this case, we also can reduce the cost of rechecking the evolved CBS by reusing the smaller assumption The facts imply that the sizes of the generated assumptions are of primary importance Furthermore, al-though the assume-guarantee verification has been received

a widespread attention from the software engineering com-munity, there is not any available tool which supports this approach Thus, an available tool for the approach should

be implemented

We have proposed a method for generating minimal as-sumptions for the assume-guarantee verification of CBS

in [7] The key idea of this method is finding the mini-mal assumptions that satisfies the assume-guarantee rules

in the search spaces of the candidate assumptions by using the breadth-first search algorithm The generated assump-tions are seen as the environments needed for components

to satisfy a property and for the rest of the CBS to be satis-fied In order to evaluate the effectiveness of the proposed method, we have implemented two tools for the assump-tion generaassump-tion method proposed in [3] and the proposed method respectively Some typical CBS are applied to com-pare our method with that proposed in [3] Our obtained experimental results shows that the our method can gener-ate the minimal assumptions which have the minimal sizes and a smaller number of transitions than the assumptions generated by the method proposed in [3] These minimal as-sumptions generated by the proposed method can be used to recheck the whole CBS by checking the assume-guarantee rules at much lower computational costs The experiment

2010 Second International Conference on Knowledge and Systems Engineering

our minimized assumption generation method to find the

minimal assumptions for component-based software

verifi-cation Section 4 discusses the tool support for our method

and experimental results obtained from the application of

our method to some typical case studies Finally, we

con-clude the paper in Sect 5

2 L*-Based Assumption Generation Method

The L* learning algorithms was developed by Angluin

[1] and later was improved by Rivest and Schapire [15] L*

learns an unknown regular language and produces a

deter-ministic finite state automata (DFA) that accepts it The

main idea of the L* learning algorithms is based on the

“Myhill-Nerode Theorem” [11] in the theory of formal

lan-guages It said that for every regular set U ⊆ Σ ∗whereΣ

is the alphabet, there exists a unique minimal deterministic

automata whose states are isomorphic to the set of

equiva-lence classes of the following relation:w ≈w iff∀u ∈ Σ ∗:

wu ∈ U ⇐⇒ w  u ∈ U Therefore, the main idea of L*

is to learn the equivalence classes, i.e., two prefix are not in

the same class if and only if there is a distinguishing suffix

u [7]

LetU be an unknown regular language over some

alpha-betΣ L* will produce a DFA M such that M is a minimal

deterministic automata corresponding toU and L (M) = U.

In order to learnU , L* needs to interact with a Minimally

Adequate Teacher, called Teacher The Teacher must be

able to correctly answer two types of questions from L*

The first type is a membership query, consisting of a string

σ ∈ Σ ∗; the answer istrue if σ ∈ U, and false otherwise.

The second type of these questions is a conjecture, i.e., a

candidate DFAM whose language the algorithm believes

to be identical toU The answer is true if L (M) = U.

Otherwise the Teacher returns a counterexample, which is a

stringσ in the symmetric difference of L (M) and U.

At a higher level, L* maintains a table T that records

whether strings inΣ∗belong toU It does this by

mak-ing membership queries to the Teacher to update the

ta-ble At various stages L* decides to make a conjecture It

uses the tableT to build a candidate DFA M iand asks the

Teacher whether the conjecture is correct If the Teacher

repliestrue, the algorithm terminates Otherwise, L* uses

the counterexample returned by the Teacher to maintain the

table with strings that witness differences between L (M i)

andU

Method

The assume-guarantee paradigm is a powerful

“divide-and-conquer” mechanism for decomposing a verification

process of a CBS into subtasks about the individual compo-nents Consider a simple case where a system is made up of two components including a frameworkM1and an exten-sionM2 The goal of this approach is to verify whether this system satisfies a property p without composing M1 with

M2 For this purpose, if there exists an assumptionA (p)

such that A (p) is strong enough for M1 to satisfy p but

weak enough to be discharged byM2(i.e.,A(p) M1p

andtrue M2A(p) which are called assume-guarantee

rules, both hold), the compositional systemM1 2 satis-fies p Unfortunately, it is often difficult to find such

as-sumption

An assumption generation method proposed in [3] ap-plies the assume-guarantee rules in an iterative approach illustrated in Fig 1 At each iteration i, a candidate

as-sumptionA iis produced based on some knowledge about the system and the results of the previous iteration The two steps of the assume-guarantee rules are then applied Step 1 checks whetherM1satisfiesp in an environment that

guaranteesA iby computing formulaA i M1p If the

result isf alse, it means that this candidate assumption is too weak The candidate assumption A i therefore must be strengthened with the help of the counterexamplecex

pro-duced by this step Otherwise, the result istrue, it means

thatA iis strong enough for the property to be satisfied The step 2 is then applied to check that if componentM2 satis-fiesA iby computing formulatrue M2A i If this step

returnstrue, the property p holds in the compositional

sys-temM1 2and the algorithm terminates Otherwise, this step returnsf alse; further analysis is required to identify

whetherp is indeed violated in M1 2 or the candidate

A i is too strong to be satisfied byM2 Such analysis is based on the counterexamplecex returned by this step The

L* algorithm must check that the counterexamplecex

be-long to the unknown languageU = L(A W) If it does not, the propertyp does not hold in the system M1 2 Other-wise,A iis too strong The candidate assumptionA imust

be weakened (i.e., behaviors must be added with the help of

cex) in iteration i+ 1 A new candidate assumption may of course be too weak, and therefore the entire process must

be repeated

Method

We have proven that the assumptions generated by the L*-based assumption generation method proposed in [3] are not minimal (i.e., the numbers of states of the generated

as-Figure 1 A framework for L*-based

assump-tion generaassump-tion.

sumption are not smallest) Thus, we have proposed the

method for generating minimal assumptions for the

assume-guarantee verification of component-based software

pre-sented in [7] In this method, finding a minimal

assump-tion is considered as a search problem in a search space of

all candidate assumptions The proposed method is a

com-bination of the L* learning algorithm and the breadth-first

search algorithm We use the breadth-first search strategy

because this strategy ensures that the generated assumption

is minimal (see Theorem 2 in [7]) In order to learn a

can-didate assumption, L* builds an observation table(S, E, T )

defined as follows:

Definition 1 (Observation table) (S, E, T ) is an

observa-tion table built by L*, where:

• S ⊆ Σ ∗ is a set of prefixes It presents equivalence

classes or states.

• E ⊆ Σ ∗ is a set of suffixes It presents the

distinguish-ing.

• T : (S ∪ S.Σ).E → {true, false} where, the operator

“.” means that given two sets of event sequences P

and Q, P Q = {pq | p ∈ P, q ∈ Q}, where pq presents

the concatenation of the event sequences p and q With

a string s inΣ∗ , T (s) = true means s ∈ U, otherwise

s ∈ U.

Remark 1 An observation table (S, E, T ) is closed if ∀s ∈

S, ∀a ∈ Σ, ∃s  ∈ S, ∀e ∈ E: T (sae) = T (s  e ) In this

case, s  presents the next state from s after seeing a, sa is

undistinguishable form s  by any of suffixes Intuitively, the

observation table (S, E, T ) is closed means that every row

sa of S Σ has a matching row s  in S.

Algorithm 1 presents the proposed algorithm for

gen-use a queue data structure which contains the generated

observation tables with the first-in first-out order These

observation tables are used for generating the candidate assumptions Initially, the algorithm sets the queueq to the

empty queue (line 1) We then put the initial observation tableOT0= (S0, E0, T0) into the queue q as the root of the

search space of observation tables, whereS0= E0= {λ}

(λ represents the empty string) (line 2). Subsequently, the algorithm gets a tableOT i from the top of the queue

q (line 4) If OT i contains the “don’t know” value “?” (line 5), we obtain all instances of OT i by replacing all

“?” entries inOT iwith bothtrue and f alse (line 6) The

obtained instances then are put into the queueq (line 7).

Otherwise, the table OT i does not contain the “?” value (line 9) In this case, if OT i is not closed (line 10), an updated table OT is obtained by calling the procedure

namedmake closed (OT i ) (line 11) OT then is put into q

(line 12) In the case where the tableOT iis closed (line 13),

a candidate assumptionA iis generated fromOT i(line 14) The candidate assumption A i is used to check whether

it satisfies the two steps of the assume-guarantee rules The step 1 (corresponding to the first assume-guarantee rule) is applied by calling the procedure namedStep 1(A i)

to check whether M1 satisfies p in an environment that

guarantees A i by computing the formula A i M1 p

If Step 1(A i ) fails with a counterexample cex (line 15),

A i is too weak for M1 to satisfyp Thus, the candidate

assumptionA i must be strengthened by adding a suffixe

ofcex that witnesses a difference between L (A i) and the language of the assumption being learned toE iof the table

OT i(line 16) After that, an updated tableOT is obtained

by calling the procedure named update (OT i) (line 17)

OT then is put into q (line 18) Otherwise, Step 1(A i) returntrue (line 19) This means that A iis strong enough forM1to satisfy the propertyp The step2 (corresponding

to the second assume-guarantee rule) is then applied by calling the procedure named Step 2(A i) to check that if

M2satisfiesA iby computing the formulatrue M2A i

If Step 2(A i ) fails with a counterexample cex (line 20),

further analysis is required to identify whetherp is indeed

violated in M1 2 or A i is too strong to be satisfied

by M2 Such analysis is based on the counterexample

cex If cex witnesses the violation of p in the system

M1 2(line 21), the algorithm terminates and returnscex

(line 22) Otherwise,A iis too strong to be satisfied byM2

(line 23) The candidate assumptionA i therefore must be weakened by adding a suffixe of cex to E iof the tableOT i

(line 24) After that, an updated tableOT is obtained by

calling the procedure namedupdate (OT i ) (line 25) OT

then is put intoq (line 26) Otherwise, Step 2(A i) return

true (line 28) This means that the property p holds in the

compositional system M1 2 The algorithm terminates and returnsA i as the minimal assumption (line 29) The

algorithm iterates the entire process by looping from

line 3 to line 34 until the queueq is empty or a minimal

assumption is generated

Termination and correctness of the proposed algorithm

presented in Algorithm 1 have been proven by the

Theo-rem 2 in [7]

4 Tool Support

We have implemented the assumption generation

method proposed in [3] (called AG tool) and our

pro-posed minimized assumption generation method presented

in Sect 3 (called MAG tool) in a functional programming

language named Objective Caml (OCaml) [12] Although

the AG tool for L*-based assumption generation method

proposed in [3] has been implemented and presented in [4],

this tool is not available This means that there is not any

available tool which supports the assume-guarantee

verifi-cation Thus, in order to compare the effectiveness of both

methods, we also have to implement the AG tool The AG

tool and MAG tool have the same architecture shown in

Fig 2 Inputs of these tools are two modelM1 andM2,

and a required property p where M1, M2, and p are

rep-resented by LTSs The AG tool returns an assumption A

whereas the MAG tool returns a minimal assumptionA m

if the CBSM1 2satisfiesp, and a counterexample cex

to show thatM1 2 violatesp otherwise For example,

Fig 3 shows an applied system of these tools Given two

modelsM1as the LTSInput and M2as the LTSOutput,

and a property as the LTSp, the AG tool returns an

assump-tionA while the MAG tool returns a minimized assumption

A m A command line interface of the MAG tool is shown in

Fig 4 which corresponds to the generated assumptionA m

presented in Fig 3

Figure 2 Architecture of the implemented

tools.

Algorithm 1 Minimized assumption generation

Input: M1, M2, p: two models M1andM2, and a required propertyp

Output: A m (p) or cex: an assumption A m (p) with a

smallest size if M1 2 satisfies p, and a

counterex-amplecex otherwise

1: Initially,q = empty {q is an empty queue}

2: q.put (OT0) {OT0 = (S0, E0, T0), S0 = E0 = {λ},

whereλ is the empty string }

3: while q = empty do

4: OT i = q.get() {getting OT ifrom the top ofq }

5: if OT icontains “?” value then 6: for each instance OT of OT ido 7: q.put (OT ) {putting OT into q}

8: end for 9: else 10: if OT iis not closed then 11: OT = make closed(OT i) 12: q.put (OT )

13: else 14: construct a candidate DFAA i from the closed

OT i

15: if Step1(A i ) fails with cex then

16: add the suffixe of the counterexample cex to

E i

17: OT = update(OT i)

20: if Step 2(A i ) fails with cex then

21: if cex witnesses violation of p then

24: add the suffixe of the counterexample

cex to E i

25: OT = update(OT i)

29: return A i

30: end if 31: end if 32: end if 33: end if 34: end while

Figure 3 An applied example.

Figure 4 Command line interface of the MAG

tool.

We have applied the proposed method to several

sys-tems and compared the method with that proposed in [3]

The applied systems are the typical concurrent system

In-put/Output channel (I/O ver.1) and its evolved versions (I/O

ver.2 shown in Fig 3 and I/O ver.3) shown in [5], gas oven

control system (GOCS), and banking subsystem (BS)

The size (Ass Size), the number of transitions (Trans of

Ass.), and the generating time of the generated

assump-tions are evaluated in this experiment We also evaluate the

rechecking time for each system by reusing the generated

assumptions for checking the assume-guarantee rules on a

PC with Intel(R) Pentium(R)4 CPU 3.20GHz and 512MB

RAM Table 1 shows experimental results for the described

purpose In the results, the system size is the product of

the sizes of the software components and the size of the

re-quired property for each CBS Our obtained experimental

results imply that the generated minimal assumptions have

smaller sizes and number of transitions than the generated

ones by the method proposed in [3] These minimal

as-sumptions are effective for rechecking the systems with a

lower cost However, our method has a higher cost for gen-erating the assumption

The experiment also implies that our method is potential for verifying large-scale CBS When verifying large-scale CBS, even the behaviors of the software components are very complex, our work only focuses on the observable be-haviors of each component With this approach, we hope that our method is potential for verifying practical soft-ware In fact, our experiment shown in Table 1 is clear to show the effectiveness of the proposed method because the sizes of GOCS and BS are quite large We did not per-form big experiment but we think that this is another issue Moreover, though the proposed method considers the sim-ple case where the CBS only consists of two components

M1andM2, the experiment presents how to generalize the proposed approach for larger CBS (e.g., GOCS contains five components) We generalize the method for a larger CBS containing n-componentsM1, M2, , M n (n ≥ 2) by

considering the such CBS as a software system which con-tains two components, i.e., the compositional component

M1 2 n−1 andM n The method for larger CBS consists of the similarly steps as described in Algorithm 1 The implemented tools and the applied systems which are used in our experimental results are available at the site http://www.coltech.vnu.edu.vn/∼hungpn/AGTools/.

Checking correctness is a big issue for any implemented tool However, we have a nice solution to deal with the problem The correctness of the implemented tools (AG and MAG) means that we have to check whether the as-sumptions generated by these tools are the actual assump-tions by checking that each generated assumptionA

satis-fies the compositional rules (i.e., checking that ifA M1

p and true M2A both hold) For this purpose, we use

a tool named LTSA [10] for verifying concurrent systems to check correctness of the generated assumptionA by

check-ing the compositional systemsA 1 err andM2 err For each such compositional system, the LTSA tool returns the same result as our verification result for each applied system This means that the correctness of each assumption generated by our tools is ensured by the correctness of the LTSA tool

5 Conclusion

We have presented a method and its associated tools for generating minimal assumptions of component-based soft-ware verification The method is an improvement of the de-scribed L*-based assumption generation method proposed

in [3] The key idea of the proposed method is to find a minimal assumption in the search spaces of the candidate

Table 1 Experimental results

System Sys.

Ass Trans Generating Rechecking Ass Trans Generating Rechecking Size Size of Ass Time (ms) Time (ms) Size of Ass Time (ms) Time (ms)

assumptions These minimal assumptions are seen as the

environments needed for the components to satisfy a

prop-erty and for the rest of the system to be satisfied The search

space is seen as a search tree where its root is the initial

ob-servation table Finding an assumption with a minimal size

such that it satisfies the compositional rules thus is

consid-ered a search problem in this search tree

We have implemented two tools (AG and MAG) for

the assumption generation method proposed in [3] and our

method proposed in [7] These implementation is used to

verify some typical CBS systems to show the effectiveness

of the proposed method Our experience so far indicates

that the proposed method is potential for verifying practical

CBS

We are investigating to apply some CBS with their sizes

are larger than the sizes of the applied CBS in our

ex-periment to show the practical usefulness of our proposed

method Moreover, because the interface of the

imple-mented tools is command line, the generated assumptions

are represented in plain text Thus, we are also improving

the implemented tools which features graphical display and

developing the tools as plugins of the LTSA tool to make

our tools more usable

Acknowledgments

This work is partly supported by the research project

No CN 10 03 granted by College of Technology, Vietnam

National University, Hanoi

References

[1] D Angluin Learning Regular Sets from Queries and

Coun-terexamples Information and Computation, 75(2): 87-106,

Nov 1987

[2] E M Clarke, O Grumberg, and D Peled Model Checking.

The MIT Press, 1999

[3] J.M Cobleigh, D Giannakopoulou, and C S Pasareanu

Learning assumptions for compositional verification In Proc.

9th International Conference on Tools and Algorithms for the

Construction and Analysis of Systems (TACAS), pp 331–346,

Poland, April 2003

[4] D Giannakopoulou and C S Pasareanu Learning-based

assume-guarantee verification In Proc 12th International

SPIN Workshop on Model Checking Software, pp 282–287,

San Francisco, USA, Aug 2005

[5] P N Hung, T Aoki, and T Katayama Modular confor-mance testing and assume-guarantee verification for

evolv-ing component-based software IEICE Transactions on

Fun-damentals, E92-A(11): 2772–2780, Nov 2009.

[6] P N Hung, T Aoki, and T Katayama An effective framework for assume-guarantee verification of evolving

component-based software In Proc of the IWPSE-EVOL

Workshops, pp 109–118, ACM, New York, Aug 2009.

[7] P N Hung, T Aoki, and T Katayama A minimized assump-tion Generaassump-tion method for component-based software

ver-ification In Proc 6th International Colloquium on

Theoreti-cal Aspects of Computing (ICTAC), LNCS 5684, pp 277-291,

Springer-Verlag Berlin Heidelberg, Aug 2009

[8] P N Hung and T Katayama Modular conformance testing and assume-guarantee verification for evolving

component-based software In Proc 15th Asia-Pacific Software

Engineer-ing Conference (APSEC), pp 479–486, IEEE Computer

So-ciety, Washington, DC, Dec 2008

[9] C B Jones Tentative steps toward a development method

for interfering programs ACM Transactions on Programming

Languages and Systems (TOPLAS), 5(4): 596–619, Oct 1983.

[10] J Magee and J Kramer Concurrency: State Models & Java

Programs John Wiley & Sons, 1999.

[11] A Nerode Linear automaton transformations Proc of the

American Mathematical Society, no 9, pp 541–544, 1958.

[12] French national institute for research in computer science and control (INRIA), Objective caml, http://caml.inria.fr/ ocaml/index.en.html, 2004

[13] A Pnueli In transition from global to modular temporal

rea-soning about programs In Logics and Models of Concurrent

Systems, K R.Apt, Ed Nato Asi Series F: Computer And Sys-tems Sciences, Springer-Verlag New York, vol 13, pp 123–

144, 1985

[14] E W Stark A proof technique for rely/guarantee properties

In Proc 5th Conference on Foundations of Software Technol-ogy and Theoretical Computer Science, pp 369–391, 1985.

[15] R L Rivest and R E Schapire Inference of finite

au-tomata using homing sequences Information and

Computa-tion, 103(2): 299-347, April 1993.

[8] P N Hung and T Katayama Modular conformance testing and assume-guarantee verification for evolving

component-based software In Proc 15th Asia-Pacific Software

Engineer-ing... 2005

[5] P N Hung, T Aoki, and T Katayama Modular confor-mance testing and assume-guarantee verification for

evolv-ing component-based software IEICE Transactions on

Fun-damentals,... generating time of the generated

assump-tions are evaluated in this experiment We also evaluate the

rechecking time for each system by reusing the generated

assumptions for