DSpace at VNU: An improvement of minimized assumption generation method for component-based software verification

An Improvement of Minimized AssumptionGeneration Method for Component-based Software Verification Pham Ngoc Hung Viet-Ha Nguyen University of Engineering and Technology Vietnam National

An Improvement of Minimized Assumption

Generation Method for Component-based Software

Verification

Pham Ngoc Hung Viet-Ha Nguyen

University of Engineering and Technology

Vietnam National University, Hanoi

144 Xuan Thuy, Cau Giay, Hanoi, Vietnam

{hungpn, hanv}@vnu.edu.vn

Toshiaki Aoki Takuya Katayama

School of Information Science Japan Advanced Institute of Science & Technology 1-1 Asahidai, Nomi, Ishikawa 923-1292 Japan

{toshiaki, katayama}@jaist.ac.jp

Abstract—The minimized assumption generation has been

recognized as an improved method of the assume-guarantee

verification for generating minimal assumptions This method

is not only fitted to component-based software but also has a

potential to solve the state space explosion problem in model

checking However, the computational cost for generating the

minimal assumption is very high so the method is difficult to

be applied in practice This paper presents an optimization

as a continuous work of the minimized assumption generation

method in order to reduce the complexity of the method The

key idea of this method is to find a smaller assumption in a

sub-tree of the search tree containing the candidate assumptions

using the depth-limited search strategy With this approach,

the improved method can generate smaller assumptions with a

lower computational cost and consumption memory than the

minimized method The generated assumptions are also effective

for rechecking the systems at much lower computational cost in

the context of software evolution We have implemented a tool

supporting the improved method Experimental results are also

presented and discussed.

I INTRODUCTION The assume-guarantee verification method proposed in [3],

[4] has been recognized as a promising, incremental and fully

automatic fashion for verifying component-based software

(CBS) by model checking [2] This method decomposes a

ver-ification target about a CBS into smaller parts corresponding

to the individual components such that we can model check

each of them separately Thus, the method has a potential to

deal with the state space explosion problem in model checking

The key idea of this method is to generate an assumption such

that it is strong enough for the component to satisfy a required

property and weak enough to be discharged by the rest of the

system In order to generate such assumption, the method uses

a learning algorithm named L* [1], [9] for learning regular

languages However, the L* learning algorithm often

termi-nates before reaching this point and returns the first assumption

that satisfies the requirements of the verification For instance,

given a simple CBS made up of two componentsM1andM2,

the method proposed in [3], [4] generates an assumptionA(p)

satisfying the following formulas (called assume-guarantee

rules): A(p) M1 p and true M2 A(p) In fact, there

exists many candidate assumptions satisfying the assume-guarantee rules (e.g., M2 is a candidate assumption) The problem is how to find a minimal assumption from these can-didate assumptions because the computational cost for assume-guarantee verification of the CBS almost depends on the size

of the generated assumption Moreover, when a component

is evolved in the context of the software evolution, we can recheck the evolved CBS effectively by reusing the generated assumption with a smaller size [6] These observations imply that the sizes of the generated assumptions are of primary importance and it should be minimized Furthermore, the assumptions generated by the assume-guarantee verification method proposed in [3], [4] are not minimal [5]

The minimized assumption generation method proposed

in [5] focuses on solving the above problem by considering the candidate assumptions as a search tree and finding a minimal assumption using the breadth-first search strategy However, the complexity of this method is very high because it finds the minimal assumption in the whole search tree containing all possible candidate assumptions As a result, the minimized assumption generation method is unpractical for verifying CBS In this method, the size of a candidate assumption corresponds to it’s depth in the search tree Moreover, the assume-guarantee verification method is only effective when the size of the generated assumption is less than the size of the componentM2 (i.e.,|A(p)| < |M2|) Thus, we only need

to find an assumption with it’s size less than|M2|.

This paper presents an improved method for optimizing the minimized assumption generation method proposed in [5] in order to reduce the complexity of the method In this method, instead of using the breadth-first search strategy in the whole search space of observation tables as a search tree, we use the depth-limited search (DLS) for finding an assumption

in a sub-tree of the search tree with the maximum depth

dmax = |M2| With this approach, the improved method

can generate smaller assumptions with a lower computational cost and consumption memory than the minimized method Although the assumptions generated by the improved method may not minimal in some cases, they have smaller sizes

978-1-4673-0309-5/12/$31.00 ©2012 IEEE

than the sizes of the assumptions generated by the

assume-guarantee verification method proposed in [3], [4] As a result,

the generated assumptions are also effective for rechecking the

whole systems at much lower computational cost in the context

of software evolution [6]

The rest of this paper is organized as follows We first

describes the L*-based assumption generation method in

Section II Section III introduces our previous work about

minimized assumption generation method We present an

op-timization of the minimized assumption generation method in

Sect IV Section V shows experimental results and discussion

Finally, we conclude the paper in Sect VI

II L*-BASEDASSUMPTIONGENERATIONMETHOD

The assume-guarantee paradigm is a powerful

“divide-and-conquer” mechanism for decomposing a verification target of a

CBS system into smaller parts corresponding to the individual

components such that we can check each of them separately

Consider a simple case where a CBS system is made up of

two components including a frameworkM1and an extension

M2 The goal of this method is to verify whether this system

satisfies a propertyp without composing M1withM2 For this

purpose, an assumptionA(p) is generated [3] by applying the

L* learning algorithm such that A(p) is strong enough for

M1 to satisfy p but weak enough to be discharged by M2

(i.e., the assume-guarantee rules both hold) If we can find a

such assumption, this system satisfiesp.

For the described purpose, this method applies the

assume-guarantee rules in an iterative fashion illustrated in Fig 1

At each iteration i, a candidate assumption A i is produced

based on some knowledge about the system and the results of

the previous iterations The two steps of the assume-guarantee

rules are then applied Step 1 checks whetherM1satisfiesp in

an environment that guaranteesA i by computing the formula

A i  M1p If the result is false, it means that this candidate

assumption is too weak for M1 to satisfy p The candidate

assumption A i therefore must be strengthened with the help

of the produced counterexample cex Otherwise, the result is

true In this case, A i is strong enough for the property to be

satisfied Then the step 2 is applied for checking whether the

component M2satisfies A i by computing the formulatrue

M2A i  If this step returns true, the property p holds in the

Fig 1 An iterative fashion for L*-based assumption generation.

Fig 2 A counterexample proves that the assumptions generated in [3] are not minimal.

compositional system M1M2 and the algorithm terminates Otherwise, this step returns f alse In this case, a further

analysis is required to identify whetherp is indeed violated in

M1M2 or the candidate A i is too strong to be satisfied by

M2 Such analysis is based on the produced counterexample

cex For the purpose, the L* algorithm must check whether

the counterexample cex belongs to the unknown language

U = L(A W ) If it does not, the property p does not hold in the

systemM1M2 Otherwise,A iis too strong forM2to satisfy. The consequence of this is the candidate assumptionA imust

be weakened (i.e., behaviors must be added with the help of

cex) in the next iteration i + 1 A new candidate assumption

may of course be too weak, and therefore the entire process must be repeated

III MINIMIZEDASSUMPTIONGENERATIONMETHOD

As mentioned in Sect I, given a simple CBS system containing two componentsM1andM2, the assume-guarantee verification method proposed in [3], [4] is only effective for checking the system when the size of the generated assumption

is less than the size of the component M2 Thus, the size

of the generated assumptions should be minimized However, the assumptions generated by the method proposed in [3], [4] are not minimal Figure 2 shows a counterexample to witness this fact In this counterexample, given two component models

M1 (Input) and M2(Output), and a required property p, the

method proposed in [3] generates the assumptionA(p) which

has five states, whereas there is a smaller assumption with it’s size is two states This section presents our previous work proposed in [5] in order to generate minimal assumptions for assume-guarantee verification of component-based software

A Answering Membership Queries

We use the L* algorithm for learning the language of the weakest assumptionA W over the alphabetΣ = (αM1∪ αp) ∩

αM2[4] and produces a DFA that accepts it in order to gener-ate an assumption that satisfies the assume-guarantee rules For this purpose, L* builds an observation table(S, E, T ) where S

andE are a set of prefixes and suffixes respectively, both over

Σ∗.T is a function which maps (S ∪ S.Σ).E to {true, f alse},

where the operator “.” is defined as follows

Definition 1: (Operation “.”) Given two sets of event

se-quences P and Q, P Q = {pq | p ∈ P, q ∈ Q}, where pq

presents the concatenation of the event sequencesp and q.

Fig 3 The reason shows why the assumptions generated in [3] are not

minimal.

The function for answering membership queries used in the

method proposed in [3] is defined as follows

Definition 2: (Function for answering membership queries).

Given an observation table (S, E, T ), T is a function which

maps (S ∪ S.Σ).E to {true, f alse} such that for any string

s ∈ (S ∪ S.Σ).E, T (s) = true if s ∈ L(A W ), and false

otherwise

We find out the reason why the assumptions generated by

the method in [3] are not minimal shown in Fig 3 Let s

be a sequence of actions, A(p) be the assumption generated

by the method in [3], and L(A m(p)) be the minimized

assumption being learned In the case where s ∈ L(A W) but

s ∈ L(A m(p)), the method sets T (s) to true (in this case,

T (s) should be f alse) It means that if s ∈ L(A W), then

we do not know whether s belongs to the language being

learned The consequence of this is the assumption generated

A(p) contains such strings/traces which do not belong to the

language of the minimized assumption being learned

In order to solve the above problem, we use a new value as

“don’t know” value denoted “?” to represent the value ofT (s)

in such cases We define an improved technique for answering

membership queries as follows For the purpose to generate

a minimal assumption, the L* learning algorithm builds an

observation table(S, E, T ) T is a function which maps (S ∪

S.Σ).E to {true, f alse, “?”} The “don’t know” value means

that for each string s ∈ (S ∪ S.Σ).E, even if s ∈ L(A W),

we do not know whether s belongs to the language of the

assumption being learned This function is defined as follows

Definition 3: (Improved function for answering

member-ship queries) Given an observation table (S, E, T ), T is a

function which maps (S ∪ S.Σ).E to {true, f alse, “?”} such

that for any string s ∈ (S ∪ S.Σ).E, if s is the empty string

(s = λ) then T (s) = true, else T (s) = f alse if s / ∈ L(A W),

and “?” otherwise

B Minimal Assumption Generation

The purpose of the minimized assumption generation

method is to find an assumption where it has a smallest

size that satisfies the assume-guarantee rules in a search

space This search space is seen as a search tree

contain-ing observation tables Such observation tables are used to

generate the candidate assumptions The root of this search

tree is the initial observation table corresponding the strongest

candidate assumption We use the breadth-first search strategy

because this strategy ensures that the generated assumption

is minimal [5] This method is an improvement of the

L*-based assumption generation method proposed in [3], [4] With

the approach, the minimized method can generate minimal

assumptions which have the smallest sizes and smaller

num-Fig 4 The initial observation table and one of its instances.

Fig 5 The generated candidate assumptions.

bers of transitions than the assumptions generated by the L*-based assumption generation method proposed in [3] These minimal assumptions generated by the proposed method can

be used to recheck the whole CBS by checking the assume-guarantee rules at much lower computational costs, specially

in the context of software evolution Details of the algorithm for generating minimal assumptions of this method and it’s characteristics can be found in [5]

Example 1: Given M1, M2, and the required property p

shown in Fig 2, the Algorithm 1 proposed in [5] starts to generate a minimal assumption from the initial observation table presented in Fig 4 At the first iteration, the algorithm producesA1shown in Fig 5 as a candidate minimal assump-tion The step 1 is applied and the procedureStep1(A1) fails with a counterexample cex = send ack A suffix e = ack

is added to E1 for producing the next candidate assumption

A2 presented in Fig 2 This candidate satisfies both steps in the algorithm (i.e., Step1(A2) and Step2(A2) return true).

Therefore, the proposed algorithm terminates and returns A2

as the minimal assumption

IV IMPROVEMENT OF THEMINIMIZEDASSUMPTION

GENERATIONMETHOD Consider again the simple case where a system is made

up of two components including a framework M1 and an extension M2 Our goal is to verify whether this system satisfies a required property p without composing M1 with

M2 For this purpose, the algorithm proposed in [5] generates

a minimal assumption which satisfies the assume-guarantee rules by using the breadth-first search strategy in a search tree The algorithm uses a queue data structure which contains the

generated observation tables with the first-in first-out order.

However, the queue holds an exponentially growing of the number of the observation tables because the algorithm tries

to explore all possible candidate assumptions As a result, the method is difficult to be applied in practice In order to reduce the complexity of the method, we replace the breadth-first search with the depth-limited search (DLS) as an improved algorithm namedDLS(dmax) for generating an assumption

which satisfies the assume-guarantee rules In the algorithm shown in Algorithm 1, the size of a candidate assumption corresponds to it’s depth in the search tree Moreover, the assume-guarantee verification method is only effective when

the size of the generated assumption is less than the size of

the component M2 Thus, instead of finding an assumption in

the whole search space of observation tables as a search tree,

the algorithm only finds an assumption in a sub-tree of the

search tree with the maximum depth dmax = |M2|.

We use a stack data structure which contains the generated

observation tables with the last-in first-out order for

imple-menting the depth-limited search strategy These observation

tables are used for generating the candidate assumptions

Only a path from the root of the search tree (i.e., the initial

observation table named OT0) to the current instance has to

be kept in the stacks Thus, the improved algorithm can use a

much lower consumption memory than the minimized method

proposed in [5] The improved algorithmDLS(dmax) returns

an assumption A(p) with a smaller size than the size of the

assumption generated in [3] if M1M2 satisfies p It returns

a counterexample cex if M1M2 violates p Otherwise, it

returns a value named notf ound to show that DLS(dmax)

cannot find any assumption in the search space with the depth

limit dmax In this case, the assume-guarantee approach is

not effective for verifying the system

At the beginning of the algorithm, the stack s is set as

the empty stack initially (line 1) The algorithm then puts the

initial observation table OT0 = (S0, E0, T0) into the top of

the stack s as the root of the search space containing the

observation tables, where S0 = E0 = {λ} (λ represents the

empty string) (line 2) We also set the depth of OT0 to 0

(line 3) The algorithm iterates the entire process for finding

an assumption by looping from line 4 to line 43 until the stack

s is empty or an assumption is generated or a counterexample

is found At the beginning of the loop, the algorithm gets an

observable table OT i from the top of the stack s (line 5).

If the depth of OT i is greater than the depth limit dmax,

the algorithm terminates and returns the value notf ound to

show that we cannot find an assumption in the search space

with the depth limitdmax (line 41) Otherwise, we check that

whether OT i contains the “don’t know” value “?” (line 7) If

this is so, we compute all instances ofOT i as it’s children in

the search tree by replacing all “?” entries in OT i with both

true and f alse (line 8) The obtained instances then are put

into the top of the stack s (line 9) and their depth is set to

depth(OT i) + 1 (line 10) In the case where the observable

table OT i does not contain the “?” value (line 12), if OT i

is not closed (line 13) then OT i is updated to be closed by

calling the procedure named make closed(OT i) (line 14).

The obtained closed table OT then is put into the top of s

(line 15) and it’s depth is set to depth(OT i) + 1 (line 16)

If OT i which is gotten from top of s is closed (line 17), a

candidate assumption A i is generated from OT i (line 18).

In this case, we have to check whether the generated A i

satisfies the assume-guarantee rules For this purpose, the step

1 is applied by calling the procedure named Step1(A i) for

checking whether A i is strong enough forM1 to satisfyp by

computing the formula A i  M1 p If Step1(A i) fails with

a counterexample cex (line 19) then A i is too weak for M1

to satisfyp As a result, A iis strengthened by adding a suffix

Algorithm 1 DLS(dmax)

Input: dmax: the given depth limit for the depth-limited

search

Output: A(p) or cex or notf ound

1: Initially, s = empty {s is an empty stack}

2: s.push(OT0) {putting OT0 into the top of s, where

OT0= (S0, E0, T0), S0= E0= {λ}, and λ is denoted to

the empty string}

3: depth(OT0) = 0 4: while s = empty do

5: OT i = s.pop() {getting OT i from the top ofs}

6: if depth(OT i ) ≤ dmax then

7: if OT i contains “?” value then

8: for each instanceOT of OT i do

9: s.push(OT ) {putting OT into the top of s}

10: depth(OT ) = depth(OT i) + 1

11: end for

12: else

13: if OT i is not closed then

14: OT = make closed(OT i)

15: s.push(OT ) {putting OT into the top of s}

16: depth(OT ) = depth(OT i) + 1

18: construct a candidate DFA A i from the closed

OT i

19: if Step1(A i ) fails with cex then

20: add the suffixe of the counterexample cex to

E i

22: s.push(OT ) {putting OT into the top of s}

23: depth(OT ) = depth(OT i) + 1

25: ifStep2(A i) fails with cex then

26: ifcex witnesses violation of p then

cex to E i

31: s.push(OT ) {putting OT into the top of

s}

32: depth(OT ) = depth(OT i) + 1

38: end if

39: end if

40: else

41: return notf ound

42: end if

43: end while

e of cex that witnesses a difference between L(A i) and the

language of the assumption being learned to E i of the table

OT i (line 20) The consequence of this task is the table OT i

must be updated by calling the procedure namedupdate(OT i)

(line 21) The updated tableOT then is put into the top of s

(line 22) and it’s depth is set to depth(OT i) +1 (line 23) In the

case whereStep1(A i ) returns true (line 24), the generated A i

is strong enough forM1to satisfy the required propertyp The

step2 is then applied for checking whether A iis week enough

to be discharged byM2 by computing the formulatrue M2

A i  If Step2(A i ) fails with a counterexample cex (line 25),

a further analysis is required to identify whether p is indeed

violated in the compositional system M1M2 or A i is too

strong to be satisfied by M2 Such analysis is based on the

obtained counterexample cex If cex witnesses the violation

ofp in the system M1M2(line 26), the algorithm terminates

and returns cex (line 27) Otherwise, A i is too strong to be

satisfied by M2 (line 28) In order to deal with this case, the

candidate assumption A i is weakened by adding a suffixe of

cex to E i of the table OT i (line 29) As a result, the table

OT i must be updated by calling the procedure update(OT i)

(line 30) The updated tableOT from OT ithen is put into the

top of the stacks (line 31) and it’s depth is set to depth(OT i)

+ 1 (line 32) If Step2(A i ) returns true (line 34) then the

propertyp holds in the compositional system M1M2 In this

case, the algorithm terminates and returnsA ias the generated

assumption (line 35)

V EXPERIMENT ANDDISCUSSION

A Experiment

In order to evaluate effectiveness of the improved method,

we have implemented the assumption generation method

pro-posed in [3], the minimized assumption generation method

proposed in [5], and the improved method in a functional

programming language named Objective Caml (OCaml) [8]

We tested our method by using several typical systems (i.e.,

five versions of the gas oven control system (GOCS), the

automobile cruise control system (ACCS), three versions of

the concurrent Input/Output system (I/O), a version of the

banking sub-system (BS), and the Peterson problem) For each

system, we compared the improved method with that proposed

in [3] and the minimized method in [5] In this experiment,

the size, the number of transitions, and the generating time of

the generated assumptions are evaluated We do not evaluate

memory costs in this experiment because the memory

com-plexity of depth-first search (used in the improved method) is

always much lower than the breadth-first search (used in the

minimized method) Table I shows experimental results for the

purpose In the results, the system size is the product of the

sizes of the software components and the size of the required

property for each applied system The - sign stands for

“out-of-time-and-patience” (more than one hour of computation) or

“out-of-memory”

Although the assumptions generated by the improved

method may be not minimal assumptions comparing with

the assumption generated by the minimized method in [5], the obtained experimental results imply that the assumptions generated by the improved method have smaller sizes and number of transitions than the generated ones by the method proposed in [3] In some applied systems, the generated assumptions of the improved method are minimal Moreover, the improved method generates the assumptions with a lower time than the minimized method proposed in [5] (excepting the applied system GOCS ver 5) Specially, in some cases (i.e., GOCS ver 4, I/O ver 3, BS ver 2, and Peterson), the improved method generated the smaller assumptions with lower times whereas the minimized method is “out-of-time-and-patience” or “out-of-memory” This fact is clear to show the effectiveness of the improved method

The implemented tool and the applied systems which are used in our experimental results are available at the site http://www.uet.vnu.edu.vn/∼hungpn/IMAGTool/.

In order to check the correctness of the assumptions which are generated by the implemented tools, we use the tool for verifying concurrent systems named LTSA [7] In the LTSA tool, for each generated assumption A(p), we check

whether A(p) satisfies the assume-guarantee rules For each

compositional system, the LTSA tool returns the same result

as our verification result for the corresponding system With these obtained results, we can ensure the correctness of the implemented tools

B Discussion

When verifying large-scale CBS, even the behaviors of the software components are very complex, our work only focuses on the observable behaviors of each component This means that the components are seen as black-boxes and we

do not consider the inside behaviors of these components Thus, the sizes of the models describing behaviors of large-scale components are not so great As mentioned above, the minimized assumption generation method proposed in [5] has been recognized as an important optimization of the assume-guarantee verification for generating minimal assumptions These minimal assumptions can be used to recheck the whole system at much lower computational cost, specially in the context of software evolution However, the method is un-practical due to it’s high complexity The improved method presented in this paper is a potential solution to deal with the problem In the experiment shown in Table I, for any applied system, the improved method often produces an assumption with a lower generating time than the minimized method The experimental results are clear to show the limitations of the minimized method In some applied systems, the minimized method is out of memory or runs a long time, while the improved method terminates with a short generating time With this approach, we hope that the improved method is potential for verifying practical CBS However, we did not perform big experiment but we think that this is another issue Moreover, the method proposed in [3] usually generates the assumptions at a lower generating time If we are not interested

in the above advantages, the method proposed in [3] is better

TABLE I

E XPERIMENTAL RESULTS

Applied Systems Sys.

AG Method Minimized AG Method Improved MAGM

Ass Trans Generating Ass Trans Generating Ass Trans Generating Size Size of Ass Time (ms) Size of Ass Time (ms) Size of Ass Time (ms)

than our methods for generating assumptions Otherwise, the

smaller assumptions generated by the improved method are

effective for rechecking the systems with a lower cost in the

context of the component evolution [6]

However, the generated assumptions by the improved

method may not minimal An idea to solve this issue is using

the iterative-deepening depth first search This search strategy

combines the space efficiency of the depth-first search with

the optimality of breadth-first search It proceeds by running a

depth-limited depth-first search repeatedly, each time

increas-ing the depth limit by one The assumptions generated by usincreas-ing

this search strategy are still minimal We are investigating to

implement the idea in order to compare it’s effectiveness with

the minimized method Moreover, the improved method only

focuses on optimizing the size of the generated assumption

With a same alphabet, a minimal assumption with a smallest

size does not correspond to the minimal language Instead

of focusing on the size, it should be better to focus on the

weakness of the language of the generated assumptions

VI CONCLUSION

We have presented an improved method for

assume-guarantee verification of component-based software in order to

reduce the complexity of the minimized assumption generation

method proposed in [5] The key idea of the improved method

is to find a smaller assumption that satisfies the

assume-guarantee rules in a sub-tree of the search tree containing

all possible candidate assumptions using the depth-limited

search strategy With this approach, the improved method can

generate assumptions with a lower computational cost than

the minimized method in most cases Moreover, the improved

method also uses a smaller consumption memory because

it uses the depth-limited search Although the assumptions

generated by the improved method may not minimal in some

cases, they have smaller sizes than the assumptions generated

by the method proposed in [3] As a result, the generated

assumptions are useful for rechecking the systems effectively

in the context of software evolution We have implemented

three tools corresponding to the assumption generation method

proposed in [3], the minimized assumption generation method

proposed in [5], and the improved method These support tools

are used to verify some typical component-based software in order to show the effectiveness of the improved method

We are continuous to improve our method in order to gen-erate minimal assumptions with a lower cost and applying for some other systems where their sizes are bigger than the sizes

of the applied systems in our experiment to show the practical usefulness of the improved method Moreover, the presented methods only focus on checking the CBS systems where their components can be represented by LTSs We are going

to apply other specification methods to model behaviors of software components, e.g., modal transition systems (MTSs) Furthermore, the improved method focuses only on optimizing the size of the generated assumptions Instead of focusing on the size, it should be better to focus on the languages of the generated assumptions

ACKNOWLEDGMENTS This work is supported by the research project no 102.02– 2010.06 granted by Vietnam National Foundation for Science and Technology Development (Nafosted)

REFERENCES [1] D Angluin, “Learning regular sets from queries and counterexamples”, Information and Computation, vol 75, no 2, pp 87-106, Nov 1987 [2] E M Clarke, O Grumberg, and D Peled, Model Checking, The MIT Press, 1999.

[3] J.M Cobleigh, D Giannakopoulou, and C Pasareanu, “Learning assump-tions for compositional verification”, Proc 9th TACAS, pp 331–346, Poland, April 2003.

[4] D Giannakopoulou, C Pasareanu, and H Barringer, “Assumption gen-eration for software component verification”, Proc 17th IEEE Int Conf.

on Automated Softw Eng., pp 3–12, Edinburgh, UK, Sept 2002 [5] P N Hung, T Aoki, and T Katayama, “A minimized assumption generation method for component-based software verification”, Proc 6th International Colloquium on Theoretical Aspects of Computing (ICTAC), LNCS 5684, pp 277-291, Springer-Verlag Berlin Heidelberg, Aug 2009 [6] P N Hung and T Katayama, “Modular conformance testing and assume-guarantee verification for evolving component-based software”, Proc 15th Asia-Pacific Softw Eng Conf (APSEC), pp 479–486, IEEE Computer Society, Washington, DC, Dec 2008.

[7] J Magee and J Kramer, Concurrency: State Models & Java Programs, John Wiley & Sons, 1999.

[8] French national institute for research in computer science and control (INRIA), Objective caml, http://caml.inria.fr/ocaml/index.en.html, 2004 [9] R L Rivest and R E Schapire, “Inference of finite automata using homing sequences”, Information and Computation, vol 103, no 2,

pp 299-347, April 1993.