## Symbolic compositional verification by learning assumptions (2005)

Venue: In CAV

Citations: 52 (7 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Alur05symboliccompositional,
  author    = {Rajeev Alur and P. Madhusudan and Wonhong Nam},
  title     = {Symbolic compositional verification by learning assumptions},
  booktitle = {In CAV},
  year      = {2005},
  pages     = {548--562},
  publisher = {Springer}
}
```

### Abstract

The verification problem for a system consisting of components can be decomposed into simpler subproblems for the components using assume-guarantee reasoning. However, such compositional reasoning requires user guidance to identify appropriate assumptions for components. In this paper, we propose an automated solution for discovering assumptions based on the L* algorithm for active learning of regular languages. We present a symbolic implementation of the learning algorithm, and incorporate it in the model checker NuSMV. Our experiments demonstrate significant savings in the computational requirements of symbolic model checking.

### Citations

- [1298] Symbolic Model Checking. McMillan, 1993.
  Citation context: ...the communication variables belongs to the desired assumption. We implement this as a symbolic invariant verification query that checks whether the module M1 composed with the sequence σ satisfies ϕ [16]. For an equivalence query, given a current conjecture assumption A, we first test whether M1 composed with A satisfies ϕ using symbolic state-space exploration. If not, the counter-example provided b...

- [1050] An efficient heuristic procedure for partitioning graphs. Kernighan, Lin, 1970.
  Citation context: ...arising in various domains including VLSI, databases and data mining show that hMETIS produces partitions that are consistently better than those produced by other widely used algorithms, such as KL [27] and FM [16]. In addition, it is fast enough to produce high quality bisections of hypergraphs with 100,000 vertices in 3 minutes [25]. 4 L* algorithm. According to the literature on active learning for...

- [708] Symbolic model checking without BDDs. Biere, Cimatti, et al., 1999.
  Citation context: ...It is worth pointing out that, while our prototype uses BDD-based state-space exploration, the approach can easily be adopted to permit other model checking strategies such as SAT-based model checking [8, 18] and counterexample guided abstraction refinement [15, 11]. Related Work. Compositional reasoning using assume-guarantee rules has a long history in the formal verification literature [22, 13, 1, 4, 1...

- [603] Counterexample-guided abstraction refinement. Clarke, Grumberg, et al.
  Citation context: ...BDD-based state-space exploration, the approach can easily be adopted to permit other model checking strategies such as SAT-based model checking [8, 18] and counterexample guided abstraction refinement [15, 11]. Related Work. Compositional reasoning using assume-guarantee rules has a long history in the formal verification literature [22, 13, 1, 4, 17, 14, 19]. While such reasoning is supported by some tool...

- [594] An Introduction to Computational Learning Theory. Kearns, Vazirani, 1994.
  Citation context: ...accepting the language by asking membership and equivalence queries to a teacher. This algorithm had been introduced by Angluin [7], but later its efficiency was improved by Rivest and Schapire [37] (see [26] for a gentle introduction to these algorithms). In this paper, we employ the improved version. The algorithm infers the structure of the DFA by asking a teacher membership and equivalence queries. Fi...

- [536] Conjoining Specifications. Abadi, Lamport, 1995.
  Citation context: ...checking [8, 18] and counterexample guided abstraction refinement [15, 11]. Related Work. Compositional reasoning using assume-guarantee rules has a long history in the formal verification literature [22, 13, 1, 4, 17, 14, 19]. While such reasoning is supported by some tools (e.g. Mocha [5]), the challenging task of finding the appropriate assumptions is typically left to the user and...

- [510] Learning regular sets from queries and counterexamples. Angluin, 1987.
  Citation context: ...s, then the assumption A can be viewed as a language over the alphabet 2^X. We compute this assumption using the L* algorithm for learning a regular language using membership and equivalence queries [6, 21]. The learning-based approach ⋆ This research was partially supported by ARO grant DAAD19-01-1-0473, and NSF grants ITR/SY 0121431 and CCR0306382. K. Etessami and S.K. Rajamani (Eds.): CAV 2005, LNCS ...

- [427] A linear-time heuristic for improving network partitions. Fiduccia, Mattheyses, 1982.
  Citation context: ...in various domains including VLSI, databases and data mining show that hMETIS produces partitions that are consistently better than those produced by other widely used algorithms, such as KL [27] and FM [16]. In addition, it is fast enough to produce high quality bisections of hypergraphs with 100,000 vertices in 3 minutes [25]. 4 L* algorithm. According to the literature on active learning for regular l...

- [416] Computer-aided verification of coordinated processes - an automata theoretic approach. Kurshan, 1994.
  Citation context: ...BDD-based state-space exploration, the approach can easily be adopted to permit other model checking strategies such as SAT-based model checking [8, 18] and counterexample guided abstraction refinement [15, 11]. Related Work. Compositional reasoning using assume-guarantee rules has a long history in the formal verification literature [22, 13, 1, 4, 17, 14, 19]. While such reasoning is supported by some tool...

- [272] Model Checking and Modular Verification. Grumberg, Long, 1994.
  Citation context: ...checking [8, 18] and counterexample guided abstraction refinement [15, 11]. Related Work. Compositional reasoning using assume-guarantee rules has a long history in the formal verification literature [22, 13, 1, 4, 17, 14, 19]. While such reasoning is supported by some tools (e.g. Mocha [5]), the challenging task of finding the appropriate assumptions is typically left to the user and...

- [241] Multilevel Hypergraph Partitioning: Application in VLSI Domain. Karypis, Aggarwal, et al., 1997.
  Citation context: ...table for compositional reasoning, either in terms of the number of components or the partitioning of functionality among components. Our solution is based on an algorithm for hypergraph partitioning [24, 25]. Given a system S with a set of variables X and a desired number n of components, we decompose the set X into n disjoint subsets X1,...,Xn so that each set Xi contains approximately the same number o...

- [168] Inference of finite automata using homing sequences. Rivest, Schapire, 1993.
  Citation context: ...s, then the assumption A can be viewed as a language over the alphabet 2^X. We compute this assumption using the L* algorithm for learning a regular language using membership and equivalence queries [6, 21]. The learning-based approach ⋆ This research was partially supported by ARO grant DAAD19-01-1-0473, and NSF grants ITR/SY 0121431 and CCR0306382. K. Etessami and S.K. Rajamani (Eds.): CAV 2005, LNCS ...

- [156] MOCHA: Modularity in model checking. Alur, Henzinger, et al.
  Citation context: ...Compositional reasoning using assume-guarantee rules has a long history in the formal verification literature [22, 13, 1, 4, 17, 14, 19]. While such reasoning is supported by some tools (e.g. Mocha [5]), the challenging task of finding the appropriate assumptions is typically left to the user and only a few attempts have been made to automate the assumption ge...

- [128] Multilevel k-way hypergraph partitioning. Karypis, Kumar, 2000.
  Citation context: ...table for compositional reasoning, either in terms of the number of components or the partitioning of functionality among components. Our solution is based on an algorithm for hypergraph partitioning [24, 25]. Given a system S with a set of variables X and a desired number n of components, we decompose the set X into n disjoint subsets X1,...,Xn so that each set Xi contains approximately the same number o...

- [126] Applying SAT methods in unbounded symbolic model checking. McMillan, 2002.
  Citation context: ...It is worth pointing out that, while our prototype uses BDD-based state-space exploration, the approach can easily be adopted to permit other model checking strategies such as SAT-based model checking [8, 18] and counterexample guided abstraction refinement [15, 11]. Related Work. Compositional reasoning using assume-guarantee rules has a long history in the formal verification literature [22, 13, 1, 4, 1...

- [110] Synthesis of interface specifications for Java classes. Alur, Cerny, et al.
  Citation context: ...in formal verification besides automating assume-guarantee reasoning: our software verification project JIST uses predicate abstraction and learning to synthesize (dynamic) interfaces for Java classes [2]; [23] uses learning to compute the set of reachable states for verifying infinite-state systems; while [20] uses learning for black box checking, that is, verifying properties of partially specified ...

- [106] Learning assumptions for compositional verification. Cobleigh, Giannakopoulou, et al.
  Citation context: ...automatically constructing assumptions using game-theoretic techniques). Our work is inspired by the recent series of papers by the researchers at NASA Ames on compositional verification using learning [12, 7]. Compared to these papers, we believe that our work makes three contributions. First, we present a symbolic implementation of the learning algorithm, and this is essential since the alphabet is expon...

- [97] You assume, we guarantee: Methodology and case studies. Henzinger, Qadeer, et al., 1998.
  Citation context: ...checking [8, 18] and counterexample guided abstraction refinement [15, 11]. Related Work. Compositional reasoning using assume-guarantee rules has a long history in the formal verification literature [22, 13, 1, 4, 17, 14, 19]. While such reasoning is supported by some tools (e.g. Mocha [5]), the challenging task of finding the appropriate assumptions is typically left to the user and...

- [93] NuSMV Version 2: An OpenSource Tool for Symbolic Model Checking. Cimatti, Clarke, et al., 2002.
  Citation context: ...automaton are maintained compactly using ordered BDDs [9] for processing the communication variables. For evaluating the proposed approach, we modified the state-of-the-art symbolic model checker NuSMV [10]. In Section 5, we report on a few examples where the original models contain around 100 variables, and the computational requirements of NuSMV are significant. The only manual step in the current pro...

- [93] Development methods for computer programs including a notion of interference. Jones, 1981.
  Citation context: ...symbolic alphabet clustering and iterative counter-example driven localized partitioning. Compositional reasoning using assume-guarantee rules has a long history in the formal verification literature [1, 2, 19, 21, 23, 29, 31, 34, 36, 40]. While such reasoning is supported by some tools (e.g. MOCHA [3]), the challenging task of finding the appropriate assumptions is typically left to the user and only a few attempts have been made to ...

- [85] Assumption generation for software component verification. Giannakopoulou, Păsăreanu, et al., 2002.
  Citation context: ...n if the assumption A satisfies Pr1-S (i.e. S[X1]‖A |= ϕ), and an assumption A is called an appropriate assumption if the assumption A satisfies both of Pr1-S and Pr2-S. The weakest safe assumption W [18] is a module such that S[X1]‖W |= ϕ and L(W) ⊇ L(A) for every safe assumption A (i.e. S[X1]‖A |= ϕ). For a given module and a safety property, it is easy to see that W is guaranteed to exist, and is ...

- [69] A compositional rule for hardware design refinement. McMillan, 1997.

- [53] A proof technique for rely/guarantee properties. Stark, 1985.

- [41] Black box checking. Peled, Vardi, et al.
  Citation context: ...uses predicate abstraction and learning to synthesize (dynamic) interfaces for Java classes [2]; [23] uses learning to compute the set of reachable states for verifying infinite-state systems; while [20] uses learning for black box checking, that is, verifying properties of partially specified implementations. 2 Symbolic Modules. In this section, we formalize the notion of a symbolic module, the notio...

- [35] Automating modular verification. Alur, Alfaro, et al., 1999.
  Citation context: ...nging task of finding the appropriate assumptions is typically left to the user and only a few attempts have been made to automate the assumption generation (in [3], the authors present some heuristics for automatically constructing assumptions using game-theoretic techniques). Our work is inspired by the recent series of papers by the researchers at NASA Ames o...

- [31] Graph-based algorithms for boolean-function manipulation. Bryant, 1986.
  Citation context: ...propose a symbolic implementation of the L* algorithm where the required data structures for representing membership information and the assumption automaton are maintained compactly using ordered BDDs [9] for processing the communication variables. For evaluating the proposed approach, we modified the state-of-the-art symbolic model checker NuSMV [10]. In Section 5, we report on a few examples where t...

- [27] Proof Rules for Automated Compositional Verification through Learning. Barringer, Giannakopoulou, et al.
  Citation context: ...automatically constructing assumptions using game-theoretic techniques). Our work is inspired by the recent series of papers by the researchers at NASA Ames on compositional verification using learning [12, 7]. Compared to these papers, we believe that our work makes three contributions. First, we present a symbolic implementation of the learning algorithm, and this is essential since the alphabet is expon...

- [24] On the completeness of compositional reasoning. Namjoshi, Trefler, 2000.

- [20] Reactive Modules. Formal Methods. Alur, Henzinger, 1999.

- [16] Learning regular languages from counterexamples. Ibarra, Jiang, 1988.
  Citation context: ...s they use: (1) a teacher answering membership and equivalence queries [7, 37], and (2) a teacher answering only equivalence queries but she always provides the lexicographically first counterexample [10, 22]. To the best of our knowledge, the best result of the first techniques requires O(|Σ|n^2 + n log m) membership queries and at most n − 1 equivalence queries, where n is the number of states in the tar...

- [14] Breaking up is hard to do: An investigation of decomposition for assume-guarantee reasoning. Cobleigh, Avrunin, et al.
  Citation context: ...consider the problem of substituting one component with another and how to reuse the conjecture machines computed in the original version while checking properties of the revised version; Cobleigh et al. [15] report several experiments to test whether assume-guarantee reasoning could provide an advantage over monolithic verification. The work of Vardhan et al. [41, 42] uses learning to compute the set of ...

- [13] Learning-based symbolic assume-guarantee reasoning with automatic decomposition. Nam, Alur.
  Citation context: ...main problem of compositional reasoning is to identify appropriate assumptions for all the components so that the assumption checking phase will succeed, and one promising solution is based on learning [6, 8, 14, 17, 32]. If a component Mi communicates with its environment via a set IOi of boolean variables, then the assumption Ai can be viewed as a language over the alphabet 2^IOi. The assumption checking constrain...

- [9] SAT-based compositional verification using lazy learning. Sinha, Clarke, 2007.
  Citation context: ...solver, a k-state automaton with the guarantee that the minimal DFA for every language between the lower and upper bounds for the language we are hoping to learn has at least k states. Sinha and Clarke [39] propose a lazy approach to assumption learning, which avoids an explicit enumeration of the exponential alphabet set by using symbolic alphabet clustering and iterative counter-example driven localiz...

- [6] Modularity in model checking (Mocha), 1998.

- [6] NuSMV version 2: An opensource tool for symbolic model checking. Cimatti, Clarke, Giunchiglia E, Giunchiglia F, Pistore M, Roveri M, Sebastiani R, Tacchella A, 2002.
  Citation context: ...a witness of the requirement ϕ, the algorithm will stop and use it to prove the property. We present our implementations of the automated compositional reasoning using a symbolic model checker NUSMV [12]. In our context, the size of the alphabet itself grows exponentially with the number of communication variables. Consequently, we propose a symbolic implementation of the L* algorithm where the requ...

- [3] Synthesis of interface specifications for Java classes. Alur, Cerný P, Madhusudan P, Nam W, 2005.
  Citation context: ...Cobleigh et al., the use of learning algorithms has been further developed by many researchers: Alur et al. use predicate abstraction and learning to synthesize (dynamic) interfaces for Java classes [5]; Sharygina et al. [38] consider the problem of substituting one component with another and how to reuse the conjecture machines computed in the original version while checking properties of the revis...

- [3] Learning assumptions for compositional verification. Cobleigh, Giannakopoulou, et al., 2003.
  Citation context: ...main problem of compositional reasoning is to identify appropriate assumptions for all the components so that the assumption checking phase will succeed, and one promising solution is based on learning [6, 8, 14, 17, 32]. If a component Mi communicates with its environment via a set IOi of boolean variables, then the assumption Ai can be viewed as a language over the alphabet 2^IOi. The assumption checking constrain...

- [2] Actively learning to verify safety properties for FIFO automata. Vardhan, Sen, et al., 2004.
  Citation context: ...formal verification besides automating assume-guarantee reasoning: our software verification project JIST uses predicate abstraction and learning to synthesize (dynamic) interfaces for Java classes [2]; [23] uses learning to compute the set of reachable states for verifying infinite-state systems; while [20] uses learning for black box checking, that is, verifying properties of partially specified implem...

- [1] Reactive modules. Form Methods Syst Des 15(1):7–48. Invited submission to FLoC'96 special issue. A preliminary version appears. Alur, Henzinger, 1999.
  Citation context: ...compositional reasoning to verify that a system S satisfies a requirement ϕ typically consists of the following three steps: (1) System Decomposition: partitioning the system S into components M1,...,Mn, (2) Assumption Discovery: finding an environment assumption Ai for each component Mi, and (3) Assumption Checking: verifying that the assumptions Ai are appropriate for proving or disproving the satisfactio...

- [1] Rajamani S, Tasiran S. Alur, Henzinger, et al., 1998.
  Citation context: ...consists of the following three steps: (1) System Decomposition: partitioning the system S into components M1,...,Mn, (2) Assumption Discovery: finding an environment assumption Ai for each component Mi, and (3) Assumption Checking: verifying that the assumptions Ai are appropriate for proving or disproving the satisfaction of ϕ by S. In this paper, we develop a fully automated framework for symbolic composit...

- [1] de Alfaro L, Henzinger T, Mang F. Alur, 1999.
  Citation context: ...[3]), the challenging task of finding the appropriate assumptions is typically left to the user and only a few attempts have been made to automate the assumption generation (in the work of Alur et al. [4], the authors present some heuristics for automatically constructing assumptions using game-theoretic techniques). Organization. The rest of this paper is organized as follows. In Sect. 2, we lay out t...

- [1] Proof rules for automated compositional verification through learning. Barringer, Pasareanu C, Giannakopoulou D, 2003.
  Citation context: ...main problem of compositional reasoning is to identify appropriate assumptions for all the components so that the assumption checking phase will succeed, and one promising solution is based on learning [6, 8, 14, 17, 32]. If a component Mi communicates with its environment via a set IOi of boolean variables, then the assumption Ai can be viewed as a language over the alphabet 2^IOi. The assumption checking constrain...

- [1] Learning deterministic finite automata from smallest counterexamples. Birkendorf, Böker A, Simon H-U, 2000.
  Citation context: ...s they use: (1) a teacher answering membership and equivalence queries [7, 37], and (2) a teacher answering only equivalence queries but she always provides the lexicographically first counterexample [10, 22]. To the best of our knowledge, the best result of the first techniques requires O(|Σ|n^2 + n log m) membership queries and at most n − 1 equivalence queries, where n is the number of states in the tar...

- [1] Learning-based assume-guarantee verification. Giannakopoulou, Pasareanu C, 2005.

- [1] Automated assumption generation for compositional verification. Gupta, McMillan, Fu Z, 2007.
  Citation context: ...verifying properties of partially specified implementations. In addition, Nam and Alur [33] have applied this learning technique to a planning problem under partial observability. Recently, Gupta et al. [20] show how to construct, using a SAT solver, a k-state automaton with the guarantee that the minimal DFA for every language between the lower and upper bounds...

- [1] Chandy K. Misra, 1981.
  Citation context: ...symbolic alphabet clustering and iterative counter-example driven localized partitioning. Compositional reasoning using assume-guarantee rules has a long history in the formal verification literature [1, 2, 19, 21, 23, 29, 31, 34, 36, 40]. While such reasoning is supported by some tools (e.g. MOCHA [3]), the challenging task of finding the appropriate assumptions is typically left to the user and only a few attempts have been made to ...

- [1] Learning plans for safety and reachability goals with partial observability. Nam, Alur R, 2007.
  Citation context: ...states for verifying infinite-state systems, while Peled et al. [35] use learning for black box checking, that is, verifying properties of partially specified implementations. In addition, Nam and Alur [33] have applied this learning technique to a planning problem under partial observability. Recently, Gupta et al. [20] show how to construct, using a SAT solve...

- [1] On the completeness of compositional reasoning. Namjoshi, Trefler R, 2000.
  Citation context: ...symbolic alphabet clustering and iterative counter-example driven localized partitioning. Compositional reasoning using assume-guarantee rules has a long history in the formal verification literature [1, 2, 19, 21, 23, 29, 31, 34, 36, 40]. While such reasoning is supported by some tools (e.g. MOCHA [3]), the challenging task of finding the appropriate assumptions is typically left to the user and only a few attempts have been made to ...

- [1] Black box checking. Peled, Vardi M, Yannakakis M, 2002.
  Citation context: ...could provide an advantage over monolithic verification. The work of Vardhan et al. [41, 42] uses learning to compute the set of reachable states for verifying infinite-state systems, while Peled et al. [35] use learning for black box checking, that is, verifying properties of partially specified implementations. In addition, Nam and Alur [33] have applied this learning technique to a planning problem un...

- [1] Schapire R. Rivest, 1993.
  Citation context: ...with two components, and the other is for an arbitrary number of components. We compute this assumption using the L* algorithm for learning a regular language using membership and equivalence queries [7, 37]. The learning-based approach produces a DFA, and the number of queries made by the learner is only polynomial in the size of the output automaton. The membership query is to test whether a given trac...