Compositional Analysis Using ComponentOriented Interpolation
 509 Downloads
Abstract
We present a novel abstraction technique that exploits the compositionality of a concurrent system consisting of interacting components. It uses, given an invariant and a component of interest, bounded model checking (BMC) to quickly interpolate an abstraction of that component’s environment. The abstraction may be refined by increasing the BMC bound. Furthermore, it is only defined over variables shared between the component and its environment, resulting in an aggressive abstraction with several applications. We demonstrate its use in a verification setting, as we report on our open source implementation in the NuSMV model checker which was used to perform a practical assessment with industriallysized models from satellite case studies of ongoing missions. These models are expressed in a formalized dialect of the componentoriented and industrially standardized Architecture Analysis and Design Language (AADL).
Keywords
Architecture Analysis And Design Language (AADL) Bounded Model Checking (BMC) Industrialsized Models Aggressive Abstraction Ongoing Mission1 Introduction
An earlier work [11] reports on the application of a wide range of model checking techniques for validating a satellite platform of an ongoing mission. This industriallysized model was expressed in a formalized dialect [2] of the Architecture Analysis and Design Language [12]. This AADL dialect is a componentoriented formalism in which components interact through data and event ports (i.e. shared variables). The sheer size of models was particularly visible once failures were injected. The nominal state space of roughly 48 million states exploded by a factor 213563 due to the activation of failure modes and the fault management functionality for handling it. The model checkers used in literature had a hard time on this model. Various techniques have been proposed in literature to cope with similar instances of the infamous state space explosion problem. In the context of this paper, compositional reasoning and interpolation are particularly relevant.
The compositional reasoning technique by [8] was our starting point. It generates a socalled split invariant defined over the system’s global variables for each parallel process. The split invariants are then checked against the property instead of the full composition of processes. It was shown later [15, 18] that this technique, along with Cartesian abstract interpretation [18] and threadmodular verification [13], is conceptually the same as the classical OwickiGries paradigm, but differs in the details. They generally work well for parallel systems where processes communicate over a small set of global variables, i.e. variables that are visible to all processes. In the satellite models, components are highly cohesive through shared variables, as variables of one component are only visible to a handful of other components. The techniques from the OwickiGries paradigm are ineffective here as naively all shared variables would have to be interpreted as global variables, which would make it a nearmonolithic model checking problem again. Another branch of compositional reasoning is the rely/assume guarantee/provide techniques. There is a huge body of work behind this. The most related ones are the automated methods that use learning techniques to generate assumptions [5]. Our work is a twist on this, because instead of learning we use interpolation to generate an environment. That environment can be then viewed as an assumption for which the property of interest may hold. The use of interpolation techniques [9] in model checking was pioneered by McMillan [19]. Also this led to a substantial body of work. To our knowledge, it however has not been cast into a compositional reasoning scheme as we describe in this paper.
Contributions: The contributions of this paper are as follows.

A theory inspired by Craig interpolation that results in an aggressive abstraction of the environment of a component of interest, resulting into a componentoriented interpolant.

A rudimentary (re)verification algorithm that exploits this theory.

An open source implementation of the algorithm in NuSMV 2.5.4 [4].

An evaluation of the theory and implementation using industriallysized models from satellite platform case studies of ongoing missions.
2 Preliminaries
Our work builds upon existing works in satisfiability (SAT) solving, bounded model checking and Craig interpolation. These are discussed in the following.
SAT Solving: Propositional formulae consist of literals, which are Boolean variables (e.g. \(x_1\)) that can be negated (e.g. \(\lnot x_1\)), and are combined by AND (i.e. \(\wedge \)) and OR (i.e. \(\vee \)) operators. They are typically processed from their conjunctive normal form (CNF) where the formula consists of conjuncted clauses (e.g. \((\lnot x_1) \wedge (x_1 \vee \lnot x_2)\)) and each clause is a disjunction of literals (e.g. \((x_1 \vee \lnot x_2)\)). As we can view CNF formulae as a set of clauses, we use the set membership notation to check whether a clause is part of a CNF formulae, e.g. \((x_1 \vee \lnot x_2) \in A\) with \(A\) being a CNF formula. A classical decision problem is whether, given a propositional formula, there exists a satisfying assignment, i.e. a vector of values holding either true (i.e. \(\top \)) or false (i.e. \(\bot \)) for each variable. This is the NPcomplete SAT problem. Yearly competitions have highly stimulated research in this area, progressing modern SATsolvers to handle formulae with thousands of variables in mere seconds. They typically generate the satisfying assignment, denoted as \(\sigma \), as a proof of satisfiability. In case of unsatisfiability, some SATsolvers provide a resolution refutation graph as a proof [19]. An example of a resolution refutation graph is shown in Fig. 2. It is a directed acyclic graph \(G = (V, E)\), where \(V\) is a set of clauses (not necessarily a subset of the original formula). If a vertex \(v \in V\) is a root (there are usually multiple), then it is a clause in the original formula. Otherwise the vertex has exactly two predecessors, \(v_1\) and \(v_2\) of the form \(v_1 = x \vee D\) and \(v_2 = \lnot x \vee D'\). The clause \(v\) is the simplification of \(D \vee D'\) and \(x\) is its pivot variable. There is only one leaf which is the empty clause \(\bot \). The resolution graph reasons how clauses, starting from the root clauses, have pivot variables that can be eliminated, as they contribute to the inconsistency. Once all variables are eliminated, the empty clause \(\bot \) is reached, indicating unsatisfiability.
Bounded Model Checking: Propositional formulae can be used to verify a property (e.g. \(\phi \)) of a model \(M = (I,T)\). The initial condition \(I(\bar{s})\) is a Boolean formula over a finite set of variables, e.g. \(\bar{s} = s_1,\ldots ,s_n\). The set of occurring variables is denoted by the predicate \(var\), e.g. \(var(I) = \{ s_1, \ldots , s_n\}\). Whenever a particular valuation \(\sigma \) of \(\bar{s}\) satisfies \(I\), i.e. \(\sigma (I) = \top \), then \(\sigma \) is an initial state. Multiple distinct initial states may satisfy \(I\). The transition function, denoted as \(T(\bar{s} \times \bar{s}')\), is a propositional function with \(\bar{s} = s_1,\ldots ,s_n\) and \(\bar{s}' = s_1',\ldots ,s_n'\). Note that the cardinalities of \(\bar{s}\) and \(\bar{s}'\) are equal. If for a pair of valuations \(\sigma \) and \(\sigma '\) the transition function holds, i.e. \(\sigma \sigma '(T) = \top \), then \(\sigma '\) is a valid successor state to state \(\sigma \). The initial condition and the transition function are used to compute the reachable states up to a natural bound \(k\) using the formula \(I[\bar{s}/\bar{r}_0] \wedge \bigwedge _{i=1}^k T[\bar{s}/\bar{r}_{i1},\bar{s}'/\bar{r}_i]\). It uses the substitution operator \(T[x/y]\) to denote that all occurrences of \(x\) in \(T\) are substituted by \(y\). We refer to \(I_0 \wedge T_1 \wedge \dots \wedge T_k\) as its simplified notation. An invariant \(\phi \) can be verified by conjuncting its negated unrolling, \(\bigvee _{i=0}^k \lnot \phi [\bar{s}/\bar{r}_i]\), to it. To ease notation, we simply refer to this formula as \(\lnot \phi \). The resulting formula, \(I_0 \wedge \bigwedge _{i=1}^k T_i \wedge \lnot \phi \), can be checked for satisfiability. If it is satisfiable, the satisfying assignment is a counterexample to the invariant. If it is unsatisfiable, then the invariant holds up to bound \(k\), which is denoted by \(M\;\models _k\; \phi \). An outcome w.r.t. the full state space is however inconclusive [1].
Example 1
Interpolation: Our work is heavily inspired by Craig’s seminal result [9].
Theorem 1
(Craig’s Interpolation Theorem). Let \(A\) and \(B\) be formulae of firstorder logic. If \(A \implies B\) holds, then there exists an interpolant \(C\) expressed using the common variables of \(A\) and \(B\), i.e. \(var(C) \subseteq var(A) \cap var(B)\), such that \(A \implies C\) and \(C \implies B\) holds.
A proof of this theorem restricted to propositional logic can be found in [3]. The beauty of this theorem is that the interpolant \(C\) is expressed using a subset of the variables in \(A\). This powerful notion inspired us for developing our compositional reasoning technique.
Note that Craig’s theorem only postulates the existence of an interpolant when \(A \implies B\). This can be verified with a SATsolver. Observe that \(A \implies B\) is equivalent to \(\lnot (A \wedge \lnot B)\). This means its tautology infers the contradiction of \(A \wedge \lnot B\). By Craig’s interpolation theorem it follows that if \(A \wedge \lnot B\) is unsatisfiable, there exists an interpolant \(C\) such that \(A \implies C\) holds and \(C \wedge \lnot B\) is unsatisfiable. Thus in this shape, the unsatisfiability of a formula indicates the existence of an interpolant. It is shown in [20] how an interpolant \(C\) is generated from the resolution refutation proof resulting from the unsatisfiability of \(A \wedge \lnot B\). We use a similar approach to abstract a component’s environment as a transition function.
3 ComponentOriented Interpolation
Our setting is a concurrent system composed of processes (also referred to as components with behavior) using a parallel composition operator. We leverage this composition to reason over its behaviour in a compositional manner. In the upcoming, we will describe our approach in the synchronous case only, i.e. all components transit per global transition. It can however be extended to the asynchronous case (i.e. interleaving transitions) by complementing the asynchronous model with an interleaving scheduler component that regulates which component progresses upon a transition.
Example 2
To this end, let us have a closer look at the sharing of variables in the componentoriented interpolation setting, as it is slightly different from Craig interpolation. In the latter, there are two sets of variables that can be partitioned into three disjoint sets of variables, namely \(var(A)\backslash var(B)\), \(var(B)\backslash var(A)\) and \(var(A) \cap var(B)\). This is shown in Fig. 1a where the sets are respectively denoted as \(\bar{a}\), \(\bar{b}\), \(\bar{c}\). In our componentoriented setting, there are three sets of variables which can be partitioned into seven disjoint sets. See Fig. 1b. Consider any step \(i\) by component \(p\)’s environment, i.e. \(T_i^{\ne p}(\bar{a},\bar{b},\bar{c},\bar{d})\). The remainder environment transition steps are \(T_{\ne i}^{\ne p}(\bar{e},\bar{d},\bar{c},\bar{f})\) and the transition steps by component \(p\) and the property \(\phi \) are \(B(\bar{g},\bar{f},\bar{c},\bar{b})\). The variables of \(I^{\ne p}_0\) are omitted here for clarity and are covered w.l.o.g. by the variables of \(T^{\ne p}_1\).
Example 3
(Variable Sharing in Counter Monitor). Reconsider Eq. (2), the twostep BMC unrolling of the counter monitor (cf. Example 2). The variable partitioning of that unrolling in the Craig interpolation case is: \( \bar{a} = \{ \alpha _2, \beta _2 \}\), \(\bar{b} = \{ \alpha _0, \alpha _1, \beta _0, \beta _1, \gamma _0, \gamma _1, \gamma _2\}\) and \(\bar{c} = \{ \delta _0, \delta _1, \delta _2\}\).
(end of example)
We use the finer grained notion of variable sharing in Fig. 1b to construct componentoriented interpolants by traversing the resolution refutation graph of Eq. (1) for each step \(i\) of component \(p\)’s environment:
Definition 1
If Definition 1 is applied starting from the leaf \(\bot \), one gets a componentoriented interpolant for \(T_i^{\ne p}\).
Example 4
(ComponentOriented Interpolation on Counter Monitor). Consider Fig. 2. As it is an unrolling for two steps, there are partial interpolants for the first and second step, i.e. respectively \(C_v^1\) and a \(C_v^2\). Take for example the upperleft threenode subtree. That is \(v = \lnot \gamma _1\) and its two predecessors as \(v_1 = \alpha _0 \vee \lnot \gamma _1\) and \(v_2 = \lnot \alpha _0\). The pivot is therefore \(\alpha _0\). As we determined earlier in Example 3 that \(\alpha _0\) is in \(\bar{b}\), the partial interpolant of \(v\) for transition step 1 becomes \((\lnot \alpha _0 \wedge C^1_{v_1}) \vee (\alpha _0 \wedge C^1_{v_2})\). Since \(C^1_{v_1} = \bot \) and \(C^1_{v_2} = \top \), this is simplified to \(C^1_v = \alpha _0\). (end of example)
This interpolant is weak enough to preserve the overapproximation from Craig interpolation, i.e. \(T_i^{\ne p} \implies C^i_\bot \). This is captured by the following lemma:
Lemma 1
Proof
Due to paper size constraints, we only provide a proof sketch. The full proof is by induction on the structure of \(C^i_v\) and follows the reasoning in [21]. The base case is trivial to show. For the inductive step, there are three cases, namely that the pivot variable \(x\) of vertex \(v\) is either in \(\bar{b} \cup \bar{c}\) or in \(\bar{a} \cup \bar{d}\) or in \(\bar{g} \cup \bar{f} \cup \bar{e}\). See Fig. 1.
By the definition of the resolution refutation graph, each nonroot vertex has two predecessors \(v_1\) and \(v_2\). It can be shown that regardless of each of the three cases, whenever \(\sigma (C^i_v) = \bot \) either predecessor branch evaluates to false for both the intermediate componentoriented interpolant and the predecessor vertex, e.g. \(\sigma (v_1) = \bot \) and \(\sigma (C^i_{v_1}) = \bot \). Then by induction, Eq. (3) can be concluded. \(\square \)
Contrary to Craig interpolation, we cannot conclude \(\sigma (C^i_v) = \top \implies \exists b \in B\;{:}{:}\; \sigma (b) = \bot \) and thus preserve the unsatisfiability of Eq. (1) using the componentoriented interpolant. It could also be that whenever the componentoriented interpolant evaluates to true, a clause in \(T_{\ne i}^{\ne p}\) evaluates to false. Or that a clause in \(I^{\ne p}\) evaluates to false. In that sense, the componentoriented interpolant is significantly weaker than a Craig interpolant. It is however strong enough for our practical purposes, as is demonstrated later in Sect. 4.
The componentoriented interpolant \(C^i_\bot \) only derives an interpolated environment for transition step \(i\), i.e. \(T^{\ne p}_i \implies C^i_\bot \). By substitution of the occurring variables to current and successorstate variables, it can be used as a transition function for the unbounded case. This holds for each \(1 \le i \le k\). So in general, the following definition and theorem are applicable:
Definition 2
Theorem 2
Proof
This follows from Lemma 1 which shows that \(T^{\ne p}_i \implies C^i_\bot \). As \(var(C^i_\bot ) \subseteq var(T^{\ne p}_i)\), it follows that \(T^{\ne p} \implies C^i_\bot [\bar{r}_{i1}/\bar{s},\bar{r}_i/\bar{s'}]\). By composition of implications of each \(i\), Eq. (4) follows. \(\square \)
Example 5
Applications: Theorem 2 can be applied in several ways. We elaborate on a few possible applications in the following.
Manual inspection for example becomes more feasible. Models as large and complex as the one mentioned in Sect. 1 are laborintensive to analyze manually, yet this is often the pragmatical approach by industry for verifying/validating involved requirements. The interpolated environment of Theorem 2 can support this. Assume one is intimate with a particular (set of) component(s), e.g. the power system. The remainder components can be viewed as a rather unfamiliar environment that can be abstracted in terms of variables shared with the power system. Such an abstraction is significantly smaller and thus eases manual inspection. The abstraction is cheap to compute, as it can be obtained for a bound as small as \(k = 1\), although a larger \(k\) is preferable since this possibly strengthens the accuracy of the environment.
It can also be used as an abstraction method in model checking. Consider the invariant checking case and assume a tractable bound \(k\) for \(M\;\models _k\;\phi \). Yet it is unclear whether it holds beyond the tractable bound \(k\). One can pick a component \(p\) and use Theorem 2 to overapproximate the remainder to \(E^{p}\). Heuristically it is wise to include at least the component directly referred to by \(\phi \) as \(p\), as they directly affect the property of interest. Then the smaller model \((I^p, T^p \wedge E^{p})\) can be subjected to unbounded model checking to verify \(M\; \models \; \phi \). An example of such an algorithm is discussed later in Sect. 4. Note that the transition function \(T^p \wedge E^{p}\) could be too weak. Thus, if a counterexample is found during unbounded model checking, one has to distinguish whether it is a falsenegative due to overapproximation of \(E^{p}\), or whether it is a counterexample that also occurs in the original model. Techniques from CEGAR (counterexample guided abstraction refinement) [7, 10] can be utilized for this. Theorem 2 can also supplement existing CEGAR techniques, as it can generate computationally cheap abstractions.
Partial model reverification is also a suitable application. In monolithic model checking, refinements or changes of the model require a full reverification round. Theorem 2 can speed this up. Assume only a part of the model is changed, for example component \(p\). The unchanged environment can be interpolated from previous verifications. The resulting interpolated environment is smaller in size. Instead of reverifying the full model, the modified component \(p\) and the interpolant of the unchanged environment \(E^{p}\) can be used. Since reverification with the smaller model \((I^p, T^p \wedge E^{p})\) is likely to be faster, as less variables are present, it can be used less reluctantly upon changes to component \(p\), thus providing more direct and continuous feedback during the construction of the model. Note that here overapproximation might cause false counterexamples as well and therefore warrant the use of CEGAR techniques.
4 Evaluation on Satellite Case Studies
We developed a prototype implementation utilizing Theorem 2 in NuSMV 2.5.4 and applied it to industriallysized models of satellite case studies reported in [11]. The resulting data provides an indication of the quality of the abstraction, as well as its effectiveness when used for manual inspection or (re)verification.
Tool Implementation: The prototype implementation is an extension of NuSMV 2.5.4 [4]. We reused NuSMV’s data structures and functionality for representing and handling propositional formulae. The SATsolving was performed by MiniSAT 1.14p. We deliberately chose version 1.14p over newer versions, as it is – at the moment – the only publicly available version that can generate resolution refutation graphs upon unsatisfiability. Additionally, NuSMV has a preexisting integration with MiniSAT which we extended for handling those graphs. The models are expressed in SLIM, a formalized dialect of AADL. We used the SLIMtoSMV translator built in the COMPASS toolset for obtaining their SMV representations [2].
The first model is from the case study reported in [11]. We call it the PDR satellite platform model. It was constructed from the design data available during the satellite’s preliminary design review (PDR). Its global decomposition into subsystems is shown in Fig. 3. The OCS consists of a series of controllable thrusters for orbital corrections. The AOCS is a control system consisting of several kinds of sensors for acquiring and maintaining a correct attitude and orbit. The CDU is the main computer. The EPS consists of solar arrays and batteries for powering the satellite and the TT&C is the radio communication interface for ground control on Earth. The focus of the PDR model is the relation of the system’s nominal behavior, its erroneous behavior (e.g. faults) and the subsequent behaviors resulting from the fault tolerance strategies by the fault management design. Its nominal state space is roughly 48 million states. This number multiplies rapidly when failures are injected, thus activating failure modes and the associated fault management strategies. The case is modeled in our AADL dialect and comprises 3,831 lines of code, not counting comments.
The second model is a refinement of the PDR model. We call it the CDR model. It was crafted from the design data available during the critical design review (CDR) of the same satellite mission. During the CDR, more design details have been decided upon. It is estimated that the amount of design data increased twofold. The CDR model’s nominal behavior state space nevertheless counts 2,341 states thanks to the effective modeling lessons learned from the PDR case study. The CDR model is however more detailed, more complex and more difficult to analyze. Akin to the PDR model, its state space multiplies once failures are injected. It is composed of 6,357 lines of AADL code, not counting comments. A more detailed report of this model is currently being prepared for publication.
Model  Fault injections  Property 

PDR1  Earth sensor failure  Failoperational flag is set 
PDR2  Propulsion failure  AOCS status flags are consistent 
CDR3  Various platform failures  Not in safe mode 
CDR4  (none, i.e. nominal behaviour)  Solar voltage level is consistent 
CDR5  (none, i.e. nominal behaviour)  Not in safe mode 
Comparison Factors: All experiments were run on a Linux 64bits machine equipped with a 2.33 GHz multicore CPU and 32 GB RAM. We set the maximum computation time to 900 s. Our implementation is however singlethreaded. The exploitation of the multiple cores in a multithreaded fashion is future work.
We intended to use NuSMV’s BDDbased verification as the baseline. We however quickly learned that the BDDs were ineffective on both the PDR and CDR model. BDDbased verification was a magnitude slower on PDR configurations than the other techniques we considered (see Table 1). On CDR configurations, the time for constructing the transition functions exceeded the 900 s by far, thus leaving no time for the verification. We therefore omit BDDverification data and decided upon another technique as the baseline.
We used McMillan’s interpolationbased unbounded model checking technique for invariants [20] instead. It starts by \(k\)bounded model checking the property. Then it (Craig) interpolates the first transition step \(C \implies I \wedge T_1\). This interpolant is a weakened characterization of onestep successor states \(\bar{s}_1\). These states are added to \(I\) by variable substitution, i.e. \(I \leftarrow I \vee C[\bar{s}_1/\bar{s}_0]\). The new \(I\) is a characterization of the original initial states and the onestep successor states. It is then used to bounded model check the property up to bound \(k\), thus reaching a search depth of \(k+1\). This is repeated until a fixpoint is reached. A sketch of the algorithm can be found in [20]. It is furthermore also part of Algorithm 1 from lines 5 to 8, which we shall explain shortly after. We implemented the algorithm in NuSMV as there was no preexisting implementation. The interpolation scheme we implemented is by McMillan as well [19] and it has been studied thoroughly for use in this setting [10].
Summary of verification outcome, needed bound \(k\), verification time and peak memory consumption for McMillan’s interpolationbased invariant checking (MCM) and the componentoriented interpolationbased invariant checking (COMP).
Case  Technique  Outcome  Bound  Time (sec)  Mem (Mb) 

PDR1  MCM  Counterexample  3  2.42  95.9 
COMP  Counterexample  3  3.52  111.9  
PDR2  MCM  Counterexample  2  1.77  92.0 
COMP  Counterexample  2  2.28  100.4  
CDR3  MCM  Counterexample  11  486.06  651.0 
COMP  Counterexample  11  338.56  865.5  
CDR4  MCM  Holds  4  7.10  125.7 
COMP  Holds  3  7.00  138.0  
CDR5  MCM  Holds  7  69.20  171.5 
COMP  Holds  3  8.10  137.0 
The results indicate that the CDR model has a higher complexity than the PDR model. This was expected due to the doubling of design details in the CDR design data. The results furthermore indicate that the verification by the componentoriented interpolation method is competitive. This is in particular visible for CDR3 and CDR5, where the computation time is significantly better. The reason for this is the needed bound \(k\). A small \(k\) appears to suffice for a quality abstraction. Note that these measures cannot be trivially generalized. Timings depend heavily on the used SATsolver, in particular on the heuristics it employs, the possibly imposed randomness influenced by the order of clauses, or by the choice of the target system. These factors are inherent to the nature of currentday SATsolvers. The numbers should therefore be interpreted as indications.
As elaborated in Sect. 3, there are other applications for the componentoriented interpolated environment, like manual inspection or partial model reverification. Their algorithms look slightly different from Algorithm 1, but the essential computational steps are there. For manual inspection, the emphasis is on the bounded model checking step (line 2) and componentoriented interpolation (line 3). For reverification on the other hand, the emphasis lies on inner reachability (lines 5–10). To extrapolate the effectiveness of componentoriented interpolation for those two applications, we logged the time spent on parts of Algorithm 1 at each step \(k\). A summary is shown in Fig. 4 for experiment configuration CDR3, which is representative for the other experiment configurations. Note that the yaxis has a logarithmic scale. The bottom line is that the step for constructing the interpolated environment has little impact on the overall running time, as it only takes a fraction of the time spent on bounded model checking and inner reachability. Note that the (most timecostly) bounded model checking step is avoided for partial model reverification, whereas inner reachability is omitted for manual inspection. This is where time is saved for the overall analysis.
5 Related Work
There is a huge body of work on compositional analysis in literature. In the introduction, Sect. 1, we have briefly explained the main differences between our work and what has been reported in literature. We continue this discussion in this section.
Contrary to many works from the OwickiGries paradigm, which often make distinctions between global and local variables, our work fits the shared variables paradigm. Global variables are typical to parallel systems, where multiple (identical) concurrent processes are active at the same time and interact with each others through a small set of global variables. The technique by [7] essentially abstracts and redefines the concurrent processes in terms of those global variables and calls this notion the split invariant. The technique by [13] is similar to that, as well as the technique by [18]. Our work expresses environments in terms of those variables that are shared with other components, thus not requiring a model structure in which global variables are explicitly defined by the user. The shared variable paradigm is therefore a generalization of the global/local variables paradigm.
In this work, we show, so far, how the environments are interpolated using the unsatisfiability proof from bounded model checking of an invariant. This can be extended to a larger class of properties. Akin to [8], where the notion of a process environment is described, the interpolated environments, as it currently is formalized, can also be used to verify safety and liveness properties. In fact, our notion of the interpolated environment was inspired by that. We however foresee that the interpolated environment is not strong enough for verifying liveness properties and that techniques from CEGAR are a necessity here. Particular techniques in this setting are by [8, 17]. As these works were carried out for the global/local variables paradigm, it requires further investigation how these techniques are extendable to the shared variables paradigm. For the moment, Algorithm 1 naively increases the bound \(k\) as a refinement step without checking whether an abstract counterexample is a falsepositive or not.
With regard to rely/assume guarantee/provide reasoning, we remarked in the introduction that the automated approaches are closely related to ours. In [14], a technique based on automata determinization is described to generate weakest assumptions. In subsequent work [5], assumptions are learned using an automaton learning algorithm, like L*. Our work is a twist on this, as we describe a method using Craig interpolation.
Rely/assume guarantee/provide reasoning has also been applied to AADL models, like for example [6]. The scope and semantic base of [6] differs from ours. Our satellite models for example are expressed in a formalized dialect of AADL by [2]. It is designed to provide a rigorous and coherent semantics for a system’s nominal, erroneous and degraded behavior. The work by [6] appears to focus only on the nominal behavior. Furthermore, their approach does not generate assumptions nor guarantuees as we do, but rather provides a toolsupported reasoning framework over them once provided by the user.
Interpolation in model checking has become an active field since the pioneering work by [19]. It has been further studied since, covering applications such as a monolithic abstraction of the transition relation [16], or more theoretical investigations studying the differences in strength of interpolants as a consequence of a chosen interpolation generation scheme [10]. We were inspired by [20] and devised a modified interpolation scheme that is suitable for compositional reasoning that is reported in this paper.
6 Conclusions
We have described and experimentally evaluated a technique for deriving an abstract environment transition condition from a componentoriented model using a Craig interpolationinspired method. We call it the componentoriented interpolant. It particularly fits models where highly cohesive components communicate through shared variables, which is a generalization over the global/local variables setting. To our knowledge it is the first application of interpolationlike techniques to exploit a model’s composition of components.
Through our work, we identified several open points for future work. In particular a study of the componentoriented interpolant’s strength would be interesting. We know from Lemma 1 that the componentoriented interpolant overapproximates, but we do not know how strong it is such that the property still holds up to bound \(k\). This is in contrast to classical Craig interpolation, where its interpolant does have this property. It requires further study to understand how and whether the componentoriented interpolant can be strengthened. Inspiration can be drawn from the strengthening techniques for classical interpolation, where the reordering of vertices in the resolution refutation proof and asymmetric interpolation schemes have been studied for this purpose [10].
Studying the strength of the componentoriented interpolant also benefits its suitability for verifying more expressive properties, like safety and liveness properties. We estimate that the componentoriented interpolation scheme of Definition 2 overapproximates too much for that purpose and thus the straightforward usage of the interpolated environment to safety/liveness properties would yield too many falsepositive counterexamples.
Furthermore, Algorithm 1 in Sect. 4 is open for further investigation. It suffers from double abstraction, because it does not perform an exact inner reachability analysis using the interpolated environment. Exact methods would alleviate that. Especially ones that work in a SATbased context are preferable, because that would avoid the overhead of converting the used datastructures.
We have made our implementation available on http://wwwi2.informatik.rwthaachen.de/~nguyen/coi/ under the LGPL open source license.
Notes
Acknowledgements
This work was partially supported by ESA/ESTEC (contract no. 4000100798), Thales Alenia Space (contract no. 1520014509/01) and EU FP7ICT DMILS (reference 318772).
References
 1.Biere, A., Cimatti, A., Clarke, E., Zhu, Y.: Symbolic model checking without BDDs. In: Cleaveland, W.R. (ed.) TACAS 1999. LNCS, vol. 1579, pp. 193–207. Springer, Heidelberg (1999)CrossRefGoogle Scholar
 2.Bozzano, M., Cimatti, A., Katoen, J.P., Nguyen, V.Y., Noll, T., Roveri, M.: Safety, dependability and performance analysis of extended AADL models. Comput. J. 54(5), 754–775 (2011)CrossRefGoogle Scholar
 3.Buss, S.R.: Propositional proof complexity. In: Berger, U., Schwichtenberg, H. (eds.) Computational Logic. Springer, Heidelberg (1997)Google Scholar
 4.Cimatti, A., Clarke, E., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebastiani, R., Tacchella, A.: NuSMV 2: an opensource tool for symbolic model checking. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 359–364. Springer, Heidelberg (2002)CrossRefGoogle Scholar
 5.Cobleigh, J.M., Giannakopoulou, D., Păsăreanu, C.S.: Learning assumptions for compositional verification. In: Garavel, H., Hatcliff, J. (eds.) TACAS 2003. LNCS, vol. 2619, pp. 331–346. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 6.Cofer, D., Gacek, A., Miller, S., Whalen, M.W., LaValley, B., Sha, L.: Compositional verification of architectural models. In: Goodloe, A.E., Person, S. (eds.) NFM 2012. LNCS, vol. 7226, pp. 126–140. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 7.Cohen, A., Namjoshi, K.S.: Local proofs for global safety properties. Formal Methods Syst. Des. 34(2), 104–125 (2009)CrossRefzbMATHGoogle Scholar
 8.Cohen, A., Namjoshi, K.S.: Local proofs for lineartime properties of concurrent programs. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 149–161. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 9.Craig, W.: Three uses of the HerbrandGentzen theorem in relating model theory and proof theory. J. Symb. Log. 22(3), 269–285 (1957)CrossRefzbMATHMathSciNetGoogle Scholar
 10.D’Silva, V., Kroening, D., Purandare, M., Weissenbacher, G.: Interpolant strength. In: Barthe, G., Hermenegildo, M. (eds.) VMCAI 2010. LNCS, vol. 5944, pp. 129–145. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 11.Esteve, M.A., Katoen, J.P., Nguyen, V.Y., Postma, B., Yushtein, Y.: Formal correctness, safety, dependability and performance analysis of a satellite. In: Proceedings of 34th Software Engineering (ICSE), pp. 1022–1031. IEEE (2012)Google Scholar
 12.Feiler, P.H., Gluch, D.P.: ModelBased Engineering with AADL: An Introduction to the SAE Architecture Analysis & Design Language. AddisonWesley, Upper Saddle River (2012)Google Scholar
 13.Flanagan, C., Qadeer, S.: Threadmodular model checking. In: Ball, T., Rajamani, S.K. (eds.) SPIN 2003. LNCS, vol. 2648, pp. 213–224. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 14.Giannakopoulou, D., Pasareanu, C.S., Barringer, H.: Assumption generation for software component verification. In: Proceedings of 17th Automated Software Engineering (ASE), pp. 3–12. IEEE (2002)Google Scholar
 15.Gupta, A., Popeea, C., Rybalchenko, A.: Threader: a constraintbased verifier for multithreaded programs. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 412–417. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 16.Jhala, R., McMillan, K.L.: Interpolantbased transition relation approximation. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 39–51. Springer, Heidelberg (2005)CrossRefGoogle Scholar
 17.Malkis, A., Podelski, A., Rybalchenko, A.: Threadmodular counterexampleguided abstraction refinement. In: Cousot, R., Martel, M. (eds.) SAS 2010. LNCS, vol. 6337, pp. 356–372. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 18.Malkis, A., Podelski, A., Rybalchenko, A.: Threadmodular verification is Cartesian abstract interpretation. In: Barkaoui, K., Cavalcanti, A., Cerone, A. (eds.) ICTAC 2006. LNCS, vol. 4281, pp. 183–197. Springer, Heidelberg (2006)CrossRefGoogle Scholar
 19.McMillan, K.L.: Interpolation and SATbased model checking. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 1–13. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 20.McMillan, K.L.: Applications of Craig interpolants in model checking. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 1–12. Springer, Heidelberg (2005)CrossRefGoogle Scholar
 21.Nguyen, V.Y.: Trustworthy spacecraft design using formal methods. Ph.D. thesis, RWTH Aachen University, Germany (2012)Google Scholar