Compositional Automata Learning of Synchronous Systems

. Automata learning is a technique to infer an automaton model of a black-box system via queries to the system. In recent years it has found widespread use both in industry and academia, as it enables formal verification when no model is available or it is too complex to create one manually. In this paper we consider the problem of learning the individual components of a black-box synchronous system, assuming we can only query the whole system. We introduce a compositional learning approach in which several learners cooperate, each aiming to learn one of the components. Our experiments show that, in many cases, our approach requires significantly fewer queries than a widely-used non-compositional algorithm such as L ∗ .


Introduction
Automata learning is a technique for inferring an automaton from a black-box system by interacting with it and observing its responses.It can be seen as a game in which a learner poses queries to a teacher -an abstraction of the target system -with the intent of inferring a model of the system.The learner can ask two types of queries: a membership query, asking if a given sequence of actions is allowed in the system; and an equivalence query, asking if a given model is correct.The teacher must provide a counter-example in case the model is incorrect.In practice, membership queries are implemented as tests on the system, and equivalence queries as conformance test suites.
The original algorithm L * proposed by Dana Angluin in 1987 [3] allowed learning DFAs; since then it has been extended to a variety of richer automata models, including symbolic [5] and register [7,26] automata, automata for ωregular languages [4], and automata with fork-join parallelism [18], to mention recent work.Automata learning enables formal verification when no formal model is available and also reverse engineering of various systems.Automata learning has found wide application in both academia and industry.Examples are: the verification of neural networks [31], finding bugs in specific implementations of security [29,12] and network protocols [11], or refactoring legacy software [30].
In this paper we consider the case when the system to be learned consists of several concurrent components that interact in a synchronous way; the components themselves are not accessible, but their number and respective input alphabets are known.It is well-known that the composite state-space can grow exponentially with the number of components.If we use L * to learn such a system as a whole, it will take a number of queries that is proportional to the whole statespace -many more than if we were able to apply L * to the individual components.Since in practice queries are implemented as tests performed on the system (in the case of equivalence queries, exponentially many tests are required), learning the whole system may be impractical if tests take a non-negligible amount of time, e.g., if each test needs to be repeated to ensure accuracy of results or when each test requires physical interaction with a system.
In this work we introduce a compositional approach that is capable of learning models for the individual components, by interacting with an ordinary teacher for the whole system.This is achieved by translating queries on a single component to queries on the whole system and interpreting their results on the level of a single component.The fundamental challenge is that components are not independent: they interact synchronously, meaning that sequences of actions in the composite system are realised by the individual components performing their actions in a certain relative order.The implications are that: (i) the answer to some membership queries for a specific component may be unknown if the correct sequence of interactions with other components has not yet been discovered; and (ii) counter-examples for the global system cannot univocally be decomposed into counter-examples for individual components, therefore some of them may result in spurious counter-examples that need to be corrected later.
To tackle these issues, we make the following contributions: -A compositional learning framework, orchestrating several instances of (an extension of) L * with the purpose to learn models for the individual components from an ordinary monolithic teacher.An adapter transforms queries on single components into queries to the monolithic teacher.-An extension of L * that can deal with unknown membership query results and spurious counter-examples; when plugged into the aforementioned framework, we obtain a learning algorithm for our setting.-An implementation of our approach as a tool Coal based on the state-of-theart automata learning library LearnLib [22], accompanied by a comprehensive set of experiments: for some of the larger systems, our approach requires up to six orders of magnitude fewer membership queries and up to ten times fewer equivalence queries than L * (applied to the monolithic system).
The rest of this paper is structured as follows.We introduce preliminary concepts and notation in Section 2. Our learning framework is presented in Section 3. Section 4 discusses the details of our implementation and the results of our experiments.Related work is highlighted in Section 5 and Section 6 concludes.

Preliminaries
Notation and terminology.We use Σ to denote a finite alphabet of action symbols, and Σ * to denote the set of finite sequences of symbols in Σ, which we call traces; we use ϵ to denote the empty trace.Given two traces s 1 , s 2 ∈ Σ * , we denote their concatenation by s 1 • s 2 ; for two sets S 1 , S 2 ⊆ Σ * , S 1 • S 2 denotes element-wise concatenation.Given s ∈ Σ * , we denote by Pref (s) the set of prefixes of s, and by Suff (s) the set of its suffixes; the notation lifts to sets S ⊆ Σ * as expected.We say that S ⊆ Σ * is prefix-closed (resp.suffix-closed ) whenever S = Pref (S) (resp.S = Suff (S)).The projection σ ↾Σ ′ of σ on an alphabet Σ ′ ⊆ Σ is the sequence of symbols in σ that are also contained in Σ ′ .Finally, given a set S, we write |S| for its cardinality.
In this work we represent the state-based behaviour of a system as a labelled transition system.Definition 1 (Labelled Transition System).A labelled transition system (LTS) is a four-tuple L = (S, →, ŝ, Σ), where -S is a set of states, which we refer to as the state space; -→ ⊆ S × Σ × S is a transition relation, which we write in infix notation as s a − → t, for (s, a, t) ∈ →. ŝ ∈ S is an initial state; and -Σ is a finite set of actions, called the alphabet.
We say that L is deterministic whenever for each s ∈ S, a ∈ Σ there is at most one transition from s labelled by a.Some actions in Σ may not be allowed from a given state.We say that an action a is enabled in s, written s a − →, if there is t such that s a − → t.This notation is also extended to traces σ ∈ Σ * , yielding s σ − → t and s σ − →.The language of L is the set of traces enabled from the starting state, formally: From here on, we only consider deterministic LTSs.Note that this does not reduce the expressivity, in terms of the languages that can be encoded.
Remark 1. Languages of LTSs are always prefix-closed, because every prefix of an enabled trace is necessarily enabled.Prefix-closed languages are accepted by a special class of deterministic finite automata (DFA), where all states are final except for a sink state, from which all transitions are self-loops.Our implementation (see Section 4) uses these models as underlying representation of LTSs.
We now introduce a notion of parallel composition of LTSs, which must synchronise on shared actions.

Definition 2. Given n LTSs where
Here a and b are local actions, whereas c is synchronising.Note that, despite L 1 being able to perform c from its initial state s 0 , there is no c transition from (s 0 , t 0 ), because c is not initially enabled in L 2 .First L 2 will have to perform b to reach t 1 , where c is enabled, which will allow L 1 ∥ L 2 to perform c.

⊓ ⊔
We sometimes also apply parallel composition to sets of traces: ∥ i S i is equivalent to ∥ T i , where each T i is a tree-shaped LTS that accepts exactly S i , i.e., L(T i ) = S i .In such cases, we will explicitly mention the alphabet each T i is assigned.This notation furthermore applies to single traces: ∥ i σ i = ∥ i {σ i }.

L * algorithm
We now recall the basic L * algorithm.Although the algorithm targets DFAs, we will present it in terms of deterministic LTSs, which we use in this paper (these are a sub-class of DFAs, see Remark 1).The algorithm can be seen as a game in which a learner poses queries to a teacher about a target language L that only the teacher knows.The goal of the learner is to learn a minimal deterministic LTS with language L. In practical scenarios, the teacher is an abstraction of the target system we wish to learn a model of.The learner can ask two types of queries: Fig. 1 Example 2. Consider the prefix-closed language L over the alphabet Σ = {a, b} consisting of traces where a and b alternate, starting with a; for instance aba ∈ L but abb / ∈ L.An observation table generated by a run of L * targeting this language is shown in Figure 1a.
) denote the function row T (s)(e) = T (s•e) mapping each row of T to its content (we omit the subscript T when clear from the context).The crucial observation is that T approximates the Nerode congruence [28] for L as follows: s 1 and s 2 are in the same congruence class only if row(s 1 ) = row(s 2 ), for s 1 , s 2 ∈ S. Based on this fact, the learner can construct a hypothesis LTS from the table, in the same way the minimal DFA accepting a given language is built via its Nerode congruence: the initial state is row(ϵ); the transition relation is given by row(s) a − → row(s • a), for all s ∈ S and a ∈ Σ.
In order for the transition relation to be well-defined, the table has to satisfy the following conditions: The algorithm is guaranteed to eventually produce a hypothesis H such that L(H) = L, for which an equivalence query will be answered positively, causing the algorithm to terminate.

Learning Synchronous Components Compositionally
In this section, we show how to compositionally learn an unknown system To achieve this, we assume that we are given: (i) a teacher for M ; and (ii) the respective alphabets Σ 1 , . . ., Σ n of M 1 , . . ., M n .To achieve this, we propose the architecture in Figure 2. We have n leaners, which are instances of (an extension of) the L * algorithm, one for each component M i .The instance L * i can pose queries for M i to an adapter, which converts them to queries on M .The resulting yes/no answer (and possibly counter-example) is translated back to information about M i , which is returned to leaner L * i .To achieve this, the adapter moreover choreographs the learners to some extent: before an equivalence query H ? = M can be sent to the teacher, the adapter must first receive equivalence queries H i ?= M i from each learner.We first discuss the implementation of the adapter and show its limitations.To deal with these limitations, we next propose a couple of extensions to L * (Section 3.2).Completeness claims are stated in Section 3.3.Several optimisations are discussed in Section 3.4.Fig. 3: Running example consisting of two LTSs L 1 and L 2 and their parallel composition L. The respective alphabets are {a, c}, {b, c} and {a, b, c}.

Query Adapter
As sketched above, our adapter answers queries on each of the LTSs M i , based on information obtained from queries on M .However, the application of the parallel operator causes loss of information, as the following example illustrates.We will use the LTSs below as a running example throughout this section.
Example 4. Consider the LTSs L 1 , L 2 and L = L 1 ∥ L 2 depicted in Figure 3. Their alphabets are {a, c}, {b, c} and {a, b, c}, respectively.Suppose we sent a membership query bc to the teacher and we receive as answer that bc / ∈ L(L).At this point, we do not have sufficient information to deduce about the respective projections whether bc ↾{a,c} = c / ∈ L(L 1 ) or bc ↾{b,c} = bc / ∈ L(L 2 ) (or both).In this case, only the latter holds.Similarly, if a composite hypothesis H = H 1 ∥ H 2 is rejected with a negative counterexample ccc / ∈ L(L), we cannot deduce whether this is because ccc / ∈ L(L 1 ) or ccc / ∈ L(L 2 ) (or both).Here, however, the former is true but the latter is not, i.e., ccc is not a counter-example for H 2 at all.⊓ ⊔ Generally, given negative information on the composite level (σ / ∈ L(M )), it is hard to infer information for a single component M i , whereas positive information (σ ∈ L(M )) easily translates back to the level of individual components.
We thus need to relax the guarantees on the answers given by the adapter in the following way: 1.Not all membership queries can be answered, the adapter may return the answer 'unknown'.2.An equivalence query for component i can be answered with a spurious counter-example The procedures that implement the adapter are stated in Listing 1.For each 1 ≤ i ≤ n, we have one instance of each of the functions Member i and Equiv i , used by the ith learner to pose its queries.Here, we assume that for each component i, a copy of the latest hypothesis H i is stored, as well as a set P i which contains traces that are certainly in L(M i ).Membership and equivalence queries on M will be forwarded to the teacher via the functions Member (σ) and Equiv (H), respectively.
Membership Queries A membership query σ ∈ L(M i ) can be answered directly by posing σ ∈ L(M ) to the teacher if σ contains only actions local to M i .However, in the case where σ contains synchronising actions, cooperation from other components M j is required.So, during the runtime of the program, for each i we collect traces in a set P i , for which it is certain that P i ⊆ L(M i ).That is, P i contains traces which were returned as positive counter-examples (line 16) or membership queries (line 5).Recall from Section 2 that we can construct tree-LTSs to compute ∥ j̸ =i P j , where each P i has alphabet Σ i .By construction, we have L(∥ j̸ =i P j ) ⊆ L(∥ j̸ =i M j ), and so we have an under-approximation of the behaviour of other components, possibly including some synchronising actions they can perform.If we find in L(∥ j̸ =i P j ) a trace σ ′ such that σ and σ ′ contain the same sequence of synchronising actions (line 2, stored in set Π), we construct an arbitrary interleaving (respecting synchronising actions) of σ and σ ′ and forward it to the teacher (line 4).Such an interleaving is a trace σ int ∈ L(σ ∥ σ ′ ) of maximal length.Note that a σ ′ ∈ Π trivially exists if σ does not contain synchronising actions.If, on the other hand, no such σ ′ exists, we do not have sufficient information on how other LTSs M j can cooperate, and we return 'unknown' (line 7).
Example 5. Refer to the running example in Figure 3. Suppose that the current knowledge about L 2 is H 2 = {ϵ, b}.When Member 1 (c) is called, Π = ∅, because there is no trace σ ′ ∈ P 2 that is equal to c when restricted to {a, c}, therefore unknown is returned.Intuitively, since the second learner has not yet discovered that c or bc (or some other trace containing a c) is in its language, the adapter is unable to turn the query c on L 1 into a query for the composite system.⊓ ⊔ Example 6. Suppose now that cac ∈ P 1 , i.e., we already learned that cac ∈ L(L 1 ).When posing the membership query cbc ∈ L(L 2 ), the adapter finds that cac and cbc contain the same synchronising actions (viz.cc) and constructs an interleaving, for example cabc.The teacher answers negatively to the query cabc ∈ L(L), and thus we learn that cbc / ∈ L(L 2 ).⊓ ⊔ Listing 1: Membership and equivalence query procedures for component i.
Input: Alphabets Σ1, . . ., Σn of the components Data: for each i, the latest hypothesis Hi and a set Pi of traces, initially {ϵ}.Equivalence Queries For equivalence queries, the adapter offers functions Equiv i .To construct a corresponding query on the composite level, we first need to gather a hypothesis H i for each i.Thus, we synchronise all learners in a barrier (line 11), after which a composite hypothesis can be constructed and forwarded to the teacher (lines 12,13).An affirmative answer can be returned directly, while in the negative case we investigate the returned counter-example σ.If σ is a positive counter-example, we add its projection to P i (line 16).By the assumption that σ is shortest 4 , H and M agree on all σ ′ ∈ Pref (σ)\{σ}.Thus, σ only concerns H i if the last action in σ is contained in Σ i .Furthermore, we need to check whether H and H i agree on σ: it can happen that σ ↾Σi ∈ L(H i ) but σ / ∈ L(H) due to other hypotheses not providing the necessary communication opportunities.If both conditions are satisfied (line 17), we return the projection of σ on Σ i (line 18).Otherwise, we cannot conclude anything about H i at this moment and we iterate (line 10).In that case, we effectively wait for other hypotheses H j , with j ̸ = i, to be updated before trying again.A termination argument is provided later in this section.
Example 7. Again considering our running example (Figure 3), suppose the two learners call in parallel the functions Equiv 1 (H 1 ) and Equiv 2 (H 2 ).The provided hypotheses and their parallel composition are as follows: The adapter forwards H = H 1 ∥ H 2 to the teacher, which returns the counterexample cc.The last symbol, c, occurs in both alphabets, but cc ∈ L(H) does not hold and cc ↾Σ2 ∈ L(H 2 ) does, so only Equiv 1 (H 1 ) returns (no, cc).The call to Equiv 2 (H 2 ) hangs in the while loop of line 10 until Equiv 1 is invoked with a different hypothesis.⊓ ⊔ Example 8. Suppose now that the hypotheses and their composition are: When we submit Equiv (H 1 ∥ H 2 ), we may receive the negative counter-example ccc, which is a shortest counter-example.This counter-example does not contain any information to suggest that it only applies to H 1 .It is a spurious counterexample for H 2 , since that should contain the trace ccc.⊓ ⊔

L * extensions
As explained in the previous section, the capabilities of our adapter are limited compared to an ordinary teacher.We thus extend L * to deal with the answer 'unknown' to membership queries and to deal with spurious counter-examples.
Answer 'unknown'.The setting of receiving incomplete information through membership queries first occurred in [15], and is also discussed in [24].Here we briefly recall the ideas of [15].To deal with partial information from membership queries, the concept of an observation table is generalised such that the function T : (S ∪ S • Σ) • E → {0, 1} is a partial function, that is, for some cells we have no information.Based on T , we now define the function row : S ∪ S • Σ → E → {0, 1, ?} to fill the cells of the table: row T (s)(e) = T (se) if T (se) is defined and ?otherwise.We refer to '?' as a wildcard ; its actual value is currently unknown and might be learned at a later time or never at all.To deal with the uncertain nature of wildcards, we introduce a relation ≈ on rows, where row (s 1 ) ≈ row (s 2 ) iff for every e ∈ E, row (s 1 )(e) ̸ = row (s 2 )(e) implies that row (s 1 )(e) = ?or row (s 2 )(e) = ?.Note that ≈ is not an equivalence relation since it is not transitive.Closedness and consistency are defined as before, but now use the new relation ≈.We say an LTS M is consistent with T iff for all s ∈ Σ * such that T (s) is defined, we have T (s) = 1 iff s ∈ L(M ).As discussed earlier, Angluin's original L * algorithm relies on the fact that, for a closed and consistent table, there is a unique minimal DFA (or, in our case, LTS) that is consistent with T .However, the occurrence of wildcards in the observation table may allow multiple minimal LTSs that are consistent with T .Such a minimal consistent LTS can be obtained with a SAT solver, as described in [19].
Similar to Angluin's original algorithm, this extension comes with some correctness theorems.First of all, it terminates outputting the minimal LTS for the target language.Furthermore, each hypothesis is consistent with all membership queries and counter-examples that were provided so far.Lastly, each subsequent hypothesis has at least as many states as the previous one, but never more than the minimal LTS for the target language.
Spurious Counter-Examples.We now extend this algorithm with the ability to deal with spurious counter-examples.Any negative counter-example σ ∈ L(H i ) might be spurious, i.e., it is actually the case that σ ∈ L(M i ).Since L * excludes σ from the language of all subsequent hypotheses, we might later get the same trace σ, but now as a positive counter-example.In that case, the initial negative judgment from the equivalence teacher was spurious.
One possible way of dealing with spurious counter-examples, is adding to L * the ability to overwrite entries in the observation table in case a spurious counter-example is corrected.However, this may cause the learner to diverge if infinitely many spurious counter-examples are returned.Therefore, we instead choose to add a backtracking mechanism to ensure our search will converge.The pseudo code is listed in Listing 2; we refer to this as L * ?,b (L * with wildcards and backtracking).
We have a mapping BT that stores backtracking points; BT is initialised to the empty mapping (line 1).Lines 5-11 ensure the observation table is closed and consistent in the same way as L * , but use the relation ≈ on rows instead.Next, we construct a minimal hypothesis that is consistent with the observations in T (line 12).This hypothesis is posed as an equivalence query.If the teacher replies with a counter-example σ for which T (σ) = 0, then σ was a spurious counterexample, so we backtrack and restore the observation table from just before T (σ) was introduced (line 15).Otherwise, we store a backtracking point for when σ later turns out to be spurious (line 17); this is only necessary if σ is a negative counter-example.Note that not all information is lost when backtracking: the set P i stored in the adapter is unaffected, so some positive traces are carried over after backtracking.Finally, we incorporate σ into the observation table (line 18).When the teacher accepts our hypothesis, we terminate.
We finish this section with an example that shows how spurious counterexamples may be resolved.
Example 9. Refer again to the LTSs of our running example in Figure 3. Consider the situation after proposing the hypotheses of Example 8 and receiving the counter-example ccc, which is spurious for the second learner.
In the next iteration, Member 2 can answer some membership queries, such as cbc, necessary to expand the table of the second learner.This is enabled by the fact that P 1 contains cc from the positive counter-example of Example 7 (line 2 of Listing 1).The resulting updated hypotheses are as follows.
The projection on Σ 2 is ccc, which directly contradicts the counter-example received in the previous iteration.This spurious counter-example is thus repaired by backtracking in the second learner.The invocation of Equiv 1 (H ′ 1 ) by the first learner does not return this counter-example, since H ′ 1 ∥ H ′ 2 and H ′ 1 do not agree on cacc, so the check on line 17 of Listing 1 fails.
Finally, in the next iteration, the respective hypotheses coincide with L 1 and L 2 and both learners terminate.⊓ ⊔

Correctness
As a first result, we show that our adapter provides correct information on each of the components when asking membership queries.This is required to ensure that information obtained by membership queries does not conflict with counterexamples.Proofs are omitted for space reasons.
Theorem 1. Answers from Member i are consistent with L(M i ).
Before presenting the main theorem on correctness of our learning framework, we first introduce several auxiliary lemmas.In the following, we assume n instances of L * ?,b run concurrently and each queries the corresponding functions Member i and Equiv i , as per our architecture (Figure 2).First, a counter-example cannot be spurious for all learners; thus at least one learner obtains valid information to progress its learning.
Lemma 1.Every counter-example obtained from Equiv (H) is valid for at least one learner.
The next lemma shows that even if a spurious counter-example occurs, this does not induce divergence, since it is always repaired by a corresponding positive counter-example in finite time.
Lemma 2. If Equiv (H) always returns a shortest counter-example, then each spurious counter-example is repaired by another counter-example within a finite number of invocations of Equiv (H), the monolithic teacher.
Our main theorem states that a composite system is learned by n copies of L * ?,b that each call our adapter (see Figure 2).
Theorem 2. Running n instances of L * ?,b terminates, and on termination we have Remark 2. We cannot claim the stronger result that H i = M i for all i, since different component LTSs can result in the same parallel composition.For example, consider the below LTSs, both with alphabet {a}: Here we have The equivalence oracle thus may also return yes even when the component LTSs differ slightly.

Optimisations
There are a number of optimisations that can dramatically improve the practical performance of our learning framework.We briefly discuss them here.First, finding whether there is a trace σ ′ ∈ Π (line 2 of Listing 1) can quickly become expensive once the sets P i grow larger.We thus try to limit the size of each P i without impacting the amount of information it provides on the synchronisation opportunities offered by component M i .Therefore, when we derive that σ ∈ L(M i ), we only store the shortest prefix ρ of σ such that ρ and σ contain the same synchronising actions.That is, σ = ρ • ρ ′ and ρ ′ contains only actions local to M i .Furthermore, we construct ∥ j̸ =i P j only once after each call to Equiv i and we cache accesses to ∥ j̸ =i P j , such that it is only traversed once when performing multiple queries σ 1 , σ 2 for which it holds that σ 1 ↾Σ other = σ 2 ↾Σ other .A possibility that we have not explored is applying partial-order reduction to eliminate redundant interleavings in ∥ j̸ =i P j .
Since the language of an LTS is prefix-closed, we can -in some casesextend the function T that is part of the observation table without performing membership queries.Concretely, if T (σ) = 0 then we can set T (σ

Experiments
We created an experimental implementation of our algorithms in a tool called Coal (COmpositional Automata Learner) [27], implemented in Java.It relies on LearnLib [22], a library for automata learning, which allows us to re-use standard data structures, such as observation tables, and compare our framework to a state-of-the-art implementation of L * .To extract a minimal LTS from an observation table, we first attempt the inexact blue-fringe variant of RPNI [20] (as implemented in LearnLib).If this does not result in an LTS that is minimal, we resort to an exact procedure based on a SAT translation; we use the Z3 solver [10].
Our experiments are run on a machine with an Intel Core i3 3.6GHz, with 16GB of RAM, running Ubuntu 20.04.For each experiment, we use a time-out of 30 minutes.

Random Systems
We first experiment with a large number of composite systems where each of the component LTSs is randomly generated.This yields an accurate reflection of actual behavioural transition systems [16].Each component LTS has a random number of states between 5 and 9 (inclusive, uniformly distributed) and a maximum number of outgoing edges per state between 2 and 4 (inclusive, uniformly distributed).
We assign alphabets to the components LTSs in five different ways that reflect real-world communication structures, see edges, where n is the number of components, each consisting of one action; we furthermore ensure the random graph is connected.
For our five communication structures, we create ten instances for each number of components between 4 and 9; this leads to a total benchmark set of 300 LTSs.Out of these, 47 have more than 10,000 states, including 12 LTSs of more than 100,000 states.The largest LTS contains 379,034 states.Bipartite often leads to relatively small LTSs, due to its high number of synchronising actions.On each LTS, we run the classic L * algorithm and Coal, and record the number of queries posed to the teacher. 5The result is plotted in Figure 5; note the log scale.Here, marks that lie on the dashed line indicate a time-out or out-of-memory for one of the two algorithms.
Coal outperforms the monolithic L * algorithm in the number of membership queries for all cases (unless it fails).In more than half of the cases, the difference is at least three orders of magnitude; it can even reach six orders of magnitude.For equivalence queries, the difference is less obvious, but our compositional approach scales better for larger systems.This is especially relevant, because in practice implementations equivalence queries may require a number of membership queries that is exponential in the size of the system.Multiparty communication systems benefit most from compositional learning.The number of spurious counter-examples that occurs for these models is limited: about one on average.Only twelve models require more than five spurious counterexamples; the maximum number required is thirteen.This is encouraging, since even for this varied set of LTSs the amount of duplicate work performed by Coal is limited.

Realistic Systems
Next, we investigate the performance of Coal on two realistic systems that were originally modelled as a Petri net.These Petri nets can be scaled according to some parameters to yield various instances.The ProdCons system models a buffer of size K that is accessed by P producers and C consumers; it is described in [32, Fig. 8].The CloudOpsManagement net is obtained from the 2019 Model Checking Contest [2], and describes the operation of C containers and operating systems and W application runtimes in a cloud environment.Furthermore, we scale the number N of application runtime components.We generate the LTS that represents the marking graph of these nets and run L * and Coal; the results are listed in Table 1.For each system, we list the values of scaling parameters, the number of components and the number of states of the LTS.For Coal and L * , we list the runtime and the number of membership and equivalence queries; for Coal we also list the number of spurious counter-examples (column spCE).
The results are comparable to our random experiments: Coal outperforms L * in number of queries, especially for larger systems.For the two larger CloudOps-Management instances, the increasing runtime of Coal is due to the fact that two of the components grow as the parameter W increases.The larger number of states causes a higher runtime of the SAT procedure for constructing a minimal LTS.
We remark that in our experiments, the teacher has direct access to the LTS we aim to learn, leading to cheap membership and equivalence queries.Thus, in this idealised setting, L * incurs barely any runtime penalty for the large number of queries it requires.Using a realistic teacher implementation would quickly cause time-outs for L * , making the results of our experiments less insightful.

Related Work
Finding ways of projecting a known concurrent system down into its components is the subject of several works, e.g., [8,17].In principle, it would be possible to learn the system monolithically and use the aforementioned results.However, as shown in Section 4, this may result in a substantial query blow-up.
Learning approach targeting various concurrent systems exist in the literature.As an example of the monolithic approach above, the approach of [6] learns asynchronously-communicating finite state machines via queries in the form of message sequence charts.The result is a monolithic DFA that is later broken down into components via an additional synthesis procedure.This approach thus does not avoid the exponential blow-up in queries.Another difference with our work is that we consider synchronous communication.
Another monolithic approach is [18], which provides an extension of L * to pomset automata.These automata are acceptors of partially-ordered multisets, which model concurrent computations.Accordingly, this relies on an oracle capable of processing pomset-shaped queries; adapting the approach to an ordinary sequential oracle -as in our setting -may cause a query blow-up.
A severely restricted variant of our setting is considered in [13], which introduces an approach to learn Systems of Procedural Automata.Here, DFAs representing procedures are learned independently.The constrained interaction of such DFAs allows for deterministically translating between component-level and system-level queries, and for univocally determining the target of a counterexample.Our setting is more general -arbitrary (not just pair-wise) synchronisations are allowed at any time -hence these abilities are lost.
Two works that do not allow synchronisation at all are [23,25].In [23] individual components are learned without any knowledge of the component number and their individual alphabets, however components cannot synchronise (alphabets are assumed to be disjoint).This is a crucial difference with our approach, which instead has to deal with unknown query results and spurious counterexamples precisely due to the presence of synchronising actions.An algorithm for learning Moore machines with decomposable outputs is propose in [25].This algorithm spawns several copies of L * , one per component.This approach is not applicable to our setting, as we do not assume decomposable output and allow dependencies between components.
Other approaches consider teachers that are unable to reply to membership queries [1,14,15,24]; they all use SAT-based techniques to construct automata.The closest works to ours are: [24], considering the problem of compositionally learning a property of a concurrent system with full knowledge of the components; and [1], learning an unknown component of the serial composition of two automata.In none of these works spurious counter-examples arise.

Conclusion
We have shown how to learn component systems with synchronous communication in a compositional way.Our framework uses an adapter and a number of concurrent learners.Several extensions to L * were necessary to circumvent the fundamental limitations of the adapter.Experiments with our tool Coal show that our compositional approach offers much better scalability than a standard monolithic approach.
In future work, we aim to build on our framework in a couple of ways.First, we want to apply these ideas to all kinds of extensions of L * such as TTT [21] (for reducing the number of queries) and algorithms for learning extended finite state machines [7].Our expectation is that the underlying learning algorithm can be replaced with little effort.Next, we want to eliminate the assumption that the alphabets of individual components are known a priori.We envisage this can be achieved by combining our work and [23].
We also would like to explore the integration of learning and model-checking.A promising direction is learning-based assume-guarantee reasoning, originally introduced by Cobleigh et.al. in [9].This approach assumes that models for the individual components are available.Using our approach, we may be able to drop this assumption, and enable a fully black-box compositional verification approach.

Fig. 5 :
Fig. 5: Performance of L * and compositional learning on random models.
Consider the left two LTSs below with the respective alphabets {a, c} and {b, c}.Their parallel composition is depicted on the right.
: A closed and consistent observation table and the LTS that can be constructed from it.
* , a finite, suffix-closed set E ⊆ Σ * , and a function T : (S ∪ S • Σ) • E → {0, 1}.The function T can be seen as a table in which rows are labelled by traces in S ∪ S • Σ, columns by traces in E, and cells T (s • e) contain 1 if s • e ∈ L and 0 otherwise.

Table 1 :
Performance of Coal and L * for realistic composite systems.