An Improvement of Minimized Assumption Generation Method for Component-based Software Verification Pham Ngoc Hung Viet-Ha Nguyen University of Engineering and Technology Vietnam National University, Hanoi 144 Xuan Thuy, Cau Giay, Hanoi, Vietnam {hungpn, hanv}@vnu.edu.vn Abstract—The minimized assumption generation has been recognized as an improved method of the assume-guarantee verification for generating minimal assumptions This method is not only fitted to component-based software but also has a potential to solve the state space explosion problem in model checking However, the computational cost for generating the minimal assumption is very high so the method is difficult to be applied in practice This paper presents an optimization as a continuous work of the minimized assumption generation method in order to reduce the complexity of the method The key idea of this method is to find a smaller assumption in a sub-tree of the search tree containing the candidate assumptions using the depth-limited search strategy With this approach, the improved method can generate smaller assumptions with a lower computational cost and consumption memory than the minimized method The generated assumptions are also effective for rechecking the systems at much lower computational cost in the context of software evolution We have implemented a tool supporting the improved method Experimental results are also presented and discussed I I NTRODUCTION The assume-guarantee verification method proposed in [3], [4] has been recognized as a promising, incremental and fully automatic fashion for verifying component-based software (CBS) by model checking [2] This method decomposes a verification target about a CBS into smaller parts corresponding to the individual components such that we can model check each of them separately Thus, the method has a potential to deal with the state space explosion problem in model checking The key idea of this method is to generate an assumption such that it is strong enough for the component to satisfy a required property and weak enough to be discharged by the rest of the system In order to generate such assumption, the method uses a learning algorithm named L* [1], [9] for learning regular languages However, the L* learning algorithm often terminates before reaching this point and returns the first assumption that satisfies the requirements of the verification For instance, given a simple CBS made up of two components M1 and M2 , the method proposed in [3], [4] generates an assumption A(p) satisfying the following formulas (called assume-guarantee rules): A(p) M1 p and true M2 A(p) In fact, there Toshiaki Aoki Takuya Katayama School of Information Science Japan Advanced Institute of Science & Technology 1-1 Asahidai, Nomi, Ishikawa 923-1292 Japan {toshiaki, katayama}@jaist.ac.jp exists many candidate assumptions satisfying the assumeguarantee rules (e.g., M2 is a candidate assumption) The problem is how to find a minimal assumption from these candidate assumptions because the computational cost for assumeguarantee verification of the CBS almost depends on the size of the generated assumption Moreover, when a component is evolved in the context of the software evolution, we can recheck the evolved CBS effectively by reusing the generated assumption with a smaller size [6] These observations imply that the sizes of the generated assumptions are of primary importance and it should be minimized Furthermore, the assumptions generated by the assume-guarantee verification method proposed in [3], [4] are not minimal [5] The minimized assumption generation method proposed in [5] focuses on solving the above problem by considering the candidate assumptions as a search tree and finding a minimal assumption using the breadth-first search strategy However, the complexity of this method is very high because it finds the minimal assumption in the whole search tree containing all possible candidate assumptions As a result, the minimized assumption generation method is unpractical for verifying CBS In this method, the size of a candidate assumption corresponds to it’s depth in the search tree Moreover, the assume-guarantee verification method is only effective when the size of the generated assumption is less than the size of the component M2 (i.e., |A(p)| < |M2 |) Thus, we only need to find an assumption with it’s size less than |M2 | This paper presents an improved method for optimizing the minimized assumption generation method proposed in [5] in order to reduce the complexity of the method In this method, instead of using the breadth-first search strategy in the whole search space of observation tables as a search tree, we use the depth-limited search (DLS) for finding an assumption in a sub-tree of the search tree with the maximum depth dmax = |M2 | With this approach, the improved method can generate smaller assumptions with a lower computational cost and consumption memory than the minimized method Although the assumptions generated by the improved method may not minimal in some cases, they have smaller sizes 978-1-4673-0309-5/12/$31.00 ©2012 IEEE than the sizes of the assumptions generated by the assumeguarantee verification method proposed in [3], [4] As a result, the generated assumptions are also effective for rechecking the whole systems at much lower computational cost in the context of software evolution [6] The rest of this paper is organized as follows We first describes the L*-based assumption generation method in Section II Section III introduces our previous work about minimized assumption generation method We present an optimization of the minimized assumption generation method in Sect IV Section V shows experimental results and discussion Finally, we conclude the paper in Sect VI II L*-BASED A SSUMPTION G ENERATION M ETHOD The assume-guarantee paradigm is a powerful “divide-andconquer” mechanism for decomposing a verification target of a CBS system into smaller parts corresponding to the individual components such that we can check each of them separately Consider a simple case where a CBS system is made up of two components including a framework M1 and an extension M2 The goal of this method is to verify whether this system satisfies a property p without composing M1 with M2 For this purpose, an assumption A(p) is generated [3] by applying the L* learning algorithm such that A(p) is strong enough for M1 to satisfy p but weak enough to be discharged by M2 (i.e., the assume-guarantee rules both hold) If we can find a such assumption, this system satisfies p For the described purpose, this method applies the assumeguarantee rules in an iterative fashion illustrated in Fig At each iteration i, a candidate assumption Ai is produced based on some knowledge about the system and the results of the previous iterations The two steps of the assume-guarantee rules are then applied Step checks whether M1 satisfies p in an environment that guarantees Ai by computing the formula Ai M1 p If the result is f alse, it means that this candidate assumption is too weak for M1 to satisfy p The candidate assumption Ai therefore must be strengthened with the help of the produced counterexample cex Otherwise, the result is true In this case, Ai is strong enough for the property to be satisfied Then the step is applied for checking whether the component M2 satisfies Ai by computing the formula true M2 Ai If this step returns true, the property p holds in the Fig A counterexample proves that the assumptions generated in [3] are not minimal compositional system M1 M2 and the algorithm terminates Otherwise, this step returns f alse In this case, a further analysis is required to identify whether p is indeed violated in M1 M2 or the candidate Ai is too strong to be satisfied by M2 Such analysis is based on the produced counterexample cex For the purpose, the L* algorithm must check whether the counterexample cex belongs to the unknown language U = L(AW ) If it does not, the property p does not hold in the system M1 M2 Otherwise, Ai is too strong for M2 to satisfy The consequence of this is the candidate assumption Ai must be weakened (i.e., behaviors must be added with the help of cex) in the next iteration i + A new candidate assumption may of course be too weak, and therefore the entire process must be repeated III M INIMIZED A SSUMPTION G ENERATION M ETHOD As mentioned in Sect I, given a simple CBS system containing two components M1 and M2 , the assume-guarantee verification method proposed in [3], [4] is only effective for checking the system when the size of the generated assumption is less than the size of the component M2 Thus, the size of the generated assumptions should be minimized However, the assumptions generated by the method proposed in [3], [4] are not minimal Figure shows a counterexample to witness this fact In this counterexample, given two component models M1 (Input) and M2 (Output), and a required property p, the method proposed in [3] generates the assumption A(p) which has five states, whereas there is a smaller assumption with it’s size is two states This section presents our previous work proposed in [5] in order to generate minimal assumptions for assume-guarantee verification of component-based software A Answering Membership Queries We use the L* algorithm for learning the language of the weakest assumption AW over the alphabet Σ = (αM1 ∪ αp) ∩ αM2 [4] and produces a DFA that accepts it in order to generate an assumption that satisfies the assume-guarantee rules For this purpose, L* builds an observation table (S, E, T ) where S and E are a set of prefixes and suffixes respectively, both over Σ∗ T is a function which maps (S ∪ S.Σ).E to {true, f alse}, where the operator “.” is defined as follows Definition 1: (Operation “.”) Given two sets of event sequences P and Q, P Q = {pq | p ∈ P, q ∈ Q}, where pq presents the concatenation of the event sequences p and q Fig An iterative fashion for L*-based assumption generation Fig The reason shows why the assumptions generated in [3] are not minimal The function for answering membership queries used in the method proposed in [3] is defined as follows Definition 2: (Function for answering membership queries) Given an observation table (S, E, T ), T is a function which maps (S ∪ S.Σ).E to {true, f alse} such that for any string s ∈ (S ∪ S.Σ).E, T (s) = true if s ∈ L(AW ), and f alse otherwise We find out the reason why the assumptions generated by the method in [3] are not minimal shown in Fig Let s be a sequence of actions, A(p) be the assumption generated by the method in [3], and L(Am (p)) be the minimized assumption being learned In the case where s ∈ L(AW ) but s ∈ L(Am (p)), the method sets T (s) to true (in this case, T (s) should be f alse) It means that if s ∈ L(AW ), then we not know whether s belongs to the language being learned The consequence of this is the assumption generated A(p) contains such strings/traces which not belong to the language of the minimized assumption being learned In order to solve the above problem, we use a new value as “don’t know” value denoted “?” to represent the value of T (s) in such cases We define an improved technique for answering membership queries as follows For the purpose to generate a minimal assumption, the L* learning algorithm builds an observation table (S, E, T ) T is a function which maps (S ∪ S.Σ).E to {true, f alse, “?”} The “don’t know” value means that for each string s ∈ (S ∪ S.Σ).E, even if s ∈ L(AW ), we not know whether s belongs to the language of the assumption being learned This function is defined as follows Definition 3: (Improved function for answering membership queries) Given an observation table (S, E, T ), T is a function which maps (S ∪ S.Σ).E to {true, f alse, “?”} such that for any string s ∈ (S ∪ S.Σ).E, if s is the empty string (s = λ) then T (s) = true, else T (s) = f alse if s ∈ / L(AW ), and “?” otherwise B Minimal Assumption Generation The purpose of the minimized assumption generation method is to find an assumption where it has a smallest size that satisfies the assume-guarantee rules in a search space This search space is seen as a search tree containing observation tables Such observation tables are used to generate the candidate assumptions The root of this search tree is the initial observation table corresponding the strongest candidate assumption We use the breadth-first search strategy because this strategy ensures that the generated assumption is minimal [5] This method is an improvement of the L*based assumption generation method proposed in [3], [4] With the approach, the minimized method can generate minimal assumptions which have the smallest sizes and smaller num- Fig The initial observation table and one of its instances Fig The generated candidate assumptions bers of transitions than the assumptions generated by the L*based assumption generation method proposed in [3] These minimal assumptions generated by the proposed method can be used to recheck the whole CBS by checking the assumeguarantee rules at much lower computational costs, specially in the context of software evolution Details of the algorithm for generating minimal assumptions of this method and it’s characteristics can be found in [5] Example 1: Given M1 , M2 , and the required property p shown in Fig 2, the Algorithm proposed in [5] starts to generate a minimal assumption from the initial observation table presented in Fig At the first iteration, the algorithm produces A1 shown in Fig as a candidate minimal assumption The step is applied and the procedure Step1(A1 ) fails with a counterexample cex = send ack A suffix e = ack is added to E1 for producing the next candidate assumption A2 presented in Fig This candidate satisfies both steps in the algorithm (i.e., Step1(A2 ) and Step2(A2 ) return true) Therefore, the proposed algorithm terminates and returns A2 as the minimal assumption IV I MPROVEMENT OF THE M INIMIZED A SSUMPTION G ENERATION M ETHOD Consider again the simple case where a system is made up of two components including a framework M1 and an extension M2 Our goal is to verify whether this system satisfies a required property p without composing M1 with M2 For this purpose, the algorithm proposed in [5] generates a minimal assumption which satisfies the assume-guarantee rules by using the breadth-first search strategy in a search tree The algorithm uses a queue data structure which contains the generated observation tables with the first-in first-out order However, the queue holds an exponentially growing of the number of the observation tables because the algorithm tries to explore all possible candidate assumptions As a result, the method is difficult to be applied in practice In order to reduce the complexity of the method, we replace the breadth-first search with the depth-limited search (DLS) as an improved algorithm named DLS(dmax) for generating an assumption which satisfies the assume-guarantee rules In the algorithm shown in Algorithm 1, the size of a candidate assumption corresponds to it’s depth in the search tree Moreover, the assume-guarantee verification method is only effective when the size of the generated assumption is less than the size of the component M2 Thus, instead of finding an assumption in the whole search space of observation tables as a search tree, the algorithm only finds an assumption in a sub-tree of the search tree with the maximum depth dmax = |M2 | We use a stack data structure which contains the generated observation tables with the last-in first-out order for implementing the depth-limited search strategy These observation tables are used for generating the candidate assumptions Only a path from the root of the search tree (i.e., the initial observation table named OT0 ) to the current instance has to be kept in the stack s Thus, the improved algorithm can use a much lower consumption memory than the minimized method proposed in [5] The improved algorithm DLS(dmax) returns an assumption A(p) with a smaller size than the size of the assumption generated in [3] if M1 M2 satisfies p It returns a counterexample cex if M1 M2 violates p Otherwise, it returns a value named notf ound to show that DLS(dmax) cannot find any assumption in the search space with the depth limit dmax In this case, the assume-guarantee approach is not effective for verifying the system At the beginning of the algorithm, the stack s is set as the empty stack initially (line 1) The algorithm then puts the initial observation table OT0 = (S0 , E0 , T0 ) into the top of the stack s as the root of the search space containing the observation tables, where S0 = E0 = {λ} (λ represents the empty string) (line 2) We also set the depth of OT0 to (line 3) The algorithm iterates the entire process for finding an assumption by looping from line to line 43 until the stack s is empty or an assumption is generated or a counterexample is found At the beginning of the loop, the algorithm gets an observable table OTi from the top of the stack s (line 5) If the depth of OTi is greater than the depth limit dmax, the algorithm terminates and returns the value notf ound to show that we cannot find an assumption in the search space with the depth limit dmax (line 41) Otherwise, we check that whether OTi contains the “don’t know” value “?” (line 7) If this is so, we compute all instances of OTi as it’s children in the search tree by replacing all “?” entries in OTi with both true and f alse (line 8) The obtained instances then are put into the top of the stack s (line 9) and their depth is set to depth(OTi ) + (line 10) In the case where the observable table OTi does not contain the “?” value (line 12), if OTi is not closed (line 13) then OTi is updated to be closed by calling the procedure named make closed(OTi ) (line 14) The obtained closed table OT then is put into the top of s (line 15) and it’s depth is set to depth(OTi ) + (line 16) If OTi which is gotten from top of s is closed (line 17), a candidate assumption Ai is generated from OTi (line 18) In this case, we have to check whether the generated Ai satisfies the assume-guarantee rules For this purpose, the step is applied by calling the procedure named Step1(Ai ) for checking whether Ai is strong enough for M1 to satisfy p by computing the formula Ai M1 p If Step1(Ai ) fails with a counterexample cex (line 19) then Ai is too weak for M1 to satisfy p As a result, Ai is strengthened by adding a suffix Algorithm DLS(dmax) Input: dmax: the given depth limit for the depth-limited search Output: A(p) or cex or notf ound 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: Initially, s = empty {s is an empty stack} s.push(OT0 ) {putting OT0 into the top of s, where OT0 = (S0 , E0 , T0 ), S0 = E0 = {λ}, and λ is denoted to the empty string} depth(OT0 ) = while s = empty OTi = s.pop() {getting OTi from the top of s} if depth(OTi ) ≤ dmax then if OTi contains “?” value then for each instance OT of OTi s.push(OT ) {putting OT into the top of s} depth(OT ) = depth(OTi ) + end for else if OTi is not closed then OT = make closed(OTi ) s.push(OT ) {putting OT into the top of s} depth(OT ) = depth(OTi ) + else construct a candidate DFA Ai from the closed OTi if Step1(Ai ) fails with cex then add the suffix e of the counterexample cex to Ei OT = update(OTi ) s.push(OT ) {putting OT into the top of s} depth(OT ) = depth(OTi ) + else if Step2(Ai ) fails with cex then if cex witnesses violation of p then return cex else add the suffix e of the counterexample cex to Ei OT = update(OTi ) s.push(OT ) {putting OT into the top of s} depth(OT ) = depth(OTi ) + end if else return Ai end if end if end if end if else return notf ound end if end while e of cex that witnesses a difference between L(Ai ) and the language of the assumption being learned to Ei of the table OTi (line 20) The consequence of this task is the table OTi must be updated by calling the procedure named update(OTi ) (line 21) The updated table OT then is put into the top of s (line 22) and it’s depth is set to depth(OTi ) + (line 23) In the case where Step1(Ai ) returns true (line 24), the generated Ai is strong enough for M1 to satisfy the required property p The step is then applied for checking whether Ai is week enough to be discharged by M2 by computing the formula true M2 Ai If Step2(Ai ) fails with a counterexample cex (line 25), a further analysis is required to identify whether p is indeed violated in the compositional system M1 M2 or Ai is too strong to be satisfied by M2 Such analysis is based on the obtained counterexample cex If cex witnesses the violation of p in the system M1 M2 (line 26), the algorithm terminates and returns cex (line 27) Otherwise, Ai is too strong to be satisfied by M2 (line 28) In order to deal with this case, the candidate assumption Ai is weakened by adding a suffix e of cex to Ei of the table OTi (line 29) As a result, the table OTi must be updated by calling the procedure update(OTi ) (line 30) The updated table OT from OTi then is put into the top of the stack s (line 31) and it’s depth is set to depth(OTi ) + (line 32) If Step2(Ai ) returns true (line 34) then the property p holds in the compositional system M1 M2 In this case, the algorithm terminates and returns Ai as the generated assumption (line 35) the assumption generated by the minimized method in [5], the obtained experimental results imply that the assumptions generated by the improved method have smaller sizes and number of transitions than the generated ones by the method proposed in [3] In some applied systems, the generated assumptions of the improved method are minimal Moreover, the improved method generates the assumptions with a lower time than the minimized method proposed in [5] (excepting the applied system GOCS ver 5) Specially, in some cases (i.e., GOCS ver 4, I/O ver 3, BS ver 2, and Peterson), the improved method generated the smaller assumptions with lower times whereas the minimized method is “out-of-timeand-patience” or “out-of-memory” This fact is clear to show the effectiveness of the improved method The implemented tool and the applied systems which are used in our experimental results are available at the site http://www.uet.vnu.edu.vn/∼hungpn/IMAGTool/ In order to check the correctness of the assumptions which are generated by the implemented tools, we use the tool for verifying concurrent systems named LTSA [7] In the LTSA tool, for each generated assumption A(p), we check whether A(p) satisfies the assume-guarantee rules For each compositional system, the LTSA tool returns the same result as our verification result for the corresponding system With these obtained results, we can ensure the correctness of the implemented tools V E XPERIMENT AND D ISCUSSION When verifying large-scale CBS, even the behaviors of the software components are very complex, our work only focuses on the observable behaviors of each component This means that the components are seen as black-boxes and we not consider the inside behaviors of these components Thus, the sizes of the models describing behaviors of largescale components are not so great As mentioned above, the minimized assumption generation method proposed in [5] has been recognized as an important optimization of the assumeguarantee verification for generating minimal assumptions These minimal assumptions can be used to recheck the whole system at much lower computational cost, specially in the context of software evolution However, the method is unpractical due to it’s high complexity The improved method presented in this paper is a potential solution to deal with the problem In the experiment shown in Table I, for any applied system, the improved method often produces an assumption with a lower generating time than the minimized method The experimental results are clear to show the limitations of the minimized method In some applied systems, the minimized method is out of memory or runs a long time, while the improved method terminates with a short generating time With this approach, we hope that the improved method is potential for verifying practical CBS However, we did not perform big experiment but we think that this is another issue Moreover, the method proposed in [3] usually generates the assumptions at a lower generating time If we are not interested in the above advantages, the method proposed in [3] is better A Experiment In order to evaluate effectiveness of the improved method, we have implemented the assumption generation method proposed in [3], the minimized assumption generation method proposed in [5], and the improved method in a functional programming language named Objective Caml (OCaml) [8] We tested our method by using several typical systems (i.e., five versions of the gas oven control system (GOCS), the automobile cruise control system (ACCS), three versions of the concurrent Input/Output system (I/O), a version of the banking sub-system (BS), and the Peterson problem) For each system, we compared the improved method with that proposed in [3] and the minimized method in [5] In this experiment, the size, the number of transitions, and the generating time of the generated assumptions are evaluated We not evaluate memory costs in this experiment because the memory complexity of depth-first search (used in the improved method) is always much lower than the breadth-first search (used in the minimized method) Table I shows experimental results for the purpose In the results, the system size is the product of the sizes of the software components and the size of the required property for each applied system The - sign stands for “outof-time-and-patience” (more than one hour of computation) or “out-of-memory” Although the assumptions generated by the improved method may be not minimal assumptions comparing with B Discussion TABLE I E XPERIMENTAL RESULTS Applied Systems GOCS ver GOCS ver GOCS ver GOCS ver GOCS ver ACCS I/O ver I/O ver I/O ver BS ver Peterson Sys Size 180 84 126 180 126 360 18 18 100 1444 1600 Ass Size 11 1 13 13 AG Method Trans Generating of Ass Time (ms) 63 80 20 32 14 11 21 14 11 26 25 102 170 87 190 than our methods for generating assumptions Otherwise, the smaller assumptions generated by the improved method are effective for rechecking the systems with a lower cost in the context of the component evolution [6] However, the generated assumptions by the improved method may not minimal An idea to solve this issue is using the iterative-deepening depth first search This search strategy combines the space efficiency of the depth-first search with the optimality of breadth-first search It proceeds by running a depth-limited depth-first search repeatedly, each time increasing the depth limit by one The assumptions generated by using this search strategy are still minimal We are investigating to implement the idea in order to compare it’s effectiveness with the minimized method Moreover, the improved method only focuses on optimizing the size of the generated assumption With a same alphabet, a minimal assumption with a smallest size does not correspond to the minimal language Instead of focusing on the size, it should be better to focus on the weakness of the language of the generated assumptions VI C ONCLUSION We have presented an improved method for assumeguarantee verification of component-based software in order to reduce the complexity of the minimized assumption generation method proposed in [5] The key idea of the improved method is to find a smaller assumption that satisfies the assumeguarantee rules in a sub-tree of the search tree containing all possible candidate assumptions using the depth-limited search strategy With this approach, the improved method can generate assumptions with a lower computational cost than the minimized method in most cases Moreover, the improved method also uses a smaller consumption memory because it uses the depth-limited search Although the assumptions generated by the improved method may not minimal in some cases, they have smaller sizes than the assumptions generated by the method proposed in [3] As a result, the generated assumptions are useful for rechecking the systems effectively in the context of software evolution We have implemented three tools corresponding to the assumption generation method proposed in [3], the minimized assumption generation method proposed in [5], and the improved method These support tools Minimized AG Method Ass Trans Generating Size of Ass Time (ms) 16 1330 4048 21 13 40 20 19 - Ass Size 2 12 12 Improved MAGM Trans Generating of Ass Time (ms) 16 21 1430 10 14 20 20 30 12 15 28 48 350 47 350 are used to verify some typical component-based software in order to show the effectiveness of the improved method We are continuous to improve our method in order to generate minimal assumptions with a lower cost and applying for some other systems where their sizes are bigger than the sizes of the applied systems in our experiment to show the practical usefulness of the improved method Moreover, the presented methods only focus on checking the CBS systems where their components can be represented by LTSs We are going to apply other specification methods to model behaviors of software components, e.g., modal transition systems (MTSs) Furthermore, the improved method focuses only on optimizing the size of the generated assumptions Instead of focusing on the size, it should be better to focus on the languages of the generated assumptions ACKNOWLEDGMENTS This work is supported by the research project no 102.02– 2010.06 granted by Vietnam National Foundation for Science and Technology Development (Nafosted) R EFERENCES [1] D Angluin, “Learning regular sets from queries and counterexamples”, Information and Computation, vol 75, no 2, pp 87-106, Nov 1987 [2] E M Clarke, O Grumberg, and D Peled, Model Checking, The MIT Press, 1999 [3] J.M Cobleigh, D Giannakopoulou, and C Pasareanu, “Learning assumptions for compositional verification”, Proc 9th TACAS, pp 331–346, Poland, April 2003 [4] D Giannakopoulou, C Pasareanu, and H Barringer, “Assumption generation for software component verification”, Proc 17th IEEE Int Conf on Automated Softw Eng., pp 3–12, Edinburgh, UK, Sept 2002 [5] P N Hung, T Aoki, and T Katayama, “A minimized assumption generation method for component-based software verification”, Proc 6th International Colloquium on Theoretical Aspects of Computing (ICTAC), LNCS 5684, pp 277-291, Springer-Verlag Berlin Heidelberg, Aug 2009 [6] P N Hung and T Katayama, “Modular conformance testing and assumeguarantee verification for evolving component-based software”, Proc 15th Asia-Pacific Softw Eng Conf (APSEC), pp 479–486, IEEE Computer Society, Washington, DC, Dec 2008 [7] J Magee and J Kramer, Concurrency: State Models & Java Programs, John Wiley & Sons, 1999 [8] French national institute for research in computer science and control (INRIA), Objective caml, http://caml.inria.fr/ocaml/index.en.html, 2004 [9] R L Rivest and R E Schapire, “Inference of finite automata using homing sequences”, Information and Computation, vol 103, no 2, pp 299-347, April 1993  ... great As mentioned above, the minimized assumption generation method proposed in [5] has been recognized as an important optimization of the assumeguarantee verification for generating minimal assumptions... generate minimal assumptions for assume-guarantee verification of component-based software A Answering Membership Queries We use the L* algorithm for learning the language of the weakest assumption. .. product of the sizes of the software components and the size of the required property for each applied system The - sign stands for “outof-time-and-patience” (more than one hour of computation)