Abstract State Machines, and lessons of an ASM-based project at Microsoft
Yuri Gurevich (Erdos #2), Microsoft Research

Transcript of the slides.

Modeling

No science without modeling. The virtuous cycle. Maybe even no life without modeling.
Physics uses PDEs for modeling.
What are the PDEs of computer science?

Turing’s analysis of computation

Great, yet limited.

Improving on Turing’s analysis

Emil Post
Andrei Kolmogorov: “Algorithms compute in steps of bounded complexity.”
Pointer machines
Robin Gandy

Another line of analysis

Recursive functions: Skolem to Gödel
Lambda calculus
Church’s thesis
Comparing the two lines

A Thought Experiment

A perfect machine model
Step-for-step simulation of any algorithm
Uses: software specs, model-based testing
What would the model look like?

Postulate 1: Sequential Time

An algorithm is a transition system.
What are states? What are transitions?

States

The state is information that, given the program, determines the ensuing computation(s). More than the values of the variables.
What is the form of states? Or what is is?

Postulate 2: Abstract State

The states are structures in the sense of mathematical logic.
Same vocabulary.
Transitions preserve the state domain.
Everything is preserved under isomorphism.

What are transitions?

Deterministic or nondeterministic? More generally, interactive or non-interactive?
Let’s consider first the classical case of non-interactive algorithms.

What are transitions? (cont.)

How powerful are steps? Let’s consider first the classical case of “steps of bounded complexity.”
How to bound the complexity?

Locations and updates

A location is a pair (f,(a1,..,aj)); its content is f(a1,..,aj).
An update is a pair (location, v).
The update set of state X is the set of updates (location, v) such that v is the content of the location in Next(X) and differs from its content in X.

Postulate 3: Bounded Exploration

There is a finite set t1,..,tn of critical terms such that the update sets of X and Y coincide whenever ValX(ti) = ValY(ti) for every i.

Definition

A sequential algorithm is an abstract-state bounded-exploration transition system.

Sequential ASMs

Syntax and semantics of rules (the semantics of a rule is the update set it yields):

f(t1,..,tj) := t0
  yields the single update (location, a0), where the location is (f,(a1,..,aj)) and each ai = Val(ti)

do in parallel R1 … Rk
  yields the union of the update sets of R1, …, Rk

if t then R1 else R2
  yields the update set of R1 if Val(t) = true, else the update set of R2

Example

if b = 0 then d := a
else
  [do in parallel]
  a := b
  b := a mod b

Nullary dynamic functions: a, b, d
Static functions: =, 0, mod

Example (cont.)

if a(s) = 0 then
  d(s) := b(s)
  s := s+1
else
  a(s) := b(s) mod a(s)
  b(s) := a(s)
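The update-set semantics of the three rule forms above, worked through on the Euclid rule from the first example, as an added Python illustration that is not code from the talk or from AsmL. The rule constructors, the encoding of a state as a dict of nullary dynamic functions, the encoding of terms as lambdas over the state, and the function names are this example's own choices; the point it shows is that every term is evaluated in the current state, so the parallel block a := b, b := a mod b behaves as a simultaneous assignment, and that the update set of a state (as defined on the Locations and updates slide) drops trivial updates.

```python
# Added illustration (not code from the talk): update-set semantics of the
# three sequential-ASM rule forms on the slides, applied to the Euclid rule
# "if b = 0 then d := a else do in parallel a := b, b := a mod b".
# Rule constructors, the dict-as-state encoding and the term-as-lambda
# encoding are this example's own choices, not ASM or AsmL notation.

def update(f, term):
    """f := term, for a nullary dynamic function f."""
    return ("update", f, term)

def par(*rules):
    """do in parallel R1 ... Rk"""
    return ("par",) + rules

def cond(test, then_rule, else_rule):
    """if t then R1 else R2"""
    return ("if", test, then_rule, else_rule)

def val(term, state):
    """Val(t) in a state: a term is a callable over the state or a literal."""
    return term(state) if callable(term) else term

def update_set(rule, state):
    """The update set a rule yields in a state: location/value pairs.
    Every term is evaluated in the *current* state, which is what makes
    the parallel block a simultaneous (not sequential) assignment."""
    kind = rule[0]
    if kind == "update":
        _, f, term = rule
        return {(f, val(term, state))}          # location of nullary f is just f
    if kind == "par":
        result = set()
        for sub in rule[1:]:
            result |= update_set(sub, state)    # union of the components' update sets
        return result
    if kind == "if":
        _, test, then_rule, else_rule = rule
        chosen = then_rule if val(test, state) is True else else_rule
        return update_set(chosen, state)
    raise ValueError(f"unknown rule kind {kind!r}")

def consistent(updates):
    """Two updates of one location with different values clash; a clashing
    update set gives no well-defined next state."""
    seen = {}
    for loc, v in updates:
        if loc in seen and seen[loc] != v:
            return False
        seen[loc] = v
    return True

def next_state(rule, state):
    """Next(X): fire the update set on a copy of the state."""
    updates = update_set(rule, state)
    if not consistent(updates):
        raise ValueError(f"inconsistent update set: {list(updates)}")
    new = dict(state)
    for loc, v in updates:
        new[loc] = v
    return new

def delta(rule, state):
    """The update set of state X as defined on the 'Locations and updates'
    slide: pairs (location, v) with v the content in Next(X) differing from
    the content in X. Trivial updates (same value) are not in it."""
    return {(loc, v) for loc, v in next_state(rule, state).items()
            if state.get(loc) != v}

# The slides' Euclid rule. a, b, d are nullary dynamic functions; =, 0 and
# mod are static (here: Python's ==, 0 and %).
EUCLID = cond(lambda s: s["b"] == 0,
              update("d", lambda s: s["a"]),
              par(update("a", lambda s: s["b"]),
                  update("b", lambda s: s["a"] % s["b"])))

def run(rule, state, max_steps=10_000):
    """Run to a fixpoint (empty update set); return the list of states visited."""
    trace = [dict(state)]
    for _ in range(max_steps):
        if not delta(rule, state):
            return trace
        state = next_state(rule, state)
        trace.append(dict(state))
    raise RuntimeError("no fixpoint within max_steps")

def gcd_via_asm(a, b):
    """Initial state with d undefined (None); the answer is d at the fixpoint."""
    return run(EUCLID, {"a": a, "b": b, "d": None})[-1]["d"]

if __name__ == "__main__":
    for step, st in enumerate(run(EUCLID, {"a": 12, "b": 18, "d": None})):
        print(step, st)
```

Starting from a = 12, b = 18 the run visits (12,18), (18,12), (12,6), (6,0) and then fires d := 6; the following step yields only the trivial update d := 6, so the update set of that state is empty and the run stops. The consistency check is the part a specification engineer cares about most: a parallel block that assigns two different values to one location is a specification error, and it surfaces here as an exception rather than as an arbitrary winner.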

Seq Characterization Theorem

For any seq algorithm A there is a seq ASM B such that the states of A are the states of B and every NextA(X) = NextB(X).

Interaction

The ASM model is relatively straightforward: external functions; choice and import operators.
The from-the-first-principles analysis is not straightforward.

In-place one-swap-at-a-time sorting

var A as Seq of Integer = [3,1,2]

Swap()
  choose i,j in Indices(A) where i<j and A(i)>A(j)
    A(i) := A(j)
    A(j) := A(i)

Sort()
  step until fixpoint
    Swap()

Diagram: states A = [2,3,1], A = [1,3,2], A = [1,2,3], A = [2,1,3]; labels: Nondeterminism, Parallelism.
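The sorting rule above, as an added Python illustration rather than the talk's AsmL. The choose clause is modelled by enumerating every admissible pair (i, j), which makes the nondeterminism visible as the set of possible next states, and step until fixpoint by iterating until no Swap is enabled; the two assignments of Swap are fired in parallel, reading the old state, so they form a genuine swap. The function names and the list encoding of A are this example's own.

```python
# Added illustration (not the talk's AsmL): the In-place one-swap-at-a-time
# sorting rule, with 'choose' modelled by enumerating every admissible (i, j)
# and 'step until fixpoint' by iterating until no Swap is enabled.
# The function names and the list encoding of A are this example's own.

def enabled_swaps(A):
    """Every (i, j) the choose clause may pick: i < j and A(i) > A(j)."""
    n = len(A)
    return [(i, j) for i in range(n) for j in range(i + 1, n) if A[i] > A[j]]

def swap_step(A, i, j):
    """Fire A(i) := A(j) and A(j) := A(i) in parallel: both right-hand
    sides are read from the old state, so the updates form a swap rather
    than overwriting one element with the other."""
    new = list(A)
    new[i], new[j] = A[j], A[i]
    return new

def successors(A):
    """All next states one Swap() step can produce (the nondeterminism);
    an empty list means A is a fixpoint."""
    return [swap_step(A, i, j) for i, j in enabled_swaps(A)]

def reachable(A):
    """Every state some run of Sort() passes through, as a sorted list of tuples."""
    seen = {tuple(A)}
    frontier = [list(A)]
    while frontier:
        cur = frontier.pop()
        for nxt in successors(cur):
            key = tuple(nxt)
            if key not in seen:
                seen.add(key)
                frontier.append(nxt)
    return sorted(seen)

def fixpoints(A):
    """Reachable states in which Swap() is no longer enabled."""
    return [s for s in reachable(A) if not enabled_swaps(list(s))]

def sort_one_run(A, pick=lambda choices: choices[0]):
    """One concrete run of 'step until fixpoint Swap()'; pick resolves choose.
    Termination: each swap removes at least one inversion, so the loop ends."""
    A = list(A)
    while enabled_swaps(A):
        i, j = pick(enabled_swaps(A))
        A = swap_step(A, i, j)
    return A

if __name__ == "__main__":
    start = [3, 1, 2]                        # the slide's initial A
    print("successors:", successors(start))
    print("reachable:", reachable(start))
    print("fixpoints:", fixpoints(start))
```

From A = [3,1,2] one Swap step can produce either [1,3,2] or [2,1,3]; both continue to [1,2,3], the only fixpoint, whichever choice is made. Exploring the whole reachable set rather than one run is what distinguishes checking a nondeterministic model from testing a single execution.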

Wide steps

Again, the ASM model is relatively straightforward: do-for-all.
The from-the-first-principles analysis is not straightforward.

Topological Sorting Example

Distributed algorithms

Distributed ASMs were defined long ago, but the axiomatization problem is wide (and maybe forever) open. To simulate, one can interleave (sets of) actions of the computing agents.

Early ASM engines

ASM Workbench: Uni Paderborn, Siemens
ASM Gofer: Uni Ulm, Siemens
XASM: Uni Berlin, Kestrel

AsmL creators

In the hiring order: Wolfram Schulte, Margus Veanes, Colin Campbell, Lev Nachmanson, Mike Barnett, Wolfgang Grieskamp, Nikolai Tillmann

FSE propaganda example (diagram)

Product Idea / Informal Spec
  Modeling, Validation: “Are you building the right product?” “What product are you building?”
AsmL Model
  Refinement, Verification: “Are you building the product right?”
Implementation: C, C++, C#, ...

Spec (diagram)

Comprehend: play scenarios
Validate: test, model check, prove properties
Enforce: generate test suites, lockstep runtime verification, on-the-fly testing

Conformance testing (diagram)

An AsmL model and the implementation under test are both driven, in lockstep, by a test harness (or any client); discrepancies between them are flagged.
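The lockstep arrangement in the diagram, as an added Python illustration that is neither Spec Explorer nor code from the talk. A harness drives a small AsmL-style model and an implementation under test with the same sequence of calls and records every step at which their observable results disagree. The bounded-stack model, the implementation's constructed off-by-one bug, the action script and all names are this example's own.

```python
# Added illustration (not Spec Explorer or the talk's code): the lockstep
# conformance-testing arrangement on the slide. A test harness drives an
# AsmL-style model and an implementation under test with the same calls and
# flags every step where their observable results disagree. The bounded
# stack model, the constructed off-by-one bug in the implementation and the
# action script are all this example's own.

class StackModel:
    """Model: bounded stack of capacity 3. push returns whether it was
    accepted; pop on an empty stack returns None."""
    CAPACITY = 3

    def __init__(self):
        self.items = []

    def push(self, x):
        if len(self.items) >= self.CAPACITY:
            return False
        self.items.append(x)
        return True

    def pop(self):
        return self.items.pop() if self.items else None

    def size(self):
        return len(self.items)

class StackImpl:
    """Implementation under test, with a constructed off-by-one capacity
    check (> instead of >=) so that a fourth push is wrongly accepted."""

    def __init__(self):
        self.buf = []

    def push(self, x):
        if len(self.buf) > 3:          # bug: should be >= 3
            return False
        self.buf.append(x)
        return True

    def pop(self):
        return self.buf.pop() if self.buf else None

    def size(self):
        return len(self.buf)

def conformance_test(actions, model_factory=StackModel, impl_factory=StackImpl):
    """Drive model and implementation in lockstep. Returns the discrepancies as
    (step, action, model_result, impl_result, model_size, impl_size)."""
    model, impl = model_factory(), impl_factory()
    discrepancies = []
    for step, (op, *args) in enumerate(actions):
        m = getattr(model, op)(*args)
        i = getattr(impl, op)(*args)
        if m != i or model.size() != impl.size():
            discrepancies.append((step, (op, *args), m, i, model.size(), impl.size()))
    return discrepancies

# Constructed action script: fill the stack, overfill it, then drain.
SCRIPT = [("push", 1), ("push", 2), ("push", 3), ("push", 4), ("pop",), ("pop",)]

if __name__ == "__main__":
    for d in conformance_test(SCRIPT):
        print("discrepancy:", d)
```

The first three pushes agree; the fourth is refused by the model and accepted by the implementation, and every later pop disagrees as well, because the two sides have drifted apart. Comparing the observable state (here the size) after each call, not only the return value, is what lets the harness localise the first divergence instead of reporting only the eventual wrong output.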

Spec Explorer

Original purpose: model-based testing.
Why model-based testing?
Arguably the largest model-based-testing operation anywhere. Success of sorts.

Probability of success

Coburn: (pain of crisis) divided by (pain of adoption), where pain means perceived pain.

Love triangle