1
Generating FSMs from Abstract State Machines
Wolfgang Grieskamp, Yuri Gurevich, Wolfram Schulte, Margus Veanes
Foundations of Software Engineering, Microsoft Research
ISSTA 2002, Rome, July 22-24
2
Outline
• Background
  • What is an ASM?
  • Why use ASMs?
  • Modeling with ASMs
• Conformance Testing with ASMs
  • FSM Generation
  • Exploration of the FSM
  • Test Execution
• Demo
3
Abstract State Machines
Introduced by Yuri Gurevich
Deep mathematical theory
World wide user community (academia + industry)
The Idea:
• A machine that describes a system on any (but particular) level of abstraction
• An operational specification of a system
• A very high-level program
4
A Sample ASM
    var A as Seq of Integer

    Swap()
      choose i,j in indices(A) where i<j and A(i)>A(j)
        A(i) := A(j)
        A(j) := A(i)

    Sort()
      step until fixpoint
        Swap()
[Figure: states A = [2,3,1], A = [1,3,2], A = [2,1,3], A = [1,2,3]; annotations on the code: Nondeterminism, Parallelism]
5
ASMs are evolving structures
An ASM is a mathematical machine that represents a system as evolving state
A state is given by the current values of the variables
A step is a transaction (synchronous parallelism) that may update many variables at once
In the sequential case, a program describes one step, a run is a sequence of consecutive steps.
In the distributed case, each agent has a program, a distributed run is a partial order of agents’ steps (asynchronous parallelism)
6
Why is software error-prone?
Some reasons:
• Premature coding
• Lack of confidence in descriptions
• Late feedback from customer
• Unforeseen feature interaction
• Lack of understanding in maintenance phase
7
Models solve these problems
• Engineering models help you to gain confidence in requirements and designs.
  • Examples: Architectural, Mechanical, Electrical, etc.
• Software models help you understand the behavior of each level of abstraction. Examples are:
  • Steps required to carry out the system’s user scenarios
  • How features/components interact with each other
  • The behavior of subsystems like file storage and messaging
8
Models can be used everywhere
[Figure: Product Idea, ASM Model and Implementation (C/C++/C#/…), related by Modeling, Validation, Refinement and Verification. Questions on the figure: What product are you building? Are you building the right product? Are you building the product right?]
9
AsmL: A modeling toolkit
AsmL is a powerful, ASM-based specification language
  • Combines mathematical, object-oriented and component-oriented approaches
  • Fully integrated with the .Net framework
• Can be used for documentation
  • Integrated with MS Word and XML
• Can be used for testing
  • Ongoing integration with existing testing tools
10
A guideline for AsmL users
1. Begin building a model by considering its purpose; this guides abstraction decisions during development
   1. Define model state
   2. Define model transitions
2. Validate the model early and often to increase confidence that the model is faithful.
   • Check internal consistency
   • Check against customer expectations
12
Using AsmL models for conformance testing
[Figure: conformance testing. Boxes: ASM-Model, Implementation, Test Cases, Test Oracle, UserInfo. Edge labels: Generates; Are run by; Provides expected results for; Provides actual results for. Outcomes: Pass, No pass.]
13
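The dual role of ASM models
[Figure: the AsmL Model M in two roles. Test generation: AsmL Model M, FSM tool, FSM, Reduce, Random generation, Test cases. Test execution: Testing harness, IUT (Call next action, Get state), AsmL Model M, decision "Is S valid according to M?" with outcomes Pass and Fail: witness. Other labels: S view, view.]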
14
FSM Generation
• Typically ASMs have infinite state space
  • We introduce indistinguishability properties to group states into equivalence classes called hyperstates
• The non-discovery problem
  • The problem of reaching all hyperstates is in general undecidable
• Improvement relations provide a partial solution to this problem
  • A way to encode domain specific search strategies
15
FSM generation sample
Generate an FSM from the stack specification.
    class Stack
      var s as Seq of Integer = []

      Top() as Integer
        require s <> []
        return first(s)

      Pop()
        require s <> []
        s := rest(s)

      Push(x as Integer)
        s := [x] + s

Indistinguishability property: s=[]
16
The FSM construction
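[Figure: exploration tree over the states [], [0] and [0,0], with transitions Push(0), Pop() and Top()]
The tree can be pruned if a hyperstate is reached that has “already” been visited.
[Figure: the generated FSM, with hyperstates [] and [0,..] and transitions Push(0), Pop() and Top()]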
17
The algorithm
    generate()
      step
        s = head(frontier)
        frontier := tail(frontier)
      step foreach a in Actions
        nextStates = explore Fire(s,a)
        step foreach t in nextStates
          transitions(s,a,t) := true
          if relevant(s,a,t) then
            frontier := frontier + [t]
            hypers := hypers union {GetHyperstate(t)}
18
Improvement relations
    relevant(s as State, a as Action, t as State) as Boolean
      forall g in goals where improved(bestState(g),t,g)
        bestState(g) := t
      return (h.GetHyperstate(t) notin hypers) or
             (exists g in h.goals() where h.improved(bestState(g),t,g))
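The generation algorithm applied to the stack specification, as an added Python example (not code from the slides or from the AsmL tools). It assumes a single parameter value, Push(0), tuples as sequences, and a relevance test with no improvement goals, so a target state is relevant only when its hyperstate is new; the names ACTIONS, hyperstate and project are hypothetical.

```python
from collections import deque

# Model actions (assumed encoding): each returns the next state, or None
# when the 'require' precondition fails and the action is not enabled.
ACTIONS = {
    "Push(0)": lambda s: (0,) + s,
    "Pop()":   lambda s: s[1:] if s else None,
    "Top()":   lambda s: s if s else None,   # observer, state unchanged
}

def hyperstate(s):
    """Indistinguishability property from the slides: s = []."""
    return s == ()

def generate(initial=()):
    """Breadth-first exploration that prunes already-visited hyperstates."""
    frontier = deque([initial])
    hypers = {hyperstate(initial)}
    transitions = set()                      # concrete (s, a, t) triples
    while frontier:
        s = frontier.popleft()
        for name, fire in ACTIONS.items():
            t = fire(s)
            if t is None:                    # precondition violated
                continue
            transitions.add((s, name, t))
            # relevant(s,a,t) with no goals: only a new hyperstate counts
            if hyperstate(t) not in hypers:
                hypers.add(hyperstate(t))
                frontier.append(t)
    return transitions, hypers

def project(transitions):
    """Collapse concrete transitions onto hyperstates to obtain the FSM."""
    return {(hyperstate(s), a, hyperstate(t)) for s, a, t in transitions}

if __name__ == "__main__":
    trans, hypers = generate()
    for src, action, dst in sorted(project(trans), reverse=True):
        label = {True: "[]", False: "[0,..]"}
        print(f"{label[src]:7} --{action}--> {label[dst]}")
```

Only [] and [0] are ever expanded: [0,0] is reached but pruned, so the resulting FSM has no Pop() edge from the non-empty hyperstate back to itself.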
20
Demo
“Run” the paper
21
Current Work
Generalized properties (non-Boolean finite valued properties)
Parameter generation for actions with parameters
.Net attribute scheme design for annotating the model with test-related meta information
22
For more information
• Check out the public website of AsmL: research.microsoft.com/fse/asml
• You can download AsmL 2
  • You need VS.NET
  • You need Office XP for Word integration