Abstract State Machines


The Semantics of AsmL
in a Proper Perspective
Yuri Gurevich
Microsoft Research
Preamble
The intention was to present a
forthcoming paper “Semantics of AsmL”
by YG and Wolfram Schulte.
But what’s good for a paper is not
necessarily good for a talk. Hence a
more general view.
2
Agenda
A few words on the ASM project and
executable specifications
An AsmL demo
AsmL-S


Why not full AsmL?
Abstract syntax, type system, operational
semantics
The proof of pudding
3
In the beginning, there was
a foundational investigation
PDEs model physical world.
What are the PDEs of CS?
How is CS different?



Not a natural science: we study artificial world.
In the sequential case, a state is examinable and – unless
the process stops – the next state exists.
The traditional math ways to deal with dynamics
(math as autopsy) may be insufficient.
Hence a machine approach may be apt
if we can improve on Turing’s machine.
4
The ASM thesis
Every computer system, at any level
of abstraction, is an ASM
as far as behavior is concerned.



Ref: Lipari Guide, #103 at my webpage
There is experimental and theoretical confirmation
of the thesis but this belongs to a different talk.
Natural ASM applications: modeling existing
systems, executable specifications of future systems
5
Executable Specifications
One needs a practical spec language to write
and execute ASM models. Hence ASM
engines:

ASM Workbench (U Paderborn, Siemens)
XASM (TU Berlin, Kestrel)
ASM Gofer (U Ulm, Siemens)
AsmL = ASM Language (Microsoft)
AsmL specs do include declarations:
invariants, pre- and post-conditions
But isn’t an exec spec just a prototype?
6
In-place one-swap-a-time sorting
var A as Seq of Integer = [3,1,2]

Nondeterminism
Swap()
  choose i,j in Indices(A)
    where i<j and A(i)>A(j)
      A(i) := A(j)
      A(j) := A(i)
A = [2,3,1]
A = [1,3,2]
A = [2,1,3]

Parallelism
Sort()
  step until fixpoint
    Swap()
A = [1,2,3]
7
Topological Sorting
Requirement: Given an acyclic digraph G =
(V,E), sort the vertices into a sequence S
where each edge (u,v) leads forward.
Observe: there is a v with no (u,v), and the
remainder is still acyclic. Use the observation
repeatedly to build the desired sequence S.
Modula-2 implementation by Niklaus Wirth
AsmL spec
8
How to validate, enforce a spec? Again, a different talk.
[Diagram: Product Idea / Informal Spec (What product are you building?); Modeling; AsmL Model (Are you building the right product?); Refinement; Validation; Verification; Implementation in C, C++, C#, ... (Are you building the product right?)]
9
AsmL
http://research.microsoft.com/fse/asml
Math e.g. set comprehension {e(x) | x ∊ r | φ(x)}
as well as sequence and map comprehension
OO
Transaction programming
and massive synch. parallelism
Nondeterminism
Interoperability via .NET
Literate programming via MS Word and
automated programming via XML
10
ASMs in AsmL
Universes are approximated by
semantic subtypes.
Remark on typing: pragmatically
necessary, semantically a drag.

Set theory is untyped for a reason.
Dynamic functions are represented by
map variables.
11
More Highlights of AsmL
Advanced type system:
Disjunctive types, Semantic Subtypes, Generics
Pattern Matching: Structures and Classes
Intra-step communication with outside world
and among submachines
Reflection over execution

Data access, structural coverage
State as first class citizen: Explore command,
etc.
Processes (coming)
Bootstrapping
12
Why AsmL-S?
The full AsmL is rich
(numerous features are needed for the .NET
integration and to support various tools)
and evolving.
A smaller core fragment may be useful


to study semantics, refinements
for initial experimentation with e.g.
FSM generation, model checking,
parameter generation
13
AsmL-S at a glance
Math: only maps (with partial updates)

no tuples, sets, sequences
OO
Restricted type system

no interfaces, union types
Compositions: a;b, a∥b, a⌷b,
as well as while, forall, choose
Exceptions
An interpreter
14
A core of AsmL?
It would be great to claim that the full
AsmL is a definable extension of AsmL-S
but this is not literally so.
The typing discipline does not allow us
even to define sets via maps.
T → Unit
does not work, for example.
15
Abstract Syntax
pgm = cls e
cls = class c extends c {fld mth}
fld = f as t
mth = m(l as t) as t e
t = b | c | t→t
b = Bool | Int | ... | Null | Thrown | Void
v = void | null | true | 0 | ...
o = + | - | ...
e=
16
Abstract syntax of exprs
v | l | o(e) | let l = e : e | if e then e else e |
new c(e) | new t→t (e↦e) | e.f | e.m | e[e] |
e.f:=e | e[e]:=e | remove e[e] | e is t | e as t |
e;e | e ∥ e | e⌷e | while(e) do e |
forall l in e : e | choose l in e : e |
try e catch(l as t) e | throw e | skip
17
Subtyping rules
Program specific:
c extends c’ ...
--------------
c < c’
General:
Thrown < t      Null < c      t→t’ < Object

t3 < t1    t2 < t4
------------------
t1→t2 < t3→t4

< is reflexive and transitive
Basic types are not objects in AsmL-S though
they are in AsmL.
18
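The subtyping rules above as a small checker, added here as an example (not code from the paper or the AsmL implementation): types are tuples, `subtype` is this example's own name, and the class table `EXTENDS` is constructed sample data standing in for the program-specific "c extends c'" part.

```python
# Added example, not from the talk: a checker for the AsmL-S subtyping rules of
# slide 18. Types are tuples; the class table EXTENDS is constructed sample data.
from typing import Dict

Type = tuple
def basic(n: str) -> Type: return ("basic", n)
def cls(n: str) -> Type: return ("class", n)
def arrow(t1: Type, t2: Type) -> Type: return ("arrow", t1, t2)

THROWN, NULL, OBJECT = basic("Thrown"), basic("Null"), cls("Object")

# Program-specific part, "c extends c'": constructed class table
EXTENDS: Dict[str, str] = {"Account": "Object", "Savings": "Account"}

def subtype(t: Type, u: Type) -> bool:
    """t < u under the general rules plus the class table (reflexive, transitive)."""
    if t == u or t == THROWN:                   # reflexive; Thrown < t
        return True
    if u[0] == "class":
        if t == NULL:                           # Null < c
            return True
        if t[0] == "arrow":                     # t→t' < Object, and only Object
            return u == OBJECT
        if t[0] == "class":                     # follow c extends c' (transitivity)
            c = t[1]
            while c in EXTENDS:
                c = EXTENDS[c]
                if c == u[1]:
                    return True
        return False                            # basic types are not objects in AsmL-S
    if t[0] == "arrow" and u[0] == "arrow":     # t3<t1, t2<t4  ⟹  t1→t2 < t3→t4
        _, t1, t2 = t                           # argument contravariant, result covariant
        _, t3, t4 = u
        return subtype(t3, t1) and subtype(t2, t4)
    return False
```

The arrow case is the one worth checking by hand: a function accepting Account may be used where one accepting Savings is expected, not the other way round.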
Static semantics
Class table (as in Featherweight Java)
and lookup functions, like fields(c)
An example rule
T ⊦ e1 :: Bool      T ⊦ e2 :: t
--------------------------------
T ⊦ (while (e1) do e2) :: Void
19
Semantic domains
Value = Literal ∪ ObjId
Location = ObjId × (FieldId ∪ Value)
Store = (ObjId ∪ Location) × (Type ∪ Value)
Update = Location × (Value ∪ {⊥})
Updates = Set{Update}
Status = {X,OK}
Effect = Store × Updates × Status
Binding = LocalId → Value
20
Judgements
⊦ cls e ⇓ φ,v
B,S ⊦ e ⇓ φ,v
where φ is an effect and v is a value.
φ gives object types, location values,
updates and status.
21
A couple of evaluation rules
B,S ⊦ e ⇓ φ,v      v ≠ null
------------------------------------------
B,S ⊦ e.f ⇓ φ, (S + store(φ))(v.f)

B,S ⊦ e ⇓ φ,null      B,S ⊦ (throw new NullX()) ⇓ φ’,v’
------------------------------------------
B,S ⊦ e.f ⇓ φ + φ’, v’
Remark on natural semantics.
22
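As an added example (not code from the talk, the paper or the AsmL implementation), here is a Python model that ties the Swap/Sort demo to the Effect domain above: a step collects an update set and fires it simultaneously, ∥ merges update sets and marks two values for one location as inconsistent (status X), and a fixpoint loop gives Sort. The names Effect, par, fire and the index `pick` that resolves choose are this example's own; the Store component of Effect is left out.

```python
# Added example, not from the talk or AsmL: a toy model of ASM update-set semantics.
from typing import FrozenSet, List, Tuple
Update = Tuple[int, int]   # (location = index into A, new value)
OK, X = "OK", "X"          # Status values from the "Semantic domains" slide

class Effect:              # update set + status (the Store component is omitted)
    def __init__(self, updates: FrozenSet[Update] = frozenset(), status: str = OK):
        self.updates, self.status = updates, status

def par(a: Effect, b: Effect) -> Effect:
    """a ∥ b: union of update sets; two values for one location, or a failed operand, gives X."""
    ups = a.updates | b.updates
    locs = [loc for loc, _ in ups]
    bad = a.status == X or b.status == X or len(locs) != len(set(locs))
    return Effect(ups, X if bad else OK)

def fire(A: List[int], eff: Effect) -> List[int]:
    """Apply an OK effect: all of its updates take place simultaneously."""
    if eff.status == X:
        raise ValueError("inconsistent update set")
    new = dict(enumerate(A))                 # location -> value
    new.update(eff.updates)
    return [new[k] for k in range(len(A))]

def swap_effect(A: List[int], i: int, j: int) -> Effect:
    # A(i) := A(j) and A(j) := A(i) both read the OLD state, so together
    # they swap without a temporary, unlike the same two lines run sequentially.
    return par(Effect(frozenset({(i, A[j])})), Effect(frozenset({(j, A[i])})))

def candidates(A: List[int]) -> List[Tuple[int, int]]:
    """Pairs i<j with A(i)>A(j): the range the demo's choose picks from."""
    return [(i, j) for i in range(len(A)) for j in range(i + 1, len(A)) if A[i] > A[j]]

def swap(A: List[int], pick: int = 0) -> List[int]:
    """One Swap step; the nondeterministic choose is resolved by index `pick`."""
    cs = candidates(A)
    return fire(A, swap_effect(A, *cs[pick])) if cs else A   # no pair: fixpoint

def sort(A: List[int]) -> List[int]:
    """Sort: step until fixpoint Swap()."""
    while (B := swap(A)) != A:
        A = B
    return A

def forall_swap_effect(A: List[int]) -> Effect:
    """'forall' instead of 'choose': all candidate swaps in one step; on [3,1,2] they clash on location 0."""
    eff = Effect()
    for i, j in candidates(A):
        eff = par(eff, swap_effect(A, i, j))
    return eff
```

`forall_swap_effect` shows why the demo uses choose rather than forall: with several enabled pairs sharing an index, the combined update set is inconsistent and the step cannot fire.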
Proof of pudding
Who uses AsmL?



Some MS product groups, e.g. XAF.
Some academics (who complain that there
is no book)
Dogfooding
Architects, PMs, devs and testers.
ESTATE(?)
23