1. 1 Generating FSMs from Abstract State Machines Wolfgang Grieskamp Yuri Gurevich Wolfram Schulte Margus Veanes Foundations of Software Engineering Microsoft Research ISSTA 2002, Rome, July 22-24

2. 2 Outline Background What is an ASM? Why use ASMs? Modeling with ASMs Conformance Testing with ASMs FSM Generation Exploration of the FSM Test Execution Demo

3. 3 Abstract State Machines Introduced by Yuri Gurevich Deep mathematical theory World wide user community (academia + industry) The Idea: A machine that describes a system on any (but particular) level of abstraction An operational specification of a system A very high-level program

4. 4 A Sample ASM var A as Seq of Integer Swap() choose i,j in indices(A) where i A(j) A(i) := A(j) A(j) := A(i) Sort() step until fixpoint Swap() A = [2,3,1] A = [1,3,2] A = [1,2,3] A = [2,1,3] Nondeterminsm Parallelism

5. 5 ASMs are evolving structures An ASM is a mathematical machine that represents a system as evolving state A state is given by the current values of the variables A step is a transaction (synchronous parallelism) that may update many variables at once In the sequential case, a program describes one step, a run is a sequence of consecutive steps. In the distributed case, each agent has a program, a distributed run is a partial order of agents’ steps (asynchronous parallelism)

6. 6 Why is software error-prone? Some reasons: Premature coding Lack of confidence in descriptions Late feedback from customer Unforeseen feature interaction Lack of understanding in maintenance phase

7. 7 Models solve these problems Engineering models help you to gain confidence in requirements and designs. Examples: Architectural, Mechanical, Electrical, etc. Software models help you understand the behavior of each level of abstraction, examples are: Steps required to carry out the system’s user scenarios How features/components interact with each other The behavior of subsystems like file storage and messaging

8. 8 Models can be used everywhere ModelingValidation Refinement Verification ASM Model Implementation C/C++/C#/… Product Idea Are you building the product right ? Are you building the right product? What product are you building?

9. 9 AsmL: A modeling toolkit AsmL is a powerful, ASM-based specification language Combines mathematical, object-oriented and component-oriented approaches Fully integrated with the.Net framework Can be used for documentation Integrated with MS Word and XML Can be used for testing Ongoing Integration with existing testing tools

10. 10 A guideline for AsmL users 1. Begin building a model by considering its purpose; this guides abstraction decisions during development 1. Define model state 2. Define model transitions 2. Validate the model early and often to increase confidence that the model is faithful.  Check internal consistency  Check against customer expectations

11. 11 Outline Background What is an ASM? Why use ASMs? Modeling with ASMs Conformance Testing with ASMs FSM Generation Exploration of the FSM Test Execution Demo

12. 12 Using AsmL models for conformance testing ASM-Model Implementation Test OracleTest Cases Are run by Provides actual results for Pass No pass Provides expected results for Generates User Info

13. 13 AsmL Model M The dual role of ASM models Test cases Random generation Reduce FSM tool IUT Call next action Get state AsmL Model M Testing harness Is S valid according to M? Fail: witness Pass S view FSM

14. 14 FSM Generation Typically ASMs have infinite state space We introduce indistinguishability properties to group states into equivalence classes called hyperstates The non-discovery problem The problem of reaching all hyperstates is in general undecidable Improvement relations provide a partial solution to this problem A way to encode domain specific search strategies

15. 15 FSM generation sample Generate an FSM from the stack specification. class Stack var s as Seq of Integer = [] Top() as Integerrequire s <> [] return first(stack) Pop() require s <> [] stack := rest(stack) Push(x as Integer) s := [x] + s Indistinguishability property: s=[]

16. 16 The FSM construction [] [0] Push(0) [] Pop()Push(0) [0,0] Top() The tree can be pruned, if a hyperstate is reached that has “already” been visited [] [0,..] Push(0) Pop Top The generated FSM Pop()

17. 17 The algorithm generate() step s = head(frontier) frontier := tail(frontier) step foreach a in Actions nextStates = explore Fire(s,a) step foreach t in nextStates transitions(s,a,t) := true if relevant(s,a,t) then frontier := frontier + [t] hypers := hypers union {GetHyperstate(t)}

18. 18 Improvement relations relevant(s as State, a as Action, t as State) as Boolean forall g in goals where improved(bestState(g),t,g) bestState(g) := t return (h.GetHyperstate(t) notin hypers) or (exists g in h.goals() where h.improved(bestState(g),t,g))

19. 19 Outline Background What is an ASM? Why use ASMs? Modeling with ASMs Conformance Testing with ASMs FSM Generation Exploration of the FSM Test Execution Demo

20. 20 Demo “Run” the paper

21. 21 Current Work Generalized properties (non-Boolean finite valued properties) Parameter generation for actions with parameters.Net attribute scheme design for annotating the model with test related meta information

22. 22 For more information Check out the public website of AsmL: research.microsoft.com/fse/asml You can download AsmL 2 You need VS.NET You need Office XP for Word integration