Abstract State Machines, and lessons of an ASM-based project at Microsoft Yuri Gurevich ( Erdos #2 ) Microsoft Research

Modeling No science without modeling The virtuous cycle Maybe even no life without modeling Physics uses PDEs for modeling. What are the PDEs of computer science? 2

Turing’s analysis of computation Great Yet limited 3

Improving on Turing’s analysis Emile Post Andrei Kolmogorov “Algorithms compute in steps of bounded complexity.” Pointer machines Robin Gandy 4

Another line of analysis Recursive functions Skolem to Gödel Lambda calculus Church’s thesis Comparing the two lines 5

6 A Thought Experiment A perfect machine model Step-for-step simulation of any algorithm Uses: software specs, model based testing What would the model look like?

Postulate 1: Sequential Time An algorithm is a transition system. What are states? What are transitions? 7

8 States The state is information that, given the program, determines the ensuing computation(s). More than the values of the variables. What is the form of states? Or what is is?

9 Postulate 2: Abstract State The states are structures in the sense of mathematical logic. Same vocabulary Transitions preserve the state domain. Everything is preserved under isomorphism.

What are transitions? Deterministic or nondeterministic? More generally, interactive or non-interactive? Let’s consider first the classical case of non-interactive algorithms. 10

What are transitions? (cont.) How powerful steps are? Let’s consider first the classical case of “steps of bounded complexity.” How to bound the complexity? 11

12 Locations and updates Locations = (f,(a 1,..,a j )) Content( ) = f(a 1,..,a j ) Updates (,v) The update set of state X is  (X) = { (,v) : v = Content( ) in Next(X)  Content( ) in X }

13 Postulate 3: Bounded Exploration There is a finite set t 1,..,t n of critical terms such that  (X) =  (Y) if every Val X (t i ) = Val Y (t i ).

14 Definition A sequential algorithm is an abstract-state bounded-exploration transition system.

15 Sequential ASMs SyntaxSemantics  = ? f(t 1,..,t j ):= t 0 {(,a 0 )} where = (f,(a 1,..,a j )) and each a i = Val(t i ) do in parallel R 1 … R k  (R 1 )  …   (R k ) if t then R 1 else R 2 if Val(t) = true then  (R 1 ) else  (R 2 )

16 Example if b = 0 then d := a else [do in-parallel] a := b b := a mod b Nullary dynamic functions:a, b, d Static functions: =, 0, mod

17 Example (cont.) if a(s)=0 then d(s) := b(s) s := s+1 else a(s) := b(s) mod a(s) b(s) := a(s)

18 Seq Characterization Theorem For any seq algorithm A there is a seq ASM B such that states of A are states of B and every Next A (X) = Next B (X). #141

Interaction The ASM model is relatively straightforward: External functions Choice and import operators The from-the-first-principles analysis is not straightforward. 19

20 In-place one-swap-a-time sorting var A as Seq of Integer = [3,1,2] Swap() choose i,j in Indices(A) where i A(j) A(i) := A(j) A(j) := A(i) Sort() step until fixpoint Swap() A = [2,3,1] A = [1,3,2] A = [1,2,3] A = [2,1,3] Nondeterminsm Parallelism

21 Wide steps Again, the ASM model is relatively straightforward do-for-all The from-the-first-principles analysis is not straightforward.

Topological Sorting Example 22

23 Distributed algorithms Distributed ASMs were defined long ago, but the axiomatization problem is wide (and maybe forever) open. To simulate, one can interleave (sets of) actions of the computing agents.

24 Early ASM engines ASM Workbench Uni Paderborn, Siemens ASM Gopher Uni Ulm, Siemens XASM Uni Berlin, Kestrel

25 AsmL creators In the hiring order: Wolfram Schulte, Margus Veanes, Colin Campbell, Lev Nachmanson, Mike Barnett, Wolfgang Grieskamp, Nikolai Tillmann

26 ModelingValidation Refinement Verification AsmL Model Implementation C, C++, C#,... Product Idea / Informal Spec Are you building the product right ? Are you building the right product? What product are you building? FSE propaganda example

27 Spec ValidateEnforce Comprehend Play scenarios Test Model check Prove properties Generate test suites Lockstep runtime verification On-the-fly testing

28 Conformance testing I AsmL model Test harness I Implementation under test Discrepancies flagged Any client I

Spec Explorer Original purpose Model based testing Why model-based testing? Arguably the largest model-based-testing operation anywhere. Success of sorts 29

Probability of success Coburn: (pain of crisis) divided by (pain of adoption) where pain means perceived pain. 30

Love triangle 31