Introduction to ASMs Dumitru Roman Digital Enterprise Research Institute
2 Outline ASMs Characteristics ASMs Definition –Abstract States –Abstract Instructions for Changing States AsmL: an ASM engine –An example DASMs for formalizing BPEL4WS
ASMs overview A practical method for rigorous system development which has been used successfully under industrial constraints for design and analysis of complex hardware/software systems. Formalism for modelling/formalising algorithms Previously known as Evolving algebras An attempt to bridge the gap between formal models of computation and practical specification methods. ASM Model Informal specification of the hardware/software system Implementation of the system (C, Java, etc) Modeling What System are you building? Validation Are you building the right system? Refinement Verification Are you building the system right?
ASM methodology characteristics Precision: ASMs use classical mathematical structures that are well-understood Faithfulness: ASMs require a minimal amount of notational coding Understandability: ASMs use an extremely simple syntax, which can be read as a form of pseudo-code Executablity: ASMs can be tested by executing them Scalability: ASMs can describe a system/algorithm on different levels of abstraction Generality: ASMs have been shown to be useful in many different application domains
Abstract States (1) States can be viewed as (first-order) structures of mathematical logic Structures - syntax –A vocabulary contains: A finite collection of function names, each of a fixed arity The equality sign, and nullary names true, false, undef, and unary name Boole, and the names of the usual Boolean operations –Terms - defined by the usual induction: A nullary function name is a term. If f is a function name of positive arity j and if t 1,…,t j are terms, then f(t 1,…,t j ) is a term.
Abstract States (2) Structures – semantics –A structure X of vocabulary T is a nonempty set S together with interpretations of the function names in T over S –A j-ary function name is interpreted as a function from S j to S –A nullary function is identified with its value. –The interpretation of a j-ary relation R is a function from S j to {true; false} –The equality sign is interpreted as the identity relation S
Abstract Instructions for Changing States The most general structure transforming machine instructions (called ASM rules) are guarded assignments to functions at given arguments expressable in the following form if Cond then Updates Cond is an arbitrary condition statement formulated in the given vocabulary Updates consists of finitely many function updates f(t 1,…,t n ):= t which are executed simultaneously
ASMs Definition Egon Börger, "High Level System Design and Analysis using Abstract State Machines". Current Trends in Applied Formal Methods (FM-Trends 98). Springer LNCS 1641, Egon Börger An ASM M is a finite set of rules for guarded multiple function updates Applying one step of M to a state (algebra) A produces as next state another algebra A’ of the same signature obtained as follows: –First evaluate in A using the standard interpretation of classical logic all the guards of all the rules of M –Compute in A for each of the rules of M whose guard evaluates to true all the arguments and all the values appearing in the updates of this rule –Replace simultaneously for each rule and for all the locations in question the previous A-function value by the newly computed value –The algebra A’ thus obtained differs from A by the new values for those functions at those arguments where the values are updated by a rule of M which could fire in A
ASMs thesis “Sequential Abstract State Machines Capture Sequential Algorithms”, by Yuri Gurevich; ACM Transactions on Computational Logic, July 2000 “Abstract State Machines Capture Parallel Algorithms”, by Andreas Blass and Yuri Gurevich; ACM Transactions on Computational Logic (TOCL), October 2003 The methodology is not proved yet for distributed algorithms
ASM engines A practical specification language is needed to write and execute ASM models => ASM engines: –ASM Workbench ( U Paderborn, Siemens ) –XASM ( TU Berlin, Kestrel ) –ASM Gofer ( U Ulm, Siemens ) –AsmL = ASM Language ( Microsoft )
AsmL An AsmL model (or program) - defined using a fixed vocabulary of symbols of our choosing. –The names of its state variables –A fixed set of operations Values - simple elements like numbers and strings State - a particular association of variable names to values: {(name1, val1), (name2, val2), … } A run of the machine - a series of states connected by state transitions Each state transition, or step, occurs when the machine's control logic (the set of operations) is applied to an input state and produces an output state. A program consists of statements; a typical statement is the conditional update “if condition then update.“ - each update is in the form "a := b" The program never alters the input state. An inconsistent update error occurs if the update set contains conflicting information (e.g. the program cannot update a variable to two different values in a single step)
AsmL – an example: reading a file (1) Main() initially F as File? = null initially FContents = "" initially Mode = "Initial" step until fixpoint if Mode = "Initial" then F := new Open("MyFile.txt") Mode := "Reading" if Mode = "Reading“ and Length(FContents) = 0 then FContents := Read(F, 1) if Mode = "Reading" and Length(FContents) = 1 then FContents := FContents + Read(F, 1) if Mode = "Reading" and Length(FContents) > 1 then WriteLine(FContents) Mode := "Finished" State Variables declaration and initialization Precedes the block of statements that will be repeatedly run until no state changes result A typical statement
AsmL – an example: reading a file (2) How this approach is different from finite state machines, or other kinds of “automata”? –Our machines may have state variables with very large (even infinite) ranges as well as complex structure (such as a graph of interconnected nodes –The operations corresponding to the state transitions may interact with the external environment in a flexible way ASMs - more general than other kinds of machines and automata It is possible for state variables to have complex nested data structures as their values, or come from infinite sets like real numbers.
DASMs for formalizing BPEL4WS (1) A DASM M has a finite set AGENT of autonomously operating agents. –The set of agents changes dynamically over runs of M –The behavior of an agent a in a given state S of M is defined by its program program S (a) –To introduce a new agent a in state S, a valid program has to be assigned to program S (a); to terminate a, program S (a) is reset to the distinguished value undef –In any state S reachable from an initial state of M, the set of agents is well defined as AGENT S ≡ {x € S : program S (x) ≠ undef}. –The collection of all the programs that agents of M potentially can execute forms the distributed program PM.
DASMs for formalizing BPEL4WS (2) Three layers of abstraction: High-level structure of BPEL Abstract Machine: –Inbox manager, outbox manager, process instances: different types of DASM agents –Activity agents - created dynamically by process agents for executing BPEL structured activities
Introduction to ASMs Q & A