Executable Specifications: Foundations MS Tools
Yuri Gurevich, Microsoft Research
Agenda
A short version of the talk
A piece of theory
Executable specifications
Our languages
Our tools
The Short Version
Genesis
This project started about 20 years ago when this logician moved to computer science. What is CS about? While it is about many things, the central role is played by algorithms (in a broad sense of the term). Operating systems, programming languages, compilers, etc. are all algorithms.
Key Question
What’s an algorithm?
The Turing machine is not adequate anymore. What is, if anything?
The Proposed Solution
A long analysis led to abstract state machines and the ASM thesis: For every algorithm there is a behaviorally identical ASM.
Experimental Confirmation
By the thesis, ASMs are fit to model and specify algorithms. Many applications have been found, in academia and industry.
In the process, experimental confirmation of the thesis accumulates.
The group on Foundations of Software Engineering at MSR
Wolfram Schulte
Margus Veanes
Colin Campbell
Lev Nachmanson
Mike Barnett
Wolfgang Grieskamp
Nikolai Tillman
Behavioral theory of computation
Increasing parts of the ASM thesis are proven from first principles.
In the process, axiomatic definitions of sequential, parallel, etc. algorithms emerge.
A piece of theory
Sequential Time Postulate
Any algorithm determines:
the set of states, the subset of initial states, the transition function.
Def. Two seq-time algorithms are behaviorally equivalent if they have the same states, the same initial states and the same transition function.
What are states of an algorithm?
What are states of, say, a C program?
Transparent (or explicit, or honest) states
Abstract State Postulate
The states are logic structures....
Seq algorithms
Seq-time algorithms with bounded-work steps.
How to measure work?
Definition
A sequential algorithm is any entity that satisfies the three postulates:
sequential time,
abstract state,
bounded exploration.
Euclid’s algorithm
  if b = 0 then d := a
  else
    [do in-parallel]
    a := b
    b := a mod b
Seq Characterization Theorem
For every sequential algorithm A, there exists a behaviorally equivalent sequential ASM.
Ref. #141 at the speaker’s website
Parallel algorithms
Example: slicing a dag
[Figure: a dag whose vertices are labelled 0 to 9]
Slicing a Dag in AsmL
  forall v in V
    if forall u in V holds (u,v) in E implies u in X
    then add v to X
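As an added illustration (not code from the slides or from the AsmL tools), the following Python models the ASM step semantics behind both Euclid's algorithm and the slicing rule above: a step first collects its whole update set from the old state and then applies it atomically, which is what makes a := b and b := a mod b a simultaneous assignment, and what lets the forall admit a whole slice of the dag in one step. The representation of X as one boolean location per vertex and the sample dag in the usage are my constructions.

```python
from typing import Callable, Dict, Hashable, List, Set, Tuple

State = Dict[Hashable, object]    # ASM state: location -> value
Update = Tuple[Hashable, object]  # one update: (location, new value)

def run_step(state: State, rule: Callable[[State], Set[Update]]) -> bool:
    # One ASM step: compute the whole update set from the OLD state, check it
    # is consistent, then apply it atomically.  Returns False once a step
    # changes nothing, i.e. the machine has reached a fixpoint.
    merged: Dict[Hashable, object] = {}
    for loc, val in rule(state):
        if loc in merged and merged[loc] != val:   # two parallel writes disagree
            raise ValueError(f"inconsistent updates to location {loc!r}")
        merged[loc] = val
    changed = any(state.get(loc, object()) != val for loc, val in merged.items())
    state.update(merged)
    return changed

def euclid_rule(s: State) -> Set[Update]:
    # if b = 0 then d := a else do in-parallel a := b, b := a mod b
    if s["b"] == 0:
        return {("d", s["a"])}
    return {("a", s["b"]), ("b", s["a"] % s["b"])}  # both read the old a and b

def euclid(a: int, b: int) -> int:
    s: State = {"a": a, "b": b}
    while run_step(s, euclid_rule):
        pass
    return s["d"]

def slicing_rule(V, E):
    # forall v in V: if (forall u: (u,v) in E implies u in X) then add v to X.
    # Each vertex's membership in X is its own location (assumed encoding), so
    # the forall yields one non-conflicting update per newly admitted vertex.
    def rule(s: State) -> Set[Update]:
        def in_X(v): return bool(s.get(("X", v), False))
        return {(("X", v), True) for v in V
                if not in_X(v) and all(in_X(u) for (u, w) in E if w == v)}
    return rule

def slice_dag(V, E) -> List[List[int]]:
    # Run the parallel rule to fixpoint; slice i holds the vertices admitted
    # by step i.  Vertices on a cycle are never admitted and stay outside X.
    s: State = {}
    slices: List[List[int]] = []
    while True:
        before = {v for v in V if s.get(("X", v))}
        if not run_step(s, slicing_rule(V, E)):
            return slices
        slices.append(sorted(v for v in V if s.get(("X", v)) and v not in before))
```

For the constructed dag with edges 0,1 -> 2 -> 3 -> 5 and 1 -> 4 -> 5, slice_dag returns [[0, 1], [2, 4], [3], [5]], one slice per parallel step; a cyclic graph reaches a fixpoint with the cycle left outside X.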
Par Characterization Thm
Analysis
Theorem: For every parallel algorithm A, there is a behaviorally equivalent parallel ASM.
Ref. #157
Intra-step interaction
New object creation, choice, remote procedure calls, messages
The characterization theorems
Ref: #166, 170, 171, and forthcoming, by Andreas Blass, YG, Dean Rosenzweig and Benjamin Rossman
Distributed algorithms
Distributed ASMs were defined long ago, and most ASM applications, at least at Microsoft, are distributed, but the axiomatization problem is still open.
Executable specifications
In-place one-swap-a-time sorting
  var A as Seq of Integer = [3,1,2]

  Swap()
    choose i,j in Indices(A) where i<j and A(i)>A(j)
      A(i) := A(j)
      A(j) := A(i)

  Sort()
    step until fixpoint
      Swap()

[Diagram of states reached by Sort():]
A = [2,3,1]
A = [1,3,2]
A = [1,2,3]
A = [2,1,3]
Nondeterminism
Parallelism
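An added example, not from the slides: an exhaustive exploration in Python of the nondeterministic one-swap sort. choose is modelled by branching over every (i,j) that satisfies the where-clause, and step until fixpoint by following each branch until no swap is enabled; the two parallel updates inside Swap() read the old values, so they exchange A(i) and A(j). Representing A as a tuple is my choice.

```python
from collections import deque
from typing import Dict, Set, Tuple

State = Tuple[int, ...]   # the sequence A as an immutable tuple

def swap_successors(a: State) -> Set[State]:
    # Every state one Swap() step can produce.  'choose i,j in Indices(A)
    # where i<j and A(i)>A(j)' is modelled by branching over all such pairs;
    # inside a step both updates read the old values, so A(i) := A(j) and
    # A(j) := A(i) really exchange the two entries.
    succ: Set[State] = set()
    for i in range(len(a)):
        for j in range(i + 1, len(a)):
            if a[i] > a[j]:
                b = list(a)
                b[i], b[j] = a[j], a[i]
                succ.add(tuple(b))
    return succ

def explore(start: State) -> Tuple[Set[State], Set[State]]:
    # Breadth-first search over all runs of 'step until fixpoint Swap()'.
    # Returns (all reachable states, the fixpoints where no swap is enabled).
    seen, fixpoints, queue = {start}, set(), deque([start])
    while queue:
        s = queue.popleft()
        nxt = swap_successors(s)
        if not nxt:
            fixpoints.add(s)
        for t in nxt - seen:
            seen.add(t)
            queue.append(t)
    return seen, fixpoints

def run_lengths(start: State) -> Tuple[int, int]:
    # Fewest and most Swap() steps any run from start takes to reach a
    # fixpoint.  Each swap removes at least one inversion, so the state
    # graph is acyclic and the recursion terminates.
    memo: Dict[State, Tuple[int, int]] = {}
    def lengths(s: State) -> Tuple[int, int]:
        if s not in memo:
            nxt = swap_successors(s)
            if not nxt:
                memo[s] = (0, 0)
            else:
                sub = [lengths(t) for t in nxt]
                memo[s] = (1 + min(lo for lo, _ in sub), 1 + max(hi for _, hi in sub))
        return memo[s]
    return lengths(start)
```

From [3,1,2] the only fixpoint is [1,2,3] and both runs take two steps; from [3,2,1] all six permutations are reachable and runs take between one and three steps, so the nondeterminism affects the path, not the result.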
Our Languages
AsmL and C#
http://research.microsoft.com/fse/asml
Math, e.g. set comprehension: {x² | x ∊ {1,..,10} where x = 0 mod 2}
Transactions, nondeterminism
OO, interoperability via .NET
Literate programming via Word, automated programming via XML
Topological Sorting
  step while ToSet(S) ne V
    let X = V - ToSet(S)
    if X <> {} then
      S := S + [(any v | v in X where not(exists u in X where (u,v) in E))]
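An added Python rendering, not from the slides or the AsmL project, of the topological sorting spec above: any becomes a pluggable pick policy for one run, and all_orders enumerates every resolution of any, i.e. every sequence the spec admits. The cycle check is an assumption the slide leaves implicit (on a cycle any would range over an empty set); the sample dag in the usage is constructed.

```python
from typing import Callable, FrozenSet, Iterable, List, Set, Tuple

def topsort(V: Set[int], E: Set[Tuple[int, int]],
            pick: Callable[[List[int]], int] = min) -> List[int]:
    # step while ToSet(S) ne V: let X = V - ToSet(S); append (any v | v in X
    # where no u in X has (u,v) in E).  'any' is a nondeterministic choice;
    # 'pick' fixes one policy so a single run is reproducible.
    S: List[int] = []
    while set(S) != V:
        X = V - set(S)
        candidates = sorted(v for v in X if not any((u, v) in E for u in X))
        if not candidates:      # only happens on a cycle: 'any' over the empty set
            raise ValueError(f"no minimal vertex among {sorted(X)}; graph has a cycle")
        S = S + [pick(candidates)]
    return S

def all_orders(V, E) -> FrozenSet[Tuple[int, ...]]:
    # Every sequence S some run of the spec can produce, i.e. every way of
    # resolving 'any' at every step (all linear extensions of the dag).
    def extend(S: Tuple[int, ...]) -> Set[Tuple[int, ...]]:
        X = V - set(S)
        if not X:
            return {S}
        out: Set[Tuple[int, ...]] = set()
        for v in X:
            if not any((u, v) in E for u in X):
                out |= extend(S + (v,))
        return out
    return frozenset(extend(()))

def is_topological(order: Iterable[int], E) -> bool:
    # Check: every edge (u,v) has u placed before v.
    pos = {v: i for i, v in enumerate(order)}
    return all(pos[u] < pos[v] for (u, v) in E)
```

For the constructed dag with edges 0,1 -> 2 -> 3 -> 5 and 1 -> 4 -> 5, all_orders yields the 7 admissible sequences, every one of which passes is_topological, while topsort with pick=min and pick=max produces two of them.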
Our Tools
Software development process
[Diagram; axes: Time and Abstraction. Roles: Dev, Arch/PM/Lead, Test. Activities: System Design, Class Design, Coding; System Test, Unit Test. Tools: Specs with Parameterized Unit Tests, Specs with Spec Explorer, Coding with Spec#. Current Projects.]
Validating the spec
Human comprehension
Playing scenarios
Deriving an FSM and then testing (including model checking) it
Enforcing the spec
In the deterministic case, generate a test suite with results, and run the suite on various implementations.
Execute the model and the implementation in lock step.
Play to test