Generating FSMs from Abstract State Machines

1

Generating FSMs from Abstract State Machines

Wolfgang GrieskampYuri Gurevich

Wolfram SchulteMargus Veanes

Foundations of Software EngineeringMicrosoft Research

ISSTA 2002, Rome, July 22-24

2

Outline

Background What is an ASM? Why use ASMs? Modeling with ASMs

Conformance Testing with ASMs FSM Generation Exploration of the FSM Test Execution

Demo

3

Abstract State Machines

Introduced by Yuri Gurevich

Deep mathematical theory

World wide user community (academia + industry)

The Idea:

• A machine that describes a system on any (but particular) level of abstraction

• An operational specification of a system• A very high-level program

4

A Sample ASM

var A as Seq of Integer

Swap()choose i,j in indices(A) where i<j and A(i)>A(j) A(i) := A(j) A(j) := A(i)

Sort() step until fixpoint Swap()

A = [2,3,1]

A = [1,3,2]

A = [1,2,3]

A = [2,1,3]

Nondeterminsm

Parallelism

5

ASMs are evolving structures

An ASM is a mathematical machine that represents a system as evolving state

A state is given by the current values of the variables

A step is a transaction (synchronous parallelism) that may update many variables at once

In the sequential case, a program describes one step, a run is a sequence of consecutive steps.

In the distributed case, each agent has a program, a distributed run is a partial order of agents’ steps (asynchronous parallelism)

6

Why is software error-prone?

Some reasons: Premature coding Lack of confidence in descriptions Late feedback from customer Unforeseen feature interaction Lack of understanding in maintenance phase

7

Models solve these problems

Engineering models help you to gain confidence in requirements and designs. Examples: Architectural, Mechanical, Electrical, etc.

Software models help you understand the behavior of each level of abstraction, examples are: Steps required to carry out the system’s user scenarios How features/components interact with each other The behavior of subsystems like file storage and messaging

8

Models can be used everywhere

Modeling

Validation

Refinement Verification

ASMModel

Implementation

C/C++/C#/…

Product Idea

Are you building the product right ?

Are you building the right product?

What product are you building?

9

AsmL: A modeling toolkit

AsmL is a powerful, ASM-based specification language

Combines mathematical, object-oriented and component-oriented approaches Fully integrated with the .Net framework

Can be used for documentation Integrated with MS Word and XML

Can be used for testing Ongoing Integration with existing testing tools

10

A guideline for AsmL users

1. Begin building a model by considering its purpose; this guides abstraction decisions during development

1. Define model state2. Define model transitions

2. Validate the model early and often to increase confidence that the model is faithful.

Check internal consistency Check against customer expectations

11

Outline

Background What is an ASM? Why use ASMs? Modeling with ASMs

Conformance Testing with ASMs FSM Generation Exploration of the FSM Test Execution

Demo

12

Using AsmL models for conformance testing

ASM-Model

Implementation

Test OracleTest Cases

Are run by Providesactual results for

PassNo pass

Provides expected results for

Generates

UserInfo

13

AsmL Model M

The dual role of ASM models

Test cases

Random generation

Reduce

FSMtool

IUTCall next action

Get state

AsmL Model M

Testing harness

Is Svalid according

to M?

Fail: witness

Pass Sview

view

view

FSM

14

FSM Generation

Typically ASMs have infinite state space We introduce indistinguishability properties to

group states into equivalence classes called hyperstates The non-discovery problem

The problem of reaching all hyperstates is in general undecidable

Improvement relations provide a partial solution to this problem A way to encode domain specific search strategies

15

FSM generation sample

Generate an FSM from the stack specification.

class Stackvar s as Seq of Integer = []

Top() as Integer require s <> [] return first(stack)

Pop() require s <> [] stack := rest(stack)

Push(x as Integer) s := [x] + s

Indistinguishability property: s=[]

16

The FSM construction

[]

[0]

Push(0)

[]

Pop()Push(0)

[0,0] [0,0]

Top()

The tree can be pruned,if a hyperstate is reachedthat has “already” been visited

[]

[0,..]

Push(0)

Push(0) Pop

Top

The generated FSM

Pop()

17

The algorithm

generate() step s = head(frontier) frontier := tail(frontier) step foreach a in Actions nextStates = explore Fire(s,a) step foreach t in nextStates transitions(s,a,t) := true if relevant(s,a,t) then frontier := frontier + [t] hypers := hypers union {GetHyperstate(t)}

18

Improvement relations

relevant(s as State, a as Action, t as State) as Boolean forall g in goals where improved(bestState(g),t,g) bestState(g) := t return (h.GetHyperstate(t) notin hypers) or (exists g in h.goals() where h.improved(bestState(g),t,g))

19

Outline

Background What is an ASM? Why use ASMs? Modeling with ASMs

Conformance Testing with ASMs FSM Generation Exploration of the FSM Test Execution

Demo

20

Demo

“Run” the paper

21

Current Work

Generalized properties (non-Boolean finite valued properties)

Parameter generation for actions with parameters

.Net attribute scheme design for annotating the model with test related meta information

22

For more information

Check out the public website of AsmL: research.microsoft.com/fse/asml You can download AsmL 2

You need VS.NET You need Office XP for Word integration