6ee573207dde684ded69caf54e77c076.ppt
- Number of slides: 31
Executable Specifications: Foundations MS Tools Yuri Gurevich Microsoft Research
Agenda: A short version of the talk; A piece of theory; Executable specifications; Our languages; Our tools 2
The Short Version 3
Genesis This project started about 20 years ago when this logician moved to computer science. What is CS about? While it is about many things, the central role is played by algorithms (in a broad sense of the term). Operating systems, programming languages, compilers, etc. are all algorithms. 4
Key Question What’s an algorithm? The Turing machine is not adequate anymore. What is, if anything? 5
The Proposed Solution A long analysis led to abstract state machines and the ASM thesis: For every algorithm there is a behaviorally identical ASM. 6
Experimental Confirmation By the thesis, ASMs are fit to model and specify algorithms. Many applications have been found, in academia and industry. In the process, experimental confirmation of the thesis accumulates. 7
The group on Foundations of Software Engineering at MSR: Wolfram Schulte, Margus Veanes, Colin Campbell, Lev Nachmanson, Mike Barnett, Wolfgang Grieskamp, Nikolai Tillman 8
Behavioral theory of computation Increasing parts of the ASM thesis are proven from first principles. In the process, axiomatic definitions of sequential, parallel, etc. algorithms emerge. 9
A piece of theory 10
Sequential Time Postulate Any algorithm determines: the set of states, the subset of initial states, the transition function. Def. Two seq-time algorithms are behaviorally equivalent if they have the same states, initial states and transition function. 11
What are states of an algorithm? What are states of, say, a C program? Transparent (or explicit, or honest) states 12
Abstract State Postulate The states are logic structures. 13
Seq algorithms Seq-time algorithms with bounded-work steps. How to measure work? 14
Definition A sequential algorithm is any entity that satisfies the three postulates: sequential time, abstract state, bounded-exploration. 15
Euclid's algorithm
if b = 0 then d := a
else [do in-parallel]
  a := b
  b := a mod b
16
Seq Characterization Theorem For every sequential algorithm A, there exists a behaviorally equivalent sequential ASM. Ref. #141 at the speaker’s website 17
Parallel algorithms Example: slicing a dag (figure: a dag with numbered nodes) 18
Slicing a dag in AsmL
forall v in V
  if forall u in V holds (u, v) in E implies u in X then
    add v to X
19
Par Characterization Thm Analysis Theorem: For every parallel algorithm A, there is a behaviorally equivalent parallel ASM. Ref. #157 20
Intra-step interaction New object creation, choice, remote procedure calls, messages The characterization theorems Ref: #166, 170, 171, and forthcoming by Andreas Blass, YG, Dean Rosenzweig and Benjamin Rossman 21
Distributed algorithms Distributed ASMs were defined long ago, and most ASM applications, at least at Microsoft, are distributed, but the axiomatization problem is still open. 22
Executable specifications 23
In-place one-swap-a-time sorting
var A as Seq of Integer = [3, 1, 2]
Nondeterminism:
Swap()
  choose i, j in Indices(A) where i<j and A(i)>A(j)
    A(i) := A(j)
    A(j) := A(i)
A = [2, 3, 1]   A = [1, 3, 2]   A = [2, 1, 3]
Parallelism:
Sort()
  step until fixpoint
    Swap()
A = [1, 2, 3]
24
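To show how an executable specification like Sort() can be validated by deriving its finite state machine (the "Validating the spec" slide), here is an added example, not code from the slides or from AsmL: it simulates the AsmL one-swap-a-time sort with ASM semantics (simultaneous updates within a step) in Python, enumerates every branch of the nondeterministic choose, and checks that all runs end in the sorted sequence. The function names are this example's own.

```python
# Added example (not from the slides): simulate the AsmL one-swap-a-time
# sort with ASM semantics and enumerate every nondeterministic run.
from itertools import combinations

def swap_candidates(A):
    """All (i, j) the AsmL 'choose' could pick: i < j and A(i) > A(j)."""
    return [(i, j) for i, j in combinations(range(len(A)), 2) if A[i] > A[j]]

def swap(A, i, j):
    """One Swap() step. ASM updates within a step are simultaneous, so
    both assignments read the old state and no temporary is needed."""
    new = list(A)
    new[i], new[j] = A[j], A[i]
    return tuple(new)

def explore(A):
    """Derive the FSM of Sort(): states are sequences, edges are Swap()
    steps, and a state with no candidate pair is a fixpoint."""
    start = tuple(A)
    states, edges, fixpoints, todo = {start}, {}, set(), [start]
    while todo:
        s = todo.pop()
        succ = [swap(s, i, j) for i, j in swap_candidates(s)]
        edges[s] = succ
        if not succ:
            fixpoints.add(s)
        for t in succ:
            if t not in states:
                states.add(t)
                todo.append(t)
    return states, edges, fixpoints

def has_cycle(edges):
    """A cycle would mean some run never reaches a fixpoint."""
    color = {}  # 0/absent = unvisited, 1 = on the DFS stack, 2 = done
    def dfs(s):
        color[s] = 1
        for t in edges[s]:
            c = color.get(t, 0)
            if c == 1 or (c == 0 and dfs(t)):
                return True
        color[s] = 2
        return False
    return any(color.get(s, 0) == 0 and dfs(s) for s in edges)

def check_sort_spec(A):
    """Validate the spec: every run terminates and every fixpoint is the
    sorted sequence. Returns (ok, number of reachable states)."""
    states, edges, fixpoints = explore(A)
    ok = not has_cycle(edges) and fixpoints == {tuple(sorted(A))}
    return ok, len(states)
```

For the slide's input [3, 1, 2] the derived machine has four states and a single fixpoint [1, 2, 3], whichever pair the choose picks.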
Our Languages 25
AsmL and C# http://research.microsoft.com/fse/asml Math, e.g. set comprehension {x² | x ∊ {1, .., 10} where x = 0 mod 2} Transactions, nondeterminism OO, interoperability via .NET Literate programming via Word, automated programming via XML 26
Topological Sorting
step while ToSet(S) ne V
  let X = V - ToSet(S)
  if X <> {} then
    S := S + [(any v | v in X where not(exists u in X where (u, v) in E))]
27
Our Tools 28
Software development process (diagram: current projects placed on axes Abstraction vs. Time) Phases: System Design (Arch/PM/Lead), Class Design, Coding (Dev). Specs: System Test Specs, Test Specs, Unit Test Specs. Projects: Spec Explorer, Parameterized Unit Tests, Spec# 29
Validating the spec Human comprehension Playing scenarios Deriving an FSM and then testing it (including model checking) 30
Enforcing the spec In the deterministic case, generate a test suite with results, and run the suite on various implementations. Execute the model and implementation in lock step. Play to test 31