Abstract State Machine Tutorial
The method built around the notion of Abstract State Machine (ASM) has proved to be a scientifically well-founded and industrially viable method for the design and analysis of complex systems, and has been applied successfully to programming languages, protocols, embedded systems, architectures, requirements engineering, etc. The analysis covers both verification and validation, using mathematical reasoning (possibly theorem-prover-verified or model-checked) or experimental simulation (by running the executable models). The tutorial, presented by Egon Börger, starts from scratch by introducing the definition and simple examples of ASMs. Their major scientific and industrial applications are surveyed, covering the period from 1990 to 2000. Then an outstanding case study is presented, namely the ASM Definition and Analysis (Verification and Validation) of Java and the Java Virtual Machine (book by Robert Stärk, Joachim Schmid, and Egon Börger). The tutorial concludes with an introduction, presented by Joachim Schmid, to AsmGofer, an ASM programming system that makes ASM models executable by programming the external functions in Haskell. The AsmGofer introduction includes a demo of the executable versions of the Java/JVM ASM models.
What are Abstract State Machines
The advances in the theory, the tool development, and the progressive industrial employment of Abstract State Machines (ASMs) in the 1990s have turned ASMs into a practical technique for disciplined, rigorous system engineering in the large. See www.eecs.umich.edu/gasm for the hundreds of papers published on ASMs and their applications, covering high-level design and analysis of real-life programming languages and their implementations on virtual or real machines (e.g. Java/JVM, C, VHDL, SDL), of protocols (e.g. Kermit, Kerberos), embedded system control programs, architectures (RISC processors, PVM, APE, ASIC components), requirements capture, etc.
Although the definition of ASMs is surprisingly simple (see below), Abstract State Machines offer a number of theoretically well-founded and industrially useful methods that support the entire software development cycle. These include rigorous modelling and analysis methods (both mathematical verification and experimental validation) for
(i) the requirements, during the early phases of software development, supporting their elicitation, specification, inspection, and testing through so-called ground models, and
(ii) the refinement of the high level models, through a design process which reliably connects the requirements to the code, supporting a practical documentation discipline for code maintenance and reuse.
The operational and abstract character of ASMs
· makes the faithfulness of the definitions with respect to the design intentions checkable by direct inspection (falsifiable in the Popperian sense),
· supports, by stepwise refinements, linking the high-level definition in a transparent way to its implementation, where each refinement step reflects design decisions one wants to have documented for future reference (reuse, maintenance),
· provides a convenient basis for turning the abstract definitions into executable models which can be used for validation and experiments,
· simplifies the (mathematical or machine-checked) justification of the correctness of the design, offering a rigorous framework for the analysis of run-time properties at the appropriate level of abstraction.
For a non-technical introduction explaining the ASM method, surveying its major applications prior to 1999, and comparing it to other major modelling approaches in the literature, see High Level System Design and Analysis using Abstract State Machines (available in .ps and .pdf format, with abstract).
Definition of Abstract State Machines (Yuri Gurevich 1988)
A sequential ASM is defined as a set of transition rules of the form
if Condition then Updates
which transform first-order structures (the states of the machine), where the guard Condition, which has to be satisfied for a rule to be applicable, is a variable-free first-order formula, and Updates is a finite set of function updates (containing only variable-free terms) of the form
f (t1,...,tn) := t
The execution of these rules is understood as updating, in the given state and in the indicated way, the value of the function f at the indicated parameters, leaving everything else unchanged. (This proviso avoids the frame problem of declarative approaches.) In every state, all the rules which are applicable are simultaneously applied to produce the next state, provided the resulting set of updates is consistent, i.e. no two updates assign different values to the same location f(t1,...,tn); the guards and the terms t1,...,tn, t are all evaluated in the current state, so the rules fired in one step cannot observe each other's updates. If desired or useful, declarative features can be built into an ASM by integrity constraints and by assumptions on the state, on the environment, and on the applicability of rules.
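The following interpreter is an added example, not part of the tutorial page or of AsmGofer, that implements the sequential ASM semantics just defined: a state is a finite map from locations (a dynamic function name together with its evaluated argument tuple) to values, every rule whose guard holds in the current state contributes its function updates to one update set, that set is checked for consistency, and only the updated locations change (the frame proviso). The rule representation (`Rule`, `loc`, `step`, `run`) and the three sample machines (a swap, a guarded copy loop over an n-ary function, and a deliberately conflicting pair of rules) are assumptions chosen for illustration.

```python
# Added example (not from the tutorial page): a minimal interpreter for
# sequential ASMs. Locations, rules and the sample machines are illustrative.
from typing import Callable, Dict, Hashable, List, Tuple

Location = Tuple[str, Tuple[Hashable, ...]]   # f together with evaluated (t1,...,tn)
State = Dict[Location, Hashable]               # finite part of a first-order structure
Update = Tuple[Location, Hashable]             # f(t1,...,tn) := t, fully evaluated


class InconsistentUpdateSet(Exception):
    """Two applicable rules tried to write different values to one location."""


class Rule:
    """if guard(state) then updates(state): guard and terms read the current state only."""

    def __init__(self, name: str, guard: Callable[[State], bool],
                 updates: Callable[[State], List[Update]]) -> None:
        self.name, self.guard, self.updates = name, guard, updates


def loc(f: str, *args: Hashable) -> Location:
    """Build the location f(args); a 0-ary f is just a variable."""
    return (f, tuple(args))


def step(state: State, rules: List[Rule]) -> State:
    """One ASM step: fire every applicable rule simultaneously."""
    update_set: Dict[Location, Hashable] = {}
    for rule in rules:
        if rule.guard(state):
            for location, value in rule.updates(state):
                # Identical updates to one location are fine; differing ones are not.
                if location in update_set and update_set[location] != value:
                    raise InconsistentUpdateSet(
                        f"{rule.name}: {location} := {value!r} conflicts with "
                        f"{update_set[location]!r}")
                update_set[location] = value
    # Frame proviso: every location not in the update set keeps its value.
    next_state = dict(state)
    next_state.update(update_set)
    return next_state


def run(state: State, rules: List[Rule], max_steps: int = 1000) -> List[State]:
    """Run (sequence of states) until a step changes nothing, or max_steps."""
    trace = [state]
    for _ in range(max_steps):
        nxt = step(trace[-1], rules)
        if nxt == trace[-1]:
            break
        trace.append(nxt)
    return trace


# Sample machine 1: both rules read x and y in the old state, so the pair is
# swapped in a single step with no temporary location.
SWAP_RULES = [
    Rule("swap_x", lambda s: s[loc("mode")] == "swap",
         lambda s: [(loc("x"), s[loc("y")])]),
    Rule("swap_y", lambda s: s[loc("mode")] == "swap",
         lambda s: [(loc("y"), s[loc("x")]), (loc("mode"), "done")]),
]


def demo_swap() -> Tuple[Hashable, Hashable, int]:
    """Return final x, final y and the length of the run (initial state included)."""
    s0: State = {loc("x"): 1, loc("y"): 2, loc("mode"): "swap"}
    trace = run(s0, SWAP_RULES)
    return trace[-1][loc("x")], trace[-1][loc("y")], len(trace)


# Sample machine 2: an n-ary dynamic function out(i) and a guarded loop; the
# rule fires once per step while i < n and is inapplicable afterwards.
COPY_RULES = [
    Rule("copy", lambda s: s[loc("i")] < s[loc("n")],
         lambda s: [(loc("out", s[loc("i")]), s[loc("buf", s[loc("i")])]),
                    (loc("i"), s[loc("i")] + 1)]),
]


def demo_copy(values: List[Hashable]) -> Tuple[List[Hashable], int]:
    """Copy buf(0..n-1) into out(0..n-1); return the copy and the steps taken."""
    s0: State = {loc("i"): 0, loc("n"): len(values)}
    for k, v in enumerate(values):
        s0[loc("buf", k)] = v
    trace = run(s0, COPY_RULES)
    copied = [trace[-1][loc("out", k)] for k in range(len(values))]
    return copied, len(trace) - 1


def demo_conflict() -> bool:
    """Two applicable rules write different values to x: the step is rejected."""
    rules = [Rule("a", lambda s: True, lambda s: [(loc("x"), 1)]),
             Rule("b", lambda s: True, lambda s: [(loc("x"), 2)])]
    try:
        step({loc("x"): 0}, rules)
    except InconsistentUpdateSet:
        return True
    return False


if __name__ == "__main__":
    print(demo_swap(), demo_copy(["a", "b", "c"]), demo_conflict())
```

The swap machine is the standard illustration of the synchronous-parallel reading of a rule set: because `x := y` and `y := x` are evaluated against the same state, neither sees the other's effect, which is exactly what a sequential programming reading would get wrong. The conflict demo shows that an inconsistent update set is not silently resolved by rule order; the interpreter refuses the step, which is the behaviour a verifier or model checker relies on when reasoning about run-time properties of the model.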
For distributed ASMs, the notion of run, which is defined for sequential systems as a sequence of computation steps of a