microsoft research, foundations of software engineeringw. grieskamp et. al: behavioral compositions...

Microsoft Research, Foundations of Software Engineering W. Grieskamp et. al: Behavioral Compositions in Symbolic Domains

Behavioral Composition in Symbolic Domains

Wolfgang GrieskampNicolas KicillofColin Campbell

Foundations of Software EngineeringMicrosoft Research, Redmond

10/2/2005 @ AOM 2005


Model-based testing at Microsoft

• Success story– approx. 1k users and growing

• Smart testers like modeling– Backdoor entry

• Models given as– Plain state machines – Model programs (abstract state machines)


Model-based testing with Spec Explorer

Spec Explorer [ISSTA02, FATES03, QSIC03, ISSTA04, FATES05, FSE05,…] supports analysis and conformance testing of concurrent systems with model programs

Model Program

State Graph

Test cases

Pass/Fail

Implementation

Exploration & Scenario control

Modeling (in Spec# or AsmL)

Test Generation

Test Execution Coding


Users want more!

• Notational diversity– Models in state-based and interaction-based paradigms– Models as diagrams and in textual notations

• Compositionality– Combining feature models – Merging aspect models (like test purpose)

• Analyzability– Property checking– Refinement checking– Doing this independently or in composition


Addressing the requirements: Action Machines

• Language-agnostic representation of behavior– Represent various modeling styles (state-based,

scenario-based) as well as programs uniformly

• Allow for many composition types– Product, alternating simulation, substitution, etc.

• Incorporate symbolic state and computation– Allow for partial, aspect-oriented models – Allow to close environment symbolically (e.g.

parameters to method calls)


Example of basic action machines: Abstract State Machines

• Methods describe state transitions (Spec Explorer methodology)

• State can be symbolic • Parameters of method invocations can be symbolic

S0

int count;

[Action]bool Add(int x){ requires x >= 0; if (x < 10){ count += x; return true; } else return false;}

S1 S2

0 >= u & u < 10:Add(u)/true

0 >= u & !(u < 10):Add(u)/false

count := v

count:=v+u count:=v


Example of basic action machines:Scenario machines

• Control-flow oriented description of behavior• Invocations to designated actions “abstracted”• Can use symbolic parameters, choices

S0[Action] Client.Enter();[Action] Client.Send(object msg);[Action] Client.Recv(object msg);

[Scenario] void S(){ Client c = Any<Client>; c.Enter(); while (Any<bool>) c.Send(Any<object>); while (Any<bool>) Any<Client>.Recv(Any<object>);}

S1

v.Enter()

v.Send(_)

S2

_.Recv(_)

_.Recv(_)


Compound Action Machines:Product

• Contains steps both machines can do• Unification of symbolic state part• Can be used for

– Scenario control (restrict behavior)– Property checking (one machine is the “anti-machine” and the

product is empty if the property holds)

A(v) B()

v > 0

A(u) C()

u <= 1

X =A(1)

u = vv > 0u <= 1


More composition operators

• Process algebra– Product, interleaving, renaming (translation)

• Temporal logics and regular expressions– Sequencing, repetition, joker, …

• Refinement– Alternating simulation (conformance notion of

Spec Explorer)

• AOM– Substitution


Conclusion• Notation independence achieved

– We plan to combine action machines with VS DSL tools/software factories

• Model-checking and model-based testing possible – benefiting from strict semantics

• No difference between a “main” model and an “aspect” model– the later is just more partial

• Symbolic state exploration is key technology– helps us to naturally describe and analyze partial models

and model compositions

microsoft research, foundations of software engineeringw. grieskamp et. al: behavioral compositions...

Documents