The ASM Method: a Cornerstone in Computer Science Education

The versatility and wide applicability of the Abstract State Machines Method for the design and the analysis of computational systems has not yet been fully exploited for teaching. We suggest to use it for introducing basic algorithmic concepts in a succinct and uniform way, which makes the definitions adoptable in traditionally unrelated courses, covering the full range of computing science curricula from computation theory to the engineering of software systems. Through 15 years of successful applications of the Abstract State Machines method for highlevel system design and analysis, ASMs became visible in practically every branch of the science of computing and found their way into industrial practice. The same cannot be said for the role ASMs play in the current practice of teaching, although they provide a simple foundation for the notions of pseudo-code and of virtual machines which pervade current curricula. 1 Reasons for the success of the ASM Method To understand this gap let us step back and look for the reason of the success of the wide-spectrum ASM method, which has been developed in the 90’ies on the basis of the notion of ASMs through the work of numerous researchers who formed the still growing ASM community (see the ASM web site [43] and the annotated ASM bibliography in the AsmBook [20]). The method starts with the mathematical definition of the concept of ASMs discovered by Gurevich in [39] and exploits its versatility in two directions, namely through the following two activities: construction of faithful models (so-called ASM ground models), formulated in terms of a given type of application or domain of discourse, transforming models in a mathematically controllable way by further detailing, leading through a sequence of so-called ASM refinement steps from ground models to machine code. Construction of faithful models is supported by the possibility to fine-tune ASMs to express intuitive ideas about specific algorithmic processes or systems directly. 15 years of modeling experience with ASMs show that one can faithfully and rigorously capture one’s algorithmic ideas by ‘tailoring’ their ASM descriptions in terms of the investigated application domain (universe of discourse), ‘at the given level of abstraction’, avoiding any deviation from the problem analysis which could result from an encoding into a priori determined structures (of data and operations). This versatility of ASMs constitutes the content of Gurevich’s ASM Thesis—formulated for the first time in [38], ten years before the definition of ASMs in [39]—and of the convincing epistemological analysis of this thesis provided 15 years later for the sequential case [40]. The practical exploitation of this adaptability of the language of ASMs— to describe the mathematical algorithmic content underlying real-life phenomena by a rigorous dynamic model, which provides the basis for a rational justification of its ‘correctness’ with respect to the original intentions—led me at the beginning of the 90’ies to the formulation of the ground model concept [9,11]. ASM 1 I do not include here the analysis of the concept of bounded synchronous parallelism in [8] because of some reservation about the ‘naturalness’ of the concepts brought forward through that investigation; see the discussion in [14, Sect.1]. ground models constitute a mathematical form of accurate high-level system blueprints, which play a central role in requirements engineering, software contract formulations, standardization efforts and the correctness analysis for complex algorithms, protocols and processes in various domains: technical (device or plant) control, administrative, economical (business processes or web services [57,31,32,33,29]), medical, biological, etc. The wide range of processes one can capture with ASM ground models is well illustrated also in these Proceedings where the use of ASMs is reported to model such different things as urban crime patterns [23], fault and event handlers in web services [30,7], data warehouses [53], an interpreter for the extension C#2.0 of C# [44], the runtime environment CLR for executing .NET applications [37], security protocols [41], GUIs [48] and object-oriented programming design patterns [15]. Mathematically controllable model transformations leading from ground models to machine code are supported by the comprehensive mathematical ASM refinement notion, to whose definition I was led again by practical concerns and experience [9,12], generalizing the great variety of refinement definitions in the literature. The definition of ASM refinement puts the abstraction potential of ASMs to use for a combination of static data refinement and dynamic action refinement in a coherent framework, which supports the piecemeal introduction and documentation of relevant design decisions in such a way that even for complex real-life systems, their mathematical verification and experimental validation can be achieved. The arguably most general ASM refinement definition supports as special case also the incremental program development and verification endeavor, which has been advocated in the structural programming program [58,28,25] and has been studied intensively in numerous algebraic, set-theoretic and logical specification and verification approaches [59,6,26,34,27]. The ASM refinement notion also generalizes the standard paradigm of implementing abstract methods (interfaces) by (sub)classes, as used in particular in object-oriented programming (see the discussion of some typical object-oriented design patterns in [15]). The success of the ASM method is due to the possibility of systematically exploiting ASMs in those two directions. In system development applications it allows one to link the typically notcomputer-centric application-domain-view of a system, determined by objects and concepts related to the real world surrounding the to-be-constructed or to-be-analyzed system, in a coherent and mathematically checkable way to the implementation view of the finished computer-based system. In design and analysis of algorithms it allows one to split the verification of properties into two usually simpler tasks: a) the proof of the properties from some axioms for an abstract model, b) a proof that the refinement of the abstract model satisfies the axioms. 2 Transfer of the ASM method to teaching The double use of ASMs analyzed above, as ground models and as refinements of abstract models, is what can be exploited with advantage also for teaching computing science subjects. Lecturers have to teach in one way or the other both of those two activities involved in algorithm and system design and analysis. This holds even in the traditional view, shared by many practitioners, where besides the requirements there is nothing else than their implementations; in fact a) incomplete or not sufficiently precise requirements documents have to be turned anyway into some rigorous form (read: a ground model), whether right from the beginning or piecemeal during the coding work, and b) every implementation is a special case of refinement, namely of the requirements into code (read: a target programmming language model). One can exploit ASMs and their refinements as a once-explained, simple and uniform concept of a computational system and of its piecemeal definition by successive detailing (in a full system development cycle this also covers later extensions), in courses whose themes range from purely theoretical issues—e.g. classical computation and complexity theory—over algorithms, protocols, specification and programming concepts to requirements capture and high-level hw/sw system design and analysis. First of all this helps to not repeat again and again, in varying notations, the same fundamental computational concepts. For example, standard textbooks on the theory of computation define the 2 See Schellhorn’s detailed technical analysis in [50,51,52].