  • Dipartimento di Informatica, Università di Pisa, Largo Bruno Pontecorvo, n. 3, I-56127 Pisa, Italy
  • +39 050 2212 730
  • My research area since 1990 is Software Technology, where I am interested in rigorous methods and their practical app...
This book is about--as its title suggests--the classical decision problem, also known as Hilbert's Entscheidungsproblem. The preface promises a comprehensive modern treatment of the subject; indeed it does, in a very thorough but still, I think, to most of the intended audience (logicians, computer scientists, mathematicians and philosophers of science) rather accessible manner.
Nowadays, the major problems of software engineering are encountered at the high levels of system development, both scientifically and in the industrial practice. The modern software life-cycle models recognize that defects injected in the initial software development phases are the most expensive ones.
We provide a rigorous semantics for one of the central diagram types which are used in UML for the description of dynamical system behavior, namely activity diagrams. We resolve for these diagrams some of the ambiguities which arise from different interpretations of UML models. Since we phrase our definition in terms of Abstract State Machines, we define at the same time an interesting subclass of ASMs, offering the possibility to exploit the UML tool support for using these special ASMs in the practice of software design.
The recent literature on business process modeling notations contains numerous contributions to the so-called OR-join (or inclusive merge gateway) problem.
In this paper we model as Abstract State Machines (ASMs) some object-oriented design patterns, which have been introduced in [12] in the context of object-oriented programming principles. We hope to trigger by this work some investigation of genuine modeling patterns, which are placed at a higher level of abstraction than object-oriented class structures and related programming structures.
We define the dynamic semantics of UML State Machines which integrate statecharts with the UML object model.
We define a flexible abstract ambient concept which has turned out to support current programming practice and can in fact be instantiated to apparently any environment paradigm in use in frameworks for distributed computing with heterogeneous components. For the sake of generality, and to also support rigorous high-level system design practice, we give the definition in terms of Abstract State Machines.
Theorem: For each DLX program P, let Ppar be its transformation obtained by inserting two empty instructions after each occurrence of a jump or branch instruction (“instruction scheduling”). Let C be the DLXseq computation with input P and Cpar the corresponding DLXpar computation with input Ppar. Then C and Cpar have the same result if Cpar is data-hazard-free.
In hardware and software design, model checkers are nowadays used with success to verify properties of system components [23]. The limits of the approach in coping with the size and the complexity of modern computer-based systems are felt when it comes to providing evidence of the trustworthiness of the entire system that has been built out of verified components. To achieve this task one has to experimentally validate or to mathematically verify the composition of the system.
In this paper the abstract state machine (ASM) refinement method is presented. Its characteristics compared to other refinement approaches in the literature are explained. Some frequently occurring forms of ASM refinements are identified and illustrated by examples from the design and verification of architectures and protocols, from the semantics and the implementation of programming languages and from requirements engineering.
We propose a simple foundation for a practice-oriented undergraduate course that links seamlessly computation theory to principles and methods for high-level computer-based system development and analysis.
We provide precise high-level models for eight fundamental service interaction patterns, together with schemes for their composition into complex service-based business process interconnections and interaction flows, supporting software-engineered business process management in multi-party collaborative environments. The mathematical nature of our models provides a basis for a rigorous execution-platform-independent analysis, in particular for benchmarking web services functionality.
The systems engineering method proposed in this book, which is based on Abstract State Machines (ASMs), guides the development of software and embedded hardware-software systems seamlessly from requirements capture to actual implementation and documentation. The method bridges the gap between the human understanding and formulation of real-world problems and the deployment of their algorithmic solutions by code-executing machines.
This is a tutorial introduction to the evolving algebra approach to the design and verification of complex computing systems. It is written to be used by the working computer scientist. We explain the salient features of the methodology by showing how one can develop from scratch an easily understandable and transparent evolving algebra model for PVM, the widespread virtual architecture for heterogeneous distributed computing.
We answer the question raised in [15] of how to naturally model widely used forms of recursion by abstract machines. We show that turbo ASMs as defined in [7] allow one to faithfully reflect the common intuitive single-agent understanding of recursion. The argument is illustrated by turbo ASMs for Mergesort and Quicksort. Using turbo ASMs for returning function values allows one to seamlessly integrate functional description and programming techniques into the high-level 'abstract programming' by state-transforming ASM rules.
We provide a complete mathematical model for the exception handling mechanism of the Common Language Runtime (CLR), the virtual machine underlying the interpretation of .NET programs. The goal is to use this rigorous model in the corresponding part of the still-to-be-developed soundness proof for the CLR bytecode verifier.
We propose in this paper a definition of the semantics of Java programs which can be used as a basis for the standardization of the language and of its implementation on the Java Virtual Machine. The definition provides a machine and system independent view of the language as it is seen by the Java programmer. It takes care to directly reflect the description in the Java language reference manual so that the basic design decisions can be checked by standardizers and implementors against a mathematical model.
We reveal a grey area in the specification of Java and of its implementation through the Java Virtual Machine (JVM): the treatment of initialization of classes and interfaces. We report the results of our experiments with different implementations of Java, which confirm the theoretical prediction of our work on mathematical models for Java [4] and the JVM [3], namely that the designers of Java and the JVM have used notions of initialization which do not match and which afflict the portability of Java programs.
We refine the mathematical specification of a WAM extension to type-constraint logic programming given in [BeB96]. We provide a full specification and correctness proof of the PROTOS Abstract Machine (PAM), an extension of the WAM by polymorphic order-sorted unification as required by the logic programming language PROTOS-L, by refining the abstract type constraints used in [BeB96] to the polymorphic order-sorted types of PROTOS-L.
We formulate some research and development challenges that relate what a verifying compiler can verify to the definition and analysis of the application-content of programs, where the analysis comprises both experimental validation and mathematical verification. We also point to a practical framework to deal with these challenges, namely the Abstract State Machines (ASM) method for high-level system design and analysis.
20 years ago Gurevich formulated A New Thesis [10], soliciting descriptions of computational devices to unfold the underlying notion of “dynamic structures”. 10 years later, after extensive experimentation with “dynamic algebras” by a community that was still small at the time, Gurevich discovered a mathematical definition for “evolving algebras” [11], which remained stable except for the final name change in 1996 to Abstract State Machines.
The research belonging to the Abstract State Machines approach to system design and analysis is surveyed and documented in an annotated ASM bibliography.
A goal of software product lines is the economical assembly of programs in a family of programs. In this paper, we explore how theorems about program properties may be integrated into feature-based development of software product lines. As a case study, we analyze an existing Java/JVM compilation correctness proof for defining, interpreting, compiling, and executing bytecode for the Java language. We show how features modularize program source, theorem statements and their proofs.
In a meeting at Schloss Dagstuhl in June 1993, Uri Abraham and Menachem Magidor challenged the thesis that an evolving algebra can be tailored to any algorithm at its own abstraction level. As an example they gave an instructive proof which uses lower and higher views to show correctness of Lamport's bakery algorithm. We construct two evolving algebras capturing the lower and higher view respectively, enabling a simple and concise proof of correctness for the bakery algorithm.
  • Stability of local views. Once a processor joins a group g, it stays in g until either a processor fails or one recovers and attempts to rejoin.
  • Agreement on history. If two processors are joined to a common group g and none of them crashes between joining g and joining the next group, then that next group is the same for both processors.
We explain why, for the verified software challenge proposed in Hoare (J ACM 50 (1): 63–69, 2003) and Hoare and Misra (Verified software: theories, tools, experiments. Vision of a Grand Challenge project. In: [Meyer05]) to gain practical impact, one needs to include rigorous definitions and analysis of ground models, i.e., blueprints that describe the required application-content of programs, prior to code development and comprising both experimental validation and mathematical verification.
In this paper I answer the question of how evolving algebras can be used for the design and analysis of complex hardware and software systems. I present the salient features of this new method and illustrate them through several examples from my work on specification and verification of programming languages, compilers, protocols and architectures.
We provide a mathematical specification of an extension of Warren's Abstract Machine (WAM) for executing Prolog to type-constraint logic programming and prove its correctness. Our aim is to provide a full specification and correctness proof of a concrete system, the PROTOS Abstract Machine (PAM), an extension of the WAM by polymorphic order-sorted unification as required by the logic programming language PROTOS-L.
With pleasure I use the occasion of the European Association for Computer Science Logic 1997 membership meeting and of the election of the new EACSL Board for the term 1997-2002, during CSL'97 at BRICS in Aarhus (Denmark), to report on the first ten years of the series of CSL conferences (and on the first five years, 1992-1997, of activities of the EACSL, which have been directed by the exiting Board).
We define an abstract model for the dynamic semantics of the core process modeling concepts in the OMG standard for BPMN 2.0. The UML class diagrams associated therein with each flow element are extended with a rigorous behavior definition, which reflects the inheritance hierarchy structure by refinement steps. The correctness of the resulting precise algorithmic model for an execution semantics for BPMN can be checked by comparing the model directly with the verbal explanations in [8].
Building ground models is one of the three constituents of the engineering method for computer-based systems which is known as the Abstract State Machine (ASM) method [16]. In this note we characterize ground models, whose epistemological role for a foundation of system design resembles the one Aristotle assigned to axioms to ground science in reality, avoiding infinite regress.
The versatility and wide applicability of the Abstract State Machines Method for the design and the analysis of computational systems has not yet been fully exploited for teaching. We suggest using it for introducing basic algorithmic concepts in a succinct and uniform way, which makes the definitions adoptable in traditionally unrelated courses, covering the full range of computing science curricula from computation theory to the engineering of software systems.
The Abstract State Machine (ASM) method is a systems engineering method that guides the development of software and embedded hardware-software systems seamlessly from requirements capture to their implementation. Within a single precise yet simple conceptual framework, the ASM method supports and uniformly integrates the major software life cycle activities of the development of complex software systems.
We provide an introduction to a practical method for rigorous system development which has been used successfully, under industrial constraints, for design and analysis of complex hardware/software systems. The method allows one to start system development with a trustworthy high level system specification and to link such a “ground model” in a well documented and inspectable way through intermediate design steps to its implementation.
A natural encoding of synchronous message exchange with direct wait-control is proved to be equivalent in a distributed environment to a refinement which uses semaphores to implement wait control. The proof uses a most general scheduler, which is left as abstract and assumed to satisfy a few realistic, explicitly stated assumptions. We hope to provide a scheme that can be implemented by current theorem provers.
The Theory Panel was established at the VSTTE conference, Zurich, October 2005, with the purpose of formulating, within nine months, a roadmap for the theory dimension of the Verified Software grand challenge. Such a roadmap would identify research challenges in the theory of program construction and analysis that are critical for the overall goals of the Verified Software grand challenge.
In an attempt to capture the fundamental features that are common to neural networks, we define a parameterized Neural Abstract Machine (NAM) in such a way that the major neural networks in the literature can be described as natural extensions or refinements of the NAM. We illustrate the refinement for feedforward networks with back-propagation training.
Current process specification approaches like BPEL [3], WS-CDL [6], and RosettaNet [1] describe processes using different vocabularies. However, common interaction patterns can be identified throughout different languages [8,7]. We see these patterns as an abstraction from the underlying real workflow languages. But still, even using the same process language, a workflow can be expressed in different ways, i.e. by using different workflow pattern combinations performing an equivalent task.
When discussing properties such as type safety for the Java language, it is necessary to have formal semantics. The complex type system involving parameterized types with wildcards, combined with the fact that some constructs are underspecified in the current version of the language specification, makes a complete formalization difficult.
We define an extensible semantical framework for business process modeling notations. Since our definition starts from scratch, it helps to faithfully link the understanding of business processes by analysts and operators, on the process design and management side, by IT technologists and programmers, on the implementation side, and by users, on the application side. We illustrate the framework by a high-level operational definition of the semantics of the BPMN standard of OMG.
We provide a logical specification of set predicates findall and bagof of Prolog. The specification is given in proof theoretic terms, and pertains to any SLD-resolution based language. The order dependent aspects, relevant for languages embodying a sequential proof search strategy (possibly with side effects), can be added in an orthogonal way. The specification also allows us to prove that bagof cannot be defined by SLD-resolution alone.
ASMs have been used at Siemens Corporate Technology to design a component in a software package called FALKO. The main purpose of FALKO is the construction and validation of timetables for railway systems. For simulation, the whole closed-loop traffic control system is modelled within FALKO. The railway process model part of FALKO was formally specified using the ASM approach.
The origin of this book goes back to the Dagstuhl seminar on Logic for System Engineering, organized during the first week of March 1997 by S. Jähnichen, J. Loeckx, and M. Wirsing.
We provide a mathematical reference model for the exception handling mechanism of the Common Language Runtime (CLR), the virtual machine underlying the interpretation of .NET programs. The model fills a gap in the ECMA standard for the CLR and is used to sketch the exception-handling-related part of a soundness proof for the CLR bytecode verifier.
Gurevich's [26] Abstract State Machines (ASMs), characterized by the parallel execution of abstract atomic actions in a global state, have been equipped in [13] with a refinement by standard composition concepts for structuring large machines that allows reusing machine components. Among these concepts are parameterized (possibly recursive) sub-ASMs.
In [32] we have shown that the system which implements the Subject-oriented approach to Business Process Modeling (S-BPM) has a precise semantical foundation in terms of Abstract State Machines (ASMs). The construction of an ASM model for the basic S-BPM concepts revealed a strong relation between S-BPM and the ASM method for software design and analysis. In this paper we investigate this relation more closely.
We propose a small set of parameterized abstract models for workflow patterns, starting from first principles for sequential and distributed control. Appropriate instantiations yield the 43 workflow patterns that have been listed recently by the Business Process Modeling Center. The resulting structural classification of those patterns into eight basic categories, four for sequential and four for parallel workflows, provides a semantical foundation for a rational evaluation of workflow patterns.