In this paper we present a source transformation-based framework to support uniform testing and model checking of implicit-invocation software systems. The framework includes a new domain-specific programming language, the Implicit-Invocation Language (IIL), explicitly designed for directly expressing implicit-invocation software systems, and a set of formal rule-based source transformation tools that allow automatic generation of both executable and formal verification artifacts. We provide details of these transformation tools, evaluate the framework in practice, and discuss the benefits of formal automatic transformation in this context. Our approach is designed not only to advance the state-of-the-art in validating implicitinvocation systems, but also to further explore the use of automated source transformation as a uniform vehicle to assist in the implementation, validation and verification of programming languages and software systems in general.
Introduction
With the growing size and complexity of software systems, software verification and validation techniques such as testing and model checking are increasingly important. While testing focuses on the actual behaviour of the program, model checking focuses on its mathematical model. Testing and model checking are complementary: testing is lightweight but incomplete while model checking is heavyweight but complete.
A major problem with testing and model checking is that they require different software artifacts. In fact, there is often a big semantic gap between the code artifacts that can be executed and tested and the modelling artifacts that can be verified using model checkers. This gap must typically be bridged by hand with little tool support, leading to a real possibility of errors and spurious results when the finite-state model does not correspond exactly to the implemented software system. Corbett, Dwyer, et al. note that hand-constructed models are "expensive, prone to errors, and difficult to optimize" [1] . The time required to convert artifacts by hand and the possibility of spurious results can be greatly reduced using automated transformations.
One kind of software system which is particularly difficult to validate is implicit invocation (II) or publish-subscribe systems, which are increasingly popular as an integration mechanism for loosely coupled components in software systems. II systems feature a lot of non-determinism due to concurrent execution of components. This high degree of non-determinism makes them particularly challenging to certify and hence a good proving ground for comparing and combining software verification and validation methods such as testing and model checking.
In previous work we proposed a framework for the uniform testing and model checking of II systems [2, 3] based on an II model checking system originally developed by Garlan and Khersonsky [4, 5] and extended by Bradbury and Dingel [6] . Our framework leverages Garlan and Khersonsky's XML intermediate representation for II systems and its automated translation to finite state models checkable by the Cadence SMV model checker [7] , a tool for exploring the state space of a program to check formal properties such as freedom from deadlock. Our previous short paper focussed on the testing and modelchecking framework itself. In this paper we concentrate on the details of its implementation using source transformations.
At the core of our framework is the Implicit-Invocation Language (IIL), a new special purpose language specifically designed for expressing verifiable software systems that use the II architectural style. IIL is designed to address several problems: the lack of explicit features for II in existing programming languages, leading to code that does not well express its real semantics; the large gap between II code and its hand-created modelling representation, for example as Garlan and Khersonsky's XML representation; the lack of any convenient simulation and testing framework for II systems; the lack of the ability to both test and model check II systems in a uniform and consistent manner; and the lack of automated tools to assist in these processes.
We have chosen to implement IIL entirely using formal source transformations, both as an experiment in that technique and in order to allow for the future possibility of formal verification of the translations to execution and In the remainder of this paper, we provide a quick overview of the II architectural style in Section 2 and introduce the Implicit-Invocation Language (IIL) in Section 3. Section 4 discusses the programming, execution, and verification artifacts of our transformational framework. In section 5 we present the details of our automated source transformations to both execution and modelling artifacts. We describe experience using our system to both test and model check three II examples as well as discuss future directions for exploring the complementary relationship between testing and model checking in Section 6. Finally, we discuss related work and draw conclusions in Sections 7 and 8.
II Systems
II systems are characterized by six parameters: components, events, eventmethod bindings, an event delivery policy, a shared state, and a concurrency model. Components in the system can announce events, which are the primary method of communication between components. Upon receiving events from the components, the event dispatcher sends the events out to all subscriber components that have requested to receive that particular type of event.
The correspondence between announced events and the methods to be invoked in response to these announcements is defined in the event-method bindings. Event-method bindings instruct the dispatcher where to send events. The event delivery policy, a set of conditional delivery rules, instructs the dispatcher on when and how to send them.
II systems we have studied include [6] : a Set-Counter example in which one component stores elements in a set and another keeps count of the number of elements; the Active Badge Location System (ABLS), an electronic tagging alternative to pagers, in which different components issue requests, store information, and announce the location of users; and the Unmanned Vehicle Control System (UVCS), in which vehicle components announce information such as their movement plan, and other components monitor the movement to ensure vehicles reach their destinations without collision. All of these systems are specified and integrated using implicit invocation.
3 The Implicit-Invocation Language IIL
To help bridge the gaps between coding, testing and verifying implicit-invocation systems we have designed the special-purpose programming language IIL. IIL is explicitly designed to allow for direct expression of implicit-invocation semantics using custom syntax for II features and concepts on top of a Java-like core. In order to guarantee that all programs can be executed and tested, only features that can be directly implemented or transformed to simulated concurrent execution are included. In order to guarantee that all programs can be modelled, only language features that can be directly represented or transformed to Garlan and Kershonsky's XML intermediate modelling language are included. And to attach verification closely to code, properties to be verified are directly expressed as part of the program.
As an illustrative example, Figure 2 shows a standard implicit-invocation example, the Set-Counter system [9] expressed in IIL. In order to directly express verifiable II systems, IIL includes the following special features: component declarations, event declarations, announcement statements, a dispatcher declaration, delivery statements, event-method bindings, and property declarations.
The Set-Counter system declares two components: a Set and a Counter. The Set component contains a set of objects and the Counter component keeps count of the objects in the set. Figure 2 shows the IIL representation of both the Set and Counter components. All components in IIL can contain variables and methods.
The Set-Counter example declares four events. EnvAdd and EnvRemove are external or environment events, which represent external behaviour affecting the II system. Their declarations give the event name and its announcement properties. The other declared events Insert and Delete are local events which give the event name and optional data. Components in IIL use announce statements to send local events to the dispatcher. For example, an Insert event is announced in the Add method of the Set component.
As well as components and events, an event dispatcher is declared. The dispatcher is responsible for event delivery and defines the delivery policy. Environment events are delivered immediately, while local events are delivered according to the policy using deliver statements. In our Set-Counter example the delivery policy says that if there are more Insert events waiting to be delivered than Delete events, then an Insert event is delivered immediately and a Delete event is delivered randomly, otherwise the opposite occurs.
Event-method bindings are needed to register the methods to the events for event delivery. For example, in the Set-Counter example the EnvAdd event is bound to the Add method in the Set component s. That is, when an EnvAdd event is announced the Add method in s will be invoked.
IIL also allows for direct expression of the temporal logic property declarations to be verified for the program using the model checking process. For example the property AlwaysCatchesUp in the Set-Counter example says that global variable setSize will always eventually equal the counter variable in the Counter component c.
II Framework Artifacts
Our transformational framework for running, testing and verifying IIL consists of three main types of artifacts:
• Programming/specification artifacts in IIL itself • Execution/testing artifacts in the Turing Plus language • Verification artifacts in the XML intermediate language and the SMV modelling language
Programs are expressed entirely in IIL, then automatically transformed to Turing Plus [8] for execution and testing and to the XML intermediate representation for modelling and SMV for verification. Because it is explicitly designed to express II systems, IIL programs are very concise -up to ten times smaller than both the corresponding Turing Plus implementations used for testing and the XML and SMV representations used for model checking.
Execution Artifacts in Turing Plus
Execution and testing artifacts are derived from IIL using a formal source transformation to Turing Plus [8] , a general-purpose concurrent extension of the programming language Turing [10] . We decided to target Turing Plus for execution of II systems because of its simple, general concurrency model and randomized simulation scheduling framework, which allows for lightweight, realistic testing of concurrent programs.
A critical part of our transformation from IIL to Turing Plus is the design of a representation for implicit method invocation and component concurrency in Turing Plus that accurately reflects IIL semantics. In designing these, we used as a reference semantics for IIL the corresponding features of Garlan and Kershonsky's XML notation for II systems [4, 5] .
Turing Plus does not support implicit method invocation directly, so in our Turing Plus model we used explicit invocation to implement implicit-invocation. Thus the Turing Plus implementation uses explicit method calls in event announcement, in event delivery, and in components to invoke bound methods when a delivered event is received.
The concurrency model determines how to assign and manage threads in the system. Based on the Garlan and Kershonsky modelling semantics, our implementation fixes the concurrency model to use a separate Turing Plus thread for each component, the event dispatcher, and the system itself. To ensure that the execution semantics of an IIL program in Turing Plus matches its model checking semantics in SMV, all of the threads in the Turing Plus implementation of an II system are synchronized using barrier synchronization.
Structurally, the Turing Plus implementation consists of a module and nested monitor for each component declaration and the dispatcher, and a main procedure that handles environment event generation. These vary with system and are derived from the IIL program by source transformation.
The Turing Plus implementation is based on a set of common definitions for the underlying mechanisms of II that are program independent, such as type definitions for events, event queues, and event warehouses (collections of event queues), as well as modules to manage the system event warehouse, component event warehouses, and thread synchronization. These modules are independent of the IIL program being transformed and are included from a library using generated include directives in each transformed result.
Verification Artifacts in SMV
To model check systems written in IIL, we use the approach previously presented in [6, 4, 5] . This approach focuses on the automatic analysis of II by representing an II system in an XML intermediate representation and using an existing Java tool to transform it into an SMV model accepted by the Cadence SMV model checker. The challenge therefore was to create a source transformation for IIL programs to the limited features of the XML modelling representation.
The SMV model for an IIL program represents each component and the dispatcher as an SMV module. There is also a main module which instantiates the other components. Modules in SMV have input and output parameters which are used for event announcement. For example, in the Set-Counter example an output parameter of the Set component is connected to an input parameter of the Dispatcher for the announcement of an Add event, and an output parameter of the Dispatcher is connected to an input parameter of the Counter component for delivery of the event. The model checking semantics of the SMV program is (by design) identical to the execution semantics of the Turing Plus program outlined above.
Transformations in the II Framework
Now that we have introduced the artifacts involved in our framework, we can discuss TXL and our automated transformation tools for artifact conversion. Figure 3 shows an overall summary of how the parts of an IIL program are used to automatically transform IIL programs into a Turing Plus program for execution and an SMV model for verification.
Source Transformation using TXL
TXL [11] is a programming language designed to support source transformation tasks. It combines features of both functional and rule-based programming, and supports unification, implied iteration and deep pattern match. A TXL program consists of two parts: a context-free, possibly ambiguous grammar describing the syntactic structure of the artifacts to be transformed, and a set of by-example formal transformation rules that use pattern-replacement pairs to describe the desired transformations. TXL has been used in a range of applications from software design recovery to artificial intelligence, in both academic and industrial contexts [12] . Although we use TXL to express the source transformations in our framework, our method does not depend on any particular tool and other source transformation languages and systems such as Stratego [13] , ASF+SDF [14] , ANTLR [15] and others have their own advantages and could serve as well.
Transformation to Execution Artifacts
Our automated tool for transforming IIL to Turing Plus consists of a set of transformation rules written in TXL. The structure and syntax of Turing Plus programs is very different from IIL -some of these differences have been discussed in Section 4.1. The transformation to Turing Plus is divided into four steps: component transformation, dispatcher transformation, system and environment setup generation, and restructuring of the resulting system body.
The fours steps form a tightly coupled transformation: each must be completely consistent with the other for the combined result to be correct. In order to facilitate this consistency, each of the steps is derived by formal source transformation from the same source artifact: the entire IIL source program itself. This demonstrates the advantages of the main design goal of IIL: to capture all aspects of the II system in one uniform source artifact. Each step takes as input the entire source program in IIL, using different parts of the source as needed to transform or generate its result.
Step First, module and monitor names for components in the Turing Plus program are generated from the component names in IIL (lines 1,8 ). Second, an event warehouse (a collection of event queues) is created for each type of event that a component accepts (lines 4,5 ). Third, each method in a component is added to the export list for its monitor (line 9 ). This makes the methods public, so that they can be called from outside the monitor, for example in the run process (line 48 ).
Fourth, the method bodies for each component are generated. In addition to the syntactic transformation of the method bodies from IIL to Turing Plus, the invoking event must be retrieved (lines 45-48 ). A method requires the retrieval of the invoking event in order to use data contained in the event. Since the information about the invoking event is not included in the method body of the IIL program, we must extract this information from the remote component instantiations and the event-method bindings during transformation.
Fifth, the run process (lines 42-51 ) needs to check each event queue and invoke the appropriate bound method if the event queue is not empty. During transformation, the accepts statements in the IIL program are used to generate the conditional expression of the if statement in the run process, and event-method binding information is used to generate the method call. As an example of the TXL transformation rules used in this step, Figure 5 shows the main rule used to generate the module and monitor structure from an IIL component. As is evident in this example, TXL's by-example concrete syntactic patterns and functional decomposition style help make it convenient to express and validate our source transformations.
Step 2: Dispatcher transformation. The dispatcher in Turing Plus is constructed using the event declarations, the dispatcher declaration, and the system constructor of the IIL program. All of this remote information must be combined using a global-to-local transformation to generate the result.
For each event in a system the dispatcher creates a queue in the system event warehouse. Event queues are not represented in the IIL program and are generated using the same method as described for component queues above. The event delivery policy is translated directly from the dispatcher body of the IIL program into code for the Turing Plus dispatcher module. In order to complete the event delivery transformation we also need to use information from the component instantiations and the event-method bindings. Figure 6 shows the result of generating the Dispatcher for the Set-Counter example. Random delivery is simulated using the Turing Plus randint library routine to flip a coin. The main TXL rule to generate the Dispatcher module from the dispatcher section of the IIL program is similar in form to the rule Step 3: System and environment setup. In this step we generate declarations for global variables specified in the IIL program and initialize system constants of the Turing Plus implementation. We incorporate the parts common to all systems (discussed in Section 4.1) by generating file includes such as the include "rendezvous.i", which adds the module that handles barrier synchronization. Finally, we generate statements at the end of the program to fork a concurrent process for each of the component and dispatcher modules.
Environment setup generates a procedure using a method call for each external event. An example TXL function from this step is shown in Figure 7 . This function demonstrates the use of TXL's functional control paradigm to implement a source transformation that inherits global contextual information to generate its result -in this case the list of events passed in from the main system setup generation rule.
Step 4: System body re-ordering. Unlike IIL, Turing Plus is a declarationbefore-use language, and Turing Plus programs must follow a strict order and structure of declaration. In order to separate concerns and avoid overly constraining transformation rules, the previous three transformation steps ignore these constraints. This leaves the ordering problem to this last separate transformation, which involves reordering the program elements to match the order in Figure 3 . In essence, this transformation is a topological sort of the program into declaration-before-use dependency order. A simple TXL rule used in this step is shown in Figure 8 . 
Transformation to Verification Artifacts
A major drawback to the model checking work we presented in [6] was that it was not completely automated, since user interaction was required to develop the XML modelling representation for the program. Our current approach overcomes this deficiency and bridges the gap between artifacts by completely automating the process of generating finite state models for software systems written in IIL.
The transformation from IIL to SMV finite state models involves three steps: program restructuring, conversion to XML, and finite state machine translation. The first two steps convert IIL into the XML modelling notation using cascaded TXL source transformations of the IIL program. The third step uses an existing Java tool to transform the XML representation to a set of finite state machine models in SMV that can then be verified using the Cadence SMV model checker.
Step 1: Program restructuring. The original goal of the IIL language was as a convenient replacement for the verbose XML representation that would be easier to read, write and understand. In the end, IIL has evolved into a full special-purpose language that includes many other notational conveniences, such as true global variables, local variables in methods, for loops and switch statements, none of which are in the XML intermediate language. In this first step of our modeling transformation, these notational conveniences are resolved, in essence by compiling and reordering the IIL program using source transformation. The result is a simplified IIL program which is isomorphic to its XML modelling language equivalent, but not yet in XML notation.
Three main language features of IIL are not present in the XML representation and must be converted. First, global variable access is transformed to match the indirect global variable access of the XML representation. IIL components have direct access to globals, while the XML representation uses the SMV model, in which global variables must be accessed indirectly through special local input/output variables.
Second, IIL supports variable declaration at both the component and method level while the XML modelling representation allows variables at the component level only. This step involves moving all method level variables to the component level. To avoid potential name clashes, method variables are uniquely renamed using the method name as a prefix.
Third, IIL allows the convenience of switch statements in the dispatcher and both switch statements and for loops in component methods, while the XML modelling representation has only if-then-else statements in order to simplify its modelling task. The transformation therefore transforms switch statements into if-then-else and unrolls for loops into statement sequences, using classic transformations borrowed from the compiler community.
Recall that by design IIL is restricted to expressing programs that have a modelling language equivalent -thus because the XML modelling representation does not have loops, IIL for loops are constant bounded and can always be unrolled. Similarly, although the XML modelling representation has no switch statement, the transformation can convert them to their if-then-else equivalents. The TXL rule for converting switch statements used in this stage is shown in Figure 9 .
Finally, the program is restructured into the strict order required by the XML modelling representation. In IIL there are no restrictions on ordering, but the XML representation must be strictly structured according to its schema. As in the transformation to Turing Plus, we simplify the previous steps by implementing the ordering constraints as a separate source transformation on the result. The TXL rule for the XML markup translation of bind statements is shown in Figure 10 . The rule matches every IIL bind statement and captures its event name and list of method invocations. The event name is quoted so that it can be used in the XML tag, and a sequence of XML method-binding tags for the bound method invocations is generated by the subrule construct method binding. The rule then replaces the bind statement by an XML tag with the event name around the tagged sequence of method bindings. Step 3: Generation of finite state machines. Following the transformation from IIL to the XML modelling notation, we use the Java tool developed by Garlan and Khersonsky [4] (modified in [6] ) to transform the XML representation of the program into a set of finite state machines in SMV. These can then be checked using the Cadence SMV model checker to verify the property constraints declared in the IIL program. Figure 11 shows an abbreviated Set-Counter system in SMV. In the example we see the definitions of the Insert and Delete event type (lines 1,2) as well as the definition of 4 modules: Set (lines 4,5) , Counter (lines 7,8), Dispatcher (lines 10-12), and main (lines 14-67). The Set and Counter components communicate with the Dispatcher component using input and output parameters. For example, announce Insert (line 4) is an output parameter of the Set component. The main component serves 3 purposes. First, it is the source of all environment events. For example, the EnvAdd event and EnvRemove event announcement is defined by the ComponentConsistency assertion (lines 57-63) which is assumed to be true. Specifically, ComponentConsistency described the behavior of the environment events using temporal logic. For example, it states that EnvAdd will eventually be announced by the Dispatcher and eventually it will always not be announced. Second, the main module declares all of the local variables required for component communication and maps them to the corresponding modules through module instantiation. For example, theSet out announce Insert is a local variable that is serves as an output parameter of theSet (lines 43,44), an instantiation of the Set module. The parameters of the instantiation modules are connected together via local variable assignments. For example (line 49), evtDispatcher_in_theSet_announce_Insert := theSet_out_announce_Insert maps an output parameter of theSet module instance to an input parameter of evtDispatcher. Third, the main module contains all of the properties that we will verify using the Cadence SMV model checker (lines 65,66). Additional details of this step can be found in [6, 4, 5] .
Evaluation of Transformations
To evaluate our framework we used the three examples introduced in Section 2: the Set-Counter System, the Active Badge Location System (ABLS) and the Unmanned Vehicle Control System (UVCS). For each example, our evaluation involved programming the system in the IIL language and verifying (by hand) that our transformation tools from IIL to Turing Plus and from IIL to the XML representation performed correctly. We demonstrated that semantics was well preserved across all of the transformations by checking that the execution behaviour and the model checking behaviour matched the original semantics of the IIL programs. Finally, we verified that the specified properties of the IIL programs held, both empirically and formally, by testing and model checking the results of our transformations (described in Section 6.2). Up to this point we have primarily described our transformations in the context of the simplest example: the Set-Counter System. We will now provide more detail on the 2 real-world examples: ABLS and UVCS.
ABLS. Our IIL program of the ABLS consists of three types of components: request workstation(s), a main workstation, and sensor workstation(s) (see Figure 12(b) ). In addition to these components, the ABLS also interacts with Active Badges which are carried by all people in range of the system. Active Badges communicate directly with the sensor workstations via sensors and are not considered part of the IIL program. The request workstations randomly issue the following events: Find an Active Badge's location, determine which other badges an Active Badge is With, Look at one location and return all of the badges that are there, Notify an Active Badge holder via an audible or vibration notification, and obtain a History location report of an Active Badge. The main workstation has three primary responsibilities: information retrieval, information storage, and command execution. Information about the location of Active Badges is received by polling the sensor workstations (sending a Poll event and receiving back PollRequest events from all sensor workstations). Information received from sensor workstations on the current and previous locations of Active Badges is stored in a database. Events from the request workstations are received and fulfilled using information in the database. For example, a FindResult event is sent in response to a receiving a Find event. The sensor workstations are only responsible for sending polling results to the main workstation whenever a polling event is received.
A partial example of the transformation of the ABLS IIL program is presented in Figure 13 . In the example the request workstation is transformed into Turing Plus using the TXL rules described in Step 1 of the IIL to Turing Plus transformation (Section 5.2). This example is similar to the transformation of the Set component discussed previously. The request workstation is also transformed into an SMV module using the TXL rules described in Sec- 3 to go from IIL to XML and using our modified version of the Garlan and Khersonsky Java tool to go from XML to SMV. In SMV the behaviour of a component is modeled using case statements which define next values based on the current state of the component. Due to space restrictions not all of the SMV code for the request workstation is be shown in Figure 13 .
UVCS. The UVCS IIL program contains four types of components: vehicle, region, visualizer, and rules injector. Vehicle components contain information including the identity, long-term goal, rule version, and position of the corresponding vehicle. A vehicle component is also responsible for transmitting the identity, position, rule version, and short-term plan to other interested components by announcing a VehicleInfo event. Region components collect data on all vehicles in their region by receiving VehicleInfo events. This information is compiled to create a summary of information which is announced as a RegionInfo event. The visualizer component gathers the summary information from all regions and displays it externally. The visualizer also has the ability to zoom in on a region process by receiving events from vehicle components. To avoid collisions the system supports a set of traffic rules to govern the movement of vehicles. The version of the rules being used can be updated by the rules injector component, which publishes new rules via event announcement of the RulesInfo event. Vehicle components usually subscribe to these events and listen for new versions of the traffic rules. To avoid rule version conflict in the case of a possible collision, vehicles announce the version of the rules they are using along with their short-term plan. If a collision is possible, the traffic rules are used to decide which vehicle should wait. In case vehicles are using different rule versions a default rule is used instead.
In our IIL representation of this system, there is only one visualizer component, only one rules injector component, at least one region component, and possibly multiple vehicle components. Figure 12 (c) is a generalized representation of the UVCS that shows the components of the system and their event-based communication. The transformation of the IIL program to Turing Plus and SMV was also used to evaluate our transformation framework. The UVCS was over twice as large as either of the previously described examples which unfortunately makes it infeasible to include any meaningful IIL, Turing Plus, or SMV code.
Testing and Model Checking using the II Framework
We have discussed the programming, execution and verification artifacts and the automated transformations used in our framework. We now detail how the framework can be used in both testing and model checking. In these examples we have as output the clock tick, the name of each announced event, and the new values of updated global and local variables. Consider the Set-Counter trace in Figure 14 (a) from clock tick 56 to clock tick 59. The trace shows an announcement of the EnvRemove event by the environment, which causes the number of elements in the set (the variable setSize) to be decreased. The Set component then announces a Delete event which is delivered to the Counter component causing the counter variable to be decreased.
We have used execution traces to perform standard non-deterministic testing on all three of our concurrent example II systems. Specifically, because Turing Plus uses a randomized simulation scheduler, multiple executions of the same program with the same inputs generally result in different execution traces, allowing for bulk testing of many different concurrent executions. Moreover, our Turing Plus programs are convenient for testing because the test harness for environment events is generated automatically as part of our transformation. We will discuss our testing results further in Section 6.2 when we compare them to our model checking results.
Model Checking
Our second automated transformation converts IIL programs to the XML modelling representation and then to SMV finite state models for formal verification. We have verified a variety of liveness and safety properties in the context of our IIL examples. IIL currently allows for expression of properties written in Linear Temporal Logic (LTL) but we also have the ability to check Computational Tree Logic (CTL). The LTL operators used in the expression of properties are: X φ (in the next state φ holds), G φ (φ holds globally), F φ (φ holds eventually), φ 1 U φ 2 (φ 1 holds at least until φ 2 does). Detailed results of our model checking experiments are presented in a previous paper [6] . Next we will highlight some of these results and explain them in the comparison to our testing results.
Set-Counter model checking. In the Set-Counter System we verified 3 properties including AlwaysCatchesUp which determines if the number of items in the set will eventually be equal to the value stored in the counter (G F (setSize = c.counter)). We verified this property using several different delivery policies including one in which all events are delivered immediately (property verified to true), and others in which some event types are delivered randomly. For a given Set-Counter System with a particular delivery policy, we both verify the results and check them against all of the execution traces of the Turing Plus program. For example, in Figure 14 (a) we can see that after each change in the value of the variable setSize the Insert or Delete is announced by the Set component and delivered to the Counter component where the variable counter is updated to reflect the change in the set. In this case there does not appear to be any violations of the property AlwaysCatchesUp. Note that the more execution traces we generate the higher our confidence that the corresponding model checking result is correct.
ABLS model checking.
In the ABLS the properties we verified include:
• Event Delivery Guarantees: We want to determine the number of transitions required for the request workstation to receive a result from a command such as Find. Table 1 Analysis Results of ABLS System is at Location 1 and no badge is at Location 1. In the case where Badge 2 is at Location 1 we verify that the location returned in the FindResult event will be 1 and badgesAtLocation in the LookResult event will return true indicating that at least one badge is in Location 1. In the case where no badge is at Location 1 we verify that the FindResult event will not return 1 as the location for Badge 2 and badgesAtLocation will be f alse. Table 1 presents analysis results for the above properties using two different delivery policies. Policy 1 involves using immediate delivery for all events related to polling (Poll, PollResult) and using a random delivery for all events related to command requests (Find, FindResult, Look, LookResult). Policy 2 is similar except polling events are delivered randomly and command requests are delivered immediately. We are interested in these two policies to determine a priority for event types. We achieve the same verification results for Policy 1 and Policy 2 except that Policy 2 can provide guarantees on the properties FindCorrectnessInNextState and FindLookCorrectness. In our ABLS program using Policy 2 it takes one state transition for the request workstation to receive the Find command results from the dispatcher. In other words, we can guarantee that the location information received in a FindResult event is equal to the location in the master workstation database exactly one state ago. In Figure 14 (b) we see partial execution trace that confirms that using Policy 2 the FindResult event is received one clock tick after it is announced. This execution trace also provides a counter example to the properties FindCorrectnessImmediate and FindCorrectnessInTwoStates. In conclusion, based on the results of both model checking and testing Policy 2 provides a better event type priority and is the appropriate choice for the ABLS system.
UVCS model checking. The properties that we verified for the UVCS include:
• ruleVersionCurrentandConsistentAlways: This property verifies that within UVCS with 5 vehicles that all of the rules versions used by the vehicles are equivalent to each other and equal to the current version.
• vehicleMovementCorrectness: This property is used to ensure that when a vehicle moves from one region to another the change is handled correctly. Table 2 Analysis Results of UVCS System
Results

Property
• collisonAvoidanceGuaranteed: This safety property verifies that two vehicles moving in the same region will never crash.
G (~(Vehicle1.currRegion = Vehicle2.currRegion) |~(Vehicle1.xpos = Vehicle2.xpos) |~(Vehicle1.ypos = Vehicle2.ypos))
• longTermGoalAchieved: This liveness property verifies that a vehicle will reach its long term goal.
We verified the above properties using three different delivery policies (see Table 2 for verification results). The goal of this analysis was to determine which of the delivery policies, when used, will cause the system properties to hold. We use iterative model checking to determine an appropriate delivery policy. An interesting result of verifying the properties for the different delivery policies is that it turned out that the properties collisionAvoidanceGuaranteed and ruleVersionCurrentandConsistentAlways conflict. Upon reaching a conflict, using our Turing Plus test results is an ideal method to confirm our analysis results. Figure 14 (c) shows a partial execution trace instrumented to output event announcement information and local variable values related to our properties. The partial trace is related to Policy 3 and shows an instance where the property ruleVersionCurrentandConsistentAlways is not violated. Due to these analysis results, the requirements for the UVCS had to be weakened. We discuss several solutions to this conflict in [6] .
Future Directions
Although the design purpose of our IIL language and transformational framework is the comparison and exploration of the synergy between testing and verification, thus far we have primarily evaluated testing and model checking independently. Next we plan to use our framework to explore the relationship between testing and model checking. We believe that it provides a good testbed for studying the synergies between these two verification and validation methods, and in particular can allow us to investigate questions such as:
To what extent can testing be used to increase confidence in model checking results and in the correctness of the model checker? One possibility which we have already been exploring is that for a given LTL or CTL property we can generate and analyze execution traces to ensure that the traces do not violate the property. This type of check would provide confidence that a verified property does not conflict with the behavior of the real system.
Conversely, for a given execution trace we could represent the trace as a CTL property and use model checking to verify that the trace is also possible in the model. For example, we could represent the partial execution trace in Figure 14 (a) using the following CTL fragment. In the property fragment, EXφ means that along at least one path, in the next state, φ holds. Might it be useful to integrate temporal logic properties into the testing effort through, for instance, run-time safety analysis? One possibility would be to use safety specifications of a program to automatically generate a run-time monitor. For example, safety properties could be used to generate a monitor that checks if a finite execution trace satisfies the property [16] . This type of run-time monitor could also be used to increase confidence in model checking.
How can testing be used to simplify or optimize model checking? One of the primary optimizations in model checking is decomposition. Testing could be used to identify parts of the system which can safely be abstracted or removed in the context of model checking a particular property. For example, if a component is not used in a test trace it may be safe to remove it for the verification. The abstraction would take place at the IIL level thus allowing for us to check the testing and model checking results of the abstracted program against the original testing results.
Can model checking be used to evaluate the coverage offered by a test suite? Model checking could be used to guarantee output coverage in black box testing. For a given variable we could verify that the variable will always take on one of a set of values that covers the outputs. For example, if we wanted to know if a variable output could be 10 when the program is done we could analyze the system with respect to the following property to see if it is true. In the property, EFφ means along at least one path, in some future state, φ holds. Moreover, done is true if and only if the program has terminated.
EF (done & output=10)
Alternatively, we could model check the negation of the above property and possibly get a counter example with information about input values that would cause the output variable to be 10 upon program termination.
Model checking could also provide guarantees in white box testing. For example, if we wanted to provide statement coverage for an IIL program we could instrument the program to include a program counter whose values would be recorded in the execution trace produced by Turing Plus. If we noticed that certain statements were not being covered we could determine that they are unreachable. This could be done by using the model checker to verify that the program counter is never set to the statements in question. If this is true we can be more certain that we have statement coverage. If it is false and a counter example is provided we can use the counter example to determine input values that would cause the execution of the statements. Furthermore, we could also use model checking for branch coverage. This would be similar to statement coverage except that we would need to model check if it is possible for the system to reach a state in which the program counter has a particular value and a branch condition is true.
How good is model checking at finding program bugs in comparison to testing?
This question attempts to determine the difference between the quantity of bugs found, the types of bugs found, and the efficiency of bug detection in model checking vs. testing. One way to address this question is to use a technique such as mutation [17] to create versions of a program that each contain a seeded syntactic fault. Mutation testing is a well known comparative technique for comparing different test suites and can be generalized to mutation analysis where test suites can be compared to properties verified in formal analysis tools such as model checkers.
Mutation analysis could be used to compare how good model checking is at finding bugs in IIL programs in comparison to execution using Turing Plus. For example, in the Remove() method of the Set component from our SetCounter System we could apply the following mutation:
if ((setSize-value) >= -1) // > has been changed to >= { ... }
We can then both test and model check the mutated version of the Set-Counter System and compare the results to the original program to determine if any differences were observed. A difference would indicate that the bug has been detected. We are currently addressing this question in a separate research project [18] . tended for modeling the architectures of concurrent and distributed systems. A Rapide program can include specification of different components within the language or can be connected to implementations written in standard programming languages. Eventua is an object-oriented language that includes native support for events. Eventua programs can be transformed to the ς-calculus for execution. Our work differs from these approaches in that we focus on formal analysis in addition to execution traces.
As an alternative to using a special purpose language, it would be interesting to explore using Java to represent event-based systems (e.g. using the Message-Driven Thread API for Java [21] , or publish/subscribe infrastructures like Elvin [22] or Siena [23] ). Our IIL work differs from this work because we express implicit invocation semantics and verification conditions in custom syntax rather than through library calls. Through the use of a single uniform notation, the program, its execution and modelling are encoded much more directly.
Furthermore, if we did explore using Java to represent event-based systems we could leverage existing work on testing and model checking of Java programs. On one hand, we could test the Java programs using an existing approach to testing concurrent Java [24] . On the other hand, we could use the model checker Bogor [25] (with the Bandera plugin [1] ) to provide automatic translation and analysis. Our model checking approach differs in that we achieve all our results using formal source transformation rules which at least in theory allow for formal verification of the translations themselves.
Other existing work has proposed using formal source transformation to bridge gaps between verification and practice. In our own previous research we have used formal source transformation to extend the capabilities of the VeriSoft C++ model checker to handle Java RMI verification [26] , and at Microsoft Research formal source transformation has been used to transform concurrent device drivers to sequential approximations that can be checked for some concurrency properties using sequential model checking [27] .
Conclusion
We have presented a uniform source transformation-based framework for specifying, testing, and model checking implicit-invocation (II) systems. It consists of IIL, a special purpose high-level language for specifying II systems, and two fully automatic, formally specified source translations: one to the Turing Plus language for execution and testing, and one to the input language of a standard model checker for verification. The framework demonstrates how formal source transformation can be used to combine the convenience of a specialpurpose language with the benefits of two complementary quality assurance techniques: testing and model checking. Furthermore, it shows how the signif-icant gaps between artifacts can be bridged using transformation. Automatic source translation makes the analysis in our framework less error prone, less time consuming and more reliable.
The contribution of our work lies not only in the development of the transformation framework but also in the opportunities for future research. The framework provides an excellent testbed for exploring both automated transformation and the synergies between testing and model checking.
