Automating the Design of Specification Interpreters by Stirewalt, R. E. Kurt et al.
Automating The Design of Specication Interpreters
Kurt Stirewalt, Spencer Rugaber, Gregory Abowd
College of Computing
Georgia Institute of Technology
Atlanta, Georgia 30332-0280
Abstract
In this paper, we demonstrate the use of model check-
ing in an automated technique to verify the opera-
tionalization of a declarative specication language.
We refer to an interpreter synthesizer as a software
tool that transforms a declarative specication into
an executable interpreter. Iterative approaches to
synthesizer generation rene initial synthesizer de-
signs by validating them over a test suite of specica-
tions. Carefully chosen test suites and structural con-
straints enable inductive reasoning with support from
a model checker to assert the correctness of gener-
ated interpreters. This iterative approach to synthe-
sizer generation occurred naturally in our work on de-
veloping interpreters for declarative human-computer
dialogue languages as part of the DARPA MASTER-
MIND project. We will discuss the issues underly-
ing the translation, operationalization and verica-
tion of the hierarchical task language for MASTER-
MIND. We will also discuss the importance of this
semi-automated, iterative approach for assessing non-
functional design tradeos.
Keywords: model checking, declarative speci-
cation languages, model-based user interfaces, auto-
mated verication
1 Introduction
Reactive, or event-driven, software systems are di-
cult to build and maintain. A good example of such
an event-driven system is the graphical user interface,
in which the behavior of the system is driven by user
activity. A declarative specication language can ease
the initial description of such a reactive system, and
in the case of graphical user interfaces, the speci-
cation language is referred to as dialogue, or task,
language [4]. In the MASTERMIND project, we are
concerned with the development of tools to automate
the generation of graphical user interfaces based on
declarative task specications. Our approach is sim-
ilar to that taken in the model-based user interface
community [11].
One problem that we encountered is the diculty
of formally proving the correctness of an interpreter
built for the task specication language. This is
a general problem of operationalizing a declarative
specication language. Operationalization is the pro-
cess of generating an interpreter synthesizer for a
declarative specication language. The synthesizer
generates a reactive state-based interpreter to imple-
ment the specied behavior. Operationalized speci-
cation languages enable engineers to specify and rea-
son over systems and then feed the specications into
a compiler that generates an executable simulator.
Operationalization as a process is inherently an
engineering activity. Analysts design synthesizers
that satisfy interdependent constraints from two ma-
jor sources: specication language semantics and
customer eciency requirements. Variations in the
specication language imply changing semantic con-
straints on the design of the synthesizer. Likewise,
requirements on the synthesized interpreters mani-
fest themselves as constraints on synthesizer design.
An engineering process for operationalization must
support the generation of synthesizers that simulta-
neously satisfy constraints from both sources. We
Page 1
found symbolic model checking technology useful in
automating this simultaneous solution process. The
results we present in this paper directly address the
translation from a specication language|in our case
the MASTERMIND task modeling language|to an
executable interpreter consisting of communicating
state machines. We describe an approach that ad-
dresses the treatment of non-functional eciency re-
quirements. The end result of the design process is
a set of tools to generate and verify a synthesizer
and partial results that could be used to reapply the
process in the face of change (e.g., if the language
changes, or the eciency requirements of the cus-
tomer change.)
Overview of paper
In Section 2, we relate this application of model
checking to other work on applying model checking
to software systems. Using the specic example of
the MASTERMIND task modeling language, we ex-
plore in Section 3 the issues surrounding the intro-
duction of automation into the engineering process
of generating an interpreter from a declarative spec-
ication language. The approach we use is to trans-
late the language into an interpreter using concurrent
state machines. There are then trade-o issues deal-
ing with the mechanics of how communication occurs
between these state machines. In order to follow an
engineering approach to examining these alternatives,
we need to invoke some automated support, and this
is where we employ modern model checking technol-
ogy. In Section 4, we discuss how we use a partic-
ular model checking technology, the Symbolic Model
Verier (SMV)[9]. Using this tool we were able to
experiment with design tradeos to ensure the prod-
uct meets its functional requirements, and to quickly
understand how inconsistency arises. Additionally,
the infrastructure facilitates tuning a design to non{
functional user requirements without sacricing cor-
rectness. In Section 5, we outline a procedure for this
automated trade-o analysis.
2 Related Work
There has been increasing attention given by the soft-
ware engineering community to the merits of model
checking. On the surface, the approach is very sim-
ple. A problem is described in terms of a state-based
model description and that model is exhaustively
searched in order to verify that it upholds certain
properties. The cause for the recent surge in interest
can be linked to developments that have provided for
ecient search across very large nite state spaces us-
ing symbolic instead of explicit means of representa-
tion [3, 9]. The majority of the work in model check-
ing has been demonstrated on hardware problems,
because they are better suited to model checking tech-
nology's restriction to nite models. Applications
of model checking to event-based software systems
which have a nite state representation have been
demonstrated for examining timing requirements [2]
and for verifying properties of production rule dia-
logues in a human-computer interface [1].
Model checking is good at pointing out errors in a
specication, but it requires a nite state representa-
tion of a problem. Wing and Vaziri-Farahani [12] pro-
vide an elegant argument justifying the application of
model checking technology to software problems with
innite state spaces through nite abstractions. Jack-
son [8] used model checking technology to eciently
search a nite pruning of a Z specication state space
to detect errors. We are also taking advantage of the
error spotting in our iterative approach to verifying a
synthesizer generator in this paper. Our work here is
a unique application of model checking to the prob-
lem of matching a declarative language to an auto-
matically generated interpreter. Our tools not only
employ a symbolic model checker to do exhaustive
search, as done by all of the approaches listed above,
but they also generate the properties of specications
that need to be checked.
Page 2
3 Case Study: The MASTER-
MIND Task Language
A reactive system specication environment provides
designers with a language for specifying reactive sys-
tems, a suite of tools for reasoning over specications,
and a compiler that generates executable run{time
systems from specications. Such environments dif-
fer in the nature of the specication language, the
degree of support for reasoning, and the extent to
which the generation of run{time systems is fully au-
tomated. MASTERMIND is an environment that
specializes in generating highly interactive user in-
terfaces and attaching them to applications [10]. The
MASTERMIND project involves a number of dier-
ent models that are relevant for interactive systems
design (presentation, application, and task) and we
are focusing here on the task model and its associ-
ated specication language. A suite of design critics
help designers reason about these specications, and
the task interpreter synthesizer generates executable
run{time interface drivers from these specications.
The MASTERMIND approach is useful because its
task specication language directly supports hierar-
chical task analysis. Features of the language compli-
cated the design of the interpreter synthesizer. This
section explores those complications.
3.1 The Language
Research in human{computer interaction suggests
that hierarchical task analysis is a natural means of
dialogue specication [4]. The MASTERMIND task
language is a visual language for expressing the re-
sults of such analysis. It allows designers to spec-
ify task hierarchies, hierarchical ordering constraints,
and interaction with an external environment in the
form of preconditions and eects. The visual lan-
guage has a textual analogue (which we will use in
this paper) containing only hierarchy and ordering
information.
An example helps motivate the language. Suppose
we are to design the interface for a simple e{mail pro-
gram. Users of this program want to accomplish two
main tasks: sending mail and reading mail. In the
designer's mind, users perform one of these tasks or
the other, but not both at the same time. This is
expressed in the task language by declaring the Mail
task to decompose alternatively into the Send Mail
task and the Read Mail task:
Mail ::= alt(Send Mail ;
Read Mail)
The keyword alt species that one and only one of
the subtasks may be performed. The designer must
now rene the two subtasks. The Send Mail task has
three major subtasks: enter the name of the recipi-
ent, compose the message to be sent, and send the
message. The designer rationalizes that these sub-
tasks must be performed in that order and declares
the following:
Send Mail ::= seq(Enter Recipient ;
Compose Message;
Press Send)
Each of these subtasks must be rened. The simplest
is Press Send which represents an atomic user inter-
action via a mouse press. It has no subtasks, and so
is declared as a leaf task:
Press Send ::= leaf
In addition to those already described, the lan-
guage provides the following ordering operators:
par species that subtasks may be performed in
any order and interleaved. For example, the
Enter Recipient and Compose Message tasks
might be ordered in this fashion rather than
sequentially, allowing users to perform parts of
both both tasks in any order.
opt species that a single subtask may execute, or
may be skipped if the user chooses to perform a
subsequent subtask. An opt task in the e{mail
example might be the a task to enter Carbon
copy (Cc) recipients.
cond species that a single subtask will execute in
the situation where an environmental condition
is initially satised. If an e{mail user imports
Page 3
non{ASCII data in the text of the message, the
system could issue a warning to inform this per-
son that some mailers might have diculty with
the message. A cond task could be used to place
the warning at an appropriate point relative to
other tasks.
continuous species that a subtask executes contin-
uously as long as some environmental condition
is satised. The Read Mail task, for example,
might reissue the read prompt as long as there
are unread messages in the mail box.
repeat species that a single subtask executes re-
peatedly as long as the user chooses to request
it. Rather than choosing to return the user to the
read prompt based on the mail box contents, the
Read Mail task could instead allow the user to
explicitly repeat the task or continue with some
subsequent task.
The opt, cond, continuous, and repeat ordering
operators are required to operate over a single sub-
task. The seq, par, and alt operators operate over
any nite set of subtasks.
3.2 State Machine Interpretation
Since the task language expresses hierarchical order-
ing invariants over subtasks, its operationalization
was dicult. The rst issue we faced was deciding
the representation of the interpreter. Task speci-
cations express the legal orderings of user and sys-
tem interactions. Operational interpretations must
actively monitor interaction and constrain the system
so that only legal orderings may occur. Specically,
if in some state only a certain set of interactions is
legal, the interpreter enables only the widgets associ-
ated with this set of interactions. Enabling a widget
means allowing that widget to accept mouse and/or
keyboard events. When the system changes state in
response to an interaction, the set of legal leaf tasks
will likely change. The interpreter handles this by
disabling enabled widgets not in the new set and en-
abling those in the new set that were not in the old
set. This is typically indicated by greying out but-
tons, menu items, etc. The legality of a given inter-
action changes depending upon temporal context.
If, for example, we declare that the tasks En-
ter Recipient and Compose Message are to be
strictly sequenced, interactions that comprise En-
ter Recipient must be enabled for the duration of
that task but disabled when Compose Message
begins. Our language is such that the legal inter-
actions associated with a state are statically deter-
minable. Given this behavior it seems natural to as-
sociate sets of legal interactions with states in the
generated interpreter.
3.3 Correctness by Induction
Engineers are obliged to show that synthesizer designs
yield a generator that produces correct interpreters.
Deductive proofs of correctness are ideal, but they
are dicult to construct. If some aspect of the prob-
lem can be shown to have inductive structure, then we
could exhaustively show correctness on a small collec-
tion of tests and use the induction principle to assert
correctness on any specication. An inductive proof
of design correctness utilizes a technique called struc-
tural induction. Structural induction establishes the
correctness of a synthesizer over a set of atomic tasks
(the base case) and then argues that simple compo-
sitions of these tasks are correct (the inductive step).
The induction principle then says that the synthe-
sizer generates a consistent machine for specications
of any size.
We developed a test suite of example specications
that exhaustively exercises both the base case and the
inductive step. If a synthesizer passes the test suite,
we assert semantic condence in that product. For
the proof to hold, we must argue that specications
not in the set behave like compositions of specica-
tions in the set (the structural induction argument).
Specically, the synthesizer must generate inter-
preter components that communicate hierarchically
because the ordering operators correspond to tasks
with hierarchical subtasks. This means that the out-
put representation cannot be a simple state machine.
Simple state machines retain compositional structure
for some of the task language operators but not all of
Page 4
them. Composition using the seq operator, for exam-
ple, can be preserved by making the nal state of the
machine synthesized from the rst subtask the start
state of the machine generated by the second sub-
task. The alternative operator is likewise preserved.
The par operator, however, is not preserved in the
structure of the machines. The only general way to
implement the par of two state machines is to gen-
erate a machine whose states are the cross product
of the states of the constituent subtasks, yielding an
explosion of states. This problem necessitates a dif-
ferent representation for the output of the synthe-
sizer. Since simple state machines cannot deal well
with parallelism, we look to a system of concurrent
state machines [6].
3.4 Concurrent Mealy Machines
We chose to make the synthesizer translate each task
into a Concurrent Mealy Machine. Mealy Machines[7]
are deterministic nite state machines that consume
and then produce a symbol at every state transition.
Concurrent Mealy Machines treat the produced sym-
bols as events and allow the produced events of one
machine to be the consumed events of others. Mealy
Machines compose by synchronous parallel composi-
tion [5] With only seven types of tasks in the lan-
guage, we need only seven classes of Mealy Machine.
Each dierent class of task ordering is captured by a
canonical machine that controls the execution of sub-
tasks by issuing control events. Interaction tasks are
also associated with machines and respond to En-
able and Disable control events issued by machines
upholding ordering invariants.
Mealy Machines enforce ordering invariants by ob-
serving the behavior of other machines and issuing
control events that enable or disable these machines.
Subtask machines must have facilities to respond to
control events, and control events must be targetted
to particular machines. Since tasks compose hierar-
chically, any type of task might be the subtask of an-
other task. The following states exist in all machine
classes for ordering control:
notready indicates this machine is not able to do
anything because of ordering constraints.
ready indicates this machine is able to perform an
activity but has not yet begun.
active indicates this machine is presently participat-
ing in some form of activity.
With these canonical states there are canonical events
that cycle through them.
Enable forces a machine in the notready state to
transition to the ready state.
Disable forces a machine in the ready state to tran-
sition back to the notready state.
3.5 Example Design Decision
Consider modeling part of the dialogue of a World
Wide Web browser. Users may move forward one
page or back one page by pressing arrow buttons on
the toolbar. One cannot, however, do both at once.
The tasks associated with this choice are modeled in
our formalism as follows:
History ::= alt(Move Forward ;
Move Back)
(where Move Forward and Move Back are interac-
tion tasks). The synthesizer generates a Mealy ma-
chine for each of the three tasks. At some point, the
History machine enables its subtasks by issuing an
Enable event to bothMove Forward andMove Back .
Once enabled, widgets associated with these ma-
chines are enabled, and the user may physically in-
teract with one of them to communicate a choice.
If the user clicks on the widget associated with the
Move Forward machine, the History machine must
issue a Disable event to the Move Back machine.
The alt machine (History) must respond to the
activity of subtask machines to know when to issue
Disable events to others. One way to implement this
is to make the ordering machines like alt peek into the
states of subtask machines and transition based on
the results of these peeks. Another implementation
forces subtasks to announce activity to parent tasks.
Each approach has advantages, and the decision to
use one or the other is a trade{o between time and
space requirements. Peeking is the least sensitive to
Page 5
race conditions, but uses a lot of space for deep hi-
erarchies. The announce option, on the other hand,
uses constant space but must make a number of steps
to get to its destination. The dierence between the
two becomes more noticeable with deeper hierarchies:
Mail ::= alt(Send Mail ;
Read Mail)
Send Mail ::= seq(Enter Recipient ;
Compose Message;
Press Send)
Read Mail ::= seq(Select Mailbox ;
Select Message)
The Mail task controls the exclusive choice of interac-
tion tasks Enter Recipient and Select Mailbox which
are not its immediate subtasks.
If the machine associated with Mail uses peeking
to detect activity, it must be able to peek into the
internal state of both interaction tasks. There could
be many of these interaction tasks. The ordering ma-
chine might need to peek into as many as 2k machines
where k is the depth of the hierarchy rooted by the
alternative task. Peeking clearly gives up space to
achieve more rapid switching.
Instead of peeking, machines could announce ac-
tivity by issuing an Activate event to their imme-
diate parent. The parent would then perform any
ordering activity appropriate at its level in the hier-
archy and issue another Activate event to its parent.
In the Mail example, when the Enter Recipient ma-
chine notices interaction, it issues an Activate event
to Send Mail . Send Mail will then issue an Activate
event to Mail . At this point, the Mail task issues a
Disable event to Read Mail which in turn sends a
Disable event to Select Mailbox . Announcing activ-
ity clearly introduces delay in terms of propagation
to achieve constant space increase.
The mechanism for responding to activity poses a
design choice. Engineers can weigh the cost/benets
of time and space usage, but they have no way of
knowing the solution is correct. Both approaches
seem to work for this small example, but there are
six other types of ordering operators. A tool that
judges the validity of such design decisions would be
benecial.
4 Model Checking
Which observation mechanism should we use? Both
solutions have good and bad properties. The peeking
solution is easier to reason about because it subsumes
the need to propagate events throughout the hierar-
chy. Unfortunately, it comes with a possibly expo-
nential cost in terms of added states. The announce-
ment of activity solution, on the other hand, is not as
easy to reason about but uses much less space. Ulti-
mately, engineers will decide which strategy to apply
and will need to demonstrate the correctness of the
choice with respect to the task language. Some of
these solutions are dicult to reason about, and deci-
sions tend to be subtly inter{related. If tradeos like
peek vs. announce come up for each ordering mecha-
nism, decisions made in one case will likely invalidate
assumptions made in others. Fortunately, automated
tools can be applied to assist in the validation.
In our approach, engineers associate each type of
task in the specication language with a unique class
of state machine and a schema of temporal invariants
demonstrating the ordering semantics of the task. A
tool instantiates specications into a collection of con-
current Mealy Machines and a collection of temporal
invariants whose composition demonstrates the cor-
rectness of the machines. The output of the transla-
tion tool can be fed into the SMV Model Checker to
be veried. When this step passes for each specicifa-
tion in the test suite, the design is correct.
4.1 The SMV Model Checker
The SMV model checker reads the specication of
a system of concurrent state machines and a collec-
tion of temporal specications over the states of these
machines. SMV state machines are dened in two
parts. VAR blocks declare variables that retain in-
ternal state. States of the machine are taken to be all
combinations of variable values. ASSIGN blocks ex-
press transition functions. Initial values are assigned
to each of the state variables through the init(: : :) as-
signment. The transition function is constructed by
associating a state (set of variable values) with a set
of possible next states (new values of variables) using
Page 6
the next(: : :) state feature.
A MODULE in SMV is a parameterized encapsu-
lation of state machine declarations. MODULES can
be instantiated into the state of other MODULES. An
unparameterized distinguished MODULE main con-
tains the concurrent state machine instantiations that
make up a system. During instantiation, MODULE
parameters of a machine can be bound to internal
state variables of other machines.
4.2 State Machine Conventions
Engineers dene classes of Mealy machines corre-
sponding to the dierent features of the specication
language. Since machines must compose hierarchi-
cally, we provide a template of minimal state function-
ality that each class must possess. Machine classes
take the form of parameterized SMV modules1. Ma-
chine instantiation then corresponds to MODULE in-
stantiation. A template addresses two needs:
1. support for general hierarchical composition, and
2. augmentation with ordering invariants.
The template reserves the names of two internal
state variables: state and event. The state variable
maintains the state of the particular machine. In-
teraction widgets and application service invocations
are associated with these states. The event vari-
able remembers an event issued to this machine by
some other. This is necessary because SMV does not
directly support event/broadcast mechanisms. Ma-
chines must inuence the state of other machines by
issuing events. A machine may not directly modify
the state variable of another machine.
For machines to issue events to other machines,
they must be connected. Connections represent the
minimal state required for two machines to commu-
nicate (access each other's internal states and issue
events to one another). Connections are directed in
the sense that they always match a parent machine to
a child machine, but both machines can issue events
1
To Referee: We have included two such classes in the ap-
pendix. The classes for the other ordering operators can be
included if you think they would be instructive. We did not
include them for reasons of space.
to each other. To support connection, all classes of
machine have the following two MODULE parame-
ters for each machine with which they might need
to communicate. One of these parameters is bound
to the machine, and the other parameter is bound to
the event variable of the machine. The binding of the
event variable of other machines allows this machine
to modify the eld (issue the other machine an event).
Two parameters are necessary because SMV visibil-
ity rules only allow modication of variables that are
explicitly passed as parameters. Those variables that
are brought into scope by the machine binding are
eectively read{only.
The hierarchy:
History ::= alt(Move Forward ;
Move Back)
Move Forward ::= leaf
Move Back ::= leaf








Move_Forward : process leaf(History
History.event);
Move_Back : process leaf(History,
History.event);
The machine History has a connection with the ma-
chine Move_Forward. Move_Forward is instantiated with
History's event variable and so may issue an event
to History. Likewise, History is instantiated with
Move_Forward's event variable.
4.3 Invariant Conventions
To validate the instantiated machines we must also
instantiate the invariants that express their correct-
ness. SMV expresses state machine invariants using
Computation Tree Logic (CTL). CTL is a subset of
branching time temporal logic that allows the speci-
cation of temporal properties over paths execution.
SMV uses model checking to verify or refute CTL
formulae over classes of concurrent state machines.
Page 7
When the CTL expression is of a certain form, SMV
can actually construct a counter{example to demon-
strate a failure case. To the extent possible, we ex-
ploit that form in the invariants we instantiate so that
engineers will get constructive feedback when their
designs are awed.
The semantics of the various task language features
are captured in a quantied tree language that facil-
itates instantiation alongside the state machines. In
general the ordering operators demonstrate semantics
by proving two types of properties:
safety which demonstrate that the orderings are not
violated, and
liveness which demonstrate that a maximal number
of legal choices are presented to the user.
We take as an example the semantics of the alt order-
ing operator. Alternative ordering explicitly prohibits
concurrent activity between machines in disjoint sub-
tasks. The disjointness can be captured by the CTL
expression:
AG !((t1.state = active) & (t2.state = active))
where t1 and t2 are machines associated with sub-
tasks at some level from the two disjoint subtasks.
The semantics of alternatives imply that the user can
make a choice. This liveness property is captured
with the following CTL expression:
EF ((t1.state = ready) & (t2.state = ready))
where t1 and t2 are machines associated with the
direct subtasks of the particular task.
Interestingly, liveness properties tend to be ade-
quately captured by temporal constraints over im-
mediate subtasks; whereas safety properties tend to
require temporal constraints over all possible pairs of
descendant subtasks.
4.4 Announce Example
The MODULE leaf (shown in Figure 1) represents
an interaction task. Needing to communicate only
with its parent in the hierarchy, it takes two parame-
ters. From the ready state, the machine could receive
an Activate event. Since parent tasks assume sub-
tasks notify them of activity, this task must issue an
MODULE leaf(parent,parevent)
VAR
event : fNull, Disable, Enable, Activateg;






(state = notready) &
(event = Enable) : ready;
(state = ready) &
(event = Disable) : notready;
(state = ready) &
(event = Activate) : active;










next(state) = active : Activate;
1 : parevent;
esac;
Figure 1: SMV description of a leaf interaction task.
Activate event to its parent. This is achieved through
the assignment next(parevent) := .... Each class
of machine has similar functionality to support the
propagation of Activate events up the hierarchy.
MODULEs representing the alt and seq ordering ma-
chines appear in the appendix.
Unfortunately, when we apply SMV to the ma-
chine instantiation and invariant instantiations of the
History hierarchy, the invariant does not hold. SMV
provides us with the counterexample of Figure 2. The
inconsistency arises from an event propagation race
condition. The counterexample shows an execution
sequence in which both Move_Forward and Move_Back
become active before History is scheduled to run.
Perhaps machines should check for sibling activity
rather than relying on control events to arrive. This
observation led us to the peeking solution.
4.5 Peek Example
The next design makes use of the DEFINE primitive
in SMV which allows designers to associate a symbolic































Figure 2: SMV counterexample for the activity an-
nouncement solution of the History hierarchy.
are recursive with respect to MODULE instantiation
which allows one to compactly dene modules that
can peek at the states of arbitrarily many machines.
The actual state duplication to support this peeking
is done at MODULE instantiation time. The expres-
sion is powerful and particularly useful for quantify-
ing over the behavior of all machines in an inductive
structure like a task hierarchy. As with any pow-
erful feature, it must be applied symmetrically and
methodically.
Machines are extended with the DEFINE macro
BUSY that summarizes activity in the hierarchy rooted
by the machine. For leaf machines, the declaration is:
BUSY := (state = active)
whereas for machines like alt that represent internal
nodes in hierarchies, the BUSYmacro includes the BUSY
for each subtask:
BUSY := (state = active) | child1.BUSY | child2.BUSY
With this macro dened for each class of machine,
other machines can compactly ascertain the activ-
ity of all machines in a sub{hierarchy by referring
to the BUSY macro of the machine that tops the hi-
erarchy. Ordering task machines are extended with
two macros: PAREXCL1 and PAREXCL2 that encapsulate
exclusion criteria induced by parent machines. Ex-
clusion criteria are built up from logical conditions
about the BUSY{ness of sibling hierarchies according
to parent tasks. For alternative machines, the exclu-
sion criteria for the rst subtask machine (PAREXCL1)
states that the second subtask machine is not experi-
encing activity at any level in its hierarchy. If the rst
subtask machine could somehow access this knowl-
edge, it could use in as a precondition for becoming
active.
By supplying these exclusion criteria as MODULE
parameters, leaf machines will have access to the ex-
clusion appropriate to their level in the hierarchy.
The leaf transition to the active state can then have
the additional condition that there is no sibling ac-
tivity that would preclude this machine going active.
The peeking declarations for leaf and alt appear in
the appendix. SMV conrms that this design upholds
the safety specication for the History example.
5 Addressing Design Tradeos
The iterative approach addresses correctness require-
ments but does not directly address eciency require-
ments. Typical specication languages might have
a collection of correct operationalizations. Some of
these will have more desirable non{functional prop-
erties than others. Ideally, a mechanized design pro-
cess converges to a solution that is both correct and
ecient.
5.1 An Example Tradeo
The tradeo between peeking and announcement is il-
lustrative. Peeking at the internal state of concurrent
machines requires support from the run{time inter-
preter. When the degree of peeking is excessive, this
support can be prohibitively expensive. The SMV
macros we use to implement peeking expand into an
amount of state proportional to the depth of a leaf
node in a hierarchy. In the worst case, this expansion
is exponential. The alternative to intrusive peeking
is to communicate control by issuing events. The an-
Page 9
nouncement based design failed because control was
delocalized and sometimes machines could carry out
illegal behavior before the control events disabling
such behavior had time to arrive. Though the ap-
proach failed to hold up under correctness scrutiny,
it has very desirable eciency properties. The two
approaches are at opposite end points of a design
spectrum. Perhaps a hybrid design exists that has the
correctness properties of the peeking solution and the
eciency properties of the announcement solution.
What makes the announcement solution fail is that
it assumes too much about the relative scheduling
of concurrent machines. The model checker looks at
all possible interleavings to make sure that designs
are not sensitive to such orderings. Delivered inter-
preters, however, will only simulate parallel execution
on a sequential machine. If the scheduling policy is
xed by the design, the engineer could use knowledge
of the schedule when designing state machines to re-
duce the amount of duplicated state. Conversely, if
the engineer determines that a scheduling assumption
enables an ecient state machine design, he could x
the interpreter scheduling policy to be one that re-
ects that assumption. This adds another degree of
freedom to the design process.
For example, we believe a prioritized scheduling
policy enables an ecient compromise between the
peeking and event announcement solutions. If ma-
chines only need to peek at parent states to guard
themselves from going active, the amount of repli-
cated state would be linear in the depth of the hier-
archy as opposed to exponential. This is safe as long
as events issued to parent machines reach those ma-
chines before other machines that the parent controls
can execute. Since Activate events propagate up the
hierarchy, we believe that a prioritized scheduling al-
gorithm in concert with parent peeking would uphold
the safety semantics of the ordering operators.
5.2 Automated Design Support
This opens an interesting question regarding the au-
tomation of interpreter design: Can we extend the
model checking framework to enable engineers to
experiment with tradeos of state machine design
and scheduling policy? Extension requires a suitable
metaphor for scheduling policy in terms understood
by model checking technology.
Scheduling policies can be thought of as con-
straints on the sequences of feasible machine execu-
tions. The SMV model checker associates a boolean
value running with each state machine. The running
value is true when the associated machine is execut-
ing in that state and false otherwise. With the in-
terleaved process model of execution, only one ma-
chine is ever running in any given state. The running
value is treated as just another state variable and
can be referred to in CTL expressions. This allows
engineers to express execution ordering constraints|
scheduling policies|using CTL. Conceptually, these
expressions represent path lters, and invariant spec-
ications should only be applied to paths that are
not ltered out by these expressions. The feasibil-
ity of reasoning about design tradeos between state
complexity and scheduling policy now rests on two
assumptions:
1. CTL is a comfortable mechanism for denoting
the scheduling policies engineers want to reason
about, and
2. The path lter architecture has a realization ei-
ther through some CTL construct or some ex-
plicit facility in a given model checker.
5.3 Diculties Using CTL
We believe that CTL is a comfortable schedule spec-
ication mechanism. Consider the proposed priori-
tized scheduling policy acting on the WWW browser
history interaction example. All paths that are con-
sistent with this policy will uphold the following in-
variant at every point along those paths:
((Move_Forward.running -> (!(EX History.running) |
(AX History.running))) &
(Move_Back.running -> (!(EX History.running) |
(AX History.running))))
This says that if Move_Forward or Move_Back is running
in the current state, then either History cannot run in
the next state or it necessarily runs in the next state.
The condition can be synthesized for an arbitrary task
hierarchy.
Page 10
We rst attempted to bring scheduling reasoning
into our framework by guarding the correctness in-
variant specications with these schedule invariants.




Unfortunately, this formadmits paths for which the
scheduling-invariant does not hold globally. Con-
sider a path p1p2 : : :pkq1q2 : : :. The pi states are
such that the scheduling invariant is not true, and
the qi states are such that it is true. When the an-
tecedent of an implication is false, the implication is
true. This path would be admissible according to the
specication. Scheduling invariants cannot be com-
bined with correctness invariants in this manner be-
cause too many paths are admissible.
A mechanism is needed that will apply the correct-
ness invariant only to paths for which the scheduling
invariant holds globally. Functionality for this path
selection mechanism must be provided by the model
checker. SMV takes steps in this direction. In SMV,
specications are only quantied over what it calls
fair paths. Fair paths are specied with FAIRNESS
constraints of the form:
FAIRNESS
ctl-form
where ctl-form is any CTL expression. SMV deter-
mines paths for which these constraints are true \in-
nitely often" and uses only these paths when check-
ing specications.
Unfortunately, our problem dictates the need to de-
clare ctl-form to be true globally over all fair paths.
Without this ability, we cannot use SMV as the en-
abling technology for our approach. However, if SMV
could be extended to restrict its attention to paths
for which a given CTL expression holds globally, we
believe that our framework will support design trade-
os between state machine complexity and scheduling
policy.
6 Conclusion
We have demonstrated the utility of model check-
ing in supporting the operationalization of a declar-
ative specication language. By providing support
to check correctness, the model checker frees engi-
neers to explore design tradeos between compet-
ing non-functional requirements. In the MASTER-
MIND example, the primary non-functional require-
ment was ecient interpretation. The optimal solu-
tion is a compromise between scheduling policy and
state space representation. The formalization of this
compromise is easily expressed in second order CTL.
Some model checkers provide limited second order ca-
pabilities (such as SMV's FAIRNESS constraints). Our
framework suggests the usefulness of more general
second order facilities in model checking technology.
References
[1] Gregory D. Abowd, Hung-Ming Wang, and An-
drew F. Monk. A formal techniqe for automated
dialogue development. In Gary M. Olson and
Sue Schuon, editors, Proceedings of the Sym-
posium on Designing Interactive Systems: Pro-
cesses, Practices, Methods & Techniques, pages
219{226. ACM Press, August 1995.
[2] Joanne Atlee and John Gannon. State-based
model checking of event driven systems require-
ments. IEEE Transactions on Software Engi-
neering, 19(3), January 1993.
[3] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L.
Dill, and L.J. Hwang. Symbolic model checking:
1020 states and beyond. In Proceedings of the 5th
International Symposium on Logic in Computer
Science, June 1990.
[4] Alan Dix, Janet Finlay, Gergory Abowd, and
Russell Beale. Human-Computer Interaction.
Prentice Hall, New York, 1993.
[5] Nicolas Halbwachs. About synchronous pro-
gramming and abstract interpretation. In
First International Static Analysis Symposium,
SAS'94, pages 179{192, 1994.
[6] David Harel. On visual formalisms. Communi-
cations of the ACM, 31(5), 1988.
Page 11
[7] John E. Hopcroft and Jerey D. Ullman. In-
troduction to Automata Theory, Languages, and
Computation. Addison Wesley Publishing Com-
pany, 1979.
[8] Daniel Jackson and Craig A. Damon. Elements
of style: Analyzing a software design feature
with a counterexample detector. In Interna-
tional Symposium on Software Testing and Anal-
ysis (ISSTA'96), 1996.
[9] K. L. McMillan. Symbolic Model Checking: An
Approach to the State Explosion Problem. PhD
thesis, Carnegie Mellon University, 1992. CMU-
CS-92-131.
[10] R. Neches, J. Foley, P. Szekely, P. Sukaviriya,
P. Luo, S. Kovacevic, and S. Hudson.
Knowledgeable development environments using
shared design models. In Intelligent Interfaces
Workshop, pages 63{70, January 1993.
[11] Pedro Szekely, Ping Luo, and Robert Neches. Be-
yond interface builders: Model-based interface
tools. In Human Factors in Computing Systems
| INTERCHI'93, pages 383{390. Addison Wes-
ley, April 1993.
[12] Jeannette M. Wing and Mandana Vaziri-
Farahani. Model checking software systems: A
case study. In Third ACM SIGSOFT Symposium
on the Foundations of Software Engineering, Oc-
tober 1995.
Appendix
This is the complete specication for the peeking so-
lution with an instantiation for the WWW browser
History task hierarchy.
The MODULE leaf represents an interaction task.
MODULE leaf(parent,parevent, pexcl)
VAR
event : Null, Disable, Enable, Activate;






(state = notready) &
(event = Enable) : ready;
(state = ready) &
(event = Disable) : notready;
(state = ready) &
!pexcl &
(event = Activate) : active;





(state = ready) &





(state = ready) &
!pexcl &




BUSY := (state = active);
The MODULE alt enforces an alternative decom-
position between two subtask machines:
Page 12




event : Null, Disable, Enable, Activate;






(state = notready) &
(event = Enable) : ready;
(state = ready) &
(event = Disable) : notready;
(state = ready) &
(event = Activate) : active;
(state = active) &
(child1.state = notready) &





(next(state) = ready) : Enable;
(next(state) = notready) : Disable;
(next(state) = active) &





(next(state) = ready) : Enable;
(next(state) = notready) : Disable;
(next(state) = active) &





(state = ready) &




BUSY := (state = active) |
child1.BUSY |
child2.BUSY;
PAREXCL1 := (pexcl | (child2.BUSY));
PAREXCL2 := (pexcl | (child1.BUSY));
Since machines compose hierarchically with con-
nections to parent machines, we need a machine with
no parent to be the top of the hierarchy:
MODULE top(cevent)
VAR
event : Null, Disable, Enable, Activate;











(state = notready) &
(event = Enable) : ready;
(state = ready) &





PAREXCL := (state = active);
This MODULE main instantiates the History hi-





















AG !((Move_Forward.state = active) &
(Move_Back.state = active))
SPEC
EF((Move_Back.state = ready) &
(Move_Forward.state = ready))
Page 13
