Editorial

I am pleased to announce some changes in the composition of the TOSEM Editorial Board. The 3-year term expired for the following Associate Editors: Prem Devanbu, Constance Heitmeyer, Kevin Sullivan, and Catalin Roman. I wish to thank them publicly for their service to the journal and, more generally, to the software engineering community. The following colleagues joined the Board in January 2004: Laura Dillon, Paola Inverardi, Mehdi Jazayeri, and Pamela Zave. The group was expanded in January 2005 to include George Avrunin, Mary Jean Harrold, Gail Murphy, Oscar Nierstrasz, David Rosenblum, and Tetsuo Tamai. Their brief biosketches are listed below. I wish to welcome all of them and thank them in advance for the contribution they will provide in keeping the high standards and scientific reputation of the journal.

CARLO GHEZZI
Editor-in-Chief

Associate Editors Effective January 2004

Prof. Laura K. Dillon
Department of Computer Science and Engineering
Michigan State University
3115 Engineering Building
East Lansing, MI 48824-1226, USA
email: [email protected]
http://www.cse.msu.edu/~ldillon

Dr. Laura (Laurie) K. Dillon received her Ph.D. degree in Computer Science from the University of Massachusetts, Amherst (1984). She previously served on the faculty at the University of California, Santa Barbara (1985–1998). Currently, she is a professor and interim chair of Computer Science at Michigan State University. Laurie’s research interests center on formal methods for specification, analysis, and testing of software systems. She has served the software engineering community on various editorial boards, program committees, funding panels, and professional advisory committees. Most recently, she was program co-Chair of ICSE’03 and she sits on the Executive Committee of ACM SIGSOFT.

Prof. Paola Inverardi
Dipartimento di Informatica
Via Vetoio, Loc. Coppito
I-67100 L’Aquila, Italy
email: [email protected]
http://www.di.univaq.it/inverard/paola.html

Paola Inverardi is full professor at the University of L’Aquila.
Previously she has worked at IEI-CNR in Pisa and at Olivetti Research Lab in Pisa. She is head of the Department of Computer Science at the University of L’Aquila where she leads the Software Engineering and Architecture Research Group. Her main research area is in the application of formal methods to software development. Her research interests primarily concentrate in the field of software architectures. She has actively worked on the verification and analysis of software architecture properties, both behavioural and quantitative for component-based, distributed and mobile systems. She has served as general chair, program chair, and program committee member for many international conferences. She is currently Chair of the Steering Committee for the European Software Engineering Conferences (ESEC).

ACM Transactions on Software Engineering and Methodology, Vol. 14, No. 2, April 2005, Pages 119–123.

Prof. Mehdi Jazayeri
Faculty of Informatics
University of Lugano
6900 Lugano, Switzerland
email: [email protected]
http://www.infosys.tuwien.ac.at/Staff/mj

Mehdi Jazayeri is currently dean of the Faculty of Informatics and professor of Computer Science at the University of Lugano, Switzerland. He also holds the chair of distributed systems at the Technical University of Vienna. He spent many years in software research and development at several Silicon Valley companies, including ten years at Hewlett-Packard Laboratories in Palo Alto, California. His recent work has been concerned with component-based software engineering of distributed systems, particularly Web-based systems. He is a co-author of Programming Language Concepts (John Wiley, 1998), Fundamentals of Software Engineering (Prentice-Hall, 2002), and Software Architecture for Product Families (Addison-Wesley, 2000).

Dr. Pamela Zave
AT&T Laboratories
80 Park Avenue, Room D205
Florham Park, New Jersey 07932, USA
email: [email protected]
http://www.research.att.com/info/pamela

Pamela Zave received a Ph.D. in Computer Sciences from the University of Wisconsin, Madison. She taught at the University of Maryland before joining AT&T Bell Laboratories in 1981. Dr.
Zave’s chief interests are requirements engineering and formal methods for software development. She is best known for her work on multiparadigm specification, the executable specification language PAISLey, and the Distributed Feature Composition architecture. In 2002, she was named a Fellow of the ACM for her contributions to the use of formal methods in telecommunication software.

Associate Editors Effective January 2005

Prof. George Avrunin
Department of Mathematics and Statistics
University of Massachusetts
710 North Pleasant Street
Amherst, MA 01003-09305, USA
email: [email protected]
http://ext.math.umass.edu/~avrunin/

George Avrunin is a professor in the Department of Mathematics and Statistics and an adjunct professor in the Department of Computer Science at the University of Massachusetts. His primary research interests are in formal methods, especially finite-state verification and model checking, and requirements engineering. He has served as conference chair for the International Symposium on Software Testing and Analysis and as a program committee member for numerous conferences. He received his Ph.D. in Mathematics from the University of Michigan in 1976.

Prof. Mary Jean Harrold
NSF ADVANCE Professor of Computing
College of Computing
Georgia Institute of Technology
801 Atlantic Drive
Atlanta, GA 30032-0280
[email protected]
http://www.cc.gatech.edu/~harrold

Mary Jean Harrold is the NSF ADVANCE Professor of Computing at Georgia Tech. She performs research in analysis and testing of large, evolving software, fault-localization using statistical analysis and visualization, monitoring deployed software to improve quality, and software self-awareness through real-time assessment and response. Professor Harrold received an NSF NYI Award and was named an ACM Fellow.
She serves on the editorial board of ACM TOPLAS, on the Board of Directors for the Computing Research Association (CRA), as vice chair of ACM SIGSOFT, as co-chair of the CRA Committee on the Status of Women in Computing (CRA-W), and as a member of the Leadership Team of the National Center for Women and Information Technology. She received her Ph.D. from the University of Pittsburgh.

Prof. Gail Murphy
Department of Computer Science
University of British Columbia
201-2366 Main Mall
Vancouver BC Canada V6T 1Z4
e-mail: [email protected]
http://www.cs.ubc.ca/~murphy/

Gail Murphy is an associate professor in the Department of Computer Science at the University of British Columbia in Vancouver, Canada. She received her M.S. degree and Ph.D. degree in Computer Science and Engineering from the University of Washington in 1994 and 1996, respectively, and B.S. (Honors) degree from the University of Alberta in 1987. From 1987 to 1992, she worked as a software designer at a telecommunications firm. Her research focuses on creating and evaluating methods and tools to help software developers manage and evolve the structure of the software systems they are developing both at design time and in source code.

Prof. Dr. Oscar Nierstrasz
Institut für Informatik (IAM)
Universität Bern
Neubrückstrasse 10, CH-3012 Bern, Switzerland
E-mail: [email protected]
http://www.iam.unibe.ch/~oscar/bio.html

Oscar Nierstrasz has been a professor of Computer Science at the Institute of Computer Science (IAM) of the University of Bern since 1994, where he leads the Software Composition Group. He is the author of over a hundred publications and co-author of the book Object-Oriented Reengineering Patterns (Morgan Kaufmann, 2003). Prof. Nierstrasz has been active in the international object-oriented research community, serving on the programme committees of the ECOOP, OOPSLA, ESEC and many other conferences, and as the programme chair of ECOOP ’93 and ESEC ’99. He completed his B.S.
(Math) at the University of Waterloo in 1979, his M.S. in 1981, and his Ph.D. in 1984 at the University of Toronto, in the area of Office Information Systems. Since then he has worked at the Institute of Computer Science in Crete (1985) and in the Object Systems Group at the Centre Universitaire d’Informatique of the University of Geneva, Switzerland (1985–1994).

Prof. David S. Rosenblum
Department of Computer Science
University College London
Gower Street
London WC1E 6BT, United Kingdom

Prof. David S. Rosenblum holds the Chair in Software Systems in the Department of Computer Science at University College London and is Director of London Software Systems, a research institute established jointly with Imperial College London. He received his Ph.D. in 1988 from Stanford University, USA, and he currently holds a Wolfson Research Merit Award from the Royal Society of the UK. He has published widely in testing and run-time monitoring of software and in event-based computing, and his recent research has been investigating problems in Internet-scale publish/subscribe infrastructures. In 2002, he received the International Conference on Software Engineering’s Most Influential Paper Award for his ICSE 1992 paper on assertion checking in C programs. He previously served on the editorial board of the IEEE Transactions on Software Engineering and is currently the Chair of the ICSE Steering Committee.

Prof. Tetsuo Tamai
Graduate School of Arts and Sciences
The University of Tokyo
3-8-1 Komaba, Meguro-ku
Tokyo 153-8902, Japan
email: [email protected]
http://www.graco.c.u-tokyo.ac.jp/~tamai/

Tetsuo Tamai received the B.S., M.S. and D.S. degrees in mathematical engineering from the University of Tokyo. He became a professor of the Graduate School of Arts and Sciences, the University of Tokyo in 1994 and has been in that position ever since.
His current research includes high reliability component-based software engineering, collaboration and role modelling, formal analysis of software architectures, and software evolution process. He has been sharing responsibilities of a number of international academic conferences, including PC of ICSE’s, RE’s, ESEC/FSE’s, ICSM’s and many others, as well as steering committee of APSEC and IWPSE.

A Scalable Formal Method for Design and Automatic Checking of User Interfaces

JEAN BERSTEL
Institut Gaspard-Monge, Université de Marne-la-Vallée
STEFANO CRESPI REGHIZZI
Politecnico di Milano
GILLES ROUSSEL
Institut Gaspard-Monge, Université de Marne-la-Vallée
and
PIERLUIGI SAN PIETRO
Politecnico di Milano

The article addresses the formal specification, design and implementation of the behavioral component of graphical user interfaces. The complex sequences of visual events and actions that constitute dialogs are specified by means of modular, communicating grammars called VEG (Visual Event Grammars), which extend traditional BNF grammars to make them more convenient to model dialogs.

A VEG specification is independent of the actual layout of the GUI, but it can easily be integrated with various layout design toolkits. Moreover, a VEG specification may be verified with the model checker SPIN, in order to test consistency and correctness, to detect deadlocks and unreachable states, and also to generate test cases for validation purposes.

Efficient code is automatically generated by the VEG toolkit, based on compiler technology. Realistic applications have been specified, verified and implemented, like a Notepad-style editor, a graph construction library and a large real application to medical software. It is also argued that VEG can be used to specify and test voice interfaces and multimodal dialogs.
The major contribution of our work is blending together a set of features coming from GUI design, compilers, software engineering and formal verification. Even though we do not claim novelty in each of the techniques adopted for VEG, they have been united into a toolkit supporting all GUI design phases, that is, specification, design, verification and validation, linking to applications and coding.

A preliminary version of this article appeared in Proceedings of the International Conference on Software Engineering (ICSE 2001) (Toronto, Ont., Canada, May 12–19). IEEE Press, New York, 2001, pp. 453–462.

This research was partially supported by Esprit Open LTR Project “Gedisac” and by Miur Project “Firb RBAU01MCAC: Applicazioni della Teoria degli Automi all’Analisi, alla Compilazione e alla Verifica di Software Critico e in Tempo Reale.”

Authors’ addresses: J. Berstel and G. Roussel: Institut Gaspard-Monge, Université de Marne-la-Vallée, 5, Bd Descartes, 77454 Marne-la-Vallée Cedex 2, France; email: {berstel,roussel}@univ-mlv.fr; S. Crespi Reghizzi and P. San Pietro: Dipartimento de Elettronica e Informazione, Politecnico di Milano, P.zza Leonardo da Vinci, 32, 20133 Milano, Italia; email: {crespi,sanpietr}@elet.polimi.it.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or direct commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 1515 Broadway, New York, NY 10036 USA, fax: +1 (212) 869-0481, [email protected].

© 2005 ACM 1049-331X/05/0400-0124 $5.00
ACM Transactions on Software Engineering and Methodology, Vol. 14, No. 2, April 2005, Pages 124–167.
Categories and Subject Descriptors: D.2.2 [Software Engineering]: Design Tools and Techniques—User interfaces; D.2.4 [Software Engineering]: Software/Program Verification—Formal methods, model checking; H5.2 [Information Interfaces and Presentation]: User Interfaces—Theory and methods

General Terms: Design, Verification

Additional Key Words and Phrases: Human-computer interaction (HCI), applications of model checking, GUI design

1. INTRODUCTION

Current industrial practice for designing graphical user interfaces (GUI) uses toolkits and interface builders, mostly based on visual programming languages, for producing the layout. These tools allow a simple and quick description of the geometric display, and may even give some support for designing interaction of components (e.g., QT Designer by Trolltech, Java BeanBox in Sun’s BDK, Visual C++ or Glade). However, the dialog control must be hand-coded with conventional programming techniques and there is no support for checking the dynamic behavior of the interface other than testing.

This situation is unsatisfactory at best, since the resulting systems may be unreliable and difficult to revise and extend. In particular, the reactive nature of event-driven systems (such as a GUI) makes them much more difficult to test, since the output values strongly depend on the interaction that may occur during the computation. Traditional testing techniques may be costly and inadequate for complex GUI, yet the importance of verification and validation cannot be underestimated, since the majority of software applications in any domain have a complex GUI. The current inadequacy of existing techniques for GUI design and verification is particularly felt for safety-critical software, where, disregarding also the important ergonomic needs pointed out by Gray et al. [1999], rich and potentially useful user interfaces may be discarded in favor of primitive interfaces that are easier to test and more dependable.
Formal techniques may allow one to perform systematically, or even automatically, validation and verification activities like testing, simulation and model checking [Clarke et al. 1986; Holzmann 1997], and to prove that the modeled systems possess desired properties. Hence, the validity of the design may be assessed ahead of development. Formality is widely acknowledged to support the construction of more reliable software, and hence is becoming more popular in critical areas. Many formal methods have been proposed for GUI design [Palanque and Paternò 1997], such as (augmented) transition diagrams in Hendricksen [1989], Petri nets in Bastide and Palanque [1995], formal grammars in Reisner [1981], process algebras in Paternò and Faconti [1992], and temporal logic in Brun [1997]. However, general formal methods are considered difficult to use by most engineers, and often get unwieldy as the system complexity grows (i.e., they are beneficial only for small systems or single components). Also, the methods proposed to give complete support to GUI design so far are not amenable to automatic verification techniques, supporting mainly simulation and testing. As pointed out by Shneiderman [1997, p. 159]: “Scalable formal methods and automatic checking of user interface features would be a major contribution”.

We propose a new simple formal method, which combines various features such as modularity, code generation and automatic verification, to give a scalable notation to specify, design, validate and verify GUIs. Our approach, called Visual Event Grammars (VEG) is based on decomposing the specification of a large GUI into communicating automata.
Breaking a complex scene down into communicating pieces may dramatically diminish the number of states, as shown by popular notations such as Statecharts [Harel 1987]. Each automaton is an object, described by means of a grammar, specifying a small part of the control of the scene, such as the behavior of a window or a widget. Automata may share common behavior and hence be seen as instances of general models. Automata interact by sending and receiving communication events in order to realize the expected global behavior. Data values, such as the actual contents of a text field or the color of a widget, may be associated with events and states, and Java code can manipulate them, following an attribute grammar style [Knuth 1968] of computation. The VEG approach allows the automatic generation of efficient code from the specification of the interface, and its integration with commercial design tools, by implementing the various automata as interacting parsers (where the input stream of each parser is the sequence of input events for the corresponding window or widget). A toolkit has been prototyped, to produce Java classes that implement the logical behavior of the GUI and to integrate them with the layout. Up to now, the toolkit handles interfaces of WIMP (Window, Icon, Menu, Pointer) style. Extensions to more sophisticated interaction paradigms like virtual reality or voice interactions are possible, and discussed in Section 7.

The VEG approach also allows clean separation both of data vs. control and layout vs. behavior. More precisely, separation of data and control means that every VEG specification is composed of a “purely syntactical” part, describing the event-driven behavior of a GUI (the control), and of a “semantical” part, implementing data manipulation.
In fact, as already remarked, a VEG specification is akin to an attribute grammar, where the syntax aspects are complemented by semantic functions. The VEG approach thus follows the classical Model-View-Controller architecture pioneered by SmallTalk 80: the controller is specified with the syntax, and it interacts with the model and the view by means of input events and attributes. In particular, the specification and design of a GUI is independent of its actual layout. This allows portability and ease of modification, but also the reuse of the same logic in implementing different interfaces for the same service (such as in the Sisl approach of Ball et al. [2000]), possibly with different data manipulation. Web services are a typical application that may benefit from this separation. For instance, the web site of Politecnico di Milano has been redone a few times, mostly because the layout was unsatisfactory: each time the same services had to be partly reprogrammed, while with VEG this would have been unnecessary. Also banking systems may benefit from the layout/logic separation: they offer multichannel access through an automated teller machine, a web-based interface or bank-by-phone interface [Godefroid et al. 2000]. Usually, code duplication occurs, with the associated rise in development and maintenance costs, but this can be avoided with the present approach.

The separation of data and control, together with the independence of the layout, is convenient not only for maintenance and reuse, but also for fast prototyping. GUI prototyping is often necessary for the customer to understand whether the GUI is the right one. The layout may be very changeable in this phase. With VEG, we can quickly specify the logic, choose a layout, give it to the user of the application and verify what has to be changed. The layout may be thrown away afterwards, but VEG specifications remain. Data processing is not needed at this moment: only the control part of the GUI is programmed.
Usually, the additional cost of rapid prototyping is that an expensive prototype must be thrown away. With VEG, the initial prototype may be a less costly VEG specification that can often be reused and extended into the final system.

Apart from the merits of individual notations, one of the major obstacles in the diffusion of formal methods outside academic research is the perceived difficulty in their use. Formal specification languages are considered hard to master, and formal verification techniques, such as theorem proving, to be for real experts only. On the other hand, automata, such as those used in VEG, are among the easiest formalisms, and every software engineer is familiar with them. Moreover, advances in automatic verification toolkits, such as model checking, are greatly simplifying formal verification, since in principle “pushbutton” verification is possible for many systems specified with automata.

In general, however, a specification or a program has to be “abstracted” to be amenable for automatic verification with model checkers. In fact, the number of states of even simple programs is typically too high for model checkers, especially because of the large range of data values. Constructing a powerful enough, sound abstraction may require considerable ingenuity, since the abstracted program must be a compromise between efficiency (i.e., the size of the state space for concrete model checkers such as SPIN [Holzmann 1997], or the size of formulas encoding the system for symbolic model checkers such as SMV [Clarke et al. 1986]) and effectiveness (i.e., the meaningfulness of the verification results on the abstracted program). In particular, the abstraction must be safe with respect to the properties of interest (e.g., deadlock freedom): if the property holds in the abstracted system then it holds in the original program. A lot of research efforts are currently underway to allow the development of safe abstractions for programming languages such as C and Java (e.g., Ball et al. [2000] and Corbett et al. [2000]), but the results still seem hard to generalize and use.
In the VEG toolkit, however, an abstraction that is safe with respect to many important properties (such as deadlock-freedom and state invariants) can automatically be derived from the original specification, with a meaning that is very close to the original one. Typically, in VEG, the abstracted version is the control (finite-state) part of the specification, while data and related functions are ignored. When dealing with abstracted programs, however, even when an abstraction is shown or is known to be safe, spurious counterexamples may occur, that is, errors in the abstracted program that do not correspond to feasible computations on the original program. In this case, one may either accept the result (and then try to fix a program that is already correct) or use some form of proof or symbolic execution of the counterexample on the original program, to understand whether the positive is a true one. In our experience with VEG specifications, the problem of spurious counterexamples does not seem to hamper verification as much as in software model checking. An explanation for this is that the notation and the methodology used tend to enforce a clear separation between control and data, while in traditional programs, where this distinction is usually not present, the control flow graph is a very poor abstraction. Moreover, since GUIs are usually event-driven, control-intensive systems, often the abstracted VEG specification is very close to the one used to produce the application: there is a high level of coherence between the application and its formal model.

We based verification and validation on SPIN, a widely disseminated model-checking tool.
Communicating automata fit particularly well into the domain of automatic verification: the VEG notation can be easily translated into the Promela language, which is the input language of SPIN. Currently, our toolkit supports, with simple “pushbutton” options, automatic detection of design errors such as deadlock and unreachable states, but it also allows state invariant verification, simulation and test case generation. The VEG support for verification may also help in checking features of an interface and in detecting requirement errors. For instance, a Save button in an Editor application should be reachable from every state where the document has been modified. This means that the GUI will never run into a configuration where a user will no longer be allowed to save her data. This is a liveness property, which can be easily verified by a model checker. Another example is the verification that all needed resources are available before a process can start: in a text editor, a document must be created or opened before writing into it. We found that even very large GUI can easily be checked, since usually the number of its (control) states is much smaller than the current limits of model checkers.

Our work draws on a long, well-established tradition of user interface design, called dialog independence [Hartson and Hix 1989; Hill 1986] or syntax-semantics dichotomy [Foley 1987; Foley et al. 1989; Jacob 1982; Olsen 1983, 1984; Reisner 1981; Shneiderman 1982 and others], and in particular on the Seeheim model of Green [1983]. The goal of these models is the separation of the application from its user interface. Some of these works also applied context-free or regular grammars to the description of dialogs (already in 1981). The reason is that grammars have various advantages over other approaches. For instance, the terminal alphabet of a grammar is usually composed of high-level events at the application level, such as Start, Quit, Cut, etc., allowing platform-independence and often also widget-independence.
Also, some authors introduced a special notation to supplement grammars whenever they seem unsuited to describe some features. For instance, Van den Boss [1988] has proposed and developed a special rich notation, exceeding the power of context-free grammars. For this and similar approaches, however, the possibility of automatic verification of the specification becomes quite small, since the