Introduction to Alloy

L. Dillon

CSE 814 Overview of Alloy 1

CSE 814 Overview of Alloy 2

Acknowledgements Excerpted (mostly) and adapted from:

!  One day tutorial at http://alloy.mit.edu/fm06/

!  SBMF/ICGT 2006 keynote at http://people.csail.mit.edu/dnj/talks/brazil06/brazil06.pdf

!  Lipari talk at http://people.csail.mit.edu/dnj/talks/

!  SAIL Tutorial at http://alloy.mit.edu/alloy/tutorials/day-course/

! 

CSE 814 Overview of Alloy 3

Trans-atlantic analysis

Oxford, home of Z

Pittsburgh, home of SMV

!  Notation inspired by Z •  declarative and uniform •  sets and relations •  but not easily analyzed

!  Analysis inspired by SMV •  billions of cases in seconds •  counterexamples not proofs •  but not declarative

CSE 814 Overview of Alloy 4

Why declarative design? I conclude there are two ways of constructing a software design.

One way is to make it so simple there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies.

– Tony Hoare [Turing Award Lecture, 1980]

CSE 814 Overview of Alloy 5

Imperative v.s. declarative

"  The more you add, the less happens

"  Good for partial descriptions

"  Good for incremental modeling

CSE 814 Overview of Alloy 6

Why automated analysis? Software development needs

"  Simple, expressive and precise notations

"  Deep and automatic analysis, especially in the early stages

The first principle is that you must not fool yourself, and you are the easiest person to fool.

– Richard P. Feynman

CSE 814 Overview of Alloy 7

Four key ideas . . . 1)  everything is a relation

2)  non-specialized logic

3)  counterexamples & scope

4)  analysis by SAT

CSE 814 Overview of Alloy 8

Everything is a relation !  Alloy uses relations for

•  all datatypes: sets, scalars, tuples, graphs, etc. •  structures in space and time

!  key operator is dot join •  relational join, field navigation, function application, ...

CSE 814 Overview of Alloy 9

Non-specialized logic

!  No special constructs for •  state machines •  traces •  synchronization •  concurrency •  . . .

CSE 814 Overview of Alloy 10

Non-specialized logic

Use constraints for describing models: •  Subtypes & classification •  Declarations & multiplicity •  Invariants, operations & traces •  Assertions, including temporal ones •  . . .

CSE 814 Overview of Alloy 11

Counterexamples & scope

testing: a few cases of arbitrary size

scope-complete: all cases within a small bound

!  observations about design analysis: •  most assertions are wrong •  most flaws have small counterexamples

CSE 814 Overview of Alloy 12

Analysis by SAT

Stephen Cook

Eugene Goldberg

Sharad Malik

Henry Kautz

!  SAT, the quintessential hard problem (Cook 1971) •  SAT is hard, so reduce SAT to your problem

!  SAT, the universal constraint solver (Kautz, Selman, 1990's) •  SAT is easy, so reduce your problem to SAT •  solvers: Chaff (Malik), Berkmin (Goldberg & Novikov), ...

Yakov Novikov

Moore’s Law

CSE 814 Overview of Alloy 13

SAT Performance

CSE 814 Overview of Alloy 14

CSE 814 Overview of Alloy 15

Run the Alloy Analyzer Download Alloy

–  http://alloy.mit.edu/alloy4/ –  run the Analyzer

!  double click alloy.jar or !  execute java -jar alloy.jar

at the command line

Open example –  (In top toolbar) File => Open Sample Models =>

Examples => Toys => ceilingsAndFloors.als

CSE 814 Overview of Alloy 16

“ceilings and floors” example sig Platform {} there are “Platform” things

sig Man {ceiling, floor: Platform} each Man has a ceiling and a floor Platform

pred Above(m, n: Man) {m.floor = n.ceiling Man m is “above” Man n if m's floor is n's ceiling

fact PaulSimon {all m: Man | some n: Man | n.Above[m]} "One Man's Ceiling Is Another Man's Floor"

CSE 814 Overview of Alloy 17

Checking “BelowToo”

assert BelowToo {

all m: Man | some n: Man | m.Above[n]

} "One Man's Floor Is Another Man's Ceiling” check BelowToo for 2

check "BelowToo" in models with no more than two platforms and no more than two men

“Execute” finds a counterexample

CSE 814 Overview of Alloy 18

Counterexample to “BelowToo”

McNaughton

CSE 814 Overview of Alloy 19

Checking “BelowToo” pred Geometry {no m: Man | m.floor = m.ceiling} no man’s floor and ceiling are the same

assert BelowToo’ { Geometry => (all m: Man | some n: Man | m.Above[n]) } if no man’s floor and ceiling are the same, then "One Man's Floor Is Another Man's Ceiling”

check BelowToo' for 2 expect 0 it is true for up to 2 men and 2 platforms

check BelowToo' for 3 expect 1 but not for up to 3 men and 3 platforms

CSE 814 Overview of Alloy 20

Checking “BelowToo” pred NoSharing { no m,n: Man | m!=n && (m.floor = n.floor || m.ceiling = n.ceiling)

}

assert BelowToo'' { NoSharing => (all m: Man | some n: Man | m.Above[n]) }

check BelowToo'' for 6 expect 0

check BelowToo'' for 10 expect 0

Alloy Case Studies

CSE 814 Overview of Alloy 21

Alloy = logic + language + analysis

•  logic –  first order logic + relational calculus

•  language –  syntax for structuring specifications in the logic

•  analysis –  bounded exhaustive search for counterexample

to a claimed property using SAT

CSE 814 Overview of Alloy 22