A Gentle Introduction to Software Modeling & Analysis

A Gentle Introduction to Software Modeling & Analysis
Roger L. Costello July 30, 2017

Table of Contents Introduction
Learn a bit about the tool we will model/analyze – lots of screenshots A model of the tool Analysis of the model The model, expressed in a modeling language Analysis, expressed in a modeling language

What is a model?

A map is a model of the physical world
This is a model of an actual airplane

A model is the essence of something, it is an abstraction of something

What is analysis?

Aircraft companies create models before building an aircraft.
Why?

Answer: Because models are more convenient to analyze, and because the actual aircraft contains lots of details that are irrelevant for analysis. Aircraft models can be analyzed: they can be put through wind tunnels to check for aerodynamic efficiency, computers can check flight behavior, and so forth.

Why do people create software models?
model of the software software (application)

Answer: Because models are more convenient to analyze, and because the actual software contains lots of details that are irrelevant for analysis. Software models can be analyzed: they can be checked for security vulnerabilities, checked for the presence (or absence) of required properties, and so forth. model of the software software (application) key point key point

We will model a tool that manages photos
The tool is called Phase One ( We will model a few of its essential commands

We will model a tool that manages photos
The tool is called Phase One ( We will model a few of its essential commands a.k.a., the “application” (I will use the terms “tool” and “application” interchangeably)

Benefit of modeling an existing tool
Ideally, models are created first and then the tool (software) is built. Analogously, aircraft models are created first, before building the actual aircraft. Nonetheless, it is useful to model an existing tool: Get deep insight into the tool's commands. At first glance a tool's commands may seem obvious, but are subtler when examined carefully. A model can expose errors and confusions in the tool. If there are plans to extend the tool, a model can identify if the new functionality will compromise the clarity of existing key abstractions.

Acknowledgement The model shown in these slides comes from this fantastic book, pages

This is the first screen you see when you open the application

Import your photos into the tool

Open a folder and select a photo

The tool organizes photos into “catalogs”

You can give the catalog a name

Butterfly catalog

Let's create a second catalog

Drag and drop photos in here

A bunch of photos placed into this catalog

Save the catalog under a name

Bruce Lee catalog

Create more catalogs …

Arnold Schwarzenneger catalog

Bodybuilder catalog

Summary The tool (application) contains catalogs
Each catalog contains photos (assets)

Summary The tool (application) contains catalogs
Each catalog contains photos (assets) I will often use the general term “assets” because the tool can manage more than just photos. It can also manage movies and soundtracks.

“select” photos

Two photos were “selected” by clicking on them

No photos selected i.e., selection = empty (Undefined)

Five photos “showing” Two photos “selected”

2 “hidden” photos

Can only select photos that are showing (i. e
Can only select photos that are showing (i.e., cannot select hidden photos)

“selection” is either Undefined (empty) or a subset of “showing”

“selection” is either Undefined (empty) or a subset of “showing”
This is always true (for every catalog), i.e., it's an invariant. “selection” is either Undefined (empty) or a subset of “showing”

Let's cut two photos from the Bodybuilder catalog and paste them to the Arnold Schwarzenegger catalog

Bodybuilder catalog Arnold Schwarzenegger catalog Clipboard cut paste

Select the photos to be cut

“Cut” the selected photos

The cut photos are stored in the application's clipboard

Here's the catalog after executing the cut command

Can we execute a “cut” command if nothing is selected?

Notice that no photos are selected

“Cut” is grayed out

The cut command can only be executed when one or more photos are selected

Now let's paste the photos in the clipboard to the Arnold Schwarzenegger catalog

Clipboard paste

Clipboard Notice that this photo already exists in the catalog

“Paste” the photos in the clipboard into this catalog

Here's the catalog after executing the paste command

Notice that the pasted photo is “selected” and the other photo is not pasted since it already existed in the catalog

Now let's see how to hide assets

Select one or more photos. Here I selected one photo.

“Hide Selected” command

1 hidden photo

Let's hide this photo as well

2 hidden photos

Can we execute a hide command if no photos are selected?

“Hide Selected” is grayed out

The hide selected command can only be executed when one or more photos are selected

After executing a hide selected command, are the photos still selected?

After executing a hide selected command, are the photos still selected?
How can we tell? After all, we can't see the hidden photos.

See if the “cut” command is grayed out – recall that it is available only if assets are selected

I just finished the “Hide Selected” command
I just finished the “Hide Selected” command. Are any of the hidden photos selected?

“Cut” is grayed out

There are no selected photos after executing the “Hide Selected” command, either in the visible section or in the hidden section

What's the relationship between hidden photos and showing photos?

1 photo showing 2 hidden photos

hidden + showing = assets

What happens if we paste a photo that is already present in the hidden area? Will the hidden photo move to showing?

Show All

All the photos in this catalog are showing

Copy the selected photo

Create a new catalog and paste the photo into it. Here's the result.

Back to the other catalog. Hide the photo.

1 hidden photo

The photo is in two catalogs

Cut the photo from here and paste it into this catalog

Here's the result. You can see that the photo remains hidden
1 hidden photo

Pasting does not cause a photo to go from hidden to showing

Let's see how to show only the photos that are selected

Select some photos

We want the tool to show only the selected photos

“Show Selected” command

Here's the catalog after executing the “Show Selected” command

2 hidden photos

Notice that the selected assets remain selected

Now let's show just one photo, so select it

“Show Selected” command

Here's the catalog after executing the “Show Selected” command

3 hidden photos

What will happen if we execute “Show Selected” when no photos are selected?

“Show Selected” is grayed out

The “Show Selected” command can be executed only when one or more photos are selected

Both “Hide Selected” and “Show Selected” hide assets
After the “Hide Selected” command After the “Show Selected” command hidden photos hidden photos

Difference between “Hide Selected” and “Show Selected”
After the “Hide Selected” command After the “Show Selected” command selection (after) = empty selection (after) = selection (before)

Phew! Time for a breather
We've seen a few of the tool's commands. Even with these few commands, the details are getting a bit complex – after executing this command the remaining assets are not selected, after executing that command the remaining assets are selected. A model would be very helpful. It would enable us to capture these details, without getting mired in irrelevant details. Okay, let's start modeling! key point

3 parts to modeling Structure: The things that are relevant to us, such as catalogs, assets, hidden assets, showing assets, etc. Behavior: The effect of the commands on the things in (1). For example, the “Hide Selected” command augments the hidden assets and subtracts from the showing assets. Analysis: Analysis of (1) and (2). For example, if we execute a cut followed by a paste is the application the same after as before?

(1) Structure: Identify relevant things

Catalogs

Assets

Selection Two photos “selected”

Hidden 2 “hidden” photos

Showing Five photos “showing”

Clipboard Bodybuilder catalog Clipboard Arnold Schwarzenegger catalog
cut paste

Summary of relevant things
- catalogs - assets - selection (set of selected assets) - hidden (set of hidden assets) - showing (set of assets that are showing) - clipboard

Summary of relevant things
- catalogs - assets - selection (set of selected assets) - hidden (set of hidden assets) - showing (set of assets that are showing) - clipboard key point If we were to look inside the tool would we see these things? Is this all we would see? No. This is our “abstraction” of the tool. It is a collection of things that represent our understanding of the tool. It is part of our model of the tool.

Next, identify things that describe the state of the application

Open catalogs These are the catalogs that I have open

For each open catalog, the catalog's state
state of this catalog state of this catalog state of this catalog state of this catalog

The “current” catalog This is the catalog that I am working on at this moment

Assets on the clipboard

Summary of things that describe the state of the application
- open catalogs - for each open catalog, its state - the “current” catalog - assets on the clipboard

Next, identify things that describe the state of a catalog

Catalog's assets These are the photos (assets) that are in the Bruce Lee catalog

Catalog's assets that are showing, that are hidden

Catalog's assets that are selected

Summary of the things that describe the state of a catalog
- catalog's assets - catalog's assets that are showing - catalog's assets that are hidden - catalog's assets that are selected (or none selected)

(2) Behavior: Describe the effects of each command on the things in the previous slides

But first, some notation
Let: xs denote the application’s state before executing the command xs' denote the application’s state after executing the command cs denote the state of the current catalog before executing the command cs' denote the state of the current catalog after executing the command buffer denote the application’s clipboard Undefined denote no selection (selection is empty)

Describe the effects of the “cut” command

Precondition to using the cut command: photos must be selected
No photos selected

Precondition to using the cut command: photos must be selected
cs.selection != Undefined

An effect of the cut command is to replace the content of the clipboard with the selection

An effect of the cut command is to replace the content of the clipboard with the selection
xs'.buffer = cs.selection

Contrast with the behavior of the emacs editor
cut The stuff in the clipboard is not overwritten. It is pushed onto a stack. stack

An effect of the cut command is to remove the selected assets from the catalog

An effect of the cut command is to remove the selected assets from the catalog
cs'.assets = cs.assets - cs.selection

An effect of the cut command is to remove the selected assets from the set of showing assets

An effect of the cut command is to remove the selected assets from the set of showing assets
cs'.showing = cs.showing - cs.selection

An effect of the cut command is to clear selection

An effect of the cut command is to clear selection
cs'.selection = Undefined

Only the current catalog changes

xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' Update the application's record of catalog states to reflect the modified catalog

No change to the set of open catalogs

xs'.catalogs = xs.catalogs

No change to the choice of the “current” catalog

xs'.currentCatalog = xs.currentCatalog

Summary of the effects of the “cut” command
Precondition: cs.selection != Undefined xs'.buffer = cs.selection cs'.assets = cs.assets - cs.selection cs'.showing = cs.showing - cs.selection cs'.selection = Undefined xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' xs'.catalogs = xs.catalogs xs'.currentCatalog = xs.currentCatalog

Describe the effects of the “paste” command

Notation Let: new denote the photos to be pasted into the catalog which are not already present in the catalog

An effect of the paste command is to add the new assets in the clipboard to the current catalog

An effect of the paste command is to add the new assets in the clipboard to the current catalog
cs'.assets = cs.assets + new

An effect of the paste command is to augment the set of showing assets with the new assets

An effect of the paste command is to augment the set of showing assets with the new assets
cs'.showing = cs.showing + new

An effect of the paste command is for selection to become the newly added assets (if there are some new assets, else Undefined) paste

An effect of the paste command is for selection to become the newly added assets (if there are some new assets, else Undefined) paste cs'.selection = (some new => new else Undefined)

xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' Update the application's record of catalog states to reflect the modified catalog

xs'.catalogs = xs.catalogs

xs'.currentCatalog = xs.currentCatalog

Summary of the effects of the “paste” command
xs'.buffer = xs.buffer cs'.assets = cs.assets + new cs'.showing = cs.showing + new cs'.selection = (some new => new else Undefined) xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' xs'.catalogs = xs.catalogs xs'.currentCatalog = xs.currentCatalog

Describe the effects of the “hide selected” command

Precondition to executing the hide selected command: photos must be selected
No photos selected

Precondition to executing the hide selected command: photos must be selected

An effect of the hide selected command is to augment the set of hidden assets
1 hidden photo

An effect of the hide selected command is to augment the set of hidden assets
cs'.hidden = cs.hidden + cs.selection

An effect of the hide selected command is to clear the selection
1 hidden photo

An effect of the hide selected command is to clear the selection
cs'.selection = Undefined

No change to the set of assets in the catalog
1 hidden photo

cs'.assets = cs.assets

Summary of the effects of the “hide selected” command
Precondition: cs.selection != Undefined cs'.hidden = cs.hidden + cs.selection cs'.selection = Undefined cs'.assets = cs.assets

Precondition: cs.selection != Undefined cs'.hidden = cs.hidden + cs.selection cs'.selection = Undefined cs'.assets = cs.assets cs'.showing = cs.showing - cs.selection Why didn’t the previous slide have this?

Precondition: cs.selection != Undefined cs'.hidden = cs.hidden + cs.selection cs'.selection = Undefined cs'.assets = cs.assets cs'.showing = cs.showing - cs.selection Recall from an earlier slide: showing + hidden = assets If you know the hidden assets and the total assets, then you know the showing assets. The statement circled above is true, but redundant.

Describe the effects of the “show selected” command

Precondition to executing the show selected command: photos must be selected
No photos selected

Precondition to executing the show selected command: photos must be selected

An effect of the show selected command is to replace the set of showing assets
2 hidden photos

An effect of the show selected command is to replace the set of showing assets
cs'.showing = cs.selected

No change to the set of selected assets
show selected 2 hidden photos

No change to the set of selected assets
show selected cs'.selection = cs.selection

2 hidden photos

cs'.assets = cs.assets

Summary of the effects of the “show selected” command
Precondition: cs.selection != Undefined cs'.showing = cs.selected cs'.selection = cs.selection cs'.assets = cs.assets

Recap of the model The model identifies things that are relevant to us
catalogs, assets, selection, hidden, showing, clipboard The model defines the state of the application the set of open catalogs, the state of each open catalog, the “current” catalog, the assets on the clipboard The model defines the state of each catalog catalog's assets, catalog's assets that are showing, catalog's assets that are hidden, catalog's assets that are selected The model describes the effects of each command cut, paste, hide selected, show selected

Hey computer, please analyze the model: does paste undo cut?

Does paste undo cut? Suppose we execute a cut command followed by a paste (to the same catalog). Is the application the same after as before?

Does paste undo cut? Suppose we execute a cut command followed by a paste (to the same catalog). Is the application the same after as before? This is analogous to an algebra expression where we add b to “a” and then subtract b: a - b + b = a

Does paste undo cut? Suppose we execute a cut command followed by a paste (to the same catalog). Is the application the same after as before? In other words, does the application have algebraic properties?

Results: the computer found examples of where the application is not the same after as before
Here's one example

First, cut this photo of Schwarzenegger, Katz, & Draper

This is on the clipboard

If we desired, we could paste the stuff in the clipboard to a catalog

This is the “before state” of the application
This is the “before state” of the application. We're ready to start our analysis.

Select this photo and then do a cut command

Here's the catalog after doing the cut command

Next, do the paste command

Here's the catalog after doing the paste command

Before After

More precisely, this is the before and after state

Before After

Before After Before and after are different.  The clipboards differ.

The application does not have the algebraic property

Paste does not undo cut

Paste does not undo cut The reason that paste does not undo cut is because cut replaces (overwrites) the contents of the clipboard and the paste doesn't retrieve the previous content.

Let's do a second analysis

Would that violate anything?
Hey computer, suppose I changed the model so that the “hide selected” command retains the selection, i.e. cs'.selection = cs.selection Would that violate anything?

Recall the invariant:

Results: the computer found examples of where the application violates the invariant
Here's one example

I used the hide selected command to hide two photos
I used the hide selected command to hide two photos. The (erroneous) model says cs'.selected = cs.selected

cs'.selected = cs.selected
I used the hide selected command to hide two photos. The (erroneous) model says cs'.selected = cs.selected The selected assets are not a subset of showing. That violates the invariant.

Wow, a computer is able to analyze models and find examples like those?

Yes, provided you express the model in the right language – Alloy
Yes, provided you express the model in the right language – Alloy. Then the Alloy Analyzer will find examples like that.

Alloy was created at MIT by Daniel Jackson

The Alloy language Alloy is a language. Like all languages, it takes study and practice to become fluent. The previous slides gave you a sense for these modeling activities: abstract the application identify relevant items describe the effects of the application's commands on the items ask questions about the model -- ask the computer to analyze the model Now it’s time to express these things using the Alloy language.

Set of catalogs sig Catalog {}

sig Catalog {} sig = signature, use to define a set of values, in this case a set of catalogs.

sig Catalog {}

sig Catalog {} This represents the set of all past, present and future catalogs. Wow! That is cool.

Run Alloy (double click on this jar file)

Type sig Catalog {} in here

This is a (simple) model! Expressed in the Alloy language.

Select Execute >> Show Metamodel

This is a model diagram. Box denotes a set of values
This is a model diagram. Box denotes a set of values. The label inside the box is the name of the set of values. Thus, this model diagram says that Catalog is a set of values.

Hover your mouse over this icon, then you can see that there are two documents, the text and graphic version of the model.

Save the (text) model. Select File >> Save As…

Name the file this.

Alloy files end with the suffix .als

Set of assets sig Asset {}

sig Asset {}

sig Asset {} This represents the set of all past, present and future assets. Awesome!

Add this signature declaration. Then view the model diagram.

Two boxes = two sets. The model (currently) consists of a set of Catalogs and a set of Assets.

A singleton set, used to indicate an empty selection
one sig Undefined {}

one sig Undefined {} Multiplicity, how many values in the set. If not specified, the multiplicity is set. I.e., the default multiplicity is set.

Add this signature declaration. Then view the model diagram.

Catalog and Asset sets contain an unbounded number of values
Catalog and Asset sets contain an unbounded number of values. Undefined contains just one value.

(2) state of each catalog (3) catalog that is the “current” catalog
Previously, we saw that the state of the application is specified by the: set of open catalogs (2) state of each catalog (3) catalog that is the “current” catalog (4) clipboard (buffer) content Let’s specify “application state” using the Alloy language.

sig ApplicationState { catalogs: set Catalog,
catalogState: catalogs -> one CatalogState, currentCatalog: catalogs, buffer: set Asset } Explanation on following slides

Set of application states
sig ApplicationState { catalogs: set Catalog, catalogState: catalogs -> one CatalogState, currentCatalog: catalogs, buffer: set Asset }

Set of open catalogs sig ApplicationState { catalogs: set Catalog, catalogState: catalogs -> one CatalogState, currentCatalog: catalogs, buffer: set Asset }

Open catalogs For example, at one point these are the catalogs that I had open.

Open catalogs i.e., at one application state
For example, at one point these are the catalogs that I had open.

Set of open catalogs Each ApplicationState has a set of open catalogs sig ApplicationState { catalogs: set Catalog, catalogState: catalogs -> one CatalogState, currentCatalog: catalogs, buffer: set Asset }

This is a field within ApplicationState. sig ApplicationState { catalogs: set Catalog, catalogState: catalogs -> one CatalogState, currentCatalog: catalogs, buffer: set Asset }

This is a field within ApplicationState. It maps each value of ApplicationState to a set of values of Catalog. sig ApplicationState { catalogs: set Catalog, catalogState: catalogs -> one CatalogState, currentCatalog: catalogs, buffer: set Asset }

This multiplicity indicates how many values of Catalog may be associated to a value of ApplicationState. If not specified, the multiplicity is one. I.e., the default multiplicity is one. sig ApplicationState { catalogs: set Catalog, catalogState: catalogs -> one CatalogState, currentCatalog: catalogs, buffer: set Asset }

ApplicationState Catalog catalogs ApplicationStatei

Arnold-Schwarzenneger
catalogs ApplicationStatei Arnold-Schwarzenneger ApplicationStatei Bodybuilder ApplicationStatei Bruce-Lee ApplicationStatei Butterfly

ApplicationState = { (ApplicationState1), (ApplicationState2), …, (ApplicationStatei), … } Catalog = { (Africa), (Albert-Einstein), (Alex-Grey), (Arnold-Schwarzenneger), (Ballerina), (Bodybuilder), (Bruce-Lee), (Butterfly), (Crossfit), (Echart-Tolle), (Mars), (Yogi) } catalogs = { …, (ApplicationStatei, Arnold-Schwarzenneger), (ApplicationStatei, Bodybuilder), (ApplicationStatei, Bruce-Lee), (ApplicationStatei, Butterfly), … }

Three ways to depict what is meant by this

Arnold-Schwarzenneger
Catalog Catalog The Alloy tools (i.e., the Alloy Analyzer) treats sets abstractly. It names the values generically, with the set name followed by a number. Arnold-Schwarzenneger Bodybuilder Bruce-Lee Butterfly Africa Albert-Einstein Alex-Grey Ballerina . . . Catalog0 Catalog1 Catalog2 Catalog3 Catalog4 Catalog5 Catalog6 Catalog7 . . .

. . . . . . ApplicationState ApplicationState ApplicationState3

catalogs ApplicationState5 Catalog3 ApplicationState5 Catalog5

catalogs This is a binary relation. That is, it’s a mapping between two sets. ApplicationState5 Catalog3 ApplicationState5 Catalog5 ApplicationState5 Catalog6 ApplicationState5 Catalog7

State of each open catalog

Map each value in catalogs to exactly one CatalogState. sig ApplicationState { catalogs: set Catalog, catalogState: catalogs -> one CatalogState, currentCatalog: catalogs, buffer: set Asset }

catalogState

catalogs is the set of open catalogs, at ApplicationStatei.
catalogState

catalogState is the state of each open catalog (at ApplicationStatei).

catalogState ApplicationStatei Arnold-Schwarzenneger
ArnoldCatalogState ApplicationStatei Bodybuilder BodybuilderCatalogState ApplicationStatei Bruce-Lee Bruce-LeeCatalogState ApplicationStatei Butterfly ButterflyCatalogState

This is a ternary relation
catalogState This is a ternary relation ApplicationStatei Arnold-Schwarzenneger ArnoldCatalogState ApplicationStatei Bodybuilder BodybuilderCatalogState ApplicationStatei Bruce-Lee Bruce-LeeCatalogState ApplicationStatei Butterfly ButterflyCatalogState

The arrow operator. sig ApplicationState { catalogs: set Catalog, catalogState: catalogs -> one CatalogState, currentCatalog: catalogs, buffer: set Asset }

A -> B means all possible pairings between values in A with values in B.
{ (A0,B0), (A0,B1), (A0,B2), …, (A1,B0), (A1,B1), (A1, B2), … }

A -> one B means pair each value in A to exactly one value in B.
{ (A0,B5), (A1,B0), (A2,B9), … }

Catalog that is the “current” catalog

The Bruce-Lee catalog is the current catalog

This field declaration has a multiplicity sig ApplicationState { catalogs: set Catalog, catalogState: catalogs -> one CatalogState, currentCatalog: catalogs, buffer: set Asset } This field declaration does not have a multiplicity. The default multiplicity is one.

Equivalent currentCatalog: catalogs currentCatalog: one catalogs
currentCatalog maps an ApplicationState to one of the open catalogs.

currentCatalog ApplicationStatei Bruce-Lee

Set of assets in the clipboard (buffer)

buffer: set Asset

buffer ApplicationStatei Schwarzenneger, Katz, Draper photo
Schwarzenneger, Zane, Jacobs, Draper photo

Set of application states

Each state of the application is described by these fields

Type this into the Alloy tool.
Then, select Execute >> Show Metamodel

Error because the signature for CatalogState has not (yet) been defined.

Previously, we saw that the state of a catalog is described by the catalog's:
assets (2) assets that are showing (3) assets that are hidden (4) assets that are selected (or Undefined)

Assets

All the assets are showing

No hidden assets

Selected assets

Let’s specify “catalog state” using the Alloy language.

disj hidden, showing: set assets, selection: set showing + Undefined
sig CatalogState { assets: set Asset, disj hidden, showing: set assets, selection: set showing + Undefined } { hidden + showing = assets } Explanation on following slides

Set of catalog states sig CatalogState { assets: set Asset, disj hidden, showing: set assets, selection: set showing + Undefined } { hidden + showing = assets }

Each catalog has a series of states.
hide selected 1 hidden photo

Set of assets sig CatalogState { assets: set Asset, disj hidden, showing: set assets, selection: set showing + Undefined } { hidden + showing = assets }

Set of assets Each CatalogState has a set of assets sig CatalogState { assets: set Asset, disj hidden, showing: set assets, selection: set showing + Undefined } { hidden + showing = assets }

Hidden assets and showing assets are disjoint
sig CatalogState { assets: set Asset, disj hidden, showing: set assets, selection: set showing + Undefined } { hidden + showing = assets }

Showing assets 1 hidden photo Hidden assets Catalog assets

Selection may be either a set of values from showing or Undefined
sig CatalogState { assets: set Asset, disj hidden, showing: set assets, selection: set showing + Undefined } { hidden + showing = assets }

union operator sig CatalogState { assets: set Asset, disj hidden, showing: set assets, selection: set showing + Undefined } { hidden + showing = assets }

This is called a signature fact. sig CatalogState { assets: set Asset, disj hidden, showing: set assets, selection: set showing + Undefined } { hidden + showing = assets }

This is called a signature fact. It specifies a constraint on each CatalogState value. sig CatalogState { assets: set Asset, disj hidden, showing: set assets, selection: set showing + Undefined } { hidden + showing = assets }

The set of hidden assets plus the set of showing assets equals the set of assets sig CatalogState { assets: set Asset, disj hidden, showing: set assets, selection: set showing + Undefined } { hidden + showing = assets }

Type this into the Alloy tool.
Then, select Execute >> Show Metamodel

The bold words are Alloy keywords.
sig Catalog {} sig Asset {} one sig Undefined {} sig ApplicationState { catalogs: set Catalog, catalogState: catalogs -> one CatalogState, currentCatalog: catalogs, buffer: set Asset } sig CatalogState { assets: set Asset, disj hidden, showing: set assets, selection: set showing + Undefined } { hidden + showing = assets This is how we describe the application and its catalogs. It is our abstraction of the tool. It is our model of the tool. It is expressed using the Alloy language. The bold words are Alloy keywords.

“selection” is either Undefined or a subset of “showing”
Express this invariant “selection” is either Undefined or a subset of “showing”

pred catalogInv (cs: CatalogState) { cs.selection = Undefined or
(some cs.selection and cs.selection in cs.showing) } For any catalog cs the selected assets is either empty (Undefined) or the selected assets is non-empty and the selected assets are a subset of the showing assets. pred = predicate (define a constraint, in this case a constraint on “selection”)

pred appInv (xs: ApplicationState) {
all cs: xs.catalogs | catalogInv [xs.catalogState[cs]] } The invariant on the previous slide applies to all catalogs in the application.

Now let's describe the tool's commands

First, the “cut” command

Explanation on following slides
pred cut (xs, xs': ApplicationState) { let cs = xs.currentCatalog.(xs.catalogState), sel = cs.selection { sel != Undefined xs'.buffer = sel some cs': CatalogState { cs'.assets = cs.assets - sel cs'.showing = cs.showing - sel cs'.selection = Undefined xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' } xs'.catalogs = xs.catalogs xs'.currentCatalog = xs.currentCatalog Explanation on following slides

Let cs denote the application's current catalog
pred cut (xs, xs': ApplicationState) { let cs = xs.currentCatalog.(xs.catalogState), sel = cs.selection { sel != Undefined xs'.buffer = sel some cs': CatalogState { cs'.assets = cs.assets - sel cs'.showing = cs.showing - sel cs'.selection = Undefined xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' } xs'.catalogs = xs.catalogs xs'.currentCatalog = xs.currentCatalog

Let sel denote the set of selected assets in the current catalog

The precondition for the cut command is that at least one asset is selected

After the cut command has been executed, the clipboard (buffer) contains the selected assets

After the cut command has been executed, there is a catalog state cs' satisfying these properties …

… its assets are the catalog's original assets minus the selected assets

… its assets that are showing are those that were originally showing minus the selected assets

… it has no selected assets.

The application's record of each catalog's state is updated to reflect the change to the current catalog pred cut (xs, xs': ApplicationState) { let cs = xs.currentCatalog.(xs.catalogState), sel = cs.selection { sel != Undefined xs'.buffer = sel some cs': CatalogState { cs'.assets = cs.assets - sel cs'.showing = cs.showing - sel cs'.selection = Undefined xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' } xs'.catalogs = xs.catalogs xs'.currentCatalog = xs.currentCatalog

The set of open catalogs doesn't change with the cut command

The current catalog doesn't change with the cut command

Next, the “paste” command

pred paste (xs, xs': ApplicationState) { let cs = xs.currentCatalog.(xs.catalogState), buf = xs.buffer, new = buf - cs.assets { xs'.buffer = buf some cs': CatalogState { cs'.assets = cs.assets + new cs'.showing = cs.showing + new cs'.selection = (some new => new else Undefined) xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' } xs'.catalogs = xs.catalogs xs'.currentCatalog = xs.currentCatalog Explanation on following slides

Let cs denote the application's current catalog
pred paste (xs, xs': ApplicationState) { let cs = xs.currentCatalog.(xs.catalogState), buf = xs.buffer, new = buf - cs.assets { xs'.buffer = buf some cs': CatalogState { cs'.assets = cs.assets + new cs'.showing = cs.showing + new cs'.selection = (some new => new else Undefined) xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' } xs'.catalogs = xs.catalogs xs'.currentCatalog = xs.currentCatalog

Let buf denote the clipboard (buffer)

Let new denote the assets that are in the clipboard but not in the catalog

The clipboard (buffer) doesn't change with the execution of the paste command

After the paste command has been executed, there is a catalog state cs' satisfying these properties … pred paste (xs, xs': ApplicationState) { let cs = xs.currentCatalog.(xs.catalogState), buf = xs.buffer, new = buf - cs.assets { xs'.buffer = buf some cs': CatalogState { cs'.assets = cs.assets + new cs'.showing = cs.showing + new cs'.selection = (some new => new else Undefined) xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' } xs'.catalogs = xs.catalogs xs'.currentCatalog = xs.currentCatalog

… it has more assets – the new assets in the clipboard

… it is showing more assets – the new assets in the clipboard

… if the value of “new” is non-empty, then the selected assets are the new assets, otherwise the selected assets is empty (Undefined). pred paste (xs, xs': ApplicationState) { let cs = xs.currentCatalog.(xs.catalogState), buf = xs.buffer, new = buf - cs.assets { xs'.buffer = buf some cs': CatalogState { cs'.assets = cs.assets + new cs'.showing = cs.showing + new cs'.selection = (some new => new else Undefined) xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' } xs'.catalogs = xs.catalogs xs'.currentCatalog = xs.currentCatalog

The application's record of each catalog's state is updated to reflect the change to the current catalog pred paste (xs, xs': ApplicationState) { let cs = xs.currentCatalog.(xs.catalogState), buf = xs.buffer, new = buf - cs.assets { xs'.buffer = buf some cs': CatalogState { cs'.assets = cs.assets + new cs'.showing = cs.showing + new cs'.selection = (some new => new else Undefined) xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' } xs'.catalogs = xs.catalogs xs'.currentCatalog = xs.currentCatalog

The set of open catalogs doesn't change with the paste command

The current catalog doesn't change with the paste command

Next, the “hide selected” command

pred hideSelected (cs, cs': CatalogState) { cs.selection != Undefined cs'.hidden = cs.hidden + cs.selection cs'.selection = Undefined cs'.assets = cs.assets } Explanation on following slides

Precondition – can't do the hide selected command unless something is selected
pred hideSelected (cs, cs': CatalogState) { cs.selection != Undefined cs'.hidden = cs.hidden + cs.selection cs'.selection = Undefined cs'.assets = cs.assets }

As a result of executing the hide selected command there are more hidden assets – the existing hidden assets plus the selected assets pred hideSelected (cs, cs': CatalogState) { cs.selection != Undefined cs'.hidden = cs.hidden + cs.selection cs'.selection = Undefined cs'.assets = cs.assets }

After executing the hide selected command there are no selected assets

The hide selected command doesn't change the assets in the catalog

Next, the “show selected” command

pred showSelected (cs, cs': CatalogState) { cs.selection != Undefined cs'.showing = cs.selection cs'.selection = cs.selection cs'.assets = cs.assets } Explanation on following slides

Precondition – can't do the show selected command unless something is selected
pred showSelected (cs, cs': CatalogState) { cs.selection != Undefined cs'.showing = cs.selection cs'.selection = cs.selection cs'.assets = cs.assets }

After executing the show selected command only the selected assets are showing

The show selected command doesn't change the set of selected assets

The show selected command doesn't change the set of assets in the catalog

Here is our model of the tool's commands, expressed in the Alloy language

pred cut (xs, xs': ApplicationState) {
let cs = xs.currentCatalog.(xs.catalogState), sel = cs.selection { sel != Undefined xs'.buffer = sel some cs': CatalogState { cs'.assets = cs.assets - sel cs'.showing = cs.showing - sel cs'.selection = Undefined xs'.catalogState = xs.catalogState ++ xs.currentCatalog -> cs' } xs'.catalogs = xs.catalogs xs'.currentCatalog = xs.currentCatalog pred paste (xs, xs': ApplicationState) { let cs = xs.currentCatalog.(xs.catalogState), buf = xs.buffer, new = buf - cs.assets { xs'.buffer = buf cs'.assets = cs.assets + new cs'.showing = cs.showing + new cs'.selection = (some new => new else Undefined) pred hideSelected (cs, cs': CatalogState) { cs.selection != Undefined cs'.hidden = cs.hidden + cs.selection cs'.selection = Undefined cs'.assets = cs.assets } pred showSelected (cs, cs': CatalogState) { cs'.showing = cs.selection cs'.selection = cs.selection

Alloy = modeling language + analyzer
Alloy Analyzer Model (expressed using the Alloy language) COTS SAT solver

(expressed using the Alloy language)
Alloy Analyzer Model (expressed using the Alloy language) COTS SAT solver Hey Alloy Analyzer, please analyze the photo model – does paste undo cut?

assert CutPaste { all xs, xs', xs'': ApplicationState | appInv [xs] and cut [xs, xs'] and paste [xs', xs''] => sameApplicationState [xs, xs''] } check CutPaste Explanation on following slides

The cut command results in the application going from state xs to xs'
The cut command results in the application going from state xs to xs'. If we then execute a paste command, the application goes from state xs' to xs''. I hereby assert that application state xs is the same as application state xs''. assert CutPaste { all xs, xs', xs'': ApplicationState | appInv [xs] and cut [xs, xs'] and paste [xs', xs''] => sameApplicationState [xs, xs''] } check CutPaste

assert CutPaste { all xs, xs', xs'': ApplicationState | appInv [xs] and cut [xs, xs'] and paste [xs', xs''] => sameApplicationState [xs, xs''] } check CutPaste pred sameApplicationState (xs, xs': ApplicationState) { xs'.catalogs = xs.catalogs all c: xs.catalogs | sameCatalogState [c.(xs.catalogState), c.(xs'.catalogState)] xs'.currentCatalog = xs.currentCatalog xs'.buffer = xs.buffer } pred sameCatalogState (cs, cs': CatalogState) { cs'.assets = cs.assets cs'.showing = cs.showing cs'.selection = cs.selection Here's our definition of what it means for two application states to be the “same”

The set of open catalogs is the same before and after
pred sameApplicationState (xs, xs': ApplicationState) { xs'.catalogs = xs.catalogs all c: xs.catalogs | sameCatalogState [c.(xs.catalogState), c.(xs'.catalogState)] xs'.currentCatalog = xs.currentCatalog xs'.buffer = xs.buffer } pred sameCatalogState (cs, cs': CatalogState) { cs'.assets = cs.assets cs'.showing = cs.showing cs'.selection = cs.selection The set of open catalogs is the same before and after

The state of all catalogs is the same before and after
pred sameApplicationState (xs, xs': ApplicationState) { xs'.catalogs = xs.catalogs all c: xs.catalogs | sameCatalogState [c.(xs.catalogState), c.(xs'.catalogState)] xs'.currentCatalog = xs.currentCatalog xs'.buffer = xs.buffer } pred sameCatalogState (cs, cs': CatalogState) { cs'.assets = cs.assets cs'.showing = cs.showing cs'.selection = cs.selection The state of all catalogs is the same before and after

The catalog that is the current catalog is the same before and after
pred sameApplicationState (xs, xs': ApplicationState) { xs'.catalogs = xs.catalogs all c: xs.catalogs | sameCatalogState [c.(xs.catalogState), c.(xs'.catalogState)] xs'.currentCatalog = xs.currentCatalog xs'.buffer = xs.buffer } pred sameCatalogState (cs, cs': CatalogState) { cs'.assets = cs.assets cs'.showing = cs.showing cs'.selection = cs.selection The catalog that is the current catalog is the same before and after

The clipboard (buffer) is the same before and after
pred sameApplicationState (xs, xs': ApplicationState) { xs'.catalogs = xs.catalogs all c: xs.catalogs | sameCatalogState [c.(xs.catalogState), c.(xs'.catalogState)] xs'.currentCatalog = xs.currentCatalog xs'.buffer = xs.buffer } pred sameCatalogState (cs, cs': CatalogState) { cs'.assets = cs.assets cs'.showing = cs.showing cs'.selection = cs.selection The clipboard (buffer) is the same before and after

pred sameApplicationState (xs, xs': ApplicationState) {
xs'.catalogs = xs.catalogs all c: xs.catalogs | sameCatalogState [c.(xs.catalogState), c.(xs'.catalogState)] xs'.currentCatalog = xs.currentCatalog xs'.buffer = xs.buffer } pred sameCatalogState (cs, cs': CatalogState) { cs'.assets = cs.assets cs'.showing = cs.showing cs'.selection = cs.selection Here's our definition of what it means for two catalog states to be the same

The catalog's assets are the same before and after
pred sameApplicationState (xs, xs': ApplicationState) { xs'.catalogs = xs.catalogs all c: xs.catalogs | sameCatalogState [c.(xs.catalogState), c.(xs'.catalogState)] xs'.currentCatalog = xs.currentCatalog xs'.buffer = xs.buffer } pred sameCatalogState (cs, cs': CatalogState) { cs'.assets = cs.assets cs'.showing = cs.showing cs'.selection = cs.selection The catalog's assets are the same before and after

The assets that are showing are the same before and after
pred sameApplicationState (xs, xs': ApplicationState) { xs'.catalogs = xs.catalogs all c: xs.catalogs | sameCatalogState [c.(xs.catalogState), c.(xs'.catalogState)] xs'.currentCatalog = xs.currentCatalog xs'.buffer = xs.buffer } pred sameCatalogState (cs, cs': CatalogState) { cs'.assets = cs.assets cs'.showing = cs.showing cs'.selection = cs.selection The assets that are showing are the same before and after

The assets that are selected are the same before and after
pred sameApplicationState (xs, xs': ApplicationState) { xs'.catalogs = xs.catalogs all c: xs.catalogs | sameCatalogState [c.(xs.catalogState), c.(xs'.catalogState)] xs'.currentCatalog = xs.currentCatalog xs'.buffer = xs.buffer } pred sameCatalogState (cs, cs': CatalogState) { cs'.assets = cs.assets cs'.showing = cs.showing cs'.selection = cs.selection The assets that are selected are the same before and after

Alloy Analyzer, see if you can find a counterexample to the assert, i
Alloy Analyzer, see if you can find a counterexample to the assert, i.e., see if you can find an example where paste does not undo cut. assert CutPaste { all xs, xs', xs'': ApplicationState | appInv [xs] and cut [xs, xs'] and paste [xs', xs''] => sameApplicationState [xs, xs''] } check CutPaste

The Alloy Analyzer finds a counterexample

Before After Before and after are different.  The clipboards differ.

Suppose we decide that it's acceptable for the buffers to differ, how to revise the model?

Simply modify the definition of “same”

pred sameApplicationState (xs, xs': ApplicationState) {
xs'.catalogs = xs.catalogs all c: xs.catalogs | sameCatalogState [c.(xs.catalogState), c.(xs'.catalogState)] xs'.currentCatalog = xs.currentCatalog // xs'.buffer = xs.buffer } pred sameCatalogState (cs, cs': CatalogState) { cs'.assets = cs.assets cs'.showing = cs.showing cs'.selection = cs.selection I commented out the line that says the buffers must be the same before and after

Now the Alloy Analyzer does not find a counterexample

Next, let's analyze the model's definition of how the “hide selected” command effects selection

change to pred hideSelected (cs, cs': CatalogState) {
cs.selection != Undefined cs'.hidden = cs.hidden + cs.selection cs'.selection = Undefined cs'.assets = cs.assets } pred hideSelected (cs, cs': CatalogState) { cs.selection != Undefined cs'.hidden = cs.hidden + cs.selection cs'.selection = cs.selection cs'.assets = cs.assets } change to

Does the “hide selected” command preserve the invariant?

assert HidePreserveInv { all cs, cs': CatalogState | catalogInv [cs] and hideSelected [cs, cs'] => catalogInv [cs'] } check HidePreserveInv Explanation on following slides

I hereby assert that for all catalogs, if catalog cs satisfies the catalog invariant and the hide selected command is executed, then the resulting catalog cs' satisfies the catalog invariant. assert HidePreserveInv { all cs, cs': CatalogState | catalogInv [cs] and hideSelected [cs, cs'] => catalogInv [cs'] } check HidePreserveInv

Alloy Analyzer, see if you can find a counterexample to the assert, i
Alloy Analyzer, see if you can find a counterexample to the assert, i.e., see if you can find an example where the hide selected command yields a catalog that does not satisfy the catalog invariant. assert HidePreserveInv { all cs, cs': CatalogState | catalogInv [cs] and hideSelected [cs, cs'] => catalogInv [cs'] } check HidePreserveInv

The Alloy Analyzer finds a counterexample

cs'.selected = cs.selected
I used the hide selected command to hide two photos. The (erroneous) model says cs'.selected = cs.selected The selected assets are not a subset of showing. That violates the invariant.

I hope you've enjoyed this tutorial
The End I hope you've enjoyed this tutorial Roger Costello, July

A Gentle Introduction to Software Modeling & Analysis

Similar presentations

Presentation on theme: "A Gentle Introduction to Software Modeling & Analysis"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

A Gentle Introduction to Software Modeling & Analysis

Similar presentations

Presentation on theme: "A Gentle Introduction to Software Modeling & Analysis"— Presentation transcript:

Similar presentations

About project

Feedback