Presentation is loading. Please wait.

Presentation is loading. Please wait.

Session 4: Dynamic Modeling

Published byMelanie Fisher Modified over 6 years ago

Similar presentations

Presentation on theme: "Session 4: Dynamic Modeling"— Presentation transcript:

1 Session 4: Dynamic Modeling
Alloy Analyzer 4 Tutorial Session 4: Dynamic Modeling Greg Dennis and Rob Seater Software Design Group, MIT

2 model of an address book
abstract sig Target {} sig Name extends Target {} sig Addr extends Target {} sig Book { addr: Name -> Target } pred init [b: Book] { no b.addr } pred inv [b: Book] { let addr = b.addr | all n: Name { n not in n.^addr some addr.n => some n.addr } fun lookup [b: Book, n: Name] : set Addr { n.^(b.addr) & Addr assert namesResolve { all b: Book | inv[b] => all n: Name | some b.addr[n] => some lookup[b, n] check namesResolve for 4

3 what about operations? how is a name & address added to a book?
no built-in model of execution no notion of time or mutable state need to model time/state explicitly can use a new “book” after each mutation: pred add [b, b': Book, n: Name, t: Target] { b'.addr = b.addr + n->t }

4 address book: operation simulation
simulates an operation's executions download addressBook.als from the tutorial website execute run command to simulate the add operation simulated execution can begin from invalid state! create and run the predicate showAdd simulates the add method only from valid states modify showAdd to force interesting executions pred showAdd [b, b': Book, n: Name, t: Target] { inv[b] add[b, b', n, t] }

5 address book: delete operation
write a predicate for a delete operation removes a name-target pair from a book simulate interesting executions assert and check that delete is the undo of add adding a name-target pair and then deleting that pair yields a book equivalent to original why does this fail? modify the assertion so that it only checks the case when the added pair is not in the pre-state book, and check

6 pattern: abstract machine
treat actions as operations on global state in addressBook, State is Book each Book represents a new system state sig State {…} pred init [s: State] {…} pred inv [s: State] {…} pred op1 [s, s’: State] {…} pred opN [s, s’: State] {…}

7 pattern: invariant preservation
check that an operation preserves an invariant apply this pattern to the addressBook model do the add and delete ops preserve the invariant? assert initEstablishes { all s: State | init[s] => inv[s] } check initEstablishes // for each operation assert opPreserves { all s, s': State | inv[s] && op[s, s'] => inv[s'] check opPreserves

8 pattern: operation preconditions
include precondition constraints in an operation operations no longer total the add operation with a precondition: check that add now preserves the invariant add a sensible precondition to the delete operation check that it now preserves the invariant pred add[b, b': Book, n: Name, t: Target] { // precondition t in Name => (n !in t.*(b.addr) && some b.addr[t]) // postcondition b’.addr = b.addr + n->t }

9 what about traces? we can check properties of individual transitions
what about properties of sequences of transitions? entire system simulation simulate the execution of a sequence of operations algorithm correctness check that all traces end in a desired final state planning problems find a trace that ends in a desired final state

10 pattern: traces model sequences of executions of abstract machine
create linear (total) ordering over states connect successive states by operations constrains all states to be reachable apply traces pattern to the address book model open util/ordering[State] as ord fact traces { init [ord/first] all s: State - ord/last | let s' = s.next | op1[s, s'] or … or opN[s, s'] }

11 ordering module establishes linear ordering over atoms of signature S
open util/ordering[S] S = s0 + s1 + s2 + s3 + s4 s0 s1 s2 s3 s4 first = s0 last = s4 s2.next = s3 s2.prev = s1 s2.nexts = s3 + s4 s2.prevs = s0 + s1 lt[s1, s2] = true lt[s1, s1] = false gt[s1, s2] = false lte[s0, s3] = true lte[s0, s0] = true gte[s2, s4] = false

12 address book simulation
simulate addressBook trace write and run an empty predicate customize and cleanup visualization remove all components of the Ord module but visualization is still complicated need to use projection . . .

13 without projection

14 still without projection

15 with projection

16 with projection and more

17 checking safety properties
can check safety property with one assertion because now all states are reachable check addressBook invariant with one assertion what's the difference between this safety check and checking that each operation preserves the invariant? pred safe[s: State] {…} assert allReachableSafe { all s: State | safe[s] }

18 non-modularity of abstract machine
static traffic light model dynamic traffic light model with abstract machine all dynamic components collected in one sig sig Color {} sig Light { color: Color } sig Color {} sig Light {} sig State { color: Light -> one Color }

19 pattern: local state embed state in individual objects
variant of abstract machine move state/time signature out of first column typically most convenient in last column global state local state sig Color {} sig Light {} sig State { color: Light -> one Color } sig Time {} sig Color {} sig Light { color: Color one -> Time }

20 example: leader election in a ring
many distributed protocols require “leader” process leader coordinates the other processes leader “elected” by processes, not assigned in advance leader is the process with the largest identifier each process has unique identifier leader election in a ring processes pass identifiers around ring if identifier less than own, drops it if identifier greater, passes it on if identifier equal, elects itself leader 2 3 7 1 5 4 8 6

21 leader election: topology
beginning of model using local state abstract machine: processes are ordered instead of given ids download ringElection.als from the tutorial website constrain the successor relation to form a ring open util/ordering[Time] as to open util/ordering[Process] as po sig Time {} sig Process { succ: Process, toSend: Process -> Time, elected: set Time }

22 leader election: notes
topology of the ring is static succ field has no Time column no constraint that there be one elected process that's a property we'd like to check set of elected processes is a definition “elected” at one time instance then no longer fact defineElected { no elected.(to/first) all t: Time – to/first | elected.t = {p:Process | p in (p.toSend.t – p.toSend.(t.prev))} }

23 leader election: operations
write initialization condition init[t: Time] every process has exactly itself to send write no-op operation skip[t, t': Time, p: Process] process p send no ids during that time step write send operation step[t, t': Time, p: Process] process p sends one id to successor successor keeps it or drops it

24 leader election: traces
use the following traces constraint why does traces fact need step(t, t', succ.p)? what's the disadvantage to writing this instead? fact traces { init[to/first] all t: Time – to/last | let t' = t.next | all p: Process | step[t, t', p] || step[t, t', succ.p] || skip[t, t', p] } some p: Process | step[t, t', p] && all p': Process – (p + p.succ) | skip[t, t', p]

25 leader election: analysis
simulate interesting leader elections create intuitive visualization with projection check that at most one process is ever elected no more than one process is deemed elected no process is deemed elected more than once check that at least one process is elected check for 3 processes and 7 time instances write additional constraint to make this succeed

26 ordering module and exact scopes
ordering module forces signature scopes to be exact to analyze rings up to k processes in size: open util/ordering[Time] as to open util/ordering[Process] as po 3 Process, 7 Time exactly 3 Process, exactly 7 Time sig Process {} sig RingProcess extends Process { succ: RingProcess, toSend: RingProcess -> Time, elected: set Time } fact {all p: RingProcess | RingProcess in p.^succ }

27 machine diameter what trace length is long enough to catch all bugs?
does “at most one elected” fail in a longer trace? machine diameter = max steps from initial state longest loopless path is an upper bound run this predicate for longer traces until no solution for three processes, what trace length is sufficient to explore all possible states? pred looplessPath { no disj t, t': Time | toSend.t = toSend.t' } run looplessPath for 3 Process, ? Time

28 thank you! website http://alloy.mit.edu/ provides . . .
online tutorial reference manual research papers academic courses sample case studies alloy-discuss yahoo group

Download ppt "Session 4: Dynamic Modeling"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 4.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2013 Lecture 4.
CS 542: Topics in Distributed Systems Diganta Goswami.

CS 542: Topics in Distributed Systems Diganta Goswami.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Alloy Vatche Ishakian Boston University- CS511 March/24/2008 Contributors: Andrei Lapets, Michalis Potamias, Mark Reynolds.

Alloy Vatche Ishakian Boston University- CS511 March/24/2008 Contributors: Andrei Lapets, Michalis Potamias, Mark Reynolds.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.

1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Mahadevan Subramaniam and Bo Guo University of Nebraska at Omaha An Approach for Selecting Tests with Provable Guarantees.

Mahadevan Subramaniam and Bo Guo University of Nebraska at Omaha An Approach for Selecting Tests with Provable Guarantees.
Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.

Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Chapter 15 Basic Asynchronous Network Algorithms

Chapter 15 Basic Asynchronous Network Algorithms
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
FIT1002 2006 1 FIT1002 Computer Programming Unit 19 Testing and Debugging.

FIT FIT1002 Computer Programming Unit 19 Testing and Debugging.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
10.6.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Similar presentations

Ads by Google