Presentation is loading. Please wait.

Presentation is loading. Please wait.

Alloy Daniel Jackson MIT Lab for Computer Science 6898: Advanced Topics in Software Design February 11, 2002.

Published bySiegfried Bretz Modified over 6 years ago

Similar presentations

Presentation on theme: "Alloy Daniel Jackson MIT Lab for Computer Science 6898: Advanced Topics in Software Design February 11, 2002."— Presentation transcript:

1 alloy Daniel Jackson MIT Lab for Computer Science 6898: Advanced Topics in Software Design February 11, 2002

2 new version of bill’s notes online
course admin new version of bill’s notes online schedule today: Alloy language weds: modelling idioms first problem set out; due 2 weeks later mon: holiday weds: peer review mon: JML, OCL, Z peer review 4 students present models for discussion tasks scribe for today organizer for peer review presenters on JML, OCL, Z 2

3 software blueprints what? clear abstract design captures just essence
why? fewer showstopper flaws major refactoring less likely easier coding, better performance how? identify risky aspects develop model incrementally simulate & analyze as you go 3

4 alloy: a new approach alloy language & analyzer designed hand-in-hand
fully automatic checking of theorems simulation without test cases language a flexible notation for describing structure static structures, or dynamic behaviours a logic, so declarative: incremental & implicit analyzer mouse-click automation generates counterexamples to theorems based on new SAT technology Q: Since Alloy just gives counterexamples, it can’t actually prove things? A: It’s true that it can’t prove things, but the small scope hypothesis (later in lecture) suggests that checking for small scopes is good enough. For any scope that you check with, you can always come up with some bug that it will not find, but most natural bugs are simple enough that a small scope will find them. 4

5 roots & influences Z notation (Oxford, 1980-1992)
elegant & powerful, but no automation SMV model checker (CMU, 1989) 10100 states, but low-level & for hardware Nitpick (Jackson & Damon, 1995) Z subset (no quantifiers), explicit search Alloy (Jackson, Shlyakhter, Sridharan, ) full logic with quantifiers & any-arity relations flexible structuring mechanisms SAT backend, new solvers every month Q: How does states in SMV compare to what the Alloy analyzer can handle? A: Alloy can handle up to around 1000 bits wide, so states. 5

6 experience with alloy applications Chord peer-to-peer lookup (Wee)
Access control (Wee) Intentional Naming (Khurshid) Microsoft COM (Sullivan) Classic distributed algorithms (Shlyakhter) Firewire leader election (Jackson) Red-black tree invariants (Vaziri) taught in courses at CMU, Waterloo, Wisconsin, Rochester, Kansas State, Irvine, Georgia Tech, Queen’s, Michigan State, Imperial, Colorado State, Twente 6

7 elements of alloy project
language design flexible, clean syntax, all F.O. scheme for translation to SAT skolemization, grounding out exploiting symmetry & sharing customizable visualization framework for plug-in solvers currently Chaff & BerkMin decouples Alloy from SAT type checker translator visualizer dot SATLab Chaff Berkmin RelSAT 7

8 alloy type system types
a universe of atoms, partitioned into basic types relational type is sequence of basic types sets are unary relations; scalars are singleton sets examples basic types ROUTER, IP, LINK relations Up: hROUTERi the set of routers that’s up ip: hROUTER, IPi maps router to its IP addr from, to: hLINK,ROUTERi maps link to routers table: hROUTER, IP, LINKi maps router to table DNJ: “The only thing hard about understanding the type system is how simple it is” Q: What’s with the uppercase vs. lowercase letters? A: It means nothing in Alloy, but DNJ’s notation is uppercase first letter for names of sets and lowercase for relations. Q: So is Up a type? A: No, it is a set. So x:Up means x is an element of Up (not that x’s type is Up). 8

9 relational operators join
p.q = {(p1, …pn-1, q2, … qm) |(p1, …pn)2p ^ (q1, … qm)2q ^ pn=q1} for binary relations, p.q is composition for set s and relation r, s.r is relational image q[p] is syntactic variant of p.q product p->q = {(p1, …pn, q1, … qm) | (p1, …pn)2p ^ (q1, … qm) 2q} for sets s and t, s->t is cross product set operators p+q, p-q, p&q union, difference, intersection p in q = ‘every tuple in p is also in q’ for scalar e and set s, e in s is set membership for relations p and q, p in q is set subset Q: Is relational join associative? A: No. 9

10 alloy declarations module routing -- declare sets & relations sig IP {} sig Link {from, to: Router} sig Router { ip: IP, table: IP ->? Link, nexts: set Router } sig Up extends Router {} IP: hIPi Link: hLINKi from, to: hLINK,ROUTERi Router: hROUTERi ip: hROUTER, IPi table: hROUTER, IP, LINKi nexts: hROUTER,ROUTERi Up: hROUTERi 10

11 a sample network 11

12 interlude: identity etc
constants iden[t] identity: maps each atom of type of t to itself univ [t] universal: contains every tuple of type t none [t] zero: contains no tuple of type t examples sig Router { ip: IP, table: IP ->? Link, nexts: set Router } fact NoSelfLinks {all r: Router | r !in r.nexts} fact NoSelfLinks’ {no Router$nexts & iden [Router]} 12

13 alloy constraints fact Basics { all r: Router { // router table refers only to router's links r.table[IP].from = r // nexts are routers reachable in one step r.nexts = r.table[IP].to // router doesn't forward to itself no r.table[r.ip] } // ip addresses are unique no disj r1, r2: Router | r1.ip = r2.ip } fun Consistent () { // table forwards on plausible link all r: Router, i: IP | r.table[i].to in i.~ip.*~nexts } Q: What does r.table[IP] mean? A: It is equivalent to IP.(r.table). [ ] means the same thing as dot, but it has lower precedence (so in r.table[IP], it is the join of IP and r.table). Q: What is the type of r.table[IP] and what does it mean? A: r.table: IP->Link, so r.table[IP] is a set of Links. This expression gets the links for each IP address in the table. 13

14 simulation commands -- show me a network that satisfies the Consistent constraint run Consistent for 2 -- show me one that doesn’t fun Inconsistent () {not Consistent ()} run Inconsistent for 2 Q: If Alloy finds no instance when you run a fun, what does that mean? A: It means that there are conflicting constraints in the model (the model is overconstrained). 14

15 an inconsistent state 15

16 assertions & commands -- define forwarding operation -- packet with destination d goes from at to at’ fun Forward (d: IP, at, at': Router) { at' = at.table[d].to } -- assert that packet doesn’t get stuck in a loop assert Progress { all d: IP, at, at': Router | Consistent() && Forward (d, at, at') => at != at’ } -- issue command to check assertion check Progress for 4 16

17 lack of progress 17

18 introducing mutation -- links now depend on state sig Link {from, to: State ->! Router} -- one table per state sig Router {ip: IP, table: State -> IP ->? Link} -- state is just an atom -- put router connectivity here sig State {nexts: Router -> Router} 18

19 state in constraints fact { all r: Router, s: State { (r.table[s][IP].from)[s] = r s.nexts[r] = (r.table[s] [IP].to)[s] no r.table[s][r.ip] } no disj r1, r2: Router | r1.ip = r2.ip } fun Consistent (s: State) { all r: Router, i: IP | (r.table[s][i].to)[s] in i.~ip.*~(s.nexts) } 19

20 propagation in one step, each router can …
incorporate a neighbour’s entries drop entries fun Propagate (s, s': State) { all r: Router | r.table[s'] in r.table[s] + r.~(s.nexts).table[s] } declarative spec more possibilities, better checking easier than writing operationally 20

21 does propagation work? assert PropagationOK { all s, s': State | Consistent (s) && Propagate (s,s') => Consistent (s') } check PropagationOK for 2 21

22 no! 22

23 try again… fun NoTopologyChange (s,s': State) { all x: Link { x.from[s] = x.from[s'] x.to[s] = x.to[s'] } } assert PropagationOK' { all s, s': State | Consistent (s) && NoTopologyChange (s,s') && Propagate (s,s') => Consistent (s') } check PropagationOK' for 4 but 2 State 23

24 still broken! 24

25 language recap (1) sig X {f: Y} declares a set X
a type TX associated with X a relation f with type hTX,TYi a constraint (all x: X | x.f in Y && one x.f) fact {…} introduces a global constraint fun F (…) {…} declares a constraint to be instantiated assert A {…} declares a theorem intended to follow from the facts 25

26 language recap (2) run F for 3 instructs analyzer to find example of F
using 3 atoms for each type check A for 5 but 2 X instructs analyzer to find counterexample of A using 5 atoms for each type, but 2 for type TX 26

27 other features (3) arbitrary expressions in decls
sig PhoneBook {friends: set Friend, number: friends -> Num} signature extensions sig Man extends Person {wife: option Woman} polymorphism fun Acyclic[t] (r: t->t) {no ^r & iden[t]} modules open models/trees integers #r.table[IP] < r.fanout 27

28 models, validity & scopes
semantic elements assignment: function from free variables to values meaning functions E : Expression -> Ass -> Relation F : Formula -> Ass -> Bool examples expression: Alice.~likes assignment: Alice = {(alice)} Person = {(alice),(bob),(carol)} likes = {(bob, alice),(carol, alice)} value: {(bob),(carol)} 28

29 formula: Alice in p.likes assignment: p = {(bob)} Alice = {(alice)}
Person = {(alice),(bob),(carol)} likes = {(bob, alice),(carol, alice)} value: true formula: all p: Person | Alice in p.likes assignment: Alice = {(alice)} value: false 29

30 validity, satisfiability, etc
meaning of a formula Ass (f) = {set of all well-typed assignments for formula f} Models (f) = {a: Ass(f) | F[f]a = true} Valid (f) = all a: Ass (f) | a in Models(f) Satisfiable (f) = some a: Ass (f) | a in Models(f) ! Valid (f) = Satisfiable (!f) checking assertion SYSTEM => PROPERTY intended to be valid, so try to show that negation is sat model of negation of theorem is a counterexample 30

31 scope a scope is a function from basic types to natural numbers
assignment a is within scope s iff for basic type t, #a(t) ≤ s(t) ‘small scope hypothesis’ many errors can be found in small scopes ie, for the theorems f that arise in practice if f has a counterexample, it has one in a small scope Q: If you get a counterexample in a scope of k, does that mean you will get a counterexample in a scope of k+1? A: Usually, but if you use univ, this is not always the case. Q: Is there some scope that is usually enough to find a counterexample? A: No, this really depends on the model and the complexity of the error. 31

32 what you’ve seen simple notation expressive but first-order
expressive intractable tractable inexpressive simple notation expressive but first-order properties in same notation static & dynamic constraints flexible: no fixed idiom fully automatic analysis simulation, even of implicit operations checking over large spaces concrete output 32

33 incrementality all behaviours declarative operational
a safety property no behaviours 33

34 next time idioms mutation frame conditions object-oriented structure
operations and traces reading questions are on web page answers to me by mail before class 34

Download ppt "Alloy Daniel Jackson MIT Lab for Computer Science 6898: Advanced Topics in Software Design February 11, 2002."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 2.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 2.
Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 4.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2013 Lecture 4.
– Seminar in Software Engineering Cynthia Disenfeld

– Seminar in Software Engineering Cynthia Disenfeld
Micromodels of Software

Micromodels of Software
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Alloy Vatche Ishakian Boston University- CS511 March/24/2008 Contributors: Andrei Lapets, Michalis Potamias, Mark Reynolds.

Alloy Vatche Ishakian Boston University- CS511 March/24/2008 Contributors: Andrei Lapets, Michalis Potamias, Mark Reynolds.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
1 A UML Class Diagram Analyzer Tiago Massoni Rohit Gheyi Paulo Borba Software Productivity Group Informatics Center – UFPE October 2004.

1 A UML Class Diagram Analyzer Tiago Massoni Rohit Gheyi Paulo Borba Software Productivity Group Informatics Center – UFPE October 2004.
Denotational Semantics Syntax-directed approach, generalization of attribute grammars: –Define context-free abstract syntax –Specify syntactic categories.

Denotational Semantics Syntax-directed approach, generalization of attribute grammars: –Define context-free abstract syntax –Specify syntactic categories.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
272: Software Engineering Fall 2008 Instructor: Tevfik Bultan Lectures 5, 6, and 7: Alloy and Alloy Analyzer.

272: Software Engineering Fall 2008 Instructor: Tevfik Bultan Lectures 5, 6, and 7: Alloy and Alloy Analyzer.
Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.

Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
CSC3315 (Spring 2009)1 CSC 3315 Programming Languages Hamid Harroud School of Science and Engineering, Akhawayn University

CSC3315 (Spring 2009)1 CSC 3315 Programming Languages Hamid Harroud School of Science and Engineering, Akhawayn University

Similar presentations

Ads by Google