fm 2006 alloy tutorial - tuhh · fm 2006 alloy tutorial ... abstract sig target {} sig addr extends...
TRANSCRIPT
![Page 1: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/1.jpg)
FM 2006 Alloy Tutorial
Dynamic Modeling
Greg Dennis and Rob SeaterSoftware Design Group, MIT
![Page 2: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/2.jpg)
static vs. dynamic models
� static models� describes states, not behaviors� properties are invariants� e.g. that a list is sorted
� dynamic models� describe transitions between states� properties are operations� e.g. how a sorting algorithm works
![Page 3: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/3.jpg)
model of an address bookmodule tour/addressBook2abstract sig Target {}sig Addr extends Target {}abstract sig Name extends Target {}sig Alias, Group extends Name {}
sig Book { names: set Name, addr: names -> some Target } { no n: Name | n in n.^(addr) all a: Alias | lone a.addr }
fun lookup (b: Book, n: Name): set Addr { n.^(b.addr) & Addr}
assert lookupYields { all b: Book, n: b.names | some lookup(b,n)}check lookupYields for 4 but 1 Book
![Page 4: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/4.jpg)
what about operations?
� how is a name & address added to a book?
� no built-in model of execution� no notion of time or mutable state
� need to model time/state explicitly
� can use a new “book” after each mutation:
pred add (b, b': Book, n: Name, t: Target) { b'.addr = b.addr + n->t }
![Page 5: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/5.jpg)
address book: delete operation
� The delete should remove a name mapping
� Check whether delete undoes addassert delUndoesAdd { all b,b’,b“: Book, n: Name, t: Target | add (b,b’,n,t) and del (b’,b”,n,t) implies b.addr = b“.addr}check delUndoesAdd for 3 ???????
pred del (b, b’: Book, n: Name, t: Target) {b’.addr = b.addr - n -> t
}
![Page 6: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/6.jpg)
Counter Example
![Page 7: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/7.jpg)
address book: delete operation - 2
� Check whether delete undoes add
assert delUndoesAdd { all b,b’,b“: Book, n: Name, t: Target | no n.(b.addr) and add (b,b’,n,t) and del (b’,b”,n,t) implies b.addr = b“.addr}check delUndoesAdd for 3 --> no counter example
![Page 8: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/8.jpg)
what about traces?
� we can check properties of individual transitions� what about properties of sequences of transitions?
� entire system simulation� simulate the execution of a sequence of operations
� algorithm correctness� check that all traces end in a desired final state
� planning problems� find a trace that ends in a desired final state
![Page 9: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/9.jpg)
pattern: traces
� model sequences of executions of abstract machine� create linear (total) ordering over states� connect successive states by operations
� constrains all states to be reachable
� apply traces pattern to the address book model
open util/ordering[State] as ord…fact traces { init (ord/first()) all s: State - ord/last() | let s' = ord/next(s) | op1(s, s') or … or opN(s, s')}
![Page 10: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/10.jpg)
ordering module
� establishes linear ordering over atoms of signature S
open util/ordering[S]
s0 s1 s2 s3prevprevprev
S = s0 + s1 + s2 + s3 + s4
first() = s0last() = s4next(s2) = s3prev(s2) = s1nexts(s2) = s3 + s4prevs(s2) = s0 + s1
s4prev
lt(s1, s2) = truelt(s1, s1) = falsegt(s1, s2) = falselte(s0, s3) = truelte(s0, s0) = truegte(s2, s4) = false
next next next next
![Page 11: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/11.jpg)
Initialize
![Page 12: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/12.jpg)
run show for 4
The last book is interesting: it creates two routes to the same address. Should that be possible???
NOWcheck the empty lookup by using traces.
![Page 13: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/13.jpg)
Empty lookups
pred add (b, b': Book, n: Name, t: Target) { b'.addr = b.addr + n->t }
Counter example
![Page 14: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/14.jpg)
Solving meaningless adds
![Page 15: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/15.jpg)
Violation again because of deletion
![Page 16: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/16.jpg)
Fix: Restrict deletion
![Page 17: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/17.jpg)
Summary
� Just modeled the domain and the correct states (predicates, facts, assertions).
� No code was written.� Used only logic to describe valid states.
But:� How about generating code???
![Page 18: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/18.jpg)
pattern: operation preconditions
� include precondition constraints in an operation� operations no longer total
� the add operation with a precondition:
� check that add now preserves the invariant� add a sensible precondition to the delete operation
� check that it now preserves the invariant
pred add(b, b': Book, n: Name, t: Target) { // precondition t in Name => (n !in t.*(b.addr) && some b.addr[t]) // postcondition b’.addr = b.addr + n->t }
![Page 19: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/19.jpg)
address book simulation
� simulate addressBook trace� write and run an empty predicate
� customize and cleanup visualization� remove all components of the Ord module
� but visualization is still complicated
� need to use projection . . .
![Page 20: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/20.jpg)
without projection
![Page 21: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/21.jpg)
still without projection
![Page 22: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/22.jpg)
selecting projection
![Page 23: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/23.jpg)
with projection
![Page 24: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/24.jpg)
with projection and more
![Page 25: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/25.jpg)
checking safety properties
� can check safety property with one assertion� because now all states are reachable
� check addressBook invariant with one assertion� what's the difference between this safety check and
checking that each operation preserves the invariant?
pred safe(s: State) {…}
assert allReachableSafe { all s: State | safe(s)}
![Page 26: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/26.jpg)
non-modularity of abstract machine
� static traffic light model
� dynamic traffic light model with abstract machine� all dynamic components collected in one sig
sig Color {}sig Light { color: Color}
sig Color {}sig Light {}sig State { color: Light -> one Color}
![Page 27: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/27.jpg)
pattern: local state
� embed state in individual objects� variant of abstract machine
� move state/time signature out of first column� typically most convenient in last column
sig Time {}
sig Color {}
sig Light { color: Color one -> Time}
sig Color {}
sig Light {}
sig State { color: Light -> one Color}
global state local state
![Page 28: FM 2006 Alloy Tutorial - TUHH · FM 2006 Alloy Tutorial ... abstract sig Target {} sig Addr extends Target {} ... s0 s1 s2 s3 prev prev prev S = s0 + s1 + s2 + s3 + s4 first()](https://reader031.vdocuments.net/reader031/viewer/2022020315/5aeaddd87f8b9a585f8ce29e/html5/thumbnails/28.jpg)
thank you!
� websites� http://alloy.mit.edu/� http://alloy.mit.edu/fm06/
� provides . . .� online tutorial� reference manual� research papers� academic courses� sample case studies� alloy-discuss yahoo group