Introduction to Alloy
L. Dillon
CSE 814 Overview of Alloy 1
Acknowledgements

Excerpted (mostly) and adapted from:
- One-day tutorial at http://alloy.mit.edu/fm06/
- SBMF/ICGT 2006 keynote at http://people.csail.mit.edu/dnj/talks/brazil06/brazil06.pdf
- Lipari talk at http://people.csail.mit.edu/dnj/talks/
- SAIL Tutorial at http://alloy.mit.edu/alloy/tutorials/day-course/
Trans-atlantic analysis

(Slide shows a map: Oxford, home of Z; Pittsburgh, home of SMV.)

- Notation inspired by Z
  • declarative and uniform
  • sets and relations
  • but not easily analyzed
- Analysis inspired by SMV
  • billions of cases in seconds
  • counterexamples, not proofs
  • but not declarative
Why declarative design?

"I conclude there are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies."
– Tony Hoare [Turing Award Lecture, 1980]
Imperative vs. declarative

- The more you add, the less happens
- Good for partial descriptions
- Good for incremental modeling
Why automated analysis?

Software development needs
- Simple, expressive and precise notations
- Deep and automatic analysis, especially in the early stages

"The first principle is that you must not fool yourself, and you are the easiest person to fool."
– Richard P. Feynman
Four key ideas . . .
1) everything is a relation
2) non-specialized logic
3) counterexamples & scope
4) analysis by SAT
Everything is a relation

- Alloy uses relations for
  • all datatypes: sets, scalars, tuples, graphs, etc.
  • structures in space and time
- The key operator is dot join
  • relational join, field navigation, function application, ...
Non-specialized logic

- No special constructs for
  • state machines
  • traces
  • synchronization
  • concurrency
  • . . .
Non-specialized logic (continued)

Use constraints for describing models:
- Subtypes & classification
- Declarations & multiplicity
- Invariants, operations & traces
- Assertions, including temporal ones
- . . .
Counterexamples & scope

testing: a few cases of arbitrary size
scope-complete: all cases within a small bound

- Observations about design analysis:
  • most assertions are wrong
  • most flaws have small counterexamples
Analysis by SAT

(Slide shows photos of Stephen Cook, Eugene Goldberg, Sharad Malik, Henry Kautz and Yakov Novikov.)

- SAT, the quintessential hard problem (Cook 1971)
  • SAT is hard, so reduce SAT to your problem
- SAT, the universal constraint solver (Kautz, Selman, 1990's)
  • SAT is easy, so reduce your problem to SAT
  • solvers: Chaff (Malik), BerkMin (Goldberg & Novikov), ...
Moore’s Law

(Slide shows a chart.)
SAT Performance

(Slide shows a chart.)
Run the Alloy Analyzer

Download Alloy
- http://alloy.mit.edu/alloy4/

Run the Analyzer
- double-click alloy.jar, or
- execute java -jar alloy.jar at the command line

Open an example
- (In top toolbar) File => Open Sample Models => Examples => Toys => ceilingsAndFloors.als
“ceilings and floors” example

```alloy
sig Platform {}                              // there are “Platform” things
sig Man {ceiling, floor: Platform}           // each Man has a ceiling and a floor Platform

pred Above(m, n: Man) {m.floor = n.ceiling}  // Man m is “above” Man n if m's floor is n's ceiling

fact PaulSimon {all m: Man | some n: Man | n.Above[m]}   // "One Man's Ceiling Is Another Man's Floor"
```
Checking “BelowToo”

```alloy
assert BelowToo {
  all m: Man | some n: Man | m.Above[n]      // "One Man's Floor Is Another Man's Ceiling"
}
check BelowToo for 2
```

The `check` looks for a counterexample to "BelowToo" among models with no more than two platforms and no more than two men. “Execute” finds one.
Counterexample to “BelowToo”

(Slide shows the Analyzer's counterexample instance; label on slide: McNaughton.)
Checking “BelowToo”

```alloy
pred Geometry {no m: Man | m.floor = m.ceiling}   // no man’s floor and ceiling are the same

assert BelowToo' {
  Geometry => (all m: Man | some n: Man | m.Above[n])
}   // if no man’s floor and ceiling are the same, then "One Man's Floor Is Another Man's Ceiling"

check BelowToo' for 2 expect 0   // it holds for up to 2 men and 2 platforms
check BelowToo' for 3 expect 1   // but not for up to 3 men and 3 platforms
```
Checking “BelowToo”

```alloy
pred NoSharing {
  no m, n: Man | m != n && (m.floor = n.floor || m.ceiling = n.ceiling)   // no two men share a floor or a ceiling
}

assert BelowToo'' {
  NoSharing => (all m: Man | some n: Man | m.Above[n])
}

check BelowToo'' for 6 expect 0
check BelowToo'' for 10 expect 0
```
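To make concrete what "everything is a relation" and "all cases within a small bound" mean for the checks above, here is an added, stand-alone sketch of the same analysis in Python. It is not code from the slides or from the Alloy distribution: relations are sets of tuples, Alloy's dot join and transpose are small functions, and `check` enumerates every instance inside a scope and returns the first one that satisfies the facts but violates the assertion (the Analyzer does this search through a SAT solver; plain enumeration is used here so the example runs without it). The names `instances`, `check`, the atom labels `M0`/`P0`, and the scope of 4 used for the last check (the slides use 6 and 10) are assumptions of this example.

```python
"""Bounded-scope analysis of the "ceilings and floors" model, done by hand.

Relations are sets of tuples, the dot join is explicit, and `check`
enumerates every instance within a scope, i.e. the scope-complete search
the slides describe (Alloy reduces the same search to SAT; exhaustive
enumeration stands in for the solver here).  Assumed names: instances,
check, atoms M0.., P0..; these are not Alloy's.
"""
from itertools import product


def join(r, s):
    """Alloy dot join r.s: (a, c) whenever (a, b) in r and (b, c) in s."""
    return {(a, c) for (a, b) in r for (b2, c) in s if b == b2}


def transpose(r):
    """Alloy ~r."""
    return {(b, a) for (a, b) in r}


def image(r, x):
    """Navigation x.r for a single atom x: the set of atoms x maps to."""
    return {b for (a, b) in r if a == x}


def above(ceiling, floor):
    """Above as a relation, floor.~ceiling: (m, n) exactly when m.floor = n.ceiling
    (each Man has one floor and one ceiling, so the join captures equality)."""
    return join(floor, transpose(ceiling))


# --- the model's constraints: fact, predicates and assertion bodies ---------

def paul_simon(men, ceiling, floor):
    """fact PaulSimon: all m | some n | n.Above[m]"""
    ab = above(ceiling, floor)
    return all(any((n, m) in ab for n in men) for m in men)


def below_too(men, ceiling, floor):
    """assert BelowToo: all m | some n | m.Above[n]"""
    ab = above(ceiling, floor)
    return all(any((m, n) in ab for n in men) for m in men)


def geometry(men, ceiling, floor):
    """pred Geometry: no m | m.floor = m.ceiling, i.e. nobody is above himself."""
    return not any(m == n for (m, n) in above(ceiling, floor))


def no_sharing(men, ceiling, floor):
    """pred NoSharing: no two distinct men share a floor or a ceiling."""
    return not any(
        m != n and (image(floor, m) == image(floor, n)
                    or image(ceiling, m) == image(ceiling, n))
        for m in men for n in men)


def below_too_prime(men, ceiling, floor):
    """assert BelowToo': Geometry => BelowToo"""
    return (not geometry(men, ceiling, floor)) or below_too(men, ceiling, floor)


def below_too_double_prime(men, ceiling, floor):
    """assert BelowToo'': NoSharing => BelowToo"""
    return (not no_sharing(men, ceiling, floor)) or below_too(men, ceiling, floor)


# --- the analyzer: every instance within the scope -------------------------

def instances(scope):
    """Yield (men, ceiling, floor) for every instance with at most `scope`
    Platform atoms and at most `scope` Man atoms.  ceiling and floor are total
    functions Man -> Platform, as the field declarations require, so a Man
    cannot exist without a Platform."""
    for n_plat in range(scope + 1):
        platforms = [f"P{i}" for i in range(n_plat)]
        for n_men in range(scope + 1):
            men = [f"M{i}" for i in range(n_men)]
            for choice in product(product(platforms, repeat=2), repeat=n_men):
                ceiling = {(m, c) for m, (c, _) in zip(men, choice)}
                floor = {(m, f) for m, (_, f) in zip(men, choice)}
                yield men, ceiling, floor


def check(assertion, scope, facts=(paul_simon,)):
    """Alloy 'check assertion for scope': the first instance that satisfies
    the facts but violates the assertion, or None if none exists in scope.
    None is evidence, not a proof: a larger scope may still hold a
    counterexample (compare BelowToo' at scope 2 and at scope 3)."""
    for men, ceiling, floor in instances(scope):
        if all(f(men, ceiling, floor) for f in facts) \
                and not assertion(men, ceiling, floor):
            return {"Man": men, "ceiling": sorted(ceiling), "floor": sorted(floor)}
    return None


if __name__ == "__main__":
    print("BelowToo   for 2:", check(below_too, 2))               # a counterexample
    print("BelowToo'  for 2:", check(below_too_prime, 2))         # None
    print("BelowToo'  for 3:", check(below_too_prime, 3))         # a counterexample
    print("BelowToo'' for 4:", check(below_too_double_prime, 4))  # None
```

Enumeration grows as (platforms²)^men, which is why Alloy hands the search to a SAT solver instead; the point the slides make survives the swap: a `None` from `check` only says no counterexample exists up to that scope, and `BelowToo'` passing at 2 but failing at 3 is exactly the case where a scope chosen too small would have fooled you.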
Alloy Case Studies
Alloy = logic + language + analysis

- logic – first-order logic + relational calculus
- language – syntax for structuring specifications in the logic
- analysis – bounded exhaustive search for a counterexample to a claimed property, using SAT