Introduction to Alloy - cse.msu.edu
Introduction to Alloy
L. Dillon
CSE 814 Overview of Alloy 1
Acknowledgements
Excerpted (mostly) and adapted from:
• One-day tutorial at http://alloy.mit.edu/fm06/
• SBMF/ICGT 2006 keynote at http://people.csail.mit.edu/dnj/talks/brazil06/brazil06.pdf
• Lipari talk at http://people.csail.mit.edu/dnj/talks/
• SAIL Tutorial at http://alloy.mit.edu/alloy/tutorials/day-course/
Trans-atlantic analysis
(Oxford, home of Z; Pittsburgh, home of SMV)
• Notation inspired by Z
  • declarative and uniform
  • sets and relations
  • but not easily analyzed
• Analysis inspired by SMV
  • billions of cases in seconds
  • counterexamples, not proofs
  • but not declarative
Why declarative design?
"I conclude there are two ways of constructing a software design. One way is to make it so simple there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies."
– Tony Hoare [Turing Award Lecture, 1980]
Imperative vs. declarative
• The more you add, the less happens
• Good for partial descriptions
• Good for incremental modeling
Why automated analysis?
Software development needs
• Simple, expressive and precise notations
• Deep and automatic analysis, especially in the early stages
"The first principle is that you must not fool yourself, and you are the easiest person to fool."
– Richard P. Feynman
Four key ideas . . .
1) everything is a relation
2) non-specialized logic
3) counterexamples & scope
4) analysis by SAT
Everything is a relation
• Alloy uses relations for
  • all datatypes: sets, scalars, tuples, graphs, etc.
  • structures in space and time
• key operator is dot join
  • relational join, field navigation, function application, ...
Non-specialized logic
• No special constructs for
  • state machines
  • traces
  • synchronization
  • concurrency
  • . . .
Non-specialized logic
Use constraints for describing models:
• Subtypes & classification
• Declarations & multiplicity
• Invariants, operations & traces
• Assertions, including temporal ones
• . . .
Counterexamples & scope
testing: a few cases of arbitrary size
scope-complete: all cases within a small bound
• observations about design analysis:
  • most assertions are wrong
  • most flaws have small counterexamples
Analysis by SAT
[slide pictures: Stephen Cook, Eugene Goldberg, Sharad Malik, Henry Kautz, Yakov Novikov; "Moore's Law"]
• SAT, the quintessential hard problem (Cook 1971)
  • SAT is hard, so reduce SAT to your problem
• SAT, the universal constraint solver (Kautz, Selman, 1990's)
  • SAT is easy, so reduce your problem to SAT
  • solvers: Chaff (Malik), Berkmin (Goldberg & Novikov), ...
SAT Performance
Run the Alloy Analyzer
Download Alloy
– http://alloy.mit.edu/alloy4/
– run the Analyzer
  • double click alloy.jar, or
  • execute java -jar alloy.jar at the command line
Open example
– (In top toolbar) File => Open Sample Models => Examples => Toys => ceilingsAndFloors.als
"ceilings and floors" example

    sig Platform {}                          -- there are "Platform" things
    sig Man {ceiling, floor: Platform}       -- each Man has a ceiling and a floor Platform
    pred Above(m, n: Man) {m.floor = n.ceiling}
        -- Man m is "above" Man n if m's floor is n's ceiling
    fact PaulSimon {all m: Man | some n: Man | n.Above[m]}
        -- "One Man's Ceiling Is Another Man's Floor"
Checking "BelowToo"

    assert BelowToo {
      all m: Man | some n: Man | m.Above[n]
    }                                        -- "One Man's Floor Is Another Man's Ceiling"
    check BelowToo for 2
        -- check "BelowToo" in models with no more than two platforms and no more than two men

"Execute" finds a counterexample
Counterexample to “BelowToo”
Checking "BelowToo"

    pred Geometry {no m: Man | m.floor = m.ceiling}
        -- no man's floor and ceiling are the same
    assert BelowToo' { Geometry => (all m: Man | some n: Man | m.Above[n]) }
        -- if no man's floor and ceiling are the same,
        -- then "One Man's Floor Is Another Man's Ceiling"
    check BelowToo' for 2 expect 0           -- it is true for up to 2 men and 2 platforms
    check BelowToo' for 3 expect 1           -- but not for up to 3 men and 3 platforms
Checking "BelowToo"

    pred NoSharing {
      no m, n: Man | m != n && (m.floor = n.floor || m.ceiling = n.ceiling)
    }                                        -- no two distinct men share a floor or a ceiling
    assert BelowToo'' { NoSharing => (all m: Man | some n: Man | m.Above[n]) }
    check BelowToo'' for 6 expect 0
    check BelowToo'' for 10 expect 0
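As an added illustration (not part of the original slides, and not how the Analyzer is implemented), here is a brute-force enumerator in Python that does for this one model what the "counterexamples & scope" slide describes: it visits every instance with at most N Platform atoms and at most N Man atoms and returns the first one that satisfies PaulSimon but violates the assertion. The function names and the encoding of men as (ceiling, floor) pairs over platform atoms 0..k-1 are this example's own assumptions.

```python
from itertools import product

# Constructed example: a brute-force "analyzer" for the ceilings-and-floors
# model. Men are (ceiling, floor) pairs over platform atoms 0..k-1; Alloy's
# "for N" scope becomes "at most N platforms and at most N men".

def instances(scope):
    """Yield (platforms, men) for every instance within the scope."""
    for n_plat in range(scope + 1):
        platforms = list(range(n_plat))
        for n_men in range(scope + 1):
            # each man independently chooses a ceiling and a floor platform
            for men in product(product(platforms, repeat=2), repeat=n_men):
                yield platforms, list(men)

def above(m, n):            # pred Above(m, n: Man) { m.floor = n.ceiling }
    return m[1] == n[0]

def paul_simon(men):        # fact PaulSimon: all m | some n | n.Above[m]
    return all(any(above(n, m) for n in men) for m in men)

def below_too(men):         # assert BelowToo body: all m | some n | m.Above[n]
    return all(any(above(m, n) for n in men) for m in men)

def geometry(men):          # pred Geometry: no m | m.floor = m.ceiling
    return all(c != f for c, f in men)

def no_sharing(men):        # pred NoSharing: no two distinct men share a floor or a ceiling
    floors = [f for _, f in men]
    ceilings = [c for c, _ in men]
    return len(set(floors)) == len(floors) and len(set(ceilings)) == len(ceilings)

def check(scope, hypothesis=lambda men: True):
    """Return the first counterexample (platforms, men) within the scope, or
    None when `hypothesis => BelowToo` holds in every instance that satisfies
    the fact PaulSimon (None corresponds to Alloy's "expect 0")."""
    for platforms, men in instances(scope):
        if paul_simon(men) and hypothesis(men) and not below_too(men):
            return platforms, men
    return None

if __name__ == "__main__":
    print("BelowToo   for 2:", check(2))              # a counterexample
    print("BelowToo'  for 2:", check(2, geometry))    # None
    print("BelowToo'  for 3:", check(3, geometry))    # a counterexample
    print("BelowToo'' for 4:", check(4, no_sharing))  # None
```

The enumeration grows as (k^2)^n, so brute force only reaches scope 4 here; the NoSharing checks at scope 6 and 10 on the slide are what reducing the problem to SAT buys.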
Alloy Case Studies
Alloy = logic + language + analysis
• logic – first order logic + relational calculus
• language – syntax for structuring specifications in the logic
• analysis – bounded exhaustive search for a counterexample to a claimed property, using SAT