alloy: an analyzable modelling language
|
|
- Janel Miles
- 5 years ago
- Views:
Transcription
1 alloy: an analyzable modelling language Daniel Jackson, MIT Ilya Shlyakhter Manu Sridharan Praxis Critical Systems April 25, 2003 Small Tower of 6 Gears, Arthur Ganson
2 preaching to the choir 2
3 preaching to the choir explicit models before code higher quality easier coding 2
4 preaching to the choir explicit models before code higher quality easier coding formalism helps forces simplicity no wishful thinking potential for tools 2
5 assurance/cost tradeoffs 3
6 assurance/cost tradeoffs cost assurance 3
7 assurance/cost tradeoffs hacking cost assurance 3
8 assurance/cost tradeoffs hacking cost assurance 3
9 assurance/cost tradeoffs hacking sketching cost assurance 3
10 assurance/cost tradeoffs cost hacking sketching write-only models assurance 3
11 assurance/cost tradeoffs cost hacking sketching write-only models type-checked models assurance 3
12 assurance/cost tradeoffs cost hacking sketching write-only models type-checked models proven models assurance 3
13 assurance/cost tradeoffs cost hacking sketching write-only models type-checked models analyzed models proven models assurance 3
14 lightweight formal methods 4
15 lightweight formal methods language must be small and simple well defined expressive enough 4
16 lightweight formal methods language must be small and simple well defined expressive enough analysis must be fully automatic semantically deep 4
17 lightweight formal methods language must be small and simple well defined expressive enough analysis must be fully automatic semantically deep user doesn t want to provide test cases invent lemmas 4
18 alloy: a structural, analyzable logic 5
19 alloy: a structural, analyzable logic a notation inspired by Z just sets and relations familiar logical quantifiers simpler, less expressive, all ASCII 5
20 alloy: a structural, analyzable logic a notation inspired by Z just sets and relations familiar logical quantifiers simpler, less expressive, all ASCII an analysis inspired by SMV billions of cases in second counterexamples, not proof declarative logic, not state machines 5
21 alloy: a structural, analyzable logic a notation inspired by Z just sets and relations familiar logical quantifiers simpler, less expressive, all ASCII an analysis inspired by SMV billions of cases in second counterexamples, not proof declarative logic, not state machines Oxford, home of Z 5
22 alloy: a structural, analyzable logic a notation inspired by Z just sets and relations familiar logical quantifiers simpler, less expressive, all ASCII an analysis inspired by SMV billions of cases in second counterexamples, not proof declarative logic, not state machines Oxford, home of Z Pittsburgh, home of SMV 5
23 what to look out for 6
24 what to look out for the language all structure by relations composites by higher-arity entirely first order familiar syntax by puns 6
25 what to look out for the language all structure by relations composites by higher-arity entirely first order familiar syntax by puns the analysis as in Z, everything s a formula tool tries all small tests within a scope model itself is unbounded 6
26 a first alloy model 7
27 a first alloy model module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 7
28 a first alloy model introduces sets of atoms Name and Addr module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 7
29 a first alloy model module an assertion to be checked sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 7
30 a first alloy model module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 set difference 7
31 a first alloy model module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 relational image 7
32 a first alloy model module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 a command the tool executes 7
33 analysis by constraint solving module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 8
34 analysis by constraint solving module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 to check, first negate conjecture 8
35 analysis by constraint solving module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 to check, first negate conjecture some f, s: set N, a: N -> A not (f-s).a = f.a - s.a 8
36 analysis by constraint solving module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 to check, first negate conjecture some f, s: set N, a: N -> A not (f-s).a = f.a - s.a then skolemize away quantifiers 8
37 analysis by constraint solving module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 to check, first negate conjecture some f, s: set N, a: N -> A not (f-s).a = f.a - s.a then skolemize away quantifiers not (f-s).a = f.a - s.a 8
38 analysis by constraint solving module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 to check, first negate conjecture some f, s: set N, a: N -> A not (f-s).a = f.a - s.a then skolemize away quantifiers not (f-s).a = f.a - s.a and now solve for constants 8
39 analysis by constraint solving module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 to check, first negate conjecture some f, s: set N, a: N -> A not (f-s).a = f.a - s.a then skolemize away quantifiers not (f-s).a = f.a - s.a and now solve for constants f = {N0, N1}, s = {N1}, a = {N0->A1, N1->A1} 8
40 analysis by constraint solving module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 9
41 analysis by constraint solving module sig Name, Addr {} assert A { all friends, spammers: set Name, addr: Name -> Addr (friends - spammers).addr = friends.addr - spammers.addr } check A for 3 9
42 try all small tests 10
43 try all small tests language is undecidable so no sound & complete algorithm 10
44 try all small tests language is undecidable so no sound & complete algorithm alloy s analysis is refutation look for a counterexample consider all assignments of values to constants user selects scope (here, 3 names and 3 addrs) 10
45 try all small tests language is undecidable so no sound & complete algorithm alloy s analysis is refutation look for a counterexample consider all assignments of values to constants user selects scope (here, 3 names and 3 addrs) properties of models usually flawed, especially in early stages many bugs, even subtle ones, have small counterexamples 10
46 all small tests 5 smallest revealing scope catch miss cumulative invalid assertions 90% 11
47 all small tests 5 smallest revealing scope catch miss cumulative invalid assertions 90% consequences sound: no false alarms incomplete: can t prove anything 11
48 simulating an operation 12
49 simulating an operation module sig Name, Addr {} fun add (addr, addr : Name -> Addr, n: Name, a: Addr) { addr = addr + (n -> a) } run add for 2 12
50 simulating an operation declares a parameterized formula module sig Name, Addr {} fun add (addr, addr : Name -> Addr, n: Name, a: Addr) { addr = addr + (n -> a) } run add for 2 12
51 simulating an operation module sig Name, Addr {} fun add (addr, addr : Name -> Addr, n: Name, a: Addr) { addr = addr + (n -> a) } forms a tuple run add for 2 12
52 simulating an operation module sig Name, Addr {} fun add (addr, addr : Name -> Addr, n: Name, a: Addr) { addr = addr + (n -> a) } run add for 2 set union 12
53 simulating an operation module sig Name, Addr {} fun add (addr, addr : Name -> Addr, n: Name, a: Addr) { addr = addr + (n -> a) } run add for 2 12
54 alloy semantics 13
55 alloy semantics all values are relations {(a),(b)} is a set {(a)} is a scalar {(a,b)} is a tuple 13
56 alloy semantics all values are relations {(a),(b)} is a set {(a)} is a scalar {(a,b)} is a tuple higher-order values can t be represented directly AddrBook = P(P(Name Addr)) can often be represented with higher-arity AddrBook -> Name -> Addr 13
57 expressions 14
58 expressions expressions are made from variables and set operators p + q, p - q, p & q relational operators p.q, p->q, *p, ^p, ~p ßp. qà = {(p 1, p n-1, q 2, q m ) (p 1, p n ) ` ßpà. (q 1, q m ) ` ßqà. p n = q 1 } p -> q = {(p 1, p n, q 1, q m ) (p 1, p n ) ` ßpà. (q 1, q m ) ` ßqà} 14
59 expressions expressions are made from variables and set operators p + q, p - q, p & q relational operators p.q, p->q, *p, ^p, ~p ßp. qà = {(p 1, p n-1, q 2, q m ) (p 1, p n ) ` ßpà. (q 1, q m ) ` ßqà. p n = q 1 } p -> q = {(p 1, p n, q 1, q m ) (p 1, p n ) ` ßpà. (q 1, q m ) ` ßqà} puns for scalars a, b, sets S, T and relations p, q a -> b is a tuple; S -> T is a relation S.p is image; p.q is join 14
60 formulas 15
61 formulas e in e e is a subset of e not F F and G F or G F => G { F G } implicit conjunction all x: X F some x: X F one x: X F there is exactly one x such that F sole x: X F there is at most one x such that F no x: X F no e there is no tuple in e; e is empty some e there is some tuple in e; e is non-empty sole e there is at most one tuple in e 15
62 fields 16
63 fields module sig Name, Addr {} sig AddrBook { map: Name -> Addr } fun add (b, b : AddrBook, n: Name, a: Addr) { b.map = b.map + n->a } run add 16
64 fields module declares a ternary relation on AddrBook, Name, Addr sig Name, Addr {} sig AddrBook { map: Name -> Addr } fun add (b, b : AddrBook, n: Name, a: Addr) { b.map = b.map + n->a } run add 16
65 fields module sig Name, Addr {} sig AddrBook { map: Name -> Addr } fun add (b, b : AddrBook, n: Name, a: Addr) { b.map = b.map + n->a } run add an instance map = {AB2->N2->A2} b = AB2, b = AB2 a = A2, n = N2 16
66 fields module sig Name, Addr {} sig AddrBook { map: Name -> Addr } fun add (b, b : AddrBook, n: Name, a: Addr) { b.map = b.map + n->a } run add an instance map = {AB2->N2->A2} b = AB2, b = AB2 a = A2, n = N2 16
67 projection (a visualization technique) to show ternary relations index the arcs or project a type 17
68 projection (a visualization technique) to show ternary relations index the arcs or project a type 17
69 projection (a visualization technique) to show ternary relations index the arcs or project a type 17
70 some conjectures 18
71 some conjectures module sig Name, Addr {} sig AddrBook {map: Name -> Addr} fun add (b, b : AddrBook, n: Name, a: Addr) {b.map = b.map + n->a} fun del (b, b : AddrBook, n: Name) {b.map = b.map - n->addr} fun lookup (b: AddrBook, n: Name): set Addr {result = b.map[n]} 18
72 some conjectures equivalent to n.(b.map) module sig Name, Addr {} sig AddrBook {map: Name -> Addr} fun add (b, b : AddrBook, n: Name, a: Addr) {b.map = b.map + n->a} fun del (b, b : AddrBook, n: Name) {b.map = b.map - n->addr} fun lookup (b: AddrBook, n: Name): set Addr {result = b.map[n]} 18
73 some conjectures module sig Name, Addr {} sig AddrBook {map: Name -> Addr} fun add (b, b : AddrBook, n: Name, a: Addr) {b.map = b.map + n->a} fun del (b, b : AddrBook, n: Name) {b.map = b.map - n->addr} fun lookup (b: AddrBook, n: Name): set Addr {result = b.map[n]} assert delundoesadd {all b,b,b : AddrBook, n: Name, a: Addr add (b,b,n,a) and del (b,b,n) => b.map = b.map } assert addidempotent {all b,b,b : AddrBook, n: Name, a: Addr add (b,b,n,a) and add (b,b,n,a) => b.map = b.map } assert addlocal {all b,b : AddrBook, n,n : Name, a: Addr add (b,b,n,a) and n!= n => lookup (b,n ) = lookup (b,n ) } 18
74 some conjectures module sig Name, Addr {} sig AddrBook {map: Name -> Addr} fun add (b, b : AddrBook, n: Name, a: Addr) {b.map = b.map + n->a} fun del (b, b : AddrBook, n: Name) {b.map = b.map - n->addr} fun lookup (b: AddrBook, n: Name): set Addr {result = b.map[n]} 7 assert delundoesadd {all b,b,b : AddrBook, n: Name, a: Addr add (b,b,n,a) and del (b,b,n) => b.map = b.map } assert addidempotent {all b,b,b : AddrBook, n: Name, a: Addr add (b,b,n,a) and add (b,b,n,a) => b.map = b.map } assert addlocal {all b,b : AddrBook, n,n : Name, a: Addr add (b,b,n,a) and n!= n => lookup (b,n ) = lookup (b,n ) } 18
75 some conjectures module sig Name, Addr {} sig AddrBook {map: Name -> Addr} fun add (b, b : AddrBook, n: Name, a: Addr) {b.map = b.map + n->a} fun del (b, b : AddrBook, n: Name) {b.map = b.map - n->addr} fun lookup (b: AddrBook, n: Name): set Addr {result = b.map[n]} 7assert delundoesadd {all b,b,b : AddrBook, n: Name, a: Addr add (b,b,n,a) and del (b,b,n) => b.map = b.map } 3assert addidempotent {all b,b,b : AddrBook, n: Name, a: Addr add (b,b,n,a) and add (b,b,n,a) => b.map = b.map } assert addlocal {all b,b : AddrBook, n,n : Name, a: Addr add (b,b,n,a) and n!= n => lookup (b,n ) = lookup (b,n ) } 18
76 some conjectures module sig Name, Addr {} sig AddrBook {map: Name -> Addr} fun add (b, b : AddrBook, n: Name, a: Addr) {b.map = b.map + n->a} fun del (b, b : AddrBook, n: Name) {b.map = b.map - n->addr} fun lookup (b: AddrBook, n: Name): set Addr {result = b.map[n]} assert delundoesadd {all b,b,b : AddrBook, n: Name, a: Addr add (b,b,n,a) and del (b,b,n) => b.map = b.map } assert addidempotent {all b,b,b : AddrBook, n: Name, a: Addr add (b,b,n,a) and add (b,b,n,a) => b.map = b.map } assert addlocal {all b,b : AddrBook, n,n : Name, a: Addr add (b,b,n,a) and n!= n => lookup (b,n ) = lookup (b,n ) } 18
77 a counterexample assert delundoesadd {all b,b,b : AddrBook, n: Name, a: Addr add (b,b,n,a) and del (b,b,n) => b.map = b.map } 19
78 a counterexample assert delundoesadd {all b,b,b : AddrBook, n: Name, a: Addr add (b,b,n,a) and del (b,b,n) => b.map = b.map } b,b 19
79 a counterexample assert delundoesadd {all b,b,b : AddrBook, n: Name, a: Addr add (b,b,n,a) and del (b,b,n) => b.map = b.map } b,b b 19
80 subsignatures 20
81 subsignatures module sig Target part sig Addr, Name extends Target {} part sig Alias, Group extends Name {} sig AddrBook { map: Name -> Target } 20
82 subsignatures Target module sig Target part sig Addr, Name extends Target {} part sig Alias, Group extends Name {} sig AddrBook { map: Name -> Target } Addr Alias Name Group 20
83 subsignatures Target module sig Target part sig Addr, Name extends Target {} part sig Alias, Group extends Name {} sig AddrBook { map: Name -> Target } Addr Alias Name Group fun add (b, b : AddrBook, n: Name, t: Target) {b.map = b.map + n->t} fun lookup (b: AddrBook, n: Name): set Addr { result = n.^(b.map) & Addr } 20
84 counterexample assert addlocal {all b,b : AddrBook, n,n : Name, a: Addr add (b,b,n,a) and n!= n => lookup (b,n ) = lookup (b,n ) } 21
85 counterexample assert addlocal {all b,b : AddrBook, n,n : Name, a: Addr add (b,b,n,a) and n!= n => lookup (b,n ) = lookup (b,n ) } 21
86 counterexample assert addlocal {all b,b : AddrBook, n,n : Name, a: Addr add (b,b,n,a) and n!= n => lookup (b,n ) = lookup (b,n ) } 21
87 fields of subsignatures module sig Host, Target {} disj sig Name extends Target {} disj sig Addr extends Target {host: Host} part sig Alias, Group extends Name {} sig AddrBook { map: Name -> Target }{all a: Alias sole map[a]} fun gethosts (b: AddrBook, n: Name): set Hosts { result = n.^(b.map).host } 22
88 fields of subsignatures defines field host such that no t.host if t!in Addr module sig Host, Target {} disj sig Name extends Target {} disj sig Addr extends Target {host: Host} part sig Alias, Group extends Name {} sig AddrBook { map: Name -> Target }{all a: Alias sole map[a]} fun gethosts (b: AddrBook, n: Name): set Hosts { result = n.^(b.map).host } 22
89 fields of subsignatures module sig Host, Target {} disj sig Name extends Target {} disj sig Addr extends Target {host: Host} part sig Alias, Group extends Name {} sig AddrBook { map: Name -> Target }{all a: Alias sole map[a]} fun gethosts (b: AddrBook, n: Name): set Hosts { result = n.^(b.map).host } applies host to set of Target; no need to write (expr & Addr).host 22
90 fields of subsignatures module sig Host, Target {} disj sig Name extends Target {} disj sig Addr extends Target {host: Host} part sig Alias, Group extends Name {} sig AddrBook { map: Name -> Target }{all a: Alias sole map[a]} fun gethosts (b: AddrBook, n: Name): set Hosts { result = n.^(b.map).host } signature fact: all this: AddrBook implicit 22
91 fields of subsignatures module sig Host, Target {} disj sig Name extends Target {} disj sig Addr extends Target {host: Host} part sig Alias, Group extends Name {} sig AddrBook { map: Name -> Target }{all a: Alias sole map[a]} fun gethosts (b: AddrBook, n: Name): set Hosts { result = n.^(b.map).host } no partial functions, undefinedness, third logical value type casts 22
92 flexible declarations module sig Target {} part sig Addr, Name extends Target {} part sig Alias, Group extends Name {} sig AddrBook {names: set Name, map: names ->+ Target} 23
93 flexible declarations decl says names is domain of map module sig Target {} part sig Addr, Name extends Target {} part sig Alias, Group extends Name {} sig AddrBook {names: set Name, map: names ->+ Target} 23
94 flexible declarations decl says names is domain of map module sig Target {} part sig Addr, Name extends Target {} part sig Alias, Group extends Name {} sig AddrBook {names: set Name, map: names ->+ Target} fun lookup (b: AddrBook, n: Name): set Addr { result = n.^(b.map) & Addr } fun add (b, b': AddrBook, n: Name, a: Target) { a in Addr or some lookup(b,a) b'.map = b.map + n->a} fun del (b, b': AddrBook, n: Name) {b'.map = b.map - n->addr} 23
95 traces 24
96 traces module 24
97 traces module open std/ord 24
98 traces module open std/ord sig Target {} sig AddrBook {names: set Name, map: names ->+ Target} fun lookup (b: AddrBook, n: Name): set Addr { } fun add (b, b': AddrBook, n: Name, a: Target) { } fun del (b, b': AddrBook, n: Name) { } 24
99 traces module open std/ord sig Target {} sig AddrBook {names: set Name, map: names ->+ Target} fun lookup (b: AddrBook, n: Name): set Addr { } fun add (b, b': AddrBook, n: Name, a: Target) { } fun del (b, b': AddrBook, n: Name) { } fun init (b: AddrBook) {no b.map} 24
100 traces module open std/ord sig Target {} sig AddrBook {names: set Name, map: names ->+ Target} fun lookup (b: AddrBook, n: Name): set Addr { } fun add (b, b': AddrBook, n: Name, a: Target) { } fun del (b, b': AddrBook, n: Name) { } fun init (b: AddrBook) {no b.map} fact traces { 24
101 traces module open std/ord sig Target {} sig AddrBook {names: set Name, map: names ->+ Target} fun lookup (b: AddrBook, n: Name): set Addr { } fun add (b, b': AddrBook, n: Name, a: Target) { } fun del (b, b': AddrBook, n: Name) { } fun init (b: AddrBook) {no b.map} fact traces { all b: AddrBook - Ord[AddrBook].last let b' = OrdNext(b) 24
102 traces module open std/ord sig Target {} sig AddrBook {names: set Name, map: names ->+ Target} fun lookup (b: AddrBook, n: Name): set Addr { } fun add (b, b': AddrBook, n: Name, a: Target) { } fun del (b, b': AddrBook, n: Name) { } fun init (b: AddrBook) {no b.map} fact traces { all b: AddrBook - Ord[AddrBook].last let b' = OrdNext(b) some n: Name, a: Target add (b, b', n, a) or del (b, b', n) 24
103 traces module open std/ord sig Target {} sig AddrBook {names: set Name, map: names ->+ Target} fun lookup (b: AddrBook, n: Name): set Addr { } fun add (b, b': AddrBook, n: Name, a: Target) { } fun del (b, b': AddrBook, n: Name) { } fun init (b: AddrBook) {no b.map} fact traces { all b: AddrBook - Ord[AddrBook].last let b' = OrdNext(b) some n: Name, a: Target add (b, b', n, a) or del (b, b', n) init (Ord[AddrBook].first) } 24
104 traces module open std/ord sig Target {} sig AddrBook {names: set Name, map: names ->+ Target} fun lookup (b: AddrBook, n: Name): set Addr { } fun add (b, b': AddrBook, n: Name, a: Target) { } fun del (b, b': AddrBook, n: Name) { } fun init (b: AddrBook) {no b.map} fact traces { all b: AddrBook - Ord[AddrBook].last let b' = OrdNext(b) some n: Name, a: Target add (b, b', n, a) or del (b, b', n) init (Ord[AddrBook].first) } assert lookupyields {all b: AddrBook, n: b.names some lookup(b,n)} 24
105 counterexample 25
106 counterexample 25
107 counterexample 25
108 counterexample 25
109 counterexample 25
110 what you ve seen 26
111 what you ve seen language first-order encoding r: A -> B looks like r Œ P(A B) but means r Õ A B instead of AddrBook = P(P(Name Addr)) define map: AddrBook -> Name -> Addr simple and uniform syntax navigational dot, rich declarations explicit parameterization 26
112 what you ve seen language first-order encoding r: A -> B looks like r Œ P(A B) but means r Õ A B instead of AddrBook = P(P(Name Addr)) define map: AddrBook -> Name -> Addr simple and uniform syntax navigational dot, rich declarations explicit parameterization analysis executable and declarative no ad hoc constraint on language no test cases 26
113 not seen: modelling idioms 27
114 not seen: modelling idioms schema extension sig AddrBook extends AddrBook {cache: Name -> Addr} 27
115 not seen: modelling idioms schema extension sig AddrBook extends AddrBook {cache: Name -> Addr} object-oriented heap sig State {obj: Ref -> Obj} 27
116 not seen: modelling idioms schema extension sig AddrBook extends AddrBook {cache: Name -> Addr} object-oriented heap sig State {obj: Ref -> Obj} asynchronous processes sig Process {state: Time ->! State} 27
117 not seen: modelling idioms schema extension sig AddrBook extends AddrBook {cache: Name -> Addr} object-oriented heap sig State {obj: Ref -> Obj} asynchronous processes sig Process {state: Time ->! State} explicit events sig Event {t: Time} sig AddEvent extends Event {n: Name, a: Addr} 27
118 not seen: analysis idioms 28
119 not seen: analysis idioms refactoring fun lookup (b: AddrBook, n: Name): set Target { } fun lookup (b: AddrBook, n: Name): set Target { } assert same {all b: AddrBook, n: Name lookup(b,n) = lookup(b,n) 28
120 not seen: analysis idioms refactoring fun lookup (b: AddrBook, n: Name): set Target { } fun lookup (b: AddrBook, n: Name): set Target { } assert same {all b: AddrBook, n: Name lookup(b,n) = lookup(b,n) abstraction fun abstract {c: ConcreteState, a: AbstractState) { } fun opc (c, c : ConcreteState) { } fun opa (a, a : AbstractState) { } assert refines {all a, a : AbstractState, c, c : ConcreteState opc(c,c ) and abstract(c,a) and abstract(c,a ) => opa(a,a ) } 28
121 not seen: analysis idioms refactoring fun lookup (b: AddrBook, n: Name): set Target { } fun lookup (b: AddrBook, n: Name): set Target { } assert same {all b: AddrBook, n: Name lookup(b,n) = lookup(b,n) abstraction fun abstract {c: ConcreteState, a: AbstractState) { } fun opc (c, c : ConcreteState) { } fun opa (a, a : AbstractState) { } assert refines {all a, a : AbstractState, c, c : ConcreteState opc(c,c ) and abstract(c,a) and abstract(c,a ) => opa(a,a ) } machine diameter fun norepeats {no disj b, b : AddrBook b.map = b.map} -- when norepeats is unsatisfiable, trace is long enough 28
122 how analyzer works 29
123 how analyzer works space is huge in scope of 5, each relation has 2 25 possible values 10 relations gives possible assignments 29
124 how analyzer works space is huge in scope of 5, each relation has 2 25 possible values 10 relations gives possible assignments SAT to the rescue 1971: satisfiability problem to be shown NP-complete 1990 s: shown to be easy in practice fastest solvers (Chaff, Berkmin) can handle thousands of boolean variables, millions of clauses 29
125 how analyzer works space is huge in scope of 5, each relation has 2 25 possible values 10 relations gives possible assignments SAT to the rescue 1971: satisfiability problem to be shown NP-complete 1990 s: shown to be easy in practice fastest solvers (Chaff, Berkmin) can handle thousands of boolean variables, millions of clauses translating to SAT an instance is a graph for space of instances, label arcs with boolean variables 29
126 analyzer architecture alloy formula alloy instance scope translate formula mapping translate model boolean formula SAT solver boolean instance 30
127 analyzer architecture alloy formula alloy instance scope translate formula mapping translate model symmetry breaking, template detection, optimizations boolean formula SAT solver boolean instance 30
128 analyzer architecture alloy formula alloy instance customized visualization scope translate formula mapping translate model symmetry breaking, template detection, optimizations boolean formula SAT solver boolean instance 30
129 experience: general 31
130 experience: general amazing number of flaws blatant and subtle in every model 31
131 experience: general amazing number of flaws blatant and subtle in every model good things raises the bar sense of confidence compelling and fun 31
132 experience: general amazing number of flaws blatant and subtle in every model good things raises the bar sense of confidence compelling and fun bad things encourages hacking over confidence 31
133 experience: design analyses 32
134 experience: design analyses about 20 small case studies completed Key management (Taghdiri) Chord peer-to-peer storage (Wee) Firewire leader election (Jackson) Intentional Naming (Khurshid) Query Interface in COM (Sullivan) Unison file synchronizer (Nolte) Cellular automata (Sridharan) Role-based access control (Schaad et al) Ideal Address Translation (Seater & Dennis) 32
135 experience: design analyses about 20 small case studies completed Key management (Taghdiri) Chord peer-to-peer storage (Wee) Firewire leader election (Jackson) Intentional Naming (Khurshid) Query Interface in COM (Sullivan) Unison file synchronizer (Nolte) Cellular automata (Sridharan) Role-based access control (Schaad et al) Ideal Address Translation (Seater & Dennis) typically a few hundred lines of Alloy longest analysis time: 10 mins to 1 hour 32
136 experience: education 33
137 experience: education helps teach modelling abstract descriptions, concrete cases very close to standard first-order logic 33
138 experience: education helps teach modelling abstract descriptions, concrete cases very close to standard first-order logic major part of a course Imperial, U. Iowa, Kansas State 33
139 experience: education helps teach modelling abstract descriptions, concrete cases very close to standard first-order logic major part of a course Imperial, U. Iowa, Kansas State taught, usually with project CMU, Waterloo, Wisconsin, Rochester, Irvine, Georgia Tech, Queen s, Michigan State, Colorado State, Twente, WPI, USC, MIT 33
140 experience: education helps teach modelling abstract descriptions, concrete cases very close to standard first-order logic major part of a course Imperial, U. Iowa, Kansas State taught, usually with project CMU, Waterloo, Wisconsin, Rochester, Irvine, Georgia Tech, Queen s, Michigan State, Colorado State, Twente, WPI, USC, MIT how long? undergraduate with no formal methods background can build small models in 2 weeks 33
141 applications: code analysis procedure specification NOT AND alloy formula instance is counter trace procedure source code unroll loops, bound heap alloy formula instance is execution trace 34
142 applications: code analysis procedure specification NOT AND alloy formula instance is counter trace procedure source code unroll loops, bound heap alloy formula instance is execution trace applied to small, complex algorithms Schorr-Waite garbage collection red-black trees 34
143 applications: code analysis procedure specification NOT AND alloy formula instance is counter trace procedure source code unroll loops, bound heap alloy formula instance is execution trace applied to small, complex algorithms Schorr-Waite garbage collection red-black trees Mandana Vaziri s doctoral thesis 34
144 applications: test case generation invariant, precondition Alloy Analyzer Alloy instances Concretizer test cases 35
145 applications: test case generation invariant, precondition Alloy Analyzer Alloy instances Concretizer test cases why? easier to write invariant than test cases all test cases within scope give better coverage symmetry breaking gives good quality quite 35
146 applications: test case generation invariant, precondition Alloy Analyzer Alloy instances Concretizer test cases why? easier to write invariant than test cases all test cases within scope give better coverage symmetry breaking gives good quality quite applied to Galileo, a NASA fault tree tool generated about 50,000 input trees, each less than 5 nodes found unknown subtle flaws 35
147 applications: test case generation invariant, precondition Alloy Analyzer Alloy instances Concretizer test cases why? easier to write invariant than test cases all test cases within scope give better coverage symmetry breaking gives good quality quite applied to Galileo, a NASA fault tree tool generated about 50,000 input trees, each less than 5 nodes found unknown subtle flaws Sarfraz Khurshid s doctoral thesis 35
148 research challenges 36
149 research challenges scalability: dancing around the intractability tarpit circuit minimization 36
150 research challenges scalability: dancing around the intractability tarpit circuit minimization overconstraint: the dark side of declarative models unsat core prototype highlights contradicting formulas 36
151 research challenges scalability: dancing around the intractability tarpit circuit minimization overconstraint: the dark side of declarative models unsat core prototype highlights contradicting formulas new type system: real subtypes makes semantics fully untyped still no casts, down or up catches more errors, more flexible, better performance 36
152 research challenges scalability: dancing around the intractability tarpit circuit minimization overconstraint: the dark side of declarative models unsat core prototype highlights contradicting formulas new type system: real subtypes makes semantics fully untyped still no casts, down or up catches more errors, more flexible, better performance model extraction looking at how to extract models from code 36
153 for more information alloy.mit.edu downloads for windows, unix, macintosh courses, talks, case studies, papers 37
alloy: an analyzable modelling language
alloy: an analyzable modelling language Daniel Jackson, MIT Ilya Shlyakhter Manu Sridharan Praxis Critical Systems April 25, 2003 Small Tower of 6 Gears, Arthur Ganson preaching to the choir explicit models
More informationalloy: a logical modelling language
alloy: a logical modelling language Daniel Jackson, MIT Ilya Shlyakhter Manu Sridharan ZB 2003 Turku, June 4, 2003 Small Tower of 6 Gears, Arthur Ganson lightweight formal methods ingredients incremental,
More informationanalyzable models for software design Daniel Jackson, MIT University of York February 4, 2004
analyzable models for software design Daniel Jackson, MIT University of York February 4, 2004 why analyzable models? why models? figure out what problem you re solving explore invented concepts communicate
More informationlecture 1: introduction
micromodels of software declarative modelling and analysis with Alloy lecture 1: introduction Daniel Jackson MIT Lab for Computer Science Marktoberdorf, August 2002 lightweight models 2 lightweight models
More informationlecture 1: introduction
micromodels of software declarative modelling and analysis with Alloy lecture 1: introduction Daniel Jackson MIT Lab for Computer Science Marktoberdorf, August 2002 lightweight models a foundation for
More informationDaniel Jackson Computer Science & Artificial Intelligence Lab MIT Microsoft Research March 21, 2005
modelling & analyzing software abstractions Daniel Jackson Computer Science & Artificial Intelligence Lab MIT Microsoft Research March 21, 2005 premise #1: abstractions the design of software abstractions
More informationlogic & language Daniel Jackson Lipari Summer School July 18-22, 2005
logic & language Daniel Jackson Lipari Summer School July 18-22, 2005 handshaking solution what this lecture s about a relational logic first-order logic + relational operators Alloy language signatures
More informationAlloy: A Lightweight Object Modelling Notation
Alloy: A Lightweight Object Modelling Notation Daniel Jackson, ACM Transactions on Software Engineering, 2002 Presented By: Steven Stewart, 2012-January-23 1 Alloy: 2002 to present Software is built on
More informationAn Overview of the Alloy Language & Analyzer. What is Alloy?
An Overview of the Alloy Language & Analyzer Slides contain some modified content from the Alloy Tutorial by G. Dennis & R. Seater (see alloy.mit.edu) Alloy Lecture 1 1 What is Alloy? A formal language
More informationFrom: FM 2006 Alloy Intro and Logic. Greg Dennis and Rob Seater Software Design Group, MIT
From: FM 2006 Alloy Intro and Logic Greg Dennis and Rob Seater Software Design Group, MIT agenda Intro & Logic Language & Analysis Dynamic Modeling M.C. Escher Observations Software is built on abstractions
More informationB.6 Types and Overloading
266 appendix b: alloy language reference B.6 Types and Overloading Alloy s type system was designed with a different aim from that of a programming language. There is no notion in a modeling language of
More informationStatic Program Checking
Bounded Verification Jalloy Automated Software Analysis Group, Institute of Theoretical Informatics Jun.-prof. Mana Taghdiri June 5, 2014 KIT University of the State of Baden-Wuerttemberg and National
More informationAlloy 3.0 Reference Manual
Alloy 3.0 Reference Manual Daniel Jackson May 10, 2004 2004 Daniel Jackson Contributors to the design of the Alloy language include: Daniel Jackson, Manu Sridharan, Ilya Shlyakhter, Emina Torlak, Jonathan
More informationFM 2006 Alloy Tutorial. Dynamic Modeling. Greg Dennis and Rob Seater Software Design Group, MIT
FM 2006 Alloy Tutorial Dynamic Modeling Greg Dennis and Rob Seater Software Design Group, MIT static vs. dynamic models static models describes states, not behaviors properties are invariants e.g. that
More informationCS:5810 Formal Methods in Software Engineering
CS:5810 Formal Methods in Software Engineering Introduction to Alloy Part 1 Copyright 2001-17, Matt Dwyer, John Hatcliff, Rod Howell, Laurence Pilard, and Cesare Tinelli. Created by Cesare Tinelli and
More informationEvaluating State Modeling Techniques in Alloy
16 Evaluating State Modeling Techniques in Alloy ALLISON SULLIVAN, KAIYUAN WANG, and SARFRAZ KHURSHID, The University of Texas at Austin, USA DARKO MARINOV, University of Illinois at Urbana-Champaign,
More informationαrby An Embedding of Alloy in Ruby
αrby An Embedding of Alloy in Ruby September 20, 2013 Aleksandar Milicevic Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology {aleks@csail.mit.edu Abstract. A
More informationCS:5810 Formal Methods in Software Engineering
CS:5810 Formal Methods in Software Engineering Introduction to Alloy Part 2 Copyright 2001-17, Matt Dwyer, John Hatcliff, Rod Howell, Laurence Pilard, and Cesare Tinelli. Created by Cesare Tinelli and
More informationlecture 4: the Alloy language
micromodels of software declarative modelling and analysis with Alloy lecture 4: the Alloy language Daniel Jackson MIT Lab for Computer Science Marktoberdorf, August 2002 the Alloy language syntactic constructs
More informationSoftware Abstractions
Software Abstractions By Isaac Yoshino Sahar Jambi CSCI 5828 Software Engineering Spring 2010 Introduction Software development is difficult. Choosing correct abstractions to base your design around is
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationConceptual modeling of entities and relationships using Alloy
Conceptual modeling of entities and relationships using Alloy K. V. Raghavan Indian Institute of Science, Bangalore Conceptual modeling What is it? Capture requirements, other essential aspects of software
More informationNP and computational intractability. Kleinberg and Tardos, chapter 8
NP and computational intractability Kleinberg and Tardos, chapter 8 1 Major Transition So far we have studied certain algorithmic patterns Greedy, Divide and conquer, Dynamic programming to develop efficient
More informationrethinking the role of design in software development Daniel Jackson Computer Science & Artificial Intelligence Lab MIT
rethinking the role of design in software development Daniel Jackson Computer Science & Artificial Intelligence Lab MIT traditional engineers use models of different sorts three central software models
More informationSWEN-220 Mathematical Models of Software
SWEN-220 Mathematical Models of Software Introduction to Alloy Signatures, Fields, Facts, Predicates, and Assertions 2017 - Thomas Reichlmayr & Michael Lutz 1 Topics What is Alloy? Atoms, Sets, Relations
More informationAppendix B: Alloy Language Reference B.1 Lexical Issues
Appendix B: Alloy Language Reference B.1 Lexical Issues The permitted characters are the printing characters of the ASCII character set, with the exception of backslash \ backquote ` and, of the ASCII
More informationTransitive Closure A binary relation is transitive if, whenever it contains the tuples
logic 63 Some useful facts about transpose: s.~r is equal to r.s, and is the image of the set s navigating backward through the relation r; r.~r is the relation that associates two atoms in the domain
More informationResearch Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001
Research Collection Other Conference Item Formal background and algorithms Author(s): Biere, Armin Publication Date: 2001 Permanent Link: https://doi.org/10.3929/ethz-a-004239730 Rights / License: In Copyright
More informationFormal Modeling and Analysis of a Flash File System in Alloy
Formal Modeling and Analysis of a Flash File System in Alloy Eunsuk Kang & Daniel Jackson MIT ABZ 2008 September 17, London, UK Flash memory Increasingly popular as storage device Benefits: High durability,
More informationconceptual models & modern software construction Daniel Jackson Computer Science & Artificial Intelligence Lab MIT
conceptual models & modern software construction Daniel Jackson Computer Science & Artificial Intelligence Lab MIT what makes software different? ISO speed shutter speed aperture focus depth of field ISO
More informationBounded Model Checking. Mooly Sagiv Slides from Arie Gurfinkel & Sagar Chaki, Daniel Jackson, Shahar Maoz
Bounded Model Checking Mooly Sagiv Slides from Arie Gurfinkel & Sagar Chaki, Daniel Jackson, Shahar Maoz Automatic Program Verification Program P Desired Properties Solver Is there a behavior of P that
More informationFORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY
FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY Pamela Zave AT&T Laboratories Research Florham Park, New Jersey, USA
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationIntroduction to Formal Methods
2008 Spring Software Special Development 1 Introduction to Formal Methods Part I : Formal Specification i JUNBEOM YOO jbyoo@knokuk.ac.kr Reference AS Specifier s Introduction to Formal lmethods Jeannette
More informationCIS 771: Software Specifications. Lecture: Alloy Logic (part D)
CIS 771: Software Specifications Lecture: Alloy Logic (part D) Copyright 2007, John Hatcliff, and Robby. The syllabus and all lectures for this course are copyrighted materials and may not be used in other
More informationDeductive Methods, Bounded Model Checking
Deductive Methods, Bounded Model Checking http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Deductive methods Pavel Parízek Deductive Methods, Bounded
More informationLecture Notes on Real-world SMT
15-414: Bug Catching: Automated Program Verification Lecture Notes on Real-world SMT Matt Fredrikson Ruben Martins Carnegie Mellon University Lecture 15 1 Introduction In the previous lecture we studied
More information1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.
1. true / false By a compiler we mean a program that translates to code that will run natively on some machine. 2. true / false ML can be compiled. 3. true / false FORTRAN can reasonably be considered
More informationDefinition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,
CMPSCI 601: Recall From Last Time Lecture 5 Definition: A context-free grammar (CFG) is a 4- tuple, variables = nonterminals, terminals, rules = productions,,, are all finite. 1 ( ) $ Pumping Lemma for
More informationAlcoa: The Alloy Constraint Analyzer
Alcoa: The Alloy Constraint Analyzer Daniel Jackson, Ian Schechter and Ilya Shlyakhter Laboratory for Computer Science Massachusetts Institute of Technology dnj@lcs.mit.edu ABSTRACT Alcoa is a tool for
More informationAlloy Language and Analysis based on slides from. Greg Dennis and Rob Seater Software Design Group, MIT
Alloy Language and Analysis based on slides from Greg Dennis and Rob Seater Software Design Group, MIT alloy language & analysis language = syntax for structuring specifications in logic shorthands, puns,
More informationCIS 771: Software Specifications. Lecture: Alloy Whirlwind Tour (part A)
CIS 771: Software Specifications Lecture: Alloy Whirlwind Tour (part A) Copyright 2007, John Hatcliff, and Robby. The syllabus and all lectures for this course are copyrighted materials and may not be
More informationComparison of the Modeling Languages Alloy and UML
Comparison of the Modeling Languages Alloy and UML Yujing He Department of Computer Science Portland State University Portland, Oregon, USA Abstract - Alloy is a new modeling language for software design,
More informationCover Page. The handle holds various files of this Leiden University dissertation
Cover Page The handle http://hdl.handle.net/1887/22891 holds various files of this Leiden University dissertation Author: Gouw, Stijn de Title: Combining monitoring with run-time assertion checking Issue
More informationExhaustive Testing Revisited: A New Look at an Old Idea. David Coppit
Exhaustive Testing Revisited: A New Look at an Old Idea David Coppit The College of William and Mary Collaborators: Sullivan, Khurshid 9/11/13 1 Software Verification Through Testing Exhaustive testing
More informationStatic Analysis and Bugfinding
Static Analysis and Bugfinding Alex Kantchelian 09/12/2011 Last week we talked about runtime checking methods: tools for detecting vulnerabilities being exploited in deployment. So far, these tools have
More informationLecture 3: Recursion; Structural Induction
15-150 Lecture 3: Recursion; Structural Induction Lecture by Dan Licata January 24, 2012 Today, we are going to talk about one of the most important ideas in functional programming, structural recursion
More informationFinite State Verification. CSCE Lecture 21-03/28/2017
Finite State Verification CSCE 747 - Lecture 21-03/28/2017 So, You Want to Perform Verification... You have a property that you want your program to obey. Great! Let s write some tests! Does testing guarantee
More informationApplications of Program analysis in Model-Based Design
Applications of Program analysis in Model-Based Design Prahlad Sampath (Prahlad.Sampath@mathworks.com) 2018 by The MathWorks, Inc., MATLAB, Simulink, Stateflow, are registered trademarks of The MathWorks,
More information1 Definition of Reduction
1 Definition of Reduction Problem A is reducible, or more technically Turing reducible, to problem B, denoted A B if there a main program M to solve problem A that lacks only a procedure to solve problem
More informationAdvanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationWe ve studied the main models and concepts of the theory of computation:
CMPSCI 601: Summary & Conclusions Lecture 27 We ve studied the main models and concepts of the theory of computation: Computability: what can be computed in principle Logic: how can we express our requirements
More informationProgram verification. Generalities about software Verification Model Checking. September 20, 2016
Program verification Generalities about software Verification Model Checking Laure Gonnord David Monniaux September 20, 2016 1 / 43 The teaching staff Laure Gonnord, associate professor, LIP laboratory,
More informationOverview. CS389L: Automated Logical Reasoning. Lecture 6: First Order Logic Syntax and Semantics. Constants in First-Order Logic.
Overview CS389L: Automated Logical Reasoning Lecture 6: First Order Logic Syntax and Semantics Işıl Dillig So far: Automated reasoning in propositional logic. Propositional logic is simple and easy to
More informationAn Evolution of Mathematical Tools
An Evolution of Mathematical Tools From Conceptualization to Formalization Here's what we do when we build a formal model (or do a computation): 0. Identify a collection of objects/events in the real world.
More informationA Gentle Introduction to Program Analysis
A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally
More informationHoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic
Introduction Hoare logic Lecture 5: Introduction to separation logic In the previous lectures, we have considered a language, WHILE, where mutability only concerned program variables. Jean Pichon-Pharabod
More informationStatic program checking and verification
Chair of Software Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Müller Static program checking and verification Correctness
More informationHoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18
Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of Cambridge CST Part II 2017/18 Introduction In the previous lectures, we have considered a language, WHILE, where
More informationUsing the Alloy Analyzer to Verify Data Refinement in Z
Electronic Notes in Theoretical Computer Science 137 (2005) 23 44 www.elsevier.com/locate/entcs Using the Alloy Analyzer to Verify Data Refinement in Z Christie Bolton 1,2 Department of Computer Science
More informationIvy: Safety Verification by Interactive Generalization
Consistent * Complete * Well Documented * Easy to Reuse * * Evaluated * PLDI * Artifact * AEC Ivy: Safety Verification by Interactive Generalization Oded Padon Tel Aviv University, Israel odedp@mail.tau.ac.il
More informationRuntime Checking for Program Verification Systems
Runtime Checking for Program Verification Systems Karen Zee, Viktor Kuncak, and Martin Rinard MIT CSAIL Tuesday, March 13, 2007 Workshop on Runtime Verification 1 Background Jahob program verification
More informationDebugging Overconstrained Declarative Models Using Unsatisfiable Cores
Debugging Overconstrained Declarative Models Using Unsatisfiable Cores Ilya Shlyakhter MIT CSAIL, Cambridge, MA ilya shl@mit.edu Manu Sridharan UC Berkeley, Berkeley, CA manu s@cs.berkeley.edu Robert Seater
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 19 Tuesday, April 3, 2018 1 Introduction to axiomatic semantics The idea in axiomatic semantics is to give specifications
More informationA Constraint Solver for Software Engineering: Finding Models and Cores of Large Relational Specifications. Emina Torlak
A Constraint Solver for Software Engineering: Finding Models and Cores of Large Relational Specifications by Emina Torlak M.Eng., Massachusetts Institute of Technology (2004) B.Sc., Massachusetts Institute
More information8.1 Polynomial-Time Reductions
8.1 Polynomial-Time Reductions Classify Problems According to Computational Requirements Q. Which problems will we be able to solve in practice? A working definition. Those with polynomial-time algorithms.
More informationA Relational Framework for Bounded Program Verification. Gregory D. Dennis
A Relational Framework for Bounded Program Verification by Gregory D. Dennis B.S., Massachusetts Institute of Technology (2002) M.Eng., Massachusetts Institute of Technology (2003) Submitted to the Department
More informationFunctional Alloy Modules
Functional Alloy Modules Loïc Gammaitoni and Pierre Kelsen Laboratory for Advanced Software Systems University of Luxembourg 6, rue R. Coudenhove-Kalergi L-1359 Luxembourg TR-LASSY-14-02 Abstract. The
More informationResolution (14A) Young W. Lim 6/14/14
Copyright (c) 2013-2014. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free
More informationType Systems. Pierce Ch. 3, 8, 11, 15 CSE
Type Systems Pierce Ch. 3, 8, 11, 15 CSE 6341 1 A Simple Language ::= true false if then else 0 succ pred iszero Simple untyped expressions Natural numbers encoded as succ succ
More information6. Hoare Logic and Weakest Preconditions
6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program
More informationAutomated Refinement Checking of Asynchronous Processes. Rajeev Alur. University of Pennsylvania
Automated Refinement Checking of Asynchronous Processes Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/ Intel Formal Verification Seminar, July 2001 Problem Refinement Checking Given two
More informationData Integration: Logic Query Languages
Data Integration: Logic Query Languages Jan Chomicki University at Buffalo Datalog Datalog A logic language Datalog programs consist of logical facts and rules Datalog is a subset of Prolog (no data structures)
More informationFORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY
FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 58D, SPRING 20 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY Pamela Zave AT&T Laboratories Research Florham Park, New Jersey, USA THE
More informationNetwork Verification: Reflections from Electronic Design Automation (EDA)
Network Verification: Reflections from Electronic Design Automation (EDA) Sharad Malik Princeton University MSR Faculty Summit: 7/8/2015 $4 Billion EDA industry EDA Consortium $350 Billion Semiconductor
More informationMulti-event IDS Categories. Introduction to Misuse Intrusion Detection Systems (IDS) Formal Specification of Intrusion Signatures and Detection Rules
Formal Specification of Intrusion Signatures and Detection Rules By Jean-Philippe Pouzol and Mireille Ducassé 15 th IEEE Computer Security Foundations Workshop 2002 Presented by Brian Kellogg CSE914: Formal
More informationAssistant for Language Theory. SASyLF: An Educational Proof. Corporation. Microsoft. Key Shin. Workshop on Mechanizing Metatheory
SASyLF: An Educational Proof Assistant for Language Theory Jonathan Aldrich Robert J. Simmons Key Shin School of Computer Science Carnegie Mellon University Microsoft Corporation Workshop on Mechanizing
More informationSymbolic Execution, Dynamic Analysis
Symbolic Execution, Dynamic Analysis http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Symbolic execution Pavel Parízek Symbolic Execution, Dynamic Analysis
More information3.4 Deduction and Evaluation: Tools Conditional-Equational Logic
3.4 Deduction and Evaluation: Tools 3.4.1 Conditional-Equational Logic The general definition of a formal specification from above was based on the existence of a precisely defined semantics for the syntax
More informationAlloy Language & Analysis
Alloy Language & Analysis Excerpted (mostly), adapted (a bit) from: SAIL Tutorial at http://alloy.mit.edu/alloy/tutorials/daycourse/ by Greg Dennis and Rob Seater 1 Alloy = logic + language + analysis
More informationA Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm
Appears as Technical Memo MIT/LCS/TM-590, MIT Laboratory for Computer Science, June 1999 A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm Miguel Castro and Barbara Liskov
More informationSubtyping in Alloy by Emina Torlak
Subtyping in Alloy by Emina Torlak Submitted to the Department of Electrical Engineering and Computer Science in Partial Fulfillment of the Requirements for the Degree of Master of Engineering in Computer
More informationBoolean Functions (Formulas) and Propositional Logic
EECS 219C: Computer-Aided Verification Boolean Satisfiability Solving Part I: Basics Sanjit A. Seshia EECS, UC Berkeley Boolean Functions (Formulas) and Propositional Logic Variables: x 1, x 2, x 3,, x
More informationIncremental Proof Development in Dafny
15-414 Lecture 17 1 Instructor: Matt Fredrikson Incremental Proof Development in Dafny TA: Ryan Wagner In this discussion, we ll see in more detail how to go about proving the total correctness of imperative
More informationSome Hardness Proofs
Some Hardness Proofs Magnus Lie Hetland January 2011 This is a very brief overview of some well-known hard (NP Hard and NP complete) problems, and the main ideas behind their hardness proofs. The document
More informationA Michael Jackson presentation. CSE503: Software Engineering. The following slides are from his keynote at ICSE 1995
A Michael Jackson presentation CSE503: Software Engineering The following slides are from his keynote at ICSE 1995 David Notkin University of Washington Computer Science & Engineering Spring 2006 1 2 3
More informationSemantic Errors in Database Queries
Semantic Errors in Database Queries 1 Semantic Errors in Database Queries Stefan Brass TU Clausthal, Germany From April: University of Halle, Germany Semantic Errors in Database Queries 2 Classification
More informationA Constraint Solver for Software Engineering: Finding Models and Cores of Large Relational Specifications. Emina Torlak
A Constraint Solver for Software Engineering: Finding Models and Cores of Large Relational Specifications by Emina Torlak M.Eng., Massachusetts Institute of Technology (2004) B.Sc., Massachusetts Institute
More information( ) Software Abstractions. With Alloy Analyzer
Software Abstractions With Alloy Analyzer Formal methods In software engineering,formal methods are a particular kind of mathematically-based techniques for the specification,development and verification
More informationTheorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214
Theorem proving PVS theorem prover Abhik Roychoudhury National University of Singapore Both specification and implementation can be formalized in a suitable logic. Proof rules for proving statements in
More informationFinite State Verification. CSCE Lecture 14-02/25/2016
Finite State Verification CSCE 747 - Lecture 14-02/25/2016 So, You Want to Perform Verification... You have a property that you want your program to obey. Great! Let s write some tests! Does testing guarantee
More informationProgramming Languages Third Edition
Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand
More informationThe Relational Model
The Relational Model David Toman School of Computer Science University of Waterloo Introduction to Databases CS348 David Toman (University of Waterloo) The Relational Model 1 / 28 The Relational Model
More informationNP-Hardness. We start by defining types of problem, and then move on to defining the polynomial-time reductions.
CS 787: Advanced Algorithms NP-Hardness Instructor: Dieter van Melkebeek We review the concept of polynomial-time reductions, define various classes of problems including NP-complete, and show that 3-SAT
More informationFinding Minimal Unsatisfiable Cores of Declarative Specifications
Finding Minimal Unsatisfiable Cores of Declarative Specifications Emina Torlak, Felix Sheng-Ho Chang and Daniel Jackson MIT Computer Science and Artificial Intelligence Laboratory {emina, fschang, dnj}@mit.edu
More informationFinding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar
Finding and Fixing Bugs in Liquid Haskell Anish Tondwalkar Overview Motivation Liquid Haskell Fault Localization Fault Localization Evaluation Predicate Discovery Predicate Discovery Evaluation Conclusion
More informationGenerating Structurally Complex Tests from Declarative Constraints. Sarfraz Khurshid
Generating Structurally Complex Tests from Declarative Constraints by Sarfraz Khurshid S.M., Massachusetts Institute of Technology (2000) Part III of the Mathematical Tripos, Trinity College Cambridge
More informationAnalyzing the Uses of a Software Modeling Tool
LDTA 2006 Preliminary Version Analyzing the Uses of a Software Modeling Tool Xiaoming Li 1, Daryl Shannon 2, Jabari Walker 1 Sarfraz Khurshid 2, Darko Marinov 1 1 Dept. of Computer Science, University
More informationSpark verification features
Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Adding specification information to programs Verification concerns checking whether
More informationA Case for Efficient Solution Enumeration
A Case for Efficient Solution Enumeration Sarfraz Khurshid Darko Marinov Ilya Shlyakhter Daniel Jackson MIT Laboratory for Computer Science 200 Technology Square Cambridge, MA 02139 USA {khurshid,marinov,ilya
More information