Alloy: A Lightweight Object Modelling Notation

Similar documents
Model Finder. Lawrence Chung 1

From: FM 2006 Alloy Intro and Logic. Greg Dennis and Rob Seater Software Design Group, MIT

logic & language Daniel Jackson Lipari Summer School July 18-22, 2005

Conceptual modeling of entities and relationships using Alloy

Software Abstractions

An Overview of the Alloy Language & Analyzer. What is Alloy?

Alloy: A Lightweight Object Modelling Notation

CS:5810 Formal Methods in Software Engineering

CSC 501 Semantics of Programming Languages

Comparison of the Modeling Languages Alloy and UML

Evaluating State Modeling Techniques in Alloy

LOGIC AND DISCRETE MATHEMATICS

B.6 Types and Overloading

Static Program Checking

Transitive Closure A binary relation is transitive if, whenever it contains the tuples

CIS 771: Software Specifications. Lecture: Alloy Logic (part D)

Copyright 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley. Chapter 6 Outline. Unary Relational Operations: SELECT and

SWEN-220 Mathematical Models of Software

Programming Languages Third Edition

Comp 411 Principles of Programming Languages Lecture 7 Meta-interpreters. Corky Cartwright January 26, 2018

αrby An Embedding of Alloy in Ruby

Appendix 1. Description Logic Terminology

Appendix 1. Description Logic Terminology

Appendix B: Alloy Language Reference B.1 Lexical Issues

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27

rethinking the role of design in software development Daniel Jackson Computer Science & Artificial Intelligence Lab MIT

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

CS:5810 Formal Methods in Software Engineering

Module 6. Knowledge Representation and Logic (First Order Logic) Version 2 CSE IIT, Kharagpur

Lecture 5 - Axiomatic semantics

TITANIUM: Efficient Analysis of Evolving Alloy

Daniel Jackson Computer Science & Artificial Intelligence Lab MIT Microsoft Research March 21, 2005

alloy: a logical modelling language

Alloy 3.0 Reference Manual

Reading part: Design-Space Exploration with Alloy

Quantification. Using the suggested notation, symbolize the statements expressed by the following sentences.

SOFTWARE ENGINEERING DESIGN I

Towards a Logical Reconstruction of Relational Database Theory

lecture 1: introduction

22c:181 / 55:181 Formal Methods in Software Engineering. Introduction to Alloy

Example problems. Combinatorial auction. Towers of Hanoi Rectangle packing Shortest route. 8 queens Soduko Maximizing (minimizing) costs

15-819M: Data, Code, Decisions

rethinking software design by analyzing state

lecture 1: introduction

Proving the Correctness of Distributed Algorithms using TLA

Functional Alloy Modules

Semantic Characterizations of XPath

conceptual models & modern software construction Daniel Jackson Computer Science & Artificial Intelligence Lab MIT

Finding Deadlocks of Event-B Models by Constraint Solving

Distributed Systems Programming (F21DS1) Formal Verification

Tarski: A Platform for Automated Analysis of Dynamically Configurable Traceability Semantics

TITANIUM: Efficient Analysis of Evolving Alloy

Formal Modeling and Analysis of a Flash File System in Alloy

Lectures 20, 21: Axiomatic Semantics

Using Model Checking to Analyze Static Properties of Declarative Models: Extended Version

Part I Logic programming paradigm

Induction and Semantics in Dafny

A fuzzy subset of a set A is any mapping f : A [0, 1], where [0, 1] is the real unit closed interval. the degree of membership of x to f

Lecture 1: Conjunctive Queries

Specifications and Assertions

Software Engineering Lecture Notes

Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis

6. Hoare Logic and Weakest Preconditions

A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm

Introduction to Axiomatic Semantics (1/2)

CSC Discrete Math I, Spring Sets

A Michael Jackson presentation. CSE503: Software Engineering. The following slides are from his keynote at ICSE 1995

CIS 771: Software Specifications. Lecture 4: More Alloy Basics

Alcoa: The Alloy Constraint Analyzer

Computer Science Technical Report

Z Notation. June 21, 2018

Chapter 3: Propositional Languages

Foundations of Databases

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

CS Bootcamp Boolean Logic Autumn 2015 A B A B T T T T F F F T F F F F T T T T F T F T T F F F

alloy: an analyzable modelling language

Query Processing & Optimization

Definition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,

Chapter 13: Query Optimization. Chapter 13: Query Optimization

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

The Invariant Problem for Binary String Structures and the Parallel Complexity Theory of Queries

Amalgam - An Alloy extension for equivalence checking of models

Topic Maps Reference Model, version 6.0

TIME-BASED CONSTRAINTS IN THE OBJECT CONSTRAINT LANGUAGE OCL

Foundations of AI. 9. Predicate Logic. Syntax and Semantics, Normal Forms, Herbrand Expansion, Resolution

A UML Class Diagram Analyzer

Alloy Language and Analysis based on slides from. Greg Dennis and Rob Seater Software Design Group, MIT

Operations of Relational Algebra

7. Relational Calculus (Part I) 7.1 Introduction

An incremental approach to scope-bounded checking using a lightweight formal method

Contents Contents Introduction Basic Steps in Query Processing Introduction Transformation of Relational Expressions...

Schema Mappings and Data Exchange

Relational Databases

Type Checking in COOL (II) Lecture 10

An Annotated Language

A Static Semantics for Alloy and its Impact in Refactorings

(Refer Slide Time: 4:00)

Lecture 3: Recursion; Structural Induction

Programming Languages Assignment #7

Slides for Faculty Oxford University Press All rights reserved.

Transcription:

Alloy: A Lightweight Object Modelling Notation Daniel Jackson, ACM Transactions on Software Engineering, 2002 Presented By: Steven Stewart, 2012-January-23 1

Alloy: 2002 to present Software is built on abstractions. Pick the right ones, and programming will flow naturally from design... Software Abstractions: Logic, Language, and Analysis (Revised Ed.)! Daniel Jackson (MIT Software Design Group) 2

Modelling Almost all recent development methods factor out the structural aspect of a software system, usually called the object model Lightweight models description (or specification) of basic structures based on a small syntax automation and analysis 3

What is Alloy? (2002) A modelling notation that can express a useful range of structural properties Alloy is a lightweight object modelling notation for describing... basic structure intricate constraints operations (how structures change dynamically) 4

What is Alloy? (2012) A modelling notation that can express a useful range of structural properties Alloy is a structural modelling language based on first-order logic for expressing complex constraints and behaviours http://alloy.mit.edu/alloy/faq.html Alloy is a declarative specification language for expressing complex structural constraints and behaviour in a software system http://en.wikipedia.org/wiki/alloy_(specification_language 5

What is Alloy? (2012) Logic, Language, and Analysis Logic:! all structures are represented as relations; structural!!! properties are expressed with a few simple operators;!!!! states and executions both described using constraints 6

What is Alloy? (2012) Logic, Language, and Analysis Logic:! all structures are represented as relations; structural!!! properties are expressed with a few simple operators;!!!! states and executions both described using constraints Language:! syntax added to logic for structuring descriptions; a!!!! flexible type system; simple module system 7

What is Alloy? (2012) Logic, Language, and Analysis Logic:! all structures are represented as relations; structural!!! properties are expressed with a few simple operators;!!!! states and executions both described using constraints Language:! syntax added to logic for structuring descriptions; a!!!! flexible type system; simple module system Analysis:! constraint solving; simulation (finding instances of states!!!! or executions); checking (finding counterexamples) 8

What is Alloy? (1997-2012) Logic, Language, and Analysis Logic: first-order logic + transitive closure (for describing reachability constraints 9

What is Alloy? (1997-2012) Logic, Language, and Analysis Logic: first-order logic + transitive closure (for describing reachability constraints Language: declarative: describe the effect of a behaviour, not the mechanism 10

What is Alloy? (1997-2012) Logic, Language, and Analysis Logic: first-order logic + transitive closure (for describing reachability constraints Language: declarative: describe the effect of a behaviour, not the mechanism Analysis (we ll get to this later) 11

What Alloy is not? A modelling notation that can express a useful range of structural properties Alloy is not for describing... dynamic interactions between objects syntactic structure in an implementation (i.e., class hierarchy and packages) 12

What Alloy is not? A modelling notation that can express a useful range of structural properties Alloy is not for describing... dynamic interactions between objects syntactic structure in an implementation (i.e., class hierarchy and packages) DynAlloy (Frias, Galeotti, and Pombo, 2005-present), an extension to Alloy to describe dynamic properties of systems using actions 13

Comparisons...a large class of structural models can be described in Z without higher order features, and can thus be analyzed efficiently Alloy is based on Z, but simplifies the underlying semantics Z was not as amenable to analysis, so Alloy eliminates features that make analysis hard OCL deemed too complicated -- a consequence of trying to accommodate notions from object-oriented programming 14

Alloy: Language (2002) Language syntax, type rules, and semantics -- simple and concise. problem ::= decl* formula decl ::= var : typexpr typexpr ::= type type -> type type => typexpr formula ::= expr in expr subset! formula negation formula && formula conjunction formula formula disjunction all v : type formula universal some v : type formula existential expr ::= expr + expr union expr & expr intersection expr - expr difference expr. expr navigation ~ expr transpose + expr closure {v : t formula} set former Var Var ::= var variable Var [var] application E G a: S, E G b: S E G a in b E, v: T G F E G all v : T F E Ga: S T, E Gb: S T E Ga + b : S T E G a: S T, E G b: S U E G a. b : U T E G a: S T E G ~a : T S E G a: T T E G +a : T T E, v: T G F E G {v: T F} : T E G a: T t, E G v: T E G a[v]: t M : formula env boolean X : expr env value env = (var + type) value value = P (atom atom) + (atom value) M [a in b] e = X[a] e X[b] e M [! F] e = M [F] e M [F && G] e = M [F] e M [G] e M [F G] e = M [F] e M [G] e M [all v: t F] e = {M [F](e v [ x) (x,unit) e(t)} M [some v: t F] e = {M [F](e v [ x) (x, unit) e(t)} X [a + b] e = X [a] e X [b] e X [a & b] e = X [a] e X [b] e X [a - b] e = X [a] e \ X [b] e X [a. b] e = {(x,z) y. (y,z) X [a] e (y,x) X [b] e} X [~a] e = {(x,y) (y,x) X [a] e} X [+a] e = the smallest r such that r ; r r X [a] e r X [{v: t F}] e = {(x,unit) e(t) M [F](e v [ x)} X [v] e = e(v) X [a[v]] e = (e(a)) (e(v)) 15

Alloy: Relations In fact, beneath the surface, everything in Alloy is a relation 16

Alloy: Relations In fact, beneath the surface, everything in Alloy is a relation Scalars are simply unary relations with a single tuple e.g., RootDir = {<d0>} 17

Alloy: Relations In fact, beneath the surface, everything in Alloy is a relation Scalars are simply unary relations with a single tuple e.g., RootDir = {<d0>} We can express structure with relations, using three different styles of logic supplemented with set, relational, and logical operators 18

Alloy: Language (2012) Supports three styles of expressing logic predicate calculus, navigation expression, relational calculus 19

Alloy: Language (2011) Supports three styles of expressing logic predicate calculus, navigation expression, relational calculus two kinds of expressions: relation names (used as predicates) and tuples formed from quantified variables names in an address book are mapped to at most one address all n: Name, d, d : Address n->d in address and n->d in address implies d = d 20

Alloy: Language (2011) Supports three styles of expressing logic predicate calculus, navigation expression, relational calculus expressions denote sets that are formed by navigating from quantified variables along relations names in an address book are mapped to at most one address all n: Name lone n.address 21

Alloy: Language (2011) Supports three styles of expressing logic predicate calculus, navigation expression, relational calculus expressions denote relations, and there are no quantifiers names in an address book are mapped to at most one address no ~address.address - iden 22

Alloy: Language (2011) Set operators: union, intersection, difference, subset, equality 23

Alloy: Language (2011) Set operators: union, intersection, difference, subset, equality Relational operators: product, join, transpose, transitive-closure, reflexive closure 24

Alloy: Language (2011) Set operators: union, intersection, difference, subset, equality Relational operators: product, join, transpose, transitive-closure, reflexive closure Logical operators: negation, conjunction, disjunction, implication, bi-implication 25

Alloy: Analysis The relational specification is translated into a boolean formula, which is handed over to a backend SAT-solver If a model has at least one instance satisfying all constraints, then the model is said to be consistent To check an assertion, we look for a model (or instance) of its negation in order to produce a counter-example The Alloy Analyzer enables the ability to check models within a finite scope -- failure to find a model within that scope does not prove that the formula is inconsistent An exhaustive scope of 10 gives more coverage of a model than handwritten test cases ever could! (D. Jackson: small scope hypothesis ) 26

Alloy: Analysis Program testing can be used to show the presence of bugs, but never to show their absence Edsger W. Dijkstra Small-scope hypothesis (from Software Abstractions) Most bugs in code elude testing 27

Alloy: Analysis Program testing can be used to show the presence of bugs, but never to show their absence Edsger W. Dijkstra Small-scope hypothesis (from Software Abstractions) Most bugs in code elude testing Instance finding has more extensive coverage than traditional testing 28

Alloy: Analysis Program testing can be used to show the presence of bugs, but never to show their absence Edsger W. Dijkstra Small-scope hypothesis (from Software Abstractions) Most bugs in code elude testing Instance finding has more extensive coverage than traditional testing Most bugs have small counterexamples -- if you examine all small cases, you re likely to find a counterexample 29

Alloy: Analysis Program testing can be used to show the presence of bugs, but never to show their absence Edsger W. Dijkstra Small-scope hypothesis (from Software Abstractions) Most bugs in code elude testing Instance finding has more extensive coverage than traditional testing Most bugs have small counterexamples -- if you examine all small cases, you re likely to find a counterexample Summary: covering of ALL cases (potentially billions) in a small scope will uncover most flaws! 30

The Alloy Style of Modelling Alloy is amenable to fully automatic semantic analysis that can provide checking of consequences and consistency In this style of modelling, a model can be developed incrementally, and explored at each step using the analyzer 31

Alloy: Analysis Alloy is amenable to fully automatic semantic analysis that can provide checking of consequences and consistency Simulation View instances of your model. Correct model. Fix them. Try again. Checking Check assertions against the specification. Find counterexamples. Correct model (fix bugs). Save yourself from future hassles! 32

The clock is ticking... If we have enough time, I ll show you a sample Alloy specification for a file system -- somewhat similar to the one in the paper, but simpler... Until then, we will move on to Experience and Evaluation 33

Experience and Evaluation 2000-2002 analysis of a resource discovery system design of an air traffic control system component reformulation of some essential properties of Microsoft COM s query interface translation from OCL to Alloy of UML core metamodel, which was shown to be consistent using the Alloy Analyzer 34

Experience and Evaluation 1997 - present addition of quantifiers, higher arity, relations, polymorphism, subtyping, and signatures Alloy4 uses a model finder called Kodkod, demonstrating significant improvements in performance and scalability Alloy has been used to model... name servers, network configuration protocols, access control, telephony, scheduling, document structuring, key management, cryptography, instant messaging, railway switching, filesystem synchronization, semantic web http://alloy.mit.edu/alloy/faq.html 35

Experience and Evaluation Over 600 citations (Google Scholar) Over 100 case studies A dozen languages translated to Alloy Select tools built on Alloy4 (Alloy + Kodkod) Forge, Squander, Alloy4Eclipse, DynAlloy, TACO, Equals Checker, Nitpick, Margrave http://alloy.mit.edu/alloy/applications.html 36

Concluding Remarks A modelling notation that can express a useful range of structural properties Alloy emerged from a series of observations a large class of structural models can be described in Z without higher-order features, and can thus be analyzed efficiently 37

Concluding Remarks A modelling notation that can express a useful range of structural properties Alloy emerged from a series of observations a large class of structural models can be described in Z without higher-order features, and can thus be analyzed efficiently Alloy combines familiar and well-tested ideas from existing notations 38

Concluding Remarks A modelling notation that can express a useful range of structural properties Alloy emerged from a series of observations a large class of structural models can be described in Z without higher-order features, and can thus be analyzed efficiently Alloy combines familiar and well-tested ideas from existing notations Alloy s kernel language represents an attempt to capture the essence of object modelling 39

Concluding Remarks A modelling notation that can express a useful range of structural properties Alloy emerged from a series of observations a large class of structural models can be described in Z without higher-order features, and can thus be analyzed efficiently Alloy combines familiar and well-tested ideas from existing notations Alloy s kernel language represents an attempt to capture the essence of object modelling The ability to experiment with a model and check properties changes the very nature of modelling 40

Alloy Specification (2002) The model is divided into paragraphs... domain paragraph: declares sets of atoms (e.g., file system objects, directory entries, names) state paragraph: declares state components, which are static sets representing fixed classifications of objects (e.g., File and Dir) definition paragraph: used to define relations in terms of other state components (e.g., the parent of o follows the entries relation backward) invariants: these are facts about the model (e.g., any two distinct entries have different names) 41

Alloy Specification (2012) Signatures -- introduces a set of atoms Facts -- constraints that are assumed always to hold Assertions -- constraints that are expected to follow from the facts of the model; the analyzer checks assertions to detect design flaws Predicates -- constraints that you don t want to record as facts; (e.g., you might want to analyze a model with a particular constraint included, and then excluded) Functions -- a named expression intended for reuse 42

Example Alloy Specification A file system is composed of file system objects (FSObject), which are files (File) and directories (Dir) A FileSystem has a root directory, a live set of files and directories, a relation describing the contents of directories, and a parent relation that describes parent/sub-directory relationships Facts about our model: no root has a parent FSObjects are reachable from root parent is the inverse of contents relation contents only defined on live FSObjects 43

Example Alloy Specification We expect that a file system will have only one root directory, which we can check via an assertion and a check command. If one exists, the analyzer will find a counterexample within the specified scope (5, here), which advises us to revise our model. 44

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback