and analy larative sis w - mit csaillarative m o d e llin g and analy sis w ith allo y le c tu re 1:...

microm

odels of software

declarative modelling

and analysis with A

lloy

lecture 1: introduction

Daniel JacksonM

IT Lab for Computer Science

Marktoberdorf, August 2002

2

lightweight m

odels

2

lightweight m

odels

a foundation for robust, useable programs

2

lightweight m

odels


elements

›small & sim

ple notations›partial m

odels & analyses›full autom

ation

2

lightweight m

odels


elements

›small & sim



ation

focus on risky aspects›hard to get right, or to check›structure-determ

ining›high cost of failure

3

what assurance costs

3

cost

assurance


3

cost

assurance

hacking


3

cost

assurance

hackingsketching


3

cost

assurance

hackingsketchingw

rite-only models


3

cost

assurance

hackingsketchingw

rite-only models

type-checked models


3

cost

assurance

hackingsketchingw

rite-only models

type-checked models

proven models


3

cost

assurance

hackingsketchingw

rite-only models

type-checked models

analyzed models

proven models


4

my w

ork in marktoberdorf context

4

my w


computation, not interaction

›complem

entary to Harel & Pnueli›relational, not algebraic (cf. Tarlecki and M

eseguer)›underlying idiom

s due to Hoare, Woodcock et al

4

my w



›complem




designed for experts, but not super-experts›like Harel, not Rushby & M

oore›sim

ulation, not just checking

4

my w



›complem





oore›sim


role of mathem

atics›only way to m

ake things simple

›semantics in term

s of sets, and SAT

4

my w



›complem





oore›sim


role of mathem

atics›only way to m

ake things simple

›semantics in term

s of sets, and SAT

started this in 1994, and have had some successes

but much less m

ature than ACL2, PVS, Statemate, etc

5

features of Alloy

5

features of Alloy

structural›express com

plex structure, static and dynamic

›with just a few powerful operators

5

features of Alloy




declarative›a full logic, with conjunction and negation›describe system

as collection of constraints

5

features of Alloy




declarative›a full logic, with conjunction and negation›describe system

as collection of constraints

analyzable›sim

ulation & checking›fully autom

atic

6

structural

6

structural

structure is everywhere›highway system

s, postal routes, company organizations,

library catalogues, address books, phone networks, …

6

structural




structure is becoming m

ore pervasive›self-assem

bling software (eg, Observer pattern)

›mem

ory gets cheaper: address books in every phone

6

structural







›mem


tool researchers have neglected structure›one traffic light is a state m

achine, but a city’s lights are a net

6

structural







›mem


tool researchers have neglected structure›one traffic light is a state m

achine, but a city’s lights are a net

There is no problem in com

puter science that cannot be solvedby introducing another level of indirection, but that usuallyreveals new problem

s --David Wheeler

7

declarative

7

declarative

declarative description›m

odel is collection of properties›the m

ore you say, the less happens

7

declarative




advantages›increm

entality: to say more, add a property

›partiality: doesn’t require special constructs›sim

plicity: no separate language of propertiesSys m

eets Prop: Sys => Prop

7

declarative




advantages›increm

entality: to say more, add a property

›partiality: doesn’t require special constructs›sim

plicity: no separate language of propertiesSys m

eets Prop: Sys => Prop

why less is more

›less constrained system m

eans implem

entation freedom›less constrained environm

ent means greater safety

8

analyzable

8

analyzable

‘write-only’ models

›useful if precise enough›but m

issed opportunity (and wishful thinking)

8

analyzable




tool-assisted modelling

›simulate and check increm

entally›catch errors early, develop confidence›optim

ize for failing case: most of m

y examples will be wrong

8

analyzable




tool-assisted modelling

›simulate and check increm

entally›catch errors early, develop confidence›optim

ize for failing case: most of m

y examples will be wrong

Alloy’s analysis›fully autom

atic, with no user intervention›concrete: generates sam

ples & counterexamples

›like testing, sound but not complete

›unlike testing, billions cases/second

9

declarative & executable?

Small Tow

er of 6 Gears, Arthur Ganson

9


traditionally›declarative XO

R executable›good argum

ents for both

Small Tow


9




ents for both

but can have cake and eat it›with right analysis technology

Small Tow


9




ents for both

but can have cake and eat it›with right analysis technology

Alloy’s analysis can ‘execute’ a model

›forwards or backwards›without test cases›no ad hoc restrictions on logic

Small Tow


10

a numbering problem

10

a numbering problem

given›docum

ent whose paragraphs are tagged with styles›style sheet that gives num

bering rules for styles

10

a numbering problem

given›docum



produce›docum

ent with numbered paragraphs

(like my M

arktoberdorf notes)

10

a numbering problem

given›docum



produce›docum


(like my M

arktoberdorf notes)

\part Introduction\section M

otivation\subsection W

hy?\section Overview\part Conclusions\section Unrelated W

ork




ork

10

a numbering problem

given›docum



produce›docum


(like my M

arktoberdorf notes)




ork




ork

Part A: IntroductionA.1 M

otivationA.1.1 W

hy?A.2 OverviewPart B: ConclusionsB.1 Unrelated W

ork


otivationA.1.1 W


ork

11

a candidate solution

style sheet assigns to each style›an initial value for num

bering›optionally, a parent

11




section1

section1 partA

partA

subsection1

subsection1

parent<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>

<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>

11







ork




ork

section1

section1 partA

partA

subsection1

subsection1


<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>

11







ork




ork

section1

section1 partA

partA

subsection1

subsection1


<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>Part A: Introduction

A.1 Motivation

A.1.1 Why?

A.2 OverviewPart B: ConclusionsB.1 Unrelated W

ork


otivationA.1.1 W


ork

12

styles

12

styles

declare styles & parent relationsig Style {parent: option Style}

12

styles


ask for a sample

fun Show () {som

e parent}run Show

12

styles


ask for a sample

fun Show () {som

e parent}run Show

constrain parent relation to be acyclicfact {Acyclic (parent)}

12

styles


ask for a sample

fun Show () {som

e parent}run Show

how to define acyclicfun Acyclic [t] (r: t -> t) {no iden[t] & ^r}

constrain parent relation to be acyclicfact {Acyclic (parent)}

13

numbers

13

numbers

introduce numbers

sig Number {

next: option Number

}{this != next}

13

numbers

introduce numbers

sig Number {

next: option Number

}{this != next}

add numbers to styles

sig NumberedStyle extends Style {init: Num

ber}fact {Style = Num

beredStyle}

13

numbers

introduce numbers

sig Number {

next: option Number

}{this != next}

add numbers to styles

sig NumberedStyle extends Style {init: Num

ber}fact {Style = Num

beredStyle}

ask for a sample

fun Show () {

some parent}

run Show

14

numbering

14

numbering

declare numbering

sig Numbering {

num: Style ->? Num

ber}

14

numbering

declare numbering

sig Numbering {

num: Style ->? Num

ber}

ask for a sample

fun ShowNum

bering () {some num

}run Show

Numbering

for 2 but 1 Numbering

15

numbering algorithm

15

numbering algorithm

what numbering n’ follows n for paragraph of style s?

›ie, just gave numbering n

›encounter paragraph with style s›m

ust now generate numbering n’

15

numbering algorithm

what numbering n’ follows n for paragraph of style s?

›ie, just gave numbering n

›encounter paragraph with style s›m

ust now generate numbering n’

an attempt:

fun Next (n,n': Numbering, s: Style) {

n'.num =

{d: s.^parent, x: Number | x = n.num

[d]} +s -> if no n.num

[s] then s.init else n.num[s].next

}

16

showing next

16

showing next

run Next for 3 but 2 Numbering

16

showing next


n

16

showing next


n

n’

16

showing next


n

n’

grandchild style sis num

beredw

ith initial value

17

guiding the simulation

17


fun ShowNext (n,n': Num

bering, s: Style) {Next (n,n',s)

&& some n.num

[s.~parent]}run Show

Next for 3 but 2 Numbering

17




&& some n.num



n

17




&& some n.num



nn’

17




&& some n.num



nn’

root style sloses its num

berbecause no next!

18

fixing the operation

18

fixing the operationfun Next (n,n': Num

bering, s: Style) {let i = n.num

[s] | some i => som

e i.nextn'.num

= {d: s.^parent, x: Number | x = n.num


[s] then s.init else n.num[s].next }

18

fixing the operationfun Next (n,n': Num

bering, s: Style) {let i = n.num

[s] | some i => som

e i.nextn'.num

= {d: s.^parent, x: Number | x = n.num


[s] then s.init else n.num[s].next } style s gets

numbered w

ithinitial value

19


19




&& some n.num

[s.~parent] && some n.num

[s]}run Show


20

checking a property

20

checking a property

if style is not a parent, step is reversibleassert Reversible {

all n0, n1, n: Numbering, s: Style - Style.parent |

Next(n0,n,s) && Next(n1,n,s) => n0.num = n1.num

}

check Reversible

21

trying again…

21

trying again…m

ake numbering injective

fact {Injective (next)}

21

trying again…m

ake numbering injective

fact {Injective (next)}

does this fix the problem?

22

counterexample

22

counterexample

after numbering n

22

counterexample

after numbering n

adjacent stylehas no num

berafterw

ards

23

counterexample, ctd

23

counterexample, ctd

beforenum

beringsn0 and n1

23

counterexample, ctd

beforenum

beringsn0 and n1

adjacent style’s number

eliminated, so value

before was irrelevant!

24

masking

24

masking

check again, assuming styles form

a lineassert ReversibleW

henLine {Injective(parent)&& (som

e root: Style | Style in root.*~parent) =>all n0, n1, n: Num

bering, s: Style - Style.parent |Next(n0,n,s) && Next(n1,n,s) => n0.num

= n1.num}

check ReversibleWhenLine

25

counterexample, again

25

counterexample, again

initialization andincrem

ent aredistinct: theorem

is confused!

26

checking a refactoring

26


are these equivalent?fun Next1 (n,n’: Num

bering, s: Style) {n’.num

={d: s.^parent, x: Num

ber | x = n.num[d]} +

s -> if no n.num[s] then s.init else n.num

[s].next}fun Next2 (n,n’: Num

bering, s: Style) {all d: s.^parent | n’.num

[d] = n.num[d]

n’.num[s] = if no n.num


}

26


are these equivalent?fun Next1 (n,n’: Num

bering, s: Style) {n’.num

={d: s.^parent, x: Num

ber | x = n.num[d]} +

s -> if no n.num[s] then s.init else n.num

[s].next}fun Next2 (n,n’: Num

bering, s: Style) {all d: s.^parent | n’.num

[d] = n.num[d]

n’.num[s] = if no n.num


}

ask the tool:assert Sam

e {all n,n’: Num

bering, s: Style | Next1(n,n’,s) iff Next2(n,n’,s)}

27

what happened

27

what happened

incrementality

›write a bit, analyze a bit›constrain just enough

to get key properties›avoids wasted tim

e,encourages sm

all models

27

what happened

incrementality

›write a bit, analyze a bit›constrain just enough

to get key properties›avoids wasted tim

e,encourages sm

all models

analysis prompted questions

›number m

ust have next?›two num

bers have same next?

›style hierarchy a tree? line?

28

declarative vs. operational development

all behaviours;satisfies no safety properties

a safety property

declarative

operational

no behaviours;satisfies all safety properties

29

what’s been done?

29

what’s been done?

analyzing implem

ented systems

›Intentional naming (Khurshid)

›Chord peer-to-peer lookup (Wee)

›Transaction cache (Tucker)

29

what’s been done?

analyzing implem

ented systems




analyzing existing models

›Microsoft CO

M (Sullivan, from

Z)›Firewire leader election (m

e, from Vaandrager’s IO

A)›Unison file synchronizer (Nolte, from

Pierce’s maths)

›UML m

eta model (Vaziri, from

OCL)

›Classic distributed algorithms (Shlyakhter, from

SMV)

29

what’s been done?

analyzing implem

ented systems




analyzing existing models

›Microsoft CO

M (Sullivan, from

Z)›Firewire leader election (m

e, from Vaandrager’s IO

A)›Unison file synchronizer (Nolte, from

Pierce’s maths)

›UML m

eta model (Vaziri, from

OCL)

›Classic distributed algorithms (Shlyakhter, from

SMV)

typically›200 lines of Alloy, 30-200 hours work

30

example: intentional nam

ing

30


ing

query scheme

›intentional names are trees

›result of query is set of simple nam

es

30


ing

n1n0

building

camera

service

ne43printer

database

query scheme



es

30


ing

building

camera

service

ne43

query

n1n0

building

camera

service

ne43printer

database

query scheme



es

30


ing

building

camera

service

ne43

query

n1n0

building

camera

service

ne43printer

database

n0n1

n0

n0

query scheme



es

31

results

31

results

what we did

31

results

what we did›analyzed claim

s made in paper: m

ostly untrue

31

results


s made in paper: m

ostly untrue›analyzed algebraic properties: also untrue

eg, add is monotonic

31

results


s made in paper: m



›adapted model for fixes in code: also broken

31

results


s made in paper: m




›developed new semantics & checked it

31

results


s made in paper: m





reflections

31

results


s made in paper: m





reflections›initial analysis took 2 weeks and 100 lines of Alloy

31

results


s made in paper: m





reflections›initial analysis took 2 weeks and 100 lines of Alloy›found all bugs in trees of 4 nodes or less -- approx 10 secs

31

results


s made in paper: m





reflections›initial analysis took 2 weeks and 100 lines of Alloy›found all bugs in trees of 4 nodes or less -- approx 10 secs›2000 lines of tests hadn’t found bugs in a year

32

challenge: get numbering right

32

challenge: get numbering right

fix the numbering m

echanism to handle

›multiple childrensection and figure have parent chapter

›multiple parentssection has parent chapter and appendix

33

what is a m

odel?

33

what is a m

odel?

a representation of a system›m

ore or less useful, not more or less correct [Fowler]

›useful to the extent that it answers questions [Ross]

33

what is a m

odel?

a representation of a system›m

ore or less useful, not more or less correct [Fowler]

›useful to the extent that it answers questions [Ross]

role of a model

›to explain & evaluate existing system›to explore design of system

to be built

34

why m

odel?

34

why m

odel?

‘plan to throw one away’ [Brooks]›100 line m

odel or 100k lines of code?›nasty surprises happen sooner

34

why m

odel?



designs with clear conceptual models

›easier to use and implem

ent›allow delegation & division of labour

34

why m

odel?



designs with clear conceptual models

›easier to use and implem

ent›allow delegation & division of labour

separation of concerns›conceptual flaws get m

ired in code›not a good use of testing

35

lightweight form

al methods

35

lightweight form

al methods

elements

›small & sim



ation

35

lightweight form

al methods

elements

›small & sim



ation

focus on risky aspects›hard to get right, or to check›structure-determ

ining›high cost of failure

and analy larative sis w - mit csaillarative m o d e llin g and analy sis w ith allo y le c tu re 1:...

Documents