11CS 580: Software SpecificationsCS 580: Software SpecificationsCS 580: Software SpecificationsCS 580: Software SpecificationsLecture 3: Introduction to AlloyCopyright 2001-2002, Matt Dwyer, John Hatcliff, and Rod Howell. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders. Used and modified with permission by Robert Stehwien2 Introduction to basic Alloy constructs using a simple example of a static model How to define domains, subsets, relations with multiplicity constraints How to use Alloy’s quantifiers and predicate forms Basic use of the Alloy Constraint Analyzer (ACA)  Loading, compiling, and analyzing a simple Alloy specification Adjusting basic tool parameters Using the visualization tool to view instances of modelsOutlineOutlineOutlineOutline3Example: Family StructureExample: Family StructureExample: Family StructureExample: Family Structure We want to… Model parent/child relationships as primitive relations Model spousal relationships as primitive relations  Model relationships such as “sibling” as derivedrelations Enforce certain biological constraints via 1st-order predicates(e.g., only one mother, can’t be own ancestor) Enforce certain social constraints via 1st-order predicates (e.g., a wife isn’t a sibling) Confirm or refute the existence of certain derived relationships(e.g., no one has a wife with whom he shares a parent)24DomainsDomainsDomainsDomains Domains are basic sets they are disjoint represent the individual objects that are modeled Typical Alloy modeling strategy Identify basic domains, then declare other sets of interest as subsets Simple example with three domains:domain {A, B, C}5State Components : SetsState Components : SetsState Components : SetsState Components : Sets Sets are introduced as subsets defined over domains either directlyS1 : A //S1 is a subset of domain A or indirectlyS2 : S1 //S2 is a subset of S1 Sets can be introduced in groupsS3,S4,S5 : B //S3,S4,S5 subsets of B6State Components : SetsState Components : SetsState Components : SetsState Components : Sets Groups of sets can have additional constraints Using the disjoint keyworddisjoint S3,S4,S5 : B…guarantees that S3,S4,S5 are disjoint Using the partition keywordpartition S3,S4,S5 : B…guarantees that S3,S4,S5 partition B. That is, S3,S4,S5are disjoint and they cover B---every element from Bmust appear in either S3,S4,or S5.BS3S4S5BS4S3S537Example: Family StructureExample: Family StructureExample: Family StructureExample: Family Structuremodel Family {domain {Person}state {partition Man, Woman : Person Married : Person}Alloy Model Graphical RepresentationPersonManWomanMarried8Model InstancesModel InstancesModel InstancesModel InstancesThe Alloy Constraint Analyzer will generate instances of models so that we can see if they match our intentions. Which of the following are instances of our current model?model Family {model Family {model Family {model Family {domain {Person}domain {Person}domain {Person}domain {Person}state {state {state {state {partition partition partition partition Man, Woman : Person Man, Woman : Person Man, Woman : Person Man, Woman : Person Married : PersonMarried : PersonMarried : PersonMarried : Person}}}}B.Domains:Person = {P0,P1,P2}Sets:Man = {P1,P2}Married = {}Woman = {P0,P1}Domains:Person = {P0,P1,P2}Sets:Man = {P1,P2}Married = {}Woman = {P0}A.C.Domains:Person = {P0,P1,P2,P3}Sets:Man = {P0,P1,P2,P3}Married = {P2,P3}Woman = {}D.Domains:Person = {P0,P1}Sets:Man = {P0}Married = {P1}Woman = {}E.Domains:Person = {P0,P1}Sets:Man = {P0}Married = {P1,P0}Woman = {P1}9State Components: RelationsState Components: RelationsState Components: RelationsState Components: Relations Declaring a relations between two sets A and Br : A -> Br1,r2 : A -> B Comments on notation… denotes r is a subset of A x B Written with -> because we will often think of r as a “mapping” from A to B… but r is not necessarily a function410Example: Family StructureExample: Family StructureExample: Family StructureExample: Family Structuremodel Family {domain {Person}state {// Setspartition Man, Woman : Person Married : Person// Relationssiblings : Person -> Person}}Alloy Model with siblingsDomains:Person = {P0,P1,P2,P3}Sets:Man = {P1,P2}Married = {}Woman = {P0,P3}Relations:siblings = {P0 -> {P1,P2}, P1 -> {P0,P2}, P2 -> {P0,P1}}Example instance(P0,P1)(P0,P2)(P1,P0)(P1,P2)(P2,P0)(P2,P1)Intuition: P0,P1,P2 are siblings11Relation OperatorsRelation OperatorsRelation OperatorsRelation Operators ~ : transpose of relation runs the relational mapping backward (image to ddomain) we can introduce a named transpose at declarationR (~T) : A R (~T) : A R (~T) : A R (~T) : A ----> B> B> B> B What’s a good use of ~ in our Family Structure example?children (~parents) : Person -> Person12MultiplicitiesMultiplicitiesMultiplicitiesMultiplicities Allow us to constrain the sizes of sets, including the definition domain and the image of a relation There are three multiplicities + : one or more ? : zero or one ! : exactly one Examplesred : Color!red : Color!red : Color!red : Color! // set red contains exactly one colorfavorite : Person? favorite : Person? favorite : Person? favorite : Person? // at most one favorite person513MultplicitiesMultplicitiesMultplicitiesMultplicities and Relationsand Relationsand Relationsand RelationsMultiplicities can be applied to the domain, image/range or both of a relation.s1s2s3s4t1t2t3t4C.s1s2s3s4t1t2t3t4A.s1s2s3s4t1t2t3t4B.s1s2s3s4t1t2t3t4D.Conventional name:partial function f : S f : S f : S f : S ----> T?> T?> T?> T? says that, for each element s of S, f maps s to at mosta single value in T Potential instances:14MultplicitiesMultplicitiesMultplicitiesMultplicities and Relationsand Relationsand Relationsand RelationsMultiplicities can be applied to the domain, range or both of a relation.s1s2s3s4t1t2t3t4C.s1s2s3s4t1t2t3t4A.s1s2s3s4t1t2t3t4B.s1s2s3s4t1t2t3t4D.Conventional