analyzing relational logic daniel jackson, mit wg 2.3 · newcastle april 2000

analyzing relational logic

Daniel Jackson, MITWG 2.3 · NewcastleApril 2000

2

language assumptions

language·first-order logic·set & relation operators·uninterpreted types

3

analysis desired

simulationfind a state that satisfies invariant J… and additionally condition C·find an execution of operation O… resulting in a state satisfying P… from a state satisfying P… that changes the component x… that is not an execution of operation Ov

checking·does invariant J imply invariant Jv?·does operation O preserve invariant J ?·does operation Oc refine Oa under abstraction A?

4

analyses not possible

refinement·does Oc refines Oa for some abstraction?·are all executions of O also executions of O1;O2?

spec by minimization·make smallest change to connections that satisfies C …

precondition checks·does O have an execution from every state satisfying C?

temporal checks·do reachable states satisfy J ?

5

semantics: formulas

M : formula env booleanX : expr env valueenv = (var + type) valuevalue = (atom atom) + (atom value)

M [a in b] e = X[a]e X[b]eM [! F] e = M[F]eM [F && G] e = M[F]e M[G]eM [all v: t | F] e = {M[F] (e v x) | x e(t)}

6

semantics: expressions

X : expr env valueenv = (var + type) valuevalue = (atom atom) + (atom value)

X [a + b] e = X[a]e X[b]eX [a . b] e = {y | x. x X[a]e (x,y) X[b]e}X [~a] e = {(x,y) | (y,x) X[a]e}X [+a] e = the smallest r such that r ; r x X[a]e xX [{v: t | F}] e = {x e(t) | M[F] (e v x)}X [v] e = e(v)X [a[v]] e = e(a)(v)

7

models

models are well-formed environments for which formula holdsM : formula env booleanModels (F) = {e | M[f]e}

environment e is well formed iff·tight: only bind variables declared along with formula·type correct: if expression a has type T, X[a]e X[T]e

e is within scope k iff·for all basic types T, #X[T]e = k·write Modelsk (F) for models within scope k

8

small scope hypothesis

% bugscaught

scope

90

4

most bugs can be caught by considering only small instances

9

example

problema, b : Sp : S -> T! (a – b).p in (a.p – b.p)

a model in a scope of 2S = {S0, S1}T = {T0, T1}p = {(S0, T0), (S1, T0)}a = {S0}b = {S1}

S0

S1

T0

T1

a

b

10

what Alcoa does

alcoa : formula, scope env·does not always succeed (ie, may return nothing)

properties·termination: always, with deterministic solvers·soundness: alcoa (F, k) Modelsk (F)·relative completeness: Modelsk (F) {} alcoa (F, k)

succeeds

non-properties·minimality: alcoa (F, k) not the smallest model of F in k·completeness: Models (F) {} alcoa (F, k) succeeds

so counterexamples are real, but can’t prove theorems

11

scope monotonicity

Alcoa is scope monotonic·alcoa (F, k) succeeds alcoa (F, k+1) succeeds· if scope of 7 fails, no need to try 6, 5, …

because models are scope monotonic·Modelsk (F) Modelsk+1 (F)

·property of Alloy, not kernel

12

every analysis is model finding

does operation O preserve invariant J ?alcoa (O && J && !J’ , 3)

show me how O1 and O2 differalcoa ((O1 && !O2) || (O2 && !O1) , 3)

show me an execution of O that changes xalcoa (O && !x = x’ , 3)

13

alcoa architecture

TRANSLATEPROBLEM

TRANSLATESOLUTION

MAPPING

BOOLEANFORMULA

BOOLEANASSIGNMENT

SATSOLVER

DESIGNPROBLEM

DESIGNANALYSIS

alcoa

14

overview of method

from alloy formula F and scope k generateboolean formula BFmapping : BoolAssignment Environmentsuch that

maps every solution of BFn Modelsk (F) n Models (BF)

15

SAT solvers

in theory·3-SAT is NP-complete

in practice·solvers work well for <1000 variables and <100,000 clauses

·usually give small models

kinds of solver· local search (eg, WalkSAT)·Davis-Putnam (eg, RelSAT, SATO)·non-clausal (eg, Prover)

16

example

problema, b : Sp : S -> T! (a – b).p in (a.p – b.p)

translation in scope of 2· formula becomes((a0b0 p00) (a1b1 p10) ((a0 p00) (a1 p10)) ((b0 p00) (b1 p10))) …

·a model isa0 , a1 , b0 , b1 , p00 , p01 , p10 ,

p11

mapping function ·set to vector of bool var

a [a0 a1]b [b0 b1]

· relation to matrixp [p00 p01 , p10 p11]

final resultS = {S0, S1}T = {T0, T1}p = {(S0, T0), (S1, T0)}

a = {S0}b = {S1}

17

compositional translation

translating relation r: S -> TXT [r]ij boolean var, true when r contains (Si, Tj)

translating expression e: TXT [a]i boolean formula, true when a contains Ti

translating formulasMT [F] boolean formula, true for models of F

sample rulesMT [F && G] = MT[F] MT[F] XT [a - b]i = XT [a]i XT [b]iXT [a . b]i = j. XT [a]j XT [b]ji

18

example

a [a0 a1]b [b0 b1]p [p00 p01 , p10 p11]a – b [a0b0 a1b1](a – b).p [(a0b0 p00) (a1b1 p10) …]a.p [(a0 p00) (a1 p10) (a0 p01) (a1 p11)]b.p [(b0 p00) (b1 p10) (b0 p01) (b1 p11)]a.p – b.p [((a0 p00) (a1 p10)) ((b0 p00) (b1 p10)) …]

! (a – b).p in (a.p – b.p) (((a0b0 p00) (a1b1 p10)

((a0 p00) (a1 p10)) ((b0 p00) (b1 p10))))

…

19

quantifiers

example!((all x | x in x.p) -> (all x | x in x.p.p))

put in negation normal form(all x | x in x.p) && (some x | ! x in x.p.p)

skolemize(all x | x in x.p) && ! (xc in xc.p.p)

how to translate remaining universal quantifiers?

20

environments & trees

semanticsM : formula env booleanX : expr env valueenv = (var + type) valuevalue = (atom atom) + (atom value)

translationMT : formula boolFormula treeXT : expr boolValue tree tree = (var (index tree) + boolValue = booleanFormulaMatrix + (index boolValue)

env becomes (tree, boolean encoding of relations)

21

examples

x

[1 0] [0 1]

0 1x : T

x

[p00 p01]

0 1

[p10 p11]

x.p

x

p00

0 1

p11

x in x.p

p00 p11

all x | x in x.p

22

compositional rules

MT [a in b] = merge (MT[a], MT[b], u,v. i (ui vj) )

MT [all x | F] = fold (MT[F], )

merging·subexpressions may have different variables·so interpose layers as necessary, then merge·maintain consistent ordering from root to leaf

x

[1 0] [0 1]

0 1y

[1 0] [0 1]

0 1

x0 1

y0 1

y0 1

0 11

x yx in y

23

symmetry

observation·types are uninterpreted·permuting elements of a type preserves modelhood

examplea = {S0} , b = {S1}, p = {(S0, T0), (S1, T0)}a = {S1} , b = {S0}, p = {(S0, T0), (S1, T0)}both models of !(a – b).p in (a.p – b.p)

exploitation·environments form equivalence classes·avoid considering all elements of a class

environments

24

symmetry in boolean formula

preserved!·express symmetry as permutation on boolean vars·then is a symmetry of the boolean formula too·want to rule out one of A, A

Crawford’s idea·order boolean vars into sequence V·view assignments as binary numbers & pick smaller· for each , add constraint V V

example·A = 0123, A = 0123, = (02)·V V is 0123 < 2103 = 0 < 2

25

symmetry constraint for a relation

suppose we translated relation p: S -> T to the matrix0 1 23 4 56 7 8

symmetry (S0 S1) exchanges top two rows3 4 50 1 26 7 8

constraint obtained is0 1 2 3 4 5 6 7 8 < 3 4 5 0 1 2 6 7 8= 0 1 2 < 3 4 5= 03 (03 14) (03 14 25)

26

generalizing symmetry

extend to·multiple relations and sets·multiple types

but·diminishing returns·pick ordering of vars carefully·homogeneous relations tricky

27

results

observations·solver time dominates·RelSAT dominates other solvers·symmetry gives 100x speedup for ‘proofs’·bugs in boolean code not translation

so end-to-end check

where are we?· interactive analysis up to 200 bits·small but real specs (longest so far is 400 lines)·30loc list-processing procedures

28

challenges

symmetry·why do a few symmetries seem to work so well?·what symmetries should be used?

progress bar·will symmetry spoil our heuristics?

visualization of models·key for novice use

language extensions·numbers (easy?)·sequences (hard?)

29

allex

30

allox

31

allix