![Page 1: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/1.jpg)
analyzing relational logic
Daniel Jackson, MITWG 2.3 · NewcastleApril 2000
![Page 2: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/2.jpg)
2
language assumptions
language·first-order logic·set & relation operators·uninterpreted types
![Page 3: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/3.jpg)
3
analysis desired
simulationfind a state that satisfies invariant J… and additionally condition C·find an execution of operation O… resulting in a state satisfying P… from a state satisfying P… that changes the component x… that is not an execution of operation Ov
checking·does invariant J imply invariant Jv?·does operation O preserve invariant J ?·does operation Oc refine Oa under abstraction A?
![Page 4: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/4.jpg)
4
analyses not possible
refinement·does Oc refines Oa for some abstraction?·are all executions of O also executions of O1;O2?
spec by minimization·make smallest change to connections that satisfies C …
precondition checks·does O have an execution from every state satisfying C?
temporal checks·do reachable states satisfy J ?
![Page 5: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/5.jpg)
5
semantics: formulas
M : formula env booleanX : expr env valueenv = (var + type) valuevalue = (atom atom) + (atom value)
M [a in b] e = X[a]e X[b]eM [! F] e = M[F]eM [F && G] e = M[F]e M[G]eM [all v: t | F] e = {M[F] (e v x) | x e(t)}
![Page 6: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/6.jpg)
6
semantics: expressions
X : expr env valueenv = (var + type) valuevalue = (atom atom) + (atom value)
X [a + b] e = X[a]e X[b]eX [a . b] e = {y | x. x X[a]e (x,y) X[b]e}X [~a] e = {(x,y) | (y,x) X[a]e}X [+a] e = the smallest r such that r ; r x X[a]e xX [{v: t | F}] e = {x e(t) | M[F] (e v x)}X [v] e = e(v)X [a[v]] e = e(a)(v)
![Page 7: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/7.jpg)
7
models
models are well-formed environments for which formula holdsM : formula env booleanModels (F) = {e | M[f]e}
environment e is well formed iff·tight: only bind variables declared along with formula·type correct: if expression a has type T, X[a]e X[T]e
e is within scope k iff·for all basic types T, #X[T]e = k·write Modelsk (F) for models within scope k
![Page 8: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/8.jpg)
8
small scope hypothesis
% bugscaught
scope
90
4
most bugs can be caught by considering only small instances
![Page 9: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/9.jpg)
9
example
problema, b : Sp : S -> T! (a – b).p in (a.p – b.p)
a model in a scope of 2S = {S0, S1}T = {T0, T1}p = {(S0, T0), (S1, T0)}a = {S0}b = {S1}
S0
S1
T0
T1
a
b
![Page 10: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/10.jpg)
10
what Alcoa does
alcoa : formula, scope env·does not always succeed (ie, may return nothing)
properties·termination: always, with deterministic solvers·soundness: alcoa (F, k) Modelsk (F)·relative completeness: Modelsk (F) {} alcoa (F, k)
succeeds
non-properties·minimality: alcoa (F, k) not the smallest model of F in k·completeness: Models (F) {} alcoa (F, k) succeeds
so counterexamples are real, but can’t prove theorems
![Page 11: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/11.jpg)
11
scope monotonicity
Alcoa is scope monotonic·alcoa (F, k) succeeds alcoa (F, k+1) succeeds· if scope of 7 fails, no need to try 6, 5, …
because models are scope monotonic·Modelsk (F) Modelsk+1 (F)
·property of Alloy, not kernel
![Page 12: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/12.jpg)
12
every analysis is model finding
does operation O preserve invariant J ?alcoa (O && J && !J’ , 3)
show me how O1 and O2 differalcoa ((O1 && !O2) || (O2 && !O1) , 3)
show me an execution of O that changes xalcoa (O && !x = x’ , 3)
![Page 13: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/13.jpg)
13
alcoa architecture
TRANSLATEPROBLEM
TRANSLATESOLUTION
MAPPING
BOOLEANFORMULA
BOOLEANASSIGNMENT
SATSOLVER
DESIGNPROBLEM
DESIGNANALYSIS
alcoa
![Page 14: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/14.jpg)
14
overview of method
from alloy formula F and scope k generateboolean formula BFmapping : BoolAssignment Environmentsuch that
maps every solution of BFn Modelsk (F) n Models (BF)
![Page 15: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/15.jpg)
15
SAT solvers
in theory·3-SAT is NP-complete
in practice·solvers work well for <1000 variables and <100,000 clauses
·usually give small models
kinds of solver· local search (eg, WalkSAT)·Davis-Putnam (eg, RelSAT, SATO)·non-clausal (eg, Prover)
![Page 16: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/16.jpg)
16
example
problema, b : Sp : S -> T! (a – b).p in (a.p – b.p)
translation in scope of 2· formula becomes((a0b0 p00) (a1b1 p10) ((a0 p00) (a1 p10)) ((b0 p00) (b1 p10))) …
·a model isa0 , a1 , b0 , b1 , p00 , p01 , p10 ,
p11
mapping function ·set to vector of bool var
a [a0 a1]b [b0 b1]
· relation to matrixp [p00 p01 , p10 p11]
final resultS = {S0, S1}T = {T0, T1}p = {(S0, T0), (S1, T0)}
a = {S0}b = {S1}
![Page 17: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/17.jpg)
17
compositional translation
translating relation r: S -> TXT [r]ij boolean var, true when r contains (Si, Tj)
translating expression e: TXT [a]i boolean formula, true when a contains Ti
translating formulasMT [F] boolean formula, true for models of F
sample rulesMT [F && G] = MT[F] MT[F] XT [a - b]i = XT [a]i XT [b]iXT [a . b]i = j. XT [a]j XT [b]ji
![Page 18: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/18.jpg)
18
example
a [a0 a1]b [b0 b1]p [p00 p01 , p10 p11]a – b [a0b0 a1b1](a – b).p [(a0b0 p00) (a1b1 p10) …]a.p [(a0 p00) (a1 p10) (a0 p01) (a1 p11)]b.p [(b0 p00) (b1 p10) (b0 p01) (b1 p11)]a.p – b.p [((a0 p00) (a1 p10)) ((b0 p00) (b1 p10)) …]
! (a – b).p in (a.p – b.p) (((a0b0 p00) (a1b1 p10)
((a0 p00) (a1 p10)) ((b0 p00) (b1 p10))))
…
![Page 19: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/19.jpg)
19
quantifiers
example!((all x | x in x.p) -> (all x | x in x.p.p))
put in negation normal form(all x | x in x.p) && (some x | ! x in x.p.p)
skolemize(all x | x in x.p) && ! (xc in xc.p.p)
how to translate remaining universal quantifiers?
![Page 20: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/20.jpg)
20
environments & trees
semanticsM : formula env booleanX : expr env valueenv = (var + type) valuevalue = (atom atom) + (atom value)
translationMT : formula boolFormula treeXT : expr boolValue tree tree = (var (index tree) + boolValue = booleanFormulaMatrix + (index boolValue)
env becomes (tree, boolean encoding of relations)
![Page 21: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/21.jpg)
21
examples
x
[1 0] [0 1]
0 1x : T
x
[p00 p01]
0 1
[p10 p11]
x.p
x
p00
0 1
p11
x in x.p
p00 p11
all x | x in x.p
![Page 22: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/22.jpg)
22
compositional rules
MT [a in b] = merge (MT[a], MT[b], u,v. i (ui vj) )
MT [all x | F] = fold (MT[F], )
merging·subexpressions may have different variables·so interpose layers as necessary, then merge·maintain consistent ordering from root to leaf
x
[1 0] [0 1]
0 1y
[1 0] [0 1]
0 1
x0 1
y0 1
y0 1
0 11
x yx in y
![Page 23: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/23.jpg)
23
symmetry
observation·types are uninterpreted·permuting elements of a type preserves modelhood
examplea = {S0} , b = {S1}, p = {(S0, T0), (S1, T0)}a = {S1} , b = {S0}, p = {(S0, T0), (S1, T0)}both models of !(a – b).p in (a.p – b.p)
exploitation·environments form equivalence classes·avoid considering all elements of a class
environments
![Page 24: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/24.jpg)
24
symmetry in boolean formula
preserved!·express symmetry as permutation on boolean vars·then is a symmetry of the boolean formula too·want to rule out one of A, A
Crawford’s idea·order boolean vars into sequence V·view assignments as binary numbers & pick smaller· for each , add constraint V V
example·A = 0123, A = 0123, = (02)·V V is 0123 < 2103 = 0 < 2
![Page 25: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/25.jpg)
25
symmetry constraint for a relation
suppose we translated relation p: S -> T to the matrix0 1 23 4 56 7 8
symmetry (S0 S1) exchanges top two rows3 4 50 1 26 7 8
constraint obtained is0 1 2 3 4 5 6 7 8 < 3 4 5 0 1 2 6 7 8= 0 1 2 < 3 4 5= 03 (03 14) (03 14 25)
![Page 26: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/26.jpg)
26
generalizing symmetry
extend to·multiple relations and sets·multiple types
but·diminishing returns·pick ordering of vars carefully·homogeneous relations tricky
![Page 27: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/27.jpg)
27
results
observations·solver time dominates·RelSAT dominates other solvers·symmetry gives 100x speedup for ‘proofs’·bugs in boolean code not translation
so end-to-end check
where are we?· interactive analysis up to 200 bits·small but real specs (longest so far is 400 lines)·30loc list-processing procedures
![Page 28: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/28.jpg)
28
challenges
symmetry·why do a few symmetries seem to work so well?·what symmetries should be used?
progress bar·will symmetry spoil our heuristics?
visualization of models·key for novice use
language extensions·numbers (easy?)·sequences (hard?)
![Page 29: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/29.jpg)
29
allex
![Page 30: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/30.jpg)
30
allox
![Page 31: Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000](https://reader030.vdocuments.site/reader030/viewer/2022033103/56649f215503460f94c396fe/html5/thumbnails/31.jpg)
31
allix