and analy larative sis w - MIT CSAILlarative m o d e llin g and analy sis w ith Allo y le c tu re 1:...
Transcript of and analy larative sis w - MIT CSAILlarative m o d e llin g and analy sis w ith Allo y le c tu re 1:...
microm
odels of software
declarative modelling
and analysis with A
lloy
lecture 1: introduction
Daniel JacksonM
IT Lab for Computer Science
Marktoberdorf, August 2002
2
lightweight m
odels
2
lightweight m
odels
a foundation for robust, useable programs
2
lightweight m
odels
a foundation for robust, useable programs
elements
›small & sim
ple notations›partial m
odels & analyses›full autom
ation
2
lightweight m
odels
a foundation for robust, useable programs
elements
›small & sim
ple notations›partial m
odels & analyses›full autom
ation
focus on risky aspects›hard to get right, or to check›structure-determ
ining›high cost of failure
3
what assurance costs
3
cost
assurance
what assurance costs
3
cost
assurance
hacking
what assurance costs
3
cost
assurance
hacking
what assurance costs
3
cost
assurance
hackingsketching
what assurance costs
3
cost
assurance
hackingsketchingw
rite-only models
what assurance costs
3
cost
assurance
hackingsketchingw
rite-only models
type-checked models
what assurance costs
3
cost
assurance
hackingsketchingw
rite-only models
type-checked models
proven models
what assurance costs
3
cost
assurance
hackingsketchingw
rite-only models
type-checked models
analyzed models
proven models
what assurance costs
4
my w
ork in marktoberdorf context
4
my w
ork in marktoberdorf context
computation, not interaction
›complem
entary to Harel & Pnueli›relational, not algebraic (cf. Tarlecki and M
eseguer)›underlying idiom
s due to Hoare, Woodcock et al
4
my w
ork in marktoberdorf context
computation, not interaction
›complem
entary to Harel & Pnueli›relational, not algebraic (cf. Tarlecki and M
eseguer)›underlying idiom
s due to Hoare, Woodcock et al
designed for experts, but not super-experts›like Harel, not Rushby & M
oore›sim
ulation, not just checking
4
my w
ork in marktoberdorf context
computation, not interaction
›complem
entary to Harel & Pnueli›relational, not algebraic (cf. Tarlecki and M
eseguer)›underlying idiom
s due to Hoare, Woodcock et al
designed for experts, but not super-experts›like Harel, not Rushby & M
oore›sim
ulation, not just checking
role of mathem
atics›only way to m
ake things simple
›semantics in term
s of sets, and SAT
4
my w
ork in marktoberdorf context
computation, not interaction
›complem
entary to Harel & Pnueli›relational, not algebraic (cf. Tarlecki and M
eseguer)›underlying idiom
s due to Hoare, Woodcock et al
designed for experts, but not super-experts›like Harel, not Rushby & M
oore›sim
ulation, not just checking
role of mathem
atics›only way to m
ake things simple
›semantics in term
s of sets, and SAT
started this in 1994, and have had some successes
but much less m
ature than ACL2, PVS, Statemate, etc
5
features of Alloy
5
features of Alloy
structural›express com
plex structure, static and dynamic
›with just a few powerful operators
5
features of Alloy
structural›express com
plex structure, static and dynamic
›with just a few powerful operators
declarative›a full logic, with conjunction and negation›describe system
as collection of constraints
5
features of Alloy
structural›express com
plex structure, static and dynamic
›with just a few powerful operators
declarative›a full logic, with conjunction and negation›describe system
as collection of constraints
analyzable›sim
ulation & checking›fully autom
atic
6
structural
6
structural
structure is everywhere›highway system
s, postal routes, company organizations,
library catalogues, address books, phone networks, …
6
structural
structure is everywhere›highway system
s, postal routes, company organizations,
library catalogues, address books, phone networks, …
structure is becoming m
ore pervasive›self-assem
bling software (eg, Observer pattern)
›mem
ory gets cheaper: address books in every phone
6
structural
structure is everywhere›highway system
s, postal routes, company organizations,
library catalogues, address books, phone networks, …
structure is becoming m
ore pervasive›self-assem
bling software (eg, Observer pattern)
›mem
ory gets cheaper: address books in every phone
tool researchers have neglected structure›one traffic light is a state m
achine, but a city’s lights are a net
6
structural
structure is everywhere›highway system
s, postal routes, company organizations,
library catalogues, address books, phone networks, …
structure is becoming m
ore pervasive›self-assem
bling software (eg, Observer pattern)
›mem
ory gets cheaper: address books in every phone
tool researchers have neglected structure›one traffic light is a state m
achine, but a city’s lights are a net
There is no problem in com
puter science that cannot be solvedby introducing another level of indirection, but that usuallyreveals new problem
s --David Wheeler
7
declarative
7
declarative
declarative description›m
odel is collection of properties›the m
ore you say, the less happens
7
declarative
declarative description›m
odel is collection of properties›the m
ore you say, the less happens
advantages›increm
entality: to say more, add a property
›partiality: doesn’t require special constructs›sim
plicity: no separate language of propertiesSys m
eets Prop: Sys => Prop
7
declarative
declarative description›m
odel is collection of properties›the m
ore you say, the less happens
advantages›increm
entality: to say more, add a property
›partiality: doesn’t require special constructs›sim
plicity: no separate language of propertiesSys m
eets Prop: Sys => Prop
why less is more
›less constrained system m
eans implem
entation freedom›less constrained environm
ent means greater safety
8
analyzable
8
analyzable
‘write-only’ models
›useful if precise enough›but m
issed opportunity (and wishful thinking)
8
analyzable
‘write-only’ models
›useful if precise enough›but m
issed opportunity (and wishful thinking)
tool-assisted modelling
›simulate and check increm
entally›catch errors early, develop confidence›optim
ize for failing case: most of m
y examples will be wrong
8
analyzable
‘write-only’ models
›useful if precise enough›but m
issed opportunity (and wishful thinking)
tool-assisted modelling
›simulate and check increm
entally›catch errors early, develop confidence›optim
ize for failing case: most of m
y examples will be wrong
Alloy’s analysis›fully autom
atic, with no user intervention›concrete: generates sam
ples & counterexamples
›like testing, sound but not complete
›unlike testing, billions cases/second
9
declarative & executable?
Small Tow
er of 6 Gears, Arthur Ganson
9
declarative & executable?
traditionally›declarative XO
R executable›good argum
ents for both
Small Tow
er of 6 Gears, Arthur Ganson
9
declarative & executable?
traditionally›declarative XO
R executable›good argum
ents for both
but can have cake and eat it›with right analysis technology
Small Tow
er of 6 Gears, Arthur Ganson
9
declarative & executable?
traditionally›declarative XO
R executable›good argum
ents for both
but can have cake and eat it›with right analysis technology
Alloy’s analysis can ‘execute’ a model
›forwards or backwards›without test cases›no ad hoc restrictions on logic
Small Tow
er of 6 Gears, Arthur Ganson
10
a numbering problem
10
a numbering problem
given›docum
ent whose paragraphs are tagged with styles›style sheet that gives num
bering rules for styles
10
a numbering problem
given›docum
ent whose paragraphs are tagged with styles›style sheet that gives num
bering rules for styles
produce›docum
ent with numbered paragraphs
(like my M
arktoberdorf notes)
10
a numbering problem
given›docum
ent whose paragraphs are tagged with styles›style sheet that gives num
bering rules for styles
produce›docum
ent with numbered paragraphs
(like my M
arktoberdorf notes)
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
10
a numbering problem
given›docum
ent whose paragraphs are tagged with styles›style sheet that gives num
bering rules for styles
produce›docum
ent with numbered paragraphs
(like my M
arktoberdorf notes)
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
Part A: IntroductionA.1 M
otivationA.1.1 W
hy?A.2 OverviewPart B: ConclusionsB.1 Unrelated W
ork
Part A: IntroductionA.1 M
otivationA.1.1 W
hy?A.2 OverviewPart B: ConclusionsB.1 Unrelated W
ork
11
a candidate solution
style sheet assigns to each style›an initial value for num
bering›optionally, a parent
11
a candidate solution
style sheet assigns to each style›an initial value for num
bering›optionally, a parent
section1
section1 partA
partA
subsection1
subsection1
parent<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>
<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>
11
a candidate solution
style sheet assigns to each style›an initial value for num
bering›optionally, a parent
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
section1
section1 partA
partA
subsection1
subsection1
parent<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>
<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>
11
a candidate solution
style sheet assigns to each style›an initial value for num
bering›optionally, a parent
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
section1
section1 partA
partA
subsection1
subsection1
parent<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>
<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>Part A: Introduction
A.1 Motivation
A.1.1 Why?
A.2 OverviewPart B: ConclusionsB.1 Unrelated W
ork
Part A: IntroductionA.1 M
otivationA.1.1 W
hy?A.2 OverviewPart B: ConclusionsB.1 Unrelated W
ork
12
styles
12
styles
declare styles & parent relationsig Style {parent: option Style}
12
styles
declare styles & parent relationsig Style {parent: option Style}
ask for a sample
fun Show () {som
e parent}run Show
12
styles
declare styles & parent relationsig Style {parent: option Style}
ask for a sample
fun Show () {som
e parent}run Show
12
styles
declare styles & parent relationsig Style {parent: option Style}
ask for a sample
fun Show () {som
e parent}run Show
constrain parent relation to be acyclicfact {Acyclic (parent)}
12
styles
declare styles & parent relationsig Style {parent: option Style}
ask for a sample
fun Show () {som
e parent}run Show
constrain parent relation to be acyclicfact {Acyclic (parent)}
12
styles
declare styles & parent relationsig Style {parent: option Style}
ask for a sample
fun Show () {som
e parent}run Show
how to define acyclicfun Acyclic [t] (r: t -> t) {no iden[t] & ^r}
constrain parent relation to be acyclicfact {Acyclic (parent)}
13
numbers
13
numbers
introduce numbers
sig Number {
next: option Number
}{this != next}
13
numbers
introduce numbers
sig Number {
next: option Number
}{this != next}
add numbers to styles
sig NumberedStyle extends Style {init: Num
ber}fact {Style = Num
beredStyle}
13
numbers
introduce numbers
sig Number {
next: option Number
}{this != next}
add numbers to styles
sig NumberedStyle extends Style {init: Num
ber}fact {Style = Num
beredStyle}
ask for a sample
fun Show () {
some parent}
run Show
13
numbers
introduce numbers
sig Number {
next: option Number
}{this != next}
add numbers to styles
sig NumberedStyle extends Style {init: Num
ber}fact {Style = Num
beredStyle}
ask for a sample
fun Show () {
some parent}
run Show
14
numbering
14
numbering
declare numbering
sig Numbering {
num: Style ->? Num
ber}
14
numbering
declare numbering
sig Numbering {
num: Style ->? Num
ber}
ask for a sample
fun ShowNum
bering () {some num
}run Show
Numbering
for 2 but 1 Numbering
14
numbering
declare numbering
sig Numbering {
num: Style ->? Num
ber}
ask for a sample
fun ShowNum
bering () {some num
}run Show
Numbering
for 2 but 1 Numbering
14
numbering
declare numbering
sig Numbering {
num: Style ->? Num
ber}
ask for a sample
fun ShowNum
bering () {some num
}run Show
Numbering
for 2 but 1 Numbering
15
numbering algorithm
15
numbering algorithm
what numbering n’ follows n for paragraph of style s?
›ie, just gave numbering n
›encounter paragraph with style s›m
ust now generate numbering n’
15
numbering algorithm
what numbering n’ follows n for paragraph of style s?
›ie, just gave numbering n
›encounter paragraph with style s›m
ust now generate numbering n’
an attempt:
fun Next (n,n': Numbering, s: Style) {
n'.num =
{d: s.^parent, x: Number | x = n.num
[d]} +s -> if no n.num
[s] then s.init else n.num[s].next
}
16
showing next
16
showing next
run Next for 3 but 2 Numbering
16
showing next
run Next for 3 but 2 Numbering
n
16
showing next
run Next for 3 but 2 Numbering
n
n’
16
showing next
run Next for 3 but 2 Numbering
n
n’
grandchild style sis num
beredw
ith initial value
17
guiding the simulation
17
guiding the simulation
fun ShowNext (n,n': Num
bering, s: Style) {Next (n,n',s)
&& some n.num
[s.~parent]}run Show
Next for 3 but 2 Numbering
17
guiding the simulation
fun ShowNext (n,n': Num
bering, s: Style) {Next (n,n',s)
&& some n.num
[s.~parent]}run Show
Next for 3 but 2 Numbering
n
17
guiding the simulation
fun ShowNext (n,n': Num
bering, s: Style) {Next (n,n',s)
&& some n.num
[s.~parent]}run Show
Next for 3 but 2 Numbering
nn’
17
guiding the simulation
fun ShowNext (n,n': Num
bering, s: Style) {Next (n,n',s)
&& some n.num
[s.~parent]}run Show
Next for 3 but 2 Numbering
nn’
root style sloses its num
berbecause no next!
18
fixing the operation
18
fixing the operationfun Next (n,n': Num
bering, s: Style) {let i = n.num
[s] | some i => som
e i.nextn'.num
= {d: s.^parent, x: Number | x = n.num
[d]} +s -> if no n.num
[s] then s.init else n.num[s].next }
18
fixing the operationfun Next (n,n': Num
bering, s: Style) {let i = n.num
[s] | some i => som
e i.nextn'.num
= {d: s.^parent, x: Number | x = n.num
[d]} +s -> if no n.num
[s] then s.init else n.num[s].next }
18
fixing the operationfun Next (n,n': Num
bering, s: Style) {let i = n.num
[s] | some i => som
e i.nextn'.num
= {d: s.^parent, x: Number | x = n.num
[d]} +s -> if no n.num
[s] then s.init else n.num[s].next }
18
fixing the operationfun Next (n,n': Num
bering, s: Style) {let i = n.num
[s] | some i => som
e i.nextn'.num
= {d: s.^parent, x: Number | x = n.num
[d]} +s -> if no n.num
[s] then s.init else n.num[s].next } style s gets
numbered w
ithinitial value
19
guiding the simulation
19
guiding the simulation
fun ShowNext (n,n': Num
bering, s: Style) {Next (n,n',s)
&& some n.num
[s.~parent] && some n.num
[s]}run Show
Next for 3 but 2 Numbering
19
guiding the simulation
fun ShowNext (n,n': Num
bering, s: Style) {Next (n,n',s)
&& some n.num
[s.~parent] && some n.num
[s]}run Show
Next for 3 but 2 Numbering
19
guiding the simulation
fun ShowNext (n,n': Num
bering, s: Style) {Next (n,n',s)
&& some n.num
[s.~parent] && some n.num
[s]}run Show
Next for 3 but 2 Numbering
20
checking a property
20
checking a property
if style is not a parent, step is reversibleassert Reversible {
all n0, n1, n: Numbering, s: Style - Style.parent |
Next(n0,n,s) && Next(n1,n,s) => n0.num = n1.num
}
check Reversible
20
checking a property
if style is not a parent, step is reversibleassert Reversible {
all n0, n1, n: Numbering, s: Style - Style.parent |
Next(n0,n,s) && Next(n1,n,s) => n0.num = n1.num
}
check Reversible
21
trying again…
21
trying again…m
ake numbering injective
fact {Injective (next)}
21
trying again…m
ake numbering injective
fact {Injective (next)}
does this fix the problem?
22
counterexample
22
counterexample
after numbering n
22
counterexample
after numbering n
22
counterexample
after numbering n
adjacent stylehas no num
berafterw
ards
23
counterexample, ctd
23
counterexample, ctd
beforenum
beringsn0 and n1
23
counterexample, ctd
beforenum
beringsn0 and n1
23
counterexample, ctd
beforenum
beringsn0 and n1
23
counterexample, ctd
beforenum
beringsn0 and n1
adjacent style’s number
eliminated, so value
before was irrelevant!
24
masking
24
masking
check again, assuming styles form
a lineassert ReversibleW
henLine {Injective(parent)&& (som
e root: Style | Style in root.*~parent) =>all n0, n1, n: Num
bering, s: Style - Style.parent |Next(n0,n,s) && Next(n1,n,s) => n0.num
= n1.num}
check ReversibleWhenLine
25
counterexample, again
25
counterexample, again
25
counterexample, again
25
counterexample, again
25
counterexample, again
initialization andincrem
ent aredistinct: theorem
is confused!
26
checking a refactoring
26
checking a refactoring
are these equivalent?fun Next1 (n,n’: Num
bering, s: Style) {n’.num
={d: s.^parent, x: Num
ber | x = n.num[d]} +
s -> if no n.num[s] then s.init else n.num
[s].next}fun Next2 (n,n’: Num
bering, s: Style) {all d: s.^parent | n’.num
[d] = n.num[d]
n’.num[s] = if no n.num
[s] then s.init else n.num[s].next
}
26
checking a refactoring
are these equivalent?fun Next1 (n,n’: Num
bering, s: Style) {n’.num
={d: s.^parent, x: Num
ber | x = n.num[d]} +
s -> if no n.num[s] then s.init else n.num
[s].next}fun Next2 (n,n’: Num
bering, s: Style) {all d: s.^parent | n’.num
[d] = n.num[d]
n’.num[s] = if no n.num
[s] then s.init else n.num[s].next
}
ask the tool:assert Sam
e {all n,n’: Num
bering, s: Style | Next1(n,n’,s) iff Next2(n,n’,s)}
27
what happened
27
what happened
incrementality
›write a bit, analyze a bit›constrain just enough
to get key properties›avoids wasted tim
e,encourages sm
all models
27
what happened
incrementality
›write a bit, analyze a bit›constrain just enough
to get key properties›avoids wasted tim
e,encourages sm
all models
analysis prompted questions
›number m
ust have next?›two num
bers have same next?
›style hierarchy a tree? line?
27
what happened
incrementality
›write a bit, analyze a bit›constrain just enough
to get key properties›avoids wasted tim
e,encourages sm
all models
analysis prompted questions
›number m
ust have next?›two num
bers have same next?
›style hierarchy a tree? line?
28
declarative vs. operational development
all behaviours;satisfies no safety properties
a safety property
declarative
operational
no behaviours;satisfies all safety properties
29
what’s been done?
29
what’s been done?
analyzing implem
ented systems
›Intentional naming (Khurshid)
›Chord peer-to-peer lookup (Wee)
›Transaction cache (Tucker)
29
what’s been done?
analyzing implem
ented systems
›Intentional naming (Khurshid)
›Chord peer-to-peer lookup (Wee)
›Transaction cache (Tucker)
analyzing existing models
›Microsoft CO
M (Sullivan, from
Z)›Firewire leader election (m
e, from Vaandrager’s IO
A)›Unison file synchronizer (Nolte, from
Pierce’s maths)
›UML m
eta model (Vaziri, from
OCL)
›Classic distributed algorithms (Shlyakhter, from
SMV)
29
what’s been done?
analyzing implem
ented systems
›Intentional naming (Khurshid)
›Chord peer-to-peer lookup (Wee)
›Transaction cache (Tucker)
analyzing existing models
›Microsoft CO
M (Sullivan, from
Z)›Firewire leader election (m
e, from Vaandrager’s IO
A)›Unison file synchronizer (Nolte, from
Pierce’s maths)
›UML m
eta model (Vaziri, from
OCL)
›Classic distributed algorithms (Shlyakhter, from
SMV)
typically›200 lines of Alloy, 30-200 hours work
30
example: intentional nam
ing
30
example: intentional nam
ing
query scheme
›intentional names are trees
›result of query is set of simple nam
es
30
example: intentional nam
ing
n1n0
building
camera
service
ne43printer
database
query scheme
›intentional names are trees
›result of query is set of simple nam
es
30
example: intentional nam
ing
building
camera
service
ne43
query
n1n0
building
camera
service
ne43printer
database
query scheme
›intentional names are trees
›result of query is set of simple nam
es
30
example: intentional nam
ing
building
camera
service
ne43
query
n1n0
building
camera
service
ne43printer
database
n0n1
n0
n0
query scheme
›intentional names are trees
›result of query is set of simple nam
es
31
results
31
results
31
results
what we did
31
results
what we did›analyzed claim
s made in paper: m
ostly untrue
31
results
what we did›analyzed claim
s made in paper: m
ostly untrue›analyzed algebraic properties: also untrue
eg, add is monotonic
31
results
what we did›analyzed claim
s made in paper: m
ostly untrue›analyzed algebraic properties: also untrue
eg, add is monotonic
›adapted model for fixes in code: also broken
31
results
what we did›analyzed claim
s made in paper: m
ostly untrue›analyzed algebraic properties: also untrue
eg, add is monotonic
›adapted model for fixes in code: also broken
›developed new semantics & checked it
31
results
what we did›analyzed claim
s made in paper: m
ostly untrue›analyzed algebraic properties: also untrue
eg, add is monotonic
›adapted model for fixes in code: also broken
›developed new semantics & checked it
reflections
31
results
what we did›analyzed claim
s made in paper: m
ostly untrue›analyzed algebraic properties: also untrue
eg, add is monotonic
›adapted model for fixes in code: also broken
›developed new semantics & checked it
reflections›initial analysis took 2 weeks and 100 lines of Alloy
31
results
what we did›analyzed claim
s made in paper: m
ostly untrue›analyzed algebraic properties: also untrue
eg, add is monotonic
›adapted model for fixes in code: also broken
›developed new semantics & checked it
reflections›initial analysis took 2 weeks and 100 lines of Alloy›found all bugs in trees of 4 nodes or less -- approx 10 secs
31
results
what we did›analyzed claim
s made in paper: m
ostly untrue›analyzed algebraic properties: also untrue
eg, add is monotonic
›adapted model for fixes in code: also broken
›developed new semantics & checked it
reflections›initial analysis took 2 weeks and 100 lines of Alloy›found all bugs in trees of 4 nodes or less -- approx 10 secs›2000 lines of tests hadn’t found bugs in a year
32
challenge: get numbering right
32
challenge: get numbering right
fix the numbering m
echanism to handle
›multiple childrensection and figure have parent chapter
›multiple parentssection has parent chapter and appendix
33
what is a m
odel?
33
what is a m
odel?
a representation of a system›m
ore or less useful, not more or less correct [Fowler]
›useful to the extent that it answers questions [Ross]
33
what is a m
odel?
a representation of a system›m
ore or less useful, not more or less correct [Fowler]
›useful to the extent that it answers questions [Ross]
role of a model
›to explain & evaluate existing system›to explore design of system
to be built
34
why m
odel?
34
why m
odel?
‘plan to throw one away’ [Brooks]›100 line m
odel or 100k lines of code?›nasty surprises happen sooner
34
why m
odel?
‘plan to throw one away’ [Brooks]›100 line m
odel or 100k lines of code?›nasty surprises happen sooner
designs with clear conceptual models
›easier to use and implem
ent›allow delegation & division of labour
34
why m
odel?
‘plan to throw one away’ [Brooks]›100 line m
odel or 100k lines of code?›nasty surprises happen sooner
designs with clear conceptual models
›easier to use and implem
ent›allow delegation & division of labour
separation of concerns›conceptual flaws get m
ired in code›not a good use of testing
35
lightweight form
al methods
35
lightweight form
al methods
elements
›small & sim
ple notations›partial m
odels & analyses›full autom
ation
35
lightweight form
al methods
elements
›small & sim
ple notations›partial m
odels & analyses›full autom
ation
focus on risky aspects›hard to get right, or to check›structure-determ
ining›high cost of failure