Introduction to Alloy

Atoms = the individuals in a model instance

• indivisible
• immutable
• uninterpreted

pair = (x, y)

triple = (x, y, z)

quadruple = (x, y, z, w)

...

n-tuple = (x₁, x₂, ... x_n)

Cf. sequences, lists.

A relation is a set of tuples.

Binary relation = set of pairs

Ternary relation = set of triples

etc.

In Alloy, sets are unary relations (i.e. sets of 1-tuples).

There are no sets of sets! (Alloy is first-order.)

In Alloy, sets are unary relations (i.e. sets of 1-tuples).

Tuples are singleton multi-relations.

Scalars are singleton sets (singleton unary relations).

In conventional logic,

• x ≠ {x}
• (x ⊆ y) differs crucially from (x ∈ y)

How does that work in Alloy without scalars?

No scalars. Everything's a relation.

In Alloy,

• “x” denotes a set.
• “{x}” is not an formula.
• (x in y) applies to singleton x as well as other x.

Cf. Goodman's calculus of individuals, later mereology. (Also XPath 2.0, relational model of dbms.)

A signature “introduces a set of atoms”.

Signatures say what kinds of things there are.

sig X {}

means “Xs (may) exist.”

sig X extends Y {}

means “every X is a Y.”

sig X in Y {}

means “every X is a Y.”

Extensions of a signature are mutually disjoint.

sig human {}
sig males extends human {}
sig females extends human {}

means

• Every male is a human.
• Every female is a human.
• No one is both a male and a female.

Subsets of a signature are mutually disjoint.

sig cat {}
sig stray in cat {}
sig lovable in cat {}

means

• Cats may exist.
• Some cats may be lovable.
• Some cats may be strays.
• Some may be both.

Abstract signatures have no elements outside their extensions.

abstract sig poets_goal {}
// Aut prodesse volunt aut delectare poetae. -Horace
sig be_useful extends poets_goal {} 
sig be_pleasing extends poets_goal {}

means

• A poet's goal may be to be useful.
• A poet's goal may be to be pleasant.
• But not both. Unless there is another extension of poets_goal! sig be_pleasing_and_useful extends poets_goal {}

The monotheist:

one sig God {}

The agnostic:

lone sig God {}

The polytheist:

some sig God {}

Meaning: there is (exactly) one God, at most one God, or one-or-more gods.

A signature introduces a set of atoms.

And composite objects? What do we do about them?

Surely you can't just ignore the existence of compound objects.

How do we deal with compound objects in a logic that only has atoms?

Signatures can specify fields:

sig person, org, word_or_phrase, year {}   
sig book {
  author : person,
  title : word_or_phrase,
  publisher : org,
  date : year
} 

Here

• Persons, organizations, words-or-phrases, and years (can) exist.
• Books (can) exist.
• Each book has an author, a title, a publisher, and a date.

Q. If books can have fields for author, title, publisher, and date, then how can they be atomic?

A. What do instances of this model look like in the Analyzer? (Brief hands-on exercise.)

Relations between signatures are specified just like fields:

sig language {
  derived_from : language
}

The keywords one, lone, some, and set can be used to specify relation arities:

sig person, org, word_or_phrase, year {}   
sig text {
  author : lone person,
  title : word_or_phrase,
  publisher : some org,
  date : year
} 
sig anthology {
  compiler : person + org,
  contents : set text
}

Here

• Persons (etc.) can exist.
• Each text has at most one author (lone = less than or equal to one).
• Each text has one or more publishers.
• An anthology has a compiler (either a person or an organization) and a set of (zero or more) texts.

First-order logic is not decidable.

No automatic theorem prover can always succeed.

What can we do about that?

• We can guide the theorem prover.
• We can do something simpler.

Alloy examines all model-instances of a given maximum size (scope).

If there is an instance with property X in that scope, Alloy will find it.

The run and check commands can specify a scope:

• To examine all universes with up to 5 members of each signature:*

  run Pred23 for 5

• To allow 3 of most things, but only two states, and seven manuscripts:

  check Assertion33 for 3 but 2 state, 7 MS

* Subsignatures sometimes complicate the arithmetic.

For every problem, there is a small example that exhibits it.

Cf. the software principle: For every bug, there is some short input that exercises the bug.

Obviously not always true. But true often enough to be useful.

N.B. scope part of the run and check commands.

NOT part of the model.

Alloy models can be infinite.

Alloy snapshot diagrams show

• atoms
• relations

See handout.

Standard set operations can be expressed:

• union: x + y
• intersection: x & y
• difference: x - y
• equality: x = y
• subset: x in y

See the handout.

Alloy has the standard logical operators; each has terse and verbose form:

• not (or !): negation
• and (or &&): conjunction
• or (or ||): disjunction
• implies (or =>): implication
• iff (or <=>): bi-implication

Any need for reviewing the truth-tables and the truth-functional connectives?

Conjunctions have an even terser form. For any formulas F₁, F₂, ... F_n,

F₁ and F₂ and ... and F_n

can be written

{ F₁ F₂ ... F_n }

F₁ implies F₂ else F₃

Means:

(F₁ and F₂) or (not F₁ and F₃)

See the handout.