Evaluating State Modeling Techniques in Alloy

sig State {} sig List { header: Node -> State } fact { all l: List | all s: State | lone l.(header.s) } State is an abstract sig, i.e., it contains only atoms that are strictly necessary for the constraint solved. The symbol ‘->’ denotes the Cartesian product in expressions and adds arity in declarations. The field header is now a ternary relation of type List × Node × State, which allows a list to have different nodes as its header in different states. Note that the state need not be the last type; it can be in any position, e.g., in the first position where the sig State would have other relations (such as header and link) as its fields. We use state in the last position because it allows us to preserve the declaration structure of the original model. A fact in Alloy is a formula that must always hold. We use a fact to require each list to have at most one header node in each state to conform to the partial function relation in the original model (without state). The following snippet shows how the predicate Acyclic can be written in the presence of state: pred Acyclic(l: List, s: State) { all n: l.(header.s).*(link.s) | n !in n.^(link.s) } 0:4 • A. Sullivan, K. Wang, S. Khurshid, and D. Marinov Note the new state parameter s for which the predicate holds, and also the new composition of each relation with a state to represent the field values in the desired state, e.g., l.(header.s) is the header of the list l in the state s. Consider next modeling state mutation. This snippet defines removal of the first node from the list: pred RemoveFirst(l: List, s: State, s’: State) { s != s’ -states are unique RepOk[l, s] -l satisfies RepOk in s l.(header.s).*(link.s).(elem.s) l.(header.s).(elem.s) = l.(header.s’).*(link.s’).(elem.s’) RepOk[l, s’] -l satisfies RepOk in s’ } run RemoveFirst for 2 State, 1 List, 3 Node, 2 int The predicate has two state parameters: s represents the pre-state, and s’ represents the post-state. The operator ‘-’ is set difference. (The symbol ‘-’ is used for comments.) The predicate encodes that the two states are distinct; l satisfies RepOk in the pre-state; the set of elements in the pre-state minus the header element in the pre-state is the set of elements in the post-state; and l satisfies RepOk in the post-state. Figure 1 graphically illustrates an instance for RemoveFirst. Consider next using the analyzer to check whether RemoveFirst has a specific property. The following snippet uses an Alloy assertion (assert) to encode that RemoveFirst implies that the header element in the post-state is the second element from the pre-state: assert PartialCorrectnessOnce { all disj s, s’: State | all l: List | RemoveFirst[l, s, s’] => l.(header.s’).(elem.s’) = l.(header.s).(link.s).(elem.s) } check PartialCorrectnessOnce for 3 The keyword disj requires s and s’ to be distinct. The command check instructs the analyzer to find a counterexample to the named assertion, i.e., PartialCorrectnessOnce. However, the analyzer does not find a counterexample for this command in this example for the given scope of 3. (There could exist a counterexample in a larger scope.) 2.3 Relation duplication

[1]  Derek Rayside,et al.  Unifying execution of imperative and declarative code , 2011, 2011 33rd International Conference on Software Engineering (ICSE).

[2]  Daniel Jackson,et al.  Multi-representational security analysis , 2016, SIGSOFT FSE.

[3]  Mana Taghdiri Lightweight Modelling and Automatic Analysis of Multicast Key Management Schemes , 2002 .

[4]  Sarfraz Khurshid,et al.  TestEra: a novel framework for automated testing of Java programs , 2001, Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001).

[5]  Felix Sheng-Ho Chang,et al.  Modular verification of code with SAT , 2006, ISSTA '06.

[6]  Alan Fekete,et al.  Lightweight Analysis of Object Interactions , 2001, TACS.

[7]  Daniel Jackson,et al.  Finding bugs with a constraint solver , 2000, ISSTA '00.

[8]  Nazareno Aguirre,et al.  DynAlloy: upgrading alloy with actions , 2005, ICSE.

[9]  Daniel Jackson,et al.  Software Abstractions - Logic, Language, and Analysis , 2006 .

[10]  Marcelo F. Frias,et al.  TACO: Efficient SAT-Based Bounded Verification Using Symmetry Breaking and Tight Bounds , 2013, IEEE Transactions on Software Engineering.