analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000

2 language assumptions language ·first-order logic ·set & relation operators ·uninterpreted types

3 analysis desired simulation find a state that satisfies invariant J … and additionally condition C ·find an execution of operation O … resulting in a state satisfying P … from a state satisfying P … that changes the component x … that is not an execution of operation Ov checking ·does invariant J imply invariant Jv? ·does operation O preserve invariant J ? ·does operation Oc refine Oa under abstraction A?

4 analyses not possible refinement ·does Oc refines Oa for some abstraction? ·are all executions of O also executions of O1;O2? spec by minimization ·make smallest change to connections that satisfies C … precondition checks ·does O have an execution from every state satisfying C? temporal checks ·do reachable states satisfy J ?

5 semantics: formulas M : formula  env  boolean X : expr  env  value env = (var + type)  value value =  (atom  atom) + (atom  value) M [a in b] e = X[a]e  X[b]e M [! F] e =  M[F]e M [F && G] e = M[F]e  M[G]e M [all v: t | F] e =  {M[F] (e  v  x) | x  e(t)}

6 semantics: expressions X : expr  env  value env = (var + type)  value value =  (atom  atom) + (atom  value) X [a + b] e = X[a]e  X[b]e X [a. b] e = {y |  x. x  X[a]e  (x,y)  X[b]e} X [~a] e = {(x,y) | (y,x)  X[a]e} X [+a] e = the smallest r such that r ; r  x  X[a]e  x X [{v: t | F}] e = {x  e(t) | M[F] (e  v  x)} X [v] e = e(v) X [a[v]] e = e(a)(v)

7 models models are well-formed environments for which formula holds M : formula  env  boolean Models (F) = {e | M[f]e} environment e is well formed iff ·tight: only bind variables declared along with formula ·type correct: if expression a has type T, X[a]e  X[T]e e is within scope k iff ·for all basic types T, #X[T]e = k ·write Models k (F) for models within scope k

8 small scope hypothesis % bugs caught scope 90 4 most bugs can be caught by considering only small instances

9 example problem a, b : S p : S -> T ! (a – b).p in (a.p – b.p) a model in a scope of 2 S = {S0, S1} T = {T0, T1} p = {(S0, T0), (S1, T0)} a = {S0} b = {S1} S0 S1 T0 T1 a b

10 what Alcoa does alcoa : formula, scope  env ·does not always succeed (ie, may return nothing) properties ·termination: always, with deterministic solvers ·soundness: alcoa (F, k)  Models k (F) ·relative completeness: Models k (F)  {}  alcoa (F, k) succeeds non-properties ·minimality: alcoa (F, k) not the smallest model of F in k ·completeness: Models (F)  {}  alcoa (F, k) succeeds so counterexamples are real, but can’t prove theorems

11 scope monotonicity Alcoa is scope monotonic ·alcoa (F, k) succeeds  alcoa (F, k+1) succeeds ·if scope of 7 fails, no need to try 6, 5, … because models are scope monotonic ·Models k (F)  Models k+1 (F) ·property of Alloy, not kernel

12 every analysis is model finding does operation O preserve invariant J ? alcoa (O && J && !J’, 3) show me how O1 and O2 differ alcoa ((O1 && !O2) || (O2 && !O1), 3) show me an execution of O that changes x alcoa (O && !x = x’, 3)

13 alcoa architecture TRANSLATE PROBLEM TRANSLATE SOLUTION MAPPING BOOLEAN FORMULA BOOLEAN ASSIGNMENT SAT SOLVER DESIGN PROBLEM DESIGN ANALYSIS alcoa

14 overview of method from alloy formula F and scope k generate boolean formula BF mapping  : BoolAssignment  Environment such that  maps every solution of BF  n  Models k (F)  n  Models (BF)

15 SAT solvers in theory ·3-SAT is NP-complete in practice ·solvers work well for <1000 variables and <100,000 clauses ·usually give small models kinds of solver ·local search (eg, WalkSAT) ·Davis-Putnam (eg, RelSAT, SATO) ·non-clausal (eg, Prover)

16 example problem a, b : S p : S -> T ! (a – b).p in (a.p – b.p) translation in scope of 2 ·formula becomes  ((a 0  b 0  p 00 )  (a 1  b 1  p 10 )  ((a 0  p 00 )  (a 1  p 10 ))  ((b 0  p 00 )  (b 1  p 10 )))  … ·a model is a 0,  a 1,  b 0, b 1, p 00,  p 01, p 10,  p 11 mapping function  ·set to vector of bool var a [a 0 a 1 ] b [b 0 b 1 ] ·relation to matrix p [p 00 p 01, p 10 p 11 ] final result S = {S0, S1} T = {T0, T1} p = {(S0, T0), (S1, T0)} a = {S0} b = {S1}

17 compositional translation translating relation r: S -> T XT [r] ij boolean var, true when r contains (S i, T j ) translating expression e: T XT [a] i boolean formula, true when a contains T i translating formulas MT [F]boolean formula, true for models of F sample rules MT [F && G] = MT[F]  MT[F] XT [a - b] i = XT [a] i   XT [b] i XT [a. b] i =  j. XT [a] j  XT [b] ji

18 example a [a 0 a 1 ] b [b 0 b 1 ] p [p 00 p 01, p 10 p 11 ] a – b[a 0  b 0 a 1  b 1 ] (a – b).p[(a 0  b 0  p 00 )  (a 1  b 1  p 10 ) …] a.p[(a 0  p 00 )  (a 1  p 10 ) (a 0  p 01 )  (a 1  p 11 )] b.p[(b 0  p 00 )  (b 1  p 10 ) (b 0  p 01 )  (b 1  p 11 )] a.p – b.p[((a 0  p 00 )  (a 1  p 10 ))  ((b 0  p 00 )  (b 1  p 10 )) …] ! (a – b).p in (a.p – b.p)  (((a 0  b 0  p 00 )  (a 1  b 1  p 10 )  ((a 0  p 00 )  (a 1  p 10 ))  ((b 0  p 00 )  (b 1  p 10 ))))  …

19 quantifiers example !((all x | x in x.p) -> (all x | x in x.p.p)) put in negation normal form (all x | x in x.p) && (some x | ! x in x.p.p) skolemize (all x | x in x.p) && ! (xc in xc.p.p) how to translate remaining universal quantifiers?

20 environments & trees semantics M : formula  env  boolean X : expr  env  value env = (var + type)  value value =  (atom  atom) + (atom  value) translation MT : formula  boolFormula tree XT : expr  boolValue tree  tree = (var  (index   tree) +  boolValue = booleanFormulaMatrix + (index  boolValue) env becomes (tree, boolean encoding of relations)

21 examples x [1 0][0 1] 01 x : T x [p00 p01][p00 p01] 01 [p10 p11][p10 p11] x.p x p00p00 01 p11p11 x in x.p p 00  p 11 all x | x in x.p

22 compositional rules MT [a in b] = merge (MT[a], MT[b], u,v.  i (u i  v j ) ) MT [all x | F] = fold (MT[F],  ) merging ·subexpressions may have different variables ·so interpose layers as necessary, then merge ·maintain consistent ordering from root to leaf x [1 0][0 1] 01 y [1 0][0 1] 01 x 01 y 01 y xy x in y

23 symmetry observation ·types are uninterpreted ·permuting elements of a type preserves modelhood example a = {S0}, b = {S1}, p = {(S0, T0), (S1, T0)} a = {S1}, b = {S0}, p = {(S0, T0), (S1, T0)} both models of !(a – b).p in (a.p – b.p) exploitation ·environments form equivalence classes ·avoid considering all elements of a class   environments

24 symmetry in boolean formula preserved! ·express symmetry  as permutation on boolean vars ·then  is a symmetry of the boolean formula too ·want to rule out one of A,  A Crawford’s idea ·order boolean vars into sequence V ·view assignments as binary numbers & pick smaller ·for each , add constraint V   V example ·A = 0123,  A = 0123,  = (02) ·V   V is 0123 < 2103 = 0 < 2

25 symmetry constraint for a relation suppose we translated relation p: S -> T to the matrix symmetry (S0 S1) exchanges top two rows constraint obtained is < = < =  0  3  (0  3   1  4)  (0  3  1  4   2  5)

26 generalizing symmetry extend to ·multiple relations and sets ·multiple types but ·diminishing returns ·pick ordering of vars carefully ·homogeneous relations tricky

27 results observations ·solver time dominates ·RelSAT dominates other solvers ·symmetry gives 100x speedup for ‘proofs’ ·bugs in boolean code not translation so end-to-end check where are we? ·interactive analysis up to 200 bits ·small but real specs (longest so far is 400 lines) ·30loc list-processing procedures

28 challenges symmetry ·why do a few symmetries seem to work so well? ·what symmetries should be used? progress bar ·will symmetry spoil our heuristics? visualization of models ·key for novice use language extensions ·numbers (easy?) ·sequences (hard?)

29 allex

30 allox

31 allix