Alloy: A Lightweight Object Modelling Notation
Laboratory for Computer Science
Massachusetts Institute of Technology
November 27, 2001
Alloy is a little language for describing structural properties. It offers a declaration syntax compati-
ble with graphical object models, and a set-based formula syntax powerful enough to express com-
plex constraints and yet amenable to a fully automatic semantic analysis. Its meaning is given by
translation to an even smaller (formally defined) kernel. This paper presents the language in its
entirety, and explains its motivation, contributions and deficiencies.
What is the smallest modelling notation that can express a useful range of structural properties, is
easy to read and write, and can be analyzed automatically? This paper describes an attempt to
answer this question. Alloy is an experimental language with a small syntax, built on an even
smaller kernel. The kernel has a precise semantics, and is expressive enough to capture complex
properties, while remaining amenable to efficient analysis.
Almost all recent development methods factor out the structural aspect of a software system for
separate description, usually called the ‘object model’. Alloy supports the description of basic struc-
ture (graphically, or as textual declarations), as well as more intricate constraints and operations
describing how structures change dynamically (both expressed as logical formulas). It thus incor-
porates not only the object model, but also the ‘operation model’ of Fusion , or the ‘behaviour
model’ of Catalysis , and is comparable to the Object Constraint Language  of UML .
Alloy is not for describing dynamic interactions between objects, nor for describing syntactic struc-
ture in an implementation, such as the class hierarchy and packaging.
Alloy is amenable to a fully automatic semantic analysis that can provide checking of conse-
quences and consistency, and simulated execution [31,40]. To gain ‘executability’, Alloy does not
sacrifice abstraction: it can generate sample transitions of an operation described implicitly, using
negation and conjunction .
Alloy and its predecessor NP [30,34] have been used to model and analyze a variety of artifacts,
including architectural frameworks [12,37], a mobile internet protocol , a naming scheme ,
the UML core metamodel , and a message filtering device .
Alloy’s starting point is Z , an elegant and powerful language with a particularly simple
mathematical foundation. It selects from Z those features that are essential for object modelling,
and incorporates a few constructs that are ubiquitous in more recent (but less formal) notations.
The semantics of Alloy thus bridges the gap between Z and object models, and shows how to give