Alloy Analyzer 4 Tutorial Session 4: Dynamic Modeling Greg Dennis and Rob Seater Software Design Group, MIT
model of an address book

    abstract sig Target {}
    sig Name extends Target {}
    sig Addr extends Target {}
    sig Book { addr: Name -> Target }

    // a book with no entries
    pred init [b: Book] { no b.addr }

    // invariant: no name resolves (transitively) to itself, and every
    // name that is the target of an entry has an entry of its own
    pred inv [b: Book] {
      let addr = b.addr |
        all n: Name {
          n not in n.^addr
          some addr.n => some n.addr
        }
    }

    // follow name-to-name aliases and keep only the addresses reached
    fun lookup [b: Book, n: Name] : set Addr {
      n.^(b.addr) & Addr
    }

    assert namesResolve {
      all b: Book | inv[b] =>
        all n: Name | some b.addr[n] => some lookup[b, n]
    }
    check namesResolve for 4
what about operations?

- how is a name & address added to a book?
- no built-in model of execution
  - no notion of time or mutable state
  - need to model time/state explicitly
- can use a new "book" after each mutation:

    pred add [b, b': Book, n: Name, t: Target] {
      b'.addr = b.addr + n->t
    }
address book: operation simulation

- simulates an operation's executions
- download addressBook.als from the tutorial website
- execute the run command to simulate the add operation
  - a simulated execution can begin from an invalid state!
- create and run the predicate showAdd
  - simulates the add operation only from valid states
- modify showAdd to force interesting executions

    pred showAdd [b, b': Book, n: Name, t: Target] {
      inv[b]
      add[b, b', n, t]
    }
address book: delete operation

- write a predicate for a delete operation
  - removes a name-target pair from a book
- simulate interesting executions
- assert and check that delete is the undo of add
  - adding a name-target pair and then deleting that pair yields a book equivalent to the original
  - why does this fail?
- modify the assertion so that it only checks the case when the added pair is not in the pre-state book, and check
pattern: abstract machine

- treat actions as operations on global state
- in addressBook, State is Book
  - each Book represents a new system state

    sig State {…}
    pred init [s: State] {…}
    pred inv [s: State] {…}
    pred op1 [s, s': State] {…}
    pred opN [s, s': State] {…}
pattern: invariant preservation

- check that an operation preserves an invariant
- apply this pattern to the addressBook model
- do the add and
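The following is an added, stand-alone Alloy module, not part of the tutorial slides or of the tutorial's addressBook.als, that works through the delete-operation exercise (slide 5) and the invariant-preservation pattern (slide 7). It repeats the signatures and predicates from slide 2 so that it loads by itself; the names showDelete, deleteUndoesAddNaive, deleteUndoesAdd, addGuard, deleteGuard and the *PreservesInv assertions are my own, not the tutorial's. Because each system state is a separate Book atom, "a book equivalent to the original" is expressed as equality of the addr relations (b''.addr = b.addr), not equality of the atoms.

```alloy
// Added example module (not from the tutorial). Names other than those on
// the slides (showDelete, *Naive, *Guard, *PreservesInv) are my own.

abstract sig Target {}
sig Name extends Target {}
sig Addr extends Target {}
sig Book { addr: Name -> Target }

pred init [b: Book] { no b.addr }

// acyclic, and every name that is a target has an entry of its own
pred inv [b: Book] {
  let addr = b.addr |
    all n: Name {
      n not in n.^addr
      some addr.n => some n.addr
    }
}

pred add [b, b': Book, n: Name, t: Target] {
  b'.addr = b.addr + n->t
}

// delete removes exactly one name-target pair
pred delete [b, b': Book, n: Name, t: Target] {
  b'.addr = b.addr - n->t
}

// simulate delete from a valid state, forcing a pair that is really present
pred showDelete [b, b': Book, n: Name, t: Target] {
  inv[b]
  n->t in b.addr
  delete[b, b', n, t]
}
run showDelete for 3

// Slide 5, naive form. Fails: when n->t is already in b, add is a no-op
// and delete then removes a pair the original book had.
assert deleteUndoesAddNaive {
  all b, b', b'': Book, n: Name, t: Target |
    (add[b, b', n, t] and delete[b', b'', n, t]) => b''.addr = b.addr
}
check deleteUndoesAddNaive for 3   // expect a counterexample

// Guarded form: only pairs absent from the pre-state. Holds.
assert deleteUndoesAdd {
  all b, b', b'': Book, n: Name, t: Target |
    (n->t not in b.addr and add[b, b', n, t] and delete[b', b'', n, t])
      => b''.addr = b.addr
}
check deleteUndoesAdd for 3        // expect no counterexample

// Slide 7: unguarded add can create a cycle (e.g. n->n) or point at a
// name that has no entries, so inv is not preserved.
assert addPreservesInvNaive {
  all b, b': Book, n: Name, t: Target |
    (inv[b] and add[b, b', n, t]) => inv[b']
}
check addPreservesInvNaive for 3   // expect a counterexample

// precondition: n not reachable from t (no new cycle, including t = n),
// and a Name target must already have an entry of its own
pred addGuard [b: Book, n: Name, t: Target] {
  n not in t.*(b.addr)
  t in Name => some t.(b.addr)
}
assert addPreservesInv {
  all b, b': Book, n: Name, t: Target |
    (inv[b] and addGuard[b, n, t] and add[b, b', n, t]) => inv[b']
}
check addPreservesInv for 5        // expect no counterexample

// delete keeps the book acyclic but can remove the only entry of a name
// that some other name still points at, so unguarded delete fails too.
assert deletePreservesInvNaive {
  all b, b': Book, n: Name, t: Target |
    (inv[b] and delete[b, b', n, t]) => inv[b']
}
check deletePreservesInvNaive for 3 // expect a counterexample

// precondition: if n is still a target afterwards, it keeps another entry
pred deleteGuard [b: Book, n: Name, t: Target] {
  some (b.addr).n => some (n.(b.addr) - t)
}
assert deletePreservesInv {
  all b, b': Book, n: Name, t: Target |
    (inv[b] and deleteGuard[b, n, t] and delete[b, b', n, t]) => inv[b']
}
check deletePreservesInv for 5     // expect no counterexample
```

Load the module in Alloy Analyzer 4 and run each command from the Execute menu; the comment after each check says whether the analyzer should report a counterexample. The two guard predicates are the operations' preconditions: they are exactly the conditions under which the operation is allowed to run from a valid state, and the guarded assertions show that under those preconditions add and delete keep every reachable Book inside inv.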
This note was uploaded on 02/24/2012 for the course CSE 503, taught by Professor David Notkin during the Spring 2011 term at the University of Washington.