Transitive-closure-based model checking (TCMC) in Alloy

Regular Paper, published in Software and Systems Modeling

Abstract

We present transitive-closure-based model checking (TCMC): a symbolic representation of the semantics of computational tree logic with fairness constraints (CTLFC) for finite models in first-order logic with transitive closure (FOLTC). TCMC is an expression of the complete model checking problem for CTLFC as a set of constraints in FOLTC without induction, iteration, or invariants. We implement TCMC in the Alloy Analyzer, showing how a transition system can be expressed declaratively and concisely in the Alloy language. Since the total state space is rarely representable due to the state-space explosion problem, we present scoped TCMC where the property is checked for state spaces of a size smaller than the total state space. We address the problem of spurious instances and carefully describe the meaning of results from scoped TCMC with respect to the complete model checking problem. Using case studies, we demonstrate scoped TCMC and compare it with bounded model checking, highlighting how TCMC can check infinite paths.
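The following Alloy model, added here as an illustration and not taken from the paper or its artifact, shows the encoding style the abstract describes: the transition system is a relation, CTL operators are set-valued functions over its transitive closure, and a scoped command bounds the size of the TS instance. The names State, sigma, S0 and Crit are assumptions made for this example.

```alloy
module tcmc_example

-- Transition system: sigma is the transition relation, S0 the initial state.
-- State, sigma, S0 and Crit are assumed names, not taken from the paper.
sig State { sigma: set State }
one sig S0 extends State {}
sig Crit in State {}      -- proposition "in critical section" (constructed)

-- Every state has a successor, so every path can be extended infinitely.
fact totality { all s: State | some s.sigma }

-- Existential CTL operators as sets of states, using closure instead of
-- iteration, induction or fixpoint invariants.
fun EX[phi: set State]: set State { sigma.phi }
fun EF[phi: set State]: set State { (*sigma).phi }
-- EG[phi]: an infinite phi-path in a finite TS must revisit a state, so it
-- is a phi-path leading into a phi-cycle; ^r & iden picks the cycle states.
fun EG[phi: set State]: set State {
  let r = sigma & (phi -> phi) |
    (*r).((^r & iden).State)
}
-- Universal operators by duality.
fun AG[phi: set State]: set State { State - EF[State - phi] }
fun AF[phi: set State]: set State { State - EG[State - phi] }

-- Scoped check: the property is tested only for TS instances of at most
-- 5 states. A counterexample is a small TS instance whose initial state
-- violates AF Crit; with no constraints beyond totality, one exists
-- (a self-loop on a non-Crit state).
liveness: check { S0 in AF[Crit] } for 5 State
-- Existential query: find a TS instance with an infinite non-Crit path.
witness: run { some Crit and S0 in EG[State - Crit] } for 4 State
```

The scope on each command is what makes this scoped rather than complete model checking: a result only speaks about TS instances within the bound, which is the point the abstract raises about spurious instances.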



Notes

  1. This translation increases the size of a transition system.

  2. https://cs.uwaterloo.ca/~nday/artifacts/.

  3. A full subgraph of a graph is a subset of the nodes with all edges between these nodes that are found in the original graph.

  4. Infinite liveness, also described in this figure, is explained in a later subsection.

  5. The use of id[X] in EG (from which AF and AU are derived) in the TCMC implementation in Fig. 2 requires there to be a looping path from a state back to itself to make an infinite path.

  6. Existential TCMC requires the satisfying TS instance to have some path from all initial states of the TS instance; however, unless the model requires there to be multiple initial states, there is usually a TS instance with only one initial state, meaning there is some path from some initial state.

  7. https://cs.uwaterloo.ca/~nday/artifacts/.


Acknowledgements

We thank Amin Bandali, George Gao, Eunsuk Kang, Mitchell Kember, Joseph Poremba, Jose Serna, Khadija Tariq and Lynn Tran for their help in discussions regarding Alloy. This research was supported in part by the Natural Sciences and Engineering Research Council of Canada (NSERC).

Corresponding author

Correspondence to Nancy A. Day.

Additional information

Communicated by Dr. Antonio Cerone.


About this article

Cite this article

Farheen, S., Day, N.A., Vakili, A. et al. Transitive-closure-based model checking (TCMC) in Alloy. Softw Syst Model 19, 721–740 (2020). https://doi.org/10.1007/s10270-019-00763-8


  • DOI: https://doi.org/10.1007/s10270-019-00763-8
