CS 525V (S02) : Introduction to Computer-Aided Verification

Homework 4: Modeling with Alloy

Exercises

This assignment explores how well-suited Alloy is to modeling and verifying small systems that we've already studied.

  1. Traffic Light: (30 points)

    1. (10 points) Create an Alloy model of the individual state machines in the traffic light controller (two lights and a timer).

    2. (5 points) Augment the model with the cross-product of these three machines.

    3. (5 points) Without making any modifications to your model (other than adding the SPEC declarations), try to verify the two SPECs given in the smv file (no two lights green at once, green eventually red if car present). Which ones fail to verify and why?

    4. (10 points) Make a copy of the model (into another file). Try to modify it to allow you to verify the two SPECs. Describe what modifications you made. For each SPEC, indicate whether you can verify it. If you can, but couldn't verify it in the previous model, explain how your modifications enable Alloy to verify the property. If you can't, state whether you think Alloy can be used to verify the SPEC at all and justify your answer.

  2. The Library System: (50 points)

    1. (15 points) Model the structural aspects of the library system from homework 3 in Alloy (the books, patrons, requests, etc). If you leave out part of the system because you feel you can't model it well in Alloy, provide a comment justifying your decision.

    2. (10 points) Augment your core model with sufficient facts so that Alloy generates realistic models of the library system (for example, having people be their own spouses was unrealistic in the family tree example from class).

    3. (15 points) Model the check-out, check-in, and make-request operations, and verify that checking-out followed by checking-in the same book from the same patron restores the original library system.

    4. (10 points) Try to verify that your Alloy model satisfies the consistency property from homework 3 (the second property). Describe any additional facts or invariants that you added to the model to verify the property. If you can't get the property to verify, provide a concrete counterexample that Alloy generates and explain why you can't augment the model to eliminate the counterexample.

  3. (10 points) Contrast Alloy and SMV based on these two examples. What is each tool suitable/unsuitable for modeling and verifying? In what stages of software development would you expect each to be useful and why ("none" is a valid answer if you back it up).

This page maintained by Kathi Fisler
Department of Computer Science Worcester Polytechnic Institute