CS1950Y Lecture 5: Relational Expressions 2
2/2/18


Make sure you do the reading! It is very important! We won't have time to go over all of the alloy features, so the textbook will introduce them to you.

Section

Oracle

What can go horribly wrong when you write an oracle?

Answer: The produced input could be very biased. You could produce false positives, or false negatives. You could reject something that actually is okay. When a test case fails, you go fix it. But what happens when your oracle produces a false positive? You have to go fix the oracle, not your program. We aren't looking for complete 100% verification (it takes a lot of time and energy to model all potential input)

Tic Tac Toe Review

What happens if there are no moves to make?

Answer: You won't be able to see if there are any moves that are counter examples, because we have a bug somewhere else in our program.

How many boards do we need to model a move?

Answer: Two! We need a pre-board and a post-board

Tim will upload a ~bonus~ model of the Alice, Bob, Charlene (Brown/Harvale) puzzle from the first day of class. In this bonus model, take a look at the property and the counterexample. They are only different by a ! (not), and you can use either of them.

Alloy syntax

Alloy is built on top of relational logic.

What is relational logic?

Answer: A relation is a set of tuples. Tuples are immutable and ordered. An example is say this class. Whenever someone is sitting next to someone else, let's call that a tuple for this example. So each pair of people is a concrete relation. Another example that is not symmetric is for the class, if our relation is "is to the left of", so for each person, their relation is whoever is left of them (this is not symmetric because not everyone has someone to their left). Another example is a family tree!

Tuples are sequences of elements.

Modeling Directed Graphs

What makes up a directed graph? What do we need to model?

Answer: Nodes, edges, colors!

Let's start with our nodes:

		
			sig Node {
				edges: set Node
			}
			run {} for exactly 5 Node
		
	
Even just with this code snippet, we were able to get an example of a directed graph.

Alloy gives us this cool tool: The Evaluator! (You should definitely use this to help you debug! It's amazing!)
When we type Node we get a set of all of the nodes: {Node$0, Node$1, Node$2, Node$3, Node$4}
When we type edges, we see that each edge is a set of ordered tuples, containing Nodes. For example, Node$0 -> Node$4.
Next, when we type Node$1.edges, we are asking to see Node$1's edges (specifically the edges that start at Node$1).

How would we model an undirected graph in alloy?

Relations have to be ordered, so we can't get rid of that. Instead, we can write:
		
			fact undirected {
				all x, y: Node | x->y in edges implies y->x in edges
			}
		
	
Alloy models everything as relations under the hood.

So far, we've seen how we can use . to get a node's edges. What else can we do with sets?

Answer: Intersection, set subtraction, union. We can do this in our alloy specs and in the Evaluator!

If we add in our colors to our edges:
		
			sig Node {
				edgesB: set Node,
				edgesR: set Node
			}
			run {} for exactly 5 Node, 5 int
		
	
Now we have edgesB and edgesR. In the evaluator we can see if they are equal: edgesB = edgesR. We can check the intersection: edgesB & edgesR, the union: edgesR + edgesB, the subtraction: edgesR - edgesB.

Next, we tried in the evaluator: add[1,2] we got {} and add[1,2] is {3}. But add[1,2] + add[2,3] is {3,5}. This is an easy mistake to make! + is set union, not addition!

If we use the ->, we can create relations. For example: Node$0 -> Node$1 gives us {Node$0->Node$1}. So if we then do Node$0 -> edgesR, we get a relation from Node$0 to each edge relation in edgesR.

Takeaway: Everything in alloy is a relation!

So what happens if we try (Node$0 -> edgesR) - edgesR in the evaluator?

Answer: An arity error is thrown! Arity refers to the size of relations. So this throws an error because (Node$0 -> edgesR) is larger than edgesR, so we can not perform set subtraction.

We can also test containment: edgesR in edgesB. We can also use not, for example: not edgesR in edgesB or edgesR not in edgesB. We can check if there are some edges in edgesB: some edgesB. Using some and no result in booleans instead of relations.

Student Question: In the evaluator, are we only working with the current alloy run example?

Answer: Yes, until we click the next button to see the next model.

Student Question: When we hit the next button, is the sequence always the same?

Answer: Usually yes. It is based on the underlying logic in the solver. You will be implementing a similar solver later on in class, so stay tuned!

We can also use lone and one in the evaluator, like how we use them in our alloy models.

We can also use ~ to transpose a relation. Transposing a relation is basically swapping the elements of a relation. For example: {Node$0->Node$3} becomes {Node$3->Node$0}

Lastly, we have the .. This is a relational join! Stay tuned next time for more!