Final Project Help Lecture (4/16)

Alloy Bounds

How do you come up with reasonable bounds to use in Alloy?

For example, those doing graph algorithms want to know how many nodes to use to run their models.

There is no absolute answer. It is dependent on your spec and your goals.

Pick reasonable bounds. For finding a minimum spanning tree, 3 is probably not enough. Twenty, on the other hand, is too much for Alloy to scale to. Meeting in the middle around a 7 or 8 node bound should be sufficient.

What is a good reach goal?

This could be adding another algorithm or puzzle under your topic. Or you may want to model another component of the protocol your project deals with.

To get an A on the project, you must demonstrate a serious attempt at your reach goal. You do not need to completely succeed, but the immediate roadblocks should not be where you stopped working.

Knowledge

There's a great book called One Hundred Prisoners and a Light Bulb (which you can download for free through the Brown library). It's a great resource for learning how to reason about knowledge.

Exercise: Tim and Eleanor both flip a coin. They each know the result of their coin, but not the other's. This is a situation involving knowledge. There are several possible worlds.

Worlds are pairs of results: (Tim, Eleanor). Our possible worlds are (H,H), (H,T), (T,H), (T,T). How do we use a Kripke structure to represent this? Keep in mind that a Kripke structure is just a graph whose nodes are worlds and whose edges, one color per agent, record which worlds that agent cannot tell apart.

Let Tim be blue and Eleanor be red. Let Tim be in the (H,H) world. He does not know he is in this world, but he does know that he flipped heads. Given his knowledge it's possible he's in the (H,H) world or the (H,T) world. We draw two blue edges from (H,H) going into each of these worlds. We can repeat this for Tim for each of the worlds:

[Diagram: worlds HH, HT, TT, TH with Tim's blue edges. HH and HT are connected to each other, as are TT and TH, and every world has a self-loop.]

Same deal for Eleanor.

[Diagram: the same four worlds with Eleanor's red edges. HH and TH are connected to each other, as are HT and TT, and every world has a self-loop.]

To summarize: an agent's edge exists from world 1 to world 2 if, when the actual world is world 1, that agent considers world 2 possible.

Suppose the actual world is (H,H) and take the statement 'Tim knows (Eleanor flipped tails)'. Can we show this statement is false? An agent knows a statement in a world exactly when the statement holds in every world reachable from that world along the agent's own edges. Tim's reachable worlds from (H,H) are (H,H) and (H,T). Eleanor did not flip tails in (H,H), so the statement is false for Tim in world (H,H).

Question: How do we model the passage of time in these puzzles?
Answer: We consider our graphs to be the main component of state. The worlds in the graph (nodes) do not change between states, but knowledge (edges) does. Events that update our knowledge connect states together.

Example: If Tim sneaks a look at Eleanor's coin, we treat this as a transition event. Eleanor's knowledge does not change between states, but Tim's does. Since Tim now has full information, only self loops can exist for Tim's knowledge; whatever world Tim is in, he cannot believe any other world to be possible. Now we can evaluate statements like 'Tim knows Tim flipped heads' in each of the worlds to figure out where it could be true. When we evaluate the statement 'Tim knows Tim flipped heads and Tim knows Eleanor flipped heads', we will find the one world for which this is true.

Question: How do we model one agent having knowledge of another agent's knowledge?
Answer: Because we have access to the entire Kripke structure (and all colored edges), we can evaluate any knowledge statement. As mentioned, to evaluate something like 'Tim knows X', we check whether it is true in all worlds reachable from a given world using Tim's edges. We can do the same thing for a statement like 'Tim knows that Eleanor knows X.'
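The coin example above, written out as an Alloy model so that the knowledge statements from the lecture can be checked rather than evaluated by hand. This is an added example, not code from the lecture; the sig names (Result, Agent, World, State), the field names (tim, eleanor, sees) and the predicate names are my own choices. Propositions are represented as the set of worlds in which they hold, and nesting 'Tim knows that Eleanor knows X' is just applying the same rule twice.

```alloy
-- Added example (not from the lecture): Tim and Eleanor's coins as a Kripke structure.
-- All sig, field and predicate names are my own choices.
abstract sig Result {}
one sig H, T extends Result {}

abstract sig Agent {}
one sig Tim, Eleanor extends Agent {}

-- A world records both coins.
sig World {
  tim: one Result,
  eleanor: one Result
}

-- Exactly one world per combination, giving HH, HT, TH and TT.
fact FourWorlds {
  all r1, r2: Result | one w: World | w.tim = r1 and w.eleanor = r2
}

-- A state is the set of colored edges: for each agent, which worlds it
-- considers possible from each world. The nodes never change; the edges do.
sig State {
  sees: Agent -> World -> World
}

-- Initially each agent tells worlds apart only by its own coin.
pred initial[s: State] {
  s.sees[Tim]     = { w1, w2: World | w1.tim = w2.tim }
  s.sees[Eleanor] = { w1, w2: World | w1.eleanor = w2.eleanor }
}

-- Transition: Tim peeks at Eleanor's coin. His edges collapse to self-loops;
-- Eleanor's edges are carried over unchanged.
pred peek[s, s': State] {
  s'.sees[Tim]     = { w1, w2: World | w1 = w2 }
  s'.sees[Eleanor] = s.sees[Eleanor]
}

-- A proposition is the set of worlds in which it holds.
fun timHeads: set World     { { w: World | w.tim = H } }
fun eleanorHeads: set World { { w: World | w.eleanor = H } }
fun eleanorTails: set World { { w: World | w.eleanor = T } }

-- 'a knows p' at world w: p holds in every world reachable from w along a's edges.
pred knows[s: State, a: Agent, w: World, p: set World] {
  s.sees[a][w] in p
}

-- The worlds in which a knows p; this is what lets knowledge statements nest.
fun knowsSet[s: State, a: Agent, p: set World]: set World {
  { w: World | s.sees[a][w] in p }
}

-- The claims worked through in the lecture, as one checkable assertion.
assert LectureClaims {
  all s, s': State | (initial[s] and peek[s, s']) implies {
    -- Before the peek, Tim knows Eleanor's result in no world.
    no w: World | knows[s, Tim, w, eleanorTails] or knows[s, Tim, w, eleanorHeads]
    -- Nested knowledge: Tim does know that Eleanor knows her own coin.
    all w: World |
      knows[s, Tim, w, knowsSet[s, Eleanor, eleanorHeads] + knowsSet[s, Eleanor, eleanorTails]]
    -- After the peek, exactly one world satisfies
    -- 'Tim knows Tim flipped heads and Tim knows Eleanor flipped heads'.
    one w: World | knows[s', Tim, w, timHeads] and knows[s', Tim, w, eleanorHeads]
  }
}
check LectureClaims for exactly 4 World, 2 State

-- Sanity run: the hypothesis of the assertion is satisfiable, so the check is not vacuous.
run { some s, s': State | initial[s] and peek[s, s'] } for exactly 4 World, 2 State
```

The scope must be exactly 4 World, because the FourWorlds fact cannot be satisfied with fewer atoms and a check whose facts are unsatisfiable passes vacuously; the trailing run guards against that. Note that the peek is modeled only by changing Tim's edges, which is what the lecture describes; in this structure Eleanor's edges still reach worlds where Tim has full information, so the model does not treat the peek as secret from Eleanor.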

Common Mistakes / Useful techniques

Finding a minimum/maximum

Imagine we have a world with a bunch of objects; each has a color and a value between 1 and 3. Let's say we want to get objects such that we have one of each color and a maximal value. This is a problem involving optimization for maximization / minimization.

Take this Alloy code: let options = {o: Object | o.value = 3}. What if there are multiple objects in this set? How do we pick just one? Can we write this:

let options = {o: Object | o.value = 3} |
    one pick: options |
        ... α(pick)   -- some constraint on pick

This can lead to subtle bugs: 'one' asserts that exactly one element of options satisfies the constraint, so Alloy quietly discards every instance in which two or more do. Instead use 'some', which asserts only that at least one such pick exists (what we really want); Alloy will then find a witness for you and bind it to the identifier.
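The pitfall above on a concrete model, as an added example that is not from the lecture: objects with a color and a value 1..3, a selection with one object per color, and the requirement that the selection contains a best object. The sig names (Color, Object, Selection), the field names and the predicate names are my own. Writing the selection as a field of a one sig avoids quantifying over sets.

```alloy
-- Added example (not from the lecture): one object per color with a best object,
-- and why 'one pick' is the wrong quantifier. Sig, field and predicate names are my own.
abstract sig Color {}
one sig Red, Green, Blue extends Color {}

sig Object {
  color: one Color,
  value: one Int
}
fact ValueRange { all o: Object | o.value >= 1 and o.value =< 3 }

-- The selection lives in a field, so no higher-order quantifier is needed.
one sig Selection { chosen: set Object }

-- Objects that no other object beats on value (a maximum without the max[] built-in).
fun best: set Object { { o: Object | no o2: Object | o2.value > o.value } }

-- Buggy: 'one' says exactly one best object is chosen, so any selection
-- that contains two tied best objects is silently ruled out.
pred containsBestBuggy[chosen: set Object] {
  let options = best |
    one pick: options | pick in chosen
}

-- Correct: 'some' only demands at least one; the Analyzer picks a witness.
pred containsBest[chosen: set Object] {
  let options = best |
    some pick: options | pick in chosen
}

-- Exactly one chosen object of each color.
pred oneOfEachColor[chosen: set Object] {
  all c: Color | one (chosen & color.c)
}

-- Constructed tie: two distinct best objects, both selected.
pred tiedBestBothChosen[chosen: set Object] {
  some disj a, b: best | a + b in chosen
}

-- Satisfiable: e.g. a red 3 and a green 3 are both chosen alongside one blue object.
run {
  oneOfEachColor[Selection.chosen]
  containsBest[Selection.chosen]
  tiedBestBothChosen[Selection.chosen]
} for 6 Object, 4 Int

-- No instance: the same scenario with the 'one' form cannot be satisfied.
run {
  oneOfEachColor[Selection.chosen]
  containsBestBuggy[Selection.chosen]
  tiedBestBothChosen[Selection.chosen]
} for 6 Object, 4 Int
```

The second run coming back with no instance is the symptom to watch for: the 'one' form does not fail loudly, it just narrows the instances the Analyzer is allowed to show you.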

Summing values

all s': set Object |
    let total = sum[s'.value] | ...
-- OR
all s': set Object |
    let total = sum o': s' | o'.value | ...

Be careful with the first form. Alloy has no multisets: s'.value is the set of distinct values, so duplicate values collapse into one. For example, objects o1->3, o2->2, o3->3 give total = 5 for the first form (summing the set {3, 2}) but total = 8 for the second (one term per object). Two further caveats: with the default 4-bit integers (-8..7) a total of 8 is out of range and arithmetic wraps around, so raise the Int scope when sums can exceed 7; and 'all s': set Object' is itself a higher-order quantifier, which the Analyzer accepts only where it can skolemize it, such as an assertion being checked.
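The 3, 2, 3 example above as a model the Analyzer can check, added here and not part of the lecture. The sig names (Object, O1..O3) and function names are my own; the three fixed values are a constructed instance, and the Int scope is raised so that 8 is representable.

```alloy
-- Added example (not from the lecture): the two sum forms on the values 3, 2, 3.
-- Sig and function names are my own; the instance is constructed for the example.
abstract sig Object { value: one Int }

-- Constructed instance: three objects, two of them worth 3.
one sig O1, O2, O3 extends Object {}
fact Values { O1.value = 3 and O2.value = 2 and O3.value = 3 }

-- Sums the set of values: s.value = {3, 2}, so the duplicate 3 is lost.
fun totalOfValueSet[s: set Object]: Int { sum[s.value] }

-- Sums one term per object: 3 + 2 + 3.
fun totalPerObject[s: set Object]: Int { sum o: s | o.value }

assert SetSumDropsDuplicates {
  totalOfValueSet[Object] = 5
  totalPerObject[Object] = 8
}
-- 5 Int gives the range -16..15. With the default 4 Int (-8..7) the value 8
-- cannot be represented and the arithmetic wraps around.
check SetSumDropsDuplicates for 3 Object, 5 Int
```

The check should report no counterexample. Dropping the Int scope back to the default is a quick way to see the wrap-around behaviour for yourself.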

Higher-order Quantification

How should you deal with the error from higher order quantification that Alloy couldn't skolemize?

You can use Alloy*, which handles higher order quantification better. You are allowed to use this in your project.

You can also limit yourself to a given number of objects and do multiple steps of first order quantification:


all o1, o2, o3, o4: Object |
    let mySet = (o1 + o2 + o3 + o4) |
        let total = sum o': mySet | o'.value | ...

Because the four variables may coincide (o1 = o2 is allowed), mySet ranges over every nonempty set of at most four objects. Quantifying over more variables raises that bound, at the usual cost in solver time, and sets larger than the bound are never considered.
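The sketch above completed into a runnable model, as an added example that is not from the lecture: the selection to optimize is a field rather than a quantified set, and the universal quantifier over o1..o4 says that no set of at most four objects is worth more than it. The sig names (Object, Selection), the field name chosen and the predicate and function names are my own.

```alloy
-- Added example (not from the lecture): a bounded, first-order stand-in for
-- 'some s: set Object | ...'. Sig, field, predicate and function names are my own.
sig Object { value: one Int }
fact ValueRange { all o: Object | o.value >= 1 and o.value =< 3 }

-- The candidate answer is a field, so the solver chooses it without any
-- higher-order quantifier.
one sig Selection { chosen: set Object }

-- Per-object sum, so objects with equal values are all counted.
fun total[s: set Object]: Int { sum o: s | o.value }

-- 'No set of at most four objects is worth more than the selection.'
-- Because o1..o4 may coincide, o1 + o2 + o3 + o4 ranges over every
-- nonempty subset of size 1..4; that size is the bound this trick buys.
pred bestOfSizeUpTo4 {
  some Selection.chosen
  #(Selection.chosen) =< 4
  all o1, o2, o3, o4: Object |
    let mySet = o1 + o2 + o3 + o4 |
      total[mySet] =< total[Selection.chosen]
}

-- Four objects worth 3 each total 12, so 5 Int (-16..15) is needed to avoid wrap-around.
run bestOfSizeUpTo4 for 5 Object, 5 Int
```

Every instance the Analyzer shows will have the selection made of the highest-valued objects available, up to four of them. The price of the trick is visible in the bound: the quantifier enumerates 5^4 combinations at this scope, and a larger subset bound means another variable and another factor of the Object scope.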