CS195Y Lecture 9

2/13/17


Symmetry Breaking Continued

Last week we talked about symmetry breaking in Alloy. Why would we want Alloy to do this? What kind of search is most expensive for Alloy? One where the model is unsat. This is because, to conclude unsat, Alloy must look through every possible instance. To increase performance in this case, we can turn symmetry breaking on by putting expect 0 at the end of our run statement. If we think it's sat, then we can put expect 1 at the end.

sig Node {edges : set Node}
run {#Node = 9} for exactly 9 Node

What will happen here? Let's try it! In the evaluator, we ask what #Node is and it's -7, but we have 9 nodes. What could be going on? Is integer a sig in Alloy? Yes, Integer is a sig, but we have none of these sigs in our instance. What if we change 9 to 1?

sig Node {edges : set Node}
run {#Node = 1} for 9 Node

Now we get an instance! But the evaluator says 1 = -1 is true? Let's try something else.

sig Node {edges : set Node}
run {#Node = 9} for exactly 9 Node, 5 int

This time we've told Alloy something about the integers we're going to need. To do this we need to define the bitwidth, which is the number of bits used to represent each integer in two's complement. Make sure you have enough integers to work with in your models. If you don't, strange, strange things will happen.
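
The wrap-around seen in the evaluator can be reproduced outside Alloy. The following Python sketch is an added example, not part of the lecture's code; it assumes Alloy's default bitwidth of 4 when no int scope is given, and the function names are made up for illustration.

```python
def int_range(bitwidth):
    """Inclusive (min, max) of signed two's-complement integers with this many bits."""
    half = 1 << (bitwidth - 1)
    return -half, half - 1


def wrap(value, bitwidth):
    """The number you read back after storing `value` in `bitwidth` bits."""
    low = value & ((1 << bitwidth) - 1)      # keep only the low bits
    # If the top bit is set, the pattern reads as a negative number.
    return low - (1 << bitwidth) if low >> (bitwidth - 1) else low


def min_bitwidth(largest_count):
    """Smallest bitwidth whose maximum integer can hold `largest_count`."""
    bits = 1
    while int_range(bits)[1] < largest_count:
        bits += 1
    return bits


def check_scope(count, bitwidth=4):
    """Report what a cardinality of `count` looks like at the given bitwidth.

    bitwidth=4 is the assumed default when the run command gives no int scope.
    """
    stored = wrap(count, bitwidth)
    return {
        "range": int_range(bitwidth),
        "stored": stored,
        "overflows": stored != count,
        "needed": min_bitwidth(count),
    }


if __name__ == "__main__":
    # 9 nodes with no int scope, then with "5 int" as in the run command above.
    for bits in (4, 5):
        print(bits, check_scope(9, bits))
```

At bitwidth 4 the integers run from -8 to 7, so a cardinality of 9 reads back as -7; at bitwidth 5 they run from -16 to 15 and 9 fits.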

Moving on to something even more interesting. Let's codify the natural numbers in Alloy.

sig N {succ : one N}
sig Z extends N {}
fact {
    all n: N | n not in n .^succ
}
run {} for 12

If we cannot codify every possible natural number, how can we prove anything about natural numbers in general? But think about the other examples we've used in class: we haven't used particularly large numbers to check for correct behavior. There are a lot more than 6 cities in the world. Q: But why is it okay to only check for counterexamples up to a certain size? A: Most bugs have small examples of them, thus when we check on small numbers we'll see a small instance of the bug. We are looking for bugs by using Alloy, rather than proving absolute correctness.

One last depressing thing to see today

Going back to tic tac toe...

pred hopelessX[b : Board]{
    all b2 : Board -b |
        (b.places in b2.places and validBoard[b2])
            implies not win[b2, X]
}
run { some b : Board | hopelessX[b] and no b.places and #Board > 1} for 10 Board