Lecture 2 Q&A

Slide 4

Q: Since Alloy just gives counterexamples, it can’t actually prove things?
A: It’s true that it can’t prove things, but the small scope hypothesis (later in the lecture) suggests that checking small scopes is good enough. For any scope that you check with, you can always come up with some bug that it will not find, but most natural bugs are simple enough that a small scope will find them.

Slide 5

Q: How does 10^100 states in SMV compare to what the Alloy analyzer can handle?
A: Alloy can handle up to around 1000 bits wide, so 2^1000 states.

Slide 8

Q: What’s with the uppercase vs. lowercase letters?
A: It means nothing in Alloy, but DNJ’s notation is uppercase first letter for names of sets and lowercase for relations.

Q: So is Up a type?
A: No, it is a set. So x:Up means x is an element of Up (not that x’s type is Up).

Slide 9

Q: Is relational join associative?
A: No.

Slide 13

Q: What does r.table[IP] mean?
A: It is equivalent to IP.(r.table). [] means the same thing as . but it has lower precedence (so in r.table[IP], it is the join of IP and r.table).

Q: What is the type of r.table[IP] and what does it mean?
A: r.table: IP->Link, so r.table[IP] is a set of Links. This expression gets the links for each IP address in the table.
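To make the join and box-join answers above concrete, here is an added example (not part of the lecture notes or the Alloy distribution) that models Alloy’s dot join and box join on plain Python sets of tuples. The router, IP, Link and table relations are constructed sample data standing in for `sig Router { table: IP -> Link }`; the function and atom names are assumptions, not anything from the slides.

```python
"""Alloy-style relational join on Python sets of tuples (added example).

Models the dot join `p.q`, the box join `a[b]` (defined as `b.a`), and the
precedence point that `r.table[IP]` parses as `IP.(r.table)`.  All relations
below are constructed sample data, not an instance produced by the Alloy
Analyzer.
"""

from itertools import product


def arity(rel):
    """Arity of a relation given as a set of equal-length tuples (0 if empty)."""
    arities = {len(t) for t in rel}
    if len(arities) > 1:
        raise ValueError("relation has mixed arities")
    return arities.pop() if arities else 0


def join(p, q):
    """Alloy dot join p.q: match the last column of p against the first column
    of q and drop both matched columns.  Result arity is arity(p)+arity(q)-2,
    which Alloy requires to be at least 1 (so two sets cannot be joined)."""
    if p and q and arity(p) + arity(q) < 3:
        raise ValueError("p.q would have arity 0 (joining two sets)")
    return {a[:-1] + b[1:] for a, b in product(p, q) if a[-1] == b[0]}


def box(a, b):
    """Alloy box join a[b], which is defined as b.a."""
    return join(b, a)


# Constructed sample instance: one Router atom whose table is IP -> Link.
# `table` is the ternary relation Router -> IP -> Link declared by the sig.
r = {("r0",)}
IP = {("ip1",), ("ip2",), ("ip3",)}
Link = {("l1",), ("l2",)}
table = {("r0", "ip1", "l1"), ("r0", "ip2", "l2"), ("r0", "ip3", "l2")}


def links_for(router, ips):
    """r.table[IP] == IP.(r.table): the set of Links reached from `ips`
    in `router`'s forwarding table.  `[]` binds looser than `.`, so the
    box join applies to the already-computed binary relation r.table."""
    r_table = join(router, table)  # IP -> Link restricted to this router
    return box(r_table, ips)       # same as join(ips, r_table)


def associativity_counterexample():
    """(p.S).q versus p.(S.q) with a set S in the middle.  The two parse trees
    join different columns (last of p vs. last of S), so the results differ:
    a concrete instance of join not being associative in general."""
    p = {("a", "b")}
    S = {("b",)}
    q = {("a", "c")}
    return join(join(p, S), q), join(p, join(S, q))


if __name__ == "__main__":
    print("r.table      =", sorted(join(r, table)))
    print("r.table[IP]  =", sorted(links_for(r, IP)))
    print("(p.S).q, p.(S.q) =", associativity_counterexample())
```

Running it shows `r.table` as the binary relation `{(ip1,l1),(ip2,l2),(ip3,l2)}` and `r.table[IP]` as the set of Links `{l1, l2}`; passing a single IP instead of the whole set returns just that entry’s link. The counterexample function returns `{(c,)}` for `(p.S).q` but the empty set for `p.(S.q)`.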

Slide 14

Q: If Alloy finds no instance when you run a fun, what does that mean?
A: It means that there are conflicting constraints in the model (the model is overconstrained).

Slide 31

Q: If you get a counterexample in a scope of k, does that mean you will get a counterexample in a scope of k+1?
A: Usually, but if you use univ, this is not always the case.

Q: Is there some scope that is usually enough to find a counterexample?
A: No, this really depends on the model and the complexity of the error.