software abstractions - logic, language, and analysis 2006

Software Abstractions: Logic, Language, and Analysis
Daniel Jackson
computer science / software engineering

In Software Abstractions Daniel Jackson introduces a new approach to software design that draws on traditional formal methods but exploits automated tools to find flaws as early as possible. This approach—which Jackson calls “lightweight formal methods” or “agile modeling”—takes from formal specification the idea of a precise and expressive notation based on a tiny core of simple and robust concepts but replaces conventional analysis based on theorem proving with a fully automated analysis that gives designers immediate feedback. Jackson has developed Alloy, a language that captures the essence of software abstractions simply and succinctly, using a minimal toolkit of mathematical notions. The designer can use automated analysis not only to correct errors but also to make models that are more precise and elegant. This approach, Jackson says, can rescue designers from “the tarpit of implementation technologies” and return them to thinking deeply about underlying concepts.

Software Abstractions introduces the key elements of the approach: a logic, which provides the building blocks of the language; a language, which adds a small amount of syntax to the logic for structuring descriptions; and an analysis, a form of constraint solving that offers both simulation (generating sample states and executions) and checking (finding counterexamples to claimed properties). The book uses Alloy as a vehicle because of its simplicity and tool support, but the book’s lessons are mostly language-independent, and could also be applied in the context of other modeling languages.

Daniel Jackson is Professor in the Department of Electrical Engineering and Computer Science and leads the Software Design Group at the Computer Science and Artificial Intelligence Lab at MIT.

“Abstraction is the essence of simple and effective software design, and logic is the essential tool for exploring and validating abstractions. These basic insights, which have been laboriously rediscovered by many practicing programmers, are now accessible to students and professionals at all levels of experience. Daniel Jackson supports his clear and elegant text with a powerful logical analysis tool that brings his witty examples to life.” —Tony Hoare, Senior Researcher, Microsoft

“Alloy’s streamlined combination of predicate logic and relational algebra makes modeling a pleasure. I rely on the Alloy Analyzer, and this book shows how easy it is to start using it.” —Pamela Zave, AT&T Research

“Alloy is to modeling what Excel is to office work: an incredibly powerful way to make models into concrete, tangible objects. Jackson’s book is essential for practitioners to master the power of this new tool.” —Alain Wegmann, Ecole Polytechnique Fédérale de Lausanne

The MIT Press, Massachusetts Institute of Technology, Cambridge, Massachusetts 02142, http://mitpress.mit.edu
ISBN 0-262-10114-9

Software Abstractions: Logic, Language, and Analysis
Daniel Jackson
The MIT Press, Cambridge, Massachusetts; London, England

© 2006 Daniel Jackson. All rights reserved. No part of this book may be reproduced in any form by any electronic or mechanical means (including photocopying, recording, or information storage and retrieval) without permission in writing from the publisher. MIT Press books may be purchased at special quantity discounts for business or sales promotion use. For information, please email special_sales@mitpress.mit.edu or write to Special Sales Department, The MIT Press, 55 Hayward Street, Cambridge, MA 02142.

This book was set in Adobe Warnock and ITC Officina Sans, by the author, using Adobe Indesign and his own software, on Apple computers. Diagrams were drawn with OmniGraffle Pro. Printed and bound in the United States of America.

Library of Congress Cataloguing-in-Publication Data
Jackson, Daniel.
Software abstractions : logic, language, and analysis / Daniel Jackson.
p. cm.
Includes bibliographical references and index.
ISBN 0-262-10114-9 (alk. paper)
1. Computer software—Development. I. Title.
QA76.76.D47J29 2006
005.1—dc22
2005056155

to Claudia

Contents
Preface xi
Acknowledgments xv
1: Introduction 1
2: A Whirlwind Tour 5
2.1 Statics: Exploring States 6
2.2 Dynamics: Adding Operations 9
2.3 Classification Hierarchy 17
2.4 Execution Traces 22
2.5 Summary 28
3: Logic 33
3.1 Three Logics in One 33
3.2 Atoms and Relations 35
3.3 Snapshots 48
3.4 Operators 50
3.5 Constraints 69
3.6 Declarations and Multiplicity Constraints 74
3.7 Cardinality Constraints 80
4: Language 83
4.1 An Example: Self-Grandpas 83
4.2 Signatures and Fields 91
4.3 Model Diagrams 101
4.4 Types and Type Checking 107
4.5 Facts, Predicates, Functions, and Assertions 117
4.6 Commands and Scope 127
4.7 Modules and Polymorphism 130
4.8 Integers and Arithmetic 134
5: Analysis 139
5.1 Scope-Complete Analysis 139
5.2 Instances, Examples, and Counterexamples 144
5.3 Unbounded Universal Quantifiers 155
5.4 Scope Selection and Monotonicity 163
6: Examples 169
6.1 Leader Election in a Ring 169
6.2 Hotel Room Locking 185
6.3 Media Asset Management 203
6.4 Memory Abstractions 216
Appendix A: Exercises 229
A.1 Logic Exercises 230
A.2 Extending Simple Models 239
A.3 Classic Puzzles 242
A.4 Metamodels 245
A.5 Small Case Studies 247
A.6 Open-Ended Case Studies 251
Appendix B: Alloy Language Reference 253
B.1 Lexical Issues 253
B.2 Namespaces 254
B.3 Grammar 255
B.4 Precedence and Associativity 257
B.5 Semantic Basis 258
B.6 Types and Overloading 260
B.7 Language Features 265
Appendix C: Kernel Semantics 291
C.1 Semantics of the Alloy Kernel 291
C.2 Semantics of Integer Expressions and Formulas 293
Appendix D: Diagrammatic Notation 295
Appendix E: Alternative Approaches 297
E.1 An Example 299
E.2 B 306
E.3 OCL 312
E.4 VDM 318
E.5 Z 324
References 333
Index 341

[...]

... of a 10-year effort to bridge this gap, to develop a language that captures the essence of software abstractions simply and succinctly, with an analysis that is fully automatic, and can expose the subtlest of flaws. The language, Alloy, is deeply rooted in Z. Like Z, it describes all structures (in space and time) with a minimal toolkit of mathematical notions, but its toolkit is even smaller and simpler ...

... better and simpler software than we have today.

1: Introduction

Software is built on abstractions. Pick the right ones, and programming will flow naturally from design; modules will have small and simple interfaces; and new functionality will more likely fit in without extensive reorganization. Pick the wrong ones, and programming will be a series of nasty surprises: interfaces will become baroque and clumsy ...

... involved. A ten-line program can’t do very much, and has almost nothing in common with a thousand-line program. But a ten-line model can be very useful, and doesn’t differ that much from a hundred-line model, which is often all that’s needed to explore a difficult design issue. By developing the example in a series of small additions and modifications, I’ve attempted to convey the lightweight and incremental ...

... designing abstractions can save days of refactoring. In this respect, the Alloy language and its analysis are a Trojan horse: an attempt to capture the attention of software developers, who are mired in the tar pit of implementation technologies, and to bring them back to thinking deeply about underlying concepts. That is why I have chosen the title Software Abstractions for this book. The lure of coding, and ...

... unanticipated interactions, and even the simplest of changes will be hard to make. No amount of refactoring, bar starting again from scratch, can rescue a system built on flawed concepts. Abstractions matter to users too. Novice users want programs whose abstractions are simple and easy to understand; experts want abstractions that are robust and general enough to be combined in new ways. When good abstractions are ...

... structures and algorithms (or in object-oriented parlance, the class hierarchy, datatype representations, and methods). Unfortunately, this approach rarely works. The problem, as Bertrand Meyer once called it, is wishful thinking. You come up with a collection of abstractions that seem to be simple and robust. But when you implement them, they turn out to be incoherent and perhaps even inconsis- ...

... to use. Like the best artifacts of civil and mechanical engineering, the best software systems would be a marriage of utility and beauty. And as software designers, we’d have more fun: we’d spend less time working around basic structural flaws in our software, and our ideas would have more lasting impact.

Acknowledgments

I am deeply grateful to the many friends and colleagues who have helped in the writing ...

... Vaziri; and especially to Michael Jackson, Jeremy Jacob, Viktor Kuncak, Butler Lampson, Chris Wallace, David Wilczynski, and Pamela Zave, who read the book in its entirety and together found something to fix on almost every page. They have saved me from many embarrassments and the reader from countless frustrations and confusions. To the National Science Foundation, NASA, IBM, Microsoft, and Doug and Pat ...

... outside the software. The best abstractions, however, capture their underlying ideas so naturally and convincingly that they seem more like discoveries. The process of software development should be straightforward. First, you design the abstractions, from a careful consideration of the problem to be solved and its likely future variants. Then you develop its embodiments in code: the interfaces and modules, ...

... when replies became short and infrequent. To my brother, Adam Jackson, who insisted that my text be optically aligned (and showed me how to do it). And finally, to my wife Claudia, to whom I dedicate this book, who has taught me so much, especially that analysis isn’t everything (and that the New Yorker is much more fun than the Economist). And to my children Rachel, Rebecca and Akiva, who will grow up, ...

Posted: 05/04/2014, 01:26
