
    A Comparison of the Declarative Modelling Languages B, Dash, and TLA+

    Declarative behavioural modelling is a powerful modelling paradigm that enables users to model system functionality abstractly and concisely. We compare two well-used formal declarative modelling languages, B and TLA+, with a new modelling language called Dash. Dash is an extension of Alloy with explicit syntactic constructs for modelling transition systems, and it includes control state hierarchy and events. Particular topics that we cover in our comparison are: differences in the datatypes and type systems; how the transitions/operations can be described; how the transition relation is a combination of the transitions; and the default choice each language makes regarding permitted variable changes in a transition. Our goal is to discuss the interesting differentiating characteristics of each language to aid users in determining which language is the most suitable for their system.

    A Comprehensive Study of Declarative Modelling Languages

    Declarative behavioural modelling is a powerful modelling paradigm that enables users to model system functionality abstractly and formally. An abstract model is a concise and compact representation of key characteristics of a system, and enables the stakeholders to reason about the correctness of the system in the early stages of development. There are many different declarative languages and they have greatly varying constructs for representing a transition system, and they sometimes differ in rather subtle ways. In this thesis, we compare seven formal declarative modelling languages B, Event-B, Alloy, Dash, TLA+, PlusCal, and AsmetaL on several criteria. We classify these criteria under three main categories: structuring transition systems (control modelling), data descriptions in transition systems (data modelling), and modularity aspects of modelling. We developed this comparison by completing a set of case studies across the data- vs. control-oriented spectrum in all of the above languages. Structurally, a transition system is comprised of a snapshot declaration and snapshot space, initialization, and a transition relation, which is potentially composed of individual transitions. We meticulously outline the differences between the languages with respect to how the modeller would express each of the above components of a transition system in each language, and include discussions regarding stuttering and inconsistencies in the transition relation. Data-related aspects of a formal model include use of basic and composite datatypes, well-formedness and typechecking, and separation of name spaces with respect to global and local variables. Modularity criteria include subtransition systems and data decomposition. We employ a series of small and concise exemplars we have devised to highlight these differences in each language. To help modellers answer the important question of which declarative modelling language may be most suited for modelling their system, we present recommendations based on our observations about the differentiating characteristics of each of these languages.

    DASH: Declarative Modelling with Control State Hierarchy (Preliminary Version)

    We present a new language, called DASH, for describing formal behavioural models. DASH combines common modelling constructs to describe abstractly both data and control in an integrated manner. DASH uses the Alloy language for describing data and its operations declaratively, and adds syntax for labelled control state hierarchy common in Statecharts descriptions of transition systems. In addition, DASH accommodates multiple factoring paradigms for modelling (control states, events, and conditions) and includes syntactic sugar (e.g., transition comprehension, transition templates) to write models that are concise and easy to understand. We describe the formal semantics of DASH, which carefully mix the usual semantic understanding of control state hierarchy with the declarative perspective, for creating abstract models early in system development. We implement these semantics in a translator from DASH to Alloy, taking advantage of Alloy language features. We demonstrate DASH, our tool, and model checking analysis in the Alloy Analyzer using several case studies. The key novel insight of our work is in seamlessly combining common data and control modelling paradigms in a way that will be intuitive for those used to either paradigm, and enabling automatic analysis of the integrated model.

    Dash: Declarative Behavioural Modelling in Alloy

    An abstract model is a representation of the fundamental characteristics and properties of a system, and its purpose is to provide feedback to stakeholders about the correctness of the system during the early stages of development. This thesis presents Dash, a new language for the formal specification of abstract behavioural models, which combines the control-oriented constructs of statecharts with the declarative modelling of Alloy. From statecharts, Dash inherits a means to specify hierarchy, concurrency, and communication, three useful aspects to describe the behaviour of reactive systems. From Alloy, Dash uses the expressiveness of relational logic and set theory to abstractly and declaratively describe structures, data, and operations. The purpose of a Dash model is to formally describe a transition system, and for this reason transitions are first-class constructs of the language. Dash provides features such as factoring, transition comprehension, and layering, to systematically declare and organise the transitions of a model. The integration between statecharts and Alloy is done in Dash at the semantic level. The semantics of Dash use the notion of big steps and small steps to formally describe changes in a system, and address the mismatch between declarative and control-oriented formalisms regarding the frame problem. This thesis presents several case studies to demonstrate the modelling capabilities and automated analysis of Dash models. The case studies range from heavily data-oriented systems to highly hierarchical and concurrent systems. Behaviours can be specified using a temporal logic and the Alloy Analyzer is used for performing analyses. We extended the notion of significance axioms and significant scopes to concurrent Dash models, to avoid spurious instances of a model and ensure that a big enough search space is explored by the Analyzer to check for interesting behaviours and provide useful feedback about a model.

    Dash+: Extending Alloy with Hierarchical States and Replicated Processes for Modelling Transition Systems

    © 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

    Modelling systems abstractly shows great promise to uncover bugs early in system development. The formal language Alloy provides the means of writing constraints abstractly, but lacks explicit constructs for describing transition systems. Extensions to Alloy, such as Electrum, DynAlloy, and Dash, provide such constructs. However, still missing are language constructs to describe easily multiple processes with the same behaviour (replicated processes) running in parallel as is found in languages such as PlusCal and PROMELA. In this paper, we describe our proposal for adding explicit constructs to Dash for replicated processes. The result is Dash+: an Alloy language extension for describing transition systems that include both concurrent and hierarchical states and parametrized concurrent processes.

    Funding: Natural Sciences and Engineering Research Council of Canada (NSERC)

    Dash: declarative behavioural modelling in Alloy with control state hierarchy

    This is a post-peer-review, pre-copyedit version of an article published in Software and Systems Modeling. The final authenticated version is available online at: https://doi.org/10.1007/s10270-022-01012-1

    We present Dash, an extension to the Alloy language to model dynamic behaviour using the labelled control state hierarchy of Statecharts. From Statecharts, Dash borrows the concepts to specify hierarchy, concurrency, and communication for describing behaviour in a compositional manner. From Alloy, Dash uses the expressiveness of relational logic and set theory to abstractly and declaratively describe structures, data, and operations. We justify our semantic design decisions for Dash, which carefully mix the usual semantic understanding of control state hierarchy with the declarative perspective. We describe and implement the semantics of a Dash model by translating it to Alloy, taking advantage of Alloy language features. We evaluate our Dash translation and perform model checking analysis, enabled by our translation, in the Alloy Analyzer using several case studies. Dash provides modellers with a language that seamlessly combines the semantics of control-modelling paradigms with Alloy's existing strengths in modelling data and operations abstractly.

    Dash+: Extending Alloy with Replicated Processes for Modelling Transition Systems

    Modelling systems abstractly shows great promise to uncover bugs early in system development. The formal language Alloy provides the means of writing constraints abstractly but lacks explicit constructs for describing transition systems. Extensions to Alloy, such as Electrum, DynAlloy, and Dash, provide such constructs. However, still missing are language constructs to describe easily multiple processes with the same behavior (replicated processes) running in parallel as is found in languages such as PlusCal and Promela. We propose extensions to Dash for replicated processes. The result is Dash+: an Alloy language extension for describing transition systems that include both concurrent and hierarchical states and replicated concurrent processes. The processes can communicate via buffers or exchange information through variables and events. The key contributions of our novel approach are:
    1) Replicated and non-replicated components can be nested arbitrarily at any level in the state hierarchy.
    2) Replicated components can exchange information directly without resorting to global variables, as is the case in PlusCal and Promela.
    3) A modeller can abstractly model the topology of the processes (ring, list, etc.) through constraints on the set indexing the processes.
    4) Buffers can be used to facilitate communication between replicated components.
    Dash+ stays consistent with the semantics of Dash and uses the notion of big steps and small steps to describe changes in the system. The semantics are implemented in a translation to Alloy in a way that accommodates the following model checking options: traces-based model checking, transitive closure-based model checking (TCMC), and Electrum. Our implementation is fully integrated into the Alloy Analyzer. This thesis presents case studies to demonstrate the features of Dash+ in modelling systems with concurrent processes and the benefits that Dash+ offers over existing languages. We check for properties in each of the models in the case studies to demonstrate how different model checking options can be used.

    Extracting Counterexamples from Transitive-Closure-Based Model Checking

    © 2019 IEEE

    We address the problem of how to extract counterexamples for the transitive-closure-based model checking (TCMC) technique. TCMC is a representation of the CTLFC (CTL with fairness constraints) model checking problem in first-order logic with transitive closure (FOLTC) and has been implemented in the Alloy Analyzer. It is a declarative, symbolic model checking method. As a CTL model checking method, TCMC is defined over transition systems and states (rather than paths) and therefore returns a transition system with a bug as a counterexample. Our contribution is to isolate a counterexample path/subgraph in a declarative manner by adding constraints that do not depend on the property. Our method does not require extensions to Alloy.

    Transitive-closure-based model checking (TCMC) in Alloy

    This is a post-peer-review, pre-copyedit version of an article published in Software and Systems Modeling. The final authenticated version is available online at: https://doi.org/10.1007/s10270-019-00763-8

    We present transitive-closure-based model checking (TCMC): a symbolic representation of the semantics of computational tree logic with fairness constraints (CTLFC) for finite models in first-order logic with transitive closure (FOLTC). TCMC is an expression of the complete model checking problem for CTLFC as a set of constraints in FOLTC without induction, iteration, or invariants. We implement TCMC in the Alloy Analyzer, showing how a transition system can be expressed declaratively and concisely in the Alloy language. Since the total state space is rarely representable due to the state-space explosion problem, we present scoped TCMC, where the property is checked for state spaces of a size smaller than the total state space. We address the problem of spurious instances and carefully describe the meaning of results from scoped TCMC with respect to the complete model checking problem. Using case studies, we demonstrate scoped TCMC and compare it with bounded model checking, highlighting how TCMC can check infinite paths.

    Static Profiling of Alloy Models

    © 2022 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

    Modeling of software-intensive systems using formal declarative modeling languages offers a means of managing software complexity through the use of abstraction and early identification of correctness issues by formal analysis. Alloy is one such language used for modeling systems early in the development process. Little work has been done to study the styles and techniques commonly used in Alloy models. We present the first static analysis study of Alloy models. We investigate research questions that examine a large corpus of 1,652 Alloy models. To evaluate these research questions, we create a methodology that leverages the power of ANTLR pattern matching and the query language XPath. Our research questions are split into two categories depending on their purpose. The Model Characteristics category aims to identify what language constructs are used commonly. Modeling Practices questions are considerably more complex and identify how modelers are using Alloy's constructs. We also evaluate our research questions on a subset of models from our corpus written by expert modelers. We compare the results of the expert corpus to the results obtained from the general corpus to gain insight into how expert modelers use the Alloy language. We draw conclusions from the findings of our research questions and present actionable items for educators, language and environment designers, and tool developers. Actionable items for educators are intended to highlight underutilized language constructs and features, and help student modelers avoid discouraged practices. Actionable items aimed at language designers present ways to improve the Alloy language by adding constructs or removing unused ones based on trends identified in our corpus of models. The actionable items aimed at environment designers address features to facilitate model creation. Actionable items for tool developers provide suggestions for back-end optimizations.

    Funding: Natural Sciences and Engineering Research Council of Canada