Aluminum: Principled scenario exploration through minimality

Tim Nelson, Salman Saghafi, Daniel J. Dougherty, Kathi Fisler, Shriram Krishnamurthi
2013. 35th International Conference on Software Engineering (ICSE)
Scenario-finding tools such as Alloy are widely used to understand the consequences of specifications, with applications to software modeling, security analysis, and verification. This paper focuses on the exploration of scenarios: which scenarios are presented first, and how to traverse them in a well-defined way. We present Aluminum, a modification of Alloy that presents only minimal scenarios: those that contain no more than is necessary. Aluminum lets users explore the scenario space by adding to scenarios and backtracking. It also provides the ability to find what can consistently be used to extend each scenario. We describe the semantic basis of Aluminum in terms of minimal models of first-order logic formulas. We show how this theory can be implemented atop existing SAT-solvers and quantify both the benefits of minimality and its small computational overhead. Finally, we offer some qualitative observations about scenario exploration in Aluminum.

Because of this unique combination of characteristics, scenarios are attractive software engineering tools.

B. Scenarios, Formally

Because the term "scenario" has many informal meanings, it helps to pin down our terminology. A specification is a first-order logic description written by a user, e.g., in Alloy syntax. This will include an (Alloy) command to be run: the result of running a command is a set of models. Here "model" has its traditional meaning from logic: an assignment of values to variables that makes a formula true. A model can be either propositional or relational, the latter being the structures appropriate to first-order logic; we need to refer to both, because our specifications are first-order but the underlying SAT-solver produces propositional models. Which one we mean will usually be clear from context, but where necessary we will disambiguate. Finally, a scenario is a relational model that is shown to the user. It may thus have embellishments for compelling visual presentation, such as atom names drawn from the specification. Nevertheless, because its semantic content is just a relational model, we will feel free to use "scenario" and "model" interchangeably whenever it is clear that we are in a non-propositional context.
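The following Python program is an added illustration of the ideas above (minimal models, enumerating them by blocking supersets, and finding what can consistently be added to a scenario); it is not code from the paper or from the Aluminum tool. The specification (users own files, signatures disjoint, each file has exactly one owner, at least one file exists), the three-atom universe, and every function name are constructed for this example. A brute-force enumeration over the finite universe stands in for the SAT-solver the paper builds on; the minimization loop, the superset blocking and the augmentation step are the same shape regardless of which solver answers the queries.

```python
from itertools import product

# Constructed example: a three-atom universe and a tiny relational spec.
ATOMS = ("a", "b", "c")

# Candidate facts: every tuple any relation of the spec could contain.
FACTS = frozenset(
    [("User", x) for x in ATOMS]
    + [("File", x) for x in ATOMS]
    + [("owns", u, f) for u, f in product(ATOMS, repeat=2)]
)


def rel(model, name):
    """Tuples of relation `name` in `model` (a frozenset of facts)."""
    return {fact[1:] for fact in model if fact[0] == name}


def holds(model):
    """True iff `model` satisfies the constructed spec."""
    users = {t[0] for t in rel(model, "User")}
    files = {t[0] for t in rel(model, "File")}
    owns = rel(model, "owns")
    if users & files:                      # User and File are disjoint
        return False
    if any(u not in users or f not in files for (u, f) in owns):
        return False                       # owns is typed User -> File
    if any(sum(1 for (_, f2) in owns if f2 == f) != 1 for f in files):
        return False                       # every file has exactly one owner
    return bool(files)                     # Alloy's "some File"


def all_models():
    """Enumerate every model over the finite universe (2**15 candidates here)."""
    facts = sorted(FACTS)
    models = []
    for bits in range(1 << len(facts)):
        m = frozenset(f for i, f in enumerate(facts) if bits >> i & 1)
        if holds(m):
            models.append(m)
    # A SAT-solver returns an arbitrary model; handing back the largest one
    # first makes the minimization loop below do visible work.
    models.sort(key=len, reverse=True)
    return models


MODELS = all_models()


def solve(extra=lambda m: True):
    """Stand-in for one solver call: some model satisfying `extra`, or None."""
    return next((m for m in MODELS if extra(m)), None)


def minimize(model, lower=frozenset()):
    """Shrink `model` to a subset-minimal model that still contains `lower`,
    by repeatedly asking the solver for a strictly smaller model."""
    while True:
        smaller = solve(lambda m: lower <= m and m < model)
        if smaller is None:
            return model
        model = smaller


def minimal_models():
    """All minimal models: after each is found, block every superset of it.
    Minimal models are pairwise incomparable, so none is lost by blocking."""
    found = []
    while True:
        m = solve(lambda m: not any(prev <= m for prev in found))
        if m is None:
            return found
        found.append(minimize(m))


def consistent_facts(model):
    """Facts that can be added to `model` while keeping it satisfiable."""
    return {f for f in FACTS - model
            if solve(lambda m: (model | {f}) <= m) is not None}


def augment(model, fact):
    """A minimal model containing `model` plus `fact`, or None if inconsistent."""
    lower = model | {fact}
    bigger = solve(lambda m: lower <= m)
    return None if bigger is None else minimize(bigger, lower=lower)


if __name__ == "__main__":
    for m in minimal_models():
        print("minimal:", sorted(m))
    first = frozenset({("User", "a"), ("File", "b"), ("owns", "a", "b")})
    print("can add:", sorted(consistent_facts(first)))
    print("augmented with File(c):", sorted(augment(first, ("File", "c"))))
```

Note that the empty model is not a scenario here only because of the `some File` constraint; drop it and Aluminum-style exploration would start from the empty scenario, which is exactly the kind of "nothing is forced" observation minimality makes visible. The augmentation step minimizes relative to the scenario being extended, so adding `File(c)` pulls in the owner tuple the spec requires and nothing else.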
doi:10.1109/icse.2013.6606569 dblp:conf/icse/NelsonSDFK13 fatcat:7n7s7ubw75e7dfgt7sad5t6rca