## Kodkod: A relational model finder (2007)

Venue: | In Tools and Algorithms for Construction and Analysis of Systems (TACAS |

Citations: | 60 - 4 self |

### BibTeX

@INPROCEEDINGS{Torlak07kodkod:a,

author = {Emina Torlak and Daniel Jackson},

title = {Kodkod: A relational model finder},

booktitle = {In Tools and Algorithms for Construction and Analysis of Systems (TACAS},

year = {2007},

pages = {632--647},

publisher = {Wiley}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. The key design challenges in the construction of a SAT-based relational model finder are described, and novel techniques are proposed to address them. An efficient model finder must have a mechanism for specifying partial solutions, an effective symmetry detection and breaking scheme, and an economical translation from relational to boolean logic. These desiderata are addressed with three new techniques: a symmetry detection algorithm that works in the presence of partial solutions, a sparse-matrix representation of relations, and a compact representation of boolean formulas inspired by boolean expression diagrams and reduced boolean circuits. The presented techniques have been implemented and evaluated, with promising results. 1

### Citations

467 |
An Extensible SAT-solver
- Eén, Sörensson
- 2003
(Show Context)
Citation Context ...formed using the standard translation from boolean logic to conjunctive normal form (see, for example, [29]). The last step is delegated to an off-the-shelf SAT solver, such as zchaff [30] or MiniSat =-=[31]-=-. 4.1 Symmetry Detection Many problems exhibit symmetries. For example, the pigeons in the pigeonhole problem are symmetric, as are the pigeonholes; if there were a solution with a particular assignme... |

339 |
Co-operating sequential processes
- Dijkstra
- 1968
(Show Context)
Citation Context ... these mathematical problems, tend to have less regular structure, despite the grounding out of quantifiers. We compared Kodkod to Alloy 3 on three design problems: Dijkstra’s mutual exclusion scheme =-=[38]-=-, leader election in a ring [39], and the transfer protocol of the Mondex smart card [40].s14 The results are shown in Fig. 7. For the mutual exclusion and leader election problems, we use two differe... |

159 | Symmetry-breaking predicates for search problems
- Crawford, Ginsberg, et al.
- 1996
(Show Context)
Citation Context ...The analysis of a Kodkod problem P involves four steps: 1. Detecting P ’s symmetries. 5s6 2. Translating P into a Compact Boolean Circuit, CBC(P ). 3. Computing SBP(P ), a symmetry breaking predicate =-=[27, 28]-=- for P . 4. Transforming CBC(P ) ∧ SBP(P ) into conjunctive normal form, CNF(P ). 5. Applying a SAT solver to CNF(P ), and, if CNF(P ) is satisfiable, interpreting its model as an instance of P . The ... |

127 |
The TPTP Problem Library: CNF Release v1.2.1
- G, Suttner
- 1998
(Show Context)
Citation Context ...ology that we describe, outperforms Alloy even on the problems for which Alloy was designed. It also outperforms other SAT-based logic engines (such as Paradox [7] and MACE2 [8]) on a variety of TPTP =-=[9]-=- benchmarks. The underlying technology involves translation from relational to boolean logic, and the application of an off-the-shelf SAT solver on the resulting boolean formula. The contributions of ... |

120 | Translating pseudo-Boolean constraints into SAT
- Een, Sörensson
(Show Context)
Citation Context ...ry breaking predicate for the symmetry classes detected in the first step. The fourth step is performed using the standard translation from boolean logic to conjunctive normal form (see, for example, =-=[29]-=-). The last step is delegated to an off-the-shelf SAT solver, such as zchaff [30] or MiniSat [31]. 4.1 Symmetry Detection Many problems exhibit symmetries. For example, the pigeons in the pigeonhole p... |

96 |
A micromodularity mechanism
- Jackson, Shlyakhter, et al.
- 2001
(Show Context)
Citation Context ...es are offered in, and a set of courses already taken, a relational engine can plan a student’s course schedule.s2 We have established the feasibility of using a relational engine for design analysis =-=[1]-=-, code analysis [2, 3] and test case generation [4] in earlier work. The prototype tool that we describe in this paper has been applied to design analysis, code analysis [5], and course scheduling [6]... |

95 | A Davis-Putnam program and its application to finite first-order model seach: Quasigroup existence problems
- McCune
- 1994
(Show Context)
Citation Context ...ovements in the core technology that we describe, outperforms Alloy even on the problems for which Alloy was designed. It also outperforms other SAT-based logic engines (such as Paradox [7] and MACE2 =-=[8]-=-) on a variety of TPTP [9] benchmarks. The underlying technology involves translation from relational to boolean logic, and the application of an off-the-shelf SAT solver on the resulting boolean form... |

90 |
An improved algorithm for decentralized extremafinding in circular configuration of processors
- Chang, Roberts
- 1979
(Show Context)
Citation Context ...nd to have less regular structure, despite the grounding out of quantifiers. We compared Kodkod to Alloy 3 on three design problems: Dijkstra’s mutual exclusion scheme [38], leader election in a ring =-=[39]-=-, and the transfer protocol of the Mondex smart card [40].s14 The results are shown in Fig. 7. For the mutual exclusion and leader election problems, we use two different universe sizes; for the Monde... |

79 | Symbolic reachability analysis based on sat-solvers. TACAS-00
- Abdulla, Bjesse, et al.
- 2000
(Show Context)
Citation Context ...tomization’ used in Alloy [10]. · A new scheme for detecting opportunities for sharing in the constraint abstract syntax tree inspired by boolean expression diagrams [11] and reduced boolean circuits =-=[12]-=-. Another major difference between the new tool and Alloy is its implementation as an API rather than as a standalone application. Alloy can in fact be accessed as an API, but the interface is string-... |

72 | Sem: a system for enumerating models
- Zhang, Zhang
- 1995
(Show Context)
Citation Context ...e the task of solving it to a SAT solver.sMost research on model finding has focused on producing high-performance tools for group-theoretic investigations. LDPP [14], MACE2 [8], FALCON [18], and SEM =-=[19]-=- have all been used to solve open problems in abstract algebra. Formulation of group-theoretic problems requires only a minimal logic. SEM and FINDER, for example, work on a quantifier-free many-sorte... |

70 |
Elements of style: Analyzing a software design feature with a counterexample detector
- Jackson, Damon
- 1996
(Show Context)
Citation Context ...e first model finder to handle binary relations and transitive closure in addition to quantifier-free FOL. This made it an attractive choice for analyzing small problems that involve structured state =-=[20, 21]-=-. The usefulness of Nitpick was, however, limited by its poor scalability and lack of support for quantifiers and higher-arity relations. The Alloy language and its analyzer [15] addressed both the sc... |

64 |
Berkmin: a fast and robust SAT solver
- Goldberg, Novikov
- 2002
(Show Context)
Citation Context ..., we check a variety of assertions in the same universe. The performance data includes the size of the generated CNF and the time, in seconds, taken to generate and solve it using various SAT engines =-=[41, 31, 30]-=-. In all cases, Kodkod produces smaller formulas, which are solved faster by BerkMin [41] and zChaff [30]. Interestingly, on the Mondex problem (and a few others we encountered), MiniSat actually perf... |

62 | New techniques that improve mace-style finite model finding
- Claessen, Sorensson
- 2003
(Show Context)
Citation Context ...d, due to improvements in the core technology that we describe, outperforms Alloy even on the problems for which Alloy was designed. It also outperforms other SAT-based logic engines (such as Paradox =-=[7]-=- and MACE2 [8]) on a variety of TPTP [9] benchmarks. The underlying technology involves translation from relational to boolean logic, and the application of an off-the-shelf SAT solver on the resultin... |

53 |
Automatic generation of some results in finite algebra
- Fujita, Slaney, et al.
- 1993
(Show Context)
Citation Context ...e models of first order logic (FOL) formulas [7, 8, 14–19]. Several of these [16–19] implement specialized search algorithms for exploring the space of possible interpretations of a formula. The rest =-=[7, 8, 14, 15]-=- are essentially compilers. Given a FOL formula and a finite universe of uninterpreted atoms, they construct an equivalent propositional satisfiability problem and delegate the task of solving it to a... |

46 | Boolean expression diagrams
- Andersen, Hulgaard
- 2002
(Show Context)
Citation Context ... and better performing than the ‘atomization’ used in Alloy [10]. · A new scheme for detecting opportunities for sharing in the constraint abstract syntax tree inspired by boolean expression diagrams =-=[11]-=- and reduced boolean circuits [12]. Another major difference between the new tool and Alloy is its implementation as an API rather than as a standalone application. Alloy can in fact be accessed as an... |

41 | Zchaff2004: An efficient sat solver
- Mahajan, Fu, et al.
- 2005
(Show Context)
Citation Context ...urth step is performed using the standard translation from boolean logic to conjunctive normal form (see, for example, [29]). The last step is delegated to an off-the-shelf SAT solver, such as zchaff =-=[30]-=- or MiniSat [31]. 4.1 Symmetry Detection Many problems exhibit symmetries. For example, the pigeons in the pigeonhole problem are symmetric, as are the pigeonholes; if there were a solution with a par... |

41 |
Groups and Symmetry
- Armstrong
- 1988
(Show Context)
Citation Context ...the task of finding Sym(P ) to that of computing the automorphisms of the graphs that correspond to the constants in D—a problem with no known polynomial 1 Recall that cycle notation for permutations =-=[34]-=- indicates that each element in a pair of parenthesis is mapped to the one following it, with the last element being mapped to the first. The elements that are fixed under a permutation are not mentio... |

39 | TestEra: Specification-based Testing of Java Programs using SAT
- Khurshid, Marinov
- 2004
(Show Context)
Citation Context ...en, a relational engine can plan a student’s course schedule.s2 We have established the feasibility of using a relational engine for design analysis [1], code analysis [2, 3] and test case generation =-=[4]-=- in earlier work. The prototype tool that we describe in this paper has been applied to design analysis, code analysis [5], and course scheduling [6]; it is also a mean Sudoku player. Our earlier work... |

36 |
Checking properties of heap-manipulating procedures with a constraint solver
- Vaziri, Jackson
- 2003
(Show Context)
Citation Context ...and a set of courses already taken, a relational engine can plan a student’s course schedule.s2 We have established the feasibility of using a relational engine for design analysis [1], code analysis =-=[2, 3]-=- and test case generation [4] in earlier work. The prototype tool that we describe in this paper has been applied to design analysis, code analysis [5], and course scheduling [6]; it is also a mean Su... |

30 |
D.: Exploring the design of an intentional naming scheme with an automatic constraint analyzer
- Khurshid, Jackson
- 2000
(Show Context)
Citation Context ...rts first order quantifiers, connectives, arbitrary-arity relations, and transitive closure. Alloy has been applied to a wide variety of problems, including the design of an intentional naming scheme =-=[22]-=-, the safety properties of the beam scheduler for a proton therapy machine [23], code analysis [2, 3], test-case generation [4], and network configuration [24]. Alloy’s main deficiency as a general-pu... |

27 | FINDER: Finite Domain Enumerator, System Description - Slaney - 1994 |

27 | Network Configuration Management via Model Finding
- Narain
- 2004
(Show Context)
Citation Context ...e design of an intentional naming scheme [22], the safety properties of the beam scheduler for a proton therapy machine [23], code analysis [2, 3], test-case generation [4], and network configuration =-=[24]-=-. Alloy’s main deficiency as a general-purpose problem description language is its lack of support for partial instances. Logic programming languages such as Prolog [25] and Oz [26] provide mechanisms... |

27 |
Computational complexity and classification of finite simple groups
- BABAI, KANTOR, et al.
- 1983
(Show Context)
Citation Context ... E)(Y R)(G). 2 The proofs of all assertions and theorems stated in this section can be found in the technical report on Kodkod [35], available at http://hdl.handle.net/1721.1/34218. 7s8 time solution =-=[36]-=-. So, we use the algorithm in Fig. 3 to find a polynomially computable subset of Sym(P ) that is equal to Sym(P ) for many problems, including the pigeonhole, traffic lights, and all problems in Secti... |

26 | Inferring specifications to detect errors in code
- Taghdiri
- 2004
(Show Context)
Citation Context ...and a set of courses already taken, a relational engine can plan a student’s course schedule.s2 We have established the feasibility of using a relational engine for design analysis [1], code analysis =-=[2, 3]-=- and test case generation [4] in earlier work. The prototype tool that we describe in this paper has been applied to design analysis, code analysis [5], and course scheduling [6]; it is also a mean Su... |

18 | Isomorph-free model enumeration: A new method for checking relational specifications
- JACKSON, JHA, et al.
- 1998
(Show Context)
Citation Context ...-black trees or binomial heaps). Furthermore, lack of a closure operator, which cannot be encoded using first order constructs, makes it impossible to express common reachability constraints. Nitpick =-=[16]-=- was the first model finder to handle binary relations and transitive closure in addition to quantifier-free FOL. This made it an attractive choice for analyzing small problems that involve structured... |

16 | Automating Commutativity Analysis at the Design Level
- Dennis, Seater, et al.
(Show Context)
Citation Context ...tive closure. Alloy has been applied to a wide variety of problems, including the design of an intentional naming scheme [22], the safety properties of the beam scheduler for a proton therapy machine =-=[23]-=-, code analysis [2, 3], test-case generation [4], and network configuration [24]. Alloy’s main deficiency as a general-purpose problem description language is its lack of support for partial instances... |

11 | Exploiting Subformula Sharing in Automatic Analysis of Quantified Formulas - Shlyakhter, Sridharan, et al. - 2003 |

8 |
The Craft of Prolog. Logic Programming
- O'Keefe
- 1990
(Show Context)
Citation Context ...[4], and network configuration [24]. Alloy’s main deficiency as a general-purpose problem description language is its lack of support for partial instances. Logic programming languages such as Prolog =-=[25]-=- and Oz [26] provide mechanisms for taking advantage of partial knowledge to speed up constraint solving, but they lack quantifiers, relational operators, and transitive closure. The logic presented i... |

8 |
Declarative Symbolic Pure Logic Model Checking
- Shlyakhter
- 2005
(Show Context)
Citation Context ...lence class induced by Sym(P ) to find a model of P . Isomorph elimination (a.k.a. symmetry breaking), using either a symmetry-aware model finder on P [18, 19, 16] or a SAT solver on CNF(P ∧ SBP(P )) =-=[7, 32]-=-, typically speeds up the model search by orders of magnitude. Many interesting problems are intractable without symmetry breaking [27, 33]. In the case of a standard typed logic such as the Alloy lan... |

8 | SymChaff: A structure-aware satisfiability solver
- Sabharwal
- 2005
(Show Context)
Citation Context ... finder on P [18, 19, 16] or a SAT solver on CNF(P ∧ SBP(P )) [7, 32], typically speeds up the model search by orders of magnitude. Many interesting problems are intractable without symmetry breaking =-=[27, 33]-=-. In the case of a standard typed logic such as the Alloy language or SEM’s logic, symmetry detection in a universe of uninterpreted atoms is straightforward: Sym(P ) is the set of all permutations th... |

7 |
Faster Constraint Solving with Subtypes
- Edwards, Jackson, et al.
- 2004
(Show Context)
Citation Context ...tial instances was a key reason for not supporting them. · A new sparse-matrix representation of relations that is both simpler to implement and better performing than the ‘atomization’ used in Alloy =-=[10]-=-. · A new scheme for detecting opportunities for sharing in the constraint abstract syntax tree inspired by boolean expression diagrams [11] and reduced boolean circuits [12]. Another major difference... |

7 | The design of a relational engine
- Torlak, Jackson
- 2006
(Show Context)
Citation Context ... that are fixed under a permutation are not mentioned, i.e. (N E)(Y R)=(N E)(Y R)(G). 2 The proofs of all assertions and theorems stated in this section can be found in the technical report on Kodkod =-=[35]-=-, available at http://hdl.handle.net/1721.1/34218. 7s8 time solution [36]. So, we use the algorithm in Fig. 3 to find a polynomially computable subset of Sym(P ) that is equal to Sym(P ) for many prob... |

5 | Declarative Configuration Applied to Course Scheduling
- Yeung
- 2006
(Show Context)
Citation Context ...[1], code analysis [2, 3] and test case generation [4] in earlier work. The prototype tool that we describe in this paper has been applied to design analysis, code analysis [5], and course scheduling =-=[6]-=-; it is also a mean Sudoku player. Our earlier work involved the development of the Alloy modeling language [1] and its analyzer. The Alloy Analyzer was designed for the analysis of software models, a... |

4 |
Modular verification of code
- Dennis, Chang, et al.
- 2006
(Show Context)
Citation Context ...engine for design analysis [1], code analysis [2, 3] and test case generation [4] in earlier work. The prototype tool that we describe in this paper has been applied to design analysis, code analysis =-=[5]-=-, and course scheduling [6]; it is also a mean Sudoku player. Our earlier work involved the development of the Alloy modeling language [1] and its analyzer. The Alloy Analyzer was designed for the ana... |

4 |
Kodkod for alloy users
- Torlak, Dennis
- 2006
(Show Context)
Citation Context ...awkward to use. The new tool is designed to be a plugin component that can easily be incorporated as a backend of another tool. These considerations, however, while crucial motivations of the project =-=[13]-=-, are not the topic of the present paper. 2 Related Work A variety of tools have been developed for finding finite models of first order logic (FOL) formulas [7, 8, 14–19]. Several of these [16–19] im... |

4 |
Generating effective symmetry breaking predicates for search problems
- Shlyakhter
- 2001
(Show Context)
Citation Context ...The analysis of a Kodkod problem P involves four steps: 1. Detecting P ’s symmetries. 5s6 2. Translating P into a Compact Boolean Circuit, CBC(P ). 3. Computing SBP(P ), a symmetry breaking predicate =-=[27, 28]-=- for P . 4. Transforming CBC(P ) ∧ SBP(P ) into conjunctive normal form, CNF(P ). 5. Applying a SAT solver to CNF(P ), and, if CNF(P ) is satisfiable, interpreting its model as an instance of P . The ... |

3 |
The generation and application of finite models
- Zhang
- 1994
(Show Context)
Citation Context ...em and delegate the task of solving it to a SAT solver.sMost research on model finding has focused on producing high-performance tools for group-theoretic investigations. LDPP [14], MACE2 [8], FALCON =-=[18]-=-, and SEM [19] have all been used to solve open problems in abstract algebra. Formulation of group-theoretic problems requires only a minimal logic. SEM and FINDER, for example, work on a quantifier-f... |

3 |
A Nitpick specification of IPv6. Senior Honors thesis
- NG
- 1997
(Show Context)
Citation Context ...e first model finder to handle binary relations and transitive closure in addition to quantifier-free FOL. This made it an attractive choice for analyzing small problems that involve structured state =-=[20, 21]-=-. The usefulness of Nitpick was, however, limited by its poor scalability and lack of support for quantifiers and higher-arity relations. The Alloy language and its analyzer [15] addressed both the sc... |

2 |
Automating first order relational logic
- Jackson
- 2000
(Show Context)
Citation Context ...e models of first order logic (FOL) formulas [7, 8, 14–19]. Several of these [16–19] implement specialized search algorithms for exploring the space of possible interpretations of a formula. The rest =-=[7, 8, 14, 15]-=- are essentially compilers. Given a FOL formula and a finite universe of uninterpreted atoms, they construct an equivalent propositional satisfiability problem and delegate the task of solving it to a... |

2 |
The Mondex case study with Alloy. http://www.eleves.ens.fr/ home/ramanana/work/mondex
- Ramananandro
- 2006
(Show Context)
Citation Context ...out of quantifiers. We compared Kodkod to Alloy 3 on three design problems: Dijkstra’s mutual exclusion scheme [38], leader election in a ring [39], and the transfer protocol of the Mondex smart card =-=[40]-=-.s14 The results are shown in Fig. 7. For the mutual exclusion and leader election problems, we use two different universe sizes; for the Mondex problem, we check a variety of assertions in the same u... |