Transitive-closure-based model checking (TCMC) in Alloy

  • 25 Accesses


We present transitive-closure-based model checking (TCMC): a symbolic representation of the semantics of computational tree logic with fairness constraints (CTLFC) for finite models in first-order logic with transitive closure (FOLTC). TCMC is an expression of the complete model checking problem for CTLFC as a set of constraints in FOLTC without induction, iteration, or invariants. We implement TCMC in the Alloy Analyzer, showing how a transition system can be expressed declaratively and concisely in the Alloy language. Since the total state space is rarely representable due to the state-space explosion problem, we present scoped TCMC where the property is checked for state spaces of a size smaller than the total state space. We address the problem of spurious instances and carefully describe the meaning of results from scoped TCMC with respect to the complete model checking problem. Using case studies, we demonstrate scoped TCMC and compare it with bounded model checking, highlighting how TCMC can check infinite paths.

This is a preview of subscription content, log in to check access.

Access options

Buy single article

Instant unlimited access to the full article PDF.

US$ 39.95

Price includes VAT for USA

Subscribe to journal

Immediate online access to all issues from 2019. Subscription will auto renew annually.

US$ 99

This is the net price. Taxes to be calculated in checkout.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17
Fig. 18
Fig. 19
Fig. 20
Fig. 21
Fig. 22
Fig. 23
Fig. 24


  1. 1.

    This translation increases the size of a transition system.

  2. 2.

  3. 3.

    A full subgraph of a graph is a subset of the nodes with all edges between these nodes that are found in the original graph.

  4. 4.

    Infinite liveness, also described in this figure, is explained in a later subsection.

  5. 5.

    The use of id[X] in EG (from which AF and AU are derived) in the TCMC implementation in Fig. 2 requires there to be a looping path from a state back to itself to make an infinite path.

  6. 6.

    Existential TCMC requires the satisfying TS instance to have some path from all initial states of the TS instance; however, unless the model requires there to be multiple initial states, usually there is a TS instance with only one initial state meaning there is some path from some initial state.

  7. 7.


  1. 1.

    Abrial, J.R.: The B Book: Assigning Programs to Meanings. Cambridge University Press, Cambridge (1996)

  2. 2.

    Biere, A., Cimatti, A., Clarke, E., Zhu, Y.: Symbolic model checking without BDDs. In: Chechik, M. (ed.) Tools and Algorithms for the Construction and Analysis of Systems, pp. 193–207. Springer, Berlin (1999)

  3. 3.

    Börger, E.: The ASM method for system design and analysis. A tutorial introduction. In: Frontiers of Combining Systems, Lecture Notes in Computer Science, vol. 3717, pp. 264–283. Springer (2005)

  4. 4.

    Bradley, A.R.: SAT-based model checking without unrolling. In: International Conference on Verification, Model Checking, and Abstract Interpretation, Lecture Notes in Computer Science, vol. 6538, pp. 70–87. Springer (2011)

  5. 5.

    Chang, F.S.H., Jackson, D.: Symbolic model checking of declarative relational models. In: International Conference on Software Engineering, pp. 312–320. ACM (2006)

  6. 6.

    Cimatti, A., Clarke, E., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebastiani, R., Tacchella, A.: NuSMV 2: An opensource tool for symbolic model checking. In: Computer Aided Verification, Lecture Notes In Computer Science, vol. 2404, pp. 241–268. Springer (2002)

  7. 7.

    Clarke, E., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Boca Raton (1999)

  8. 8.

    Clarke, E.M., Grumberg, O., Hamaguchi, K.: Another look at LTL model checking. Form. Methods Syst. Design 10, 47–71 (1997)

  9. 9.

    Cunha, A.: Bounded model checking of temporal formulas with Alloy. In: International Conference on Abstract State Machines. Alloy, B, VDM, and Z, pp. 303–308. Springer, Berlin (2014)

  10. 10.

    Del Castillo, G., Winter, K.: Model checking support for the ASM high-level language. In: Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes In Computer Science, vol. 1785, pp. 331–346. Springer (2000)

  11. 11.

    Dijkstra, E.W.: Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM 18(8), 453–457 (1975)

  12. 12.

    Dold, A.: A formal representation of abstract state machines using PVS. Verifix Technical Report Ulm/6.2, Universität Ulm (1998)

  13. 13.

    Eén, N., Sörensson, N.: An Extensible SAT-solver. In: Theory and Applications of Satisfiability Testing, Lecture Notes in Computer Science, vol. 2919, pp. 333–336. Springer (2004)

  14. 14.

    Farheen, S.: Improvements to transitive-closure-based model checking in Alloy. M.Math thesis, University of Waterloo, David R. Cheriton School of Computer Science (2018)

  15. 15.

    Frias, M.F., Galeotti, J.P., López Pombo, C.G., Aguirre, N.M.: DynAlloy: upgrading Alloy with actions. In: International Conference on Software Engineering, pp. 442–451. ACM (2005)

  16. 16.

    Grumberg, O., Long, D.E.: Model checking and modular verification. In: Proccedings of 2nd International Conference on Concurrency Theory. Lecture Notes in Computer Science, vol. 527, pp. 250–265. Springer (1991)

  17. 17.

    Immerman, N., Vardi, M.: Model checking and transitive-closure logic. In: Computer-Aided Verification, Lecture Notes in Computer Science, vol. 1254, pp. 291–302. Springer (1997)

  18. 18.

    International Organisation for Standardization. Information Technology Z Formal Specification Notation Syntax, Type System and Semantics (2000)

  19. 19.

    Jackson, D.: Alloy: a lightweight object modelling notation. ACM Trans. Softw. Eng. Methodol. 11(2), 256–290 (2002)

  20. 20.

    Jackson, D.: Software Abstractions—Logic, Language, and Analysis. MIT Press, Cambridge (2012)

  21. 21.

    Kember, M., Tran, L., Gao, G., Day, N.A.: Extracting counterexamples from transitive-closure-based model checking. In: Workshop on Modelling in Software Engineering (MISE)@ International Conference on Software Engineering (ICSE), pp. 47–54. ACM (2019)

  22. 22.

    Krings, S., Leuschel, M.: Proof assisted bounded and unbounded symbolic model checking of software and system models. Sci. Comput. Program. 15, 41–63 (2018)

  23. 23.

    Leuschel, M., Butler, M.: ProB: an automated analysis toolset for the B method. Int. J. Softw. Tools Technol. Transf. 10, 185–203 (2008)

  24. 24.

    Macedo, N., Brunel, J., Chemouil, D., Cunha, A., Kuperberg, D.: Lightweight specification and analysis of dynamic systems with rich configurations. In: Foundations of Software Engineering, pp. 373–383. ACM (2016)

  25. 25.

    McMillan, K.: Symbolic model checking: an approach to the state explosion problem. Ph.D. thesis, Pittsburgh, PA, USA (1992)

  26. 26.

    Milicevic, A., Near, J.P., Kang, E., Jackson, D.: Alloy*: a general-purpose higher-order relational constraint solver. In: International Conference on Software Engineering, vol. 1, 609–619. IEEE (2015)

  27. 27.

    Nissanke, N.: Formal Specification: Techniques and Applications, 1st edn. Springer, Berlin (1999)

  28. 28.

    Plath, M., Ryan, M.: Feature integration using a feature construct. Sci. Comput. Program. 41(1), 53–84 (2001)

  29. 29.

    Regis, G., Cornejo, C., Gutiérrez Brida, S., Politano, M., Raverta, F., Ponzio, P., Aguirre, N., Galeotti, J.P., Frias, M.: DynAlloy analyzer: a tool for the specification and analysis of alloy models with dynamic behaviour. In: Foundations of Software Engineering, pp. 969–973. ACM (2017)

  30. 30.

    Schellhorn, G., Ahrendt, W.: Reasoning about abstract state machines: the WAM case study. J. Univers. Comput. Sci. 3(4), 377–413 (1997)

  31. 31.

    Selic, B.: From model-driven development to model-driven engineering. In: Euromicro Conference on Real-Time Systems. IEEE Computer Society (2007)

  32. 32.

    Serna, J., Day, N.A., Farheen, S.: DASH: a new language for declarative behavioural requirements with control state hierarchy. In: International workshop on model-driven requirements engineering (MoDRE)@ IEEE international requirements engineering conference (RE), pp. 64–68 (2017)

  33. 33.

    Vakili, A.: Temporal logic model checking as automated theorem proving. Ph.D. thesis, University of Waterloo, David R. Cheriton School of Computer Science (2016)

  34. 34.

    Vakili, A., Day, N.A.: Temporal model checking in alloy. In: International Conference on Abstract State Machines, Alloy, B, VDM, and Z, Lecture Notes In Computer Science, vol. 7316, pp. 150–163. Springer (2012)

  35. 35.

    Vardi, M.Y., Wolper, P.: Reasoning about infinite computations. Inf. Comput. 115, 1–37 (1994)

  36. 36.

    Yu, Y., Manolios, P., Lamport, L.: Model checking TLA+ specifications. In: IFIP WG 10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods, pp. 54–66. Springer (1999)

Download references


We thank Amin Bandali, George Gao, Eunsuk Kang, Mitchell Kember, Joseph Poremba, Jose Serna, Khadija Tariq and Lynn Tran for their help in discussions regarding Alloy. This research was supported in part by the Natural Sciences and Engineering Research Council of Canada (NSERC).

Author information

Correspondence to Nancy A. Day.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Communicated by Dr. Antonio Cerone.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Farheen, S., Day, N.A., Vakili, A. et al. Transitive-closure-based model checking (TCMC) in Alloy. Softw Syst Model (2020).

Download citation


  • Symbolic model checking
  • Alloy
  • Declarative models