Purpose of Assignment:
------------------------

To help you...

(1) learn how to enrich Alloy specifications with more detail,
(2) learn how to define dynamic Alloy specifications,
(3) learn to use the Alloy Constraint Analyzer to check that operations preserve system invariants, and
(4) learn how to interpret the results of assertion checks.

Problem Description:
------------------------

You are to extend the simple model of the system for managing "ground traffic" at an airport that was developed in the first airport problem. This extension will happen in three different areas: more detailed modeling of physical constraints, more detailed modeling of ground traffic control policies, and modeling the movement of mobile resources.

Recall that for the purposes of this problem we can consider an airport to have two kinds of resources: fixed resources and mobile resources. Fixed resources include gates, runways, and taxiways. In this problem we would like to enrich the model of these fixed resources to capture constraints on their topology and inter-connections. Example constraints (which are detailed below) include: that a gate is comprised of a single location, that runways are comprised of multiple locations, and that runways may intersect but no other fixed resource may. The novelty here is the decoupling of the notion of location from the fixed resources. In the enriched model fixed resources are related to the locations that constitute the resource rather than being thought of as locations themselves.

Airports have mobile resources like planes and service vehicles (trucks for delivering fuel/food/etc.). In addition to the constraints from problem #1 you will model the movement of mobile resources (e.g., takeoff, land, taxi, etc.).
Definition of operations that model the movement of mobile resources, together with an increased level of detail in modeling fixed resources, will enable the enforcement of ground traffic control policies that could not be expressed in the model developed for problem #1. For example, your model will be able to describe the landing of a plane.

Problem Constraints:
------------------------

The following constraints dictate the structure of the airport's fixed resources. All of these must be incorporated into your model:

 1) Mobile resources can be at one location at a time
 2) A location can hold at most one plane
 3) Fixed resources consist of some number of adjacent locations
 4) Gates consist of a single location that is adjacent to a single taxiway at a single location
 5) Runways consist of multiple locations
 6) Of the fixed resources, only runways can intersect, and at most at one location
 7) Taxiways are adjacent to other fixed resources at at most one location
 8) Planes can reach a runway from any gate

We will reuse the constraints that governed policies on mobile resources in the static model from problem #1. We restate the constraints to be incorporated into your model here:

 9) Mobile resources can only move between adjacent locations
10) Only planes can be on runways.
11) At most one plane can be on a runway.
12) Gates can have at most a single plane.
13) Gates can have multiple service vehicles.
14) If a plane is at a gate, then a vehicle should be there to service it.

In addition to the definition of legal states of the model we want to be able to model the movement of mobile resources. There are lots of constraints one could imagine to enforce reasonable and safe movement of planes and vehicles at an airport. You are to incorporate the following constraints in your model:

15) A plane can take off on a runway when all intersecting runways are empty.
16) A plane can land on a runway when it is empty.

Taking these constraints into account you are to define the following operations:

 a) Takeoff(plane, runway) : a plane on the runway takes off
 b) Land(plane, runway) : a plane in the air lands on the runway

As in problem #1 you will want to establish a few realism constraints to ensure that you produce non-trivial instances of your model. Here are two such constraints that you should consider:

 1) at least one gate, runway, vehicle and plane
 2) some intersecting runways

Do the following (reset scopes before each numbered step):

1) Schema Instantiation
   a) What are the minimal scope settings needed to produce an instance of your model?
   b) Insert the instance into your solution
   Add the 2 realism constraints
   c) Do the minimal scopes needed to produce an instance change?
   d) If so, include the instances and the settings in your solution.
   e) Explain any differences between parts b and c

2) Operation Instantiation
   a) Generate an instance of a takeoff and include it in your solution
   b) What is the minimal scope for which an instance is possible?
   c) Explain why no smaller scope is satisfiable

3) Check Operations vs. Invariants
   For both the Takeoff and Land operations answer the following
   a) Are the preconditions satisfiable?
   b) If so, include the instance in your solution
   c) If not, adjust the scopes until they are and indicate those scopes
   If you cannot satisfy your operation's preconditions then you need to fix the preconditions.
   d) With the scope settings from c, include the results from checking that invariants 10 and 11 are preserved
   If your operations do not preserve the invariants then fix them so that they do.
4) Check Assertions
   Assert that a plane can taxi from a gate to any runway
   a) Does this assertion hold? If not, include a counter-example
   b) If so, what conclusions can you draw?
   Adjust the model or the analyzer settings to ensure that a collection of non-trivial models for this assertion will be considered
   c) Describe those adjustments
   d) Does the assertion hold? If not, include a counter-example

What to submit:
--------------------

A single text file containing...

(0) The standard assignment header constructed from the template linked off of the assignment web page.
(1) Your final Alloy model. Note: you will receive no credit if we cannot compile your Alloy model in the constraint analyzer.
(2) Below the model, give the answers to each of the questions above.

Notes and Hints:
--------------------

Build your model up incrementally using the idea of layering mentioned in the previous assignment. In particular you will find it useful to build the static part of the model first and use ACA to check for appropriate instantiations. After that is done you can add operations and assertions one at a time.

You will need to define a suitable notion of adjacency. Try to think abstractly and enforce only the essential aspects of what it means for two locations to be adjacent. It is not necessary to model the real world too accurately, e.g., using a rectilinear coordinate system. If you do that your model will be very large and complex.

You may need to adjust the scopes to be able to generate instantiations for this problem. Rather than just boosting all scope limits, try to understand the resource demands of your definitions and only increase the scopes that need it. Note also that scopes cannot be set below 1.

Remember a constraint can be enforced through a number of means, e.g., mutabilities, multiplicities or invariants. You aren't required to write a separate invariant for each of the numbered constraints above.
In fact there are many constraints that can be captured in set and relation definitions. As mentioned in class you should attempt to identify global frame conditions and encode those as mutabilities. Only use operation-specific frame conditions when they are in addition to the global conditions.

Alloy is whitespace sensitive in some cases. For example, "Runway-Gate" is a legal set name but it looks like an expression (set difference). To write that expression one must include whitespace around the operator, e.g., "Runway - Gate".

We spoke a bit about designing models to support efficient analysis. You will need to do that for this problem. If you don't, some of your analyses will take a long time.

Sometimes ACA will act strangely after you have been running it for a long time. If it gives you different answers to the same analyses and you have not changed the model, exit the analyzer and restart it.

After carrying out the requirements above, our model solution consisted of: 3 domains, 5 sets, 5 relations (including transposes), 1 definition, 11 invariants, 3 conditions, 2 operations and 1 assertion. All of the checks completed in less than 17 seconds on a 700 MHz Pentium III (39 seconds on a 400 MHz UltraSparc).
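Worked example (added here; it is not the assignment's model solution and not the code the statistics above describe). It sketches the static constraints 1-8, the policies 2 and 10-14 as a state predicate, the Takeoff and Land operations with constraints 15 and 16, the invariant-preservation checks of step 3, the realism constraints of step 1, and the gate-to-every-runway assertion of step 4, all in one file so the operations and assertions share the static model. The assignment's vocabulary (domains, sets, mutabilities, ACA) belongs to an earlier version of the Alloy language; this example uses the sig/fact/pred/assert/check syntax of the current Alloy Analyzer, so it will not paste unchanged into the tool the assignment describes. Every name in it (Location, adj, Fixed, locs, Gate, Taxiway, Runway, Mobile, Plane, Vehicle, State, at, Legal, Takeoff, Land, Realistic, the assertion names) is a choice made for this example, and so is the modelling decision that a plane "in the air" simply has no location. Two points the checks bring out: constraint 16 on its own does not preserve invariant 11 when the landing location is one that a second, occupied runway shares, so Land carries an extra premise on such runways (delete it and re-run the check to see the counter-example); and the reachability assertion needs at least six Location atoms before the analyzer can build a gate, its taxiway and two disjoint two-location runways, which is why the `for 5` check finds nothing and the `for 6` check can.

```alloy
// Locations are first-class; a fixed resource is related to the locations
// that make it up, which is the decoupling the problem description asks for.
sig Location {
  adj: set Location                        // adjacency between locations
}

abstract sig Fixed { locs: some Location }  // 3) some number of locations
sig Gate, Taxiway, Runway extends Fixed {}

abstract sig Mobile {}
sig Plane, Vehicle extends Mobile {}

// One snapshot of the dynamic state.  A plane that is in the air has no
// location (modelling assumption of this example, not of the assignment).
sig State {
  at: Mobile -> lone Location              // 1) at most one location at a time
}

fact Adjacency {
  adj = ~adj                               // symmetric
  no (iden & adj)                          // a location is not adjacent to itself
}

fact Topology {
  // 3) the locations of a fixed resource are connected to each other inside it
  all f: Fixed | all l, m: f.locs | l in m.*(adj & (f.locs -> f.locs))
  // 4) a gate is one location whose only neighbour is one taxiway location
  all g: Gate | one g.locs and one g.locs.adj and g.locs.adj in Taxiway.locs
  // 5) runways have more than one location
  all r: Runway | not lone r.locs
  // 6) only runways may share a location, and then only one
  all disj f, g: Fixed |
    some (f.locs & g.locs) implies (f + g in Runway and lone (f.locs & g.locs))
  // 7) a taxiway touches any other fixed resource at no more than one location
  all t: Taxiway, f: Fixed - t | lone (t.locs.adj & f.locs)
  // 8) from every gate some runway is reachable over adjacency
  all g: Gate | some (g.locs.^adj & Runway.locs)
}

// Policies 2 and 10-14 on one state.  9 is enforced by the operations, which
// only ever move a plane between a runway and the air.
pred Legal[s: State] {
  all l: Location | lone ((s.at).l & Plane)                                  // 2
  all m: Mobile | some (m.(s.at) & Runway.locs) implies m in Plane           // 10
  all r: Runway | lone ((s.at).(r.locs) & Plane)                             // 11
  all g: Gate | lone ((s.at).(g.locs) & Plane)                               // 12 (13 needs nothing)
  all g: Gate | some ((s.at).(g.locs) & Plane) implies some ((s.at).(g.locs) & Vehicle)  // 14
}

// 15) take off from r when every runway intersecting r is empty
pred Takeoff[s, s': State, p: Plane, r: Runway] {
  some (p.(s.at) & r.locs)                                 // p is on r
  all r2: Runway - r |
    some (r2.locs & r.locs) implies no ((s.at).(r2.locs) & Plane)
  s'.at = s.at - (p -> Location)                           // p leaves; nothing else moves
}

// 16) land on r when r is empty.  The premise on r2 is what the check below
// needs: if the landing location is shared with a runway that already holds a
// plane, invariant 11 would break on that runway.
pred Land[s, s': State, p: Plane, r: Runway] {
  no p.(s.at)                                              // p is in the air
  no ((s.at).(r.locs) & Plane)                             // r is empty
  some l: r.locs {
    all r2: Runway - r | l in r2.locs implies no ((s.at).(r2.locs) & Plane)
    s'.at = s.at + (p -> l)                                // nothing else moves
  }
}

// Realism constraints from step 1, on a legal state.
pred Realistic[s: State] {
  some Gate and some Runway and some Vehicle and some Plane
  some disj r1, r2: Runway | some (r1.locs & r2.locs)
  Legal[s]
}
run Realistic for 5 but 1 State       // five locations: gate, taxiway, two runways sharing one

run Takeoff for 5 but 2 State         // step 2: an instance of a takeoff

// Step 3: the operations preserve the policies (including invariants 10 and 11).
assert TakeoffPreservesPolicy {
  all s, s': State, p: Plane, r: Runway |
    Legal[s] and Takeoff[s, s', p, r] implies Legal[s']
}
check TakeoffPreservesPolicy for 5 but 2 State

assert LandPreservesPolicy {
  all s, s': State, p: Plane, r: Runway |
    Legal[s] and Land[s, s', p, r] implies Legal[s']
}
check LandPreservesPolicy for 5 but 2 State

// Step 4: every runway, not merely some runway, is reachable from every gate.
assert GateReachesEveryRunway {
  all g: Gate, r: Runway | some (g.locs.^adj & r.locs)
}
check GateReachesEveryRunway for 5    // too few locations for a disconnected runway
check GateReachesEveryRunway for 6    // room for a second, unreachable runway
```

The realism run is written with `for 5` because four Location atoms cannot hold a gate, a taxiway and two runways of two locations each even when the runways share one; that is the kind of scope reasoning steps 1 and 2 ask for. Note also how few of constraints 1-8 needed an explicit invariant: the `lone` multiplicity on `at` carries constraint 1 and the `some` on `locs` carries part of constraint 3, which is the point made in the hints about capturing constraints in set and relation definitions.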