Using Alloy to model-check visual design notations

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

This paper explores the process of validating the abstract syntax of a graphical notation. We define a unified specification for five of the UML diagrams used by the Discovery Method and, in this document, we illustrate how diagrams can be represented in Alloy and checked against our specification in order to determine whether they are valid under the Discovery notation.


💡 Research Summary

The paper investigates how to formally validate the abstract syntax of visual design notations, focusing on the Discovery Method—a lightweight, UML‑based methodology that defines five core diagram types (Task Structure, Task Flow, Object, State, and Collaboration). The authors first critique UML’s open‑ended semantics, noting that its flexibility can lead to ambiguous or illegal graphical constructs. They argue that a precise abstract syntax is a prerequisite for any model‑checking effort.

To address this, they construct a unified abstract syntax that captures the essential elements and constraints of the five Discovery diagrams. This syntax is organized into four hierarchical layers: the System view (a complete specification comprising at most one instance of each model type), the Model view (individual models containing diagrams), the Diagram view (single diagrams without inter‑diagram relations), and the Base level (primitive notation elements and their basic relationships). By separating concerns across these layers, the approach enables verification at three granularities: per‑diagram, per‑model, and whole‑system.

Alloy, a lightweight relational model‑finder, is chosen as the formal tool. The paper explains Alloy’s “refutation” mode (searching for counter‑examples) and “satisfaction” mode (searching for a model that satisfies a predicate). Initially, the authors use refutation to test whether the abstract syntax correctly rejects malformed diagrams. Later they switch to satisfaction, encoding each concrete diagram as an Alloy predicate and asking the analyzer to find an instance that fulfills both the diagram‑specific constraints and the global abstract‑syntax constraints.

The methodology is illustrated with a concrete case study: a library circulation system. Two Task Structure diagrams—one describing circulation tasks and another describing loan‑transaction tasks—are each encoded as separate Alloy signatures extending a generic TaskStDiagramView. Elements such as tasks, actors, aggregations, generalisations, and participations are declared, and diagram‑specific constraints are expressed in predicate blocks. A higher‑level TaskStModel signature then merges the two diagrams, asserting that the shared task (LoanTransaction) is identified as the same element in both diagrams.

Verification is performed by issuing a run command with an exact scope that fixes the number of each element type (e.g., exactly one Model, exactly two DiagramView, exactly four Relationship, etc.). The empty predicate forces Alloy to simply find any instance that satisfies all declared constraints within that scope. The analyzer succeeds, producing a unique instance, which demonstrates that the combined model conforms to the Discovery abstract syntax. The authors note that reducing the scope leads to unsatisfiable instances (revealing errors), while enlarging the scope can generate spurious elements that make the instance valid but no longer correspond to the intended model—highlighting the critical role of precise scope selection.
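As an added example (not the paper's own Alloy, which this summary does not reproduce), the skeleton below shows the structure just described: a small abstract syntax for Task Structure diagrams with global well-formedness facts, two diagram predicates that share LoanTransaction, a model-level predicate that merges them, a satisfaction-mode `run` with an exact scope, and a refutation-mode `check`. Only the names `TaskStDiagramView`, `Model`, `DiagramView`, `Relationship` and `LoanTransaction` come from the summary; every other signature, field and atom name (`Element`, `Task`, `Actor`, `src`, `dst`, `elems`, `rels`, `views`, the diagram and model atoms) is an assumption chosen for illustration, and the library tasks are a constructed sample.

```alloy
// Added illustration, not the paper's Alloy. All names other than
// TaskStDiagramView, Model, DiagramView, Relationship and LoanTransaction
// are assumptions; the library diagrams below are a constructed sample.
module taskstructure

// Base level: primitive notation elements
abstract sig Element {}
sig Task  extends Element {}
sig Actor extends Element {}

// Base level: primitive relationships between elements
abstract sig Relationship { src, dst: one Element }
sig Aggregation    extends Relationship {}  // task composed of sub-tasks
sig Generalisation extends Relationship {}  // task specialises another task
sig Participation  extends Relationship {}  // actor participates in a task

// Diagram view: a single diagram owns elements and relationships
abstract sig DiagramView {
  elems: set Element,
  rels:  set Relationship
}
sig TaskStDiagramView extends DiagramView {}

// Model view: a model groups diagram views
sig Model { views: set DiagramView }

// Global abstract-syntax constraints: every diagram must satisfy these
fact WellFormed {
  // a relationship drawn in a diagram connects elements of that diagram
  all d: DiagramView, r: d.rels | r.src + r.dst in d.elems
  // aggregation and generalisation link two distinct tasks
  all r: Aggregation + Generalisation | r.src + r.dst in Task and r.src != r.dst
  // participation always runs from an actor to a task
  all r: Participation | r.src in Actor and r.dst in Task
  // the generalisation hierarchy is acyclic
  let gen = { a, b: Task | some r: Generalisation | r.src = a and r.dst = b } |
    no t: Task | t in t.^gen
}

// Named atoms for the constructed library sample
one sig Circulation, LoanTransaction, Borrow, Return extends Task {}
one sig Librarian extends Actor {}
one sig CirculationDV, LoanDV extends TaskStDiagramView {}
one sig Library extends Model {}

// Diagram 1: circulation tasks (Circulation aggregates LoanTransaction)
pred circulationDiagram {
  CirculationDV.elems = Circulation + LoanTransaction + Librarian
  some a: Aggregation, p: Participation {
    a.src = Circulation and a.dst = LoanTransaction
    p.src = Librarian   and p.dst = Circulation
    CirculationDV.rels = a + p
  }
}

// Diagram 2: loan-transaction tasks (LoanTransaction aggregates Borrow, Return)
pred loanTransactionDiagram {
  LoanDV.elems = LoanTransaction + Borrow + Return
  some a1, a2: Aggregation {
    a1.src = LoanTransaction and a1.dst = Borrow
    a2.src = LoanTransaction and a2.dst = Return
    LoanDV.rels = a1 + a2
  }
}

// Model level: both diagrams belong to one model and share LoanTransaction
pred libraryModel {
  circulationDiagram
  loanTransactionDiagram
  Library.views = CirculationDV + LoanDV
  LoanTransaction in CirculationDV.elems & LoanDV.elems
}

// Satisfaction mode: find an instance of the whole model within an exact scope.
// "exactly 3 Relationship" is unsatisfiable (diagram 1 needs two relationships
// and diagram 2 two more); "exactly 5 Relationship" admits a spare relationship
// that belongs to no diagram, i.e. a spurious element of the kind noted above.
run libraryModel for exactly 1 Model, exactly 2 DiagramView,
                     exactly 4 Relationship, 5 Element

// Refutation mode: ask whether the syntax forbids elements outside any diagram.
// Nothing in WellFormed requires it, so the analyzer reports a counter-example,
// exposing a constraint the abstract syntax would have to add if orphan
// elements are illegal under the notation.
assert NoOrphanElement { all e: Element | some d: DiagramView | e in d.elems }
check NoOrphanElement for 5
```

Tasks, actors, diagrams and the model are declared as `one sig` so the instance is fixed by name, while relationships are left for the analyzer to find; this is what makes the `Relationship` scope in the `run` command do real work, and it is the simplest way to see the scope sensitivity described above by changing the number and re-running.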

The paper evaluates Alloy’s suitability for this task. Advantages include its declarative nature, rapid counter‑example generation, and ability to handle hierarchical specifications. Limitations involve sensitivity to scope size, potential state‑space explosion for larger models, and the current focus on static diagram structure rather than dynamic behavior. The authors suggest future work to extend the abstract syntax to additional UML subsets (e.g., sequence or component diagrams), incorporate behavioral semantics, and develop automated techniques for optimal scope determination.

In conclusion, the study demonstrates that Alloy can effectively encode and check the well‑formedness of Discovery Method diagrams against a formally defined abstract syntax. The layered modeling approach, combined with careful scope management, provides a practical pathway for ensuring consistency and completeness of visual design notations in model‑driven development.

