Portus: Linking Alloy with SMT-based Finite Model Finding

Notice: This research summary and analysis were automatically generated using AI technology.

Alloy is a well-known, formal, declarative language for modelling systems early in the software development process. Currently, it uses the Kodkod library as a back-end for finite model finding. Kodkod translates the model to a SAT problem; however, this method can often handle only problems of fairly low-size sets and is inherently finite. We present Portus, a method for translating Alloy into an equivalent many-sorted first-order logic problem (MSFOL). Once in MSFOL, the problem can be evaluated by an SMT-based finite model finding method implemented in the Fortress library, creating an alternative back-end for the Alloy Analyzer. Fortress converts the MSFOL finite model finding problem into the logic of uninterpreted functions with equality (EUF), a decidable fragment of first-order logic that is well-supported in many SMT solvers. We compare the performance of Portus with Kodkod on a corpus of 63 Alloy models written by experts. Our method is fully integrated into the Alloy Analyzer.


💡 Research Summary

The paper introduces Portus, a novel back‑end for the Alloy Analyzer that replaces the traditional Kodkod‑SAT pipeline with an SMT‑based finite model finding approach. Portus first translates an Alloy model into many‑sorted first‑order logic (MSFOL). This translation respects Alloy’s signature hierarchy by employing a “sort policy” and a “sort resolvant” mechanism, which assign each Alloy atom to a concrete sort in the target logic. Two policies are offered: a default policy that maps all signatures to a universal sort, and an optimized policy that gives more specific sorts to improve quantifier handling and reduce auxiliary definitions.

In the translation, each signature becomes a membership predicate (inS) whose arguments are of the appropriate sort, and the scope of the signature (exact or non‑exact) is encoded as range constraints on these predicates. Fields (relations) are represented as functions or relations between sorts, with multiplicity constraints (one, lone, some, etc.) expressed as additional axioms that bound how many images each atom may have. Alloy’s logical operators, set operations, relational joins, and the second‑order constructs transitive closure and cardinality are systematically mapped to equivalent MSFOL formulas. Transitive closure, for instance, is encoded using the iterative squaring technique of Burch et al.: each auxiliary definition doubles the path length covered, so only ⌈log₂ k⌉ definitions are needed for a domain of size k.

The resulting MSFOL theory is handed to the Fortress library, which converts it into the logic of Equality with Uninterpreted Functions (EUF). EUF is a decidable fragment well‑supported by modern SMT solvers such as Z3 and CVC4. Fortress adds range formulas to enforce finiteness, employs overflow‑preventing finite integers (OPFI) to safely handle integer arithmetic, and applies extensive symmetry‑breaking schemes to prune the search space. The EUF problem is then solved by an SMT solver, which either returns a satisfying interpretation (a concrete Alloy instance) or reports unsatisfiability.
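To make the two preceding paragraphs concrete, here is an added example (my own illustration, not Portus or Fortress code) that hand-encodes a tiny Alloy model into SMT-LIB 2 in the style the summary describes: a single universal sort with a Fortress-style range formula for finiteness, a signature membership predicate, a `lone` field with a functionality axiom, and transitive closure by iterative squaring with ⌈log₂ k⌉ definitions. The Alloy fragment (a role hierarchy that must be acyclic, so that no role inherits privileges from itself) is constructed for this example; the helper names, the choice to encode the `lone` field as a predicate plus a functionality axiom rather than as a function, and the exact axiom shapes are assumptions, not the paper's output format. A scope of at least 2 is assumed.

```python
"""Sketch of the Alloy -> many-sorted FOL (SMT-LIB 2) encoding described
above.  Added illustration only: this is not Portus or Fortress code, and the
helper names and the exact axiom shapes are my own choices."""
import math

# Constructed Alloy fragment (hypothetical, not taken from the paper):
#   sig Role { parent: lone Role }
#   fact acyclic { no r: Role | r in r.^parent }
#   run {} for 4 Role
# Under the default sort policy every atom lives in one universal sort,
# called U here; Role membership is the predicate inRole.  Scope >= 2 assumed.

def range_formula(sort, scope):
    """Finiteness (Fortress-style range formula): the sort has exactly
    `scope` named, pairwise-distinct atoms and nothing else."""
    atoms = [f"{sort}{i}" for i in range(scope)]
    lines = [f"(declare-const {a} {sort})" for a in atoms]
    lines.append(f"(assert (distinct {' '.join(atoms)}))")
    lines.append(f"(assert (forall ((x {sort})) (or "
                 + " ".join(f"(= x {a})" for a in atoms) + ")))")
    return "\n".join(lines)

def lone_field(sort, sig_pred, field):
    """`parent: lone Role`: a binary predicate typed by the signature
    predicate, plus a functionality axiom (at most one image per atom).
    Encoding as a predicate rather than a function is my choice here."""
    return "\n".join([
        f"(declare-fun {field} ({sort} {sort}) Bool)",
        f"(assert (forall ((x {sort}) (y {sort})) "
        f"(=> ({field} x y) (and ({sig_pred} x) ({sig_pred} y)))))",
        f"(assert (forall ((x {sort}) (y {sort}) (z {sort})) "
        f"(=> (and ({field} x y) ({field} x z)) (= y z))))",
    ])

def squaring_steps(scope):
    """Doublings needed so that paths of up to scope-1 edges are covered."""
    return max(1, math.ceil(math.log2(scope)))

def transitive_closure(sort, field, scope):
    """Iterative squaring: R1 = R, R(i+1)(x,y) = R(i)(x,y) or
    exists m. R(i)(x,m) and R(i)(m,y).  After ceil(log2 scope) definitions
    R(i) holds for every path of length <= 2^i >= scope-1, i.e. ^field."""
    lines, prev = [], field
    for i in range(1, squaring_steps(scope) + 1):
        name = f"{field}_tc{i}"
        lines.append(
            f"(define-fun {name} ((x {sort}) (y {sort})) Bool "
            f"(or ({prev} x y) (exists ((m {sort})) "
            f"(and ({prev} x m) ({prev} m y)))))")
        prev = name
    return "\n".join(lines), prev

def encode_model(scope=4):
    """Whole problem as SMT-LIB 2 text for an EUF-capable solver."""
    tc_defs, tc = transitive_closure("U", "parent", scope)
    parts = [
        "(set-logic UF)",
        "(declare-sort U 0)",
        range_formula("U", scope),
        "(declare-fun inRole (U) Bool)",
        lone_field("U", "inRole", "parent"),
        tc_defs,
        # fact acyclic: no role reaches itself through ^parent
        f"(assert (not (exists ((r U)) (and (inRole r) ({tc} r r)))))",
        "(check-sat)",
        "(get-model)",
    ]
    return "\n".join(parts)

# The same squaring schedule run over a concrete relation, to show that it
# really reaches the full closure in ceil(log2 n) rounds.
def compose(a, b):
    return {(x, y) for (x, m) in a for (m2, y) in b if m == m2}

def closure_by_squaring(rel, n):
    cur = set(rel)
    for _ in range(squaring_steps(n)):
        cur = cur | compose(cur, cur)
    return cur

def closure_naive(rel):
    cur = set(rel)
    while True:
        nxt = cur | compose(cur, cur)
        if nxt == cur:
            return cur
        cur = nxt

if __name__ == "__main__":
    print(encode_model(4))
```

Running the script prints an SMT-LIB problem that any solver supporting quantifiers over uninterpreted sorts (Z3, cvc5) accepts; the range formula is what keeps the quantifiers over a finite, enumerable domain, which is the step that makes the EUF encoding decidable in practice. The concrete-relation helpers show why ⌈log₂ k⌉ squarings suffice: on a chain of eight atoms, three doublings already cover the longest possible path of seven edges.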

The authors evaluated Portus on a benchmark of 63 expert‑authored Alloy models covering a variety of domains (software design, security protocols, database schemas, etc.). Performance comparison with the existing Kodkod back‑end shows that Portus is competitive on small‑scope models and outperforms Kodkod on larger, more complex models, especially those with deep signature hierarchies and extensive relational constraints. The results demonstrate that SMT solvers can exploit the structure of functions and integers to achieve better scalability than pure SAT encodings, though SAT remains faster for very small, purely Boolean problems.

Portus is fully integrated into the Alloy Analyzer as a selectable back‑end; the user interface remains unchanged, and instances produced by the SMT solver are displayed using the standard Alloy visualizer. This seamless integration provides Alloy users with an alternative solving engine that can handle larger scopes without sacrificing the rapid feedback that makes Alloy popular for early‑stage design exploration.

The paper concludes by outlining future work: extending the approach to support unbounded scopes and hybrid bounded/unbounded analyses, leveraging richer SMT theories (arrays, non‑linear arithmetic, recursive functions), refining sort policies and symmetry‑breaking heuristics, and exploring applicability to other relational modeling languages such as TLA+ or B. Portus thus opens a pathway for combining Alloy’s expressive relational modeling with the powerful reasoning capabilities of modern SMT technology.

