Preventing arithmetic overflows in Alloy

• A new treatment of partial functions in classical logic.
• Goal: suppress variable bindings causing out-of-domain applications.
• Idea: assign truth values to undefined formulas to make them globally irrelevant.
• Applied to Alloy (a bounded model finder) to prevent arithmetic overflows.
• Result: the Alloy Analyzer made sound with respect to counterexamples.

In a bounded analysis, arithmetic operators become partial, and a different semantics becomes necessary. One approach, mimicking programming languages, is for overflow to result in wrap-around. Although easy to implement, wrap-around produces unexpected counterexamples that do not correspond to cases that would arise in the unbounded setting. This paper describes a new approach, implemented in the latest version of the Alloy Analyzer, in which instances that would involve overflow are suppressed, and consequently, spurious counterexamples are eliminated. The key idea is to interpret quantifiers so that bound variables range only over values that do not cause overflow.