Question
Apologies for any newbie errors - this is my first ever posting here.
I am not sure if this is a bug, or is the result of some subtlety in Alloy's typechecking. In the example below, I would expect the predicate "strange" to be inconsistent, because B and C are disjoint sets. However, Alloy (version 4.2) claims to find models of the predicate. The models it displays look wrong. For example, there is a model containing just one atom, B$0, labelled as the witness $strange_a. In this model, the Evaluator tells me that isB[B$0] is true, and isC[B$0] gives me a type error, as expected. However, strange[B$0] evaluates as true. The Alloy code I'm using is:
abstract sig A {}
sig B, C extends A {}
pred isB [b:B] { }
pred isC [c:C] { }
pred strange [a:A] {isB[a] and isC[a]}
run strange
Answer 1:
You're right: it's surprising. Alloy's type checker uses the decls of predicates and functions to check their bodies but it does not impose them as constraints except when the predicate or function is run at the top level. We did this because we couldn't find a coherent semantics for these constraints in all usage contexts (for example, when a predicate is invoked inside a quantifier, or under negation).
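An added example, not part of the original question or answer: because parameter declarations are used for type checking but not imposed as constraints on callers, one way to get the inconsistency the question expects is to state the membership constraint in each predicate body. The assertion name NoAtomInBoth is introduced here for illustration only.

```alloy
abstract sig A {}
sig B, C extends A {}

// The declared parameter types (b: B, c: C) are not enforced when these
// predicates are called from another predicate, so the intended
// restriction is written out as an explicit constraint in the body.
pred isB [b: B] { b in B }
pred isC [c: C] { c in C }

// After substitution this reads "a in B and a in C".
// B and C are disjoint extensions of A, so no single atom satisfies it.
pred strange [a: A] { isB[a] and isC[a] }

// Expected with the explicit constraints: no instance found.
run strange

// The same property as an assertion, which also covers the case where
// strange is invoked under a quantifier.
// Expected: no counterexample found.
assert NoAtomInBoth { no a: A | strange[a] }
check NoAtomInBoth
```

With the original empty bodies, the same `run strange` finds instances, which is the behaviour described in the question.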
Source: https://stackoverflow.com/questions/42976585/possibly-inconsistent-behaviour-in-alloys-typechecking-of-predicates