Why is possible Alloy negative cardinality

Question

I am describing some models in Alloy language. In order to describe a finite state machine I provided this few lines of code:

sig FSA_state {
    transitions: some FSA_state,
    initial: lone InitialState
}

sig InitialState {}

fact i {
    all f: FSA_state | #(f.transitions) <= 0
}

pred show {
}

run show for 5 but 1 InitialState

Now I am trying to figure out why it makes more than zero transitions on a single state. Using "Evaluator" instrument I found that some world has negative cardinality on set transitions, how is it possible (a set can't has less than zero elements)? The instruction that I used in Evaluator is #(FSA_state.transitions)

Answer 1

In your fact i you enforce that the number of transition for each FSA_state should be negative. In your signature FSA_state the use of the keyword "some" enforces that the number of transition is at least one.

In the instance you managed to generate, Alloy took advantage of the limited scope of the Integer signature in order to satisfy both contradicting constraints.

Indeed, if Integers ranges from -2 to 3 for example, then if the number of transition for each state is 4, #(f.transition) would be -2.

TL;DR: remove the i fact ( the keyword some is already enforcing that there is at least one transition per FSA_state)

Answer 2

If you want to exclude all models that have overflows, you can set the "forbid overflows" available in version 4.2.