Quantifiers in Alloy

Acknowledgement: Most of this content is taken directly from the Alloy 3.0 Tutorial, although a few annotations and re-phrasings have been made.

The Alloy quantifiers are

all x:X | formula — every x of type X satisfies formula. If there are no X's, then this statement is trivially true.
some x:X | formula — one or more x's of type X satisfy formula
no x:X | formula — exactly zero x's of type X satisfy formula
one x:X | formula — exactly one x of type X satisfies formula
lone x:X | formula — either zero or one x of type X satisfies formula

Note that a 'formula' is something that evaluates to a boolean value, as opposed to an 'expression' which evaluates to a (relational) value. Also note that X can be any expression that yields a set, and thus need not be simply the name of a signature in the module. An example (which happens to use multiple dummies associated to the same quantifier) is

all d: Dir, o: d.contents | o.parent = d

Here the expression d.contents is used to indicate the "type" of dummy o.

One can leave out the variable and the formula. Alloy will then act as though you had entered a trivially true formula. That is, the abbreviated expression quantifier X means the same thing as quantifier x:X | true. To spell it out in gory detail:

all X — trivially true (i.e., regardless of what X is)
some X — there is at least one X (i.e., X is not empty)
no X — there are no X's (i.e., X is empty)
one X — there is exactly one X (i.e., either X is empty or has exactly one member)
lone X — there are either zero or one X's (i.e., X has either no members or exactly one member)

In effect, each of these boolean expressions says something about the cardinality (i.e., number of tuples in) relation X.

The basic format for a quantifier is

quantifier variable:type | formula

where the formula may includes references to the quantifier variable (i.e., dummy). An alternative notation is:

quantifier variable:type { formula }

Examples:

  // At least one directory has itself as a parent
  some d: Dir | d.parent = d

You can also opt to leave out the formula and variable.

Examples:

  // no root has a parent
  no Root.parent

  //there is exactly one root
  one r: Root

Multiple variables can be used in the same quantifier, like so:

quantifier variable:type, variable':type' | formula

which desugars to

quantifier variable:type | quantifier variable':type' | formula

Examples:

  // every file has as a parent some directory
  all f:File | some d:Dir | f.parent = d

Multiple variables of the same type can be abbreviated as a comma-delimited list, like so:

quantifier variable,variable':type | formula

Examples:

  // no two directories have exactly the same contents
  no d,s:Dir | d.contents = s.contents

Editor's Note: The above should be false, as long as Dir has at least one member, because instantiating both dummies to the same member of Dir provides a counterexample. End of Note.

The above features can, of course, be combined to produce arbitrarily complex formulas.

However, be warned that nested quantifiers may cause your model to become intractable. In general, try not to stack more than two or three of them together.