Course introduction and administration. Introduction to Formal Methods. What are formal methods and how they help in software development.

Required Readings:

• Syllabus
• Course overview [pdf] and introduction [pdf]
• [Haxt10] An introduction to formal methods, with examples of industrial usage

Recommended Readings:

• [vLam00] An introduction to formal specifications, and a survey of formal specification approaches.
• Chap. 1-2 of [Gara13] A fairly comprehensive recent survey on the use and practice of FM.
• [Barr13] Notes on expert reports and testimony of the Toyota Unintended Acceleration Litigation.

More on Formal Methods.

Introduction to sets and relations. Recap of basic notions in set theory. Relations and relational operators.

• Course introduction [pdf]
• Lecture notes on sets and relations [pdf]
• Chap. 4 of CGFM (as needed)

• All exercises in set and relations notes

Relations. Functions as relations. Operations on relations.

Modeling general software systems. Introduction to the Alloy modeling language. Alloy's foundations. Signatures, fields and multiplicity constraints.

Modeling simple domains in Alloy. Generating and analyzing model instances with the Alloy Analyzer.

Relations and operations on them. Formulas, Boolean operators and quantifiers.

• Lecture notes on sets and relations [pdf]
• Lecture notes: An introduction to Alloy 6 - Part 1 [pdf] and 2 [pdf]
• Chapter Structural Modeling of PA

• Alloy FAQ
• Alloy online tutorial

• All exercises in lecture notes

Relational operators in Alloy. Expressing constraints on relations using Alloy formulas. Examples of constraints. Operator precedence and parsing. Facts: constraining models with formulas. In-class exercises.

Required Readings:

• Lecture notes: an introduction to Alloy 6 - Part 2 [pdf]
• Family examples from the notes
• Lecture notes on First Order Logic [pdf] (up to slide 31)
• Chapter Structural Modeling of PA

Recommended Readings:

• Alloy 6 book chapter: A relational logic primer
• A hands-on introduction to Alloy by Michael Sperberg-McQueen
• Alloy Reference manual (as needed)

Exercises:

• Exercises in Part 2 of lecture notes

More on Alloy models. Checking models with the Alloy Analyzer. Signature scopes. Assertions. Checking assertions. Scope restrictions. Functions and predicates. Examples and in-class exercises.

Practice with modeling in Alloy: the Academia domain.

Required Readings:

• Lecture notes: an introduction to Alloy 6 - Part 2 [pdf] and 3 [pdf]
• Family examples from the notes
• Chapter Structural Modeling of PA
• Lecture notes: the Academia model [pdf]
• Academia examples from the notes

Recommended Readings:

• Notes on translating English to propositions logic [pdf]
• Alloy Reference manual (as needed)

Exercises:

• All exercises in Part 3 of lecture notes

More practice with modeling in Alloy: the Academia domain.

Modeling dynamic systems in Alloy. Explicit time modeling. Example: making the family model dynamic.

Required Readings:

• Lecture notes: the Academia model [pdf]
• Academia examples from the notes
• Lecture notes: Dynamic Models in Alloy [pdf]

Exercises:

• All exercises in Academia Model notes
• First exercise in Dynamic Models notes

Explicit vs. implicit time modelling in Alloy 6. Trace semantics. Temporal operators and their semantics. Examples.

General approach to model dynamic systems: state transition systems. Operators. Preconditions, postconditions and frame conditions. Examples of operators for the family model.

Required Readings:

• Lecture notes: Dynamic Models in Alloy [pdf]
• Chapter Behavioral Modeling of PA
• Examples of equivalences in Alloy
• Dynamic systems examples from class and the notes

Recommended Readings:

• Alloy Reference manual (as needed)

Exercises:

• All exercises in the Dynamic Models notes

More on modeling and analyzing dynamic systems in Alloy. Family and traffic light examples. Group exercises.

A complete Alloy modeling case study: the hotel room lock system.

Required Readings:

• Dynamic systems examples from class and the notes
• Chapter Behavioral Modeling of PA
• Lecture notes: Hotel Lock System [pdf]

Recommended Readings:

• Lecture notes: Alloy Modules [pdf]
• util/ordering.als sample model in the Alloy Analyzer

Specifying and verifying programs in high-level programming languages.

Introduction to Dafny. Method contracts in Dafny. Specifying pre and post-conditions. Compositional verification of methods through the use of contracts.

Introduction to Floyd-Hoare logic. Formalizing program behavior with Hoare triples. Strongest postconditions and weakest preconditions. The WP and SP operators. Computing WPs and SPs for assignments. Weakest preconditions and strongest postconditions for variable introduction, and sequential composition.

Required Readings:

• Lecture notes: Reasoning About Programs in Dafny [pdf]
• Lecture notes: Floyd-Hoare logic [pdf]
• Chapters 0 and 1 of the Program Proofs textbook
• Chapter 2 of the textbook up to Section 2.3.4

Recommended Readings:

• [Wing95], which provides several hints to specifiers
• Appendix A and B of the textbook (as needed)

Exercises:

• Exercises in lecture notes

Weakest preconditions and strongest postconditions for conditional statements, methods calls, and assert and assume statements. Method vs function calls in Dafny. Partial expressions. Examples in Dafny.

Termination of recursive methods and functions. Well founded orders.

Required Readings:

• Lecture notes: Floyd-Hoare logic [pdf]
• Lecture notes: Recursion and termination
• Chapter 2 of the textbook except for 2.9
• Chapter 3.1, 3.2 of the textbook

Recommended Readings:

• Appendix A and B of the textbook (as needed)
• Chapter 2.9 of the textbook

Exercises:

• Exercises in lecture notes
• Exercises 2.4-2.8, 2.11, 2.15, 2.20-2.23, 2.25, 2.26, 2.29(a), 2.32, 2.33, 2.36, 2.40, 2.41 from the textbook

Inductive datatypes. Definition and examples.

Lemmas and proofs. Motivation, uses and examples.

Required Readings:

• Lecture notes: Recursion and termination
• Chapters 3 and 4 of the textbook
• Chapter 5 of the textbook except for 5.8
• Mini-tutorial on sets in Dafny

Recommended Readings:

• Appendix A and B of the textbook (as needed)

Exercises:

• Exercises 3.1-3.6, 3.11, 4.1, 4.3, 4.6, 4.7, 5.4, 5.5, 5.11-5.13 from the textbook

Verifying functional programs over lists. More on lemmas and proofs.

Specifying and verifying sorting algorithms.

Required Readings:

• Chapters 5 and 6 of the textbook except for 5.8
• Mini-tutorial on sequences in Dafny

Recommended Readings:

• Appendix A and B of the textbook (as needed)

Exercises:

• Exercises 6.2, 6.3, 6.6, 6.8, 6.13 from the textbook

Specifying and verifying list sorting algorithms. Insert sort and merge sort.

Specifying and verifying while loops. Examples. Loop termination.
Recursive specifications of iterative programs. Arrays. Checking iterative programs with arrays. Examples.

Required Readings:

• Chapter 8 of the textbook
• Chapters 11-13 of the textbook except for 12.3, 13.4-7
• Lecture notes: Reasoning about Loops
• Lecture notes: Reasoning about Iterative Programs
• Lecture notes: Reasoning about Programs with Arrays

Exercises:

• Exercises 8.0, 8.6, 11.0-11.3, 11.5-11.18 from the textbook

Fall break

Linear and binary search.
Reading and writing frames for reference variables. Methods that modify arrays. Examples.

Classes and Objects in Dafny. Specifying classes as abstract data types to separate observable behavior from internal implementation. Examples: counters and alternative implementations of FIFO queues.

• Lecture notes: Reasoning about Programs with Arrays
• Chap. 13.0-13.4 of the textbook
• Chap. 14 of the textbook
• Chap 16.0-1 of the textbook
• Examples seen in class:
  • linear search
  • binary search
  • modifying arrays
  • fancy counter
  • array-based FIFO queue

Exercises:

• Exercises 13.2, 13.8, 13.12, 14.0, 14.5, 14.8 from the textbook

More on abstract view vs. concrete implementation of classes. The FIFO queue example.

The use of dynamic frames in Dafny to specify and verify programs using objects. Motivation and uses. Counter, bank account and linked list examples.

• Chap 16 of the textbook
• Examples seen in class:
  • sequence-based FIFO queue
  • abstract counter with dynamic frames
  • bank account
  • linked list

• Lecture notes: Objects in Dafny
• Dafny Collection Types

Final Exam