Course introduction and administration. Introduction to Formal Methods.

Introduction to sets and relations.

• Syllabus
• Course overview [pdf] and introduction (revised) [pdf]
• [Haxt10] An introduction to formal methods, with examples of industrial usage
• Lecture notes on sets and relations (as needed) [pdf]

• [vLam00] An introduction to formal specifications, and a survey of formal specification approaches.
• Chap. 1-2 of [Gara13] A fairly comprehensive recent survey on the use and practice of FM.
• [Barr13] Notes on expert reports and testimony of the Toyota Unintended Acceleration Litigation.

Recap of basic notions in set theory. Relations and relational operators.

Modeling general software systems. Introduction to the Alloy modeling language. Alloy's foundations. Signatures, fields and multiplicity constraints.

Modeling simple domains in Alloy. Generating and analyzing model instances with the Alloy Analyzer.

Relations and operations on them. Formulas, Boolean operators and quantifiers. Expressing constraints on relations using Alloy formulas.

• Lecture notes on sets and relations (as needed) [pdf]
• Lecture notes: An introduction to Alloy 4 - Part 1 [pdf] and 2 [pdf]

• Alloy FAQ
• Lecture notes on First Order Logic [pdf]
• Alloy 4 tutorial, notes by Greg Dennis and Rob Seater, Part I [pdf] and II [pdf]
• A hands-on introduction to Alloy, by Michael Sperberg-McQueen

More on the Alloy language. Facts and assertions. Checking models and assertions with the Alloy Analyzer. Examples and exercises.

• Lecture notes: an introduction to Alloy 4 - Part 2 [pdf]
• Family examples from the notes

• Alloy 4 tutorial, notes by Greg Dennis and Rob Seater, Part I [pdf] and II [pdf]
• A hands-on introduction to Alloy, by Michael Sperberg-McQueen

Functions and predicates. Examples.
Practice with modeling in Alloy: the Academia domain. Examples and exercises.
Alloy's module system. Motivations and uses. Parametric modules. An example: the predefined Ordering module.

• Lecture notes: an introduction to Alloy 4 - Part 2 [pdf]
• Lecture notes: the Academia model [pdf]
• Academia examples from the notes
• Lecture notes: Alloy Modules [pdf]

• util/ordering.als sample model in the Alloy Analyzer
• Alloy language reference (as needed) [pdf]
• A hands-on introduction to Alloy, by Michael Sperberg-McQueen

Modeling dynamic systems in Alloy. Example: making the family model dynamic. General approach: dynamic systems as state transition systems. Operators. Preconditions, postconditions and frame conditions. Examples of operators for the family model.

• Lecture notes: Dynamic Models in Alloy [pdf]
• Family examples from the notes
• Posted solutions for Homework 1

More on modeling dynamic systems in Alloy. Example: rovers on a two-dimensional space. Group exercises.
A complete Alloy modeling case study: the hotel room lock system.

• Lecture notes on Autonomous Rovers [pdf]
• The rover.als rover model in dynamic systems examples
• Lecture notes: Hotel Lock System [pdf]
• The book/chapter6/hotel*.als sample models (first 2 only) in the Alloy Analyzer

Introduction to reactive systems. Introduction to the Lustre specification language.
Examples of Lustre programs. Specifying simple reactive systems in Lustre. Simulating Lustre programs with the Kind 2 tool (online examples).

• Lecture notes: Reactive Systems and the Lustre language, Part 1 [pdf]
• Chap. 1 of [Halb02], a Lustre tutorial

• Original paper on Lustre [Halb92]

Practice with writing Lustre models and expressing their properties.
Simulating Lustre programs with the Kind 2 tool (online examples).

• Lecture notes: Reactive Systems and the Lustre language, Part 1 [pdf] and 2 [pdf]
• Chap. 1 of [Halb02], a Lustre tutorial

• [Halb91], the main reference paper for Lustre
• [Halb99], an introduction to verification and testing with Lustre

Midterm exam

More practice with writing Lustre models and expressing their properties. Checking properties via synchronous observers. Useful temporal operators. A few examples.
Checking properties. Boolean Switches and traffic light examples. In-class exercises.

• Lustre examples on the Kind 2 online page except for CruiseController.

Contract-based specification and compositional verification. Motivation and uses. Extending Lustre with contracts. Contract basics: assumptions, guarantees and execution modes. Examples of contracts.

• Lecture notes: A Mode-aware Contract Language for Reactive System [pdf]
• StopwatchSpec and ElevatorSpec examples on the Kind 2 online page.

• [Cham16], a paper introducing Kind 2's contract language
• Kind 2 User Documentation

Specifying and verifying programs in high-level programming languages. Introduction to Dafny. Main features. Method contracts in Dafny. Specifying pre and post-conditions. Compositional verification of methods through the use of contracts. Abstraction of while loops by loop invariants. Examples.

• Sections 1-5 of [Koen12], an introduction to the Dafny language
  (also available as an online tutorial)

• [Wing95], which provides several hints to specifiers

More on loop invariants in Dafny. Functions and predicates. Complex specifications using recursive functions. Reading Frames. Termination of while loops and recursive functions in Dafny. Arrays and quantified verification conditions. Loop invariants for arrays. Examples.

• [Koen12], an introduction to the Dafny language
• Linear search and Fibonacci examples seen in class

• Dafny on-line tutorials

Introduction to value types in Dafny: sets and sequences. Classes. Constructors, fields and class methods. Class invariants. Ghost fields. Using ghost fields to represent abstract states. Connecting concrete and abstract state in a class. Examples.

• [Lein13] and [Herb11], tutorial and lecture notes on Dafny
• Dafny on-line tutorials on collections
• Abstract counter and FIFO queue example seen in class

No class (Thanksgiving recess)

Specifying classes as abstract datatypes to separate observable behavior from internal implementation. Two examples of FIFO queue implementation.
The use of dynamic frames in Dafny to specify and verify programs using objects. Motivation and uses. Queue, counter, bank account and linked list examples.

• [Lein13] and [Herb11], tutorial and lecture notes on Dafny
• FIFO queue examples: with arrays and with sequences.
• Counter and bank account example, using static frames
• Linked list example, using a dynamic frame

Introduction to the Lean prover. Motivation and uses. The Lean logic. Examples.

• Introduction to Lean: on-line tutorial
• Theorem Proving in Lean: on-line tutorial

Final Exam