Course introduction and administration. Introduction to Formal Methods. What are formal methods and how they help in software development.

• Syllabus
• Course overview [pdf] and introduction [pdf]
• [Haxt10] An introduction to formal methods, with examples of industrial usage

• [vLam00] An introduction to formal specifications, and a survey of formal specification approaches.
• Chap. 1-2 of [Gara13] A fairly comprehensive recent survey on the use and practice of FM.
• [Barr13] Notes on expert reports and testimony of the Toyota Unintended Acceleration Litigation.

More on Formal Methods.

Introduction to sets and relations. Recap of basic notions in set theory. Relations and relational operators.

• Course introduction [pdf]
• Lecture notes on sets and relations [pdf]

All exercises in set and relations notes

More on relations. Functions as relations. Operations on relations.

Modeling general software systems. Introduction to the Alloy modeling language. Alloy's foundations. Signatures, fields and multiplicity constraints.

Modeling simple domains in Alloy. Generating and analyzing model instances with the Alloy Analyzer.

Relations and operations on them. Formulas, Boolean operators and quantifiers.

• Lecture notes on sets and relations [pdf]
• Lecture notes: An introduction to Alloy 6 - Part 1 [pdf] and 2 [pdf]

• Alloy FAQ
• Alloy online tutorial
• Alloy one-day tutorial

All exercises in lecture notes notes

Relational operators in Alloy. Expressing constraints on relations using Alloy formulas. Examples of constraints. Operator precedence and parsing. Facts. Checking models with the Alloy Analyzer. Signature scopes. Exercises.

• Lecture notes: an introduction to Alloy 6 - Part 2 [pdf] (revised) and 3 [pdf]
• Family examples from the notes

• Alloy online tutorial
• A hands-on introduction to Alloy by Michael Sperberg-McQueen
• Alloy Reference manual (as needed)
• Lecture notes on First Order Logic [pdf] (up to slide 31)

In-class modeling exercises. Assertions. Checking assertions. Scope restrictions. Functions and predicates. Examples and exercises.

Practice with modeling in Alloy: the Academia domain.

• Lecture notes: an introduction to Alloy 6 - Part 2 (revised) [pdf] and 3 (revised) [pdf]
• Family examples from the notes
• Lecture notes: the Academia model [pdf]
• Academia examples from the notes

• Alloy Reference manual (as needed)
• A hands-on introduction to Alloy, by Michael Sperberg-McQueen

More practice with modeling in Alloy: the Academia domain. Examples and exercises.

Modeling dynamic systems in Alloy. Explicit time modeling time modelling. Example: making the family model dynamic.

• Lecture notes: the Academia model (revised) [pdf]
• Academia examples from the notes
• Lecture notes: Dynamic Models in Alloy [pdf]

More on dynamic models. Explicit time implicit time modelling in Alloy 6. Trace semantics. Temporal operators and their semantics. Examples. General approach to model dynamic systems: state transition systems. Operators. Preconditions, postconditions and frame conditions. Examples of operators for the family model.

• Lecture notes: Dynamic Models in Alloy (revised) [pdf]
• Examples of equivalences in Alloy
• Dynamic systems examples from class and the notes

• Alloy Reference manual (as needed)
• Lecture notes on Alloy 6 (aka, Electrum Alloy) by A. Cunha and N. Macedo on
  • Electrum overview [pdf]
  • First Order Logic [pdf]
  • Relational Logic [pdf]
  • Alloy's type system [pdf]
  • Relational model finding [pdf]

More on modeling and analyzing dynamic systems in Alloy. Family and traffic light examples.
A complete Alloy modeling case study: the hotel room lock system.

Introduction to reactive systems. Introduction to the Lustre specification language. Main constructs and operators. Examples of Lustre programs.

• Dynamic systems examples from class and the notes
• Lecture notes: Hotel Lock System [pdf]
• Lecture notes: Reactive Systems and the Lustre language, Part 1 [pdf]

• Lecture notes: Alloy Modules [pdf]
• util/ordering.als sample model in the Alloy Analyzer

Specifying simple reactive systems in Lustre. Practice with writing Lustre models and expressing their properties. Simulating and checking Lustre models with Kind 2 (online examples) In-class exercises. Checking properties via synchronous observers. Useful temporal operators. Examples.

• Lecture notes: Reactive Systems and the Lustre language, Part 1 [pdf] and 2 [pdf]
• Chap. 1 of [Halb02], a Lustre tutorial
• (Superset of) Lustre examples seen in class

• Original paper on Lustre [Halb92]
• [Halb91], the main reference paper for Lustre
• [Halb99], an introduction to verification and testing with Lustre

Midterm exam

More practice with writing Lustre models and expressing their properties. Using counterexamples to debug the model. Switch examples.

• (Superset of) Lustre examples seen in class

Comparing systems for (conditional) observational equivalence in Lustre. Examples in Lustre. Specifying and analyzing the behavior of a simple traffic light controller.

Contract-based specification and compositional verification. Motivation and uses. Extending Lustre with contracts. Contract basics: assumptions and guarantees. Examples of contracts.

• (Superset of) Lustre examples seen in class
• Lecture notes: A Mode-aware Contract Language for Reactive Systems [pdf] (revised)
• ReqTrafficLight1-3 examples on the Kind 2 online page

More on contract-based specification. Specifying system modes in Kind 2's contract language. Modular and compositional analysis in Kind 2. Motivation and examples.

• Lecture notes: A Mode-aware Contract Language for Reactive Systems [pdf]
• Examples seen in class:
  • Stopwatch
  • Elevator
  • Door Lock
  • Thermostat
• Kind 2 User Documentation

Specifying and verifying programs in high-level programming languages. Introduction to Dafny. Method contracts in Dafny. Specifying pre and post-conditions. Compositional verification of methods through the use of contracts.

Introduction to Floyd-Hoare logic. Formalizing program behavior with Hoare triples. Strongest postconditions and weakest preconditions. The WP and SP operators. Computing WPs and SPs for assignments, variable introduction and sequential composition.

• Lecture notes: Reasoning About Programs with Dafny [pdf]
• Chap. 1, 2.1 of Program Proofs (textbook)
• Lecture notes: Floyd-Hoare logic [pdf] (revised)
• Chap. 2 of Program Proofs except for 2.9

• [Wing95], which provides several hints to specifiers
• Chap. 2.9 of Program Proofs

WPs and SPs for conditional statements and methods calls. Assert and assume statements. Method vs function calls in Dafny. Partial expressions.

Dafny in action. Various examples.
Loops in Dafny. The loop rule in Floyd-Hoare logic. Loop specifications and implementations. Deriving correct by construction implementations from specs.

• Lecture notes: Loops in Dafny [pdf]
• Chap. 11, 12 of Program Proofs except 12.3

• Chap. 3 of Program Proofs

Fall break

More on loops. Examples. Loop termination.
Arrays. Checking iterative programs with arrays. Binary search.
Reading and writing frames for reference variables. Methods that modify arrays. Examples.

• Lecture notes: Arrays in Dafny [pdf]
• Chap. 13.0-13.4 of Program Proofs
• Chap. 14 of Program Proofs
• Examples seen in class:
  • linear search
  • binary search
  • modifying arrays
  • selection sort

Classes and Objects in Dafny. Specifying classes as abstract data types to separate observable behavior from internal implementation. Examples: counters and alternative implementations of FIFO queues.

The use of dynamic frames in Dafny to specify and verify programs using objects. Motivation and uses. Queue, counter, bank account and linked list examples.

• Chap 16 of Program Proofs
• Dafny Collection Types
• Examples seen in class:
  • fancy counter
  • array-based FIFO queue
  • sequence-based FIFO queue
  • abstract counter with dynamic frames
  • bank account

• Lecture notes: Objects in Dafny [pdf]
• Examples seen in class:
  • linked list

Final Exam