|
Aug 26
|
Course introduction and administration.
Introduction to Formal Methods.
Required Readings:
Recommended Readings:
- [Clar96] A survey of the state of the art in formal methods in 1996.
Although the survey proper is now dated, the paper still provides a good overview of the field.
- [Beck06] A more up-to-date look at the state of the art in FMs and a discussion of the developments that make successful applications possible.
- [vLam00] An introduction to formal specifications, and a survey of formal specification approaches.
|
|
|
Aug 28
|
Introduction to Formal Methods continued.
Required Readings:
- Course introduction [pdf]
- [Medv00] Excellent complementary class notes introducing FM's.
-
Lecture notes on sets and relations (as needed)
[pdf]
Recommended Readings:
- [Wood09] An up-to-date survey on the use and practice of FM.
|
Exercises in lecture notes
|
| |
|
Sep 2
|
No class (Labor day)
|
|
|
Sep 4
|
Modeling general software systems.
Introduction to the Alloy modeling language.
Required Readings:
-
Lecture notes: An introduction to Alloy 4 [pdf]
Recommended Readings:
-
Alloy FAQ
-
Alloy 4 tutorial Part 1, notes by Greg Dennis and Rob Seater [pdf]
|
Exercises on p. 36 of lecture notes
|
| |
Sep 09
Sep 11
|
Alloy's foundations.
Relations and operations on them.
Formulas, Boolean operators and quantifiers.
Expressing constraints on relations using Alloy formulas.
Modeling simple domains in Alloy.
Generating and analyzing model instances with the Alloy Analyzer.
Practice with writing Alloys constraints.
Required Readings:
-
Lecture notes: an introduction to Alloy 4 [pdf]
-
Family examples from the notes
-
models/examples/toys/genealogy.als sample model in the Alloy Analyzer
|
Exercises in lecture notes, up to p. 87
|
| |
Sep 16
Sep 18
|
More features of the Alloy language:
functions and predicates, facts and assertions.
Practice with modeling in Alloy: the Academia domain.
Examples and exercises.
Required Readings:
|
All exercises in the lecture notes
|
| |
Sep 23
Sep 25
|
Alloy's module system. Motivations and uses.
Parametric modules.
An example: the predefined Ordering module.
Modeling dynamic systems in Alloy.
General approach: dymanic systems as state transition systems.
Operators. Preconditions, postconditions and frame conditions.
Traces.
Required Readings:
-
Lecture notes: Alloy Modules [pdf]
-
Lecture notes: Dynamic Models in Alloy [pdf] (revised)
-
Family examples
Recommended Readings:
-
util/ordering.als sample model in the Alloy Analyzer
|
All exercises in Dynamic Models notes
|
| |
Sep 30
Oct 2
|
More on modeling dynamic systems in Alloy.
A complete Alloy modeling case study: the hotel room lock system.
Discussion of Homework 1 and its solution.
Required Readings:
-
Lecture notes: Hotel Lock System [pdf] (revised)
-
book/chapter6/hotel*.als sample models (first 2 only) in the Alloy Analyzer
|
|
| |
Oct 7
Oct 9
|
Introduction to reactive systems and the Lustre language.
Examples of Lustre programs.
Specifying simple reactive systems in Lustre.
Required Readings:
- Lecture notes: Reactive Systems and the Lustre language [pdf]
- The Lustre Language, notes by P. Raymond and N. Halbwachs [pdf]
- Lustre/Luke examples
Recommended Readings:
|
|
| |
Oct 14
Oct 16
|
Simulating Lustre programs with the Luke tool (online examples).
Checking properties with synchronous observers.
Useful temporal operators. A few examples.
Required Readings:
Recommended Readings:
- Chap. 1 of [Halb02], a Lustre tutorial
- [Halb91], the main reference paper for Lustre
|
Exercise 5:
Simple nodes
|
| |
Oct 21
Oct 22
|
Modeling systems and building simulators.
The elevator case study.
Modeling and requirement specification.
Debugging and repairing the model.
In-class exercises.
Discussion of Mini-project 1 solutions.
Required Readings:
- Lecture notes: Exercises [pdf]
- Description of Elevator problem in Exercise 5
|
Exercise 5:
Problems 1,2 in
Elevator I and
Elevator II
|
| |
Oct 28
Oct 30
|
Checking invariant properties of Lustre programs using Kind.
More modeling in Lustre.
Train switch case study.
Modeling and requirement specification.
Temporal operators.
Environmental assumptions.
In-class exercises.
Required Readings:
- Train switch model [lustre]
- [Halb92], original source of the train switch problem
|
Use jKind with the train model.
|
| |
Nov 4
Nov 6
|
Specifying and verifying programs in high-level programming languages.
Introduction to Dafny.
Main features.
Specifying pre and post-conditions. Functions.
Examples.
Discussion of Homework 2 solutions.
Required Readings:
- [Koen12], an introduction to the Dafny language
|
Exercises 0-6 in [Koen12]
|
| |
Nov 11
Nov 13
|
Quantified verification conditions in Dafny.
Loop invariants.
Termination.
Frames. Predicates.
Examples.
Required Readings:
- [Koen12], an introduction to the Dafny language
Recommended Readings:
|
Exercises 7-15 in [Koen12]
|
| |
Nov 18
Nov 20
|
Dafny classes.
Class invariants.
Constructors, fields and class methods.
Ghost fields. Using ghost fields to represent abstract states.
Connecting concrete and abstract state in class.
Examples.
Predefined structures data types: finite sets.
Required Readings:
Recommended Readings:
|
All exercises in [Koen12]
|
| |
Nov 25
Nov 27
|
No class (Thanksgiving recess)
|
|
| |
Dec 2
Dec 4
|
More on specifying classes and methods in terms of abstract state.
Abstract counter example.
Abstract FIFO queue example.
Immutable data structures in Dafny: sequences, sets and multi-sets.
Discussion of Homework 3 solutions.
Required Readings:
|
|
| |
Dec 9
Dec 11
|
More on the abstract FIFO queue example.
Dynamic Frames in Dafny. Motivation and uses. Counter example revised.
Required Readings:
|
|
| |
