CS:5810 Formal Methods in Software Engineering
Fall 2015

Course introduction and administration. Introduction to Formal Methods.

• Syllabus
• Course overview [pdf] and introduction [pdf]
• [Haxt10] An introduction to formal methods, with examples of industrial usage

• [vLam00] An introduction to formal specifications, and a survey of formal specification approaches.
• Chap. 1-2 of [Gara13] A fairly comprehensive recent survey on the use and practice of FM.

Recap of basic notions in set theory. Relations and relational operators.
Modeling general software systems. Introduction to the Alloy modeling language. Alloy's foundations. Signatures, fields and multiplicity constraints.
Modeling simple domains in Alloy. Generating and analyzing model instances with the Alloy Analyzer.

• Lecture notes on sets and relations (as needed) [pdf]
• Lecture notes: An introduction to Alloy 4 - Part 1 [pdf]

• Alloy FAQ

More on the Alloy language. Relations and operations on them. Formulas, Boolean operators and quantifiers. Expressing constraints on relations using Alloy formulas. Facts and assertions. Checking models and assertions with the Alloy Analyzer.

• Lecture notes: an introduction to Alloy 4 - Part 1 [pdf] and 2 [pdf]
• Family examples from the notes

• Lecture notes by Dana Nau on First Order Logic, pages 1-22 [pdf]
• Alloy 4 tutorial, notes by Greg Dennis and Rob Seater, Part I [pdf] and II [pdf]

Functions and predicates. Practice with modeling in Alloy: the Academia domain.
Examples and exercises.

• Lecture notes: an introduction to Alloy 4 - Part 1 [pdf] and 2 [pdf]
• Family examples from the notes
• Lecture notes: the Academia model [pdf]
• Academia examples from the notes

• Alloy language reference (as needed) [pdf]

More on the Academia model. Alloy's module system. Motivations and uses. Parametric modules. An example: the predefined Ordering module.

• Lecture notes: Alloy Modules [pdf]
• Academia examples from the notes

• util/ordering.als sample model in the Alloy Analyzer

Modeling dynamic systems in Alloy. General approach: dynamic systems as state transition systems. Operators. Preconditions, postconditions and frame conditions. Example: making the family model dynamic.

• Lecture notes: Dynamic Models in Alloy [pdf]
• Family examples from the notes
• Rover model in dynamic systems examples (rover.als)
• Posted solutions for Homework 1

Discussion of homework 1 and sample solution.
Introduction to reactive systems. Introduction to the Lustre specification language.
Examples of Lustre programs. Specifying simple reactive systems in Lustre.

• Lecture notes: Reactive Systems and the Lustre language, Part 1 [pdf]

• Chap. 1 of [Halb02], a Lustre tutorial

Practice with writing Lustre models and expressing their properties. Checking properties via synchronous observers.
Simulating Lustre programs with the Kind 2 tool (online examples).

• Lecture notes: Reactive Systems and the Lustre language, Part 1 [pdf] and 2 [pdf]
• Lustre examples seens in class
• Notes on synchronous observers
• Chap. 1 of [Halb02], a Lustre tutorial

• [Halb91], the main reference paper for Lustre
• [Halb99], an introduction to verification and testing with Lustre

More practice with writing Lustre models and expressing their properties. Useful temporal operators. A few examples.
Checking properties via synchronous observers. Boolean Switches and traffic light examples. In-class exercises.

• Lustre examples seens in class
• Notes on synchronous observers

• [Halb91], the main reference paper for Lustre
• [Halb99], an introduction to verification and testing with Lustre

More group exercises on writing requirements for the traffic light example.
Modeling systems and building simulators. The elevator case study.

Discussion of Homework 2 and its solution.

• Description of Elevator problem in Exercise 5

Midterm exam.

Specifying and verifying programs in high-level programming languages. Introduction to Dafny. Main features. Specifying pre and post-conditions. Examples.

• Sections 1-5 of [Koen12], an introduction to the Dafny language
  (also available as an online tutorial)

Discussion of midterm solutions.

• [Koen12], an introduction to the Dafny language

• Dafny on-line tutorials

Complex specifications using recursive functions. Arrays and quantified verification conditions. Loop invariants for arrays. Predicates. Termination of while loops and recursive functions in Dafny. Reading Frames.
Discussion of sample solutions for Mini-project 2.

• [Koen12], an introduction to the Dafny language
• Linear search example seen in class

• Dafny quick reference
• Language reference for the Dafny type system
  (which also describes available expressions for each type)

No class (Thanksgiving recess)

More on loop invariants for arrays, predicates and termination.
Introduction to value types in Dafny: sequences. Classes. Constructors, fields and class methods. Class invariants. Ghost fields. Using ghost fields to represent abstract states. Connecting concrete and abstract state in a class. Examples.

• [Lein13] and [Herb11], tutorial and lecture notes on Dafny
• Dafny on-line tutorial on termination
• Dafny on-line tutorials on sets, multisets and sequences
• FIFO queue example and abstract integer set example seen in class

Specifying classes as abstract datatypes to separate observable behavior from internal implementation. Two examples of FIFO queue implementation.
The use of dynamic frames in Dafny to specify and verify programs using objects. Motivation and uses. Bank account and linked list examples.

• [Lein13] and [Herb11], tutorial and lecture notes on Dafny
• FIFO queue examples: with arrays and with sequences.
• Bank account example, using a static frame
• Linked list example, using a dynamic frame