Course introduction and administration. Introduction to Formal Methods. What are formal methods and how they help in software development.

• Syllabus
• Course overview [pdf] and introduction [pdf]
• [Haxt10] An introduction to formal methods, with examples of industrial usage

• [vLam00] An introduction to formal specifications, and a survey of formal specification approaches.
• Chap. 1-2 of [Gara13] A fairly comprehensive recent survey on the use and practice of FM.
• [Barr13] Notes on expert reports and testimony of the Toyota Unintended Acceleration Litigation.

Introduction to sets and relations. Recap of basic notions in set theory. Relations and relational operators.

Modeling general software systems. Introduction to the Alloy modeling language. Alloy's foundations. Signatures, fields and multiplicity constraints.

Modeling simple domains in Alloy. Generating and analyzing model instances with the Alloy Analyzer.

• Lecture notes on sets and relations [pdf] (revised)
• Lecture notes: An introduction to Alloy 5 - Part 1 [pdf]

• Alloy FAQ
• Alloy 5 online tutorial
• Alloy 5 one-day tutorial

All exercises in set and relations notes

Relations and operations on them. Formulas, Boolean operators and quantifiers. Expressing constraints on relations using Alloy formulas. Examples of constraints. Exercises.

• Lecture notes: an introduction to Alloy 5 - Part 1 [pdf] and 2 (revised) [pdf]
• Family examples from the notes

• Alloy 5 online tutorial
• A hands-on introduction to Alloy, by Michael Sperberg-McQueen
• Alloy language reference (as needed) [pdf]

More Alloy operators. Operator precedence and parsing. Facts and assertions. Checking models and assertions with the Alloy Analyzer. Signature scopes. Functions and predicates. Examples and exercises.

Practice with modeling in Alloy: the Academia domain.

• Lecture notes: an introduction to Alloy 5 - Part 2 (revised) [pdf] and 3 (revised) [pdf]
• Lecture notes: the Academia model [pdf]
• Academia examples from the notes

• Alloy language reference (as needed) [pdf]
• A hands-on introduction to Alloy, by Michael Sperberg-McQueen

More practice with modeling in Alloy: the Academia domain. Examples and exercises.

Alloy's module system. Motivations and uses. Parametric modules. An example: the predefined Ordering module.

Modeling dynamic systems in Alloy. Example: making the family model dynamic.

• Lecture notes: the Academia model (revised) [pdf]
• Academia examples from the notes
• Lecture notes: Dynamic Models in Alloy (revised) [pdf]

• Lecture notes: Alloy Modules [pdf]
• util/ordering.als sample model in the Alloy Analyzer

More on dynamic models. Explicit time modeling and implicit time modelling in Alloy 5 (Electrum Alloy). General approach: dynamic systems as state transition systems. Operators. Preconditions, postconditions and frame conditions. Examples of operators for the family model.

Introduction to Electrum Alloy (Alloy 5). Modeling dynamic systems in Alloy 5. Examples. Group exercises.
A complete Alloy modeling case study: the hotel room lock system.

• Lecture notes: Dynamic Models in Alloy (revised) [pdf] (revised)
• Lecture notes: Hotel Lock System [pdf]
• Electrum tutorial

• Examples of equivalences in Alloy
• Electrum Alloy reference
• Lecture notes on Electrum Alloy by Alcino Cunha and Nuno Macedo on
  • Electrum overview [pdf]
  • First Order Logic [pdf]
  • Relational Logic [pdf]
  • Alloy's type system [pdf]
  • Relational model finding [pdf]
  • First-order Linear Temporal Logic [pdf]
  • Safety, liveness, and fairness [pdf]

Introduction to reactive systems. Introduction to the Lustre specification language.
Examples of Lustre programs. Specifying simple reactive systems in Lustre. Simulating Lustre programs with the Kind 2 tool (online examples).

• Lecture notes: Reactive Systems and the Lustre language, Part 1 [pdf]
• Chap. 1 of [Halb02], a Lustre tutorial
• (Superset of) Lustre examples seen in class

• Original paper on Lustre [Halb92]

Practice with writing Lustre models and expressing their properties. Simulating and checking Lustre models with Kind 2 (online examples).
Checking properties via synchronous observers. Useful temporal operators. Examples. In-class exercise.

• Lecture notes: Reactive Systems and the Lustre language, Part 1 [pdf] and 2 [pdf]
• Lustre examples seen in class
• Chap. 1 of [Halb02], a Lustre tutorial

• [Halb91], the main reference paper for Lustre
• [Halb99], an introduction to verification and testing with Lustre

Midterm exam

More practice with writing Lustre models and expressing their properties. Using counterexamples to debug the model. Traffic light examples.

• ReqTrafficLight examples on the Kind 2 online page

Contract-based specification and compositional verification. Motivation and uses. Extending Lustre with contracts. Contract basics: assumptions, guarantees and execution modes. Examples of contracts.

• Lecture notes: A Mode-aware Contract Language for Reactive System [pdf] (revised)
• StopwatchSpec and ElevatorSpec examples on the Kind 2 online page

• [Cham16], a paper introducing Kind 2's contract language
• Kind 2 User Documentation on contract syntax and semantics

More on contract-based specification. Specifying system modes in Kind 2's contract language. Modular and compositional analysis in Kind 2. Motivation and examples.

• Lecture notes: A Mode-aware Contract Language for Reactive System [pdf]
• Door Lock and Thermostat examples

• Kind 2 User Documentation

Specifying and verifying programs in high-level programming languages. Introduction to Dafny. Method contracts in Dafny. Specifying pre and post-conditions. Compositional verification of methods through the use of contracts.

• Lecture notes: Reasoning About Programs with Dafny [pdf]
• Chap. 1, 2.1 of Program Proofs (textbook)

• [Wing95], which provides several hints to specifiers

Introduction to Floyd-Hoare logic. Formalizing program behavior with Hoare triples. Strongest postconditions and weakest preconditions. The WP and SP operators. Computing WPs and SPs for assignments, sequential compositions, conditional statements, and methods calls. Assert and assume statements. Method vs function calls in Dafny. Partial expressions.
Dafny in action. Some initial examples.

• Lecture notes: Floyd-Hoare logic [pdf] (revised)
• Chap. 2 of Program Proofs except for 2.9

• Chap. 2.9 of Program Proofs

Dafny in action. Various examples.
Loops in Dafny. The loop rule in Floyd-Hoare logic. Loop specifications and implementations. Deriving correct by construction implementations from specs. Loop termination. Examples.
Recursive specifications of iterative programs. Examples.
Arrays. Checking iterative programs with arrays.

• Lecture notes: Loops in Dafny [pdf] (revised)
• Lecture notes: Iterative programs in Dafny [pdf] (revised)
• Lecture notes: Arrays in Dafny [pdf] (revised)
• Chap. 11, 12 of Program Proofs except 12.3
• Chap. 13.0-13.3 of Program Proofs

• Chap. 3 of Program Proofs

No class (Thanksgiving recess)

More on arrays. Binary search. Reading and writing frames for reference variables. Methods that modify arrays. Examples.

Classes and Objects in Dafny. Specifying classes as abstract data types to separate observable behavior from internal implementation. Examples: counters and alternative implementations of FIFO queues.

• Lecture notes: Arrays in Dafny [pdf] (revised)
• Lecture notes: Arrays in Dafny - Part II [pdf]
• Chap. 13.0-13.4 of Program Proofs
• Chap. 14, 15 of Program Proofs
• Chap 16.0-1 of Program Proofs
• Examples seen in class:
  • linear search
  • binary search
  • modifying arrays
  • selection sort
  • fancy counter
  • array-based FIFO queue
  • sequence-based FIFO queue

The use of dynamic frames in Dafny to specify and verify programs using objects. Motivation and uses. Queue, counter, bank account and linked list examples.

• Chap 16 of Program Proofs
• Dafny Collection Types
• Examples seen in class:
  • abstract counter with dynamic frames
  • bank account
  • linked list

• Lecture notes: Objects in Dafny [pdf]

Final Exam