Lecture Notes

Course introduction and administration. Introduction to Formal Methods.

Introduction to sets and relations

• Syllabus
• Course overview [pdf] and introduction [pdf]
• [Haxt10] An introduction to formal methods, with examples of industrial usage
• Lecture notes on sets and relations (as needed) [pdf]

• [vLam00] An introduction to formal specifications, and a survey of formal specification approaches.
• Chap. 1-2 of [Gara13] A fairly comprehensive recent survey on the use and practice of FM.
• [Barr13] Notes on expert reports and testimony of the Toyota Unintended Acceleration Litigation.

Modeling general software systems. Introduction tothe Alloy modeling language. Alloy's foundadiots. Signatures, fields, and multiplicity constrainst.

Modeling simple domains in Alloy. Generating and analyzing model instances with the Alloy Analyzer. Alloy's foundations. Signatures, fields and multiplicity constraints.

Modeling simple domains in Alloy. Generating and analyzing model instances with the Alloy Analyzer.

Relations and operations on them. Formulas, Boolean operators and quantifiers. Expressing constraints on relations using Alloy formulas.

Functions and predicates. Examples.

• Lecture notes on sets and relations (as needed) [pdf]
• Lecture notes on: An introduction to Alloy 4 [part 1, part 2]

• Alloy FAQ
• Lecture notes on First Order Logic [pdf]
• Alloy 4 tutorial, notes by Greg Dennis and Rob Seater [part 1, part 2]
• A hands-on introduction to Alloy, by Michael Sperberg-McQueen

Practice with modeling in Alloy: the Academia domain. Examples and exercises.

Alloy's module system. Motivations and uses. Parametric modules. An example: the predefined Ordering module.

• Lecture notes: the Academia model [pdf]
• Academia examples from the notes
• Lecture notes: Alloy Modules [pdf]

• util/ordering.als sample model in the Alloy Analyzer
• A hands-on introduction to Alloy, by Michael Sperberg-McQueen

Modeling dynamic systems in Alloy. Example: making the family model dynamic.

General approach: dynamic systems as state transition systems. Operators. Preconditions, postconditions and frame conditions.

Examples of operators for the family model.

• Lecture notes: Dynamic Models in Alloy [pdf]
• Family examples from the notes

More on modeling dynamic systems in Alloy. Example: rovers on a two-dimensional space. Group exercises.

A complete Alloy modeling case study: the hotel room lock system.

• Lecture notes: Autonomous Rovers [pdf]
• The rover.als rover model in dynamic systems examples
• Lecture notes: Hotel Lock System [pdf]
• The book/chapter6/hotel*.als sample models (first 2 only) in the Alloy Analyzer

Introduction to reactive systems. Introduction to the Lustre specification language.

Examples of Lustre programs. Specifying simple reactive systems in Lustre. Simulating Lustre programs with the Kind 2 tool (online examples).

Practice with writing Lustre models and expressing their properties.

Simulating Lustre programs with the Kind 2 tool (online examples).

• Lecture notes: Reactive Systems and the Lustre Language [Part 1, Part 2]
• Chap. 1 of [Halb02], a Lustre tutorial

First midterm exam.

More practice with writing Lustre models and expressnig their properties.

Checking properties via synchronous observers. Useful temporal operators.

A few examples. Checking properties. Boolean Switches and traffic light examples. In-class exercises.

• Lustre examples on the Kind 2 online page except for CruiseController.

Contract-based specification and compositional verification.

Motivation and uses. Extending Lustre with contracts. Contract basics: assumptions, guarantees and execution modes. Example of contracts.

• Lecture notes: a Mode-aware Contract Language for Reactive Systems [pdf]
• StopwatchSpec and ElevatorSpec examples on the Kind 2 online page.

• [Cham16], a paper introducing Kind 2's contract language
• Kind 2 User Documentation

Specifying and verifying programs in high-level programming languages. Introduction to Dafny. Main features. Method contracts in Dafny. Specifying pre and post-conditions. Compositional verification of methods through the use of contracts. Abstraction of while loops by loop invariants. Examples.

• Sections 1-5 of [Koen12], an introduction to the Dafny language
  (also available as an online tutorial)
• Examples

• [Wing95], which provides several hints to specifiers

More on loop invariants in Dafny. Functions and predicates. Complex specifications using recursive functions. Reading Frames. Termination of while loops and recursive functions in Dafny. Arrays and quantified verification conditions. Loop invariants for arrays. Examples.

• [Koen12], an introduction to the Dafny language
  
• Examples of max, Fibonacci, summing arrays and binary search

• Dafny online tutorials

Thanksgiving break.

Introduction to value types in Dafny: sets and sequences.

• [Lein13] and [Herb11], tutorial and lecture notes on Dafny
  
• Dafny online tutorials on collections
• Examples with sets and sequences

Second midterm exam.

Classes. Constructors, fields and class methods. Class invariants. Ghost fields. Using ghost fields to represent abstract states. Connecting concrete and abstract state in a class. Examples.

• [Lein13] and [Herb11], tutorial and lecture notes on Dafny
  
• "Class types" section of the reference manual
• Examples with abstract counter and FIFO queue