22c:181 Formal Methods in Software Engineering

Course introduction and administration. Introduction to Formal Methods.

• Course overview
• Course introduction

• [Clar96] A survey of the state of the art in formal methods in 1996. Although the survey proper is now dated, the paper still provides a good overview of the field.
• [Beck06] A more up-to-date look at the state of the art in FMs and a discussion of the developments that make successful applications possible.
• [vLam00] An introduction to formal specifications, and a survey of formal specification approaches.

Introduction to Formal Methods continued.
Recap of basic notions in set theory.

• Course introduction
• [Medv00] Excellent complementary class notes introducing FM's.
• Lecture notes on sets and relations (as needed)

• [Wood09] An up-to-date survey on the use and practice of FM.

Modeling general software systems. Introduction to the Alloy modeling language.

• Lecture notes: an introduction to Alloy 4

• Alloy FAQ
• Alloy 4 tutorial Part 1, notes by Greg Dennis and Rob Seater
• [Jack04], reference manual for Version 3 of Alloy
• Quick guide on the differences between Alloy 4 and 3.

Alloy's foundations. Relations and operations on them. Formulas, Boolean operators and quantifiers.
Expressing constraints on relations using Alloy formulas.
Modeling simple domains in Alloy. Generating and analyzing model instances with the Alloy Analyzer

• Lecture notes: an introduction to Alloy 4
• Family examples from the notes
• models/examples/toys/genealogy.als sample model in the Alloy Analyzer

Functions and predicates in Alloy.
Practice with modeling in Alloy: the Academia domain.
Examples and exercises.

• Lecture notes: the Academia model
• Academia examples from the notes

Alloy's module system. Motivations and uses. Parametric modules. An example: the predefined Ordering module.
Modeling dynamic systems in Alloy. General approach.

• Lecture notes: Alloy Modules
• Lecture notes: Dynamic Models in Alloy
• Family examples

• util/ordering.als sample model in the Alloy Analyzer

More on modeling dynamic systems in Alloy.
A complete Alloy modeling case study: the hotel room lock system.
Brief discussion of Homework 1 and its solution.

• Lecture notes: Dynamic Models in Alloy
• Lecture notes: Hotel model
• book/chapter6/hotel*.als sample models in the Alloy Analyzer

Introduction to reactive systems and the Lustre language.
Examples of Lustre programs.

• The Lustre Language, notes by P. Raymond and N. Halbwachs
• Lustre/Luke examples

• Chap. 1 of [Halb02], a Lustre tutorial

More on Lustre and its features. Specifying simple reactive systems in Lustre.
Simulating Lustre programs with the Luke tool (available in the Tools section).
Checking properties with synchronous observers.
Useful temporal operators. A few examples.
Verifying properties with Luke.

• The Lustre Language, notes by P. Raymond and N. Halbwachs
• Lustre/Luke examples
• Lecture notes: Synchronous observers

• Chap. 1 of [Halb02], a Lustre tutorial
• [Halb91], the main reference paper for Lustre

Spring break

Discussion of Miniproject 1 and its solutions.
More on checking properties with synchronous observers.

Midterm

Checking temporal properties in Lustre.
A few examples (including the integer switch from the lecture notes below).

• Lecture notes: Synchronous observers
• Lustre/Luke examples

• Solutions of Exercise 5: Simple nodes

Discussion of Lustre problems in the midterm and their solutions.
Modeling systems and building simulators.
The elevator case study.

• Description of Elevator problem in Exercise 5
• Midterm sample solutions

More on the elevator case study. Modeling and requirement specification. Debugging and repairing the model. In-class exercises.

• Description of Elevator II problem in Exercise 5

Introduction to source-code-level formal methods. A guiding methodology: Design by Contract.
Discussion of Homework 2 solutions.

• Lecture notes: Design by contract

More on design by constract. Exercises.
Introduction to the Java Modeling Language.

• Lecture notes: Design by contract
• Introduction to JML, notes by D. Cok, J. Kiniry, and E. Poll
• [Leav06], tutorial paper on Design by Contract in JML.

• A JML tutorial, notes by G. Leavens, J. Kiniry, and E. Poll

Introduction to the ESC/Java2 extended static checker.
Design by contract with ESC/Java 2. A demo and case study.

• ESC/Java2 Use and Features, notes by D. Cok, J. Kiniry, and E. Poll
• Addendum to the notes above
• Priority queue example
• ESC/Java2 demo, notes by E. Poll, J. Kiniry, and D. Cok

• JML reference manual (as needed)
• [Chal06], a description of JML and its tools

Writing more abstract JML specifications with model fields. Priority queue example revisited.
Behavioral subtyping in OO languages and in JML.
More on ESC/Java2 features and limits. Challenges with aliasing.

• Revised Priority queue example
• Specification tips and pitfalls, notes by D. Cok, J. Kiniry, and E. Poll
• ESC/Java2 Warnings, notes by D. Cok, J. Kiniry, and E. Poll

Discussion of sample solutions for Miniproject 2.
More on specification and verification challenges with OO languages, and their occurrence in ESC/Java2: invariants, reference exposure, etc.

• Specification tips and pitfalls, notes by D. Cok, J. Kiniry, and E. Poll
• Advanced JML, notes by D. Cok, J. Kiniry, and E. Poll

Brief discussion of Mini Project 3. Review of Homework 3's solution.
More on invariants and aliasing. Partial solution approaches in JML and ESC/Java2.

• Advanced JML, notes by D. Cok, J. Kiniry, and E. Poll

Introduction to Dafny. Examples.

• [Lein10a], an introduction to Dafny.
• [Lein10b], an description of verification problems in Dafny.
• Dafny examples