(The syllabus can be downloaded as a pdf.)Next offered: Fall 2017
Focuses on the formal specification and verification of reactive systems, most notably concurrent and distributed systems. Topics relevant to these systems, such as nondeterminism, safety and liveness properties, asynchronous communication or compositional reasoning, are discussed. We rely on a notation (TLA+, the Temporal Logic of Actions) and a support tool (TLC, the TLA+ Model Checker). Prereqs: CS520 & CS659.
Formal methods can be used to complement other validation techniques (like testing) by providing a more rigorous, mathematically grounded view of software and hardware systems. Specifications (intended behavior) and implementations (actual systems) can be modeled with various degrees of abstraction. Such models can then be used to better track bugs or to verify correctness. Formal methods techniques are particularly beneficial to safety-critical systems, for which faults can have dramatic consequences (e.g., automated systems in transportation, medical equipment, industrial processes or infrastructure).
This course is an introduction to two formal methods techniques. First, one can try to mechanically check that a model satisfies its specification by basically enumerating all its possible behaviors. This technique, known as model checking, has been quite popular in industry and applied to both hardware and software systems. It is attractive because it can be mostly automated once a system and its specification have been modeled. Model checking has proven to be very valuable in finding tricky bugs and the behaviors that trigger them, especially in (nondeterministic) concurrent and distributed systems. Its main limitation, however, is that it does not scale well as a verification tool, due to the massive growth in the number of possible behaviors as systems become more complex (a phenomenon know as state (or state space) explosion).
In logic, the validity of a Boolean propositional formula can be shown by enumeration in a truth table, or proven using inference rules like modus ponens. In the same way, correctness of a model can be shown by enumeration (model checking) or by proof. This course also introduces the concept of formal correctness proofs, using two classic techniques: inductive invariants (for safety proofs) and well-founded sets (for liveness proofs).
The class spends about half a semester on modeling and model checking and half a semester on proofs. The same formalism, TLA+, is used throughout. TLC is used as the model checker; TLAPS, the TLA+ proof assistant currently being developed by Microsoft and INRIA, is not used. Coursework is identical for graduate (CS-845) and undergraduate (CS-745) students, but graduate students need to achieve at least a B– grade to pass the course.
Seven homework assignments (20%), one project (30%) and two exams (50%).
Minimum score for each grade: A: 90, A–: 87, B+: 83, B: 80, B–: 77, C+: 73, C: 70, C–: 67, D+: 63, D: 60, D–: 57.
WF1rule, Lattice Rule