*(The syllabus can be downloaded as a pdf.)*

Focuses on the formal specification and verification of reactive systems, most notably concurrent and distributed systems. Topics relevant to these systems, such as nondeterminism, safety and liveness properties, asynchronous communication or compositional reasoning, are discussed. We rely on a notation (TLA^{+}, the Temporal Logic of Actions) and a support tool (TLC, the TLA^{+} Model Checker). Prereqs: CS520 & CS659.

*Formal methods* can be used to complement other validation techniques (like testing) by providing a more rigorous, mathematically grounded view of software and hardware systems. Specifications (intended behavior) and implementations (actual systems) can be modeled with various degrees of abstraction. Such models can then be used to better track bugs or to verify correctness. Formal methods techniques are particularly beneficial to *safety-critical* systems, for which faults can have dramatic consequences (e.g., automated systems in transportation, medical equipment, industrial processes or infrastructure).

This course is an introduction to two formal methods techniques. First, one can try to mechanically check that a model satisfies its specification by basically enumerating all its possible behaviors. This technique, known as *model checking*, has been quite popular in industry and applied to both hardware and software systems. It is attractive because it can be mostly automated once a system and its specification have been modeled. Model checking has proven to be very valuable in finding tricky bugs and the behaviors that trigger them, especially in (nondeterministic) concurrent and distributed systems. Its main limitation, however, is that it does not scale well as a verification tool, due to the massive growth in the number of possible behaviors as systems become more complex (a phenomenon know as *state* (or *state space*) *explosion*).

In logic, the validity of a Boolean propositional formula can be shown by enumeration in a *truth table*, or proven using inference rules like *modus ponens*. In the same way, correctness of a model can be shown by enumeration (model checking) or by proof. This course also introduces the concept of formal correctness proofs, using two classic techniques: *inductive invariants* (for safety proofs) and *well-founded sets* (for liveness proofs).

The class spends about two thirds of the semester on modeling and model checking and one third on proofs. The same formalism, TLA^{+}, is used throughout. TLC is used as the model checker; TLAPS, the TLA^{+} proof assistant currently being developed by Microsoft and INRIA, is not used. Coursework is identical for graduate (CS-845) and undergraduate (CS-745) students, but graduate students need to achieve at least a B^{–} grade to pass the course.

- An example of TLA
^{+}modeling of a faulty Java program and use of TLC to track the bug. - A recent paper by Amazon on their use of TLA
^{+}and TLC.

- This course is one of the CS electives designated as
*theory*. - This course can be taken as CS745H by honors students.

**models & abstractions:**formal specification, program correctness, semantics of parallelism, safety and liveness, transition systems, symbolic logic and formal proof, induction, variants and invariants, temporal logic.

**applications:**model-checking as a verification and debugging tool.

Seven homework assignments (20%), one project (30%) and two exams (50%).

Minimum score for each grade: A: 90, A^{–}: 87, B^{+}: 83, B: 80, B^{–}: 77, C^{+}: 73, C: 70, C^{–}: 67, D^{+}: 63, D: 60, D^{–}: 57.

**Formal specification and verification:**- implementation vs specification
- functional correctness, typical properties (precondition, postcondition, invariants, termination)

**Reactive systems as state transition systems:**- reactive systems vs transformational systems
- system states, initial states, state transitions, behaviors
- linear-time temporal logic (LTL), safety and liveness
- formal definition of correctness

**Modeling of reactive systems:**- state predicates
- state modeling using sets and functions
- sequentiality, parallelism, nondeterminism, atomicity
- weak and strong fairness

**Reactive systems in TLA**^{+}:- state transitions as binary predicates
- stuttering and termination
- “next-state” predicates as disjunctive formulas

**TLA**^{+}syntax and semantics:- sets and functions in TLA
^{+} - tuples, sequences and records as functions
- quantifiers and set builder notation
- finite sets and cardinality
- ∧ and ∨ in bulleted lists form
`IF-THEN-ELSE`

,`EXCEPT`

,`UNION`

and`CHOOSE`

operators

- sets and functions in TLA
**System properties in TLA**^{+}:- □, ◇ and ⤳ properties
- state-based and action-based properties
- correctness as logical implication

**Model checking with TLC:**- Explicit-state model checking
- using TLC, configuration files
- limitations of TLC

**Proving properties in TLA**^{+}:- inductive invariants,
`INV1`

rule - proving action properties
- well-founded sets (variants),
`WF1`

rule,*Lattice Rule*

- inductive invariants,

- Leslie Lamport.
*Specifying Systems: The TLA*, Addison-Wesley, 2003. ISBN: 0-321-14306-X.^{+}Language and Tools for Hardware and Software Engineers - Leslie Lamport.
*The Temporal Logic of Actions*, ACM Trans. Program. Lang. Syst., 16(3):872-923, 1994.

- James L. Hein.
*Discrete Mathematics*, Jones and Bartlett Computer Science, 2003, second edition. ISBN: 0-7637-2210-3.

- TLA
^{+} - TLC, as part of the TLA Toolbox
- An example of modelling/debugging with TLA
^{+}/TLC - A paper by Amazon on their use of TLA
^{+}/TLC