Formal Methods in Software Development (326.053, SS 2005)
Time: Thursday, 8:30-11:45
Room: KHG II
Start: March 10

---

Final Exam: the written exam will take place on Wednesday, October 12 , 17:15-18:45 in T211. No material is allowed, please do not forget your Kepler identity card.

Questions will focus on the theoretical background (Hoare calculus, predicate transformers, concurrency/model checking) and on small practical exercises (JML specifications, verifications of small code sniplets, modeling of and reasoning about small concurrent systems).

---

To take part in the course, you have to register in the KUSSS system.

Please also register in Moodle ("Login" at the upper right corner) such that you will receive per email all announcements that I post in the "News Forum". You may use the "Discussion Forum" for your own purpose.

Please note the changed lecture rooms (see the calendar and the announcement in the "Discussion Forum").

Contents and Organization

This course gives a survey on the use of formal methods for the development of reliable software. More specifically, we will deal with

• program specification,
• extended static checking,
• model checking,
• computer-supported proving,
• proof-carrying code.

The course consists of two parts:

1. a lecture part where the fundamental issues of the field are taught, and
2. an exercise part where practical skills are trained using freely available software tools.

The grading of the course will be based on a couple of exercises and a final exam.

Program Specification

Here we deal with the Java Modeling Language (JML).

Course Presentations

• The Java Modeling Language JML: Part 1 (4 on 1, Example Programs)
• The Java Modeling Language JML: Part 2 (4 on 1, Example Programs)
  

Background Material

• Tutorial Paper: Design by Contract with JML
• More Details: Preliminary Design of JML
  
• Tool Overview: An overview of JML tools and applications
• Tutorial Slides: Introduction to JML
• Hands-on Work: JML Exercises

Download JML Tools (local copy) (please note that the tools only work with Java 1.4.2, not with Java 5).

Extended Static Checking

Here we deal with the ESC/Java2 Extended Static Checker for Java.

Course Presentations

• Hoare Calculus and Predicate Transformers (4 on 1)
• Extended Static Checking with ESC/Java2 (4 on 1)
  

Background Material

• Introduction Paper (ESC/Java): Extended Static Checking for Java
• Introduction Paper: ESC/Java2: Uniting ESC/Java and JML
• Manual (ESC/Java): ESC/Java User's Manual
• Background paper: Checking Java programs via guarded commands
• Tutorial slides (basis): ESC/Java2 : Use and Features
• Tutorial slides (demo): ESC/Java: Extended Static Checking for Java
• Hands-on work: ESC/Java Homework Exercises

Download ESC/Java2 (local copy) (please note that ESC/Java2 only works with Java 1.4.2, not with Java 5).

Model Checking

Here we deal with the Spin model checker.

Course Presentations

• Model Checking: Part 1 (4 on 1)
• clientServer.spin: mutex.ltl, progress.ltl, progress2.ltl
• roads.spin: roads.ltl
  
• Model Checking: Part 2 (4 on 1)
• Model Checking: Part 3 (4 on 1)
• Model Checking: Part 4 (4 on 1)
  

Background Material

• Survey paper: The Model Checker Spin
• Article (German): Fehler finden durch Model Checker
• Course Slides: Logical Model Checking
• Tutorial Slides: Spin Beginner's Tutorial and Advanced Spin Tutorial
• Manual: Spin Online References (Basic Spin Manual)
  
• Hands-On Work: Verification Examples and Exercises
  
• Book: The Spin Model Checker (Amazon)
  
• Book: Model Checking (Amazon)
  

See also the course Systemtheory 2: Model Checking given by Prof. Armin Biere of the Institute for Formal Methods and Verification.

Download Spin (local copy)

Computer-Supported Proving

Here we deal with the PVS Specification and Verification System.

Course Presentations

• System Verification by Proving with PVS (4 on 1)
• Verifying Concurrent Systems with PVS (4 on 1)
• Bit Protocol: protocol.pvs, protocol.prf
• Client/Server System: clientServer.pvs, clientServer.prf
  

Background Material

• Starting Point: A Tutorial Introduction to PVS (original source)
  
• System Use: PVS System Guide
• Prover Details: PVS Prover Guide
• Specification Language: PVS Language Reference
  

Download PVS for Linux
(local copy: linux executable, system, libraries).

Proof-Carrying Code
Applying formal methods in a distributed world

This part is given by Hans-Wolfgang Loidl who works in the MRG (Mobile Resource Guarantees) project at the LMU university in Munich.

• Presentation 1
• Presentation 2
• Presentation 3
• Presentation 4
• Reading List

1. General PCC
   
1. Motivation
   
2. Basic Concepts
   
3. Main challenges
   
4. Components of the PCC Architecture
   
5. An Example
   
2. Concrete infrastructures
   
1. Details of PCC infrastructures
   
2. CCured
   
3. ConCert/Hemlock
   
4. Foundational PCC
   
5. Other relevant projects
   
3. PCC for resources
   
1. MRG: PCC for Resources
   
2. Camelot: Our High-level Language
   
3. Space Inference
   
4. Grail: Our intermediate language
   
5. A Program Logic for Grail
   
6. Termination Logic
   
7. Heap Space Logic
   
8. A PCC infrastructure for resource bounds
   
4. Hands-on Session
   
1. The MRG infrastructure
   
2. The CCured infrastructure
   
3. The Ciao infrastructure
   
4. Other stuff
   

Exercises

• Exercise 1 (April 21): Exercise, Array.java, Queue.java
• Sample Solutions: Array.java, Queue.java.
  
• Exercise 2 (May 10): Exercise
• Exercise 3 (June 9): Exercise
• Sample Solutions (Explanation): protocol.spin
  
• Exercise 4 (July 11): Exercise, exercise.pvs, arrays.pvs
  

Additional Material

The password for this section will be handed out in class. It is strongly forbidden to forward this password to anyone not participating in the course.