CISC422/853: Formal Methods in Software Engineering: Computer-aided Verification (Winter 2009)

Home page

[Home] [Content] [Schedule] [Readings] [Assignments] [Tools] [Projects] [Messages]

Instructor: Juergen Dingel, Goodwin Hall 723, dingel@cs, office hours: Wednesdays, 11-12
TA: Scott Grant, Goodwin Hall 624, scott@cs, office hours: Thursdays, 4-5pm, in Goodwin 248

Time and place
Monday 8:30-9:30am, Tuesday 10:30-11:30am and Thursday at 9:30-10:30am, Jeffrey Hall, Room 102.

Audience
CISC 853 is an introduction to software model checking, that is, the automated, functional analysis of software using finite-state exploration techniques. It is suitable for students with a general background in computer science or electrical and computer engineering.

General Description
This course is motivated by two trends in modern software development:

Increase in complexity of software: The size of the software we built is ever increasing (in 1983, Microsoft Word had 27,000 lines of code; now it has over a million). In addition, more and more software is built using several concurrently executing processes or machines that are distributed over a network. The complexity of the resulting systems renders traditional quality assurance techniques such as inspection and testing insufficient to ensure reasonable degrees of reliability.

Increase in reliance on software: We increasingly rely on computers and the software they run to keep our society functioning. In addition, the amount of software in embedded systems such as micro-controllers in automobiles, aircraft, medical devices, military equipment, etc is increasingly dramatically. Most of this software must be extremely reliable. Failures can result in huge financial costs or even loss of life.

The combination of these two trends means that in the future, the potential costs of software failure will grow while the likelihood of failure will increase. Experts in academia and industry agree that this situation is worrying and must be addressed by increasing our ability to control the complexities of the present and future software systems. Recent advances in computer-aided verification have made various kinds of fully automatic formal analyses of software feasible even in large-scale industrial contexts. In particular, finite-state verification (FSV) techniques such as model checking are emerging as viable means to ensure high-quality of software. In FSV, systems are modeled as finite-state automata and the properties they should satisfy are expressed in some formal notation such as temporal logic. The analysis of the system then proceeds by exhaustively exploring the state space of the system and checking that the property is met in every state. Although this technique is exponential in the worst case, it is now used in many parts of industry (e.g., INTEL, Motorola, Siemens, Bell Labs, IBM, NASA, Cadence, and Microsoft) and has helped to validate crucial properties of, e.g., on-board spacecraft controllers, network protocols, graphical user interfaces, railway interlocking systems, and industrial control systems.

The goals of this course are to

present the fundamental concepts, techniques, and research challenges of software model checking
give students an in-depth understanding of existing software model checking tools. In particular, the Bogor software model checker developed at Kansas State University and the Spin model checker developed at Bell Labs will be presented in detail, but other software model checkers such as VeriSoft (Bell Labs), JPF2 (NASA Ames), SLAM (Microsoft), and Blast (UC Berkeley) will also be discussed
give students some practical experience with the use, advantages and disadvantages of existing software model checkers
introduce students to the research in the field.

The course balances theoretical and practical elements and is most suitable for graduate students interested in the theory and practice of software development in general and of software analysis in particular.

Material

Text book: Gerard Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison Wesley. 2004. Purchase of the book is recommended, but not required.
Slides: The lecture slides will be made available.
On-line material: Most of the tools discussed in the course have extensive publically accessible web pages.
Some course notes will be provided by the instructor.

Prerequisites
Mathematical maturity on the level of CISC 203 and 204 and programming experience (preferably in Java). Some knowledge of concurrent programming.

Evaluation

For undergraduate students:
1. 4 assignments (60%)
  - groups of 1-2 students, 15% each
2. Final exam (40%)
For graduate students:
1. 4 assignments (50%)
  - groups of 1-2 students, 15% each
2. Final exam (20%)
3. Project (30%)
  - groups of 1-2 students
  - proposal, presentation, summary