A method of verification in design: an operating system case study by John A. Keane (7169261) & Walter Hussak (1257717)
 
 
 
This item was submitted to Loughborough’s Institutional Repository 
(https://dspace.lboro.ac.uk/) by the author and is made available under the 
following Creative Commons Licence conditions. 
 
 
 
 
 
For the full text of this licence, please go to: 
http://creativecommons.org/licenses/by-nc-nd/2.5/ 
 
A Method of Verication in Design: an operating system case study
John A. Keane Walter Hussak
Department of Computation Department of Computer Science
UMIST University of Loughborough
Manchester, UK UK
Abstract
This paper reports a study of verication in the
high-level design phase of operating system develop-
ment in which both rigorous and formal verication
are used, where the rigorous argument is used to de-
termine a manageable formal proof to be carried out.
A 2-sorted rst order temporal language is used to
express several possible high-level designs and the re-
quired properties of an operating system store man-
ager. The case of large system limits is reduced to a
case of small system limits by use of a rigorous ar-
gument. Corresponding propositional temporal logic
(PTL) formulae are then veried using a PTL theo-
rem prover.
Keywords
High-level design, Operating Systems, Rigorous Proof,
Temporal Logic Theorem Provers.
1 Introduction
Software development is recognised as being highly
complex and thus error-prone. The general aim of
software engineering techniques is to ensure the pro-
duction of correct and reliable software that meets re-
quirements. The validation of these requirements is a
major aspect of software engineering. There are many
approaches to validation, one of which being the use of
formal methods to provide some form of verication.
Formal methods have long been proposed as an
antidote to some of the complexity of system de-
sign and validation. The proposed use of formality
ranges from specication of requirements through to
full-blown verication of systems with increasing cost,
time and eort. For safety-critical systems there has
been a recognition of the value, indeed necessity, of for-
mality at various stage of development. Increasingly
as computer systems become mission-critical for busi-
ness, it is being recognised that 24 hours, 7 days
a week up-time is required. Such up-time mean im-
pacts the underlying hardware and systems software.
Generally for hardware, such availability is ensured
by techniques such as duplication of component. In
software a number of approaches are available at im-
plementation level such as triple modular redundancy.
Nevertheless such does not detract from the need for
better methods of validation and verication.
In terms of operating system development of en-
terprise servers, it is becoming increasingly necessary
to provide some formal treatment of validation and
verication. Such systems play a critical role in the
provision of service, and are highly complex: they of-
ten have real-time components, deal with an unpre-
dictable load, handle security of information, tend to
have very long installation lives (30+ years), and ad-
dress a large and, at design-time, unknown set of ap-
plication requirements. Perhaps most of all, they ex-
hibit as an integral design rationale the presence of
concurrency: many of the techniques and notations
for reasoning about concurrency (semaphores, condi-
tional critical regions, monitors, CSP etc) arose in the
context of operating system design.
The authors' role in the development of two
industrial-scale operating systems was to consider the
most cost-eective and useful role of formal methods,
given a small amount of human resource. In such a
system, whilst it is potentially desirable to provide
full-blown verication to the level of source code, to
meet the cost of developing theorem provers or proof
assistants that would be practical for use with the par-
ticular system is simply impossible due to resource
constraints. The emphasis of the formal process there-
fore should be on the formal specication of require-
ments and the rigorous verication of design prop-
erties. A rigorous verication uses arguments that
a mathematically educated person could understand
and accept as constituting a valid proof. It need not
be presented entirely symbolically with every minute
Proceedings of the 33rd Hawaii International Conference on System Sciences - 2000
0-7695-0493-0/00 $10.00 (c) 2000 IEEE 1
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:45 from IEEE Xplore.  Restrictions apply.
step of an argument justied by use of a computer, as
is the case with a formal proof.
An issue arises as to how to validate high level de-
sign: one approach is to test the developed system
to see if the system (and thus the high-level design to
which the implemented system should correspond) has
certain required properties. The approach here is to
provide proofs for certain cases so that the high-level
design can be evaluated at design time. Rather than
argue whether the approach here constitutes testing or
verication, we suggest that the common aim of both
testing and the approach here is to validate that the
developed system satises requirements.
This paper discusses an approach to formal spec-
ication and verication derived from work on these
industrial-scale projects. In the context of the oper-
ating system design and development, the approach is
cost-eective at providing rigorous analysis of design
properties before embarking upon costly and dicult-
to-change implementation. The method allows a rst-
order temporal language to be used abstractly at the
specication stage, yet requires only a propositional
temporal logic theorem prover to be used to verify
properties of the system.
The paper is structured as follows: x2 describes the
approach within the context of operating system de-
sign and development; in x3 store manager designs
are specied in a 2-sorted rst order temporal lan-
guage; the reduction of these specications to simple
propositional temporal formulae is given in x4; in x5
the verication of the PTL properties using tempo-
ral logic theorem provers is discussed; Finally, further
work and conclusions are discussed in x6.
2 A Practical Approach to Specica-
tion and Verication of Design
As with other software developers, operating sys-
tem designers express and document requirements us-
ing natural language. It is important that when these
high-level design requirements are expressed formally
the correspondence between informal and formal is
transparent to the designers.
A typical such specication involves processes and
various shared resource types, as seen in [4] and [7].
The system is naturally specied in a rst order tem-
poral language representing a large number of pro-
cesses and resource instances corresponding to the sys-
tem limits. Following this specication activity, there
is a need for verify properties of the system design. In
view of the problem of using theorem provers at the
actual system limits, the alternatives to full-blown for-
mal verication appear to be:
A: (i) specify for actual system limits
(ii) verify directly by rigorous argument
B: (i) specify for actual system limits
(ii) give temporal formulae for a small
number of processes and resource
instances
(iii) formally verify formulae in B(ii)
C: perform both A and B
The style of verication using a rigorous argument in-
volves the use of much less detailed proof and provides
much of the benet of formal proof gained at a much
lower cost. From this point of view the rst approach
might be advised.
However, there are two reasons why a formal ele-
ment to the proof should be considered at the high-
level design phase:
1. A greater assurance of correctness may be desired
at the high-level design phase of system develop-
ment because of the greater cost of incorrectness
at this level.
2. The smaller amount of detail at the higher level
actually makes it more practically viable for au-
tomated formal proof than lower levels of design.
If greater assurance is required then approach C may
be considered, where a rigorous proof is accompanied
by a formal proof of the temporal formulae resulting
from giving small values to the number of processes
and resource instances. The question is which small
values should be given for the number of processes and
resource instances if the formal proof is to reinforce the
rigorous proof? The proof with the chosen values is
useless if it does not reect the case of large values.
As a consequence, the following approach, D, is pro-
posed which combines the benets of both rigorous
and formal proof, and where the formal proof is a log-
ical extension of the rigorous argument.
D: (i) specify first order
(ii) rigorous argument reduction to a
small number of processes and
resource instances
(iii) give (propositional) temporal
formulae for this small number of
processes and resource instances
(iv) formally verify formulae in D(iii)
2
Proceedings of the 33rd Hawaii International Conference on System Sciences - 2000
0-7695-0493-0/00 $10.00 (c) 2000 IEEE 2
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:45 from IEEE Xplore.  Restrictions apply.
A practical case study is given here to demonstrate
how this approach can be used at the high-level design
phase of operating system development. The context
is the design methodology in [7] which analysed the
informal design processes that took place in the high-
level design of two industrially linked parallel operat-
ing systems projects - the UK Alvey Flagship project
[6] and the Esprit EDS project [9]. As a result of this
a design process to be put in place at the high-level
design phase of system development was formulated.
A feature of this design process is the use of a design
space language BSL ('Binding Strategy Language'),
which aims to provide some sort of guidance as to the
design options. The later stages of the design pro-
cess suggest formal verication of required properties
of viable designs before the costly task of implementa-
tion is embarked upon. Precisely, the design process
means formally specifying each design (the 'binding'),
the system that it will run on (the 'architectural con-
straints') and the required properties, and then veri-
fying that the overall design+system has the required
properties.
The case study is of the design of a store manager.
This will involve:
1. Specifying the design, system and properties for
dierent store managers in a rst-order temporal
language;
2. Showing that validity for temporal formulae cor-
responding to actual system limits is equivalent
to validity for valuations in a certain small case;
3. Verifying the formulae for the small case using a
theorem prover.
It should be noted that the approach described does
not help with nding required properties but rather
verifying and validating them, and in a wider context
achieving these properties in a developed system. The
assumption is that the designers (by experience and
consideration) have expressed the required properties
- of course consistency of store is a major property for
an operating system.
Related work on reducing large system limits to
small values includes [2] and [8]. The contribution
here is doing so in the context of the use of temporal
logic in the high-level design of operating systems.
3 Formal Specication of Store Man-
ager Designs
The rst order temporal language used in this sec-
tion, FLTL-2, is a 2-sorted language with time depen-
dent predicates; for further language details the inter-
ested reader is directed to [5]. The language is eas-
ily understood by operating system designers in that
FLTL-2 formulae correspond closely to the informal
English description. At a high-level, store manage-
ment comprises:
 user processes
 a system process
 a store map
 a physical store
The idea is that there is a shared virtual address
space such that each user process accesses virtual store
by rst accessing the store map to nd which physical
address corresponds to a virtual address, and then the
user process accesses the physical store.
The system process also accesses the store map and
physical store in order to reorganise the store. This
might be an access by the system process to change the
store map, later followed by an access by the system
to physical store, so that the new physical addresses of
virtual addresses, receive the data that the old physi-
cal addresses of those virtual addresses contained.
The temporal specication of the store manager de-
signs, the architectural constraints and the required
properties involve specifying the sequence of events in
time that each allows to occur. The events which are
accesses to the store map and physical store are as-
sumed to last the duration of a single point in time.
Overall, the events that may or may not be occurring
at a given point in time break down into statements
about processes and the store map. These are treated
as two sorts N and M respectively in the use of FLTL-
2. The M-sorted predicate sm, the N-sorted predicates
usm and uph, and the propositions ssm and sph have
the following meaning:
 usm(n): user process n is accessing the store map
 uph(n): user process n is accessing physical store
 sm(m): the m-th store map is in operation
 ssm: the system process is accessing the store
map
 sph: the system process is accessing physical store
A pleasant feature of temporal logic is that specica-
tions can be appreciated with only the following brief
description of the temporal operators
1
:
1
Equivalence of informal and formal specication cannot be
proved, however, it is possible to consider subjectively how clear
3
Proceedings of the 33rd Hawaii International Conference on System Sciences - 2000
0-7695-0493-0/00 $10.00 (c) 2000 IEEE 3
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:45 from IEEE Xplore.  Restrictions apply.
1. 2p (always p) is true if the formula p is true now
and in every future moment;
2. p (at the next moment p) is true now if the
formula p is true at the next instant;
3. pUq (p until q) is true if q becomes true at some
point in time and until that happens p will be
true.
First of all, two dierent system architectures (given
abstractly
2
in terms of 'architectural constraints'),
that the store manager might run on, are specied.
3.1 System 1 Architecture
3.1.1 Store map properties
At every point in time, there is some store
map in operation
 constr1
def
= 2 9m:sm(m)
Only one store map is in operation at any
instant
 constr2
def
= 8m
1
8m
2
: 2 (sm(m
1
)^ sm(m
2
))
m
1
= m
2
)
A store map can only change when the system
process accesses it
 constr3
def
= 8m
1
8m
2
: :(m
1
= m
2
) )
2 (sm(m
1
) ^sm(m
2
))ssm)
3.1.2 Concurrent Access
A user cannot be accessing the store map and
physical store at the same time
 constr4
def
= 8n: 2 :(usm(n) ^ uph(n))
The system can only access the store map and
physical store one at a time
 constr5
def
= 2 :(ssm ^ sph)
Only one user can access the store map at
any given time
 constr6
def
= 8n
1
8n
2
: 2 (usm(n
1
)^usm(n
2
))
n
1
= n
2
)
is the correspondence between informal and formal. To assess
this, a formalism needs to be tried: here the correspondence
of the formal (temporal logic) to the informal (English) "looks
good".
2
An architecture of a system can be dened abstractly in
terms of the properties that the system should exhibit. In this
context the system is the store manager.
Only one user can access the physical store
at any given time
 constr7
def
= 8n
1
8n
2
: 2 (uph(n
1
) ^ uph(n
2
) )
n
1
= n
2
)
The system cannot access the store map if a
user is accessing the store map (and
vice-versa)
 constr8
def
= 8n: 2 :(usm(n) ^ ssm)
The system cannot access the store map
whilst a user is accessing physical store
 constr9
def
= 8n: 2 :(uph(n) ^ ssm)
The system cannot access physical store
whilst the user is accessing physical store
 constr10
def
= 8n: 2 :(uph(n) ^ sph)
Notice that it is allowed for the system to access
physical store when the user is accessing the store
map. This might occur if the system is completing its
latest reorganisation of store by performing the neces-
sary physical store updates corresponding to changes
it made to the virtual to real address store map earlier
on. It is safe for a user to access the new store map at
this point as a subsequent access by the user to phys-
ical store will occur after the system has nished with
the physical store and will pick up the corresponding
new state of the physical store.
3.2 System 2 Architecture
System 2 has all the architectural constraints con-
str1 to constr10 and has the additional constraint
that,
after a change to the store map by the
system, a user cannot access physical store
until that user has observed (accessed) this
store map
 constr11
def
= 2 (ssm) 8n:(:uph(n)Uusm(n)))
3.3 First Design Option
A design option comprises a specication of the ini-
tial conditions and the 'binding' in the terminology of
[7]. The initial conditions for the rst design are that
the rst two users access the store map without a need
for an intervention by the system
4
Proceedings of the 33rd Hawaii International Conference on System Sciences - 2000
0-7695-0493-0/00 $10.00 (c) 2000 IEEE 4
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:45 from IEEE Xplore.  Restrictions apply.
 init1
def
= 9n
1
9n
2
: :(n
1
= n
2
) ^ usm(n
1
) ^
usm(n
2
)
The 'binding' condition states that if the user accesses
the store map, the next access by the user will be to
physical store at some later point in time
 bind
((U)(sm))(ph)
3
def
= 8n: 2 (usm(n) )
(:usm(n)Uuph(n)))
3.4 Second Design Option
In the second design, the initial conditions are that
rst a user accesses the store map, and then the second
user accesses the store map at some later point in time
(not necessarily immediately)
 init2
def
= 9n
1
9n
2
: :(n
1
= n
2
) ^ usm(n
1
) ^
3usm(n
2
)
For the binding, the user accesses physical store as
soon as (at the very next instant in time) the physical
address of the virtual address is obtained
 bind
(U)((sm)(ph))
4
def
= 8n: 2 (usm(n) )
uph(n))
3.5 Required Properties
The required (safety) property of the overall system
is that the store is kept consistent. In other words,
if a user accesses a store map, then the next access
to physical store cannot occur when a dierent store
map is in operation if the user has not accessed the
store map in the meantime. This is expressed by the
following equation
 prop
def
= 8n8m: 2 (usm(n) ^ sm(m) )
:((:usm(n) ^ :uph(n))U(uph(n) ^ :sm(m))))
3.6 Proof Obligations
The three proof obligations that will be considered
are as follows. Firstly, to see if the rst design running
on System 1 satises the required properties. For this,
it is necessary to show that
 eq1
def
= (init1 ^ bind
((U)(sm))(ph)
^
V
10
i=1
constr
i
)) prop
3
The subscript uses the notation of BSL, a language for gen-
erating design options. By a design option we mean a plausible
design of a system. The role of a design option is to direct the
designer at the next level of design [7].
4
Notice that, here, the subscript associates to the right,
whereas in the rst design option the subscript associated to
the left.
is valid. Secondly, to determine whether the second
design running on System 1 is correct the validity of
 eq2
def
= (init2 ^ bind
(U)((sm)(ph))
^
V
10
i=1
constr
i
)) prop
needs to be demonstrated. Finally, to see if the rst
design running on System 2 is correct, the validity of
 eq3
def
= (init1 ^ bind
((U)(sm))(ph)
^
V
11
i=1
constr
i
)) prop
needs to be shown.
4 Rigirous Argument
The next stage of the process involves:
1. producing a rigorous argument that reduces the
specication to one with a small number of pro-
cesses and resource instances;
2. providing the (propositional) temporal logic for-
mulae corresponding to these small number of
processes and resource instances.
4.1 Reduction to Small System Limits
For our case study, this involves showing that that
the proof obligations of x3- eq1, eq2 and eq3 - are each
valid for the actual system limits if and only if they
are valid for the case of 2 store maps and 2 processes.
Precisely, this means proving (rigorously):
(i) j=
(i
M
;i
N
)
eq1 , j=
(2;2)
eq1
(ii) j=
(i
M
;i
N
)
eq2 , j=
(2;2)
eq2
(iii) j=
(i
M
;i
N
)
eq3 , j=
(2;2)
eq3
where j=
(;)
eq denotes validity of the FLTL-2 for-
mula eq interpreted over domains of cardinality  and
 for the two sorts M and N respectively. The inte-
gers i
M
and i
N
are the actual system limits in our case
study. The rigorous argument for (i), (ii) and (iii) is
too large to include here but represents 3-4 pages of
hand-proof. The interested reader is referred to [5] for
the full details.
4.2 Propositional Formulae for Small Sys-
tem Limits
This involves listing the propositional temporal for-
mulae corresponding to the formulae in x3 for the case
of 2 users and 2 store maps.
5
Proceedings of the 33rd Hawaii International Conference on System Sciences - 2000
0-7695-0493-0/00 $10.00 (c) 2000 IEEE 5
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:45 from IEEE Xplore.  Restrictions apply.
4.2.1 Propositional Variables
 sm1, sm2, usm1, usm2, uph1, uph2, ssm, sph
4.2.2 System 1 and System 2 Constraints
 constr1
def
= 2(sm1 _ sm2)
 constr2
def
= 2:(sm1 ^ sm2)
 constr3
def
= 2(((sm1 ^ sm2) ) ssm) ^
((sm2 ^sm1))ssm))
 constr4
def
= 2(:(usm1 ^ uph1) ^ :(usm2 ^
uph2))
 constr5
def
= 2:(ssm ^ sph)
 constr6
def
= 2:(usm1 ^ usm2)
 constr7
def
= 2:(uph1 ^ uph2)
 constr8
def
= 2(:(usm1^ssm)^:(usm2^ssm))
 constr9
def
= 2(:(uph1^ ssm)^:(uph2^ ssm))
 constr10
def
= 2(:(uph1^ sph)^:(uph2^ sph))
4.2.3 System 2 Additional Constraint
 constr11
def
= 2((ssm ) (:uph1Uusm1)) ^
(ssm) (:uph2Uusm2)))
4.2.4 First Design Option
 init1
def
=
(usm1 ^usm2)
_
(usm2 ^usm1)
 bind
((U)(sm))(ph)
def
=
2((usm1)(:usm1Uuph1))
^
(usm2)(:usm2Uuph2)))
4.2.5 Second Design Option
 init2
def
=
(usm1 ^3usm2)
_
(usm2 ^3usm1)
 bind
(U)((sm)(ph))
def
= 2((usm1 ) uph1) ^
(usm2)uph2))
4.2.6 Required Properties
 prop
def
=
2(:(usm1^sm1^((:usm1^:uph1)U(uph1^:sm1)))
^
:(usm1^sm2^((:usm1^:uph1)U(uph1^:sm2)))
^
:(usm2^sm1^((:usm2^:uph2)U(uph2^:sm1)))
^
:(usm2^sm2^((:usm2^:uph2)U(uph2^:sm2))))
5 Formal Verication of the Designs
At this stage suitable PTL formulae have been es-
tablished, based on the rigorous argument. Hence this
stage is concerned with a formal verication of the
PTL formulae.
The three equations eq1, eq2, and eq3 were run
on the dp temporal theorem prover [3]. dp is a decision
procedure for a future linear time temporal logic over
innite time models. In the way it is used here dp
attempts to show that a given formula is valid, i.e.
that its negation has no model. Readers interested in
the detailed output of dp are referred to [5], here a
part of the verication is given.
Using dp involves having to prepare the temporal
logic formulae in an input le according to the dp syn-
tax as follows:
 G corresponds to always, i.e. 2,
 U corresponds to until, i.e. U ,
 F corresponds to sometimes, i.e. 3,
 X corresponds to next, i.e. ,
 & corresponds to and, i.e. ^,
6
Proceedings of the 33rd Hawaii International Conference on System Sciences - 2000
0-7695-0493-0/00 $10.00 (c) 2000 IEEE 6
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:45 from IEEE Xplore.  Restrictions apply.
 | corresponds to or, i.e. _,
 ~ corresponds to not, i.e. :,
 > corresponds to implies, i.e ).
For example, the formula constr8
2(:(usm1 ^ ssm) ^ :(usm2 ^ ssm))
is translated to be
G(~(usm1 & usm) & ~(usm2 & ssm))
Given this translation, dp informs the user as to the
validity of the entered formula.
The output from dp has been laid out slightly dier-
ently for appearance purposes. In addition, dp inserts
left associating brackets. Thus
(((A&B)&C)&D)
is displayed instead of
A&B&C&D
Apart from this, the correspondence between formulae
in dp and those given in x4 should be obvious.
5.1 First Design/System 1
eq1, i.e. (init1^bind
((U)(sm))(ph)
^
V
10
i=1
constr
i
))
prop, was shown to be invalid. Recall this is the design
that states that if the user accesses the store map, the
next access by the user will be to the physical store at
some later point in time. System 1 is dened as the set
of constraints, [const1,...,constr10]. The interaction
with the theorem prover was as follows:
dp> (((((((((((
((usm1 & Xusm2) | (usm2 & Xusm1))
& G((usm1 > X(~usm1 U uph1))
& (usm2 > X(~usm2 U uph2))))
& G(sm1 | sm2))
& G~(sm1 & sm2))
& G(((sm1 & Xsm2) > Xssm)
& ((sm2 & Xsm1) > Xssm)))
& G(~(usm1 & uph1) & ~(usm2 & uph2)))
& G~(ssm & sph))
& G~(usm1 & usm2))
& G~(uph1 & uph2))
& G(~(usm1 & ssm) & ~(usm2 & ssm)))
& G(~(uph1 & ssm) & ~(uph2 & ssm)))
& G(~(uph1 & sph) & ~(uph2 & sph)))
G(((((usm1 & sm1) > X~((~usm1 & ~uph1)
U (uph1 & ~sm1)))
& ((usm1 & sm2) > X~((~usm1 & ~uph1)
U (uph1 & ~sm2))))
& ((usm2 & sm1) > X~((~usm2 & ~uph2)
U (uph2 & ~sm1))))
& ((usm2 & sm2) > X~((~usm2 & ~uph2)
U (uph2 & ~sm2))))
Invalid
(142.4s)
5.2 Second Design/System 1
eq2, i.e. (init2^bind
(U)((sm)(ph))
^
V
10
i=1
constr
i
))
prop, was shown to be valid. Recall this is the design
that states that the user accesses physical store as soon
as (at the very next instant in time) the physical ad-
dress of the virtual address is obtained.
5.3 First Design/System 2
eq3, i.e. (init1^bind
((U)(sm))(ph)
^
V
11
i=1
constr
i
))
prop, was also shown to be valid. Recall this is
the same design as eq1 species, except there is an
additional architectural constraint, constr11, which
serves to make the design valid.
5.4 Summary
It has thus been shown that the rst design option
is invalid with System 1 but is valid with System 2,
where System 2 is equivalent to System 1 with the
addition of constr11. The second design option has
been shown to be valid for System 1.
6 Conclusions and Further Work
Within the context of industrial-scale operating
system development, the use of a formal treatment
is increasingly considered essential. The question is
more where can the necessarily limited resource for
formal approaches be used for most benet?
Here a method has been presented for verifying re-
quirements expressed in temporal logic by using both
a rigorous and a formal proof. The rigorous argu-
ment has been used to determine the appropriate for-
mal proof to be discharged. The temporal logic used
FLTL-2, although having a rst-order language, has
an intended interpretation over the actual operating
system limits which are large but nevertheless nite.
This makes FLTL-2 decidable even for the actual sys-
tem limits and means that in theory designs could be
7
Proceedings of the 33rd Hawaii International Conference on System Sciences - 2000
0-7695-0493-0/00 $10.00 (c) 2000 IEEE 7
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:45 from IEEE Xplore.  Restrictions apply.
proved correct without recourse to any rigorous argu-
ment. In practice even the most powerful temporal
logic theorem provers have a far more modest capa-
bility and would be of little use in producing such a
proof. The method here enables use to be made of
such theorem provers to benet the correctness of the
design. Indeed, the machine proofs of the case study
in this paper were carried out on a small in-house theo-
rem prover. The approach appears both cost-eective
and thorough. Tool support is envisaged for the pro-
duction of the PTL formulae based on the FLTL-2
formula and the numbers of processes and resources
derived in the rigorous argument. Similarly, tool sup-
port to translate the form of PTL used here to that
used as input of a particular theorem prover is also
envisaged.
The case study example, whist small enough to be
described here, is complex enough to involve concur-
rent and dierent levels of users. Other case studies
with this method are being considered, for example a
weakened requirements prop has been suggested, and
distributed store management is under consideration.
Following these, it is hoped that heuristics for the type
of rigorous argument required for concurrent system
development may be derived.
Acknowledgements
Thanks to all ex-colleagues in the Flagship and EDS
projects, and to the anonymous referees and the at-
tendees of ICSE-16 who encouraged us to carry out
verications and thus motivated much of this work.
References
[1] Abadi, M., Temporal-Logic Theorem Proving,
PhD Thesis, Stanford University, USA, Report No.
STAN-CS-87-1151, 1987.
[2] E.M.Clarke, O.Grumberg and D.E.Long, Model
Checking and Abstraction, ACM TOPLAS 16:5,
1994.
[3] G.D. Gough, Decision Procedures for Tempo-
ral Logic, MSc. Dissertation, Department of
Computer Science, University of Manchester, UK,
Technical Report Series UMCS-89-10-1, 1984.
[4] W. Hussak, Temporal Analysis of a Microkernel,
Software Engineering Journal 10:1, 1995.
[5] W. Hussak and J.A. Keane, Cost-eective Speci-
cation and verication of an Operating Systems
case study, Technical Report, department of Com-
putation, UMIST, 1998.
[6] J.A. Keane, An Overview of the Flagship System,
Journal of Functional Programming 4:1, 1994.
[7] J.A. Keane and W. Hussak, A Formal Approach to
Determining Parallel Resource Bindings, In Proc.
of 16th International Conference on Software En-
gineering, IEEE Press, 1994.
[8] F. Pong and M. Dubois, A New Approach for the
Verication of Cache Coherence Protocols, IEEE
Transactions on Parallel and Distributed Systems
6:8, 1995.
[9] C.J. Skelton, C. Hammer, M. Lopez et al., EDS: A
Parallel Computer System for Advanced Informa-
tion Processing, In PARLE'92, D. Etiemble and J.-
C. Syre (Eds.) LNCS-605, Springer-Verlag, 1992,
8
Proceedings of the 33rd Hawaii International Conference on System Sciences - 2000
0-7695-0493-0/00 $10.00 (c) 2000 IEEE 8
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:45 from IEEE Xplore.  Restrictions apply.
