The use of formal methods in parallel operating systems by John A. Keane (7169261) & Walter Hussak (1257717)
 
 
 
This item was submitted to Loughborough’s Institutional Repository 
(https://dspace.lboro.ac.uk/) by the author and is made available under the 
following Creative Commons Licence conditions. 
 
 
 
 
 
For the full text of this licence, please go to: 
http://creativecommons.org/licenses/by-nc-nd/2.5/ 
 
The Use of Formal Methods in Parallel Operating Systems 
John A. Keane 
Centre for Novel Computing, 
Department of Computer Science, 
The University, Manchester, UK. 
Abstract 
Work on parallel operating systems has been in 
progress at the University of Manchester for  the past 
5 years. In  this time the operating systems for two ex- 
perimental parallel machines have been developed. A 
common specification approach has evolved as part of 
the development of these two very diflerent systems. 
In  this paper a description of how both a technique 
for  formally specifying sequential systems (VDM)  and 
a technique for  specifying concurrent systems (Tempo- 
ral Logic) have been used compatibly. In  both cases the 
issue of verification i s  addressed. 
1 Introduction 
This paper reports on the use of formal methods 
in the development of parallel operating systems for 
two experimental declarative systems over a 5 year 
period. A common specification approach has evolved 
as part of the development of these two very differ- 
ent systems: one being for a parallel graph reduc- 
tion machine and written in a functional language en- 
hanced with state-based objects, the other is a dis- 
tributed UNIX lightweight process model and is writ- 
ten in C++. Given that these were parallel operating 
systems projects and collaborative with industry, the 
actual use of formal methods in an exhaustive way 
was not feasible. Consequently it has been necessary 
to apply formal methods in what has been considered 
the "most beneficial" way. 
In the approach described here, operations that af- 
fect different parts of state have been developed top- 
down using VDM [6]. These are decomposed into 
finer-grained operations as part of the reification pro- 
cess. Ultimately, operations are a sequence of atomic 
low-level operations. It is at  this stage that sequencing 
concerns appear. High-level concurrent requirements 
are expressed as required properties, in temporal logic, 
and the temporal description of the implementation is 
0730-3157/92 $3.00 0 1992 IEEE 
245 
Walter Hussak 
Department of Computer Studies, 
University of Technology, 
Loughborough, UK. 
verified against this. 
In section 2 the operating system for the Flag- 
ship parallel graph reduction system is discussed, and 
in section 3 the lightweight process model for the 
EDS parallel declarative system is considered. A brief 
overview of each system is given before concentrating 
on the use of formal methods. 
2 The Flagship Operating System 
The Flagship project aimed to build a complete 
computing system based on a functional programming 
style, using a packet-based fine-grained graph reduc- 
tion model of computation. The machine is made up 
of a set of processor-memory pairs (PES). The dis- 
tributed store is globally addressable. 
The kernel of the system software was decomposed 
into a structure of components designed to  work con- 
currently with each other [8]. A process at the sys- 
tem software level corresponds to a functional pro- 
gram, more fine-grained execution is provided by the 
reduction of the graph of packets representing the pro- 
gram. The system software was implemented above 
the graph reduction computational model. As a re- 
sult a functional language (with the possibilities of 
efficient parallel execution) was used for implementa- 
tion. However, the necessity for some form of muta- 
ble state and non-determinism for the system software 
meant that the pure functional language Hope+ [lo]) 
was extended with state-based object-like structures, 
termed Flagship ADTs (FADTs). 
FADTs were the unit of abstraction, design and de- 
composition for the system software. The subsystems 
of the kernel were composed of these FADTS. The 
most important characteristic of an FADT is encap- 
sulated state. Each instance of an FADT can have its 
own state. The state is encapsulated in that access 
to it, from outside the FADT, can only occur via the 
interfaces provided by the FADT. State is introduced 
as part of the basic building block. Its encapsulation 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:54 from IEEE Xplore.  Restrictions apply.
is based on the principle of information hiding. In 
addition, a mechanism ensures the consistency of the 
state of an FADT, thus each operation that updates 
the state of an FADT is an atomic action. Each FADT 
with state resides on a particular PE. 
Flagship VDM (FVDM) [2], a hybrid version of 
VDM, was developed to specify FADTs. FVDM in- 
cludes properties of Hope+, such as polymorphic data 
types. A specification of an FADT in FVDM consists 
of type definitions together with functions and opera- 
tions (which specify state changes) on those types. 
An Example Kernel Subsystem 
To indicate the use of FVDM parts of an exam- 
ple subsystem will be specified. It is not intended to 
describe the subsystem in detail. 
The subsystem of interest managed the Static 
Copying Environment Table (SCET) [7]. The SCET 
mechanism enables locality of reference within func- 
tional programs to be exploited on Flagship. Briefly 
the purpose of this mechanism is to ensure that when- 
ever a copy of a function definition or constant data is 
held in one of the PES, it is always located in a well- 
known place. A SCET is conceptually a tuple (Master 
SCET,  set (Local SCET)) ,  where each master SCET 
and its associated local SCETs reside on separate PES. 
Each Master and Local SCET consist of (SCET indez, 
SCET entry) tuples, where the SCET entry is con- 
ceptually another tuple (global address, local address). 
This mechanism essentially provides a local copy of a 
“packet” at  local address, if no local copy exists then 
one is made from the global address and stored at  the 
local address (recall the store is globally addressable). 
Global SCET Manager: which acts as the interface 
to SCET Manager from other subsystems. This is 
partly specified below. 
Global-to-Local SCET Manager: which directs calls 
to the appropriate PE where the call is to be serviced. 
This is partly specified below. 
Hardware SCET Manager: the system software 
model regards Hardware SCET Manager as an FADT 
with state and operations. On the actual machine this 
state and operations existed as part of the basic exe- 
cution mechanism. 
GLOBAL SCET MANAGER FADT: 
The subsystem is made up of three FADTs: 
props PURE-FADT; 1. 
pubtype SCETM-Table,SCETM-Ptr,SCETM-Entry; 2. 
pubfun SCETM-Mk-Entry; 3. 
data SCETM-Table == HU-SCET-Table; 4. 
data SCETM-Ptr == HW-SECT-Ptr; 5. 
data SCETM-Entry == HW-SCET-Entry; 6. 
dec SCETM-Mk-Entry: 
Env-Id X HY-Packet -> SCETM-Pt 7. 
! Allocates a packet to a SCET entry, returns ! 
! the pointer to that entry (i.e. the address of ! 
! a function definition). env-id indicates the ! 
! Environments in Flagship provided the context ! 
--- SCETM-Mk-Entry (env, pkt) <= 8. 
let env == Execute-On-PE 
let root-pe == ROOT-PROCESSOR (env) in 10. 
let neighbourhood=NEIGHBOURHOOD (env) in 11. 
Mk-Master-Entry(root-pe.env-id,pkt) 13. 
in let dummy == map-set (lambda pe-id => 14. 
Mkk,Local_Entry (pe-id,env-id, 
! environment associated vith this entry. ! 
! information necessary for a graph rewrite. ! 
(0, HW-Read-Env, env-id) in 9. 
let (scet-ptr, global-ptr) == 12. 
scet-ptr, global-ptr, pkt-1) 
end ; 
neighbourhood) 
in scet-ptr; 15. 
e Line 1 gives the properties of the FADT being de- 
fined. In this case it is a purely functional FADT, i.e. 
with no state. Thus copies of the function definition 
could be located on each PE in the system. Con- 
sequently all calls to the SCET Manager subsystem 
could be handled locally. The properties of an FADT 
are used in the compilation of Hope+ generated from 
this specification [2]. 
e Line 3 indicates that the function SCETM-Mk-Entry 
is “public”, i.e. callable by other FADTs. 
0 Lines 4-6 give data type definitions (all being syn- 
onyms for data defined in Hardware SCET Manager). 
e Lines 7-15 define the public function SCETM-Mk- 
Entry. Lines 9-11 establish the environment, of the 
current computation. Lines 12-15 associate the Mas- 
ter, and each of the Local, SCET entries with the 
packet pk t .  
GLOBAL-TO-LOCAL SCET MANAGER FADT 
props STATE-BASED-FADT; 16. 
pubtype GLSCETM-MANAGER; 17. 
pubfun Init-GLSCETM; 18. 
pubop Execute-On-PE; 19. 
data HY-SECT-Stf Jap-Type == 20. 
state GLSCETM-MANAGER == REC OF [( 22. 
map OF [[PE-id, SCETM-HWII ; 21. 
HY-STF-MAP,!STF=state transition function! 
HW-SCET-STF-Map-Type) 1 ; 23. 
dec Init-GLSCETM: GLSCETM-MANAGER; 24. 
--- Init-GLSCETH <= mk-GLSCETH-MANAGER 
(map-abstract ( 
246 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:54 from IEEE Xplore.  Restrictions apply.
CO, 1, 2, 31, ! pe set ! 
(lambda pe-id => 
HY-SCET-HK-MANAGER (pe-id) 
end) ) 1 ; 2 5 .  
OP Execute-On-PE: pe-id: PE-id X f:(SCETM-HU-> 
(alpha->beta))Xarg:alpha -> result: beta; 26. 
!f is a state transition function (stf) ! 
ext rd GLSCETH: GLSCETH-MANAGER; 27. 
pre pe-id is-in doa HY-STF-MAP(GLSCETl4); 28. 
post let this-stf-set == map-lookup 29. 
(HU-STF-MAP (GLSCETH) , pe-id) in 
let func == f(this-stf-set) in 
let result == func (arg) 
in (result, GLSCETM); 30. 
This FADT receives requests to the SCET Manager 
subsystem (via the Global SCET Manager) and directs 
them on to  the appropriate Hardware SCET Manager. 
Only points new facilities of FVDM will be stressed. 
e Line 16 indicates that  this is a state-based FADT. 
e Line 22-23 defines this state. 
e Line 24-25 define the function Init-GLSCETM, 
which creates an instance of this FADT (and its asso- 
ciated state) on each P E  (0,1,2, & 3). 
e Line 26-30 define the operation Execute-On-PE 
which is higher-order in the sense that it takes a func- 
tion name, f and its arguments and a designated PE, 
and calls the instance o f f  associated with the FADT 
that resides on the designated PE. Execute-On-PE is 
specified in terms of its pre (line 28) and post (lines 
29-30) conditions. Line 27 lists the state that it reads. 
Verification of Individual Operations 
All of the Flagship Kernel operations were specified 
in FVDM. Explicit functions are expressed as normal 
Hope+ functions. Operations that manipulate state 
were expressed in terms of pre and post conditions. 
These FVDM specifications could then be trans- 
formed into Hope+ executable models with minimum 
effort and the model could then be tested. For ex- 
ample, the pre and post conditions for an operation f 
generate truth-valued functions pre-f and post-f, which 
are tested before and after the call to f. In a simi- 
lar way data type invariants [6] could be tested.This 
form of executable model, allied to testing and fur- 
ther Fagan inspections, of the specifications, provided 
a limited form of verification of the required sequential 
behaviour of the individual Kernel operations. 
binator 11, as in [5], in an understood language for the 
FADT operations (Kernel operations). The FVDM 
specifications ‘work’ in the sense of [5] with suitable 
rely and guarantee conditions. The conditions are as- 
sumed to be: 
e I rely on no other operation updating the piece of 
state that I am undating. 
e I guarantee to only update the state indicated in my 
post-condition. 
Thus, for O P 1  and O P 2  in the FADT system, 
OP1 0 P2 
ext U ext U 
post post-OPl(u1, U;) 
rely u1 = u; I 
post post-OP2(uz, 6;) 
rely u2 = U; I 
guar U1 = 6 1  guar U2 = 6 2  
OP1 ‘works’ with the perfectly acceptable interfer- 
ence of OP2, both operating on disjoint state. It is 
now possible to provide a meaning for 
OPl)lOP2 
as in [5]. In [5] 11 is used when decomposing a higher 
level operation O P  into 
OP = OPlllOP2 
Here, there is no higher level operation - OPll lOP2 
with the disjunction of their post-conditions constitute 
OP.  The only proof obligation to be discharged is that 
of co-existence, in other words 
I I 
guar-Ti(a, U ) * reZy-T,(u, U ) 
Clearly, this is the case as 
guar-OPl(u, U ) = a2 = u2 e- rely_OP2(o, U ) = u2 = u2 
and 
guar_0~2(u ,  u = u1 = ui + rely-OPl(u, 6’) = u1 = ai 
Therefore, the existing FADTs could be composed in 
parallel as in [5], and this provides a semantics. All 
the above is the rigorous argument contained in the 
informal definition of the concurrent kernel implied in 
[8]: given a Flagship concurrent FADT system, the be- 
haviour of each FADT is to a certain extent, equivalent 
to the behaviour of the FADTs in isolation. 
I I I I 
I 
3 EDS: Lightweight Process Model 
Verification of Concurrent Behaviour 
An informal definition of the Flagship concurrent 
Kernel was given in terms of an implicit parallel com- 
The European Declarative System (EDS) is in- 
tended to support various declarative languages. The 
machine architecture is made up of a set of nodes, each 
241 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:54 from IEEE Xplore.  Restrictions apply.
node contains 2 processors and a store unit. The oper- 
ating system is intended to be UNIX-like with a 4-level 
process model. To experiment with this model a light- 
weight micro-kernel was layered on top of standard 
UNIX processes. This micro-kernel enabled light- 
weight micro-processes to be scheduled, thus providing 
fine-grained non-deterministic multi-programming [3]. 
Essentially, at  an abstract level the system comprises 
processes being serviced by the processor and being 
switched on expiry of their allotted timeslice. This is 
caused by a timer signal. However, a problem arises: 
“ ... when the timer causes a signal to occur whilst a pro- 
cess is in kernel mode. The switcher (scheduler) must not 
schedule another process since to do so might lead to the 
corruption of kernel data structures, but on the other hand 
to give the currently executing process another timeslice 
would be unfair to other processes which are ready to run. 
Indeed if this solution was adopted then a process could 
continue indefinitely by always being in kernel when the 
timer signal is received. A compromise solution is to allow 
a process to continue after its timeslice ends if it is in ker- 
nel mode when this happens, but to force a context switch 
when kernel mode is left ... ” [3]. 
It is necessary to place all the aspects of the sys- 
tem in a formal setting, in order to translate this into 
a formal requirement. In common with many methods 
for specifying concurrency including [l], the first step 
is to identify the observable events. 
Observable Events 
The system comprises the components: processes, 
a processor, a scheduler and a timer signal. 
Concurrent systems are to be specified as sets of 
sequences of observable events that are allowed to oc- 
cur over the passage of time. The observable events 
are represented, formally, by propositions which are 
to be true at  a given point in time if the event can be 
deemed to be occurring at  that point in time. 
p(n): process n is active 
k(n): process n is active and in kernel mode 
start(n): process n performing start of kernel work 
end(n): process n on the point of completing kernel work 
t(n): process n is about to terminate 
sg: a timer signal is occurring 
sw: a new process will be scheduled at the next instant 
For the above informal requirements to be pre- 
sented formally a set of sequences of these events need 
to be specified. As is shown below, this is expressed 
very naturally in temporal logic. Precisely, the allow- 
able set of sequences of events are given as the set of 
solutions to a temporal logic formula over w-sequences. 
The formal semantics of the temporal logic used are 
given in [l], but the power of the intuitive appeal of 
the logic means that the specification can largely be 
understood with only a brief description of the oper- 
ators used. The specification below make use of three 
temporal operators (4 and $ are temporal formulae): 
1. 0 4  (“always 4”) is true if the formula 4 is true 
now and in every future moment. 
2. 0 4  (“at  the next moment 4”) is true now if the 
formula 4 is true at the next instant. 
3. ~ U $ J  (“4 until $”) is true if $ becomes true at  
some point in time and until that happens 4 will be 
true. 
Formal Requirements 
The following are the constraints on how the pro- 
cesses may be scheduled. From the informal require- 
ments, a process is to continue after its timeslice ends 
if it is in kernel mode, but to force a context switch 
when kernel mode is left. From this it is clear that 
three situations are allowed to arise: 
1. The process terminates before its timeslice expires. 
2. The process is switched at  the end of its timeslice 
as it is not in kernel mode. 
3. The process is in kernel mode when its timeslice 
expires, so it continues in an active state until i t  has 
completed that block of kernel work and at  the end of 
that a process switch occurs. 
This behaviour is expressed formally by describ- 
ing what may happen between consecutive process 
switches. In other words, if a switch occurs at  some 
point in time, what can happen up to the next process 
switch? The appropriate condition for the switching 
constraints is thus of the form: 
switching-constr ef 0 (sw * 441 v 442 v 43), 
where 41, 4 2  and 43 correspond to the three situations 
given above: 
41 ‘2 v o ( ( - s w  A Tsg A p ( n ) )  ( t ( n )  A S W ) )  
n 
states that after a process switch there is no process 
switch, no timer signal and the process remains active 
until it terminates at  which point a process switch does 
occur; 
442 %f vn O ( ( 1 s w  A Tsg A p ( n ) )  
(sg A sw A p ( n )  A (-k(n) V e n d ( n ) ) ) )  
is the normal situation where after a process switch 
there is no process switch, no timer signal and the 
process is active until a timer signal does occur at  
which point there is a process switch as the active 
248 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:54 from IEEE Xplore.  Restrictions apply.
process was either not in kernel or at  the point of exit 
from kernel mode; 
43 E v, O( 
(-sw A T s g  A p ( n ) )  t?d ( 
(-sg A -sw A p ( n )  A -start(n))  t?d ( 
(sg A l s w  A k(n) A l end(?%) )  A o( 
(sw A end - k ( n ) ) ) ) ) )  
is when after a process switch there is a period of no 
switching and no timer signal, until a timer signal oc- 
curs when the active process is in kernel mode and 
so it continues, without being interrupted by either a 
timer signal or process switch and not starting new 
kernel work, up to the point at  which it completes its 
portion of kernel work and finally a process switch oc- 
curs. Notice how closely the verbal description follows 
the temporal logic. 
This forms the basis of the formal requirements 
f ormal-req given in full in [4]. 
Actual Behaviour of the Implementation 
The required process scheduling is implemented by 
use of flags which are set at  various times, and on the 
basis of which a‘process switch is invoked either by a 
scheduler or a process. Thus, the implementation level 
is more detailed and has observable events denoted by 
psw, ssw, c,  setc, psetc, ssetc, sx, setsx, psetxs, ssetsx. 
There are two propositions psw and s sw ,  which in- 
dicate whether a process switch is initiated by a pro- 
cess or by the scheduler as the result of a timer signal. 
The remaining propositions relate to flags that control 
the scheduling of processes. There are two flags - the 
critical and switch-on-exit flags (see [3]). The propo- 
sitions c and sx respectively, indicate the truth value 
of these flags at any given moment in time. In order to 
change their value the flags need to be set. This calls 
for propositions setc and setsx to indicate when a flag 
is being set. As with process switching, flags can be 
set either by a process or by the scheduler. Thus there 
are the propositions psetc,  ssetc,  psetsx and sse tsx .  
The temporal behaviour of the processes in the im- 
plemented system is extracted from the code as shown 
below. One of nine statements of interest, with respect 
to process switching and flag setting, can be true for 
a process at  any instant: 
action1 (n) %if 
actionz(n) %if 
actions(n) - dLf 
dLf 
action4(n) - 
p(n)  A -k(n) A -start(n) A -end(n) 
ATt(n)  A -ysw A lpsetc A lpsetsx 
p(n)  A k(n) A -start(n) A l e n d ( n )  
A+(n) A ~ p s w  A lpsetc A ipsetsx 
p(n)  A k(n) A start(n) A -end(n) 
A-d(n)  A ~ p s w  A psetc A c A Tpsetsx 
p (n )  A k(n) A - -start(n) A end(n) 
A-t(n) A ipsw A psetc A -c A Tpsetsx 
dzf 
actions(n) - p(n)  A k(n) A Tstar t (n)  A -end(n)A 
-.t(n) A ~ p s w  A psetc A c A lpsetsx 
actions(n) Z p(n)  A k(n) A -start(n) A --end(n) 
- t (n )  A ~ p s w  A Tpsetc A psetsx A l s z  
action.r(n) = p(n)  A k ( n )  A -rstart(n) A end(n) 
ATt (n )  A psw A psetc A psetsx 
actiona(n) %if p(n)  A l k ( n )  A -wtar t (n)  A -end(n) 
At (n)  A psw A psetc A psetsx 
actions(n) %if T p ( n )  A +n) A lS tQr t (n )  A lend(n) 
A-t(n) 
def 
These reflect whether a process is inside or outside a 
critical section (kernel), and, if inside, whether i t  is at  
the start, in the middle or at  the end of it. Whether 
process switching is about to take place and the flag 
setting is given, in each case. Consider the structure 
of the code each process executes (taken from [3]): 
void P(s) 
Semaphore * s  ; 
c 
struct process *ptemp; 
-critical = TRUE; 
1. 
2. 
3. 
4.  
5. 
if (s->sem-tag == COUNT) 6. 
8. 
if (s->sem-value.sem-count > 0) { 7. 
/* Semaphore request granted */ 
s-hem-value.sem-count -= 1; 9. 
-critical = FALSE; 10. 
if (svitch-on-exit) 11. 
-critical = TRUE; 12. 
svitch-on-exit = FALSE; 13. 
if (-save-regs (&-pcurr->context) ) 14. 
15. -do-svitchO ; 
Line 4 corresponds to actions, line 5 corresponds to 
actions, lines 6-9 correspond to action2, line 10 cor- 
responds to action4, line 11 to action*, line 12 to 
actions, line 13 to actions, and line 15 to action7. The 
behaviour of all the processes together interleaves the 
actions of the individual processes, so that each pro- 
cess “performs” its own actions in the order that the 
displayed code dictates. The temporal logic formula 
in terms of 0,  0 and U is rather messy. An abbrevi- 
ated notation using an intuitive notation period and 
point is used in [4]. It is intended to indicate whether, 
conceptually, something occurs for a period or for the 
duration of one instantaneous point. 
interleaving %if A, O (actions(n) 
* 
249 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:54 from IEEE Xplore.  Restrictions apply.
period (actionE(n) v actionl(n)) 
point (actionJ(n)) 
period (actiong(n) v actionz(n)) 
point (action4 (n)) 
period (actiong(n)) 
point (sz A actaonl(n)) 
period (actiong(n)) 
point (actions (n)) 
period (actiong(n)) 
point (actions(n)) 
period (actiong(n)) 
point (action,(n)) 
period (actions ( n ) )  
point (actions(n) v t ( n ) )  
period (actionE(n) v actionl(n)) 
point (actiona(n)) 
period (actions(n) V actionz(n)) 
point (action4 ( n ) )  
period (actiong(n)) 
point (792 A act:onl(n)) 
period (actiong(n)) 
point (actionE(n) v t ( n ) ) )  
A 
(A, A, 0 (actionl(n) * AI+, A,,,+,, action1(m))) 
The large disjunction results from the testing of the 
switch-on-exit flag in line 11 of the code above and the 
execution of additional code if the value is true. 
Other features of process behaviour are given in [4]; 
they are denoted by processes here. The overall tem- 
poral behaviour of the implementation is: 
implementation gf f lag-conds A interleaving Aprocesses. 
v 
Proof Obligation 
The proof obligation is simply: 
implementation + f ormal-req. 
In the original specification a hand proof was car- 
ried out. A complete specification is contained in [4]. 
The specification reduces to a specification in ordinary 
propositional temporal logic with the not unrealistic 
assumption that there is a (known) finite limit to the 
number of processes. This means that the proof of 
the temporal properties can be mechanised, indeed the 
area of mechanising proofs in propositional temporal 
logic is currently an active area of research. In partic- 
ular, it demonstrates that the specification techniques 
of [l] can be used in the production of real systems. 
4 Conclusions 
Various approaches such as [9] have tried to recon- 
cile relational methods of specification such as VDM 
and trace-based methods such as temporal logic. How- 
ever, the problems are great and a theoretical solution 
is not feasible as an objective for a project produc- 
ing a real system. The pragmatic solution that  has 
been adopted on these projects, was to only introduce 
formality where informality was present, whether it 
be written in English or in the mind of the designer. 
This paper has described the systems that  the projects 
have developed and has illustrated the transition from 
informality to formality. The resulting formal tech- 
niques have demonstrated that the two distinct meth- 
ods of specification can be used compatibly and effec- 
tively in the development of real systems. 
Acknowledgements 
The authors wish to thank all members of the Flag- 
ship and EDS groups at the University of Manchester and 
ICL, in particular Graham Boddy, Sean Holdsworth, Steve 
Leunig and Ian Watson. 
The Flagship work was supported by a UK SERC grant 
GR/E 21070. The EDS work is supported by a European 
ESPRIT I1 grant EP2025. 
References 
[l] H. Barringer, Up and down the Temporal Way, The 
Computer Journal 30 (2), pp. 134-148, 1987. 
[2] G.S. Boddy, The Use of VDM within the Alvey Flag- 
ship Project, pp. 153-166, VDM '88 - The Way Ahead, 
LNCS-328, Springer-Verlag, 1988. 
[3] S. Holdsworth, A Proposal for the Provision of an 
Environment for Studying Distributed Operating Sys- 
tem Issues, Dept. of Comp. Sci., Univ. of Manchester, 
1990. 
[4] W. Hussak & J.A. Keane, Formal Specification ap- 
plied to Parallel Operating Systems, Dept. of Com- 
puter Science, University of Manchester, 1992. 
[5] C.B. Jones, Tentative Steps Toward a Development 
Method for Interfering Programs, ACM TOPLAS, 
vo1.5, No.4, 1983. 
[6] C.B. Jones, Systematic Software Development Using 
VDM, Prentice Hall International, (2nd. Edition), 
1990. 
[7] J.A. Keane, Aspects of Binding in a Declarative Sys- 
tem, MSc. Thesis, Department of Computer Science, 
University of Manchester, 1989. 
[8] S.R. Leunig, Design Description of the Flagship Sys- 
tem Software, Flagship Document, ICL, 1988. 
[9] C.A. Middleburg, Syntax and Semantics of VVSL, 
PhD. Thesis, University of Amsterdam, 1990. 
[lo] N. Perry, Hopet, IC/FPR/LANG/2.5.1, Department 
of Computing, Imperial College, London, 1987. 
250 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:54 from IEEE Xplore.  Restrictions apply.
