Temporal analysis of a microkernel by Walter Hussak (1257717)
 
 
 
This item was submitted to Loughborough’s Institutional Repository 
(https://dspace.lboro.ac.uk/) by the author and is made available under the 
following Creative Commons Licence conditions. 
 
 
 
 
 
For the full text of this licence, please go to: 
http://creativecommons.org/licenses/by-nc-nd/2.5/ 
 
Temporal analysis of a 
micro kernel 
by Walter Hussa k 
Temporal logic techniques have been 
proposed as a way of achieving a very natural 
transition from informal requirements to a 
formal specification of the requirements. The 
paper presents a case study of a real-life 
system developed using such techniques. 
Both a top-level specification and 
implementation semantics are given in 
temporal logic. In particular, the progression 
from statements in English to temporal logic 
is highlighted. A correctness proof that the 
implemented system satisfies the 
specification has been produced. 
1 Introduction 
In the formal development of any system, an important 
issue is the clarity of the formalisms used. Ultimately, 
formal methods can only give assurance of the correct 
functioning of the system. At the transition from informal 
to top-level formal specification stage of development, 
comprehension of the formalisms used increases assur- 
ance that the customers’ requirements have been properiy 
represented. Thus, the clarity of the formalisms contribute 
directly to this assurance of the system. A discussion of 
this aspect of assurance has been described elsewhere 111. 
Formal developments of concurrent systems have to 
address additional problems. For example, what consti- 
tutes a high-level requirements specification on the concur- 
rent system? The best known approaches are the process 
algebras such as  CCS [2] and the rr-calculus [3], along with 
tools such as  the Concurrency Workbench [4] which 
support the verification methods offered by these 
approaches. 
In this paper, we report on the formal development of a 
real-life concurrent system using temporal logic. The diffi. 
culty of producing the formal high-level requirements 
amounts to analysing existing informal requirements 
witten in English. The advantage of using temporal logic 
is that it addresses concurrency as well as providing an 
easy transition from informal to formal requirements. A 
good illustration of this is the specification of a lift system 
151, where it is shown how an informal specification can 
translate very naturally into temporal logic. In this paper, a 
real-life system is developed in a similar manner [SI. Fur- 
thermore, two levels of development are given, for which a 
proof has been produced. The stages of development are 
as follows. 
Specification 
1. Give informal high-level requirements in English. 
2. Perform a temporal analysis of the informal require- 
ments. 
3. Produce a temporal specification U of the requirements. 
lrnplernentation 
1. Implement the system. 
2. Perform a temporal analysis of the implemented 
system. 
3. Produce a temporal I semantics of the implemented 
system. 
Verification 
1. Prove the formula i =. U valid. 
The specified system is a microkernel used on the Esprit II 
European Declarative System (EDS) Project. The oper- 
ating system for the EDS [6] was to be UNIX-like with a 
multikvel process model. As part of the early experimen- 
tation with this type of model, a lightweight microkernel 
was layered on top of standard UNIX processes. This 
microkernel enabled lightweight microprocesses to be 
scheduled, thus providing fine-grained non-deterministic 
multi-programming. The microkernel is documented infor- 
mally elsewhere [7].* The formal specification of the micro- 
kemel contained in this paper is a derivative of the original 
version [8] and gives full semantics for the temporal logic 
used. A correctness proof for the version in this paper is 
documented elsewhere 191. 
In the next Section, a firstader temporal logic with a 
slightly unusual semantics is defined. It is used to specify 
the microkernel. We describe a top-level formal specifi- 
cation of the microkernel by analysing the informal 
requirements given previously [7]. This is followed by the 
temporal semantics of the implementation produced by a 
temporal analysis of the implemented system as  described 
previously [7]. 
The parts of that work 171 that relate to the formal specification 
here are reproduced in this paper. 
Software Engineering Journal January 1995 21 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:12 from IEEE Xplore.  Restrictions apply.
2 Temporal language 
The system is specified in a first.order temporal logic 
where predicates as well as  propositions have time 
dependent meaning. This differs from possibly the more 
common usage where predicates have time-independent 
meanings. The latter are termed ‘rigid predicates and the 
former ‘flexible’ predicates [lo], and so the language below 
is denoted FLTL Flexible predicates are useful for 
specifying resources shared by several processes, as seen 
in examples elsewhere [I  1, 121. The domain of the predi. 
cates is understood to be the non-negative integers N. 
These represent processes in the microkernel specifi- 
cation, and the predicates are statements about the pro- 
cesses. The full syntax and semantics of FLTL are given 
below. 
2.1 Syntax 
symbols 
The language FLTL has the following symbols: 
0 a set of proposition symbols Pro 
0 a set of predicate symbols Pre 
0 the equality symbol = 
0 global variable symbols m, n, . . . 
0 connectives 1, A ,  and V 
0 temporal operators 0, U, 0 and 9 
0 quantifiers V and 3 
Formation rules 
The formulae of FLTL are as follows : 
0 a proposition symbol Pis a formula 
0 if p is a predicates symbol and n is a variable symbol, 
then p(n) is a formula 
0 if m and n are variables, then m = n is a formula 
0 if 4, and d 2  are formulae, then so are 14,, 4, A $ 2  
0 if 4, and 42 are formulae, then so are 04,, 04,, 
0 if n is a variable and 4 is a formula, then V n .  4 and 
3n .  are formulae 
and 41 v 4 2  
04, and 41e42 
2.2 Semantics 
Time is assumed to be linear and discrete. Thus, a model 
A is a pair (a, I ) ,  where 
0 a is an assignment to variables, i.e. a function from the 
set of variables to the non-negative integers. 
0 the interpretation / gives a meaning to proposition and 
predicate symbols at each state, so I = (lp,o,  lPJ ,  where 
/p,o: Pro x N -+ {true, false), 
/p,e: Pre x N + (N -+ {true, false}) 
The semantics is given by a satisfaction relation C between 
modeVcurrent state pairs and formulae 
.X,,~dJ 
If a,, . . . , a, are integers and n,, . . . , n, are variables, then 
.X.(n, t a,, ..., nk t a,) 
22 
denotes the model obtained from A by modifying its 
assignment function a to map the variables n,, . . . , n, to 
a,, . . . , a,, respedvely. 
A’,,kP 0 l P , , ( P ,  so) 
A s o k ~ ( 4  * L(P, so)(n) 
AsoCnl = n2*a(n1) = a(n2) 
As,C 14 9 As&$ is false 
A30~41 A 4 2  -=-ASOW, and Aso% 
A,,k4, v42 9 J 4 s 0 k 4 1  or -K,,142 
AM,,CVn.4 *A.(nta) , ,C4,foral laEN 
Ak,,C3n.q5 o A . ( n e a ) , o k 4 , f o r s o m e a ~ N  
Ak,,kO4 9 A S 0 + 1 k 4  
ASO~U4 
AE’,,C 0 4  
A30k41%42 o f o r  some i e  N, Asu+ik42 and 
-A3u+ik4 ,  for all i E N 
eAso+iC4 ,  for some i E  N 
A S O + j %  (0 < j <  i) 
Despite the unpleasant appearance of the semantics, it is 
shown below that the specifications can be easily under- 
stood by reading 0 as ‘next point in time’, 0 as ‘always’, 
0 as  ‘sometimes’ and % as ‘until’. 
3 Specification of requirements 
Informally, the system has the following components; pro- 
cesses and a scheduler. 
The system involves processes being serviced by the 
processor and switched by the scheduler on expiry of their 
alloted time slice. This is caused by a timer signal. 
However, a problem arises 
‘. . . when the timer causes a signal to occur whilst a 
process is in kernel mode. The switcher (scheduler) 
must not schedule another process since to do so might 
lead to the corruption of kernel data structures, but on 
the other hand to giue the currently executing process 
another time slice would be unfair to other processes 
which are ready to run. lndeed if this solution was 
adopted then a process could continue indefinitely by 
always being in kernel when the timer signal is 
received. A compromise solution is to allow a process to 
continue aper its time slice ends if it is in kernel mode 
when this happens, but to force a context switch when 
kernel mode is left.. . ’ [7]. 
In order to provide a formal specification of this, it is neces- 
sary to define a system state formally. 
3.1 Aspects of system state 
The full overall system state of the implemented system is 
described later. The aspects of this state that appear in the 
high-level specification are discussed here. They corre- 
spond to predicates which are either true or false at a 
Software Engineering Journal January 1995 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:12 from IEEE Xplore.  Restrictions apply.
given point in time: 
0 p ( n ) :  process n is active 
0 k(n):  process n is active and in kernel mode 
0 starf(n): process n performing start of kemel work 
0 end(n): process n on the point of completing kernel 
work 
0 sg : a timer signal is occurring 
0 sw : a new process will be scheduled at the next instant 
The required system is a set of sequences of states rep 
resented by a formula in FLTL whose set of models yield 
this set of sequences precisely. 
3.2 Temporal specification of requirements 
The following are the constraints on how the processes 
may be scheduled. From the informal requirements, a 
process is to continue after its time slice ends if it is in 
kernel mode, but is to force a context switch when kernel 
mode is lek From this, it is clear that two situations are 
allowed to occur. 
1.  The process is switched at the end of its time slice as  it 
is not in kernel mode. 
2. The process is in kernel mode when its time slice 
expires, and so it continues in an active state until it has 
completed that block of kernel work and, at the end of 
that, a process switch occurs. 
This behaviour is expressed formally by describing what 
may happen between consecutive process switches. In 
other words, if a switch occurs at some point in time, what 
can happen up to the next process switch? The appropri- 
ate condition for the switching constraints is thus of the 
form 
def 
U = O(SW * u1 v U * )  
where u1 and u2 correspond to the two situations given 
above. 
def 
u1 = I n .  O((1swA i .sgAp(n))% 
(sg A sw A p(n) A ( 1 k(n)  V end)))) 
is the normal situation where, after a process switch, there 
is no process switch, no timer signal and the process is 
active until a timer signal does occur, at which point there 
is a process switch as the active process was either not in 
kernel or at the point of exit from kernel mode. 
dcf 
u2 = 3n. o( 
(1 sw A i sg  A p(n))W 
(sgA l s w A k ( n ) A  l e n d ( n ) ) A O (  
( i sg A 7 sw A 1 start(n))W 
(sw A end(n)))))) 
is when, after a process switch, there is a period of no 
switching and no timer signal until a timer signal occurs 
when the active process is in kernel mode. Thus, it con- 
tinues, without being interrupted by either a timer signal or 
process switch and without starting new kernel work, up to 
Software Engineering Journal January 1995 
the point at which it completes its portion of kernel work 
and finally a process switch occurs. Notice how closely the 
verbal description follows the temporal logic. 
4 Implementation semantics 
4.1 System state 
The implemented system has as its parallel components 
an arbitrary number of processes and a scheduler. 
The execution of the overall system takes place in dis- 
crete steps. Each discrete step is associated with an overall 
system state or program state [13]. A program state I131 
comprises 
1. the values of variables accessed by the components. 
2. the label of the next instruction to be executed in each 
individual component. 
3. the next component to be scheduled. 
Condition 1 is a statement about the values of variables. 
Conditions 2 and 3 are statements relating to the sched- 
uling of components. Here, the system (program) state is 
given by 21 propositions or predicates as follows: 
1. (Boolean) variables: 
c : the critical flag is set to true 
sy : the switch-on-exit flag is set to true 
(a) Label of instruction being executed by a process n, 
one of: 
label I(n), label2(n), label3(n), label4(n), 
label5(n), label6(n), label7(n), label8(n) 
p(n): process n is active 
k(n):  process n is in kernel mode 
start(n): process n is performing start of kernel 
work 
end(n): process n on the point of completing 
kernel work 
setc: the critical flag is being set 
psetsu: the switch-on-exit flag is being set by a 
process 
psw: a process switch is being initiated by a 
process 
Scheduling : 
sw : a process switch is being initiated 
ssw: a process switch is being initiated by the sched- 
uler 
se&:  the switch-on-exit flag is being set by the 
scheduler 
sg: a timer signal is occurring 
(b) Properties of instruction being executed: 
Remarks 
(i) The required scheduling is implemented by the use of 
two flags, critical and switch-on-exit, which are set at 
various times, and on the basis of which a process switch 
is initiated either by a process or the scheduler com- 
ponent. 
(U) The system state is seen to last for the whole duration 
of the current time, rather than be some entry or exit con- 
dition [13]. For example, if sw  is true, a process switch is 
being initiated, although the old process remains active 
23 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:12 from IEEE Xplore.  Restrictions apply.
throughout this point in time. A new process will be active 
throughout the next point in time. As another example, 
the setting of a flag, such as described by setc, lasts for 
the duration of current time and is deemed to coincide 
with c obtaining and having this new value throughout this 
current time (and so, in this last respect, it differs from the 
process switching situation). 
(iii) As is seen below, the test of the condition in an if state- 
ment executed by a process takes an instant in time. 
The semantics of the system are the sequences of system 
states that are allowed to occur. These will be expressed as 
solutions to FLTL formulae. The allowable sequences of 
states are affected by the constraints of the process com- 
ponents and the constraints of the scheduler component. 
The constraints of the process components are given 
below, by analysing the previous C code [7]. The scheduler 
constraints are given by analysing the description of the 
low-level scheduler used previously [7]. 
4.2 Process component constraints 
4.2.1 lnterleaoing of labelled statements: each process 
is modelled as executing infinitely, occasionally in kernel 
mode. and sometimes executing an exit protocol on com- 
pletion of kernel mode. Precisely, each process n repeat. 
edly executes the 'cycle' of labelled statements given below 
............................................................... 
label8(n): (some non-kernel mode instruction); 
labell(n): -critical = TRUE: 
label2(n): (some kernel mode instruction); 
............................................................... 
label2(n): (some kernel mode instruction): 
label3(n): -critical = FALSE; 
label4(n): if (switch-on-&) { 
label5(n): -critical = TRUE; 
labelan): -switch-on-exit = FALSE; 
label7(n): -do-switch()} ; 
labeld(n): (some non-kemel mode instruction); 
............................................................... 
where the C code on the right-hand side of the labels is 
taken from the earlier work [71. The function -do-switch is 
a routine which performs a process switch and resets the 
-critical flag. 
The behaviour of all the processes together is an inter- 
leaving of the labelled statements executed by the individ- 
ual processes. To avoid excessive use of brackets, the 
following notation is used:t 
period 4I point ... period 42 i -  point 42, 
... period &,,, - point 42n 
def - 
41W4z A O(.. . ( 4 2 , -  1 * 0 ( 4 z ; A  O(.. . 4 z m - I  
WdZm )) .. .)) 
2 m -  I brackeln 
t The intention in this paper is to keep the basic connectives as 
simple as possible and to introduce suitable 'higher level' ones to 
aid readability. More brwity was achieved previousiy [SI. by use of 
the 'chop' operator and a hed-point constructor, at the expense 
of readability. A compositional (141 specification was also given. 
It indicates several steps taking place over a period of time 
alternated with a step at a single point in time. The inter. 
leaving of the processes is given by the following four for- 
mulae: 
dsf 
I ,  = 0 Vn.  (labell(n) 
3 (( 
period (1 p(n)) 
point (labelI(n)) 
period (label2(n) V i p ( n ) )  
point (label3(n)) 
period (1 p(n)) 
point (=A label4(n)) 
period ( l p ( n ) )  
point (label5(n)) 
period ( i p ( n ) )  
point (labelqn)) 
period ( l p ( n ) )  
point (label7(n)) 
period ( ( ~ ( f i )  A 1 k(n)) V i p(nN 
point (labelI(n))) 
V (  
period ( l p ( n ) )  
point (labell(n)) 
period (label2(n) V 1 p(n)) 
point (label3(n)) 
period (1 p(n)) 
point ( 1 s x A  label4(n)) 
period ( W n )  A 1 k(n)) V l p ( n ) )  
point (labell(n))))) 
i 2  Er Vn . ( l p ( n )  v (p(n) A 1 k(n)))Q(labelI(n)) 
i 3  = 3n 3 i .  labeli(n) 
i4 = 0 Vn Vm V i  V j  . (( 1 m = n) V (1 i = j ) )  
def 
dsf 
* l(labeli(m) A labelj(n))$ 
The effect of these four expressions is to say that the 
behaviour of all the processes together is an interleaving of 
the 'cycles' of labelled statements executed by the individ- 
ual processes. The last two expressions state that exactly 
one labelled statement is being executed at a given time. 
In the first expression, the large disjunction results from 
the testing of the switch-on-exit flag and the execution of 
additional code if the value is true. 
4.2.2 Properties of labelled statements: the interpreta- 
tion of the labelled statements in terms of p(n), k(n), 
start(n), end(n), psw, setc, psetwc, c and sx based on the 
C code given above is as  follows: 
labell(n)o p(n) A k(n)  A start(n) A i end (n )  
label2(n) 9 p(n) A k(n) A istart(n) A i end(n) 
label3(n)op(n) A k(n)  A istart(n) A end(n) 
A 1pswAsetcAcA ipsetwc 
A 7 psw A 1 setc A 1 psetsx 
A 1pswAsetcA i c A  ipsetsx 
5 Quantifying over i in labeli is a slight abuse of notation used to 
shorten the expression. The meaning should be clear. 
Software Engineering Journal January 1995 24 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:12 from IEEE Xplore.  Restrictions apply.
label4(n)op(n) A 1 k(n)  A lstart(n) A 1 end(n) 
labe15(n)op(n)A k(n)A istart(n) A l end (n )  
labelqn)op(n)A k(n)A i s ta r t (n )A  l end (n )  
labe17(n)op(n)A k(n)A istart(n)A end(n) 
label8(n)op(n)A l k ( n ) A  istart(n)A l end(n )  
A i p s w A  isetcA lpsetsx 
A 1pswAsetcAcA lpsetsx 
A 1pswA 1setcApsetsxA 1s 
ApswAsetcA 1 c A  lpsetsx 
A i p s w A  1setcA lpsetsx 
and 
p(n) V k(n) V start(n) V end(n) * 3i.labeli(n) 
The conjunction of these nine conditions is denoted by is. 
4.2.3 Propettks of flag uariables: if the critical and 
switch-on-exit flags are not set, conditions have to be 
given to indicate that they do not change 
is 2‘ 0 ((CA 0 1 c )  V (1 cA Oc) =. Osetc) 
I , ~ ~ O ( ( S ) ( A O ~ S ) ( ) V ( ~ S Y A O S T ) * O ~ ~ ~ ~ ~ )  
The switch-on-ewit flag may be set either by a process or 
the scheduler (see below) 
dcf 
i g  = O(setsxopsetsxVssetsx) 
Initially, both flags are false 
dcf 
l g  = 1 c A  IS)( 
4.3 Scheduler component constraints 
4.3.1 Basic process switching constraints: first, the 
basic property of process switching is given. A process 
remains active if no switch occurs 
dcf 
i l 0 =  OVn. ( l swAp(n ) -Op(n ) )  
If a switch occurs, there is a change in process at the next 
instant in time 
del 
i l l  = 0 Vn . (swAp(n) 0 l p ( n ) )  
A switch may be initiated by a process or by the scheduler 
dcf 
112 = o(swopswvssw)  
4.3.2 Low-lewl scheduler constraints: the low-level 
scheduler used has the following properties [7]: 
‘A scheduler initiated action can only occur at a point at 
which a timer signal is occurring‘ 
dcf 
t 1 3  = osswvssetcvs5e~=.sg 
‘At the instant of a process switch the timer is set up for 
the next time slice’ 
I 14 zf O(sw =. O(( 1 sg A 1 sw)%!(sg V sw))) 
This last requirement states that a switch is followed by a 
period of no switching and no timer signal until a timer 
signal or another switch occurs. 
Software Engineering Journal January 1995 
‘ I f  there is a timer signal but no process switch, then the 
timer signal will not be reset, and hence will not go off 
until after the next process switch occurs’ 
i I 5 z f  O((sgA 1 s w ) -  O((1sgA l swW(swA l sg ) ) )  
When the timer signal occurs the scheduler tests the 
critical flag. I f  it is false then a scheduler initiated 
process switch occurs and the switch-on-exit flag is 
cleared. Otherwise, i f  the critical flag is true, no timer 
initiated switch occurs and the switckon-exit flag is set 
to true’ 
dcf 
l I 6  = Osg*((lc*(sswAwtsvA 1%)) 
A (c =. (1sswA ssetsxA a))) 
lmplicit in the English statement of the last property is that 
the only time that a scheduler initiated process switch 
occurs is when the timer signal occurs and the critical flag 
is false. The following condition is needed for verification:* 
dcf 
117 = O(sW*(%A 1 C ) )  
4.4 Overall semantics 
The overall temporal behaviour I of the implementation 
can now be given 
dcf I =  A l j  
j =  1 
5 Conclusions and future work 
This case study has demonstrated the use of temporal 
logic, with a real-life system, to produce a formal specifi- 
cation of the requirements and implementation for the 
purpose of verifying the system. The route from informal 
description to formal specification has followed a very 
natural path. As such it proved to be a low-cost activity in 
the development of the system. 
A formal proof obligation for the correctness of the 
system is construaed vely easily. To prove the micro- 
kemel correct, it is necessary to show that the implementa- 
tion satisfies the specification, which amounts to 
demonstrating the validity of the FLTL formula 
1-0 
An extended version of this paper [9] contains a lengthy 
correctness proof of this formula based on a rigorous 
argumenf which details how a formal proof would 
proceed. The rigorous proof was used to establish the 
absence of errors in the system after the system had 
undergone extensive testing to remove errors. 
There are numerous reasons why a formal proof was 
not envisaged. First, formal proofs are theoretically impos- 
sible for the whole of FLTL. Even with finiteness assump 
tions on the number of processes to reduce formulae to 
propositional logic (PTL). the scale of the problem would 
preclude the use of any of the PTL theorem-provers in 
*The condition was only noticed later when difficulties were 
encountered in verifying the system. 
25 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:12 from IEEE Xplore.  Restrictions apply.
existence such as dp 1151. However, it is hoped that having 
available a temporal development of a real4ife system will 
suggest suitable proof assistants that might be produced 
and used, perhaps in conjunction with the development of 
improved theorem-provers, to elevate such rigorous argu- 
ments to full formal proofs. At the very least, it provides an 
idea of what it will take to formally develop and verify such 
a real-life concurrent system. 
6 Ac knowiedgments 
The author would like to thank Sean Holdsworth who 
designed the microkernel and the referee who made 
extensive comments on a previous version of this paper. 
This work was partly supported under ESPRIT II grant 
EP2025, the EDS Project. 
7 References 
[I]  BARRoCq L.M. and McDERMID, JA: 'Formal methods: 
use and relevance for the development of safety-critical 
systems'. Cornput. J., 1992,35, (6). pp. 579-599 
[2] MILNER, R: 'Communication and concurrency, (Prentice 
Hall, 1989) 
[3] MILNER, R., PARROW, J.G., and WALKER, D.J.: 'A calculus 
of mobile processes 11, Inf. Cornputat.. 1992, 100, pp. 1-40 
[4] CLEAVELAND, R., PARROW, J., and STEFFEN, B.: 'The 
Concurrency Workbench: a semantics-based tool for the 
verification of concurrent systems', ACM TOPIAS, 1993, 
15, (I), pp. 36-72 
[5] BARRINGER. H.: 'Up and down the temporal way', Cornput. 
J., 1987,30. (2), pp. 134-148 
[6] ISTAVRINOS, P.: 'Spdfication of the process control lan- 
guage (PCL)'. EDS Project document, EDS.DD. 1S.0007 
[71 HOLDSWORTH, S.: 'A proposal for the provision of an 
environment for studying distributed operating system 
issues'. EDS Project document, Department of Computer 
Science, University of Manchester, UK, 1989 
[8] HUSSAK, W.: 'Specification of a distributed operating 
system environment'. EDS Project document, Department 
of Computer Science, University of Manchester, UK, 1989 
[9] HUSSAK, W.: 'Correctness proof for a microkernel'. Internal 
Report 884, Department of Computer Studies, Loughbo- 
rough University of Technology, UK, 1994 
[IO] ABADI, M: Temporal-logic theorem proving'. PhD Thesis, 
Stanford University, California, STAN-CS87-1151 
(1 I] BARRINGER, H., FISHER, M, GABBAY, D., GOUGH, G., and 
OWENS, R: 'MerateM: a framework for programming in 
temporal logic'. REX Workshop on Stepwise Refinement of 
Distributed Systems (Led. Notes Cornput. Sci., 1989,430) 
(121 KEANE, JA, and HUSSAK, W.: 'A formal approach to 
determining parallel resource bindings'. Proc. 16th Int C o d  
on Software Engineering, ICSE '94, Italy, May 1994, pp. 
15-22 (IEEE Press) 
[I31 KROGER, F.: Temporal logic of programs' (Springer-Verlag, 
1987) 
114) BARRINGER, H.: 'Using temporal logic in the compositional 
specification of concurrent systems'. UMCS.8610-3, Depart- 
ment of Computer Science, University of Manchester, UK, 
1986 
[I51 GOUGH, G.: 'Decision procedures for temporal logic'. MSc 
Dissertation, Department of Computer Science, University of 
Manchester. UK, 1984 
C IEE: 1995 
The paper was first received 3 May and in revised form 24 
October 1994. 
The author is with the Department of Computer Studies, Lough- 
borough University of Technology, Loughborough, Leicestershire 
LEI 1 3TU. UK. 
26 Software Engineering Journal January 1995 
Authorized licensed use limited to: LOUGHBOROUGH UNIVERSITY. Downloaded on January 29, 2009 at 10:12 from IEEE Xplore.  Restrictions apply.
