Proving Determinacy of the PharOS Real-Time Operating System

Selma Azaiez, Damien Doligez, Matthieu Lemerre, Tomer Libal, and Stephan Merz

Abstract

Executions in the PharOS real-time system are deterministic in the sense that the sequence of local states for every process is independent of the order in which processes are scheduled. The essential ingredient for achieving this property is that a temporal window of execution is associated with every instruction. Messages become visible to receiving processes only after the time window of the sending message has elapsed. We present a high-level model of PharOS in TLA+ and formally state and prove determinacy using the TLA+ Proof System.

© Springer 2016

Available as: PDF | TLA+ modules

Reference

@InProceedings{azaiez:proving,
  author =       {Selma Azaiez and Damien Doligez and Matthieu Lemerre and Tomer Libal and Stephan Merz},
  title =        {Proving Determinacy of the {PharOS} Real-Time Operating System},
  booktitle =    {5th Intl. Conf. Abstract State Machines, Alloy, B, TLA, VDM, and Z (ABZ 2016)},
  publisher = {Springer},
  year =      2016,
  editor =    {Michael Butler and Klaus-Dieter Schewe and Atif Mashkoor and Mikl{\'o}s Bir{\'o}},
  series =    {LNCS},
  volume =    {9675},
  pages =     {70-85},
}

Stephan Merz