Proving Determinacy of the PharOS Real-Time Operating System

5th Intl. Conf. Abstract State Machines, Alloy, B, TLA, VDM, and Z, ABZ 2016
Toulouse, France


Executions in the PharOS real-time system are determin- istic in the sense that the sequence of local states for every process is independent of the order in which processes are scheduled. The essential ingredient for achieving this property is that a temporal window of ex- ecution is associated with every instruction. Messages become visible to receiving processes only after the time window of the sending message has elapsed. We present a high-level model of PharOS in TLA + and formally state and prove determinacy using the TLA + Proof System.