Abstract: All formally defined languages need to be given an unambiguous semantics such that the meaning of all models expressed using the language is clear. In this technical report a semantic model is provided for the Real-Time dialect of the Vienna Development Method (VDM). This builds upon both the formal semantics provided for the ISO standard VDM Specification Language, and on other work on the core of the VDM-RT notation. Although none of the VDM dialects are executable in general, the primary focus of the work presented here is on the executable subset. This focus is result of parallel work on an interpreter implementation for VDM-RT that chooses one of the possible interpretations of a given model that is expressed in VDM-RT, based on the semantics presented here.

Keywords: Vienna Development Method, VDM, real-time, VDM-RT.


Cover image: Created by Overture.

ISSN: 2245-2087

Reproduction permitted provided the source is explicitly acknowledged.
Abstract

All formally defined languages need to be given an unambiguous semantics such that the meaning of all models expressed using the language is clear. In this technical report a semantic model is provided for the Real-Time dialect of the Vienna Development Method (VDM). This builds upon both the formal semantics provided for the ISO standard VDM Specification Language, and on other work on the core of the VDM-RT notation. Although none of the VDM dialects are executable in general, the primary focus of the work presented here is on the executable subset. This focus is result of parallel work on an interpreter implementation for VDM-RT that chooses one of the possible interpretations of a given model that is expressed in VDM-RT, based on the semantics presented here.
# Contents

## 1 Introduction

1.1 Styles of Semantic Definitions ................................................. 4  
1.2 The Vienna Development Method ................................................. 4  
1.3 Structural Operational Semantics .............................................. 5  
1.4 Structure of this Technical report ............................................. 5

## 2 Overview of VDM and VDM-RT Features

2.1 System Modelling in VDM ........................................................... 6  
2.2 Model Structure ................................................................. 6  
2.3 Modelling Data ................................................................. 6  
2.4 Modelling Functionality ........................................................... 8  
2.5 Modelling State and Operations ................................................ 10  
2.6 Modelling Object-oriented and Concurrent Systems in VDM++ ............ 10  
2.7 Modelling using VDM Real-Time ................................................ 11

## 3 Related Semantic Models

3.1 The Semantics of VDM-SL ........................................................... 13  
3.1.1 SemSpec and IsAModelOf ...................................................... 13  
3.1.2 Definers and Loose Definers .................................................. 14  
3.1.3 The Semantics of Looseness ................................................. 14  
3.1.4 Internal versus External Looseness ......................................... 15  
3.1.5 Semantics of Expressions ...................................................... 16  
3.2 The Semantics of VDM++ .......................................................... 17  
3.3 The Semantics of VDM-RT ....................................................... 17

## 4 Semantics of VDM-RT

4.1 Overview of Structure & Entities ................................................. 19  
4.1.1 Durations and Transaction Synchronization ................................ 21  
4.1.2 Duration Composability ......................................................... 21  
4.2 Top-level Execution Rule .......................................................... 22  
4.3 Initialization ................................................................. 23  
4.4 Operation Calls ................................................................. 23  
4.5 Periodic Threads ................................................................. 28  
4.6 Committing Pending Values ..................................................... 29  
4.7 Dealing with Durations and Context Switching ................................ 30

## 5 Concluding Remarks

2
## A Complete VDM-RT Semantics

<table>
<thead>
<tr>
<th>Section</th>
<th>Title</th>
<th>Page</th>
</tr>
</thead>
<tbody>
<tr>
<td>A.1</td>
<td>VDM-RT Abstract Syntax</td>
<td>38</td>
</tr>
<tr>
<td>A.1.1</td>
<td>Structure</td>
<td>38</td>
</tr>
<tr>
<td>A.2</td>
<td>Context Conditions/Typechecking</td>
<td>42</td>
</tr>
<tr>
<td>A.3</td>
<td>Rules</td>
<td>44</td>
</tr>
<tr>
<td>A.3.1</td>
<td>Signatures</td>
<td>44</td>
</tr>
<tr>
<td>A.3.2</td>
<td>Top level rules</td>
<td>45</td>
</tr>
<tr>
<td>A.4</td>
<td>Utility Functions</td>
<td>61</td>
</tr>
</tbody>
</table>
Chapter 1

Introduction

1.1 Styles of Semantic Definitions

Semantic models can be given in many different styles (e.g. axiomatic, denotational and operational). When using an *axiomatic* definition style, the meaning of a model expressed in a formal language is provided by describing its effect on assertions about the state of the model. The most well-known axiomatic definition style is known as Hoare Logic [Hoa69]. When using a *denotational* definition style, the meaning of a model expressed in a formal language is provided in a compositional way using mathematical objects [Str67, Sto77]. Here there is a clear distinction between syntactic and semantic domains [Sco82]. When using an *operational* definition style, the meaning of a model expressed in a formal language is provided through the definition of computational steps that may be taken [Plo81]. Here there is a distinction between the notions of small-step semantic definitions and big-step semantic definitions. Both of these are used in the semantic model given in this technical report.

1.2 The Vienna Development Method

VDM’s origins lie in the work on semantics of programming languages at IBM’s Vienna Laboratory [BJ78]. The basic modelling language is based on discrete mathematics with set theory, and its denotational semantics have been standardised [LP95]. A proof theory has also been defined, based on the typed Logic of Partial Functions (LPF) [BCJ84, JM93, BFL+94].

Basic VDM models are expressed in a specification language (VDM-SL) that supports the description of data and functionality. Data is defined by means of types built using constructors that define structured data and collections such as sets, sequences and mappings from basic values such as Booleans and numbers. These types are very abstract, allowing the user to add any relevant constraints as data type invariants. Functionality is defined in terms of functions and operations over these data types. Functions and operations can be defined implicitly using pre-conditions and post-conditions that characterize their behaviour, or explicitly with specific algorithms. The syntax of VDM may be expressed either by using a mathematical notation or by using an ASCII syntax that can be readily input on an ordinary keyboard.\footnote{In this technical report we will consistently use the ASCII syntax when we show example models that we give semantics for, and the mathematical syntax whenever we provide auxiliary functions/expressions used in the definition of the semantic model.}

An extension of VDM-SL, called VDM++, supports the object-oriented structuring of models and permits direct modelling of concurrency [FLM+05]. VDM++ was originally developed in the European research project “Afrodite”. A further extension of VDM++ is VDM Real-Time (VDM-RT), which enables modelling of real-time and distributed systems. VDM-RT was first developed in the European research project “VDM In Constrained Environments” (VICE), but this initial version only allowed for...
a single CPU \cite{MBD00}. This was extended to cope with distributed systems in Marcel Verhoe
f’s PhD thesis \cite{Ver09, VLH06}.

Using VDM-RT it is possible to define a distributed architecture with multiple CPUs and the busses that connect them. Multiple threads may be present on each CPU and the scheduling policy for these is parametrized per CPU.

All three VDM dialects are supported by an open source tool called Overture \cite{LBF10}. An executable subset of the VDM dialects —including non-deterministic elements— can be simulated using the built-in interpreter \cite{LLB11}. The simulation will exhibit the behaviour of one of the valid semantic interpretations in the presence of looseness\footnote{The notion of looseness is explained in Section \ref{section looseness}.}

\section{Structural Operational Semantics}

We use the Structural Operational Semantics (SOS) format \cite{Plo81, Plo04} to present the semantic definitions in this technical report. An SOS description consists of two major elements: a set of type definitions that describe the static structure of the system; and the definitions of the transition relations that describe the behaviour of the system. The type definitions may also be accompanied by context conditions — further constraints on the types that are analogous to the static checking done by a programming language compiler.

The logical notation used in this technical report is the basic VDM-SL type system and expressions. This notation is used to define the static structure of the VDM-RT language.

In an SOS definition, the entire system is modelled as a configuration containing all of the information needed to capture the state of a system at any given point. A configuration is typically given as a tuple, in this case of the listed components.

The behaviour of a system is defined through the use of transition relations, at least one of which must involve the system’s configuration type. In a small-step SOS definition the overall system behaviour is typically defined using a transition relation from configurations to configurations.

The transition relations are defined through the use of inference rule schemata where each rule’s conclusion defines a subset of the entire transition relation. The least relation that satisfies all of the inference rules is taken to be the relation defined.

In the work presented here we focus on the executable subset of VDM-RT and thus the collection of SOS rules defined will be incomplete in the sense that it is not supplying the SOS rules for the semantics of VDM expressions. For VDM-RT expressions we take the semantic model provided for VDM-SL \cite{LP95} (described further below in Section \ref{section vdm-sl}). This also means that we do not go into the rules relevant to deal with undefinedness, i.e. using LPF.

\section{Structure of this Technical report}

After this introduction, Chapter \ref{chapter overview} provides an overview of the main concepts in VDM and the specific features of VDM-RT. Then Chapter \ref{chapter related work} provides an overview of the existing related work on semantics of VDM dialects. Afterwards Chapter \ref{chapter sos semantics} illustrates how SOS is used to give the semantics of VDM-RT, building on top of the previous semantic efforts. Finally, Chapter \ref{chapter conclusions} provides concluding remarks about the work presented here. Appendix \ref{appendix sos} provides the full SOS semantics of VDM-RT.
Chapter 2

Overview of VDM and VDM-RT Features

2.1 System Modelling in VDM

The use of VDM involves the development and analysis of models to help understand systems and predict their properties. Good models exhibit abstraction and rigour. Abstraction is the suppression of detail that is not relevant to the purpose for which a model is constructed [Kra07]. The decision about what to include and what to omit from an abstract model requires good engineering judgement. A guiding principle in VDM is that only elements relevant to the model’s purpose should be included; it follows that the model’s purpose should be clearly understood and described. Rigour in the semantics makes it possible to perform a mathematical analysis of the model’s properties in order to gain confidence that an accurate implementation of the modelled system will have certain key characteristics.

In computing systems development, modelling and design notations with a strong mathematical basis are termed formal. VDM models, although often expressed in an executable subset, are developed primarily for analysis such as formal proofs rather than serving as final implementations.

2.2 Model Structure

In VDM, models consist of representations of the data on which a system operates and the functionality that is to be performed. The data represented includes the externally visible input/output and internal state data. The functionality includes the operations that may be invoked at the system interface as well as auxiliary functions that exist mainly to assist in the definition of the operations.

The VDM++ language extends VDM-SL (without modules) with facilities for specification of object-oriented systems, and structures models into class definitions. Each of the class definitions has similar elements to a single VDM-SL specification and, relative to the usual object-oriented languages, state variables take on the role of instance variables and operations play the part of methods. The remainder of this section will restrict consideration to VDM-SL, with VDM++ considered at a later stage.

2.3 Modelling Data

Data models in VDM are built on basic abstract data types together with a collection of type constructors. A full account of VDM-SL data types and type constructors is provided in current texts [FL98, FL09].

Basic types include Booleans, numbers (natural, integer, rational and real) and characters. Note that, in accordance with VDM’s abstraction principle, these correspond the mathematical notions of numbers, and are not bounded by constraints due to their representations in computing hardware[1]. If a user wishes

---

[1] Naturally, tools that support VDM have the same sort of representational constraints as are found in most programming languages.
to specify these limits because they are relevant to the problem being modelled, it is possible to do so explicitly by means of invariants. Invariants are logical expressions (predicates) that represent conditions to be respected by all elements of the data type to which they are attached.

The VDM ISO Standard permits both an ASCII and mathematical syntax; where the ASCII syntax is considered more accessible for readers unfamiliar with the notations of discrete mathematics. Keywords are, by convention, shown in bold face. Consider, as a simple example, a system for monitoring the flight paths of aircraft in a controlled airspace. A simple data type definition representing the Latitude of an aircraft would be given as follows:

\[
\text{Latitude} = \text{real}
\]

If it is desired to restrict the Latitude to the range of numbers from -90 to 90 inclusive, an additional condition is added to the data type in the form of an invariant. This extended type definition is as follows:

\[
\text{Latitude} = \text{real} \\
\text{inv lat} == -90 <= \text{lat} \text{ and } \text{lat} <= 90
\]

The invariant is an integral part of the data type. Thus, it is not possible to create a value of type Latitude that does not respect the invariant. The modeller must ensure that all functions and operations that create such elements respect the invariant.

More sophisticated data types are built using constructors. A record type constructor permits the definition of tuples with named fields. For example, assuming definitions of types representing Latitude, Longitude and Altitude, it is possible to define a type of values representing aircraft position, as follows:

\[
\text{Position} :: \text{lat : Latitude} \\
\text{long : Longitude} \\
\text{alt : Altitude}
\]

A value of type Position is a composite whose component values can be extracted by giving the field names. Thus, the Longitude component of a position 'p' is given by 'p.long'. VDM-SL also contains type constructors for building union and Cartesian product types.

Models are typically built around structured collections of values, so VDM-SL provides type constructors that support several collection types: sets (finite unordered collections), sequences (finite ordered collections), which both uses 1-relative indexes, and mappings (finite functions). For example, one may wish to define a type to model the path of an aircraft as a finite sequence of positions. The corresponding definition is:

\[
\text{FlightPath} = \text{seq of Position}
\]

Thus, an element of type FlightPath is a finite sequence of position records. Given a value fp of type FlightPath, the initial Altitude is expressed as fp(1).alt. If modelling a flight control system that must manage several aircraft, it would be appropriate to define a type that relates aircraft identifiers to their flight paths as a mapping:

\[
\text{FlightDetails} = \text{map AircraftId to FlightPath}
\]
A mapping in VDM is the abstract model of an associative array; individual associations are represented using an “arrow” notation, e.g. \( \{3 \mapsto \text{"text1"}, 7 \mapsto \text{"text2"}\} \) represents an association between numbers and character strings. In the flight details example, the mapping represents a finite collection of flight paths indexed by the aircraft identifier. Given a flight details mapping \( fd \) and an aircraft identifier \( a \), the following expression denotes the initial Altitude of \( a \):

\[
fd(a)(1).alt
\]

Several special basic types also facilitate abstraction. The token type is used to denote values whose representations are immaterial. Tokens can be compared for equality, but have no internal representation so no other operators may be applied to them. Tokens are particularly useful for defining types that are necessary to a model but for which no individual elements are required. For example, if the air traffic model is concerned primarily with flight paths rather than call signs, the modeller may choose not to give a detailed representation for the AircraftId type, preferring to use a token type:

\[
\text{AircraftId} = \text{token}
\]

### 2.4 Modelling Functionality

Functionality is described in terms of functions and operations that accept input values and deliver output values belonging to the types defined in the model. As with data, VDM-SL contains features to support abstraction of functionality.

Each basic type and type constructor has associated syntax allowing values to be expressed. For example, a sequence of four natural numbers might be expressed directly as follows:

\[
[3, 7, 7, 2]
\]

Comprehension notations allow more sophisticated constructions. For example, the following expression represents a sequence of all the squares of numbers up to 25:

\[
[n**2 | n \in \text{set } \{1, \ldots, 25\}]
\]

The types are equipped with operators that allow complex expressions to be constructed. For example, given a value \( s \) belonging to a sequence type, the expression \( \text{len } s \) denotes the length of the sequence. Two sequences \( s1 \) and \( s2 \) may be concatenated by an infix operator: \( s1 \hat{\text{^}} s2 \).

As in programming languages, some operators are partial, i.e., undefined for certain values of their arguments. For example, a sequence look-up such as the expression \( s(i) \) is undefined if the sequence \( s \) contains fewer than \( i \) elements. Such misapplications of partial operators correspond to potential runtime errors in a corresponding implementation. The behaviour of a real computing system when such an error occurs is not usually predictable. An error message may be returned, or an infinite loop may be entered, for example. Since such behaviour can rarely be known at modelling time, VDM treats them all as mathematically undefined in the semantics. From a tool perspective it is possible to automatically generate proof obligations ensuring that such internal consistencies will never appear [AL97, RL10].

Functions may be described explicitly or implicitly. An explicit function definition is an expression that denotes the result to be returned in terms of input parameters. Returning to the air space management example, the modeller may wish to specify a function that adds a new position on to the end of a flight
Implicit function definitions provide an important abstraction capability in VDM. While an explicit
definition like the one shown above is concise, the presence of the concrete algorithm in the definition’s
body may bias a reader implementing the model towards a particular implementation, for example by
using a corresponding concatenation operator built in the implementation’s programming language. An
implicit definition describes a function purely in terms of the result to be delivered, with no direct
reference to any algorithm to be used in the computation. This definition is given in terms of a logical
(Boolean) expression that must be satisfied by the result. This expression is termed a post-condition. A
classical example is a specification of a function for computing the square root $r$ of a natural number $n$:

$$\text{SQRT}(n: \text{nat}) r: \text{real}$$

$$\text{post } r * r = n$$

Here the required result is merely characterized, with no bias towards any particular implementation.
In particular, it will be noted that the post-condition does not constrain the result to be either positive
or negative; the modeller has indicated that either result will suffice provided that it is a square root of
the input $n$. Such implicit specifications are valuable when the provision of an algorithmic description
would obscure the meaning of the model. The disadvantage is that an implicit operation specification is
not directly executable. In the airspace management example, an implicit specification might be used
for a function to select a specific aircraft for landing, as in the following example. Here the \text{in set}
construction means that the result returned is present in the domain of the flight details mapping structure:

$$\text{Select}(fd: \text{FlightDetails}) a: \text{AircraftId}$$

$$\text{post } a \text{ in set dom } fd$$

There are cases where neither explicitly- nor implicitly-defined functions are sufficient. For example,
the function above would not be able to return a result if the flight details mapping $fd$ were empty. The
function description is thus not satisfiable for all valid inputs. Therefore, the non-emptiness of the input
$fd$ is a pre-condition on the successful application of the function. Such pre-conditions are recorded
explicitly in VDM. So, a satisfiable specification of the $\text{Select}$ function would be as follows:

$$\text{Select}(fd: \text{FlightDetails}) a: \text{AircraftId}$$

$$\text{pre } \text{dom } fd <> {}$$

$$\text{post } a \text{ in set dom } fd$$

Conditions, like invariants, provide a means of recording constraints that are often left unrecorded
in informal descriptions of computer-based systems. In the example above, the pre-condition is required
in order to ensure that the function is capable of returning a correct result in accordance with the post-
condition. An implicit specification can be considered a contract: an implementation of the operation
promises to return a result satisfying the post-condition provided the calling environment ensures that
the pre-condition is satisfied. If the pre-condition is not satisfied, no guarantees about behaviour are
made.

---

2 Although the desirability of direct execution has been debated in the literature [HJ89], [Fuc92].
### 2.5  Modelling State and Operations

Many systems have persistent state variables that are read and modified by operations, and which retain data between operation invocations. In VDM, such systems are modelled by defining a distinguished state variable of a defined type, and operations that, like functions, deliver outputs from inputs but which may also have side effects on the state variables.

A state-based version of the airspace management system might have a single state variable of type `FlightDetails`, modelling the current state of the airspace:

```
state Airspace of
  fd: FlightDetails
end
```

An operation to add a new aircraft with a single position \( p \) in its flight path might be specified implicitly as follows. Note the use of \( \sim fd \) to denote the state variable’s value before execution of the operation. This decorated version is required since the post-condition describes a mathematical relation between the pre-operation and post-operation state. The `munion` operator used in the post-condition here forms the union of two mappings provided the two mappings do not disagree (any values that are in both domains must map to the same range value).

```
New(a:AircraftId, p:Position)
  ext wr fd: FlightDetails
  pre a not in set dom fd
  post fd = \( \sim fd \) munion \{ a |-> [p]\}
```

Operations may be specified explicitly as well as implicitly. Where state variables may be modified, the language for expressing such explicit operation definitions is close to that of a classical imperative programming language, albeit one with very abstract data types. For example, the following explicit definition of the `NewOp` operation contains a single assignment to describe the updating of the `fd` state component.

```
NewOp: AircraftId * Position ==> ()
NewOp(a, p) == fd := fd munion \{ a |-> [p]\}
pre a not in set dom fd
```

Full details of implicit and explicit specification styles for both functions and operations can be found in the VDM-SL literature [FL98, FL09].

### 2.6  Modelling Object-oriented and Concurrent Systems in VDM++

VDM++ provides facilities for the creation of object-oriented descriptions of systems. The core elements of classical VDM-SL—types, values, expressions, functions, and operations—are present. The extended language also provides for models based on class definitions in which each object’s local state is represented as instance variables. Information hiding and multiple inheritance is also supported.

VDM-SL is limited to the description of sequential system models, although such models may be implemented in a parallel computing framework. The challenge in modelling concurrent computation is that separate threads (independent sequences of computations) may communicate through shared variables and inconsistencies can arise when two or more independent threads access a shared instance variable simultaneously. There has been considerable research on handling shared variable concurrency.
in VDM, notably by extending the pre/post-condition framework with rely and guarantee conditions that state, respectively, the properties that an operation requires to be invariant and the properties that it guarantees to maintain during its execution [Jon96].

The rely/guarantee approach has been a significant contribution to design methodologies for concurrent systems generally. VDM++ takes a rather pragmatic line. Here inconsistencies may arise through simultaneous access to shared objects by separate threads. These are avoided by providing synchronization constraints in the form of permission predicates that describe the conditions under which an operation may be carried out. A permission predicate may refer to an instance variable used as a flag to prevent other threads from using an object that is being used in a critical way by another thread. It may also access special variables representing the number of times each operation in an object has been requested, activated or completed, or representing the number of currently active invocations of the current operation. Consider a simple model in which a sensor produces data, writes it to a buffer object and this data is consumed by a consumer object. The buffer object provides a data model of the buffer and operations to put and get data. The consumer object should only invoke the get operation on the buffer when there is actually data to get. This restriction could be modelled by allowing a special value nil to indicate emptiness of the buffer, in which case the permission predicate (denoted by the keyword per) on the get operation in the buffer object is of the form shown below:

\[
\text{per get} \Rightarrow \text{data } \triangleleft \text{ nil}
\]

If such a special nil flag is not available, one could count the number of completed put and get operations and permit a get operation under the condition specified as follows:

\[
\begin{align*}
\text{per get} & \Rightarrow \#\text{fin(put)} - \#\text{fin(get)} = 1; \\
\text{mutex}(\text{put},\text{get})
\end{align*}
\]

Here \#\text{fin(op)} represents the number of completed occurrences of the operation op. The mutex condition enforces mutual exclusion of the put and get operations.

Permission predicates are different from operation pre-conditions. A permission predicate determines whether a request to perform an operation will be granted or blocked. If the permission is denied, another thread may be executing. A pre-condition is a well-formedness constraint on an operation invocation; if it evaluates to false when an operation call is requested, the modelling equivalent of a run-time error occurs because the caller has not satisfied the pre-condition, and has thus broken the contract.

### 2.7 Modelling using VDM Real-Time

The VDM-RT extensions to VDM support the description and analysis of real-time and distributed systems. They include primitives for modelling deployment over a distributed hardware architecture and support for asynchronous communication. Within a special system class, the modeller can specify computation resources (CPUs) connected in a communication topology by busses. Two predefined classes, CPU and BUS allow scheduling and performance characteristics of CPUs and busses to be readily expressed. The system class is a definition that groups an architectural model described using CPUs and busses with the instances that must be deployed onto that architecture.

The semantics of VDM have been extended with a notion of time so that any thread running on a computation resource and any message in transit on a communication resource can cause time to elapse. Each construct in the modelling language has a default time associated with it. Models that contain only one computation resource are compatible with models in plain VDM++.

Operations may be specified as asynchronous, allowing the caller to resume computation in its own
A new thread is created, automatically started and scheduled to execute the body of the asynchronous operation (without return values). Special (duration and cycles) statements may be used in operation bodies to specify time delays that are either independent of or dependent upon processor capacity. The time delay incurred by a message transfer over a bus can be made dependent on the size of the message being transferred and on the bandwidth of the bus.

The semantic model given for duration statements is compositional and enables validation of the runtime execution time. As a result, a top-down design approach can be used that delegates the implementation of sub-components to individual teams. The validation of runtime execution time checks the runtime execution time the body of a duration against the specified runtime of the duration to ensure that it not exceed the maximum allowed time. Furthermore, duration statements are also used as synchronization barriers in the semantic model. A thread synchronizes its transactional state when it completes a duration from its body. A more detailed description of durations is provided in Chapter 4.

In VDM-RT where time is explicit it is also possible to make threads periodic, so that their behaviour is repeated over time. The syntax of this is:

\[ \text{periodic} \ (\text{period}, \text{jitter}, \text{delay}, \text{offset})(\text{op}) \]

where:

- **period** is a non-negative, non-zero value that describes the length of the time interval between two adjacent events in a strictly periodic event stream (where jitter = 0).
- **jitter** is a non-negative value that describes the amount of time variance that is allowed around a single event. We assume that the interval is balanced \([-j, j]\). Note that jitter is allowed to be bigger than the period to characterize so-called event bursts.
- **delay** is a non-negative value smaller than the period which is used to denote the minimum inter-arrival distance between two adjacent events.
- **offset** is a non-negative value which is used to denote the absolute time value at which the first period of the event stream starts. Note that the first event occurs in the interval \([\text{offset}, \text{offset}+\text{jitter}]\).
- **op** is the operation that will be invoked in the object, in a new thread.

The relationship between the time-based fields in the Periodic construct is illustrated in Figure 2.1.
Chapter 3

Related Semantic Models

3.1 The Semantics of VDM-SL

The formal semantics of VDM-SL is included in the VDM-SL ISO standard [LHB+96]. It is written in a denotational style based on basic set theory with least fixed point semantics for recursive definitions [LP95]. The domain universe for VDM-SL has been inspired by [TW90]; it provides denotations for all values expressible in VDM-SL. The meta-notation used for expressing the formal methods has itself be precisely described but here we refer the reader to [LP95] for an explanation of these. In this section we intend to give the reader a little insight into the style of the formal semantics of VDM-SL.

In traditional denotational semantics it is customary to provide a meaning function for each kind of syntactic component. Such a meaning function is a mapping from a syntax category to its meaning. This is done by means of a composition of the meaning of the components of the abstract syntax category. This means that in the case of a specification language with looseness, this approach would explicitly map the abstract syntax of the entire specification to the set of models which the specification denotes. However, this explicit style traditionally uses an order in which the definitions from the object language (in this case VDM-SL) must appear. In VDM-SL such an ordering is not defined and in general there can be mutual dependencies between definitions in different syntactic categories. The presence of looseness also makes definitions formulated with the explicit style more difficult to read [AL88]. Therefore the dynamic semantics of VDM-SL has been formulated in an implicit relational style instead of the traditional constructive style of denotational semantics.

3.1.1 SemSpec and IsAModelOf

The top-level function which gives meaning to a syntactic specification is defined as:

\[
\text{SemSpec} : \text{Document} \rightarrow \mathcal{P}(\text{ENV})
\]

\[
\text{SemSpec}(\text{doc}) \triangleq \{ \text{env} \mid \text{env} \in \text{ENV} \cdot \text{IsAModelOf}(\text{env}; \text{doc}) \}
\]

“Candidate” models (also called environments) are taken from the set \(\text{ENV}\) which contains all maps from identifiers to possible denotations for VDM-SL constructs (including all values \(\text{VAL}\) and possible types, the so-called domain universe). For any set \(A\), \(\mathcal{P}(A)\) denotes the powerset of \(A\), i.e. the set of all subsets of \(A\). \text{IsAModelOf} is a predicate which checks whether a given environment satisfies (in a formal sense) a given specification. If it does, it is called a model of the specification. The semantic function \text{SemSpec} for a given specification yields the set of all its models. The predicate \text{IsAModelOf} naturally needs to check whether all of the identifiers that have been defined in the specification are present in the environment. If this is the case, the environment is expanded with a number of constructs, with the
definitions from the specification implicitly defined. Each component of the specification is now verified according to such an expanded environment.

Because the definitions can be mutually dependent upon constructs from different categories, this is done for each category (functions, types, operations, etc.) by a meaning function for that category. Here it is important that the denotation of the constructs from the category being verified is removed from the environment. The remaining part of the environment provides the context in which the meaning of the constructs in this category is to be found. In this way an order between the definitions becomes available because of the implicit style of definition. The rationale behind the removal of the constructs from the category being verified is that in case of mutual recursion between constructs in such a category the semantics of these constructs should not be affected by the denotations of those constructs in the candidate model.

3.1.2 Definers and Loose Definers

The meaning of the different kinds of definitions can be considered as an environment-to-environment transformation, adding more information to the environment. We call such transformations definers and loose definers (in case a construct can be potentially loosely specified). These can be explained by:

\[
\text{Def} = \text{ENV} \rightarrow (\text{ENV} \cup \{ \text{err} \})
\]

\[
\text{LDef} = \mathcal{P}(\text{Def})
\]

where \text{err} is a special symbol indicating that in the given environment the syntactic definition cannot be given any sensible meaning.

Semantics of Constructs

Type definitions in VDM-SL are given a least fixed point semantics using the domain universe \cite{Sch86}. No looseness is permitted in invariant expressions so types denote unique domain values from \(\text{DOM}\).

Value (i.e. constant) definitions and function definitions can be loose, and the interpretation of this looseness will be discussed in the remaining part of this section. Mutually recursive definitions are given a least-fixed-point semantics unless they involve implicitly defined functions. In this case they are given an all-fixed-point semantics to keep all possible explicit definitions available. Functions can also be polymorphic, but for simplicity, we do not take that into account in this report.

Operation definitions can also contain looseness but here it is treated as non-determinism. Thus, an operation will denote a relation between input value (and state) and corresponding output value (and state). Implicitly defined operations are given an all-fixed-point semantics like for implicitly defined functions. The semantics of explicitly defined operations resembles a least-fixed-point semantics, but we cannot claim it to be so because there is no proper ordering between the operation denotations.

3.1.3 The Semantics of Looseness

We have mentioned the concept of ‘looseness’ a number of times above without being precise about its semantics. In this section explain how looseness can be interpreted.

Looseness can be interpreted in at least two different ways: as under-determinedness (allowing several different deterministic implementations) or as non-determinism (allowing non-deterministic implementations). As illustrated in \cite{SS87, SS92} there are different types of behaviour that a non-deterministic semantics can exhibit, specifically demonic, angelic, and erratic. With the under-determined interpretation of looseness, functions are referentially transparent, as discussed in \cite{SS88, SS90}. In VDM-SL,
functions are given an under-determined semantics, while operations are given a non-deterministic semantics\textsuperscript{1}. The complexity of an arbitrary combination of these can be found in [Wie89].

The difference between using the classical Hilbert epsilon operator [Lei69], the under-determined semantics and the non-deterministic semantics can be illustrated by a few examples. The expression:

\[
\text{let } x = \text{set\{1,2\}} \text{ in } (\text{lambda } v: \text{nat} \in \text{set\{1,2\}} \text{ in } x)(5)
\]

is True in the Hilbert framework (using epsilon for the let-be expression) because the two choices from the same set must yield the same result. If we instead have two non-deterministic choices from the set, the comparison yields a non-deterministic choice between True and False. Considering the under-determined interpretation, we cannot use the same approach as Hilbert; choices in different parts of a program might be implemented differently even if they are made from sets that are equal\textsuperscript{2}. However, due to the nature of the under-determined semantics, this is not a set of constant evaluators, since the choice of the resulting value (in this case either True or False) may of course depend on the argument environment, even when it does not depend syntactically upon the environment at all.

The difference between non-deterministic and under-determined semantics can be illustrated by another example. Consider the expression:

\[
\text{let } func = (\text{lambda } v: \text{nat} \in \text{set\{1,2\}} \text{ in } x) \text{ in } (\text{lambda } f: \text{nat} \rightarrow \text{nat} \in f(5) = f(5))(func)
\]

It yields True with the under-determined semantics because the two function applications yield the same result no matter which of the possible deterministic implementations of the function is considered. In a typical non-deterministic framework, non-deterministic implementations of the function would be allowed so the result would be a non-deterministic choice between True and False.

Also note that the first of the above examples is the result of \(\beta\)-reducing the second example. The two examples do, however, have different semantics, so \(\beta\)-reduction is not valid in general for VDM-SL functions. It is valid, however, if the argument evaluates, semantically, to a singleton set. For example, it would be valid when it did not contain any uses of the let-be expression (or other constructs where looseness is introduced).

### 3.1.4 Internal versus External Looseness

For some systems, the behaviour should not be too precisely determined by the specification. The notion of looseness enables the designer to postpone certain decisions to a later stage of development (e.g. the final implementation stage). In general, looseness can be seen as a means to specify at a much higher level of abstraction than that of a final implementation, and in this way leave as much freedom as possible to the implementor.

The kind of looseness presented in the examples above is known as external looseness [HJ89] because the external behaviour of these expressions is not fully determined. This kind of external looseness is commonly used when the external behaviour must satisfy certain conditions that do not necessarily restrict the result to a unique value. We use the term external looseness when it is visible at a given abstraction level that different behaviour is permitted for a given specification.

\textsuperscript{1}Using the terminology from the referenced papers, the kind of non-determinism used in operations in VDM-SL is strong, unbounded, erratic and loose non-determinism with singular binding.

\textsuperscript{2}The rationale behind this is that even in cases where two functions are syntactically identical it is desirable that such loose functions can be implemented independently of each other.
Another kind of looseness is known as internal looseness. This may be used when the external behaviour of a system is defined to be deterministic, but freedom in some of the components of a specification is desirable. Such freedom can be used by the implementor to develop more efficient implementations of a given system. An obvious example of this would be an allocation of additional storage in a computer system. As a user of such storage we do not care about its physical location as long as we can use it freely (and possibly release it again later). Design decisions about the storage management inside a larger system could be left open by using looseness, but it would (hopefully) not be visible in the external behaviour of our system. Note that the given abstraction level is essential for this distinction, because the actual allocation function naturally is externally loose (at the function level), but if we look at the system level (and consider the allocation function to be hidden inside) the looseness is only visible internally.

3.1.5 Semantics of Expressions

An environment associates identifiers with values. Expression evaluation can be described as replacing each identifier in the expression by its value from the environment, and computing the result. Thus, the value of an expression is dependent on the environment in which it is being evaluated. So, one could take the type of the evaluation function for expressions (as used in [Mon85]) as:

\[ \text{EvalExpr} : \text{Expr} \rightarrow \text{ENV} \rightarrow \text{VAL} \]

However, because expressions can be loose, it is possible for an expression to yield more than one value. A next attempt (used in [AL88] and [LAMB89]) could be:

\[ \text{EvalExpr} : \text{Expr} \rightarrow \text{ENV} \rightarrow \mathbb{P}(\text{VAL}) \]

Unfortunately this leads to very serious problems with the least-fixed-point semantics for recursive loose definitions. Therefore, the type of the evaluation function \( \text{EvalExpr} \) must ultimately be:

\[ \text{EvalExpr} : \text{Expr} \rightarrow \mathbb{P}(\text{ENV} \rightarrow \text{VAL}) \]

where the looseness has been abstracted ‘one level up’. We can now talk about deterministic expression evaluators for which least fixed points can be found. An expression will denote a set of such expression evaluators, which we call a loose expression evaluator. Because this technique is used for all kinds of expressions we define:

\[ \text{EEval} = \text{ENV} \rightarrow \text{VAL} \]
\[ \text{LEEval} = \mathbb{P}(\text{EEval}) \]

Sub-functions of \( \text{EvalExpr} \) are defined for all expression kinds. These functions are all written in roughly the same style:
EvalAnExpr : AnExpr → LEEval

EvalAnExpr(MkTag('AnExpr', (expr₁,...,op,...,exprₙ))) △
{ λenv . let val₁ = ev₁(env),
    ....,
    valₙ = evₙ(env) in
    AnOp(val₁,...,valₙ,op)
    | ev₁ ∈ EvalExpr(expr₁),..., evₙ ∈ EvalExpr(exprₙ) }
Any state changes that are a result of computation are not made visible to other threads or resources until the time required for the state change has passed. Then the state change is committed and becomes visible to other threads, as the internal record of time is updated and time-related bookkeeping is dealt with.

The VDM-RT semantic model given in this report is underspecified with respect to some of the standard VDM++ constructs. There are cases where the standard behaviour of VDM++ is not appropriate for VDM-RT, and this is described in [LVLW10]. These cases include the following:

- Static access to variables in a distributed setting.
- Static operation calls in a distributed setting.
- Read of distributed variables without a bus.

The core issue is that the distributed nature of variables and calls would be ignored if the VDM++ semantics were directly adopted. Unfortunately, this is the case in the current implementation of the VDM-RT interpreter. The present solution is to disallow static access to variables, and to force cross-CPU reads of variables to use bus communication.
Chapter 4
Semantics of VDM-RT

4.1 Overview of Structure & Entities

To describe the VDM-RT semantic model we start with an overview of its static structure, giving the entities used in the semantic description, then we describe the semantic model’s behaviour.

The entities used to describe the VDM-RT semantics form a hierarchy starting with the VDMRT structure. At the top level, the VDMRT structure records the CPUs in the system (cpus), the busses connecting the CPUs (busses), the current time that the model has reached (time), and the defined classes in the model (classes).

VDMRT :: cpus : CPUs
busses : Busses
time : Time
classes : Classes

CPUs = Id_c  m  CPU

Busses = Id_b  m  Bus

Classes = Id_cl  m  Class

The types Id_x where x is one of b, c, cl, f, o, op, v represent disjoint sets of identifiers for, respectively, busses, cpus, classes, functions, objects, operations, and variables. These identifier sets are arbitrarily large and, for the purposes of the semantics, inexhaustible. The use of disjoint sets allows a simplification in the semantics when a fresh identifier is needed.

CPUs in the VDM-RT semantics are a record of three fields: a map for the instantiated classes (objects), a map for all threads that exist over the course of execution (threads), and a natural number representing the speed of the CPU.

CPU :: objects : Id_o  m  Object
threads : Id_t  m  Thread
speed : N_1

The topology of connections between CPUs is recorded in the busses map in the VDMRT record; each bus connects a (non-strict) subset of CPUs from the VDMRT record’s cpus field. A single bus records the set of CPUs it connects (cpus); a natural number that represents the speed of communication over the bus, typically much lower than the speed of a CPU (speed); and a queue of call and return messages, tagged with the target CPU.

Bus :: cpus : Id_c-set
speed : N_1
queue : (Id_c × (CMessage | RMessage))*
We record the notion of states, Σ, as mappings from variable identifiers to VDM values.

\[ Σ = Id_v \stackrel{m}{\rightarrow} VDMValue \]

The Class structure contains all of the static detail of a class (as opposed to the Object structure, below, that contains the dynamic details of instantiated classes). In this structure we record super classes (parents), constant values (values), the types of instantiated variables (vars), the set of associated operations and functions of the class (ops and funs, respectively), a set of class invariant functions (invs), and the initial action (initial) that an instantiated class should perform when it is started.

The behaviour of class records in this semantic model is such that, though they reference their parent classes initially, the post-initialization class record will be changed to becomes the “union” of it and all of its parent classes. So in the initialization step of the semantic model all of the defined classes in a subject model will be “flattened” into independent classes.

Class :: parents : Id_v
values : Σ
vars : Id_v \stackrel{m}{\rightarrow} Type \times Expr
ops : Id_op \stackrel{m}{\rightarrow} Op
funs : Id_f \stackrel{m}{\rightarrow} Fun
invs : Fun-set
initial : Duration* | Periodic

Instantiated classes are represented by the Object record. These structures contain only a reference to the static class details (class), the current state of variables in the class (state) and, optionally, a value giving a countdown until the next time a periodic thread needs to be created in the context of that object (periodicCountdown). This countdown value is pre-calculated every time a periodic thread is launched, based on the values in a Periodic record in the initial field of the class definition.

Object :: class : Id_cl
state : Σ
periodicCountdown : [Time]

The Thread structure records a thread’s current status (status), the values of variables in objects that are held aside pending a commit (pending), the object that gives the current execution of the thread (context), and the remaining statements to be executed by the thread (body). When the value of a variable has been changed by a thread but not yet committed, the new value is kept aside in the thread’s pending field until a certain amount of time has passed; this behaviour is described in Section 4.6.

Thread :: status : RUNNING | RUNNABLE | WAITING | PENDING | COMPLETED
pending : Pending
context : Id_o
body : (Duration | PartialDuration)*

The PartialDuration and Duration statements that comprise the body of the thread are used to indicate the expected execution time of the contained block of statements. A Duration statement has a duration field that represents the expected execution time bound, and a body field containing the sequence of statements to be executed. The expected time bound may be an expression that initially needs to be calculated, but it will be a constant value when the body actually starts execution; alternatively, the duration may be EXEC_TIME, indicating that even though this duration has no time bound, recording the execution time is still necessary. A Duration structure becomes a PartialDuration structure if the execution of the duration’s body cannot be completed during one step of the interpreter’s execution. As an example, this will happen if the body invokes a synchronous operation in an object on a different CPU.

Duration :: duration : EXEC_TIME | Exp
            body : Stm
The atomicity of the outermost PartialDurations and Durations in a thread is all-or-nothing, but only so long as no operations are invoked on remote CPUs. If an operation is invoked on a remote CPU then the data associated with the parameters will be sent outside of the scope of the Duration; this allows intermediate data to ‘leak’ out of the duration and thus destroys the atomicity of the Duration block. Atomicity in the sense of instantaneous execution is possible in the semantics by using a zero in the time field of a Duration; however, in the concrete language a zero value in the time field becomes a EXECTime value in the semantics. This means that it is not actually possible to specify instantaneous durations.

The Duration structure is included in the Stm type and, therefore, statements can contain nested durations. The behaviour of nested durations, and durations in general, is described in Section 4.7.

4.1.1 Durations and Transaction Synchronization

The Duration record is used as a synchronization point in the semantics. When a Duration construct has been completely evaluated the thread state is updated with all pending values that were calculated during the execution of the duration. The commitPendingValuesAndUpdateTime function performs this update, and is found in the first hypothesis of the Big Step rule. The behaviour of thread state update is described in Section 4.6.

The overall time represented by each step of the whole semantic model is calculated for the next step at the top level, based on the next expected commit of pending values and the next expected start of a periodic thread.

4.1.2 Duration Composability

The semantic model of VDM-RT models time using semantic durations that are compositional. This allows a top-down specification approach where the time of sub-components are added together, thus enabling validation of runtime execution of durations. Validation checks that sub-durations do not exceed the given value of their containing duration.

The interpreter for VDM-RT described in [LLB11] implements a different semantic model that is non-compositional, and does not support a top-down design approach with respect to the time specifications of durations. Further, the interpreter does not implement any runtime validation of durations and it simply ignores the time values of nested durations. The result of this is that sub-components cannot easily be given to independent teams to implement without providing information outside the specification itself.

Consider the case of a duration with a 5 second time bound, and this duration has two sub-durations, composed sequentially, each with a 4 second time bound. In the semantic model described in [LLB11], this is valid, and the overall duration still has a 5 second time bound as the bounds of the sub-durations are ignored.

That semantic model leads to the problem that it is difficult to hand the specifications of the sub-durations off to implementor without changing their specification; clearly, to satisfy the overall duration’s 5 second limit, the sub-durations must always complete in a time which sums to less than 5 seconds. However, their specifications allow for a sum of 8 seconds. Use of this semantic model means that, for the purposes of top-down design, the specifications are incomplete and require that additional information be known to the user of the duration blocks.

The semantic model presented in this report adds the validation of duration time bounds into the semantic model. This has the effect of making the specifications complete for the purposes of durations.
A sub-duration can be decomposed out of a larger one and implemented according to the given sub-specification without the need of additional knowledge.

### 4.2 Top-level Execution Rule

Sufficient structure has been described so far to move on to the behavioural rules of VDM-RT; the full set of structures and rules are found in Appendix A. The top-level rule, *Big Step* in Figure 4.1, gives the whole semantics of a running VDM-RT model. There are six hypotheses to this rule, and each represents a phase in an execution step.

1. The first hypothesis is the internal update of the model state. It updates the model’s present time, and then commits all of the pending values held in threads up to that point. Races between updates—where two or more threads would update the same variable— are handled in a non-deterministic manner, and no particular resolution mechanism is specified in this semantic model.

    A thread only has its pending values committed when the head of the thread’s body is not a *PartialDuration*: this indicates that any previous duration had completed and any values in pending are ready to be made visible. This hypothesis also serves to decrement the *periodicCountdown* fields of those objects that use it.

2. The second hypothesis is in the form of a transition relation as the action of the busses is inherently non-deterministic. This phase actually delivers messages on the busses to their target CPUs if sufficient time has passed. Where the message is an operation call, a new thread will be created on the target CPU to run the operation.

3. The third hypothesis potentially creates more new threads based on the timing of periodic threads. If there are objects with *periodicCountdown* fields that have reached zero then the appropriate new threads are created for those and the *periodicCountdown* field is recalculated based on the *Periodic* record in that object’s class definition.

4. The fourth hypothesis performs any potential context switches, allowing a CPU to change from one running thread to another. Note that this phase happens after the creation of new threads so that those new threads have the potential to start execution within this step of the execution.

5. The fifth hypothesis is also a transition relation, as the execution of VDM-RT statements may be non-deterministic. This transition attempts to execute the first duration of the body of every active, running thread in the model. The number of threads attempted will be no greater than the number of CPUs in the system, as each CPU may only execute in one thread per step. If it is not possible to fully execute the duration at the head of a thread’s body, then a *PartialDuration* will replace that duration on the head of the body. The partial duration will have the remainder of the original duration’s body that remains to be executed, and execution will continue during the next step that the thread is active. This hypothesis also exposes the minimum time until the next commit of pending values.

6. The sixth hypothesis calculates the time at which the next action in the interpreter must happen. This may be due to things such as threads with pending variables, the creation of a new periodic thread, and so forth. This results in the minimum amount of the time until the next action that the interpreter handle and this serves as $\tau$ for the next *Big Step*.

---

1Note that for readability purposes the central rules have numbered hypothesis lines to allow for easier reference in the explanation.
Big Step

\[
\begin{align*}
\text{vdmrt}_1 &= \text{commitPendingValuesAndUpdateTime}(\text{vdmrt}, \tau) \quad (1) \\
\text{vdmrt}_1 \xrightarrow{\text{busses}} &\text{vdmrt}_2 \quad (2) \\
\text{vdmrt}_3 &= \text{createPeriodicThreads}(\text{vdmrt}_2) \quad (3) \\
\text{vdmrt}_4 &= \text{doContextSwitches}(\text{vdmrt}_3) \quad (4) \\
\text{vdmrt}_4 \xrightarrow{\text{exec}} (\text{vdmrt}_5, \tau_b) \quad (5) \\
\tau'_b &= \min(\tau_b, \minPendingCommitTime(\text{vdmrt}_5)) \quad (6) \\
(\text{vdmrt}, \tau) &\xrightarrow{\text{vdmrt}} (\text{vdmrt}_5, \tau'_b)
\end{align*}
\]

Figure 4.1: Definition of the Big Step rule.

Init

\[
\begin{align*}
\text{cpus} &= \text{createBareCPUs} (\text{demodel}) \quad (1) \\
\text{busses} &= \text{createBusses} (\text{cpus}, \text{demodel}) \quad (2) \\
\text{classes} &= \text{createClasses} (\text{demodel}) \quad (3) \\
\text{cpus}' &= \text{createInitialInstances} (\text{cpus}, \text{classes}, \text{demodel}) \quad (4) \\
(\text{vdmmodel}) &\xrightarrow{\text{init}} \text{mk-VDMRT}(\text{cpus}', \text{busses}, 0, \text{classes})
\end{align*}
\]

Figure 4.2: Definition of the VDM-RT initialization rule.

An execution trace based on the Big Step rule shown above and the Init from Section 4.3 would look like this:

\[
(\text{VDMRTModel}) \xrightarrow{\text{init}} (\text{vdmrt}) \\
(\text{vdmrt}, 0) \xrightarrow{\text{vdmrt}} (\text{vdmrt}_1, \tau_1) \xrightarrow{\text{vdmrt}}^* (\text{vdmrt}_n, \tau_n)
\]

4.3 Initialization

Before the main portion of the VDM-RT semantics applies, we must deal with the creation of a VDMRT construct based on an input model and contract. The initialization inference rule, Init, has the type

\[
\xrightarrow{\text{init}}: \mathcal{P}((\text{VDMRTModel}) \times (\text{VDMRT}))
\]

where the VDMRTModel is the input model (the sources of the model).

The first two hypotheses of the Init rule in Figure 4.2 deal with bare CPU creation (createBareCPUs) and the bus creation (createBusses); the CPUs are given as an additional argument along with the input model as the busses record the links between CPUs. The class mapping is created in the third hypothesis (createClasses) which includes the copying of all definitions from any parent classes to the actual classes and thus resolving any inherited definitions. The classes is used as a parameter in the fourth hypothesis to populate the mapping of bare CPUs with the initial instances of objects defined in the input model (createInitialInstances); this populated mapping is stored within a new CPU map. Finally, in the conclusion these components are combined into a VDMRT construct (with its initial time set to zero) that is ready for use in the main portion of the VDM-RT semantics.

4.4 Operation Calls

This semantics describes four types of operation calls: the combination of synchronous/asynchronous and local/remote. Synchronous calls require that the caller wait for the called operation to complete
before it continues, whereas the caller of an asynchronous operation continues execution without waiting for the call to complete. Local calls take place completely on a single CPU, whereas remote calls require the use of the busses in the model to cause the operation to execute on a different CPU, and the caller may wait for a return message indicating that the called operation has completed.

Same-CPU synchronous calls continue execution in the same thread by inserting the content of the called operation at the head of that thread’s body; this is done to avoid the non-deterministic properties of a thread context switch. All other calls create a new thread (on the appropriate CPU) to execute the content of the called operation; the original thread (eventually) continues execution as it is. In the semantic model calls are represented as a type union of SyncCall and AsyncCall:

\[
\text{Call} = \text{SyncCall} \mid \text{AsyncCall}
\]

Both SyncCall and AsyncCall have nearly the same structure: since asynchronous calls do not return a value, those operations do not need a target for any such value. Shown here is the definition of the SyncCall construct; the AsyncCall construct omits the target field:

\[
\begin{align*}
\text{SyncCall} &:: \text{target} : [\text{Id}_o \mid (\text{Id}_c \times \text{Id}_o)] \\
& \quad \text{name} : \text{Id}_o \times \text{Id}_{op} \mid \text{Id}_c \times \text{Id}_o \times \text{Id}_{op} \\
& \quad \text{args} : \text{Expr}^*
\end{align*}
\]

where the target field records the destination for the return value from the call in the calling thread’s pending map, if it is to be kept; the name field identifies the operation or function which should be called and finally args are the argument expressions of the call.

It is notable both the target and name fields of the SyncCall construct are actually union types. For the name field, the reference operation may not be on the same CPU as the calling thread; hence the need for the union type. When the object which has the operation to be called is not on the current CPU we must also record the CPU identifier referencing the remote CPU. The values for the target field are similar: in the simple case the field may simply be a variable identifier; in the complex case the field takes on the pair of a CPU and a thread identifier that references the thread that originally invoked the operation, as this case corresponds to a remote synchronous operation call.

To handle return values the semantics makes use of two constructs, the first of which is for use in the operation bodies, Return:

\[
\text{Return} :: \text{exp} : [\text{Exp}]
\]

It has a single expression that is evaluated to a VDMValue in the context of the call body. The VDMValue type represents all literals and is a subset of syntactic expressions. The Return construct is used to evaluate the expression in the correct context where it is rewritten by replacing the original return expression with a VDMValue that then later can be matched up with a Wait record.

The second record used to link the calling thread with the return of the call body is Wait:

\[
\text{Wait} :: \text{target} : \text{Id}_o \mid (\text{Id}_c \times \text{Id}_o)
\]

where the target field holds the identifier that will be assigned the eventual return value. Note that the target field of the Wait construct takes on the same union type as the target field of the SyncCall construct. This allows us to use a Wait construct in the calling thread regardless of whether the call was local or remote. When a synchronous remote operation call reaches its target CPU, it is instantiated as a SyncCall construct with the identifiers of the calling CPU and thread, and as this is now a local synchronous call, the eventual Wait construct uses those identifiers as its target. This allows the semantics to determine that a return message must be sent across the bus to the calling CPU, where a new Return construct will be created and ultimately resolved with the local Wait construct.

The initial setup resulting from a SyncCall on single CPU is defined by the inference rule Stmt Call Op Local Sync shown in Figure 4.4. The whole process of execution is illustrated abstractly in Figure 4.3, where the body of a thread contains a SyncCall at the head. The first step of the execution is to match
Figure 4.3: Illustration of the semantic evaluation of a synchronous local call.

the **SyncCall** and rewrite it as an **ObjectContext** followed by a **Wait** construct; the **Wait** can then later be used to match the **Return** of the body. The **ObjectContext** construct has the form:

\[
\text{ObjectContext} :: \quad \text{object} : \text{Id}_o \\
\text{body} : \text{Stm} \\
\text{callCtx} : \text{CallContext}
\]

where the **object** field refers to the object in which the **body** must be executed, and **callCtx** contains a **CallContext** construct that records information about the call. The **CallContext** construct has the form:

\[
\text{CallContext} :: \quad \text{pending} : \text{Pending} \\
\text{state} : \Sigma \\
\text{post} : [\text{Expr}]
\]

The **Stmt Call Op Local Sync** rule shown in Figure 4.4 applies to **SyncCall** constructs. It evaluates the call’s arguments in the calling context (line 2), and records the time taken to evaluate the arguments at line 13, where the total time of the operation is summarized. The pre-condition is checked in the calling context at line 6 using the actual values for the arguments: this is followed by the creation of a new **ObjectContext** in lines 7–9; this is then concatenated with a **Wait** statement in line 10, where the **Wait** statement specifies the target of the **SyncCall** used to store the operation’s return value. The **callBlock** defined in line 10 is prefixed to the remainder of the current thread’s body in line 11, and in line 12 the remainder of the thread’s body is executed.

The purpose of the **CallContext** structure is to record state information for a call such that post-conditions can be evaluated at the completion of a call. The **pending** field holds the **pending** state of the calling thread at the moment the operation is called; **state** is a map holding the evaluated arguments; and the optional post-condition comes from the operation being called. Then the body of the call is executed, and is stored in the **ObjectContext**. The inference rules **Stmt ObjectContext Step** (see the Appendix) and **Stmt ObjectContext Complete** (Figure 4.7) execute all of the statements in the body of the object context until a **Return** statement has been fully evaluated by the **Stmt Return Eval** rule shown in Figure 4.5. The **Stmt Return Eval** rule checks that return value is an expression (line 1), and then evaluates this in the current context (line 2). This is followed by a rewrite of the **Return** where the expression is replaced with the actual value (line 3). The evaluation is continued in line 4 and finally the total time used is calculated in line 5.

Any remaining statements present in the sequence after the **Return** construct will be removed by
\textbf{Stmt Call Op Local Sync}

\begin{equation}
\text{optTarget} = (\text{oid}, \text{op})
\end{equation}

\begin{equation}
\text{argsTimed} = \{\text{value}, \delta_e\} | \text{arg} \in \text{args} \land (\text{classes}, \text{cpus}, \text{pending}, o \vdash [e] = (\text{value}, \delta_e))
\end{equation}

\begin{equation}
\text{args} = \{\text{value} | (\text{value}, -) \in \text{argsTimed}\}
\end{equation}

\begin{equation}
\text{mk-Op}(\cdot, \text{params}, \text{ret}, \text{body}, \text{pre}, \text{post}) = \text{classes(\text{cpu.objects(oid).class}).ops(\text{op})}
\end{equation}

\begin{equation}
\sigma = \{p \mapsto a | i \in \text{inds \args} \land a = \text{args}(i) \land \text{params}(i) = (p,-)\}
\end{equation}

\begin{equation}
\text{checkCallPre(\text{classes}, \text{cpus}, \text{pending}, \text{args}, \text{params}, \text{oid}, \text{pre})} = \text{true}
\end{equation}

\begin{equation}
\text{callContext} = \text{mk-CallContext(\text{pending}, \sigma, \text{post})}
\end{equation}

\begin{equation}
\text{partialLetDef} = \text{mk-PartialLetDef(\sigma, [], \text{mk-SimpleBlock(\text{body})})}
\end{equation}

\begin{equation}
\text{objContext} = \text{mk-ObjectContext(\text{oid}, \text{partialLetDef}, \text{callContext})}
\end{equation}

\begin{equation}
\text{callBlock} = [\text{objContext}, \text{mk-Wait(\text{target})}]
\end{equation}

\begin{equation}
\text{stmts} = \text{callBlock} \xrightarrow{\text{stmt}} \tau, \text{classes}, \text{cpus}, c, t, o \vdash
\end{equation}

\begin{equation}
\left(\text{stmts}, \text{pending}, \text{cpu}, \text{busses}\right) \xrightarrow{\text{stmt}} \left(\text{stmt'}, \text{pending'}, \text{cpu'}, \text{busses'}, \delta'\right)
\end{equation}

\begin{equation}
\delta' = \text{sum}(\delta_e | (-, \delta_e) \in \text{argsTimed}) + \delta_{\text{rest}} + \text{LocalSyncCallTime}
\end{equation}

\begin{equation}
\left(\left[\text{mk-SyncCall(\text{target}, \text{optTarget}, \text{args})}\right] \xrightarrow{\text{stmt}} \text{stmt'}\right)
\end{equation}

\begin{equation}
\left(\text{stmt'}, \text{pending}, \text{cpu}, \text{busses}\right) \xrightarrow{\text{stmt}} \left(\text{stmt'', pending'', cpu'', busses'', \delta''}\right)
\end{equation}

\textbf{Figure 4.4: Definition of the Stmt Call Op Local Sync rule.}

\textbf{Stmt Return Eval}

\begin{equation}
\text{exp} \notin \text{VDMValue}
\end{equation}

\begin{equation}
\text{classes, cpus, pending, o} \vdash [\text{exp}] = (\text{retValue}, \delta_e)
\end{equation}

\begin{equation}
\text{stmt'} = [\text{mk-Return(\text{retValue})}] \xrightarrow{\text{stmt}} \text{stmt}
\end{equation}

\begin{equation}
\tau, \text{classes}, \text{cpus}, c, t, o \vdash
\end{equation}

\begin{equation}
\left(\text{stmt'}, \text{pending}, \text{cpu}, \text{busses}\right) \xrightarrow{\text{stmt}} \left(\text{stmt'', pending', cpu', busses', \delta}\right)
\end{equation}

\begin{equation}
\delta' = \delta_e + \text{ReturnTime}
\end{equation}

\begin{equation}
\left(\left[\text{mk-Return(\text{exp})}\right] \xrightarrow{\text{stmt}} \text{stmt'}\right)
\end{equation}

\begin{equation}
\left(\text{stmt'}, \text{pending}, \text{cpu}, \text{busses}\right) \xrightarrow{\text{stmt}} \left(\text{stmt'', pending', cpu', busses', \delta''}\right)
\end{equation}

\textbf{Figure 4.5: Definition of the Stmt Return Eval rule.}

\textbf{Stmt Return Eat}

\begin{equation}
\text{rest} \neq []
\end{equation}

\begin{equation}
\text{hd rest} \notin \text{Wait}
\end{equation}

\begin{equation}
\text{stmt'} = [\text{mk-Return(\text{v})}] \xrightarrow{\text{stmt}} \text{stmt}
\end{equation}

\begin{equation}
\tau, \text{classes}, \text{cpus}, c, t, o \vdash
\end{equation}

\begin{equation}
\left(\text{stmt'}, \text{pending}, \text{cpu}, \text{busses}\right) \xrightarrow{\text{stmt}} \left(\text{stmt'', pending', cpu', busses', \delta}\right)
\end{equation}

\begin{equation}
\left(\left[\text{mk-Return(\text{v})}\right] \xrightarrow{\text{stmt}} \text{stmt'}\right)
\end{equation}

\begin{equation}
\left(\text{stmt'}, \text{pending}, \text{cpu}, \text{busses}\right) \xrightarrow{\text{stmt}} \left(\text{stmt'', pending', cpu', busses', \delta''}\right)
\end{equation}

\textbf{Figure 4.6: Definition of the Stmt Return Eat rule.}

26
the Stmt Return Eat construct and return messages are RMessage constructs. The CMessage construct is defined as:

Figure 4.7: Definition of the Stmt ObjectContext Complete rule.

Figure 4.8: Definition of the Stmt Return Wait rule.

the Stmt Return Eat rule as shown in Figure 4.6. The rule checks that the head is a Return statement, and that the first statement of the remaining statements (the rest meta-variable) is not a Wait statement. If this is satisfied then the Return statement and the tail of the rest (line 3) is used to continue execution (line 4). When the ObjectContext is fully evaluated –containing only a Return construct that has a VDMValue– the post-condition is checked (line 4) and the entire ObjectContext is removed (line 5) in the Stmt ObjectContext Complete rule shown in Figure 4.7 leaving in its place just the contained Return construct.

The last step is to match that Return construct with the corresponding Wait construct that was created when the operation was called, and then insert the value returned into the thread’s pending field; this is defined in the inference rule Stmt Return Wait as shown in Figure 4.8 Where the return value is mapped by the target in the executing object.

The evaluation of AsyncCall on the same CPU differs from the SyncCall in that it creates a new thread to execute the called operation’s body and simply removes the AsyncCall from the head of the active thread’s body.

Remote, cross-CPU calls–where the target operation is in an object on a different CPU– differ from local-CPU calls in that they must use a bus to communicate the call request and return values. The communications are queued on the bus as messages, where call requests are recorded as CMessage constructs and return messages are RMessage constructs.
Figure 4.9: Illustration of the semantic evaluation of a CMessage from the bus queue.

\[
CMessage :: \quad \text{obj} : \text{Id}_o \\
\text{op} : \text{Id}_o \\
\text{args} : \text{VDMValue}^* \\
\text{replyTo} : [\text{Id}_c \times \text{Id}_t] \\
\text{sendTime} : \text{Time}
\]

where \( \text{obj} \) is the target object; \( \text{op} \) the target operation in that object; \( \text{args} \) is a sequence of arguments evaluated in the sender’s context to \( \text{VDMValues} \); \( \text{replyTo} \) identifies the CPU and thread of the caller and \( \text{sendTime} \) is the time when the message was placed on the bus. The \( \text{sendTime} \) field is used to calculate the time at which the message arrived at the remote CPU. The \( \text{RMessage} \) construct is defined as:

\[
RMessage :: \quad \text{value} : \text{VDMValue}^* \\
\text{replyTo} : \text{Id}_c \times \text{Id}_t \\
\text{sendTime} : \text{Time}
\]

where \( \text{value} \) is the sequence of \( \text{VDMValues} \) being returned. The fields \( \text{replyTo} \) and \( \text{sendTime} \) have the same purpose as in the \( \text{CMessage} \) construct.

A remote SyncCall places a \( \text{CMessage} \) on the appropriate bus and changes the thread status to WAITING (thus excluding the thread from normal scheduling), instead of evaluating the call body locally; this is described in the Stmt Call Op Remote Sync rule. The \( \text{CMessage} \) is matched by the inference rule Bus Call, during the next step of the interpreter. This is illustrated abstractly in Figure 4.9 where processing of the head of the bus queue checks first that the message has arrived (by the use of message’s \( \text{sendTime} \) field) and then, for a \( \text{CMessage} \) construct, a new thread is created in the appropriate object where the call will be executed. Eventually, the return value is enqueued back on the bus queue in a \( \text{RMessage} \) construct, targeted at the calling CPU. When an \( \text{RMessage} \) is processed, a Return\((v)\) statement is pushed onto the head of the original calling thread’s body, immediately in front of the existing Wait construct. This allows the Stmt Return Wait rule to complete the call and handle the return value in the same way as a local sync call would. Asynchronous remote calls are initiated in the same way as synchronous calls, except that the thread status of the calling thread is not changed, and no value is returned.

4.5 Periodic Threads

One of the phases in a step of the execution involves handling the periodic threads. This appeared in the Big Step rule as the hypothesis

\[
vdmrt_3 = createPeriodicThreads(vdmrt_2)
\]

where \( vdmrt_3 \) represents the state of the execution after new threads have been created.

The creation of periodic threads is given by the \( \text{createPeriodicThreads} \) function in Figure 4.10. The function’s post-condition applies to every object for which its \textit{periodicCountdown} field has reached
createPeriodicThreads: VDMRT → VDMRT
createPeriodicThreads(vdm)vdm′ ==
post
∀(id, cpu) ∈ vdm.cpus ·
∀(id, obj) ∈ cpu.objects · 
let periodic = vdm.classes(obj.class).initial in
let cpu′ = vdm′.cpus(id) in
let obj′ = cpu′.objects(id) in
(obj.periodicCountdown = 0 ⇒ 
obj′.periodicCountdown = precalculateNextPeriodicCountdown(periodic) ∧
let stm = mk-SyncCall(nil, (io, periodic.op), []),
body = [mk-Duration(EXECTIME, [stm])] in
∃ idt ∈ Idt ·
(idt ∉ dom cpu.threads) ∧
(cpu′.threads(idt) = mk-Thread(RUNNABLE, [], ido, body))) ∧
(obj.periodicCountdown ≠ 0 ⇒ obj = obj′)

Figure 4.10: Definition of createPeriodicThreads

zero; i.e. all those objects that are periodic and are ready to start a new periodic thread. Those objects will have a new thread created that is ready to invoke the operation defined in the object’s class’s periodic construct, and they will also have their periodicCountdown field recalculated for the next time their periodic thread should happen. Note that this calculation may be non-deterministic due to the fields in the Periodic construct.

The Periodic construct is defined as

Periodic ::
  op : Id
  period : Expr
  jitter : Expr
  delay : Expr
  offset : Expr

where the fields are defined as explained in Section 2.7

4.6 Committing Pending Values

During an execution step, threads may change the values of instance variables in objects. However, such changes are not committed to the object state immediately: instead they are stored in the pending field of the Thread constructs, hiding the values from other threads until time has progressed sufficiently to cover the time specified by the active PartialDuration of the Thread.

The resolution of pending values and durations are handled in the Big Step rule by the

```
vdmr1 = commitPendingValuesAndUpdateTime(vdmr1, τ)
```

hypothesis, which considers the prior state of the executing model and the time that the model will be updated to. The vdmr1 object represents the state of the interpreter after the time is set to τ and all pending values are committed for threads currently ready to commit, i.e. those with PENDING status and with remaining elapsed time equal to the time delta between the old and updated times.

Furthermore, all pending threads that have their values committed are returned to Runnable status if they have remaining work to do, and the remaining pending threads have their elapsed time field
commitPendingValuesAndUpdateTime: \text{VDMRT} \times \text{Time} \rightarrow \text{VDMRT}

\text{commitPendingValuesAndUpdateTime}(\text{vdm}, \tau)\text{vdm}' ==

\text{pre } \tau \geq \text{vdm.}\tau

\text{post } \text{vdm}'.\tau = \tau \land

\forall \text{id}_c \in \text{dom vdm.cpus}.

\forall \text{id}_t \in \text{dom vdm.cpus(id}_c).\text{threads}.

\text{let } (\text{thr}, \text{thr}') = (\text{vdm.cpus(id}_c).\text{threads(id}_t), \text{vdm}'.\text{cpus(id}_c).\text{threads(id}_t)) \text{ in}

\text{let } (\text{step}_t = \tau - \text{vdm.}\tau) \text{ in}

\text{let } (\text{d}_t, \text{d}'_t) = ((\text{hd thr.body}).\text{elapsed}, (\text{hd thr'.body}).\text{elapsed}) \text{ in}

\begin{align*}
\text{let } (\text{thr'.pending} = \emptyset) \land \\
\text{thr'.body} = \text{tl thr.body} \land \\
(\text{thr'.body} \neq \emptyset) \implies \text{thr'.status = RUNNABLE} \land \\
\text{vdm'.cpus(id}_c).\text{objects = mergePending(vdm.cpus(id}_c).\text{objects, thr.pending}))\land \\
\text{let } (\text{step}_t \implies \text{d}'_t = \text{d}_t - \text{step}_t)
\end{align*}

Figure 4.11: Definition of \text{commitPendingValuesAndUpdateTime}

decremented by the time delta between the old and updated times. Note that those threads whose new
\text{elapsed} time is zero are precisely those threads that have their values committed; those threads with a
new, non-zero \text{elapsed} time must still wait before they commit their pending values. All threads with
empty bodies are checked to ensure they have \text{COMPLETED} status and altered if necessary.

The behaviour of value commit and time update is contained in the semantic function shown in
Figure 4.11. Note that the post-condition of the function depends on the \text{mergePending} function, which
is a helper function that merges the pending values of a thread into the object states that those values are
associated with.

4.7 Dealing with Durations and Context Switching

The execution cycle of the VDM-RT semantics is centred around \text{Duration} statements that are used to
indicate execution times for blocks of statements. These \text{Duration} statements hide all changes made
to the containing object’s state until sufficient time has passed in the simulation for the time value of
the \text{Duration} to reach zero, at which point the changes become visible. Also, \text{Duration} statements and
\text{PartialDuration} constructs –the partially-executed form of a \text{Duration} statement– have the effect of
blocking other threads from executing on that CPU.

It is important to note that the time value in a \text{Duration} statement represents information from the
user about the temporal characteristics of the eventual implementation. During the execution of the
body of a \text{Duration} statement the durations of each contained instruction are tallied and (eventually)
compared to the user-specified time value. At present the semantics requires that the tally is less than
the given time value, otherwise the semantics reaches a state for which there are no possible transitions.
Future development of the semantics will transition to an error state in the case where the semantics
presently halts.

The only exception to this behaviour is if the time value is set to the \text{EXECETIME} constant (the user
would specify a 0 duration value for this), in which case there is no constraint on the execution duration.
The time value of a duration can be interpreted as a strict deadline on the execution of the contained
statements.

30
doContextSwitches: VDMRT → VDMRT
doContextSwitches(vdm) vdm′ ==

pre
  \exists id_c \in \text{dom} vdm.cpus \cdot vdm.cpus(id_c).threads \neq \{ \}

post
  \forall id_c \in \text{dom} vdm.cpus. \forall id_t \in \text{dom} vdm.cpus(id_c).threads.
  
  let (thr, thr′) = (vdm.cpus(id_c).threads(id_t), vdm′.cpus(id_c).threads(id_t)) in
  thr.status = \text{RUNNING} \Rightarrow thr′.status = \text{RUNNING} \land
  (\exists thr \in \text{rng} vdm.cpus(id_c).threads \cdot thr.status \in \{ \text{RUNNING, RUNNABLE} \}) \Rightarrow
  (\exists thr′ \in \text{rng} vdm′.cpus(id_c).threads \cdot thr′.status = \text{RUNNING})

Figure 4.12: Definition of doContextSwitches

The checking of time values in a Duration is handled by the commitPendingValuesAndUpdateTime function, used in the Big Step. In addition to updating the current time value in the execution, the function also performs the necessary bookkeeping on the time values in (Partial) Duration constructs. First, the function will decrement all positive-valued duration fields in completed (Partial) Durations by the amount of time passed since the previous step. Then, the function will commit the values held in the containing Thread’s pending field for those (Partial) Durations that have complete and have a zero- or EXEC_TIME-valued duration field. Once the containing Thread’s held values have been committed, the pending field is cleared, the completed (Partial) Duration is removed from the Thread’s body field, and the Thread’s status field is set to RUNNABLE.

The change of thread status allows the interpreter to later switch to a different thread on that CPU; unless there is no RUNNING thread on a CPU, the doContextSwitches function (see Figure 4.12) will not change the state of that CPU. A context switch selects a thread on a CPU for execution from the set of threads in the RUNNABLE state. This selection is specified in a non-deterministic manner.\footnote{Note that the Overture tool implementation, as described in [LLB11], does a deterministic selection. This is one of the points on which the tool is a refinement of the semantics.}
Chapter 5

Concluding Remarks

In this technical report we have provided a semantic model for VDM-RT using structural operational semantics. We have clarified some aspects of the VDM-RT semantic model that were not covered in sufficient detail in earlier work. The focus of the work presented here has been on the executable subset of VDM-RT, as is supported by the Overture interpreter. However, the relatively narrow nature of our focus means that there remains further work to be done for a complete independent semantics of the whole VDM-RT language.

The semantics presented here of the VDM-RT notation can also be seen in a larger context where VDM-RT is used in a collaborative simulation (co-simulation) setting. Here [CLL13] provides a semantics of a generic co-simulation framework enabling semantically well-founded co-simulation of models in different notations. In [LCL13] the VDM-RT semantics in this report is slightly adjusted to match the co-simulation framework. Note that the adjustments necessary here are very small.
Acknowledgement

The authors gratefully acknowledge funding from the European Commission through the FP7 DESTECS project (grant agreement number 248134) and the FP7 COMPASS project (grant agreement number 287829).

We thank our collaborators in the DESTECS project for feedback on elements of this work. We would also like to give special thanks to Nick Battle and Stefan Hallerstede for feedback on earlier drafts of this report.
Bibliography


Appendix A

Complete VDM-RT Semantics

A.1 VDM-RT Abstract Syntax

The VDM-RT abstract syntax only considers a subset of the full VDM++ language dialect. It includes classes and concurrency but excludes inheritance and static access.

A.1.1 Structure

The VDM-RT expressions (Expr) and types (Type) are imported from the VDM-SL denotational semantics [LHB+96].

\[
\begin{align*}
\text{Type} &= \ldots \\
\text{Expr} &= \ldots
\end{align*}
\]

and where the type \(VDMRTModel\) represents a textual representation of a specification:

\[
VDMRTModel = \cdots
\]

Toplevel

\[
\begin{align*}
\Sigma &= \text{Id}_v \xrightarrow{m} \text{VDMValue} \\
\text{Classes} &= \text{Id}_{cl} \xrightarrow{m} \text{Class} \\
\text{Busses} &= \text{Id}_b \xrightarrow{m} \text{Bus} \\
\text{CPUs} &= \text{Id}_c \xrightarrow{m} \text{CPU} \\
\text{Pending} &= \text{Id}_o \xrightarrow{m} \Sigma
\end{align*}
\]

\[
\text{VDMRT :: } \begin{array}{l}
\text{cpus} : \text{CPUs} \\
\text{busses} : \text{Busses} \\
\text{time} : \text{Time} \\
\text{classes} : \text{Classes}
\end{array}
\]

where
\[\text{inv-VDMRT}(\text{mk-VDMRT}(\text{cpus, busses, time, classes})) \triangleq\]
\[
\forall \text{cpu} \in \text{rng cpus} \cdot \\
\forall \text{obj} \in \text{rng cpu.objects} \cdot \\
(\text{classes(obj.class)}.\text{initial} \in \text{Period} \Rightarrow \text{obj.periodicCountdown} \neq \text{nil}) \\
\land \text{obj.class} \in \text{dom classes}
\]

**Definitions**

**Bus ::**

\[\text{cpus} : \text{Id}_c-\text{set}\]
\[\text{speed} : \mathbb{N}_1\]
\[\text{queue} : (\text{Id}_c \times (\text{CMessage} \mid \text{RMessage}))^*\]

**CMessage ::**

\[\text{obj} : \text{Id}_o\]
\[\text{op} : \text{Id}_{op}\]
\[\text{args} : \text{VDMValue}^*\]
\[\text{replyto} : [\text{Id}_c \times \text{Id}_t]\]
\[\text{sendTime} : \text{Time}\]

**RMessage ::**

\[\text{value} : \text{VDMValue}^*\]
\[\text{replyto} : \text{Id}_c \times \text{Id}_t\]
\[\text{sendTime} : \text{Time}\]

**CPU ::**

\[\text{objects} : \text{Id}_o \xrightarrow{m} \text{Object}\]
\[\text{threads} : \text{Id}_t \xrightarrow{m} \text{Thread}\]
\[\text{speed} : \mathbb{N}_1\]

**where**

\[\text{inv-CPU}(\text{mk-CPU}(\text{objects}, \text{threads}, \text{speed})) \triangleq\]
\[
\forall t \in \text{dom threads} \cdot \text{let} \text{pending} = \text{threads}(t).\text{pending} \text{ in} \\
\text{dom pending} \subseteq \text{dom objects} \land \\
\forall \text{obj} \in \text{dom pending} \cdot \\
\text{pending(obj)} \subseteq \text{dom objects(obj).}\sigma
\]

**Thread ::**

\[\text{status} : \text{RUNNING} \mid \text{RUNNABLE} \mid \text{WAITING} \mid \text{PENDING} \mid \text{COMPLETED}\]
\[\text{pending} : \text{Pending}\]
\[\text{context} : \text{Id}_o\]
\[\text{body} : (\text{Duration} \mid \text{PartialDuration})^*\]

**Class ::**

\[\text{parents} : \text{Id}_c^*\]
\[\text{values} : \Sigma^*\]
\[\text{vars} : \text{Id}_o \xrightarrow{m} \text{Type} \times \text{Expr}\]
\[\text{ops} : \text{Id}_{op} \xrightarrow{m} \text{Op}\]
\[\text{funs} : \text{Id}_f \xrightarrow{m} \text{Fun}\]
\[\text{invs} : \text{Fun-set}\]
\[\text{initial} : \text{Duration}^* \mid \text{Periodic}\]

**Op ::**

\[\text{async} : \mathbb{B}\]
\[\text{args} : (\text{Id}_o \times \text{Type})^*\]
\[\text{ret} : \text{Type}^*\]
\[\text{body} : \text{Duration}^*\]
\[\text{pre} : [\text{Expr}]\]
\[\text{post} : [\text{Expr}]\]

39
where

\[ \text{inv-Op}(\text{mk-Op}(\text{async, args, ret, body, pre, post})) \triangleq (\text{async } \Rightarrow \text{ret }= []) \land \\
\text{let arguments }= \text{elems}[i \mid (i, t) \in \text{args}] \text{ in} \\
\text{len args }= \text{card arguments} \land \\
\text{FV}(\text{pre}) \subseteq \text{arguments} \land \\
\text{collapseOld}(\text{FV}(\text{post})) \subseteq \text{arguments sure} \Rightarrow \text{args }= \text{args} \land \text{measure ret }= \mathbb{N} \]

Fun ::\hspace{1em} \text{args} : (\text{Id}_a \times \text{Type})^* \\
\text{ret} : \text{Type}^* \\
\text{body} : \text{Expr} \\
\text{pre} : \text{Expr} \\
\text{post} : \text{Expr} \\
where

\[ \text{inv-Fun}(\text{mk-Fun}(\text{args, ret, body, pre, post})) \triangleq \\
\text{let arguments }= \text{elems}[i \mid (i, t) \in \text{args}] \text{ in} \\
\land \text{FV(\text{body})} \subseteq \text{arguments} \land \\
\land \text{FV(\text{pre})} \subseteq \text{arguments} \land \\
\land \text{FV(\text{post})} \subseteq \text{arguments} \]

\[ \text{Periodic} :: \hspace{1em} \text{op} : \text{Id}_\text{op} \\
\text{period} : \text{Expr} \\
\text{jitter} : \text{Expr} \\
\text{delay} : \text{Expr} \\
\text{offset} : \text{Expr} \]

where

\[ \text{inv-Periodic}(\text{mk-Periodic}(\text{op, period, jitter, delay, offset})) \triangleq \\
\{\text{period, jitter, delay, offset}\} \text{ must all evaluate to Time} \]

Object :: \hspace{1em} \text{class } : \text{Id}_\text{cl} \\
\text{state} : \Sigma \\
\text{periodicCountdown} : [\text{Time}] \\

Pattern and Bind

Pattern :: \hspace{1em} \text{type} : \text{Type} \\
\text{names} : [\text{Id}^*] \\
\text{cTypes} : (\text{Type} \mid \text{Pattern})^* \\

\[ \text{PatternBind }= \text{Pattern} \mid \text{Bind} \]

Bind = \text{SetBind} \mid \text{TypeBind} \\

SetBind ::\hspace{1em} \text{pattern} : \text{Pattern}^+ \\
\text{exp} : \text{Exp} \\

TypeBind ::\hspace{1em} \text{pattern} : \text{Pattern}^+ \\
\text{type} : \text{Type} \\

40
Statements

\[ Stm = \text{SKIP} \]
\[ \text{Assignment} \mid \text{Atomic} \mid \text{Call} \mid \text{Cases} \mid \text{Cycles} \mid \text{Duration} \]
\[ \text{ForSet} \mid \text{ForSeq} \mid \text{ForIndex} \mid \text{If} \mid \text{LetBeStm} \mid \text{LetDef} \mid \text{New} \mid \text{Return} \]
\[ \text{SemanticStm} \mid \text{SimpleBlock} \mid \text{Start} \mid \text{While} \]

Note that SemanticStm does not have syntax and is only included in the semantics to handle return of a call and durations.

\[ \text{SemanticStm} = \text{PartialLetDef} \mid \text{ObjectContext} \mid \text{Wait} \mid \text{PartialDuration} \mid \text{PartialAtomic} \]

Assignment :: target : Id_o | (Id_o × Id_v)
\[ \text{exp} : \text{Exp} \]

Atomic :: assignments : Assignment*

PartialAtomic :: assignments : Assignment*
\[ \text{oids} : \text{Id}_o\text{-set} \]

Call = SyncCall \mid AsyncCall

SyncCall :: target : \[\text{[Id}_o \mid (\text{Id}_c \times \text{Id}_i)\]
\[ \text{name} : \text{Id}_o \times \text{Id}_o \mid \text{Id}_c \times \text{Id}_o \times \text{Id}_{op} \]
\[ \text{args} : \text{Expr}^* \]

AsyncCall :: name : \text{Id}_o \times \text{Id}_{op} \mid \text{Id}_c \times \text{Id}_o \times \text{Id}_{op}
\[ \text{args} : \text{Expr}^* \]

Wait :: target : \text{Id}_o \mid (\text{Id}_c \times \text{Id}_i)

Return :: \text{exp} : \text{[Exp]}\]

ObjectContext :: object : \text{Id}_o
\[ \text{body} : \text{Stm} \]
\[ \text{callCtx} : \text{CallContext} \]

CallContext :: pending : \text{Pending}
\[ \text{state} : \Sigma \]
\[ \text{post} : \text{[Expr]} \]

Cases :: \text{exp} : \text{Exp}
\[ \text{cases} : (\text{Pattern} \times \text{Stm})^* \]
\[ \text{others} : \text{[Stm]} \]

Cycles :: cycles : \text{Exp}
\[ \text{body} : \text{Stm} \]

Duration :: duration : \text{EXEC_TIME} \mid \text{Exp}
\[ \text{body} : \text{Stm} \]

PartialDuration :: duration : \text{EXEC_TIME} \mid \text{Time}
\[ \text{elapsed} : \text{Time}
\[ \text{body} : \text{Stm} \]
ForIndex :: var : Id_v
from : Exp
to : Exp
by : Exp
body : Stm

ForSet :: pattern : Pattern
setExp : Exp
body : Stm

ForSeq :: pattern : Pattern
seqExp : Exp
body : Stm

If :: exp : Exp
then : Stm
else : Stm

LetBe :: bind : MultipleBind
suchThat : Exp
body : Stm

Definition = Id_v \xrightarrow{m} Expr

LetDef :: localDefs : Definition+
body : Stm

PartialLetDef :: context : Σ
localDefs : Definition*
body : Stm

SimpleBlock :: body : Stm*

Start :: obj : Id_o

While :: exp : Exp
body : Stm

New :: class : Id_c
target : Id_v

A.2 Context Conditions/Typechecking

This section lists the top level context conditions for a subset of the types specified in Section A.1.1.

\[
TypeMap = (\text{Id}_c \times \text{Id}_v) \xrightarrow{m} \text{Type}
\]

[\text{wf-VDMRT} : \text{VDMRT} \times \text{TypeMap} \rightarrow B\]

[\text{wf-VDMRT}(mk-\text{VDMRT}(\text{cpus}, \text{busses}, 0, \text{classes}, \text{types})) ==
\forall \text{bid} \in \text{dom} \text{busses} \cdot \text{wf-Bus}(\text{busses}(\text{bid}), \text{classes}, \text{cpus}, \text{types})
\land \forall \text{cid} \in \text{dom} \text{cpus} \cdot \text{wf-CPU}(\text{cpus}(\text{cid}), \text{classes}, \text{cpus}, \text{types})
\land \forall \text{clid} \in \text{dom} \text{classes} \cdot \text{wf-Class}(\text{clid}, \text{classes}(\text{clid}), \text{classes}, \text{cpus}, \text{types})
\land \forall \text{clid}_p \in \text{classes}(\text{clid}).\text{parents} \land \text{clid}_p \in \text{dom} \text{classes}]
Definitions

\[
\begin{align*}
\text{wf-Bus: } & \text{BUS} \times \text{CPUs} \to \mathbb{B} \\
\text{wf-Bus}(\text{mk-BUS}(\text{cpus}, \text{speed}, \text{queue}), \text{cpus}) == \forall \text{id}_c \in \text{cpus} \cdot \text{id}_c \in \text{dom} \text{ cpus} \\
\text{wf-CPU: } & \text{CPU} \times \text{Classes} \times \text{CPUs} \times \text{TypeMap} \to \mathbb{B} \\
\text{wf-CPU}(\text{mk-CPU}(\text{objects}, \text{threads}, \text{speed}), \text{classes, cpus, types}) == \\
& \text{objects} = \{ \} \land \text{threads} = \{ \} \\
\text{wf-Class: } & \text{Id}_{cl} \times \text{Class} \times \text{Classes} \times \text{CPUs} \times \text{TypeMap} \to \mathbb{B} \\
\text{wf-Class}(\text{clid, mk-Class}(\text{parents, values, vars, ops, funs, invs, initial}), \text{classes, cpus, types}) == \\
& \text{cid} \in \text{Id}_c \\
& \land \text{oid} \in \text{Id}_o \\
& \land \exists \text{any} \in \text{Id}_o \cdot (\text{cid, oid, any}) \in \text{dom} \text{ types} \\
& \land \text{types}' = \text{types} \upharpoonright \{(\text{cid, oid, id}_o) \mapsto t \mid \text{id}_o \in \text{dom} \text{ values} \land t = \text{typeOf}(\text{values}(\text{id}_o))\} \\
& \land \text{types}'' = \text{types}' \upharpoonright \{(\text{cid, oid, id}_o) \mapsto t \mid \text{id}_o \in \text{dom} \text{ vars} \land (t, -) = \text{vars}(\text{id}_o)\} \\
& \land \forall \text{id}_c \in \text{dom} \text{ vars} \cdot (\text{type, exp}) = \text{vars}(\text{id}_c) \\
& \land \exists \text{oid}_o \in \text{dom} \text{ ops} \cdot \text{wf-Op}(\text{clid, oid}_o, \text{cid, oid, classes, cpus, types}'') \\
& \land \forall \text{fun} \in \text{invs} \cdot \text{wf-Fun}(\text{clid, fun, cid, oid, classes, cpus, types}'') \land \text{fun}.\text{ret} = [\text{BOOL}] \\
& \land \left( \forall \text{initial} \in \text{Duration} \Rightarrow \text{wf-StatementSeq}(\text{initial, cid, clidclasses, cpus, types}'') \right) \\
\text{wf-Op: } & \text{Id}_{cl} \times \text{Id}_{op} \times \text{Id}_c \times \text{Id}_o \times \text{Classes} \times \text{CPUs} \times \text{TypeMap} \to \mathbb{B} \\
\text{wf-Op}(\text{clid, id}_{op}, \text{cid, oid, classes, cpus, types}) == \\
& \text{mk-Op}(\text{async, args, ret, body, pre, post}) = \text{classes}(\text{clid}).\text{ops}(\text{id}_{op}) \land \\
& \text{types}' = \text{types} \upharpoonright \{(\text{clid, idv}) \mapsto \text{type} \mid (\text{idv, type}) \in \text{args}\} \land \\
& \text{async = true} \Rightarrow \text{len} \text{ ret} = 0 \land \\
& \text{wf-Statement}(\text{body, cid, clid, classes, cpus, types}') \land \\
& \forall \text{exp} \in \{\text{pre, post}\} \cdot \text{exp} \neq \text{nil} \Rightarrow \text{contextTypeOf}(\text{exp, classes, types}') = \text{BOOL} \\
\text{wf-Fun: } & \text{Id}_{cl} \times \text{Fun} \times \text{Id}_c \times \text{Id}_o \times \text{Classes} \times \text{CPUs} \times \text{TypeMap} \to \mathbb{B} \\
\text{wf-Fun}(\text{clid, mk-Fun}(\text{args, ret, body, pre, post}), \text{cid, oid, classes, cpus, types}) == \\
& \text{types}' = \text{types} \upharpoonright \{(\text{clid, idv}) \mapsto \text{type} \mid (\text{idv, type}) \in \text{args}\} \land \\
& \text{contextTypeOf}(\text{body, classes, types}') = \text{ret} \land \\
& \forall \text{exp} \in \{\text{pre, post}\} \cdot \text{exp} \neq \text{nil} \Rightarrow \text{contextTypeOf}(\text{exp, classes, types}') = \text{BOOL} \\
\text{wf-Periodic: } & \text{Periodic} \times \text{Id}_c \times \text{Id}_{cl} \times \text{Classes} \times \text{CPUs} \times \text{TypeMap} \to \mathbb{B} \\
\text{wf-Periodic}(\text{mk-Periodic}(\text{op, period, jitter, delay, offset}), \text{cid, clid, classes, cpus, types}) == \\
& \text{op} \in \text{rng} \text{ classes}(\text{clid}).\text{ops} \land \\
& \left( \forall \text{exp} \in \{\text{period, jitter, delay, offset}\} \cdot \text{contextTypeOf}(\text{exp, classes, types}) = \text{TIME} \land \text{exp} \geq 0\right) \land \\
& \text{period} > 0 \land \text{delay} < \text{period}
\end{align*}
\]

43
Statements

\( \text{wf-StatementSeq: Stm}^* \times \text{Id}_c \times \text{Id}_cl \times \text{Classes} \times \text{CPUs} \times \text{TypeMap} \rightarrow \mathbb{B} \)

\( \text{wf-StatementSeq(stms, cid, clid, classes, cpus, types) ==} \)

\[
\text{if stms} = [] \text{ then true} \ \\
\text{else } \text{wf-Statement}(\text{hd stms, cid, clid, classes, cpus, types}) \&\  \\
\text{wf-StatementSeq}(\text{tl stms, cid, clid, classes, cpus, types)}
\]

\( \text{wf-Statement: Stm} \times \text{Id}_c \times \text{Id}_cl \times \text{Classes} \times \text{CPUs} \times \text{TypeMap} \rightarrow \mathbb{B} \)

The context conditions for statements have been omitted, but follow the general pattern of ensuring that all variable references are valid, all operation calls are to objects of the correct type, and so on.

A.3 Rules

This section describes all inference rules used in this work including the inference rule signatures.

\{ \text{SkipTime, IfTime, WhileTime, CasesTime, NewTime, ForIndexTime,} \\
\text{ForSeqTime, ForSetTime, LetDefTime, LetBeTime, LocalAssignmentTime,} \\
\text{RemoteAssignmentTime, AtomicTime, StartTime, LocalSyncCallTime,} \\
\text{LocalAsyncCallTime, RemoteSyncCallTime, RemoteAsyncCallTime,} \\
\text{ReturnTime} \} \subseteq \text{Time}

A.3.1 Signatures

\[ \text{vdmrt} \rightarrow: (\text{VDMRT} \times \text{Time}) \times (\text{VDMRT} \times \text{Time}) \]

\[ \text{init} \rightarrow: (\text{VDMRTModel}) \times (\text{VDMRT}) \]

\[ \text{exec} \rightarrow: (\text{VDMRT}) \times (\text{VDMRT} \times \text{Time}) \]

\[ \text{busses} \rightarrow: (\text{VDMRT}) \times (\text{VDMRT}) \]

\[ \text{Time} \times \text{Classes} \vdash \]

\[ \text{cpus} \rightarrow: (\text{Cpus} \times \text{Busses}) \times (\text{Cpus} \times \text{Busses} \times \text{Time}) \]

\[ \text{Time} \times \text{Classes} \vdash \]

\[ \text{bus} \rightarrow: (\text{BUS} \times \text{Cpus}) \times (\text{BUS} \times \text{Cpus}) \]

\[ \text{Time} \times \text{Classes} \times \text{Cpus} \times \text{Id}_c \vdash \]

\[ \text{cpu} \rightarrow: (\text{CPU} \times \text{Busses}) \times (\text{CPU} \times \text{Busses} \times \text{Time}) \]

\[ \text{Time} \times \text{Classes} \times \text{Cpus} \times \text{Id}_c \times \text{Id}_t \times \text{Id}_o \vdash \]

\[ \text{dur} \rightarrow: (\text{Duration}^* \times \text{Pending} \times \text{CPU} \times \text{Busses}) \times \]

\[ (\text{Duration}^* \times \text{Pending} \times \text{CPU} \times \text{Busses} \times \text{Time}) \]

\[ \text{Time} \times \text{Classes} \times \text{Cpus} \times \text{Id}_c \times \text{Id}_t \times \text{Id}_o \vdash \]

\[ \text{stmt} \rightarrow: (\text{Stm}^* \times \text{Pending} \times \text{CPU} \times \text{Busses}) \times (\text{Stm}^* \times \text{Pending} \times \text{CPU} \times \text{Busses} \times \text{Time}) \]
\[
\text{bind} : (\text{Bind} \times \text{Pending} \times \text{CPU}) \times (\text{Pattern} \times \Sigma)
\]

\[
\text{Classes, Cpus, Pending, Id} \vdash \llbracket \text{Exp} \rrbracket \rightarrow (\text{VDMValue} \times \text{Time})
\]

### A.3.2 Top level rules

The \text{Init} rule initializes the \text{vdmrt} record from a source \text{model} by creating the CPUs, busses and classes.

\[
\text{Init}
\]

\[
\begin{align*}
\text{cpus} &= \text{createCpus}(\text{demodel}) \\
\text{busses} &= \text{createBusses}(\text{cpus}, \text{demodel}) \\
\text{classes} &= \text{createClasses}(\text{demodel}) \\
\text{cpus}' &= \text{createInitialInstances}(\text{cpus}, \text{classes}, \text{demodel}) \\
\text{vdmrt} &= \text{mk-VDMRT}(\text{cpus}', \text{busses}, 0, \text{classes})
\end{align*}
\]

The \text{Big Step} rule is the top level rule of the semantics. It is a big step rule that first deals with the creation of a new execution context by committing ready pending variables and updating time, and then handles the activity of the busses, creation of periodic threads and context switches. The \text{exec} transition relation is used to execute the model in the updated context. Lastly, this rule calculates the minimum time until next pending commit.

\[
\text{Big Step}
\]

\[
\begin{align*}
\text{vdmrt}^1 &= \text{commitPendingValuesAndUpdateTime}(\text{vdmrt}, \tau) \\
\text{vdmrt}^1 \overset{\text{busses}}{\rightarrow} \text{vdmrt}^2 \\
\text{vdmrt}^3 &= \text{createPeriodicThreads}(\text{vdmrt}^2) \\
\text{vdmrt}^4 &= \text{doContextSwitches}(\text{vdmrt}^3) \\
\text{vdmrt}^4 \overset{\text{exec}}{\rightarrow} (\text{vdmrt}^5, \tau_b) \\
\tau_b' &= \min(\tau_b, \min\text{PendingCommitTime}(\text{vdmrt}^5)) \\
\text{vdmrt} \overset{\text{exec}}{\rightarrow} (\text{vdmrt}^5, \tau_b')
\end{align*}
\]

The \text{Exec} rule uses the \text{cpus} transition rule to execute the CPUs and calculate a new time bound.

\[
\text{Exec}
\]

\[
\begin{align*}
\tau, \text{classes} \vdash (\text{cpus}, \text{busses}) \overset{\text{cpus}}{\rightarrow} (\text{cpus}', \text{busses}', \tau_b) \\
\text{mk-VDMRT}(\text{cpus}, \text{busses}, \tau, \text{cls}) \overset{\text{exec}}{\rightarrow} \text{mk-VDMRT}(\text{cpus}', \text{busses}', \tau, \text{cls}, \tau_b)
\end{align*}
\]

### Bus rules

The two rules, \text{Busses} and \text{Busses Base}, deal with bus activity. The \text{Busses} rule selects a bus from the set of all busses and uses the \text{Rdebus} transition relation to execute a single bus’ activity and continues with the remaining busses using down with the \text{Rdebucks} transition relation recursively. The recursive base case is handled by the \text{Busses Base} rule.

\[
\text{Busses}
\]

\[
\begin{align*}
\text{busses}(b) &= \text{bus} \\
\tau, \text{classes} \vdash (\text{bus}, \text{cpus}) \overset{\text{bus}}{\rightarrow} (\text{bus}', \text{cpus}') \\
\text{busses}' &= \{ \text{bus} \} \downset \text{busses} \\
\text{mk-VDMRT}(\text{cpus}', \text{busses}', \tau, \text{cls}) \overset{\text{busses}}{\rightarrow} \text{mk-VDMRT}(\text{cpus}'', \text{busses}'', \tau, \text{cls}) \\
\text{busses}''' &= \text{busses} \upset \{ b \rightarrow \text{bus}' \} \\
\text{mk-VDMRT}(\text{cpus}, \text{busses}, \tau, \text{cls}) \overset{\text{busses}}{\rightarrow} \text{mk-VDMRT}(\text{cpus}'', \text{busses}'', \tau, \text{cls})
\end{align*}
\]

45
There are three rules that deal with individual bus activity: Bus Base, Bus Call and Bus Return. The rules assume that the queue on the bus is sorted by time that the messages were added to the bus queue. The Bus Base rule serves as the base case when the message at the top of the bus queue has an arrival time later than the current time.

**Bus Base**

\[
\begin{align*}
\text{bus.queue} &= [(c, \text{msg})]\sim \text{queue'} \\
\tau &\geq \text{arrivalTime}(\text{bus.speed, msg}) \\
\text{mk-CMessage}(id_o, \text{op, args, replyto, sendTime}) &= \text{msg} \\
\text{id}_o &\in \text{dom} \text{cpu}(c).\text{objects} \\
\text{cpu'} &= \text{createThread}(\text{cpu}, \text{id}_o, [\text{mk-Duration}(0, [\text{mk-SyncCall}(\text{replyto, (id}_o, \text{op, args)}))] ) \\
\text{cpus'} &= \text{cpus} \uplus \{ c \mapsto \text{cpu'} \} \\
\text{bus'} &= \text{mk-Bus}(\text{bus}.\text{cpus}, \text{bus.speed, queue'}) \\
\tau, \text{classes} &\vdash (\text{bus}, \text{cpus}) \xrightarrow{\text{bus}} (\text{bus}', \text{cpus'})
\end{align*}
\]

The Bus Call rule reduces the bus queue if the queue has a CMessage at the queue head and the arrival time of that message is earlier than or equal to the current time \(\tau\). The message is removed from the queue and a new thread is created on the receiving CPU. The body of the newly created thread is created with a SyncCall matching the requested call from the message. Finally, the rule makes a recursive call to \(\xrightarrow{\text{bus}}\) to further process the bus queue.

**Bus Call**

\[
\begin{align*}
\text{bus.queue} &= [(c, \text{msg})]\sim \text{queue'} \\
\tau &\geq \text{arrivalTime}(\text{bus.speed, msg}) \\
\text{mk-CMessage}(id_o, \text{op, args, replyto, sendTime}) &= \text{msg} \\
\text{id}_o &\in \text{dom} \text{cpus}(c).\text{objects} \\
\text{cpu'} &= \text{createThread}(\text{cpu}, \text{id}_o, [\text{mk-Duration}(0, [\text{mk-SyncCall}(\text{replyto, (id}_o, \text{op, args)}))] ) \\
\text{cpus'} &= \text{cpus} \uplus \{ c \mapsto \text{cpu'} \} \\
\text{bus'} &= \text{mk-Bus}(\text{bus}.\text{cpus}, \text{bus.speed, queue'}) \\
\tau, \text{classes} &\vdash (\text{bus}, \text{cpus}) \xrightarrow{\text{bus}} (\text{bus}', \text{cpus'})
\end{align*}
\]

The Bus Return rule is similar to Bus Call but handles return messages (RMessage). The return message is transformed into a Return statement in the target thread which must have the status WAITING. The Return is inserted into the body of the duration at the head of the thread body. When the new return is inserted the thread status is changed into RUNNABLE allowing its execution to resume.

**Bus Return**

\[
\begin{align*}
\text{bus.queue} &= [(c, \text{msg})]\sim \text{queue'} \\
\tau &\geq \text{arrivalTime}(\text{bus.speed, msg}) \\
\text{mk-RMessage}(\text{values, replyto, sendTime}) &= \text{msg} \\
\text{replyto} &= (c, t) \\
\text{cpus}(c) &= \text{mk-CPU}(\text{objects, threads, speed}) \\
\text{threads}(t) &= \text{mk-Thread}([\text{WAITING}, \text{pending, context, body}) \\
\text{body} &= [\tau_d, \text{stms}] \sim \text{remainder} \\
\text{stms'} &= \text{insertReturn}(\text{stms, mk-Return(values))} \\
\text{body'} &= [\tau_d, \text{stms'}] \sim \text{remainder} \\
\text{threads'} &= \text{mk-Thread}([\text{RUNNABLE}, \text{pending, context, body'}]) \\
\text{cpus'} &= \text{cpus} \uplus \{ c \mapsto \text{mk-CPU}(\text{objects, threads', speed}) \} \\
\text{bus'} &= \text{mk-Bus}(\text{bus}.\text{cpus}, \text{bus.speed, queue'}) \\
\tau, \text{classes} &\vdash (\text{bus}, \text{cpus}) \xrightarrow{\text{bus}} (\text{bus}', \text{cpus'})
\end{align*}
\]
CPU rules

Rules for all CPUs The following two inference rules describe how all CPUs are executed. The rule CPUs Step selects a single CPU and uses the $\text{Rdecpu}$ transition relation to execute a single CPU before it uses the $\text{CPU} \xrightarrow{\text{cpus}}$ transition relation to recursively execute the rest of the CPUs, where the CPU Base rule serves as the base case.

\[
\begin{align*}
\tau, \text{classes} \vdash (\emptyset, \text{busses}) & \xrightarrow{\text{cpus}} (\emptyset, \text{busses}, \infty) \\
\end{align*}
\]

Rules for single CPUs The following two inference rules, CPU Pending and CPU Running, describe how a single CPU schedules execution. Both rules select a thread, execute its body with the $\xrightarrow{\text{dur}}$ transition relation and updates the thread status, pending and body. The new thread status is handled differently in the two rules. The CPU Pending rule sets the thread status to PENDING if the new thread body is empty after applying the $\xrightarrow{\text{dur}}$ transition relation to the thread body. Whereas the CPU Running sets the status to RUNNING indicating that it can continue to execute if the new thread body is not empty. Note that a thread with status PENDING is handled in the commitPendingValuesAndUpdateTime function of the top level rule Big Step.

\[
\begin{align*}
\text{CPU Pending} & \\
\text{CPU Running} & \\
\end{align*}
\]

Durations The duration rules are split up into three steps starting with the rule Duration Eval which evaluates the time of the duration and replaces the expression in the duration with the calculated value. The second
rule, Duration Step to PartialDuration, converts a duration into a partial duration, executing at least part of the duration’s body in the process. Finally, the Duration Step PartialDuration takes a partial duration and executes it; the rest in the result of the $\xrightarrow{\text{stmt}}$ transition relation is then encapsulated into a new partial duration that replaces the original partial duration. While executing, it uses the partial duration to record the total time taken to execute and the remaining statements that still require execution. The CPU Pending rule removes those partial durations that have empty body fields, and it also changes the thread status to PENDING enabling the top level rule Big Step to commit the changes made in the duration.

\[\begin{align*}
\text{Duration Eval} & \text{ } \\
\text{EXPR} \notin (\text{Time} \cup \{\text{EXEC_TIME}\}) \\
\text{classes, cpus, pending, o} \vdash [\text{EXPR}] = (\text{value}, -) \\
\text{body} = [\text{mk-Duration}(\text{EXPR}, \text{stmts})] \xrightarrow{\text{rest}} \\
\text{body'} = [\text{mk-Duration}(\text{value, stmts})] \xrightarrow{\text{rest}} \\
\tau, \text{classes, cpus, c, t, o} \vdash (\text{stmts, pending, cpu, busses}) \xrightarrow{\text{stmt}} (\text{rest, pending'}, \text{cpu'}, \text{busses'}, \delta) \\
\tau, \text{classes, cpus, c, t, o} \vdash (\text{body, pending, cpu, busses}) \xrightarrow{\text{dur}} (\text{body', pending'}, \text{cpu'}, \text{busses'}, \delta)
\end{align*}\]

\[\begin{align*}
\text{Duration Step to PartialDuration} & \text{ } \\
n \neq \text{EXEC_TIME} \Rightarrow \delta \leq n \\
\text{body} = [\text{mk-Duration}(n, \text{stmts})] \xrightarrow{\text{tail}} \\
\tau, \text{classes, cpus, c, t, o} \vdash (\text{stmts, pending, cpu, busses}) \xrightarrow{\text{stmt}} (\text{rest, pending'}, \text{cpu'}, \text{busses'}, \delta) \\
\text{body'} = [\text{mk-PartialDuration}(n, \delta, \text{rest})] \xrightarrow{\text{tail}} \\
\tau, \text{classes, cpus, c, t, o} \vdash (\text{body, pending, cpu, busses}) \xrightarrow{\text{dur}} (\text{body', pending'}, \text{cpu'}, \text{busses'}, \delta)
\end{align*}\]

\[\begin{align*}
\text{Duration Step PartialDuration} & \text{ } \\
n \neq \text{EXEC_TIME} \Rightarrow \delta \leq (n - \text{elapsed}) \\
\text{body} = [\text{mk-PartialDuration}(n, \text{elapsed}, \text{stmts})] \xrightarrow{\text{tail}} \\
\tau, \text{classes, cpus, c, t, o} \vdash (\text{stmts, pending, cpu, busses}) \xrightarrow{\text{stmt}} (\text{rest, pending'}, \text{cpu'}, \text{busses'}, \delta) \\
\text{body'} = [\text{mk-PartialDuration}(n, \text{elapsed} + \delta, \text{rest})] \xrightarrow{\text{tail}} \\
\tau, \text{classes, cpus, c, t, o} \vdash (\text{body, pending, cpu, busses}) \xrightarrow{\text{dur}} (\text{body', pending'}, \text{cpu'}, \text{busses'}, \delta)
\end{align*}\]

**General Statements**

The inference rules for statements use a small step semantics to step statements through recursive application of the $\xrightarrow{\text{stmt}}$ rule until the time bound is reached. When the time bound is reached the rules return as a big step. The Stmt Base is the base case of the recursive application and stops the statement execution and returns with an empty set of statements. The Stmt rule strips a statement from the sequence of statements which is either evaluated and removed or rewritten due to a partial evaluation. The rule always returns the combined time it took to execute the statements and inner expressions.

\[\begin{align*}
\text{Stmt Base} & \text{ } \\
\tau, \text{classes, cpus, c, t, o} \vdash ([], \text{pending, cpu, busses}) \xrightarrow{\text{stmt}} ([], \text{pending, cpu, busses}, 0)
\end{align*}\]

The Stmt Skip rule removes the skip statement from the head of a sequence of statements and increments time accordingly.

\[\begin{align*}
\text{Stmt Skip} & \text{ } \\
\tau, \text{classes, cpus, c, t, o} \vdash (\text{rest, pending, cpu, busses}) \xrightarrow{\text{stmt}} (\text{rest'}, \text{pending, cpu, busses}, \delta) \\
\delta' = \text{SkipTime} + \delta \\
\tau, \text{classes, cpus, c, t, o} \vdash ([\text{SKIP}] \xrightarrow{\text{rest, pending, cpu, busses}} \xrightarrow{\text{stmt}} (\text{rest'}, \text{pending, cpu, busses,} \delta')
\end{align*}\]
The Stmt SimpleBlock executes the statements of the block and removes it from the sequence of statements.

\[
\begin{align*}
\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{stmts} \leftarrow \text{rest}, \text{pending}', \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta) \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{mk-SimpleBlock(stmts)}] \leftarrow \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta)
\end{align*}
\]

The Stmt If True and Stmt If False both removes the if-statement from the sequence of statements and replaces it with either with the then or else depending on the evaluated value of the test expression in the if-statement.

\[
\begin{align*}
\tau, \text{classes}, \text{cpus}, \text{pending}, o \vdash [e] = (\text{true}, \delta_e) \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{th}] \leftarrow \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta) \\
\delta' = \delta_e + \delta + \text{IfTime} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{mk-If}(e, \text{th}, \text{el})] \leftarrow \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta')
\end{align*}
\]

\[
\begin{align*}
\tau, \text{classes}, \text{cpus}, \text{pending}, o \vdash [e] = (\text{false}, \delta_e) \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{el}] \leftarrow \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta) \\
\delta' = \delta_e + \delta + \text{IfTime} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{mk-If}(e, \text{th}, \text{el})] \leftarrow \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta')
\end{align*}
\]

The Stmt While True rule prefixes the sequence of statements with the while statement’s body if the test expression is true, whereas the Stmt While False simply removes the while statement when the test expression is false.

\[
\begin{align*}
\tau, \text{classes}, \text{cpus}, \text{pending}, o \vdash [e] = (\text{true}, \delta_e) \\
\text{stmts} = [\text{body}, \text{mk-While}(e, \text{body})] \leftarrow \text{rest} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{stmts}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta) \\
\delta' = \delta_e + \delta + \text{WhileTime} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{mk-While}(e, \text{body})] \leftarrow \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta')
\end{align*}
\]

\[
\begin{align*}
\tau, \text{classes}, \text{cpus}, \text{pending}, o \vdash [e] = (\text{false}, \delta_e) \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta) \\
\delta' = \delta_e + \delta + \text{WhileTime} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{mk-While}(e, \text{body})] \leftarrow \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}')
\end{align*}
\]

The Stmt Cases rule starts by evaluating the expression of the cases statement, and then it constructs a list (alts) of cases where the pattern matched combined with the others statement if it is given and a skip statement in case no cases matched or no others statement were given. Then a PartialLetDef is
created with the state and statement from the head of the list $alts$ which then is appended to the rest and executed.

### Stmt Cases

$classes, \; cpus, \; pending, \; o \vdash [e] = (value, \delta_{e})$

$alts = [(\sigma, \; stm) \; | \; i \in ind cases \bullet (p, \; stm) = cases(i) \land \sigma = match(p, \; value) \land \sigma \neq \emptyset ] ^{\rightsquigarrow} [[\{\}, \; others] \; | \; others \neq \emptyset] ^{\rightsquigarrow} [(\{\}, \; \text{SKIP})]$

$(\sigma, \; stm) = \text{hd} \; alts$

$let = \text{mk-PartialLetDef}(\sigma, \; [], \; stm)$

$\tau, \; classes, \; cpus, \; c, \; t, \; o \vdash ([let] \; \rightsquigarrow \; \text{rest, pending, cpu, busses}) \xrightarrow{\text{stmt}} (\text{rest'}, \; \text{pending'}, \; \text{cpu'}, \; \text{busses'}, \; \delta)$

$\delta' = \delta + \text{CasesTime}$

$\tau, \; classes, \; cpus, \; c, \; t, \; o \vdash (\text{mk-Cases}(e, \; cases, \; others)) \; \rightsquigarrow \; \text{rest, pending, cpu, busses} \xrightarrow{\text{stmt}} (\text{rest'}, \; \text{pending'}, \; \text{cpu'}, \; \text{busses'}, \; \delta')$

The Stmt New rule creates a new object of the $cl$ class and both adds the object to the CPU but also updates pending with $target$ pointing to the new object. The class instantiated must not be an active thread, therefore, the initial field must not be periodic or contain a set of durations. When the new object is created a fresh $oid$ is selected and all initial values and variables are evaluated to the new object state $\sigma$ used in the new object. The object is then added to the CPU and the $target$ is pointed at the new object in the pending map using in further evaluation. It is important to note that this rule is not type correct since the $pending$ map does not allow for $Id_{o}$ but only $Id_{c}$, further work is needed to update the pending lookup in the cases where an object id is encountered since this requires the state of the object to be made accessible.

### Stmt New

$classes(cl), \; \text{initial} \notin \text{Periodic} \cup \{\text{nil}\}$

$oid \in Id_{o}$

$oid \notin \bigcup \{\text{dom acpu.objects} \mid \text{acpu} \in (\text{rng cpus} \cup \{cpu\})\}$

$\text{initVals} = \text{classes}(cl), \; \text{values}$

$\text{initVars} = \text{classes}(cl), \; \text{vars}$

$\text{inits} = \{id \mapsto (v, \delta_{e}) \mid id \in \text{dom initVars} \land \text{classes}, \; cpus, \; \text{initVals} \vdash [e] = (v, \delta_{e})\}$

$\sigma = \text{initVals} \upharpoonright \{id \mapsto v \mid id \in \text{dom inits} \land (v, \cdot) = \text{inits}(id)\}$

$\delta_{e} = \text{sumMapRange}(id \mapsto \delta \mid id \in \text{dom inits} \land \text{inits}(id) = (\cdot, \delta))$

$\text{obj} = \text{mk-Object}(cl, \; \sigma, \; \text{nil})$

$\text{cpu'} = \text{mk-CPU}(\text{cpu.objects} \upharpoonright \{oid \mapsto \text{obj}\}, \text{cpu.threads}, \text{cpu.speed})$

$\text{pending'} = \text{pending} \upharpoonright \{o \mapsto (\text{pending}(o) \upharpoonright \{\text{target} \mapsto \text{oid}\})\}$

$\tau, \; classes, \; cpus, \; c, \; t, \; o \vdash (\text{rest, pending'}, \; \text{cpu'}, \; \text{busses}) \xrightarrow{\text{stmt}} (\text{rest'}, \; \text{pending''}, \; \text{cpu''}, \; \text{busses'}, \; \delta)$

$\delta' = \delta + \text{NewTime}$

$\tau, \; classes, \; cpus, \; c, \; t, \; o \vdash (\text{mk-New}(cl, \; target)) \; \rightsquigarrow \; \text{rest, pending, cpu, busses} \xrightarrow{\text{stmt}} (\text{rest'}, \; \text{pending''}, \; \text{cpu''}, \; \text{busses'}, \; \delta')$

### Duration

The duration statements always start with the Stmt Duration Eval which evaluates the time expression and replaces it with the actual value. Then either the duration is executed by Stmt Duration Complete, and fully completes with an empty rest or a return statement fully evaluated which results in the duration being removed or the if a rest exists then the duration is replaced with a partial duration and execution is contained.
The three rules Stmnt Duration to PartialDuration wrap the rest from a duration step that did not complete, and the Stmnt Duration Step PartialDuration executes the statements of the partial duration in the case where the head of the statements is different from a return statement.

\[\text{Stmnt Duration Eval}\]

\[
\begin{align*}
\text{expr} & \not\in \text{Time} \cup \{\text{EXECTime}\} \\
\text{classes}, \text{cpus}, \text{pending}, o \vdash [\text{expr}] = (\text{value}, -) \\
\text{rest}' &= [\text{mk-Duration(value, stm)}] \triangledown \text{rest} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{rest}', \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta') \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{mk-Duration(exp, stm)}] \triangledown \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}'', \text{pending}', \text{cpu}', \text{busses}', \delta'')
\end{align*}
\]

\[\text{Stmnt Duration Complete}\]

\[
\begin{align*}
\text{dur} &= \text{mk-Duration(value, stm)} \\
\text{value} &\in \text{Time} \cup \{\text{EXECTime}\} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{stm}], \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta) \\
\text{rest}' &= [[] \lor (\text{rest}' = [\text{mk-Return(v)}] \land v \in \text{VDMValue}) \\
\text{rest}'' &= \text{rest}' \triangledown \text{rest} \\
\text{value} \not\in \text{EXECTime} &\Rightarrow \delta \leq \text{value} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{rest}'', \text{pending}', \text{cpu}', \text{busses}') \xrightarrow{\text{stmt}} (\text{rest}'', \text{pending}'', \text{cpu}'', \text{busses}'', \delta'') \\
\text{value} \not\in \text{EXECTime} &\Rightarrow \delta'' = \text{value} + \delta' \\
\text{value} = \text{EXECTime} &\Rightarrow \delta'' = \delta + \delta'
\end{align*}
\]

\[
\begin{align*}
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{dur}] \triangledown \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}'', \text{pending}'', \text{cpu}'', \text{busses}'', \delta'')
\end{align*}
\]

The three rules Stmnt Duration to PartialDuration wrap the rest from a duration step that did not complete, and the Stmnt Duration Step PartialDuration executes the statements of the partial duration in the case where the head of the statements is different from a return statement.

\[\text{Stmnt Duration to PartialDuration}\]

\[
\begin{align*}
\text{value} &\in \text{Time} \cup \{\text{EXECTime}\} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{stm}], \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta) \\
\text{hd} \text{rest} &\not\in \text{Return} \\
\text{value} \not\in \text{EXECTime} &\Rightarrow \delta \leq \text{value} \\
\text{rest}'' &= [\text{mk-PartialDuration(value, \delta, \text{mk-SimpleBlock(rest')})} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{mk-Duration(value, stm)}] \triangledown \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}'', \text{pending}', \text{cpu}', \text{busses}', \delta)
\end{align*}
\]

\[\text{Stmnt Duration Step PartialDuration}\]

\[
\begin{align*}
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{stm}], \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta) \\
\text{hd} \text{rest} &\not\in \text{Return} \\
\text{value} \not\in \text{EXECTime} &\Rightarrow \delta \leq (\text{value} - \delta_{\text{elapsed}}) \\
\text{rest}'' &= [\text{mk-PartialDuration(value, \delta_{\text{elapsed}} + \delta, \text{mk-SimpleBlock(rest')})} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{mk-PartialDuration(value, \delta_{\text{elapsed}} + \delta, \text{mk-SimpleBlock(rest')})}] \triangledown \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} \\
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{mk-PartialDuration(value, \delta_{\text{elapsed}} + \delta, \text{mk-SimpleBlock(rest')})}] \triangledown \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}}
\end{align*}
\]

Finally, the Stmnt Duration Complete PartialDuration combined the rest of the evaluation of statements from the partial duration with the rest of the current thread body and continues execution. The two rests can be combined because either the rest is an empty sequence or it contains a fully evaluated return statement.
### Stmt Duration Complete PartialDuration

\[
\text{partialduration} = \text{mk-PartialDuration}(\text{value}, \delta_{\text{elapsed}}, \text{stm})
\]

<table>
<thead>
<tr>
<th>(\tau, \text{classes}, \text{cpus}, c, t, o \vdash [\text{stm}])</th>
<th>(\text{pending}, \text{cpu}, \text{busses})</th>
<th>(\text{stmt})</th>
<th>(\text{rest}' = [\text{stm}] \cup {\text{v} \in \text{VDMValue}})</th>
<th>(\text{rest}'' = \text{rest}' \bowtie \text{rest})</th>
</tr>
</thead>
<tbody>
<tr>
<td>(\text{value} \neq \text{EXECTIME} \Rightarrow \delta \leq (\text{value} - \delta_{\text{elapsed}}))</td>
<td>(\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{rest}'', \text{pending}'', \text{cpu}, \text{busses}'', \delta))</td>
<td>(\text{stmt})</td>
<td>(\text{rest}'' \Rightarrow \text{rest}'' = \text{value} + \delta')</td>
<td>(\text{value} = \text{EXECTIME} \Rightarrow \delta'' = \delta + \delta')</td>
</tr>
</tbody>
</table>

### For

The for statements are divided into three groups: Stmt ForIndex, Stmt ForSeq and Stmt ForSet. They are all unfolded to a sequence of partial let defs representing the loops of the for statement. The Stmt ForIndex starts out by evaluating the from, to and by, and then calculates the number of partial let defs needed to unfold the loop. The Stmt ForSeq starts by evaluating the \(\text{seqExp}\) to a set value, and then unfolding the loop where the state in each partial let def has the pattern \(p\) bound to an element of the sequence represented by \(\text{seqExp}\). The Stmt ForSet converts the set represented by \(\text{setExp}\) to a sequence, and then follows the same procedure as Stmt ForSeq.

#### Stmt ForIndex

\[
\text{forindex} = \text{mk-ForIndex}(\text{id}_v, e_{\text{from}}, e_{\text{to}}, e_{\text{by}}, \text{stm})
\]

<table>
<thead>
<tr>
<th>(\text{classes}, \text{cpus}, \text{pending}, o \vdash [e_{\text{from}}] = (v_{\text{from}}, \delta_{\text{from}}))</th>
<th>(\text{classes}, \text{cpus}, \text{pending}, o \vdash [e_{\text{to}}] = (v_{\text{to}}, \delta_{\text{to}}))</th>
<th>(\text{classes}, \text{cpus}, \text{pending}, o \vdash [e_{\text{by}}] = (v_{\text{by}}, \delta_{\text{by}}))</th>
</tr>
</thead>
<tbody>
<tr>
<td>(\text{stmts} = \text{mk-PartialLetDef}({\text{id}_v \rightarrow v}, [], \text{stm}))</td>
<td>(\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{stmts} \bowtie \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \Rightarrow (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta))</td>
<td></td>
</tr>
<tr>
<td>(\delta' = \delta_{\text{from}} + \delta_{\text{to}} + \delta_{\text{by}} + \delta + \text{ForIndexTime})</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

### Stmt ForSeq

\[
\text{stmts} = \text{mk-PartialLetDef}(\text{seq}, \sigma, \{\text{stm}\})\]

<table>
<thead>
<tr>
<th>(\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{stmts} \bowtie \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \Rightarrow (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta))</th>
</tr>
</thead>
<tbody>
<tr>
<td>(\delta' = \delta_{\text{e}} + \delta + \text{ForSeqTime})</td>
</tr>
</tbody>
</table>

| \(\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{mk-ForSeq}(p, \text{seqExp}, \text{stm})) \bowtie \text{rest}, \text{pending}, \text{cpu}, \text{busses} \Rightarrow (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta')\) |
Stmt LetDef

The let-statements are divided into two groups: lets and let defs. The
Stmt Cycle rule converts the cycle statement into a duration where the time is calculated based on the current CPU speed.

Stmt LetDef

\[ \begin{align*}
classes, cpus, pending, o \vdash \llbracket setExp \rrbracket &= (set, \delta_e) \\
stms &= \{ mk-PartialLetDef(\sigma, [], stms) \mid i \in \text{inds set2seq(set)} \land \sigma = \text{match}(p, \text{seq}(i)) \} \\
\tau, classes, cpus, c, t, o \vdash (stms \bowtie rest, pending, cpu, busses) \xrightarrow{\text{stmt}} (rest', pending', cpu', busses', \delta) \\
\delta' &= \delta_e + \delta + \text{ForSetTime} \\
\tau, classes, cpus, c, t, o \vdash (mk-ForSet(p, setExp, stms)) \bowtie rest, pending, cpu, busses \xrightarrow{\text{stmt}} (rest', pending', cpu', busses', \delta')
\end{align*} \]

Other VDM-Rt specific

The Stmt Cycle rule converts the cycle statement into a duration where the time is calculated based on the current CPU speed.

Stmt LetDef

\[ \begin{align*}
classes, cpus, pending, o \vdash \llbracket e \rrbracket &= (value, -) \\
value &\geq 0 \\
time &= \text{convertCyclesToTime}(value, cpu.speed) \\
dur &= \text{mk-Duration}(time, stms) \\
\tau, classes, cpus, c, t, o \vdash (\llbracket dur \rrbracket \bowtie rest, pending, cpu, busses) \xrightarrow{\text{stmt}} (rest', pending', cpu', busses', \delta) \\
\tau, classes, cpus, c, t, o \vdash (mk-Cycles(e, stms)) \bowtie rest, pending, cpu, busses \xrightarrow{\text{stmt}} (rest', pending', cpu', busses', \delta)
\end{align*} \]

Stmt LetBe

The let-statements are divided into two groups: Stmt LetDef and Stmt LetBe. Both are converted into partial let defs. The Stmt LetDef rule directly rewrites the let def statement into a partial let def whereas the Stmt LetBe rules first bind the patterns and then tests if the expression evaluates to true.

Stmt LetDef

\[ \begin{align*}
stms &= \{ mk-PartialLetDef(\{ \}, \text{defs}, \text{body}) \} \bowtie rest \\
\tau, classes, cpus, c, t, o \vdash (stms, pending, cpu, busses) \xrightarrow{\text{stmt}} (rest', pending', cpu', busses', \delta) \\
\delta' &= \delta + \text{LetDefTime} \\
\tau, classes, cpus, c, t, o \vdash ([mk-LetDef(\text{defs}, \text{body})] \bowtie rest, pending, cpu, busses) \xrightarrow{\text{stmt}} (rest', pending', cpu', busses', \delta')
\end{align*} \]

Stmt LetBe

\[ \begin{align*}
\tau, classes, cpus, c, t, o \vdash (\text{bind}, pending, cpu) \xrightarrow{\text{bind}} (ps, \sigma') \\
pending' &= pending \uplus \{ o \mapsto (pending(o) \uplus \sigma') \} \\
classes, cpus, pending', o \vdash \llbracket e \rrbracket &= (true, \delta_e) \\
stms &= \{ mk-PartialLetDef(\sigma', [], \text{body}) \} \bowtie rest \\
\tau, classes, cpus, c, t, o \vdash (stms, pending, cpu, busses) \xrightarrow{\text{stmt}} (rest', pending', cpu', busses', \delta) \\
\delta' &= \delta_e + \delta + \text{LetBeTime} \\
\tau, classes, cpus, c, t, o \vdash ([mk-LetBe(\text{bind}, e, \text{body})] \bowtie rest, pending, cpu, busses) \xrightarrow{\text{stmt}} (rest', pending', cpu', busses', \delta')
\end{align*} \]

The Stmt PartialLetDef Step rule steps through the definitions and evaluates each definition until the sequence of definitions becomes empty.
 partialletdef = mk-PartialLetDef (σ, defs, body)
 (idv, e) = hd defs
 pending' = pending ⊢ σ
 classes, cpus, pending', o ⊢ [e] = (v, δv)
 σ' = σ ⊢ {idv → v}
 stms = [mk-PartialLetDef (σ', tl defs, body)] □ rest
 τ, classes, cpus, c, t, o ⊢ (stms, pending, cpu, busses) △→ (rest', pending'', cpu', busses', δ)
 δ' = δv + δ

The Stmt PartialLetDef Eval Complete does a full evaluation of the partial let def in a way that either the sequence of statements becomes empty or is a single, fully evaluated return statement. In either case, the sequence of statements resulting from the partial let def is concatenated with the sequence of statements from the thread body and evaluation is continued.

 partialletdef = mk-PartialLetDef (σ, [], body)
 pending' = pending ⊢ σ
 τ, classes, cpus, c, t, o ⊢ ([body], pending', cpu, busses) △→ (rest', pending'', cpu', busses', δbody)
 rest' = [] ∨ (rest' = [mk-Return(v)] ∧ v ∈ VDMValue)
 rest'' = rest' □ rest
 pending''' = (dom σ ⊨ pending) ⊢ (dom σ ⊨ pending)
 τ, classes, cpus, c, t, o ⊢ (rest'', pending''', cpu', busses') △→ (rest''', pending''', cpu'', busses'', δ)
 δ' = δbody + δ

The Stmt PartialLetDef Eval Waiting rule evaluates a part of the statements in the partial let def. It wraps the rest in a new partial let def and adds the new partial let def at the head of the thread body.

 partialletdef = mk-PartialLetDef (σ, [], body)
 pending' = pending ⊢ σ
 τ, classes, cpus, c, t, o ⊢ ([body], pending', cpu, busses) △→ (rest', pending'', cpu', busses', δ)
 rest' ≠ [] ∧ rest' ≠ [mk-Return(-)]
 pending''' = (dom σ ⊨ pending) ⊢ (dom σ ⊨ pending)
 σ' = dom σ ⊨ pending'''
 rest'' = [mk-PartialLetDef (σ', [], mk-SimpleBlock (rest'))] □ rest
 τ, classes, cpus, c, t, o ⊢ ([partialletdef] □ rest, pending, cpu, busses) △→ (rest'', pending''', cpu', busses', δ)

Assignments

There are two kinds of assignment/atomic statements, either the target has a Idv indicating a local assignment or it has a Idv x Idv indicating that it is a remote assignment. The assignment evaluates the expression and stores the result in pending for the object specified followed by an invariant check.
target ∈ Id_v
classes, cpus, pending, o ⊢ [e] = (value, δ_e)
σ' = pending(o) † {target ⇝ value}
pending' = pending † {o ↦ σ'}
obj = cpu.objects(o)
checkInvs(classes(obj.class).invs, obj.state † σ')

\[ \tau, \text{classes, cpus, c, t, o} \vdash (\text{rest, pending}', \text{cpu, busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}'', \text{cpu}', \text{busses}', \delta') \]

The atomic statements are defined into three steps. First of all, the Stmt Atomic Start rule converts the atomic statement into a partial atomic statement. Secondly, either the Stmt Atomic Local or Stmt Atomic Remote performs the actual assignment. And finally, the Stmt Atomic Base is the recursive base case for the atomic assignments that when all assignments are done checks that the invariants still hold.

Stmt Atomic Start

\[ \text{stmts} = \text{[mk-Partial Atomic(assigns, \{\})]} \]

\[ \tau, \text{classes, cpus, c, t, o} \vdash \text{(stmts, pending, cpu, busses)} \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}'', \text{cpu}', \text{busses}', \delta') \]
hd assigns = mk-Assignment(target, exp)

\[\text{target} \in \text{Id}_v\]

classes, cpus, pending, o \triangleright [e] = (value, \delta_e)

\[\sigma' = \text{pending}(o) \uplus \{\text{target} \mapsto \text{value}\}\]

\[\text{pending}' = \text{pending} \uplus \{o \mapsto \sigma'\}\]

oids' = oids' \cup \{o\}

rest' = [mk-PartialAtomic(\text{tl assigns, oids'})] \sim rest

\[\tau, \text{classes, cpus, c, t, o} \vdash (\text{rest}', \text{pending}', \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}'', \text{pending}'', \text{cpu}', \text{busses}', \delta)\]

\[\delta' = \delta_e + \delta + \text{LocalAssignmentTime}\]

Threads

The \text{Stmt Start} rule starts a new thread for an object and updates the CPU with the new thread. The rule requires that no other thread exists for the \text{obj} in the start statement. The new thread will be created with the set to the initial field of the its class.

\text{Stmt Start}

\[\forall \text{thread} \in \text{rng} \text{cpu}.\text{threads} : \text{thread.\text{context}} \neq \text{obj}\]

body = \text{classes(cpu.\text{objects(obj)}.\text{class}).}\text{initial}\]

body \in (\text{Duration} | \text{PartialDuration})^*\]

cpu' = \text{createThread(cpu, obj, body)}\]

\[\tau, \text{classes, cpus, c, t, o} \vdash (\text{rest}, \text{pending}, \text{cpu', busses}) \xrightarrow{\text{stmt}} (\text{rest}'', \text{pending}'', \text{cpu'}, \text{busses}', \delta)\]

\[\delta' = \delta + \text{StartTime}\]

Object Context Switch

The two object context rules are used to control under what object the execution takes place. The \text{ObjectContext} record contains the \text{oid} that should be used to execute the \text{body} and the \text{cetz} contains the call context that should be used to check any post-conditions.
The **Stmt ObjectContext Step** rule executes a part of the body of the object context and creates a new object context with the remainder of the body.

\[
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{body}], \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}', \text{pending}', \text{cpu}', \text{busses}', \delta)
\]

\[
\text{rest}' \neq [] \land \text{hd rest}' \notin \text{Return}
\]

\[
\text{rest}'' = [\text{mk-ObjectContext}(\text{oid}, \text{mk-SimpleBlock} (\text{rest}'), \text{ctx}x)] \llrest \text{rest}
\]

The **Stmt ObjectContext Complete** rule completes the execution of the body until it is empty or contains a fully evaluated return statement. Then it uses the call context to check the post condition of the call.

\[
\tau, \text{classes}, \text{cpus}, c, t, o \vdash ([\text{mk-ObjectContext}(\text{oid}, \text{body}, \text{ctx}x)] \llrest \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}'', \text{pending}'', \text{cpu}'', \text{busses}'', \delta')
\]

### Bindings

**Type-Bind**

\[
\text{len } p = 1
\]

\[
x \in t
\]

\[
\sigma' = \text{match}(p(1), x)
\]

\[
\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{mk-TypeBind}(p, t), \text{pending}, \text{cpu}) \xrightarrow{\text{bind}} (p, \sigma')
\]

**Multi-Type-Bind**

\[
\sigma' = \text{merge} \{ \text{match}(p, x) \mid p \in \text{ps} \bullet x \in t \}
\]

\[
\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{mk-TypeBind}(\text{ps}, t), \text{pending}, \text{cpu}) \xrightarrow{\text{bind}} (\text{ps}, \sigma')
\]

**Set-Bind**

\[
\text{len } p = 1
\]

\[
\text{classes}, \text{cpus}, \text{pending}, o \vdash [e] = \text{valueSet}
\]

\[
x \in \text{valueSet}
\]

\[
\sigma' = \text{match}(p(1), x)
\]

\[
\tau, \text{classes}, \text{cpus}, c, t, o \vdash (\text{mk-SetBind}(p, \text{set}), \text{pending}, \text{cpu}) \xrightarrow{\text{bind}} (p, \sigma')
\]
it just adds a new synchronous call with the intended object identifier. The two remote call rules use the bus to communicate the call to the receiver instead of directly creating a CallContext but common to all is that they all evaluate the arguments for the call and lookup the operation that should be executed. The Stmt Call Op Local Sync rule then performs the execution of the operation body through a CallContext and ObjectContext. The Stmt Call Op Local Async rule instead creates a new thread with a synchronous call to the operation.

The two remote call rules use the bus to communicate the call to the receiver instead of directly creating a synchronous call with the intended object identifier. The Stmt Call Op Remote Async is the simplest rule since it just adds a new CMessage to the bus connecting the current CPU with the receiving CPU.
There are three rules that handle return statement evaluation. The \texttt{Stmt Return Eval} just evaluates the return expression in the current context and replaces the expression with its value.

\begin{verbatim}
exp \notin \textit{VDMValue} \\
classes, cpus, pending, o \vdash [\text{exp}] = (\text{returnValue}, \delta_e) \\
rest' = [\text{mk-Return}](\text{returnValue}) \xrightarrow{\text{stmt}} (\text{rest}'', \text{pending}', \text{cpu}', \text{busses}'', \delta) \\
\delta' = \delta_e + \text{ReturnTime} \\
\text{stmt, cpu, c, t, o} \vdash ([\text{mk-Return}](\text{exp})) \xrightarrow{\text{stmt}} (\text{rest}'', \text{pending}', \text{cpu}', \text{busses}'', \delta')
\end{verbatim}

The \texttt{Stmt Return Eval} rule activates if the head of the statement is a return statement. The rule then removes the subsequent statement if it is not a wait statement.
The Stmt Return Base is the base case for the recursive calls and stops the recursion when the statement being executed only contains a fully evaluated return statement.

**Stmt Return Base**

\[
\begin{align*}
\text{Stmt Return Eat} & \\
\text{rest} \not\in [\text{\}] \\
\text{hd} \text{ rest} & \not\in \text{Wait} \\
\text{rest}^\prime & = [\text{mk-Return}(v)] \sim \text{tl rest} \\
\tau, \text{classes}, \text{cpus}, \text{c}, \text{t}, \text{o} & \vdash (\text{rest}^\prime, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}^\prime, \text{pending}^\prime, \text{cpu}^\prime, \text{busses}^\prime, \delta) \\
\tau, \text{classes}, \text{cpus}, \text{c}, \text{t}, \text{o} & \vdash ([\text{mk-Return}(v)] \sim \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}^\prime, \text{pending}^\prime, \text{cpu}^\prime, \text{busses}^\prime, \delta)
\end{align*}
\]

The following rules deal with the final evaluation of the return from a function. The Stmt Wait Nil rule handles the cases where an async call was made and thus no thread is waiting for a reply; in this case the return and wait statements are removed from the rest.

**Stmt Wait Nil**

\[
\begin{align*}
\tau, \text{classes}, \text{cpus}, \text{c}, \text{t}, \text{obj} & \vdash (\text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}^\prime, \text{pending}^\prime, \text{cpu}^\prime, \text{busses}^\prime, \delta) \\
\tau, \text{classes}, \text{cpus}, \text{c}, \text{t}, \text{o} & \vdash ([\text{mk-Return}(-), \text{mk-Wait}(@\text{nil})] \sim \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} \\
& (\text{rest}^\prime, \text{pending}^\prime, \text{cpu}^\prime, \text{busses}^\prime, \delta)
\end{align*}
\]

The Stmt Return Wait rule handles local calls and updates the pending map with the return value and removed the return and wait from the rest.

**Stmt Return Wait**

\[
\begin{align*}
\text{target} & \in \text{Id}_v \\
\sigma^\prime & = \text{pending}(o) \uparrow \{\text{target} \mapsto v\} \\
\text{pending}^\prime & = \text{pending} \uparrow \{o \mapsto \sigma^\prime\} \\
\tau, \text{classes}, \text{cpus}, \text{c}, \text{t}, \text{o} & \vdash (\text{rest}, \text{pending}^\prime, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} (\text{rest}^\prime, \text{pending}^\prime, \text{cpu}^\prime, \text{busses}^\prime, \delta) \\
\tau, \text{classes}, \text{cpus}, \text{c}, \text{t}, \text{o} & \vdash ([\text{mk-Return}(v), \text{mk-Wait}(@\text{target})] \sim \text{rest}, \text{pending}, \text{cpu}, \text{busses}) \xrightarrow{\text{stmt}} \\
& (\text{rest}^\prime, \text{pending}^\prime, \text{cpu}^\prime, \text{busses}^\prime, \delta)
\end{align*}
\]

The Stmt Wait Message Return handles remove sync calls where a thread on another CPU is waiting for a reply. The return value is added to a RMessage where the destination is defined by the target of the wait statement. The new message is then added to the bus and both the return and wait statement is removed from the sequence of statements.
Stmt Wait Message Return

target = (rc, rt)
rmmsg = mk-RMessage(v, target, τ)
busses(bus) = mk-Bus({rc, c} ∪ connected, speed, queue)
busses' = busses † {bus → mk-Bus({rc, c} ∪ connected, speed, queue ▷ [(rc, rmmsg)])}

A.4 Utility Functions

match: Pattern × VDMValue → Σ
match(p, v)σ' ==
Returns a new map with all variables that could be bound to the pattern

Figure A.1: Pattern matching function

FV: Pattern → Id-set
FV(p)ids' ==
Returns a set of all free variables in the pattern

Figure A.2: Returns a set of free variables from a Pattern

collapseOld: Id-set → Id-set
collapseOld(p)ids' ==
Replaces all old ids in the set with the original id

Figure A.3: Returns a set of ids consisting of all ids from the input set, old ids are resolved to the original id

Old: Ido-set → Ido-set
Old(p)ids' ==
returns the old id for a given object

Figure A.4: Returns a set of old ids for the set of Ido given

checkInvs: Fun-set × Σ → B
checkInvs(invs, σ)b' ==
∀f ∈ invs · σ ⊢ [f.body] = true

Figure A.5: Checks the set of boolean functions against the current state

convertCyclesToTime: VDMValue × CPU → Σ
convertCyclesToTime(v, c)time' == \frac{v}{c.speed}
Returns a time based on the number of cycles and the speed of the cpu

Figure A.6: Cycles conversion function
\[\text{checkCallPre} : \text{Classes} \times \text{Cpus} \times \text{Pending} \times \text{VDMValue}^* \times (\text{Id}_o \times \text{Type})^* \times \text{Id}_o \times \text{Exp} \to \mathbb{B}\]
\[\text{checkCallPre}(\text{classes}, \text{cpus}, \text{pending}, \text{args}, \text{params}, \text{obj}, \text{pre}) \text{result}' ==\]
\[\text{typeCheck}(\text{params}, \text{args})\]
\[\land \text{classes}, \text{cpus}, \text{pending}, \text{obj} \vdash [\text{pre}] = \text{true}\]

Figure A.7: Check pre-conditions for operation calls

\[\text{checkCallPost} : \text{Classes} \times \text{Cpus} \times \text{Id}_o \times \text{Pending} \times \text{Pending} \times \Sigma \times \text{VDMValue}^* \times \text{Exp} \to \mathbb{B}\]
\[\text{checkCallPost}(\text{classes}, \text{cpus}, \text{oid}, \text{prepending}, \text{pending}, \text{args}, \text{post}) \text{result}' ==\]
\[\text{let oldPending} = \{\text{old}(v) \mapsto \text{prepending}(v) \mid v \in \text{dom} \text{prepending}\}, \]
\[\text{state} = \text{pending} \uplus \text{pending} \text{ in}\]
\[\text{classes}, \text{cpus}, \text{state}, \text{obj} \vdash [\text{post}] = \text{true}\]

Figure A.8: Check post-conditions for operation calls

\[\text{typeCheck} : (\text{Id}_v \times \text{Type})^* \times \text{VDMValue}^* \to \mathbb{B}\]
\[\text{typeCheck}(\text{params}, \text{args}) \text{result}' ==\]
\[\text{len params} = \text{len args} \land \]
\[\text{false} \notin [\text{typeOf}(v) = \text{type} \mid i \in \text{inds} \text{params} \land (-, \text{type}) = \text{params}(i) \land v = \text{args}(i)]\]

Figure A.9: Type check operation call arguments

\[\text{typeOf} : \text{VDMValue} \to \text{Type}\]
\[\text{typeOf}(v) \text{type}' ==\]
\[\text{Returns the type of a VDMValue}\]

Figure A.10: Gives the type of a VDMValue

\[\text{changeThreadStatus} : \text{CPU} \times \text{Id}_o \times (\text{RUNNING} \mid \text{RUNNABLE} \mid \text{WAITING} \mid \text{PENDING} \mid \text{COMPLETED}) \to \text{CPU}\]
\[\text{changeThreadStatus}(\text{cpu}, \text{t}, \text{newStatus}) \text{cpu}' ==\]
\[\text{let mk-CPU}(\text{objects}, \text{threads}, \text{speed}) = \text{cpu}, \]
\[\text{mk-Thread}(-, \text{pending}, \text{context}, \text{body}) = \text{threads}(\text{t}), \]
\[\text{threads}' = \text{threads} \uplus \{t \mapsto \text{mk-Thread}(\text{newStatus}, \text{pending}, \text{context}, \text{body})\}\]
\[\text{in}\]
\[\text{mk-CPU}(\text{objects}, \text{threads}', \text{speed})\]

Figure A.11: Change the status of a thread

\[\text{createThread} : \text{CPU} \times \text{Id}_o \times \text{Duration}^* \to \text{CPU}\]
\[\text{createThread}(\text{cpu}, \text{oid}, \text{body}) \text{cpu}' ==\]
\[\text{let } t \in \text{Thread}\]
\[t \notin \text{dom} \text{cpu.threads}\]
\[\text{thread} = \text{mk-Thread}([\text{RUNNABLE}, \{\}], \text{oid}, \text{body}, \text{nil})\]
\[\text{threads} = \text{cpu.threads} \uplus \{t \mapsto \text{thread}\}\]
\[\text{in}\]
\[\text{mk-CPU}(\text{cpu.objects}, \text{threads}, \text{cpu.speed})\]

Figure A.12: Creates a new thread
\[\text{insertReturn}: \text{Stm}^* \times \text{Return} \rightarrow [\text{Stm}]\]
\[\text{insertReturn}([\text{stms}], \text{return})\]
\[\text{stms}' = \begin{cases} \text{mk-Wait}(\text{target}) \rightarrow [\text{return}, \text{mk-Wait}(\text{target})] \pmb{\bigcirc} \text{tl rest} \\
\text{mk-ObjectContext}(\text{id}_o, \text{body}) \rightarrow \begin{cases} \text{let } b = \text{insertReturn}(\text{body}, \text{return}) \\
\text{r} = [\text{mk-ObjectContext}(\text{id}_o, b)] \text{ in} \\
\text{r} \pmb{\bigcirc} \text{tl rest} \\
\text{mk-PartialLetDef}(\sigma, [\ ], \text{stm}) \rightarrow \begin{cases} \text{let } sb = \text{mk-SimpleBlock}(\text{insertReturn}([\text{stm}], \text{return})) \text{ in} \\
[mk-\text{PartialLetDef}(\sigma, [\ ], sb)] \pmb{\bigcirc} \text{tl rest} \end{cases} \end{cases} \]
\end{cases}

Figure A.13: Inserts a return next to a inner Wait statement

\[\text{sumMapRange}: \text{VDMValue} \rightarrow \text{Number} \rightarrow \text{Number}\]
\[\text{sumMapRange}(\text{map}) =\]
\[\begin{cases} \text{if } \text{map} = \{\} \\
\text{then } 0 \\
\text{else let } key \in \text{dom} \text{ map } \text{ in } \text{map(key)} + \text{sumMapRange}([key] \pmb{\bigcirc} \text{map}) \end{cases} \]

Figure A.14: Sums the range of a map structure

\[\text{sum}: \text{Number}^* \rightarrow \text{Number}\]
\[\text{sum}(\text{seq}) =\]
\[\begin{cases} \text{if } \text{seq} = [\] \\
\text{then } 0 \\
\text{else hd seq + sum(tl seq)} \end{cases} \]

Figure A.15: Sums a sequence of numbers

\[\text{set2seq}: \text{VDMValue-set} \rightarrow \text{VDMValue}^*\]
\[\text{set2seq}(\text{set}) =\]
\[\begin{cases} \text{if } \text{set} = \{\} \\
\text{then } [\] \\
\text{else let } item \in \text{set } \text{ in } [item] \pmb{\bigcirc} \text{set2seq(set - {item})} \end{cases} \]

Figure A.16: Sums the range of a map structure
# Index of Rules and Definitions

<table>
<thead>
<tr>
<th>Term</th>
<th>Page(s)</th>
</tr>
</thead>
<tbody>
<tr>
<td>(\Sigma)</td>
<td>20, 38</td>
</tr>
<tr>
<td>Assignment</td>
<td>41</td>
</tr>
<tr>
<td>AsyncCall</td>
<td>41</td>
</tr>
<tr>
<td>Atomic</td>
<td>41</td>
</tr>
<tr>
<td>Big Step</td>
<td>21, 23, 28, 29, 31, 45, 47, 48</td>
</tr>
<tr>
<td>Bind</td>
<td>40</td>
</tr>
<tr>
<td>BOOL</td>
<td>43</td>
</tr>
<tr>
<td>Bus</td>
<td>19, 39</td>
</tr>
<tr>
<td>Bus Base</td>
<td>46</td>
</tr>
<tr>
<td>Bus Call</td>
<td>28, 46</td>
</tr>
<tr>
<td>Bus Return</td>
<td>46</td>
</tr>
<tr>
<td>Busses</td>
<td>19, 38</td>
</tr>
<tr>
<td>Busses Base</td>
<td>45, 46</td>
</tr>
<tr>
<td>Call</td>
<td>24, 41</td>
</tr>
<tr>
<td>CallContext</td>
<td>25, 41</td>
</tr>
<tr>
<td>Cases</td>
<td>41</td>
</tr>
<tr>
<td>changeThreadStatus</td>
<td>62</td>
</tr>
<tr>
<td>checkCallPost</td>
<td>62</td>
</tr>
<tr>
<td>checkCallPre</td>
<td>62</td>
</tr>
<tr>
<td>checkInvs</td>
<td>61</td>
</tr>
<tr>
<td>Class</td>
<td>20, 39</td>
</tr>
<tr>
<td>Classes</td>
<td>19, 38</td>
</tr>
<tr>
<td>CMessage</td>
<td>28, 39</td>
</tr>
<tr>
<td>collapseOld</td>
<td>61</td>
</tr>
<tr>
<td>commitPendingValuesAndUpdateTime</td>
<td>30</td>
</tr>
<tr>
<td>COMPLETED</td>
<td>20, 30, 39, 62</td>
</tr>
<tr>
<td>convertCyclesToTime</td>
<td>61</td>
</tr>
<tr>
<td>CPU</td>
<td>19, 39</td>
</tr>
<tr>
<td>CPU Pending</td>
<td>47, 48</td>
</tr>
<tr>
<td>CPU Running</td>
<td>47</td>
</tr>
<tr>
<td>CPUs</td>
<td>19, 38</td>
</tr>
<tr>
<td>CPUs Base</td>
<td>47</td>
</tr>
<tr>
<td>CPUs Step</td>
<td>47</td>
</tr>
<tr>
<td>createPeriodicThreads</td>
<td>29</td>
</tr>
<tr>
<td>createThread</td>
<td>62</td>
</tr>
<tr>
<td>Cycles</td>
<td>41</td>
</tr>
<tr>
<td>Definition</td>
<td>42</td>
</tr>
<tr>
<td>doContextSwitches</td>
<td>31</td>
</tr>
<tr>
<td>Duration</td>
<td>20, 41</td>
</tr>
<tr>
<td>Duration Eval</td>
<td>47, 48</td>
</tr>
<tr>
<td>Duration Step PartialDuration</td>
<td>48</td>
</tr>
<tr>
<td>Duration Step to PartialDuration</td>
<td>48</td>
</tr>
<tr>
<td>Exec</td>
<td>45</td>
</tr>
<tr>
<td>EXECETIME</td>
<td>20, 21, 29, 31, 41, 48, 51, 52, 58</td>
</tr>
<tr>
<td>ForIndex</td>
<td>42</td>
</tr>
<tr>
<td>ForSeq</td>
<td>42</td>
</tr>
<tr>
<td>ForSet</td>
<td>42</td>
</tr>
<tr>
<td>Fun</td>
<td>40</td>
</tr>
<tr>
<td>FV</td>
<td>61</td>
</tr>
<tr>
<td>If</td>
<td>42</td>
</tr>
<tr>
<td>Init</td>
<td>23, 45</td>
</tr>
<tr>
<td>insertReturn</td>
<td>63</td>
</tr>
<tr>
<td>LetBe</td>
<td>42</td>
</tr>
<tr>
<td>LetDef</td>
<td>42</td>
</tr>
<tr>
<td>match</td>
<td>61</td>
</tr>
<tr>
<td>Multi-Set-Bind</td>
<td>58</td>
</tr>
<tr>
<td>Multi-Type-Bind</td>
<td>57</td>
</tr>
<tr>
<td>New</td>
<td>42</td>
</tr>
<tr>
<td>Object</td>
<td>20, 40</td>
</tr>
<tr>
<td>ObjectContext</td>
<td>25, 41</td>
</tr>
<tr>
<td>Old</td>
<td>61</td>
</tr>
<tr>
<td>Op</td>
<td>39</td>
</tr>
<tr>
<td>PartialAtomic</td>
<td>41</td>
</tr>
<tr>
<td>PartialDuration</td>
<td>21, 41</td>
</tr>
<tr>
<td>PartialLetDef</td>
<td>42</td>
</tr>
<tr>
<td>Pattern</td>
<td>40</td>
</tr>
<tr>
<td>PatternBind</td>
<td>40</td>
</tr>
<tr>
<td>Pending</td>
<td>38</td>
</tr>
<tr>
<td>PENDING</td>
<td>20, 29, 30, 39, 47, 48, 62</td>
</tr>
<tr>
<td>Periodic</td>
<td>29, 40</td>
</tr>
<tr>
<td>Return</td>
<td>24, 41</td>
</tr>
<tr>
<td>RMessage</td>
<td>28, 39</td>
</tr>
</tbody>
</table>
Kenneth Lausdahl, Joey W. Coleman and Peter Gorm Larsen, Semantics of the VDM Real-Time Dialect, 2013