|
200
|
1 |
\documentclass{article}
|
|
201
|
2 |
\usepackage{journal/pdfsetup}
|
|
200
|
3 |
|
|
|
4 |
\begin{document}
|
|
|
5 |
|
|
|
6 |
%%%%
|
|
|
7 |
% Reviewer 1.
|
|
|
8 |
\section*{Comments by Reviewer \#1}
|
|
|
9 |
|
|
|
10 |
|
|
|
11 |
\begin{itemize}
|
|
|
12 |
\item {\it 1.) I don't see the point of working with a more general
|
|
|
13 |
library of possibly infinite graphs when it is clear that no
|
|
|
14 |
(necessarily finite) evolution of the state could ever generate an
|
|
|
15 |
infinite graph.}
|
|
|
16 |
|
|
|
17 |
It seemed the most convenient approach for us and we added the following
|
|
|
18 |
comment on page 8 about justifying our choice. There was already a
|
|
|
19 |
comment about having finiteness as a property, rather than a built-in
|
|
|
20 |
assumption.
|
|
|
21 |
|
|
|
22 |
\begin{quote}
|
|
|
23 |
It seems for our purposes the most convenient representation of
|
|
|
24 |
graphs are binary relations given by sets of pairs. The pairs
|
|
|
25 |
stand for the edges in graphs. This relation-based representation
|
|
|
26 |
has the advantage that the notions \textit{waiting} and
|
|
|
27 |
\textit{holding} are already defined in terms of relations
|
|
|
28 |
amongst threads and resources. Also, we can easily re-use the
|
|
|
29 |
standard notions of transitive closure operations $\_*$ and $\_+$,
|
|
|
30 |
as well as relation composition for our graphs.
|
|
|
31 |
\end{quote}
|
|
|
32 |
|
|
|
33 |
\item {\it 2.) Later, the release function is defined using Hilbert
|
|
|
34 |
choice (Isabelle/HOL's \texttt{SOME} function) as a method for emulating
|
|
|
35 |
non-determinism. This is horrid. The highest level generation of
|
|
|
36 |
traces handles non-determinism beautifully; using choice at a
|
|
|
37 |
lower level lets you keep things functional, but hides the fact
|
|
|
38 |
that you want to model non-determinism at the lower level as
|
|
|
39 |
well. I agree that the final theorem does imply that the way in
|
|
|
40 |
which the new waiting list is chosen is irrelevant, but this
|
|
|
41 |
implication is only apparent through a close reading of that
|
|
|
42 |
definition. Better I think to lift the non-determinism and make it
|
|
|
43 |
more apparent at the top level.}
|
|
|
44 |
|
|
|
45 |
\begin{quote}
|
|
|
46 |
We generally agree with the reviewer about the use of
|
|
201
|
47 |
\texttt{SOME}, but in this instance we cannot see a way to make
|
|
|
48 |
this nondeterminism explicit without complicating the
|
|
203
|
49 |
toplevel rules about \textit{PIP} on page 12. By using
|
|
201
|
50 |
\texttt{SOME}, we can leave implicit the order of the waiting
|
|
|
51 |
queue returned by release (which corresponds to the original
|
|
|
52 |
system call from Sha et al). If we represent the non-determinism
|
|
|
53 |
explicitly, we would need to add another argument to $V$
|
|
|
54 |
specifying which thread is the next one that obtains the lock and
|
|
|
55 |
add another premise to the \textit{PIP} rule for ensuring that
|
|
|
56 |
this thread is member of the waiting queue.
|
|
200
|
57 |
\end{quote}
|
|
|
58 |
|
|
201
|
59 |
\item {\it 3.) In \S 4, there is an assumption made about the number of
|
|
200
|
60 |
threads allowed to be created. Given the form of theorem 2, this
|
|
|
61 |
seems to me to be unnecessary. It's certainly extremely weird and
|
|
|
62 |
ugly because it says that there are at most BC many thread
|
|
|
63 |
creation events in all possible future traces (of which there are
|
|
|
64 |
of course infinitely many). \ldots}
|
|
|
65 |
|
|
201
|
66 |
\begin{quote}
|
|
200
|
67 |
We think this mis-reads our theorem: Although the constrains we
|
|
|
68 |
put on thread creation prohibit the creation of higher priority
|
|
|
69 |
threads, the creation of lower priority threads may still consume
|
|
|
70 |
CPU time and prevent \textit{th} from accomplishing its task. That
|
|
|
71 |
is the purpose we put in the \textit{BC} constraint to limit the
|
|
|
72 |
overall number of thread creations. We slightly augmented the
|
|
|
73 |
sentence on page 15 by:
|
|
|
74 |
|
|
|
75 |
\begin{quote}
|
|
|
76 |
Otherwise our PIP scheduler could be ``swamped'' with
|
|
|
77 |
\textit{Create}-requests of lower priority threads.
|
|
|
78 |
\end{quote}
|
|
201
|
79 |
\end{quote}
|
|
200
|
80 |
|
|
|
81 |
\item {\it Why are variables corresponding to resources given the name
|
|
201
|
82 |
\textit{cs}? This is confusing. \textit{rsc} or \textit{r} would be
|
|
200
|
83 |
better.}
|
|
|
84 |
|
|
|
85 |
\begin{quote}
|
|
|
86 |
\textit{cs} stands for ``critical section'', which is the original name
|
|
|
87 |
used by Sha et al to represent ``critical resources''.
|
|
|
88 |
\end{quote}
|
|
|
89 |
|
|
|
90 |
\item All other comments of the reviewer have been implemented.
|
|
|
91 |
|
|
|
92 |
\end{itemize}
|
|
|
93 |
|
|
|
94 |
%%%%
|
|
|
95 |
% Reviever 2.
|
|
|
96 |
\section*{Comments by Reviewer \#2}
|
|
|
97 |
|
|
|
98 |
\begin{itemize}
|
|
203
|
99 |
\item {\it Well-founded comment:} We updated the paragraph where
|
|
201
|
100 |
\textit{acyclic} and \textit{well-founded} are used for the first
|
|
|
101 |
time.
|
|
200
|
102 |
|
|
|
103 |
\begin{quote}
|
|
203
|
104 |
Note that forests can have trees with infinite depth and containing
|
|
200
|
105 |
nodes with infinitely many children. A \emph{finite forest} is a
|
|
|
106 |
forest whose underlying relation is well-founded and every node
|
|
|
107 |
has finitely many children (is only finitely branching).
|
|
201
|
108 |
|
|
|
109 |
|
|
|
110 |
We also added a footnote that we are using the standard definition of
|
|
|
111 |
well-foundedness from Isabelle.
|
|
200
|
112 |
\end{quote}
|
|
|
113 |
|
|
201
|
114 |
\item {\it Comment about graph-library:} This point was also raised by
|
|
200
|
115 |
Reviewer~\#1 and we gave a better justification on page 8 (see
|
|
|
116 |
answer to first point of Reviewer~\#1).
|
|
|
117 |
|
|
|
118 |
|
|
|
119 |
\item {\it 20.) In the case of "Set th prio:", it is not declared what
|
|
|
120 |
the cprec (e::s) th should be (presumably it is something like
|
|
|
121 |
Max((prio,|s|),prec th s) or possibly just prec th (e::s) given
|
|
|
122 |
the assumptions on Set events listed before).}
|
|
|
123 |
|
|
201
|
124 |
\begin{quote}
|
|
|
125 |
We note the concern of the reviewer about the effect of the
|
|
200
|
126 |
Set-operation on the \textit{cprec} value of a thread. According to
|
|
|
127 |
equation (6) on page 11, the \textit{cprec} of a thread is
|
|
|
128 |
determined by the precedence values in its subtree, while the Set
|
|
|
129 |
operation only changes the precedence of the `Set' thread. If the
|
|
|
130 |
reviewer thinks we should add this explanation again, then we are
|
|
|
131 |
happy to do so.
|
|
201
|
132 |
\end{quote}
|
|
200
|
133 |
|
|
|
134 |
\end{itemize}
|
|
201
|
135 |
|
|
|
136 |
\section*{Comments by Reviewer \#3}
|
|
|
137 |
|
|
|
138 |
\begin{itemize}
|
|
|
139 |
\item {\it The verification is at the model level, instead of code level:...}
|
|
|
140 |
|
|
|
141 |
\begin{quote}
|
|
|
142 |
The verification is indeed on the level of the algorithm. A
|
|
|
143 |
verification of the C-code is *well* beyond the scope of the
|
|
203
|
144 |
paper. For example, it would require a formalised semantics for C
|
|
201
|
145 |
(as for example given in the seL4-project). This and interfacing
|
|
|
146 |
with it would be a tremendous amount of work and we are not sure
|
|
203
|
147 |
whether their results would actually sufficient for the code we
|
|
201
|
148 |
wrote.
|
|
|
149 |
|
|
|
150 |
In light of this, we have made it clearer in the abstract and in a
|
|
|
151 |
footnote on the first page that our C-code is unverified. Additionally
|
|
|
152 |
we added the following sentence in Section 5 before we describe the
|
|
|
153 |
C-code:
|
|
|
154 |
|
|
|
155 |
\begin{quote}
|
|
|
156 |
While there is no formal connection between our formalisation
|
|
|
157 |
and the C-code shown below, the results of the formalisation
|
|
|
158 |
clearly shine through in the design of the code.
|
|
|
159 |
\end{quote}
|
|
|
160 |
\end{quote}
|
|
|
161 |
|
|
|
162 |
\item{\it The model cannot express the execution of instructions. As a
|
|
|
163 |
result, it is difficult to express the case that the critical
|
|
|
164 |
region does infinite loops without generating events for system
|
|
|
165 |
calls.}
|
|
|
166 |
|
|
|
167 |
\begin{quote}
|
|
|
168 |
Yes, we discuss this limitation in the first paragraph of section
|
|
|
169 |
4 and already wrote that in this aspect we do not
|
|
|
170 |
improve the limitations of the original paper by Sha et al.
|
|
|
171 |
\end{quote}
|
|
|
172 |
|
|
|
173 |
\item{\it The authors should have provided URL of their mechanized
|
|
|
174 |
proofs for the review process.}
|
|
|
175 |
|
|
|
176 |
\begin{quote}
|
|
203
|
177 |
As is custom, we have given a link to the sources.
|
|
201
|
178 |
It is mentioned in the last
|
|
|
179 |
sentence of the conclusion.
|
|
|
180 |
|
|
|
181 |
The code of our formalisation can be downloaded from the Mercurial
|
|
|
182 |
repository at \url{http://talisker.inf.kcl.ac.uk/cgi-bin/repos.cgi/pip}.
|
|
|
183 |
\end{quote}
|
|
|
184 |
|
|
|
185 |
\item{\it It is more like engineering work. It's unclear what general
|
|
|
186 |
principles or theories are proposed.}
|
|
|
187 |
|
|
203
|
188 |
\begin{quote}
|
|
201
|
189 |
The general point we are making is that a `proof-by-hand' is
|
|
|
190 |
generally worthless in this area for ensuring the correctness of
|
|
|
191 |
an algorithm. We underline this point by listing the references
|
|
|
192 |
[13, 14, 15, 20, 24, 25], which all repeat the error from the
|
|
|
193 |
original paper.
|
|
|
194 |
|
|
|
195 |
More specifically we extend the claims of Sha at al and give
|
|
|
196 |
a machine-checked formalisation of our claims (the first such
|
|
|
197 |
formalisation for PIP). We also wrote about our experiences:
|
|
|
198 |
|
|
|
199 |
\begin{quote}
|
|
|
200 |
Following good experience in earlier work [27], our model of PIP
|
|
|
201 |
is based on Paulson’s inductive approach for protocol
|
|
|
202 |
verification [18].
|
|
|
203 |
\end{quote}
|
|
203
|
204 |
\end{quote}
|
|
|
205 |
|
|
|
206 |
\item{\it 1) There are some places that the authors follow the Isabelle
|
|
|
207 |
syntax, which require more explanation. For instance, in the
|
|
|
208 |
definitions of "threads" and "priority" in page 5, I had trouble
|
|
|
209 |
understanding the underscore until I realized that the 4 cases are
|
|
|
210 |
pattern matching and they have orders.}
|
|
|
211 |
|
|
|
212 |
\begin{quote}
|
|
|
213 |
We have added the sentence after the definition of \textit{threads}:
|
|
|
214 |
|
|
|
215 |
\begin{quote}
|
|
|
216 |
We use \_ to match any pattern, like in functional programming.
|
|
|
217 |
\end{quote}
|
|
|
218 |
\end{quote}
|
|
|
219 |
|
|
|
220 |
\item{\it 2) The last assumption on page 13: the assumption seems very
|
|
|
221 |
strong. If you prove Theorem 1 inductively on all s (which means
|
|
|
222 |
you have to consider s of length 1), then following the assumption
|
|
|
223 |
you essentially require that the highest priority task is the
|
|
|
224 |
first task created.}
|
|
|
225 |
|
|
|
226 |
\begin{quote}
|
|
|
227 |
We feel like this mis-reads what we are proving and how we
|
|
|
228 |
organised the statements. The thread \textit{th} is the thread
|
|
|
229 |
with the highest priority in the state \textit{s}. It can be in
|
|
|
230 |
\textit{s} at any `place'---it does not need to be the first
|
|
|
231 |
one. What we prove is what happens to \textit{th} in the state
|
|
|
232 |
\textit{$s' @ s$} which happens after \textit{s}. We only require
|
|
|
233 |
that threads created after \textit{s} need to have a lower
|
|
|
234 |
priority.
|
|
|
235 |
\end{quote}
|
|
|
236 |
|
|
|
237 |
\item{\it 3) 2nd line of the proofs of Lemma 1: th should be th' ?}
|
|
|
238 |
|
|
|
239 |
\begin{quote}
|
|
|
240 |
Yes, we corrected this error.
|
|
|
241 |
\end{quote}
|
|
|
242 |
|
|
|
243 |
\item{\it 4) Is your state (event traces) finite or infinite?}
|
|
|
244 |
|
|
|
245 |
\begin{quote}
|
|
|
246 |
Yes, they are always finite, but can be arbitrary long.
|
|
|
247 |
\end{quote}
|
|
|
248 |
|
|
|
249 |
\item{\it 5) Assumption at the bottom of page 15: I don't understand
|
|
|
250 |
why this assumption is necessary. First, is es a finite or
|
|
|
251 |
infinite trace? If es is finite, of course there's limited number
|
|
|
252 |
of Create-requests. Even if it can be infinite, I don't see how
|
|
|
253 |
the PIP scheduler could be "swamped" with create requests. You
|
|
|
254 |
already assumed that there are no threads of precedence higher
|
|
|
255 |
than th created in es. If all the newly created threads have lower
|
|
|
256 |
precedence, they have no chance to run anyway (because of the low
|
|
|
257 |
precedence). Then why should we care?}
|
|
|
258 |
|
|
|
259 |
\begin{quote}
|
|
|
260 |
Yes, \textit{es} and \textit{$es @ s$} are finite traces (finite
|
|
|
261 |
list of events), but they can be arbitrarily long.
|
|
|
262 |
|
|
|
263 |
This means that knowing that \text{es} is finite, does *not* bound
|
|
|
264 |
the number of create events.
|
|
|
265 |
|
|
|
266 |
We also understand that newly created threads have no chance to
|
|
|
267 |
run (because of the lower priority), but the process of creating
|
|
|
268 |
any processes consumes according to our model some time and
|
|
|
269 |
therefore needs to be bounded. A Create event is not assumed to be
|
|
|
270 |
`instantaneously'.
|
|
|
271 |
\end{quote}
|
|
|
272 |
|
|
|
273 |
\item {\it 6) The next assumption in page 16 does not look right to me
|
|
|
274 |
either. What if there are no actions of th' in es at all, which
|
|
|
275 |
may be caused by infinite loop inside the critical region of th'
|
|
|
276 |
(but the loop does not generate any events)? In this case, the
|
|
|
277 |
assumption is still satisfied because the length is 0, which is
|
|
|
278 |
less than BND(th').}
|
|
|
279 |
|
|
|
280 |
\begin{quote}
|
|
|
281 |
We made this point clearer (it was also requested by another reviewer).
|
|
|
282 |
We discuss this limitation in more depth in the first paragraph of section
|
|
|
283 |
4 and already wrote that in this aspect we do not
|
|
|
284 |
improve the limitations of the original paper by Sha et al.
|
|
|
285 |
\end{quote}
|
|
|
286 |
|
|
|
287 |
\item All other comments have been implemented.
|
|
201
|
288 |
|
|
200
|
289 |
\end{document} |