| author | Christian Urban <christian dot urban at kcl dot ac dot uk> |
| Mon, 20 Feb 2017 15:53:22 +0000 | |
| changeset 154 | 9756a51f2223 |
| parent 145 | 188fe0c81ac7 |
| child 156 | 550ab0f68960 |
| permissions | -rw-r--r-- |
|
93
524bd3caa6b6
The overwriten original .thy files are working now. The ones in last revision aren't.
zhangx
parents:
92
diff
changeset
|
1 |
theory Correctness |
|
524bd3caa6b6
The overwriten original .thy files are working now. The ones in last revision aren't.
zhangx
parents:
92
diff
changeset
|
2 |
imports PIPBasics |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
3 |
begin |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
4 |
|
|
154
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
5 |
lemma actions_of_len_cons [iff]: |
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
6 |
"length (actions_of ts (e#t)) \<le> length ((actions_of ts t)) + 1" |
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
7 |
by (unfold actions_of_def, simp) |
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
8 |
|
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
9 |
|
| 63 | 10 |
text {*
|
11 |
The following two auxiliary lemmas are used to reason about @{term Max}.
|
|
12 |
*} |
|
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
13 |
|
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
14 |
lemma subset_Max: |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
15 |
assumes "finite A" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
16 |
and "B \<subseteq> A" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
17 |
and "c \<in> B" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
18 |
and "Max A = c" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
19 |
shows "Max B = c" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
20 |
using Max.subset assms |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
21 |
by (metis Max.coboundedI Max_eqI rev_finite_subset subset_eq) |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
22 |
|
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
23 |
|
| 63 | 24 |
lemma image_Max_eqI: |
25 |
assumes "finite B" |
|
26 |
and "b \<in> B" |
|
27 |
and "\<forall> x \<in> B. f x \<le> f b" |
|
28 |
shows "Max (f ` B) = f b" |
|
29 |
using assms |
|
30 |
using Max_eqI by blast |
|
31 |
||
32 |
lemma image_Max_subset: |
|
33 |
assumes "finite A" |
|
34 |
and "B \<subseteq> A" |
|
35 |
and "a \<in> B" |
|
36 |
and "Max (f ` A) = f a" |
|
37 |
shows "Max (f ` B) = f a" |
|
38 |
proof(rule image_Max_eqI) |
|
39 |
show "finite B" |
|
40 |
using assms(1) assms(2) finite_subset by auto |
|
41 |
next |
|
42 |
show "a \<in> B" using assms by simp |
|
43 |
next |
|
44 |
show "\<forall>x\<in>B. f x \<le> f a" |
|
45 |
by (metis Max_ge assms(1) assms(2) assms(4) |
|
46 |
finite_imageI image_eqI subsetCE) |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
47 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
48 |
|
| 63 | 49 |
text {*
|
50 |
The following locale @{text "highest_gen"} sets the basic context for our
|
|
51 |
investigation: supposing thread @{text th} holds the highest @{term cp}-value
|
|
52 |
in state @{text s}, which means the task for @{text th} is the
|
|
53 |
most urgent. We want to show that |
|
54 |
@{text th} is treated correctly by PIP, which means
|
|
55 |
@{text th} will not be blocked unreasonably by other less urgent
|
|
56 |
threads. |
|
57 |
*} |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
58 |
locale highest_gen = |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
59 |
fixes s th prio tm |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
60 |
assumes vt_s: "vt s" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
61 |
and threads_s: "th \<in> threads s" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
62 |
and highest: "preced th s = Max ((cp s)`threads s)" |
| 63 | 63 |
-- {* The internal structure of @{term th}'s precedence is exposed:*}
|
64 |
and preced_th: "preced th s = Prc prio tm" |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
65 |
|
| 63 | 66 |
-- {* @{term s} is a valid trace, so it will inherit all results derived for
|
67 |
a valid trace: *} |
|
|
122
420e03a2d9cc
all updated to Isabelle 2016
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
116
diff
changeset
|
68 |
sublocale highest_gen < vat_s?: valid_trace "s" |
| 62 | 69 |
by (unfold_locales, insert vt_s, simp) |
70 |
||
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
71 |
fun occs where |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
72 |
"occs Q [] = (if Q [] then 1 else 0::nat)" | |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
73 |
"occs Q (x#xs) = (if Q (x#xs) then (1 + occs Q xs) else occs Q xs)" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
74 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
75 |
lemma occs_le: "occs Q t + occs (\<lambda> e. \<not> Q e) t \<le> (1 + length t)" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
76 |
by (induct t, auto) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
77 |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
78 |
context highest_gen |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
79 |
begin |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
80 |
|
| 63 | 81 |
text {*
|
82 |
@{term tm} is the time when the precedence of @{term th} is set, so
|
|
83 |
@{term tm} must be a valid moment index into @{term s}.
|
|
84 |
*} |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
85 |
lemma lt_tm: "tm < length s" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
86 |
by (insert preced_tm_lt[OF threads_s preced_th], simp) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
87 |
|
| 63 | 88 |
text {*
|
89 |
Since @{term th} holds the highest precedence and @{text "cp"}
|
|
90 |
is the highest precedence of all threads in the sub-tree of |
|
91 |
@{text "th"} and @{text th} is among these threads,
|
|
92 |
its @{term cp} must equal to its precedence:
|
|
93 |
*} |
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
94 |
|
| 62 | 95 |
lemma eq_cp_s_th: "cp s th = preced th s" (is "?L = ?R") |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
96 |
proof - |
| 62 | 97 |
have "?L \<le> ?R" |
98 |
by (unfold highest, rule Max_ge, |
|
| 63 | 99 |
auto simp:threads_s finite_threads) |
| 62 | 100 |
moreover have "?R \<le> ?L" |
101 |
by (unfold vat_s.cp_rec, rule Max_ge, |
|
102 |
auto simp:the_preced_def vat_s.fsbttRAGs.finite_children) |
|
103 |
ultimately show ?thesis by auto |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
104 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
105 |
|
| 68 | 106 |
lemma highest_cp_preced: "cp s th = Max (the_preced s ` threads s)" |
107 |
using eq_cp_s_th highest max_cp_eq the_preced_def by presburger |
|
108 |
||
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
109 |
|
| 68 | 110 |
lemma highest_preced_thread: "preced th s = Max (the_preced s ` threads s)" |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
111 |
by (fold eq_cp_s_th, unfold highest_cp_preced, simp) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
112 |
|
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
113 |
lemma highest': "cp s th = Max (cp s ` threads s)" |
| 68 | 114 |
by (simp add: eq_cp_s_th highest) |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
115 |
|
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
116 |
end |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
117 |
|
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
118 |
locale extend_highest_gen = highest_gen + |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
119 |
fixes t |
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
120 |
assumes vt_t: "vt (t @ s)" |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
121 |
and create_low: "Create th' prio' \<in> set t \<Longrightarrow> prio' \<le> prio" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
122 |
and set_diff_low: "Set th' prio' \<in> set t \<Longrightarrow> th' \<noteq> th \<and> prio' \<le> prio" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
123 |
and exit_diff: "Exit th' \<in> set t \<Longrightarrow> th' \<noteq> th" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
124 |
|
|
122
420e03a2d9cc
all updated to Isabelle 2016
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
116
diff
changeset
|
125 |
sublocale extend_highest_gen < vat_t?: valid_trace "t@s" |
| 63 | 126 |
by (unfold_locales, insert vt_t, simp) |
127 |
||
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
128 |
lemma step_back_vt_app: |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
129 |
assumes vt_ts: "vt (t@s)" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
130 |
shows "vt s" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
131 |
proof - |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
132 |
from vt_ts show ?thesis |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
133 |
proof(induct t) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
134 |
case Nil |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
135 |
from Nil show ?case by auto |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
136 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
137 |
case (Cons e t) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
138 |
assume ih: " vt (t @ s) \<Longrightarrow> vt s" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
139 |
and vt_et: "vt ((e # t) @ s)" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
140 |
show ?case |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
141 |
proof(rule ih) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
142 |
show "vt (t @ s)" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
143 |
proof(rule step_back_vt) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
144 |
from vt_et show "vt (e # t @ s)" by simp |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
145 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
146 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
147 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
148 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
149 |
|
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
150 |
|
| 62 | 151 |
context extend_highest_gen |
152 |
begin |
|
153 |
||
154 |
lemma ind [consumes 0, case_names Nil Cons, induct type]: |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
155 |
assumes |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
156 |
h0: "R []" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
157 |
and h2: "\<And> e t. \<lbrakk>vt (t@s); step (t@s) e; |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
158 |
extend_highest_gen s th prio tm t; |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
159 |
extend_highest_gen s th prio tm (e#t); R t\<rbrakk> \<Longrightarrow> R (e#t)" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
160 |
shows "R t" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
161 |
proof - |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
162 |
from vt_t extend_highest_gen_axioms show ?thesis |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
163 |
proof(induct t) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
164 |
from h0 show "R []" . |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
165 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
166 |
case (Cons e t') |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
167 |
assume ih: "\<lbrakk>vt (t' @ s); extend_highest_gen s th prio tm t'\<rbrakk> \<Longrightarrow> R t'" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
168 |
and vt_e: "vt ((e # t') @ s)" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
169 |
and et: "extend_highest_gen s th prio tm (e # t')" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
170 |
from vt_e and step_back_step have stp: "step (t'@s) e" by auto |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
171 |
from vt_e and step_back_vt have vt_ts: "vt (t'@s)" by auto |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
172 |
show ?case |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
173 |
proof(rule h2 [OF vt_ts stp _ _ _ ]) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
174 |
show "R t'" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
175 |
proof(rule ih) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
176 |
from et show ext': "extend_highest_gen s th prio tm t'" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
177 |
by (unfold extend_highest_gen_def extend_highest_gen_axioms_def, auto dest:step_back_vt) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
178 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
179 |
from vt_ts show "vt (t' @ s)" . |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
180 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
181 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
182 |
from et show "extend_highest_gen s th prio tm (e # t')" . |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
183 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
184 |
from et show ext': "extend_highest_gen s th prio tm t'" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
185 |
by (unfold extend_highest_gen_def extend_highest_gen_axioms_def, auto dest:step_back_vt) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
186 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
187 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
188 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
189 |
|
| 62 | 190 |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
191 |
lemma th_kept: "th \<in> threads (t @ s) \<and> |
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
192 |
preced th (t @ s) = preced th s" (is "?Q t") |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
193 |
proof - |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
194 |
show ?thesis |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
195 |
proof(induct rule:ind) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
196 |
case Nil |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
197 |
from threads_s |
| 62 | 198 |
show ?case |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
199 |
by auto |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
200 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
201 |
case (Cons e t) |
| 62 | 202 |
interpret h_e: extend_highest_gen _ _ _ _ "(e # t)" using Cons by auto |
203 |
interpret h_t: extend_highest_gen _ _ _ _ t using Cons by auto |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
204 |
show ?case |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
205 |
proof(cases e) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
206 |
case (Create thread prio) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
207 |
show ?thesis |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
208 |
proof - |
| 62 | 209 |
from Cons and Create have "step (t@s) (Create thread prio)" by auto |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
210 |
hence "th \<noteq> thread" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
211 |
proof(cases) |
| 62 | 212 |
case thread_create |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
213 |
with Cons show ?thesis by auto |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
214 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
215 |
hence "preced th ((e # t) @ s) = preced th (t @ s)" |
| 62 | 216 |
by (unfold Create, auto simp:preced_def) |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
217 |
moreover note Cons |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
218 |
ultimately show ?thesis |
| 62 | 219 |
by (auto simp:Create) |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
220 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
221 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
222 |
case (Exit thread) |
| 62 | 223 |
from h_e.exit_diff and Exit |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
224 |
have neq_th: "thread \<noteq> th" by auto |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
225 |
with Cons |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
226 |
show ?thesis |
| 62 | 227 |
by (unfold Exit, auto simp:preced_def) |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
228 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
229 |
case (P thread cs) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
230 |
with Cons |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
231 |
show ?thesis |
| 62 | 232 |
by (auto simp:P preced_def) |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
233 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
234 |
case (V thread cs) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
235 |
with Cons |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
236 |
show ?thesis |
| 62 | 237 |
by (auto simp:V preced_def) |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
238 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
239 |
case (Set thread prio') |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
240 |
show ?thesis |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
241 |
proof - |
| 62 | 242 |
from h_e.set_diff_low and Set |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
243 |
have "th \<noteq> thread" by auto |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
244 |
hence "preced th ((e # t) @ s) = preced th (t @ s)" |
| 62 | 245 |
by (unfold Set, auto simp:preced_def) |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
246 |
moreover note Cons |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
247 |
ultimately show ?thesis |
| 62 | 248 |
by (auto simp:Set) |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
249 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
250 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
251 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
252 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
253 |
|
| 63 | 254 |
text {*
|
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
255 |
According to @{thm th_kept}, thread @{text "th"} has its liveness status
|
| 63 | 256 |
and precedence kept along the way of @{text "t"}. The following lemma
|
257 |
shows that this preserved precedence of @{text "th"} remains as the highest
|
|
258 |
along the way of @{text "t"}.
|
|
| 62 | 259 |
|
| 63 | 260 |
The proof goes by induction over @{text "t"} using the specialized
|
261 |
induction rule @{thm ind}, followed by case analysis of each possible
|
|
262 |
operations of PIP. All cases follow the same pattern rendered by the |
|
263 |
generalized introduction rule @{thm "image_Max_eqI"}.
|
|
264 |
||
| 68 | 265 |
The very essence is to show that precedences, no matter whether they |
266 |
are newly introduced or modified, are always lower than the one held |
|
267 |
by @{term "th"}, which by @{thm th_kept} is preserved along the way.
|
|
| 63 | 268 |
*} |
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
269 |
lemma max_kept: |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
270 |
shows "Max (the_preced (t @ s) ` (threads (t@s))) = preced th s" |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
271 |
proof(induct rule:ind) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
272 |
case Nil |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
273 |
from highest_preced_thread |
| 68 | 274 |
show ?case by simp |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
275 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
276 |
case (Cons e t) |
| 62 | 277 |
interpret h_e: extend_highest_gen _ _ _ _ "(e # t)" using Cons by auto |
278 |
interpret h_t: extend_highest_gen _ _ _ _ t using Cons by auto |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
279 |
show ?case |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
280 |
proof(cases e) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
281 |
case (Create thread prio') |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
282 |
show ?thesis (is "Max (?f ` ?A) = ?t") |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
283 |
proof - |
| 63 | 284 |
-- {* The following is the common pattern of each branch of the case analysis. *}
|
285 |
-- {* The major part is to show that @{text "th"} holds the highest precedence: *}
|
|
286 |
have "Max (?f ` ?A) = ?f th" |
|
287 |
proof(rule image_Max_eqI) |
|
288 |
show "finite ?A" using h_e.finite_threads by auto |
|
289 |
next |
|
290 |
show "th \<in> ?A" using h_e.th_kept by auto |
|
291 |
next |
|
292 |
show "\<forall>x\<in>?A. ?f x \<le> ?f th" |
|
293 |
proof |
|
294 |
fix x |
|
295 |
assume "x \<in> ?A" |
|
296 |
hence "x = thread \<or> x \<in> threads (t@s)" by (auto simp:Create) |
|
297 |
thus "?f x \<le> ?f th" |
|
298 |
proof |
|
299 |
assume "x = thread" |
|
300 |
thus ?thesis |
|
301 |
apply (simp add:Create the_preced_def preced_def, fold preced_def) |
|
| 68 | 302 |
using Create h_e.create_low h_t.th_kept lt_tm preced_leI2 |
303 |
preced_th by force |
|
| 63 | 304 |
next |
305 |
assume h: "x \<in> threads (t @ s)" |
|
306 |
from Cons(2)[unfolded Create] |
|
307 |
have "x \<noteq> thread" using h by (cases, auto) |
|
308 |
hence "?f x = the_preced (t@s) x" |
|
309 |
by (simp add:Create the_preced_def preced_def) |
|
310 |
hence "?f x \<le> Max (the_preced (t@s) ` threads (t@s))" |
|
311 |
by (simp add: h_t.finite_threads h) |
|
312 |
also have "... = ?f th" |
|
313 |
by (metis Cons.hyps(5) h_e.th_kept the_preced_def) |
|
314 |
finally show ?thesis . |
|
315 |
qed |
|
316 |
qed |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
317 |
qed |
| 63 | 318 |
-- {* The minor part is to show that the precedence of @{text "th"}
|
319 |
equals to preserved one, given by the foregoing lemma @{thm th_kept} *}
|
|
320 |
also have "... = ?t" using h_e.th_kept the_preced_def by auto |
|
321 |
-- {* Then it follows trivially that the precedence preserved
|
|
322 |
for @{term "th"} remains the maximum of all living threads along the way. *}
|
|
323 |
finally show ?thesis . |
|
324 |
qed |
|
| 62 | 325 |
next |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
326 |
case (Exit thread) |
| 63 | 327 |
show ?thesis (is "Max (?f ` ?A) = ?t") |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
328 |
proof - |
| 63 | 329 |
have "Max (?f ` ?A) = ?f th" |
330 |
proof(rule image_Max_eqI) |
|
331 |
show "finite ?A" using h_e.finite_threads by auto |
|
| 62 | 332 |
next |
| 63 | 333 |
show "th \<in> ?A" using h_e.th_kept by auto |
| 62 | 334 |
next |
| 63 | 335 |
show "\<forall>x\<in>?A. ?f x \<le> ?f th" |
336 |
proof |
|
337 |
fix x |
|
338 |
assume "x \<in> ?A" |
|
339 |
hence "x \<in> threads (t@s)" by (simp add: Exit) |
|
340 |
hence "?f x \<le> Max (?f ` threads (t@s))" |
|
341 |
by (simp add: h_t.finite_threads) |
|
342 |
also have "... \<le> ?f th" |
|
343 |
apply (simp add:Exit the_preced_def preced_def, fold preced_def) |
|
344 |
using Cons.hyps(5) h_t.th_kept the_preced_def by auto |
|
345 |
finally show "?f x \<le> ?f th" . |
|
346 |
qed |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
347 |
qed |
| 63 | 348 |
also have "... = ?t" using h_e.th_kept the_preced_def by auto |
349 |
finally show ?thesis . |
|
350 |
qed |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
351 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
352 |
case (P thread cs) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
353 |
with Cons |
| 62 | 354 |
show ?thesis by (auto simp:preced_def the_preced_def) |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
355 |
next |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
356 |
case (V thread cs) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
357 |
with Cons |
| 62 | 358 |
show ?thesis by (auto simp:preced_def the_preced_def) |
| 63 | 359 |
next |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
360 |
case (Set thread prio') |
| 63 | 361 |
show ?thesis (is "Max (?f ` ?A) = ?t") |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
362 |
proof - |
| 63 | 363 |
have "Max (?f ` ?A) = ?f th" |
364 |
proof(rule image_Max_eqI) |
|
365 |
show "finite ?A" using h_e.finite_threads by auto |
|
366 |
next |
|
367 |
show "th \<in> ?A" using h_e.th_kept by auto |
|
368 |
next |
|
369 |
show "\<forall>x\<in>?A. ?f x \<le> ?f th" |
|
370 |
proof |
|
371 |
fix x |
|
372 |
assume h: "x \<in> ?A" |
|
373 |
show "?f x \<le> ?f th" |
|
374 |
proof(cases "x = thread") |
|
375 |
case True |
|
376 |
moreover have "the_preced (Set thread prio' # t @ s) thread \<le> the_preced (t @ s) th" |
|
377 |
proof - |
|
378 |
have "the_preced (t @ s) th = Prc prio tm" |
|
379 |
using h_t.th_kept preced_th by (simp add:the_preced_def) |
|
380 |
moreover have "prio' \<le> prio" using Set h_e.set_diff_low by auto |
|
381 |
ultimately show ?thesis by (insert lt_tm, auto simp:the_preced_def preced_def) |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
382 |
qed |
| 63 | 383 |
ultimately show ?thesis |
384 |
by (unfold Set, simp add:the_preced_def preced_def) |
|
385 |
next |
|
386 |
case False |
|
387 |
then have "?f x = the_preced (t@s) x" |
|
388 |
by (simp add:the_preced_def preced_def Set) |
|
389 |
also have "... \<le> Max (the_preced (t@s) ` threads (t@s))" |
|
390 |
using Set h h_t.finite_threads by auto |
|
391 |
also have "... = ?f th" by (metis Cons.hyps(5) h_e.th_kept the_preced_def) |
|
392 |
finally show ?thesis . |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
393 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
394 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
395 |
qed |
| 63 | 396 |
also have "... = ?t" using h_e.th_kept the_preced_def by auto |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
397 |
finally show ?thesis . |
| 63 | 398 |
qed |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
399 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
400 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
401 |
|
| 63 | 402 |
lemma max_preced: "preced th (t@s) = Max (the_preced (t@s) ` (threads (t@s)))" |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
403 |
by (insert th_kept max_kept, auto) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
404 |
|
| 63 | 405 |
text {*
|
406 |
The reason behind the following lemma is that: |
|
407 |
Since @{term "cp"} is defined as the maximum precedence
|
|
408 |
of those threads contained in the sub-tree of node @{term "Th th"}
|
|
409 |
in @{term "RAG (t@s)"}, and all these threads are living threads, and
|
|
410 |
@{term "th"} is also among them, the maximum precedence of
|
|
411 |
them all must be the one for @{text "th"}.
|
|
412 |
*} |
|
413 |
lemma th_cp_max_preced: |
|
414 |
"cp (t@s) th = Max (the_preced (t@s) ` (threads (t@s)))" (is "?L = ?R") |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
415 |
proof - |
| 63 | 416 |
let ?f = "the_preced (t@s)" |
417 |
have "?L = ?f th" |
|
418 |
proof(unfold cp_alt_def, rule image_Max_eqI) |
|
419 |
show "finite {th'. Th th' \<in> subtree (RAG (t @ s)) (Th th)}"
|
|
420 |
proof - |
|
421 |
have "{th'. Th th' \<in> subtree (RAG (t @ s)) (Th th)} =
|
|
422 |
the_thread ` {n . n \<in> subtree (RAG (t @ s)) (Th th) \<and>
|
|
423 |
(\<exists> th'. n = Th th')}" |
|
|
107
30ed212f268a
updated Correctness, Implementation and PIPBasics so that they work with Isabelle 2014 and 2015
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
106
diff
changeset
|
424 |
by (force) |
| 63 | 425 |
moreover have "finite ..." by (simp add: vat_t.fsbtRAGs.finite_subtree) |
426 |
ultimately show ?thesis by simp |
|
427 |
qed |
|
428 |
next |
|
429 |
show "th \<in> {th'. Th th' \<in> subtree (RAG (t @ s)) (Th th)}"
|
|
430 |
by (auto simp:subtree_def) |
|
431 |
next |
|
432 |
show "\<forall>x\<in>{th'. Th th' \<in> subtree (RAG (t @ s)) (Th th)}.
|
|
433 |
the_preced (t @ s) x \<le> the_preced (t @ s) th" |
|
434 |
proof |
|
435 |
fix th' |
|
436 |
assume "th' \<in> {th'. Th th' \<in> subtree (RAG (t @ s)) (Th th)}"
|
|
437 |
hence "Th th' \<in> subtree (RAG (t @ s)) (Th th)" by auto |
|
438 |
moreover have "... \<subseteq> Field (RAG (t @ s)) \<union> {Th th}"
|
|
439 |
by (meson subtree_Field) |
|
440 |
ultimately have "Th th' \<in> ..." by auto |
|
441 |
hence "th' \<in> threads (t@s)" |
|
442 |
proof |
|
443 |
assume "Th th' \<in> {Th th}"
|
|
444 |
thus ?thesis using th_kept by auto |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
445 |
next |
| 63 | 446 |
assume "Th th' \<in> Field (RAG (t @ s))" |
447 |
thus ?thesis using vat_t.not_in_thread_isolated by blast |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
448 |
qed |
| 63 | 449 |
thus "the_preced (t @ s) th' \<le> the_preced (t @ s) th" |
450 |
by (metis Max_ge finite_imageI finite_threads image_eqI |
|
451 |
max_kept th_kept the_preced_def) |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
452 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
453 |
qed |
| 63 | 454 |
also have "... = ?R" by (simp add: max_preced the_preced_def) |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
455 |
finally show ?thesis . |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
456 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
457 |
|
| 68 | 458 |
lemma th_cp_max[simp]: "Max (cp (t@s) ` threads (t@s)) = cp (t@s) th" |
| 63 | 459 |
using max_cp_eq th_cp_max_preced the_preced_def vt_t by presburger |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
460 |
|
| 68 | 461 |
lemma [simp]: "Max (cp (t@s) ` threads (t@s)) = Max (the_preced (t@s) ` threads (t@s))" |
462 |
by (simp add: th_cp_max_preced) |
|
463 |
||
464 |
lemma [simp]: "Max (the_preced (t@s) ` threads (t@s)) = the_preced (t@s) th" |
|
465 |
using max_kept th_kept the_preced_def by auto |
|
466 |
||
467 |
lemma [simp]: "the_preced (t@s) th = preced th (t@s)" |
|
468 |
using the_preced_def by auto |
|
469 |
||
470 |
lemma [simp]: "preced th (t@s) = preced th s" |
|
471 |
by (simp add: th_kept) |
|
472 |
||
473 |
lemma [simp]: "cp s th = preced th s" |
|
474 |
by (simp add: eq_cp_s_th) |
|
475 |
||
476 |
lemma th_cp_preced [simp]: "cp (t@s) th = preced th s" |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
477 |
by (fold max_kept, unfold th_cp_max_preced, simp) |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
478 |
|
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
479 |
lemma preced_less: |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
480 |
assumes th'_in: "th' \<in> threads s" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
481 |
and neq_th': "th' \<noteq> th" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
482 |
shows "preced th' s < preced th s" |
| 63 | 483 |
using assms |
484 |
by (metis Max.coboundedI finite_imageI highest not_le order.trans |
|
485 |
preced_linorder rev_image_eqI threads_s vat_s.finite_threads |
|
486 |
vat_s.le_cp) |
|
487 |
||
| 68 | 488 |
section {* The `blocking thread` *}
|
489 |
||
490 |
text {*
|
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
491 |
The purpose of PIP is to ensure that the most |
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
492 |
urgent thread @{term th} is not blocked unreasonably.
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
493 |
Therefore, a clear picture of the blocking thread is essential |
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
494 |
to assure people that the purpose is fulfilled. |
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
495 |
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
496 |
In this section, we are going to derive a series of lemmas |
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
497 |
with finally give rise to a picture of the blocking thread. |
| 68 | 498 |
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
499 |
By `blocking thread`, we mean a thread in running state but |
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
500 |
different from thread @{term th}.
|
| 68 | 501 |
*} |
502 |
||
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
503 |
text {*
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
504 |
The following lemmas shows that the @{term cp}-value
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
505 |
of the blocking thread @{text th'} equals to the highest
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
506 |
precedence in the whole system. |
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
507 |
*} |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
508 |
lemma running_preced_inversion: |
|
140
389ef8b1959c
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
138
diff
changeset
|
509 |
assumes running': "th' \<in> running (t @ s)" |
|
389ef8b1959c
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
138
diff
changeset
|
510 |
shows "cp (t @ s) th' = preced th s" |
| 63 | 511 |
proof - |
|
141
f70344294e99
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
140
diff
changeset
|
512 |
have "th' \<in> readys (t @ s)" using assms |
|
f70344294e99
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
140
diff
changeset
|
513 |
using running_ready subsetCE by blast |
|
f70344294e99
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
140
diff
changeset
|
514 |
|
|
140
389ef8b1959c
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
138
diff
changeset
|
515 |
have "cp (t @ s) th' = Max (cp (t @ s) ` readys (t @ s))" using assms |
|
389ef8b1959c
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
138
diff
changeset
|
516 |
unfolding running_def by simp |
|
389ef8b1959c
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
138
diff
changeset
|
517 |
also have "... = Max (cp (t @ s) ` threads (t @ s))" |
|
389ef8b1959c
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
138
diff
changeset
|
518 |
using vat_t.max_cp_readys_threads . |
|
389ef8b1959c
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
138
diff
changeset
|
519 |
also have "... = cp (t @ s) th" |
|
389ef8b1959c
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
138
diff
changeset
|
520 |
using th_cp_max . |
|
389ef8b1959c
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
138
diff
changeset
|
521 |
also have "\<dots> = preced th s" |
|
389ef8b1959c
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
138
diff
changeset
|
522 |
using th_cp_preced . |
| 63 | 523 |
finally show ?thesis . |
524 |
qed |
|
525 |
||
| 68 | 526 |
text {*
|
527 |
||
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
528 |
The following lemma shows how the counters for @{term "P"} and
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
529 |
@{term "V"} operations relate to the running threads in the states
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
530 |
@{term s} and @{term "t @ s"}. The lemma shows that if a thread's
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
531 |
@{term "P"}-count equals its @{term "V"}-count (which means it no
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
532 |
longer has any resource in its possession), it cannot be a running |
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
533 |
thread. |
| 67 | 534 |
|
|
76
b6ea51cd2e88
some small changes to the paper
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
73
diff
changeset
|
535 |
The proof is by contraction with the assumption @{text "th' \<noteq> th"}.
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
536 |
The key is the use of @{thm eq_pv_dependants} to derive the
|
|
76
b6ea51cd2e88
some small changes to the paper
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
73
diff
changeset
|
537 |
emptiness of @{text th'}s @{term dependants}-set from the balance of
|
|
b6ea51cd2e88
some small changes to the paper
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
73
diff
changeset
|
538 |
its @{term P} and @{term V} counts. From this, it can be shown
|
|
b6ea51cd2e88
some small changes to the paper
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
73
diff
changeset
|
539 |
@{text th'}s @{term cp}-value equals to its own precedence.
|
| 67 | 540 |
|
|
76
b6ea51cd2e88
some small changes to the paper
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
73
diff
changeset
|
541 |
On the other hand, since @{text th'} is running, by @{thm
|
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
542 |
running_preced_inversion}, its @{term cp}-value equals to the
|
|
76
b6ea51cd2e88
some small changes to the paper
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
73
diff
changeset
|
543 |
precedence of @{term th}.
|
| 68 | 544 |
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
545 |
Combining the above two resukts we have that @{text th'} and @{term
|
|
76
b6ea51cd2e88
some small changes to the paper
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
73
diff
changeset
|
546 |
th} have the same precedence. By uniqueness of precedences, we have |
|
b6ea51cd2e88
some small changes to the paper
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
73
diff
changeset
|
547 |
@{text "th' = th"}, which is in contradiction with the assumption
|
|
b6ea51cd2e88
some small changes to the paper
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
73
diff
changeset
|
548 |
@{text "th' \<noteq> th"}.
|
|
b6ea51cd2e88
some small changes to the paper
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
73
diff
changeset
|
549 |
|
| 68 | 550 |
*} |
| 67 | 551 |
|
552 |
lemma eq_pv_blocked: (* ddd *) |
|
553 |
assumes neq_th': "th' \<noteq> th" |
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
554 |
and eq_pv: "cntP (t@s) th' = cntV (t@s) th'" |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
555 |
shows "th' \<notin> running (t@s)" |
| 67 | 556 |
proof |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
557 |
assume otherwise: "th' \<in> running (t@s)" |
| 67 | 558 |
show False |
559 |
proof - |
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
560 |
have th'_in: "th' \<in> threads (t@s)" |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
561 |
using otherwise readys_threads running_def by auto |
| 67 | 562 |
have "th' = th" |
563 |
proof(rule preced_unique) |
|
564 |
-- {* The proof goes like this:
|
|
565 |
it is first shown that the @{term preced}-value of @{term th'}
|
|
566 |
equals to that of @{term th}, then by uniqueness
|
|
567 |
of @{term preced}-values (given by lemma @{thm preced_unique}),
|
|
568 |
@{term th'} equals to @{term th}: *}
|
|
569 |
show "preced th' (t @ s) = preced th (t @ s)" (is "?L = ?R") |
|
570 |
proof - |
|
571 |
-- {* Since the counts of @{term th'} are balanced, the subtree
|
|
572 |
of it contains only itself, so, its @{term cp}-value
|
|
573 |
equals its @{term preced}-value: *}
|
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
574 |
have "?L = cp (t@s) th'" |
|
130
0f124691c191
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
127
diff
changeset
|
575 |
by (simp add: detached_cp_preced eq_pv vat_t.detached_intro) |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
576 |
-- {* Since @{term "th'"} is running, by @{thm running_preced_inversion},
|
| 68 | 577 |
its @{term cp}-value equals @{term "preced th s"},
|
578 |
which equals to @{term "?R"} by simplification: *}
|
|
| 67 | 579 |
also have "... = ?R" |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
580 |
thm running_preced_inversion |
|
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
581 |
using running_preced_inversion[OF otherwise] by simp |
| 67 | 582 |
finally show ?thesis . |
583 |
qed |
|
584 |
qed (auto simp: th'_in th_kept) |
|
| 68 | 585 |
with `th' \<noteq> th` show ?thesis by simp |
| 67 | 586 |
qed |
587 |
qed |
|
588 |
||
589 |
text {*
|
|
590 |
The following lemma is the extrapolation of @{thm eq_pv_blocked}.
|
|
591 |
It says if a thread, different from @{term th},
|
|
592 |
does not hold any resource at the very beginning, |
|
593 |
it will keep hand-emptied in the future @{term "t@s"}.
|
|
594 |
*} |
|
595 |
lemma eq_pv_persist: (* ddd *) |
|
596 |
assumes neq_th': "th' \<noteq> th" |
|
597 |
and eq_pv: "cntP s th' = cntV s th'" |
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
598 |
shows "cntP (t@s) th' = cntV (t@s) th'" |
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
599 |
proof(induction rule:ind) -- {* The proof goes by induction. *}
|
| 67 | 600 |
-- {* The nontrivial case is for the @{term Cons}: *}
|
601 |
case (Cons e t) |
|
602 |
-- {* All results derived so far hold for both @{term s} and @{term "t@s"}: *}
|
|
603 |
interpret vat_t: extend_highest_gen s th prio tm t using Cons by simp |
|
604 |
interpret vat_e: extend_highest_gen s th prio tm "(e # t)" using Cons by simp |
|
|
102
3a801bbd2687
Reorganizing PIPBasics.thy and making small changes to Implementation.thy and Correctness.thy.
zhangx
parents:
93
diff
changeset
|
605 |
interpret vat_es: valid_trace_e "t@s" e using Cons(1,2) by (unfold_locales, auto) |
| 67 | 606 |
show ?case |
607 |
proof - |
|
608 |
-- {* It can be proved that @{term cntP}-value of @{term th'} does not change
|
|
609 |
by the happening of event @{term e}: *}
|
|
610 |
have "cntP ((e#t)@s) th' = cntP (t@s) th'" |
|
611 |
proof(rule ccontr) -- {* Proof by contradiction. *}
|
|
612 |
-- {* Suppose @{term cntP}-value of @{term th'} is changed by @{term e}: *}
|
|
613 |
assume otherwise: "cntP ((e # t) @ s) th' \<noteq> cntP (t @ s) th'" |
|
| 116 | 614 |
from cntP_diff_inv[OF this[simplified]] |
615 |
obtain cs' where "e = P th' cs'" by auto |
|
616 |
from vat_es.pip_e[unfolded this] |
|
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
617 |
have "th' \<in> running (t@s)" |
| 116 | 618 |
by (cases, simp) |
| 67 | 619 |
-- {* However, an application of @{thm eq_pv_blocked} to induction hypothesis
|
620 |
shows @{term th'} can not be running at moment @{term "t@s"}: *}
|
|
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
621 |
moreover have "th' \<notin> running (t@s)" |
| 67 | 622 |
using vat_t.eq_pv_blocked[OF neq_th' Cons(5)] . |
623 |
-- {* Contradiction is finally derived: *}
|
|
624 |
ultimately show False by simp |
|
625 |
qed |
|
626 |
-- {* It can also be proved that @{term cntV}-value of @{term th'} does not change
|
|
627 |
by the happening of event @{term e}: *}
|
|
628 |
-- {* The proof follows exactly the same pattern as the case for @{term cntP}-value: *}
|
|
629 |
moreover have "cntV ((e#t)@s) th' = cntV (t@s) th'" |
|
630 |
proof(rule ccontr) -- {* Proof by contradiction. *}
|
|
631 |
assume otherwise: "cntV ((e # t) @ s) th' \<noteq> cntV (t @ s) th'" |
|
| 116 | 632 |
from cntV_diff_inv[OF this[simplified]] |
633 |
obtain cs' where "e = V th' cs'" by auto |
|
634 |
from vat_es.pip_e[unfolded this] |
|
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
635 |
have "th' \<in> running (t@s)" by (cases, auto) |
|
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
636 |
moreover have "th' \<notin> running (t@s)" |
| 67 | 637 |
using vat_t.eq_pv_blocked[OF neq_th' Cons(5)] . |
638 |
ultimately show False by simp |
|
639 |
qed |
|
640 |
-- {* Finally, it can be shown that the @{term cntP} and @{term cntV}
|
|
641 |
value for @{term th'} are still in balance, so @{term th'}
|
|
642 |
is still hand-emptied after the execution of event @{term e}: *}
|
|
643 |
ultimately show ?thesis using Cons(5) by metis |
|
644 |
qed |
|
645 |
qed (auto simp:eq_pv) |
|
646 |
||
647 |
text {*
|
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
648 |
By combining @{thm eq_pv_blocked} and @{thm eq_pv_persist},
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
649 |
it can be derived easily that @{term th'} can not be running in the future:
|
| 67 | 650 |
*} |
651 |
lemma eq_pv_blocked_persist: |
|
652 |
assumes neq_th': "th' \<noteq> th" |
|
653 |
and eq_pv: "cntP s th' = cntV s th'" |
|
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
654 |
shows "th' \<notin> running (t@s)" |
| 67 | 655 |
using assms |
656 |
by (simp add: eq_pv_blocked eq_pv_persist) |
|
657 |
||
658 |
text {*
|
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
659 |
The following lemma shows the blocking thread @{term th'}
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
660 |
must hold some resource in the very beginning. |
| 67 | 661 |
*} |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
662 |
lemma running_cntP_cntV_inv: (* ddd *) |
|
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
663 |
assumes is_running: "th' \<in> running (t@s)" |
| 67 | 664 |
and neq_th': "th' \<noteq> th" |
665 |
shows "cntP s th' > cntV s th'" |
|
666 |
using assms |
|
667 |
proof - |
|
668 |
-- {* First, it can be shown that the number of @{term P} and
|
|
669 |
@{term V} operations can not be equal for thred @{term th'} *}
|
|
670 |
have "cntP s th' \<noteq> cntV s th'" |
|
671 |
proof |
|
672 |
-- {* The proof goes by contradiction, suppose otherwise: *}
|
|
673 |
assume otherwise: "cntP s th' = cntV s th'" |
|
674 |
-- {* By applying @{thm eq_pv_blocked_persist} to this: *}
|
|
675 |
from eq_pv_blocked_persist[OF neq_th' otherwise] |
|
676 |
-- {* we have that @{term th'} can not be running at moment @{term "t@s"}: *}
|
|
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
677 |
have "th' \<notin> running (t@s)" . |
|
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
678 |
-- {* This is obvious in contradiction with assumption @{thm is_running} *}
|
|
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
679 |
thus False using is_running by simp |
| 67 | 680 |
qed |
681 |
-- {* However, the number of @{term V} is always less or equal to @{term P}: *}
|
|
682 |
moreover have "cntV s th' \<le> cntP s th'" using vat_s.cnp_cnv_cncs by auto |
|
683 |
-- {* Thesis is finally derived by combining the these two results: *}
|
|
684 |
ultimately show ?thesis by auto |
|
685 |
qed |
|
686 |
||
| 63 | 687 |
|
688 |
text {*
|
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
689 |
The following lemmas shows the blocking thread @{text th'} must be live
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
690 |
at the very beginning, i.e. the moment (or state) @{term s}.
|
| 67 | 691 |
|
692 |
The proof is a simple combination of the results above: |
|
| 63 | 693 |
*} |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
694 |
lemma running_threads_inv: |
|
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
695 |
assumes running': "th' \<in> running (t@s)" |
| 66 | 696 |
and neq_th': "th' \<noteq> th" |
| 63 | 697 |
shows "th' \<in> threads s" |
| 67 | 698 |
proof(rule ccontr) -- {* Proof by contradiction: *}
|
699 |
assume otherwise: "th' \<notin> threads s" |
|
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
700 |
have "th' \<notin> running (t @ s)" |
| 67 | 701 |
proof - |
702 |
from vat_s.cnp_cnv_eq[OF otherwise] |
|
703 |
have "cntP s th' = cntV s th'" . |
|
704 |
from eq_pv_blocked_persist[OF neq_th' this] |
|
705 |
show ?thesis . |
|
706 |
qed |
|
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
707 |
with running' show False by simp |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
708 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
709 |
|
| 66 | 710 |
text {*
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
711 |
The following lemma summarizes several foregoing |
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
712 |
lemmas to give an overall picture of the blocking thread @{text "th'"}:
|
| 63 | 713 |
*} |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
714 |
lemma running_inversion: (* ddd, one of the main lemmas to present *) |
|
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
715 |
assumes running': "th' \<in> running (t@s)" |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
716 |
and neq_th: "th' \<noteq> th" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
717 |
shows "th' \<in> threads s" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
718 |
and "\<not>detached s th'" |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
719 |
and "cp (t@s) th' = preced th s" |
| 66 | 720 |
proof - |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
721 |
from running_threads_inv[OF assms] |
| 66 | 722 |
show "th' \<in> threads s" . |
723 |
next |
|
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
724 |
from running_cntP_cntV_inv[OF running' neq_th] |
| 66 | 725 |
show "\<not>detached s th'" using vat_s.detached_eq by simp |
726 |
next |
|
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
727 |
from running_preced_inversion[OF running'] |
| 66 | 728 |
show "cp (t@s) th' = preced th s" . |
729 |
qed |
|
| 63 | 730 |
|
| 67 | 731 |
section {* The existence of `blocking thread` *}
|
732 |
||
|
145
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
733 |
lemma th_ancestor_has_max_ready: |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
734 |
assumes th'_in: "th' \<in> readys (t@s)" |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
735 |
and dp: "th' \<in> nancestors (tG (t @ s)) th" |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
736 |
shows "cp (t @ s) th' = Max (cp (t @ s) ` readys (t @ s))" (is "?L = ?R") |
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
737 |
proof - |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
738 |
-- {* First, by the alternative definition of @{term cp} (I mean @{thm cp_alt_def1}),
|
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
739 |
the @{term cp}-value of @{term th'} is the maximum of
|
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
740 |
all precedences of all thread nodes in its @{term tRAG}-subtree: *}
|
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
741 |
have "?L = Max (the_preced (t @ s) ` (subtree (tG (t @ s)) th'))" |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
742 |
by (unfold cp_alt_def2, simp) |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
743 |
also have "... = (the_preced (t @ s) th)" |
| 63 | 744 |
proof(rule image_Max_subset) |
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
745 |
show "finite (threads (t @ s))" by (simp add: vat_t.finite_threads) |
| 63 | 746 |
next |
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
747 |
show "subtree (tG (t @ s)) th' \<subseteq> threads (t @ s)" |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
748 |
using readys_def th'_in vat_t.subtree_tG_thread by auto |
| 63 | 749 |
next |
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
750 |
show "th \<in> subtree (tG (t @ s)) th'" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
751 |
using dp unfolding subtree_def nancestors_def2 by simp |
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
752 |
next |
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
753 |
show " Max (the_preced (t @ s) ` threads (t @ s)) = the_preced (t @ s) th" |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
754 |
by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
755 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
756 |
also have "... = ?R" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
757 |
using th_cp_max th_cp_preced th_kept |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
758 |
the_preced_def vat_t.max_cp_readys_threads by auto |
|
126
a88af0e4731f
minor update
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
125
diff
changeset
|
759 |
finally show "cp (t @ s) th' = Max (cp (t @ s) ` readys (t @ s))" . |
|
145
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
760 |
qed |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
761 |
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
762 |
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
763 |
text {*
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
764 |
Suppose @{term th} is not running, it is first shown that
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
765 |
there is a path in RAG leading from node @{term th} to another thread @{text "th'"}
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
766 |
in the @{term readys}-set (So @{text "th'"} is an ancestor of @{term th}}).
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
767 |
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
768 |
Now, since @{term readys}-set is non-empty, there must be
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
769 |
one in it which holds the highest @{term cp}-value, which, by definition,
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
770 |
is the @{term running}-thread. However, we are going to show more: this
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
771 |
running thread is exactly @{term "th'"}. *}
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
772 |
|
|
126
a88af0e4731f
minor update
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
125
diff
changeset
|
773 |
|
|
145
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
774 |
lemma th_blockedE: (* ddd, the other main lemma to be presented: *) |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
775 |
obtains th' where "th' \<in> nancestors (tG (t @ s)) th" |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
776 |
"th' \<in> running (t @ s)" |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
777 |
proof - |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
778 |
-- {* According to @{thm vat_t.th_chain_to_ready}, there is a
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
779 |
ready ancestor of @{term th}. *}
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
780 |
have "\<exists>th' \<in> nancestors (tG (t @ s)) th. th' \<in> readys (t @ s)" |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
781 |
using th_kept vat_t.th_chain_to_ready_tG by auto |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
782 |
then obtain th' where th'_in: "th' \<in> readys (t @ s)" |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
783 |
and dp: "th' \<in> nancestors (tG (t @ s)) th" |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
784 |
by blast |
|
126
a88af0e4731f
minor update
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
125
diff
changeset
|
785 |
|
|
145
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
786 |
-- {* We are going to first show that this @{term th'} is running. *}
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
787 |
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
788 |
from th'_in dp |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
789 |
have "cp (t @ s) th' = Max (cp (t @ s) ` readys (t @ s))" |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
790 |
by (rule th_ancestor_has_max_ready) |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
791 |
with `th' \<in> readys (t @ s)` |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
792 |
have "th' \<in> running (t @ s)" by (simp add: running_def) |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
793 |
|
| 63 | 794 |
-- {* It is easy to show @{term th'} is an ancestor of @{term th}: *}
|
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
795 |
moreover have "th' \<in> nancestors (tG (t @ s)) th" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
796 |
using dp unfolding nancestors_def2 by simp |
| 63 | 797 |
ultimately show ?thesis using that by metis |
798 |
qed |
|
799 |
||
|
126
a88af0e4731f
minor update
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
125
diff
changeset
|
800 |
lemma th_blockedE_pretty: |
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
801 |
shows "\<exists>th' \<in> nancestors (tG (t @ s)) th. th' \<in> running (t @ s)" |
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
802 |
using th_blockedE assms |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
803 |
by blast |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
804 |
|
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
805 |
|
| 63 | 806 |
text {*
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
807 |
Now it is easy to see there is always a thread to run by case analysis |
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
808 |
on whether thread @{term th} is running: if the answer is yes, the
|
|
106
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
809 |
the running thread is obviously @{term th} itself; otherwise, the running
|
|
5454387e42ce
updated files
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
104
diff
changeset
|
810 |
thread is the @{text th'} given by lemma @{thm th_blockedE}.
|
| 63 | 811 |
*} |
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
812 |
lemma live: "running (t @ s) \<noteq> {}"
|
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
813 |
using th_blockedE by auto |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
814 |
|
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
815 |
lemma blockedE: |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
816 |
assumes "th \<notin> running (t @ s)" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
817 |
obtains th' where "th' \<in> nancestors (tG (t @ s)) th" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
818 |
"th' \<in> running (t @ s)" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
819 |
"th' \<in> threads s" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
820 |
"\<not>detached s th'" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
821 |
"cp (t @ s) th' = preced th s" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
822 |
"th' \<noteq> th" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
823 |
proof - |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
824 |
obtain th' where a: "th' \<in> nancestors (tG (t @ s)) th" "th' \<in> running (t @ s)" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
825 |
using th_blockedE by blast |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
826 |
moreover |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
827 |
from a(2) have b: "th' \<in> threads s" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
828 |
using running_threads_inv assms by metis |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
829 |
moreover |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
830 |
from a(2) have "\<not>detached s th'" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
831 |
using running_inversion(2) assms by metis |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
832 |
moreover |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
833 |
from a(2) have "cp (t @ s) th' = preced th s" |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
834 |
using running_preced_inversion by blast |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
835 |
moreover |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
836 |
from a(2) have "th' \<noteq> th" using assms a(2) by blast |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
837 |
ultimately show ?thesis using that by metis |
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
838 |
qed |
|
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
839 |
|
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
840 |
|
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
841 |
lemma nblockedE: |
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
842 |
assumes "th \<notin> running (t @ s)" |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
843 |
obtains th' where "th' \<in> ancestors (tG (t @ s)) th" |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
844 |
"th' \<in> running (t @ s)" |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
845 |
"th' \<in> threads s" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
846 |
"\<not>detached s th'" |
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
847 |
"cp (t @ s) th' = preced th s" |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
848 |
"th' \<noteq> th" |
|
138
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
849 |
using blockedE unfolding nancestors_def |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
850 |
using assms nancestors3 by auto |
|
20c1d3a14143
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
137
diff
changeset
|
851 |
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
852 |
|
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
853 |
lemma detached_not_running: |
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
854 |
assumes "detached (t @ s) th'" |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
855 |
and "th' \<noteq> th" |
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
856 |
shows "th' \<notin> running (t @ s)" |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
857 |
proof |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
858 |
assume otherwise: "th' \<in> running (t @ s)" |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
859 |
have "cp (t@s) th' = cp (t@s) th" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
860 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
861 |
have "cp (t@s) th' = Max (cp (t@s) ` readys (t@s))" using otherwise |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
862 |
by (simp add:running_def) |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
863 |
moreover have "cp (t@s) th = ..." by (simp add: vat_t.max_cp_readys_threads) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
864 |
ultimately show ?thesis by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
865 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
866 |
moreover have "cp (t@s) th' = preced th' (t@s)" using assms(1) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
867 |
by (simp add: detached_cp_preced) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
868 |
moreover have "cp (t@s) th = preced th (t@s)" by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
869 |
ultimately have "preced th' (t@s) = preced th (t@s)" by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
870 |
from preced_unique[OF this] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
871 |
have "th' \<in> threads (t @ s) \<Longrightarrow> th \<in> threads (t @ s) \<Longrightarrow> th' = th" . |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
872 |
moreover have "th' \<in> threads (t@s)" |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
873 |
using otherwise by (unfold running_def readys_def, auto) |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
874 |
moreover have "th \<in> threads (t@s)" by (simp add: th_kept) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
875 |
ultimately have "th' = th" by metis |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
876 |
with assms(2) show False by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
877 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
878 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
879 |
section {* The correctness theorem of PIP *}
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
880 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
881 |
text {*
|
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
882 |
|
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
883 |
In this section, we identify two more conditions in addition to the ones |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
884 |
already specified in the current locale, based on which the correctness |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
885 |
of PIP is formally proved. |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
886 |
|
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
887 |
Note that Priority Inversion refers to the phenomenon where the thread |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
888 |
with highest priority is blocked by one with lower priority because the |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
889 |
resource it is requesting is currently held by the later. The objective of |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
890 |
PIP is to avoid {\em Indefinite Priority Inversion}, i.e. the number of
|
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
891 |
occurrences of {\em Priority Inversion} becomes indefinitely large.
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
892 |
|
|
137
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
893 |
For PIP to be correct, a finite upper bound needs to be found for the |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
894 |
occurrence number, and the existence. This section makes explicit two more |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
895 |
conditions so that the existence of such a upper bound can be proved to |
|
785c0f6b8184
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
136
diff
changeset
|
896 |
exist. *} |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
897 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
898 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
899 |
The following set @{text "blockers"} characterizes the set of threads which
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
900 |
might block @{term th} in @{term t}:
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
901 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
902 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
903 |
definition "blockers = {th'. \<not>detached s th' \<and> th' \<noteq> th}"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
904 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
905 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
906 |
The following lemma shows that the definition of @{term "blockers"} is correct,
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
907 |
i.e. blockers do block @{term "th"}. It is a very simple corollary of @{thm blockedE}.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
908 |
*} |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
909 |
lemma runningE: |
|
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
910 |
assumes "th' \<in> running (t@s)" |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
911 |
obtains (is_th) "th' = th" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
912 |
| (is_other) "th' \<in> blockers" |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
913 |
using assms blockers_def running_inversion(2) by auto |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
914 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
915 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
916 |
The following lemma shows that the number of blockers are finite. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
917 |
The reason is simple, because blockers are subset of thread set, which |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
918 |
has been shown finite. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
919 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
920 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
921 |
lemma finite_blockers: "finite blockers" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
922 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
923 |
have "finite {th'. \<not>detached s th'}"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
924 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
925 |
have "finite {th'. Th th' \<in> Field (RAG s)}"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
926 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
927 |
have "{th'. Th th' \<in> Field (RAG s)} \<subseteq> threads s"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
928 |
proof |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
929 |
fix x |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
930 |
assume "x \<in> {th'. Th th' \<in> Field (RAG s)}"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
931 |
thus "x \<in> threads s" using vat_s.RAG_threads by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
932 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
933 |
moreover have "finite ..." by (simp add: vat_s.finite_threads) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
934 |
ultimately show ?thesis using rev_finite_subset by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
935 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
936 |
thus ?thesis by (unfold detached_test, auto) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
937 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
938 |
thus ?thesis unfolding blockers_def by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
939 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
940 |
|
|
145
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
941 |
text {* The following lemma shows that a blocker does not die as long as the
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
942 |
highest thread @{term th} is live.
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
943 |
|
|
145
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
944 |
The reason for this is that, before a thread can execute an @{term Exit}
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
945 |
operation, it must give up all its resource. However, the high priority |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
946 |
inherited by a blocker thread also goes with the resources it once held, |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
947 |
and the consequence is the lost of right to run, the other precondition |
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
948 |
for it to execute its own @{term Exit} operation. For this reason, a
|
|
188fe0c81ac7
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
142
diff
changeset
|
949 |
blocker may never exit before the exit of the highest thread @{term th}.
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
950 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
951 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
952 |
lemma blockers_kept: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
953 |
assumes "th' \<in> blockers" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
954 |
shows "th' \<in> threads (t@s)" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
955 |
proof(induct rule:ind) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
956 |
case Nil |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
957 |
from assms[unfolded blockers_def detached_test] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
958 |
have "Th th' \<in> Field (RAG s)" by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
959 |
from vat_s.RAG_threads[OF this] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
960 |
show ?case by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
961 |
next |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
962 |
case h: (Cons e t) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
963 |
interpret et: extend_highest_gen s th prio tm t |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
964 |
using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
965 |
show ?case |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
966 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
967 |
{ assume otherwise: "th' \<notin> threads ((e # t) @ s)"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
968 |
from threads_Exit[OF h(5)] this have eq_e: "e = Exit th'" by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
969 |
from h(2)[unfolded this] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
970 |
have False |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
971 |
proof(cases) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
972 |
case h: (thread_exit) |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
973 |
hence "th' \<in> readys (t@s)" by (auto simp:running_def) |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
974 |
from readys_holdents_detached[OF this h(2)] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
975 |
have "detached (t @ s) th'" . |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
976 |
from et.detached_not_running[OF this] assms[unfolded blockers_def] |
|
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
977 |
have "th' \<notin> running (t @ s)" by auto |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
978 |
with h(1) show ?thesis by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
979 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
980 |
} thus ?thesis by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
981 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
982 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
983 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
984 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
985 |
The following lemma shows that a blocker may never execute its @{term Create}-operation
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
986 |
during the period of @{term t}. The reason is that for a thread to be created
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
987 |
(or executing its @{term Create} operation), it must be non-existing (or dead).
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
988 |
However, since lemma @{thm blockers_kept} shows that blockers are always living,
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
989 |
it can not be created. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
990 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
991 |
A thread is created only when there is some external reason, there is need for it to run. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
992 |
The precondition for this is that it has already died (or get out of existence). |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
993 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
994 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
995 |
lemma blockers_no_create: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
996 |
assumes "th' \<in> blockers" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
997 |
and "e \<in> set t" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
998 |
and "actor e = th'" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
999 |
shows "\<not> isCreate e" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1000 |
using assms(2,3) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1001 |
proof(induct rule:ind) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1002 |
case h: (Cons e' t) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1003 |
interpret et: extend_highest_gen s th prio tm t |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1004 |
using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1005 |
{ assume eq_e: "e = e'"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1006 |
from et.blockers_kept assms |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1007 |
have "th' \<in> threads (t @ s)" by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1008 |
with h(2,7) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1009 |
have ?case |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1010 |
by (unfold eq_e, cases, auto simp:blockers_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1011 |
} with h |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1012 |
show ?case by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1013 |
qed auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1014 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1015 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1016 |
The following lemma shows that, same as blockers, |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1017 |
the highest thread @{term th} also can not execute its @{term Create}-operation.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1018 |
And the reason is similar: since @{thm th_kept} says that thread @{term th} is kept live
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1019 |
during @{term t}, it can not (or need not) be created another time.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1020 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1021 |
lemma th_no_create: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1022 |
assumes "e \<in> set t" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1023 |
and "actor e = th" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1024 |
shows "\<not> isCreate e" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1025 |
using assms |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1026 |
proof(induct rule:ind) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1027 |
case h:(Cons e' t) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1028 |
interpret et: extend_highest_gen s th prio tm t |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1029 |
using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1030 |
{ assume eq_e: "e = e'"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1031 |
from et.th_kept have "th \<in> threads (t @ s)" by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1032 |
with h(2,7) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1033 |
have ?case by (unfold eq_e, cases, auto) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1034 |
} with h |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1035 |
show ?case by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1036 |
qed auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1037 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1038 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1039 |
The following is a preliminary lemma in order to show that the number of |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1040 |
actions (or operations) taken by the highest thread @{term th} is
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1041 |
less or equal to the number of occurrences when @{term th} is in running
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1042 |
state. What is proved in this lemma is essentially a strengthening, which |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1043 |
says the inequality holds even if the occurrence at the very beginning is |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1044 |
ignored. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1045 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1046 |
The reason for this lemma is that for every operation to be executed, its actor must |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1047 |
be in running state. Therefore, there is one occurrence of running state |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1048 |
behind every action. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1049 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1050 |
However, this property does not hold in general, because, for |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1051 |
the execution of @{term Create}-operation, the actor does not have to be in running state.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1052 |
Actually, the actor must be in dead state, in order to be created. For @{term th}, this
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1053 |
property holds because, according to lemma @{thm th_no_create}, @{term th} can not execute
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1054 |
any @{term Create}-operation during the period of @{term t}.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1055 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1056 |
lemma actions_th_occs_pre: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1057 |
assumes "t = e'#t'" |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1058 |
shows "length (actions_of {th} t) \<le> occs (\<lambda> t'. th \<in> running (t'@s)) t'"
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1059 |
using assms |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1060 |
proof(induct arbitrary: e' t' rule:ind) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1061 |
case h: (Cons e t e' t') |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1062 |
interpret vt: valid_trace "(t@s)" using h(1) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1063 |
by (unfold_locales, simp) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1064 |
interpret ve: extend_highest_gen s th prio tm t using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1065 |
interpret ve': extend_highest_gen s th prio tm "e#t" using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1066 |
show ?case (is "?L \<le> ?R") |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1067 |
proof(cases t) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1068 |
case Nil |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1069 |
show ?thesis |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1070 |
proof(cases "actor e = th") |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1071 |
case True |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1072 |
from ve'.th_no_create[OF _ this] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1073 |
have "\<not> isCreate e" by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1074 |
from PIP_actorE[OF h(2) True this] Nil |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1075 |
have "th \<in> running s" by simp |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1076 |
hence "?R = 1" using Nil h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1077 |
moreover have "?L = 1" using True Nil by (simp add:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1078 |
ultimately show ?thesis by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1079 |
next |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1080 |
case False |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1081 |
with Nil |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1082 |
show ?thesis by (auto simp:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1083 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1084 |
next |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1085 |
case h1: (Cons e1 t1) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1086 |
hence eq_t': "t' = e1#t1" using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1087 |
from h(5)[OF h1] |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1088 |
have le: "length (actions_of {th} t) \<le> occs (\<lambda>t'. th \<in> running (t' @ s)) t1"
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1089 |
(is "?F t \<le> ?G t1") . |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1090 |
show ?thesis |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1091 |
proof(cases "actor e = th") |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1092 |
case True |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1093 |
from ve'.th_no_create[OF _ this] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1094 |
have "\<not> isCreate e" by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1095 |
from PIP_actorE[OF h(2) True this] |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1096 |
have "th \<in> running (t@s)" by simp |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1097 |
hence "?R = 1 + ?G t1" by (unfold h1 eq_t', simp) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1098 |
moreover have "?L = 1 + ?F t" using True by (simp add:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1099 |
ultimately show ?thesis using le by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1100 |
next |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1101 |
case False |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1102 |
with le |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1103 |
show ?thesis by (unfold h1 eq_t', simp add:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1104 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1105 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1106 |
qed auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1107 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1108 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1109 |
The following lemma is a simple corollary of @{thm actions_th_occs_pre}. It is the
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1110 |
lemma really needed in later proofs. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1111 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1112 |
lemma actions_th_occs: |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1113 |
shows "length (actions_of {th} t) \<le> occs (\<lambda> t'. th \<in> running (t'@s)) t"
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1114 |
proof(cases t) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1115 |
case (Cons e' t') |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1116 |
from actions_th_occs_pre[OF this] |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1117 |
have "length (actions_of {th} t) \<le> occs (\<lambda>t'. th \<in> running (t' @ s)) t'" .
|
|
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1118 |
moreover have "... \<le> occs (\<lambda>t'. th \<in> running (t' @ s)) t" |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1119 |
by (unfold Cons, auto) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1120 |
ultimately show ?thesis by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1121 |
qed (auto simp:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1122 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1123 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1124 |
The following lemma splits all the operations in @{term t} into three
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1125 |
disjoint sets, namely the operations of @{term th}, the operations of
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1126 |
blockers and @{term Create}-operations. These sets are mutually disjoint
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1127 |
because: @{term "{th}"} and @{term blockers} are disjoint by definition,
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1128 |
and neither @{term th} nor any blocker can execute @{term Create}-operation
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1129 |
(according to lemma @{thm th_no_create} and @{thm blockers_no_create}).
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1130 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1131 |
One important caveat noted by this lemma is that: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1132 |
Although according to assumption @{thm create_low}, each thread created in
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1133 |
@{term t} has precedence lower than @{term th}, therefore, will get no
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1134 |
change to run after creation, therefore, can not acquire any resource |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1135 |
to become a blocker, the @{term Create}-operations of such
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1136 |
lower threads may still consume overall execution time of duration @{term t}, therefore,
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1137 |
may compete for execution time with the most urgent thread @{term th}.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1138 |
For PIP to be correct, the number of such competing operations needs to be |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1139 |
bounded somehow. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1140 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1141 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1142 |
lemma actions_split: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1143 |
"length t = length (actions_of {th} t) +
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1144 |
length (actions_of blockers t) + |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1145 |
length (filter (isCreate) t)" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1146 |
proof(induct rule:ind) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1147 |
case h: (Cons e t) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1148 |
interpret ve : extend_highest_gen s th prio tm t using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1149 |
interpret ve': extend_highest_gen s th prio tm "e#t" using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1150 |
show ?case (is "?L (e#t) = ?T (e#t) + ?O (e#t) + ?C (e#t)") |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1151 |
proof(cases "actor e \<in> running (t@s)") |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1152 |
case True |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1153 |
thus ?thesis |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1154 |
proof(rule ve.runningE) |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1155 |
assume 1: "actor e = th" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1156 |
have "?T (e#t) = 1 + ?T (t)" using 1 by (simp add:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1157 |
moreover have "?O (e#t) = ?O t" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1158 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1159 |
have "actor e \<notin> blockers" using 1 |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1160 |
by (simp add:actions_of_def blockers_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1161 |
thus ?thesis by (simp add:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1162 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1163 |
moreover have "?C (e#t) = ?C t" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1164 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1165 |
from ve'.th_no_create[OF _ 1] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1166 |
have "\<not> isCreate e" by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1167 |
thus ?thesis by (simp add:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1168 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1169 |
ultimately show ?thesis using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1170 |
next |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1171 |
assume 2: "actor e \<in> ve'.blockers" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1172 |
have "?T (e#t) = ?T (t)" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1173 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1174 |
from 2 have "actor e \<noteq> th" by (auto simp:blockers_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1175 |
thus ?thesis by (auto simp:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1176 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1177 |
moreover have "?O (e#t) = 1 + ?O(t)" using 2 |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1178 |
by (auto simp:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1179 |
moreover have "?C (e#t) = ?C(t)" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1180 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1181 |
from ve'.blockers_no_create[OF 2, of e] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1182 |
have "\<not> isCreate e" by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1183 |
thus ?thesis by (simp add:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1184 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1185 |
ultimately show ?thesis using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1186 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1187 |
next |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1188 |
case False |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1189 |
from h(2) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1190 |
have is_create: "isCreate e" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1191 |
by (cases; insert False, auto) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1192 |
have "?T (e#t) = ?T t" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1193 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1194 |
have "actor e \<noteq> th" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1195 |
proof |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1196 |
assume "actor e = th" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1197 |
from ve'.th_no_create[OF _ this] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1198 |
have "\<not> isCreate e" by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1199 |
with is_create show False by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1200 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1201 |
thus ?thesis by (auto simp:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1202 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1203 |
moreover have "?O (e#t) = ?O t" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1204 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1205 |
have "actor e \<notin> blockers" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1206 |
proof |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1207 |
assume "actor e \<in> blockers" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1208 |
from ve'.blockers_no_create[OF this, of e] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1209 |
have "\<not> isCreate e" by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1210 |
with is_create show False by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1211 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1212 |
thus ?thesis by (simp add:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1213 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1214 |
moreover have "?C (e#t) = 1 + ?C t" using is_create |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1215 |
by (auto simp:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1216 |
ultimately show ?thesis using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1217 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1218 |
qed (auto simp:actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1219 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1220 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1221 |
By combining several of forging lemmas, this lemma gives a upper bound |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1222 |
of the occurrence number when the most urgent thread @{term th} is blocked.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1223 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1224 |
It says, the occasions when @{term th} is blocked during period @{term t}
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1225 |
is no more than the number of @{term Create}-operations and
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1226 |
the operations taken by blockers plus one. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1227 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1228 |
Since the length of @{term t} may extend indefinitely, if @{term t} is full
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1229 |
of the above mentioned blocking operations, @{term th} may have not chance to run.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1230 |
And, since @{term t} can extend indefinitely, @{term th} my be blocked indefinitely
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1231 |
with the growth of @{term t}. Therefore, this lemma alone does not ensure
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1232 |
the correctness of PIP. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1233 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1234 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1235 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1236 |
theorem bound_priority_inversion: |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1237 |
"occs (\<lambda> t'. th \<notin> running (t'@s)) t \<le> |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1238 |
1 + (length (actions_of blockers t) + length (filter (isCreate) t))" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1239 |
(is "?L \<le> ?R") |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1240 |
proof - |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1241 |
let ?Q = "(\<lambda> t'. th \<in> running (t'@s))" |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1242 |
from occs_le[of ?Q t] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1243 |
have "?L \<le> (1 + length t) - occs ?Q t" by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1244 |
also have "... \<le> ?R" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1245 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1246 |
have "length t - (length (actions_of blockers t) + length (filter (isCreate) t)) |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1247 |
\<le> occs (\<lambda> t'. th \<in> running (t'@s)) t" (is "?L1 \<le> ?R1") |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1248 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1249 |
have "?L1 = length (actions_of {th} t)" using actions_split by arith
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1250 |
also have "... \<le> ?R1" using actions_th_occs by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1251 |
finally show ?thesis . |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1252 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1253 |
thus ?thesis by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1254 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1255 |
finally show ?thesis . |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1256 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1257 |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
1258 |
end |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1259 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1260 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1261 |
As explained before, lemma @{text bound_priority_inversion} alone does not
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1262 |
ensure the correctness of PIP. For PIP to be correct, the number of blocking operations |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1263 |
(by {\em blocking operation}, we mean the @{term Create}-operations and
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1264 |
operations taken by blockers) has to be bounded somehow. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1265 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1266 |
And the following lemma is for this purpose. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1267 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1268 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1269 |
locale bounded_extend_highest = extend_highest_gen + |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1270 |
-- {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1271 |
To bound operations of blockers, the locale specifies that each blocker |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1272 |
releases all resources and becomes detached after a certain number |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1273 |
of operations. In the assumption, this number is given by the |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1274 |
existential variable @{text span}. Notice that this number is fixed for each
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1275 |
blocker regardless of any particular instance of @{term t} in which it operates.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1276 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1277 |
This assumption is reasonable, because it is a common sense that |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1278 |
the total number of operations take by any standalone thread (or process) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1279 |
is only determined by its own input, and should not be affected by |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1280 |
the particular environment in which it operates. In this particular case, |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1281 |
we regard the @{term t} as the environment of thread @{term th}.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1282 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1283 |
assumes finite_span: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1284 |
"th' \<in> blockers \<Longrightarrow> |
|
154
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1285 |
(\<exists> span. \<forall> t'. extend_highest_gen s th prio tm t' \<longrightarrow> |
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1286 |
\<not> detached (t'@s) th' \<longrightarrow> length (actions_of {th'} t') < span)"
|
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1287 |
|
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1288 |
-- {*
|
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1289 |
The difference between this @{text finite_span} and the former one is to allow the number
|
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1290 |
of action steps to change with execution paths (i.e. different value of @{term "t'@s"}}).
|
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1291 |
The @{term span} is a upper bound on these step numbers.
|
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1292 |
*} |
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1293 |
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1294 |
fixes BC |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1295 |
-- {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1296 |
The following assumption requires the number of @{term Create}-operations is
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1297 |
less or equal to @{term BC} regardless of any particular extension of @{term t}.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1298 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1299 |
Although this assumption might seem doubtful at first sight, it is necessary |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1300 |
to ensure the occasions when @{term th} is blocked to be finite. Just consider
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1301 |
the extreme case when @{term Create}-operations consume all the time in duration
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1302 |
@{term "t"} and leave no space for neither @{term "th"} nor blockers to operate.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1303 |
An investigate of the precondition for @{term Create}-operation in the definition
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1304 |
of @{term PIP} may reveal that such extreme cases are well possible, because it
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1305 |
is only required the thread to be created be a fresh (or dead one), and there |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1306 |
are infinitely many such threads. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1307 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1308 |
However, if we relax the correctness criterion of PIP, allowing @{term th} to be
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1309 |
blocked indefinitely while still attaining a certain portion of @{term t} to complete
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1310 |
its task, then this bound @{term BC} can be lifted to function depending on @{term t}
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1311 |
where @{text "BC t"} is of a certain proportion of @{term "length t"}.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1312 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1313 |
assumes finite_create: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1314 |
"\<forall> t'. extend_highest_gen s th prio tm t' \<longrightarrow> length (filter isCreate t') \<le> BC" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1315 |
begin |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1316 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1317 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1318 |
The following lemmas show that the number of @{term Create}-operations is bound by @{term BC}:
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1319 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1320 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1321 |
lemma create_bc: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1322 |
shows "length (filter isCreate t) \<le> BC" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1323 |
by (meson extend_highest_gen_axioms finite_create) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1324 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1325 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1326 |
The following @{term span}-function gives the upper bound of
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1327 |
operations take by each particular blocker. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1328 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1329 |
definition "span th' = (SOME span. |
|
154
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1330 |
\<forall> t'. extend_highest_gen s th prio tm t' \<longrightarrow> |
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1331 |
\<not> detached (t'@s) th' \<longrightarrow> length (actions_of {th'} t') < span)"
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1332 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1333 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1334 |
The following lemmas shows the correctness of @{term span}, i.e.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1335 |
the number of operations of taken by @{term th'} is given by
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1336 |
@{term "span th"}.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1337 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1338 |
The reason for this lemma is that since @{term th'} gives up all resources
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1339 |
after @{term "span th'"} operations and becomes detached,
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1340 |
its inherited high priority is lost, with which the right to run goes as well. |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1341 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1342 |
lemma le_span: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1343 |
assumes "th' \<in> blockers" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1344 |
shows "length (actions_of {th'} t) \<le> span th'"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1345 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1346 |
from finite_span[OF assms(1)] obtain span' |
|
154
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1347 |
where span': "\<forall> t'. extend_highest_gen s th prio tm t' \<longrightarrow> |
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1348 |
\<not> detached (t'@s) th' \<longrightarrow> length (actions_of {th'} t') < span'" (is "?P span'")
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1349 |
by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1350 |
have "length (actions_of {th'} t) \<le> (SOME span. ?P span)"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1351 |
proof(rule someI2[where a = span']) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1352 |
fix span |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1353 |
assume fs: "?P span" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1354 |
show "length (actions_of {th'} t) \<le> span"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1355 |
proof(induct rule:ind) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1356 |
case h: (Cons e t) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1357 |
interpret ve': extend_highest_gen s th prio tm "e#t" using h by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1358 |
show ?case |
|
154
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1359 |
proof(cases "detached (t@s) th'") |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1360 |
case True |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1361 |
have "actor e \<noteq> th'" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1362 |
proof |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1363 |
assume otherwise: "actor e = th'" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1364 |
from ve'.blockers_no_create [OF assms _ this] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1365 |
have "\<not> isCreate e" by auto |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1366 |
from PIP_actorE[OF h(2) otherwise this] |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1367 |
have "th' \<in> running (t @ s)" . |
|
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1368 |
moreover have "th' \<notin> running (t @ s)" |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1369 |
proof - |
|
154
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1370 |
from extend_highest_gen.detached_not_running[OF h(3) True] assms |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1371 |
show ?thesis by (auto simp:blockers_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1372 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1373 |
ultimately show False by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1374 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1375 |
with h show ?thesis by (auto simp:actions_of_def) |
|
154
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1376 |
next |
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1377 |
case False |
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1378 |
from fs[rule_format, OF h(3) this] and actions_of_len_cons |
|
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1379 |
show ?thesis by (meson discrete order.trans) |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1380 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1381 |
qed (simp add: actions_of_def) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1382 |
next |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1383 |
from span' |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1384 |
show "?P span'" . |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1385 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1386 |
thus ?thesis by (unfold span_def, auto) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1387 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1388 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1389 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1390 |
The following lemma is a corollary of @{thm le_span}, which says
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1391 |
the total operations of blockers is bounded by the |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1392 |
sum of @{term span}-values of all blockers.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1393 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1394 |
lemma len_action_blockers: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1395 |
"length (actions_of blockers t) \<le> (\<Sum> th' \<in> blockers . span th')" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1396 |
(is "?L \<le> ?R") |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1397 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1398 |
from len_actions_of_sigma[OF finite_blockers] |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1399 |
have "?L = (\<Sum>th'\<in>blockers. length (actions_of {th'} t))" by simp
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1400 |
also have "... \<le> ?R" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1401 |
by (rule Groups_Big.setsum_mono, insert le_span, auto) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1402 |
finally show ?thesis . |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1403 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1404 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1405 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1406 |
By combining forgoing lemmas, it is proved that the number of |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1407 |
blocked occurrences of the most urgent thread @{term th} is finitely bounded:
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1408 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1409 |
theorem priority_inversion_is_finite: |
|
127
38c6acf03f68
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
126
diff
changeset
|
1410 |
"occs (\<lambda> t'. th \<notin> running (t'@s)) t \<le> |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1411 |
1 + ((\<Sum> th' \<in> blockers . span th') + BC)" (is "?L \<le> ?R" is "_ \<le> 1 + (?A + ?B)" ) |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1412 |
proof - |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1413 |
from bound_priority_inversion |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1414 |
have "?L \<le> 1 + (length (actions_of blockers t) + length (filter isCreate t))" |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1415 |
(is "_ \<le> 1 + (?A' + ?B')") . |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1416 |
moreover have "?A' \<le> ?A" using len_action_blockers . |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1417 |
moreover have "?B' \<le> ?B" using create_bc . |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1418 |
ultimately show ?thesis by simp |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1419 |
qed |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1420 |
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1421 |
text {*
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1422 |
The following lemma says the most urgent thread @{term th} will get as many
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1423 |
as operations it wishes, provided @{term t} is long enough.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1424 |
Similar result can also be obtained under the slightly weaker assumption where |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1425 |
@{term BC} is lifted to a function and @{text "BC t"} is a portion of
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1426 |
@{term "length t"}.
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1427 |
*} |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1428 |
theorem enough_actions_for_the_highest: |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1429 |
"length t - ((\<Sum> th' \<in> blockers . span th') + BC) \<le> length (actions_of {th} t)"
|
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1430 |
using actions_split create_bc len_action_blockers by linarith |
|
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1431 |
|
|
0
110247f9d47e
added
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
1432 |
end |
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1433 |
|
|
136
fb3f52fe99d1
updated tG definition
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
130
diff
changeset
|
1434 |
|
|
154
9756a51f2223
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
145
diff
changeset
|
1435 |
|
|
136
fb3f52fe99d1
updated tG definition
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
130
diff
changeset
|
1436 |
|
|
125
95e7933968f8
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
122
diff
changeset
|
1437 |
end |