pip: comparison Journal/Paper.thy

equal deleted inserted replaced

-:83ba2d8c859a
+:2aa37de77f31
 imports "../Implementation"
 "../Correctness"
 "~~/src/HOL/Library/LaTeXsugar"
 begin
 declare [[show_question_marks = false]]
 notation (latex output)
 Cons ("_::_" [78,77] 73) and
 If  ("(\<^raw:\textrm{>if\<^raw:}> (_)/ \<^raw:\textrm{>then\<^raw:}> (_)/ \<^raw:\textrm{>else\<^raw:}> (_))" 10) and
 vt ("valid'_state") and
 (*>*)
 section {* Introduction *}
 text {*
-Many real-time systems need to support threads involving priorities and
-locking of resources. Locking of resources ensures mutual exclusion
+Many real-time systems need to support threads involving priorities
-when accessing shared data or devices that cannot be
+and locking of resources. Locking of resources ensures mutual
+exclusion when accessing shared data or devices that cannot be
 preempted. Priorities allow scheduling of threads that need to
 finish their work within deadlines.  Unfortunately, both features
 can interact in subtle ways leading to a problem, called
 \emph{Priority Inversion}. Suppose three threads having priorities
 $H$(igh), $M$(edium) and $L$(ow). We would expect that the thread
-$H$ blocks any other thread with lower priority and the thread itself cannot
+$H$ blocks any other thread with lower priority and the thread
-be blocked indefinitely by threads with lower priority. Alas, in a naive
+itself cannot be blocked indefinitely by threads with lower
-implementation of resource locking and priorities this property can
+priority. Alas, in a naive implementation of resource locking and
-be violated. For this let $L$ be in the
+priorities this property can be violated. For this let $L$ be in the
 possession of a lock for a resource that $H$ also needs. $H$ must
 therefore wait for $L$ to exit the critical section and release this
-lock. The problem is that $L$ might in turn be blocked by any
+lock. The problem is that $L$ might in turn be blocked by any thread
-thread with priority $M$, and so $H$ sits there potentially waiting
+with priority $M$, and so $H$ sits there potentially waiting
-indefinitely. Since $H$ is blocked by threads with lower
+indefinitely. Since $H$ is blocked by threads with lower priorities,
-priorities, the problem is called Priority Inversion. It was first
+the problem is called Priority Inversion. It was first described in
-described in \cite{Lampson80} in the context of the
+\cite{Lampson80} in the context of the Mesa programming language
-Mesa programming language designed for concurrent programming.
+designed for concurrent programming.
 If the problem of Priority Inversion is ignored, real-time systems
 can become unpredictable and resulting bugs can be hard to diagnose.
 The classic example where this happened is the software that
-controlled the Mars Pathfinder mission in 1997 \cite{Reeves98}.
+controlled the Mars Pathfinder mission in 1997 \cite{Reeves98}.  On
-On Earth the software run mostly without any problem, but
+Earth the software run mostly without any problem, but once the
-once the spacecraft landed on Mars, it shut down at irregular, but frequent,
+spacecraft landed on Mars, it shut down at irregular, but frequent,
 intervals leading to loss of project time as normal operation of the
 craft could only resume the next day (the mission and data already
 collected were fortunately not lost, because of a clever system
 design).  The reason for the shutdowns was that the scheduling
 software fell victim to Priority Inversion: a low priority thread
 locking a resource prevented a high priority thread from running in
 time, leading to a system reset. Once the problem was found, it was
 rectified by enabling the \emph{Priority Inheritance Protocol} (PIP)
 \cite{Sha90}\footnote{Sha et al.~call it the \emph{Basic Priority
 Inheritance Protocol} \cite{Sha90} and others sometimes also call it
-\emph{Priority Boosting}, \emph{Priority Donation} or \emph{Priority Lending}.}
+\emph{Priority Boosting}, \emph{Priority Donation} or \emph{Priority
-in the scheduling software.
+Lending}.}  in the scheduling software.
-The idea behind PIP is to let the thread $L$ temporarily inherit
+The idea behind PIP is to let the thread $L$ temporarily inherit the
-the high priority from $H$ until $L$ leaves the critical section
+high priority from $H$ until $L$ leaves the critical section
 unlocking the resource. This solves the problem of $H$ having to
 wait indefinitely, because $L$ cannot be blocked by threads having
 priority $M$. While a few other solutions exist for the Priority
 Inversion problem, PIP is one that is widely deployed and
 implemented. This includes VxWorks (a proprietary real-time OS used
 in the Mars Pathfinder mission, in Boeing's 787 Dreamliner, Honda's
 ASIMO robot, etc.) and ThreadX (another proprietary real-time OS
-used in nearly all HP inkjet printers \cite{ThreadX}), but also
+used in nearly all HP inkjet printers \cite{ThreadX}), but also the
-the POSIX 1003.1c Standard realised for
+POSIX 1003.1c Standard realised for example in libraries for
-example in libraries for FreeBSD, Solaris and Linux.
+FreeBSD, Solaris and Linux.
-Two advantages of PIP are that it is deterministic and that increasing the priority of a thread
+Two advantages of PIP are that it is deterministic and that
-can be performed dynamically by the scheduler.
+increasing the priority of a thread can be performed dynamically by
-This is in contrast to \emph{Priority Ceiling}
+the scheduler.  This is in contrast to \emph{Priority Ceiling}
 \cite{Sha90}, another solution to the Priority Inversion problem,
 which requires static analysis of the program in order to prevent
-Priority Inversion, and also in contrast to the approach taken in the Windows NT scheduler, which avoids
+Priority Inversion, and also in contrast to the approach taken in
-this problem by randomly boosting the priority of ready low-priority threads
+the Windows NT scheduler, which avoids this problem by randomly
-(see for instance~\cite{WINDOWSNT}).
+boosting the priority of ready low-priority threads (see for
-However, there has also been strong criticism against
+instance~\cite{WINDOWSNT}).  However, there has also been strong
-PIP. For instance, PIP cannot prevent deadlocks when lock
+criticism against PIP. For instance, PIP cannot prevent deadlocks
-dependencies are circular, and also blocking times can be
+when lock dependencies are circular, and also blocking times can be
 substantial (more than just the duration of a critical section).
 Though, most criticism against PIP centres around unreliable
 implementations and PIP being too complicated and too inefficient.
 For example, Yodaiken writes in \cite{Yodaiken02}:
 \begin{quote}
 \it{}``Priority inheritance is neither efficient nor reliable. Implementations
 are either incomplete (and unreliable) or surprisingly complex and intrusive.''
 \end{quote}
-\noindent
+\noindent He suggests avoiding PIP altogether by designing the
-He suggests avoiding PIP altogether by designing the system so that no
+system so that no priority inversion may happen in the first
-priority inversion may happen in the first place. However, such ideal designs may
+place. However, such ideal designs may not always be achievable in
-not always be achievable in practice.
+practice.
 In our opinion, there is clearly a need for investigating correct
-algorithms for PIP. A few specifications for PIP exist (in English)
+algorithms for PIP. A few specifications for PIP exist (in informal
-and also a few high-level descriptions of implementations (e.g.~in
+English) and also a few high-level descriptions of implementations
-the textbooks \cite[Section 12.3.1]{Liu00} and \cite[Section 5.6.5]{Vahalia96}),
+(e.g.~in the textbooks \cite[Section 12.3.1]{Liu00} and
-but they help little with actual implementations. That this is a problem in
+\cite[Section 5.6.5]{Vahalia96}), but they help little with actual
-practice is proved by an email by Baker, who wrote on 13 July 2009 on the Linux
+implementations. That this is a problem in practice is proved by an
-Kernel mailing list:
+email by Baker, who wrote on 13 July 2009 on the Linux Kernel
+mailing list:
 \begin{quote}
 \it{}``I observed in the kernel code (to my disgust), the Linux PIP
 implementation is a nightmare: extremely heavy weight, involving
 maintenance of a full wait-for graph, and requiring updates for a
 range of events, including priority changes and interruptions of
 wait operations.''
 \end{quote}
-\noindent
+\noindent The criticism by Yodaiken, Baker and others suggests
-The criticism by Yodaiken, Baker and others suggests another look
+another look at PIP from a more abstract level (but still concrete
-at PIP from a more abstract level (but still concrete enough
+enough to inform an implementation), and makes PIP a good candidate
-to inform an implementation), and makes PIP a good candidate for a
+for a formal verification. An additional reason is that the original
-formal verification. An additional reason is that the original
 specification of PIP~\cite{Sha90}, despite being informally
 ``proved'' correct, is actually \emph{flawed}.
 Yodaiken \cite{Yodaiken02} and also Moylan et
 al.~\cite{deinheritance} point to a subtlety that had been
-overlooked in the informal proof by Sha et al. They specify in
+overlooked in the informal proof by Sha et al. They specify PIP in
-\cite{Sha90} that after the thread (whose priority has been raised)
+\cite{Sha90} so that after the thread (whose priority has been
-completes its critical section and releases the lock, it ``{\it
+raised) completes its critical section and releases the lock, it
-returns to its original priority level}''. This leads them to
+``{\it returns to its original priority level}''. This leads them to
 believe that an implementation of PIP is ``{\it rather
 straightforward}''~\cite{Sha90}.  Unfortunately, as Yodaiken and
 Moylan et al.~point out, this behaviour is too simplistic. Moylan et
-al.~write that there are ``{\it some hidden traps}''~\cite{deinheritance}.  Consider the
+al.~write that there are ``{\it some hidden
-case where the low priority thread $L$ locks \emph{two} resources,
+traps}''~\cite{deinheritance}.  Consider the case where the low
-and two high-priority threads $H$ and $H'$ each wait for one of
+priority thread $L$ locks \emph{two} resources, and two
-them.  If $L$ releases one resource so that $H$, say, can proceed,
+high-priority threads $H$ and $H'$ each wait for one of them.  If
-then we still have Priority Inversion with $H'$ (which waits for the
+$L$ releases one resource so that $H$, say, can proceed, then we
-other resource). The correct behaviour for $L$ is to switch to the
+still have Priority Inversion with $H'$ (which waits for the other
-highest remaining priority of the threads that it blocks.
+resource). The correct behaviour for $L$ is to switch to the highest
-A similar
+remaining priority of the threads that it blocks.  A similar error
-error is made in the textbook \cite[Section 2.3.1]{book} which
+is made in the textbook \cite[Section 2.3.1]{book} which specifies
-specifies for a process that inherited a higher priority and exits a
+for a process that inherited a higher priority and exits a critical
-critical section ``{\it it resumes the priority it had at the point
+section ``{\it it resumes the priority it had at the point of entry
-of entry into the critical section}''.  This error can also be
+into the critical section}''.  This error can also be found in the
-found in the more recent textbook \cite[Page 119]{Laplante11} where the
+more recent textbook \cite[Page 119]{Laplante11} where the authors
-authors state: ``{\it when [the task] exits the critical section that caused
+state: ``{\it when [the task] exits the critical section that caused
 the block, it reverts to the priority it had when it entered that
 section}''. The textbook \cite[Page 286]{Liu00} contains a simlar
-flawed specification and even goes on to develop pseudo-code based on this
+flawed specification and even goes on to develop pseudo-code based
-flawed specification. Accordingly, the operating system primitives
+on this flawed specification. Accordingly, the operating system
-for inheritance and restoration of priorities in \cite{Liu00} depend on
+primitives for inheritance and restoration of priorities in
-maintaining a  data structure called \emph{inheritance log}. This log
+\cite{Liu00} depend on maintaining a data structure called
-is maintained for every thread and broadly specified as containing ``{\it
+\emph{inheritance log}. This log is maintained for every thread and
-[h]istorical information on how the thread inherited its current
+broadly specified as containing ``{\it [h]istorical information on
-priority}'' \cite[Page 527]{Liu00}. Unfortunately, the important
+how the thread inherited its current priority}'' \cite[Page
-information about actually
+527]{Liu00}. Unfortunately, the important information about actually
-computing the priority to be restored solely from this log is  not explained in
+computing the priority to be restored solely from this log is not
-\cite{Liu00} but left as an ``{\it excercise}'' to the reader.
+explained in \cite{Liu00} but left as an ``{\it excercise}'' to the
-Of course, a correct version of PIP does not need to maintain
+reader.  Of course, a correct version of PIP does not need to
-this (potentially expensive) data structure at all. Surprisingly
+maintain this (potentially expensive) data structure at
-also the widely read and frequently updated textbook \cite{Silberschatz13} gives
+all. Surprisingly also the widely read and frequently updated
-the wrong specification. For example on Page 254 the
+textbook \cite{Silberschatz13} gives the wrong specification. For
-authors write: ``{\it Upon releasing the lock, the [low-priority] thread
+example on Page 254 the authors write: ``{\it Upon releasing the
-will revert to its original priority.}'' The same error is also repeated
+lock, the [low-priority] thread will revert to its original
-later in this textbook.
+priority.}'' The same error is also repeated later in this textbook.
 While \cite{Laplante11,Liu00,book,Sha90,Silberschatz13} are the only formal publications we have
 found that specify the incorrect behaviour, it seems also many
 informal descriptions of PIP overlook the possibility that another

changeset 75	2aa37de77f31
parent 70	92ca2410b3d9
child 76	b6ea51cd2e88