409 when a thread \emph{holds}, respectively \emph{waits} for, a |
409 when a thread \emph{holds}, respectively \emph{waits} for, a |
410 resource @{text cs} given a waiting queue function @{text wq}. |
410 resource @{text cs} given a waiting queue function @{text wq}. |
411 |
411 |
412 \begin{isabelle}\ \ \ \ \ %%% |
412 \begin{isabelle}\ \ \ \ \ %%% |
413 \begin{tabular}{@ {}l} |
413 \begin{tabular}{@ {}l} |
414 @{thm cs_holding_def[where thread="th"]}\\ |
414 @{thm cs_holding_raw[where thread="th"]}\\ |
415 @{thm cs_waiting_def[where thread="th"]} |
415 @{thm cs_waiting_raw[where thread="th"]} |
416 \end{tabular} |
416 \end{tabular} |
417 \end{isabelle} |
417 \end{isabelle} |
418 |
418 |
419 \noindent |
419 \noindent |
420 In this definition we assume @{text "set"} converts a list into a set. |
420 In this definition we assume @{text "set"} converts a list into a set. |
1051 \begin{isabelle}\ \ \ \ \ %%% |
1051 \begin{isabelle}\ \ \ \ \ %%% |
1052 \begin{tabular}{@ {}l} |
1052 \begin{tabular}{@ {}l} |
1053 HERE?? %@{text If}~@ {thm (prem 1) acyclic_RAG}~@{text "then"}:\\ |
1053 HERE?? %@{text If}~@ {thm (prem 1) acyclic_RAG}~@{text "then"}:\\ |
1054 \hspace{5mm}@{thm (concl) acyclic_RAG}, |
1054 \hspace{5mm}@{thm (concl) acyclic_RAG}, |
1055 @{thm (concl) finite_RAG} and |
1055 @{thm (concl) finite_RAG} and |
1056 @{thm (concl) wf_dep_converse},\\ |
1056 %@ {thm (concl) wf_dep_converse},\\ |
1057 %\hspace{5mm}@{text "if"}~@ {thm (prem 2) dm_RAG_threads}~@{text "then"}~@{thm (concl) dm_RAG_threads} |
1057 %\hspace{5mm}@{text "if"}~@ {thm (prem 2) dm_RAG_threads}~@{text "then"}~@{thm (concl) dm_RAG_threads} |
1058 and\\ |
1058 and\\ |
1059 %\hspace{5mm}@{text "if"}~@ {thm (prem 2) range_in}~@{text "then"}~@{thm (concl) range_in}. |
1059 %\hspace{5mm}@{text "if"}~@ {thm (prem 2) range_in}~@{text "then"}~% @ {thm (concl) range_in}. |
1060 \end{tabular} |
1060 \end{tabular} |
1061 \end{isabelle} |
1061 \end{isabelle} |
1062 |
1062 |
1063 \noindent |
1063 \noindent |
1064 The acyclicity property follows from how we restricted the events in |
1064 The acyclicity property follows from how we restricted the events in |
1133 %The following lemmas show how every node in RAG can be chased to ready threads: |
1133 %The following lemmas show how every node in RAG can be chased to ready threads: |
1134 %\begin{enumerate} |
1134 %\begin{enumerate} |
1135 %\item Every node in RAG can be chased to a ready thread (@{text "chain_building"}): |
1135 %\item Every node in RAG can be chased to a ready thread (@{text "chain_building"}): |
1136 % @ {thm [display] chain_building[rule_format]} |
1136 % @ {thm [display] chain_building[rule_format]} |
1137 %\item The ready thread chased to is unique (@{text "dchain_unique"}): |
1137 %\item The ready thread chased to is unique (@{text "dchain_unique"}): |
1138 % @ {thm [display] dchain_unique[of _ _ "th\<^sub>1" "th\<^sub>2"]} |
1138 % @ {thm [display] dchain_unique[of _ _ "th1" "th2"]} |
1139 %\end{enumerate} |
1139 %\end{enumerate} |
1140 |
1140 |
1141 %Some deeper results about the system: |
1141 %Some deeper results about the system: |
1142 %\begin{enumerate} |
1142 %\begin{enumerate} |
1143 %\item The maximum of @{term "cp"} and @{term "preced"} are equal (@{text "max_cp_eq"}): |
1143 %\item The maximum of @{term "cp"} and @{term "preced"} are equal (@{text "max_cp_eq"}): |
1303 scheduler and coding how it should react to events. Below we |
1303 scheduler and coding how it should react to events. Below we |
1304 outline how our formalisation guides this implementation for each |
1304 outline how our formalisation guides this implementation for each |
1305 kind of events.\smallskip |
1305 kind of events.\smallskip |
1306 *} |
1306 *} |
1307 |
1307 |
1308 (*<*) |
|
1309 context step_create_cps |
|
1310 begin |
|
1311 (*>*) |
|
1312 text {* |
1308 text {* |
1313 \noindent |
1309 \noindent |
1314 \colorbox{mygrey}{@{term "Create th prio"}:} We assume that the current state @{text s'} and |
1310 \colorbox{mygrey}{@{term "Create th prio"}:} We assume that the current state @{text s'} and |
1315 the next state @{term "s \<equiv> Create th prio#s'"} are both valid (meaning the event |
1311 the next state @{term "s \<equiv> Create th prio#s'"} are both valid (meaning the event |
1316 is allowed to occur). In this situation we can show that |
1312 is allowed to occur). In this situation we can show that |
1317 |
1313 |
1318 \begin{isabelle}\ \ \ \ \ %%% |
1314 \begin{isabelle}\ \ \ \ \ %%% |
1319 \begin{tabular}{@ {}l} |
1315 \begin{tabular}{@ {}l} |
1320 HERE ?? %@ {thm eq_dep},\\ |
1316 HERE ?? %@ {thm eq_dep},\\ |
1321 @{thm eq_cp_th}, and\\ |
1317 @{thm valid_trace_create.eq_cp_th}, and\\ |
1322 @{thm[mode=IfThen] eq_cp} |
1318 @{thm[mode=IfThen] valid_trace_create.eq_cp} |
1323 \end{tabular} |
1319 \end{tabular} |
1324 \end{isabelle} |
1320 \end{isabelle} |
1325 |
1321 |
1326 \noindent |
1322 \noindent |
1327 This means in an implementation we do not have to recalculate the @{text RAG} and also none of the |
1323 This means in an implementation we do not have to recalculate the @{text RAG} and also none of the |
1328 current precedences of the other threads. The current precedence of the created |
1324 current precedences of the other threads. The current precedence of the created |
1329 thread @{text th} is just its precedence, namely the pair @{term "(prio, length (s::event list))"}. |
1325 thread @{text th} is just its precedence, namely the pair @{term "(prio, length (s::event list))"}. |
1330 \smallskip |
1326 \smallskip |
1331 *} |
1327 *} |
1332 (*<*) |
1328 |
1333 end |
|
1334 context step_exit_cps |
|
1335 begin |
|
1336 (*>*) |
|
1337 text {* |
1329 text {* |
1338 \noindent |
1330 \noindent |
1339 \colorbox{mygrey}{@{term "Exit th"}:} We again assume that the current state @{text s'} and |
1331 \colorbox{mygrey}{@{term "Exit th"}:} We again assume that the current state @{text s'} and |
1340 the next state @{term "s \<equiv> Exit th#s'"} are both valid. We can show that |
1332 the next state @{term "s \<equiv> Exit th#s'"} are both valid. We can show that |
1341 |
1333 |
1342 \begin{isabelle}\ \ \ \ \ %%% |
1334 \begin{isabelle}\ \ \ \ \ %%% |
1343 \begin{tabular}{@ {}l} |
1335 \begin{tabular}{@ {}l} |
1344 HERE %@ {thm eq_dep}, and\\ |
1336 HERE %@ {thm valid_trace_create.eq_dep}, and\\ |
1345 @{thm[mode=IfThen] eq_cp} |
1337 @{thm[mode=IfThen] valid_trace_create.eq_cp} |
1346 \end{tabular} |
1338 \end{tabular} |
1347 \end{isabelle} |
1339 \end{isabelle} |
1348 |
1340 |
1349 \noindent |
1341 \noindent |
1350 This means again we do not have to recalculate the @{text RAG} and |
1342 This means again we do not have to recalculate the @{text RAG} and |
1351 also not the current precedences for the other threads. Since @{term th} is not |
1343 also not the current precedences for the other threads. Since @{term th} is not |
1352 alive anymore in state @{term "s"}, there is no need to calculate its |
1344 alive anymore in state @{term "s"}, there is no need to calculate its |
1353 current precedence. |
1345 current precedence. |
1354 \smallskip |
1346 \smallskip |
1355 *} |
1347 *} |
1356 (*<*) |
1348 |
1357 end |
|
1358 context step_set_cps |
|
1359 begin |
|
1360 (*>*) |
|
1361 text {* |
1349 text {* |
1362 \noindent |
1350 \noindent |
1363 \colorbox{mygrey}{@{term "Set th prio"}:} We assume that @{text s'} and |
1351 \colorbox{mygrey}{@{term "Set th prio"}:} We assume that @{text s'} and |
1364 @{term "s \<equiv> Set th prio#s'"} are both valid. We can show that |
1352 @{term "s \<equiv> Set th prio#s'"} are both valid. We can show that |
1365 |
1353 |
1366 \begin{isabelle}\ \ \ \ \ %%% |
1354 \begin{isabelle}\ \ \ \ \ %%% |
1367 \begin{tabular}{@ {}l} |
1355 \begin{tabular}{@ {}l} |
1368 @{thm[mode=IfThen] eq_dep}, and\\ |
1356 %@ {thm[mode=IfThen] eq_dep}, and\\ |
1369 @{thm[mode=IfThen] eq_cp_pre} |
1357 %@ {thm[mode=IfThen] valid_trace_create.eq_cp_pre} |
1370 \end{tabular} |
1358 \end{tabular} |
1371 \end{isabelle} |
1359 \end{isabelle} |
1372 |
1360 |
1373 \noindent |
1361 \noindent |
1374 The first property is again telling us we do not need to change the @{text RAG}. |
1362 The first property is again telling us we do not need to change the @{text RAG}. |
1402 %The second states that if an intermediate @{term cp}-value does not change, then |
1390 %The second states that if an intermediate @{term cp}-value does not change, then |
1403 %the procedure can also stop, because none of its dependent threads will |
1391 %the procedure can also stop, because none of its dependent threads will |
1404 %have their current precedence changed. |
1392 %have their current precedence changed. |
1405 \smallskip |
1393 \smallskip |
1406 *} |
1394 *} |
1407 (*<*) |
1395 |
1408 end |
|
1409 context step_v_cps_nt |
|
1410 begin |
|
1411 (*>*) |
|
1412 text {* |
1396 text {* |
1413 \noindent |
1397 \noindent |
1414 \colorbox{mygrey}{@{term "V th cs"}:} We assume that @{text s'} and |
1398 \colorbox{mygrey}{@{term "V th cs"}:} We assume that @{text s'} and |
1415 @{term "s \<equiv> V th cs#s'"} are both valid. We have to consider two |
1399 @{term "s \<equiv> V th cs#s'"} are both valid. We have to consider two |
1416 subcases: one where there is a thread to ``take over'' the released |
1400 subcases: one where there is a thread to ``take over'' the released |
1418 in turn. Suppose in state @{text s}, the thread @{text th'} takes over |
1402 in turn. Suppose in state @{text s}, the thread @{text th'} takes over |
1419 resource @{text cs} from thread @{text th}. We can prove |
1403 resource @{text cs} from thread @{text th}. We can prove |
1420 |
1404 |
1421 |
1405 |
1422 \begin{isabelle}\ \ \ \ \ %%% |
1406 \begin{isabelle}\ \ \ \ \ %%% |
1423 @{thm RAG_s} |
1407 %@ {thm RAG_s} |
1424 \end{isabelle} |
1408 \end{isabelle} |
1425 |
1409 |
1426 \noindent |
1410 \noindent |
1427 which shows how the @{text RAG} needs to be changed. The next lemma suggests |
1411 which shows how the @{text RAG} needs to be changed. The next lemma suggests |
1428 how the current precedences need to be recalculated. For threads that are |
1412 how the current precedences need to be recalculated. For threads that are |
1429 not @{text "th"} and @{text "th'"} nothing needs to be changed, since we |
1413 not @{text "th"} and @{text "th'"} nothing needs to be changed, since we |
1430 can show |
1414 can show |
1431 |
1415 |
1432 \begin{isabelle}\ \ \ \ \ %%% |
1416 \begin{isabelle}\ \ \ \ \ %%% |
1433 @{thm[mode=IfThen] cp_kept} |
1417 %@ {thm[mode=IfThen] cp_kept} |
1434 \end{isabelle} |
1418 \end{isabelle} |
1435 |
1419 |
1436 \noindent |
1420 \noindent |
1437 For @{text th} and @{text th'} we need to use Lemma~\ref{childrenlem} to |
1421 For @{text th} and @{text th'} we need to use Lemma~\ref{childrenlem} to |
1438 recalculate their current precedence since their children have changed. *}(*<*)end context step_v_cps_nnt begin (*>*)text {* |
1422 recalculate their current precedence since their children have changed. *} |
|
1423 |
|
1424 text {* |
1439 \noindent |
1425 \noindent |
1440 In the other case where there is no thread that takes over @{text cs}, we can show how |
1426 In the other case where there is no thread that takes over @{text cs}, we can show how |
1441 to recalculate the @{text RAG} and also show that no current precedence needs |
1427 to recalculate the @{text RAG} and also show that no current precedence needs |
1442 to be recalculated. |
1428 to be recalculated. |
1443 |
1429 |
1444 \begin{isabelle}\ \ \ \ \ %%% |
1430 \begin{isabelle}\ \ \ \ \ %%% |
1445 \begin{tabular}{@ {}l} |
1431 \begin{tabular}{@ {}l} |
1446 @{thm RAG_s}\\ |
1432 %@ {thm RAG_s}\\ |
1447 @{thm eq_cp} |
1433 %@ {thm eq_cp} |
1448 \end{tabular} |
1434 \end{tabular} |
1449 \end{isabelle} |
1435 \end{isabelle} |
1450 *} |
1436 *} |
1451 (*<*) |
1437 |
1452 end |
|
1453 context step_P_cps_e |
|
1454 begin |
|
1455 (*>*) |
|
1456 text {* |
1438 text {* |
1457 \noindent |
1439 \noindent |
1458 \colorbox{mygrey}{@{term "P th cs"}:} We assume that @{text s'} and |
1440 \colorbox{mygrey}{@{term "P th cs"}:} We assume that @{text s'} and |
1459 @{term "s \<equiv> P th cs#s'"} are both valid. We again have to analyse two subcases, namely |
1441 @{term "s \<equiv> P th cs#s'"} are both valid. We again have to analyse two subcases, namely |
1460 the one where @{text cs} is not locked, and one where it is. We treat the former case |
1442 the one where @{text cs} is not locked, and one where it is. We treat the former case |
1461 first by showing that |
1443 first by showing that |
1462 |
1444 |
1463 \begin{isabelle}\ \ \ \ \ %%% |
1445 \begin{isabelle}\ \ \ \ \ %%% |
1464 \begin{tabular}{@ {}l} |
1446 \begin{tabular}{@ {}l} |
1465 @{thm RAG_s}\\ |
1447 %@ {thm RAG_s}\\ |
1466 HERE %@ {thm eq_cp} |
1448 HERE %@ {thm eq_cp} |
1467 \end{tabular} |
1449 \end{tabular} |
1468 \end{isabelle} |
1450 \end{isabelle} |
1469 |
1451 |
1470 \noindent |
1452 \noindent |
1471 This means we need to add a holding edge to the @{text RAG} and no |
1453 This means we need to add a holding edge to the @{text RAG} and no |
1472 current precedence needs to be recalculated.*}(*<*)end context step_P_cps_ne begin(*>*) text {* |
1454 current precedence needs to be recalculated.*} |
|
1455 |
|
1456 text {* |
1473 \noindent |
1457 \noindent |
1474 In the second case we know that resource @{text cs} is locked. We can show that |
1458 In the second case we know that resource @{text cs} is locked. We can show that |
1475 |
1459 |
1476 \begin{isabelle}\ \ \ \ \ %%% |
1460 \begin{isabelle}\ \ \ \ \ %%% |
1477 \begin{tabular}{@ {}l} |
1461 \begin{tabular}{@ {}l} |
1478 @{thm RAG_s}\\ |
1462 %@ {thm RAG_s}\\ |
1479 HERE %@ {thm[mode=IfThen] eq_cp} |
1463 HERE %@ {thm[mode=IfThen] eq_cp} |
1480 \end{tabular} |
1464 \end{tabular} |
1481 \end{isabelle} |
1465 \end{isabelle} |
1482 |
1466 |
1483 \noindent |
1467 \noindent |
1503 |
1487 |
1504 \noindent |
1488 \noindent |
1505 This lemma states that if an intermediate @{term cp}-value does not change, then |
1489 This lemma states that if an intermediate @{term cp}-value does not change, then |
1506 the procedure can also stop, because none of its dependent threads will |
1490 the procedure can also stop, because none of its dependent threads will |
1507 have their current precedence changed. |
1491 have their current precedence changed. |
1508 *}(*<*)end(*>*)text {* |
1492 *} |
|
1493 |
|
1494 text {* |
1509 As can be seen, a pleasing byproduct of our formalisation is that the properties in |
1495 As can be seen, a pleasing byproduct of our formalisation is that the properties in |
1510 this section closely inform an implementation of PIP, namely whether the |
1496 this section closely inform an implementation of PIP, namely whether the |
1511 RAG needs to be reconfigured or current precedences need to |
1497 RAG needs to be reconfigured or current precedences need to |
1512 be recalculated for an event. This information is provided by the lemmas we proved. |
1498 be recalculated for an event. This information is provided by the lemmas we proved. |
1513 We confirmed that our observations translate into practice by implementing |
1499 We confirmed that our observations translate into practice by implementing |