pip: comparison Journal/Paper.thy

equal deleted inserted replaced

-:313acffe63b6
+:92f61f6a0fe7
 declare [[show_question_marks = false]]
 notation (latex output)
 Cons ("_::_" [78,77] 73) and
+If  ("(\<^raw:\textrm{>if\<^raw:}> (_)/ \<^raw:\textrm{>then\<^raw:}> (_)/ \<^raw:\textrm{>else\<^raw:}> (_))" 10) and
 vt ("valid'_state") and
 runing ("running") and
-If  ("(\<^raw:\textrm{>if\<^raw:}> (_)/ \<^raw:\textrm{>then\<^raw:}> (_)/ \<^raw:\textrm{>else\<^raw:}> (_))" 10) and
 Prc ("'(_, _')") and
 holding ("holds") and
 waiting ("waits") and
 Th ("T") and
 Cs ("C") and
 readys ("ready") and
-depend ("RAG") and
 preced ("prec") and
+preceds ("precs") and
 cpreced ("cprec") and
 cp ("cprec") and
 holdents ("resources") and
 DUMMY  ("\<^raw:\mbox{$\_\!\_$}>")
 (*>*)
 section {* Introduction *}
 text {*
 to the thread with the highest priority so that it terminates more
 quickly.  We were also being able to generalise the scheduler of Sha
 et al.~\cite{Sha90} to the practically relevant case where critical
 sections can overlap; see Figure~\ref{overlap} below for an example of
 this restriction. In the existing literature there is no
-proof and also no prove method that cover this generalised case.
+proof and also no proving method that cover this generalised case.
 \begin{figure}
 \begin{center}
 \begin{tikzpicture}[scale=1]
 %%\draw[step=2mm] (0,0) grid (10,2);
 \begin{isabelle}\ \ \ \ \ %%%
 @{thm preced_def[where thread="th"]}
 \end{isabelle}
 \noindent
+We also use the abbreviation
+\begin{isabelle}\ \ \ \ \ %%%
+@{abbrev "preceds s ths"}
+\end{isabelle}
+\noindent
+for the set of precedences of threads @{text ths} in state @{text s}.
 The point of precedences is to schedule threads not according to priorities (because what should
 we do in case two threads have the same priority), but according to precedences.
 Precedences allow us to always discriminate between two threads with equal priority by
 taking into account the time when the priority was last set. We order precedences so
 that threads with the same priority get a higher precedence if their priority has been
 \emph{holding edge} (@{term Cs} and @{term Th} are constructors of a
 datatype for vertices). Given a waiting queue function, a RAG is defined
 as the union of the sets of waiting and holding edges, namely
 \begin{isabelle}\ \ \ \ \ %%%
-@{thm cs_depend_def}
+@{thm cs_RAG_def}
 \end{isabelle}
 \begin{figure}[t]
 \begin{center}
 @{thm cpreced_def2}\hfill\numbered{cpreced}
 \end{isabelle}
 \noindent
 where the dependants of @{text th} are given by the waiting queue function.
-While the precedence @{term prec} of a thread is determined statically
+While the precedence @{term prec} of any thread is determined statically
 (for example when the thread is
 created), the point of the current precedence is to let the scheduler increase this
 precedence, if needed according to PIP. Therefore the current precedence of @{text th} is
 given as the maximum of the precedence @{text th} has in state @{text s} \emph{and} all
 threads that are dependants of @{text th}. Since the notion @{term "dependants"} is
 defined as the transitive closure of all dependent threads, we deal correctly with the
 problem in the informal algorithm by Sha et al.~\cite{Sha90} where a priority of a thread is
-lowered prematurely.
+lowered prematurely. We again introduce an abbreviation for current precedeces of
+a set of threads, written @{term "cprecs wq s ths"}.
 The next function, called @{term schs}, defines the behaviour of the scheduler. It will be defined
 by recursion on the state (a list of events); this function returns a \emph{schedule state}, which
 we represent as a record consisting of two
 functions:
 \hspace{5mm}@{text "let"} @{text "new_wq = wq(cs := release (wq cs))"} @{text "in"}\\
 \hspace{8mm}@{term "(|wq_fun = new_wq, cprec_fun = cpreced new_wq (V th cs # s)|)"}
 \end{tabular}
 \end{isabelle}
-Having the scheduler function @{term schs} at our disposal, we can ``lift'', or
+Having the scheduler function @{term schs} at our disposal, we can
-overload, the notions
+``lift'', or overload, the notions @{term waiting}, @{term holding},
-@{term waiting}, @{term holding}, @{term depend} and @{term cp} to operate on states only.
+@{term RAG}, @{term dependants} and @{term cp} to operate on states
+only.
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{@ {}rcl}
-@{thm (lhs) s_holding_abv} & @{text "\<equiv>"} & @{thm (rhs) s_holding_abv}\\
+@{thm (lhs) s_holding_abv}  & @{text "\<equiv>"} & @{thm (rhs) s_holding_abv}\\
-@{thm (lhs) s_waiting_abv} & @{text "\<equiv>"} & @{thm (rhs) s_waiting_abv}\\
+@{thm (lhs) s_waiting_abv}  & @{text "\<equiv>"} & @{thm (rhs) s_waiting_abv}\\
-@{thm (lhs) s_depend_abv}  & @{text "\<equiv>"} & @{thm (rhs) s_depend_abv}\\
+@{thm (lhs) s_RAG_abv}      & @{text "\<equiv>"} & @{thm (rhs) s_RAG_abv}\\
-@{thm (lhs) cp_def}        & @{text "\<equiv>"} & @{thm (rhs) cp_def}
+@{thm (lhs) s_dependants_abv}& @{text "\<equiv>"} & @{thm (rhs) s_dependants_abv}\\
+@{thm (lhs) cp_def}         & @{text "\<equiv>"} & @{thm (rhs) cp_def}\\
 \end{tabular}
 \end{isabelle}
 \noindent
 With these abbreviations in place we can introduce
 @{thm runing_def}
 \end{tabular}
 \end{isabelle}
 \noindent
-In the second definition @{term "DUMMY ` DUMMY"} stands for the image of a set under a function.
+%%In the second definition @{term "DUMMY ` DUMMY"} stands for the image of a set under a function.
 Note that in the initial state, that is where the list of events is empty, the set
 @{term threads} is empty and therefore there is neither a thread ready nor running.
 If there is one or more threads ready, then there can only be \emph{one} thread
 running, namely the one whose current precedence is equal to the maximum of all ready
 threads. We use sets to capture both possibilities.
 has the highest precedence of all alive threads in @{text s}. Furthermore the
 priority of @{text th} is @{text prio} (we need this in the next assumptions).
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{l}
 @{term "th \<in> threads s"}\\
-@{term "prec th s = Max (cprec s ` threads s)"}\\
+@{term "prec th s = Max (cprecs s (threads s))"}\\
 @{term "prec th s = (prio, DUMMY)"}
 \end{tabular}
 \end{isabelle}
 \end{quote}
 one resource---that means the thread was not \emph{detached} in @{text s}.
 As we shall see shortly, that means there are only finitely
 many threads that can block @{text th} in this way and then they
 need to run with the same precedence as @{text th}.
-Like in the argument by Sha et al.~our
+Like in the argument by Sha et al.~our finite bound does not
-finite bound does not guarantee absence of indefinite Priority
+guarantee absence of indefinite Priority Inversion. For this we
-Inversion. For this we further have to assume that every thread
+further have to assume that every thread gives up its resources
-gives up its resources after a finite amount of time. We found that
+after a finite amount of time. We found that this assumption is
-this assumption is awkward to formalise in our model. There are mainly
+awkward to formalise in our model. There are mainly two reasons:
-two reasons: First, we do not specify what ``running'' the code of a
+First, we do not specify what ``running'' the code of a thread
-thread means, for example by giving an operational semantics for
+means, for example by giving an operational semantics for machine
-machine instructions. Therefore we cannot characterise what are ``good''
+instructions. Therefore we cannot characterise what are ``good''
 programs that contain for every looking request also a corresponding
-unlocking request for a resource.
+unlocking request for a resource. Second, we would need to specify a
-%
+kind of global clock that tracks the time how long a thread locks a
-%(HERE)
+resource. But this seems difficult, because how do we conveninet
-%
+distinguish between a thread that ``just'' lock a resource for a
-Therefore we
+very long time and one that locks it forever.  Therefore we decided
-leave it out and let the programmer assume the responsibility to
+to leave it out this property and let the programmer assume the
-program threads in such a benign manner (in addition to causing no
+responsibility to program threads in such a benign manner (in
-circularity in the RAG). In this detail, we do not
+addition to causing no circularity in the RAG). In this detail, we
-make any progress in comparison with the work by Sha et al.
+do not make any progress in comparison with the work by Sha et al.
 However, we are able to combine their two separate bounds into a
 single theorem improving their bound.
 In what follows we will describe properties of PIP that allow us to prove
 Theorem~\ref{mainthm} and, when instructive, briefly describe our argument.
-It is relatively easy to see that
+It is relatively easy to see that:
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 @{text "running s \<subseteq> ready s \<subseteq> threads s"}\\
 @{thm[mode=IfThen]  finite_threads}
 \end{tabular}
 \end{isabelle}
 \noindent
 The second property is by induction of @{term vt}. The next three
-properties are
+properties are:
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 @{thm[mode=IfThen] waiting_unique[of _ _ "cs\<^sub>1" "cs\<^sub>2"]}\\
 @{thm[mode=IfThen] held_unique[of _ "th\<^sub>1" _ "th\<^sub>2"]}\\
 at most one running thread. We can also show the following properties
 about the @{term RAG} in @{text "s"}.
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
-@{text If}~@{thm (prem 1) acyclic_depend}~@{text "then"}:\\
+@{text If}~@{thm (prem 1) acyclic_RAG}~@{text "then"}:\\
-\hspace{5mm}@{thm (concl) acyclic_depend},
+\hspace{5mm}@{thm (concl) acyclic_RAG},
-@{thm (concl) finite_depend} and
+@{thm (concl) finite_RAG} and
 @{thm (concl) wf_dep_converse},\\
-\hspace{5mm}@{text "if"}~@{thm (prem 2) dm_depend_threads}~@{text "then"}~@{thm (concl) dm_depend_threads}
+\hspace{5mm}@{text "if"}~@{thm (prem 2) dm_RAG_threads}~@{text "then"}~@{thm (concl) dm_RAG_threads}
 and\\
 \hspace{5mm}@{text "if"}~@{thm (prem 2) range_in}~@{text "then"}~@{thm (concl) range_in}.
 \end{tabular}
 \end{isabelle}
 \end{center}
 \end{lemma}
 \noindent
 That means the current precedence of a thread @{text th} can be
-computed locally by considering only the children of @{text th}. In
+computed locally by considering only the current precedences of the children of @{text th}. In
 effect, it only needs to be recomputed for @{text th} when one of
 its children changes its current precedence.  Once the current
 precedence is computed in this more efficient manner, the selection
 of the thread with highest precedence from a set of ready threads is
 a standard scheduling operation implemented in most operating
 systems.
+\begin{proof}[of Lemma~\ref{childrenlem}]
+Test
+\end{proof}
 Of course the main work for implementing PIP involves the
 scheduler and coding how it should react to events.  Below we
 outline how our formalisation guides this implementation for each
 kind of events.\smallskip
 in turn. Suppose in state @{text s}, the thread @{text th'} takes over
 resource @{text cs} from thread @{text th}. We can prove
 \begin{isabelle}\ \ \ \ \ %%%
-@{thm depend_s}
+@{thm RAG_s}
 \end{isabelle}
 \noindent
 which shows how the @{text RAG} needs to be changed. The next lemma suggests
 how the current precedences need to be recalculated. For threads that are
 to recalculate the @{text RAG} and also show that no current precedence needs
 to be recalculated.
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
-@{thm depend_s}\\
+@{thm RAG_s}\\
 @{thm eq_cp}
 \end{tabular}
 \end{isabelle}
 *}
 (*<*)
 the one where @{text cs} is not locked, and one where it is. We treat the former case
 first by showing that
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
-@{thm depend_s}\\
+@{thm RAG_s}\\
 @{thm eq_cp}
 \end{tabular}
 \end{isabelle}
 \noindent
 \noindent
 In the second case we know that resource @{text cs} is locked. We can show that
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
-@{thm depend_s}\\
+@{thm RAG_s}\\
 @{thm[mode=IfThen] eq_cp}
 \end{tabular}
 \end{isabelle}
 \noindent

changeset 35	92f61f6a0fe7
parent 33	9b9f2117561f
child 38	c89013dca1aa