183 is made in the textbook \cite[Section 2.3.1]{book} which specifies |
183 is made in the textbook \cite[Section 2.3.1]{book} which specifies |
184 for a process that inherited a higher priority and exits a critical |
184 for a process that inherited a higher priority and exits a critical |
185 section ``{\it it resumes the priority it had at the point of entry |
185 section ``{\it it resumes the priority it had at the point of entry |
186 into the critical section}''. This error can also be found in the |
186 into the critical section}''. This error can also be found in the |
187 textbook \cite[Section 16.4.1]{LiYao03} where the authors write |
187 textbook \cite[Section 16.4.1]{LiYao03} where the authors write |
188 ``{\it its priority is immediately lowered to the level originally assigned}''; |
188 about this process: ``{\it its priority is immediately lowered to the level originally assigned}''; |
189 or in the |
189 and also in the |
190 more recent textbook \cite[Page 119]{Laplante11} where the authors |
190 more recent textbook \cite[Page 119]{Laplante11} where the authors |
191 state: ``{\it when [the task] exits the critical section that caused |
191 state: ``{\it when [the task] exits the critical section that caused |
192 the block, it reverts to the priority it had when it entered that |
192 the block, it reverts to the priority it had when it entered that |
193 section}''. The textbook \cite[Page 286]{Liu00} contains a simlar |
193 section}''. The textbook \cite[Page 286]{Liu00} contains a simlar |
194 flawed specification and even goes on to develop pseudo-code based |
194 flawed specification and even goes on to develop pseudo-code based |
199 broadly specified as containing ``{\it [h]istorical information on |
199 broadly specified as containing ``{\it [h]istorical information on |
200 how the thread inherited its current priority}'' \cite[Page |
200 how the thread inherited its current priority}'' \cite[Page |
201 527]{Liu00}. Unfortunately, the important information about actually |
201 527]{Liu00}. Unfortunately, the important information about actually |
202 computing the priority to be restored solely from this log is not |
202 computing the priority to be restored solely from this log is not |
203 explained in \cite{Liu00} but left as an ``{\it excercise}'' to the |
203 explained in \cite{Liu00} but left as an ``{\it excercise}'' to the |
204 reader. Of course, a correct version of PIP does not need to |
204 reader. As we shall see, a correct version of PIP does not need to |
205 maintain this (potentially expensive) data structure at |
205 maintain this (potentially expensive) data structure at |
206 all. Surprisingly also the widely read and frequently updated |
206 all. Surprisingly also the widely read and frequently updated |
207 textbook \cite{Silberschatz13} gives the wrong specification. For |
207 textbook \cite{Silberschatz13} gives the wrong specification. For |
208 example on Page 254 the authors write: ``{\it Upon releasing the |
208 example on Page 254 the authors write: ``{\it Upon releasing the |
209 lock, the [low-priority] thread will revert to its original |
209 lock, the [low-priority] thread will revert to its original |
210 priority.}'' The same error is also repeated later in this textbook. |
210 priority.}'' The same error is also repeated later in this popular textbook. |
211 |
211 |
212 |
212 |
213 While \cite{Laplante11,LiYao03,Liu00,book,Sha90,Silberschatz13} are the only |
213 While \cite{Laplante11,LiYao03,Liu00,book,Sha90,Silberschatz13} are the only |
214 formal publications we have found that specify the incorrect |
214 formal publications we have found that specify the incorrect |
215 behaviour, it seems also many informal descriptions of PIP overlook |
215 behaviour, it seems also many informal descriptions of PIP overlook |
244 for PIP being correct---a fact that has not been mentioned in the |
244 for PIP being correct---a fact that has not been mentioned in the |
245 literature and not been used in the reference implementation of PIP |
245 literature and not been used in the reference implementation of PIP |
246 in PINTOS. This fact, however, is important for an efficient |
246 in PINTOS. This fact, however, is important for an efficient |
247 implementation of PIP, because we can give the lock to the thread |
247 implementation of PIP, because we can give the lock to the thread |
248 with the highest priority so that it terminates more quickly. We |
248 with the highest priority so that it terminates more quickly. We |
249 were also being able to generalise the scheduler of Sha et |
249 are also being able to generalise the scheduler of Sha et |
250 al.~\cite{Sha90} to the practically relevant case where critical |
250 al.~\cite{Sha90} to the practically relevant case where critical |
251 sections can overlap; see Figure~\ref{overlap} \emph{a)} below for |
251 sections can overlap; see Figure~\ref{overlap} \emph{a)} below for |
252 an example of this restriction. In the existing literature there is |
252 an example of this restriction. In the existing literature there is |
253 no proof and also no proving method that cover this generalised |
253 no proof and also no proving method that cover this generalised |
254 case. |
254 case. |
328 |
328 |
329 \noindent |
329 \noindent |
330 whereby threads, priorities and (critical) resources are represented |
330 whereby threads, priorities and (critical) resources are represented |
331 as natural numbers. The event @{term Set} models the situation that |
331 as natural numbers. The event @{term Set} models the situation that |
332 a thread obtains a new priority given by the programmer or |
332 a thread obtains a new priority given by the programmer or |
333 user (for example via the {\tt nice} utility under UNIX). As in Paulson's work, we |
333 user (for example via the {\tt nice} utility under UNIX). For states |
334 need to define functions that allow us to make some observations |
334 we define the following type-synonym: |
335 about states. One, called @{term threads}, calculates the set of |
335 |
336 ``live'' threads that we have seen so far: |
336 \begin{isabelle}\ \ \ \ \ %%% |
|
337 \isacommand{type\_synonym} @{text "state = event list"} |
|
338 \end{isabelle} |
|
339 |
|
340 \noindent As in Paulson's work, we need to define functions that |
|
341 allow us to make some observations about states. One function, |
|
342 called @{term threads}, calculates the set of ``live'' threads that |
|
343 we have seen so far in a state: |
337 |
344 |
338 \begin{isabelle}\ \ \ \ \ %%% |
345 \begin{isabelle}\ \ \ \ \ %%% |
339 \mbox{\begin{tabular}{lcl} |
346 \mbox{\begin{tabular}{lcl} |
340 @{thm (lhs) threads.simps(1)} & @{text "\<equiv>"} & |
347 @{thm (lhs) threads.simps(1)} & @{text "\<equiv>"} & |
341 @{thm (rhs) threads.simps(1)}\\ |
348 @{thm (rhs) threads.simps(1)}\\ |
415 advantages in practice. On the contrary, according to their work having a policy |
422 advantages in practice. On the contrary, according to their work having a policy |
416 like our FIFO-scheduling of threads with equal priority reduces the number of |
423 like our FIFO-scheduling of threads with equal priority reduces the number of |
417 tasks involved in the inheritance process and thus minimises the number |
424 tasks involved in the inheritance process and thus minimises the number |
418 of potentially expensive thread-switches. |
425 of potentially expensive thread-switches. |
419 |
426 |
420 We will also need counters for @{term P} and @{term V} events of a thread @{term th} |
427 {\bf NEEDED?} We will also need counters for @{term P} and @{term V} events of a thread @{term th} |
421 in a state @{term s}. This can be straightforwardly defined in Isabelle as |
428 in a state @{term s}. This can be straightforwardly defined in Isabelle as |
422 |
429 |
423 \begin{isabelle}\ \ \ \ \ %%% |
430 \begin{isabelle}\ \ \ \ \ %%% |
424 \mbox{\begin{tabular}{@ {}l} |
431 \mbox{\begin{tabular}{@ {}l} |
425 @{thm cntP_def}\\ |
432 @{thm cntP_def}\\ |
519 |
526 |
520 \noindent |
527 \noindent |
521 If there is no cycle, then every RAG can be pictured as a forrest of trees, as |
528 If there is no cycle, then every RAG can be pictured as a forrest of trees, as |
522 for example in Figure~\ref{RAGgraph}. |
529 for example in Figure~\ref{RAGgraph}. |
523 |
530 |
524 We will design our scheduler |
531 While there are few formalisations for graphs already implemented in |
|
532 Isabelle, we choose to introduce our own library of graphs for |
|
533 PIP. The reason for this is that we wanted to be able to reason with |
|
534 potentially infinite graphs (in the sense of infinitely branching |
|
535 and infinite size): the property that our RAGs are forrests of |
|
536 finitely branching trees having only an finite depth should be a |
|
537 something we can \emph{prove} for our model of PIP---it should not |
|
538 be an assumption we build already into our model. It seemed for our purposes the most convenient |
|
539 represeantation of graphs are binary relations given by |
|
540 sets of pairs. The pairs stand for the edges in graphs. This |
|
541 relation-based representation is convenient since we can use the notions |
|
542 of transitive closure operations @{term "trancl DUMMY"} and |
|
543 @{term "rtrancl DUMMY"}, as well as relation composition @{term "DUMMY O DUMMY"}. |
|
544 A \emph{forrest} is defined as the relation @{text rel} that is \emph{single valued} |
|
545 and \emph{acyclic}: |
|
546 |
|
547 \begin{isabelle}\ \ \ \ \ %%% |
|
548 \begin{tabular}{@ {}l} |
|
549 @{thm single_valued_def[where ?r="rel", THEN eq_reflection]}\\ |
|
550 @{thm acyclic_def[where ?r="rel", THEN eq_reflection]} |
|
551 \end{tabular} |
|
552 \end{isabelle} |
|
553 |
|
554 \noindent |
|
555 The \emph{children}, \emph{subtree} and \emph{ancestors} of a node in a graph are |
|
556 defined as |
|
557 |
|
558 \begin{isabelle}\ \ \ \ \ %%% |
|
559 \begin{tabular}{@ {}l} |
|
560 @{thm children_def[where ?r="rel" and ?x="node", THEN eq_reflection]}\\ |
|
561 @{thm subtree_def[where ?r="rel" and ?x="node", THEN eq_reflection]}\\ |
|
562 @{thm ancestors_def[where ?r="rel" and ?x="node", THEN eq_reflection]}\\ |
|
563 \end{tabular} |
|
564 \end{isabelle} |
|
565 |
|
566 \noindent Note that forests can have trees with infinte depth and |
|
567 containing nodes with infinitely many children. A \emph{finite |
|
568 forrest} is a forest which is well-founded and every node has |
|
569 finitely many children (is only finitely branching). |
|
570 |
|
571 |
|
572 We will design our PIP-scheduler |
525 so that every thread can be in the possession of several resources, that is |
573 so that every thread can be in the possession of several resources, that is |
526 it has potentially several incoming holding edges in the RAG, but has at most one outgoing |
574 it has potentially several incoming holding edges in the RAG, but has at most one outgoing |
527 waiting edge. The reason is that when a thread asks for resource that is locked |
575 waiting edge. The reason is that when a thread asks for resource that is locked |
528 already, then the thread is blocked and cannot ask for another resource. |
576 already, then the thread is blocked and cannot ask for another resource. |
529 Clearly, also every resource can only have at most one outgoing holding edge---indicating |
577 Clearly, also every resource can only have at most one outgoing holding edge---indicating |