pip: comparison Journal/Paper.thy

equal deleted inserted replaced

-:d37703e0c5c4
+:df0334468335
 imports "../Implementation"
 "../Correctness"
 "~~/src/HOL/Library/LaTeXsugar"
 begin
 declare [[show_question_marks = false]]
 notation (latex output)
 Cons ("_::_" [78,77] 73) and
 If  ("(\<^raw:\textrm{>if\<^raw:}> (_)/ \<^raw:\textrm{>then\<^raw:}> (_)/ \<^raw:\textrm{>else\<^raw:}> (_))" 10) and
 vt ("valid'_state") and
 preced ("prec") and
 (*  preceds ("precs") and*)
 cpreced ("cprec") and
 cp ("cprec") and
 holdents ("resources") and
-DUMMY  ("\<^raw:\mbox{$\_\!\_$}>")
+DUMMY  ("\<^raw:\mbox{$\_\!\_$}>") and
+cntP ("c\<^bsub>P\<^esub>") and
+cntV ("c\<^bsub>V\<^esub>")
 (*>*)
 section {* Introduction *}
 text {*
-Many real-time systems need to support threads involving priorities and
-locking of resources. Locking of resources ensures mutual exclusion
+Many real-time systems need to support threads involving priorities
-when accessing shared data or devices that cannot be
+and locking of resources. Locking of resources ensures mutual
+exclusion when accessing shared data or devices that cannot be
 preempted. Priorities allow scheduling of threads that need to
 finish their work within deadlines.  Unfortunately, both features
 can interact in subtle ways leading to a problem, called
 \emph{Priority Inversion}. Suppose three threads having priorities
 $H$(igh), $M$(edium) and $L$(ow). We would expect that the thread
-$H$ blocks any other thread with lower priority and the thread itself cannot
+$H$ blocks any other thread with lower priority and the thread
-be blocked indefinitely by threads with lower priority. Alas, in a naive
+itself cannot be blocked indefinitely by threads with lower
-implementation of resource locking and priorities this property can
+priority. Alas, in a naive implementation of resource locking and
-be violated. For this let $L$ be in the
+priorities this property can be violated. For this let $L$ be in the
 possession of a lock for a resource that $H$ also needs. $H$ must
 therefore wait for $L$ to exit the critical section and release this
-lock. The problem is that $L$ might in turn be blocked by any
+lock. The problem is that $L$ might in turn be blocked by any thread
-thread with priority $M$, and so $H$ sits there potentially waiting
+with priority $M$, and so $H$ sits there potentially waiting
-indefinitely. Since $H$ is blocked by threads with lower
+indefinitely. Since $H$ is blocked by threads with lower priorities,
-priorities, the problem is called Priority Inversion. It was first
+the problem is called Priority Inversion. It was first described in
-described in \cite{Lampson80} in the context of the
+\cite{Lampson80} in the context of the Mesa programming language
-Mesa programming language designed for concurrent programming.
+designed for concurrent programming.
 If the problem of Priority Inversion is ignored, real-time systems
 can become unpredictable and resulting bugs can be hard to diagnose.
 The classic example where this happened is the software that
-controlled the Mars Pathfinder mission in 1997 \cite{Reeves98}.
+controlled the Mars Pathfinder mission in 1997 \cite{Reeves98}.  On
-On Earth the software run mostly without any problem, but
+Earth the software run mostly without any problem, but once the
-once the spacecraft landed on Mars, it shut down at irregular, but frequent,
+spacecraft landed on Mars, it shut down at irregular, but frequent,
 intervals leading to loss of project time as normal operation of the
 craft could only resume the next day (the mission and data already
 collected were fortunately not lost, because of a clever system
 design).  The reason for the shutdowns was that the scheduling
 software fell victim to Priority Inversion: a low priority thread
 locking a resource prevented a high priority thread from running in
 time, leading to a system reset. Once the problem was found, it was
 rectified by enabling the \emph{Priority Inheritance Protocol} (PIP)
 \cite{Sha90}\footnote{Sha et al.~call it the \emph{Basic Priority
 Inheritance Protocol} \cite{Sha90} and others sometimes also call it
-\emph{Priority Boosting}, \emph{Priority Donation} or \emph{Priority Lending}.}
+\emph{Priority Boosting}, \emph{Priority Donation} or \emph{Priority
-in the scheduling software.
+Lending}.}  in the scheduling software.
-The idea behind PIP is to let the thread $L$ temporarily inherit
+The idea behind PIP is to let the thread $L$ temporarily inherit the
-the high priority from $H$ until $L$ leaves the critical section
+high priority from $H$ until $L$ leaves the critical section
 unlocking the resource. This solves the problem of $H$ having to
 wait indefinitely, because $L$ cannot be blocked by threads having
 priority $M$. While a few other solutions exist for the Priority
 Inversion problem, PIP is one that is widely deployed and
 implemented. This includes VxWorks (a proprietary real-time OS used
 in the Mars Pathfinder mission, in Boeing's 787 Dreamliner, Honda's
 ASIMO robot, etc.) and ThreadX (another proprietary real-time OS
-used in nearly all HP inkjet printers \cite{ThreadX}), but also
+used in nearly all HP inkjet printers \cite{ThreadX}), but also the
-the POSIX 1003.1c Standard realised for
+POSIX 1003.1c Standard realised for example in libraries for
-example in libraries for FreeBSD, Solaris and Linux.
+FreeBSD, Solaris and Linux.
-Two advantages of PIP are that it is deterministic and that increasing the priority of a thread
+Two advantages of PIP are that it is deterministic and that
-can be performed dynamically by the scheduler.
+increasing the priority of a thread can be performed dynamically by
-This is in contrast to \emph{Priority Ceiling}
+the scheduler.  This is in contrast to \emph{Priority Ceiling}
 \cite{Sha90}, another solution to the Priority Inversion problem,
 which requires static analysis of the program in order to prevent
-Priority Inversion, and also in contrast to the approach taken in the Windows NT scheduler, which avoids
+Priority Inversion, and also in contrast to the approach taken in
-this problem by randomly boosting the priority of ready low-priority threads
+the Windows NT scheduler, which avoids this problem by randomly
-(see for instance~\cite{WINDOWSNT}).
+boosting the priority of ready low-priority threads (see for
-However, there has also been strong criticism against
+instance~\cite{WINDOWSNT}).  However, there has also been strong
-PIP. For instance, PIP cannot prevent deadlocks when lock
+criticism against PIP. For instance, PIP cannot prevent deadlocks
-dependencies are circular, and also blocking times can be
+when lock dependencies are circular, and also blocking times can be
 substantial (more than just the duration of a critical section).
 Though, most criticism against PIP centres around unreliable
 implementations and PIP being too complicated and too inefficient.
 For example, Yodaiken writes in \cite{Yodaiken02}:
 \begin{quote}
 \it{}``Priority inheritance is neither efficient nor reliable. Implementations
 are either incomplete (and unreliable) or surprisingly complex and intrusive.''
 \end{quote}
-\noindent
+\noindent He suggests avoiding PIP altogether by designing the
-He suggests avoiding PIP altogether by designing the system so that no
+system so that no priority inversion may happen in the first
-priority inversion may happen in the first place. However, such ideal designs may
+place. However, such ideal designs may not always be achievable in
-not always be achievable in practice.
+practice.
 In our opinion, there is clearly a need for investigating correct
-algorithms for PIP. A few specifications for PIP exist (in English)
+algorithms for PIP. A few specifications for PIP exist (in informal
-and also a few high-level descriptions of implementations (e.g.~in
+English) and also a few high-level descriptions of implementations
-the textbooks \cite[Section 12.3.1]{Liu00} and \cite[Section 5.6.5]{Vahalia96}),
+(e.g.~in the textbooks \cite[Section 12.3.1]{Liu00} and
-but they help little with actual implementations. That this is a problem in
+\cite[Section 5.6.5]{Vahalia96}), but they help little with actual
-practice is proved by an email by Baker, who wrote on 13 July 2009 on the Linux
+implementations. That this is a problem in practice is proved by an
-Kernel mailing list:
+email by Baker, who wrote on 13 July 2009 on the Linux Kernel
+mailing list:
 \begin{quote}
 \it{}``I observed in the kernel code (to my disgust), the Linux PIP
 implementation is a nightmare: extremely heavy weight, involving
 maintenance of a full wait-for graph, and requiring updates for a
 range of events, including priority changes and interruptions of
 wait operations.''
 \end{quote}
-\noindent
+\noindent The criticism by Yodaiken, Baker and others suggests
-The criticism by Yodaiken, Baker and others suggests another look
+another look at PIP from a more abstract level (but still concrete
-at PIP from a more abstract level (but still concrete enough
+enough to inform an implementation), and makes PIP a good candidate
-to inform an implementation), and makes PIP a good candidate for a
+for a formal verification. An additional reason is that the original
-formal verification. An additional reason is that the original
 specification of PIP~\cite{Sha90}, despite being informally
 ``proved'' correct, is actually \emph{flawed}.
 Yodaiken \cite{Yodaiken02} and also Moylan et
 al.~\cite{deinheritance} point to a subtlety that had been
-overlooked in the informal proof by Sha et al. They specify in
+overlooked in the informal proof by Sha et al. They specify PIP in
-\cite{Sha90} that after the thread (whose priority has been raised)
+\cite{Sha90} so that after the thread (whose priority has been
-completes its critical section and releases the lock, it ``{\it
+raised) completes its critical section and releases the lock, it
-returns to its original priority level}''. This leads them to
+``{\it returns to its original priority level}''. This leads them to
 believe that an implementation of PIP is ``{\it rather
 straightforward}''~\cite{Sha90}.  Unfortunately, as Yodaiken and
 Moylan et al.~point out, this behaviour is too simplistic. Moylan et
-al.~write that there are ``{\it some hidden traps}''~\cite{deinheritance}.  Consider the
+al.~write that there are ``{\it some hidden
-case where the low priority thread $L$ locks \emph{two} resources,
+traps}''~\cite{deinheritance}.  Consider the case where the low
-and two high-priority threads $H$ and $H'$ each wait for one of
+priority thread $L$ locks \emph{two} resources, and two
-them.  If $L$ releases one resource so that $H$, say, can proceed,
+high-priority threads $H$ and $H'$ each wait for one of them.  If
-then we still have Priority Inversion with $H'$ (which waits for the
+$L$ releases one resource so that $H$, say, can proceed, then we
-other resource). The correct behaviour for $L$ is to switch to the
+still have Priority Inversion with $H'$ (which waits for the other
-highest remaining priority of the threads that it blocks.
+resource). The correct behaviour for $L$ is to switch to the highest
-A similar
+remaining priority of the threads that it blocks.  A similar error
-error is made in the textbook \cite[Section 2.3.1]{book} which
+is made in the textbook \cite[Section 2.3.1]{book} which specifies
-specifies for a process that inherited a higher priority and exits a
+for a process that inherited a higher priority and exits a critical
-critical section ``{\it it resumes the priority it had at the point
+section ``{\it it resumes the priority it had at the point of entry
-of entry into the critical section}''.  This error can also be
+into the critical section}''.  This error can also be found in the
-found in the more recent textbook \cite[Page 119]{Laplante11} where the
+more recent textbook \cite[Page 119]{Laplante11} where the authors
-authors state: ``{\it when [the task] exits the critical section that caused
+state: ``{\it when [the task] exits the critical section that caused
 the block, it reverts to the priority it had when it entered that
 section}''. The textbook \cite[Page 286]{Liu00} contains a simlar
-flawed specification and even goes on to develop pseudo-code based on this
+flawed specification and even goes on to develop pseudo-code based
-flawed specification. Accordingly, the operating system primitives
+on this flawed specification. Accordingly, the operating system
-for inheritance and restoration of priorities in \cite{Liu00} depend on
+primitives for inheritance and restoration of priorities in
-maintaining a  data structure called \emph{inheritance log}. This log
+\cite{Liu00} depend on maintaining a data structure called
-is maintained for every thread and broadly specified as containing ``{\it
+\emph{inheritance log}. This log is maintained for every thread and
-[h]istorical information on how the thread inherited its current
+broadly specified as containing ``{\it [h]istorical information on
-priority}'' \cite[Page 527]{Liu00}. Unfortunately, the important
+how the thread inherited its current priority}'' \cite[Page
-information about actually
+527]{Liu00}. Unfortunately, the important information about actually
-computing the priority to be restored solely from this log is  not explained in
+computing the priority to be restored solely from this log is not
-\cite{Liu00} but left as an ``{\it excercise}'' to the reader.
+explained in \cite{Liu00} but left as an ``{\it excercise}'' to the
-Of course, a correct version of PIP does not need to maintain
+reader.  Of course, a correct version of PIP does not need to
-this (potentially expensive) data structure at all. Surprisingly
+maintain this (potentially expensive) data structure at
-also the widely read and frequently updated textbook \cite{Silberschatz13} gives
+all. Surprisingly also the widely read and frequently updated
-the wrong specification. For example on Page 254 the
+textbook \cite{Silberschatz13} gives the wrong specification. For
-authors write: ``{\it Upon releasing the lock, the [low-priority] thread
+example on Page 254 the authors write: ``{\it Upon releasing the
-will revert to its original priority.}'' The same error is also repeated
+lock, the [low-priority] thread will revert to its original
-later in this textbook.
+priority.}'' The same error is also repeated later in this textbook.
-While \cite{Laplante11,Liu00,book,Sha90,Silberschatz13} are the only formal publications we have
+While \cite{Laplante11,Liu00,book,Sha90,Silberschatz13} are the only
-found that specify the incorrect behaviour, it seems also many
+formal publications we have found that specify the incorrect
-informal descriptions of PIP overlook the possibility that another
+behaviour, it seems also many informal descriptions of PIP overlook
-high-priority might wait for a low-priority process to finish.
+the possibility that another high-priority might wait for a
-A notable exception is the texbook \cite{buttazzo}, which gives the correct
+low-priority process to finish.  A notable exception is the texbook
-behaviour of resetting the priority of a thread to the highest remaining priority of the
+\cite{buttazzo}, which gives the correct behaviour of resetting the
-threads it blocks. This textbook also gives an informal proof for
+priority of a thread to the highest remaining priority of the
-the correctness of PIP in the style of Sha et al. Unfortunately, this informal
+threads it blocks. This textbook also gives an informal proof for
-proof is too vague to be useful for formalising the correctness of PIP
+the correctness of PIP in the style of Sha et al. Unfortunately,
-and the specification leaves out nearly all details in order
+this informal proof is too vague to be useful for formalising the
-to implement PIP efficiently.\medskip\smallskip
+correctness of PIP and the specification leaves out nearly all
+details in order to implement PIP efficiently.\medskip\smallskip
 %
 %The advantage of formalising the
 %correctness of a high-level specification of PIP in a theorem prover
 %is that such issues clearly show up and cannot be overlooked as in
 %informal reasoning (since we have to analyse all possible behaviours
 %of threads, i.e.~\emph{traces}, that could possibly happen).
-\noindent
+\noindent {\bf Contributions:} There have been earlier formal
-{\bf Contributions:} There have been earlier formal investigations
+investigations into PIP \cite{Faria08,Jahier09,Wellings07}, but they
-into PIP \cite{Faria08,Jahier09,Wellings07}, but they employ model
+employ model checking techniques. This paper presents a formalised
-checking techniques. This paper presents a formalised and
+and mechanically checked proof for the correctness of PIP. For this
-mechanically checked proof for the correctness of PIP. For this we
+we needed to design a new correctness criterion for PIP. In contrast
-needed to design a new correctness criterion for PIP. In contrast to model checking, our
+to model checking, our formalisation provides insight into why PIP
-formalisation provides insight into why PIP is correct and allows us
+is correct and allows us to prove stronger properties that, as we
-to prove stronger properties that, as we will show, can help with an
+will show, can help with an efficient implementation of PIP. We
-efficient implementation of PIP in the educational PINTOS operating
+illustrate this with an implementation of PIP in the educational
-system \cite{PINTOS}.  For example, we found by ``playing'' with the
+PINTOS operating system \cite{PINTOS}.  For example, we found by
-formalisation that the choice of the next thread to take over a lock
+``playing'' with the formalisation that the choice of the next
-when a resource is released is irrelevant for PIP being correct---a
+thread to take over a lock when a resource is released is irrelevant
-fact that has not been mentioned in the literature and not been used
+for PIP being correct---a fact that has not been mentioned in the
-in the reference implementation of PIP in PINTOS.  This fact, however, is important
+literature and not been used in the reference implementation of PIP
-for an efficient implementation of PIP, because we can give the lock
+in PINTOS.  This fact, however, is important for an efficient
-to the thread with the highest priority so that it terminates more
+implementation of PIP, because we can give the lock to the thread
-quickly.  We were also being able to generalise the scheduler of Sha
+with the highest priority so that it terminates more quickly.  We
-et al.~\cite{Sha90} to the practically relevant case where critical
+were also being able to generalise the scheduler of Sha et
-sections can overlap; see Figure~\ref{overlap} \emph{a)} below for an example of
+al.~\cite{Sha90} to the practically relevant case where critical
-this restriction. %In the existing literature there is no
+sections can overlap; see Figure~\ref{overlap} \emph{a)} below for
-%proof and also no proving method that cover this generalised case.
+an example of this restriction. In the existing literature there is
+no proof and also no proving method that cover this generalised
+case.
 \begin{figure}
 \begin{center}
 \begin{tikzpicture}[scale=1]
 %%\draw[step=2mm] (0,0) grid (10,2);
 ``time-slicing'' threads with equal priority, but found that it does not lead to
 advantages in practice. On the contrary, according to their work having a policy
 like our FIFO-scheduling of threads with equal priority reduces the number of
 tasks involved in the inheritance process and thus minimises the number
 of potentially expensive thread-switches.
+We will also need counters for @{term P} and @{term V} events of a thread @{term th}
+in a state @{term s}. This can be straightforwardly defined in Isabelle as
+\begin{isabelle}\ \ \ \ \ %%%
+\mbox{\begin{tabular}{@ {}l}
+@{thm cntP_def}\\
+@{thm cntV_def}
+\end{tabular}}
+\end{isabelle}
+\noindent using the predefined function @{const count} for lists.
 Next, we introduce the concept of \emph{waiting queues}. They are
 lists of threads associated with every resource. The first thread in
 this list (i.e.~the head, or short @{term hd}) is chosen to be the one
 that is in possession of the
 To see what kind of thread can block @{term th}.
 From these two lemmas we can see the correctness of PIP, which is
 that: the blockage of th is reasonable and under control.
+Lemmas we want to describe:
+\begin{lemma}
+@{thm eq_pv_persist}
+\end{lemma}
+\begin{lemma}
+@{thm eq_pv_blocked}
+\end{lemma}
+\begin{lemma}
+@{thm runing_cntP_cntV_inv}
+\end{lemma}
+\noindent
+Remember we do not have the well-nestedness restriction in our
+proof, which means the difference between the counters @{const cntV}
+and @{const cntP} can be larger than @{term 1}.
+\begin{lemma}
+@{thm runing_inversion}
+\end{lemma}
+\begin{lemma}
+@{thm th_blockedE}
+\end{lemma}
 \subsection*{END OUTLINE}
 In what follows we will describe properties of PIP that allow us to prove
 Theorem~\ref{mainthm} and, when instructive, briefly describe our argument.
 It is relatively easy to see that:
 @{thm[mode=IfThen]  finite_threads}
 \end{tabular}
 \end{isabelle}
 \noindent
-The second property is by induction of @{term vt}. The next three
+The second property is by induction on @{term vt}. The next three
 properties are:
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 HERE??

changeset 78	df0334468335
parent 76	b6ea51cd2e88
child 82	c0a4e840aefe