  \item I also found a (fixable) mistake in my PhD thesis\bigskip
  \item Nominal Isabelle: found out that the variable convention 
  can be used to prove false (a surprising result in PL-research)\bigskip

  \item Computability and Logic Book (5th ed.)\\ by Boolos, Burgess and Jeffrey ---
  two definitions about halting computations in UTMs are inconsistent

  \item RTOS: priorities and resource locking

  \item Purpose:\\
  guarantee tasks to be completed in time\medskip\pause

  \item \alert{this already results into a surprisingly non-trivial algorithmic problem}



  \alert{H}igh-priority process (waits)\\[4mm]
  \onslide<2->{\alert{M}edium-priority process}\\[4mm]
  \alert{L}ow-priority process (has a lock)\\[4mm]

  \item \alert{priority inversion}\\ \hspace{2cm}@{text "\<equiv>"} H waits for a process\\ 
  \mbox{}\hfill with lower priority
  \item<4> avoid \alert{indefinite} priority inversion



  \item the lander reset frequently on Mars
  \item the problem: priority inversion


  \alert{Priority Inheritance Protocol (PIP):}\bigskip

  \alert{H}igh-priority process\\[4mm]
  \textcolor{gray}{Medium-priority process}\\[4mm]
  \alert{L}ow-priority process\\[15mm]
  {\normalsize (temporarily raise the priority of \alert{L})}


  \item the paper$^\star$ first describing  PIP ``proved'' also its 
correctness\bigskip 

  \ldots{}after the thread (whose priority has been raised) completes its 
  critical section and releases the lock, it ``returns to its original 
  priority level''.

  $^\star$ in IEEE Transactions on Computers in 1990 by Sha et al.

  \alert{H}igh-priority process 1 (waits)\\[2mm]
  \alert{H}igh-priority process 2 (waits)\\[8mm]
  \alert{L}ow-priority process (has a lock)

  \item Solution: return to the highest
  \phantom{Solution:} \alert{remaining} priority\\


  Create \textcolor{gray}{thread priority}\\
  Exit \textcolor{gray}{thread}\\
  Set \textcolor{gray}{thread priority}\\
  Lock \textcolor{gray}{thread cs}\\
  Unlock \textcolor{gray}{thread cs}\\


  \item A \alert{state s} is a list of events\bigskip
  \item Scheduling according to \alert{precedences}:
  \begin{tabular}{@ {}l@ {}}
  \large @{thm preced_def[where thread="th"]} 


  \item A \alert{waiting queue} function returns a list of threads
  associated with every resource
  \item The head of the list is the thread holding the resource.

  \begin{tabular}{@ {}l}
  @{thm cs_holding_def[where thread="th"]}\\
  @{thm cs_waiting_def[where thread="th"]}


  \node (A) at (0,0) [draw, rounded corners=1mm, rectangle, very thick] {@{text "th\<^isub>0"}};
  \node (B) at (2,0) [draw, circle, very thick, inner sep=0.4mm] {@{text "cs\<^isub>1"}};
  \node (C) at (4,0.7) [draw, rounded corners=1mm, rectangle, very thick] {@{text "th\<^isub>1"}};
  \node (D) at (4,-0.7) [draw, rounded corners=1mm, rectangle, very thick] {@{text "th\<^isub>2"}};
  \node (E) at (6,-0.7) [draw, circle, very thick, inner sep=0.4mm] {@{text "cs\<^isub>2"}};
  \node (E1) at (6, 0.3) [draw, circle, very thick, inner sep=0.4mm] {@{text "cs\<^isub>3"}};
  \node (F) at (8,-0.7) [draw, rounded corners=1mm, rectangle, very thick] {@{text "th\<^isub>3"}};

  \draw [<-,line width=0.6mm] (A) to node [pos=0.54,sloped,above=-0.5mm] {\fnt{}holds}  (B);
  \draw [->,line width=0.6mm] (C) to node [pos=0.4,sloped,above=-0.5mm] {\fnt{}waits}  (B);
  \draw [->,line width=0.6mm] (D) to node [pos=0.4,sloped,below=-0.5mm] {\fnt{}waits}  (B);
  \draw [<-,line width=0.6mm] (D) to node [pos=0.54,sloped,below=-0.5mm] {\fnt{}holds}  (E);
  \draw [<-,line width=0.6mm] (D) to node [pos=0.54,sloped,above=-0.5mm] {\fnt{}holds}  (E1);
  \draw [->,line width=0.6mm] (F) to node [pos=0.45,sloped,below=-0.5mm] {\fnt{}waits}  (E);

  @{thm cs_depend_def}
  @{thm cs_dependents_def}
  \alert{cprec wq s th} $\dn$\\
  \mbox{}\hspace{1cm}Max(\{prec th s\} $\cup$\\ 
  \mbox{}\hspace{1cm}\phantom{Max(}\{prec th' s $\mid$ th' $\in$ dependants wq th\})



  \item \underline{Start}: all priorities/precedences are 0, all resources are unlocked
  \item \underline{Create th p}: set precedence of th
  \item \underline{Exit th}: reset precedence to 0
  \item \underline{Set th p}: reset precedence of th
  \item \underline{Lock th cs}: add th to the end of the waiting queue of cs
  \item \underline{Unlock th cs}:\\ delete th from the waiting queue of cs\\
  \hspace{1cm}\alert{and who to give the resource next?}


  \item \large threads ready to run\normalsize

  \begin{tabular}{@ {}l}
  @{thm (lhs) readys_def} $\dn$\\
  \;@{thm (rhs) readys_def}

  \item \large the thread that is running in a state:\\[-10mm]\normalsize
  \begin{tabular}{@ {}l@ {}}
  @{thm (lhs) runing_def} $\dn$\\
  \;@{thm (rhs) runing_def}



  \item We have to exclude situations where there is a deadlock,
  a thread exited before created, \ldots


  \item In a state s, the following events can occur:

  @{thm[mode=Rule] thread_create[where thread=th]}\bigskip

  @{thm[mode=Rule] thread_exit[where thread=th]}\bigskip

  @{thm[mode=Rule] thread_set[where thread=th]}



  @{thm[mode=Rule] thread_P[where thread=th]}\bigskip
  @{thm[mode=Rule] thread_V[where thread=th]}\bigskip

  \item Done with the specification. \ldots


  \item {\bf If} th is alive in s and has the highest precedence
  \item plus some further assumption (like th not reset, not exited, no higher precedences in s - s')
  \item and th is {\bf not} running in s', \\ {\bf then} the running
  thread th' (in s') is a thread that was alive in {\bf s} and has in s' the same 
  precedence as th in s.


  \item Create/Exit events:
  \item we do not have to recalculate the RAG
  \item we do not have to recalculate the other precedences
  \item Set event:
  \item we do not have to recalculate the RAG
  \item also the other precedences do not have to be recalculated
  (since this is the currently running thread, it cannot affect
  other threads)
  \item Unlock event (2 cases: a thread to take over, no thread to take over)
  \item case 1: RAG needs to be modified, but apart from th and th' no
  other precedence needs to be recalculated
  \item case 2: RAG needs to be prunned, no precedence needs to be recalculated


  \item Unlock event (2 cases: a thread to take over, no thread to take over)
  \item case 1: RAG needs to be modified, but apart from th and th' no
  other precedence needs to be recalculated
  \item case 2: RAG needs to be pruned, no precedence needs to be recalculated
  \item Lock event (2 cases: cs is locked, not locked)
  \item case 1: a waiting edge needs to be added to the RAG, precedences of 
  all dependants need to recalculated (where there is a change)  
  \item case 2: a holding edge needs to be added to the RAG, no
  precedences need to be recalculated


  \item in PINTOS (Stanford), written in C for educational purposes\bigskip
  \begin{tabular}{|l@ {\hspace{2mm}}|l@ {\hspace{2mm}}|}
  {\bf Event} & {\bf PINTOS function} \\
  @{text Create} & @{text "thread_create"}\\
  @{text Exit}   & @{text "thread_exit"}\\
  @{text Set}    & @{text "thread_set_priority"}\\
  @{text Lock}      & @{text "lock_acquire"}\\
  @{text Unlock}      & @{text "lock_release"}\\ 

  \item \alert{We did not verify our C-code!}\pause
  \item We were much faster: we gave an unlocked resource to
  the thread with the highest precedence

  \item Did we make any impact? No!\medskip\pause
  \item real-time scheduling on multiprocessors seems to be a very
  underdeveloped area 
  \item implementations exist, e.g.~RT-Linux

  \item We found a mistake in a refereed paper by Harper \& Pfenning
  \item I also found a mistake in my PhD thesis
  \item also a popular textbook book on Computability contained an
  \item scratching on the surface of an completely ``alien'' subject 
  to us --- we were able to make progress


  \item the inductive method was developed/used by Larry Paulson
  for verifying security protocols\bigskip\bigskip
  \item we used it for a different `kind' of protocols (scheduling)
  \item but this was restricted to only single-processors, no timing information


  \item Mahyar Malekpour introduced a distributed clock-synchronisation
  algorithm\\ (perfect example for us)\bigskip\bigskip

  \item connected units exchange messages according to a protocol
  and reach a stable, synchronised state
  \item messages have to reach the receiver within a time-window\pause

  \item \alert{verification still ongoing}

