prio/Paper/tt.thy
author urbanc
Sun, 12 Feb 2012 23:20:06 +0000
changeset 304 bd05c5011c0f
parent 262 4190df6f4488
permissions -rwxr-xr-x
contribution section
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
262
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
     1
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
     2
There are several works on inversion avoidance:
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
     3
\begin{enumerate}
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
     4
\item {\em Solving the group priority inversion problem in a timed asynchronous system}. 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
     5
The notion of \<exclamdown>\<degree>Group Priority Inversion\<exclamdown>\<plusminus> is introduced. The main strategy is still inversion avoidance. 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
     6
The method is by reordering requests in the setting of Client-Server.
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
     7
\item {\em Examples of inaccurate specification of the protocol}.
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
     8
\end{enumerate}
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
     9
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    10
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    11
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    12
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    13
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    14
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    15
section{* Related works *}
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    16
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    17
text {*
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    18
1.	<<Integrating Priority Inheritance Algorithms in the Real-Time Specification for Java>> models and 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    19
verifies the combination of Priority Inheritance (PI) and Priority Ceiling Emulation (PCE) protocols in 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    20
the setting of Java virtual machine using extended Timed Automata(TA) formalism of the UPPAAL tool. 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    21
Although a detailed formal model of combined PI and PCE is given, the number of properties is quite 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    22
small and the focus is put on the harmonious working of PI and PCE. Most key features of PI 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    23
(as well as PCE) are not shown. Because of the limitation of the model checking technique
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    24
 used there, properties are shown only for a small number of scenarios. Therefore, the verification 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    25
does not show the correctness of the formal model itself in a convincing way.  
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    26
2.	<< Formal Development of Solutions for Real-Time Operating Systems with TLA+/TLC>>. A formal model 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    27
of PI is given in TLA+. Only 3 properties are shown for PI using model checking. The limitation of 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    28
model checking is intrinsic to the work.
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    29
3.	<<Synchronous modeling and validation of priority inheritance schedulers>>. Gives a formal model 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    30
of PI and PCE in AADL (Architecture Analysis & Design Language) and checked several properties 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    31
using model checking. The number of properties shown there is less than here and the scale 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    32
is also limited by the model checking technique. 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    33
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    34
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    35
There are several works on inversion avoidance:
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    36
1.	<<Solving the group priority inversion problem in a timed asynchronous system>>. 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    37
The notion of \<exclamdown>\<degree>Group Priority Inversion\<exclamdown>\<plusminus> is introduced. The main strategy is still inversion avoidance. 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    38
The method is by reordering requests in the setting of Client-Server.
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    39
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    40
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    41
<<Examples of inaccurate specification of the protocol>>.
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    42
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    43
*}
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    44
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    45
text {*
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    46
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    47
\section{An overview of priority inversion and priority inheritance}
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    48
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    49
Priority inversion refers to the phenomenon when a thread with high priority is blocked 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    50
by a thread with low priority. Priority happens when the high priority thread requests 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    51
for some critical resource already taken by the low priority thread. Since the high 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    52
priority thread has to wait for the low priority thread to complete, it is said to be 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    53
blocked by the low priority thread. Priority inversion might prevent high priority 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    54
thread from fulfill its task in time if the duration of priority inversion is indefinite 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    55
and unpredictable. Indefinite priority inversion happens when indefinite number 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    56
of threads with medium priorities is activated during the period when the high 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    57
priority thread is blocked by the low priority thread. Although these medium 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    58
priority threads can not preempt the high priority thread directly, they are able 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    59
to preempt the low priority threads and cause it to stay in critical section for 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    60
an indefinite long duration. In this way, the high priority thread may be blocked indefinitely. 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    61
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    62
Priority inheritance is one protocol proposed to avoid indefinite priority inversion. 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    63
The basic idea is to let the high priority thread donate its priority to the low priority 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    64
thread holding the critical resource, so that it will not be preempted by medium priority 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    65
threads. The thread with highest priority will not be blocked unless it is requesting 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    66
some critical resource already taken by other threads. Viewed from a different angle, 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    67
any thread which is able to block the highest priority threads must already hold some 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    68
critical resource. Further more, it must have hold some critical resource at the 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    69
moment the highest priority is created, otherwise, it may never get change to run and 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    70
get hold. Since the number of such resource holding lower priority threads is finite, 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    71
if every one of them finishes with its own critical section in a definite duration, 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    72
the duration the highest priority thread is blocked is definite as well. The key to 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    73
guarantee lower priority threads to finish in definite is to donate them the highest 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    74
priority. In such cases, the lower priority threads is said to have inherited the 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    75
highest priority. And this explains the name of the protocol: 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    76
{\em Priority Inheritance} and how Priority Inheritance prevents indefinite delay.
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    77
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    78
The objectives of this paper are:
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    79
\begin{enumerate}
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    80
\item Build the above mentioned idea into formal model and prove a series of properties 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    81
until we are convinced that the formal model does fulfill the original idea. 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    82
\item Show how formally derived properties can be used as guidelines for correct 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    83
and efficient implementation.
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    84
\end{enumerate}.
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    85
The proof is totally formal in the sense that every detail is reduced to the 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    86
very first principles of Higher Order Logic. The nature of interactive theorem 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    87
proving is for the human user to persuade computer program to accept its arguments. 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    88
A clear and simple understanding of the problem at hand is both a prerequisite and a 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    89
byproduct of such an effort, because everything has finally be reduced to the very 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    90
first principle to be checked mechanically. The former intuitive explanation of 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    91
Priority Inheritance is just such a byproduct. 
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    92
*}
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    93
4190df6f4488 initial version of the PIP formalisation
urbanc
parents:
diff changeset
    94
*)