regexp: comparison prio/Paper/Paper.thy

equal deleted inserted replaced

-:41e4b331ce08
+:163cd8034e5b
 dependents ("dependants") and
 cp ("cprec") and
 holdents ("resources") and
 original_priority ("priority") and
 DUMMY  ("\<^raw:\mbox{$\_\!\_$}>")
+abbreviation
+"detached s th \<equiv> cntP s th = cntV s th"
 (*>*)
 section {* Introduction *}
 text {*
 section {* The Correctness Proof *}
 (*<*)
 context extend_highest_gen
 begin
-print_locale extend_highest_gen
-thm extend_highest_gen_def
-thm extend_highest_gen_axioms_def
-thm highest_gen_def
 (*>*)
 text {*
 Sha et al.~\cite[Theorem 6]{Sha90} state their correctness criterion
 for PIP in terms of the number of critical resources: if there are
 @{text m} critical resources, then a blocked job with high priority
 finite bound does not guarantee absence of indefinite Priority
 Inversion. For this we further have to assume that every thread
 gives up its resources after a finite amount of time. We found that
 this assumption is awkward to formalise in our model. Therefore we
 leave it out and let the programmer assume the responsibility to
-program threads in such a benign manner. In this detail, we do not
+program threads in such a benign manner (in addition to causeing no
+circularity in the @{text RAG}). In this detail, we do not
 make any progress in comparison with the work by Sha et al.
 In what follows we will describe properties of PIP that allow us to prove
-Theorem~\ref{mainthm}. It is relatively easily to see that
+Theorem~\ref{mainthm} and, when instructive, briefly describe our argument.
+It is relatively easily to see that
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 @{text "running s \<subseteq> ready s \<subseteq> threads s"}\\
 @{thm[mode=IfThen]  finite_threads}
 \end{tabular}
 \end{isabelle}
 \noindent
-where the second property is by induction of @{term vt}. The next three
+whereby the second property is by induction of @{term vt}. The next three
 properties are
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 @{thm[mode=IfThen] waiting_unique[of _ _ "cs\<^isub>1" "cs\<^isub>2"]}\\
 @{thm[mode=IfThen] runing_unique[of _ "th\<^isub>1" "th\<^isub>2"]}
 \end{tabular}
 \end{isabelle}
 \noindent
-The first one states that every waiting thread can only wait for a single
+The first property states that every waiting thread can only wait for a single
-resource (because it gets suspended after requesting that resource and having
+resource (because it gets suspended after requesting that resource); the second
-to wait for it); the second that every resource can only be held by a single thread;
+that every resource can only be held by a single thread;
 the third property establishes that in every given valid state, there is
 at most one running thread. We can also show the following properties
-about the RAG in @{text "s"}.
+about the @{term RAG} in @{text "s"}.
 \begin{isabelle}\ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 @{text If}~@{thm (prem 1) acyclic_depend}~@{text "then"}:\\
 \hspace{5mm}@{thm (concl) acyclic_depend},
 @{thm (concl) finite_depend} and
 @{thm (concl) wf_dep_converse},\\
-\hspace{5mm}@{text "if"}~@{thm (prem 2) dm_depend_threads}~@{text "then"}~@{thm (concl) dm_depend_threads}\\
+\hspace{5mm}@{text "if"}~@{thm (prem 2) dm_depend_threads}~@{text "then"}~@{thm (concl) dm_depend_threads}
-\hspace{5mm}@{text "if"}~@{thm (prem 2) range_in}~@{text "then"}~@{thm (concl) range_in}
+and\\
-\end{tabular}
+\hspace{5mm}@{text "if"}~@{thm (prem 2) range_in}~@{text "then"}~@{thm (concl) range_in}.
-\end{isabelle}
+\end{tabular}
+\end{isabelle}
-TODO
+\noindent
-\noindent
+The acyclicity property follow from how we restricted the events in
-The following lemmas show how RAG is changed with the execution of events:
+@{text step}; similarly the finiteness and well-foundedness property.
-\begin{enumerate}
+The last two properties establish that every thread in a @{text "RAG"}
-\item Execution of @{term "Set"} does not change RAG (@{text "depend_set_unchanged"}):
+(either holding or waiting for a resource) is a live thread.
-@{thm[display] depend_set_unchanged}
-\item Execution of @{term "Create"} does not change RAG (@{text "depend_create_unchanged"}):
+To state the key lemma in our proof, it will be convenient to introduce the notion
-@{thm[display] depend_create_unchanged}
+of a \emph{detached} thread in a state, that is one which does not hold any
-\item Execution of @{term "Exit"} does not change RAG (@{text "depend_exit_unchanged"}):
+critical resource nor requests one.
-@{thm[display] depend_exit_unchanged}
-\item Execution of @{term "P"} (@{text "step_depend_p"}):
+\begin{lemma}\label{mainlem}
-@{thm[display] step_depend_p}
+Given the assumptions about states @{text "s"} and @{text "s' @ s"},
-\item Execution of @{term "V"} (@{text "step_depend_v"}):
+the thread @{text th} and the events in @{text "s'"},
-@{thm[display] step_depend_v}
+if @{term "th' \<in> treads (s' @ s)"}, @{text "th' \<noteq> th"} and @{text "detached (s' @ s) th'"}\\
-\end{enumerate}
+then @{text "th' \<notin> running (s' @ s)"}.
-*}
+\end{lemma}
-text {* \noindent
+\noindent
-These properties are used to derive the following important results about RAG:
+The point of this lemma is that a thread different from @{text th} (which has the highest
-\begin{enumerate}
+precedence in @{text s}) not holding any resource cannot be running
-\item RAG is loop free (@{text "acyclic_depend"}):
+in the state @{text "s' @ s"}.
-@{thm [display] acyclic_depend}
-\item RAGs are finite (@{text "finite_depend"}):
+\begin{proof}
-@{thm [display] finite_depend}
+Since thread @{text "th'"} does not hold any resource, no thread can depend on it.
-\item Reverse paths in RAG are well founded (@{text "wf_dep_converse"}):
+Therefore its current precedence @{term "cp (s' @ s) th'"} equals its own precedence
-@{thm [display] wf_dep_converse}
+@{term "prec th' (s' @ s)"}. Since @{text "th"} has the highest precedence in the
-\item The dependence relation represented by RAG has a tree structure (@{text "unique_depend"}):
+state @{text "(s' @ s)"} and precedences are distinct among threads, we have
-@{thm [display] unique_depend[of _ _ "n\<^isub>1" "n\<^isub>2"]}
+@{term "prec th' (s' @s ) < prec th (s' @ s)"}. From this
-\item All threads in RAG are living threads
+we have @{term "cp (s' @ s) th' < prec th (s' @ s)"}.
-(@{text "dm_depend_threads"} and @{text "range_in"}):
+Since @{text "prec th (s' @ s)"} is already the highest
-@{thm [display] dm_depend_threads range_in}
+@{term "cp (s' @ s) th"} can not be higher than this and can not be lower either (by
-\end{enumerate}
+definition of @{term "cp"}). Consequently, we have @{term "prec th (s' @ s) = cp (s' @ s) th"}.
-*}
+Finally we have @{term "cp (s' @ s) th' < cp (s' @ s) th"}.
+By defintion of @{text "running"}, @{text "th'"} can not be running in state
-text {* \noindent
+@{text "s' @ s"}, as we had to show.\qed
+\end{proof}
+\noindent
+Since @{text "th'"} is not able to run at state @{text "s' @ s"}, it is not able to
+issue a {text "P"} or @{text "V"} event. Therefore if @{text "s' @ s"} is extended
+one step further, @{text "th'"} still cannot hold any resource. The situation will
+not change in further extensions as long as @{text "th"} holds the highest precedence.
 The following lemmas show how every node in RAG can be chased to ready threads:
 \begin{enumerate}
 \item Every node in RAG can be chased to a ready thread (@{text "chain_building"}):
 @{thm [display] chain_building[rule_format]}
 \item The ready thread chased to is unique (@{text "dchain_unique"}):
 @{thm [display] dchain_unique[of _ _ "th\<^isub>1" "th\<^isub>2"]}
 \end{enumerate}
 *}
-text {* \noindent
-Properties about @{term "next_th"}:
-\begin{enumerate}
-\item The thread taking over is different from the thread which is releasing
-(@{text "next_th_neq"}):
-@{thm [display] next_th_neq}
-\item The thread taking over is unique
-(@{text "next_th_unique"}):
-@{thm [display] next_th_unique[of _ _ _ "th\<^isub>1" "th\<^isub>2"]}
-\end{enumerate}
-*}
 text {* \noindent
 Some deeper results about the system:
 \begin{enumerate}
 \item The maximum of @{term "cp"} and @{term "preced"} are equal (@{text "max_cp_eq"}):
 \item When the number of @{text "P"} equals the number of @{text "V"}, the relevant
 thread does not hold any critical resource, therefore no thread can depend on it
 (@{text "count_eq_dependents"}):
 @{thm [display] count_eq_dependents}
 \end{enumerate}
+@{thm[display] live}
 *}
-(*<*)
-end
-(*>*)
 subsection {* Proof idea *}
-(*<*)
-context extend_highest_gen
-begin
-print_locale extend_highest_gen
-thm extend_highest_gen_def
-thm extend_highest_gen_axioms_def
-thm highest_gen_def
-(*>*)
 text {*
 The reason that only threads which already held some resoures
 can be runing and block @{text "th"} is that if , otherwise, one thread
 does not hold any resource, it may never have its prioirty raised
 if a thread releases all its resources at some moment in @{text "t"}, after that,
 it may never get a change to run. If every thread releases its resource in finite duration,
 then after a while, only thread @{text "th"} is left running. This shows how indefinite
 priority inversion can be avoided.
-So, the key of the proof is to establish the correctness of @{text "moment_blocked"}.
-We are going to show how this lemma is proved. At the heart of this proof, is
-lemma @{text "pv_blocked"}:
-@{thm [display] pv_blocked}
-This lemma says: for any @{text "s"}-extension {text "t"}, if thread @{text "th'"}
-does not hold any resource, it can not be running at @{text "t@s"}.
-\noindent Proof:
-\begin{enumerate}
-\item Since thread @{text "th'"} does not hold any resource, no thread may depend on it,
-so its current precedence @{text "cp (t@s) th'"} equals to its own precedence
-@{text "preced th' (t@s)"}.  \label{arg_1}
-\item Since @{text "th"} has the highest precedence in the system and
-precedences are distinct among threads, we have
-@{text "preced th' (t@s) < preced th (t@s)"}. From this and item \ref{arg_1},
-we have @{text "cp (t@s) th' < preced th (t@s)"}.
-\item Since @{text "preced th (t@s)"} is already the highest in the system,
-@{text "cp (t@s) th"} can not be higher than this and can not be lower neither (by
-the definition of @{text "cp"}), we have @{text "preced th (t@s) = cp (t@s) th"}.
-\item Finally we have @{text "cp (t@s) th' < cp (t@s) th"}.
-\item By defintion of @{text "running"}, @{text "th'"} can not be runing at
-@{text "t@s"}.
-\end{enumerate}
-Since @{text "th'"} is not able to run at state @{text "t@s"}, it is not able to
-make either {text "P"} or @{text "V"} action, so if @{text "t@s"} is extended
-one step further, @{text "th'"} still does not hold any resource.
-The situation will not unchanged in further extensions as long as
-@{text "th"} holds the highest precedence. Since this @{text "t"} is arbitarily chosen
-except being constrained by predicate @{text "extend_highest_gen"} and
-this predicate has the property that if it holds for @{text "t"}, it also holds
-for any moment @{text "i"} inside @{text "t"}, as shown by lemma @{text "red_moment"}:
-@{thm [display] "extend_highest_gen.red_moment"}
-so @{text "pv_blocked"} can be applied to any @{text "moment i t"}.
-From this, lemma @{text "moment_blocked"} follows.
 *}
-(*<*)
-end
-(*>*)
-section {* Properties for an Implementation\label{implement} *}
-text {*
-While a formal correctness proof for our model of PIP is certainly
-attractive (especially in light of the flawed proof by Sha et
-al.~\cite{Sha90}), we found that the formalisation can even help us
-with efficiently implementing PIP.
-For example Baker complained that calculating the current precedence
-in PIP is quite ``heavy weight'' in Linux (see the Introduction).
-In our model of PIP the current precedence of a thread in a state s
-depends on all its dependants---a ``global'' transitive notion,
-which is indeed heavy weight (see Def.~shown in \eqref{cpreced}).
-We can however improve upon this. For this let us define the notion
-of @{term children} of a thread @{text th} in a state @{text s} as
-\begin{isabelle}\ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm children_def2}
-\end{tabular}
-\end{isabelle}
-\noindent
-where a child is a thread that is one ``hop'' away from the tread
-@{text th} in the @{term RAG} (and waiting for @{text th} to release
-a resource). We can prove that
-\begin{lemma}\label{childrenlem}
-@{text "If"} @{thm (prem 1) cp_rec} @{text "then"}
-\begin{center}
-@{thm (concl) cp_rec}.
-\end{center}
-\end{lemma}
-\noindent
-That means the current precedence of a thread @{text th} can be
-computed locally by considering only the children of @{text th}. In
-effect, it only needs to be recomputed for @{text th} when one of
-its children changes its current precedence.  Once the current
-precedence is computed in this more efficient manner, the selection
-of the thread with highest precedence from a set of ready threads is
-a standard scheduling operation implemented in most operating
-systems.
-Of course the main implementation work for PIP involves the
-scheduler and coding how it should react to events.  Below we
-outline how our formalisation guides this implementation for each
-kind of event.\smallskip
-*}
-(*<*)
-context step_create_cps
-begin
-(*>*)
-text {*
-\noindent
-\colorbox{mygrey}{@{term "Create th prio"}:} We assume that the current state @{text s'} and
-the next state @{term "s \<equiv> Create th prio#s'"} are both valid (meaning the event
-is allowed to occur). In this situation we can show that
-\begin{isabelle}\ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm eq_dep},\\
-@{thm eq_cp_th}, and\\
-@{thm[mode=IfThen] eq_cp}
-\end{tabular}
-\end{isabelle}
-\noindent
-This means we do not have recalculate the @{text RAG} and also none of the
-current precedences of the other threads. The current precedence of the created
-thread @{text th} is just its precedence, namely the pair @{term "(prio, length (s::event list))"}.
-\smallskip
-*}
-(*<*)
-end
-context step_exit_cps
-begin
-(*>*)
-text {*
-\noindent
-\colorbox{mygrey}{@{term "Exit th"}:} We again assume that the current state @{text s'} and
-the next state @{term "s \<equiv> Exit th#s'"} are both valid. We can show that
-\begin{isabelle}\ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm eq_dep}, and\\
-@{thm[mode=IfThen] eq_cp}
-\end{tabular}
-\end{isabelle}
-\noindent
-This means again we do not have to recalculate the @{text RAG} and
-also not the current precedences for the other threads. Since @{term th} is not
-alive anymore in state @{term "s"}, there is no need to calculate its
-current precedence.
-\smallskip
-*}
-(*<*)
-end
-context step_set_cps
-begin
-(*>*)
-text {*
-\noindent
-\colorbox{mygrey}{@{term "Set th prio"}:} We assume that @{text s'} and
-@{term "s \<equiv> Set th prio#s'"} are both valid. We can show that
-\begin{isabelle}\ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm[mode=IfThen] eq_dep}, and\\
-@{thm[mode=IfThen] eq_cp}
-\end{tabular}
-\end{isabelle}
-\noindent
-The first property is again telling us we do not need to change the @{text RAG}. The second
-however states that only threads that are \emph{not} dependants of @{text th} have their
-current precedence unchanged. For the others we have to recalculate the current
-precedence. To do this we can start from @{term "th"}
-and follow the @{term "depend"}-chains to recompute the @{term "cp"} of every
-thread encountered on the way using Lemma~\ref{childrenlem}. Since the @{term "depend"}
-is loop free, this procedure will always stop. The following two lemmas show, however,
-that this procedure can actually stop often earlier without having to consider all
-dependants.
-\begin{isabelle}\ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm[mode=IfThen] eq_up_self}\\
-@{text "If"} @{thm (prem 1) eq_up}, @{thm (prem 2) eq_up} and @{thm (prem 3) eq_up}\\
-@{text "then"} @{thm (concl) eq_up}.
-\end{tabular}
-\end{isabelle}
-\noindent
-The first states that if the current precedence of @{text th} is unchanged,
-then the procedure can stop immediately (all dependent threads have their @{term cp}-value unchanged).
-The second states that if an intermediate @{term cp}-value does not change, then
-the procedure can also stop, because none of its dependent threads will
-have their current precedence changed.
-\smallskip
-*}
-(*<*)
-end
-context step_v_cps_nt
-begin
-(*>*)
-text {*
-\noindent
-\colorbox{mygrey}{@{term "V th cs"}:} We assume that @{text s'} and
-@{term "s \<equiv> V th cs#s'"} are both valid. We have to consider two
-subcases: one where there is a thread to ``take over'' the released
-resource @{text cs}, and one where there is not. Let us consider them
-in turn. Suppose in state @{text s}, the thread @{text th'} takes over
-resource @{text cs} from thread @{text th}. We can show
-\begin{isabelle}\ \ \ \ \ %%%
-@{thm depend_s}
-\end{isabelle}
-\noindent
-which shows how the @{text RAG} needs to be changed. This also suggests
-how the current precedences need to be recalculated. For threads that are
-not @{text "th"} and @{text "th'"} nothing needs to be changed, since we
-can show
-\begin{isabelle}\ \ \ \ \ %%%
-@{thm[mode=IfThen] cp_kept}
-\end{isabelle}
-\noindent
-For @{text th} and @{text th'} we need to use Lemma~\ref{childrenlem} to
-recalculate their current prcedence since their children have changed. *}(*<*)end context step_v_cps_nnt begin (*>*)text {*
-\noindent
-In the other case where there is no thread that takes over @{text cs}, we can show how
-to recalculate the @{text RAG} and also show that no current precedence needs
-to be recalculated.
-\begin{isabelle}\ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm depend_s}\\
-@{thm eq_cp}
-\end{tabular}
-\end{isabelle}
-*}
-(*<*)
-end
-context step_P_cps_e
-begin
-(*>*)
-text {*
-\noindent
-\colorbox{mygrey}{@{term "P th cs"}:} We assume that @{text s'} and
-@{term "s \<equiv> P th cs#s'"} are both valid. We again have to analyse two subcases, namely
-the one where @{text cs} is locked, and where it is not. We treat the second case
-first by showing that
-\begin{isabelle}\ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm depend_s}\\
-@{thm eq_cp}
-\end{tabular}
-\end{isabelle}
-\noindent
-This means we do not need to add a holding edge to the @{text RAG} and no
-current precedence needs to be recalculated.*}(*<*)end context step_P_cps_ne begin(*>*) text {*
-\noindent
-In the second case we know that resouce @{text cs} is locked. We can show that
-\begin{isabelle}\ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm depend_s}\\
-@{thm[mode=IfThen] eq_cp}
-\end{tabular}
-\end{isabelle}
-\noindent
-That means we have to add a waiting edge to the @{text RAG}. Furthermore
-the current precedence for all threads that are not dependants of @{text th}
-are unchanged. For the others we need to follow the edges
-in the @{text RAG} and recompute the @{term "cp"}. However, like in the
-@case of {text Set}, this operation can stop often earlier, namely when intermediate
-values do not change.
-*}
-(*<*)
-end
-(*>*)
-text {*
-\noindent
-A pleasing result of our formalisation is that the properties in
-this section closely inform an implementation of PIP:  Whether the
-@{text RAG} needs to be reconfigured or current precedences need to
-recalculated for an event is given by a lemma we proved.
-*}
-section {* Conclusion *}
-text {*
-The Priority Inheritance Protocol (PIP) is a classic textbook
-algorithm used in real-time operating systems in order to avoid the problem of
-Priority Inversion.  Although classic and widely used, PIP does have
-its faults: for example it does not prevent deadlocks in cases where threads
-have circular lock dependencies.
-We had two goals in mind with our formalisation of PIP: One is to
-make the notions in the correctness proof by Sha et al.~\cite{Sha90}
-precise so that they can be processed by a theorem prover. The reason is
-that a mechanically checked proof avoids the flaws that crept into their
-informal reasoning. We achieved this goal: The correctness of PIP now
-only hinges on the assumptions behind our formal model. The reasoning, which is
-sometimes quite intricate and tedious, has been checked beyond any
-reasonable doubt by Isabelle/HOL. We can also confirm that Paulson's
-inductive method for protocol verification~\cite{Paulson98} is quite
-suitable for our formal model and proof. The traditional application
-area of this method is security protocols.  The only other
-application of Paulson's method we know of outside this area is
-\cite{Wang09}.
-The second goal of our formalisation is to provide a specification for actually
-implementing PIP. Textbooks, for example \cite[Section 5.6.5]{Vahalia96},
-explain how to use various implementations of PIP and abstractly
-discuss their properties, but surprisingly lack most details for a
-programmer who wants to implement PIP.  That this is an issue in practice is illustrated by the
-email from Baker we cited in the Introduction. We achieved also this
-goal: The formalisation gives the first author enough data to enable
-his undergraduate students to implement PIP (as part of their OS course)
-on top of PINTOS, a small operating system for teaching
-purposes. A byproduct of our formalisation effort is that nearly all
-design choices for the PIP scheduler are backed up with a proved
-lemma. We were also able to establish the property that the choice of
-the next thread which takes over a lock is irrelevant for the correctness
-of PIP. Earlier model checking approaches which verified implementations
-of PIP \cite{Faria08,Jahier09,Wellings07} cannot
-provide this kind of ``deep understanding'' about the principles behind
-PIP and its correctness.
-PIP is a scheduling algorithm for single-processor systems. We are
-now living in a multi-processor world. So the question naturally
-arises whether PIP has any relevance in such a world beyond
-teaching. Priority Inversion certainly occurs also in
-multi-processor systems.  However, the surprising answer, according
-to \cite{Steinberg10}, is that except for one unsatisfactory
-proposal nobody has a good idea for how PIP should be modified to
-work correctly on multi-processor systems. The difficulties become
-clear when considering that locking and releasing a resource always
-requires a small amount of time. If processes work independently,
-then a low priority process can ``steal'' in such an unguarded
-moment a lock for a resource that was supposed allow a high-priority
-process to run next. Thus the problem of Priority Inversion is not
-really prevented. It seems difficult to design a PIP-algorithm with
-a meaningful correctness property on a multi-processor systems where
-processes work independently.  We can imagine PIP to be of use in
-situations where processes are \emph{not} independent, but
-coordinated via a master process that distributes work over some
-slave processes. However, a formal investigation of this is beyond
-the scope of this paper.  We are not aware of any proofs in this
-area, not even informal ones.
-The most closely related work to ours is the formal verification in
-PVS for Priority Ceiling done by Dutertre \cite{dutertre99b}. His formalisation
-consists of 407 lemmas and 2500 lines of ``specification'' (we do not
-know whether this includes also code for proofs).  Our formalisation
-consists of around 210 lemmas and overall 6950 lines of readable Isabelle/Isar
-code with a few apply-scripts interspersed. The formal model of PIP
-is 385 lines long; the formal correctness proof 3800 lines. Some auxiliary
-definitions and proofs took 770 lines of code. The properties relevant
-for an implementation took 2000 lines.  Our code can be downloaded from
-...
-\bibliographystyle{plain}
-\bibliography{root}
-*}
 section {* Key properties \label{extension} *}
-(*<*)
-context extend_highest_gen
-begin
-(*>*)
-text {*
-The essential of {\em Priority Inheritance} is to avoid indefinite priority inversion. For this
-purpose, we need to investigate what happens after one thread takes the highest precedence.
-A locale is used to describe such a situation, which assumes:
-\begin{enumerate}
-\item @{term "s"} is a valid state (@{text "vt_s"}):
-@{thm  vt_s}.
-\item @{term "th"} is a living thread in @{term "s"} (@{text "threads_s"}):
-@{thm threads_s}.
-\item @{term "th"} has the highest precedence in @{term "s"} (@{text "highest"}):
-@{thm highest}.
-\item The precedence of @{term "th"} is @{term "Prc prio tm"} (@{text "preced_th"}):
-@{thm preced_th}.
-\end{enumerate}
-*}
-text {* \noindent
-Under these assumptions, some basic priority can be derived for @{term "th"}:
-\begin{enumerate}
-\item The current precedence of @{term "th"} equals its own precedence (@{text "eq_cp_s_th"}):
-@{thm [display] eq_cp_s_th}
-\item The current precedence of @{term "th"} is the highest precedence in
-the system (@{text "highest_cp_preced"}):
-@{thm [display] highest_cp_preced}
-\item The precedence of @{term "th"} is the highest precedence
-in the system (@{text "highest_preced_thread"}):
-@{thm [display] highest_preced_thread}
-\item The current precedence of @{term "th"} is the highest current precedence
-in the system (@{text "highest'"}):
-@{thm [display] highest'}
-\end{enumerate}
-*}
-text {* \noindent
-To analysis what happens after state @{term "s"} a sub-locale is defined, which
-assumes:
-\begin{enumerate}
-\item @{term "t"} is a valid extension of @{term "s"} (@{text "vt_t"}): @{thm vt_t}.
-\item Any thread created in @{term "t"} has priority no higher than @{term "prio"}, therefore
-its precedence can not be higher than @{term "th"},  therefore
-@{term "th"} remain to be the one with the highest precedence
-(@{text "create_low"}):
-@{thm [display] create_low}
-\item Any adjustment of priority in
-@{term "t"} does not happen to @{term "th"} and
-the priority set is no higher than @{term "prio"}, therefore
-@{term "th"} remain to be the one with the highest precedence (@{text "set_diff_low"}):
-@{thm [display] set_diff_low}
-\item Since we are investigating what happens to @{term "th"}, it is assumed
-@{term "th"} does not exit during @{term "t"} (@{text "exit_diff"}):
-@{thm [display] exit_diff}
-\end{enumerate}
-*}
 text {* \noindent
 All these assumptions are put into a predicate @{term "extend_highest_gen"}.
 It can be proved that @{term "extend_highest_gen"} holds
 for any moment @{text "i"} in it @{term "t"} (@{text "red_moment"}):
 then.
 *}
 (*<*)
 end
+(*>*)
+section {* Properties for an Implementation\label{implement} *}
+text {*
+While a formal correctness proof for our model of PIP is certainly
+attractive (especially in light of the flawed proof by Sha et
+al.~\cite{Sha90}), we found that the formalisation can even help us
+with efficiently implementing PIP.
+For example Baker complained that calculating the current precedence
+in PIP is quite ``heavy weight'' in Linux (see the Introduction).
+In our model of PIP the current precedence of a thread in a state s
+depends on all its dependants---a ``global'' transitive notion,
+which is indeed heavy weight (see Def.~shown in \eqref{cpreced}).
+We can however improve upon this. For this let us define the notion
+of @{term children} of a thread @{text th} in a state @{text s} as
+\begin{isabelle}\ \ \ \ \ %%%
+\begin{tabular}{@ {}l}
+@{thm children_def2}
+\end{tabular}
+\end{isabelle}
+\noindent
+where a child is a thread that is one ``hop'' away from the tread
+@{text th} in the @{term RAG} (and waiting for @{text th} to release
+a resource). We can prove that
+\begin{lemma}\label{childrenlem}
+@{text "If"} @{thm (prem 1) cp_rec} @{text "then"}
+\begin{center}
+@{thm (concl) cp_rec}.
+\end{center}
+\end{lemma}
+\noindent
+That means the current precedence of a thread @{text th} can be
+computed locally by considering only the children of @{text th}. In
+effect, it only needs to be recomputed for @{text th} when one of
+its children changes its current precedence.  Once the current
+precedence is computed in this more efficient manner, the selection
+of the thread with highest precedence from a set of ready threads is
+a standard scheduling operation implemented in most operating
+systems.
+Of course the main implementation work for PIP involves the
+scheduler and coding how it should react to events.  Below we
+outline how our formalisation guides this implementation for each
+kind of event.\smallskip
+*}
+(*<*)
+context step_create_cps
+begin
+(*>*)
+text {*
+\noindent
+\colorbox{mygrey}{@{term "Create th prio"}:} We assume that the current state @{text s'} and
+the next state @{term "s \<equiv> Create th prio#s'"} are both valid (meaning the event
+is allowed to occur). In this situation we can show that
+\begin{isabelle}\ \ \ \ \ %%%
+\begin{tabular}{@ {}l}
+@{thm eq_dep},\\
+@{thm eq_cp_th}, and\\
+@{thm[mode=IfThen] eq_cp}
+\end{tabular}
+\end{isabelle}
+\noindent
+This means we do not have recalculate the @{text RAG} and also none of the
+current precedences of the other threads. The current precedence of the created
+thread @{text th} is just its precedence, namely the pair @{term "(prio, length (s::event list))"}.
+\smallskip
+*}
+(*<*)
+end
+context step_exit_cps
+begin
+(*>*)
+text {*
+\noindent
+\colorbox{mygrey}{@{term "Exit th"}:} We again assume that the current state @{text s'} and
+the next state @{term "s \<equiv> Exit th#s'"} are both valid. We can show that
+\begin{isabelle}\ \ \ \ \ %%%
+\begin{tabular}{@ {}l}
+@{thm eq_dep}, and\\
+@{thm[mode=IfThen] eq_cp}
+\end{tabular}
+\end{isabelle}
+\noindent
+This means again we do not have to recalculate the @{text RAG} and
+also not the current precedences for the other threads. Since @{term th} is not
+alive anymore in state @{term "s"}, there is no need to calculate its
+current precedence.
+\smallskip
+*}
+(*<*)
+end
+context step_set_cps
+begin
+(*>*)
+text {*
+\noindent
+\colorbox{mygrey}{@{term "Set th prio"}:} We assume that @{text s'} and
+@{term "s \<equiv> Set th prio#s'"} are both valid. We can show that
+\begin{isabelle}\ \ \ \ \ %%%
+\begin{tabular}{@ {}l}
+@{thm[mode=IfThen] eq_dep}, and\\
+@{thm[mode=IfThen] eq_cp}
+\end{tabular}
+\end{isabelle}
+\noindent
+The first property is again telling us we do not need to change the @{text RAG}. The second
+however states that only threads that are \emph{not} dependants of @{text th} have their
+current precedence unchanged. For the others we have to recalculate the current
+precedence. To do this we can start from @{term "th"}
+and follow the @{term "depend"}-chains to recompute the @{term "cp"} of every
+thread encountered on the way using Lemma~\ref{childrenlem}. Since the @{term "depend"}
+is loop free, this procedure will always stop. The following two lemmas show, however,
+that this procedure can actually stop often earlier without having to consider all
+dependants.
+\begin{isabelle}\ \ \ \ \ %%%
+\begin{tabular}{@ {}l}
+@{thm[mode=IfThen] eq_up_self}\\
+@{text "If"} @{thm (prem 1) eq_up}, @{thm (prem 2) eq_up} and @{thm (prem 3) eq_up}\\
+@{text "then"} @{thm (concl) eq_up}.
+\end{tabular}
+\end{isabelle}
+\noindent
+The first states that if the current precedence of @{text th} is unchanged,
+then the procedure can stop immediately (all dependent threads have their @{term cp}-value unchanged).
+The second states that if an intermediate @{term cp}-value does not change, then
+the procedure can also stop, because none of its dependent threads will
+have their current precedence changed.
+\smallskip
+*}
+(*<*)
+end
+context step_v_cps_nt
+begin
+(*>*)
+text {*
+\noindent
+\colorbox{mygrey}{@{term "V th cs"}:} We assume that @{text s'} and
+@{term "s \<equiv> V th cs#s'"} are both valid. We have to consider two
+subcases: one where there is a thread to ``take over'' the released
+resource @{text cs}, and one where there is not. Let us consider them
+in turn. Suppose in state @{text s}, the thread @{text th'} takes over
+resource @{text cs} from thread @{text th}. We can show
+\begin{isabelle}\ \ \ \ \ %%%
+@{thm depend_s}
+\end{isabelle}
+\noindent
+which shows how the @{text RAG} needs to be changed. This also suggests
+how the current precedences need to be recalculated. For threads that are
+not @{text "th"} and @{text "th'"} nothing needs to be changed, since we
+can show
+\begin{isabelle}\ \ \ \ \ %%%
+@{thm[mode=IfThen] cp_kept}
+\end{isabelle}
+\noindent
+For @{text th} and @{text th'} we need to use Lemma~\ref{childrenlem} to
+recalculate their current prcedence since their children have changed. *}(*<*)end context step_v_cps_nnt begin (*>*)text {*
+\noindent
+In the other case where there is no thread that takes over @{text cs}, we can show how
+to recalculate the @{text RAG} and also show that no current precedence needs
+to be recalculated.
+\begin{isabelle}\ \ \ \ \ %%%
+\begin{tabular}{@ {}l}
+@{thm depend_s}\\
+@{thm eq_cp}
+\end{tabular}
+\end{isabelle}
+*}
+(*<*)
+end
+context step_P_cps_e
+begin
+(*>*)
+text {*
+\noindent
+\colorbox{mygrey}{@{term "P th cs"}:} We assume that @{text s'} and
+@{term "s \<equiv> P th cs#s'"} are both valid. We again have to analyse two subcases, namely
+the one where @{text cs} is locked, and where it is not. We treat the second case
+first by showing that
+\begin{isabelle}\ \ \ \ \ %%%
+\begin{tabular}{@ {}l}
+@{thm depend_s}\\
+@{thm eq_cp}
+\end{tabular}
+\end{isabelle}
+\noindent
+This means we do not need to add a holding edge to the @{text RAG} and no
+current precedence needs to be recalculated.*}(*<*)end context step_P_cps_ne begin(*>*) text {*
+\noindent
+In the second case we know that resouce @{text cs} is locked. We can show that
+\begin{isabelle}\ \ \ \ \ %%%
+\begin{tabular}{@ {}l}
+@{thm depend_s}\\
+@{thm[mode=IfThen] eq_cp}
+\end{tabular}
+\end{isabelle}
+\noindent
+That means we have to add a waiting edge to the @{text RAG}. Furthermore
+the current precedence for all threads that are not dependants of @{text th}
+are unchanged. For the others we need to follow the edges
+in the @{text RAG} and recompute the @{term "cp"}. However, like in the
+@case of {text Set}, this operation can stop often earlier, namely when intermediate
+values do not change.
+*}
+(*<*)
 end
 (*>*)
+text {*
+\noindent
+A pleasing result of our formalisation is that the properties in
+this section closely inform an implementation of PIP:  Whether the
+@{text RAG} needs to be reconfigured or current precedences need to
+recalculated for an event is given by a lemma we proved.
+*}
+section {* Conclusion *}
+text {*
+The Priority Inheritance Protocol (PIP) is a classic textbook
+algorithm used in real-time operating systems in order to avoid the problem of
+Priority Inversion.  Although classic and widely used, PIP does have
+its faults: for example it does not prevent deadlocks in cases where threads
+have circular lock dependencies.
+We had two goals in mind with our formalisation of PIP: One is to
+make the notions in the correctness proof by Sha et al.~\cite{Sha90}
+precise so that they can be processed by a theorem prover. The reason is
+that a mechanically checked proof avoids the flaws that crept into their
+informal reasoning. We achieved this goal: The correctness of PIP now
+only hinges on the assumptions behind our formal model. The reasoning, which is
+sometimes quite intricate and tedious, has been checked beyond any
+reasonable doubt by Isabelle/HOL. We can also confirm that Paulson's
+inductive method for protocol verification~\cite{Paulson98} is quite
+suitable for our formal model and proof. The traditional application
+area of this method is security protocols.  The only other
+application of Paulson's method we know of outside this area is
+\cite{Wang09}.
+The second goal of our formalisation is to provide a specification for actually
+implementing PIP. Textbooks, for example \cite[Section 5.6.5]{Vahalia96},
+explain how to use various implementations of PIP and abstractly
+discuss their properties, but surprisingly lack most details for a
+programmer who wants to implement PIP.  That this is an issue in practice is illustrated by the
+email from Baker we cited in the Introduction. We achieved also this
+goal: The formalisation gives the first author enough data to enable
+his undergraduate students to implement PIP (as part of their OS course)
+on top of PINTOS, a small operating system for teaching
+purposes. A byproduct of our formalisation effort is that nearly all
+design choices for the PIP scheduler are backed up with a proved
+lemma. We were also able to establish the property that the choice of
+the next thread which takes over a lock is irrelevant for the correctness
+of PIP. Earlier model checking approaches which verified implementations
+of PIP \cite{Faria08,Jahier09,Wellings07} cannot
+provide this kind of ``deep understanding'' about the principles behind
+PIP and its correctness.
+PIP is a scheduling algorithm for single-processor systems. We are
+now living in a multi-processor world. So the question naturally
+arises whether PIP has any relevance in such a world beyond
+teaching. Priority Inversion certainly occurs also in
+multi-processor systems.  However, the surprising answer, according
+to \cite{Steinberg10}, is that except for one unsatisfactory
+proposal nobody has a good idea for how PIP should be modified to
+work correctly on multi-processor systems. The difficulties become
+clear when considering that locking and releasing a resource always
+requires a small amount of time. If processes work independently,
+then a low priority process can ``steal'' in such an unguarded
+moment a lock for a resource that was supposed allow a high-priority
+process to run next. Thus the problem of Priority Inversion is not
+really prevented. It seems difficult to design a PIP-algorithm with
+a meaningful correctness property on a multi-processor systems where
+processes work independently.  We can imagine PIP to be of use in
+situations where processes are \emph{not} independent, but
+coordinated via a master process that distributes work over some
+slave processes. However, a formal investigation of this is beyond
+the scope of this paper.  We are not aware of any proofs in this
+area, not even informal ones.
+The most closely related work to ours is the formal verification in
+PVS for Priority Ceiling done by Dutertre \cite{dutertre99b}. His formalisation
+consists of 407 lemmas and 2500 lines of ``specification'' (we do not
+know whether this includes also code for proofs).  Our formalisation
+consists of around 210 lemmas and overall 6950 lines of readable Isabelle/Isar
+code with a few apply-scripts interspersed. The formal model of PIP
+is 385 lines long; the formal correctness proof 3800 lines. Some auxiliary
+definitions and proofs took 770 lines of code. The properties relevant
+for an implementation took 2000 lines.  Our code can be downloaded from
+...
+\bibliographystyle{plain}
+\bibliography{root}
+*}
+(*<*)
+end
+(*>*)

changeset 325	163cd8034e5b
parent 324	41e4b331ce08
child 326	8f256104e4f3