52 finish their work within deadlines. Unfortunately, both features |
52 finish their work within deadlines. Unfortunately, both features |
53 can interact in subtle ways leading to a problem, called |
53 can interact in subtle ways leading to a problem, called |
54 \emph{Priority Inversion}. Suppose three threads having priorities |
54 \emph{Priority Inversion}. Suppose three threads having priorities |
55 $H$(igh), $M$(edium) and $L$(ow). We would expect that the thread |
55 $H$(igh), $M$(edium) and $L$(ow). We would expect that the thread |
56 $H$ blocks any other thread with lower priority and the thread itself cannot |
56 $H$ blocks any other thread with lower priority and the thread itself cannot |
57 be blocked indefinitely by any thread with lower priority. Alas, in a naive |
57 be blocked indefinitely by threads with lower priority. Alas, in a naive |
58 implementation of resource locking and priorities this property can |
58 implementation of resource locking and priorities this property can |
59 be violated. Even worse, $H$ can be delayed indefinitely by |
59 be violated. For this let $L$ be in the |
60 threads with lower priorities. For this let $L$ be in the |
|
61 possession of a lock for a resource that $H$ also needs. $H$ must |
60 possession of a lock for a resource that $H$ also needs. $H$ must |
62 therefore wait for $L$ to exit the critical section and release this |
61 therefore wait for $L$ to exit the critical section and release this |
63 lock. The problem is that $L$ might in turn be blocked by any |
62 lock. The problem is that $L$ might in turn be blocked by any |
64 thread with priority $M$, and so $H$ sits there potentially waiting |
63 thread with priority $M$, and so $H$ sits there potentially waiting |
65 indefinitely. Since $H$ is blocked by threads with lower |
64 indefinitely. Since $H$ is blocked by threads with lower |
91 priority $M$. While a few other solutions exist for the Priority |
90 priority $M$. While a few other solutions exist for the Priority |
92 Inversion problem, PIP is one that is widely deployed and |
91 Inversion problem, PIP is one that is widely deployed and |
93 implemented. This includes VxWorks (a proprietary real-time OS used |
92 implemented. This includes VxWorks (a proprietary real-time OS used |
94 in the Mars Pathfinder mission, in Boeing's 787 Dreamliner, Honda's |
93 in the Mars Pathfinder mission, in Boeing's 787 Dreamliner, Honda's |
95 ASIMO robot, etc.), but also the POSIX 1003.1c Standard realised for |
94 ASIMO robot, etc.), but also the POSIX 1003.1c Standard realised for |
96 example in libraries for FreeBSD, Solaris and Linux. ({\bf ??? Is this True?}) |
95 example in libraries for FreeBSD, Solaris and Linux. |
97 |
96 |
98 One advantage of PIP is that increasing the priority of a thread |
97 One advantage of PIP is that increasing the priority of a thread |
99 can be dynamically calculated by the scheduler. This is in contrast |
98 can be dynamically calculated by the scheduler. This is in contrast |
100 to, for example, \emph{Priority Ceiling} \cite{Sha90}, another |
99 to, for example, \emph{Priority Ceiling} \cite{Sha90}, another |
101 solution to the Priority Inversion problem, which requires static |
100 solution to the Priority Inversion problem, which requires static |
122 In our opinion, there is clearly a need for investigating correct |
121 In our opinion, there is clearly a need for investigating correct |
123 algorithms for PIP. A few specifications for PIP exist (in English) |
122 algorithms for PIP. A few specifications for PIP exist (in English) |
124 and also a few high-level descriptions of implementations (e.g.~in |
123 and also a few high-level descriptions of implementations (e.g.~in |
125 the textbook \cite[Section 5.6.5]{Vahalia96}), but they help little |
124 the textbook \cite[Section 5.6.5]{Vahalia96}), but they help little |
126 with actual implementations. That this is a problem in practice is |
125 with actual implementations. That this is a problem in practice is |
127 proved by an email from Baker, who wrote on 13 July 2009 on the Linux |
126 proved by an email by Baker, who wrote on 13 July 2009 on the Linux |
128 Kernel mailing list: |
127 Kernel mailing list: |
129 |
128 |
130 \begin{quote} |
129 \begin{quote} |
131 \it{}``I observed in the kernel code (to my disgust), the Linux PIP |
130 \it{}``I observed in the kernel code (to my disgust), the Linux PIP |
132 implementation is a nightmare: extremely heavy weight, involving |
131 implementation is a nightmare: extremely heavy weight, involving |
1080 |
1079 |
1081 \noindent |
1080 \noindent |
1082 The first property is again telling us we do not need to change the @{text RAG}. |
1081 The first property is again telling us we do not need to change the @{text RAG}. |
1083 The second shows that the @{term cp}-values of all threads other than @{text th} |
1082 The second shows that the @{term cp}-values of all threads other than @{text th} |
1084 are unchanged. The reason is that @{text th} is running; therefore it is not in |
1083 are unchanged. The reason is that @{text th} is running; therefore it is not in |
1085 the @{term dependants} relation of any thread. This in turn means that the |
1084 the @{term dependants} relation of any other thread. This in turn means that the |
1086 change of its priority cannot affect the threads. |
1085 change of its priority cannot affect other threads. |
1087 |
1086 |
1088 %The second |
1087 %The second |
1089 %however states that only threads that are \emph{not} dependants of @{text th} have their |
1088 %however states that only threads that are \emph{not} dependants of @{text th} have their |
1090 %current precedence unchanged. For the others we have to recalculate the current |
1089 %current precedence unchanged. For the others we have to recalculate the current |
1091 %precedence. To do this we can start from @{term "th"} |
1090 %precedence. To do this we can start from @{term "th"} |
1203 \noindent |
1202 \noindent |
1204 As can be seen, a pleasing byproduct of our formalisation is that the properties in |
1203 As can be seen, a pleasing byproduct of our formalisation is that the properties in |
1205 this section closely inform an implementation of PIP, namely whether the |
1204 this section closely inform an implementation of PIP, namely whether the |
1206 @{text RAG} needs to be reconfigured or current precedences need to |
1205 @{text RAG} needs to be reconfigured or current precedences need to |
1207 be recalculated for an event. This information is provided by the lemmas we proved. |
1206 be recalculated for an event. This information is provided by the lemmas we proved. |
|
1207 We confirmened that our observations translate into practice by implementing |
|
1208 a PIP-scheduler on top of PINTOS, a small operating system for teaching purposes \cite{PINTOS}. |
1208 *} |
1209 *} |
1209 |
1210 |
1210 section {* Conclusion *} |
1211 section {* Conclusion *} |
1211 |
1212 |
1212 text {* |
1213 text {* |
1235 programmer who wants to implement PIP (similarly Sha et al.~\cite{Sha90}). |
1236 programmer who wants to implement PIP (similarly Sha et al.~\cite{Sha90}). |
1236 That this is an issue in practice is illustrated by the |
1237 That this is an issue in practice is illustrated by the |
1237 email from Baker we cited in the Introduction. We achieved also this |
1238 email from Baker we cited in the Introduction. We achieved also this |
1238 goal: The formalisation gives the first author enough data to enable |
1239 goal: The formalisation gives the first author enough data to enable |
1239 his undergraduate students to implement PIP (as part of their OS course) |
1240 his undergraduate students to implement PIP (as part of their OS course) |
1240 on top of PINTOS, a small operating system for teaching |
1241 on top of PINTOS, a simple instructional operating system for the x86 |
1241 purposes. A byproduct of our formalisation effort is that nearly all |
1242 architecture \cite{PINTOS}. A byproduct of our formalisation effort is that nearly all |
1242 design choices for the PIP scheduler are backed up with a proved |
1243 design choices for the PIP scheduler are backed up with a proved |
1243 lemma. We were also able to establish the property that the choice of |
1244 lemma. We were also able to establish the property that the choice of |
1244 the next thread which takes over a lock is irrelevant for the correctness |
1245 the next thread which takes over a lock is irrelevant for the correctness |
1245 of PIP. Earlier model checking approaches which verified particular implementations |
1246 of PIP. Earlier model checking approaches which verified particular implementations |
1246 of PIP \cite{Faria08,Jahier09,Wellings07} cannot |
1247 of PIP \cite{Faria08,Jahier09,Wellings07} cannot |
1273 |
1274 |
1274 The most closely related work to ours is the formal verification in |
1275 The most closely related work to ours is the formal verification in |
1275 PVS of the Priority Ceiling Protocol done by Dutertre |
1276 PVS of the Priority Ceiling Protocol done by Dutertre |
1276 \cite{dutertre99b}---another solution to the Priority Inversion |
1277 \cite{dutertre99b}---another solution to the Priority Inversion |
1277 problem, which however needs static analysis of programs in order to |
1278 problem, which however needs static analysis of programs in order to |
1278 avoid it. {\bf ??? mention model-checking approaches} |
1279 avoid it. There have been earlier formal investigations |
|
1280 into PIP \cite{Faria08,Jahier09,Wellings07}, but they employ model |
|
1281 checking techniques. In this way they are limited to validating |
|
1282 one particular implementation. In contrast, our paper is a good |
|
1283 witness for one of the major reasons to be interested in machine checked |
|
1284 reasoning: gaining deeper understanding of the subject matter. |
1279 |
1285 |
1280 Our formalisation |
1286 Our formalisation |
1281 consists of around 210 lemmas and overall 6950 lines of readable Isabelle/Isar |
1287 consists of around 210 lemmas and overall 6950 lines of readable Isabelle/Isar |
1282 code with a few apply-scripts interspersed. The formal model of PIP |
1288 code with a few apply-scripts interspersed. The formal model of PIP |
1283 is 385 lines long; the formal correctness proof 3800 lines. Some auxiliary |
1289 is 385 lines long; the formal correctness proof 3800 lines. Some auxiliary |
1284 definitions and proofs span over 770 lines of code. The properties relevant |
1290 definitions and proofs span over 770 lines of code. The properties relevant |
1285 for an implementation require 2000 lines. The code of our formalisation |
1291 for an implementation require 2000 lines. The code of our formalisation |
1286 can be downloaded from |
1292 can be downloaded from |
1287 \url{http://www.inf.kcl.ac.uk/staff/urbanc/pip.html}. |
1293 \url{http://www.inf.kcl.ac.uk/staff/urbanc/pip.html}. |
1288 |
1294 |
1289 {\bf ??? say: |
|
1290 So this paper is a good witness for one |
|
1291 of the major reasons to be interested in machine checked reasoning: |
|
1292 gaining deeper understanding of the subject matter. |
|
1293 } |
|
1294 |
|
1295 |
|
1296 \bibliographystyle{plain} |
1295 \bibliographystyle{plain} |
1297 \bibliography{root} |
1296 \bibliography{root} |
1298 *} |
1297 *} |
1299 |
1298 |
1300 |
1299 |