|
1 (*<*) |
|
2 theory Paper |
|
3 imports CpsG ExtGG |
|
4 begin |
|
5 (*>*) |
|
6 |
|
7 section {* Introduction *} |
|
8 |
|
9 text {* |
|
10 |
|
11 Priority inversion referrers to the phenomena where tasks with higher |
|
12 priority are blocked by ones with lower priority. If priority inversion |
|
13 is not controlled, there will be no guarantee the urgent tasks will be |
|
14 processed in time. As reported in \cite{Reeves-Glenn-1998}, |
|
15 priority inversion used to cause software system resets and data lose in |
|
16 JPL's Mars pathfinder project. Therefore, the avoiding, detecting and controlling |
|
17 of priority inversion is a key issue to attain predictability in priority |
|
18 based real-time systems. |
|
19 |
|
20 The priority inversion phenomenon was first published in \cite{Lampson:Redell:cacm:1980}. |
|
21 The two protocols widely used to eliminate priority inversion, namely |
|
22 PI (Priority Inheritance) and PCE (Priority Ceiling Emulation), were proposed |
|
23 in \cite{journals/tc/ShaRL90}. PCE is less convenient to use because it requires |
|
24 static analysis of programs. Therefore, PI is more commonly used in |
|
25 practice\cite{locke-july02}. However, as pointed out in the literature, |
|
26 the analysis of priority inheritance protocol is quite subtle\cite{yodaiken-july02}. |
|
27 A formal analysis will certainly be helpful for us to understand and correctly |
|
28 implement PI. All existing formal analysis of PI |
|
29 \cite{conf/fase/JahierHR09,WellingsBSB07,Faria08} are based on the model checking |
|
30 technology. Because of the state explosion problem, model check |
|
31 is much like an exhaustive testing of finite models with limited size. |
|
32 The results obtained can not be safely generalized to models with arbitrarily |
|
33 large size. Worse still, since model checking is fully automatic, it give little |
|
34 insight on why the formal model is correct. It is therefore |
|
35 definitely desirable to analyze PI using theorem proving, which gives |
|
36 more general results as well as deeper insight. And this is the purpose |
|
37 of this paper which gives a formal analysis of PI in the interactive |
|
38 theorem prover Isabelle using Higher Order Logic (HOL). The formalization |
|
39 focuses on on two issues: |
|
40 |
|
41 \begin{enumerate} |
|
42 \item The correctness of the protocol model itself. A series of desirable properties is |
|
43 derived until we are fully convinced that the formal model of PI does |
|
44 eliminate priority inversion. And a better understanding of PI is so obtained |
|
45 in due course. For example, we find through formalization that the choice of |
|
46 next thread to take hold when a |
|
47 resource is released is irrelevant for the very basic property of PI to hold. |
|
48 A point never mentioned in literature. |
|
49 \item The correctness of the implementation. A series of properties is derived the meaning |
|
50 of which can be used as guidelines on how PI can be implemented efficiently and correctly. |
|
51 \end{enumerate} |
|
52 |
|
53 The rest of the paper is organized as follows: Section \ref{overview} gives an overview |
|
54 of PI. Section \ref{model} introduces the formal model of PI. Section \ref{general} |
|
55 discusses a series of basic properties of PI. Section \ref{extension} shows formally |
|
56 how priority inversion is controlled by PI. Section \ref{implement} gives properties |
|
57 which can be used for guidelines of implementation. Section \ref{related} discusses |
|
58 related works. Section \ref{conclusion} concludes the whole paper. |
|
59 *} |
|
60 |
|
61 section {* An overview of priority inversion and priority inheritance \label{overview} *} |
|
62 |
|
63 text {* |
|
64 |
|
65 Priority inversion refers to the phenomenon when a thread with high priority is blocked |
|
66 by a thread with low priority. Priority happens when the high priority thread requests |
|
67 for some critical resource already taken by the low priority thread. Since the high |
|
68 priority thread has to wait for the low priority thread to complete, it is said to be |
|
69 blocked by the low priority thread. Priority inversion might prevent high priority |
|
70 thread from fulfill its task in time if the duration of priority inversion is indefinite |
|
71 and unpredictable. Indefinite priority inversion happens when indefinite number |
|
72 of threads with medium priorities is activated during the period when the high |
|
73 priority thread is blocked by the low priority thread. Although these medium |
|
74 priority threads can not preempt the high priority thread directly, they are able |
|
75 to preempt the low priority threads and cause it to stay in critical section for |
|
76 an indefinite long duration. In this way, the high priority thread may be blocked indefinitely. |
|
77 |
|
78 Priority inheritance is one protocol proposed to avoid indefinite priority inversion. |
|
79 The basic idea is to let the high priority thread donate its priority to the low priority |
|
80 thread holding the critical resource, so that it will not be preempted by medium priority |
|
81 threads. The thread with highest priority will not be blocked unless it is requesting |
|
82 some critical resource already taken by other threads. Viewed from a different angle, |
|
83 any thread which is able to block the highest priority threads must already hold some |
|
84 critical resource. Further more, it must have hold some critical resource at the |
|
85 moment the highest priority is created, otherwise, it may never get change to run and |
|
86 get hold. Since the number of such resource holding lower priority threads is finite, |
|
87 if every one of them finishes with its own critical section in a definite duration, |
|
88 the duration the highest priority thread is blocked is definite as well. The key to |
|
89 guarantee lower priority threads to finish in definite is to donate them the highest |
|
90 priority. In such cases, the lower priority threads is said to have inherited the |
|
91 highest priority. And this explains the name of the protocol: |
|
92 {\em Priority Inheritance} and how Priority Inheritance prevents indefinite delay. |
|
93 |
|
94 The objectives of this paper are: |
|
95 \begin{enumerate} |
|
96 \item Build the above mentioned idea into formal model and prove a series of properties |
|
97 until we are convinced that the formal model does fulfill the original idea. |
|
98 \item Show how formally derived properties can be used as guidelines for correct |
|
99 and efficient implementation. |
|
100 \end{enumerate} |
|
101 The proof is totally formal in the sense that every detail is reduced to the |
|
102 very first principles of Higher Order Logic. The nature of interactive theorem |
|
103 proving is for the human user to persuade computer program to accept its arguments. |
|
104 A clear and simple understanding of the problem at hand is both a prerequisite and a |
|
105 byproduct of such an effort, because everything has finally be reduced to the very |
|
106 first principle to be checked mechanically. The former intuitive explanation of |
|
107 Priority Inheritance is just such a byproduct. |
|
108 *} |
|
109 |
|
110 section {* Formal model of Priority Inheritance \label{model} *} |
|
111 text {* |
|
112 \input{../../generated/PrioGDef} |
|
113 *} |
|
114 |
|
115 section {* General properties of Priority Inheritance \label{general} *} |
|
116 |
|
117 section {* Key properties \label{extension} *} |
|
118 |
|
119 section {* Properties to guide implementation \label{implement} *} |
|
120 |
|
121 section {* Related works \label{related} *} |
|
122 |
|
123 text {* |
|
124 \begin{enumerate} |
|
125 \item {\em Integrating Priority Inheritance Algorithms in the Real-Time Specification for Java} |
|
126 \cite{WellingsBSB07} models and verifies the combination of Priority Inheritance (PI) and |
|
127 Priority Ceiling Emulation (PCE) protocols in the setting of Java virtual machine |
|
128 using extended Timed Automata(TA) formalism of the UPPAAL tool. Although a detailed |
|
129 formal model of combined PI and PCE is given, the number of properties is quite |
|
130 small and the focus is put on the harmonious working of PI and PCE. Most key features of PI |
|
131 (as well as PCE) are not shown. Because of the limitation of the model checking technique |
|
132 used there, properties are shown only for a small number of scenarios. Therefore, |
|
133 the verification does not show the correctness of the formal model itself in a |
|
134 convincing way. |
|
135 \item {\em Formal Development of Solutions for Real-Time Operating Systems with TLA+/TLC} |
|
136 \cite{Faria08}. A formal model of PI is given in TLA+. Only 3 properties are shown |
|
137 for PI using model checking. The limitation of model checking is intrinsic to the work. |
|
138 \item {\em Synchronous modeling and validation of priority inheritance schedulers} |
|
139 \cite{conf/fase/JahierHR09}. Gives a formal model |
|
140 of PI and PCE in AADL (Architecture Analysis \& Design Language) and checked |
|
141 several properties using model checking. The number of properties shown there is |
|
142 less than here and the scale is also limited by the model checking technique. |
|
143 \item {\em The Priority Ceiling Protocol: Formalization and Analysis Using PVS} |
|
144 \cite{dutertre99b}. Formalized another protocol for Priority Inversion in the |
|
145 interactive theorem proving system PVS. |
|
146 \end{enumerate} |
|
147 |
|
148 |
|
149 There are several works on inversion avoidance: |
|
150 \begin{enumerate} |
|
151 \item {\em Solving the group priority inversion problem in a timed asynchronous system} |
|
152 \cite{Wang:2002:SGP}. The notion of Group Priority Inversion is introduced. The main |
|
153 strategy is still inversion avoidance. The method is by reordering requests |
|
154 in the setting of Client-Server. |
|
155 \item {\em A Formalization of Priority Inversion} \cite{journals/rts/BabaogluMS93}. |
|
156 Formalized the notion of Priority |
|
157 Inversion and proposes methods to avoid it. |
|
158 \end{enumerate} |
|
159 |
|
160 {\em Examples of inaccurate specification of the protocol ???}. |
|
161 |
|
162 *} |
|
163 |
|
164 section {* Conclusions \label{conclusion} *} |
|
165 |
|
166 (*<*) |
|
167 end |
|
168 (*>*) |