595 (*<*) |
595 (*<*) |
596 context extend_highest_gen |
596 context extend_highest_gen |
597 begin |
597 begin |
598 (*>*) |
598 (*>*) |
599 text {* |
599 text {* |
600 Sha et al.~\cite[Theorem 6]{Sha90} state their correctness criterion |
600 Sha et al.~state their first correctness criterion for PIP in terms |
601 for PIP in terms of the number of critical resources: if there are |
601 of the number of low-priority threads \cite[Theorem 3]{Sha90}: if |
|
602 there are @{text n} low-priority threads, then a blocked job with |
|
603 high priority can only be blocked @{text n} times. |
|
604 Their second correctness criterion is stated |
|
605 in terms of the number of critical resources \cite[Theorem 6]{Sha90}: if there are |
602 @{text m} critical resources, then a blocked job with high priority |
606 @{text m} critical resources, then a blocked job with high priority |
603 can only be blocked @{text m} times---that is a \emph{bounded} |
607 can only be blocked @{text m} times. Both results on their own, strictly speaking, do |
604 number of times. This result on its own, strictly speaking, does |
|
605 \emph{not} prevent indefinite, or unbounded, Priority Inversion, |
608 \emph{not} prevent indefinite, or unbounded, Priority Inversion, |
606 because if one low-priority thread does not give up its critical |
609 because if a low-priority thread does not give up its critical |
607 resource (the one the high-priority thread is waiting for), then the |
610 resource (the one the high-priority thread is waiting for), then the |
608 high-priority thread can never run. The argument of Sha et al.~is |
611 high-priority thread can never run. The argument of Sha et al.~is |
609 that \emph{if} threads release locked resources in a finite amount |
612 that \emph{if} threads release locked resources in a finite amount |
610 of time, then indefinite Priority Inversion cannot occur---the high-priority |
613 of time, then indefinite Priority Inversion cannot occur---the high-priority |
611 thread is guaranteed to run eventually. The assumption is that |
614 thread is guaranteed to run eventually. The assumption is that |
612 programmers always ensure that this is the case. However, even |
615 programmers always ensure that this is the case. However, even |
613 taking this assumption into account, ther correctness property is |
616 taking this assumption into account, their correctness properties are |
614 \emph{not} true for their version of PIP. As Yodaiken |
617 \emph{not} true for their version of PIP. As Yodaiken |
615 \cite{Yodaiken02} pointed out: If a low-priority thread possesses |
618 \cite{Yodaiken02} pointed out: If a low-priority thread possesses |
616 locks to two resources for which two high-priority threads are |
619 locks to two resources for which two high-priority threads are |
617 waiting for, then lowering the priority prematurely after giving up |
620 waiting for, then lowering the priority prematurely after giving up |
618 only one lock, can cause indefinite Priority Inversion for one of the |
621 only one lock, can cause indefinite Priority Inversion for one of the |
619 high-priority threads, invalidating their bound. |
622 high-priority threads, invalidating their two bounds. |
620 |
623 |
621 Even when fixed, their proof idea does not seem to go through for |
624 Even when fixed, their proof idea does not seem to go through for |
622 us, because of the way we have set up our formal model of PIP. The |
625 us, because of the way we have set up our formal model of PIP. The |
623 reason is that we allow that critical sections can intersect |
626 reason is that we allow that critical sections can intersect |
624 (something Sha et al.~explicitly exclude). Therefore we have a |
627 (something Sha et al.~explicitly exclude). Therefore we have a |
626 criterion is as follows: for all states @{text |
629 criterion is as follows: for all states @{text |
627 s}, we know the corresponding thread @{text th} with the highest |
630 s}, we know the corresponding thread @{text th} with the highest |
628 precedence; we show that in every future state (denoted by @{text |
631 precedence; we show that in every future state (denoted by @{text |
629 "s' @ s"}) in which @{text th} is still alive, either @{text th} is |
632 "s' @ s"}) in which @{text th} is still alive, either @{text th} is |
630 running or it is blocked by a thread that was alive in the state |
633 running or it is blocked by a thread that was alive in the state |
631 @{text s}. Since in @{text s}, as in every state, the set of alive |
634 @{text s} and was in the possession of a lock in @{text s}. Since in @{text s}, as in every state, the set of alive |
632 threads is finite, @{text th} can only be blocked a finite number of |
635 threads is finite, @{text th} can only be blocked a finite number of |
633 times. We will actually prove a stricter bound below. However, this |
636 times. We will actually prove astronger statement where we also provide |
|
637 the current precedence of the blocking thread. However, this |
634 correctness criterion hinges upon a number of assumptions about the |
638 correctness criterion hinges upon a number of assumptions about the |
635 states @{text s} and @{text "s' @ s"}, the thread @{text th} and the |
639 states @{text s} and @{text "s' @ s"}, the thread @{text th} and the |
636 events happening in @{text s'}. We list them next: |
640 events happening in @{text s'}. We list them next: |
637 |
641 |
638 \begin{quote} |
642 \begin{quote} |
682 |
686 |
683 \begin{theorem}\label{mainthm} |
687 \begin{theorem}\label{mainthm} |
684 Given the assumptions about states @{text "s"} and @{text "s' @ s"}, |
688 Given the assumptions about states @{text "s"} and @{text "s' @ s"}, |
685 the thread @{text th} and the events in @{text "s'"}, |
689 the thread @{text th} and the events in @{text "s'"}, |
686 if @{term "th' \<in> running (s' @ s)"} and @{text "th' \<noteq> th"} then |
690 if @{term "th' \<in> running (s' @ s)"} and @{text "th' \<noteq> th"} then |
687 @{text "th' \<in> threads s"}. |
691 @{text "th' \<in> threads s"}, @{text "\<not> detached s th'"} and |
|
692 @{term "cp (s' @ s) th' = prec th s"}. |
688 \end{theorem} |
693 \end{theorem} |
689 |
694 |
690 \noindent |
695 \noindent |
691 This theorem ensures that the thread @{text th}, which has the |
696 This theorem ensures that the thread @{text th}, which has the |
692 highest precedence in the state @{text s}, can only be blocked in |
697 highest precedence in the state @{text s}, can only be blocked in |
693 the state @{text "s' @ s"} by a thread @{text th'} that already |
698 the state @{text "s' @ s"} by a thread @{text th'} that already |
694 existed in @{text s}. As we shall see shortly, that means by only |
699 existed in @{text s} and requested or had a lock on at least |
695 finitely many threads. Like in the argument by Sha et al.~this |
700 one resource---that means the thread was not \emph{detached} in @{text s}. |
|
701 As we shall see shortly, that means there are only finitely |
|
702 many threads that can block @{text th} and then need to run |
|
703 with the same current precedence as @{text th}. |
|
704 |
|
705 Like in the argument by Sha et al.~our |
696 finite bound does not guarantee absence of indefinite Priority |
706 finite bound does not guarantee absence of indefinite Priority |
697 Inversion. For this we further have to assume that every thread |
707 Inversion. For this we further have to assume that every thread |
698 gives up its resources after a finite amount of time. We found that |
708 gives up its resources after a finite amount of time. We found that |
699 this assumption is awkward to formalise in our model. Therefore we |
709 this assumption is awkward to formalise in our model. Therefore we |
700 leave it out and let the programmer assume the responsibility to |
710 leave it out and let the programmer assume the responsibility to |
701 program threads in such a benign manner (in addition to causeing no |
711 program threads in such a benign manner (in addition to causeing no |
702 circularity in the @{text RAG}). In this detail, we do not |
712 circularity in the @{text RAG}). In this detail, we do not |
703 make any progress in comparison with the work by Sha et al. |
713 make any progress in comparison with the work by Sha et al. |
|
714 However, we are able to combine their two separate bounds into a |
|
715 single theorem. |
704 |
716 |
705 In what follows we will describe properties of PIP that allow us to prove |
717 In what follows we will describe properties of PIP that allow us to prove |
706 Theorem~\ref{mainthm} and, when instructive, briefly describe our argument. |
718 Theorem~\ref{mainthm} and, when instructive, briefly describe our argument. |
707 It is relatively easily to see that |
719 It is relatively easily to see that |
708 |
720 |
749 The acyclicity property follow from how we restricted the events in |
761 The acyclicity property follow from how we restricted the events in |
750 @{text step}; similarly the finiteness and well-foundedness property. |
762 @{text step}; similarly the finiteness and well-foundedness property. |
751 The last two properties establish that every thread in a @{text "RAG"} |
763 The last two properties establish that every thread in a @{text "RAG"} |
752 (either holding or waiting for a resource) is a live thread. |
764 (either holding or waiting for a resource) is a live thread. |
753 |
765 |
754 To state the key lemma in our proof, it will be convenient to introduce the notion |
766 The key lemma in our proof of Theorem~\ref{mainthm} is as follows: |
755 of a \emph{detached} thread in a state, that is one which does not hold any |
|
756 critical resource nor requests one. |
|
757 |
767 |
758 \begin{lemma}\label{mainlem} |
768 \begin{lemma}\label{mainlem} |
759 Given the assumptions about states @{text "s"} and @{text "s' @ s"}, |
769 Given the assumptions about states @{text "s"} and @{text "s' @ s"}, |
760 the thread @{text th} and the events in @{text "s'"}, |
770 the thread @{text th} and the events in @{text "s'"}, |
761 if @{term "th' \<in> treads (s' @ s)"}, @{text "th' \<noteq> th"} and @{text "detached (s' @ s) th'"}\\ |
771 if @{term "th' \<in> treads (s' @ s)"}, @{text "th' \<noteq> th"} and @{text "detached (s' @ s) th'"}\\ |
786 Since @{text "th'"} is not able to run at state @{text "s' @ s"}, it is not able to |
796 Since @{text "th'"} is not able to run at state @{text "s' @ s"}, it is not able to |
787 issue a @{text "P"} or @{text "V"} event. Therefore if @{text "s' @ s"} is extended |
797 issue a @{text "P"} or @{text "V"} event. Therefore if @{text "s' @ s"} is extended |
788 one step further, @{text "th'"} still cannot hold any resource. The situation will |
798 one step further, @{text "th'"} still cannot hold any resource. The situation will |
789 not change in further extensions as long as @{text "th"} holds the highest precedence. |
799 not change in further extensions as long as @{text "th"} holds the highest precedence. |
790 |
800 |
791 From this lemma we can infer that @{text th} can only be blocked by a thread @{text th'} that |
801 From this lemma we can deduce Theorem~\ref{mainthm}: that @{text th} can only be |
|
802 blocked by a thread @{text th'} that |
792 held some resource in state @{text s} (that is not @{text "detached"}). And furthermore |
803 held some resource in state @{text s} (that is not @{text "detached"}). And furthermore |
793 that the current precedence of @{text th'} in state @{text "(s' @ s)"} must be equal to the |
804 that the current precedence of @{text th'} in state @{text "(s' @ s)"} must be equal to the |
794 precedence of @{text th} in @{text "s"}. |
805 precedence of @{text th} in @{text "s"}. |
795 |
|
796 \begin{theorem} |
|
797 Given the assumptions about states @{text "s"} and @{text "s' @ s"}, |
|
798 the thread @{text th} and the events in @{text "s'"}, if |
|
799 @{term "th' \<in> running (s' @ s)"}, @{text "th' \<noteq> th"}, then |
|
800 @{text "th' \<in> threads s"}, @{text "\<not> detached s th'"} and |
|
801 @{term "cp (s' @ s) th' = prec th s"}. |
|
802 \end{theorem} |
|
803 |
|
804 \noindent |
|
805 We show this theorem by induction on @{text "s'"} using Lemma~\ref{mainlem}. |
806 We show this theorem by induction on @{text "s'"} using Lemma~\ref{mainlem}. |
806 This theorem gives a stricter bound on the processes that can block @{text th}: |
807 This theorem gives a stricter bound on the processes that can block @{text th}: |
807 only threads that were alive in state @{text s} and moreover held a resource. |
808 only threads that were alive in state @{text s} and moreover held a resource. |
808 Finally, the theorem establishes that the blocking threads have the |
809 This means our bound is in terms of both---alive threads in state @{text s} |
|
810 and number of critical resources. Finally, the theorem establishes that the blocking threads have the |
809 current precedence raised to the precedence of @{text th}. |
811 current precedence raised to the precedence of @{text th}. |
810 |
812 |
811 We can furthermore prove that no deadlock exists in the state @{text "s' @ s"} |
813 We can furthermore prove that under our assumptions no deadlock exists in the state @{text "s' @ s"} |
812 by showing that @{text "running (s' @ s)"} is not empty. |
814 by showing that @{text "running (s' @ s)"} is not empty. |
813 |
815 |
814 \begin{lemma} |
816 \begin{lemma} |
815 Given the assumptions about states @{text "s"} and @{text "s' @ s"}, |
817 Given the assumptions about states @{text "s"} and @{text "s' @ s"}, |
816 the thread @{text th} and the events in @{text "s'"}, |
818 the thread @{text th} and the events in @{text "s'"}, |
1241 know whether this includes also code for proofs). Our formalisation |
1243 know whether this includes also code for proofs). Our formalisation |
1242 consists of around 210 lemmas and overall 6950 lines of readable Isabelle/Isar |
1244 consists of around 210 lemmas and overall 6950 lines of readable Isabelle/Isar |
1243 code with a few apply-scripts interspersed. The formal model of PIP |
1245 code with a few apply-scripts interspersed. The formal model of PIP |
1244 is 385 lines long; the formal correctness proof 3800 lines. Some auxiliary |
1246 is 385 lines long; the formal correctness proof 3800 lines. Some auxiliary |
1245 definitions and proofs took 770 lines of code. The properties relevant |
1247 definitions and proofs took 770 lines of code. The properties relevant |
1246 for an implementation took 2000 lines. %%Our code can be downloaded from |
1248 for an implementation took 2000 lines. The code of our formalisation |
1247 %%... |
1249 can be downloaded from\\ |
|
1250 \url{http://www.dcs.kcl.ac.uk/staff/urbanc/pip.html}. |
1248 |
1251 |
1249 \bibliographystyle{plain} |
1252 \bibliographystyle{plain} |
1250 \bibliography{root} |
1253 \bibliography{root} |
1251 *} |
1254 *} |
1252 |
1255 |