507 \end{isabelle} |
507 \end{isabelle} |
508 |
508 |
509 \noindent |
509 \noindent |
510 In this definition @{term "DUMMY ` DUMMY"} stands for the image of a set under a function. |
510 In this definition @{term "DUMMY ` DUMMY"} stands for the image of a set under a function. |
511 Note that in the initial state, that is where the list of events is empty, the set |
511 Note that in the initial state, that is where the list of events is empty, the set |
512 @{term threads} is empty and therefore there is no thread ready nor a running. |
512 @{term threads} is empty and therefore there is neither a thread ready nor running. |
513 If there is one or more threads ready, then there can only be \emph{one} thread |
513 If there is one or more threads ready, then there can only be \emph{one} thread |
514 running, namely the one whose current precedence is equal to the maximum of all ready |
514 running, namely the one whose current precedence is equal to the maximum of all ready |
515 threads. We use the set-comprehension to capture both possibilities. |
515 threads. We use the set-comprehension to capture both possibilities. |
516 We can now also conveniently define the set of resources that are locked by a thread in a |
516 We can now also conveniently define the set of resources that are locked by a thread in a |
517 given state. |
517 given state. |
598 text {* |
598 text {* |
599 Sha et al.~\cite{Sha90} state their correctness criterion of PIP in terms |
599 Sha et al.~\cite{Sha90} state their correctness criterion of PIP in terms |
600 of the number of critical resources: if there are @{text m} critical |
600 of the number of critical resources: if there are @{text m} critical |
601 resources, then a blocked job can only be blocked @{text m} times---that is |
601 resources, then a blocked job can only be blocked @{text m} times---that is |
602 a bounded number of times. |
602 a bounded number of times. |
603 For their version of PIP, this is \emph{not} true (as pointed out by |
603 For their version of PIP, this property is \emph{not} true (as pointed out by |
604 Yodaiken \cite{Yodaiken02}) as a high-priority thread can be |
604 Yodaiken \cite{Yodaiken02}) as a high-priority thread can be |
605 blocked an unbounded number of times by creating medium-priority |
605 blocked an unbounded number of times by creating medium-priority |
606 threads that block a thread locking a critical resource and having |
606 threads that block a thread locking a critical resource and having |
607 a too low priority. In the way we have set up our formal model of PIP, |
607 a too low priority. In the way we have set up our formal model of PIP, |
608 their proof idea, even when fixed, does not seem to go through. |
608 their proof idea, even when fixed, does not seem to go through. |
610 The idea behind our correctness criterion of PIP is as follows: for all states |
610 The idea behind our correctness criterion of PIP is as follows: for all states |
611 @{text s}, we know the corresponding thread @{text th} with the highest precedence; |
611 @{text s}, we know the corresponding thread @{text th} with the highest precedence; |
612 we show that in every future state (denoted by @{text "s' @ s"}) in which |
612 we show that in every future state (denoted by @{text "s' @ s"}) in which |
613 @{text th} is still active, either @{text th} is running or it is blocked by a |
613 @{text th} is still active, either @{text th} is running or it is blocked by a |
614 thread that was active in the state @{text s}. Since in @{text s}, as in every |
614 thread that was active in the state @{text s}. Since in @{text s}, as in every |
615 state, the set of active threads is finite, @{text th} can only blocked a |
615 state, the set of active threads is finite, @{text th} can only be blocked a |
616 finite number of time. We will actually prove a stricter bound. However, |
616 finite number of times. We will actually prove a stricter bound. However, |
617 this correctness criterion depends on a number of assumptions about the states |
617 this correctness criterion hinges on a number of assumptions about the states |
618 @{text s} and @{text "s' @ s"}, the thread @{text th} and the events happening |
618 @{text s} and @{text "s' @ s"}, the thread @{text th} and the events happening |
619 in @{text s'}. |
619 in @{text s'}. We list them next. |
620 |
620 |
621 \begin{quote} |
621 \begin{quote} |
622 {\bf Assumptions on the states @{text s} and @{text "s' @ s"}:} In order to make |
622 {\bf Assumptions on the states @{text s} and @{text "s' @ s"}:} In order to make |
623 any meaningful statement, we need to require that @{text "s"} and |
623 any meaningful statement, we need to require that @{text "s"} and |
624 @{text "s' @ s"} are valid states, namely |
624 @{text "s' @ s"} are valid states, namely |
643 \end{isabelle} |
643 \end{isabelle} |
644 \end{quote} |
644 \end{quote} |
645 |
645 |
646 \begin{quote} |
646 \begin{quote} |
647 {\bf Assumptions on the events in @{text "s'"}:} We want to prove that @{text th} cannot |
647 {\bf Assumptions on the events in @{text "s'"}:} We want to prove that @{text th} cannot |
648 be blocked indefinitely. Of course this can by violated if threads with higher priority |
648 be blocked indefinitely. Of course this can happen if threads with higher priority |
649 than @{text th} are created in @{text s'}. Therefore we have to assume that |
649 than @{text th} are continously created in @{text s'}. Therefore we have to assume that |
650 events in @{text s'} can only create (respectively set) threads with lower or equal |
650 events in @{text s'} can only create (respectively set) threads with equal or lower |
651 priority than @{text prio} of @{text th}. We also have to assume that @{text th} does |
651 priority than @{text prio} of the thread @{text th}. We also have to assume that @{text th} does |
652 not get ``exited'' in @{text "s'"}. |
652 not get ``exited'' in @{text "s'"}. |
653 \begin{isabelle}\ \ \ \ \ %%% |
653 \begin{isabelle}\ \ \ \ \ %%% |
654 \begin{tabular}{l} |
654 \begin{tabular}{l} |
655 {If}~~@{text "Create _ prio' \<in> set s'"}~~{then}~~@{text "prio' \<le> prio"}\\ |
655 {If}~~@{text "Create _ prio' \<in> set s'"}~~{then}~~@{text "prio' \<le> prio"}\\ |
656 {If}~~@{text "Set th' prio' \<in> set s'"}~~{then}~~@{text "th' \<noteq> th"}~~{and}~~@{text "prio' \<le> prio"}\\ |
656 {If}~~@{text "Set th' prio' \<in> set s'"}~~{then}~~@{text "th' \<noteq> th"}~~{and}~~@{text "prio' \<le> prio"}\\ |
672 \noindent |
672 \noindent |
673 This theorem ensures that the thread @{text th}, which has the highest |
673 This theorem ensures that the thread @{text th}, which has the highest |
674 precedence in the state @{text s}, can only be blocked in the state @{text "s' @ s"} |
674 precedence in the state @{text s}, can only be blocked in the state @{text "s' @ s"} |
675 by a thread @{text th'} that already existed in @{text s}. As we shall see shortly, |
675 by a thread @{text th'} that already existed in @{text s}. As we shall see shortly, |
676 that means by only finitely many threads. Consequently, indefinite wait of |
676 that means by only finitely many threads. Consequently, indefinite wait of |
677 @{text th}, that is Priority Inversion, cannot occur. |
677 @{text th}---whcih is Priority Inversion---cannot occur. |
678 |
678 |
679 The following are several very basic prioprites: |
679 In what follows we will describe properties of PIP that allow us to prove |
680 \begin{enumerate} |
680 Theorem~\ref{mainthm}. It is relatively easily to see that |
681 \item All runing threads must be ready (@{text "runing_ready"}): |
681 |
682 @{thm[display] "runing_ready"} |
682 \begin{isabelle}\ \ \ \ \ %%% |
683 \item All ready threads must be living (@{text "readys_threads"}): |
683 \begin{tabular}{@ {}l} |
684 @{thm[display] "readys_threads"} |
684 @{text "running s \<subseteq> ready s \<subseteq> threads s"}\\ |
685 \item There are finite many living threads at any moment (@{text "finite_threads"}): |
685 @{thm[mode=IfThen] finite_threads} |
686 @{thm[display] "finite_threads"} |
686 \end{tabular} |
687 \item Every waiting queue does not contain duplcated elements (@{text "wq_distinct"}): |
687 \end{isabelle} |
688 @{thm[display] "wq_distinct"} |
688 |
689 \item All threads in waiting queues are living threads (@{text "wq_threads"}): |
689 \noindent |
690 @{thm[display] "wq_threads"} |
690 where the second property is by induction of @{term vt}. The next three |
691 \item The event which can get a thread into waiting queue must be @{term "P"}-events |
691 properties are |
692 (@{text "block_pre"}): |
692 |
693 @{thm[display] "block_pre"} |
693 \begin{isabelle}\ \ \ \ \ %%% |
694 \item A thread may never wait for two different critical resources |
694 \begin{tabular}{@ {}l} |
695 (@{text "waiting_unique"}): |
695 @{thm[mode=IfThen] waiting_unique[of _ _ "cs\<^isub>1" "cs\<^isub>2"]}\\ |
696 @{thm[display] waiting_unique[of _ _ "cs\<^isub>1" "cs\<^isub>2"]} |
696 @{thm[mode=IfThen] held_unique[of _ "th\<^isub>1" _ "th\<^isub>2"]}\\ |
697 \item Every resource can only be held by one thread |
697 @{thm[mode=IfThen] runing_unique[of _ "th\<^isub>1" "th\<^isub>2"]} |
698 (@{text "held_unique"}): |
698 \end{tabular} |
699 @{thm[display] held_unique[of _ "th\<^isub>1" _ "th\<^isub>2"]} |
699 \end{isabelle} |
700 \item Every living thread has an unique precedence |
700 |
701 (@{text "preced_unique"}): |
701 \noindent |
702 @{thm[display] preced_unique[of "th\<^isub>1" _ "th\<^isub>2"]} |
702 The first one states that every waiting thread can only wait for a single |
703 \end{enumerate} |
703 resource (because it gets suspended after requesting that resource), and |
704 *} |
704 the second that every resource can only be held by a single thread. The |
705 |
705 third property establishes that in every given valid state, there is |
706 text {* \noindent |
706 at most one running thread. |
|
707 |
|
708 TODO |
|
709 |
|
710 \noindent |
707 The following lemmas show how RAG is changed with the execution of events: |
711 The following lemmas show how RAG is changed with the execution of events: |
708 \begin{enumerate} |
712 \begin{enumerate} |
709 \item Execution of @{term "Set"} does not change RAG (@{text "depend_set_unchanged"}): |
713 \item Execution of @{term "Set"} does not change RAG (@{text "depend_set_unchanged"}): |
710 @{thm[display] depend_set_unchanged} |
714 @{thm[display] depend_set_unchanged} |
711 \item Execution of @{term "Create"} does not change RAG (@{text "depend_create_unchanged"}): |
715 \item Execution of @{term "Create"} does not change RAG (@{text "depend_create_unchanged"}): |
759 *} |
763 *} |
760 |
764 |
761 text {* \noindent |
765 text {* \noindent |
762 Some deeper results about the system: |
766 Some deeper results about the system: |
763 \begin{enumerate} |
767 \begin{enumerate} |
764 \item There can only be one running thread (@{text "runing_unique"}): |
|
765 @{thm [display] runing_unique[of _ "th\<^isub>1" "th\<^isub>2"]} |
|
766 \item The maximum of @{term "cp"} and @{term "preced"} are equal (@{text "max_cp_eq"}): |
768 \item The maximum of @{term "cp"} and @{term "preced"} are equal (@{text "max_cp_eq"}): |
767 @{thm [display] max_cp_eq} |
769 @{thm [display] max_cp_eq} |
768 \item There must be one ready thread having the max @{term "cp"}-value |
770 \item There must be one ready thread having the max @{term "cp"}-value |
769 (@{text "max_cp_readys_threads"}): |
771 (@{text "max_cp_readys_threads"}): |
770 @{thm [display] max_cp_readys_threads} |
772 @{thm [display] max_cp_readys_threads} |