112 \it{}``Priority inheritance is neither efficient nor reliable. Implementations |
112 \it{}``Priority inheritance is neither efficient nor reliable. Implementations |
113 are either incomplete (and unreliable) or surprisingly complex and intrusive.'' |
113 are either incomplete (and unreliable) or surprisingly complex and intrusive.'' |
114 \end{quote} |
114 \end{quote} |
115 |
115 |
116 \noindent |
116 \noindent |
117 He suggests avoiding PIP altogether by not allowing critical |
117 He suggests avoiding PIP altogether by designing the system so that no |
118 sections to be preempted. Unfortunately, this solution does not |
118 priority inversion may happen in the first place. However, such ideal designs may |
119 help in real-time systems with hard deadlines for high-priority |
119 not always be achievable in practice. |
120 threads. |
|
121 |
120 |
122 In our opinion, there is clearly a need for investigating correct |
121 In our opinion, there is clearly a need for investigating correct |
123 algorithms for PIP. A few specifications for PIP exist (in English) |
122 algorithms for PIP. A few specifications for PIP exist (in English) |
124 and also a few high-level descriptions of implementations (e.g.~in |
123 and also a few high-level descriptions of implementations (e.g.~in |
125 the textbook \cite[Section 5.6.5]{Vahalia96}), but they help little |
124 the textbook \cite[Section 5.6.5]{Vahalia96}), but they help little |
173 efficient implementation of PIP in the educational PINTOS operating |
172 efficient implementation of PIP in the educational PINTOS operating |
174 system \cite{PINTOS}. For example, we found by ``playing'' with the |
173 system \cite{PINTOS}. For example, we found by ``playing'' with the |
175 formalisation that the choice of the next thread to take over a lock |
174 formalisation that the choice of the next thread to take over a lock |
176 when a resource is released is irrelevant for PIP being correct---a |
175 when a resource is released is irrelevant for PIP being correct---a |
177 fact that has not been mentioned in the literature and not been used |
176 fact that has not been mentioned in the literature and not been used |
178 in the reference implementation of PIP in PINTOS. This is important |
177 in the reference implementation of PIP in PINTOS. This fact, however, is important |
179 for an efficient implementation of PIP, because we can give the lock |
178 for an efficient implementation of PIP, because we can give the lock |
180 to the thread with the highest priority so that it terminates more |
179 to the thread with the highest priority so that it terminates more |
181 quickly. |
180 quickly. |
182 *} |
181 *} |
183 |
182 |
536 @{term threads} is empty and therefore there is neither a thread ready nor running. |
535 @{term threads} is empty and therefore there is neither a thread ready nor running. |
537 If there is one or more threads ready, then there can only be \emph{one} thread |
536 If there is one or more threads ready, then there can only be \emph{one} thread |
538 running, namely the one whose current precedence is equal to the maximum of all ready |
537 running, namely the one whose current precedence is equal to the maximum of all ready |
539 threads. We use sets to capture both possibilities. |
538 threads. We use sets to capture both possibilities. |
540 We can now also conveniently define the set of resources that are locked by a thread in a |
539 We can now also conveniently define the set of resources that are locked by a thread in a |
541 given state |
540 given state and also when a thread is detached that state (meaning the thread neither |
542 |
541 holds nor waits for a resource): |
543 \begin{isabelle}\ \ \ \ \ %%% |
542 |
544 @{thm holdents_def} |
543 \begin{isabelle}\ \ \ \ \ %%% |
545 \end{isabelle} |
544 \begin{tabular}{@ {}l} |
546 |
545 @{thm holdents_def}\\ |
547 \noindent |
|
548 and also when a thread is detached |
|
549 |
|
550 \begin{isabelle}\ \ \ \ \ %%% |
|
551 @{thm detached_def} |
546 @{thm detached_def} |
552 \end{isabelle} |
547 \end{tabular} |
553 |
548 \end{isabelle} |
554 \noindent |
549 |
555 which means that @{text th} neither holds nor waits for a resource in @{text s}. |
550 \noindent |
|
551 The second definition states that @{text th} in @{text s}. |
556 |
552 |
557 Finally we can define what a \emph{valid state} is in our model of PIP. For |
553 Finally we can define what a \emph{valid state} is in our model of PIP. For |
558 example we cannot expect to be able to exit a thread, if it was not |
554 example we cannot expect to be able to exit a thread, if it was not |
559 created yet. |
555 created yet. |
560 These validity constraints on states are characterised by the |
556 These validity constraints on states are characterised by the |
678 {\bf Assumptions on the states {\boldmath@{text s}} and |
674 {\bf Assumptions on the states {\boldmath@{text s}} and |
679 {\boldmath@{text "s' @ s"}:}} We need to require that @{text "s"} and |
675 {\boldmath@{text "s' @ s"}:}} We need to require that @{text "s"} and |
680 @{text "s' @ s"} are valid states: |
676 @{text "s' @ s"} are valid states: |
681 \begin{isabelle}\ \ \ \ \ %%% |
677 \begin{isabelle}\ \ \ \ \ %%% |
682 \begin{tabular}{l} |
678 \begin{tabular}{l} |
683 @{term "vt s"}\\ |
679 @{term "vt s"}, @{term "vt (s' @ s)"} |
684 @{term "vt (s' @ s)"} |
|
685 \end{tabular} |
680 \end{tabular} |
686 \end{isabelle} |
681 \end{isabelle} |
687 \end{quote} |
682 \end{quote} |
688 |
683 |
689 \begin{quote} |
684 \begin{quote} |
1199 |
1194 |
1200 \noindent |
1195 \noindent |
1201 That means we have to add a waiting edge to the @{text RAG}. Furthermore |
1196 That means we have to add a waiting edge to the @{text RAG}. Furthermore |
1202 the current precedence for all threads that are not dependants of @{text th} |
1197 the current precedence for all threads that are not dependants of @{text th} |
1203 are unchanged. For the others we need to follow the edges |
1198 are unchanged. For the others we need to follow the edges |
1204 in the @{text RAG} and recompute the @{term "cp"}. However, like in the |
1199 in the @{text RAG} and recompute the @{term "cp"}. To do this we can start from @{term "th"} |
1205 case of @{text Set}, this operation can stop often earlier, namely when intermediate |
1200 and follow the @{term "depend"}-edges to recompute using Lemma~\ref{childrenlem} |
1206 values do not change. |
1201 the @{term "cp"} of every |
|
1202 thread encountered on the way. Since the @{term "depend"} |
|
1203 is loop free, this procedure will always stop. The following lemma shows, however, |
|
1204 that this procedure can actually stop often earlier without having to consider all |
|
1205 dependants. |
|
1206 |
|
1207 \begin{isabelle}\ \ \ \ \ %%% |
|
1208 \begin{tabular}{@ {}l} |
|
1209 %%@ {t hm[mode=IfThen] eq_up_self}\\ |
|
1210 @{text "If"} @{thm (prem 1) eq_up}, @{thm (prem 2) eq_up} and @{thm (prem 3) eq_up}\\ |
|
1211 @{text "then"} @{thm (concl) eq_up}. |
|
1212 \end{tabular} |
|
1213 \end{isabelle} |
|
1214 |
|
1215 \noindent |
|
1216 This lemma states that if an intermediate @{term cp}-value does not change, then |
|
1217 the procedure can also stop, because none of its dependent threads will |
|
1218 have their current precedence changed. |
1207 *} |
1219 *} |
1208 (*<*) |
1220 (*<*) |
1209 end |
1221 end |
1210 (*>*) |
1222 (*>*) |
1211 text {* |
1223 text {* |
1299 PVS of the Priority Ceiling Protocol done by Dutertre |
1311 PVS of the Priority Ceiling Protocol done by Dutertre |
1300 \cite{dutertre99b}---another solution to the Priority Inversion |
1312 \cite{dutertre99b}---another solution to the Priority Inversion |
1301 problem, which however needs static analysis of programs in order to |
1313 problem, which however needs static analysis of programs in order to |
1302 avoid it. There have been earlier formal investigations |
1314 avoid it. There have been earlier formal investigations |
1303 into PIP \cite{Faria08,Jahier09,Wellings07}, but they employ model |
1315 into PIP \cite{Faria08,Jahier09,Wellings07}, but they employ model |
1304 checking techniques. In this way they are limited to validating |
1316 checking techniques. The results obtained by them apply, |
1305 one particular implementation. In contrast, our paper is a good |
1317 however, only to systems with a fixed size, such as a fixed number of |
|
1318 events and threads. In contrast, our result applies to systems of arbitrary |
|
1319 size. Moreover, our result is a good |
1306 witness for one of the major reasons to be interested in machine checked |
1320 witness for one of the major reasons to be interested in machine checked |
1307 reasoning: gaining deeper understanding of the subject matter. |
1321 reasoning: gaining deeper understanding of the subject matter. |
1308 |
1322 |
1309 Our formalisation |
1323 Our formalisation |
1310 consists of around 210 lemmas and overall 6950 lines of readable Isabelle/Isar |
1324 consists of around 210 lemmas and overall 6950 lines of readable Isabelle/Isar |
1311 code with a few apply-scripts interspersed. The formal model of PIP |
1325 code with a few apply-scripts interspersed. The formal model of PIP |
1312 is 385 lines long; the formal correctness proof 3800 lines. Some auxiliary |
1326 is 385 lines long; the formal correctness proof 3800 lines. Some auxiliary |
1313 definitions and proofs span over 770 lines of code. The properties relevant |
1327 definitions and proofs span over 770 lines of code. The properties relevant |
1314 for an implementation require 2000 lines. The code of our formalisation |
1328 for an implementation require 2000 lines. |
1315 can be downloaded from |
1329 %The code of our formalisation |
1316 \url{http://www.inf.kcl.ac.uk/staff/urbanc/pip.html}.\medskip |
1330 %can be downloaded from |
|
1331 %\url{http://www.inf.kcl.ac.uk/staff/urbanc/pip.html}.\medskip |
1317 |
1332 |
1318 \noindent |
1333 \noindent |
1319 {\bf Acknowledgements:} |
1334 {\bf Acknowledgements:} |
1320 We are grateful for the comments we received from anonymous |
1335 We are grateful for the comments we received from anonymous |
1321 referees. |
1336 referees. |