prio/Paper/Paper.thy
changeset 278 3e2c006e7d6c
parent 277 541bfdf1fa36
child 279 7911439863b0
--- a/prio/Paper/Paper.thy	Thu Feb 02 13:58:16 2012 +0000
+++ b/prio/Paper/Paper.thy	Fri Feb 03 11:26:11 2012 +0000
@@ -50,7 +50,7 @@
 
   The idea behind PIP is to let the process $L$ temporarily
   inherit the high priority from $H$ until $L$ leaves the critical
-  section unlocking the resource. This solves the problem of $H$
+  section by unlocking the resource. This solves the problem of $H$
   having to wait indefinitely, because $L$ cannot, for example, be
   blocked by processes having priority $M$. While a few other
   solutions exist for the Priority Inversion problem, PIP is one that is widely deployed
@@ -80,14 +80,17 @@
   He suggests to avoid PIP altogether by not allowing critical
   sections to be preempted. While this might have been a reasonable
   solution in 2002, in our modern multiprocessor world, this seems out
-  of date.  However, there is clearly a need for investigating correct
-  and efficient algorithms for PIP. A few specifications for PIP exist
-  (in English) and also a few high-level descriptions of
-  implementations (e.g.~in the textbook \cite[Section
-  5.6.5]{Vahalia96}), but they help little with actual
-  implementations. That this is a problem in practise is proved by an
-  email by Baker, who wrote on 13 July 2009 on the Linux Kernel
-  mailing list:
+  of date. The reason is that this precludes other high-priority 
+  processes from running that do not make any use of the locked
+  resource.
+
+  However, there is clearly a need for investigating correct
+  algorithms for PIP. A few specifications for PIP exist (in English)
+  and also a few high-level descriptions of implementations (e.g.~in
+  the textbook \cite[Section 5.6.5]{Vahalia96}), but they help little
+  with actual implementations. That this is a problem in practise is
+  proved by an email by Baker, who wrote on 13 July 2009 on the Linux
+  Kernel mailing list:
 
   \begin{quote}
   \it{}``I observed in the kernel code (to my disgust), the Linux PIP
@@ -102,13 +105,28 @@
   again at PIP from a more abstract level (but still concrete enough
   to inform an implementation) and makes PIP an ideal candidate for a
   formal verification. One reason, of course, is that the original
-  presentation of PIP \cite{Sha90}, despite being
-  informally ``proved'' correct, is actually \emph{flawed}. Yodaiken
+  presentation of PIP \cite{Sha90}, despite being informally
+  ``proved'' correct, is actually \emph{flawed}. Yodaiken
   \cite{Yodaiken02} points to a subtlety that had been overlooked by
-  Sha et al. They write in \cite{Sha90}
+  Sha et al. They specify in \cite{Sha90} that after the process whose
+  priority has been raised completes its critical section and releases
+  the lock, it ``returns to its original priority level.'' This leads
+  them to believe that an implementation of PIP is ``rather
+  straightforward'' \cite{Sha90}.  Unfortunately, as Yodaiken pointed
+  out, this behaviour is too simplistic.  Consider the case where the
+  low priority process $L$ locks \emph{two} resources, and two
+  high-priority processes $H$ and $H'$, respectively, wait for one of
+  them.  If $L$ releases only one of them so that $H$, say, can
+  proceed, then we still have Priority Inversion with $H'$: according
+  to Sha et al., $L$ already dropped back to its low priority, but has not yet
+  released the lock $H'$ is waiting for. Therefore the correct behaviour for $L$
+  is to revert to the highest remaining priority of processes which it
+  blocks. The advantage of a formalisation of PIP in a theorem prover 
+  is that such issues clearly show up and cannot be dodged. 
 
-  But this is too
-  simplistic. Consider
+  There have been earlier formal investigations into PIP, but ...
+
+  \bigskip
   Priority Inversion problem has been known since 1980
   \cite{Lampson80}, but Sha et al.~give the first
   thorough analysis and present an informal correctness proof for PIP