prio/Paper/Paper.thy
changeset 333 813e7257c7c3
parent 332 5faa1b59e870
child 335 7fe2a20017c0
--- a/prio/Paper/Paper.thy	Thu Feb 16 08:12:01 2012 +0000
+++ b/prio/Paper/Paper.thy	Mon Feb 20 11:02:50 2012 +0000
@@ -541,7 +541,7 @@
   \end{center}
 
   \noindent
-  The first rule states that a thread can only be created, if it does not yet exists.
+  The first rule states that a thread can only be created, if it is not alive yet.
   Similarly, the second rule states that a thread can only be terminated if it was
   running and does not lock any resources anymore (this simplifies slightly our model;
   in practice we would expect the operating system releases all locks held by a
@@ -559,7 +559,7 @@
   the responsibility of the programmer.  In our formal
   model we brush aside these problematic cases in order to be able to make
   some meaningful statements about PIP.\footnote{This situation is
-  similar to the infamous occurs check in Prolog: In order to say
+  similar to the infamous \emph{occurs check} in Prolog: In order to say
   anything meaningful about unification, one needs to perform an occurs
   check. But in practice the occurs check is omitted and the
   responsibility for avoiding problems rests with the programmer.}
@@ -602,11 +602,11 @@
   Sha et al.~state their first correctness criterion for PIP in terms
   of the number of low-priority threads \cite[Theorem 3]{Sha90}: if
   there are @{text n} low-priority threads, then a blocked job with
-  high priority can only be blocked @{text n} times.
+  high priority can only be blocked a maximum of @{text n} times.
   Their second correctness criterion is given
   in terms of the number of critical resources \cite[Theorem 6]{Sha90}: if there are
   @{text m} critical resources, then a blocked job with high priority
-  can only be blocked @{text m} times. Both results on their own, strictly speaking, do
+  can only be blocked a maximum of @{text m} times. Both results on their own, strictly speaking, do
   \emph{not} prevent indefinite, or unbounded, Priority Inversion,
   because if a low-priority thread does not give up its critical
   resource (the one the high-priority thread is waiting for), then the
@@ -627,23 +627,26 @@
   Even when fixed, their proof idea does not seem to go through for
   us, because of the way we have set up our formal model of PIP.  One
   reason is that we allow that critical sections can intersect
-  (something Sha et al.~explicitly exclude).  Therefore we have designed a 
-  different correctness criterion for PIP. The idea behind our
-  criterion is as follows: for all states @{text
-  s}, we know the corresponding thread @{text th} with the highest
-  precedence; we show that in every future state (denoted by @{text
-  "s' @ s"}) in which @{text th} is still alive, either @{text th} is
-  running or it is blocked by a thread that was alive in the state
-  @{text s} and was in the possession of a lock in @{text s}. Since in @{text s}, as in every state, the set of alive
-  threads is finite, @{text th} can only be blocked a finite number of
-  times. We will actually prove a stronger statement where we also provide
-  the current precedence of the blocking thread. However, this
-  correctness criterion hinges upon a number of assumptions about the
-  states @{text s} and @{text "s' @ s"}, the thread @{text th} and the
-  events happening in @{text s'}. We list them next:
+  (something Sha et al.~explicitly exclude).  Therefore we have
+  designed a different correctness criterion for PIP. The idea behind
+  our criterion is as follows: for all states @{text s}, we know the
+  corresponding thread @{text th} with the highest precedence; we show
+  that in every future state (denoted by @{text "s' @ s"}) in which
+  @{text th} is still alive, either @{text th} is running or it is
+  blocked by a thread that was alive in the state @{text s} and was in
+  the possession of a lock in @{text s}. Since in @{text s}, as in
+  every state, the set of alive threads is finite, @{text th} can only
+  be blocked a finite number of times. This is independent of how many
+  threads of lower priority are created in @{text "s'"}. We will actually prove a
+  stronger statement where we also provide the current precedence of
+  the blocking thread. However, this correctness criterion hinges upon
+  a number of assumptions about the states @{text s} and @{text "s' @
+  s"}, the thread @{text th} and the events happening in @{text
+  s'}. We list them next:
 
   \begin{quote}
-  {\bf Assumptions on the states @{text s} and @{text "s' @ s"}:} In order to make 
+  {\bf Assumptions on the states {\boldmath@{text s}} and 
+  {\boldmath@{text "s' @ s"}:}} In order to make 
   any meaningful statement, we need to require that @{text "s"} and 
   @{text "s' @ s"} are valid states, namely
   \begin{isabelle}\ \ \ \ \ %%%
@@ -655,7 +658,8 @@
   \end{quote}
 
   \begin{quote}
-  {\bf Assumptions on the thread @{text "th"}:} The thread @{text th} must be alive in @{text s} and 
+  {\bf Assumptions on the thread {\boldmath@{text "th"}:}} 
+  The thread @{text th} must be alive in @{text s} and 
   has the highest precedence of all alive threads in @{text s}. Furthermore the
   priority of @{text th} is @{text prio} (we need this in the next assumptions).
   \begin{isabelle}\ \ \ \ \ %%%
@@ -668,7 +672,7 @@
   \end{quote}
   
   \begin{quote}
-  {\bf Assumptions on the events in @{text "s'"}:} We want to prove that @{text th} cannot
+  {\bf Assumptions on the events in {\boldmath@{text "s'"}:}} We want to prove that @{text th} cannot
   be blocked indefinitely. Of course this can happen if threads with higher priority
   than @{text th} are continuously created in @{text s'}. Therefore we have to assume that  
   events in @{text s'} can only create (respectively set) threads with equal or lower 
@@ -686,7 +690,7 @@
 
   \noindent
   The locale mechanism of Isabelle helps us to manage conveniently such assumptions~\cite{Haftmann08}.
-  Under these assumptions we will prove the following correctness property:
+  Under these assumptions we shall prove the following correctness property:
 
   \begin{theorem}\label{mainthm}
   Given the assumptions about states @{text "s"} and @{text "s' @ s"},
@@ -808,7 +812,7 @@
   that the current precedence of @{text th'} in state @{text "(s' @ s)"} must be equal to the 
   precedence of @{text th} in @{text "s"}.
   We show this theorem by induction on @{text "s'"} using Lemma~\ref{mainlem}.
-  This theorem gives a stricter bound on the processes that can block @{text th} than the
+  This theorem gives a stricter bound on the threads that can block @{text th} than the
   one obtained by Sha et al.~\cite{Sha90}:
   only threads that were alive in state @{text s} and moreover held a resource.
   This means our bound is in terms of both---alive threads in state @{text s}
@@ -1229,7 +1233,7 @@
   to \cite{Steinberg10}, is that except for one unsatisfactory
   proposal nobody has a good idea for how PIP should be modified to
   work correctly on multi-processor systems. The difficulties become
-  clear when considering the fact that locking and releasing a resource always
+  clear when considering the fact that releasing and re-locking a resource always
   requires a small amount of time. If processes work independently,
   then a low priority process can ``steal'' in such an unguarded
   moment a lock for a resource that was supposed to allow a high-priority