--- a/prio/IsaMakefile Fri Jan 27 13:50:02 2012 +0000
+++ b/prio/IsaMakefile Fri Jan 27 23:19:10 2012 +0000
@@ -1,7 +1,7 @@
## targets
-default: paper
+default: itp
all: session paper
## global settings
@@ -18,9 +18,8 @@
session: ./ROOT.ML ./*.thy
@$(USEDIR) -b -D generated -f ROOT.ML HOL Prio
-
-paper: Paper/ROOT.ML \
- Paper/*.thy
+
+itp: Paper/*.thy Paper/*.ML
@$(USEDIR) -D generated -f ROOT.ML Prio Paper
rm -f Paper/generated/*.aux # otherwise latex will fall over
cd Paper/generated ; $(ISABELLE_TOOL) latex -o pdf root.tex
--- a/prio/Paper/Paper.thy Fri Jan 27 13:50:02 2012 +0000
+++ b/prio/Paper/Paper.thy Fri Jan 27 23:19:10 2012 +0000
@@ -7,6 +7,30 @@
section {* Introduction *}
text {*
+ Many realtime systems need to support processes with priorities and
+ locking of resources. Locking of resources ensures... Priorities
+ are needed so that some processes can finish their work within ``hard''
+ deadlines. Unfortunately both features interact in subtle ways
+ leading to the problem, called Priority Inversion. Suppose three
+ processes with priorities $H$(igh), $M$(edium) and $L$(ow). We would
+ assume that process $H$ cannot be blocked by any process with lower
+ priority. Unfortunately in a naive implementation, this can happen
+ and $H$ even can be delayed indefinitely by processes with lower
+ priorities. For this let $L$ be in the posession of lock for a
+ research which also $H$ needs. $H$ must therefore wait for $L$ to
+ release this lock. Unfortunately, $L$ can in turn be blocked by any
+ process with priority $M$, and so $H$ sits there potentially waiting
+ indefinitely.
+
+ If this problem of inversion of priorities is left untreated,
+ systems can become unpredictable and have dire consequences. The
+ classic example where this happened in practice is the software on
+ the Mars pathfinder project. This software shut down at irregulare
+ intervals leading to loss of project time (the mission and data was
+ fortunately not lost, because of clever system design). The problem
+ was that a high priority process and could only be restarted the
+ next day.
+
Priority inversion referrers to the phenomena where tasks with higher
priority are blocked by ones with lower priority. If priority inversion
@@ -56,6 +80,22 @@
how priority inversion is controlled by PI. Section \ref{implement} gives properties
which can be used for guidelines of implementation. Section \ref{related} discusses
related works. Section \ref{conclusion} concludes the whole paper.
+
+
+ Contributions
+
+ Despite the wide use of Priority Inheritance Protocol in real time operating
+ system, it's correctness has never been formally proved and mechanically checked.
+ All existing verification are based on model checking technology. Full automatic
+ verification gives little help to understand why the protocol is correct.
+ And results such obtained only apply to models of limited size.
+ This paper presents a formal verification based on theorem proving.
+ Machine checked formal proof does help to get deeper understanding. We found
+ the fact which is not mentioned in the literature, that the choice of next
+ thread to take over when an critical resource is release does not affect the correctness
+ of the protocol. The paper also shows how formal proof can help to construct
+ correct and efficient implementation.\bigskip
+
*}
section {* An overview of priority inversion and priority inheritance \label{overview} *}
@@ -115,7 +155,7 @@
section {* General properties of Priority Inheritance \label{general} *}
(*<*)
ML {*
- val () = show_question_marks_default := false;
+ (*val () = show_question_marks_default := false;*)
*}
(*>*)
--- a/prio/Paper/document/root.tex Fri Jan 27 13:50:02 2012 +0000
+++ b/prio/Paper/document/root.tex Fri Jan 27 23:19:10 2012 +0000
@@ -41,28 +41,34 @@
for Correct and Efficient Implementation}
\author{Xingyuan Zhang\inst{1} \and Christian Urban\inst{2} \and Chunhan Wu\inst{1}}
\institute{PLA University of Science and Technology, China \and
- King's College London, U.K.}
+ King's College London, United Kingdom}
\maketitle
-%\mbox{}\\[-10mm]
\begin{abstract}
-Despite the wide use of Priority Inheritance Protocol in real time operating
-system, it's correctness has never been formally proved and mechanically checked.
-All existing verification are based on model checking technology. Full automatic
-verification gives little help to understand why the protocol is correct.
-And results such obtained only apply to models of limited size.
-This paper presents a formal verification based on theorem proving.
-Machine checked formal proof does help to get deeper understanding. We found
-the fact which is not mentioned in the literature, that the choice of next
-thread to take over when an critical resource is release does not affect the correctness
-of the protocol. The paper also shows how formal proof can help to construct
-correct and efficient implementation.
+In realtime systems with support for resource locking and
+processes involving priorities, one faces the problem of
+priority inversion. This problem can make the behaviour of processes unpredictable
+and the resulting bugs can be hard to find. The Priority Inheritance
+Protocol is one solution implemented in many systems for
+solving the priority inversion problem, but the correctness of this solution has never
+been formally verified in a theorem prover. The original description
+of the Property Inheritance Protocol presents a ``correctness proof''
+done with pencil-and-paper for an \emph{incorrect} algorithm. This has
+already been pointed out in the literature. In this paper we fix the
+problem of the original proof by making all notions precise and implement a
+variant of a solution proposed earlier. Our formalisation in
+Isabelle/HOL uncovered facts not mentioned in the literature, but also
+shows how to efficiently implement this protocol. Earlier correct
+implementations were criticised as too inefficient. Our formalisation
+is based on Paulson's inductive approach to verifying
+protocols.\medskip
+
+{\bf Keywords:} Priority Inheritance Protocol, formal connectness proof,
+realtime systems
\end{abstract}
-
\input{session}
-%%\mbox{}\\[-10mm]
\bibliographystyle{plain}
\bibliography{root}
Binary file prio/paper.pdf has changed