Mercurial Mercurial > hg > regexp / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | gz | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
lates
authorurbanc
Sun, 12 Feb 2012 14:58:47 +0000
changeset 301 e820ee5f76f7
parent 300 8524f94d251b
child 302 06241c45cb17
lates
prio/Paper/Paper.thy file | annotate | diff | comparison | revisions
prio/paper.pdf file | annotate | diff | comparison | revisions 
--- a/prio/Paper/Paper.thy	Sun Feb 12 11:30:17 2012 +0000
+++ b/prio/Paper/Paper.thy	Sun Feb 12 14:58:47 2012 +0000
@@ -1,6 +1,6 @@
 (*<*)
 theory Paper
-imports CpsG ExtGG "~~/src/HOL/Library/LaTeXsugar"
+imports "../CpsG" "../ExtGG" "~~/src/HOL/Library/LaTeXsugar"
 begin
 ML {*
   open Printer;
@@ -149,17 +149,39 @@
   of threads, i.e.~\emph{traces}, that could possibly happen).\medskip
 
   \noindent
-  {\bf Contributions:} There have been earlier formal investigations 
-  into PIP, but ...\cite{Faria08}
+  {\bf Contributions:} There have been earlier formal investigations
+  into PIP \cite{conf/fase/JahierHR09,WellingsBSB07,Faria08}, but they
+  are using model checking technology. As far as we are aware, this is
+  the first formalised proof for the correctness of PIP. In contrast
+  to model checking, our formalisation provides insight into why PIP
+  is correct and allows us to prove stronger properties. For this Isar
+  and Isabelle/HOL is an attractive tool for exploring definitions and
+  keeping proofs consistent.
+
+  For example, we find through formalization that the choice of next 
+  thread to take a lock when a resource is released is irrelevant for 
+  the very basic property of PIP to hold.
+
+  Despite the wide use of Priority Inheritance Protocol in real time
+  operating system, it’s correctness has never been formally proved
+  and mechanically checked. All existing verification are based on
+  model checking technology. Full automatic verification gives little
+  help to understand why the protocol is correct. And results such
+  obtained only apply to models of limited size. This paper presents a
+  formal verification based on theorem proving. Machine checked formal
+  proof does help to get deeper understanding. We found the fact which
+  is not mentioned in the literature, that the choice of next thread
+  to take over when an critical resource is release does not affect
+  the correctness of the protocol. The paper also shows how formal
+  proof can help to construct correct and efficient implementation.
 
   vt (valid trace) was introduced earlier, cite
   
-  distributed PIP
-
+  
   Paulson's method has not been used outside security field, except
   work by Zhang et al.
 
-  no clue about multi-processor case according to \cite{Steinberg10} 
+  How did Sha et al prove it....they did not use Paulson's method.
 *}
 
 section {* Formal Model of the Priority Inheritance Protocol *}
@@ -284,7 +306,7 @@
   empty list for every resource.
 
   \begin{isabelle}\ \ \ \ \ %%%
-  @{abbrev all_unlocked}
+  @{abbrev all_unlocked}\hfill\numbered{allunlocked}
   \end{isabelle}
 
   \noindent
@@ -383,7 +405,7 @@
   a thread and returns its current precedence (see \eqref{cpreced}). We assume the usual getter and 
   setter methods for such records.
 
-  In the initial state, the scheduler starts with all resources unlocked and the
+  In the initial state, the scheduler starts with all resources unlocked (see \eqref{allunlocked}) and the
   current precedence of every thread is initialised with @{term "Prc 0 0"}; that means 
   \mbox{@{abbrev initial_cprec}}. Therefore
   we have
@@ -435,7 +457,8 @@
 
   \noindent
   The clause for event @{term "V th cs"} is similar, except that we need to update the waiting queue function
-  so that the thread that possessed the lock is deleted from the corresponding thread list. For this we use
+  so that the thread that possessed the lock is deleted from the corresponding thread list. For this 
+  list transformation, we use
   the auxiliary function @{term release}. A simple version of @{term release} would
   just delete this thread and return the rest, namely
 
@@ -531,7 +554,7 @@
   \noindent
   The first rule states that a thread can only be created, if it does not yet exists.
   Similarly, the second rule states that a thread can only be terminated if it was
-  running and does not lock any resources anymore. The event @{text Set} can happen
+  running and does not lock any resources anymore (to simplify ). The event @{text Set} can happen
   if the corresponding thread is running. 
 
   \begin{center}
@@ -539,11 +562,19 @@
   \end{center}
 
   \noindent
-  If a thread wants to lock a resource, then the thread needs to be running and
-  also we have to make sure that the resource lock doe not lead to a cycle in the 
-  RAG. Similarly, if a thread wants to release a lock on a resource, then it must 
-  be running and in the possession of that lock. This is formally given by the 
-  last two inference rules of @{term step}.
+  If a thread wants to lock a resource, then the thread needs to be
+  running and also we have to make sure that the resource lock does
+  not lead to a cycle in the RAG. In practice, ensuring the latter is
+  of course the responsibility of the programmer.  Here in our formal
+  model we just exclude such problematic cases in order to make
+  some meaningful statements about PIP.\footnote{This situation is
+  similar to the infamous occurs check in Prolog: in order to say
+  anything meaningful about unification, we need to perform an occurs
+  check; but in practice the occurs check is ommited and the
+  responsibility to avoid problems rests with the programmer.}
+  Similarly, if a thread wants to release a lock on a resource, then
+  it must be running and in the possession of that lock. This is
+  formally given by the last two inference rules of @{term step}.
 
   \begin{center}
   \begin{tabular}{c}
@@ -569,7 +600,49 @@
 
 section {* Correctness Proof *}
 
-text {* TO DO *}
+
+(*<*)
+context extend_highest_gen
+begin
+(*>*)
+
+print_locale extend_highest_gen
+thm extend_highest_gen_def
+thm extend_highest_gen_axioms_def
+thm highest_gen_def
+text {* 
+  Main lemma
+
+  \begin{enumerate}
+  \item @{term "s"} is a valid state (@{text "vt_s"}):
+    @{thm  vt_s}.
+  \item @{term "th"} is a living thread in @{term "s"} (@{text "threads_s"}):
+    @{thm threads_s}.
+  \item @{term "th"} has the highest precedence in @{term "s"} (@{text "highest"}):
+    @{thm highest}.
+  \item The precedence of @{term "th"} is @{term "Prc prio tm"} (@{text "preced_th"}):
+    @{thm preced_th}.
+  \end{enumerate}
+
+
+  \begin{lemma}
+  @{thm[mode=IfThen] moment_blocked}
+  \end{lemma}
+
+  \begin{theorem}
+  @{thm[mode=IfThen] runing_inversion_2}
+  \end{theorem}
+
+  
+
+
+TO DO 
+
+*}
+
+(*<*)
+end
+(*>*)
 
 section {* Properties for an Implementation *}
 
@@ -582,8 +655,15 @@
   used in real-time systems in order to avoid the problem of Priority
   Inversion.
 
+  A clear and simple understanding of the problem at hand is both a
+  prerequisite and a byproduct of such an effort, because everything
+  has finally be reduced to the very first principle to be checked
+  mechanically.
+
   TO DO 
 
+  no clue about multi-processor case according to \cite{Steinberg10} 
+
 *}
 
 text {*
Binary file prio/paper.pdf has changed
regexp