diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 9b31025e8cd7598445892a77f27c917736b9f875..05715d77c234d51dadcd2571c8ef67ec36c3ff0a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -77,7 +77,7 @@ compile-and-doc:
- .preferred-stable-version
script:
- !reference [.install-dependencies, script]
- - ./create_makefile.sh --without-classic
+ - ./create_makefile.sh
- make -j ${NJOBS}
- !reference [.make-html, script]
artifacts:
@@ -95,45 +95,13 @@ compile-and-doc-and-validate:
- .preferred-stable-version
script:
- !reference [.install-dependencies, script]
- - ./create_makefile.sh --without-classic
+ - ./create_makefile.sh
- make -j ${NJOBS}
- !reference [.make-html, script]
- make validate 2>&1 | tee validation-results.txt
- - scripts/check-validation-output.sh --accept-proof-irrelevance validation-results.txt
- artifacts:
- name: "prosa-spec-$CI_COMMIT_REF_NAME"
- paths:
- - "with-proofs/"
- - "without-proofs/"
- - "pretty/"
- expire_in: 1 week
-
-# Check that proof irrelevance shows up only due to refinements.
-compile-and-validate:
- stage: build
- extends:
- - .not_in_wip_branches
- - .preferred-stable-version
- script:
- - !reference [.install-dependencies, script]
- - ./create_makefile.sh --without-classic --without-refinements
- - make -j ${NJOBS}
- - make validate 2>&1 | tee validation-results.txt
- scripts/check-validation-output.sh validation-results.txt
-
-classic-compile-and-doc-and-validate:
- stage: build
- extends:
- - .preferred-stable-version
- - .not_in_wip_branches
- script:
- - !reference [.install-dependencies, script]
- - ./create_makefile.sh --only-classic
- - make -j ${NJOBS}
- - !reference [.make-html, script]
- - make validate
artifacts:
- name: "prosa-classic-spec-$CI_COMMIT_REF_NAME"
+ name: "prosa-spec-$CI_COMMIT_REF_NAME"
paths:
- "with-proofs/"
- "without-proofs/"
@@ -146,42 +114,3 @@ proof-length:
script:
- scripts/proofloc.py --check --long-proofs scripts/known-long-proofs.json `find . -iname *.v`
-spell-check:
- extends:
- - .not_in_wip_branches
- stage: build
- image: bbbrandenburg/aspell-ci
- script:
- - scripts/flag-typos-in-comments.sh `find . -iname '*.v' ! -path './classic/*'`
-
-# mathcomp-dev with stable Coq
-#coq-8.15:
-# extends:
-# - .build-dev
-# - .not_in_wip_branches
-# # it's ok to fail with an unreleased version of ssreflect
-# allow_failure: true
-
-# mathcomp-dev with coq-dev
-#coq-dev:
-# extends:
-# - .build-dev
-# - .not_in_wip_branches
-# # it's ok to fail with an unreleased version of ssreflect and Coq
-# allow_failure: true
-
-proof-state:
- extends:
- - .not_in_wip_branches
- stage: build
- image: bbbrandenburg/alectryon-ci:1.14.0-coq-8.15.0
- script:
- - eval $(opam env "--switch=${COMPILER_EDGE}" --set-switch)
- - !reference [.install-dependencies, script]
- - ./create_makefile.sh --without-classic
- - make -j ${NJOBS} alectryon
- artifacts:
- name: "prosa-proof-state-$CI_COMMIT_REF_NAME"
- paths:
- - "html-alectryon/"
- expire_in: 1 week
diff --git a/README.md b/README.md
index 577b8997aaa380b27e4708b031ebddbf6a94059c..af727c29d6041c9ed16e468c74c687c434754b70 100644
--- a/README.md
+++ b/README.md
@@ -1,50 +1,38 @@
-# Prosa: Formally Proven Schedulability Analysis
+# Classic Prosa (2015-2019)
-This repository contains the main Coq specification & proof development of the [Prosa open-source project](https://prosa.mpi-sws.org), which was launched in 2016. As of 2018, Prosa is primarily being developed in the context of the [RT-Proofs research project](https://rt-proofs.inria.fr/) (kindly funded jointly by ANR and DFG, projects ANR-17-CE25-0016 and DFG-391919384, respectively).
+---
-<center><img alt="RT-Proofs logo" src="http://prosa.mpi-sws.org/figures/rt-proofs-logo.png" width="300px"></center>
+**Deprecation warning:** Classic Prosa is no longer being maintained. Please base any new developments on "modern" Prosa.
-## Documentation
+---
-Up-to-date documentation for all branches of the main Prosa repository is available on the Prosa homepage:
+This branch preserves the *classic* version of the [Prosa open-source project](https://prosa.mpi-sws.org), as originally presented at ECRTS'16. This version of Prosa was developed from 2015 until 2019, and further maintained until 2022.
-- <https://prosa.mpi-sws.org/branches>
+Throughout 2018–2021, Prosa was developed in the context of the [RT-Proofs research project](https://rt-proofs.inria.fr/) (funded jointly by ANR and DFG, projects ANR-17-CE25-0016 and DFG-391919384, respectively).
-## Publications
+<center><img alt="RT-Proofs logo" src="http://prosa.mpi-sws.org/figures/rt-proofs-logo.png" width="300px"></center>
-Please see the [list of publications](https://prosa.mpi-sws.org/publications.html) on the Prosa project's homepage.
-## Directory and Module Structure
+As of now, classic Prosa has been superseded by "modern Prosa" (as tracked in the main branch of this repository), which is under active development. Classic Prosa is no longer being maintained.
-The directory and module structure is organized as follows. First, the main parts, of which there are currently four.
+This branch serves to preserve a working snapshot based on **Coq 8.16** and **mathcomp 1.15.0**.
-- [behavior/](behavior/): The `behavior` namespace collects basic definitions and properties of system behavior (i.e., it defines Prosa's **trace-based semantics**). There are *no* proofs here. This module is mandatory: *all* results in Prosa rely on the basic trace-based semantics defined in this module.
-- [model/](model/): The `model` namespace collects all definitions and basic properties of various **system models** (e.g., sporadic tasks, arrival curves, various scheduling policies, etc.). There are only few proofs here. This module contains multiple, mutually exclusive alternatives (e.g., periodic vs. sporadic tasks, uni- vs. multiprocessor models, constrained vs. arbitrary deadlines, etc.), and higher-level results are expected "pick and choose" whatever definitions and assumptions are appropriate.
-- [analysis/](analysis/): The `analysis` namespace collects all definitions and proof libraries needed to establish **system properties** (e.g., schedulability, response time, etc.). This includes a substantial library of *basic facts* that follow directly from the trace-based semantics or specific modelling assumptions. Virtually all intermediate steps and low-level proofs will be found here.
-- [results/](results/): The `results` namespace contains all **high-level analysis results**.
+## Documentation
-In future work, there will also (again) be an `implementation` or `examples` namespace in which important high-level results are instantiated (i.e., applied) in an assumption-free environment for concrete job and task types to establish the absence of any contradiction in assumptions.
+Up-to-date documentation for all branches of the main Prosa repository is available on the Prosa homepage:
-Furthermore, there are a couple of additional folders and namespaces.
+- <https://prosa.mpi-sws.org/branches>
-- [classic/](classic/): This module contains the "classic" version of Prosa as first presented at ECRTS'16.
-All results published prior to 2020 build on this "classic" version of Prosa.
-- [util/](util/): A collection of miscellaneous "helper" lemmas and tactics. Used throughout the rest of Prosa.
-- [scripts/](scripts/): Scripts and supporting resources required for continuous integration and documentation generation.
+## Publications
-## Installation
+Please see the [list of publications](https://prosa.mpi-sws.org/publications.html) on the Prosa project's homepage.
-### With OPAM
+All results published prior to 2020 build on this "classic" version of Prosa.
-Prosa can be installed using the [OPAM package manager](https://opam.ocaml.org/) (>= 2.0).
+## Installation
-```bash
-opam repo add coq-released https://coq.inria.fr/opam/released
-# or for the dev version (git master): https://coq.inria.fr/opam/extra-dev
-opam update
-opam install coq-prosa
-```
+First, make sure you have **Coq 8.16** and **mathcomp 1.15.0** installed.
### From Sources with `opam`
@@ -57,32 +45,6 @@ opam pin add -n -y -k path coq-prosa .
opam install coq-prosa
```
-### From Sources With `esy`
-
-Prosa can be installed using [esy](https://esy.sh/).
-
-#### Installing `esy`
-
-`esy` itself can typically be installed through `npm`.
-It should look something like this on most `apt`-based systems:
-
-```bash
-sudo apt install npm
-sudo npm install --global esy@latest
-```
-
-#### Installing Prosa
-
-With `esy` in place, it is easy to compile Prosa in one go. To download and compile all of Prosa's dependencies (including Coq), and then to compile Prosa itself, simply issue the command:
-
-```bash
-esy
-```
-
-Note that `esy` uses an internal compilation environment, which is not exported to the current shell.
-To work within this environment, prefix any command with `esy`: for instance `esy coqide` to run your system’s coqIDE within the right environment.
-Alternatively, `esy shell` opens a shell within its environment.
-
### Manually From Sources
#### Dependencies
@@ -91,16 +53,13 @@ Besides on Coq itself, Prosa depends on
1. the `ssreflect` library of the [Mathematical Components project](https://math-comp.github.io),
2. the [Micromega support for the Mathematical Components library](https://github.com/math-comp/mczify) provided by `mczify`, and
-3. the [The Coq Effective Algebra Library](https://github.com/coq-community/coqeal) (optional, needed only for POET-related refinements).
-These dependencies can be easily installed with OPAM.
+These dependencies can be easily installed with OPAM.
```bash
-opam install -y coq-mathcomp-ssreflect coq-mathcomp-zify coq-coqeal
+opam install -y coq-mathcomp-ssreflect<=1.15.0 coq-mathcomp-zify
```
-Prosa always tracks the latest stable versions of Coq and ssreflect. We do not maintain compatibility with older versions of either Coq or ssreflect.
-
#### Compiling Prosa
Assuming all dependencies are available (either via OPAM or compiled from source, see the [Prosa setup instructions](http://prosa.mpi-sws.org/setup-instructions.html)), compiling Prosa consists of only two steps.
@@ -111,18 +70,6 @@ First, create an appropriate `Makefile`.
./create_makefile.sh
```
-Alternatively, to avoid compiling the older "classic" Prosa, specify the `--without-classic` option. This can speed up compilation considerably and is a good idea during development. (It's also possible to *only* compile the "classic" Prosa by specifying the `--only-classic` option, but this is rarely needed.)
-
-```bash
-./create_makefile.sh --without-classic
-```
-
-To avoid compiling the POET-related refinements (which require CoqEAL to be installed and inject a dependency on the *proof irrelevance* axiom), specify the switch `--without-refinements`. For example, to skip both "classic" Prosa and the refinements library, use the following command:
-
-```bash
-./create_makefile.sh --without-classic --without-refinements
-```
-
Second, compile the library.
```bash
@@ -139,29 +86,3 @@ The Coqdoc documentation (as shown on the [webpage](http://prosa.mpi-sws.org/doc
- `make gallinahtml -j` --- just the specification, without proofs,
- `make html -j` --- full specification with all proofs.
-
-Since Coqdoc requires object files (`*.vo`) as input, please make sure that the code is compilable.
-
-## Commit and Development Rules
-
-We very much welcome external contributions. Please don't hesitate to [get in touch](http://prosa.mpi-sws.org/get-in-touch.html)!
-
-To make things as smooth as possible, here are a couple of rules and guidelines that we seek to abide by.
-
-1. Always follow the project [coding and writing guidelines](doc/guidelines.md).
-
-2. Make sure the master branch "compiles" at each commit. This is not true for the early history of the repository, and during certain stretches of heavy refactoring, but going forward we should strive to keep it working at all times.
-
-3. It's ok (and even recommended) to develop in a (private) dirty branch, but clean up and rebase (i.e., `git-rebase -i`) on top of the current master branch before opening a merge request.
-
-4. Create merge requests liberally. No improvement is too small or too insignificant for a merge request. This applies to documentation fixes (e.g., typo fixes, grammar fixes, clarifications, etc.) as well.
-
-5. If you are unsure whether a proposed change is even acceptable or the right way to go about things, create a work-in-progress (WIP) merge request as a basis for discussion. A WIP merge request is prefixed by "WIP:".
-
-6. We strive to have only "fast-forward merges" without merge commits, so always rebase your branch to linearize the history before merging. (WIP branches do not need to be linear.)
-
-7. Recommendation: Document the tactics that you use in the [list of tactics](doc/tactics.md), especially when introducing/using non-standard tactics.
-
-8. If something seems confusing, please help with improving the documentation. :-)
-
-9. If you don't know how to fix or improve something, or if you have an open-ended suggestion in need of discusion, please file a ticket.
diff --git a/analysis/README.md b/analysis/README.md
deleted file mode 100644
index b4ad6d4356d19c820b7d6a3ac05dfaef87af7025..0000000000000000000000000000000000000000
--- a/analysis/README.md
+++ /dev/null
@@ -1,24 +0,0 @@
-# Prosa Analysis Library
-
-This module provides virtually all **analysis concepts and definitions** and encapsulates the bulk of the **intermediate proofs** in Prosa.
-
-More precisely, this module collects all definitions that are not needed to define the behavioral semantics (found in [prosa.behavior](../behavior)) and that also do not conceptually form part of the task and system model (found in [prosa.model](../model)). For example, precise notions of "schedulability," "busy window," or "response time" are clearly analysis concepts and consequently defined here.
-
-The proofs found in this module are "intermediate proofs" in the sense that they are not an end in of themselves; rather, they are a means to enable the proofs of the high-level results provided in the [prosa.results](../results) module.
-
-## Structure
-
-The Prosa analysis library is currently organized as follows:
-
-- [abstract](./abstract): This provides **abstract RTA** analysis framework, a general and extensible approach to response-time analysis (RTA).
-- [definitions](./definitions): This folder currently collects all major and minor **analysis definitions** (such as schedulability, priority inversion, etc.).
-- [transform](./transform): This folder contains procedures for transforming schedules, to be used in proofs that rely on modifying a given reference schedule in some way (e.g., the EDF "swapping argument").
-- [facts](./facts): Currently the home of virtually all **intermediate proofs**. In particular, [facts.behavior](./facts/behavior) provides a library of basic facts that follow (mostly) directly from Prosa's trace semantics (as given in [prosa.behavior](../behavior)).
-
-**NB**: It is expected that the analysis module will be further (re)organized and (re)structured in future versions of Prosa.
-
-## Guidelines
-
-- As a general rule, keep definitions and proofs separate, so that casual readers may read and understand the Prosa specification without encountering intermediate lemmas and proofs.
-- Prefer subfolders with many short files over fewer, longer files.
-- In each file that is specific to some system model, explicitly `Require` the specific modules that jointly constitute the assumed system model (e.g., `Require prosa.model.processor.ideal` to express that the results in a file depend on the ideal-uniprocessor assumption).
\ No newline at end of file
diff --git a/analysis/abstract/abstract_rta.v b/analysis/abstract/abstract_rta.v
deleted file mode 100644
index 95c1d76377c3f9b1e10721e99a57c57fac10498d..0000000000000000000000000000000000000000
--- a/analysis/abstract/abstract_rta.v
+++ /dev/null
@@ -1,532 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Export prosa.analysis.definitions.schedulability.
-Require Export prosa.analysis.abstract.search_space.
-Require Export prosa.analysis.abstract.run_to_completion.
-
-(** * Abstract Response-Time Analysis *)
-(** In this module, we propose the general framework for response-time analysis (RTA)
- of uni-processor scheduling of real-time tasks with arbitrary arrival models. *)
-(** We prove that the maximum (with respect to the set of offsets) among the solutions
- of the response-time bound recurrence is a response time bound for [tsk]. Note that
- in this section we do not rely on any hypotheses about job sequentiality. *)
-Section Abstract_RTA.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskRunToCompletionThreshold Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context {JA : JobArrival Job}.
- Context {JC : JobCost Job}.
- Context `{JobPreemptable Job}.
-
- (** Consider any kind of uni-service ideal processor state model. *)
- Context {PState : ProcessorState Job}.
- Hypothesis H_ideal_progress_proc_model : ideal_progress_proc_model PState.
- Hypothesis H_unit_service_proc_model : unit_service_proc_model PState.
-
- (** Consider any valid arrival sequence with consistent, non-duplicate arrivals... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... and any schedule of this arrival sequence... *)
- Variable sched : schedule PState.
-
- (** ... where jobs do not execute before their arrival nor after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Assume that the job costs are no larger than the task costs. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Consider a task set ts... *)
- Variable ts : list Task.
-
- (** ... and a task [tsk] of ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Consider a valid preemption model... *)
- Hypothesis H_valid_preemption_model:
- valid_preemption_model arr_seq sched.
-
- (** ...and a valid task run-to-completion threshold function. That
- is, [task_rtct tsk] is (1) no bigger than [tsk]'s cost, (2) for
- any job of task [tsk] [job_rtct] is bounded by [task_rtct]. *)
- Hypothesis H_valid_run_to_completion_threshold:
- valid_task_run_to_completion_threshold arr_seq tsk.
-
- (** Let's define some local names for clarity. *)
- Let work_conserving := work_conserving arr_seq sched.
- Let busy_intervals_are_bounded_by := busy_intervals_are_bounded_by arr_seq sched tsk.
- Let job_interference_is_bounded_by := job_interference_is_bounded_by arr_seq sched tsk.
-
- (** Assume we are provided with abstract functions for interference and interfering workload. *)
- Variable interference : Job -> instant -> bool.
- Variable interfering_workload : Job -> instant -> duration.
-
- (** We assume that the scheduler is work-conserving. *)
- Hypothesis H_work_conserving : work_conserving interference interfering_workload.
-
- (** For simplicity, let's define some local names. *)
- Let cumul_interference := cumul_interference interference.
- Let cumul_interfering_workload := cumul_interfering_workload interfering_workload.
- Let busy_interval := busy_interval sched interference interfering_workload.
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- (** Let L be a constant which bounds any busy interval of task [tsk]. *)
- Variable L : duration.
- Hypothesis H_busy_interval_exists:
- busy_intervals_are_bounded_by interference interfering_workload L.
-
- (** Next, assume that interference_bound_function is a bound on
- the interference incurred by jobs of task [tsk]. *)
- Variable interference_bound_function : Task -> duration -> duration -> duration.
- Hypothesis H_job_interference_is_bounded:
- job_interference_is_bounded_by
- interference interfering_workload interference_bound_function.
-
- (** For simplicity, let's define a local name for the search space. *)
- Let is_in_search_space A := is_in_search_space tsk L interference_bound_function A.
-
- (** Consider any value [R] that upper-bounds the solution of each
- response-time recurrence, i.e., for any relative arrival time [A]
- in the search space, there exists a corresponding solution [F]
- such that [R >= F + (task_cost tsk - task_rtct tsk)]. *)
- Variable R: nat.
- Hypothesis H_R_is_maximum:
- forall A,
- is_in_search_space A ->
- exists F,
- A + F >= task_rtct tsk
- + interference_bound_function tsk A (A + F) /\
- R >= F + (task_cost tsk - task_rtct tsk).
-
- (** In this section we show a detailed proof of the main theorem
- that establishes that R is a response-time bound of task [tsk]. *)
- Section ProofOfTheorem.
-
- (** Consider any job j of [tsk] with positive cost. *)
- Variable j: Job.
- Hypothesis H_j_arrives: arrives_in arr_seq j.
- Hypothesis H_job_of_tsk: job_of_task tsk j.
- Hypothesis H_job_cost_positive: job_cost_positive j.
-
- (** Assume we have a busy interval <<[t1, t2)>> of job j that is bounded by L. *)
- Variable t1 t2: instant.
- Hypothesis H_busy_interval: busy_interval j t1 t2.
-
- (** Let's define A as a relative arrival time of job j (with respect to time t1). *)
- Let A := job_arrival j - t1.
-
- (** In order to prove that R is a response-time bound of job j, we use hypothesis H_R_is_maximum.
- Note that the relative arrival time (A) is not necessarily from the search space. However,
- earlier we have proven that for any A there exists another [A_sp] from the search space that
- shares the same IBF value. Moreover, we've also shown that there exists an [F_sp] such that
- [F_sp] is a solution of the response time recurrence for parameter [A_sp]. Thus, despite the
- fact that the relative arrival time may not lie in the search space, we can still use
- the assumption H_R_is_maximum. *)
-
- (** More formally, consider any [A_sp] and [F_sp] such that:.. *)
- Variable A_sp F_sp : duration.
-
- (** (a) [A_sp] is less than or equal to [A]... *)
- Hypothesis H_A_gt_Asp : A_sp <= A.
-
- (** (b) [interference_bound_function(A, x)] is equal to
- [interference_bound_function(A_sp, x)] for all [x] less than [L]... *)
- Hypothesis H_equivalent :
- are_equivalent_at_values_less_than
- (interference_bound_function tsk A)
- (interference_bound_function tsk A_sp) L.
-
- (** (c) [A_sp] is in the search space, ... *)
- Hypothesis H_Asp_is_in_search_space : is_in_search_space A_sp.
-
- (** (d) [A_sp + F_sp] is a solution of the response time recurrence... *)
- Hypothesis H_Asp_Fsp_fixpoint :
- A_sp + F_sp >= task_rtct tsk + interference_bound_function tsk A_sp (A_sp + F_sp).
-
- (** (e) and finally, [F_sp + (task_last - ε)] is no greater than R. *)
- Hypothesis H_R_gt_Fsp : R >= F_sp + (task_cost tsk - task_rtct tsk).
-
- (** In this section, we consider the case where the solution is so large
- that the value of [t1 + A_sp + F_sp] goes beyond the busy interval.
- Although this case may be impossible in some scenarios, it can be
- easily proven, since any job that completes by the end of the busy
- interval remains completed. *)
- Section FixpointOutsideBusyInterval.
-
- (** By assumption, suppose that t2 is less than or equal to [t1 + A_sp + F_sp]. *)
- Hypothesis H_big_fixpoint_solution : t2 <= t1 + (A_sp + F_sp).
-
- (** Then we prove that [job_arrival j + R] is no less than [t2]. *)
- Lemma t2_le_arrival_plus_R:
- t2 <= job_arrival j + R.
- Proof.
- move: H_busy_interval => [[/andP [GT LT] [QT1 NTQ]] QT2].
- apply leq_trans with (t1 + (A_sp + F_sp)); first by done.
- apply leq_trans with (t1 + A + F_sp).
- { by rewrite !addnA leq_add2r leq_add2l. }
- rewrite /A subnKC; last by done.
- rewrite leq_add2l.
- by apply leq_trans with (F_sp + (task_cost tsk - task_rtct tsk));
- first rewrite leq_addr.
- Qed.
-
- (** But since we know that the job is completed by the end of its busy interval,
- we can show that job j is completed by [job arrival j + R]. *)
- Lemma job_completed_by_arrival_plus_R_1:
- completed_by sched j (job_arrival j + R).
- Proof.
- move: H_busy_interval => [[/andP [GT LT] [QT1 NTQ]] QT2].
- apply completion_monotonic with t2; try done.
- apply t2_le_arrival_plus_R.
- eapply job_completes_within_busy_interval; eauto 2.
- Qed.
-
- End FixpointOutsideBusyInterval.
-
- (** In this section, we consider the complementary case where
- [t1 + A_sp + F_sp] lies inside the busy interval. *)
- Section FixpointInsideBusyInterval.
-
- (** So, assume that [t1 + A_sp + F_sp] is less than t2. *)
- Hypothesis H_small_fixpoint_solution : t1 + (A_sp + F_sp) < t2.
-
- (** Next, let's consider two other cases: *)
- (** CASE 1: the value of the fix-point is no less than the relative arrival time of job [j]. *)
- Section FixpointIsNoLessThanArrival.
-
- (** Suppose that [A_sp + F_sp] is no less than relative arrival of job [j]. *)
- Hypothesis H_fixpoint_is_no_less_than_relative_arrival_of_j : A <= A_sp + F_sp.
-
- (** In this section, we prove that the fact that job [j] is not completed by
- time [job_arrival j + R] leads to a contradiction. Which in turn implies
- that the opposite is true -- job [j] completes by time [job_arrival j + R]. *)
- Section ProofByContradiction.
-
- (** Recall that by lemma "solution_for_A_exists" there is a solution [F]
- of the response-time recurrence for the given relative arrival time [A]
- (which is not necessarily from the search space). *)
-
- (** Thus, consider a constant [F] such that:.. *)
- Variable F : duration.
- (** (a) the sum of [A_sp] and [F_sp] is equal to the sum of [A] and [F]... *)
- Hypothesis H_Asp_Fsp_eq_A_F : A_sp + F_sp = A + F.
- (** (b) [F] is at mo1st [F_sp]... *)
- Hypothesis H_F_le_Fsp : F <= F_sp.
- (** (c) and [A + F] is a solution for the response-time recurrence for [A]. *)
- Hypothesis H_A_F_fixpoint:
- A + F >= task_rtct tsk + interference_bound_function tsk A (A + F).
-
- (** Next, we assume that job [j] is not completed by time [job_arrival j + R]. *)
- Hypothesis H_j_not_completed : ~~ completed_by sched j (job_arrival j + R).
-
- (** Some additional reasoning is required since the term [task_cost tsk - task_rtct tsk]
- does not necessarily bound the term [job_cost j - job_rtct j]. That is, a job can
- have a small run-to-completion threshold, thereby becoming non-preemptive much earlier than guaranteed
- according to task run-to-completion threshold, while simultaneously executing the last non-preemptive
- segment that is longer than [task_cost tsk - task_rtct tsk] (e.g., this is possible
- in the case of floating non-preemptive sections).
-
- In this case we cannot directly apply lemma "j_receives_at_least_run_to_completion_threshold". Therefore
- we introduce two temporal notions of the last non-preemptive region of job j and an execution
- optimism. We use these notions inside this proof, so we define them only locally. *)
-
- (** Let the last non-preemptive region of job [j] (last) be
- the difference between the cost of the job and the [j]'s
- run-to-completion threshold (i.e. [job_cost j - job_rtct j]).
- We know that after j has reached its
- run-to-completion threshold, it will additionally be
- executed [job_last j] units of time. *)
- Let job_last := job_cost j - job_rtct j.
-
- (** And let execution optimism (optimism) be the difference
- between the [tsk]'s run-to-completion threshold and the
- [j]'s run-to-completion threshold (i.e. [task_rtct -
- job_rtct]). Intuitively, optimism is how much earlier
- job j has received its run-to-completion threshold than
- it could at worst. *)
- Let optimism := task_rtct tsk - job_rtct j.
-
- (** From lemma "j_receives_at_least_run_to_completion_threshold"
- with parameters [progress_of_job := job_rtct j] and [delta :=
- (A + F) - optimism)] we know that service of [j] by time
- [t1 + (A + F) - optimism] is no less than [job_rtct
- j]. Hence, job [j] is completed by time [t1 + (A + F) -
- optimism + last]. *)
- Lemma j_is_completed_by_t1_A_F_optimist_last :
- completed_by sched j (t1 + (A + F - optimism) + job_last).
- Proof.
- move: H_busy_interval => [[/andP [GT LT] _] _].
- have ESERV :=
- @j_receives_at_least_run_to_completion_threshold
- _ _ _ PState _ _ arr_seq sched interference interfering_workload
- _ j _ _ t1 t2 _ (job_rtct j) _ ((A + F) - optimism).
- specialize (ESERV JA JC).
- feed_n 6 ESERV; eauto 2.
- specialize (ESERV JC _).
- feed_n 2 ESERV.
- { eapply job_run_to_completion_threshold_le_job_cost; eauto. }
- { rewrite -{2}(leqRW H_A_F_fixpoint).
- rewrite /definitions.cumul_interference.
- rewrite -[in X in _ <= X]addnBAC; last by rewrite leq_subr.
- rewrite {2}/optimism.
- rewrite subKn; last by apply H_valid_run_to_completion_threshold.
- rewrite leq_add2l.
- apply leq_trans with (cumul_interference j t1 (t1 + (A + F))).
- { rewrite /cumul_interference /definitions.cumul_interference
- [in X in _ <= X](@big_cat_nat _ _ _ (t1 + (A + F - optimism))) //=.
- all: by lia. }
- { apply H_job_interference_is_bounded with t2; try done.
- - by rewrite -H_Asp_Fsp_eq_A_F.
- - apply/negP; intros CONTR.
- move: H_j_not_completed => /negP C; apply: C.
- apply completion_monotonic with (t1 + (A + F)); try done.
- rewrite addnA subnKC // leq_add2l.
- apply leq_trans with F_sp; first by done.
- by lia. } }
- apply: job_completes_after_reaching_run_to_completion_threshold; rt_eauto.
- Qed.
-
- (** However, [t1 + (A + F) - optimism + last ≤ job_arrival j + R]!
- To prove this fact we need a few auxiliary inequalities that are
- needed because we use the truncated subtraction in our development.
- So, for example [a + (b - c) = a + b - c] only if [b ≥ c]. *)
- Section AuxiliaryInequalities.
-
- (** Recall that we consider a busy interval of a job [j], and [j] has arrived [A] time units
- after the beginning the busy interval. From basic properties of a busy interval it
- follows that job [j] incurs interference at any time instant t ∈ <<[t1, t1 + A)>>.
- Therefore [interference_bound_function(tsk, A, A + F)] is at least [A]. *)
- Lemma relative_arrival_le_interference_bound:
- A <= interference_bound_function tsk A (A + F).
- Proof.
- move: H_j_not_completed; clear H_j_not_completed; move => /negP CONTRc.
- move: (H_busy_interval) => [[/andP [GT LT] _] _].
- apply leq_trans with (cumul_interference j t1 (t1 + (A+F))).
- { rewrite /cumul_interference.
- apply leq_trans with
- (\sum_(t1 <= t < t1 + A) interference j t);last by
- rewrite /definitions.cumul_interference [in X in _ <= X](@big_cat_nat _ _ _ (t1 + A)) //=; try by lia.
- { rewrite -{1}[A](sum_of_ones t1).
- rewrite [in X in X <= _]big_nat_cond [in X in _ <= X]big_nat_cond.
- rewrite leq_sum //.
- move => t /andP [/andP [NEQ1 NEQ2] _].
- rewrite lt0b.
- move: (H_work_conserving j t1 t2 t) => CONS.
- feed_n 4 CONS; try done.
- { apply/andP; split; first by done.
- by apply leq_trans with (t1 + A); [done | lia]. }
- move: CONS => [CONS1 _].
- apply/negP; intros CONTR.
- move: (CONS1 CONTR) => SCHED; clear CONS1 CONTR.
- move: NEQ2; rewrite ltnNge; move => /negP NEQ2; apply: NEQ2.
- rewrite /A subnKC; last by done.
- by apply : has_arrived_scheduled; rt_eauto. } }
- { apply H_job_interference_is_bounded with t2; try done.
- - by rewrite -H_Asp_Fsp_eq_A_F.
- - apply /negP; move => CONTR.
- apply: CONTRc.
- by apply completion_monotonic with (t1 + (A + F)); [lia | done]. }
- Qed.
-
- (** As two trivial corollaries, we show that
- [tsk]'s run-to-completion threshold is at most [F_sp]... *)
- Corollary tsk_run_to_completion_threshold_le_Fsp :
- task_rtct tsk <= F_sp.
- Proof.
- move: H_A_F_fixpoint => EQ.
- have L1 := relative_arrival_le_interference_bound.
- by lia.
- Qed.
-
- (** ... and optimism is at most [F]. *)
- Corollary optimism_le_F :
- optimism <= F.
- Proof.
- move: H_A_F_fixpoint => EQ.
- have L1 := relative_arrival_le_interference_bound.
- by lia.
- Qed.
-
- End AuxiliaryInequalities.
-
- (** Next we show that [t1 + (A + F) - optimism + last] is at most [job_arrival j + R],
- which is easy to see from the following sequence of inequalities:
-
- [t1 + (A + F) - optimism + last]
- [≤ job_arrival j + (F - optimism) + job_last]
- [≤ job_arrival j + (F_sp - optimism) + job_last]
- [≤ job_arrival j + F_sp + (job_last - optimism)]
- [≤ job_arrival j + F_sp + job_cost j - task_rtct tsk]
- [≤ job_arrival j + F_sp + task_cost tsk - task_rtct tsk]
- [≤ job_arrival j + R]. *)
- Lemma t1_A_F_optimist_last_le_arrival_R :
- t1 + (A + F - optimism) + job_last <= job_arrival j + R.
- Proof.
- move: (H_busy_interval) => [[/andP [GT LT] _] _].
- have L1 := tsk_run_to_completion_threshold_le_Fsp.
- have L2 := optimism_le_F.
- apply leq_trans with (job_arrival j + (F - optimism) + job_last).
- { rewrite leq_add2r addnBA.
- - by rewrite /A !addnA subnKC // addnBA.
- - by apply leq_trans with F; last rewrite leq_addl.
- }
- { move: H_valid_run_to_completion_threshold => [PRT1 PRT2].
- rewrite -addnA leq_add2l.
- apply leq_trans with (F_sp - optimism + job_last ); first by rewrite leq_add2r leq_sub2r.
- apply leq_trans with (F_sp + (task_cost tsk - task_rtct tsk)); last by done.
- rewrite /optimism subnBA; last by apply PRT2.
- rewrite -addnBAC // /job_last.
- rewrite addnBA; last by eapply job_run_to_completion_threshold_le_job_cost; eauto 2.
- rewrite -addnBAC; last by lia.
- rewrite -addnBA // subnn addn0.
- rewrite addnBA; last by apply PRT1.
- rewrite addnBAC; last by done.
- rewrite leq_sub2r // leq_add2l.
- by move: H_job_of_tsk => /eqP <-; apply H_valid_job_cost.
- }
- Qed.
-
- (** ... which contradicts the initial assumption about [j] is not
- completed by time [job_arrival j + R]. *)
- Lemma j_is_completed_earlier_contradiction : False.
- Proof.
- move: H_j_not_completed => /negP C; apply: C.
- apply completion_monotonic with (t1 + ((A + F) - optimism) + job_last);
- auto using j_is_completed_by_t1_A_F_optimist_last, t1_A_F_optimist_last_le_arrival_R.
- Qed.
-
- End ProofByContradiction.
-
- (** Putting everything together, we conclude that [j] is completed by [job_arrival j + R]. *)
- Lemma job_completed_by_arrival_plus_R_2:
- completed_by sched j (job_arrival j + R).
- Proof.
- move: H_busy_interval => [[/andP [GT LT] _] _].
- have L1 := solution_for_A_exists
- tsk L (fun tsk A R => task_rtct tsk
- + interference_bound_function tsk A R) A_sp F_sp.
- specialize (L1 _).
- feed_n 2 L1; try done.
- { move: (H_busy_interval_exists j H_j_arrives H_job_of_tsk H_job_cost_positive)
- => [t1' [t2' [BOUND BUSY]]].
- have EQ:= busy_interval_is_unique _ _ _ _ _ _ _ _ H_busy_interval BUSY.
- move : EQ => [EQ1 EQ2].
- subst t1' t2'; clear BUSY.
- by rewrite -(ltn_add2l t1); apply leq_trans with t2.
- }
- specialize (L1 A); feed_n 2 L1; first by apply/andP; split.
- + by intros x LTG; apply/eqP; rewrite eqn_add2l H_equivalent.
- move: L1 => [F [EQSUM [F2LEF1 FIX2]]].
- apply/negP; intros CONTRc; move: CONTRc => /negP CONTRc.
- by eapply j_is_completed_earlier_contradiction in CONTRc; eauto 2.
- Qed.
-
- End FixpointIsNoLessThanArrival.
-
- (** CASE 2: the value of the fix-point is less than the relative arrival time of
- job j (which turns out to be impossible, i.e. the solution of the response-time
- recurrence is always equal to or greater than the relative arrival time). *)
- Section FixpointCannotBeSmallerThanArrival.
-
- (** Assume that [A_sp + F_sp] is less than A. *)
- Hypothesis H_fixpoint_is_less_that_relative_arrival_of_j: A_sp + F_sp < A.
-
- (** Note that the relative arrival time of job j is less than L. *)
- Lemma relative_arrival_is_bounded: A < L.
- Proof.
- rewrite /A.
- move: (H_busy_interval_exists j H_j_arrives H_job_of_tsk H_job_cost_positive) => [t1' [t2' [BOUND BUSY]]].
- have EQ:= busy_interval_is_unique _ _ _ _ _ _ _ _ H_busy_interval BUSY. destruct EQ as [EQ1 EQ2].
- subst t1' t2'; clear BUSY.
- apply leq_trans with (t2 - t1); last by rewrite leq_subLR.
- move: (H_busy_interval)=> [[/andP [T1 T3] [_ _]] _].
- by apply ltn_sub2r; first apply leq_ltn_trans with (job_arrival j).
- Qed.
-
- (** We can use [j_receives_at_least_run_to_completion_threshold] to prove that the service
- received by j by time [t1 + (A_sp + F_sp)] is no less than run-to-completion threshold. *)
- Lemma service_of_job_ge_run_to_completion_threshold:
- service sched j (t1 + (A_sp + F_sp)) >= job_rtct j.
- Proof.
- move: (H_busy_interval) => [[NEQ [QT1 NTQ]] QT2].
- move: (NEQ) => /andP [GT LT].
- move: (H_job_interference_is_bounded t1 t2 (A_sp + F_sp) j) => IB.
- feed_n 5 IB; try done.
- { apply/negP => COMPL.
- apply completion_monotonic with (t' := t1 + A) in COMPL; try done; last first.
- { by rewrite leq_add2l; apply ltnW. }
- { rewrite /A subnKC in COMPL; last by done.
- move: COMPL; rewrite /completed_by leqNgt; move => /negP COMPL; apply: COMPL.
- rewrite /service -(service_during_cat _ _ _ (job_arrival j)); last by apply/andP; split.
- rewrite (cumulative_service_before_job_arrival_zero) //; rt_eauto.
- by rewrite add0n /service_during big_geq //.
- }
- }
- rewrite -/A in IB.
- have ALTT := relative_arrival_is_bounded.
- simpl in IB; rewrite H_equivalent in IB; last by apply ltn_trans with A.
- have ESERV :=
- @j_receives_at_least_run_to_completion_threshold
- _ _ _ PState _ _ arr_seq sched interference interfering_workload
- _ j _ _ t1 t2 _ (job_rtct j) _ (A_sp + F_sp).
- specialize (ESERV JA JC).
- feed_n 6 ESERV; eauto 2.
- specialize (ESERV JC _).
- feed_n 2 ESERV; eauto using job_run_to_completion_threshold_le_job_cost.
- by rewrite -{2}(leqRW H_Asp_Fsp_fixpoint) leq_add //; apply H_valid_run_to_completion_threshold.
- Qed.
-
- (** However, this is a contradiction. Since job [j] has not yet arrived, its service
- is equal to [0]. However, run-to-completion threshold is always positive. *)
- Lemma relative_arrival_time_is_no_less_than_fixpoint:
- False.
- Proof.
- move: (H_busy_interval) => [[NEQ [QT1 NTQ]] QT2].
- move: (NEQ) => /andP [GT LT].
- have ESERV := service_of_job_ge_run_to_completion_threshold.
- move: ESERV; rewrite leqNgt; move => /negP ESERV; apply: ESERV.
- rewrite /service cumulative_service_before_job_arrival_zero;
- eauto 5 using job_run_to_completion_threshold_positive; rt_eauto.
- rewrite -[X in _ <= X](@subnKC t1) //.
- by rewrite -/A leq_add2l ltnW.
- Qed.
-
- End FixpointCannotBeSmallerThanArrival.
-
- End FixpointInsideBusyInterval.
-
- End ProofOfTheorem.
-
- (** Using the lemmas above, we prove that [R] is a response-time bound. *)
- Theorem uniprocessor_response_time_bound:
- response_time_bounded_by tsk R.
- Proof.
- intros j ARR JOBtsk. unfold job_response_time_bound.
- move: (posnP (@job_cost _ JC j)) => [ZERO|POS].
- { by rewrite /completed_by ZERO. }
- move: (H_busy_interval_exists j ARR JOBtsk POS) => [t1 [t2 [T2 BUSY]]].
- move: (BUSY) => [[/andP [GE LT] _] QTt2].
- have A2LTL := relative_arrival_is_bounded _ ARR JOBtsk POS _ _ BUSY.
- set (A2 := job_arrival j - t1) in *.
- move: (representative_exists tsk _ interference_bound_function _ A2LTL) => [A1 [ALEA2 [EQΦ INSP]]].
- move: (H_R_is_maximum _ INSP) => [F1 [FIX1 LE1]].
- destruct (t1 + (A1 + F1) >= t2) eqn:BIG.
- - eapply job_completed_by_arrival_plus_R_1; eauto 2.
- - apply negbT in BIG; rewrite -ltnNge in BIG.
- destruct (A2 <= A1 + F1) eqn:BOUND.
- + eapply job_completed_by_arrival_plus_R_2; eauto 2.
- + apply negbT in BOUND; rewrite -ltnNge in BOUND.
- exfalso; apply relative_arrival_time_is_no_less_than_fixpoint
- with (j := j) (t1 := t1) (t2 := t2) (A_sp := A1) (F_sp := F1); auto.
- Qed.
-
-End Abstract_RTA.
diff --git a/analysis/abstract/abstract_seq_rta.v b/analysis/abstract/abstract_seq_rta.v
deleted file mode 100644
index 8c59748e207f0632aa2c27d479b967f37e21e2ec..0000000000000000000000000000000000000000
--- a/analysis/abstract/abstract_seq_rta.v
+++ /dev/null
@@ -1,698 +0,0 @@
-Require Export prosa.analysis.definitions.task_schedule.
-Require Export prosa.analysis.facts.model.rbf.
-Require Export prosa.analysis.facts.model.task_arrivals.
-Require Export prosa.analysis.facts.model.sequential.
-Require Export prosa.analysis.abstract.abstract_rta.
-
-(** * Abstract Response-Time Analysis with sequential tasks *)
-(** In this section we propose the general framework for response-time analysis (RTA)
- of uni-processor scheduling of real-time tasks with arbitrary arrival models
- and sequential tasks. *)
-
- (** We prove that the maximum among the solutions of the response-time bound
- recurrence for some set of parameters is a response-time bound for [tsk].
- Note that in this section we _do_ rely on the hypothesis about task
- sequentiality. This allows us to provide a more precise response-time
- bound function, since jobs of the same task will be executed strictly
- in the order they arrive. *)
-Section Sequential_Abstract_RTA.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskRunToCompletionThreshold Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobPreemptable Job}.
-
- (** Consider any valid arrival sequence with consistent, non-duplicate arrivals...*)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... and any ideal schedule of this arrival sequence. *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_jobs_come_from_arrival_sequence : jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ... where jobs do not execute before their arrival nor after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Assume that the job costs are no larger than the task costs. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Consider an arbitrary task set. *)
- Variable ts : list Task.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Consider a valid preemption model... *)
- Hypothesis H_valid_preemption_model:
- valid_preemption_model arr_seq sched.
-
- (** ...and a valid task run-to-completion threshold function. That
- is, [task_rtct tsk] is (1) no bigger than [tsk]'s cost, (2) for
- any job of task [tsk] [job_rtct] is bounded by [task_rtct]. *)
- Hypothesis H_valid_run_to_completion_threshold:
- valid_task_run_to_completion_threshold arr_seq tsk.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for any task [tsk] in ts
- [max_arrival tsk] is (1) an arrival bound of [tsk], and (2) it is a monotonic function
- that equals [0] for the empty interval [delta = 0]. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Assume we are provided with abstract functions for interference and interfering workload. *)
- Variable interference : Job -> instant -> bool.
- Variable interfering_workload : Job -> instant -> duration.
-
- (** Let's define some local names for clarity. *)
- Let task_rbf := task_request_bound_function tsk.
- Let busy_interval := busy_interval sched interference interfering_workload.
- Let arrivals_between := arrivals_between arr_seq.
- Let service_of_jobs_at := service_of_jobs_at sched.
- Let task_workload_between := task_workload_between arr_seq tsk.
- Let task_service_of_jobs_in := task_service_of_jobs_in sched tsk.
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- (** In this section, we introduce a few new definitions to make it easier
- to express the new bound of the worst-case execution time. *)
- Section Definitions.
-
- (** When assuming sequential tasks, we can introduce an additional hypothesis that
- ensures that the values of interference and workload remain consistent. It states
- that any of [tsk]'s job, that arrived before the busy interval, should be
- completed by the beginning of the busy interval. *)
- Definition interference_and_workload_consistent_with_sequential_tasks :=
- forall (j : Job) (t1 t2 : instant),
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- job_cost j > 0 ->
- busy_interval j t1 t2 ->
- task_workload_between 0 t1 = task_service_of_jobs_in (arrivals_between 0 t1) 0 t1.
-
- (** Next we introduce the notion of task interference. Intuitively, task [tsk] incurs
- interference when some of the jobs of task [tsk] incur interference. As a result,
- [tsk] cannot make any progress. More formally, task [tsk] experiences interference at
- a time instant time [t], if at time t task [tsk] is not scheduled and there exists
- a job of [tsk] that (1) experiences interference and (2) has arrived before some
- time instant [upper_bound].
-
- It is important to note two subtle points: according to our semantics of the
- interference function, jobs from the same task can cause interference to each other.
- In the definition of interference of a task we want to avoid such situations. That
- is why we use the term [~~ task_scheduled_at tsk t].
-
- Moreover, in order to make the definition constructive, we introduce an upper bound
- on the arrival time of jobs from task [tsk]. As a result, we need to consider only a
- finite number of jobs. For the function to produce the correct values it is enough
- to specify a sufficiently large upper_bound. Usually as upper_bound one can use the
- end of the corresponding busy interval. *)
- Definition task_interference_received_before (tsk : Task) (upper_bound : instant) (t : instant) :=
- (~~ task_scheduled_at sched tsk t)
- && has (fun j => interference j t) (task_arrivals_before arr_seq tsk upper_bound).
-
- (** Next we define the cumulative task interference. *)
- Definition cumul_task_interference tsk upper_bound t1 t2 :=
- \sum_(t1 <= t < t2) task_interference_received_before tsk upper_bound t.
-
- (** We say that task interference is bounded by task_interference_bound_function ([tIBF])
- iff for any job [j] of task [tsk] cumulative _task_ interference within the interval
- [t1, t1 + R) is bounded by function [tIBF(tsk, A, R)].
- Note that this definition is almost the same as the definition of job_interference_is_bounded_by
- from the non-necessary-sequential case. However, in this case we ignore the
- interference that comes from jobs from the same task. *)
- Definition task_interference_is_bounded_by
- (task_interference_bound_function : Task -> duration -> duration -> duration) :=
- forall j R t1 t2,
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- t1 + R < t2 ->
- ~~ completed_by sched j (t1 + R) ->
- busy_interval j t1 t2 ->
- let offset := job_arrival j - t1 in
- cumul_task_interference tsk t2 t1 (t1 + R) <= task_interference_bound_function tsk offset R.
-
- End Definitions.
-
- (** In this section, we prove that the maximum among the solutions of the
- response-time bound recurrence is a response-time bound for [tsk]. *)
- Section ResponseTimeBound.
-
- (** For simplicity, let's define some local names. *)
- Let cumul_interference := cumul_interference interference.
- Let cumul_workload := cumul_interfering_workload interfering_workload.
- Let cumul_task_interference := cumul_task_interference tsk.
-
- (** We assume that the schedule is work-conserving. *)
- Hypothesis H_work_conserving:
- work_conserving arr_seq sched interference interfering_workload.
-
- (** Unlike the previous theorem [uniprocessor_response_time_bound], we assume
- that (1) tasks are sequential, moreover (2) functions interference and
- interfering_workload are consistent with the hypothesis of sequential tasks. *)
- Hypothesis H_sequential_tasks : sequential_tasks arr_seq sched.
- Hypothesis H_interference_and_workload_consistent_with_sequential_tasks:
- interference_and_workload_consistent_with_sequential_tasks.
-
- (** Assume we have a constant L which bounds the busy interval of any of [tsk]'s jobs. *)
- Variable L : duration.
- Hypothesis H_busy_interval_exists:
- busy_intervals_are_bounded_by arr_seq sched tsk interference interfering_workload L.
-
- (** Next, we assume that task_interference_bound_function is a bound on interference incurred by the task. *)
- Variable task_interference_bound_function : Task -> duration -> duration -> duration.
- Hypothesis H_task_interference_is_bounded:
- task_interference_is_bounded_by task_interference_bound_function.
-
- (** Given any job [j] of task [tsk] that arrives exactly [A] units after the beginning of the busy
- interval, the bound on the total interference incurred by [j] within an interval of length [Δ]
- is no greater than [task_rbf (A + ε) - task_cost tsk + task's IBF Δ]. Note that in case of
- sequential tasks the bound consists of two parts: (1) the part that bounds the interference
- received from other jobs of task [tsk] -- [task_rbf (A + ε) - task_cost tsk] and (2) any other
- interference that is bounded by [task_IBF(tsk, A, Δ)]. *)
- Let total_interference_bound (tsk : Task) (A Δ : duration) :=
- task_rbf (A + ε) - task_cost tsk + task_interference_bound_function tsk A Δ.
-
- (** Note that since we consider the modified interference bound function, the search space has
- also changed. One can see that the new search space is guaranteed to include any A for which
- [task_rbf (A) ≠task_rbf (A + ε)], since this implies the fact that
- [total_interference_bound (tsk, A, Δ) ≠total_interference_bound (tsk, A + ε, Δ)]. *)
- Let is_in_search_space_seq := is_in_search_space tsk L total_interference_bound.
-
- (** Consider any value [R], and assume that for any relative arrival time [A] from the search
- space there is a solution [F] of the response-time recurrence that is bounded by [R]. In
- contrast to the formula in "non-sequential" Abstract RTA, assuming that tasks are
- sequential leads to a more precise response-time bound. Now we can explicitly express
- the interference caused by other jobs of the task under consideration.
-
- To understand the right part of the fix-point in the equation it is helpful to note
- that the bound on the total interference ([bound_of_total_interference]) is equal to
- [task_rbf (A + ε) - task_cost tsk + tIBF tsk A Δ]. Besides, a job must receive
- enough service to become non-preemptive [task_lock_in_service tsk]. The sum of
- these two quantities is exactly the right-hand side of the equation. *)
- Variable R : nat.
- Hypothesis H_R_is_maximum_seq:
- forall (A : duration),
- is_in_search_space_seq A ->
- exists (F : duration),
- A + F >= (task_rbf (A + ε) - (task_cost tsk - task_rtct tsk))
- + task_interference_bound_function tsk A (A + F) /\
- R >= F + (task_cost tsk - task_rtct tsk).
-
- (** In this section we prove a few simple lemmas about the completion of jobs from the task
- considering the busy interval of the job under consideration. *)
- Section CompletionOfJobsFromSameTask.
-
- (** Consider any two jobs [j1] [j2] of [tsk]. *)
- Variable j1 j2 : Job.
- Hypothesis H_j1_arrives: arrives_in arr_seq j1.
- Hypothesis H_j2_arrives: arrives_in arr_seq j2.
- Hypothesis H_j1_from_tsk: job_of_task tsk j1.
- Hypothesis H_j2_from_tsk: job_of_task tsk j2.
- Hypothesis H_j1_cost_positive: job_cost_positive j1.
-
- (** Consider the busy interval <<[t1, t2)>> of job j1. *)
- Variable t1 t2 : instant.
- Hypothesis H_busy_interval : busy_interval j1 t1 t2.
-
- (** We prove that if a job from task [tsk] arrived before the beginning of the busy
- interval, then it must be completed before the beginning of the busy interval *)
- Lemma completed_before_beginning_of_busy_interval:
- job_arrival j2 < t1 ->
- completed_by sched j2 t1.
- Proof.
- move => JA; move: (H_j2_from_tsk) => /eqP TSK2eq.
- rewrite /completed_by.
- move: (posnP (@job_cost _ H3 j2)) => [-> | POS]; first by done.
- move: (H_interference_and_workload_consistent_with_sequential_tasks j1 t1 t2) => SWEQ.
- feed_n 4 SWEQ; try by done.
- by apply all_jobs_have_completed_equiv_workload_eq_service with (j := j2) in SWEQ => //; rt_eauto.
- Qed.
-
- (** Next we prove that if a job is pending after the beginning
- of the busy interval <<[t1, t2)>> then it arrives after t1. *)
- Lemma arrives_after_beginning_of_busy_interval:
- forall t,
- t1 <= t ->
- pending sched j2 t ->
- arrived_between j2 t1 t.+1.
- Proof.
- intros t GE PEND.
- rewrite /arrived_between; apply/andP; split; last first.
- { by move: PEND => /andP [ARR _]; rewrite ltnS. }
- rewrite leqNgt; apply/negP; intros LT.
- move: (H_busy_interval) => [[/andP [AFR1 AFR2] [QT _]] _].
- have L12 := completed_before_beginning_of_busy_interval LT.
- apply completion_monotonic with (t' := t) in L12; try done.
- by move: PEND => /andP [_ /negP T2].
- Qed.
-
- End CompletionOfJobsFromSameTask.
-
- (** Since we are going to use the [uniprocessor_response_time_bound] theorem to prove
- the theorem of this section, we have to show that all the hypotheses are satisfied.
- Namely, we need to show that hypotheses [H_sequential_tasks, H_i_w_are_task_consistent
- and H_task_interference_is_bounded_by] imply [H_job_interference_is_bounded], and the
- fact that [H_R_is_maximum_seq] implies [H_R_is_maximum]. *)
-
- (** In this section we show that there exists a bound for cumulative interference for any
- job of task [tsk], i.e., the hypothesis [H_job_interference_is_bounded] holds. *)
- Section BoundOfCumulativeJobInterference.
-
- (** Consider any job [j] of [tsk]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** Consider the busy interval <<[t1, t2)>> of job j. *)
- Variable t1 t2 : instant.
- Hypothesis H_busy_interval : busy_interval j t1 t2.
-
- (** Let's define A as a relative arrival time of job j (with respect to time t1). *)
- Let A : duration := job_arrival j - t1.
-
- (** Consider an arbitrary time x ... *)
- Variable x : duration.
- (** ... such that (t1 + x) is inside the busy interval... *)
- Hypothesis H_inside_busy_interval : t1 + x < t2.
- (** ... and job j is not completed by time (t1 + x). *)
- Hypothesis H_job_j_is_not_completed : ~~ completed_by sched j (t1 + x).
-
- (** In this section, we show that the cumulative interference of job j in the interval <<[t1, t1 + x)>>
- is bounded by the sum of the task workload in the interval [t1, t1 + A + ε) and the cumulative
- interference of [j]'s task in the interval [t1, t1 + x). Note that the task workload is computed
- only on the interval [t1, t1 + A + ε). Thanks to the hypothesis about sequential tasks, jobs of
- task [tsk] that arrive after [t1 + A + ε] cannot interfere with j. *)
- Section TaskInterferenceBoundsInterference.
-
- (** We start by proving a simpler analog of the lemma which states that at
- any time instant t ∈ <<[t1, t1 + x)>> the sum of [interference j t] and
- [scheduled_at j t] is no larger than the sum of [the service received
- by jobs of task tsk at time t] and [task_iterference tsk t]. *)
-
- (** Next we consider 4 cases. *)
- Section CaseAnalysis.
-
- (** Consider an arbitrary time instant t ∈ <<[t1, t1 + x)>>. *)
- Variable t : instant.
- Hypothesis H_t_in_interval : t1 <= t < t1 + x.
-
- Section Case1.
-
- (** Assume the processor is idle at time [t]. *)
- Hypothesis H_idle : sched t = None.
-
- (** In case when the processor is idle, one can show that
- [interference j t = 1, scheduled_at j t = 0]. But since
- interference doesn't come from a job of task [tsk]
- [task_interference tsk = 1]. Which reduces to [1 ≤ 1]. *)
- Lemma interference_plus_sched_le_serv_of_task_plus_task_interference_idle:
- interference j t + scheduled_at sched j t <=
- service_of_jobs_at (job_of_task tsk) (arrivals_between t1 (t1 + A + ε)) t +
- task_interference_received_before tsk t2 t.
- Proof.
- move: (H_busy_interval) => [[/andP [BUS LT] _] _].
- rewrite /cumul_task_interference /definitions.cumul_interference
- /Sequential_Abstract_RTA.cumul_task_interference /task_interference_received_before
- /task_scheduled_at /task_schedule.task_scheduled_at /service_of_jobs_at
- /service_of_jobs.service_of_jobs_at/= scheduled_at_def.
- erewrite eq_bigr; last by move => i j' /=; rewrite service_at_def H_idle /=.
- rewrite /= big1_eq add0n H_idle addn0.
- case INT: (interference j t); last by done.
- rewrite /= lt0b.
- apply/hasP; exists j; last by done.
- by rewrite mem_filter; apply/andP; split; rt_eauto.
- Qed.
-
- End Case1.
-
- Section Case2.
-
- (** Assume a job [j'] from another task is scheduled at time [t]. *)
- Variable j' : Job.
- Hypothesis H_sched : sched t = Some j'.
- Hypothesis H_not_job_of_tsk : ~~ job_of_task tsk j'.
-
- (** If a job [j]' from another task is scheduled at time [t],
- then [interference j t = 1, scheduled_at j t = 0]. But
- since interference doesn't come from a job of task [tsk]
- [task_interference tsk = 1]. Which reduces to [1 ≤ 1]. *)
- Lemma interference_plus_sched_le_serv_of_task_plus_task_interference_task:
- interference j t + scheduled_at sched j t <=
- service_of_jobs_at (job_of_task tsk) (arrivals_between t1 (t1 + A + ε)) t +
- task_interference_received_before tsk t2 t.
- Proof.
- move: (H_busy_interval) => [[/andP [BUS LT] _] _].
- rewrite /cumul_task_interference /definitions.cumul_interference
- /Sequential_Abstract_RTA.cumul_task_interference /task_interference_received_before
- /task_scheduled_at /task_schedule.task_scheduled_at /service_of_jobs_at
- /service_of_jobs.service_of_jobs_at scheduled_at_def/=.
- move : H_sched => /eqP SCHED.
- have ARRs: arrives_in arr_seq j' by rewrite -scheduled_at_def in SCHED;rt_eauto.
- rewrite H_sched H_not_job_of_tsk; simpl.
- have ->: Some j' == Some j = false; last rewrite addn0.
- { apply/negP => /eqP CONTR; inversion CONTR; subst j'.
- by move: (H_not_job_of_tsk); rewrite H_job_of_tsk. }
- erewrite eq_bigr; last by move=> i _; rewrite service_at_def H_sched.
- have ZERO: \sum_(i <- arrivals_between t1 (t1 + A + ε) | job_task i == tsk) (Some j' == Some i) = 0.
- { apply big1 => j2 TSK.
- apply/eqP; rewrite eqb0; apply/negP => /eqP EQ; inversion EQ; subst j'.
- by move: (H_not_job_of_tsk); rewrite / job_of_task TSK.
- }
- rewrite {}ZERO ?addn0 add0n /=.
- case INT: (interference j t); last by done.
- rewrite /= lt0b.
- apply/hasP; exists j; last by done.
- by rewrite mem_filter; apply/andP; split; rt_eauto.
- Qed.
-
- End Case2.
-
- Section Case3.
-
- (** Assume a job [j'] (different from j) of task [tsk] is scheduled at time [t]. *)
- Variable j' : Job.
- Hypothesis H_sched : sched t = Some j'.
- Hypothesis H_not_job_of_tsk : job_of_task tsk j'.
- Hypothesis H_j_neq_j' : j != j'.
-
- (** If a job [j'] (different from [j]) of task [tsk] is scheduled at time [t], then
- [interference j t = 1, scheduled_at j t = 0]. Moreover, since interference
- comes from a job of the same task [task_interference tsk = 0]. However,
- in this case [service_of_jobs of tsk = 1]. Which reduces to [1 ≤ 1]. *)
- Lemma interference_plus_sched_le_serv_of_task_plus_task_interference_job:
- interference j t + scheduled_at sched j t <=
- service_of_jobs_at (job_of_task tsk) (arrivals_between t1 (t1 + A + ε)) t +
- task_interference_received_before tsk t2 t.
- Proof.
- move: (H_busy_interval) => [[/andP [BUS LT] _] _].
- rewrite /cumul_task_interference /definitions.cumul_interference
- /Sequential_Abstract_RTA.cumul_task_interference /task_interference_received_before
- /task_scheduled_at /task_schedule.task_scheduled_at /service_of_jobs_at
- /service_of_jobs.service_of_jobs_at scheduled_at_def/=.
- move : H_sched =>/eqP SCHED.
- rewrite -scheduled_at_def in SCHED.
- have ARRs: arrives_in arr_seq j' by rt_eauto.
- move: (H_not_job_of_tsk) => /eqP; rewrite H_sched => ->; rewrite eq_refl addn0; simpl.
- have ->: Some j' == Some j = false by
- apply/negP => /eqP EQ; inversion EQ; subst j'; move:H_j_neq_j' => /negP NEQ; apply: NEQ.
- replace (interference j t) with true; last first.
- { have NEQT: t1 <= t < t2.
- { by move: H_t_in_interval => /andP [NEQ1 NEQ2]; apply/andP; split; last apply ltn_trans with (t1 + x). }
- move: (H_work_conserving j t1 t2 t H_j_arrives H_job_cost_positive H_busy_interval NEQT) => [Hn _].
- apply/eqP;rewrite eq_sym eqb_id; apply/negPn/negP; intros CONTR; move: CONTR => /negP CONTR.
- apply Hn in CONTR; rewrite scheduled_at_def in CONTR; simpl in CONTR.
- by move: CONTR; rewrite H_sched => /eqP EQ; inversion EQ; subst; move: H_j_neq_j' => /eqP.
- }
- rewrite big_mkcond sum_nat_gt0 filter_predT; apply/hasP; exists j'; last first.
- { move: H_not_job_of_tsk => /eqP TSK.
- by rewrite /job_of_task TSK eq_refl service_at_def H_sched eq_refl. }
- { intros. have ARR:= arrives_after_beginning_of_busy_interval j j' _ _ _ _ _ t1 t2 _ t.
- feed_n 8 ARR; try (done || by move: H_t_in_interval => /andP [T1 T2]).
- { move: H_sched => /eqP SCHEDt.
- apply scheduled_implies_pending; rt_eauto. }
- case_eq (job_arrival j' <= job_arrival j) => ARRNEQ.
- { move: ARR => /andP [Ð Ð _].
- eapply arrived_between_implies_in_arrivals; rt_eauto.
- by apply/andP; split; last rewrite /A subnKC // addn1 ltnS. }
- { exfalso.
- apply negbT in ARRNEQ; rewrite -ltnNge in ARRNEQ.
- move: (H_sequential_tasks j j' t) => CONTR.
- feed_n 5 CONTR; try done.
- { by rewrite /same_task eq_sym; move: (H_job_of_tsk) => /eqP ->. }
- move: H_job_j_is_not_completed => /negP T; apply: T.
- apply completion_monotonic with t; try done.
- by apply ltnW; move: H_t_in_interval => /andP [_ NEQ]. } }
- Qed.
-
- End Case3.
-
- Section Case4.
-
- (** Assume that job [j] is scheduled at time [t]. *)
- Hypothesis H_sched : sched t = Some j.
-
- (** If job [j] is scheduled at time [t], then [interference = 0, scheduled_at = 1], but
- note that [service_of_jobs of tsk = 1], therefore inequality reduces to [1 ≤ 1]. *)
- Lemma interference_plus_sched_le_serv_of_task_plus_task_interference_j:
- interference j t + scheduled_at sched j t <=
- service_of_jobs_at (job_of_task tsk) (arrivals_between t1 (t1 + A + ε)) t +
- task_interference_received_before tsk t2 t.
- Proof.
- have j_is_in_arrivals_between: j \in arrivals_between t1 (t1 + A + ε).
- { eapply arrived_between_implies_in_arrivals; rt_eauto.
- move: (H_busy_interval) => [[/andP [GE _] [_ _]] _].
- by apply/andP; split; last rewrite /A subnKC // addn1.
- } intros.
- rewrite /cumul_task_interference /definitions.cumul_interference
- /Sequential_Abstract_RTA.cumul_task_interference /task_interference_received_before
- /task_scheduled_at /task_schedule.task_scheduled_at /service_of_jobs_at
- /service_of_jobs.service_of_jobs_at scheduled_at_def.
- rewrite H_sched; move: H_job_of_tsk => /eqP ->; rewrite eq_refl eq_refl addn0 //=.
- move: (H_work_conserving j _ _ t H_j_arrives H_job_cost_positive H_busy_interval) => WORK.
- feed WORK.
- { move: H_t_in_interval => /andP [NEQ1 NEQ2].
- by apply/andP; split; last apply ltn_trans with (t1 + x). }
- move: WORK => [_ ZIJT].
- feed ZIJT; first by rewrite scheduled_at_def H_sched; simpl.
- move: ZIJT => /negP /eqP; rewrite eqb_negLR; simpl; move => /eqP ZIJT; rewrite ZIJT; simpl; rewrite add0n.
- rewrite big_mkcond //= sum_nat_gt0 filter_predT; apply/hasP.
- exists j; first by apply j_is_in_arrivals_between.
- by move: (H_job_of_tsk) => ->; rewrite service_at_def H_sched eq_refl.
- Qed.
-
- End Case4.
-
- (** We use the above case analysis to prove that any time instant
- t ∈ <<[t1, t1 + x)>> the sum of [interference j t] and [scheduled_at j t]
- is no larger than the sum of [the service received by jobs of task
- tsk at time t] and [task_iterference tsk t]. *)
- Lemma interference_plus_sched_le_serv_of_task_plus_task_interference:
- interference j t + scheduled_at sched j t
- <= service_of_jobs_at (job_of_task tsk) (arrivals_between t1 (t1 + A + ε)) t
- + task_interference_received_before tsk t2 t.
- Proof.
- move: (H_busy_interval) => [[/andP [BUS LT] _] _].
- case SCHEDt: (sched t) => [j1 | ];
- last by apply interference_plus_sched_le_serv_of_task_plus_task_interference_idle.
- have ARRs: arrives_in arr_seq j1
- by move: SCHEDt => /eqP; rewrite -scheduled_at_def; rt_eauto.
- case_eq (job_task j1 == tsk) => TSK;
- last by eapply interference_plus_sched_le_serv_of_task_plus_task_interference_task; [eassumption| apply/negbT].
- case EQ: (j == j1); [move: EQ => /eqP EQ; subst j1 | ];
- first by apply interference_plus_sched_le_serv_of_task_plus_task_interference_j.
- by eapply interference_plus_sched_le_serv_of_task_plus_task_interference_job;
- auto; repeat split; eauto; apply/eqP; move: EQ => /eqP EQ; auto.
- Qed.
-
- End CaseAnalysis.
-
- (** Next we prove cumulative version of the lemma above. *)
- Lemma cumul_interference_plus_sched_le_serv_of_task_plus_cumul_task_interference:
- cumul_interference j t1 (t1 + x)
- <= (task_service_of_jobs_in (arrivals_between t1 (t1 + A + ε)) t1 (t1 + x)
- - service_during sched j t1 (t1 + x)) + cumul_task_interference t2 t1 (t1 + x).
- Proof.
- have j_is_in_arrivals_between: j \in arrivals_between t1 (t1 + A + ε).
- { eapply arrived_between_implies_in_arrivals; rt_eauto.
- move: (H_busy_interval) => [[/andP [GE _] [_ _]] _].
- by apply/andP; split; last rewrite /A subnKC // addn1.
- }
- rewrite /cumul_interference /cumul_interference /task_service_of_jobs_in
- /service_of_jobs.task_service_of_jobs_in
- /service_of_jobs exchange_big //=.
- rewrite -(leq_add2r (\sum_(t1 <= t < (t1 + x)) service_at sched j t)).
- rewrite [X in _ <= X]addnC addnA subnKC; last first.
- { rewrite (exchange_big _ _ (arrivals_between _ _)) /= (big_rem j) //=.
- by rewrite H_job_of_tsk leq_addr. }
- rewrite -big_split -big_split //=.
- rewrite big_nat_cond [X in _ <= X]big_nat_cond leq_sum //; move => t /andP [NEQ _].
- rewrite {1}service_at_def -scheduled_at_def.
- by apply interference_plus_sched_le_serv_of_task_plus_task_interference.
- Qed.
-
- (** On the other hand, the service terms in the inequality
- above can be upper-bound by the workload terms. *)
- Lemma serv_of_task_le_workload_of_task_plus:
- task_service_of_jobs_in (arrivals_between t1 (t1 + A + ε)) t1 (t1 + x)
- - service_during sched j t1 (t1 + x) + cumul_task_interference t2 t1 (t1 + x)
- <= (task_workload_between t1 (t1 + A + ε) - job_cost j)
- + cumul_task_interference t2 t1 (t1 + x).
- Proof.
- have j_is_in_arrivals_between: j \in arrivals_between t1 (t1 + A + ε).
- { eapply arrived_between_implies_in_arrivals; rt_eauto.
- move: (H_busy_interval) => [[/andP [GE _] [_ _]] _].
- by apply/andP; split; last rewrite /A subnKC // addn1.
- }
- rewrite leq_add2r.
- rewrite /task_workload /task_service_of_jobs_in
- /service_of_jobs.task_service_of_jobs_in/service_of_jobs /workload_of_jobs.
- rewrite (big_rem j) ?[X in _ <= X - _](big_rem j) //=; auto using j_is_in_arrivals_between.
- rewrite H_job_of_tsk addnC -addnBA; last by done.
- rewrite [X in _ <= X - _]addnC -addnBA; last by done.
- rewrite !subnn !addn0.
- by apply service_of_jobs_le_workload; rt_eauto.
- Qed.
-
- (** Finally, we show that the cumulative interference of job j in the interval <<[t1, t1 + x)>>
- is bounded by the sum of the task workload in the interval [t1, t1 + A + ε) and
- the cumulative interference of [j]'s task in the interval [t1, t1 + x). *)
- Lemma cumulative_job_interference_le_task_interference_bound:
- cumul_interference j t1 (t1 + x)
- <= (task_workload_between t1 (t1 + A + ε) - job_cost j)
- + cumul_task_interference t2 t1 (t1 + x).
- Proof.
- apply leq_trans with
- (task_service_of_jobs_in (arrivals_between t1 (t1 + A + ε)) t1 (t1 + x)
- - service_during sched j t1 (t1 + x)
- + cumul_task_interference t2 t1 (t1 + x));
- [ by apply cumul_interference_plus_sched_le_serv_of_task_plus_cumul_task_interference
- | by apply serv_of_task_le_workload_of_task_plus].
- Qed.
-
- End TaskInterferenceBoundsInterference.
-
- (** In order to obtain a more convenient bound of the cumulative interference, we need to
- abandon the actual workload in favor of a bound which depends on task parameters only.
- So, we show that actual workload of the task excluding workload of any job [j] is no
- greater than bound of workload excluding the cost of job [j]'s task. *)
- Lemma task_rbf_excl_tsk_bounds_task_workload_excl_j:
- task_workload_between t1 (t1 + A + ε) - job_cost j <= task_rbf (A + ε) - task_cost tsk.
- Proof.
- move: H_j_arrives H_job_of_tsk H_busy_interval => ARR TSK [[/andP [JAGET1 JALTT2] _] _].
- apply leq_trans with
- (task_cost tsk * number_of_task_arrivals arr_seq tsk t1 (t1 + A + ε) - task_cost tsk); last first.
- { rewrite leq_sub2r // leq_mul2l; apply/orP; right.
- rewrite -addnA -{2}[(A+1)](addKn t1).
- by apply H_is_arrival_curve; auto using leq_addr. }
- have Fact6: j \in arrivals_between (t1 + A) (t1 + A + ε).
- { apply arrived_between_implies_in_arrivals; rt_eauto.
- apply/andP; split; rewrite /A subnKC //.
- by rewrite addn1 ltnSn //. }
- have Fact4: j \in arrivals_at arr_seq (t1 + A).
- {
- have CONSISTENT : consistent_arrival_times arr_seq by rt_eauto.
- by move: ARR => [t ARR]; rewrite subnKC //; feed (CONSISTENT j t); try (subst t).
- }
- have Fact1: 1 <= number_of_task_arrivals arr_seq tsk (t1 + A) (t1 + A + ε).
- { rewrite /number_of_task_arrivals /task_arrivals_between /arrival_sequence.arrivals_between.
- by rewrite size_filter -has_count; apply/hasP; exists j; last rewrite TSK.
- }
- rewrite (@num_arrivals_of_task_cat _ _ _ _ _ (t1 + A)); last by apply/andP; split; rewrite leq_addr //.
- rewrite mulnDr.
- have Step1: task_workload_between t1 (t1 + A + ε)
- = task_workload_between t1 (t1 + A) + task_workload_between (t1 + A) (t1 + A + ε).
- { by apply workload_of_jobs_cat; apply/andP; split; rewrite leq_addr. } rewrite Step1; clear Step1.
- rewrite -!addnBA; first last.
- { by rewrite /task_workload_between /workload.task_workload_between /task_workload
- /workload_of_jobs (big_rem j) //= TSK leq_addr. }
- { apply leq_trans with (task_cost tsk); first by done.
- by rewrite -{1}[task_cost tsk]muln1 leq_mul2l; apply/orP; right. }
- rewrite leq_add; [by done | by eapply task_workload_le_num_of_arrivals_times_cost; eauto | ].
- rewrite /task_workload_between /workload.task_workload_between /task_workload /workload_of_jobs
- /arrival_sequence.arrivals_between /number_of_task_arrivals /task_arrivals_between
- /arrival_sequence.arrivals_between.
- rewrite {1}addn1 big_nat1 addn1 big_nat1.
- rewrite (big_rem j) //= TSK //= addnC -addnBA // subnn addn0.
- rewrite (filter_size_rem j); [ | by done | by rewrite TSK].
- rewrite mulnDr mulnC muln1 -addnBA // subnn addn0 mulnC.
- apply sum_majorant_constant.
- move => j' ARR' /eqP TSK2.
- by rewrite -TSK2; apply H_valid_job_cost; exists (t1 + A); apply rem_in in ARR'.
- Qed.
-
- (** Finally, we use the lemmas above to obtain the bound on
- [interference] in terms of [task_rbf] and [task_interference]. *)
- Lemma cumulative_job_interference_bound:
- cumul_interference j t1 (t1 + x)
- <= (task_rbf (A + ε) - task_cost tsk) + cumul_task_interference t2 t1 (t1 + x).
- Proof.
- set (y := t1 + x) in *.
- have IN: j \in arrivals_between t1 (t1 + A + ε).
- { eapply arrived_between_implies_in_arrivals; rt_eauto.
- move: (H_busy_interval) => [[/andP [GE _] _] _].
- by apply/andP; split; last rewrite /A subnKC // addn1.
- }
- apply leq_trans with (task_workload_between t1 (t1+A+ε) - job_cost j + cumul_task_interference t2 t1 y).
- - by apply cumulative_job_interference_le_task_interference_bound.
- - rewrite leq_add2r.
- by eapply task_rbf_excl_tsk_bounds_task_workload_excl_j; eauto 2.
- Qed.
-
- End BoundOfCumulativeJobInterference.
-
- (** In this section, we prove that [H_R_is_maximum_seq] implies [H_R_is_maximum]. *)
- Section MaxInSeqHypothesisImpMaxInNonseqHypothesis.
-
- (** Consider any job [j] of [tsk]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
-
- (** For simplicity, let's define a local name for the search space. *)
- Let is_in_search_space A :=
- is_in_search_space tsk L total_interference_bound A.
-
- (** We prove that [H_R_is_maximum] holds. *)
- Lemma max_in_seq_hypothesis_implies_max_in_nonseq_hypothesis:
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= task_rtct tsk +
- (task_rbf (A + ε) - task_cost tsk + task_interference_bound_function tsk A (A + F)) /\
- R >= F + (task_cost tsk - task_rtct tsk).
- Proof.
- move: H_valid_run_to_completion_threshold => [PRT1 PRT2].
- intros A INSP.
- clear H_sequential_tasks H_interference_and_workload_consistent_with_sequential_tasks.
- move: (H_R_is_maximum_seq _ INSP) => [F [FIX LE]].
- exists F; split; last by done.
- rewrite -{2}(leqRW FIX).
- rewrite addnA leq_add2r.
- rewrite addnBA; last first.
- { apply leq_trans with (task_rbf 1).
- eapply task_rbf_1_ge_task_cost; rt_eauto.
- eapply task_rbf_monotone; eauto 2.
- by rewrite addn1.
- }
- by rewrite subnBA; auto; rewrite addnC.
- Qed.
-
- End MaxInSeqHypothesisImpMaxInNonseqHypothesis.
-
- (** Finally, we apply the [uniprocessor_response_time_bound] theorem, and using the
- lemmas above, we prove that all the requirements are satisfied. So, R is a response
- time bound. *)
- Theorem uniprocessor_response_time_bound_seq:
- response_time_bounded_by tsk R.
- Proof.
- intros j ARR TSK.
- eapply uniprocessor_response_time_bound with
- (interference_bound_function :=
- fun tsk A R => task_rbf (A + ε) - task_cost tsk + task_interference_bound_function tsk A R); rt_eauto.
- { clear ARR TSK j.
- intros t1 t2 R' j BUSY NEQ ARR TSK COMPL.
- move: (posnP (@job_cost _ H3 j)) => [ZERO|POS].
- { exfalso.
- move: COMPL => /negP COMPL; apply: COMPL.
- by rewrite /service.completed_by /completed_by ZERO. }
- set (A := job_arrival j - t1) in *.
- apply leq_trans with
- (task_rbf (A + ε) - task_cost tsk + cumul_task_interference t2 t1 (t1 + R')).
- - by eapply cumulative_job_interference_bound; eauto 2.
- - by rewrite leq_add2l; apply H_task_interference_is_bounded. }
- { by eapply max_in_seq_hypothesis_implies_max_in_nonseq_hypothesis; eauto. }
- Qed.
-
- End ResponseTimeBound.
-
-End Sequential_Abstract_RTA.
diff --git a/analysis/abstract/definitions.v b/analysis/abstract/definitions.v
deleted file mode 100644
index a37648ea58d0be8a4c68e7929f2797697fff0f09..0000000000000000000000000000000000000000
--- a/analysis/abstract/definitions.v
+++ /dev/null
@@ -1,212 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-Require Export prosa.model.task.concept.
-
-(** * Definitions for Abstract Response-Time Analysis *)
-(** In this module, we propose a set of definitions for the general framework for response-time analysis (RTA)
- of uni-processor scheduling of real-time tasks with arbitrary arrival models. *)
-Section AbstractRTADefinitions.
-
- (** In this section, we introduce all the abstract notions required by the analysis. *)
- Section Definitions.
-
- (** Consider any type of job associated with any type of tasks... *)
- Context {Job : JobType}.
- Context {Task : TaskType}.
- Context `{JobTask Job Task}.
-
- (** ... with arrival times and costs. *)
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any kind of processor state model. *)
- Context {PState : ProcessorState Job}.
-
- (** Consider any arrival sequence... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any schedule of this arrival sequence. *)
- Variable sched : schedule PState.
-
- (** Let [tsk] be any task that is to be analyzed *)
- Variable tsk : Task.
-
- (** We are going to introduce two main variables of the analysis:
- (a) interference, and (b) interfering workload. *)
-
- (** ** (a) Interference *)
- (** Execution of a job may be postponed by the environment and/or the system due to different
- factors (preemption by higher-priority jobs, jitter, black-out periods in hierarchical
- scheduling, lack of budget, etc.), which we call interference.
-
- Besides, note that even the subsequent activation of a task can suffer from interference at
- the beginning of its busy interval (despite the fact that this job hasn’t even arrived
- at that moment!). Thus, it makes more sense (at least for the current busy-interval
- analysis) to think about interference of a job as any interference within the
- corresponding busy interval, and not after release of the job.
-
- Based on that, assume a predicate that expresses whether a job [j] under consideration
- incurs interference at a given time [t] (in the context of the schedule under consideration).
- This will be used later to upper-bound job [j]'s response time. Note that a concrete
- realization of the function may depend on the schedule, but here we do not require this
- for the sake of simplicity and generality. *)
- Variable interference : Job -> instant -> bool.
-
- (** ** (b) Interfering Workload *)
- (** In addition to interference, the analysis assumes that at any time [t], we know an upper
- bound on the potential cumulative interference that can be incurred in the future by any
- job (i.e., the total remaining potential delays). Based on that, assume a function
- interfering_workload that indicates for any job [j], at any time [t], the amount of potential
- interference for job [j] that is introduced into the system at time [t]. This function will be
- later used to upper-bound the length of the busy window of a job.
- One example of workload function is the "total cost of jobs that arrive at time [t] and
- have higher-or-equal priority than job j". In some task models, this function expresses
- the amount of the potential interference on job [j] that "arrives" in the system at time [t]. *)
- Variable interfering_workload : Job -> instant -> duration.
-
- (** In order to bound the response time of a job, we must to consider the cumulative
- interference and cumulative interfering workload. *)
- Definition cumul_interference j t1 t2 := \sum_(t1 <= t < t2) interference j t.
- Definition cumul_interfering_workload j t1 t2 := \sum_(t1 <= t < t2) interfering_workload j t.
-
- (** ** Definition of Busy Interval *)
- (** Further analysis will be based on the notion of a busy interval. The overall idea of the
- busy interval is to take into account the workload that cause a job under consideration to
- incur interference. In this section, we provide a definition of an abstract busy interval. *)
- Section BusyInterval.
-
- (** We say that time instant [t] is a quiet time for job [j] iff two conditions hold.
- First, the cumulative interference at time [t] must be equal to the cumulative
- interfering workload, to indicate that the potential interference seen so far
- has been fully "consumed" (i.e., there is no more higher-priority work or other
- kinds of delay pending). Second, job [j] cannot be pending at any time earlier
- than [t] _and_ at time instant [t] (i.e., either it was pending earlier but is no
- longer pending now, or it was previously not pending and may or may not be
- released now), to ensure that the busy window captures the execution of job [j]. *)
- Definition quiet_time (j : Job) (t : instant) :=
- cumul_interference j 0 t = cumul_interfering_workload j 0 t /\
- ~~ pending_earlier_and_at sched j t.
-
- (** Based on the definition of quiet time, we say that interval <<[t1, t2)>> is
- a (potentially unbounded) busy-interval prefix w.r.t. job [j] iff the
- interval (a) contains the arrival of job j, (b) starts with a quiet
- time and (c) remains non-quiet. *)
- Definition busy_interval_prefix (j : Job) (t1 t2 : instant) :=
- t1 <= job_arrival j < t2 /\
- quiet_time j t1 /\
- (forall t, t1 < t < t2 -> ~ quiet_time j t).
-
- (** Next, we say that an interval <<[t1, t2)>> is a busy interval iff
- [t1, t2) is a busy-interval prefix and t2 is a quiet time. *)
- Definition busy_interval (j : Job) (t1 t2 : instant) :=
- busy_interval_prefix j t1 t2 /\
- quiet_time j t2.
-
- (** Note that the busy interval, if it exists, is unique. *)
- Lemma busy_interval_is_unique:
- forall j t1 t2 t1' t2',
- busy_interval j t1 t2 ->
- busy_interval j t1' t2' ->
- t1 = t1' /\ t2 = t2'.
- Proof.
- intros ? ? ? ? ? BUSY BUSY'.
- have EQ: t1 = t1'.
- { apply/eqP.
- apply/negPn/negP; intros CONTR.
- move: BUSY => [[IN [QT1 NQ]] _].
- move: BUSY' => [[IN' [QT1' NQ']] _].
- move: CONTR; rewrite neq_ltn; move => /orP [LT|GT].
- { apply NQ with t1'; try done; clear NQ.
- apply/andP; split; first by done.
- move: IN IN' => /andP [_ T1] /andP [T2 _].
- by apply leq_ltn_trans with (job_arrival j).
- }
- { apply NQ' with t1; try done; clear NQ'.
- apply/andP; split; first by done.
- move: IN IN' => /andP [T1 _] /andP [_ T2].
- by apply leq_ltn_trans with (job_arrival j).
- }
- } subst t1'.
- have EQ: t2 = t2'.
- { apply/eqP.
- apply/negPn/negP; intros CONTR.
- move: BUSY => [[IN [_ NQ]] QT2].
- move: BUSY' => [[IN' [_ NQ']] QT2'].
- move: CONTR; rewrite neq_ltn; move => /orP [LT|GT].
- { apply NQ' with t2; try done; clear NQ'.
- apply/andP; split; last by done.
- move: IN IN' => /andP [_ T1] /andP [T2 _].
- by apply leq_ltn_trans with (job_arrival j).
- }
- { apply NQ with t2'; try done; clear NQ.
- apply/andP; split; last by done.
- move: IN IN' => /andP [T1 _] /andP [_ T2].
- by apply leq_ltn_trans with (job_arrival j).
- }
- } by subst t2'.
- Qed.
-
- End BusyInterval.
-
- (** In this section, we introduce some assumptions about the
- busy interval that are fundamental for the analysis. *)
- Section BusyIntervalProperties.
-
- (** We say that a schedule is "work_conserving" iff for any job [j] from task [tsk] and
- at any time [t] within a busy interval, there are only two options:
- either (a) interference(j, t) holds or (b) job [j] is scheduled at time [t]. *)
- Definition work_conserving :=
- forall j t1 t2 t,
- arrives_in arr_seq j ->
- job_cost j > 0 ->
- busy_interval j t1 t2 ->
- t1 <= t < t2 ->
- ~ interference j t <-> scheduled_at sched j t.
-
- (** Next, we say that busy intervals of task [tsk] are bounded by [L] iff,
- for any job [j] of task [tsk], there exists a busy interval with
- length at most [L]. Note that the existence of such a bounded busy
- interval is not guaranteed if the system is overloaded. Therefore, in
- the later concrete analyses, we will have to introduce an additional
- condition that rules out overload. *)
- Definition busy_intervals_are_bounded_by L :=
- forall j,
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- job_cost j > 0 ->
- exists t1 t2,
- t2 <= t1 + L /\
- busy_interval j t1 t2.
-
- (** Although we have defined the notion of cumulative interference of a job, it cannot be used in
- a response-time analysis because of the variability of job parameters. To address this
- issue, we define the notion of an interference bound. Note that according to the definition of
- a work conserving schedule, interference does _not_ include execution of a job itself. Therefore,
- an interference bound is not obliged to take into account the execution of this job. We say that
- the job interference is bounded by an interference_bound_function ([IBF]) iff for any job [j] of
- task [tsk] the cumulative interference incurred by [j] in the sub-interval [t1, t1 + delta) of busy
- interval [t1, t2) does not exceed [interference_bound_function(tsk, A, delta)], where [A] is a
- relative arrival time of job [j] (with respect to time [t1]). *)
- Definition job_interference_is_bounded_by (interference_bound_function: Task -> duration -> duration -> duration) :=
- (** Let's examine this definition in more detail. *)
- forall t1 t2 delta j,
- (** First, we require [j] to be a job of task [tsk]. *)
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- (** Next, we require the IBF to bound the interference only within the interval <<[t1, t1 + delta)>>. *)
- busy_interval j t1 t2 ->
- t1 + delta < t2 ->
- (** Next, we require the IBF to bound the interference only until the job is
- completed, after which the function can behave arbitrarily. *)
- ~~ completed_by sched j (t1 + delta) ->
- (** And finally, the IBF function might depend not only on the length
- of the interval, but also on the relative arrival time of job [j] (offset). *)
- (** While the first three conditions are needed for discarding excessive cases, offset adds
- flexibility to the IBF, which is important, for instance, when analyzing EDF scheduling. *)
- let offset := job_arrival j - t1 in
- cumul_interference j t1 (t1 + delta) <= interference_bound_function tsk offset delta.
-
- End BusyIntervalProperties.
-
- End Definitions.
-
-End AbstractRTADefinitions.
diff --git a/analysis/abstract/ideal_jlfp_rta.v b/analysis/abstract/ideal_jlfp_rta.v
deleted file mode 100644
index a8af8a98c066f626c56c46a588d0967dee5a03cb..0000000000000000000000000000000000000000
--- a/analysis/abstract/ideal_jlfp_rta.v
+++ /dev/null
@@ -1,931 +0,0 @@
-Require Export prosa.analysis.abstract.abstract_seq_rta.
-Require Export prosa.analysis.definitions.priority_inversion.
-Require Export prosa.analysis.definitions.work_bearing_readiness.
-Require Export prosa.analysis.facts.busy_interval.carry_in.
-
-(** Throughout this file, we assume ideal uni-processor schedules. *)
-Require Import prosa.model.processor.ideal.
-Require Export prosa.analysis.facts.busy_interval.ideal.priority_inversion.
-
-
-(** * JLFP instantiation of Interference and Interfering Workload for ideal uni-processor. *)
-(** In this module we instantiate functions Interference and Interfering Workload
- for an arbitrary JLFP-policy that satisfies the sequential tasks hypothesis.
- We also prove equivalence of Interference and Interfering Workload to the
- more conventional notions of service or workload. *)
-Section JLFPInstantiation.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any valid arrival sequence with consistent arrivals... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... and any ideal uni-processor schedule of this arrival sequence... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_jobs_come_from_arrival_sequence : jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ... where jobs do not execute before their arrival nor after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Assume we have sequential tasks, i.e., jobs of the
- same task execute in the order of their arrival. *)
- Hypothesis H_sequential_tasks : sequential_tasks arr_seq sched.
-
- (** Consider a JLFP-policy that indicates a higher-or-equal priority relation,
- and assume that this relation is reflexive and transitive. *)
- Context `{JLFP_policy Job}.
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
- Hypothesis H_priority_is_transitive : transitive_priorities.
-
- (** We also assume that the policy respects sequential tasks, meaning
- that later-arrived jobs of a task don't have higher priority than
- earlier-arrived jobs of the same task. *)
- Hypothesis H_JLFP_respects_sequential_tasks : policy_respects_sequential_tasks.
-
- (** Let [tsk] be any task to be analyzed. *)
- Variable tsk : Task.
-
- (** For simplicity, let's define some local names. *)
- Let job_scheduled_at := scheduled_at sched.
- Let job_completed_by := completed_by sched.
- Let cumulative_task_interference := cumul_task_interference arr_seq sched.
-
- (** ** Interference and Interfering Workload *)
- (** In this section, we introduce definitions of interference,
- interfering workload, and a function that bounds cumulative interference. *)
-
- (** In order to introduce the interference, first we need to recall
- the definition of priority inversion. We say that job [j] is
- incurring a priority inversion at time [t] if there exists a job
- with lower priority that executes at time [t]. In order to
- simplify things, we ignore the fact that according to this
- definition a job can incur priority inversion even before its
- release (or after completion). All such (potentially bad) cases
- do not cause problems, as each job is analyzed only within the
- corresponding busy interval where the priority inversion behaves
- in the expected way. *)
- Let is_priority_inversion (j : Job) (t : instant) :=
- priority_inversion_dec arr_seq sched j t.
-
- (** Next, we say that job [j] is incurring interference from another
- job with higher or equal priority at time [t], if there exists a
- job [jhp] (different from [j]) with higher or equal priority
- that executes at time [t]. *)
- Definition is_interference_from_another_hep_job (j : Job) (t : instant) :=
- if sched t is Some jhp then
- another_hep_job jhp j
- else false.
-
- (** Similarly, we say that job [j] is incurring interference from a
- job with higher or equal priority of another task at time [t],
- if there exists a job [jhp] (of a different task) with higher or
- equal priority that executes at time [t]. *)
- Definition is_interference_from_hep_job_from_another_task (j : Job) (t : instant) :=
- if sched t is Some jhp then
- another_task_hep_job jhp j
- else false.
-
- (** Now, we define the notion of cumulative interference, called
- [interfering_workload_of_hep_jobs], that says how many units of
- workload are generated by jobs with higher or equal priority
- released at time [t]. *)
- Definition interfering_workload_of_hep_jobs (j : Job) (t : instant) :=
- \sum_(jhp <- arrivals_at arr_seq t | another_hep_job jhp j) job_cost jhp.
-
- (** Instantiation of Interference *)
- (** We say that job [j] incurs interference at time [t] iff it
- cannot execute due to a higher-or-equal-priority job being
- scheduled, or if it incurs a priority inversion. *)
- Definition interference (j : Job) (t : instant) :=
- is_priority_inversion j t || is_interference_from_another_hep_job j t.
-
- (** Instantiation of Interfering Workload *)
- (** The interfering workload, in turn, is defined as the sum of the
- priority inversion function and interfering workload of jobs
- with higher or equal priority. *)
- Definition interfering_workload (j : Job) (t : instant) :=
- is_priority_inversion j t + interfering_workload_of_hep_jobs j t.
-
- (** For each of the concepts defined above, we introduce a corresponding cumulative function: *)
- (** (a) cumulative priority inversion... *)
- Definition cumulative_priority_inversion (j : Job) (t1 t2 : instant) :=
- \sum_(t1 <= t < t2) is_priority_inversion j t.
-
- (** ... (b) cumulative interference from other jobs with higher or equal priority... *)
- Let cumulative_interference_from_other_hep_jobs (j : Job) (t1 t2 : instant) :=
- \sum_(t1 <= t < t2) is_interference_from_another_hep_job j t.
-
- (** ... (c) and cumulative interference from jobs with higher or equal priority from other tasks... *)
- Definition cumulative_interference_from_hep_jobs_from_other_tasks (j : Job) (t1 t2 : instant) :=
- \sum_(t1 <= t < t2) is_interference_from_hep_job_from_another_task j t.
-
- (** ... (d) cumulative interference... *)
- Let cumulative_interference (j : Job) (t1 t2 : instant) := \sum_(t1 <= t < t2) interference j t.
-
- (** ... (e) cumulative workload from jobs with higher or equal priority... *)
- Let cumulative_interfering_workload_of_hep_jobs (j : Job) (t1 t2 : instant) :=
- \sum_(t1 <= t < t2) interfering_workload_of_hep_jobs j t.
-
- (** ... (f) and cumulative interfering workload. *)
- Let cumulative_interfering_workload (j : Job) (t1 t2 : instant) :=
- \sum_(t1 <= t < t2) interfering_workload j t.
-
- (** Instantiated functions usually do not have any useful lemmas about them. In order to
- reuse existing lemmas, we need to prove equivalence of the instantiated functions to
- some conventional notions. The instantiations given in this file are equivalent to
- service and workload. Further, we prove these equivalences formally. *)
-
- (** In order to avoid confusion, we denote the notion of a quiet
- time in the _classical_ sense as [quiet_time_cl], and the
- notion of quiet time in the _abstract_ sense as
- [quiet_time_ab]. *)
- Let quiet_time_cl := busy_interval.quiet_time arr_seq sched.
- Let quiet_time_ab := definitions.quiet_time sched interference interfering_workload.
-
- (** Same for the two notions of a busy interval. *)
- Let busy_interval_cl := busy_interval.busy_interval arr_seq sched.
- Let busy_interval_ab := definitions.busy_interval sched interference interfering_workload.
-
- (** Before we present the formal proofs of the equivalences, we recall
- the notion of workload of higher or equal priority jobs. *)
- Let workload_of_other_hep_jobs (j : Job) (t1 t2 : instant) :=
- workload_of_jobs (fun jhp => another_hep_job jhp j) (arrivals_between arr_seq t1 t2).
-
- (** Similarly, we recall notions of service of higher or equal priority jobs from other tasks... *)
- Let service_of_hep_jobs_from_other_tasks (j : Job) (t1 t2 : instant) :=
- service_of_jobs sched (fun jhp => another_task_hep_job jhp j)
- (arrivals_between arr_seq t1 t2) t1 t2.
-
- (** ... and service of all other jobs with higher or equal priority. *)
- Let service_of_other_hep_jobs (j : Job) (t1 t2 : instant) :=
- service_of_jobs sched (fun jhp => another_hep_job jhp j) (arrivals_between arr_seq t1 t2) t1 t2.
-
- (** ** Equivalences *)
- (** In this section we prove useful equivalences between the
- definitions obtained by instantiation of definitions from the
- Abstract RTA module (interference and interfering workload) and
- definitions corresponding to the conventional concepts.
-
- As it was mentioned previously, instantiated functions of
- interference and interfering workload usually do not have any
- useful lemmas about them. However, it is possible to prove their
- equivalence to the more conventional notions like service or
- workload. Next we prove the equivalence between the
- instantiations and conventional notions. *)
- Section Equivalences.
-
- (** In the following subsection, we prove properties of the
- introduced functions under the assumption that the schedule is
- idle. *)
- Section IdleSchedule.
-
- (** Consider a time instant [t] ... *)
- Variable t : instant.
-
- (** ... and assume that the schedule is idle at [t]. *)
- Hypothesis H_idle : is_idle sched t.
-
- (** We prove that in this case: ... *)
-
- (** ... interference from higher-or-equal priority jobs from
- another task is equal to [false], ... *)
- Lemma idle_implies_no_hep_task_interference :
- forall j, is_interference_from_hep_job_from_another_task j t = false.
- Proof.
- intros j.
- unfold is_interference_from_hep_job_from_another_task.
- by move: (H_idle) => /eqP ->.
- Qed.
-
- (** ... and interference for a task is equal to [false] as well. *)
- Lemma idle_implies_no_task_interference :
- forall upp, task_interference_received_before arr_seq sched interference tsk upp t = false.
- Proof.
- intros ?.
- apply/negP/negP.
- rewrite negb_and; apply/orP; right.
- rewrite -all_predC; apply /allP; intros s IN.
- rewrite //= /interference /is_priority_inversion.
- rewrite idle_implies_no_priority_inversion //.
- unfold is_interference_from_another_hep_job.
- by move: (H_idle) => /eqP ->.
- Qed.
-
- End IdleSchedule.
-
- (** Next, we prove properties of the introduced functions under
- the assumption that the scheduler is not idle. *)
- Section ScheduledJob.
-
- (** Consider a job [j] of task [tsk]. In this subsection, job
- [j] is deemed to be the main job with respect to which the
- functions are computed. *)
- Variable j : Job.
- Hypothesis H_j_tsk : job_of_task tsk j.
-
- (** Consider a time instant [t]. *)
- Variable t : instant.
-
- (** First, consider a case when _some_ jobs is scheduled at time [t]. *)
- Section SomeJobIsScheduled.
-
- (** Consider a job [j'] (not necessarily distinct from job
- [j]) that is scheduled at time [t]. *)
- Variable j' : Job.
- Hypothesis H_sched : scheduled_at sched j' t.
-
- (** Under the stated assumptions, we show that the
- interference from another higher-or-equal priority job is
- equal to the relation [another_hep_job]. *)
- Lemma interference_ahep_eq_ahep :
- is_interference_from_another_hep_job j t = another_hep_job j' j.
- Proof.
- unfold is_interference_from_another_hep_job.
- by move: (H_sched); rewrite scheduled_at_def; move => /eqP ->.
- Qed.
-
- End SomeJobIsScheduled.
-
- (** Next, consider a case when [j] itself is scheduled at [t]. *)
- Section JIsScheduled.
-
- (** Assume that [j] is scheduled at time [t]. *)
- Hypothesis H_j_sched : scheduled_at sched j t.
-
- (** Then there is no interference from higher-or-equal
- priority jobs at time [t]. *)
- Lemma interference_ahep_job_eq_false :
- is_interference_from_another_hep_job j t = false.
- Proof.
- erewrite interference_ahep_eq_ahep; last by eassumption.
- by rewrite /another_hep_job eq_refl //= Bool.andb_false_r.
- Qed.
-
- End JIsScheduled.
-
- (** In the next subsection, we consider a case when a job [j']
- from the same task (as job [j]) is scheduled. *)
- Section FromSameTask.
-
- (** Consider a job [j'] that comes from task [tsk] and is
- scheduled at time instant [t]. *)
- Variable j' : Job.
- Hypothesis H_j'_tsk : job_of_task tsk j'.
- Hypothesis H_j'_sched : scheduled_at sched j' t.
-
- (** Then we show that interference from higher-or-equal
- priority jobs from another task is false. *)
- Lemma interference_athep_eq_false :
- is_interference_from_hep_job_from_another_task j t = false.
- Proof.
- apply/eqP; rewrite eqbF_neg.
- unfold is_interference_from_hep_job_from_another_task.
- move: (H_j'_sched); rewrite scheduled_at_def; move => /eqP ->.
- rewrite negb_and; apply/orP; right.
- by move: (H_j_tsk) (H_j'_tsk) => /eqP -> /eqP ->; rewrite eq_refl.
- Qed.
-
- (** Similarly, task interference is equal to false, since in
- order to incur the task interference, a job from a
- distinct task must be scheduled. *)
- Lemma task_interference_eq_false :
- forall upp,
- task_interference_received_before arr_seq sched interference tsk upp t = false.
- Proof.
- intros ?; unfold task_interference_received_before.
- apply/eqP; rewrite eqbF_neg negb_and Bool.negb_involutive; apply/orP; left.
- rewrite /task_scheduled_at.
- by move: (H_j'_sched); rewrite scheduled_at_def => /eqP ->.
- Qed.
-
- End FromSameTask.
-
- (** In the next subsection, we consider a case when a job [j']
- from a task other than [j]'s task is scheduled. *)
- Section FromDifferentTask.
-
- (** Consider a job [j'] that _does_ _not_ comes from task
- [tsk] and is scheduled at time instant [t]. *)
- Variable j' : Job.
- Hypothesis H_j'_not_tsk : ~~ job_of_task tsk j'.
- Hypothesis H_j'_sched : scheduled_at sched j' t.
-
- (** We prove that then [j] incurs higher-or-equal priority
- interference from another task iff [j'] has
- higher-or-equal priority than [j]. *)
- Lemma sched_at_implies_interference_athep_eq_hep :
- is_interference_from_hep_job_from_another_task j t = hep_job j' j.
- Proof.
- unfold is_interference_from_hep_job_from_another_task.
- move: (H_j'_sched); rewrite scheduled_at_def; move => /eqP ->.
- apply/andP; destruct (hep_job).
- - by move: (H_j_tsk) => /eqP ->; rewrite H_j'_not_tsk.
- - by intros [F _].
- Qed.
-
- (** Hence, if we assume that [j'] has higher-or-equal priority, ... *)
- Hypothesis H_j'_hep : hep_job j' j.
-
- (** ... we will be able to show that [j] incurs
- higher-or-equal priority interference from another task. *)
- Lemma sched_athep_implies_interference_athep :
- is_interference_from_hep_job_from_another_task j t.
- Proof.
- unfold is_interference_from_hep_job_from_another_task.
- move: (H_j'_sched); rewrite scheduled_at_def => /eqP ->.
- rewrite /another_task_hep_job H_j'_hep.
- by move: (H_j_tsk) => /eqP ->.
- Qed.
-
- (** Moreover, in this case, task [tsk] also incurs interference. *)
- Lemma sched_athep_implies_task_interference :
- forall upp,
- j \in arrivals_between arr_seq 0 upp ->
- task_interference_received_before arr_seq sched interference tsk upp t.
- Proof.
- intros ? IN.
- apply/andP; split.
- - by move: (H_j'_sched); rewrite /task_scheduled_at scheduled_at_def => /eqP ->.
- - apply/hasP; exists j.
- + rewrite mem_filter; apply/andP; split; last by done.
- by rewrite H_j_tsk.
- + apply/orP; right.
- move: (H_j'_sched); rewrite /is_interference_from_another_hep_job scheduled_at_def => /eqP ->.
- apply/andP; split; first by done.
- apply/negP; move => /eqP EQ; subst.
- by move: (H_j'_not_tsk); rewrite H_j_tsk.
- Qed.
-
- End FromDifferentTask.
-
- (** In the last subsection, we consider a case when the
- scheduled job [j'] has lower priority than job [j]. *)
- Section LowerPriority.
-
- (** Consider a job [j'] that has lower priority than job [j]
- and is scheduled at time instant [t]. *)
- Variable j' : Job.
- Hypothesis H_j'_sched : scheduled_at sched j' t.
- Hypothesis H_j'_lp : ~~ hep_job j' j.
-
- Lemma sched_alp_implies_interference_ahep_false :
- is_interference_from_another_hep_job j t = false.
- Proof.
- apply/eqP; rewrite eqbF_neg.
- unfold is_interference_from_another_hep_job.
- move: (H_j'_sched); rewrite scheduled_at_def; move => /eqP ->.
- apply/negP; move => /andP [HEP _].
- by move: H_j'_lp => /negP T; apply: T.
- Qed.
-
- End LowerPriority.
-
- End ScheduledJob.
-
- (** We prove that we can split cumulative interference into two
- parts: (1) cumulative priority inversion and (2) cumulative
- interference from jobs with higher or equal priority. *)
- Lemma cumulative_interference_split :
- forall j t1 t2,
- cumulative_interference j t1 t2
- = cumulative_priority_inversion j t1 t2
- + cumulative_interference_from_other_hep_jobs j t1 t2.
- Proof.
- rewrite /cumulative_interference /interference.
- intros; rewrite -big_split //=.
- rewrite /is_priority_inversion.
- apply/eqP; rewrite eqn_leq; apply/andP; split; rewrite leq_sum; try done.
- { intros t _.
- destruct (ideal_proc_model_sched_case_analysis sched t) as [IDLE | [s SCHED]].
- - rewrite idle_implies_no_priority_inversion //.
- - destruct (hep_job s j) eqn:PRIO.
- + by destruct (priority_inversion_dec _ _ _), (is_interference_from_another_hep_job _ _).
- + erewrite sched_lp_implies_priority_inversion; rt_eauto.
- by rewrite PRIO.
- }
- { intros t _.
- destruct (ideal_proc_model_sched_case_analysis sched t) as [IDLE | [s SCHED]].
- - rewrite idle_implies_no_priority_inversion //.
- - destruct (hep_job s j) eqn:PRIO.
- + erewrite sched_hep_implies_no_priority_inversion; eauto 2.
- + erewrite sched_lp_implies_priority_inversion; rt_eauto.
- erewrite sched_alp_implies_interference_ahep_false; rt_eauto.
- all: by rewrite PRIO.
- }
- Qed.
-
- (** Similarly, we prove that we can split cumulative interfering
- workload into two parts: (1) cumulative priority inversion and
- (2) cumulative interfering workload from jobs with higher or
- equal priority. *)
- Lemma cumulative_interfering_workload_split :
- forall j t1 t2,
- cumul_interfering_workload interfering_workload j t1 t2 =
- cumulative_priority_inversion j t1 t2 + cumulative_interfering_workload_of_hep_jobs j t1 t2.
- Proof.
- rewrite /cumul_interfering_workload
- /cumulative_priority_inversion
- /cumulative_interfering_workload_of_hep_jobs.
- by intros; rewrite -big_split //=.
- Qed.
-
- (** Let [j] be any job of task [tsk], and let [upp_t] be any time
- instant after job [j]'s arrival. Then for any time interval
- lying before [upp_t], the cumulative interference received by
- [tsk] is equal to the sum of the cumulative priority inversion
- of job [j] and the cumulative interference incurred by task
- [tsk] due to other tasks. *)
- Lemma cumulative_task_interference_split :
- forall j t1 t2 upp_t,
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- j \in arrivals_before arr_seq upp_t ->
- ~~ job_completed_by j t2 ->
- cumulative_task_interference interference tsk upp_t t1 t2 =
- cumulative_priority_inversion j t1 t2 +
- cumulative_interference_from_hep_jobs_from_other_tasks j t1 t2.
- Proof.
- rewrite /cumulative_task_interference /cumul_task_interference; intros j t1 R upp ARRin TSK ARR NCOMPL.
- rewrite -big_split //= big_seq_cond [in X in _ = X]big_seq_cond; apply eq_bigr; move => t /andP [IN _].
- apply/eqP; rewrite eqn_leq; apply/andP; split.
- - unfold is_priority_inversion.
- ideal_proc_model_sched_case_analysis_eq sched t s; first by rewrite idle_implies_no_task_interference //=.
- destruct (hep_job s j) eqn:HP, (job_task s == tsk) eqn:TSKs.
- + by erewrite task_interference_eq_false; eauto 1.
- + move: TSKs => /eqP/eqP TSKs; erewrite sched_athep_implies_task_interference, sched_athep_implies_interference_athep; eauto 1.
- by destruct (priority_inversion_dec).
- + erewrite sched_lp_implies_priority_inversion; rt_eauto; last by rewrite HP.
- by destruct (task_interference_received_before), (is_interference_from_hep_job_from_another_task).
- + erewrite sched_lp_implies_priority_inversion; rt_eauto; last by rewrite HP.
- by destruct (task_interference_received_before), (is_interference_from_hep_job_from_another_task).
- - rewrite /is_priority_inversion; ideal_proc_model_sched_case_analysis_eq sched t s;
- first by rewrite idle_implies_no_priority_inversion //= idle_implies_no_hep_task_interference.
- destruct (job_task s == job_task j) eqn:TSKEQ.
- + erewrite priority_inversion_equiv_sched_lower_priority; rt_eauto.
- erewrite interference_athep_eq_false with (j' := s),
- ?task_interference_eq_false with (j' := s), leqn0, addn0, eqb0; eauto 2; try by move: TSK => /eqP <-.
- apply/negP; intros NEQ; move: NCOMPL => /negP NCOMPL; apply: NCOMPL.
- apply completion_monotonic with t; first by rewrite mem_iota in IN; apply ltnW; lia.
- apply/negP; intros NCOMPL; move: NCOMPL => /negP NCOMPL.
- move: NEQ => /negP NEQ; apply: NEQ; apply H_JLFP_respects_sequential_tasks; rt_eauto.
- by eapply scheduler_executes_job_with_earliest_arrival; rt_eauto.
- + erewrite priority_inversion_equiv_sched_lower_priority; rt_eauto.
- have TSKn : ~~ job_of_task tsk s.
- by apply/negP; intros ?; move: TSKEQ => /eqP TSKEQ; apply:TSKEQ; move: (H4) (TSK) => /eqP -> /eqP ->.
- erewrite sched_at_implies_interference_athep_eq_hep with (j' := s); eauto 2.
- have F: forall b, ~~ b + b = true; [ by intros b; destruct b | rewrite F lt0b; clear F ].
- apply/andP; split.
- * by move: (Sched_s); rewrite /task_scheduled_at scheduled_at_def => /eqP ->.
- * apply/hasP; exists j.
- -- rewrite mem_filter; apply/andP; split; first by done.
- by exact: arrivals_between_sub ARR.
- -- rewrite /interference /is_priority_inversion; erewrite priority_inversion_equiv_sched_lower_priority; rt_eauto.
- rewrite /is_interference_from_another_hep_job.
- destruct (hep_job s j) eqn:HP; apply/orP; [right| by left].
- move: (Sched_s); rewrite /task_scheduled_at scheduled_at_def => /eqP ->.
- rewrite /another_hep_job HP Bool.andb_true_l.
- by apply/eqP; intros EQ; subst s; rewrite TSK in TSKn.
- Qed.
-
- (** In this section we prove that the (abstract) cumulative interfering workload is equivalent to
- conventional workload, i.e., the one defined with concrete schedule parameters. *)
- Section InstantiatedWorkloadEquivalence.
-
- (** Let <<[t1,t2)>> be any time interval. *)
- Variables t1 t2 : instant.
-
- (** Consider any job [j] of [tsk]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
-
- (** Then for any job [j], the cumulative interfering workload is
- equal to the conventional workload. *)
- Lemma cumulative_iw_hep_eq_workload_of_ohep :
- cumulative_interfering_workload_of_hep_jobs j t1 t2
- = workload_of_other_hep_jobs j t1 t2.
- Proof.
- intros.
- rewrite /cumulative_interfering_workload_of_hep_jobs
- /workload_of_other_hep_jobs.
- case NEQ: (t1 < t2); last first.
- { move: NEQ => /negP /negP; rewrite -leqNgt; move => NEQ.
- rewrite big_geq; last by done.
- rewrite /arrivals_between /arrival_sequence.arrivals_between big_geq; last by done.
- by rewrite /workload_of_jobs big_nil.
- }
- { unfold interfering_workload_of_hep_jobs, workload_of_jobs.
- interval_to_duration t1 t2 k.
- induction k.
- - rewrite !addn0.
- rewrite big_geq; last by done.
- rewrite /arrivals_between /arrival_sequence.arrivals_between big_geq; last by done.
- by rewrite /workload_of_jobs big_nil.
- - rewrite addnS big_nat_recr //=; last by rewrite leq_addr.
- rewrite IHk.
- rewrite /arrivals_between /arrival_sequence.arrivals_between big_nat_recr //=;
- last by rewrite leq_addr.
- by rewrite big_cat //=.
- }
- Qed.
-
- End InstantiatedWorkloadEquivalence.
-
- (** In this section we prove that the (abstract) cumulative interference of jobs with higher or
- equal priority is equal to total service of jobs with higher or equal priority. *)
- Section InstantiatedServiceEquivalences.
-
- (** Consider any job [j] of [tsk]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
-
- (** We consider an arbitrary time interval <<[t1, t)>> that starts with a quiet time. *)
- Variable t1 t : instant.
- Hypothesis H_quiet_time : quiet_time_cl j t1.
-
- (** Then for any job j, the (abstract) instantiated function of interference is
- equal to the total service of jobs with higher or equal priority. *)
- Lemma cumulative_i_ohep_eq_service_of_ohep :
- cumulative_interference_from_other_hep_jobs j t1 t
- = service_of_other_hep_jobs j t1 t.
- Proof.
- rewrite /service_of_other_hep_jobs /service_of_jobs.
- rewrite /cumulative_interference_from_other_hep_jobs
- /is_interference_from_another_hep_job.
- rewrite exchange_big //= big_nat_cond [in X in _ = X]big_nat_cond.
- all: apply/eqP; rewrite eqn_leq; apply/andP; split.
- all: rewrite leq_sum //; move => x /andP [/andP [Ge Le] _].
- { ideal_proc_model_sched_case_analysis_eq sched x jo; first by done.
- move: (Sched_jo); rewrite scheduled_at_def; move => /eqP EQ; rewrite EQ.
- destruct (another_hep_job jo j) eqn:PRIO; last by done.
- rewrite (big_rem jo) /=; first by rewrite PRIO service_at_def EQ eq_refl.
- apply arrived_between_implies_in_arrivals; try done; rt_eauto.
- - rewrite /arrived_between; apply/andP; split.
- + move: PRIO => /andP [PRIO1 PRIO2].
- rewrite leqNgt; apply/negP; intros AB.
- move: (Sched_jo). rewrite -[scheduled_at _ _ _]Bool.negb_involutive;
- move => /negP SCHED2; apply: SCHED2.
- apply completed_implies_not_scheduled; rt_eauto.
- apply completion_monotonic with t1; try done.
- by apply H_quiet_time; try done; rt_eauto.
- move : EQ => /eqP EQ.
- rewrite -scheduled_at_def in EQ.
- eapply has_arrived_scheduled in EQ; rt_eauto.
- apply leq_ltn_trans with x; rt_eauto. }
- { erewrite eq_bigr; last by move=> i _; rewrite service_at_def /=.
- ideal_proc_model_sched_case_analysis_eq sched x jo; first by rewrite big1_eq.
- move: (Sched_jo); rewrite scheduled_at_def; move => /eqP EQ; rewrite EQ.
- destruct (another_hep_job jo j) eqn:PRIO.
- - rewrite -EQ. have SCH := service_of_jobs_le_1 _ _ sched _ (arrivals_between arr_seq t1 t) _ x.
- eapply leq_trans; last first.
- + apply SCH; rt_eauto.
- + rewrite /service_of_jobs_at; erewrite leq_sum => // i _.
- by rewrite service_at_def.
- - rewrite leqn0 big1 //; intros joo PRIO2.
- apply/eqP; rewrite eqb0; apply/eqP; intros C.
- inversion C; subst joo; clear C.
- by rewrite PRIO2 in PRIO. }
- Qed.
-
- (** The same applies to the alternative definition of interference. *)
- Lemma cumulative_i_thep_eq_service_of_othep :
- cumulative_interference_from_hep_jobs_from_other_tasks j t1 t
- = service_of_hep_jobs_from_other_tasks j t1 t.
- Proof.
- rewrite /service_of_hep_jobs_from_other_tasks /service_of_jobs.
- rewrite /cumulative_interference_from_hep_jobs_from_other_tasks
- /is_interference_from_hep_job_from_another_task.
- rewrite exchange_big //= big_nat_cond [in X in _ = X]big_nat_cond.
- all: apply/eqP; rewrite eqn_leq; apply/andP; split.
- all: rewrite leq_sum //; move => x /andP [/andP [Ge Le] _].
- { ideal_proc_model_sched_case_analysis_eq sched x jo; first by done.
- move: (Sched_jo); rewrite scheduled_at_def; move => /eqP EQ; rewrite EQ.
- destruct (another_task_hep_job jo j) eqn:PRIO; last by done.
- rewrite (big_rem jo) /=; first by rewrite PRIO service_at_def EQ eq_refl.
- apply arrived_between_implies_in_arrivals; try done; rt_eauto.
- - rewrite /arrived_between; apply/andP; split.
- + move: PRIO => /andP [PRIO1 PRIO2].
- rewrite leqNgt; apply/negP; intros AB.
- move: (Sched_jo). rewrite -[scheduled_at _ _ _]Bool.negb_involutive;
- move => /negP SCHED2; apply: SCHED2.
- apply completed_implies_not_scheduled; rt_eauto.
- apply completion_monotonic with t1; try done.
- apply H_quiet_time; try done; rt_eauto.
- + move : EQ => /eqP EQ; rewrite -scheduled_at_def in EQ.
- eapply has_arrived_scheduled in EQ; rt_eauto.
- by apply leq_ltn_trans with x; rt_eauto.
-
- }
- { erewrite eq_bigr; last by move=> i _; rewrite service_at_def /=.
- ideal_proc_model_sched_case_analysis_eq sched x jo; first by rewrite big1_eq.
- move: (Sched_jo); rewrite scheduled_at_def; move => /eqP EQ; rewrite EQ.
- destruct (another_task_hep_job jo j) eqn:PRIO.
- - rewrite -EQ. have SCH := service_of_jobs_le_1 _ _ sched _ (arrivals_between arr_seq t1 t) _ x.
- eapply leq_trans; last first.
- + by apply SCH; rt_eauto.
- + rewrite /service_of_jobs_at; erewrite leq_sum => // i _.
- by rewrite service_at_def.
- - rewrite leqn0 big1 //; intros joo PRIO2.
- apply/eqP; rewrite eqb0; apply/eqP; intros C.
- inversion C; subst joo; clear C.
- by rewrite PRIO2 in PRIO.
- }
- Qed.
-
- End InstantiatedServiceEquivalences.
-
- (** In this section we prove that the abstract definition of busy interval is equivalent to
- the conventional, concrete definition of busy interval for JLFP scheduling. *)
- Section BusyIntervalEquivalence.
-
- (** Consider any job j of [tsk]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** To show the equivalence of the notions of busy intervals
- we first show that the notions of quiet time are also
- equivalent. *)
-
- Lemma quiet_time_cl_implies_quiet_time_ab:
- forall t, quiet_time_cl j t -> quiet_time_ab j t.
- Proof.
- have zero_is_quiet_time: forall j, quiet_time_cl j 0.
- { by intros jhp ARR HP AB; move: AB; rewrite /arrived_before ltn0. }
- intros t QT; split; last first.
- { rewrite negb_and Bool.negb_involutive; apply/orP.
- by case ARR: (arrived_before j t); [right | left]; [apply QT | ]; eauto.
- }
- { erewrite cumulative_interference_split, cumulative_interfering_workload_split; apply/eqP; rewrite eqn_add2l.
- rewrite cumulative_i_ohep_eq_service_of_ohep //= cumulative_iw_hep_eq_workload_of_ohep eq_sym; apply/eqP.
- apply all_jobs_have_completed_equiv_workload_eq_service;
- rt_eauto.
- intros j0 IN HEP; apply QT.
- - by apply in_arrivals_implies_arrived in IN.
- - by move: HEP => /andP [H6 H7].
- - by apply in_arrivals_implies_arrived_between in IN; rt_eauto.
- }
- Qed.
-
- Lemma quiet_time_ab_implies_quiet_time_cl:
- forall t, quiet_time_ab j t -> quiet_time_cl j t.
- Proof. clear H_job_of_tsk.
- have zero_is_quiet_time: forall j, quiet_time_cl j 0.
- { by intros jhp ARR HP AB; move: AB; rewrite /arrived_before ltn0. }
- intros t [T0 T1] jhp ARR HP ARB.
- eapply all_jobs_have_completed_equiv_workload_eq_service with
- (P := fun jhp => hep_job jhp j) (t1 := 0) (t2 := t); rt_eauto.
- erewrite service_of_jobs_case_on_pred with (P2 := fun j' => j' != j); rt_eauto.
- erewrite workload_of_jobs_case_on_pred with (P' := fun j' => j' != j); rt_eauto.
- replace ((fun j0 : Job => hep_job j0 j && (j0 != j))) with (another_hep_job^~j); last by rewrite /another_hep_job.
- rewrite -/(service_of_other_hep_jobs j 0 t) -cumulative_i_ohep_eq_service_of_ohep; eauto.
- rewrite -/(workload_of_other_hep_jobs j 0 t) -cumulative_iw_hep_eq_workload_of_ohep; eauto.
- move: T1; rewrite negb_and => /orP [NA | /negPn COMP].
- { have PRED__eq: {in arrivals_between arr_seq 0 t, (fun j__copy : Job => hep_job j__copy j && ~~ (j__copy != j)) =1 pred0}.
- { intros j__copy IN; apply negbTE.
- rewrite negb_and; apply/orP; right; apply/negPn/eqP => EQ; subst j__copy.
- move: NA => /negP CONTR; apply: CONTR.
- by apply in_arrivals_implies_arrived_between in IN; rt_eauto. }
- erewrite service_of_jobs_equiv_pred with (P2 := pred0); last by done.
- erewrite workload_of_jobs_equiv_pred with (P' := pred0); last by done.
- move: T0; erewrite cumulative_interference_split, cumulative_interfering_workload_split => /eqP; rewrite eqn_add2l => /eqP EQ.
- rewrite EQ; clear EQ; apply/eqP; rewrite eqn_add2l.
- by erewrite workload_of_jobs_pred0, service_of_jobs_pred0.
- }
- { have PRED__eq: {in arrivals_between arr_seq 0 t, (fun j0 : Job => hep_job j0 j && ~~ (j0 != j)) =1 eq_op j}.
- { intros j__copy IN.
- replace (~~ (j__copy != j)) with (j__copy == j); last by case: (j__copy == j).
- rewrite eq_sym; destruct (j == j__copy) eqn:EQ; last by rewrite Bool.andb_false_r.
- move: EQ => /eqP EQ; rewrite Bool.andb_true_r; apply/eqP; rewrite eqb_id; subst.
- by eapply (H_priority_is_reflexive 0). }
- erewrite service_of_jobs_equiv_pred with (P2 := eq_op j); last by done.
- erewrite workload_of_jobs_equiv_pred with (P' := eq_op j); last by done.
- move: T0; erewrite cumulative_interference_split, cumulative_interfering_workload_split => /eqP; rewrite eqn_add2l => /eqP EQ.
- rewrite EQ; clear EQ; apply/eqP; rewrite eqn_add2l.
- apply/eqP; eapply all_jobs_have_completed_equiv_workload_eq_service with
- (P := eq_op j) (t1 := 0) (t2 := t); rt_eauto.
- by move => j__copy _ /eqP EQ; subst j__copy. }
- Qed.
-
- (** The equivalence trivially follows from the lemmas above. *)
- Corollary instantiated_quiet_time_equivalent_quiet_time:
- forall t,
- quiet_time_cl j t <-> quiet_time_ab j t.
- Proof.
- clear H_job_of_tsk.
- intros ?; split.
- - apply quiet_time_cl_implies_quiet_time_ab.
- - apply quiet_time_ab_implies_quiet_time_cl.
- Qed.
-
- (** Based on that, we prove that the concept of busy interval obtained by instantiating the abstract
- definition of busy interval coincides with the conventional definition of busy interval. *)
- Lemma instantiated_busy_interval_equivalent_busy_interval:
- forall t1 t2,
- busy_interval_cl j t1 t2 <-> busy_interval_ab j t1 t2.
- Proof.
- clear H_job_of_tsk.
- split.
- { move => [[NEQ [QTt1 [NQT REL]] QTt2]].
- split; [split; [ |split] | ].
- - by done.
- - by apply instantiated_quiet_time_equivalent_quiet_time in QTt1.
- - by intros t NE QT; eapply NQT; eauto 2; apply instantiated_quiet_time_equivalent_quiet_time.
- - by eapply instantiated_quiet_time_equivalent_quiet_time in QTt2.
- }
- { move => [[/andP [NEQ1 NEQ2] [QTt1 NQT] QTt2]].
- split; [split; [ | split; [ |split] ] | ].
- - by apply leq_ltn_trans with (job_arrival j).
- - by eapply instantiated_quiet_time_equivalent_quiet_time; eauto 2.
- - by intros t NEQ QT; eapply NQT; eauto 2; eapply instantiated_quiet_time_equivalent_quiet_time in QT; eauto 2.
- - by apply/andP; split.
- - by eapply instantiated_quiet_time_equivalent_quiet_time; eauto 2.
- }
- Qed.
-
- End BusyIntervalEquivalence.
-
- End Equivalences.
-
- (** In this section we prove some properties about the interference
- and interfering workload as defined in this file. *)
- Section I_IW_correctness.
-
- (** Consider work-bearing readiness. *)
- Context `{@JobReady Job (ideal.processor_state Job) _ _}.
- Hypothesis H_work_bearing_readiness : work_bearing_readiness arr_seq sched.
-
- (** Assume that the schedule is valid and work-conserving. *)
- Hypothesis H_sched_valid : @valid_schedule Job (ideal.processor_state Job) sched _ _ _ arr_seq.
-
- (** Note that we differentiate between abstract and classical
- notions of work conserving schedule. *)
- Let work_conserving_ab := definitions.work_conserving arr_seq sched interference interfering_workload.
- Let work_conserving_cl := work_conserving.work_conserving arr_seq sched.
-
- (** We assume that the schedule is a work-conserving schedule in the
- _classical_ sense, and later prove that the hypothesis about
- abstract work-conservation also holds. *)
- Hypothesis H_work_conserving : work_conserving_cl.
-
- (** Assume the scheduling policy under consideration is reflexive. *)
- Hypothesis policy_reflexive : reflexive_priorities.
-
- (** In this section, we prove the correctness of interference
- inside the busy interval, i.e., we prove that if interference
- for a job is [false] then the job is scheduled and vice versa.
- This property is referred to as abstract work conservation. *)
-
- Section Abstract_Work_Conservation.
-
- (** Consider a job [j] that is in the arrival sequence
- and has a positive job cost. *)
- Variable j : Job.
- Hypothesis H_arrives : arrives_in arr_seq j.
- Hypothesis H_job_cost_positive : 0 < job_cost j.
-
- (** Let the busy interval of the job be <<[t1,t2)>>. *)
- Variable t1 t2 : instant.
- Hypothesis H_busy_interval : busy_interval_ab j t1 t2.
-
- (** Consider a time [t] inside the busy interval of the job. *)
- Variable t : instant.
- Hypothesis H_t_in_busy_interval : t1 <= t < t2.
-
- (** First, we prove that if interference is [false] at a time [t]
- then the job is scheduled. *)
- Lemma not_interference_implies_scheduled :
- ~ interference j t -> scheduled_at sched j t.
- Proof.
- move => /negP HYP; move : HYP.
- rewrite negb_or !/is_priority_inversion
- /is_interference_from_another_hep_job.
- move => /andP [HYP1 HYP2].
- ideal_proc_model_sched_case_analysis_eq sched t jo.
- { exfalso; clear HYP1 HYP2.
- eapply instantiated_busy_interval_equivalent_busy_interval in H_busy_interval; rt_eauto.
- move: H_busy_interval => [PREF _].
- eapply not_quiet_implies_not_idle; rt_eauto. }
- {
- clear EqSched_jo; move: Sched_jo; rewrite scheduled_at_def; move => /eqP EqSched_jo.
- rewrite EqSched_jo in HYP1, HYP2.
- move: HYP2; rewrite /another_hep_job negb_and => /orP [NHEP| EQ].
- { eapply sched_lp_implies_priority_inversion in NHEP; rt_eauto.
- - by rewrite NHEP in HYP1.
- - by erewrite scheduled_at_def, EqSched_jo.
- }
- { move: EQ; rewrite -Bool.negb_involutive_reverse => /eqP EQ.
- by subst jo; rewrite scheduled_at_def EqSched_jo.
- }
- }
- Qed.
-
- (** Conversely, if the job is scheduled at [t] then interference is [false]. *)
- Lemma scheduled_implies_no_interference :
- scheduled_at sched j t -> ~ interference j t.
- Proof.
- rewrite scheduled_at_def => /eqP HYP.
- apply /negP.
- rewrite /interference /is_priority_inversion
- /is_interference_from_another_hep_job
- HYP negb_or.
- apply/andP; split.
- - erewrite sched_hep_implies_no_priority_inversion; first by done.
- - by erewrite scheduled_at_def, HYP; apply/eqP; reflexivity.
- by apply (policy_reflexive 0).
- - rewrite negb_and.
- by apply /orP; right; apply /negPn.
- Qed.
-
- End Abstract_Work_Conservation.
-
- (** Using the above two lemmas, we can prove that abstract work conservation
- always holds for these instantiations of [I] and [IW]. *)
- Corollary instantiated_i_and_w_are_coherent_with_schedule :
- work_conserving_ab.
- Proof.
- move => j t1 t2 t ARR POS BUSY NEQ; split.
- + by apply (not_interference_implies_scheduled j ARR POS t1 t2); try done.
- + by apply (scheduled_implies_no_interference j t ); try done.
- Qed.
-
- (** Next, in order to prove that these definitions of [I] and [IW] are consistent
- with sequential tasks, we need to assume that the policy under consideration
- respects sequential tasks. *)
- Hypothesis H_policy_respects_sequential_tasks : policy_respects_sequential_tasks.
-
- (** We prove that these definitions of [I] and [IW] are consistent with sequential
- tasks. *)
- Lemma instantiated_interference_and_workload_consistent_with_sequential_tasks :
- interference_and_workload_consistent_with_sequential_tasks
- arr_seq sched tsk interference interfering_workload.
- Proof.
- move => j t1 t2 ARR /eqP TSK POS BUSY.
- eapply instantiated_busy_interval_equivalent_busy_interval in BUSY; rt_eauto.
- eapply all_jobs_have_completed_equiv_workload_eq_service; rt_eauto.
- move => s INs /eqP TSKs.
- move: (INs) => NEQ.
- eapply in_arrivals_implies_arrived_between in NEQ; rt_eauto.
- move: NEQ => /andP [_ JAs].
- move: (BUSY) => [[ _ [QT [_ /andP [JAj _]]] _]].
- apply QT; try done; first by eapply in_arrivals_implies_arrived; eauto 2.
- apply H_policy_respects_sequential_tasks; first by rewrite TSK TSKs.
- by apply leq_trans with t1; [lia | done].
- Qed.
-
- (** Since interfering and interfering workload are sufficient to define the busy window,
- next, we reason about the bound on the length of the busy window. *)
- Section BusyWindowBound.
-
- (** Consider an arrival curve. *)
- Context `{MaxArrivals Task}.
-
- (** Consider a set of tasks that respects the arrival curve. *)
- Variable ts : list Task.
- Hypothesis H_taskset_respects_max_arrivals : taskset_respects_max_arrivals arr_seq ts.
-
- (** Assume that all jobs come from this task set. *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** Consider a constant [L] such that... *)
- Variable L : duration.
- (** ... [L] is greater than [0], and... *)
- Hypothesis H_L_positive : L > 0.
-
- (** [L] is the fixed point of the following equation. *)
- Hypothesis H_fixed_point : L = total_request_bound_function ts L.
-
- (** Assume all jobs have a valid job cost. *)
- Hypothesis H_arrivals_have_valid_job_costs : arrivals_have_valid_job_costs arr_seq.
-
- (** Then, we prove that [L] is a bound on the length of the busy window. *)
- Lemma instantiated_busy_intervals_are_bounded:
- busy_intervals_are_bounded_by arr_seq sched tsk interference interfering_workload L.
- Proof.
- move => j ARR TSK POS.
- edestruct exists_busy_interval_from_total_workload_bound
- with (Δ := L) as [t1 [t2 [T1 [T2 GGG]]]]; rt_eauto.
- { intros; rewrite {2}H_fixed_point; apply total_workload_le_total_rbf; try by done. }
- exists t1, t2; split; first by done.
- by eapply instantiated_busy_interval_equivalent_busy_interval; rt_eauto.
- Qed.
-
- End BusyWindowBound.
-
- End I_IW_correctness.
-
-End JLFPInstantiation.
-
-Global Opaque is_interference_from_another_hep_job.
diff --git a/analysis/abstract/run_to_completion.v b/analysis/abstract/run_to_completion.v
deleted file mode 100644
index 2d442f5fc2b7f0dd798ede6d3e7aba8eb3cc85fe..0000000000000000000000000000000000000000
--- a/analysis/abstract/run_to_completion.v
+++ /dev/null
@@ -1,205 +0,0 @@
-Require Export prosa.analysis.facts.model.service_of_jobs.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.job_preemptable.
-Require Export prosa.analysis.abstract.definitions.
-
-(** * Run-to-Completion Threshold of a job *)
-(** In this module, we provide a sufficient condition under which a job
- receives enough service to become non-preemptive. *)
-(** Previously we defined the notion of run-to-completion threshold (see file
- abstract.run_to_completion_threshold.v). Run-to-completion threshold is the
- amount of service after which a job cannot be preempted until its completion.
- In this section we prove that if cumulative interference inside a busy interval
- is bounded by a certain constant then a job executes long enough to reach its
- run-to-completion threshold and become non-preemptive. *)
-Section AbstractRTARunToCompletionThreshold.
-
- (** Consider any type of jobs. *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** In addition, we assume existence of a function
- mapping jobs to their preemption points. *)
- Context `{JobPreemptable Job}.
-
- (** Consider any kind of uni-service ideal processor state model. *)
- Context {PState : ProcessorState Job}.
- Hypothesis H_ideal_progress_proc_model : ideal_progress_proc_model PState.
- Hypothesis H_unit_service_proc_model : unit_service_proc_model PState.
-
- (** Consider any arrival sequence with consistent arrivals ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** ... and any schedule of this arrival sequence. *)
- Variable sched : schedule PState.
-
- (** Assume we are provided with abstract functions for interference and interfering workload. *)
- Variable interference : Job -> instant -> bool.
- Variable interfering_workload : Job -> instant -> duration.
-
- (** For simplicity, let's define some local names. *)
- Let work_conserving := work_conserving arr_seq sched.
- Let cumul_interference := cumul_interference interference.
- Let cumul_interfering_workload := cumul_interfering_workload interfering_workload.
- Let busy_interval := busy_interval sched interference interfering_workload.
-
- (** We assume that the schedule is work-conserving. *)
- Hypothesis H_work_conserving: work_conserving interference interfering_workload.
-
- (** Let [j] be any job of task [tsk] with positive cost. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** Next, consider any busy interval <<[t1, t2)>> of job [j]. *)
- Variable t1 t2 : instant.
- Hypothesis H_busy_interval : busy_interval j t1 t2.
-
- (** First, we prove that job [j] completes by the end of the busy interval.
- Note that the busy interval contains the execution of job j, in addition
- time instant t2 is a quiet time. Thus by the definition of a quiet time
- the job should be completed before time t2. *)
- Lemma job_completes_within_busy_interval:
- completed_by sched j t2.
- Proof.
- move: (H_busy_interval) => [[/andP [_ LT] [_ _]] [_ QT2]].
- unfold pending, has_arrived in QT2.
- move: QT2; rewrite /pending negb_and; move => /orP [QT2|QT2].
- { by move: QT2 => /negP QT2; exfalso; apply QT2, ltnW. }
- by rewrite Bool.negb_involutive in QT2.
- Qed.
-
- (** In this section we show that the cumulative interference is a complement to
- the total time where job [j] is scheduled inside the busy interval. *)
- Section InterferenceIsComplement.
-
- (** Consider any sub-interval <<[t, t + delta)>> inside the busy interval [t1, t2). *)
- Variables (t : instant) (delta : duration).
- Hypothesis H_greater_than_or_equal : t1 <= t.
- Hypothesis H_less_or_equal: t + delta <= t2.
-
- (** We prove that sum of cumulative service and cumulative interference
- in the interval <<[t, t + delta)>> is equal to delta. *)
- Lemma interference_is_complement_to_schedule:
- service_during sched j t (t + delta) + cumul_interference j t (t + delta) = delta.
- Proof.
- rewrite /service_during /cumul_interference/service_at.
- rewrite -big_split //=.
- rewrite -{2}(sum_of_ones t delta).
- rewrite big_nat [in RHS]big_nat.
- apply: eq_bigr=> x /andP[Lo Hi].
- move: (H_work_conserving j t1 t2 x) => Workj.
- feed_n 4 Workj; try done.
- { by apply/andP; split; eapply leq_trans; eauto 2. }
- destruct interference.
- - replace (service_in _ _) with 0; auto; symmetry.
- apply no_service_not_scheduled; auto.
- now apply/negP; intros SCHED; apply Workj in SCHED; apply SCHED.
- - replace (service_in _ _) with 1; auto; symmetry.
- apply/eqP; rewrite eqn_leq; apply/andP; split.
- + apply H_unit_service_proc_model.
- + now apply H_ideal_progress_proc_model, Workj.
- Qed.
-
- End InterferenceIsComplement.
-
- (** In this section, we prove a sufficient condition under which job [j] receives enough service. *)
- Section InterferenceBoundedImpliesEnoughService.
-
- (** Let progress_of_job be the desired service of job j. *)
- Variable progress_of_job : duration.
- Hypothesis H_progress_le_job_cost : progress_of_job <= job_cost j.
-
- (** Assume that for some delta, the sum of desired progress and cumulative
- interference is bounded by delta (i.e., the supply). *)
- Variable delta : duration.
- Hypothesis H_total_workload_is_bounded:
- progress_of_job + cumul_interference j t1 (t1 + delta) <= delta.
-
- (** Then, it must be the case that the job has received no less service than progress_of_job. *)
- Theorem j_receives_at_least_run_to_completion_threshold:
- service sched j (t1 + delta) >= progress_of_job.
- Proof.
- case NEQ: (t1 + delta <= t2); last first.
- { intros.
- have L8 := job_completes_within_busy_interval.
- apply leq_trans with (job_cost j); first by done.
- rewrite /service.
- rewrite -(service_during_cat _ _ _ t2).
- apply leq_trans with (service_during sched j 0 t2); [by done | by rewrite leq_addr].
- by apply/andP; split; last (apply negbT in NEQ; apply ltnW; rewrite ltnNge).
- }
- { move: H_total_workload_is_bounded => BOUND.
- rewrite addnC in BOUND.
- apply leq_subRL_impl in BOUND.
- apply leq_trans with (delta - cumul_interference j t1 (t1 + delta)); first by done.
- apply leq_trans with (service_during sched j t1 (t1 + delta)).
- { rewrite -{1}[delta](interference_is_complement_to_schedule t1) //.
- rewrite -addnBA // subnn addn0 //.
- }
- { rewrite /service -[X in _ <= X](service_during_cat _ _ _ t1).
- rewrite leq_addl //.
- by apply/andP; split; last rewrite leq_addr.
- }
- }
- Qed.
-
- End InterferenceBoundedImpliesEnoughService.
-
- (** In this section we prove a simple lemma about completion of
- a job after is reaches run-to-completion threshold. *)
- Section CompletionOfJobAfterRunToCompletionThreshold.
-
- (** Assume that completed jobs do not execute ... *)
- Hypothesis H_completed_jobs_dont_execute:
- completed_jobs_dont_execute sched.
-
- (** .. and the preemption model is valid. *)
- Hypothesis H_valid_preemption_model:
- valid_preemption_model arr_seq sched.
-
- (** Then, job [j] must complete in [job_cost j - job_rtct j] time
- units after it reaches run-to-completion threshold. *)
- Lemma job_completes_after_reaching_run_to_completion_threshold:
- forall t,
- job_rtct j <= service sched j t ->
- completed_by sched j (t + (job_cost j - job_rtct j)).
- Proof.
- move => t ES.
- set (job_cost j - job_rtct j) as job_last.
- have LSNP := @job_nonpreemptive_after_run_to_completion_threshold
- Job H0 H1 _ arr_seq sched _ j _ t.
- apply negbNE; apply/negP; intros CONTR.
- have SCHED: forall t', t <= t' <= t + job_last -> scheduled_at sched j t'.
- { move => t' /andP [GE LT].
- rewrite -[t'](@subnKC t) //.
- eapply LSNP; eauto 2; first by rewrite leq_addr.
- rewrite subnKC //.
- apply/negP; intros COMPL.
- move: CONTR => /negP Temp; apply: Temp.
- exact: completion_monotonic COMPL.
- }
- have SERV: job_last + 1 <= \sum_(t <= t' < t + (job_last + 1)) service_at sched j t'.
- { rewrite -{1}[job_last + 1]addn0 -{2}(subnn t) addnBA // addnC.
- rewrite -{1}[_+_-_]addn0 -[_+_-_]mul1n -iter_addn -big_const_nat.
- rewrite big_nat_cond [in X in _ <= X]big_nat_cond.
- rewrite leq_sum //.
- move => t' /andP [NEQ _].
- apply H_ideal_progress_proc_model; apply SCHED.
- by rewrite addn1 addnS ltnS in NEQ.
- }
- move: (service_at_most_cost
- _ H_completed_jobs_dont_execute j H_unit_service_proc_model
- (t + job_last.+1)).
- rewrite leqNgt; move => /negP T; apply: T.
- rewrite /service -(service_during_cat _ _ _ t); last by (apply/andP; split; last rewrite leq_addr).
- apply leq_trans with (job_rtct j + service_during sched j t (t + job_last.+1));
- last by rewrite leq_add2r.
- apply leq_trans with (job_rtct j + job_last.+1); last by rewrite leq_add2l /service_during -addn1.
- by rewrite addnS ltnS subnKC //; eapply job_run_to_completion_threshold_le_job_cost; eauto.
- Qed.
-
- End CompletionOfJobAfterRunToCompletionThreshold.
-
-End AbstractRTARunToCompletionThreshold.
diff --git a/analysis/abstract/search_space.v b/analysis/abstract/search_space.v
deleted file mode 100644
index ae74e993f8c9c0ff62efbc066fcf6e6ad4eab719..0000000000000000000000000000000000000000
--- a/analysis/abstract/search_space.v
+++ /dev/null
@@ -1,165 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-Require Import prosa.util.epsilon.
-Require Import prosa.util.tactics.
-Require Import prosa.model.task.concept.
-
-(** * Reduction of the search space for Abstract RTA *)
-(** In this file, we prove that in order to calculate the worst-case response time
- it is sufficient to consider only values of [A] that lie in the search space defined below. *)
-
-Section AbstractRTAReduction.
-
- (** The response-time analysis we are presenting in this series of documents is based on searching
- over all possible values of [A], the relative arrival time of the job respective to the beginning
- of the busy interval. However, to obtain a practically useful response-time bound, we need to
- constrain the search space of values of [A]. In this section, we define an approach to
- reduce the search space. *)
-
- Context {Task : TaskType}.
-
- (** First, we provide a constructive notion of equivalent functions. *)
- Section EquivalentFunctions.
-
- (** Consider an arbitrary type [T]... *)
- Context {T : eqType}.
-
- (** ...and two function from [nat] to [T]. *)
- Variables f1 f2 : nat -> T.
-
- (** Let [B] be an arbitrary constant. *)
- Variable B : nat.
-
- (** Then we say that [f1] and [f2] are equivalent at values less than [B] iff
- for any natural number [x] less than [B] [f1 x] is equal to [f2 x]. *)
- Definition are_equivalent_at_values_less_than :=
- forall x, x < B -> f1 x = f2 x.
-
- (** And vice versa, we say that [f1] and [f2] are not equivalent at values
- less than [B] iff there exists a natural number [x] less than [B] such
- that [f1 x] is not equal to [f2 x]. *)
- Definition are_not_equivalent_at_values_less_than :=
- exists x, x < B /\ f1 x <> f2 x.
-
- End EquivalentFunctions.
-
- (** Let [tsk] be any task that is to be analyzed *)
- Variable tsk : Task.
-
- (** To ensure that the analysis procedure terminates, we assume an upper bound [B] on
- the values of [A] that must be checked. The existence of [B] follows from the assumption
- that the system is not overloaded (i.e., it has bounded utilization). *)
- Variable B : duration.
-
- (** Instead of searching for the maximum interference of each individual job, we
- assume a per-task interference bound function [IBF(tsk, A, x)] that is parameterized
- by the relative arrival time [A] of a potential job (see abstract_RTA.definitions.v file). *)
- Variable interference_bound_function : Task -> duration -> duration -> duration.
-
- (** Recall the definition of [ε], which defines the neighborhood of a point in the timeline.
- Note that [ε = 1] under discrete time. *)
- (** To ensure that the search converges more quickly, we only check values of [A] in the interval
- <<[0, B)>> for which the interference bound function changes, i.e., every point [x] in which
- [interference_bound_function (A - ε, x)] is not equal to [interference_bound_function (A, x)]. *)
- Definition is_in_search_space A :=
- A = 0 \/
- 0 < A < B /\ are_not_equivalent_at_values_less_than
- (interference_bound_function tsk (A - ε)) (interference_bound_function tsk A) B.
-
- (** In this section we prove that for every [A] there exists a smaller [A_sp]
- in the search space such that [interference_bound_function(A_sp,x)] is
- equal to [interference_bound_function(A, x)]. *)
- Section ExistenceOfRepresentative.
-
- (** Let [A] be any constant less than [B]. *)
- Variable A : duration.
- Hypothesis H_A_less_than_B : A < B.
-
- (** We prove that there exists a constant [A_sp] such that:
- (a) [A_sp] is no greater than [A], (b) [interference_bound_function(A_sp, x)] is
- equal to [interference_bound_function(A, x)] and (c) [A_sp] is in the search space.
- In other words, either [A] is already inside the search space, or we can go
- to the "left" until we reach [A_sp], which will be inside the search space. *)
- Lemma representative_exists:
- exists A_sp,
- A_sp <= A /\
- are_equivalent_at_values_less_than (interference_bound_function tsk A)
- (interference_bound_function tsk A_sp) B /\
- is_in_search_space A_sp.
- Proof.
- induction A as [|n].
- - exists 0; repeat split.
- by rewrite /is_in_search_space; left.
- - have ALT:
- all (fun t => interference_bound_function tsk n t == interference_bound_function tsk n.+1 t) (iota 0 B)
- \/ has (fun t => interference_bound_function tsk n t != interference_bound_function tsk n.+1 t) (iota 0 B).
- { apply/orP.
- rewrite -[_ || _]Bool.negb_involutive Bool.negb_orb.
- apply/negP; intros CONTR.
- move: CONTR => /andP [NALL /negP NHAS]; apply: NHAS.
- by rewrite -has_predC /predC in NALL.
- }
- feed IHn; first by apply ltn_trans with n.+1.
- move: IHn => [ASP [NEQ [EQ SP]]].
- move: ALT => [/allP ALT| /hasP ALT].
- { exists ASP; repeat split; try done.
- { by apply leq_trans with n. }
- { intros x LT.
- move: (ALT x) => T. feed T; first by rewrite mem_iota; apply/andP; split.
- move: T => /eqP T.
- by rewrite -T EQ.
- }
- }
- { exists n.+1; repeat split; try done.
- rewrite /is_in_search_space; right.
- split; first by apply/andP; split.
- move: ALT => [y IN N].
- exists y.
- move: IN; rewrite mem_iota add0n. move => /andP [_ LT].
- split; first by done.
- rewrite subn1 -pred_Sn.
- intros CONTR; move: N => /negP N; apply: N.
- by rewrite CONTR.
- }
- Qed.
-
- End ExistenceOfRepresentative.
-
- (** In this section we prove that any solution of the response-time recurrence for
- a given point [A_sp] in the search space also gives a solution for any point
- A that shares the same interference bound. *)
- Section FixpointSolutionForAnotherA.
-
- (** Suppose [A_sp + F_sp] is a "small" solution (i.e. less than [B]) of the response-time recurrence. *)
- Variables A_sp F_sp : duration.
- Hypothesis H_less_than : A_sp + F_sp < B.
- Hypothesis H_fixpoint : A_sp + F_sp >= interference_bound_function tsk A_sp (A_sp + F_sp).
-
- (** Next, let [A] be any point such that: (a) [A_sp <= A <= A_sp + F_sp] and
- (b) [interference_bound_function(A, x)] is equal to
- [interference_bound_function(A_sp, x)] for all [x] less than [B]. *)
- Variable A : duration.
- Hypothesis H_bounds_for_A : A_sp <= A <= A_sp + F_sp.
- Hypothesis H_equivalent :
- are_equivalent_at_values_less_than
- (interference_bound_function tsk A)
- (interference_bound_function tsk A_sp) B.
-
- (** We prove that there exists a constant [F] such that [A + F] is equal to [A_sp + F_sp]
- and [A + F] is a solution for the response-time recurrence for [A]. *)
- Lemma solution_for_A_exists:
- exists F,
- A_sp + F_sp = A + F /\
- F <= F_sp /\
- A + F >= interference_bound_function tsk A (A + F).
- Proof.
- move: H_bounds_for_A => /andP [NEQ1 NEQ2].
- set (X := A_sp + F_sp) in *.
- exists (X - A); split; last split.
- - by rewrite subnKC.
- - by rewrite leq_subLR /X leq_add2r.
- - by rewrite subnKC // H_equivalent.
- Qed.
-
- End FixpointSolutionForAnotherA.
-
-End AbstractRTAReduction.
diff --git a/analysis/definitions/always_higher_priority.v b/analysis/definitions/always_higher_priority.v
deleted file mode 100644
index 34aa1696943361025d767bb9c13fc60425b48198..0000000000000000000000000000000000000000
--- a/analysis/definitions/always_higher_priority.v
+++ /dev/null
@@ -1,20 +0,0 @@
-Require Export prosa.model.priority.classes.
-
-(** * Always Higher Priority *)
-(** In this section, we define what it means for a job to always have
- a higher priority than another job. *)
-Section AlwaysHigherPriority.
-
- (** Consider any type of jobs ... *)
- Context {Job : JobType}.
-
- (** ... and any JLDP policy. *)
- Context `{JLDP_policy Job}.
-
- (** We say that a job [j1] always has higher priority than job [j2]
- if, at any time [t], the priority of job [j1] is strictly higher than
- the priority of job [j2]. *)
- Definition always_higher_priority (j1 j2 : Job) :=
- forall t, hep_job_at t j1 j2 && ~~ hep_job_at t j2 j1.
-
-End AlwaysHigherPriority.
diff --git a/analysis/definitions/busy_interval.v b/analysis/definitions/busy_interval.v
deleted file mode 100644
index 05f34720fbdc20a0f24e4944f6b33129f07be54a..0000000000000000000000000000000000000000
--- a/analysis/definitions/busy_interval.v
+++ /dev/null
@@ -1,92 +0,0 @@
-Require Export prosa.model.priority.classes.
-Require Export prosa.analysis.facts.behavior.completion.
-
-(** * Busy Interval for JLFP-models *)
-(** In this file we define the notion of busy intervals for uniprocessor for JLFP schedulers. *)
-Section BusyIntervalJLFP.
-
- (** Consider any type of jobs. *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any kind of processor state model. *)
- Context {PState : ProcessorState Job}.
-
- (** Consider any arrival sequence with consistent arrivals ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** ... and a schedule of this arrival sequence. *)
- Variable sched : schedule PState.
-
- (** Assume a given JLFP policy. *)
- Context `{JLFP_policy Job}.
-
- (** In this section, we define the notion of a busy interval. *)
- Section BusyInterval.
-
- (** Consider any job j. *)
- Variable j : Job.
- Hypothesis H_from_arrival_sequence : arrives_in arr_seq j.
-
- (** We say that [t] is a quiet time for [j] iff every higher-priority job from
- the arrival sequence that arrived before [t] has completed by that time. *)
- Definition quiet_time (t : instant) :=
- forall (j_hp : Job),
- arrives_in arr_seq j_hp ->
- hep_job j_hp j ->
- arrived_before j_hp t ->
- completed_by sched j_hp t.
-
- (** Based on the definition of quiet time, we say that interval
- <<[t1, t_busy)>> is a (potentially unbounded) busy-interval prefix
- iff the interval starts with a quiet time where a higher or equal
- priority job is released and remains non-quiet. We also require
- job [j] to be released in the interval. *)
- Definition busy_interval_prefix (t1 t_busy : instant) :=
- t1 < t_busy /\
- quiet_time t1 /\
- (forall t, t1 < t < t_busy -> ~ quiet_time t) /\
- t1 <= job_arrival j < t_busy.
-
- (** Next, we say that an interval <<[t1, t2)>> is a busy interval iff
- <<[t1, t2)>> is a busy-interval prefix and [t2] is a quiet time. *)
- Definition busy_interval (t1 t2 : instant) :=
- busy_interval_prefix t1 t2 /\
- quiet_time t2.
-
- End BusyInterval.
-
- (** In this section we define the computational
- version of the notion of quiet time. *)
- Section DecidableQuietTime.
-
- (** We say that t is a quiet time for [j] iff every higher-priority job from
- the arrival sequence that arrived before [t] has completed by that time. *)
- Definition quiet_time_dec (j : Job) (t : instant) :=
- all
- (fun j_hp => hep_job j_hp j ==> (completed_by sched j_hp t))
- (arrivals_before arr_seq t).
-
- (** We also show that the computational and propositional definitions are equivalent. *)
- Lemma quiet_time_P :
- forall j t, reflect (quiet_time j t) (quiet_time_dec j t).
- Proof.
- intros; apply/introP.
- - intros QT s ARRs HPs BEFs.
- move: QT => /allP QT.
- specialize (QT s); feed QT.
- eapply arrived_between_implies_in_arrivals; eauto 2.
- by move: QT => /implyP Q; apply Q in HPs.
- - move => /negP DEC; intros QT; apply: DEC.
- apply/allP; intros s ARRs.
- apply/implyP; intros HPs.
- apply QT; try done.
- + by apply in_arrivals_implies_arrived in ARRs.
- + by eapply in_arrivals_implies_arrived_between in ARRs; eauto 2.
- Qed.
-
- End DecidableQuietTime.
-
-End BusyIntervalJLFP.
diff --git a/analysis/definitions/carry_in.v b/analysis/definitions/carry_in.v
deleted file mode 100644
index dc49b2269504061f28ea10255e5bcf37b86df564..0000000000000000000000000000000000000000
--- a/analysis/definitions/carry_in.v
+++ /dev/null
@@ -1,32 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq fintype bigop.
-Require Export prosa.model.priority.classes.
-
-(** * No Carry-In *)
-(** In this module, we define the notion of a time without any carry-in work. *)
-Section NoCarryIn.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks, where each
- job has an arrival time and a cost. *)
- Context {Job : JobType} `{JobTask Job Task} `{JobArrival Job} `{JobCost Job}.
-
- (** Consider any arrival sequence of such jobs with consistent arrivals ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** ... and the resultant schedule. *)
- Context {PState : ProcessorState Job}.
- Variable sched : schedule PState.
-
- (** There is no carry-in at time [t] iff every job (regardless of priority)
- from the arrival sequence released before [t] has completed by that time. *)
- Definition no_carry_in (t : instant) :=
- forall j_o,
- arrives_in arr_seq j_o ->
- arrived_before j_o t ->
- completed_by sched j_o t.
-
-End NoCarryIn.
diff --git a/analysis/definitions/completion_sequence.v b/analysis/definitions/completion_sequence.v
deleted file mode 100644
index c3a34a49e704d4fdc6ee56e75cb03e268dc4069d..0000000000000000000000000000000000000000
--- a/analysis/definitions/completion_sequence.v
+++ /dev/null
@@ -1,27 +0,0 @@
-From mathcomp Require Export ssreflect seq ssrnat ssrbool eqtype.
-Require Import prosa.behavior.service.
-
-(** This module contains basic definitions and properties of job
- completion sequences. *)
-
-(** * Notion of a Completion Sequence *)
-
-(** We begin by defining a job completion sequence. *)
-Section CompletionSequence.
-
- (** Consider any kind of jobs with a cost
- and any kind of processor state. *)
- Context {Job : JobType} `{JobCost Job} {PState : ProcessorState Job}.
-
- (** Consider any job arrival sequence. *)
- Variable arr_seq: arrival_sequence Job.
-
- (** Consider any schedule. *)
- Variable sched : schedule PState.
-
- (** For each instant [t], the completion sequence returns all
- arrived jobs that have completed at [t]. *)
- Definition completion_sequence : arrival_sequence Job :=
- fun t => [seq j <- arrivals_up_to arr_seq t | completes_at sched j t].
-
-End CompletionSequence.
diff --git a/analysis/definitions/hyperperiod.v b/analysis/definitions/hyperperiod.v
deleted file mode 100644
index a3754188b6a3ff23a9ed690c87e488aae273aa75..0000000000000000000000000000000000000000
--- a/analysis/definitions/hyperperiod.v
+++ /dev/null
@@ -1,79 +0,0 @@
-From mathcomp Require Import div.
-Require Export prosa.model.task.arrival.periodic.
-Require Export prosa.util.lcmseq.
-
-(** In this file we define the notion of a hyperperiod for periodic tasks. *)
-Section Hyperperiod.
-
- (** Consider any type of periodic tasks ... *)
- Context {Task : TaskType} `{PeriodicModel Task}.
-
- (** ... and any task set [ts]. *)
- Variable ts : TaskSet Task.
-
- (** The hyperperiod of a task set is defined as the least common multiple
- (LCM) of the periods of all tasks in the task set. **)
- Definition hyperperiod : duration := lcml (map task_period ts).
-
-End Hyperperiod.
-
-(** In this section we provide basic definitions concerning the hyperperiod
- of all tasks in a task set. *)
-Section HyperperiodDefinitions.
-
- (** Consider any type of periodic tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskOffset Task}.
- Context `{PeriodicModel Task}.
-
- (** ... and any type of jobs. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any task set [ts] ... *)
- Variable ts : TaskSet Task.
-
- (** ... and any arrival sequence [arr_seq]. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Let [O_max] denote the maximum offset of all tasks in [ts] ... *)
- Let O_max := max_task_offset ts.
-
- (** ... and let [HP] denote the hyperperiod of all tasks in [ts]. *)
- Let HP := hyperperiod ts.
-
- (** We define a hyperperiod index based on an instant [t]
- which lies in it. *)
- (** Note that we consider the first hyperperiod to start at time [O_max],
- i.e., shifted by the maximum offset (and not at time zero as can also
- be found sometimes in the literature) *)
- Definition hyperperiod_index (t : instant) :=
- (t - O_max) %/ HP.
-
- (** Given an instant [t], we define the starting instant of the hyperperiod
- that contains [t]. *)
- Definition starting_instant_of_hyperperiod (t : instant) :=
- hyperperiod_index t * HP + O_max.
-
- (** Given a job [j], we define the starting instant of the hyperperiod
- in which [j] arrives. *)
- Definition starting_instant_of_corresponding_hyperperiod (j : Job) :=
- starting_instant_of_hyperperiod (job_arrival j).
-
- (** We define the sequence of jobs of a task [tsk] that arrive in a hyperperiod
- given the starting instant [h] of the hyperperiod. *)
- Definition jobs_in_hyperperiod (h : instant) (tsk : Task) :=
- task_arrivals_between arr_seq tsk h (h + HP).
-
- (** We define the index of a job [j] of task [tsk] in a hyperperiod starting at [h]. *)
- Definition job_index_in_hyperperiod (j : Job) (h : instant) (tsk : Task) :=
- index j (jobs_in_hyperperiod h tsk).
-
- (** Given a job [j] of task [tsk] and the hyperperiod starting at [h], we define a
- [corresponding_job_in_hyperperiod] which is the job that arrives in given hyperperiod
- and has the same [job_index] as [j]. *)
- Definition corresponding_job_in_hyperperiod (j : Job) (h : instant) (tsk : Task) :=
- nth j (jobs_in_hyperperiod h tsk) (job_index_in_hyperperiod j (starting_instant_of_corresponding_hyperperiod j) tsk).
-
-End HyperperiodDefinitions.
diff --git a/analysis/definitions/infinite_jobs.v b/analysis/definitions/infinite_jobs.v
deleted file mode 100644
index 07ab48a52ca2453563c71bb657149d605783e2fe..0000000000000000000000000000000000000000
--- a/analysis/definitions/infinite_jobs.v
+++ /dev/null
@@ -1,28 +0,0 @@
-Require Export prosa.model.task.arrivals.
-
-(** In this section we define the notion of an infinite release
- of jobs by a task. *)
-Section InfiniteJobs.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** We say that a task [tsk] releases an infinite number of jobs
- if for every integer [n] there exists a job [j] of task [tsk]
- such that [job_index] of [j] is equal to [n]. *)
- Definition infinite_jobs :=
- forall tsk n,
- exists j,
- arrives_in arr_seq j /\
- job_task j = tsk /\
- job_index arr_seq j = n.
-
-End InfiniteJobs.
diff --git a/analysis/definitions/job_properties.v b/analysis/definitions/job_properties.v
deleted file mode 100644
index 78443d3efde7ec863779d8f556b85dc69ce9ef42..0000000000000000000000000000000000000000
--- a/analysis/definitions/job_properties.v
+++ /dev/null
@@ -1,16 +0,0 @@
-Require Export prosa.behavior.all.
-
-(** In this section, we introduce properties of a job. *)
-Section PropertiesOfJob.
-
- (** Assume that job costs are known. *)
- Context {Job : JobType}.
- Context `{JobCost Job}.
-
- (** Consider an arbitrary job. *)
- Variable j : Job.
-
- (** The job cost must be positive. *)
- Definition job_cost_positive := job_cost j > 0.
-
-End PropertiesOfJob.
\ No newline at end of file
diff --git a/analysis/definitions/job_response_time.v b/analysis/definitions/job_response_time.v
deleted file mode 100644
index 9cc463eb11535419f6e0c00e4a7bfc2cb54bb8f1..0000000000000000000000000000000000000000
--- a/analysis/definitions/job_response_time.v
+++ /dev/null
@@ -1,23 +0,0 @@
-Require Export prosa.behavior.all.
-
-(** In this section we define what it means for the response time
- of a job to exceed some given duration. *)
-Section JobResponseTimeExceeds.
-
- (** Consider any kind of jobs ... *)
- Context {Job : JobType}.
- Context `{JobCost Job}.
- Context `{JobArrival Job}.
-
- (** ... and any kind of processor state. *)
- Context `{PState : ProcessorState Job}.
-
- (** Consider any schedule. *)
- Variable sched : schedule PState.
-
- (** We say that a job [j] has a response time exceeding a number [x]
- if [j] is pending [x] units of time after its arrival. *)
- Definition job_response_time_exceeds (j : Job) (x : duration) :=
- ~~ completed_by sched j ((job_arrival j) + x).
-
-End JobResponseTimeExceeds.
diff --git a/analysis/definitions/priority_inversion.v b/analysis/definitions/priority_inversion.v
deleted file mode 100644
index 8ea87fe7ddf5d59e112949201535644e3c7ad9d2..0000000000000000000000000000000000000000
--- a/analysis/definitions/priority_inversion.v
+++ /dev/null
@@ -1,164 +0,0 @@
-Require Export prosa.analysis.definitions.busy_interval.
-
-(** * Priority Inversion *)
-(** In this section, we define the notion of priority inversion for
- arbitrary processors. *)
-Section PriorityInversion.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Next, consider _any_ kind of processor state model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any arrival sequence, ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any schedule. *)
- Variable sched : schedule PState.
-
- (** Assume a given JLFP policy. *)
- Context `{JLFP_policy Job}.
-
- (** Consider an arbitrary job. *)
- Variable j : Job.
-
- (** We say that the job incurs priority inversion if it has higher
- priority than the scheduled job. Note that this definition
- implicitly assumes that the scheduler is
- work-conserving. Therefore, it cannot be applied to models with
- jitter or self-suspensions. *)
- Definition priority_inversion (t : instant) :=
- ~~ scheduled_at sched j t /\
- exists jlp,
- scheduled_at sched jlp t && ~~ hep_job jlp j.
-
- (** Similarly, we define a decidable counterpart of
- [priority_inversion]. *)
- Definition priority_inversion_dec (t : instant) :=
- ~~ scheduled_at sched j t &&
- has (fun jlp => scheduled_at sched jlp t && ~~ hep_job jlp j)
- (arrivals_before arr_seq t.+1).
-
- (** In the following short section we show that the propositional
- and computational versions of [priority_inversion] are
- equivalent. *)
- Section PriorityInversionReflection.
-
- (** We assume that all jobs come from the arrival sequence and do
- not execute before their arrival nor after completion. *)
- Hypothesis H_jobs_come_from_arrival_sequence : jobs_come_from_arrival_sequence sched arr_seq.
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Then the propositional and computational versions of
- [priority_inversion] are equivalent.*)
- Lemma priority_inversion_P :
- forall t, reflect (priority_inversion t) (priority_inversion_dec t).
- Proof.
- intros t; apply /introP.
- - move=> /andP [SCHED /hasP [jlp ARR PRIO]].
- by split => //; (exists jlp).
- - rewrite negb_and /priority_inversion; move=> /orP NPRIO.
- destruct NPRIO as [NSCHED | NHAS].
- + rewrite Bool.negb_involutive in NSCHED.
- by rewrite NSCHED; intros [F _].
- + move => [NSCHED [jlp /andP[SCHED_jlp NHEP]]].
- move: NHAS => /hasPn NJOBS.
- specialize (NJOBS jlp).
- have ARR: jlp \in arrivals_before arr_seq t.+1.
- { move: (H_jobs_must_arrive_to_execute jlp t SCHED_jlp) => ARR.
- apply arrived_between_implies_in_arrivals => //=.
- by apply (H_jobs_come_from_arrival_sequence jlp t).
- }
- move: (NJOBS ARR) => /negP NN.
- by apply NN; apply /andP; split => //.
- Qed.
-
- End PriorityInversionReflection.
-
- (** Cumulative priority inversion incurred by a job within some time
- interval <<[t1, t2)>> is the total number of time instances
- within <<[t1,t2)>> at which job [j] incurred priority
- inversion. *)
- Definition cumulative_priority_inversion (t1 t2 : instant) :=
- \sum_(t1 <= t < t2) priority_inversion_dec t.
-
- (** We say that the priority inversion experienced by a job [j] is
- bounded by a constant [B] if the cumulative priority inversion
- within any busy interval prefix is bounded by [B]. *)
- Definition priority_inversion_of_job_is_bounded_by_constant (B : duration) :=
- forall (t1 t2 : instant),
- busy_interval_prefix arr_seq sched j t1 t2 ->
- cumulative_priority_inversion t1 t2 <= B.
-
- (** More generally, if the priority inversion experienced by job [j]
- depends on its relative arrival time w.r.t. the beginning of its
- busy interval at a time [t1], we say that the priority inversion
- of job [j] is bounded by a function [B : duration -> duration] if
- the cumulative priority inversion within any busy interval
- prefix is bounded by [B (job_arrival j - t1)] *)
- Definition priority_inversion_of_job_is_bounded_by (B : duration -> duration) :=
- forall (t1 t2 : instant),
- busy_interval_prefix arr_seq sched j t1 t2 ->
- cumulative_priority_inversion t1 t2 <= B (job_arrival j - t1).
-
-End PriorityInversion.
-
-(** In this section, we define a notion of the bounded priority inversion for tasks. *)
-Section TaskPriorityInversionBound.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Next, consider _any_ kind of processor state model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any arrival sequence, ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any schedule. *)
- Variable sched : schedule PState.
-
- (** Assume a given JLFP policy. *)
- Context `{JLFP_policy Job}.
-
- (** Consider an arbitrary task [tsk]. *)
- Variable tsk : Task.
-
- (** We say that priority inversion of task [tsk] is bounded by a constant
- [B] if all jobs released by the task have cumulative priority inversion
- bounded by [B]. *)
- Definition priority_inversion_is_bounded_by_constant (B : duration) :=
- forall (j : Job),
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- job_cost j > 0 ->
- priority_inversion_of_job_is_bounded_by_constant arr_seq sched j B.
-
- (** We say that task [tsk] has bounded priority inversion if all its
- jobs have bounded cumulative priority inversion that depends on
- its relative arrival time w.r.t. the beginning of the busy
- interval. *)
- Definition priority_inversion_is_bounded_by (B : duration -> duration) :=
- forall (j : Job),
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- job_cost j > 0 ->
- priority_inversion_of_job_is_bounded_by arr_seq sched j B.
-
-End TaskPriorityInversionBound.
diff --git a/analysis/definitions/progress.v b/analysis/definitions/progress.v
deleted file mode 100644
index 40962cb310a3610e8043f6de9df7b2a1679fd1ae..0000000000000000000000000000000000000000
--- a/analysis/definitions/progress.v
+++ /dev/null
@@ -1,62 +0,0 @@
-Require Export prosa.analysis.facts.behavior.service.
-
-(** * Job Progress (or Lack Thereof) *)
-
-(** In the following section, we define a notion of "job progress", and
- conversely a notion of a lack of progress. *)
-
-Section Progress.
-
- (** Consider any type of jobs with a known cost... *)
- Context {Job : JobType}.
- Context `{JobCost Job}.
-
- (** ... and any kind of schedule. *)
- Context {PState : ProcessorState Job}.
-
- (** For a given job and a given schedule... *)
- Variable sched : schedule PState.
- Variable j : Job.
-
- Section NotionsOfProgress.
-
- (** ...and two ordered points in time... *)
- Variable t1 t2 : nat.
- Hypothesis H_t1_before_t2: t1 <= t2.
-
- (** ... we say that the job has progressed between the two points iff its
- total received service has increased. *)
- Definition job_has_progressed := service sched j t1 < service sched j t2.
-
- (** Conversely, if the accumulated service does not change, there is no
- progress. *)
- Definition no_progress := service sched j t1 == service sched j t2.
-
- (** We note that the negation of the former is equivalent to the latter
- definition. *)
- Lemma no_progress_equiv: ~~ job_has_progressed <-> no_progress.
- Proof.
- rewrite /job_has_progressed /no_progress.
- split.
- { rewrite -leqNgt leq_eqVlt => /orP [EQ|LT]; first by rewrite eq_sym.
- exfalso.
- have MONO: service sched j t1 <= service sched j t2
- by apply service_monotonic.
- have NOT_MONO: ~~ (service sched j t1 <= service sched j t2)
- by apply /negPf; apply ltn_geF.
- move: NOT_MONO => /negP NOT_MONO.
- contradiction. }
- { move => /eqP ->.
- rewrite -leqNgt.
- by apply service_monotonic. }
- Qed.
-
- End NotionsOfProgress.
-
- (** For convenience, we define a lack of progress also in terms of given
- reference point [t] and the length of the preceding interval of
- inactivity [delta], meaning that no progress has been made for at least
- [delta] time units. *)
- Definition no_progress_for (t : instant) (delta : duration) := no_progress (t - delta) t.
-
-End Progress.
diff --git a/analysis/definitions/readiness.v b/analysis/definitions/readiness.v
deleted file mode 100644
index 10ece80b735595f73c7eef36a2054d0a5beaf33b..0000000000000000000000000000000000000000
--- a/analysis/definitions/readiness.v
+++ /dev/null
@@ -1,48 +0,0 @@
-Require Export prosa.behavior.ready.
-Require Export prosa.analysis.definitions.schedule_prefix.
-Require Export prosa.model.preemption.parameter.
-Require Export prosa.model.priority.classes.
-
-(** * Properties of Readiness Models *)
-
-(** In this file, we define commonsense properties of readiness models. *)
-Section ReadinessModelProperties.
-
- (** For any type of jobs with costs and arrival times ... *)
- Context {Job : JobType} `{JobCost Job} `{JobArrival Job}.
-
- (** ... and any kind of processor model, ... *)
- Context {PState: ProcessorState Job}.
-
- (** ... consider a notion of job readiness. *)
- Variable ReadinessModel : JobReady Job PState.
-
- (** First, we define a notion of non-clairvoyance for readiness
- models. Intuitively, whether a job is ready or not should depend only on
- the past (i.e., prior allocation decisions and job behavior), not on
- future events. Formally, we say that the [ReadinessModel] is
- non-clairvoyant if a job's readiness at a given time does not vary across
- schedules with identical prefixes. That is, given two schedules [sched]
- and [sched'], the predicates [job_ready sched j t] and [job_ready sched'
- j t] may not differ if [sched] and [sched'] are identical prior to time
- [t]. *)
- Definition nonclairvoyant_readiness :=
- forall sched sched' j h,
- identical_prefix sched sched' h ->
- forall t,
- t <= h ->
- job_ready sched j t = job_ready sched' j t.
-
- (** Next, we relate the readiness model to the preemption model. *)
- Context `{JobPreemptable Job}.
-
- (** In a preemption-policy-compliant schedule, nonpreemptive jobs must remain
- scheduled. Further, in a valid schedule, scheduled jobs must be
- ready. Consequently, in a valid preemption-policy-compliant schedule, a
- nonpreemptive job must remain ready until at least the end of its
- nonpreemptive section. *)
- Definition valid_nonpreemptive_readiness sched :=
- forall j t,
- ~~ job_preemptable j (service sched j t) -> job_ready sched j t.
-
-End ReadinessModelProperties.
diff --git a/analysis/definitions/request_bound_function.v b/analysis/definitions/request_bound_function.v
deleted file mode 100644
index c612ec57389979b3c30bbcad40358fe51368382c..0000000000000000000000000000000000000000
--- a/analysis/definitions/request_bound_function.v
+++ /dev/null
@@ -1,85 +0,0 @@
-Require Export prosa.model.task.arrival.curves.
-Require Export prosa.model.priority.classes.
-
-(** * Request Bound Function (RBF) *)
-
-(** We define the notion of a task's request-bound function (RBF), as well as
- the total request bound function of a set of tasks. *)
-
-Section TaskWorkloadBoundedByArrivalCurves.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks, where each task has
- a cost. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobCost Job}.
-
- (** ... and an FP policy that indicates a higher-or-equal priority
- relation. *)
- Context `{FP_policy Task}.
-
- (** Let [MaxArrivals] denote any function that takes a task and an interval length
- and returns the associated number of job arrivals of the task. *)
- Context `{MaxArrivals Task}.
-
- (** ** RBF of a Single Task *)
-
- (** In this section, we define a bound for the workload of a single task
- under uni-processor FP scheduling. *)
- Section SingleTask.
-
- (** Consider any task [tsk] that is to be scheduled in an interval of length delta. *)
- Variable tsk : Task.
- Variable delta : duration.
-
- (** We define the following workload bound for the task. *)
- Definition task_request_bound_function :=
- task_cost tsk * max_arrivals tsk delta.
-
- End SingleTask.
-
- (** ** Total RBF of Multiple Tasks *)
-
- (** In this section, we define a bound for the workload of multiple tasks. *)
- Section AllTasks.
-
- (** Consider a task set ts... *)
- Variable ts : list Task.
-
- (** ...and let [tsk] be any task in task set. *)
- Variable tsk : Task.
-
- (** Let delta be the length of the interval of interest. *)
- Variable delta : duration.
-
- (** Recall the definition of higher-or-equal-priority task and the per-task
- workload bound for FP scheduling. *)
- Let is_hep_task tsk_other := hep_task tsk_other tsk.
- Let is_other_hep_task tsk_other := hep_task tsk_other tsk && (tsk_other != tsk).
-
- (** Using the sum of individual workload bounds, we define the following
- bound for the total workload of tasks in any interval of length
- delta. *)
- Definition total_request_bound_function :=
- \sum_(tsk <- ts) task_request_bound_function tsk delta.
-
- (** Similarly, we define the following bound for the total workload of
- tasks of higher-or-equal priority (with respect to [tsk]) in any interval
- of length delta. *)
- Definition total_hep_request_bound_function_FP :=
- \sum_(tsk_other <- ts | is_hep_task tsk_other)
- task_request_bound_function tsk_other delta.
-
- (** We also define a bound for the total workload of higher-or-equal
- priority tasks other than [tsk] in any interval of length delta. *)
- Definition total_ohep_request_bound_function_FP :=
- \sum_(tsk_other <- ts | is_other_hep_task tsk_other)
- task_request_bound_function tsk_other delta.
-
- End AllTasks.
-
-End TaskWorkloadBoundedByArrivalCurves.
diff --git a/analysis/definitions/schedulability.v b/analysis/definitions/schedulability.v
deleted file mode 100644
index d3ee7d7bf68ed811545a1c7185f3dfe4c40821cf..0000000000000000000000000000000000000000
--- a/analysis/definitions/schedulability.v
+++ /dev/null
@@ -1,162 +0,0 @@
-Require Export prosa.analysis.facts.behavior.completion.
-Require Import prosa.model.task.absolute_deadline.
-
-(** * Schedulability *)
-
-(** In the following section we define the notion of schedulable
- task. *)
-Section Task.
-
- (** Consider any type of tasks, ... *)
- Context {Task : TaskType}.
-
- (** ... any type of jobs associated with these tasks, ... *)
- Context {Job: JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobDeadline Job}.
- Context `{JobTask Job Task}.
-
- (** ... and any kind of processor state. *)
- Context {PState : ProcessorState Job}.
-
- (** Consider any job arrival sequence... *)
- Variable arr_seq: arrival_sequence Job.
-
- (** ...and any schedule of these jobs. *)
- Variable sched: schedule PState.
-
- (** Let [tsk] be any task that is to be analyzed. *)
- Variable tsk: Task.
-
- (** Then, we say that R is a response-time bound of [tsk] in this schedule ... *)
- Variable R: duration.
-
- (** ... iff any job [j] of [tsk] in this arrival sequence has
- completed by [job_arrival j + R]. *)
- Definition task_response_time_bound :=
- forall j,
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- job_response_time_bound sched j R.
-
- (** We say that a task is schedulable if all its jobs meet their deadline *)
- Definition schedulable_task :=
- forall j,
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- job_meets_deadline sched j.
-
-End Task.
-
-(** In this section we infer schedulability from a response-time bound
- of a task. *)
-Section Schedulability.
-
- (** Consider any type of tasks, ... *)
- Context {Task : TaskType}.
- Context `{TaskDeadline Task}.
-
- (** ... any type of jobs associated with these tasks, ... *)
- Context {Job: JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobTask Job Task}.
-
- (** ... and any kind of processor state. *)
- Context {PState : ProcessorState Job}.
-
- (** Consider any job arrival sequence... *)
- Variable arr_seq: arrival_sequence Job.
-
- (** ...and any schedule of these jobs. *)
- Variable sched: schedule PState.
-
- (** Assume that jobs don't execute after completion. *)
- Hypothesis H_completed_jobs_dont_execute: completed_jobs_dont_execute sched.
-
- (** Let [tsk] be any task that is to be analyzed. *)
- Variable tsk: Task.
-
- (** Given a response-time bound of [tsk] in this schedule no larger than its deadline, ... *)
- Variable R: duration.
-
- Hypothesis H_R_le_deadline: R <= task_deadline tsk.
- Hypothesis H_response_time_bounded: task_response_time_bound arr_seq sched tsk R.
-
- (** ...then [tsk] is schedulable. *)
- Lemma schedulability_from_response_time_bound:
- schedulable_task arr_seq sched tsk.
- Proof.
- intros j ARRj JOBtsk.
- rewrite /job_meets_deadline.
- apply completion_monotonic with (t := job_arrival j + R);
- [ | by apply H_response_time_bounded].
- rewrite /job_deadline leq_add2l.
- move: JOBtsk => /eqP ->.
- by erewrite leq_trans; eauto.
- Qed.
-
-End Schedulability.
-
-
-(** We further define two notions of "all deadlines met" that do not
- depend on a task abstraction: one w.r.t. all scheduled jobs in a
- given schedule and one w.r.t. all jobs that arrive in a given
- arrival sequence. *)
-Section AllDeadlinesMet.
-
- (** Consider any given type of jobs... *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobDeadline Job}.
-
- (** ... any given type of processor states. *)
- Context {PState: ProcessorState Job}.
-
- (** We say that all deadlines are met if every job scheduled at some
- point in the schedule meets its deadline. Note that this is a
- relatively weak definition since an "empty" schedule that is idle
- at all times trivially satisfies it (since the definition does
- not require any kind of work conservation). *)
- Definition all_deadlines_met (sched: schedule PState) :=
- forall j t,
- scheduled_at sched j t ->
- job_meets_deadline sched j.
-
- (** To augment the preceding definition, we also define an alternate
- notion of "all deadlines met" based on all jobs included in a
- given arrival sequence. *)
- Section DeadlinesOfArrivals.
-
- (** Given an arbitrary job arrival sequence ... *)
- Variable arr_seq: arrival_sequence Job.
-
- (** ... we say that all arrivals meet their deadline if every job
- that arrives at some point in time meets its deadline. Note
- that this definition does not preclude the existence of jobs in
- a schedule that miss their deadline (e.g., if they stem from
- another arrival sequence). *)
- Definition all_deadlines_of_arrivals_met (sched: schedule PState) :=
- forall j,
- arrives_in arr_seq j ->
- job_meets_deadline sched j.
-
- End DeadlinesOfArrivals.
-
- (** We observe that the latter definition, assuming a schedule in
- which all jobs come from the arrival sequence, implies the
- former definition. *)
- Lemma all_deadlines_met_in_valid_schedule:
- forall arr_seq sched,
- jobs_come_from_arrival_sequence sched arr_seq ->
- all_deadlines_of_arrivals_met arr_seq sched ->
- all_deadlines_met sched.
- Proof.
- move=> arr_seq sched FROM_ARR DL_ARR_MET j t SCHED.
- apply DL_ARR_MET.
- by apply (FROM_ARR _ t).
- Qed.
-
-End AllDeadlinesMet.
diff --git a/analysis/definitions/schedule_prefix.v b/analysis/definitions/schedule_prefix.v
deleted file mode 100644
index 570b86668e6b51d68dc65fa6d358218a9eeaa855..0000000000000000000000000000000000000000
--- a/analysis/definitions/schedule_prefix.v
+++ /dev/null
@@ -1,42 +0,0 @@
-Require Export prosa.behavior.ready.
-Require Export prosa.util.nat.
-
-(** We define the notion of prefix-equivalence of schedules. *)
-
-Section PrefixDefinition.
-
- (** For any type of jobs... *)
- Context {Job : JobType}.
-
- (** ... and any kind of processor model, ... *)
- Context {PState: ProcessorState Job}.
-
- (** ... two schedules share an identical prefix if they are pointwise
- identical (at least) up to a fixed horizon. *)
- Definition identical_prefix (sched sched' : schedule PState) (horizon : instant) :=
- forall t,
- t < horizon ->
- sched t = sched' t.
-
- (** In other words, two schedules with a shared prefix are completely
- interchangeable w.r.t. whether a job is scheduled (in the prefix). *)
- Fact identical_prefix_scheduled_at :
- forall sched sched' h,
- identical_prefix sched sched' h ->
- forall j t,
- t < h ->
- scheduled_at sched j t = scheduled_at sched' j t.
- Proof.
- move=> sched sched' h IDENT j t LT_h.
- now rewrite /scheduled_at (IDENT t LT_h).
- Qed.
-
- (** Trivially, any prefix of an identical prefix is also an identical
- prefix. *)
- Fact identical_prefix_inclusion :
- forall sched sched' h h',
- h' <= h ->
- identical_prefix sched sched' h -> identical_prefix sched sched' h'.
- Proof. by move=> sched sched' h h' h'_le_h + t t_lt_h'; apply; apply: leq_trans h'_le_h. Qed.
-
-End PrefixDefinition.
diff --git a/analysis/definitions/tardiness.v b/analysis/definitions/tardiness.v
deleted file mode 100644
index 5970274d43615e85824ba034e5a84c0657d9babd..0000000000000000000000000000000000000000
--- a/analysis/definitions/tardiness.v
+++ /dev/null
@@ -1,40 +0,0 @@
-Require Export prosa.analysis.definitions.schedulability.
-
-(** * Tardiness *)
-
-(** In the following section we define the notion of bounded tardiness,
- i.e., an upper-bound on the difference between the response time of
- any job of a task and its relative deadline. *)
-Section Tardiness.
-
- (** Consider any type of tasks and its deadline, ... *)
- Context {Task : TaskType}.
- Context `{TaskDeadline Task}.
-
- (** ... any type of jobs associated with these tasks, ... *)
- Context {Job: JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobTask Job Task}.
-
- (** ... and any kind of processor state. *)
- Context {PState : ProcessorState Job}.
-
- (** Further, consider any job arrival sequence... *)
- Variable arr_seq: arrival_sequence Job.
-
- (** ...and any schedule of these jobs. *)
- Variable sched: schedule PState.
-
- (** Let [tsk] be any task that is to be analyzed. *)
- Variable tsk: Task.
-
- (** Then, we say that B is a tardiness bound of [tsk] in this schedule ... *)
- Variable B: duration.
-
- (** ... iff any job [j] of [tsk] in the arrival sequence has
- completed no more that [B] time units after its deadline. *)
- Definition task_tardiness_is_bounded arr_seq sched tsk B :=
- task_response_time_bound arr_seq sched tsk (task_deadline tsk + B).
-
-End Tardiness.
diff --git a/analysis/definitions/task_schedule.v b/analysis/definitions/task_schedule.v
deleted file mode 100644
index 04869234d8d02ef61ba8e771ccb994e5e2c22a05..0000000000000000000000000000000000000000
--- a/analysis/definitions/task_schedule.v
+++ /dev/null
@@ -1,47 +0,0 @@
-Require Export prosa.model.task.concept.
-Require Export prosa.analysis.facts.model.ideal.schedule.
-
-(** Due to historical reasons this file defines the notion of a
- schedule of a task for the ideal uni-processor model. This is not
- a fundamental limitation and the notion can be further generalized
- to an arbitrary model. *)
-
-(** * Schedule of task *)
-(** In this section we define properties of the schedule of a task. *)
-Section ScheduleOfTask.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Let [sched] be any ideal uni-processor schedule. *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** Let [tsk] be any task. *)
- Variable tsk : Task.
-
- (** Next we define whether a task is scheduled at time [t], ... *)
- Definition task_scheduled_at (t : instant) :=
- if sched t is Some j then
- job_task j == tsk
- else false.
-
- (** ...which also corresponds to the instantaneous service it receives. *)
- Definition task_service_at (t : instant) := task_scheduled_at t.
-
- (** Based on the notion of instantaneous service, we define the
- cumulative service received by [tsk] during any interval <<[t1, t2)>>... *)
- Definition task_service_during (t1 t2 : instant) :=
- \sum_(t1 <= t < t2) task_service_at t.
-
- (** ...and the cumulative service received by [tsk] up to time [t2],
- i.e., in the interval <<[0, t2)>>. *)
- Definition task_service (t2 : instant) := task_service_during 0 t2.
-
-End ScheduleOfTask.
diff --git a/analysis/definitions/work_bearing_readiness.v b/analysis/definitions/work_bearing_readiness.v
deleted file mode 100644
index 9d5a80b0bf5ac615e2e9ab573d8902ebbe8c53a3..0000000000000000000000000000000000000000
--- a/analysis/definitions/work_bearing_readiness.v
+++ /dev/null
@@ -1,47 +0,0 @@
-Require Export prosa.model.priority.classes.
-
-(** * Work-Bearing Readiness *)
-
-(** In this module, we introduce a property of readiness models that
- is called work-bearing readiness. Work-bearing readiness extracts
- the useful property of the classic readiness model stating that,
- if there is a job pending at a time instant [t], then there also
- exists a job that is ready at time [t]. In other words, we say
- that a readiness model is a work-bearing readiness model if, for
- any job [j] and any time instant [t], if job [j] is pending but
- not ready at [t], then there is a job with higher or equal
- priority [j_hp] that is both pending and ready at time [t]. *)
-
-Section WorkBearingReadiness.
-
- (** Consider any type of job associated with any type of tasks ... *)
- Context {Job : JobType} {Task : TaskType} `{JobArrival Job} `{JobCost Job}.
-
- (** ... and any kind of processor state. *)
- Context {PState : ProcessorState Job}.
-
- (** Further, allow for any notion of job readiness. *)
- Context {jr : JobReady Job PState}.
-
- (** Consider any job arrival sequence, ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... any schedule of these jobs, ... *)
- Variable sched : schedule PState.
-
- (** ... and a JLFP policy that indicates a higher-or-equal priority relation. *)
- Context `{JLFP_policy Job}.
-
- (** If a job [j] is pending at a time instant [t], then (even if it
- is not ready at time [t]) there is a job [j_hp] with
- higher-or-equal priority that is ready at time instant [t]. *)
- Definition work_bearing_readiness :=
- forall (j : Job) (t : instant),
- arrives_in arr_seq j ->
- pending sched j t ->
- exists j_hp,
- arrives_in arr_seq j_hp /\
- job_ready sched j_hp t /\
- hep_job j_hp j.
-
-End WorkBearingReadiness.
diff --git a/analysis/facts/behavior/all.v b/analysis/facts/behavior/all.v
deleted file mode 100644
index 681ab5faef806ebcbca97d3f0768c2a2c0f9896a..0000000000000000000000000000000000000000
--- a/analysis/facts/behavior/all.v
+++ /dev/null
@@ -1,4 +0,0 @@
-Require Export prosa.analysis.facts.behavior.service.
-Require Export prosa.analysis.facts.behavior.completion.
-Require Export prosa.analysis.facts.behavior.arrivals.
-Require Export prosa.analysis.facts.behavior.deadlines.
diff --git a/analysis/facts/behavior/arrivals.v b/analysis/facts/behavior/arrivals.v
deleted file mode 100644
index 07844c5d40c882a6ea7b6a0ad114563146b61c89..0000000000000000000000000000000000000000
--- a/analysis/facts/behavior/arrivals.v
+++ /dev/null
@@ -1,545 +0,0 @@
-Require Export prosa.behavior.all.
-Require Export prosa.util.all.
-Require Export prosa.model.task.arrivals.
-
-(** * Arrival Sequence *)
-
-(** First, we relate the stronger to the weaker arrival predicates. *)
-Section ArrivalPredicates.
-
- (** Consider any kinds of jobs with arrival times. *)
- Context {Job : JobType} `{JobArrival Job}.
-
- (** A job that arrives in some interval <<[t1, t2)>> certainly arrives before
- time [t2]. *)
- Lemma arrived_between_before:
- forall j t1 t2,
- arrived_between j t1 t2 ->
- arrived_before j t2.
- Proof. by move=> ? ? ? /andP[]. Qed.
-
- (** A job that arrives before a time [t] certainly has arrived by time
- [t]. *)
- Lemma arrived_before_has_arrived:
- forall j t,
- arrived_before j t ->
- has_arrived j t.
- Proof. move=> ? ?; exact: ltnW. Qed.
-
- (** Furthermore, we restate a common hypothesis to make its
- implication easier to discover. *)
- Lemma consistent_times_valid_arrival :
- forall arr_seq,
- valid_arrival_sequence arr_seq -> consistent_arrival_times arr_seq.
- Proof. by move=> ? []. Qed.
-
- (** We restate another common hypothesis to make its implication
- easier to discover. *)
- Lemma uniq_valid_arrival :
- forall arr_seq,
- valid_arrival_sequence arr_seq -> arrival_sequence_uniq arr_seq.
- Proof. by move=> ? []. Qed.
-
-End ArrivalPredicates.
-
-(** In this section, we relate job readiness to [has_arrived]. *)
-Section Arrived.
-
- (** Consider any kinds of jobs and any kind of processor state. *)
- Context {Job : JobType} {PState : ProcessorState Job}.
-
- (** Consider any schedule... *)
- Variable sched : schedule PState.
-
- (** ...and suppose that jobs have a cost, an arrival time, and a
- notion of readiness. *)
- Context `{JobCost Job}.
- Context `{JobArrival Job}.
- Context {jr : JobReady Job PState}.
-
- (** First, we note that readiness models are by definition consistent
- w.r.t. [pending]. *)
- Lemma any_ready_job_is_pending:
- forall j t,
- job_ready sched j t -> pending sched j t.
- Proof. move: jr => [? +] /= ?; exact. Qed.
-
- (** Next, we observe that a given job must have arrived to be ready... *)
- Lemma ready_implies_arrived :
- forall j t, job_ready sched j t -> has_arrived j t.
- Proof. by move=> ? ? /any_ready_job_is_pending => /andP[]. Qed.
-
- (** ...and lift this observation also to the level of whole schedules. *)
- Lemma jobs_must_arrive_to_be_ready:
- jobs_must_be_ready_to_execute sched -> jobs_must_arrive_to_execute sched.
- Proof. move=> READY ? ? ?; exact/ready_implies_arrived/READY. Qed.
-
- (** Furthermore, in a valid schedule, jobs must arrive to execute. *)
- Corollary valid_schedule_implies_jobs_must_arrive_to_execute :
- forall arr_seq,
- valid_schedule sched arr_seq -> jobs_must_arrive_to_execute sched.
- Proof. move=> ? [? ?]; exact: jobs_must_arrive_to_be_ready. Qed.
-
- (** Since backlogged jobs are by definition ready, any backlogged job must have arrived. *)
- Corollary backlogged_implies_arrived:
- forall j t,
- backlogged sched j t -> has_arrived j t.
- Proof. move=> ? ? /andP[? ?]; exact: ready_implies_arrived. Qed.
-
- (** Similarly, since backlogged jobs are by definition pending, any
- backlogged job must be incomplete. *)
- Lemma backlogged_implies_incomplete:
- forall j t,
- backlogged sched j t -> ~~ completed_by sched j t.
- Proof. by move=> ? ? /andP[/any_ready_job_is_pending /andP[]]. Qed.
-
- (** Finally, we restate common hypotheses on the well-formedness of
- schedules to make their implications more easily
- discoverable. First, on the readiness of scheduled jobs, ... *)
- Lemma job_scheduled_implies_ready :
- jobs_must_be_ready_to_execute sched ->
- forall j t,
- scheduled_at sched j t -> job_ready sched j t.
- Proof. exact. Qed.
-
- (** ... second, on the origin of scheduled jobs, and ... *)
- Lemma valid_schedule_jobs_come_from_arrival_sequence :
- forall arr_seq,
- valid_schedule sched arr_seq ->
- jobs_come_from_arrival_sequence sched arr_seq.
- Proof. by move=> ? []. Qed.
-
- (** ... third, on the readiness of jobs in valid schedules. *)
- Lemma valid_schedule_jobs_must_be_ready_to_execute :
- forall arr_seq,
- valid_schedule sched arr_seq -> jobs_must_be_ready_to_execute sched.
- Proof. by move=> ? []. Qed.
-
-End Arrived.
-
-(** In this section, we establish useful facts about arrival sequence prefixes. *)
-Section ArrivalSequencePrefix.
-
- (** Consider any kind of tasks and jobs. *)
- Context {Job: JobType}.
- Context {Task : TaskType}.
- Context `{JobArrival Job}.
- Context `{JobTask Job Task}.
-
- (** Consider any job arrival sequence. *)
- Variable arr_seq: arrival_sequence Job.
-
- (** We begin with basic lemmas for manipulating the sequences. *)
- Section Composition.
-
- (** We show that the set of arriving jobs can be split
- into disjoint intervals. *)
- Lemma arrivals_between_cat:
- forall t1 t t2,
- t1 <= t ->
- t <= t2 ->
- arrivals_between arr_seq t1 t2 =
- arrivals_between arr_seq t1 t ++ arrivals_between arr_seq t t2.
- Proof. by move=> ? ? ? ? ?; rewrite -big_cat_nat. Qed.
-
- (** We also prove a stronger version of the above lemma
- in the case of arrivals that satisfy a predicate [P]. *)
- Lemma arrivals_P_cat:
- forall P t t1 t2,
- t1 <= t < t2 ->
- arrivals_between_P arr_seq P t1 t2 =
- arrivals_between_P arr_seq P t1 t ++ arrivals_between_P arr_seq P t t2.
- Proof.
- move=> P t t1 t2.
- by move=> /andP[? ?]; rewrite -filter_cat -arrivals_between_cat// ltnW.
- Qed.
-
- (** The same observation applies to membership in the set of
- arrived jobs. *)
- Lemma arrivals_between_mem_cat:
- forall j t1 t t2,
- t1 <= t ->
- t <= t2 ->
- j \in arrivals_between arr_seq t1 t2 =
- (j \in arrivals_between arr_seq t1 t ++ arrivals_between arr_seq t t2).
- Proof. by move=> ? ? ? ? ? ?; rewrite -arrivals_between_cat. Qed.
-
- (** We observe that we can grow the considered interval without
- "losing" any arrived jobs, i.e., membership in the set of arrived jobs
- is monotonic. *)
- Lemma arrivals_between_sub :
- forall j t1 t1' t2 t2',
- t1' <= t1 ->
- t2 <= t2' ->
- j \in arrivals_between arr_seq t1 t2 ->
- j \in arrivals_between arr_seq t1' t2'.
- Proof.
- move=> j t1 t1' t2 t2' t1'_le_t1 t2_le_t2' j_in.
- have /orP[t2_le_t1|t1_le_t2] := leq_total t2 t1.
- { by move: j_in; rewrite /arrivals_between big_geq. }
- rewrite (arrivals_between_mem_cat _ _ t1)// ?mem_cat.
- 2:{ exact: leq_trans t2_le_t2'. }
- rewrite [X in _ || X](arrivals_between_mem_cat _ _ t2)// mem_cat.
- by rewrite j_in orbT.
- Qed.
-
- End Composition.
-
- (** Next, we relate the arrival prefixes with job arrival times. *)
- Section ArrivalTimes.
-
- (** Assume that job arrival times are consistent. *)
- Hypothesis H_consistent_arrival_times : consistent_arrival_times arr_seq.
-
- (** To make the hypothesis and its implication easier to discover,
- we restate it as a trivial lemma. *)
- Lemma job_arrival_arrives_at :
- forall {j t},
- arrives_at arr_seq j t -> job_arrival j = t.
- Proof. exact: H_consistent_arrival_times. Qed.
-
- (** Similarly, to simplify subsequent proofs, we restate the
- [H_consistent_arrival_times] assumption as a trivial
- corollary. *)
- Lemma job_arrival_at :
- forall {j t},
- j \in arrivals_at arr_seq t -> job_arrival j = t.
- Proof. exact: H_consistent_arrival_times. Qed.
-
- (** Next, we prove that if [j] is a part of the arrival sequence,
- then the converse of the above also holds. *)
- Lemma job_in_arrivals_at :
- forall j t,
- arrives_in arr_seq j ->
- job_arrival j = t ->
- j \in arrivals_at arr_seq t.
- Proof.
- move => j t [t' IN] => /eqP.
- apply contraTT => /negP NOTIN.
- apply /neqP => ARR.
- have ARR' := (H_consistent_arrival_times _ t' IN).
- by move: IN; rewrite -ARR' ARR.
- Qed.
-
- (** To begin with actual properties, we observe that any job in
- the set of all arrivals between time instants [t1] and [t2]
- must arrive in the interval <<[t1,t2)>>. *)
- Lemma job_arrival_between :
- forall {j t1 t2},
- j \in arrivals_between arr_seq t1 t2 -> t1 <= job_arrival j < t2.
- Proof. by move=> ? ? ? /mem_bigcat_nat_exists[i [/job_arrival_at <-]]. Qed.
-
- (** For convenience, we restate the left bound of the above lemma... *)
- Corollary job_arrival_between_ge :
- forall {j t1 t2},
- j \in arrivals_between arr_seq t1 t2 -> t1 <= job_arrival j.
- Proof. by move=> ? ? ? /job_arrival_between/andP[]. Qed.
-
- (** ... as well as the right bound separately as corollaries. *)
- Corollary job_arrival_between_lt :
- forall {j t1 t2},
- j \in arrivals_between arr_seq t1 t2 -> job_arrival j < t2.
- Proof. by move=> ? ? ? /job_arrival_between/andP[]. Qed.
-
- (** Consequently, if we filter the list of arrivals in an interval
- <<[t1,t2)>> with an arrival-time threshold less than [t1], we are
- left with an empty list. *)
- Lemma arrivals_between_filter_nil :
- forall t1 t2 t,
- t < t1 ->
- [seq j <- arrivals_between arr_seq t1 t2 | job_arrival j < t] = [::].
- Proof.
- move=> t1 t2 t LT.
- case: (leqP t1 t2) => RANGE;
- last by rewrite /arrivals_between big_geq //=; lia.
- rewrite filter_in_pred0 // => j IN.
- rewrite -ltnNge.
- apply: (ltn_trans LT).
- rewrite ltnS.
- by apply: job_arrival_between_ge; eauto.
- Qed.
-
- (** Furthermore, if we filter the list of arrivals in an interval
- <<[t1,t2)>> with an arrival-time threshold less than [t2],
- we can simply discard the tail past the threshold. *)
- Lemma arrivals_between_filter :
- forall t1 t2 t,
- t <= t2 ->
- arrivals_between arr_seq t1 t
- = [seq j <- arrivals_between arr_seq t1 t2 | job_arrival j < t].
- Proof.
- move=> t1 t2 t LE2.
- case: (leqP t1 t2) => RANGE;
- last by rewrite /arrivals_between !big_geq //=; lia.
- case: (leqP t1 t) => LE1;
- last by rewrite [LHS]/arrivals_between big_geq; try lia; rewrite arrivals_between_filter_nil.
- rewrite /arrivals_between bigcat_nat_filter_eq_filter_bigcat_nat.
- rewrite (big_cat_nat _ _ _ LE1 LE2) //=.
- rewrite !big_nat [X in _ ++ X]big1; last first.
- { move=> t' /andP[LO HI].
- rewrite filter_in_pred0 // => j IN.
- have -> : job_arrival j = t' by apply: job_arrival_at; eauto.
- rewrite -leqNgt.
- exact: LO. }
- { rewrite cats0.
- apply: eq_bigr => t' /andP[LO HI].
- apply esym.
- apply /all_filterP/allP => j IN.
- have -> : job_arrival j = t' by apply: job_arrival_at; eauto.
- exact: HI. }
- Qed.
-
- (** Next, we prove that if a job belongs to the prefix
- (jobs_arrived_before t), then it arrives in the arrival
- sequence. *)
- Lemma in_arrivals_implies_arrived:
- forall j t1 t2,
- j \in arrivals_between arr_seq t1 t2 ->
- arrives_in arr_seq j.
- Proof. by move=> ? ? ? /mem_bigcat_nat_exists[arr [? _]]; exists arr. Qed.
-
- (** We also prove a weaker version of the above lemma. *)
- Lemma in_arrseq_implies_arrives:
- forall t j,
- j \in arr_seq t ->
- arrives_in arr_seq j.
- Proof. by move=> t ? ?; exists t. Qed.
-
- (** Next, we prove that if a job belongs to the prefix
- (jobs_arrived_between t1 t2), then it indeed arrives between t1 and
- t2. *)
- Lemma in_arrivals_implies_arrived_between:
- forall j t1 t2,
- j \in arrivals_between arr_seq t1 t2 ->
- arrived_between j t1 t2.
- Proof. by move=> ? ? ? /mem_bigcat_nat_exists[t0 [/job_arrival_at <-]]. Qed.
-
- (** Similarly, if a job belongs to the prefix (jobs_arrived_before t),
- then it indeed arrives before time t. *)
- Lemma in_arrivals_implies_arrived_before:
- forall j t,
- j \in arrivals_before arr_seq t ->
- arrived_before j t.
- Proof. by move=> ? ? /in_arrivals_implies_arrived_between. Qed.
-
- (** Similarly, we prove that if a job from the arrival sequence arrives
- before t, then it belongs to the sequence (jobs_arrived_before t). *)
- Lemma arrived_between_implies_in_arrivals:
- forall j t1 t2,
- arrives_in arr_seq j ->
- arrived_between j t1 t2 ->
- j \in arrivals_between arr_seq t1 t2.
- Proof.
- move=> j t1 t2 [a_j arrj] before; apply: mem_bigcat_nat (arrj).
- by rewrite -(job_arrival_at arrj).
- Qed.
-
- (** Any job in arrivals between time instants [t1] and [t2] must arrive
- in the interval <<[t1,t2)>>. *)
- Lemma job_arrival_between_P:
- forall j P t1 t2,
- j \in arrivals_between_P arr_seq P t1 t2 ->
- t1 <= job_arrival j < t2.
- Proof.
- move=> j P t1 t2.
- rewrite mem_filter => /andP[Pj /mem_bigcat_nat_exists[i [+ iitv]]].
- by move=> /job_arrival_at ->.
- Qed.
-
- (** Any job [j] is in the sequence [arrivals_between t1 t2] given
- that [j] arrives in the interval <<[t1,t2)>>. *)
- Lemma job_in_arrivals_between:
- forall j t1 t2,
- arrives_in arr_seq j ->
- t1 <= job_arrival j < t2 ->
- j \in arrivals_between arr_seq t1 t2.
- Proof.
- move=> j t1 t2 [t jarr] jitv; apply: mem_bigcat_nat (jarr).
- by rewrite -(job_arrival_at jarr).
- Qed.
-
- (** Next, we prove that if the arrival sequence doesn't contain duplicate
- jobs, the same applies for any of its prefixes. *)
- Lemma arrivals_uniq:
- arrival_sequence_uniq arr_seq ->
- forall t1 t2, uniq (arrivals_between arr_seq t1 t2).
- Proof.
- move=> SET t1 t2; apply: bigcat_nat_uniq => // j t1' t2'.
- by move=> /job_arrival_at <- /job_arrival_at <-.
- Qed.
-
- (** Also note that there can't by any arrivals in an empty time interval. *)
- Lemma arrivals_between_geq:
- forall t1 t2,
- t1 >= t2 ->
- arrivals_between arr_seq t1 t2 = [::].
- Proof. by move=> ? ? ?; rewrite /arrivals_between big_geq. Qed.
-
- (** Conversely, if a job arrives, the considered interval is non-empty. *)
- Corollary arrivals_between_nonempty :
- forall t1 t2 j,
- j \in arrivals_between arr_seq t1 t2 -> t1 < t2.
- Proof. by move=> j1 j2 t; apply: contraPltn=> LEQ; rewrite arrivals_between_geq. Qed.
-
- (** Given jobs [j1] and [j2] in [arrivals_between_P arr_seq P t1 t2], the fact that
- [j2] arrives strictly before [j1] implies that [j2] also belongs in the sequence
- [arrivals_between_P arr_seq P t1 (job_arrival j1)]. *)
- Lemma arrival_lt_implies_job_in_arrivals_between_P :
- forall (j1 j2 : Job) (P : Job -> bool) (t1 t2 : instant),
- j1 \in arrivals_between_P arr_seq P t1 t2 ->
- j2 \in arrivals_between_P arr_seq P t1 t2 ->
- job_arrival j2 < job_arrival j1 ->
- j2 \in arrivals_between_P arr_seq P t1 (job_arrival j1).
- Proof.
- move=> j1 j2 P t1 t2.
- rewrite !mem_filter => /andP[_ j1arr] /andP[Pj2 j2arr] arr_lt.
- rewrite Pj2/=; apply: job_in_arrivals_between.
- - exact: in_arrivals_implies_arrived j2arr.
- - by rewrite (job_arrival_between_ge j2arr).
- Qed.
-
-
- (** We observe that, by construction, the sequence of arrivals is
- sorted by arrival times. To this end, we first define the
- order relation. *)
- Definition by_arrival_times (j1 j2 : Job) : bool := job_arrival j1 <= job_arrival j2.
-
- (** Trivially, the arrivals at any one point in time are ordered
- w.r.t. arrival times. *)
- Lemma arrivals_at_sorted :
- forall t,
- sorted by_arrival_times (arrivals_at arr_seq t).
- Proof.
- move=> t.
- have AT_t : forall j, j \in (arrivals_at arr_seq t) -> job_arrival j = t
- by move=> j; apply job_arrival_at.
- case: (arrivals_at arr_seq t) AT_t => // j' js AT_t.
- apply /(pathP j') => i LT.
- rewrite /by_arrival_times !AT_t //;
- last by apply mem_nth; auto.
- rewrite in_cons; apply /orP; right.
- by exact: mem_nth.
- Qed.
-
- (** By design, the list of arrivals in any interval is sorted. *)
- Lemma arrivals_between_sorted :
- forall t1 t2,
- sorted by_arrival_times (arrivals_between arr_seq t1 t2).
- Proof.
- move=> t1 t2.
- rewrite /arrivals_between.
- elim: t2 => [|t2 SORTED];
- first by rewrite big_nil.
- case: (leqP t1 t2) => T1T2;
- last by rewrite big_geq.
- rewrite (big_cat_nat _ _ _ T1T2 _) //=.
- case A1: (\cat_(t1<=t<t2)arrivals_at arr_seq t) => [|j js];
- first by rewrite cat0s big_nat1; exact: arrivals_at_sorted.
- have CAT : path by_arrival_times j (\cat_(t1<=t<t2)arrivals_at arr_seq t ++ \cat_(t2<=i<t2.+1)arrivals_at arr_seq i).
- { rewrite cat_path; apply /andP; split.
- { move: SORTED. rewrite /sorted A1 => PATH_js.
- by rewrite /path -/(path _ _ js) /by_arrival_times; apply /andP; split. }
- { rewrite big_nat1.
- case A2: (arrivals_at arr_seq t2) => // [j' js'].
- apply path_le with (x' := j').
- { by rewrite /transitive/by_arrival_times; lia. }
- { rewrite /by_arrival_times.
- have -> : job_arrival j' = t2
- by apply job_arrival_at; rewrite A2; apply mem_head.
- set L := (last j (\cat_(t1<=t<t2)arrivals_at arr_seq t)).
- have EX : exists t', L \in arrivals_at arr_seq t' /\ t1 <= t' < t2
- by apply mem_bigcat_nat_exists; rewrite /L A1 last_cons; exact: mem_last.
- move: EX => [t' [IN /andP [t1t' t't2]]].
- have -> : job_arrival L = t' by apply job_arrival_at.
- by lia. }
- { move: (arrivals_at_sorted t2); rewrite /sorted A2 => PATH'.
- rewrite /path -/(path _ _ js') {1}/by_arrival_times.
- by apply /andP; split => //. } } }
- by move: CAT; rewrite /sorted A1 cat_cons {1}/path -/(path _ _ (js ++ _)) => /andP [_ CAT].
- Qed.
-
- End ArrivalTimes.
-
-End ArrivalSequencePrefix.
-
-(** In this section, we establish a few auxiliary facts about the
- relation between the property of being scheduled and arrival
- predicates to facilitate automation. *)
-Section ScheduledImpliesArrives.
-
- (** Consider any type of jobs. *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
-
- (** Consider any kind of processor state model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any job arrival sequence with consistent arrivals, .... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** ... and any schedule of this arrival sequence ... *)
- Variable sched : schedule PState.
- Hypothesis H_jobs_come_from_arrival_sequence : jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ... where jobs do not execute before their arrival. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
-
-
- (** Next, consider a job [j] ... *)
- Variable j : Job.
-
- (** ... which is scheduled at a time instant [t]. *)
- Variable t : instant.
- Hypothesis H_scheduled_at : scheduled_at sched j t.
-
- (** Then we show that [j] arrives in [arr_seq]. *)
- Lemma arrives_in_jobs_come_from_arrival_sequence :
- arrives_in arr_seq j.
- Proof.
- by apply: H_jobs_come_from_arrival_sequence H_scheduled_at.
- Qed.
-
- (** Job [j] has arrived by time instant [t]. *)
- Lemma arrived_between_jobs_must_arrive_to_execute :
- has_arrived j t.
- Proof.
- by apply: H_jobs_must_arrive_to_execute H_scheduled_at.
- Qed.
-
- (** Finally, for any future time [t'], job [j] arrives before [t']. *)
- Lemma arrivals_before_scheduled_at :
- forall t',
- t < t' ->
- j \in arrivals_before arr_seq t'.
- Proof.
- move=> t' LTtt'.
- apply: arrived_between_implies_in_arrivals => //.
- - by apply: arrives_in_jobs_come_from_arrival_sequence.
- - apply: leq_ltn_trans LTtt'.
- by apply: arrived_between_jobs_must_arrive_to_execute.
- Qed.
-
-End ScheduledImpliesArrives.
-
-(** We add some of the above lemmas to the "Hint Database"
- [basic_rt_facts], so the [auto] tactic will be able to use them. *)
-Global Hint Resolve
- any_ready_job_is_pending
- arrivals_before_scheduled_at
- arrivals_uniq
- arrived_between_implies_in_arrivals
- arrived_between_jobs_must_arrive_to_execute
- arrives_in_jobs_come_from_arrival_sequence
- backlogged_implies_arrived
- job_scheduled_implies_ready
- jobs_must_arrive_to_be_ready
- jobs_must_arrive_to_be_ready
- ready_implies_arrived
- valid_schedule_implies_jobs_must_arrive_to_execute
- valid_schedule_jobs_come_from_arrival_sequence
- valid_schedule_jobs_must_be_ready_to_execute
- uniq_valid_arrival
- consistent_times_valid_arrival
- job_arrival_arrives_at
- : basic_rt_facts.
diff --git a/analysis/facts/behavior/completion.v b/analysis/facts/behavior/completion.v
deleted file mode 100644
index 3caae12cf0100b0ccdce6c869700ab6fc19c10e2..0000000000000000000000000000000000000000
--- a/analysis/facts/behavior/completion.v
+++ /dev/null
@@ -1,398 +0,0 @@
-Require Export prosa.analysis.facts.behavior.service.
-Require Export prosa.analysis.facts.behavior.arrivals.
-Require Export prosa.analysis.definitions.schedule_prefix.
-Require Export prosa.analysis.definitions.job_properties.
-
-(** * Completion *)
-
-(** In this file, we establish basic facts about job completions. *)
-Section CompletionFacts.
-
- (** Consider any job type,...*)
- Context {Job: JobType}.
- Context `{JobCost Job}.
- Context `{JobArrival Job}.
-
- (** ...any kind of processor model,... *)
- Context {PState: ProcessorState Job}.
-
- (** ...and a given schedule. *)
- Variable sched: schedule PState.
-
- (** Let [j] be any job that is to be scheduled. *)
- Variable j: Job.
-
- (** We prove that after job [j] completes, it remains completed. *)
- Lemma completion_monotonic:
- forall t t',
- t <= t' ->
- completed_by sched j t ->
- completed_by sched j t'.
- Proof. move=> ? ? ? /leq_trans; apply; exact: service_monotonic. Qed.
-
- (** We prove that if [j] is not completed by [t'], then it's also not
- completed by any earlier instant. *)
- Lemma incompletion_monotonic:
- forall t t',
- t <= t' ->
- ~~ completed_by sched j t' ->
- ~~ completed_by sched j t.
- Proof. move=> ? ? ?; exact/contra/completion_monotonic. Qed.
-
- (** We observe that being incomplete is the same as not having received
- sufficient service yet... *)
- Lemma less_service_than_cost_is_incomplete:
- forall t,
- service sched j t < job_cost j
- <-> ~~ completed_by sched j t.
- Proof. by move=> ?; rewrite -ltnNge. Qed.
-
- (** ...which is also the same as having positive remaining cost. *)
- Lemma incomplete_is_positive_remaining_cost:
- forall t,
- ~~ completed_by sched j t
- <-> remaining_cost sched j t > 0.
- Proof.
- by move=> ?; rewrite -less_service_than_cost_is_incomplete subn_gt0.
- Qed.
-
- (** Trivially, it follows that an incomplete job has a positive cost. *)
- Corollary incomplete_implies_positive_cost:
- forall t,
- ~~ completed_by sched j t ->
- job_cost_positive j.
- Proof.
- move=> t INCOMP; apply: leq_trans (leq_subr (service sched j t) _).
- by rewrite -incomplete_is_positive_remaining_cost.
- Qed.
-
-
- (** In the remainder of this section, we assume that schedules are
- "well-formed": jobs are scheduled neither before their arrival
- nor after their completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs : completed_jobs_dont_execute sched.
-
- (** To simplify subsequent proofs, we restate the assumption
- [H_completed_jobs] as a trivial corollary. *)
- Corollary service_lt_cost :
- forall t,
- scheduled_at sched j t -> service sched j t < job_cost j.
- Proof. exact: H_completed_jobs. Qed.
-
- (** We observe that a job that is completed at the instant of its
- arrival has a cost of zero. *)
- Lemma completed_on_arrival_implies_zero_cost :
- completed_by sched j (job_arrival j) ->
- job_cost j = 0.
- Proof.
- by rewrite /completed_by no_service_before_arrival// leqn0 => /eqP.
- Qed.
-
- (** Further, we note that if a job receives service at some time t, then its
- remaining cost at this time is positive. *)
- Lemma serviced_implies_positive_remaining_cost:
- forall t,
- service_at sched j t > 0 ->
- remaining_cost sched j t > 0.
- Proof.
- move=> t SERVICE.
- rewrite -incomplete_is_positive_remaining_cost.
- rewrite -less_service_than_cost_is_incomplete.
- exact/service_lt_cost/service_at_implies_scheduled_at.
- Qed.
-
- (** Consequently, if we have a have processor model where scheduled jobs
- necessarily receive service, we can conclude that scheduled jobs have
- remaining positive cost. *)
-
- (** Assume a scheduled job always receives some positive service. *)
- Hypothesis H_scheduled_implies_serviced: ideal_progress_proc_model PState.
-
- (** To simplify subsequent proofs, we restate the assumption
- [H_scheduled_implies_serviced] as a trivial corollary. *)
- Corollary scheduled_implies_serviced :
- forall s,
- scheduled_in j s -> 0 < service_in j s.
- Proof. exact: H_scheduled_implies_serviced. Qed.
-
- (** Then a scheduled job has positive remaining cost. *)
- Corollary scheduled_implies_positive_remaining_cost:
- forall t,
- scheduled_at sched j t ->
- remaining_cost sched j t > 0.
- Proof.
- move=> t sch.
- exact/serviced_implies_positive_remaining_cost/scheduled_implies_serviced.
- Qed.
-
- (** We also prove that a scheduled job cannot be completed... *)
- Lemma scheduled_implies_not_completed :
- forall t,
- scheduled_at sched j t -> ~~ completed_by sched j t.
- Proof.
- move=> t sch.
- by rewrite -less_service_than_cost_is_incomplete service_lt_cost.
- Qed.
-
- (** ... and that a completed job cannot be scheduled. *)
- Lemma completed_implies_not_scheduled :
- forall t,
- completed_by sched j t -> ~~ scheduled_at sched j t.
- Proof. move=> ? /negPn; exact/contra/scheduled_implies_not_completed. Qed.
-
-End CompletionFacts.
-
-(** In this section, we establish some facts that are really about service,
- but are also related to completion and rely on some of the above lemmas.
- Hence they are in this file rather than in the service facts file. *)
-Section ServiceAndCompletionFacts.
-
- (** Consider any job type,...*)
- Context {Job: JobType}.
- Context `{JobCost Job}.
-
- (** ...any kind of processor model,... *)
- Context {PState: ProcessorState Job}.
-
- (** ...and a given schedule. *)
- Variable sched: schedule PState.
-
- (** Assume that completed jobs do not execute. *)
- Hypothesis H_completed_jobs:
- completed_jobs_dont_execute sched.
-
- (** Let [j] be any job that is to be scheduled. *)
- Variable j: Job.
-
- (** Assume that a scheduled job receives exactly one time unit of service. *)
- Hypothesis H_unit_service: unit_service_proc_model PState.
-
- (** To simplify subsequent proofs, we restate the assumption
- [H_unit_service] as a trivial corollary. *)
- Lemma unit_service :
- forall s,
- service_in j s <= 1.
- Proof. exact: H_unit_service. Qed.
-
- (** To begin with, we establish that the cumulative service never exceeds a
- job's total cost if service increases only by one at each step since
- completed jobs don't execute. *)
- Lemma service_at_most_cost:
- forall t,
- service sched j t <= job_cost j.
- Proof.
- elim=> [|t]; first by rewrite service0.
- rewrite -service_last_plus_before.
- rewrite leq_eqVlt => /orP[/eqP EQ|LT].
- - rewrite not_scheduled_implies_no_service ?EQ ?addn0//.
- apply: completed_implies_not_scheduled => //.
- by rewrite /completed_by EQ.
- - have: service_at sched j t <= 1 by exact: unit_service.
- rewrite -(leq_add2l (service sched j t)) => /leq_trans; apply.
- by rewrite addn1.
- Qed.
-
- (** This lets us conclude that [service] and [remaining_cost] are complements
- of one another. *)
- Lemma service_cost_invariant:
- forall t,
- (service sched j t) + (remaining_cost sched j t) = job_cost j.
- Proof. by move=> ?; rewrite subnKC// service_at_most_cost. Qed.
-
- (** We show that the service received by job [j] in any interval is no larger
- than its cost. *)
- Lemma cumulative_service_le_job_cost:
- forall t t',
- service_during sched j t t' <= job_cost j.
- Proof.
- move=> t t'.
- have [t'_le_t|t_lt_t'] := leqP t' t; first by rewrite service_during_geq.
- apply: leq_trans (service_at_most_cost t').
- by rewrite -(service_cat _ _ _ _ (ltnW t_lt_t')) leq_addl.
- Qed.
-
- (** If a job isn't complete at time [t], it can't be completed at time [t +
- remaining_cost j t - 1]. *)
- Lemma job_doesnt_complete_before_remaining_cost:
- forall t,
- ~~ completed_by sched j t ->
- ~~ completed_by sched j (t + remaining_cost sched j t - 1).
- Proof.
- move=> t; rewrite incomplete_is_positive_remaining_cost => rem_cost.
- rewrite -less_service_than_cost_is_incomplete -(service_cat sched j t);
- last by rewrite -addnBA//; exact: leq_addr.
- have: service sched j t + remaining_cost sched j t - 1 < job_cost j.
- { rewrite service_cost_invariant -subn_gt0 subKn//.
- exact/(leq_trans rem_cost)/leq_subr. }
- apply: leq_ltn_trans.
- by rewrite -!addnBA// leq_add2l cumulative_service_le_delta.
- Qed.
-
- Section GuaranteedService.
-
- (** Assume a scheduled job always receives some positive service. *)
- Hypothesis H_scheduled_implies_serviced: ideal_progress_proc_model PState.
-
- (** Assume that jobs are not released early. *)
- Context `{JobArrival Job}.
- Hypothesis H_jobs_must_arrive: jobs_must_arrive_to_execute sched.
-
- (** To simplify subsequent proofs, we restate the assumption
- [H_jobs_must_arrive] as a trivial corollary. *)
- Corollary has_arrived_scheduled :
- forall t,
- scheduled_at sched j t -> has_arrived j t.
- Proof. exact: H_jobs_must_arrive. Qed.
-
- (** We show that if job j is scheduled, then it must be pending. *)
- Lemma scheduled_implies_pending:
- forall t,
- scheduled_at sched j t ->
- pending sched j t.
- Proof.
- move=> t sch; apply/andP; split; first exact: has_arrived_scheduled.
- exact: scheduled_implies_not_completed.
- Qed.
-
- End GuaranteedService.
-
-End ServiceAndCompletionFacts.
-
-(** In this section, we establish facts that on jobs with non-zero costs that
- must arrive to execute. *)
-Section PositiveCost.
-
- (** Consider any type of jobs with cost and arrival-time attributes,...*)
- Context {Job: JobType}.
- Context `{JobCost Job}.
- Context `{JobArrival Job}.
-
- (** ...any kind of processor model,... *)
- Context {PState: ProcessorState Job}.
-
- (** ...and a given schedule. *)
- Variable sched: schedule PState.
-
- (** Let [j] be any job that is to be scheduled. *)
- Variable j: Job.
-
- (** We assume that job [j] has positive cost, from which we can
- infer that there always is a time in which [j] is pending, ... *)
- Hypothesis H_positive_cost: job_cost j > 0.
-
- (** ...and that jobs must arrive to execute. *)
- Hypothesis H_jobs_must_arrive:
- jobs_must_arrive_to_execute sched.
-
- (** Then, we prove that the job with a positive cost
- must be scheduled to be completed. *)
- Lemma completed_implies_scheduled_before:
- forall t,
- completed_by sched j t ->
- exists t',
- job_arrival j <= t' < t
- /\ scheduled_at sched j t'.
- Proof.
- move=> t comp.
- have: 0 < service sched j t by exact: leq_trans comp.
- exact: positive_service_implies_scheduled_since_arrival.
- Qed.
-
- (** We also prove that the job is pending at the moment of its arrival. *)
- Lemma job_pending_at_arrival:
- pending sched j (job_arrival j).
- Proof.
- apply/andP; split; first by rewrite /has_arrived.
- by rewrite /completed_by no_service_before_arrival// -ltnNge.
- Qed.
-
-End PositiveCost.
-
-Section CompletedJobs.
-
- (** Consider any kinds of jobs and any kind of processor state. *)
- Context {Job : JobType} {PState : ProcessorState Job}.
-
- (** Consider any schedule... *)
- Variable sched : schedule PState.
-
- (** ...and suppose that jobs have a cost, an arrival time, and a notion of
- readiness. *)
- Context `{JobCost Job}.
- Context `{JobArrival Job}.
- Context {jr : JobReady Job PState}.
-
- (** We observe that a given job is ready only if it is also incomplete... *)
- Lemma ready_implies_incomplete:
- forall j t, job_ready sched j t -> ~~ completed_by sched j t.
- Proof. by move=> ? ? /any_ready_job_is_pending /andP[]. Qed.
-
- (** ...and lift this observation also to the level of whole schedules. *)
- Lemma completed_jobs_are_not_ready:
- jobs_must_be_ready_to_execute sched ->
- completed_jobs_dont_execute sched.
- Proof.
- move=> + j t sch => /(_ j t sch) ready.
- by rewrite less_service_than_cost_is_incomplete ready_implies_incomplete.
- Qed.
-
- (** Furthermore, in a valid schedule, completed jobs don't execute. *)
- Corollary valid_schedule_implies_completed_jobs_dont_execute:
- forall arr_seq,
- valid_schedule sched arr_seq ->
- completed_jobs_dont_execute sched.
- Proof. move=> ? [? ?]; exact: completed_jobs_are_not_ready. Qed.
-
- (** We further observe that completed jobs don't execute if scheduled jobs
- always receive non-zero service and cumulative service never exceeds job
- costs. *)
- Lemma ideal_progress_completed_jobs:
- ideal_progress_proc_model PState ->
- (forall j t, service sched j t <= job_cost j) ->
- completed_jobs_dont_execute sched.
- Proof.
- move=> IDEAL SERVICE_BOUND j t SCHED.
- apply: leq_trans (SERVICE_BOUND j t.+1).
- by rewrite -service_last_plus_before -addn1 leq_add2l IDEAL.
- Qed.
-
-End CompletedJobs.
-
-(** We add the above lemma into a "Hint Database" basic_rt_facts, so Coq
- will be able to apply it automatically. *)
-Global Hint Resolve valid_schedule_implies_completed_jobs_dont_execute : basic_rt_facts.
-
-(** Next, we relate the completion of jobs in schedules with identical prefixes. *)
-Section CompletionInTwoSchedules.
- (** Consider any processor model and any type of jobs with costs, arrival times, and a notion of readiness. *)
- Context {Job: JobType} {PState: ProcessorState Job}.
- Context {jc : JobCost Job} {ja : JobArrival Job} {jr : JobReady Job PState}.
-
- (** If two schedules share a common prefix, then (in the prefix) jobs
- complete in one schedule iff they complete in the other. *)
- Lemma identical_prefix_completed_by:
- forall sched1 sched2 h,
- identical_prefix sched1 sched2 h ->
- forall j t,
- t <= h ->
- completed_by sched1 j t = completed_by sched2 j t.
- Proof.
- move=> sched1 sched2 h PREFIX j t LE_h.
- rewrite /completed_by (identical_prefix_service sched1 sched2)//.
- exact: identical_prefix_inclusion PREFIX.
- Qed.
-
- (** For convenience, we restate the previous lemma in terms of [pending]. *)
- Corollary identical_prefix_pending:
- forall sched1 sched2 h,
- identical_prefix sched1 sched2 h ->
- forall j t,
- t <= h ->
- pending sched1 j t = pending sched2 j t.
- Proof.
- move=> sched1 sched2 h PREFIX j t t_le_h.
- by rewrite /pending (identical_prefix_completed_by _ sched2 h).
- Qed.
-
-End CompletionInTwoSchedules.
diff --git a/analysis/facts/behavior/deadlines.v b/analysis/facts/behavior/deadlines.v
deleted file mode 100644
index 23dc60e5e58567e4ee5d4272a4da17fcaba452e7..0000000000000000000000000000000000000000
--- a/analysis/facts/behavior/deadlines.v
+++ /dev/null
@@ -1,104 +0,0 @@
-Require Export prosa.analysis.facts.behavior.completion.
-
-(** * Deadlines *)
-
-(** In this file, we observe basic properties of the behavioral job
- model w.r.t. deadlines. *)
-Section DeadlineFacts.
-
- (** Consider any given type of jobs with costs and deadlines... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job}.
-
- (** ... any given type of processor states. *)
- Context {PState: ProcessorState Job}.
-
- (** First, we derive two properties from the fact that a job is incomplete at
- some point in time. *)
- Section Incompletion.
-
- (** Consider any given schedule. *)
- Variable sched: schedule PState.
-
- (** Trivially, a job that both meets its deadline and is incomplete at a
- time [t] must have a deadline later than [t]. *)
- Lemma incomplete_implies_later_deadline:
- forall j t,
- job_meets_deadline sched j ->
- ~~ completed_by sched j t ->
- t < job_deadline j.
- Proof.
- move=> j t MET INCOMP; apply: contraT; rewrite -leqNgt => PAST_DL.
- have /negP// : ~~ completed_by sched j (job_deadline j).
- exact: incompletion_monotonic INCOMP.
- Qed.
-
- (** Furthermore, a job that both meets its deadline and is incomplete at a
- time [t] must be scheduled at some point between [t] and its
- deadline. *)
- Lemma incomplete_implies_scheduled_later:
- forall j t,
- job_meets_deadline sched j ->
- ~~ completed_by sched j t ->
- exists t', t <= t' < job_deadline j /\ scheduled_at sched j t'.
- Proof.
- move=> j t MET INCOMP.
- apply: cumulative_service_implies_scheduled.
- rewrite -(ltn_add2l (service sched j t)) addn0.
- rewrite service_cat; last exact/ltnW/incomplete_implies_later_deadline.
- by apply: leq_trans MET; rewrite less_service_than_cost_is_incomplete.
- Qed.
-
- End Incompletion.
-
- (** Next, we look at schedules / processor models in which scheduled jobs
- always receive service. *)
- Section IdealProgressSchedules.
-
- (** Consider a given reference schedule... *)
- Variable sched: schedule PState.
-
- (** ...in which complete jobs don't execute... *)
- Hypothesis H_completed_jobs: completed_jobs_dont_execute sched.
-
- (** ...and scheduled jobs always receive service. *)
- Hypothesis H_scheduled_implies_serviced: ideal_progress_proc_model PState.
-
- (** We observe that if a job meets its deadline and is scheduled at time
- [t], then then its deadline is at a time later than t. *)
- Lemma scheduled_at_implies_later_deadline:
- forall j t,
- job_meets_deadline sched j ->
- scheduled_at sched j t ->
- t < job_deadline j.
- Proof.
- move=> j t MET SCHED_AT.
- apply: (incomplete_implies_later_deadline sched) => //.
- exact: scheduled_implies_not_completed.
- Qed.
-
- End IdealProgressSchedules.
-
- (** In the following section, we observe that it is sufficient to
- establish that service is invariant across two schedules at a
- job's deadline to establish that it either meets its deadline in
- both schedules or none. *)
- Section EqualProgress.
-
- (** Consider any two schedules [sched] and [sched']. *)
- Variable sched sched': schedule PState.
-
- (** We observe that, if the service is invariant at the time of a
- job's absolute deadline, and if the job meets its deadline in one of the schedules,
- then it meets its deadline also in the other schedule. *)
- Lemma service_invariant_implies_deadline_met:
- forall j,
- service sched j (job_deadline j) = service sched' j (job_deadline j) ->
- (job_meets_deadline sched j <-> job_meets_deadline sched' j).
- Proof.
- move=> j SERVICE.
- by split; rewrite /job_meets_deadline /completed_by -SERVICE.
- Qed.
-
- End EqualProgress.
-
-End DeadlineFacts.
diff --git a/analysis/facts/behavior/service.v b/analysis/facts/behavior/service.v
deleted file mode 100644
index 14d7654b3b17acd80a436cb9e1c11f62a082e089..0000000000000000000000000000000000000000
--- a/analysis/facts/behavior/service.v
+++ /dev/null
@@ -1,567 +0,0 @@
-Require Export prosa.util.all.
-Require Export prosa.behavior.all.
-Require Export prosa.model.processor.platform_properties.
-Require Export prosa.analysis.definitions.schedule_prefix.
-
-(** * Service *)
-
-(** In this file, we establish basic facts about the service received by
- jobs. *)
-
-(** To begin with, we provide some simple but handy rewriting rules for
- [service] and [service_during]. *)
-Section Composition.
-
- (** Consider any job type and any processor state. *)
- Context {Job: JobType}.
- Context {PState: ProcessorState Job}.
-
- (** For any given schedule... *)
- Variable sched: schedule PState.
-
- (** ...and any given job... *)
- Variable j: Job.
-
- (** ...we establish a number of useful rewriting rules that decompose
- the service received during an interval into smaller intervals. *)
-
- (** As a trivial base case, no job receives any service during an empty
- interval. *)
- Lemma service_during_geq:
- forall t1 t2,
- t1 >= t2 -> service_during sched j t1 t2 = 0.
- Proof. by move=> ? ? ?; rewrite /service_during big_geq. Qed.
-
- (** Equally trivially, no job has received service prior to time zero. *)
- Corollary service0:
- service sched j 0 = 0.
- Proof. by rewrite /service service_during_geq. Qed.
-
- (** Trivially, an interval consisting of one time unit is equivalent to
- [service_at]. *)
- Lemma service_during_instant:
- forall t,
- service_during sched j t t.+1 = service_at sched j t.
- Proof. by move=> ?; rewrite /service_during big_nat_recr// big_geq. Qed.
-
- (** Next, we observe that we can look at the service received during an
- interval <<[t1, t3)>> as the sum of the service during [t1, t2) and [t2, t3)
- for any t2 \in [t1, t3]. (The "_cat" suffix denotes the concatenation of
- the two intervals.) *)
- Lemma service_during_cat:
- forall t1 t2 t3,
- t1 <= t2 <= t3 ->
- (service_during sched j t1 t2) + (service_during sched j t2 t3)
- = service_during sched j t1 t3.
- Proof. by move => ? ? ? /andP[? ?]; rewrite -big_cat_nat. Qed.
-
- (** Since [service] is just a special case of [service_during], the same holds
- for [service]. *)
- Lemma service_cat:
- forall t1 t2,
- t1 <= t2 ->
- (service sched j t1) + (service_during sched j t1 t2)
- = service sched j t2.
- Proof. move=> ? ? ?; exact: service_during_cat. Qed.
-
- (** As a special case, we observe that the service during an interval can be
- decomposed into the first instant and the rest of the interval. *)
- Lemma service_during_first_plus_later:
- forall t1 t2,
- t1 < t2 ->
- (service_at sched j t1) + (service_during sched j t1.+1 t2)
- = service_during sched j t1 t2.
- Proof.
- by move=> ? ? ?; rewrite -service_during_instant service_during_cat// leqnSn.
- Qed.
-
- (** Symmetrically, we have the same for the end of the interval. *)
- Lemma service_during_last_plus_before:
- forall t1 t2,
- t1 <= t2 ->
- (service_during sched j t1 t2) + (service_at sched j t2)
- = service_during sched j t1 t2.+1.
- Proof.
- move=> t1 t2 ?; rewrite -(service_during_cat t1 t2 t2.+1) ?leqnSn ?andbT//.
- by rewrite service_during_instant.
- Qed.
-
- (** And hence also for [service]. *)
- Corollary service_last_plus_before:
- forall t,
- (service sched j t) + (service_at sched j t)
- = service sched j t.+1.
- Proof. move=> ?; exact: service_during_last_plus_before. Qed.
-
- (** Finally, we deconstruct the service received during an interval <<[t1, t3)>>
- into the service at a midpoint t2 and the service in the intervals before
- and after. *)
- Lemma service_split_at_point:
- forall t1 t2 t3,
- t1 <= t2 < t3 ->
- (service_during sched j t1 t2) + (service_at sched j t2) + (service_during sched j t2.+1 t3)
- = service_during sched j t1 t3.
- Proof.
- move => t1 t2 t3 /andP[t1t2 t2t3].
- rewrite -addnA service_during_first_plus_later// service_during_cat//.
- by rewrite t1t2 ltnW.
- Qed.
-
-End Composition.
-
-(** As a common special case, we establish facts about schedules in which a
- job receives either 1 or 0 service units at all times. *)
-Section UnitService.
-
- (** Consider any job type and any processor state. *)
- Context {Job : JobType}.
- Context {PState : ProcessorState Job}.
-
- (** Let's consider a unit-service model... *)
- Hypothesis H_unit_service: unit_service_proc_model PState.
-
- (** ...and a given schedule. *)
- Variable sched : schedule PState.
-
- (** Let [j] be any job that is to be scheduled. *)
- Variable j : Job.
-
- (** First, we prove that the instantaneous service cannot be greater than 1, ... *)
- Lemma service_at_most_one:
- forall t, service_at sched j t <= 1.
- Proof. by rewrite /service_at. Qed.
-
- (** ... which implies that the instantaneous service always equals to 0 or 1. *)
- Corollary service_is_zero_or_one:
- forall t, service_at sched j t = 0 \/ service_at sched j t = 1.
- Proof.
- move=> t.
- by case: service_at (service_at_most_one t) => [|[|//]] _; [left|right].
- Qed.
-
- (** Next we prove that the cumulative service received by job [j] in
- any interval of length [delta] is at most [delta]. *)
- Lemma cumulative_service_le_delta:
- forall t delta, service_during sched j t (t + delta) <= delta.
- Proof.
- move=> t delta; rewrite -[X in _ <= X](sum_of_ones t).
- apply: leq_sum => t' _; exact: service_at_most_one.
- Qed.
-
- (** Conversely, we prove that if the cumulative service received by
- job [j] in an interval of length [delta] is greater than or
- equal to [Ï], then [Ï â‰¤ delta]. *)
- Lemma cumulative_service_ge_delta :
- forall t delta Ï,
- Ï <= service_during sched j t (t + delta) ->
- Ï <= delta.
- Proof. move=> ??? /leq_trans; apply; exact: cumulative_service_le_delta. Qed.
-
- Section ServiceIsUnitGrowthFunction.
-
- (** We show that the service received by any job [j] is a unit growth function. *)
- Lemma service_is_unit_growth_function :
- unit_growth_function (service sched j).
- Proof.
- move=> t; rewrite addn1 -service_last_plus_before leq_add2l.
- exact: service_at_most_one.
- Qed.
-
- (** Next, consider any time [t]... *)
- Variable t : instant.
-
- (** ...and let [s] be any value less than the service received
- by job [j] by time [t]. *)
- Variable s : duration.
- Hypothesis H_less_than_s: s < service sched j t.
-
- (** Then, we show that there exists an earlier time [t'] where job
- [j] had [s] units of service. *)
- Corollary exists_intermediate_service:
- exists t',
- t' < t /\
- service sched j t' = s.
- Proof.
- apply: (exists_intermediate_point _ service_is_unit_growth_function 0) => //.
- by rewrite service0.
- Qed.
-
- End ServiceIsUnitGrowthFunction.
-
-End UnitService.
-
-(** We establish a basic fact about the monotonicity of service. *)
-Section Monotonicity.
-
- (** Consider any job type and any processor model. *)
- Context {Job: JobType}.
- Context {PState: ProcessorState Job}.
-
- (** Consider any given schedule... *)
- Variable sched: schedule PState.
-
- (** ...and a given job that is to be scheduled. *)
- Variable j: Job.
-
- (** We observe that the amount of service received is monotonic by definition. *)
- Lemma service_monotonic:
- forall t1 t2,
- t1 <= t2 ->
- service sched j t1 <= service sched j t2.
- Proof. by move=> t1 t2 ?; rewrite -(service_cat _ _ t1 t2)// leq_addr. Qed.
-
-End Monotonicity.
-
-(** Consider any job type and any processor model. *)
-Section RelationToScheduled.
-
- Context {Job: JobType}.
- Context {PState: ProcessorState Job}.
-
- (** Consider any given schedule... *)
- Variable sched: schedule PState.
-
- (** ...and a given job that is to be scheduled. *)
- Variable j: Job.
-
- (** We observe that a job that isn't scheduled in a given processor
- state cannot possibly receive service in that state. *)
- Lemma service_in_implies_scheduled_in :
- forall s,
- ~~ scheduled_in j s -> service_in j s = 0.
- Proof.
- move=> s.
- move=> /existsP Hsched; apply/eqP; rewrite sum_nat_eq0; apply/forallP => c.
- rewrite service_on_implies_scheduled_on//.
- by apply/negP => ?; apply: Hsched; exists c.
- Qed.
-
- (** In particular, it cannot receive service at any given time. *)
- Corollary not_scheduled_implies_no_service:
- forall t,
- ~~ scheduled_at sched j t -> service_at sched j t = 0.
- Proof. move=> ?; exact: service_in_implies_scheduled_in. Qed.
-
- (** Conversely, if a job receives service, then it must be scheduled. *)
- Lemma service_at_implies_scheduled_at :
- forall t,
- service_at sched j t > 0 -> scheduled_at sched j t.
- Proof.
- move=> t; case SCHEDULED: scheduled_at => //.
- by rewrite not_scheduled_implies_no_service// negbT.
- Qed.
-
- (** Thus, if the cumulative amount of service changes, then it must be
- scheduled, too. *)
- Lemma service_delta_implies_scheduled:
- forall t,
- service sched j t < service sched j t.+1 -> scheduled_at sched j t.
- Proof.
- move=> t; rewrite -service_last_plus_before -ltn_subLR// subnn.
- exact: service_at_implies_scheduled_at.
- Qed.
-
- (** We observe that a job receives cumulative service during some interval iff
- it receives services at some specific time in the interval. *)
- Lemma service_during_service_at:
- forall t1 t2,
- service_during sched j t1 t2 > 0
- <->
- exists t,
- t1 <= t < t2 /\
- service_at sched j t > 0.
- Proof.
- move=> t1 t2.
- split=> [|[t [titv nz_serv]]].
- - rewrite sum_nat_gt0 filter_predT => /hasP [t IN GT0].
- by exists t; split; [rewrite -mem_index_iota|].
- - rewrite sum_nat_gt0; apply/hasP.
- by exists t; [rewrite filter_predT mem_index_iota|].
- Qed.
-
- (** Thus, any job that receives some service during an interval must be
- scheduled at some point during the interval... *)
- Corollary cumulative_service_implies_scheduled:
- forall t1 t2,
- service_during sched j t1 t2 > 0 ->
- exists t,
- t1 <= t < t2 /\
- scheduled_at sched j t.
- Proof.
- move=> t1 t2; rewrite service_during_service_at => -[t' [TIMES SERVICED]].
- exists t'; split=> //; exact: service_at_implies_scheduled_at.
- Qed.
-
- (** ...which implies that any job with positive cumulative service must have
- been scheduled at some point. *)
- Corollary positive_service_implies_scheduled_before:
- forall t,
- service sched j t > 0 -> exists t', (t' < t /\ scheduled_at sched j t').
- Proof.
- by move=> t /cumulative_service_implies_scheduled[t' ?]; exists t'.
- Qed.
-
- (** If we can assume that a scheduled job always receives service,
- we can further prove the converse. *)
- Section GuaranteedService.
-
- (** Assume [j] always receives some positive service. *)
- Hypothesis H_scheduled_implies_serviced: ideal_progress_proc_model PState.
-
- (** In other words, not being scheduled is equivalent to receiving zero
- service. *)
- Lemma no_service_not_scheduled:
- forall t,
- ~~ scheduled_at sched j t <-> service_at sched j t = 0.
- Proof.
- move=> t.
- split => [|NO_SERVICE]; first exact: service_in_implies_scheduled_in.
- apply: (contra (H_scheduled_implies_serviced j (sched t))).
- by rewrite -eqn0Ngt -NO_SERVICE.
- Qed.
-
- (** Then, if a job does not receive any service during an interval, it
- is not scheduled. *)
- Lemma no_service_during_implies_not_scheduled:
- forall t1 t2,
- service_during sched j t1 t2 = 0 ->
- forall t,
- t1 <= t < t2 -> ~~ scheduled_at sched j t.
- Proof.
- move=> t1 t2.
- by move=> + t titv; rewrite no_service_not_scheduled big_nat_eq0; apply.
- Qed.
-
- (** Conversely, if a job is not scheduled during an interval, then
- it does not receive any service in that interval *)
- Lemma not_scheduled_during_implies_zero_service:
- forall t1 t2,
- (forall t, t1 <= t < t2 -> ~~ scheduled_at sched j t) ->
- service_during sched j t1 t2 = 0.
- Proof.
- move=> t1 t2; rewrite big_nat_eq0 => + t titv => /(_ t titv).
- by rewrite no_service_not_scheduled.
- Qed.
-
- (** If a job is scheduled at some point in an interval, it receives
- positive cumulative service during the interval... *)
- Lemma scheduled_implies_cumulative_service:
- forall t1 t2,
- (exists t,
- t1 <= t < t2 /\
- scheduled_at sched j t) ->
- service_during sched j t1 t2 > 0.
- Proof.
- move=> t1 t2 [t [titv sch]]; rewrite service_during_service_at.
- exists t; split=> //; exact: H_scheduled_implies_serviced.
- Qed.
-
- (** ...which again applies to total service, too. *)
- Corollary scheduled_implies_nonzero_service:
- forall t,
- (exists t',
- t' < t /\
- scheduled_at sched j t') ->
- service sched j t > 0.
- Proof.
- move=> t.
- by move=> [t' ?]; apply: scheduled_implies_cumulative_service; exists t'.
- Qed.
-
- End GuaranteedService.
-
- (** Furthermore, if we know that jobs are not released early, then we can
- narrow the interval during which they must have been scheduled. *)
- Section AfterArrival.
-
- Context `{JobArrival Job}.
-
- (** Assume that jobs must arrive to execute. *)
- Hypothesis H_jobs_must_arrive:
- jobs_must_arrive_to_execute sched.
-
- (** We prove that any job with positive cumulative service at time [t] must
- have been scheduled some time since its arrival and before time [t]. *)
- Lemma positive_service_implies_scheduled_since_arrival:
- forall t,
- service sched j t > 0 ->
- exists t', (job_arrival j <= t' < t /\ scheduled_at sched j t').
- Proof.
- move=> t /positive_service_implies_scheduled_before[t' [t't sch]].
- exists t'; split=> //; rewrite t't andbT; exact: H_jobs_must_arrive.
- Qed.
-
- Lemma not_scheduled_before_arrival:
- forall t, t < job_arrival j -> ~~ scheduled_at sched j t.
- Proof.
- by move=> t ?; apply: (contra (H_jobs_must_arrive j t)); rewrite -ltnNge.
- Qed.
-
- (** We show that job [j] does not receive service at any time [t] prior to its
- arrival. *)
- Lemma service_before_job_arrival_zero:
- forall t,
- t < job_arrival j ->
- service_at sched j t = 0.
- Proof.
- move=> t NOT_ARR; rewrite not_scheduled_implies_no_service//.
- exact: not_scheduled_before_arrival.
- Qed.
-
- (** Note that the same property applies to the cumulative service. *)
- Lemma cumulative_service_before_job_arrival_zero :
- forall t1 t2 : instant,
- t2 <= job_arrival j ->
- service_during sched j t1 t2 = 0.
- Proof.
- move=> t1 t2 early; rewrite big_nat_eq0 => t /andP[_ t_lt_t2].
- apply: service_before_job_arrival_zero; exact: leq_trans early.
- Qed.
-
- (** Hence, one can ignore the service received by a job before its arrival
- time... *)
- Lemma ignore_service_before_arrival:
- forall t1 t2,
- t1 <= job_arrival j ->
- t2 >= job_arrival j ->
- service_during sched j t1 t2 = service_during sched j (job_arrival j) t2.
- Proof.
- move=> t1 t2 t1_le t2_ge.
- rewrite -(service_during_cat sched _ _ (job_arrival j)); last exact/andP.
- by rewrite cumulative_service_before_job_arrival_zero.
- Qed.
-
- (** ... which we can also state in terms of cumulative service. *)
- Corollary no_service_before_arrival:
- forall t,
- t <= job_arrival j -> service sched j t = 0.
- Proof. exact: cumulative_service_before_job_arrival_zero. Qed.
-
- End AfterArrival.
-
- (** In this section, we prove some lemmas about time instants with same
- service. *)
- Section TimesWithSameService.
-
- (** Consider any time instants [t1] and [t2]... *)
- Variable t1 t2: instant.
-
- (** ...where [t1] is no later than [t2]... *)
- Hypothesis H_t1_le_t2: t1 <= t2.
-
- (** ...and where job [j] has received the same amount of service. *)
- Hypothesis H_same_service: service sched j t1 = service sched j t2.
-
- (** First, we observe that this means that the job receives no service
- during <<[t1, t2)>>... *)
- Lemma constant_service_implies_no_service_during:
- service_during sched j t1 t2 = 0.
- Proof.
- move: H_same_service; rewrite -(service_cat _ _ t1 t2)// => /eqP.
- by rewrite -[X in X == _]addn0 eqn_add2l => /eqP.
- Qed.
-
- (** ...which of course implies that it does not receive service at any
- point, either. *)
- Lemma constant_service_implies_not_scheduled:
- forall t,
- t1 <= t < t2 -> service_at sched j t = 0.
- Proof.
- move=> t titv.
- have := constant_service_implies_no_service_during.
- rewrite big_nat_eq0; exact.
- Qed.
-
- (** We show that job [j] receives service at some point [t < t1]
- iff [j] receives service at some point [t' < t2]. *)
- Lemma same_service_implies_serviced_at_earlier_times:
- [exists t: 'I_t1, service_at sched j t > 0] =
- [exists t': 'I_t2, service_at sched j t' > 0].
- Proof.
- apply/idP/idP => /existsP[t serv].
- { by apply/existsP; exists (widen_ord H_t1_le_t2 t). }
- have [t_lt_t1|t1_le_t] := ltnP t t1.
- { by apply/existsP; exists (Ordinal t_lt_t1). }
- exfalso; move: serv; apply/negP; rewrite -eqn0Ngt.
- by apply/eqP/constant_service_implies_not_scheduled; rewrite t1_le_t /=.
- Qed.
-
- (** Then, under the assumption that scheduled jobs receives service,
- we can translate this into a claim about scheduled_at. *)
-
- (** Assume [j] always receives some positive service. *)
- Hypothesis H_scheduled_implies_serviced: ideal_progress_proc_model PState.
-
- (** We show that job [j] is scheduled at some point [t < t1] iff [j] is scheduled
- at some point [t' < t2]. *)
- Lemma same_service_implies_scheduled_at_earlier_times:
- [exists t: 'I_t1, scheduled_at sched j t] =
- [exists t': 'I_t2, scheduled_at sched j t'].
- Proof.
- have CONV B : [exists b: 'I_B, scheduled_at sched j b]
- = [exists b: 'I_B, service_at sched j b > 0].
- { apply/idP/idP => /existsP[b P]; apply/existsP; exists b.
- - exact: H_scheduled_implies_serviced.
- - exact: service_at_implies_scheduled_at. }
- by rewrite !CONV same_service_implies_serviced_at_earlier_times.
- Qed.
-
- End TimesWithSameService.
-
-End RelationToScheduled.
-
-Section ServiceInTwoSchedules.
-
- (** Consider any job type and any processor model. *)
- Context {Job: JobType}.
- Context {PState: ProcessorState Job}.
-
- (** Consider any two given schedules... *)
- Variable sched1 sched2: schedule PState.
-
- (** Given an interval in which the schedules provide the same service
- to a job at each instant, we can prove that the cumulative service
- received during the interval has to be the same. *)
- Section ServiceDuringEquivalentInterval.
-
- (** Consider two time instants... *)
- Variable t1 t2 : instant.
-
- (** ...and a given job that is to be scheduled. *)
- Variable j: Job.
-
- (** Assume that, in any instant between [t1] and [t2] the service
- provided to [j] from the two schedules is the same. *)
- Hypothesis H_sched1_sched2_same_service_at:
- forall t, t1 <= t < t2 ->
- service_at sched1 j t = service_at sched2 j t.
-
- (** It follows that the service provided during [t1] and [t2]
- is also the same. *)
- Lemma same_service_during:
- service_during sched1 j t1 t2 = service_during sched2 j t1 t2.
- Proof. exact/eq_big_nat/H_sched1_sched2_same_service_at. Qed.
-
- End ServiceDuringEquivalentInterval.
-
- (** We can leverage the previous lemma to conclude that two schedules
- that match in a given interval will also have the same cumulative
- service across the interval. *)
- Corollary equal_prefix_implies_same_service_during:
- forall t1 t2,
- (forall t, t1 <= t < t2 -> sched1 t = sched2 t) ->
- forall j, service_during sched1 j t1 t2 = service_during sched2 j t1 t2.
- Proof.
- move=> t1 t2 sch j; apply: same_service_during => t' t'itv.
- by rewrite /service_at sch.
- Qed.
-
- (** For convenience, we restate the corollary also at the level of
- [service] for identical prefixes. *)
- Corollary identical_prefix_service:
- forall h,
- identical_prefix sched1 sched2 h ->
- forall j, service sched1 j h = service sched2 j h.
- Proof. move=> ? ? ?; exact: equal_prefix_implies_same_service_during. Qed.
-
-End ServiceInTwoSchedules.
diff --git a/analysis/facts/busy_interval/busy_interval.v b/analysis/facts/busy_interval/busy_interval.v
deleted file mode 100644
index bf9b9460d3e9e9dec2bf5d669182d02c903326bc..0000000000000000000000000000000000000000
--- a/analysis/facts/busy_interval/busy_interval.v
+++ /dev/null
@@ -1,705 +0,0 @@
-Require Export prosa.model.schedule.work_conserving.
-Require Export prosa.analysis.definitions.job_properties.
-Require Export prosa.analysis.definitions.priority_inversion.
-Require Export prosa.analysis.facts.behavior.all.
-Require Export prosa.analysis.facts.model.service_of_jobs.
-Require Export prosa.analysis.definitions.work_bearing_readiness.
-
-(** Throughout this file, we assume ideal uni-processor schedules. *)
-Require Import prosa.model.processor.ideal.
-Require Import prosa.analysis.facts.model.ideal.schedule.
-Require Export prosa.analysis.facts.busy_interval.ideal.priority_inversion.
-
-(** * Existence of Busy Interval for JLFP-models *)
-(** In this module we derive a sufficient condition for existence of
- busy intervals for uni-processor for JLFP schedulers. *)
-Section ExistsBusyIntervalJLFP.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context {JobTask : JobTask Job Task}.
- Context {Arrival: JobArrival Job}.
- Context {Cost : JobCost Job}.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Next, consider any ideal uni-processor schedule of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Assume a given JLFP policy. *)
- Context `{JLFP_policy Job}.
-
- (** Further, allow for any work-bearing notion of job readiness. *)
- Context `{@JobReady Job (ideal.processor_state Job) Cost Arrival}.
- Hypothesis H_job_ready : work_bearing_readiness arr_seq sched.
-
- (** For simplicity, let's define some local names. *)
- Let job_pending_at := pending sched.
- Let job_completed_by := completed_by sched.
-
- (** Consider an arbitrary task [tsk]. *)
- Variable tsk : Task.
-
- (** Consider an arbitrary job [j]. *)
- Variable j : Job.
- Hypothesis H_from_arrival_sequence : arrives_in arr_seq j.
- Hypothesis H_job_task : job_of_task tsk j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** Recall the list of jobs that arrive in any interval. *)
- Let quiet_time t1 := quiet_time arr_seq sched j t1.
- Let quiet_time_dec t1 := quiet_time_dec arr_seq sched j t1.
- Let busy_interval_prefix t1 t2 := busy_interval_prefix arr_seq sched j t1 t2.
- Let busy_interval t1 t2 := busy_interval arr_seq sched j t1 t2.
- Let is_priority_inversion_bounded_by K := priority_inversion_of_job_is_bounded_by_constant arr_seq sched j K.
-
- (** We begin by proving a basic lemma about busy intervals. *)
- Section BasicLemma.
-
- (** Assume that the priority relation is reflexive. *)
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
-
- (** Consider any busy interval <<[t1, t2)>> of job [j]. *)
- Variable t1 t2 : instant.
- Hypothesis H_busy_interval : busy_interval t1 t2.
-
- (** We prove that job [j] completes by the end of the busy interval. *)
- Lemma job_completes_within_busy_interval:
- job_completed_by j t2.
- Proof.
- rename H_priority_is_reflexive into REFL, H_busy_interval into BUSY.
- move: BUSY => [[_ [_ [_ /andP [_ ARR]]]] QUIET].
- apply QUIET; try done.
- apply (REFL 0).
- Qed.
-
- End BasicLemma.
-
- (** In this section, we prove that during a busy interval there
- always exists a pending job. *)
- Section ExistsPendingJob.
-
- (** Let <<[t1, t2]>> be any interval where time [t1] is quiet and time [t2] is not quiet. *)
- Variable t1 t2 : instant.
- Hypothesis H_interval : t1 <= t2.
- Hypothesis H_quiet : quiet_time t1.
- Hypothesis H_not_quiet : ~ quiet_time t2.
-
- (** Then, we prove that there is a job pending at time [t2]
- that has higher or equal priority (with respect to [tsk]). *)
- Lemma not_quiet_implies_exists_pending_job:
- exists j_hp,
- arrives_in arr_seq j_hp /\
- arrived_between j_hp t1 t2 /\
- hep_job j_hp j /\
- ~ job_completed_by j_hp t2.
- Proof.
- rename H_quiet into QUIET, H_not_quiet into NOTQUIET.
- destruct (has (fun j_hp => (~~ job_completed_by j_hp t2) && hep_job j_hp j)
- (arrivals_between arr_seq t1 t2)) eqn:COMP.
- { move: COMP => /hasP [j_hp ARR /andP [NOTCOMP HP]].
- move: (ARR) => INarr.
- apply in_arrivals_implies_arrived_between in ARR; last by done.
- apply in_arrivals_implies_arrived in INarr.
- by exists j_hp; repeat split; last by apply/negP.
- }
- {
- apply negbT in COMP; rewrite -all_predC in COMP.
- move: COMP => /allP COMP.
- exfalso; apply NOTQUIET; intros j_hp IN HP ARR.
- destruct (ltnP (job_arrival j_hp) t1) as [BEFORE | AFTER];
- first by specialize (QUIET j_hp IN HP BEFORE); apply completion_monotonic with (t := t1).
- feed (COMP j_hp).
- { by eapply arrived_between_implies_in_arrivals; eauto 1; apply/andP; split. }
- by rewrite /= HP andbT negbK in COMP.
- }
- Qed.
-
- End ExistsPendingJob.
-
- (** In this section, we prove that during a busy interval the
- processor is never idle. *)
- Section ProcessorAlwaysBusy.
-
- (** Assume that the schedule is work-conserving ... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the priority relation is reflexive and transitive. *)
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
- Hypothesis H_priority_is_transitive : transitive_priorities.
-
- (** Consider any busy interval prefix <<[t1, t2)>>. *)
- Variable t1 t2 : instant.
- Hypothesis H_busy_interval_prefix : busy_interval_prefix t1 t2.
-
- (** We prove that if the processor is idle at a time instant [t],
- then the next time instant [t+1] will be a quiet time. *)
- Lemma idle_time_implies_quiet_time_at_the_next_time_instant:
- forall (t : instant),
- is_idle sched t ->
- quiet_time t.+1.
- Proof.
- intros t IDLE jhp ARR HP AB.
- apply negbNE; apply/negP; intros NCOMP.
- have PEND : job_pending_at jhp t.
- { apply/andP; split; first by done.
- by move: NCOMP; apply contra, completion_monotonic.
- }
- apply H_job_ready in PEND => //; destruct PEND as [j' [ARR' [READY' _]]].
- move:(H_work_conserving j' t) => WC.
- feed_n 2 WC; first by done.
- { apply/andP; split; first by done.
- by move: IDLE => /eqP IDLE; rewrite /scheduled_at scheduled_in_def IDLE.
- }
- move: IDLE WC => /eqP IDLE [jo SCHED].
- by rewrite scheduled_at_def IDLE in SCHED.
- Qed.
-
- (** Next, we prove that at any time instant [t] within the busy interval there exists a job
- [jhp] such that (1) job [jhp] is pending at time [t] and (2) job [jhp] has higher-or-equal
- priority than task [tsk]. *)
- Lemma pending_hp_job_exists:
- forall t,
- t1 <= t < t2 ->
- exists jhp,
- arrives_in arr_seq jhp /\
- job_pending_at jhp t /\
- hep_job jhp j.
- Proof.
- move => t /andP [GE LT]; move: (H_busy_interval_prefix) => [_ [QTt [NQT REL]]].
- move: (ltngtP t1.+1 t2) => [GT|CONTR|EQ]; first last.
- - subst t2; rewrite ltnS in LT.
- have EQ: t1 = t by apply/eqP; rewrite eqn_leq; apply/andP; split.
- subst t1; clear GE LT.
- exists j; repeat split; try done.
- + move: REL; rewrite ltnS -eqn_leq eq_sym; move => /eqP REL.
- by rewrite -REL; eapply job_pending_at_arrival; eauto 2.
- + by apply (H_priority_is_reflexive 0).
- - by exfalso; move_neq_down CONTR; eapply leq_ltn_trans; eauto 2.
- - have EX: exists hp__seq: seq Job,
- forall j__hp, j__hp \in hp__seq <-> arrives_in arr_seq j__hp /\ job_pending_at j__hp t /\ hep_job j__hp j.
- { exists (filter (fun jo => (job_pending_at jo t) && (hep_job jo j)) (arrivals_between arr_seq 0 t.+1)).
- intros; split; intros T.
- - move: T; rewrite mem_filter; move => /andP [/andP [PEN HP] IN].
- repeat split; eauto using in_arrivals_implies_arrived.
- - move: T => [ARR [PEN HP]].
- rewrite mem_filter; apply/andP; split; first (apply/andP; split); try done.
- eapply arrived_between_implies_in_arrivals; try done.
- by apply/andP; split; last rewrite ltnS; move: PEN => /andP [T _].
- } move: EX => [hp__seq SE]; case FL: (hp__seq) => [ | jhp jhps].
- + subst hp__seq; exfalso.
- move: GE; rewrite leq_eqVlt; move => /orP [/eqP EQ| GE].
- * subst t.
- apply NQT with t1.+1; first by apply/andP; split.
- intros jhp ARR HP ARRB; apply negbNE; apply/negP; intros NCOMP.
- move: (SE jhp) => [_ SE2].
- rewrite in_nil in SE2; feed SE2; [clear SE2 | by done].
- repeat split; try done; first apply/andP; split; try done.
- apply/negP; intros COMLP.
- move: NCOMP => /negP NCOMP; apply: NCOMP.
- by apply completion_monotonic with t1.
- * apply NQT with t; first by apply/andP; split.
- intros jhp ARR HP ARRB; apply negbNE; apply/negP; intros NCOMP.
- move: (SE jhp) => [_ SE2].
- rewrite in_nil in SE2; feed SE2; [clear SE2 | by done].
- by repeat split; auto; apply/andP; split; first apply ltnW.
- + move: (SE jhp)=> [SE1 _]; subst; clear SE.
- by exists jhp; apply SE1; rewrite in_cons; apply/orP; left.
- Qed.
-
- (** We prove that at any time instant [t] within <<[t1, t2)>> the processor is not idle. *)
- Lemma not_quiet_implies_not_idle:
- forall t,
- t1 <= t < t2 ->
- ~ is_idle sched t.
- Proof.
- intros t NEQ IDLE.
- move: (pending_hp_job_exists _ NEQ) => [jhp [ARR [PEND HP]]].
- apply H_job_ready in PEND => //; destruct PEND as [j' [ARR' [READY' _]]].
- feed (H_work_conserving _ t ARR').
- apply/andP; split; first by done.
- move: IDLE => /eqP IDLE; rewrite scheduled_at_def IDLE; by done.
- move: (H_work_conserving) => [jo SCHED].
- move: IDLE SCHED => /eqP IDLE SCHED.
- by rewrite scheduled_at_def IDLE in SCHED.
- Qed.
-
- End ProcessorAlwaysBusy.
-
- (** In section we prove a few auxiliary lemmas about quiet time and service. *)
- Section QuietTimeAndServiceOfJobs.
-
- (** Assume that the schedule is work-conserving ... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and there are no duplicate job arrivals. *)
- Hypothesis H_arrival_sequence_is_a_set:
- arrival_sequence_uniq arr_seq.
-
- (** Let [t1] be a quiet time. *)
- Variable t1 : instant.
- Hypothesis H_quiet_time : quiet_time t1.
-
- (** Assume that there is no quiet time in the interval <<(t1, t1 + Δ]>>. *)
- Variable Δ : duration.
- Hypothesis H_no_quiet_time : forall t, t1 < t <= t1 + Δ -> ~ quiet_time t.
-
- (** For clarity, we introduce a notion of the total service of
- jobs released in time interval <<[t_beg, t_end)>> during the
- time interval <<[t1, t1 + Δ)>>. *)
- Let service_received_by_hep_jobs_released_during t_beg t_end :=
- service_of_higher_or_equal_priority_jobs
- sched (arrivals_between arr_seq t_beg t_end) j t1 (t1 + Δ).
-
- (** We prove that jobs with higher-than-or-equal priority that
- released before time instant [t1] receive no service after time
- instant [t1]. *)
- Lemma hep_jobs_receive_no_service_before_quiet_time:
- service_received_by_hep_jobs_released_during t1 (t1 + Δ) =
- service_received_by_hep_jobs_released_during 0 (t1 + Δ).
- Proof.
- intros.
- rewrite /service_received_by_hep_jobs_released_during
- /service_of_higher_or_equal_priority_jobs /service_of_jobs.
- rewrite [in X in _ = X](arrivals_between_cat _ _ t1);
- [ | | rewrite leq_addr]; try done.
- rewrite big_cat //=.
- rewrite -{1}[\sum_(j <- arrivals_between arr_seq _ (t1 + Δ) | _)
- service_during sched j t1 (t1 + Δ)]add0n.
- apply/eqP. rewrite eqn_add2r eq_sym exchange_big //=.
- rewrite big1_seq //.
- move => t' /andP [_ NEQ]; rewrite mem_iota in NEQ.
- rewrite big1_seq //.
- move => jhp /andP [HP ARR].
- apply/eqP.
- rewrite service_at_def eqb0 -scheduled_at_def.
- apply (completed_implies_not_scheduled _ _ H_completed_jobs_dont_execute).
- apply completion_monotonic with t1; [ move: NEQ => /andP [T1 _] | ]; try done.
- apply H_quiet_time; try done.
- - by eapply in_arrivals_implies_arrived; eauto 2.
- - by eapply in_arrivals_implies_arrived_before; eauto 2.
- Qed.
-
- (** Next we prove that the total service within a "non-quiet"
- time interval <<[t1, t1 + Δ)>> is exactly [Δ]. *)
- Lemma no_idle_time_within_non_quiet_time_interval:
- total_service_of_jobs_in sched (arrivals_between arr_seq 0 (t1 + Δ)) t1 (t1 + Δ) = Δ.
- Proof.
- intros; unfold total_service_of_jobs_in, service_of_jobs, service_of_higher_or_equal_priority_jobs.
- rewrite -{3}[Δ](sum_of_ones t1) exchange_big //=.
- apply/eqP; rewrite eqn_leq; apply/andP; split.
- { rewrite leq_sum // => t' _.
- have SCH := @service_of_jobs_le_1 _ _ _ _ sched predT (arrivals_between arr_seq 0 (t1 + Δ)).
- by eapply leq_trans; [apply leqnn | apply SCH; eauto using arrivals_uniq with basic_rt_facts]. }
- { rewrite [in X in X <= _]big_nat_cond [in X in _ <= X]big_nat_cond //=
- leq_sum // => t' /andP [/andP [LT GT] _].
- rewrite sum_nat_gt0 filter_predT; apply/hasP.
- ideal_proc_model_sched_case_analysis_eq sched t' jo.
- { exfalso; move: LT; rewrite leq_eqVlt; move => /orP [/eqP EQ|LT].
- { subst t'.
- feed (H_no_quiet_time t1.+1); first by apply/andP; split.
- by apply H_no_quiet_time, idle_time_implies_quiet_time_at_the_next_time_instant. }
- { feed (H_no_quiet_time t'); first by apply/andP; split; last rewrite ltnW.
- apply: H_no_quiet_time; intros j_hp IN HP ARR.
- apply contraT; intros NCOMP.
- have PEND : job_pending_at j_hp t'.
- { apply/andP; split.
- - by rewrite /has_arrived ltnW.
- - by move: NCOMP; apply contra, completion_monotonic. }
- apply H_job_ready in PEND => //; destruct PEND as [j' [ARR' [READY' _]]].
- feed (H_work_conserving _ t' ARR').
- { by apply/andP; split; last rewrite scheduled_at_def EqIdle. }
- move: H_work_conserving => [j_other SCHEDother].
- by rewrite scheduled_at_def EqIdle in SCHEDother. } }
- { exists jo.
- - apply arrived_between_implies_in_arrivals; try done.
- apply H_jobs_come_from_arrival_sequence with t'; try done.
- apply/andP; split; first by done.
- apply H_jobs_must_arrive_to_execute in Sched_jo.
- by apply leq_ltn_trans with t'.
- - by rewrite service_at_def lt0b -scheduled_at_def.
- }
- }
- Qed.
-
- End QuietTimeAndServiceOfJobs.
-
- (** In this section, we show that the length of any busy interval
- is bounded, as long as there is enough supply to accommodate
- the workload of tasks with higher or equal priority. *)
- Section BoundingBusyInterval.
-
- (** Assume that the schedule is work-conserving, ... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and there are no duplicate job arrivals, ... *)
- Hypothesis H_arrival_sequence_is_a_set:
- arrival_sequence_uniq arr_seq.
-
- (** ... and the priority relation is reflexive and transitive. *)
- Hypothesis H_priority_is_reflexive: reflexive_priorities.
- Hypothesis H_priority_is_transitive: transitive_priorities.
-
- (** Next, we recall the notion of workload of all jobs released in
- a given interval <<[t1, t2)>> that have higher-or-equal
- priority w.r.t. the job [j] being analyzed. *)
- Let hp_workload t1 t2 :=
- workload_of_higher_or_equal_priority_jobs j (arrivals_between arr_seq t1 t2).
-
- (** With regard to the jobs with higher-or-equal priority that are released
- in a given interval <<[t1, t2)>>, we also recall the service received by these
- jobs in the same interval <<[t1, t2)>>. *)
- Let hp_service t1 t2 :=
- service_of_higher_or_equal_priority_jobs
- sched (arrivals_between arr_seq t1 t2) j t1 t2.
-
- (** Now we begin the proof. First, we show that the busy interval is bounded. *)
- Section BoundingBusyInterval.
-
- (** Suppose that job [j] is pending at time [t_busy]. *)
- Variable t_busy : instant.
- Hypothesis H_j_is_pending : job_pending_at j t_busy.
-
- (** First, we show that there must exist a busy interval prefix. *)
- Section LowerBound.
-
- (** Since job [j] is pending, there is a (potentially unbounded)
- busy interval that starts no later than with the arrival of [j]. *)
- Lemma exists_busy_interval_prefix:
- exists t1,
- busy_interval_prefix t1 t_busy.+1 /\
- t1 <= job_arrival j <= t_busy.
- Proof.
- rename H_j_is_pending into PEND, H_work_conserving into WORK.
- destruct ([exists t:'I_t_busy.+1, quiet_time_dec t]) eqn:EX.
- - set last0 := \max_(t < t_busy.+1 | quiet_time_dec t) t.
- move: EX => /existsP [t EX].
- have PRED: quiet_time_dec last0 by apply (bigmax_pred t_busy.+1 (quiet_time_dec) t).
- have QUIET: quiet_time last0.
- { intros j_hp IN HP ARR; move: PRED => /allP PRED; feed (PRED j_hp).
- - by eapply arrived_between_implies_in_arrivals; eauto.
- - by rewrite HP implyTb in PRED.
- }
- exists last0.
- have JAIN: last0 <= job_arrival j <= t_busy.
- { apply/andP; split; last by move: PEND => /andP [ARR _].
- move_neq_up BEFORE.
- move: PEND => /andP [_ NOTCOMP].
- feed (QUIET j H_from_arrival_sequence); first by apply (H_priority_is_reflexive 0).
- specialize (QUIET BEFORE).
- apply completion_monotonic with (t' := t_busy) in QUIET; first by rewrite QUIET in NOTCOMP.
- by apply bigmax_ltn_ord with (i0 := t).
- }
- repeat split; try done.
- + by apply bigmax_ltn_ord with (i0 := t).
- + move => t0 /andP [GTlast LTbusy] QUIET0.
- have PRED0: quiet_time_dec t0.
- apply/allP; intros j_hp ARR; apply/implyP; intros HP.
- apply QUIET0; eauto 2 using in_arrivals_implies_arrived, in_arrivals_implies_arrived_before.
- move_neq_down GTlast.
- by eapply (@leq_bigmax_cond _ (fun (x: 'I_t_busy.+1) => quiet_time_dec x) (fun x => x) (Ordinal LTbusy)).
- - apply negbT in EX; rewrite negb_exists in EX; move: EX => /forallP ALL.
- exists 0; split; last by apply/andP; split; last by move: PEND => /andP [ARR _].
- repeat split; first by intros j_hp _ _ ARR; rewrite /arrived_before ltn0 in ARR.
- move => t /andP [GE LT].
- specialize (ALL (Ordinal LT)); move: ALL => /negP ALL.
- intros QUIET; apply ALL; simpl.
- apply/allP; intros j_hp ARR; apply/implyP; intros HP.
- apply QUIET; eauto 2 using in_arrivals_implies_arrived, in_arrivals_implies_arrived_before.
- apply/andP; split; first by done.
- by move: PEND => /andP [ARR _].
- Qed.
-
- End LowerBound.
-
- (** Next we prove that, if there is a point where the requested
- workload is upper-bounded by the supply, then the busy
- interval eventually ends. *)
- Section UpperBound.
-
- (** Consider any busy interval prefix of job [j]. *)
- Variable t1 : instant.
- Hypothesis H_is_busy_prefix : busy_interval_prefix t1 t_busy.+1.
-
- (** Let [priority_inversion_bound] be a constant that bounds
- the length of any priority inversion. *)
- Variable priority_inversion_bound : instant.
- Hypothesis H_priority_inversion_is_bounded :
- is_priority_inversion_bounded_by priority_inversion_bound.
-
- (** Next, assume that for some positive delta, the sum of requested workload
- at time [t1 + delta] and constant priority_inversion_bound is bounded by
- delta (i.e., the supply). *)
- Variable delta : duration.
- Hypothesis H_delta_positive : delta > 0.
- Hypothesis H_workload_is_bounded :
- priority_inversion_bound + hp_workload t1 (t1 + delta) <= delta.
-
- (** If there is a quiet time by time [t1 + delta], it
- trivially follows that the busy interval is bounded.
- Thus, let's consider first the harder case where there is
- no quiet time, which turns out to be impossible. *)
- Section CannotBeBusyForSoLong.
-
- (** Assume that there is no quiet time in the interval <<(t1, t1 + delta]>>. *)
- Hypothesis H_no_quiet_time:
- forall t, t1 < t <= t1 + delta -> ~ quiet_time t.
-
- (** Since the interval is always non-quiet, the processor is
- always busy with tasks of higher-or-equal priority or
- some lower priority job which was scheduled, i.e., the
- sum of service done by jobs with actual arrival time in
- <<[t1, t1 + delta)>> and priority inversion equals
- [delta]. *)
- Lemma busy_interval_has_uninterrupted_service:
- delta <= priority_inversion_bound + hp_service t1 (t1 + delta).
- Proof.
- move: H_is_busy_prefix => [H_strictly_larger [H_quiet [_ EXj]]].
- destruct (delta <= priority_inversion_bound) eqn:KLEΔ.
- { by apply leq_trans with priority_inversion_bound; last rewrite leq_addr. }
- apply negbT in KLEΔ; rewrite -ltnNge in KLEΔ.
- apply leq_trans with (cumulative_priority_inversion arr_seq sched j t1 (t1 + delta) + hp_service t1 (t1 + delta)).
- { rewrite /hp_service hep_jobs_receive_no_service_before_quiet_time // /service_of_higher_or_equal_priority_jobs.
- rewrite service_of_jobs_negate_pred // addnBA; last by apply service_of_jobs_pred_impl; eauto 2.
- rewrite addnC -addnBA; first by rewrite no_idle_time_within_non_quiet_time_interval // leq_addr.
- rewrite service_of_jobs_sum_over_time_interval //.
- apply leq_sum_seq; move => t II _; rewrite mem_index_iota in II; move: II => /andP [GEi LEt].
- move: (@ideal_proc_model_sched_case_analysis _ sched t) => [IDLE | [j' SCHED]].
- { apply leq_trans with 0; [rewrite leqn0; apply/eqP | by apply leq0n].
- by apply big1; intros; apply ideal_not_idle_implies_sched. }
- { destruct (hep_job j' j) eqn:PRIO1.
- - rewrite service_of_jobs_nsched_or_unsat; first by done.
- intros j'' IN; apply/andP; intros [NHEP SCHED''].
- have EQ: j'' = j' by eapply ideal_proc_model_is_a_uniprocessor_model; eauto 2.
- by subst j''; rewrite PRIO1 in NHEP.
- - have SCH := @service_of_jobs_le_1 _ _ _ _ _ (fun i => ~~ hep_job i j) (arrivals_between arr_seq 0 (t1 + delta)).
- eapply leq_trans; first by apply: SCH; eauto using arrivals_uniq with basic_rt_facts.
- clear SCH; rewrite lt0b; apply/andP; split.
- + apply/negP; intros SCHED'.
- have EQ: j = j' by eapply ideal_proc_model_is_a_uniprocessor_model; eauto 2.
- subst; move: PRIO1 => /negP PRIO1; apply: PRIO1.
- by specialize (H_priority_is_reflexive 0 j').
- + apply/hasP; exists j'.
- * apply arrived_between_implies_in_arrivals; eauto 2.
- apply H_jobs_must_arrive_to_execute in SCHED.
- by unfold has_arrived, arrived_between in *; lia.
- * by apply/andP; split; [done | rewrite PRIO1]. } }
- { rewrite leq_add2r.
- destruct (t1 + delta <= t_busy.+1) eqn:NEQ; [ | apply negbT in NEQ; rewrite -ltnNge in NEQ].
- - apply leq_trans with (cumulative_priority_inversion arr_seq sched j t1 t_busy.+1); last eauto 2.
- by rewrite [in X in _ <= X](cumulative_priority_inversion_cat _ _ _ (t1 + delta)) //= leq_addr.
- - apply H_priority_inversion_is_bounded; repeat split; try done.
- + by rewrite -addn1 leq_add2l.
- + by move => t' /andP [LT GT]; apply H_no_quiet_time; apply/andP; split; last rewrite ltnW.
- + by move: EXj => /andP [T1 T2]; apply/andP; split; last apply ltn_trans with (t_busy.+1). }
- Qed.
-
- (** Moreover, the fact that the interval is not quiet also
- implies that there's more workload requested than
- service received. *)
- Lemma busy_interval_too_much_workload:
- hp_workload t1 (t1 + delta) > hp_service t1 (t1 + delta).
- Proof.
- have PEND := not_quiet_implies_exists_pending_job.
- rename H_no_quiet_time into NOTQUIET,
- H_is_busy_prefix into PREFIX.
- set l := arrivals_between arr_seq t1 (t1 + delta).
- set hep := hep_job.
- unfold hp_service, service_of_higher_or_equal_priority_jobs, service_of_jobs,
- hp_workload, workload_of_higher_or_equal_priority_jobs, workload_of_jobs.
- fold l hep.
- move: (PREFIX) => [_ [QUIET _]].
- move: (NOTQUIET) => NOTQUIET'.
- feed (NOTQUIET' (t1 + delta)).
- { by apply/andP; split; first rewrite -addn1 leq_add2l. }
- feed (PEND t1 (t1 + delta)); first by apply leq_addr.
- specialize (PEND QUIET NOTQUIET').
- move: PEND => [j0 [ARR0 [/andP [GE0 LT0] [HP0 NOTCOMP0]]]].
- have IN0: j0 \in l.
- { by eapply arrived_between_implies_in_arrivals; eauto 1; apply/andP; split. }
- have UNIQ: uniq l by eapply arrivals_uniq; eauto 1.
- rewrite big_mkcond [\sum_(_ <- _ | _ _ _)_]big_mkcond //=.
- rewrite (bigD1_seq j0); [simpl | by done | by done].
- rewrite (bigD1_seq j0); [simpl | by done | by done].
- rewrite /hep HP0.
- rewrite -add1n addnA [1 + _]addnC addn1.
- apply leq_add; last first.
- { apply leq_sum; intros j1 NEQ.
- destruct (hep_job j1 j); last by done.
- by apply cumulative_service_le_job_cost, ideal_proc_model_provides_unit_service.
- }
- rewrite ignore_service_before_arrival; rewrite //; [| by apply ltnW].
- rewrite -(ignore_service_before_arrival _ _ _ 0)//; [|exact: ltnW].
- by rewrite ltnNge; apply/negP.
- Qed.
-
- (** Using the two lemmas above, we infer that the workload
- is larger than the interval length. However, this
- contradicts the assumption [H_workload_is_bounded]. *)
- Corollary busy_interval_workload_larger_than_interval:
- priority_inversion_bound + hp_workload t1 (t1 + delta) > delta.
- Proof.
- apply leq_ltn_trans with (priority_inversion_bound + hp_service t1 (t1 + delta)).
- apply busy_interval_has_uninterrupted_service.
- rewrite ltn_add2l.
- by apply busy_interval_too_much_workload.
- Qed.
-
- End CannotBeBusyForSoLong.
-
- (** Since the interval cannot remain busy for so long, we
- prove that the busy interval finishes at some point [t2 <=
- t1 + delta]. *)
- Lemma busy_interval_is_bounded:
- exists t2,
- t2 <= t1 + delta /\
- busy_interval t1 t2.
- Proof.
- move: H_is_busy_prefix => [LT [QT [NQ NEQ]]].
- destruct ([exists t2:'I_(t1 + delta).+1, (t2 > t1) && quiet_time_dec t2]) eqn:EX.
- - have EX': exists (t2 : instant), ((t1 < t2 <= t1 + delta) && quiet_time_dec t2).
- { move: EX => /existsP [t2 /andP [LE QUIET]].
- exists t2; apply/andP; split; last by done.
- by apply/andP; split; last (rewrite -ltnS; apply ltn_ord). }
- move: (ex_minnP EX') => [t2 /andP [/andP [GT LE] QUIET] MIN]; clear EX EX'.
- exists t2; split; [ | split; [repeat split | ]]; try done.
- + move => t /andP [GT1 LT2] BUG.
- feed (MIN t); first (apply/andP; split).
- * by apply/andP; split; last by apply leq_trans with (n := t2); eauto using ltnW.
- * apply/allP; intros j_hp ARR; apply/implyP; intro HP.
- apply BUG; eauto 2 using in_arrivals_implies_arrived, ARR, in_arrivals_implies_arrived_before.
- by apply leq_ltn_trans with (p := t2) in MIN; first by rewrite ltnn in MIN.
- + move: NEQ => /andP [IN1 IN2].
- apply/andP; split; first by done.
- apply leq_ltn_trans with t_busy; eauto 2.
- rewrite ltnNge; apply/negP; intros CONTR.
- apply NQ with t2.
- * by apply/andP; split; last rewrite ltnS.
- * intros jhp ARR HP AB.
- move: QUIET => /allP QUIET; feed (QUIET jhp).
- eapply arrived_between_implies_in_arrivals; eauto 2.
- by move: QUIET => /implyP QUIET; apply QUIET.
- + intros j_hp IN HP ARR.
- move: QUIET => /allP QUIET; feed (QUIET j_hp).
- * by eapply arrived_between_implies_in_arrivals; last apply ARR.
- * by move: QUIET => /implyP QUIET; apply QUIET.
- - apply negbT in EX; rewrite negb_exists in EX; move: EX => /forallP ALL'.
- have ALL: forall t, t1 < t <= t1 + delta -> ~ quiet_time t.
- { move => t /andP [GTt LEt] QUIET; rewrite -ltnS in LEt.
- specialize (ALL' (Ordinal LEt)); rewrite negb_and /= GTt orFb in ALL'.
- move: ALL' => /negP ALL'; apply ALL'; clear ALL'.
- apply/allP; intros j_hp ARR; apply/implyP; intro HP.
- apply QUIET; eauto 2 using in_arrivals_implies_arrived, ARR, in_arrivals_implies_arrived_before.
- } clear ALL'; exfalso.
- have TOOMUCH := busy_interval_workload_larger_than_interval.
- have BOUNDED := H_workload_is_bounded.
- by move: (leq_trans (TOOMUCH ALL) BOUNDED); rewrite ltnn.
- Qed.
-
- End UpperBound.
-
- End BoundingBusyInterval.
-
- (** In this section, we show that from a workload bound we can
- infer the existence of a busy interval. *)
- Section BusyIntervalFromWorkloadBound.
-
- (** Let priority_inversion_bound be a constant that bounds the length of a priority inversion. *)
- Variable priority_inversion_bound: duration.
- Hypothesis H_priority_inversion_is_bounded:
- is_priority_inversion_bounded_by priority_inversion_bound.
-
- (** Assume that for some positive delta, the sum of requested workload at
- time [t1 + delta] and priority inversion is bounded by delta (i.e., the supply). *)
- Variable delta: duration.
- Hypothesis H_delta_positive: delta > 0.
- Hypothesis H_workload_is_bounded:
- forall t, priority_inversion_bound + hp_workload t (t + delta) <= delta.
-
- (** Next, we assume that job [j] has positive cost, from which we
- can infer that there is a time in which [j] is pending. *)
- Hypothesis H_positive_cost: job_cost j > 0.
-
- (** Therefore there must exists a busy interval <<[t1, t2)>> that
- contains the arrival time of [j]. *)
- Corollary exists_busy_interval:
- exists t1 t2,
- t1 <= job_arrival j < t2 /\
- t2 <= t1 + delta /\
- busy_interval t1 t2.
- Proof.
- have PREFIX := exists_busy_interval_prefix.
- move: (H_workload_is_bounded) => WORK.
- feed (PREFIX (job_arrival j)).
- { apply/andP; split; first by apply leqnn.
- rewrite /completed_by /service.
- rewrite ignore_service_before_arrival // /service_during.
- rewrite big_geq; last by apply leqnn.
- by rewrite -ltnNge.
- }
- move: PREFIX => [t1 [PREFIX /andP [GE1 GEarr]]].
- have BOUNDED := busy_interval_is_bounded
- (job_arrival j) _ t1 PREFIX priority_inversion_bound _ delta
- H_delta_positive.
- feed_n 3 BOUNDED; try done.
- { by apply job_pending_at_arrival. }
- move: BOUNDED => [t2 [GE2 BUSY]].
- exists t1, t2; split.
- { apply/andP; split; first by done.
- apply contraT; rewrite -leqNgt; intro BUG.
- move: BUSY PREFIX => [[LE12 _] QUIET] [_ [_ [NOTQUIET _]]].
- feed (NOTQUIET t2); first by apply/andP; split.
- by exfalso; apply NOTQUIET.
- }
- by split.
- Qed.
-
- End BusyIntervalFromWorkloadBound.
-
- (** If we know that the workload is bounded, we can also use the
- busy interval to infer a response-time bound. *)
- Section ResponseTimeBoundFromBusyInterval.
-
- (** Let priority_inversion_bound be a constant that bounds the length of a priority inversion. *)
- Variable priority_inversion_bound: duration.
- Hypothesis H_priority_inversion_is_bounded:
- is_priority_inversion_bounded_by priority_inversion_bound.
-
- (** Assume that for some positive delta, the sum of requested workload at
- time [t1 + delta] and priority inversion is bounded by delta (i.e., the supply). *)
- Variable delta: duration.
- Hypothesis H_delta_positive: delta > 0.
- Hypothesis H_workload_is_bounded:
- forall t, priority_inversion_bound + hp_workload t (t + delta) <= delta.
-
- (** Then, job [j] must complete by [job_arrival j + delta]. *)
- Lemma busy_interval_bounds_response_time:
- job_completed_by j (job_arrival j + delta).
- Proof.
- have BUSY := exists_busy_interval priority_inversion_bound _ delta.
- move: (posnP (@job_cost _ Cost j)) => [ZERO|POS].
- { by rewrite /job_completed_by /completed_by ZERO. }
- feed_n 4 BUSY; try by done.
- move: BUSY => [t1 [t2 [/andP [GE1 LT2] [GE2 BUSY]]]].
- apply completion_monotonic with (t := t2); try (by done);
- first by apply leq_trans with (n := t1 + delta); [| by rewrite leq_add2r].
- apply job_completes_within_busy_interval with (t1 := t1); try by done.
- Qed.
-
- End ResponseTimeBoundFromBusyInterval.
-
- End BoundingBusyInterval.
-
-End ExistsBusyIntervalJLFP.
diff --git a/analysis/facts/busy_interval/carry_in.v b/analysis/facts/busy_interval/carry_in.v
deleted file mode 100644
index ed26824115b484defbec5877a489639f7d95631b..0000000000000000000000000000000000000000
--- a/analysis/facts/busy_interval/carry_in.v
+++ /dev/null
@@ -1,326 +0,0 @@
-Require Export prosa.analysis.facts.model.workload.
-Require Export prosa.analysis.definitions.carry_in.
-Require Export prosa.analysis.facts.busy_interval.busy_interval.
-
-(** Throughout this file, we assume ideal uniprocessor schedules. *)
-Require Import prosa.model.processor.ideal.
-Require Export prosa.analysis.facts.model.ideal.service_of_jobs.
-
-(** * Existence of No Carry-In Instant *)
-
-(** In this section, we derive an alternative condition for the
- existence of a busy interval. The new condition requires the total
- workload (instead of the high-priority workload) generated by the
- task set to be bounded. *)
-
-(** Next, we derive a sufficient condition for existence of
- no carry-in instant for uniprocessor for JLFP schedulers *)
-Section ExistsNoCarryIn.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context {Arrival: JobArrival Job}.
- Context {Cost : JobCost Job}.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Next, consider any ideal uniprocessor schedule of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Assume a given JLFP policy. *)
- Context `{JLFP_policy Job}.
-
- (** For simplicity, let's define some local names. *)
- Let job_pending_at := pending sched.
- Let job_completed_by := completed_by sched.
- Let arrivals_between := arrivals_between arr_seq.
- Let no_carry_in := no_carry_in arr_seq sched.
- Let quiet_time := quiet_time arr_seq sched.
-
- (** Further, allow for any work-bearing notion of job readiness. *)
- Context `{@JobReady Job (ideal.processor_state Job) Cost Arrival}.
- Hypothesis H_job_ready : work_bearing_readiness arr_seq sched.
-
- (** Assume that the schedule is work-conserving, ... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and there are no duplicate job arrivals. *)
- Hypothesis H_arrival_sequence_is_a_set:
- arrival_sequence_uniq arr_seq.
-
- (** The fact that there is no carry-in at time instant [t] trivially
- implies that [t] is a quiet time. *)
- Lemma no_carry_in_implies_quiet_time :
- forall j t,
- no_carry_in t ->
- quiet_time j t.
- Proof.
- by intros j t FQT j_hp ARR HP BEF; apply FQT.
- Qed.
-
-
- (** We show that an idle time implies no carry in at this time instant. *)
- Lemma idle_instant_implies_no_carry_in_at_t :
- forall t,
- is_idle sched t ->
- no_carry_in t.
- Proof.
- intros ? IDLE j ARR HA.
- apply/negPn/negP; intros NCOMP.
- have PEND : job_pending_at j t.
- { apply/andP; split.
- - by rewrite /has_arrived ltnW.
- - by move: NCOMP; apply contra, completion_monotonic.
- }
- apply H_job_ready in PEND => //; destruct PEND as [jhp [ARRhp [READYhp _]]].
- move: IDLE => /eqP IDLE.
- move: (H_work_conserving _ t ARRhp) => NIDLE.
- feed NIDLE.
- { apply/andP; split; first by done.
- by rewrite scheduled_at_def IDLE.
- }
- move: NIDLE => [j' SCHED].
- by rewrite scheduled_at_def IDLE in SCHED.
- Qed.
-
- (** Moreover, an idle time implies no carry in at the next time instant. *)
- Lemma idle_instant_implies_no_carry_in_at_t_pl_1 :
- forall t,
- is_idle sched t ->
- no_carry_in t.+1.
- Proof.
- intros ? IDLE j ARR HA.
- apply/negPn/negP; intros NCOMP.
- have PEND : job_pending_at j t.
- { apply/andP; split.
- - by rewrite /has_arrived.
- - by move: NCOMP; apply contra, completion_monotonic.
- }
- apply H_job_ready in PEND => //; destruct PEND as [jhp [ARRhp [READYhp _]]].
- move: IDLE => /eqP IDLE.
- move: (H_work_conserving _ t ARRhp) => NIDLE.
- feed NIDLE.
- { apply/andP; split; first by done.
- by rewrite scheduled_at_def IDLE.
- }
- move: NIDLE => [j' SCHED].
- by rewrite scheduled_at_def IDLE in SCHED.
- Qed.
-
- (** Let the priority relation be reflexive. *)
- Hypothesis H_priority_is_reflexive: reflexive_priorities.
-
- (** Recall the notion of workload of all jobs released in a given interval <<[t1, t2)>>... *)
- Let total_workload t1 t2 :=
- workload_of_jobs predT (arrivals_between t1 t2).
-
- (** ... and total service of jobs within some time interval <<[t1, t2)>>. *)
- Let total_service t1 t2 :=
- service_of_jobs sched predT (arrivals_between 0 t2) t1 t2.
-
- (** Assume that for some positive [Δ], the sum of requested workload
- at time [t + Δ] is bounded by [Δ] (i.e., the supply). Note that
- this assumption bounds the total workload of jobs released in a
- time interval <<[t, t + Δ)>> regardless of their priorities. *)
- Variable Δ : duration.
- Hypothesis H_delta_positive : Δ > 0.
- Hypothesis H_workload_is_bounded : forall t, total_workload t (t + Δ) <= Δ.
-
- (** Next we prove that, since for any time instant [t] there is a
- point where the total workload is upper-bounded by the supply,
- the processor encounters no-carry-in instants at least every [Δ]
- time units. *)
- Section ProcessorIsNotTooBusy.
-
- (** We start by proving that the processor has no carry-in at the
- beginning (i.e., has no carry-in at time instant [0]). *)
- Lemma no_carry_in_at_the_beginning :
- no_carry_in 0.
- Proof.
- intros s ARR AB; exfalso.
- by rewrite /arrived_before ltn0 in AB.
- Qed.
-
- (** In this section, we prove that for any time instant [t] there
- exists another time instant <<t' ∈ (t, t + Δ]>> such that the
- processor has no carry-in at time [t']. *)
- Section ProcessorIsNotTooBusyInduction.
-
- (** Consider an arbitrary time instant [t]... *)
- Variable t : duration.
-
- (** ...such that the processor has no carry-in at time [t]. *)
- Hypothesis H_no_carry_in : no_carry_in t.
-
- (** First, recall that the total service is bounded by the total workload. Therefore
- the total service of jobs in the interval <<[t, t + Δ)>> is bounded by [Δ]. *)
- Lemma total_service_is_bounded_by_Δ :
- total_service t (t + Δ) <= Δ.
- Proof.
- unfold total_service.
- rewrite -{3}[Δ]addn0 -{2}(subnn t) addnBA // [in X in _ <= X]addnC.
- apply service_of_jobs_le_length_of_interval'; rt_auto.
- by eapply arrivals_uniq; eauto 2.
- Qed.
-
- (** Next we consider two cases:
- (1) The case when the total service is strictly less than [Δ], and
- (2) the case when the total service is equal to [Δ]. *)
-
- (** In the first case, we use the pigeonhole principle to
- conclude that there is an idle time instant; which in turn
- implies existence of a time instant with no carry-in. *)
- Lemma low_total_service_implies_existence_of_time_with_no_carry_in :
- total_service t (t + Δ) < Δ ->
- exists δ, δ < Δ /\ no_carry_in (t.+1 + δ).
- Proof.
- unfold total_service; intros LT.
- rewrite -{3}[Δ]addn0 -{2}(subnn t) addnBA // [Δ + t]addnC in LT.
- eapply low_service_implies_existence_of_idle_time in LT; eauto.
- move: LT => [t_idle [/andP [LEt GTe] IDLE]].
- move: LEt; rewrite leq_eqVlt; move => /orP [/eqP EQ|LT].
- { exists 0; split; first done.
- rewrite addn0; subst t_idle.
- intros s ARR BEF.
- apply idle_instant_implies_no_carry_in_at_t_pl_1 in IDLE; try done.
- by apply IDLE.
- }
- have EX: exists γ, t_idle = t + γ.
- { by exists (t_idle - t); rewrite subnKC // ltnW. }
- move: EX => [γ EQ]; subst t_idle; rewrite ltn_add2l in GTe.
- rewrite -{1}[t]addn0 ltn_add2l in LT.
- exists (γ.-1); split.
- - apply leq_trans with γ. by rewrite prednK. by rewrite ltnW.
- - rewrite -subn1 -addn1 -addnA subnKC //.
- intros s ARR BEF.
- by apply idle_instant_implies_no_carry_in_at_t.
- Qed.
-
- (** In the second case, the total service within the time
- interval <<[t, t + Δ)>> is equal to [Δ]. On the other hand,
- we know that the total workload is lower-bounded by the
- total service and upper-bounded by [Δ]. Therefore, the total
- workload is equal to the total service, which implies
- completion of all jobs by time [t + Δ] and hence no carry-in
- at time [t + Δ]. *)
- Lemma completion_of_all_jobs_implies_no_carry_in :
- total_service t (t + Δ) = Δ ->
- no_carry_in (t + Δ).
- Proof.
- unfold total_service; intros EQserv.
- move: (H_workload_is_bounded t); move => WORK.
- have EQ: total_workload 0 (t + Δ) = service_of_jobs sched predT (arrivals_between 0 (t + Δ)) 0 (t + Δ).
- { intros.
- have COMPL := all_jobs_have_completed_impl_workload_eq_service
- _ arr_seq H_arrival_times_are_consistent sched
- H_jobs_must_arrive_to_execute
- H_completed_jobs_dont_execute
- predT 0 t t.
- feed_n 2 COMPL; rt_auto.
- { intros j A B; apply H_no_carry_in.
- - eapply in_arrivals_implies_arrived; eauto 2.
- - eapply in_arrivals_implies_arrived_between in A; eauto 2.
- }
- apply/eqP; rewrite eqn_leq; apply/andP; split;
- last by apply service_of_jobs_le_workload;
- auto using ideal_proc_model_provides_unit_service.
- rewrite /total_workload (workload_of_jobs_cat arr_seq t); last first.
- apply/andP; split; [by done | by rewrite leq_addr].
- rewrite (service_of_jobs_cat_scheduling_interval _ _ _ _ _ _ _ t); try done; first last.
- { by apply/andP; split; [by done | by rewrite leq_addr]. }
- rewrite COMPL -addnA leq_add2l.
- rewrite -service_of_jobs_cat_arrival_interval; last first.
- apply/andP; split; [by done| by rewrite leq_addr].
- rewrite EQserv.
- by apply H_workload_is_bounded.
- }
- intros s ARR BEF.
- by eapply workload_eq_service_impl_all_jobs_have_completed; rt_eauto.
- Qed.
-
- End ProcessorIsNotTooBusyInduction.
-
- (** Finally, we show that any interval of length [Δ] contains a time instant with no carry-in. *)
- Lemma processor_is_not_too_busy :
- forall t, exists δ, δ < Δ /\ no_carry_in (t + δ).
- Proof.
- induction t.
- { by exists 0; split; [ | rewrite addn0; apply no_carry_in_at_the_beginning]. }
- { move: IHt => [δ [LE FQT]].
- move: (posnP δ) => [Z|POS]; last first.
- { exists (δ.-1); split.
- - by apply leq_trans with δ; [rewrite prednK | apply ltnW].
- - by rewrite -subn1 -addn1 -addnA subnKC //.
- } subst δ; rewrite addn0 in FQT; clear LE.
- move: (total_service_is_bounded_by_Δ t); rewrite leq_eqVlt; move => /orP [/eqP EQ | LT].
- - exists (Δ.-1); split.
- + by rewrite prednK.
- + by rewrite addSn -subn1 -addn1 -addnA subnK; first apply completion_of_all_jobs_implies_no_carry_in.
- - by apply low_total_service_implies_existence_of_time_with_no_carry_in.
- }
- Qed.
-
- End ProcessorIsNotTooBusy.
-
- (** Consider an arbitrary job [j] with positive cost. *)
- Variable j : Job.
- Hypothesis H_from_arrival_sequence : arrives_in arr_seq j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** We show that there must exist a busy interval <<[t1, t2)>> that
- contains the arrival time of [j]. *)
- Corollary exists_busy_interval_from_total_workload_bound :
- exists t1 t2,
- t1 <= job_arrival j < t2 /\
- t2 <= t1 + Δ /\
- busy_interval arr_seq sched j t1 t2.
- Proof.
- rename H_from_arrival_sequence into ARR, H_job_cost_positive into POS.
- edestruct (exists_busy_interval_prefix
- arr_seq H_arrival_times_are_consistent
- sched j ARR H_priority_is_reflexive (job_arrival j))
- as [t1 [PREFIX GE]]; first by apply job_pending_at_arrival; auto.
- move: GE => /andP [GE1 _].
- exists t1; move: (processor_is_not_too_busy t1.+1) => [δ [LE QT]].
- apply no_carry_in_implies_quiet_time with (j := j) in QT.
- have EX: exists t2, ((t1 < t2 <= t1.+1 + δ) && quiet_time_dec arr_seq sched j t2).
- { exists (t1.+1 + δ); apply/andP; split.
- - by apply/andP; split; first rewrite addSn ltnS leq_addr.
- - by apply/quiet_time_P. }
- move: (ex_minnP EX) => [t2 /andP [/andP [GTt2 LEt2] QUIET] MIN]; clear EX.
- have NEQ: t1 <= job_arrival j < t2.
- { apply/andP; split; first by done.
- rewrite ltnNge; apply/negP; intros CONTR.
- move: (PREFIX) => [_ [_ [NQT _]]].
- move: (NQT t2); clear NQT; move => NQT.
- feed NQT; first by (apply/andP; split; [|rewrite ltnS]).
- by apply: NQT; apply/quiet_time_P.
- }
- exists t2; split; last split; first by done.
- { apply leq_trans with (t1.+1 + δ); [by done | by rewrite addSn ltn_add2l]. }
- { move: PREFIX => [_ [QTt1 [NQT _]]]; repeat split; try done.
- - move => t /andP [GEt LTt] QTt.
- feed (MIN t).
- { apply/andP; split.
- + by apply/andP; split; last (apply leq_trans with t2; [apply ltnW | ]).
- + by apply/quiet_time_P.
- }
- by move: LTt; rewrite ltnNge; move => /negP LTt; apply: LTt.
- - by apply/quiet_time_P.
- }
- Qed.
-
-End ExistsNoCarryIn.
diff --git a/analysis/facts/busy_interval/ideal/hep_job_scheduled.v b/analysis/facts/busy_interval/ideal/hep_job_scheduled.v
deleted file mode 100644
index 3fdf28321614b2b24c6edbc76fb404c8969b2e86..0000000000000000000000000000000000000000
--- a/analysis/facts/busy_interval/ideal/hep_job_scheduled.v
+++ /dev/null
@@ -1,228 +0,0 @@
-Require Export prosa.model.schedule.priority_driven.
-Require Export prosa.analysis.facts.busy_interval.busy_interval.
-
-(** Throughout this file, we assume ideal uni-processor schedules. *)
-Require Import prosa.model.processor.ideal.
-
-(** * Processor Executes HEP jobs at Preemption Point *)
-
-(** In this file, we show that, given a busy interval of a job [j],
- the processor is always busy scheduling a higher-or-equal-priority
- job at any preemptive point inside the busy interval. *)
-Section ProcessorBusyWithHEPJobAtPreemptionPoints.
-
- (** Consider any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{Arrival : JobArrival Job}.
- Context `{Cost : JobCost Job}.
-
- (** Consider any arrival sequence with consistent arrivals ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** ... and any ideal uniprocessor schedule of this arrival sequence. *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** Consider a JLFP policy that indicates a higher-or-equal priority relation,
- and assume that the relation is reflexive and transitive. *)
- Context {JLFP : JLFP_policy Job}.
- Hypothesis H_priority_is_reflexive: reflexive_priorities.
- Hypothesis H_priority_is_transitive: transitive_priorities.
-
- (** In addition, we assume the existence of a function mapping a job
- and its progress to a boolean value saying whether this job is
- preemptable at its current point of execution. *)
- Context `{JobPreemptable Job}.
-
- (** Further, allow for any work-bearing notion of job readiness. *)
- Context `{@JobReady Job (ideal.processor_state Job) Cost Arrival}.
- Hypothesis H_job_ready : work_bearing_readiness arr_seq sched.
-
- (** We assume that the schedule is valid and that all jobs come from the arrival sequence. *)
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
- Hypothesis H_jobs_come_from_arrival_sequence: jobs_come_from_arrival_sequence sched arr_seq.
-
- (** Next, we assume that the schedule is a work-conserving schedule... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy at every preemption point. *)
- Hypothesis H_respects_policy :
- respects_JLFP_policy_at_preemption_point arr_seq sched JLFP.
-
- (** Consider any job [j] with positive job cost. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** Consider any busy interval prefix <<[t1, t2)>> of job [j]. *)
- Variable t1 t2 : instant.
- Hypothesis H_busy_interval_prefix :
- busy_interval_prefix arr_seq sched j t1 t2.
-
- (** Consider an arbitrary preemption time t ∈ <<[t1,t2)>>. *)
- Variable t : instant.
- Hypothesis H_t_in_busy_interval : t1 <= t < t2.
- Hypothesis H_t_preemption_time : preemption_time sched t.
-
- (** First note since [t] lies inside the busy interval,
- the processor cannot be idle at time [t]. *)
- Lemma instant_t_is_not_idle:
- ~ is_idle sched t.
- Proof.
- by move => IDLE; exfalso; apply: not_quiet_implies_not_idle; rt_eauto.
- Qed.
-
- (** Next we consider two cases:
- (1) [t] is less than [t2 - 1] and
- (2) [t] is equal to [t2 - 1]. *)
-
- (** In case when [t < t2 - 1], we use the fact that time instant
- [t+1] is not a quiet time. The later implies that there is a
- pending higher-or-equal priority job at time [t]. Thus, the
- assumption that the schedule respects priority policy at
- preemption points implies that the scheduled job must have a
- higher-or-equal priority. *)
- Lemma scheduled_at_preemption_time_implies_higher_or_equal_priority_lt:
- t < t2.-1 ->
- forall jhp,
- scheduled_at sched jhp t ->
- hep_job jhp j.
- Proof.
- intros LTt2m1 jlp Sched_jlp; apply contraT; move => /negP NOTHP; exfalso.
- move: (H_t_in_busy_interval) (H_busy_interval_prefix) => /andP [GEt LEt] [SL [QUIET [NOTQUIET INBI]]].
- apply NOTQUIET with (t := t.+1).
- { apply/andP; split.
- - by apply leq_ltn_trans with t1.
- - rewrite -subn1 ltn_subRL addnC in LTt2m1.
- by rewrite -[t.+1]addn1.
- }
- intros j_hp ARR HP BEF.
- apply contraT => NCOMP'; exfalso.
- have PEND : pending sched j_hp t.
- { apply/andP; split.
- - by rewrite /has_arrived.
- - by move: NCOMP'; apply contra, completion_monotonic.
- }
- apply H_job_ready in PEND => //; destruct PEND as [j' [ARR' [READY' HEP']]].
- have HEP : hep_job j' j by apply (H_priority_is_transitive t j_hp).
- clear HEP' NCOMP' BEF HP ARR j_hp.
- have BACK: backlogged sched j' t.
- { apply/andP; split; first by done.
- apply/negP; intro SCHED'.
- move: (ideal_proc_model_is_a_uniprocessor_model jlp j' sched t Sched_jlp SCHED') => EQ.
- by subst; apply: NOTHP.
- }
- apply NOTHP, (H_priority_is_transitive t j'); last by eapply HEP.
- by eapply H_respects_policy; eauto .
- Qed.
-
- (** In the case when [t = t2 - 1], we cannot use the same proof
- since [t+1 = t2], but [t2] is a quiet time. So we do a similar
- case analysis on the fact that [t1 = t ∨ t1 < t]. *)
- Lemma scheduled_at_preemption_time_implies_higher_or_equal_priority_eq:
- t = t2.-1 ->
- forall jhp,
- scheduled_at sched jhp t ->
- hep_job jhp j.
- Proof.
- intros EQUALt2m1 jlp Sched_jlp; apply contraT; move => /negP NOTHP; exfalso.
- move: (H_t_in_busy_interval) (H_busy_interval_prefix) => /andP [GEt LEt] [SL [QUIET [NOTQUIET INBI]]].
- rewrite leq_eqVlt in GEt; first move: GEt => /orP [/eqP EQUALt1 | LARGERt1].
- { subst t t1; clear LEt SL.
- have ARR : job_arrival j = t2.-1.
- { apply/eqP; rewrite eq_sym eqn_leq.
- destruct t2; first by done.
- rewrite ltnS -pred_Sn in INBI.
- now rewrite -pred_Sn.
- }
- have PEND: pending sched j t2.-1
- by rewrite -ARR; apply job_pending_at_arrival => //; rt_eauto.
- apply H_job_ready in PEND => //; destruct PEND as [jhp [ARRhp [PENDhp HEPhp]]].
- eapply NOTHP, (H_priority_is_transitive 0); last by apply HEPhp.
- apply (H_respects_policy _ _ t2.-1); auto.
- apply/andP; split; first by done.
- apply/negP; intros SCHED.
- move: (ideal_proc_model_is_a_uniprocessor_model _ _ sched _ SCHED Sched_jlp) => EQ.
- by subst; apply: NOTHP.
- }
- { feed (NOTQUIET t); first by apply/andP; split.
- apply NOTQUIET; intros j_hp' IN HP ARR.
- apply contraT => NOTCOMP'; exfalso.
- have PEND : pending sched j_hp' t.
- { apply/andP; split.
- - by rewrite /has_arrived ltnW.
- - by move: NOTCOMP'; apply contra, completion_monotonic.
- }
- apply H_job_ready in PEND => //; destruct PEND as [j' [ARR' [READY' HEP']]].
- have HEP : hep_job j' j by apply (H_priority_is_transitive t j_hp').
- clear ARR HP IN HEP' NOTCOMP' j_hp'.
- have BACK: backlogged sched j' t.
- { apply/andP; split; first by done.
- apply/negP; intro SCHED'.
- move: (ideal_proc_model_is_a_uniprocessor_model jlp j' sched t Sched_jlp SCHED') => EQ.
- by subst; apply: NOTHP.
- }
- apply NOTHP, (H_priority_is_transitive t j'); last by eapply HEP.
- by eapply H_respects_policy; eauto .
- }
- Qed.
-
- (** By combining the above facts we conclude that a job that is
- scheduled at time [t] has higher-or-equal priority. *)
- Corollary scheduled_at_preemption_time_implies_higher_or_equal_priority:
- forall jhp,
- scheduled_at sched jhp t ->
- hep_job jhp j.
- Proof.
- move: (H_t_in_busy_interval) (H_busy_interval_prefix) => /andP [GEt LEt] [SL [QUIET [NOTQUIET INBI]]].
- have: t <= t2.-1 by rewrite -subn1 leq_subRL_impl // addn1.
- rewrite leq_eqVlt => /orP [/eqP EQUALt2m1 | LTt2m1].
- - by apply scheduled_at_preemption_time_implies_higher_or_equal_priority_eq.
- - by apply scheduled_at_preemption_time_implies_higher_or_equal_priority_lt.
- Qed.
-
- (** Since a job that is scheduled at time [t] has higher-or-equal
- priority, by properties of a busy interval it cannot arrive
- before time instant [t1]. *)
- Lemma scheduled_at_preemption_time_implies_arrived_between_within_busy_interval:
- forall jhp,
- scheduled_at sched jhp t ->
- arrived_between jhp t1 t2.
- Proof.
- intros jhp Sched_jhp.
- rename H_work_conserving into WORK, H_jobs_come_from_arrival_sequence into CONS.
- move: (H_busy_interval_prefix) => [SL [QUIET [NOTQUIET INBI]]].
- move: (H_t_in_busy_interval) => /andP [GEt LEt].
- have HP := scheduled_at_preemption_time_implies_higher_or_equal_priority _ Sched_jhp.
- move: (Sched_jhp) => PENDING.
- eapply scheduled_implies_pending in PENDING; rt_eauto.
- apply/andP; split; last by apply leq_ltn_trans with (n := t); first by move: PENDING => /andP [ARR _].
- apply contraT; rewrite -ltnNge; intro LT; exfalso.
- feed (QUIET jhp); first by eapply CONS, Sched_jhp.
- specialize (QUIET HP LT).
- have COMP: completed_by sched jhp t by apply: completion_monotonic QUIET.
- apply completed_implies_not_scheduled in COMP; rt_eauto.
- by move: COMP => /negP COMP; apply COMP.
- Qed.
-
- (** From the above lemmas we prove that there is a job [jhp] that is
- (1) scheduled at time [t], (2) has higher-or-equal priority, and
- (3) arrived between [t1] and [t2]. *)
- Corollary not_quiet_implies_exists_scheduled_hp_job_at_preemption_point:
- exists j_hp,
- arrived_between j_hp t1 t2
- /\ hep_job j_hp j
- /\ scheduled_at sched j_hp t.
- Proof.
- move: (H_busy_interval_prefix) => [SL [QUIET [NOTQUIET INBI]]].
- move: (H_t_in_busy_interval) => /andP [GEt LEt].
- ideal_proc_model_sched_case_analysis sched t jhp.
- { by exfalso; apply instant_t_is_not_idle. }
- exists jhp.
- repeat split.
- - by apply scheduled_at_preemption_time_implies_arrived_between_within_busy_interval.
- - by apply scheduled_at_preemption_time_implies_higher_or_equal_priority.
- - by done.
- Qed.
-
-End ProcessorBusyWithHEPJobAtPreemptionPoints.
diff --git a/analysis/facts/busy_interval/ideal/inequalities.v b/analysis/facts/busy_interval/ideal/inequalities.v
deleted file mode 100644
index d4150a799ef6462d742327e516e24bd723b304ad..0000000000000000000000000000000000000000
--- a/analysis/facts/busy_interval/ideal/inequalities.v
+++ /dev/null
@@ -1,143 +0,0 @@
-Require Export analysis.abstract.ideal_jlfp_rta.
-
-(** In this file, we prove some inequalities that always
- hold inside the busy interval of a job. Throughout this file we
- assume the ideal uniprocessor model. *)
-Section BusyIntervalInequalities.
-
- (** Consider any kind of tasks and their jobs, each characterized by
- an arrival time, a cost, and an arbitrary notion of readiness. *)
- Context {Task : TaskType} {Job : JobType} `{JobTask Job Task}.
- Context `{JobArrival Job} `{JobCost Job} {JR :JobReady Job (ideal.processor_state Job)}.
-
- (** Consider a JLFP policy that is reflexive and respects sequential tasks. *)
- Context `{JLFP_policy Job}.
- Hypothesis H_policy_is_reflexive : reflexive_priorities.
- Hypothesis H_policy_respecsts_sequential_tasks : policy_respects_sequential_tasks.
-
- (** Consider a consistent arrival sequence that does not contain duplicates. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Consider any valid ideal uniprocessor schedule defined over this arrival sequence. *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_valid_schedule : valid_schedule sched arr_seq.
-
- (** Consider a set of tasks [ts] that contains all the jobs in the
- arrival sequence. *)
- Variable ts : list Task.
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** Consider a task [tsk]. *)
- Variable tsk : Task.
-
- (** Consider a job [j] of the task [tsk] that has a positive job cost. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
- Hypothesis H_job_cost_positive: job_cost_positive j.
-
- (** Consider the ideal JLFP definitions of interference and
- interfering workload. *)
- Let interference (j : Job) (t : instant) :=
- ideal_jlfp_rta.interference arr_seq sched j t.
-
- Let interfering_workload (j : Job) (t : instant) :=
- ideal_jlfp_rta.interfering_workload arr_seq sched j t.
-
- (** Consider the busy interval for j is given by <<[t1,t2)>>. *)
- Variable t1 t2 : duration.
- Hypothesis H_busy_interval :
- definitions.busy_interval sched interference interfering_workload j t1 t2.
-
- (** Let us denote the relative arrival time by [A]. *)
- Let A := job_arrival j - t1.
-
- (** Consider any arbitrary time [Δ] inside the busy interval. *)
- Variable Δ: duration.
- Hypothesis H_Δ_in_busy : t1 + Δ < t2.
-
- (** First, we prove that if the priority inversion is bounded then,
- the cumulative priority inversion is also bounded. *)
- Section PIBound.
-
- (** Consider the priority inversion in any given interval
- is bounded by a constant. *)
- Variable priority_inversion_bound: duration -> duration.
- Hypothesis H_priority_inversion_is_bounded:
- priority_inversion_is_bounded_by
- arr_seq sched tsk priority_inversion_bound.
-
- (** Then, the cumulative priority inversion in any interval
- is also bounded. *)
- Lemma cumulative_priority_inversion_is_bounded:
- cumulative_priority_inversion arr_seq sched j t1 (t1 + Δ) <=
- priority_inversion_bound (job_arrival j - t1).
- Proof.
- apply leq_trans with (cumulative_priority_inversion arr_seq sched j t1 t2).
- - rewrite [X in _ <= X](@big_cat_nat _ _ _ (t1 + Δ)) //=; try by lia.
- by rewrite /priority_inversion leq_addr.
- - apply H_priority_inversion_is_bounded; try done.
- eapply instantiated_busy_interval_equivalent_busy_interval in H_busy_interval; rt_eauto.
- by move: H_busy_interval => [PREF _].
- Qed.
-
- End PIBound.
-
- (** Let [jobs] denote the arrivals in the interval [Δ]. *)
- Let jobs := arrivals_between arr_seq t1 (t1 + Δ).
-
- (** Next, we prove that the cumulative interference from higher priority
- jobs of other tasks in an interval is bounded by the total service
- received by the higher priority jobs of those tasks. *)
- Lemma cumulative_interference_is_bounded_by_total_service:
- cumulative_interference_from_hep_jobs_from_other_tasks sched j t1 (t1 + Δ)
- <= service_of_jobs sched (fun jo => another_task_hep_job jo j) jobs t1 (t1 + Δ).
- Proof.
- move: (H_busy_interval) => [[/andP [JINBI JINBI2] [QT _]] _].
- erewrite cumulative_i_thep_eq_service_of_othep;
- rt_eauto.
- - move: (H_job_of_tsk) => /eqP TSK.
- by rewrite /another_task_hep_job /jobs /service_of_jobs.
- - by rewrite instantiated_quiet_time_equivalent_quiet_time; rt_eauto.
- Qed.
-
- Section WorkloadRBF.
-
- (** Consider a valid arrival curve that is followed by the task set [ts]. *)
- Context `{TaskCost Task} `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Suppose all arrivals have WCET-compliant job costs. *)
- Hypothesis H_valid_job_cost : arrivals_have_valid_job_costs arr_seq.
-
- (** Consider a task [tsk_o] that is not equal to [tsk]. *)
- Variable tsk_o : Task.
- Hypothesis H_tsko_in_ts: tsk_o \in ts.
- Hypothesis H_neq: tsk_o != tsk.
-
- (** We prove that the workload of higher priority jobs of a task [tsk] in
- any interval is bound by the request bound function of the task in that interval. *)
- Lemma workload_le_rbf:
- workload_of_jobs (fun jo => hep_job jo j && (job_task jo == tsk_o)) jobs <=
- task_request_bound_function tsk_o Δ.
- Proof.
- apply leq_trans with (task_cost tsk_o * number_of_task_arrivals arr_seq tsk_o t1 (t1 + Δ)).
- { apply leq_trans with (\sum_(j0 <- arrivals_between arr_seq t1 (t1 + Δ) | job_task j0 == tsk_o)
- job_cost j0).
- { rewrite /workload_of_jobs big_mkcond [X in _ <= X]big_mkcond //= leq_sum // => s _.
- by case (job_task s == tsk); case (hep_job s j).
- }
- { rewrite /number_of_task_arrivals /task.arrivals.number_of_task_arrivals
- -sum1_size big_distrr /= big_filter muln1.
- apply leq_sum_seq; move => jo IN0 /eqP EQ.
- by rewrite -EQ; apply H_valid_job_cost; apply in_arrivals_implies_arrived in IN0. } }
- { rewrite leq_mul2l; apply/orP; right.
- rewrite -{2}[Δ](addKn t1).
- apply H_is_arrival_curve; auto using leq_addr. }
- Qed.
-
- End WorkloadRBF.
-
-End BusyIntervalInequalities.
diff --git a/analysis/facts/busy_interval/ideal/priority_inversion.v b/analysis/facts/busy_interval/ideal/priority_inversion.v
deleted file mode 100644
index b61bb11bd1d16a6dc07cbc7180d4333090dcd14a..0000000000000000000000000000000000000000
--- a/analysis/facts/busy_interval/ideal/priority_inversion.v
+++ /dev/null
@@ -1,126 +0,0 @@
-Require Export prosa.analysis.definitions.priority_inversion.
-Require Export prosa.analysis.facts.busy_interval.priority_inversion.
-
-(** Throughout this file, we assume ideal uni-processor schedules. *)
-Require Import prosa.model.processor.ideal.
-Require Export prosa.analysis.facts.model.ideal.schedule.
-
-(** * Lemmas about Priority Inversion for ideal uni-processors *)
-(** In this section, we prove a few useful properties about the notion
- of priority inversion for ideal uni-processors. *)
-Section PIIdealProcessorModelLemmas.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Next, consider any ideal uni-processor schedule of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Consider a JLFP-policy that indicates a higher-or-equal priority relation,
- and assume that this relation is reflexive. *)
- Context `{JLFP_policy Job}.
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
-
- (** Let [tsk] be any task to be analyzed. *)
- Variable tsk : Task.
-
- (** Consider a job [j] of task [tsk]. In this subsection, job [j] is
- deemed to be the main job with respect to which the priority
- inversion is computed. *)
- Variable j : Job.
- Hypothesis H_j_tsk : job_of_task tsk j.
-
- (** Consider a time instant [t]. *)
- Variable t : instant.
-
- (** We prove that if the processor is idle at time [t], then there
- is no priority inversion. *)
- Lemma idle_implies_no_priority_inversion :
- is_idle sched t ->
- priority_inversion_dec arr_seq sched j t = false.
- Proof.
- unfold priority_inversion_dec; intros IDLE.
- apply/eqP; rewrite eqbF_neg negb_and Bool.negb_involutive; apply/orP; right.
- apply/hasPn; intros s IN.
- rewrite negb_and Bool.negb_involutive; apply/orP; left.
- by move: IDLE => /eqP; rewrite scheduled_at_def => ->.
- Qed.
-
- (** Next, consider an additional job [j'] and assume it is scheduled
- at time [t]. *)
- Variable j' : Job.
- Hypothesis H_j'_sched : scheduled_at sched j' t.
-
- (** Then, we prove that from point of view of job [j], priority
- inversion appears iff [s] has lower priority than job [j]. *)
- Lemma priority_inversion_equiv_sched_lower_priority :
- priority_inversion_dec arr_seq sched j t = ~~ hep_job j' j.
- Proof.
- rewrite /priority_inversion_dec.
- destruct (scheduled_at _ j _) eqn:SCHED2; rewrite //=.
- { have EQ: j = j' by eapply ideal_proc_model_is_a_uniprocessor_model; eauto.
- subst j'; symmetry; apply/eqP; rewrite eqbF_neg Bool.negb_involutive.
- by apply (H_priority_is_reflexive 0).
- }
- { destruct (hep_job) eqn:HEP; rewrite //=.
- - apply/eqP; rewrite eqbF_neg; apply/hasPn; intros l IN.
- destruct (scheduled_at _ l _) eqn:SCHED3; rewrite //=.
- have EQ: l = j' by eapply ideal_proc_model_is_a_uniprocessor_model; eauto.
- by subst j'; rewrite HEP.
- - apply/hasP; exists j'. rt_eauto.
- by rewrite H_j'_sched HEP.
- }
- Qed.
-
- (** Assume that [j'] has higher-or-equal priority than job [j], then
- we prove that there is no priority inversion for job [j]. *)
- Lemma sched_hep_implies_no_priority_inversion :
- hep_job j' j ->
- priority_inversion_dec arr_seq sched j t = false.
- Proof.
- intros HEP.
- apply/negP; intros CONTR; move: CONTR => /andP [NSCHED /hasP [j'' _ /andP [SCHED PRIO]]].
- have HF := ideal_proc_model_is_a_uniprocessor_model _ _ _ _ H_j'_sched SCHED; subst j'.
- by rewrite HEP in PRIO.
- Qed.
-
- (** Assume that [j'] has lower priority than job [j], then
- we prove that [j] incurs priority inversion. *)
- Lemma sched_lp_implies_priority_inversion :
- ~~ hep_job j' j ->
- priority_inversion_dec arr_seq sched j t.
- Proof.
- intros LP.
- apply/andP; split.
- - apply/negP; intros SCHED.
- have HF := ideal_proc_model_is_a_uniprocessor_model _ _ _ _ H_j'_sched SCHED; subst j'.
- move: (LP) => /negP HH; apply: HH.
- specialize (H_priority_is_reflexive 0).
- unfold hep_job_at, JLFP_to_JLDP in *.
- by erewrite H_priority_is_reflexive; eauto 2.
- - apply/hasP.
- exists j'.
- + apply arrived_between_implies_in_arrivals; eauto 2.
- apply/andP; split; try done.
- by rewrite ltnS; apply H_jobs_must_arrive_to_execute.
- + by apply/andP; split.
- Qed.
-
-End PIIdealProcessorModelLemmas.
diff --git a/analysis/facts/busy_interval/ideal/priority_inversion_bounded.v b/analysis/facts/busy_interval/ideal/priority_inversion_bounded.v
deleted file mode 100644
index 8d0a23606a60e1a2c5f895fe48b3e346851f9be5..0000000000000000000000000000000000000000
--- a/analysis/facts/busy_interval/ideal/priority_inversion_bounded.v
+++ /dev/null
@@ -1,536 +0,0 @@
-Require Export prosa.model.task.preemption.parameters.
-Require Export prosa.analysis.facts.busy_interval.ideal.hep_job_scheduled.
-Require Export prosa.analysis.facts.model.preemption.
-
-(** Throughout this file, we assume ideal uni-processor schedules. *)
-Require Import prosa.model.processor.ideal.
-
-(** * Priority inversion is bounded *)
-(** In this file, we prove that any priority inversion that occurs in
- the model with bounded nonpreemptive segments is bounded. *)
-Section PriorityInversionIsBounded.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{Arrival : JobArrival Job}.
- Context `{Cost : JobCost Job}.
-
- (** Consider any arrival sequence with consistent arrivals ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** ... and any ideal uniprocessor schedule of this arrival sequence. *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** Consider a JLFP policy that indicates a higher-or-equal priority relation,
- and assume that the relation is reflexive and transitive. *)
- Context {JLFP : JLFP_policy Job}.
- Hypothesis H_priority_is_reflexive: reflexive_priorities.
- Hypothesis H_priority_is_transitive: transitive_priorities.
-
- (** In addition, we assume the existence of a function mapping a
- task to its maximal non-preemptive segment ... *)
- Context `{TaskMaxNonpreemptiveSegment Task}.
-
- (** ... and the existence of a function mapping a job and its
- progress to a boolean value saying whether this job is
- preemptable at its current point of execution. *)
- Context `{JobPreemptable Job}.
-
- (** And assume that they define a valid preemption model with
- bounded nonpreemptive segments. *)
- Hypothesis H_valid_model_with_bounded_nonpreemptive_segments:
- valid_model_with_bounded_nonpreemptive_segments arr_seq sched.
-
- (** Further, allow for any work-bearing notion of job readiness. *)
- Context `{@JobReady Job (ideal.processor_state Job) Cost Arrival}.
- Hypothesis H_job_ready : work_bearing_readiness arr_seq sched.
-
- (** We assume that the schedule is valid and that all jobs come from the arrival sequence. *)
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
- Hypothesis H_jobs_come_from_arrival_sequence: jobs_come_from_arrival_sequence sched arr_seq.
-
- (** Next, we assume that the schedule is a work-conserving schedule... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy at every preemption point. *)
- Hypothesis H_respects_policy:
- respects_JLFP_policy_at_preemption_point arr_seq sched JLFP.
-
- (** Finally, we introduce the notion of the maximal length of
- (potential) priority inversion at a time instant [t], which is
- defined as the maximum length of nonpreemptive segments among
- all jobs that arrived so far. *)
- Definition max_length_of_priority_inversion (j : Job) (t : instant) :=
- \max_(j_lp <- arrivals_before arr_seq t | (~~ hep_job j_lp j) && (job_cost j_lp > 0))
- (job_max_nonpreemptive_segment j_lp - ε).
-
- (** Next we prove that a priority inversion of a job is bounded by
- function [max_length_of_priority_inversion]. *)
-
- (** Note that any bound on function
- [max_length_of_priority_inversion] will also be a bound on the
- maximal priority inversion. This bound may be different for
- different scheduler and/or task models. Thus, we don't define
- such a bound in this module. *)
-
- (** Consider any job [j] of [tsk] with positive job cost. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** Consider any busy interval prefix <<[t1, t2)>> of job j. *)
- Variable t1 t2 : instant.
- Hypothesis H_busy_interval_prefix:
- busy_interval_prefix arr_seq sched j t1 t2.
-
- (** * Processor Executes HEP jobs after Preemption Point *)
- (** In this section, we prove that at any time instant after any
- preemption point (inside the busy interval), the processor is
- always busy scheduling a job with higher or equal priority. *)
- Section PreemptionTimeAndPriorityInversion.
-
- (** First, recall from file [busy_interval/ideal/hep_job_scheduled]
- we already know that the processor at any preemptive point is always
- busy scheduling a job with higher or equal priority. *)
-
- (** We show that at any time instant after a preemption point the
- processor is always busy with a job with higher or equal
- priority. *)
- Lemma not_quiet_implies_exists_scheduled_hp_job_after_preemption_point:
- forall tp t,
- preemption_time sched tp ->
- t1 <= tp < t2 ->
- tp <= t < t2 ->
- exists j_hp,
- arrived_between j_hp t1 t.+1 /\
- hep_job j_hp j /\
- scheduled_at sched j_hp t.
- Proof.
- move => tp t PRPOINT /andP [GEtp LTtp] /andP [LEtp LTt].
- ideal_proc_model_sched_case_analysis_eq sched t jhp.
- { by eapply instant_t_is_not_idle in Idle; rt_eauto;
- [ | apply/andP; split; first apply leq_trans with tp]. }
- exists jhp.
- have HP: hep_job jhp j.
- { intros.
- move:(H_valid_model_with_bounded_nonpreemptive_segments) => [PREE ?].
- specialize (scheduling_of_any_segment_starts_with_preemption_time arr_seq sched H_sched_valid PREE jhp t Sched_jhp) => SOAS.
- move: SOAS => [prt [/andP [_ LE] [PR SCH]]].
- case E:(t1 <= prt).
- - move: E => /eqP /eqP E; rewrite subn_eq0 in E.
- edestruct not_quiet_implies_exists_scheduled_hp_job_at_preemption_point as [jlp [_ [HEP SCHEDjhp]]]; eauto 2.
- { by apply /andP; split; last by apply leq_ltn_trans with t. }
- enough (EQ : jhp = jlp); first by subst.
- apply: (ideal_proc_model_is_a_uniprocessor_model _ _ _ prt); eauto;
- by apply SCH; apply/andP; split.
- - move: E => /eqP /neqP E; rewrite -lt0n subn_gt0 in E.
- apply negbNE; apply/negP; intros LP; rename jhp into jlp.
- edestruct not_quiet_implies_exists_scheduled_hp_job_at_preemption_point
- as [jhp [_ [HEP SCHEDjhp]]]; try apply PRPOINT; rt_eauto; first by apply/andP; split.
- move: LP => /negP LP; apply: LP.
- enough (EQ : jhp = jlp); first by subst.
- apply: (ideal_proc_model_is_a_uniprocessor_model jhp _ _ tp); eauto.
- by apply SCH; apply/andP; split; first apply leq_trans with t1; auto.
- }
- repeat split; try done.
- move: (H_busy_interval_prefix) => [SL [QUIET [NOTQUIET EXj]]]; move: (Sched_jhp) => PENDING.
- eapply scheduled_implies_pending in PENDING; rt_eauto.
- apply/andP; split; last by apply leq_ltn_trans with (n := t); first by move: PENDING => /andP [ARR _].
- apply contraT; rewrite -ltnNge; intro LT; exfalso.
- feed (QUIET jhp); first by eapply H_jobs_come_from_arrival_sequence, Sched_jhp.
- specialize (QUIET HP LT).
- have COMP: completed_by sched jhp t.
- { apply: completion_monotonic QUIET; exact: leq_trans LEtp. }
- apply completed_implies_not_scheduled in COMP; rt_eauto.
- by move : COMP => /negP COMP; apply : COMP.
- Qed.
-
- (** Now, suppose there exists some constant K that bounds the
- distance to a preemption time from the beginning of the busy
- interval. *)
- Variable K : duration.
- Hypothesis H_preemption_time_exists:
- exists pr_t, preemption_time sched pr_t /\ t1 <= pr_t <= t1 + K.
-
- (** Then we prove that the processor is always busy with a job
- with higher-or-equal priority after time instant [t1 + K]. *)
- Lemma not_quiet_implies_exists_scheduled_hp_job:
- forall t,
- t1 + K <= t < t2 ->
- exists j_hp,
- arrived_between j_hp t1 t.+1 /\
- hep_job j_hp j /\
- scheduled_at sched j_hp t.
- Proof.
- move => t /andP [GE LT].
- move: H_preemption_time_exists => [prt [PR /andP [GEprt LEprt]]].
- apply not_quiet_implies_exists_scheduled_hp_job_after_preemption_point with (tp := prt); eauto 2.
- - apply/andP; split; first by done.
- apply leq_ltn_trans with (t1 + K); first by done.
- by apply leq_ltn_trans with t.
- - apply/andP; split; last by done.
- by apply leq_trans with (t1 + K).
- Qed.
-
- End PreemptionTimeAndPriorityInversion.
-
- (** * Preemption Time Exists *)
- (** In this section we prove that the function [max_length_of_priority_inversion]
- indeed upper-bounds the priority inversion length. *)
- Section PreemptionTimeExists.
-
- (** First, we prove that, if a job with higher-or-equal priority is scheduled at
- a quiet time [t+1], then this is the first time when this job is scheduled. *)
- Lemma hp_job_not_scheduled_before_quiet_time:
- forall jhp t,
- quiet_time arr_seq sched j t.+1 ->
- scheduled_at sched jhp t.+1 ->
- hep_job jhp j ->
- ~~ scheduled_at sched jhp t.
- Proof.
- intros jhp t QT SCHED1 HP.
- apply/negP; intros SCHED2.
- specialize (QT jhp).
- feed_n 3 QT; eauto.
- - have MATE: jobs_must_arrive_to_execute sched by rt_eauto.
- have HA: has_arrived jhp t by apply MATE.
- by done.
- apply completed_implies_not_scheduled in QT; rt_eauto.
- by move: QT => /negP NSCHED; apply: NSCHED.
- Qed.
-
- (** Also, we show that lower-priority jobs that are scheduled inside the
- busy-interval prefix <<[t1,t2)>> must arrive before that interval. *)
- Lemma low_priority_job_arrives_before_busy_interval_prefix:
- forall jlp t,
- t1 <= t < t2 ->
- scheduled_at sched jlp t ->
- ~~ hep_job jlp j ->
- job_arrival jlp < t1.
- Proof.
- move => jlp t /andP [GE LT] SCHED LP.
- move: (H_busy_interval_prefix) => [NEM [QT [NQT HPJ]]].
- apply negbNE; apply/negP; intros ARR; rewrite -leqNgt in ARR.
- move:(H_valid_model_with_bounded_nonpreemptive_segments) => [PREE ?].
- specialize (scheduling_of_any_segment_starts_with_preemption_time arr_seq sched H_sched_valid PREE jlp t SCHED) => SCH.
- move: SCH => [pt [/andP [NEQ1 NEQ2] [PT FA]]].
- have NEQ: t1 <= pt < t2.
- { apply/andP; split.
- - by apply leq_trans with (job_arrival jlp).
- - by apply leq_ltn_trans with t. }
- edestruct not_quiet_implies_exists_scheduled_hp_job_at_preemption_point as [jhp [_ [HEP SCHEDjhp]]]; rt_eauto.
- feed (FA pt); first (by apply/andP; split).
- move: LP => /negP LP; apply: LP.
- by have ->: jlp = jhp by eapply ideal_proc_model_is_a_uniprocessor_model; eauto.
- Qed.
-
- (** Moreover, we show that lower-priority jobs that are scheduled
- inside the busy-interval prefix <<[t1,t2)>> must be scheduled
- before that interval. *)
- Lemma low_priority_job_scheduled_before_busy_interval_prefix:
- forall jlp t,
- t1 <= t < t2 ->
- scheduled_at sched jlp t ->
- ~~ hep_job jlp j ->
- exists t', t' < t1 /\ scheduled_at sched jlp t'.
- Proof.
- move => jlp t NEQ SCHED LP; move: (NEQ) => /andP [GE LT].
- have ARR := low_priority_job_arrives_before_busy_interval_prefix _ _ NEQ SCHED LP.
- exists t1.-1; split.
- { by rewrite prednK; last apply leq_ltn_trans with (job_arrival jlp). }
- move: (H_busy_interval_prefix) => [NEM [QT [NQT HPJ]]].
- move:(H_valid_model_with_bounded_nonpreemptive_segments) => [PREE ?].
- specialize (scheduling_of_any_segment_starts_with_preemption_time arr_seq sched H_sched_valid PREE jlp t SCHED) => SCHEDST.
- move: SCHEDST => [pt [NEQpt [PT SCHEDc]]].
- have LT2: pt < t1.
- { rewrite ltnNge; apply/negP; intros CONTR.
- edestruct not_quiet_implies_exists_scheduled_hp_job_at_preemption_point
- as [jhp [_ [HEP SCHEDjhp]]]; try apply PT; rt_eauto; first lia.
- specialize (SCHEDc pt).
- feed SCHEDc; first by apply/andP; split; last move: NEQpt => /andP [_ T].
- move: LP => /negP LP; apply: LP.
- by have ->: jlp = jhp by eapply ideal_proc_model_is_a_uniprocessor_model; eauto.
- }
- apply SCHEDc; apply/andP; split.
- - by rewrite -add1n in LT2; apply leq_subRL_impl in LT2; rewrite subn1 in LT2.
- - by apply leq_trans with t1; first apply leq_pred.
- Qed.
-
- (** Thus, there must be a preemption time in the interval [t1, t1
- + max_priority_inversion t1]. That is, if a job with
- higher-or-equal priority is scheduled at time instant [t1], then
- [t1] is a preemption time. Otherwise, if a job with lower
- priority is scheduled at time [t1], then this job also should
- be scheduled before the beginning of the busy interval. So,
- the next preemption time will be no more than
- [max_priority_inversion t1] time units later. *)
-
- (** We proceed by doing a case analysis. *)
- Section CaseAnalysis.
-
- (** (1) Case when the schedule is idle at time [t1]. *)
- Section Case1.
-
- (** Assume that the schedule is idle at time [t1]. *)
- Hypothesis H_is_idle : is_idle sched t1.
-
- (** Then time instant [t1] is a preemption time. *)
- Lemma preemption_time_exists_case1:
- exists pr_t,
- preemption_time sched pr_t /\
- t1 <= pr_t <= t1 + max_length_of_priority_inversion j t1.
- Proof.
- set (service := service sched).
- move: (H_valid_model_with_bounded_nonpreemptive_segments) => CORR.
- move: (H_busy_interval_prefix) => [NEM [QT1 [NQT HPJ]]].
- exists t1; split.
- - by rewrite /preemption_time; move: H_is_idle => /eqP ->.
- - by apply/andP; split; last rewrite leq_addr.
- Qed.
-
- End Case1.
-
- (** (2) Case when a job with higher-or-equal priority is scheduled at time [t1]. *)
- Section Case2.
-
- (** Assume that a job [jhp] with higher-or-equal priority is scheduled at time [t1]. *)
- Variable jhp : Job.
- Hypothesis H_jhp_is_scheduled : scheduled_at sched jhp t1.
- Hypothesis H_jhp_hep_priority : hep_job jhp j.
-
- (** Then time instant [t1] is a preemption time. *)
- Lemma preemption_time_exists_case2:
- exists pr_t,
- preemption_time sched pr_t /\
- t1 <= pr_t <= t1 + max_length_of_priority_inversion j t1.
- Proof.
- set (service := service sched).
- move : (H_valid_model_with_bounded_nonpreemptive_segments) => [VALID BOUNDED].
- move: (H_valid_model_with_bounded_nonpreemptive_segments) => CORR.
- move: (H_busy_interval_prefix) => [NEM [QT1 [NQT HPJ]]].
- exists t1; split; last first.
- apply/andP; split; [by done | by rewrite leq_addr].
- destruct t1.
- - by eapply zero_is_pt; eauto 2.
- - apply: first_moment_is_pt H_jhp_is_scheduled; eauto 2.
- by eapply hp_job_not_scheduled_before_quiet_time; try by done.
- Qed.
-
- End Case2.
-
- (** (3) Case when a job with lower priority is scheduled at time [t1]. *)
- Section Case3.
-
- (** Assume that a job [jhp] with lower priority is scheduled at time [t1]. *)
- Variable jlp : Job.
- Hypothesis H_jlp_is_scheduled : scheduled_at sched jlp t1.
- Hypothesis H_jlp_low_priority : ~~ hep_job jlp j.
-
- (** To prove the lemma in this case we need a few auxiliary
- facts about the first preemption point of job [jlp]. *)
- Section FirstPreemptionPointOfjlp.
-
- (** Let's denote the progress of job [jlp] at time [t1] as [progr_t1]. *)
- Let progr_t1 := service sched jlp t1.
-
- (** Consider the first preemption point of job [jlp] after [progr_t1]. *)
- Variable fpt : instant.
- Hypothesis H_fpt_is_preemptio_point : job_preemptable jlp (progr_t1 + fpt).
- Hypothesis H_fpt_is_first_preemption_point:
- forall Ï,
- progr_t1 <= Ï <= progr_t1 + (job_max_nonpreemptive_segment jlp - ε) ->
- job_preemptable jlp Ï ->
- service sched jlp t1 + fpt <= Ï.
-
- (** For correctness, we also assume that [fpt] does not
- exceed the length of the maximum non-preemptive
- segment. *)
- Hypothesis H_progr_le_max_nonp_segment:
- fpt <= job_max_nonpreemptive_segment jlp - ε.
-
- (** First we show that [fpt] is indeed the first preemption point after [progr_t1]. *)
- Lemma no_intermediate_preemption_point:
- forall Ï,
- progr_t1 <= Ï < progr_t1 + fpt ->
- ~~ job_preemptable jlp Ï.
- Proof.
- move => prog /andP [GE LT].
- apply/negP; intros PPJ.
- move: H_fpt_is_first_preemption_point => K; specialize (K prog).
- feed_n 2 K; first (apply/andP; split); try done.
- { apply leq_trans with (service sched jlp t1 + fpt).
- + by apply ltnW.
- + by rewrite leq_add2l; apply H_progr_le_max_nonp_segment.
- }
- by move: K; rewrite leqNgt; move => /negP NLT; apply: NLT.
- Qed.
-
- (** Thanks to the fact that the scheduler respects the notion of preemption points
- we show that [jlp] is continuously scheduled in time interval <<[t1, t1 + fpt)>>. *)
- Lemma continuously_scheduled_between_preemption_points:
- forall t',
- t1 <= t' < t1 + fpt ->
- scheduled_at sched jlp t'.
- Proof.
- move: (H_valid_model_with_bounded_nonpreemptive_segments) => CORR.
- move: (H_jlp_is_scheduled) => ARRs; apply H_jobs_come_from_arrival_sequence in ARRs.
- move => t' /andP [GE LT].
- have Fact: exists Δ, t' = t1 + Δ.
- { by exists (t' - t1); apply/eqP; rewrite eq_sym; apply/eqP; rewrite subnKC. }
- move: Fact => [Δ EQ]; subst t'.
- have NPPJ := @no_intermediate_preemption_point (@service _ _ sched jlp (t1 + Δ)).
- apply proj1 in CORR; specialize (CORR jlp ARRs).
- move: CORR => [_ [_ [T _] ]].
- apply T; apply: NPPJ; apply/andP; split.
- { by apply service_monotonic; rewrite leq_addr. }
- rewrite /service -(service_during_cat _ _ _ t1).
- { rewrite ltn_add2l; rewrite ltn_add2l in LT.
- apply leq_ltn_trans with Δ; last by done.
- rewrite -{2}(sum_of_ones t1 Δ).
- rewrite leq_sum //; intros t _.
- apply service_at_most_one.
- by apply ideal_proc_model_provides_unit_service.
- }
- { by apply/andP; split; [done | rewrite leq_addr]. }
- Qed.
-
- (** Thus, job [jlp] reaches its preemption point at time instant [t1 + fpt],
- which implies that time instant [t1 + fpt] is a preemption time. *)
- Lemma first_preemption_time:
- preemption_time sched (t1 + fpt).
- Proof.
- rewrite /preemption_time.
- move: (H_valid_model_with_bounded_nonpreemptive_segments) => CORR.
- ideal_proc_model_sched_case_analysis_eq sched (t1 + fpt) s'; try done.
- clear EqSched_s'; move: (Sched_s'); rewrite scheduled_at_def;
- move => /eqP EqSched_s'; rewrite EqSched_s'.
- destruct (jlp == s') eqn: EQ.
- - move: EQ => /eqP EQ; subst s'.
- rewrite /service -(service_during_cat _ _ _ t1); last first.
- { by apply/andP; split; last rewrite leq_addr. }
- have ->: service_during sched jlp t1 (t1 + fpt) = fpt.
- { rewrite -{2}(sum_of_ones t1 fpt) /service_during.
- apply/eqP; rewrite eqn_leq //; apply/andP; split.
- + rewrite leq_sum //; intros t _.
- apply service_at_most_one.
- by apply ideal_proc_model_provides_unit_service.
- + rewrite big_nat_cond [in X in _ <= X]big_nat_cond.
- rewrite leq_sum //.
- move => x /andP [HYP _].
- rewrite service_at_def lt0b -scheduled_at_def.
- by apply continuously_scheduled_between_preemption_points.
- } by done.
- - case: (posnP fpt) => [ZERO|POS].
- { subst fpt.
- exfalso; move: EQ => /negP EQ; apply: EQ.
- move: H_jlp_is_scheduled; rewrite scheduled_at_def; move => /eqP SCHED2.
- rewrite addn0 in EqSched_s'; rewrite EqSched_s' in SCHED2.
- by inversion SCHED2.
- }
- { have EX: exists sm, sm.+1 = fpt.
- { exists fpt.-1. lia. }
- destruct EX as [sm EQ2]. rewrite -EQ2.
- rewrite addnS.
- move: ((proj1 CORR) s' (H_jobs_come_from_arrival_sequence _ _ Sched_s')) => T.
- apply T; clear T. apply /negP; intros CONTR.
- move: EQ => /negP EQ; apply: EQ.
- move: (continuously_scheduled_between_preemption_points (t1 + sm)) => SCHEDs0.
- feed SCHEDs0; first by apply/andP; split; [rewrite leq_addr | rewrite -EQ2 addnS].
- apply/eqP; eapply ideal_proc_model_is_a_uniprocessor_model; eauto 2.
- by rewrite -addnS EQ2.
- }
- Qed.
-
- (** And since [fpt <= max_length_of_priority_inversion j t1],
- [t1 <= t1 + fpt <= t1 + max_length_of_priority_inversion j t1]. *)
- Lemma preemption_time_le_max_len_of_priority_inversion:
- t1 <= t1 + fpt <= t1 + max_length_of_priority_inversion j t1.
- Proof.
- move: (H_jlp_is_scheduled) => ARRs; apply H_jobs_come_from_arrival_sequence in ARRs.
- apply/andP; split; first by rewrite leq_addr.
- rewrite leq_add2l.
- unfold max_length_of_priority_inversion.
- rewrite (big_rem jlp) //=.
- { rewrite H_jlp_low_priority //=.
- have NZ: service sched jlp t1 < job_cost jlp
- by apply: service_lt_cost; rt_eauto.
- rewrite ifT; last by lia.
- apply leq_trans with (job_max_nonpreemptive_segment jlp - ε).
- - by apply H_progr_le_max_nonp_segment.
- - by rewrite leq_maxl.
- }
- eapply arrived_between_implies_in_arrivals; eauto 2.
- apply/andP; split; first by done.
- eapply low_priority_job_arrives_before_busy_interval_prefix with t1; eauto 2.
- by move: (H_busy_interval_prefix) => [NEM [QT1 [NQT HPJ]]]; apply/andP; split.
- Qed.
-
- End FirstPreemptionPointOfjlp.
-
- (** Next, we combine the above facts to conclude the lemma. *)
- Lemma preemption_time_exists_case3:
- exists pr_t,
- preemption_time sched pr_t /\
- t1 <= pr_t <= t1 + max_length_of_priority_inversion j t1.
- Proof.
- set (service := service sched).
- have EX: exists pt,
- ((service jlp t1) <= pt <= (service jlp t1) + (job_max_nonpreemptive_segment jlp - 1)) && job_preemptable jlp pt.
- { move: (H_jlp_is_scheduled) => ARRs; apply H_jobs_come_from_arrival_sequence in ARRs.
- move: (proj2 (H_valid_model_with_bounded_nonpreemptive_segments) jlp ARRs) =>[_ EXPP].
- destruct H_sched_valid as [A B].
- specialize (EXPP (service jlp t1)).
- feed EXPP.
- { apply/andP; split; first by done.
- apply service_at_most_cost; rt_eauto.
- }
- move: EXPP => [pt [NEQ PP]].
- exists pt; apply/andP; split; by done.
- }
- move: (ex_minnP EX) => [sm_pt /andP [NEQ PP] MIN]; clear EX.
- have Fact: exists Δ, sm_pt = service jlp t1 + Δ.
- { exists (sm_pt - service jlp t1).
- apply/eqP; rewrite eq_sym; apply/eqP; rewrite subnKC //.
- by move: NEQ => /andP [T _]. }
- move: Fact => [Δ EQ]; subst sm_pt; rename Δ into sm_pt.
- exists (t1 + sm_pt); split.
- { apply first_preemption_time; rewrite /service.service; try done.
- + by intros; apply MIN; apply/andP; split.
- + by rewrite /ε; lia.
- }
- by apply preemption_time_le_max_len_of_priority_inversion;
- [ done | by rewrite /ε; lia].
- Qed.
-
- End Case3.
-
- End CaseAnalysis.
-
- (** By doing the case analysis, we show that indeed there is a
- preemption time in the time interval [[t1, t1 +
- max_length_of_priority_inversion j t1]]. *)
- Lemma preemption_time_exists:
- exists pr_t,
- preemption_time sched pr_t /\
- t1 <= pr_t <= t1 + max_length_of_priority_inversion j t1.
- Proof.
- set (service := service sched).
- move: (H_valid_model_with_bounded_nonpreemptive_segments) => CORR.
- move: (H_busy_interval_prefix) => [NEM [QT1 [NQT HPJ]]].
- ideal_proc_model_sched_case_analysis sched t1 s.
- - by apply preemption_time_exists_case1.
- - destruct (hep_job s j) eqn:PRIO.
- + by eapply preemption_time_exists_case2; eauto.
- + eapply preemption_time_exists_case3 with s; eauto.
- by rewrite -eqbF_neg; apply /eqP.
- Qed.
-
- End PreemptionTimeExists.
-
-End PriorityInversionIsBounded.
diff --git a/analysis/facts/busy_interval/priority_inversion.v b/analysis/facts/busy_interval/priority_inversion.v
deleted file mode 100644
index 341ec973c4058c7878e428953776bb476e27301e..0000000000000000000000000000000000000000
--- a/analysis/facts/busy_interval/priority_inversion.v
+++ /dev/null
@@ -1,64 +0,0 @@
-Require Export prosa.analysis.definitions.priority_inversion.
-
-(** * Lemma about Priority Inversion for arbitrary processors *)
-(** In this section, we prove a lemma about the notion of priority
- inversion for arbitrary processors. *)
-Section PIGenericProcessorModelLemma.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Next, consider _any_ kind of processor state model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any arrival sequence, ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any schedule. *)
- Variable sched : schedule PState.
-
- (** Assume a given JLFP policy. *)
- Context `{JLFP_policy Job}.
-
- (** Consider an arbitrary job. *)
- Variable j : Job.
-
-
- (** Then we prove that cumulative priority inversion (CPI) that job
- [j] incurs in an interval <<[t1, t2)>> is equal to the sum of
- CPI in an interval <<[t1, t_mid)>> and CPI in an interval
- <<[t_mid, t2)>>. *)
- Lemma cumulative_priority_inversion_cat:
- forall (t_mid t1 t2 : instant),
- t1 <= t_mid ->
- t_mid <= t2 ->
- cumulative_priority_inversion arr_seq sched j t1 t2 =
- cumulative_priority_inversion arr_seq sched j t1 t_mid
- + cumulative_priority_inversion arr_seq sched j t_mid t2.
- Proof.
- intros * LE1 LE2.
- rewrite /cumulative_priority_inversion -big_cat //=.
- replace (index_iota t1 t_mid ++ index_iota t_mid t2) with (index_iota t1 t2); first by reflexivity.
- interval_to_duration t1 t_mid δ1.
- interval_to_duration (t1 + δ1) t2 δ2.
- rewrite -!addnA /index_iota.
- erewrite iotaD_impl with (n_le := δ1); last by lia.
- by rewrite !addKn addnA addKn.
- Qed.
-
- (** Assume that [j] is scheduled at time [t], then there is no
- priority inversion at time [t]. *)
- Lemma sched_itself_implies_no_priority_inversion :
- forall t,
- scheduled_at sched j t ->
- priority_inversion_dec arr_seq sched j t = false.
- Proof. by move => t SCHED; rewrite /priority_inversion_dec SCHED. Qed.
-
-End PIGenericProcessorModelLemma.
diff --git a/analysis/facts/busy_interval/quiet_time.v b/analysis/facts/busy_interval/quiet_time.v
deleted file mode 100644
index f2b6f5655ac534162f33d652a1bd8937f50c8b0a..0000000000000000000000000000000000000000
--- a/analysis/facts/busy_interval/quiet_time.v
+++ /dev/null
@@ -1,24 +0,0 @@
-Require Export prosa.analysis.definitions.busy_interval.
-
-(** In this module we collect some basic facts about quiet times. *)
-
-Section Facts.
-
- (** Consider any kind of jobs... *)
- Context {Job : JobType} `{JobArrival Job} `{JobCost Job}.
- (** ... and a [JLFP] policy defined on these jobs. *)
- Context `{JLFP_policy Job}.
- (** Consider any processor state model. *)
- Context {PState : ProcessorState Job}.
-
- (** Consider any schedule and arrival sequence. *)
- Variable sched : schedule PState.
- Variable arr_seq : arrival_sequence Job.
-
- (** We prove that 0 is always a quiet time. *)
- Lemma zero_is_quiet_time (j : Job) : quiet_time arr_seq sched j 0.
- Proof.
- by intros jhp ARR HP AB; move: AB; rewrite /arrived_before ltn0.
- Qed.
-
-End Facts.
diff --git a/analysis/facts/edf_definitions.v b/analysis/facts/edf_definitions.v
deleted file mode 100644
index eea3d4451f3f953be6347ec91ad6ed21df6f8f7d..0000000000000000000000000000000000000000
--- a/analysis/facts/edf_definitions.v
+++ /dev/null
@@ -1,110 +0,0 @@
-Require Export prosa.analysis.facts.model.ideal.schedule.
-Require Export prosa.analysis.facts.behavior.deadlines.
-Require Export prosa.analysis.definitions.schedulability.
-Require Export prosa.model.priority.edf.
-Require Export prosa.model.schedule.edf.
-Require Export prosa.model.schedule.priority_driven.
-Require Import prosa.model.readiness.basic.
-Require Import prosa.model.preemption.fully_preemptive.
-
-(** * Equivalence of EDF Definitions *)
-
-(** Recall that we have defined "EDF schedules" in two ways.
-
- The generic way to define an EDF schedule is by using the EDF priority
- policy defined in [model.priority.edf] and the general notion of
- priority-compliant schedules defined in [model.schedule.priority_driven].
-
- Another, more straight-forward way to define an EDF schedule is the standalone
- definition given in [model.schedule.edf], which is less general but simpler
- and used in the EDF optimality proof.
-
- In this file, we show that both definitions are equivalent assuming:
-
- (1) ideal uniprocessor schedules,
-
- (2) the classic Liu & Layland model of readiness without jitter and
- without self-suspensions, where pending jobs are always ready, and
-
- (3) that jobs are fully preemptive. *)
-
-Section Equivalence.
-
- (** We assume the basic (i.e., Liu & Layland)
- readiness model under which any pending job is ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** We assume that jobs are fully preemptive. *)
- #[local] Existing Instance fully_preemptive_job_model.
-
- (** For any given type of jobs, each characterized by an arrival time,
- an execution cost, and an absolute deadline, ... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ...consider a given valid job arrival sequence ... *)
- Variable arr_seq: arrival_sequence Job.
- Hypothesis H_arr_seq_valid: valid_arrival_sequence arr_seq.
-
- (** ...and a corresponding schedule. *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** Suppose jobs don't execute after their completion, ... *)
- Hypothesis H_completed_jobs_dont_execute: completed_jobs_dont_execute sched.
-
- (** ...all jobs come from the arrival sequence [arr_seq], ...*)
- Hypothesis H_from_arr_seq: jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ...and jobs from [arr_seq] don't miss their deadlines. *)
- Hypothesis H_no_deadline_misses: all_deadlines_of_arrivals_met arr_seq sched.
-
- (** We first show that a schedule that satisfies the standalone
- [EDF_schedule] predicate is also compliant with the generic notion of EDF
- policy defined in Prosa, namely the [respects_policy_at_preemption_point]
- predicate. *)
- Lemma EDF_schedule_implies_respects_policy_at_preemption_point :
- EDF_schedule sched ->
- respects_JLFP_policy_at_preemption_point arr_seq sched (EDF Job).
- Proof.
- move=> EDF j' j t ARR PREEMPTION BL SCHED.
- have suff: exists t' : nat, t <= t' < job_deadline j' /\ scheduled_at sched j' t'.
- { move=> [t' [/andP [LE _] SCHED']].
- apply: (EDF t); [done | exact LE | exact SCHED' |].
- by apply: (backlogged_implies_arrived sched j' t). }
- apply; apply: incomplete_implies_scheduled_later;
- first by apply: H_no_deadline_misses => //.
- by apply: (backlogged_implies_incomplete sched j' t).
- Qed.
-
- (** Conversely, the reverse direction also holds: a schedule that satisfies
- the [respects_policy_at_preemption_point] predicate is also an EDF
- schedule in the sense of [EDF_schedule]. *)
- Lemma respects_policy_at_preemption_point_implies_EDF_schedule :
- respects_JLFP_policy_at_preemption_point arr_seq sched (EDF Job) ->
- EDF_schedule sched.
- Proof.
- move=> H_priority_driven t j_hp SCHED t' j LEQ SCHED' EARLIER_ARR.
- case (boolP (j == j_hp)); first by move /eqP => EQ; subst.
- move /neqP => NEQ.
- exploit (H_priority_driven j j_hp t) => //.
- { by apply (H_from_arr_seq _ _ SCHED'). }
- { by rewrite /preemption_time; destruct (sched t). }
- { apply /andP; split => //.
- - apply /andP; split => //.
- apply (incompletion_monotonic _ j _ _ LEQ).
- by apply scheduled_implies_not_completed.
- - apply /negP; move => SCHED''.
- by exploit (ideal_proc_model_is_a_uniprocessor_model j j_hp sched t). }
- Qed.
-
- (** From the two preceding lemmas, it follows immediately that the two EDF
- definitions are indeed equivalent, which we note with the following
- corollary. *)
- Corollary EDF_schedule_equiv:
- EDF_schedule sched <-> respects_JLFP_policy_at_preemption_point arr_seq sched (EDF Job).
- Proof.
- split.
- - by apply EDF_schedule_implies_respects_policy_at_preemption_point.
- - by apply respects_policy_at_preemption_point_implies_EDF_schedule.
- Qed.
-
-End Equivalence.
diff --git a/analysis/facts/hyperperiod.v b/analysis/facts/hyperperiod.v
deleted file mode 100644
index 982bf1bf2a58733949f47fbb7f9a7e84b61615dd..0000000000000000000000000000000000000000
--- a/analysis/facts/hyperperiod.v
+++ /dev/null
@@ -1,244 +0,0 @@
-Require Export prosa.analysis.definitions.hyperperiod.
-Require Export prosa.analysis.facts.periodic.task_arrivals_size.
-Require Export prosa.util.div_mod.
-
-(** In this file we prove some simple properties of hyperperiods of periodic tasks. *)
-Section Hyperperiod.
-
- (** Consider any type of periodic tasks, ... *)
- Context {Task : TaskType} `{PeriodicModel Task}.
-
- (** ... any task set [ts], ... *)
- Variable ts : TaskSet Task.
-
- (** ... and any task [tsk] that belongs to this task set. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts: tsk \in ts.
-
- (** A task set's hyperperiod is an integral multiple
- of each task's period in the task set. **)
- Lemma hyperperiod_int_mult_of_any_task:
- exists (k : nat),
- hyperperiod ts = k * task_period tsk.
- Proof. by apply/dvdnP; apply lcm_seq_is_mult_of_all_ints, map_f, H_tsk_in_ts. Qed.
-
-End Hyperperiod.
-
-(** In this section we show a property of hyperperiod in context
- of task sets with valid periods. *)
-Section ValidPeriodsImplyPositiveHP.
-
- (** Consider any type of periodic tasks ... *)
- Context {Task : TaskType} `{PeriodicModel Task}.
-
- (** ... and any task set [ts] ... *)
- Variable ts : TaskSet Task.
-
- (** ... such that all tasks in [ts] have valid periods. *)
- Hypothesis H_valid_periods: valid_periods ts.
-
- (** We show that the hyperperiod of task set [ts]
- is positive. *)
- Lemma valid_periods_imply_pos_hp:
- hyperperiod ts > 0.
- Proof.
- apply all_pos_implies_lcml_pos.
- move => b /mapP [x IN EQ]; subst b.
- now apply H_valid_periods.
- Qed.
-
-End ValidPeriodsImplyPositiveHP.
-
-(** In this section we prove some lemmas about the hyperperiod
- in context of the periodic model. *)
-Section PeriodicLemmas.
-
- (** Consider any type of tasks, ... *)
- Context {Task : TaskType}.
- Context `{TaskOffset Task}.
- Context `{PeriodicModel Task}.
-
- (** ... any type of jobs, ... *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** ... and a consistent arrival sequence with non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Consider a task set [ts] such that all tasks in
- [ts] have valid periods. *)
- Variable ts : TaskSet Task.
- Hypothesis H_valid_periods: valid_periods ts.
-
- (** Let [tsk] be any periodic task in [ts] with a valid offset and period. *)
- Variable tsk : Task.
- Hypothesis H_task_in_ts: tsk \in ts.
- Hypothesis H_valid_offset: valid_offset arr_seq tsk.
- Hypothesis H_valid_period: valid_period tsk.
- Hypothesis H_periodic_task: respects_periodic_task_model arr_seq tsk.
-
- (** Assume we have an infinite sequence of jobs in the arrival sequence. *)
- Hypothesis H_infinite_jobs: infinite_jobs arr_seq.
-
- (** Let [O_max] denote the maximum task offset in [ts] and let
- [HP] denote the hyperperiod of all tasks in [ts]. *)
- Let O_max := max_task_offset ts.
- Let HP := hyperperiod ts.
-
- (** We show that the job corresponding to any job [j1] in any other
- hyperperiod is of the same task as [j1]. *)
- Lemma corresponding_jobs_have_same_task:
- forall j1 j2,
- job_task (corresponding_job_in_hyperperiod ts arr_seq j1
- (starting_instant_of_corresponding_hyperperiod ts j2) (job_task j1)) = job_task j1.
- Proof.
- clear H_task_in_ts H_valid_period.
- intros *.
- set ARRIVALS := (task_arrivals_between arr_seq (job_task j1) (starting_instant_of_hyperperiod ts (job_arrival j2))
- (starting_instant_of_hyperperiod ts (job_arrival j2) + HP)).
- set IND := (job_index_in_hyperperiod ts arr_seq j1 (starting_instant_of_hyperperiod ts (job_arrival j1)) (job_task j1)).
- have SIZE_G : size ARRIVALS <= IND -> job_task (nth j1 ARRIVALS IND) = job_task j1 by intro SG; rewrite nth_default.
- case: (boolP (size ARRIVALS == IND)) => [/eqP EQ|NEQ]; first by apply SIZE_G; lia.
- move : NEQ; rewrite neq_ltn; move => /orP [LT | G]; first by apply SIZE_G; lia.
- set jb := nth j1 ARRIVALS IND.
- have JOB_IN : jb \in ARRIVALS by apply mem_nth.
- rewrite /ARRIVALS /task_arrivals_between mem_filter in JOB_IN.
- now move : JOB_IN => /andP [/eqP TSK JB_IN].
- Qed.
-
- (** We show that if a job [j] lies in the hyperperiod starting
- at instant [t] then [j] arrives in the interval <<[t, t + HP)>>. *)
- Lemma all_jobs_arrive_within_hyperperiod:
- forall j t,
- j \in jobs_in_hyperperiod ts arr_seq t tsk->
- t <= job_arrival j < t + HP.
- Proof.
- intros * JB_IN_HP.
- rewrite mem_filter in JB_IN_HP.
- move : JB_IN_HP => /andP [/eqP TSK JB_IN]; apply mem_bigcat_nat_exists in JB_IN.
- destruct JB_IN as [i [JB_IN INEQ]].
- apply job_arrival_at in JB_IN; rt_auto.
- by rewrite JB_IN.
- Qed.
-
- (** We show that the number of jobs in a hyperperiod starting at [n1 * HP + O_max]
- is the same as the number of jobs in a hyperperiod starting at [n2 * HP + O_max] given
- that [n1] is less than or equal to [n2]. *)
- Lemma eq_size_hyp_lt:
- forall n1 n2,
- n1 <= n2 ->
- size (jobs_in_hyperperiod ts arr_seq (n1 * HP + O_max) tsk) =
- size (jobs_in_hyperperiod ts arr_seq (n2 * HP + O_max) tsk).
- Proof.
- intros * N1_LT.
- have -> : n2 * HP + O_max = n1 * HP + O_max + (n2 - n1) * HP.
- { by rewrite -[in LHS](subnKC N1_LT) mulnDl addnAC. }
- destruct (hyperperiod_int_mult_of_any_task ts tsk H_task_in_ts) as [k HYP]; rewrite !/HP.
- rewrite [in X in _ = size (_ (n1 * HP + O_max + _ * X) tsk)]HYP.
- rewrite mulnA /HP /jobs_in_hyperperiod !size_of_task_arrivals_between.
- erewrite big_sum_eq_in_eq_sized_intervals => //; intros g G_LT.
- have OFF_G : task_offset tsk <= O_max by apply max_offset_g.
- have FG : forall v b n, v + b + n = v + n + b by intros *; lia.
- erewrite eq_size_of_task_arrivals_seperated_by_period => //; rt_eauto; last by lia.
- by rewrite FG.
- Qed.
-
- (** We generalize the above lemma by lifting the condition on
- [n1] and [n2]. *)
- Lemma eq_size_of_arrivals_in_hyperperiod:
- forall n1 n2,
- size (jobs_in_hyperperiod ts arr_seq (n1 * HP + O_max) tsk) =
- size (jobs_in_hyperperiod ts arr_seq (n2 * HP + O_max) tsk).
- Proof.
- intros *.
- case : (boolP (n1 == n2)) => [/eqP EQ | NEQ]; first by rewrite EQ.
- move : NEQ; rewrite neq_ltn; move => /orP [LT | LT].
- + by apply eq_size_hyp_lt => //; lia.
- + move : (eq_size_hyp_lt n2 n1) => EQ_S.
- by feed_n 1 EQ_S => //; lia.
- Qed.
-
- (** Consider any two jobs [j1] and [j2] that stem from the arrival sequence
- [arr_seq] such that [j1] is of task [tsk]. *)
- Variable j1 : Job.
- Variable j2 : Job.
- Hypothesis H_j1_from_arr_seq: arrives_in arr_seq j1.
- Hypothesis H_j2_from_arr_seq: arrives_in arr_seq j2.
- Hypothesis H_j1_task: job_task j1 = tsk.
-
- (** Assume that both [j1] and [j2] arrive after [O_max]. *)
- Hypothesis H_j1_arr_after_O_max: O_max <= job_arrival j1.
- Hypothesis H_j2_arr_after_O_max: O_max <= job_arrival j2.
-
- (** We show that any job [j] that arrives in task arrivals in the same
- hyperperiod as [j2] also arrives in task arrivals up to [job_arrival j2 + HP]. *)
- Lemma job_in_hp_arrives_in_task_arrivals_up_to:
- forall j,
- j \in jobs_in_hyperperiod ts arr_seq ((job_arrival j2 - O_max) %/ HP * HP + O_max) tsk ->
- j \in task_arrivals_up_to arr_seq tsk (job_arrival j2 + HP).
- Proof.
- intros j J_IN.
- rewrite /task_arrivals_up_to.
- set jobs_in_hp := (jobs_in_hyperperiod ts arr_seq ((job_arrival j2 - O_max) %/ HP * HP + O_max) tsk).
- move : (J_IN) => J_ARR; apply all_jobs_arrive_within_hyperperiod in J_IN.
- rewrite /jobs_in_hp /jobs_in_hyperperiod /task_arrivals_up_to /task_arrivals_between mem_filter in J_ARR.
- move : J_ARR => /andP [/eqP TSK' NTH_IN].
- apply job_in_task_arrivals_between => //;
- first by apply in_arrivals_implies_arrived in NTH_IN; rt_eauto.
- eapply in_arrivals_implies_arrived; first by exact NTH_IN.
- apply mem_bigcat_nat_exists in NTH_IN.
- apply /andP; split => //.
- rewrite ltnS.
- apply leq_trans with (n := (job_arrival j2 - O_max) %/ HP * HP + O_max + HP); first by lia.
- rewrite leq_add2r.
- have O_M : (job_arrival j2 - O_max) %/ HP * HP <= job_arrival j2 - O_max by apply leq_trunc_div.
- have ARR_G : job_arrival j2 >= O_max by auto.
- by lia.
- Qed.
-
- (** We show that job [j1] arrives in its own hyperperiod. *)
- Lemma job_in_own_hp:
- j1 \in jobs_in_hyperperiod ts arr_seq ((job_arrival j1 - O_max) %/ HP * HP + O_max) tsk.
- Proof.
- apply job_in_task_arrivals_between => //; rt_eauto.
- apply /andP; split.
- + rewrite addnC -leq_subRL => //.
- by apply leq_trunc_div.
- + specialize (div_floor_add_g (job_arrival j1 - O_max) HP) => AB.
- feed_n 1 AB; first by apply valid_periods_imply_pos_hp => //.
- rewrite ltn_subLR // in AB.
- by rewrite -/(HP); lia.
- Qed.
-
- (** We show that the [corresponding_job_in_hyperperiod] of [j1] in [j2]'s hyperperiod
- arrives in task arrivals up to [job_arrival j2 + HP]. *)
- Lemma corr_job_in_task_arrivals_up_to:
- corresponding_job_in_hyperperiod ts arr_seq j1 (starting_instant_of_corresponding_hyperperiod ts j2) tsk \in
- task_arrivals_up_to arr_seq tsk (job_arrival j2 + HP).
- Proof.
- rewrite /corresponding_job_in_hyperperiod /starting_instant_of_corresponding_hyperperiod.
- rewrite /job_index_in_hyperperiod /starting_instant_of_hyperperiod /hyperperiod_index.
- set ind := (index j1 (jobs_in_hyperperiod ts arr_seq ((job_arrival j1 - O_max) %/ HP * HP + O_max) tsk)).
- set jobs_in_hp := (jobs_in_hyperperiod ts arr_seq ((job_arrival j2 - O_max) %/ HP * HP + O_max) tsk).
- set nj := nth j1 jobs_in_hp ind.
- apply job_in_hp_arrives_in_task_arrivals_up_to => //.
- rewrite mem_nth /jobs_in_hp => //.
- specialize (eq_size_of_arrivals_in_hyperperiod ((job_arrival j2 - O_max) %/ HP) ((job_arrival j1 - O_max) %/ HP)) => EQ.
- rewrite EQ /ind index_mem.
- by apply job_in_own_hp.
- Qed.
-
- (** Finally, we show that the [corresponding_job_in_hyperperiod] of [j1] in [j2]'s hyperperiod
- arrives in the arrival sequence [arr_seq]. *)
- Lemma corresponding_job_arrives:
- arrives_in arr_seq (corresponding_job_in_hyperperiod ts arr_seq j1 (starting_instant_of_corresponding_hyperperiod ts j2) tsk).
- Proof.
- move : (corr_job_in_task_arrivals_up_to) => ARR_G.
- rewrite /task_arrivals_up_to /task_arrivals_between mem_filter in ARR_G.
- move : ARR_G => /andP [/eqP TSK' NTH_IN].
- by apply in_arrivals_implies_arrived in NTH_IN.
- Qed.
-
-End PeriodicLemmas.
diff --git a/analysis/facts/job_index.v b/analysis/facts/job_index.v
deleted file mode 100644
index c541c23c546e18f88def7a4934eedbd9c33cb585..0000000000000000000000000000000000000000
--- a/analysis/facts/job_index.v
+++ /dev/null
@@ -1,382 +0,0 @@
-Require Export prosa.analysis.facts.model.task_arrivals.
-
-(** In this section, we prove some properties related to [job_index]. *)
-Section JobIndexLemmas.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any jobs associated with the tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any arrival sequence with consistent and non-duplicate arrivals, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... and any two jobs [j1] and [j2] from this arrival sequence
- that stem from the same task. *)
- Variable j1 j2 : Job.
- Hypothesis H_j1_from_arrival_sequence: arrives_in arr_seq j1.
- Hypothesis H_j2_from_arrival_sequence: arrives_in arr_seq j2.
- Hypothesis H_same_task: job_task j1 = job_task j2.
-
- (** In the next section, we prove some basic properties about jobs with equal indices. *)
- Section EqualJobIndex.
-
- (** Assume that the jobs [j1] and [j2] have the same [job_index]
- in the arrival sequence. *)
- Hypothesis H_equal_index: job_index arr_seq j1 = job_index arr_seq j2.
-
- (** To show that jobs [j1] and [j2] are equal, we'll perform case
- analysis on the relation between their arrival times. *)
-
- (** Jobs with equal indices have to be equal regardless of their
- arrival times because of the way [job_index] is defined (i.e.,
- jobs are first ordered according to their arrival times and ties are
- broken arbitrarily due to which no two unequal jobs have the same
- [job_index]). *)
-
- (** In case job [j2] arrives after or at the same time as [j1] arrives, we
- show that the jobs are equal. *)
- Lemma case_arrival_lte_implies_equal_job:
- job_arrival j1 <= job_arrival j2 -> j1 = j2.
- Proof.
- move => ARR_LT.
- move: H_equal_index => IND.
- try ( apply task_arrivals_up_to_prefix_cat with (arr_seq0 := arr_seq) in ARR_LT => // ) ||
- apply task_arrivals_up_to_prefix_cat with (arr_seq := arr_seq) in ARR_LT => //.
- move : ARR_LT => [xs ARR_CAT].
- try ( apply eq_ind_in_seq with (xs0 := task_arrivals_up_to_job_arrival arr_seq j2) => // ) ||
- apply eq_ind_in_seq with (xs := task_arrivals_up_to_job_arrival arr_seq j2) => //.
- - by rewrite -/(job_index _ _) -IND -ARR_CAT index_cat ifT;
- try apply arrives_in_task_arrivals_up_to; rt_eauto.
- - rewrite -ARR_CAT mem_cat; apply /orP.
- by left; apply arrives_in_task_arrivals_up_to; rt_eauto.
- - by apply arrives_in_task_arrivals_up_to; rt_eauto.
- Qed.
-
- (** And similarly if [j1] arrives after [j2], we show that
- the jobs are equal. *)
- Lemma case_arrival_gt_implies_equal_job:
- job_arrival j1 > job_arrival j2 -> j1 = j2.
- Proof.
- move=> LT.
- move: H_equal_index => IND.
- apply ltnW, (task_arrivals_up_to_prefix_cat arr_seq) in LT => //.
- move: LT => [xs ARR_CAT].
- apply (eq_ind_in_seq _ _ (task_arrivals_up_to_job_arrival arr_seq j1)) => //.
- - by rewrite -/(job_index _ _) IND -ARR_CAT index_cat ifT;
- try apply arrives_in_task_arrivals_up_to; rt_eauto.
- - by apply arrives_in_task_arrivals_up_to; rt_eauto.
- - rewrite -ARR_CAT mem_cat; apply /orP.
- by left; apply arrives_in_task_arrivals_up_to => //; rt_eauto.
- Qed.
-
- (** And finally we show that irrespective of the relation between the arrival
- of job [j1] and [j2], [j1] must be equal to [j2]. *)
- Lemma equal_index_implies_equal_jobs:
- j1 = j2.
- Proof.
- case: (ltngtP (job_arrival j1) (job_arrival j2)) => [LT|GT|EQ].
- - by apply case_arrival_lte_implies_equal_job; lia.
- - by apply case_arrival_gt_implies_equal_job; lia.
- - by apply case_arrival_lte_implies_equal_job; lia.
- Qed.
-
- End EqualJobIndex.
-
- (** We show that jobs of a task are different if and only if they
- have different indices. *)
- Lemma diff_jobs_iff_diff_indices:
- j1 <> j2 <->
- job_index arr_seq j1 <> job_index arr_seq j2.
- Proof.
- split.
- + move => NEQJ EQ.
- by apply equal_index_implies_equal_jobs in EQ.
- + move => NEQ EQ.
- by move: EQ NEQ => ->.
- Qed.
-
- (** We show that [job_index j] can be written as a sum of [size (task_arrivals_before_job_arrival j)]
- and [index j (task_arrivals_at arr_seq (job_task j) (job_arrival j))]. *)
- Lemma index_as_sum_size_and_index:
- job_index arr_seq j1 =
- size (task_arrivals_before_job_arrival arr_seq j1)
- + index j1 (task_arrivals_at_job_arrival arr_seq j1).
- Proof.
- rewrite /task_arrivals_at_job_arrival /job_index task_arrivals_up_to_cat //.
- rewrite index_cat ifF; first by reflexivity.
- apply Bool.not_true_is_false; intro T.
- move : T; rewrite mem_filter => /andP [/eqP SM_TSK JB_IN_ARR].
- apply mem_bigcat_nat_exists in JB_IN_ARR; move : JB_IN_ARR => [ind [JB_IN IND_INTR]].
- have ARR : job_arrival j1 = ind by rt_eauto.
- by lia.
- Qed.
-
- (** Given jobs [j1] and [j2] in [arrivals_between_P arr_seq P t1 t2], the fact that
- [j2] arrives strictly before [j1] implies that [j2] also belongs in the sequence
- [arrivals_between_P arr_seq P t1 (job_arrival j1)]. *)
- Lemma arrival_lt_implies_job_in_arrivals_between_P:
- forall (P : Job -> bool) (t1 t2 : instant),
- (j1 \in arrivals_between_P arr_seq P t1 t2) ->
- (j2 \in arrivals_between_P arr_seq P t1 t2) ->
- job_arrival j2 < job_arrival j1 ->
- j2 \in arrivals_between_P arr_seq P t1 (job_arrival j1).
- Proof.
- intros * J1_IN J2_IN ARR_LT.
- rewrite mem_filter in J2_IN; move : J2_IN => /andP [PJ2 J2ARR] => //.
- rewrite mem_filter; apply /andP; split => //.
- apply mem_bigcat_nat_exists in J2ARR; move : J2ARR => [i [J2_IN INEQ]].
- apply mem_bigcat_nat with (j := i) => //.
- apply job_arrival_at in J2_IN; rt_eauto.
- by lia.
- Qed.
-
- (** We show that jobs in the sequence [arrivals_between_P] are ordered by their arrival times, i.e.,
- if index of a job [j2] is greater than or equal to index of any other job [j1] in the sequence,
- then [job_arrival j2] must be greater than or equal to [job_arrival j1]. *)
- Lemma index_lte_implies_arrival_lte_P:
- forall (P : Job -> bool) (t1 t2 : instant),
- (j1 \in arrivals_between_P arr_seq P t1 t2) ->
- (j2 \in arrivals_between_P arr_seq P t1 t2) ->
- index j1 (arrivals_between_P arr_seq P t1 t2) <= index j2 (arrivals_between_P arr_seq P t1 t2) ->
- job_arrival j1 <= job_arrival j2.
- Proof.
- intros * IN1 IN2 LE.
- move_neq_up LT; move_neq_down LE.
- rewrite -> arrivals_P_cat with (t := job_arrival j1); last by apply job_arrival_between_P in IN1; rt_eauto.
- rewrite !index_cat ifT; last by eapply arrival_lt_implies_job_in_arrivals_between_P; eauto.
- rewrite ifF.
- - eapply leq_trans; [ | by erewrite leq_addr].
- rewrite index_mem.
- by eapply arrival_lt_implies_job_in_arrivals_between_P; eauto.
- - apply Bool.not_true_is_false; intro T.
- by apply job_arrival_between_P in T; try lia; rt_eauto.
- Qed.
-
- (** We observe that index of job [j1] is same in the
- sequences [task_arrivals_up_to_job_arrival j1] and [task_arrivals_up_to_job_arrival j2]
- provided [j2] arrives after [j1]. *)
- Lemma job_index_same_in_task_arrivals:
- job_arrival j1 <= job_arrival j2 ->
- index j1 (task_arrivals_up_to_job_arrival arr_seq j1) = index j1 (task_arrivals_up_to_job_arrival arr_seq j2).
- Proof.
- rewrite leq_eqVlt => /orP [/eqP LT|LT]; first by rewrite /task_arrivals_up_to_job_arrival LT H_same_task.
- have CONSISTENT : consistent_arrival_times arr_seq by rt_eauto.
- specialize (arrival_lt_implies_strict_prefix arr_seq CONSISTENT (job_task j1) j1 j2) => SUB.
- feed_n 5 SUB => //; move: SUB => [xs2 [NEMPT2 CAT2]].
- rewrite -CAT2 index_cat ifT //=.
- by apply arrives_in_task_arrivals_up_to => //.
- Qed.
-
- (** We show that the [job_index] of a job [j1] is strictly less than
- the size of [task_arrivals_up_to_job_arrival arr_seq j1]. *)
- Lemma index_job_lt_size_task_arrivals_up_to_job:
- job_index arr_seq j1 < size (task_arrivals_up_to_job_arrival arr_seq j1).
- Proof.
- rewrite /job_index index_mem.
- by apply arrives_in_task_arrivals_up_to; rt_eauto.
- Qed.
-
- (** Finally, we show that a lower job index implies an earlier arrival time. *)
- Lemma index_lte_implies_arrival_lte:
- job_index arr_seq j2 <= job_index arr_seq j1 ->
- job_arrival j2 <= job_arrival j1.
- Proof.
- intros IND_LT.
- rewrite /job_index in IND_LT.
- move_neq_up ARR_GT; move_neq_down IND_LT.
- rewrite job_index_same_in_task_arrivals /task_arrivals_up_to_job_arrival; try by lia.
- rewrite -> task_arrivals_cat with (t_m := job_arrival j1); try by lia.
- rewrite -H_same_task !index_cat ifT; try by apply arrives_in_task_arrivals_up_to; rt_eauto.
- rewrite ifF.
- - by eapply leq_trans;
- [apply index_job_lt_size_task_arrivals_up_to_job | rewrite leq_addr].
- - apply Bool.not_true_is_false; intro T.
- by apply job_arrival_between_P in T; try lia; rt_eauto.
- Qed.
-
- (** We show that if job [j1] arrives earlier than job [j2]
- then [job_index arr_seq j1] is strictly less than [job_index arr_seq j2]. *)
- Lemma earlier_arrival_implies_lower_index:
- job_arrival j1 < job_arrival j2 ->
- job_index arr_seq j1 < job_index arr_seq j2.
- Proof.
- intros ARR_LT.
- move_neq_up IND_LT; move_neq_down ARR_LT.
- by apply index_lte_implies_arrival_lte.
- Qed.
-
- (** We prove a weaker version of the lemma [index_job_lt_size_task_arrivals_up_to_job],
- given that the [job_index] of [j] is positive. *)
- Lemma job_index_minus_one_lt_size_task_arrivals_up_to:
- job_index arr_seq j1 - 1 < size (task_arrivals_up_to_job_arrival arr_seq j1).
- Proof.
- apply leq_ltn_trans with (n := job_index arr_seq j1); try by lia.
- by apply index_job_lt_size_task_arrivals_up_to_job.
- Qed.
-
- (** Since [task_arrivals_up_to_job_arrival arr_seq j] has at least the job
- [j] in it, its size has to be positive. *)
- Lemma positive_job_index_implies_positive_size_of_task_arrivals:
- size (task_arrivals_up_to_job_arrival arr_seq j1) > 0.
- Proof.
- rewrite lt0n; apply /eqP; intro Z.
- apply size0nil in Z.
- have J_IN : (j1 \in task_arrivals_up_to_job_arrival arr_seq j1)
- by apply arrives_in_task_arrivals_up_to => //; rt_eauto.
- by rewrite Z in J_IN.
- Qed.
-
-End JobIndexLemmas.
-
-(** In this section, we prove a few basic properties of
- function [prev_job]. *)
-Section PreviousJob.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any jobs associated with the tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any unique arrival sequence with consistent arrivals ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... and an arbitrary job with a positive [job_index]. *)
- Variable j : Job.
- Hypothesis H_arrives_in_arr_seq: arrives_in arr_seq j.
- Hypothesis H_positive_job_index: job_index arr_seq j > 0.
-
- (** We observe that the fact that job [j] is in the arrival sequence
- implies that job [prev_job j] is in the arrival sequence. *)
- Lemma prev_job_arr:
- arrives_in arr_seq (prev_job arr_seq j).
- Proof.
- destruct (default_or_in (job_index arr_seq j - 1) j (task_arrivals_up_to_job_arrival arr_seq j)) as [EQ|IN].
- + by rewrite /prev_job EQ.
- + apply in_arrivals_implies_arrived with (t1 := 0) (t2 := (job_arrival j).+1).
- by move: IN; rewrite mem_filter => /andP [_ IN].
- Qed.
-
- (** We show that the index of [prev_job j] in task arrivals up to [j] is one less
- than [job_index arr_seq j]. *)
- Lemma prev_job_index:
- index (prev_job arr_seq j) (task_arrivals_up_to_job_arrival arr_seq j) = job_index arr_seq j - 1.
- Proof.
- apply index_uniq; last by apply uniq_task_arrivals; rt_eauto.
- apply leq_ltn_trans with (n := job_index arr_seq j); try by lia.
- by apply index_job_lt_size_task_arrivals_up_to_job.
- Qed.
-
- (** Observe that job [j] and [prev_job j] stem from the same task. *)
- Lemma prev_job_task:
- job_task (prev_job arr_seq j) = job_task j.
- Proof.
- specialize (job_index_minus_one_lt_size_task_arrivals_up_to arr_seq H_valid_arrival_sequence j H_arrives_in_arr_seq) => SIZEL.
- rewrite -prev_job_index index_mem mem_filter in SIZEL.
- by move : SIZEL => /andP [/eqP TSK PREV_IN].
- Qed.
-
- (** We show that [prev_job arr_seq j] belongs in [task_arrivals_up_to_job_arrival arr_seq j]. *)
- Lemma prev_job_in_task_arrivals_up_to_j:
- prev_job arr_seq j \in task_arrivals_up_to_job_arrival arr_seq j.
- Proof.
- rewrite /prev_job -index_mem index_uniq;
- try by apply job_index_minus_one_lt_size_task_arrivals_up_to.
- by apply uniq_task_arrivals; rt_eauto.
- Qed.
-
- (** We observe that for any job [j] the arrival time of [prev_job j] is
- strictly less than the arrival time of [j] in context of periodic tasks. *)
- Lemma prev_job_arr_lte:
- job_arrival (prev_job arr_seq j) <= job_arrival j.
- Proof.
- move : (prev_job_in_task_arrivals_up_to_j) => PREV_JOB_IN.
- rewrite mem_filter in PREV_JOB_IN; move : PREV_JOB_IN => /andP [TSK PREV_IN].
- apply mem_bigcat_nat_exists in PREV_IN; move : PREV_IN => [i [PREV_IN INEQ]].
- move : H_valid_arrival_sequence => [CONSISTENT UNIQ].
- apply CONSISTENT in PREV_IN; rewrite -PREV_IN in INEQ.
- by lia.
- Qed.
-
- (** We show that for any job [j] the job index of [prev_job j] is one less
- than the job index of [j]. *)
- Lemma prev_job_index_j:
- job_index arr_seq j > 0 ->
- job_index arr_seq (prev_job arr_seq j) = job_index arr_seq j - 1.
- Proof.
- intros NZ_IND.
- rewrite -prev_job_index.
- apply job_index_same_in_task_arrivals => //; rt_eauto.
- - by apply prev_job_arr.
- - by apply prev_job_task.
- - by apply prev_job_arr_lte.
- Qed.
-
- (** We also show that for any job [j] there are no task arrivals
- between [prev_job j] and [j].*)
- Lemma no_jobs_between_consecutive_jobs:
- job_index arr_seq j > 0 ->
- task_arrivals_between arr_seq (job_task j)
- (job_arrival (prev_job arr_seq j)).+1 (job_arrival j) = [::].
- Proof.
- move => POS_IND.
- move : (prev_job_arr_lte); rewrite leq_eqVlt; move => /orP [/eqP EQ | LT].
- - rewrite EQ.
- apply/eqP/negPn/negP; rewrite -has_filter => /hasP [j' IN /eqP TASK].
- apply mem_bigcat_nat_exists in IN; move : IN => [i [J'_IN ARR_INEQ]].
- by lia.
- - apply/eqP/negPn/negP; rewrite -has_filter => /hasP [j3 IN /eqP TASK].
- apply mem_bigcat_nat_exists in IN; move : IN => [i [J3_IN ARR_INEQ]].
- have J3_ARR : (arrives_in arr_seq j3) by apply in_arrseq_implies_arrives with (t := i).
- apply job_arrival_at in J3_IN; rt_eauto; rewrite -J3_IN in ARR_INEQ.
- move : ARR_INEQ => /andP [PJ_L_J3 J3_L_J].
- apply (earlier_arrival_implies_lower_index arr_seq H_valid_arrival_sequence _ _) in PJ_L_J3 => //; try by
- rewrite prev_job_task.
- + apply (earlier_arrival_implies_lower_index arr_seq H_valid_arrival_sequence _ _) in J3_L_J => //.
- by rewrite prev_job_index_j in PJ_L_J3; try by lia.
- + by apply prev_job_arr.
- Qed.
-
- (** We show that there always exists a job of lesser [job_index] than a
- job with a positive [job_index] that arrives in the arrival sequence. *)
- Lemma exists_jobs_before_j:
- forall k,
- k < job_index arr_seq j ->
- exists j',
- j <> j' /\
- job_task j' = job_task j /\
- arrives_in arr_seq j' /\
- job_index arr_seq j' = k.
- Proof.
- clear H_positive_job_index.
- intros k K_LT.
- exists (nth j (task_arrivals_up_to_job_arrival arr_seq j) k).
- set (jk := nth j (task_arrivals_up_to_job_arrival arr_seq j) k).
- have K_LT_SIZE : (k < size (task_arrivals_up_to_job_arrival arr_seq j)) by
- apply leq_trans with (n := job_index arr_seq j) => //; first by apply index_size.
- have JK_IN : (jk \in task_arrivals_up_to_job_arrival arr_seq j) by rewrite /jk; apply mem_nth => //.
- rewrite mem_filter in JK_IN; move : JK_IN => /andP [/eqP TSK JK_IN].
- apply mem_bigcat_nat_exists in JK_IN; move : JK_IN => [i [JK_IN I_INEQ]].
- have JK_ARR : (arrives_in arr_seq jk) by apply in_arrseq_implies_arrives with (t := i) => //.
- have INDJK : (index jk (task_arrivals_up_to_job_arrival arr_seq j) = k).
- { apply index_uniq => //.
- by apply uniq_task_arrivals => //; rt_eauto. }
- repeat split => //.
- { rewrite -> diff_jobs_iff_diff_indices => //; eauto.
- rewrite /job_index; rewrite [in X in _ <> X] (job_index_same_in_task_arrivals _ _ jk j) => //.
- - rewrite index_uniq -/(job_index arr_seq j)=> //; last by apply uniq_task_arrivals; rt_eauto.
- by lia.
- - by apply job_arrival_at in JK_IN; rt_eauto; rewrite -JK_IN in I_INEQ. }
- { rewrite /job_index; rewrite [in X in X = _] (job_index_same_in_task_arrivals _ _ jk j) => //.
- by apply job_arrival_at in JK_IN; rt_eauto; rewrite -JK_IN in I_INEQ. }
- Qed.
-
-End PreviousJob.
diff --git a/analysis/facts/model/arrival_curves.v b/analysis/facts/model/arrival_curves.v
deleted file mode 100644
index 0bcfa04b0bb3dc72f9c69ea88c56fdb7629f2ca8..0000000000000000000000000000000000000000
--- a/analysis/facts/model/arrival_curves.v
+++ /dev/null
@@ -1,49 +0,0 @@
-Require Export prosa.util.epsilon.
-Require Export prosa.model.task.arrival.curves.
-Require Export prosa.analysis.facts.model.task_arrivals.
-
-(** * Facts About Arrival Curves *)
-
-
-(** We observe that tasks that exhibit job arrivals must have non-pathological
- arrival curves. This allows excluding pathological cases in higher-level
- proofs. *)
-Section NonPathologicalCurve.
-
- (** Consider any kind of tasks characterized by an upper-bounding arrival curve... *)
- Context {Task : TaskType} `{MaxArrivals Task}.
- (** ... and the corresponding type of jobs. *)
- Context {Job : JobType} `{JobTask Job Task}.
-
- (** Consider an arbitrary task ... *)
- Variable tsk : Task.
-
- (** ... and an arrival sequence ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... that is compliant with the upper-bounding arrival curve. *)
- Hypothesis H_curve_is_valid : respects_max_arrivals arr_seq tsk (max_arrivals tsk).
-
- (** If we have evidence that a job of the task [tsk] ... *)
- Variable j : Job.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
-
- (** ... arrives at any point in time, ... *)
- Hypothesis H_arrives : arrives_in arr_seq j.
-
- (** ... then the maximum number of job arrivals in a non-empty interval cannot
- be zero. *)
- Lemma non_pathological_max_arrivals :
- max_arrivals tsk ε > 0.
- Proof.
- move: (H_arrives) => [t ARR].
- move: (H_curve_is_valid t t.+1) => VALID.
- have -> : ε = t.+1 - t by rewrite /ε; lia.
- apply: leq_trans; last by apply VALID.
- rewrite /number_of_task_arrivals size_of_task_arrivals_between.
- rewrite big_ltn // big_geq // addn0.
- rewrite /task_arrivals_at size_filter //= -has_count.
- by apply /hasP; exists j.
- Qed.
-
-End NonPathologicalCurve.
diff --git a/analysis/facts/model/ideal/schedule.v b/analysis/facts/model/ideal/schedule.v
deleted file mode 100644
index d60015e25e7b5b8778436f0a2e864e197bfe886e..0000000000000000000000000000000000000000
--- a/analysis/facts/model/ideal/schedule.v
+++ /dev/null
@@ -1,292 +0,0 @@
-Require Export prosa.util.all.
-Require Export prosa.model.processor.platform_properties.
-Require Export prosa.analysis.facts.behavior.service.
-Require Import prosa.model.processor.ideal.
-
-(** Note: we do not re-export the basic definitions to avoid littering the global
- namespace with type class instances. *)
-
-(** In this section we establish the classes to which an ideal schedule belongs. *)
-Section ScheduleClass.
-
- (** We assume ideal uni-processor schedules. *)
- #[local] Existing Instance ideal.processor_state.
-
- Local Transparent scheduled_in scheduled_on.
- (** Consider any job type and the ideal processor model. *)
- Context {Job: JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We note that the ideal processor model is indeed a uni-processor
- model. *)
- Lemma ideal_proc_model_is_a_uniprocessor_model:
- uniprocessor_model (processor_state Job).
- Proof.
- move=> j1 j2 sched t /existsP[[]/eqP E1] /existsP[[]/eqP E2].
- by move: E1 E2 =>->[].
- Qed.
-
- (** By definition, [service_in] is the sum of the service received
- in total across all cores. In the ideal uniprocessor model,
- however, there is only one "core," which is expressed by using
- [unit] as the type of cores. The type [unit] only has a single
- member [tt], which serves as a placeholder. Consequently, the
- definition of [service_in] simplifies to a single term of the
- sum, the service on the one core, which we note with the
- following lemma that relates [service_in] to [service_on]. *)
- Lemma service_in_service_on (j : Job) s :
- service_in j s = service_on j s tt.
- Proof.
- by rewrite /service_in /index_enum Finite.EnumDef.enumDef /= big_seq1.
- Qed.
-
- (** Furthermore, since the ideal uniprocessor state is represented
- by the [option Job] type, [service_in] further simplifies to a
- simple equality comparison, which we note next. *)
- Lemma service_in_def (j : Job) (s : processor_state Job) :
- service_in j s = (s == Some j).
- Proof.
- by rewrite service_in_service_on.
- Qed.
-
- (** We observe that the ideal processor model falls into the category
- of ideal-progress models, i.e., a scheduled job always receives
- service. *)
- Lemma ideal_proc_model_ensures_ideal_progress:
- ideal_progress_proc_model (processor_state Job).
- Proof.
- move=> j s /existsP[[]/eqP->] /=.
- by rewrite service_in_def /= eqxx /nat_of_bool.
- Qed.
-
- (** The ideal processor model is a unit-service model. *)
- Lemma ideal_proc_model_provides_unit_service:
- unit_service_proc_model (processor_state Job).
- Proof.
- move=> j s.
- rewrite service_in_def /= /nat_of_bool.
- by case:ifP.
- Qed.
-
- Lemma scheduled_in_def (j : Job) s :
- scheduled_in j s = (s == Some j).
- Proof.
- rewrite /scheduled_in/scheduled_on/=.
- case: existsP=>[[_->]//|].
- case: (s == Some j)=>//=[[]].
- by exists.
- Qed.
-
- Lemma scheduled_at_def sched (j : Job) t :
- scheduled_at sched j t = (sched t == Some j).
- Proof.
- by rewrite /scheduled_at scheduled_in_def.
- Qed.
-
- Lemma service_in_is_scheduled_in (j : Job) s :
- service_in j s = scheduled_in j s.
- Proof.
- by rewrite service_in_def scheduled_in_def.
- Qed.
-
- Lemma service_at_is_scheduled_at sched (j : Job) t :
- service_at sched j t = scheduled_at sched j t.
- Proof.
- by rewrite /service_at service_in_is_scheduled_in.
- Qed.
-
- Lemma service_on_def (j : Job) (s : processor_state Job) c :
- service_on j s c = (s == Some j).
- Proof.
- done.
- Qed.
-
- Lemma service_at_def sched (j : Job) t :
- service_at sched j t = (sched t == Some j).
- Proof.
- by rewrite /service_at service_in_def.
- Qed.
-
- (** Next we prove a lemma which helps us to do a case analysis on
- the state of an ideal schedule. *)
- Lemma ideal_proc_model_sched_case_analysis:
- forall (sched : schedule (ideal.processor_state Job)) (t : instant),
- is_idle sched t \/ exists j, scheduled_at sched j t.
- Proof.
- intros.
- unfold is_idle; simpl; destruct (sched t) eqn:EQ.
- - by right; exists s; auto; rewrite scheduled_at_def EQ.
- - by left; auto.
- Qed.
-
- (** We prove that if a job [j] is scheduled at a time instant [t],
- then the scheduler is not idle at [t]. *)
- Lemma ideal_sched_implies_not_idle sched (j : Job) t :
- scheduled_at sched j t ->
- ~ is_idle sched t.
- Proof.
- rewrite scheduled_at_def => /eqP SCHED /eqP IDLE.
- by rewrite IDLE in SCHED; inversion SCHED.
- Qed.
-
- (** On a similar note, if a scheduler is idle at a time instant [t],
- then no job can receive service at [t]. *)
- Lemma ideal_not_idle_implies_sched sched (j : Job) t :
- is_idle sched t ->
- service_at sched j t = 0.
- Proof. by rewrite service_at_is_scheduled_at scheduled_at_def => /eqP ->. Qed.
-
-End ScheduleClass.
-
-(** * Incremental Service in Ideal Schedule *)
-(** In the following section we prove a few facts about service in ideal schedule. *)
-(* Note that these lemmas can be generalized to an arbitrary scheduler. *)
-Section IncrementalService.
-
- (** Consider any job type, ... *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** ... any arrival sequence, ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any ideal uni-processor schedule of this arrival sequence. *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** As a base case, we prove that if a job [j] receives service in
- some time interval <<[t1,t2)>>, then there exists a time instant
- <<t ∈ [t1,t2)>> such that [j] is scheduled at time [t] and [t] is
- the first instant where [j] receives service. *)
- Lemma positive_service_during:
- forall j t1 t2,
- 0 < service_during sched j t1 t2 ->
- exists t : nat, t1 <= t < t2 /\ scheduled_at sched j t /\ service_during sched j t1 t = 0.
- Proof.
- intros j t1 t2 SERV.
- have LE: t1 <= t2.
- { rewrite leqNgt; apply/negP; intros CONTR.
- by apply ltnW in CONTR; move: SERV; rewrite /service_during big_geq.
- }
- destruct (scheduled_at sched j t1) eqn:SCHED.
- { exists t1; repeat split; try done.
- - apply/andP; split; first by done.
- rewrite ltnNge; apply/negP; intros CONTR.
- by move: SERV; rewrite/service_during big_geq.
- - by rewrite /service_during big_geq.
- }
- { apply negbT in SCHED.
- move: SERV.
- rewrite /service_during sum_nat_gt0 filter_predT => /hasP[t IN SCHEDt].
- rewrite service_at_def /= lt0b in SCHEDt.
- rewrite mem_iota subnKC in IN; last by done.
- move: IN => /andP [IN1 IN2].
- move: (exists_first_intermediate_point
- ((fun t => scheduled_at sched j t)) t1 t IN1 SCHED) => A.
- feed A; first by rewrite scheduled_at_def/=.
- move: A => [x [/andP [T1 T4] [T2 T3]]].
- exists x; repeat split; try done.
- - apply/andP; split; first by apply ltnW.
- by apply leq_ltn_trans with t.
- - apply/eqP; rewrite big_nat_cond big1 //.
- move => y /andP [T5 _].
- apply/eqP.
- rewrite service_at_def /= eqb0.
- by specialize (T2 y); rewrite scheduled_at_def/= in T2; apply T2.
- }
- Qed.
-
- (** Furthermore, we observe that, if a job receives some positive
- amount of service during an interval <<[t1, t2)>>, then the
- interval can't be empty and hence [t1 < t2]. *)
- Lemma service_during_ge :
- forall j t1 t2 k,
- service_during sched j t1 t2 > k ->
- t1 < t2.
- Proof.
- move=> j t1 t2 k SERV.
- rewrite leqNgt.
- apply/negP => CONTR.
- move: SERV.
- by rewrite /service_during big_geq.
- Qed.
-
- (** Next, we prove that if in some time interval <<[t1,t2)>> a job [j]
- receives [k] units of service, then there exists a time instant
- <<t ∈ [t1,t2)>> such that [j] is scheduled at time [t] and service
- of job [j] within interval <<[t1,t)>> is equal to [k]. *)
- Lemma incremental_service_during:
- forall j t1 t2 k,
- service_during sched j t1 t2 > k ->
- exists t, t1 <= t < t2 /\ scheduled_at sched j t /\ service_during sched j t1 t = k.
- Proof.
- move=> j t1 t2 k SERV.
- have LE: t1 < t2 by move: (service_during_ge _ _ _ _ SERV).
- induction k; first by apply positive_service_during in SERV.
- feed IHk; first by apply ltn_trans with k.+1.
- move: IHk => [t [/andP [NEQ1 NEQ2] [SCHEDt SERVk]]].
- have SERVk1: service_during sched j t1 t.+1 = k.+1.
- { rewrite -(service_during_cat _ _ _ t); last by apply/andP; split.
- rewrite SERVk -[X in _ = X]addn1; apply/eqP; rewrite eqn_add2l.
- rewrite /service_during big_nat1 service_at_def /=.
- by rewrite eqb1 -scheduled_at_def /=.
- }
- move: SERV; rewrite -(service_during_cat _ _ _ t.+1); last first.
- { by apply/andP; split; first apply leq_trans with t. }
- rewrite SERVk1 -addn1 leq_add2l; move => SERV.
- destruct (scheduled_at sched j t.+1) eqn:SCHED.
- - exists t.+1; repeat split; try done. apply/andP; split.
- + apply leq_trans with t; by done.
- + rewrite ltnNge; apply/negP; intros CONTR.
- by move: SERV; rewrite /service_during big_geq.
- - apply negbT in SCHED.
- move: SERV; rewrite /service /service_during sum_nat_gt0 filter_predT; move => /hasP[x INx SCHEDx].
- rewrite service_at_def lt0b in SCHEDx.
- rewrite mem_iota subnKC in INx; last by done.
- move: INx => /andP [INx1 INx2].
- move: (exists_first_intermediate_point _ _ _ INx1 SCHED) => A.
- feed A; first by rewrite scheduled_at_def/=.
- move: A => [y [/andP [T1 T4] [T2 T3]]].
- exists y; repeat split => //.
- + apply/andP; split.
- apply leq_trans with t; first by done.
- apply ltnW, ltn_trans with t.+1; by done.
- by apply leq_ltn_trans with x.
- + rewrite (@big_cat_nat _ _ _ t.+1) //=; [ | by apply leq_trans with t | by apply ltn_trans with t.+1].
- unfold service_during in SERVk1; rewrite SERVk1; apply/eqP.
- rewrite -{2}[k.+1]addn0 eqn_add2l.
- rewrite big_nat_cond big1 //; move => z /andP [H5 _].
- apply/eqP.
- rewrite service_at_def eqb0.
- by specialize (T2 z); rewrite scheduled_at_def/= in T2; apply T2.
- Qed.
-
-End IncrementalService.
-
-(** * Automation *)
-(** We add the above lemmas into a "Hint Database" basic_rt_facts, so Coq
- will be able to apply them automatically. *)
-Global Hint Resolve ideal_proc_model_is_a_uniprocessor_model
- ideal_proc_model_ensures_ideal_progress
- ideal_proc_model_provides_unit_service : basic_rt_facts.
-
-(** We also provide tactics for case analysis on ideal processor state. *)
-
-(** The first tactic generates two sub-goals: one with idle processor and
- the other with processor executing a job named [JobName]. *)
-Ltac ideal_proc_model_sched_case_analysis sched t JobName :=
- let Idle := fresh "Idle" in
- let Sched := fresh "Sched_" JobName in
- destruct (ideal_proc_model_sched_case_analysis sched t) as [Idle | [JobName Sched]].
-
-(** The second tactic is similar to the first, but it additionally generates
- two equalities: [sched t = None] and [sched t = Some j]. *)
-Ltac ideal_proc_model_sched_case_analysis_eq sched t JobName :=
- let Idle := fresh "Idle" in
- let IdleEq := fresh "Eq" Idle in
- let Sched := fresh "Sched_" JobName in
- let SchedEq := fresh "Eq" Sched in
- destruct (ideal_proc_model_sched_case_analysis sched t) as [Idle | [JobName Sched]];
- [move: (Idle) => /eqP IdleEq; rewrite ?IdleEq
- | move: (Sched); simpl; move => /eqP SchedEq; rewrite ?SchedEq].
diff --git a/analysis/facts/model/ideal/service_of_jobs.v b/analysis/facts/model/ideal/service_of_jobs.v
deleted file mode 100644
index 093ec21f3223f9a7e2cd52c00410db1db94e5420..0000000000000000000000000000000000000000
--- a/analysis/facts/model/ideal/service_of_jobs.v
+++ /dev/null
@@ -1,84 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq fintype bigop.
-
-Require Export prosa.model.aggregate.workload.
-Require Export prosa.model.aggregate.service_of_jobs.
-Require Export prosa.analysis.facts.model.service_of_jobs.
-Require Export prosa.analysis.facts.behavior.completion.
-
-(** Throughout this file, we assume ideal uni-processor schedules. *)
-Require Import prosa.model.processor.ideal.
-Require Export prosa.analysis.facts.model.ideal.schedule.
-
-(** * Service Received by Sets of Jobs in Ideal Uni-Processor Schedules *)
-
-(** In this file, we establish a fact about the service received by _sets_ of
- jobs under ideal uni-processor schedule and the presence of idle times. The
- lemma is currently specific to ideal uniprocessors only because of the lack
- of a general notion of idle time, which should be added in the near
- future. Conceptually, the fact holds for any [ideal_progress_proc_model].
- Once a general notion of idle time has been defined, this file should be
- generalized. *)
-Section IdealModelLemmas.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Next, consider any ideal uni-processor schedule of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Let [P] be any predicate over jobs. *)
- Variable P : pred Job.
-
- (** We prove that if the total service within some time interval <<[t1,t2)>>
- is smaller than <<t2 - t1>>, then there is an idle time instant [t ∈ [t1,t2)]. *)
- Lemma low_service_implies_existence_of_idle_time :
- forall t1 t2,
- service_of_jobs sched predT (arrivals_between arr_seq 0 t2) t1 t2 < t2 - t1 ->
- exists t, t1 <= t < t2 /\ is_idle sched t.
- Proof.
- intros ? ? SERV.
- destruct (t1 <= t2) eqn:LE; last first.
- { move: LE => /negP/negP; rewrite -ltnNge.
- move => LT; apply ltnW in LT; rewrite -subn_eq0 in LT.
- by move: LT => /eqP -> in SERV; rewrite ltn0 in SERV.
- }
- have EX: exists δ, t2 = t1 + δ.
- { by exists (t2 - t1); rewrite subnKC // ltnW. }
- move: EX => [δ EQ]; subst t2; clear LE.
- rewrite {3}[t1 + δ]addnC -addnBA // subnn addn0 in SERV.
- rewrite /service_of_jobs exchange_big //= in SERV.
- apply sum_le_summation_range in SERV.
- move: SERV => [x [/andP [GEx LEx] L]].
- exists x; split; first by apply/andP; split.
- apply/negPn; apply/negP; intros NIDLE.
- unfold is_idle in NIDLE.
- destruct(sched x) eqn:SCHED; last by done.
- move: SCHED => /eqP SCHED; clear NIDLE; rewrite -scheduled_at_def/= in SCHED.
- move: L => /eqP; rewrite sum_nat_eq0_nat filter_predT; move => /allP L.
- specialize (L s); feed L.
- { unfold arrivals_between.
- eapply arrived_between_implies_in_arrivals; eauto 2.
- by apply H_jobs_must_arrive_to_execute in SCHED; apply leq_ltn_trans with x.
- }
- move: SCHED L => /=.
- rewrite scheduled_at_def service_at_def => /eqP-> /eqP.
- by rewrite eqxx.
- Qed.
-
-End IdealModelLemmas.
diff --git a/analysis/facts/model/offset.v b/analysis/facts/model/offset.v
deleted file mode 100644
index 8f29fd3d826e8d8f10c9792a26f239218b4e9805..0000000000000000000000000000000000000000
--- a/analysis/facts/model/offset.v
+++ /dev/null
@@ -1,62 +0,0 @@
-Require Export prosa.model.task.offset.
-Require Export prosa.analysis.facts.job_index.
-
-(** In this module, we prove some properties of task offsets. *)
-Section OffsetLemmas.
-
- (** Consider any type of tasks with an offset ... *)
- Context {Task : TaskType}.
- Context `{TaskOffset Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any arrival sequence with consistent and non-duplicate arrivals ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... and any job [j] (that stems from the arrival sequence) of any
- task [tsk] with a valid offset. *)
- Variable tsk : Task.
- Variable j : Job.
- Hypothesis H_job_of_task: job_task j = tsk.
- Hypothesis H_valid_offset: valid_offset arr_seq tsk.
- Hypothesis H_job_from_arrseq: arrives_in arr_seq j.
-
- (** We show that the if [j] is the first job of task [tsk]
- then [j] arrives at [task_offset tsk]. *)
- Lemma first_job_arrival:
- job_index arr_seq j = 0 ->
- job_arrival j = task_offset tsk.
- Proof.
- intros INDX.
- move: H_valid_offset => [BEFORE [j' [ARR' [TSK ARRIVAL]]]].
- case: (boolP (j' == j)) => [/eqP EQ|NEQ]; first by rewrite -EQ.
- destruct (PeanoNat.Nat.zero_or_succ (job_index arr_seq j')) as [Z | [m N]].
- - move: NEQ => /eqP NEQ; contradict NEQ.
- by eapply equal_index_implies_equal_jobs; eauto;
- [rewrite TSK | rewrite Z INDX].
- - have IND_LTE : (job_index arr_seq j <= job_index arr_seq j') by rewrite INDX N.
- apply index_lte_implies_arrival_lte in IND_LTE => //; last by rewrite TSK.
- by apply/eqP; rewrite eqn_leq; apply/andP; split;
- [lia | apply H_valid_offset].
- Qed.
-
- (** Consider any task set [ts]. *)
- Variable ts : TaskSet Task.
-
- (** If task [tsk] is in [ts], then its offset
- is less than or equal to the maximum offset of all tasks
- in [ts]. *)
- Lemma max_offset_g:
- tsk \in ts ->
- task_offset tsk <= max_task_offset ts.
- Proof.
- intros TSK_IN.
- apply in_max0_le.
- by apply map_f.
- Qed.
-
-End OffsetLemmas.
diff --git a/analysis/facts/model/preemption.v b/analysis/facts/model/preemption.v
deleted file mode 100644
index 3d96f51ad7c02f557509b40d6373ae01160c60c7..0000000000000000000000000000000000000000
--- a/analysis/facts/model/preemption.v
+++ /dev/null
@@ -1,126 +0,0 @@
-Require Export prosa.model.schedule.priority_driven.
-Require Export prosa.analysis.facts.model.ideal.schedule.
-Require Export prosa.analysis.facts.behavior.completion.
-
-(** In this section, we establish two basic facts about preemption times. *)
-Section PreemptionTimes.
-
- (** Consider any type of jobs. *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** In addition, we assume the existence of a function mapping a job and
- its progress to a boolean value saying whether this job is
- preemptable at its current point of execution. *)
- Context `{JobPreemptable Job}.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Next, consider any ideal uniprocessor schedule of this arrival sequence... *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** ...where, jobs come from the arrival sequence. *)
- Hypothesis H_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched arr_seq.
-
- (** Consider a valid preemption model. *)
- Hypothesis H_valid_preemption_model : valid_preemption_model arr_seq sched.
-
- (** We show that time 0 is a preemption time. *)
- Lemma zero_is_pt: preemption_time sched 0.
- Proof.
- unfold preemption_time.
- case SCHED: (sched 0) => [j | ]; last by done.
- move: (SCHED) => /eqP; rewrite -scheduled_at_def; move => ARR.
- apply H_jobs_come_from_arrival_sequence in ARR.
- rewrite /service /service_during big_geq; last by done.
- by move: (H_valid_preemption_model j ARR) => [PP _].
- Qed.
- (** Also, we show that the first instant of execution is a preemption time. *)
- Lemma first_moment_is_pt:
- forall j prt,
- arrives_in arr_seq j ->
- ~~ scheduled_at sched j prt ->
- scheduled_at sched j prt.+1 ->
- preemption_time sched prt.+1.
- Proof.
- intros s pt ARR NSCHED SCHED.
- unfold preemption_time.
- move: (SCHED); rewrite scheduled_at_def; move => /eqP SCHED2; rewrite SCHED2; clear SCHED2.
- by move: (H_valid_preemption_model s ARR) => [_ [_ [_ P]]]; apply P.
- Qed.
-
-End PreemptionTimes.
-
-(** In this section, we prove a lemma relating scheduling and preemption times. *)
-Section PreemptionFacts.
-
- (** Consider any type of jobs. *)
- Context {Job : JobType}.
- Context `{Arrival : JobArrival Job}.
- Context `{Cost : JobCost Job}.
- Context `{@JobReady Job (ideal.processor_state Job) Cost Arrival}.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Next, consider any ideal uni-processor schedule of this arrival sequence, ... *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** ...and, assume that the schedule is valid. *)
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
-
- (** In addition, we assume the existence of a function mapping jobs to their preemption points ... *)
- Context `{JobPreemptable Job}.
-
- (** ... and assume that it defines a valid preemption model. *)
- Hypothesis H_valid_preemption_model : valid_preemption_model arr_seq sched.
-
- (** We prove that every nonpreemptive segment always begins with a preemption time. *)
- Lemma scheduling_of_any_segment_starts_with_preemption_time:
- forall j t,
- scheduled_at sched j t ->
- exists pt,
- job_arrival j <= pt <= t /\
- preemption_time sched pt /\
- (forall t', pt <= t' <= t -> scheduled_at sched j t').
- Proof.
- intros s t SCHEDst.
- have EX: exists t', (t' <= t) && (scheduled_at sched s t')
- && (all (fun t'' => scheduled_at sched s t'') (index_iota t' t.+1 )).
- { exists t. apply/andP; split; [ by apply/andP; split | ].
- apply/allP; intros t'.
- by rewrite mem_index_iota ltnS -eqn_leq; move => /eqP <-.
- }
- have MATE : jobs_must_arrive_to_execute sched by rt_eauto.
- move : (H_sched_valid) => [COME_ARR READY].
- have MIN := ex_minnP EX.
- move: MIN => [mpt /andP [/andP [LT1 SCHEDsmpt] /allP ALL] MIN]; clear EX.
- destruct mpt.
- - exists 0; repeat split.
- + by apply/andP; split => //; apply MATE.
- + eapply (zero_is_pt arr_seq); eauto 2.
- + by intros; apply ALL; rewrite mem_iota subn0 add0n ltnS.
- - have NSCHED: ~~ scheduled_at sched s mpt.
- { apply/negP; intros SCHED.
- enough (F : mpt < mpt); first by rewrite ltnn in F.
- apply MIN.
- apply/andP; split; [by apply/andP; split; [ apply ltnW | ] | ].
- apply/allP; intros t'.
- rewrite mem_index_iota; move => /andP [GE LE].
- move: GE; rewrite leq_eqVlt; move => /orP [/eqP EQ| LT].
- - by subst t'.
- - by apply ALL; rewrite mem_index_iota; apply/andP; split.
- }
- have PP: preemption_time sched mpt.+1 by eapply (first_moment_is_pt arr_seq) with (j := s); eauto 2.
- exists mpt.+1; repeat split; try done.
- + apply/andP; split; last by done.
- by apply MATE in SCHEDsmpt.
- + move => t' /andP [GE LE].
- by apply ALL; rewrite mem_index_iota; apply/andP; split.
- Qed.
-
-End PreemptionFacts.
diff --git a/analysis/facts/model/rbf.v b/analysis/facts/model/rbf.v
deleted file mode 100644
index 4bdea4d10491817cf00011f98315bf5a8f6d8c2f..0000000000000000000000000000000000000000
--- a/analysis/facts/model/rbf.v
+++ /dev/null
@@ -1,432 +0,0 @@
-Require Export prosa.analysis.facts.model.workload.
-Require Export prosa.analysis.facts.model.arrival_curves.
-Require Export prosa.analysis.definitions.job_properties.
-Require Export prosa.analysis.definitions.request_bound_function.
-Require Export prosa.analysis.definitions.schedulability.
-
-
-(** * Facts about Request Bound Functions (RBFs) *)
-
-(** In this file, we prove some lemmas about request bound functions. *)
-
-(** ** RBF is a Bound on Workload *)
-
-(** First, we show that a task's RBF is indeed an upper bound on its
- workload. *)
-Section ProofWorkloadBound.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... any schedule corresponding to this arrival sequence, ... *)
- Context {PState : ProcessorState Job}.
- Variable sched : schedule PState.
- Hypothesis H_jobs_come_from_arrival_sequence :
- jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ... and an FP policy that indicates a higher-or-equal priority relation. *)
- Context `{FP_policy Task}.
-
- (** Further, consider a task set [ts]... *)
- Variable ts : seq Task.
-
- (** ... and let [tsk] be any task in [ts]. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Assume that the job costs are no larger than the task costs ... *)
- Hypothesis H_valid_job_cost :
- arrivals_have_valid_job_costs arr_seq.
-
- (** ... and that all jobs come from the task set. *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** Let [max_arrivals] be any arrival bound for task-set [ts]. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_is_arrival_bound : taskset_respects_max_arrivals arr_seq ts.
-
- (** Next, recall the notions of total workload of jobs... *)
- Let total_workload t1 t2 := workload_of_jobs predT (arrivals_between arr_seq t1 t2).
-
- (** ... and the workload of jobs of the same task as job j. *)
- Let task_workload t1 t2 :=
- workload_of_jobs (job_of_task tsk) (arrivals_between arr_seq t1 t2).
-
- (** Finally, let us define some local names for clarity. *)
- Let task_rbf := task_request_bound_function tsk.
- Let total_rbf := total_request_bound_function ts.
-
- (** In this section, we prove that the workload of all jobs is
- no larger than the request bound function. *)
- Section WorkloadIsBoundedByRBF.
-
- (** Consider any time [t] and any interval of length [Δ]. *)
- Variable t : instant.
- Variable Δ : instant.
-
- (** First, we show that workload of task [tsk] is bounded by the number of
- arrivals of the task times the cost of the task. *)
- Lemma task_workload_le_num_of_arrivals_times_cost:
- task_workload t (t + Δ)
- <= task_cost tsk * number_of_task_arrivals arr_seq tsk t (t + Δ).
- Proof.
- rewrite /task_workload /workload_of_jobs/ number_of_task_arrivals
- /task_arrivals_between -big_filter -sum1_size big_distrr big_filter.
- destruct (task_arrivals_between arr_seq tsk t (t + Δ)) eqn:TASK.
- { unfold task_arrivals_between in TASK.
- by rewrite -big_filter !TASK !big_nil. }
- { rewrite //= big_filter big_seq_cond [in X in _ <= X]big_seq_cond.
- apply leq_sum.
- move => j' /andP [IN TSKj'].
- rewrite muln1.
- move: TSKj' => /eqP TSKj'; rewrite -TSKj'.
- apply H_valid_job_cost.
- by apply in_arrivals_implies_arrived in IN. }
- Qed.
-
- (** As a corollary, we prove that workload of task is no larger the than
- task request bound function. *)
- Corollary task_workload_le_task_rbf:
- task_workload t (t + Δ) <= task_rbf Δ.
- Proof.
- eapply leq_trans; first by apply task_workload_le_num_of_arrivals_times_cost.
- rewrite leq_mul2l; apply/orP; right.
- rewrite -{2}[Δ](addKn t).
- by apply H_is_arrival_bound; last rewrite leq_addr.
- Qed.
-
- (** Next, we prove that total workload of tasks is no larger than the total
- request bound function. *)
- Lemma total_workload_le_total_rbf:
- total_workload t (t + Δ) <= total_rbf Δ.
- Proof.
- set l := arrivals_between arr_seq t (t + Δ).
- apply (@leq_trans (\sum_(tsk' <- ts) (\sum_(j0 <- l | job_task j0 == tsk') job_cost j0))).
- { rewrite /total_workload.
- have EXCHANGE := exchange_big_dep predT.
- rewrite EXCHANGE /=; clear EXCHANGE; last by done.
- rewrite /workload_of_jobs -/l big_seq_cond [X in _ <= X]big_seq_cond.
- apply leq_sum; move => j0 /andP [IN0 HP0].
- rewrite big_mkcond (big_rem (job_task j0)) /=.
- rewrite eq_refl; apply leq_addr.
- by apply in_arrivals_implies_arrived in IN0; apply H_all_jobs_from_taskset. }
- apply leq_sum_seq; intros tsk0 INtsk0 HP0.
- apply (@leq_trans (task_cost tsk0 * size (task_arrivals_between arr_seq tsk0 t (t + Δ)))).
- { rewrite -sum1_size big_distrr /= big_filter -/l /workload_of_jobs muln1.
- apply leq_sum_seq => j0 IN0 /eqP <-.
- apply H_valid_job_cost.
- by apply in_arrivals_implies_arrived in IN0. }
- { rewrite leq_mul2l; apply/orP; right.
- rewrite -{2}[Δ](addKn t).
- by apply H_is_arrival_bound; last rewrite leq_addr. }
- Qed.
-
- (** Next, we consider any job [j] of [tsk]. *)
- Variable j : Job.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
-
- (** Consider any general predicate defined on tasks. *)
- Variable pred : pred Task.
-
- (** We prove that the sum of job cost of jobs whose corresponding task satisfies the predicate
- [pred] is bound by the RBF of these tasks. *)
- Lemma sum_of_jobs_le_sum_rbf:
- \sum_(j' <- arrivals_between arr_seq t (t + Δ) | pred (job_task j'))
- job_cost j' <=
- \sum_(tsk' <- ts| pred tsk')
- task_request_bound_function tsk' Δ.
- Proof.
- apply (@leq_trans (\sum_(tsk' <- filter pred ts)
- (\sum_(j' <- arrivals_between arr_seq t (t + Δ)
- | job_task j' == tsk') job_cost j'))).
- - move: (H_job_of_tsk) => /eqP TSK.
- rewrite [X in _ <= X]big_filter.
- set P := fun x => pred (job_task x).
- rewrite (exchange_big_dep P) //=; last by rewrite /P; move => ???/eqP->.
- rewrite /P /workload_of_jobs big_seq_cond [X in _ <= X]big_seq_cond.
- apply leq_sum => j0 /andP [IN0 HP0].
- rewrite big_mkcond (big_rem (job_task j0)).
- + by rewrite HP0 andTb eq_refl; apply leq_addr.
- + by apply in_arrivals_implies_arrived in IN0; apply H_all_jobs_from_taskset.
- - rewrite big_filter.
- apply leq_sum_seq => tsk0 INtsk0 HP0.
- apply (@leq_trans (task_cost tsk0 * size (task_arrivals_between arr_seq tsk0 t (t + Δ)))).
- + rewrite -sum1_size big_distrr /= big_filter /workload_of_jobs.
- rewrite muln1 /arrivals_between /arrival_sequence.arrivals_between.
- apply leq_sum_seq; move => j0 IN0 /eqP EQ.
- by rewrite -EQ; apply H_valid_job_cost; apply in_arrivals_implies_arrived in IN0.
- + rewrite leq_mul2l; apply/orP; right.
- rewrite -{2}[Δ](addKn t).
- by apply H_is_arrival_bound; last by rewrite leq_addr.
- Qed.
-
- End WorkloadIsBoundedByRBF.
-
-End ProofWorkloadBound.
-
-(** ** RBF Properties *)
-(** In this section, we prove simple properties and identities of RBFs. *)
-Section RequestBoundFunctions.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent:
- consistent_arrival_times arr_seq.
-
- (** Let [tsk] be any task. *)
- Variable tsk : Task.
-
- (** Let [max_arrivals] be a family of valid arrival curves, i.e., for any task [tsk] in [ts]
- [max_arrival tsk] is (1) an arrival bound of [tsk], and (2) it is a monotonic function
- that equals 0 for the empty interval Δ = 0. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_arrival_curve (max_arrivals tsk).
- Hypothesis H_is_arrival_curve : respects_max_arrivals arr_seq tsk (max_arrivals tsk).
-
- (** Let's define some local names for clarity. *)
- Let task_rbf := task_request_bound_function tsk.
-
- (** We prove that [task_rbf 0] is equal to [0]. *)
- Lemma task_rbf_0_zero:
- task_rbf 0 = 0.
- Proof.
- rewrite /task_rbf /task_request_bound_function.
- apply/eqP; rewrite muln_eq0; apply/orP; right; apply/eqP.
- by move: H_valid_arrival_curve => [T1 T2].
- Qed.
-
- (** We prove that [task_rbf] is monotone. *)
- Lemma task_rbf_monotone:
- monotone leq task_rbf.
- Proof.
- rewrite /monotone; intros ? ? LE.
- rewrite /task_rbf /task_request_bound_function leq_mul2l.
- apply/orP; right.
- by move: H_valid_arrival_curve => [_ T]; apply T.
- Qed.
-
- (** Consider any job [j] of [tsk]. This guarantees that there exists at least one
- job of task [tsk]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
-
- (** Then we prove that [task_rbf] at [ε] is greater than or equal to the task's WCET. *)
- Lemma task_rbf_1_ge_task_cost:
- task_rbf ε >= task_cost tsk.
- Proof.
- have ALT: forall n, n = 0 \/ n > 0 by clear; intros n; destruct n; [left | right].
- specialize (ALT (task_cost tsk)); destruct ALT as [Z | POS]; first by rewrite Z.
- rewrite leqNgt; apply/negP; intros CONTR.
- move: H_is_arrival_curve => ARRB.
- specialize (ARRB (job_arrival j) (job_arrival j + ε)).
- feed ARRB; first by rewrite leq_addr.
- move: CONTR; rewrite /task_rbf /task_request_bound_function.
- rewrite -{2}[task_cost tsk]muln1 ltn_mul2l => /andP [_ CONTR].
- move: CONTR; rewrite -addn1 -[1]add0n leq_add2r leqn0 => /eqP CONTR.
- move: ARRB; rewrite addKn CONTR leqn0 eqn0Ngt => /negP T; apply: T.
- rewrite /number_of_task_arrivals -has_predT /task_arrivals_between.
- apply/hasP; exists j; last by done.
- rewrite /arrivals_between addn1 big_nat_recl; last by done.
- rewrite big_geq ?cats0 //= mem_filter.
- apply/andP; split; first by done.
- move: H_j_arrives => [t ARR]; move: (ARR) => CONS.
- apply H_arrival_times_are_consistent in CONS.
- by rewrite CONS.
- Qed.
-
- (** As a corollary, we prove that the [task_rbf] at any point [A] greater than
- [0] is no less than the task's WCET. *)
- Lemma task_rbf_ge_task_cost:
- forall A,
- A > 0 ->
- task_rbf A >= task_cost tsk.
- Proof.
- case => // A GEQ.
- apply: (leq_trans task_rbf_1_ge_task_cost).
- exact: task_rbf_monotone.
- Qed.
-
- (** Assume that [tsk] has a positive cost. *)
- Hypothesis H_positive_cost : 0 < task_cost tsk.
-
- (** Then, we prove that [task_rbf] at [ε] is greater than [0]. *)
- Lemma task_rbf_epsilon_gt_0 : 0 < task_rbf ε.
- Proof.
- apply leq_trans with (task_cost tsk); first by done.
- by eapply task_rbf_1_ge_task_cost; eauto.
- Qed.
-
- (** Consider a set of tasks [ts] containing the task [tsk]. *)
- Variable ts : seq Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Next, we prove that cost of [tsk] is less than or equal to the
- [total_request_bound_function]. *)
- Lemma task_cost_le_sum_rbf :
- forall t,
- t > 0 ->
- task_cost tsk <= total_request_bound_function ts t.
- Proof.
- move => t GE.
- destruct t; first by done.
- eapply leq_trans; first by apply task_rbf_1_ge_task_cost; rt_eauto.
- rewrite /total_request_bound_function.
- erewrite big_rem; last by exact H_tsk_in_ts.
- apply leq_trans with (task_request_bound_function tsk t.+1); last by apply leq_addr.
- by apply task_rbf_monotone.
- Qed.
-
-End RequestBoundFunctions.
-
-
-(** ** Monotonicity of the Total RBF *)
-
-(** In the following section, we note some trivial facts about the monotonicity
- of various total RBF variants. *)
-Section TotalRBFMonotonic.
-
- (** Consider a set of tasks characterized by WCETs and arrival curves. *)
- Context {Task : TaskType} `{TaskCost Task} `{MaxArrivals Task}.
- Variable ts : seq Task.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
-
- (** We observe that the total RBF is monotonically increasing. *)
- Lemma total_rbf_monotone :
- monotone leq (total_request_bound_function ts).
- Proof.
- apply: sum_leq_mono => tsk IN.
- by apply task_rbf_monotone; rt_auto.
- Qed.
-
- (** Furthermore, for any fixed-priority policy, ... *)
- Context `{FP_policy Task}.
-
- (** ... the total RBF of higher- or equal-priority tasks is also monotonic, ... *)
- Lemma total_hep_rbf_monotone :
- forall tsk,
- monotone leq (total_hep_request_bound_function_FP ts tsk).
- Proof.
- move=> tsk.
- apply: sum_leq_mono => tsk' IN.
- by apply task_rbf_monotone; rt_auto.
- Qed.
-
- (** ... as is the variant that excludes the reference task. *)
- Lemma total_ohep_rbf_monotone :
- forall tsk,
- monotone leq (total_ohep_request_bound_function_FP ts tsk).
- Proof.
- move=> tsk.
- apply: sum_leq_mono => tsk' IN.
- by apply task_rbf_monotone; rt_auto.
- Qed.
-
-End TotalRBFMonotonic.
-
-(** ** RBFs Equal to Zero for Duration ε *)
-
-(** In the following section, we derive simple properties that follow in
- the pathological case of an RBF that yields zero for duration ε. *)
-Section DegenerateTotalRBFs.
-
- (** Consider a set of tasks characterized by WCETs and arrival curves ... *)
- Context {Task : TaskType} `{TaskCost Task} `{MaxArrivals Task}.
- Variable ts : seq Task.
-
- (** ... and any consistent arrival sequence of valid jobs of these tasks. *)
- Context {Job : JobType} `{JobTask Job Task} `{JobArrival Job} `{JobCost Job}.
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent: consistent_arrival_times arr_seq.
- Hypothesis H_valid_job_cost: arrivals_have_valid_job_costs arr_seq.
-
- (** Suppose the arrival curves are correct. *)
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Consider any valid schedule corresponding to this arrival sequence. *)
- Context {PState : ProcessorState Job}.
- Variable sched : schedule PState.
- Hypothesis H_jobs_from_arr_seq : jobs_come_from_arrival_sequence sched arr_seq.
-
- (** First, we observe that, if a task's RBF is zero for a duration [ε], then it
- trivially has a response-time bound of zero. *)
- Lemma pathological_rbf_response_time_bound :
- forall tsk,
- tsk \in ts ->
- task_request_bound_function tsk ε = 0 ->
- task_response_time_bound arr_seq sched tsk 0.
- Proof.
- move=> tsk IN ZERO j ARR TASK.
- rewrite /job_response_time_bound/completed_by.
- move: ZERO. rewrite /task_request_bound_function => /eqP.
- rewrite muln_eq0 => /orP [/eqP COST|/eqP NEVER].
- { apply: leq_trans.
- - by apply: H_valid_job_cost.
- - move: TASK. rewrite /job_of_task => /eqP ->.
- by rewrite COST. }
- { exfalso.
- have: 0 < max_arrivals tsk ε
- by apply: (non_pathological_max_arrivals tsk arr_seq _ j); rt_auto.
- by rewrite NEVER. }
- Qed.
-
- (** Second, given a fixed-priority policy with reflexive priorities, ... *)
- Context `{FP_policy Task}.
- Hypothesis H_reflexive : reflexive_priorities.
-
- (** ... if the total RBF of all equal- and higher-priority tasks is zero, then
- the reference task's response-time bound is also trivially zero. *)
- Lemma pathological_total_hep_rbf_response_time_bound :
- forall tsk,
- tsk \in ts ->
- total_hep_request_bound_function_FP ts tsk ε = 0 ->
- task_response_time_bound arr_seq sched tsk 0.
- Proof.
- move=> tsk IN ZERO j ARR TASK.
- apply: pathological_rbf_response_time_bound; eauto.
- apply /eqP.
- move: ZERO => /eqP; rewrite sum_nat_eq0_nat => /allP; apply.
- rewrite mem_filter; apply /andP; split => //.
- move: (H_reflexive 0 j).
- rewrite /hep_job_at/JLFP_to_JLDP/hep_job/FP_to_JLFP.
- by move: TASK; rewrite /job_of_task => /eqP ->.
- Qed.
-
- (** Thus we we can prove any response-time bound from such a pathological
- case, which is useful to eliminate this case in higher-level analyses. *)
- Corollary pathological_total_hep_rbf_any_bound :
- forall tsk,
- tsk \in ts ->
- total_hep_request_bound_function_FP ts tsk ε = 0 ->
- forall R,
- task_response_time_bound arr_seq sched tsk R.
- Proof.
- move=> tsk IN ZERO R.
- move: (pathological_total_hep_rbf_response_time_bound tsk IN ZERO).
- rewrite /task_response_time_bound/job_response_time_bound => COMP j INj TASK.
- apply: completion_monotonic; last by apply: COMP.
- by lia.
- Qed.
-
-End DegenerateTotalRBFs.
diff --git a/analysis/facts/model/sequential.v b/analysis/facts/model/sequential.v
deleted file mode 100644
index c4a79f3a27279167677a296cc76db948a76d5786..0000000000000000000000000000000000000000
--- a/analysis/facts/model/sequential.v
+++ /dev/null
@@ -1,46 +0,0 @@
-Require Export prosa.model.task.sequentiality.
-
-Section ExecutionOrder.
-
- (** Consider any type of job associated with any type of tasks... *)
- Context {Job: JobType}.
- Context {Task: TaskType}.
- Context `{JobTask Job Task}.
-
- (** ... with arrival times and costs ... *)
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** ... and any kind of processor state model. *)
- Context {PState: ProcessorState Job}.
-
-
- (** Consider any arrival sequence ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any schedule of this arrival sequence ... *)
- Variable sched : schedule PState.
-
- (** ... in which the sequential tasks hypothesis holds. *)
- Hypothesis H_sequential_tasks: sequential_tasks arr_seq sched.
-
- (** A simple corollary of this hypothesis is that the scheduler
- executes a job with the earliest arrival time. *)
- Corollary scheduler_executes_job_with_earliest_arrival:
- forall j1 j2 t,
- arrives_in arr_seq j1 ->
- arrives_in arr_seq j2 ->
- same_task j1 j2 ->
- ~~ completed_by sched j2 t ->
- scheduled_at sched j1 t ->
- job_arrival j1 <= job_arrival j2.
- Proof.
- intros ? ? t ARR1 ARR2 TSK NCOMPL SCHED.
- rewrite /same_task eq_sym in TSK.
- have SEQ := H_sequential_tasks j2 j1 t ARR2 ARR1 TSK.
- rewrite leqNgt; apply/negP; intros ARR.
- move: NCOMPL => /negP NCOMPL; apply: NCOMPL.
- by apply SEQ.
- Qed.
-
-End ExecutionOrder.
diff --git a/analysis/facts/model/service_of_jobs.v b/analysis/facts/model/service_of_jobs.v
deleted file mode 100644
index 7e77616af04e0040977499620282505a6d037d2d..0000000000000000000000000000000000000000
--- a/analysis/facts/model/service_of_jobs.v
+++ /dev/null
@@ -1,439 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq fintype bigop.
-
-Require Export prosa.model.aggregate.workload.
-Require Export prosa.model.aggregate.service_of_jobs.
-Require Export prosa.analysis.facts.behavior.completion.
-
-
-(** * Lemmas about Service Received by Sets of Jobs *)
-(** In this file, we establish basic facts about the service received by _sets_ of jobs. *)
-
-(** To begin with, we provide some basic properties of service
- of a set of jobs in case of a generic scheduling model. *)
-Section GenericModelLemmas.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any kind of processor state model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any job arrival sequence with consistent arrivals, .... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** ... and any schedule of this arrival sequence ... *)
- Variable sched : schedule PState.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Let P be any predicate over jobs. *)
- Variable P : pred Job.
-
- (** We show that the total service of jobs released in a time interval <<[t1,t2)>>
- during <<[t1,t2)>> is equal to the sum of:
- (1) the total service of jobs released in time interval <<[t1, t)>> during time <<[t1, t)>>
- (2) the total service of jobs released in time interval <<[t1, t)>> during time <<[t, t2)>>
- and (3) the total service of jobs released in time interval <<[t, t2)>> during time <<[t, t2)>>. *)
- Lemma service_of_jobs_cat_scheduling_interval :
- forall t1 t2 t,
- t1 <= t <= t2 ->
- service_of_jobs sched P (arrivals_between arr_seq t1 t2) t1 t2
- = service_of_jobs sched P (arrivals_between arr_seq t1 t) t1 t
- + service_of_jobs sched P (arrivals_between arr_seq t1 t) t t2
- + service_of_jobs sched P (arrivals_between arr_seq t t2) t t2.
- Proof.
- move => t1 t2 t /andP [GEt LEt].
- rewrite (arrivals_between_cat _ _ t) //.
- rewrite {1}/service_of_jobs big_cat //=.
- rewrite exchange_big //= (@big_cat_nat _ _ _ t) //=;
- rewrite [in X in X + _ + _]exchange_big //= [in X in _ + X + _]exchange_big //=.
- apply/eqP; rewrite -!addnA eqn_add2l eqn_add2l.
- rewrite exchange_big //= (@big_cat_nat _ _ _ t) //= [in X in _ + X]exchange_big //=.
- rewrite -[service_of_jobs _ _ _ _ _]add0n /service_of_jobs eqn_add2r.
- rewrite big_nat_cond big1 //.
- move => x /andP [/andP [GEi LTi] _].
- rewrite big_seq_cond big1 //.
- move => j /andP [ARR Ps].
- apply service_before_job_arrival_zero with H0; auto.
- eapply in_arrivals_implies_arrived_between in ARR; eauto 2.
- by move: ARR => /andP [N1 N2]; apply leq_trans with t.
- Qed.
-
- (** We show that the total service of jobs released in a time interval <<[t1, t2)>>
- during <<[t, t2)>> is equal to the sum of:
- (1) the total service of jobs released in a time interval <<[t1, t)>> during <<[t, t2)>>
- and (2) the total service of jobs released in a time interval <<[t, t2)>> during <<[t, t2)>>. *)
- Lemma service_of_jobs_cat_arrival_interval :
- forall t1 t2 t,
- t1 <= t <= t2 ->
- service_of_jobs sched P (arrivals_between arr_seq t1 t2) t t2 =
- service_of_jobs sched P (arrivals_between arr_seq t1 t) t t2 +
- service_of_jobs sched P (arrivals_between arr_seq t t2) t t2.
- Proof.
- move => t1 t2 t /andP [GEt LEt].
- apply/eqP;rewrite eq_sym; apply/eqP.
- rewrite [in X in _ = X](arrivals_between_cat _ _ t) //.
- by rewrite {3}/service_of_jobs -big_cat //=.
- Qed.
-
-
- (** In the following, we consider an arbitrary sequence of jobs [jobs]. *)
- Variable jobs : seq Job.
-
- (** Also, consider an interval <<[t1, t2)>>... *)
- Variable t1 t2 : instant.
-
- (** ...and two additional predicates [P1] and [P2]. *)
- Variable P1 P2 : pred Job.
-
- (** For brevity, in the following comments we denote a subset of [jobs]
- satisfying a predicate [P] by [{jobs | P}]. *)
-
- (** First, we prove that the service received by [{jobs | P1}] can be split
- into: (1) the service received by [{jobs | P1 ∧ P2}] and (2) the service
- received by the a subset [{jobs | P1 ∧ ¬ P2}]. *)
- Lemma service_of_jobs_case_on_pred :
- service_of_jobs sched P1 jobs t1 t2 =
- service_of_jobs sched (fun j => P1 j && P2 j) jobs t1 t2
- + service_of_jobs sched (fun j => P1 j && ~~ P2 j) jobs t1 t2.
- Proof.
- rewrite /service_of_jobs big_mkcond //=.
- rewrite [in X in _ = X + _]big_mkcond //=.
- rewrite [in X in _ = _ + X]big_mkcond //=.
- rewrite -big_split; apply eq_big_seq; intros j IN.
- by destruct (P1 _), (P2 _); simpl; lia.
- Qed.
-
- (** We show that the service received by [{jobs | P}] is equal to the
- difference between the total service received by [jobs] and the service
- of [{jobs | ¬ P}]. *)
- Lemma service_of_jobs_negate_pred :
- service_of_jobs sched P jobs t1 t2 =
- total_service_of_jobs_in sched jobs t1 t2 - service_of_jobs sched (fun j => ~~ P j) jobs t1 t2.
- Proof.
- rewrite /total_service_of_jobs_in /service_of_jobs.
- rewrite big_mkcond [in X in _ = X - _]big_mkcond [in X in _ = _ - X]big_mkcond //=.
- rewrite -sumnB; last by move=> j _; case: (P j).
- apply: eq_big_seq => j IN.
- by case: (P j) => //=; lia.
- Qed.
-
- (** We show that [service_of_jobs] is monotone with respect to the
- predicate. That is, given the fact [∀ j ∈ jobs: P1 j ==> P2 j], we show
- that the service of [{jobs | P1}] is bounded by the service of [{jobs | P2}]. *)
- Lemma service_of_jobs_pred_impl :
- (forall j : Job, j \in jobs -> P1 j -> P2 j) ->
- service_of_jobs sched P1 jobs t1 t2 <= service_of_jobs sched P2 jobs t1 t2.
- Proof. by intros IMPL; apply leq_sum_seq_pred; eauto. Qed.
-
- (** Similarly, we show that if [P1] is equivalent to [P2], then the service
- of [{jobs | P1}] is equal to the service of [{jobs | P2}]. *)
- Lemma service_of_jobs_equiv_pred :
- {in jobs, P1 =1 P2} ->
- service_of_jobs sched P1 jobs t1 t2 = service_of_jobs sched P2 jobs t1 t2.
- Proof.
- intros * EQUIV.
- rewrite /service_of_jobs !big_mkcond [in X in _ = X]big_mkcond //=; apply: eq_big_seq.
- intros j IN; specialize (EQUIV j IN); simpl in EQUIV; rewrite EQUIV; clear EQUIV.
- by case: (P2 j) => //.
- Qed.
-
- (** Next, we show an auxiliary lemma that allows us to change the order of
- summation.
-
- Recall that [service_of_jobs] is defined as a sum over all jobs in
- [jobs] of <<[service_during j [t1,t2)]>>. We show that [service_of_jobs]
- over an interval <<[t1,t2)>> is equal to the sum over individual time
- instances (in <<[t1,t2)>>) of [service_of_jobs_at].
-
- In other words, we show that <<[∑_{j ∈ jobs} ∑_{t \in [t1,t2)} service
- of j at t]>> is equal to <<[∑_{t \in [t1,t2)} ∑_{j ∈ jobs} service of j
- at t]>>. *)
- Lemma service_of_jobs_sum_over_time_interval :
- service_of_jobs sched P jobs t1 t2
- = \sum_(t1 <= t < t2) service_of_jobs_at sched P jobs t.
- Proof. by apply exchange_big. Qed.
-
- (** We show that service of [{jobs | false}] is equal to 0. *)
- Lemma service_of_jobs_pred0 :
- service_of_jobs sched pred0 jobs t1 t2 = 0.
- Proof. by apply big_pred0. Qed.
-
- (** More generally, if none of the jobs inside [jobs] is scheduled
- at time [t] or satisfies [P], then total service of [jobs] at
- time [t] is equal to 0. *)
- Lemma service_of_jobs_nsched_or_unsat :
- forall (t : instant),
- (forall j, j \in jobs -> ~~ (P j && scheduled_at sched j t)) ->
- service_of_jobs_at sched P jobs t = 0.
- Proof.
- intros ? ALL.
- induction jobs.
- - by rewrite /service_of_jobs_at big_nil.
- - feed IHl.
- { by intros j' IN; apply ALL; rewrite in_cons; apply/orP; right. }
- rewrite /service_of_jobs_at big_cons; rewrite /service_of_jobs_at in IHl.
- destruct (P a) eqn: Pa; last by done.
- rewrite IHl addn0.
- specialize (ALL a); feed ALL.
- { by rewrite in_cons; apply/orP; left. }
- rewrite Pa Bool.andb_true_l in ALL.
- by apply not_scheduled_implies_no_service.
- Qed.
-
-
-End GenericModelLemmas.
-
-(** In this section, we prove some properties about service
- of sets of jobs for unit-service processor models. *)
-Section UnitServiceModelLemmas.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any kind of unit-service processor state model. *)
- Context {PState : ProcessorState Job}.
- Hypothesis H_unit_service_proc_model : unit_service_proc_model PState.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Next, consider any unit-service schedule of this arrival sequence ... *)
- Variable sched : schedule PState.
- Hypothesis H_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Let P be any predicate over jobs. *)
- Variable P : pred Job.
-
- (** First, we prove that the service received by any set of jobs is
- upper-bounded by the corresponding workload. *)
- Lemma service_of_jobs_le_workload:
- forall (jobs : seq Job) (t1 t2 : instant),
- service_of_jobs sched P jobs t1 t2 <= workload_of_jobs P jobs.
- Proof.
- intros jobs t1 t2.
- apply leq_sum; intros j _.
- by apply cumulative_service_le_job_cost.
- Qed.
-
- (** In this section, we introduce a connection between the cumulative
- service, cumulative workload, and completion of jobs. *)
- Section WorkloadServiceAndCompletion.
-
- (** Consider an arbitrary time interval <<[t1, t2)>>. *)
- Variables t1 t2 : instant.
-
- (** Let jobs be a set of all jobs arrived during <<[t1, t2)>>. *)
- Let jobs := arrivals_between arr_seq t1 t2.
-
- (** Next, we consider some time instant [t_compl]. *)
- Variable t_compl : instant.
-
- (** And state the proposition that all jobs are completed by time
- [t_compl]. Next we show that this proposition is equivalent to
- the fact that [workload of jobs = service of jobs]. *)
- Let all_jobs_completed_by t_compl :=
- forall j, j \in jobs -> P j -> completed_by sched j t_compl.
-
- (** First, we prove that if the workload of [jobs] is equal to the
- service of [jobs], then any job in [jobs] is completed by time
- [t_compl]. *)
- Lemma workload_eq_service_impl_all_jobs_have_completed :
- workload_of_jobs P jobs = service_of_jobs sched P jobs t1 t_compl ->
- all_jobs_completed_by t_compl.
- Proof.
- unfold jobs; intros EQ j ARR Pj; move: (ARR) => ARR2.
- apply in_arrivals_implies_arrived_between in ARR; last by done.
- move: ARR => /andP [T1 T2].
- have F1: forall a b, (a < b) || (a >= b).
- { by intros; destruct (a < b) eqn:EQU; apply/orP;
- [by left |right]; apply negbT in EQU; rewrite leqNgt. }
- move: (F1 t_compl t1) => /orP [LT | GT].
- - rewrite /service_of_jobs /service_during in EQ.
- rewrite exchange_big big_geq //= in EQ; last by rewrite ltnW.
- rewrite /workload_of_jobs in EQ.
- rewrite (big_rem j) ?Pj //= in EQ.
- move: EQ => /eqP; rewrite addn_eq0; move => /andP [CZ _].
- unfold completed_by, service.completed_by.
- by move: CZ => /eqP CZ; rewrite CZ.
- - unfold workload_of_jobs, service_of_jobs in EQ; unfold completed_by, service.completed_by.
- rewrite /service -(service_during_cat _ _ _ t1); last by apply/andP; split.
- rewrite cumulative_service_before_job_arrival_zero // add0n.
- apply: eq_leq; have /esym/eqP := EQ; rewrite eq_sum_leq_seq.
- { move=> /allP/(_ j) + /ltac:(apply/esym/eqP); apply.
- by rewrite mem_filter Pj. }
- by intros; apply cumulative_service_le_job_cost; eauto.
- Qed.
-
- (** And vice versa, the fact that any job in [jobs] is completed by time [t_compl]
- implies that the workload of [jobs] is equal to the service of [jobs]. *)
- Lemma all_jobs_have_completed_impl_workload_eq_service :
- all_jobs_completed_by t_compl ->
- workload_of_jobs P jobs =
- service_of_jobs sched P jobs t1 t_compl.
- Proof.
- unfold jobs; intros COMPL.
- have F: forall j t, t <= t1 -> j \in arrivals_between arr_seq t1 t2 -> service_during sched j 0 t = 0.
- { intros j t LE ARR.
- eapply in_arrivals_implies_arrived_between in ARR; eauto 2; move: ARR => /andP [GE LT].
- eapply cumulative_service_before_job_arrival_zero; eauto 2.
- by apply leq_trans with t1.
- }
- destruct (t_compl <= t1) eqn:EQ.
- - unfold service_of_jobs. unfold service_during.
- rewrite exchange_big //=.
- rewrite big_geq; last by done.
- rewrite /workload_of_jobs big1_seq //.
- move => j /andP [Pj ARR].
- specialize (COMPL _ ARR Pj).
- rewrite <- F with (j := j) (t := t_compl); try done.
- apply/eqP; rewrite eqn_leq; apply/andP; split.
- + by apply COMPL.
- + by apply service_at_most_cost.
- - apply/eqP; rewrite eqn_leq; apply/andP; split; first last.
- + by apply service_of_jobs_le_workload.
- + rewrite /workload_of_jobs big_seq_cond [X in _ <= X]big_seq_cond.
- rewrite leq_sum // => j /andP [ARR Pj].
- specialize (COMPL _ ARR Pj).
- rewrite -[service_during _ _ _ _ ]add0n -(F j t1) //= -(big_cat_nat) //=.
- move: EQ =>/negP /negP; rewrite -ltnNge => EQ.
- by apply ltnW.
- Qed.
-
- (** Using the lemmas above, we prove the equivalence. *)
- Corollary all_jobs_have_completed_equiv_workload_eq_service :
- all_jobs_completed_by t_compl <->
- workload_of_jobs P jobs = service_of_jobs sched P jobs t1 t_compl.
- Proof.
- split.
- - by apply all_jobs_have_completed_impl_workload_eq_service.
- - by apply workload_eq_service_impl_all_jobs_have_completed.
- Qed.
-
- End WorkloadServiceAndCompletion.
-
-End UnitServiceModelLemmas.
-
-(** In this section, we prove some properties about service
- of sets of jobs for unit-service uniprocessor models. *)
-Section UnitServiceUniProcessorModelLemmas.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any kind of unit-service uniprocessor state model. *)
- Context {PState : ProcessorState Job}.
- Hypothesis H_unit_service_proc_model : unit_service_proc_model PState.
- Hypothesis H_uniprocessor_model : uniprocessor_model PState.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Next, consider any unit-service uni-processor schedule of this arrival sequence ... *)
- Variable sched : schedule PState.
- Hypothesis H_jobs_come_from_arrival_sequence :
- jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Let [P] be any predicate over jobs. *)
- Variable P : pred Job.
-
- (** In this section, we prove that the service received by any set of jobs
- is upper-bounded by the corresponding interval length. *)
- Section ServiceOfJobsIsBoundedByLength.
-
- (** Let [jobs] denote any set of jobs. *)
- Variable jobs : seq Job.
- Hypothesis H_no_duplicate_jobs : uniq jobs.
-
- (** We prove that the overall service of [jobs] at a single time instant is at most [1]. *)
- Lemma service_of_jobs_le_1:
- forall t, service_of_jobs_at sched P jobs t <= 1.
- Proof.
- intros t.
- eapply leq_trans.
- { by apply leq_sum_seq_pred with (P2 := predT); intros. }
- simpl; induction jobs as [ | j js].
- - by rewrite big_nil.
- - feed IHjs; first by move: H_no_duplicate_jobs; rewrite cons_uniq => /andP [_ U].
- rewrite big_cons.
- destruct (service_is_zero_or_one H_unit_service_proc_model sched j t) as [Z | O].
- + by rewrite Z (leqRW IHjs).
- + have -> : \sum_(j <- js) service_in j (sched t) = 0; last by rewrite O.
- have POS: service_at sched j t > 0 by rewrite O.
- apply service_at_implies_scheduled_at in POS.
- apply/eqP; rewrite big_seq big1 //; intros j' IN.
- apply/eqP; rewrite -leqn0 leqNgt.
- eapply contra with (b := scheduled_at sched j' t);
- first apply service_at_implies_scheduled_at.
- apply/negP; intros SCHED.
- specialize (H_uniprocessor_model _ _ _ _ POS SCHED); subst j'.
- by move: H_no_duplicate_jobs; rewrite cons_uniq => /andP [/negP NIN _].
- Qed.
-
- (** Next, we prove that the service received by those jobs is no larger
- than their workload. *)
- Corollary service_of_jobs_le_length_of_interval:
- forall (t : instant) (Δ : duration),
- service_of_jobs sched P jobs t (t + Δ) <= Δ.
- Proof.
- intros.
- have EQ: \sum_(t <= x < t + Δ) 1 = Δ.
- { by rewrite big_const_nat iter_addn mul1n addn0 -{2}[t]addn0 subnDl subn0. }
- rewrite -{2}EQ {EQ}.
- rewrite /service_of_jobs/service_during/service_at exchange_big //=.
- rewrite leq_sum //.
- move => t' _.
- by apply service_of_jobs_le_1.
- Qed.
-
- (** The same holds for two time instants. *)
- Corollary service_of_jobs_le_length_of_interval':
- forall (t1 t2 : instant),
- service_of_jobs sched P jobs t1 t2 <= t2 - t1.
- Proof.
- intros.
- have <-: \sum_(t1 <= x < t2) 1 = t2 - t1.
- { by rewrite big_const_nat iter_addn mul1n addn0. }
- rewrite /service_of_jobs exchange_big //=.
- rewrite leq_sum //.
- move => t' _.
- have SE := service_of_jobs_le_1 t'.
- eapply leq_trans; last by eassumption.
- by rewrite leq_sum.
- Qed.
-
- End ServiceOfJobsIsBoundedByLength.
-
-End UnitServiceUniProcessorModelLemmas.
diff --git a/analysis/facts/model/task_arrivals.v b/analysis/facts/model/task_arrivals.v
deleted file mode 100644
index 98aaeca102d4d8550e9c91097cc537f7c9143a4e..0000000000000000000000000000000000000000
--- a/analysis/facts/model/task_arrivals.v
+++ /dev/null
@@ -1,321 +0,0 @@
-Require Export prosa.model.task.arrivals.
-Require Export prosa.util.all.
-Require Export prosa.analysis.facts.behavior.arrivals.
-
-(** In this file we provide basic properties related to tasks on arrival sequences. *)
-Section TaskArrivals.
-
- (** Consider any type of job associated with any type of tasks. *)
- Context {Job : JobType}.
- Context {Task : TaskType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any job arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_consistent_arrivals: consistent_arrival_times arr_seq.
-
- (** We show that the number of arrivals of task can be split into disjoint intervals. *)
- Lemma num_arrivals_of_task_cat:
- forall tsk t t1 t2,
- t1 <= t <= t2 ->
- number_of_task_arrivals arr_seq tsk t1 t2 =
- number_of_task_arrivals arr_seq tsk t1 t + number_of_task_arrivals arr_seq tsk t t2.
- Proof.
- move => tsk t t1 t2 /andP [GE LE].
- rewrite /number_of_task_arrivals /task_arrivals_between /arrivals_between.
- now rewrite (@big_cat_nat _ _ _ t) //= filter_cat size_cat.
- Qed.
-
- (** To simplify subsequent proofs, we further lift [arrivals_between_cat] to
- the filtered version [task_arrivals_between]. *)
- Lemma task_arrivals_between_cat:
- forall tsk t1 t t2,
- t1 <= t ->
- t <= t2 ->
- task_arrivals_between arr_seq tsk t1 t2
- = task_arrivals_between arr_seq tsk t1 t ++ task_arrivals_between arr_seq tsk t t2.
- Proof.
- move=> tsk t1 t t2 LEQ_t1 LEQ_t2.
- now rewrite /task_arrivals_between -filter_cat -arrivals_between_cat.
- Qed.
-
- (** We show that [task_arrivals_up_to_job_arrival j1] is a prefix
- of [task_arrivals_up_to_job_arrival j2] if [j2] arrives at the same time
- or after [j1]. *)
- Lemma task_arrivals_up_to_prefix_cat:
- forall j1 j2,
- arrives_in arr_seq j1 ->
- arrives_in arr_seq j2 ->
- job_task j1 = job_task j2 ->
- job_arrival j1 <= job_arrival j2 ->
- prefix_of (task_arrivals_up_to_job_arrival arr_seq j1) (task_arrivals_up_to_job_arrival arr_seq j2).
- Proof.
- intros j1 j2 ARR1 ARR2 TSK ARR_LT.
- exists (task_arrivals_between arr_seq (job_task j1) (job_arrival j1 + 1) (job_arrival j2 + 1)).
- now rewrite /task_arrivals_up_to_job_arrival !addn1 TSK -task_arrivals_between_cat.
- Qed.
-
- (** Let [tsk] be any task. *)
- Variable tsk : Task.
-
- (** Any job [j] from the arrival sequence is contained in
- [task_arrivals_up_to_job_arrival j]. *)
- Lemma arrives_in_task_arrivals_up_to:
- forall j,
- arrives_in arr_seq j ->
- j \in task_arrivals_up_to_job_arrival arr_seq j.
- Proof.
- intros j ARR.
- rewrite mem_filter; apply /andP.
- split; first by apply /eqP => //.
- move : ARR => [t ARR]; move : (ARR) => EQ.
- apply H_consistent_arrivals in EQ.
- rewrite (mem_bigcat_nat _ (fun t => arrivals_at arr_seq t) j 0 _ (job_arrival j)) // EQ //.
- now lia.
- Qed.
-
- (** Also, any job [j] from the arrival sequence is contained in
- [task_arrivals_at_job_arrival j]. *)
- Lemma arrives_in_task_arrivals_at:
- forall j,
- arrives_in arr_seq j ->
- j \in task_arrivals_at_job_arrival arr_seq j.
- Proof.
- intros j ARR.
- rewrite mem_filter; apply /andP.
- split; first by apply /eqP => //.
- rewrite /arrivals_at.
- move : ARR => [t ARR].
- now rewrite (H_consistent_arrivals j t ARR).
- Qed.
-
- (** We show that for any time [t_m] less than or equal to [t],
- task arrivals up to [t_m] forms a prefix of task arrivals up to [t]. *)
- Lemma task_arrivals_cat:
- forall t_m t,
- t_m <= t ->
- task_arrivals_up_to arr_seq tsk t =
- task_arrivals_up_to arr_seq tsk t_m ++ task_arrivals_between arr_seq tsk t_m.+1 t.+1.
- Proof.
- intros t1 t2 INEQ.
- now rewrite -filter_cat -arrivals_between_cat.
- Qed.
-
- (** We observe that for any job [j], task arrivals up to [job_arrival j] is a
- concatenation of task arrivals before [job_arrival j] and task arrivals
- at [job_arrival j]. *)
- Lemma task_arrivals_up_to_cat:
- forall j,
- arrives_in arr_seq j ->
- task_arrivals_up_to_job_arrival arr_seq j =
- task_arrivals_before_job_arrival arr_seq j ++ task_arrivals_at_job_arrival arr_seq j.
- Proof.
- intros j ARR.
- rewrite /task_arrivals_up_to_job_arrival /task_arrivals_up_to
- /task_arrivals_before /task_arrivals_between.
- rewrite -filter_cat (arrivals_between_cat _ 0 (job_arrival j) (job_arrival j).+1) //.
- now rewrite /arrivals_between big_nat1.
- Qed.
-
- (** We show that any job [j] in the arrival sequence is also contained in task arrivals
- between time instants [t1] and [t2], if [job_arrival j] lies in the interval <<[t1,t2)>>. *)
- Lemma job_in_task_arrivals_between:
- forall j t1 t2,
- arrives_in arr_seq j ->
- job_task j = tsk ->
- t1 <= job_arrival j < t2 ->
- j \in task_arrivals_between arr_seq tsk t1 t2.
- Proof.
- intros * ARR TSK INEQ.
- rewrite mem_filter; apply/andP.
- split; first by apply /eqP => //.
- now apply arrived_between_implies_in_arrivals.
- Qed.
-
- (** Any job [j] in [task_arrivals_between arr_seq tsk t1 t2] is also
- contained in [arrivals_between arr_seq t1 t2]. *)
- Lemma task_arrivals_between_subset:
- forall t1 t2 j,
- j \in task_arrivals_between arr_seq tsk t1 t2 ->
- j \in arrivals_between arr_seq t1 t2.
- Proof. move=> t1 t2 j. by rewrite mem_filter; move => /andP [/eqP TSK JB_IN]. Qed.
-
- (** Any job [j] in [task_arrivals_between arr_seq tsk t1 t2] arrives
- in the arrival sequence [arr_seq]. *)
- Corollary arrives_in_task_arrivals_implies_arrived:
- forall t1 t2 j,
- j \in task_arrivals_between arr_seq tsk t1 t2 ->
- arrives_in arr_seq j.
- Proof. move=> t1 t2 j IN; apply/in_arrivals_implies_arrived/task_arrivals_between_subset; exact IN. Qed.
-
- (** Any job [j] in [task_arrivals_before arr_seq tsk t] has an arrival
- time earlier than [t]. *)
- Lemma arrives_in_task_arrivals_before_implies_arrives_before :
- forall j t,
- j \in task_arrivals_before arr_seq tsk t ->
- job_arrival j < t.
- Proof.
- intros * IN.
- unfold task_arrivals_before, task_arrivals_between in *.
- move: IN; rewrite mem_filter => /andP [_ IN].
- by apply in_arrivals_implies_arrived_between in IN => //.
- Qed.
-
- (** Any job [j] in [task_arrivals_before arr_seq tsk t] is a job of task [tsk]. *)
- Lemma arrives_in_task_arrivals_implies_job_task :
- forall j t,
- j \in task_arrivals_before arr_seq tsk t ->
- job_task j == tsk.
- Proof.
- intros * IN.
- unfold task_arrivals_before, task_arrivals_between in *.
- by move: IN; rewrite mem_filter => /andP [TSK _].
- Qed.
-
- (** We repeat the observation for [task_arrivals_between]. *)
- Lemma in_task_arrivals_between_implies_job_of_task :
- forall t1 t2 j,
- j \in task_arrivals_between arr_seq tsk t1 t2 ->
- job_task j = tsk.
- Proof.
- move=> t1 t2 j.
- rewrite mem_filter => /andP [JT _].
- by move: JT; rewrite /job_of_task => /eqP.
- Qed.
-
- (** If a job arrives between to points in time, then the corresponding interval is nonempty... *)
- Lemma task_arrivals_nonempty :
- forall t1 t2 j,
- j \in task_arrivals_between arr_seq tsk t1 t2 ->
- t1 < t2.
- Proof. move=> t1 t2 j IN. by apply /(arrivals_between_nonempty arr_seq _ _ j)/task_arrivals_between_subset. Qed.
-
- (** ... which we can also express in terms of [number_of_task_arrivals] being nonzero. *)
- Corollary number_of_task_arrivals_nonzero :
- forall t1 t2,
- number_of_task_arrivals arr_seq tsk t1 t2 > 0 ->
- t1 < t2.
- Proof. by move=> t1 t2; rewrite -has_predT => /hasP [j IN] _; eapply task_arrivals_nonempty; eauto. Qed.
-
- (** An arrival sequence with non-duplicate arrivals implies that the
- task arrivals also contain non-duplicate arrivals. *)
- Lemma uniq_task_arrivals:
- forall t,
- arrival_sequence_uniq arr_seq ->
- uniq (task_arrivals_up_to arr_seq tsk t).
- Proof.
- intros * UNQ_SEQ.
- apply filter_uniq.
- now apply arrivals_uniq.
- Qed.
-
- (** The same observation applies to [task_arrivals_between]. *)
- Lemma task_arrivals_between_uniq :
- forall t1 t2,
- arrival_sequence_uniq arr_seq ->
- uniq (task_arrivals_between arr_seq tsk t1 t2).
- Proof. move=> t1 t2 UNIQ. by apply/filter_uniq/arrivals_uniq. Qed.
-
- (** A job cannot arrive before it's arrival time. *)
- Lemma job_notin_task_arrivals_before :
- forall j t,
- arrives_in arr_seq j ->
- job_arrival j > t ->
- j \notin task_arrivals_up_to arr_seq (job_task j) t.
- Proof.
- intros j t ARR INEQ.
- apply /negP; rewrite mem_filter => /andP [_ IN].
- apply mem_bigcat_nat_exists in IN; move : IN => [t' [IN NEQt']].
- rewrite -(H_consistent_arrivals j t') in NEQt' => //.
- now lia.
- Qed.
-
- (** We show that for any two jobs [j1] and [j2], task arrivals up to arrival of job [j1] form a
- strict prefix of task arrivals up to arrival of job [j2]. *)
- Lemma arrival_lt_implies_strict_prefix:
- forall j1 j2,
- job_task j1 = tsk ->
- job_task j2 = tsk ->
- arrives_in arr_seq j1 ->
- arrives_in arr_seq j2 ->
- job_arrival j1 < job_arrival j2 ->
- strict_prefix_of (task_arrivals_up_to_job_arrival arr_seq j1) (task_arrivals_up_to_job_arrival arr_seq j2).
- Proof.
- intros j1 j2 TSK1 TSK2 ARR_1 ARR_2 ARR_INEQ.
- exists (task_arrivals_between arr_seq tsk ((job_arrival j1).+1) ((job_arrival j2).+1)).
- split.
- - move: (in_nil j2) => /negP => JIN NIL.
- rewrite -NIL in JIN; contradict JIN.
- now apply job_in_task_arrivals_between => //; lia.
- - rewrite /task_arrivals_up_to_job_arrival TSK1 TSK2.
- now rewrite -task_arrivals_cat; try by lia.
- Qed.
-
- (** For any job [j2] with [job_index] equal to [n], the nth job
- in the sequence [task_arrivals_up_to arr_seq tsk t] is [j2], given that
- [t] is not less than [job_arrival j2]. *)
- (** Note that [j_def] is used as a default job for the access function and
- has nothing to do with the lemma. *)
- Lemma nth_job_of_task_arrivals:
- forall n j_def j t,
- arrives_in arr_seq j ->
- job_task j = tsk ->
- job_index arr_seq j = n ->
- t >= job_arrival j ->
- nth j_def (task_arrivals_up_to arr_seq tsk t) n = j.
- Proof.
- intros * ARR TSK IND T_G.
- rewrite -IND.
- have EQ_IND : index j (task_arrivals_up_to_job_arrival arr_seq j) = index j (task_arrivals_up_to arr_seq tsk t).
- { have CAT : exists xs, task_arrivals_up_to_job_arrival arr_seq j ++ xs = task_arrivals_up_to arr_seq tsk t.
- { rewrite /task_arrivals_up_to_job_arrival TSK.
- exists (task_arrivals_between arr_seq tsk ((job_arrival j).+1) t.+1).
- now rewrite -task_arrivals_cat.
- }
- move : CAT => [xs ARR_CAT].
- now rewrite -ARR_CAT index_cat ifT; last by apply arrives_in_task_arrivals_up_to.
- }
- rewrite /job_index EQ_IND nth_index => //.
- rewrite mem_filter; apply /andP.
- split; first by apply /eqP.
- now apply job_in_arrivals_between => //.
- Qed.
-
- (** We show that task arrivals in the interval <<[t1, t2)>>
- is the same as concatenation of task arrivals at each instant in <<[t1, t2)>>. *)
- Lemma task_arrivals_between_is_cat_of_task_arrivals_at:
- forall t1 t2,
- task_arrivals_between arr_seq tsk t1 t2 = \cat_(t1 <= t < t2) task_arrivals_at arr_seq tsk t.
- Proof.
- intros *.
- rewrite /task_arrivals_between /task_arrivals_at /arrivals_between.
- now apply bigcat_nat_filter_eq_filter_bigcat_nat.
- Qed.
-
- (** The number of jobs of a task [tsk] in the interval <<[t1, t2)>> is the same
- as sum of the number of jobs of the task [tsk] at each instant in <<[t1, t2)>>. *)
- Lemma size_of_task_arrivals_between:
- forall t1 t2,
- size (task_arrivals_between arr_seq tsk t1 t2)
- = \sum_(t1 <= t < t2) size (task_arrivals_at arr_seq tsk t).
- Proof.
- intros *.
- rewrite /task_arrivals_between /task_arrivals_at /arrivals_between.
- now rewrite size_big_nat bigcat_nat_filter_eq_filter_bigcat_nat.
- Qed.
-
- (** We note that, trivially, the list of task arrivals
- [task_arrivals_between] is sorted by arrival times because the
- underlying [arrivals_between] is sorted, as established by the
- lemma [arrivals_between_sorted]. *)
- Corollary task_arrivals_between_sorted :
- forall t1 t2,
- sorted by_arrival_times (task_arrivals_between arr_seq tsk t1 t2).
- Proof.
- move=> t1 t2. apply sorted_filter;
- first by rewrite /by_arrival_times /transitive; lia.
- exact: arrivals_between_sorted.
- Qed.
-
-End TaskArrivals.
diff --git a/analysis/facts/model/task_cost.v b/analysis/facts/model/task_cost.v
deleted file mode 100644
index aa2f4bc60a1e673745e72db4d51c472721571bbc..0000000000000000000000000000000000000000
--- a/analysis/facts/model/task_cost.v
+++ /dev/null
@@ -1,33 +0,0 @@
-Require Import prosa.behavior.all.
-Require Import prosa.model.task.concept.
-Require Import prosa.analysis.definitions.job_properties.
-
-(** In this module, we state some general results about
- the [task_cost] parameter. *)
-Section TaskCost.
-
- (** Consider tasks and jobs with the following associated parameters. *)
- Context `{Task : TaskType} `{Job : JobType} `{JobTask Job Task} `{JobCost Job} `{TaskCost Task}.
-
- (** Consider a task [tsk] and a job of the task [j]. *)
- Variable tsk : Task.
- Variable j : Job.
- Hypothesis H_job_of_task : job_of_task tsk j.
-
- (** Assume [j] has a positive and valid cost. *)
- Hypothesis H_job_cost_positive : job_cost_positive j.
- Hypothesis H_valid_job_cost : valid_job_cost j.
-
- (** Then, the task cost of [tsk] is also positive. *)
- Lemma job_cost_positive_implies_task_cost_positive : 0 < task_cost tsk.
- Proof.
- apply leq_trans with (job_cost j); first by done.
- by move : H_job_of_task => /eqP TSK; rewrite -TSK.
- Qed.
-
-End TaskCost.
-
-(** We add the above lemma to the global hints database. *)
-Global Hint Resolve
- job_cost_positive_implies_task_cost_positive:
- basic_rt_facts.
diff --git a/analysis/facts/model/task_schedule.v b/analysis/facts/model/task_schedule.v
deleted file mode 100644
index dd13774206ca85f20c9c25036f0eb2ee04a2a915..0000000000000000000000000000000000000000
--- a/analysis/facts/model/task_schedule.v
+++ /dev/null
@@ -1,50 +0,0 @@
-Require Export prosa.model.task.concept.
-Require Export prosa.analysis.definitions.task_schedule.
-Require Export prosa.analysis.facts.model.ideal.schedule.
-
-(** In this file we provide basic properties related to schedule of a task. *)
-Section TaskSchedule.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Let [sched] be any ideal uni-processor schedule. *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** Let [tsk] be any task. *)
- Variable tsk : Task.
-
- (** We show that if a job of task [tsk] is scheduled at time [t],
- then task [tsk] is scheduled at time [t]. *)
- Lemma job_of_task_scheduled_implies_task_scheduled :
- forall j t,
- job_of_task tsk j ->
- scheduled_at sched j t ->
- task_scheduled_at sched tsk t.
- Proof.
- intros ? ? TSK SCHED.
- unfold task_scheduled_at.
- by move: SCHED; rewrite scheduled_at_def => /eqP ->.
- Qed.
-
- (** And vice versa, if no job of task [tsk] is scheduled at time
- [t], then task [tsk] is not scheduled at time [t]. *)
- Lemma job_of_task_scheduled_implies_task_scheduled':
- forall j t,
- ~~ job_of_task tsk j ->
- scheduled_at sched j t ->
- ~~ task_scheduled_at sched tsk t.
- Proof.
- move => j t /negP TSK SCHED; apply /negP => TSCHED; apply: TSK.
- move: SCHED; rewrite scheduled_at_def => /eqP SCHED.
- by move: TSCHED; rewrite /task_scheduled_at SCHED.
- Qed.
-
-End TaskSchedule.
diff --git a/analysis/facts/model/workload.v b/analysis/facts/model/workload.v
deleted file mode 100644
index c196ef09243a5a37956565061a5cc4adf5afaec6..0000000000000000000000000000000000000000
--- a/analysis/facts/model/workload.v
+++ /dev/null
@@ -1,180 +0,0 @@
-Require Export prosa.model.aggregate.workload.
-Require Export prosa.analysis.facts.behavior.arrivals.
-
-(** * Lemmas about Workload of Sets of Jobs *)
-(** In this file, we establish basic facts about the workload of sets of jobs. *)
-Section WorkloadFacts.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** To begin with, we establish an auxiliary rewriting lemma that allows us to
- introduce a [filter] on the considered set of jobs, provided the filter
- predicate [P2] is implied by the job-selection predicate [P1]. *)
- Lemma workload_of_jobs_filter :
- forall (P1 P2 : pred Job) (jobs : seq Job),
- (forall j, j \in jobs -> P1 j -> P2 j) ->
- workload_of_jobs P1 jobs = workload_of_jobs P1 [seq j <- jobs | P2 j ].
- Proof.
- move=> P1 P2 jobs IMPL.
- rewrite /workload_of_jobs big_filter_cond big_seq_cond [RHS]big_seq_cond.
- apply: eq_bigl => j.
- case: (boolP (j \in jobs)) => // IN.
- rewrite !andTb.
- case: (boolP (P1 j)) => //= P1j; first by rewrite (IMPL j IN P1j).
- by rewrite andbF.
- Qed.
-
- (** Next, consider any job arrival sequence consistent with the arrival times
- of the jobs. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_consistent : consistent_arrival_times arr_seq.
-
- (** If at some point in time [t] the predicate [P] by which we select jobs
- from the set of arrivals in an interval <<[t1, t2)>> becomes certainly
- false, then we may disregard all jobs arriving at time [t] or later. *)
- Lemma workload_of_jobs_nil_tail :
- forall {P t1 t2 t},
- t <= t2 ->
- (forall j, j \in (arrivals_between arr_seq t1 t2) -> job_arrival j >= t -> ~~ P j) ->
- workload_of_jobs P (arrivals_between arr_seq t1 t2)
- = workload_of_jobs P (arrivals_between arr_seq t1 t).
- Proof.
- move=> P t1 t2 t LE IMPL.
- have -> : arrivals_between arr_seq t1 t = [seq j <- (arrivals_between arr_seq t1 t2) | job_arrival j < t]
- by apply: arrivals_between_filter.
- rewrite (workload_of_jobs_filter _ (fun j => job_arrival j < t)) // => j IN Pj.
- case: (leqP t (job_arrival j)) => // TAIL.
- by move: (IMPL j IN TAIL) => /negP.
- Qed.
-
- (** For simplicity, let's define a local name. *)
- Let arrivals_between := arrivals_between arr_seq.
-
- (** We observe that the cumulative workload of all jobs arriving in a time
- interval <<[t1, t2)>> and respecting a predicate [P] can be split into two parts. *)
- Lemma workload_of_jobs_cat:
- forall t t1 t2 P,
- t1 <= t <= t2 ->
- workload_of_jobs P (arrivals_between t1 t2) =
- workload_of_jobs P (arrivals_between t1 t) + workload_of_jobs P (arrivals_between t t2).
- Proof.
- move => t t1 t2 P /andP [GE LE].
- rewrite /workload_of_jobs /arrivals_between.
- by rewrite (arrivals_between_cat _ _ t) // big_cat.
- Qed.
-
- (** Consider a job [j] ... *)
- Variable j : Job.
-
- (** ... and a duplicate-free sequence of jobs [jobs]. *)
- Variable jobs : seq Job.
- Hypothesis H_jobs_uniq : uniq jobs.
-
- (** Further, assume that [j] is contained in [jobs]. *)
- Hypothesis H_j_in_jobs : j \in jobs.
-
- (** To help with rewriting, we prove that the workload of [jobs]
- minus the job cost of [j] is equal to the workload of all jobs
- except [j]. To define the workload of all jobs, since
- [workload_of_jobs] expects a predicate, we use [predT], which
- is the always-true predicate. *)
- Lemma workload_minus_job_cost :
- workload_of_jobs (fun jhp : Job => jhp != j) jobs =
- workload_of_jobs predT jobs - job_cost j.
- Proof.
- rewrite /workload_of_jobs (big_rem j) //= eq_refl //= add0n.
- rewrite [in RHS](big_rem j) //= addnC -subnBA //= subnn subn0.
- rewrite [in LHS]big_seq_cond [in RHS]big_seq_cond.
- apply eq_bigl => j'.
- rewrite Bool.andb_true_r.
- destruct (j' \in rem (T:=Job) j jobs) eqn:INjobs; last by done.
- apply /negP => /eqP EQUAL.
- by rewrite EQUAL mem_rem_uniqF in INjobs.
- Qed.
-
-
- (** In this section, we prove the relation between two different ways of constraining
- [workload_of_jobs] to only those jobs that arrive prior to a given time. *)
- Section Subset.
-
- (** Assume that arrival times are consistent and that arrivals are unique. *)
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Consider a time interval <<[t1, t2)>> and a time instant [t]. *)
- Variable t1 t2 t : instant.
- Hypothesis H_t1_le_t2 : t1 <= t2.
-
- (** Let [P] be an arbitrary predicate on jobs. *)
- Variable P : pred Job.
-
- (** Consider the window <<[t1,t2)>>. We prove that the total workload of the jobs
- arriving in this window before some [t] is the same as the workload of the jobs
- arriving in <<[t1,t)>>. Note that we only require [t1] to be less-or-equal
- than [t2]. Consequently, the interval <<[t1,t)>> may be empty. *)
- Lemma workload_equal_subset :
- workload_of_jobs (fun j => (job_arrival j <= t) && P j) (arrivals_between t1 t2)
- <= workload_of_jobs (fun j => P j) (arrivals_between t1 (t + ε)).
- Proof.
- clear H_jobs_uniq H_j_in_jobs H_t1_le_t2.
- rewrite /workload_of_jobs big_seq_cond.
- rewrite -[in X in X <= _]big_filter -[in X in _ <= X]big_filter.
- apply leq_sum_sub_uniq; first by apply filter_uniq, arrivals_uniq; rt_eauto.
- move => j'; rewrite mem_filter => [/andP [/andP [A /andP [C D]] _]].
- rewrite mem_filter; apply/andP; split; first by done.
- apply job_in_arrivals_between; eauto.
- - by eapply in_arrivals_implies_arrived; eauto 2.
- - apply in_arrivals_implies_arrived_between in A; auto; move: A => /andP [A E].
- by unfold ε; apply/andP; split; lia.
- Qed.
-
- End Subset.
-
- (** In this section, we prove a few useful properties regarding the
- predicate of [workload_of_jobs]. *)
- Section PredicateProperties.
-
- (** First, we show that workload of jobs for an unsatisfiable
- predicate is equal to 0. *)
- Lemma workload_of_jobs_pred0 :
- workload_of_jobs pred0 jobs = 0.
- Proof. by rewrite /workload_of_jobs; apply big_pred0. Qed.
-
- (** Next, consider two arbitrary predicates [P] and [P']. *)
- Variable P P' : pred Job.
-
- (** We show that [workload_of_jobs] conditioned on [P] can be split into two summands:
- (1) [workload_of_jobs] conditioned on [P /\ P'] and
- (2) [workload_of_jobs] conditioned on [P /\ ~~ P']. *)
- Lemma workload_of_jobs_case_on_pred :
- workload_of_jobs P jobs =
- workload_of_jobs (fun j => P j && P' j) jobs + workload_of_jobs (fun j => P j && ~~ P' j) jobs.
- Proof.
- rewrite /workload_of_jobs !big_mkcond [in X in _ = X]big_mkcond
- [in X in _ = _ + X]big_mkcond //= -big_split //=.
- apply: eq_big_seq => j' IN.
- by destruct (P _), (P' _); simpl; lia.
- Qed.
-
- (** We show that if [P] is indistinguishable from [P'] on set
- [jobs], then [workload_of_jobs] conditioned on [P] is equal to
- [workload_of_jobs] conditioned on [P']. *)
- Lemma workload_of_jobs_equiv_pred :
- {in jobs, P =1 P'} ->
- workload_of_jobs P jobs = workload_of_jobs P' jobs.
- Proof.
- intros * EQUIV.
- rewrite /workload_of_jobs !big_mkcond [in X in _ = X]big_mkcond //=.
- by apply: eq_big_seq => j' IN; rewrite EQUIV.
- Qed.
-
- End PredicateProperties.
-
-End WorkloadFacts.
diff --git a/analysis/facts/periodic/arrival_separation.v b/analysis/facts/periodic/arrival_separation.v
deleted file mode 100644
index d5ee84a5e22bea45f05d101b5935c9a352cd254a..0000000000000000000000000000000000000000
--- a/analysis/facts/periodic/arrival_separation.v
+++ /dev/null
@@ -1,155 +0,0 @@
-Require Export prosa.model.task.arrival.periodic_as_sporadic.
-Require Export prosa.analysis.facts.sporadic.arrival_times.
-
-(** In this section we show that the separation between job
- arrivals of a periodic task is some multiple of their
- corresponding task's period. *)
-Section JobArrivalSeparation.
-
- (** Consider periodic tasks with an offset ... *)
- Context {Task : TaskType}.
- Context `{PeriodicModel Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any unique arrival sequence with consistent arrivals, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... and any task [tsk] that is to be analyzed. *)
- Variable tsk : Task.
-
- (** Assume all tasks have a valid period and respect the periodic task model. *)
- Hypothesis H_periodic_model: respects_periodic_task_model arr_seq tsk.
- Hypothesis H_valid_period: valid_period tsk.
-
- (** In this section we show that two consecutive jobs of a periodic
- task have their arrival times separated by their task's
- period. *)
- Section ConsecutiveJobSeparation.
-
- (** Consider any two _consecutive_ jobs [j1] and [j2] of task [tsk]. *)
- Variable j1 : Job.
- Variable j2 : Job.
- Hypothesis H_j1_from_arr_seq: arrives_in arr_seq j1.
- Hypothesis H_j2_from_arr_seq: arrives_in arr_seq j2.
- Hypothesis H_j1_of_task: job_task j1 = tsk.
- Hypothesis H_j2_of_task: job_task j2 = tsk.
- Hypothesis H_consecutive_jobs: job_index arr_seq j2 = job_index arr_seq j1 + 1.
-
- (** We show that if job [j1] and [j2] are consecutive jobs with [j2]
- arriving after [j1], then their arrival times are separated by
- their task's period. *)
- Lemma consecutive_job_separation:
- job_arrival j2 = job_arrival j1 + task_period tsk.
- Proof.
- move : (H_periodic_model j2) => PERIODIC.
- feed_n 3 PERIODIC => //; first by rewrite H_consecutive_jobs; lia.
- move : PERIODIC => [pj' [ARR_IN_PJ' [INDPJ'J' [TSKPJ' ARRPJ']]]].
- rewrite H_consecutive_jobs addnK in INDPJ'J'.
- apply equal_index_implies_equal_jobs in INDPJ'J' => //; last by rewrite TSKPJ'.
- by rewrite INDPJ'J' in ARRPJ'; lia.
- Qed.
-
- End ConsecutiveJobSeparation.
-
- (** In this section we show that for two unequal jobs of a task,
- there exists a non-zero multiple of their task's period which separates
- their arrival times. *)
- Section ArrivalSeparationWithGivenIndexDifference.
-
- (** Consider any two _consecutive_ jobs [j1] and [j2] of task [tsk]
- that stem from the arrival sequence. *)
- Variable j1 j2 : Job.
- Hypothesis H_j1_from_arr_seq: arrives_in arr_seq j1.
- Hypothesis H_j2_from_arr_seq: arrives_in arr_seq j2.
- Hypothesis H_j1_of_task: job_task j1 = tsk.
- Hypothesis H_j2_of_task: job_task j2 = tsk.
-
- (** We'll assume that job [j1] arrives before [j2] and that
- their indices differ by an integer [k]. *)
- Variable k : nat.
- Hypothesis H_index_difference_k: job_index arr_seq j1 + k = job_index arr_seq j2 .
- Hypothesis H_job_arrival_lt: job_arrival j1 < job_arrival j2.
-
- (** We prove that arrival of unequal jobs of a task [tsk] are
- separated by a non-zero multiple of [task_period tsk] provided
- their index differs by a number [k]. *)
- Lemma job_arrival_separation_when_index_diff_is_k:
- exists n,
- n > 0 /\
- job_arrival j2 = job_arrival j1 + n * task_period tsk.
- Proof.
- move: j1 j2 H_j1_of_task H_j2_of_task H_index_difference_k H_job_arrival_lt H_j2_from_arr_seq H_j1_from_arr_seq;
- clear H_index_difference_k H_job_arrival_lt H_j2_from_arr_seq H_j1_from_arr_seq H_j1_of_task H_j2_of_task j1 j2.
- move: k => s.
- induction s.
- { intros j1 j2 TSKj1 TSKj2 STEP LT ARRj1 ARRj2; exfalso.
- specialize (earlier_arrival_implies_lower_index arr_seq H_valid_arrival_sequence j1 j2) => LT_IND.
- feed_n 4 LT_IND => //; first by rewrite TSKj2.
- by lia.
- }
- { intros j1 j2 TSKj1 TSKj2 STEP LT ARRj2 ARRj1.
- specialize (exists_jobs_before_j
- arr_seq H_valid_arrival_sequence j2 ARRj2 (job_index arr_seq j2 - s)) => BEFORE.
- destruct s.
- - exists 1; repeat split.
- by rewrite (consecutive_job_separation j1) //; lia.
- - feed BEFORE; first by lia.
- move : BEFORE => [nj [NEQNJ [TSKNJ [ARRNJ INDNJ]]]]; rewrite TSKj2 in TSKNJ.
- specialize (IHs nj j2); feed_n 6 IHs => //; first by lia.
- { by apply (lower_index_implies_earlier_arrival _ H_valid_arrival_sequence tsk);
- rt_eauto; lia.
- }
- move : IHs => [n [NZN ARRJ'NJ]].
- move: (H_periodic_model nj) => PERIODIC; feed_n 3 PERIODIC => //; first by lia.
- move : PERIODIC => [sj [ARR_IN_SJ [INDSJ [TSKSJ ARRSJ]]]]; rewrite ARRSJ in ARRJ'NJ.
- have INDJ : (job_index arr_seq j1 = job_index arr_seq j2 - s.+2) by lia.
- rewrite INDNJ -subnDA addn1 -INDJ in INDSJ.
- apply equal_index_implies_equal_jobs in INDSJ => //; last by rewrite TSKj1 => //.
- exists (n.+1); split; try by lia.
- rewrite INDSJ in ARRJ'NJ; rewrite mulSnr.
- by lia.
- }
- Qed.
-
- End ArrivalSeparationWithGivenIndexDifference.
-
- (** Consider any two _distinct_ jobs [j1] and [j2] of task [tsk]
- that stem from the arrival sequence. *)
- Variable j1 j2 : Job.
- Hypothesis H_j1_neq_j2: j1 <> j2.
- Hypothesis H_j1_from_arr_seq: arrives_in arr_seq j1.
- Hypothesis H_j2_from_arr_seq: arrives_in arr_seq j2.
- Hypothesis H_j1_of_task: job_task j1 = tsk.
- Hypothesis H_j2_of_task: job_task j2 = tsk.
-
- (** Without loss of generality, we assume that
- job [j1] arrives before job [j2]. *)
- Hypothesis H_j1_before_j2: job_arrival j1 <= job_arrival j2.
-
- (** We generalize the above lemma to show that any two unequal
- jobs of task [tsk] are separated by a non-zero multiple
- of [task_period tsk]. *)
- Lemma job_sep_periodic:
- exists n,
- n > 0 /\
- job_arrival j2 = job_arrival j1 + n * task_period tsk.
- Proof.
- apply job_arrival_separation_when_index_diff_is_k with (k := (job_index arr_seq j2 - job_index arr_seq j1)); try done.
- - apply subnKC.
- move_neq_up IND.
- eapply lower_index_implies_earlier_arrival in IND; rt_eauto.
- by move_neq_down IND.
- - case: (boolP (job_index arr_seq j1 == job_index arr_seq j2)) => [/eqP EQ_IND|NEQ_IND].
- + by apply equal_index_implies_equal_jobs in EQ_IND => //; rewrite H_j1_of_task.
- + move: NEQ_IND; rewrite neq_ltn => /orP [LT|LT].
- * by eapply (lower_index_implies_earlier_arrival) in LT; rt_eauto.
- * eapply (lower_index_implies_earlier_arrival) in LT; rt_eauto.
- by move_neq_down LT.
- Qed.
-
-End JobArrivalSeparation.
diff --git a/analysis/facts/periodic/arrival_times.v b/analysis/facts/periodic/arrival_times.v
deleted file mode 100644
index df1274b7f474b345368695c0b4010cfc7dbc7bad..0000000000000000000000000000000000000000
--- a/analysis/facts/periodic/arrival_times.v
+++ /dev/null
@@ -1,93 +0,0 @@
-Require Export prosa.model.task.arrival.periodic_as_sporadic.
-Require Export prosa.analysis.facts.periodic.max_inter_arrival.
-Require Export prosa.analysis.facts.model.offset.
-
-(** In this module, we'll prove the known arrival
- times of jobs that stem from periodic tasks. *)
-Section PeriodicArrivalTimes.
-
- (** Consider periodic tasks with an offset ... *)
- Context {Task : TaskType}.
- Context `{TaskOffset Task}.
- Context `{PeriodicModel Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any unique arrival sequence with consistent arrivals ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
- (** ... and any periodic task [tsk] with a valid offset and period. *)
- Variable tsk : Task.
- Hypothesis H_valid_offset: valid_offset arr_seq tsk.
- Hypothesis H_valid_period: valid_period tsk.
- Hypothesis H_task_respects_periodic_model: respects_periodic_task_model arr_seq tsk.
-
- (** We show that the nth job [j] of task [tsk]
- arrives at the instant [task_offset tsk + n * task_period tsk]. *)
- Lemma periodic_arrival_times:
- forall n (j : Job),
- arrives_in arr_seq j ->
- job_task j = tsk ->
- job_index arr_seq j = n ->
- job_arrival j = task_offset tsk + n * task_period tsk.
- Proof.
- induction n.
- { intros j ARR TSK_IN ZINDEX.
- rewrite mul0n addn0.
- exact: first_job_arrival ZINDEX.
- }
- { intros j ARR TSK_IN JB_INDEX.
- move : (H_task_respects_periodic_model j ARR) => PREV_JOB.
- feed_n 2 PREV_JOB => //; first by lia.
- move : PREV_JOB => [pj [ARR' [IND [TSK ARRIVAL]]]].
- specialize (IHn pj); feed_n 3 IHn => //; first by rewrite IND JB_INDEX; lia.
- rewrite ARRIVAL IHn; lia.
- }
- Qed.
-
- (** We show that for every job [j] of task [tsk] there exists a number
- [n] such that [j] arrives at the instant [task_offset tsk + n * task_period tsk]. *)
- Lemma job_arrival_times:
- forall j,
- arrives_in arr_seq j ->
- job_task j = tsk ->
- exists n, job_arrival j = task_offset tsk + n * task_period tsk.
- Proof.
- intros * ARR TSK.
- exists (job_index arr_seq j).
- specialize (periodic_arrival_times (job_index arr_seq j) j) => J_ARR.
- by feed_n 3 J_ARR => //.
- Qed.
-
- (** If a job [j] of task [tsk] arrives at [task_offset tsk + n * task_period tsk]
- then the [job_index] of [j] is equal to [n]. *)
- Lemma job_arr_index:
- forall n j,
- arrives_in arr_seq j ->
- job_task j = tsk ->
- job_arrival j = task_offset tsk + n * task_period tsk ->
- job_index arr_seq j = n.
- Proof.
- have F : task_period tsk > 0 by auto.
- induction n.
- + intros * ARR_J TSK ARR.
- destruct (PeanoNat.Nat.zero_or_succ (job_index arr_seq j)) as [Z | [m SUCC]] => //.
- by apply periodic_arrival_times in SUCC => //; lia.
- + intros * ARR_J TSK ARR.
- specialize (H_task_respects_periodic_model j); feed_n 3 H_task_respects_periodic_model => //.
- { rewrite lt0n; apply /eqP; intro EQ.
- apply (first_job_arrival _ H_valid_arrival_sequence tsk) in EQ => //.
- by rewrite EQ in ARR; lia.
- }
- move : H_task_respects_periodic_model => [j' [ARR' [IND' [TSK' ARRIVAL']]]].
- specialize (IHn j'); feed_n 3 IHn => //; first by rewrite ARR in ARRIVAL'; lia.
- rewrite IHn in IND'.
- destruct (PeanoNat.Nat.zero_or_succ (job_index arr_seq j)) as [Z | [m SUCC]]; last by lia.
- rewrite (first_job_arrival arr_seq _ tsk)// in ARR.
- by lia.
- Qed.
-
-End PeriodicArrivalTimes.
diff --git a/analysis/facts/periodic/max_inter_arrival.v b/analysis/facts/periodic/max_inter_arrival.v
deleted file mode 100644
index cd6830f242682be0e7b4897f9a60b33dc25d2fda..0000000000000000000000000000000000000000
--- a/analysis/facts/periodic/max_inter_arrival.v
+++ /dev/null
@@ -1,54 +0,0 @@
-Require Export prosa.analysis.facts.periodic.arrival_separation.
-
-(** ** Periodic Task Model respects the Task Max Inter-Arrival model. *)
-
-(** In this section, we show that the periodic task model
- respects the task max inter-arrival model (i.e. consecutive jobs
- of a task are separated at most by a certain duration specified by
- the [task_max_inter_arrival_time] parameter). *)
-Section PeriodicTasksRespectMaxInterArrivalModel.
-
- (** Consider any type of periodic tasks, ... *)
- Context {Task : TaskType} `{PeriodicModel Task}.
-
- (** ... any type of jobs associated with the tasks, ... *)
- Context {Job : JobType} `{JobTask Job Task} `{JobArrival Job}.
-
- (** ... and any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** By using each task's period as its maximum inter-arrival time, ... *)
- Global Instance max_inter_eq_period : TaskMaxInterArrival Task :=
- {
- task_max_inter_arrival_time := task_period
- }.
-
- (** ... we observe that for any task [tsk],
- [task_max_inter_arrival_time tsk] is positive, ... *)
- Remark valid_period_is_valid_max_inter_arrival_time:
- forall tsk, valid_period tsk -> positive_task_max_inter_arrival_time tsk.
- Proof. trivial. Qed.
-
- (** ... and show that the periodic model respects the task max inter-arrival model. *)
- Remark periodic_model_respects_max_inter_arrival_model:
- forall tsk,
- valid_period tsk ->
- respects_periodic_task_model arr_seq tsk ->
- valid_task_max_inter_arrival_time arr_seq tsk.
- Proof.
- intros tsk VALID_PERIOD PERIODIC.
- split; first by apply VALID_PERIOD => //.
- intros j ARR TSK IND.
- specialize (PERIODIC j); feed_n 3 PERIODIC => //.
- move : PERIODIC => [j' [ARR' [IND' [TSK' ARRJ']]]].
- exists j'; repeat split => //.
- { case: (boolP (j == j')) => [/eqP EQ|NEQ].
- - have EQ_IND : (job_index arr_seq j' = job_index arr_seq j) by apply f_equal => //.
- now exfalso; lia.
- - now apply /eqP. }
- { have NZ_PERIOD : (task_period tsk > 0) by apply VALID_PERIOD.
- rewrite /max_inter_eq_period /task_max_inter_arrival_time ARRJ'.
- now lia. }
- Qed.
-
-End PeriodicTasksRespectMaxInterArrivalModel.
diff --git a/analysis/facts/periodic/task_arrivals_size.v b/analysis/facts/periodic/task_arrivals_size.v
deleted file mode 100644
index ff36dfb1a609bde9844e2af69daff119ea6f719a..0000000000000000000000000000000000000000
--- a/analysis/facts/periodic/task_arrivals_size.v
+++ /dev/null
@@ -1,205 +0,0 @@
-Require Export prosa.analysis.facts.periodic.arrival_times.
-Require Export prosa.analysis.definitions.infinite_jobs.
-Require Export prosa.analysis.facts.sporadic.arrival_sequence.
-
-(** In this file we prove some properties concerning the size
- of task arrivals in context of the periodic model. *)
-Section TaskArrivalsSize.
-
- (** Consider any type of periodic tasks with an offset ... *)
- Context {Task : TaskType}.
- Context `{TaskOffset Task}.
- Context `{PeriodicModel Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any unique arrival sequence with consistent arrivals ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... and any periodic task [tsk] with a valid offset and period. *)
- Variable tsk : Task.
- Hypothesis H_valid_offset : valid_offset arr_seq tsk.
- Hypothesis H_valid_period : valid_period tsk.
- Hypothesis H_task_respects_periodic_model : respects_periodic_task_model arr_seq tsk.
-
- (** We show that if an instant [t] is not an "arrival time" for
- task [tsk] then [task_arrivals_at arr_seq tsk t] is an empty sequence. *)
- Lemma task_arrivals_size_at_non_arrival:
- forall t,
- (forall n, t <> task_offset tsk + n * task_period tsk) ->
- task_arrivals_at arr_seq tsk t = [::].
- Proof.
- intros * T.
- have EMPT_OR_EXISTS : forall xs, xs = [::] \/ exists a, a \in xs.
- { intros *.
- induction xs; first by left.
- right; exists a.
- by apply mem_head.
- }
- destruct (EMPT_OR_EXISTS Job (task_arrivals_at arr_seq tsk t)) as [EMPT | [a A_IN]] => //.
- rewrite /task_arrivals_at mem_filter in A_IN; move : A_IN => /andP [/eqP TSK A_ARR].
- move : H_valid_arrival_sequence => [CONSISTENT UNIQ].
- move : (A_ARR) => A_IN; apply CONSISTENT in A_IN.
- rewrite -A_IN in T; rewrite /arrivals_at in A_ARR.
- apply in_arrseq_implies_arrives in A_ARR.
- have EXISTS_N : exists n, job_arrival a = task_offset tsk + n * task_period tsk.
- exact: (job_arrival_times arr_seq).
- move : EXISTS_N => [n A_ARRIVAL].
- by move : (T n) => T1.
- Qed.
-
- (** We show that at any instant [t], at most one job of task [tsk]
- can arrive (i.e. size of [task_arrivals_at arr_seq tsk t] is at most one). *)
- Lemma task_arrivals_at_size_cases:
- forall t,
- size (task_arrivals_at arr_seq tsk t) = 0 \/
- size (task_arrivals_at arr_seq tsk t) = 1.
- Proof.
- intro t.
- case: (ltngtP (size (task_arrivals_at arr_seq tsk t)) 1) => [LT|GT|EQ]; try by auto.
- destruct (size (task_arrivals_at arr_seq tsk t)); now left.
- specialize (exists_two (task_arrivals_at arr_seq tsk t)) => EXISTS_TWO.
- move : H_valid_arrival_sequence => [CONSISTENT UNIQ].
- destruct EXISTS_TWO as [a [b [NEQ [A_IN B_IN]]]]; [by done | by apply filter_uniq | ].
- rewrite mem_filter in A_IN; rewrite mem_filter in B_IN.
- move: A_IN B_IN => /andP [/eqP TSKA ARRA] /andP [/eqP TSKB ARRB].
- move: (ARRA); move: (ARRB); rewrite /arrivals_at => A_IN B_IN.
- apply in_arrseq_implies_arrives in A_IN; apply in_arrseq_implies_arrives in B_IN.
- have SPO : respects_sporadic_task_model arr_seq tsk; try by rt_auto.
- have EQ_ARR_A : (job_arrival a = t) by rt_eauto.
- have EQ_ARR_B : (job_arrival b = t) by rt_eauto.
- specialize (SPO a b); feed_n 6 SPO => //; try by lia.
- rewrite EQ_ARR_A EQ_ARR_B in SPO.
- rewrite /task_min_inter_arrival_time /periodic_as_sporadic in SPO.
- have POS : task_period tsk > 0 by auto.
- by lia.
- Qed.
-
- (** We show that the size of task arrivals (strictly) between two consecutive arrival
- times is zero. *)
- Lemma size_task_arrivals_between_eq0:
- forall n,
- let l := (task_offset tsk + n * task_period tsk).+1 in
- let r := (task_offset tsk + n.+1 * task_period tsk) in
- size (task_arrivals_between arr_seq tsk l r) = 0.
- Proof.
- intros n l r; rewrite /l /r.
- rewrite size_of_task_arrivals_between big_nat_eq0 => //; intros t INEQ.
- rewrite task_arrivals_size_at_non_arrival => //; intros n1 EQ.
- rewrite EQ in INEQ.
- move : INEQ => /andP [INEQ1 INEQ2].
- rewrite ltn_add2l ltn_mul2r in INEQ1; rewrite ltn_add2l ltn_mul2r in INEQ2.
- move : INEQ1 INEQ2 => /andP [A B] /andP [C D].
- by lia.
- Qed.
-
- (** In this section we show some properties of task arrivals in case
- of an infinite sequence of jobs. *)
- Section TaskArrivalsInCaseOfInfiniteJobs.
-
- (** Assume that we have an infinite sequence of jobs. *)
- Hypothesis H_infinite_jobs : infinite_jobs arr_seq.
-
- (** We show that for any number [n], there exists a job [j] of task [tsk]
- such that [job_index] of [j] is equal to [n] and [j] arrives
- at [task_offset tsk + n * task_period tsk]. *)
- Lemma jobs_exists_later:
- forall n,
- exists j,
- arrives_in arr_seq j /\
- job_task j = tsk /\
- job_arrival j = task_offset tsk + n * task_period tsk /\
- job_index arr_seq j = n.
- Proof.
- intros *.
- destruct (H_infinite_jobs tsk n) as [j [ARR [TSK IND]]].
- exists j; repeat split => //.
- exact: (periodic_arrival_times arr_seq).
- Qed.
-
- (** We show that the size of task arrivals at any arrival time is equal to one. *)
- Lemma task_arrivals_at_size:
- forall n,
- let l := (task_offset tsk + n * task_period tsk) in
- size (task_arrivals_at arr_seq tsk l) = 1.
- Proof.
- intros n l; rewrite /l.
- move : (jobs_exists_later n) => [j' [ARR [TSK [ARRIVAL IND]]]].
- apply (only_j_in_task_arrivals_at_j
- arr_seq H_valid_arrival_sequence tsk) in ARR => //;
- last by rt_auto.
- rewrite /task_arrivals_at_job_arrival TSK in ARR.
- by rewrite -ARRIVAL ARR.
- Qed.
-
- (** We show that the size of task arrivals up to [task_offset tsk] is equal to one. *)
- Lemma size_task_arrivals_up_to_offset:
- size (task_arrivals_up_to arr_seq tsk (task_offset tsk)) = 1.
- Proof.
- rewrite /task_arrivals_up_to.
- specialize (task_arrivals_between_cat arr_seq tsk 0 (task_offset tsk) (task_offset tsk).+1) => CAT.
- feed_n 2 CAT => //; rewrite CAT size_cat.
- have Z : size (task_arrivals_between arr_seq tsk 0 (task_offset tsk)) = 0.
- { rewrite size_of_task_arrivals_between big_nat_eq0 => //; intros t T_EQ.
- rewrite task_arrivals_size_at_non_arrival => //; intros n EQ.
- by lia.
- }
- rewrite Z add0n /task_arrivals_between /arrivals_between big_nat1.
- specialize (task_arrivals_at_size 0) => AT_SIZE.
- by rewrite mul0n addn0 in AT_SIZE.
- Qed.
-
- (** We show that for any number [n], the number of jobs released by task [tsk] up to
- [task_offset tsk + n * task_period tsk] is equal to [n + 1]. *)
- Lemma task_arrivals_up_to_size:
- forall n,
- let l := (task_offset tsk + n * task_period tsk) in
- let r := (task_offset tsk + n.+1 * task_period tsk) in
- size (task_arrivals_up_to arr_seq tsk l) = n + 1.
- Proof.
- induction n.
- intros l r; rewrite /l mul0n add0n addn0.
- by apply size_task_arrivals_up_to_offset.
- intros l r.
- specialize (task_arrivals_cat arr_seq tsk (task_offset tsk + n * task_period tsk)
- (task_offset tsk + n.+1 * task_period tsk)) => CAT.
- feed_n 1 CAT; first by lia.
- rewrite CAT size_cat IHn.
- specialize (task_arrivals_between_cat arr_seq tsk (task_offset tsk + n * task_period tsk).+1
- (task_offset tsk + n.+1 * task_period tsk) (task_offset tsk + n.+1 * task_period tsk).+1) => S_CAT.
- feed_n 2 S_CAT; try by lia.
- { rewrite ltn_add2l ltn_mul2r.
- by apply /andP; split => //.
- }
- rewrite S_CAT size_cat /task_arrivals_between /arrivals_between big_nat1.
- rewrite size_task_arrivals_between_eq0 task_arrivals_at_size => //.
- by lia.
- Qed.
-
- (** We show that the number of jobs released by task [tsk] at any instant [t]
- and [t + n * task_period tsk] is the same for any number [n]. *)
- Lemma eq_size_of_task_arrivals_seperated_by_period:
- forall n t,
- t >= task_offset tsk ->
- size (task_arrivals_at arr_seq tsk t) =
- size (task_arrivals_at arr_seq tsk (t + n * task_period tsk)).
- Proof.
- move=> n t o_le_t.
- have [tmo_eq0|tmo_neq0] :=
- @eqP _ ((t - task_offset tsk) %% task_period tsk) 0.
- - rewrite -(subnKC o_le_t) (divn_eq (t - _) (task_period tsk)).
- by rewrite tmo_eq0 addn0 -addnA -mulnDl !task_arrivals_at_size.
- - rewrite !task_arrivals_size_at_non_arrival// => n';
- move=> /(f_equal (subn^~(task_offset tsk))); rewrite addKn;
- move=> /(f_equal (modn^~(task_period tsk))).
- + by rewrite -addnBAC// addnC -[n' * _]addn0 !modnMDl mod0n.
- + by rewrite -[n' * _]addn0 modnMDl mod0n.
- Qed.
-
- End TaskArrivalsInCaseOfInfiniteJobs.
-
-End TaskArrivalsSize.
diff --git a/analysis/facts/preemption/job/limited.v b/analysis/facts/preemption/job/limited.v
deleted file mode 100644
index 19a62edee9be9d432b977bfac0d31a26bd95bee6..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/job/limited.v
+++ /dev/null
@@ -1,224 +0,0 @@
-Require Export prosa.model.schedule.limited_preemptive.
-Require Export prosa.analysis.definitions.job_properties.
-Require Export prosa.analysis.facts.behavior.all.
-Require Export prosa.analysis.facts.model.sequential.
-Require Export prosa.analysis.facts.model.ideal.schedule.
-Require Export prosa.model.preemption.limited_preemptive.
-
-(** * Platform for Models with Limited Preemptions *)
-(** In this section, we prove that instantiation of predicate
- [job_preemptable] to the model with limited preemptions
- indeed defines a valid preemption model. *)
-Section ModelWithLimitedPreemptions.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** In addition, assume the existence of a function that maps a job
- to the sequence of its preemption points... *)
- Context `{JobPreemptionPoints Job}.
-
- (** ..., i.e., we assume limited-preemptive jobs. *)
- #[local] Existing Instance limited_preemptive_job_model.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Next, consider any limited ideal uni-processor schedule of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_schedule_respects_preemption_model:
- schedule_respects_preemption_model arr_seq sched.
-
- (** ...where jobs do not execute after their completion. *)
- Hypothesis H_completed_jobs_dont_execute: completed_jobs_dont_execute sched.
-
- (** Next, we assume that preemption points are defined by the
- job-level model with limited preemptions. *)
- Hypothesis H_valid_limited_preemptions_job_model:
- valid_limited_preemptions_job_model arr_seq.
-
- (** First, we prove a few auxiliary lemmas. *)
- Section AuxiliaryLemmas.
-
- (** Consider a job j. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
-
- (** Recall that 0 is a preemption point. *)
- Remark zero_in_preemption_points: 0 \in job_preemptive_points j.
- Proof. by apply H_valid_limited_preemptions_job_model. Qed.
-
- (** Using the fact that [job_preemptive_points] is a
- non-decreasing sequence, we prove that the first element of
- [job_preemptive_points] is 0. *)
- Lemma zero_is_first_element: first0 (job_preemptive_points j) = 0.
- Proof.
- have F := zero_in_preemption_points.
- destruct H_valid_limited_preemptions_job_model as [_ [_ C]]; specialize (C j H_j_arrives).
- by apply nondec_seq_zero_first.
- Qed.
-
- (** We prove that the list of preemption points is not empty. *)
- Lemma list_of_preemption_point_is_not_empty:
- 0 < size (job_preemptive_points j).
- Proof.
- move: H_valid_limited_preemptions_job_model => [BEG [END _]].
- apply/negPn/negP; rewrite -eqn0Ngt; intros CONTR; rewrite size_eq0 in CONTR.
- specialize (BEG j H_j_arrives).
- by move: CONTR BEG => /eqP; rewrite /beginning_of_execution_in_preemption_points => ->.
- Qed.
-
- (** Next, we prove that the cost of a job is a preemption point. *)
- Lemma job_cost_in_nonpreemptive_points: job_cost j \in job_preemptive_points j.
- Proof.
- move: H_valid_limited_preemptions_job_model => [BEG [END _]].
- move: (END _ H_j_arrives) => EQ.
- rewrite -EQ; clear EQ.
- rewrite /last0 -nth_last.
- apply/(nthP 0).
- exists ((size (job_preemptive_points j)).-1); last by done.
- rewrite -(leq_add2r 1) !addn1 prednK //.
- by apply list_of_preemption_point_is_not_empty.
- Qed.
-
- (** As a corollary, we prove that the sequence of non-preemptive
- points of a job with positive cost contains at least 2
- points. *)
- Corollary number_of_preemption_points_at_least_two:
- job_cost_positive j ->
- 2 <= size (job_preemptive_points j).
- Proof.
- intros POS.
- move: H_valid_limited_preemptions_job_model => [BEG [END _]].
- have EQ: 2 = size [::0; job_cost j]; first by done.
- rewrite EQ; clear EQ.
- apply subseq_leq_size.
- rewrite !cons_uniq.
- { apply/andP; split.
- rewrite in_cons negb_or; apply/andP; split; last by done.
- rewrite neq_ltn; apply/orP; left; eauto 2.
- apply/andP; split; by done. }
- intros t EQ; move: EQ; rewrite !in_cons.
- move => /orP [/eqP EQ| /orP [/eqP EQ|EQ]]; last by done.
- - by rewrite EQ; apply zero_in_preemption_points.
- - by rewrite EQ; apply job_cost_in_nonpreemptive_points.
- Qed.
-
- (** Next we prove that "anti-density" property (from
- [preemption.util] file) holds for [job_preemption_point j]. *)
- Lemma antidensity_of_preemption_points:
- forall (Ï : work),
- Ï <= job_cost j ->
- ~~ (Ï \in job_preemptive_points j) ->
- first0 (job_preemptive_points j) <= Ï < last0 (job_preemptive_points j).
- Proof.
- intros Ï LE NotIN.
- move: H_valid_limited_preemptions_job_model => [BEG [END NDEC]].
- apply/andP; split.
- - by rewrite zero_is_first_element.
- - rewrite END; last by done.
- rewrite ltn_neqAle; apply/andP; split; last by done.
- apply/negP; intros CONTR; move: CONTR => /eqP CONTR.
- rewrite CONTR in NotIN.
- move: NotIN => /negP NIN; apply: NIN.
- by apply job_cost_in_nonpreemptive_points.
- Qed.
-
- (** We also prove that any work that doesn't belong to
- preemption points of job j is placed strictly between two
- neighboring preemption points. *)
- Lemma work_belongs_to_some_nonpreemptive_segment:
- forall (Ï : work),
- Ï <= job_cost j ->
- ~~ (Ï \in job_preemptive_points j) ->
- exists n,
- n.+1 < size (job_preemptive_points j) /\
- nth 0 (job_preemptive_points j) n < Ï < nth 0 (job_preemptive_points j) n.+1.
- Proof.
- intros Ï LE NotIN.
- case: (posnP (job_cost j)) => [ZERO|POS].
- { exfalso; move: NotIN => /negP NIN; apply: NIN.
- move: LE. rewrite ZERO leqn0; move => /eqP ->.
- by apply zero_in_preemption_points. }
- move: (belonging_to_segment_of_seq_is_total
- (job_preemptive_points j) Ï (number_of_preemption_points_at_least_two POS)
- (antidensity_of_preemption_points _ LE NotIN)) => [n [SIZE2 /andP [N1 N2]]].
- exists n; split; first by done.
- apply/andP; split; last by done.
- move: N1; rewrite leq_eqVlt; move => /orP [/eqP EQ | G]; last by done.
- exfalso.
- move: NotIN => /negP CONTR; apply: CONTR.
- rewrite -EQ; clear EQ.
- rewrite mem_nth //.
- by apply ltnW.
- Qed.
-
- (** Recall that the module [prosa.model.preemption.parameters] also defines
- a notion of preemption points, namely [job_preemption_points], which
- cannot have duplicated preemption points. Therefore, we need additional
- lemmas to relate [job_preemption_points] and [job_preemptive_points]. *)
-
- (** First we show that the length of the last non-preemptive segment in
- [job_preemption_points] is equal to the length of the last non-empty
- non-preemptive segment of [job_preemptive_points]. *)
- Lemma job_parameters_last_np_to_job_limited:
- last0 (distances (job_preemption_points j)) =
- last0 (filter (fun x => 0 < x) (distances (job_preemptive_points j))).
- Proof.
- destruct H_valid_limited_preemptions_job_model as [A1 [A2 A3]].
- unfold job_preemption_points, job_preemptable, limited_preemptive_job_model.
- intros; rewrite distances_iota_filtered; eauto.
- rewrite -A2 //.
- by intros; apply last_is_max_in_nondecreasing_seq; eauto 2.
- Qed.
-
- (** Next we show that the length of the max non-preemptive segment of
- [job_preemption_points] is equal to the length of the max non-preemptive
- segment of [job_preemptive_points]. *)
- Lemma job_parameters_max_np_to_job_limited:
- max0 (distances (job_preemption_points j)) =
- max0 (distances (job_preemptive_points j)).
- Proof.
- destruct H_valid_limited_preemptions_job_model as [A1 [A2 A3]].
- unfold job_preemption_points, job_preemptable, limited_preemptive_job_model.
- intros; rewrite distances_iota_filtered; eauto 2.
- rewrite max0_rem0 //.
- rewrite -A2 //.
- by intros; apply last_is_max_in_nondecreasing_seq; eauto 2.
- Qed.
-
- End AuxiliaryLemmas.
-
- (** We prove that the [fixed_preemption_point_model] function
- defines a valid preemption model. *)
- Lemma valid_fixed_preemption_points_model_lemma:
- valid_preemption_model arr_seq sched.
- Proof.
- intros j ARR; repeat split.
- { by apply zero_in_preemption_points. }
- { by apply job_cost_in_nonpreemptive_points. }
- { by move => t NPP; apply H_schedule_respects_preemption_model. }
- { intros t NSCHED SCHED.
- have SERV: service sched j t = service sched j t.+1.
- { rewrite -[service sched j t]addn0 /service /service_during; apply/eqP.
- rewrite big_nat_recr //=.
- rewrite eqn_add2l eq_sym.
- rewrite scheduled_at_def in NSCHED.
- by rewrite service_at_def eqb0. }
- rewrite -[job_preemptable _ _]Bool.negb_involutive.
- apply/negP; intros CONTR.
- move: NSCHED => /negP NSCHED; apply: NSCHED.
- apply H_schedule_respects_preemption_model; first by done.
- by rewrite SERV.
- }
- Qed.
-
-End ModelWithLimitedPreemptions.
-Global Hint Resolve valid_fixed_preemption_points_model_lemma : basic_rt_facts.
diff --git a/analysis/facts/preemption/job/nonpreemptive.v b/analysis/facts/preemption/job/nonpreemptive.v
deleted file mode 100644
index 28fc8a4d3f94f74d5f7b00e6089c67fd79bbc831..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/job/nonpreemptive.v
+++ /dev/null
@@ -1,173 +0,0 @@
-Require Export prosa.analysis.facts.behavior.all.
-Require Export prosa.analysis.facts.model.ideal.schedule.
-Require Export prosa.analysis.definitions.job_properties.
-Require Export prosa.model.schedule.nonpreemptive.
-Require Export prosa.model.preemption.fully_nonpreemptive.
-
-(** * Platform for Fully Non-Preemptive model *)
-
-(** In this section, we prove that instantiation of predicate
- [job_preemptable] to the fully non-preemptive model indeed
- defines a valid preemption model. *)
-Section FullyNonPreemptiveModel.
-
- (** Consider any type of jobs. *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We assume that jobs are fully non-preemptive. *)
- #[local] Existing Instance fully_nonpreemptive_job_model.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Next, consider any non-preemptive ideal uniprocessor schedule of
- this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_nonpreemptive_sched : nonpreemptive_schedule sched.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** For simplicity, let's define some local names. *)
- Let job_pending := pending sched.
- Let job_completed_by := completed_by sched.
- Let job_scheduled_at := scheduled_at sched.
-
- (** Then, we prove that fully_nonpreemptive_model is a valid preemption model. *)
- Lemma valid_fully_nonpreemptive_model:
- valid_preemption_model arr_seq sched.
- Proof.
- intros j; split; [by apply/orP; left | split; [by apply/orP; right | split]].
- - move => t; rewrite /job_preemptable /fully_nonpreemptive_job_model Bool.negb_orb -lt0n; move => /andP [POS NCOMPL].
- move: (incremental_service_during _ _ _ _ _ POS) => [ft [/andP [_ LT] [SCHED SERV]]].
- apply H_nonpreemptive_sched with ft.
- + by apply ltnW.
- + by done.
- + rewrite /completed_by -ltnNge.
- move: NCOMPL; rewrite neq_ltn; move => /orP [LE|GE]; [by done | exfalso].
- move: GE; rewrite ltnNge; move => /negP GE; apply: GE.
- apply completion.service_at_most_cost; rt_eauto.
- - intros t NSCHED SCHED.
- rewrite /job_preemptable /fully_nonpreemptive_job_model.
- apply/orP; left.
- apply/negP; intros CONTR; move: CONTR => /negP; rewrite -lt0n; intros POS.
- move: (incremental_service_during _ _ _ _ _ POS) => [ft [/andP [_ LT] [SCHEDn SERV]]].
- move: NSCHED => /negP NSCHED; apply: NSCHED.
- apply H_nonpreemptive_sched with ft.
- + by rewrite -ltnS.
- + by done.
- + rewrite /completed_by -ltnNge.
- apply leq_ltn_trans with (service sched j t.+1).
- * by rewrite /service /service_during big_nat_recr //= leq_addr.
- * rewrite -addn1; apply leq_trans with (service sched j t.+2).
- have <-: (service_at sched j t.+1) = 1.
- { by apply/eqP; rewrite service_at_def eqb1 -scheduled_at_def. }
- by rewrite -big_nat_recr //=.
- by apply completion.service_at_most_cost; rt_eauto.
- Qed.
-
- (** We also prove that under the fully non-preemptive model
- [job_max_nonpreemptive_segment j] is equal to [job_cost j] ... *)
- Lemma job_max_nps_is_job_cost:
- forall j, job_max_nonpreemptive_segment j = job_cost j.
- Proof.
- intros.
- rewrite /job_max_nonpreemptive_segment /lengths_of_segments
- /job_preemption_points /job_preemptable /fully_nonpreemptive_job_model.
- case: (posnP (job_cost j)) => [ZERO|POS].
- { by rewrite ZERO; compute. }
- have ->: forall n, n>0 -> [seq Ï <- index_iota 0 n.+1 | (Ï == 0) || (Ï == n)] = [:: 0; n].
- { clear; simpl; intros.
- apply/eqP; rewrite eqseq_cons; apply/andP; split; first by done.
- have ->: forall xs P1 P2, (forall x, x \in xs -> ~~ P1 x) -> [seq x <- xs | P1 x || P2 x] = [seq x <- xs | P2 x].
- { clear; intros.
- apply eq_in_filter.
- intros ? IN. specialize (H _ IN).
- by destruct (P1 x), (P2 x).
- }
- rewrite filter_pred1_uniq; first by done.
- - by apply iota_uniq.
- - by rewrite mem_iota; apply/andP; split; [done | rewrite add1n].
- - intros x; rewrite mem_iota; move => /andP [POS _].
- by rewrite -lt0n.
- }
- by rewrite /distances; simpl; rewrite subn0 /max0; simpl; rewrite max0n.
- by done.
- Qed.
-
- (** ... and [job_last_nonpreemptive_segment j] is equal to [job_cost j]. *)
- Lemma job_last_nps_is_job_cost:
- forall j, job_last_nonpreemptive_segment j = job_cost j.
- Proof.
- intros.
- rewrite /job_last_nonpreemptive_segment /lengths_of_segments
- /job_preemption_points /job_preemptable /fully_nonpreemptive_job_model.
- case: (posnP (job_cost j)) => [ZERO|POS].
- { by rewrite ZERO; compute. }
- have ->: forall n, n>0 -> [seq Ï <- index_iota 0 n.+1 | (Ï == 0) || (Ï == n)] = [:: 0; n].
- { clear; simpl; intros.
- apply/eqP; rewrite eqseq_cons; apply/andP; split; first by done.
- have ->: forall xs P1 P2, (forall x, x \in xs -> ~~ P1 x) -> [seq x <- xs | P1 x || P2 x] = [seq x <- xs | P2 x].
- { clear; intros.
- apply eq_in_filter.
- intros ? IN. specialize (H _ IN).
- by destruct (P1 x), (P2 x).
- }
- rewrite filter_pred1_uniq; first by done.
- - by apply iota_uniq.
- - by rewrite mem_iota; apply/andP; split; [done | rewrite add1n].
- - intros x; rewrite mem_iota; move => /andP [POS _].
- by rewrite -lt0n.
- }
- by rewrite /distances; simpl; rewrite subn0 /last0; simpl.
- by done.
- Qed.
-
-End FullyNonPreemptiveModel.
-Global Hint Resolve valid_fully_nonpreemptive_model : basic_rt_facts.
-
-(** In this section, we prove the equivalence between no preemptions and a non-preemptive schedule. *)
-Section NoPreemptionsEquivalence.
-
- (** Consider any type of jobs with preemption points. *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider an ideal uniprocessor schedule. *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** We prove that no preemptions in a schedule is equivalent to a non-preemptive schedule. *)
- Lemma no_preemptions_equiv_nonpreemptive :
- (forall j t, ~~preempted_at sched j t) <-> nonpreemptive_schedule sched.
- Proof.
- split.
- { move=> NOT_PREEMPTED j t t'.
- elim: t'; first by rewrite leqn0 => /eqP ->.
- move=> t' IH LE_tt' SCHEDULED INCOMP.
- apply contraT => NOT_SCHEDULED'.
- move: LE_tt'. rewrite leq_eqVlt => /orP [/eqP EQ |];
- first by move: NOT_SCHEDULED' SCHEDULED; rewrite -EQ => /negP //.
- rewrite ltnS => LEQ.
- have SCHEDULED': scheduled_at sched j t'
- by apply IH, (incompletion_monotonic _ _ _ t'.+1) => //.
- move: (NOT_PREEMPTED j t'.+1).
- rewrite /preempted_at -pred_Sn -andbA negb_and => /orP [/negP //|].
- rewrite negb_and => /orP [/negPn|/negPn].
- - by move: INCOMP => /negP.
- - by move: NOT_SCHEDULED' => /negP. }
- { move => NONPRE j t.
- apply contraT => /negPn /andP [/andP [SCHED_PREV INCOMP] NOT_SCHED].
- have SCHED: scheduled_at sched j t
- by apply: (NONPRE j t.-1 t) => //; apply leq_pred.
- contradict NOT_SCHED.
- apply /negP.
- by rewrite Bool.negb_involutive.
- }
- Qed.
-
-End NoPreemptionsEquivalence.
diff --git a/analysis/facts/preemption/job/preemptive.v b/analysis/facts/preemption/job/preemptive.v
deleted file mode 100644
index 8e58895ae723030bf6520fe191cc07cd46ba93e7..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/job/preemptive.v
+++ /dev/null
@@ -1,68 +0,0 @@
-Require Export prosa.model.task.preemption.parameters.
-Require Export prosa.model.preemption.fully_preemptive.
-
-(** * Preemptions in Fully Preemptive Model *)
-(** In this section, we prove that instantiation of predicate
- [job_preemptable] to the fully preemptive model indeed defines
- a valid preemption model. *)
-Section FullyPreemptiveModel.
-
- (** We assume that jobs are fully preemptive. *)
- #[local] Existing Instance fully_preemptive_job_model.
-
- (** Consider any type of jobs. *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any kind of processor state model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any job arrival sequence, ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any given schedule. *)
- Variable sched : schedule PState.
-
- (** Then, we prove that fully_preemptive_model is a valid preemption model. *)
- Lemma valid_fully_preemptive_model:
- valid_preemption_model arr_seq sched.
- Proof.
- by intros j ARR; repeat split; intros t CONTR.
- Qed.
-
- (** We also prove that under the fully preemptive model
- [job_max_nonpreemptive_segment j] is equal to 0, when [job_cost
- j = 0] ... *)
- Lemma job_max_nps_is_0:
- forall j,
- job_cost j = 0 ->
- job_max_nonpreemptive_segment j = 0.
- Proof.
- intros.
- rewrite /job_max_nonpreemptive_segment /lengths_of_segments
- /job_preemption_points.
- by rewrite H1; compute.
- Qed.
-
- (** ... or ε when [job_cost j > 0]. *)
- Lemma job_max_nps_is_ε:
- forall j,
- job_cost j > 0 ->
- job_max_nonpreemptive_segment j = ε.
- Proof.
- intros ? POS.
- rewrite /job_max_nonpreemptive_segment /lengths_of_segments
- /job_preemption_points.
- rewrite /job_preemptable /fully_preemptive_job_model.
- rewrite filter_predT.
- apply max0_of_uniform_set.
- - rewrite /range /index_iota subn0.
- rewrite [size _]pred_Sn -[in X in _ <= X]addn1 -size_of_seq_of_distances size_iota.
- + by rewrite -pred_Sn.
- + by rewrite ltnS.
- - by apply distances_of_iota_ε.
- Qed.
-
-End FullyPreemptiveModel.
-Global Hint Resolve valid_fully_preemptive_model : basic_rt_facts.
diff --git a/analysis/facts/preemption/rtc_threshold/floating.v b/analysis/facts/preemption/rtc_threshold/floating.v
deleted file mode 100644
index 0c286cb6adb1cdd421a2f9853e9d75bbe26e448f..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/rtc_threshold/floating.v
+++ /dev/null
@@ -1,43 +0,0 @@
-Require Export prosa.analysis.facts.preemption.task.floating.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.job_preemptable.
-Require Export prosa.model.task.preemption.floating_nonpreemptive.
-
-(** * Task's Run to Completion Threshold *)
-(** In this section, we instantiate function [task run to completion
- threshold] for the model with floating non-preemptive regions. *)
-Section TaskRTCThresholdFloatingNonPreemptiveRegions.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobCost Job}.
- Context `{JobPreemptable Job}.
-
- (** We assume a task model with floating non-preemptive regions. *)
- #[local] Existing Instance floating_preemptive_rtc_threshold.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Assume that a job cost cannot be larger than a task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Then, we prove that [task_rtct] function
- defines a valid task's run to completion threshold. *)
- Lemma floating_preemptive_valid_task_run_to_completion_threshold:
- forall tsk, valid_task_run_to_completion_threshold arr_seq tsk.
- Proof.
- intros; split.
- - by rewrite /task_rtc_bounded_by_cost.
- - intros j ARR TSK.
- apply leq_trans with (job_cost j); rt_eauto.
- by move: TSK => /eqP <-; apply H_valid_job_cost.
- Qed.
-
-End TaskRTCThresholdFloatingNonPreemptiveRegions.
-Global Hint Resolve floating_preemptive_valid_task_run_to_completion_threshold : basic_rt_facts.
diff --git a/analysis/facts/preemption/rtc_threshold/job_preemptable.v b/analysis/facts/preemption/rtc_threshold/job_preemptable.v
deleted file mode 100644
index 451319b8af79ea8ce4667e1dbe02a6bb5f4a3bad..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/rtc_threshold/job_preemptable.v
+++ /dev/null
@@ -1,263 +0,0 @@
-Require Export prosa.analysis.definitions.job_properties.
-Require Export prosa.analysis.facts.behavior.all.
-Require Export prosa.model.task.preemption.parameters.
-
-(** * Run-to-Completion Threshold *)
-(** In this section, we provide a few basic properties
- of run-to-completion-threshold-compliant schedules. *)
-Section RunToCompletionThreshold.
-
- (** Consider any type of jobs. *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** In addition, we assume existence of a function
- mapping jobs to their preemption points. *)
- Context `{JobPreemptable Job}.
-
- (** Consider any kind of processor state model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any job arrival sequence, ... *)
- Variable arr_seq: arrival_sequence Job.
-
- (** ... and any given schedule. *)
- Variable sched: schedule PState.
-
- (** Assume that the preemption model is valid. *)
- Hypothesis H_valid_preemption_model:
- valid_preemption_model arr_seq sched.
-
- (** Consider an arbitrary job j from the arrival sequence. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
-
- (** First we prove a few auxiliary lemmas about
- [job_preemption_points]. *)
- Section AuxiliaryLemmas.
-
- (** We prove that the sequence of preemption points of a zero-cost
- job consists of one element -- 0. *)
- Lemma preemption_points_of_zero_cost_job:
- job_cost j = 0 ->
- job_preemption_points j = [::0].
- Proof.
- intros ZERO.
- destruct (H_valid_preemption_model j) as [A1 [A2 [A3 A4]]]; auto.
- unfold job_preemption_points; rewrite ZERO; simpl.
- simpl; unfold job_cannot_become_nonpreemptive_before_execution in *.
- by rewrite A1.
- Qed.
-
- (** For a positive-cost job, 0 ... *)
- Lemma zero_in_preemption_points:
- 0 < job_cost j ->
- 0 \in job_preemption_points j.
- Proof.
- intros POS.
- unfold job_preemption_points, range.
- destruct (H_valid_preemption_model j) as [A1 [A2 [A3 A4]]]; auto.
- unfold job_cannot_become_nonpreemptive_before_execution in *.
- rewrite index_iota_lt_step; last by done.
- by simpl; rewrite A1 in_cons eq_refl.
- Qed.
-
- (** ... and [job_cost] are in preemption points. *)
- Lemma job_cost_in_preemption_points:
- 0 < job_cost j ->
- job_cost j \in job_preemption_points j.
- Proof.
- intros POS.
- unfold job_preemption_points, range, index_iota; rewrite subn0 -addn1.
- rewrite iotaD add0n filter_cat mem_cat.
- apply/orP; right; simpl.
- destruct (H_valid_preemption_model j) as [A1 [A2 [A3 A4]]]; auto.
- unfold job_cannot_be_nonpreemptive_after_completion in *.
- by rewrite A2 in_cons eq_refl.
- Qed.
-
- (** Therefore, for a positive-cost job size of the sequence of
- preemption points is at least two. *)
- Lemma size_of_preemption_points:
- 0 < job_cost j ->
- 2 <= size (job_preemption_points j).
- Proof.
- intros POS.
- replace 2 with (size [::0; job_cost j]); last by done.
- apply subseq_leq_size.
- - apply/andP; split. rewrite !in_cons Bool.negb_orb.
- + apply/andP; split. by rewrite neq_ltn POS. by done.
- + apply/andP; split; by done.
- - intros Ï; rewrite !in_cons; move => /orP [/eqP EQ| /orP [/eqP Cost | C]].
- + by subst; apply zero_in_preemption_points.
- + by subst; apply job_cost_in_preemption_points.
- + by done.
- Qed.
-
- (** Next we show that the sequence of preemption points is a non-decreasing sequence. *)
- Lemma preemption_points_nondecreasing:
- nondecreasing_sequence (job_preemption_points j).
- Proof. by apply increasing_implies_nondecreasing, iota_is_increasing_sequence. Qed.
-
- (** Next, we prove that the last element of the sequence of
- preemption points is [job_cost]. *)
- Lemma job_cost_is_last_element_of_preemption_points:
- job_cost j = last0 (job_preemption_points j).
- Proof.
- unfold job_preemption_points.
- edestruct H_valid_preemption_model as [A1 [A2 [A3 A4]]]; eauto 2.
- erewrite last0_filter.
- + by apply/eqP; apply eq_refl.
- + unfold range, index_iota; rewrite subn0 -addn1.
- by rewrite iotaD; destruct (iota 0 (job_cost j)).
- + unfold range, index_iota; rewrite subn0 -addn1.
- by rewrite iotaD last0_cat //.
- + by apply A2.
- Qed.
-
- (** Last non-preemptive segment of a positive-cost job has positive length. *)
- Lemma job_last_nonpreemptive_segment_positive:
- job_cost_positive j ->
- 0 < job_last_nonpreemptive_segment j.
- Proof.
- intros COST. unfold job_last_nonpreemptive_segment.
- rewrite last0_nth function_of_distances_is_correct subn_gt0.
- rewrite [size _]pred_Sn -addn1-addn1.
- rewrite -size_of_seq_of_distances ?addn1; last by apply size_of_preemption_points.
- rewrite prednK; last first.
- { rewrite -(leq_add2r 1) !addn1 prednK.
- - apply size_of_preemption_points; eauto.
- - rewrite ltnW //; apply size_of_preemption_points; eauto.
- }
- apply iota_is_increasing_sequence; apply/andP; split.
- - rewrite -(leq_add2r 2) !addn2.
- rewrite prednK; first by done.
- rewrite -(leq_add2r 1) !addn1.
- rewrite prednK.
- + by apply size_of_preemption_points.
- + by rewrite ltnW //; apply size_of_preemption_points.
- - rewrite -(leq_add2r 1) !addn1.
- unfold job_preemption_points, range.
- rewrite prednK ?ltnS; first by done.
- by rewrite ltnW //; apply size_of_preemption_points.
- Qed.
-
- (** Max nonpreemptive segment of a positive-cost job has positive length. *)
- Lemma job_max_nonpreemptive_segment_positive:
- job_cost_positive j ->
- 0 < job_max_nonpreemptive_segment j.
- Proof.
- intros COST.
- eapply leq_trans.
- - by apply job_last_nonpreemptive_segment_positive.
- - by apply last_of_seq_le_max_of_seq.
- Qed.
-
- (** Next we show that max nonpreemptive segment is at most the
- cost of a job. *)
- Lemma job_max_nonpreemptive_segment_le_job_cost:
- job_max_nonpreemptive_segment j <= job_cost j.
- Proof.
- eapply leq_trans.
- apply max_distance_in_seq_le_last_element_of_seq; apply preemption_points_nondecreasing.
- destruct (H_valid_preemption_model j) as [A1 [A2 [A3 A4]]]; auto.
- case: (posnP (job_cost j)) => [ZERO|POSt].
- { unfold job_preemption_points; rewrite ZERO.
- simpl; unfold job_cannot_become_nonpreemptive_before_execution in *.
- by rewrite A1.
- }
- { eapply leq_trans; first apply last_of_seq_le_max_of_seq.
- rewrite job_cost_is_last_element_of_preemption_points.
- apply last_is_max_in_nondecreasing_seq; first by apply preemption_points_nondecreasing.
- apply max0_in_seq.
- have LL := size_of_preemption_points POSt.
- by destruct (job_preemption_points j).
- }
- Qed.
-
- (** We also show that last nonpreemptive segment is at most the
- cost of a job. *)
- Lemma job_last_nonpreemptive_segment_le_job_cost:
- job_last_nonpreemptive_segment j <= job_cost j.
- Proof.
- eapply leq_trans.
- - apply last_of_seq_le_max_of_seq.
- - apply job_max_nonpreemptive_segment_le_job_cost.
- Qed.
-
- End AuxiliaryLemmas.
-
- (** We prove that the run-to-completion threshold is positive for
- any job with positive cost. I.e., in order to become
- non-preemptive a job must receive at least one unit of
- service. *)
- Lemma job_run_to_completion_threshold_positive:
- job_cost_positive j ->
- 0 < job_rtct j.
- Proof.
- intros COST; unfold job_rtct, ε.
- have N1 := job_last_nonpreemptive_segment_positive COST.
- have N2 := job_last_nonpreemptive_segment_le_job_cost.
- lia.
- Qed.
-
- (** Next we show that the run-to-completion threshold is at most
- the cost of a job. *)
- Lemma job_run_to_completion_threshold_le_job_cost:
- job_rtct j <= job_cost j.
- Proof. by apply leq_subr. Qed.
-
-
- (** We prove that a job cannot be preempted
- during execution of the last segment. *)
- Lemma job_cannot_be_preempted_within_last_segment:
- forall (Ï : duration),
- job_rtct j <= Ï < job_cost j ->
- ~~ job_preemptable j Ï.
- Proof.
- move => Ï /andP [GE LT].
- apply/negP; intros C.
- have POS : 0 < job_cost j; first by lia.
- rewrite /job_rtct subnBA in GE; last by apply job_last_nonpreemptive_segment_positive.
- rewrite -addnBAC in GE; [rewrite addn1 in GE | by apply job_last_nonpreemptive_segment_le_job_cost].
- rewrite job_cost_is_last_element_of_preemption_points in LT, GE.
- rewrite last_seq_minus_last_distance_seq in GE; last by apply preemption_points_nondecreasing.
- have EQ := antidensity_of_nondecreasing_seq.
- specialize (EQ (job_preemption_points j) Ï (size (job_preemption_points j)).-2 ).
- feed_n 2 EQ; first by apply preemption_points_nondecreasing.
- { apply/andP; split; first by done.
- rewrite prednK; first by rewrite -last0_nth.
- rewrite -(leq_add2r 1) !addn1 prednK.
- - by apply size_of_preemption_points.
- - by eapply leq_trans; last apply size_of_preemption_points.
- }
- move: EQ => /negP EQ; apply: EQ.
- apply conversion_preserves_equivalence; try done.
- eapply leq_trans; first by apply ltnW; exact LT.
- by rewrite job_cost_is_last_element_of_preemption_points.
- Qed.
-
- (** In order to get a consistent schedule, the scheduler should respect
- the notion of run-to-completion threshold. We assume that, after
- a job reaches its run-to-completion threshold, it cannot be preempted
- until its completion. *)
- Lemma job_nonpreemptive_after_run_to_completion_threshold:
- forall t t',
- t <= t' ->
- job_rtct j <= service sched j t ->
- ~~ completed_by sched j t' ->
- scheduled_at sched j t'.
- Proof.
- intros ? ? LE TH COM.
- apply H_valid_preemption_model; first by done.
- apply job_cannot_be_preempted_within_last_segment; apply/andP; split.
- - by apply leq_trans with (service sched j t); last apply service_monotonic.
- - by rewrite ltnNge.
- Qed.
-
-End RunToCompletionThreshold.
-
-(** We add the above lemmas into a "Hint Database" basic_rt_facts, so Coq
- will be able to apply them automatically. *)
-Global Hint Resolve job_run_to_completion_threshold_le_job_cost : basic_rt_facts.
diff --git a/analysis/facts/preemption/rtc_threshold/limited.v b/analysis/facts/preemption/rtc_threshold/limited.v
deleted file mode 100644
index 39edeba09d937633e38d48e55a8615087ac4e6af..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/rtc_threshold/limited.v
+++ /dev/null
@@ -1,144 +0,0 @@
-Require Export prosa.analysis.facts.preemption.task.limited.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.job_preemptable.
-Require Export prosa.model.task.preemption.limited_preemptive.
-
-(** * Task's Run to Completion Threshold *)
-(** In this section, we prove that instantiation of function [task run
- to completion threshold] to the model with limited preemptions
- indeed defines a valid run-to-completion threshold function. *)
-Section TaskRTCThresholdLimitedPreemptions.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskPreemptionPoints Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobPreemptionPoints Job}.
-
- (** We assume a task model with fixed preemption points. *)
- #[local] Existing Instance limited_preemptive_job_model.
- #[local] Existing Instance limited_preemptions_rtc_threshold.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Next, consider any ideal uniprocessor schedule of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_schedule_respects_preemption_model:
- schedule_respects_preemption_model arr_seq sched.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Consider an arbitrary task set ts. *)
- Variable ts : seq Task.
-
- (** Assume that a job cost cannot be larger than a task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Consider the model with fixed preemption points. I.e., each task
- is divided into a number of non-preemptive segments by inserting
- statically predefined preemption points. *)
- Hypothesis H_valid_fixed_preemption_points_model:
- valid_fixed_preemption_points_model arr_seq ts.
-
- (** And consider any task from task set ts with positive cost. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
- Hypothesis H_positive_cost : 0 < task_cost tsk.
-
- (** We start by proving an auxiliary lemma. Note that since [tsk]
- has a positive cost, [task_preemption_points tsk] contains [0]
- and [task_cost tsk]. Thus, [2 <= size (task_preemption_points tsk)]. *)
- Remark number_of_preemption_points_in_task_at_least_two: 2 <= size (task_preemption_points tsk).
- Proof.
- move: (H_valid_fixed_preemption_points_model) => [MLP [BEG [END [INCR [HYP1 [HYP2 HYP3]]]]]].
- have Fact2: 0 < size (task_preemption_points tsk).
- { apply/negPn/negP; rewrite -eqn0Ngt; intros CONTR; move: CONTR => /eqP CONTR.
- move: (END _ H_tsk_in_ts) => EQ.
- move: EQ; rewrite /last0 -nth_last nth_default; last by rewrite CONTR.
- by intros; move: (H_positive_cost); rewrite EQ ltnn.
- }
- have EQ: 2 = size [::0; task_cost tsk]; first by done.
- rewrite EQ; clear EQ.
- apply subseq_leq_size.
- rewrite !cons_uniq.
- { apply/andP; split.
- rewrite in_cons negb_or; apply/andP; split; last by done.
- rewrite neq_ltn; apply/orP; left; eauto 2.
- apply/andP; split; by done. }
- intros t EQ; move: EQ; rewrite !in_cons.
- move => /orP [/eqP EQ| /orP [/eqP EQ|EQ]]; last by done.
- { rewrite EQ; clear EQ.
- move: (BEG _ H_tsk_in_ts) => EQ.
- rewrite -EQ; clear EQ.
- rewrite /first0 -nth0.
- apply/(nthP 0).
- exists 0; by done.
- }
- { rewrite EQ; clear EQ.
- move: (END _ H_tsk_in_ts) => EQ.
- rewrite -EQ; clear EQ.
- rewrite /last0 -nth_last.
- apply/(nthP 0).
- exists ((size (task_preemption_points tsk)).-1); last by done.
- by rewrite -(leq_add2r 1) !addn1 prednK //.
- }
- Qed.
-
- (** Then, we prove that [task_rtct] function
- defines a valid task's run to completion threshold. *)
- Lemma limited_valid_task_run_to_completion_threshold:
- valid_task_run_to_completion_threshold arr_seq tsk.
- Proof.
- split; first by rewrite /task_rtc_bounded_by_cost leq_subr.
- intros ? ARR__j TSK__j. move: (H_valid_fixed_preemption_points_model) => [LJ LT].
- move: (LJ) (LT) => [ZERO__job [COST__job SORT__job]] [ZERO__task [COST__task [SORT__task [T4 [T5 T6]]]]].
- rewrite /job_rtct /task_rtct /limited_preemptions_rtc_threshold
- /job_last_nonpreemptive_segment /task_last_nonpr_segment /lengths_of_segments.
- case: (posnP (job_cost j)) => [Z|POS]; first by rewrite Z; compute.
- have J_RTCT__pos : 0 < job_last_nonpreemptive_segment j
- by eapply job_last_nonpreemptive_segment_positive; eauto using valid_fixed_preemption_points_model_lemma.
- have T_RTCT__pos : 0 < task_last_nonpr_segment tsk.
- { unfold job_respects_segment_lengths, task_last_nonpr_segment in *.
- rewrite last0_nth; apply T6; eauto 2.
- have F: 1 <= size (distances (task_preemption_points tsk)).
- { apply leq_trans with (size (task_preemption_points tsk) - 1).
- - have F := number_of_preemption_points_in_task_at_least_two; lia.
- - rewrite [in X in X - 1]size_of_seq_of_distances; [lia | apply number_of_preemption_points_in_task_at_least_two].
- } lia.
- }
- have J_RTCT__le : job_last_nonpreemptive_segment j <= job_cost j
- by eapply job_last_nonpreemptive_segment_le_job_cost; eauto using valid_fixed_preemption_points_model_lemma.
- have T_RTCT__le : task_last_nonpr_segment tsk <= task_cost tsk.
- { unfold task_last_nonpr_segment. rewrite -COST__task //.
- eapply leq_trans; last by apply max_distance_in_seq_le_last_element_of_seq; eauto 2.
- by apply last_of_seq_le_max_of_seq.
- }
- rewrite subnBA // subnBA // -addnBAC // -addnBAC // !addn1 ltnS.
- erewrite job_parameters_last_np_to_job_limited; eauto 2.
- rewrite distances_positive_undup //; last by apply SORT__job.
- have -> : job_cost j = last0 (undup (job_preemptive_points j)) by rewrite last0_undup; [rewrite -COST__job | apply SORT__job].
- rewrite last_seq_minus_last_distance_seq; last by apply nondecreasing_sequence_undup, SORT__job.
- apply leq_trans with( nth 0 (job_preemptive_points j) ((size (job_preemptive_points j)).-2)); first by apply undup_nth_le; eauto 2.
- have -> : task_cost tsk = last0 (task_preemption_points tsk) by rewrite COST__task.
- rewrite last_seq_minus_last_distance_seq; last by apply SORT__task.
- move: TSK__j => /eqP TSK__j; rewrite -TSK__j.
- rewrite T4; last by done.
- apply domination_of_distances_implies_domination_of_seq; try eauto 2.
- - erewrite zero_is_first_element; eauto.
- - eapply number_of_preemption_points_at_least_two; eauto 2.
- - by rewrite TSK__j; eapply number_of_preemption_points_in_task_at_least_two.
- - by apply SORT__task; rewrite TSK__j.
- Qed.
-
-End TaskRTCThresholdLimitedPreemptions.
-Global Hint Resolve limited_valid_task_run_to_completion_threshold : basic_rt_facts.
diff --git a/analysis/facts/preemption/rtc_threshold/nonpreemptive.v b/analysis/facts/preemption/rtc_threshold/nonpreemptive.v
deleted file mode 100644
index 6b7ae3a73e7dc2d84ba308af36575fe8e3a9d99c..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/rtc_threshold/nonpreemptive.v
+++ /dev/null
@@ -1,82 +0,0 @@
-Require Export prosa.analysis.facts.preemption.job.nonpreemptive.
-Require Export prosa.model.task.preemption.fully_nonpreemptive.
-
-(** * Task's Run to Completion Threshold *)
-(** In this section, we prove that instantiation of function [task run
- to completion threshold] to the fully non-preemptive model
- indeed defines a valid run-to-completion threshold function. *)
-Section TaskRTCThresholdFullyNonPreemptive.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We assume a fully non-preemptive task model. *)
- #[local] Existing Instance fully_nonpreemptive_job_model.
- #[local] Existing Instance fully_nonpreemptive_task_model.
- #[local] Existing Instance fully_nonpreemptive_rtc_threshold.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Next, consider any ideal non-preemptive uniprocessor schedule of
- this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_nonpreemptive_sched : nonpreemptive_schedule sched.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** First we prove that if the cost of a job j is equal to 0, then [job_rtct j = 0] ... *)
- Fact job_rtc_threshold_is_0:
- forall j,
- job_cost j = 0 ->
- job_rtct j = 0.
- Proof.
- intros.
- apply/eqP; rewrite eqn_leq; apply/andP; split; last by done.
- unfold job_rtct.
- by rewrite H3; compute.
- Qed.
-
- (** ... and ε otherwise. *)
- Fact job_rtc_threshold_is_ε:
- forall j,
- job_cost j > 0 ->
- arrives_in arr_seq j ->
- job_rtct j = ε.
- Proof.
- intros ? ARRj POSj; unfold ε in *.
- unfold job_rtct.
- rewrite job_last_nps_is_job_cost.
- by rewrite subKn.
- Qed.
-
- (** Consider a task with a positive cost. *)
- Variable tsk : Task.
- Hypothesis H_positive_cost : 0 < task_cost tsk.
-
- (** Then, we prove that [task_rtct] function defines a valid task's
- run to completion threshold. *)
- Lemma fully_nonpreemptive_valid_task_run_to_completion_threshold:
- valid_task_run_to_completion_threshold arr_seq tsk.
- Proof.
- intros; split.
- - by unfold task_rtc_bounded_by_cost.
- - intros j ARR TSK.
- move: TSK => /eqP <-; rewrite /fully_nonpreemptive_rtc_threshold.
- edestruct (posnP (job_cost j)) as [ZERO|POS].
- + by rewrite job_rtc_threshold_is_0.
- + by erewrite job_rtc_threshold_is_ε; eauto 2.
- Qed.
-
-End TaskRTCThresholdFullyNonPreemptive.
-Global Hint Resolve fully_nonpreemptive_valid_task_run_to_completion_threshold : basic_rt_facts.
diff --git a/analysis/facts/preemption/rtc_threshold/preemptive.v b/analysis/facts/preemption/rtc_threshold/preemptive.v
deleted file mode 100644
index aef7dc2d69ec6f0c1da6e877d24840fb00a8c207..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/rtc_threshold/preemptive.v
+++ /dev/null
@@ -1,45 +0,0 @@
-Require Export prosa.analysis.facts.preemption.rtc_threshold.job_preemptable.
-Require Export prosa.model.preemption.fully_preemptive.
-Require Export prosa.model.task.preemption.fully_preemptive.
-
-(** * Task's Run to Completion Threshold *)
-
-(** In this section, we prove that the instantiation of the task
- run-to-completion threshold for the fully preemptive model is valid. *)
-Section TaskRTCThresholdFullyPreemptiveModel.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobCost Job}.
-
- (** Assume that jobs and tasks are fully preemptive. *)
- #[local] Existing Instance fully_preemptive_job_model.
- #[local] Existing Instance fully_preemptive_task_model.
- #[local] Existing Instance fully_preemptive_rtc_threshold.
-
- (** Next, consider any arrival sequence ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and assume that a job cost cannot be larger than a task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Then, we prove that [task_rtct] function
- defines a valid task's run to completion threshold. *)
- Lemma fully_preemptive_valid_task_run_to_completion_threshold:
- forall tsk, valid_task_run_to_completion_threshold arr_seq tsk.
- Proof.
- intros; split.
- - by rewrite /task_rtc_bounded_by_cost.
- - intros j ARR TSK.
- apply leq_trans with (job_cost j); rt_eauto.
- by move: TSK => /eqP <-; apply H_valid_job_cost.
- Qed.
-
-End TaskRTCThresholdFullyPreemptiveModel.
-Global Hint Resolve fully_preemptive_valid_task_run_to_completion_threshold : basic_rt_facts.
diff --git a/analysis/facts/preemption/task/floating.v b/analysis/facts/preemption/task/floating.v
deleted file mode 100644
index 4849be03f14181b20cf476107b1d6ddd8a253946..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/task/floating.v
+++ /dev/null
@@ -1,114 +0,0 @@
-Require Export prosa.model.preemption.limited_preemptive.
-Require Export prosa.model.task.preemption.floating_nonpreemptive.
-Require Export prosa.analysis.facts.preemption.job.limited.
-
-(** * Platform for Floating Non-Preemptive Regions Model *)
-
-(** In this section, we prove that instantiation of functions
- [job_preemptable] and [task_max_nonpreemptive_segment] for the model
- with floating non-preemptive regions indeed defines a valid
- preemption model with bounded non-preemptive regions. *)
-Section FloatingNonPreemptiveRegionsModel.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** In addition, we assume the existence of a function mapping a
- task to its maximal non-preemptive segment ... *)
- Context `{TaskMaxNonpreemptiveSegment Task}.
-
- (** .. and the existence of functions mapping a
- job to the sequence of its preemption points, ... *)
- Context `{JobPreemptionPoints Job}.
- (** ... i.e., we assume limited-preemptive jobs. *)
- #[local] Existing Instance limited_preemptive_job_model.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Next, consider any ideal uni-processor preemption-aware schedule
- of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_preemption_aware_schedule:
- schedule_respects_preemption_model arr_seq sched.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Next, we assume that preemption points are defined by the model
- with floating non-preemptive regions. *)
- Hypothesis H_valid_model_with_floating_nonpreemptive_regions:
- valid_model_with_floating_nonpreemptive_regions arr_seq.
-
- (** Then, we prove that the [job_preemptable and
- task_max_nonpreemptive_segment] functions define
- a model with bounded non-preemptive regions. *)
- Lemma floating_preemption_points_model_is_model_with_bounded_nonpreemptive_regions:
- model_with_bounded_nonpreemptive_segments arr_seq.
- Proof.
- intros j ARR.
- move: (H_valid_model_with_floating_nonpreemptive_regions) => LIM; move: LIM (LIM) => [LIM L] [[BEG [END NDEC]] MAX].
- case: (posnP (job_cost j)) => [ZERO|POS].
- - split.
- rewrite /job_respects_max_nonpreemptive_segment /job_max_nonpreemptive_segment
- /lengths_of_segments /job_preemption_points; rewrite ZERO; simpl.
- rewrite /job_preemptable /limited_preemptive_job_model; erewrite zero_in_preemption_points; eauto 2.
- + move => progr; rewrite ZERO leqn0; move => /andP [_ /eqP LE].
- exists 0; rewrite LE; split; first by apply/andP; split.
- by eapply zero_in_preemption_points; eauto 2.
- - split; last (move => progr /andP [_ LE]; destruct (progr \in job_preemptive_points j) eqn:NotIN).
- + by apply MAX.
- + by exists progr; split; first apply/andP; first split; rewrite ?leq_addr // conversion_preserves_equivalence.
- + move: NotIN => /eqP; rewrite eqbF_neg; move => NotIN.
- edestruct (work_belongs_to_some_nonpreemptive_segment arr_seq) as [x [SIZE2 N]]; eauto 2. move: N => /andP [N1 N2].
- set ptl := nth 0 (job_preemptive_points j) x.
- set ptr := nth 0 (job_preemptive_points j) x.+1.
- exists ptr; split; first last.
- * by unfold job_preemptable, limited_preemptive_job_model; apply mem_nth.
- * apply/andP; split; first by apply ltnW.
- apply leq_trans with (ptl + (job_max_nonpreemptive_segment j - ε) + 1); first last.
- -- rewrite addn1 ltn_add2r; apply N1.
- -- unfold job_max_nonpreemptive_segment.
- rewrite -addnA -leq_subLR -(leq_add2r 1).
- rewrite [in X in _ <= X]addnC -leq_subLR.
- rewrite !subn1 !addn1 prednK.
- { rewrite -[_.+1.-1]pred_Sn. rewrite /lengths_of_segments.
- erewrite job_parameters_max_np_to_job_limited; eauto.
- by apply distance_between_neighboring_elements_le_max_distance_in_seq. }
- { rewrite /lengths_of_segments; erewrite job_parameters_max_np_to_job_limited; eauto.
- apply max_distance_in_nontrivial_seq_is_positive; first by eauto 2.
- exists 0, (job_cost j); repeat split.
- - by eapply zero_in_preemption_points; eauto.
- - by eapply job_cost_in_nonpreemptive_points; eauto.
- - by apply/eqP; rewrite eq_sym -lt0n; apply POS.
- }
- Qed.
-
- (** Which together with lemma [valid_fixed_preemption_points_model]
- gives us the fact that functions [job_preemptable and
- task_max_nonpreemptive_segment] define a valid preemption model
- with bounded non-preemptive regions. *)
- Corollary floating_preemption_points_model_is_valid_model_with_bounded_nonpreemptive_regions:
- valid_model_with_bounded_nonpreemptive_segments arr_seq sched.
- Proof.
- split.
- - apply valid_fixed_preemption_points_model_lemma; auto.
- by apply H_valid_model_with_floating_nonpreemptive_regions.
- - apply floating_preemption_points_model_is_model_with_bounded_nonpreemptive_regions.
- Qed.
-
-End FloatingNonPreemptiveRegionsModel.
-
-(** We add the above lemma into a "Hint Database" basic_rt_facts, so Coq will be able to apply them automatically. *)
-Global Hint Resolve
- valid_fixed_preemption_points_model_lemma
- floating_preemption_points_model_is_model_with_bounded_nonpreemptive_regions
- floating_preemption_points_model_is_valid_model_with_bounded_nonpreemptive_regions : basic_rt_facts.
diff --git a/analysis/facts/preemption/task/limited.v b/analysis/facts/preemption/task/limited.v
deleted file mode 100644
index 07ba4d876528dd4c2920982e5420bdea9b6de12a..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/task/limited.v
+++ /dev/null
@@ -1,114 +0,0 @@
-Require Export prosa.analysis.facts.preemption.job.limited.
-Require Export prosa.model.task.preemption.limited_preemptive.
-
-(** * Platform for Models with Limited Preemptions *)
-(** In this section, we prove that instantiation of functions
- [job_preemptable and task_preemption_points] to the
- limited preemptions model indeed defines a valid preemption model
- with bounded non-preemptive regions. *)
-Section LimitedPreemptionsModel.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We assume that jobs are preemptable only at specific points during their
- execution, ... *)
- Context `{JobPreemptionPoints Job}.
- Context `{TaskPreemptionPoints Task}.
- (** ... i.e., we assume limited-preemptive jobs. *)
- #[local] Existing Instance limited_preemptive_job_model.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Next, consider any ideal uni-processor preemption-aware schedule
- of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_schedule_respects_preemption_model:
- schedule_respects_preemption_model arr_seq sched.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Consider an arbitrary task set ts. *)
- Variable ts : list Task.
-
- (** Next, we assume that preemption points are defined by the model
- with fixed preemption points. *)
- Hypothesis H_valid_fixed_preemption_points_model:
- valid_fixed_preemption_points_model arr_seq ts.
-
- (** Then we prove that functions [job_preemptable and
- task_preemption_points] define a model with bounded non-preemptive
- regions. *)
- Lemma fixed_preemption_points_model_is_model_with_bounded_nonpreemptive_regions:
- model_with_bounded_nonpreemptive_segments arr_seq .
- Proof.
- intros j ARR.
- move: H_valid_fixed_preemption_points_model => [LIM FIX].
- move: (LIM) => [BEG [END NDEC]]; move: (FIX) => [A1 [A2 [A3 [A4 A5]]]].
- case: (posnP (job_cost j)) => [ZERO|POS].
- - split.
- rewrite /job_respects_max_nonpreemptive_segment /job_max_nonpreemptive_segment
- /lengths_of_segments /job_preemption_points; rewrite ZERO; simpl.
- rewrite /job_preemptable /limited_preemptive_job_model; erewrite zero_in_preemption_points; eauto 2.
- + move => progr; rewrite ZERO leqn0; move => /andP [_ /eqP LE].
- exists 0; rewrite LE; split; first by apply/andP; split.
- by eapply zero_in_preemption_points; eauto 2.
- - split; last (move => progr /andP [_ LE]; destruct (progr \in job_preemptive_points j) eqn:NotIN).
- + rewrite /job_respects_max_nonpreemptive_segment
- /job_max_nonpreemptive_segment /lengths_of_segments; erewrite job_parameters_max_np_to_job_limited; eauto.
- by apply max_of_dominating_seq; intros; apply A5.
- + exists progr; split; first apply/andP; first split; rewrite ?leq_addr; by done.
- + move: NotIN => /eqP; rewrite eqbF_neg; move => NotIN.
- edestruct (work_belongs_to_some_nonpreemptive_segment arr_seq) as [x [SIZE2 N]]; eauto 2. move: N => /andP [N1 N2].
- set ptl := nth 0 (job_preemptive_points j) x.
- set ptr := nth 0 (job_preemptive_points j) x.+1.
- exists ptr; split; first last.
- * by unfold job_preemptable, limited_preemptive_job_model; apply mem_nth.
- * apply/andP; split; first by apply ltnW.
- apply leq_trans with (ptl + (job_max_nonpreemptive_segment j - ε) + 1); first last.
- -- rewrite addn1 ltn_add2r; apply N1.
- -- unfold job_max_nonpreemptive_segment.
- rewrite -addnA -leq_subLR -(leq_add2r 1).
- rewrite [in X in _ <= X]addnC -leq_subLR.
- rewrite !subn1 !addn1 prednK.
- { rewrite -[_.+1.-1]pred_Sn. rewrite /lengths_of_segments.
- erewrite job_parameters_max_np_to_job_limited; eauto.
- by apply distance_between_neighboring_elements_le_max_distance_in_seq. }
- { rewrite /lengths_of_segments; erewrite job_parameters_max_np_to_job_limited; eauto.
- apply max_distance_in_nontrivial_seq_is_positive; first by eauto 2.
- exists 0, (job_cost j); repeat split.
- - by eapply zero_in_preemption_points; eauto.
- - by eapply job_cost_in_nonpreemptive_points; eauto.
- - by apply/eqP; rewrite eq_sym -lt0n; apply POS.
- }
- Qed.
-
- (** Which together with lemma [valid_fixed_preemption_points_model]
- gives us the fact that functions [job_preemptable and
- task_preemption_points] defines a valid preemption model with
- bounded non-preemptive regions. *)
- Corollary fixed_preemption_points_model_is_valid_model_with_bounded_nonpreemptive_regions:
- valid_model_with_bounded_nonpreemptive_segments arr_seq sched.
- Proof.
- split.
- - by apply valid_fixed_preemption_points_model_lemma; destruct H_valid_fixed_preemption_points_model.
- - by apply fixed_preemption_points_model_is_model_with_bounded_nonpreemptive_regions.
- Qed.
-
-End LimitedPreemptionsModel.
-
-(** We add the above lemma into a "Hint Database" basic_rt_facts, so Coq will be able to apply them automatically. *)
-Global Hint Resolve
- valid_fixed_preemption_points_model_lemma
- fixed_preemption_points_model_is_model_with_bounded_nonpreemptive_regions
- fixed_preemption_points_model_is_valid_model_with_bounded_nonpreemptive_regions : basic_rt_facts.
diff --git a/analysis/facts/preemption/task/nonpreemptive.v b/analysis/facts/preemption/task/nonpreemptive.v
deleted file mode 100644
index fbd95cd1b093fb094c7692bfbecf009f9b6008b2..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/task/nonpreemptive.v
+++ /dev/null
@@ -1,95 +0,0 @@
-Require Export prosa.analysis.facts.preemption.job.nonpreemptive.
-Require Export prosa.model.task.preemption.fully_nonpreemptive.
-
-(** * Platform for Fully Non-Preemptive Model *)
-
-(** In this section, we prove that instantiation of functions
- [job_preemptable] and [task_max_nonpreemptive_segment] to the fully
- non-preemptive model indeed defines a valid preemption model with
- bounded non-preemptive regions. *)
-Section FullyNonPreemptiveModel.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Assume a fully non-preemptive task model. *)
- #[local] Existing Instance fully_nonpreemptive_job_model.
- #[local] Existing Instance fully_nonpreemptive_task_model.
- #[local] Existing Instance fully_nonpreemptive_rtc_threshold.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Next, consider any ideal non-preemptive uni-processor schedule of this arrival sequence... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_nonpreemptive_sched : nonpreemptive_schedule sched.
-
- (** ... where jobs do not execute before their arrival or after completion. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.
-
- (** Assume that a job cost cannot be larger than a task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Then we prove that the [fully_nonpreemptive_model] function
- defines a model with bounded non-preemptive regions.*)
- Lemma fully_nonpreemptive_model_is_model_with_bounded_nonpreemptive_regions:
- model_with_bounded_nonpreemptive_segments arr_seq.
- Proof.
- have F: forall n, n = 0 \/ n > 0 by intros n; destruct n; [left | right].
- intros j; split.
- { rewrite /job_respects_max_nonpreemptive_segment; eauto 2.
- erewrite job_max_nps_is_job_cost; eauto 2.
- }
- move => progr /andP [_ GE].
- move: (F (progr)) => [EQ | GT].
- { exists progr; split.
- - by apply/andP; split; [done | rewrite leq_addr].
- - rewrite /job_preemptable /fully_nonpreemptive_job_model.
- by apply/orP; left; rewrite EQ.
- }
- { exists (maxn progr (job_cost j)).
- have POS: 0 < job_cost j by apply leq_trans with progr.
- split.
- { apply/andP; split; first by rewrite leq_maxl.
- erewrite job_max_nps_is_job_cost; eauto 2; rewrite addnBA; last eauto 2.
- rewrite geq_max; apply/andP; split.
- - rewrite -addnBA; last by eauto 2.
- by rewrite leq_addr.
- - by rewrite addnC -addnBA // leq_addr.
- }
- { apply/orP; right.
- rewrite eqn_leq; apply/andP; split.
- - by rewrite geq_max; apply/andP; split.
- - by rewrite leq_max; apply/orP; right.
- }
- }
- Qed.
-
- (** Which together with lemma [valid_fully_nonpreemptive_model]
- gives us the fact that [fully_nonpreemptive_model] defined a valid
- preemption model with bounded non-preemptive regions. *)
- Corollary fully_nonpreemptive_model_is_valid_model_with_bounded_nonpreemptive_regions:
- valid_model_with_bounded_nonpreemptive_segments arr_seq sched.
- Proof.
- split.
- - by apply valid_fully_nonpreemptive_model.
- - by apply fully_nonpreemptive_model_is_model_with_bounded_nonpreemptive_regions.
- Qed.
-
-End FullyNonPreemptiveModel.
-
-(** We add the above lemma into a "Hint Database" basic_rt_facts, so Coq will be able to apply them automatically. *)
-Global Hint Resolve
- valid_fully_nonpreemptive_model
- fully_nonpreemptive_model_is_model_with_bounded_nonpreemptive_regions
- fully_nonpreemptive_model_is_valid_model_with_bounded_nonpreemptive_regions : basic_rt_facts.
diff --git a/analysis/facts/preemption/task/preemptive.v b/analysis/facts/preemption/task/preemptive.v
deleted file mode 100644
index d73ba3edf288bf64a3e0e99c65bf1862fb4d6bc6..0000000000000000000000000000000000000000
--- a/analysis/facts/preemption/task/preemptive.v
+++ /dev/null
@@ -1,67 +0,0 @@
-Require Export prosa.analysis.facts.preemption.job.preemptive.
-Require Export prosa.model.task.preemption.fully_preemptive.
-
-(** * Platform for Fully Preemptive Model *)
-
-(** In this section, we prove that the instantiations of the functions
- [job_preemptable] and [task_max_nonpreemptive_segment] for the fully
- preemptive model indeed defines a valid preemption model with
- bounded non-preemptive regions. *)
-Section FullyPreemptiveModel.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Assume that jobs and tasks are fully preemptive. *)
- #[local] Existing Instance fully_preemptive_job_model.
- #[local] Existing Instance fully_preemptive_task_model.
- #[local] Existing Instance fully_preemptive_rtc_threshold.
-
- (** Consider any kind of processor state model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any job arrival sequence, ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any given schedule. *)
- Variable sched : schedule PState.
-
- (** We prove that the [fully_preemptive_model] function
- defines a model with bounded non-preemptive regions.*)
- Lemma fully_preemptive_model_is_model_with_bounded_nonpreemptive_regions:
- model_with_bounded_nonpreemptive_segments arr_seq.
- Proof.
- intros j ARR; split.
- - case: (posnP (job_cost j)) => [ZERO|POS].
- + by rewrite /job_respects_max_nonpreemptive_segment job_max_nps_is_0.
- + by rewrite /job_respects_max_nonpreemptive_segment job_max_nps_is_ε.
- - intros t; exists t; split.
- + by apply/andP; split; [ done | rewrite leq_addr].
- + by done.
- Qed.
-
- (** Which together with lemma [valid_fully_preemptive_model] gives
- us the fact that [fully_preemptive_model] defined a valid
- preemption model with bounded non-preemptive regions. *)
- Corollary fully_preemptive_model_is_valid_model_with_bounded_nonpreemptive_segments:
- valid_model_with_bounded_nonpreemptive_segments arr_seq sched.
- Proof.
- split.
- apply valid_fully_preemptive_model.
- apply fully_preemptive_model_is_model_with_bounded_nonpreemptive_regions.
- Qed.
-
-End FullyPreemptiveModel.
-
-(** We add the above lemma into a "Hint Database" basic_rt_facts, so Coq will be able to apply them automatically. *)
-Global Hint Resolve
- valid_fully_preemptive_model
- fully_preemptive_model_is_model_with_bounded_nonpreemptive_regions
- fully_preemptive_model_is_valid_model_with_bounded_nonpreemptive_segments : basic_rt_facts.
diff --git a/analysis/facts/priority/edf.v b/analysis/facts/priority/edf.v
deleted file mode 100644
index 11635355faa937f2bacf7d70a6b4293ca03861f8..0000000000000000000000000000000000000000
--- a/analysis/facts/priority/edf.v
+++ /dev/null
@@ -1,104 +0,0 @@
-Require Import prosa.model.priority.edf.
-Require Import prosa.model.task.absolute_deadline.
-Require Import prosa.model.task.preemption.parameters.
-
-(** In this section, we prove a few properties about EDF policy. *)
-Section PropertiesOfEDF.
-
- (** Consider any type of tasks with relative deadlines ... *)
- Context {Task : TaskType}.
- Context `{TaskDeadline Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** EDF respects sequential tasks hypothesis. *)
- Lemma EDF_respects_sequential_tasks:
- policy_respects_sequential_tasks.
- Proof.
- move => j1 j2 /eqP TSK ARR.
- rewrite /hep_job /EDF /job_deadline /job_deadline_from_task_deadline TSK.
- by lia.
- Qed.
-
-End PropertiesOfEDF.
-
-(** We add the above lemma into a "Hint Database" basic_rt_facts, so Coq
- will be able to apply it automatically. *)
-Global Hint Resolve EDF_respects_sequential_tasks : basic_rt_facts.
-
-
-Require Export prosa.model.task.sequentiality.
-Require Export prosa.analysis.facts.busy_interval.priority_inversion.
-Require Export prosa.analysis.facts.priority.sequential.
-
-(** In this section, we prove that EDF priority policy
- implies that tasks are sequential. *)
-Section SequentialEDF.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskDeadline Task}.
-
- (** ... with a bound on the maximum non-preemptive segment length.
- The bound is needed to ensure that, at any instant, it always
- exists a subsequent preemption time in which the scheduler can,
- if needed, switch to another higher-priority job. *)
- Context `{TaskMaxNonpreemptiveSegment Task}.
-
- (** Further, consider any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{Arrival : JobArrival Job}.
- Context `{Cost : JobCost Job}.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Next, consider any ideal uni-processor schedule of this arrival sequence, ... *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** ... allow for any work-bearing notion of job readiness, ... *)
- Context `{@JobReady Job (ideal.processor_state Job) Cost Arrival}.
- Hypothesis H_job_ready : work_bearing_readiness arr_seq sched.
-
- (** ... and assume that the schedule is valid. *)
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
-
- (** In addition, we assume the existence of a function mapping jobs
- to their preemption points ... *)
- Context `{JobPreemptable Job}.
-
- (** ... and assume that it defines a valid preemption model with
- bounded non-preemptive segments. *)
- Hypothesis H_valid_preemption_model:
- valid_preemption_model arr_seq sched.
-
- (** Next, we assume that the schedule respects the scheduling policy at every preemption point. *)
- Hypothesis H_respects_policy : respects_JLFP_policy_at_preemption_point arr_seq sched (EDF Job).
-
- (** To prove sequentiality, we use lemma
- [early_hep_job_is_scheduled]. Clearly, under the EDF priority
- policy, jobs satisfy the conditions described by the lemma
- (i.e., given two jobs [j1] and [j2] from the same task, if [j1]
- arrives earlier than [j2], then [j1] always has a higher
- priority than job [j2], and hence completes before [j2]);
- therefore EDF implies sequential tasks. *)
- Lemma EDF_implies_sequential_tasks:
- sequential_tasks arr_seq sched.
- Proof.
- move => j1 j2 t ARR1 ARR2 /eqP SAME LT.
- eapply early_hep_job_is_scheduled => //; rt_eauto => t'.
- rewrite /hep_job_at /JLFP_to_JLDP /hep_job /EDF /job_deadline
- /absolute_deadline.job_deadline_from_task_deadline SAME.
- by lia.
- Qed.
-
-End SequentialEDF.
diff --git a/analysis/facts/priority/fifo.v b/analysis/facts/priority/fifo.v
deleted file mode 100644
index 632ac5d59bbf7525266131831455d60b2e9b78b6..0000000000000000000000000000000000000000
--- a/analysis/facts/priority/fifo.v
+++ /dev/null
@@ -1,202 +0,0 @@
-Require Import prosa.model.readiness.basic.
-Require Export prosa.model.task.sequentiality.
-Require Export prosa.model.schedule.nonpreemptive.
-Require Export prosa.model.priority.fifo.
-Require Export prosa.model.schedule.work_conserving.
-Require Export prosa.analysis.definitions.priority_inversion.
-Require Export prosa.analysis.facts.priority.sequential.
-Require Export prosa.analysis.facts.readiness.basic.
-Require Export prosa.analysis.facts.preemption.job.nonpreemptive.
-Require Export prosa.analysis.abstract.ideal_jlfp_rta.
-
-(** In this section, we prove some fundamental properties of the FIFO policy. *)
-Section BasicLemmas.
-
- (** We assume the basic (i.e., Liu & Layland)
- readiness model under which any pending job is ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** Consider any type of jobs with arrival times and execution costs. *)
- Context `{Job : JobType} {Arrival : JobArrival Job} {Cost : JobCost Job}.
-
- (** Consider any arrival sequence of such jobs ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and the resulting ideal uniprocessor schedule. We assume that the
- schedule is valid and work-conserving. *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_schedule_is_valid : valid_schedule sched arr_seq.
- Hypothesis H_work_conservation : work_conserving arr_seq sched.
-
- (** Suppose jobs have preemption points ... *)
- Context `{JobPreemptable Job}.
-
- (** ...and that the preemption model is valid. *)
- Hypothesis H_valid_preemption_model :
- valid_preemption_model arr_seq sched.
-
- (** Assume that the schedule respects the FIFO scheduling policy whenever jobs
- are preemptable. *)
- Hypothesis H_respects_policy : respects_JLFP_policy_at_preemption_point arr_seq sched (FIFO Job).
-
- (** We observe that there is no priority inversion in a
- FIFO-compliant schedule. *)
- Lemma FIFO_implies_no_priority_inversion :
- forall j t,
- arrives_in arr_seq j ->
- pending sched j t ->
- ~ priority_inversion sched j t.
- Proof.
- move => j t ARRIVES /andP [ARRIVED /negP NCOMPL] [NSCHED [jlp /andP [SCHED PRIO]]].
- move: PRIO; rewrite /hep_job /FIFO -ltnNge => LT.
- apply: NCOMPL; eapply early_hep_job_is_scheduled; rt_eauto.
- by intros t'; apply/andP; split; unfold hep_job_at, JLFP_to_JLDP, hep_job, FIFO; lia.
- Qed.
-
- (** In this section, we prove the cumulative priority inversion for any task
- is bounded by [0]. *)
- Section PriorityInversionBounded.
-
- (** Consider any kind of tasks. *)
- Context `{Task : TaskType} `{JobTask Job Task}.
-
- (** Consider a task [tsk]. *)
- Variable tsk : Task.
-
- (** Assume the arrival times are consistent. *)
- Hypothesis H_consistent_arrival_times : consistent_arrival_times arr_seq.
-
- (** Assume that the schedule follows the FIFO policy at preemption time. *)
- Hypothesis H_respects_policy_at_preemption_point :
- respects_JLFP_policy_at_preemption_point arr_seq sched (FIFO Job).
-
- (** Assume the schedule is valid. *)
- Hypothesis H_valid_schedule : valid_schedule sched arr_seq.
-
- (** Assume there are no duplicates in the arrival sequence. *)
- Hypothesis H_arrival_sequence_is_a_set : arrival_sequence_uniq arr_seq.
-
- (** Then we prove that the amount of priority inversion is bounded by 0. *)
- Lemma FIFO_implies_no_pi :
- priority_inversion_is_bounded_by_constant arr_seq sched tsk 0.
- Proof.
- move=> j ARRIN TASK POS t1 t2 BUSY.
- rewrite /priority_inversion.cumulative_priority_inversion.
- have -> : \sum_(t1 <= t < t2) priority_inversion_dec arr_seq sched j t = 0;
- last by done.
- rewrite big_nat_eq0 => t /andP[T1 T2].
- apply /eqP; rewrite eqb0.
- apply /negP => /priority_inversion_P INV.
- feed_n 3 INV; rt_eauto.
- move: INV => [NSCHED [j__lp /andP [SCHED LP]]].
- move: LP; rewrite /hep_job /FIFO -ltnNge => LT.
- have COMPL: completed_by sched j t.
- { apply: early_hep_job_is_scheduled; rt_eauto.
- move=> t'; rewrite /hep_job_at /JLFP_to_JLDP /hep_job /FIFO -ltnNge.
- by apply/andP; split; first apply ltnW. }
- move : BUSY => [LE [QT [NQT /andP[ARR1 ARR2]]]].
- move: T1; rewrite leq_eqVlt => /orP [/eqP EQ | GT].
- { subst t; apply completed_implies_scheduled_before in COMPL; rt_eauto.
- by case: COMPL => [t' [/andP [ARR3 LT__temp] SCHED__temp]]; lia. }
- { apply: NQT; first (apply/andP; split; [exact GT | lia]).
- intros ? ARR HEP ARRB; rewrite /hep_job /FIFO in HEP.
- eapply early_hep_job_is_scheduled; rt_eauto; first by lia.
- by move => t'; apply/andP; split; rewrite /hep_job_at /FIFO /JLFP_to_JLDP /hep_job //=; lia. }
- Qed.
-
- End PriorityInversionBounded.
-
- (** We prove that in a FIFO-compliant schedule, if a job [j] is
- scheduled, then all jobs with higher priority than [j] have been
- completed. *)
- Lemma scheduled_implies_higher_priority_completed :
- forall j t,
- scheduled_at sched j t ->
- forall j_hp,
- arrives_in arr_seq j_hp ->
- ~~hep_job j j_hp ->
- completed_by sched j_hp t.
- Proof.
- move => j' t SCHED j_hp ARRjhp HEP.
- have EARLIER: job_arrival j_hp < job_arrival j' by rewrite -ltnNge in HEP.
- eapply (early_hep_job_is_scheduled arr_seq _ sched _ _ _ _ j_hp j' _ _ _ t).
- Unshelve. all : rt_eauto.
- move=> t'; apply /andP; split => //.
- by apply ltnW.
- Qed.
-
- (** The next lemma considers FIFO schedules in the context of tasks. *)
- Section SequentialTasks.
-
- (** If the scheduled jobs stem from a set of tasks, ... *)
- Context {Task : TaskType}.
- Context `{JobTask Job Task}.
-
- (** ... then the tasks in a FIFO-compliant schedule necessarily
- execute sequentially. *)
- Lemma tasks_execute_sequentially : sequential_tasks arr_seq sched.
- Proof.
- move => j1 j2 t ARRj1 ARRj2 SAME_TASKx LT => //.
- eapply (early_hep_job_is_scheduled); try rt_eauto.
- by move=> ?; apply /andP; split; [apply ltnW | rewrite -ltnNge //=].
- Qed.
-
- (** We also note that the [FIFO] policy respects sequential tasks. *)
- Fact fifo_respects_sequential_tasks : policy_respects_sequential_tasks.
- Proof. by move => j1 j2 SAME ARRLE; rewrite /hep_job /FIFO. Qed.
-
- End SequentialTasks.
-
- (** Finally, let us further assume that there are no needless
- preemptions among jobs of equal priority. *)
- Hypothesis H_no_superfluous_preemptions : no_superfluous_preemptions sched.
-
- (** In the absence of superfluous preemptions and under assumption
- of the basic readiness model, there are no preemptions at all in
- a FIFO-compliant schedule. *)
- Lemma no_preemptions_under_FIFO :
- forall j t,
- ~~ preempted_at sched j t.
- Proof.
- move => j t.
- apply /negP.
- intros CONTR.
- move: CONTR => /andP [/andP [SCHED1 NCOMPL] SCHED2].
- move : H_schedule_is_valid => [COME MUST].
- move: (ideal_proc_model_sched_case_analysis sched t) => [IDLE |[s INTER]].
- { specialize (H_work_conservation j t).
- destruct H_work_conservation as [j_other SCHEDj_other]; first by eapply (COME j t.-1 SCHED1).
- - do 2 (apply /andP; split; last by done).
- eapply scheduled_implies_pending in SCHED1; try rt_eauto.
- move : SCHED1 => /andP [HAS COMPL].
- by apply leq_trans with t.-1; [exact HAS| lia].
- - move: SCHEDj_other IDLE.
- rewrite scheduled_at_def => /eqP SCHED /eqP IDLE.
- by rewrite IDLE in SCHED. }
- { specialize (H_no_superfluous_preemptions t j s).
- have HEP : ~~ hep_job j s.
- {
- apply H_no_superfluous_preemptions; last by done.
- by repeat (apply /andP ; split; try by done).
- }
- rewrite /hep_job /fifo.FIFO -ltnNge in HEP.
- eapply (early_hep_job_is_scheduled arr_seq ) in SCHED1; try rt_eauto.
- - apply scheduled_implies_not_completed in INTER; rt_eauto.
- by eapply (incompletion_monotonic sched s t.-1 t) in INTER; [move: INTER => /negP|lia].
- - by move=> ?; apply /andP; split; [apply ltnW | rewrite -ltnNge //=]. }
- Qed.
-
- (** It immediately follows that FIFO schedules are
- non-preemptive. *)
- Corollary FIFO_is_nonpreemptive : nonpreemptive_schedule sched.
- Proof.
- by rewrite -no_preemptions_equiv_nonpreemptive; apply no_preemptions_under_FIFO.
- Qed.
-
-End BasicLemmas.
-
-(** We add the following lemmas to the basic facts database *)
-Global Hint Resolve
- fifo_respects_sequential_tasks
- tasks_execute_sequentially
- : basic_rt_facts.
diff --git a/analysis/facts/priority/gel.v b/analysis/facts/priority/gel.v
deleted file mode 100644
index cae08214df245a66e1c10f959ae8d2162618cdfd..0000000000000000000000000000000000000000
--- a/analysis/facts/priority/gel.v
+++ /dev/null
@@ -1,109 +0,0 @@
-Require Import prosa.model.priority.gel.
-Require Import prosa.model.processor.ideal.
-Require Import prosa.model.schedule.priority_driven.
-Require Import prosa.model.task.sequentiality.
-Require Import prosa.analysis.facts.priority.sequential.
-
-(** In this file we state and prove some basic facts
- about the GEL scheduling policy. *)
-Section GELBasicFacts.
-
- (** Consider any type of tasks and jobs. *)
- Context `{Task : TaskType} {Job : JobType} `{JobTask Job Task} `{PriorityPoint Task}.
- Context `{JobArrival Job}.
-
- Section HEPJobArrival.
- (** Consider a job [j]... *)
- Variable j : Job.
-
- (** ... and a higher or equal priority job [j']. *)
- Variable j' : Job.
- Hypothesis H_j'_hep : hep_job j' j.
-
- (** The arrival time of [j'] is bounded as follows. *)
- Lemma hep_job_arrives_before :
- (Z.of_nat (job_arrival j') <=
- Z.of_nat (job_arrival j) +
- task_priority_point (job_task j) - task_priority_point (job_task j'))%Z.
- Proof.
- by move : H_j'_hep; rewrite /hep_job /GEL /job_priority_point; lia.
- Qed.
-
- (** Using the above lemma, we prove that for any
- higher-or-equal priority job [j'], the term
- [job_arrival j + task_priority_point (job_task j) -
- task_priority_point (job_task j')] is positive. Note that
- the function [Z.of_nat] is used to convert natural numbers
- to integers. *)
- Corollary hep_job_arrives_after_zero :
- (0 <= Z.of_nat (job_arrival j) +
- task_priority_point (job_task j) - task_priority_point (job_task j'))%Z.
- Proof.
- apply: (@Z.le_trans _ (Z.of_nat (job_arrival j'))); first by lia.
- by apply: hep_job_arrives_before.
- Qed.
-
- End HEPJobArrival.
-
- (** Next, we prove that the GEL policy respects sequential tasks. *)
- Lemma GEL_respects_sequential_tasks:
- policy_respects_sequential_tasks.
- Proof.
- move => j1 j2 /eqP TSK ARR.
- rewrite /hep_job /GEL /job_priority_point TSK.
- by lia.
- Qed.
-
- (** In this section, we prove that in a schedule following
- the GEL policy, tasks are always sequential. *)
- Section SequentialTasks.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Next, consider any ideal uni-processor schedule of this arrival sequence, ... *)
- Variable sched : schedule (ideal.processor_state Job).
-
- Context `{JobArrival Job} `{JobCost Job}.
- (** ... allow for any work-bearing notion of job readiness, ... *)
- Context `{@JobReady Job (ideal.processor_state Job) _ _}.
- Hypothesis H_job_ready : work_bearing_readiness arr_seq sched.
-
- (** ... and assume that the schedule is valid. *)
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
-
- (** In addition, we assume the existence of a function mapping jobs
- to their preemption points ... *)
- Context `{JobPreemptable Job}.
-
- (** ... and assume that it defines a valid preemption model. *)
- Hypothesis H_valid_preemption_model:
- valid_preemption_model arr_seq sched.
-
- (** Next, we assume that the schedule respects the scheduling policy at every preemption point. *)
- Hypothesis H_respects_policy : respects_JLFP_policy_at_preemption_point arr_seq sched (GEL Job Task).
-
- (** To prove sequentiality, we use the lemma
- [early_hep_job_is_scheduled]. Clearly, under the GEL priority
- policy, jobs satisfy the conditions described by the lemma
- (i.e., given two jobs [j1] and [j2] from the same task, if [j1]
- arrives earlier than [j2], then [j1] always has a higher
- priority than job [j2], and hence completes before [j2]);
- therefore GEL implies the [sequential_tasks] property. *)
- Lemma GEL_implies_sequential_tasks:
- sequential_tasks arr_seq sched.
- Proof.
- move => j1 j2 t ARR1 ARR2 /eqP SAME LT.
- eapply early_hep_job_is_scheduled => //; rt_eauto => t'.
- rewrite /hep_job_at /JLFP_to_JLDP /hep_job /GEL /job_priority_point SAME.
- by lia.
- Qed.
-
- End SequentialTasks.
-
-End GELBasicFacts.
-
-(** We add the following lemma to the basic facts database. *)
-Global Hint Resolve
-GEL_respects_sequential_tasks
- : basic_rt_facts.
diff --git a/analysis/facts/priority/sequential.v b/analysis/facts/priority/sequential.v
deleted file mode 100644
index 175fc78dbadd72aed29a946b82a92da30f0d56dd..0000000000000000000000000000000000000000
--- a/analysis/facts/priority/sequential.v
+++ /dev/null
@@ -1,81 +0,0 @@
-Require Export prosa.analysis.definitions.always_higher_priority.
-Require Export prosa.analysis.definitions.work_bearing_readiness.
-Require Export prosa.analysis.facts.model.preemption.
-
-(** In this section, we prove that, given two jobs [j1] and [j2], if
- job [j1] arrives earlier than job [j2] and [j1] always has higher
- priority than [j2], then [j2] is scheduled only after [j1] is
- completed. *)
-Section SequentialJLFP.
-
- (** Consider any type of jobs. *)
- Context {Job : JobType}.
- Context `{Arrival : JobArrival Job}.
- Context `{Cost : JobCost Job}.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Consider a JLFP-policy that indicates a higher-or-equal priority
- relation, and assume that this relation is transitive. *)
- Context {JLFP : JLFP_policy Job}.
- Hypothesis H_priority_is_transitive : transitive_priorities.
-
- (** Next, consider any ideal uni-processor schedule of this arrival sequence, ... *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** ... allow for any work-bearing notion of job readiness, ... *)
- Context `{@JobReady Job (ideal.processor_state Job) Cost Arrival}.
- Hypothesis H_job_ready : work_bearing_readiness arr_seq sched.
-
- (** ... and assume that the schedule is valid. *)
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
-
- (** In addition, we assume the existence of a function mapping jobs
- to their preemption points ... *)
- Context `{JobPreemptable Job}.
-
- (** ... and assume that it defines a valid preemption model. *)
- Hypothesis H_valid_preemption_model : valid_preemption_model arr_seq sched.
-
- (** Next, we assume that the schedule respects the scheduling policy at every preemption point.... *)
- Hypothesis H_respects_policy : respects_JLFP_policy_at_preemption_point arr_seq sched JLFP.
-
- (** ... and that jobs must arrive to execute. *)
- Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
-
- (** We show that, given two jobs [j1] and [j2], if job [j1] arrives
- earlier than job [j2] and [j1] always has higher priority than
- [j2], then [j2] is scheduled only after [j1] is completed. *)
- Lemma early_hep_job_is_scheduled :
- forall j1 j2,
- arrives_in arr_seq j1 ->
- job_arrival j1 < job_arrival j2 ->
- always_higher_priority j1 j2 ->
- forall t,
- scheduled_at sched j2 t ->
- completed_by sched j1 t.
- Proof.
- move=> j1 j2 ARR LE AHP t SCHED.
- apply/negPn/negP; intros NCOMPL.
- edestruct scheduling_of_any_segment_starts_with_preemption_time
- as [pt [LET [PT ALL_SCHED]]]; try eauto 2.
- move: LET => /andP [LE1 LE2].
- specialize (ALL_SCHED pt); feed ALL_SCHED; first by apply/andP; split.
- have PEND1: pending sched j1 pt.
- { apply/andP; split.
- - by rewrite /has_arrived; lia.
- - by move: NCOMPL; apply contra, completion_monotonic.
- }
- apply H_job_ready in PEND1 => //; destruct PEND1 as [j3 [ARR3 [READY3 HEP3]]].
- move: (AHP pt) => /andP[HEP /negP NHEP]; eapply NHEP.
- eapply H_priority_is_transitive; last by apply HEP3.
- eapply H_respects_policy; eauto 2.
- apply/andP; split; first by done.
- apply/negP; intros SCHED2.
- have EQ := ideal_proc_model_is_a_uniprocessor_model _ _ _ pt SCHED2 ALL_SCHED.
- subst j2; rename j3 into j.
- by specialize (AHP 0); destruct AHP; auto.
- Qed.
-
-End SequentialJLFP.
diff --git a/analysis/facts/readiness/backlogged.v b/analysis/facts/readiness/backlogged.v
deleted file mode 100644
index bae0ed03c722ceb089d96d4ee3c2d5bb88b5f1de..0000000000000000000000000000000000000000
--- a/analysis/facts/readiness/backlogged.v
+++ /dev/null
@@ -1,130 +0,0 @@
-Require Export prosa.model.schedule.work_conserving.
-Require Export prosa.analysis.facts.behavior.arrivals.
-Require Export prosa.analysis.definitions.readiness.
-
-(** In this file, we establish basic facts about backlogged jobs. *)
-
-Section BackloggedJobs.
-
- (** Consider any kind of jobs with arrival times and costs... *)
- Context {Job : JobType} `{JobCost Job} `{JobArrival Job}.
-
- (** ... and any kind of processor model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... and allow for any notion of job readiness. *)
- Context {jr : JobReady Job PState}.
-
- (** Given an arrival sequence and a schedule ... *)
- Variable arr_seq : arrival_sequence Job.
- Variable sched : schedule PState.
-
- (** ... with consistent arrival times, ... *)
- Hypothesis H_consistent_arrival_times: consistent_arrival_times arr_seq.
-
- (** ... we observe that any backlogged job is indeed in the set of backlogged
- jobs. *)
- Lemma mem_backlogged_jobs:
- forall j t,
- arrives_in arr_seq j ->
- backlogged sched j t ->
- j \in jobs_backlogged_at arr_seq sched t.
- Proof.
- move=> j t ARRIVES BACKLOGGED.
- rewrite /jobs_backlogged_at /arrivals_up_to.
- rewrite mem_filter.
- apply /andP; split; first by exact.
- apply arrived_between_implies_in_arrivals => //.
- rewrite /arrived_between.
- apply /andP; split => //.
- rewrite ltnS -/(has_arrived _ _).
- now apply (backlogged_implies_arrived sched).
- Qed.
-
- (** Trivially, it is also the case that any backlogged job comes from the
- respective arrival sequence. *)
- Lemma backlogged_job_arrives_in:
- forall j t,
- j \in jobs_backlogged_at arr_seq sched t ->
- arrives_in arr_seq j.
- Proof.
- move=> j t.
- rewrite /jobs_backlogged_at mem_filter => /andP [_ IN].
- move: IN. rewrite /arrivals_up_to.
- now apply in_arrivals_implies_arrived.
- Qed.
-
-End BackloggedJobs.
-
-(** In the following section, we make one more crucial assumption: namely, that
- the readiness model is non-clairvoyant, which allows us to relate
- backlogged jobs in schedules with a shared prefix. *)
-Section NonClairvoyance.
-
- (** Consider any kind of jobs with arrival times and costs... *)
- Context {Job : JobType} `{JobCost Job} `{JobArrival Job}.
-
- (** ... any kind of processor model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... and allow for any non-clairvoyant notion of job readiness. *)
- Context {RM : JobReady Job PState}.
- Hypothesis H_nonclairvoyant_job_readiness: nonclairvoyant_readiness RM.
-
- (** Consider any arrival sequence ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and two schedules ... *)
- Variable sched sched': schedule PState.
-
- (** ... with a shared prefix to a fixed horizon. *)
- Variable h : instant.
- Hypothesis H_shared_prefix: identical_prefix sched sched' h.
-
- (** We observe that a job is backlogged at a time in the prefix in one
- schedule iff it is backlogged in the other schedule due to the
- non-clairvoyance of the notion of job readiness ... *)
- Lemma backlogged_prefix_invariance:
- forall t j,
- t < h ->
- backlogged sched j t = backlogged sched' j t.
- Proof.
- move=> t j IN_PREFIX.
- rewrite /backlogged.
- rewrite (H_nonclairvoyant_job_readiness sched sched' j h) //.
- rewrite /scheduled_at H_shared_prefix //.
- now apply ltnW.
- Qed.
-
- (** As a corollary, if we further know that j is not scheduled at time [h],
- we can expand the previous lemma to [t <= h]. *)
- Corollary backlogged_prefix_invariance':
- forall t j,
- ~~ scheduled_at sched j t ->
- ~~ scheduled_at sched' j t ->
- t <= h ->
- backlogged sched j t = backlogged sched' j t.
- Proof.
- move=> t j NOT_SCHED NOT_SCHED'.
- rewrite leq_eqVlt => /orP [/eqP EQ | LT]; last by apply backlogged_prefix_invariance.
- rewrite /backlogged.
- rewrite (H_nonclairvoyant_job_readiness sched sched' j h) //;
- last by rewrite EQ.
- now rewrite NOT_SCHED NOT_SCHED'.
- Qed.
-
- (** ... and also lift this observation to the set of all backlogged jobs at
- any given time in the shared prefix. *)
- Lemma backlogged_jobs_prefix_invariance:
- forall t,
- t < h ->
- jobs_backlogged_at arr_seq sched t = jobs_backlogged_at arr_seq sched' t.
- Proof.
- move=> t IN_PREFIX.
- rewrite /jobs_backlogged_at.
- apply eq_filter.
- rewrite /eqfun => j.
- now apply backlogged_prefix_invariance.
- Qed.
-
-End NonClairvoyance.
diff --git a/analysis/facts/readiness/basic.v b/analysis/facts/readiness/basic.v
deleted file mode 100644
index 9f6cfcb5cb36411d5360efb4223e52355761971d..0000000000000000000000000000000000000000
--- a/analysis/facts/readiness/basic.v
+++ /dev/null
@@ -1,74 +0,0 @@
-Require Import prosa.model.readiness.basic.
-Require Export prosa.analysis.facts.behavior.completion.
-Require Export prosa.analysis.definitions.readiness.
-Require Export prosa.analysis.definitions.work_bearing_readiness.
-
-Section LiuAndLaylandReadiness.
-
- (** We assume the basic (i.e., Liu & Layland)
- readiness model under which any pending job is ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** Consider any kind of jobs ... *)
- Context {Job : JobType}.
-
- (** ... and any kind of processor state. *)
- Context {PState : ProcessorState Job}.
-
- (** Suppose jobs have an arrival time and a cost. *)
- Context `{JobArrival Job} `{JobCost Job}.
-
- (** The Liu & Layland readiness model is trivially non-clairvoyant. *)
- Fact basic_readiness_nonclairvoyance :
- nonclairvoyant_readiness basic_ready_instance.
- Proof.
- move=> sched sched' j h PREFIX t IN.
- rewrite /job_ready /basic_ready_instance.
- now apply (identical_prefix_pending _ _ h).
- Qed.
-
- (** Consider any job arrival sequence ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any schedule of these jobs. *)
- Variable sched : schedule PState.
-
- (** In the basic Liu & Layland model, a schedule satisfies that only ready
- jobs execute as long as jobs must arrive to execute and completed jobs
- don't execute, which we note with the following theorem. *)
- Lemma basic_readiness_compliance :
- jobs_must_arrive_to_execute sched ->
- completed_jobs_dont_execute sched ->
- jobs_must_be_ready_to_execute sched.
- Proof.
- move=> ARR COMP.
- rewrite /jobs_must_be_ready_to_execute => j t SCHED.
- rewrite /job_ready /basic_ready_instance /pending.
- apply /andP; split.
- - by apply ARR.
- - rewrite -less_service_than_cost_is_incomplete.
- by apply COMP.
- Qed.
-
- (** Consider a JLFP policy that indicates a reflexive
- higher-or-equal priority relation. *)
- Context `{JLFP_policy Job}.
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
-
- (** We show that the basic readiness model is a work-bearing
- readiness model. That is, at any time instant [t], if a job [j]
- is pending, then there exists a job (namely [j] itself) with
- higher-or-equal priority that is ready at time [t]. *)
- Fact basic_readiness_is_work_bearing_readiness :
- work_bearing_readiness arr_seq sched.
- Proof.
- intros ? ? ARR PEND.
- exists j; repeat split => //.
- by eapply (H_priority_is_reflexive 0).
- Qed.
-
-End LiuAndLaylandReadiness.
-
-(** We add the above lemma into a "Hint Database" basic_rt_facts, so Coq
- will be able to apply it automatically. *)
-Global Hint Resolve basic_readiness_is_work_bearing_readiness : basic_rt_facts.
diff --git a/analysis/facts/readiness/sequential.v b/analysis/facts/readiness/sequential.v
deleted file mode 100644
index 1ea83811ce1419ab4cb82964755043f5cee8d4ef..0000000000000000000000000000000000000000
--- a/analysis/facts/readiness/sequential.v
+++ /dev/null
@@ -1,114 +0,0 @@
-Require Export prosa.analysis.definitions.readiness.
-Require Export prosa.analysis.definitions.work_bearing_readiness.
-Require Export prosa.analysis.facts.behavior.completion.
-Require Export prosa.analysis.facts.model.task_arrivals.
-
-(** Throughout this file, we assume the sequential task readiness model, which
- means that a job is ready to execute only if all prior jobs of the same task
- have completed. *)
-Require Export prosa.model.readiness.sequential.
-
-(** In this section, we show some useful properties of the sequential
- task readiness model. *)
-Section SequentialTasksReadiness.
-
- (** Consider any type of job associated with any type of tasks ... *)
- Context {Job : JobType}.
- Context {Task : TaskType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** ... and any kind of processor state. *)
- Context {PState : ProcessorState Job}.
-
- (** Consider any arrival sequence with consistent arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** Recall that we assume sequential tasks. *)
- #[local] Instance sequential_readiness : JobReady Job PState :=
- sequential_ready_instance arr_seq.
-
- (** Consider any valid schedule of [arr_seq]. *)
- Variable sched : schedule PState.
- Hypothesis H_valid_schedule : valid_schedule sched arr_seq.
-
- (** Consider an FP policy that indicates a reflexive
- higher-or-equal priority relation. *)
- Context `{FP_policy Task}.
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
-
- (** First, we show that the sequential readiness model is non-clairvoyant. *)
- Fact sequential_readiness_nonclairvoyance :
- nonclairvoyant_readiness sequential_readiness.
- Proof.
- intros sched1 sched2 ? ? ID ? LE; rewrite //=.
- erewrite identical_prefix_pending; eauto 2.
- destruct (boolP (pending sched2 j t)) as [_ | _] => //=.
- destruct (boolP (prior_jobs_complete arr_seq sched2 j t)) as [ALL | NOT_ALL]; apply/eqP.
- - rewrite eqb_id; apply/allP; intros ? IN.
- move: ALL => /allP ALL; specialize (ALL x IN).
- by erewrite identical_prefix_completed_by; eauto 2.
- - move: NOT_ALL => /allPn [x IN NCOMP].
- rewrite eqbF_neg; apply/allPn; exists x => //.
- by erewrite identical_prefix_completed_by; eauto 2.
- Qed.
-
- (** Next, we show that the sequential readiness model ensures that
- tasks are sequential. That is, that jobs of the same task
- execute in order of their arrival. *)
- Lemma sequential_readiness_implies_sequential_tasks :
- sequential_tasks arr_seq sched.
- Proof.
- intros j1 j2 t ARR1 ARR2 SAME LT SCHED.
- destruct (boolP (job_ready sched j2 t)) as [READY | NREADY].
- - move: READY => /andP [PEND /allP ALL]; apply: ALL.
- rewrite mem_filter; apply/andP; split; first by done.
- by apply arrived_between_implies_in_arrivals => //.
- - exfalso; apply/(negP NREADY)/job_scheduled_implies_ready => //.
- exact: (valid_schedule_jobs_must_be_ready_to_execute sched arr_seq).
- Qed.
-
- (** Finally, we show that the sequential readiness model is a
- work-bearing readiness model. That is, if a job [j] is pending
- but not ready at a time instant [t], then there exists another
- (earlier) job of the same task that is pending and ready at time
- [t]. *)
- Lemma sequential_readiness_implies_work_bearing_readiness :
- work_bearing_readiness arr_seq sched.
- Proof.
- intros j.
- have EX: exists k, job_arrival j <= k by (exists (job_arrival j)).
- destruct EX as [k LE]; move: j LE.
- induction k; intros ? ? ? ARR PEND.
- { destruct (boolP (job_ready sched j t)) as [READY | NREADY].
- { by exists j; repeat split; eauto using (H_priority_is_reflexive 0). }
- { move: NREADY; rewrite //= PEND Bool.andb_true_l => /allPn [jhp IN NCOMP].
- apply arrives_in_task_arrivals_before_implies_arrives_before in IN; last by done.
- by exfalso; move: LE; rewrite leqn0 => /eqP EQ; rewrite EQ in IN.
- }
- }
- { move: LE; rewrite leq_eqVlt ltnS => /orP [/eqP EQ | LE]; last by apply IHk.
- destruct (boolP (job_ready sched j t)) as [READY | NREADY].
- { by exists j; repeat split; eauto using (H_priority_is_reflexive 0). }
- { move: NREADY; rewrite //= PEND Bool.andb_true_l => /allPn [j' IN NCOMP].
- have LE' : job_arrival j' <= k.
- { by apply arrives_in_task_arrivals_before_implies_arrives_before in IN; rewrite // -ltnS -EQ. }
- have ARR' : arrives_in arr_seq j'.
- { by eapply arrives_in_task_arrivals_implies_arrived; eauto 2. }
- have PEND' : pending sched j' t.
- { apply/andP; split; last by done.
- move: PEND => /andP [LE _].
- by unfold has_arrived in *; lia.
- }
- specialize (IHk j' LE' t ARR' PEND').
- destruct IHk as [j'' [ARR'' [READY'' HEP'']]].
- exists j''; repeat split; auto.
- clear EQ; apply arrives_in_task_arrivals_implies_job_task in IN; move: IN => /eqP EQ.
- by rewrite /hep_job /FP_to_JLFP -EQ.
- }
- }
- Qed.
-
-End SequentialTasksReadiness.
diff --git a/analysis/facts/shifted_job_costs.v b/analysis/facts/shifted_job_costs.v
deleted file mode 100644
index e0093916aa27ec07dd523bd1ca10c7ae09eb2ce8..0000000000000000000000000000000000000000
--- a/analysis/facts/shifted_job_costs.v
+++ /dev/null
@@ -1,88 +0,0 @@
-Require Export prosa.analysis.facts.periodic.arrival_times.
-Require Export prosa.analysis.facts.periodic.task_arrivals_size.
-Require Export prosa.model.task.concept.
-Require Export prosa.analysis.facts.hyperperiod.
-
-(** In this file we define a new function for job costs
- in an observation interval and prove its validity. *)
-Section ValidJobCostsShifted.
-
- (** Consider any type of periodic tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskOffset Task}.
- Context `{PeriodicModel Task}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobDeadline Job}.
-
- (** Consider a consistent arrival sequence with non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Furthermore, assume that arrivals have valid job costs. *)
- Hypothesis H_arrivals_have_valid_job_costs: arrivals_have_valid_job_costs arr_seq.
-
- (** Consider a periodic task set [ts] such that all tasks in
- [ts] have valid periods and offsets. *)
- Variable ts : TaskSet Task.
- Hypothesis H_periodic_taskset: taskset_respects_periodic_task_model arr_seq ts.
- Hypothesis H_valid_periods_in_taskset: valid_periods ts.
- Hypothesis H_valid_offsets_in_taskset: valid_offsets arr_seq ts.
-
- (** Consider a job [j] that stems from the arrival sequence. *)
- Variable j : Job.
- Hypothesis H_j_from_arrival_sequence: arrives_in arr_seq j.
-
- (** Let [O_max] denote the maximum task offset of all tasks in [ts] ... *)
- Let O_max := max_task_offset ts.
- (** ... and let [HP] denote the hyperperiod of all tasks in [ts]. *)
- Let HP := hyperperiod ts.
-
- (** We now define a new function for job costs in the observation interval. *)
-
- (** Given that job [j] arrives after [O_max], the cost of a job [j']
- that arrives in the interval <<[O_max + HP, O_max + 2HP)>> is defined to
- be the same as the job cost of its corresponding job in [j]'s hyperperiod. *)
- Definition job_costs_shifted (j' : Job) :=
- if (job_arrival j >= O_max) && (O_max + HP <= job_arrival j' < O_max + 2 * HP) then
- job_cost (corresponding_job_in_hyperperiod ts arr_seq j' (starting_instant_of_corresponding_hyperperiod ts j) (job_task j'))
- else job_cost j'.
-
- (** Assume that we have an infinite sequence of jobs. *)
- Hypothesis H_infinite_jobs: infinite_jobs arr_seq.
-
- (** Assume all jobs in the arrival sequence [arr_seq] belong to some task
- in [ts]. *)
- Hypothesis H_jobs_from_taskset: all_jobs_from_taskset arr_seq ts.
-
- (** We assign the job costs as defined by the [job_costs_shifted] function. *)
- Instance job_costs_in_oi : JobCost Job :=
- job_costs_shifted.
-
- (** We show that the [job_costs_shifted] function is valid. *)
- Lemma job_costs_shifted_valid: arrivals_have_valid_job_costs arr_seq.
- Proof.
- rewrite /arrivals_have_valid_job_costs /valid_job_cost.
- intros j' ARR.
- unfold job_cost; rewrite /job_costs_in_oi /job_costs_shifted.
- destruct (leqP O_max (job_arrival j)) as [A | B].
- destruct (leqP (O_max + HP) (job_arrival j')) as [NEQ | NEQ].
- destruct (leqP (O_max + 2 * HP) (job_arrival j')) as [LT | LT].
- all : try by apply H_arrivals_have_valid_job_costs => //.
- simpl.
- specialize (corresponding_jobs_have_same_task arr_seq ts j' j) => TSK.
- rewrite -[in X in _ <= task_cost X]TSK.
- have IN : job_task j' \in ts by apply H_jobs_from_taskset.
- apply H_arrivals_have_valid_job_costs, corresponding_job_arrives => //.
- + now apply H_valid_offsets_in_taskset.
- + now apply H_valid_periods_in_taskset.
- + now apply H_periodic_taskset.
- + now lia.
- Qed.
-
-End ValidJobCostsShifted.
diff --git a/analysis/facts/sporadic/arrival_bound.v b/analysis/facts/sporadic/arrival_bound.v
deleted file mode 100644
index 6f03d5291948ef84ceaa7198fcf354b8ac4cde65..0000000000000000000000000000000000000000
--- a/analysis/facts/sporadic/arrival_bound.v
+++ /dev/null
@@ -1,146 +0,0 @@
-Require Import prosa.util.all.
-Require Export prosa.model.task.arrival.sporadic.
-Require Export prosa.analysis.facts.model.task_arrivals.
-
-(** * Sporadic Arrival Bound *)
-
-(** In the following, we upper bound the number of jobs that can
- arrive in any interval as constrained by the sporadic task model's
- minimum inter-arrival time [task_min_inter_arrival_time]. *)
-Section SporadicArrivalBound.
-
- (** Consider any sporadic tasks ... *)
- Context {Task : TaskType} `{SporadicModel Task}.
-
- (** ... and their jobs. *)
- Context {Job : JobType} `{JobTask Job Task} `{JobArrival Job}.
-
- (** We define the classic "ceiling of the interval length divided by
- minimum inter-arrival time", which we prove to be correct in the
- following. *)
- Definition max_sporadic_arrivals (tsk : Task) (delta : duration) :=
- div_ceil delta (task_min_inter_arrival_time tsk).
-
- (** To establish the bound's soundness, consider any well-formed
- arrival sequence, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... and any valid sporadic task [tsk] to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_sporadic_model: respects_sporadic_task_model arr_seq tsk.
- Hypothesis H_valid_inter_min_arrival: valid_task_min_inter_arrival_time tsk.
-
- (** Before we can establish the bound, we require two auxiliary
- bounds, which we derive next. First, we consider minimum offset
- of the <<n-th>> job of the task that arrives in a given interval. *)
- Section NthJob.
-
- (** For technical reasons, we require a "dummy" job in scope to
- use the [nth] function. In the proofs, we establish that the
- [dummy] job is never used, i.e., it is an irrelevant artifact
- induced by the ssreflect API. It may be safely ignored. *)
- Variable dummy : Job.
-
- (** We observe that the <<i-th>> job to arrive in an interval <<[t1,t2)>>
- arrives no earlier than [(task_min_inter_arrival_time tsk) *i]
- time units after the beginning of the interval due the minimum
- inter-arrival time of the sporadic task. *)
- Lemma arrival_of_nth_job :
- forall t1 t2 n i j,
- n = number_of_task_arrivals arr_seq tsk t1 t2 ->
- i < n ->
- j = nth dummy (task_arrivals_between arr_seq tsk t1 t2) i ->
- job_arrival j >= t1 + (task_min_inter_arrival_time tsk) * i.
- Proof.
- move=> t1 t2 n i j. rewrite /number_of_task_arrivals.
- case ARR : (task_arrivals_between arr_seq tsk t1 t2) => [|j' js'] -> // LIM JOB.
- elim: i LIM j JOB => [LIM j JOB|i IH LIM j JOB].
- { rewrite muln0 addn0.
- apply: job_arrival_between_ge; rt_eauto.
- apply: (task_arrivals_between_subset _ tsk _ t2).
- by rewrite JOB ARR; apply mem_nth. }
- { rewrite mulnSr addnA.
- pose prev_j := nth dummy (j' :: js') i.
- have prev_LIM : t1 + task_min_inter_arrival_time tsk * i + task_min_inter_arrival_time tsk
- <= job_arrival prev_j + task_min_inter_arrival_time tsk
- by rewrite leq_add2r; apply IH => //; lia.
- apply: (leq_trans prev_LIM).
- have IN_j : j \in task_arrivals_between arr_seq tsk t1 t2
- by rewrite JOB ARR; apply mem_nth.
- have IN_prev : prev_j \in task_arrivals_between arr_seq tsk t1 t2
- by rewrite /prev_j ARR; apply mem_nth; lia.
- apply: H_sporadic_model => //=.
- { rewrite JOB /prev_j => /eqP.
- rewrite nth_uniq; try lia; rewrite -ARR.
- by apply: task_arrivals_between_uniq;rt_eauto. }
- { by apply/in_arrivals_implies_arrived/(task_arrivals_between_subset _ tsk t1 t2). }
- { by apply/in_arrivals_implies_arrived/(task_arrivals_between_subset _ tsk t1 t2). }
- { apply: in_task_arrivals_between_implies_job_of_task.
- exact IN_prev. }
- { apply: in_task_arrivals_between_implies_job_of_task.
- exact: IN_j. }
- { rewrite /prev_j JOB.
- have SORTED : sorted by_arrival_times (j' :: js')
- by rewrite -ARR; apply task_arrivals_between_sorted; rt_eauto.
- eapply (sorted_leq_nth _ _ _ SORTED); try lia.
- - rewrite unfold_in simpl_predE; lia.
- - rewrite unfold_in simpl_predE; lia. } }
- Unshelve. all: by rewrite /by_arrival_times/transitive/reflexive; lia.
- Qed.
-
- End NthJob.
-
- (** As a second auxiliary lemma, we establish a minimum length on
- the interval for a given number of arrivals by applying the
- previous lemma to the last job in the interval. We consider only
- the case of "many" jobs, i.e., [n >= 2], which ensures that the
- interval <<[t1, t2)>> spans at least one inter-arrival time. *)
- Lemma minimum_distance_for_n_sporadic_arrivals:
- forall t1 t2 n,
- number_of_task_arrivals arr_seq tsk t1 t2 = n ->
- n >= 2 ->
- t2 > t1 + (task_min_inter_arrival_time tsk) * n.-1.
- Proof.
- move=> t1 t2 n H_num_arrivals H_many_jobs.
- (* First, let us get ourselves a job so we can discharge the dummy job parameter. *)
- destruct (task_arrivals_between arr_seq tsk t1 t2) as [|j js] eqn:ARR;
- first by move: ARR H_num_arrivals H_many_jobs; rewrite /number_of_task_arrivals => -> //= ->; lia.
- (* Now that we can use [nth], let's proceed with the actual proof. *)
- set j_last := (nth j (task_arrivals_between arr_seq tsk t1 t2) n.-1).
- have LAST : job_arrival j_last < t2.
- { apply: job_arrival_between_lt; rt_eauto.
- apply: task_arrivals_between_subset.
- apply mem_nth.
- by move: H_num_arrivals; rewrite /number_of_task_arrivals => ->; lia. }
- have DIST : t1 + task_min_inter_arrival_time tsk * n.-1 <= job_arrival j_last.
- { apply: arrival_of_nth_job; auto;
- first by rewrite [number_of_task_arrivals arr_seq tsk t1 _]H_num_arrivals; lia.
- by rewrite /j_last //=. }
- by lia.
- Qed.
-
- (** Based on the above lemma, it is easy to see that
- [max_sporadic_arrivals] is indeed a correct upper bound on the
- maximum number of arrivals in a given interval. *)
- Theorem sporadic_task_arrivals_bound:
- forall t1 t2,
- number_of_task_arrivals arr_seq tsk t1 t2 <= max_sporadic_arrivals tsk (t2 - t1).
- Proof.
- move=> t1 t2.
- case COUNT: (number_of_task_arrivals arr_seq tsk t1 t2) => // [n'].
- case COUNT: n' COUNT => // [|n] NARR.
- { (* one arrival *)
- apply div_ceil_gt0 => //; rewrite subn_gt0.
- by eapply number_of_task_arrivals_nonzero; eauto. }
- { (* two or more arrivals *)
- clear n' COUNT.
- move: NARR. set n' := n.+2 => NARR.
- have SEP: t2 > t1 + (task_min_inter_arrival_time tsk) * n'.-1
- by apply: minimum_distance_for_n_sporadic_arrivals.
- move: SEP. rewrite -ltn_subRL => SEP.
- by apply: div_ceil_multiple. }
- Qed.
-
-
-End SporadicArrivalBound.
diff --git a/analysis/facts/sporadic/arrival_sequence.v b/analysis/facts/sporadic/arrival_sequence.v
deleted file mode 100644
index 4c1bd9a01370cb1cef4b0ea9d30b1c45dc0dd8b7..0000000000000000000000000000000000000000
--- a/analysis/facts/sporadic/arrival_sequence.v
+++ /dev/null
@@ -1,150 +0,0 @@
-Require Export analysis.facts.sporadic.arrival_times.
-
-(** * Job Arrival Sequence in the Sporadic Model *)
-
-(** In this file, we prove basic facts about a task's arrival sequence
- in the sporadic task model. *)
-Section SporadicArrivals.
-
- (** Consider sporadic tasks ... *)
- Context {Task : TaskType} `{SporadicModel Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType} `{JobTask Job Task} `{JobArrival Job}.
-
- (** Consider any unique arrival sequence with consistent arrivals, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... and any sporadic task [tsk] to be analyzed. *)
- Variable tsk : Task.
-
- (** Assume all tasks have valid minimum inter-arrival times, valid offsets, and respect the
- sporadic task model. *)
- Hypothesis H_sporadic_model: respects_sporadic_task_model arr_seq tsk.
- Hypothesis H_valid_inter_min_arrival: valid_task_min_inter_arrival_time tsk.
-
- (** Consider any two jobs from the arrival sequence that stem
- from task [tsk]. *)
- Variable j1 j2 : Job.
- Hypothesis H_j1_from_arrival_sequence: arrives_in arr_seq j1.
- Hypothesis H_j2_from_arrival_sequence: arrives_in arr_seq j2.
- Hypothesis H_j1_task: job_task j1 = tsk.
- Hypothesis H_j2_task: job_task j2 = tsk.
-
- (** We show that a sporadic task with valid min inter-arrival time cannot
- have more than one job arriving at any time. *)
- Lemma size_task_arrivals_at_leq_one:
- (exists j,
- size (task_arrivals_at_job_arrival arr_seq j) > 1 /\
- respects_sporadic_task_model arr_seq (job_task j) /\
- valid_task_min_inter_arrival_time (job_task j)) ->
- False.
- Proof.
- move => [j [SIZE_G [PERIODIC VALID_TMIA]]].
- specialize (exists_two (task_arrivals_at_job_arrival arr_seq j)) => EXISTS_TWO.
- move : H_valid_arrival_sequence => [CONSISTENT UNIQ].
- destruct EXISTS_TWO as [a [b [NEQ [A_IN B_IN]]]]; [by done | by apply filter_uniq | ].
- rewrite mem_filter in A_IN; rewrite mem_filter in B_IN.
- move: A_IN B_IN => /andP [/eqP TSKA ARRA] /andP [/eqP TSKB ARRB].
- move: (ARRA); move: (ARRB); rewrite /arrivals_at => A_IN B_IN.
- apply in_arrseq_implies_arrives in A_IN; apply in_arrseq_implies_arrives in B_IN.
- have EQ_ARR_A : (job_arrival a = job_arrival j) by rt_eauto.
- have EQ_ARR_B : (job_arrival b = job_arrival j) by rt_eauto.
- try ( apply uneq_job_uneq_arr with (arr_seq0 := arr_seq) (tsk0 := job_task j) in NEQ => // ) ||
- apply uneq_job_uneq_arr with (arr_seq := arr_seq) (tsk := job_task j) in NEQ => //.
- by rewrite EQ_ARR_A EQ_ARR_B in NEQ.
- Qed.
-
- (** We show that no jobs of the task [tsk] other than [j1] arrive at
- the same time as [j1], and thus the task arrivals at [job arrival j1]
- consists only of job [j1]. *)
- Lemma only_j_in_task_arrivals_at_j:
- task_arrivals_at_job_arrival arr_seq j1 = [::j1].
- Proof.
- set (task_arrivals_at_job_arrival arr_seq j1) as seq in *.
- have J_IN_FILTER : (j1 \in seq) by apply arrives_in_task_arrivals_at; rt_auto.
- have SIZE_CASE : size seq = 0 \/ size seq = 1 \/ size seq > 1
- by intros; now destruct (size seq) as [ | [ | ]]; try auto.
- move: SIZE_CASE => [Z|[ONE|GTONE]].
- - apply size0nil in Z.
- by rewrite Z in J_IN_FILTER.
- - repeat (destruct seq; try by done).
- rewrite mem_seq1 in J_IN_FILTER; move : J_IN_FILTER => /eqP J1_S.
- by rewrite J1_S.
- - exfalso.
- apply size_task_arrivals_at_leq_one.
- exists j1.
- by repeat split => //; try rewrite H_j1_task.
- Qed.
-
- (** We show that no jobs of the task [tsk] other than [j1] arrive at
- the same time as [j1], and thus the task arrivals at [job arrival j1]
- consists only of job [j1]. *)
- Lemma only_j_at_job_arrival_j:
- forall t,
- job_arrival j1 = t ->
- task_arrivals_at arr_seq tsk t = [::j1].
- Proof.
- intros t ARR.
- rewrite -ARR.
- specialize (only_j_in_task_arrivals_at_j) => J_AT.
- by rewrite /task_arrivals_at_job_arrival H_j1_task in J_AT.
- Qed.
-
- (** We show that a job [j1] is the first job that arrives
- in task arrivals at [job_arrival j1] by showing that the
- index of job [j1] in [task_arrivals_at_job_arrival arr_seq j1] is 0. *)
- Lemma index_j_in_task_arrivals_at:
- index j1 (task_arrivals_at_job_arrival arr_seq j1) = 0.
- Proof.
- by rewrite only_j_in_task_arrivals_at_j //= eq_refl.
- Qed.
-
- (** We observe that for any job [j] the arrival time of [prev_job j] is
- strictly less than the arrival time of [j] in context of periodic tasks. *)
- Lemma prev_job_arr_lt:
- job_index arr_seq j1 > 0 ->
- job_arrival (prev_job arr_seq j1) < job_arrival j1.
- Proof.
- intros IND.
- have PREV_ARR_LTE : job_arrival (prev_job arr_seq j1) <= job_arrival j1 by apply prev_job_arr_lte => //.
- rewrite ltn_neqAle; apply /andP.
- split => //; apply /eqP.
- try ( apply uneq_job_uneq_arr with (arr_seq0 := arr_seq) (tsk0 := job_task j1) => //; try by rewrite H_j1_task ) ||
- apply uneq_job_uneq_arr with (arr_seq := arr_seq) (tsk := job_task j1) => //; try by rewrite H_j1_task.
- - by apply prev_job_arr.
- - by apply prev_job_task.
- - intro EQ.
- have SM_IND: job_index arr_seq j1 - 1 = job_index arr_seq j1 by rewrite -prev_job_index // EQ.
- by lia.
- Qed.
-
- (** We show that task arrivals at [job_arrival j1] is the
- same as task arrivals that arrive between [job_arrival j1]
- and [job_arrival j1 + 1]. *)
- Lemma task_arrivals_at_as_task_arrivals_between:
- task_arrivals_at_job_arrival arr_seq j1 = task_arrivals_between arr_seq tsk (job_arrival j1) (job_arrival j1).+1.
- Proof.
- rewrite /task_arrivals_at_job_arrival /task_arrivals_at /task_arrivals_between /arrivals_between.
- by rewrite big_nat1 H_j1_task.
- Qed.
-
- (** We show that the task arrivals up to the previous job [j1] concatenated with
- the sequence [::j1] (the sequence containing only the job [j1]) is same as
- task arrivals up to [job_arrival j1]. *)
- Lemma prev_job_cat:
- job_index arr_seq j1 > 0 ->
- task_arrivals_up_to_job_arrival arr_seq (prev_job arr_seq j1) ++ [::j1] = task_arrivals_up_to_job_arrival arr_seq j1.
- Proof.
- intros JIND.
- rewrite -only_j_in_task_arrivals_at_j task_arrivals_at_as_task_arrivals_between.
- rewrite /task_arrivals_up_to_job_arrival prev_job_task => //.
- rewrite [in X in _ = X] (task_arrivals_cat _ _ (job_arrival (prev_job arr_seq j1))); last by
- apply ltnW; apply prev_job_arr_lt.
- rewrite [in X in _ = _ ++ X] (task_arrivals_between_cat _ _ _ (job_arrival j1) _) => //; last by apply prev_job_arr_lt.
- rewrite no_jobs_between_consecutive_jobs => //.
- by rewrite cat0s H_j1_task.
- Qed.
-
-End SporadicArrivals.
diff --git a/analysis/facts/sporadic/arrival_times.v b/analysis/facts/sporadic/arrival_times.v
deleted file mode 100644
index 16e6ca43a4693497e2035d83a65966a5ca5c857b..0000000000000000000000000000000000000000
--- a/analysis/facts/sporadic/arrival_times.v
+++ /dev/null
@@ -1,82 +0,0 @@
-Require Export prosa.model.task.arrival.sporadic.
-Require Export prosa.analysis.facts.job_index.
-
-(** * Job Arrival Times in the Sporadic Model *)
-
-(** In this file, we prove basic facts about the arrival times of jobs
- in the sporadic task model. *)
-Section ArrivalTimes.
-
- (** Consider sporadic tasks ... *)
- Context {Task : TaskType} `{SporadicModel Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType} `{JobTask Job Task} `{JobArrival Job}.
-
- (** Consider any unique arrival sequence with consistent arrivals, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... and any sporadic task [tsk] that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_sporadic_model: respects_sporadic_task_model arr_seq tsk.
- Hypothesis H_valid_inter_min_arrival: valid_task_min_inter_arrival_time tsk.
-
- (** We first show that for any two jobs [j1] and [j2], [j2] arrives after [j1]
- provided [job_index] of [j2] strictly exceeds the [job_index] of [j1]. *)
- Lemma lower_index_implies_earlier_arrival:
- forall j1 j2,
- arrives_in arr_seq j1 ->
- arrives_in arr_seq j2 ->
- job_task j1 = tsk ->
- job_task j2 = tsk ->
- job_index arr_seq j1 < job_index arr_seq j2 ->
- job_arrival j1 < job_arrival j2.
- Proof.
- move=> j1 j2 ARR1 ARR2 TSK1 TSK2 LT_IND.
- move: (H_sporadic_model j1 j2) => SPORADIC; feed_n 6 SPORADIC => //.
- - rewrite -> diff_jobs_iff_diff_indices => //; eauto; first by lia.
- by subst.
- - apply (index_lte_implies_arrival_lte arr_seq); try eauto.
- by subst.
- - have POS_IA : task_min_inter_arrival_time tsk > 0 by auto.
- by lia.
- Qed.
-
- (** In the following, consider (again) any two jobs from the arrival
- sequence that stem from task [tsk].
-
- NB: The following variables and hypotheses match the premises of
- the preceding lemma. However, we cannot move these
- declarations before the prior lemma because we need
- [lower_index_implies_earlier_arrival] to be ∀-quantified in
- the next proof. *)
- Variable j1 : Job.
- Variable j2 : Job.
- Hypothesis H_j1_from_arrseq: arrives_in arr_seq j1.
- Hypothesis H_j2_from_arrseq: arrives_in arr_seq j2.
- Hypothesis H_j1_task: job_task j1 = tsk.
- Hypothesis H_j2_task: job_task j2 = tsk.
-
- (** We prove that jobs [j1] and [j2] are equal if and only if they
- arrive at the same time. *)
- Lemma same_jobs_iff_same_arr:
- j1 = j2 <->
- job_arrival j1 = job_arrival j2.
- Proof.
- split; first by move=> ->.
- move=> EQ_ARR.
- case: (boolP (j1 == j2)) => [/eqP EQ | /eqP NEQ] //; exfalso.
- rewrite -> diff_jobs_iff_diff_indices in NEQ => //; eauto; last by rewrite H_j1_task.
- move /neqP: NEQ; rewrite neq_ltn => /orP [LT|LT].
- all: by apply lower_index_implies_earlier_arrival in LT => //; lia.
- Qed.
-
- (** As a corollary, we observe that distinct jobs cannot have equal arrival times. *)
- Corollary uneq_job_uneq_arr:
- j1 <> j2 ->
- job_arrival j1 <> job_arrival j2.
- Proof. by rewrite -same_jobs_iff_same_arr. Qed.
-
-End ArrivalTimes.
-
diff --git a/analysis/facts/tdma.v b/analysis/facts/tdma.v
deleted file mode 100644
index 6d0bde3b7f0297f0c655e615457f762d09dad08d..0000000000000000000000000000000000000000
--- a/analysis/facts/tdma.v
+++ /dev/null
@@ -1,148 +0,0 @@
-From mathcomp Require Import div.
-Require Export prosa.model.schedule.tdma.
-Require Import prosa.util.all.
-
-(** In this section, we define the properties of TDMA and prove some basic lemmas. *)
-Section TDMAFacts.
- Context {Task:eqType}.
-
- (** Consider any task set ts... *)
- Variable ts: {set Task}.
-
- (** ... with a TDMA policy *)
- Context `{TDMAPolicy Task}.
-
- Section TimeSlotFacts.
- (** Consider any task in ts*)
- Variable task: Task.
- Hypothesis H_task_in_ts: task \in ts.
-
- (** Assume task_time_slot is valid time slot*)
- Hypothesis time_slot_positive:
- valid_time_slot ts.
-
- (** Obviously, the TDMA cycle is greater or equal than any task time slot which is
- in TDMA cycle *)
- Lemma TDMA_cycle_ge_each_time_slot:
- TDMA_cycle ts >= task_time_slot task.
- Proof.
- rewrite /TDMA_cycle (big_rem task) //.
- apply:leq_trans; last by exact: leq_addr.
- by apply leqnn.
- Qed.
-
- (** Thus, a TDMA cycle is always positive *)
- Lemma TDMA_cycle_positive:
- TDMA_cycle ts > 0.
- Proof.
- move:time_slot_positive=>/(_ task H_task_in_ts)/leq_trans;apply;apply TDMA_cycle_ge_each_time_slot.
- Qed.
-
- (** Slot offset is less then cycle *)
- Lemma Offset_lt_cycle:
- task_slot_offset ts task < TDMA_cycle ts.
- Proof.
- rewrite /task_slot_offset /TDMA_cycle big_mkcond.
- apply leq_ltn_trans with (n:=\sum_(prev_task <- ts )if prev_task!=task then task_time_slot prev_task else 0).
- - apply leq_sum. intros* T. case (slot_order i task);auto.
- - rewrite -big_mkcond (bigD1_seq task)?set_uniq//=.
- rewrite -subn_gt0 -addnBA. rewrite subnn addn0 //.
- exact: time_slot_positive.
- easy.
- Qed.
-
- (** For a task, the sum of its slot offset and its time slot is
- less then or equal to cycle. *)
- Lemma Offset_add_slot_leq_cycle:
- task_slot_offset ts task + task_time_slot task <= TDMA_cycle ts.
- Proof.
- rewrite /task_slot_offset /TDMA_cycle.
- rewrite addnC (bigD1_seq task) //=. rewrite leq_add2l.
- rewrite big_mkcond.
- replace (\sum_(i <- ts | i != task) task_time_slot i)
- with (\sum_(i <- ts ) if i != task then task_time_slot i else 0).
- apply leq_sum. intros*T. case (slot_order i task);auto.
- by rewrite -big_mkcond. apply (set_uniq ts).
- Qed.
- End TimeSlotFacts.
-
- (** Now we prove that no two tasks share the same time slot at any time. *)
- Section TimeSlotOrderFacts.
- (** Consider any task in ts*)
- Variable task: Task.
- Hypothesis H_task_in_ts: task \in ts.
-
- (** Assume task_time_slot is valid time slot*)
- Hypothesis time_slot_positive:
- valid_time_slot ts.
-
- (** Assume that slot order is total... *)
- Hypothesis slot_order_total:
- total_slot_order ts.
-
- (*..., antisymmetric... *)
- Hypothesis slot_order_antisymmetric:
- antisymmetric_slot_order ts.
-
- (*... and transitive. *)
- Hypothesis slot_order_transitive:
- transitive_slot_order.
-
- (** Then, we can prove that the difference value between two offsets is
- at least a slot *)
- Lemma relation_offset:
- forall tsk1 tsk2, tsk1 \in ts ->
- tsk2 \in ts ->
- slot_order tsk1 tsk2 ->
- tsk1 != tsk2 ->
- task_slot_offset ts tsk2 >=
- task_slot_offset ts tsk1 + task_time_slot tsk1 .
- Proof.
- intros* IN1 IN2 ORDER NEQ.
- rewrite /task_slot_offset big_mkcond addnC/=.
- replace (\sum_(tsk <- ts | slot_order tsk tsk2 && (tsk != tsk2)) task_time_slot tsk)
- with (task_time_slot tsk1 + \sum_(tsk <- ts )if slot_order tsk tsk2 && (tsk != tsk1) && (tsk!=tsk2) then task_time_slot tsk else O).
- rewrite leq_add2l. apply leq_sum_seq. intros* IN T.
- case (slot_order i tsk1)eqn:SI2;auto. case (i==tsk1)eqn:IT2;auto;simpl.
- case (i==tsk2)eqn:IT1;simpl;auto.
- - by move/eqP in IT1;rewrite IT1 in SI2;apply slot_order_antisymmetric in ORDER;auto;apply ORDER in SI2;move/eqP in NEQ.
- - by rewrite (slot_order_transitive _ _ _ SI2 ORDER).
- - symmetry. rewrite big_mkcond /=. rewrite->bigD1_seq with (j:=tsk1);auto;last by apply (set_uniq ts).
- move/eqP /eqP in ORDER. move/eqP in NEQ. rewrite ORDER //=. apply /eqP.
- have TS2: (tsk1 != tsk2) = true . apply /eqP;auto. rewrite TS2.
- rewrite eqn_add2l. rewrite big_mkcond. apply/eqP. apply eq_bigr;auto.
- intros* T. case(i!=tsk1);case (slot_order i tsk2);case (i!=tsk2) ;auto.
- Qed.
-
- (** Then, we proved that no two tasks share the same time slot at any time. *)
- Lemma task_in_time_slot_uniq:
- forall tsk1 tsk2 t,
- tsk1 \in ts -> task_time_slot tsk1 > 0 ->
- tsk2 \in ts -> task_time_slot tsk2 > 0 ->
- task_in_time_slot ts tsk1 t ->
- task_in_time_slot ts tsk2 t ->
- tsk1 = tsk2.
- Proof.
- intros * IN1 SLOT1 IN2 SLOT2.
- rewrite /task_in_time_slot.
- set cycle := TDMA_cycle ts.
- set O1 := task_slot_offset ts tsk1.
- set O2 := task_slot_offset ts tsk2.
- have CO1 : O1 < cycle by apply Offset_lt_cycle.
- have CO2 : O2 < cycle by apply Offset_lt_cycle.
- have C : cycle > 0 by apply (TDMA_cycle_positive tsk1).
- have -> : O1 %% cycle = O1 by apply modn_small, Offset_lt_cycle.
- have -> : O2 %% cycle = O2 by apply modn_small, Offset_lt_cycle.
- have SO1 : O1 + task_time_slot tsk1 <= cycle by apply (Offset_add_slot_leq_cycle tsk1).
- have SO2 : O2 + task_time_slot tsk2 <= cycle by apply (Offset_add_slot_leq_cycle tsk2).
- repeat rewrite mod_elim; auto.
- case (O1 <= t %% cycle) eqn:O1T; case (O2 <= t %% cycle) eqn:O2T; intros G1 G2; try lia.
- rewrite ltn_subLR // in G1; rewrite ltn_subLR // in G2.
- case (tsk1 == tsk2) eqn:NEQ; move/eqP in NEQ; auto.
- destruct (slot_order_total tsk1 tsk2) as [order | order]; auto.
- all: by apply relation_offset in order; fold O1 O2 in order; try lia; auto; apply/eqP; auto.
- Qed.
-
- End TimeSlotOrderFacts.
-
-End TDMAFacts.
diff --git a/analysis/facts/transform/edf_opt.v b/analysis/facts/transform/edf_opt.v
deleted file mode 100644
index ee45e95f195f5035b4e866092eafddce1cb9f55c..0000000000000000000000000000000000000000
--- a/analysis/facts/transform/edf_opt.v
+++ /dev/null
@@ -1,939 +0,0 @@
-From mathcomp Require Import ssrnat ssrbool fintype.
-Require Import prosa.model.readiness.basic.
-Require Export prosa.model.schedule.edf.
-Require Export prosa.analysis.definitions.schedulability.
-Require Export prosa.analysis.transform.edf_trans.
-Require Export prosa.analysis.facts.transform.swaps.
-Require Export prosa.analysis.facts.readiness.basic.
-
-(** This file contains the main argument of the EDF optimality proof,
- starting with an analysis of the individual functions that drive
- the piece-wise transformation of a given reference schedule in an
- EDF schedule, and ending with proofs of individual properties of
- the obtained EDF schedule. *)
-
-(** We start by analyzing the helper function [find_swap_candidate],
- which is a problem-specific wrapper around [search_arg]. *)
-Section FindSwapCandidateFacts.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** For any given type of jobs... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ...consider an ideal uniprocessor schedule... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ...that is well-behaved (i.e., in which jobs execute only after
- having arrived and only if they are not yet complete). *)
- Hypothesis H_jobs_must_arrive_to_execute: jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute: completed_jobs_dont_execute sched.
-
- (** Suppose we are given a job [j1]... *)
- Variable j1: Job.
-
- (** ...and a point in time [t1]... *)
- Variable t1: instant.
-
- (** ...at which [j1] is scheduled... *)
- Hypothesis H_not_idle: scheduled_at sched j1 t1.
-
- (** ...and that is before its deadline. *)
- Hypothesis H_deadline_not_missed: t1 < job_deadline j1.
-
- (** First, we observe that under these assumptions the processor
- state at time [t1] is "relevant" according to the notion of
- relevance underlying the EDF transformation, namely
- [relevant_pstate]. *)
- Lemma t1_relevant: relevant_pstate t1 (sched t1).
- Proof.
- move: H_not_idle. rewrite scheduled_at_def => /eqP ->.
- rewrite /relevant_pstate -/(has_arrived j1 t1).
- move: (H_jobs_must_arrive_to_execute j1 t1) => SCHED_ARR.
- now apply SCHED_ARR.
- Qed.
-
- (** Since [t1] is relevant, we conclude that a search for a relevant
- state succeeds (if nothing else, it finds [t1]). *)
- Lemma fsc_search_successful:
- exists t, search_arg sched (relevant_pstate t1) earlier_deadline t1 (job_deadline j1) = Some t.
- Proof.
- apply search_arg_not_none.
- exists t1. split.
- - by apply /andP; split.
- - by apply t1_relevant.
- Qed.
-
- (** For rewriting purposes, we observe that the [search_arg]
- operation within [find_swap_candidate] yields the final result of
- [find_swap_candidate]. *)
- Corollary fsc_search_result:
- search_arg sched (relevant_pstate t1) earlier_deadline t1 (job_deadline j1) = Some (find_swap_candidate sched t1 j1).
- Proof.
- move: fsc_search_successful => [t FOUND].
- now rewrite /find_swap_candidate FOUND.
- Qed.
-
- (** There is a job that is scheduled at the time that
- [find_swap_candidate] returns, and that job arrives no later than
- at time [t1]. *)
- Lemma fsc_not_idle:
- exists j', (scheduled_at sched j' (find_swap_candidate sched t1 j1))
- /\ job_arrival j' <= t1.
- Proof.
- move: fsc_search_successful => [t FOUND].
- move: (search_arg_pred _ _ _ _ _ _ FOUND).
- rewrite /relevant_pstate.
- destruct (sched t) as [j'|] eqn:SCHED_t => // ARR_j'.
- exists j'. split => //.
- rewrite /find_swap_candidate FOUND.
- rewrite scheduled_at_def //.
- now apply /eqP.
- Qed.
-
- (** Since we are considering a uniprocessor model, only one job is
- scheduled at a time. Hence once we know that a job is scheduled
- at the time that [find_swap_candidate] returns, we can conclude
- that it arrives not later than at time t1. *)
- Corollary fsc_found_job_arrival:
- forall j2,
- scheduled_at sched j2 (find_swap_candidate sched t1 j1) ->
- job_arrival j2 <= t1.
- Proof.
- move=> j2 SCHED_j2.
- move: fsc_not_idle => [j' [SCHED_j' ARR]].
- now rewrite -(ideal_proc_model_is_a_uniprocessor_model _ _ _ _ SCHED_j' SCHED_j2).
- Qed.
-
- (** We observe that [find_swap_candidate] returns a value within a
- known finite interval. *)
- Lemma fsc_range:
- t1 <= find_swap_candidate sched t1 j1 < job_deadline j1.
- Proof. move: fsc_search_result. by apply search_arg_in_range. Qed.
-
- (** For convenience, since we often only require the lower bound on
- the interval, we re-state it as a corollary. *)
- Corollary fsc_range1:
- t1 <= find_swap_candidate sched t1 j1.
- Proof. by move: fsc_range => /andP [LE _]. Qed.
-
- (** The following lemma is a key step of the overall proof: the job
- scheduled at the time found by [find_swap_candidate] has the
- property that it has a deadline that is no later than that of any
- other job in the window given by time [t1] and the deadline of
- the job scheduled at time [t1]. *)
- Lemma fsc_found_job_deadline:
- forall j2,
- scheduled_at sched j2 (find_swap_candidate sched t1 j1) ->
- forall j t,
- t1 <= t < job_deadline j1 ->
- scheduled_at sched j t ->
- job_arrival j <= t1 ->
- job_deadline j2 <= job_deadline j.
- Proof.
- move=> j2 SCHED_j2 j t /andP [t1_le_t t_lt_dl1] SCHED_j ARR_j.
- have TOTAL: total earlier_deadline
- by rewrite /earlier_deadline => s1 s2; apply leq_total.
- have TRANS: transitive earlier_deadline
- by rewrite /earlier_deadline => s1 s2 s3; apply leq_trans.
- have REFL: reflexive earlier_deadline
- by rewrite /earlier_deadline => s; apply leqnn.
- move: SCHED_j SCHED_j2. rewrite !scheduled_at_def => /eqP SCHED_j /eqP SCHED_j2.
- have ED: earlier_deadline (sched (find_swap_candidate sched t1 j1)) (sched t).
- {
- move: (search_arg_extremum _ _ _ REFL TRANS TOTAL _ _ _ fsc_search_result) => MIN.
- apply (MIN t).
- - by apply /andP; split.
- - by rewrite /relevant_pstate SCHED_j.
- }
- now move: ED; rewrite /earlier_deadline /oapp SCHED_j SCHED_j2.
- Qed.
-
- (** As a special case of the above lemma, we observe that the job
- scheduled at the time given by [find_swap_candidate] in
- particular has a deadline no later than the job scheduled at time
- [t1]. *)
- Corollary fsc_no_later_deadline:
- forall j2,
- scheduled_at sched j2 (find_swap_candidate sched t1 j1) ->
- job_deadline j2 <= job_deadline j1.
- Proof.
- move=> j2 SCHED_j2.
- apply fsc_found_job_deadline with (t := t1) => //.
- - by apply /andP; split.
- - by apply H_jobs_must_arrive_to_execute.
- Qed.
-
-End FindSwapCandidateFacts.
-
-
-(** In the next section, we analyze properties of [make_edf_at], which
- we abbreviate as "[mea]" in the following. *)
-Section MakeEDFAtFacts.
-
- (** For any given type of jobs... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ...consider an ideal uniprocessor schedule... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ...that is well-behaved... *)
- Hypothesis H_jobs_must_arrive_to_execute: jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute: completed_jobs_dont_execute sched.
-
- (** ...and in which no scheduled job misses a deadline. *)
- Hypothesis H_no_deadline_misses: all_deadlines_met sched.
-
- (** Since we will require this fact repeatedly, we briefly observe
- that, since no scheduled job misses its deadline, if a job is
- scheduled at some time [t], then its deadline is later than
- [t]. *)
- Fact scheduled_job_in_sched_has_later_deadline:
- forall j t,
- scheduled_at sched j t ->
- job_deadline j > t.
- Proof.
- move=> j t SCHED.
- apply: (scheduled_at_implies_later_deadline sched) => //.
- exact: (H_no_deadline_misses _ t).
- Qed.
-
- (** We analyze [make_edf_at] applied to an arbitrary point in time,
- which we denote [t_edf] in the following. *)
- Variable t_edf: instant.
-
- (** For brevity, let [sched'] denote the schedule obtained from
- [make_edf_at] applied to [sched] at time [t_edf]. *)
- Let sched' := make_edf_at sched t_edf.
-
- (** First, we observe that in [sched'] jobs still don't execute past
- completion. *)
- Lemma mea_completed_jobs:
- completed_jobs_dont_execute sched'.
- Proof.
- have IDEAL := @ideal_proc_model_ensures_ideal_progress Job.
- have UNIT := @ideal_proc_model_provides_unit_service Job.
- rewrite /sched' /make_edf_at.
- destruct (sched t_edf) as [j_orig|] eqn:SCHED; last by done.
- have SCHED': scheduled_at sched j_orig t_edf
- by rewrite scheduled_at_def; apply /eqP.
- apply swapped_completed_jobs_dont_execute => //.
- apply fsc_range1 => //.
- now apply scheduled_job_in_sched_has_later_deadline.
- Qed.
-
- (** Importantly, [make_edf_at] does not introduce any deadline
- misses, which is a crucial step in the EDF optimality
- argument. *)
- Lemma mea_no_deadline_misses:
- all_deadlines_met sched'.
- Proof.
- move=> j t SCHED.
- rewrite /sched' /make_edf_at.
- destruct (sched t_edf) as [j_orig|] eqn:SCHED_orig; last first.
- {
- apply (H_no_deadline_misses _ t).
- move: SCHED.
- now rewrite /sched' /make_edf_at SCHED_orig.
- }
- {
- have SCHED': scheduled_at sched j_orig t_edf
- by rewrite scheduled_at_def; apply /eqP.
- move: (scheduled_job_in_sched_has_later_deadline _ _ SCHED') => DL_orig.
- apply edf_swap_no_deadline_misses_introduced => //.
- - by apply fsc_range1 => //.
- - move=> j1 j2 SCHED_j1 SCHED_j2.
- apply: (fsc_found_job_deadline sched _ j_orig t_edf _ _ _ _ _ t_edf) => //.
- + by apply /andP; split.
- + by apply H_jobs_must_arrive_to_execute.
- - move=> j1 SCHED_j1.
- move: (fsc_not_idle sched H_jobs_must_arrive_to_execute j_orig t_edf SCHED' DL_orig) => [j' [SCHED_j' ARR_j']].
- exists j'. split => //.
- now apply scheduled_job_in_sched_has_later_deadline.
- - have EX: (exists t', scheduled_at sched j t').
- {
- try ( apply swap_job_scheduled with (t1 := t_edf) (t2 := find_swap_candidate sched t_edf j_orig) (t0 := t) ) ||
- apply swap_job_scheduled with (t1 := t_edf) (t2 := find_swap_candidate sched t_edf j_orig) (t := t).
- now move: SCHED; rewrite /sched' /make_edf_at SCHED_orig.
- }
- move: EX => [t' SCHED_t'].
- now apply H_no_deadline_misses with (t := t').
- }
- Qed.
-
- (** As a result, we may conclude that any job scheduled at a time t has a deadline later than t. *)
- Corollary mea_scheduled_job_has_later_deadline:
- forall j t,
- scheduled_at sched' j t ->
- job_deadline j > t.
- Proof.
- move=> j t SCHED.
- apply (scheduled_at_implies_later_deadline sched') => //.
- - by apply mea_completed_jobs.
- - by apply mea_no_deadline_misses with (t := t).
- Qed.
-
- (** Next comes a big step in the optimality proof: we observe that
- [make_edf_at] indeed ensures that [EDF_at] holds at time [t_edf] in
- [sched']. As this is a larger argument, we proceed by case analysis and
- first establish a couple of helper lemmas in the following section. *)
- Section GuaranteeCaseAnalysis.
-
- (** Let [j_orig] denote the job scheduled in [sched] at time
- [t_edf], let [j_edf] denote the job scheduled in [sched'] at
- time [t_edf], and let [j'] denote any job scheduled in
- [sched'] at some time [t'] after [t_edf]... *)
- Variable j_orig j_edf j': Job.
-
- Variable t': instant.
- Hypothesis H_t_edf_le_t' : t_edf <= t'.
-
- Hypothesis H_sched_orig: scheduled_at sched j_orig t_edf.
- Hypothesis H_sched_edf: scheduled_at sched' j_edf t_edf.
- Hypothesis H_sched': scheduled_at sched' j' t'.
-
- (** ... and that arrives before time [t_edf]. *)
- Hypothesis H_arrival_j' : job_arrival j' <= t_edf.
-
- (** We begin by observing three simple facts that will be used repeatedly in
- the case analysis. *)
-
- (** First, the deadline of [j_orig] is later than [t_edf]. *)
- Fact mea_guarantee_dl_orig: t_edf < job_deadline j_orig.
- Proof. by apply (scheduled_job_in_sched_has_later_deadline j_orig t_edf H_sched_orig). Qed.
-
- (** Second, by the definition of [sched'], [j_edf] is scheduled in
- [sched] at the time returned by [find_swap_candidate]. *)
- Fact mea_guarantee_fsc_is_j_edf: sched (find_swap_candidate sched t_edf j_orig) = Some j_edf.
- Proof.
- move: (H_sched_orig). rewrite scheduled_at_def => /eqP SCHED.
- move: (H_sched_edf). rewrite /sched' /make_edf_at /swapped /replace_at {1}SCHED //=.
- rewrite scheduled_at_def.
- destruct (find_swap_candidate sched t_edf j_orig == t_edf) eqn:FSC.
- - by move: FSC => /eqP -> /eqP.
- - by rewrite ifT // => /eqP.
- Qed.
-
- (** Third, the deadline of [j_edf] is no later than the deadline
- of [j_orig]. *)
- Fact mea_guarantee_deadlines: job_deadline j_edf <= job_deadline j_orig.
- Proof.
- apply: (fsc_no_later_deadline sched _ _ t_edf) => //.
- - by exact mea_guarantee_dl_orig.
- - by rewrite scheduled_at_def mea_guarantee_fsc_is_j_edf //=.
- Qed.
-
- (** With the setup in place, we are now ready to begin the case analysis. *)
-
- (** First, we consider the simpler case where [t'] is no earlier
- than the deadline of [j_orig]. This case is simpler because
- [t'] being no earlier than [j_orig]'s deadline implies that
- [j'] has deadline no earlier than [j_orig] (since no scheduled
- job in [sched] misses a deadline), which in turn has a
- deadline no earlier than [j_edf]. *)
- Lemma mea_guarantee_case_t'_past_deadline:
- job_deadline j_orig <= t' ->
- job_deadline j_edf <= job_deadline j'.
- Proof.
- move: (mea_scheduled_job_has_later_deadline j' t' H_sched') => DL_j' BOUND_t'.
- apply leq_trans with (n := job_deadline j_orig) => // ;
- first by exact mea_guarantee_deadlines.
- apply leq_trans with (n := t') => //.
- now apply ltnW.
- Qed.
-
- (** Next, we consider the more difficult case, where [t'] is
- before the deadline of [j_orig]. *)
- Lemma mea_guarantee_case_t'_before_deadline:
- t' < job_deadline j_orig ->
- job_deadline j_edf <= job_deadline j'.
- Proof.
- move: (H_sched_orig). rewrite scheduled_at_def => /eqP SCHED BOUND_t'.
- move: (mea_guarantee_fsc_is_j_edf) => FSC.
- have EX: (exists x, scheduled_at sched j' x /\ t_edf <= x < job_deadline j_orig).
- {
- case: (boolP(t_edf == t')) => [/eqP EQ| /eqP NEQ].
- - exists (find_swap_candidate sched t_edf j_orig).
- split; last by apply fsc_range => //; exact mea_guarantee_dl_orig.
- subst. rewrite -(ideal_proc_model_is_a_uniprocessor_model _ _ _ _ H_sched_edf H_sched').
- now rewrite scheduled_at_def FSC //=.
- - case: (boolP(find_swap_candidate sched t_edf j_orig == t')) => [/eqP EQ' | /eqP NEQ'].
- + exists t_edf.
- split; last by apply /andP; split => //; exact mea_guarantee_dl_orig.
- rewrite -(swap_job_scheduled_t2 _ _ (find_swap_candidate sched t_edf j_orig) _).
- move: H_sched'. rewrite /sched' /make_edf_at SCHED.
- now rewrite EQ'.
- + move: NEQ NEQ' => /eqP NEQ /eqP NEQ'. exists t'.
- split; last by apply /andP; split.
- rewrite -(swap_job_scheduled_other_times _ t_edf (find_swap_candidate sched t_edf j_orig)) //.
- move: H_sched'.
- now rewrite /sched' /make_edf_at SCHED.
- }
- move: EX => [t'' [SCHED'' RANGE]].
- apply: (fsc_found_job_deadline sched _ j_orig t_edf _ _ _ _ _ t'') => // ;
- first by exact mea_guarantee_dl_orig.
- now rewrite scheduled_at_def FSC //=.
- Qed.
-
- End GuaranteeCaseAnalysis.
-
- (** Finally, putting the preceding cases together, we obtain the
- result that [make_edf_at] establishes [EDF_at] at time
- [t_edf]. *)
- Lemma make_edf_at_guarantee:
- EDF_at sched' t_edf.
- Proof.
- move=> j_edf H_sched_edf t' j' t_edf_le_t' H_sched' H_arrival_j'.
- destruct (sched t_edf) as [j_orig|] eqn:SCHED;
- last by move: (H_sched_edf); rewrite /sched' /make_edf_at scheduled_at_def => /eqP; rewrite !SCHED.
- have H_sched: scheduled_at sched j_orig t_edf
- by rewrite scheduled_at_def; apply /eqP.
- case: (boolP (t' < job_deadline j_orig)).
- - by apply mea_guarantee_case_t'_before_deadline.
- - rewrite -leqNgt => BOUND_t'.
- now apply: (mea_guarantee_case_t'_past_deadline j_orig j_edf j' t').
- Qed.
-
- (** We observe that [make_edf_at] maintains the property that jobs
- must arrive to execute. *)
- Lemma mea_jobs_must_arrive:
- jobs_must_arrive_to_execute sched'.
- Proof.
- move=> j t.
- rewrite /has_arrived /sched' /make_edf_at.
- destruct (sched t_edf) as [j_orig|] eqn:SCHED_orig;
- last by move=> SCHED; by apply H_jobs_must_arrive_to_execute.
- have SCHED': scheduled_at sched j_orig t_edf
- by rewrite scheduled_at_def; apply /eqP.
- move: (scheduled_job_in_sched_has_later_deadline j_orig t_edf SCHED') => DL_orig.
- rewrite scheduled_at_def /swapped /replace_at.
- case: (boolP((find_swap_candidate sched t_edf j_orig) == t)) => [/eqP EQ| /eqP NEQ].
- - rewrite SCHED_orig => /eqP j_is_orig.
- injection j_is_orig => <-.
- apply leq_trans with (n := t_edf).
- + by apply H_jobs_must_arrive_to_execute.
- + by rewrite -EQ; apply fsc_range1.
- - case (boolP(t_edf == t)) => [/eqP EQ'| /eqP NEQ'].
- + move=> SCHED_j.
- try ( have ARR_j: job_arrival j <= t_edf by apply fsc_found_job_arrival with (sched0 := sched) (j1 := j_orig) => //; rewrite scheduled_at_def ) ||
- have ARR_j: job_arrival j <= t_edf by apply fsc_found_job_arrival with (sched := sched) (j1 := j_orig) => //; rewrite scheduled_at_def.
- now rewrite -EQ'.
- + move=> SCHED_j.
- by apply H_jobs_must_arrive_to_execute; rewrite scheduled_at_def.
- Qed.
-
- (** We connect the fact that a job is scheduled in [sched'] to the
- fact that it must be scheduled somewhere in [sched], too, since
- [make_edf_at] does not introduce any new jobs. *)
- Lemma mea_job_scheduled:
- forall j t,
- scheduled_at sched' j t ->
- exists t', scheduled_at sched j t'.
- Proof.
- rewrite /sched' /make_edf_at.
- move=> j t SCHED_j.
- destruct (sched t_edf) as [j_orig|] eqn:SCHED_orig; last by exists t.
- eapply swap_job_scheduled.
- now exact SCHED_j.
- Qed.
-
- (** Conversely, if a job is scheduled in [sched], it is also
- scheduled somewhere in [sched'] since [make_edf_at] does not lose
- any jobs. *)
- Lemma mea_job_scheduled':
- forall j t,
- scheduled_at sched j t ->
- exists t', scheduled_at sched' j t'.
- Proof.
- move=> j t SCHED_j.
- rewrite /sched' /make_edf_at.
- destruct (sched t_edf) as [j_orig|] eqn:SCHED_orig;
- last by exists t.
- eapply swap_job_scheduled_original.
- now exact SCHED_j.
- Qed.
-
- (** Next, we observe that if all jobs in [sched] come from a given
- arrival sequence, then that's still the case in [sched'], too. *)
- Section ArrivalSequence.
-
- (** For given arrival sequence,... *)
- Variable arr_seq: arrival_sequence Job.
-
- (** ...if all jobs in [sched] come from the arrival sequence,... *)
- Hypothesis H_from_arr_seq: jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ...then all jobs in [sched'] do, too. *)
- Lemma mea_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched' arr_seq.
- Proof.
- rewrite /sched' /make_edf_at.
- destruct (sched t_edf) as [j_orig|] eqn:SCHED_orig;
- last by done.
- now apply swapped_jobs_come_from_arrival_sequence.
- Qed.
-
- End ArrivalSequence.
-
- (** For the final claim, assume that [EDF_at] already holds
- everywhere prior to time [t_edf], i.e., that [sched] consists of
- an EDF prefix. *)
- Hypothesis H_EDF_prefix: forall t, t < t_edf -> EDF_at sched t.
-
- (** We establish a key property of [make_edf_at]: not only does it
- ensure [EDF_at] at time [t_edf], it also maintains the fact that
- the schedule has an EDF prefix prior to time [t_edf]. In other
- words, it grows the EDF prefix by one time unit. *)
- Lemma mea_EDF_widen:
- forall t, t <= t_edf -> EDF_at sched' t.
- Proof.
- move=> t.
- rewrite leq_eqVlt => /orP [/eqP EQ|LT] ;
- first by rewrite EQ; apply make_edf_at_guarantee.
- rewrite /sched' /make_edf_at.
- destruct (sched t_edf) as [j_orig|] eqn:SCHED_edf; last by apply H_EDF_prefix.
- move=> j SCHED_j t' j' LE_t_t' SCHED_j' ARR_j'.
- have SCHED_edf': scheduled_at sched j_orig t_edf
- by rewrite scheduled_at_def; apply /eqP.
- have LT_t_fsc: t < find_swap_candidate sched t_edf j_orig.
- {
- apply leq_trans with (n := t_edf) => //.
- apply fsc_range1 => //.
- now apply scheduled_job_in_sched_has_later_deadline.
- }
- move: SCHED_j.
- have ->: scheduled_at (swapped sched t_edf (find_swap_candidate sched t_edf j_orig)) j t = scheduled_at sched j t
- by apply swap_job_scheduled_other_times; [move: LT | move: LT_t_fsc]; rewrite ltn_neqAle => /andP [NEQ _]; rewrite eq_sym.
- move => SCHED_j.
- move: (H_EDF_prefix t LT). rewrite /EDF_at => EDF.
- move: (SCHED_j').
- move: (swap_job_scheduled_cases _ _ _ _ _ SCHED_j') => [->|[[EQ ->]|[EQ ->]]] SCHED_j'_orig.
- - by apply EDF with (t' := t').
- - by apply EDF with (t' := (find_swap_candidate sched t_edf j_orig)) => //; apply ltnW.
- - by apply EDF with (t' := t_edf) => //; apply ltnW.
- Qed.
-
-End MakeEDFAtFacts.
-
-
-(** In the following section, we establish properties of [edf_transform_prefix]. *)
-Section EDFPrefixFacts.
-
- (** For any given type of jobs... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ...consider an ideal uniprocessor schedule... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ...that is well-behaved... *)
- Hypothesis H_jobs_must_arrive_to_execute: jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute: completed_jobs_dont_execute sched.
-
- (** ...and in which no scheduled job misses a deadline. *)
- Hypothesis H_no_deadline_misses: all_deadlines_met sched.
-
- (** Consider any point in time, denoted [horizon], and... *)
- Variable horizon: instant.
-
- (** ...let [sched'] denote the schedule obtained by transforming
- [sched] up to the horizon. *)
- Let sched' := edf_transform_prefix sched horizon.
-
- (** To start, we observe that [sched'] is still well-behaved and
- without deadline misses. *)
- Lemma edf_prefix_well_formedness:
- completed_jobs_dont_execute sched'
- /\
- jobs_must_arrive_to_execute sched'
- /\
- all_deadlines_met sched'.
- Proof.
- rewrite /sched' /edf_transform_prefix.
- apply prefix_map_property_invariance; last by split.
- move=> sched'' t [COMP [ARR DL_MET]].
- split; last split.
- - apply mea_completed_jobs => //.
- - apply mea_jobs_must_arrive => //.
- - apply mea_no_deadline_misses => //.
- Qed.
-
- (** Because it is needed frequently, we extract the second clause of
- the above conjunction as a corollary. *)
- Corollary edf_prefix_jobs_must_arrive:
- jobs_must_arrive_to_execute sched'.
- Proof. by move: edf_prefix_well_formedness => [_ [ARR _]]. Qed.
-
- (** We similarly observe that the absence of deadline misses implies
- that any scheduled job must have a deadline at a time later then
- when it is scheduled. *)
- Corollary edf_prefix_scheduled_job_has_later_deadline:
- forall j t,
- scheduled_at sched' j t ->
- job_deadline j > t.
- Proof.
- move=> j t SCHED.
- move: edf_prefix_well_formedness => [COMP [ARR DL_MET]].
- apply (scheduled_at_implies_later_deadline sched') => //.
- exact: (DL_MET j t).
- Qed.
-
- (** Since no jobs are lost or added to the schedule by
- [edf_transform_prefix], we if a job is scheduled in the
- transformed schedule, then it is also scheduled at some point in
- the original schedule. *)
- Lemma edf_prefix_job_scheduled:
- forall j t,
- scheduled_at sched' j t ->
- exists t', scheduled_at sched j t'.
- Proof.
- rewrite /sched' /edf_transform_prefix.
- move=> j.
- apply prefix_map_property_invariance;
- last by move=> t SCHED; exists t.
- move=> sched'' t'' EX t''' SCHED_mea.
- move: (mea_job_scheduled _ _ _ _ SCHED_mea) => [t'''' SCHED''''].
- now apply: (EX t'''' SCHED'''').
- Qed.
-
- (** Conversely, if a job is scheduled in the original schedule, it is
- also scheduled at some point in the transformed schedule. *)
- Lemma edf_prefix_job_scheduled':
- forall j t,
- scheduled_at sched j t ->
- exists t', scheduled_at sched' j t'.
- Proof.
- move=> j t SCHED_j.
- rewrite /sched' /edf_transform_prefix.
- apply prefix_map_property_invariance; last by exists t.
- move=> schedX tx [t' SCHEDX_j].
- eapply mea_job_scheduled'.
- now exact SCHEDX_j.
- Qed.
-
- (** Next, we note that [edf_transform_prefix] maintains the
- property that all jobs stem from a given arrival sequence. *)
- Section ArrivalSequence.
-
- (** For any arrival sequence,... *)
- Variable arr_seq: arrival_sequence Job.
-
- (** ...if all jobs in the original schedule come from the arrival sequence,... *)
- Hypothesis H_from_arr_seq: jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ...then all jobs in the transformed schedule still come from
- the same arrival sequence. *)
- Lemma edf_prefix_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched' arr_seq.
- Proof.
- rewrite /sched' /edf_transform_prefix.
- apply prefix_map_property_invariance; last by done.
- move => schedX t ARR.
- now apply mea_jobs_come_from_arrival_sequence.
- Qed.
-
- End ArrivalSequence.
-
- (** We establish the key property of [edf_transform_prefix]: that it indeed
- ensures that the resulting schedule ensures the EDF invariant up to the
- given [horizon]. *)
- Lemma edf_prefix_guarantee:
- forall t,
- t < horizon ->
- EDF_at sched' t.
- Proof.
- move=> t IN_PREFIX.
- rewrite /sched' /edf_transform_prefix.
- apply prefix_map_pointwise_property
- with (Q := EDF_at)
- (P := (fun sched => completed_jobs_dont_execute sched
- /\
- jobs_must_arrive_to_execute sched
- /\
- all_deadlines_met sched))=> //.
- - move=> schedX t_ref [COMP [ARR DL]].
- split; last split.
- + by apply mea_completed_jobs => //.
- + by apply mea_jobs_must_arrive => //.
- + by apply mea_no_deadline_misses => //.
- - move=> schedX t_ref [COMP [ARR DL]].
- now apply mea_EDF_widen.
- Qed.
-
-End EDFPrefixFacts.
-
-(** Finally, we observe that [edf_transform_prefix] is prefix-stable, which
- allows us to replace an earlier horizon with a later horizon. Note: this is
- in a separate section because we need [edf_prefix_jobs_must_arrive]
- generalized for any schedule. *)
-Section EDFPrefixInclusion.
-
- (** For any given type of jobs... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ...consider an ideal uniprocessor schedule... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ...that is well-behaved... *)
- Hypothesis H_jobs_must_arrive_to_execute: jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute: completed_jobs_dont_execute sched.
-
- (** ...and in which no scheduled job misses a deadline. *)
- Hypothesis H_no_deadline_misses: all_deadlines_met sched.
-
- Lemma edf_prefix_inclusion:
- forall h1 h2,
- h1 <= h2 ->
- identical_prefix (edf_transform_prefix sched h1) (edf_transform_prefix sched h2) h1.
- Proof.
- move=> h1 h2 LE_h1_h2. rewrite /identical_prefix => t LT_t_h1.
- induction h2; first by move: (leq_trans LT_t_h1 LE_h1_h2).
- move: LE_h1_h2. rewrite leq_eqVlt => /orP [/eqP ->|LT]; first by done.
- move: LT. rewrite ltnS => LE_h1_h2.
- rewrite [RHS]/edf_transform_prefix /prefix_map -/prefix_map IHh2 //.
- rewrite {1}/make_edf_at.
- destruct (prefix_map sched make_edf_at h2 h2) as [j|] eqn:SCHED; last by done.
- rewrite -(swap_before_invariant _ h2 (find_swap_candidate (edf_transform_prefix sched h2) h2 j)) // ;
- last by apply leq_trans with (n := h1).
- have SCHED_j: scheduled_at (edf_transform_prefix sched h2) j h2
- by rewrite scheduled_at_def /edf_transform_prefix; apply /eqP.
- apply fsc_range1 => //.
- - by apply edf_prefix_jobs_must_arrive.
- - try ( apply edf_prefix_scheduled_job_has_later_deadline with (sched0 := sched) (horizon := h2) => // ) || apply edf_prefix_scheduled_job_has_later_deadline with (sched := sched) (horizon := h2) => //.
- Qed.
-
-End EDFPrefixInclusion.
-
-
-(** In the following section, we finally establish properties of the
- overall EDF transformation[edf_transform]. *)
-Section EDFTransformFacts.
-
- (** For any given type of jobs... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ...consider an ideal uniprocessor schedule... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ...that is well-behaved... *)
- Hypothesis H_jobs_must_arrive_to_execute: jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute: completed_jobs_dont_execute sched.
-
- (** ...and in which no scheduled job misses a deadline. *)
- Hypothesis H_no_deadline_misses: all_deadlines_met sched.
-
- (** In the following, let [sched_edf] denote the EDF schedule obtained by
- transforming the given reference schedule. *)
- Let sched_edf := edf_transform sched.
-
- (** We begin with a simple lemma relating [sched_edf] to its definition that
- allows us to easily look at any finite prefix of the EDF-transformed
- scheduled. *)
- Lemma edf_finite_prefix:
- forall h,
- identical_prefix sched_edf (edf_transform_prefix sched h) h.
- Proof.
- move=> h. rewrite /sched_edf/edf_transform /identical_prefix => t LT_h.
- now apply edf_prefix_inclusion.
- Qed.
-
- (** From this, we move on to the defining property of the transformation: the
- resulting schedule is actually an EDF schedule. *)
- Theorem edf_transform_ensures_edf:
- EDF_schedule sched_edf.
- Proof.
- rewrite /EDF_schedule => t.
- rewrite /EDF_at //= => j SCHED_j t' j' LE_t_t' SCHED_j' ARR_j'.
- set S := (edf_transform_prefix sched t'.+1).
- have EDF: EDF_at S t by apply edf_prefix_guarantee.
- apply EDF with (t' := t') => //.
- rewrite -(identical_prefix_scheduled_at sched_edf _ t'.+1) //.
- now apply edf_finite_prefix.
- Qed.
-
- (** Next, we observe that completed jobs still don't execute in the resulting
- EDF schedule. This observation is needed to establish that the resulting
- EDF schedule is valid. *)
- Lemma edf_transform_completed_jobs_dont_execute:
- completed_jobs_dont_execute sched_edf.
- Proof.
- move=> j t.
- set S := (edf_transform_prefix sched t.+1).
- rewrite (identical_prefix_scheduled_at _ S t.+1) //;
- last by apply edf_finite_prefix.
- rewrite (identical_prefix_service _ S t) //;
- last by apply (identical_prefix_inclusion _ _ t.+1) => //; apply edf_finite_prefix.
- move: (edf_prefix_well_formedness sched H_jobs_must_arrive_to_execute
- H_completed_jobs_dont_execute H_no_deadline_misses t.+1) => [COMP _].
- now apply COMP.
- Qed.
-
- (** Similarly, we observe that no job is scheduled prior to its arrival. *)
- Lemma edf_transform_jobs_must_arrive:
- jobs_must_arrive_to_execute sched_edf.
- Proof.
- move=> j t.
- rewrite /sched_edf /edf_transform.
- move: (edf_prefix_well_formedness sched H_jobs_must_arrive_to_execute H_completed_jobs_dont_execute H_no_deadline_misses t.+1) => [_ [ARR _]].
- now apply ARR.
- Qed.
-
- (** We next establish the second key property: in the transformed EDF
- schedule, no scheduled job misses a deadline. *)
- Theorem edf_transform_deadlines_met:
- all_deadlines_met sched_edf.
- Proof.
- move=> j t.
- rewrite /sched_edf /job_meets_deadline.
- set t_dl := (job_deadline j).
- rewrite (identical_prefix_completed_by _ (edf_transform_prefix sched t_dl.+1) t_dl) //;
- last by apply (identical_prefix_inclusion _ _ t_dl.+1) => //; apply edf_finite_prefix.
- move=> SCHED_AT; move: (SCHED_AT).
- rewrite (identical_prefix_scheduled_at _ (edf_transform_prefix sched t_dl.+1) t_dl).
- - move: (edf_prefix_well_formedness sched H_jobs_must_arrive_to_execute
- H_completed_jobs_dont_execute H_no_deadline_misses t_dl.+1) => [_ [_ DL]].
- now apply (DL j t).
- - by apply (identical_prefix_inclusion _ _ t_dl.+1) => //; apply edf_finite_prefix.
- - try ( by apply edf_prefix_scheduled_job_has_later_deadline with (sched0 := sched) (horizon := t.+1) ) || by apply edf_prefix_scheduled_job_has_later_deadline with (sched := sched) (horizon := t.+1).
- Qed.
-
- (** We observe that no new jobs are introduced: any job scheduled in the EDF
- schedule were also present in the reference schedule. *)
- Lemma edf_transform_job_scheduled:
- forall j t, scheduled_at sched_edf j t -> exists t', scheduled_at sched j t'.
- Proof.
- move=> j t.
- rewrite /sched_edf /edf_transform {1}scheduled_at_def -scheduled_at_def.
- by apply edf_prefix_job_scheduled.
- Qed.
-
- (** Conversely, we observe that no jobs are lost: any job scheduled in the
- reference schedule is also present in the EDF schedule. *)
- Lemma edf_transform_job_scheduled':
- forall j t, scheduled_at sched j t -> exists t', scheduled_at sched_edf j t'.
- Proof.
- move=> j t SCHED_j.
- try ( have EX: exists t', scheduled_at (edf_transform_prefix sched (job_deadline j)) j t'
- by apply edf_prefix_job_scheduled' with (t0 := t) ) ||
- have EX: exists t', scheduled_at (edf_transform_prefix sched (job_deadline j)) j t'
- by apply edf_prefix_job_scheduled' with (t := t).
- move: EX => [t' SCHED'].
- exists t'.
- rewrite /sched_edf /edf_transform scheduled_at_def.
- rewrite (edf_prefix_inclusion _ _ _ _ t'.+1 (job_deadline j)) -?scheduled_at_def=> //.
- try ( now apply edf_prefix_scheduled_job_has_later_deadline with (sched0 := sched) (horizon := job_deadline j) ) ||
- now apply edf_prefix_scheduled_job_has_later_deadline with (sched := sched) (horizon := job_deadline j).
- Qed.
-
- (** Next, we note that [edf_transform] maintains the property that all jobs
- stem from a given arrival sequence. *)
- Section ArrivalSequence.
-
- (** For any arrival sequence,... *)
- Variable arr_seq: arrival_sequence Job.
-
- (** ...if all jobs in the original schedule come from the arrival sequence,... *)
- Hypothesis H_from_arr_seq: jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ...then all jobs in the transformed EDF schedule still come from the
- same arrival sequence. *)
- Lemma edf_transform_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched_edf arr_seq.
- Proof.
- rewrite /sched_edf /edf_transform.
- move=> j t.
- rewrite scheduled_at_def - scheduled_at_def.
- now apply (edf_prefix_jobs_come_from_arrival_sequence sched t.+1 arr_seq H_from_arr_seq).
- Qed.
-
- End ArrivalSequence.
-
-End EDFTransformFacts.
-
-(** Finally, we state the theorems that jointly make up the EDF optimality claim. *)
-Section Optimality.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** For any given type of jobs... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ... consider an arbitrary valid job arrival sequence ... *)
- Variable arr_seq: arrival_sequence Job.
- Hypothesis H_arr_seq_valid: valid_arrival_sequence arr_seq.
-
- (** ... and an ideal uniprocessor schedule... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ... that corresponds to the given arrival sequence. *)
- Hypothesis H_sched_valid: valid_schedule sched arr_seq.
-
- (** In the following, let [equivalent_edf_schedule] denote the schedule that
- results from the EDF transformation. *)
- Let equivalent_edf_schedule := edf_transform sched.
-
- Section AllDeadlinesMet.
-
- (** Suppose no job scheduled in the given reference schedule misses a deadline. *)
- Hypothesis H_no_deadline_misses: all_deadlines_met sched.
-
- (** Then the resulting EDF schedule is a valid schedule for the given
- arrival sequence... *)
- Theorem edf_schedule_is_valid:
- valid_schedule equivalent_edf_schedule arr_seq.
- Proof.
- rewrite /valid_schedule; split;
- first by apply edf_transform_jobs_come_from_arrival_sequence; rt_eauto.
- apply basic_readiness_compliance.
- - by apply edf_transform_jobs_must_arrive; rt_eauto.
- - by apply edf_transform_completed_jobs_dont_execute; rt_eauto.
- Qed.
-
- (** ...and no scheduled job misses its deadline. *)
- Theorem edf_schedule_meets_all_deadlines:
- all_deadlines_met equivalent_edf_schedule.
- Proof.
- by apply edf_transform_deadlines_met; rt_eauto.
- Qed.
-
- End AllDeadlinesMet.
-
- (** Next, we strengthen the above "no deadline misses" claim by relating it
- not just to all scheduled jobs, but to all jobs in the given arrival
- sequence. *)
- Section AllDeadlinesOfArrivalsMet.
-
- (** Suppose no job that's part of the arrival sequence misses a deadline in
- the given reference schedule. *)
- Hypothesis H_no_deadline_misses_of_arrivals: all_deadlines_of_arrivals_met arr_seq sched.
-
- (** Then no job that's part of the arrival sequence misses a deadline in the
- EDF schedule, either. *)
- Theorem edf_schedule_meets_all_deadlines_wrt_arrivals:
- all_deadlines_of_arrivals_met arr_seq equivalent_edf_schedule.
- Proof.
- move=> j ARR_j.
- move: H_sched_valid => [COME READY].
- have ARR := jobs_must_arrive_to_be_ready sched READY.
- have COMP := completed_jobs_are_not_ready sched READY.
- destruct (job_cost j == 0) eqn:COST.
- - move: COST => /eqP COST.
- rewrite /job_meets_deadline /completed_by COST.
- by apply leq0n.
- - move: (neq0_lt0n COST) => NONZERO.
- move: (H_no_deadline_misses_of_arrivals j ARR_j). rewrite {1}/job_meets_deadline => COMP_j.
- move: (completed_implies_scheduled_before sched j NONZERO ARR (job_deadline j) COMP_j) => [t' [_ SCHED']].
- move: (all_deadlines_met_in_valid_schedule arr_seq sched COME H_no_deadline_misses_of_arrivals) => NO_MISSES.
- move: (edf_transform_job_scheduled' sched ARR COMP NO_MISSES j t' SCHED') => [t'' SCHED''].
- move: (edf_schedule_meets_all_deadlines NO_MISSES) => DL_MET.
- by apply: (DL_MET j t'' SCHED'').
- Qed.
-
- End AllDeadlinesOfArrivalsMet.
-
-End Optimality.
diff --git a/analysis/facts/transform/edf_wc.v b/analysis/facts/transform/edf_wc.v
deleted file mode 100644
index 9976ec343efb177704da670c62ad3e6fc8dd2a6b..0000000000000000000000000000000000000000
--- a/analysis/facts/transform/edf_wc.v
+++ /dev/null
@@ -1,402 +0,0 @@
-Require Import prosa.model.readiness.basic.
-Require Export prosa.analysis.facts.transform.edf_opt.
-Require Export prosa.analysis.facts.transform.wc_correctness.
-Require Export prosa.analysis.facts.behavior.deadlines.
-Require Export prosa.analysis.facts.readiness.backlogged.
-
-
-(** * Optimality of Work-Conserving EDF on Ideal Uniprocessors *)
-
-(** In this file, we establish the foundation needed to connect the EDF and
- work-conservation optimality theorems: if there is any work-conserving way
- to meet all deadlines (assuming an ideal uniprocessor schedule), then there
- is also an (ideal) EDF schedule that is work-conserving in which all
- deadlines are met. *)
-
-(** ** Non-Idle Swaps *)
-
-(** We start by showing that [swapped], a function used in the inner-most level
- of [edf_transform], maintains work conservation if the two instants being
- swapped are not idle. *)
-Section NonIdleSwapWorkConservationLemmas.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** For any given type of jobs... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ... and any valid job arrival sequence. *)
- Variable arr_seq: arrival_sequence Job.
- Hypothesis H_arr_seq_valid: valid_arrival_sequence arr_seq.
-
- (** ...consider an ideal uniprocessor schedule... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ...that is well-behaved (i.e., in which jobs execute only after having
- arrived and only if they are not yet complete, and in which all jobs come
- from the arrival sequence). *)
- Hypothesis H_jobs_must_arrive_to_execute: jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute: completed_jobs_dont_execute sched.
- Hypothesis H_from_arr_seq: jobs_come_from_arrival_sequence sched arr_seq.
-
- (** Suppose we are given two specific times [t1] and [t2],... *)
- Variables t1 t2 : instant.
-
- (** ...which we assume to be ordered (to avoid dealing with symmetric cases),... *)
- Hypothesis H_well_ordered: t1 <= t2.
-
- (** ...and two jobs [j1] and [j2]... *)
- Variables j1 j2 : Job.
-
- (** ...such that [j2] arrives before time [t1],... *)
- Hypothesis H_arrival_j2 : job_arrival j2 <= t1.
-
- (** ...[j1] is scheduled at time [t1], and... *)
- Hypothesis H_t1_not_idle : scheduled_at sched j1 t1.
-
- (** ...[j2] is scheduled at time [t2]. *)
- Hypothesis H_t2_not_idle : scheduled_at sched j2 t2.
-
- (** We let [swap_sched] denote the schedule in which the allocations at
- [t1] and [t2] have been swapped. *)
- Let swap_sched := swapped sched t1 t2.
-
- (** Now consider an arbitrary job [j]... *)
- Variable j : Job.
-
- (** ...and an arbitrary instant [t]... *)
- Variable t : instant.
-
- (** ...such that [j] arrives in [arr_seq]... *)
- Hypothesis H_arrival_j : arrives_in arr_seq j.
-
- (** ...and is backlogged in [swap_sched] at instant [t]. *)
- Hypothesis H_backlogged_j_t : backlogged swap_sched j t.
-
- (** We proceed by case analysis. We first show that, if [t] equals [t1], then
- [swap_sched] maintains work conservation. That is, there exists some job
- that's scheduled in [swap_sched] at instant [t] *)
- Lemma non_idle_swap_maintains_work_conservation_t1 :
- work_conserving arr_seq sched ->
- t = t1 ->
- exists j_other, scheduled_at swap_sched j_other t.
- Proof.
- move=> _ EQ; rewrite EQ; by exists j2; rewrite swap_job_scheduled_t1.
- Qed.
-
- (** Similarly, if [t] equals [t2] then then [swap_sched] maintains work conservation. *)
- Lemma non_idle_swap_maintains_work_conservation_t2 :
- work_conserving arr_seq sched ->
- t = t2 ->
- exists j_other, scheduled_at swap_sched j_other t.
- Proof.
- move=> _ EQ; rewrite EQ; by exists j1; rewrite swap_job_scheduled_t2.
- Qed.
-
- (** If [t] is less than or equal to [t1] then then then [swap_sched] maintains work conservation. *)
- Lemma non_idle_swap_maintains_work_conservation_LEQ_t1 :
- work_conserving arr_seq sched ->
- t <= t1 ->
- exists j_other, scheduled_at swap_sched j_other t.
- Proof.
- move=> WC_sched LEQ.
- case: (boolP(t == t1)) => [/eqP EQ| /eqP NEQ]; first by apply non_idle_swap_maintains_work_conservation_t1.
- case: (boolP(t == t2)) => [/eqP EQ'| /eqP NEQ']; first by apply non_idle_swap_maintains_work_conservation_t2.
- have [j_other j_other_scheduled] : exists j_other, scheduled_at sched j_other t.
- { rewrite /work_conserving in WC_sched. apply (WC_sched j) => //; move :H_backlogged_j_t.
- rewrite /backlogged/job_ready/basic_ready_instance/pending/completed_by.
- move /andP => [ARR_INCOMP scheduled]; move :ARR_INCOMP; move /andP => [arrive not_comp].
- apply /andP; split; first (apply /andP; split) => //.
- + by rewrite (service_before_swap_invariant sched t1 t2 _ t).
- + by rewrite -(swap_job_scheduled_other_times _ t1 t2 j t) //; (apply /neqP; eauto).
- }
- exists j_other; by rewrite (swap_job_scheduled_other_times) //; do 2! (apply /neqP; eauto).
- Qed.
-
- (** Similarly, if [t] is greater than [t2] then then then [swap_sched] maintains work conservation. *)
- Lemma non_idle_swap_maintains_work_conservation_GT_t2 :
- work_conserving arr_seq sched ->
- t2 < t ->
- exists j_other, scheduled_at swap_sched j_other t.
- Proof.
- move=> WC_sched GT.
- case: (boolP(t == t1)) => [/eqP EQ| /eqP NEQ]; first by apply non_idle_swap_maintains_work_conservation_t1.
- case: (boolP(t == t2)) => [/eqP EQ'| /eqP NEQ']; first by apply non_idle_swap_maintains_work_conservation_t2.
- have [j_other j_other_scheduled] : exists j_other, scheduled_at sched j_other t.
- { rewrite /work_conserving in WC_sched. apply (WC_sched j) => //; move :H_backlogged_j_t.
- rewrite /backlogged/job_ready/basic_ready_instance/pending/completed_by.
- move /andP => [ARR_INCOMP scheduled]; move :ARR_INCOMP; move /andP => [arrive not_comp].
- apply /andP; split; first (apply /andP; split) => //.
- + by rewrite (service_after_swap_invariant sched t1 t2 _ t) // /t2; apply fsc_range1.
- + by rewrite -(swap_job_scheduled_other_times _ t1 t2 j t) //; (apply /neqP; eauto).
- }
- exists j_other; by rewrite (swap_job_scheduled_other_times) //; do 2! (apply /neqP; eauto).
- Qed.
-
- (** Lastly, we show that if [t] lies between [t1] and [t2] then work conservation is still maintained. *)
- Lemma non_idle_swap_maintains_work_conservation_BET_t1_t2 :
- work_conserving arr_seq sched ->
- t1 < t <= t2 ->
- exists j_other, scheduled_at swap_sched j_other t.
- Proof.
- move=> WC_sched H_range.
- case: (boolP(t == t1)) => [/eqP EQ| /eqP NEQ]; first by apply non_idle_swap_maintains_work_conservation_t1.
- case: (boolP(t == t2)) => [/eqP EQ'| /eqP NEQ']; first by apply non_idle_swap_maintains_work_conservation_t2.
- move: H_range. move /andP => [LT GE].
- case: (boolP(scheduled_at sched j2 t)) => Hj'.
- - exists j2; by rewrite (swap_job_scheduled_other_times _ t1 t2 j2 t) //; (apply /neqP; eauto).
- - have [j_other j_other_scheduled] : exists j_other, scheduled_at sched j_other t.
- { rewrite /work_conserving in WC_sched. apply (WC_sched j2).
- - by unfold jobs_come_from_arrival_sequence in H_from_arr_seq; apply (H_from_arr_seq _ t2) => //.
- - rewrite/backlogged/job_ready/basic_ready_instance/pending/completed_by.
- apply /andP; split; first (apply /andP; split) => //; last by done.
- + by rewrite /has_arrived; apply (leq_trans H_arrival_j2); apply ltnW.
- + rewrite -ltnNge. apply (leq_ltn_trans) with (service sched j2 t2).
- * by apply service_monotonic.
- * by apply H_completed_jobs_dont_execute. }
- exists j_other. now rewrite (swap_job_scheduled_other_times) //; (apply /neqP; eauto).
- Qed.
-
-End NonIdleSwapWorkConservationLemmas.
-
-(** ** Work-Conserving Swap Candidates *)
-
-(** Now, we show that work conservation is maintained by the inner-most level
- of [edf_transform], which is [find_swap_candidate]. *)
-Section FSCWorkConservationLemmas.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** For any given type of jobs... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ...and any valid job arrival sequence,... *)
- Variable arr_seq: arrival_sequence Job.
- Hypothesis H_arr_seq_valid: valid_arrival_sequence arr_seq.
-
- (** ...consider an ideal uniprocessor schedule... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ...that is well-behaved (i.e., in which jobs execute only after having
- arrived and only if they are not yet complete)... *)
- Hypothesis H_jobs_must_arrive_to_execute: jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute: completed_jobs_dont_execute sched.
-
- (** ...and in which all jobs come from the arrival sequence. *)
- Hypothesis H_from_arr_seq: jobs_come_from_arrival_sequence sched arr_seq.
-
- (** Suppose we are given a job [j1]... *)
- Variable j1: Job.
-
- (** ...and a point in time [t1]... *)
- Variable t1: instant.
-
- (** ...at which [j1] is scheduled... *)
- Hypothesis H_not_idle: scheduled_at sched j1 t1.
-
- (** ...and that is before [j1]'s deadline. *)
- Hypothesis H_deadline_not_missed: t1 < job_deadline j1.
-
- (** We now show that, if [t2] is a swap candidate returned by
- [find_swap_candidate] for [t1], then swapping the processor allocations at
- the two instants maintains work conservation. *)
- Corollary fsc_swap_maintains_work_conservation :
- work_conserving arr_seq sched ->
- work_conserving arr_seq (swapped sched t1 (edf_trans.find_swap_candidate sched t1 j1)).
- Proof.
- set t2 := edf_trans.find_swap_candidate sched t1 j1.
- have [j2 [t2_not_idle t2_arrival]] : exists j2, scheduled_at sched j2 t2 /\ job_arrival j2 <= t1
- by apply fsc_not_idle.
- have H_range : t1 <= t2 by apply fsc_range1.
- move=> WC_sched j t ARR BL.
- case: (boolP(t == t1)) => [/eqP EQ| /eqP NEQ].
- - by apply (non_idle_swap_maintains_work_conservation_t1 arr_seq _ _ _ j2).
- - case: (boolP(t == t2)) => [/eqP EQ'| /eqP NEQ'].
- + by apply (non_idle_swap_maintains_work_conservation_t2 arr_seq _ _ _ j1).
- + case: (boolP((t <= t1) || (t2 < t))) => [NOT_BET | BET]. (* t <> t2 *)
- * move: NOT_BET; move/orP => [] => NOT_BET.
- { by apply (non_idle_swap_maintains_work_conservation_LEQ_t1 arr_seq _ _ _ H_range _ _ H_not_idle t2_not_idle j). }
- { by apply (non_idle_swap_maintains_work_conservation_GT_t2 arr_seq _ _ _ H_range _ _ H_not_idle t2_not_idle j). }
- * move: BET; rewrite negb_or. move /andP. case; rewrite <- ltnNge => range1; rewrite <- leqNgt => range2.
- have BET: (t1 < t) && (t <= t2) by apply /andP.
- now apply (non_idle_swap_maintains_work_conservation_BET_t1_t2 arr_seq _ H_completed_jobs_dont_execute H_from_arr_seq _ _ _ _ t2_arrival H_not_idle t2_not_idle ).
- Qed.
-
-End FSCWorkConservationLemmas.
-
-(** ** Work-Conservation of the Point-Wise EDF Transformation *)
-
-(** In the following section, we show that work conservation is maintained by the
- next level of [edf_transform], which is [make_edf_at]. *)
-Section MakeEDFWorkConservationLemmas.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** For any given type of jobs... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ... and any valid job arrival sequence, ... *)
- Variable arr_seq: arrival_sequence Job.
- Hypothesis H_arr_seq_valid: valid_arrival_sequence arr_seq.
-
- (** ... consider an ideal uniprocessor schedule ... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ... in which all jobs come from the arrival sequence, ... *)
- Hypothesis H_from_arr_seq: jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ...that is well-behaved,... *)
- Hypothesis H_jobs_must_arrive_to_execute: jobs_must_arrive_to_execute sched.
- Hypothesis H_completed_jobs_dont_execute: completed_jobs_dont_execute sched.
-
- (** ...and in which no scheduled job misses a deadline. *)
- Hypothesis H_no_deadline_misses: all_deadlines_met sched.
-
- (** We analyze [make_edf_at] applied to an arbitrary point in time,
- which we denote [t_edf] in the following. *)
- Variable t_edf: instant.
-
- (** For brevity, let [sched'] denote the schedule obtained from
- [make_edf_at] applied to [sched] at time [t_edf]. *)
- Let sched' := make_edf_at sched t_edf.
-
- (** We show that, if a schedule is work-conserving, then applying
- [make_edf_at] to it at an arbitrary instant [t_edf] maintains work
- conservation. *)
- Lemma mea_maintains_work_conservation :
- work_conserving arr_seq sched -> work_conserving arr_seq sched'.
- Proof. rewrite /sched'/make_edf_at => WC_sched. destruct (sched t_edf) eqn:E => //.
- apply fsc_swap_maintains_work_conservation => //.
- - by rewrite scheduled_at_def; apply /eqP => //.
- - apply (scheduled_at_implies_later_deadline sched) => //.
- + rewrite /all_deadlines_met in (H_no_deadline_misses).
- now apply (H_no_deadline_misses s t_edf); rewrite scheduled_at_def; apply /eqP.
- + by rewrite scheduled_at_def; apply/eqP => //.
- Qed.
-
-End MakeEDFWorkConservationLemmas.
-
-(** ** Work-Conserving EDF Prefix *)
-
-(** On to the next layer, we prove that the [transform_prefix] function at the
- core of the EDF transformation maintains work conservation *)
-Section EDFPrefixWorkConservationLemmas.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** For any given type of jobs, each characterized by execution
- costs, an arrival time, and an absolute deadline,... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ... and any valid job arrival sequence, ... *)
- Variable arr_seq: arrival_sequence Job.
- Hypothesis H_arr_seq_valid: valid_arrival_sequence arr_seq.
-
- (** ... consider an ideal uniprocessor schedule,... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ... an arbitrary finite [horizon], and ... *)
- Variable horizon: instant.
-
- (** ...let [sched_trans] denote the schedule obtained by transforming
- [sched] up to the horizon. *)
- Let sched_trans := edf_transform_prefix sched horizon.
-
- (** Let [schedule_behavior_premises] define the premise that a schedule is:
- 1) well-behaved,
- 2) has all jobs coming from the arrival sequence [arr_seq], and
- 3) in which no scheduled job misses its deadline *)
- Definition scheduled_behavior_premises (sched : schedule (processor_state Job)) :=
- jobs_must_arrive_to_execute sched
- /\ completed_jobs_dont_execute sched
- /\ jobs_come_from_arrival_sequence sched arr_seq
- /\ all_deadlines_met sched.
-
- (** For brevity, let [P] denote the predicate that a schedule satisfies
- [scheduled_behavior_premises] and is work-conserving. *)
- Let P (sched : schedule (processor_state Job)) :=
- scheduled_behavior_premises sched /\ work_conserving arr_seq sched.
-
- (** We show that if [sched] is work-conserving, then so is [sched_trans]. *)
- Lemma edf_transform_prefix_maintains_work_conservation:
- P sched -> P sched_trans.
- Proof.
- rewrite/sched_trans/edf_transform_prefix. apply (prefix_map_property_invariance ). rewrite /P.
- move=> sched' t [[H_ARR [H_COMPLETED [H_COME H_all_deadlines_met]]] H_wc_sched].
- rewrite/scheduled_behavior_premises/valid_schedule; split; first split.
- - by apply mea_jobs_must_arrive.
- - split; last split.
- + by apply mea_completed_jobs.
- + by apply mea_jobs_come_from_arrival_sequence.
- + by apply mea_no_deadline_misses.
- - by apply mea_maintains_work_conservation.
- Qed.
-
-End EDFPrefixWorkConservationLemmas.
-
-(** ** Work-Conservation of the EDF Transformation *)
-
-(** Finally, having established that [edf_transform_prefix] maintains work
- conservation, we go ahead and prove that [edf_transform] maintains work
- conservation, too. *)
-Section EDFTransformWorkConservationLemmas.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** For any given type of jobs, each characterized by execution
- costs, an arrival time, and an absolute deadline,... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ... and any valid job arrival sequence, ... *)
- Variable arr_seq: arrival_sequence Job.
- Hypothesis H_arr_seq_valid: valid_arrival_sequence arr_seq.
-
- (** ... consider a valid ideal uniprocessor schedule ... *)
- Variable sched: schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid: valid_schedule sched arr_seq.
-
- (** ...and in which no scheduled job misses a deadline. *)
- Hypothesis H_no_deadline_misses: all_deadlines_met sched.
-
- (** We first note that [sched] satisfies [scheduled_behavior_premises]. *)
- Lemma sched_satisfies_behavior_premises : scheduled_behavior_premises arr_seq sched.
- Proof.
- split; [ apply (jobs_must_arrive_to_be_ready sched) | split; [ apply (completed_jobs_are_not_ready sched) | split]].
- all: by try apply H_sched_valid.
- Qed.
-
- (** We prove that, if the given schedule [sched] is work-conserving, then the
- schedule that results from transforming it into an EDF schedule is also
- work-conserving. *)
- Lemma edf_transform_maintains_work_conservation :
- work_conserving arr_seq sched -> work_conserving arr_seq (edf_transform sched).
- Proof.
- move=> WC_sched j t ARR.
- set sched_edf := edf_transform sched.
- have IDENT: identical_prefix sched_edf (edf_transform_prefix sched t.+1) t.+1
- by rewrite /sched_edf/edf_transform => t' LE_t; apply (edf_prefix_inclusion) => //; apply sched_satisfies_behavior_premises.
- rewrite (backlogged_prefix_invariance _ _ (edf_transform_prefix sched t.+1) t.+1) // => BL;
- last by apply basic_readiness_nonclairvoyance.
- have WC_trans: work_conserving arr_seq (edf_transform_prefix sched (succn t))
- by apply edf_transform_prefix_maintains_work_conservation; split => //; apply sched_satisfies_behavior_premises.
- move: (WC_trans _ _ ARR BL) => [j_other SCHED_AT].
- exists j_other.
- now rewrite (identical_prefix_scheduled_at _ (edf_transform_prefix sched t.+1) t.+1) //.
- Qed.
-
-End EDFTransformWorkConservationLemmas.
diff --git a/analysis/facts/transform/replace_at.v b/analysis/facts/transform/replace_at.v
deleted file mode 100644
index ea0039ef41c70ebf1c3dac984f711cf5a05b9c82..0000000000000000000000000000000000000000
--- a/analysis/facts/transform/replace_at.v
+++ /dev/null
@@ -1,126 +0,0 @@
-Require Export prosa.analysis.transform.swap.
-Require Export prosa.analysis.facts.behavior.completion.
-
-(** In this file, we make a few simple observations about schedules with
- replacements. *)
-Section ReplaceAtFacts.
-
- (** For any given type of jobs... *)
- Context {Job : JobType}.
-
- (** ... and any given type of processor states, ... *)
- Context {PState: ProcessorState Job}.
-
- (** ...consider any given reference schedule. *)
- Variable sched: schedule PState.
-
- (** Suppose we are given a specific time [t'] ... *)
- Variable t': instant.
-
- (** ...and a replacement state [state]. *)
- Variable nstate: PState.
-
- (** In the following, let [sched'] denote the schedule with replacement at time
- t'. *)
- Let sched' := replace_at sched t' nstate.
-
- (** We begin with the trivial observation that [replace_at sched t' nstate]
- indeed returns [nstate] at time [t']. *)
- Lemma replace_at_def:
- sched' t' = nstate.
- Proof.
- rewrite /sched' /replace_at.
- now apply ifT.
- Qed.
-
- (** Equally trivially, the schedule doesn't change at other times. *)
- Lemma rest_of_schedule_invariant:
- forall t, t <> t' -> sched' t = sched t.
- Proof.
- move => t DIFF.
- rewrite /sched' /replace_at.
- case (t' == t) eqn:TT; last by done.
- by move/eqP in TT; rewrite TT in DIFF; contradiction.
- Qed.
-
- (** As a result, the service in intervals that do not intersect with
- [t'] is invariant, too. *)
- Lemma service_at_other_times_invariant:
- forall t1 t2,
- t2 <= t' \/ t' < t1 ->
- forall j,
- service_during sched j t1 t2
- =
- service_during sched' j t1 t2.
- Proof.
- move => t1 t2 SWAP_EXCLUDED j.
- rewrite /service_during /service_at.
- apply eq_big_nat => t /andP [le_t1t lt_tt2].
- rewrite rest_of_schedule_invariant//.
- eapply point_not_in_interval; eauto.
- apply /andP; by split.
- Qed.
-
- (** Next, we consider the amount of service received in intervals
- that do span across the replacement point. We can relate the
- service received in the original and the new schedules by adding
- the service in the respective "missing" state... *)
- Lemma service_delta:
- forall t1 t2,
- t1 <= t' < t2 ->
- forall j,
- service_during sched j t1 t2 + service_at sched' j t'
- =
- service_during sched' j t1 t2 + service_at sched j t'.
- Proof.
- move => t1 t2 TIMES j.
- rewrite -(service_split_at_point sched _ _ t' _) //
- -(service_split_at_point sched' _ _ t' _) //.
- by rewrite !service_at_other_times_invariant -/sched'; [ring | right | left].
- Qed.
-
- (** ...which we can also rewrite as follows. *)
- Corollary service_in_replaced:
- forall t1 t2,
- t1 <= t' < t2 ->
- forall j,
- service_during sched' j t1 t2
- =
- service_during sched j t1 t2 + service_at sched' j t' - service_at sched j t'.
- Proof. move => t1 t2 ORDER j. by rewrite service_delta// addnK. Qed.
-
- (** As another simple invariant (useful for case analysis), we
- observe that if a job is scheduled neither in the replaced nor
- in the new state, then at any time it receives exactly the same
- amount of service in the new schedule with replacements as in
- the original schedule. *)
- Lemma service_at_of_others_invariant (j: Job):
- ~~ scheduled_in j (sched' t') ->
- ~~ scheduled_in j (sched t') ->
- forall t,
- service_at sched j t = service_at sched' j t.
- Proof.
- move=> NOT_IN_NEW NOT_IN_OLD t.
- rewrite /service_at.
- case: (boolP (t == t')) => /eqP TT.
- - by rewrite !TT !service_in_implies_scheduled_in //; apply negbTE.
- - rewrite rest_of_schedule_invariant//.
- Qed.
-
- (** Based on the previous observation, we can trivially lift the
- invariant that jobs not involved in the replacement receive
- equal service to the cumulative service received in any
- interval. *)
- Corollary service_during_of_others_invariant (j: Job):
- ~~ scheduled_in j (sched' t') ->
- ~~ scheduled_in j (sched t') ->
- forall t1 t2,
- service_during sched j t1 t2 = service_during sched' j t1 t2.
- Proof.
- move=> NOT_IN_NEW NOT_IN_OLD t1 t2.
- rewrite /service_during.
- apply eq_big_nat => t /andP [le_t1t lt_tt2].
- rewrite service_at_of_others_invariant //.
- Qed.
-
-End ReplaceAtFacts.
diff --git a/analysis/facts/transform/swaps.v b/analysis/facts/transform/swaps.v
deleted file mode 100644
index c8cd39e47526e4d3fdf0d56fcd436f3c116c2abc..0000000000000000000000000000000000000000
--- a/analysis/facts/transform/swaps.v
+++ /dev/null
@@ -1,468 +0,0 @@
-Require Export prosa.analysis.facts.transform.replace_at.
-Require Export prosa.analysis.facts.behavior.deadlines.
-
-(** In this file, we establish invariants about schedules in which two
- allocations have been swapped, as for instance it is done in the
- classic EDF optimality proof. *)
-
-Section SwappedFacts.
- (** For any given type of jobs... *)
- Context {Job : JobType}.
- (** ... any given type of processor states: *)
- Context {PState: ProcessorState Job}.
-
- (** ...consider any given reference schedule. *)
- Variable sched: schedule PState.
-
- (** Suppose we are given two specific times [t1] and [t2]. *)
- Variable t1 t2: instant.
-
- (** In the following, let [sched'] denote the schedule in which the
- allocations at [t1] and [t2] have been swapped. *)
- Let sched' := swapped sched t1 t2.
-
- (** First, we note that the trivial case where t1 == t2 is not interesting
- because then the two schedules are identical. *)
- Lemma trivial_swap:
- t1 = t2 ->
- forall t,
- sched t = sched' t.
- Proof.
- rewrite /sched' => <- t.
- rewrite /swapped /replace_at.
- case: (boolP (t1 == t)); last by done.
- by move /eqP ->.
- Qed.
-
- (** In this trivial case, the amount of service received hence
- is obviously always identical. *)
- Lemma trivial_swap_service_invariant:
- t1 = t2 ->
- forall t j,
- service sched j t = service sched' j t.
- Proof.
- move=> SAME t j.
- rewrite /service /service_during /service_at.
- apply eq_big_nat => t' RANGE.
- by rewrite trivial_swap.
- Qed.
-
- (** In any case, the two schedules do not differ at non-swapped times. *)
- Lemma swap_other_times_invariant:
- forall t,
- t <> t1 ->
- t <> t2 ->
- sched t = sched' t.
- Proof.
- move=> t NOT_t1 NOT_t2.
- by rewrite /sched' /swapped !rest_of_schedule_invariant //.
- Qed.
-
- (** By definition, if a job is scheduled at t2 in the original
- schedule, then it is found at t1 in the new schedule. *)
- Lemma swap_job_scheduled_t1:
- forall j,
- scheduled_at sched' j t1 =
- scheduled_at sched j t2.
- Proof.
- move=> j.
- rewrite /scheduled_at /sched' /swapped /replace_at.
- case: (boolP(t2 == t1)) => [/eqP EQ|NE].
- - by rewrite EQ.
- - by rewrite ifT.
- Qed.
-
- (** Similarly, a job scheduled at t1 in the original schedule is
- scheduled at t2 after the swap. *)
- Lemma swap_job_scheduled_t2:
- forall j,
- scheduled_at sched' j t2 =
- scheduled_at sched j t1.
- Proof.
- move=> j.
- rewrite /sched' /scheduled_at /swapped /replace_at.
- case: (boolP(t2 == t1)) => [/eqP EQ|NE].
- - by rewrite ifT.
- - by rewrite ifT.
- Qed.
-
- (** If a job is scheduled at any time not involved in the swap, then
- it remains scheduled at that time in the new schedule. *)
- Lemma swap_job_scheduled_other_times:
- forall j t,
- t1 != t ->
- t2 != t ->
- scheduled_at sched' j t =
- scheduled_at sched j t.
- Proof.
- move=> j t /eqP NOT_t1 /eqP NOT_t2.
- rewrite /scheduled_at.
- by rewrite swap_other_times_invariant //; apply: not_eq_sym.
- Qed.
-
- (** To make case analysis more convenient, we summarize the preceding
- three lemmas as a disjunction. *)
- Corollary swap_job_scheduled_cases:
- forall j t,
- scheduled_at sched' j t ->
- scheduled_at sched' j t = scheduled_at sched j t
- \/
- t = t1 /\ scheduled_at sched' j t = scheduled_at sched j t2
- \/
- t = t2 /\ scheduled_at sched' j t = scheduled_at sched j t1.
- Proof.
- move=> j t SCHED.
- destruct (t1 == t) eqn:T1.
- - right. left. move: T1 => /eqP T1.
- split => //.
- by rewrite -swap_job_scheduled_t1 T1.
- - destruct (t2 == t) eqn:T2.
- + right. right. move: T2 => /eqP T2.
- split => //.
- by rewrite -swap_job_scheduled_t2 T2.
- + left. move: T1 T2 => /eqP/eqP T1 /eqP/eqP T2.
- by rewrite -swap_job_scheduled_other_times.
- Qed.
-
- (** From this, we can easily conclude that no jobs have appeared out
- of thin air: if a job scheduled at some time in the new schedule,
- then it was also scheduled at some time in the original
- schedule. *)
- Corollary swap_job_scheduled:
- forall j t,
- scheduled_at sched' j t ->
- exists t',
- scheduled_at sched j t'.
- Proof.
- move=> j t SCHED.
- move: (SCHED).
- move: (swap_job_scheduled_cases j t SCHED) => [->|[[_ ->] | [_ ->]]].
- - by exists t.
- - by exists t2.
- - by exists t1.
- Qed.
-
- (** Mirroring swap_job_scheduled_cases above, we also state a
- disjunction for case analysis under the premise that a job is
- scheduled in the original schedule. *)
- Lemma swap_job_scheduled_original_cases:
- forall j t,
- scheduled_at sched j t ->
- scheduled_at sched' j t = scheduled_at sched j t
- \/
- t = t1 /\ scheduled_at sched' j t2 = scheduled_at sched j t
- \/
- t = t2 /\ scheduled_at sched' j t1 = scheduled_at sched j t.
- Proof.
- move=> j t SCHED.
- destruct (t1 == t) eqn:T1.
- - right; left. move: T1 => /eqP T1.
- split => //.
- by rewrite swap_job_scheduled_t2 T1.
- - destruct (t2 == t) eqn:T2.
- + right; right. move: T2 => /eqP T2.
- split => //.
- by rewrite swap_job_scheduled_t1 T2.
- + left. move: T1 T2 => /eqP/eqP T1 /eqP/eqP T2.
- by rewrite swap_job_scheduled_other_times.
- Qed.
-
- (** Thus, we can conclude that no jobs are lost: if a job is
- scheduled at some point in the original schedule, then it is also
- scheduled at some point in the new schedule. *)
- Corollary swap_job_scheduled_original:
- forall j t,
- scheduled_at sched j t ->
- exists t',
- scheduled_at sched' j t'.
- Proof.
- move=> j t SCHED.
- move: (SCHED).
- move: (swap_job_scheduled_original_cases j t SCHED) => [<-|[[_ <-] | [_ <-]]].
- - by exists t.
- - by exists t2.
- - by exists t1.
- Qed.
-
- (** In the following, we lift the above basic invariants to
- statements about invariants about the cumulative amount of
- service received. *)
-
- (** To avoid dealing with symmetric cases, assume in the following
- that t1 and t2 are ordered. *)
- Hypothesis H_well_ordered: t1 <= t2.
-
- (** As another trivial invariant, we observe that nothing has changed
- before time t1. *)
- Lemma swap_before_invariant:
- forall t,
- t < t1 ->
- sched t = sched' t.
- Proof.
- move=> t t_lt_t1.
- move: (leq_trans t_lt_t1 H_well_ordered) => t_lt_t2.
- by apply swap_other_times_invariant => /eqP /eqP EQ; subst;
- [move: t_lt_t1|move: t_lt_t2]; rewrite ltnn.
- Qed.
-
- (** Similarly, nothing has changed after time t2. *)
- Lemma swap_after_invariant:
- forall t,
- t2 < t ->
- sched t = sched' t.
- Proof.
- move=> t t2_lt_t.
- move: (leq_ltn_trans H_well_ordered t2_lt_t) => t1_lt_t.
- by apply swap_other_times_invariant => /eqP /eqP EQ; subst;
- [move: t1_lt_t|move: t2_lt_t]; rewrite ltnn.
- Qed.
-
- (** Thus, we observe that, before t1, the two schedules are identical with
- regard to the service received by any job because they are identical. *)
- Corollary service_before_swap_invariant:
- forall t,
- t <= t1 ->
- forall (j : Job),
- service sched j t = service sched' j t.
- Proof.
- move => t le_tt1 j.
- rewrite /service.
- rewrite -!service_at_other_times_invariant //; left; first by done.
- apply leq_trans with (n := t1) => //;
- by apply ltnW.
- Qed.
-
- (** Likewise, we observe that, *after* t2, the swapped schedule again does not
- differ with regard to the service received by any job. *)
- Lemma service_after_swap_invariant:
- forall t,
- t2 < t ->
- forall (j : Job),
- service sched j t = service sched' j t.
- Proof.
- move => t t2t j.
- move: H_well_ordered. rewrite leq_eqVlt => /orP [/eqP EQ|t1_lt_t2];
- first by apply trivial_swap_service_invariant.
- have TIME: 0 <= t1 < t
- by apply /andP; split; try apply ltn_trans with (n := t2); done.
- rewrite /service !service_in_replaced// /service_at// /replace_at //.
- rewrite ifT// ifT// ifF;
- last by apply ltn_eqF; exact.
- have service_in_t1 : service_in j (sched t1) <= service_during sched j 0 t.
- { by rewrite -(service_split_at_point _ _ _ t1 _)// addnAC leq_addl. }
- by rewrite subnK ?(leq_trans service_in_t1) ?leq_addr// addnK.
- Qed.
-
- (** Finally, we note that, trivially, jobs that are not involved in
- the swap receive invariant service. *)
- Lemma service_of_others_invariant:
- forall t j,
- ~~ scheduled_in j (sched t1) ->
- ~~ scheduled_in j (sched t2) ->
- service sched j t = service sched' j t.
- Proof.
- move=> t j NOT1 NOT2.
- move: H_well_ordered. rewrite leq_eqVlt => /orP [/eqP EQ|t1_lt_t2];
- first by apply trivial_swap_service_invariant.
- rewrite /service.
- rewrite -!service_during_of_others_invariant // !/replace_at //;
- [rewrite ifT// | rewrite ifT// | rewrite ifF// ].
- by apply ltn_eqF.
- Qed.
-
-End SwappedFacts.
-
-(** In the following section, we observe that, if the original
- schedule satisfies certain properties, then so does the new
- scheduled obtained by swapping the allocations at times [t1] and
- [t2]. *)
-Section SwappedScheduleProperties.
- (** For any given type of jobs... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
- (** ... any given type of processor states: *)
- Context {PState: ProcessorState Job}.
-
- (** ...consider any given reference schedule. *)
- Variable sched: schedule PState.
-
- (** Suppose we are given two specific times [t1] and [t2]... *)
- Variable t1 t2: instant.
-
- (** ...such that [t1] is no later than [t2]. *)
- Hypothesis H_order: t1 <= t2.
-
- (** We let [sched'] denote the schedule in which the allocations at
- [t1] and [t2] have been swapped. *)
- Let sched' := swapped sched t1 t2.
-
- (** First, we observe that if jobs never accumulate more service than
- required, then that's still the case after the swap. *)
- Lemma swapped_service_bound:
- (forall j t, service sched j t <= job_cost j) ->
- (forall j t, service sched' j t <= job_cost j).
- Proof.
- move=> COMP.
- rewrite /completed_jobs_dont_execute => j t.
- wlog: t / (t2 < t); last first.
- {
- move=> LATE.
- move: H_order. rewrite leq_eqVlt => /orP [/eqP EQ| LT].
- - by rewrite -(trivial_swap_service_invariant sched t1 t2) //.
- - by rewrite -(service_after_swap_invariant sched t1 t2) //.
- }
- {
- move=> ARGUMENT.
- case: (boolP (t2 < t)); first by apply (ARGUMENT t).
- rewrite -leqNgt => EARLY.
- apply leq_trans with (n := service sched' j t2.+1).
- - apply service_monotonic.
- by apply leq_trans with (n := t2) => //.
- - by apply (ARGUMENT t2.+1).
- }
- Qed.
-
- (** From the above service bound, we conclude that, if if completed jobs don't
- execute in the original schedule, then that's still the case after the
- swap, assuming an ideal unit-service model (i.e., scheduled jobs receive
- exactly one unit of service). *)
- Lemma swapped_completed_jobs_dont_execute:
- unit_service_proc_model PState ->
- ideal_progress_proc_model PState ->
- completed_jobs_dont_execute sched ->
- completed_jobs_dont_execute sched'.
- Proof.
- move=> UNIT IDEAL COMP.
- apply ideal_progress_completed_jobs => //.
- apply swapped_service_bound.
- by move=> j; apply service_at_most_cost.
- Qed.
-
- (** Suppose all jobs in the original schedule come from some arrival sequence... *)
- Variable arr_seq: arrival_sequence Job.
- Hypothesis H_from_arr_seq: jobs_come_from_arrival_sequence sched arr_seq.
-
- (** ...then that's still the case in the new schedule. *)
- Lemma swapped_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched' arr_seq.
- Proof.
- move: H_from_arr_seq. rewrite /jobs_come_from_arrival_sequence => ARR_sched j t SCHED.
- move: (swap_job_scheduled sched _ _ j t SCHED) => [t' SCHED'].
- by apply (ARR_sched j t' SCHED').
- Qed.
-
-End SwappedScheduleProperties.
-
-(** In the next section, we consider a special case of swaps: namely,
- when the job moved earlier has an earlier deadline than the job
- being moved to a later allocation, assuming that the former has
- not yet missed its deadline, which is the core transformation of
- the classic EDF optimality proof. *)
-Section EDFSwap.
- (** For any given type of jobs with costs and deadlines... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job}.
- (** ... any given type of processor states... *)
- Context {PState: ProcessorState Job}.
-
- (** ...consider a given reference schedule... *)
- Variable sched: schedule PState.
-
- (** ...in which complete jobs don't execute... *)
- Hypothesis H_completed_jobs:
- completed_jobs_dont_execute sched.
-
- (** ...and scheduled jobs always receive service. *)
- Hypothesis H_scheduled_implies_serviced: ideal_progress_proc_model PState.
-
- (** Suppose we are given two specific times [t1] and [t2]... *)
- Variable t1 t2: instant.
-
- (** ...that are ordered. *)
- Hypothesis H_well_ordered: t1 <= t2.
-
- (** Further, assume that, if there are jobs scheduled at times t1 and t2, then
- they either have the same deadline or violate EDF, ... *)
- Hypothesis H_not_EDF:
- forall j1 j2,
- scheduled_at sched j1 t1 ->
- scheduled_at sched j2 t2 ->
- job_deadline j1 >= job_deadline j2.
-
- (** ...and that we don't move idle times or deadline misses earlier,
- i.e., if t1 is not an idle time, then neither is t2 and whatever
- job is scheduled at time t2 has not yet missed its deadline. *)
- Hypothesis H_no_idle_time_at_t2:
- forall j1,
- scheduled_at sched j1 t1 ->
- exists j2, scheduled_at sched j2 t2 /\ job_deadline j2 > t2.
-
- (** Consider the schedule obtained from swapping the allocations at times t1 and t2. *)
- Let sched' := swapped sched t1 t2.
-
- (** The key property of this transformation is that, for any job that
- meets its deadline in the original schedule, we have not
- introduced any deadline misses, which we establish by considering
- a number of different cases. *)
- Section NoNewDeadlineMissesCases.
-
- (** Consider any job... *)
- Variable j: Job.
-
- (** ... that meets its deadline in the original schedule. *)
- Hypothesis H_deadline_met: job_meets_deadline sched j.
-
- (** First we observe that jobs that are not involved in the swap
- still meet their deadlines. *)
- Lemma uninvolved_implies_deadline_met:
- ~~ scheduled_at sched j t1 ->
- ~~ scheduled_at sched j t2 ->
- job_meets_deadline sched' j.
- Proof.
- rewrite /scheduled_at => NOT_t1 NOT_t2.
- rewrite -service_invariant_implies_deadline_met; first by exact H_deadline_met.
- by apply: service_of_others_invariant.
- Qed.
-
- (** Next, we observe that a swap is unproblematic for the job scheduled at
- time t2. *)
- Lemma moved_earlier_implies_deadline_met:
- scheduled_at sched j t2 ->
- job_meets_deadline sched' j.
- Proof.
- move=> AT_t2.
- rewrite -service_invariant_implies_deadline_met; first by exact H_deadline_met.
- apply service_after_swap_invariant => //.
- try ( by apply scheduled_at_implies_later_deadline with (sched0 := sched) => // ) ||
- by apply scheduled_at_implies_later_deadline with (sched := sched) => //.
- Qed.
-
- (** Finally, we observe is also unproblematic for the job that is
- moved to a later allocation. *)
- Lemma moved_later_implies_deadline_met:
- scheduled_at sched j t1 ->
- job_meets_deadline sched' j.
- Proof.
- move=> AT_t1.
- move: (H_no_idle_time_at_t2 j AT_t1) => [j2 [AT_t2 DL2]].
- move: (H_not_EDF j j2 AT_t1 AT_t2) => DL2_le_DL1.
- rewrite -service_invariant_implies_deadline_met; first by exact H_deadline_met.
- apply service_after_swap_invariant => //.
- apply leq_trans with (n := job_deadline j2) => //.
- Qed.
-
- End NoNewDeadlineMissesCases.
-
- (** From the above case analysis, we conclude that no deadline misses
- are introduced in the schedule obtained from swapping the
- allocations at times t1 and t2. *)
- Theorem edf_swap_no_deadline_misses_introduced:
- forall j, job_meets_deadline sched j -> job_meets_deadline sched' j.
- Proof.
- move=> j DL_MET.
- case: (boolP (scheduled_at sched j t1)) => AT_t1.
- - by apply moved_later_implies_deadline_met.
- - case (boolP (scheduled_at sched j t2)) => AT_t2.
- + by apply moved_earlier_implies_deadline_met.
- + by apply uninvolved_implies_deadline_met.
- Qed.
-
-End EDFSwap.
diff --git a/analysis/facts/transform/wc_correctness.v b/analysis/facts/transform/wc_correctness.v
deleted file mode 100644
index eaae5e785cf11f1f623b0c099d9f2746347dac6c..0000000000000000000000000000000000000000
--- a/analysis/facts/transform/wc_correctness.v
+++ /dev/null
@@ -1,697 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq fintype bigop.
-
-Require Export prosa.model.schedule.work_conserving.
-Require Import prosa.model.readiness.basic.
-Require Export prosa.analysis.facts.model.ideal.schedule.
-Require Export prosa.analysis.transform.wc_trans.
-Require Export prosa.analysis.facts.transform.swaps.
-Require Export prosa.analysis.definitions.schedulability.
-Require Export prosa.util.list.
-
-(** * Correctness of the work-conservation transformation *)
-(** This file contains the main argument of the work-conservation proof,
- starting with an analysis of the individual functions that drive
- the work-conservation transformation of a given reference schedule
- and ending with the proofs of individual properties of the obtained
- work-conserving schedule. *)
-
-(** In order to discuss the correctness of the work-conservation transformation at a high level,
- we first need a set of lemmas about the inner parts of the procedure. *)
-Section AuxiliaryLemmasWorkConservingTransformation.
-
- (** We assume ideal uni-processor schedules. *)
- #[local] Existing Instance ideal.processor_state.
-
- (** We assume the basic (i.e., Liu & Layland)
- readiness model under which any pending job is ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** Consider any type of jobs with arrival times, costs, and deadlines... *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobDeadline Job}.
-
- (** ...and an arbitrary arrival sequence. *)
- Variable arr_seq: arrival_sequence Job.
- Hypothesis H_arr_seq_valid: valid_arrival_sequence arr_seq.
-
- (** We introduce the notion of work-conservation at a
- given time [t]. The definition is based on the concept of readiness
- of a job, and states that the presence of a ready job implies that
- the processor is not idle. *)
- Definition is_work_conserving_at sched t :=
- (exists j, arrives_in arr_seq j /\ job_ready sched j t) ->
- exists j, sched t = Some j.
-
- (** First, we prove some useful properties about the most fundamental
- operation of the work-conservation transformation: swapping two processor
- states [t1] and [fsc], with [fsc] being a valid swap candidate of [t1]. *)
- Section JobsMustBeReadyFindSwapCandidate.
-
- (** Consider an ideal uniprocessor schedule... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ...in which jobs must be ready to execute. *)
- Hypothesis H_jobs_must_be_ready: jobs_must_be_ready_to_execute sched.
-
- (** Consider an arbitrary time instant [t1]. *)
- Variable t1: instant.
-
- (** Let us define [fsc] as the result of the search for a swap candidate
- starting from [t1]... *)
- Let fsc := find_swap_candidate arr_seq sched t1.
-
- (** ...and [sched'] as the schedule resulting from the swap. *)
- Let sched' := swapped sched t1 fsc.
-
- (** First, we show that, in any case, the result of the search will yield an
- instant that is in the future (or, in case of failure, equal to [t1]). *)
- Lemma swap_candidate_is_in_future:
- t1 <= fsc.
- Proof.
- rewrite /fsc /find_swap_candidate.
- destruct search_arg as [n|] eqn:search_result; last by done.
- apply search_arg_in_range in search_result.
- by move:search_result => /andP [LEQ LMAX].
- Qed.
-
- (** Also, we show that the search will not yield jobs that arrive later than the
- given reference time. *)
- Lemma fsc_respects_has_arrived:
- forall j t,
- sched (find_swap_candidate arr_seq sched t) == Some j ->
- has_arrived j t.
- Proof.
- move=> j t.
- rewrite /find_swap_candidate.
- destruct search_arg eqn:RES; last first.
- { rewrite -scheduled_in_def => sched_j.
- apply: (ready_implies_arrived sched).
- exact: job_scheduled_implies_ready. }
- { move=> /eqP SCHED_J.
- move: RES => /search_arg_pred.
- rewrite SCHED_J //. }
- Qed.
-
- (** Next, we extend the previous lemma by stating that no job in the transformed
- schedule is scheduled before its arrival. *)
- Lemma swap_jobs_must_arrive_to_execute:
- jobs_must_arrive_to_execute sched'.
- Proof.
- move=> j t SCHED_AT.
- move: (swap_job_scheduled_cases _ _ _ _ _ SCHED_AT)=> [OTHER |[AT_T1 | AT_T2]].
- { apply: (ready_implies_arrived sched).
- by apply: job_scheduled_implies_ready; rewrite // -OTHER. }
- { set t2 := find_swap_candidate arr_seq sched t1 in AT_T1.
- move: AT_T1 => [EQ_T1 SCHED_AT'].
- apply fsc_respects_has_arrived.
- move: SCHED_AT.
- rewrite EQ_T1 /SCHED_AT' /sched' -/t2.
- rewrite EQ_T1 in SCHED_AT'.
- rewrite SCHED_AT' /scheduled_at.
- by rewrite scheduled_in_def. }
- set t2 := find_swap_candidate arr_seq sched t1 in AT_T2.
- move: AT_T2 => [EQ_T2 SCHED_AT'].
- have ORDER: t1<=t2 by apply swap_candidate_is_in_future.
- have READY: job_ready sched j t1.
- { by apply: job_scheduled_implies_ready; rewrite // -SCHED_AT'. }
- rewrite /job_ready /basic_ready_instance /pending /completed_by in READY.
- move: READY => /andP [ARR _].
- rewrite EQ_T2.
- exact: (leq_trans ARR).
- Qed.
-
- (** Finally we show that, in the transformed schedule, jobs are scheduled
- only if they are ready. *)
- Lemma fsc_jobs_must_be_ready_to_execute:
- jobs_must_be_ready_to_execute sched'.
- Proof.
- move=> j t SCHED_AT.
- rewrite /sched'.
- set t2 := find_swap_candidate arr_seq sched t1.
- rewrite /job_ready /basic_ready_instance /pending.
- apply /andP; split; first by apply swap_jobs_must_arrive_to_execute.
- rewrite /completed_by; rewrite -ltnNge.
- apply swapped_completed_jobs_dont_execute => //.
- - by apply swap_candidate_is_in_future.
- - by apply ideal_proc_model_provides_unit_service.
- - by apply ideal_proc_model_ensures_ideal_progress.
- - by eapply completed_jobs_are_not_ready.
- Qed.
-
- End JobsMustBeReadyFindSwapCandidate.
-
- (** In the following section, we put our attention on the point-wise
- transformation performed at each point in time prior to the horizon. *)
- Section MakeWCAtFacts.
-
- (** Consider an ideal uniprocessor schedule... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ...and take an arbitrary point in time... *)
- Variable t: instant.
-
- (** ...we define [sched'] as the resulting schedule after one point-wise transformation. *)
- Let sched' := make_wc_at arr_seq sched t.
-
- (** We start by proving that the point-wise transformation can only lead
- to higher service for a job at a given time. This is true because we
- swap only idle processor states with ones in which a job is scheduled. *)
- Lemma mwa_service_bound:
- forall j t, service sched j t <= service sched' j t.
- Proof.
- intros j t'.
- rewrite /sched' /make_wc_at.
- destruct (sched t) eqn:PSTATE => //.
- set t2:= (find_swap_candidate arr_seq sched t).
- move: (swap_candidate_is_in_future sched t) => ORDER.
- destruct (leqP t' t) as [BOUND1|BOUND1];
- first by rewrite (service_before_swap_invariant _ t t2) => //.
- destruct (ltnP t2 t') as [BOUND2 | BOUND2];
- first by rewrite (service_after_swap_invariant _ t t2) => //.
- destruct (scheduled_at sched j t) eqn:SCHED_AT_T1;
- first by move:SCHED_AT_T1; rewrite scheduled_at_def PSTATE => /eqP.
- move: SCHED_AT_T1 => /negbT NOT_AT_t1.
- destruct (scheduled_at sched j t2) eqn:SCHED_AT_T2;
- last by move: SCHED_AT_T2 => /negbT NOT_AT_t2; rewrite (service_of_others_invariant _ t t2).
- rewrite /swapped /service -service_at_other_times_invariant; last by left.
- rewrite service_in_replaced; last by apply /andP; split => //.
- rewrite (not_scheduled_implies_no_service _ _ _ NOT_AT_t1) subn0.
- by apply leq_addr.
- Qed.
-
- (** Next, we show that any ready job in the transformed schedule must be ready also in
- the original one, since the transformation can only lead to higher service. *)
- Lemma mwa_ready_job_also_ready_in_original_schedule:
- forall j t, job_ready sched' j t -> job_ready sched j t.
- Proof.
- intros j t'.
- rewrite /job_ready /basic_ready_instance /pending.
- move=> /andP [ARR COMP_BY].
- rewrite ARR Bool.andb_true_l //.
- move: COMP_BY; apply contra.
- rewrite /completed_by.
- have LEQ: (service sched j t') <= (service sched' j t') by apply mwa_service_bound.
- move=> LEQ'; move:LEQ; move: LEQ'.
- by apply leq_trans.
- Qed.
-
- (** Since the search for a swap candidate is performed until the latest deadline
- among all the jobs arrived before the reference time, we need to show that the computed
- deadline is indeed the latest. *)
- Lemma max_dl_is_greatest_dl:
- forall j t,
- arrives_in arr_seq j ->
- job_arrival j <= t ->
- job_deadline j <= max_deadline_for_jobs_arrived_before arr_seq t.
- Proof.
- move=> j t' ARR_IN ARR.
- rewrite /max_deadline_for_jobs_arrived_before.
- apply in_max0_le; apply map_f.
- rewrite /arrivals_up_to.
- apply arrived_between_implies_in_arrivals;
- by move:H_arr_seq_valid => [CONS UNIQ].
- Qed.
-
- (** Next, we want to show that, if a job arriving from the arrival
- sequence is ready at some instant, then the point-wise transformation
- is guaranteed to find a job to swap with. We will proceed by doing a case
- analysis, and show that it is impossible that a swap candidate is not found. *)
- Section MakeWCAtFindsReadyJobs.
-
- (** We need to assume that, in the original schedule, all the deadlines of
- the jobs coming from the arrival sequence are met, in order to be sure that
- a ready job will be eventually scheduled. *)
- Hypothesis H_all_deadlines_of_arrivals_met: all_deadlines_of_arrivals_met arr_seq sched.
-
- (** We define [max_dl] as the maximum deadline for all jobs arrived before [t]. *)
- Let max_dl := max_deadline_for_jobs_arrived_before arr_seq t.
-
- (** Next, we define [search_result] as the result of the search for a swap candidate.
- In order to take the first result, it is sufficient to define the ordering function
- as a constant false. *)
- Definition order (_ _ : nat) := false.
- Definition search_result := search_arg sched (relevant_pstate t) order t max_dl.
-
- (** First, we consider the case in which the procedure finds a job to swap with. *)
- Section MakeWCAtFindsReadyJobs_CaseResultFound.
-
- (** Assuming that the processor is idle at time t... *)
- Hypothesis H_sched_t_idle: is_idle sched t.
-
- (** ...let [t_swap] be a time instant found by the search procedure. *)
- Variable t_swap: instant.
- Hypothesis search_result_found: search_result = Some t_swap.
-
- (** We show that, since the search only yields relevant processor states, a job is found. *)
- Lemma make_wc_at_case_result_found:
- exists j: Job,
- swapped sched t t_swap t = Some j.
- Proof.
- apply search_arg_pred in search_result_found.
- move:search_result_found; rewrite /relevant_pstate.
- destruct (sched t_swap) as [j_swap|] eqn:SCHED; last by done.
- move=>ARR. rewrite /swapped /replace_at.
- destruct (t_swap == t) eqn:SAME_SWAP.
- + move:SAME_SWAP => /eqP SAME_SWAP; subst t_swap.
- move:H_sched_t_idle => /eqP SCHED_NONE.
- by rewrite SCHED_NONE in SCHED; discriminate.
- + exists j_swap.
- by rewrite eq_refl; apply SCHED.
- Qed.
-
- End MakeWCAtFindsReadyJobs_CaseResultFound.
-
- (** Conversely, we prove that assuming that the search yields no
- result brings to a contradiction. *)
- Section MakeWCAtFindsReadyJobs_CaseResultNone.
-
- (** Consider a job that arrives in the arrival sequence, and assume that
- it is ready at time [t] in the transformed schedule. *)
- Variable j: Job.
- Hypothesis H_arrives_in: arrives_in arr_seq j.
- Hypothesis H_job_ready_sched': job_ready sched' j t.
-
- (** Moreover, assume the search for a swap candidate yields nothing. *)
- Hypothesis H_search_result_none: search_result = None.
-
- (** First, note that, since nothing was found, it means there is no relevant
- processor state between [t] and [max_dl]. *)
- Lemma no_relevant_state_in_range:
- forall t',
- t <= t' < max_dl ->
- ~~ (relevant_pstate t) (sched t').
- Proof.
- by apply (search_arg_none _ _ (fun _ _ => false)).
- Qed.
-
- (** Since [j] is ready at time [t], then it must be incomplete. *)
- Lemma service_of_j_is_less_than_cost: service sched j t < job_cost j.
- Proof.
- have READY_ORIG: job_ready sched j t
- by apply (mwa_ready_job_also_ready_in_original_schedule _ _); apply H_job_ready_sched'.
- rewrite /job_ready /basic_ready_instance /pending.
- move:READY_ORIG => /andP [ARR_ NOT_COMPL_ORIG].
- rewrite /completed_by in NOT_COMPL_ORIG.
- by rewrite leqNgt; apply NOT_COMPL_ORIG.
- Qed.
-
- (** And since [j] is incomplete and meets its deadline, the deadline of [j]
- is in the future. *)
- Lemma t_is_less_than_deadline_of_j: t <= job_deadline j.
- Proof.
- move: (H_all_deadlines_of_arrivals_met j H_arrives_in)=> MEETS_DL_j.
- move_neq_up LEQ_t1.
- unfold job_meets_deadline, completed_by in MEETS_DL_j; move_neq_down MEETS_DL_j.
- eapply leq_ltn_trans; last apply service_of_j_is_less_than_cost.
- by apply service_monotonic, ltnW.
- Qed.
-
- (** On the other hand, since we know that there is no relevant state between [t] and [max_dl],
- then it must be the case that [j] is never scheduled in this period, and hence gets no
- service. *)
- Lemma equal_service_t_max_dl: service sched j t = service sched j max_dl.
- Proof.
- move:(H_job_ready_sched') => /andP [ARR NOT_COMPL_sched'].
- rewrite -(service_cat sched j t max_dl);
- last by apply (leq_trans t_is_less_than_deadline_of_j), max_dl_is_greatest_dl.
- have ZERO_SERVICE: service_during sched j t max_dl = 0.
- { apply not_scheduled_during_implies_zero_service.
- apply ideal_proc_model_ensures_ideal_progress.
- move=> t_at RANGE.
- move:(no_relevant_state_in_range t_at RANGE) => NOT_REL.
- rewrite scheduled_at_def.
- apply/negP; move => /eqP EQ.
- by move: NOT_REL => /negP T; apply: T; rewrite EQ.
- }
- by rewrite ZERO_SERVICE; rewrite addn0.
- Qed.
-
- (** Combining the previous lemmas, we can deduce that [j] misses its deadline. *)
- Lemma j_misses_deadline: service sched j (job_deadline j) < job_cost j.
- Proof.
- move:(H_job_ready_sched') => /andP [ARR NOT_COMPL_sched'].
- have J_LESS := service_of_j_is_less_than_cost.
- rewrite equal_service_t_max_dl in J_LESS.
- specialize (H_all_deadlines_of_arrivals_met j H_arrives_in).
- unfold job_meets_deadline, completed_by in H_all_deadlines_of_arrivals_met.
- eapply leq_ltn_trans.
- - by apply service_monotonic, (max_dl_is_greatest_dl _ _ H_arrives_in ARR).
- - by apply J_LESS.
- Qed.
-
- (** The fact that [j] misses its deadline contradicts the fact that all deadlines
- of jobs coming from the arrival sequence are met. We have a contradiction. *)
- Lemma make_wc_at_case_result_none: False.
- Proof.
- move: (H_all_deadlines_of_arrivals_met j H_arrives_in) => NEQ.
- unfold job_meets_deadline, completed_by in NEQ.
- move_neq_down NEQ.
- by apply j_misses_deadline.
- Qed.
-
- End MakeWCAtFindsReadyJobs_CaseResultNone.
-
- (** Next, we show that [make_wc_at] always manages to establish the work-conservation property
- at the given time. Using the above case analysis, we can conclude that the presence of a
- ready job always leads to a valid swap. *)
- Lemma mwa_finds_ready_jobs:
- all_deadlines_of_arrivals_met arr_seq sched ->
- is_work_conserving_at sched' t.
- Proof.
- move=> ALL_DL_MET P_PREFIX.
- destruct (sched t) as [j'|] eqn:SCHED_WC_t;
- first by rewrite /sched' /make_wc_at SCHED_WC_t; exists j'.
- move: P_PREFIX => [j [ARR_IN READY]].
- rewrite /sched' /make_wc_at.
- rewrite SCHED_WC_t /find_swap_candidate.
- destruct search_arg as [t_swap| ] eqn:SEARCH_RES.
- - by apply make_wc_at_case_result_found; move:SCHED_WC_t => /eqP.
- - by exfalso; apply (make_wc_at_case_result_none j); eauto.
- Qed.
-
- End MakeWCAtFindsReadyJobs.
-
- (** Next we prove that, given a schedule that respects the work-conservation property until [t-1],
- applying the point-wise transformation at time [t] will extend the property until [t]. *)
- Lemma mwa_establishes_wc:
- all_deadlines_of_arrivals_met arr_seq sched ->
- (forall t_l, t_l < t -> is_work_conserving_at sched t_l) ->
- forall t_l, t_l <= t -> is_work_conserving_at sched' t_l.
- Proof.
- move=> PROP P_PREFIX t' T_MIN [j [ARR_IN READY]].
- set fsc := find_swap_candidate arr_seq sched t.
- have LEQ_fsc: t <= fsc by apply swap_candidate_is_in_future.
- destruct (ltnP t' t) as [tLT | tGE].
- { have SAME: sched' t' = sched t'.
- { rewrite /sched' /make_wc_at.
- destruct (sched t); first by done.
- by rewrite (swap_before_invariant sched t fsc) //. }
- rewrite SAME.
- apply P_PREFIX; eauto.
- exists j; split; auto.
- by eapply mwa_ready_job_also_ready_in_original_schedule, READY.
- }
- { have EQ: t' = t.
- { by apply /eqP; rewrite eqn_leq; apply /andP; split. }
- subst t'; clear T_MIN tGE.
- apply mwa_finds_ready_jobs => //.
- by exists j; split; eauto.
- }
- Qed.
-
- (** We now show that the point-wise transformation does not introduce any new job
- that does not come from the arrival sequence. *)
- Lemma mwa_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched arr_seq ->
- jobs_come_from_arrival_sequence sched' arr_seq.
- Proof.
- rewrite /sched' /make_wc_at.
- destruct (sched t) as [j_orig|] eqn:SCHED_orig; first by done.
- by apply swapped_jobs_come_from_arrival_sequence.
- Qed.
-
- (** We also show that the point-wise transformation does not schedule jobs in instants
- in which they are not ready. *)
- Lemma mwa_jobs_must_be_ready_to_execute:
- jobs_must_be_ready_to_execute sched ->
- jobs_must_be_ready_to_execute sched'.
- Proof.
- move=> READY.
- rewrite /sched' /make_wc_at.
- destruct (sched t) as [j_orig|] eqn:SCHED_orig; first by done.
- by apply fsc_jobs_must_be_ready_to_execute.
- Qed.
-
- (** Finally, we show that the point-wise transformation does not introduce deadline misses. *)
- Lemma mwa_all_deadlines_of_arrivals_met:
- all_deadlines_of_arrivals_met arr_seq sched ->
- all_deadlines_of_arrivals_met arr_seq sched'.
- Proof.
- move=> ALL j ARR.
- specialize (ALL j ARR).
- unfold job_meets_deadline, completed_by in *.
- by apply (leq_trans ALL (mwa_service_bound _ _)).
- Qed.
-
- End MakeWCAtFacts.
-
- (** In the following section, we proceed by proving some useful properties respected by
- the partial schedule obtained by applying the work-conservation transformation up to
- an arbitrary horizon. *)
- Section PrefixFacts.
-
- (** Consider an ideal uniprocessor schedule. *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** We start by proving that the transformation performed with two different horizons
- will yield two schedules that are identical until the earlier horizon. *)
- Section PrefixInclusion.
-
- (** Consider two horizons... *)
- Variable h1 h2: instant.
-
- (** ...and assume w.l.o.g. that they are ordered... *)
- Hypothesis H_horizon_order: h1 <= h2.
-
- (** ...we define two schedules, resulting from the transformation
- performed, respectively, until the first and the second horizon. *)
- Let sched1 := wc_transform_prefix arr_seq sched h1.
- Let sched2 := wc_transform_prefix arr_seq sched h2.
-
- (** Then, we show that the two schedules are guaranteed to be equal until the
- earlier horizon. *)
- Lemma wc_transform_prefix_inclusion:
- forall t, t < h1 -> sched1 t = sched2 t.
- Proof.
- move=> t before_horizon.
- rewrite /sched1 /sched2.
- induction h2; first by move: (leq_trans before_horizon H_horizon_order).
- move: H_horizon_order. rewrite leq_eqVlt => /orP [/eqP ->|LT]; first by done.
- move: LT. rewrite ltnS => H_horizon_order_lt.
- rewrite [RHS]/wc_transform_prefix /prefix_map -/prefix_map IHi //.
- rewrite {1}/make_wc_at.
- destruct (prefix_map sched (make_wc_at arr_seq) i i) as [j|] eqn:SCHED; first by done.
- rewrite -(swap_before_invariant _ i (find_swap_candidate arr_seq (wc_transform_prefix arr_seq sched i) i));
- last by apply leq_trans with (n := h1).
- rewrite //.
- apply swap_candidate_is_in_future.
- Qed.
-
- End PrefixInclusion.
-
- (** Next, we show that repeating the point-wise transformation up to a given horizon
- does not introduce any deadline miss. *)
- Section JobsMeetDeadlinePrefix.
-
- (** Assuming that all deadlines of jobs coming from the arrival sequence are met... *)
- Hypothesis H_all_deadlines_of_arrivals_met: all_deadlines_of_arrivals_met arr_seq sched.
-
- (** ...let us define [sched'] as the schedule resulting from the
- full work-conservation transformation. Note that, if the schedule is sampled at time
- [t], the transformation is performed until [t+1]. *)
- Let sched' := wc_transform arr_seq sched.
-
- (** Consider a job from the arrival sequence. *)
- Variable j: Job.
- Hypothesis H_arrives_in: arrives_in arr_seq j.
-
- (** We show that, in the transformed schedule, the service of the job
- is always greater or equal than in the original one, at any given time. *)
- Lemma wc_prefix_service_bound:
- forall t, service sched j t <= service sched' j t.
- Proof.
- move=> t.
- rewrite /sched' /wc_transform.
- set serv := service (fun t0 : instant => wc_transform_prefix arr_seq sched t0.+1 t0) j t.
- set servp := service (wc_transform_prefix arr_seq sched t.+1) j t.
- have ->: serv = servp.
- { rewrite /serv /servp /service /service_during.
- apply eq_big_nat => t' /andP [_ LT_t].
- rewrite /service_at.
- rewrite (wc_transform_prefix_inclusion t'.+1 t.+1)=> //.
- by auto. }
- rewrite /servp /wc_transform_prefix.
- clear serv servp.
- apply prefix_map_property_invariance; last by done.
- intros. apply leq_trans with (service sched0 j t)=> //.
- by intros; apply mwa_service_bound.
- Qed.
-
- (** Finally, it follows directly that the transformed schedule cannot introduce
- a deadline miss for any job from the arrival sequence. *)
- Lemma wc_prefix_job_meets_deadline:
- job_meets_deadline sched' j.
- Proof.
- rewrite /job_meets_deadline /completed_by /sched'.
- apply leq_trans with (service sched j (job_deadline j));
- last by apply wc_prefix_service_bound.
- by apply H_all_deadlines_of_arrivals_met.
- Qed.
-
- End JobsMeetDeadlinePrefix.
-
- (** Next, consider a given time, used as horizon for the transformation... *)
- Variable h: instant.
-
- (** ...and let us call [sched'] the schedule resulting from the transformation
- performed until [h]. *)
- Let sched' := wc_transform_prefix arr_seq sched h.
-
- (** We prove that [sched'] will never introduce jobs not coming from the
- arrival sequence. *)
- Lemma wc_prefix_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched arr_seq ->
- jobs_come_from_arrival_sequence sched' arr_seq.
- Proof.
- move=> FROM_ARR.
- rewrite /sched' /wc_transform_prefix.
- apply prefix_map_property_invariance; last by done.
- move => schedX t ARR.
- by apply mwa_jobs_come_from_arrival_sequence.
- Qed.
-
- (** Similarly, we can show that [sched'] will only schedule jobs if they are
- ready. *)
- Lemma wc_prefix_jobs_must_be_ready_to_execute:
- jobs_must_be_ready_to_execute sched ->
- jobs_must_be_ready_to_execute sched'.
- Proof.
- move=> READY.
- rewrite /sched' /wc_transform_prefix.
- apply prefix_map_property_invariance; last by done.
- move=> schedX t ARR.
- by apply mwa_jobs_must_be_ready_to_execute.
- Qed.
-
- End PrefixFacts.
-
-End AuxiliaryLemmasWorkConservingTransformation.
-
-(** Finally, we can leverage all the previous results to prove statements about the full
- work-conservation transformation. *)
-Section WorkConservingTransformation.
-
- (** We assume the basic (i.e., Liu & Layland)
- readiness model under which any pending job is ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** Consider any type of jobs with arrival times, costs, and deadlines... *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobDeadline Job}.
-
- (** ...an arbitrary valid arrival sequence... *)
- Variable arr_seq: arrival_sequence Job.
- Hypothesis H_arr_seq_valid: valid_arrival_sequence arr_seq.
-
- (** ...and an ideal uniprocessor schedule... *)
- Variable sched: schedule (ideal.processor_state Job).
-
- (** ...in which jobs come from the arrival sequence, and must be ready to execute... *)
- Hypothesis H_sched_valid: valid_schedule sched arr_seq.
-
- (** ...and in which no job misses a deadline. *)
- Hypothesis H_all_deadlines_of_arrivals_met: all_deadlines_of_arrivals_met arr_seq sched.
-
- (** Let us call [sched_wc] the schedule obtained after applying the work-conservation transformation. *)
- Let sched_wc := wc_transform arr_seq sched.
-
- (** First, we show that any scheduled job still comes from the arrival sequence. *)
- Lemma wc_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched_wc arr_seq.
- Proof.
- move=> j t.
- rewrite /scheduled_at -/(scheduled_at _ j t).
- eapply (wc_prefix_jobs_come_from_arrival_sequence arr_seq sched t.+1); rt_eauto.
- Qed.
-
- (** Similarly, jobs are only scheduled if they are ready. *)
- Lemma wc_jobs_must_be_ready_to_execute:
- jobs_must_be_ready_to_execute sched_wc.
- Proof.
- move=> j t.
- rewrite /scheduled_at /sched_wc /wc_transform -/(scheduled_at _ j t) => SCHED_AT.
- have READY': job_ready (wc_transform_prefix arr_seq sched t.+1) j t
- by apply wc_prefix_jobs_must_be_ready_to_execute => //; rt_eauto.
- move: READY'.
- rewrite /job_ready /basic.basic_ready_instance
- /pending /completed_by /service.
- rewrite (equal_prefix_implies_same_service_during sched_wc (wc_transform_prefix arr_seq sched t.+1)) //.
- move=> t' /andP [_ BOUND_t'].
- rewrite /sched_wc /wc_transform.
- by apply wc_transform_prefix_inclusion => //; rewrite ltnS; apply ltnW.
- Qed.
-
- (** Also, no deadline misses are introduced. *)
- Lemma wc_all_deadlines_of_arrivals_met:
- all_deadlines_of_arrivals_met arr_seq sched_wc.
- Proof.
- move=> j ARR_IN.
- rewrite /sched_wc /wc_transform_prefix.
- by apply wc_prefix_job_meets_deadline.
- Qed.
-
- (** Finally, we can show that the transformation leads to a schedule in which
- the processor is not idle if a job is ready. *)
- Lemma wc_is_work_conserving_at:
- forall j t,
- job_ready sched_wc j t ->
- arrives_in arr_seq j ->
- exists j', sched_wc t = Some j'.
- Proof.
- move=> j t READY ARR_IN.
- rewrite /sched_wc /wc_transform /wc_transform_prefix.
- apply (prefix_map_pointwise_property (all_deadlines_of_arrivals_met arr_seq)
- (is_work_conserving_at arr_seq)
- (make_wc_at arr_seq)); rewrite //.
- { by apply mwa_all_deadlines_of_arrivals_met. }
- { by intros; apply mwa_establishes_wc. }
- { exists j.
- split; first by apply ARR_IN.
- have EQ: job_ready sched_wc j t = job_ready (prefix_map sched (make_wc_at arr_seq) (succn t)) j t.
- {
- rewrite /sched_wc /wc_transform /job_ready
- /basic_ready_instance /pending /completed_by
- /service /service_during /service_at /wc_transform_prefix.
- destruct has_arrived; last by rewrite Bool.andb_false_l.
- have EQ_SUM: \sum_(0 <= t0 < t) service_in j (prefix_map sched (make_wc_at arr_seq) (succn t0) t0)
- = \sum_(0 <= t0 < t) service_in j (prefix_map sched (make_wc_at arr_seq) (succn t) t0).
- { apply eq_big_nat => t' /andP [_ LT_t].
- rewrite -/(wc_transform_prefix arr_seq sched _ _).
- rewrite -/(wc_transform_prefix arr_seq sched _ _).
- rewrite (wc_transform_prefix_inclusion arr_seq sched t'.+1 t.+1)=> //.
- by auto. }
- by rewrite EQ_SUM. }
- move: READY. by rewrite EQ. }
- Qed.
-
- (** We can easily extend the previous lemma to obtain the definition
- of a work-conserving schedule. *)
- Lemma wc_is_work_conserving:
- work_conserving arr_seq sched_wc.
- Proof.
- move=> j t ARR_IN.
- rewrite /backlogged => /andP [READY _].
- move: (wc_is_work_conserving_at j t READY ARR_IN) => [j' SCHED_wc].
- by exists j'; rewrite scheduled_at_def; apply /eqP.
- Qed.
-
- (** Ultimately, we can show that the work-conservation transformation maintains
- all the properties of validity, does not introduce new deadline misses, and
- establishes the work-conservation property. *)
- Theorem wc_transform_correctness:
- valid_schedule sched_wc arr_seq /\
- all_deadlines_of_arrivals_met arr_seq sched_wc /\
- work_conserving arr_seq sched_wc.
- Proof.
- repeat split.
- - apply wc_jobs_come_from_arrival_sequence.
- - apply wc_jobs_must_be_ready_to_execute.
- - apply wc_all_deadlines_of_arrivals_met.
- - apply wc_is_work_conserving.
- Qed.
-
-End WorkConservingTransformation.
diff --git a/analysis/transform/edf_trans.v b/analysis/transform/edf_trans.v
deleted file mode 100644
index cdd681c2b3e038e50a5cdc06bb7ded2dc5413926..0000000000000000000000000000000000000000
--- a/analysis/transform/edf_trans.v
+++ /dev/null
@@ -1,69 +0,0 @@
-Require Export prosa.analysis.transform.prefix.
-Require Export prosa.analysis.transform.swap.
-Require Export prosa.analysis.facts.model.ideal.schedule.
-
-(** In this file we define the EDF transformation of a schedule, which turns a
- (finite prefix of a) schedule into an EDF schedule. This operation is at
- the core of the EDF optimality proof. *)
-
-Section EDFTransformation.
- (** Consider any given type of jobs... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ... and ideal uni-processor schedules. *)
- Let PState := ideal.processor_state Job.
- Let SchedType := schedule (PState).
-
- (** We say that a state [s1] "has an earlier or equal deadline" than a state
- [s2] if the job scheduled in state [s1] has has an earlier or equal
- deadline than the job scheduled in state [s2]. This function is never
- used on idle states, so the default values are irrelevant. *)
- Definition earlier_deadline (s1 s2: PState) :=
- (oapp job_deadline 0 s1) <= (oapp job_deadline 0 s2).
-
- (** We say that a state is relevant (for the purpose of the transformation)
- if it is not idle and if the job scheduled in it has arrived prior to
- some given reference time. *)
- Definition relevant_pstate (reference_time: instant) (s: PState) :=
- match s with
- | None => false
- | Some j' => job_arrival j' <= reference_time
- end.
-
- (** Next, we define a central element of the EDF transformation procedure:
- given a job scheduled at a time [t1], find a later time [t2] before the
- job's deadline at which a job with an earlier-or-equal deadline is
- scheduled. In other words, find a job that causes the [EDF_at] property
- to be violated at time [t1]. *)
- Definition find_swap_candidate (sched: SchedType) (t1: instant) (j: Job) :=
- if search_arg sched (relevant_pstate t1) earlier_deadline t1 (job_deadline j) is Some t
- then t
- else 0.
-
- (** The point-wise EDF transformation procedure: given a schedule and a time
- [t1], ensure that the schedule satisfies [EDF_at] at time [t1]. *)
- Definition make_edf_at (sched: SchedType) (t1: instant): SchedType :=
- match sched t1 with
- | None => sched (* leave idle instants alone *)
- | Some j =>
- let
- t2 := find_swap_candidate sched t1 j
- in swapped sched t1 t2
- end.
-
- (** To transform a finite prefix of a given reference schedule, apply
- [make_edf_at] to every point up to the given finite horizon. *)
- Definition edf_transform_prefix (sched: SchedType) (horizon: instant): SchedType :=
- prefix_map sched make_edf_at horizon.
-
- (** Finally, a full EDF schedule (i.e., one that satisfies [EDF_at] at any
- time) is obtained by first computing an EDF prefix up to and including
- the requested time [t], and by then looking at the last point of the
- prefix. *)
- Definition edf_transform (sched: SchedType) (t: instant): ideal.processor_state Job :=
- let
- edf_prefix := edf_transform_prefix sched t.+1
- in edf_prefix t.
-
-End EDFTransformation.
-
diff --git a/analysis/transform/prefix.v b/analysis/transform/prefix.v
deleted file mode 100644
index 82f976f515bbd90decf13968ee8885672ac907e4..0000000000000000000000000000000000000000
--- a/analysis/transform/prefix.v
+++ /dev/null
@@ -1,104 +0,0 @@
-From mathcomp Require Import ssrnat ssrbool fintype.
-Require Export prosa.analysis.facts.behavior.all.
-
-(** This file provides an operation that transforms a finite prefix of
- a given schedule by applying a point-wise transformation to each
- instant up to a given horizon. *)
-
-Section SchedulePrefixMap.
-
- (** For any type of jobs and... *)
- Context {Job : JobType}.
-
- (** ... any given type of processor states ... *)
- Context {PState: ProcessorState Job}.
-
- (** ... we define a procedure that applies a given function to every
- point in a given finite prefix of the schedule.
-
- The point-wise transformation f is given a schedule and the point
- to transform, and must yield a transformed schedule that is used
- in subsequent operations. *)
- Fixpoint prefix_map
- (sched: schedule PState)
- (f: schedule PState -> instant -> schedule PState)
- (horizon: instant) :=
- match horizon with
- | 0 => sched
- | S t =>
- let
- prefix := prefix_map sched f t
- in f prefix t
- end.
-
-
- (** We provide a utility lemma that establishes that, if the
- point-wise transformation maintains a given property of the
- original schedule, then the prefix_map does so as well. *)
- Section PropertyPreservation.
-
- (** Given any property of schedules... *)
- Variable P: schedule PState -> Prop.
-
- (** ...and a point-wise transformation [f],... *)
- Variable f: schedule PState -> instant -> schedule PState.
-
- (** ...if [f] maintains property [P],... *)
- Hypothesis H_f_maintains_P: forall sched t, P sched -> P (f sched t).
-
- (** ...then so does a prefix map of [f]. *)
- Lemma prefix_map_property_invariance:
- forall sched h, P sched -> P (prefix_map sched f h).
- Proof.
- move=> sched h P_sched.
- induction h; first by rewrite /prefix_map.
- rewrite /prefix_map -/prefix_map.
- by apply: H_f_maintains_P.
- Qed.
-
- End PropertyPreservation.
-
- (** Next, we consider the case where the point-wise transformation
- establishes a new property step-by-step. *)
- Section PointwiseProperty.
-
- (** Given any property of schedules [P],... *)
- Variable P: schedule PState -> Prop.
-
- (** ...any point-wise property [Q],... *)
- Variable Q: schedule PState -> instant -> Prop.
-
- (** ...and a point-wise transformation [f],... *)
- Variable f: schedule PState -> instant -> schedule PState.
-
- (** ...if [f] maintains [P]... *)
- Hypothesis H_f_maintains_P:
- forall sched t_ref,
- P sched -> P (f sched t_ref).
-
- (** ...and establishes [Q] (provided that [P] holds)... *)
- Hypothesis H_f_grows_Q:
- forall sched t_ref,
- P sched ->
- (forall t', t' < t_ref -> Q sched t') ->
- forall t', t' <= t_ref -> Q (f sched t_ref) t'.
-
- (** ...then the prefix-map operation will "grow" [Q] up to the horizon. *)
- Lemma prefix_map_pointwise_property:
- forall sched horizon,
- P sched ->
- forall t,
- t < horizon ->
- Q (prefix_map sched f horizon) t.
- Proof.
- move=> sched h P_holds.
- induction h as [|h Q_holds_before_h]; first by rewrite /prefix_map.
- rewrite /prefix_map -/prefix_map => t.
- rewrite ltnS => LE_t_h.
- apply H_f_grows_Q => //.
- by apply prefix_map_property_invariance.
- Qed.
-
- End PointwiseProperty.
-
-End SchedulePrefixMap.
diff --git a/analysis/transform/swap.v b/analysis/transform/swap.v
deleted file mode 100644
index 8c6dd170487ef6a0e1a8d4353ec91ea2e2a4f929..0000000000000000000000000000000000000000
--- a/analysis/transform/swap.v
+++ /dev/null
@@ -1,52 +0,0 @@
-Require Export prosa.behavior.all.
-
-(** This file defines simple allocation substitutions and a swapping operation
- as used for instance in the classic EDF optimality proof. *)
-
-(** We begin by defining the notion of a schedule with a "tweaked" (i.e.,
- overridden) allocation. *)
-Section ReplaceAt.
- (** For any given type of jobs... *)
- Context {Job : JobType}.
- (** ... any given type of processor states, ... *)
- Context {PState: ProcessorState Job}.
-
- (** ...consider any given reference schedule. *)
- Variable original_sched: schedule PState.
-
- (** Suppose we are given a specific time [t'] ... *)
- Variable t': instant.
-
- (** ...and a replacement state [new_state]. *)
- Variable new_state: PState.
-
- (** Then the schedule with replacement is simply one that returns the given
- [new_state] at [t'], and the original allocation at all other times. *)
- Definition replace_at : schedule PState :=
- fun t => if t' == t then new_state else (original_sched t).
-
-End ReplaceAt.
-
-(** Based on [replace_at], we define the notion of a schedule with swapped
- allocations. *)
-Section Swapped.
- (** For any given type of jobs... *)
- Context {Job : JobType}.
- (** ... any given type of processor states, ... *)
- Context {PState: ProcessorState Job}.
-
- (** ...consider any given reference schedule. *)
- Variable original_sched: schedule PState.
-
- (** Given two specific times [t1] and [t2]... *)
- Variable t1 t2: instant.
-
- (** ...we define the notion of a schedule in which the two allocations at [t1]
- and [t2] have been swapped. *)
- Definition swapped : schedule PState :=
- let s1 := original_sched t1 in
- let s2 := original_sched t2 in
- let replaced_s1 := replace_at original_sched t1 s2 in
- replace_at replaced_s1 t2 s1.
-
-End Swapped.
diff --git a/analysis/transform/wc_trans.v b/analysis/transform/wc_trans.v
deleted file mode 100644
index eab5f8b1de5dc27e3787f32871f65cb707e027d9..0000000000000000000000000000000000000000
--- a/analysis/transform/wc_trans.v
+++ /dev/null
@@ -1,86 +0,0 @@
-Require Export prosa.analysis.transform.swap.
-Require Export prosa.analysis.transform.prefix.
-Require Export prosa.util.search_arg.
-Require Export prosa.util.list.
-Require Export prosa.model.processor.ideal.
-
-(** In this file we define the transformation from any ideal uniprocessor schedule
- into a work-conserving one. The procedure is to patch the idle allocations
- with future job allocations. Note that a job cannot be allocated before
- its arrival, therefore there could still exist idle instants between any two
- job allocations. *)
-Section WCTransformation.
-
- (** We assume ideal uni-processor schedules. *)
- #[local] Existing Instance ideal.processor_state.
-
- (** Consider any type of jobs with arrival times, costs, and deadlines... *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobDeadline Job}.
-
- (** ...an ideal uniprocessor schedule... *)
- Let PState := ideal.processor_state Job.
-
- (** ...and any valid job arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arr_seq_valid : valid_arrival_sequence arr_seq.
-
- (** We say that a state is relevant (for the purpose of the
- transformation) if it is not idle and if the job scheduled in it
- has arrived prior to some given reference time. *)
- Definition relevant_pstate reference_time pstate :=
- match pstate with
- | None => false
- | Some j => job_arrival j <= reference_time
- end.
-
- (** In order to patch an idle allocation, we look in the future for another allocation
- that could be moved there. The limit of the search is the maximum deadline of
- every job arrived before the given moment. *)
- Definition max_deadline_for_jobs_arrived_before arrived_before :=
- let deadlines := map job_deadline (arrivals_up_to arr_seq arrived_before)
- in max0 deadlines.
-
- (** Next, we define a central element of the work-conserving transformation
- procedure: given an idle allocation at [t], find a job allocation in the future
- to swap with. *)
- Definition find_swap_candidate sched t :=
- let order _ _ := false (* always take the first result *)
- in
- let max_dl := max_deadline_for_jobs_arrived_before t
- in
- let search_result := search_arg sched (relevant_pstate t) order t max_dl
- in
- if search_result is Some t_swap
- then t_swap
- else t. (* if nothing is found, swap with yourself *)
-
- (** The point-wise transformation procedure: given a schedule and a
- time [t1], ensure that the schedule is work-conserving at time
- [t1]. *)
- Definition make_wc_at sched t1 : schedule PState :=
- match sched t1 with
- | Some j => sched (* leave working instants alone *)
- | None =>
- let
- t2 := find_swap_candidate sched t1
- in swapped sched t1 t2
- end.
-
- (** To transform a finite prefix of a given reference schedule, apply
- [make_wc_at] to every point up to the given finite horizon. *)
- Definition wc_transform_prefix sched horizon :=
- prefix_map sched make_wc_at horizon.
-
- (** Finally, a fully work-conserving schedule (i.e., one that is
- work-conserving at any time) is obtained by first computing a
- work-conserving prefix up to and including the requested time [t],
- and by then looking at the last point of the prefix. *)
- Definition wc_transform sched t :=
- let
- wc_prefix := wc_transform_prefix sched t.+1
- in wc_prefix t.
-
-End WCTransformation.
diff --git a/behavior/README.md b/behavior/README.md
deleted file mode 100644
index a4c35967620dc4d085fa5358574076e15b6ba3d9..0000000000000000000000000000000000000000
--- a/behavior/README.md
+++ /dev/null
@@ -1,15 +0,0 @@
-# Prosa Behavior Specification
-
-This module defines the **Prosa trace-based semantics**. The following rules/guidelines apply to this module:
-
-- Files in this module must be largely self-contained and may depend only on "helper" definitions in `rt.util`. In particular, nothing in here may depend on concepts in the `model` or `analysis` modules.
-
-- This module is purely a specification of semantics. There are no proofs.
-
-- This behavior specification strives to be (almost) minimal. If a concept doesn't have to be defined here, if it is not required to state the basic trace semantics, then it should be introduced elsewhere.
-
-- The behavior specification is the universally agreed-upon foundation of Prosa. Everyone uses this; there are no alternatives to the basic definitions introduced here.
-
-- If there are multiple competing sets of assumptions in the literature, then that's a sure sign that it should go into the `model` or `analysis` modules.
-
-- Changes here are extremely sensitive precisely because this is the part of the library that *everyone* is going to use, so significant changes here should be discussed early and extensively.
diff --git a/behavior/all.v b/behavior/all.v
deleted file mode 100644
index 56031ef4b066cbfb0df3749fa103a1e58ea1dc39..0000000000000000000000000000000000000000
--- a/behavior/all.v
+++ /dev/null
@@ -1,6 +0,0 @@
-Require Export prosa.behavior.time.
-Require Export prosa.behavior.job.
-Require Export prosa.behavior.arrival_sequence.
-Require Export prosa.behavior.schedule.
-Require Export prosa.behavior.service.
-Require Export prosa.behavior.ready.
diff --git a/behavior/arrival_sequence.v b/behavior/arrival_sequence.v
deleted file mode 100644
index 4e9fde5ada178e8ea2b4dc8fbcc7c5ef17dc80b0..0000000000000000000000000000000000000000
--- a/behavior/arrival_sequence.v
+++ /dev/null
@@ -1,127 +0,0 @@
-From mathcomp Require Export ssreflect seq ssrnat ssrbool bigop eqtype ssrfun.
-Require Export prosa.behavior.job.
-Require Export prosa.util.notation.
-
-(** This module contains basic definitions and properties of job arrival
- sequences. *)
-
-(** * Notion of an Arrival Sequence *)
-
-(** We begin by defining a job arrival sequence. *)
-Section ArrivalSequence.
-
- (** Given any job type with decidable equality, ... *)
- Variable Job: JobType.
-
- (** ..., an arrival sequence is a mapping from any time to a (finite) sequence of jobs. *)
- Definition arrival_sequence := instant -> seq Job.
-
-End ArrivalSequence.
-
-(** * Arrival of a Job *)
-
-(** Next, we define properties of jobs in a given arrival sequence. *)
-Section JobProperties.
-
- (** Consider any job arrival sequence. *)
- Context {Job: JobType}.
- Variable arr_seq: arrival_sequence Job.
-
- (** First, we define the sequence of jobs arriving at time t. *)
- Definition arrivals_at (t : instant) := arr_seq t.
-
- (** Next, we say that job j arrives at a given time t iff it belongs to the
- corresponding sequence. *)
- Definition arrives_at (j : Job) (t : instant) := j \in arrivals_at t.
-
- (** Similarly, we define whether job j arrives at some (unknown) time t, i.e.,
- whether it belongs to the arrival sequence. *)
- Definition arrives_in (j : Job) := exists t, j \in arrivals_at t.
-
-End JobProperties.
-
-(** * Validity of an Arrival Sequence *)
-
-(** Next, we define valid arrival sequences. *)
-Section ValidArrivalSequence.
-
- (** Assume that job arrival times are known. *)
- Context {Job: JobType}.
- Context `{JobArrival Job}.
-
- (** Consider any job arrival sequence. *)
- Variable arr_seq: arrival_sequence Job.
-
- (** We say that arrival times are consistent if any job that arrives in the
- sequence has the corresponding arrival time. *)
- Definition consistent_arrival_times :=
- forall j t,
- arrives_at arr_seq j t -> job_arrival j = t.
-
- (** We say that the arrival sequence is a set iff it doesn't contain duplicate
- jobs at any given time. *)
- Definition arrival_sequence_uniq := forall t, uniq (arrivals_at arr_seq t).
-
- (** We say that the arrival sequence is valid iff it is a set and arrival times
- are consistent *)
- Definition valid_arrival_sequence :=
- consistent_arrival_times /\ arrival_sequence_uniq.
-
-End ValidArrivalSequence.
-
-(** * Arrival Time Predicates *)
-
-(** Next, we define properties of job arrival times. *)
-Section ArrivalTimeProperties.
-
- (** Assume that job arrival times are known. *)
- Context {Job: JobType}.
- Context `{JobArrival Job}.
-
- (** Let j be any job. *)
- Variable j: Job.
-
- (** We say that job j has arrived at time t iff it arrives at some time t_0
- with t_0 <= t. *)
- Definition has_arrived (t : instant) := job_arrival j <= t.
-
- (** Next, we say that job j arrived before t iff it arrives at some time t_0
- with t_0 < t. *)
- Definition arrived_before (t : instant) := job_arrival j < t.
-
- (** Finally, we say that job j arrives between t1 and t2 iff it arrives at
- some time t with t1 <= t < t2. *)
- Definition arrived_between (t1 t2 : instant) := t1 <= job_arrival j < t2.
-
-End ArrivalTimeProperties.
-
-(** * Finite Arrival Sequence Prefixes *)
-
-(** In this section, we define arrival sequence prefixes, which are useful to
- define (computable) properties over sets of jobs in the schedule. *)
-Section ArrivalSequencePrefix.
-
- (** Assume that job arrival times are known. *)
- Context {Job: JobType}.
- Context `{JobArrival Job}.
-
- (** Consider any job arrival sequence. *)
- Variable arr_seq: arrival_sequence Job.
-
- (** By concatenation, we construct the list of jobs that arrived in the
- interval <<[t1, t2)>>. *)
- Definition arrivals_between (t1 t2 : instant) :=
- \cat_(t1 <= t < t2) arrivals_at arr_seq t.
-
- (** Based on that, we define the list of jobs that arrived up to time t, ...*)
- Definition arrivals_up_to (t : instant) := arrivals_between 0 t.+1.
-
- (** ... the list of jobs that arrived strictly before time t, ... *)
- Definition arrivals_before (t : instant) := arrivals_between 0 t.
-
- (** ... and the list of jobs that arrive in the interval <<[t1, t2)>> and
- satisfy a certain predicate [P]. *)
- Definition arrivals_between_P (P : Job -> bool) (t1 t2 : instant) :=
- [seq j <- arrivals_between t1 t2 | P j].
-
-End ArrivalSequencePrefix.
diff --git a/behavior/job.v b/behavior/job.v
deleted file mode 100644
index d008c821976426421f3e4d6a019c9d6a39ea5e85..0000000000000000000000000000000000000000
--- a/behavior/job.v
+++ /dev/null
@@ -1,24 +0,0 @@
-From mathcomp Require Export eqtype ssrnat.
-Require Export prosa.behavior.time.
-
-(** * Notion of a Job Type *)
-
-(** Throughout the library we assume that jobs have decidable equality. *)
-Definition JobType := eqType.
-
-(** * Notion of Work *)
-
-(** We define 'work' to denote the amount of service received or needed. In a
- real system, this corresponds to the number of processor cycles. *)
-Definition work := nat.
-
-(** * Basic Job Parameters — Cost, Arrival Time, and Absolute Deadline *)
-
-(** Definition of a generic type of parameter relating jobs to a discrete cost. *)
-Class JobCost (Job : JobType) := job_cost : Job -> work.
-
-(** Definition of a generic type of parameter relating jobs to an arrival time. *)
-Class JobArrival (Job : JobType) := job_arrival : Job -> instant.
-
-(** Definition of a generic type of parameter relating jobs to an absolute deadline. *)
-Class JobDeadline (Job : JobType) := job_deadline : Job -> instant.
diff --git a/behavior/ready.v b/behavior/ready.v
deleted file mode 100644
index c13bc91436c01a546be7b717651a723aace0b739..0000000000000000000000000000000000000000
--- a/behavior/ready.v
+++ /dev/null
@@ -1,82 +0,0 @@
-From mathcomp Require Export ssreflect ssrnat ssrbool eqtype fintype bigop.
-Require Export prosa.behavior.service.
-
-(** * Readiness of a Job *)
-
-(** We define a general notion of readiness of a job: a job can be
- scheduled only when it is ready, as determined by the predicate
- [job_ready]. This notion of readiness is a general concept that is
- used to model jitter, self-suspensions, etc. Crucially, we require
- that any sensible notion of readiness is a refinement of the notion
- of a pending job, i.e., any ready job must also be pending. *)
-Class JobReady (Job : JobType) (PState : ProcessorState Job)
- {jc : JobCost Job} {ja : JobArrival Job} :=
- {
- job_ready : schedule PState -> Job -> instant -> bool;
-
- (** What follows is the consistency requirement: We require any
- reasonable readiness model to consider only pending jobs to be
- ready. *)
- _ : forall sched j t, job_ready sched j t -> pending sched j t;
- }.
-
-(** * Backlogged Jobs *)
-
-(** Based on the general notion of readiness, we define what it means to be
- backlogged, i.e., ready to run but not executing. *)
-Section Backlogged.
- (** Consider any kinds of jobs and any kind of processor state. *)
- Context {Job : JobType} {PState : ProcessorState Job}.
-
- (** Allow for any notion of readiness. *)
- Context {jc : JobCost Job} {ja : JobArrival Job} {jr : JobReady Job PState}.
-
- (** Job j is backlogged at time t iff it is ready and not scheduled. *)
- Definition backlogged (sched : schedule PState) (j : Job) (t : instant) :=
- job_ready sched j t && ~~ scheduled_at sched j t.
-
-End Backlogged.
-
-
-(** * Validity of a Schedule *)
-
-(** With the readiness concept in place, we define the notion of valid schedules. *)
-Section ValidSchedule.
- (** Consider any kind of jobs and any kind of processor state. *)
- Context {Job : JobType} {PState : ProcessorState Job}.
-
- (** Consider any schedule. *)
- Variable sched : schedule PState.
-
- Context `{JobArrival Job}.
-
- (** We define whether jobs come from some arrival sequence... *)
- Definition jobs_come_from_arrival_sequence (arr_seq : arrival_sequence Job) :=
- forall j t, scheduled_at sched j t -> arrives_in arr_seq j.
-
- (** ..., whether a job can only be scheduled if it has arrived ... *)
- Definition jobs_must_arrive_to_execute :=
- forall j t, scheduled_at sched j t -> has_arrived j t.
-
- Context {jc : JobCost Job} {ja : JobArrival Job} {jr : JobReady Job PState}.
-
- (** ..., whether a job can only be scheduled if it is ready ... *)
- Definition jobs_must_be_ready_to_execute :=
- forall j t, scheduled_at sched j t -> job_ready sched j t.
-
- (** ... and whether a job cannot be scheduled after it completes. *)
- Definition completed_jobs_dont_execute :=
- forall j t, scheduled_at sched j t -> service sched j t < job_cost j.
-
- (** We say that the schedule is valid iff
- - jobs come from some arrival sequence
- - a job is scheduled if it is ready *)
- Definition valid_schedule (arr_seq : arrival_sequence Job) :=
- jobs_come_from_arrival_sequence arr_seq /\
- jobs_must_be_ready_to_execute.
-
- (** Note that we do not explicitly require that a valid schedule satisfies
- [jobs_must_arrive_to_execute] or [completed_jobs_dont_execute] because these
- properties are implied by jobs_must_be_ready_to_execute. *)
-
-End ValidSchedule.
diff --git a/behavior/schedule.v b/behavior/schedule.v
deleted file mode 100644
index 1eb487cef0d4b34fabe56fcb70f4fd215eac40aa..0000000000000000000000000000000000000000
--- a/behavior/schedule.v
+++ /dev/null
@@ -1,89 +0,0 @@
-From mathcomp Require Export ssreflect ssrnat ssrbool eqtype fintype bigop.
-Require Export prosa.behavior.arrival_sequence.
-
-(** * Generic Processor State Interface *)
-
-(** Rather than choosing a specific schedule representation up front, we define
- the notion of a generic processor state, which allows us to state general
- definitions of core concepts (such as "how much service has a job
- received") that work across many possible scenarios (e.g., ideal
- uniprocessor schedules, schedules with overheads, variable-speed
- processors, multiprocessors, etc.).
-
- A concrete processor state type precisely determines how all relevant
- aspects of the execution environment are modeled (e.g., scheduled jobs,
- overheads, spinning). Here, we define just the common interface of all
- possible concrete processor states by means of a type class, i.e., we
- define a few generic functions and an invariant that must be defined for
- all concrete processor state types.
-
- In the most simple case (i.e., an ideal uniprocessor state—see
- [model/processor/ideal.v]), at any given time, either a particular job is
- scheduled or the processor is idle. *)
-Class ProcessorState (Job : JobType) :=
- {
- State : Type;
- (** A [ProcessorState] instance provides a finite set of cores on which
- jobs can be scheduled. In the case of uniprocessors, this is irrelevant
- and may be ignored (by convention, the unit type is used as a
- placeholder in uniprocessor schedules, but this is not
- important). (Hint to the Coq novice: [finType] just means some type
- with finitely many values, i.e., it is possible to enumerate all cores
- of a multi-processor.) *)
- Core : finType;
- (** For a given processor state and core, the [scheduled_on] predicate
- checks whether a given job is running on the given core. *)
- scheduled_on : Job -> State -> Core -> bool;
- (** For a given processor state and core, the [service_on] function determines
- how much service a given job receives on the given core). *)
- service_on : Job -> State -> Core -> work;
- (** We require [scheduled_on] and [service_on] to be consistent in
- the sense that a job can receive service (on a given core)
- only if it is also scheduled (on that core). *)
- service_on_implies_scheduled_on :
- forall j s r, ~~ scheduled_on j s r -> service_on j s r = 0
- }.
-Coercion State : ProcessorState >-> Sortclass.
-
-(** The above definition of the [ProcessorState] interface provides
- the predicate [scheduled_on] and the function [service_on], which
- relate a given job to a given core in a given state. This level of
- detail is required for generality, but in many situations it
- suffices and is more convenient to elide the information about
- individual cores, instead referring to all cores at once. To this
- end, we next define the short-hand functions [scheduled_in] and
- [service_in] to directly check whether a job is scheduled at all
- (i.e., on any core), and how much service the job receives
- anywhere (i.e., across all cores). *)
-Section ProcessorIn.
- (** Consider any type of jobs... *)
- Context {Job : JobType}.
- (** ...and any type of processor state. *)
- Context {State : ProcessorState Job}.
-
- (** For a given processor state, the [scheduled_in] predicate checks
- whether a given job is running on any core in that state. *)
- Definition scheduled_in (j : Job) (s : State) : bool :=
- [exists c : Core, scheduled_on j s c].
-
- (** For a given processor state, the [service_in] function determines how
- much service a given job receives in that state (across all cores). *)
- Definition service_in (j : Job) (s : State) : work :=
- \sum_(r : Core) service_on j s r.
-
-End ProcessorIn.
-
-(** * Schedule Representation *)
-
-(** In Prosa, schedules are represented as functions, which allows us to model
- potentially infinite schedules. More specifically, a schedule simply maps
- each instant to a processor state, which reflects state of the computing
- platform at the specific time (e.g., which job is presently scheduled). *)
-
-Definition schedule {Job : JobType} (PState : ProcessorState Job) :=
- instant -> PState.
-
-(** The following line instructs Coq to not let proofs use knowledge of how
- [scheduled_on] and [service_on] are defined. Instead,
- proofs must rely on basic lemmas about processor state classes. *)
-Global Opaque scheduled_on service_on.
diff --git a/behavior/service.v b/behavior/service.v
deleted file mode 100644
index f503d7ef0451544363843bbd92f1b412651e030f..0000000000000000000000000000000000000000
--- a/behavior/service.v
+++ /dev/null
@@ -1,74 +0,0 @@
-From mathcomp Require Export ssreflect ssrnat ssrbool eqtype fintype bigop.
-Require Export prosa.behavior.schedule.
-
-Section Service.
-
- (** * Service of a Job *)
-
- (** Consider any kind of jobs and any kind of processor state. *)
- Context {Job : JobType} {PState : ProcessorState Job}.
-
- (** Consider any schedule. *)
- Variable sched : schedule PState.
-
- (** First, we define whether a job [j] is scheduled at time [t], ... *)
- Definition scheduled_at (j : Job) (t : instant) := scheduled_in j (sched t).
-
- (** ... and the instantaneous service received by job j at time t. *)
- Definition service_at (j : Job) (t : instant) := service_in j (sched t).
-
- (** We say that a job [j] receives service at time [t] if
- [service_at j t] is positive. *)
- Definition receives_service_at (j : Job) (t : instant) := 0 < service_at j t.
-
- (** Based on the notion of instantaneous service, we define the cumulative
- service received by job j during any interval from [t1] until (but not
- including) [t2]. *)
- Definition service_during (j : Job) (t1 t2 : instant) :=
- \sum_(t1 <= t < t2) service_at j t.
-
- (** Using the previous definition, we define the cumulative service received
- by job [j] up to (but not including) time [t]. *)
- Definition service (j : Job) (t : instant) := service_during j 0 t.
-
- (** * Job Completion and Response Time *)
-
- (** In the following, consider jobs that have a cost, a deadline, and an
- arbitrary arrival time. *)
- Context `{JobCost Job}.
- Context `{JobDeadline Job}.
- Context `{JobArrival Job}.
-
- (** We say that job [j] has completed by time [t] if it received all required
- service in the interval from [0] until (but not including) [t]. *)
- Definition completed_by (j : Job) (t : instant) := service j t >= job_cost j.
-
- (** We say that job [j] completes at time [t] if it has completed by time [t] but
- not by time [t - 1]. *)
- Definition completes_at (j : Job) (t : instant) := ~~ completed_by j t.-1 && completed_by j t.
-
- (** We say that a constant [R] is a response time bound of a job [j] if [j]
- has completed by [R] units after its arrival. *)
- Definition job_response_time_bound (j : Job) (R : duration) :=
- completed_by j (job_arrival j + R).
-
- (** We say that a job meets its deadline if it completes by its absolute deadline. *)
- Definition job_meets_deadline (j : Job) :=
- completed_by j (job_deadline j).
-
- (** * Pending or Incomplete Jobs *)
-
- (** Job [j] is pending at time [t] iff it has arrived but has not yet completed. *)
- Definition pending (j : Job) (t : instant) := has_arrived j t && ~~ completed_by j t.
-
- (** Job [j] is pending earlier and at time [t] iff it has arrived before time [t]
- and has not been completed yet. *)
- Definition pending_earlier_and_at (j : Job) (t : instant) :=
- arrived_before j t && ~~ completed_by j t.
-
- (** Let's define the remaining cost of job [j] as the amount of service that
- has yet to be received for it to complete. *)
- Definition remaining_cost j t :=
- job_cost j - service j t.
-
-End Service.
diff --git a/behavior/time.v b/behavior/time.v
deleted file mode 100644
index 58fb14fa2185cf4d699190687c1aff4c1dac5eee..0000000000000000000000000000000000000000
--- a/behavior/time.v
+++ /dev/null
@@ -1,8 +0,0 @@
-(** * Model of Time *)
-
-(** Prosa is based on a discrete model of time. Thus, time is simply defined by
- the natural numbers. To aid readability, we distinguish between values of time
- that represent a duration and values of time that represent a specific
- instant. *)
-Definition duration := nat.
-Definition instant := nat.
diff --git a/create_makefile.sh b/create_makefile.sh
index 5951c7459ee8bd53d127bf320500660a056702bc..77c623350b3c4370290c526d2c7735cc878054c6 100755
--- a/create_makefile.sh
+++ b/create_makefile.sh
@@ -6,16 +6,6 @@ FIND_OPTS=( . -name '*.v' ! -name '*#*' ! -path './.git/*' ! -path './with-proof
while ! [ -z "$1" ]
do
case "$1" in
- --without-classic)
- FIND_OPTS+=( ! -path './classic/*' )
- ;;
- --without-refinements)
- FIND_OPTS+=( ! -path './implementation/refinements/*' )
- ;;
- --only-classic)
- FIND_OPTS+=( ! -path './analysis/*' ! -path './behavior/*' ! -path './model/*' \
- ! -path './implementation/*' ! -path './results/*')
- ;;
*)
echo "Unrecognized option: $1"
exit 1
diff --git a/implementation/definitions/arrival_bound.v b/implementation/definitions/arrival_bound.v
deleted file mode 100644
index a4e9999ebbc7c0eb343bdaaab816fa67351f7fc6..0000000000000000000000000000000000000000
--- a/implementation/definitions/arrival_bound.v
+++ /dev/null
@@ -1,48 +0,0 @@
-Require Export prosa.implementation.definitions.extrapolated_arrival_curve.
-
-(** * Implementation of a Task's Arrival Bound *)
-
-(** In this file, we define a reference implementation of the notion of a task's
- arrival bound.
-
- Note that its use is entirely optional: clients of Prosa may choose to use
- this type or implement their own notion of arrival bounds. *)
-
-(** A task's arrival bound is an inductive type comprised of three types of
- arrival patterns: (a) periodic, characterized by a period between consequent
- activation of a task, (b) sporadic, characterized by a minimum inter-arrival
- time, or (c) arrival-curve prefix, characterized by a finite prefix of an
- arrival curve. *)
-Inductive task_arrivals_bound :=
-| Periodic : nat -> task_arrivals_bound
-| Sporadic : nat -> task_arrivals_bound
-| ArrivalPrefix : ArrivalCurvePrefix -> task_arrivals_bound.
-
-(** To make it compatible with ssreflect, we define a decidable
- equality for arrival bounds. *)
-Definition task_arrivals_bound_eqdef (tb1 tb2 : task_arrivals_bound) :=
- match tb1, tb2 with
- | Periodic p1, Periodic p2 => p1 == p2
- | Sporadic s1, Sporadic s2 => s1 == s2
- | ArrivalPrefix s1, ArrivalPrefix s2 => s1 == s2
- | _, _ => false
- end.
-
-(** Next, we prove that [task_eqdef] is indeed an equality, ... *)
-Lemma eqn_task_arrivals_bound : Equality.axiom task_arrivals_bound_eqdef.
-Proof.
- intros x y.
- destruct (task_arrivals_bound_eqdef x y) eqn:EQ.
- { apply ReflectT; destruct x, y.
- all: try by move: EQ => /eqP EQ; subst.
- }
- { apply ReflectF; destruct x, y.
- all: try by move: EQ => /eqP EQ.
- all: by move: EQ => /neqP; intros NEQ1 NEQ2; apply NEQ1; inversion NEQ2.
- }
-Qed.
-
-(** ..., which allows instantiating the canonical structure for [[eqType of task_arrivals_bound]]. *)
-Canonical task_arrivals_bound_eqMixin := EqMixin eqn_task_arrivals_bound.
-Canonical task_arrivals_bound_eqType := Eval hnf in EqType task_arrivals_bound task_arrivals_bound_eqMixin.
-
diff --git a/implementation/definitions/extrapolated_arrival_curve.v b/implementation/definitions/extrapolated_arrival_curve.v
deleted file mode 100644
index 3cfa60b367fd4321e7b3184b389c8898b6ed07bf..0000000000000000000000000000000000000000
--- a/implementation/definitions/extrapolated_arrival_curve.v
+++ /dev/null
@@ -1,149 +0,0 @@
-From mathcomp Require Export ssreflect ssrbool eqtype ssrnat div seq path fintype bigop.
-Require Export prosa.behavior.time.
-Require Export prosa.util.all.
-
-(** This file introduces an implementation of arrival curves via the
- periodic extension of finite _arrival-curve prefix_. An
- arrival-curve prefix is a pair comprising a horizon and a list of
- steps. The horizon defines the domain of the prefix, in which no
- extrapolation is necessary. The list of steps ([duration × value])
- describes the value changes of the corresponding arrival curve
- within the domain.
-
- For time instances outside of an arrival-curve prefix's domain,
- extrapolation is necessary. Therefore, past the domain,
- arrival-curve values are extrapolated assuming that the
- arrival-curve prefix is repeated with a period equal to the
- horizon.
-
- Note that such a periodic extension does not necessarily give the
- tightest curve, and hence it is not optimal. The advantage is
- speed of calculation: periodic extension can be done in constant
- time, whereas the optimal extension takes roughly quadratic time
- in the number of steps. *)
-
-(** An arrival-curve prefix is defined as a pair comprised of a
- horizon and a list of steps ([duration × value]) that describe the
- value changes of the described arrival curve.
-
- For example, an arrival-curve prefix [(5, [:: (1, 3)])] describes
- an arrival sequence with job bursts of size [3] happening every
- [5] time instances. *)
-Definition ArrivalCurvePrefix : Type := duration * seq (duration * nat).
-
-(** Given an inter-arrival time [p] (or period [p]), the corresponding
- arrival-curve prefix can be defined as [(p, [:: (1, 1)])]. *)
-Definition inter_arrival_to_prefix (p : nat) : ArrivalCurvePrefix := (p, [:: (1, 1)]).
-
-(** The first component of arrival-curve prefix [ac_prefix] is called horizon. *)
-Definition horizon_of (ac_prefix : ArrivalCurvePrefix) := fst ac_prefix.
-
-(** The second component of [ac_prefix] is called steps. *)
-Definition steps_of (ac_prefix : ArrivalCurvePrefix) := snd ac_prefix.
-
-(** The time steps of [ac_prefix] are the first components of the
- steps. That is, these are time instances before the horizon
- where the corresponding arrival curve makes a step. *)
-Definition time_steps_of (ac_prefix : ArrivalCurvePrefix) :=
- map fst (steps_of ac_prefix).
-
-(** The function [step_at] returns the last step ([duration ×
- value]) such that [duration ≤ t]. *)
-Definition step_at (ac_prefix : ArrivalCurvePrefix) (t : duration) :=
- last (0, 0) [ seq step <- steps_of ac_prefix | fst step <= t ].
-
-(* The function [value_at] returns the _value_ of the last step
- ([duration × value]) such that [duration ≤ t] *)
-Definition value_at (ac_prefix : ArrivalCurvePrefix) (t : duration) :=
- snd (step_at ac_prefix t).
-
-(** Finally, we define a function [extrapolated_arrival_curve] that
- performs the periodic extension of the arrival-curve prefix (and
- hence, defines an arrival curve).
-
- Value of [extrapolated_arrival_curve t] is defined as
- [t %/ h * value_at horizon] plus [value_at (t mod horizon)].
- The first summand corresponds to [k] full repetitions of the
- arrival-curve prefix inside interval <<[0,t)>>. The second summand
- corresponds to the residual change inside interval <<[k*h, t)>>. *)
-Definition extrapolated_arrival_curve (ac_prefix : ArrivalCurvePrefix) (t : duration) :=
- let h := horizon_of ac_prefix in
- t %/ h * value_at ac_prefix h + value_at ac_prefix (t %% h).
-
-(** In the following section, we define a few validity predicates. *)
-Section ValidArrivalCurvePrefix.
-
- (** Horizon should be positive. *)
- Definition positive_horizon (ac_prefix : ArrivalCurvePrefix) :=
- horizon_of ac_prefix > 0.
-
- (** Horizon should bound time steps. *)
- Definition large_horizon (ac_prefix : ArrivalCurvePrefix) :=
- forall s, s \in time_steps_of ac_prefix -> s <= horizon_of ac_prefix.
-
- (** We define an alternative, decidable version of [large_horizon]... *)
- Definition large_horizon_dec (ac_prefix : ArrivalCurvePrefix) : bool :=
- all (fun s => s <= horizon_of ac_prefix) (time_steps_of ac_prefix).
-
- (** ... and prove that the two definitions are equivalent. *)
- Lemma large_horizon_P :
- forall (ac_prefix : ArrivalCurvePrefix),
- reflect (large_horizon ac_prefix) (large_horizon_dec ac_prefix).
- Proof.
- move=> ac.
- apply /introP; first by move=> /allP ?.
- apply ssr.ssrbool.contraNnot => ?.
- by apply /allP.
- Qed.
-
- (** There should be no infinite arrivals; that is, [value_at 0 = 0]. *)
- Definition no_inf_arrivals (ac_prefix : ArrivalCurvePrefix) :=
- value_at ac_prefix 0 == 0.
-
- (** Bursts must be specified; that is, [steps_of] should contain a
- pair [(ε, b)]. *)
- Definition specified_bursts (ac_prefix : ArrivalCurvePrefix) :=
- ε \in time_steps_of ac_prefix.
-
- (** Steps should be strictly increasing both in time steps and values. *)
- Definition ltn_steps a b := (fst a < fst b) && (snd a < snd b).
- Definition sorted_ltn_steps (ac_prefix : ArrivalCurvePrefix) :=
- sorted ltn_steps (steps_of ac_prefix).
-
- (** The conjunction of the 5 afore-defined properties defines a
- valid arrival-curve prefix. *)
- Definition valid_arrival_curve_prefix (ac_prefix : ArrivalCurvePrefix) :=
- positive_horizon ac_prefix
- /\ large_horizon ac_prefix
- /\ no_inf_arrivals ac_prefix
- /\ specified_bursts ac_prefix
- /\ sorted_ltn_steps ac_prefix.
-
- (** We define an alternative, decidable version of [valid_arrival_curve_prefix]... *)
- Definition valid_arrival_curve_prefix_dec (ac_prefix : ArrivalCurvePrefix) : bool :=
- (positive_horizon ac_prefix)
- && (large_horizon_dec ac_prefix)
- && (no_inf_arrivals ac_prefix)
- && (specified_bursts ac_prefix)
- && (sorted_ltn_steps ac_prefix).
-
- (** ... and prove that the two definitions are equivalent. *)
- Lemma valid_arrival_curve_prefix_P :
- forall (ac_prefix : ArrivalCurvePrefix),
- reflect (valid_arrival_curve_prefix ac_prefix) (valid_arrival_curve_prefix_dec ac_prefix).
- Proof.
- move=> ac.
- apply /introP.
- - by move => /andP[/andP[/andP[/andP[? /large_horizon_P ?] ?]?]?].
- - apply ssr.ssrbool.contraNnot.
- move=> [?[/large_horizon_P ?[?[??]]]].
- by repeat (apply /andP; split => //).
- Qed.
-
- (** We also define a predicate for non-decreasing order that is
- more convenient for proving some of the claims. *)
- Definition leq_steps a b := (fst a <= fst b) && (snd a <= snd b).
- Definition sorted_leq_steps (ac_prefix : ArrivalCurvePrefix) :=
- sorted leq_steps (steps_of ac_prefix).
-
-End ValidArrivalCurvePrefix.
diff --git a/implementation/definitions/generic_scheduler.v b/implementation/definitions/generic_scheduler.v
deleted file mode 100644
index bfd21eaf299b76ec4f487cfd0581995d7a1dec6d..0000000000000000000000000000000000000000
--- a/implementation/definitions/generic_scheduler.v
+++ /dev/null
@@ -1,53 +0,0 @@
-Require Export prosa.analysis.transform.swap.
-
-(** * Generic Reference Scheduler *)
-
-(** In this file, we provide a generic procedure that produces a schedule by
- making a decision on what to schedule at each point in time. *)
-
-(** To begin with, we define the notion of a pointwise scheduling policy that
- makes a decision at a given time [t] based on given prefix up to time
- [t.-1]. *)
-Section PointwisePolicy.
- (** Consider any type of jobs and type of schedule. *)
- Context {Job : JobType}.
- Variable PState : ProcessorState Job.
-
- (** A pointwise scheduling policy is a function that, given a schedule prefix
- that is valid up to time [t - 1], decides what to schedule at time
- [t]. *)
- Definition PointwisePolicy := schedule PState -> instant -> PState.
-End PointwisePolicy.
-
-Section GenericSchedule.
- (** Consider any type of jobs and type of schedule. *)
- Context {Job : JobType} {PState : ProcessorState Job}.
-
- (** Suppose we are given a policy function that, given a schedule prefix that
- is valid up to time [t - 1], decides what to schedule at time [t]. *)
- Variable policy : PointwisePolicy PState.
-
- (** Let [idle_state] denote the processor state that indicates that the
- entire system is idle. *)
- Variable idle_state : PState.
-
- (** We construct the schedule step by step starting from an "empty" schedule
- that is idle at all times as a base case. *)
- Definition empty_schedule: schedule PState := fun _ => idle_state.
-
- (** Next, we define a function that computes a schedule prefix up to a given
- time horizon [h]. *)
- Fixpoint schedule_up_to (h : instant) :=
- let
- prefix := if h is h'.+1 then schedule_up_to h' else empty_schedule
- in
- replace_at prefix h (policy prefix h).
-
- (** Finally, we define the generic schedule as follows: for a
- given point in time [t], we compute the finite prefix up to and including
- [t], namely [schedule_up_to t], and then return the job scheduled at time
- [t] in that prefix. *)
- Definition generic_schedule (t : instant) : PState :=
- schedule_up_to t t.
-
-End GenericSchedule.
diff --git a/implementation/definitions/ideal_uni_scheduler.v b/implementation/definitions/ideal_uni_scheduler.v
deleted file mode 100644
index e2503e47494c93e72d153faf23fbb18db448b5b3..0000000000000000000000000000000000000000
--- a/implementation/definitions/ideal_uni_scheduler.v
+++ /dev/null
@@ -1,100 +0,0 @@
-Require Export prosa.implementation.definitions.generic_scheduler.
-
-Require Export prosa.model.preemption.parameter.
-Require Export prosa.model.schedule.priority_driven.
-Require Export prosa.analysis.facts.readiness.backlogged.
-Require Export prosa.analysis.transform.swap.
-
-(** * Ideal Uniprocessor Reference Scheduler *)
-
-(** In this file, we provide a generic priority-aware scheduler that produces
- an ideal uniprocessor schedule for a given arrival sequence. The scheduler
- respects nonpreemptive sections and arbitrary readiness models. *)
-
-Section UniprocessorScheduler.
-
- (** Consider any type of jobs with costs and arrival times, ... *)
- Context {Job : JobType} {JC : JobCost Job} {JA : JobArrival Job}.
-
- (** .. in the context of an ideal uniprocessor model. *)
- Let PState := ideal.processor_state Job.
- Let idle_state : PState := None.
-
- (** Suppose we are given a consistent arrival sequence of such jobs ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_consistent_arrival_times: consistent_arrival_times arr_seq.
-
- (** ... and a non-clairvoyant readiness model. *)
- Context {RM: JobReady Job (ideal.processor_state Job)}.
- Hypothesis H_nonclairvoyant_job_readiness: nonclairvoyant_readiness RM.
-
- (** ** Preemption-Aware Scheduler *)
-
- (** First, we define the notion of a generic uniprocessor scheduler that is
- cognizant of non-preemptive sections, so consider any preemption model. *)
- Context `{JobPreemptable Job}.
-
- Section NonPreemptiveSectionAware.
-
- (** Suppose we are given a scheduling policy that applies when jobs are
- preemptive: given a set of jobs ready at time [t], select which to run
- (if any) at time [t]. *)
- Variable choose_job : instant -> seq Job -> option Job.
-
- (** The next job is then chosen either by [policy] (if the current job is
- preemptive or the processor is idle) or a non-preemptively executing job
- continues to execute. *)
- Section JobAllocation.
-
- (** Consider a finite schedule prefix ... *)
- Variable sched_prefix : schedule (ideal.processor_state Job).
-
- (** ... that is valid up to time [t - 1]. *)
- Variable t : instant.
-
- (** We define a predicate that tests whether the job scheduled at the
- previous instant (if [t > 0]) is nonpreemptive (and hence needs to be
- continued to be scheduled). *)
- Definition prev_job_nonpreemptive : bool :=
- match t with
- | 0 => false
- | S t' => if sched_prefix t' is Some j then
- job_ready sched_prefix j t &&
- ~~job_preemptable j (service sched_prefix j t)
- else
- false
- end.
-
- (** Based on the [prev_job_nonpreemptive] predicate, either the previous
- job continues to be scheduled or the given policy chooses what to run
- instead. *)
- Definition allocation_at : option Job :=
- if prev_job_nonpreemptive then
- sched_prefix t.-1
- else
- choose_job t (jobs_backlogged_at arr_seq sched_prefix t).
- End JobAllocation.
-
- (** A preemption-model-compliant ideal uniprocessor schedule is then produced
- when using [allocation_at] as the policy for the generic scheduler. *)
- Definition pmc_uni_schedule : schedule PState := generic_schedule allocation_at idle_state.
-
- End NonPreemptiveSectionAware.
-
- (** ** Priority-Aware Scheduler *)
-
- (** Building on the preemption-model aware scheduler, we next define a simple priority-aware scheduler. *)
- Section PriorityAware.
-
- (** Given any JLDP priority policy... *)
- Context `{JLDP_policy Job}.
-
- (** ...always choose the highest-priority job when making a scheduling decision... *)
- Definition choose_highest_prio_job t jobs := supremum (hep_job_at t) jobs.
-
- (** ... to obtain a priority- and preemption-model-aware ideal uniprocessor
- schedule. *)
- Definition uni_schedule : schedule PState := pmc_uni_schedule choose_highest_prio_job.
- End PriorityAware.
-
-End UniprocessorScheduler.
diff --git a/implementation/definitions/job_constructor.v b/implementation/definitions/job_constructor.v
deleted file mode 100644
index 5ef42030a03a71da9cfa4647256d4c56f08237a0..0000000000000000000000000000000000000000
--- a/implementation/definitions/job_constructor.v
+++ /dev/null
@@ -1,27 +0,0 @@
-Require Export prosa.implementation.facts.maximal_arrival_sequence.
-Require Export prosa.implementation.definitions.task.
-
-(** * Job Constructor *)
-
-(** In this file, we define a job-generation function to use in pair with a
- concrete arrival sequence. These facts sit at the basis of POET's
- assumption-less certificates, used to prove the absence of contradicting
- hypotheses in abstract RTA. *)
-
-(** The generated jobs to belong to the concrete task type. *)
-Definition Task := [eqType of concrete_task].
-Definition Job := [eqType of concrete_job].
-
-
-(** We first define a job-generation function that produces one concrete job of
- the given task, with the given job ID, arriving at the given time ... *)
-Definition generate_job_at tsk t id : Job :=
- {| task.job_id := id
- ; task.job_arrival := t
- ; task.job_cost := task_cost tsk
- ; task.job_deadline := t + task_deadline tsk
- ; task.job_task := tsk |}.
-
-(** ... and then generalize the above function to an arbitrary number of
- jobs. *)
-Definition generate_jobs_at tsk n t := map (generate_job_at tsk t) (iota 0 n).
diff --git a/implementation/definitions/maximal_arrival_sequence.v b/implementation/definitions/maximal_arrival_sequence.v
deleted file mode 100644
index c46090c50c0f5905e5cc0d153cb65fed129b1bbd..0000000000000000000000000000000000000000
--- a/implementation/definitions/maximal_arrival_sequence.v
+++ /dev/null
@@ -1,88 +0,0 @@
-Require Export prosa.model.task.arrival.curves.
-Require Export prosa.util.supremum.
-
-(** * A Maximal Arrival Sequence *)
-
-(** In this section, we propose a concrete instantiation of an arrival sequence.
- Given an arbitrary arrival curve, the defined arrival sequence tries to
- generate as many jobs as possible at any time instant by adopting a greedy
- strategy: at each time [t], the arrival sequence contains the maximum possible
- number of jobs that does not violate the given arrival curve's constraints. *)
-Section MaximalArrivalSequence.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Let [max_arrivals] denote any function that takes a task and an interval length
- and returns the associated number of job arrivals of the task. *)
- Context `{MaxArrivals Task}.
-
- (** In this section, we define a procedure that computes the maximal number of
- jobs that can be released at a given instant without violating the
- corresponding arrival curve. *)
- Section NumberOfJobs.
-
- (** Let [tsk] be any task. *)
- Variable tsk : Task.
-
- (** First, we introduce a function that computes the sum of all elements in
- a given list's suffix of length [n]. *)
- Definition suffix_sum xs n := \sum_(size xs - n <= t < size xs) nth 0 xs t.
-
- (** Let the arrival prefix [arr_prefix] be a sequence of natural numbers,
- where [nth xs t] denotes the number of jobs that arrive at time [t].
- Then, given an arrival curve [max_arrivals] and an arrival prefix
- [arr_prefix], we define a function that computes the number of jobs that
- can be additionally released without violating the arrival curve.
-
- The high-level idea is as follows. Let us assume that the length of the
- arrival prefix is [Δ]. To preserve the sub-additive property, one needs
- to go through all suffixes of the arrival prefix and pick the
- minimum. *)
- Definition jobs_remaining (arr_prefix : seq nat) :=
- supremum leq [seq (max_arrivals tsk Δ.+1 - suffix_sum arr_prefix Δ) | Δ <- iota 0 (size arr_prefix).+1].
-
- (** Further, we define the function [next_max_arrival] to handle a special
- case: when the arrival prefix is empty, the function returns the value
- of the arrival curve with a window length of [1]. Otherwise, it returns
- the number the number of jobs that can additionally be generated. *)
- Definition next_max_arrival (arr_prefix : seq nat) :=
- match jobs_remaining arr_prefix with
- | None => max_arrivals tsk 1
- | Some n => n
- end.
-
- (** Next, we define a function that extends by one a given arrival prefix... *)
- Definition extend_arrival_prefix (arr_prefix : seq nat) :=
- arr_prefix ++ [:: next_max_arrival arr_prefix ].
-
- (** ... and a function that generates a maximal arrival prefix
- of size [t], starting from an empty arrival prefix. *)
- Definition maximal_arrival_prefix (t : nat) :=
- iter t.+1 extend_arrival_prefix [::].
-
- (** Finally, we define a function that returns the maximal number
- of jobs that can be released at time [t]; this definition
- assumes that at each time instant prior to time [t] the maximal
- number of jobs were released. *)
- Definition max_arrivals_at t := nth 0 (maximal_arrival_prefix t) t.
-
- End NumberOfJobs.
-
- (** Consider a function that generates [n] concrete jobs of
- the given task at the given time instant. *)
- Variable generate_jobs_at : Task -> nat -> instant -> seq Job.
-
- (** The maximal arrival sequence of task set [ts] at time [t] is a
- concatenation of sequences of generated jobs for each task. *)
- Definition concrete_arrival_sequence (ts : seq Task) (t : instant) :=
- \cat_(tsk <- ts) generate_jobs_at tsk (max_arrivals_at tsk t) t.
-
-End MaximalArrivalSequence.
diff --git a/implementation/definitions/task.v b/implementation/definitions/task.v
deleted file mode 100644
index 5f9636133b934cab6fb2d794be6210ae70cb058d..0000000000000000000000000000000000000000
--- a/implementation/definitions/task.v
+++ /dev/null
@@ -1,148 +0,0 @@
-Require Export prosa.implementation.definitions.arrival_bound.
-Require Export prosa.model.task.arrival.curves.
-Require Export prosa.model.priority.numeric_fixed_priority.
-
-(** * Implementation of Tasks and Jobs *)
-
-(** This file provides reference implementations of the notions of "tasks" and
- "jobs" that can be used to meet the hypotheses on which many of the analyses
- in Prosa are based.
-
- Note that their use is entirely optional: clients of Prosa may choose to use
- these types or implement their own notions of "tasks" and "jobs". *)
-
-(** ** Implementation of a Concrete Task *)
-
-
-(** A task comprises of an id, a cost, an arrival bound, a deadline
- and a priority. *)
-Structure concrete_task :=
- { task_id: nat (* for uniqueness *)
- ; task_cost: nat
- ; task_arrival: task_arrivals_bound
- ; task_deadline: instant
- ; task_priority : nat
- }.
-
-(** To make it compatible with ssreflect, we define a decidable
- equality for concrete tasks. *)
-Definition task_eqdef (t1 t2: concrete_task) :=
- (task_id t1 == task_id t2)
- && (task_cost t1 == task_cost t2)
- && (task_arrival t1 == task_arrival t2)
- && (task_deadline t1 == task_deadline t2)
- && (task_priority t1 == task_priority t2).
-
-(** Next, we prove that [task_eqdef] is indeed an equality, ... *)
-Lemma eqn_task : Equality.axiom task_eqdef.
-Proof.
- unfold Equality.axiom; intros x y.
- destruct (task_eqdef x y) eqn:EQ.
- { apply ReflectT.
- unfold task_eqdef in *.
- move: EQ => /andP [/andP [/andP [/andP [/eqP ID /eqP COST] /eqP PER] /eqP DL] /eqP PRIO].
- by destruct x, y; simpl in *; subst. }
- { apply ReflectF.
- unfold task_eqdef, not in * => BUG.
- apply negbT in EQ.
- repeat rewrite negb_and in EQ.
- destruct x, y.
- move: BUG => [ID COST PER DL PRIO].
- rewrite ID COST PER DL PRIO //= in EQ.
- by subst; rewrite !eq_refl in EQ.
- }
-Qed.
-
-(** ..., which allows instantiating the canonical structure for [[eqType of concrete_task]]. *)
-Canonical concrete_task_eqMixin := EqMixin eqn_task.
-Canonical concrete_task_eqType := Eval hnf in EqType concrete_task concrete_task_eqMixin.
-
-
-(** ** Implementation of a Concrete Job *)
-
-
-(** A job comprises of an id, an arrival time, a cost, a deadline and the
- task it belongs to. *)
-Record concrete_job :=
- { job_id: nat
- ; job_arrival: instant
- ; job_cost: nat
- ; job_deadline: instant
- ; job_task: [eqType of concrete_task]
- }.
-
-(** For convenience, we define a function that converts each possible arrival
- bound (periodic, sporadic, and arrival-curve prefix) into an arrival-curve
- prefix... *)
-Definition get_arrival_curve_prefix tsk :=
- match task_arrival tsk with
- | Periodic p => inter_arrival_to_prefix p
- | Sporadic m => inter_arrival_to_prefix m
- | ArrivalPrefix steps => steps
- end.
-
-(** ... and define the "arrival bound" concept for concrete tasks. *)
-Definition concrete_max_arrivals tsk Δ :=
- extrapolated_arrival_curve (get_arrival_curve_prefix tsk) Δ.
-
-(** To make it compatible with ssreflect, we define a decidable
- equality for concrete jobs. *)
-Definition job_eqdef (j1 j2: concrete_job) :=
- (job_id j1 == job_id j2)
- && (job_arrival j1 == job_arrival j2)
- && (job_cost j1 == job_cost j2)
- && (job_deadline j1 == job_deadline j2)
- && (job_task j1 == job_task j2).
-
-(** Next, we prove that [job_eqdef] is indeed an equality, ... *)
-Lemma eqn_job : Equality.axiom job_eqdef.
-Proof.
- unfold Equality.axiom; intros x y.
- destruct (job_eqdef x y) eqn:EQ.
- { apply ReflectT; unfold job_eqdef in *.
- move: EQ => /andP [/andP [/andP [/andP [/eqP ID /eqP ARR] /eqP COST] /eqP DL] /eqP TASK].
- by destruct x, y; simpl in *; subst. }
- { apply ReflectF.
- unfold job_eqdef, not in *; intro BUG.
- apply negbT in EQ; rewrite negb_and in EQ.
- destruct x, y.
- rewrite negb_and in EQ.
- move: EQ => /orP [EQ | /eqP TASK].
- move: EQ => /orP [EQ | /eqP DL].
- rewrite negb_and in EQ.
- move: EQ => /orP [EQ | /eqP COST].
- rewrite negb_and in EQ.
- move: EQ => /orP [/eqP ID | /eqP ARR].
- - by apply ID; inversion BUG.
- - by apply ARR; inversion BUG.
- - by apply COST; inversion BUG.
- - by apply DL; inversion BUG.
- - by apply TASK; inversion BUG. }
-Qed.
-
-(** ... which allows instantiating the canonical structure for [[eqType of concrete_job]].*)
-Canonical concrete_job_eqMixin := EqMixin eqn_job.
-Canonical concrete_job_eqType := Eval hnf in EqType concrete_job concrete_job_eqMixin.
-
-
-(** ** Instances for Concrete Jobs and Tasks. *)
-
-(** In the following, we connect the concrete task and job types defined above
- to the generic Prosa interfaces for task and job parameters. *)
-Section Parameters.
-
- (** First, we connect the above definition of tasks with the
- generic Prosa task-parameter interfaces. *)
- Let Task := [eqType of concrete_task].
- #[global,program] Instance TaskCost : TaskCost Task := task_cost.
- #[global,program] Instance TaskPriority : TaskPriority Task := task_priority.
- #[global,program] Instance TaskDeadline : TaskDeadline Task := task_deadline.
- #[global,program] Instance ConcreteMaxArrivals : MaxArrivals Task := concrete_max_arrivals.
-
- (** Second, we do the same for the above definition of job. *)
- Let Job := [eqType of concrete_job].
- #[global,program] Instance JobTask : JobTask Job Task := job_task.
- #[global,program] Instance JobArrival : JobArrival Job := job_arrival.
- #[global,program] Instance JobCost : JobCost Job := job_cost.
-
-End Parameters.
diff --git a/implementation/facts/extrapolated_arrival_curve.v b/implementation/facts/extrapolated_arrival_curve.v
deleted file mode 100644
index 54858e058728b319486c603ff9873ed1a4a4f45c..0000000000000000000000000000000000000000
--- a/implementation/facts/extrapolated_arrival_curve.v
+++ /dev/null
@@ -1,278 +0,0 @@
-From mathcomp Require Export ssreflect ssrbool eqtype ssrnat div seq path fintype bigop.
-Require Export prosa.behavior.time.
-Require Export prosa.util.all.
-Require Export prosa.implementation.definitions.extrapolated_arrival_curve.
-
-(** In this file, we prove basic properties of the arrival-curve
- prefix and the [extrapolated_arrival_curve] function. *)
-
-(** We start with basic facts about the relations [ltn_steps] and [leq_steps]. *)
-Section BasicFacts.
-
- (** We show that the relation [ltn_steps] is transitive. *)
- Lemma ltn_steps_is_transitive :
- transitive ltn_steps.
- Proof.
- move=> a b c /andP [FSTab SNDab] /andP [FSTbc SNDbc].
- by apply /andP; split; lia.
- Qed.
-
- (** Next, we show that the relation [leq_steps] is reflexive... *)
- Lemma leq_steps_is_reflexive :
- reflexive leq_steps.
- Proof.
- move=> [l r].
- rewrite /leq_steps.
- by apply /andP; split.
- Qed.
-
- (** ... and transitive. *)
- Lemma leq_steps_is_transitive :
- transitive leq_steps.
- Proof.
- move=> a b c /andP [FSTab SNDab] /andP [FSTbc SNDbc].
- by apply /andP; split; lia.
- Qed.
-
-End BasicFacts.
-
-(** In the following section, we prove a few properties of
- arrival-curve prefixes assuming that there are no infinite
- arrivals and that the list of steps is sorted according to the
- [leq_steps] relation. *)
-Section ArrivalCurvePrefixSortedLeq.
-
- (** Consider an arbitrary [leq]-sorted arrival-curve prefix without
- infinite arrivals. *)
- Variable ac_prefix : ArrivalCurvePrefix.
- Hypothesis H_sorted_leq : sorted_leq_steps ac_prefix.
- Hypothesis H_no_inf_arrivals : no_inf_arrivals ac_prefix.
-
- (** We prove that [value_at] is monotone with respect to the relation [<=]. *)
- Lemma value_at_monotone :
- monotone leq (value_at ac_prefix).
- Proof.
- intros t1 t2 LE; clear H_no_inf_arrivals.
- unfold sorted_leq_steps, value_at, step_at, steps_of in *.
- destruct ac_prefix as [h steps]; simpl.
- have GenLem:
- forall t__d1 v__d1 t__d2 v__d2,
- v__d1 <= v__d2 ->
- all (leq_steps (t__d1, v__d1)) steps ->
- all (leq_steps (t__d2, v__d2)) steps ->
- snd (last (t__d1, v__d1) [seq step <- steps | fst step <= t1]) <= snd (last (t__d2, v__d2) [seq step <- steps | fst step <= t2]).
- { induction steps as [ | [t__c v__c] steps]; first by done.
- simpl; intros *; move => LEv /andP [LTN1 /allP ALL1] /andP [LTN2 /allP ALL2].
- move: (H_sorted_leq); rewrite //= (@path_sorted_inE _ predT leq_steps); first last.
- { by apply/allP. }
- { by intros ? ? ? _ _ _; apply leq_steps_is_transitive. }
- move => /andP [ALL SORT].
- destruct (leqP (fst (t__c, v__c)) t1) as [R1 | R1], (leqP (fst (t__c, v__c)) t2) as [R2 | R2]; simpl in *.
- { rewrite R1 R2 //=; apply IHsteps; try done. }
- { by lia. }
- { rewrite ltnNge -eqbF_neg in R1; move: R1 => /eqP ->; rewrite R2 //=; apply IHsteps; try done.
- - by move: LTN1; rewrite /leq_steps => /andP //= [_ LEc].
- - by apply/allP.
- }
- { rewrite ltnNge -eqbF_neg in R1; move: R1 => /eqP ->.
- rewrite ltnNge -eqbF_neg in R2; move: R2 => /eqP ->.
- apply IHsteps; try done.
- - by apply/allP.
- - by apply/allP.
- }
- }
- apply GenLem; first by done.
- all: by apply/allP; intros x _; rewrite /leq_steps //=.
- Qed.
-
- (** Next, we prove a correctness claim stating that if [value_at]
- makes a step at time instant [t + ε] (that is, [value_at t <
- value_at (t + ε)]), then [steps_of ac_prefix] contains a step
- [(t + ε, v)] for some [v]. *)
- Lemma value_at_change_is_in_steps_of :
- forall t,
- value_at ac_prefix t < value_at ac_prefix (t + ε) ->
- exists v, (t + ε, v) \in steps_of ac_prefix.
- Proof.
- intros ? LT.
- unfold value_at, step_at in LT.
- destruct ac_prefix as [h2 steps]; simpl in LT.
- rewrite [in X in _ < X](sorted_split _ _ fst t) in LT.
- { rewrite [in X in _ ++ X](eq_filter (a2 := fun x => fst x == t + ε)) in LT; last first.
- { by intros [a b]; simpl; rewrite -addn1 /ε eqn_leq. }
- { destruct ([seq x <- steps | fst x == t + ε]) eqn:LST.
- { rewrite LST in LT.
- rewrite [in X in X ++ _](eq_filter (a2 := fun x => fst x <= t)) in LT; last first.
- { clear; intros [a b]; simpl.
- destruct (leqP a t).
- - by rewrite Bool.andb_true_r; apply/eqP; lia.
- - by rewrite Bool.andb_false_r.
- }
- { by rewrite cats0 ltnn in LT. }
- }
- { destruct p as [t__c v__c]; exists v__c.
- rewrite /steps_of //=; symmetry in LST.
- apply mem_head_impl in LST.
- by move: LST; rewrite mem_filter //= => /andP [/eqP -> IN].
- }
- }
- }
- { move: (H_sorted_leq); clear H_sorted_leq; rewrite /sorted_leq_steps //= => SORT; clear H_no_inf_arrivals.
- induction steps; [by done | simpl in *].
- move: SORT; rewrite path_sortedE; auto using leq_steps_is_transitive; move => /andP [LE SORT].
- apply IHsteps in SORT.
- rewrite path_sortedE; last by intros ? ? ? LE1 LE2; lia.
- apply/andP; split; last by done.
- apply/allP; intros [x y] IN.
- by move: LE => /allP LE; specialize (LE _ IN); move: LE => /andP [LT _].
- }
- Qed.
-
-End ArrivalCurvePrefixSortedLeq.
-
-(* In the next section, we make the stronger assumption that
- arrival-curve prefixes are sorted according to the [ltn_steps]
- relation. *)
-Section ArrivalCurvePrefixSortedLtn.
-
- (** Consider an arbitrary [ltn]-sorted arrival-curve prefix without
- infinite arrivals. *)
- Variable ac_prefix : ArrivalCurvePrefix.
- Hypothesis H_sorted_ltn : sorted_ltn_steps ac_prefix. (* Stronger assumption. *)
- Hypothesis H_no_inf_arrivals : no_inf_arrivals ac_prefix.
-
- (** First, we show that an [ltn]-sorted arrival-curve prefix is an
- [leq]-sorted arrival-curve prefix. *)
- Lemma sorted_ltn_steps_imply_sorted_leq_steps_steps :
- sorted_leq_steps ac_prefix.
- Proof.
- destruct ac_prefix; unfold sorted_leq_steps, sorted_ltn_steps in *; simpl in *.
- clear H_no_inf_arrivals d.
- destruct l; simpl in *; first by done.
- eapply sub_path; last by apply H_sorted_ltn.
- intros [a1 b1] [a2 b2] LT.
- by unfold ltn_steps, leq_steps in *; simpl in *; lia.
- Qed.
-
- (** Next, we show that [step_at 0] is equal to [(0, 0)]. *)
- Lemma step_at_0_is_00 :
- step_at ac_prefix 0 = (0, 0).
- Proof.
- unfold step_at; destruct ac_prefix as [h [ | [t v] steps]]; first by done.
- have TR := ltn_steps_is_transitive.
- move: (H_sorted_ltn); clear H_sorted_ltn; rewrite /sorted_ltn_steps //= path_sortedE // => /andP [ALL LT].
- have EM : [seq step <- steps | fst step <= 0] = [::].
- { apply filter_in_pred0; intros [t' v'] IN.
- move: ALL => /allP ALL; specialize (ALL _ IN); simpl in ALL.
- by rewrite -ltnNge //=; move: ALL; rewrite /ltn_steps //= => /andP [T _ ]; lia. }
- rewrite EM; destruct (posnP t) as [Z | POS].
- { subst t; simpl.
- move: H_no_inf_arrivals; rewrite /no_inf_arrivals /value_at /step_at //= EM //=.
- by move => /eqP EQ; subst v. }
- { by rewrite leqNgt POS //=. }
- Qed.
-
- (** We show that functions [steps_of] and [step_at] are consistent.
- That is, if a pair [(t, v)] is in steps of [ac_prefix], then
- [step_at t] is equal to [(t, v)]. *)
- Lemma step_at_agrees_with_steps_of :
- forall t v, (t, v) \in steps_of ac_prefix -> step_at ac_prefix t = (t, v).
- Proof.
- intros * IN; destruct ac_prefix as [h steps].
- unfold step_at; simpl in *.
- apply in_cat in IN; move: IN => [steps__l [steps__r EQ]]; subst steps.
- apply sorted_cat in H_sorted_ltn; destruct H_sorted_ltn; clear H_sorted_ltn; last by apply ltn_steps_is_transitive.
- rewrite filter_cat last_cat (nonnil_last _ _ (0,0)); last by rewrite //= leqnn.
- move: H0; rewrite //= path_sortedE; auto using ltn_steps_is_transitive; rewrite //= leqnn => /andP [ALL SORT].
- simpl; replace (filter _ _ ) with (@nil (nat * nat)); first by done.
- symmetry; apply filter_in_pred0; intros x IN; rewrite -ltnNge.
- by move: ALL => /allP ALL; specialize (ALL _ IN); move: ALL; rewrite /ltn_steps //= => /andP [LT _ ].
- Qed.
-
-End ArrivalCurvePrefixSortedLtn.
-
-(** In this section, we prove a few basic properties of
- [extrapolated_arrival_curve] function, such as (1) monotonicity of
- [extrapolated_arrival_curve] or (2) implications of the fact that
- [extrapolated_arrival_curve] makes a step at time [t + ε]. *)
-Section ExtrapolatedArrivalCurve.
-
- (** Consider an arbitrary [leq]-sorted arrival-curve prefix without infinite arrivals. *)
- Variable ac_prefix : ArrivalCurvePrefix.
- Hypothesis H_positive : positive_horizon ac_prefix.
- Hypothesis H_sorted_leq : sorted_leq_steps ac_prefix.
-
- (** Let [h] denote the horizon of [ac_prefix] ... *)
- Let h := horizon_of ac_prefix.
-
- (** ... and [prefix] be shorthand for [value_at ac_prefix]. *)
- Let prefix := value_at ac_prefix.
-
- (** We show that [extrapolated_arrival_curve] is monotone. *)
- Lemma extrapolated_arrival_curve_is_monotone :
- monotone leq (extrapolated_arrival_curve ac_prefix).
- Proof.
- intros t1 t2 LE; unfold extrapolated_arrival_curve.
- replace (horizon_of _) with h; last by done.
- move: LE; rewrite leq_eqVlt => /orP [/eqP EQ | LTs].
- { by subst t2. }
- { have ALT : (t1 %/ h == t2 %/ h) \/ (t1 %/ h < t2 %/ h).
- { by apply/orP; rewrite -leq_eqVlt; apply leq_div2r, ltnW. }
- move: ALT => [/eqP EQ | LT].
- { rewrite EQ leq_add2l; apply value_at_monotone => //.
- by apply eqdivn_leqmodn; lia.
- }
- { have EQ: exists k, t1 + k = t2 /\ k > 0.
- { exists (t2 - t1); split; lia. }
- destruct EQ as [k [EQ POS]]; subst t2; clear LTs.
- rewrite divnD; last by done.
- rewrite !mulnDl -!addnA leq_add2l.
- destruct (leqP h k) as [LEk|LTk].
- { eapply leq_trans; last by apply leq_addr.
- move: LEk; rewrite leq_eqVlt => /orP [/eqP EQk | LTk].
- { by subst; rewrite divnn POS mul1n; apply value_at_monotone, ltnW, ltn_pmod. }
- { rewrite -[value_at _ (t1 %% h)]mul1n; apply leq_mul.
- rewrite divn_gt0; [by apply ltnW | by done].
- by apply value_at_monotone, ltnW, ltn_pmod.
- }
- }
- { rewrite divn_small // mul0n add0n.
- rewrite divnD // in LT; move: LT; rewrite -addnA -addn1 leq_add2l divn_small // add0n.
- rewrite lt0b => F; rewrite F; clear F.
- rewrite mul1n; eapply leq_trans; last by apply leq_addr.
- by apply value_at_monotone, ltnW, ltn_pmod.
- }
- }
- }
- Qed.
-
- (** Finally, we show that if
- [extrapolated_arrival_curve t <> extrapolated_arrival_curve (t + ε)],
- then either (1) [t + ε] divides [h] or (2) [prefix (t mod h) < prefix ((t + ε) mod h)]. *)
- Lemma extrapolated_arrival_curve_change :
- forall t,
- extrapolated_arrival_curve ac_prefix t != extrapolated_arrival_curve ac_prefix (t + ε) ->
- (* 1 *) t %/ h < (t + ε) %/ h
- \/ (* 2 *) t %/ h = (t + ε) %/ h /\ prefix (t %% h) < prefix ((t + ε) %% h).
- Proof.
- intros t NEQ.
- have LT := ltn_neqAle (extrapolated_arrival_curve ac_prefix t) (extrapolated_arrival_curve ac_prefix (t + ε)).
- rewrite NEQ in LT; rewrite extrapolated_arrival_curve_is_monotone in LT; last by apply leq_addr.
- clear NEQ; simpl in LT.
- unfold extrapolated_arrival_curve in LT.
- replace (horizon_of _) with h in LT; last by done.
- have AF : forall s1 s2 m x y,
- s1 <= s2 ->
- m * s1 + x < m * s2 + y ->
- s1 < s2 \/ s1 = s2 /\ x < y.
- { clear; intros * LEs LT.
- move: LEs; rewrite leq_eqVlt => /orP [/eqP EQ | LTs].
- { by subst s2; rename s1 into s; right; split; [ done | lia]. }
- { by left. }
- }
- apply AF with (m := prefix h).
- { by apply leq_div2r, leq_addr. }
- { by rewrite ![prefix _ * _]mulnC; apply LT. }
- Qed.
-
-End ExtrapolatedArrivalCurve.
diff --git a/implementation/facts/generic_schedule.v b/implementation/facts/generic_schedule.v
deleted file mode 100644
index 6de5e8de08a19f2b9997bbbedf928c3542a8b1b6..0000000000000000000000000000000000000000
--- a/implementation/facts/generic_schedule.v
+++ /dev/null
@@ -1,99 +0,0 @@
-From mathcomp Require Export ssreflect ssrnat ssrbool eqtype fintype bigop.
-Require Export prosa.implementation.definitions.generic_scheduler.
-Require Export prosa.analysis.facts.transform.replace_at.
-
-(** * Properties of the Generic Reference Scheduler *)
-
-(** This file establishes some facts about the generic reference scheduler that
- constructs a schedule via pointwise scheduling decisions based on a given
- policy and the preceding prefix. *)
-
-Section GenericScheduleProperties.
- (** For any type of jobs and type of schedule, ... *)
- Context {Job : JobType} {PState : ProcessorState Job}.
-
- (** ... any scheduling policy, and ... *)
- Variable policy : PointwisePolicy PState.
-
- (** ... any notion of idleness. *)
- Variable idle_state : PState.
-
- (** For notational convenience, we define [prefix t] to denote the finite
- prefix considered when scheduling a job at time [t]. *)
- Let prefix t := if t is t'.+1 then schedule_up_to policy idle_state t' else empty_schedule idle_state.
-
- (** To begin with, we establish two simple rewriting lemmas for unrolling
- [schedule_up_to]. First, we observe that the allocation is indeed
- determined by the policy based on the preceding prefix. *)
- Lemma schedule_up_to_def:
- forall t,
- schedule_up_to policy idle_state t t = policy (prefix t) t.
- Proof. by elim=> [|n IH]; rewrite [LHS]/schedule_up_to -/(schedule_up_to _) /replace_at; apply ifT. Qed.
-
- (** Second, we note how to replace [schedule_up_to] in the general case with
- its definition. *)
- Lemma schedule_up_to_unfold:
- forall h t,
- schedule_up_to policy idle_state h t = replace_at (prefix h) h (policy (prefix h) h) t.
- Proof. by move=> h t; rewrite [LHS]/schedule_up_to /prefix; elim: h. Qed.
-
- (** Next, we observe that we can increase a prefix's horizon by one
- time unit without changing any allocations in the prefix. *)
- Lemma schedule_up_to_widen:
- forall h t,
- t <= h ->
- schedule_up_to policy idle_state h t = schedule_up_to policy idle_state h.+1 t.
- Proof.
- move=> h t RANGE.
- rewrite [RHS]schedule_up_to_unfold rest_of_schedule_invariant // => EQ.
- now move: RANGE; rewrite EQ ltnn.
- Qed.
-
- (** After the horizon of a prefix, the schedule is still "empty", meaning
- that all instants are idle. *)
- Lemma schedule_up_to_empty:
- forall h t,
- h < t ->
- schedule_up_to policy idle_state h t = idle_state.
- Proof.
- move=> h t.
- elim: h => [LT|h IH LT].
- { rewrite /schedule_up_to rest_of_schedule_invariant // => ZERO.
- now subst. }
- { rewrite /schedule_up_to rest_of_schedule_invariant -/(schedule_up_to _ _ h t);
- first by apply IH => //; apply ltn_trans with (n := h.+1).
- move=> EQ. move: LT.
- now rewrite EQ ltnn. }
- Qed.
-
- (** A crucial fact is that a prefix up to horizon [h1] is identical to a
- prefix up to a later horizon [h2] at times up to [h1]. *)
- Lemma schedule_up_to_prefix_inclusion:
- forall h1 h2,
- h1 <= h2 ->
- forall t,
- t <= h1 ->
- schedule_up_to policy idle_state h1 t = schedule_up_to policy idle_state h2 t.
- Proof.
- move=> h1 h2 LEQ t BEFORE.
- elim: h2 LEQ BEFORE; first by rewrite leqn0 => /eqP ->.
- move=> t' IH.
- rewrite leq_eqVlt ltnS => /orP [/eqP <-|LEQ] // t_H1.
- rewrite IH // schedule_up_to_widen //.
- now apply (leq_trans t_H1).
- Qed.
-
- (** It follows that [generic_schedule] and [schedule_up_to] for a given
- horizon [h] share an identical prefix. *)
- Corollary schedule_up_to_identical_prefix:
- forall h t,
- t <= h.+1 ->
- identical_prefix (schedule_up_to policy idle_state h) (generic_schedule policy idle_state) t.
- Proof.
- move=> h t LE.
- rewrite /identical_prefix /generic_schedule => t' LT.
- rewrite (schedule_up_to_prefix_inclusion t' h) //.
- by move: (leq_trans LT LE); rewrite ltnS.
- Qed.
-
-End GenericScheduleProperties.
diff --git a/implementation/facts/ideal_uni/preemption_aware.v b/implementation/facts/ideal_uni/preemption_aware.v
deleted file mode 100644
index dc6d3ae727bcc32b5a6808cd65154044bb5fd2df..0000000000000000000000000000000000000000
--- a/implementation/facts/ideal_uni/preemption_aware.v
+++ /dev/null
@@ -1,314 +0,0 @@
-Require Export prosa.implementation.facts.generic_schedule.
-Require Export prosa.implementation.definitions.ideal_uni_scheduler.
-Require Export prosa.analysis.facts.model.ideal.schedule.
-Require Export prosa.model.schedule.limited_preemptive.
-
-(** * Properties of the Preemption-Aware Ideal Uniprocessor Scheduler *)
-
-(** This file establishes facts about the reference model of a
- preemption-model-aware ideal uniprocessor scheduler. *)
-
-(** The following results assume ideal uniprocessor schedules. *)
-Require Import prosa.model.processor.ideal.
-
-Section NPUniprocessorScheduler.
-
- (** Consider any type of jobs with costs and arrival times, ... *)
- Context {Job : JobType} `{JobCost Job} `{JobArrival Job}.
-
- (** ... in the context of an ideal uniprocessor model. *)
- Let PState := ideal.processor_state Job.
- Let idle_state : PState := None.
-
- (** Suppose we are given a consistent arrival sequence of such jobs, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_consistent_arrival_times: consistent_arrival_times arr_seq.
-
- (** ... a non-clairvoyant readiness model, ... *)
- Context {RM: JobReady Job (ideal.processor_state Job)}.
- Hypothesis H_nonclairvoyant_job_readiness: nonclairvoyant_readiness RM.
-
- (** ... and a preemption model. *)
- Context `{JobPreemptable Job}.
-
- (** For any given job selection policy ... *)
- Variable choose_job : instant -> seq Job -> option Job.
-
- (** ... consider the schedule produced by the preemption-aware scheduler for
- the policy induced by [choose_job]. *)
- Let schedule := pmc_uni_schedule arr_seq choose_job.
- Let policy := allocation_at arr_seq choose_job.
-
- (** To begin with, we establish that the preemption-aware scheduler does not
- induce non-work-conserving behavior. *)
- Section WorkConservation.
-
- (** If [choose_job] does not voluntarily idle the processor, ... *)
- Hypothesis H_non_idling:
- forall t s,
- choose_job t s = idle_state <-> s = [::].
-
- (** ... then we can establish work-conservation. *)
-
- (** First, we observe that [allocation_at] yields [idle_state] only if there are
- no backlogged jobs. *)
- Lemma allocation_at_idle:
- forall sched t,
- allocation_at arr_seq choose_job sched t = idle_state ->
- jobs_backlogged_at arr_seq sched t = [::].
- Proof.
- move=> sched t.
- elim: t => [|t _]; first by apply H_non_idling.
- rewrite /allocation_at /prev_job_nonpreemptive.
- elim: (sched t) => [j'|]; last by apply H_non_idling.
- move=> SCHED.
- destruct (job_ready sched j' t.+1 && ~~ job_preemptable j' (service sched j' t.+1)) => //.
- by apply (H_non_idling t.+1).
- Qed.
-
- (** As a stepping stone, we observe that the generated schedule is idle at
- a time [t] only if there are no backlogged jobs. *)
- Lemma idle_schedule_no_backlogged_jobs:
- forall t,
- is_idle schedule t ->
- jobs_backlogged_at arr_seq schedule t = [::].
- Proof.
- move=> t.
- rewrite /is_idle /schedule /pmc_uni_schedule /generic_schedule => /eqP.
- move=> NONE. move: (NONE).
- rewrite schedule_up_to_def => IDLE.
- apply allocation_at_idle in IDLE.
- rewrite -IDLE.
- apply backlogged_jobs_prefix_invariance with (h := t.+1) => //.
- rewrite /identical_prefix => x.
- rewrite ltnS leq_eqVlt => /orP [/eqP ->|LT]; last first.
- { elim: t LT IDLE NONE => // => h IH LT_x IDLE NONE.
- by apply schedule_up_to_prefix_inclusion. }
- { elim: t IDLE NONE => [IDLE _| t' _ _ ->]; last by rewrite schedule_up_to_empty.
- rewrite /schedule_up_to replace_at_def.
- by rewrite /allocation_at /prev_job_nonpreemptive IDLE H_non_idling. }
- Qed.
-
- (** From the preceding fact, we conclude that the generated schedule is
- indeed work-conserving. *)
- Theorem np_schedule_work_conserving:
- work_conserving arr_seq schedule.
- Proof.
- move=> j t ARRIVES BACKLOGGED.
- move: (@ideal_proc_model_sched_case_analysis Job schedule t) => [IDLE|SCHED]; last by exact.
- exfalso.
- have NON_EMPTY: j \in jobs_backlogged_at arr_seq schedule t by apply mem_backlogged_jobs => //.
- clear BACKLOGGED.
- move: (idle_schedule_no_backlogged_jobs t IDLE) => EMPTY.
- by rewrite EMPTY in NON_EMPTY.
- Qed.
-
- End WorkConservation.
-
- (** The next result establishes that the generated preemption-model-aware
- schedule is structurally valid, meaning all jobs stem from the arrival
- sequence and only ready jobs are scheduled. *)
- Section Validity.
-
- (** First, any reasonable job selection policy will not create jobs "out
- of thin air," i.e., if a job is selected, it was among those given
- to choose from. *)
- Hypothesis H_chooses_from_set: forall t s j, choose_job t s = Some j -> j \in s.
-
- (** Second, for the schedule to be valid, we require the notion of readiness
- to be consistent with the preemption model: a non-preemptive job remains
- ready until (at least) the end of its current non-preemptive section. *)
- Hypothesis H_valid_preemption_behavior: valid_nonpreemptive_readiness RM schedule.
-
- (** Finally, we assume the readiness model to be non-clairvoyant. *)
- Hypothesis H_nonclairvoyant_readiness: nonclairvoyant_readiness RM.
-
- (** For notational convenience, recall the definition of a prefix of the
- schedule based on which the next decision is made. *)
- Let sched_prefix t :=
- if t is t'.+1 then schedule_up_to policy None t' else empty_schedule idle_state.
-
- (** We begin by showing that any job in the schedule must come from the arrival
- sequence used to generate it. *)
- Lemma np_schedule_jobs_from_arrival_sequence:
- jobs_come_from_arrival_sequence schedule arr_seq.
- Proof.
- move=> j t; rewrite scheduled_at_def /schedule /pmc_uni_schedule /generic_schedule.
- elim: t => [/eqP | t' IH /eqP].
- - rewrite schedule_up_to_def /allocation_at /prev_job_nonpreemptive => IN.
- move: (H_chooses_from_set _ _ _ IN).
- by apply backlogged_job_arrives_in.
- - rewrite schedule_up_to_def /allocation_at.
- case: (prev_job_nonpreemptive (schedule_up_to _ _ t') t'.+1) => [|IN].
- + by rewrite -pred_Sn => SCHED; apply IH; apply /eqP.
- + move: (H_chooses_from_set _ _ _ IN).
- by apply backlogged_job_arrives_in.
- Qed.
-
- (** Next, we show that any job selected by the job selection policy must
- be ready. *)
- Theorem chosen_job_is_ready:
- forall j t,
- choose_job t (jobs_backlogged_at arr_seq (sched_prefix t) t) == Some j ->
- job_ready schedule j t.
- Proof.
- move=> j t /eqP SCHED.
- apply H_chooses_from_set in SCHED.
- move: SCHED; rewrite mem_filter => /andP [/andP[READY _] IN].
- rewrite (H_nonclairvoyant_readiness _ (sched_prefix t) j t) //.
- move=> t' LEQt'.
- rewrite /schedule /pmc_uni_schedule /generic_schedule
- schedule_up_to_def /sched_prefix.
- destruct t => //=.
- rewrite -schedule_up_to_def.
- by apply (schedule_up_to_prefix_inclusion policy).
- Qed.
-
- (** Starting from the previous result we show that, at any instant, only
- a ready job can be scheduled. *)
- Theorem jobs_must_be_ready:
- jobs_must_be_ready_to_execute schedule.
- Proof.
- move=> j t SCHED.
- rewrite scheduled_at_def /schedule /uni_schedule /pmc_uni_schedule
- /allocation_at /generic_schedule schedule_up_to_def //= in SCHED.
- destruct (prev_job_nonpreemptive _) eqn:PREV.
- { destruct t => //; rewrite //= in SCHED, PREV.
- destruct (schedule_up_to) => //.
- move: PREV => /andP [READY _].
- move: SCHED=> /eqP SCHED.
- injection SCHED => EQ; rewrite -> EQ in *.
- erewrite (H_nonclairvoyant_readiness _ _ j t.+1); [by apply READY| |by done].
- move=> t' LT.
- rewrite /schedule /pmc_uni_schedule /generic_schedule //=.
- rewrite /allocation_at //=.
- by apply (schedule_up_to_prefix_inclusion policy). }
- { by apply chosen_job_is_ready. }
- Qed.
-
- (** Finally, we show that the generated schedule is valid. *)
- Theorem np_schedule_valid:
- valid_schedule schedule arr_seq.
- Proof.
- rewrite /valid_schedule; split; first by apply np_schedule_jobs_from_arrival_sequence.
- move=> j t; rewrite scheduled_at_def /schedule /pmc_uni_schedule /generic_schedule.
- elim: t => [/eqP |t' IH /eqP].
- { rewrite schedule_up_to_def /allocation_at /prev_job_nonpreemptive => IN.
- move: (H_chooses_from_set _ _ _ IN).
- rewrite mem_filter /backlogged => /andP [/andP [READY _] _].
- now rewrite -(H_nonclairvoyant_job_readiness (empty_schedule idle_state) schedule j 0). }
- { rewrite schedule_up_to_def /allocation_at /prev_job_nonpreemptive.
- have JOB: choose_job t'.+1 (jobs_backlogged_at arr_seq (schedule_up_to policy idle_state t') t'.+1)
- = Some j
- -> job_ready schedule j t'.+1.
- { move=> IN.
- move: (H_chooses_from_set _ _ _ IN).
- rewrite mem_filter /backlogged => /andP [/andP [READY _] _].
- rewrite -(H_nonclairvoyant_job_readiness (schedule_up_to policy idle_state t') schedule j t'.+1) //.
- rewrite /identical_prefix /schedule /pmc_uni_schedule /generic_schedule => t'' LT.
- now rewrite (schedule_up_to_prefix_inclusion _ _ t'' t') //. }
- case: (schedule_up_to _ _ t' t') => [j' | IN]; last by apply JOB.
- destruct (job_ready _ _ _ && ~~ job_preemptable j' _) eqn:NP => [EQ|IN]; last by apply JOB.
- apply H_valid_preemption_behavior.
- injection EQ => <-.
- move: NP.
- have <-: (service (schedule_up_to policy idle_state t') j' t'.+1
- = service (fun t : instant => schedule_up_to policy idle_state t t) j' t'.+1) => //.
- rewrite /service.
- apply equal_prefix_implies_same_service_during => t /andP [_ BOUND].
- now rewrite (schedule_up_to_prefix_inclusion _ _ t t').
- rewrite //=.
- by move=> /andP [? ?]. }
- Qed.
-
- End Validity.
-
- (** Next, we observe that the resulting schedule is consistent with the
- definition of "preemption times". *)
- Section PreemptionTimes.
-
- (** For notational convenience, recall the definition of a prefix of the
- schedule based on which the next decision is made. *)
- Let prefix t := if t is t'.+1 then schedule_up_to policy idle_state t' else empty_schedule idle_state.
-
- (** First, we observe that non-preemptive jobs remain scheduled as long as
- they are non-preemptive. *)
- Lemma np_job_remains_scheduled:
- forall t,
- prev_job_nonpreemptive (prefix t) t ->
- schedule_up_to policy idle_state t t = schedule_up_to policy idle_state t t.-1.
- Proof.
- elim => [|t _] // NP.
- rewrite schedule_up_to_def /allocation_at /policy /allocation_at.
- rewrite ifT // -pred_Sn.
- by rewrite schedule_up_to_widen.
- Qed.
-
- (** From this, we conclude that the predicate used to determine whether the
- previously scheduled job is nonpreemptive in the computation of
- [np_uni_schedule] is consistent with the existing notion of a
- [preemption_time]. *)
- Lemma np_consistent:
- forall t,
- prev_job_nonpreemptive (prefix t) t ->
- ~~ preemption_time schedule t.
- Proof.
- elim => [|t _]; first by rewrite /prev_job_nonpreemptive.
- rewrite /schedule /pmc_uni_schedule /generic_schedule /preemption_time
- schedule_up_to_def /prefix /allocation_at => NP.
- rewrite ifT // -pred_Sn.
- move: NP; rewrite /prev_job_nonpreemptive.
- elim: (schedule_up_to policy idle_state t t) => // j.
- have ->: (service (fun t0 : instant => schedule_up_to policy idle_state t0 t0) j t.+1 =
- service (schedule_up_to policy idle_state t) j t.+1) => //.
- rewrite /service.
- apply equal_prefix_implies_same_service_during => t' /andP [_ BOUND].
- rewrite (schedule_up_to_prefix_inclusion _ _ t' t) //.
- by move=> /andP [? ?].
- Qed.
-
- End PreemptionTimes.
-
- (** Finally, we establish the main feature: the generated schedule respects
- the preemption-model semantics. *)
- Section PreemptionCompliance.
-
- (** As a minimal validity requirement (which is a part of
- [valid_preemption_model]), we require that any job in [arr_seq] must
- start execution to become nonpreemptive. *)
- Hypothesis H_valid_preemption_function :
- forall j,
- arrives_in arr_seq j ->
- job_cannot_become_nonpreemptive_before_execution j.
-
- (** Second, for the schedule to be valid, we require the notion of readiness
- to be consistent with the preemption model: a non-preemptive job remains
- ready until (at least) the end of its current non-preemptive section. *)
- Hypothesis H_valid_preemption_behavior: valid_nonpreemptive_readiness RM schedule.
-
- (** Given such a valid preemption model, we establish that the generated
- schedule indeed respects the preemption model semantics. *)
- Lemma np_respects_preemption_model :
- schedule_respects_preemption_model arr_seq schedule.
- Proof.
- move=> j.
- elim => [| t' IH];[by rewrite service0=>ARR /negP ?;move:(H_valid_preemption_function j ARR)|].
- move=> ARR NP.
- have: scheduled_at schedule j t'.
- { apply contraT => NOT_SCHED.
- move: (not_scheduled_implies_no_service _ _ _ NOT_SCHED) => NO_SERVICE.
- rewrite -(service_last_plus_before) NO_SERVICE addn0 in NP; apply IH in NP => //.
- by move /negP in NOT_SCHED. }
- rewrite !scheduled_at_def /schedule/pmc_uni_schedule/generic_schedule => /eqP SCHED.
- rewrite -SCHED (schedule_up_to_prefix_inclusion _ _ t' t'.+1) // np_job_remains_scheduled //.
- rewrite /prev_job_nonpreemptive SCHED.
- rewrite (identical_prefix_service _ schedule); last by apply schedule_up_to_identical_prefix.
- apply /andP; split => //.
- rewrite (H_nonclairvoyant_job_readiness _ schedule _ t'.+1) //.
- - by apply H_valid_preemption_behavior.
- - by apply schedule_up_to_identical_prefix.
- Qed.
-
- End PreemptionCompliance.
-
-End NPUniprocessorScheduler.
diff --git a/implementation/facts/ideal_uni/prio_aware.v b/implementation/facts/ideal_uni/prio_aware.v
deleted file mode 100644
index bb279dc5e515df3441e96cb400841be37b7b2303..0000000000000000000000000000000000000000
--- a/implementation/facts/ideal_uni/prio_aware.v
+++ /dev/null
@@ -1,144 +0,0 @@
-Require Export prosa.implementation.facts.ideal_uni.preemption_aware.
-
-(** * Ideal Uniprocessor Scheduler Properties *)
-
-(** This file establishes facts about the reference model of a priority- and
- preemption-model-aware ideal uniprocessor scheduler. *)
-
-Section PrioAwareUniprocessorScheduler.
-
- (** Consider any type of jobs with costs and arrival times, ... *)
- Context {Job : JobType} {JC : JobCost Job} {JA : JobArrival Job}.
-
- (** ... in the context of an ideal uniprocessor model. *)
- Let PState := ideal.processor_state Job.
- Let idle_state : PState := None.
-
- (** Suppose we are given a consistent arrival sequence of such jobs, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_consistent_arrival_times: consistent_arrival_times arr_seq.
-
- (** ... a non-clairvoyant readiness model, ... *)
- Context {RM : JobReady Job (ideal.processor_state Job)}.
- Hypothesis H_nonclairvoyant_job_readiness: nonclairvoyant_readiness RM.
-
- (** ... a preemption model, ... *)
- Context `{JobPreemptable Job}.
-
- (** ... and reflexive, total, and transitive JLDP priority policy. *)
- Context `{JLDP : JLDP_policy Job}.
- Hypothesis H_reflexive_priorities: reflexive_priorities.
- Hypothesis H_total: total_priorities.
- Hypothesis H_transitive: transitive_priorities.
-
- (** Consider the schedule generated by the preemption-policy- and
- priority-aware ideal uniprocessor scheduler... *)
- Let schedule := uni_schedule arr_seq.
-
- (** ...and assume that the preemption model is consistent with the
- readiness model. *)
- Hypothesis H_valid_preemption_behavior:
- valid_nonpreemptive_readiness RM schedule.
-
- (** First, we note that the priority-aware job selection policy obviously
- maintains work-conservation. *)
- Corollary uni_schedule_work_conserving:
- work_conserving arr_seq schedule.
- Proof.
- apply np_schedule_work_conserving => //.
- move=> t jobs.
- rewrite /choose_highest_prio_job; split.
- - by apply supremum_none.
- - by move=> ->.
- Qed.
-
- (** Second, we similarly note that schedule validity is also maintained. *)
- Corollary uni_schedule_valid:
- valid_schedule schedule arr_seq.
- Proof.
- apply np_schedule_valid => //.
- move=> t jobs j.
- by apply supremum_in.
- Qed.
-
- (** Third, the schedule respects also the preemption model semantics. *)
- Section PreemptionCompliance.
-
- (** Suppose that every job in [arr_seq] adheres to the basic validity
- requirement that jobs must start execution to become nonpreemptive. *)
- Hypothesis H_valid_preemption_function :
- forall j,
- arrives_in arr_seq j ->
- job_cannot_become_nonpreemptive_before_execution j.
-
- (** Since [uni_schedule arr_seq] is an instance of [np_uni_schedule], the
- compliance of [schedule] with the preemption model follows trivially
- from the compliance of [np_uni_schedule]. *)
- Corollary schedule_respects_preemption_model :
- schedule_respects_preemption_model arr_seq schedule.
- Proof.
- by apply np_respects_preemption_model.
- Qed.
-
- End PreemptionCompliance.
-
- (** Now we proceed to the main property of the priority-aware scheduler: in
- the following section we establish that [uni_schedule arr_seq] is
- compliant with the given priority policy whenever jobs are
- preemptable. *)
- Section Priority.
-
- (** For notational convenience, recall the definitions of the job-selection
- policy and a prefix of the schedule based on which the next decision is
- made. *)
- Let policy := allocation_at arr_seq choose_highest_prio_job.
- Let prefix t := if t is t'.+1 then schedule_up_to policy idle_state t' else empty_schedule idle_state.
-
- (** To start, we observe that, at preemption times, the scheduled job is a
- supremum w.r.t. to the priority order and the set of backlogged
- jobs. *)
- Lemma scheduled_job_is_supremum:
- forall j t,
- scheduled_at schedule j t ->
- preemption_time schedule t ->
- supremum (hep_job_at t) (jobs_backlogged_at arr_seq (prefix t) t) = Some j.
- Proof.
- move=> j t SCHED PREEMPT.
- have NOT_NP: ~~ prev_job_nonpreemptive (prefix t) t.
- { apply contraL with (b := preemption_time (uni_schedule arr_seq) t) => //.
- now apply np_consistent. }
- move: SCHED.
- rewrite scheduled_at_def => /eqP.
- rewrite {1}/schedule/uni_schedule/pmc_uni_schedule/generic_schedule schedule_up_to_def /allocation_at -/(prefix t).
- rewrite ifF //.
- now apply negbTE.
- Qed.
-
- (** From the preceding facts, we conclude that [uni_schedule arr_seq]
- respects the priority policy at preemption times. *)
- Theorem schedule_respects_policy :
- respects_JLDP_policy_at_preemption_point arr_seq schedule JLDP.
- Proof.
- move=> j1 j2 t ARRIVES PREEMPT BACK_j1 SCHED_j2.
- case: (boolP (scheduled_at (uni_schedule arr_seq) j1 t)) => [SCHED_j1|NOT_SCHED_j1].
- { have <-: j1 = j2 by apply (ideal_proc_model_is_a_uniprocessor_model j1 j2 (uni_schedule arr_seq) t).
- by apply H_reflexive_priorities. }
- { move: BACK_j1.
- have ->: backlogged (uni_schedule arr_seq) j1 t = backlogged (prefix t) j1 t.
- { apply backlogged_prefix_invariance' with (h := t) => //.
- rewrite /identical_prefix /uni_schedule /prefix => t' LT.
- induction t => //.
- rewrite /pmc_uni_schedule/generic_schedule (schedule_up_to_prefix_inclusion _ _ t' t) //.
- rewrite /prefix scheduled_at_def.
- induction t => //.
- now rewrite schedule_up_to_empty. }
- move=> BACK_j1.
- move: (scheduled_job_is_supremum j2 t SCHED_j2 PREEMPT) => SUPREMUM.
- apply supremum_spec with (s := jobs_backlogged_at arr_seq (prefix t) t) => //.
- now apply mem_backlogged_jobs. }
- Qed.
-
- End Priority.
-
-End PrioAwareUniprocessorScheduler.
-
diff --git a/implementation/facts/job_constructor.v b/implementation/facts/job_constructor.v
deleted file mode 100644
index 4f01242ce43873c969c0d1bcf0918be2c56ac720..0000000000000000000000000000000000000000
--- a/implementation/facts/job_constructor.v
+++ /dev/null
@@ -1,81 +0,0 @@
-Require Export prosa.implementation.definitions.job_constructor.
-
-(** In this file, we prove facts about the job-constructor function when used in
- pair with the concrete arrival sequence. *)
-Section JobConstructor.
-
- (** Assume that an arrival curve based on a concrete prefix is given. *)
- #[local] Existing Instance ConcreteMaxArrivals.
-
- (** Consider a task set [ts] with non-duplicate tasks. *)
- Variable ts : seq Task.
- Hypothesis H_ts_uniq : uniq ts.
-
- (** First, we show that [generate_jobs_at tsk n t] generates n jobs ... *)
- Lemma job_generation_valid_number:
- forall tsk n t,
- tsk \in ts -> size (generate_jobs_at tsk n t) = n.
- Proof.
- move=> tsk n t IN.
- by rewrite size_map size_iota.
- Qed.
-
- (** ... and that each generated job is unique. *)
- Lemma generate_jobs_at_unique:
- forall tsk n t,
- uniq (generate_jobs_at tsk n t).
- Proof.
- move=> tsk n t.
- rewrite /generate_jobs_at //= /generate_job_at map_inj_uniq //=;
- first by apply iota_uniq.
- by move=> x1 x2 /eqP /andP [/andP [/andP [/andP [//= /eqP EQ _] _] _] _].
- Qed.
-
- (** Next, for convenience, we define [arr_seq] as the concrete arrival
- sequence used with the job constructor. *)
- Let arr_seq := concrete_arrival_sequence generate_jobs_at ts.
-
- (** We start by proving that the arrival time of a job is consistent with its
- positioning inside the arrival sequence. *)
- Lemma job_arrival_consistent:
- forall j t,
- j \in arrivals_at arr_seq t -> job_arrival j = t.
- Proof. by move=> j t /mem_bigcat_exists [tsk [TSK_IN /mapP [i INi] ->]]. Qed.
-
- (** Next, we show that the list of arrivals at any time [t] is unique ... *)
- Lemma arrivals_at_unique:
- forall t,
- uniq (arrivals_at arr_seq t).
- Proof.
- move=> t.
- apply bigcat_uniq => //=;
- first by move=> tau; apply: generate_jobs_at_unique.
- move=> j task1 task2 /mapP[i1 IN1 EQj1] /mapP[i2 IN2 EQj2].
- by move: EQj1 EQj2 => -> [_].
- Qed.
-
- (** ... and generalize the above result to arbitrary time intervals. *)
- Lemma arrivals_between_unique:
- forall t1 t2,
- uniq (arrivals_between arr_seq t1 t2).
- Proof.
- move=> t1 t2.
- rewrite /arrivals_between.
- apply bigcat_nat_uniq.
- - by apply arrivals_at_unique.
- - move=> j jt1 jt2 IN1 IN2.
- by move: (job_arrival_consistent j jt1 IN1)
- (job_arrival_consistent j jt2 IN2) => <- <-.
- Qed.
-
- (** Finally, we observe that [generate_jobs_at tsk n t] indeed generates jobs
- of task [tsk] that arrive at [t] *)
- Corollary job_generation_valid_jobs:
- forall tsk n t j,
- j \in generate_jobs_at tsk n t ->
- job_task j = tsk
- /\ job_arrival j = t
- /\ job_cost j <= task_cost tsk.
- Proof. by move=> tsk n t j /mapP [i INi] ->. Qed.
-
-End JobConstructor.
diff --git a/implementation/facts/maximal_arrival_sequence.v b/implementation/facts/maximal_arrival_sequence.v
deleted file mode 100644
index 73856ca8829522332e06b964d14d03dc113e2f0d..0000000000000000000000000000000000000000
--- a/implementation/facts/maximal_arrival_sequence.v
+++ /dev/null
@@ -1,266 +0,0 @@
-Require Export prosa.analysis.facts.model.task_arrivals.
-Require Export prosa.implementation.definitions.maximal_arrival_sequence.
-
-(** Recall that, given an arrival curve [max_arrivals] and a
- job-generating function [generate_jobs_at], the function
- [concrete_arrival_sequence] generates an arrival sequence. In this
- section, we prove a few properties of this function. *)
-Section MaximalArrivalSequence.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider a task set [ts] with non-duplicate tasks. *)
- Variable ts : seq Task.
- Hypothesis H_ts_uniq : uniq ts.
-
- (** Let [max_arrivals] be a family of valid arrival curves, i.e.,
- for any task [tsk] in [ts], [max_arrival tsk] is (1) an arrival
- bound of [tsk], and (2) it is a monotonic function that equals [0]
- for the empty interval [delta = 0]. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
-
- (** Further assume we are given a function that generates the required number of
- jobs of a given task at a given instant of time. *)
- Variable generate_jobs_at : Task -> nat -> instant -> seq Job.
-
- (** First, we assume that [generate_jobs_at tsk n t] generates [n] jobs. *)
- Hypothesis H_job_generation_valid_number:
- forall (tsk : Task) (n : nat) (t : instant), tsk \in ts -> size (generate_jobs_at tsk n t) = n.
-
- (** Second, we assume that [generate_jobs_at tsk n t] generates jobs of task
- [tsk] that arrive at time [t]. *)
- Hypothesis H_job_generation_valid_jobs:
- forall (tsk : Task) (n : nat) (t : instant) (j : Job),
- (j \in generate_jobs_at tsk n t) ->
- job_task j = tsk
- /\ job_arrival j = t
- /\ job_cost j <= task_cost tsk.
-
- (** Finally, we assume that all jobs generated by [generate_jobs_at] are unique. *)
- Hypothesis H_jobs_unique:
- forall (t1 t2 : instant),
- uniq (arrivals_between (concrete_arrival_sequence generate_jobs_at ts) t1 t2).
-
- (** Assuming such a well-behaved "constructor" [generate_jobs_at], we prove a
- few validity claims about an arrival sequence generated by
- [concrete_arrival_sequence]. *)
- Section ValidityClaims.
-
- (** We start by showing that the obtained arrival sequence is a set. *)
- Lemma arr_seq_is_a_set :
- arrival_sequence_uniq (concrete_arrival_sequence generate_jobs_at ts).
- Proof.
- move=> t.
- move: (H_jobs_unique t t.+1).
- by rewrite /arrivals_between big_nat1.
- Qed.
-
- (** Next, we show that all jobs in the arrival sequence come from [ts]. *)
- Lemma concrete_all_jobs_from_taskset :
- all_jobs_from_taskset (concrete_arrival_sequence generate_jobs_at ts) ts.
- Proof.
- move=> j [t /mem_bigcat_exists [tsk [TSK_IN IN]]].
- move: (H_job_generation_valid_jobs tsk _ _ _ IN) => [JOB_TASK _].
- by rewrite JOB_TASK.
- Qed.
-
- (** Further, we note that the jobs in the arrival sequence have consistent
- arrival times. *)
- Lemma arrival_times_are_consistent :
- consistent_arrival_times (concrete_arrival_sequence generate_jobs_at ts).
- Proof.
- move=> j t /mem_bigcat_exists [tsk [TSK_IN IN]].
- by move: (H_job_generation_valid_jobs tsk _ _ _ IN) => [_ [JOB_ARR _]].
- Qed.
-
- (** Lastly, we observe that the jobs in the arrival sequence have valid job
- costs. *)
- Lemma concrete_valid_job_cost :
- arrivals_have_valid_job_costs (concrete_arrival_sequence generate_jobs_at ts).
- Proof.
- move=> j [t /mem_bigcat_exists [tsk [TSK_IN IN]]].
- move: (H_job_generation_valid_jobs tsk _ _ _ IN) => [JOB_TASK [_ JOB_COST]].
- by rewrite /valid_job_cost JOB_TASK.
- Qed.
-
- End ValidityClaims.
-
- (** In this section, we prove a series of facts regarding the maximal arrival
- sequence, leading up to the main theorem that all arrival-curve
- constraints are respected. *)
- Section Facts.
-
- (** Let [tsk] be any task in [ts] that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** First, we show that the arrivals at time [t] are indeed generated by
- [generate_jobs_at] applied at time [t]. *)
- Lemma task_arrivals_at_eq_generate_jobs_at:
- forall t,
- task_arrivals_at (concrete_arrival_sequence generate_jobs_at ts) tsk t
- = generate_jobs_at tsk (max_arrivals_at tsk t) t.
- Proof.
- move=> t.
- rewrite /task_arrivals_at bigcat_filter_eq_filter_bigcat bigcat_seq_uniqK // => tsk0 j INj.
- apply H_job_generation_valid_jobs in INj.
- by destruct INj.
- Qed.
-
- (** Next, we show that the number of arrivals at time [t] always matches
- [max_arrivals_at] applied at time [t]. *)
- Lemma task_arrivals_at_eq:
- forall t,
- size (task_arrivals_at (concrete_arrival_sequence generate_jobs_at ts) tsk t)
- = max_arrivals_at tsk t.
- Proof.
- move=> t.
- rewrite task_arrivals_at_eq_generate_jobs_at //.
- by apply H_job_generation_valid_number.
- Qed.
-
- (** We then generalize the previous result to an arbitrary interval
- <<[t1,t2)>>. *)
- Lemma number_of_task_arrivals_eq :
- forall t1 t2,
- number_of_task_arrivals (concrete_arrival_sequence generate_jobs_at ts) tsk t1 t2
- = \sum_(t1 <= t < t2) max_arrivals_at tsk t.
- Proof.
- move=> t1 t2.
- rewrite /number_of_task_arrivals task_arrivals_between_is_cat_of_task_arrivals_at -size_big_nat.
- apply eq_big_nat => t RANGE.
- by apply task_arrivals_at_eq.
- Qed.
-
- (** We further show that, starting from an empty prefix and applying
- [extend_arrival_prefix] [t] times, we end up with a prefix of size
- [t]... *)
- Lemma extend_horizon_size :
- forall t,
- size (iter t (extend_arrival_prefix tsk) [::]) = t.
- Proof. by elim=> // t IHt; rewrite size_cat IHt //=; lia. Qed.
-
- (** ...and that the arrival sequence prefix up to an arbitrary horizon
- [t] is a sequence of [t+1] elements. *)
- Lemma prefix_up_to_size :
- forall t,
- size (maximal_arrival_prefix tsk t) = t.+1.
- Proof.
- by elim=> // t IHt; rewrite /maximal_arrival_prefix /extend_arrival_prefix size_cat IHt //=; lia.
- Qed.
-
- (** Next, we prove prefix inclusion for [maximal_arrival_prefix] when the
- horizon is expanded by one... *)
- Lemma n_arrivals_at_prefix_inclusion1 :
- forall t h,
- t <= h ->
- nth 0 (maximal_arrival_prefix tsk h) t
- = nth 0 (maximal_arrival_prefix tsk h.+1) t.
- Proof.
- move=> t h LEQ.
- rewrite /maximal_arrival_prefix //= {3}/extend_arrival_prefix nth_cat prefix_up_to_size.
- by case: (ltnP t h.+1); lia.
- Qed.
-
- (** ...and we generalize the previous result to two arbitrary horizons [h1 <= h2]. *)
- Lemma n_arrivals_at_prefix_inclusion :
- forall t h1 h2,
- t <= h1 <= h2 ->
- nth 0 (maximal_arrival_prefix tsk h1) t = nth 0 (maximal_arrival_prefix tsk h2) t.
- Proof.
- move=> t h1 h2 /andP[LEQh1 LEQh2].
- induction h2; [by have -> : h1 = 0; lia |].
- rewrite leq_eqVlt in LEQh2.
- move: LEQh2 => /orP [/eqP EQ | LT]; first by rewrite EQ.
- feed IHh2; first by lia.
- rewrite -n_arrivals_at_prefix_inclusion1 //.
- by lia.
- Qed.
-
- (** Next, we prove that, for any positive time instant [t], [max_arrivals_at] indeed
- matches the arrivals of [next_max_arrival] applied at [t-1]. *)
- Lemma max_arrivals_at_next_max_arrivals_eq:
- forall t,
- 0 < t ->
- max_arrivals_at tsk t
- = next_max_arrival tsk (maximal_arrival_prefix tsk t.-1).
- Proof.
- move => t GT0.
- move: prefix_up_to_size; rewrite /maximal_arrival_prefix => PUS.
- rewrite /max_arrivals_at /maximal_arrival_prefix {1}/extend_arrival_prefix nth_cat extend_horizon_size //= ltnn //= subnn //=.
- by destruct t.
- Qed.
-
- (** Given a time instant [t] and and interval [Δ], we show that
- [max_arrivals_at] applied at time [t] is always less-or-equal to
- [max_arrivals] applied to [Δ+1], even when each value of
- [max_arrivals_at] in the interval <<[t-Δ, t)>> is subtracted from it. *)
- Lemma n_arrivals_at_leq :
- forall t Δ,
- Δ <= t ->
- max_arrivals_at tsk t
- <= max_arrivals tsk Δ.+1 - \sum_(t - Δ <= i < t) max_arrivals_at tsk i.
- Proof.
- move=> t Δ LEQ.
- move: (H_valid_arrival_curve tsk H_tsk_in_ts) => [ZERO MONO].
- destruct t.
- { rewrite unlock //= subn0.
- rewrite /max_arrivals_at /maximal_arrival_prefix /extend_arrival_prefix
- /next_max_arrival //= /suffix_sum subn0 unlock subn0.
- by apply MONO. }
- { rewrite max_arrivals_at_next_max_arrivals_eq; last by done.
- rewrite /next_max_arrival /jobs_remaining prefix_up_to_size.
- simpl (t.+1.-1).
- destruct supremum eqn:SUP; last by move:(supremum_none _ _ SUP); rewrite map_cons.
- eapply (supremum_spec _ leqnn leq_total leq_trans _ _ SUP).
- rewrite /suffix_sum prefix_up_to_size /max_arrivals_at.
- have -> : \sum_(t.+1 - Δ <= i < t.+1) nth 0 (maximal_arrival_prefix tsk i) i =
- \sum_(t.+1 - Δ <= i < t.+1) nth 0 (maximal_arrival_prefix tsk t) i.
- { apply eq_big_nat => i RANGE.
- by apply n_arrivals_at_prefix_inclusion; lia. }
- set f := fun x => max_arrivals _ x.+1 - \sum_(t.+1-x <= i < t.+1) nth 0 (maximal_arrival_prefix _ t) i.
- have-> : max_arrivals tsk Δ.+1 - \sum_(t.+1 - Δ <= i < t.+1) nth 0 (maximal_arrival_prefix tsk t) i = f Δ by done.
- apply map_f.
- by rewrite mem_iota; lia. }
- Qed.
-
- End Facts.
-
- (** Finally, we prove our main result, that is, the proposed maximal arrival
- sequence instantiation indeed respects all arrival-curve constraints. *)
- Theorem concrete_is_arrival_curve :
- taskset_respects_max_arrivals (concrete_arrival_sequence generate_jobs_at ts) ts.
- Proof.
- move=> tsk IN t1 t LEQ.
- set Δ := t - t1.
- replace t1 with (t-Δ); last by lia.
- have LEQd: Δ <= t by lia.
- generalize Δ LEQd; clear LEQ Δ LEQd.
- induction t; move => Δ LEQ.
- { rewrite sub0n.
- rewrite number_of_task_arrivals_eq //.
- by vm_compute; rewrite unlock. }
- { rewrite number_of_task_arrivals_eq //.
- destruct Δ; first by rewrite /index_iota subnn; vm_compute; rewrite unlock.
- rewrite subSS.
- specialize (IHt Δ).
- feed IHt; first by lia.
- rewrite number_of_task_arrivals_eq // in IHt.
- rewrite big_nat_recr //=; last by lia.
- rewrite -leq_subRL; first apply n_arrivals_at_leq; try lia.
- move: (H_valid_arrival_curve tsk IN) => [ZERO MONO].
- apply (leq_trans IHt).
- by apply MONO. }
- Qed.
-
-End MaximalArrivalSequence.
-
diff --git a/implementation/refinements/EDF/fast_search_space.v b/implementation/refinements/EDF/fast_search_space.v
deleted file mode 100644
index ec06bad5dd84d826c5b8cccded0693a1f9d43f93..0000000000000000000000000000000000000000
--- a/implementation/refinements/EDF/fast_search_space.v
+++ /dev/null
@@ -1,164 +0,0 @@
-Require Export prosa.results.edf.rta.bounded_nps.
-Require Export prosa.implementation.refinements.fast_search_space_computation.
-
-(** First, we define the concept of higher-or-equal-priority workload. *)
-Definition bound_on_total_hep_workload (ts : seq Task) (tsk : Task) A Δ :=
- \sum_(tsk_o <- ts | tsk_o != tsk)
- task_rbf tsk_o (minn ((A + ε) + task_deadline tsk - task_deadline tsk_o) Δ).
-
-(** Next, we provide a function that checks a single point [P=(A,F)] of the search space when
- adopting a fully-preemptive policy. *)
-Definition check_point_FP (ts : seq Task) (tsk : Task) (R : nat) (P : nat * nat) :=
- (task_rbf tsk (P.1 + ε) + bound_on_total_hep_workload ts tsk P.1 (P.1 + P.2) <= P.1 + P.2)
- && (P.2 <= R).
-
-(** Further, we provide a way to compute the blocking bound when using nonpreemptive policies. *)
-Definition blocking_bound_NP (ts : seq Task) (tsk : Task) (A : nat) :=
- \max_(tsk_o <- [seq i | i <- ts] | blocking_relevant tsk_o &&
- (task_deadline tsk + A <
- task_deadline tsk_o)) (task_cost tsk_o - ε).
-
-(** Finally, we provide a function that checks a single point [P=(A,F)] of the search space when
- adopting a fully-nonpreemptive policy. *)
-Definition check_point_NP (ts : seq Task) (tsk : Task) (R : nat) (P : nat * nat) :=
- (blocking_bound_NP ts tsk P.1
- + (task_rbf tsk (P.1 + ε) - (task_cost tsk - ε))
- + bound_on_total_hep_workload ts tsk P.1 (P.1 + P.2) <= P.1 + P.2)
- && (P.2 + (task_cost tsk - ε) <= R).
-
-(** * Search Space Definitions *)
-Section SearchSpaceDefinition.
-
- (** Assume that an arrival curve based on a concrete prefix is given. *)
- #[local] Existing Instance ConcreteMaxArrivals.
- Definition Task := [eqType of concrete_task].
- Definition Job := [eqType of concrete_job].
-
- Context (TMNSP: TaskMaxNonpreemptiveSegment Task).
-
- (** First, we recall the notion of correct search space as defined by
- abstract RTA. *)
- Definition correct_search_space ts (tsk:Task) L :=
- [seq A <- iota 0 L | is_in_search_space ts tsk L A].
-
- (** Next, we provide a computation-oriented way to compute abstract RTA's search space for
- fixed-priority schedules, as we will prove that earliest-deadline-first is equivalent.
- We start with a function that computes the search space in a generic
- interval <<[l,r)>>, ... *)
- Definition search_space_emax_FP_h (tsk : Task) l r :=
- let h := get_horizon_of_task tsk in
- let offsets := map (muln h) (iota l r) in
- let emax_offsets := repeat_steps_with_offset tsk offsets in
- map predn emax_offsets.
-
- (** ... which we then apply to the interval <<[0, (L %/h).+1)>>. *)
- Definition search_space_emax_FP L (tsk : Task) :=
- let h := get_horizon_of_task tsk in
- search_space_emax_FP_h (tsk : Task) 0 (L %/h).+1.
-
- (** Analogously, we define the search space for a task scheduled under earliest-deadline-first
- in a generic interval <<[l,r)>>, ... *)
- Definition task_search_space_emax_EDF_h (tsk tsko : Task) (l r : nat) :=
- let h := get_horizon_of_task tsko in
- let offsets := map (muln h) (iota l r) in
- let emax_offsets := repeat_steps_with_offset tsko offsets in
- let emax_edf_offsets := shift_points_neg (shift_points_pos emax_offsets (task_deadline tsko))
- (task_deadline tsk) in
- map predn emax_edf_offsets.
-
- (** ...which we then apply to the interval <<[0, (L %/h).+1)>>. *)
- Definition task_search_space_emax_EDF (tsk tsko : Task) (L : nat) :=
- let h := get_horizon_of_task tsko in
- task_search_space_emax_EDF_h tsk tsko
- 0 ((L + (task_deadline tsk - task_deadline tsko)) %/ h).+1.
-
- (** Finally, we define the overall search space as the concatenation of per-task search
- spaces. *)
- Definition search_space_emax_EDF ts (tsk : Task) (L : nat) :=
- \cat_(tsko <- ts) task_search_space_emax_EDF tsk tsko L.
-
-End SearchSpaceDefinition.
-
-(** * Fast Search Space Computation Lemmas *)
-Section FastSearchSpaceComputationSubset.
-
- (** Consider a given maximum busy-interval length [L], ... *)
- Variable L : duration.
-
- (** ... a task set [ts] with valid arrivals, positive task costs, and arrival curves
- with positive steps, ... *)
- Variable ts : seq Task.
- Hypothesis H_valid_task_set : task_set_with_valid_arrivals ts.
- Hypothesis H_all_tsk_positive_cost : forall tsk, tsk \in ts -> 0 < task_cost tsk.
- Hypothesis H_all_tsk_positive_step :
- forall tsk, tsk \in ts -> fst (head (0,0) (steps_of (get_arrival_curve_prefix tsk))) > 0.
-
- (** ... and a task belonging to [ts]. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** First, we show that the earliest-deadline-first search space is a generalization of
- the fixed-priority search space. *)
- Lemma EDF_ss_generalize_FP_ss :
- task_search_space_emax_EDF_h
- tsk tsk 0 ((L + (task_deadline tsk - task_deadline tsk)) %/ get_horizon_of_task tsk).+1
- = search_space_emax_FP L tsk.
- Proof.
- rewrite /task_search_space_emax_EDF_h /search_space_emax_FP /search_space_emax_FP_h.
- rewrite subnn addn0.
- set (S := repeat_steps_with_offset _ _) in *.
- replace (shift_points_neg _ _) with S; first by done.
- symmetry; unfold shift_points_neg, shift_points_pos.
- induction S; first by done.
- rewrite //= leq_addr //= IHS.
- by replace ( _ + _ - _) with a; last lia.
- Qed.
-
- (** Finally, we show that the abstract RTA's standard search space is a subset of the
- computation-oriented version defined above. *)
- Lemma search_space_subset_EDF :
- forall A, A \in correct_search_space ts tsk L -> A \in search_space_emax_EDF ts tsk L.
- Proof.
- intros *; unfold correct_search_space, is_in_search_space.
- rewrite mem_filter => /andP [/andP [LT /orP [CH|CH]] IN]; unfold search_space_emax_EDF.
- { move: (H_tsk_in_ts) => INTS.
- apply in_cat in INTS; destruct INTS as [ts_l [ts_r EQ]].
- rewrite EQ; rewrite big_cat big_cons //= !mem_cat; apply/orP; right; apply/orP; left.
- unfold task_search_space_emax_EDF; rewrite EDF_ss_generalize_FP_ss.
- by eapply task_search_space_subset; eauto. }
- { move: CH => /hasP [tsko INts /andP [NEQtsk NEQ]].
- apply in_cat in INts; destruct INts as [ts_l [ts_r EQ]]; subst.
- have INts:tsko \in ts_l++[::tsko]++ts_r by rewrite !mem_cat mem_seq1; apply/orP;right;apply/orP;left.
- rewrite big_cat big_cons //= !mem_cat; apply/orP; right; apply/orP; left; apply/mapP.
- exists A.+1; last by lia.
- apply /mapP; exists (A.+1 + task_deadline tsk); last by rewrite -addnBA // subnn addn0.
- rewrite mem_filter; apply/andP; split; first by lia.
- have AD : task_deadline tsko <= A + task_deadline tsk.
- { move_neq_up CONTR.
- have Z1 : A + task_deadline tsk - task_deadline tsko = 0 by lia.
- have Z2 : A + 1 + task_deadline tsk - task_deadline tsko = 0 by lia.
- by rewrite Z1 Z2 eq_refl in NEQ. }
- apply /mapP; exists (A.+1 + task_deadline tsk - task_deadline tsko); last by rewrite subnKC; lia.
- set rto := repeat_steps_with_offset; set ght := get_horizon_of_task.
- have IN_RTO : forall B L', (B \in search_space_emax_FP L' tsko) ->
- B.+1 \in rto tsko [seq ght tsko * i | i <- iota 0 (L' %/ ght tsko).+1].
- { move => B L' /mapP [C INC EQC].
- have POS : C > 0 by eapply nonshifted_offsets_are_positive; eauto 2.
- by rewrite EQC prednK. }
- destruct (leqP (task_deadline tsko) (task_deadline tsk)) as [EE|EE].
- { rewrite -addnBA //; rewrite -!addnBA // -addnA[1+_] addnC addnA in NEQ.
- rewrite -addn1 -addnA [1 + _ ]addnC addnA addn1.
- set (B := A + (task_deadline tsk - task_deadline tsko)) in *.
- have CH : task_rbf_changes_at tsko B; [ done | clear NEQ ].
- have LTB : B < L + (task_deadline tsk - task_deadline tsko) by unfold B; lia.
- by apply IN_RTO; last by eapply task_search_space_subset; eauto. }
- { apply ltnW in EE.
- rewrite -subnBA//-subnBA//-addnBAC in NEQ; last by rewrite /concept.task_deadline /TaskDeadline; lia.
- rewrite -subnBA // -addn1 -addnBAC //; last by lia.
- set (B := A - (task_deadline tsko - task_deadline tsk)) in *.
- have CH : task_rbf_changes_at tsko B; [ done | clear NEQ ].
- replace (task_deadline tsk - task_deadline tsko) with 0; [rewrite addn0 addn1 |lia].
- by apply IN_RTO; last eapply task_search_space_subset; eauto 2; unfold B; lia. } }
- Qed.
-
-End FastSearchSpaceComputationSubset.
diff --git a/implementation/refinements/EDF/nonpreemptive_sched.v b/implementation/refinements/EDF/nonpreemptive_sched.v
deleted file mode 100644
index fa654fa6cd0ccc2e9a98c99f0d75dc8507b00407..0000000000000000000000000000000000000000
--- a/implementation/refinements/EDF/nonpreemptive_sched.v
+++ /dev/null
@@ -1,124 +0,0 @@
-Require Export prosa.analysis.facts.preemption.task.nonpreemptive.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.nonpreemptive.
-Require Export prosa.analysis.facts.readiness.basic.
-Require Export prosa.analysis.definitions.tardiness.
-Require Export prosa.implementation.facts.ideal_uni.prio_aware.
-Require Export prosa.implementation.definitions.task.
-Require Export prosa.model.priority.edf.
-
-(** ** Fully-Nonpreemptive Earliest-Deadline-First Schedules *)
-
-(** In this section, we prove that the fully-nonpreemptive preemption policy
- under earliest-deadline-first schedules is valid, and that the scheduling policy is
- respected at each preemption point.
-
- Some lemmas in this file are not novel facts; they are used to uniform
- POET's certificates and minimize their verbosity. *)
-Section Schedule.
-
- (** In this file, we adopt the Prosa standard implementation of jobs and tasks. *)
- Definition Task := [eqType of concrete_task].
- Definition Job := [eqType of concrete_job].
-
- (** Consider any arrival sequence with consistent arrivals, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** ... assume basic readiness, ... *)
- Instance basic_ready_instance : JobReady Job (ideal.processor_state Job) :=
- basic.basic_ready_instance.
-
- (** ... and consider any fully-nonpreemptive, earliest-deadline-first schedule. *)
- #[local] Existing Instance fully_nonpreemptive_job_model.
- #[local] Existing Instance EDF.
- Definition sched := uni_schedule arr_seq.
-
- (** First, we show that only ready jobs execute. *)
- Lemma sched_jobs_must_be_ready_to_execute :
- jobs_must_be_ready_to_execute sched.
- Proof.
- move=> j t SCHED.
- apply jobs_must_be_ready => //.
- - move=> tt ss jj IN.
- rewrite /choose_highest_prio_job in IN.
- by apply supremum_in in IN.
- - by apply basic_readiness_nonclairvoyance.
- Qed.
-
- (** Next, we remark that such a schedule is valid. *)
- Remark sched_valid :
- valid_schedule sched arr_seq.
- Proof.
- split.
- - apply np_schedule_jobs_from_arrival_sequence.
- by move=> t ???; eapply (supremum_in (hep_job_at t)).
- - by apply sched_jobs_must_be_ready_to_execute.
- Qed.
-
- (** Next, we show that an unfinished job scheduled at time [t] is
- always scheduled at time [t+1] as well. Note that the validity of
- this fact also depends on which readiness model is used. *)
- Lemma sched_nonpreemptive_next :
- forall j t,
- scheduled_at sched j t ->
- ~~ completed_by sched j t.+1 ->
- scheduled_at sched j t.+1.
- Proof.
- move=> j t SCHED NCOMP.
- have PENDING: job_ready sched j t by apply sched_jobs_must_be_ready_to_execute.
- unfold job_ready, basic_ready_instance, basic.basic_ready_instance in *.
- set chp:= choose_highest_prio_job.
- have SERV_ZERO: 0 < service sched j t.+1.
- { apply scheduled_implies_nonzero_service => //; last by simpl; exists t; split.
- by apply ideal_proc_model_ensures_ideal_progress. }
- have SERV_COST: service sched j t.+1 < job_cost j by apply less_service_than_cost_is_incomplete.
- move: SCHED NCOMP.
- rewrite !scheduled_at_def /sched /uni_schedule
- /pmc_uni_schedule /generic_schedule => /eqP SCHED NCOMP.
- rewrite schedule_up_to_def {1}/allocation_at ifT; first by rewrite SCHED.
- rewrite /prev_job_nonpreemptive SCHED /job_preemptable /fully_nonpreemptive_job_model.
- move: SERV_COST SERV_ZERO; rewrite /uni_schedule /pmc_uni_schedule /generic_schedule.
- replace (_ (_ (_ _ _) _ t) j _) with (service sched j t.+1); last first.
- { rewrite /uni_schedule /pmc_uni_schedule /generic_schedule /service
- /service_during /service_at.
- apply eq_big_nat; intros.
- replace (_ (_ _ _) _ t i) with (schedule_up_to (allocation_at arr_seq chp) None i i) => //.
- by apply schedule_up_to_prefix_inclusion. }
- move=> SERV_COST SERV_ZERO; apply /andP.
- split; [|by apply /norP;split;[rewrite -lt0n|move: SERV_COST;rewrite ltn_neqAle=> /andP [??]]].
- { unfold job_ready, basic_ready_instance, basic.basic_ready_instance.
- apply/andP; split; first by move: PENDING => /andP [ARR _]; unfold has_arrived in *; lia.
- unfold completed_by in *; rewrite <- ltnNge in *.
- replace (service (_ (_ _ _) _ t) j t.+1) with
- (service (fun t => schedule_up_to (allocation_at arr_seq chp) None t t) j t.+1) => //.
- rewrite /service /service_during //=; apply eq_big_nat.
- move=> t' /andP[GEQ0 LEQt]; rewrite /service_at.
- replace (_ (_ _ _) _ t' t') with (schedule_up_to (allocation_at arr_seq chp) None t t') => //.
- by symmetry; apply schedule_up_to_prefix_inclusion; lia. }
- Qed.
-
- (** Using the lemma above, we show that the schedule is nonpreemptive. *)
- Lemma sched_nonpreemptive :
- nonpreemptive_schedule (uni_schedule arr_seq).
- Proof.
- rewrite /nonpreemptive_schedule.
- induction t'; first by move=> t'; have->: t = 0 by lia.
- move=> LEQ SCHED NCOMP.
- destruct (ltngtP t t'.+1) as [LT | _ | EQ] => //; last by rewrite -EQ.
- feed_n 3 IHt'=> //.
- { specialize (completion_monotonic sched j t' t'.+1) => MONO.
- feed MONO; first by lia.
- by apply contra in MONO. }
- by apply sched_nonpreemptive_next.
- Qed.
-
- (** Finally, we show that the earliest-deadline-first policy is respected
- at each preemption point. *)
- Lemma respects_policy_at_preemption_point_edf_np :
- respects_JLFP_policy_at_preemption_point arr_seq sched (EDF Job).
- Proof.
- apply schedule_respects_policy => //; auto with basic_rt_facts.
- by apply basic_readiness_nonclairvoyance.
- Qed.
-
-End Schedule.
diff --git a/implementation/refinements/EDF/preemptive_sched.v b/implementation/refinements/EDF/preemptive_sched.v
deleted file mode 100644
index 0f373504147fda3fa8686c8327cbd690d0e5d295..0000000000000000000000000000000000000000
--- a/implementation/refinements/EDF/preemptive_sched.v
+++ /dev/null
@@ -1,52 +0,0 @@
-Require Export prosa.analysis.facts.preemption.task.preemptive.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.preemptive.
-Require Export prosa.analysis.facts.readiness.basic.
-Require Export prosa.analysis.definitions.tardiness.
-Require Export prosa.implementation.facts.ideal_uni.prio_aware.
-Require Export prosa.implementation.definitions.task.
-Require Export prosa.model.priority.edf.
-
-(** ** Fully-Preemptive Earliest-Deadline-First Schedules *)
-
-(** In this section, we prove that the fully-preemptive preemption policy
- under earliest-deadline-first schedules is valid, and that the scheduling policy is
- respected at each preemption point.
-
- This file does not contain novel facts; it is used to uniform POET's certificates
- and minimize their verbosity. *)
-Section Schedule.
-
- (** In this file, we adopt the Prosa standard implementation of jobs and tasks. *)
- Definition Task := [eqType of concrete_task].
- Definition Job := [eqType of concrete_job].
-
- (** Consider any arrival sequence with consistent arrivals, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** ... assume basic readiness, ... *)
- Instance basic_ready_instance : JobReady Job (ideal.processor_state Job) :=
- basic.basic_ready_instance.
-
- (** ... and consider any fully-preemptive, earliest-deadline-first schedule. *)
- #[local] Existing Instance fully_preemptive_job_model.
- #[local] Existing Instance EDF.
- Definition sched := uni_schedule arr_seq.
-
- (** First, we remark that such a schedule is valid. *)
- Remark sched_valid :
- valid_schedule sched arr_seq.
- Proof.
- apply uni_schedule_valid => //.
- by apply basic_readiness_nonclairvoyance.
- Qed.
-
- (** Finally, we show that the fixed-priority policy is respected at each preemption point. *)
- Lemma respects_policy_at_preemption_point_edf_fp :
- respects_JLFP_policy_at_preemption_point arr_seq sched (EDF Job).
- Proof.
- apply schedule_respects_policy => //; auto with basic_rt_facts.
- by apply basic_readiness_nonclairvoyance.
- Qed.
-
-End Schedule.
diff --git a/implementation/refinements/EDF/refinements.v b/implementation/refinements/EDF/refinements.v
deleted file mode 100644
index 02c70b146e4f81f0862d1b366021537ae11b11ae..0000000000000000000000000000000000000000
--- a/implementation/refinements/EDF/refinements.v
+++ /dev/null
@@ -1,287 +0,0 @@
-Require Export prosa.implementation.refinements.refinements.
-Require Export prosa.implementation.refinements.task.
-Require Export prosa.implementation.refinements.EDF.fast_search_space.
-Require Export prosa.implementation.refinements.arrival_bound.
-
-(** We begin by defining a generic version of the functions we seek to define. *)
-Section Definitions.
-
- (** Consider a generic type T supporting basic arithmetic operations,
- neutral elements, and comparisons. *)
- Context {T : Type}.
- Context `{!zero_of T, !one_of T, !sub_of T, !add_of T, !mul_of T,
- !div_of T, !mod_of T, !eq_of T, !leq_of T, !lt_of T}.
- Context `{!eq_of (seq T)}.
- Context `{!eq_of (@task_T T)}.
-
- (** We define a generic version of total request-bound function of
- higher-or-equal priority task, ... *)
- Definition total_rbf_T (ts : seq task_T) (Δ : T) : T :=
- let work_ts := map (fun tsk' => task_rbf_T tsk' Δ) ts in
- foldr +%C 0%C work_ts.
-
- (** ... of bound on total higher-or-equal priority workload, ... *)
- Definition bound_on_total_hep_workload_T (ts : seq task_T) (tsk : task_T) (A Δ : T) : T :=
- let o_ts := filter (fun tsk_o => ~~ (eq_of2 tsk_o tsk)) ts in
- let o_work := map (fun tsk_o => task_rbf_T tsk_o (minn_T ((A + 1) + task_deadline_T tsk - task_deadline_T tsk_o) Δ))%C o_ts in
- foldr +%C 0%C o_work.
-
- (** Next, we define a generic version of [check_point_FP], ... *)
- Definition check_point_FP_T (ts : seq task_T) (tsk : task_T) (R : T) (P : T * T) : bool :=
- (task_rbf_T tsk (P.1 + 1) + bound_on_total_hep_workload_T ts tsk P.1 (P.1 + P.2) <= P.1 + P.2)%C
- && (P.2 <= R)%C.
-
- (** ... a generic version of [blocking_bound_NP], ... *)
- Definition blocking_bound_NP_T (ts : seq task_T) (tsk : task_T) A :=
- let blocking_relevant tsk_o := (0 < ConcreteMaxArrivals_T tsk_o 1)%C && (0 < task_cost_T tsk_o)%C in
- let ts_lp := filter (fun tsk_o => (blocking_relevant tsk_o)
- && (@task_deadline_T T tsk + A < @task_deadline_T T tsk_o))%C ts in
- let ts_block := map (fun tsk_o => task_cost_T tsk_o - 1)%C ts_lp in
- foldr maxn_T 0%C ts_block.
-
- (** ... of [check_point_NP], ... *)
- Definition check_point_NP_T (ts : seq task_T) (tsk : task_T) (R : T) (P : T * T) : bool :=
- (blocking_bound_NP_T ts tsk P.1
- + (task_rbf_T tsk (P.1 + 1) - (task_cost_T tsk - 1))
- + bound_on_total_hep_workload_T ts tsk P.1 (P.1 + P.2) <= P.1 + P.2)%C
- && (P.2 + (task_cost_T tsk - 1) <= R)%C.
-
- (** ... of [valid_arrivals]. *)
- Definition valid_arrivals_T (tsk : task_T) : bool :=
- match @task_arrival_T T tsk with
- | Periodic_T p => (1 <= p)%C
- | Sporadic_T m => (1 <= m)%C
- | ArrivalPrefix_T emax_vec => valid_extrapolated_arrival_curve_T emax_vec
- end.
-
-End Definitions.
-
-(** In this section, we introduce some functions operating on binary numbers. *)
-Section DefinitionsN.
-
- (** We provide a definition of [iota], ... *)
- Definition iota_N (a Δ : N) := iota_T a Δ.
-
- (** ... of [task_search_space_emax_EDF_h], ... *)
- Definition task_search_space_emax_EDF_h_N (tsk tsko : task_T) (l r : N) : seq N :=
- let h := get_horizon_of_task_T tsko in
- let offsets := map (N.mul h) (iota_N l r) in
- let emax_offsets := repeat_steps_with_offset_T tsko offsets in
- let emax_edf_offsets :=
- shift_points_neg_T
- (shift_points_pos_T emax_offsets (task_deadline_T tsko))
- (task_deadline_T tsk) in
- map predn_T emax_edf_offsets.
-
- (** ... of [task_search_space_emax_EDF], ... *)
- Definition task_search_space_emax_EDF_N (tsk tsko : task_T) (L : N) :=
- let h := get_horizon_of_task_T tsko in
- task_search_space_emax_EDF_h_N
- tsk tsko 0
- (((L + (task_deadline_T tsk - task_deadline_T tsko)) %/ h) + 1)%C.
-
- (** ... and of [search_space_emax_EDF_N]. *)
- Definition search_space_emax_EDF_N (ts : seq task_T) (tsk : task_T) (L : N) :=
- let points := map (fun tsko => task_search_space_emax_EDF_N tsk tsko L) ts in
- flatten points.
-
-End DefinitionsN.
-
-
-(** ** Refinements *)
-
-(** We now establish the desired refinements. *)
-
-(** First, we prove a refinement for the [task_search_space_emax_EDF_h] function. *)
-Local Instance refine_task_search_space_emax_EDF_h :
- refines (Rtask ==> Rtask ==> Rnat ==> Rnat ==> list_R Rnat)%rel
- task_search_space_emax_EDF_h
- task_search_space_emax_EDF_h_N.
-Proof.
- rewrite refinesE => tsk tsk' Rtsk tsko tsko' Rtsko l l' Rl r r' Rr.
- apply refinesP; unfold task_search_space_emax_EDF_h, task_search_space_emax_EDF_h_N.
- by refines_apply; refines_abstr.
-Qed.
-
-(** Next, we prove a refinement for the [task_search_space_emax_EDF] function. *)
-Global Instance refine_task_search_space_emax_EDF :
- forall tsk tsko,
- refines (Rnat ==> list_R Rnat)%rel
- (task_search_space_emax_EDF (taskT_to_task tsk) (taskT_to_task tsko))
- (task_search_space_emax_EDF_N tsk tsko).
-Proof.
- intros.
- rewrite refinesE => δ δ' Rδ.
- unfold task_search_space_emax_EDF, task_search_space_emax_EDF_N.
- apply refinesP; rewrite -addn1.
- refines_apply.
- all: by rewrite refinesE; unfold Rtask, fun_hrel.
-Qed.
-
-(** Next, we prove a refinement for the [search_space_emax_EDF] function. *)
-Global Instance refine_search_space_emax_EDF :
- forall ts tsk,
- refines (Rnat ==> list_R Rnat)%rel
- (search_space_emax_EDF (map taskT_to_task ts) (taskT_to_task tsk))
- (search_space_emax_EDF_N ts tsk).
-Proof.
- intros ? ?.
- unfold search_space_emax_EDF, search_space_emax_EDF_N.
- rewrite refinesE => L L' RL; apply refinesP.
- have F: forall xs f, \cat_(x <- xs) f x = flatten (map f xs).
- { clear; induction xs as [ | x xs]; intros.
- - by rewrite big_nil.
- - by rewrite big_cons //= IHxs. }
- rewrite F; clear F.
- refines_apply.
- Unshelve.
- 5: exact (Rtask ==> list_R Rnat)%rel.
- 4: exact (list_R Rtask).
- - rewrite refinesE => f f' Rf xs xs' Rxs; apply refinesP.
- by eapply refine_map; [rewrite refinesE; exact Rxs | rewrite refinesE ].
- - move: refine_task_search_space_emax_EDF=> R; rewrite refinesE in R.
- by rewrite refinesE => tsko tsko' Rtsko; rewrite -Rtsko; apply R.
- - move: refine_task_set' => RTS.
- rewrite refinesE; rewrite refinesE in RTS.
- by apply RTS; apply unifyxx.
-Qed.
-
-(** Next, we prove a refinement for the [total_request_bound_function] function. *)
-Local Instance refine_total_rbf :
- refines (list_R Rtask ==> Rnat ==> Rnat)%rel total_request_bound_function total_rbf_T.
-Proof.
- apply refines_abstr2;
- rewrite /total_request_bound_function /total_rbf_T /total_request_bound_function
- /concept.task_cost /TaskCost /max_arrivals /MaxArrivals => t t' Rt y y' Ry.
- eapply refine_uncond_foldr; first exact Rt.
- by rewrite refinesE => tsko tsko' Rtsko; apply refinesP; refines_apply.
-Qed.
-
-(** Next, we prove a special-case refinement for the [total_request_bound_function] function
- when applied to a refined task set and a refined task. This special case
- is required to guide the typeclass engine. *)
-Global Instance refine_total_rbf' :
- forall ts,
- refines (Rnat ==> Rnat)%rel
- (total_request_bound_function (map taskT_to_task ts))
- (total_rbf_T ts) | 0.
-Proof.
- intros; rewrite refinesE; intros δ δ' Rδ.
- move: refine_task_set' => RTS.
- rewrite refinesE in RTS.
- specialize (RTS ts ts (unifyxx _)); simpl in RTS.
- apply refinesP.
- move: (refine_total_rbf) => EQ.
- rewrite refinesE in EQ.
- erewrite <-EQ; [ | eassumption | eassumption].
- set (x := total_rbf_T _ _).
- by rewrite refinesE.
-Qed.
-
-(** Next, we provide equality comparisons between different pairs of objects
- manipulated in Poet's certificates. *)
-Global Instance eq_listN : eq_of (seq N) := fun x y => x == y.
-Global Instance eq_NlistNN : eq_of (prod N (seq (prod N N))) := fun x y => x == y.
-Global Instance eq_taskab : eq_of (@task_arrivals_bound_T N) := taskab_eqdef_T.
-Global Instance eq_task : eq_of (@task_T N) := task_eqdef_T.
-
-(** Next, we prove a refinement for the [task_eqdef] function. *)
-Local Instance refine_task_eqdef :
- refines (Rtask ==> Rtask ==> bool_R)%rel task_eqdef task_eqdef_T.
-Proof.
- apply refines_abstr2.
- intros a a' Ra b b' Rb.
- unfold task_eqdef, task_eqdef_T.
- by rewrite refinesE; repeat apply andb_R; apply refinesP; refines_apply.
-Qed.
-
-(** Next, we prove a refinement for the [bound_on_total_hep_workload] function. *)
-Global Instance refine_bound_on_total_hep_workload :
- refines (list_R Rtask ==> Rtask ==> Rnat ==> Rnat ==> Rnat)%rel
- bound_on_total_hep_workload bound_on_total_hep_workload_T.
-Proof.
- rewrite refinesE => ts ts' Rts tsk tsk' Rtsk a a' Ra δ δ' Rδ.
- unfold bound_on_total_hep_workload, bound_on_total_hep_workload_T.
- apply refinesP.
- eapply refine_foldr; rewrite refinesE; first by apply Rts.
- all: by move=> tsko tsko' Rtsko; apply refinesP; refines_apply.
-Qed.
-
-(** Next, we prove a refinement for the [check_point_FP] function. *)
-Global Instance refine_check_point_FP :
- refines (list_R Rtask ==> Rtask ==> Rnat ==> prod_R Rnat Rnat ==> bool_R)%rel
- check_point_FP check_point_FP_T.
-Proof.
- rewrite refinesE => ts ts' Rts tsk tsk' Rtsk l l' Rl p p' Rp.
- unfold check_point_FP, check_point_FP_T.
- by apply andb_R; apply refinesP; tc.
-Qed.
-
-(** Next, we prove a special-case refinement for the [check_point_FP] function
- when applied to a refined task set and a refined task. This special case
- is required to guide the typeclass engine. *)
-Global Instance refine_check_point_FP' :
- forall ts tsk,
- refines (Rnat ==> prod_R Rnat Rnat ==> bool_R)%rel
- (check_point_FP (map taskT_to_task ts) (taskT_to_task tsk))
- (check_point_FP_T ts tsk) | 0.
-Proof.
- intros ts tsk; rewrite refinesE => l l' Rl p p' Rp.
- unfold check_point_NP, check_point_NP_T; apply andb_R; apply refinesP; tc.
- move: refine_task' => RT.
- move: refine_task_set' => RTS.
- rewrite refinesE in RT; rewrite refinesE in RTS.
- by refines_apply; rewrite refinesE; [apply RT | apply RTS | apply RT].
-Qed.
-
-(** Next, we prove a refinement for the [blocking_bound_NP] function. *)
-Global Instance refine_blocking_bound :
- refines (list_R Rtask ==> Rtask ==> Rnat ==> Rnat)%rel blocking_bound_NP blocking_bound_NP_T.
-Proof.
- rewrite refinesE => ts ts' Rts tsk tsk' Rtsk.
- unfold blocking_bound_NP, blocking_bound_NP_T, blocking_relevant.
- intros A A' RA; apply refinesP; eapply refine_foldr_max.
- - by rewrite refinesE map_id; apply Rts.
- - by apply refines_abstr; move => tsk1 tsk1' Rtsk1; unfold ε; tc.
- - rewrite refinesE => tsk1 tsk1' Rtsk1.
- apply andb_R; first apply andb_R.
- + unfold ε.
- apply refine_ltn; first by done.
- by apply refinesP; rewrite /max_arrivals; refines_apply; apply refine_ConcreteMaxArrivals.
- + by apply refine_ltn; [done | apply refinesP; refines_apply].
- + move: refine_task_deadline => Ra.
- rewrite refinesE in Ra; specialize (Ra _ _ Rtsk1).
- move: refine_task_deadline => Rb.
- rewrite refinesE in Rb; specialize (Rb _ _ Rtsk).
- inversion Ra; inversion Rb.
- set (a := @task_deadline_T N tsk') in *.
- set (b := @task_deadline_T N tsk1') in *.
- by apply refine_ltn; [apply refinesP; refines_apply | done].
-Qed.
-
-(** Next, we prove a refinement for the [check_point_NP] function. *)
-Global Instance refine_check_point_NP :
- refines (list_R Rtask ==> Rtask ==> Rnat ==> prod_R Rnat Rnat ==> bool_R)%rel
- check_point_NP check_point_NP_T.
-Proof.
- rewrite refinesE => ts ts' Rts tsk tsk' Rtsk l l' Rl p p' Rp.
- unfold check_point_NP, check_point_NP_T.
- by apply andb_R; apply refinesP; tc.
-Qed.
-
-(** Finally, we prove a special-case refinement for the [check_point_NP] function
- when applied to a refined task set and a refined task. This special case
- is required to guide the typeclass engine. *)
-Global Instance refine_check_point_NP' :
- forall ts tsk,
- refines (Rnat ==> prod_R Rnat Rnat ==> bool_R)%rel
- (check_point_NP (map taskT_to_task ts) (taskT_to_task tsk))
- (check_point_NP_T ts tsk) | 0.
-Proof.
- intros ts tsk; rewrite refinesE => l l' Rl p p' Rp.
- move: refine_task' => RT.
- move: refine_task_set' => RTS.
- rewrite refinesE in RT; rewrite refinesE in RTS.
- unfold check_point_NP, check_point_NP_T.
- by apply andb_R; apply refinesP;refines_apply;rewrite refinesE;(apply RT || apply RTS).
-Qed.
diff --git a/implementation/refinements/FP/fast_search_space.v b/implementation/refinements/FP/fast_search_space.v
deleted file mode 100644
index 6764912a3f6e74b40731a1aa5eb930b03e62c279..0000000000000000000000000000000000000000
--- a/implementation/refinements/FP/fast_search_space.v
+++ /dev/null
@@ -1,83 +0,0 @@
-Require Export prosa.results.fixed_priority.rta.bounded_nps.
-Require Export prosa.implementation.refinements.fast_search_space_computation.
-
-(** Throughout this file, we work with Prosa's fixed-priority policy implementation. *)
-#[local] Existing Instance NumericFPAscending.
-
-(** First, we define the concept of higher-or-equal-priority and different task, ... *)
-Definition ohep_task (tsk1 : Task) (tsk2 : Task) :=
- hep_task tsk1 tsk2 && (tsk1 != tsk2).
-
-(** ... cumulative request-bound function for higher-or-equal-priority tasks
- (including the task under analysis), ... *)
-Definition total_hep_rbf (ts : seq Task) (tsk : Task) (Δ : duration) :=
- total_hep_request_bound_function_FP ts tsk Δ.
-
-(** ... and an analogous definition that does not include the task under analysis. *)
-Definition total_ohep_rbf (ts : seq Task) (tsk : Task) (Δ : duration) :=
- total_ohep_request_bound_function_FP ts tsk Δ.
-
-(** Next, we provide a function that checks a single point [P=(A,F)] of the search space
- when adopting a fully-preemptive policy. *)
-Definition check_point_FP (ts : seq Task) (tsk : Task) (R : nat) (P : nat * nat) :=
- (task_rbf tsk (P.1 + ε) + total_ohep_rbf ts tsk (P.1 + P.2) <= P.1 + P.2) && (P.2 <= R).
-
-(** Further, we provide a way to compute the blocking bound when using nonpreemptive policies. *)
-Definition blocking_bound_NP (ts : seq Task) (tsk : Task) :=
- \max_(tsk_other <- ts | ~~ hep_task tsk_other tsk) (concept.task_cost tsk_other - ε).
-
-(** Finally, we provide a function that checks a single point [P=(A,F)] of the search space when
- adopting a fully-nonpreemptive policy. *)
-Definition check_point_NP (ts : seq Task) (tsk : Task) (R : nat) (P : nat * nat) :=
- (blocking_bound_NP ts tsk
- + (task_rbf tsk (P.1 + ε) - (concept.task_cost tsk - ε))
- + total_ohep_rbf ts tsk (P.1 + P.2) <= P.1 + P.2)
- && (P.2 + (concept.task_cost tsk - ε) <= R).
-
-(** * Search Space Definitions *)
-
-(** First, we recall the notion of correct search space as defined by
- abstract RTA. *)
-Definition correct_search_space (tsk : Task) (L : duration) :=
- [seq A <- iota 0 L | is_in_search_space tsk L A].
-
-(** Next, we provide a computation-oriented way to compute abstract RTA's search space. We
- start with a function that computes the search space in a generic interval <<[a,b)>>, ... *)
-Definition search_space_emax_FP_h (tsk : Task) a b :=
- let h := get_horizon_of_task tsk in
- let offsets := map (muln h) (iota a b) in
- let emax_offsets := repeat_steps_with_offset tsk offsets in
- map predn emax_offsets.
-
-(** ... which we then apply to the interval <<[0, (L %/h).+1)>>. *)
-Definition search_space_emax_FP (tsk : Task) (L : duration) :=
- let h := get_horizon_of_task tsk in
- search_space_emax_FP_h tsk 0 (L %/h).+1.
-
-(** In this section, we prove that the computation-oriented search space defined above
- contains each of the points contained in abstract RTA's standard definition. *)
-Section FastSearchSpaceComputationSubset.
-
- (** Consider a given maximum busy-interval length [L], ... *)
- Variable L : duration.
-
- (** ... a task set with valid arrivals, ... *)
- Variable ts : seq Task.
- Hypothesis H_valid_arrivals : task_set_with_valid_arrivals ts.
-
- (** ... and a task belonging to [ts] with positive cost. *)
- Variable tsk : Task.
- Hypothesis H_positive_cost : 0 < task_cost tsk.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Then, abstract RTA's standard search space is a subset of the computation-oriented
- version defined above. *)
- Lemma search_space_subset_FP :
- forall A, A \in correct_search_space tsk L -> A \in search_space_emax_FP tsk L.
- Proof.
- move=> A IN.
- move: IN; rewrite mem_filter => /andP[/andP[LEQ_L NEQ] _].
- by apply (task_search_space_subset _ ts) => //.
- Qed.
-
-End FastSearchSpaceComputationSubset.
diff --git a/implementation/refinements/FP/nonpreemptive_sched.v b/implementation/refinements/FP/nonpreemptive_sched.v
deleted file mode 100644
index a8e95535c63a1f50f13225bd39207681699c3d15..0000000000000000000000000000000000000000
--- a/implementation/refinements/FP/nonpreemptive_sched.v
+++ /dev/null
@@ -1,124 +0,0 @@
-Require Export prosa.analysis.facts.preemption.task.nonpreemptive.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.nonpreemptive.
-Require Export prosa.analysis.facts.readiness.sequential.
-Require Export prosa.analysis.definitions.tardiness.
-Require Export prosa.implementation.facts.ideal_uni.prio_aware.
-Require Export prosa.implementation.definitions.task.
-
-(** ** Fully-Nonpreemptive Fixed-Priority Schedules *)
-
-(** In this section, we prove some facts about the fully-nonpreemptive
- preemption policy under fixed-priority schedules.
-
- Some lemmas in this file are not novel facts; they are used to uniform
- POET's certificates and minimize their verbosity. *)
-Section Schedule.
-
- (** In this file, we adopt the Prosa standard implementation of jobs and tasks. *)
- Definition Task := [eqType of concrete_task].
- Definition Job := [eqType of concrete_job].
-
- (** Consider any arrival sequence with consistent arrivals, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** ... assume sequential readiness, ... *)
- Instance sequential_ready_instance : JobReady Job (ideal.processor_state Job) :=
- sequential_ready_instance arr_seq.
-
- (** ... and consider any fully-nonpreemptive, fixed-priority schedule. *)
- #[local] Existing Instance fully_nonpreemptive_job_model.
- #[local] Existing Instance NumericFPAscending.
- Definition sched := uni_schedule arr_seq.
-
- (** First, we show that only ready jobs execute. *)
- Lemma sched_jobs_must_be_ready_to_execute :
- jobs_must_be_ready_to_execute sched.
- Proof.
- move=> j t SCHED.
- apply jobs_must_be_ready => //.
- - move=> tt ss jj IN.
- rewrite /choose_highest_prio_job in IN.
- by apply supremum_in in IN.
- - by apply sequential_readiness_nonclairvoyance.
- Qed.
-
- (** Next, we remark that such a schedule is valid. *)
- Remark sched_valid :
- valid_schedule sched arr_seq.
- Proof.
- split.
- - apply np_schedule_jobs_from_arrival_sequence.
- by move=> t ???; eapply (supremum_in (hep_job_at t)).
- - by apply sched_jobs_must_be_ready_to_execute.
- Qed.
-
- (** Next, we show that an unfinished job scheduled at time [t] is
- always scheduled at time [t+1] as well. Note that the validity of
- this fact also depends on which readiness model is used. *)
- Lemma sched_nonpreemptive_next:
- forall j t,
- scheduled_at sched j t ->
- ~~ completed_by sched j t.+1 ->
- scheduled_at sched j t.+1.
- Proof.
- move=> j t SCHED NCOMP.
- have READY: job_ready sched j t by apply sched_jobs_must_be_ready_to_execute.
- move: READY => /andP[/andP[ARR NC] /allP PRIOR].
- have SZ: 0 < service sched j t.+1.
- { apply scheduled_implies_nonzero_service; last by simpl; exists t; split.
- by apply ideal_proc_model_ensures_ideal_progress. }
- have SC: service sched j t.+1 < job_cost j by apply less_service_than_cost_is_incomplete.
- move: SCHED NCOMP; rewrite !scheduled_at_def /sched /uni_schedule /pmc_uni_schedule
- /generic_schedule => /eqP SCHED NCOMP.
- rewrite schedule_up_to_def {1}/allocation_at ifT; first by rewrite SCHED.
- rewrite /prev_job_nonpreemptive SCHED /job_preemptable /fully_nonpreemptive_job_model.
- move: SC SZ; rewrite /uni_schedule /pmc_uni_schedule /generic_schedule.
- set chp:= choose_highest_prio_job; set sut:= schedule_up_to.
- replace (_ (_ (_ _ _) _ t) j t.+1) with (service sched j t.+1); last first.
- { rewrite /uni_schedule /pmc_uni_schedule /generic_schedule /service
- /service_during /service_at; apply eq_big_nat; intros.
- replace (_ (_ _ _) _ t i) with (sut (allocation_at arr_seq chp) None i i) => //.
- by apply schedule_up_to_prefix_inclusion. }
- move=> SC SZ; apply /andP.
- split; last by apply /norP; split; [rewrite -lt0n|move:SC; rewrite ltn_neqAle=> /andP[??]].
- apply /andP; split; [apply /andP; split; [by unfold has_arrived in *; lia|]|].
- { unfold completed_by in *; rewrite <- ltnNge in *.
- replace (_ _ j _) with (service (fun t=> sut (allocation_at arr_seq chp) None t t) j t.+1)=> //.
- rewrite /service /service_during //=; apply eq_big_nat.
- move=> t' /andP[GEQ0 LEQt]; rewrite /service_at.
- replace (_ _ _ _ _) with (sut (allocation_at arr_seq chp) None t t')=> //.
- by symmetry; apply schedule_up_to_prefix_inclusion; lia. }
- { apply /allP => j' IN; apply (leq_trans (PRIOR j' IN)).
- rewrite /service /service_during big_nat_recr //= -(addn0 (\sum_(0 <= _ < t) _)).
- apply leq_add => //; apply eq_leq, eq_big_nat.
- move=> t' /andP[GEQ0 LEQt].
- rewrite /service_at /sched /uni_schedule /pmc_uni_schedule /generic_schedule.
- replace (_ (_ _ _) _ t' t') with (sut (allocation_at arr_seq chp) None t t') => //.
- by symmetry; apply schedule_up_to_prefix_inclusion; lia. }
- Qed.
-
- (** Using the lemma above, we show that the schedule is nonpreemptive. *)
- Lemma sched_nonpreemptive :
- nonpreemptive_schedule (uni_schedule arr_seq).
- Proof.
- rewrite /nonpreemptive_schedule.
- induction t'; first by move=> t'; have->: t = 0 by lia.
- move=> LEQ SCHED NCOMP.
- destruct (ltngtP t t'.+1) as [LT | _ | EQ] => //; last by rewrite -EQ.
- feed_n 3 IHt'=> //.
- { specialize (completion_monotonic sched j t' t'.+1) => MONO.
- feed MONO; first by lia.
- by apply contra in MONO. }
- by apply sched_nonpreemptive_next.
- Qed.
-
- (** Finally, we show that the fixed-priority policy is respected at each preemption point. *)
- Lemma respects_policy_at_preemption_point_np :
- respects_FP_policy_at_preemption_point arr_seq sched (NumericFPAscending Task).
- Proof.
- apply schedule_respects_policy; rt_eauto.
- by apply sequential_readiness_nonclairvoyance.
- Qed.
-
-End Schedule.
diff --git a/implementation/refinements/FP/preemptive_sched.v b/implementation/refinements/FP/preemptive_sched.v
deleted file mode 100644
index 6a797a1eeb983b523446b1bf5cc018d7b42c0d0d..0000000000000000000000000000000000000000
--- a/implementation/refinements/FP/preemptive_sched.v
+++ /dev/null
@@ -1,51 +0,0 @@
-Require Export prosa.analysis.facts.preemption.task.preemptive.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.preemptive.
-Require Export prosa.analysis.facts.readiness.sequential.
-Require Export prosa.analysis.definitions.tardiness.
-Require Export prosa.implementation.facts.ideal_uni.prio_aware.
-Require Export prosa.implementation.definitions.task.
-
-(** ** Fully-Preemptive Fixed-Priority Schedules *)
-
-(** In this section, we prove that the fully-preemptive preemption policy
- under fixed-priority schedules is valid, and that the scheduling policy is
- respected at each preemption point.
-
- This file does not contain novel facts; it is used to uniform POET's certificates
- and minimize their verbosity. *)
-Section Schedule.
-
- (** In this file, we adopt the Prosa standard implementation of jobs and tasks. *)
- Definition Task := [eqType of concrete_task].
- Definition Job := [eqType of concrete_job].
-
- (** Consider any arrival sequence with consistent arrivals, ... *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_arrival_times_are_consistent : consistent_arrival_times arr_seq.
-
- (** ... assume sequential readiness, ... *)
- Instance sequential_ready_instance : JobReady Job (ideal.processor_state Job) :=
- sequential_ready_instance arr_seq.
-
- (** ... and consider any fully-preemptive, fixed-priority schedule. *)
- #[local] Existing Instance fully_preemptive_job_model.
- #[local] Existing Instance NumericFPAscending.
- Definition sched := uni_schedule arr_seq.
-
- (** First, we remark that such a schedule is valid. *)
- Remark sched_valid :
- valid_schedule sched arr_seq.
- Proof.
- apply uni_schedule_valid => //.
- by apply sequential_readiness_nonclairvoyance.
- Qed.
-
- (** Finally, we show that the fixed-priority policy is respected at each preemption point. *)
- Lemma respects_policy_at_preemption_point :
- respects_FP_policy_at_preemption_point arr_seq sched (NumericFPAscending Task).
- Proof.
- apply schedule_respects_policy => //; rt_eauto.
- by apply sequential_readiness_nonclairvoyance.
- Qed.
-
-End Schedule.
diff --git a/implementation/refinements/FP/refinements.v b/implementation/refinements/FP/refinements.v
deleted file mode 100644
index b2ff698b85e94252a3a5de2b5b8801f77e7df541..0000000000000000000000000000000000000000
--- a/implementation/refinements/FP/refinements.v
+++ /dev/null
@@ -1,275 +0,0 @@
-Require Export prosa.implementation.refinements.refinements.
-Require Export prosa.implementation.refinements.FP.fast_search_space.
-Require Export prosa.implementation.refinements.arrival_bound.
-
-
-(** Throughout this file, we work with Prosa's fixed-priority policy implementation. *)
-#[local] Existing Instance NumericFPAscending.
-
-(** We begin by defining a generic version of the functions we seek to define. *)
-Section Definitions.
-
- (** Consider a generic type T supporting basic arithmetic operations,
- neutral elements, and comparisons. *)
- Context `{T : Type}.
- Context `{!zero_of T, !one_of T, !sub_of T, !add_of T, !mul_of T,
- !div_of T, !mod_of T, !eq_of T, !leq_of T, !lt_of T}.
- Context `{!eq_of (seq T)}.
- Context `{!eq_of (@task_T T)}.
-
- (** We define a generic version of higher-or-equal priority task, ... *)
- Definition hep_task_T tsk_o tsk := (task_priority_T tsk <= @task_priority_T T tsk_o)%C.
-
- (** ... of total request-bound function of higher-or-equal priority task, ... *)
- Definition total_hep_rbf_T (ts : seq task_T) (tsk : task_T) (Δ : T) : T :=
- let hep_ts := filter (fun tsk' => hep_task_T tsk' tsk) ts in
- let work_ts := map (fun tsk' => task_rbf_T tsk' Δ) hep_ts in
- foldr +%C 0%C work_ts.
-
- (** ... an analogous version of [hep_task] in without symmetry, ... *)
- Definition ohep_task_T tsk_o tsk :=
- (hep_task_T tsk_o tsk) && (~~ (eq_of2 tsk_o tsk)%C).
-
- (** ... with a respective cumulative version. *)
- Definition total_ohep_rbf_T (ts : seq task_T) (tsk : task_T) (Δ : T) : T :=
- let hep_ts := filter (fun tsk' => ohep_task_T tsk' tsk) ts in
- let work_ts := map (fun tsk' => task_rbf_T tsk' Δ) hep_ts in
- foldr +%C 0%C work_ts.
-
- (** Next, we define a generic version of [check_point_FP], ... *)
- Definition check_point_FP_T (ts : seq task_T) (tsk : task_T) (R : T) (P : T * T) : bool :=
- (task_rbf_T tsk (P.1 + 1) +
- total_ohep_rbf_T ts tsk (P.1 + P.2) <= P.1 + P.2)%C && (P.2 <= R)%C.
-
- (** ... a generic version of [blocking_bound_NP], ... *)
- Definition blocking_bound_NP_T (ts : seq task_T) (tsk : task_T) :=
- let lp_ts := filter (fun tsk_o => ~~ hep_task_T tsk_o tsk) ts in
- let block_ts := map (fun tsk_o => task_cost_T tsk_o - 1)%C lp_ts in
- foldr maxn_T 0%C block_ts.
-
- (** ... and of [check_point_NP]. *)
- Definition check_point_NP_T (ts : seq task_T) (tsk : task_T) (R : T) (P : T * T) : bool :=
- (blocking_bound_NP_T ts tsk
- + (task_rbf_T tsk (P.1 + 1) - (task_cost_T tsk - 1))
- + total_ohep_rbf_T ts tsk (P.1 + P.2) <= P.1 + P.2)%C
- && (P.2 + (task_cost_T tsk - 1) <= R)%C.
-
-End Definitions.
-
-(** In this section, we introduce some functions operating on binary numbers. *)
-Section DefinitionsN.
-
- (** We provide a definition of [iota], ... *)
- Definition iota_N (a Δ : N) := iota_T a Δ.
-
- (** ... of [search_space_emax_FP_h], ... *)
- Definition search_space_emax_FP_h_N (tsk : task_T) (l r : N) : seq N :=
- let h := get_horizon_of_task_T tsk in
- let offsets := map (N.mul h) (iota_N l r) in
- let emax_offsets := repeat_steps_with_offset_T tsk offsets in
- map predn_T emax_offsets.
-
- (** ... and of [search_space_emax_FP]. *)
- Definition search_space_emax_FP_N (tsk : task_T) (L : N) :=
- let h := get_horizon_of_task_T tsk in
- search_space_emax_FP_h_N tsk 0 (((L %/ h)+1))%C.
-
-End DefinitionsN.
-
-(** ** Refinements *)
-
-(** We now establish the desired refinements. *)
-
-(** First, we prove a refinement for the [search_space_emax_h] function. *)
-Local Instance refine_search_space_emax_h :
- refines (Rtask ==> Rnat ==> Rnat ==> list_R Rnat)%rel
- search_space_emax_FP_h
- search_space_emax_FP_h_N.
-Proof.
- rewrite refinesE => tsk tsk' Rtsk l l' Rl r r' Rr.
- apply refinesP; unfold search_space_emax_FP_h, search_space_emax_FP_h_N.
- by refines_apply; refines_abstr.
-Qed.
-
-(** Next, we prove a refinement for the [search_space_emax_FP] function. *)
-Global Instance refine_search_space_emax :
- forall tsk,
- refines (Rnat ==> list_R Rnat)%rel
- (search_space_emax_FP (taskT_to_task tsk))
- (search_space_emax_FP_N tsk).
-Proof.
- intros.
- rewrite refinesE => δ δ' Rδ.
- unfold search_space_emax_FP, search_space_emax_FP_N.
- apply refinesP; rewrite -addn1.
- by refines_apply; rewrite refinesE; unfold Rtask, fun_hrel.
-Qed.
-
-(** Next, we prove a refinement for the [hep_task] function. *)
-Global Instance refine_hep_task :
- refines ( Rtask ==> Rtask ==> bool_R )%rel hep_task hep_task_T.
-Proof.
- apply refines_abstr2.
- rewrite /hep_task /hep_task_T /NumericFPAscending
- /numeric_fixed_priority.task_priority /TaskPriority.
- move=> tsk1 tsk1' Rtsk1 tsk2 tsk2' Rtsk2.
- by refines_apply.
-Qed.
-
-(** Next, we prove a refinement for the [total_hep_rbf] function. *)
-Global Instance refine_total_hep_rbf :
- refines ( list_R Rtask ==> Rtask ==> Rnat ==> Rnat )%rel total_hep_rbf total_hep_rbf_T.
-Proof.
- apply refines_abstr; move => ts ts' Rts.
- apply refines_abstr; move => tsk tsk' Rtsk.
- apply refines_abstr; move => Δ Δ' RΔ.
- rewrite /total_hep_rbf /total_hep_request_bound_function_FP /total_hep_rbf_T.
- eapply refine_foldr.
- - by apply Rts.
- - by apply refines_abstr; move => tsk1 tsk1' Rtsk1; tc.
- - by apply refines_abstr; move => tsk1 tsk1' Rtsk1; tc.
-Qed.
-
-(** Next, we prove a special-case refinement for the [total_hep_rbf] function
- when applied to a refined task set and a refined task. This special case
- is required to guide the typeclass engine. *)
-Global Instance refine_total_hep_rbf' :
- forall ts tsk,
- refines (Rnat ==> Rnat)%rel
- (total_hep_rbf (map taskT_to_task ts) (taskT_to_task tsk))
- (total_hep_rbf_T ts tsk) | 0.
-Proof.
- intros; rewrite refinesE; intros δ δ' Rδ.
- move: refine_task_set' => RTS.
- rewrite refinesE in RTS.
- specialize (RTS ts ts (unifyxx _)); simpl in RTS.
- apply refinesP.
- move: refine_total_hep_rbf => EQ.
- refines_apply.
- move: refine_task' => Rtsk.
- rewrite refinesE; rewrite refinesE in Rtsk.
- by apply Rtsk.
-Qed.
-
-(** Next, we provide equality comparisons between different pairs of objects
- manipulated in Poet's certificates. *)
-Global Instance eq_listN : eq_of (seq N) := fun x y => x == y.
-Global Instance eq_listNN : eq_of (seq (prod N N)) := fun x y => x == y.
-Global Instance eq_NlistNN : eq_of (prod N (seq (prod N N))) := fun x y => x == y.
-Global Instance eq_taskab : eq_of (@task_arrivals_bound_T N) := taskab_eqdef_T.
-Global Instance eq_task : eq_of (@task_T N) := task_eqdef_T.
-
-(** Next, we prove a refinement for the [task_eqdef] function. *)
-Global Instance refine_task_eqdef :
- refines (Rtask ==> Rtask ==> bool_R)%rel task_eqdef task_eqdef_T.
-Proof.
- apply refines_abstr2.
- intros a a' Ra b b' Rb.
- unfold task_eqdef, task_eqdef_T.
- by rewrite refinesE; repeat apply andb_R; apply refinesP; refines_apply.
-Qed.
-
-(** Next, we prove a refinement for the [ohep_task] function. *)
-Global Instance refine_ohep_task :
- refines ( Rtask ==> Rtask ==> bool_R )%rel ohep_task ohep_task_T.
-Proof.
- apply refines_abstr2.
- rewrite /ohep_task /ohep_task_T /NumericFPAscending
- /numeric_fixed_priority.task_priority /TaskPriority.
- move=> tsk1 tsk1' Rtsk1 tsk2 tsk2' Rtsk2.
- by refines_apply.
-Qed.
-
-(** Next, we prove a refinement for the [total_ohep_rbf] function. *)
-Global Instance refine_total_ohep_rbf :
- refines ( list_R Rtask ==> Rtask ==> Rnat ==> Rnat )%rel total_ohep_rbf total_ohep_rbf_T.
-Proof.
- apply refines_abstr; move => ts ts' Rts.
- apply refines_abstr; move => tsk tsk' Rtsk.
- apply refines_abstr; move => Δ Δ' RΔ.
- rewrite /total_hep_rbf /total_hep_request_bound_function_FP.
- eapply refine_foldr.
- - by apply Rts.
- - by apply refines_abstr; move => tsk1 tsk1' Rtsk1; tc.
- - by unfold ohep_task_T; apply refines_abstr; move => tsk1 tsk1' Rtsk1; tc.
-Qed.
-
-(** Next, we prove a refinement for the [check_point_FP] function. *)
-Global Instance refine_check_point :
- refines (list_R Rtask ==> Rtask ==> Rnat ==> prod_R Rnat Rnat ==> bool_R)%rel
- check_point_FP check_point_FP_T.
-Proof.
- rewrite refinesE => ts ts' Rts tsk tsk' Rtsk l l' Rl p p' Rp.
- by unfold check_point_FP, check_point_FP_T; apply andb_R; apply refinesP; tc.
-Qed.
-
-(** Next, we prove a special-case refinement for the [check_point_FP] function
- when applied to a refined task set and a refined task. This special case
- is required to guide the typeclass engine. *)
-Global Instance refine_check_point' :
- forall ts tsk,
- refines (Rnat ==> prod_R Rnat Rnat ==> bool_R)%rel
- (check_point_FP (map taskT_to_task ts) (taskT_to_task tsk))
- (check_point_FP_T ts tsk) | 0.
-Proof.
- intros ts tsk; rewrite refinesE => l l' Rl p p' Rp.
- unfold check_point_FP, check_point_FP_T; apply andb_R; apply refinesP; tc.
- move: refine_task' => RT.
- move: refine_task_set' => RTS.
- rewrite refinesE in RT; rewrite refinesE in RTS.
- by refines_apply; rewrite refinesE; [apply RT | apply RTS | apply RT].
-Qed.
-
-(** Next, we prove a refinement for the [blocking_bound_NP] function. *)
-Global Instance refine_blocking_bound :
- refines ( list_R Rtask ==> Rtask ==> Rnat )%rel blocking_bound_NP blocking_bound_NP_T.
-Proof.
- rewrite refinesE => ts ts' Rts tsk tsk' Rtsk.
- unfold blocking_bound, blocking_bound_NP_T.
- apply refinesP; eapply refine_foldr_max.
- - by rewrite refinesE; apply Rts.
- - by apply refines_abstr; move => tsk1 tsk1' Rtsk1; unfold ε; tc.
- - by apply refines_abstr; move => tsk1 tsk1' Rtsk1; tc.
-Qed.
-
-(** Next, we prove a special-case refinement for the [blocking_bound_NP] function
- when applied to a refined task set and a refined task. This special case
- is required to guide the typeclass engine. *)
-Global Instance refine_blocking_bound' :
- forall ts tsk,
- refines ( Rnat )%rel
- (blocking_bound_NP (map taskT_to_task ts) (taskT_to_task tsk))
- (blocking_bound_NP_T ts tsk) | 0.
-Proof.
- intros ts tsk; rewrite refinesE.
- move: refine_task' => RT.
- move: refine_task_set' => RTS.
- rewrite refinesE in RT; rewrite refinesE in RTS.
- by apply refinesP; refines_apply; (rewrite refinesE; (apply RT || apply RTS)).
-Qed.
-
-(** Next, we prove a refinement for the [check_point_NP] function. *)
-Global Instance refine_check_point_NP :
- refines (list_R Rtask ==> Rtask ==> Rnat ==> prod_R Rnat Rnat ==> bool_R)%rel
- check_point_NP check_point_NP_T.
-Proof.
- rewrite refinesE => ts ts' Rts tsk tsk' Rtsk l l' Rl p p' Rp.
- by unfold check_point_NP, check_point_NP_T; apply andb_R; apply refinesP; tc.
-Qed.
-
-(** Finally, we prove a special-case refinement for the [check_point_NP] function
- when applied to a refined task set and a refined task. This special case
- is required to guide the typeclass engine. *)
-Global Instance refine_check_point_NP' :
- forall ts tsk,
- refines (Rnat ==> prod_R Rnat Rnat ==> bool_R)%rel
- (check_point_NP (map taskT_to_task ts) (taskT_to_task tsk))
- (check_point_NP_T ts tsk) | 0.
-Proof.
- intros ts tsk; rewrite refinesE => l l' Rl p p' Rp.
- move: refine_task' => RT.
- move: refine_task_set' => RTS.
- rewrite refinesE in RT; rewrite refinesE in RTS.
- unfold check_point_NP, check_point_NP_T; apply andb_R; apply refinesP; refines_apply.
- all: try by (rewrite refinesE; (apply RT || apply RTS)).
-Qed.
diff --git a/implementation/refinements/arrival_bound.v b/implementation/refinements/arrival_bound.v
deleted file mode 100644
index fb352f2983f542ee17419484ab71d925b8b8dc50..0000000000000000000000000000000000000000
--- a/implementation/refinements/arrival_bound.v
+++ /dev/null
@@ -1,363 +0,0 @@
-Require Export prosa.implementation.refinements.refinements.
-Require Export prosa.implementation.definitions.arrival_bound.
-
-(** In this section, we define a generic version of arrival bound and
- prove that it is isomorphic to the standard, natural-number-based
- definition. *)
-Section Definitions.
-
- (** Consider a generic type [T], for which all the basic arithmetical
- operations, ordering, and equality are defined. *)
- Context {T : Type}.
- Context `{!zero_of T, !one_of T, !sub_of T, !add_of T, !mul_of T,
- !div_of T, !mod_of T, !eq_of T, !leq_of T, !lt_of T}.
- Context `{!eq_of (seq T)}.
- Context `{!eq_of (T * seq (T * T))}.
-
- (** As in the natural-numbers-based definition, an arrival curve prefix
- is composed of an horizon and a list of steps. *)
- Let ArrivalCurvePrefix : Type := T * seq (T * T).
-
- (** A task's arrival bound is an inductive type comprised of three types of
- arrival patterns: (a) periodic, characterized by a period between consequent
- activation of a task, (b) sporadic, characterized by a minimum inter-arrival
- time, or (c) arrival-curve prefix, characterized by a finite prefix of an
- arrival curve. *)
- Inductive task_arrivals_bound_T :=
- | Periodic_T : T -> task_arrivals_bound_T
- | Sporadic_T : T -> task_arrivals_bound_T
- | ArrivalPrefix_T : T * seq (T * T) -> task_arrivals_bound_T.
-
- (** Further, we define the equality for two generic tasks as the equality
- of each attribute. *)
- Definition taskab_eqdef_T (tb1 tb2 : task_arrivals_bound_T) : bool :=
- match tb1, tb2 with
- | Periodic_T p1, Periodic_T p2 => (p1 == p2)%C
- | Sporadic_T s1, Sporadic_T s2 => (s1 == s2)%C
- | ArrivalPrefix_T s1, ArrivalPrefix_T s2 => (s1 == s2)%C
- | _, _ => false
- end.
-
- (** The first component of arrival-curve prefix [ac_prefix] is called horizon. *)
- Definition horizon_of_T (ac_prefix_vec : T * seq (T * T)) := fst ac_prefix_vec.
-
- (** The second component of [ac_prefix] is called steps. *)
- Definition steps_of_T (ac_prefix_vec : T * seq (T * T)) := snd ac_prefix_vec.
-
- (** The time steps of [ac_prefix] are the first components of the
- steps. That is, these are time instances before the horizon
- where the corresponding arrival curve makes a step. *)
- Definition time_steps_of_T (ac_prefix_vec : T * seq (T * T)) := map fst (steps_of_T ac_prefix_vec).
-
- (** The function [step_at] returns the last step ([duration ×
- value]) such that [duration ≤ t]. *)
- Definition step_at_T (ac_prefix_vec : T * seq (T * T)) (t : T) :=
- (last (0, 0) [ seq step <- steps_of_T ac_prefix_vec | fst step <= t ])%C.
-
- (** The function [value_at] returns the _value_ of the last step
- ([duration × value]) such that [duration ≤ t] *)
- Definition value_at_T (ac_prefix_vec : T * seq (T * T)) (t : T) := snd (step_at_T ac_prefix_vec t).
-
- (** Finally, we define a generic version of the function [extrapolated_arrival_curve]
- that performs the periodic extension of the arrival-curve prefix (and
- hence, defines an arrival curve). *)
- Definition extrapolated_arrival_curve_T (ac_prefix_vec : T * seq (T * T)) (t : T) :=
- let h := horizon_of_T ac_prefix_vec in
- (t %/ h * value_at_T ac_prefix_vec h + value_at_T ac_prefix_vec (t %% h))%C.
-
- (** Steps should be strictly increasing both in time steps and values. *)
- Definition ltn_steps_T (a b : T * T) := (fst a < fst b)%C && (snd a < snd b)%C.
- Definition sorted_ltn_steps_T (ac_prefix : ArrivalCurvePrefix) :=
- sorted ltn_steps_T (steps_of_T ac_prefix).
-
- (** We also define a predicate for non-decreasing order that is
- more convenient for proving some of the claims. *)
- Definition leq_steps_T (a b : T * T) := (fst a <= fst b)%C && (snd a <= snd b)%C.
-
- (** Horizon should be positive. *)
- Definition positive_horizon_T (ac_prefix : ArrivalCurvePrefix) := (0 < horizon_of_T ac_prefix)%C.
-
- (** Horizon should bound time steps. *)
- Definition large_horizon_T (ac_prefix : ArrivalCurvePrefix) : bool :=
- all (fun s => s <= horizon_of_T ac_prefix)%C (time_steps_of_T ac_prefix).
-
- (** There should be no infinite arrivals; that is, [value_at 0 = 0]. *)
- Definition no_inf_arrivals_T (ac_prefix : ArrivalCurvePrefix) :=
- (value_at_T ac_prefix 0 == 0)%C.
-
- (** Bursts must be specified; that is, [steps_of] should contain a
- pair [(ε, b)]. *)
- Definition specified_bursts_T (ac_prefix : ArrivalCurvePrefix) :=
- has (fun step => step == 1)%C (time_steps_of_T ac_prefix).
-
- (** The conjunction of the 5 afore-defined properties defines a
- valid arrival-curve prefix. *)
- Definition valid_extrapolated_arrival_curve_T (ac_prefix : ArrivalCurvePrefix) : bool :=
- positive_horizon_T ac_prefix
- && large_horizon_T ac_prefix
- && no_inf_arrivals_T ac_prefix
- && specified_bursts_T ac_prefix
- && sorted_ltn_steps_T ac_prefix.
-
-End Definitions.
-
-Section Translation.
-
- (** First, we define the function that maps a generic arrival-curve prefix to a natural-number
- one... *)
- Definition ACPrefixT_to_ACPrefix (ac_prefix_vec_T : N * seq (N * N)) : ArrivalCurvePrefix :=
- (nat_of_bin (horizon_of_T ac_prefix_vec_T), m_tb2tn (steps_of_T ac_prefix_vec_T)).
-
- (** ... and its function relationship. *)
- Definition RArrivalCurvePrefix := fun_hrel ACPrefixT_to_ACPrefix.
-
- (** Next, we define the converse function, mapping a natural-number arrival-curve prefix
- task to a generic one. *)
- Definition ACPrefix_to_ACPrefixT (ac_prefix_vec : ArrivalCurvePrefix) : (N * seq (N * N)) :=
- (bin_of_nat (horizon_of ac_prefix_vec), m_tn2tb (steps_of ac_prefix_vec)).
-
- (** Further, we define the function that maps a generic task arrival-bound to a natural-number
- one... *)
- Definition task_abT_to_task_ab (ab : @task_arrivals_bound_T N) : task_arrivals_bound :=
- match ab with
- | Periodic_T p => Periodic p
- | Sporadic_T m => Sporadic m
- | ArrivalPrefix_T ac_prefix_vec => ArrivalPrefix (ACPrefixT_to_ACPrefix ac_prefix_vec)
- end.
-
- (** ... and its function relationship. *)
- Definition Rtask_ab := fun_hrel task_abT_to_task_ab.
-
- (** Finally, we define the converse function, mapping a natural-number task arrival-bound
- task to a generic one. *)
- Definition task_ab_to_task_abT (ab : task_arrivals_bound) : @task_arrivals_bound_T N :=
- match ab with
- | Periodic p => Periodic_T (bin_of_nat p)
- | Sporadic m => Sporadic_T (bin_of_nat m)
- | ArrivalPrefix ac_prefix_vec => ArrivalPrefix_T (ACPrefix_to_ACPrefixT ac_prefix_vec)
- end.
-
-End Translation.
-
-Section Lemmas.
-
- (** We prove that [leq_steps_T] is transitive... *)
- Lemma leq_stepsT_is_transitive:
- transitive (@leq_steps_T N leq_N).
- Proof.
- move=> a b c /andP [FSTab SNDab] /andP [FSTbc SNDbc].
- rewrite /leq_steps_T.
- destruct a as [a1 a2], b as [b1 b2], c as [c1 c2]; simpl in *.
- apply/andP; split.
- - by apply /N.leb_spec0; eapply N.le_trans;
- [apply /N.leb_spec0; apply FSTab
- | apply /N.leb_spec0; apply FSTbc].
- - by apply /N.leb_spec0; eapply N.le_trans;
- [apply /N.leb_spec0; apply SNDab
- | apply /N.leb_spec0; apply SNDbc].
- Qed.
-
- (** ... and so is [ltn_steps_T]. *)
- Lemma ltn_stepsT_is_transitive:
- transitive (@ltn_steps_T N lt_N).
- Proof.
- move=> a b c /andP [FSTab SNDab] /andP [FSTbc SNDbc].
- rewrite /ltn_steps_T.
- destruct a as [a1 a2], b as [b1 b2], c as [c1 c2]; simpl in *.
- apply/andP; split.
- - by apply /N.ltb_spec0; eapply N.lt_trans;
- [apply /N.ltb_spec0; apply FSTab
- | apply /N.ltb_spec0; apply FSTbc].
- - by apply /N.ltb_spec0; eapply N.lt_trans;
- [apply /N.ltb_spec0; apply SNDab
- | apply /N.ltb_spec0; apply SNDbc].
- Qed.
-
-End Lemmas.
-
-(** In this fairly technical section, we prove a series of refinements
- aimed to be able to convert between a standard natural-number task
- and a generic task. *)
-Section Refinements.
-
- (** We prove the refinement for the [leq_steps] function. *)
- Global Instance refine_leq_steps :
- refines (prod_R Rnat Rnat ==> prod_R Rnat Rnat ==> bool_R)%rel leq_steps leq_steps_T.
- Proof.
- rewrite /leq_steps /leq_steps_T refinesE => a a' Ra b b' Rb.
- by apply refinesP; refines_apply.
- Qed.
-
- (** Next, we prove the refinement for the [ltn_steps] function. *)
- Global Instance refine_ltn_steps :
- refines (prod_R Rnat Rnat ==> prod_R Rnat Rnat ==> bool_R)%rel ltn_steps ltn_steps_T.
- Proof.
- rewrite /ltn_steps /ltn_steps_T refinesE => a a' Ra b b' Rb.
- destruct a as [a1 a2], a' as [a1' a2'], b as [b1 b2], b' as [b1' b2']; simpl in *.
- inversion Ra; subst.
- inversion Rb; subst.
- by apply andb_R; apply refine_ltn.
- Qed.
-
- (** Next, we prove the refinement for the [ACPrefixT_to_ACPrefix] function. *)
- Local Instance refine_ACPrefixT_to_ACPrefix :
- refines (unify (A:=N * seq (N * N)) ==> prod_R Rnat (list_R (prod_R Rnat Rnat)))%rel ACPrefixT_to_ACPrefix id.
- Proof.
- rewrite refinesE => evec evec' Revec.
- unfold unify in *; subst evec'.
- destruct evec as [h st].
- apply prod_R_pair_R.
- - by compute.
- - simpl; clear h; induction st.
- + apply list_R_nil_R.
- + simpl; apply list_R_cons_R; last by done.
- destruct a; unfold tb2tn, tmap; simpl.
- by apply refinesP; refines_apply.
- Qed.
-
- (** Next, we prove the refinement for the [ltn_steps_sorted] function. *)
- Global Instance refine_ltn_steps_sorted :
- forall xs xs',
- refines ( list_R (prod_R Rnat Rnat) )%rel xs xs' ->
- refines ( bool_R )%rel (sorted ltn_steps xs) (sorted ltn_steps_T xs').
- Proof.
- induction xs as [ | x xs]; intros * Rxs.
- { destruct xs' as [ | x' xs']; first by tc.
- by rewrite refinesE in Rxs; inversion Rxs. }
- { destruct xs' as [ | x' xs']; first by rewrite refinesE in Rxs; inversion Rxs.
- rewrite //= !path_sortedE; first last.
- { by apply ltn_steps_is_transitive. }
- { by apply ltn_stepsT_is_transitive. }
- { rewrite refinesE in Rxs; inversion Rxs; subst.
- rewrite refinesE; apply andb_R.
- - apply refinesP; refines_apply.
- - by apply refinesP; apply IHxs; rewrite refinesE. } }
- Qed.
-
- (** Next, we prove the refinement for the [leq_steps_sorted] function. *)
- Global Instance refine_leq_steps_sorted :
- forall xs xs',
- refines ( list_R (prod_R Rnat Rnat) )%rel xs xs' ->
- refines ( bool_R )%rel (sorted leq_steps xs) (sorted leq_steps_T xs').
- Proof.
- induction xs as [ | x xs]; intros * Rxs.
- { destruct xs' as [ | x' xs']; first by tc.
- by rewrite refinesE in Rxs; inversion Rxs. }
- { destruct xs' as [ | x' xs']; first by rewrite refinesE in Rxs; inversion Rxs.
- rewrite //= !path_sortedE; first last.
- { by apply leq_steps_is_transitive. }
- { by apply leq_stepsT_is_transitive. }
- { rewrite refinesE in Rxs; inversion Rxs; subst.
- rewrite refinesE; apply andb_R.
- - by apply refinesP; refines_apply.
- - by apply refinesP; apply IHxs; rewrite refinesE. } }
- Qed.
-
- (** Next, we prove the refinement for the [value_at] function. *)
- Global Instance refine_value_at :
- refines (prod_R Rnat (list_R (prod_R Rnat Rnat)) ==> Rnat ==> Rnat)%rel value_at value_at_T.
- Proof.
- rewrite refinesE => evec evec' Revec δ δ' Rδ.
- unfold value_at, value_at_T, step_at, step_at_T.
- have RP := refines_snd_R Rnat Rnat.
- rewrite refinesE in RP.
- eapply RP; clear RP.
- have RL := @refine_last _ _ (prod_R Rnat Rnat).
- rewrite refinesE in RL.
- apply RL; clear RL.
- - by apply refinesP; refines_apply.
- - apply filter_R.
- + intros [n1 n2] [n1' n2'] Rnn.
- inversion Rnn; subst; clear Rnn X0; rename X into Rn1.
- by rewrite //=; apply refinesP; refines_apply.
- + unfold steps_of, steps_of_T.
- by apply refinesP; refines_apply.
- Qed.
-
- (** Next, we prove the refinement for the [time_steps_of] function. *)
- Global Instance refine_get_time_steps :
- refines (prod_R Rnat (list_R (prod_R Rnat Rnat)) ==> list_R Rnat)%rel time_steps_of time_steps_of_T.
- Proof.
- rewrite refinesE => evec evec' Revec.
- destruct evec as [h st], evec' as [h' st'].
- inversion Revec; subst; rename X into Rh; rename X0 into Rst.
- rewrite /time_steps_of /time_steps_of_T //=.
- apply refinesP; eapply refine_map.
- - by rewrite refinesE; apply Rst.
- - by apply refines_fst_R.
- Qed.
-
- (** Next, we prove the refinement for the [extrapolated_arrival_curve] function. *)
- Global Instance refine_arrival_curve_prefix :
- refines (prod_R Rnat (list_R (prod_R Rnat Rnat)) ==> Rnat ==> Rnat)%rel extrapolated_arrival_curve extrapolated_arrival_curve_T.
- Proof.
- rewrite refinesE => evec evec' Revec δ δ' Rδ.
- unfold extrapolated_arrival_curve, extrapolated_arrival_curve_T.
- by apply refinesP; refines_apply.
- Qed.
-
- (** Next, we prove the refinement for the [ArrivalCurvePrefix] function. *)
- Global Instance refine_ArrivalPrefix:
- refines (prod_R Rnat (list_R (prod_R Rnat Rnat)) ==> Rtask_ab)%rel ArrivalPrefix ArrivalPrefix_T.
- Proof.
- rewrite refinesE => arrival_curve_prefix arrival_curve_prefix' Rarrival_curve_prefix.
- destruct arrival_curve_prefix as [h steps], arrival_curve_prefix' as [h' steps'].
- inversion_clear Rarrival_curve_prefix; rename X into Rh, X0 into Rsteps.
- unfold Rtask_ab, fun_hrel, task_abT_to_task_ab, ACPrefixT_to_ACPrefix.
- simpl.
- have ->: nat_of_bin h' = h by rewrite -Rh.
- have ->: m_tb2tn steps' = steps; last by done.
- clear h h' Rh; move: steps' Rsteps; induction steps; intros.
- - by destruct steps'; [done | inversion Rsteps].
- - destruct steps'; first by inversion Rsteps.
- inversion_clear Rsteps; rename X into Rh, X0 into Rsteps.
- apply/eqP; rewrite //= eqseq_cons; apply/andP; split.
- + destruct a, p; unfold tb2tn, tmap; simpl; apply/eqP.
- apply prod_RE in Rh.
- by compute in Rh; destruct Rh; subst.
- + by apply/eqP; apply: IHsteps.
- Qed.
-
- (** Next, we define some useful equality functions to guide the typeclass engine. *)
- Global Instance eq_listN : eq_of (seq N) := fun x y => x == y.
- Global Instance eq_NlistNN : eq_of (prod N (seq (prod N N))) := fun x y => x == y.
- Global Instance eq_taskab : eq_of (@task_arrivals_bound_T N) := taskab_eqdef_T.
-
- (** Finally, we prove the refinement for the [ArrivalCurvePrefix] function. *)
- Global Instance refine_task_ab_eq :
- refines (Rtask_ab ==> Rtask_ab ==> bool_R)%rel eqtype.eq_op eq_taskab.
- Proof.
- rewrite refinesE => tb1 tb1' Rtb1 tb2 tb2' Rtb2.
- destruct tb1 as [per1 | spor1 | evec1], tb1' as [per1' | spor1' | evec1'];
- destruct tb2 as [per2 | spor2 | evec2], tb2' as [per2' | spor2' | evec2'].
- all: try (inversion Rtb1; fail); try (inversion Rtb2; fail); try (compute; constructor).
- { replace (Periodic per1 == Periodic per2) with (per1 == per2) by constructor.
- replace (eq_taskab(Periodic_T per1')(Periodic_T per2'))%C with (per1' == per2') by constructor.
- inversion Rtb1; inversion Rtb2; subst; clear.
- by apply refinesP; refines_apply. }
- { replace (Sporadic spor1 == Sporadic spor2) with (spor1 == spor2) by constructor.
- have ->: (eq_taskab (Sporadic_T spor1') (Sporadic_T spor2'))%C = (spor1' == spor2') by constructor.
- inversion Rtb1; inversion Rtb2; subst; clear.
- by apply refinesP; refines_apply. }
- { replace (ArrivalPrefix evec1 == ArrivalPrefix evec2) with (evec1 == evec2) by constructor.
- replace (eq_taskab (ArrivalPrefix_T evec1') (ArrivalPrefix_T evec2'))%C with (evec1' == evec2')%C by constructor.
- inversion Rtb1; inversion Rtb2; subst; clear.
- rename evec1' into evec1, evec2' into evec2.
- destruct evec1 as [h1 evec1], evec2 as [h2 evec2].
- rewrite /ACPrefixT_to_ACPrefix //= !xpair_eqE.
- have -> : ((h1, evec1) == (h2, evec2))%C = ((h1 == h2) && (evec1 == evec2))%C by constructor.
- apply andb_R.
- apply refinesP; refines_apply.
- clear h1 h2; move: evec2; induction evec1 as [| h1 evec1]; first by intros [].
- simpl; intros [ | h2 evec2]; first by done.
- rewrite //= !eqseq_cons.
- apply andb_R; last by apply IHevec1.
- destruct h1, h2; simpl.
- rewrite /tb2tn /tmap; simpl.
- replace ((n, n0) == (n1, n2)) with ((n == n1) && (n0 == n2)) by constructor.
- replace ((nat_of_bin n, nat_of_bin n0) == (nat_of_bin n1, nat_of_bin n2)) with
- ((nat_of_bin n == nat_of_bin n1) && (nat_of_bin n0 == nat_of_bin n2)) by constructor.
- apply refinesP; refines_apply. }
- Qed.
-
-End Refinements.
diff --git a/implementation/refinements/arrival_curve.v b/implementation/refinements/arrival_curve.v
deleted file mode 100644
index ca61002ec0b815b7cf415c5a1d03fb0b939f1525..0000000000000000000000000000000000000000
--- a/implementation/refinements/arrival_curve.v
+++ /dev/null
@@ -1,385 +0,0 @@
-Require Export prosa.analysis.definitions.request_bound_function.
-Require Export prosa.implementation.refinements.task.
-
-(** ** Arrival Curve Refinements. *)
-
-(** In this module, we provide a series of definitions related to arrival curves
- when working with generic tasks. *)
-
-(** First, we define a helper function that yields the horizon of the arrival
- curve prefix of a task ... *)
-Definition get_horizon_of_task (tsk : Task) : duration :=
- horizon_of (get_arrival_curve_prefix tsk).
-
-(** ... another one that yields the time steps of the arrival curve, ... *)
-Definition get_time_steps_of_task (tsk : Task) : seq duration :=
- time_steps_of (get_arrival_curve_prefix tsk).
-
-(** ... a function that yields the same time steps, offset by δ, ...**)
-Definition time_steps_with_offset tsk δ := [seq t + δ | t <- get_time_steps_of_task tsk].
-
-(** ... and a generalization of the previous function that repeats the time
- steps for each given offset. *)
-Definition repeat_steps_with_offset (tsk : Task) (offsets : seq nat): seq nat :=
- flatten (map (time_steps_with_offset tsk) offsets).
-
-(** For convenience, we provide a short form to indicate the request-bound
- function of a task. *)
-Definition task_rbf (tsk : Task) (Δ : duration) :=
- task_request_bound_function tsk Δ.
-
-(** Further, we define a valid arrival bound as (1) a positive
- minimum inter-arrival time/period, or (2) a valid arrival curve prefix. *)
-Definition valid_arrivals (tsk : Task) : bool :=
- match task_arrival tsk with
- | Periodic p => p >= 1
- | Sporadic m => m >= 1
- | ArrivalPrefix emax_vec => valid_arrival_curve_prefix_dec emax_vec
- end.
-
-(** Next, we define some helper functions, that indicate whether
- the given task is periodic, ... *)
-Definition is_periodic_arrivals (tsk : Task) : Prop :=
- exists p, task_arrival tsk = Periodic p.
-
-(** ... sporadic, ... *)
-Definition is_sporadic_arrivals (tsk : Task) : Prop :=
- exists m, task_arrival tsk = Sporadic m.
-
-(** ... or bounded by an arrival curve. *)
-Definition is_etamax_arrivals (tsk : Task) : Prop :=
- exists ac_prefix_vec, task_arrival tsk = ArrivalPrefix ac_prefix_vec.
-
-(** Further, for convenience, we define the notion of task
- having a valid arrival curve. *)
-Definition has_valid_arrival_curve_prefix (tsk: Task) :=
- exists ac_prefix_vec, get_arrival_curve_prefix tsk = ac_prefix_vec /\
- valid_arrival_curve_prefix ac_prefix_vec.
-
-(** Finally, we define define the notion of task set with
- valid arrivals. *)
-Definition task_set_with_valid_arrivals (ts : seq Task) :=
- forall tsk,
- tsk \in ts -> valid_arrivals tsk.
-
-(** In this section, we prove some facts regarding the above definitions. *)
-Section Facts.
-
- (** Consider a task [tsk]. *)
- Variable tsk : Task.
-
- (** First, we show that [valid_arrivals] matches [valid_arrivals_dec]. *)
- Lemma valid_arrivals_P :
- reflect (valid_arrivals tsk) (valid_arrivals tsk).
- Proof.
- destruct tsk, task_arrival.
- all: unfold valid_arrivals, valid_arrivals; try by apply idP.
- Qed.
-
- (** Next, we show that a task is either periodic, sporadic, or bounded by
- an arrival-curve prefix. *)
- Lemma arrival_cases :
- is_periodic_arrivals tsk
- \/ is_sporadic_arrivals tsk
- \/ is_etamax_arrivals tsk.
- Proof.
- rewrite /is_periodic_arrivals /is_sporadic_arrivals /is_etamax_arrivals.
- destruct (task_arrival tsk).
- - by left; eexists; reflexivity.
- - by right; left; eexists; reflexivity.
- - by right; right; eexists; reflexivity.
- Qed.
-
-End Facts.
-
-
-(** In this fairly technical section, we prove a series of refinements
- aimed to be able to convert between a standard natural-number task
- arrival bound and an arrival bound that uses, instead of numbers,
- a generic type [T]. *)
-Section Theory.
-
- (** First, we prove a refinement for [positive_horizon]. *)
- Local Instance refine_positive_horizon :
- refines (prod_R Rnat (list_R (prod_R Rnat Rnat)) ==> bool_R)%rel
- positive_horizon positive_horizon_T.
- Proof.
- unfold positive_horizon, positive_horizon_T.
- apply refines_abstr; intros.
- unfold horizon_of, horizon_of_T.
- destruct a as [h s], b as [h' s']; simpl.
- rewrite refinesE; rewrite refinesE in X; inversion_clear X.
- by apply refine_ltn; auto using Rnat_0.
- Qed.
-
- (** Next, we prove a refinement for [large_horizon]. *)
- Local Instance refine_large_horizon :
- refines (prod_R Rnat (list_R (prod_R Rnat Rnat)) ==> bool_R)%rel
- large_horizon_dec large_horizon_T.
- Proof.
- unfold large_horizon_dec, large_horizon_T.
- apply refines_abstr; intros ac ac' Rac.
- refines_apply.
- apply refines_abstr; intros a a' Ra.
- by refines_apply.
- Qed.
-
- (** Next, we prove a refinement for [no_inf_arrivals]. *)
- Local Instance refine_no_inf_arrivals :
- refines (prod_R Rnat (list_R (prod_R Rnat Rnat)) ==> bool_R)%rel
- no_inf_arrivals no_inf_arrivals_T.
- Proof.
- unfold no_inf_arrivals, no_inf_arrivals_T.
- apply refines_abstr; intros ac ac' Rac.
- refines_apply.
- Qed.
-
- (** Next, we prove a refinement for [specified_bursts]. *)
- Local Instance refine_specified_bursts :
- refines (prod_R Rnat (list_R (prod_R Rnat Rnat)) ==> bool_R)%rel
- specified_bursts specified_bursts_T.
- Proof.
- unfold specified_bursts, specified_bursts_T.
- apply refines_abstr; intros ac ac' Rac.
- rewrite -has_pred1.
- refines_apply; last first.
- - by refines_abstr; rewrite pred1E eq_sym /ε; refines_apply.
- - refines_abstr.
- rewrite refinesE; eapply has_R; last by apply refinesP; eassumption.
- by intros; apply refinesP; refines_apply.
- Qed.
-
- (** Next, we prove a refinement for the arrival curve prefix validity. *)
- Local Instance refine_valid_arrival_curve_prefix :
- refines
- (prod_R Rnat (list_R (prod_R Rnat Rnat)) ==> bool_R)%rel
- valid_arrival_curve_prefix_dec
- valid_extrapolated_arrival_curve_T.
- Proof.
- apply refines_abstr.
- unfold valid_arrival_curve_prefix_dec, valid_extrapolated_arrival_curve_T.
- by intros; refines_apply.
- Qed.
-
- (** Next, we prove a refinement for the arrival curve validity. *)
- Global Instance refine_valid_arrivals :
- forall tsk,
- refines (bool_R)%rel
- (valid_arrivals (taskT_to_task tsk))
- (valid_arrivals_T tsk) | 0.
- Proof.
- intros ?.
- have Rtsk := refine_task'.
- rewrite refinesE in Rtsk.
- specialize (Rtsk tsk tsk (unifyxx _)); simpl in Rtsk.
- have Rab := refine_task_arrival.
- rewrite refinesE in Rab.
- specialize (Rab _ _ Rtsk).
- all: unfold valid_arrivals, valid_arrivals_T.
- destruct (task_arrival (_ _)) as [?|?|arrival_curve_prefix], (task_arrival_T _) as [?|?|arrival_curve_prefixT].
- all: try (inversion Rab; fail).
- all: try (refines_apply; rewrite refinesE; inversion Rab; subst; by done).
- { unfold ArrivalCurvePrefix in *.
- refines_apply.
- destruct arrival_curve_prefix as [h st], arrival_curve_prefixT as [h' st'].
- inversion Rab; refines_apply.
- move: H1; clear; move: st'.
- rewrite refinesE; induction st; intros [|s st']; try done.
- - by intros _; rewrite //=; apply list_R_nil_R.
- - intros ?; inversion H1; rewrite //=.
- apply list_R_cons_R; last by apply IHst.
- destruct s, a; unfold tb2tn, tmap; simpl.
- by apply refinesP; refines_apply. }
- Qed.
-
- (** Next, we prove a refinement for [repeat_steps_with_offset]. *)
- Global Instance refine_repeat_steps_with_offset :
- refines (Rtask ==> list_R Rnat ==> list_R Rnat)%rel
- repeat_steps_with_offset repeat_steps_with_offset_T.
- Proof.
- rewrite refinesE => tsk tsk' Rtsk os os' Ros.
- apply flatten_R; eapply map_R; last by apply Ros.
- intros o o' Ro.
- eapply map_R.
- { by intros a a' Ra; apply refinesP; refines_apply. }
- { unfold get_time_steps_of_task, get_time_steps_of_task_T.
- have Rab := refine_task_arrival.
- rewrite refinesE in Rab; specialize (Rab _ _ Rtsk).
- rewrite /get_arrival_curve_prefix /get_extrapolated_arrival_curve_T.
- destruct (task_arrival tsk) as [?|?|arrival_curve_prefix], (task_arrival_T tsk') as [?|?|arrival_curve_prefixT].
- all: try (inversion Rab; fail).
- all: unfold inter_arrival_to_prefix, inter_arrival_to_extrapolated_arrival_curve_T.
- { apply refinesP; refines_apply.
- by rewrite refinesE; inversion Rab; subst. }
- { apply refinesP; refines_apply.
- by rewrite refinesE; inversion Rab; subst. }
- { apply refinesP; refines_apply.
- destruct arrival_curve_prefix as [h st], arrival_curve_prefixT as [h' st'].
- inversion Rab; refines_apply.
- move: H1; clear; move: st'.
- rewrite refinesE; induction st; intros [ |s st']; try done.
- - by intros _; rewrite //=; apply list_R_nil_R.
- - intros ?; inversion H1; rewrite //=.
- apply list_R_cons_R; last by apply IHst.
- destruct s, a; unfold tb2tn, tmap; simpl.
- by apply refinesP; refines_apply. } }
- Qed.
-
-
- (** Next, we prove a refinement for [get_horizon_of_task]. *)
- Global Instance refine_get_horizon_of_task :
- refines (Rtask ==> Rnat)%rel get_horizon_of_task get_horizon_of_task_T.
- Proof.
- rewrite refinesE => tsk tsk' Rtsk.
- rewrite /get_horizon_of_task /get_horizon_of_task_T.
- have Rab := refine_task_arrival.
- rewrite refinesE in Rab; specialize (Rab _ _ Rtsk).
- rewrite /get_arrival_curve_prefix /get_extrapolated_arrival_curve_T.
- destruct (task_arrival _) as [?|?|arrival_curve_prefix], (task_arrival_T _) as [?|?|arrival_curve_prefixT].
- all: try (inversion Rab; fail).
- all: unfold inter_arrival_to_prefix, inter_arrival_to_extrapolated_arrival_curve_T.
- { apply refinesP; refines_apply.
- by rewrite refinesE; inversion Rab; subst. }
- { apply refinesP; refines_apply.
- by rewrite refinesE; inversion Rab; subst. }
- { destruct arrival_curve_prefix as [h st], arrival_curve_prefixT as [h' st'].
- rewrite /horizon_of /horizon_of_T //=.
- by inversion Rab; apply refinesP; tc. }
- Qed.
-
- (** Next, we prove a refinement for the extrapolated arrival curve. *)
- Local Instance refine_extrapolated_arrival_curve :
- forall arrival_curve_prefix arrival_curve_prefixT δ δ',
- refines Rnat δ δ' ->
- Rtask_ab (ArrivalPrefix arrival_curve_prefix) (ArrivalPrefix_T arrival_curve_prefixT) ->
- refines Rnat (extrapolated_arrival_curve arrival_curve_prefix δ) (extrapolated_arrival_curve_T arrival_curve_prefixT δ').
- Proof.
- move=> arrival_curve_prefix arrival_curve_prefixT δ δ' Rδ Rab.
- refines_apply.
- destruct arrival_curve_prefix as [h st], arrival_curve_prefixT as [h' st'].
- inversion Rab; refines_apply.
- move: H1; clear; move: st'.
- rewrite refinesE; induction st; intros [ |s st']; try done.
- - by intros _; rewrite //=; apply list_R_nil_R.
- - intros ?; inversion H1; rewrite //=.
- apply list_R_cons_R; last by apply IHst.
- destruct s, a; unfold tb2tn, tmap; simpl.
- by apply refinesP; refines_apply.
- Qed.
-
- (** Next, we prove a refinement for the arrival bound definition. *)
- Local Instance refine_ConcreteMaxArrivals :
- refines ( Rtask ==> Rnat ==> Rnat )%rel ConcreteMaxArrivals ConcreteMaxArrivals_T.
- Proof.
- apply refines_abstr2.
- rewrite /ConcreteMaxArrivals /concrete_max_arrivals /ConcreteMaxArrivals_T.
- move => tsk tsk' Rtsk δ δ' Rδ.
- have Rab := refine_task_arrival.
- rewrite refinesE in Rab; rewrite refinesE in Rtsk.
- specialize (Rab _ _ Rtsk).
- rewrite /get_arrival_curve_prefix /get_extrapolated_arrival_curve_T.
- destruct (task_arrival tsk) as [?|?|arrival_curve_prefix], (task_arrival_T tsk') as [?|?|arrival_curve_prefixT].
- all: try (inversion Rab; fail).
- all: unfold inter_arrival_to_prefix, inter_arrival_to_extrapolated_arrival_curve_T.
- { by refines_apply; rewrite refinesE; inversion Rab; subst. }
- { by refines_apply; rewrite refinesE; inversion Rab; subst. }
- { by apply refine_extrapolated_arrival_curve. }
- Qed.
-
- (** Next, we prove a refinement for the arrival bound definition applied to the
- task conversion function. *)
- Global Instance refine_ConcreteMaxArrivals' :
- forall tsk,
- refines (Rnat ==> Rnat)%rel (ConcreteMaxArrivals (taskT_to_task tsk))
- (ConcreteMaxArrivals_T tsk) | 0.
- Proof.
- intros tsk; apply refines_abstr.
- rewrite /ConcreteMaxArrivals /concrete_max_arrivals
- /ConcreteMaxArrivals_T => δ δ' Rδ.
- have Rtsk := refine_task'.
- rewrite refinesE in Rtsk.
- specialize (Rtsk tsk tsk (unifyxx _)); simpl in Rtsk.
- have Rab := refine_task_arrival.
- rewrite refinesE in Rab.
- specialize (Rab _ _ Rtsk).
- rewrite /get_arrival_curve_prefix /get_extrapolated_arrival_curve_T.
- destruct (task_arrival (_ _)) as [?|?|arrival_curve_prefix], (task_arrival_T tsk) as [?|?|arrival_curve_prefixT].
- all: try (inversion Rab; fail).
- all: unfold inter_arrival_to_prefix, inter_arrival_to_extrapolated_arrival_curve_T.
- { by refines_apply; rewrite refinesE; inversion Rab; subst. }
- { by refines_apply; rewrite refinesE; inversion Rab; subst. }
- { by apply refine_extrapolated_arrival_curve. }
- Qed.
-
- (** Next, we prove a refinement for [get_arrival_curve_prefix]. *)
- Global Instance refine_get_arrival_curve_prefix :
- refines (Rtask ==> prod_R Rnat (list_R (prod_R Rnat Rnat)))%rel
- get_arrival_curve_prefix get_extrapolated_arrival_curve_T.
- Proof.
- rewrite refinesE => tsk tsk' Rtsk.
- have Rab := refine_task_arrival.
- rewrite refinesE in Rab; specialize (Rab _ _ Rtsk).
- rewrite /get_arrival_curve_prefix /get_extrapolated_arrival_curve_T.
- unfold inter_arrival_to_prefix, inter_arrival_to_extrapolated_arrival_curve_T.
- destruct (task_arrival _) as [?|?|e], (task_arrival_T _) as [?|?|eT].
- all: try (inversion Rab; fail).
- all: try (inversion Rab; subst; apply refinesP; refines_apply; fail).
- destruct e as [h?], eT as [? st];[apply refinesP; refines_apply; inversion Rab; tc].
- inversion Rab; subst.
- induction st; first by rewrite //= refinesE; apply list_R_nil_R.
- destruct a; rewrite refinesE.
- apply list_R_cons_R; first by apply refinesP; unfold tb2tn,tmap; refines_apply.
- by apply refinesP, IHst.
- Qed.
-
- (** Next, we prove a refinement for [get_arrival_curve_prefix] applied to lists. *)
- Global Instance refine_get_arrival_curve_prefix' :
- forall tsk,
- refines
- (prod_R Rnat (list_R (prod_R Rnat Rnat)))%rel
- (get_arrival_curve_prefix (taskT_to_task tsk))
- (get_extrapolated_arrival_curve_T tsk) | 0.
- Proof.
- intros tsk.
- have Rtsk := refine_task'.
- rewrite refinesE in Rtsk.
- specialize (Rtsk tsk tsk (unifyxx _)); simpl in Rtsk.
- move: (refine_task_arrival) => Rab.
- rewrite refinesE in Rab.
- specialize (Rab _ _ Rtsk).
- rewrite /get_arrival_curve_prefix /get_extrapolated_arrival_curve_T.
- unfold inter_arrival_to_prefix, inter_arrival_to_extrapolated_arrival_curve_T.
- destruct (task_arrival _) as [?|?|e], (task_arrival_T _) as [?|?|eT].
- all: try (inversion Rab; fail).
- all: try (inversion Rab; subst; refines_apply; fail).
- destruct e as [h?], eT as [? st]; refines_apply; first by inversion Rab; subst; tc.
- inversion Rab; subst.
- induction st; first by rewrite //= refinesE; apply list_R_nil_R.
- destruct a; rewrite //= refinesE.
- apply list_R_cons_R; first by apply refinesP; unfold tb2tn,tmap; refines_apply.
- by apply refinesP, IHst.
- Qed.
-
- (** Next, we prove a refinement for [sorted] when applied to [leq_steps]. *)
- Global Instance refine_sorted_leq_steps :
- forall tsk,
- refines (bool_R)%rel
- (sorted leq_steps (steps_of (get_arrival_curve_prefix (taskT_to_task tsk))))
- (sorted leq_steps_T (get_extrapolated_arrival_curve_T tsk).2) | 0.
- Proof.
- intros.
- by apply refine_leq_steps_sorted; refines_apply.
- Qed.
-
- (** Lastly, we prove a refinement for the task request-bound function. *)
- Global Instance refine_task_rbf :
- refines ( Rtask ==> Rnat ==> Rnat )%rel task_rbf task_rbf_T.
- Proof.
- apply refines_abstr2.
- rewrite /task_rbf /task_rbf_T /task_request_bound_function
- /concept.task_cost /TaskCost
- /max_arrivals /MaxArrivals => t t' Rt y y' Ry.
- by refines_apply.
- Qed.
-
-End Theory.
diff --git a/implementation/refinements/arrival_curve_prefix.v b/implementation/refinements/arrival_curve_prefix.v
deleted file mode 100644
index a153016bf77457958a37f223d87df3213efda0da..0000000000000000000000000000000000000000
--- a/implementation/refinements/arrival_curve_prefix.v
+++ /dev/null
@@ -1,92 +0,0 @@
-Require Export prosa.implementation.refinements.arrival_curve.
-
-(** In this section, we prove some properties that every valid
- arrival curve prefix entails. *)
-Section ValidArrivalCurvePrefixFacts.
-
- (** Consider a task set with valid arrivals [ts], ... *)
- Variable ts : seq Task.
- Hypothesis H_valid_task_set : task_set_with_valid_arrivals ts.
-
- (** ... and a task [tsk] belonging to [ts] with positive cost and
- non-zero arrival bound. *)
- Variable tsk : Task.
- Hypothesis H_positive_cost : 0 < task_cost tsk.
- Hypothesis H_tsk_in_ts : tsk \in ts.
- Hypothesis H_positive_step : fst (head (0,0) (steps_of (get_arrival_curve_prefix tsk))) > 0.
-
- (** First, we show that the arrival curve prefix of [tsk] is valid. *)
- Lemma has_valid_arrival_curve_prefix_tsk :
- has_valid_arrival_curve_prefix tsk.
- Proof.
- move: (H_valid_task_set tsk H_tsk_in_ts); rewrite /valid_arrivals => VALID.
- destruct (arrival_cases tsk) as [[p EQ] | [[m EQ] | [evec EQ]]].
- all: rewrite /has_valid_arrival_curve_prefix /max_arrivals /MaxArrivals /ConcreteMaxArrivals /get_arrival_curve_prefix EQ //=.
- all: rewrite EQ in VALID.
- { exists (inter_arrival_to_prefix p).
- split;[|split;[|split;[|split;[|split]]]] => //=.
- move=> s.
- rewrite /large_horizon in_cons => /orP [|] => /eqP EQs //=.
- by subst s; rewrite //=; lia. }
- { exists (inter_arrival_to_prefix m).
- split;[|split;[|split;[|split;[|split]]]] => //=.
- move=> s.
- rewrite /large_horizon in_cons => /orP [|] => /eqP EQs //=.
- by subst s; rewrite //=; lia. }
- { by exists evec; split => //; apply /valid_arrival_curve_prefix_P. }
- Qed.
-
- (** Next, we show that each time step of the arrival curve prefix must be
- positive. *)
- Lemma steps_are_positive_if_first_step_is_positive :
- forall st,
- st \in get_time_steps_of_task tsk -> st > 0.
- Proof.
- intros st IN; unfold get_time_steps_of_task in *.
- move: (H_valid_task_set) => VAL; specialize (VAL _ H_tsk_in_ts).
- unfold valid_arrivals in VAL; unfold get_arrival_curve_prefix in *.
- destruct (task_arrival tsk).
- { by unfold inter_arrival_to_prefix, time_steps_of in *; simpl in IN;
- move: IN; rewrite mem_seq1 => /eqP EQ; subst. }
- { by unfold inter_arrival_to_prefix, time_steps_of in *; simpl in IN;
- move: IN; rewrite mem_seq1 => /eqP EQ; subst. }
- { destruct a as [h [ | st0 sts]]; first by done.
- move: IN => /mapP [[t v] IN EQ]; simpl in *; subst st.
- move: IN; rewrite in_cons => /orP [/eqP EQ | IN]; first by subst.
- move: VAL => /valid_arrival_curve_prefix_P VAL.
- destruct VAL as [_ [_ [_ [_ SORT]]]].
- unfold sorted_ltn_steps in *; simpl in *.
- rewrite (@path_sorted_inE _ predT) in SORT; last apply all_predT.
- + move: SORT => /andP [/allP ALL _].
- specialize (ALL (t,v) IN); move: ALL.
- destruct st0; simpl in *.
- by move => /andP //= => [[LT1 LT2]]; lia.
- + by intros ? ? ? _ _ _; apply ltn_steps_is_transitive. }
- Qed.
-
- (** Next, we show that even shifting the time steps by a positive
- offset, they remain positive. *)
- Lemma nonshifted_offsets_are_positive :
- forall A offs,
- A \in repeat_steps_with_offset tsk offs -> A > 0.
- Proof.
- intros * IN.
- move: IN => /flatten_mapP [o INo IN].
- move: IN => /mapP [st IN EQ]; subst A.
- rewrite addn_gt0; apply/orP; left.
- by apply steps_are_positive_if_first_step_is_positive.
- Qed.
-
- (** Finally, we show that the time steps are strictly increasing. *)
- Lemma time_steps_sorted :
- sorted ltn (get_time_steps_of_task tsk).
- Proof.
- move: (H_valid_task_set) => VALID; rewrite /get_time_steps_of_task.
- move: (has_valid_arrival_curve_prefix_tsk) => [arrival_curve_prefix [EQ [POSh [LARGEh [NOINF [BUR SORT]]]]]].
- rewrite EQ.
- eapply (homo_sorted _ _ SORT).
- Unshelve.
- by move => x y; rewrite /ltn_steps => /andP[LT _].
- Qed.
-
-End ValidArrivalCurvePrefixFacts.
diff --git a/implementation/refinements/fast_search_space_computation.v b/implementation/refinements/fast_search_space_computation.v
deleted file mode 100644
index bc9585d95321379c0235e38e99c7dc82cbada5f6..0000000000000000000000000000000000000000
--- a/implementation/refinements/fast_search_space_computation.v
+++ /dev/null
@@ -1,260 +0,0 @@
-Require Export prosa.implementation.refinements.arrival_curve_prefix.
-
-(** In this section, we provide definitions and lemmas to show
- Abstract RTA' s search space can be rewritten in an equivalent,
- computation-oriented way. *)
-Section FastSearchSpaceComputation.
-
- (** Let L be a constant which bounds any busy interval of task [tsk]. *)
- Variable L : duration.
-
- (** Consider a task set [ts] with valid arrivals... *)
- Variable ts : seq Task.
- Hypothesis H_valid_task_set : task_set_with_valid_arrivals ts.
-
- (** ... and a task [tsk] of [ts] with positive cost. *)
- Variable tsk : Task.
- Hypothesis H_positive_cost : 0 < task_cost tsk.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- Section Definitions.
-
- (** We generically define the search space for fixed-priority tasks in
- the interval <<[l,r)>> by repeating the time steps of the task
- in the interval <<[l*h,r*h)>>. *)
- Definition search_space_arrival_curve_prefix_FP_h (tsk : Task) l r :=
- let h := get_horizon_of_task tsk in
- let offsets := map (muln h) (iota l r) in
- let arrival_curve_prefix_offsets := repeat_steps_with_offset tsk offsets in
- map predn arrival_curve_prefix_offsets.
-
- (** By using the above definition, we give a concrete definition of
- the search space for fixed-priority tasks. *)
- Definition search_space_arrival_curve_prefix_FP (tsk : Task) L :=
- let h := get_horizon_of_task tsk in
- search_space_arrival_curve_prefix_FP_h (tsk : Task) 0 (L %/h).+1.
-
- End Definitions.
-
- Section Facts.
-
- (** We begin by showing that either each time step of an arrival curve prefix
- is either strictly less than the horizon, or it is the horizon. *)
- Lemma steps_lt_horizon_last_eq_horizon :
- (forall s, s \in get_time_steps_of_task tsk -> s < get_horizon_of_task tsk) \/
- (last0 (get_time_steps_of_task tsk) = get_horizon_of_task tsk).
- Proof.
- move: (has_valid_arrival_curve_prefix_tsk _ H_valid_task_set _ H_tsk_in_ts).
- move => [arrival_curve_prefix [EQ [POSh [LARGEh [NOINF [BUR SORT]]]]]].
- destruct (ltngtP (last0 (get_time_steps_of_task tsk)) (get_horizon_of_task tsk))
- as [GT1 | LT1 | EQ1]; last by right.
- { left.
- move => step IN.
- apply leq_ltn_trans with (n:=last0 (get_time_steps_of_task tsk)) => //.
- move: (time_steps_sorted ts H_valid_task_set tsk H_tsk_in_ts).
- rewrite ltn_sorted_uniq_leq => /andP [TS_UNIQ TS_SORT].
- apply (sorted_leq_index leq_trans leqnn TS_SORT step _ IN) => //=.
- - by destruct get_time_steps_of_task; last by rewrite /last0 //=; apply mem_last.
- - destruct get_time_steps_of_task; rewrite //= -index_mem in IN.
- by rewrite /last0; simpl (last 0 _); rewrite index_last. }
- { exfalso. (* h is at least the last step *)
- destruct get_time_steps_of_task eqn:TS => //.
- have IN: last0 (d::l) \in d::l by rewrite /last0 //=; apply mem_last.
- unfold large_horizon, get_time_steps_of_task in *.
- rewrite EQ in TS; rewrite TS in LARGEh.
- apply LARGEh in IN.
- by rewrite /get_horizon_of_task EQ in LT1; lia. }
- Qed.
-
-
- (** Next, we show that for each offset [A] in the search space for fixed-priority
- tasks, either (1) [A+ε] is zero or a multiple of the horizon, offset by
- one of the time steps of the arrival curve prefix, or (2) [A+ε] is
- exactly a multiple of the horizon. *)
- Lemma structure_of_correct_search_space :
- forall A,
- A < L ->
- task_rbf tsk A != task_rbf tsk (A + ε) ->
- (exists i t,
- i < (L %/ get_horizon_of_task tsk).+1
- /\ (t \in get_time_steps_of_task tsk)
- /\ A + ε = i * get_horizon_of_task tsk + t )
- \/ (exists i,
- i < (L %/ get_horizon_of_task tsk).+1
- /\ A + ε = i * get_horizon_of_task tsk).
- Proof.
- move: (has_valid_arrival_curve_prefix_tsk ts H_valid_task_set tsk H_tsk_in_ts).
- move=> [evec [EQ [POSh [LARGEh [NOINF [BUR SORT]]]]]] A LT_L NEQ.
- rewrite eqn_pmul2l // /max_arrivals /MaxArrivals /ConcreteMaxArrivals
- /concrete_max_arrivals EQ in NEQ.
- rewrite /get_horizon_of_task EQ.
- move: (sorted_ltn_steps_imply_sorted_leq_steps_steps _ SORT NOINF) => SORT_LEQ.
- unfold positive_horizon in *; set (h := horizon_of evec) in *.
- move: (extrapolated_arrival_curve_change evec POSh SORT_LEQ A NEQ) => [LT|[EQdiv LTe]].
- { right.
- exists ((A+ε) %/ h); split; first by rewrite ltnS leq_div2r // /ε; lia.
- by symmetry; apply /eqP; rewrite -dvdn_eq; by apply ltdivn_dvdn. }
- { left.
- exists ((A + ε) %/ h), (step_at evec ((A + ε) %% h)).1; split; last split.
- { by rewrite addn1 ltnS; apply leq_div2r. }
- { rewrite /get_time_steps_of_task EQ.
- have-> := @map_f _ _ fst (steps_of _) (last (0, 0) [seq s <- _ | s.1 <= (A+ε)%%h])=> //.
- have EQeps: (A + ε) %% h = A %% h + ε by apply addn1_modn_commute.
- rewrite EQeps in LTe.
- move: (value_at_change_is_in_steps_of _ SORT_LEQ NOINF _ LTe) => [v IN].
- rewrite -EQeps in IN; apply filter_last_mem; apply /hasP.
- by exists ((A+ε) %% h, v). }
- { case (extrapolated_arrival_curve_change _ POSh SORT_LEQ _ NEQ) as [EQs|[EQs LT]].
- { apply ltdivn_dvdn in EQs; move: EQs => /dvdnP [k EQs]; rewrite EQs.
- by rewrite modnMl step_at_0_is_00; [rewrite addn0 mulnK | apply SORT |]. }
- { subst h; unfold ε in *; set (h := horizon_of evec) in *.
- rewrite {1}[_ + _](divn_eq _ h).
- apply/eqP; rewrite eqn_add2l; apply/eqP.
- rewrite modnD //= [h <= _]leqNgt addmod_le_mod //= subn0 in LT.
- have EQ1: 1%%h= 1 by apply modn_small; case h as [|[|h]]; rewrite //= in EQs; lia.
- rewrite EQ1 in LT; apply value_at_change_is_in_steps_of in LT => //.
- case LT as [v IN].
- rewrite modnD //= [h <= _]leqNgt addmod_le_mod //=.
- apply step_at_agrees_with_steps_of in IN => //.
- by rewrite subn0 !EQ1 IN. } } }
- Qed.
-
- (** Conversely, every multiple of the horizon that is strictly less than [L] is contained
- in the search space for fixed-priority tasks... *)
- Lemma multiple_of_horizon_in_approx_ss :
- forall A,
- A < L ->
- get_horizon_of_task tsk %| A ->
- A \in search_space_arrival_curve_prefix_FP tsk L.
- Proof.
- move: (has_valid_arrival_curve_prefix_tsk ts H_valid_task_set tsk H_tsk_in_ts) => [evec [EMAX VALID]].
- intros * LT DIV; rewrite /search_space_arrival_curve_prefix_FP.
- destruct VALID as [POSh [LARGEh [NOINF [BUR SORT]]]].
- replace A with (A + ε - ε); last by lia.
- rewrite subn1; apply map_f.
- set (h := get_horizon_of_task tsk) in *.
- rewrite /repeat_steps_with_offset; apply/flatten_mapP.
- move: DIV => /dvdnP [k DIV]; subst A.
- exists (k * h).
- { rewrite mulnC; apply map_f.
- rewrite mem_iota; apply/andP; split; first by apply leq0n.
- rewrite add0n ltnS leq_divRL //; first by lia.
- rewrite /specified_bursts in BUR.
- by rewrite /h /get_horizon_of_task EMAX. }
- { rewrite /time_steps_with_offset addnC.
- have MFF := map_f (fun t0 => t0 + k * h); apply: MFF.
- by rewrite /get_time_steps_of_task EMAX; apply BUR. }
- Qed.
-
- (** ... and every [A] for which [A+ε] is a multiple of the horizon offset by a
- time step of the arrival curve prefix is also in the search space for
- fixed-priority tasks. *)
- Lemma steps_in_approx_ss :
- forall i t A,
- i < (L %/ get_horizon_of_task tsk).+1 ->
- (t \in get_time_steps_of_task tsk) ->
- A + ε = i * get_horizon_of_task tsk + t ->
- A \in search_space_arrival_curve_prefix_FP tsk L.
- Proof.
- move: (H_valid_task_set) => VALID; intros * LT IN EQ; rewrite /search_space_arrival_curve_prefix_FP.
- replace A with (A + ε - ε); last by lia.
- rewrite subn1; apply map_f.
- set (h := get_horizon_of_task tsk) in *.
- rewrite /repeat_steps_with_offset; apply/flatten_mapP.
- exists (i * h); first by rewrite mulnC; apply map_f; rewrite mem_iota; lia.
- unfold time_steps_with_offset.
- rewrite EQ addnC.
- by apply (map_f (fun t0 => t0 + i * h) IN).
- Qed.
-
- (** Next, we show that if the horizon of the arrival curve prefix divides [A+ε],
- then [A] is not contained in the search space for fixed-priority tasks. *)
- Lemma constant_max_arrivals :
- forall A,
- (forall s, s \in get_time_steps_of_task tsk -> s < get_horizon_of_task tsk) ->
- get_horizon_of_task tsk %| (A + ε) ->
- max_arrivals tsk A = max_arrivals tsk (A + ε).
- Proof.
- move: (has_valid_arrival_curve_prefix_tsk ts H_valid_task_set tsk H_tsk_in_ts).
- move=> [evec [EMAX [POSh [LARGEh [NOINF [BUR SORT]]]]]] A LTH DIV.
- rewrite /max_arrivals /ConcreteMaxArrivals /concrete_max_arrivals EMAX.
- rewrite /get_horizon_of_task EMAX in DIV; move: (DIV) => /eqP MOD0.
- rewrite /extrapolated_arrival_curve.
- set (h := horizon_of evec) in *; set (vec := value_at evec) in *.
- destruct (ltngtP 1 h) as [GT1|LT1|EQ1].
- { move: NOINF => /eqP NOINF.
- rewrite MOD0 {4}/vec NOINF addn0.
- have -> : vec (A %% h) = vec h.
- { rewrite /vec /value_at.
- have -> : ((step_at evec (A %% h)) = (step_at evec h)) => //.
- rewrite (pred_Sn A) -addn1 modn_pred; [|repeat destruct h=> //|lia].
- rewrite /step_at DIV.
- have -> : [seq step <- steps_of evec | step.1 <= h] = steps_of evec.
- { apply /all_filterP /allP => [step IN]; apply ltnW; subst h.
- move: LTH; rewrite /get_horizon_of_task EMAX => -> //.
- rewrite /get_time_steps_of_task EMAX.
- by apply (map_f fst). }
- have -> : [seq step <- steps_of evec | step.1 <= h.-1] = steps_of evec => //.
- apply /all_filterP /allP => [step IN]; subst h.
- move: LTH; rewrite /get_horizon_of_task EMAX => VALID.
- specialize (VALID step.1).
- feed VALID; first by rewrite /get_time_steps_of_task EMAX; apply (map_f fst).
- by destruct (horizon_of evec). }
- rewrite -mulSnr {1}(pred_Sn A) divn_pred -(addn1 A) DIV subn1 prednK //=.
- move: DIV => /dvdnP [k EQk]; rewrite EQk.
- by destruct k;[rewrite /ε in EQk; lia | rewrite mulnK]. }
- { replace h with 0; rewrite /positive_horizon in POSh; lia. }
- { exfalso.
- rewrite /get_time_steps_of_task EMAX in LTH.
- specialize (LTH _ BUR).
- move: LTH; rewrite ltnNge => /negP CONTR; apply: CONTR.
- by unfold h in *; rewrite /get_horizon_of_task EMAX -EQ1. }
- Qed.
-
- (** Finally, we show that steps in the request-bound function correspond to
- points in the search space for fixed-priority tasks. *)
- Lemma task_search_space_subset :
- forall A,
- A < L ->
- task_rbf tsk A != task_rbf tsk (A + ε) ->
- A \in search_space_arrival_curve_prefix_FP tsk L.
- Proof.
- intros A LT_L IN.
- destruct (get_horizon_of_task tsk %|A) eqn:DIV;
- first by apply multiple_of_horizon_in_approx_ss.
- move: (structure_of_correct_search_space _ LT_L IN).
- move=> [[i [t [LT [INt EQ]]]] | [i [LT EQ]]]; first by eapply steps_in_approx_ss; eauto.
- destruct (steps_lt_horizon_last_eq_horizon) as [LTh | EQh].
- { exfalso. (* Can't be in search space if h > last step *)
- move: (H_valid_task_set) => VALID; specialize (VALID _ H_tsk_in_ts).
- move: (has_valid_arrival_curve_prefix_tsk ts H_valid_task_set tsk H_tsk_in_ts).
- move => [evec [EMAXeq [POSh [LARGEh [NOINF [BUR SORT]]]]]].
- rewrite /task_rbf /task_request_bound_function /max_arrivals
- /MaxArrivals /ConcreteMaxArrivals /concrete_max_arrivals
- EMAXeq eqn_mul2l negb_or in IN.
- move: IN => /andP [_ NEQ].
- move: (sorted_ltn_steps_imply_sorted_leq_steps_steps _ SORT NOINF) => SORT_LEQ.
- move: (constant_max_arrivals A LTh) => EQmax.
- feed EQmax; first by rewrite EQ; apply dvdn_mull, dvdnn.
- rewrite /max_arrivals /MaxArrivals /ConcreteMaxArrivals
- /concrete_max_arrivals EMAXeq in EQmax.
- by rewrite EQmax in NEQ; move: NEQ => /eqP. }
- { replace A with (A + ε - ε); last by lia.
- rewrite subn1; apply map_f; rewrite EQ.
- set (h := get_horizon_of_task tsk) in *.
- apply /flatten_mapP; exists ((i-1)*h); first by rewrite mulnC map_f // mem_iota; lia.
- replace (i * h) with (h + (i - 1) * h); last first.
- { destruct (posnP i) as [Z|POS]; first by subst i; rewrite /ε in EQ; lia.
- by rewrite mulnBl mul1n; apply subnKC, leq_pmull. }
- have MFF := map_f (fun t0 => t0 + (i - 1) * h); apply: MFF.
- rewrite -EQh.
- move: (has_valid_arrival_curve_prefix_tsk ts H_valid_task_set tsk H_tsk_in_ts).
- move => [evec [EMAXeq [POSh [LARGEh [NOINF [BUR SORT]]]]]].
- rewrite /get_time_steps_of_task EMAXeq; unfold specified_bursts in *.
- destruct (time_steps_of evec) => //=.
- by rewrite /last0 //=; apply mem_last. }
- Qed.
-
- End Facts.
-
-End FastSearchSpaceComputation.
diff --git a/implementation/refinements/refinements.v b/implementation/refinements/refinements.v
deleted file mode 100644
index dc21360209098230e398e3aa1435742e32d8109a..0000000000000000000000000000000000000000
--- a/implementation/refinements/refinements.v
+++ /dev/null
@@ -1,492 +0,0 @@
-Require Export prosa.implementation.definitions.task.
-Require Export prosa.implementation.facts.extrapolated_arrival_curve.
-Require Export NArith.
-From CoqEAL Require Export hrel param refinements binnat.
-Export Refinements.Op.
-
-(** * Refinements Library *)
-
-(** This file contains a variety of support definitions and proofs for
- refinements. Refinements allow to convert unary-number definitions into
- binary-number ones. This is used for the sole purpose of performing
- computations involving large numbers, and can safely be ignored if this is
- of no interest to the reader. See Maida et al. (ECRTS 2022) for the
- motivation and further details, available at
- <<https://drops.dagstuhl.de/opus/volltexte/2022/16336/>>. *)
-
-(** ** Brief Introduction *)
-
-(** Consider the refinement [refines (Rnat ==> Rnat ==> Rnat)%rel maxn maxn_T.]
- This statements uses the relation [Rnat], which relates each unary number
- with its binary counterpart.
-
- Proving this statement shows that the [maxn] function is isomorphic to
- [maxn_T], i.e., given two unary numbers [(a,b)] and two binary numbers [(a',
- b')], [Rnat a b -> Rnat a' b' -> Rnat (maxn a b) (maxn_T a' b')]. In other
- words, if [a] is related to [a'] and [b] to [b'], then [maxn a b] is related
- to [maxn_T a' b')]. This statement is encoded in a succinct way via the [==>]
- notation.
-
- For more information, refer to
- <<https://hal.inria.fr/hal-01113453/document>>. *)
-
-(** ** Auxiliary Definitions *)
-
-(** First, we define a convenience function that translates a list of unary
- natural numbers to binary numbers... *)
-Definition m_b2n b := map nat_of_bin b.
-Definition m_n2b n := map bin_of_nat n.
-
-(** ... and an analogous version that works on pairs. *)
-Definition tmap {X Y : Type} (f : X -> Y) (t : X * X) := (f (fst t), f (snd t)).
-Definition tb2tn t := tmap nat_of_bin t.
-Definition tn2tb t := tmap bin_of_nat t.
-Definition m_tb2tn xs := map tb2tn xs.
-Definition m_tn2tb xs := map tn2tb xs.
-
-(** * Basic Arithmetic *)
-
-(** In the following, we encode refinements for a variety of basic arithmetic
- functions. *)
-
-(** ** Definitions *)
-
-(** We begin by defining a generic version of the functions we seek to
- refine. *)
-Section Definitions.
- (** Consider a generic type T supporting basic arithmetic operations,
- neutral elements, and comparisons. *)
- Context {T : Type}.
- Context `{!zero_of T, !one_of T, !sub_of T, !add_of T, !mul_of T,
- !div_of T, !mod_of T, !eq_of T, !leq_of T, !lt_of T}.
-
- (** We redefine the predecessor function. Note that, although this
- definition uses common notation, the [%C] indicates that we
- refer to the generic type [T] defined above. *)
- Definition predn_T (n : T) := (n - 1)%C.
-
- (** Further, we redefine the maximum and minimum functions... *)
- Definition maxn_T (m n : T) := (if m < n then n else m)%C.
- Definition minn_T (m n : T) := (if m < n then m else n)%C.
-
- (** ... the "divides" function... *)
- Definition dvdn_T (d : T) (m : T) := (m %% d == 0)%C.
-
- (** ... and the division with ceiling function. *)
- Definition div_ceil_T (a : T) (b : T) :=
- if dvdn_T b a then (a %/ b)%C else (1 + a %/ b)%C.
-
-End Definitions.
-
-(** ** Refinements *)
-
-(** We now establish the desired refinements. *)
-
-(** First, we prove a refinement for the [b2n] function. *)
-Global Instance refine_b2n :
- refines (unify (A:=N) ==> Rnat)%rel nat_of_bin id.
-Proof.
- apply refines_abstr; move => n n' Rn.
- compute in Rn; destruct refines_key in Rn; subst.
- by apply trivial_refines.
-Qed.
-
-(** Second, we prove a refinement for the predecessor function. *)
-Global Instance Rnat_pred :
- refines (Rnat ==> Rnat)%rel predn predn_T.
-Proof.
- rewrite !refinesE => a a' Ra.
- rewrite -subn1 /predn_T.
- by apply: refinesP.
-Qed.
-
-(** Next, we prove a refinement for the "divides" function. *)
-Global Instance refine_dvdn :
- refines (Rnat ==> Rnat ==> bool_R)%rel dvdn dvdn_T.
-Proof.
- apply refines_abstr2; unfold "%|", dvdn_T; move=> x x' rx y y' ry.
- by exact: refines_apply.
-Qed.
-
-(** Next, we prove a refinement for the division with ceiling. *)
-Global Instance refine_div_ceil :
- refines (Rnat ==> Rnat ==> Rnat)%rel div_ceil div_ceil_T.
-Proof.
- apply refines_abstr2; unfold div_ceil, div_ceil_T.
- move => x x' Rx y y' Ry.
- have <-: y %| x = dvdn_T y' x'.
- { eapply refines_eq.
- apply refines_bool_eq; unfold "%|", dvdn_T.
- by refines_apply. }
- destruct (y %| x) eqn:B.
- { eapply refines_apply.
- refines_abstr.
- by exact Ry. }
- { eapply refines_apply.
- refines_abstr.
- eapply refines_apply.
- refines_abstr.
- by exact Ry. }
-Qed.
-
-(** Next, we prove a refinement for the minimum function. *)
-Global Instance refine_minn :
- refines (Rnat ==> Rnat ==> Rnat)%rel minn minn_T.
-Proof.
- intros *; rewrite refinesE => a a' Ra b b' Rb; unfold minn, minn_T.
- compute in Ra, Rb; subst.
- rename a' into a, b' into b.
- have <- : (a < b) = (a < b)%C; last by destruct (a < b).
- unfold lt_op, lt_N.
- destruct (a < b) eqn:EQ; symmetry; first by apply N.ltb_lt; apply /Rnat_ltP.
- apply N.ltb_ge.
- apply negbT in EQ; rewrite -leqNgt in EQ.
- apply /N.leb_spec0.
- by move: Rnat_leE => LE; unfold leq_op, leq_N in LE; rewrite LE.
-Qed.
-
-(** Finally, we prove a refinement for the maximum function. *)
-Global Instance refine_maxn :
- refines (Rnat ==> Rnat ==> Rnat)%rel maxn maxn_T.
-Proof.
- intros *; rewrite refinesE => a a' Ra b b' Rb; unfold maxn, maxn_T.
- compute in Ra, Rb; subst.
- rename a' into a, b' into b.
- have <- : (a < b) = (a < b)%C; last by destruct (a < b).
- unfold lt_op, lt_N.
- destruct (a < b) eqn:EQ; symmetry; first by apply N.ltb_lt; apply /Rnat_ltP.
- apply N.ltb_ge.
- apply negbT in EQ; rewrite -leqNgt in EQ.
- apply /N.leb_spec0.
- by move: Rnat_leE => LE; unfold leq_op, leq_N in LE; rewrite LE.
-Qed.
-
-(** ** Supporting Lemmas *)
-
-(** As the next step, we prove some helper lemmas used in refinements. We
- differentiate class instances from lemmas, as lemmas are applied manually,
- and not via the typeclass engine. *)
-
-(** First, we prove that negating a positive, binary number results in [0]. *)
-Lemma posBinNatNotZero:
- forall p, ~ (nat_of_bin (N.pos p)) = O.
-Proof.
- rewrite -[0]bin_of_natK.
- intros ? EQ.
- have BJ := @Bijective _ _ nat_of_bin bin_of_nat.
- feed_n 2 BJ.
- { by intros ?; rewrite bin_of_natE; apply nat_of_binK. }
- { by apply bin_of_natK. }
- apply bij_inj in BJ; apply BJ in EQ; clear BJ.
- by destruct p.
-Qed.
-
-(** Next, we prove that, if the successor of a unary number [b] corresponds to a
- positive binary number [p], then [b] corresponds to the predecessor of
- [p]. *)
-Lemma eq_SnPos_to_nPred:
- forall b p, Rnat b.+1 (N.pos p) -> Rnat b (Pos.pred_N p).
-Proof.
- move => b p.
- rewrite /Rnat /fun_hrel => EQ.
- rewrite -addn1 in EQ.
- apply /eqP; rewrite -(eqn_add2r 1) -EQ; apply /eqP.
- move: (nat_of_add_bin (Pos.pred_N p) 1%N) => EQadd1.
- by rewrite -EQadd1 N.add_1_r N.succ_pos_pred.
-Qed.
-
-(** Finally, we prove that if two unary numbers [a] and [b] have the same
- numeral as, respectively, two binary numbers [a'] and [b'], then [a<b] is
- rewritable into [a'<b']. *)
-Lemma refine_ltn :
- forall a a' b b',
- Rnat a a' ->
- Rnat b b' ->
- bool_R (a < b) (a' < b')%C.
-Proof.
- intros * Ra Rb.
- replace (@lt_op N lt_N a' b') with (@leq_op N leq_N (1 + a')%N b');
- first by apply refinesP; refines_apply.
- unfold leq_op, leq_N, lt_op, lt_N.
- apply /N.leb_spec0; case (a' <? b')%N eqn:LT.
- - by move: LT => /N.ltb_spec0 LT; rewrite N.add_1_l; apply N.le_succ_l.
- - rewrite N.add_1_l => CONTR; apply N.le_succ_l in CONTR.
- by move: LT => /negP LT; apply: LT; apply /N.ltb_spec0.
-Qed.
-
-
-(** * Functions on Lists *)
-
-(** In the following, we encode refinements for a variety of functions related
- to lists. *)
-
-(** ** Definitions *)
-
-(** We begin by defining a generic version of the functions we want to
- refine. *)
-Section Definitions.
-
- (** Consider a generic type T supporting basic arithmetic operations
- and comparisons *)
- Context {T : Type}.
- Context `{!zero_of T, !one_of T, !sub_of T, !add_of T, !mul_of T,
- !div_of T, !mod_of T, !eq_of T, !leq_of T, !lt_of T}.
-
- (** We redefine the [iota] function, ... *)
- Fixpoint iota_T (a : T) (b : nat): seq T :=
- match b with
- | 0 => [::]
- | S b' => a :: iota_T (a + 1)%C b'
- end.
-
- (** ... the size function, ... *)
- Fixpoint size_T {X : Type} (s : seq X): T :=
- match s with
- | [::] => 0%C
- | _ :: s' => (1 + size_T s')%C
- end.
-
- (** ... the forward-shift function, ... *)
- Definition shift_points_pos_T (xs : seq T) (s : T) : seq T :=
- map (fun x => s + x)%C xs.
-
- (** ... and the backwards-shift function. *)
- Definition shift_points_neg_T (xs : seq T) (s : T) : seq T :=
- let nonsmall := filter (fun x => s <= x)%C xs in
- map (fun x => x - s)%C nonsmall.
-
-End Definitions.
-
-(** ** Refinements *)
-
-(** In the following, we establish the required refinements. *)
-
-(** First, we prove a refinement for the [map] function. *)
-Global Instance refine_map :
- forall {A A' B B': Type}
- (F : A -> B) (F' : A' -> B')
- (rA : A -> A' -> Type) (rB : B -> B' -> Type) xs xs',
- refines (list_R rA) xs xs' ->
- refines (rA ==> rB)%rel F F' ->
- refines (list_R rB)%rel (map F xs) (map F' xs').
-Proof.
- intros * Rxs RF; rewrite refinesE.
- eapply map_R; last first.
- - by rewrite refinesE in Rxs; apply Rxs.
- - by intros x x' Rx; rewrite refinesE in RF; apply RF.
-Qed.
-
-(** Second, we prove a refinement for the [zip] function. *)
-Global Instance refine_zip :
- refines (list_R Rnat ==> list_R Rnat ==> list_R (prod_R Rnat Rnat))%rel zip zip.
-Proof. by rewrite refinesE => xs xs' Rxs ys ys' Rys; apply zip_R. Qed.
-
-(** Next, we prove a refinement for the [all] function. *)
-Global Instance refine_all :
- forall {A A' : Type} (rA : A -> A' -> Type),
- refines ((rA ==> bool_R) ==> list_R rA ==> bool_R)%rel all all.
-Proof.
- intros.
- rewrite refinesE => P P' RP xs xs' Rxs.
- eapply all_R; last by apply Rxs.
- by intros x x' Rx; apply RP.
-Qed.
-
-(** Next, we prove a refinement for the [flatten] function. *)
-Global Instance refine_flatten :
- forall {A A': Type} (rA : A -> A' -> Type),
- refines (list_R (list_R rA) ==> list_R rA)%rel flatten flatten.
-Proof.
- by intros; rewrite refinesE => xss xss' Rxss; eapply flatten_R.
-Qed.
-
-(** Next, we prove a refinement for the [cons] function. *)
-Global Instance refine_cons A C (rAC : A -> C -> Type) :
- refines (rAC ==> list_R rAC ==> list_R rAC)%rel cons cons.
-Proof.
- by rewrite refinesE => h h' rh t t' rt; apply list_R_cons_R.
-Qed.
-
-(** Next, we prove a refinement for the [nil] function. *)
-Global Instance refine_nil A C (rAC : A -> C -> Type) :
- refines (list_R rAC) nil nil.
-Proof.
- by rewrite refinesE; apply list_R_nil_R.
-Qed.
-
-(** Next, we prove a refinement for the [last] function. *)
-Global Instance refine_last :
- forall {A B : Type} (rA : A -> B -> Type),
- refines (rA ==> list_R rA ==> rA)%rel last last.
-Proof.
- intros *; rewrite refinesE => d d' Rd xs xs' Rxs.
- move: d d' Rd xs' Rxs; induction xs; intros.
- - by destruct xs'; last inversion Rxs.
- - destruct xs'; first by inversion Rxs.
- inversion Rxs; subst; clear Rxs; rename X1 into Rab, X4 into Rxs.
- by simpl; apply IHxs.
-Qed.
-
-(** Next, we prove a refinement for the [size] function. *)
-Global Instance refine_size A C (rAC : A -> C -> Type) :
- refines (list_R rAC ==> Rnat)%rel size size_T.
-Proof.
- rewrite refinesE => h.
- induction h; intros h' Rh; first by destruct h'; last inversion Rh.
- destruct h'; first by inversion Rh.
- inversion_clear Rh.
- apply IHh in X4; clear IHh; simpl.
- by have H := Rnat_S; rewrite refinesE in H; specialize (H _ _ X4).
-Qed.
-
-(** Next, we prove a refinement for the [iota] function when applied
- to the successor of a number. *)
-Lemma iotaTsuccN :
- forall (a : N) p,
- iota_T a (N.succ (Pos.pred_N p)) = a :: iota_T (succN a) (Pos.pred_N p).
-Proof.
- move=> a p.
- destruct (N.succ (Pos.pred_N p)) eqn:EQ; first by move: (N.neq_succ_0 (Pos.pred_N p)).
- move: (posBinNatNotZero p0) => /eqP EQn0.
- destruct (nat_of_bin (N.pos p0)) eqn:EQn; first by done.
- have -> : n = Pos.pred_N p; last by rewrite //= /succN /add_N /add_op N.add_comm.
- apply /eqP.
- rewrite -eqSS -EQn -EQ -addn1.
- move: (nat_of_add_bin (Pos.pred_N p) 1%N) => EQadd1; rewrite -EQadd1.
- by rewrite N.add_1_r.
-Qed.
-
-(** Next, we prove a refinement for the [iota] function. *)
-Global Instance refine_iota :
- refines (Rnat ==> Rnat ==> list_R Rnat)%rel iota iota_T.
-Proof.
- rewrite refinesE => a a' Ra b; move: a a' Ra; induction b; intros a a' Ra b' Rb.
- { destruct b'; first by rewrite //=; apply list_R_nil_R.
- by compute in Rb; apply posBinNatNotZero in Rb. }
- { destruct b'; first by compute in Rb; destruct b.
- have Rsa := Rnat_S.
- rewrite refinesE in Rsa; specialize (Rsa a a' Ra).
- specialize (IHb _ _ Rsa).
- rewrite //= -N.succ_pos_pred iotaTsuccN.
- apply list_R_cons_R; first by done.
- apply IHb; clear Rsa Ra IHb.
- by apply eq_SnPos_to_nPred. }
-Qed.
-
-(** Next, we prove a refinement for the [shift_points_pos] function. *)
-Global Instance refine_shift_points_pos:
- refines (list_R Rnat ==> Rnat ==> list_R Rnat)%rel shift_points_pos shift_points_pos_T.
-Proof.
- rewrite refinesE => xs xs' Rxs s s' Rs.
- unfold shift_points_pos, shift_points_pos_T.
- apply refinesP; eapply refine_map; first by rewrite refinesE; apply Rxs.
- rewrite refinesE => ? ? ?.
- by apply refinesP; tc.
-Qed.
-
-(** Next, we prove a refinement for the [shift_points_neg] function. *)
-Global Instance refine_shift_points_neg:
- refines (list_R Rnat ==> Rnat ==> list_R Rnat)%rel shift_points_neg shift_points_neg_T.
-Proof.
- rewrite refinesE => xs xs' Rxs s s' Rs.
- unfold shift_points_neg, shift_points_neg_T.
- apply refinesP; eapply refine_map.
- - rewrite refinesE; eapply filter_R; last by eassumption.
- by intros; apply refinesP; refines_apply.
- - rewrite refinesE => x x' Rx.
- by apply refinesP; refines_apply.
-Qed.
-
-(** Finally, we prove that the if the [nat_of_bin] function is applied to a
- list, the result is the original list translated to binary. *)
-Global Instance refine_abstract :
- forall xs,
- refines (list_R Rnat)%rel (map nat_of_bin xs) xs | 0.
-Proof.
- induction xs; first by rewrite refinesE; simpl; apply list_R_nil_R.
- rewrite //= refinesE; rewrite refinesE in IHxs.
- by apply list_R_cons_R; last by done.
-Qed.
-
-(** ** Supporting Lemmas *)
-
-(** As the last step, we prove some helper lemmas used in refinements. Again,
- we differentiate class instances from lemmas, as lemmas are applied
- manually, not via the typeclass engine. *)
-
-(** First, we prove a refinement for the [foldr] function. *)
-Lemma refine_foldr_lemma :
- refines ((Rnat ==> Rnat ==> Rnat) ==> Rnat ==> list_R Rnat ==> Rnat)%rel foldr foldr.
-Proof.
- rewrite refinesE => f f' Rf d d' Rd xs; induction xs as [ | x xs]; intros xs' Rxs.
- { by destruct xs' as [ | x' xs']; [ done | inversion Rxs ]. }
- { destruct xs' as [ | x' xs']; first by inversion Rxs.
- inversion Rxs; subst.
- by simpl; apply Rf; [ done | apply IHxs]. }
-Qed.
-
-Section GenericLists.
-
- (** Now, consider two types [T1] and [T2], and two lists of the respective
- type. *)
- Context {T1 T2 : Type}.
- Variable (xs : seq T1) (xs' : seq T2).
-
- (** We prove a refinement for the [foldr] function when applied to a [map] and
- [filter] operation. *)
- Lemma refine_foldr:
- forall (R : T1 -> bool) (R' : T2 -> bool) (F : T1 -> nat) (F' : T2 -> N),
- forall (rT : T1 -> T2 -> Type),
- refines ( list_R rT )%rel xs xs' ->
- refines ( rT ==> Rnat )%rel F F' ->
- refines ( rT ==> bool_R )%rel R R' ->
- refines Rnat (\sum_(x <- xs | R x) F x) (foldr +%C 0%C [seq F' x' | x' <- xs' & R' x']).
- Proof.
- intros * Rxs Rf Rr.
- have ->: \sum_(x <- xs | R x) F x = foldr addn 0 [seq F x | x <- xs & R x].
- { by rewrite foldrE big_map big_filter. }
- refines_apply.
- Unshelve.
- - by rewrite refinesE=> b b' Rb z z' Rz l l' Rl; eapply foldr_R; eauto.
- - by rewrite refinesE => g g' Rg l l' Rl; eapply map_R; eauto.
- - by rewrite refinesE => p p' Rp l l' Rl; eapply filter_R; eauto.
- Qed.
-
- (** Next, we prove a refinement for the [foldr] function when applied to a
- [map] operation. *)
- Lemma refine_uncond_foldr :
- forall (F : T1 -> nat) (F' : T2 -> N),
- forall (rT : T1 -> T2 -> Type),
- refines ( list_R rT )%rel xs xs' ->
- refines ( rT ==> Rnat )%rel F F' ->
- refines Rnat (\sum_(x <- xs) F x) (foldr +%C 0%C [seq F' x' | x' <- xs']).
- Proof.
- intros * Rxs Rf.
- have ->: \sum_(x <- xs) F x = foldr addn 0 [seq F x | x <- xs] by rewrite foldrE big_map.
- refines_apply.
- by apply refine_foldr_lemma.
- Qed.
-
- (** Next, we prove a refinement for the [foldr] function when applied to a
- [max] operation over a list. In terms, the list is the result of a [map]
- and [filter] operation. *)
- Lemma refine_foldr_max :
- forall (R : T1 -> bool) (R' : T2 -> bool)
- (F : T1 -> nat) (F' : T2 -> N),
- forall (rT : T1 -> T2 -> Type),
- refines ( list_R rT )%rel xs xs' ->
- refines ( rT ==> Rnat )%rel F F' ->
- refines ( rT ==> bool_R )%rel R R' ->
- refines Rnat (\max_(x <- xs | R x) F x) (foldr maxn_T 0%C [seq F' x' | x' <- xs' & R' x']).
- Proof.
- intros * Rxs Rf Rr.
- have ->: \max_(x <- xs | R x) F x = foldr maxn 0 [seq F x | x <- xs & R x]
- by rewrite foldrE big_map big_filter.
- refines_apply.
- Unshelve.
- - by rewrite refinesE=> b b' Rb z z' Rz l l' Rl; eapply foldr_R; eauto.
- - by rewrite refinesE => g g' Rg l l' Rl; eapply map_R; eauto.
- - by rewrite refinesE => p p' Rp l l' Rl; eapply filter_R; eauto.
- Qed.
-
-End GenericLists.
diff --git a/implementation/refinements/task.v b/implementation/refinements/task.v
deleted file mode 100644
index a8f89b5c3534e1d0859e3ca0dfff9b98bff2f6a9..0000000000000000000000000000000000000000
--- a/implementation/refinements/task.v
+++ /dev/null
@@ -1,255 +0,0 @@
-Require Export prosa.analysis.definitions.request_bound_function.
-Require Export prosa.implementation.facts.extrapolated_arrival_curve.
-Require Export prosa.implementation.refinements.arrival_bound.
-Require Export prosa.implementation.definitions.task.
-
-(** ** Task Refinement *)
-
-(** In this module, we define a generic version of concrete task and
- prove that it is isomorphic to the standard, natural-number-based
- definition. *)
-
-(** We begin by defining the generic task type. *)
-Section Definitions.
-
- (** In this file, we refine the Prosa standard implementation of
- jobs and tasks. *)
- Definition Task := [eqType of concrete_task].
- Definition Job := [eqType of concrete_job].
-
- (** Consider a generic type [T], for which all the basic arithmetical
- operations, ordering, and equality are defined. *)
- Context `{T : Type}.
- Context `{!zero_of T, !one_of T, !sub_of T, !add_of T, !mul_of T,
- !div_of T, !mod_of T, !eq_of T, !leq_of T, !lt_of T}.
- Context `{!eq_of (seq T)}.
- Context `{!eq_of (@task_arrivals_bound_T T)}.
-
- (** We define a generic task type that uses [T] for each numerical value. *)
- Structure task_T :=
- {
- task_id_T: T;
- task_cost_T: T;
- task_arrival_T: @task_arrivals_bound_T T;
- task_deadline_T: T;
- task_priority_T: T
- }.
-
- (** Further, we define the equality for two generic tasks as the equality
- of each attribute. *)
- Definition task_eqdef_T (t1 t2: task_T) :=
- (task_id_T t1 == task_id_T t2)%C &&
- (task_cost_T t1 == task_cost_T t2)%C &&
- (task_arrival_T t1 == task_arrival_T t2)%C &&
- (task_deadline_T t1 == task_deadline_T t2)%C &&
- (task_priority_T t1 == task_priority_T t2)%C.
-
- (** Next, we define a helper function that convert a minimum inter-arrival time
- to an arrival curve prefix. *)
- Definition inter_arrival_to_extrapolated_arrival_curve_T (p : T) : T * seq (T * T) := (p, [::(1, 1)])%C.
-
- (** Further, we define the arrival bound of a task as, possibly, (1) periodic,
- (2) sporadic, or (3) an arrival curve. Note that, internally, the workload
- bound is always represented by an arrival curve. *)
- Definition get_extrapolated_arrival_curve_T (tsk : task_T) : T * seq (T * T) :=
- match task_arrival_T tsk with
- | Periodic_T p => inter_arrival_to_extrapolated_arrival_curve_T p
- | Sporadic_T m => inter_arrival_to_extrapolated_arrival_curve_T m
- | ArrivalPrefix_T steps => steps
- end.
-
- (** With the previous definition in place, we define the workload bound... *)
- Definition ConcreteMaxArrivals_T (tsk : task_T) (Δ : T): T :=
- extrapolated_arrival_curve_T (get_extrapolated_arrival_curve_T tsk) Δ.
-
- (** ... and the task request-bound function. *)
- Definition task_rbf_T (tsk : task_T) (Δ : T) :=
- (task_cost_T tsk * ConcreteMaxArrivals_T tsk Δ)%C.
-
- (** Further, we define a valid arrival bound as (1) a positive
- minimum inter-arrival time/period, or (2) a valid arrival curve prefix. *)
- Definition valid_arrivals_T (tsk : task_T) : bool :=
- match task_arrival_T tsk with
- | Periodic_T p => (1 <= p)%C
- | Sporadic_T m => (1 <= m)%C
- | ArrivalPrefix_T ac_prefix_vec => valid_extrapolated_arrival_curve_T ac_prefix_vec
- end.
-
- (** Next, we define a helper function that yields the horizon of the arrival
- curve prefix of a task ... *)
- Definition get_horizon_of_task_T (tsk : task_T) : T :=
- horizon_of_T (get_extrapolated_arrival_curve_T tsk).
-
- (** ... another one that yields the time steps of the arrival curve, ... *)
- Definition get_time_steps_of_task_T (tsk : task_T) : seq T :=
- time_steps_of_T (get_extrapolated_arrival_curve_T tsk).
-
- (** ... a function that yields the same time steps, offset by δ, ... *)
- Definition time_steps_with_offset_T tsk δ :=
- [seq t + δ | t <- get_time_steps_of_task_T tsk]%C.
-
- (** ... and a generalization of the previous function that repeats the time
- steps for each given offset. *)
- Definition repeat_steps_with_offset_T (tsk : task_T) (offsets : seq T): seq T :=
- (flatten (map (time_steps_with_offset_T tsk) offsets))%C.
-End Definitions.
-
-(** In this section, we define two functions used to convert from a generic task
- to the standard task definition, and vice-versa. *)
-Section Translation.
-
- (** First, we define the function that maps a generic task to a natural-number
- task... *)
- Definition taskT_to_task (tsk: @task_T N) : Task :=
- match tsk with
- | {| task_id_T := id;
- task_cost_T := cost;
- task_arrival_T := arrival_bound;
- task_deadline_T := deadline;
- task_priority_T := priority |}
- =>
- {| task.task_id := nat_of_bin id;
- task.task_cost := nat_of_bin cost;
- task.task_arrival := task_abT_to_task_ab arrival_bound;
- task.task_deadline := nat_of_bin deadline;
- task.task_priority := nat_of_bin priority |}
- end.
-
- (** ... and its function relationship. *)
- Definition Rtask := fun_hrel taskT_to_task.
-
- (** Finally, we define the converse function, mapping a natural-number
- task to a generic one. *)
- Definition task_to_taskT (tsk: Task) : @task_T N :=
- match tsk with
- | {| task.task_id := id;
- task.task_cost := cost;
- task.task_arrival := arrival_bound;
- task.task_deadline := deadline;
- task.task_priority := priority |}
- =>
- {| task_id_T := bin_of_nat id;
- task_cost_T := bin_of_nat cost;
- task_arrival_T := task_ab_to_task_abT arrival_bound;
- task_deadline_T := bin_of_nat deadline;
- task_priority_T := bin_of_nat priority |}
- end.
-
-End Translation.
-
-(** In this fairly technical section, we prove a series of refinements
- aimed to be able to convert between a standard natural-number task
- and a generic task. *)
-Section Theory.
-
- (** We prove the refinement of the constructor functions. *)
- Global Instance refine_task :
- refines (Rnat ==> Rnat ==> Rtask_ab ==> Rnat ==> Rnat ==> Rtask)%rel
- Build_concrete_task Build_task_T.
- Proof.
- by rewrite refinesE=> _ i <- _ c <- _ p <- _ d <- _ pr <-.
- Qed.
-
- (** Next, we prove a refinement for the task id. *)
- Global Instance refine_task_id :
- refines (Rtask ==> Rnat)%rel task_id task_id_T.
- Proof.
- rewrite refinesE => _ tsk <-.
- by destruct tsk.
- Qed.
-
- (** Next, we prove a refinement for the task cost. *)
- Global Instance refine_task_cost :
- refines (Rtask ==> Rnat)%rel task_cost task_cost_T.
- Proof.
- rewrite refinesE => _ tsk <-.
- by destruct tsk.
- Qed.
-
- (** Next, we prove a refinement for the task arrival. *)
- Global Instance refine_task_arrival :
- refines (Rtask ==> Rtask_ab)%rel task_arrival task_arrival_T.
- Proof.
- rewrite refinesE => _ tsk <-.
- by destruct tsk.
- Qed.
-
- (** Next, we prove a refinement for the task deadline. *)
- Global Instance refine_task_deadline :
- refines (Rtask ==> Rnat)%rel task_deadline task_deadline_T.
- Proof.
- rewrite refinesE => _ tsk <-.
- by destruct tsk.
- Qed.
-
- (** Next, we prove a refinement for the task priority. *)
- Global Instance refine_task_priority :
- refines (Rtask ==> Rnat)%rel task_priority task_priority_T.
- Proof.
- rewrite refinesE => _ tsk <-.
- by destruct tsk.
- Qed.
-
- (** Next, we prove a refinement for the task period. *)
- Global Instance refine_Periodic :
- refines (Rnat ==> Rtask_ab)%rel Periodic Periodic_T.
- Proof.
- rewrite refinesE => t t' Rt.
- compute in Rt; subst.
- by compute.
- Qed.
-
- (** Next, we prove a refinement for the task minimum inter-arrival time. *)
- Global Instance refine_Sporadic :
- refines (Rnat ==> Rtask_ab)%rel Sporadic Sporadic_T.
- Proof.
- rewrite refinesE => t t' Rt.
- compute in Rt; subst.
- by compute.
- Qed.
-
- (** Next, we prove a refinement for the task id conversion. *)
- Local Instance refine_task' :
- refines (unify (A:= task_T) ==> Rtask)%rel taskT_to_task id.
- Proof.
- rewrite refinesE => tsk tsk' UNI.
- by have UNIT := unify_rel; last specialize (UNIT _ _ _ UNI); subst tsk'; clear UNI.
- Qed.
-
- (** Finally, we prove a refinement for the id conversion applied to a list of tasks. *)
- Local Instance refine_task_set' :
- refines (unify (A:= seq task_T) ==> list_R Rtask)%rel (map taskT_to_task) id.
- Proof.
- rewrite refinesE => ts ts' UNI.
- have UNIT := unify_rel; last specialize (UNIT _ _ _ UNI); subst ts'; clear UNI.
- induction ts as [ | tsk ts].
- - by simpl; apply list_R_nil_R.
- - simpl; apply list_R_cons_R; last by done.
- by unfold Rtask, fun_hrel.
- Qed.
-
-End Theory.
-
-
-
-(** For convenience, we define a simple notation to declare concrete tasks using
- numbers represented in binary, adopted in POET's certificates. *)
-Require Export NArith.
-
-Notation "{| 'id:' c1 'cost:' c2 'deadline:' c3 'arrival:' c4 'priority:' c5 }" := {|
- task_id_T := c1;
- task_cost_T := c2;
- task_deadline_T := c3;
- task_arrival_T := c4;
- task_priority_T := c5 |} (at level 6,
- right associativity,
- only parsing ).
-
-Notation "{| 'id:' c1 'cost:' c2 'deadline:' c3 'arrival:' c4 }" := {|
- task_id_T := c1;
- task_cost_T := c2;
- task_deadline_T := c3;
- task_arrival_T := c4;
- task_priority_T := 0%N |} (at level 6,
- right associativity,
- only parsing ).
diff --git a/model/README.md b/model/README.md
deleted file mode 100644
index 2f4d7669294f82e2d4989b2f2497311993bf5da3..0000000000000000000000000000000000000000
--- a/model/README.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# Prosa Model Library
-
-This module provides Prosa's library of **system model definitions** and **common modelling assumptions**. In particular, this module defines common task models such as the sporadic task model, concepts such as self-suspensions and release jitter, and uni- and multiprocessor schedules, among many other common model elements.
-
-All concepts and definitions here are provided on an **opt-in basis**: for many concepts, there is no "one size fits all" definition. Rather, in the literature, there are many different reasonable alternatives to choose from, and higher-level results are free to choose whichever definition is most appropriate in their context.
-
-For example, a higher-level result can choose to assume either the classic Liu&Layland readiness model (any pending job is ready to be executed), a release-jitter model (a job may not be ready for execution for some bounded duration after its arrival, but once it's released it can always be executed), or a dynamic self-suspension model (a job may not be ready at various points during its execution). Similarly, there are many different preemption models (fully preemptive, fully nonpreemptive, segmented limited-preemptive, floating nonpreemptive, etc.) that are all of practical relevance in different contexts.
-
-
-## Structure Convention
-
-If there is a central concept (e.g., notion of readiness, processor model, arrival model, etc.) for which there are multiple reasonable competing definitions (e.g., different readiness models such as release jitter or self-suspensions, different uni- or multiprocessor models, or different arrival models such as periodic vs. sporadic tasks vs. arbitrary arrival curves), then
-
-1. create a folder/module corresponding to the high-level concept (e.g., `readiness`, `processor`, `task/arrival`, etc.) and
-
-2. provide different, mutually exclusive modelling assumptions as individual files or sub-modules (e.g., `readiness.basic` vs. `readiness.jitter`, `processor.ideal` vs. `processor.varspeed`, `arrival.sporadic` vs. `arrival.arrival_curves`, etc.).
-
-This allows other proofs to "pick and choose" just the right system model by combining once definition from each category.
-
-Crucially, when used in other files, modules that define new `Instance`s should be `Import`ed (not `Export`ed) to avoid inadvertently polluting the namespace with specific instantiations of generic concepts.
-
-This allows higher-level results to clearly state assumptions in an elegant way. For instance, it is intuitively understandable what `Require prosa.model.processor.ideal` means.
-
-## Job and Task Parameters
-
-Please follow the below rules when introducing new job or task parameters.
-
-- Define new job and task parameters wherever they are first needed.
-Example: `JobJitter` is introduced in `model.readiness.jitter`, not in `behavior.job`.
-
-- Each job/task parameter is introduced as a separate type class. For example, there are separate type classes for `JobArrival`, `JobCost`, and `JobDeadline` so that parameters can be selected and mixed as needed (e.g., not every type of job has necessarily a deadline).
-
-- For certain general concepts it can be very useful (or even essential) to state invariants that any reasonable choice must satisfy. This can be expressed as proof terms within a type class expressing the general concept. For instance, this is used in the `ProcessorState` and `JobReady` type classes, to specify their fundamental semantics. Introducing such proof terms is ok if it is truly required, or if it yields great benefits in readability elsewhere, but generally speaking **use proof terms sparingly and document their use profusely**.
-
-- When in doubt, avoid proof terms and instead opt for the regular Prosa way of defining a `valid_...` predicate to concisely express all properties that any reasonable interpretation of a given general concept must satisfy.
\ No newline at end of file
diff --git a/model/aggregate/service_of_jobs.v b/model/aggregate/service_of_jobs.v
deleted file mode 100644
index b5617fe0287c19b45956defda9d51128e1708284..0000000000000000000000000000000000000000
--- a/model/aggregate/service_of_jobs.v
+++ /dev/null
@@ -1,103 +0,0 @@
-Require Export prosa.model.priority.classes.
-
-(** * Service Received by Sets of Jobs *)
-
-(** In this file, we define the notion of service received by a set of
- jobs. *)
-
-Section ServiceOfJobs.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
-
- (** Consider any kind of processor model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any job arrival sequence, ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any given schedule. *)
- Variable sched : schedule PState.
-
- (** First, we define the service received by a generic set of jobs. *)
- Section ServiceOfSetOfJobs.
-
- (** Let [P] be any computable predicate over jobs, ...*)
- Variable P : pred Job.
-
- (** ... and let [jobs] denote any (finite) set of jobs. *)
- Variable jobs : seq Job.
-
- (** We define the cumulative service received at time [t] by
- jobs in [jobs] that satisfy predicate [P] ... *)
- Definition service_of_jobs_at (t : instant) :=
- \sum_(j <- jobs | P j) service_at sched j t.
-
- (** ... and the cumulative service received during the interval
- <<[t1, t2)>> by jobs that satisfy predicate [P]. *)
- Definition service_of_jobs (t1 t2 : instant) :=
- \sum_(j <- jobs | P j) service_during sched j t1 t2.
-
- End ServiceOfSetOfJobs.
-
- (** Next, we define the service received by jobs with higher or
- equal priority under JLFP policies. *)
- Section PerJobPriority.
-
- (** Consider any JLDP policy. *)
- Context `{JLFP_policy Job}.
-
- (** Let jobs denote any (finite) set of jobs. *)
- Variable jobs : seq Job.
-
- (** Let j be the job to be analyzed. *)
- Variable j : Job.
-
- (** Based on the definition of jobs of higher or equal priority, ... *)
- Let of_higher_or_equal_priority j_hp := hep_job j_hp j.
-
- (** ...we define the service received during <<[t1, t2)>> by jobs of higher or equal priority. *)
- Definition service_of_higher_or_equal_priority_jobs (t1 t2 : instant) :=
- service_of_jobs of_higher_or_equal_priority jobs t1 t2.
-
- End PerJobPriority.
-
- (** We define the notion of cumulative service received by
- the jobs of a given task. *)
- Section ServiceOfTask.
-
- (** Let [tsk] be the task to be analyzed ... *)
- Variable tsk : Task.
-
- (** ... and let [jobs] denote any (finite) set of jobs. *)
- Variable jobs : seq Job.
-
- (** We define the cumulative task service received by the jobs of
- task [tsk] within time interval <<[t1, t2)>>. *)
- Definition task_service_of_jobs_in t1 t2 :=
- service_of_jobs (job_of_task tsk) jobs t1 t2.
-
- End ServiceOfTask.
-
- (** Finally, we define the notion of total service received by a set of jobs. *)
- Section TotalService.
-
- (** Let [jobs] denote any (finite) set of jobs. *)
- Variable jobs : seq Job.
-
- (** We define the total service of [jobs] in an interval <<[t1,t2)>> simply
- as a sum of the service of individual jobs in interval <<[t1,t2)>>.
-
- (The predicate [predT] is the trivial predicate that always evaluates to
- [true], meaning that no jobs are filtered, and hence all jobs are
- accounted for.) *)
- Definition total_service_of_jobs_in (t1 t2 : instant) :=
- service_of_jobs predT jobs t1 t2.
-
- End TotalService.
-
-End ServiceOfJobs.
diff --git a/model/aggregate/workload.v b/model/aggregate/workload.v
deleted file mode 100644
index 43890137247cd2488a1b1f0f869bd57b260a08c3..0000000000000000000000000000000000000000
--- a/model/aggregate/workload.v
+++ /dev/null
@@ -1,75 +0,0 @@
-Require Export prosa.model.priority.classes.
-
-(** * Cumulative Workload of Sets of Jobs *)
-
-(** In this module, we define the notion of the cumulative workload of
- a set of jobs. *)
-Section WorkloadOfJobs.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs with execution costs that are
- associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobCost Job}.
-
- (** Consider any job arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** First, we define the workload for generic sets of jobs. *)
- Section WorkloadOfJobs.
-
- (** Given any computable predicate on jobs, ... *)
- Variable P : pred Job.
-
- (** ... and any (finite) set of jobs, ... *)
- Variable jobs : seq Job.
-
- (** ... we define the total workload of the jobs that satisfy
- predicate [P]. *)
- Definition workload_of_jobs := \sum_(j <- jobs | P j) job_cost j.
-
- End WorkloadOfJobs.
-
- (** Next, we define the workload of jobs with higher or
- equal priority under JLFP policies. *)
- Section PerJobPriority.
-
- (** Consider any JLFP policy that indicates whether a job has
- higher or equal priority. *)
- Context `{JLFP_policy Job}.
-
- (** Let j be the job to be analyzed. *)
- Variable j : Job.
-
- (** Recall the notion of a job of higher or equal priority. *)
- Let of_higher_or_equal_priority j_hp := hep_job j_hp j.
-
- (** Then, we define the workload of higher or equal priority of all jobs
- with higher-or-equal priority than j. *)
- Definition workload_of_higher_or_equal_priority_jobs :=
- workload_of_jobs of_higher_or_equal_priority.
-
- End PerJobPriority.
-
- (** We also define workload of a task. *)
- Section TaskWorkload.
-
- (** Let [tsk] be the task to be analyzed. *)
- Variable tsk : Task.
-
- (** We define the task workload as the workload of jobs of task
- [tsk]. *)
- Definition task_workload jobs := workload_of_jobs (job_of_task tsk) jobs.
-
- (** Finally, we define the task's workload in a given interval [[t1,
- t2)]. *)
- Definition task_workload_between (t1 t2 : instant) :=
- task_workload (arrivals_between arr_seq t1 t2).
-
- End TaskWorkload.
-
-End WorkloadOfJobs.
diff --git a/model/preemption/fully_nonpreemptive.v b/model/preemption/fully_nonpreemptive.v
deleted file mode 100644
index 2e2073186fd9bb255a8ae34044a7265ff1f03f22..0000000000000000000000000000000000000000
--- a/model/preemption/fully_nonpreemptive.v
+++ /dev/null
@@ -1,20 +0,0 @@
-Require Export prosa.model.preemption.parameter.
-
-(** * Preemption Model: Fully Non-Preemptive Jobs *)
-(** In this section, we instantiate [job_preemptable] for the fully
- non-preemptive model, wherein no job can be forcefully preempted at any
- time. *)
-Section FullyNonPreemptiveModel.
-
- (** Consider any type of jobs with execution costs. *)
- Context {Job : JobType}.
- Context `{JobCost Job}.
-
- (** We say that the model is fully non-preemptive iff no job
- can be preempted until its completion. *)
- #[local] Instance fully_nonpreemptive_job_model : JobPreemptable Job :=
- {
- job_preemptable (j : Job) (Ï : work) := (Ï == 0) || (Ï == job_cost j)
- }.
-
-End FullyNonPreemptiveModel.
diff --git a/model/preemption/fully_preemptive.v b/model/preemption/fully_preemptive.v
deleted file mode 100644
index e3c7f77f0a6f18c90300236cd7fb0f512d99639e..0000000000000000000000000000000000000000
--- a/model/preemption/fully_preemptive.v
+++ /dev/null
@@ -1,18 +0,0 @@
-Require Export prosa.model.preemption.parameter.
-
-(** * Preemption Model: Fully Preemptive Jobs *)
-(** In this section, we instantiate [job_preemptable] for the fully preemptive
- model, wherein any job may be preempted at any time. This matches the
- classic Liu & Layland model. *)
-Section FullyPreemptiveModel.
-
- (** Consider any type of jobs. *)
- Context {Job : JobType}.
-
- (** In the fully preemptive model, any job can be preempted at any time. *)
- #[local] Instance fully_preemptive_job_model : JobPreemptable Job :=
- {
- job_preemptable (_ : Job) (_ : work) := true
- }.
-
-End FullyPreemptiveModel.
diff --git a/model/preemption/limited_preemptive.v b/model/preemption/limited_preemptive.v
deleted file mode 100644
index 80976de6d6e4ba151c93a522e2b3ba37127dc0de..0000000000000000000000000000000000000000
--- a/model/preemption/limited_preemptive.v
+++ /dev/null
@@ -1,75 +0,0 @@
-Require Export prosa.model.preemption.parameter.
-
-(** * Job Model Parameter for Preemption Points *)
-
-(** Under the limited-preemptive preemption model, jobs can be preempted only
- at a precise set of points during their execution. To allow such fixed,
- progress-dependent preemption points to be specified, we introduce a new
- job parameter [job_preemptive_points] that, for each job, yields the set of
- progress values at which the job can be preempted by the scheduler.
-
- NB: the job parameter is called [job_preemptive_points], rather than
- [job_preemption_points], to avoid a name clash with the definition of the
- same name. *)
-Class JobPreemptionPoints (Job : JobType) :=
- {
- job_preemptive_points : Job -> seq work
- }.
-
-(** * Preemption Model: Limited-Preemptive Jobs *)
-
-(** Based on the above definition of [job_preemptive_points], in the following
- we instantiate [job_preemptable] for limited-preemptive jobs and introduce
- requirements that the function [job_preemptive_points] should satisfy to be
- coherent with the limited-preemptive preemption model. *)
-Section LimitedPreemptions.
-
- (** Consider any type of jobs with arrival times and execution costs. *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Given each job's preemption points, as determined by
- [job_preemptive_points], ...*)
- Context `{JobPreemptionPoints Job}.
-
- (** ...a job [j] is preemptable at a given point of progress [Ï] iff [Ï] is
- one of the preemption points of [j]. *)
- #[local] Instance limited_preemptive_job_model : JobPreemptable Job :=
- {
- job_preemptable (j : Job) (Ï : work) := Ï \in job_preemptive_points j
- }.
-
- (** ** Model Validity *)
-
- (** Next, we introduce some structural properties that a valid sequence of
- preemption points must satisfy. *)
- Section ValidLimitedPreemptiveModel.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** We require the sequence of preemption points to contain the beginning ... *)
- Definition beginning_of_execution_in_preemption_points :=
- forall j, arrives_in arr_seq j -> 0 \in job_preemptive_points j.
-
- (** ... and the end of execution for any job [j] that arrives in the given
- arrival sequence [arr_seq]. *)
- Definition end_of_execution_in_preemption_points :=
- forall j, arrives_in arr_seq j -> last0 (job_preemptive_points j) = job_cost j.
-
- (** We further require the sequence of preemption points to be a
- non-decreasing sequence. *)
- Definition preemption_points_is_nondecreasing_sequence :=
- forall j, arrives_in arr_seq j -> nondecreasing_sequence (job_preemptive_points j).
-
- (** A job model is considered valid w.r.t. limited-preemptive preemption
- model if it satisfies each of the preceding definitions. *)
- Definition valid_limited_preemptions_job_model :=
- beginning_of_execution_in_preemption_points /\
- end_of_execution_in_preemption_points /\
- preemption_points_is_nondecreasing_sequence.
-
- End ValidLimitedPreemptiveModel.
-
-End LimitedPreemptions.
diff --git a/model/preemption/parameter.v b/model/preemption/parameter.v
deleted file mode 100644
index c92656e23bb5d2c9942b2e533eaeb9865792262a..0000000000000000000000000000000000000000
--- a/model/preemption/parameter.v
+++ /dev/null
@@ -1,143 +0,0 @@
-Require Export prosa.util.all.
-Require Export prosa.behavior.all.
-Require Export prosa.model.priority.classes.
-
-(** * Job-Level Preemption Model *)
-(** There are many equivalent ways to represent at which points in time a job
- is preemptable, i.e., where it can be forced to relinquish the processor on
- which it is executing. In Prosa, the various preemption models are
- represented with a single predicate [job_preemptable] that indicates, for
- given a job and a given degree of progress, whether the job is preemptable
- at its current point of execution. *)
-Class JobPreemptable (Job : JobType) :=
- job_preemptable : Job -> work -> bool.
-
-(** * Maximum and Last Non-preemptive Segment of a Job *)
-(** In the following section we define the notions of the maximal and the last
- non-preemptive segments. *)
-Section MaxAndLastNonpreemptiveSegment.
-
- (** Consider any type of jobs with arrival times and execution costs... *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** ... and consider any given preemption model. *)
- Context `{JobPreemptable Job}.
-
- (** It is useful to define a representation of the preemption points of a job
- as an actual sequence of points where this job can be preempted. To this
- end, we define [job_preemption_points j] as the sequence of all progress
- values at which job [j] is preemptable, according to
- [job_preemptable]. *)
- Definition job_preemption_points (j : Job) : seq work :=
- [seq Ï : work <- range 0 (job_cost j) | job_preemptable j Ï].
-
- (** We observe that the conversion indeed is an equivalent way of
- representing the set of preemption points. *)
- Remark conversion_preserves_equivalence :
- forall (j : Job) (Ï : work),
- Ï <= job_cost j ->
- job_preemptable j Ï <-> Ï \in job_preemption_points j.
- Proof. by move=> j rho le; rewrite mem_filter mem_index_iota ltnS le/= andbT. Qed.
-
- (** We further define a function that, for a given job, yields the sequence
- of lengths of its nonpreemptive segments. *)
- Definition lengths_of_segments (j : Job) := distances (job_preemption_points j).
-
- (** Next, we define a function that determines the length of a job's longest
- nonpreemptive segment (or zero if the job is fully preemptive). *)
- Definition job_max_nonpreemptive_segment (j : Job) := max0 (lengths_of_segments j).
-
- (** Similarly, we define a function that yields the length of a job's last
- nonpreemptive segment (or zero if the job is fully preemptive). *)
- Definition job_last_nonpreemptive_segment (j : Job) := last0 (lengths_of_segments j).
-
- (** * Run-to-Completion Threshold of a Job *)
-
- (** Finally, we define the notion of a job's run-to-completion
- threshold (RTCT): the run-to-completion threshold is the amount
- of service after which a job cannot be preempted until its
- completion. *)
- Definition job_rtct (j : Job) :=
- job_cost j - (job_last_nonpreemptive_segment j - ε).
-
-End MaxAndLastNonpreemptiveSegment.
-
-
-(** * Model Validity *)
-(** In the following, we define properties that any reasonable job preemption
- model must satisfy. *)
-Section PreemptionModel.
-
- (** Consider any type of jobs with arrival times and execution costs... *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** ... and any preemption model. *)
- Context `{JobPreemptable Job}.
-
- (** Consider any JLDP policy. *)
- Context `{JLDP_policy Job}.
-
- (** Consider any kind of processor model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any job arrival sequence, ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any given schedule. *)
- Variable sched : schedule PState.
-
- (** We say that a job is [preempted_at t] if the job is scheduled at [t-1] and not scheduled at [t],
- but not completed by [t]. *)
- Definition preempted_at (j : Job) (t : instant) :=
- scheduled_at sched j t.-1
- && ~~ completed_by sched j t
- && ~~ scheduled_at sched j t.
-
- (** In the following, we define the notion of a valid preemption model. To
- begin with, we require that a job has to be executed at least one time
- instant in order to reach a nonpreemptive segment. In other words, a job
- must start execution to become non-preemptive. *)
- Definition job_cannot_become_nonpreemptive_before_execution (j : Job) :=
- job_preemptable j 0.
-
- (** And vice versa, a job cannot remain non-preemptive after its completion. *)
- Definition job_cannot_be_nonpreemptive_after_completion (j : Job) :=
- job_preemptable j (job_cost j).
-
- (** Next, if a job [j] is not preemptable at some time instant [t], then [j]
- must be scheduled at time [t]. *)
- Definition not_preemptive_implies_scheduled (j : Job) :=
- forall t,
- ~~ job_preemptable j (service sched j t) ->
- scheduled_at sched j t.
-
- (** A job can start its execution only from a preemption point. *)
- Definition execution_starts_with_preemption_point (j : Job) :=
- forall prt,
- ~~ scheduled_at sched j prt ->
- scheduled_at sched j prt.+1 ->
- job_preemptable j (service sched j prt.+1).
-
- (** We say that a preemption model is a valid preemption model if
- all assumptions given above are satisfied for any job. *)
- Definition valid_preemption_model :=
- forall j,
- arrives_in arr_seq j ->
- job_cannot_become_nonpreemptive_before_execution j
- /\ job_cannot_be_nonpreemptive_after_completion j
- /\ not_preemptive_implies_scheduled j
- /\ execution_starts_with_preemption_point j.
-
- (** We say that there are no superfluous preemptions if a job can
- only be preempted by another job having strictly higher priority. *)
- Definition no_superfluous_preemptions :=
- forall t j j_hp,
- preempted_at j t ->
- scheduled_at sched j_hp t ->
- ~~ hep_job_at t j j_hp.
-
-End PreemptionModel.
diff --git a/model/priority/classes.v b/model/priority/classes.v
deleted file mode 100644
index de1bb7c8fc73157f5f2f16c68a534bceb39c3e74..0000000000000000000000000000000000000000
--- a/model/priority/classes.v
+++ /dev/null
@@ -1,193 +0,0 @@
-From mathcomp Require Export seq.
-
-Require Export prosa.model.task.concept.
-Require Export prosa.util.rel.
-Require Export prosa.util.list.
-
-(** * The FP, JLFP, and JLDP Priority Classes *)
-
-(** In this module, we define the three well-known classes of priority
- relations: (1) fixed-priority (FP) policies, (2) job-level fixed-priority
- (JLFP) polices, and (3) job-level dynamic-priority (JLDP) policies, where
- (2) is a subset of (3), and (1) a subset of (2). *)
-
-(** As a convention, we use "hep" to mean "higher or equal priority." *)
-
-(** We define an FP policy as a relation among tasks, ... *)
-Class FP_policy (Task: TaskType) := hep_task : rel Task.
-
-(** ... a JLFP policy as a relation among jobs, and ... *)
-Class JLFP_policy (Job: JobType) := hep_job : rel Job.
-
-(** ... a JLDP policy as a relation among jobs that may vary over time. *)
-Class JLDP_policy (Job: JobType) := hep_job_at : instant -> rel Job.
-
-(** NB: The preceding definitions currently make it difficult to express
- priority policies in which the priority of a job at a given time varies
- depending on the preceding schedule prefix (e.g., least-laxity
- first). That is, there is room for an even more general notion of a
- schedule-dependent JLDP policy, where the priority relation among jobs
- may vary depending both on time and the schedule prefix prior to a
- given time. This is left to future work. *)
-
-(** ** Automatic FP âž” JLFP âž” JLDP Conversion *)
-
-(** Since there are natural interpretations of FP and JLFP policies as JLFP and
- JLDP policies, respectively, we define conversions that express these
- generalizations. In practice, this means that Coq will be able to
- automatically satisfy a JLDP assumption if a JLFP or FP policy is in
- scope. *)
-
-(** First, any FP policy can be interpreted as an JLFP policy by comparing jobs
- according to the priorities of their respective tasks. *)
-#[global]
-Instance FP_to_JLFP (Job: JobType) (Task: TaskType)
- `{JobTask Job Task} `{FP_policy Task} : JLFP_policy Job :=
- fun j1 j2 => hep_task (job_task j1) (job_task j2).
-
-(** Second, any JLFP policy implies a JLDP policy that simply ignores the time
- parameter. *)
-#[global]
-Instance JLFP_to_JLDP (Job: JobType) `{JLFP_policy Job} : JLDP_policy Job :=
- fun _ j1 j2 => hep_job j1 j2.
-
-(** We add coercions to enable automatic conversion from [JLFP] to [JLDP]... *)
-Coercion JLFP_to_JLDP : JLFP_policy >-> JLDP_policy.
-(** ...and from [FP] to [JLFP]. *)
-Coercion FP_to_JLFP : FP_policy >-> JLFP_policy.
-
-(** ** Properties of Priority Policies *)
-
-(** In the following section, we define key properties of common priority
- policies that proofs often depend on. *)
-
-Section Priorities.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks, ... *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
-
- (** .. and assume that jobs have a cost and an arrival time. *)
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** In the following section, we define properties of JLDP policies, and by
- extension also properties of FP and JLFP policies. *)
- Section JLDP.
-
- (** Consider any JLDP policy. *)
- Context `{JLDP_policy Job}.
-
- (** We define what it means for a JLDP policy to be reflexive, transitive,
- and total. Note that these definitions, although phrased in terms of a
- given JLDP policy, can also be used for JLFP and FP policies due to the
- above-defined conversion instances. *)
-
- (** A JLDP policy is reflexive if the relation among jobs is reflexive at
- every point in time. *)
- Definition reflexive_priorities := forall t, reflexive (hep_job_at t).
-
- (** A JLDP policy is transitive if the relation among jobs is transitive at
- every point in time. *)
- Definition transitive_priorities := forall t, transitive (hep_job_at t).
-
- (** A JLDP policy is total if the relation among jobs is total at
- every point in time. *)
- Definition total_priorities := forall t, total (hep_job_at t).
-
- End JLDP.
-
- (** Next, we define a property of JLFP policies. *)
- Section JLFP.
-
- (** Consider any JLFP policy. *)
- Context `{JLFP_policy Job}.
-
- (** Recall that jobs of a sequential task are necessarily executed in the
- order that they arrive.
-
- An arbitrary JLFP policy, however, can violate the sequential tasks
- hypothesis. For example, consider two jobs [j1], [j2] of the same task
- such that [job_arrival j1 < job_arrival j2]. It is possible that a JLFP
- priority policy [Ï€] will assign a higher priority to the second job [Ï€
- j2 j1 = true]. But such a situation would contradict the natural
- execution order of sequential tasks. It is therefore sometimes
- necessary to restrict the space of JLFP policies to those that assign
- priorities in a way that is consistent with sequential tasks.
-
- To this end, we say that a policy respects sequential tasks if, for any
- two jobs [j1], [j2] of the same task, [job_arrival j1 <= job_arrival j2]
- implies [Ï€ j1 j2 = true]. *)
- Definition policy_respects_sequential_tasks :=
- forall j1 j2,
- job_task j1 == job_task j2 ->
- job_arrival j1 <= job_arrival j2 ->
- hep_job j1 j2.
-
- End JLFP.
-
- (** Finally, we we define and observe two properties of FP policies. *)
- Section FP.
-
- (** Consider any FP policy. *)
- Context `{FP_policy Task}.
-
- (** To express the common assumption that task priorities are unique, we
- define whether the given FP policy is antisymmetric over a task set
- [ts]. *)
- Definition antisymmetric_over_taskset (ts : seq Task) :=
- antisymmetric_over_list hep_task ts.
-
- (** Further, we observe that any [FP_policy] respects the sequential tasks
- hypothesis, meaning that later-arrived jobs of a task don't have higher
- priority than earlier-arrived jobs of the same task (assuming that task
- priorities are reflexive). *)
- Remark respects_sequential_tasks :
- reflexive_priorities -> policy_respects_sequential_tasks.
- Proof.
- move => REFL j1 j2 /eqP EQ LT.
- rewrite /hep_job /FP_to_JLFP EQ.
- by eapply (REFL 0).
- Qed.
-
- End FP.
-
-End Priorities.
-
-(** ** Derived Priority Relations *)
-
-(** In the following section, we derive two auxiliary priority
- relations. *)
-Section DerivedPriorityRleations.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
-
- (** Consider a JLFP-policy that indicates a higher-or-equal priority relation. *)
- Context `{JLFP_policy Job}.
-
- (** First, we introduce a relation that defines whether job [j1] has
- a higher-than-or-equal-priority than job [j2] and [j1] is not
- equal to [j2]. *)
- Definition another_hep_job : JLFP_policy Job :=
- fun j1 j2 => hep_job j1 j2 && (j1 != j2).
-
- (** Next, we introduce a relation that defines whether a job [j1]
- has a higher-or-equal-priority than job [j2] and the task of
- [j1] is not equal to task of [j2]. *)
- Definition another_task_hep_job : JLFP_policy Job :=
- fun j1 j2 => hep_job j1 j2 && (job_task j1 != job_task j2).
-
-End DerivedPriorityRleations.
-
-(** We add the above observation into the "Hint Database" basic_rt_facts, so Coq
- will be able to apply it automatically. *)
-Global Hint Resolve respects_sequential_tasks : basic_rt_facts.
diff --git a/model/priority/deadline_monotonic.v b/model/priority/deadline_monotonic.v
deleted file mode 100644
index 7b11cfe61401d8df4962039639b931eb910c7cd3..0000000000000000000000000000000000000000
--- a/model/priority/deadline_monotonic.v
+++ /dev/null
@@ -1,45 +0,0 @@
-Require Export prosa.model.priority.classes.
-
-(** * Deadline-Monotonic Fixed-Priority Policy *)
-
-(** We define the notion of deadline-monotonic task priorities, i.e., the
- classic FP policy in which tasks are prioritized in order of their relative
- deadlines. *)
-#[export] Instance DM (Task : TaskType) `{TaskDeadline Task} : FP_policy Task :=
-{
- hep_task (tsk1 tsk2 : Task) := task_deadline tsk1 <= task_deadline tsk2
-}.
-
-(** In this section, we prove a few basic properties of the DM policy. *)
-Section Properties.
-
- (** Consider any kind of tasks with relative deadlines... *)
- Context {Task : TaskType}.
- Context `{TaskDeadline Task}.
-
- (** ...and jobs stemming from these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
-
- (** DM is reflexive. *)
- Lemma DM_is_reflexive : reflexive_priorities.
- Proof. by move=> ?; rewrite /hep_job_at /JLFP_to_JLDP /hep_job /FP_to_JLFP /hep_task /DM. Qed.
-
- (** DM is transitive. *)
- Lemma DM_is_transitive : transitive_priorities.
- Proof. by intros t y x z; apply leq_trans. Qed.
-
- (** DM is total. *)
- Lemma DM_is_total : total_priorities.
- Proof. by move=> t j1 j2; apply leq_total. Qed.
-
-End Properties.
-
-(** We add the above lemmas into a "Hint Database" basic_rt_facts, so Coq
- will be able to apply them automatically. *)
-Global Hint Resolve
- DM_is_reflexive
- DM_is_transitive
- DM_is_total
- : basic_rt_facts.
-
diff --git a/model/priority/edf.v b/model/priority/edf.v
deleted file mode 100644
index 3929b55914195f7af7d734d690176c33bdc82aaf..0000000000000000000000000000000000000000
--- a/model/priority/edf.v
+++ /dev/null
@@ -1,45 +0,0 @@
-Require Export prosa.model.priority.classes.
-
-(** * EDF Priority Policy *)
-
-(** We introduce the classic EDF priority policy, under which jobs are
- scheduled in order of their urgency, i.e., jobs are ordered according to
- their absolute deadlines. The EDF policy belongs to the class of JLFP
- policies. *)
-#[export] Instance EDF (Job : JobType) `{JobDeadline Job} : JLFP_policy Job :=
-{
- hep_job (j1 j2 : Job) := job_deadline j1 <= job_deadline j2
-}.
-
-(** In this section, we prove a few properties about EDF policy. *)
-Section PropertiesOfEDF.
-
- (** Consider any type of jobs with deadlines. *)
- Context {Job : JobType}.
- Context `{JobDeadline Job}.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** EDF is reflexive. *)
- Lemma EDF_is_reflexive : reflexive_priorities.
- Proof. by intros t j; unfold hep_job_at, JLFP_to_JLDP, hep_job, EDF. Qed.
-
- (** EDF is transitive. *)
- Lemma EDF_is_transitive : transitive_priorities.
- Proof. by intros t y x z; apply leq_trans. Qed.
-
- (** EDF is total. *)
- Lemma EDF_is_total : total_priorities.
- Proof. by move=> t j1 j2; apply leq_total. Qed.
-
-End PropertiesOfEDF.
-
-(** We add the above lemmas into a "Hint Database" basic_rt_facts, so Coq
- will be able to apply them automatically. *)
-Global Hint Resolve
- EDF_is_reflexive
- EDF_is_transitive
- EDF_is_total
- : basic_rt_facts.
-
diff --git a/model/priority/fifo.v b/model/priority/fifo.v
deleted file mode 100644
index eca55d459815e373a6f51815c2bd52aab339c6df..0000000000000000000000000000000000000000
--- a/model/priority/fifo.v
+++ /dev/null
@@ -1,41 +0,0 @@
-Require Export prosa.model.priority.classes.
-
-(** * FIFO Priority Policy *)
-
-(** We define the basic FIFO priority policy, under which jobs are prioritized
- in order of their arrival times. The FIFO policy belongs to the class of
- JLFP policies. *)
-#[export] Instance FIFO (Job : JobType) `{JobArrival Job} : JLFP_policy Job :=
-{
- hep_job (j1 j2 : Job) := job_arrival j1 <= job_arrival j2
-}.
-
-(** In this section, we prove a few basic properties of the FIFO policy. *)
-Section Properties.
-
- (** Consider any type of jobs with arrival times. *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
-
- (** FIFO is reflexive. *)
- Lemma FIFO_is_reflexive : reflexive_priorities.
- Proof. by intros t j; unfold hep_job_at, JLFP_to_JLDP, hep_job, FIFO. Qed.
-
- (** FIFO is transitive. *)
- Lemma FIFO_is_transitive : transitive_priorities.
- Proof. by intros t y x z; apply leq_trans. Qed.
-
- (** FIFO is total. *)
- Lemma FIFO_is_total : total_priorities.
- Proof. by move=> t j1 j2; apply leq_total. Qed.
-
-End Properties.
-
-(** We add the above lemmas into a "Hint Database" basic_rt_facts, so Coq
- will be able to apply them automatically. *)
-Global Hint Resolve
- FIFO_is_reflexive
- FIFO_is_transitive
- FIFO_is_total
- : basic_rt_facts.
-
diff --git a/model/priority/gel.v b/model/priority/gel.v
deleted file mode 100644
index b385e6260c82289a6b2fee5f6c492dd1a02996dc..0000000000000000000000000000000000000000
--- a/model/priority/gel.v
+++ /dev/null
@@ -1,80 +0,0 @@
-Require Export prosa.model.priority.classes.
-Require Export BinInt.
-
-From mathcomp Require Import ssrZ.
-
-(** * GEL Priority Policy *)
-
-(** We define the class of "Global-EDF-like" (GEL) priority policies,
- as first introduced by Leontyev et al. ("Multiprocessor Extensions
- to Real-Time Calculus", Real-Time Systems, 2011).
-
- GEL scheduling is a (large) subset of the class of JLFP policies,
- which structurally resembles EDF scheduling, hence the name. Under
- GEL scheduling, each task has a constant "priority point offset."
- Each job's priority point is given by its arrival time plus its
- task's offset, with the interpretation that an earlier priority
- point implies higher priority.
-
- EDF and FIFO are both special cases of GEL with the offset
- respectively being the relative deadline and zero. *)
-
-(** To begin, we define the offset type. Note that an offset may be negative. *)
-Definition offset := Z.
-
-(** We define a task-model parameter to express each task's relative priority point. *)
-Class PriorityPoint (Task : TaskType) := task_priority_point : Task -> offset.
-
-(** Based on the task-level relative priority-point parameter, we
- define a job's absolute priority point in a straightforward manner.
- To this end, we need to introduce some context first. *)
-Section AbsolutePriorityPoint.
- (** For any type of tasks with relative priority points, ... *)
- Context {Job : JobType} {Task : TaskType} `{JobTask Job Task} `{PriorityPoint Task} `{JobArrival Job}.
-
- (** ... a job's absolute priority point is given by its arrival time
- plus its task's relative priority point. *)
- Definition job_priority_point (j : Job) := (Z.of_nat (job_arrival j) + task_priority_point (job_task j))%Z.
-End AbsolutePriorityPoint.
-
-(** The resulting definition of GEL is straightforward: a job [j1]'s
- priority is higher than or equal to a job [j2]'s priority iff
- [j1]'s absolute priority point is no later than [j2]'s absolute
- priority point. *)
-#[export] Instance GEL (Job : JobType) (Task : TaskType)
- `{PriorityPoint Task} `{JobArrival Job} `{JobTask Job Task} : JLFP_policy Job :=
-{
- hep_job (j1 j2 : Job) := (job_priority_point j1 <=? job_priority_point j2)%Z
-}.
-
-(** In this section, we note three basic properties of the GEL policy:
- the priority relation is reflexive, transitive, and total. *)
-Section PropertiesOfGEL.
-
- (** Consider any type of tasks with relative priority points...*)
- Context {Task : TaskType} `{PriorityPoint Task}.
-
- (** ...and jobs of these tasks. *)
- Context {Job : JobType} `{JobArrival Job} `{JobTask Job Task}.
-
- (** GEL is reflexive. *)
- Fact GEL_is_reflexive : reflexive_priorities.
- Proof. by move=> t j; apply Z.leb_refl. Qed.
-
- (** GEL is transitive. *)
- Fact GEL_is_transitive : transitive_priorities.
- Proof. by move=> t y x z; apply Zbool.Zle_bool_trans. Qed.
-
- (** GEL is total. *)
- Fact GEL_is_total : total_priorities.
- Proof. by move=> t j1 j2; apply ZInstances.leZ_total. Qed.
-
-End PropertiesOfGEL.
-
-(** We add the above facts into a "Hint Database" basic_rt_facts, so Coq
- will be able to apply them automatically where needed. *)
-Global Hint Resolve
- GEL_is_reflexive
- GEL_is_transitive
- GEL_is_total
- : basic_rt_facts.
diff --git a/model/priority/numeric_fixed_priority.v b/model/priority/numeric_fixed_priority.v
deleted file mode 100644
index 217c11a72fb233bce76259338bd2b78b3a6410cb..0000000000000000000000000000000000000000
--- a/model/priority/numeric_fixed_priority.v
+++ /dev/null
@@ -1,107 +0,0 @@
-Require Export prosa.model.priority.classes.
-
-(** * Numeric Fixed Task Priorities *)
-
-(** We define the notion of arbitrary numeric fixed task priorities, i.e.,
- tasks are prioritized in order of user-provided numeric priority values,
- where numerically smaller values indicate lower priorities (as for instance
- it is the case in Linux). *)
-
-(** First, we define a new task parameter [task_priority] that maps each task
- to a numeric priority value. *)
-Class TaskPriority (Task : TaskType) := task_priority : Task -> nat.
-
-(** Based on this parameter, we define two corresponding FP policies. In one
- instance, a lower numeric value indicates lower priority, while in the other
- instance, a lower numeric value indicates higher priority. Both these
- interpretations can be found in practice and in the literature. For example,
- Linux uses "higher numeric value <-> higher priority", whereas many papers
- assume "lower numeric value <-> higher priority". *)
-
-(** In this section, we define ascending numeric fixed priorities, where a
- larger numeric value indicates higher priority, and note some trivial facts
- about this interpretation of priority values. *)
-Section PropertiesNFPA.
-
- (** The instance [NumericFPAscending] assigns higher priority to tasks with
- higher numeric [task_priority] value. *)
- #[local] Instance NumericFPAscending (Task : TaskType) `{TaskPriority Task} : FP_policy Task :=
- {
- hep_task (tsk1 tsk2 : Task) := task_priority tsk1 >= task_priority tsk2
- }.
-
- (** Consider any kind of tasks with specified priorities... *)
- Context {Task : TaskType}.
- Context `{TaskPriority Task}.
-
- (** ...and jobs stemming from these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
-
- (** The resulting priority policy is reflexive. *)
- Lemma NFPA_is_reflexive : reflexive_priorities.
- Proof. by move=> ?; rewrite /hep_job_at /JLFP_to_JLDP /hep_job /FP_to_JLFP /hep_task /NumericFPAscending. Qed.
-
- (** The resulting priority policy is transitive. *)
- Lemma NFPA_is_transitive : transitive_priorities.
- Proof.
- move=> t y x z.
- rewrite /hep_job_at /JLFP_to_JLDP /hep_job /FP_to_JLFP /hep_task /NumericFPAscending.
- by move=> PRIO_yx PRIO_zy; apply leq_trans with (n := task_priority (job_task y)).
- Qed.
-
- (** The resulting priority policy is total. *)
- Lemma NFPA_is_total : total_priorities.
- Proof. by move=> t j1 j2; apply leq_total. Qed.
-
-End PropertiesNFPA.
-
-(** Next, we define descending numeric fixed priorities, where a larger numeric
- value indicates lower priority, and again note some trivial facts about this
- alternate interpretation of priority values. *)
-Section PropertiesNFPD.
-
- (** The instance [NumericFPDescending] assigns lower priority to tasks with
- higher numeric [task_priority] value. *)
- #[local] Instance NumericFPDescending (Task : TaskType) `{TaskPriority Task} : FP_policy Task :=
- {
- hep_task (tsk1 tsk2 : Task) := task_priority tsk1 <= task_priority tsk2
- }.
-
- (** Consider any kind of tasks with specified priorities... *)
- Context {Task : TaskType}.
- Context `{TaskPriority Task}.
-
- (** ...and jobs stemming from these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
-
- (** The resulting priority policy is reflexive. *)
- Lemma NFPD_is_reflexive : reflexive_priorities.
- Proof. by move=> ?; rewrite /hep_job_at /JLFP_to_JLDP /hep_job /FP_to_JLFP /hep_task /NumericFPDescending. Qed.
-
- (** The resulting priority policy is transitive. *)
- Lemma NFPD_is_transitive : transitive_priorities.
- Proof.
- move=> t y x z.
- rewrite /hep_job_at /JLFP_to_JLDP /hep_job /FP_to_JLFP /hep_task /NumericFPDescending.
- by move=> PRIO_yx PRIO_zy; apply leq_trans with (n := task_priority (job_task y)).
- Qed.
-
- (** The resulting priority policy is total. *)
- Lemma NFPD_is_total : total_priorities.
- Proof. by move=> t j1 j2; apply leq_total. Qed.
-
-End PropertiesNFPD.
-
-(** We add the above lemmas into a "Hint Database" basic_rt_facts, so Coq
- will be able to apply them automatically. *)
-Global Hint Resolve
- NFPA_is_reflexive
- NFPA_is_transitive
- NFPA_is_total
- NFPD_is_reflexive
- NFPD_is_transitive
- NFPD_is_total
- : basic_rt_facts.
-
diff --git a/model/priority/rate_monotonic.v b/model/priority/rate_monotonic.v
deleted file mode 100644
index 7e794d48a2302e974123ed3b245c5ce1361bf31b..0000000000000000000000000000000000000000
--- a/model/priority/rate_monotonic.v
+++ /dev/null
@@ -1,47 +0,0 @@
-Require Export prosa.model.priority.classes.
-Require Export prosa.model.task.arrival.sporadic.
-
-
-(** * Rate-Monotonic Fixed-Priority Policy *)
-
-(** We define the notion of rate-monotonic task priorities for sporadic tasks,
- i.e., the classic FP policy in which sporadic tasks are prioritized in
- order of their minimum inter-arrival times (or periods). *)
-#[export] Instance RM (Task : TaskType) `{SporadicModel Task} : FP_policy Task :=
-{
- hep_task (tsk1 tsk2 : Task) := task_min_inter_arrival_time tsk1 <= task_min_inter_arrival_time tsk2
-}.
-
-(** In this section, we prove a few basic properties of the RM policy. *)
-Section Properties.
-
- (** Consider sporadic tasks... *)
- Context {Task : TaskType}.
- Context `{SporadicModel Task}.
-
- (** ...and jobs stemming from these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
-
- (** RM is reflexive. *)
- Lemma RM_is_reflexive : reflexive_priorities.
- Proof. by move=> ?; rewrite /hep_job_at /JLFP_to_JLDP /hep_job /FP_to_JLFP /hep_task /RM. Qed.
-
- (** RM is transitive. *)
- Lemma RM_is_transitive : transitive_priorities.
- Proof. by intros t y x z; apply leq_trans. Qed.
-
- (** RM is total. *)
- Lemma RM_is_total : total_priorities.
- Proof. by move=> t j1 j2; apply leq_total. Qed.
-
-End Properties.
-
-(** We add the above lemmas into a "Hint Database" basic_rt_facts, so Coq
- will be able to apply them automatically. *)
-Global Hint Resolve
- RM_is_reflexive
- RM_is_transitive
- RM_is_total
- : basic_rt_facts.
-
diff --git a/model/processor/ideal.v b/model/processor/ideal.v
deleted file mode 100644
index f8dc6e48ab8ea8d5bfbf366621014500a2087277..0000000000000000000000000000000000000000
--- a/model/processor/ideal.v
+++ /dev/null
@@ -1,59 +0,0 @@
-From mathcomp Require Import all_ssreflect.
-Require Export prosa.behavior.all.
-
-(** * The Ideal Uniprocessor Model *)
-
-
-(** In this module, we define a central piece of the Prosa model: the notion of
- an ideal uniprocessor state. The word "ideal" here refers to the complete
- absence of runtime overheads or any other complications. In an ideal
- uniprocessor schedule, there are only two possible cases: at a given time,
- either a specific job is scheduled and makes unit-progress, or the
- processor is idle. To model this, we simply reuse the standard [option]
- type from the Coq standard library. *)
-
-Section State.
-
- (** Consider any type of jobs. *)
- Variable Job: JobType.
-
- (** We connect the notion of an ideal processor state with
- the generic interface for the processor-state abstraction in Prosa by
- declaring a so-called instance of the [ProcessorState] typeclass. *)
- Program Definition processor_state : ProcessorState Job :=
- {|
- (** We define the ideal "processor state" as an [option Job],
- which means that it is either [Some j] (where [j] is a
- [Job]) or [None] (which we use to indicate an idle
- instant). *)
- State := option Job;
- (** As this is a uniprocessor model, cores are implicitly defined
- as the [unit] type containing a single element as a placeholder. *)
- (** We say that a given job [j] is scheduled in a
- given state [s] iff [s] is [Some j]. *)
- scheduled_on j s (_ : unit) := s == Some j;
- (** Similarly, we say that a given job [j] receives service in a
- given state [s] iff [s] is [Some j]. *)
- service_on j s (_ : unit) := if s == Some j then 1 else 0;
- |}.
- Next Obligation. by rewrite /nat_of_bool; case: ifP H => // ? /negP[]. Qed.
-
-End State.
-
-(** ** Idle Instants *)
-
-(** In this section, we define the notion of idleness for ideal uniprocessor
- schedules. *)
-Section IsIdle.
-
- (** Consider any type of jobs... *)
- Context {Job : JobType}.
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any ideal uniprocessor schedule of such jobs. *)
- Variable sched : schedule ((*ideal*)processor_state Job).
-
- (** We say that the processor is idle at time [t] iff there is no job being scheduled. *)
- Definition is_idle (t : instant) := sched t == None.
-
-End IsIdle.
diff --git a/model/processor/multiprocessor.v b/model/processor/multiprocessor.v
deleted file mode 100644
index 1131457e485d32f435eb7f16496653d20ea02f87..0000000000000000000000000000000000000000
--- a/model/processor/multiprocessor.v
+++ /dev/null
@@ -1,83 +0,0 @@
-From mathcomp Require Export fintype.
-Require Export prosa.behavior.all.
-Require Import prosa.analysis.facts.behavior.service.
-
-(** * Multiprocessor State *)
-
-(** In the following, we define a model of identical multiprocessors, i.e., of
- processors with multiple cores of identical capabilities. The
- multiprocessor model is generic in the type of processor state of the
- cores. That is, it is possible to combine any uniprocessor state (such as
- the ideal state) with the following generic multiprocessor
- construction. (In fact, by combining the below multiprocessor model with
- variable speed processors, it is even possible to obtain a so-called
- uniform multiprocessor model.)
-
- NB: For now, the definition serves only to document how this can be done;
- it is not actually used anywhere in the library. *)
-
-Section Schedule.
-
- (** Consider any types of jobs... *)
- Variable Job: JobType.
-
- (** ... and consider any type of per-processor state. *)
- Variable processor_state: ProcessorState Job.
-
- (** Given a desired number of processors [num_cpus], we define a finite type
- of integers from [0] to [num_cpus - 1]. The purpose of this definition is
- to obtain a finite type (i.e., set of values) that can be enumerated in a
- terminating computation.
-
- Syntax hint: the ['I_] before [num_cpus] is ssreflect syntax for the
- finite set of integers from zero to [num_cpus - 1]. *)
- Definition processor (num_cpus: nat) := 'I_num_cpus.
-
- (** Next, for any given number of processors [num_cpus]... *)
- Variable num_cpus : nat.
-
- (** ...we represent the type of the "multiprocessor state" as a function that
- maps processor IDs (as defined by [processor num_cpus], see above) to the
- given state on each core. *)
- Definition multiprocessor_state := processor num_cpus -> processor_state.
-
- (** Based on this notion of multiprocessor state, we say that a given job [j]
- is currently scheduled on a specific processor [cpu], according to the
- given multiprocessor state [mps], iff [j] is scheduled in the
- processor-local state [(mps cpu)]. *)
- Definition multiproc_scheduled_on
- (j : Job) (mps : multiprocessor_state) (cpu : processor num_cpus)
- := scheduled_in j (mps cpu).
-
- (** Similarly, the service received by a given job [j] in a given
- multiprocessor state [mps] on a given processor of ID [cpu] is exactly
- the service given by [j] in the processor-local state [(mps cpu)]. *)
- Definition multiproc_service_on
- (j : Job) (mps : multiprocessor_state) (cpu : processor num_cpus)
- := service_in j (mps cpu).
-
- (** Finally, we connect the above definitions with the generic Prosa
- interface for processor models. *)
- #[local] Program Instance multiproc_state : ProcessorState Job :=
- {|
- State := multiprocessor_state;
- scheduled_on := multiproc_scheduled_on;
- service_on := multiproc_service_on
- |}.
- Next Obligation.
- move: j s r H.
- move=> j mps cpu.
- by apply: service_in_implies_scheduled_in.
- Qed.
-
- (** From the instance [multiproc_state], we get the function [service_in].
- The service received by a given job [j] in a given multiprocessor state
- [mps] is given by the sum of the service received across all individual
- processors of the multiprocessor. *)
- Lemma multiproc_service_in_eq : forall (j : Job) (mps : multiprocessor_state),
- service_in j mps = \sum_(cpu < num_cpus) service_in j (mps cpu).
- Proof.
- reflexivity.
- Qed.
-
-End Schedule.
diff --git a/model/processor/platform_properties.v b/model/processor/platform_properties.v
deleted file mode 100644
index bc26d070ad5b1de806bdeacb1cd28f7aaf247e0d..0000000000000000000000000000000000000000
--- a/model/processor/platform_properties.v
+++ /dev/null
@@ -1,32 +0,0 @@
-Require Export prosa.behavior.all.
-
-(** To reason about classes of schedule types / processor models, we define the
- following properties that group processor models into classes of similar
- models. *)
-Section ProcessorModels.
- (** Consider any job type and any processor state.
-
- Note: we make the processor state an explicit variable (rather than
- implicit context) because it is the primary subject of the following
- definitions. *)
- Context {Job : JobType}.
- Variable PState : ProcessorState Job.
-
- (** We say that a processor model provides unit service if no job ever
- receives more than one unit of service at any time. *)
- Definition unit_service_proc_model :=
- forall (j : Job) (s : PState), service_in j s <= 1.
-
- (** We say that a processor model offers ideal progress if a scheduled job
- always receives non-zero service. *)
- Definition ideal_progress_proc_model :=
- forall j s, scheduled_in j s -> service_in j s > 0.
-
- (** In a uniprocessor model, the scheduled job is always unique. *)
- Definition uniprocessor_model :=
- forall j1 j2 s t,
- scheduled_at s j1 t ->
- scheduled_at s j2 t ->
- j1 = j2.
-
-End ProcessorModels.
diff --git a/model/processor/spin.v b/model/processor/spin.v
deleted file mode 100644
index 7bbbe392ff6098769fb5890c460f1f96f6aa3c02..0000000000000000000000000000000000000000
--- a/model/processor/spin.v
+++ /dev/null
@@ -1,63 +0,0 @@
-From mathcomp Require Import all_ssreflect.
-Require Export prosa.behavior.all.
-
-(** In the following, we define a processor state that includes the possibility
- of spinning, where spinning jobs do not progress (= don't get any service).
-
- NB: For now, the definition serves only to document how this can be done;
- it is not actually used anywhere in the library. *)
-Section State.
-
- (** Consider any type of jobs. *)
- Variable Job: JobType.
-
- (** We define the state of a processor at a given time to be one of three
- possible cases: either a specific job is scheduled and makes progress
- [Progress j], a specific job is scheduled but makes not useful progress
- [Spin j], or the processor is idle [Idle]. *)
- Inductive processor_state :=
- Idle
- | Spin (j : Job)
- | Progress (j : Job).
-
- (** Next, we define the semantics of the processor state with spinning. *)
- Section Service.
-
- (** Let [j] denote any job. *)
- Variable j : Job.
-
- (** It is scheduled in a given state [s] iff the state is not idle and [j]
- is the job mentioned in the state. *)
- Definition spin_scheduled_on (s : processor_state) (_ : unit) : bool :=
- match s with
- | Idle => false
- | Spin j' => j' == j
- | Progress j' => j' == j
- end.
-
- (** In contrast, job [j] receives service only if the given state [s] is
- [Progress j]. *)
- Definition spin_service_on (s : processor_state) (_ : unit) : work :=
- match s with
- | Idle => 0
- | Spin j' => 0
- | Progress j' => j' == j
- end.
-
- End Service.
-
- (** Finally, we connect the above definitions with the generic Prosa
- interface for abstract processor states. *)
- Program Definition pstate_instance : ProcessorState Job :=
- {|
- State := processor_state;
- scheduled_on := spin_scheduled_on;
- service_on := spin_service_on
- |}.
- Next Obligation.
- move: r H.
- case: s=>//= j' _.
- rewrite /nat_of_bool.
- by case: ifP.
- Qed.
-End State.
diff --git a/model/processor/varspeed.v b/model/processor/varspeed.v
deleted file mode 100644
index 73a19bbd7d5f935a3f90115266c9bfe601771dbe..0000000000000000000000000000000000000000
--- a/model/processor/varspeed.v
+++ /dev/null
@@ -1,60 +0,0 @@
-From mathcomp Require Import all_ssreflect.
-Require Export prosa.behavior.all.
-
-(** In the following, we define a model of processors with variable execution
- speeds.
-
- NB: For now, the definition serves only to document how this can be done;
- it is not actually used anywhere in the library. *)
-
-Section State.
-
- (** Consider any type of jobs. *)
- Variable Job: JobType.
-
- (** We define the state of a variable-speed processor at a given time to be
- one of two possible cases: either a specific job is scheduled and
- progresses with a specific speed, or the processor is idle. *)
- Inductive processor_state :=
- Idle
- | Progress (j : Job) (speed : nat).
-
- (** Next, we define the semantics of the variable-speed processor state. *)
- Section Service.
-
- (** Consider any job [j]. *)
- Variable j : Job.
-
- (** Job [j] is scheduled in a given state [s] if [s] is not idle and [j]
- matches the job recorded in [s]. *)
- Definition varspeed_scheduled_on (s : processor_state) (_ : unit) : bool :=
- match s with
- | Idle => false
- | Progress j' _ => j' == j
- end.
-
- (** If it is scheduled in state [s], job [j] receives service proportional
- to the speed recorded in the state. *)
- Definition varspeed_service_on (s : processor_state) (_ : unit) : work :=
- match s with
- | Idle => 0
- | Progress j' speed => if j' == j then speed else 0
- end.
-
- End Service.
-
- (** Finally, we connect the above definitions to the generic Prosa interface
- for processor states. *)
- Program Definition pstate_instance : ProcessorState Job :=
- {|
- State := processor_state;
- scheduled_on := varspeed_scheduled_on;
- service_on := varspeed_service_on
- |}.
- Next Obligation.
- move: r H.
- case: s=>//= j' v _.
- by case: ifP.
- Qed.
-
-End State.
diff --git a/model/readiness/basic.v b/model/readiness/basic.v
deleted file mode 100644
index 7595ca7b80b570bedd44440343502550d78061fe..0000000000000000000000000000000000000000
--- a/model/readiness/basic.v
+++ /dev/null
@@ -1,25 +0,0 @@
-Require Export prosa.behavior.all.
-
-(** * Liu & Layland Readiness Model *)
-
-(** In this module, we define the notion of job readiness for the classic Liu &
- Layland model without jitter or self-suspensions, where pending jobs are
- simply always ready. *)
-
-Section LiuAndLaylandReadiness.
- (** Consider any kind of jobs... *)
- Context {Job : JobType}.
-
- (** ... and any kind of processor state. *)
- Context {PState : ProcessorState Job}.
-
- (** Suppose jobs have an arrival time and a cost. *)
- Context `{JobArrival Job} `{JobCost Job}.
-
- (** In the basic Liu & Layland model, a job is ready iff it is pending. *)
- #[local,program] Instance basic_ready_instance : JobReady Job PState :=
- {
- job_ready sched j t := pending sched j t
- }.
-
-End LiuAndLaylandReadiness.
diff --git a/model/readiness/jitter.v b/model/readiness/jitter.v
deleted file mode 100644
index 728f2609335502b556d2ddb2e8f9d1ccfc94c5c2..0000000000000000000000000000000000000000
--- a/model/readiness/jitter.v
+++ /dev/null
@@ -1,49 +0,0 @@
-From mathcomp Require Export ssreflect ssrnat ssrbool eqtype fintype bigop.
-
-Require Export prosa.behavior.all.
-Require Import prosa.util.nat.
-
-
-(** * Job Model Parameter for Jobs Exhibiting Release Jitter *)
-
-(** If a job exhibits release jitter, it is not immediately available for
- execution upon arrival, and can be scheduled only after its release, which
- occurs some (bounded) time after its arrival. We model this with the
- [job_jitter] parameter, which maps each job to its jitter duration. *)
-
-Class JobJitter (Job : JobType) := job_jitter : Job -> duration.
-
-(** * Readiness of Jobs with Release Jitter *)
-
-(** Based on the job model's jitter parameter, we define the readiness
- predicate for jogs with release jitter (and no self-suspensions). *)
-
-Section ReadinessOfJitteryJobs.
- (** Consider any kind of jobs... *)
- Context {Job : JobType}.
-
- (** ... and any kind of processor state. *)
- Context {PState : ProcessorState Job}.
-
- (** Suppose jobs have an arrival time, a cost, and exhibit release jitter. *)
- Context `{JobArrival Job} `{JobCost Job} `{JobJitter Job}.
-
- (** We say that a job is released at a time [t] after its arrival if the
- job's release jitter has passed. *)
- Definition is_released (j : Job) (t : instant) := job_arrival j + job_jitter j <= t.
-
- (** Based on the predicate [is_released], it is easy to state the notion of
- readiness for jobs subject to release jitter: a job is ready only if it
- is released and not yet complete. *)
- #[local,program] Instance jitter_ready_instance : JobReady Job PState :=
- {
- job_ready sched j t := is_released j t && ~~ completed_by sched j t
- }.
- Next Obligation.
- move: H2 => /andP [REL UNFINISHED].
- rewrite /pending. apply /andP. split => //.
- move: REL. rewrite /is_released /has_arrived.
- by apply: leq_trans; rewrite leq_addr.
- Qed.
-
-End ReadinessOfJitteryJobs.
diff --git a/model/readiness/sequential.v b/model/readiness/sequential.v
deleted file mode 100644
index e199be6e7dfd8cbdf3515772ddba13d95b023929..0000000000000000000000000000000000000000
--- a/model/readiness/sequential.v
+++ /dev/null
@@ -1,37 +0,0 @@
-Require Export prosa.behavior.all.
-Require Export prosa.model.task.sequentiality.
-
-(** * Sequential Readiness Model *)
-
-(** In this module, we define the notion of sequential task readiness.
- This notion is similar to the classic Liu & Layland model without
- jitter or self-suspensions. However, an important difference is
- that in the sequential task readiness model only the earliest
- pending job of a task is ready. *)
-
-Section SequentialTasksReadiness.
-
- (** Consider any type of job associated with any type of tasks... *)
- Context {Job : JobType}.
- Context {Task : TaskType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** ... and any kind of processor state. *)
- Context {PState : ProcessorState Job}.
-
- (** Consider any job arrival sequence ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** A job [j] is ready at a time instant [t] iff all jobs from task
- [job_task j] that arrived earlier than job [j] are already
- completed by time [t]. *)
- #[local,program] Instance sequential_ready_instance : JobReady Job PState :=
- {
- job_ready sched j t := pending sched j t &&
- prior_jobs_complete arr_seq sched j t
- }.
- Next Obligation. by move: H2 => /andP[]. Qed.
-
-End SequentialTasksReadiness.
diff --git a/model/readiness/suspension.v b/model/readiness/suspension.v
deleted file mode 100644
index 0a9020b77534b4a3a528f42e142044c54b5e4620..0000000000000000000000000000000000000000
--- a/model/readiness/suspension.v
+++ /dev/null
@@ -1,77 +0,0 @@
-Require Export prosa.behavior.all.
-Require Export prosa.analysis.definitions.progress.
-Require Export prosa.util.nat.
-
-(** * Job Model Parameter for Jobs Exhibiting Self-Suspensions *)
-
-(** We define a job's self-suspension parameter as follows: after having
- received a given number of units of service [rho], a job [j] may either
- self-suspend for a given duration [d], in which case [job_suspension j rho
- = d], or it may remain ready, in which case [job_suspension j rho =
- 0]. Note that a job may self-suspend before having received any service,
- which is equivalent to release jitter. (Suspensions after a job has
- completed are meaningless and irrelevant.) *)
-Class JobSuspension (Job : JobType) := job_suspension : Job -> work -> duration.
-
-(** * Readiness of Self-Suspending Jobs *)
-
-(** In the following section, we define the notion of "readiness" for
- self-suspending jobs based on the just-defined job-model parameter. *)
-Section ReadinessOfSelfSuspendingJobs.
- (** Consider any kind of jobs... *)
- Context {Job : JobType}.
-
- (** ... and any kind of processor state. *)
- Context {PState : ProcessorState Job}.
-
- (** Suppose jobs have an arrival time, a cost, and that they exhibit
- self-suspensions. *)
- Context `{JobArrival Job} `{JobCost Job} `{JobSuspension Job}.
-
- (** We say that a job's last suspension (if any) of length [delay] "has
- passed" at a given time [t] (i.e., the job is ready again at time [t]) if
- the job arrived at least [delay] time units ago and has not progressed
- within the last [delay] time units. In other words, since a
- self-suspension can start only when a job progresses (i.e., when it
- receives some service), if a job has not been making progress in the last
- [delay] time units, then a self-suspension of length [delay] has
- necessarily ended at time [t]. *)
- Definition suspension_has_passed (sched : schedule PState) (j : Job) (t : instant) :=
- let delay := job_suspension j (service sched j t) in
- (job_arrival j + delay <= t) && no_progress_for sched j t delay.
-
- (** Based on [suspension_has_passed], we state the notion of readiness for
- self-suspending jobs: a job [t] is ready at time [t] in a schedule
- [sched] only if it is not self-suspended or complete at time [t]. *)
- #[local,program] Instance suspension_ready_instance : JobReady Job PState :=
- {
- job_ready sched j t := suspension_has_passed sched j t
- && ~~ completed_by sched j t
- }.
- Next Obligation.
- move: H2 => /andP [PASSED UNFINISHED].
- rewrite /pending. apply /andP. split => //.
- move: PASSED. rewrite /suspension_has_passed /has_arrived => /andP [ARR _].
- by apply: leq_trans ARR; rewrite leq_addr.
- Qed.
-
-End ReadinessOfSelfSuspendingJobs.
-
-
-(** * Total Suspension Time of a Job *)
-
-(** Next, we define the notion of a job's cumulative and total suspension times. *)
-
-Section TotalSuspensionTime.
-
- (** Consider any kind of jobs... *)
- Context {Job : JobType}.
-
- (** ...where each job has a cost and may exhibit self-suspensions. *)
- Context `{JobCost Job} `{JobSuspension Job}.
-
- (** A job's total self-suspension length is simply the sum of the lengths of
- all its suspensions. *)
- Definition total_suspension (j : Job) := \sum_(0 <= Ï < job_cost j) job_suspension j Ï.
-
-End TotalSuspensionTime.
diff --git a/model/schedule/edf.v b/model/schedule/edf.v
deleted file mode 100644
index 947d79c584395708fb75858d0bb3ec53637ded26..0000000000000000000000000000000000000000
--- a/model/schedule/edf.v
+++ /dev/null
@@ -1,60 +0,0 @@
-From mathcomp Require Import ssrnat ssrbool fintype.
-Require Export prosa.behavior.all.
-
-(** * Fully-Preemptive EDF Schedules *)
-
-(** This module provides an alternative definition of what it means to be an
- "EDF schedule".
-
- Note that the "proper" way to define an EDF schedule in Prosa is to use the
- EDF priority policy defined in model.priority.edf and the notion of
- priority-compliant schedules defined in model.schedule.priority_driven, as
- well as the general notion of work-conservation provided in
- model.schedule.work_conserving, which will have the benefit of taking into
- account issues such as various readiness models (e.g., jitter) and diverse
- preemption models (e.g., limited-preemptive jobs).
-
- The simpler definition offered in this module is (intentionally) oblivious
- to (i.e., not compatible with) issues such as non-preemptive regions or
- self-suspensions, and does not imply anything about work-conservation. In
- other words, it implicitly assumes that pending jobs are always ready and
- at all times preemptable.
-
- The advantage of this alternative definition is, however, that it is
- largely self-contained and fairly simple, following primarily from first
- principles. This makes it easier to use in certain contexts such as the
- proof of optimality of EDF. *)
-
-Section AlternativeDefinitionOfEDF.
-
- (** Consider any type of jobs with arrival times, costs, and deadlines ... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ... and any processor model. *)
- Context {PState : ProcessorState Job}.
-
- (** We say that a schedule is _locally EDF-compliant_ at a given point in
- time [t] if the job [j] scheduled at time [t] has a deadline that is
- earlier than or equal to the deadline of any other job [j'] that could be
- scheduled at time [t] (i.e., arrives at or before time [t]) but is
- actually scheduled later in the given schedule.
-
- In other words, a schedule is locally EDF-compliant at time [t] if there
- is no witness of a priority inversion (= an already arrived job with an
- earlier deadline) at a later point in the schedule. *)
- Definition EDF_at (sched: schedule PState) (t: instant) :=
- forall (j: Job),
- scheduled_at sched j t ->
- forall (t': instant) (j': Job),
- t <= t' ->
- scheduled_at sched j' t' ->
- job_arrival j' <= t ->
- job_deadline j <= job_deadline j'.
-
- (** Based on the notion of a locally EDF-compliant schedule given by
- [EDF_at], we say that a schedule is (globally) EDF-compliant
- schedule if it is locally EDF-compliant at every point in
- time. *)
- Definition EDF_schedule (sched: schedule PState) := forall t, EDF_at sched t.
-
-End AlternativeDefinitionOfEDF.
diff --git a/model/schedule/limited_preemptive.v b/model/schedule/limited_preemptive.v
deleted file mode 100644
index dbf659caf64ddbe671a35a2b8fcf96ecac676f1c..0000000000000000000000000000000000000000
--- a/model/schedule/limited_preemptive.v
+++ /dev/null
@@ -1,34 +0,0 @@
-Require Export prosa.model.preemption.parameter.
-
-(** * Preemption Model Compliance *)
-
-(** A preemption model restricts when jobs can be preempted. In this
- module, we specify the corresponding semantics, i.e., how a valid
- schedule must be restricted to be compliant with a given
- preemption model. *)
-Section ScheduleWithLimitedPreemptions.
-
- (** Consider any type of jobs, ... *)
- Context {Job : JobType}.
-
- (** ... any processor model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... and any preemption model. *)
- Context `{JobPreemptable Job}.
-
- (** Consider any arrival sequence ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and a schedule of the jobs in the arrival sequence. *)
- Variable sched : schedule PState.
-
- (** We say that a schedule respects the preemption model given by
- [job_preemptable] if non-preemptable jobs remain scheduled. *)
- Definition schedule_respects_preemption_model :=
- forall j t,
- arrives_in arr_seq j ->
- ~~ job_preemptable j (service sched j t) ->
- scheduled_at sched j t.
-
-End ScheduleWithLimitedPreemptions.
diff --git a/model/schedule/nonpreemptive.v b/model/schedule/nonpreemptive.v
deleted file mode 100644
index 803e88a97b8b93a7e965e569db8d6641c40019bd..0000000000000000000000000000000000000000
--- a/model/schedule/nonpreemptive.v
+++ /dev/null
@@ -1,27 +0,0 @@
-Require Export prosa.behavior.all.
-
-(** * Nonpreemptive Schedules *)
-
-(** In this module, we introduce a simple alternative definition of
- nonpreemptive schedules. Take also note of the fully nonpreemptive
- preemption model in model.preemption.fully_nonpreemptive. *)
-
-Section NonpreemptiveSchedule.
-
- (** Consider any type of jobs with execution costs ... *)
- Context {Job : JobType}.
- Context `{JobCost Job}.
-
- (** ... and any kind of processor model. *)
- Context {PState : ProcessorState Job}.
-
- (** We say that a given schedule is _nonpreemptive_ if every job,
- once it is scheduled, remains scheduled until completion. *)
- Definition nonpreemptive_schedule (sched : schedule PState) :=
- forall (j : Job) (t t' : instant),
- t <= t' ->
- scheduled_at sched j t ->
- ~~ completed_by sched j t' ->
- scheduled_at sched j t'.
-
-End NonpreemptiveSchedule.
diff --git a/model/schedule/preemption_time.v b/model/schedule/preemption_time.v
deleted file mode 100644
index 456521e0621375e17a63345cf31b3db5dda57e68..0000000000000000000000000000000000000000
--- a/model/schedule/preemption_time.v
+++ /dev/null
@@ -1,38 +0,0 @@
-Require Export prosa.model.preemption.parameter.
-Require prosa.model.processor.ideal.
-
-(** * Preemption Times *)
-
-(** The preemption framework defines a generic predicate [job_preemptable] as
- the interface to various preemption models. Crucially, [job_preemptable]
- does not depend on the current schedule or the current time, but only on
- the job's progress, i.e., it indicates the presence or absence of a
- preemption _point_ in the job's execution. In this section, we define the
- notion of a preemption _time_ in an ideal uniprocessor schedule base on the
- progress of the currently scheduled job.
-
- NB: For legacy reasons, the following definition are currently specific to
- ideal uniprocessor schedules. Lifting this assumption is future work
- (https://gitlab.mpi-sws.org/RT-PROOFS/rt-proofs/-/issues/76). *)
-
-Section PreemptionTime.
-
- (** Consider any type of jobs, ... *)
- Context {Job : JobType}.
-
- (** ... any preemption model, ... *)
- Context `{JobPreemptable Job}.
-
- (** ... and any ideal uniprocessor schedule of such jobs. *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** We say that a time [t] is a preemption time iff the job that is currently
- scheduled at [t], if any, can be preempted according to the predicate
- [job_preemptable] (which encodes the preemption model). An idle instant
- is always a preemption time. *)
- Definition preemption_time (t : instant) :=
- if sched t is Some j then
- job_preemptable j (service sched j t)
- else true.
-
-End PreemptionTime.
diff --git a/model/schedule/priority_driven.v b/model/schedule/priority_driven.v
deleted file mode 100644
index a8c23380de616d0a31b0f490f0ed4e4d411fa6e5..0000000000000000000000000000000000000000
--- a/model/schedule/priority_driven.v
+++ /dev/null
@@ -1,59 +0,0 @@
-Require Export prosa.model.priority.classes.
-Require Export prosa.model.schedule.preemption_time.
-
-(** * Priority-Driven Schedules *)
-
-(** We now define what it means for a schedule to respect a priority in the
- presence of jobs with non-preemptive segments. We only specify a
- definition for JLDP policies since JLFP and FP policies can be used with
- this definition through the canonical conversions (see
- model.priority.classes).
-
- NB: For legacy reasons, the below definition is currently specific to ideal
- uniprocessor schedules. Removal of this limitation is future work. *)
-
-Section Priority.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
-
- (** Suppose jobs have an arrival time, a cost, ... *)
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** ... and consider any preemption model and notion of readiness. *)
- Context `{JobPreemptable Job}.
- Context {jr : JobReady Job (ideal.processor_state Job)}.
-
- (** Given any job arrival sequence... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ...and an ideal uniprocessor schedule of these jobs, *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** we say that a priority policy is respected by the schedule iff,
- at every preemption point, the priority of the scheduled job is
- higher than or equal to the priority of any backlogged job.
- We define three separate notions of priority policy compliance
- based on the three types of scheduling policies : [JLDP]... *)
- Definition respects_JLDP_policy_at_preemption_point (policy: JLDP_policy Job) :=
- forall j j_hp t,
- arrives_in arr_seq j ->
- preemption_time sched t ->
- backlogged sched j t ->
- scheduled_at sched j_hp t ->
- hep_job_at t j_hp j.
-
- (** ... [JLFP], and... *)
- Definition respects_JLFP_policy_at_preemption_point (policy: JLFP_policy Job) :=
- respects_JLDP_policy_at_preemption_point policy.
-
- (** [FP]. *)
- Definition respects_FP_policy_at_preemption_point (policy: FP_policy Task) :=
- respects_JLDP_policy_at_preemption_point (FP_to_JLFP Job Task ).
-
-End Priority.
diff --git a/model/schedule/tdma.v b/model/schedule/tdma.v
deleted file mode 100644
index 5f79fecc17a70b739f1df0726c3879da1c047d04..0000000000000000000000000000000000000000
--- a/model/schedule/tdma.v
+++ /dev/null
@@ -1,155 +0,0 @@
-From mathcomp Require Import div.
-Require Export prosa.model.task.concept.
-Require Export prosa.util.seqset.
-Require Export prosa.util.rel.
-
-(** Throughout this file, we assume ideal uniprocessor schedules. *)
-Require prosa.model.processor.ideal.
-
-(** * TDMA Scheduling *)
-
-(** The TDMA scheduling policy is based on two properties.
- (1) Each task has a fixed, reserved time slot for execution;
- (2) These time slots are ordered in sequence to form a TDMA cycle, which
- repeats along the timeline.
- An example of TDMA schedule is illustrated in the following.
-<<
- _______________________________
- | s1 | s2 |s3| s1 | s2 |s3|...
- --------------------------------------------->
- 0 t
->> *)
-
-(** ** Task Parameter for TDMA Scheduling *)
-
-(** We define the TDMA policy as follows.*)
-Section TDMAPolicy.
-
- Variable Task: eqType.
- (** With each task, we associate the duration of the corresponding TDMA slot. *)
- Definition TDMA_slot := Task -> duration.
-
- (** Moreover, within each TDMA cycle, task slots are ordered according to
- some relation (i.e, [slot_order slot1 slot2] means that [slot1] comes
- before [slot2] in a TDMA cycle). *)
- Definition TDMA_slot_order := rel Task.
-
-End TDMAPolicy.
-
-(** We introduce slots and the slot order as task parameters. *)
-Class TDMAPolicy (T : TaskType) :=
- {
- task_time_slot : TDMA_slot T;
- slot_order : TDMA_slot_order T
- }.
-
-(** ** TDMA Policy Validity *)
-
-(** First, we define the properties of a valid TDMA policy. *)
-Section ValidTDMAPolicy.
-
- Context {Task : eqType}.
-
- (** Consider any task set ts... *)
- Variable ts : {set Task}.
-
- (** ...and a TDMA policy. *)
- Context `{TDMAPolicy Task}.
-
- (** Time slot order must be transitive... *)
- Definition transitive_slot_order := transitive slot_order.
-
- (** ..., totally ordered over the task set... *)
- Definition total_slot_order :=
- total_over_list slot_order ts.
-
- (** ... and antisymmetric over task set. *)
- Definition antisymmetric_slot_order :=
- antisymmetric_over_list slot_order ts.
-
- (** A valid time slot must be positive *)
- Definition valid_time_slot :=
- forall tsk, tsk \in ts -> task_time_slot tsk > 0.
-
- Definition valid_TDMAPolicy :=
- transitive_slot_order /\ total_slot_order /\ antisymmetric_slot_order /\ valid_time_slot.
-
-End ValidTDMAPolicy.
-
- (** ** TDMA Cycles, Sots, and Offsets *)
-
-(** In this section, we define key TDMA concepts. *)
-Section TDMADefinitions.
-
- Context {Task : eqType}.
-
- (** Consider any task set ts... *)
- Variable ts : {set Task}.
-
- (** ...and a TDMA policy. *)
- Context `{TDMAPolicy Task}.
-
- (** We define the TDMA cycle as the sum of all the tasks' time slots *)
- Definition TDMA_cycle:=
- \sum_(tsk <- ts) task_time_slot tsk.
-
- (** We define the function returning the slot offset for each task: i.e., the
- distance between the start of the TDMA cycle and the start of the task
- time slot. *)
- Definition task_slot_offset (tsk : Task) :=
- \sum_(prev_task <- ts | slot_order prev_task tsk && (prev_task != tsk)) task_time_slot prev_task.
-
- (** The following function tests whether a task is in its time slot at
- instant [t]. *)
- Definition task_in_time_slot (tsk : Task) (t:instant):=
- ((t + TDMA_cycle - (task_slot_offset tsk)%% TDMA_cycle) %% TDMA_cycle)
- < (task_time_slot tsk).
-
-End TDMADefinitions.
-
-(** ** TDMA Schedule Validity *)
-
-Section TDMASchedule.
-
- Context {Task : TaskType} {Job : JobType}.
-
- Context {ja : JobArrival Job} {jc : JobCost Job}.
- Context {jr : JobReady Job (ideal.processor_state Job)} `{JobTask Job Task}.
-
- (** Consider any job arrival sequence... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ..., any uniprocessor ideal schedule ... *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** ... and any sporadic task set. *)
- Variable ts: {set Task}.
-
- Context `{TDMAPolicy Task}.
-
- (** In order to characterize a TDMA policy, we first define whether a job is executing its TDMA slot at time [t]. *)
- Definition job_in_time_slot (job:Job) (t:instant):=
- task_in_time_slot ts (job_task job) t.
-
- (** We say that a TDMA policy is respected by the schedule iff
- 1. when a job is scheduled at time [t], then the corresponding task
- is also in its own time slot... *)
- Definition sched_implies_in_slot j t:=
- scheduled_at sched j t -> job_in_time_slot j t.
-
- (** 2. when a job is backlogged at time [t], the corresponding task
- isn't in its own time slot or another previous job of the same task is scheduled *)
- Definition backlogged_implies_not_in_slot_or_other_job_sched j t:=
- backlogged sched j t ->
- ~ job_in_time_slot j t \/
- exists j_other, arrives_in arr_seq j_other/\
- job_arrival j_other < job_arrival j/\
- job_task j = job_task j_other/\
- scheduled_at sched j_other t.
-
- Definition respects_TDMA_policy:=
- forall (j:Job) (t:instant),
- arrives_in arr_seq j ->
- sched_implies_in_slot j t /\
- backlogged_implies_not_in_slot_or_other_job_sched j t.
-End TDMASchedule.
diff --git a/model/schedule/work_conserving.v b/model/schedule/work_conserving.v
deleted file mode 100644
index 47a97cd57fa0136adc645572fe4b8e2d43887b2a..0000000000000000000000000000000000000000
--- a/model/schedule/work_conserving.v
+++ /dev/null
@@ -1,48 +0,0 @@
-Require Export prosa.behavior.all.
-
-(** * Definition of Work Conservation *)
-
-(** In this module, we introduce a restrictive definition of work-conserving
- schedules. The definition is restrictive because it does not yet cover
- multiprocessor scheduling (there are plans to address this in future
- work). The definition does however cover effects such as jitter or
- self-suspensions that affect whether a job can be scheduled at a given
- point in time because it is based on the general notion of a job being
- [backlogged] (i.e., ready and not executing), which is parametric in any
- given job readiness model. *)
-
-Section WorkConserving.
- (** Consider any type of jobs... *)
- Context {Job: JobType}.
-
- (** ... with arrival times and costs ... *)
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** ... and any kind of processor model. *)
- Context {PState: ProcessorState Job}.
-
- (** Further, allow for any notion of job readiness. *)
- Context {jr : JobReady Job PState}.
-
- (** Given an arrival sequence and a schedule ... *)
- Variable arr_seq : arrival_sequence Job.
- Variable sched: schedule PState.
-
- (** ... we say that a scheduler is _work-conserving_ iff whenever a job [j]
- is backlogged, the processor is always busy executing another job
- [j_other]. Note that this definition is intentionally silent on matters of
- priority. *)
- Definition work_conserving :=
- forall j t,
- arrives_in arr_seq j ->
- backlogged sched j t ->
- exists j_other, scheduled_at sched j_other t.
-
- (** Related to this, we define the set of all jobs that are backlogged at a
- given time [t], i.e., the set of jobs that could be scheduled, and which
- a work-conserving scheduler must hence consider. *)
- Definition jobs_backlogged_at (t : instant): seq Job :=
- [seq j <- arrivals_up_to arr_seq t | backlogged sched j t].
-
-End WorkConserving.
diff --git a/model/task/absolute_deadline.v b/model/task/absolute_deadline.v
deleted file mode 100644
index cdcccb019a49160a9455c6887db9803345a4c7b4..0000000000000000000000000000000000000000
--- a/model/task/absolute_deadline.v
+++ /dev/null
@@ -1,11 +0,0 @@
-Require Export prosa.model.task.concept.
-
-(** Given relative task deadlines and a mapping from jobs to tasks, we provide
- the canonical definition of each job's absolute deadline, i.e.,
- [job_deadline], as the job's arrival time plus its task's relative
- deadline. *)
-
-#[global]
-Instance job_deadline_from_task_deadline (Job : JobType) (Task : TaskType)
- `{TaskDeadline Task} `{JobArrival Job} `{JobTask Job Task} : JobDeadline Job :=
- fun (j : Job) => job_arrival j + task_deadline (job_task j).
diff --git a/model/task/arrival/curve_as_rbf.v b/model/task/arrival/curve_as_rbf.v
deleted file mode 100644
index c99d6015df208b02d63a563ad6dbae41460ae3fe..0000000000000000000000000000000000000000
--- a/model/task/arrival/curve_as_rbf.v
+++ /dev/null
@@ -1,183 +0,0 @@
-Require Export prosa.util.all.
-Require Export prosa.model.task.arrival.request_bound_functions.
-Require Export prosa.model.task.arrival.curves.
-
-(** * Converting an Arrival Curve + Worst-Case/Best-Case to a Request-Bound Function (RBF) *)
-
-(** In the following, we show a way to convert a given arrival curve,
- paired with a worst-case/best-case execution time, to a request-bound function.
- Definitions and proofs will handle both lower-bounding and upper-bounding arrival
- curves. *)
-Section ArrivalCurveToRBF.
-
- (** Consider any type of tasks with a given cost ... *)
- Context {Task : TaskType} `{TaskCost Task} `{TaskMinCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType} `{JobTask Job Task} `{JobCost Job}.
-
- (** Let [MaxArr] and [MinArr] represent two arrivals curves. [MaxArr] upper-bounds
- the possible number or arrivals for a given task, whereas [MinArr] lower-bounds it. *)
- Context `{MaxArr : MaxArrivals Task} `{MinArr : MinArrivals Task}.
-
- (** We define the conversion to a request-bound function as the product of the task cost and the
- number of arrivals during [Δ]. In the upper-bounding case, the cost of a task will represent
- the WCET of its jobs. Symmetrically, in the lower-bounding case, the cost of a task will
- represent the BCET of its jobs. *)
- Definition task_max_rbf (arrivals : Task -> duration -> nat) task Δ := task_cost task * arrivals task Δ.
- Definition task_min_rbf (arrivals : Task -> duration -> nat) task Δ := task_min_cost task * arrivals task Δ.
-
- (** Finally, we show that the newly defined functions are indeed request-bound functions. *)
- Global Program Instance MaxArrivalsRBF : MaxRequestBound Task := task_max_rbf max_arrivals.
- Global Program Instance MinArrivalsRBF : MinRequestBound Task := task_min_rbf min_arrivals.
-
- (** In the following section, we prove that the transformation yields a request-bound
- function that conserves correctness properties in both the upper-bounding
- and lower-bounding cases. *)
- Section Facts.
-
- (** First, we establish the validity of the transformation for a single, given task. *)
- Section SingleTask.
-
- (** Consider an arbitrary task [tsk] ... *)
- Variable tsk : Task.
-
- (** ... and any job arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** First, note that any valid upper-bounding arrival curve, after being
- converted, is a valid request-bound function. *)
- Theorem valid_arrival_curve_to_max_rbf:
- forall (arrivals : Task -> duration -> nat),
- valid_arrival_curve (arrivals tsk) ->
- valid_request_bound_function ((task_max_rbf arrivals) tsk).
- Proof.
- move => ARR [ZERO MONO].
- split.
- - by rewrite /task_max_rbf ZERO muln0.
- - move => x y LEQ.
- rewrite /task_max_rbf.
- destruct (task_cost tsk); first by rewrite mul0n.
- by rewrite leq_pmul2l //; apply MONO.
- Qed.
-
- (** The same idea can be applied in the lower-bounding case. *)
- Theorem valid_arrival_curve_to_min_rbf:
- forall (arrivals : Task -> duration -> nat),
- valid_arrival_curve (arrivals tsk) ->
- valid_request_bound_function ((task_min_rbf arrivals) tsk).
- Proof.
- move => ARR [ZERO MONO].
- split.
- - by rewrite /task_min_rbf ZERO muln0.
- - move => x y LEQ.
- rewrite /task_min_rbf.
- destruct (task_min_cost tsk); first by rewrite mul0n.
- by rewrite leq_pmul2l //; apply MONO.
- Qed.
-
- (** Next, we prove that the task respects the request-bound function in
- the upper-bounding case. Note that, for this to work, we assume that the
- cost of tasks upper-bounds the cost of the jobs belonging to them (i.e.,
- the task cost is the worst-case). *)
- Theorem respects_arrival_curve_to_max_rbf:
- jobs_have_valid_job_costs ->
- respects_max_arrivals arr_seq tsk (MaxArr tsk) ->
- respects_max_request_bound arr_seq tsk ((task_max_rbf MaxArr) tsk).
- Proof.
- move=> TASK_COST RESPECT t1 t2 LEQ.
- specialize (RESPECT t1 t2 LEQ).
- apply leq_trans with (n := task_cost tsk * number_of_task_arrivals arr_seq tsk t1 t2) => //.
- - rewrite /max_arrivals /number_of_task_arrivals -sum1_size big_distrr //= muln1 leq_sum_seq // => j.
- rewrite mem_filter => /andP [/eqP TSK _] _.
- rewrite -TSK.
- by apply TASK_COST.
- - by destruct (task_cost tsk) eqn:C; rewrite /task_max_rbf C // leq_pmul2l.
- Qed.
-
- (** Finally, we prove that the task respects the request-bound function also in
- the lower-bounding case. This time, we assume that the cost of tasks lower-bounds
- the cost of the jobs belonging to them. (i.e., the task cost is the best-case). *)
- Theorem respects_arrival_curve_to_min_rbf:
- jobs_have_valid_min_job_costs ->
- respects_min_arrivals arr_seq tsk (MinArr tsk) ->
- respects_min_request_bound arr_seq tsk ((task_min_rbf MinArr) tsk).
- Proof.
- move=> TASK_COST RESPECT t1 t2 LEQ.
- specialize (RESPECT t1 t2 LEQ).
- apply leq_trans with (n := task_min_cost tsk * number_of_task_arrivals arr_seq tsk t1 t2) => //.
- - by destruct (task_min_cost tsk) eqn:C; rewrite /task_min_rbf C // leq_pmul2l.
- - rewrite /min_arrivals /number_of_task_arrivals -sum1_size big_distrr //= muln1 leq_sum_seq // => j.
- rewrite mem_filter => /andP [/eqP TSK _] _.
- rewrite -TSK.
- by apply TASK_COST.
- Qed.
-
- End SingleTask.
-
- (** Next, we lift the results to the previous section to an arbitrary task set. *)
- Section TaskSet.
-
- (** Let [ts] be an arbitrary task set... *)
- Variable ts : TaskSet Task.
-
- (** ... and consider any job arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** First, we generalize the validity of the transformation to a task set both in
- the upper-bounding case ... *)
- Corollary valid_taskset_arrival_curve_to_max_rbf:
- valid_taskset_arrival_curve ts MaxArr ->
- valid_taskset_request_bound_function ts MaxArrivalsRBF.
- Proof.
- move=> VALID tsk IN.
- specialize (VALID tsk IN).
- by apply valid_arrival_curve_to_max_rbf.
- Qed.
-
- (** ... and in the lower-bounding case. *)
- Corollary valid_taskset_arrival_curve_to_min_rbf:
- valid_taskset_arrival_curve ts MinArr ->
- valid_taskset_request_bound_function ts MinArrivalsRBF.
- Proof.
- move=> VALID tsk IN.
- specialize (VALID tsk IN).
- by apply valid_arrival_curve_to_min_rbf.
- Qed.
-
- (** Second, we show that a task set that respects a given arrival curve also respects
- the produced request-bound function, lifting the result obtained in the single-task
- case. The result is valid in the upper-bounding case... *)
- Corollary taskset_respects_arrival_curve_to_max_rbf:
- jobs_have_valid_job_costs ->
- taskset_respects_max_arrivals arr_seq ts ->
- taskset_respects_max_request_bound arr_seq ts.
- Proof.
- move=> TASK_COST SET_RESPECTS tsk IN.
- by apply respects_arrival_curve_to_max_rbf, SET_RESPECTS.
- Qed.
-
- (** ...as well as in the lower-bounding case. *)
- Corollary taskset_respects_arrival_curve_to_min_rbf:
- jobs_have_valid_min_job_costs ->
- taskset_respects_min_arrivals arr_seq ts ->
- taskset_respects_min_request_bound arr_seq ts.
- Proof.
- move=> TASK_COST SET_RESPECTS tsk IN.
- by apply respects_arrival_curve_to_min_rbf, SET_RESPECTS.
- Qed.
-
- End TaskSet.
-
- End Facts.
-
-End ArrivalCurveToRBF.
-
-(** We add the lemmas into the "Hint Database" basic_rt_facts so that
- they become available for proof automation. *)
-Global Hint Resolve
- valid_arrival_curve_to_max_rbf
- respects_arrival_curve_to_max_rbf
- valid_taskset_arrival_curve_to_max_rbf
- taskset_respects_arrival_curve_to_max_rbf
- : basic_rt_facts.
diff --git a/model/task/arrival/curves.v b/model/task/arrival/curves.v
deleted file mode 100644
index dda71fdbe4c3f07e2ad25be8feee2ab69fd8e8af..0000000000000000000000000000000000000000
--- a/model/task/arrival/curves.v
+++ /dev/null
@@ -1,154 +0,0 @@
-Require Export prosa.util.rel.
-Require Export prosa.model.task.arrivals.
-
-(** * The Arbitrary Arrival Curves Model *)
-
-(** In the following, we define the notion of arbitrary arrival curves, which
- can be used to reason about the frequency of job arrivals. In contrast to
- the sporadic task model, the arbitrary arrival curves model is well-suited
- to expressing bursty and irregular arrival processes. *)
-
-(** ** Task Parameters for the Arrival Curves Model *)
-
-(** The arrival curves model describes tasks by giving an upper bound and,
- optionally, a lower bound on the number of new job arrivals during any
- given interval. These bounds are typically called arrival curves. *)
-
-(** We let [max_arrivals tsk Δ] denote a bound on the maximum number of
- arrivals of jobs of task [tsk] in any interval of length [Δ]. *)
-Class MaxArrivals (Task : TaskType) := max_arrivals : Task -> duration -> nat.
-
-(** Conversely, we let [min_arrivals tsk Δ] denote a bound on the minimum
- number of arrivals of jobs of task [tsk] in any interval of length [Δ]. *)
-Class MinArrivals (Task : TaskType) := min_arrivals : Task -> duration -> nat.
-
-(** Alternatively, it is also possible to describe arbitrary arrival processes
- by specifying the minimum and maximum lengths of an interval in which a
- given number of jobs arrive. Such bounds are typically called minimum- and
- maximum-distance functions. *)
-
-(** We let [min_separation tsk N] denote the minimal length of an interval in
- which exactly [N] jobs of task [tsk] arrive. *)
-Class MinSeparation (Task : TaskType) := min_separation : Task -> nat -> duration.
-
-(** Conversely, we let [max_separation tsk N] denote the maximal length of an interval in
- which exactly [N] jobs of task [tsk] arrive. *)
-Class MaxSeparation (Task : TaskType) := max_separation : Task -> nat -> duration.
-
-
-(** ** Parameter Semantics *)
-
-(** In the following, we precisely define the semantics of the arrival curves
- model. *)
-Section ArrivalCurves.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
-
- (** Consider any job arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** *** Definition of Arrival Curves *)
-
- (** First, what constitutes a valid arrival bound for a task? *)
- Section ArrivalCurves.
-
- (** We say that a given curve [num_arrivals] is a valid arrival curve for
- task [tsk] iff [num_arrivals] is a monotonic function that equals 0 for
- the empty interval [delta = 0]. *)
- Definition valid_arrival_curve (num_arrivals : duration -> nat) :=
- num_arrivals 0 = 0 /\
- monotone leq num_arrivals.
-
- (** We say that [max_arrivals] is an upper arrival bound for task [tsk]
- iff, for any interval <<[t1, t2)>>, [max_arrivals (t2 - t1)] bounds the
- number of jobs of [tsk] that arrive in that interval. *)
- Definition respects_max_arrivals (tsk : Task) (max_arrivals : duration -> nat) :=
- forall (t1 t2 : instant),
- t1 <= t2 ->
- number_of_task_arrivals arr_seq tsk t1 t2 <= max_arrivals (t2 - t1).
-
- (** We analogously define the lower arrival bound.. *)
- Definition respects_min_arrivals (tsk : Task) (min_arrivals : duration -> nat) :=
- forall (t1 t2 : instant),
- t1 <= t2 ->
- min_arrivals (t2 - t1) <= number_of_task_arrivals arr_seq tsk t1 t2.
-
- End ArrivalCurves.
-
- (** *** Definition of Minimum Distance Bounds *)
-
- (** Next, we define the semantics of minimum-distance bounds. *)
- Section SeparationBound.
-
- (** We say that a given function [min_separation] is a lower separation
- bound iff, for any number of jobs of task [tsk], [min_separation]
- lower-bounds the minimum interval length in which that many jobs can
- arrive. *)
- Definition respects_min_separation (tsk : Task) (min_separation: nat -> duration) :=
- forall t1 t2,
- t1 <= t2 ->
- min_separation (number_of_task_arrivals arr_seq tsk t1 t2) <= t2 - t1.
-
- (** We analogously define in upper separation bounds. *)
- Definition respects_max_separation (tsk : Task) (max_separation: nat -> duration):=
- forall t1 t2,
- t1 <= t2 ->
- t2 - t1 <= max_separation (number_of_task_arrivals arr_seq tsk t1 t2).
-
- End SeparationBound.
-
-End ArrivalCurves.
-
-
-(** ** Model Validity *)
-
-(** Based on the just-established semantics, we define the properties of a
- valid arrival curves model. *)
-
-Section ArrivalCurvesModel.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
-
- (** Consider any job arrival sequence... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ..and all kinds of arrival and separation curves. *)
- Context `{MaxArrivals Task}
- `{MinArrivals Task}
- `{MaxSeparation Task}
- `{MinSeparation Task}.
-
- (** Let [ts] be an arbitrary task set. *)
- Variable ts : TaskSet Task.
-
- (** We say that [arrivals] is a valid arrival curve for a task set
- if it is valid for any task in the task set *)
- Definition valid_taskset_arrival_curve (arrivals : Task -> duration -> nat) :=
- forall (tsk : Task), tsk \in ts -> valid_arrival_curve (arrivals tsk).
-
- (** Finally, we lift the per-task semantics of the respective arrival and
- separation curves to the entire task set. *)
-
- Definition taskset_respects_max_arrivals :=
- forall (tsk : Task), tsk \in ts -> respects_max_arrivals arr_seq tsk (max_arrivals tsk).
-
- Definition taskset_respects_min_arrivals :=
- forall (tsk : Task), tsk \in ts -> respects_min_arrivals arr_seq tsk (min_arrivals tsk).
-
- Definition taskset_respects_max_separation :=
- forall (tsk : Task), tsk \in ts -> respects_max_separation arr_seq tsk (max_separation tsk).
-
- Definition taskset_respects_min_separation :=
- forall (tsk : Task), tsk \in ts -> respects_min_separation arr_seq tsk (min_separation tsk).
-
-End ArrivalCurvesModel.
diff --git a/model/task/arrival/example.v b/model/task/arrival/example.v
deleted file mode 100644
index 927962ee8aa41c07b27cc05ef9f7234f50f5f652..0000000000000000000000000000000000000000
--- a/model/task/arrival/example.v
+++ /dev/null
@@ -1,82 +0,0 @@
-Require Import prosa.model.task.arrival.periodic.
-Require Import prosa.model.task.arrival.periodic_as_sporadic.
-Require Import prosa.model.task.arrival.sporadic_as_curve.
-Require Import prosa.model.task.arrival.curve_as_rbf.
-
-(** * Arrival Model Conversion
-
- This file demonstrates the automatic conversion of arrival
- models. In particular, we show how a set of periodic tasks can be
- interpreted also as (1) sporadic tasks with minimum inter-arrival
- times, (2) sporadic tasks with arrival curves, and (3) request-bound
- functions. *)
-
-Section AutoArrivalModelConversion.
-
- (** Consider periodic tasks ... *)
- Context {Task : TaskType} `{PeriodicModel Task}.
-
- (** ... and their corresponding jobs. *)
- Context {Job : JobType} `{JobArrival Job} `{JobTask Job Task}.
-
- (** Given a set of such periodic tasks ... *)
- Variable ts : TaskSet Task.
-
- (** ... and a valid arrival sequence, ...*)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... if the tasks are valid periodic tasks, ...*)
- Hypothesis H_respects : taskset_respects_periodic_task_model arr_seq ts.
- Hypothesis H_valid_periods : valid_periods ts.
-
- (** ... then we can automatically interpret them also as satisfying
- other arrival models, as we demonstrate in the following. *)
-
- (** ** Periodic Tasks as Sporadic Tasks *)
-
- (** The tasks satisfy the sporadic validity constraint... *)
- Goal valid_taskset_inter_arrival_times ts.
- Proof. by rt_auto. Qed.
-
- (** ... and arrival sequence is legal under the sporadic task
- model. *)
- Goal taskset_respects_sporadic_task_model ts arr_seq.
- Proof. by rt_auto. Qed.
-
- (** ** Periodic Tasks as Arrival Curves *)
-
- (** The tasks satisfy the arrival-curve validity constraint... *)
- Goal valid_taskset_arrival_curve ts max_arrivals.
- Proof. by rt_auto. Qed.
-
- (** ... and the arrival sequence is legal under the arrival-curve
- model. *)
- Goal taskset_respects_max_arrivals arr_seq ts.
- Proof. by rt_eauto. Qed.
-
- (** ** Periodic Tasks as RBFs *)
-
- (** Assuming that each task has a WCET... *)
- Context `{TaskCost Task}.
-
- (** ... and that jobs are compliant with the WCET, ... *)
- Context `{JobCost Job}.
- Hypothesis H_valid_costs : jobs_have_valid_job_costs.
-
- (** ... the tasks satisfy the RBF validity constraint... *)
- Goal valid_taskset_request_bound_function ts (task_max_rbf max_arrivals).
- Proof. by rt_auto. Qed.
-
- (** ... and the arrival sequence is legal under the RBF model. *)
- Goal taskset_respects_max_request_bound arr_seq ts.
- Proof. by rt_eauto. Qed.
-
- (** Thanks to type-class resolution, all conversions from more
- restrictive to less restrictive task model happen transparently
- and the and necessary proofs are found automatically.
-
- Of course, it is possible to start from sporadic tasks or tasks
- with arrival curves, too. *)
-
-End AutoArrivalModelConversion.
diff --git a/model/task/arrival/periodic.v b/model/task/arrival/periodic.v
deleted file mode 100644
index 5f065e7aceac81e8b0afd116c9803bf41e03f97b..0000000000000000000000000000000000000000
--- a/model/task/arrival/periodic.v
+++ /dev/null
@@ -1,62 +0,0 @@
-Require Export prosa.model.task.arrival.sporadic.
-Require Export prosa.model.task.arrival.task_max_inter_arrival.
-Require Export prosa.model.task.offset.
-Require Export prosa.analysis.facts.job_index.
-
-(** * The Periodic Task Model *)
-
-(** In the following, we define the classic Liu & Layland arrival process,
- i.e., the arrival process commonly known as the _periodic task model_,
- wherein the arrival times of consecutive jobs of a periodic task are
- separated by the task's _period_. *)
-
-(** ** Task Model Parameter for Periods *)
-
-(** Under the periodic task model, each task is characterized by its period,
- which we denote as [task_period]. *)
-
-Class PeriodicModel (Task : TaskType) := task_period : Task -> duration.
-
-(** ** Model Validity *)
-
-(** Next, we define the semantics of the periodic task model. *)
-Section ValidPeriodicTaskModel.
-
- (** Consider any type of periodic tasks. *)
- Context {Task : TaskType} `{PeriodicModel Task}.
-
- (** A valid periodic task has a non-zero period. *)
- Definition valid_period (tsk : Task) := task_period tsk > 0.
-
- (** Next, consider any type of jobs stemming from these tasks ... *)
- Context {Job : JobType} `{JobTask Job Task} `{JobArrival Job}.
-
- (** ... and an arbitrary arrival sequence of such jobs. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** We say that a task respects the periodic task model if every job [j]
- (except the first one) has a predecessor [j'] that arrives exactly one
- task period before it. *)
- Definition respects_periodic_task_model (tsk : Task) :=
- forall j,
- arrives_in arr_seq j ->
- job_index arr_seq j > 0 ->
- job_task j = tsk ->
- exists j',
- arrives_in arr_seq j' /\
- job_index arr_seq j' = job_index arr_seq j - 1 /\
- job_task j' = tsk /\
- job_arrival j = job_arrival j' + task_period tsk.
-
- (** Further, in the context of a set of periodic tasks, ... *)
- Variable ts : TaskSet Task.
-
- (** ... every task in the set must have a valid period ... *)
- Definition valid_periods := forall tsk : Task, tsk \in ts -> valid_period tsk.
-
- (** ... and all jobs of every task in a set of periodic tasks must
- respect the period constraint on arrival times. *)
- Definition taskset_respects_periodic_task_model :=
- forall tsk, tsk \in ts -> respects_periodic_task_model tsk.
-
-End ValidPeriodicTaskModel.
diff --git a/model/task/arrival/periodic_as_sporadic.v b/model/task/arrival/periodic_as_sporadic.v
deleted file mode 100644
index 8ed6c33164c12cc9c8efe5e8984f5ebfd3efa9fc..0000000000000000000000000000000000000000
--- a/model/task/arrival/periodic_as_sporadic.v
+++ /dev/null
@@ -1,96 +0,0 @@
-Require Export prosa.model.task.arrival.periodic.
-
-(** ** Treating Periodic Tasks as Sporadic Tasks *)
-
-(** Since the periodic-arrivals assumption is stricter than the
- sporadic-arrivals assumption (i.e., any periodic arrival sequence is also a
- valid sporadic arrivals sequence), it is sometimes convenient to apply
- analyses for sporadic tasks to periodic tasks. We therefore provide an
- automatic "conversion" of periodic tasks to sporadic tasks, i.e., we tell
- Coq that it may use a periodic task's [task_period] parameter also as the
- task's minimum inter-arrival time [task_min_inter_arrival_time]
- parameter. *)
-
-Section PeriodicTasksAsSporadicTasks.
-
- (** Any type of periodic tasks ... *)
- Context {Task : TaskType} `{PeriodicModel Task}.
-
- (** ... and their corresponding jobs from a consistent arrival sequence with
- non-duplicate arrivals ... *)
- Context {Job : JobType} `{JobTask Job Task} `{JobArrival Job}.
-
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** ... may be interpreted as a type of sporadic tasks by using each task's
- period as its minimum inter-arrival time ... *)
- Global Instance periodic_as_sporadic : SporadicModel Task :=
- {
- task_min_inter_arrival_time := task_period
- }.
-
- (** ... such that the model interpretation is valid, both w.r.t. the minimum
- inter-arrival time parameter ... *)
- Remark valid_period_is_valid_inter_arrival_time:
- forall tsk, valid_period tsk -> valid_task_min_inter_arrival_time tsk.
- Proof. trivial. Qed.
-
- (** ... and the separation of job arrivals. *)
- Remark periodic_task_respects_sporadic_task_model:
- forall tsk, valid_period tsk ->
- respects_periodic_task_model arr_seq tsk ->
- respects_sporadic_task_model arr_seq tsk.
- Proof.
- intros tsk VALID_PERIOD H_PERIODIC j1 j2 NEQ ARR ARR' TSK TSK' ARR_LT.
- rewrite /task_min_inter_arrival_time /periodic_as_sporadic.
- have IND_LT : job_index arr_seq j1 < job_index arr_seq j2.
- { rewrite -> diff_jobs_iff_diff_indices in NEQ => //; eauto; last by rewrite TSK.
- move_neq_up IND_LTE; move_neq_down ARR_LT.
- specialize (H_PERIODIC j1); feed_n 3 H_PERIODIC => //; try by lia.
- move : H_PERIODIC => [pj [ARR_PJ [IND_PJ [TSK_PJ PJ_ARR]]]].
- have JB_IND_LTE : job_index arr_seq j2 <= job_index arr_seq pj by lia.
- apply index_lte_implies_arrival_lte in JB_IND_LTE => //; try by rewrite TSK_PJ.
- rewrite PJ_ARR.
- have POS_PERIOD : task_period tsk > 0 by auto.
- by lia. }
- specialize (H_PERIODIC j2); feed_n 3 H_PERIODIC => //; try by lia.
- move: H_PERIODIC => [pj [ARR_PJ [IND_PJ [TSK_PJ PJ_ARR]]]].
- have JB_IND_LTE : job_index arr_seq j1 <= job_index arr_seq pj by lia.
- apply index_lte_implies_arrival_lte in JB_IND_LTE => //; try by rewrite TSK_PJ.
- by rewrite PJ_ARR; lia.
- Qed.
-
- (** For convenience, we state these obvious correspondences also at the level
- of entire task sets. *)
-
- (** First, we show that all tasks in a task set with valid periods
- also have valid min inter-arrival times. *)
- Remark valid_periods_are_valid_inter_arrival_times :
- forall ts, valid_periods ts -> valid_taskset_inter_arrival_times ts.
- Proof. trivial. Qed.
-
- (** Second, we show that each task in a periodic task set respects
- the sporadic task model. *)
- Remark periodic_task_sets_respect_sporadic_task_model :
- forall ts,
- valid_periods ts ->
- taskset_respects_periodic_task_model arr_seq ts ->
- taskset_respects_sporadic_task_model ts arr_seq.
- Proof.
- intros ts VALID_PERIODS H_PERIODIC tsk TSK_IN.
- specialize (H_PERIODIC tsk TSK_IN).
- apply periodic_task_respects_sporadic_task_model => //.
- by apply VALID_PERIODS.
- Qed.
-
-End PeriodicTasksAsSporadicTasks.
-
-(** We add the lemmas into the "Hint Database" basic_rt_facts so that
- they become available for proof automation. *)
-Global Hint Resolve
- periodic_task_respects_sporadic_task_model
- valid_period_is_valid_inter_arrival_time
- valid_periods_are_valid_inter_arrival_times
- periodic_task_sets_respect_sporadic_task_model
- : basic_rt_facts.
diff --git a/model/task/arrival/request_bound_functions.v b/model/task/arrival/request_bound_functions.v
deleted file mode 100644
index 32bcfcfaf5476aa47e244925a2c1e8aea3a06e34..0000000000000000000000000000000000000000
--- a/model/task/arrival/request_bound_functions.v
+++ /dev/null
@@ -1,115 +0,0 @@
-Require Export prosa.util.rel.
-Require Export prosa.model.task.arrivals.
-
-(** * Request Bound Functions (RBF) *)
-
-(** In the following, we define the notion of Request Bound Functions
- (RBF), which can be used to reason about the job cost arrivals. In
- contrast to arrival curves which constrain the number of arrivals
- per time interval, request bound functions bound the sum of costs
- of arriving jobs. *)
-
-(** ** Task Parameters for the Request Bound Functions *)
-
-(** The request bound functions give an upper bound and, optionally, a
- lower bound on the cost of new job arrivals during any given
- interval. *)
-
-(** We let [max_request_bound tsk Δ] denote a bound on the maximum
- cost of arrivals of jobs of task [tsk] in any interval of length
- [Δ]. *)
-Class MaxRequestBound (Task : TaskType) := max_request_bound : Task -> duration -> work.
-
-(** Conversely, we let [min_request_bound tsk Δ] denote a bound on the
- minimum cost of arrivals of jobs of task [tsk] in any interval of
- length [Δ]. *)
-Class MinRequestBound (Task : TaskType) := min_request_bound : Task -> duration -> work.
-
-(** ** Parameter Semantics *)
-
-(** In the following, we precisely define the semantics of the request
- bound functions. *)
-Section RequestBoundFunctions.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobCost Job}.
-
- (** Consider any job arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** *** Definition of Request Bound Functions *)
-
- (** First, what constitutes a valid request bound function for a task? *)
- Section RequestBoundFunctions.
-
- (** We say that a given bound [request_bound] is a valid request
- bound function iff [request_bound] is a monotonic function
- that equals 0 for the empty interval [delta = 0]. *)
- Definition valid_request_bound_function (request_bound : duration -> work) :=
- request_bound 0 = 0 /\
- monotone leq request_bound.
-
- (** We say that [request_bound] is an upper request bound for task
- [tsk] iff, for any interval <<[t1, t2)>>, [request_bound (t2 -
- t1)] bounds the sum of costs of jobs of [tsk] that arrive in
- that interval. *)
- Definition respects_max_request_bound (tsk : Task) (max_request_bound : duration -> work) :=
- forall (t1 t2 : instant),
- t1 <= t2 ->
- cost_of_task_arrivals arr_seq tsk t1 t2 <= max_request_bound (t2 - t1).
-
- (** We analogously define the lower request bound. *)
- Definition respects_min_request_bound (tsk : Task) (min_request_bound : duration -> work) :=
- forall (t1 t2 : instant),
- t1 <= t2 ->
- min_request_bound (t2 - t1) <= cost_of_task_arrivals arr_seq tsk t1 t2.
-
- End RequestBoundFunctions.
-
-End RequestBoundFunctions.
-
-
-(** ** Model Validity *)
-
-(** Based on the just-established semantics, we define the properties of a
- valid request bound model. *)
-Section RequestBoundFunctionsModel.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobCost Job}.
-
- (** Consider any job arrival sequence... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ...and all kinds of request bounds. *)
- Context `{MaxRequestBound Task}
- `{MinRequestBound Task}.
-
- (** Let [ts] be an arbitrary task set. *)
- Variable ts : TaskSet Task.
-
- (** We say that [request_bound] is a valid arrival curve for a task set
- if it is valid for any task in the task set *)
- Definition valid_taskset_request_bound_function (request_bound : Task -> duration -> work) :=
- forall (tsk : Task), tsk \in ts -> valid_request_bound_function (request_bound tsk).
-
- (** Finally, we lift the per-task semantics of the respective
- request bound functions to the entire task set. *)
-
- Definition taskset_respects_max_request_bound :=
- forall (tsk : Task), tsk \in ts -> respects_max_request_bound arr_seq tsk (max_request_bound tsk).
-
- Definition taskset_respects_min_request_bound :=
- forall (tsk : Task), tsk \in ts -> respects_min_request_bound arr_seq tsk (min_request_bound tsk).
-
-End RequestBoundFunctionsModel.
diff --git a/model/task/arrival/sporadic.v b/model/task/arrival/sporadic.v
deleted file mode 100644
index 014a8ba5b1ed016135e6d91d4cbb313b626b5481..0000000000000000000000000000000000000000
--- a/model/task/arrival/sporadic.v
+++ /dev/null
@@ -1,68 +0,0 @@
-Require Export prosa.model.task.concept.
-
-(** * The Sporadic Task Model *)
-
-(** In the following, we define the arrival process commonly known as the
- sporadic task model, where jobs may arrive at any time provided any two
- jobs of a task are separated by at least the minimum inter-arrival time (or
- period) of the task. *)
-
-
-(** ** Task Parameter for the Sporadic Task Model *)
-
-(** Under the sporadic task model, each task is characterized by its minimum
- inter-arrival time, which we denote as [task_min_inter_arrival_time]. *)
-
-Class SporadicModel (Task : TaskType) :=
- task_min_inter_arrival_time : Task -> duration.
-
-(** ** Model Validity *)
-
-(** Next, we define the semantics of the sporadic task model. *)
-Section ValidSporadicTaskModel.
- (** Consider any type of sporadic tasks. *)
- Context {Task : TaskType} `{SporadicModel Task}.
-
- (** A valid sporadic task should have a non-zero minimum inter-arrival
- time. *)
- Definition valid_task_min_inter_arrival_time tsk :=
- task_min_inter_arrival_time tsk > 0.
-
- (** Further, in the context of a set of such tasks, ... *)
- Variable ts : TaskSet Task.
-
- (** ... every task in the set should have a valid inter-arrival time. *)
- Definition valid_taskset_inter_arrival_times :=
- forall tsk : Task,
- tsk \in ts -> valid_task_min_inter_arrival_time tsk.
-
- (** Next, consider any type of jobs stemming from these tasks ... *)
- Context {Job : JobType} `{JobTask Job Task} `{JobArrival Job}.
-
- (** ... and an arbitrary arrival sequence of such jobs. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** We say that a task respects the sporadic task model if the arrivals of
- its jobs in the arrival sequence are appropriately spaced in time. *)
- Definition respects_sporadic_task_model (tsk : Task) :=
- forall (j j': Job),
- (** Given two different jobs j and j' ... *)
- j <> j' ->
- (** ...that belong to the arrival sequence... *)
- arrives_in arr_seq j ->
- arrives_in arr_seq j' ->
- (** ... and that stem from the given task, ... *)
- job_task j = tsk ->
- job_task j' = tsk ->
- (** ... if the arrival of j precedes the arrival of j' ..., *)
- job_arrival j <= job_arrival j' ->
- (** then the arrival of j and the arrival of j' are separated by at least
- one period. *)
- job_arrival j' >= job_arrival j + task_min_inter_arrival_time tsk.
-
- (** Based on the above definition, we define the sporadic task model as
- follows. *)
- Definition taskset_respects_sporadic_task_model :=
- forall tsk, tsk \in ts -> respects_sporadic_task_model tsk.
-
-End ValidSporadicTaskModel.
diff --git a/model/task/arrival/sporadic_as_curve.v b/model/task/arrival/sporadic_as_curve.v
deleted file mode 100644
index ddb7ef0fac4661e12388f47b12d5a7fb2faf13ae..0000000000000000000000000000000000000000
--- a/model/task/arrival/sporadic_as_curve.v
+++ /dev/null
@@ -1,84 +0,0 @@
-Require Export prosa.util.all.
-Require Export prosa.model.task.arrival.curves.
-Require Export prosa.analysis.facts.sporadic.arrival_bound.
-
-(** Arrival Curve for Sporadic Tasks *)
-
-(** Any analysis that supports arbitrary arrival curves can also be
- used to analyze sporadic tasks. We establish this link below. *)
-Section SporadicArrivalCurve.
- (** Consider any type of sporadic tasks. *)
- Context {Task : TaskType} `{SporadicModel Task}.
-
- (** The bound on the maximum number of arrivals in a given interval
- [max_sporadic_arrivals] is in fact a valid arrival curve, which
- we note with the following arrival-curve declaration. *)
- Global Program Instance MaxArrivalsSporadic : MaxArrivals Task := max_sporadic_arrivals.
-
- (** It remains to be shown that [max_sporadic_arrivals] satisfies
- all expectations placed on arrival curves. First, we observe
- that the bound is structurally sound. *)
- Lemma sporadic_arrival_curve_valid :
- forall tsk,
- valid_arrival_curve (max_sporadic_arrivals tsk).
- Proof.
- move=> tsk; split; first exact: div_ceil0.
- move=> delta1 delta2 LEQ.
- exact: div_ceil_monotone1.
- Qed.
-
- (** For convenience, we lift the preceding observation to the level
- of entire task sets. *)
- Remark sporadic_task_sets_arrival_curve_valid :
- forall ts,
- valid_taskset_arrival_curve ts max_arrivals.
- Proof. move=> ? ? ?; exact: sporadic_arrival_curve_valid. Qed.
-
- (** Next, we note that it is indeed an arrival bound. To this end,
- consider any type of jobs stemming from these tasks ... *)
- Context {Job : JobType} `{JobTask Job Task} `{JobArrival Job}.
-
- (** ... and any well-formed arrival sequence of such jobs. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** We establish the validity of the defined curve. *)
- Section Validity.
-
- (** Let [tsk] denote any valid sporadic task to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_sporadic_model: respects_sporadic_task_model arr_seq tsk.
- Hypothesis H_valid_inter_min_arrival: valid_task_min_inter_arrival_time tsk.
-
- (** We observe that [max_sporadic_arrivals] is indeed an upper bound
- on the maximum number of arrivals. *)
- Lemma sporadic_arrival_curve_respects_max_arrivals :
- respects_max_arrivals arr_seq tsk (max_sporadic_arrivals tsk).
- Proof. move=> t1 t2 LEQ. by apply sporadic_task_arrivals_bound; rt_eauto. Qed.
-
- End Validity.
-
- (** For convenience, we lift the preceding observation to the level
- of entire task sets. *)
- Remark sporadic_task_sets_respects_max_arrivals :
- forall ts,
- valid_taskset_inter_arrival_times ts ->
- taskset_respects_sporadic_task_model ts arr_seq ->
- taskset_respects_max_arrivals arr_seq ts.
- Proof.
- move=> ts VAL SPO tsk IN.
- apply: sporadic_arrival_curve_respects_max_arrivals.
- - by apply: SPO.
- - by apply: VAL.
- Qed.
-
-End SporadicArrivalCurve.
-
-(** We add the lemmas into the "Hint Database" basic_rt_facts so that
- they become available for proof automation. *)
-Global Hint Resolve
- sporadic_arrival_curve_valid
- sporadic_task_sets_arrival_curve_valid
- sporadic_arrival_curve_respects_max_arrivals
- sporadic_task_sets_respects_max_arrivals
- : basic_rt_facts.
diff --git a/model/task/arrival/task_max_inter_arrival.v b/model/task/arrival/task_max_inter_arrival.v
deleted file mode 100644
index 087ce468b6723905401d7d600afa77b0a867bc2c..0000000000000000000000000000000000000000
--- a/model/task/arrival/task_max_inter_arrival.v
+++ /dev/null
@@ -1,59 +0,0 @@
-Require Export prosa.model.task.concept.
-Require Export prosa.model.task.arrivals.
-
-(** * Task Max Inter-Arrival *)
-
-(** We define a task-model parameter [task_max_inter_arrival_time] as
- the maximum time difference between the arrivals of consecutive jobs. *)
-Class TaskMaxInterArrival (Task : TaskType) :=
- task_max_inter_arrival_time : Task -> duration.
-
-(** In the following section, we define two properties that a task must satisfy
-for its maximum inter-arrival time to be valid. *)
-Section ValidTaskMaxInterArrival.
-
- (** Consider any type of tasks, ... *)
- Context {Task : TaskType}.
- Context `{TaskMaxInterArrival Task}.
-
- (** ... any type of jobs associated with the tasks, ... *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** ... and any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Firstly, the task maximum inter-arrival time for a task is positive. *)
- Definition positive_task_max_inter_arrival_time (tsk : Task) :=
- task_max_inter_arrival_time tsk > 0.
-
- (** Secondly, for any job [j] (with a positive [job_index]) of a task [tsk],
- there exists a job [j'] of task [tsk] that arrives before [j]
- with [j] not arriving any later than the task maximum inter-arrival
- time of [tsk] after [j']. *)
- Definition arr_sep_task_max_inter_arrival (tsk : Task) :=
- forall (j : Job),
- arrives_in arr_seq j ->
- job_task j = tsk ->
- job_index arr_seq j > 0 ->
- exists (j' : Job),
- j <> j' /\
- arrives_in arr_seq j' /\
- job_task j' = tsk /\
- job_arrival j' <= job_arrival j <= job_arrival j' + task_max_inter_arrival_time tsk.
-
- (** Finally, we say that the maximum inter-arrival time of a task [tsk] is
- valid iff it satisfies the above two properties. *)
- Definition valid_task_max_inter_arrival_time (tsk: Task) :=
- positive_task_max_inter_arrival_time tsk /\
- arr_sep_task_max_inter_arrival tsk.
-
- (** A task set is said to respect the task max inter-arrival model iff all tasks
- in the task set have valid task max inter-arrival times as defined above. *)
- Definition taskset_respects_task_max_inter_arrival_model (ts : TaskSet Task) :=
- forall tsk,
- tsk \in ts ->
- valid_task_max_inter_arrival_time tsk.
-
-End ValidTaskMaxInterArrival.
diff --git a/model/task/arrivals.v b/model/task/arrivals.v
deleted file mode 100644
index 0ff7d557c914c56d97e807bdd547077fbe5b3c8c..0000000000000000000000000000000000000000
--- a/model/task/arrivals.v
+++ /dev/null
@@ -1,125 +0,0 @@
-Require Export prosa.model.task.concept.
-
-(** In this module, we provide basic definitions concerning the job
- arrivals of a given task. *)
-
-Section TaskArrivals.
-
- (** Consider any type of job associated with any type of tasks. *)
- Context {Job : JobType}.
- Context {Task : TaskType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** Consider any job arrival sequence ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any task. *)
- Variable tsk : Task.
-
- (** First, we construct the list of jobs of task [tsk] that arrive
- in a given half-open interval <<[t1, t2)>>. *)
- Definition task_arrivals_between (t1 t2 : instant) :=
- [seq j <- arrivals_between arr_seq t1 t2 | job_of_task tsk j].
-
- (** Based on that, we define the list of jobs of task [tsk] that
- arrive up to and including time [t], ... *)
- Definition task_arrivals_up_to (t : instant) :=
- task_arrivals_between 0 t.+1.
-
- (** ... the list of jobs of task [tsk] that arrive strictly
- before time [t], ... *)
- Definition task_arrivals_before (t : instant) :=
- task_arrivals_between 0 t.
-
- (** ... the list of jobs of task [tsk] that arrive exactly at an instant [t], ... *)
- Definition task_arrivals_at (tsk : Task) (t : instant) :=
- [seq j <- arrivals_at arr_seq t | job_of_task tsk j].
-
- (** ... and finally count the number of job arrivals. *)
- Definition number_of_task_arrivals (t1 t2 : instant) :=
- size (task_arrivals_between t1 t2).
-
- (** ... and also count the cost of job arrivals. *)
- Definition cost_of_task_arrivals (t1 t2 : instant) :=
- \sum_(j <- task_arrivals_between t1 t2) job_cost j.
-
-End TaskArrivals.
-
-(** In this section we introduce a few definitions
- regarding arrivals of a particular task prior to a job. *)
-Section PriorArrivals.
-
- (** Consider any type of jobs associated with any type of tasks. *)
- Context {Job : JobType}.
- Context {Task : TaskType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any arrival sequence of jobs ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any job [j]. *)
- Variable j : Job.
-
- (** We first define a sequence of jobs of a task
- that arrive before or at [job_arrival j]. *)
- Definition task_arrivals_up_to_job_arrival :=
- task_arrivals_up_to arr_seq (job_task j) (job_arrival j).
-
- (** Next, we define a sequence of jobs of a task
- that arrive strictly before [job_arrival j]. *)
- Definition task_arrivals_before_job_arrival :=
- task_arrivals_before arr_seq (job_task j) (job_arrival j).
-
- (** Finally, we define a sequence of jobs of a task
- that arrive at [job_arrival j]. *)
- Definition task_arrivals_at_job_arrival :=
- task_arrivals_at arr_seq (job_task j) (job_arrival j).
-
-End PriorArrivals.
-
-(** In this section, we define the notion of a job's index. *)
-Section JobIndex.
-
- (** Consider any type of tasks, ... *)
- Context {Task : TaskType}.
-
- (** ... any type of jobs associated with the tasks, ... *)
- Context {Job : JobType}.
- Context `{JobArrival Job}.
- Context `{JobTask Job Task}.
-
- (** ... and any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Given a job [j], we define a concept of job index as the number
- of jobs of the same task as [j] that arrived before or at the
- same instant as [j]. Please note that job indices start from zero. *)
- Definition job_index (j : Job) :=
- index j (task_arrivals_up_to_job_arrival arr_seq j).
-
-End JobIndex.
-
-(** In this section we define the notion of a previous job
- for any job with a positive [job_index]. *)
-Section PreviousJob.
-
- (** Consider any type of jobs associated with any type of tasks. *)
- Context {Job : JobType}.
- Context {Task : TaskType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** Consider any job arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- Let task_arrivals_up_to_job_arrival j := task_arrivals_up_to_job_arrival arr_seq j.
- Let prev_index j := job_index arr_seq j - 1.
-
- (** For any job [j] with a positive [job_index] we define the notion
- of a previous job. *)
- Definition prev_job (j : Job) := nth j (task_arrivals_up_to_job_arrival j) (prev_index j).
-
-End PreviousJob.
diff --git a/model/task/concept.v b/model/task/concept.v
deleted file mode 100644
index c255a7bc18d1f0cc90f0648a869cb5312e03d8f7..0000000000000000000000000000000000000000
--- a/model/task/concept.v
+++ /dev/null
@@ -1,177 +0,0 @@
-From mathcomp Require Export ssrbool.
-Require Export prosa.behavior.all.
-
-(** * Task Type *)
-
-(** As in case of the job model, we make no assumptions about the structure or
- type of tasks, i.e., like jobs, we consider tasks to be mathematically
- opaque objects. We only assume that any type that represents tasks has a
- decidable equality. *)
-Definition TaskType := eqType.
-
-(** * Task Model Core Parameters *)
-
-(** In the following, we define three central parameters of the task model: how
- jobs map to tasks, deadlines of tasks, and each task's WCET parameter. *)
-
-(** First, we define a job-model parameter [job_task] that maps each job to its
- corresponding task. *)
-Class JobTask (Job : JobType) (Task : TaskType) := job_task : Job -> Task.
-
-(** Second, we define a task-model parameter to express each task's relative
- deadline. *)
-Class TaskDeadline (Task : TaskType) := task_deadline : Task -> duration.
-
-(** Third, we define a task-model parameter to express each task's worst-case
- execution cost (WCET). *)
-Class TaskCost (Task : TaskType) := task_cost : Task -> duration.
-
-(** And finally, we define a task-model parameter to express each task's best-case
- execution cost (BCET). *)
-Class TaskMinCost (Task : TaskType) := task_min_cost : Task -> duration.
-
-
-(** * Task Model Validity *)
-
-(** In the following section, we introduce properties that a reasonable task
- model must satisfy. *)
-Section ModelValidity.
-
- (** Consider any type of tasks with WCETs/BCETs and relative deadlines. *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskMinCost Task}.
- Context `{TaskDeadline Task}.
-
- (** First, we constrain the possible WCET values of a valid task. *)
- Section ValidCost.
-
- (** Consider an arbitrary task. *)
- Variable tsk: Task.
-
- (** The WCET of the task should be positive. *)
- Definition task_cost_positive := task_cost tsk > 0.
-
- (** The WCET should not be larger than the deadline, as otherwise the task
- is trivially infeasible. *)
- Definition task_cost_at_most_deadline := task_cost tsk <= task_deadline tsk.
-
- End ValidCost.
-
- (** Second, we relate the cost of a task's jobs to its WCET. *)
- Section ValidJobCost.
-
- (** Consider any type of jobs associated with the tasks ... *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- (** ... and consider the cost of each job. *)
- Context `{JobCost Job}.
-
- (** The cost of any job [j] cannot exceed the WCET of its respective
- task. *)
- Definition valid_job_cost j :=
- job_cost j <= task_cost (job_task j).
-
- (** Every job have a valid job cost *)
- Definition jobs_have_valid_job_costs :=
- forall j, valid_job_cost j.
-
- (** Next, consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** The cost of a job from the arrival sequence cannot
- be larger than the task cost. *)
- Definition arrivals_have_valid_job_costs :=
- forall j,
- arrives_in arr_seq j ->
- valid_job_cost j.
-
- End ValidJobCost.
-
- (** Third, we relate the cost of a task's jobs to its BCET. *)
- Section ValidMinJobCost.
-
- (** Consider any type of jobs associated with the tasks ... *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- (** ... and consider the cost of each job. *)
- Context `{JobCost Job}.
-
- (** The cost of any job [j] cannot be less than the BCET of its respective
- task. *)
- Definition valid_min_job_cost j :=
- task_min_cost (job_task j) <= job_cost j.
-
- (** Every job have a valid job cost *)
- Definition jobs_have_valid_min_job_costs :=
- forall j, valid_min_job_cost j.
-
- (** Next, consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** The cost of a job from the arrival sequence cannot
- be less than the task cost. *)
- Definition arrivals_have_valid_min_job_costs :=
- forall j,
- arrives_in arr_seq j ->
- valid_min_job_cost j.
-
- End ValidMinJobCost.
-
-End ModelValidity.
-
-(** * Task Sets *)
-
-(** Next, we introduce the notion of a task set and define properties of valid
- task sets. *)
-
-(** For simplicity, we represent sets of such tasks simply as (finite) sequences of
- tasks. *)
-Definition TaskSet := seq.
-
-Section ValidTaskSet.
-
- (** Consider any type of tasks with WCETs ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks ... *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- (** ... as well as their individual execution costs. *)
- Context `{JobCost Job}.
-
- (** Further, consider an arrival sequence of these jobs... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ...and the set of tasks that generate them. *)
- Variable ts : TaskSet Task.
-
- (** All jobs in the arrival sequence should come from the task set. *)
- Definition all_jobs_from_taskset :=
- forall j,
- arrives_in arr_seq j ->
- job_task j \in ts.
-
-End ValidTaskSet.
-
-(** Finally, for readability, we define two ways in which jobs and tasks
- relate. *)
-Section SameTask.
-
- (** For any type of job associated with any type of tasks... *)
- Context {Job : JobType}.
- Context {Task : TaskType}.
- Context `{JobTask Job Task}.
-
- (** ... we say that two jobs [j1] and [j2] are from the same task iff
- [job_task j1] is equal to [job_task j2]. *)
- Definition same_task (j1 j2 : Job) := job_task j1 == job_task j2.
-
- (** We further say that a job [j] is a job of task [tsk] iff [job_task j] is
- equal to [tsk]. *)
- Definition job_of_task (tsk : Task) (j : Job) := job_task j == tsk.
-
-End SameTask.
-
-
diff --git a/model/task/offset.v b/model/task/offset.v
deleted file mode 100644
index 31c5291fbaf0e3a5cb8dda74f58f3b2110de076b..0000000000000000000000000000000000000000
--- a/model/task/offset.v
+++ /dev/null
@@ -1,71 +0,0 @@
-Require Export prosa.model.task.concept.
-Require Export prosa.behavior.all.
-Require Export prosa.model.task.arrivals.
-Require Export prosa.util.all.
-Require Export prosa.analysis.facts.behavior.all.
-
-(** * Task Offset *)
-
-(** We define a task-model parameter [task_offset] that maps each task
- to its corresponding offset, that is the instant when its first job arrives. *)
-Class TaskOffset (Task : TaskType) := task_offset : Task -> instant.
-
-(** In the following section, we define two important properties
- that an offset of any task should satisfy. *)
-Section ValidTaskOffset.
-
- (** Consider any type of tasks with offsets, ... *)
- Context {Task : TaskType}.
- Context `{TaskOffset Task}.
-
- (** ... any type of jobs associated with these tasks, ... *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
-
- (** ... and any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** No jobs of a task [tsk] arrive before [task_offset tsk]. *)
- Definition no_jobs_before_offset (tsk : Task) :=
- forall j,
- job_task j = tsk ->
- job_arrival j >= task_offset tsk.
-
- (** Furthermore for a task [tsk], there exists a job that
- arrives exactly at the offset. *)
- Definition job_released_at_offset (tsk : Task) :=
- exists j',
- arrives_in arr_seq j' /\
- job_task j' = tsk /\
- job_arrival j' = task_offset tsk.
-
- (** An offset is valid iff it satisfies both of the above conditions. *)
- Definition valid_offset (tsk : Task) := no_jobs_before_offset tsk /\ job_released_at_offset tsk.
-
- (** In the context of a set of tasks [ts], ... *)
- Variable ts : TaskSet Task.
-
- (** ... all tasks in the set must have valid offsets. *)
- Definition valid_offsets := forall tsk, tsk \in ts -> valid_offset tsk.
-
-End ValidTaskOffset.
-
-(** In this section we define the notion of a maximum task offset. *)
-Section MaxTaskOffset.
-
- (** Consider any type of tasks with offsets, ... *)
- Context {Task : TaskType}.
- Context `{TaskOffset Task}.
-
- (** ... and any task set. *)
- Variable ts : TaskSet Task.
-
- (** We define the sequence of task offsets of all tasks in [ts], ... *)
- Definition task_offsets := map task_offset ts.
-
- (** ... and the maximum among all the task offsets. *)
- Definition max_task_offset := max0 task_offsets.
-
-End MaxTaskOffset.
-
diff --git a/model/task/preemption/floating_nonpreemptive.v b/model/task/preemption/floating_nonpreemptive.v
deleted file mode 100644
index 7476b2268141cee72820b8d9f44e9f70dccfd627..0000000000000000000000000000000000000000
--- a/model/task/preemption/floating_nonpreemptive.v
+++ /dev/null
@@ -1,68 +0,0 @@
-Require Export prosa.model.preemption.limited_preemptive.
-Require Export prosa.model.task.preemption.parameters.
-
-(** * Task Model with Floating Non-Preemptive Regions *)
-
-(** In this file, we instantiate the specific task model of (usually)
- preemptive tasks with "floating" non-preemptive regions, i.e., with jobs
- that exhibit non-preemptive segments of bounded length at unpredictable
- points during their execution. *)
-
-(** ** Model Validity *)
-
-(** To begin with, we introduce requirements that the function
- [task_max_nonpr_segment] must satisfy to be coherent with the floating
- non-preemptive regions model. *)
-Section ValidModelWithFloatingNonpreemptiveRegions.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- (** ... with a bound on the maximum non-preemptive segment length ... *)
- Context `{TaskMaxNonpreemptiveSegment Task}.
-
- (** ... and any type of limited-preemptive jobs associated with these tasks ... *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- (** ... with execution costs and specific preemption points. *)
- Context `{JobCost Job}.
- Context `{JobPreemptionPoints Job}.
-
- (** We assume limited-preemptive jobs. *)
- #[local] Existing Instance limited_preemptive_job_model.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** We require [task_max_nonpreemptive_segment (job_task j)] to be an upper
- bound of the length of the maximum nonpreemptive segment of job [j]. *)
- Definition job_respects_task_max_np_segment :=
- forall (j : Job),
- arrives_in arr_seq j ->
- job_max_nonpreemptive_segment j <= task_max_nonpreemptive_segment (job_task j).
-
- (** A model with floating nonpreemptive regions is valid if it is both valid
- a the job level and jobs respect the upper bound of their task. *)
- Definition valid_model_with_floating_nonpreemptive_regions :=
- valid_limited_preemptions_job_model arr_seq /\
- job_respects_task_max_np_segment.
-
-End ValidModelWithFloatingNonpreemptiveRegions.
-
-(** ** Run-to-Completion Threshold *)
-
-(** In this section, we instantiate the task-level run-to-completion threshold
- for the model with floating non-preemptive regions. *)
-Section TaskRTCThresholdFloatingNonPreemptiveRegions.
-
- (** Consider any type of tasks with a WCET bound.*)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** In the model with floating non-preemptive regions, there is no static
- information about the placement of preemption points in all jobs, i.e.,
- it is impossible to predict when exactly a job will be preemptable. Thus,
- the only safe run-to-completion threshold is [task cost]. *)
- Definition floating_preemptive_rtc_threshold : TaskRunToCompletionThreshold Task :=
- fun tsk : Task => task_cost tsk.
-
-End TaskRTCThresholdFloatingNonPreemptiveRegions.
diff --git a/model/task/preemption/fully_nonpreemptive.v b/model/task/preemption/fully_nonpreemptive.v
deleted file mode 100644
index 249dc0685d13feab0385023eb056c5ab956730dc..0000000000000000000000000000000000000000
--- a/model/task/preemption/fully_nonpreemptive.v
+++ /dev/null
@@ -1,37 +0,0 @@
-Require Export prosa.model.task.preemption.parameters.
-
-(** * Fully Non-Preemptive Task Model *)
-
-(** In this module, we instantiate the task model in which jobs cannot be
- preempted once they have commenced execution. *)
-Section FullyNonPreemptiveModel.
-
- (** Consider any type of tasks with WCET bounds. *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** In the fully non-preemptive model, no job can be preempted until its
- completion. The maximal non-preemptive segment of a job [j] has length
- [job_cost j], which is bounded by [task_cost tsk].*)
- Definition fully_nonpreemptive_task_model : TaskMaxNonpreemptiveSegment Task :=
- fun tsk : Task => task_cost tsk.
-
-End FullyNonPreemptiveModel.
-
-(** ** Run-to-Completion Threshold *)
-
-(** In this section, we instantiate the task-level run-to-completion threshold
- for the fully non-preemptive model. *)
-Section TaskRTCThresholdFullyNonPreemptive.
-
- (** Consider any type of tasks. *)
- Context {Task : TaskType}.
-
- (** In the fully non-preemptive model, no job can be preempted prior to its
- completion. In other words, once a job starts running, it is guaranteed
- to finish. Thus, we can set the task-level run-to-completion threshold
- to ε. *)
- Definition fully_nonpreemptive_rtc_threshold : TaskRunToCompletionThreshold Task :=
- fun tsk : Task => ε.
-
-End TaskRTCThresholdFullyNonPreemptive.
diff --git a/model/task/preemption/fully_preemptive.v b/model/task/preemption/fully_preemptive.v
deleted file mode 100644
index f3d48b5fe4280da104e5b59ed31d1618d98e9bb4..0000000000000000000000000000000000000000
--- a/model/task/preemption/fully_preemptive.v
+++ /dev/null
@@ -1,38 +0,0 @@
-Require Export prosa.model.task.preemption.parameters.
-
-(** * Fully Preemptive Task Model *)
-
-(** In this module, we instantiate the common task model in which all jobs are
- always preemptable. *)
-
-Section FullyPreemptiveModel.
-
- (** Consider any type of jobs. *)
- Context {Task : TaskType}.
-
- (** In the fully preemptive model, any job can be preempted at any
- time. Thus, the maximal non-preemptive segment has length at most ε
- (i.e., one time unit such as a processor cycle). *)
- Definition fully_preemptive_task_model : TaskMaxNonpreemptiveSegment Task :=
- fun tsk : Task => ε.
-
-End FullyPreemptiveModel.
-
-(** ** Run-to-Completion Threshold *)
-
-(** Since jobs are always preemptive, there is no offset after which a job is
- guaranteed to run to completion. *)
-
-Section TaskRTCThresholdFullyPreemptiveModel.
-
- (** Consider any type of tasks with WCETs. *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** In the fully preemptive model, any job can be preempted at any
- time. Thus, the only safe run-to-completion threshold for a task
- is its WCET. *)
- Definition fully_preemptive_rtc_threshold : TaskRunToCompletionThreshold Task :=
- fun tsk : Task => task_cost tsk.
-
-End TaskRTCThresholdFullyPreemptiveModel.
diff --git a/model/task/preemption/limited_preemptive.v b/model/task/preemption/limited_preemptive.v
deleted file mode 100644
index 42d7393efb161cccfc000d6e3dd190585cce9e8f..0000000000000000000000000000000000000000
--- a/model/task/preemption/limited_preemptive.v
+++ /dev/null
@@ -1,112 +0,0 @@
-Require Export prosa.model.task.preemption.parameters.
-Require Export prosa.model.preemption.limited_preemptive.
-
-(** * Limited-Preemptive Task Model *)
-
-(** In this module, we instantiate the task model in which jobs can be
- preempted only at certain preemption points. *)
-
-(** ** Model Validity *)
-
-(** To begin with, we introduce requirements that the function
- [task_max_nonpr_segment] must satisfy to be coherent with the
- limited-preemptive task model. *)
-Section ValidModelWithFixedPreemptionPoints.
-
- (** Consider any type of tasks with WCET bounds and given preemption points ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskPreemptionPoints Task}.
-
- (** ... and any type of jobs associated with these tasks, ... *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- (** ... where each job has an arrival time, an execution cost, and some
- preemption points. *)
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobPreemptionPoints Job}.
-
- (** Consider any arrival sequence. *)
- Variable arr_seq : arrival_sequence Job.
-
- (** Consider an arbitrary task set [ts]. *)
- Variable ts : TaskSet Task.
-
- (** First, we describe structural properties that a sequence of preemption
- points of a task should satisfy. *)
-
- (** (1) We require the sequence of preemption points to contain the beginning ... *)
- Definition task_beginning_of_execution_in_preemption_points :=
- forall tsk, tsk \in ts -> first0 (task_preemption_points tsk) = 0.
-
- (** ... and (2) the end of execution. *)
- Definition task_end_of_execution_in_preemption_points :=
- forall tsk, tsk \in ts -> last0 (task_preemption_points tsk) = task_cost tsk.
-
- (** (3) Furthermore, we require the sequence of preemption points to be a
- non-decreasing sequence. *)
- Definition nondecreasing_task_preemption_points :=
- forall tsk, tsk \in ts -> nondecreasing_sequence (task_preemption_points tsk).
-
- (** (4) We also require the number of nonpreemptive segments of a job to be
- equal to the number of nonpreemptive segments of its task. Note that
- some of nonpreemptive segments of a job can have zero length;
- nonetheless the number of segments should match. *)
- Definition consistent_job_segment_count :=
- forall j,
- arrives_in arr_seq j ->
- size (job_preemptive_points j) = size (task_preemption_points (job_task j)).
-
- (** (5) We require the lengths of the nonpreemptive segments of a job to be
- bounded by the lengths of the corresponding segments of its task. *)
- Definition job_respects_segment_lengths :=
- forall j n,
- arrives_in arr_seq j ->
- nth 0 (distances (job_preemptive_points j)) n
- <= nth 0 (distances (task_preemption_points (job_task j))) n.
-
- (** (6) Lastly, we ban empty nonpreemptive segments at the task level. *)
- Definition task_segments_are_nonempty :=
- forall tsk n,
- (tsk \in ts) ->
- n < size (distances (task_preemption_points tsk)) ->
- ε <= nth 0 (distances (task_preemption_points tsk)) n.
-
- (** We define a valid task-level model with fixed preemption points as the
- conjunction of the hypotheses above. *)
- Definition valid_fixed_preemption_points_task_model :=
- task_beginning_of_execution_in_preemption_points /\
- task_end_of_execution_in_preemption_points /\
- nondecreasing_task_preemption_points /\
- consistent_job_segment_count /\
- job_respects_segment_lengths /\
- task_segments_are_nonempty.
-
- (** Finally, a model with fixed preemption points is valid if it is both valid
- a the job and task levels. *)
- Definition valid_fixed_preemption_points_model :=
- valid_limited_preemptions_job_model arr_seq /\
- valid_fixed_preemption_points_task_model.
-
-End ValidModelWithFixedPreemptionPoints.
-
-(** ** Run-to-Completion Threshold *)
-
-(** In this section, we instantiate the task-level run-to-completion threshold
- for the task model with fixed preemption points. *)
-Section TaskRTCThresholdLimitedPreemptions.
-
- (** Consider any type of tasks with WCET bounds and fixed preemption points. *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskPreemptionPoints Task}.
-
- (** Given fixed preemption points, no job can be preempted after a job
- reaches its last non-preemptive segment. Thus, we can set the task-level
- run-to-completion threshold to [task_cost tsk - (task_last_nonpr_seg tsk - ε)],
- which safely bounds [job_cost j - (job_last_nonpr_seg j - ε)]. *)
- Definition limited_preemptions_rtc_threshold : TaskRunToCompletionThreshold Task :=
- fun tsk : Task => task_cost tsk - (task_last_nonpr_segment tsk - ε).
-
-End TaskRTCThresholdLimitedPreemptions.
diff --git a/model/task/preemption/parameters.v b/model/task/preemption/parameters.v
deleted file mode 100644
index d92eb3f8a32ebb55d6e820369a4b28df223ab7b1..0000000000000000000000000000000000000000
--- a/model/task/preemption/parameters.v
+++ /dev/null
@@ -1,182 +0,0 @@
-Require Export prosa.model.preemption.parameter.
-Require Export prosa.model.task.concept.
-
-(** * Task Preemption Model *)
-
-(** In this file, we define the abstract interface for task-level preemption
- models. Specific preemption models are instantiated in the sibling files in
- this directory. *)
-
-(** ** Preemption-Related Task Parameters *)
-
-(** We define three parameters to express the preemption behavior of a given task. *)
-
-(** First, we define [task_max_nonpreemptive_segment] to denote a bound on the
- maximum length of a task's non-preemptive segment. *)
-Class TaskMaxNonpreemptiveSegment (Task : TaskType) :=
- task_max_nonpreemptive_segment : Task -> work.
-
-(** Second, run-to-completion threshold (RTCT) indicates a progress
- bound with the interpretation that, once a job of a task [tsk] has
- received at least [task_rtct tsk] time units of service, it will
- remain nonpreemptive until the end and run to completion. *)
-Class TaskRunToCompletionThreshold (Task : TaskType) :=
- task_rtct : Task -> work.
-
-(** Third, the parameter [task_preemption_points] indicates the non-preemptive
- segments of a task. Obviously, not all preemption models use this parameter. *)
-Class TaskPreemptionPoints (Task : TaskType) :=
- task_preemption_points : Task -> seq work.
-
-(** ** Derived Properties *)
-(** In this section, we define the notions of the maximal and the last
- non-preemptive segments of a task. *)
-Section MaxAndLastNonpreemptiveSegment.
-
- (** Consider any type of tasks with fixed preemption points. *)
- Context {Task : TaskType}.
- Context `{TaskPreemptionPoints Task}.
-
- (** We define a function [task_max_nonpr_segment] that computes the length of
- the longest non-preemptive segment of a given task. *)
- Definition task_max_nonpr_segment (tsk : Task) :=
- max0 (distances (task_preemption_points tsk)).
-
- (** Similarly, [task_last_nonpr_segment] is a function that computes the
- length of the last non-preemptive segment. *)
- Definition task_last_nonpr_segment (tsk : Task) :=
- last0 (distances (task_preemption_points tsk)).
-
-End MaxAndLastNonpreemptiveSegment.
-
-(** To avoid having to specify redundant information, we allow Coq to
- automatically infer a task's maximum non-preemptive segment length if its
- preemption points are known. *)
-#[global]
-Instance TaskPreemptionPoints_to_TaskMaxNonpreemptiveSegment_conversion
- (Task : TaskType) `{TaskPreemptionPoints Task} : TaskMaxNonpreemptiveSegment Task := task_max_nonpr_segment.
-
-
-(** ** Preemption Model Validity *)
-
-(** For analysis purposes, it is important that the distance between any two
- neighboring preemption points of a job is bounded. We define the validity
- criterion for the maximum non-preemptive segment length accordingly. *)
-Section ValidPreemptionModel.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobCost Job}.
-
- (** Suppose we are given the maximum non-preemptive segment length for each task ... *)
- Context `{TaskMaxNonpreemptiveSegment Task}.
-
- (** ... and a job-level preemption model. *)
- Context `{JobPreemptable Job}.
-
- (** Consider any kind of processor state model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any job arrival sequence, ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any given schedule. *)
- Variable sched : schedule PState.
-
- (** First we require that [task_max_nonpreemptive_segment] gives an upper
- bound on values of the function [job_max_nonpreemptive_segment]. *)
- Definition job_respects_max_nonpreemptive_segment (j: Job) :=
- job_max_nonpreemptive_segment j <= task_max_nonpreemptive_segment (job_task j).
-
- (** Next, we require that all segments of a job [j] have bounded length. That
- is, for any progress [Ï] of job [j], there exists a preemption point [pp]
- such that [Ï <= pp <= Ï + (job_max_nps j - ε)]. That is, in any time
- interval of length [job_max_nps j] during which a job is continuously
- scheduled, there exists a preemption point that lies in this interval. *)
- Definition nonpreemptive_regions_have_bounded_length (j : Job) :=
- forall (Ï : duration),
- 0 <= Ï <= job_cost j ->
- exists (pp : duration),
- Ï <= pp <= Ï + (job_max_nonpreemptive_segment j - ε) /\
- job_preemptable j pp.
-
- (** We say that the schedule exhibits bounded nonpreemptive segments iff the
- predicate [job_preemptable] satisfies the two preceding conditions. *)
- Definition model_with_bounded_nonpreemptive_segments :=
- forall j,
- arrives_in arr_seq j ->
- job_respects_max_nonpreemptive_segment j
- /\ nonpreemptive_regions_have_bounded_length j.
-
- (** Finally, we say that the schedule exhibits _valid_ bounded nonpreemptive
- segments iff the predicate [job_preemptable] defines a valid preemption
- model and if this model has non-preemptive segments of bounded length. *)
- Definition valid_model_with_bounded_nonpreemptive_segments :=
- valid_preemption_model arr_seq sched /\
- model_with_bounded_nonpreemptive_segments.
-
-End ValidPreemptionModel.
-
-(** ** Run-to-Completion Threshold Validity *)
-
-(** Since a task model may not provide exact information about the preemption
- points of a task, a task's run-to-completion threshold generally cannot be
- defined in terms of the preemption points of a task (unlike a job's
- run-to-completion threshold, which can always be computed from a job's
- preemption points). Instead, we require each task-level preemption model to
- specify a task's run-to-completion threshold explicitly. We define its
- required properties in the following. *)
-Section ValidTaskRunToCompletionThreshold.
-
- (** Consider any type of tasks with bounded WCETs ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks ... *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
-
- (** ... where each job has an execution cost. *)
- Context `{JobCost Job}.
-
- (** Suppose we are given a job-level preemption model ... *)
- Context `{JobPreemptable Job}.
-
- (** ...and the run-to-completion threshold for each task. *)
- Context `{TaskRunToCompletionThreshold Task}.
-
- (** Further, consider any kind of processor model, ... *)
- Context {PState : ProcessorState Job}.
-
- (** ... any job arrival sequence, ... *)
- Variable arr_seq: arrival_sequence Job.
-
- (** ... and any given schedule. *)
- Variable sched: schedule PState.
-
- (** A task's run-to-completion threshold must not exceed the WCET of the
- task. *)
- Definition task_rtc_bounded_by_cost tsk :=
- task_rtct tsk <= task_cost tsk.
-
- (** We say that the run-to-completion threshold of a task [tsk] bounds the
- job-level run-to-completion threshold iff, for any job [j] of task [tsk],
- the job's run-to-completion threshold is at most the task's
- run-to-completion threshold. *)
- Definition job_respects_task_rtc tsk :=
- forall j,
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- job_rtct j <= task_rtct tsk.
-
- (** Finally, we require that a valid run-to-completion threshold parameter
- will satisfy the two above definitions. *)
- Definition valid_task_run_to_completion_threshold tsk :=
- task_rtc_bounded_by_cost tsk /\
- job_respects_task_rtc tsk.
-
-End ValidTaskRunToCompletionThreshold.
diff --git a/model/task/sequentiality.v b/model/task/sequentiality.v
deleted file mode 100644
index 4db3f7e37fc4c9eb3c3a65ffc8a8b9203e47ecf4..0000000000000000000000000000000000000000
--- a/model/task/sequentiality.v
+++ /dev/null
@@ -1,47 +0,0 @@
-Require Export prosa.model.task.concept.
-Require Export prosa.model.task.arrivals.
-
-(** In this module, we give a precise definition of the common notion of
- "sequential tasks", which is commonly understood to mean that the jobs of a
- sequential task execute in sequence and in a non-overlapping fashion. *)
-
-Section PropertyOfSequentiality.
-
- (** Consider any type of jobs stemming from any type of tasks ... *)
- Context {Job : JobType}.
- Context {Task : TaskType}.
- Context `{JobTask Job Task}.
-
- (** ... with arrival times and costs ... *)
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** ... and any kind of processor model. *)
- Context {PState : ProcessorState Job}.
-
- (** Consider any arrival sequence ... *)
- Variable arr_seq : arrival_sequence Job.
-
- (** ... and any schedule of this arrival sequence. *)
- Variable sched : schedule PState.
-
- (** We say that the tasks execute sequentially if each task's jobs are
- executed in arrival order and in a non-overlapping fashion. *)
- Definition sequential_tasks :=
- forall (j1 j2 : Job) (t : instant),
- arrives_in arr_seq j1 ->
- arrives_in arr_seq j2 ->
- same_task j1 j2 ->
- job_arrival j1 < job_arrival j2 ->
- scheduled_at sched j2 t ->
- completed_by sched j1 t.
-
- (** Given a job [j] and a time instant [t], we say that all prior
- jobs are completed if any job [j_tsk] of task [job_task j] that
- arrives before time [job_arrival j] is completed by time [t]. *)
- Definition prior_jobs_complete (j : Job) (t : instant) :=
- all
- (fun j_tsk => completed_by sched j_tsk t)
- (task_arrivals_before arr_seq (job_task j) (job_arrival j)).
-
-End PropertyOfSequentiality.
diff --git a/model/task/suspension/dynamic.v b/model/task/suspension/dynamic.v
deleted file mode 100644
index a6c0889bccf8c88d9e356f1409925fb05d7db2eb..0000000000000000000000000000000000000000
--- a/model/task/suspension/dynamic.v
+++ /dev/null
@@ -1,36 +0,0 @@
-Require Export prosa.model.readiness.suspension.
-Require Export prosa.model.task.concept.
-
-(** * Task Parameter for the Dynamic Self-Suspension Model *)
-
-(** Under the dynamic self-suspension model, for each task, there is a bound on
- the maximum total self-suspension duration exhibited by any job of the
- task. *)
-Class TaskTotalSuspension (Task : TaskType) := task_total_suspension : Task -> duration.
-
-(** * Validity *)
-
-(** In the following section, we specify the semantics of the dynamic
- self-suspension model: each job self-suspends in total no longer than
- specified by the cumulative self-suspension bound of its associated
- task. *)
-
-Section ValidDynamicSuspensions.
-
- (** Consider any kind of jobs,... *)
- Context {Job : JobType}.
-
- (** ...where each job has a cost and may exhibit self-suspensions,... *)
- Context `{JobCost Job} `{JobSuspension Job}.
-
- (** ...and the tasks from which these jobs stem. *)
- Context {Task : TaskType}.
- Context `{JobTask Job Task} `{TaskTotalSuspension Task}.
-
- (** Under the dynamic self-suspension model, the total self-suspension time
- of any job cannot exceed the self-suspension bound of its associated
- task. *)
- Definition valid_dynamic_suspensions :=
- forall j, total_suspension j <= task_total_suspension (job_task j).
-
-End ValidDynamicSuspensions.
diff --git a/results/edf/README.md b/results/edf/README.md
deleted file mode 100644
index 119feef44276a270560597b014b73ff771a19128..0000000000000000000000000000000000000000
--- a/results/edf/README.md
+++ /dev/null
@@ -1,40 +0,0 @@
-# High-Level Results about Earliest-Deadline First (EDF) Scheduling
-
-This folder collects the main theorems in Prosa about EDF-scheduled systems. There are currently the following results available.
-
-## EDF Optimality
-
-As a case study, Prosa includes the proof that EDF is optimal w.r.t. meeting deadlines on an ideal uniprocessor.
-
-**EDF optimality** on ideal uniprocessors: [optimality.v](optimality.v).
-
-## Response-Time Bounds
-
-On the more practical side, Prosa includes several **response-time bounds** for EDF. The proofs of these RTAs are based on abstract RTA.
-
-The following RTAs all assume ideal uniprocessors and the basic Liu & Layland readiness model (i.e., jobs exhibit neither release jitter nor self-suspensions), but work for arbitrary arrival curves and arbitrary deadlines.
-
-### (1) EDF RTA with Bounded Priority Inversions
-
-The main result in [rta/bounded_pi.v](rta/bounded_pi.v) provides a general response-time bound assuming a bound on priority inversion (for whatever reason) is known.
-
-### (2) EDF RTA with Bounded Non-Preemptive Segments
-
-The main theorem in [rta/bounded_nps.v](rta/bounded_nps.v) provides a refinement of (1) based on the more specific assumption that priority inversions are caused by lower-priority non-preemptive jobs with bounded non-preemptive segment lengths.
-
-### (3) EDF RTA for Fully Preemptive Jobs
-
-The RTA provided in [rta/fully_preemptive.v](rta/fully_preemptive.v) applies (2) to the commonly assumed case of fully preemptive tasks (i.e., the complete absence of non-preemptive segments), which matches the classic Liu & Layland model.
-
-### (4) EDF RTA for Fully Non-Preemptive Jobs
-
-The file [rta/fully_nonpreemptive.v](rta/fully_nonpreemptive.v) provides a refinement of (2) for the case in which each job forms a single non-preemptive segment, i.e., where in-progress jobs execute with run-to-completion semantics and cannot be preempted at all.
-
-### (5) EDF RTA for Floating Non-Preemptive Sections
-
-The file [rta/floating_nonpreemptive.v](rta/floating_nonpreemptive.v) provides an RTA based on (2) for tasks that execute mostly preemptively, but that may also exhibit some non-preemptive segments (of bounded length) at unpredictable times.
-
-### (6) EDF RTA for Limited-Preemptive Tasks
-
-The file [rta/limited_preemptive.v](rta/limited_preemptive.v) provides an RTA based on (2) for tasks that consist of a sequence of non-preemptive segments, separated by fixed preemption points.
-
diff --git a/results/edf/optimality.v b/results/edf/optimality.v
deleted file mode 100644
index afd4d24cd782a9a37551ecdb436069afe7b056df..0000000000000000000000000000000000000000
--- a/results/edf/optimality.v
+++ /dev/null
@@ -1,169 +0,0 @@
-Require Import prosa.model.readiness.basic.
-Require Import prosa.model.preemption.fully_preemptive.
-Require Export prosa.analysis.facts.transform.edf_opt.
-Require Export prosa.analysis.facts.transform.edf_wc.
-Require Export prosa.analysis.facts.edf_definitions.
-Require prosa.model.priority.edf.
-
-(** * Optimality of EDF on Ideal Uniprocessors *)
-
-(** This module provides the famous EDF optimality theorem: if there
- is any way to meet all deadlines (assuming an ideal uniprocessor
- schedule), then there is also an (ideal) EDF schedule in which all
- deadlines are met. *)
-
-(** ** Optimality Theorem *)
-
-Section Optimality.
-
- (** Consider any given type of jobs, each characterized by execution
- costs, an arrival time, and an absolute deadline,... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ... and any valid arrival sequence of such jobs. *)
- Variable arr_seq: arrival_sequence Job.
- Hypothesis H_arr_seq_valid: valid_arrival_sequence arr_seq.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** We assume that jobs are fully preemptive. *)
- #[local] Existing Instance fully_preemptive_job_model.
-
- (** Under these assumptions, EDF is optimal in the sense that, if there
- exists any schedule in which all jobs of [arr_seq] meet their deadline,
- then there also exists an EDF schedule in which all deadlines are met. *)
- Theorem EDF_optimality:
- (exists any_sched : schedule (ideal.processor_state Job),
- valid_schedule any_sched arr_seq /\
- all_deadlines_of_arrivals_met arr_seq any_sched) ->
- exists edf_sched : schedule (ideal.processor_state Job),
- valid_schedule edf_sched arr_seq /\
- all_deadlines_of_arrivals_met arr_seq edf_sched /\
- EDF_schedule edf_sched.
- Proof.
- move=> [sched [[COME READY] DL_ARR_MET]].
- have ARR := jobs_must_arrive_to_be_ready sched READY.
- have COMP := completed_jobs_are_not_ready sched READY.
- move: (all_deadlines_met_in_valid_schedule _ _ COME DL_ARR_MET) => DL_MET.
- set sched' := edf_transform sched.
- exists sched'. split; last split.
- - by apply edf_schedule_is_valid.
- - by apply edf_schedule_meets_all_deadlines_wrt_arrivals.
- - by apply edf_transform_ensures_edf.
- Qed.
-
- (** Moreover, we note that, since EDF maintains work conservation, if there
- exists a schedule in which all jobs of [arr_seq] meet their deadline,
- then there also exists a work-conserving EDF in which all deadlines are
- met. *)
- Theorem EDF_WC_optimality :
- (exists any_sched : schedule (ideal.processor_state Job),
- valid_schedule any_sched arr_seq /\
- all_deadlines_of_arrivals_met arr_seq any_sched) ->
- exists edf_wc_sched : schedule (ideal.processor_state Job),
- valid_schedule edf_wc_sched arr_seq /\
- all_deadlines_of_arrivals_met arr_seq edf_wc_sched /\
- work_conserving arr_seq edf_wc_sched /\
- EDF_schedule edf_wc_sched.
- Proof.
- move=> [sched [[COME READY] DL_ARR_MET]].
- move: (all_deadlines_met_in_valid_schedule _ _ COME DL_ARR_MET) => DL_MET.
- set wc_sched := wc_transform arr_seq sched.
- have wc_COME : jobs_come_from_arrival_sequence wc_sched arr_seq
- by apply wc_jobs_come_from_arrival_sequence.
- have wc_READY : jobs_must_be_ready_to_execute wc_sched
- by apply wc_jobs_must_be_ready_to_execute.
- have wc_ARR := jobs_must_arrive_to_be_ready wc_sched wc_READY.
- have wc_COMP := completed_jobs_are_not_ready wc_sched wc_READY.
- have wc_DL_ARR_MET : all_deadlines_of_arrivals_met arr_seq wc_sched
- by apply wc_all_deadlines_of_arrivals_met; apply DL_ARR_MET.
- move: (all_deadlines_met_in_valid_schedule _ _ wc_COME wc_DL_ARR_MET) => wc_DL_MET.
- set sched' := edf_transform wc_sched.
- exists sched'. split; last split; last split.
- - by apply edf_schedule_is_valid.
- - by apply edf_schedule_meets_all_deadlines_wrt_arrivals.
- - apply edf_transform_maintains_work_conservation; by [ | apply wc_is_work_conserving ].
- - by apply edf_transform_ensures_edf.
- Qed.
-
- (** Remark: [EDF_optimality] is of course an immediate corollary of
- [EDF_WC_optimality]. We nonetheless have two separate proofs for historic
- reasons as [EDF_optimality] predates [EDF_WC_optimality] (in Prosa). *)
-
- (** Finally, we state the optimality theorem also in terms of a
- policy-compliant schedule, which a more generic notion used in Prosa for
- scheduling policies (rather than the simpler, but ad-hoc
- [EDF_schedule] predicate used above).
-
- Given that we're considering the EDF priority policy and a fully
- preemptive job model, satisfying the [EDF_schedule] predicate is
- equivalent to satisfying the [respects_policy_at_preemption_point]
- w.r.t. to the EDF policy predicate. The optimality of priority-compliant
- schedules that are work-conserving follows hence directly from the above
- [EDF_WC_optimality] theorem. *)
- Corollary EDF_priority_compliant_WC_optimality:
- (exists any_sched : schedule (ideal.processor_state Job),
- valid_schedule any_sched arr_seq /\
- all_deadlines_of_arrivals_met arr_seq any_sched) ->
- exists priority_compliant_sched : schedule (ideal.processor_state Job),
- valid_schedule priority_compliant_sched arr_seq /\
- all_deadlines_of_arrivals_met arr_seq priority_compliant_sched /\
- work_conserving arr_seq priority_compliant_sched /\
- respects_JLFP_policy_at_preemption_point arr_seq priority_compliant_sched (EDF Job).
- Proof.
- move /EDF_WC_optimality => [edf_sched [[ARR READY] [DL_MET [WC EDF]]]].
- exists edf_sched.
- apply (EDF_schedule_equiv arr_seq _) in EDF => //.
- now apply (completed_jobs_are_not_ready edf_sched READY).
- Qed.
-
-End Optimality.
-
-(** ** Weak Optimality Theorem *)
-
-(** We further state a weaker notion of the above optimality result
- that avoids a dependency on a given arrival
- sequence. Specifically, it establishes that, given a reference
- schedule without deadline misses, there exists an EDF schedule of
- the same jobs in which no deadlines are missed. *)
-Section WeakOptimality.
-
- (** For any given type of jobs, each characterized by execution
- costs, an arrival time, and an absolute deadline,... *)
- Context {Job : JobType} `{JobCost Job} `{JobDeadline Job} `{JobArrival Job}.
-
- (** ... if we have a well-behaved reference schedule ... *)
- Variable any_sched: schedule (ideal.processor_state Job).
- Hypothesis H_must_arrive: jobs_must_arrive_to_execute any_sched.
- Hypothesis H_completed_dont_execute: completed_jobs_dont_execute any_sched.
-
- (** ... in which no deadlines are missed, ... *)
- Hypothesis H_all_deadlines_met: all_deadlines_met any_sched.
-
- (** ...then there also exists an EDF schedule in which no deadlines
- are missed (and in which exactly the same set of jobs is
- scheduled, as ensured by the last clause). *)
- Theorem weak_EDF_optimality:
- exists edf_sched : schedule (ideal.processor_state Job),
- jobs_must_arrive_to_execute edf_sched /\
- completed_jobs_dont_execute edf_sched /\
- all_deadlines_met edf_sched /\
- EDF_schedule edf_sched /\
- forall j,
- (exists t, scheduled_at any_sched j t) <->
- (exists t', scheduled_at edf_sched j t').
- Proof.
- set sched' := edf_transform any_sched.
- exists sched'. repeat split.
- - by apply edf_transform_jobs_must_arrive.
- - by apply edf_transform_completed_jobs_dont_execute.
- - by apply edf_transform_deadlines_met.
- - by apply edf_transform_ensures_edf.
- - by move=> [t SCHED_j]; try ( apply edf_transform_job_scheduled' with (t0 := t) ) || apply edf_transform_job_scheduled' with (t := t).
- - by move=> [t SCHED_j]; try ( apply edf_transform_job_scheduled with (t0 := t) ) || apply edf_transform_job_scheduled with (t := t).
- Qed.
-
-End WeakOptimality.
diff --git a/results/edf/rta/bounded_nps.v b/results/edf/rta/bounded_nps.v
deleted file mode 100644
index ec88724a7716db728540f21cee64d6c6a78640ed..0000000000000000000000000000000000000000
--- a/results/edf/rta/bounded_nps.v
+++ /dev/null
@@ -1,356 +0,0 @@
-Require Import prosa.model.readiness.basic.
-Require Import prosa.model.priority.edf.
-Require Import prosa.model.schedule.work_conserving.
-Require Import prosa.model.task.preemption.parameters.
-Require Export prosa.analysis.facts.model.rbf.
-Require Export prosa.analysis.facts.model.arrival_curves.
-Require Export prosa.analysis.facts.model.sequential.
-Require Export prosa.analysis.facts.busy_interval.ideal.priority_inversion_bounded.
-Require Export prosa.results.edf.rta.bounded_pi.
-
-(** * RTA for EDF with Bounded Non-Preemptive Segments *)
-
-(** In this section we instantiate the Abstract RTA for EDF-schedulers
- with Bounded Priority Inversion to EDF-schedulers for ideal
- uni-processor model of real-time tasks with arbitrary
- arrival models _and_ bounded non-preemptive segments. *)
-
-(** Recall that Abstract RTA for EDF-schedulers with Bounded Priority
- Inversion does not specify the cause of priority inversion. In
- this section, we prove that the priority inversion caused by
- execution of non-preemptive segments is bounded. Thus the Abstract
- RTA for EDF-schedulers is applicable to this instantiation. *)
-Section RTAforEDFwithBoundedNonpreemptiveSegmentsWithArrivalCurves.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskDeadline Task}.
- Context `{TaskRunToCompletionThreshold Task}.
- Context `{TaskMaxNonpreemptiveSegment Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{Arrival : JobArrival Job}.
- Context `{Cost : JobCost Job}.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** For clarity, let's denote the relative deadline of a task as [D]. *)
- Let D tsk := task_deadline tsk.
-
- (** Consider the EDF policy that indicates a higher-or-equal priority relation.
- Note that we do not relate the EDF policy with the scheduler. However, we
- define functions for Interference and Interfering Workload that actively use
- the concept of priorities. *)
- Let EDF := EDF Job.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Next, consider any valid ideal uni-processor schedule of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
-
- (** In addition, we assume the existence of a function mapping jobs
- to their preemption points ... *)
- Context `{JobPreemptable Job}.
-
- (** ... and assume that it defines a valid preemption model with
- bounded non-preemptive segments. *)
- Hypothesis H_valid_model_with_bounded_nonpreemptive_segments:
- valid_model_with_bounded_nonpreemptive_segments arr_seq sched.
-
- (** Next, we assume that the schedule is a work-conserving schedule... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy at every preemption point. *)
- Hypothesis H_respects_policy : respects_JLFP_policy_at_preemption_point arr_seq sched EDF.
-
- (** Consider an arbitrary task set ts, ... *)
- Variable ts : list Task.
-
- (** ... assume that all jobs come from the task set, ... *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** ... and the cost of a job cannot be larger than the task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for
- any task [tsk] in ts [max_arrival tsk] is (1) an arrival bound of
- [tsk], and (2) it is a monotonic function that equals 0 for the
- empty interval delta = 0. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Consider a valid preemption model... *)
- Hypothesis H_valid_preemption_model:
- valid_preemption_model arr_seq sched.
-
- (** ...and a valid task run-to-completion threshold function. That
- is, [task_rtct tsk] is (1) no bigger than [tsk]'s cost, (2) for
- any job of task [tsk] [job_rtct] is bounded by [task_rtct]. *)
- Hypothesis H_valid_run_to_completion_threshold:
- valid_task_run_to_completion_threshold arr_seq tsk.
-
- (** We introduce as an abbreviation [rbf] for the task request bound function,
- which is defined as [task_cost(T) × max_arrivals(T,Δ)] for a task T. *)
- Let rbf := task_request_bound_function.
-
- (** Next, we introduce [task_rbf] as an abbreviation for the task
- request bound function of task [tsk]. *)
- Let task_rbf := rbf tsk.
-
- (** Using the sum of individual request bound functions, we define the request bound
- function of all tasks (total request bound function). *)
- Let total_rbf := total_request_bound_function ts.
-
- (** Next, we define an upper bound on interfering workload received from jobs
- of other tasks with higher-than-or-equal priority. *)
- Let bound_on_total_hep_workload A Δ :=
- \sum_(tsk_o <- ts | tsk_o != tsk)
- rbf tsk_o (minn ((A + ε) + D tsk - D tsk_o) Δ).
-
- (** Let's define some local names for clarity. *)
- Let max_length_of_priority_inversion :=
- max_length_of_priority_inversion arr_seq.
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- (** For a job with the relative arrival offset [A] within its busy window, we
- define the following blocking bound. Only other tasks that potentially
- release non-zero-cost jobs are relevant, so we define a predicate to
- exclude pathological cases. *)
- Definition blocking_relevant (tsk_o : Task) :=
- (max_arrivals tsk_o ε > 0) && (task_cost tsk_o > 0).
- Definition blocking_bound (A : duration) :=
- \max_(tsk_o <- ts | blocking_relevant tsk_o && (D tsk_o > D tsk + A))
- (task_max_nonpreemptive_segment tsk_o - ε).
-
- (** ** Search Space *)
-
- (** If priority inversion is caused exclusively by non-preemptive sections,
- then we do not need to consider the priority-inversion bound in the search
- space. Hence we define the following search space, which refines the more
- general [bounded_pi.is_in_search_space] for our specific setting. *)
- Definition is_in_search_space (L A : duration) :=
- (A < L) && (task_rbf_changes_at tsk A
- || bound_on_total_hep_workload_changes_at ts tsk A).
-
- (** For the following proof, we exploit the fact that the blocking bound is
- monotonically decreasing in [A], which we note here. *)
- Fact blocking_bound_decreasing :
- forall A1 A2,
- A1 <= A2 ->
- blocking_bound A1 >= blocking_bound A2.
- Proof.
- move=> A1 A2 LEQ.
- rewrite /blocking_bound.
- apply: bigmax_subset => tsk_o IN /andP[/andP[OTHER LT] ARR].
- by repeat (apply /andP; split) => //; lia.
- Qed.
-
- (** To use the refined search space with the abstract theorem, we must show
- that it still includes all relevant points. To this end, we first observe
- that a step in the blocking bound implies the existence of a task that
- could release a job with an absolute deadline equal to the absolute
- deadline of the job under analysis. *)
- Lemma task_with_equal_deadline_exists :
- forall {A},
- priority_inversion_changes_at blocking_bound A ->
- exists tsk_o, (tsk_o \in ts)
- && (blocking_relevant tsk_o)
- && (tsk_o != tsk)
- && (D tsk_o == D tsk + A).
- Proof.
- move=> A. rewrite /priority_inversion_changes_at => NEQ.
- have LEQ: blocking_bound A <= blocking_bound (A - ε) by apply: blocking_bound_decreasing; lia.
- have LT: blocking_bound A < blocking_bound (A - ε) by lia.
- move: LT; rewrite /blocking_bound => LT {LEQ} {NEQ}.
- move: (bigmax_witness_diff LT) => [tsk_o [IN [NOT HOLDS]]].
- move: HOLDS => /andP[REL LTeps].
- exists tsk_o; repeat (apply /andP; split) => //;
- first by apply /eqP => EQ; move: LTeps; rewrite EQ; lia.
- move: NOT; rewrite negb_and => /orP[/negP // |].
- by move: LTeps; rewrite /ε => LTeps; lia.
- Qed.
-
- (** With the above setup in place, we can show that the search space defined
- above by [is_in_search_space] covers the the more abstract search space
- defined by [bounded_pi.is_in_search_space]. *)
- Lemma search_space_inclusion :
- forall {A L},
- bounded_pi.is_in_search_space ts tsk blocking_bound L A ->
- is_in_search_space L A.
- Proof.
- move=> A L /andP[BOUND STEP].
- apply /andP; split => //; apply /orP.
- move: STEP => /orP[/orP[STEP|RBF] | IBF]; [right| by left| by right].
- move: (task_with_equal_deadline_exists STEP) => [tsk_o /andP[/andP[/andP[IN REL] OTHER] EQ]].
- rewrite /bound_on_total_hep_workload_changes_at.
- apply /hasP; exists tsk_o => //.
- apply /andP; split; first by rewrite eq_sym.
- move: EQ. rewrite /D => /eqP EQ.
- rewrite /task_request_bound_function EQ.
- move: REL; rewrite /blocking_relevant => /andP [ARRIVES COST].
- rewrite eqn_pmul2l //.
- have -> : A + task_deadline tsk - (task_deadline tsk + A)
- = 0 by lia.
- have -> : A + ε + task_deadline tsk - (task_deadline tsk + A)
- = ε by lia.
- by move: (H_valid_arrival_curve tsk_o IN) => [-> _]; lia.
- Qed.
-
-
- (** ** Priority inversion is bounded *)
- (** In this section, we prove that a priority inversion for task [tsk] is bounded by
- the maximum length of non-preemptive segments among the tasks with lower priority. *)
- Section PriorityInversionIsBounded.
-
- (** First, we observe that the maximum non-preemptive segment length of any
- task that releases a job with an earlier absolute deadline (w.r.t. a
- given job [j]) and non-zero execution cost upper-bounds the maximum
- possible length of priority inversion (of said job [j]). *)
- Lemma priority_inversion_is_bounded_by_max_np_segment :
- forall {j t1},
- max_length_of_priority_inversion j t1
- <= \max_(j_lp <- arrivals_between arr_seq 0 t1 | (~~ EDF j_lp j)
- && (job_cost j_lp > 0))
- (task_max_nonpreemptive_segment (job_task j_lp) - ε).
- Proof.
- move=> j t1.
- rewrite /max_length_of_priority_inversion /max_length_of_priority_inversion.
- apply: leq_big_max => j' JINB NOTHEP.
- rewrite leq_sub2r //.
- apply in_arrivals_implies_arrived in JINB.
- by apply H_valid_model_with_bounded_nonpreemptive_segments.
- Qed.
-
- (** Second, we prove that the maximum length of a priority inversion of a
- given job [j] is indeed bounded by defined the blocking bound. *)
- Lemma priority_inversion_is_bounded_by_blocking:
- forall j t1 t2,
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- busy_interval_prefix arr_seq sched j t1 t2 ->
- max_length_of_priority_inversion j t1 <= blocking_bound (job_arrival j - t1).
- Proof.
- intros j t1 t2 ARR TSK BUSY; unfold max_length_of_priority_inversion, blocking_bound.
- destruct BUSY as [TT [QT [_ LE]]]; move: LE => /andP [GE LT].
- apply: leq_trans; first by apply: priority_inversion_is_bounded_by_max_np_segment.
- apply /bigmax_leq_seqP => j' JINB NOTHEP.
- have ARR': arrives_in arr_seq j'
- by apply: in_arrivals_implies_arrived; exact: JINB.
- apply leq_bigmax_cond_seq with (x := (job_task j')) (F := fun tsk => task_max_nonpreemptive_segment tsk - 1);
- first by apply H_all_jobs_from_taskset.
- eapply in_arrivals_implies_arrived_between in JINB; last by rt_eauto.
- move: JINB; move => /andP [_ TJ'].
- repeat (apply/andP; split); last first.
- { rewrite /EDF -ltnNge in NOTHEP.
- move: TSK => /eqP <-.
- have ARRLE: job_arrival j' < job_arrival j by apply leq_trans with t1.
- move: NOTHEP; rewrite /job_deadline /absolute_deadline.job_deadline_from_task_deadline /D.
- by lia. }
- { move: NOTHEP => /andP [_ NZ].
- move: (H_valid_job_cost j' ARR'); rewrite /valid_job_cost.
- by lia. }
- { apply: non_pathological_max_arrivals; last first.
- - exact: ARR'.
- - by rewrite /job_of_task.
- - by apply H_is_arrival_curve, H_all_jobs_from_taskset, ARR'. }
- Qed.
-
- (** Using the lemma above, we prove that the priority inversion of the task is bounded by
- the maximum length of a nonpreemptive section of lower-priority tasks. *)
- Lemma priority_inversion_is_bounded:
- priority_inversion_is_bounded_by arr_seq sched tsk blocking_bound.
- Proof.
- move => j ARR TSK POS t1 t2 PREF; move: (PREF) => [_ [_ [_ /andP [T _]]]].
- move: H_sched_valid => [COARR MBR].
- destruct (leqP (t2 - t1) (blocking_bound (job_arrival j - t1))) as [NEQ|NEQ].
- { apply leq_trans with (t2 - t1); last by done.
- rewrite /cumulative_priority_inversion.
- rewrite -[X in _ <= X]addn0 -[t2 - t1]mul1n -iter_addn -big_const_nat.
- by rewrite leq_sum //; intros t _; destruct (priority_inversion_dec).
- }
- edestruct @preemption_time_exists as [ppt [PPT NEQ2]]; rt_eauto.
- move: NEQ2 => /andP [GE LE].
- apply leq_trans with (cumulative_priority_inversion arr_seq sched j t1 ppt);
- last apply leq_trans with (ppt - t1).
- - rewrite /cumulative_priority_inversion.
- rewrite (@big_cat_nat _ _ _ ppt) //=; last first.
- { rewrite ltn_subRL in NEQ.
- apply leq_trans with (t1 + blocking_bound (job_arrival j - t1)); last by apply ltnW.
- apply leq_trans with (t1 + max_length_of_priority_inversion j t1); first by done.
- by rewrite leq_add2l; eapply priority_inversion_is_bounded_by_blocking; eauto 2; apply/eqP. }
- rewrite -[X in _ <= X]addn0 leq_add2l leqn0.
- rewrite big_nat_cond big1 //; move => t /andP [/andP [GEt LTt] _ ].
- edestruct @not_quiet_implies_exists_scheduled_hp_job
- with (K := ppt - t1) (t := t) as [j_hp [ARRB [HP SCHEDHP]]]; rt_eauto.
- { by exists ppt; split; [done | rewrite subnKC //; apply/andP; split]. }
- { by rewrite subnKC //; apply/andP; split. }
- apply/eqP; rewrite eqb0; apply/negP; move => /priority_inversion_P INV.
- feed_n 3 INV; rt_eauto; last move: INV => [_ [j_lp /andP[SCHED PRIO]]].
- enough (EQ : j_lp = j_hp); first by subst; rewrite HP in PRIO.
- by eapply ideal_proc_model_is_a_uniprocessor_model; rt_eauto.
- - rewrite /cumulative_priority_inversion.
- rewrite -[X in _ <= X]addn0 -[ppt - t1]mul1n -iter_addn -big_const_nat.
- by rewrite leq_sum //; intros t _; destruct (priority_inversion_dec).
- - rewrite leq_subLR.
- apply leq_trans with (t1 + max_length_of_priority_inversion j t1); first by done.
- by rewrite leq_add2l; eapply priority_inversion_is_bounded_by_blocking; eauto 2; apply/eqP.
- Qed.
-
- End PriorityInversionIsBounded.
-
- (** ** Response-Time Bound *)
- (** In this section, we prove that the maximum among the solutions of the response-time
- bound recurrence is a response-time bound for [tsk]. *)
- Section ResponseTimeBound.
-
- (** Let L be any positive fixed point of the busy interval recurrence. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = total_rbf L.
-
- (** Consider any value [R], and assume that for any given arrival
- offset [A] in the search space, there is a solution of the
- response-time bound recurrence which is bounded by [R]. *)
- Variable R : duration.
- Hypothesis H_R_is_maximum:
- forall (A : duration),
- is_in_search_space L A ->
- exists (F : duration),
- A + F >= blocking_bound A
- + (task_rbf (A + ε) - (task_cost tsk - task_rtct tsk))
- + bound_on_total_hep_workload A (A + F) /\
- R >= F + (task_cost tsk - task_rtct tsk).
-
- (** Then, using the results for the general RTA for EDF-schedulers, we establish a
- response-time bound for the more concrete model of bounded nonpreemptive segments.
- Note that in case of the general RTA for EDF-schedulers, we just _assume_ that
- the priority inversion is bounded. In this module we provide the preemption model
- with bounded nonpreemptive segments and _prove_ that the priority inversion is
- bounded. *)
- Theorem uniprocessor_response_time_bound_edf_with_bounded_nonpreemptive_segments:
- response_time_bounded_by tsk R.
- Proof.
- eapply uniprocessor_response_time_bound_edf; rt_eauto.
- - by apply priority_inversion_is_bounded.
- - move=> A BPI_SP.
- by apply H_R_is_maximum, search_space_inclusion.
- Qed.
-
- End ResponseTimeBound.
-
-End RTAforEDFwithBoundedNonpreemptiveSegmentsWithArrivalCurves.
diff --git a/results/edf/rta/bounded_pi.v b/results/edf/rta/bounded_pi.v
deleted file mode 100644
index 2a5d9d632260fed8d11b81914caabce88b416384..0000000000000000000000000000000000000000
--- a/results/edf/rta/bounded_pi.v
+++ /dev/null
@@ -1,441 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Export prosa.analysis.facts.priority.edf.
-Require Export prosa.analysis.definitions.schedulability.
-Require Import prosa.model.readiness.basic.
-Require Import prosa.model.priority.edf.
-Require Import prosa.model.task.absolute_deadline.
-Require Import prosa.analysis.abstract.ideal_jlfp_rta.
-Require Import prosa.analysis.facts.busy_interval.carry_in.
-Require Import prosa.analysis.facts.readiness.basic.
-Require Import prosa.analysis.facts.busy_interval.ideal.inequalities.
-
-
-(** * Abstract RTA for EDF-schedulers with Bounded Priority Inversion *)
-(** In this module we instantiate the Abstract Response-Time analysis
- (aRTA) to EDF-schedulers for ideal uni-processor model of
- real-time tasks with arbitrary arrival models. *)
-
-(** Given EDF priority policy and an ideal uni-processor scheduler
- model, we can explicitly specify [interference],
- [interfering_workload], and [interference_bound_function]. In this
- settings, we can define natural notions of service, workload, busy
- interval, etc. The important feature of this instantiation is that
- we can induce the meaningful notion of priority
- inversion. However, we do not specify the exact cause of priority
- inversion (as there may be different reasons for this, like
- execution of a non-preemptive segment or blocking due to resource
- locking). We only assume that that a priority inversion is
- bounded. *)
-
-Section AbstractRTAforEDFwithArrivalCurves.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskDeadline Task}.
- Context `{TaskRunToCompletionThreshold Task}.
- Context `{TaskMaxNonpreemptiveSegment Task}.
-
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context {Arrival : JobArrival Job}.
- Context {Cost : JobCost Job}.
- Context `{JobPreemptable Job}.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** For clarity, let's denote the relative deadline of a task as D. *)
- Let D tsk := task_deadline tsk.
-
- (** Consider the EDF policy that indicates a higher-or-equal priority relation.
- Note that we do not relate the EDF policy with the scheduler. However, we
- define functions for Interference and Interfering Workload that actively use
- the concept of priorities. *)
- Let EDF := EDF Job.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Next, consider any valid ideal uni-processor schedule of this arrival sequence
- that follows the scheduling policy. *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
- Hypothesis H_respects_policy : respects_JLFP_policy_at_preemption_point arr_seq sched EDF.
-
- (** Note that we differentiate between abstract and
- classical notions of work conserving schedule. *)
- Let work_conserving_ab := definitions.work_conserving arr_seq sched.
- Let work_conserving_cl := work_conserving.work_conserving arr_seq sched.
-
- (** We assume that the schedule is a work-conserving schedule
- in the _classical_ sense, and later prove that the hypothesis
- about abstract work-conservation also holds. *)
- Hypothesis H_work_conserving : work_conserving_cl.
-
- (** Assume that a job cost cannot be larger than a task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Consider an arbitrary task set ts. *)
- Variable ts : list Task.
-
- (** Next, we assume that all jobs come from the task set. *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for any task [tsk] in ts
- [max_arrival tsk] is (1) an arrival bound of [tsk], and (2) it is a monotonic function
- that equals 0 for the empty interval delta = 0. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Consider a valid preemption model... *)
- Hypothesis H_valid_preemption_model:
- valid_preemption_model arr_seq sched.
-
- (** ...and a valid task run-to-completion threshold function. That
- is, [task_rtct tsk] is (1) no bigger than [tsk]'s cost, (2) for
- any job of task [tsk] [job_rtct] is bounded by [task_rtct]. *)
- Hypothesis H_valid_run_to_completion_threshold:
- valid_task_run_to_completion_threshold arr_seq tsk.
-
- (** We introduce [rbf] as an abbreviation of the task request bound function,
- which is defined as [task_cost(T) × max_arrivals(T,Δ)] for some task T. *)
- Let rbf := task_request_bound_function.
-
- (** Next, we introduce [task_rbf] as an abbreviation
- of the task request bound function of task [tsk]. *)
- Let task_rbf := rbf tsk.
-
- (** Using the sum of individual request bound functions, we define the request bound
- function of all tasks (total request bound function). *)
- Let total_rbf := total_request_bound_function ts.
-
- (** Assume that there exists a bound on the length of any priority inversion experienced
- by any job of task [tsk]. Since we analyze only task [tsk], we ignore the lengths of priority
- inversions incurred by any other tasks.*)
- Variable priority_inversion_bound: duration -> duration.
- Hypothesis H_priority_inversion_is_bounded:
- priority_inversion_is_bounded_by
- arr_seq sched tsk priority_inversion_bound.
-
- (** Let L be any positive fixed point of the busy interval recurrence. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = total_rbf L.
-
- (** Next, we define an upper bound on interfering workload received from jobs
- of other tasks with higher-than-or-equal priority. *)
- Let bound_on_total_hep_workload (A Δ : duration) :=
- \sum_(tsk_o <- ts | tsk_o != tsk)
- rbf tsk_o (minn ((A + ε) + D tsk - D tsk_o) Δ).
-
- (** To reduce the time complexity of the analysis, we introduce the notion of search space for EDF.
- Intuitively, this corresponds to all "interesting" arrival offsets that the job under
- analysis might have with regard to the beginning of its busy-window. *)
-
- (** In the case of the search space for EDF, we consider three conditions.
- First, we ask whether [task_rbf A ≠task_rbf (A + ε)]. *)
- Definition task_rbf_changes_at (A : duration) := task_rbf A != task_rbf (A + ε).
-
- (** Second, we ask whether there exists a task [tsko] from ts such that [tsko
- ≠tsk] and [rbf(tsko, A + D tsk - D tsko) ≠rbf(tsko, A + ε + D tsk - D
- tsko)]. Note that we use a slightly uncommon notation [has (λ tsko ⇒ P
- tskâ‚’) ts], which can be interpreted as follows: the task set [ts] contains
- a task [tsko] such that a predicate [P] holds for [tsko]. *)
- Definition bound_on_total_hep_workload_changes_at A :=
- has (fun tsko =>
- (tsk != tsko)
- && (rbf tsko (A + D tsk - D tsko)
- != rbf tsko ((A + ε) + D tsk - D tsko))) ts.
-
- (** Third, we ask whether [priority_inversion_bound (A - ε) ≠priority_inversion_bound A]. *)
- Definition priority_inversion_changes_at (A : duration) :=
- priority_inversion_bound (A - ε) != priority_inversion_bound A.
-
- (** The final search space for EDF is a set of offsets that are less than [L]
- and where [priority_inversion_bound], [task_rbf], or
- [bound_on_total_hep_workload] changes in value. *)
- Definition is_in_search_space (A : duration) :=
- (A < L) && (priority_inversion_changes_at A
- || task_rbf_changes_at A
- || bound_on_total_hep_workload_changes_at A).
-
- (** Let [R] be a value that upper-bounds the solution of each
- response-time recurrence, i.e., for any relative arrival time [A]
- in the search space, there exists a corresponding solution [F]
- such that [R >= F + (task cost - task lock-in service)]. *)
- Variable R : duration.
- Hypothesis H_R_is_maximum:
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= priority_inversion_bound A
- + (task_rbf (A + ε) - (task_cost tsk - task_rtct tsk))
- + bound_on_total_hep_workload A (A + F) /\
- R >= F + (task_cost tsk - task_rtct tsk).
-
- (** To use the theorem uniprocessor_response_time_bound_seq from the Abstract RTA module,
- we need to specify functions of interference, interfering workload and [IBF_other]. *)
-
- (** Instantiation of Interference *)
- (** We say that job j incurs interference at time t iff it cannot execute due to
- a higher-or-equal-priority job being scheduled, or if it incurs a priority inversion. *)
- Let interference (j : Job) (t : instant) :=
- ideal_jlfp_rta.interference arr_seq sched j t.
-
- (** Instantiation of Interfering Workload *)
- (** The interfering workload, in turn, is defined as the sum of the priority inversion
- function and interfering workload of jobs with higher or equal priority. *)
- Let interfering_workload (j : Job) (t : instant) :=
- ideal_jlfp_rta.interfering_workload arr_seq sched j t.
-
- (** Finally, we define the interference bound function ([IBF_other]). [IBF_other] bounds
- the interference if tasks are sequential. Since tasks are sequential, we exclude
- interference from other jobs of the same task. For EDF, we define [IBF_other] as
- the sum of the priority interference bound and the higher-or-equal-priority workload. *)
- Let IBF_other (A R : duration) := priority_inversion_bound A + bound_on_total_hep_workload A R.
-
- (** ** Filling Out Hypothesis Of Abstract RTA Theorem *)
- (** In this section we prove that all hypotheses necessary
- to use the abstract theorem are satisfied. *)
- Section FillingOutHypothesesOfAbstractRTATheorem.
-
-
- (** First, we prove that [IBF_other] is indeed an interference bound. *)
- Section TaskInterferenceIsBoundedByIBF_other.
-
-
- Section HepWorkloadBound.
-
- (** Consider an arbitrary job [j] of [tsk]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
- Hypothesis H_job_cost_positive: job_cost_positive j.
-
- (** Consider any busy interval <<[t1, t2)>> of job [j]. *)
- Variable t1 t2 : duration.
- Hypothesis H_busy_interval :
- definitions.busy_interval sched interference interfering_workload j t1 t2.
-
- (** Let's define A as a relative arrival time of job j (with respect to time t1). *)
- Let A := job_arrival j - t1.
-
- (** Consider an arbitrary shift Δ inside the busy interval ... *)
- Variable Δ : duration.
- Hypothesis H_Δ_in_busy : t1 + Δ < t2.
-
- (** ... and the set of all arrivals between [t1] and [t1 + Δ]. *)
- Let jobs := arrivals_between arr_seq t1 (t1 + Δ).
-
- (** We define a predicate [EDF_from tsk].Predicate [EDF_from tsk]
- holds true for any job [jo] of task [tsk] such that
- [job_deadline jo <= job_deadline j]. *)
- Let EDF_from (tsk : Task) := fun (jo : Job) => EDF jo j && (job_task jo == tsk).
-
- (** Now, consider the case where [A + ε + D tsk - D tsk_o ≤ Δ]. *)
- Section ShortenRange.
-
- (** Consider an arbitrary task [tsk_o ≠tsk] from [ts]. *)
- Variable tsk_o : Task.
- Hypothesis H_tsko_in_ts: tsk_o \in ts.
- Hypothesis H_neq: tsk_o != tsk.
-
- (** And assume that [A + ε + D tsk - D tsk_o ≤ Δ]. *)
- Hypothesis H_Δ_ge: A + ε + D tsk - D tsk_o <= Δ.
-
-
- (** Then we prove that the total workload of jobs with
- higher-or-equal priority from task [tsk_o] over time
- interval [t1, t1 + Δ] is bounded by workload over time
- interval [t1, t1 + A + ε + D tsk - D tsk_o].
- The intuition behind this inequality is that jobs which arrive
- after time instant [t1 + A + ε + D tsk - D tsk_o] has smaller priority
- than job [j] due to the term [D tsk - D tsk_o]. *)
- Lemma total_workload_shorten_range:
- workload_of_jobs (EDF_from tsk_o) (arrivals_between arr_seq t1 (t1 + Δ))
- <= workload_of_jobs (EDF_from tsk_o) (arrivals_between arr_seq t1 (t1 + (A + ε + D tsk - D tsk_o))).
- Proof.
- have BOUNDED: t1 + (A + ε + D tsk - D tsk_o) <= t1 + Δ by lia.
- rewrite (workload_of_jobs_nil_tail _ _ BOUNDED) // => j' IN'; rt_eauto.
- rewrite /EDF_from /ε => ARR'.
- case: (eqVneq (job_task j') tsk_o) => TSK';
- last by rewrite andbF.
- rewrite andbT; apply: contraT => /negPn.
- rewrite /EDF/edf.EDF/job_deadline/job_deadline_from_task_deadline.
- move: H_job_of_tsk; rewrite TSK' /job_of_task => /eqP -> HEP.
- have LATEST: job_arrival j' <= t1 + A + D tsk - D tsk_o by rewrite /D/A; lia.
- have EARLIEST: t1 <= job_arrival j' by apply: job_arrival_between_ge; rt_eauto.
- by case: (leqP (A + 1 + D tsk) (D tsk_o)); [rewrite /D/A|]; lia.
- Qed.
-
- End ShortenRange.
-
- (** Using the above lemma, we prove that total
- workload of tasks is at most [bound_on_total_hep_workload(A, Δ)]. *)
- Corollary sum_of_workloads_is_at_most_bound_on_total_hep_workload :
- \sum_(tsk_o <- ts | tsk_o != tsk) workload_of_jobs (EDF_from tsk_o) jobs
- <= bound_on_total_hep_workload A Δ.
- Proof.
- move: (H_busy_interval) => [[/andP [JINBI JINBI2] [QT _]] _].
- apply leq_sum_seq => tsko INtsko NEQT.
- edestruct (leqP Δ (A + ε + D tsk - D tsko)) as [NEQ|NEQ]; [ | apply ltnW in NEQ].
- - apply (workload_le_rbf arr_seq ts); try by done.
- - eapply leq_trans; first by eapply total_workload_shorten_range; eauto 2.
- eapply workload_le_rbf; rt_eauto.
- Qed.
-
- End HepWorkloadBound.
-
- (** Recall that in module abstract_seq_RTA hypothesis
- task_interference_is_bounded_by expects to receive a function
- that maps some task t, the relative arrival time of a job j of
- task t, and the length of the interval to the maximum amount
- of interference.
-
- However, in this module we analyze only one task -- [tsk],
- therefore it is “hard-coded†inside the interference bound
- function [IBF_other]. Therefore, in order for the [IBF_other] signature to
- match the required signature in module abstract_seq_RTA, we
- wrap the [IBF_other] function in a function that accepts, but simply
- ignores the task. *)
- Corollary instantiated_task_interference_is_bounded:
- task_interference_is_bounded_by
- arr_seq sched tsk interference interfering_workload (fun tsk A R => IBF_other A R).
- Proof.
- rewrite /task_interference_is_bounded_by.
- move => j R2 t1 t2 ARR TSK N NCOMPL BUSY.
- move: (posnP (@job_cost _ Cost j)) => [ZERO|POS].
- - exfalso; move: NCOMPL => /negP COMPL; apply: COMPL.
- by rewrite /completed_by /completed_by ZERO.
- - move: (BUSY) => [[/andP [JINBI JINBI2] [QT _]] _].
- rewrite (cumulative_task_interference_split arr_seq _ sched _ _ _ _ _ tsk j); rt_eauto;
- last first.
- + by eapply arrived_between_implies_in_arrivals; rt_eauto.
- + by eapply EDF_implies_sequential_tasks; rt_eauto.
- rewrite /I leq_add //; first by eapply cumulative_priority_inversion_is_bounded; rt_eauto.
- eapply leq_trans; first by eapply cumulative_interference_is_bounded_by_total_service; rt_eauto.
- eapply leq_trans; first by eapply service_of_jobs_le_workload; rt_eauto.
- eapply leq_trans.
- * eapply reorder_summation; rt_eauto.
- move => j' IN.
- apply H_all_jobs_from_taskset.
- eapply in_arrivals_implies_arrived.
- by exact IN.
- * move : TSK => /eqP TSK.
- rewrite TSK.
- move : TSK => /eqP TSK.
- by eapply leq_trans;
- first by eapply sum_of_workloads_is_at_most_bound_on_total_hep_workload; rt_eauto.
- Qed.
-
-
- End TaskInterferenceIsBoundedByIBF_other.
-
- (** Finally, we show that there exists a solution for the response-time recurrence. *)
- Section SolutionOfResponseTimeReccurenceExists.
-
- (** Consider any job j of [tsk]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** Given any job j of task [tsk] that arrives exactly A units after the beginning of
- the busy interval, the bound of the total interference incurred by j within an
- interval of length Δ is equal to [task_rbf (A + ε) - task_cost tsk + IBF_other(A, Δ)]. *)
- Let total_interference_bound tsk (A Δ : duration) :=
- task_rbf (A + ε) - task_cost tsk + IBF_other A Δ.
-
- (** Next, consider any A from the search space (in abstract sense). *)
- Variable A : duration.
- Hypothesis H_A_is_in_abstract_search_space:
- search_space.is_in_search_space tsk L total_interference_bound A.
-
- (** We prove that A is also in the concrete search space. *)
- Lemma A_is_in_concrete_search_space:
- is_in_search_space A.
- Proof.
- move: H_A_is_in_abstract_search_space => [-> | [/andP [POSA LTL] [x [LTx INSP2]]]];
- apply/andP; split => //.
- { apply/orP; left; apply/orP; right.
- rewrite /task_rbf_changes_at /task_rbf /rbf task_rbf_0_zero //; eauto 2.
- apply contraT => /negPn /eqP ZERO.
- rewrite -(ltnn 0) {2}ZERO add0n.
- apply: (@leq_trans (task_cost tsk));
- last by apply: task_rbf_1_ge_task_cost; rt_eauto.
- apply: (@leq_trans (job_cost j)) => //.
- move: (H_job_of_tsk) => /eqP <-.
- by apply: (H_valid_job_cost _ H_j_arrives). }
- { apply contraT; rewrite !negb_or => /andP [/andP [/negPn/eqP PI /negPn/eqP RBF] WL].
- exfalso; apply INSP2.
- rewrite /total_interference_bound subnK // RBF.
- apply /eqP; rewrite eqn_add2l /IBF_other PI eqn_add2l.
- rewrite /bound_on_total_hep_workload subnK //.
- apply /eqP; rewrite big_seq_cond [RHS]big_seq_cond.
- apply eq_big => // tsk_i /andP [TS OTHER].
- move: WL; rewrite /bound_on_total_hep_workload_changes_at => /hasPn WL.
- move: {WL} (WL tsk_i TS) => /nandP [/negPn/eqP EQ|/negPn/eqP WL];
- first by move: OTHER; rewrite EQ => /neqP.
- case: (ltngtP (A + ε + D tsk - D tsk_i) x) => [ltn_x|gtn_x|eq_x];
- rewrite /minn.
- { by rewrite ifT //; lia. }
- { rewrite ifF //.
- by move: gtn_x; rewrite leq_eqVlt /ε => /orP [/eqP EQ|LEQ]; lia. }
- { case: (A + D tsk - D tsk_i < x).
- - by rewrite WL.
- - by rewrite eq_x. } }
- Qed.
-
- (** Then, there exists solution for response-time recurrence (in the abstract sense). *)
- Corollary correct_search_space:
- exists F,
- A + F >= task_rbf (A + ε) - (task_cost tsk - task_rtct tsk) + IBF_other A (A + F) /\
- R >= F + (task_cost tsk - task_rtct tsk).
- Proof.
- edestruct H_R_is_maximum as [F [FIX NEQ]]; first by apply A_is_in_concrete_search_space.
- exists F; split; last by done.
- rewrite -{2}(leqRW FIX).
- by rewrite addnA [_ + priority_inversion_bound A]addnC -!addnA.
- Qed.
-
- End SolutionOfResponseTimeReccurenceExists.
-
- End FillingOutHypothesesOfAbstractRTATheorem.
-
- (** ** Final Theorem *)
- (** Based on the properties established above, we apply the abstract analysis
- framework to infer that R is a response-time bound for [tsk]. *)
- Theorem uniprocessor_response_time_bound_edf:
- task_response_time_bound arr_seq sched tsk R.
- Proof.
- move => js ARRs TSKs.
- move: (posnP (@job_cost _ Cost js)) => [ZERO|POS].
- { by rewrite /job_response_time_bound /completed_by ZERO. }
- ( try ( eapply uniprocessor_response_time_bound_seq with
- (interference0 := interference) (interfering_workload0 := interfering_workload)
- (task_interference_bound_function := fun tsk A R => IBF_other A R) (L0 := L) ) ||
- eapply uniprocessor_response_time_bound_seq with
- (interference := interference) (interfering_workload := interfering_workload)
- (task_interference_bound_function := fun tsk A R => IBF_other A R) (L := L)); rt_eauto.
- - by eapply instantiated_i_and_w_are_coherent_with_schedule; rt_eauto.
- * eapply EDF_implies_sequential_tasks; rt_eauto.
- - by eapply instantiated_interference_and_workload_consistent_with_sequential_tasks; rt_eauto.
- - by eapply instantiated_busy_intervals_are_bounded; rt_eauto.
- - by apply instantiated_task_interference_is_bounded.
- - by eapply correct_search_space; eauto 2.
- Qed.
-
-End AbstractRTAforEDFwithArrivalCurves.
diff --git a/results/edf/rta/floating_nonpreemptive.v b/results/edf/rta/floating_nonpreemptive.v
deleted file mode 100644
index b11bc393ab8ecbbfef5df5cf7c51d66b22ef450f..0000000000000000000000000000000000000000
--- a/results/edf/rta/floating_nonpreemptive.v
+++ /dev/null
@@ -1,153 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Import prosa.model.readiness.basic.
-Require Export prosa.results.edf.rta.bounded_nps.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.floating.
-Require Export prosa.analysis.facts.readiness.sequential.
-Require Import prosa.model.priority.edf.
-
-(** * RTA for EDF with Floating Non-Preemptive Regions *)
-(** In this module we prove the RTA theorem for floating non-preemptive regions EDF model. *)
-
-(** ** Setup and Assumptions *)
-
-Section RTAforModelWithFloatingNonpreemptiveRegionsWithArrivalCurves.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskDeadline Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** We assume that jobs are limited-preemptive. *)
- #[local] Existing Instance limited_preemptive_job_model.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Assume we have the model with floating non-preemptive regions.
- I.e., for each task only the length of the maximal non-preemptive
- segment is known _and_ each job level is divided into a number
- of non-preemptive segments by inserting preemption points. *)
- Context `{JobPreemptionPoints Job}
- `{TaskMaxNonpreemptiveSegment Task}.
- Hypothesis H_valid_task_model_with_floating_nonpreemptive_regions:
- valid_model_with_floating_nonpreemptive_regions arr_seq.
-
- (** Consider an arbitrary task set ts, ... *)
- Variable ts : list Task.
-
- (** ... assume that all jobs come from this task set, ... *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** ... and the cost of a job cannot be larger than the task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for
- any task [tsk] in ts [max_arrival tsk] is (1) an arrival bound of
- [tsk], and (2) it is a monotonic function that equals 0 for the
- empty interval delta = 0. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Next, consider any valid ideal uni-processor schedule with limited
- preemptions of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid: valid_schedule sched arr_seq.
- Hypothesis H_schedule_with_limited_preemptions:
- schedule_respects_preemption_model arr_seq sched.
-
- (** Next, we assume that the schedule is a work-conserving schedule... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy. *)
- Hypothesis H_respects_policy : respects_JLFP_policy_at_preemption_point arr_seq sched (EDF Job).
-
- (** ** Total Workload and Length of Busy Interval *)
-
- (** We introduce the abbreviation [rbf] for the task request bound function,
- which is defined as [task_cost(T) × max_arrivals(T,Δ)] for a task T. *)
- Let rbf := task_request_bound_function.
-
- (** Next, we introduce [task_rbf] as an abbreviation
- for the task request bound function of task [tsk]. *)
- Let task_rbf := rbf tsk.
-
- (** Using the sum of individual request bound functions, we define the request bound
- function of all tasks (total request bound function). *)
- Let total_rbf := total_request_bound_function ts.
-
- (** We define a bound for the priority inversion caused by jobs with lower priority. *)
- Definition blocking_bound A :=
- \max_(tsk_other <- ts | (blocking_relevant tsk_other)
- && (task_deadline tsk_other > task_deadline tsk + A))
- (task_max_nonpreemptive_segment tsk_other - ε).
-
- (** Next, we define an upper bound on interfering workload received from jobs
- of other tasks with higher-than-or-equal priority. *)
- Let bound_on_total_hep_workload A Δ :=
- \sum_(tsk_o <- ts | tsk_o != tsk)
- rbf tsk_o (minn ((A + ε) + task_deadline tsk - task_deadline tsk_o) Δ).
-
- (** Let L be any positive fixed point of the busy interval recurrence. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = total_rbf L.
-
- (** ** Response-Time Bound *)
-
- (** To reduce the time complexity of the analysis, recall the notion of search space. *)
- Let is_in_search_space := bounded_nps.is_in_search_space ts tsk L.
-
- (** Consider any value [R], and assume that for any given arrival
- offset [A] in the search space, there is a solution of the
- response-time bound recurrence which is bounded by [R]. *)
- Variable R : duration.
- Hypothesis H_R_is_maximum:
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= blocking_bound A + task_rbf (A + ε) + bound_on_total_hep_workload A (A + F) /\
- R >= F.
-
- (** Now, we can leverage the results for the abstract model with
- bounded nonpreemptive segments to establish a response-time
- bound for the more concrete model with floating nonpreemptive
- regions. *)
-
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- Theorem uniprocessor_response_time_bound_edf_with_floating_nonpreemptive_regions:
- response_time_bounded_by tsk R.
- Proof.
- move: (H_valid_task_model_with_floating_nonpreemptive_regions) => [LIMJ JMLETM].
- move: (LIMJ) => [BEG [END _]].
- try ( eapply uniprocessor_response_time_bound_edf_with_bounded_nonpreemptive_segments with (L0 := L) ) ||
- eapply uniprocessor_response_time_bound_edf_with_bounded_nonpreemptive_segments with (L := L).
- all: rt_eauto.
- rewrite subnn.
- intros A SP.
- apply H_R_is_maximum in SP.
- move: SP => [F [EQ LE]].
- exists F.
- by rewrite subn0 addn0; split.
- Qed.
-
-End RTAforModelWithFloatingNonpreemptiveRegionsWithArrivalCurves.
diff --git a/results/edf/rta/fully_nonpreemptive.v b/results/edf/rta/fully_nonpreemptive.v
deleted file mode 100644
index a09f5bf2c9821e7143d60a373e2c105cf294bc19..0000000000000000000000000000000000000000
--- a/results/edf/rta/fully_nonpreemptive.v
+++ /dev/null
@@ -1,148 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Import prosa.model.readiness.basic.
-Require Export prosa.results.edf.rta.bounded_nps.
-Require Export prosa.analysis.facts.preemption.task.nonpreemptive.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.nonpreemptive.
-Require Export prosa.analysis.facts.readiness.basic.
-Require Export prosa.model.task.preemption.fully_nonpreemptive.
-Require Import prosa.model.priority.edf.
-
-(** * RTA for Fully Non-Preemptive EDF *)
-(** In this module we prove the RTA theorem for the fully non-preemptive EDF model. *)
-
-(** ** Setup and Assumptions *)
-
-Section RTAforFullyNonPreemptiveEDFModelwithArrivalCurves.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskDeadline Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** We assume that jobs and tasks are fully nonpreemptive. *)
- #[local] Existing Instance fully_nonpreemptive_job_model.
- #[local] Existing Instance fully_nonpreemptive_task_model.
- #[local] Existing Instance fully_nonpreemptive_rtc_threshold.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Consider an arbitrary task set ts, ... *)
- Variable ts : list Task.
-
- (** ... assume that all jobs come from this task set, ... *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** ... and the cost of a job cannot be larger than the task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for
- any task [tsk] in ts [max_arrival tsk] is (1) an arrival bound of
- [tsk], and (2) it is a monotonic function that equals 0 for the
- empty interval delta = 0. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Next, consider any valid ideal non-preemptive uniprocessor schedule of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid: valid_schedule sched arr_seq.
- Hypothesis H_nonpreemptive_sched : nonpreemptive_schedule sched.
-
- (** Next, we assume that the schedule is a work-conserving schedule... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy. *)
- Hypothesis H_respects_policy : respects_JLFP_policy_at_preemption_point arr_seq sched (EDF Job).
-
- (** ** Total Workload and Length of Busy Interval *)
-
- (** We introduce the abbreviation [rbf] for the task request bound function,
- which is defined as [task_cost(T) × max_arrivals(T,Δ)] for a task T. *)
- Let rbf := task_request_bound_function.
-
- (** Next, we introduce [task_rbf] as an abbreviation
- for the task request bound function of task [tsk]. *)
- Let task_rbf := rbf tsk.
-
- (** Using the sum of individual request bound functions, we define the request bound
- function of all tasks (total request bound function). *)
- Let total_rbf := total_request_bound_function ts.
-
- (** We also define a bound for the priority inversion caused by jobs with lower priority. *)
- Let blocking_bound A :=
- \max_(tsk_o <- ts | (blocking_relevant tsk_o)
- && (task_deadline tsk_o > task_deadline tsk + A))
- (task_cost tsk_o - ε).
-
- (** Next, we define an upper bound on interfering workload received from jobs
- of other tasks with higher-than-or-equal priority. *)
- Let bound_on_total_hep_workload A Δ :=
- \sum_(tsk_o <- ts | tsk_o != tsk)
- rbf tsk_o (minn ((A + ε) + task_deadline tsk - task_deadline tsk_o) Δ).
-
- (** Let L be any positive fixed point of the busy interval recurrence. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = total_rbf L.
-
- (** ** Response-Time Bound *)
-
- (** To reduce the time complexity of the analysis, recall the notion of search space. *)
- Let is_in_search_space := bounded_nps.is_in_search_space ts tsk L.
-
- (** Consider any value [R], and assume that for any given arrival
- offset [A] in the search space, there is a solution of the
- response-time bound recurrence which is bounded by [R]. *)
- Variable R: nat.
- Hypothesis H_R_is_maximum:
- forall A,
- is_in_search_space A ->
- exists F,
- A + F >= blocking_bound A + (task_rbf (A + ε) - (task_cost tsk - ε))
- + bound_on_total_hep_workload A (A + F) /\
- R >= F + (task_cost tsk - ε).
-
- (** Now, we can leverage the results for the abstract model with bounded nonpreemptive segments
- to establish a response-time bound for the more concrete model of fully nonpreemptive scheduling. *)
-
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- Theorem uniprocessor_response_time_bound_fully_nonpreemptive_edf:
- response_time_bounded_by tsk R.
- Proof.
- case: (posnP (task_cost tsk)) => [ZERO|POS].
- { intros j ARR TSK.
- have ZEROj: job_cost j = 0.
- { move: (H_valid_job_cost j ARR) => NEQ.
- rewrite /valid_job_cost in NEQ.
- move: TSK => /eqP -> in NEQ.
- rewrite ZERO in NEQ.
- by apply/eqP; rewrite -leqn0.
- }
- by rewrite /job_response_time_bound /completed_by ZEROj.
- }
- try ( eapply uniprocessor_response_time_bound_edf_with_bounded_nonpreemptive_segments with (L0 := L) ) ||
- eapply uniprocessor_response_time_bound_edf_with_bounded_nonpreemptive_segments with (L := L).
- all: rt_eauto.
- Qed.
-
-End RTAforFullyNonPreemptiveEDFModelwithArrivalCurves.
diff --git a/results/edf/rta/fully_preemptive.v b/results/edf/rta/fully_preemptive.v
deleted file mode 100644
index 1b4941921966191b5c09138e8655bbc3aa9ab7e3..0000000000000000000000000000000000000000
--- a/results/edf/rta/fully_preemptive.v
+++ /dev/null
@@ -1,144 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Import prosa.model.readiness.basic.
-Require Import prosa.results.edf.rta.bounded_nps.
-Require Export prosa.analysis.facts.preemption.task.preemptive.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.preemptive.
-Require Export prosa.analysis.facts.readiness.basic.
-Require Import prosa.model.task.preemption.fully_preemptive.
-Require Import prosa.model.priority.edf.
-
-(** * RTA for Fully Preemptive EDF *)
-(** In this section we prove the RTA theorem for the fully preemptive EDF model *)
-
-(** ** Setup and Assumptions *)
-
-Section RTAforFullyPreemptiveEDFModelwithArrivalCurves.
-
- (** We assume that jobs and tasks are fully preemptive. *)
- #[local] Existing Instance fully_preemptive_job_model.
- #[local] Existing Instance fully_preemptive_task_model.
- #[local] Existing Instance fully_preemptive_rtc_threshold.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskDeadline Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Consider an arbitrary task set ts, ... *)
- Variable ts : list Task.
-
- (** ... assume that all jobs come from this task set, ... *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** ... and the cost of a job cannot be larger than the task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for
- any task [tsk] in ts [max_arrival tsk] is (1) an arrival bound of
- [tsk], and (2) it is a monotonic function that equals 0 for the
- empty interval delta = 0. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Next, consider any valid ideal uniprocessor schedule of the arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid: valid_schedule sched arr_seq.
- Hypothesis H_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched arr_seq.
-
- (** Next, we assume that the schedule is a work-conserving schedule... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy. *)
- Hypothesis H_respects_policy : respects_JLFP_policy_at_preemption_point arr_seq sched (EDF Job).
-
- (** ** Total Workload and Length of Busy Interval *)
-
- (** We introduce the abbreviation [rbf] for the task request bound function,
- which is defined as [task_cost(T) × max_arrivals(T,Δ)] for a task T. *)
- Let rbf := task_request_bound_function.
-
- (** Next, we introduce [task_rbf] as an abbreviation
- for the task request bound function of task [tsk]. *)
- Let task_rbf := rbf tsk.
-
- (** Using the sum of individual request bound functions, we define the request bound
- function of all tasks (total request bound function). *)
- Let total_rbf := total_request_bound_function ts.
-
- (** If jobs are fully preemptive, lower priority jobs do not cause priority inversion.
- Hence, the blocking bound is always 0 for any [A]. *)
- Let blocking_bound (A : duration) := 0.
-
- (** Next, we define an upper bound on interfering workload received from jobs
- of other tasks with higher-than-or-equal priority. *)
- Let bound_on_total_hep_workload A Δ :=
- \sum_(tsk_o <- ts | tsk_o != tsk)
- rbf tsk_o (minn ((A + ε) + task_deadline tsk - task_deadline tsk_o) Δ).
-
- (** Let L be any positive fixed point of the busy interval recurrence. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = total_rbf L.
-
- (** ** Response-Time Bound *)
-
- (** To reduce the time complexity of the analysis, recall the notion of search space. *)
- Let is_in_search_space := bounded_nps.is_in_search_space ts tsk L.
-
- (** Consider any value [R], and assume that for any given arrival
- offset [A] in the search space, there is a solution of the
- response-time bound recurrence which is bounded by [R]. *)
- Variable R : duration.
- Hypothesis H_R_is_maximum:
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= task_rbf (A + ε) + bound_on_total_hep_workload A (A + F) /\
- R >= F.
-
- (** Now, we can leverage the results for the abstract model with
- bounded non-preemptive segments to establish a response-time
- bound for the more concrete model of fully preemptive
- scheduling. *)
-
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- Theorem uniprocessor_response_time_bound_fully_preemptive_edf:
- response_time_bounded_by tsk R.
- Proof.
- apply: uniprocessor_response_time_bound_edf_with_bounded_nonpreemptive_segments; rt_eauto.
- move => A /andP [LT CHANGE].
- have BLOCK: forall A', bounded_nps.blocking_bound ts tsk A' = blocking_bound A'.
- { by move=> A'; rewrite /bounded_nps.blocking_bound /parameters.task_max_nonpreemptive_segment
- /fully_preemptive_task_model subnn big1_eq. }
- specialize (H_R_is_maximum A); feed H_R_is_maximum; first by apply/andP; split; done.
- move: H_R_is_maximum => [F [FIX BOUND]].
- exists F; split.
- + by rewrite BLOCK add0n subnn subn0.
- + by rewrite subnn addn0.
- Qed.
-
-End RTAforFullyPreemptiveEDFModelwithArrivalCurves.
diff --git a/results/edf/rta/limited_preemptive.v b/results/edf/rta/limited_preemptive.v
deleted file mode 100644
index 691cc6d792fb756f1ad218852f9641215b9763ff..0000000000000000000000000000000000000000
--- a/results/edf/rta/limited_preemptive.v
+++ /dev/null
@@ -1,168 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Export prosa.model.readiness.basic.
-Require Export prosa.results.edf.rta.bounded_nps.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.limited.
-Require Export prosa.analysis.facts.readiness.basic.
-Require Export prosa.model.task.preemption.limited_preemptive.
-Require Export prosa.model.priority.edf.
-
-(** * RTA for EDF with Fixed Preemption Points *)
-(** In this module we prove the RTA theorem for EDF-schedulers with
- fixed preemption points. *)
-
-(** ** Setup and Assumptions *)
-
-Section RTAforFixedPreemptionPointsModelwithArrivalCurves.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskDeadline Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness
- without jitter or self-suspensions, wherein pending jobs are
- always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** We assume that jobs are limited-preemptive. *)
- #[local] Existing Instance limited_preemptive_job_model.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Consider an arbitrary task set ts, ... *)
- Variable ts : list Task.
-
- (** ... assume that all jobs come from this task set, ... *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** ... and the cost of a job cannot be larger than the task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Next, we assume we have the model with fixed preemption points.
- I.e., each task is divided into a number of non-preemptive segments
- by inserting statically predefined preemption points. *)
- Context `{JobPreemptionPoints Job}.
- Context `{TaskPreemptionPoints Task}.
- Hypothesis H_valid_model_with_fixed_preemption_points:
- valid_fixed_preemption_points_model arr_seq ts.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for
- any task [tsk] in ts [max_arrival tsk] is (1) an arrival bound of
- [tsk], and (2) it is a monotonic function that equals 0 for the
- empty interval delta = 0. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Next, consider any valid ideal uni-processor schedule with limited
- preemptions of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid: valid_schedule sched arr_seq.
- Hypothesis H_schedule_with_limited_preemptions:
- schedule_respects_preemption_model arr_seq sched.
-
- (** Next, we assume that the schedule is a work-conserving schedule... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy. *)
- Hypothesis H_respects_policy : respects_JLFP_policy_at_preemption_point arr_seq sched (EDF Job).
-
- (** ** Total Workload and Length of Busy Interval *)
-
- (** We introduce the abbreviation [rbf] for the task request bound function,
- which is defined as [task_cost(T) × max_arrivals(T,Δ)] for a task T. *)
- Let rbf := task_request_bound_function.
-
- (** Next, we introduce [task_rbf] as an abbreviation
- for the task request bound function of task [tsk]. *)
- Let task_rbf := rbf tsk.
-
- (** Using the sum of individual request bound functions, we define the request bound
- function of all tasks (total request bound function). *)
- Let total_rbf := total_request_bound_function ts.
-
- (** We define a bound for the priority inversion caused by jobs with lower priority. *)
- Let blocking_bound A :=
- \max_(tsk_other <- ts | (blocking_relevant tsk_other)
- && (task_deadline tsk_other > task_deadline tsk + A))
- (task_max_nonpreemptive_segment tsk_other - ε).
-
- (** Next, we define an upper bound on interfering workload received from jobs
- of other tasks with higher-than-or-equal priority. *)
- Let bound_on_total_hep_workload A Δ :=
- \sum_(tsk_o <- ts | tsk_o != tsk)
- rbf tsk_o (minn ((A + ε) + task_deadline tsk - task_deadline tsk_o) Δ).
-
- (** Let L be any positive fixed point of the busy interval recurrence. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = total_rbf L.
-
- (** ** Response-Time Bound *)
-
- (** To reduce the time complexity of the analysis, recall the notion of search space. *)
- Let is_in_search_space := bounded_nps.is_in_search_space ts tsk L.
-
- (** Consider any value [R], and assume that for any given arrival
- offset [A] in the search space, there is a solution of the
- response-time bound recurrence which is bounded by [R]. *)
- Variable R : duration.
- Hypothesis H_R_is_maximum:
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= blocking_bound A
- + (task_rbf (A + ε) - (task_last_nonpr_segment tsk - ε))
- + bound_on_total_hep_workload A (A + F) /\
- R >= F + (task_last_nonpr_segment tsk - ε).
-
- (** Now, we can leverage the results for the abstract model with bounded non-preemptive segments
- to establish a response-time bound for the more concrete model of fixed preemption points. *)
-
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- Theorem uniprocessor_response_time_bound_edf_with_fixed_preemption_points:
- response_time_bounded_by tsk R.
- Proof.
- move: (H_valid_model_with_fixed_preemption_points) => [MLP [BEG [END [INCR [HYP1 [HYP2 HYP3]]]]]].
- move: (MLP) => [BEGj [ENDj _]].
- case: (posnP (task_cost tsk)) => [ZERO|POSt].
- { intros j ARR TSK.
- move: (H_valid_job_cost _ ARR) => POSt.
- move: TSK => /eqP TSK; move: POSt; rewrite /valid_job_cost TSK ZERO leqn0; move => /eqP Z.
- by rewrite /job_response_time_bound /completed_by Z.
- }
- try ( eapply uniprocessor_response_time_bound_edf_with_bounded_nonpreemptive_segments with (L0 := L) ) ||
- eapply uniprocessor_response_time_bound_edf_with_bounded_nonpreemptive_segments with (L := L).
- all: rt_eauto.
- rewrite subKn; first by done.
- rewrite /task_last_nonpr_segment -(leq_add2r 1) subn1 !addn1 prednK; last first.
- - rewrite /last0 -nth_last.
- apply HYP3; try by done.
- rewrite -(ltn_add2r 1) !addn1 prednK //.
- move: (number_of_preemption_points_in_task_at_least_two
- _ _ H_valid_model_with_fixed_preemption_points _ H_tsk_in_ts POSt) => Fact2.
- move: (Fact2) => Fact3.
- by rewrite size_of_seq_of_distances // addn1 ltnS // in Fact2.
- - apply leq_trans with (task_max_nonpreemptive_segment tsk).
- + by apply last_of_seq_le_max_of_seq.
- + rewrite -END; last by done.
- apply ltnW; rewrite ltnS; try done.
- by apply max_distance_in_seq_le_last_element_of_seq; eauto 2.
- Qed.
-
-End RTAforFixedPreemptionPointsModelwithArrivalCurves.
diff --git a/results/fifo/rta.v b/results/fifo/rta.v
deleted file mode 100644
index 33ca38b21a43dc5319a966e7d8c7c8dd7a2c46ef..0000000000000000000000000000000000000000
--- a/results/fifo/rta.v
+++ /dev/null
@@ -1,520 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Import prosa.model.readiness.basic.
-Require Import prosa.model.priority.fifo.
-Require Import prosa.analysis.facts.priority.fifo.
-Require Import prosa.analysis.abstract.ideal_jlfp_rta.
-Require Export prosa.analysis.facts.busy_interval.carry_in.
-Require Export prosa.analysis.facts.busy_interval.ideal.inequalities.
-Require Import prosa.analysis.facts.model.task_cost.
-
-(** The formal development and the proofs in this file are described in-depth in
- the following paper:
-
- - Bedarkar et al., _"From Intuition to Coq: A Case Study in Verified
- Response-Time Analysis of FIFO Scheduling"_, RTSS'22.
-
- The interested reader is invited to follow along in parallel both in the
- paper and here. In particular, the below sections labeled _A_ through _H_
- correspond directly to the equivalently labeled subsections in Section IV of
- the paper. *)
-
-
-(** * Response-Time Analysis for FIFO Schedulers *)
-
-(** In the following, we derive a response-time analysis for FIFO schedulers,
- assuming a workload of sporadic real-time tasks characterized by arbitrary
- arrival curves executing upon an ideal uniprocessor. To this end, we
- instantiate the _abstract Response-Time Analysis_ (aRTA) as provided in the
- [prosa.analysis.abstract] module. *)
-
-Section AbstractRTAforFIFOwithArrivalCurves.
-
- (** ** A. Defining the System Model *)
-
- (** Before any formal claims can be stated, an initial setup is needed to
- define the system model under consideration. To this end, we next
- introduce and define the following notions using Prosa's standard
- definitions and behavioral semantics:
- - tasks, jobs, and their parameters,
- - the sequence of job arrivals,
- - worst-case execution time (WCET) and the absence of self-suspensions,
- - the set of tasks under analysis,
- - the task under analysis, and, finally,
- - an arbitrary schedule of the task set. *)
-
- (** *** Tasks and Jobs *)
-
- (** Consider any type of tasks, each characterized by a WCET [task_cost], an arrival
- curve [max_arrivals], and a run-to-completion threshold [task_rtct], ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{MaxArrivals Task}.
- Context `{TaskRunToCompletionThreshold Task}.
-
- (** ... and any type of jobs associated with these tasks, where each job has
- an arrival time [job_arrival], a cost [job_cost], and an arbitrary
- preemption model indicated by [job_preemptable]. *)
- Context {Job : JobType} `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
- Context `{JobPreemptable Job}.
-
- (** *** The Job Arrival Sequence *)
-
- (** Consider any arrival sequence [arr_seq] with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** *** Absence of Self-Suspensions and WCET Compliance *)
-
- (** We assume the classic (i.e., Liu & Layland) model of readiness without
- jitter or self-suspensions, wherein [pending] jobs are always ready. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** We further require that a job's cost cannot exceed its task's stated
- WCET. *)
- Hypothesis H_valid_job_cost : arrivals_have_valid_job_costs arr_seq.
-
- (** *** The Task Set *)
-
- (** We consider an arbitrary task set [ts]... *)
- Variable ts : seq Task.
-
- (** ... and assume that all jobs stem from tasks in this task set. *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** Furthermore, we assume that [max_arrivals] is a family of valid arrival
- curves that constrains the arrival sequence [arr_seq], i.e., for any task
- [tsk] in [ts], [max_arrival tsk] is (1) an arrival bound of [tsk], and ... *)
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** ... (2) a monotonic function that equals 0 for the empty interval [delta = 0]. *)
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
-
- (** *** The Task Under Analysis *)
-
- (** Let [tsk] be any task in [ts] that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** We assume that [tsk] is described by a valid task _run-to-completion
- threshold_. That is, there exists a task parameter [task_rtct] such
- that [task_rtct tsk] is
- - (1) no larger than [tsk]'s WCET, and
- - (2) for any job of task [tsk], the job's run-to-completion threshold
- [job_rtct] is bounded by [task_rtct tsk]. *)
- Hypothesis H_valid_run_to_completion_threshold :
- valid_task_run_to_completion_threshold arr_seq tsk.
-
- (** *** The Schedule *)
-
- (** Finally, consider any arbitrary, valid ideal uni-processor schedule of the
- given arrival sequence [arr_seq] (and hence the given task set [ts]). *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_valid_schedule : valid_schedule sched arr_seq.
-
- (** We assume that the schedule complies with the preemption model ... *)
- Hypothesis H_valid_preemption_model : valid_preemption_model arr_seq sched.
-
- (** ... and, last but not least, that it respects the [FIFO] scheduling
- policy. *)
- Hypothesis H_respects_policy_at_preemption_point :
- respects_JLFP_policy_at_preemption_point arr_seq sched (FIFO Job).
-
-
- (** ** B. Encoding the Scheduling Policy and Preemption Model *)
-
- (** With the system model in place, the next step is to encode the scheduling
- policy and preemption model such that aRTA becomes applicable. To this
- end, we encode the semantics of the scheduling policy and preemption model
- using two functions, by convention called [interference] and
- [interfering_workload]. The paper explains the idea behind these two
- functions and how they interact in much more detail. At the code level,
- we fortunately can simply reuse the existing general definitions of
- _interference_ and _interfering workload_ that apply to any job-level
- fixed-priority (JLFP) policy (as provided in the module
- [ideal_jlfp_rta]). *)
- Let interference (j : Job) (t : instant) :=
- ideal_jlfp_rta.interference arr_seq sched j t.
-
- Let interfering_workload (j : Job) (t : instant) :=
- ideal_jlfp_rta.interfering_workload arr_seq sched j t.
-
- (** Please refer to the general definitions (by clicking on the links above)
- to see how they correspond to the definitions provided in Listing 3 of the
- paper (they are identical). *)
-
- (** ** C. Classic and Abstract Work Conservation *)
-
- (** The next step is to connect the classic notion of work conservation with
- the abstract notion assumed by aRTA. First, let us recall the abstract and
- classic notations of work conservation as [work_conserving_ab] and
- [work_conserving_cl], respectively. *)
- Let work_conserving_ab := abstract.definitions.work_conserving arr_seq sched.
- Let work_conserving_cl := work_conserving.work_conserving arr_seq sched.
-
- (** In the following, we make the standard assumption that the schedule is
- work-conserving in the classic sense. *)
- Hypothesis H_work_conserving : work_conserving_cl.
-
- (** As explained in much detail in the paper, a general proof obligation of
- aRTA is to show that its abstract notion of work conservation is also
- satisfied. That is, the classic, policy-specific notion assumed in
- [H_work_conserving] needs to be "translated" into the abstract notion
- understood by aRTA. Fortunately, in our case the proof is trivial: as a
- benefit of reusing the general definitions of [interference] and
- [interfering_workload] for JLFP policies, we can reuse the existing
- general lemma [instantiated_i_and_w_are_coherent_with_schedule]. This
- lemma immediately allows us to conclude that the schedule is
- work-conserving in the abstract sense with respect to [interference] and
- [interfering_workload]. *)
- Fact abstractly_work_conserving : work_conserving_ab interference interfering_workload.
- Proof. by apply: instantiated_i_and_w_are_coherent_with_schedule; rt_eauto. Qed.
-
- (** The preceding fact [abstractly_work_conserving] corresponds to Lemma 1 in
- the paper. To see the correspondence, refer to the definition of
- [definitions.work_conserving] (by clicking the link in the above
- definition). *)
-
- (** ** D. Bounding the Maximum Busy-Window Length *)
-
- (** The next step is to establish a bound on the maximum busy-window length,
- which aRTA requires to be given. *)
-
- (** To this end, we assume that we are given a positive value [L] ...*)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
-
- (** ... that is a fixed point of the following equation. *)
- Hypothesis H_fixed_point : L = total_request_bound_function ts L.
-
- (** Given this definition of [L], it is our proof obligation to show that all
- busy windows (in the _abstract_ sense) are indeed bounded by [L]. To this
- end, let us first recall the notion of a bound on the maximum busy-window
- length (or, interchangeably, busy-interval length) as understood by
- aRTA. *)
- Let busy_windows_are_bounded_by L :=
- busy_intervals_are_bounded_by arr_seq sched tsk interference interfering_workload L.
-
- (** We observe that the length of any (abstract) busy window in [sched] is
- indeed bounded by [L]. Again, the proof is trivial because we can reuse a
- general lemma, namely [instantiated_busy_intervals_are_bounded] in this
- case, due to the choice to reuse the existing JLFP definitions of
- [interference] and [interfering_workload]. *)
- Fact busy_windows_are_bounded : busy_windows_are_bounded_by L.
- Proof. by apply: instantiated_busy_intervals_are_bounded; rt_eauto. Qed.
-
- (** The preceding fact [busy_windows_are_bounded] correspond to Lemma 2 in the
- paper. To clearly see the correspondence, refer to the definition of
- [busy_intervals_are_bounded_by] (by clicking on the link in the definition
- above). *)
-
- (** ** E. Defining the Interference Bound Function (IBF) *)
-
- (** Finally, we define the _interference bound function_ ([IBF]). [IBF] bounds
- the cumulative interference incurred by a job in its busy window. In
- general, aRTA expects to reason about an IBF parametric in two parameters,
- a _relative arrival offset_ [A] and an _interval length_ [Δ], as described
- in the paper. In our specific case, for [FIFO] scheduling, only [A] is
- actually relevant. We therefore define [IBF] as the sum, across all
- tasks, of the per-task request-bound functions (RBFs) in the interval [A +
- ε] minus the WCET of the task under analysis [tsk]. *)
- Let IBF tsk (A Δ : duration) := (\sum_(tsko <- ts) task_request_bound_function tsko (A + ε))
- - task_cost tsk.
-
- (** As discussed in the paper, our proof obligation now is to show that the
- stated [IBF] is indeed correct. To this end, we first establish two
- auxiliary lemmas. *)
-
- (** *** Absence of Priority Inversion *)
-
- (** Because we reuse the general JLFP notions of [interference] and
- [interfering_workload], which allowed us to save much proof effort in the
- preceding sections, we must reason about priority inversion. While
- priority inversion is _conceptually_ not relevant under FIFO scheduling,
- it clearly is a factor in the general JLFP case, and hence shows up in the
- definitions of [interference] and [interfering_workload]. We therefore
- next show it to be _actually_ impossible, too, by proving that, under FIFO
- scheduling, the cumulative priority inversion experienced by a job [j] in
- any interval within its busy window is always [0]. *)
- Section AbsenceOfPriorityInversion.
-
- (** Consider any job [j] of the task under analysis [tsk]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
-
- (** Assume that the job has a positive cost (as we later do not need to
- reason about zero-cost jobs). *)
- Hypothesis H_job_cost_positive: job_cost_positive j.
-
- (** Assume the busy interval of the job [j] is given by <<[t1,t2)>>. *)
- Variable t1 t2 : duration.
- Hypothesis H_busy_interval :
- definitions.busy_interval sched interference interfering_workload j t1 t2.
-
- (** Consider any sub-interval <<[t1, t1 + Δ)>> of the busy interval of [j]. *)
- Variable Δ : duration.
- Hypothesis H_Δ_in_busy : t1 + Δ < t2.
-
- (** We prove that the cumulative priority inversion in the interval <<[t1, t1 + Δ)>>
- is indeed [0]. *)
- Lemma no_priority_inversion:
- cumulative_priority_inversion arr_seq sched j t1 (t1 + Δ) = 0.
- Proof.
- apply /eqP; rewrite -leqn0.
- pose zf : nat -> nat := (fun=> 0).
- have: cumulative_priority_inversion arr_seq sched j t1 (t1 + Δ) <= zf (job_arrival j - t1);
- last by apply.
- apply: cumulative_priority_inversion_is_bounded; rt_eauto.
- have -> : priority_inversion_is_bounded_by arr_seq sched tsk zf
- = priority_inversion_is_bounded_by_constant arr_seq sched tsk 0;
- by try apply: FIFO_implies_no_pi; rt_eauto.
- Qed.
-
- End AbsenceOfPriorityInversion.
-
- (** *** Higher- and Equal-Priority Interference *)
-
- (** Next, we establish a bound on the interference produced by higher- and
- equal-priority jobs. *)
- Section BoundOnHEPWorkload.
-
- (** Consider again a job [j] of the task under analysis [tsk] with a positive cost. *)
- Variable j : Job.
- Hypothesis H_job_of_task : job_of_task tsk j.
- Hypothesis H_j_in_arrivals : arrives_in arr_seq j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** Consider the (abstract) busy window of [j] and denote it as <<[t1, t2)>>. *)
- Variable t1 t2 : instant.
- Hypothesis H_busy_window :
- definitions.busy_interval sched interference interfering_workload j t1 t2.
-
- (** Consider any arbitrary sub-interval <<[t1, Δ)>> within the busy window
- of [j]. *)
- Variable Δ : instant.
- Hypothesis H_in_busy : t1 + Δ < t2.
-
- (** The cumulative interference from higher- and equal-priority jobs during
- <<[t1, Δ)>> is bounded as follows. *)
- Lemma bound_on_hep_workload :
- \sum_(t1 <= t < t1 + Δ) is_interference_from_another_hep_job sched j t <=
- \sum_(tsko <- ts) task_request_bound_function tsko (job_arrival j - t1 + ε) - task_cost tsk.
- Proof.
- move: H_busy_window => [ [ /andP [LE GT] [QUIETt1 _ ] ] [QUIETt2 EQNs]].
- rewrite (cumulative_i_ohep_eq_service_of_ohep arr_seq); rt_eauto;
- last by rewrite instantiated_quiet_time_equivalent_quiet_time; rt_eauto.
- eapply leq_trans; first by apply service_of_jobs_le_workload; rt_eauto.
- rewrite (leqRW (workload_equal_subset _ _ _ _ _ _ _)); rt_eauto.
- rewrite (workload_minus_job_cost j); rt_eauto;
- last by rewrite /ε; apply job_in_arrivals_between; rt_auto; lia.
- rewrite /workload_of_jobs /IBF (big_rem tsk) //=
- (addnC (task_request_bound_function tsk (job_arrival j - t1 + ε))).
- rewrite -addnBA; last first.
- - apply leq_trans with (task_request_bound_function tsk ε);
- first by apply : (task_rbf_1_ge_task_cost arr_seq); rt_eauto.
- by apply task_rbf_monotone; [apply H_valid_arrival_curve | lia].
- - eapply leq_trans;
- last by erewrite leq_add2l; eapply task_rbf_excl_tsk_bounds_task_workload_excl_j; eauto 1.
- rewrite addnBA.
- + rewrite leq_sub2r //; eapply leq_trans.
- * apply sum_over_partitions_le => j' inJOBS.
- by apply H_all_jobs_from_taskset, (in_arrivals_implies_arrived _ _ _ _ inJOBS).
- * rewrite (big_rem tsk) //= addnC leq_add //; last by rewrite subnKC.
- rewrite big_seq_cond [in X in _ <= X]big_seq_cond big_mkcond [in X in _ <= X]big_mkcond //=.
- apply leq_sum => tsk' _; rewrite andbC //=.
- destruct (tsk' \in rem (T:=Task) tsk ts) eqn:IN; last by [].
- apply rem_in in IN.
- eapply leq_trans;
- last by apply (task_workload_le_task_rbf _ _ _ IN H_valid_job_cost H_is_arrival_curve t1).
- by rewrite addnBAC //= subnKC //= addn1; apply leqW.
- + move : H_job_of_task => TSKj.
- rewrite /task_workload_between /task_workload /workload_of_jobs (big_rem j) //=;
- first by rewrite TSKj; apply leq_addr.
- apply job_in_arrivals_between => //; rt_eauto.
- by apply /andP; split; [| rewrite subnKC; [rewrite addn1 |]].
- Qed.
-
- End BoundOnHEPWorkload.
-
- (** *** Correctness of [IBF] *)
-
- (** Combining the bound on interference due to lower-priority jobs (priority
- inversion, i.e., [no_priority_inversion]) and the interference due to
- higher- or equal-priority jobs ([bound_on_hep_workload]), we can prove
- that [IBF] indeed bounds the total interference. *)
- Lemma IBF_correct :
- job_interference_is_bounded_by arr_seq sched tsk interference interfering_workload IBF.
- Proof.
- move => t1 t2 Δ j ARRj TSKj BUSY IN_BUSY NCOMPL.
- rewrite /cumul_interference cumulative_interference_split; rt_eauto.
- rewrite /IBF /cumulative_priority_inversion.
- have JPOS: job_cost_positive j by rewrite -ltnNge in NCOMPL; unfold job_cost_positive; lia.
- move: (BUSY) => [ [ /andP [LE GT] [QUIETt1 _ ] ] [QUIETt2 EQNs]].
- have CPIB := no_priority_inversion j ARRj _ JPOS t1 t2.
- rewrite /cumulative_priority_inversion in CPIB;
- rewrite /ideal_jlfp_rta.cumulative_priority_inversion CPIB //= add0n.
- by apply: bound_on_hep_workload; rt_eauto.
- Qed.
-
- (** The preceding lemma [IBF_correct] corresponds to Lemma 3 in the paper. To
- see the correspondence more clearly, refer to the definition of
- [job_interference_is_bounded_by] in the above lemma. *)
-
- (** ** F. Defining the Search Space *)
-
- (** In this section, we define the concrete search space for [FIFO] and relate
- it to the abstract search space of aRTA. In the case of [FIFO], the concrete
- search space is the set of offsets less than [L] such that there exists a
- task [tsk'] in [ts] such that [r bf tsk' (A) ≠rbf tsk' (A + ε)]. *)
- Definition is_in_concrete_search_space (A : duration) :=
- (A < L) && has (fun tsk' => task_request_bound_function tsk' (A) !=
- task_request_bound_function tsk' ( A + ε )) ts.
-
- (** To enable the use of aRTA, we must now show that any offset [A] included
- in the abstract search space is also included in the concrete search
- space. That is, we must show that the concrete search space is a
- refinement of the abstract search space assumed by aRTA. *)
-
- (** To this end, first recall the notion of the abstract search space in aRTA. *)
- Let is_in_abstract_search_space A := abstract.search_space.is_in_search_space tsk L IBF A.
-
- Section SearchSpaceRefinement.
-
- (** Suppose we are given a job [j] of the task under analysis [tsk] with
- positive cost. We use the existence of such a job in the subsequent
- proof, even if it does not feature in the claim directly. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
- Hypothesis H_positive_cost : 0 < task_cost tsk.
-
- (** Under this assumption, given any [A] from the _abstract_ search space, ... *)
- Variable A : nat.
- Hypothesis H_in_abstract : is_in_abstract_search_space A.
-
- (** ... we prove that [A] is also in the concrete search space. In other
- words, we prove that the abstract search space is a subset of the
- concrete search space. *)
- Lemma search_space_refinement : is_in_concrete_search_space A.
- Proof.
- move: H_in_abstract => [INSP | [/andP [POSA LTL] [x [LTx INSP2]]]].
- { subst A.
- apply/andP; split; [by done |].
- apply /hasP. exists tsk; first by done.
- rewrite neq_ltn;apply/orP; left.
- erewrite task_rbf_0_zero; eauto 2.
- rewrite add0n ; apply leq_trans with (task_cost tsk).
- - by eapply leq_trans; eauto 2.
- - by eapply task_rbf_1_ge_task_cost; rt_eauto. }
- { apply /andP; split; first by done.
- apply /hasPn.
- move => EQ2. unfold IBF in INSP2.
- rewrite subnK in INSP2; try by done.
- apply INSP2; clear INSP2.
- have -> : \sum_(tsko <- ts) task_request_bound_function tsko A =
- \sum_(tsko <- ts) task_request_bound_function tsko (A + ε); last by done.
- apply eq_big_seq => //= task IN.
- by move: (EQ2 task IN) => /negPn /eqP. }
- Qed.
-
- (** The preceding lemma [search_space_refinement] corresponds to Lemma 4 in
- the paper, which is apparent after consulting the definitions of the
- abstract and concrete search spaces. *)
-
- End SearchSpaceRefinement.
-
- (** ** G. Stating the Response-Time Bound [R] *)
-
- (** Having established all necessary preliminaries, it is finally time to
- state the claimed response-time bound [R]. *)
- Variable R : duration.
- Hypothesis H_R_max:
- forall (A : duration),
- is_in_concrete_search_space A ->
- exists (F : nat),
- A + F >= \sum_(tsko <- ts) task_request_bound_function tsko (A + ε) /\
- F <= R.
-
- (** Ultimately, we seek to apply aRTA to prove the correctness of this [R].
- However, in order to connect the concrete definition of [R] with aRTA, we
- must first restate the bound in the shape of the abstract response-time
- bound equation that aRTA expects, which we do next. *)
-
- Section ResponseTimeBoundRestated.
- (** Suppose again we are given a job [j] of the task under analysis [tsk]
- with positive cost. We use the existence of such a job in the subsequent
- proof, even if it does not feature in the claim directly. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** We know that:
- - if [A] is in the abstract search space, then it is also in
- the concrete search space; and
- - if [A] is in the concrete search space, then there exists a solution
- that satisfies the inequalities stated in [H_R_is_maximum].
- Using these facts, we prove that, if [A] is in the abstract search
- space, then there also exists a solution [F] to the response-time
- equation as expected by aRTA. *)
- Lemma soln_abstract_response_time_recurrence :
- forall A,
- is_in_abstract_search_space A ->
- exists (F : nat),
- A + F >= task_rtct tsk + IBF tsk A (A + F) /\
- F + (task_cost tsk - task_rtct tsk) <= R.
- Proof.
- move => A IN.
- eapply search_space_refinement in IN; rt_eauto.
- move: (H_R_max _ IN) => [F [FIX NEQ]].
- have R_GE_TC: task_cost tsk <= R.
- { move : (H_R_max 0) => SEARCH; feed SEARCH;
- first by eapply search_space_refinement; rt_eauto; left.
- move: SEARCH => [F' [LE1 LE2]].
- rewrite !add0n in LE1.
- rewrite -(leqRW LE2) -(leqRW LE1).
- by eapply (task_cost_le_sum_rbf arr_seq); rt_eauto. }
- exists (R - (task_cost tsk - task_rtct tsk)); split.
- - rewrite /IBF.
- rewrite (leqRW FIX) addnC -subnA; first last.
- + rewrite -(leqRW FIX).
- apply : (task_cost_le_sum_rbf _ _ _ ); rt_eauto.
- by rewrite addn1.
- + by move : H_valid_run_to_completion_threshold => [TASKvalid JOBvalid].
- + rewrite addnBA; first by rewrite leq_sub2r // leq_add2l.
- by apply leq_trans with (task_cost tsk); [lia|].
- - rewrite subnK; first by done.
- by apply leq_trans with (task_cost tsk); [lia| ].
- Qed.
-
- (** Lemma [soln_abstract_response_time_recurrence] is shown in Listing 3 in
- the paper. *)
- End ResponseTimeBoundRestated.
-
- (** ** H. Soundness of the Response-Time Bound *)
-
- (** Finally, we are in a position to establish the soundness of the claimed
- response-time bound [R] by applying the main general aRTA theorem
- [uniprocessor_response_time_bound]. *)
- Theorem uniprocessor_response_time_bound_FIFO:
- task_response_time_bound arr_seq sched tsk R.
- Proof.
- move => js ARRs TSKs.
- rewrite /job_response_time_bound /completed_by.
- case: (posnP (@job_cost _ _ js)) => [ -> |POS]; first by done.
- eapply uniprocessor_response_time_bound; rt_eauto.
- - exact: abstractly_work_conserving.
- - exact: busy_windows_are_bounded.
- - exact: IBF_correct.
- - by apply: soln_abstract_response_time_recurrence; eauto.
- Qed.
-
- (** The preceding theorem [uniprocessor_response_time_bound_FIFO] corresponds
- to Theorem 2 in the paper. The correspondence becomes clearer when referring
- to the definition of [task_response_time_bound], and then in turn to the
- definitions of [job_of_task] and [job_response_time_bound]. *)
-
-End AbstractRTAforFIFOwithArrivalCurves.
diff --git a/results/fixed_priority/README.md b/results/fixed_priority/README.md
deleted file mode 100644
index 5f0c848e5ed8a8ac3ac96002ba29f8b590ade511..0000000000000000000000000000000000000000
--- a/results/fixed_priority/README.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# High-Level Results about Fixed-Priority (FP) Scheduling
-
-This folder collects the main theorems in Prosa about FP-scheduled systems. There are currently the following results available.
-
-
-## Response-Time Bounds
-
-Prosa includes several **response-time bounds** for FP scheduling. The proofs of these RTAs are based on abstract RTA.
-
-### (1) FP RTA with Bounded Priority Inversions
-
-The main result in [rta/bounded_pi.v](rta/bounded_pi.v) provides a general response-time bound assuming a bound on priority inversion (for whatever reason) is known.
-
-### (2) FP RTA with Bounded Non-Preemptive Segments
-
-The main theorem in [rta/bounded_nps.v](rta/bounded_nps.v) provides a refinement of (1) based on the more specific assumption that priority inversions are caused by lower-priority non-preemptive jobs with bounded non-preemptive segment lengths.
-
-### (3) FP RTA for Fully Preemptive Jobs
-
-The RTA provided in [rta/fully_preemptive.v](rta/fully_preemptive.v) applies (2) to the commonly assumed case of fully preemptive tasks (i.e., the complete absence of non-preemptive segments), which matches the classic Liu & Layland model.
-
-### (4) FP RTA for Fully Non-Preemptive Jobs
-
-The file [rta/fully_nonpreemptive.v](rta/fully_nonpreemptive.v) provides a refinement of (2) for the case in which each job forms a single non-preemptive segment, i.e., where in-progress jobs execute with run-to-completion semantics and cannot be preempted at all.
-
-### (5) FP RTA for Floating Non-Preemptive Sections
-
-The file [rta/floating_nonpreemptive.v](rta/floating_nonpreemptive.v) provides an RTA based on (2) for tasks that execute mostly preemptively, but that may also exhibit some non-preemptive segments (of bounded length) at unpredictable times.
-
-### (6) FP RTA for Limited-Preemptive Tasks
-
-The file [rta/limited_preemptive.v](rta/limited_preemptive.v) provides an RTA based on (2) for tasks that consist of a sequence of non-preemptive segments, separated by fixed preemption points.
-
-### (7) FP RTA for Fully Preemptive Jobs with Computed Fixpoints
-
-The RTA provided in [rta/comp/fully_preemptive.v](rta/comp/fully_preemptive.v) is a refinement of (3), in which the fixpoints upon which the analysis rests are assumed to have been computed with the functions provided in [util/fixpoint.v](../../util/fixpoint.v). See the comment at the start of the file for further explanation.
diff --git a/results/fixed_priority/rta/bounded_nps.v b/results/fixed_priority/rta/bounded_nps.v
deleted file mode 100644
index 46fa81d00d0a98a71dafc54b48c9d86fa2415047..0000000000000000000000000000000000000000
--- a/results/fixed_priority/rta/bounded_nps.v
+++ /dev/null
@@ -1,238 +0,0 @@
-Require Export prosa.analysis.definitions.schedulability.
-Require Export prosa.analysis.definitions.request_bound_function.
-Require Export prosa.analysis.facts.model.sequential.
-Require Export prosa.analysis.facts.busy_interval.ideal.priority_inversion_bounded.
-Require Export prosa.results.fixed_priority.rta.bounded_pi.
-
-(** * RTA for FP-schedulers with Bounded Non-Preemptive Segments *)
-
-(** In this section we instantiate the Abstract RTA for FP-schedulers
- with Bounded Priority Inversion to FP-schedulers for ideal
- uni-processor model of real-time tasks with arbitrary
- arrival models _and_ bounded non-preemptive segments. *)
-
-(** Recall that Abstract RTA for FP-schedulers with Bounded Priority
- Inversion does not specify the cause of priority inversion. In
- this section, we prove that the priority inversion caused by
- execution of non-preemptive segments is bounded. Thus the Abstract
- RTA for FP-schedulers is applicable to this instantiation. *)
-Section RTAforFPwithBoundedNonpreemptiveSegmentsWithArrivalCurves.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskRunToCompletionThreshold Task}.
- Context `{TaskMaxNonpreemptiveSegment Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{Arrival : JobArrival Job}.
- Context `{Cost : JobCost Job}.
-
- (** Consider an FP policy that indicates a higher-or-equal priority
- relation, and assume that the relation is reflexive and
- transitive. *)
- Context {FP : FP_policy Task}.
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
- Hypothesis H_priority_is_transitive : transitive_priorities.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Next, consider any ideal uni-processor schedule of this arrival sequence, ... *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** ... allow for any work-bearing notion of job readiness, ... *)
- Context `{@JobReady Job (ideal.processor_state Job) Cost Arrival}.
- Hypothesis H_job_ready : work_bearing_readiness arr_seq sched.
-
- (** ... and assume that the schedule is valid. *)
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
-
- (** In addition, we assume the existence of a function mapping jobs
- to their preemption points ... *)
- Context `{JobPreemptable Job}.
-
- (** ... and assume that it defines a valid preemption
- model with bounded non-preemptive segments. *)
- Hypothesis H_valid_model_with_bounded_nonpreemptive_segments:
- valid_model_with_bounded_nonpreemptive_segments arr_seq sched.
-
- (** Next, we assume that the schedule is a work-conserving schedule... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy. *)
- Hypothesis H_respects_policy : respects_FP_policy_at_preemption_point arr_seq sched FP.
-
- (** Assume we have sequential tasks, i.e, jobs from the
- same task execute in the order of their arrival. *)
- Hypothesis H_sequential_tasks : sequential_tasks arr_seq sched.
-
- (** Consider an arbitrary task set ts, ... *)
- Variable ts : list Task.
-
- (** ... assume that all jobs come from the task set, ... *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** ... and the cost of a job cannot be larger than the task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for
- any task [tsk] in ts [max_arrival tsk] is (1) an arrival bound of
- [tsk], and (2) it is a monotonic function that equals 0 for the
- empty interval delta = 0. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Consider a valid preemption model... *)
- Hypothesis H_valid_preemption_model:
- valid_preemption_model arr_seq sched.
-
- (** ...and a valid task run-to-completion threshold function. That
- is, [task_rtct tsk] is (1) no bigger than [tsk]'s cost, (2) for
- any job of task [tsk] [job_rtct] is bounded by [task_rtct]. *)
- Hypothesis H_valid_run_to_completion_threshold:
- valid_task_run_to_completion_threshold arr_seq tsk.
-
- (** Let's define some local names for clarity. *)
- Let max_length_of_priority_inversion :=
- max_length_of_priority_inversion arr_seq.
- Let task_rbf := task_request_bound_function tsk.
- Let total_hep_rbf := total_hep_request_bound_function_FP ts tsk.
- Let total_ohep_rbf := total_ohep_request_bound_function_FP ts tsk.
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- (** We also define a bound for the priority inversion caused by jobs with lower priority. *)
- Definition blocking_bound :=
- \max_(tsk_other <- ts | ~~ hep_task tsk_other tsk)
- (task_max_nonpreemptive_segment tsk_other - ε).
-
- (** ** Priority inversion is bounded *)
- (** In this section, we prove that a priority inversion for task [tsk] is bounded by
- the maximum length of non-preemptive segments among the tasks with lower priority. *)
- Section PriorityInversionIsBounded.
-
- (** First, we prove that the maximum length of a priority inversion of a job j is
- bounded by the maximum length of a non-preemptive section of a task with
- lower-priority task (i.e., the blocking term). *)
- Lemma priority_inversion_is_bounded_by_blocking:
- forall j t,
- arrives_in arr_seq j ->
- job_of_task tsk j ->
- max_length_of_priority_inversion j t <= blocking_bound.
- Proof.
- intros j t ARR TSK; move: TSK => /eqP TSK.
- rewrite /max_length_of_priority_inversion /blocking_bound /max_length_of_priority_inversion.
- apply: (@leq_trans (\max_(j_lp <- arrivals_before arr_seq t | ~~ hep_job j_lp j)
- (job_max_nonpreemptive_segment j_lp - ε)));
- first by apply: bigmax_subset => j' IN /andP [not_hep _].
- apply: (@leq_trans (\max_(j_lp <- arrivals_between arr_seq 0 t
- | ~~ hep_task (job_task j_lp) tsk)
- (task_max_nonpreemptive_segment (job_task j_lp) - ε))).
- { rewrite /hep_job /FP_to_JLFP TSK.
- apply leq_big_max => j' JINB NOTHEP.
- rewrite leq_sub2r //.
- apply H_valid_model_with_bounded_nonpreemptive_segments.
- by eapply in_arrivals_implies_arrived; eauto 2. }
- { apply /bigmax_leq_seqP => j' JINB NOTHEP.
- apply leq_bigmax_cond_seq with
- (x := (job_task j')) (F := fun tsk => task_max_nonpreemptive_segment tsk - 1);
- last by done.
- apply H_all_jobs_from_taskset.
- by apply: in_arrivals_implies_arrived (JINB). }
- Qed.
-
- (** Using the above lemma, we prove that the priority inversion of the task is bounded by blocking_bound. *)
- Lemma priority_inversion_is_bounded:
- priority_inversion_is_bounded_by_constant
- arr_seq sched tsk blocking_bound.
- Proof.
- intros j ARR TSK POS t1 t2 PREF.
- case NEQ: (t2 - t1 <= blocking_bound).
- { apply leq_trans with (t2 - t1); last by done.
- rewrite /cumulative_priority_inversion -[X in _ <= X]addn0
- -[t2 - t1]mul1n -iter_addn -big_const_nat leq_sum //.
- by intros t _; case: (priority_inversion_dec _ _ _).
- }
- move: NEQ => /negP /negP; rewrite -ltnNge; move => BOUND.
- edestruct (@preemption_time_exists) as [ppt [PPT NEQ]]; rt_eauto.
- move: NEQ => /andP [GE LE].
- apply leq_trans with (cumulative_priority_inversion arr_seq sched j t1 ppt);
- last apply leq_trans with (ppt - t1); first last.
- - rewrite leq_subLR.
- apply leq_trans with (t1 + max_length_of_priority_inversion j t1); first by done.
- by rewrite leq_add2l; eapply priority_inversion_is_bounded_by_blocking; eauto 2.
- rewrite /cumulative_priority_inversion -[X in _ <= X]addn0
- -[ppt - t1]mul1n -iter_addn -big_const_nat leq_sum //.
- by intros t _; case: (priority_inversion_dec _ _ _).
- - rewrite /cumulative_priority_inversion.
- rewrite (@big_cat_nat _ _ _ ppt) //=; last first.
- { rewrite ltn_subRL in BOUND.
- apply leq_trans with (t1 + blocking_bound); last by apply ltnW.
- apply leq_trans with (t1 + max_length_of_priority_inversion j t1); first by done.
- by rewrite leq_add2l; eapply priority_inversion_is_bounded_by_blocking; eauto 2.
- }
- rewrite -[X in _ <= X]addn0 leq_add2l leqn0.
- rewrite big_nat_cond big1 // => t /andP [/andP [GEt LTt] _ ].
- apply/eqP; rewrite eqb0; apply/negP => /priority_inversion_P PI; feed_n 3 PI; rt_eauto.
- move: PI => [NSCHED [j__lp /andP [SCHED HEP]]].
- edestruct (@not_quiet_implies_exists_scheduled_hp_job)
- with (K := ppt - t1) (t1 := t1) (t2 := t2) (t := t)
- as [j_hp [ARRB [HP SCHEDHP]]]; rt_eauto.
- { by exists ppt; split; [done | rewrite subnKC //; apply/andP]. }
- { by rewrite subnKC //; apply/andP; split. }
- enough (EQef : j__lp = j_hp); first by subst; rewrite HP in HEP.
- by eapply ideal_proc_model_is_a_uniprocessor_model; rt_eauto.
- Qed.
-
- End PriorityInversionIsBounded.
-
- (** ** Response-Time Bound *)
- (** In this section, we prove that the maximum among the solutions of the response-time
- bound recurrence is a response-time bound for [tsk]. *)
- Section ResponseTimeBound.
-
- (** Let L be any positive fixed point of the busy interval recurrence. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = blocking_bound + total_hep_rbf L.
-
- (** To reduce the time complexity of the analysis, recall the notion of search space. *)
- Let is_in_search_space := is_in_search_space tsk L.
-
- (** Next, consider any value R, and assume that for any given arrival offset A from the search
- space there is a solution of the response-time bound recurrence that is bounded by R. *)
- Variable R : duration.
- Hypothesis H_R_is_maximum:
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= blocking_bound
- + (task_rbf (A + ε) - (task_cost tsk - task_rtct tsk))
- + total_ohep_rbf (A + F) /\
- F + (task_cost tsk - task_rtct tsk) <= R.
-
- (** Then, using the results for the general RTA for FP-schedulers, we establish a
- response-time bound for the more concrete model of bounded nonpreemptive segments.
- Note that in case of the general RTA for FP-schedulers, we just _assume_ that
- the priority inversion is bounded. In this module we provide the preemption model
- with bounded nonpreemptive segments and _prove_ that the priority inversion is
- bounded. *)
- Theorem uniprocessor_response_time_bound_fp_with_bounded_nonpreemptive_segments:
- response_time_bounded_by tsk R.
- Proof.
- eapply uniprocessor_response_time_bound_fp;
- eauto using priority_inversion_is_bounded with basic_rt_facts.
- Qed.
-
- End ResponseTimeBound.
-
-End RTAforFPwithBoundedNonpreemptiveSegmentsWithArrivalCurves.
diff --git a/results/fixed_priority/rta/bounded_pi.v b/results/fixed_priority/rta/bounded_pi.v
deleted file mode 100644
index f496efd8e1187d2f9c8681a7fd04bc699d7c9ddf..0000000000000000000000000000000000000000
--- a/results/fixed_priority/rta/bounded_pi.v
+++ /dev/null
@@ -1,325 +0,0 @@
-Require Export prosa.model.schedule.priority_driven.
-Require Export prosa.analysis.abstract.ideal_jlfp_rta.
-Require Export prosa.analysis.facts.busy_interval.busy_interval.
-
-(** * Abstract RTA for FP-schedulers with Bounded Priority Inversion *)
-(** In this module we instantiate the Abstract Response-Time analysis
- (aRTA) to FP-schedulers for ideal uni-processor model of
- real-time tasks with arbitrary arrival models. *)
-
-(** Given FP priority policy and an ideal uni-processor scheduler
- model, we can explicitly specify [interference],
- [interfering_workload], and [interference_bound_function]. In this
- settings, we can define natural notions of service, workload, busy
- interval, etc. The important feature of this instantiation is that
- we can induce the meaningful notion of priority
- inversion. However, we do not specify the exact cause of priority
- inversion (as there may be different reasons for this, like
- execution of a non-preemptive segment or blocking due to resource
- locking). We only assume that that a priority inversion is
- bounded. *)
-Section AbstractRTAforFPwithArrivalCurves.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
- Context `{TaskRunToCompletionThreshold Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context {Arrival : JobArrival Job}.
- Context {Cost : JobCost Job}.
- Context `{JobPreemptable Job}.
-
- (** Consider an FP policy that indicates a higher-or-equal priority relation,
- and assume that the relation is reflexive. Note that we do not relate
- the FP policy with the scheduler. However, we define functions for
- Interference and Interfering Workload that actively use the concept of
- priorities. We require the FP policy to be reflexive, so a job cannot
- cause lower-priority interference (i.e. priority inversion) to itself. *)
- Context `{FP_policy Task}.
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Next, consider any ideal uni-processor schedule of this arrival sequence, ... *)
- Variable sched : schedule (ideal.processor_state Job).
-
- (** ... allow for any work-bearing notion of job readiness, ... *)
- Context `{@JobReady Job (ideal.processor_state Job) Cost Arrival}.
- Hypothesis H_job_ready : work_bearing_readiness arr_seq sched.
-
- (** ... and assume that the schedule is valid. *)
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
-
- (** Note that we differentiate between abstract and
- classical notions of work conserving schedule. *)
- Let work_conserving_ab := definitions.work_conserving arr_seq sched.
- Let work_conserving_cl := work_conserving.work_conserving arr_seq sched.
-
- (** We assume that the schedule is a work-conserving schedule
- in the _classical_ sense, and later prove that the hypothesis
- about abstract work-conservation also holds. *)
- Hypothesis H_work_conserving : work_conserving_cl.
-
- (** Assume we have sequential tasks, i.e, jobs from the
- same task execute in the order of their arrival. *)
- Hypothesis H_sequential_tasks : sequential_tasks arr_seq sched.
-
- (** Assume that a job cost cannot be larger than a task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Consider an arbitrary task set ts. *)
- Variable ts : list Task.
-
- (** Next, we assume that all jobs come from the task set. *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for any task [tsk] in ts
- [max_arrival tsk] is (1) an arrival bound of [tsk], and (2) it is a monotonic function
- that equals 0 for the empty interval delta = 0. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Consider a valid preemption model... *)
- Hypothesis H_valid_preemption_model:
- valid_preemption_model arr_seq sched.
-
- (** ...and a valid task run-to-completion threshold function. That
- is, [task_rtct tsk] is (1) no bigger than [tsk]'s cost, (2) for
- any job of task [tsk] [job_rtct] is bounded by [task_rtct]. *)
- Hypothesis H_valid_run_to_completion_threshold:
- valid_task_run_to_completion_threshold arr_seq tsk.
-
- (** For clarity, let's define some local names. *)
- Let job_pending_at := pending sched.
- Let job_scheduled_at := scheduled_at sched.
- Let job_completed_by := completed_by sched.
- Let job_backlogged_at := backlogged sched.
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- (** We introduce [task_rbf] as an abbreviation of the task request bound function,
- which is defined as [task_cost(tsk) × max_arrivals(tsk,Δ)]. *)
- Let task_rbf := task_request_bound_function tsk.
-
- (** Using the sum of individual request bound functions, we define the request bound
- function of all tasks with higher-or-equal priority (with respect to [tsk]). *)
- Let total_hep_rbf := total_hep_request_bound_function_FP ts tsk.
-
- (** Similarly, we define the request bound function of all tasks other
- than [tsk] with higher-or-equal priority (with respect to [tsk]). *)
- Let total_ohep_rbf :=
- total_ohep_request_bound_function_FP ts tsk.
-
- (** Assume that there exists a constant priority_inversion_bound that bounds
- the length of any priority inversion experienced by any job of [tsk].
- Since we analyze only task [tsk], we ignore the lengths of priority
- inversions incurred by any other tasks. *)
- Variable priority_inversion_bound : duration.
- Hypothesis H_priority_inversion_is_bounded:
- priority_inversion_is_bounded_by_constant
- arr_seq sched tsk priority_inversion_bound.
-
- (** Let L be any positive fixed point of the busy interval recurrence. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = priority_inversion_bound + total_hep_rbf L.
-
- (** To reduce the time complexity of the analysis, recall the notion of search space.
- Intuitively, this corresponds to all "interesting" arrival offsets that the job under
- analysis might have with regard to the beginning of its busy-window. *)
- Definition is_in_search_space A := (A < L) && (task_rbf A != task_rbf (A + ε)).
-
- (** Let [R] be a value that upper-bounds the solution of each response-time recurrence,
- i.e., for any relative arrival time A in the search space, there exists a corresponding
- solution [F] such that [R >= F + (task cost - task lock-in service)]. *)
- Variable R : duration.
- Hypothesis H_R_is_maximum :
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= priority_inversion_bound
- + (task_rbf (A + ε) - (task_cost tsk - task_rtct tsk))
- + total_ohep_rbf (A + F) /\
- R >= F + (task_cost tsk - task_rtct tsk).
-
- (** Instantiation of Interference *)
- (** We say that job j incurs interference at time t iff it cannot execute due to
- a higher-or-equal-priority job being scheduled, or if it incurs a priority inversion. *)
- Let interference (j : Job) (t : instant) :=
- ideal_jlfp_rta.interference arr_seq sched j t.
-
- (** Instantiation of Interfering Workload *)
- (** The interfering workload, in turn, is defined as the sum of the
- priority inversion function and interfering workload of jobs
- with higher or equal priority. *)
- Let interfering_workload (j : Job) (t : instant) :=
- ideal_jlfp_rta.interfering_workload arr_seq sched j t.
-
- (** Finally, we define the interference bound function
- ([IBF_other]). [IBF_other] bounds the interference if tasks are
- sequential. Since tasks are sequential, we exclude interference
- from other jobs of the same task. For FP, we define [IBF_other]
- as the sum of the priority interference bound and the
- higher-or-equal-priority workload. *)
- Let IBF_other (R : duration) := priority_inversion_bound + total_ohep_rbf R.
-
- (** ** Filling Out Hypotheses Of Abstract RTA Theorem *)
- (** In this section we prove that all preconditions necessary to use the abstract theorem are satisfied. *)
- Section FillingOutHypothesesOfAbstractRTATheorem.
-
- (** Recall that L is assumed to be a fixed point of the busy interval recurrence. Thanks to
- this fact, we can prove that every busy interval (according to the concrete definition)
- is bounded. In addition, we know that the conventional concept of busy interval and the
- one obtained from the abstract definition (with the interference and interfering
- workload) coincide. Thus, it follows that any busy interval (in the abstract sense)
- is bounded. *)
- Lemma instantiated_busy_intervals_are_bounded:
- busy_intervals_are_bounded_by arr_seq sched tsk interference interfering_workload L.
- Proof.
- move => j ARR TSK POS.
- edestruct (exists_busy_interval) with (delta := L) as [t1 [t2 [T1 [T2 BI]]]]; rt_eauto.
- { intros; rewrite {2}H_fixed_point leq_add //.
- rewrite /workload_of_higher_or_equal_priority_jobs /total_hep_rbf
- /total_hep_request_bound_function_FP
- /workload_of_jobs /hep_job /FP_to_JLFP.
- move: (TSK) => /eqP ->.
- by apply: sum_of_jobs_le_sum_rbf; eauto. }
- exists t1, t2; split; first by done.
- by eapply instantiated_busy_interval_equivalent_busy_interval; rt_eauto.
- Qed.
-
- (** Next, we prove that [IBF_other] is indeed an interference bound.
-
- Recall that in module abstract_seq_RTA hypothesis task_interference_is_bounded_by expects
- to receive a function that maps some task t, the relative arrival time of a job j of task t,
- and the length of the interval to the maximum amount of interference (for more details see
- files limited.abstract_RTA.definitions and limited.abstract_RTA.abstract_seq_rta).
-
- However, in this module we analyze only one task -- [tsk], therefore it is “hard-codedâ€
- inside the interference bound function [IBF_other]. Moreover, in case of a model with fixed
- priorities, interference that some job j incurs from higher-or-equal priority jobs does not
- depend on the relative arrival time of job j. Therefore, in order for the [IBF_other] signature to
- match the required signature in module abstract_seq_RTA, we wrap the [IBF_other] function in a
- function that accepts, but simply ignores, the task and the relative arrival time. *)
- Lemma instantiated_task_interference_is_bounded:
- task_interference_is_bounded_by
- arr_seq sched tsk interference interfering_workload (fun t A R => IBF_other R).
- Proof.
- intros ? ? ? ? ARR TSK ? NCOMPL BUSY; simpl.
- move: (posnP (@job_cost _ Cost j)) => [ZERO|POS].
- { by exfalso; rewrite /completed_by ZERO in NCOMPL. }
- eapply instantiated_busy_interval_equivalent_busy_interval in BUSY; rt_eauto.
- rewrite /interference; erewrite cumulative_task_interference_split; rt_eauto; last first.
- { move: BUSY => [[_ [_ [_ /andP [GE LT]]]] _].
- by eapply arrived_between_implies_in_arrivals; rt_eauto. }
- unfold IBF_other, interference.
- rewrite leq_add; try done.
- { apply leq_trans with (cumulative_priority_inversion arr_seq sched j t1 (t1 + R0)); first by done.
- apply leq_trans with (cumulative_priority_inversion arr_seq sched j t1 t2); last first.
- { by apply H_priority_inversion_is_bounded; rt_eauto; move: BUSY => [PREF QT2]. }
- rewrite [X in _ <= X](@big_cat_nat _ _ _ (t1 + R0)) //=.
- - by rewrite leq_addr.
- - by rewrite leq_addr.
- - by rewrite ltnW.
- }
- { erewrite cumulative_i_thep_eq_service_of_othep; rt_eauto;
- last by unfold quiet_time; move: BUSY => [[_ [T1 T2]] _].
- apply: leq_trans.
- { apply service_of_jobs_le_workload; first apply ideal_proc_model_provides_unit_service.
- by apply (valid_schedule_implies_completed_jobs_dont_execute sched arr_seq). }
- { rewrite /workload_of_jobs /total_ohep_rbf /total_ohep_request_bound_function_FP.
- rewrite /another_task_hep_job /hep_job /FP_to_JLFP.
- set (pred_task tsk_other := hep_task tsk_other tsk && (tsk_other != tsk)).
- rewrite (eq_big (fun j=> pred_task (job_task j)) job_cost) //;
- last by move=> j'; rewrite /pred_task; move: TSK => /eqP ->.
- erewrite (eq_big pred_task); [|by done|by move=> tsk'; eauto].
- by apply: sum_of_jobs_le_sum_rbf; eauto. } }
- Qed.
-
- (** Finally, we show that there exists a solution for the response-time recurrence. *)
- Section SolutionOfResponseTimeRecurrenceExists.
-
- (** Consider any job [j] of [tsk]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
- Hypothesis H_job_cost_positive: job_cost_positive j.
-
- (** Given any job j of task [tsk] that arrives exactly A units after the beginning of
- the busy interval, the bound of the total interference incurred by j within an
- interval of length Δ is equal to [task_rbf (A + ε) - task_cost tsk + IBF_other Δ]. *)
- Let total_interference_bound tsk A Δ :=
- task_rbf (A + ε) - task_cost tsk + IBF_other Δ.
-
- (** Next, consider any A from the search space (in the abstract sense). *)
- Variable A : duration.
- Hypothesis H_A_is_in_abstract_search_space :
- search_space.is_in_search_space tsk L total_interference_bound A.
-
- (** We prove that A is also in the concrete search space. *)
- Lemma A_is_in_concrete_search_space:
- is_in_search_space A.
- Proof.
- move: H_A_is_in_abstract_search_space => [INSP | [/andP [POSA LTL] [x [LTx INSP2]]]].
- - rewrite INSP.
- apply/andP; split; first by done.
- rewrite neq_ltn; apply/orP; left.
- rewrite {1}/task_rbf; erewrite task_rbf_0_zero; eauto 2; try done.
- rewrite add0n /task_rbf; apply leq_trans with (task_cost tsk).
- + by apply leq_trans with (job_cost j); eauto 2; move: (H_job_of_tsk) => /eqP <-; eauto 2.
- + by eapply task_rbf_1_ge_task_cost; rt_eauto.
- - apply/andP; split; first by done.
- apply/negP; intros EQ; move: EQ => /eqP EQ.
- apply INSP2.
- unfold total_interference_bound in *.
- rewrite subn1 addn1 prednK; last by done.
- by rewrite -EQ.
- Qed.
-
- (** Then, there exists a solution for the response-time recurrence (in the abstract sense). *)
- Corollary correct_search_space:
- exists (F : duration),
- A + F >= task_rbf (A + ε) - (task_cost tsk - task_rtct tsk) + IBF_other (A + F) /\
- R >= F + (task_cost tsk - task_rtct tsk).
- Proof.
- move: (H_R_is_maximum A) => FIX.
- feed FIX; first by apply A_is_in_concrete_search_space.
- move: FIX => [F [FIX NEQ]].
- exists F; split; last by done.
- rewrite -{2}(leqRW FIX).
- by rewrite addnA [_ + priority_inversion_bound]addnC -!addnA.
- Qed.
-
- End SolutionOfResponseTimeRecurrenceExists.
-
- End FillingOutHypothesesOfAbstractRTATheorem.
-
-
- (** ** Final Theorem *)
- (** Based on the properties established above, we apply the abstract analysis
- framework to infer that [R] is a response-time bound for [tsk]. *)
- Theorem uniprocessor_response_time_bound_fp:
- response_time_bounded_by tsk R.
- Proof.
- intros js ARRs TSKs.
- move: (posnP (@job_cost _ Cost js)) => [ZERO|POS].
- { by rewrite /job_response_time_bound /completed_by ZERO. }
- eapply uniprocessor_response_time_bound_seq; rt_eauto.
- - by eapply instantiated_i_and_w_are_coherent_with_schedule; rt_eauto.
- - by eapply instantiated_interference_and_workload_consistent_with_sequential_tasks; rt_eauto.
- - by apply instantiated_busy_intervals_are_bounded.
- - by apply instantiated_task_interference_is_bounded.
- - by eapply correct_search_space; eauto 2.
- Qed.
-
-End AbstractRTAforFPwithArrivalCurves.
diff --git a/results/fixed_priority/rta/comp/fully_preemptive.v b/results/fixed_priority/rta/comp/fully_preemptive.v
deleted file mode 100644
index 9ba1dc6585e610be87f85e467f7f2df28f084461..0000000000000000000000000000000000000000
--- a/results/fixed_priority/rta/comp/fully_preemptive.v
+++ /dev/null
@@ -1,154 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Export prosa.util.fixpoint.
-Require Export prosa.results.fixed_priority.rta.fully_preemptive.
-
-(** * RTA for Fully Preemptive FP Scheduling with Computed Fixpoints *)
-
-(** This module refines the general response-time bound for fully preemptive
- fixed-priority scheduling in
- [prosa.results.fixed_priority.rta.fully_preemptive]. Whereas the general
- result assumes that all fixpoints are given, i.e., that they have been found
- _somehow_ without imposing any assumptions on how they have been found, here
- we _compute_ all relevant fixpoints using the procedures provided in
- [prosa.util.fixpoint]. *)
-
-(** ** Problem Setup and Analysis Context *)
-
-(** To begin, we must set up the context as in
- [prosa.results.fixed_priority.rta.fully_preemptive]. *)
-
-Section RTAforFullyPreemptiveFPModelwithArrivalCurves.
- (** We assume ideal uni-processor schedules. *)
- #[local] Existing Instance ideal.processor_state.
-
- (** Consider any type of tasks characterized by WCETs ... *)
- Context {Task : TaskType} `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks, where each job is
- characterized by an arrival time and an execution cost. *)
- Context {Job : JobType} `{JobTask Job Task} `{JobArrival Job} `{JobCost Job}.
-
- (** We assume that jobs and tasks are fully preemptive. *)
- #[local] Existing Instance fully_preemptive_job_model.
- #[local] Existing Instance fully_preemptive_task_model.
- #[local] Existing Instance fully_preemptive_rtc_threshold.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Consider an arbitrary task set [ts], ... *)
- Variable ts : list Task.
-
- (** ... assume that all jobs come from the task set, ... *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** ... and that the cost of a job does not exceed the task's WCET . *)
- Hypothesis H_valid_job_cost: arrivals_have_valid_job_costs arr_seq.
-
- (** Let [max_arrivals] be a family of valid arrival curves, i.e., for any task
- [tsk] in [ts], [max_arrival tsk] is (1) an arrival bound for [tsk], and
- (2) it is a monotonic function that equals 0 for the empty interval [delta
- = 0]. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in [ts] that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Recall that we assume sequential readiness, i.e., jobs of the same task
- are executed in order of their arrival. *)
- #[local] Instance sequential_readiness : JobReady _ _ :=
- sequential_ready_instance arr_seq.
-
- (** Next, consider any ideal uniprocessor schedule of this arrival sequence. *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
- Hypothesis H_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched arr_seq.
-
- (** Finally, we assume that the schedule is work-conserving ... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and that it respects a reflexive and transitive fixed-priority
- scheduling policy [FP]. *)
- Context {FP : FP_policy Task}.
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
- Hypothesis H_priority_is_transitive : transitive_priorities.
- Hypothesis H_respects_policy :
- respects_FP_policy_at_preemption_point arr_seq sched FP.
-
- (** ** Computation of the Fixpoints *)
-
- (** In the following, we introduce the bound on the maximum busy-window length
- [L] and the response-time bound [R] and assume that they have been are
- calculated using the tools provided by [util.fixpoint]. *)
-
- (** Let [h] denote the horizon for the fixpoint search, i.e., an upper bound
- on the maximum relevant fixpoint. Practically speaking, this is the
- threshold at which the fixpoint search is aborted and ends in failure.
- Since we assume in the following that the fixpoint search terminated
- successfully, it implies that [h] was chosen to be "sufficiently large";
- it may hence be safely ignored in the following. *)
- Variable h : nat.
-
- (** We let [L] denote the bound on the maximum busy-window length ... *)
- Variable L : duration.
-
- (** ... and assume that it has been found by means of a successful fixpoint
- search. *)
- Hypothesis H_L_is_fixpoint :
- Some L = find_fixpoint (total_hep_request_bound_function_FP ts tsk) h.
-
- (** Recall the notion of the search space of the RTA for fixed-priority
- scheduling. *)
- Let is_in_search_space := is_in_search_space tsk L.
-
- (** We let [R] denote [tsk]'s response-time bound ... *)
- Variable R : duration.
-
- (** ... and assume that it has been found by means of finding the maximum
- among the fixpoints for each element in the search space with regard
- to the following [recurrence] function. *)
- Let recurrence A F := task_request_bound_function tsk (A + ε)
- + total_ohep_request_bound_function_FP ts tsk (A + F)
- - A.
- Hypothesis H_R_is_max_fixpoint :
- Some R = find_max_fixpoint L is_in_search_space recurrence h.
-
- (** ** Correctness of the Response-Time Bound *)
-
- (** Using the lemmas from [util.fixpoints], we can show that all preconditions
- of the general fully preemptive fixed-priority RTA theorem are met. *)
- Theorem uniprocessor_response_time_bound_fully_preemptive_fp :
- task_response_time_bound arr_seq sched tsk R.
- Proof.
- (* First, eliminate the trivial case of no higher- or equal-priority
- interference. *)
- case: (ltnP 0 (total_hep_request_bound_function_FP ts tsk ε));
- last by rewrite leqn0 => /eqP ZERO; apply: pathological_total_hep_rbf_any_bound; rt_eauto.
- move=> GT0.
- (* Second, apply the general result. *)
- try (eapply uniprocessor_response_time_bound_fully_preemptive_fp
- with (L0 := L) (ts0 := ts) => //)
- ||
- (eapply uniprocessor_response_time_bound_fully_preemptive_fp
- with (L := L) (ts := ts) => //).
- { apply: ffp_finds_positive_fixpoint; eauto.
- exact: total_hep_rbf_monotone. }
- { by apply: ffp_finds_fixpoint; eauto. }
- { move=> A.
- rewrite /bounded_pi.is_in_search_space => /andP[LT IN_SP].
- have IN_SP' : (A < L) && is_in_search_space A
- by repeat (apply /andP; split).
- move: (fmf_is_maximum _ _ H_R_is_max_fixpoint IN_SP') => [F FIX BOUND].
- exists F; split => //.
- have: F = recurrence A F
- by apply: ffp_finds_fixpoint; eauto.
- by rewrite /recurrence; lia. }
- Qed.
-
-End RTAforFullyPreemptiveFPModelwithArrivalCurves.
diff --git a/results/fixed_priority/rta/floating_nonpreemptive.v b/results/fixed_priority/rta/floating_nonpreemptive.v
deleted file mode 100644
index 2c873b98965871a615b4a0a083b401103d43eda4..0000000000000000000000000000000000000000
--- a/results/fixed_priority/rta/floating_nonpreemptive.v
+++ /dev/null
@@ -1,154 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Export prosa.results.fixed_priority.rta.bounded_nps.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.floating.
-Require Export prosa.analysis.facts.readiness.sequential.
-
-(** * RTA for Model with Floating Non-Preemptive Regions *)
-(** In this module we prove the RTA theorem for floating non-preemptive regions FP model. *)
-
-(** ** Setup and Assumptions *)
-
-Section RTAforFloatingModelwithArrivalCurves.
-
- (** We assume ideal uni-processor schedules. *)
- #[local] Existing Instance ideal.processor_state.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We assume that jobs are limited-preemptive. *)
- #[local] Existing Instance limited_preemptive_job_model.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Assume we have the model with floating non-preemptive regions.
- I.e., for each task only the length of the maximal non-preemptive
- segment is known _and_ each job level is divided into a number of
- non-preemptive segments by inserting preemption points. *)
- Context `{JobPreemptionPoints Job}
- `{TaskMaxNonpreemptiveSegment Task}.
- Hypothesis H_valid_task_model_with_floating_nonpreemptive_regions:
- valid_model_with_floating_nonpreemptive_regions arr_seq.
-
- (** Consider an arbitrary task set ts, ... *)
- Variable ts : list Task.
-
- (** ... assume that all jobs come from the task set, ... *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** ... and the cost of a job cannot be larger than the task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for any task [tsk] in ts
- [max_arrival tsk] is (1) an arrival bound of [tsk], and (2) it is a monotonic function
- that equals [0] for the empty interval [delta = 0]. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Recall that we assume sequential readiness. *)
- #[local] Instance sequential_readiness : JobReady _ _ :=
- sequential_ready_instance arr_seq.
-
- (** Next, consider any valid ideal uni-processor schedule with with
- limited preemptions of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
- Hypothesis H_schedule_with_limited_preemptions : schedule_respects_preemption_model arr_seq sched.
-
- (** Consider an FP policy that indicates a higher-or-equal priority relation,
- and assume that the relation is reflexive and transitive. *)
- Context {FP :FP_policy Task}.
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
- Hypothesis H_priority_is_transitive : transitive_priorities.
-
- (** Next, we assume that the schedule is a work-conserving schedule... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy. *)
- Hypothesis H_respects_policy : respects_FP_policy_at_preemption_point arr_seq sched FP.
-
- (** ** Total Workload and Length of Busy Interval *)
-
- (** We introduce the abbreviation [rbf] for the task request bound function,
- which is defined as [task_cost(T) × max_arrivals(T,Δ)] for a task T. *)
- Let rbf := task_request_bound_function.
-
- (** Next, we introduce [task_rbf] as an abbreviation
- for the task request bound function of task [tsk]. *)
- Let task_rbf := rbf tsk.
-
- (** Using the sum of individual request bound functions, we define
- the request bound function of all tasks with higher priority
- ... *)
- Let total_hep_rbf := total_hep_request_bound_function_FP ts tsk.
-
- (** ... and the request bound function of all tasks with higher
- priority other than task [tsk]. *)
- Let total_ohep_rbf := total_ohep_request_bound_function_FP ts tsk.
-
- (** Next, we define a bound for the priority inversion caused by tasks of lower priority. *)
- Let blocking_bound :=
- \max_(tsk_other <- ts | ~~ hep_task tsk_other tsk)
- (task_max_nonpreemptive_segment tsk_other - ε).
-
- (** Let L be any positive fixed point of the busy interval recurrence, determined by
- the sum of blocking and higher-or-equal-priority workload. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = blocking_bound + total_hep_rbf L.
-
- (** ** Response-Time Bound *)
-
- (** To reduce the time complexity of the analysis, recall the notion of search space. *)
- Let is_in_search_space := is_in_search_space tsk L.
-
- (** Next, consider any value R, and assume that for any given
- arrival A from search space there is a solution of the
- response-time bound recurrence which is bounded by R. *)
- Variable R : duration.
- Hypothesis H_R_is_maximum:
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= blocking_bound + task_rbf (A + ε) + total_ohep_rbf (A + F) /\
- R >= F.
-
- (** Now, we can reuse the results for the abstract model with
- bounded nonpreemptive segments to establish a response-time
- bound for the more concrete model with floating nonpreemptive
- regions. *)
-
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- Theorem uniprocessor_response_time_bound_fp_with_floating_nonpreemptive_regions:
- response_time_bounded_by tsk R.
- Proof.
- move: (H_valid_task_model_with_floating_nonpreemptive_regions) => [LIMJ JMLETM].
- move: (LIMJ) => [BEG [END _]].
- eapply uniprocessor_response_time_bound_fp_with_bounded_nonpreemptive_segments.
- all: rt_eauto.
- - by apply sequential_readiness_implies_work_bearing_readiness; rt_eauto.
- - by apply sequential_readiness_implies_sequential_tasks; rt_eauto.
- - intros A SP.
- rewrite subnn subn0.
- destruct (H_R_is_maximum _ SP) as [F [EQ LE]].
- by exists F; rewrite addn0; split.
- Qed.
-
-End RTAforFloatingModelwithArrivalCurves.
diff --git a/results/fixed_priority/rta/fully_nonpreemptive.v b/results/fixed_priority/rta/fully_nonpreemptive.v
deleted file mode 100644
index 6675bb005756ece0cd483550b06ab1b0605b3c68..0000000000000000000000000000000000000000
--- a/results/fixed_priority/rta/fully_nonpreemptive.v
+++ /dev/null
@@ -1,159 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Export prosa.results.fixed_priority.rta.bounded_nps.
-Require Export prosa.analysis.facts.preemption.task.nonpreemptive.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.nonpreemptive.
-Require Export prosa.analysis.facts.readiness.sequential.
-Require Export prosa.model.task.preemption.fully_nonpreemptive.
-
-(** * RTA for Fully Non-Preemptive FP Model *)
-(** In this module we prove the RTA theorem for the fully non-preemptive FP model. *)
-
-(** ** Setup and Assumptions *)
-
-Section RTAforFullyNonPreemptiveFPModelwithArrivalCurves.
-
- (** We assume ideal uni-processor schedules. *)
- #[local] Existing Instance ideal.processor_state.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We assume that jobs and tasks are fully nonpreemptive. *)
- #[local] Existing Instance fully_nonpreemptive_job_model.
- #[local] Existing Instance fully_nonpreemptive_task_model.
- #[local] Existing Instance fully_nonpreemptive_rtc_threshold.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Consider an arbitrary task set ts, ... *)
- Variable ts : list Task.
-
- (** ... assume that all jobs come from the task set, ... *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** ... and the cost of a job cannot be larger than the task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for
- any task [tsk] in ts [max_arrival tsk] is (1) an arrival bound of
- [tsk], and (2) it is a monotonic function that equals [0] for the
- empty interval [delta = 0]. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Recall that we assume sequential readiness. *)
- #[local] Instance sequential_readiness : JobReady _ _ :=
- sequential_ready_instance arr_seq.
-
- (** Next, consider any ideal non-preemptive uniprocessor schedule of
- this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
- Hypothesis H_nonpreemptive_sched : nonpreemptive_schedule sched.
-
- (** Consider an FP policy that indicates a higher-or-equal priority relation,
- and assume that the relation is reflexive and transitive. *)
- Context {FP : FP_policy Task}.
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
- Hypothesis H_priority_is_transitive : transitive_priorities.
-
- (** Next, we assume that the schedule is a work-conserving schedule ... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy. *)
- Hypothesis H_respects_policy : respects_FP_policy_at_preemption_point arr_seq sched FP.
-
- (** ** Total Workload and Length of Busy Interval *)
-
- (** We introduce the abbreviation [rbf] for the task request bound function,
- which is defined as [task_cost(T) × max_arrivals(T,Δ)] for a task T. *)
- Let rbf := task_request_bound_function.
-
- (** Next, we introduce [task_rbf] as an abbreviation
- for the task request bound function of task [tsk]. *)
- Let task_rbf := rbf tsk.
-
- (** Using the sum of individual request bound functions, we define
- the request bound function of all tasks with higher priority
- ... *)
- Let total_hep_rbf := total_hep_request_bound_function_FP ts tsk.
-
- (** ... and the request bound function of all tasks with higher
- priority other than task [tsk]. *)
- Let total_ohep_rbf := total_ohep_request_bound_function_FP ts tsk.
-
- (** Next, we define a bound for the priority inversion caused by tasks of lower priority. *)
- Let blocking_bound :=
- \max_(tsk_other <- ts | ~~ hep_task tsk_other tsk) (task_cost tsk_other - ε).
-
- (** Let L be any positive fixed point of the busy interval recurrence, determined by
- the sum of blocking and higher-or-equal-priority workload. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = blocking_bound + total_hep_rbf L.
-
- (** ** Response-Time Bound *)
-
- (** To reduce the time complexity of the analysis, recall the notion of search space. *)
- Let is_in_search_space := is_in_search_space tsk L.
-
- (** Next, consider any value [R], and assume that for any given
- arrival [A] from search space there is a solution of the
- response-time bound recurrence which is bounded by [R]. *)
- Variable R : duration.
- Hypothesis H_R_is_maximum:
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= blocking_bound
- + (task_rbf (A + ε) - (task_cost tsk - ε))
- + total_ohep_rbf (A + F) /\
- R >= F + (task_cost tsk - ε).
-
- (** Now, we can leverage the results for the abstract model with
- bounded nonpreemptive segments to establish a response-time
- bound for the more concrete model of fully nonpreemptive
- scheduling. *)
-
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- Theorem uniprocessor_response_time_bound_fully_nonpreemptive_fp:
- response_time_bounded_by tsk R.
- Proof.
- move: (posnP (@task_cost _ H tsk)) => [ZERO|POS].
- { intros j ARR TSK.
- have ZEROj: job_cost j = 0.
- { move: (H_valid_job_cost j ARR) => NEQ.
- rewrite /valid_job_cost in NEQ.
- move: TSK => /eqP -> in NEQ.
- rewrite ZERO in NEQ.
- by apply/eqP; rewrite -leqn0.
- }
- by rewrite /job_response_time_bound /completed_by ZEROj.
- }
- try ( eapply uniprocessor_response_time_bound_fp_with_bounded_nonpreemptive_segments with
- (L0 := L) ) ||
- eapply uniprocessor_response_time_bound_fp_with_bounded_nonpreemptive_segments with
- (L := L).
- all: rt_eauto.
- - by apply sequential_readiness_implies_work_bearing_readiness; rt_auto.
- - by apply sequential_readiness_implies_sequential_tasks; rt_auto.
- Qed.
-
-End RTAforFullyNonPreemptiveFPModelwithArrivalCurves.
diff --git a/results/fixed_priority/rta/fully_preemptive.v b/results/fixed_priority/rta/fully_preemptive.v
deleted file mode 100644
index 747eb0eacaeb861d5a4ee9c49c95740f23d9c975..0000000000000000000000000000000000000000
--- a/results/fixed_priority/rta/fully_preemptive.v
+++ /dev/null
@@ -1,150 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Export prosa.results.fixed_priority.rta.bounded_nps.
-Require Export prosa.analysis.facts.preemption.task.preemptive.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.preemptive.
-Require Export prosa.analysis.facts.readiness.sequential.
-Require Export prosa.model.task.preemption.fully_preemptive.
-
-(** * RTA for Fully Preemptive FP Model *)
-(** In this section we prove the RTA theorem for the fully preemptive FP model *)
-
-(** ** Setup and Assumptions *)
-
-Section RTAforFullyPreemptiveFPModelwithArrivalCurves.
-
- (** We assume ideal uni-processor schedules. *)
- #[local] Existing Instance ideal.processor_state.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We assume that jobs and tasks are fully preemptive. *)
- #[local] Existing Instance fully_preemptive_job_model.
- #[local] Existing Instance fully_preemptive_task_model.
- #[local] Existing Instance fully_preemptive_rtc_threshold.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Consider an arbitrary task set ts, ... *)
- Variable ts : list Task.
-
- (** ... assume that all jobs come from the task set, ... *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** ... and the cost of a job cannot be larger than the task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for
- any task [tsk] in ts [max_arrival tsk] is (1) an arrival bound of
- [tsk], and (2) it is a monotonic function that equals 0 for the
- empty interval [delta = 0]. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Recall that we assume sequential readiness. *)
- #[local] Instance sequential_readiness : JobReady _ _ :=
- sequential_ready_instance arr_seq.
-
- (** Next, consider any ideal uniprocessor schedule of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
- Hypothesis H_jobs_come_from_arrival_sequence:
- jobs_come_from_arrival_sequence sched arr_seq.
-
- (** Consider an FP policy that indicates a higher-or-equal priority relation,
- and assume that the relation is reflexive and transitive. *)
- Context {FP : FP_policy Task}.
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
- Hypothesis H_priority_is_transitive : transitive_priorities.
-
- (** Next, we assume that the schedule is a work-conserving schedule... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy. *)
- Hypothesis H_respects_policy : respects_FP_policy_at_preemption_point arr_seq sched FP.
-
- (** ** Total Workload and Length of Busy Interval *)
-
- (** We introduce the abbreviation [rbf] for the task request bound function,
- which is defined as [task_cost(T) × max_arrivals(T,Δ)] for a task T. *)
- Let rbf := task_request_bound_function.
-
- (** Next, we introduce [task_rbf] as an abbreviation
- for the task request bound function of task [tsk]. *)
- Let task_rbf := rbf tsk.
-
- (** Using the sum of individual request bound functions, we define
- the request bound function of all tasks with higher priority
- ... *)
- Let total_hep_rbf := total_hep_request_bound_function_FP ts tsk.
-
- (** ... and the request bound function of all tasks with higher
- priority other than task [tsk]. *)
- Let total_ohep_rbf := total_ohep_request_bound_function_FP ts tsk.
-
- (** Let L be any positive fixed point of the busy interval recurrence, determined by
- the sum of blocking and higher-or-equal-priority workload. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = total_hep_rbf L.
-
- (** ** Response-Time Bound *)
-
- (** To reduce the time complexity of the analysis, recall the notion of search space. *)
- Let is_in_search_space := is_in_search_space tsk L.
-
- (** Next, consider any value [R], and assume that for any given
- arrival [A] from search space there is a solution of the
- response-time bound recurrence which is bounded by [R]. *)
- Variable R : duration.
- Hypothesis H_R_is_maximum:
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= task_rbf (A + ε) + total_ohep_rbf (A + F) /\
- R >= F.
-
- (** Now, we can leverage the results for the abstract model with
- bounded non-preemptive segments to establish a response-time
- bound for the more concrete model of fully preemptive
- scheduling. *)
-
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- Theorem uniprocessor_response_time_bound_fully_preemptive_fp:
- response_time_bounded_by tsk R.
- Proof.
- have BLOCK: blocking_bound ts tsk = 0.
- { by rewrite /blocking_bound /parameters.task_max_nonpreemptive_segment
- /fully_preemptive_task_model subnn big1_eq. }
- eapply uniprocessor_response_time_bound_fp_with_bounded_nonpreemptive_segments.
- all: rt_eauto.
- rewrite /work_bearing_readiness.
- - by apply sequential_readiness_implies_work_bearing_readiness; rt_auto.
- - by apply sequential_readiness_implies_sequential_tasks => //; rt_auto.
- - by rewrite BLOCK add0n.
- - move => A /andP [LT NEQ].
- edestruct H_R_is_maximum as [F [FIX BOUND]].
- { by apply/andP; split; eauto 2. }
- exists F; split.
- + by rewrite BLOCK add0n subnn subn0.
- + by rewrite subnn addn0.
- Qed.
-
-End RTAforFullyPreemptiveFPModelwithArrivalCurves.
diff --git a/results/fixed_priority/rta/limited_preemptive.v b/results/fixed_priority/rta/limited_preemptive.v
deleted file mode 100644
index e2bec6476fb0121ddf289921c1ecfe857a858c31..0000000000000000000000000000000000000000
--- a/results/fixed_priority/rta/limited_preemptive.v
+++ /dev/null
@@ -1,177 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop.
-
-Require Export prosa.results.fixed_priority.rta.bounded_nps.
-Require Export prosa.analysis.facts.preemption.rtc_threshold.limited.
-Require Export prosa.analysis.facts.readiness.sequential.
-Require Export prosa.model.task.preemption.limited_preemptive.
-
-(** * RTA for FP-schedulers with Fixed Preemption Points *)
-(** In this module we prove the RTA theorem for FP-schedulers with
- fixed preemption points. *)
-
-(** ** Setup and Assumptions *)
-
-Section RTAforFixedPreemptionPointsModelwithArrivalCurves.
-
- (** We assume ideal uni-processor schedules. *)
- #[local] Existing Instance ideal.processor_state.
-
- (** Consider any type of tasks ... *)
- Context {Task : TaskType}.
- Context `{TaskCost Task}.
-
- (** ... and any type of jobs associated with these tasks. *)
- Context {Job : JobType}.
- Context `{JobTask Job Task}.
- Context `{JobArrival Job}.
- Context `{JobCost Job}.
-
- (** We assume that jobs are limited-preemptive. *)
- #[local] Existing Instance limited_preemptive_job_model.
-
- (** Consider any arrival sequence with consistent, non-duplicate arrivals. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** Consider an arbitrary task set ts, ... *)
- Variable ts : list Task.
-
- (** ... assume that all jobs come from the task set, ... *)
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** ... and the cost of a job cannot be larger than the task cost. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** First, we assume we have the model with fixed preemption points.
- I.e., each task is divided into a number of non-preemptive segments
- by inserting statically predefined preemption points. *)
- Context `{JobPreemptionPoints Job}
- `{TaskPreemptionPoints Task}.
- Hypothesis H_valid_model_with_fixed_preemption_points:
- valid_fixed_preemption_points_model arr_seq ts.
-
- (** Let max_arrivals be a family of valid arrival curves, i.e., for any task [tsk] in ts
- [max_arrival tsk] is (1) an arrival bound of [tsk], and (2) it is a monotonic function
- that equals 0 for the empty interval [delta = 0]. *)
- Context `{MaxArrivals Task}.
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** Let [tsk] be any task in ts that is to be analyzed. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** Recall that we assume sequential readiness. *)
- #[local] Instance sequential_readiness : JobReady _ _ :=
- sequential_ready_instance arr_seq.
-
- (** Next, consider any valid ideal uni-processor schedule with limited preemptions of this arrival sequence ... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
- Hypothesis H_schedule_respects_preemption_model:
- schedule_respects_preemption_model arr_seq sched.
-
- (** Consider an FP policy that indicates a higher-or-equal priority relation,
- and assume that the relation is reflexive and transitive. *)
- Context {FP : FP_policy Task}.
- Hypothesis H_priority_is_reflexive : reflexive_priorities.
- Hypothesis H_priority_is_transitive : transitive_priorities.
-
- (** Next, we assume that the schedule is a work-conserving schedule... *)
- Hypothesis H_work_conserving : work_conserving arr_seq sched.
-
- (** ... and the schedule respects the scheduling policy. *)
- Hypothesis H_respects_policy : respects_FP_policy_at_preemption_point arr_seq sched FP.
-
- (** ** Total Workload and Length of Busy Interval *)
-
- (** We introduce the abbreviation [rbf] for the task request bound function,
- which is defined as [task_cost(T) × max_arrivals(T,Δ)] for a task T. *)
- Let rbf := task_request_bound_function.
-
- (** Next, we introduce [task_rbf] as an abbreviation
- for the task request bound function of task [tsk]. *)
- Let task_rbf := rbf tsk.
-
- (** Using the sum of individual request bound functions, we define
- the request bound function of all tasks with higher priority
- ... *)
- Let total_hep_rbf := total_hep_request_bound_function_FP ts tsk.
-
- (** ... and the request bound function of all tasks with higher
- priority other than task [tsk]. *)
- Let total_ohep_rbf := total_ohep_request_bound_function_FP ts tsk.
-
- (** Next, we define a bound for the priority inversion caused by tasks of lower priority. *)
- Let blocking_bound :=
- \max_(tsk_other <- ts | ~~ hep_task tsk_other tsk)
- (task_max_nonpreemptive_segment tsk_other - ε).
-
- (** Let L be any positive fixed point of the busy interval recurrence, determined by
- the sum of blocking and higher-or-equal-priority workload. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = blocking_bound + total_hep_rbf L.
-
- (** ** Response-Time Bound *)
-
- (** To reduce the time complexity of the analysis, recall the notion of search space. *)
- Let is_in_search_space := is_in_search_space tsk L.
-
- (** Next, consider any value [R], and assume that for any given
- arrival [A] from search space there is a solution of the
- response-time bound recurrence which is bounded by [R]. *)
- Variable R: nat.
- Hypothesis H_R_is_maximum:
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= blocking_bound
- + (task_rbf (A + ε) - (task_last_nonpr_segment tsk - ε))
- + total_ohep_rbf (A + F) /\
- R >= F + (task_last_nonpr_segment tsk - ε).
-
- (** Now, we can reuse the results for the abstract model with
- bounded non-preemptive segments to establish a response-time
- bound for the more concrete model of fixed preemption points. *)
-
- Let response_time_bounded_by := task_response_time_bound arr_seq sched.
-
- Theorem uniprocessor_response_time_bound_fp_with_fixed_preemption_points:
- response_time_bounded_by tsk R.
- Proof.
- move: (H_valid_model_with_fixed_preemption_points) => [MLP [BEG [END [INCR [HYP1 [HYP2 HYP3]]]]]].
- move: (MLP) => [BEGj [ENDj _]].
- edestruct (posnP (task_cost tsk)) as [ZERO|POSt].
- { intros j ARR TSK.
- move: (H_valid_job_cost _ ARR) => POSt.
- move: TSK => /eqP TSK; move: POSt; rewrite /valid_job_cost TSK ZERO leqn0; move => /eqP Z.
- by rewrite /job_response_time_bound /completed_by Z.
- }
- try ( eapply uniprocessor_response_time_bound_fp_with_bounded_nonpreemptive_segments
- with (L0 := L) ) ||
- eapply uniprocessor_response_time_bound_fp_with_bounded_nonpreemptive_segments
- with (L := L).
- all: rt_eauto.
- - by apply sequential_readiness_implies_work_bearing_readiness; rt_auto.
- - by apply sequential_readiness_implies_sequential_tasks; rt_auto.
- - intros A SP.
- destruct (H_R_is_maximum _ SP) as[FF [EQ1 EQ2]].
- exists FF; rewrite subKn; first by done.
- rewrite /task_last_nonpr_segment -(leq_add2r 1) subn1 !addn1 prednK; last first.
- + rewrite /last0 -nth_last.
- apply HYP3; try by done.
- rewrite -(ltn_add2r 1) !addn1 prednK //.
- move: (number_of_preemption_points_in_task_at_least_two
- _ _ H_valid_model_with_fixed_preemption_points _ H_tsk_in_ts POSt) => Fact2.
- move: (Fact2) => Fact3.
- by rewrite size_of_seq_of_distances // addn1 ltnS // in Fact2.
- + apply leq_trans with (task_max_nonpreemptive_segment tsk).
- * by apply last_of_seq_le_max_of_seq.
- * rewrite -END; last by done.
- apply ltnW; rewrite ltnS; try done.
- by apply max_distance_in_seq_le_last_element_of_seq; eauto 2.
- Qed.
-
-End RTAforFixedPreemptionPointsModelwithArrivalCurves.
diff --git a/results/gel/rta/bounded_pi.v b/results/gel/rta/bounded_pi.v
deleted file mode 100644
index e1a83957cae0c3182770a29ec87c500020e5f46f..0000000000000000000000000000000000000000
--- a/results/gel/rta/bounded_pi.v
+++ /dev/null
@@ -1,426 +0,0 @@
-From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bigop ssrZ.
-
-Require Import prosa.model.readiness.basic.
-Require Import prosa.analysis.abstract.ideal_jlfp_rta.
-Require Import prosa.analysis.facts.busy_interval.carry_in.
-Require Import prosa.analysis.facts.readiness.basic.
-Require Import prosa.model.schedule.priority_driven.
-Require Import prosa.model.priority.gel.
-Require Import analysis.facts.priority.gel.
-Require Import prosa.analysis.facts.busy_interval.ideal.inequalities.
-Require Import prosa.analysis.facts.model.workload.
-
-(** * Abstract RTA for GEL-Schedulers with Bounded Priority Inversion *)
-(** In this module we instantiate the abstract response-time analysis
- (aRTA) for GEL-schedulers assuming the ideal uni-processor model and
- real-time tasks with arbitrary arrival models. *)
-
-(** The important feature of this instantiation is that
- it allows reasoning about the meaningful notion of priority
- inversion. However, we do not specify the exact cause of priority
- inversion (as there may be different reasons for this, like
- execution of a non-preemptive segment or blocking due to resource
- locking). We only assume that the duration of priority inversion is
- bounded. *)
-
-Section AbstractRTAforGELwithArrivalCurves.
-
- (** We consider tasks and jobs with the given parameters. *)
- Context {Task : TaskType} `{TaskCost Task} `{TaskRunToCompletionThreshold Task}
- `{TaskMaxNonpreemptiveSegment Task} `{MaxArrivals Task}.
- Context {Job : JobType} `{JobTask Job Task} {Arrival : JobArrival Job}
- {Cost : JobCost Job} `{JobPreemptable Job} `{PriorityPoint Task}.
-
- (** We assume the basic readiness model. *)
- #[local] Existing Instance basic_ready_instance.
-
- (** ** A. Defining the System Model *)
-
- (** We begin by defining the system model. First,
- we model arrivals using an arrival sequence. We assume
- that the arrival is consistent and does not contain duplicates. *)
- Variable arr_seq : arrival_sequence Job.
- Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.
-
- (** We consider a valid, ideal uniprocessor schedule... *)
- Variable sched : schedule (ideal.processor_state Job).
- Hypothesis H_sched_valid : valid_schedule sched arr_seq.
-
- (** ... that respects the GEL policy at every preemption point. *)
- Hypothesis H_respects_policy : respects_JLFP_policy_at_preemption_point arr_seq sched (GEL Job Task).
-
- (** We assume that all arrivals have valid job costs. *)
- Hypothesis H_valid_job_cost:
- arrivals_have_valid_job_costs arr_seq.
-
- (** We model the tasks in the system using a task set [ts].
- We assume that all jobs in the system come from this task set. *)
- Variable ts : list Task.
- Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.
-
- (** We assume that the task set respects the arrival curve
- defined by [max_arrivals]. *)
- Hypothesis H_valid_arrival_curve : valid_taskset_arrival_curve ts max_arrivals.
- Hypothesis H_is_arrival_curve : taskset_respects_max_arrivals arr_seq ts.
-
- (** The task under consideration [tsk] is contained in [ts]. *)
- Variable tsk : Task.
- Hypothesis H_tsk_in_ts : tsk \in ts.
-
- (** While we do not assume an explicit preemption model,
- we assume that any preemption model under consideration
- is valid. We also assume that the run-to-completion-threshold
- of the task [tsk] is valid. *)
- Hypothesis H_valid_preemption_model:
- valid_preemption_model arr_seq sched.
- Hypothesis H_valid_run_to_completion_threshold:
- valid_task_run_to_completion_threshold arr_seq tsk.
-
- (** As mentioned, we assume that the priority inversion for the task
- [tsk] is bound by [priority_inversion_bound]. *)
- Variable priority_inversion_bound: duration -> duration.
- Hypothesis H_priority_inversion_is_bounded:
- priority_inversion_is_bounded_by arr_seq sched tsk priority_inversion_bound.
-
- (** ** B. Encoding the Scheduling Policy and Preemption Model *)
- (** Next, we encode the scheduling policy and preemption model
- using the functions [interference] and [interfering_workload].
- To this end, we simply reuse the general definitions of interference
- and interfering workload that apply to any JLFP policy, as defined in
- the module [ideal_jlfp_rta]. *)
- Let interference (j : Job) (t : instant) :=
- ideal_jlfp_rta.interference arr_seq sched j t.
-
- Let interfering_workload (j : Job) (t : instant) :=
- ideal_jlfp_rta.interfering_workload arr_seq sched j t.
-
- (** ** C. Abstract Work Conservation *)
- (** Let us recall the abstract and classic notations of work conservation. *)
- Let work_conserving_ab := definitions.work_conserving arr_seq sched.
- Let work_conserving_cl := work_conserving.work_conserving arr_seq sched.
-
- (** We assume that the schedule is work-conserving in the classic sense,
- which allows us to apply [instantiated_i_and_w_are_coherent_with_schedule]
- to conclude that abstract work-conservation also holds. *)
- Hypothesis H_work_conserving : work_conserving_cl.
-
- (** ** D. Bounding the Maximum Busy-Window Length *)
- (** Next, we define [L] as the fixed point of the given equation.
- Given this definition of [L], we can apply the theorem
- [instantiated_busy_intervals_are_bounded] to prove that [L]
- bounds the length of the busy window. *)
- Variable L : duration.
- Hypothesis H_L_positive : L > 0.
- Hypothesis H_fixed_point : L = total_request_bound_function ts L.
-
- (** ** E. Defining [IBF_other] *)
- (** Next, we define [IBF_other] and prove that [IBF_other] bounds
- the interference incurred by any job of [tsk]. *)
-
- (** Consider the following parametrized interval. *)
- Let interval (tsk_o : Task) (A : instant):=
- (Z.of_nat(A + ε) + task_priority_point tsk - task_priority_point tsk_o)%Z.
-
-
- (** We define the bound on the total higher-or-equal-priority (HEP) workload
- produced during the interval [Δ] as the sum of the RBFs of all tasks in
- the task set [ts] (excluding [tsk]) over the minimum of [Δ] and [interval]. *)
- Let bound_on_total_hep_workload (A Δ : duration) :=
- \sum_(tsk_o <- ts | tsk_o != tsk)
- task_request_bound_function tsk_o (minn (Z.to_nat (interval tsk_o A)) Δ).
-
- (** Finally, [IBF_other] for an interval [R] is defined as the sum of
- [bound_on_total_hep_workload] in [R] and [priority_inversion_bound]. *)
- Let IBF_other (A R : duration) := priority_inversion_bound A + bound_on_total_hep_workload A R.
-
- (** For convenience, we define the following acronym. *)
- Let PP (task : Task) := (task_priority_point task).
-
- (** In this section, we prove the soundness of [IBF_other]. We start
- by establishing a bound on the HEP workload.*)
- Section HepWorkloadBound.
-
- (** Consider any job [j] of task [tsk] that
- has a positive job cost and is in the arrival
- sequence. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
- Hypothesis H_job_cost_positive: job_cost_positive j.
-
- (** Assume the busy interval of [j] is given by <<[t1,t2)>>. *)
- Variable t1 t2 : duration.
- Hypothesis H_busy_interval :
- definitions.busy_interval sched interference interfering_workload j t1 t2.
-
- (** Assume the relative arrival time of [j] is given by [A]. *)
- Let A := job_arrival j - t1.
-
- (** Consider any arbitrary interval [Δ] within the busy window. *)
- Variable Δ : duration.
- Hypothesis H_Δ_in_busy : t1 + Δ < t2.
-
- (** Consider the set of jobs arriving in <<[t1, t1 + Δ)>>. *)
- Let jobs := arrivals_between arr_seq t1 (t1 + Δ).
-
- (** We define a predicate to identify higher priority jobs coming from the task [tsk]. *)
- Let GEL_from (tsk : Task) := fun (jo : Job) => hep_job jo j && (job_task jo == tsk).
-
- (** First, consider the case where [interval ≤ Δ]. *)
- Section ShortenRange.
-
-
- (** Consider any task [tsk_o] distinct from [tsk].
- Assume [tsk_o] is in [ts]. *)
- Variable tsk_o : Task.
- Hypothesis H_tsko_in_ts: tsk_o \in ts.
- Hypothesis H_neq: tsk_o != tsk.
-
- (** If [Δ] is greater than [interval] for [tsk_o] and [A], ... *)
- Hypothesis H_Δ_ge: Z.to_nat (interval tsk_o A) <= Δ.
-
- (** ... then the workload of jobs satisfying the predicate [GEL_from]
- in the interval <<[t1,t1 + Δ)>> is equal to the workload in
- the interval <<[t1, t1 + interval [tsk_o] [A])>>.
- Note that, we use the functions [Z.to_nat] to [Z.of_nat] to convert
- integers to natural numbers and vice-versa. *)
- Lemma total_workload_shorten_range:
- workload_of_jobs (GEL_from tsk_o)
- (arrivals_between arr_seq t1 (t1 + Δ))
- <= workload_of_jobs (GEL_from tsk_o)
- (arrivals_between arr_seq t1
- (Z.to_nat (Z.of_nat t1 + interval tsk_o A))).
- Proof.
- have BOUNDED: Z.to_nat (Z.of_nat t1 + (interval tsk_o A)) <= t1 + Δ by lia.
- rewrite (workload_of_jobs_nil_tail _ _ BOUNDED) // => j' IN' ARR'; rt_eauto.
- rewrite /GEL_from.
- case: (eqVneq (job_task j') tsk_o) => TSK';
- last by rewrite andbF.
- rewrite andbT; apply: contraT => /negPn HEP.
- move: (hep_job_arrives_after_zero _ j' HEP) => GT0.
- move: (hep_job_arrives_before _ j' HEP) => EARLIEST.
- move: H_job_of_tsk; rewrite /job_of_task => /eqP TSK.
- move: ARR'; rewrite /interval /ε => LATEST.
- have LATEST': (Z.of_nat (t1 + A + 1) + task_priority_point tsk -
- task_priority_point tsk_o <= Z.of_nat (job_arrival j') )%Z
- by lia.
- by move: LATEST'; rewrite -TSK -TSK' => LATEST'; lia.
- Qed.
-
- End ShortenRange.
-
- (** Using the above lemma, we prove that [bound_on_total_hep_workload]
- bounds the sum of higher-priority workload over all tasks in [ts]. *)
- Corollary sum_of_workloads_is_at_most_bound_on_total_hep_workload :
- \sum_(tsk_o <- ts | tsk_o != tsk) workload_of_jobs (GEL_from tsk_o) jobs
- <= bound_on_total_hep_workload A Δ.
- Proof.
- move: (H_busy_interval) => [[/andP [JINBI JINBI2] [QT _]] _].
- apply leq_sum_seq => tsko INtsko NEQT.
- case ( Δ <= Z.to_nat (interval tsko A)) eqn: EQ.
- - rewrite /minn //= ifF; try by lia.
- by apply (workload_le_rbf arr_seq ts); try by done.
- - rewrite /minn ifT; try by lia.
- eapply leq_trans; first by eapply total_workload_shorten_range; eauto 2; lia.
- rewrite /GEL_from.
- case (interval tsko A >=? 0)%Z eqn: EQ1.
- + have -> : (Z.to_nat (Z.of_nat t1 + interval tsko A)) = t1 + Z.to_nat (interval tsko A)
- by lia.
- by eapply workload_le_rbf; rt_eauto.
- + rewrite arrivals_between_geq /workload_of_jobs.
- rewrite big_nil.
- have -> : Z.to_nat (interval tsko A) = 0 by lia.
- rewrite task_rbf_0_zero; rt_eauto.
- by lia.
- Qed.
-
- End HepWorkloadBound.
-
- (** Finally, we prove that [IBF_other] bounds the interference incurred by [tsk]. *)
- Corollary instantiated_task_interference_is_bounded:
- task_interference_is_bounded_by
- arr_seq sched tsk interference interfering_workload (fun tsk A R => IBF_other A R).
- Proof.
- move => j R2 t1 t2 ARR TSK N NCOMPL BUSY.
- move: (posnP (@job_cost _ Cost j)) => [ZERO|POS].
- - exfalso; move: NCOMPL => /negP COMPL; apply: COMPL.
- by rewrite /completed_by /completed_by ZERO.
- - move: (BUSY) => [[/andP [JINBI JINBI2] [QT _]] _].
- rewrite (cumulative_task_interference_split arr_seq _ sched _ _ _ _ _ tsk j); rt_eauto.
- + rewrite /I leq_add //.
- eapply cumulative_priority_inversion_is_bounded; rt_eauto.
- eapply leq_trans. eapply cumulative_interference_is_bounded_by_total_service; rt_eauto.
- eapply leq_trans. apply service_of_jobs_le_workload; rt_eauto.
- eapply leq_trans. eapply reorder_summation; eauto 2 => j' IN.
- by apply H_all_jobs_from_taskset; eapply in_arrivals_implies_arrived; exact IN.
- eapply leq_trans.
- move : TSK => /eqP TSK; rewrite TSK.
- eapply sum_of_workloads_is_at_most_bound_on_total_hep_workload; eauto 2.
- by apply /eqP.
- by done.
- + by eapply GEL_implies_sequential_tasks; rt_auto.
- + by eapply arrived_between_implies_in_arrivals; rt_eauto.
- Qed.
-
- (** ** F. Defining the Search Space *)
-
- (** In this section, we define the concrete search space for [GEL].
- Then, we prove that, if a given [A] is in the abstract search space,
- then it is also included in the concrete search space. *)
-
- (** In order to define the concrete search space, we
- define the predicates [task_rbf_changes_at], ... *)
- Definition task_rbf_changes_at (A : duration) :=
- task_request_bound_function tsk A != task_request_bound_function tsk (A + ε).
-
- (** ... [bound_on_total_hep_workload_changes_at], ... *)
- Definition bound_on_total_hep_workload_changes_at A :=
- has (fun tsko =>
- ((tsk != tsko) && (interval tsko (A - ε) != interval tsko A)))
- ts.
-
- (** ... and [priority_inversion_changes_at]. *)
- Definition priority_inversion_changes_at (A : duration) :=
- priority_inversion_bound (A - ε) != priority_inversion_bound A.
-
- (** Finally, we define the concrete search space as the set containing
- all points less than [L] at which any of the bounds on priority inversion, task [rbf],
- or bound on total HEP workload changes. *)
- Definition is_in_search_space (A : duration) :=
- (A < L) && (priority_inversion_changes_at A
- || task_rbf_changes_at A
- || bound_on_total_hep_workload_changes_at A).
-
- (** In this section, we prove that for any job [j] of [tsk],
- if [A] is in the abstract search space, then it is also in
- the concrete search space. *)
- Section ConcreteSearchSpace.
-
- (** Consider any job j of [tsk]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** For [j], the total interference bound is defined as follows. *)
- Let total_interference_bound tsk (A Δ : duration) :=
- task_request_bound_function tsk (A + ε) - task_cost tsk + IBF_other A Δ.
-
- (** Consider any point [A] in the abstract search space. *)
- Variable A : duration.
- Hypothesis H_A_is_in_abstract_search_space:
- search_space.is_in_search_space tsk L total_interference_bound A.
-
- (** Then, [A] is also in the concrete search space. *)
- Lemma A_is_in_concrete_search_space:
- is_in_search_space A.
- Proof.
- move: H_A_is_in_abstract_search_space => [-> | [/andP [POSA LTL] [x [LTx INSP2]]]];
- apply/andP; split => //.
- { apply/orP; left; apply/orP; right.
- rewrite /task_rbf_changes_at task_rbf_0_zero //; eauto 2.
- apply contraT => /negPn /eqP ZERO.
- rewrite -(ltnn 0) {2}ZERO add0n.
- apply: (@leq_trans (task_cost tsk));
- last by apply: task_rbf_1_ge_task_cost; rt_eauto.
- apply: (@leq_trans (job_cost j)) => //.
- move: (H_job_of_tsk) => /eqP <-.
- by apply: (H_valid_job_cost _ H_j_arrives). }
- { apply contraT; rewrite !negb_or => /andP [/andP [/negPn/eqP PI /negPn/eqP RBF] WL].
- exfalso; apply INSP2.
- rewrite /total_interference_bound subnK // RBF.
- apply /eqP; rewrite eqn_add2l /IBF_other PI eqn_add2l.
- rewrite /bound_on_total_hep_workload.
- apply /eqP; rewrite big_seq_cond [RHS]big_seq_cond.
- apply eq_big => // tsk_i /andP [TS OTHER].
- move: WL; rewrite /bound_on_total_hep_workload_changes_at => /hasPn WL.
- move: {WL} (WL tsk_i TS) => /nandP [/negPn/eqP EQ|/negPn/eqP WL];
- first by move: OTHER; rewrite EQ => /neqP.
- case: (ltngtP (Z.to_nat (interval tsk_i A)) x) => [ltn_x|gtn_x|eq_x];
- rewrite /minn;
- first by rewrite ifT // WL.
- - rewrite ifF // WL.
- by lia.
- - by case: (Z.to_nat (interval tsk_i (A - ε)) < x)%nat; [rewrite WL| rewrite eq_x]. }
- Qed.
-
- End ConcreteSearchSpace.
-
- (** ** G. Stating the Response-Time Bound [R] *)
-
- (** Finally, we define the response-time bound [R] as follows. *)
- Variable R : duration.
- Hypothesis H_R_is_maximum:
- forall (A : duration),
- is_in_search_space A ->
- exists (F : duration),
- A + F >= priority_inversion_bound A
- + (task_request_bound_function tsk (A + ε) - (task_cost tsk - task_rtct tsk))
- + bound_on_total_hep_workload A (A + F) /\
- R >= F + (task_cost tsk - task_rtct tsk).
-
- Section ResponseTimeReccurence.
-
- (** In order to connect the concrete definition of [R]
- with the shape of response-time bound equation that aRTA expects,
- we prove the theorem [correct_search_space]. *)
- Variable j : Job.
- Hypothesis H_j_arrives : arrives_in arr_seq j.
- Hypothesis H_job_of_tsk : job_of_task tsk j.
- Hypothesis H_job_cost_positive : job_cost_positive j.
-
- (** We define the total interference as defined above. *)
- Let total_interference_bound tsk (A Δ : duration) :=
- task_request_bound_function tsk (A + ε) - task_cost tsk + IBF_other A Δ.
-
- (** We know that if [A] is in the abstract search then it is in the concrete search space.
- We also know that if [A] is in the concrete search space then there exists an [R] that
- satisfies [H_R_is_maximum]. Using these facts, here we prove that if [A]
- is in the abstract search space then, there exists a solution to the response-time
- equation as stated in the aRTA. *)
- Corollary correct_search_space:
- forall A,
- search_space.is_in_search_space tsk L total_interference_bound A ->
- exists F,
- A + F >= task_request_bound_function tsk (A + ε) - (task_cost tsk - task_rtct tsk) +
- IBF_other A (A + F) /\ R >= F + (task_cost tsk - task_rtct tsk).
- Proof.
- move => A IN.
- edestruct H_R_is_maximum as [F [FIX NEQ]].
- eapply A_is_in_concrete_search_space; rt_eauto.
- exists F; split; last by done.
- rewrite -{2}(leqRW FIX).
- by rewrite addnA [_ + priority_inversion_bound A]addnC -!addnA.
- Qed.
-
- End ResponseTimeReccurence.
-
-
-
-
- (** ** H. Soundness of the Response-Time Bound *)
-
- (** Finally, we prove that [R] is a bound on the response time of the
- task [tsk]. *)
- Theorem uniprocessor_response_time_bound_edf:
- task_response_time_bound arr_seq sched tsk R.
- Proof.
- move => js ARRs TSKs.
- move: (posnP (@job_cost _ Cost js)) => [ZERO|POS].
- { by rewrite /job_response_time_bound /completed_by ZERO. }
- ( try ( eapply uniprocessor_response_time_bound_seq with
- (interference0 := interference) (interfering_workload0 := interfering_workload)
- (task_interference_bound_function := fun tsk A R => IBF_other A R) (L0 := L) ) ||
- eapply uniprocessor_response_time_bound_seq with
- (interference := interference) (interfering_workload := interfering_workload)
- (task_interference_bound_function := fun tsk A R => IBF_other A R) (L := L)); rt_eauto.
- - by eapply instantiated_i_and_w_are_coherent_with_schedule; rt_eauto.
- * eapply GEL_implies_sequential_tasks; rt_eauto.
- - by eapply instantiated_interference_and_workload_consistent_with_sequential_tasks; rt_eauto.
- - by eapply instantiated_busy_intervals_are_bounded; rt_eauto.
- - by apply instantiated_task_interference_is_bounded.
- - by eapply correct_search_space; eauto 2.
- Qed.
-
-
-End AbstractRTAforGELwithArrivalCurves.