Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
P
PROSA  Formally Proven Schedulability Analysis
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
2
Issues
2
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Vedant Chavda
PROSA  Formally Proven Schedulability Analysis
Commits
d1f8192c
Commit
d1f8192c
authored
Dec 02, 2019
by
Sergey Bozhko
Committed by
Björn Brandenburg
Dec 10, 2019
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
address spellchecking issues in analysis
parent
54220d8c
Changes
27
Expand all
Hide whitespace changes
Inline
Sidebyside
Showing
27 changed files
with
320 additions
and
326 deletions
+320
326
restructuring/analysis/abstract/abstract_rta.v
restructuring/analysis/abstract/abstract_rta.v
+61
61
restructuring/analysis/abstract/abstract_seq_rta.v
restructuring/analysis/abstract/abstract_seq_rta.v
+53
53
restructuring/analysis/abstract/definitions.v
restructuring/analysis/abstract/definitions.v
+33
33
restructuring/analysis/abstract/ideal_jlfp_rta.v
restructuring/analysis/abstract/ideal_jlfp_rta.v
+15
15
restructuring/analysis/abstract/run_to_completion.v
restructuring/analysis/abstract/run_to_completion.v
+12
12
restructuring/analysis/abstract/search_space.v
restructuring/analysis/abstract/search_space.v
+37
38
restructuring/analysis/concepts/priority_inversion.v
restructuring/analysis/concepts/priority_inversion.v
+6
6
restructuring/analysis/concepts/request_bound_function.v
restructuring/analysis/concepts/request_bound_function.v
+8
8
restructuring/analysis/concepts/schedulability.v
restructuring/analysis/concepts/schedulability.v
+7
7
restructuring/analysis/definitions/carry_in.v
restructuring/analysis/definitions/carry_in.v
+2
2
restructuring/analysis/definitions/task_schedule.v
restructuring/analysis/definitions/task_schedule.v
+6
6
restructuring/analysis/facts/behavior/ideal_schedule.v
restructuring/analysis/facts/behavior/ideal_schedule.v
+7
7
restructuring/analysis/facts/behavior/service.v
restructuring/analysis/facts/behavior/service.v
+4
4
restructuring/analysis/facts/behavior/service_of_jobs.v
restructuring/analysis/facts/behavior/service_of_jobs.v
+9
9
restructuring/analysis/facts/behavior/task_arrivals.v
restructuring/analysis/facts/behavior/task_arrivals.v
+1
1
restructuring/analysis/facts/busy_interval.v
restructuring/analysis/facts/busy_interval.v
+6
6
restructuring/analysis/facts/preemption/job/limited.v
restructuring/analysis/facts/preemption/job/limited.v
+6
6
restructuring/analysis/facts/preemption/job/preemptive.v
restructuring/analysis/facts/preemption/job/preemptive.v
+1
1
restructuring/analysis/facts/preemption/rtc_threshold/job_preemptable.v
...analysis/facts/preemption/rtc_threshold/job_preemptable.v
+3
3
restructuring/analysis/facts/preemption/task/floating.v
restructuring/analysis/facts/preemption/task/floating.v
+6
6
restructuring/analysis/facts/preemption/task/limited.v
restructuring/analysis/facts/preemption/task/limited.v
+2
2
restructuring/analysis/facts/preemption/task/nonpreemptive.v
restructuring/analysis/facts/preemption/task/nonpreemptive.v
+3
3
restructuring/analysis/facts/preemption/task/preemptive.v
restructuring/analysis/facts/preemption/task/preemptive.v
+2
2
restructuring/analysis/facts/priority_inversion.v
restructuring/analysis/facts/priority_inversion.v
+14
17
restructuring/analysis/facts/rbf.v
restructuring/analysis/facts/rbf.v
+14
16
restructuring/analysis/facts/readiness/basic.v
restructuring/analysis/facts/readiness/basic.v
+1
1
restructuring/analysis/transform/edf_trans.v
restructuring/analysis/transform/edf_trans.v
+1
1
No files found.
restructuring/analysis/abstract/abstract_rta.v
View file @
d1f8192c
This diff is collapsed.
Click to expand it.
restructuring/analysis/abstract/abstract_seq_rta.v
View file @
d1f8192c
This diff is collapsed.
Click to expand it.
restructuring/analysis/abstract/definitions.v
View file @
d1f8192c
This diff is collapsed.
Click to expand it.
restructuring/analysis/abstract/ideal_jlfp_rta.v
View file @
d1f8192c
...
...
@@ 31,7 +31,7 @@ Section JLFPInstantiation.
Hypothesis
H_arrival_times_are_consistent
:
consistent_arrival_times
arr_seq
.
Hypothesis
H_arr_seq_is_a_set
:
arrival_sequence_uniq
arr_seq
.
(** Next, consider any ideal uniprocessor schedule of this arrival sequence ... *)
(** Next, consider any ideal uni

processor schedule of this arrival sequence ... *)
Variable
sched
:
schedule
(
ideal
.
processor_state
Job
).
Hypothesis
H_jobs_come_from_arrival_sequence
:
jobs_come_from_arrival_sequence
sched
arr_seq
.
...
...
@@ 55,7 +55,7 @@ Section JLFPInstantiation.
earlierarrived jobs of the same task. *)
Hypothesis
H_JLFP_respects_sequential_tasks
:
policy_respects_sequential_tasks
.
(** Let
tsk
be any task in ts that is to be analyzed. *)
(** Let
[tsk]
be any task in ts that is to be analyzed. *)
Variable
tsk
:
Task
.
(** For simplicity, let's define some local names. *)
...
...
@@ 72,13 +72,13 @@ Section JLFPInstantiation.
of a job, we need to distinguish interference received from other
jobs of the same task and jobs of other tasks. In that regard, we
introduce two additional relations. The first relation defines
whether job
j1 has a higherthanorequalpriority than job j2
and
j1 is not equal to j2
... *)
whether job
[j1] has a higherthanorequalpriority than job [j2]
and
[j1] is not equal to [j2]
... *)
Let
another_hep_job
:
JLFP_policy
Job
:
=
fun
j1
j2
=>
higher_eq_priority
j1
j2
&&
(
j1
!=
j2
).
(** ...and the second relation defines whether a job
j1
has a higherorequalpriority than
job
j2 and the task of j1 is not equal to task of j2
. *)
(** ...and the second relation defines whether a job
[j1]
has a higherorequalpriority than
job
[j2] and the task of [j1] is not equal to task of [j2]
. *)
Let
hep_job_from_another_task
:
JLFP_policy
Job
:
=
fun
j1
j2
=>
higher_eq_priority
j1
j2
&&
(
job_task
j1
!=
job_task
j2
).
...
...
@@ 99,7 +99,7 @@ Section JLFPInstantiation.
is_priority_inversion
sched
higher_eq_priority
j
t
.
(** Next, we say that job j is incurring interference from another job with higher or equal
priority at time t, if there exists job
jhp
(different from j) with a higher or equal priority
priority at time t, if there exists job
[jhp]
(different from j) with a higher or equal priority
that executes at time t. *)
Definition
is_interference_from_another_hep_job
(
j
:
Job
)
(
t
:
instant
)
:
=
if
sched
t
is
Some
jhp
then
...
...
@@ 107,7 +107,7 @@ Section JLFPInstantiation.
else
false
.
(** Similarly, we say that job j is incurring interference from a job with higher or
equal priority of another task at time t, if there exists a job
jhp
(of a different task)
equal priority of another task at time t, if there exists a job
[jhp]
(of a different task)
with higher or equal priority that executes at time t. *)
Definition
is_interference_from_hep_job_from_another_task
(
j
:
Job
)
(
t
:
instant
)
:
=
if
sched
t
is
Some
jhp
then
...
...
@@ 182,7 +182,7 @@ Section JLFPInstantiation.
interfering workload) and definitions corresponding to the conventional concepts.
As it was mentioned previously, instantiated functions of interference and
interfering workload usually do not have any useful lemmas about them. Ho
vew
er,
interfering workload usually do not have any useful lemmas about them. Ho
wev
er,
it is possible to prove their equivalence to the more conventional notions like
service or workload. Next we prove the equivalence between the instantiations
and conventional notions. *)
...
...
@@ 214,10 +214,10 @@ Section JLFPInstantiation.
}
Qed
.
(** Let
j be any job of task tsk, and let upp_t be any time instant after job j
's arrival.
Then for any time interval lying before
upp_t, the cumulative interference received by tsk
is equal to the sum of the cumulative priority inversion of job
j
and the cumulative interference
incurred by task
tsk
due to other tasks. *)
(** Let
[j] be any job of task [tsk], and let [upp_t] be any time instant after job [j]
's arrival.
Then for any time interval lying before
[upp_t], the cumulative interference received by [tsk]
is equal to the sum of the cumulative priority inversion of job
[j]
and the cumulative interference
incurred by task
[tsk]
due to other tasks. *)
Lemma
cumulative_task_interference_split
:
forall
j
t1
t2
upp_t
,
job_task
j
=
tsk
>
...
...
@@ 275,7 +275,7 @@ Section JLFPInstantiation.
(** Let [t1,t2) be any time interval. *)
Variables
t1
t2
:
instant
.
(** Consider any job j of
tsk
. *)
(** Consider any job j of
[tsk]
. *)
Variable
j
:
Job
.
Hypothesis
H_j_arrives
:
arrives_in
arr_seq
j
.
Hypothesis
H_job_of_tsk
:
job_of_task
tsk
j
.
...
...
@@ 424,7 +424,7 @@ Section JLFPInstantiation.
the conventional, concrete definition of busy interval for JLFP scheduling. *)
Section
BusyIntervalEquivalence
.
(** Consider any job j of
tsk
. *)
(** Consider any job j of
[tsk]
. *)
Variable
j
:
Job
.
Hypothesis
H_j_arrives
:
arrives_in
arr_seq
j
.
Hypothesis
H_job_of_tsk
:
job_task
j
=
tsk
.
...
...
restructuring/analysis/abstract/run_to_completion.v
View file @
d1f8192c
...
...
@@ 5,13 +5,13 @@ From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq path fintype bi
(** * RuntoCompletion Threshold of a job *)
(** In this module, we provide a sufficient condition under which a job
receives enough service to become nonpreemptive. *)
receives enough service to become non

preemptive. *)
(** Previously we defined the notion of runtocompletion threshold (see file
abstract.run_to_completion_threshold.v). Runtocompletion threshold is the
amount of service after which a job cannot be preempted until its completion.
In this section we prove that if cumulative interference inside a busy interval
is bounded by a certain constant then a job executes long enough to reach its
runtocompletion threshold and become nonpreemptive. *)
runtocompletion threshold and become non

preemptive. *)
Section
AbstractRTARunToCompletionThreshold
.
(** Consider any type of tasks ... *)
...
...
@@ 25,20 +25,20 @@ Section AbstractRTARunToCompletionThreshold.
Context
`
{
JobCost
Job
}.
(** In addition, we assume existence of a function
maping jobs to their preemption points. *)
map
p
ing jobs to their preemption points. *)
Context
`
{
JobPreemptable
Job
}.
(** Consider any arrival sequence with consistent arrivals... *)
Variable
arr_seq
:
arrival_sequence
Job
.
Hypothesis
H_arrival_times_are_consistent
:
consistent_arrival_times
arr_seq
.
(** Next, consider any ideal uniprocessor schedule of this arrival sequence. *)
(** Next, consider any ideal uni

processor schedule of this arrival sequence. *)
Variable
sched
:
schedule
(
ideal
.
processor_state
Job
).
(** Assume that the job costs are no larger than the task costs. *)
Hypothesis
H_jobs_respect_taskset_costs
:
cost_of_jobs_from_arrival_sequence_le_task_cost
arr_seq
.
(** Let
tsk
be any task that is to be analyzed. *)
(** Let
[tsk]
be any task that is to be analyzed. *)
Variable
tsk
:
Task
.
(** Assume we are provided with abstract functions for interference and interfering workload. *)
...
...
@@ 54,17 +54,17 @@ Section AbstractRTARunToCompletionThreshold.
(** We assume that the schedule is workconserving. *)
Hypothesis
H_work_conserving
:
work_conserving
interference
interfering_workload
.
(** Let
j be any job of task tsk
with positive cost. *)
(** Let
[j] be any job of task [tsk]
with positive cost. *)
Variable
j
:
Job
.
Hypothesis
H_j_arrives
:
arrives_in
arr_seq
j
.
Hypothesis
H_job_of_tsk
:
job_task
j
=
tsk
.
Hypothesis
H_job_cost_positive
:
job_cost_positive
j
.
(** Next, consider any busy interval [t1, t2) of job
j
. *)
(** Next, consider any busy interval [t1, t2) of job
[j]
. *)
Variable
t1
t2
:
instant
.
Hypothesis
H_busy_interval
:
busy_interval
j
t1
t2
.
(** First, we prove that job
j
completes by the end of the busy interval.
(** First, we prove that job
[j]
completes by the end of the busy interval.
Note that the busy interval contains the execution of job j, in addition
time instant t2 is a quiet time. Thus by the definition of a quiet time
the job should be completed before time t2. *)
...
...
@@ 79,10 +79,10 @@ Section AbstractRTARunToCompletionThreshold.
Qed
.
(** In this section we show that the cumulative interference is a complement to
the total time where job
j
is scheduled inside the busy interval. *)
the total time where job
[j]
is scheduled inside the busy interval. *)
Section
InterferenceIsComplement
.
(** Consider any subinterval [t, t + delta) inside the busy interval [t1, t2). *)
(** Consider any sub

interval [t, t + delta) inside the busy interval [t1, t2). *)
Variables
(
t
:
instant
)
(
delta
:
duration
).
Hypothesis
H_greater_than_or_equal
:
t1
<=
t
.
Hypothesis
H_less_or_equal
:
t
+
delta
<=
t2
.
...
...
@@ 108,7 +108,7 @@ Section AbstractRTARunToCompletionThreshold.
End
InterferenceIsComplement
.
(** In this section, we prove a sufficient condition under which job
j
receives enough service. *)
(** In this section, we prove a sufficient condition under which job
[j]
receives enough service. *)
Section
InterferenceBoundedImpliesEnoughService
.
(** Let progress_of_job be the desired service of job j. *)
...
...
@@ 162,7 +162,7 @@ Section AbstractRTARunToCompletionThreshold.
Hypothesis
H_valid_preemption_model
:
valid_preemption_model
arr_seq
sched
.
(** Then, job
j
must complete in [job_cost j  job_run_to_completion_threshold j] time
(** Then, job
[j]
must complete in [job_cost j  job_run_to_completion_threshold j] time
units after it reaches runtocompletion threshold. *)
Lemma
job_completes_after_reaching_run_to_completion_threshold
:
forall
t
,
...
...
restructuring/analysis/abstract/search_space.v
View file @
d1f8192c
...
...
@@ 3,16 +3,16 @@ Require Import rt.util.tactics.
Require
Import
rt
.
restructuring
.
model
.
task
.
concept
.
From
mathcomp
Require
Import
ssreflect
ssrbool
eqtype
ssrnat
seq
path
fintype
bigop
.
(** * Reduction of the se
ra
ch space for Abstract RTA *)
(** * Reduction of the se
ar
ch space for Abstract RTA *)
(** In this file, we prove that in order to calculate the worstcase response time
it is sufficient to consider only values of
A
that lie in the search space defined below. *)
it is sufficient to consider only values of
[A]
that lie in the search space defined below. *)
Section
AbstractRTAReduction
.
(** The responsetime analysis we are presenting in this series of documents is based on searching
over all possible values of
A
, the relative arrival time of the job respective to the beginning
over all possible values of
[A]
, the relative arrival time of the job respective to the beginning
of the busy interval. However, to obtain a practically useful responsetime bound, we need to
constrain the search space of values of
A
. In this section, we define an approach to
constrain the search space of values of
[A]
. In this section, we define an approach to
reduce the search space. *)
Context
{
Task
:
TaskType
}.
...
...
@@ 20,65 +20,65 @@ Section AbstractRTAReduction.
(** First, we provide a constructive notion of equivalent functions. *)
Section
EquivalentFunctions
.
(** Consider an arbitrary type
T
... *)
(** Consider an arbitrary type
[T]
... *)
Context
{
T
:
eqType
}.
(** ...and two function from
nat to T
. *)
(** ...and two function from
[nat] to [T]
. *)
Variables
f1
f2
:
nat
>
T
.
(** Let
B
be an arbitrary constant. *)
(** Let
[B]
be an arbitrary constant. *)
Variable
B
:
nat
.
(** Then we say that
f1 and f2 are equivalent at values less than B
iff
for any natural number
x less than B
[f1 x] is equal to [f2 x]. *)
(** Then we say that
[f1] and [f2] are equivalent at values less than [B]
iff
for any natural number
[x] less than [B]
[f1 x] is equal to [f2 x]. *)
Definition
are_equivalent_at_values_less_than
:
=
forall
x
,
x
<
B
>
f1
x
=
f2
x
.
(** And vice versa, we say that
f1 and f2
are not equivalent at values
less than
B iff there exists a natural number x less than B
such
(** And vice versa, we say that
[f1] and [f2]
are not equivalent at values
less than
[B] iff there exists a natural number [x] less than [B]
such
that [f1 x] is not equal to [f2 x]. *)
Definition
are_not_equivalent_at_values_less_than
:
=
exists
x
,
x
<
B
/\
f1
x
<>
f2
x
.
End
EquivalentFunctions
.
(** Let
tsk
be any task that is to be analyzed *)
(** Let
[tsk]
be any task that is to be analyzed *)
Variable
tsk
:
Task
.
(** To ensure that the analysis procedure terminates, we assume an upper bound
B
on
the values of
A that must be checked. The existence of B
follows from the assumption
(** To ensure that the analysis procedure terminates, we assume an upper bound
[B]
on
the values of
[A] that must be checked. The existence of [B]
follows from the assumption
that the system is not overloaded (i.e., it has bounded utilization). *)
Variable
B
:
duration
.
(** Instead of searching for the maximum interference of each individual job, we
assume a pertask interference bound function [IBF(tsk, A, x)] that is parameterized
by the relative arrival time
A
of a potential job (see abstract_RTA.definitions.v file). *)
by the relative arrival time
[A]
of a potential job (see abstract_RTA.definitions.v file). *)
Variable
interference_bound_function
:
Task
>
duration
>
duration
>
duration
.
(** Recall the definition of
ε
, which defines the neighborhood of a point in the timeline.
Note that
epsilon = 1
under discrete time. *)
(** To ensure that the search converges more quickly, we only check values of
A
in the interval
[
0, B) for which the interference bound function changes, i.e., every point x
in which
interference_bound_function (A  ε, x) is not equal to interference_bound_function (A, x)
. *)
(** Recall the definition of
[ε]
, which defines the neighborhood of a point in the timeline.
Note that
[ε = 1]
under discrete time. *)
(** To ensure that the search converges more quickly, we only check values of
[A]
in the interval
[
[0, B)] for which the interference bound function changes, i.e., every point [x]
in which
[interference_bound_function (A  ε, x)] is not equal to [interference_bound_function (A, x)]
. *)
Definition
is_in_search_space
A
:
=
A
=
0
\/
0
<
A
<
B
/\
are_not_equivalent_at_values_less_than
(
interference_bound_function
tsk
(
A

ε
))
(
interference_bound_function
tsk
A
)
B
.
(** In this section we prove that for every
A there exists a smaller A_sp
in the search space such that
interference_bound_function(A_sp,x)
is
equal to
interference_bound_function(A, x)
. *)
(** In this section we prove that for every
[A] there exists a smaller [A_sp]
in the search space such that
[interference_bound_function(A_sp,x)]
is
equal to
[interference_bound_function(A, x)]
. *)
Section
ExistenceOfRepresentative
.
(** Let
A be any constant less than B
. *)
(** Let
[A] be any constant less than [B]
. *)
Variable
A
:
duration
.
Hypothesis
H_A_less_than_B
:
A
<
B
.
(** We prove that there exists a constant
A_sp
such that:
(a)
A_sp is no greater than A, (b) interference_bound_function(A_sp, x)
is
equal to
interference_bound_function(A, x) and (c) A_sp
is in the search space.
In other words, either
A
is already inside the search space, or we can go
to the "left" until we reach
A_sp
, which will be inside the search space. *)
(** We prove that there exists a constant
[A_sp]
such that:
(a)
[A_sp] is no greater than [A], (b) [interference_bound_function(A_sp, x)]
is
equal to
[interference_bound_function(A, x)] and (c) [A_sp]
is in the search space.
In other words, either
[A]
is already inside the search space, or we can go
to the "left" until we reach
[A_sp]
, which will be inside the search space. *)
Lemma
representative_exists
:
exists
A_sp
,
A_sp
<=
A
/\
...
...
@@ 125,18 +125,18 @@ Section AbstractRTAReduction.
End
ExistenceOfRepresentative
.
(** In this section we prove that any solution of the responsetime recurrence for
a given point
A_sp
in the search space also gives a solution for any point
a given point
[A_sp]
in the search space also gives a solution for any point
A that shares the same interference bound. *)
Section
FixpointSolutionForAnotherA
.
(** Suppose
A_sp + F_sp is a "small" solution (i.e. less than B
) of the responsetime recurrence. *)
(** Suppose
[A_sp + F_sp] is a "small" solution (i.e. less than [B]
) of the responsetime recurrence. *)
Variables
A_sp
F_sp
:
duration
.
Hypothesis
H_less_than
:
A_sp
+
F_sp
<
B
.
Hypothesis
H_fixpoint
:
A_sp
+
F_sp
=
interference_bound_function
tsk
A_sp
(
A_sp
+
F_sp
).
(** Next, let
A be any point such that: (a) A_sp <= A <= A_sp + F_sp
and
(b)
interference_bound_function(A, x)
is equal to
interference_bound_function(A_sp, x) for all x less than B
. *)
(** Next, let
[A] be any point such that: (a) [A_sp <= A <= A_sp + F_sp]
and
(b)
[interference_bound_function(A, x)]
is equal to
[interference_bound_function(A_sp, x)] for all [x] less than [B]
. *)
Variable
A
:
duration
.
Hypothesis
H_bounds_for_A
:
A_sp
<=
A
<=
A_sp
+
F_sp
.
Hypothesis
H_equivalent
:
...
...
@@ 144,8 +144,8 @@ Section AbstractRTAReduction.
(
interference_bound_function
tsk
A
)
(
interference_bound_function
tsk
A_sp
)
B
.
(** We prove that there exists a cons
ant F
such that [A + F] is equal to [A_sp + F_sp]
and [A + F] is a solution for the responsetime recurrence for
A
. *)
(** We prove that there exists a cons
tant [F]
such that [A + F] is equal to [A_sp + F_sp]
and [A + F] is a solution for the responsetime recurrence for
[A]
. *)
Lemma
solution_for_A_exists
:
exists
F
,
A_sp
+
F_sp
=
A
+
F
/\
...
...
@@ 162,5 +162,4 @@ Section AbstractRTAReduction.
End
FixpointSolutionForAnotherA
.
End
AbstractRTAReduction
.
End
AbstractRTAReduction
.
\ No newline at end of file
restructuring/analysis/concepts/priority_inversion.v
View file @
d1f8192c
...
...
@@ 3,7 +3,7 @@ Require Export rt.restructuring.analysis.concepts.busy_interval.
From
mathcomp
Require
Import
ssreflect
ssrbool
eqtype
ssrnat
seq
fintype
bigop
.
(** * Cumulative Priority Inversion for JLFPmodels *)
(** In this module we define the notion of cumulative priority inversion for uniprocessor for JLFP schedulers. *)
(** In this module we define the notion of cumulative priority inversion for uni

processor for JLFP schedulers. *)
Section
CumulativePriorityInversion
.
(** Consider any type of tasks ... *)
...
...
@@ 32,7 +32,7 @@ Section CumulativePriorityInversion.
(** Consider an arbitrary task [tsk]. *)
Variable
tsk
:
Task
.
(** Consider any job j of
tsk
. *)
(** Consider any job j of
[tsk]
. *)
Variable
j
:
Job
.
Hypothesis
H_from_arrival_sequence
:
arrives_in
arr_seq
j
.
Hypothesis
H_job_task
:
job_of_task
tsk
j
.
...
...
@@ 52,8 +52,8 @@ Section CumulativePriorityInversion.
Definition
cumulative_priority_inversion
(
t1
t2
:
instant
)
:
=
\
sum_
(
t1
<=
t
<
t2
)
is_priority_inversion
t
.
(** We say that priority inversion of job
j is bounded by a constant B
iff cumulative
priority inversion within any busy in
verval prefix is bounded by B
. *)
(** We say that priority inversion of job
[j] is bounded by a constant [B]
iff cumulative
priority inversion within any busy in
terval prefix is bounded by [B]
. *)
Definition
priority_inversion_of_job_is_bounded_by
(
B
:
duration
)
:
=
forall
(
t1
t2
:
instant
),
busy_interval_prefix
arr_seq
sched
higher_eq_priority
j
t1
t2
>
...
...
@@ 64,10 +64,10 @@ Section CumulativePriorityInversion.
(** In this section, we define a notion of the bounded priority inversion for task. *)
Section
TaskPriorityInversionBound
.
(** Consider an arbitrary task
tsk
. *)
(** Consider an arbitrary task
[tsk]
. *)
Variable
tsk
:
Task
.
(** We say that task
tsk
has bounded priority inversion if all
(** We say that task
[tsk]
has bounded priority inversion if all
its jobs have bounded cumulative priority inversion. *)
Definition
priority_inversion_is_bounded_by
(
B
:
duration
)
:
=
forall
(
j
:
Job
),
...
...
restructuring/analysis/concepts/request_bound_function.v
View file @
d1f8192c
Require
Export
rt
.
restructuring
.
model
.
arrival
.
arrival_curves
.
Require
Export
rt
.
restructuring
.
model
.
priority
.
classes
.
(** The following definitions assume ideal uniprocessor schedules. This
(** The following definitions assume ideal uni

processor schedules. This
restriction exists for historic reasons; the defined concepts could be
generalized in future work. *)
Require
Import
rt
.
restructuring
.
analysis
.
facts
.
behavior
.
ideal_schedule
.
...
...
@@ 25,24 +25,24 @@ Section TaskWorkloadBoundedByArrivalCurves.
Context
`
{
JobTask
Job
Task
}.
Context
`
{
JobCost
Job
}.
(** Consider any ideal uniprocessor schedule of these jobs... *)
(** Consider any ideal uni

processor schedule of these jobs... *)
Variable
sched
:
schedule
(
ideal
.
processor_state
Job
).
(** ... and an FP policy that indicates a higherorequal priority
relation. *)
Variable
higher_eq_priority
:
FP_policy
Task
.
(** Let
MaxArrivals
denote any function that takes a task and an interval length
(** Let
[MaxArrivals]
denote any function that takes a task and an interval length
and returns the associated number of job arrivals of the task. *)
Context
`
{
MaxArrivals
Task
}.
(** ** RBF of a Single Task *)
(** In this section, we define a bound for the workload of a single task
under uniprocessor FP scheduling. *)
under uni

processor FP scheduling. *)
Section
SingleTask
.
(** Consider any task
tsk
that is to be scheduled in an interval of length delta. *)
(** Consider any task
[tsk]
that is to be scheduled in an interval of length delta. *)
Variable
tsk
:
Task
.
Variable
delta
:
duration
.
...
...
@@ 59,7 +59,7 @@ Section TaskWorkloadBoundedByArrivalCurves.
(** Consider a task set ts... *)
Variable
ts
:
list
Task
.
(** ...and let
tsk
be any task in task set. *)
(** ...and let
[tsk]
be any task in task set. *)
Variable
tsk
:
Task
.
(** Let delta be the length of the interval of interest. *)
...
...
@@ 77,14 +77,14 @@ Section TaskWorkloadBoundedByArrivalCurves.
\
sum_
(
tsk
<
ts
)
task_request_bound_function
tsk
delta
.
(** Similarly, we define the following bound for the total workload of
tasks of higherorequal priority (with respect to
tsk
) in any interval
tasks of higherorequal priority (with respect to
[tsk]
) in any interval
of length delta. *)
Definition
total_hep_request_bound_function_FP
:
=
\
sum_
(
tsk_other
<
ts

is_hep_task
tsk_other
)
task_request_bound_function
tsk_other
delta
.
(** We also define a bound for the total workload of higherorequal
priority tasks other than
tsk
in any interval of length delta. *)
priority tasks other than
[tsk]
in any interval of length delta. *)
Definition
total_ohep_request_bound_function_FP
:
=
\
sum_
(
tsk_other
<
ts

is_other_hep_task
tsk_other
)
task_request_bound_function
tsk_other
delta
.
...
...
restructuring/analysis/concepts/schedulability.v
View file @
d1f8192c
...
...
@@ 17,14 +17,14 @@ Section Task.
(** ...and any schedule of these jobs. *)
Variable
sched
:
schedule
PState
.
(** Let
tsk
be any task that is to be analyzed. *)
(** Let
[tsk]
be any task that is to be analyzed. *)
Variable
tsk
:
Task
.
(** Then, we say that R is a responsetime bound of
tsk
in this schedule ... *)
(** Then, we say that R is a responsetime bound of
[tsk]
in this schedule ... *)
Variable
R
:
duration
.
(** ... iff any job
j of tsk
in this arrival sequence has
completed by
(job_arrival j + R)
. *)
(** ... iff any job
[j] of [tsk]
in this arrival sequence has
completed by
[job_arrival j + R]
. *)
Definition
task_response_time_bound
:
=
forall
j
,
arrives_in
arr_seq
j
>
...
...
@@ 83,16 +83,16 @@ Section Schedulability.
(** Assume that jobs don't execute after completion. *)
Hypothesis
H_completed_jobs_dont_execute
:
completed_jobs_dont_execute
sched
.
(** Let
tsk
be any task that is to be analyzed. *)
(** Let
[tsk]
be any task that is to be analyzed. *)
Variable
tsk
:
Task
.
(** Given a responsetime bound of
tsk
in this schedule no larger than its deadline, ... *)
(** Given a responsetime bound of
[tsk]
in this schedule no larger than its deadline, ... *)
Variable
R
:
duration
.
Hypothesis
H_R_le_deadline
:
R
<=
task_deadline
tsk
.
Hypothesis
H_response_time_bounded
:
task_response_time_bound
arr_seq
sched
tsk
R
.
(** ...then
tsk
is schedulable. *)
(** ...then
[tsk]
is schedulable. *)
Lemma
schedulability_from_response_time_bound
:
schedulable_task
arr_seq
sched
tsk
.
Proof
.
...
...
restructuring/analysis/definitions/carry_in.v
View file @
d1f8192c
...
...
@@ 5,7 +5,7 @@ From mathcomp Require Import ssreflect ssrbool eqtype ssrnat seq fintype bigop.
Require
Import
rt
.
restructuring
.
model
.
processor
.
ideal
.
(** * No CarryIn *)
(** In this module we define the notion of no carryin time for uniprocessor schedulers. *)
(** In this module we define the notion of no carryin time for uni

processor schedulers. *)
Section
NoCarryIn
.
(** Consider any type of tasks ... *)
...
...
@@ 22,7 +22,7 @@ Section NoCarryIn.
Variable
arr_seq
:
arrival_sequence
Job
.
Hypothesis
H_arrival_times_are_consistent
:
consistent_arrival_times
arr_seq
.
(** Next, consider any ideal uniprocessor schedule of this arrival sequence. *)
(** Next, consider any ideal uni

processor schedule of this arrival sequence. *)
Variable
sched
:
schedule
(
ideal
.
processor_state
Job
).
(** The processor has no carryin at time t iff every job (regardless of priority)
...
...
restructuring/analysis/definitions/task_schedule.v
View file @
d1f8192c
...
...
@@ 4,7 +4,7 @@ Require Export rt.restructuring.analysis.facts.behavior.ideal_schedule.
From
mathcomp
Require
Import
ssreflect
ssrbool
eqtype
ssrnat
seq
fintype
bigop
.
(** Due to historical reasons this file defines the notion of a schedule of
a task for the ideal uniprocessor model. This is not a fundamental limitation
a task for the ideal uni

processor model. This is not a fundamental limitation
and the notion can be further generalized to an arbitrary model. *)
(** * Schedule of task *)
...
...
@@ 21,15 +21,15 @@ Section ScheduleOfTask.
Context
`
{
JobArrival
Job
}.
Context
`
{
JobCost
Job
}.
(** Let
sched be any ideal uni
processor schedule. *)
(** Let
[sched] be any ideal uni
processor schedule. *)
Variable
sched
:
schedule
(
ideal
.
processor_state
Job
).
Section
TaskProperties
.
(** Let
tsk
be any task. *)
(** Let
[tsk]
be any task. *)
Variable
tsk
:
Task
.
(** Next we define whether a task is scheduled at time
t
, ... *)
(** Next we define whether a task is scheduled at time
[t]
, ... *)
Definition
task_scheduled_at
(
t
:
instant
)
:
=
if
sched
t
is
Some
j
then
job_task
j
==
tsk
...
...
@@ 39,11 +39,11 @@ Section ScheduleOfTask.
Definition
task_service_at
(
t
:
instant
)
:
=
task_scheduled_at
t
.
(** Based on the notion of instantaneous service, we define the
cumulative service received by
tsk
during any interval [t1, t2)... *)
cumulative service received by
[tsk]
during any interval [t1, t2)... *)
Definition
task_service_during
(
t1
t2
:
instant
)
:
=
\
sum_
(
t1
<=
t
<
t2
)
task_service_at
t
.
(** ...and the cumulative service received by
tsk
up to time t2,
(** ...and the cumulative service received by
[tsk]
up to time t2,
i.e., in the interval [0, t2). *)
Definition
task_service
(
t2
:
instant
)
:
=
task_service_during
0
t2
.
...
...
restructuring/analysis/facts/behavior/ideal_schedule.v
View file @
d1f8192c
...
...
@@ 3,13 +3,13 @@ Require Export rt.util.all.
Require
Export
rt
.
restructuring
.
model
.
processor
.
platform_properties
.
Require
Export
rt
.
restructuring
.
analysis
.
facts
.
behavior
.
service
.
(** Throughout this file, we assume ideal uniprocessor schedules. *)
(** Throughout this file, we assume ideal uni

processor schedules. *)
Require
Import
rt
.
restructuring
.
model
.
processor
.
ideal
.
(** Note: we do not reexport the basic definitions to avoid littering the global
namespace with type class instances. *)
(** In this section we estlish the classes to which an ideal schedule belongs. *)
(** In this section we est
ab
lish the classes to which an ideal schedule belongs. *)
Section
ScheduleClass
.
Local
Transparent
service_in
scheduled_in
scheduled_on
.
...
...
@@ 18,7 +18,7 @@ Section ScheduleClass.
Context
`
{
JobArrival
Job
}.
Context
`
{
JobCost
Job
}.
(** We note that the ideal processor model is indeed a uniprocessor
(** We note that the ideal processor model is indeed a uni

processor
model. *)
Lemma
ideal_proc_model_is_a_uniprocessor_model
:
uniprocessor_model
(
processor_state
Job
).
...
...
@@ 96,8 +96,8 @@ Hint Resolve ideal_proc_model_is_a_uniprocessor_model
(** We also provide tactics for case analysis on ideal processor state. *)
(** The first tactic generates two subgoals: one with idle processor and
the other with processor executing a job named
JobName
. *)
(** The first tactic generates two sub

goals: one with idle processor and
the other with processor executing a job named
[JobName]
. *)
Ltac
ideal_proc_model_sched_case_analysis
sched
t
JobName
:
=
let
Idle
:
=
fresh
"Idle"
in
let
Sched
:
=
fresh
"Sched_"
JobName
in
...
...
@@ 115,7 +115,7 @@ Ltac ideal_proc_model_sched_case_analysis_eq sched t JobName :=

move
:
(
Sched
)
;
simpl
;
move
=>
/
eqP
SchedEq
;
rewrite
?SchedEq
].
(** * Incremental Service in Ideal Schedule *)
(** In the following section we prove a few facts about service in ideal sched
e
ule. *)
(** In the following section we prove a few facts about service in ideal schedule. *)
(* Note that these lemmas can be generalized to an arbitrary scheduler. *)
Section
IncrementalService
.
...
...
@@ 127,7 +127,7 @@ Section IncrementalService.
(** ... any arrival sequence, ... *)
Variable
arr_seq
:
arrival_sequence
Job
.
(** ... and any ideal uniprocessor schedule of this arrival sequence. *)
(** ... and any ideal uni

processor schedule of this arrival sequence. *)
Variable
sched
:
schedule
(
ideal
.
processor_state
Job
).
(** As a base case, we prove that if a job j receives service in
...
...
restructuring/analysis/facts/behavior/service.v
View file @
d1f8192c
...
...
@@ 42,8 +42,8 @@ Section Composition.
rewrite
/
service
service_during_geq
//.
Qed
.
(** Trivially, an interval consiting of one time unit is equivalent to
service_at
. *)
(** Trivially, an interval consi
s
ting of one time unit is equivalent to
[service_at]
. *)
Lemma
service_during_instant
:
forall
t
,
service_during
sched
j
t
t
.+
1
=
service_at
sched
j
t
.
...
...
@@ 375,7 +375,7 @@ Section RelationToScheduled.
by
apply
(
IS_ZERO
t
)
;
apply
/
andP
;
split
=>
//.
Qed
.
(** If a job is scheduled at some point in an interval, it receive
e
s
(** If a job is scheduled at some point in an interval, it receives
positive cumulative service during the interval... *)
Lemma
scheduled_implies_cumulative_service
:
forall
t1
t2
,
...
...
@@ 407,7 +407,7 @@ Section RelationToScheduled.
End
GuaranteedService
.
Section
AfterArrival
.
(** Futhermore, if we know that jobs are not released early, then we can
(** Fu
r
thermore, if we know that jobs are not released early, then we can
narrow the interval during which they must have been scheduled. *)
Context
`
{
JobArrival
Job
}.
...
...
restructuring/analysis/facts/behavior/service_of_jobs.v
View file @
d1f8192c
...
...
@@ 50,7 +50,7 @@ Section GenericModelLemmas.
(** Let jobs denote any (finite) set of jobs. *)
Variable
jobs
:
seq
Job
.
(** Assume that the processor model is a unit service mo
o
del. I.e.,
(** Assume that the processor model is a unit service model. I.e.,
no job ever receives more than one unit of service at any time. *)
Hypothesis
H_unit_service
:
unit_service_proc_model
PState
.
...
...
@@ 122,7 +122,7 @@ Section GenericModelLemmas.
End
GenericModelLemmas
.
(** In this section, we prove some properties about service
of sets of jobs for ideal uniprocessor model. *)
of sets of jobs for ideal uni

processor model. *)
Section
IdealModelLemmas
.
(** Consider any type of tasks ... *)
...
...
@@ 138,7 +138,7 @@ Section IdealModelLemmas.
Variable
arr_seq
:
arrival_sequence
Job
.
Hypothesis
H_arrival_times_are_consistent
:
consistent_arrival_times
arr_seq
.
(** Next, consider any ideal uniprocessor schedule of this arrival sequence ... *)
(** Next, consider any ideal uni

processor schedule of this arrival sequence ... *)
Variable
sched
:
schedule
(
ideal
.
processor_state
Job
).
Hypothesis
H_jobs_come_from_arrival_sequence
:
jobs_come_from_arrival_sequence
sched
arr_seq
.
...
...
@@ 192,13 +192,13 @@ Section IdealModelLemmas.
is upperbounded by the corresponding interval length. *)
Section
ServiceOfJobsIsBoundedByLength
.
(** Let
jobs
denote any (finite) set of jobs. *)
(** Let
[jobs]
denote any (finite) set of jobs. *)
Variable
jobs
:
seq
Job
.