Library prosa.analysis.abstract.ideal.iw_instantiation

Require Export prosa.analysis.facts.busy_interval.carry_in.
Require Export prosa.analysis.abstract.IBF.task.
Require Export prosa.analysis.facts.interference.

Throughout this file, we assume ideal uni-processor schedules.

Require Import prosa.model.processor.ideal.
Require Export prosa.analysis.facts.model.ideal.priority_inversion.

JLFP instantiation of Interference and Interfering Workload for ideal uni-processor.

In this module we instantiate functions Interference and Interfering Workload for ideal uni-processor schedulers with an arbitrary JLFP-policy that satisfies the sequential-tasks hypothesis. We also prove equivalence of Interference and Interfering Workload to the more conventional notions of service or workload.

Section JLFPInstantiation.

Consider any type of tasks ...

Context {Task : TaskType}.
Context `{TaskCost Task}.

... and any type of jobs associated with these tasks.

  Context {Job : JobType}.
  Context `{JobTask Job Task}.
  Context `{JobArrival Job}.
  Context `{JobCost Job}.

Consider any valid arrival sequence with consistent arrivals ...

Variable arr_seq : arrival_sequence Job.
Hypothesis H_valid_arrival_sequence : valid_arrival_sequence arr_seq.

... and any ideal uni-processor schedule of this arrival sequence ...

  Variable sched : schedule (ideal.processor_state Job).
  Hypothesis H_jobs_come_from_arrival_sequence :
    jobs_come_from_arrival_sequence sched arr_seq.

... where jobs do not execute before their arrival or after completion.

Hypothesis H_jobs_must_arrive_to_execute : jobs_must_arrive_to_execute sched.
Hypothesis H_completed_jobs_dont_execute : completed_jobs_dont_execute sched.

Consider a JLFP-policy that indicates a higher-or-equal priority relation, and assume that this relation is reflexive and transitive.

  Context {JLFP : JLFP_policy Job}.
  Hypothesis H_priority_is_reflexive : reflexive_job_priorities JLFP.
  Hypothesis H_priority_is_transitive : transitive_job_priorities JLFP.

We also assume that the policy respects sequential tasks, meaning that later-arrived jobs of a task don't have higher priority than earlier-arrived jobs of the same task.

Hypothesis H_JLFP_respects_sequential_tasks :
policy_respects_sequential_tasks JLFP.

Let tsk be any task.

Variable tsk : Task.

Interference and Interfering Workload

In the following, we introduce definitions of interference, interfering workload and a function that bounds cumulative interference.

Instantiation of Interference

Before we define the notion of interference, we need to recall the definition of priority inversion. We say that job j is incurring a priority inversion at time t if there exists a job with lower priority that executes at time t. In order to simplify things, we ignore the fact that according to this definition a job can incur priority inversion even before its release (or after completion). All such (potentially bad) cases do not cause problems, as each job is analyzed only within the corresponding busy interval where the priority inversion behaves in the expected way.

We say that job j incurs interference at time t iff it cannot execute due to a higher-or-equal-priority job being scheduled, or if it incurs a priority inversion.

  #[local,program] Instance ideal_jlfp_interference : Interference Job :=
    {
      interference (j : Job) (t : instant) :=
        priority_inversion arr_seq sched j t
        || another_hep_job_interference arr_seq sched j t
    }.

Instantiation of Interfering Workload

The interfering workload, in turn, is defined as the sum of the priority inversion predicate and interfering workload of jobs with higher or equal priority.

  #[local,program] Instance ideal_jlfp_interfering_workload : InterferingWorkload Job :=
    {
      interfering_workload (j : Job) (t : instant) :=
        priority_inversion arr_seq sched j t
        + other_hep_jobs_interfering_workload arr_seq j t
    }.

Equivalences

In this section we prove useful equivalences between the definitions obtained by instantiation of definitions from the Abstract RTA module (interference and interfering workload) and definitions corresponding to the conventional concepts.

Instantiated functions of interference and interfering workload usually do not have any useful lemmas about them. However, it is possible to prove their equivalence to the more conventional notions like service or workload. Next, we prove the equivalence between the instantiations and conventional notions as well as a few useful rewrite rules.

Section Equivalences.

In the following subsection, we prove properties of the introduced functions under the assumption that the schedule is idle.

Section IdleSchedule.

Consider a time instant t ...

Variable t : instant.

... and assume that the schedule is idle at t.

Hypothesis H_idle : ideal_is_idle sched t.

We prove that in this case: ...

... there is no interference, ...

Lemma no_interference_when_idle :
∀ j, ~~ interference j t.

... as well as no interference for tsk.

      Lemma no_task_interference_when_idle :
        ∀ j, ~~ task_interference arr_seq sched j t.

    End IdleSchedule.

Next, we prove properties of the introduced functions under the assumption that the scheduler is not idle.

Section ScheduledJob.

Consider a job j of task tsk. In this subsection, job j is deemed to be the main job with respect to which the functions are computed.

Variable j : Job.
Hypothesis H_j_tsk : job_of_task tsk j.

Consider a time instant t.

Variable t : instant.

In the next subsection, we consider a case when a job j' from the same task (as job j) is scheduled.

Section FromSameTask.

Consider a job j' that comes from task tsk and is scheduled at time instant t.

        Variable j' : Job.
        Hypothesis H_j'_tsk : job_of_task tsk j'.
        Hypothesis H_j'_sched : scheduled_at sched j' t.

Similarly, there is no task interference, since in order to incur the task interference, a job from a distinct task must be scheduled.

        Lemma task_interference_eq_false :
          ~~ task_interference arr_seq sched j t.

      End FromSameTask.

In the next subsection, we consider a case when a job j' from a task other than j's task is scheduled.

Section FromDifferentTask.

Consider a job j' that does _not comes from task tsk and is scheduled at time instant t.

        Variable j' : Job.
        Hypothesis H_j'_not_tsk : ~~ job_of_task tsk j'.
        Hypothesis H_j'_sched : scheduled_at sched j' t.

Hence, if we assume that j' has higher-or-equal priority, ...

Hypothesis H_j'_hep : hep_job j' j.

Moreover, in this case, task tsk also incurs interference.

        Lemma sched_athep_implies_task_interference :
          task_interference arr_seq sched j t.

      End FromDifferentTask.

    End ScheduledJob.

We prove that we can split cumulative interference into two parts: (1) cumulative priority inversion and (2) cumulative interference from jobs with higher or equal priority.

    Lemma cumulative_interference_split :
      ∀ j t1 t2,
        cumulative_interference j t1 t2
        = cumulative_priority_inversion arr_seq sched j t1 t2
          + cumulative_another_hep_job_interference arr_seq sched j t1 t2.

Similarly, we prove that we can split cumulative interfering workload into two parts: (1) cumulative priority inversion and (2) cumulative interfering workload from jobs with higher or equal priority.

    Lemma cumulative_interfering_workload_split :
      ∀ j t1 t2,
        cumulative_interfering_workload j t1 t2 =
          cumulative_priority_inversion arr_seq sched j t1 t2
          + cumulative_other_hep_jobs_interfering_workload arr_seq j t1 t2.

Let j be any job of task tsk. Then the cumulative task interference received by job j is bounded to the sum of the cumulative priority inversion of job j and the cumulative interference incurred by job j due to higher-or-equal priority jobs from other tasks.

    Lemma cumulative_task_interference_split :
      ∀ j t1 t2,
        arrives_in arr_seq j →
        job_of_task tsk j →
        ~~ completed_by sched j t2 →
        cumul_task_interference arr_seq sched j t1 t2
        ≤ cumulative_priority_inversion arr_seq sched j t1 t2
          + cumulative_another_task_hep_job_interference arr_seq sched j t1 t2.

In this section, we prove that the (abstract) cumulative interfering workload is equivalent to the conventional workload, i.e., the one defined with concrete schedule parameters.

Section InstantiatedWorkloadEquivalence.

Let [t1,t2) be any time interval.

Variables t1 t2 : instant.

Consider any job j of tsk.

      Variable j : Job.
      Hypothesis H_j_arrives : arrives_in arr_seq j.
      Hypothesis H_job_of_tsk : job_of_task tsk j.

Then for any job j, the cumulative interfering workload is equal to the conventional workload.

      Lemma cumulative_iw_hep_eq_workload_of_ohep :
        cumulative_other_hep_jobs_interfering_workload arr_seq j t1 t2
        = workload_of_other_hep_jobs arr_seq j t1 t2.

    End InstantiatedWorkloadEquivalence.

In this section we prove that the abstract definition of busy interval is equivalent to the conventional, concrete definition of busy interval for JLFP scheduling.

Section BusyIntervalEquivalence.

In order to avoid confusion, we denote the notion of a quiet time in the classical sense as quiet_time_cl, and the notion of quiet time in the abstract sense as quiet_time_ab.

Let quiet_time_cl := classical.quiet_time arr_seq sched.
Let quiet_time_ab := abstract.definitions.quiet_time sched.

Same for the two notions of a busy interval prefix ...

Let busy_interval_prefix_cl := classical.busy_interval_prefix arr_seq sched.
Let busy_interval_prefix_ab := abstract.definitions.busy_interval_prefix sched.

... and the two notions of a busy interval.

Let busy_interval_cl := classical.busy_interval arr_seq sched.
Let busy_interval_ab := abstract.definitions.busy_interval sched.

Consider any job j of tsk.

      Variable j : Job.
      Hypothesis H_j_arrives : arrives_in arr_seq j.
      Hypothesis H_job_cost_positive : job_cost_positive j.

To show the equivalence of the notions of busy intervals, we first show that the notions of quiet time are also equivalent.

First, we show that the classical notion of quiet time implies the abstract notion of quiet time.

Lemma quiet_time_cl_implies_quiet_time_ab :
∀ t, quiet_time_cl j t → quiet_time_ab j t.

And vice versa, the abstract notion of quiet time implies the classical notion of quiet time.

Lemma quiet_time_ab_implies_quiet_time_cl :
∀ t, quiet_time_ab j t → quiet_time_cl j t.

The equivalence trivially follows from the lemmas above.

      Corollary instantiated_quiet_time_equivalent_quiet_time :
        ∀ t,
          quiet_time_cl j t ↔ quiet_time_ab j t.

Based on that, we prove that the concept of busy interval prefix obtained by instantiating the abstract definition of busy interval prefix coincides with the conventional definition of busy interval prefix.

Lemma instantiated_busy_interval_prefix_equivalent_busy_interval_prefix :
∀ t1 t2, busy_interval_prefix_cl j t1 t2 ↔ busy_interval_prefix_ab j t1 t2.

Similarly, we prove that the concept of busy interval obtained by instantiating the abstract definition of busy interval coincides with the conventional definition of busy interval.

Lemma instantiated_busy_interval_equivalent_busy_interval :
∀ t1 t2, busy_interval_cl j t1 t2 ↔ busy_interval_ab j t1 t2.

For the sake of proof automation, we note the frequently needed special case of an abstract busy window implying the existence of a classic quiet time.

      Fact abstract_busy_interval_classic_quiet_time :
        ∀ t1 t2,
          busy_interval_ab j t1 t2 → quiet_time_cl j t1.

Also for automation, we note a similar fact about classic busy-window prefixes.

      Fact abstract_busy_interval_classic_busy_interval_prefix :
        ∀ t1 t2,
          busy_interval_ab j t1 t2 → busy_interval_prefix_cl j t1 t2.

    End BusyIntervalEquivalence.

  End Equivalences.

In this section we prove some properties about the interference and interfering workload as defined in this file.

Section I_IW_correctness.

Consider work-bearing readiness.

Context `{!JobReady Job (ideal.processor_state Job)}.
Hypothesis H_work_bearing_readiness : work_bearing_readiness arr_seq sched.

Assume that the schedule is valid and work-conserving.

Hypothesis H_sched_valid : valid_schedule sched arr_seq.

Note that we differentiate between abstract and classical notions of work-conserving schedule.

    Let work_conserving_ab := definitions.work_conserving arr_seq sched.
    Let work_conserving_cl := work_conserving.work_conserving arr_seq sched.

    Let busy_interval_prefix_ab := definitions.busy_interval_prefix sched.

We assume that the schedule is a work-conserving schedule in the classical sense, and later prove that the hypothesis about abstract work-conservation also holds.

Hypothesis H_work_conserving : work_conserving_cl.

Assume the scheduling policy under consideration is reflexive.

Hypothesis H_policy_reflexive : reflexive_job_priorities JLFP.

In this section, we prove the correctness of interference inside the busy interval, i.e., we prove that if interference for a job is false then the job is scheduled and vice versa. This property is referred to as abstract work conservation.

Section Abstract_Work_Conservation.

Consider a job j that is in the arrival sequence and has a positive job cost.

      Variable j : Job.
      Hypothesis H_arrives : arrives_in arr_seq j.
      Hypothesis H_job_cost_positive : 0 < job_cost j.

Let the busy interval of the job be [t1,t2).

Variable t1 t2 : instant.
Hypothesis H_busy_interval_prefix : busy_interval_prefix_ab j t1 t2.

Consider a time t inside the busy interval of the job.

Variable t : instant.
Hypothesis H_t_in_busy_interval : t1 ≤ t < t2.

First, we prove that if interference is false at a time t then the job is scheduled.

Lemma not_interference_implies_scheduled :
¬ interference j t → receives_service_at sched j t.

Conversely, if the job is scheduled at t then interference is false.

      Lemma scheduled_implies_no_interference :
        receives_service_at sched j t → ¬ interference j t.

    End Abstract_Work_Conservation.

Using the above two lemmas, we can prove that abstract work conservation always holds for these instantiations of I and IW.

Corollary instantiated_i_and_w_are_coherent_with_schedule :
work_conserving_ab.

Next, in order to prove that these definitions of I and IW are consistent with sequential tasks, we need to assume that the policy under consideration respects sequential tasks.

Hypothesis H_policy_respects_sequential_tasks : policy_respects_sequential_tasks JLFP.

We prove that these definitions of I and IW are consistent with sequential tasks.

Lemma instantiated_interference_and_workload_consistent_with_sequential_tasks :
interference_and_workload_consistent_with_sequential_tasks arr_seq sched tsk.

Since interfering and interfering workload are sufficient to define the busy window, next, we reason about the bound on the length of the busy window.

Section BusyWindowBound.

Consider an arrival curve.

Context `{MaxArrivals Task}.

Consider a set of tasks that respects the arrival curve.

Variable ts : list Task.
Hypothesis H_taskset_respects_max_arrivals : taskset_respects_max_arrivals arr_seq ts.

Assume that all jobs come from this task set.

Hypothesis H_all_jobs_from_taskset : all_jobs_from_taskset arr_seq ts.

Consider a constant L such that...

Variable L : duration.

... L is greater than 0, and...

Hypothesis H_L_positive : L > 0.

L is the fixed point of the following equation.

Hypothesis H_fixed_point : L = total_request_bound_function ts L.

Assume all jobs have a valid job cost.

Hypothesis H_arrivals_have_valid_job_costs : arrivals_have_valid_job_costs arr_seq.

Then, we prove that L is a bound on the length of the busy window.

      Lemma instantiated_busy_intervals_are_bounded:
        busy_intervals_are_bounded_by arr_seq sched tsk L.

    End BusyWindowBound.

  End I_IW_correctness.

End JLFPInstantiation.

To preserve modularity and hide the implementation details of a technical definition presented in this file, we make the definition opaque. This way, we ensure that the system will treat each of these definitions as a single entity.

Global Opaque another_hep_job_interference
       another_task_hep_job_interference
       ideal_jlfp_interference
       ideal_jlfp_interfering_workload
       cumulative_another_hep_job_interference
       cumulative_another_task_hep_job_interference
       cumulative_other_hep_jobs_interfering_workload
       other_hep_jobs_interfering_workload.

We add some facts into the "Hint Database" basic_rt_facts, so Coq will be able to apply them automatically where needed.

Global Hint Resolve
       abstract_busy_interval_classic_quiet_time
       abstract_busy_interval_classic_busy_interval_prefix
  : basic_rt_facts.