Built with Alectryon, running Coq+SerAPI v8.15.0+0.15.0. Bubbles () indicate interactive fragments: hover for details, tap to reveal contents. Use Ctrl+↑Ctrl+↓ to navigate, Ctrl+🖱️ to focus. On Mac, use ⌘ instead of Ctrl.
Notation"[ rel _ _ | _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ : _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ | _ ]" was already used
in scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"_ + _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation"_ - _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation"_ <= _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation"_ < _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation"_ >= _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation"_ > _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation"_ <= _ <= _" was already used in scope
nat_scope. [notation-overridden,parsing]
Notation"_ < _ <= _" was already used in scope
nat_scope. [notation-overridden,parsing]
Notation"_ <= _ < _" was already used in scope
nat_scope. [notation-overridden,parsing]
Notation"_ < _ < _" was already used in scope
nat_scope. [notation-overridden,parsing]
Notation"_ * _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation"[ rel _ _ | _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ : _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ | _ ]" was already used
in scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ | _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ : _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ | _ ]" was already used
in scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ | _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ : _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ | _ ]" was already used
in scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ | _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ : _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ | _ ]" was already used
in scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ | _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ : _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ | _ ]" was already used
in scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ | _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ : _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ | _ ]" was already used
in scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ & _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation"[ rel _ _ in _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
(** We begin by defining a generic version of the functions we seek to define. *)SectionDefinitions.(** Consider a generic type T supporting basic arithmetic operations, neutral elements, and comparisons. *)Context {T : Type}.Context `{!zero_of T, !one_of T, !sub_of T, !add_of T, !mul_of T,
!div_of T, !mod_of T, !eq_of T, !leq_of T, !lt_of T}.Context `{!eq_of (seq T)}.Context `{!eq_of (@task_T T)}.(** We define a generic version of total request-bound function of higher-or-equal priority task, ... *)Definitiontotal_rbf_T (ts : seq task_T) (Δ : T) : T :=
letwork_ts := map (funtsk' => task_rbf_T tsk' Δ) ts in
foldr +%C 0%C work_ts.(** ... of bound on total higher-or-equal priority workload, ... *)Definitionbound_on_total_hep_workload_T (ts : seq task_T) (tsk : task_T) (AΔ : T) : T :=
leto_ts := filter (funtsk_o => ~~ (eq_of2 tsk_o tsk)) ts inleto_work := map (funtsk_o => task_rbf_T tsk_o (minn_T ((A + 1) + task_deadline_T tsk - task_deadline_T tsk_o) Δ))%C o_ts in
foldr +%C 0%C o_work.(** Next, we define a generic version of [check_point_FP], ... *)Definitioncheck_point_FP_T (ts : seq task_T) (tsk : task_T) (R : T) (P : T * T) : bool :=
(task_rbf_T tsk (P.1 + 1) + bound_on_total_hep_workload_T ts tsk P.1 (P.1 + P.2) <= P.1 + P.2)%C
&& (P.2 <= R)%C.(** ... a generic version of [blocking_bound_NP], ... *)Definitionblocking_bound_NP_T (ts : seq task_T) (tsk : task_T) A :=
letblocking_relevanttsk_o := (0 < ConcreteMaxArrivals_T tsk_o 1)%C && (0 < task_cost_T tsk_o)%C inletts_lp := filter (funtsk_o => (blocking_relevant tsk_o)
&& (@task_deadline_T T tsk + A < @task_deadline_T T tsk_o))%C ts inletts_block := map (funtsk_o => task_cost_T tsk_o - 1)%C ts_lp in
foldr maxn_T 0%C ts_block.(** ... of [check_point_NP], ... *)Definitioncheck_point_NP_T (ts : seq task_T) (tsk : task_T) (R : T) (P : T * T) : bool :=
(blocking_bound_NP_T ts tsk P.1
+ (task_rbf_T tsk (P.1 + 1) - (task_cost_T tsk - 1))
+ bound_on_total_hep_workload_T ts tsk P.1 (P.1 + P.2) <= P.1 + P.2)%C
&& (P.2 + (task_cost_T tsk - 1) <= R)%C.(** ... of [valid_arrivals]. *)Definitionvalid_arrivals_T (tsk : task_T) : bool :=
match @task_arrival_T T tsk with
| Periodic_T p => (1 <= p)%C
| Sporadic_T m => (1 <= m)%C
| ArrivalPrefix_T emax_vec => valid_extrapolated_arrival_curve_T emax_vec
end.EndDefinitions.(** In this section, we introduce some functions operating on binary numbers. *)SectionDefinitionsN.(** We provide a definition of [iota], ... *)Definitioniota_N (aΔ : N) := iota_T a Δ.(** ... of [task_search_space_emax_EDF_h], ... *)Definitiontask_search_space_emax_EDF_h_N (tsktsko : task_T) (lr : N) : seq N :=
leth := get_horizon_of_task_T tsko inletoffsets := map (N.mul h) (iota_N l r) inletemax_offsets := repeat_steps_with_offset_T tsko offsets inletemax_edf_offsets :=
shift_points_neg_T
(shift_points_pos_T emax_offsets (task_deadline_T tsko))
(task_deadline_T tsk) in
map predn_T emax_edf_offsets.(** ... of [task_search_space_emax_EDF], ... *)Definitiontask_search_space_emax_EDF_N (tsktsko : task_T) (L : N) :=
leth := get_horizon_of_task_T tsko in
task_search_space_emax_EDF_h_N
tsk tsko 0
(((L + (task_deadline_T tsk - task_deadline_T tsko)) %/ h) + 1)%C.(** ... and of [search_space_emax_EDF_N]. *)Definitionsearch_space_emax_EDF_N (ts : seq task_T) (tsk : task_T) (L : N) :=
letpoints := map (funtsko => task_search_space_emax_EDF_N tsk tsko L) ts in
flatten points.EndDefinitionsN.(** ** Refinements *)(** We now establish the desired refinements. *)(** First, we prove a refinement for the [task_search_space_emax_EDF_h] function. *)
refines (Rnat ==> list_R Rnat)%rel
(search_space_emax_EDF
[seq taskT_to_task i | i <- ts]
(taskT_to_task tsk))
(search_space_emax_EDF_N ts tsk)
ts: seq task_T tsk: task_T
refines (Rnat ==> list_R Rnat)%rel
(funL : nat =>
\cat_(tsko<-[seq taskT_to_task i | i <- ts])
task_search_space_emax_EDF (taskT_to_task tsk)
tsko L)
(funL : N =>
flatten
[seq task_search_space_emax_EDF_N tsk tsko L
| tsko <- ts])
ts: seq task_T tsk: task_T L: nat L': N RL: Rnat L L'
refines (list_R Rnat)
(\cat_(tsko<-[seq taskT_to_task i | i <- ts])
task_search_space_emax_EDF (taskT_to_task tsk)
tsko L)
(flatten
[seq task_search_space_emax_EDF_N tsk tsko L'
| tsko <- ts])
ts: seq task_T tsk: task_T L: nat L': N RL: Rnat L L'
forall (TT0 : Type) (xs : seq T) (f : T -> seq T0),
\cat_(x<-xs)f x = flatten [seq f i | i <- xs]
ts: seq task_T tsk: task_T L: nat L': N RL: Rnat L L' F: forall (TT0 : Type) (xs : seq T)
(f : T -> seq T0),
\cat_(x<-xs)f x = flatten [seq f i | i <- xs]
refines (list_R Rnat)
(\cat_(tsko<-[seq taskT_to_task i | i <- ts])
task_search_space_emax_EDF (taskT_to_task tsk)
tsko L)
(flatten
[seq task_search_space_emax_EDF_N tsk tsko L'
| tsko <- ts])
ts: seq task_T tsk: task_T L: nat L': N RL: Rnat L L'
forall (TT0 : Type) (xs : seq T) (f : T -> seq T0),
\cat_(x<-xs)f x = flatten [seq f i | i <- xs]
T, T0: Type f: T -> seq T0
\cat_(x<-[::])f x = flatten [seq f i | i <- [::]]
T, T0: Type x: T xs: seq T IHxs: forallf : T -> seq T0,
\cat_(x<-xs)f x = flatten [seq f i | i <- xs] f: T -> seq T0
\cat_(x<-(x :: xs))f x =
flatten [seq f i | i <- x :: xs]
T, T0: Type f: T -> seq T0
\cat_(x<-[::])f x = flatten [seq f i | i <- [::]]
T, T0: Type x: T xs: seq T IHxs: forallf : T -> seq T0,
\cat_(x<-xs)f x = flatten [seq f i | i <- xs] f: T -> seq T0
\cat_(x<-(x :: xs))f x =
flatten [seq f i | i <- x :: xs]
T, T0: Type x: T xs: seq T IHxs: forallf : T -> seq T0,
\cat_(x<-xs)f x = flatten [seq f i | i <- xs] f: T -> seq T0
\cat_(x<-(x :: xs))f x =
flatten [seq f i | i <- x :: xs]
T, T0: Type x: T xs: seq T IHxs: forallf : T -> seq T0,
\cat_(x<-xs)f x = flatten [seq f i | i <- xs] f: T -> seq T0
\cat_(x<-(x :: xs))f x =
flatten [seq f i | i <- x :: xs]
byrewrite big_cons //= IHxs.
ts: seq task_T tsk: task_T L: nat L': N RL: Rnat L L' F: forall (TT0 : Type) (xs : seq T)
(f : T -> seq T0),
\cat_(x<-xs)f x = flatten [seq f i | i <- xs]
refines (list_R Rnat)
(\cat_(tsko<-[seq taskT_to_task i | i <- ts])
task_search_space_emax_EDF
(taskT_to_task tsk) tsko L)
(flatten
[seq task_search_space_emax_EDF_N tsk tsko L'
| tsko <- ts])
ts: seq task_T tsk: task_T L: nat L': N RL: Rnat L L'
refines (list_R Rnat)
(flatten
[seq task_search_space_emax_EDF
(taskT_to_task tsk) x L
| x <- [seq taskT_to_task i | i <- ts]])
(flatten
[seq task_search_space_emax_EDF_N tsk tsko L'
| tsko <- ts])
ts: seq task_T tsk: task_T L: nat L': N RL: Rnat L L'
byrewrite refinesE => tsko tsko' Rtsko; apply refinesP; refines_apply.Qed.(** Next, we prove a special-case refinement for the [total_request_bound_function] function when applied to a refined task set and a refined task. This special case is required to guide the typeclass engine. *)
forallts : seq task_T,
refines (Rnat ==> Rnat)%rel
(total_request_bound_function
[seq taskT_to_task i | i <- ts]) (total_rbf_T ts)
forallts : seq task_T,
refines (Rnat ==> Rnat)%rel
(total_request_bound_function
[seq taskT_to_task i | i <- ts]) (total_rbf_T ts)
ts: seq task_T δ: nat δ': N Rδ: Rnat δ δ'
Rnat
(total_request_bound_function
[seq taskT_to_task i | i <- ts] δ)
(total_rbf_T ts δ')
ts: seq task_T δ: nat δ': N Rδ: Rnat δ δ' RTS: list_R Rtask [seq taskT_to_task i | i <- ts] ts EQ: (list_R Rtask ==> Rnat ==> Rnat)%rel
total_request_bound_function total_rbf_T x:= total_rbf_T ts δ': N
refines Rnat x x
byrewrite refinesE.Qed.(** Next, we provide equality comparisons between different pairs of objects manipulated in Poet's certificates. *)Global Instanceeq_listN : eq_of (seq N) := funxy => x == y.Global Instanceeq_NlistNN : eq_of (prod N (seq (prod N N))) := funxy => x == y.Global Instanceeq_taskab : eq_of (@task_arrivals_bound_T N) := taskab_eqdef_T.Global Instanceeq_task : eq_of (@task_T N) := task_eqdef_T.(** Next, we prove a refinement for the [task_eqdef] function. *)
forall (a : task.Task) (b : task_T),
refines Rtask a b ->
forall (a' : task.Task) (b' : task_T),
refines Rtask a' b' ->
refines bool_R (task_eqdef a a') (task_eqdef_T b b')
a: task.Task a': task_T Ra: refines Rtask a a' b: task.Task b': task_T Rb: refines Rtask b b'
refines bool_R (task_eqdef a b) (task_eqdef_T a' b')
a: task.Task a': task_T Ra: refines Rtask a a' b: task.Task b': task_T Rb: refines Rtask b b'
refines bool_R
((task_id a == task_id b) &&
(task_cost a == task_cost b) &&
(task_arrival a == task_arrival b) &&
(task_deadline a == task_deadline b) &&
(task_priority a == task_priority b))
((task_id_T a' == task_id_T b')%C &&
(task_cost_T a' == task_cost_T b')%C &&
(task_arrival_T a' == task_arrival_T b')%C &&
(task_deadline_T a' == task_deadline_T b')%C &&
(task_priority_T a' == task_priority_T b')%C)
byrewrite refinesE; repeatapply andb_R; apply refinesP; refines_apply.Qed.(** Next, we prove a refinement for the [bound_on_total_hep_workload] function. *)
byapply andb_R; apply refinesP; tc.Qed.(** Next, we prove a special-case refinement for the [check_point_FP] function when applied to a refined task set and a refined task. This special case is required to guide the typeclass engine. *)
byapply andb_R; apply refinesP; tc.Qed.(** Finally, we prove a special-case refinement for the [check_point_NP] function when applied to a refined task set and a refined task. This special case is required to guide the typeclass engine. *)