Library rt.analysis.uni.susp.dynamic.jitter.taskset_membership

Require Import rt.util.all.
Require Import rt.model.priority rt.model.suspension.
Require Import rt.model.arrival.basic.task rt.model.arrival.basic.job
               rt.model.arrival.basic.arrival_sequence.
Require Import rt.model.arrival.jitter.job.
Require Import rt.model.schedule.uni.response_time.
Require Import rt.model.schedule.uni.susp.schedule
               rt.model.schedule.uni.susp.platform
               rt.model.schedule.uni.susp.valid_schedule.
Require Import rt.analysis.uni.susp.dynamic.jitter.jitter_schedule
               rt.analysis.uni.susp.dynamic.jitter.jitter_taskset_generation.
Require Import rt.analysis.uni.susp.sustainability.singlecost.reduction
               rt.analysis.uni.susp.sustainability.singlecost.reduction_properties.

(* In this file we prove that the jitter-aware schedule sched_jitter used in the
   reduction is an instance of the jitter-aware task set that we analyze. *)

Module TaskSetMembership.

  Import SporadicTaskset Suspension Priority ValidSuspensionAwareSchedule
         ScheduleWithSuspensions ResponseTime PlatformWithSuspensions.

  Module reduction := JitterScheduleConstruction.
  Module ts_gen := JitterTaskSetGeneration.
  Module sust := SustainabilitySingleCost.
  Module sust_prop := SustainabilitySingleCostProperties.
  Module valid_sched := ValidSuspensionAwareSchedule.
  Module job_susp := Job.
  Module job_jitter := JobWithJitter.

  Section ProvingMembership.

    Context {Task: eqType}.
    Variable task_period: Task time.
    Variable task_deadline: Task time.
    Context {Job: eqType}.
    Variable job_arrival: Job time.
    Variable job_deadline: Job time.
    Variable job_task: Job Task.

Basic Setup & Setting

    (* Let ts be any suspension-aware task set. *)
    Variable ts: seq Task.

    (* Consider any job arrival sequence with consistent, duplicate-free arrivals... *)
    Variable arr_seq: arrival_sequence Job.
    Hypothesis H_arrival_times_are_consistent:
      arrival_times_are_consistent job_arrival arr_seq.
    Hypothesis H_arrival_sequence_is_a_set: arrival_sequence_is_a_set arr_seq.

    (* ...where jobs come from the task set. *)
    Hypothesis H_jobs_come_from_taskset:
       j, arrives_in arr_seq j job_task j \in ts.

    (* ...and the associated job and task costs. *)
    Variable job_cost: Job time.
    Variable task_cost: Task time.

    (* Assume that jobs and tasks have associated suspension times. *)
    Variable job_suspension_duration: job_suspension Job.
    Variable task_suspension_bound: Task time.

    (* Assume any FP policy that is reflexive, transitive and total... *)
    Variable higher_eq_priority: FP_policy Task.
    Hypothesis H_priority_is_reflexive: FP_is_reflexive higher_eq_priority.
    Hypothesis H_priority_is_transitive: FP_is_transitive higher_eq_priority.
    Hypothesis H_priority_is_total: FP_is_total_over_task_set higher_eq_priority ts.
    Let job_higher_eq_priority := FP_to_JLDP job_task higher_eq_priority.

    (* Recall the definition of a valid suspension-aware schedule. *)
    Let is_valid_suspension_aware_schedule :=
      valid_suspension_aware_schedule job_arrival arr_seq job_higher_eq_priority
                                      job_suspension_duration.

    (* Next, consider any valid suspension-aware schedule of this arrival sequence.
       (Note: see rt.model.schedule.uni.susp.valid_schedule.v for details) *)

    Variable sched_susp: schedule Job.
    Hypothesis H_valid_schedule:
      valid_suspension_aware_schedule job_arrival arr_seq job_higher_eq_priority
                                      job_suspension_duration job_cost sched_susp.

    (* Recall the definition of response-time bounds in sched_susp. *)
    Let task_response_time_in_sched_susp_bounded_by :=
      is_response_time_bound_of_task job_arrival job_cost job_task arr_seq sched_susp.
    Let job_response_time_in_sched_susp_bounded_by :=
      is_response_time_bound_of_job job_arrival job_cost sched_susp.

Analysis Setup

    (* Let tsk_i be any task to be analyzed... *)
    Variable tsk_i: Task.
    Hypothesis H_tsk_in_ts: tsk_i \in ts.

    (* ...and let j be any job of this task. *)
    Variable j: Job.
    Hypothesis H_j_arrives: arrives_in arr_seq j.
    Hypothesis H_job_of_tsk_i: job_task j = tsk_i.

    (* Also recall the definition of task response-time bound with any job cost and schedule... *)
    Let is_task_response_time_bound_with job_cost sched :=
      is_response_time_bound_of_task job_arrival job_cost job_task arr_seq sched.

    (* ...and the definition of higher-or-equal-priority tasks (other than tsk_i). *)
    Let other_hep_task tsk_other := higher_eq_priority tsk_other tsk_i && (tsk_other != tsk_i).

    (* Next, assume that for each of those higher-or-equal-priority tasks (other than tsk_i),
       we know a response-time bound R that is valid across all suspension-aware schedules of ts. *)

    Variable R: Task time.
    Hypothesis H_valid_response_time_bound_of_hp_tasks_in_all_schedules:
       job_cost sched,
        is_valid_suspension_aware_schedule job_cost sched
         tsk_hp,
          tsk_hp \in ts
          other_hep_task tsk_hp
          is_task_response_time_bound_with job_cost sched tsk_hp (R tsk_hp).

    (* The existence of response-time bounds across all schedules implies that we can find
       actual response times of the higher-priority jobs in sched_susp... *)

    Definition actual_response_time (j_hp: Job) : time :=
      [pick-min r R (job_task j_hp) |
       job_response_time_in_sched_susp_bounded_by j_hp r].

    (* ...and show that they are valid... *)
    Corollary actual_response_time_is_valid:
       j_hp,
        arrives_in arr_seq j_hp
        other_hep_task (job_task j_hp)
        job_response_time_in_sched_susp_bounded_by j_hp (actual_response_time j_hp).

    (* ...and tight. *)
    Corollary actual_response_time_is_minimum:
       j_hp r_hp,
        arrives_in arr_seq j_hp
        other_hep_task (job_task j_hp)
        job_response_time_in_sched_susp_bounded_by j_hp r_hp
        actual_response_time j_hp r_hp.

Instantiation of the Reduction

    (* Using the actual response time of higher-priority jobs as a parameter, we construct
       the jitter-aware schedule from sched_susp. *)

    Let inflated_job_cost := reduction.inflated_job_cost job_cost job_suspension_duration j.
    Let job_jitter := reduction.job_jitter job_arrival job_task higher_eq_priority job_cost j
                                           actual_response_time.

    (* We also recall the parameters of the generated jitter-aware task set. *)
    Let inflated_task_cost := ts_gen.inflated_task_cost task_cost task_suspension_bound tsk_i.
    Let task_jitter := ts_gen.task_jitter task_cost higher_eq_priority tsk_i R.

Proof of Task Set Membership

    (* Now we proceed with the main claim. We are going to show that the job parameters in the
       jitter-aware schedule sched_susp are an instance of the task set parameters. *)


    (* Assume that the original costs are positive... *)
    Hypothesis H_positive_costs:
       j, arrives_in arr_seq j job_cost j > 0.

    (* ...and no larger than the task costs. *)
    Hypothesis H_job_cost_le_task_cost:
       j,
        arrives_in arr_seq j
        job_cost j task_cost (job_task j).

    (* Also assume that job suspension times are bounded by the task suspension bounds. *)
    Hypothesis H_dynamic_suspensions:
      dynamic_suspension_model job_cost job_task job_suspension_duration task_suspension_bound.

    (* We begin by showing that the inflated job costs remain positive... *)
    Section JobCostPositive.

      Lemma ts_membership_inflated_job_cost_positive:
         j, arrives_in arr_seq j inflated_job_cost j > 0.

    End JobCostPositive.

    (* ...and no larger than the inflated task costs. *)
    Section JobCostBoundedByTaskCost.

      Lemma ts_membership_inflated_job_cost_le_inflated_task_cost:
         j,
          arrives_in arr_seq j
          inflated_job_cost j inflated_task_cost (job_task j).

    End JobCostBoundedByTaskCost.

    (* Finally, we show that the job jitter in sched_susp is upper-bounded by the task jitter.
       This only concerns higher-priority jobs, which are assigned non-zero jitter to
       compensate suspension times. *)

    Section JobJitterBoundedByTaskJitter.

      (* Let any_j be any job from the arrival sequence. *)
      Variable any_j: Job.
      Hypothesis H_any_j_arrives: arrives_in arr_seq any_j.

      (* Since most parts of the proof are trivial, we focus on the more complicated case
         of higher-priority jobs. *)

      Section JitterOfHigherPriorityJobs.

        (* Suppose that any_j is a higher-or-equal-priority job from some task other than tsk_i. *)
        Hypothesis H_higher_priority: higher_eq_priority (job_task any_j) tsk_i.
        Hypothesis H_different_task: job_task any_j != tsk_i.

        (* Recall that we want to prove that job_jitter any_j <= task_jitter (job_task any_j).
           By definition, this amounts to showing that:
                actual_response_time any_j - job_cost any_j <=
                    R (job_task any_j) - task_cost (job_task any_j). *)


        (* The proof follows by a sustainability argument based on the following reduction. *)

        (* By inflating the cost of any_j to its worst-case execution time...*)
        Let higher_cost_wcet j' :=
          if j' == any_j then task_cost (job_task any_j) else job_cost j'.

        (* ...we construct a new suspension-aware schedule sched_susp_highercost where the response
           time of any_j is as large as in the original schedule sched_susp.
           (For more details, see analysis/uni/susp/sustainability/cost. ) *)

        Let sched_susp_highercost :=
          sust.sched_susp_highercost job_arrival arr_seq job_higher_eq_priority
                                     sched_susp job_suspension_duration higher_cost_wcet.

        (* Next, recall the definition of task response-time bounds in sched_susp_highercost. *)
        Let task_response_time_in_sched_susp_highercost_bounded_by :=
          is_response_time_bound_of_task job_arrival higher_cost_wcet job_task arr_seq
                                         sched_susp_highercost.

        (* Since the response-time bounds R are valid across all suspension-aware schedules
           of task set ts, they are also valid in sched_susp_higher_cost. *)

        Remark response_time_bound_in_sched_susp_highercost:
           tsk_hp,
            tsk_hp \in ts
            other_hep_task tsk_hp
            task_response_time_in_sched_susp_highercost_bounded_by tsk_hp (R tsk_hp).

        (* Finally, by comparing the two schedules, we prove that the difference between the
           actual response time and job cost is bounded by the difference between the
           response-time bound and the task cost. *)

        Lemma ts_membership_difference_in_response_times:
          actual_response_time any_j - job_cost any_j
            R (job_task any_j) - task_cost (job_task any_j).

      End JitterOfHigherPriorityJobs.

      (* Using the lemmas above, we conclude that the job jitter parameter is
         upper-bounded by the task jitter for any job in the arrival sequence. *)

      Lemma ts_membership_job_jitter_le_task_jitter:
        job_jitter any_j task_jitter (job_task any_j).

    End JobJitterBoundedByTaskJitter.

  End ProvingMembership.

End TaskSetMembership.