You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: Test/VeriFast/tasks/vTaskSwitchContext/README.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -349,7 +349,7 @@ For that, `vTaskSwitchContext` calls `prvSelectHighestPriorityTask` which search
349
349
FreeRTOS maintains a global data structure called the "ready lists".
350
350
It is an array `pxReadyTasksLists` with an entry for every priority level that a task might have.
351
351
For every such priority level `p`, `pxReadyTasksLists[p]` stores a cyclic doubly linked list containing all tasks of priority level `p` that are ready to be scheduled, including currently running ones.
352
-
`prvSelectHighestPriorityTask` searches through the these lists in descending order.
352
+
`prvSelectHighestPriorityTask` searches through these lists in descending order.
353
353
That is, in order to verify `vTaskSwitchContext`, we have to reason about the ready lists.
354
354
355
355
@@ -370,7 +370,7 @@ The latter also contains the API proofs.
370
370
371
371
## Comparing the Original List Proofs and Our Adaptation
372
372
As mentioned, we had to heavily adapt the list formalization and proofs to reuse them for the scheduler verification.
373
-
Therefore, both `scp_list_predicates.h` and `scp_list_predicates.h` contain an updated version of the formalization and proofs used by our context-switch proof and the original version by Aalok Thakkar and Nathan Chong.
373
+
Therefore, both `scp_list_predicates.h` and `list.c` contain an updated version of the formalization and proofs used by our context-switch proof and the original version by Aalok Thakkar and Nathan Chong.
374
374
The latter is guarded by a preprocessor define `VERIFAST_SINGLE_CORE`.
375
375
We can compare both versions by preprocessing both files twice: Once with the define `VERIFAST_SINGLE_CORE`, which yields the original version, and once without which gives us the version used by our proofs.
376
376
Afterwards, a diff will show all the adaptations we had to apply.
@@ -456,11 +456,11 @@ While this change seems simple on a first glance, it forced us to adapt all the
456
456
457
457
## Issue 2: Model-induced Complexity
458
458
459
-
The formalization of doubly linked segments induces heavy complexity.
459
+
The formalization of doubly linked list segments induces heavy complexity.
460
460
The problem lies in the fact that `DLS` cannot express empty list segments.
461
461
This leads to complex case distinctions whenever we access list nodes.
462
462
Consequently, our proof becomes very complex and every list access leads to an exponential blow-up of the proof tree.
463
-
This in turn leads to very bad performance of checking the proof.
463
+
This in turn leads to very bad performance when checking the proof.
464
464
We solved this problem by introducing a new representation of a cyclic doubly-linked list as a potentially empty prefix, the node we want to access and a potentially empty suffix: `DLS_prefix(....) &*& xLIST_ITEM(node, ...) &*& DLS_suffix(...)`
465
465
We added lemmas that allow us to freely convert between a `DLS` predicate and our new representation.
466
466
Thereby, the proof became a lot simpler and it reduced the time needed to check the proof from ~20 minutes to about 12.5 seconds.
0 commit comments