Skip to main content

Scheduler Theorems

This file contains theorems that can be derived from the axioms in scheduler-theory.md. More specifically, statements in this file follow from TenvTsch(a,b,tlag)T_{\textsf{env}} \cup T_{\textsf{sch}}(a,b,t_{\texttt{lag}}).

Theorem 1 — Quiescence after Crash

G(Crash(¬RSx  W  IEs))\texttt{G}( \texttt{Crash} \rightarrow (\neg \texttt{RS}_x \; \texttt{W} \; \texttt{IEs}) )

After Crash\texttt{Crash} no new starts until re-initialisation. Uses environment axioms EA1, EA2, and EA6.

Theorem 2 — Per-task non-overlap

G(RSx¬Y  Runningx)\texttt{G}\big( \texttt{RS}_x \rightarrow \neg \texttt{Y} \;\texttt{Running}_x \big)

Once a run starts, no further RSx\texttt{RS}_x may occur before a matching REx\texttt{RE}_x or Crash\texttt{Crash}. Derived from S1 together with the definition of Pending\texttt{Pending}.

Theorem 3 — Quiescence after StopEnd

G(SE(¬RSx  W  IEs))\texttt{G}( \texttt{SE} \rightarrow (\neg \texttt{RS}_x \; \texttt{W} \; \texttt{IEs}) )

After SE\texttt{SE}, no new starts until re-initialisation. Derived from S1 and the fact that Obligation\texttt{Obligation} requires Active\texttt{Active}.

Theorem 4 — Crash dominance

G(Crash¬RSx)G(Crash¬REx)G(Crash¬ISR)G(Crash¬IE)G(Crash¬SS)G(Crash¬SE)\texttt{G}( \texttt{Crash} \rightarrow \neg \texttt{RS}_x ) \\ \texttt{G}( \texttt{Crash} \rightarrow \neg \texttt{RE}_x ) \\ \texttt{G}( \texttt{Crash} \rightarrow \neg \texttt{IS}_R ) \\ \texttt{G}( \texttt{Crash} \rightarrow \neg \texttt{IE} ) \\ \texttt{G}( \texttt{Crash} \rightarrow \neg \texttt{SS} ) \\ \texttt{G}( \texttt{Crash} \rightarrow \neg \texttt{SE} ) \\

A crash cannot cooccur with any action. Derived from EA1 and EA2.

Theorem 5 — Example Theorem of Traces

The following are traces of TenvTsch(a,b,tlag)T_{\textsf{env}} \cup T_{\textsf{sch}}(a,b,t_{\texttt{lag}}):

Trace 1 — Normal operation

IS
IE              // task "1" registered
Due_1
RS_1            // consumes Pending_1
REs_1
Due_1
RS_1
REf_1
RetryDue_1      // RetryDue_1 occurs at t_f + RetryDelay(1); eligibility becomes true then
RS_1            // consumes RetryPending_1
REs_1

Trace 2 — Stop and restart

IS
IE                 // task "1" registered
SS
SE
                   // No RS_1 until re-init; no obligations either
IS
IE                 // task "1" registered
Due_1
RS_1
REs_1

Trace 3 — Crash and restart

IS
IE                 // task "1" registered
Due_1
RS_1
Crash              // no RS_1 until next IE
IS
IE                 // task "1" registered
Due_1
RS_1               // restart after re-init
REs_1