IEEE TRANSACTIONS ON COMPUTERS, VOL. 39,NO.

9, SEPTEMBER 1990 1175

Priority Inheritance Protocols: An Approach to

Real-Time Synchronization

Abstmct- A direct application of commonly used synchro- of heuristic algorithms to generate feasible schedules. Their
nization primitives such as semaphores, monitors, or the Ada heuristic has a high probability of success in the generation of
rendezvous can lead to uncontrolled priority inversion, a situa- feasible schedules.
tion in which a higher priority job is blocked by lower priority
jobs for an indefinite period of time. In this paper, we investi- In this paper, we investigate the synchronization problem in
gate two protocols belonging to the class of priority inheritance the context of priority-driven preemptive scheduling, an ap-
protocols, called the basic priority inheritance protocol and the proach used in many real-time systems. The importance of
priority ceiling protoool. We show that both protocols solve this this approach is underscored by the fact that Ada, the lan-
uncontrolled priority inversion problem. In particular, the pri- guage mandated by the U.S. Department of Defense for all
ority ceiling protocol reduces the worst case task blocking time
to at most the duration of execution of a single critical section its real-time systems, supports such a scheduling discipline.
of a lower priority task. In addition, this protocol prevents the Unfortunately, a direct application of synchronization mecha-
formation of deadlocks. We also derive a set of sufficient con- nisms like the Ada rendezvous, semaphores, or monitors can
ditions under which a set of periodic tasks using this protocol lead to uncontrolled priority inversion: a high priority job be-
is schedulable. ing blocked by a lower priority job for an indefinite period
of time. Such priority inversion poses a serious problem in
Index Terms-Priority inheritance, priority inversion, real-
time systems, scheduling, synchronization. real-time systems by adversely affecting both the schedulabil-
ity and predictability of 'real-time systems. In this paper, we
formally investigate the priority inheritance protocol as a pri-
ority management scheme for synchronization primitives that
I. INTRODUCTION remedies the uncontrolled priority inversion problem. We for-
mally define the protocols in a uniprocessor environment and
T HE SCHEDULING of jobs with hard deadlines has been
an important area of research in real-time computer sys-
terns. Both nonpreemptive and preemptive scheduling algo-
in terms of binary semaphores. In Section 11, we review the
problems of existing synchronization primitives, and define
rithms have been studied in the literature [31, [4], [6]-[8], the basic concepts and notation. In Section 111, we define the
[lo], [1I]. An important problem that arises in the context of basic priority inheritance protocol and analyze its properties.
such real-time systems is the effect of blocking caused by the In Section IV, we define an enhanced version of the basic
need for the synchronization of jobs that share logical or phys- priority inheritance protocol referred to as the priority ceiling
ical resources. Mok [9] showed that the problem of deciding protocol and investigate its properties. Section V analyzes the
whether it is possible to schedule a set of periodic processes impact of this protocol on schedulability analysis when the
is NP-hard when periodic processes use semaphores to en- rate-monotonic scheduling algorithm is used and Section VI
force mutual exclusion. One approach to the scheduling of examines the implication considerations as well as some pos-
real-time jobs when synchronization primitives are used is to sible enhancements to the priority ceiling protocol. Finally,
try to dynamically construct a feasible schedule at run-time. Section VI1 presents the concluding remarks.
Mok [9] developed a procedure to generate feasible sched-
ules with a kernelized monitor, which does not permit the 11. THEPRIONTY PROBLEM
INVERSION
preemption of jobs in critical sections. It is an effective tech- Ideally, a high-priority job J should be able to preempt
nique for the case where the critical sections are short. Zhao, lower priority jobs immediately upon Ss initiation. Priority
Ramamritham, and Stankovic [14], [15] investigated the use inversion is the phenomenon where a higher priority job is
blocked by lower priority jobs. A common situation arises
Manuscript received December 1, 1987; revised May 1, 1988. This work when two jobs attempt to access shared data. To maintain con-
was suppofled in part by the Officeof Naval Research under Contract N00014-
84-K-0734, in part by Naval Ocean Systems Center under Contract N66001- sistency, the access must be serialized. If the higher priority
87-C-0155, and in part by the W e r a l Systems Division of IBM Corporation job gains access first then the proper priority order is main-
under University Agreement YA-278067. tained; however, if the lower priority job gains access first
L. Sha is with the Software Engineering Institute and the Department of
Computer Science, Carnegie Mellon University, Pittsburgh, PA 15213. and then the higher priority job requests access to the shared
R. Rajkumar is with IBM Thomas J. Watson Research Center, Yorkown data, this higher priority job is blocked until the lower priority
Heights, NY 10598. job completes its access to the shared data. Thus, blocking is
J. P. Lehoczky is with the Department of Statistics, Carnegie Mellon Uni-
versity, Pittsburgh, PA 15213. a form of priority inversion where a higher priority job must
IEEE Log Number 9037197. wait for the processing of a lower priority job. Prolonged du-

0018-9340/90/0900-1175$01.OO @ 1990 IEEE

1176 IEEE TRANSACTIONS ON COMPUTERS, VOL. 39, NO. 9, SEPTEMBER 1990

rations of blocking may lead to the missing of deadlines even job is a sequence of instructions that will continuously use the
at a low level of resource utilization. The level of resource processor until its completion if it is executing alone on the
utilization attainable before a deadline is missed is referred to processor. That is, we assume that jobs do not suspend them-
as the schedulability of the system. To maintain a high de- selves, say for I/O operations; however, such a situation can
gree of schedulability, we will develop protocols that would be accommodated by defining two or more jobs. In addition,
minimize the amount of blocking. It is also important to be we assume that the critical sections of a job are proper&
able to analyze the performance of any proposed protocol in nested and a job will release all of its locks, if it holds any,
order to determine the schedulability of real-time tasks that before or at the end of its execution. In all our discussions
use this protocol. below, we assume that jobs J 1 , J2, . . . ,J , are listed in de-
Common synchronization primitives include semaphores, scending order of priority with J 1 having the highest priority.
locks, monitors, and Ada rendezvous. Although the use of A periodic task is a sequence of the same type of job occur-
these or equivalent methods is necessary to protect the con- ring at regular intervals, and an aperiodic task is a sequence
sistency of shared data or to guarantee the proper use of non- of the same type of job occurring at irregular intervals. Each
preemptable resources, their use may jeopardize the ability of task is assigned a fixed priority, and every job of the same
the system to meet its timing requirements. In fact, a direct task is initially assigned that task’s priority. If several jobs are
application of these synchronization mechanisms can lead to eligible to run,the highest priority job will be run. Jobs with
an indefinite period of priority inversion and a low level of the same priority are executed in a FCFS discipline. When
schedulability. a job J is forced to wait for the execution of lower priority
Example I: Suppose that J1, J2, and J3 are three jobs jobs, job J is said to be “blocked.” When a job waits for the
arranged in descending order of priority with J1 having the execution of high priority jobs or equal priority jobs that have
highest priority. We assume that jobs J1 and J3 share a data arrived earlier, it is not considered as “blocked.” We now
structure guarded by a binary semaphore S. Suppose that at state our notation.
time tl ,job J3 locks the semaphore S and executes its criti- Notation :
cal section. During the execution of job J3’s critical section,
Ji denotes a job, i.e., an instance of a task ri. Pi and Ti
the high priority job J1 is initiated, preempts J3, and later at-
denote the priority and period of task ~i , respectively.
tempts to use the shared data. However, job J1 will be blocked
A binary semaphore guarding shared data and/or re-
on the semaphore S. We would expect that J1, being the high- source is denoted by Si. P ( S ; ) and V ( S i ) denote the
est priority job, will be blocked no longer than the time for
indivisible operations lock (wait) and unlock (signal),
job J3 to complete its critical section. However, the duration
respectively, on the binary semaphore Si.
of blocking is, in fact, unpredictable. This is because job J3
Thejth critical section in job Ji is denoted by z i , j and
can be preempted by the intermediate priority job J2. The
corresponds to the code segment of job Ji between the
blocking of J3, and hence that of J1, will continue until J2
jth P operation and its corresponding V operation. The
and any other pending intermediate jobs are completed.
semaphore that is locked and released by critical section
The blocking period in Example 1 can be arbitrarily long.
z i , j is denoted by Si,j .
This situation can be partially remedied if a job in its critical
We write zi,, c z i , k if the critical section z ; , j is entirely
section is not allowed to be preempted; however, this solution
contained in zi, k .
is only appropriate for very short critical sections, because it
The duration of execution of the critical section z;,j , de-
creates unnecessary blocking. For instance, once a low prior-
noted d ; , j , is the time to execute z i , j when Ji executes
ity job enters a long critical section, a high priority job which
on the processor alone.
does not access the shared data structure may be needlessly
blocked. An identical problem exists in the use of monitors. We assume that critical sections are properly nested. That
The priority inversion problem was first discussed by Lamp- is, given any pair of critical sections zi,j and Z i , k , then either
son and Redell [2] in the context of monitors. They suggest Z i , j C Z i , k , Z i , k c Z i , j , Or Z i , j n 2 i . k = 0 . In addition, We
that the monitor be executed at a priority level higher than all assume that a semaphore may be locked at most once in a
tasks that would ever call the monitor. In the case of the Ada single nested critical section.
rendezvous, when a high priority job (task) is waiting in the Definition: A job J is said to be blocked by the critical
entry queue of a server job, the server itself can be preempted section zi, j of job Ji if Ji has a lower priority than J but J
by an independentjob J , if job S s priority is higher than both has to wait for Ji to exit zi, j in order to continue execution.
the priority of the server and the job which is currently in Definition: A job J is said to be blocked by job J ; through
rendezvous with the server. Raising the server priority to be semaphore S , if the critical section zi,, blocks J and Si,j = S.
higher than all its callers would avoid this particular problem In the next two sections, we will introduce the concept of
but would create a new problem: a low priority job may un- priority inheritance and a priority inheritance protocol called
necessarily block the execution of independent higher priority the priority ceiling protocol. An important feature of this pro-
jobs via the use of the server. tocol is that one can develop a schedulability analysis for it
The use of priority inheritance protocols is one approach in the sense that a schedulability bound can be determined. If
to rectify the priority inversion problem in existing synchro- the utilization of the task set stays below this bound, then the
nization primitives. Before we investigate these protocols, we deadlines of all the tasks can be guaranteed. In order to create
first define the basic concepts and state our assumptions. A such a bound, it is necessary to determine the worst case du-
SHA et al. : PRIORITY INHERITANCE PROTOCOLS 1177

ration of priority inversion that any task can encounter. This ity of the jobs blocked by J . When J exits a critical section, it
worst case blocking duration will depend upon the particular resumes the priority it had at the point of entry into the critical
protocol in use. section.*
Notation: P i , j denotes the set of all critical sections of 3) Priority inheritance is transitive. For instance, suppose
the lower priority job J j which can block J i . That is, J1, J 2 , and J3 are three jobs in descending order of priority.
P i , j = { Z j , k l j > i and z j , k can block J i } . ’ Then, if job J3 blocks job J 2 , and J2 blocks job J1, J3 would
Since we consider only properly nested critical sections, inherit the priority of J1 via J2. Finally, the operations of
the set of blocking critical sections is partially ordered by priority inheritance and of the resumption of original priority
set inclusion. Using this partial ordering, we can reduce our must be indi~isible.~
attention to the set of maximal elements of / 3 i , j , Pi: Specif- ,. 4) A job J can preempt another job J L if job J is not
ically, we have fl:j = { z j , k ] ( Z j , k E P i , j ) A ( k j , m E P i , j blocked and its priority is higher than the priority, inherited
Such that z j , k C Z j , m ) } . or assigned, at which job J L is executing.
The set contains the longest critical sections of J j which It is helpful to summarize that under the basic priority inher-
can block Ji and eliminates redundant inner critical sections. itance protocol, a high priority job can be blocked by a low-
For purposes of schedulability analysis, we will restrict atten- priority job in one of two situations. First, there is the dirert
tion to @ * = Uj,iP[ j , the set of all longest critical sections blocking, a situation in which a higher priority job attempts
that can block J i . to lock a locked semaphore. Direct blocking is necessary to
ensure the consistency of shared data. Second, a medium pri-
ority job J1 can be blocked by a low priority job J 2 , which
III. THEBASICP r u o INHERITANCE
~~ PROTOCOL
inherits the priority of a high priority job J o . We refer to this
The basic idea of priority inheritance protocols is that when form of blocking as push-through blocking, which is neces-
a job J blocks one or more higher priority jobs, it ignores its sary to avoid having a high-priority job Jo being indirectly
original priority assignment and executes its critical section preempted by the execution of a medium priority job J1.
at the highest priority level of all the jobs it blocks. After
exiting its critical section, job J returns to its original priority B. The Properties of the Basic Protocol
level. To illustrate this idea, we apply this protocol to Example We now proceed to analyze the properties of the basic pri-
1. Suppose that job J1 is blocked by job J3. The priority ority inheritance protocol defined above. In this section, we
inheritance protocol requires that job J3 execute its critical assume that deadlock is prevented by some external means,
section at job J l ’ s priority. As a result, job J2 will be unable e.g., semaphores are accessed in an order that is consistent
to preempt job J3 and will itself be blocked. That is, the higher with a predefined acyclical order. Throughout this section, 0;
priority job J2 must wait for the critical section of the lower refers to the sets of the longest critical sections that can block
priority job J3 to be executed, because job J3 “inherits” the Ji when the basic priority inheritance protocol is used.
priority of job J1. Otherwise, J1 will be indirectly preempted Lemma I : A job J H can be blocked by a lower prior-
by J 2 . When J3 exits its critical section, it regains its assigned ity job J L , only if J L is executing within a critical section
lowest priority and awakens J1 which was blocked by J3. Z L , ~E when J H is initiated.
Job J1, having the highest priority, immediately preempts J3 Proof: By the definitions of the basic priority inheritance
and runs to completion. This enables J2 and J3 to resume in protocol and the blocking set P;i,L, task J L can block J H
succession and run to completion. only if it directly blocks J H or has its priority raised above
J H through priority inheritance. In either case, the critical
A . The Definition of the Basic Protocol section Z L , j currently being executed by J L is in Or;, L . If J L
We now define the basic priority inheritance protocol. is not within a critical section which cannot directly block J H
1) Job J , which has the highest priority among the jobs and cannot lead to the inheritance of a priority higher than
ready to run, is assigned the processor. Before job J enters a J H , then J L can be preempted by J H and can never block
critical section, it must first obtain the lock on the semaphore JH.
S guarding the critical section. Job J will be blocked, and the Lemma 2: Under the basic priority inheritance protocol, a
lock on S will be denied, if semaphore S has been already high priority job J H can be blocked by a lower priority job
locked. In this case, job J is said to be blocked by the job J L for at most the duration of one critical section of
which holds the lock on S . Otherwise, job J will obtain the regardless of the number of semaphores J and J L share.
lock on semaphore S and enter its critical section. When job J Proof: By Lemma 1, for J L to block J H , J L must be
exits its critical section, the binary semaphore associated with currently executing a critical section Z L , , E P;, L . Once JL
the critical section will be unlocked, and the highest priority exits Z L , j , it can be preempted by J H and J H cannot be
job, if any, blocked by job J will be awakened. blocked by J L again.
2) A job J uses its assigned priority, unless it is in its crit-
ical section and blocks higher priority jobs. If job J blocks * For example, when J executes Y(S2) in SI), . ’ . ,P(S2), . . . ,
Y ( S 2 ) ., . . , V ( S , ) } , it reverts to the priority it had before it executedP(S2).
higher priority jobs, J inherits (uses) PH, the highest prior- This may be lower than its current priority and cause J to be preempted by
a higher priority task. J would, of course, still hold the lock on SI.
’ Note that the second suffix of &,, and the first suffix of 2 j . k correspond The operations must be indivisible in order to maintain internal consis-
to job J , . tency of data structures being manipulated in the run-time system.
1178 IEEE TRANSACTIONS ON COMPUTERS, VOL. 39, NO. 9, SEPTEMBER 1990

Theorem 3: Under the basic priority inheritance proto- J2 locks semaphore S2 and enters its critical section. At time
col, given a job J O for which there are n lower priority jobs t 2 , job J Z attempts to make a nested access to lock semaphore
{ J I,. . . ,J n } , job J O can be blocked for at most the duration S 1 . However, job J 1 , a higher priority job, is ready at this
of one critical section in each of .0; i , 1 5 i 5 n . time. Job J1 preempts job J2 and locks semaphore S I . Next,
Pro08 By Lemma 2 , each of the n lower priority jobs if job J1 tries to lock semaphore S Z , a deadlock is formed.
can block job J O for at most the duration of a single critical The deadlock problem can be solved, say, by imposing a
section in each of the blocking sets 0 .; i . total ordering on the semaphore accesses. Still, a second prob-
We now determine the bound on the blockings as a function lem exists. The blocking duration for a job, though bounded,
of the semaphores shared by jobs. can still be substantial, because a chain of blocking can be
Lemma 4: A semaphore S can cause push-through block- formed. For instance, suppose that J1 needs to sequentially
ing to job J , only if S is accessed both by a job which has access SI and S2. Also suppose that J2 preempts J3 within
priority lower than that of J and by a job which has or can the critical section ~ 3 , 1and enters the critical section Z Z , 2 .
inherit priority equal to or higher than that of J . Job J1 is initiated at this instant and finds that the semaphores
Pro08 Suppose that J L accesses semaphore S and has S1 and S2 have been respectively locked by the lower priority
priority lower than that of J . According to the priority inher- jobs J3 and J z . As a result, J1 would be blocked for the du-
itance protocol, if S is not accessed by a job which has or can ration of two critical sections, once to wait for J3 to release
inherit priority equal to or higher than that of J , then job JL'S SIand again to wait for J Z to release S2. Thus, a blocking
critical section guarded by S cannot inherit a priority equal to chain is formed.
or higher than that of J . In this case, job J L will be preempted We present in the next section the priority ceiling protocol
by job J and the lemma follows. that addresses effectively both these problems posed by the
We next define i,": j , k to be the set of all longest critical basic priority inheritance protocol.
sections of job J j guarded by semaphore S k and which can
block job Ji either directly or via push-through blocking. That IV. THEPRIORITY
CEILINGPROTOCOL
it
is, j , k = { Z j , p 1Zj.p E 0,":j and s j , p = Sk}. A . Overview
Let {;.$ = Uj2ii{ j , k represent the set of all longest crit- The goal of this protocol is to prevent the formation of
ical sections corresponding to semaphore S k which can block deadlocks and of chained blocking. The underlying idea of
Ji . this protocol is to ensure that when a job J preempts the
Lemma 5: Under the basic priority inheritance protocol, a critical section of another job and executes its own critical
job Ji can encounter blocking by at most one critical section section z , the priority at which this new critical section z will
in {,":.& for each semaphore S k , 1 5 k 5 m , where m is the execute is guaranteed to be higher than the inherited priorities
number of distinct semaphores. of all the preempted critical sections. If this condition cannot
P r m 8 By Lemma 1, job J L can block a higher prior- be satisfied, job J is denied entry into the critical section z
ity job J H if J L is currently executing a critical section in and suspended, and the job that blocks J inherits J's priority.
P & L . Any such critical section corresponds to the locking This idea is realized by first assigning a priority ceiling to each
and unlocking of a semaphore S k . Since we deal only with semaphore, which is equal to the highest priority task that
binary semaphores, only one of the lower priority jobs can be may use this semaphore. We then allow a job J to start a new
within a blocking critical section corresponding to a particular critical section only if J's priority is higher than all priority
semaphore S k . Once this critical section is exited, the lower ceilings of all the semaphores locked by jobs other than J .
priority job J L can no longer block J H . Consequently, only Example 2 illustrates this idea and the deadlock avoidance
one critical section in 0: corresponding to semaphore S k can property while Example 3 illustrates the avoidance of chained
block J H . The lemma follows. blocking.
Theorem 6: Under the basic priority inheritance protocol, Example 2: Suppose that we have three jobs J o , J1 ,and 5 2
if there are m semaphores which can block job J , then J can in the system. In addition, there are two shared data structures
be blocked by at most m times. protected by the binary semaphores SI and S2, respectively.
Pro08 It follows from Lemma 5 that job J can be We define the priority ceiling of a semaphore as the priority of
blocked at most once by each of the m semaphores. the highest priority job that may lock this semaphore. Suppose
Theorems 3 and 6 place an upper bound on the total block- the sequence of processing steps for each job is as follows.
ing delay that a job can encounter. Given these results, it is
possible to determine at compile-time the worst case blocking Jo = {. . . ,P(So),. . . ,V(So),. . .}
duration of a job. For instance, if there are four semaphores
J1 = {. . .,P ( S l ) ,. . . ,P(S2),. . . ,V(S2),* . V ( S l ) ,. . .}
a ,

which can potentially block job J and there are three other
lower priority tasks, J may be blocked for a maximum dura- J2 = {. . . ,P(S2), . . . , P ( S , ) ,. . . ,V ( S l ) ,. . . ,V(S2),. . .}.
tion of three longest subcritical sections. Moreover, one can
find the worst case blocking durations for a job by studying Recall that the priority of job J1 is assumed to be higher than
the durations of the critical sections in 6,": and {:.$. that of job J2. Thus, the priority ceilings of both semaphores
Still, the basic priority inheritance protocol has the follow- SIand S2 are equal to the priority of job J 1 .
ing two problems. First, this basic protocol, by itself, does not The sequence of events described below is depicted in Fig.
prevent deadlocks. For example, suppose that at time t l , job 1. A line at a low level indicates that the corresponding job
SHA er al.: PRIORlTY INHERITANCE PROTOCOLS 1179

Critical saction pardtd by So

Critical scction guarded by S2
Critical section pardbd by S

*
s unlocked

J1

I I I I I 1 I I
I 1 I I I I t I I +
t t b
t2t3 t4 f5 f6 7 8

Fig. 1. Sequence of events described in Example 2.

is blocked or has been preempted by a higher priority job. A

line raised to a higher level indicates that the job is executing.
. At t s , J2 completes.

The absence of a line indicates that the job has not yet been
Note that in the above example, J O is never blocked because
initiated or has completed. Shaded portions indicate execution
its priority is higher than the priority ceilings of semaphores
of critical sections. Suppose that
S1 and S2. J1 was blocked by the lower priority job 5 2 dur-
At time t o , J2 is initiated and it begins execution and ing the intervals [ t 2 , f 3 ] and [ f 4 , t 6 ] . However, these intervals
then locks semaphore S2. correspond to part of the duration that J2 needs to lock S 2 .
At time t 1 , job J1 is initiated and preempts job J z . Thus, J 1 is blocked for no more than the duration of one crit-
At time t 2 , job J1 tries to enter its critical section by ical section of a lower priority job J2 even though the actual
making an indivisible system call to executeP(S1). How- blocking occurs over disjoint time intervals. It is, indeed, a
ever, the run-time system will find that job J I 's priority is property of this protocol that any job can be blocked for at
not higher than the priority ceiling of locked semaphore most the duration of a single critical section of a lower pri-
S2. Hence, the run-time system suspends job J I without ority job. This property is further illustrated by the following
locking S I . Job J2 now inherits the priority of job J I example.
and resumes execution. Note that J I is blocked outside Example 3: Consider the example from the previous sec-
its critical section. As J 1 is not given the lock on S I but tion where a chain of blockings can be formed. We assumed
suspended instead, the potential deadlock involving J 1 that job J I needs to access S1 and S2 sequentially while 52
and J2 is prevented. accesses S2 and J3 accesses S I .Hence, the priority ceilings
At time f 3 , J2 is still in its critical section and the highest of semaphores SI and S2 are equal to P I . As before, let job
priority job Jo is initiated and preempts J2. Later, J O J 3 lock S I at time t o . At time CI, job J2 is initiated and
attempts to lock semaphore So. Since the priority of J O preempts J 3 . However, at time f 2 , when 52 attempts to lock
is higher than the priority ceiling of locked semaphore S 2 , the run-time system finds that the priority of J2 is not
S 2 , job J O will be granted the lock on the semaphore higher than the priority ceiling P I of the locked semaphore
So. Job J Owill therefore continue and execute its critical S I . Hence, 52 is denied the lock on S2 and blocked. Job J3
section, thereby effectively preempting J2 in its critical resumes execution at J2's priority. At time 1 3 , when 53 is still
section and not encountering any blocking. in its critical section, J I is initiated and finds that only one
At time t 4 , J Ohas exited its critical section and completes semaphore S I is locked. At time t 4 , J1 is blocked by J3 which
execution. Job 5 2 resumes, since Jt is blocked by J2 and holds the lock on S I . Hence, J3 inherits the priority of J I .
cannot execute. J2 continues execution and locks S I . At time f 5 , job J3 exits its critical section z3, I , resumes its
At time t 5 , J2 releases S I . original priority, and awakens J1. Job 5 3 , having the highest
At time t 6 , J2 releases S2 and resumes its assigned pri- priority, preempts J3 and runs to completion. Next, 52 which
ority. Now, J I is signaled and having a higher priority, is no longer blocked completes its execution and is followed
it preempts 52, resumes execution, and locks S2. Then, by J 3 .
J I locks S I , executes the nested critical section, and un- Again, note that J 1 is blocked by J3 in the interval [t4, ts]
locks S I . Later it unlocks S2 and executes its noncritical which corresponds to the single critical section z 3 , l . Also,
section code. job J2 is blocked by 53 in the disjoint intervals [ t 2 , t3] and
At t 7 , J I completes execution and J2 resumes. [t4, t 5 1 which also correspond to the same critical section z3,
1180 IEEE TRANSACTIONS ON COMPUTERS, VOL. 39, NO. 9, SEPTEMBER 1990

Critical section guarded by So

Critical section guarded by S
Critical section guarded by S,

blocked
(attempt to lock So)

JO
S 2 locked
blocked by J2

'r (aaempt to lock S )

IJ2 I
I
to
I
1
'1
I I
I

t2t3
1

t4
I
I
'5
I
I
I
I
'6
I
I

'7
I
I

'8
I
I

'9
II

'IO
b
time

I
Fig. 2. Sequence of events described in Example 4.

B . Definition Example 4: We assume that the priority of job Ji is higher

than that of job J i + l . The processing steps in each job are as
Having illustrated the basic idea of the priority ceiling pro- follows:
tocol and its properties, we now present its definition. Job J O accesses 20.0 and z0, by executing the steps
1) Job J , which has the highest priority among the jobs
ready to run, is assigned the processor, and let S* be the {' ' ' P(So),' . ' 7 v ( S 0 ) 7 .' ' ,P(Sl),' ' ' y ( S 1 ) , ' ' '},
7

semaphore with the highest priority ceiling of all semaphores

currently locked by jobs other than job J . Before job J en- job J 1 accesses only 2 1 , ~by executing
ters its critical section, it must first obtain the lock 011the
semaphore S guarding the shared data structure. Job J will
be blocked and the lock on S will be denied, if the priority
of job J is not higher than the priority ceiling of semaphore and job J2 accesses z2,2 and makes a nested semaphore access
S*.4 In this case, job J is said to be blocked on semaphore to S1 by executing
S* and to be blocked by the job which holds the lock on S * .
Otherwise, job J will obtain the lock on semaphore S and en- {. . . ,P(SZ),* . . ,P(SI),. . . ,V(Sl), . . . ,Y(S2), . ..I.
ter its critical section. When a job J exits its critical section,
the binary semaphore associated with the critical section will Note that the priority ceilings of semaphores SO and S1 are
be unlocked and the highest priority job, if any, blocked by equal to P O ,and the priority ceiling of semaphore SZ is P I .
job J will be awakened. Fig. 2 depicts the sequence of events described below.
2) A job J uses its assigned priority, unless it is in its critical Suppose that
section and blocks higher priority jobs. If job J blocks higher
priority jobs, J inherits P H , the highest priority of the jobs At time to, job J Z begins execution and later locks Sz.
blocked by J . When J exits a critical section, it resumes the At time t l , job J1 is initiated, preempts J z , and begins
priority it had at the point of entry into the critical ~ e c t i o n . ~ execution.
Priority inheritance is transitive. Finally, the operations of At time t2, while attempting to access S2 already locked
priority inheritance and of the resumption of previous priority by J2, job J1 becomes blocked. Job J2 now resumes
the execution of its critical section ZZ,Z at its inherited
must be indivisible.
3) A job J , when it does not attempt to enter a critical priority of J1, namely P I .
section, can preempt another job J L if its priority is higher At time t3, job J2 successfully enters its nested critical
than the priority, inherited or assigned, at which job J L is section z2,1 by locking SI.Job J2 is allowed to lock SI,
because there is no semaphore S* which is locked by
executing.
other jobs.
We shall illustrate the priority ceiling protocol using an
example. At time t4, job J2 is still executing 22, but the highest
priority job J O is initiated. Job J O preempts J2 within
Note that if S has been already locked, the priority ceiling of S will be at
least equal to the priority of J . Because job Ss priority is not higher than the z2,1 and executes its own noncritical section code. This
priority ceiling of the semaphore S locked by another job, J will be blocked. is possible because PO,the priority of J o , is higher than
Hence, this rule implies that if a job J attempts to lock a semaphore that has P I ,the inherited priority level at which job J2's 22.1 was
been already locked, J will be denied the lock and blocked instead.
'That is, when J exits the part of a critical section, it resumes its previous being executed.
priority. At time t5, job J Oattempts to enter its critical section ZO,o
SHA et al. : PRIORITY INHERITANCE PROTOCOLS 1181

by locking S O , which is not locked by any job. However, JL, only if the priority of job J is no higher than the highest
since the priority of job J O is not higher than the priority priority ceiling of all the semaphores that are locked by all
ceiling POof the locked semaphore S 1 , job J O is blocked lower priority jobs when J is initiated.
by job J2 which holds the lock on S1. This is a new form Proof: Suppose that when J is initiated, the priority of
of blocking introduced by the priority ceiling protocol in job J is higher than the highest priority ceiling of all the
addition to the direct and push-through blocking encoun- semaphores that are currently locked by all lower priority jobs.
tered in the basic protocol. At this point, job 52 resumes By the definition of the priority ceiling protocol, job J can
its execution of 22.1 at the newly inherited priority level always preempt the execution of job JL ,and no higher priority
of Po. job will ever attempt to lock those locked semaphores.
At time t6, job J2 exits its critical section 2 2 , ~ . Lemma 8: Suppose that the critical section z , , ~of job Jj
Semaphore S 1is now unlocked, job J2 returns to the pre- is preempted by job Ji which enters its critical section Zi,m.
viously inherited priority of P I , and job Jo is awakened. Under the priority ceiling protocol, job J j cannot inherit a
At this point, J O preempts job J2, because its priority priority level which is higher than or equal to that of job Ji
P O is higher than the priority ceiling P I of S2. Job J O until job Ji completes.
will be granted the lock on SOand will execute its criti- Proof: Suppose that job J j inherits a priority that is
cal section z o , ~Later,
. it unlocks SOand then locks and higher than or equal to that of job Ji before Ji completes.
unlocks Si. Hence, there must exist a job J which is blocked by J j . In
At time t7, job J O completes its execution, and job J2 addition, S s priority must be higher than or equal to that of job
resumes its execution of z 2 , 2 at its inherited priority P I . Ji. We now show the contradiction that J cannot be blocked
At time t8, job J2 exits 22,2, semaphore S2 is unlocked, by J j . Since job Ji preempts the critical section z,,,, of job
job 52 returns to its own priority P2, and job J1 is awak- J j and enters its own critical section zi,m , job Ji’s priority
ened. At this point, job J1 preempts job J2 and J1 is must be higher than the priority ceilings of all the semaphores
granted the lock on S2. Later, J1 unlocks S2 and exe- currently locked by all lower priority jobs. Since Ss priority
cutes its noncritical section code. is assumed to be higher than or equal to that of Ji, it follows
At time t9, job J1 completes its execution and finally job that job Ss priority is also higher than the priority ceilings
J2 resumes its execution, until it also completes at time of all the semaphores currently locked by all lower priority
tl0. jobs. By Lemma 7, J cannot be blocked by J j . Hence, the
contradiction and the lemma follows.
The priority ceiling protocol introduces a third type of
blocking in addition to direct blocking and push-through Definition: Transitive blocking is said to occur if a job J
blocking caused by the basic priority inheritance protocol. is blocked by Ji which, in turn, is blocked by another job J j .
An instance of this new type of blocking occurs at time t5 Lemma 9: The priority ceiling protocol prevents transitive
in the above example. We shall refer to this form of block- blocking.
ing as ceiling blocking. Ceiling blocking is needed for the Proof: Suppose that transitive blocking is possible. Let
avoidance of deadlock and of chained blocking. This avoid- J3 block job J2 and let job 52 block job J1. By the transitivity
ance approach belongs to the class of pessimistic protocols of the protocol, job J 3 will inherit the priority of J1 which
which sometimes create unnecessary blocking. Although the is assumed to be higher than that of job J2. This contradicts
priority ceiling protocol introduces a new form of blocking, Lemma 8, which shows that J 3 cannot inherit a priority that
the worst case blocking is dramatically improved. Under the is higher than or equal to that of job J2. The lemma follows.
basic priority inheritance protocol, a job J can be blocked for Theorem IO: The priority ceiling protocol prevents dead-
at most the duration of min(n, m) critical sections, where n locks.
is the number of lower priority jobs that could block J and m Proof: First, by assumption, a job cannot deadlock with
is the number of semaphores that can be used to block J. On itself. Thus, a deadlock can only be formed by a cycle of
the contrary, under the priority ceiling protocol a job J can jobs waiting for each other. Let the n jobs involved in the
be blocked for at most the duration of one longest subcritical blocking cycle be (J1,. . . ,Jn }. Note that each of these n
section. jobs must be in one of its critical sections, since a job that
does not hold a lock on any semaphore cannot contribute to
C . The Properties of the Priority Ceiling Protocol the deadlock. By Lemma 9, the number of jobs in the blocking
Before we prove the properties of this protocol, it is impor- cycle can only be two, i.e., n = 2. Suppose that job J2’s
tant to recall the two basic assumptions about jobs. First, a critical section was preempted by job J1, which then enters
job is assumed to be a sequence of instructions that will con- its own critical section. By Lemma 8, job J2 can never inherit
tinuously execute until its completion, when it executes alone a priority which is higher than or equal to that of job J 1 before
on a processor. Second, a job will release all of its locks, if it job J1 completes. However, if a blocking cycle (deadlock) is
ever holds any, before or at the end of its execution. The re- formed, then by the transitivity of priority inheritance, job J2
laxation of our first assumption is addressed at the end of this will inherit the priority of job J1. This contradicts Lemma 8
section. Throughout this section, the sets pi,j , /3[ j , and 0; and hence the theorem follows.
refer to the blocking sets associated with the priority ceiling Remark: Lemma 1 is true under the priority ceiling pro-
protocol. tocol.
Lemma 7: A job J can be blocked by a lower priority job Remark: Suppose that the run-time system supports the
1182 IEEE TRANSACTIONS ON COMPUTERS, VOL. 39, NO. 9 , SEPTEMBER 1990

priority ceiling protocol. Theorem 10 leads to the useful re- all the tasks are periodic. Second, we assume that each job
sult that programmers can write arbitrary sequences of prop- in a periodic task has deterministic execution times for both
erly nested semaphore accesses. As long as each job does not its critical and noncritical sections and that it does not syn-
deadlock with itself, there will be no deadlock in the system. chronize with external events, i.e., a job will execute to its
Lemma 11: Let J L be a job with a lower priority than that completion when it is the only job in the system. Finally, we
of job J ; . Job J ; can be blocked by job J L for at most the assume that these periodic tasks are assigned priorities accord-
duration of one critical section in /3[ L . ing to the rate-monotonic algorithm. Readers who are inter-
Proof: First, job J ; will preempt J L if J L is not in a ested in more general scheduling issues, such as the reduction
critical section Z L , E~ /3[L. Suppose that job Ji is blocked of aperiodic response times and the effect of task stochastic
by Z L , ~ By. Theorem 10, there is no deadlock and hence job execution times, are referred to [4]and [12].
J L will exit Z L , m at some instant tl . Once job J L leaves this We quote the following theorem also due to Liu and Lay-
critical section at time t 1 , job J L can no longer block job J i . land which was proved under the assumption of independent
This is because job J ; has been initiated and J L is not within tasks, i.e., when there is no blocking due to data sharing and
a critical section in /3[L. It follows from Lemma 1 that job synchronization.
J L can no longer block job J i . Theorem 14: A set of n periodic tasks scheduled by the
Theorem 12: A job J can be blocked for at most the du- rate-monotonic algorithm can always meet their deadlines if
ration of at most one element of b;.
Proof: Suppose that job J can be blocked by n > 1 ele-
ments of 0;. By Lemma 11, the only possibility is that job J
is blocked by n different lower priority jobs. Suppose that the where C ; and Ti are the execution time and period of task r;,
first two lower priority jobs that block job J are J1 and J2 . By respectively.
Lemma 1, in order for both these jobs to block job J , both of Theorem 14 offers a sufficient (worst case) condition that
them must be in a longest blocking critical section when job characterizes the rate-monotonic schedulability of a given peri-
J is initiated. Let the lowest priority job J2 enter its blocking odic task set. The following exact characterization was proved
critical section first, and let the highest priority ceiling of all by Lehoczky, Sha, and Ding [ 5 ] . An example of the use of
the semaphores locked by J2 be p 2 . Under the priority ceiling this theorem will be given later in this section.
protocol, in order for job J 1 to enter its critical section when Theorem 15: A set of n periodic tasks scheduled by the
J2 is already inside one, the priority of job J1 must be higher rate-monotonic algorithm will meet all their deadlines for all
than priority ceiling p2. Since we assume that job J can be task phasings if and only if
blocked by job J2, by Lemma 7 the priority of job J cannot
be higher than priority ceiling p 2 . Since the priority of job J1
is higher than p2 and the priority of job J is no higher than
p 2 , job J l ' s priority must be higher than the priority of job
J. This contradicts the assumption that the priority of job J
is higher than that of both J1 and J2. Thus, it is impossible
for job J to have priority higher than both jobs J1 and 5 2
and to be blocked by both of them under the priority ceiling where C j , T j , and Uj are the execution time, period, and
protocol. The theorem follows immediately. utilization of task r j , respectively, and R; = { ( k , 1) 11 I k 5 i ,
Remark: We may want to generalize the definition of a job 1 = I , . . . , lT;/Tk]}.
by allowing it to suspend during its execution, for instance, When tasks are independent of one another, Theorems 14
to wait for I/O services to complete. The following corollary and 15 provide us with the conditions under which a set
presents the upper bound on the blocking duration of a gen- of n periodic tasks can be scheduled by the rate-monotonic
eralized job that might suspend and later resume during its algorithm.6 Although these two theorems have taken into ac-
execution. count the effect of a task being preempted by higher prior-
Corollary 13: If a generalized job J suspends itself n times ity tasks, they have not considered the effect of a job being
during its execution, it can be blocked by at most n 1 not + blocked by lower priority jobs. We now consider the effect of
necessarily distinct elements of 0;. blocking. Each element in pi is a critical section accessed by a
lower priority job and guarded by a semaphore whose priority
V. SCHEDULABILITY
ANALYSIS ceiling is higher than or equal to the priority of job Jj . Hence,
Having proved the properties of the priority ceiling proto- 0; can be derived from p i . By Lemma 7 and Theorem 12,
col, we now proceed to investigate the effect of blocking on job J ; of a task r can be blocked for at most the duration of
the schedulability of a task set. In this section, we develop a single element in 0;. Hence, the worst case blocking time
a set of sufficient conditions under which a set of periodic for J is at most the duration of the longest element of 0;. We
tasks using the priority ceiling protocol can be scheduled by denote this worst case blocking time of a job in task 7; by Bj .
the rate-monotonic algorithm, which assigns higher priorities Note that given a set of n periodic tasks, B , = 0, since there
to tasks with shorter periods and is an optimal static priority is no lower priority task to block 7,.
algorithm when tasks are independent [8]. To this end, we 6That is, the conditions under which all the jobs of all the n tasks will
will use a simplified scheduling model. First, we assume that meet their deadlines.
SHA er al. : PRIORITY INHERITANCE PROTOCOLS 1183

Theorems 14 and 15 can be generalized in a straightforward Remark: The blocking duration Bi represents the worst
fashion. In order to test the schedulability of 7i,we need to case conditions and hence the necessary and sufficient condi-
consider both the preemptions caused by higher priority tasks tions of Theorem 15 become sufficient conditions in Theorem
and blocking from lower priority tasks along with its own 18.
utilization. The blocking of any job of 7i can be in the form The following example helps clarify the use of Theorem
of direct blocking, push-through blocking, or ceiling blocking 18. Consider the case of three periodic tasks:
but does not exceed Bi.Thus, Theorem 14 becomes
Task 71: C1 = 40; T I= 100; B1 = 20; U1 = 0.4
Theorem 16: A set of n periodic tasks using the prior-
Task 72: C2 = 40; T2 = 150; B2 = 30; U2 = 0.267
ity ceiling protocol can be scheduled by the rate-monotonic
Task 73:C3 = 100; T3 = 350;B3 = 0;U3 = 0.286.
algorithm if the following conditions are satisfied:

Task 71 can be blocked by task 72 for at most 20 units, while 72

can be blocked by task 73 for at most 30 time units. The lowest
Proof: Suppose that for each task 7; the equation is sat- priority task, 73,cannot be blocked by any lower priority tasks.
The total utilization of the task set ignoring blocking is 0.952,
isfied. It follows that the equation of Theorem 14 will also be
+
satisfied with n = i and Ci replaced by CF = (Ci Bi).That far too large to apply the conditions of Theorem 16. Theorem
is, in the absence of blocking, any job of task 7; will still meet 18 is checked as follows:
+
its deadline even if it executes for (Ci Bi) units of time. It +
1) Task 71: Check C1 B1 5 100. Since 40 20 5 100, +
follows that task 7 i , if it executes for only Ci units of time, task 71 is schedulable.
can be delayed by Bi units of time and still meet its deadline. 2) Task 7 2 : Check whether either
Hence, the theorem follows.
Remark: The first i terms in the above inequality constitute CI +C2 +B2 I 100 80+30 > 100
the effect of preemptions from all higher priority tasks and
7;’s own execution time, while Bi of the last term represents or 2C1 +C2 B2 I + 150 +
120 30 I 150.
the worst case blocking time due to all lower priority tasks
for any job of task 7 i . To illustrate the effect of blocking Task 72 is scheddable and in the worst case phasing will
in Theorem 16, suppose that we have three harmonic tasks: meet its deadline exactly at time 150.
71 =(Cl = 1, T1 = 2), 7 2 =(C2 = 1, T2 = 4), 73 =(C3 =
3) Task 73:Check whether either
2, T3 = 8). In addition, B1 = B2 = 1 . Since these tasks
are harmonic, the utilization bound becomes 100%. Thus,
+
we have ‘‘C1/T1 BI/T1 = 1” for task 7 ] . Next, we have
C1 +C2 +C3 5 100 +
40 +40 100 > 100
“CI/TI +C2/T2+B2/T2 = 1” for task 72. Finally, we have or 2C1 +C2 +C3 5 150 +
80 +40 100 > 150
“CI/TI +
+Cz/T2 C3/T3 = 1” for task 73. Since all three
equations hold, these three tasks can meet all their deadlines. or 2C1 +2C2 + C 3 I 200 80 + 80 + 100 > 200
Corollary 17: A set of n periodic tasks using the prior-
ity ceiling protocol can be scheduled by the rate-monotonic or3C1 +2c2+c3 5300 120+80+100=300
algorithm if the following condition is satisfied:
+ + +
or 4C1 3c2 C3 5 350 160 120 100 > 350. +
c1 C
- + . .+ 2 + m a 2 .. . E .!A) 5 n(21/n - 1).
TI Tn I:( ’ ’ Tn-l
Task 73 is also scheddable and in the worst case phasing will

. . . ,Bn-1 /Tn-l)2 Bi /Ti, if this equation holds then all the

equations in Theorem 16 also hold. VI. APPLICATIONS OF THE PROTOCOLAND FUTUREWORK
Similar to the sufficient condition in Theorem 16, the con- In this section, we briefly discuss the implementation as-
ditions in Theorem 15 can be easily generalized. Specifically, pects of the protocol as well as the possible extensions of this
Theorem 18: A set of n periodic tasks using the prior- work.
ity ceiling protocol can be scheduled by the rate-monotonic
algorithm for all task phasings if A . Implementation Considerations
The implementation of the basic priority inheritance pro-
Vi, 1 S i I n , tocol is rather straightforward. It requires a priority queue-
ing of jobs blocked on a semaphore and indivisible system
calls Lock-Semaphore and Release-Semaphore. These sys-
tem calls perform the priority inheritance operation, in addi-
tion to the traditional operations of locking, unlocking, and
where C i , Ti,and Ui are defined in Theorem 15, and Bi is semaphore queue maintenance.
the worst case blocking time for 7i. The implementation of the priority ceiling protocol entails
P m f i The proof is identical to that of Theorem 16. further changes. The most notable change is that we no longer
1184 IEEE TRANSACTIONS ON COMPUTERS, VOL. 39, NO. 9, SEPTEMBER 1990

maintain semaphore queues. The traditional ready queue is tees that deadlocks and chaining will be avoided. This protocol
replaced by a single job queue Job-Q. The job queue is a is called the priority limit protocol. The priority limit proto-
priority-ordered list of jobs ready to run or blocked by the col eliminates the ceiling blocking that Jc, encounters at time
ceiling protocol. The job at the head of the queue is assumed t5 in Example 4. Moreover, this protocol requires identical
to be currently running. We need only a single prioritized information as does the priority ceiling protocol and can be
job queue because under the priority ceiling protocol, the job implemented with equal ease. However, the priority limit pro-
with the highest (inherited) priority is always eligible to ex- tocol does not improve the worst case behavior and hence the
ecute. Finally, the run-time system also maintains S-List, a schedulability.
list of currently locked semaphores ordered according to their It is also possible to enhance the priority limit protocol by
priority ceilings. Each semaphore S stores the information of replacing the priority floor condition by the following condi-
the job, if any, that holds the lock on S and the ceiling of tion. A job J can also be allowed to lock a semaphore S if the
S . Indivisible system calls Lock-Semaphore and Release- priority of J is equal to the priority of S and no preempted
Semaphore maintain Job-Q and S-List. An example of the lower priority job accesses the semaphore S . This condition
implementation can be seen in [13]. also guarantees avoidance of deadlock and chaining. This pro-
The function Lock-Semaphore could also easily detect a tocol is called the job conflict protocol and is better than the
self-deadlock where a job blocks on itself. Since the run-time priority ceiling and priority limit protocols.’ The job conflict
system associates with each semaphore the job, if any, that protocol is, however, still a suboptimal protocol. It will be an
holds the lock on it, a direct comparison of a job requesting a interesting exercise to develop an optimal priority inheritance
lock and the job that holds the lock determines whether a self- protocol, and then compare it to the priority ceiling protocol
deadlock has occurred. If such a self-deadlock does occur, for both performance and implementation complexity.
typically due to programmer error, the job could be aborted VII. CONCLUSION
and an error message delivered.
The scheduling of jobs with hard deadlines is an important
Suppose monitors are used for achieving mutual exclusion.
area of research in real-time computer systems. In this pa-
We again assume that a job does not suspend until its comple-
per, we have investigated the synchronization problem in the
tion when it executes alone on the processor. We also assume
context of priority-driven preemptive scheduling. We showed
that the job does not deadlock with itself by making nested
that a direct application of commonly used synchronization
monitor calls. A job inside a monitor inherits the priority of
primitives may lead to uncontrolled priority inversion, a situ-
any higher priority job waiting on the monitor. To apply the
ation in which a high priority job is indirectly preempted by
priority ceiling protocol, each monitor is assigned a priority
lower priority jobs for an indefinite period of time. TO rem-
ceiling, and a job J can enter a monitor only if its priority
edy this problem, we investigated two protocols belonging to
is higher than the highest priority ceiling of all monitors that
the class of priority inheritance protocols, called the basic
have been entered by other jobs. Since the priority ceiling
priority inheritance protocol and the priority ceiling pro-
protocol prevents deadlocks, nested monitor calls will not be
tocol in the context of a uniprocessor. We showed that both
deadlocked. The implications of priority ceiling protocol to
protocols solve the uncontrolled priority inversion problem.
Ada tasking are more complicated and are beyond the scope
In particular, the priority ceiling protocol prevents deadlocks
of this paper. Readers who are interested in this subject are
referred to [I]. and reduces the blocking to at most one critical section. We
also derived a set of sufficient conditions under which a set
B . Future Work of periodic tasks using this protocol is schedulable by the
rate-monotonic algorithm. Finally, we outlined implementa-
The priority ceiling protocol is an effective real-time syn-
tion considerations for and possible extensions to this proto-
chronization protocol for it prevents deadlock, reduces the
col.
blocking to at most one critical section, and is simple to im-
plement. Nonetheless, it is still a suboptimal protocol in that ACKNOWLEDGMENT
it can cause blocking to a job that can be avoided by en- The authors wish to thank D. Cornhill for his contributions
hancements to the protocol. Although a formal treatment of on the priority inversion problems in Ada, J. Goodenough for
possible enhancements is beyond the scope of this paper, we his many insightful and detailed comments on this paper that
would like to present the ideas of some possible enhancements helped us to clarify some of the key issues, and K. Ramam-
to stimulate more research on this subject. ritham for his suggestions on the possible enhancements of
For example, we can define the priority floor of a this protocol. We would also like to thank H. Tokuda, T. Ess,
semaphore, analogous to its priority ceiling, as the priority J. Liu, and A. Stoyenko for their helpful comments. Finally,
of the lowest priority job that may access it. Then, a job J we want to thank the referees for their many fine suggestions.
can lock a semaphore S if its priority is higher than the pri- REFERENCES
ority ceiling of S or if the following conditions are true. The
[l] J. B. Goodenough and L. Sha, “The priority ceiling protocol: A
lock on S can also be granted if the priority of J is equal to method for minimizing the blocking of high priority Ada tasks,” in
the priority ceiling of S and the priority floor of S is greater Proc. 2nd ACM Int. Workshop Real-TimeAda Issues, 1988.
than the highest priority preempted job. This latter condition, [2] B. W. Lampson and D. D. Redell, “Experiences with processes and
monitors in Mesa,” Commun. ACM, vol. 23, no. 2, pp. 105-117,
called the priority floor condition, ensures that neither a pre- Feb. 1980.
empted job nor a higher priority job accesses S . This guaran- ’ This enhancement was suggested by Krithi Ramamritham.
SHA el al.: PRIORITY INHERITANCEPROTOCOLS 1185

131 J. P. Lehoczky and L. Sha, ‘‘Performance of real-time bus scheduling ested in developing analytical solutions for the problems in the construction
algorithms,” ACM Perform. Eval. Rev., Special Issue, vol. 14, no. of distributed real-time system.
1, May 1986. Dr. Sha is a member of the IEEE Computer Society.
I41 J. P. Lehoczky, L. Sha, and J. Strosnider, “Enhancing aperiodic re-
sponsiveness in a hard real-time environment,” in Proc. ZEEE Real-
Time Syst. Symp., 1987.
151 J. P. Lehoczky, L. Sha, and Y. Ding, “The rate monotonic schedul-
ing algorithm-Exact characterization and average case behavior,” in
Proc. ZEEE Real-Time Svst. - SvmD.,
_ _ 1989.
.
I61 D. W. Leinbaugh, “Guaranteed response time in a hard real-time en- Ragunathan Rajkumar (M’90) received the B.E.
vironment,” ZEEE Tmns. Software Eng., Jan. 1980.
(Hons.) degree from the P.S.G. College of Tech-
171 J. Y. Leung and M. L. Merrill, “A note on preemptive scheduling of nology, Coimbatore, India, and the M.S. and Ph.D.
periodic, real time tasks,” Inform. Processing Lett., vol. 11, no. 3,
pp. 115-118, NOV.1980. degrees from Camegie Mellon University in 1986
and 1989, respectively.
181 C. L. Liu and J. W. Layland, “Scheduling algorithms for multipro- He has been a Research Staff Member at the
gramming in a hard real time environment,” J. ACM, vol. 20, no. 1,
pp. 46-61, 1973. IBM Thomas J. Watson Research Center, Yorktown
Heights, NY, since 1989. His interests lie in the
I91 A. K. Mok, “Fundamental design problems of distributed systems for
the hard real time environment,” Ph.D. dissertation, M.I.T., 1983. area of real-time systems.
Dr. Rajkumar is a member of the IEEE Computer
1101 K. Ramamritham and J. A. Stankovic, “Dynamic task scheduling in
hard real-time distributed system,’’ ZEEE Software, July 1984. Society and the Association for Computing Machin-
1111 L. Sha, J. P. Lehoczky, and R. Rajkumar, “Solutions for some prac- ery.
tical problems in prioritized preemptive scheduling,” in Proc. ZEEE
Real-Time Syst. Symp., 1986.
1121 L. Sha, R. Rajkumar, and J. P. Lehoczky, “Task scheduling in
distributed real-time systems,” in P m . ZEEE Industrial Electron.
Conf., 1987.
1131 -, “Priority inheritance protocols: An approach to real-time syn-
chronization,” Tech. Rep., Dep. Comput. Sci., CMU, 1987.
r141 W. Zhao, K. Ramamritham, and J. A. Stankovic, “Scheduling tasks John P. Lehoczky (M’88) received the B.A. de-
with resource requirements in hard real-time systems,” ZEEE Trans. gree in mathematics from Oberlin College, Oberlin,
Software Eng., Apr. 1985. OH, in 1965, and the M.S. and Ph.D. degrees in
1151 -, “Preemptive scheduling under time and resource constraints,” statistics from Stanford University, Stanford, CA,
ZEEE Tmns. Comput., Aug. 1987. in 1967 and 1969, respectively.
He was an Assistant Professor of Statistics at
Carnegie Mellon University, Pittsburgh, PA, from
Lui Sha (S’76-M’84) received the B.S.E.E. 1969 to 1973, Associate Professor from 1973 to
(Hons.) degree from McGill University, Montreal, 1981, and Professor from 1981 to the present. He
P.Q., Canada in 1978 and the M.S.E.E. and Ph.D. has served as Head of the Department of Statistics
degrees from Carnegie-Mellon University (CMU), since 1984. His research interests involve applied
Pittsburgh, PA, in 1979 and 1985. probability theory with emphasis on models in the area of computer and com-
He was an engineer in the CMU Department of munication systems. In addition, he is a senior member of the Advanced Real-
Computer Science from 1979 to 1984 and was a Time Technology (ART) Project in the Carnegie Mellon University Computer
member of the Research Faculty in CMU CS depart- Science Department and is doing research in distributed real-time systems.
ment from 1985 to 1987. Since 1988 he has been a Dr. Lehoczky is a member of Phi Beta Kappa, a fellow of the Institute
member of the Technical Staffs in the CMU’s Soft- of Mathematical Statistics, and the American Statistical Association. He is
ware Engineering Institute, a member of Research a member of the Operations Research Society of America and the Institute
Faculty in the CMU CS department, and a senior member of the Advanced of Management Science. He served as area editor of Management Science
Real-Time Technology (ART) project at CMU CS department. He is inter- from 1981 to 1986.