Incomputer science,priority inversion is a scenario inscheduling in which a high-prioritytask is indirectly superseded by a lower-priority task, effectively inverting the assigned priorities of the tasks. This violates the priority model that high-priority tasks can only be prevented from running by higher-priority tasks. Inversion occurs when there is aresource contention with a low-priority task that is thenpreempted by a medium-priority task.
Consider two tasksH andL, of high and low priority respectively, either of which can acquire exclusive use of a shared resourceR. IfH attempts to acquireR afterL has acquired it, thenH becomes blocked untilL relinquishes the resource. Sharing an exclusive-use resource (R in this case) in a well-designed system typically involvesL relinquishingR promptly so thatH (a higher-priority task) does not stay blocked for excessive periods of time. Despite good design, however, it is possible that a third taskM of medium priority becomes runnable duringL's use ofR. At this point,M being higher in priority thanL, preemptsL (sinceM does not depend onR), causingL to not be able to relinquishR promptly, in turn causingH—the highest-priority process—to be unable to run (that is,H suffers unexpected blockage indirectly caused by lower-priority tasks likeM).
In some cases, priority inversion can occur without causing immediate harm—the delayed execution of the high-priority task goes unnoticed, and eventually, the low-priority task releases the shared resource. However, there are also many situations in which priority inversion can cause serious problems. If the high-priority task is leftstarved of the resources, it might lead to a system malfunction or the triggering of pre-defined corrective measures, such as awatchdog timer resetting the entire system. The trouble experienced by theMars Pathfinder lander in 1997[1][2] is a classic example of problems caused by priority inversion inrealtime systems.
Priority inversion can also reduce theperceived performance of the system. Low-priority tasks usually have a low priority because it is not important for them to finish promptly (for example, they might be abatch job or another non-interactive activity). Similarly, a high-priority task has a high priority because it is more likely to be subject to strict time constraints—it may be providing data to an interactive user, or acting subject to real-time response guarantees. Because priority inversion results in the execution of a lower-priority task blocking the high-priority task, it can lead to reduced system responsiveness or even the violation of response time guarantees.
The existence of this problem has been known since the 1970s. Lampson and Redell[3] published one of the first papers to point out the priority inversion problem. Systems such as the UNIX kernel were already addressing the problem with the splx() primitive. There is no foolproof method to predict the situation.[clarification needed][citation needed] There are however many existing solutions, of which the most common ones are:
Disabling all interrupts to protect critical sections
When disabling interrupts is used to prevent priority inversion, there are only two priorities:preemptible, andinterrupts disabled. With no third priority, inversion is impossible. Since there's only one piece of lock data (the interrupt-enable bit), misordering locking is impossible, and so deadlocks cannot occur. Since the critical regions always run to completion, hangs do not occur. Note that this only works if all interrupts are disabled. If only a particular hardware device's interrupt is disabled, priority inversion is reintroduced by the hardware's prioritization of interrupts. In early versions of UNIX, a series of primitives named splx(0) ... splx(7) disabled all interrupts up through the given priority. By properly choosing the highest priority of any interrupt that ever entered the critical section, the priority inversion problem could be solved without locking out all of the interrupts. Ceilings were assigned inrate-monotonic order, i.e. the slower devices had lower priorities.
In multiple CPU systems, a simple variation, "single shared-flag locking" is used. This scheme provides a single flag in shared memory that is used by all CPUs to lock all inter-processor critical sections with abusy-wait. Interprocessor communications are expensive and slow on most multiple CPU systems. Therefore, most such systems are designed to minimize shared resources. As a result, this scheme actually works well on many practical systems. These methods are widely used in simpleembedded systems, where they are prized for their reliability, simplicity and low resource use. These schemes also require clever programming to keep the critical sections very brief. Many software engineers consider them impractical in general-purpose computers.[citation needed]
Priority ceiling protocol
Withpriority ceiling protocol, the sharedmutex process (that runs the operating system code) has a characteristic (high) priority of its own, which is assigned to the task of locking the mutex. This works well, provided the other high-priority task(s) that try to access the mutex do not have a priority higher than the ceiling priority.
Priority inheritance
Under the policy ofpriority inheritance, whenever a high-priority task has to wait for some resource shared with an executing low-priority task, the low-priority task is temporarily assigned the priority of the highest waiting priority task for the duration of its own use of the shared resource, thus keeping medium priority tasks from pre-empting the (originally) low priority task, and thereby affecting the waiting high priority task as well. Once the resource is released, the low-priority task continues at its original priority level.
Random boosting
Ready tasks holding locks arerandomly boosted in priority until they exit the critical section. This solution was used inMicrosoft Windows[4] until it was replaced by AutoBoost a form of priority inheritance.[5]
Avoid blocking
Because priority inversion involves a low-priority task blocking a high-priority task, one way to avoid priority inversion is to avoid blocking, for example by usingnon-blocking algorithms such asread-copy-update.
^Cohen, Aaron; Woodring, Mike (1998),Win32 Multithreaded Programming, O'Reilly & Associates, p. 30,Windows NT solves the priority inversion problem by randomly boosting the dynamic priorities of threads that are ready to run.
