============================================= Signaling Semaphores and Priority Inheritance ============================================= .. warning:: Migrated from https://cwiki.apache.org/confluence/display/NUTTX/Signaling+Semaphores+and+Priority+Inheritance Locking vs Signaling Semaphores =============================== Locking Semaphores ------------------ POSIX counting semaphores have multiple uses. The typical usage is where the semaphore is used as lock on one or more resources. In this typical case, priority inheritance works perfectly: The holder of a semaphore count must be remembered so that its priority can be boosted if a higher priority task requires a count from the semaphore. It remains the holder until the same task calls ``sem_post()`` to release the count on the semaphore. Mutual Exclusion Example ------------------------ This usage is very common for providing mutual exclusion. The semaphore is initialized to a value of one. The first task to take the semaphore has access; additional tasks that need access will then block until the first holder calls ``sem_post()`` to relinquish access: +---------------------+--------------------+ | **TASK A** | **TASK B** | +=====================+====================+ | `have access` | | +---------------------+--------------------+ | `priority boost` | **sem_wait(sem);** | +---------------------+--------------------+ | `priority restored` | `have access` | +---------------------+--------------------+ | **sem_post(sem);** | | +---------------------+--------------------+ | **sem_wait(sem);** | | +---------------------+--------------------+ | | `blocked` | +---------------------+--------------------+ The important thing to note is that ``sem_wait()`` and ``sem_post()`` both called on the same thread, TASK A. When ``sem_wait()`` succeeds, TASK A becomes the holder of the semaphore and, while it is the holder of the semaphore (1) other threads, such as TASK B, cannot access the protected resource and (2) the priority of TASK A may be modified by the priority inheritance logic. TASK A remains the holder until is calls ``sem_post()`` on the `same thread`. At that time, (1) its priority may be restored and (2) TASK B has access to the resource. Signaling Semaphores -------------------- But a very different usage model for semaphores is for signaling events. In this case, the semaphore count is initialized to zero and the receiving task calls ``sem_wait()`` to wait for the next event of interest to occur. When an event of interest is detected by another task (or even an interrupt handler), ``sem_post()`` is called which increments the count to 1 and wakes up the receiving task. Signaling Semaphores and Priority Inheritance details ===================================================== Example ------- For example, in the following TASK A waits on a semaphore for events and TASK B (or perhaps an interrupt handler) signals task A of the occurrence of the events by posting to that semaphore: +--------------------------+--------------------+ | **TASK A** | **TASK B** | +==========================+====================+ | **sem_init(sem, 0, 0);** | | +--------------------------+--------------------+ | **sem_wait(sem);** | | +--------------------------+--------------------+ | `blocked` | | +--------------------------+--------------------+ | | **sem_post(sem);** | +--------------------------+--------------------+ | `Awakens as holder` | | +--------------------------+--------------------+ Notice that unlike the mutual exclusion case above, ``sem_wait()`` and ``sem_post()`` are called on `different` threads. Usage in Drivers ---------------- This usage case is used often within drivers, for example, when the user calls the ``read()`` method and there is no data available. ``sem_wait()`` is called to wait for new data to be received; ``sem_post()`` is called when the new data arrives and the user task is re-awakened. Priority Inheritance Fails -------------------------- These two usage models, the locking modeling and the signaling model, are really very different and priority inheritance simply does not apply when the semaphore is used for signalling rather than locking. In this signaling case priority inheritance can interfere with the operation of the semaphore. The problem is that when TASK A is awakened it is a holder of the semaphore. Normally, a task is removed from the holder list when it finally releases the semaphore via ``sem_post()``. In this case, TASK B calls ``sem_post(sem)`` but TASK B is not the holder of the semaphore. Since TASK A never calls ``sem_post(sem)`` it becomes a permanently a holder of the semaphore and may have its priority boosted at any time when any other task tries to acquire the semaphore. Who's to Blame -------------- In the POSIX case, priority inheritance is specified only in the pthread mutex layer. In NuttX, on the other hand, pthread mutexes are simply built on top of binary locking semaphores. Hence, in NuttX, priority inheritance is implemented in the semaphore layer. In the case of a mutex this could be simply resolved since there is only one holder but for the case of counting semaphores, there may be many holders and if the holder is not the thread that calls ``sem_post()``, then it is not possible to know which thread/holder should be released. Selecting the Semaphore Protocol ================================ ``sem_setprotocol()`` --------------------- The fix is to call non-standard NuttX function ``sem_setprotocol(SEM_PRIO_NONE)`` immediately after the ``sem_init()``. The effect of this function call is to disable priority inheritance for that specific semaphore. There should then be no priority inheritance operations on this semaphore that is used for signalling. .. code-block:: C sem_t sem // ... sem_init(&sem, 0, 0); sem_setprotocol(&sem, SEM_PRIO_NONE); Here is the rule: If you have priority inheritance enabled and you use semaphores for signaling events, then you `must` call ``sem_setprotocol(SEM_PRIO_NONE)`` immediately after initializing the semaphore. Why Another Non-Standard OS Interface? -------------------------------------- The non-standard ``sem_setprotocol()`` is the `moral` `equivalent` of the POSIX ``pthread_mutexattr_setprotocol()`` and its naming reflects that relationship. In most implementations, priority inheritance is implemented only in the pthread mutex layer. In NuttX, on the other hand, pthread mutexes are simply built on top of binary locking semaphores. Hence, in NuttX, priority inheritance is implemented in the semaphore layer. This architecture then requires an interface like ``sem_setprotocol()`` in order to manage the protocol of the underlying semaphore. ``pthread_mutexattr_setprotocol()`` ----------------------------------- Since NuttX implements pthread mutexes on top of binary semaphores, the above recommendation also applies when pthread mutexes are used for inter-thread signaling. That is, a mutex that is used for signaling should be initialize like this (simplified, no error checking here): .. code-block:: c pthread_mutexattr_t attr; pthread_mutex_t mutex; // ... pthread_mutexattr_init(&attr); pthread_mutexattr_settype(&attr, PTHREAD_PRIO_NONE); pthread_mutex_init(&mutex, &attr); Is this Always a Problem? ========================= Ideally ``sem_setprotocol(SEM_PRIO_NONE)`` should be called for all signaling semaphores. But, no, often the use of a signaling semaphore with priority inversion is not a problem. It is not a problem if the signaling semaphore is always taken on the same thread. For example: * If the driver is used by only a single task, or * If the semaphore is only taken on the worker thread. But this can be a serious problem if multiple tasks ever wait on the signaling semaphore. Drivers like the serial driver, for example, have many user threads that may call into the driver.