Many suspensions, many problems: a review of selfsuspending tasks in realtime systems
 745 Downloads
 1 Citations
Abstract
In general computing systems, a job (process/task) may suspend itself whilst it is waiting for some activity to complete, e.g., an accelerator to return data. In realtime systems, such selfsuspension can cause substantial performance/schedulability degradation. This observation, first made in 1988, has led to the investigation of the impact of selfsuspension on timing predictability, and many relevant results have been published since. Unfortunately, as it has recently come to light, a number of the existing results are flawed. To provide a correct platform on which future research can be built, this paper reviews the state of the art in the design and analysis of scheduling algorithms and schedulability tests for selfsuspending tasks in realtime systems. We provide (1) a systematic description of how selfsuspending tasks can be handled in both soft and hard realtime systems; (2) an explanation of the existing misconceptions and their potential remedies; (3) an assessment of the influence of such flawed analyses on partitioned multiprocessor fixedpriority scheduling when tasks synchronize access to shared resources; and (4) a discussion of the computational complexity of analyses for different selfsuspension task models.
Keywords
Selfsuspension Schedulability tests Realtime systems Multiprocessor synchronization1 Introduction
Complex cyberphysical systems (i.e., advanced embedded realtime computing systems) have timeliness requirements such that deadlines associated with individual computations must be met (e.g., in safety–critical control systems). Appropriate analytical techniques have been developed that enable a priori guarantees to be established on timing behavior at runtime regarding computation deadlines. The seminal work by Liu and Layland (1973) considers the scheduling of periodically triggered computations, which are usually termed tasks. The analysis they presented enables the schedulability of a set of such tasks to be established, i.e., whether their deadlines will be met at runtime. This initial analysis has been extended to incorporate many other task characteristics, e.g., sporadic activations (Mok 1983).
One underlying assumption of the majority of these schedulability analyses is that a task does not voluntarily suspend its execution—once executing, a task ceases to execute only as a result of either a preemption by a higherpriority task, becoming blocked on a shared resource that is held by a lowerpriority task on the same processor, or completing its execution (for the current activation of the task). This is a strong assumption that lies at the root of Liu and Layland’s seminal analysis (Liu and Layland 1973), as it implies that the processor is contributing some useful work (i.e., the system progresses) whenever there exist incomplete jobs in the system (i.e., if some computations have been triggered, but not yet completed).
Allowing tasks to selfsuspend, meaning that computations can cease to progress despite being incomplete, conversely has the effect that key insights underpinning the analysis of nonselfsuspending tasks no longer hold. As an example, consider the execution scenario in Fig. 1. Figure 1a illustrates the worstcase execution scenario for nonselfsuspending tasks, i.e., where the longest interval between the arrival time and the finishing time of an instance of a task occurs. This worst case, termed critical instant, occurs when a job release coincides with the release of all higher priority tasks and all followup jobs of the higherpriority tasks are released as early as possible by satisfying the interarrivaltime constraint. However, if a higherpriority task is allowed to suspend its execution, Fig. 1b shows that it is possible that a lowerpriority task misses its deadline even if its deadline can be met under the criticalinstant scenario defined above. The classical critical instant theorem (Liu and Layland 1973) thus does not apply to selfsuspending task systems.
Selfsuspension has become increasingly important to model accurately within schedulability analysis. For example, a task that utilizes an accelerator or external physical device (Kang et al. 2007; Kato et al. 2011) can be modelled as a selfsuspending task, where the resulting suspension delays range from a few microseconds (e.g., a write operation on a flash drive, Kang et al. 2007) to a few hundreds of milliseconds (e.g., offloading computation to GPUs, Kato et al. 2011; Liu et al. 2014b). Whilst the maximum selfsuspension time could be included as additional execution time, this would be pessimistic and potentially underutilize the processor at runtime. If the selfsuspension time is substantial, exploiting the selfsuspension time effectively by executing other tasks properly would lead to a performance increase. Therefore, the scheduling strategies and the timing analyses should consider such features to make the best use of the potential selfsuspension time.
1.1 Impact of selfsuspending behavior
When periodic or sporadic tasks may selfsuspend, the scheduling problem becomes much harder to handle.
For the ordinary periodic task model (without selfsuspensions), Liu and Layland (1973) studied the earliestdeadlinefirst (EDF) scheduling algorithm and fixedpriority (FP) scheduling. They showed EDF to be optimal (with respect to the satisfaction of deadlines), and established that, among FP scheduling algorithms, the ratemonotonic (RM) scheduling algorithm is optimal (Liu and Layland 1973).
In contrast, the introduction of suspension behavior has a negative impact on the timing predictability and causes intractability in hard realtime systems (Ridouard et al. 2004). It was shown by Ridouard et al. (2004) that finding an optimal schedule (to meet all deadlines) is \({\mathcal {NP}}\)hard in the strong sense even when the suspending behavior is known a priori.
One specific problem due to selfsuspending behavior is the deferrable execution phenomenon. In the ordinary sporadic and periodic task model, the critical instant theorem by Liu and Layland (1973) provides concrete worstcase scenarios for fixedpriority scheduling. That is, the critical instant of a task defines an instant at which, considering the state of the system, an execution request for the task will generate the worstcase response time (if the job completes before next jobs of the task are released). However, with selfsuspensions, no critical instant theorem has yet been established. This makes it difficult to efficiently test the schedulability. Even worse, the effective scheduling strategies for nonselfsuspending tasks may not work very well for selfsuspending tasks. For example, it is known that EDF (RM, respectively) has a \(100\%\) (\(69.3\%\), respectively) utilization bound for ordinary periodic realtime task systems on uniprocessor systems, as provided by Liu and Layland (1973). However, with self suspensions, it was shown in Ridouard et al. (2004) and Chen and Liu (2014) that most existing scheduling strategies, including EDF and RM, do not provide any bounded performance guarantees.
Selfsuspending tasks can be classified into two models: the dynamic selfsuspension and segmented (or multisegment) selfsuspension models. The dynamic selfsuspension task model characterizes each task \(\tau _i\) with predefined total worstcase execution time and total worstcase selfsuspension time bounds, such that a job of task \(\tau _i\) can exhibit any number of selfsuspensions of arbitrary duration as long as the sum of the suspension (respectively, execution) intervals does not exceed the specified total worstcase selfsuspension (respectively, execution) time bounds. The segmented selfsuspending sporadic task model defines the execution behavior of a job of a task as a known sequence of predefined computation segments and selfsuspension intervals. The models will be explained in Sect. 3.
1.2 Purpose and organization of this paper

Incorrect quantification of jitter for dynamic selfsuspending task systems (Audsley and Bletsas 2004a, b; Kim et al. 1995; Ming 1994). This misconception was unfortunately carried forward in Zeng and di Natale (2011), Brandenburg (2013), Yang et al. (2013), Kim et al. (2014), Han et al. (2014), Carminati et al. (2014), Yang et al. (2014), and Lakshmanan et al. (2009) in the analysis of worstcase response times under partitioned multiprocessor realtime locking protocols.

Incorrect quantification of jitter for segmented selfsuspending task systems (Bletsas and Audsley 2005).

Incorrect assumptions on the critical instant as defined in Lakshmanan and Rajkumar (2010).

Incorrectly counting highestpriority selfsuspension time to reduce the interference on the lowerpriority tasks (Kim et al. 2013).

Incorrect segmented fixedpriority scheduling with period enforcement (Kim et al. 2013; Ding et al. 2009).

Incorrect conversion of higherpriority selfsuspending tasks into sporadic tasks with release jitter (Nelissen et al. 2015).

summarize the existing selfsuspending task models (Sect. 3);

provide the general methodologies to handle selfsuspending task systems in hard realtime systems (Sect. 4) and soft realtime systems (Sect. 7);

explain the misconceptions in the literature, their consequences, and potential solutions to fix those flaws (Sect. 5);

examine the inherited flaws in multiprocessor synchronization, due to a flawed analysis in selfsuspending task models (Sect. 6);

provide the summary of the computational complexity classes of different selfsuspending task models and systems (Sect. 8).
During the preparation of this review paper, several reports (Chen et al. 2016b; Chen and Brandenburg 2017; Liu and Anderson 2015; Bletsas et al. 2018) have been filed to discuss the flaws, limits, and proofs of individual papers and results. In the interest of brevity, these reports are summarized here only at a high level, as including them in full detail is beyond the scope of this already long paper. The purpose of this review is thus not to present the individual discussions, evaluations and comparisons of the results in the literature. Rather, our focus is to provide a systematic picture of this research area, common misconceptions, and the state of the art of selfsuspending task scheduling. Although it is unfortunate that many of the early results in this area were flawed, we hope that this review will serve as a solid foundation for future research on selfsuspensions in realtime systems.
2 Examples of selfsuspending task systems
Selfsuspensions arise in realtime systems for a range of reasons. To motivate the need for suspensionaware analysis, we initially review three common causes.
Example 1: I/O or memoryintensive tasks An I/Ointensive task may have to use DMA (direct memory access) to transfer a large amount of data to or from peripheral devices. This can take from a few microseconds up to milliseconds. In such cases, a job of a task executes for a certain amount of time, then initiates an I/O activity, and suspends itself. When the I/O activity completes, the job can be moved back to the ready queue to be (re)eligible for execution.
This also applies to systems with scratchpad memories, where the scratchpad memory allocated to a task is dynamically updated during its execution. In such a case, a job of a task executes for a certain amount of time, then initiates a scratchpad memory update to push its content from the scratchpad memory to the main memory and to pull some content from the main memory to the scratchpad memory, often using DMA. During the DMA transfers to update the scratchpad memory, the job suspends itself. Such memory access latency can become much more dynamic and larger when we consider multicore platforms with shared memory, due to bus contention and competition for memory resources.
Example 2: multiprocessor synchronization Under a suspensionbased locking protocol, tasks that are denied access to a shared resource (i.e., that block on a lock) are suspended. Interestingly, on uniprocessors, the resulting suspensions can be accounted for more efficiently than general selfsuspensions by considering the blocking time due to the lowerpriority job(s) that hold(s) the required shared resource(s). More detailed discussions about the reason why uniprocessor synchronization does not have to be considered to be selfsuspension can be found in Sect. 6.1. In multiprocessor systems, selfsuspensions can arise (for instance) under partitioned scheduling (in which each task is assigned statically on a dedicated processor) when the tasks have to synchronize their access to shared resources (e.g., shared I/O devices, communication buffers, or scheduler locks) with suspensionbased locks (e.g., binary semaphores).
We use a binary semaphore shared by two tasks assigned on two different processors as an example. Suppose each of these two tasks has a critical section protected by the semaphore. If one of them, say task \(\tau _1\), is using the semaphore on the first processor and another task, say \(\tau _2\), executing on the second processor intends to enter its critical section, then task \(\tau _2\) has to wait until the critical section of task \(\tau _1\) finishes on the first processor. During the execution of task \(\tau _1\)’s critical section, task \(\tau _2\)suspends itself.
In this paper, we will specifically examine the existing results for multiprocessor synchronization protocols in Sect. 6.
Since modern embedded systems are designed to execute complicated applications, the limited resources, such as the battery capacity, the memory size, and the processor speed, may not satisfy the required computation demand. Offloading heavy computation to some powerful computing servers has been shown as an attractive solution, including optimizations for system performance and energy saving. Computation offloading with realtime constraints has been specifically studied in two categories. In the first category, computation offloading always takes place at the end of a job and the postprocessing time to process the result from the computing server is negligible. Such offloading scenarios do not incur selfsuspending behavior (Nimmagadda et al. 2010; Toma and Chen 2013). In the second category, nonnegligible computation time after computation offloading is needed. For example, the computation offloading model studied in Liu et al. (2014b) defines three segments of a task: (1) the first segment is the local computation time to encrypt, extract, or compress the data, (2) the second segment is the worstcase waiting time to receive the result from the computing server, and (3) the third segment is either the local compensation if the result from the computing server is not received in time or the post processing if the result from the computing server is received in time.
Other examples Selfsuspension behavior has been observed in other applications. Examples are scheduling of parallel tasks where each subtask is statically assigned on one designated processor (Fonseca et al. 2016), realtime tasks in multicore systems with shared memory (Huang et al. 2016), timing analysis of deferrable servers (Chen et al. 2015), and dynamic reconfigurable FPGAs for realtime applications (Biondi et al. 2016).
3 Realtime sporadic selfsuspending task models
We now recall the definition of the classic sporadic task model (without selfsuspensions) (Liu and Layland 1973; Mok 1983) and then introduce the main models of selfsuspensions.
The sporadic task model characterizes a task \(\tau _i\) as a threetuple \((C_i,T_i,D_i)\). Each sporadic task \(\tau _i\) can release an infinite number of jobs (also called task instances) under the given minimum interarrival time (also called period) constraint \(T_i\). Each job released by a sporadic task \(\tau _i\) has a relative deadline \(D_i\). That is, if a job of task \(\tau _i\) arrives at time t, it must (in hard realtime systems), or should (in soft realtime systems) be finished before its absolute deadline at time \(t+D_i\), and the next instance of the task must arrive no earlier than time \(t + T_i\). The worstcase execution time of task \(\tau _i\) is \(C_i\). That is, the execution time of a job of task \(\tau _i\) is at most \(C_i\). The utilization of task \(\tau _i\) is defined as \(U_i=C_i/T_i\).
Throughout this paper, we will use \(\mathbf{T}\) to denote the task set and use n to denote the number of tasks in \(\mathbf{T}\).
If the relative deadline of each task in \(\mathbf{T}\) is equal to its deadline, then the tasks in \(\mathbf{T}\) are said to have implicit deadlines. If the relative deadline of each task in \(\mathbf{T}\) is no larger than its period, then the tasks in \(\mathbf{T}\) have constrained deadlines. Otherwise, the tasks in \(\mathbf{T}\) have arbitrary deadlines. In this paper, unless explicitly noted otherwise (for instance in some parts of Sect. 7), we consider only constrained and implicitdeadline task systems.
Two main models of selfsuspending tasks exist: the dynamic selfsuspension and segmented (or multisegment) selfsuspension models. These two models have been recently augmented by hybrid selfsuspension models (von der Brüggen et al. 2017). An additional model, using a directed acyclic graph (DAG) representation of the task control flow, can be reduced to an instance of the former two models, for analysis purposes (Bletsas 2007).
Dynamic selfsuspension model The dynamic selfsuspension sporadic task model characterizes a task \(\tau _i\) as a fourtuple \((C_i,S_i,T_i,D_i)\). Similar to the sporadic task model, \(T_i\) denotes the minimum interarrival time (or period) of \(\tau _i\), \(D_i\) denotes the relative deadline of \(\tau _i\) and \(C_i\) is an upper bound on the total execution time of each job of \(\tau _i\). The new parameter \(S_i\) denotes an upper bound on the total suspension time of each job of \(\tau _i\).
The dynamic selfsuspension model is convenient when it is not possible to know a priori the number and/or the location of selfsuspension intervals for a task, e.g., when these may vary for different jobs of the same task.
For example, in the general case, a task may have several possible control flows, where the actual execution path depends on the values of the program and/or system variables at runtime. Each of those paths may have a different number of selfsuspension intervals. Additionally, during the execution of a job of a task, one control flow may have a selfsuspension interval at the beginning of the job and another one may selfsuspend shortly before its completion. Under such circumstances, it is convenient to be able to collapse all these possibilities by modelling the task according to the dynamic selfsuspension model using just two parameters: the worstcase execution time of the task in consideration and an upper bound for the time spent in selfsuspension by any job of the task.
Segmented selfsuspension model The segmented selfsuspension sporadic task model extends the fourtuple of the dynamic model by further characterizing the computation segments and suspension intervals using an array \((C_{i}^1,S_{i}^1,C_{i}^2,S_{i}^2,\ldots , \)\(S_{i}^{m_i1},C_{i}^{m_i})\). Each job of \(\tau _i\) is assumed to be composed of \(m_i\) computation segments separated by \(m_i1\) suspension intervals. The execution time of the \(\ell ^{\text {th}}\) computation segment is upper bounded by \(C_{i}^{\ell }\), and the length of the \(\ell ^{\text {th}}\) suspension interval is upper bounded by \(S_{i}^{\ell }\). For a segmented sporadic task \(\tau _i\), we have \(C_i = \sum _{\ell =1}^{m_i} C_i^\ell \) and \(S_i=\sum _{\ell =1}^{m_i1} S_i^\ell \).
The segmented selfsuspension model is a natural choice when the code structure of a task exhibits a certain linearity, i.e., there is a deterministic number of selfsuspension intervals interleaved with portions of processorbased code with singleentry singleexit controlflow semantics. Such tasks can always be modeled according to the dynamic selfsuspension model, but this would discard the information about the constraints in the location of selfsuspensions intervals of a job, i.e., in the control flow. The segmented selfsuspension model preserves this information, which can be potentially used to derive tighter bounds on worstcase response times or exploited for designing better scheduling strategies.
Hybrid selfsuspension model The dynamic selfsuspension model is very flexible but inaccurate, whilst the segmented selfsuspension model is very restrictive but very accurate. The hybrid selfsuspension task models proposed in von der Brüggen et al. (2017) assume that in addition to \(S_i\), each task \(\tau _i\) has at most a known number of \(m_i1\) suspension intervals. This means that the execution of each job of \(\tau _i\) is composed of at most \(m_i\)computation segments separated by \(m_i1\)suspension intervals, similar to the segmented selfsuspension model. The sum of the execution times of the computation segments of a job of task \(\tau _i\) is at most its WCET \(C_i\), while the sum of the lengths of the selfsuspension intervals of a job of task \(\tau _i\) is at most its worstcase suspension time \(S_i\). Depending on the known information, different hybrid selfsuspension models were proposed in von der Brüggen et al. (2017) with different tradeoffs between flexibility and accuracy.
DAGbased selfsuspension model In the DAGbased selfsuspension model (Bletsas 2007), each node represents either a selfsuspension interval or a computation segment with singleentry–singleexit control flow semantics. Each possible path from the source node to the sink node represents a different program execution path. Note that a linear graph is already an instance of the segmented selfsuspension model. An arbitrary task graph can be reduced with some information loss (pessimism) to an instance of the dynamic selfsuspension model.
Remarks on selfsuspension models Note that all of the above models can additionally be augmented with lower bounds for segment execution times and suspension lengths; when absent, these are implicitly assumed to be zero.
From the system designer’s perspective, the dynamic selfsuspension model provides an easy way to specify selfsuspending systems without considering the control flow surrounding I/O accesses, computation offloading, or synchronization. However, from an analysis perspective, such a dynamic model may lead to quite pessimistic results in terms of schedulability since the occurrence of suspensions within a job is unspecified. By contrast, if the suspension patterns are welldefined and characterized with known suspension intervals, the segmented selfsuspension task model is more appropriate. Note that it is possible to employ both the dynamic selfsuspension model and the segmented selfsuspension model simultaneously in one task set. The hybrid selfsuspension models can be adopted with different tradeoffs between flexibility and accuracy. Further note that the DAG selfsuspension model is a representational model without its own scheduling analysis. For analysis purposes, it is converted to an instance of either the dynamic or the segmented selfsuspension model, which may then serve as input to existing analysis techniques.
3.1 Assumptions and terminology
3.1.1 Scheduling
Implicitly, we will assume that the system schedules jobs in a preemptive manner, unless specified otherwise. We will mainly focus on uniprocessor systems; however some results for multiprocessor systems will be discussed in Sects. 4.4 and 7. We assume that the cost of preemption has been subsumed into the worstcase execution time of each task. In uniprocessor systems, i.e., in Sects. 4 and 5 (except Sect. 4.4), we will consider both earliestdeadlinefirst (EDF) and fixedpriority (FP) scheduling as well as some of their variants.
Under EDF, a task may change its priority at runtime; the highest priority being given to the job (in the ready queue) with the earliest absolute deadline. Variants of EDF scheduling for selfsuspending tasks have been explored in Chen and Liu (2014), Liu et al. (2014b), Devi (2003), Huang and Chen (2016), and von der Brüggen et al. (2016).
For fixedpriority scheduling, in general, a task is assigned a unique priority level, and all the jobs generated by the task have the same priority level. Examples are ratemonotonic (RM) scheduling (Liu and Layland 1973), i.e., a task with a shorter period has a higherpriority level, and deadlinemonotonic (DM) scheduling, i.e., a task with a shorter relative deadline has a higherpriority level. In this paper, if we consider fixedpriority scheduling, we will also implicitly assume that task \(\tau _i\) has higher priority than task \(\tau _j\) if \(i < j\). Such tasklevel fixedpriority scheduling strategies for the selfsuspension task models have been explored in Rajkumar (1991), Kim et al. (1995), Ming (1994), Palencia and Harbour (1998), Audsley and Bletsas (2004a), Audsley and Bletsas (2004b), Bletsas and Audsley (2005), Lakshmanan and Rajkumar (2010), Kim et al. (2013), Liu and Chen (2014), Huang et al. (2015), Huang and Chen (2015b), Huang and Chen (2016), and Chen et al. (2016c). Moreover, in some results in the literature, e.g., Kim et al. (2013) and Ding et al. (2009), each computation segment in the segmented selfsuspending task model has its own unique priority level. Such a scheduling policy is referred to as segmented fixedpriority scheduling.
For hard realtime tasks, each job should be finished before its absolute deadline. For soft realtime tasks, deadline misses are allowed. We will mainly focus on hard realtime tasks. Soft realtime tasks will be briefly considered in Sect. 7.
3.1.2 Analysis
The response time of a job is defined as the difference between its finishing time and its arrival time. The worstcase response time (WCRT) of a realtime task \(\tau _k\) in a task set \(\mathbf{T}\) is defined as an upper bound on the response times of all the jobs of task \(\tau _k \in \mathbf{T}\) for any legal sequence of jobs of \(\mathbf{T}\). A sequence of jobs of the task system \(\mathbf{T}\) is a legal sequence if any two consecutive jobs of task \(\tau _i \in \mathbf{T}\) are separated by at least\(T_i\) and the selfsuspension and computation behavior are upper bounded by the defined parameters. The goal of response time analysis is to analyze the worstcase response time of a certain task \(\tau _k\) in the task set \(\mathbf{T}\) or all the tasks in \(\mathbf{T}\).

Utilizationbased schedulability tests. Examples of such tests are the utilization bounds by Liu and Layland (1973) and the hyperbolic bound by Bini et al. (2003).

Timedemand analysis (TDA) or response time analysis (RTA) (Lehoczky et al. 1989). Several exact tests exist for periodic and sporadic tasks without suspension (e.g., Liu and Layland 1973; Spuri 1996; Goossens and Devillers 1997, 1999; Zhang and Burns 2009).
To solve the computational complexity issues of many scheduling problems in realtime systems, approximation algorithms based on resource augmentation with respect to speedup factors have attracted much attention. If an algorithm \({\mathcal {A}}\) has a speedup factor\(\rho \), then any task set that is schedulable (under the optimal scheduling policy) at the original platform speed is also schedulable by algorithm \({\mathcal {A}}\) when all the processors have speed \(\rho \) times the original platform speed.
3.1.3 Platform
Most of this paper focuses on single processor systems. However, the multiprocessor case is discussed in Sects. 4.4 and 7. When addressing the scheduling of tasks on multiprocessor systems, we distinguish between two major categories of multiprocessor realtime schedulers: (i) partitioned scheduling and (ii) global scheduling.
Under partitioned scheduling, tasks are statically partitioned among processors, i.e., each task is bound to execute on a specific processor and never migrates to another processor. An often used multiprocessor partitioned scheduling algorithm is partitioned EDF (PEDF), which applies EDF on each processor individually. Partitioned fixedpriority (PFP) scheduling is another widespread choice in practice due to the wide support in industrial standards such as AUTOSAR, and in many RTOSs like VxWorks, RTEMS, ThreadX, etc. Under PFP scheduling, each task has a fixedpriority level and is statically assigned to a specific processor, and each processor is scheduled independently as a uniprocessor. In contrast to partitioned scheduling, under global scheduling, jobs that are ready to be executed are dynamically dispatched to available processors, i.e., jobs are allowed to migrate from one processor to another at any time. For example, global EDF (GEDF) is a global scheduling algorithm under which jobs are EDFscheduled using a single ready queue.
4 General design and analysis strategies
Selfsuspending task systems have been widely studied in the literature and several solutions have been proposed over the years for analyzing their schedulability and building effective suspensionaware scheduling algorithms. In this section, we provide an overview of the different strategies commonly adopted in the stateoftheart approaches to analyze and solve the selfsuspending task scheduling problem. Although such strategies are correct in essence, many previouslyproposed strategies for handling selfsuspending tasks rely upon incorrect assumptions or misconceptions regarding the computation demand induced by selfsuspension, leading to incorrect results. Fortunately, once these misconceptions are identified and corrected, these general strategies can still be applied. A detailed description of the various misunderstandings of the selfsuspending task model, together with the demonstration of counterintuitive results, is provided in Sect. 5.
As to be discussed in details in Sect. 8, performing the timing analysis of a set of selfsuspending tasks has been proven to be intractable in the general case. For that reason, most work adopts some common strategies to simplify the worstcase response time analysis of selfsuspending tasks. Instead of reviewing and summarizing individual research results in the literature, e.g., Rajkumar (1991); Kim et al. (1995); Ming (1994); Palencia and Harbour (1998); Audsley and Bletsas (2004a, b); Bletsas and Audsley (2005); Lakshmanan and Rajkumar (2010); Kim et al. (2013); Liu and Chen (2014); Huang et al. (2015); Huang and Chen (2015b, 2016), we will present the highlevel analyses and modeling strategies commonly adopted across those works. Specifically, we will present those strategies in Sects. 4.1 and 4.2 by decoupling the modeling of the task under analysis and the task interfering with the analyzed task, respectively. In Sects. 4.1 and 4.2, both the segmented and the dynamic selfsuspending task models are considered, where Tables 1 and 2 provide a summary to show how the methods explained in Sects. 4.1 and 2 are linked to the existing results in the literature. Moreover, Sect. 4.3 presents release enforcement mechanisms to reduce the impact due to selfsuspension.
We will implicitly assume uniprocessor systems in Sects. 4.1, 4.2, and 4.3. Furthermore, in most cases, we will use fixedpriority scheduling to explain the strategies. Therefore, we implicitly consider the timing analysis for a task \(\tau _k\), in which hp(k) is the set of higherpriority tasks, if fixedpriority scheduling is considered.
Summary of existing methods without any enforcement mechanisms (chronological order)
Papers/methods  Suspension and scheduling model  Interfered task (\(\tau _k\))  Interfering tasks (hp(k) under FP) 

Ming (1994)  Dynamic, FP  Suspensionoblivious, Sect. 4.1.1  As release jitter, Sect. 4.2.3 
Kim et al. (1995)  Dynamic, FP  Suspensionoblivious, Sect. 4.1.1  As release jitter, Sect. 4.2.3 
Palencia and Harbour (1998)  Segmented, FP  Split (see footnote 1), Sect. 4.1.2  Segmented structures with dynamic offsets, Sect. 4.2.6 
Liu (2000, pp. 164–165)  Dynamic, FP  Suspensionoblivious, Sect. 4.1.1  As blocking, Sect. 4.2.4 
Devi (2003, Sect. 4.5)  Dynamic, EDF  Suspensionoblivious, Sect. 4.1.1  As blocking, Sect. 4.2.4 
Dynamic, FP  Suspensionoblivious, Sect. 4.1.1  As release jitter, Sect. 4.2.3  
Bletsas and Audsley (2005)  Segmented, FP  Suspensionoblivious, Sect. 4.1.1  Segmented structures with fixed offsets, Sect. 4.2.6 
Bletsas (2007, Chapter 5.4)  Dynamic or segmented, FP  Hybrid, Sect. 4.1.3  Segmented structures with fixed offsets, Sect. 4.2.6 
Lakshmanan and Rajkumar (2010)  Segmented, FP  Revised critical instant, Sect. 4.1.4  (Only ordinary sporadic tasks) 
Liu and Anderson (2013)  Multiprocessor, global FP and EDF  Suspensionoblivious, Sect. 4.1.1  Carryin jobs in multiprocessor scheduling, Sect. 4.4 
Liu et al. (2014a)  Dynamic, FP (harmonic)  Suspensionoblivious, Sect. 4.1.1  No additional impact due to selfsuspension 
Liu and Chen (2014)  Dynamic, FP  suspensionoblivious, Sect. 4.1.1  As carryin, Sect. 4.2.2 
Huang and Chen (2015b)  Segmented, FP  Segmented structures with dynamic offsets, Sect. 4.2.6  
Huang et al. (2015)  Dynamic, FP  Suspensionoblivious, Sect. 4.1.1  As carryin, Sect. 4.2.2 
Nelissen et al. (2015)  Segmented, FP  Based on a revised critical instant, Sect. 4.1.4  Suspension by modeling proper release jitter (Sect. 4.2.3) and enumerating the worstcase interferences 
Chen et al. (2016c)  Dynamic, FP  Suspensionoblivious, Sect. 4.1.1  A unifying framework based on more precise release jitter, Sect. 4.2.5 
Summary of existing methods without any enforcement mechanisms (methodological classification)
Interfered task (\(\tau _k\))  

Suspensionoblivious (Sect. 4.1.1)  Split (Sect. 4.1.2)  Hybrid (Sect. 4.1.3)  Critical instant (Sect. 4.1.4)  
Interfering tasks  
Suspensionoblivious (Sect. 4.2.1)  Used as baselines in many papers  –  –  Lakshmanan and Rajkumar (2010, Sect. III) and Nelissen et al. (2015, Sect. IV) (footnote 2) 
Carryin jobs (Sect. 4.2.2)  Huang and Chen (2015b)  Huang and Chen (2015b)  –  
Ming (1994), Kim et al. (1995), Audsley and Bletsas (2004a), Audsley and Bletsas (2004b)  
Suspension as blocking (Sect. 4.2.4)  –  –  –  
Segmented structures (Sect. 4.2.6)  –  Palencia and Harbour (1998) (footnote 1)  Bletsas and Audsley (2005), Bletsas (2007, Chapter 5.4), and Huang and Chen (2015b)  – 
4.1 Modeling the interfered task
4.1.1 Modeling suspension as computation
This strategy is often referred to as the suspensionoblivious approach in the literature, but sometimes also called “joint” Bletsas (2007). It assumes that the selfsuspending task \(\tau _k\) continues executing on the processor when it selfsuspends. Its suspension intervals are thus considered as being preemptible. From an analysis perspective, it is equivalent to replacing the selfsuspending task \(\tau _k\) by an ordinary sporadic (nonselfsuspending) task \(\tau _k'\) with worstcase execution time equal to \(C_k + S_k\) and the same relative deadline/period as those of task \(\tau _k\), i.e., a threetuple \((C_k+S_k, T_k, D_k)\).
Converting the suspension time of task \(\tau _k\) into computation time can become very pessimistic for segmented selfsuspending tasks. This is especially true when (i) its total selfsuspension time \(S_k\) is much larger than its worstcase execution time \(C_k\) and/or (ii) the lengths of \(\tau _k\)’s suspension intervals are larger than the periods of (some of) the interfering tasks.
Example 1
Consider the task set in Table 3 under FP scheduling. Task \(\tau _3\) would be transformed into a nonselfsuspending task \(\tau _3'=(7,15,15)\). Task \(\tau _3'\) is obviously not schedulable since the total utilization of \(\tau _1\), \(\tau _2\) and \(\tau _3'\) is given by \(\frac{2}{5} + \frac{2}{10} + \frac{7}{15} = \frac{16}{15} > 1\). Yet, the selfsuspending task \(\tau _3\) is schedulable as it will be shown in Sect. 4.1.2. \(\square \)
Nevertheless, for one special case, this modeling strategy is an exact solution to compute the WCRT of dynamic selfsuspending tasks under fixedpriority scheduling, i.e., if the only selfsuspending task is the lowestpriority task. For better illustrating this situation, consider two sporadic realtime tasks \(\tau _1\) and \(\tau _2\), in which \(C_1=2, T_1=D_1=5\) and \(C_2=3\epsilon , S_2=63\epsilon , T_2=D_2=10\) for an infinitesimal \(\epsilon >0\). Task \(\tau _1\) does not suspend itself and has a higher priority than task \(\tau _2\). Suppose that both tasks release their first jobs at time 0 and both request to be executed on the processor. Task \(\tau _1\) finishes its first job at time 2. At time \(2+\epsilon \), task \(\tau _2\) suspends itself after executing \(\epsilon \) amount of time. Task \(\tau _2\) resumes at time 5 and again competes with the second job of task \(\tau _1\). At time \(7+\epsilon \), task \(\tau _2\) suspends itself after executing \(\epsilon \) amount of time until time \(10\epsilon \). Task \(\tau _2\) then finishes its last \(\epsilon \) amount of execution time at time 10. In this example, task \(\tau _2\)’s suspension time is effectively converted into computation time without any loss of accuracy.
As a result, if the computation segments and suspension intervals of \(\tau _k\) interleave such that \(\tau _k\) selfsuspends only between the arrival of higherpriority jobs (i.e., a computation segment of \(\tau _k\) is started whenever a higherpriority job is released), then the resulting schedule would be similar if \(\tau _k\) was indeed executing on the processor during its selfsuspensions. Therefore, when there is no knowledge about how many times, when, and for how long \(\tau _k\) may selfsuspend in each selfsuspension interval (but is still upper bounded by the suspension time \(S_k\)), modeling the selfsuspension time of \(\tau _k\) as execution time provides the exact worstcase response time for \(\tau _k\) under FP scheduling.
Theorem 3 by Huang et al. (2015) provides the following necessary condition for scheduling dynamic selfsuspending tasks under any fixedpriority scheduling:
It is also clear that Eq. (1) is a sufficient analysis if \(D_k \le T_k\) and all the tasks in hp(k) are ordinary sporadic realtime tasks without any suspensions. To achieve this sufficient analysis, one has to repeat the proof of the classical critical instant theorem. Since there is no selfsuspension after the suspension is converted into computation effectively, the classical results of realtime systems can be directly applied. Therefore, this analysis is exact if \(\tau _k\) is a dynamic selfsuspending task with \(D_k \le T_k\) and all the tasks in hp(k) are ordinary sporadic realtime tasks without any suspensions.
By Eq. (1), it is necessary to model the suspension time of the task under analysis as computation time if we consider dynamic selfsuspending tasks under fixedpriority scheduling. Such a modeling strategy to consider suspension as computation for the task under analysis is widely used in all the existing analyses for the dynamic selfsuspension task model under fixedpriority scheduling, e.g., (Liu and Chen 2014; Huang et al. 2015; Ming 1994; Kim et al. 1995; Audsley and Bletsas 2004a, b; Liu 2000) (see Tables 1 and 2, in which some multiprocessor cases from Liu and Anderson 2013, Liu et al. 2014a are also covered). However, such a modeling strategy is not always exact for the dynamic selfsuspension task model if other scheduling strategies (instead of fixedpriority scheduling) are applied.
4.1.2 Modeling each computation segment as an independent task
An alternative is to individually compute the WCRT of each of the computation segments of task \(\tau _k\) (Bletsas 2007; Palencia and Harbour 1998; Huang and Chen 2015b).^{1} The WCRT of \(\tau _k\) is then upperbounded by the sum of the segments’ worstcase response times added to \(S_k\), the maximum length of the overall selfsuspension intervals.
Let \(R_k^j\) denote the worstcase response time of the computation segment \(C_k^j\). The schedulability test for task \(\tau _k\) succeeds if \(\sum _{j=1}^{m_k} R_k^j + \sum _{j=1}^{m_k1} S_k^j \le D_k \).
Example 2
Therefore, the WCRT of \(C_3^1\) and \(C_3^2\) are both 5. Hence, we know that the WCRT of task \(\tau _3\) is at most \(R_3^1 + R_3^2 + S_3 = 5 + 5 + 5 = 15\). \(\square \)
The idea of the above test is based on a safe but rather pessimistic approach where each computation segment of task \(\tau _k\) always suffers from the worstcase interference. However, it may not be possible to construct such worstcase interference for every computation segment of a job of task \(\tau _k\) since the release patterns of the higher priority tasks are also constrained by their temporal properties, shown in the following example:
Example 3
Consider the same task set presented in Example 2 by decreasing \(S_3\) from 5 to 1. This analysis still considers that both computation segments suffer from the worstcase interference from the two higherpriority tasks. It then returns \(R_3^1 + R_3^2 + S_3 = 5 + 5 + 1 =11\) as the (upper bound on the) worstcase response time of \(\tau _3\). Yet the suspensionoblivious approach discussed in Sect. 4.1.1 shows that the worstcase response time of \(\tau _3\) is at most 9. The reason why considering \(R_3^1 + R_3^2 + S_3\) is pessimistic is that a job of task \(\tau _2\), under such an analysis, is considered to interfere with both the first and the second computation segments of a job of task \(\tau _3\). However, a job of task \(\tau _2\) can only interfere with one of the two segments of a job of task \(\tau _3\) in any possible release patterns. \(\square \)
This strategy is not widely used alone, but can be used as part of hybrid approaches, explained as follows.
4.1.3 Hybrid approaches
Both methods discussed in Sects. 4.1.1 and 4.1.2 have their pros and cons. The joint (i.e., suspensionoblivious) approach has the advantage of respecting the minimum interarrival times (or periods) of the higherpriority tasks during the schedulability analysis of \(\tau _k\). However, it has the disadvantage of assuming that the task under analysis can be delayed by preemptions during suspension intervals since they are treated as computation intervals. This renders the analytical pessimism as it accounts for nonexisting interference. The split approach does not assume preemptible suspension intervals but considers a worstcase response time for each computation segment independently. Yet, the respective release patterns of interfering tasks leading to the worstcase response time of each computation segment may not be compatible with each other.
As shown with the above examples, the joint and split approaches are not comparable in the sense that none of them dominates the other. Yet, since both provide an upper bound on the worstcase response time of \(\tau _k\), one can simply take the minimum response time value obtained with any of them. However, as proposed in (Bletsas 2007, Chapter 5.4) and Huang and Chen (2015b), it is also possible to combine their respective advantages and hence reduce the overall pessimism of the analysis. The technique proposed in Bletsas (2007), for tasks of the segmented model, consists in dividing the selfsuspending task \(\tau _k\) (that is under analysis) into several blocks of consecutive computation segments. The suspension intervals between computation segments pertaining to the same block are modeled as execution time like in the “joint” approach. The suspension intervals situated between blocks are “split”. The worstcase response time is then computed for each block independently and \(\tau _k\)’s WCRT is upperbounded by the sum of the block’s WCRTs added to the length of the split suspension intervals. This provides a tighter bound on the WCRT, especially if we consider all possible block sequence decompositions of \(\tau _k\), which has exponentialtime complexity.
4.1.4 Exact schedulability analysis
As already mentioned in Sect. 4.1.1, under fixedpriority scheduling, the suspensionoblivious approach is an exact analysis for dynamic selfsuspending tasks assuming that there is only one selfsuspending task \(\tau _k\) and all the interfering tasks do not selfsuspend. There is no work providing an exact schedulability analysis for any other cases under the dynamic selfsuspending task model.
The problem of the schedulability analysis of segmented selfsuspending tasks has been treated in Lakshmanan and Rajkumar (2010) and Nelissen et al. (2015), again assuming only one selfsuspending task \(\tau _k\). The proposed solutions are based on the notion of the critical instant.^{2} That is, they aim to find an instant at which, considering the state of the system, an execution request for \(\tau _k\) will generate the largest response time. Unfortunately, the analysis in Lakshmanan and Rajkumar (2010) has been proven to be flawed in Nelissen et al. (2015). Further details are provided in Sect. 5.3. It has been recently shown by Chen (2016) that the schedulability analysis for FP scheduling (even with only one segmented selfsuspending task as the lowestpriority task) is \(co{\mathcal {NP}}\)hard in the strong sense when there are at least two selfsuspension intervals in task \(\tau _k\).
4.2 Modeling the interfering tasks

suspensionoblivious analysis in Sect. 4.2.1,

interference analysis based on carryin jobs in Sect. 4.2.2,

interference analysis based on release jitter in Sect. 4.2.3,

modeling selfsuspensions as blocking in Sect. 4.2.4, and

unifying interference analysis based on more precise jitter in Sect. 4.2.5.
4.2.1 Suspensionoblivious analysis
Similarly to the task under analysis, the simplest modeling strategy for the interfering tasks is the suspensionoblivious approach, which converts all the suspension times of those tasks into computation times. Each task \(\tau _i\) is thus modeled by a nonselfsuspending task \(\tau _i' = (C'_i, D_i, T_i)\) with a WCET \(C'_i = C_i+S_i\). After that conversion, the interfering tasks therefore become a set of ordinary nonselfsuspending sporadic realtime tasks. Although the simplest, it is also the most pessimistic approach. This is commonly used as the baseline of the analysis, for example, Liu and Anderson (2013) and Brandenburg (2011). It indeed considers that the suspension intervals of each interfering task \(\tau _i\) are causing interference on the task \(\tau _k\) under analysis. Yet, suspension intervals truly model durations during which \(\tau _i\) stops executing on the processor and hence cannot prevent the execution of \(\tau _k\) or any other lowerpriority job.
4.2.2 Modeling selfsuspensions with carryin jobs
If all the higherpriority jobs/tasks are ordinary sporadic jobs/tasks without any selfsuspensions, then the maximum number of interfering jobs that can be released by an interfering (ordinary) sporadic task \(\tau _i\) in a window of length t, is upper bounded by \(\left\lceil \frac{t}{T_i} \right\rceil \) in fixedpriority scheduling. The interfering workload is then bounded by \(\sum _{\forall \tau _i \in hp(k)} \left\lceil \frac{t}{T_i} \right\rceil C_i\) for fixed priority scheduling. This assumes that each interfering job asks for the processor as soon as it is released, thereby preventing the task \(\tau _k\) under analysis from executing.
With selfsuspending tasks however, the computation segment of an interfering job may not require an immediate access to the processor as it can be delayed by its suspension intervals. Hence, a job of task \(\tau _i\) released before the release of a job of task \(\tau _k\) may have all its execution time \(C_i\) delayed by its suspension intervals to entirely interfere with \(\tau _k\). This is clearly visible on the example schedule of Fig. 1b, when \(\tau _2\) is the task under analysis. Such a job of \(\tau _i\) (e.g., second job of task \(\tau _1\) in Fig. 1b), which is released before the job of \(\tau _k\) under analysis, but interfering with the execution of \(\tau _k\), is called a carryin job.
In the worst case, each interfering task \(\tau _i\) releases one carryin job (assuming that they all respect their deadlines and that \(D_i \le T_i\)). This extraworkload, which can be up to \(C_i\), has been integrated in the schedulability test for selfsuspending tasks in Huang et al. (2015) and Liu and Chen (2014) (see Tables 1 and 2) by greedily adding one interfering job to the interfering workload released by each task \(\tau _i\).
4.2.3 Modeling selfsuspensions as release jitter
A more accurate way to model the phenomena described above is to use the concept of release jitter, e.g., in Nelissen et al. (2015), Bletsas et al. (2018), Huang et al. (2015), Rajkumar (1991), Audsley and Bletsas (2004a, b), and Kim et al. (1995). It basically considers that the computation segments of each task \(\tau _i\) are not released in a purely periodic manner but are instead subject to release jitter. Hence the first interfering job of \(\tau _i\) may have its computation segment pushed as far as possible from the actual release of the job due to its suspension behavior, while all the jobs released afterward may directly start with their computation segments and never selfsuspend (see task \(\tau _1\) in Fig. 1 for a simple example or task \(\tau _2\) in Fig. 3 in Sect. 5 for a more complicated example). Let \(J_i\) denote that jitter on \(\tau _i\)’s computation segment release. It was proven in Nelissen et al. (2015) and Bletsas et al. (2018) that \(J_i\) is upperbounded by \(R_iC_i\) where \(R_i\) is the WCRT of \(\tau _i\). If an optimal priority assignment must be computed for a fixedpriority task set using Audsley’s optimal priority assignment algorithm (Audsley 1991), one can pessimistically assume that \(J_i\) is equal to \(D_iC_i\) (Huang et al. 2015; Rajkumar 1991) as long as all the interfering tasks, i.e., \(\forall \tau _i \in hp(k)\) in fixedpriority scheduling, are schedulable, i.e., \(R_i \le D_i\).
Example 4
Note that several solutions proposed in the literature (Audsley and Bletsas 2004a, b; Kim et al. 1995) for modeling the selfsuspending behavior of the interfering tasks as release jitter, are flawed. Those analyses usually assume that \(J_i\) can be upperbounded by the total selfsuspension time \(S_i\) of \(\tau _i\). This is usually wrong. A detailed discussion on this matter is provided in Sect. 5.1.
4.2.4 Modeling selfsuspensions as blocking
Example 5
Devi (in Theorem 8 in Devi (2003), Section 4.5) extended the above analysis to EDF scheduling. However, there is no proof to support the correctness at this moment.
4.2.5 A unifying analysis framework

If \(x_i\) is 1 for task \(\tau _i\), then the release jitter of task \(\tau _i\) is \(\sum _{j=i}^{k1} (S_j \times x_j)\).

If \(x_i\) is 0 for task \(\tau _i\), then the release jitter of task \(\tau _i\) is \((\sum _{j=i}^{k1} (S_j \times x_j)) + R_iC_i\).
Example 6
Consider the task set presented in Table 5. By using the same analysis as in Example 4, \(R_1=9\) and \(R_2=15\) since \(7+\left\lceil {\frac{15+5}{10}}\right\rceil 4 = 15\). There are four possible vector assignments \({\varvec{x}}\) for testing the schedulability of task \(\tau _3\). The corresponding procedure to use these four vector assignments can be found in Table 6. Case 1 is the same as the analysis in Sect. 4.2.3 when \(J_1 = R_1C_1\) and \(J_2 = R_2C_2\). Among the above four cases, the tests in Cases 2 and 4 are the tightest. \(\square \)
\(C_i\)  \(S_i\)  \(D_i\)  \(T_i\)  

\(\tau _1\)  4  5  10  10 
\(\tau _2\)  6  1  19  19 
\(\tau _3\)  4  0  50  50 
Detailed procedure for deriving the upper bound of \(R_3\), with \(R_1C_1=5\) and \(R_2C_2=9\)
\({\varvec{x}}\)  Condition of Eq. (3)  Upper bound of \(R_3\)  

Case 1: (0, 0)  \(4+ \left\lceil {\frac{t+0+5}{10}}\right\rceil 4 + \left\lceil {\frac{t+0+9}{19}}\right\rceil 6 \le t\)  42  
Case 2: (0, 1)  \(4+ \left\lceil {\frac{t+1+5}{10}}\right\rceil 4 + \left\lceil {\frac{t+1+0}{19}}\right\rceil 6 \le t\)  32  
Case 3: (1, 0)  \(4+ \left\lceil {\frac{t+5+0}{10}}\right\rceil 4 + \left\lceil {\frac{t+0+9}{19}}\right\rceil 6 \le t\)  42  
Case 4: (1, 1)  \(4+ \left\lceil {\frac{t+6+0}{10}}\right\rceil 4 + \left\lceil {\frac{t+1+0}{19}}\right\rceil 6 \le t\)  32 
4.2.6 Improving the modeling of segmented selfsuspending tasks
In the segmented selfsuspending task model, we can simply ignore the segmentation structure of computation segments and suspension intervals and directly apply all the strategies for dynamic selfsuspending task models. However, the analysis can become too pessimistic. This is due to the fact that the segmented suspensions are not completely dynamic.
Characterizing the worstcase suspending patterns of the higherpriority tasks to quantify the interference under the segmented selfsuspending task model is not easy. Modelling the interference by a job of a selfsuspending task \(\tau _i\) as multiple persegment “chunks”, spaced apart in time by the respective selfsuspension intervals inbetween, is potentially more accurate than modelling it as a contiguous computation segment of \(C_i\) units. However, the worstcase release offset of \(\tau _i\) in hp(k), relative to the task \(\tau _k\) under analysis, to maximize the interference needs to be identified.
To deal with this, in Bletsas and Audsley (2005) the computation segments and selfsuspension intervals of each interfering task are reordered to create a pattern that dominates all such possible task release offsets. The computational segments of the interfering task are modelled as distinct tasks arriving at an offset to each other and sharing a period and arrival jitter. However, we will explain in Sect. 5.2 why the quantification of the interference in Bletsas and Audsley (2005) is incorrect.
Another possibility is to characterize the worstcase interference in the carryin job of a higherpriority task \(\tau _i\) by analyzing its selfsuspending pattern, as presented in Huang and Chen (2015b). This approach does examine the different possible task release offsets and can also be used for response time analysis compatible with Audsley’s optimal priority algorithm (Audsley 1991). Palencia and Harbour (1998) provided another technique for modelling the interference of segmented interfering tasks, albeit in the context of multiprocessors. In their approach, the bestcase and worstcase response times of a computation segment are first analyzed, and then the gap between these two response times is used as the release jitter of a computation segment. This is called dynamic offset in Palencia and Harbour (1998).
4.2.7 Remarks on the methods without enforcement
The strategies presented from Sects. 4.1.1 to 4.2.6 can be combined together (with care), as shown in Table 2. These strategies are correct in essence, but the detailed quantifications and combinations should be done carefully to ensure the correctness of the resulting analyses. We will present the corresponding misconceptions due to incorrect quantifications or combinations in Sect. 5.
4.3 Period enforcement mechanisms
Selfsuspension can cause substantial schedulability degradation, because the resulting nondeterminism in the schedule can give rise to unfavourable execution patterns. To alleviate the potential impact, one possibility is to guarantee periodic behavior by enforcing the release time of the computation segments. There exist different categories of such enforcement mechanisms.
4.3.1 Dynamic online period enforcement
Rajkumar (1991) proposed a period enforcer algorithm to handle the impact of uncertain releases (such as selfsuspensions). In a nutshell, the period enforcer algorithm artificially increases the length of certain suspensions dynamically, at runtime, whenever a task’s activation pattern carries the risk of inducing undue interference in lowerpriority tasks. Quoting Rajkumar (1991), the period enforcer algorithm “forces tasks to behave like ideal periodic tasks from the scheduling point of view with no associated scheduling penalties”.
 1.
Period enforcement can be a cause of deadline misses for selfsuspending task sets that are otherwise schedulable.
 2.
With the stateoftheart techniques, the schedulability analysis of the period enforcer algorithm requires a task set transformation which is subject to exponential time complexity.
 3.
The period enforcer algorithm is incompatible with all existing analyses of suspensionbased locking protocols, and can in fact cause everincreasing suspension times until a deadline is missed.
4.3.2 Static period enforcement
As an alternative to the online period enforcement, one may instead achieve periodicity in the activation of computation segments and prevent the most unfavorable execution patterns from arising, by constraining each computation segment to be released at a respective fixed offset from its job’s arrival. These constant offsets are computed and specified offline.
Suppose that the offset for the jth computation segment of task \(\tau _i\) is \(\phi _i^j\). This means that the jth computation segment of task \(\tau _i\) is released only at time \(r_i+\phi _i^j\), where \(r_i\) is the arrival time of a job of task \(\tau _i\). That is, even if the preceding selfsuspension completes before \(r_i+\phi _i^j\), the computation segment under consideration is never executed earlier. With this static enforcement, each computation segment can be represented by a sporadic task with a minimum interarrival time \(T_i\), a WCET \(C_i^j\), and a relative deadline \(\phi _{i}^{j+1}\phi _i^jS_i^j\) (with \(\phi _{i}^{m_i+1}\) set to \(D_i\)). Suppose that the offset for each computation segment is specified. This can be observed as a reduction to the generalized multiframe (GMF) task model introduced in Baruah et al. (1999). A GMF task \(G_i\) consisting of \(m_i\) frames is characterized by the 3tuple \(({\varvec{C}}_{{\varvec{i}}}, {\varvec{D}}_{{\varvec{i}}}, {\varvec{T}}_{{\varvec{i}}})\), where \({\varvec{C}}_{{\varvec{i}}}\), \({\varvec{D}}_{{\varvec{i}}}\), and \({\varvec{T}}_{{\varvec{i}}}\) are \(m_i\)ary vectors \((C_{i}^0,C_{i}^1,...,C_{i}^{m_i1})\) of execution requirements, \((D_{i}^0,D_{i}^1,...,D_{i}^{m_i1})\) of relative deadlines, \((T_{i}^0,T_{i}^1,...,T_{i}^{m_i1})\) of minimum interarrival times, respectively. In fact, from the analysis perspective, a selfsuspending task \(\tau _i\) under the offset enforcement is equivalent to a GMF task \(G_i\), by considering the computation segments as the frames with different separation times (Huang and Chen 2016; Ding et al. 2009).
Such approaches have been presented in Kim et al. (2013), Chen and Liu (2014), Huang and Chen (2016), and Ding et al. (2009). The method in Chen and Liu (2014) is a simple and greedy solution for implicitdeadline selfsuspending task systems with at most one selfsuspension interval per task. It assigns the offset \(\phi _i^2\) always to \(\frac{T_i+S_i^1}{2}\) and the relative deadline of the first computation segment of task \(\tau _i\) to \(\frac{T_iS_i^1}{2}\). This is the first method in the literature with speedup factor guarantees by using the revised relative deadline for earliestdeadlinefirst scheduling. This has been recently improved in von der Brüggen et al. (2016) based on a simple strategy, called Shortest execution interval first deadline assignment (SEIFDA). That is, the tasks are assigned relative deadlines according to a greedy order from the smallest \(T_iS_i\) to the largest \(T_iS_i\). Moreover, approaches based on mixed integer linear programming (MILP) were also proposed in Peng and Fisher (2016) and von der Brüggen et al. (2016). For more than one selfsuspension interval per task, Huang and Chen (2016) showed that assigning the relative deadline of each of the computation segments of a task equally also leads to a bounded speedup factor.
If the underlying scheduling algorithm is EDF, then the release enforcement can also be relaxed. It has been already shown in von der Brüggen et al. (2016) and Chen and Liu (2014) that releasing its jth frame at the moment when its (\(j1\))th selfsuspension interval finishes by respecting the original setting of the absolute deadline of the jth frame does not change the schedulability condition, as the subjobs are scheduled using EDF.
The methods in Kim et al. (2013) and Ding et al. (2009) assign each computation segment a fixedpriority level and an offset. Unfortunately, in Kim et al. (2013) and Ding et al. (2009), the schedulability tests are not correct, and the mixedinteger linear programming formulation proposed in Kim et al. (2013) is unsafe for worstcase response time guarantees. A detailed discussion on this matter is provided in Sect. 5.5.
4.3.3 Slack enforcement
The slack enforcement in Lakshmanan and Rajkumar (2010) intends to create periodic execution enforcement for selfsuspending tasks so that a selfsuspending task behaves like an ideal periodic task. However, as to be discussed in Sect. 9.1, the presented methods in Lakshmanan and Rajkumar (2010) require more rigorous proofs to support their correctness as the proof of the key lemma of the slack enforcement mechanism in Lakshmanan and Rajkumar (2010) is incomplete.
4.4 Multiprocessor scheduling for selfsuspending tasks
The schedulability analysis of distributed systems is inherently similar to the schedulability analysis of multiprocessor systems following a partitioned scheduling scheme. Each task is mapped on one processor and can never migrate to another processor. Palencia and Harbour (1998) extended the worstcase response time analysis for distributed systems, and hence multiprocessor systems, to segmented selfsuspending tasks. They model the effect of the selfsuspension time as release jitter.
The first suspensionaware worstcase response time analysis for dynamic selfsuspending sporadic tasks assuming a global scheduling scheme was presented in Liu and Anderson (2013). The given M processors are assumed to be identical and the jobs can migrate during their execution. The analysis in Liu and Anderson (2013) is mainly based on the existing results in the literature for global fixedpriority and earliest deadline first scheduling for sporadic task systems without selfsuspensions. The general concept in Liu and Anderson (2013) is to quantify the interference from the higherpriority tasks by following similar approaches in Baruah (2007), Guan et al. (2009) for task systems without selfsuspension. The task that is under analysis greedily uses suspension as computation, as explained in Sect. 4.1.1.
Unfortunately, the schedulability test provided in Liu and Anderson (2013) for global fixedpriority scheduling suffers from two errors, which were later fixed in Liu and Anderson (2015). Since these two errors are unrelated to any misconception due to selfsuspension, we have decided to present them here and not to include them in Sect. 5. First, the workload bound proposed in Lemma 1 (in Liu and Anderson 2013) is unsafe. It has been acknowledged and corrected in Liu and Anderson (2015). Secondly, it is optimistic to claim that there are at most \(M1\) carryin jobs in the general case. This flaw has been inherited from an error in previous work Guan et al. (2009), which was pointed out and further corrected in Sun et al. (2014) and Huang and Chen (2015a). Therefore, by adopting the analysis from Huang and Chen (2015a), which is consistent with the analysis in Liu and Anderson (2013), the problem can easily be fixed. The reader is referred to Liu and Anderson (2015) for further details.
Dong and Liu (2016) explored global earliestdeadlinefirst (global EDF) scheduling for dynamic selfsuspending tasks. They presented an approach to selectively convert the selfsuspension time of a few tasks into computation and performed the schedulability tests purely based on the utilization of the computation after conversion. Chen et al. (2015) studied global ratemonotonic scheduling in multiprocessor systems, including dynamic selfsuspending tasks. The proposed utilizationbased schedulability analysis can easily be extended to handle constraineddeadline task systems and any given fixedpriority assignment.
5 Existing misconceptions in the state of the art
This section explains several misconceptions in some existing results by presenting concrete examples to demonstrate their overstatements. These examples are constructed case by case. Therefore, each misconception will be explained by using one specific example.
5.1 Incorrect quantifications of jitter (dynamic selfsuspension)
A set of dynamic selfsuspending tasks for demonstrating the counterexample used for the incorrect quantification of jitter in Sect. 5.1
\(\tau _i\)  \(C_i\)  \(S_i\)  \(T_i\) 

\(\tau _1\)  1  0  2 
\(\tau _2\)  5  5  20 
\(\tau _3\)  1  0  \(\infty \) 
Consequences Since the results in Audsley and Bletsas (2004a), Audsley and Bletsas (2004b), Kim et al. (1995), and Ming (1994) are fully based on the analysis in Eq. (4), the above unsafe example disproves the correctness of their analyses. The source of error comes from a wrong interpretation by Ming (1994) with respect to a paper by Audsley et al. (1993).^{4} Audsley et al. (1993) explained that deferrable executions may result in arrival jitter and the jitter terms should be accounted while analyzing the worstcase response time. However, Ming (1994) interpreted that the jitter is the selfsuspension time, which was not originally provided in Audsley et al. (1993). Therefore, there was no proof of the correctness of the methods used in Ming (1994). The concept was adopted by Kim et al. (1995).
This misconception spread further when it was propagated by Lakshmanan et al. (2009) in their derivation of worstcase response time bounds for partitioned multiprocessor realtime locking protocols, which in turn was reused in several later works (Zeng and di Natale 2011; Brandenburg 2013; Yang et al. 2013; Kim et al. 2014; Han et al. 2014; Carminati et al. 2014; Yang et al. 2014). We explain the consequences and how to correct the later analyses in Sect. 6.
Moreover this counterexample also invalidates the comparison in Ridouard and Richard (2006), which compares the schedulability tests from Kim et al. (1995) and Liu (2000, pp. 164–165), since the result derived from Kim et al. (1995) is unsafe.
Independently, Audsley and Bletsas (2004a, b) used the same methods in 2004 from different perspectives. A report that explains in greater detail how to correct this issue has been filed by Bletsas et al. (2018).
5.2 Incorrect quantifications of jitter (segmented selfsuspension)
We now explain a misconception in the literature regarding an optimistic quantification of the jitter of segmented selfsuspending task systems under fixedpriority scheduling.
For the purpose of bounding the interference from a segmented selfsuspending task, the analysis in Bletsas and Audsley (2005) reorders the computation segments and the selfsuspension intervals such that the computation segments appear with decreasing (upperbounded) execution times and the suspension intervals appear with increasing (lowerbounded) suspension times. Among the selfsuspension intervals, a “notional” selfsuspension corresponding to the interval between the completion time of a job of task \(\tau _i\) and the arrival time of the next job of task \(\tau _i\) is included. The purpose of this reordering step is to avoid having to consider different release offsets for each interfering task (corresponding to its computational segments). Using the following example of an implicitdeadline segmented selfsuspending task, with deterministic segment execution times and selfsuspension lengths, for convenience: Let \((C_i^1, S_i^1, C_i^2, S_i^2, C_i^3)= (1,5,4,3,2)\), \(T_i=40\), and \(R_i=25\). The notional gap is \(S_i^3=4025=15\). After reordering, the parameters become \((C_i^1, S_i^1, C_i^2, S_i^2, C_i^3, S_i^3) = (4,3,2,5,1,15)\).
In Bletsas (2007), an error in the quantification of the notional gap was already identified and fixed. However, there remains an error in the specified jitter term, designed to capture the variability in the start times of the computation segments, relative to the job release. In Bletsas and Audsley (2005) it was incorrectly argued that it is safe to only consider the variability in the lengths of preceding computation segments and selfsuspension intervals. In the worst case though, one should also consider the variability resulting from interference by tasks with higher priorities.
Instead of going into the detailed mathematical formulations, we will demonstrate the misconception with the following example in Table 8, which has only one selfsuspending task \(\tau _3\) and there is no variation between the worstcase and the actualcase execution/suspension times. In this specific example, reordering has no effect. The analysis in Bletsas and Audsley (2005) can be imagined as replacing the selfsuspending task \(\tau _3\) with a sporadic task without any jitter or selfsuspension, with \(C_3=2\) and \(D_3=T_3=15\). Therefore, the analysis in Bletsas and Audsley (2005) concludes that the worstcase response time of task \(\tau _4\) is at most 15 since \(C_4+\sum _{i=1}^{3}\left\lceil {\frac{15}{T_i}}\right\rceil C_i = 3+ 6 + 4 + 2= 15\).
A set of segmented selfsuspending tasks for demonstrating the misconception of the incorrect quantification of jitter in Sect. 5.2
\(\tau _i\)  \((C_i^1, S_i^1, C_i^2)\)  \(D_i\)  \(T_i\) 

\(\tau _1\)  (2, 0, 0)  5  5 
\(\tau _2\)  (2, 0, 0)  10  10 
\(\tau _3\)  (1, 5, 1)  15  15 
\(\tau _4\)  (3, 0, 0)  ?  \(\infty \) 
Consequences This example shows that the analysis in Bletsas and Audsley (2005) is flawed. A fix has been filed in Bletsas et al. (2018).
Solutions When attempting to fix the error in the jitter quantification, there is no simple way to exploit the additional information provided by the segmented selfsuspending task model. However, quantifying the jitter of a selfsuspending task \(\tau _i\) with \(D_iC_i\) (or \(R_iC_i\)) as in Sect. 5.1 remains safe for constraineddeadline task systems since the dynamic selfsuspension pattern is more general than a segmented selfsuspension pattern.
5.3 Incorrect assumptions regarding the critical instant
Over the years, it has been well accepted that the characterization of the critical instant for selfsuspending tasks is a complex problem. The complexity of verifying the existence of a feasible schedule for segmented selfsuspending tasks has been proven to be \({\mathcal {NP}}\)hard in the strong sense (Ridouard et al. 2004). For segmented selfsuspending tasks with constrained deadlines under fixedpriority scheduling, the complexity of verifying the schedulability of a task set has been left open until a recent proof of its co\({\mathcal {NP}}\)hardness in the strong sense by Chen (2016) and Mohaqeqi et al. (2016) in 2016 (see Sect. 8).

the scheduling algorithm is fixedpriority;

\(\tau _k\) is the lowestpriority task; and

all the higherpriority tasks are sporadic and nonselfsuspending.

every task releases a job simultaneously with \(\tau _k\);

the jobs of higherpriority tasks that are eligible to be released during the selfsuspension interval of \(\tau _k\) are delayed to be aligned with the release of the subsequent computation segment of \(\tau _k\); and

all the remaining jobs of the higherpriority tasks are released with their minimum interarrival time.
A set of segmented selfsuspending tasks for demonstrating the misconception of the synchronous release of all tasks in Sect. 5.3
\((C_i^1, S_i^1, C_i^2)\)  \(D_i=T_i\)  

\(\tau _1\)  (1, 0, 0)  4 
\(\tau _2\)  (1, 0, 0)  50 
\(\tau _3\)  (1, 2, 3)  100 
5.3.1 A counterexample to the synchronous release
Consequence The synchronous release of all tasks does not necessarily generate the maximum interference for the selfsuspending task \(\tau _k\) and is thus not always a critical instant for \(\tau _k\). It was however proven in Nelissen et al. (2015) that in the critical instant of a selfsuspending task \(\tau _k\), every higherpriority task releases a job synchronously with the arrival of at least one computation segment of \(\tau _k\), but not all higherpriority tasks must release a job synchronously with the same computation segment.
5.3.2 A counterexample to the minimum interrelease time
A set of segmented selfsuspending tasks used to demonstrate that it is a misconception to believe that releasing interfering jobs as early and often as possible yields a worstcase scenario, as discussed in Sect. 5.3
\((C_i^1, S_i^2, C_i^2)\)  \(D_i=T_i\)  

\(\tau _1\)  (4, 0, 0)  8 
\(\tau _2\)  (1, 0, 0)  10 
\(\tau _3\)  (1, 0, 0)  17 
\(\tau _4\)  (265, 2, 6)  1000 
Consider two scenarios with respect to the job release pattern. Scenario 1 is a result of the proposed critical instant, in which the jobs of the higherpriority nonselfsuspending tasks are released as early and often as possible to interfere with each computation segment of \(\tau _4\). In Scenario 2, one less job of task \(\tau _1\) is released before the first computation segment of the selfsuspending task finishes. We show that the WCRT of \(\tau _4\) is higher in the second scenario.
Scenario 1
Continuing the release of jobs of the nonselfsuspending tasks as early and often as possible without violating their minimum interarrival times, the first computation segment of \(\tau _4\) finishes its execution at time 782 as shown in Fig. 6a. After completion of its first computation segment, \(\tau _4\) selfsuspends for two time units until time 784. As \(\tau _3\) would have released a job within the selfsuspension interval, we delay the release of that job from time 782 to 784 in order to maximize the interference exerted by \(\tau _3\) on the second computation segment of \(\tau _4\) as shown in Fig. 6a. Note that, in order to respect its minimum interarrival time, \(\tau _2\) has an offset of 6 time units with the arrival of the second computation segment of \(\tau _4\). Upon following the rest of the schedule, it can easily be seen that the job of \(\tau _4\) finishes its execution at time 800.
Scenario 2
As shown in Fig. 6b, the release of a job of task \(\tau _1\) is skipped at time 776 in comparison to Scenario 1. As a result, the execution of the first computation segment of \(\tau _4\) is completed at time 777, thereby causing one job of \(\tau _2\) that was released at time 780 in Scenario 1, to not be released during the execution of the first computation segment of \(\tau _4\). The response time of the first computation segment of \(\tau _4\) is thus reduced by \(C_1 + C_2 = 5\) time units in comparison to Scenario 1 (see Fig. 6a). Note that this deviation from Scenario 1 does not affect the fact that \(\tau _1\) still releases a job synchronously with the second computation segment of \(\tau _4\). The next job of \(\tau _3\) however, is not released in the suspension interval anymore but 3 time units after the arrival of \(\tau _4\)’s second computation segment. Moreover, the offset of \(\tau _2\) with respect to the start of the second computation segment is reduced by \(C_1 + C_2 = 5\) time units. This causes an extra job of \(\tau _2\) to be released in the second computation segment of \(\tau _4\), initiating a cascade effect: an extra job of \(\tau _1\) is released in the second computation segment at time 795, which in turn causes the release of an extra job of \(\tau _3\), itself causing the arrival of one more job of \(\tau _2\). Consequently, the response time of the second computation segment increases by \(C_2 + C_1 + C_3 + C_2 = 7\) time units. Overall, the response time of \(\tau _4\) increases by \(7  5 = 2\) time units in comparison to Scenario 1. This is reflected in Fig. 6b as the job of \(\tau _4\) finishes its execution at time 802.
Consequence This counterexample proves that the response time of a selfsuspending task \(\tau _k\) can be larger when the tasks in hp(k) do not release jobs as early and often as possible to interfere with each computation segment of task \(\tau _k\).
Solution The problem of defining the critical instant remains open even for the special case where only the lowestpriority task is selfsuspending. Nelissen et al. propose a limited solution in Nelissen et al. (2015) based on an exhaustive search with exponential time complexity.
5.4 Counting highestpriority selfsuspension time to reduce the interference

there is only one selfsuspending task with the highest priority, i.e., \(\tau _1\),

the selfsuspension time is fixed, i.e., early return of selfsuspension has to be controlled by the scheduler, and

the actual execution time of the selfsuspending task is always equal to its worstcase execution time.
A set of segmented selfsuspending tasks for demonstrating the misconception to reduce the interference by exploiting the highestpriority selfsuspension time in Sect. 5.4, where \(0 < \epsilon \le 0.1\)
\((C_i^1, S_i^1, C_i^2)\)  \(D_i=T_i\)  

\(\tau _1\)  \((\epsilon , 1, 1)\)  \(4+10\epsilon \) 
\(\tau _2\)  (\(2+2\epsilon \), 0, 0)  6 
\(\tau _3\)  (\(2+2\epsilon \), 0, 0)  6 
Counter example of Theorem 3 in Kim et al. (2013) Suppose that the selfsuspending task \(\tau _1\) has two computation segments, with \(C_1^1 = C_1\epsilon \), \(C_1^2 = \epsilon \), and \(S_1=S_1^1 > 0\) with very small \(0 < \epsilon \ll C_1^1\). For such an example, it is obvious that this selfsuspending highestpriority task is like an ordinary sporadic task, i.e., selfsuspension does not matter. In this counterexample, the utilization bound is still Liu and Layland bound \(n(2^{\frac{1}{n}}1)\) (Liu and Layland 1973), regardless of the ratio of \(S_1/T_1\).Theorem 3 in Kim et al. (2013) For a taskset \(\varGamma _{1s}\) with implicit deadlines, \(\varGamma _{1s}\) is schedulable if the total utilization of the taskset is less than or equal to \(n((2+2\gamma )^{\frac{1}{n}}1)\gamma \), where n is the number of tasks in \(\varGamma _{1s}\), and \(\gamma \) is the ratio of \(S_1\) to \(T_1\) and lies in the range of 0 to \(2^{\frac{1}{n1}}1\).
The source of the error of Theorem 3 in Kim et al. (2013) is due to its Theorem 2 and the footnote 4 in Kim et al. (2013), which claims that the case in Fig. 7 in Kim et al. (2013) is the worst case. This statement is incorrect and can be disproved with the above counterexample.
Consequences Theorems 2 and 3 in Kim et al. (2013) are flawed.
Solutions The three assumptions, i.e., one highestpriority segmented selfsuspending task, controlled suspension behavior, and controlled execution time in Kim et al. (2013) actually imply that the selfsuspending behavior of task \(\tau _1\) can be modeled as several sporadic tasks with the same minimum interarrival time. More precisely, there is no need to consider selfsuspension of task \(\tau _1\), but we have to effectively consider each computation segment as a highestpriority sporadic task during the response time analysis. When the jth computation segment of task \(\tau _1\) starts its execution at time t, the earliest time for this computation segment to be executed again in the next job of task \(\tau _1\) is at least \(t+T_1\).
5.5 Incorrect analysis of segmented fixedpriority scheduling with periodic enforcement
We now introduce misconceptions that may happen due to periodic enforcement if it is not carefully adopted for segmented selfsuspending task systems. As mentioned in Sect. 4.3.2, we can set a constant offset to constrain the release time of a computation segment. If this offset is given, each computation segment behaves like a standard sporadic (or periodic) task. Therefore, the schedulability test for sporadic task systems can be directly applied. Since the offsets of two computation segments of a task may be different, one may want to assign each computation segment a fixedpriority level. However, this has to be carefully handled.
Consider the example listed in Table 12. Suppose that the offset of the computation segment \(C_2^1\) is 0 and the offset of the computation segment \(C_2^2\) is 10. This setting creates three sporadic tasks. Suppose that the segmented fixed priority assignment assigns \(C_2^1\) the highest priority and \(C_2^2\) the lowest priority. It should be clear that the worstcase response time of the computation segment \(C_2^1\) is 5 and the worstcase response time of the computation segment \(C_1\) is 15. We focus on the WCRT analysis of \(C_2^2\).
Since the two computation segments of task \(\tau _2\) should not have any overlap, one may think that during the analysis of the worstcase response time of the computation segment \(C_2^2\), we do not have to consider the computation segment \(C_2^1\). The worstcase response time of the computation segment \(C_2^2\) (after its constant offset 10) for this case is 26 since \(\left\lceil {\frac{26}{30}}\right\rceil C_1 + C_2^2 = 26\). Since \(26+10 < 40\), one may conclude that this enforcement results in a feasible schedule. This analysis is adopted in Section IV in Kim et al. (2013) and Section 3 in Ding et al. (2009).
A set of segmented selfsuspending tasks for demonstrating the misconception in the literature when analyzing the schedulability of task \(\tau _k\) under segmented fixedpriority scheduling with periodic enforcement in Sect. 5.5
\((C_i^1, S_i^1, C_i^2)\)  \(D_i=T_i\)  

\(\tau _1\)  (10, 0, 0)  30 
\(\tau _2\)  (5, 5, 16)  40 
Consequences The priority assignment algorithms in Kim et al. (2013), Ding et al. (2009) use the above unsafe schedulability test to verify the priority assignments. Therefore, their results are flawed due to the unsafe schedulability test.
Solutions This requires us to revisit the schedulability test of a given segmented fixedpriority assignment. As discussed in Sect. 4.3.2, this can be observed as a reduction to the generalized multiframe (GMF) task model introduced by Baruah et al. (1999). However, most of the existing fixedpriority scheduling results for the GMF task model assume a unique priority level per task. To the best of our knowledge, the only results that can be applied for a unique level per computation segment are the utilizationbased analysis in Chen et al. (2016a) and Huang and Chen (2015c).
A simple fix can be achieved by classifying the interfering higherpriority computation segments into two types: carryin and noncarryin computation segments, presented in Kim et al. (2016). When analyzing the response time of a computation segment, the approach in Kim et al. (2016) pessimistically accounts for one higherpriority carryin computation segment per task, due to the assumption that the task systems are with constrained deadlines and as the higherpriority computation segments have to meet their deadlines.
5.6 Incorrect conversion of higher priority selfsuspending tasks
We now explain a misconception that treats the higherpriority selfsuspending tasks by introducing safe release jitters and analyzes the response time of task \(\tau _k\) by accounting for the selfsuspending behavior explicitly. Consider the example listed in Table 13. Task \(\tau _1\) obviously meets its deadline. Task \(\tau _2\) can be validated to meet its deadline by using the split approach, i.e., \(8 + 12+ 8 = 28\). The jitter of task \(\tau _2\) is hence at most \(R_2C_2=28(3+ 3) = 22\).
Since \(\left\lceil {\frac{t+22}{T_2}}\right\rceil = 1\) for any \(0 \le t \le 39\), we can conclude that there is only one active job of task \(\tau _2\) in time interval \((a, a+39]\), in which a job of task \(\tau _3\) arrives at time a. Theorem 2 in Nelissen et al. (2015) exploited the above property and converted task \(\tau _2\) to an ordinary sporadic task, denoted as task \(\tau _2'\) here, with jitter equal to 22 and worstcase execution time equal to \(3+3=6\). By the above discussion, in our setting in Table 13, there is only one job of task \(\tau _2'\) that can interfere with a job of task \(\tau _3\).
A set of segmented selfsuspending tasks for demonstrating the misconception which analyzes the schedulability of task \(\tau _k\) by combining the release jitter approach for the higherpriority interfering tasks and the explicit selfsuspension behavior for the interfered task \(\tau _k\), presented in Sect. 5.6
\((C_i^1, S_i^1, C_i^2)\)  \(D_i\)  \(T_i\)  

\(\tau _1\)  (5, 0, 0)  10  10 
\(\tau _2\)  (3, 12, 3)  28  1000 
\(\tau _3\)  (3, 4, 3)  35  1000 
Consequences The analysis in Section VI of Nelissen et al. (2015), that accounts for the selfsuspending behavior of \(\tau _3\) explicitly and analyzes the interference from the higherpriority selfsuspending tasks by converting each of them into an ordinary sporadic task (without selfsuspension) with a safe release jitter, is flawed as shown in the example.
Solutions Each computation segment of a higherpriority task should be treated as an individual sporadic task with jitter. This means that the treatment in Section VI of Nelissen et al. (2015) remains valid if each computation segment of a higherpriority task \(\tau _i\) is converted into an ordinary sporadic task with proper jitter. In our example here, the segmented selfsuspending task \(\tau _2\) should be converted into two ordinary sporadic tasks with proper jitter. This error and appropriate solutions were published in Nelissen et al. (2017).
6 Selfsuspending tasks in multiprocessor synchronization
In this section, we consider the analysis of selfsuspensions that arise due to accesses to explicitly synchronized shared resources (e.g., shared I/O devices, message buffers, or other shared data structures) that are protected with suspensionbased locks (e.g., binary semaphores) in multiprocessor systems under PFP scheduling. The selfsuspension time of a task due to lock contention is usually called its remote blocking time in the literature. This has been used specifically in Sect. 2 to motivate the importance of analyzing selfsuspension. As semaphores induce selfsuspensions, some of the misconceptions surrounding the analysis of selfsuspensions on uniprocessors unfortunately also spread to the analysis of realtime locking protocols on partitioned multiprocessors.
In particular, the analysis technique introduced by Lakshmanan et al. (2009) adopted the unsafe analysis presented in Sect. 5.1. This technique was later reused in several other work (Zeng and di Natale 2011; Brandenburg 2013; Yang et al. 2013; Kim et al. 2014; Han et al. 2014; Carminati et al. 2014; Yang et al. 2014). We show a concrete counterexample in Sect. 6.2 to demonstrate that their schedulability analysis is unsafe. Fortunately, as we will discuss in Sect. 6.4, there are straightforward solutions based on the corrected responsetime bounds discussed in Sect. 5.1.
We begin with a review of existing analysis strategies for semaphoreinduced suspensions on uniprocessors and partitioned multiprocessors.
6.1 Semaphores in uniprocessor systems
Under a suspensionbased locking protocol, tasks that are denied access to a shared resource (i.e., that block on a lock) are suspended. Interestingly, on uniprocessors, the resulting suspensions are not considered to be selfsuspensions and can be accounted for more efficiently than general selfsuspensions.
When comparing Eq. (5) for general selfsuspensions with Eq. (7) for selfsuspensions due to semaphores, it is apparent that Eq. (7) is considerably less pessimistic since the ceiling term does not include \(R_i\) or \(D_i\) for \(\tau _i \in hp(k)\). Intuitively, this difference is due to the fact that tasks incur blocking due to semaphores only if a local lowerpriority task holds the resource, i.e., when the local processor is busy. In contrast, general selfsuspensions may overlap with idle intervals.
6.2 Semaphores in partitioned multiprocessor systems
When suspensionbased protocols, such as the multiprocessor priority ceiling protocol (MPCP) (Rajkumar 1990), are applied under partitioned scheduling, resources are classified according to how they are shared: if a resource is shared by two or more tasks assigned to different processors, then it is called a global resource, otherwise it is called a local resource.
Similarly, a job is said to incur remote blocking if it is waiting to acquire a global resource that is held by a job on another processor, and it is said to incur local blocking if it is prevented from being scheduled by a lowerpriority task on its local processor that is holding a resource (either global or local).
Regardless of whether a task incurs local or remote blocking, a waiting task always suspends until the contested resource becomes available. The resulting task suspension, however, is analyzed differently depending on whether a local or a remote task is currently holding the lock.
From the perspective of the local schedule on each processor, remote blocking is caused by external events (i.e., resource contention due to tasks on the other processors) and pushes the execution of higherpriority tasks to a later point in time regardless of the schedule on the local processor (i.e., even if the local processor is idle). Remote blocking thus may cause additional interference on lowerpriority tasks and must be analyzed as a selfsuspension.
In contrast, local blocking takes place only if a local lowerpriority task holds the resource [i.e., if the local processor is busy], just as it is the case with uniprocessor synchronization protocols like the PCP (Sha et al. 1990). Consequently, local blocking is accounted for similarly to blocking under the PCP in the uniprocessor case [i.e., as in Eq. (7)], and not as a general selfsuspension [Eq. (5)]. Since local blocking can be handled similarly to the uniprocessor case, we focus on remote blocking in the remainder of this section.
As previously discussed in Sect. 4.1.1, a safe, but pessimistic strategy is to simply model remote blocking as computation, which is called suspensionoblivious analysis (Brandenburg and Anderson 2010). By overestimating the processor demand of selfsuspending, higherpriority tasks, the additional delay due to deferred execution is implicitly accounted for as part of regular interference analysis. Block et al. (2007) first used this strategy in the context of partitioned and global earliest deadline first (EDF) scheduling; Lakshmanan et al. (2009) also adopted this approach in their analysis of “virtual spinning,” where tasks suspend when blocked on a lock, but at most one task per processor may compete for a global lock at any time. However, while suspensionoblivious analysis is conceptually straightforward, it is also subject to structural pessimism, and it has been shown that, in pathological cases, any analysis that inflates task execution times to account for blocking can overestimate response times by a factor linear in both the number of tasks and the ratio of the longest period to the shortest period (Wieder and Brandenburg 2013).

Zeng and di Natale (2011) (Eq. 9), Han et al. (2014) (Eq. 5), and Yang et al. (2014) (Section 2.5) in the context of the MPCP, and

Yang et al. (2013) (Eq. 6), Brandenburg (2013) (Eq. 1), Carminati et al. (2014) (Eqs. 3, 12, and 16), and Kim et al. (2014) (Eq. 6) in the context of other suspensionbased locking protocols.
A set of realtime sporadic tasks for demonstrating the counterexample for the misconception used in Eq. (8)
\(\tau _k\)  \(C_k\)  \(T_k\) (\(= D_k\))  \(s_k\)  \(C_{k,1}^{\prime }\)  Processor 

\(\tau _1\)  2  6  0  −  1 
\(\tau _2\)  \(4+6\epsilon \)  13  1  \(5\epsilon \)  1 
\(\tau _3\)  \(\epsilon \)  14  0  −  1 
\(\tau _4\)  7  14  1  \(44\epsilon \)  2 
In the following example, we show the existence of a schedule in which a task that is considered schedulable according to Eq. (8) misses a deadline. Consider four implicitdeadline sporadic tasks \({\tau _1, \tau _2, \tau _3, \tau _4}\) with parameters as listed in Table 14, indexed in decreasing order of priority, that are scheduled on two processors using PFP scheduling. Tasks \(\tau _1\), \(\tau _2\) and \(\tau _3\) are assigned to processor 1, while task \(\tau _4\) is assigned to processor 2.
Each job of \(\tau _2\) has one critical section (\(s_2 = 1\)) of length at most \(5\varepsilon \) (i.e., \(C_{2,1}^{\prime } = 5\varepsilon \)), where \(0 < \varepsilon \le 1/3\), in which it accesses a global shared resource \(\ell _1\).
Each job of \(\tau _4\) has one critical section (\(s_4 = 1\)) of length at most \(44\varepsilon \) (i.e., \(C_{4,1}^{\prime } = 44\varepsilon \)), in which it also accesses \(\ell _1\).
However, there exists a schedule, shown in Fig. 10, in which a job of task \(\tau _3\) arrives at time 6 and misses its absolute deadline at time 20. This shows that Eq. (8) does not always yield a sound responsetime bound.
The misconception here is to account for remote blocking (i.e., \(B_i^r\)), which is a form of selfsuspension, as if it is equivalent to release jitter. However, it is not, as already explained in Sect. 5.1.
6.3 Incorrect contention bound in interfacebased analysis
A related problem affects an interfacebased analysis proposed by Nemati et al. (2011). Targeting open realtime systems with globally shared resources (i.e., systems where the final task set composition is not known at analysis time, but tasks may share global resources nonetheless), the goal of the interfacebased analysis is to extract a concise abstraction of the constraints that need to be satisfied to guarantee the schedulability of all tasks. In particular, the analysis seeks to determine the maximum tolerable blocking time, denoted \( mtbt _k\), that a task \(\tau _k\) can tolerate without missing its deadline.
6.4 A safe responsetime bound
In Eq. (8), the effects of deferred execution are accounted for similarly to release jitter. However, it is not sufficient to count the duration of remote blocking as release jitter, as already explained in Sect. 5.1.
Finally, the already mentioned papers (Zeng and di Natale 2011; Brandenburg 2013; Yang et al. 2013; Kim et al. 2014; Han et al. 2014; Carminati et al. 2014; Yang et al. 2014) that based their analysis on Eq. (8) can be fixed by simply using Eq. (11) instead, because they merely reused the unsafe suspensionaware responsetime bound introduced in Lakshmanan et al. (2009) without further modifications. The actual, novel contributions in Zeng and di Natale (2011), Brandenburg (2013), Yang et al. (2013), Kim et al. (2014), Han et al. (2014), Carminati et al. (2014), and Yang et al. (2014) remain unaffected by this correction.
7 Soft realtime selfsuspending task systems
For a hard realtime task, its deadline must be met; while for a soft realtime task, missing some deadlines can be tolerated. We have discussed the selfsuspending tasks in hard realtime systems in the previous sections. In this section, we will review the existing results for scheduling soft realtime systems when the tasks can suspend themselves. So far, no concern has been raised regarding the correctness of the results discussed in this section.
We assume a wellstudied soft realtime notion, in which a soft realtime task is schedulable if its tardiness can be provably bounded [e.g., several recent dissertations have focused on this topic Leontyev (2010) and Devi (2006)]. Such bounds would be expected to be reasonably small. A task’s tardiness is defined as its maximum job tardiness, which is 0 if the job finishes before its absolute deadline or is the job’s completion time minus the job’s absolute deadline otherwise. The schedulability analysis techniques on soft realtime selfsuspending task systems can be categorized into two categories: suspensionoblivious analysis and suspensionaware analysis.
7.1 Suspensionoblivious analysis
According to Devi and Anderson (2005) as well as Leontyev and Anderson (2007), an ordinary sporadic task system (i.e. no selfsuspensions) has bounded tardiness under global EDF for all the n sporadic tasks if \(\sum _{i=1}^{n} C_i/T_i \le M\), where M is the number of processors in the system. The suspensionoblivious analysis simply treats the suspensions as computation, as also explained in Sects. 4.1.1 and 4.2.1. Therefore, by suspensionoblivious analysis, an selfsuspending sporadic task system has bounded tardiness under global EDF for all the n tasks if \(\sum _{i=1}^{n} (C_i+S_i)/T_i \le M\). This can be very pessimistic since \(\sum _{i=1}^{n} (C_i+S_i)/T_i\) can easily exceed M for schedulable task sets.
7.2 Suspensionaware analysis
8 Computational complexity and approximations
The computational complexity classes of scheduling and schedulability analysis for selfsuspending tasks
Task Model  Feasibility  Schedulability  

Fixedpriority scheduling  Dynamicpriority scheduling (constraineddeadline)  Dynamicpriority scheduling (implicitdeadline)  
Segmented selfsuspension models  \({\mathcal {NP}}\)hard in the strong sense (Richard 2003; Ridouard et al. 2004)  co\({\mathcal {NP}}\)hard in the strong sense (Mohaqeqi et al. 2016; Chen 2016)  co\({\mathcal {NP}}\)hard in the strong sense (Chen 2016)  co\({\mathcal {NP}}\)hard in the strong sense (Chen 2016) 
Dynamic selfsuspension models  Unknown  (At least) \({\mathcal {NP}}\)hard in the weak sense (Ekberg and Yi 2017)  co\({\mathcal {NP}}\)hard in the strong sense (Chen 2016)  Unknown 
8.1 Computational complexity of designing scheduling policies
We first present the computational complexity of designing scheduling policies for both selfsuspending task models considered in this report.
8.1.1 Segmented selfsuspending tasks
Verifying the existence of a feasible schedule for segmented selfsuspending task systems is proved to be \({\mathcal {NP}}\)hard in the strong sense in Ridouard et al. (2004) for implicitdeadline tasks with at most one selfsuspension per task. For this model, it is also shown that EDF and RM do not have any speedup factor bound in Ridouard et al. (2004) and Chen and Liu (2014), respectively. For the generalization of the segmented selfsuspension model to multithreaded tasks (i.e., every task is defined by a Directed Acyclic Graph (DAG) with edges labelled by suspension delays), the feasibility problem is also known to be \({\mathcal {NP}}\)hard in the strong sense (Richard 2003) even if all subjobs have unit execution times. Up to now, there is no known theoretical lower bound with respect to the speedup factors for this scheduling problem.
The only results with speedup factor analysis for fixedpriority scheduling and dynamicpriority scheduling can be found in Chen and Liu (2014), Huang and Chen (2016), and von der Brüggen et al. (2016). The analysis with a speedup factor of 3 in Chen and Liu (2014) and von der Brüggen et al. (2016) can be used for systems with at most one selfsuspension interval per task under dynamicpriority scheduling. The analysis with a bounded speedup factor in Huang and Chen (2016) can be used for fixedpriority and dynamicpriority systems with any number of selfsuspension intervals per task. The scheduling policy used in Huang and Chen (2016) is suspension laxitymonotonic (SLM) scheduling, which assigns the highest priority to the task with the least suspension laxity, defined as \(D_iS_i\). However, the speedup factor of SLM depends on the number of selfsuspension intervals, and grows quadratically with respect to it.
The above analysis also implies that the priority assignment in dynamicpriority and fixedpriority scheduling should be carefully designed. Traditional approaches like RM or EDF do not work very well. SLM may work well for a few selfsuspension intervals, but how to perform the optimal priority assignment is an open problem. Such difficulty comes from scheduling anomalies that may occur at runtime. An example is provided in Ridouard et al. (2004) to show that reducing execution times or selfsuspension delays can result in deadline misses under EDF (i.e., EDF is no longer sustainable). This latter result can be easily extended to fixedpriority scheduling policies (i.e., RM and DM). Lastly, in Ridouard and Richard (2006), it is proved that no deterministic online scheduler can be optimal if the realtime tasks are allowed to suspend themselves.
8.1.2 Dynamic selfsuspending tasks

\(C_1=12\epsilon \), \(S_1=0\), \(T_1=1\)

\(C_2=\epsilon \), \(S_2=T1\epsilon \), \(T_2=T\)
There is no upper bound of this problem in the most general case. The analysis in Huang et al. (2015) for a speedup factor 2 uses a trick to compare the speedup factor with respect to the optimal fixedpriority schedule instead of the optimal schedule. The priority assignment used in Huang et al. (2015) is based on the optimalpriority algorithm (OPA) from Audsley et al. (1993) with an OPAcompatible schedulability analysis. However, since the schedulability test used in Huang et al. (2015) is not exact, the priority assignment is also not the optimal solution. Finding the optimal priority assignment for fixedpriority scheduling is still an open problem.
For dynamic selfsuspending task systems, as shown in Chen (2016), the speedup factor for any FP preemptive scheduling, compared to the optimal schedules, is not bounded by a constant if the suspension time cannot be reduced by speeding up. Such a statement of unbounded speedup factors was proved in Chen (2016) for earliestdeadlinefirst (EDF), leastlaxityfirst (LLF), and earliestdeadlinezerolaxity (EDZL) scheduling algorithms. How to design good schedulers with a constant speedup factor remains as an open problem.
8.2 Computational complexity of schedulability tests
We now present the computational complexity of schedulability tests for both selfsuspending task models considered in this report.
8.2.1 Segmented selfsuspending tasks
Preemptive fixedpriority scheduling In this case, the computational complexity of schedulability tests is \(co{\mathcal {NP}}\)hard in the strong sense even when the lowest priority task has at least two selfsuspension intervals and the higherpriority sporadic tasks do not suspend themselves (Chen 2016; Mohaqeqi et al. 2016). The computational complexity analysis holds for both implicitdeadline and constraineddeadline task systems, when the priority assignment is given. Moreover, validating whether there exists a feasible priority assignment is \(co{\mathcal {NP}}\)hard in the strong sense for constraineddeadline segmented selfsuspending task systems.
Preemptive dynamicpriority scheduling In this case, if the task systems have constrained deadlines, i.e., \(D_i \le T_i\), the computational complexity of this problem is at least co\({\mathcal {NP}}\)hard in the strong sense, since a special case of this problem is co\({\mathcal {NP}}\)complete in the strong sense (Ekberg and Yi 2015). It has been proved in Ekberg and Yi (2015) that verifying uniprocessor feasibility of ordinary sporadic tasks with constrained deadlines is strongly co\({\mathcal {NP}}\)complete. Therefore, when we consider constraineddeadline selfsuspending task systems, the complexity class is at least co\({\mathcal {NP}}\)hard in the strong sense.
It is also not difficult to see that the implicitdeadline case is also at least co\({\mathcal {NP}}\)hard. A special case of the segmented selfsuspending task system is to allow each task \(\tau _i\) to have exactly one selfsuspension interval with a fixed length \(S_i\) and one computation segment with WCET \(C_i\). Therefore, the relative deadline of the computation segment of task \(\tau _i\) (after it is released to be scheduled) is \(D_i = T_iS_i\). For such a special case, selfsuspension of a task is equivalent to a release offset of \(S_i\). Therefore, there is no need to consider any selfsuspension behavior any further. Scheduling in such a scenario is equivalent to ordinary constraineddeadline sporadic realtime task systems, in which preemptive EDF is optimal. It has been proved in Ekberg and Yi (2015) that verifying uniprocessor feasibility of ordinary sporadic tasks with constrained deadlines is strongly co\({\mathcal {NP}}\)complete. By the above discussions, any ordinary constraineddeadline sporadic task system can be converted to a corresponding implicitdeadline segmented selfsuspending task system, and their exact schedulability tests for EDF scheduling are identical. Since a special case of the problem is co\({\mathcal {NP}}\)complete in the strong sense, the problem is co\({\mathcal {NP}}\)hard in the strong sense.
8.2.2 Dynamic selfsuspending tasks
Preemptive fixedpriority scheduling In this case, the complexity class is at least weakly \({\mathcal {NP}}\)hard since the schedulability test problem for implicitdeadline task systems under uniprocessor preemptive fixedpriority scheduling, i.e., a special case, is weakly \({\mathcal {NP}}\)complete proved by Ekberg and Yi (2017). Therefore, the schedulability test problem for selfsuspending task systems under fixedpriority scheduling is at least weakly \({\mathcal {NP}}\)hard.
The computational complexity due to the additional dynamic selfsuspending behavior is in general unknown up to now. The only exception is the special case mentioned in Sect. 4.1.4 when there is only one dynamic selfsuspending sporadic task assigned to the lowest priority and the higherpriority tasks are ordinary sporadic tasks. That is, the computational complexity of this special case remains the same as that of nonselfsuspending sporadic task systems. Whether the problem (with dynamic selfsuspension) is \({\mathcal {NP}}\)hard in the weak or strong sense is an open problem.
List of flaws/incompleteness and their solutions in the literature. All the references to Section X in the column “Potential Solutions” are listed for this paper
Type of arguments  Affected papers and statements  Potential solutions  (Flaw/issue) status 

Conceptual flaws  Audsley and Bletsas (2004a), Audsley and Bletsas (2004b): wrong quantification of jitter  See Sect. 5.1 or the erratum filed by the authors Bletsas et al. (2018)  Solved 
Ming (1994): wrong quantification of jitter  See Sect. 5.1  Solved  
Bletsas and Audsley (2005): wrong quantification of jitter  Solved  
Lakshmanan and Rajkumar (2010): critical instant theorem in Section III and the response time analysis are incorrect  Solved  
Kim et al. (2013): incorrect accounting for the highestpriority interference in Theorems 2 and 3  See Sect. 5.4  Solved  
Kim et al. (2013), Ding et al. (2009): wrong schedulability test for segmented fixedpriority scheduling with periodic enforcement (Section IV in Kim et al. (2013), Sect. 3 in Ding et al. (2009))  See Sect. 5.5  Solved  
Nelissen et al. (2015): incorrect combination of techniques in Section VI by converting a higher priority selfsuspending task in a single nonselfsuspending task with jitter  See Sect. 5.6  Solved  
Inherited flaws  Kim et al. (1995), Zeng and di Natale (2011), Brandenburg (2013), Yang et al. (2013), Kim et al. (2014), Han et al. (2014), Carminati et al. (2014), Yang et al. (2014), and Lakshmanan et al. (2009): adopting wrong quantifications of jitters (refer to Sect. 6 in this paper)  See Sect. 6.4  Solved 
Liu and Anderson (2013): inherited flaw from Guan et al. (2009) and unsafe Lemma 1 to quantify the workload  See the erratum Liu and Anderson (2015) filed by the authors  Solved  
Closed issues  (Liu 2000, pp. 164–165): schedulability test without any proof  See (Chen et al. 2016b) for a proof  Solved 
Rajkumar (1991): period enforcer can be used for deferrable task systems. It may result in deadline misses for selfsuspending tasks and is not compatible with existing multiprocessor synchronization analyses  See (Chen and Brandenburg 2017) for the explanations.  Solved  
Open issues  Devi (2003): Proof of Theorem 8 for considering suspension as blocking in EDF is incomplete  ?  Unresolved 
Lakshmanan and Rajkumar (2010): proofs for slack enforcement in Sections IV and V are incomplete  ?  Unresolved 
9 Final discussion
Selfsuspensions are becoming an increasingly prominent characteristic in realtime systems, for example due to (i) I/Ointensive tasks, (ii) multiprocessor synchronization and scheduling, and (iii) computation offloading with coprocessors such as GPUs. This paper has reviewed the literature in the light of recent developments in the analysis of selfsuspending tasks, explained the general methodologies, summarized the computational complexity classes, and detailed a number of misconceptions in the literature concerning this topic. We have given concrete examples to demonstrate the effect of these misconceptions, listed some flawed statements in the literature, and presented potential solutions. For completeness, all the misconceptions, open issues, closed issues, and inherited flaws discussed in this paper are listed in Table 16.
This review extensively references errata and reports as follows: the proof (Chen et al. 2016b) of the correctness of the analysis by Jane W.S. Liu in her book (Liu 2000, pp. 164–165); the reexamination and the limitations (Chen and Brandenburg 2017) of the period enforcer algorithm proposed in Rajkumar (1991); the erratum report (Bletsas et al. 2018) of the misconceptions in Audsley and Bletsas (2004a), Audsley and Bletsas (2004b), Bletsas and Audsley (2005); and the erratum (Kim et al. 2016) of the misconceptions in Kim et al. (2013). For brevity, these errata and reports are only summarized in this review. We encourage interested readers to refer to these reports and errata for more detailed explanations.
9.1 Unresolved issues

Devi (in Theorem 8 in Devi 2003, Section 4.5) extended the analysis proposed by Jane W.S. Liu in her book (Liu 2000, Page 164165) to EDF scheduling. This method quantifies the additional interference due to selfsuspensions from the higherpriority jobs by setting up the blocking time induced by selfsuspensions. However, there is no formal proof in Devi (2003). The proof made by Chen et al. in Chen et al. (2016b, c) for fixedpriority scheduling cannot be directly extended to EDF scheduling. The correctness of Theorem 8 in Devi (2003), Section 4.5 should be supported with a rigorous proof, since selfsuspension behavior has induced several nontrivial phenomena.
 For segmented selfsuspending task systems with at most one selfsuspension interval, Lakshmanan and Rajkumar (2010) proposed two slack enforcement mechanisms to shape the demand of a selfsuspending task so that the task behaves like an ideal ordinary periodic task. From the scheduling point of view, this means that there is no scheduling penalty when analyzing the interferences of the higherpriority tasks. However, the suspension time of the task under analysis has to be converted into computation. The correctness of the dynamic slack enforcement in Lakshmanan and Rajkumar (2010) is heavily based on the statement of their Lemma 4. However, the proof is not rigorous for the following reasons:For similar reasons, the static slack enforcement algorithm in Lakshmanan and Rajkumar (2010) also requires a more rigorous proof.

Firstly, the proof argues: “Let the durationRunder consideration start from timesand finish at time\(s + R\). Observe that ifsdoes not coincide with the start of the Levelibusy period ats, thenscan be shifted to the left to coincide with the start of the Levelibusy period. Doing so will not decrease the Leveliinterference overR.” This argument has to be expanded to also handle cases in which a task suspends before the \(Leveli\) busy period. This results in the possibility that a higherpriority task \(\tau _j\) starts with the second computation segment in the Leveli busy period. Therefore, the first and the third paragraphs in the proof of Lemma 4 (Lakshmanan and Rajkumar 2010) require more rigorous reasoning.

Secondly, the proof argues: “The only property introduced by dynamic slack enforcement is that under worstcase interference from higherpriority tasks there is no slack available to\(J_j^p\)between\(f_j^p\)and\(\rho _j^p + R_j\). [...]The second segment of\(\tau _j\)is never delayed under this transformation, and is released sporadically.” In fact, the slack enforcement may make the second computation segment arrive earlier than its worst case. For example, we can greedily start with the worstcase interference of task \(\tau _j\) in the first iteration, and do not release the higherpriority tasks of task \(\tau _j\) after the arrival of the second job of task \(\tau _j\). This can immediately create some release jitter of the second computation segment \(C_j^2\).

9.2 Nonimplicated approaches
 For segmented selfsuspending task systems:
 1.
Rajkumar’s period enforcer (Rajkumar 1991) if a selfsuspending task can only suspend at most once and only before any computation starts;
 2.
the result by Palencia and Harbour (1998) using the arrival jitter of a higherpriority task properly with an offset (also for multiprocessor partitioned scheduling);
 3.
the proof of \({\mathcal {NP}}\)hardness in the strong sense to find a feasible schedule and negative results with respect to the speedup factors, provided by Ridouard et al. (2004);
 4.
the result by Nelissen et al. (2015) by enumerating the worstcase interference from higherpriority sporadic tasks with an exhaustive search;
 5.
the result by Chen and Liu (2014), Huang and Chen (2016), Peng and Fisher (2016), and von der Brüggen et al. (2016) using the releasetime enforcement as described in Sect. 4.3.2^{7};
 6.
the result by Huang and Chen (2015b) exploring the priority assignment problem and analyzing the carryin computation segments together;
 7.
the proof of co\({\mathcal {NP}}\)hardness by Chen (2016) and Mohaqeqi et al. (2016) based on a reduction from the 3partition problem when there are at least two suspension intervals.
 1.
 For dynamic selfsuspending task systems on uniprocessor platforms:
 1.
 2.
the utilizationbased analysis by Liu and Chen (2014) under ratemonotonic scheduling;
 3.
the priority assignment and the schedulability analysis with a speedup factor 2, with respect to optimal fixedpriority scheduling, by Huang et al. (2015);
 4.
 5.
the negative results regarding existing scheduling algorithms with respect to speedup factors by Chen (2016).
 1.
 For dynamic selfsuspending task systems on identical multiprocessors:
 1.
the schedulability test for global EDF scheduling by Liu and Liu and Anderson (2013);
 2.
the schedulability test by Liu et al. (2014a) for harmonic task systems with strictly periodic job arrivals;
 3.
the utilizationbased schedulability analysis by Chen et al. (2015) considering carryin jobs as bursty behavior.
 1.
Footnotes
 1.
 2.
 3.
It is in fact not clear why suspension induces blocking. Chen et al. (2016c) noted that “Even though the authors in this paper are able to provide a proof to support the correctness, the authors are not able to provide any rationale behind this method which treats suspension time as blocking time.” Here, we still use the original wording introduced by Jane Liu for consistency with the existing literature.
 4.
 5.
In general, the upper bound on blocking of course depends on the specific locking protocol in use, but in this example, by construction, the stated bound holds under any reasonable locking protocol. Recent surveys of multiprocessor semaphore protocols may be found in Brandenburg (2013), Yang et al. (2015).
 6.
This list is not exhaustive as not all selfsuspension results that were published after 2015 have been carefully examined by the authors.
 7.
Chen and Liu found a typo in Theorem 3 in Chen and Liu (2014) and filed a corresponding erratum in their websites.
Notes
Acknowledgements
This paper has been partially supported by DFG, as part of the Collaborative Research Center SFB876 (http://sfb876.tudortmund.de/), subproject B2. This work has been partially supported by National Funds through FCT/MCTES (Portuguese Foundation for Science and Technology) within the CISTER Research Unit (CEC/04234); also by FCT and the EU ECSEL JU under the H2020 Framework Programme, within projects EMC2 (ARTEMIS/0001/2013, JU Grant No. 621429) and CONCERTO (ARTEMIS/0003/2012, JU Grant No. 333053). This work has been partially supported by NSFC (Grant No. 61802052), and by the China Postdoctoral Science Foundation Funded Project (Grant No. 2017M612947). This material is based upon work funded and supported by NSF grants OISE 1427824, CNS 1527727, and CNS CAREER 1750263, and the Department of Defense under Contract No. FA872105C0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for nonUS Government use and distribution. Carnegie Mellon\(^{\copyright }\) is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. DM0003197
References
 Audsley NC (1991) Optimal priority assignment and feasibility of static priority tasks with arbitrary start times. Tech. Report YCS164, Department of Computer Science, University of YorkGoogle Scholar
 Audsley NC, Bletsas K (2004a) Fixed priority timing analysis of realtime systems with limited parallelism. In: Proceedings of the 16th Euromicro conference on realtime systems (ECRTS), pp 231–238Google Scholar
 Audsley NC, Bletsas K (2004b) Realistic analysis of limited parallel software/hardware implementations. In: Proceedings of the 10th IEEE realtime and embedded technology and applications symposium (RTAS), pp 388–395Google Scholar
 Audsley N, Burns A, Richardson M, Tindell K, Wellings A (1993) Applying new scheduling theory to static priority preemptive scheduling. Softw Eng J 8(5):284–292CrossRefGoogle Scholar
 Baruah S (2007) Techniques for multiprocessor global schedulability analysis. Proceedings of the 28th IEEE international realtime systems symposium, pp 119–128Google Scholar
 Baruah S, Chen D, Gorinsky S, Mok A (1999) Generalized multiframe tasks. RealTime Syst 17(1):5–22CrossRefGoogle Scholar
 Bini E, Buttazzo GC, Buttazzo GM (2003) Rate monotonic analysis: the hyperbolic bound. IEEE Trans Comput 52(7):933–942CrossRefGoogle Scholar
 Biondi A, Balsini A, Pagani M, Rossi E, Marinoni M, Buttazzo GC (2016) A framework for supporting realtime applications on dynamic reconfigurable FPGAs. In: Proceedings of the IEEE realtime systems symposium, RTSS, pp 1–12Google Scholar
 Bletsas K (2007) Worstcase and bestcase timing analysis for realtime embedded systems with limited parallelism, Ph.D. thesis, Dept of Computer Science, University of York, UKGoogle Scholar
 Bletsas K, Audsley NC (2005) Extended analysis with reduced pessimism for systems with limited parallelism. In: Proceedings of the 11th IEEE international conference on embedded and realtime computing systems and applications (RTCSA), pp 525–531Google Scholar
 Bletsas K, Audsley NC, Huang WH, Chen JJ, Nelissen G (2018) Errata for three papers (2004–05) on fixedpriority scheduling with selfsuspensions. Leibniz Trans Embed Syst 5(1):2:1–2:20Google Scholar
 Block A, Leontyev H, Brandenburg B, Anderson J (2007) A flexible realtime locking protocol for multiprocessors. In: Proceedings of the RTCSA, pp 47–56Google Scholar
 Brandenburg B (2011) Scheduling and locking in multiprocessor realtime operating systems, Ph.D. thesis, The University of North Carolina at Chapel HillGoogle Scholar
 Brandenburg B (2013) Improved analysis and evaluation of realtime semaphore protocols for PFP scheduling. In: Proceedings of the RTAS, pp 141–152Google Scholar
 Brandenburg B, Anderson J (2010) Optimality results for multiprocessor realtime locking. In: Proceedings of the 31st realtime systems symposium, pp 49–60Google Scholar
 Carminati A, de Oliveira R, Friedrich L (2014) Exploring the design space of multiprocessor synchronization protocols for realtime systems. J Syst Archit 60(3):258–270CrossRefGoogle Scholar
 Chen JJ (2016) Computational complexity and speedup factors analyses for selfsuspending tasks. In: Proceedings of the realtime systems symposium (RTSS), pp 327–338Google Scholar
 Chen JJ, Brandenburg B (2017) A note on the period enforcer algorithm for selfsuspending tasks. Leibniz Trans Embed Syst (LITES) 4(1):01:1–01:22Google Scholar
 Chen JJ, Liu C (2014) Fixedrelativedeadline scheduling of hard realtime tasks with selfsuspensions. In: Proceedings of the IEEE 35th IEEE realtime systems symposium (RTSS). A typo in the schedulability test in Theorem 3 was identified on 13 May 2015. http://ls12www.cs.tudortmund.de/daes/media/documents/publications/downloads/2014chenFRDerratum.pdf, pp 149–160
 Chen JJ, Huang WH, Liu C (2015) k2U: A general framework from kpoint effective schedulability analysis to utilizationbased tests. In: Proceedings of the realtime systems symposium (RTSS), pp 107–118Google Scholar
 Chen JJ, Huang W, Liu C (2016a) k2Q: a quadraticform response time and schedulability analysis framework for utilizationbased analysis. In: Proceedings of the 2016 IEEE realtime systems symposium, RTSS, pp 351–362Google Scholar
 Chen JJ, Huang WH, Nelissen G (2016b) A note on modeling selfsuspending time as blocking time in realtime systems. Computing Research Repository (CoRR). http://arxiv.org/abs/1602.07750
 Chen JJ, Nelissen G, Huang WH (2016c) A unifying response time analysis framework for dynamic selfsuspending tasks. In: Proceedings of the Euromicro conference on realtime systems (ECRTS), pp 327 – 338Google Scholar
 Devi UC (2003) An improved schedulability test for uniprocessor periodic task systems. In: Proceedings of the 15th Euromicro conference on realtime systems (ECRTS), pp 23–32Google Scholar
 Devi UC (2006) Soft realtime scheduling on multiprocessors, Ph.D. thesis, University of North Carolina at Chapel HillGoogle Scholar
 Devi U, Anderson J (2005) Tardiness bounds under global EDF scheduling on a multiprocessor. In: Proceedings of the 26th IEEE realtime systems symposium, pp 330–341Google Scholar
 Ding S, Tomiyama H, Takada H (2009) Effective scheduling algorithms for I/O blocking with a multiframe task model. IEICE Trans 92–D(7):1412–1420CrossRefGoogle Scholar
 Dong Z, Liu C (2016) Closing the loop for the selective conversion approach: a utilizationbased test for hard realtime suspending task systems. In: Proceedings of the realtime systems symposium (RTSS), pp 339–350Google Scholar
 Dutertre B (1999) The priority ceiling protocol: formalization and analysis using PVS. In: Proceedings of the 21st IEEE Conference on RealTime Systems Symposium (RTSS), pp 151–160Google Scholar
 Ekberg P, Yi W (2015) Uniprocessor feasibility of sporadic tasks with constrained deadlines is strongly coNPComplete. In: Proceedings of the 27th Euromicro conference on realtime systems, ECRTS, pp 281–286Google Scholar
 Ekberg P, Yi W (2017) Fixedpriority schedulability of sporadic tasks on uniprocessors is nphard. In: Proceedings of the 2017 IEEE realtime systems symposium, RTSS 2017, Paris, France, December 5–8, 2017, pp 139–146Google Scholar
 Fonseca J, Nelissen G, Nelis V, Pinho LM (2016) Response time analysis of sporadic dag tasks under partitioned scheduling. In: Proceedings of the 11th IEEE Symposium on Industrial Embedded Systems (SIES), pp 1–10Google Scholar
 Goossens J, Devillers R (1997) The nonoptimality of the monotonic priority assignments for hard realtime offset free systems. RealTime Syst 13(2):107–126CrossRefGoogle Scholar
 Goossens J, Devillers R (1999) Feasibility intervals for the deadline driven scheduler with arbitrary deadlines. In: Proceedings of the sixth international conference on realtime computing systems and applications (RTCSA), pp 54–61Google Scholar
 Guan N, Stigge M, Yi W, Yu G (2009) New response time bounds for fixed priority multiprocessor scheduling. In: Proceedings of the IEEE realtime systems symposium, pp 387–397Google Scholar
 Han G, Zeng H, di Natale M, Liu X, Dou W (2014) Experimental evaluation and selection of data consistency mechanisms for hard realtime applications on multicore platforms. IEEE Trans Ind Inf 10(2):903–918CrossRefGoogle Scholar
 Huang WH, Chen JJ (2015a) Response time bounds for sporadic arbitrarydeadline tasks under global fixedpriority scheduling on multiprocessors. In: Proceedings of the RTNS, pp 215–224Google Scholar
 Huang WH, Chen JJ (2015b) Schedulability and priority assignment for multisegment selfsuspending realtime tasks under fixedpriority scheduling, Tech. report, Technical University of Dortmund. http://ls12www.cs.tudortmund.de/daes/media/documents/publications/downloads/2015technicalreportmultisegKevin.pdf
 Huang WH, Chen JJ (2015c) Techniques for schedulability analysis in mode change systems under fixedpriority scheduling. In: Proceedings of the embedded and realtime computing systems and applications (RTCSA), pp 176–186Google Scholar
 Huang WH, Chen JJ (2016) Selfsuspension realtime tasks under fixedrelativedeadline fixedpriority scheduling. Design, Automation, and Test in Europe (DATE), pp 1078–1083Google Scholar
 Huang WH, Chen JJ, Zhou H, Liu C (2015) PASS: priority assignment of realtime tasks with dynamic suspending behavior under fixedpriority scheduling. In: Proceedings of the design automation conference (DAC), pp 154:1–154:6Google Scholar
 Huang WH, Chen JJ, Reineke J (2016) MIRROR: symmetric timing analysis for realtime tasks on multicore platforms with shared resources. In: Proceedings of the design automation conference, DAC, pp 158:1–158:6Google Scholar
 Kang W, Son S, Stankovic J, Amirijoo M (2007) I/Oaware deadline miss ratio management in realtime embedded databases. In: Proceedings of the 28th IEEE realtime systems symposium, pp 277–287Google Scholar
 Kato S, Lakshmanan K, Kumar A, Kelkar M, Ishikawa Y, Rajkumar R (2011) RGEM: a responsive GPGPU execution model for runtime engines. In: Proceedings of the realtime systems symposium RTSS, pp 57–66Google Scholar
 Kim I, Choi K, Park S, Kim D, Hong M (1995) Realtime scheduling of tasks that contain the external blocking intervals. In: In: Proceedings of the RTCSA, pp 54–59Google Scholar
 Kim J, Andersson B, de Niz D, Rajkumar R (2013) Segmentfixed priority scheduling for selfsuspending realtime tasks. In: Proceedings of the IEEE 34th realtime systems symposium, (RTSS), pp 246–257Google Scholar
 Kim H, Wang S, Rajkumar R (2014) vMPCP: a synchronization framework for multicore virtual machines. In: Proceedings of the realtime systems symposium RTSS, pp 86–95Google Scholar
 Kim J, Andersson B, de Niz D, Chen JJ, Huang WH, Nelissen G (2016) Segmentfixed priority scheduling for selfsuspending realtime tasks, Tech. Report CMU/SEI2016TR002, CMU/SEI. http://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_466102.pdf
 Lakshmanan K, Rajkumar R (2010) Scheduling selfsuspending realtime tasks with ratemonotonic priorities. In: Proceedings of the 16th IEEE realtime and embedded technology and applications symposium (RTAS), pp 3–12Google Scholar
 Lakshmanan K, De Niz D, Rajkumar R (2009) Coordinated task scheduling, allocation and synchronization on multiprocessors. In: Proceedings of the RTSS, pp 469–478Google Scholar
 Lehoczky J, Sha L, Ding Y (1989) The rate monotonic scheduling algorithm: exact characterization and average case behavior. In: Proceedings of the RTSS, pp 166–171Google Scholar
 Leontyev H (2010) Compositional analysis techniques for multiprocessor soft realtime scheduling, Ph.D. thesis, University of North Carolina at Chapel HillGoogle Scholar
 Leontyev H, Anderson J (2007) Tardiness bounds for FIFO scheduling on multiprocessors. In: Proceedings of the 19th Euromicro conference on realtime systems, pp 7180Google Scholar
 Liu JWSW (2000) Realtime systems, 1st edn. Prentice Hall PTR, Upper Saddle RiverGoogle Scholar
 Liu C, Anderson J (2009) Task scheduling with selfsuspensions in soft realtime multiprocessor systems. In: Proceedings of the 30th realtime systems symposium, pp 425–436Google Scholar
 Liu C, Anderson J (2010a) Improving the schedulability of sporadic selfsuspending soft realtime multiprocessor task systems. In: Proceedings of the 16th IEEE international conference on embedded and realtime computing systems and applications (RTCSA), pp 14–23Google Scholar
 Liu C, Anderson J (2010b) Scheduling suspendable, pipelined tasks with nonpreemptive sections in soft realtime multiprocessor systems. In: Proceedings of the 16th IEEE realtime and embedded technology and applications symposium (RTAS), pp 23–32Google Scholar
 Liu C, Anderson J (2012a) A new technique for analyzing soft realtime selfsuspending task systems. In: Proceedings of the ACM SIGBED review, pp 29–32Google Scholar
 Liu C, Anderson J (2012b) An O(m) analysis technique for supporting realtime selfsuspending task systems. In: Proceedings of the 33th IEEE Realtime systems symposium (RTSS), pp 373–382Google Scholar
 Liu C, Anderson JH (2013) Suspensionaware analysis for hard realtime multiprocessor scheduling. In: Proceedings of the 25th Euromicro conference on realtime systems, ECRTS, pp 271–281Google Scholar
 Liu C, Anderson JH (2015) Erratum to “suspensionaware analysis for hard realtime multiprocessor scheduling”. https://cs.unc.edu/~anderson/papers/ecrts13e_erratum.pdf
 Liu CL, Layland JW (1973) Scheduling algorithms for multiprogramming in a hardrealtime environment. J ACM 20(1):46–61MathSciNetCrossRefzbMATHGoogle Scholar
 Liu C, Chen JJ (2014) Burstyinterference analysis techniques for analyzing complex realtime task models. In: Proceedings of the realtime systems symposium (RTSS), pp 173–183Google Scholar
 Liu C, Chen JJ, He L, Gu Y (2014a) Analysis techniques for supporting harmonic realtime tasks with suspensions. In: Proceedings of the 26th Euromicro conference on realtime systems, ECRTS 2014, Madrid, Spain, July 8–11, 2014, pp 201–210Google Scholar
 Liu W, Chen JJ, Toma A, Kuo TW, Deng Q (2014b) Computation offloading by using timing unreliable components in realtime systems. In: Proceedings of the the 51st annual design automation conference on design automation conference—DAC ’14, pp 39:1–39:6Google Scholar
 Ming L (1994) Scheduling of the interdependent messages in realtime communication. In: Proceedings of the first international workshop on realtime computing systems and applicationsGoogle Scholar
 Mohaqeqi M, Ekberg P, Yi W (2016) On fixedpriority schedulability analysis of sporadic tasks with selfsuspension. In: Proceedings of the 24th international conference on realtime networks and systems, RTNS, pp 109–118Google Scholar
 Mok AK (1983) Fundamental design problems of distributed systems for the hardrealtime environment. Tech. report, Massachusetts Institute of Technology, Cambridge, MA, USAGoogle Scholar
 Nelissen G, Fonseca J, Raravi G, Nelis V (2015) Timing analysis of fixed priority selfsuspending sporadic tasks. In: Proceedings of the Euromicro conference on realtime systems (ECRTS), pp 80–89Google Scholar
 Nelissen G, Fonseca J, Raravi G, Nélis V (2017) Errata: Timing analysis of fixed priority selfsuspending sporadic tasks. Tech. Report CISTERTR170205, CISTER, ISEP, INESCTECGoogle Scholar
 Nemati F, Behnam M, Nolte T (2011) Independentlydeveloped realtime systems on multicores with shared resources. In: Proceedings of the ECRTS, pp 251–261Google Scholar
 Nimmagadda Y, Kumar K, Lu YH, Lee CG (2010) Realtime moving object recognition and tracking using computation offloading. In: Proceedings of the 2010 IEEE/RSJ international conference on intelligent robots and systems (IROS), IEEE, pp 2449–2455Google Scholar
 Palencia JC, Harbour MG (1998) Schedulability analysis for tasks with static and dynamic offsets. In: Proceedings of the 19th IEEE realtime systems symposium (RTSS), pp 26–37Google Scholar
 Peng B, Fisher N (2016) Parameter adaptation for generalized multiframe tasks and applications to selfsuspending tasks. In: Proceedings of the international conference on realtime computing systems and applications (RTCSA), pp 49–58Google Scholar
 Rajkumar R (1990) Realtime synchronization protocols for shared memory multiprocessors. ICDCS, pp 116–123Google Scholar
 Rajkumar R (1991) Dealing with Suspending Periodic Tasks., Tech. report, IBM T. J. Watson Research Center. http://www.cs.cmu.edu/afs/cs/project/rtmach/public/papers/periodenforcer.ps
 Richard P (2003) On the complexity of scheduling realtime tasks with selfsuspensions on one processor. In: Proceedings of the 15th Euromicro conference on realtime systems (ECRTS), pp 187–194Google Scholar
 Ridouard F, Richard P (2006) Worstcase analysis of feasibility tests for selfsuspending tasks. In: Proceedings of the 14th realtime and network systems RTNS, Poitiers, pp 15–24Google Scholar
 Ridouard F, Richard P, Cottet F (2004) Negative results for scheduling independent hard realtime tasks with selfsuspensions. In: Proceedings of the 25th IEEE international realtime systems symposium, pp 47–56Google Scholar
 Sha L, Rajkumar R, Lehoczky J (1990) Priority inheritance protocols: an approach to realtime synchronization. IEEE Trans Comput 39(9):1175–1185MathSciNetCrossRefzbMATHGoogle Scholar
 Spuri M (1996) Analysis of deadline scheduled realtime systems. Tech. Report RR2772, INRIAGoogle Scholar
 Sun Y, Lipari G, Guan N, Yi W et al (2014) Improving the response time analysis of global fixedpriority multiprocessor scheduling. In: Proceedings of the IEEE international conference on embedded and realtime computing systems and applications (RTCSA), pp 1–9Google Scholar
 Toma A, Chen JJ (2013) Computation offloading for framebased realtime tasks with resource reservation servers. In: Proceedings of the ECRTS, pp 103–112Google Scholar
 von der Brüggen G, Huang WH, Chen JJ, Liu C (2016) Uniprocessor scheduling strategies for selfsuspending task systems. In: Proceedings of the international conference on realtime networks and systems, RTNS ’16, pp 119–128Google Scholar
 von der Brüggen G, Huang WH, Chen JJ (2017) Hybrid selfsuspension models in realtime embedded systems. In: Proceedings of the IEEE international conference on embedded and realtime computing systems and applications, RTCSA, pp 1–9Google Scholar
 Wieder A, Brandenburg B (2013) On spin locks in AUTOSAR: blocking analysis of FIFO, unordered, and priorityordered spin locks. In: Proceedings of the RTSS, pp 45–56Google Scholar
 Yang M, Lei H, Liao Y, Rabee F (2013) PKOMLP: An OMLP based kexclusion realtime locking protocol for multi GPU sharing under partitioned scheduling. In: Proceedings of the DASC, pp 207–214Google Scholar
 Yang M, Lei H, Liao Y, Rabee F (2014) Improved blocking time analysis and evaluation for the multiprocessor priority ceiling protocol. J Comput Sci Technol 29(6):1003–1013MathSciNetCrossRefGoogle Scholar
 Yang M, Wieder A, Brandenburg B (2015) Global realtime semaphore protocols: a survey, unified analysis, and comparison. In: Proceedings of the IEEE realtime systems symposium (RTSS), pp 1–12Google Scholar
 Zeng H, di Natale M (2011) Mechanisms for guaranteeing data consistency and flow preservation in AUTOSAR software on multicore platforms. In: Proceedings of the SIES, pp 140–149Google Scholar
 Zhang F, Burns A (2009) Schedulability analysis for realtime systems with EDF scheduling. IEEE Trans Comput 58(9):1250–1258MathSciNetCrossRefzbMATHGoogle Scholar
Copyright information
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.