Deadlock

COMP3151/9151 Foundations of Concurrency Lecture 10

Termination 2: Deadlock-Freedom

Kai Engelhardt

CSE, UNSW (and data61)

Revision: 1.5 of Date: 2017/10/09 01:00:47 UTC

1 Deadlock

Deadlock Classes

A non-terminated process is deadlocked if it cannot move anymore. In the context of concurrency:

A deadlock is a situation wherein two or more competing actions are waiting for the other to finish, and thus neither ever does. [wikipedia] In our setting of transition diagrams, there are two distinct causes for deadlock:

Message deadlock: the process blocks on a receive (or synchronous send) statement, but no communication partner will ever execute the corresponding send (receive) statement.

Resource deadlock: the process blocks in a state from which only guarded transitions depart, but none of the guards will ever become true again.

Deadlock-Avoidance by Order

A simple resource acquisition policy can be formulated that precludes resource deadlocks by avoiding cycles in wait-for-graphs.

[...] assign a precedence to each resource and force processes to request resources in order of increasing precedence. [wikipedia] This is a common solution in operating systems and databases.
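The precedence policy, and the wait-for-graph cycle it is designed to make impossible, as an added Python example (not from the lecture; OrderedLock, wait_for_cycle and transfer are illustrative names, not a library API). OrderedLock refuses any acquisition that is not in strictly increasing precedence, so no thread can ever hold a higher-precedence lock while waiting for a lower one; wait_for_cycle is the detection side, finding a cycle among processes that hold and wait for resources.

```python
"""Resource ordering and wait-for-graph cycle detection.

Added example (not from the lecture). OrderedLock, wait_for_cycle and
transfer are illustrative names, not a library API.
"""
import threading
from typing import Dict, List, Optional, Set


def wait_for_cycle(holds: Dict[str, Set[str]],
                   waits: Dict[str, str]) -> Optional[List[str]]:
    """Return a cycle in the wait-for graph, or None if there is none.

    holds: process -> set of resources it currently holds.
    waits: process -> the one resource it is blocked on (a blocked process
           waits for exactly one resource, so every node has out-degree <= 1).
    Process p waits for process q iff p's requested resource is held by q.
    """
    owner = {r: p for p, rs in holds.items() for r in rs}
    edge = {p: owner.get(r) for p, r in waits.items()}   # None: resource is free
    for start in edge:
        path, cur = [], start
        while cur is not None and cur not in path:
            path.append(cur)
            cur = edge.get(cur)                          # non-waiting process: None
        if cur is not None:                              # revisited a node: a cycle
            return path[path.index(cur):]
    return None


class OrderedLock:
    """A mutex with a fixed precedence.

    A thread may only acquire a lock whose precedence is strictly greater
    than every lock it already holds, so its acquisition order is always
    increasing and the wait-for graph cannot contain a cycle.
    """
    _held = threading.local()          # per-thread stack of held precedences

    def __init__(self, precedence: int, name: str):
        self.precedence, self.name = precedence, name
        self._lock = threading.Lock()

    @classmethod
    def _stack(cls) -> List[int]:
        if not hasattr(cls._held, "stack"):
            cls._held.stack = []
        return cls._held.stack

    def acquire(self) -> None:
        stack = self._stack()
        if stack and stack[-1] >= self.precedence:
            raise RuntimeError(f"lock-order violation: {self.name} "
                               f"(precedence {self.precedence}) requested while "
                               f"holding precedence {stack[-1]}")
        self._lock.acquire()
        stack.append(self.precedence)

    def release(self) -> None:
        stack = self._stack()
        if not stack or stack[-1] != self.precedence:
            raise RuntimeError("locks must be released in LIFO order")
        stack.pop()
        self._lock.release()

    def __enter__(self):
        self.acquire()
        return self

    def __exit__(self, *exc):
        self.release()


def acquire_pair(first: OrderedLock, second: OrderedLock) -> bool:
    """Take first then second; True if the policy allowed it, False if refused."""
    try:
        with first, second:              # if second is refused, first is released
            return True
    except RuntimeError:
        return False


def transfer(src: OrderedLock, dst: OrderedLock,
             balances: Dict[str, int], amount: int) -> None:
    """Two-account transfer: lock in increasing precedence no matter which
    account is the source, so concurrent opposite transfers cannot deadlock."""
    if src is dst:
        raise ValueError("source and destination must differ")
    for lock in sorted((src, dst), key=lambda l: l.precedence):
        lock.acquire()
    try:
        balances[src.name] -= amount
        balances[dst.name] += amount
    finally:
        for lock in sorted((src, dst), key=lambda l: l.precedence, reverse=True):
            lock.release()
```

The refusal in acquire turns a would-be deadlock into a loud error at the first out-of-order request, which is what lock-order checkers in operating-system kernels do; the wait-for-graph check is what a database lock manager runs periodically to pick a victim when the policy is not enforced.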

Deadlock-Avoidance by Resource-Scheduling

Around 1964 Dijkstra described a Banker's algorithm to overcome a problem he called deadly embrace [Dij64]. It requires both the number of processes and their resource needs to be static. It boils down to granting a request only if all the resources a process may still need can then be granted, so as to avoid entering unsafe states in which more than one process holds a partial set of resources.
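The Banker's safety test and the grant decision built on it, as an added Python example (not Dijkstra's own code). Each process declares its maximum demand up front; a request is granted only if enough is free and the state after the tentative grant still has a safe sequence, i.e. an order in which every process can run to completion using what is free plus what finishing processes return. The matrices in textbook_state() are constructed sample data.

```python
"""Banker's algorithm: grant a request only if the resulting state is safe.

Added example, not from Dijkstra's note. Matrices are 0-indexed lists; the
numbers in textbook_state() are constructed for illustration.
"""
from typing import List, Optional

Vec = List[int]


def safe_sequence(available: Vec, max_need: List[Vec],
                  allocation: List[Vec]) -> Optional[List[int]]:
    """Return an order in which all processes can run to completion with the
    resources currently free, or None if none exists (the state is unsafe).

    need[i] = max_need[i] - allocation[i] is what process i may still ask for,
    which is why every process's maximum must be declared up front (static)."""
    n, m = len(max_need), len(available)
    need = [[max_need[i][j] - allocation[i][j] for j in range(m)] for i in range(n)]
    work, done, order = list(available), [False] * n, []
    progress = True
    while progress:
        progress = False
        for i in range(n):
            if not done[i] and all(need[i][j] <= work[j] for j in range(m)):
                # i can finish with what is free now, then returns all it holds
                work = [work[j] + allocation[i][j] for j in range(m)]
                done[i], progress = True, True
                order.append(i)
    return order if all(done) else None


def request(pid: int, req: Vec, available: Vec, max_need: List[Vec],
            allocation: List[Vec]) -> bool:
    """Try to grant req to process pid.  True (state updated) if granted;
    False if the process must wait, either because the resources are not free
    or because granting would enter an unsafe state."""
    m = len(available)
    need = [max_need[pid][j] - allocation[pid][j] for j in range(m)]
    if any(req[j] > need[j] for j in range(m)):
        raise ValueError(f"process {pid} exceeded its declared maximum")
    if any(req[j] > available[j] for j in range(m)):
        return False                              # not enough free: wait
    new_available = [available[j] - req[j] for j in range(m)]
    new_allocation = [row[:] for row in allocation]
    new_allocation[pid] = [allocation[pid][j] + req[j] for j in range(m)]
    if safe_sequence(new_available, max_need, new_allocation) is None:
        return False                              # would be unsafe: deny
    available[:] = new_available                  # commit the tentative grant
    allocation[pid][:] = new_allocation[pid]
    return True


def textbook_state():
    """Constructed sample state: 5 processes, 3 resource types."""
    available = [3, 3, 2]
    max_need = [[7, 5, 3], [3, 2, 2], [9, 0, 2], [2, 2, 2], [4, 3, 3]]
    allocation = [[0, 1, 0], [2, 0, 0], [3, 0, 2], [2, 1, 1], [0, 0, 2]]
    return available, max_need, allocation
```

Note that denial is not the same as "not enough free": in the sample state, a request of (3, 3, 0) by process 4 fits within what is available, yet it is refused because no process could finish afterwards. That refusal is the whole point of the algorithm, and it depends on the declared maxima being honest and fixed.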

Deadlock for Transition Diagrams

A transition $\ell \xrightarrow{b \to f} \ell'$ is enabled in a state $\sigma$ if its boolean condition $b$ is satisfied in $\sigma$. A process is blocked at a location $\ell$ if it has not terminated ($\ell \neq t$) and none of its transitions are enabled there. A concurrent program is deadlocked if some of its processes are blocked and the remaining ones have terminated. Clearly, deadlock is an undesirable situation. How can we prove deadlock-freedom?

Characterisation of Blocking

Let $P = P_1 \parallel \dots \parallel P_n$ with precondition $\varphi$, and assume that for each process $P_i = (L_i, T_i, s_i, t_i)$ of $P$ there is a local assertion network $(Q_\ell)_{\ell \in L_i}$ satisfying all but the last condition ($\models \bigwedge_i Q_{t_i} \to \psi$) of the Owicki/Gries method for proving $\{\varphi\}\, P\, \{\psi\}$.

Process $P_i$ can only be blocked in state $\sigma$ at a non-final location $\ell \in L_i \setminus \{t_i\}$, from which $m$ transitions with boolean conditions $b_1, \dots, b_m$ depart, if $\sigma \models c_\ell$, where $c_\ell = Q_\ell \land \neg \bigvee_{k=1}^{m} b_k$.

Characterisation of Blocking cont’d

Consequently, using the predicates $B_i = \bigvee_{\ell \in L_i \setminus \{t_i\}} c_\ell$, deadlock can only occur in a state $\sigma$ if

$\sigma \models \bigwedge_{i=1}^{n} (Q_{t_i} \lor B_i) \;\land\; \bigvee_{i=1}^{n} B_i$

holds. (Every process has terminated or is blocked, and at least one is blocked.)

Owicki/Gries Deadlock-Freedom Condition

$\models \neg\Big(\bigwedge_{i=1}^{n} (Q_{t_i} \lor B_i) \;\land\; \bigvee_{i=1}^{n} B_i\Big)$ (DFC)

DFC ensures that $P$ will not deadlock when started in a state satisfying $\varphi$.
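Unfolding DFC for two processes makes visible which combinations it rules out (added derivation, not on the slide; same symbols as above):

```latex
\begin{align*}
\mathrm{DFC} \;\equiv\;& \neg\Big(\bigwedge_{i=1}^{2}(Q_{t_i} \lor B_i) \;\land\; \bigvee_{i=1}^{2} B_i\Big) \\
\equiv\;& \neg\Big((Q_{t_1}\lor B_1)\land(Q_{t_2}\lor B_2)\land(B_1\lor B_2)\Big) \\
\equiv\;& \neg\Big((Q_{t_1}\land B_2)\;\lor\;(B_1\land Q_{t_2})\;\lor\;(B_1\land B_2)\Big)
   \qquad\text{(distribute; } Q_{t_1}\land Q_{t_2}\land(B_1\lor B_2) \text{ is absorbed by the other disjuncts)} \\
\equiv\;& \neg(Q_{t_1}\land B_2)\;\land\;\neg(B_1\land Q_{t_2})\;\land\;\neg(B_1\land B_2).
\end{align*}
```

Each conjunct excludes one pattern: $P_1$ terminated while $P_2$ is stuck, $P_2$ terminated while $P_1$ is stuck, and both stuck. Since $B_i$ is itself a disjunction over the non-final locations of $P_i$, the last conjunct splits further into one obligation $\models \neg(c_\ell \land c_{\ell'})$ per pair of locations $\ell \in L_1 \setminus \{t_1\}$, $\ell' \in L_2 \setminus \{t_2\}$; in practice most of these are discharged because $Q_\ell \land Q_{\ell'}$ is already contradictory.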

Example 3

Prove deadlock freedom of this program:

[Figure: transition diagrams of P1 (locations s1, t1) and P2 (locations s2, ℓ2, t2); one of the transitions is guarded by false.]


Soundness & Completeness

Theorem The Owicki/Gries method with the last condition replaced by DFC is sound and semantically complete for proving deadlock-freedom relative to some precondition φ.


Deadlock-Freedom for Synchronous Transition Diagrams

An I/O transition can occur iff the guards of both (matching) transitions involved hold. For a global configuration¹ $\langle \ell; \sigma \rangle$ define

$\sigma \models \mathit{live}_\ell$ iff $\begin{cases} \text{true} & \text{if all local locations are terminal,} \\ \text{a transition is enabled in } \langle \ell; \sigma \rangle & \text{otherwise.} \end{cases}$

If we can show that every configuration $\langle \ell; \sigma \rangle$ reachable from an initial global state (satisfying $\varphi$ if we happen to have such a precondition) satisfies $\sigma \models \mathit{live}_\ell$, then we have verified deadlock freedom.

¹ A global configuration is a pair consisting of a state giving values to all variables and a tuple of local locations, one for each diagram.

Deadlock-Freedom à la AFR

For $i \in \{1, \dots, n\}$ let $P_i = (L_i, T_i, s_i, t_i)$ such that the $L_i$ are pairwise disjoint and the processes' variable sets are pairwise disjoint.

To prove that a synchronous transition diagram $P = P_1 \parallel \dots \parallel P_n$ is deadlock-free relative to precondition $\varphi$:

1. Omit the last point from the AFR method.
2. Verify the deadlock-freedom condition for every global label $\langle \ell_1, \dots, \ell_n \rangle \in L_1 \times \dots \times L_n$:
   $\models I \land \bigwedge_i Q_{\ell_i} \to \mathit{live}_{\langle \ell_1, \dots, \ell_n \rangle}$.

NB This method generates a verification condition for each global location, i.e., $|L_1 \times \dots \times L_n| = \prod_{i=1}^{n} |L_i|$ many.

Example 4 cont'd

[Figure, built up over three slides: the synchronous transition diagrams of P1 and P2; the same diagrams with auxiliary variables k1, k2 added to the communication transitions; the diagrams annotated with a local assertion network. Surviving labels: locations s1, ℓ1, t1 (P1) and s2, t2 (P2); transitions C?x (later C?x → k1 := 1), x > 0 → x := x − 1 and x ≤ 0 (P1), C!y (later C!y → k2 := 1) (P2); assertions x ∈ ℕ, k1 = 0, x ∈ ℕ ∧ k1 = 1, k1 = 1, k2 = 0, k2 = 1.]

I = (k1 = k2).
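The semantic criterion of the previous slides (every reachable $\langle \ell; \sigma \rangle$ satisfies $\mathit{live}_\ell$) can be checked by brute force when the state space is finite. The following is an added Python example, not from the lecture: it enumerates the reachable global configurations of a set of synchronous transition diagrams and reports those that are not live. The diagrams in example4() are my reading of the garbled Example 4 figure (an assumption): P1 receives x on channel C, counts it down to 0 and terminates; P2 sends y on C and terminates. Passing a different channel name for P2's send turns it into a message deadlock of the kind defined at the start of the lecture.

```python
"""Explicit-state deadlock check for synchronous transition diagrams.

Added example, not from the lecture.  example4() is my reading of the
Example 4 figure (assumption); variable and channel names are assumed.
"""
from collections import deque
from typing import Callable, Dict, FrozenSet, List, NamedTuple, Optional, Tuple

State = Dict[str, int]                                  # valuation of all variables
Locs = Tuple[str, ...]                                  # one local location per process
Config = Tuple[Locs, FrozenSet[Tuple[str, int]]]        # <l; sigma>, sigma made hashable


class Transition(NamedTuple):
    src: str
    dst: str
    guard: Callable[[State], bool] = lambda s: True     # boolean condition b
    action: Callable[[State], None] = lambda s: None    # assignment f, run on a copy
    send: Optional[Tuple[str, Callable[[State], int]]] = None   # C!e  as ("C", e)
    recv: Optional[Tuple[str, str]] = None                      # C?x  as ("C", "x")


class Process(NamedTuple):
    name: str
    start: str
    terminal: str
    transitions: List[Transition]


def _move(locs: Locs, updates: Dict[int, str]) -> Locs:
    return tuple(updates.get(i, loc) for i, loc in enumerate(locs))


def enabled_moves(procs: List[Process], locs: Locs, state: State) -> List[Tuple[Locs, State]]:
    """Successor configurations of <locs; state>: every enabled internal
    transition, plus every matched send/receive pair on the same channel whose
    guards both hold (the I/O rule).  A lone send or receive is not a move."""
    here = [[t for t in p.transitions if t.src == locs[i] and t.guard(state)]
            for i, p in enumerate(procs)]
    succ = []
    for i, ts in enumerate(here):
        for t in ts:
            if t.send is None and t.recv is None:             # internal step
                s2 = dict(state)
                t.action(s2)
                succ.append((_move(locs, {i: t.dst}), s2))
            elif t.send is not None:                          # find a matching receive
                chan, expr = t.send
                for j, us in enumerate(here):
                    for u in us:
                        if j != i and u.recv is not None and u.recv[0] == chan:
                            s2 = dict(state)
                            s2[u.recv[1]] = expr(state)       # x := value of e
                            t.action(s2)                      # sender's local update
                            u.action(s2)                      # receiver's local update
                            succ.append((_move(locs, {i: t.dst, j: u.dst}), s2))
    return succ


def is_live(procs: List[Process], locs: Locs, state: State) -> bool:
    """live_l: true when every process is at its terminal location, otherwise
    true iff some transition (or I/O pair) is enabled in <locs; state>."""
    if all(loc == p.terminal for loc, p in zip(locs, procs)):
        return True
    return bool(enabled_moves(procs, locs, state))


def deadlocks(procs: List[Process], inits: List[State]) -> List[Config]:
    """Breadth-first search from the initial configurations; return the
    reachable ones that are not live.  An empty result means deadlock-free."""
    start = tuple(p.start for p in procs)
    seen = {(start, frozenset(s.items())) for s in inits}
    queue, bad = deque(seen), []
    while queue:
        locs, frozen = queue.popleft()
        state = dict(frozen)
        if not is_live(procs, locs, state):
            bad.append((locs, frozen))
        for locs2, s2 in enabled_moves(procs, locs, state):
            cfg = (locs2, frozenset(s2.items()))
            if cfg not in seen:
                seen.add(cfg)
                queue.append(cfg)
    return bad


def example4(channel: str = "C") -> List[Process]:
    """Assumed reading of Example 4.  With channel != "C", P2 sends where
    nobody listens and P1 blocks on C?x forever: a message deadlock."""
    p1 = Process("P1", "s1", "t1", [
        Transition("s1", "l1", recv=("C", "x")),
        Transition("l1", "l1", guard=lambda s: s["x"] > 0,
                   action=lambda s: s.__setitem__("x", s["x"] - 1)),
        Transition("l1", "t1", guard=lambda s: s["x"] <= 0),
    ])
    p2 = Process("P2", "s2", "t2", [
        Transition("s2", "t2", send=(channel, lambda s: s["y"])),
    ])
    return [p1, p2]
```

The contrast with the AFR method above is the usual one between model checking and proof: the checker visits only reachable configurations and needs no invariant or assertion network, but it needs a finite state space (here y must be fixed), whereas the proof method handles all y ∈ ℕ at the price of one verification condition per global label.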

Soundness & Completeness

Theorem The methods are once again sound and semantically complete (with auxiliary variables).

—end—


References

[Dij64] Edsger W. Dijkstra. Een algorithme ter voorkoming van de dodelijke omarming (An algorithm for the prevention of the deadly embrace). Circulated privately, 1964.