
Deadlock

COMP3151/9151 Foundations of Concurrency
Lecture 10
Termination 2: Deadlock-Freedom

Kai Engelhardt
CSE, UNSW (and data61)
Revision: 1.5 of Date: 2017/10/09 01:00:47 UTC

Deadlock Classes

A non-terminated process is deadlocked if it cannot move anymore. In the context of concurrency:

A deadlock is a situation wherein two or more competing actions are waiting for the other to finish, and thus neither ever does. [wikipedia]

In our setting of transition diagrams, there are two distinct causes for deadlock:

Message deadlock: The process blocks on a receive (or synchronous send) statement but no communication partner will ever execute the corresponding send (receive) statement.

Resource deadlock: The process blocks in a state from which only guarded transitions depart but none of the guards will ever become true again.

Deadlock-Avoidance by Order

A simple resource acquisition policy can be formulated that precludes resource deadlocks by avoiding cycles in wait-for-graphs.

[...] assign a precedence to each resource and force processes to request resources in order of increasing precedence. [wikipedia]

This is a common solution in OS and DB.

Deadlock-Avoidance by Resource-Scheduling

Around 1964 Dijkstra described a Banker's Algorithm to overcome a problem he called deadly embrace [Dij64]. It requires both the number of processes and their resource needs to be static.

It boils down to granting resources only if all resources a process needs can be granted at that time to avoid entering unsafe states in which more than one process holds partial sets of resources.

Deadlock for Transition Diagrams

A transition $\ell \xrightarrow{\,b \to f\,} \ell'$ is enabled in a state $\sigma$ if its boolean condition $b$ is satisfied in $\sigma$.

A process is blocked at a location $\ell$ if it has not terminated ($\ell \neq t$) and none of its transitions are enabled there.

A concurrent program is deadlocked if some of its processes are blocked and the remaining ones have terminated.
Clearly, deadlock is an undesirable situation. How can we prove deadlock-freedom?

Characterisation of Blocking

Let $P = P_1 \parallel \dots \parallel P_n$, its precondition $\varphi$, and assume that for each process $P_i = (L_i, T_i, s_i, t_i)$ of $P$ there is a local assertion network $(Q_\ell)_{\ell \in L_i}$ satisfying all but the last condition ($\models \bigwedge_i Q_{t_i} \to \psi$) of the Owicki/Gries method for proving $\{\varphi\}\ P\ \{\psi\}$.

Process $P_i$ can only be blocked in state $\sigma$ at a non-final location $\ell \in L_i \setminus \{t_i\}$ from which there are $m$ transitions with boolean conditions $b_1, \dots, b_m$, respectively, if $\sigma \models c_\ell$, where

$$c_\ell = Q_\ell \land \neg \bigvee_{k=1}^{m} b_k .$$

Characterisation of Blocking cont'd

Consequently, using predicates

$$B_i = \bigvee_{\ell \in L_i \setminus \{t_i\}} c_\ell ,$$

deadlock can only occur in a state $\sigma$ if

$$\sigma \models \bigwedge_{i=1}^{n} (Q_{t_i} \lor B_i) \land \bigvee_{i=1}^{n} B_i$$

holds. (Every process has terminated or blocked and at least one is blocked.)

Owicki/Gries Deadlock-Freedom Condition

$$\models \neg \left( \bigwedge_{i=1}^{n} (Q_{t_i} \lor B_i) \land \bigvee_{i=1}^{n} B_i \right) \qquad \text{(DFC)}$$

DFC ensures that $P$ will not deadlock when started in a state satisfying $\varphi$.

Example 3

Prove deadlock freedom of this program:

[Figure: transition diagrams of P1 and P2; the layout is not recoverable. Surviving labels: $s_1$, $s_2$, $t_2$, $\mathit{false}$, $t_1$, $\ell_2$.]

Soundness & Completeness

Theorem: The Owicki/Gries method with the last condition replaced by DFC is sound and semantically complete for proving deadlock-freedom relative to some precondition $\varphi$.

Deadlock-Freedom for Synchronous Message Passing

An I/O transition can occur iff the guards of both (matching) transitions involved hold.

For a global configuration¹ $\langle \ell; \sigma \rangle$ define

$$\sigma \models \mathit{live}\ \ell \quad\text{iff}\quad \begin{cases} \mathit{true}, & \text{if all local locations are terminal} \\ \text{a transition is enabled in } \langle \ell; \sigma \rangle, & \text{otherwise.} \end{cases}$$

If we can show that every configuration $\langle \ell; \sigma \rangle$ reachable from an initial global state (satisfying $\varphi$ if we happen to have such a precondition) satisfies $\sigma \models \mathit{live}\ \ell$, then we have verified deadlock freedom.
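The reachability argument above, and the definitions of enabled, blocked and deadlocked for transition diagrams, can be checked mechanically on a finite system. The following is an added example, not code from the lecture: it explores every reachable global configuration and reports those where live fails. The tuple encoding of transitions, the single channel C and the sample processes P1, P2_OK and P2_BAD are assumptions constructed for illustration.

```python
from collections import deque

def freeze(env):                       # hashable snapshot of a state
    return tuple(sorted(env.items()))

def successors(procs, locs, st):
    """Steps of <locs; st>. A transition is (src, kind, guard, action, tgt);
    kind is "tau" (internal), "!" (send on C) or "?" (receive on C)."""
    env, out = dict(st), []
    enabled = [(i, t) for i, ts in enumerate(procs) for t in ts
               if t[0] == locs[i] and t[2](env)]     # guard holds at current location
    for i, (_, kind, _, act, tgt) in enabled:
        if kind == "tau":
            out.append((locs[:i] + (tgt,) + locs[i + 1:], freeze(act(env))))
        elif kind == "!":              # fires only together with a matching "?"
            for j, (_, k2, _, recv, t2) in enabled:
                if j != i and k2 == "?":
                    new = list(locs)
                    new[i], new[j] = tgt, t2
                    out.append((tuple(new), freeze(recv(env, act(env)))))
    return out

def deadlocks(procs, starts, finals, init):
    """Reachable configurations where live fails: not all terminal, no step."""
    start = (tuple(starts), freeze(init))
    seen, todo, bad = {start}, deque([start]), []
    while todo:
        locs, st = todo.popleft()
        nxt = successors(procs, locs, st)
        if not nxt and locs != tuple(finals):
            bad.append((locs, dict(st)))
        for c in nxt:
            if c not in seen:
                seen.add(c)
                todo.append(c)
    return bad

# Constructed sample: P1 receives x on C, counts it down to 0, then terminates.
always = lambda e: True
send_y = lambda e: e["y"]
P1 = [("s1", "?", always, lambda e, v: {**e, "x": v}, "l1"),
      ("l1", "tau", lambda e: e["x"] > 0, lambda e: {**e, "x": e["x"] - 1}, "l1"),
      ("l1", "tau", lambda e: e["x"] <= 0, lambda e: e, "t1")]
P2_OK = [("s2", "!", always, send_y, "t2")]      # one send: deadlock-free
P2_BAD = [("s2", "!", always, send_y, "m2"),     # the second send never finds
          ("m2", "!", always, send_y, "t2")]     # a receiver: message deadlock
```

With P2_BAD the only reported configuration has P1 terminated and P2 blocked on its second send, which is the message deadlock class from the start of the lecture.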
¹ A global configuration is a pair consisting of a state giving values to all variables and a tuple of local locations, one for each diagram.

Deadlock-Freedom à la AFR

For $i \in \{1, \dots, n\}$ let $P_i = (L_i, T_i, s_i, t_i)$ such that the $L_i$ are pairwise disjoint and the processes' variable sets are pairwise disjoint.

To prove that a synchronous transition diagram $P = P_1 \parallel \dots \parallel P_n$ is deadlock-free relative to precondition $\varphi$:

1. Omit the last point from the AFR method.
2. Verify the deadlock-freedom condition for every global label $\langle \ell_1, \dots, \ell_n \rangle \in L_1 \times \dots \times L_n$:

$$\models I \land \bigwedge_i Q_{\ell_i} \to \mathit{live}\ \langle \ell_1, \dots, \ell_n \rangle .$$

NB: This method generates a verification condition for each global location, i.e., $|L_1 \times \dots \times L_n| = \prod_{i=1}^{n} |L_i|$ many.

Example 4 cont'd

[Figure: transition diagrams of P1 and P2, built up over three slides; the layout is not recoverable. Surviving labels, in extraction order:
locations: $\ell_1'$, $\ell_1$, $s_2$, $s_1$, $t_1$, $t_2$
transitions (first slide): $x > 0 \to x := x - 1$; $x \le 0$; $C?x$; $C!y$
transitions with auxiliary variables (second slide): $C?x \to k_1 := 1$; $C!y \to k_2 := 1$
assertions (third slide): $x \in \mathbb{N}$; $k_2 = 0 \land k_1 = 1$; $x \in \mathbb{N} \land k_1 = 1$; $k_1 = 0$; $k_1 = 1$; $k_2 = 1$]

$I = (k_1 = k_2)$.

Soundness & Completeness

Theorem: The methods are once again sound and semantically complete (with auxiliary variables).

References

[Dij64] Edsger W. Dijkstra. Een algorithme ter voorkoming van de dodelijke omarming. Circulated privately, 1964.
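The verification conditions of the AFR-style method above, one per global location, can be enumerated and tested on a finite sample of states. This is an added example, not code from the lecture: the two-process system, its assertions and the state sample are constructed here, reusing only the auxiliary variables k1, k2 and the invariant I = (k1 = k2) that survive from Example 4. A bounded check like this finds counterexamples; it does not replace the proof.

```python
from itertools import product

# Constructed system. Per location: (assertion Q, outgoing transitions), each
# transition given as (kind, guard) with kind "tau", "!" or "?" on channel C.
P1 = {"s1": (lambda s: s["k1"] == 0, [("?", lambda s: True)]),
      "l1": (lambda s: s["k1"] == 1, [("tau", lambda s: s["x"] > 0),
                                      ("tau", lambda s: s["x"] <= 0)]),
      "t1": (lambda s: s["k1"] == 1, [])}
P2 = {"s2": (lambda s: s["k2"] == 0, [("!", lambda s: True)]),
      "t2": (lambda s: s["k2"] == 1, [])}
FINAL = ("t1", "t2")

def live(procs, locs, s):
    """live: all locations terminal, or some transition is enabled in <locs; s>."""
    if locs == FINAL:
        return True
    en = [{kind for kind, guard in p[l][1] if guard(s)} for p, l in zip(procs, locs)]
    if any("tau" in e for e in en):
        return True
    return any("!" in a and "?" in b      # a send needs a matching receive elsewhere
               for i, a in enumerate(en) for j, b in enumerate(en) if i != j)

def failed_vcs(procs, inv, states):
    """Global locations where  I and Q_l1 and ... and Q_ln -> live  has a counterexample."""
    bad = []
    for locs in product(*procs):          # one condition per global location
        pre = lambda s: inv(s) and all(p[l][0](s) for p, l in zip(procs, locs))
        if any(pre(s) and not live(procs, locs, s) for s in states):
            bad.append(locs)
    return bad

# Finite sample of states: x in 0..2, k1 and k2 in {0, 1}.
STATES = [dict(x=x, k1=a, k2=b) for x, a, b in product(range(3), (0, 1), (0, 1))]
```

With the invariant, all six conditions pass, because the local assertions at (s1, t2) and (t1, s2) contradict k1 = k2; with the trivial invariant, exactly those two global locations fail.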