Liveness Conditions for a Safe Distributed Deadlock Resolution Algorithm * J. R. Gonzalez de Mendhill, F. Fariiia2, J. Villadangosl, J. R. Garitagoitia2 Department of Automatic Control, Electronics and System Engineering; Public University of Navarra; Campus Arrosadia s/n, 3 1006 Pamplona, SPAIN; e.mai1:cjrmendi @ tsc.upna.es> Department of Mathematics and Computation; Public University of Navarra; Campus Arrosadia s/n, 3 1006 Pamplona, SPAIN; e.mail:
[email protected]>
Abstract
for complex models are directed to the design of DDDR algorithms in which liveness and high performance are the desired properties [8] [9]. However, those works usually forget the issue of the SSC by relaxing such a property. They use different Weak Safety Conditions (WSC) which allow to resolve some kinds of false deadlocks. Recently, we have proposed a new DDDR algorithm for the Multiple-Request (MR) model [ 11 which verifies the SSC. The proposed solution is probe-based [a], that is, it uses special messages, called probes, to detect deadlocks. The algorithm uses priority of processes to select the victims; and simple information of the probes is stored to guarantee the resolution of only true deadlocks. In this paper, we are interested on the study of the liveness conditions the algorithm verifies. In order to give a formal way to prove the properties, the algorithm abstraction is expressed by using the InpuUOutput Automata Model [ 101 [ 111. We prove that the proposed DDD/R algorithm verifies the SLC when the re-entrance of aborted processes is finite; and in the infinite case, it verifies the Weak Liveness Condition (WLC): "Deadlocks are resolved while there exist deadlocks in the system". This starvation is due by the required SSC. The rest of the paper is organized as follows. Section 2 presents the environment and the specifications of the problem. Section 3 is devoted to show the resolution algorithm. Section 4 deals with the correctness proof. Finally, concluding remarks end the work.
Although the problem of deadlock detection and resolution in distributed systems has been studied in detail during the last years, it is still an open and difficult problem for all but the simplest models. One of the main difficulties in finding adequate solutions in the Multiple-Request model resides in the need to avoid false deadlock resolutions. In this paper we show a distributed solution with the Strong Safety Condition of "only true deadlocks must be detectedlresolved". The algorithm was proved to satisfy this safety condition in [ I ] and now we study the liveness conditions the algorithm supports.
1. Introduction The Deadlock Problem has been studied in detail during the last years [2] [3], but it is still a very difficult problem in the area of Distributed Systems. Recently, different formal frameworks [4] [5] have been presented in order to characterize deadlocks in various resource allocation models and to define the correctness criteria that Distributed Deadlock Detection/Resolution (DDD/R) algorithms must verify. The classical intuitive criteria of correctness: Strong Safety Condition (SSC): "only true deadlocks must be detectedlresolved"; and Strong Liveness Condition (SLC): "every deadlock must be detectedresolved infinite time"; are satisfied only for very restricted models of resource management -as the SingleRequest model [6] [7]. One of the main difficulties in dealing with deadlocks in complex resource allocation models is that certain operations over a particular deadlock situation -the resolution via aborting a process- affect to another deadlocks of the system. Some published works
2. Specifications A Distributed System can be considered as a collection of sites interconnected by a communication network. In order to simplify the discussion, we consider only one process or resource for each site. A process requests to its local manager for the resources it needs. The manager sends the requests to the sites where the resources stand. If a resource is allocated to the process which have requested
* This work
has been partially supported by the Basque Government under the scholarship number BFI.95.037 and by the CICYT under the research grant TIC 93-304.
1066-6192/96 $5.00 0 1996 IEEE
Proceedings of PDP '96
139
it, then the local manager of that resource sends a grant message. We are not interested in modelling the relation among local managers, but capturing the global behaviour of the waitfor relations among processes and resources of the system. In this work, the real behaviour is simulated by using a special graph, called the Communication- Wait For Graph (CWFG) [l] [5].
An add(i, needed(i)) action means that process i has requested a set of resources. This action only can be performed if process i is not waiting for other resource and is not a victim. If node i represents a resource, the action means that the resource has been allocated to the process contained in needed(i). This action only can be performed if the resource is not being held by other process. The action is always local to the site of the node i and implies a requesdgrant message to be delivered.
2.1 The Manager of the system
add(eg ,j) prec: version((qj,j))= version((i, eij)) - 1 A j e victims. eff: Arcs t Arcs U {(ei,j)}; version((q,, j)) t version((eij, j)) + 1.
In this work, the distributed deadlock in MR model is studied. The model assumes that each process can perform several requests each time, and then, it waits for a reply to each request. The changes in the waitfor relations among processes and resources can be modelled by the executions of the automaton M [l],which abstract the MR model. Let N= { 1, 2,. .., n ,... } be a countable set of non-zero positive integers, called nodes. An element of N can be interpreted in several ways: the identifier, or the priority of a process or resource, or the site where they act. The total order of N yields to consider the values as priorities of nodes -in order to ensure the algorithm only selects processes as candidates to resolve deadlocks, it is assumed that their priority is lower than the priority of resources-. The fact that N be countable avoids the discussion about re-entrance of victims. -it is simulated by assigning new values in N to re-entrant processes. The set E= { q j / i+ j A i, j e N} represents the set of intermediate nodes. A subset Ei= {eii / i# j A i, jE N } can be interpreted as the possible waitfor relations that node i may maintain with another nodes j. The CWFG is a pair ( N U E , Arcs) where the set Arcs c {(i,ei,), (eij,j)/i#j ~ i , N}. j ~ The arcs represent the partial knowledge about the wait for relations different nodes can find at their sites. A generic arc of the graph will be denoted (n, n'). A value version((n, n')) counts the number of appearances of arc (n, n') on the graph. Finally the set victims contains the aborted nodes in the history of the system. A state S E states(M) is defined by the values of the variables: s.Arcs, s.victims and Vi, j e N : s.version((i, qj)) and s.version((eij, J)). Initially s.Arcs= s.victims = 0 and s.version((i, eij)) = s.version((qj,J))= 0. The action signature of the Mis: ,&z(M)={abort(i)}and out(M)= {Vi, J E N : Vneeded(i)E 2E1:: add(i, needed(i)); add(eij, j), del(eij, j), del(i, e$}. The steps of M are given with the preconditions/effects formalism [lo].
An add(eij, j) action means that resource j knows the request of process i, or that the no victim process j knows that resource i is waiting its release. In both cases, the reception of the requedgrant messages sent by the previous action is implicitly included. Therefore, this action cannot be executed if an action add& needed(i)) has not been performed.
del@ j) prec: d+(i)= 0 v ie victims eff: Arcs +Arcs - {(q,,j)}. The action del(e9,j) means that process j is sending to resource i its release, so process j cannot be blocked. If j is a resource then it means that j is going to be allocated to process i, so it cannot be allocated to other process. In both cases, this action implies the sending of a release/grant message to node i. This action also can mean that resource j has received a withdrawing message [3] which was created when i aborted.
del(i, qj) prec: i E victims v (d+(eij)=0 A (i E victims v version( (q,,j))= version((i, e$) - 1)). e E Arcs t Arcs - { (i, qj)}. A del(i, eij) action can mean that process i has received a grant from resource J or it is withdrawing its requests because it is a victim, or that resource i has received a release message from process j or it has received a message indicating that its holder j has aborted.
abort(i) eff: victims c victims U { i} ; Arcs t Arcs - incoming(i).
As the U 0 automata are input enabled, input actions have not preconditions. The effects of this action are clear. Remark 1 [l]: It is simple to prove that, in absence of abort(.) actions, the existence of a circuit in the state of M is a stable property. Therefore, deadlocks can be characterized by the existence of circuits in the graph, that is, 3C E s.Arcs there exists a deadlock in the system.
add(&needed (i)) prec: d+(i)= 0 A i e victims. // Sli)=outdegree ofnode i. eff Arcs +Arcs U {(i,eij)/eijE needed(i)}; FOR eij IN needed(i) DO version((i, qj)) t version ((i, eij)) + 1.
140
Remark 2 [l] :Only the performance of abort(.) actions can break circuits, then those are the actions which resolve the deadlocks of the system. Therefore, the performance of an abort(i) action is an event of deadlock resolution if and only if that action breaks a circuit in the graph. If no circuit is broken by its performance then the event is a false deadlock resolution. It is easy to see that the executions of M satisfy the following lemma that says how a circuit is created. Lemma 1: Let a- so 7c 1 s 1 ... 7c s,. .. be a fair execution Of M . 3 c :: ( c C Sk.ArCS A c GZ Sk-l.ArCs =$ 7c E { b' i, j e N : :add(eij, j ) } ) .
,
2.2 The Specification of the Algorithm The specification of the algorithm is given by the automaton A0 defined as follows: A state SE states(A0) is defined by the values of : s.Arcs and s.victims. Initially s.Arcs= s.victims = $3 The action signature of A0 is: out(Ao)={abort(i)} and h(Ao)= {Vi, j E N : Vneeded(i)E 2Ei:: add(i, needed(i)); add(eij, j), del(eij, j), del(i, eu)}. The steps of A0 are the following:
abort(i) prec: 3 C E Arcs A i= min(Nodes(C) eff: victims c victims v {i}; Arcs t Arcs - incoming(i); add(i, needed (i)) eff: Arcs t Arcs
U {(i,ei,)/eijE
add(e4, j ) e E Arcs t Arcs
U {(eij,j
This property expresses the WLC . If the system is assumed to be finite -N finite-, it is simple to show that WLC implies SLC. Lemma 2: Let a= SO X I s 1 ... 7c, s, be a fair execution of Ao. 3C csk.Arcs 3 k'>k, ie Nodes(C) :: nr= abort(i). Proof: By contradiction. Assume the property is false, that is: 3C c sk.Arcs verifying b' k'>k :: C c sk.Arcs. The function d(s): { s / C c s.Arcs} -+Z+ is defined as d(s) = IN1 - Is.victimsl - ICI. The execution of actions of Ao makes this function decrease. No action can increase it so this function is monotonally decreasing. As C remains in the graph, Property 1 ensures that the actions of Ao have to be performed, so d(s) must decrease during the execution. As function d(s) is upper bounded, there exist one state se' verifying d(sK') = 0. That is N - sg'.victims = Nodes(C). Since circuit C remains, A0 is enabled and one of their actions must be eventually performed. Only the actions abort(i) with i belonging to Nodes(C) can be enabled -a victim node cannot be aborted again-, so eventually one abort(i) action with i E N o d e s ( C ) must be executed. However, this action would break C and, therefore, the initial assumption does not hold.
3. The Deadlock Resolution Algorithm N)
//min-minimum
The algorithm will be defined by the automaton Al. Some definitions used in their state were given above. There are state variables associated with each node, n: status(n), version(n), create(n), transmitted(n) and to-repZy(n). The variable stutus(n) indicates the status of the node with respect to the deadlock resolution algorithm. This variable has one of the following values: running if the node does not maintain wait for relations, blocked if the node waits for another node and has not been selected to break a deadlock, candidate if the node has been selected to break a circuit and victim if the node has been aborted. The variables version (n) are counters that allow to distinguish obsolete information. A set creute(n) contains all intermediate nodes for which n has to create a probe. A set transmitted(n) records the probes that have been transmitted by n; and the set to-reply (n) registers the nodes from which an information message has arrived while n is in candidate status. The algorithm works with three kinds of messages: probes, information messages and reply messages. A probe has six fields, m= (det, init, version, to, v, v'). The first field identifies the kind of the message; init is the priority of the node which created the probe; version is the value of version (init) when the probe was created; to is the intermediate node to which the probe was sent when it was created, being v the version of the arc (to, init) when the probe was created. The field v' is the only field that is modified in a probe by the rest of nodes; it is the version
needed@};
)};
ij, j) eff: Arcs t Arcs - {(e+ j ) } ;
del(i, eij) eff: Arcs t Arcs - { (i, eij)}; The partition on local(A0) has one class Ao= out(Ao)= { V i E N :: abort(i)}. This partition implies that the fair executions of A0 verify the property: Property 1: Let CYF SO 7c1 s 1 . .. 7c, s,. .. be a fair execution of Ao. 3 C E Sk.ArCS =? 3 k'>k :: ny E out(&)).
Proof: The existence of a circuit in the graph enables one abort(.) action -each circuit have a node verifying the condition of being the node with lower priority in the circuit- and these actions belong to the class Ao. Only the breaking of the circuit can disable the class, so it will be enabled until the execution of one of its actions. Therefore, by fairness, one action of Ao= out(A0) will be eventually performed.
141
of the arc where a node transmits the probe when this transmission is performed. The set containing all possible probes in the executions of the algorithm is called D.The information and reply messages have two fields: the identifier of the kind of message -inf for information messages and rep for reply messages- and the priority of the node that creates the message. The set of all possible information messages in the executions of the algorithm is called I , and the set of all reply messages, R. The state variables, mess(possib1e arc), are FIFO lists which contain the messages that are travelling from a particular node to an intermediate node or vice versa. Therefore, a state S E states(A1) is defined by the values of the variables: s.Arcs, 'die N : s.status(i), s.version(i), s.creute(i), s.transmitted(i), s.to-reply(i), and Vi, j E N : s.version((i, ei;)), s.version((eij, j)), s.mess(i, ei;) and s.mess(ei;, j). Initially s.Arcs= sg.victims= 0; 'die N s.creute(i)= s. trunsmitted(i)= s.to-reply (i)= 0,s.stutus(i)= running, s.version(i)= 0, and Vi, jE N: s.version((i, e$)= s.version((eij,j))=0, s.mess(i, eij)= s.mess(e,,, j)= E .
If d+(i)= 0 then i cannot belong to any circuit, so the action makes obsolete its previous probes and empties the set create (i). del(e I,j) e E Arcs t Arcs - {(q;,j)}; create(j) t create (i) - {eij }.
create(i, j) prec: stutus(i)= blocked A ejie create (i); e E mess(eji, i) t mess(eji, i)*(det, i, version(i), eji, version( (ej, i)), version((e;i, i))); create(i) t creute(i) - {eji}. The action create(i, j) creates a probe of node i and sends it towards node j. That probe appears in the arc from eji to i because the probes go in a backward direction through the arcs of the graph.
send(j, e 8 ,m) prec: mess(eij, j) = m p A m E D e E mess(eij,j) +p; mess(i, ei;) c mess(i, qj) m.
3.2 Actions of A I
I
U U R.
The actions send(j, ei;, m) model the reliable communication among the sites. These actions always pass a message of the algorithm from a site to another one. The rest of the actions are commented at the end of the presentation.
The automaton A1 reflects the performance of the algorithm under a MR manager, so its action signature can be seen as partitioned into two groups: The actions of communication between the algorithm and the manager and the actions defining the performance of the algorithm. Formally the automaton action signature is: in(ill)={ Vi, j e N : Vneeded(i)E 2Ei: add(i, needed(i)); add(ei;, j), W e i j , j), deKi, eij)} out(Al)= {Vi€ N : abort(i)} int(A I ) = { V i , j g N : create& j), handle-det(i, ei), handle-inf(i, ei;), handle-rep(i, e$, detect($ VmE D U I U R: send& ei;, m)} The actions are given in the following.
handle-det(i, e ij ) prec: mess(i, e$= (det, init, vn, to, v, v') p A (init= i (( to,init)P Arcs v v# version((to,init)) v version(i)#vn v (i,ei;)PArcs v v'#version( (iei;)))). e R mess(i, eij) t p; IF (i, q j } ~Arcs AND v'= version( (i, ei;) AtVD status(i)= blocked AND incoming(i)# 0 THEN //else the probe is lost. //Case transmission. IF init < i THEN FOR (eh, i) IN incoming(i) DO mess(eki, i) t mess(eki, i) (det, init, vn, to, v, version ((eh, i )); trunsmitted(i) c trunsmitted(i) U { init}. IF init 2 i THEN //Regeneration ofprobes. FOR (eh, i) IN incoming(i) DO creute(i) t creute(i) U {eh}.
add(i, needed (i)) eft Arcs t Arcs U {(i, eij}/ei;E needed(i)}; stutus(i) t blocked; FOR q; IN needed(i) DO version((i, e,;)) t version ((i, e$) + I. add(e$, j) eft Arcs t Arcs U {(e,;,j)}; verszon((qj,j)) t version((ei;, j)) + 1; IF status (j)# candidate THEN create 0)t create (j) U { eij }.
detect(i) prec: xi,q i ) ~Arcs / mess(i,eii)=(det, i, ver;ion(i), to, version((to,i)), v) p A status(i)= blocked A (to,$€ Arcs A v= version( (i, eij)); eff: mess& eij) t p; status(i) t- candidate; create(i) c 0; FOR k IN transmitted(i) DO mess(ek, i) t mess(ek, i ) (inf, i).
del(&qj ) eff: Arcs t Arcs - {(i, ei;)}; IF d+(i)= 0 THEN stutus(i) t running; version(i) c version(i) + 1; creute(i) t @.
142
(Case 1)
circuit I
(Case 2)
circuit 2
circuit 1
Figure 1. Possible executions of A1 when there exist a knot in the CWFG. message by the handle-rep(i, ell) action only causes the candidate i to erase a node from which it will wait for the permission to abort. Finally, an abort(i) action transforms process i into a victim. A victim process does not maintain any resource, so arcs with i as terminal endpoint are deleted. The actions abort(i) together with the performance of handle-inf(k, ek,) and handle-rep(i, elk) actions assure the local knowledge about the circuits and candidates before the abortion is consistent. The partition on local(A1) is composed by the classes: A'; V iE N :: Dll; and V i, j E N :: HI, , S',, and C', being A'= out(A1)= { V i E N :: abort(i)}; Dil= {detect(i)}; SI,= {Vm E D u l U R :: send(eIJ,m)}; C', = {createo, i)} and finally H1,= { handle-det(i, eIJ), handle-inf(i, eIJ), handle-rep(i, ell)}; . The Figure 1 helps the reader to obtain an intuitive vision of the behaviour of the algorithm. The nodes i and j are the lowest priority node of circuit 1 and 2 respectively. In case 1, the node i detects the circuit 1 before it receives the probe m2 of the node j. In case 2, the node i detects circuit 1 after it has transmitted the probe m2 of the node j. The probes have the mission of detecting circuits and identifying the node with minimum priority of each circuit as a candidate to resolve it -in Figure 1 the messages (det, . . .) represent the probes-. Each node only let pass through it the probes created by lower priority nodes -in Figure 1, case 2 only is possible if j < i--, and stores information about the probes it has transmitted. When a node is selected as a candidate to break a circuit -when ml reaches i--, this node can perform two actions. If no probe has been transmitted by it then it knows that it is the lowest priority node of a circuit and it can proceed to abort -case 1 of Figure 1, i detects circuit 1 and can abort itself; the abortion resolves circuits 1 and 2, but as m2 cannot reach j no false deadlock can be resolved-. In the other case, the initiators of the probes that have been transmitted by the candidate node do not know that this node is going to abort. This fact could promote a posterior false resolution -if m2 reaches node j in Figure 1, case 2 after the abortion of node i-. This is avoided by the
The action handle-det(i, eij) is enabled if one probe has arrived to node i unless this probe would be a probe enabling detect(i). The former action checks the conditions that can make the probe irrelevant; if it decides the probe is relevant, it can transmit this probe to its predecessors in the graph, or send to them its own probes by enabling its create(.) actions. If the probe is relevant to the node and is one of its own probes, then the action detect(i) is enabled. This action makes the node to enter the second phase of the algorithm. It can be shown [I] that this action ensures the existence of a deadlock in the system which can be resolved only by node i, so node i is a candidate and informs to the nodes that need it about this new situation.
handle-inf(i, eij ) prec: mess(i, eij)= (inf, j) 0 p. eft mess(i, eij) t p; IF status (i)= candidate THEN //Permission denied. to-reply(i) t to-reply(i) U {j}. ELSE // Giving permission to j . mess(eji, i) c mess(eji, i ) (rep, i); IF stutus(i)= blocked THEN version(i) t version(i) + 1. handle-rep(i, eg ) prec: mess(i, e;$= (rep, j) 0 p. eft mess(i, eij) t p; trunsmitted(i) t trunsmitted(i)- {j}. abort(i) prec: stutus(i)= candidate A trunsmitted(i)= 0. eff: stutus(i) t victim; Arcs c Arcs - incoming(i); FOR k IN to-reply (i) DO mess(ek, i) t mess(eki, i) (rep, i). When node i knows, by the execution of a handle-inf(i, eij) action, that node j is a candidate, then it can reply that the abortion is allowed and modify its version -all previously sent probes will be irrelevant after this modification- or, if the node is another candidate it delays the reply until its abortion. This second case avoids a kind of false resolutions. The reception of a reply 143
that: First(P)= n A L a s t ( P ) =init A V ~ ((Nodes(P)E {init, n}) nN):: (binit A init€ sk.transmitted(1)). In the particular case of a relevant probe fires the performance of X k = detect(i), it implies 3 C G Sk-1 .Arcs such that i = min(Nodes( C) nN ) . In addition, the order established by sets transmitted(.) and to-reply(.) allows to prove that SSC is verified. At this point, we are interested on the liveness of the algorithm.
introduction of an invalidation mechanism. Before aborting a candidate node, it sends information messages to the nodes that created the message it has transmitted. These messages have the mission of reporting that previous probes of receptor nodes are no longer valid -in Figure 1 case 2, i informs to j that it is going to abort; after the reception of m3 by j, m2 is not considered as relevant by node j-. The candidate node waits for a reply for each inf message before aborting. During this delay no probe passes through the candidate node. If a candidate receives an information message, then it stores that message and only sends the corresponding reply when aborting -in Figure 1 if m2 reaches j before m3, then j is candidate when it receives the information message. Until its abortion, j will not send the reply to i, so i cannot abort. The automaton A1 is the result of the composition of the automata of each site, which represent an instance of the DDD/R algorithm, and the communication network after hiding the communication actions -{ send(j, ei,, m)}--. The automaton A 1 reflects the global behaviour of the DDD/R algorithm in the distributed system.
4.1. Liveness Since the fair behaviours of A0 verify WLC (SLC if N is finite), we only have to prove that the fair behaviours of A1 are included into the set of fair behaviours of A0 [lo]. Some previous Lemmas are needed. All of them assume thatceson1s1 ... q,sSn...isafairexecutionofA1 Firstly, Lemmas 3 and 4 prove that the messages of the algorithm reach their destination. The actions and partition of A 1 assume the channels are secure and FIFO, so the proof of these lemmas is obvious. Lemma 3: sk.mess(i, eij)= w m W' 3 k' 2 k :: sr.mess(i, qj) = m 0". (a,W'and W " E ( D U I U R)"). Lemma 4: sk.mess(eij, j)= w m W ' 3 3 k' 2 k :: sr.mess(eij, j)= m w".(0, W'and W " E ( D u ZU R)*). The following invariant can be easily proved by induction over the length of the executions. It says that while there exist circuits in the system one locally controlled action of A 1 must be enabled. That is while there exist deadlocks the algorithm is trying to detect them. Lemma 5: 3 C c Sk.ArCs 3 3 (eij, j ) E C :: enabled(sk, create(j, i)) v 3 (n, n') E c :: sk.mess(n, n')# E v ( 3 i E Nodes(C) :: sk.status(i)= candidate A sk. transmitted(i) = 0) The following Lemmas ensure that the existence of a circuit in the graph imply a subsequent detection of a circuit -the same or another. Firstly, when a circuit appears, if it doesn't contains any candidate, the creation of probes of one of its nodes is enabled. Lemma 6: 3 C :: (C Q Sk-1 .Arcs A C c s k.Arcs) 3 (3(eij,j) E c :: (enabled(sk, C$))v sk.statuS(j)=candidate) Proof: By Lemma l , Z k = add(eij, j). The effects of such an action ensure that the Lemma holds. Once the class C'ij is enabled, only the deletion of some arcs or the selection of i as candidate can avoid the execution of its action. Lemma 7: enabled(sk, C'ij) 3 3 k > k :: (7cr E {detect(i), create(i, i), del(ei,, j)} v b' ejl :: 4, e,l) G skdrcs). Proof: By definition of fairness, either one action of C1ij is executed or the class is disabled. In the first case, as createfi, i) is executed, the Lemma holds. In the second
4. Proof of Correctness In [l], we have provided the complete proof for the SSC: "only true deadlocks must be detectedlresolved". Basically, that work shows that if execs(A1) and the action nk = abort(i) then 3c sk-1 .Arcs verifying that i=min(Nodes(C) n N). The proof is based in the existence of a possibilities mapping [lo], h defined as follows: Definition 1: h: states(A1) + 2Stutes(Ao)is defined as the mapping such that tE h(s) H s.victims= t.victims A sArcs= t.Arcs. To prove that h is a possibilities mapping the main idea was the use of the definition of a relevant probe: Definition 2: m= (det, init, vn, to, v, v') is a relevant probe of an arc (n, n'), with n, n'e N U E , at state s of A 1 if and only if the following conditions hold: s.mess(n, n')= p m p' (i) (ii) (n, n')E s.Arcs (iii) (to, init)€ s.Arcs (iv) s.version(init)= vn (v) s.version((to, init))= v (vi) s.version((n, n'))= v' (vii) s.status (n)+ victim (viii) s.status (i)= blocked The following result is the key for the proof and it can be made by simple induction over the length of the execution: Let a be an execution of AI, a= SOnIsl ...zksk ... If m= (det, init, vn, to, v, v') is a relevant probe of the arc (n, n') at state s k then there exists a path P c sk.Arcs such
144
case one of the conditions of the Lemma must be true to disable the class. It can be ensured that the existence of circuits in the system leads to the execution of detect(.) actions, that is, to the appearance of candidates. Lemma 8: 3 C :: (C E Sk.ArCS A i = min(Nodes(C)) A 3eji :: (eji, i) E C) 3 3 k' > k :: nr= create(i, j) v {IE N / Sk.StUtUS(l)= candidate}# 0.
The following Lemma assumes that there are not infinite deadlocks at any time in a system. Lemma 12: sk.stutus(i)= candidate 3 k' 2 k :: enabled(sr, AI). Proof: By Lemma 11 either sk.trunsmitted(i)= 0 and consequently abort(i) is enabled or 3 j :: i E sr.to-reply(i). In this case, by Lemma 10, j < i and stutus(i) = candidate. As the same arguments can be used recursively, we can build an ordered sequence of candidates i < j 1 < j,
