Testing Deadlock-Freedom of Computer Systems - Computer Science

Testing Deadlock-Freedom of Computer Systems TIKO KAMEDA University of Waterloo, Waterloo, Ontarw, Canada ABSTRACT. The problem of determining whether it is possible for a set of "free-running" processes to become deadlocked is considered. It is assumed that any request by a process is immediately granted as long as there are enough free resource umts to satisfy the request The questton of whether or not there exists a polynomml algorithm for predicting deadlock in a "claim-limited" serially reusable resource system has been open. An algorithm employing a network flow technique is presented for this purpose. Its running time is bounded by O(mn15)if the system consists of n processes sharing m types of serially reusable resources. deadlock, serially reusable resource, resour~ allocation, process, deadlock algorithm, operating system, efficient algorithm, network flow, bipartite matching, degree-constrained matchmg, algorithm complexity K ~ Y W O R D S A N D PHRASES:

CRCATEGORIES. 4.32,4 35, 5.25, 5.32

1. Introduction A n undesirable situation called deadly embrace or deadlock was pointed out b y Dljkstra [8] i n a computer system in which two or moreprocesses coexist sharing resources. A simple example is where a process P1 holds device A a n d requires device B to continue, b u t device B is already held by another process P2 which requires A to continue. There is a circular wait here a n d it will not be resolved unless a "drastic" action, i.e., preemption, is taken. Informally, a deadlock is a situation in which there is a process whose progress is blocked forever owing to lack o f resources, regardless o f the future activity (e.g., release of resource umts) of u n b l o c k e d processes. Different aspects o f the deadlock p r o b l e m have been investigated in the past [2, 5, 12-16, 22, 24], a n d interest in it is being revived in the database a n d distributed e n v i r o n m e n t [4, 21, 25]. C o f f m a n et al. [2] classify approaches to dealing with deadlocks into three categories: detection and recovery, avoidance, a n d prevention. This paper considers whether a given system needs a n y deadlock avoidance or prevention overhead. T h a t is, given a system, we want to k n o w whether deadlock is possible if n o particular efforts are m a d e to avoid it. Following H a b e r m a n n [13], we assume that the m a x i m u m resource requirement (i.e., clatm) o f each process is k n o w n in advance. It is assumed that within this limit each process can m a k e requests for resources dynamically in a n arbitrary sequence. Further, we adopt the expedient allocation policy [16], which grants a n y request as long as there are e n o u g h free resource units required. I n this paper we call a system deadlock-free (or secure [16]) if this allocation policy never causes deadlock. Deadlock-freedom is a desirable feature, particularly for the p e r m a n e n t system processes or the processes in a dedicated system, dispensing with both the need for a t i m e - c o n s u m i n g deadlock avoidance algorithm to be Permission to c o p y without fee all or part o f this material is g r a n t e d provided that the copies are not m a d e or d l s t n b u t e d for &rect commercial advantage, the A C M copyright n o t l ~ a n d the role o f the p u b h c a u o n a n d Rs

date appear, and notice is given that copying is by permission of the Association for Computing Machinery To copy otherwise, or to repubhsh, requires a fee and/or Specific permission This work was supported by the Natural Science and Engineering Research Council of Canada under Grant No A4315 Author's address: Department of Electrtcal Engmeermg, Umversity of Waterloo, Waterloo, Ontario, Canada N2L 3GI © 1980ACM 0004-5411/80/0400-0270$00.75 Journal of the Assocmt~onfor ComputingMachinery,Vol 27, No 2, April 1980,pp 270-280

Testing Deadlock-Freedom of Computer Systems

271

invoked each time a new request arrives, and recovery measures from deadlock. The price one must pay for a deadlock-free system is generally the need for more resource units than are absolutely necessary. If a system is not deadlock-free, it may be still possible to avoid deadlock by delaying the granting of some requests [13]. As we mention in the conclusion of this paper, it is possible to apply our algorithm to deadlock prevention in a certain situation. One exhaustive method for testing deadlock-freedom would be to enumerate all possible "allocation states," using a deadlock detection algorithm such as Holt's [15, 16] on each such state to test if it is a deadlock state. Clearly, the system is deadlock-free if no state is a deadlock state. Shaw claims, in essence, that no nonexhaustive algorithm is known for testing whether or not a given system is deadlock-free [23, p. 230]. In Sections 2 and 3 we present an analysis of a model of process-resource systems. This model leads to an algorithm whose running time is bounded by O(mn ~5), where n is the number of processes and m is the number of resource types (Section 4). A preliminary version of this paper with an O(mn a) algorithm appeared in I191.

2. Model We consider a system consisting of n (_>2)processes Pl, P2. . . . . Pn, sharing m (_>1) types of resources (or simply resources), R l, R2 . . . . . Rm, which are serially reusable [14]. 6 denotes the total number of available units of resource Rj. A unit of resource can be allocated to only one process at a time. Let N -- (1, 2 . . . . . n) and M -- { 1, 2 . . . . . m} be the index sets of the processes and resource types, respectively. For i E N and j E M, the claim C(i, j) [ 13], which denotes the maximum number of units of resource Rj that could be, used by process P, at some time, is assumed to be known. Obviously we must require that C(i, j ) -< 6 for all i and j. The matrix C = [C(i, j)], whose (i, j ) element is C(i, j), is called the claim matrix. If

E C(i,j) _< 6

(1)

~EN

is satisfied for allj E M, then there will always be enough free (i.e., nonallocated) units to grant any request immediately, and therefore the system is free from deadlock [22]. The state of a gwen system is defined by a pair of n x m matrices (A, R), where A = [A (t, j ) ] is called the allocation matrtx and R = JR(i, j)] the request matrix. A(i, j ) denotes the number of units of resource Rj allocated to process P, in a given state, and R(i, j ) denotes the number of units of Rj requested by (but not yet allocated to) P,. Both are nonnegatwe integers satisfying

A(i, j ) + RO, j ) --< CO, j).

(2)

Clearly, not more than 6 umts of Rj can be allocated; therefore we have for e a c h j E M

X A ( k , j ) _< 6.

(3)

lk~N

Note that the number of free units of Rj is gwen by t~ - ~k~N A(k, j). Process P, is said to be blocked on Rj if

R(i,j) > 6 -

X A(k,j), keN

i.e., If there currently are not enough free units of Rj to sausfy the request of P,. Note that a process may be blocked on more than one resource. We assume that a process can make a request for units of several dtfferent resource types, but a blockedprocess can neither release umts allocated to tt nor make further requests. Process P~ is deadlocked in a state if P, is blocked in it and will stay blocked regardless of the future activity (acquiring and releasing of resource units) of the other processes. A state is a deadlock state if there is a process that is deadlocked m it. Note that according to our definition there may be processes that are

272

TIKO K A M E D A

executing in a deadlock state. It follows from these definitions that a state (A, R) is a deadlock state if and only if there is a nonempty index set I ~ N such that each process P,, i E I, is requesting more units of Rj (for some j E M) than will be free when the processes not indexed by I release all their resource units. That is to say, for each i E I there exists an index j E M satisfying

R(i, j) > t, - ~ a(k, j).

(4)

kel

In this case we say that Rj is involved in the deadlock. HeR has an efficient deadlock detection algorithm to test if a given state is a deadlock state [15, 16]. Finally, a system is deadlock-free if it has no deadlock state. The reader should convince himself that this is equivalent to the informal definition of deadlock-freedom given in the introduction. If a system is not deadlock-free, we use the expression that the system can deadlock. For the case of single-unit resources, where tj = 1 for all j E M, and also for the single-resourcetype case, where m = 1, Holt has efficient algorithms for testing deadlock-freedom [15]. Example 1. Consider a system consisting of two processes, P1 and P2, and one resource type R1 with tl -- 5 units. Let C(I, 1) = C(2, 1) = 5. In the state (A, R) given by

there is only t~ - (A(I, l) + A(2, 1)) = 1 free unit. Since both requests R(I, 1) and R(2, 1) are larger than 1, this is a deadlock state and therefore the system is not deadlock-free. Since our test of deadlock-freedom will involve a search for the deadlock state, it will be helpful to restrict the scope of the search. In the preceding example we can make Pi "absorb" the free unit by changing the allocation matrix to

and we can reduce the requests to

State (A', R') is still a deadlock state. In the next section Lemma 1 generalizes and formalizes the above argument. 3. The Main Theorems In this section we prove two important theorems which provide the basis for the algorithm to be presented in the next section. We call a process P, in state (A, R) inactive (as far as resource usage is concerned) If it neither holds nor is requesting any resource; i.e., A(i, j ) ffi R(i, j ) ffi 0 for a l l j ~ M. We claim that if a system can deadlock at all, it can deadlock under the assumption that processes request one resource unit at a time. The following lemma proves this fact. LEMMA 1. A system of processes {P, li E N} and resources {R~Ij ~ M} can deadlock if and only if there are a nonempty index set I C_ N and a deadlock state in which each P,, i ~ I, is deadlocked with a request f o r exactly one resource unit outstanding, and each process P,, i ~ I, is inactive.

PROOF. The " i f " part is trivial. In order to prove the "only i f " part, assume the system is not deadlock-free and let a deadlock state be given by (A, R), where A = [A(i,j)] and R = [R(i, j)], with the processes {P,[i ~ I ) being deadlocked. We first modify this state by setting A(i, j ) = R(i, j ) = 0 for each i ~ I. With each deadlocked process P, we shall now associate one resource type R,, and set R(i, i') = 1 as follows. For each i ~ I (i can be

Testing Deadlock-Freedom of Computer Systems

273

chosen in an arbitrary order) perform the following two steps, using the updated values o f {A(l,j)} each tmae. Pick an index i' ~ M such that R(i, z') > t,. - ~kel A(k, i'). (The existence o f such an is guaranteed by inequahty (4).) Let r,, = t,, - ~ k e I A ( k , i'). (Note that r,, is the number of units of R,, which are free all processes {e, l i q~ I } have released their resources.) I f r,, > 0, then increase A(t, i') by r,,. (Since R(i, i') > r,., this still does not fully satisfy the request of P, for R,,.) Set (1) index (2) when

R(i, i') = 1. After the above steps have been carried out for each i E / , we set all R(i, j ) = 0, except for (R(i, t')[ i E I ) , which have been set to 1. W e claim that the resulting state is a deadlock state satisfying the conditions of the lemma. Q.E.D.

Example 2. A system consisting of processes (P1, P2, Pa} and resource types with t~ = 4 and t2 = 5 which has the claim matrix

{R1, R2}

can deadlock since there is a deadlock state, among others, represented by (A, R), where A--

,

R=

.

This is a deadlock state as described in Lemma 1, where I -- (1, 2) and P~ (P2) has an outstanding request for one unit o f R2 (R1). Another deadlock state in this system is given by (A', R'), where

A' =

,

R' =

.

The above lemma has the following unplication: In addition to our expedient allocation policy, we may now consider only the single-unit request case, which is one of the easier cases to deal with [15, 161. In the second deadlock state o f Example 2, three processes are blocked on the same resource type, namely, R~. The natural quesUon to ask now is "How many processes can be blocked on a particular resource type?" Note that in Example 2, P~ and P2 cannot both be blocked on R2, since even if they both make requests equal to their claims, i.e., 3 units of R2 each, the request of one of them is fully satisfied and therefore it cannot be blocked on R2. Now let I C N be a nonempty index set. We introduce for each j ~ M,

dj(I) = ~ C ( t , j ) - t j tel

and call it the deficiency of Rj associated with I. Suppose the processes P , i ~ / , are inactive. If d j ( I ) _< 0, there are always enough units to grant any requests for Rj by (P, li ~ I} immediately. Therefore we say that resource R~ is nonrestrictive f o r (P, li ~ I) If dj(1) _< O. If dj(I) > 0, on the other hand, then even when {P, l i ~ I} are inactwe, it is possible for some P , i E L to get blocked on Rj. LEMMA 2. Let I C_ N and suppose the processes { P, I i ~ I} are inactive, l f d~(I ) > O, then at most mm(dj(1), II1)processes out of the set (P, li ~ I} can be stmultaneously blocked o n Rj.

PROOF. Consider any state m which the processes {e, lt q~ 1} are inactive and some processes out o f the set (P, I i E I} are blocked on Rj. Pick any process Pk that is blocked

274

TIKO K A M E D A

on R~ and make it "absorb" the remaining free units of R~, if any. That is to say, as in the proof of L e m m a I, if tj - ~ A(i,j) > 0, then increment A(k, j) by this amount and decrement R(k,j) by the same amount. With thischange, we have tj- ~,ez A(i,j) = 0 and therefore,using (2), RO, j) -- ~ R(i,j) + ~ A(i,j) - tj ce.l

~el

-< E c(i,j)

~e.l

-

t, ffi 4 ( / ) .

eel

Since each R(i,j) is a nonnegative integer, this inequality implies that there can be at most dj(I) nonzero R(i, j)'s, which implies at most min(dj(1), Ill) processes can be blocked on Rj. Q.E.D. We now introduce a graphical representation o f the states of interest to us. It will play an important role in our characterization of deadlock-free systems (Theorem 1). We define the graph associated with an index set L denoted by G(I), to be a labeled bipartite graph in which a set of nodes represents the processes {P, [ i E 1} and the set of the remaining nodes represents the resource types {R~ Ij E M} such that (i) there is an edge between the process node Pc and the resource node R1 if and only if 4 ( I ) > 0 and C(i,j) > 0, (ii) each process node has label 1, and (iii) for e a c h j E M the resource node Rj is labeled by max(dj(I), 0). In the graph G(1) the presence of an edge between the process node P, and the resource node R~ indicates that P, could be blocked on Rj when {P~lk f~ I} are inactive. We can visualize the situation in which the process Pc is blocked on the resource Rj by thickening the edge (P,, Rj). At this point we cast our problem into the form of a well-known problem known as the degree-constrained bipartite matching problem or Mormon marriage problem ~. A (degreeconstrained) matching for a labeled graph is a set S o f edges such that for each node the number of edges of S that are incident on it is no more than its label. Each edge in S is called a matching edge, and the end nodes of a matching edge are said to be matched to each other by S. Consider now the process nodes of GC(1) as women and the resource nodes as men, and consider an edge between a man and a woman as representing compatibility for marriage. Then a matching for G(I) represents a way of marrying compatible pairs in the Mormon-type marriages 2 in which a woman can have at most one husband but a man can have more than one wife. If there is a way of marrying every woman to a man, satisfying the constraints given by the node labels (in the corresponding matching S, each node representing a woman would be incident on exactly one edge of S), we say that this instance of the Mormon marriage problem (or the degree-constrained matching problem) has a complete matching. We now can state our first main theorem in terms of the Mormon marriage problem. THEOREM 1. A system of processes {Pcli ~ N} and resource types {R~Ij ~ M} can deadlock if and only if there is a nonempty index set 1 _CN such that the Mormon marriage problem on G(I) has a complete matching. PROOF. We shall show that if the Mormon marriage problem on G(I) has a complete matching, then there is a deadlock state as described in Lemma 1 for the same index set 1, and conversely. The result then follows from Lemma 1. First, suppose the Mormon marriage problem on G(1) has a complete matching S. If S matches P, to Rj, then let R(i, j ) = 1; otherwise set R(i, j ) = O. (Recall that R(i, j ) = 1 represents a request by Pc for a unit of Rj.) For each j ~ M, if R(k, j ) = 1 for some k (i.e., R: is requested by some process), then set the values of {A(i,J)lZ E I} in any manner so that all the umts of Rj are allocated; i.e., ~,ex A(i, j ) = tj. This is possible, smce dj(I) > O, This n a m e was suggested b y one o f the referees 2 In the usual 0 e , Christ.an) m a m a g e a m a n , too, c a n h a v e at most one spouse T h e p r o b l e m o f a r r a n g i n g th~s type o f m a m a g e is called the mamage problem or bipartite matching problem [1].

Testing Deadlock-Freedom of Computer Systems

275

i.e., ~,~z C(i, j ) > t~ for such j; set all remaining A(i, j ) = 0. The created state (A, R) is clearly a deadlock state as described in Lemma 1. Next suppose there are a deadlock state (A, R) and an index set 1 satisfying the conditions of Lemma 1. Now construct the graph G(I) and let S be a matching for G(I) such that, for each i E I and j ~ M, S matches P, to Rj if and only if R(i, j ) = 1. Since I {P, IR(i,j) = 1} I_< d~(t) by Lemma 2, and there is exactly one matching edge of the form (P,, R~) for each i ~ I, S is a complete matching for G(I). The theorem follows from Lemma 1. Q.E.D. In what follows we consider maximum matchings (i.e., matchings of the maximum cardinality) for the Mormon marriage problem on G(I). Intuitively, this means that we want to marry off as many women as possible. Note that if such a problem has a complete matching, then it is also a maximum matching. In the algorithm to be presented in the next section, we first find a maximum matching for G(N). From Theorem 2 below it follows that if a process node P, is not matched to any resource node in some maximum matching for G(N), we may remove process P~ from consideration in the search for a deadlock state. THEOREM 2. If it is possible for a process Pk to become deadlocked, then the node Pk is matched to some resource node in every maximum matching for G(N). PROOF. Contrary to the theorem, assume that there is a maximum matching for G(N) that does not match Pk to any resource node, and that there is an index set 1 C_ N with k ~ ! such that G(1) has a complete matching. The second assumption above, according to the proof of Theorem 1, implies that it is possible for Pk to become deadlocked. We shall derive a contradicUon from these assumptions. Let S' be a complete (therefore a maximum) matching for G(I) and S be a maximum matching for G(N) that does not match node Pk to any resource node. We obtain a new matching S" for G(N) by modifying S as described below. Since S is a maximum matching, we expect that I s"l -< I Sl. However, the construction below generates an S" with I S"l > IS 1, which is a contradiction. To construct S", we start with S and replace the matching edges incident with {P, I i E / } by S'. Since Pk is matched to some Rj in S", but not in S, we have I S " I > I SI. (Recall that S is a maximum matching.) There remains to show that S" is indeed a matching, satisfying the constraints imposed by the labels of the resource nodes. Note that for any j, S" matches the node R~ to zero or more process nodes {P,I i ~ I} (as S ' does) and also to zero or more process nodes {P,I i E N - l } (as S does). The number of process nodes of the former kind is no more than dj(I) and that of the process nodes of the latter kind is no more than ~,eN-x C(i, j). Therefore the total number of process nodes to which S" matches the node Rj is no more than

d:(I) + ~

C(i,j)= ~ C ( i , j ) - t,

tEN--I

ten

= dj(N). It follows that the constraints are satisfied.

Q.E.D.

The following example illustrates the usefulness of this theorem.

Example 3. Consider the example of Figure 1. We first compute dl(N) = 2, dz(N) = da(N) = 1. The graph G(N) associated with the index set N is shown in Figure 2a, where the resource node R1 has label 2 and all other nodes have label 1. A maximum matching is indicated by the thickened edges. (How to obtain a maximum matching will be described in Section 4.) The process node P~ is not matched to any resource node by this maximum matching and therefore, by Theorem 2, the process P5 can never be deadlocked. Now the resource node Rz can be matched to node P5 instead of to node P4 by another maximum matching

276

TIKO KAMEDA

]

2

3

Processes: Pi,P2,P3,P4,P5

1

2

l

0

Resource Types: Ri,R2,R 3

2

0

2

0

3

2

0

l

4

0

2

]

5

0

0

2

t I = 2, t 2 = 4', t 3 = 3

C(i,j) FIG 1

An example system.

I I

2

I

I

I

I

I

(a)

(b) FIG 2

(c)

Applying Theorem 2 to the example of Figure 1.

as shown in Figure 2b. By Theorem 2, the process P4 can never be deadlocked. The maximum matching of Figure 2b can be modified to that of Figure 2c by matching the node R2 to the node Pa instead of to P2. Again, by Theorem 2, the process P2 cannot be deadlocked. Example 3 leads us to an interesting observation. Given a graph with a matching, we call a path consisting alternately of matching and nonmatching edges an alternating path. For example, in Figure 2a the path (P2, Rz) (Rz, P4) (P4, R3) (R3, P~) is an alternating path. COROLLARY I. Let S be a maximum matching which matches a process node Pk to no resource node. I f there is an alternating path with respect to S f r o m a process node P, to Pk, then P~ can never be deadlocked. PROOF. Let S' be the maximum matching obtained from S by interchanging the matching and nonmatching edges on the alternating path from P, to Pk. Then S' matches P, to no resource node and therefore, by Theorem 2, P, can never be deadlocked. Q.E.D. Given a maximum matching S, imagine that the matching (nonmatching) edges are directed from a process (resource) node to a resource (process) node. (The resulting directed graph is somewhat similar to the "resource graph" of Holt [16], the difference being that the edges from resource nodes to process nodes do not exactly correspond to his "assignment edges.") The algorithm presented in the next section eliminates all those nodes of this graph which are reachable from the "sink" process nodes, Le., process nodes with outdegree zero, tracing alternating paths in their reverse direction. This is justified by Corollary 1. (Again, this operation has some resemblance to Holt's "knot" detection algorithm [16].) There is another imphcation of Theorem 1 and Corollary 1 which is not obvious at this point: All processes that can become deadlocked are deadlocked m the state represented

Testing Deadlock-Freedom of Computer Systems

(a)

(b) F1o. 3

277

(c)

Algorithm apphed to the example of F,gure 1

by any maximum matching. Some other results a which follow from Theorems I and 2 play important roles in the extensions of the present work [17, 18].

4. Algorithm In this section we describe an algorithm based on Theorems 1 and 2 for testing the deadlock-freedom of a given process-resource system. A method for finding the maximum matching required in step 2 of the following algorithm is given later in this section, when we analyze the time requirement of the algorithm. The reason why resource nodes can be eliminated as described in step 3 may not be intmtively clear at this point. The correctness of the algorithm is proved later. As before, N and M denote the index sets of the processes and resource types, respectively. Algorzthm Inputs. Claim matrix C ffi [C0, J ) ] ~ N . ~ and the numbers of avadable umts of the resources, {t~lj ~ M}. (!) For each resource type Rj, compute dj(N) ffi ~ N C(i, J) - tj. Remove Rj for whtch aS(N) _< 0 from consideraUon Construct the labeled blparUte graph G(N) with the remaining resource types. (2) Fred a maxunum degree-constrained matching for the Mormon mamage problem on G(N). If the matching is complete, then the system is not deadlock-free (stop), else go to step 3 (3) Pick a process node whtch ~s not mordent on any matching edge Ehminate this node and all the resource nodes, ff any, adjacent to it (Le., those from whtch there is an edge to this node), together with the edges mctdent on those removed resource nodes. Repeat step 3 as many tunes as possible (4) The system is deadlock-free ff and only ff no process node remains.

Example 4. Consider the example of Figure 1 again. Figure 3a shows a maximum matching found in step 2 of the algorithm. Since the matching is not complete, we go to step 3. No matching edge is incident on the node P5 in Figure 3a, so we eliminate P5 together with the node R3 that is adjacent to it and the edges incident on R3, obtaining the graph of Figure 3b. In repeating step 3, we eliminate the nodes P4, R2, and P2 together with the edges incident on them. The system is not deadlock-free since the resulting graph (Figure 3c) contains the nodes P1 and P3 (step 4). Note that we have actually found a deadlock state involving two deadlocked processes P1 and Pz (Figure 3c). THEOREM 3.

The preceding algorithm correctly tests the deadlock-freedom of a given

system. PROOF. Let S be the maximum matching found in step 2. We rename the processes, so that for k = 1, 2 , . . . , Pk denotes the process, if any, eliminated in the kth repetition of step 3 of the algorithm. We shall prove by mathematical induction that for k ffi 1, 2 . . . . . there is a maximum matching Sk for G(N) with the following properties. (1) The node Pk is matched to no resource node by Sk, and 3 For example, tt can be shown that a system is not deadlock-free if and only if there is a nonempty index set I ~ N such that It[ --