A lightweight deadlock analysis for programs with threads and reentrant locks

(1)

HAL Id: hal-02392938

https://hal.inria.fr/hal-02392938

Submitted on 4 Dec 2019

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

publics ou privés.

A lightweight deadlock analysis for programs with

threads and reentrant locks

Cosimo Laneve

To cite this version:

Cosimo Laneve. A lightweight deadlock analysis for programs with threads and reentrant locks.

Science of Computer Programming, Elsevier, 2019, 181, pp.64 - 81. �10.1016/j.scico.2019.06.002�.

�hal-02392938�

(2)

Contents lists available atScienceDirect

Science

of

Computer

Programming

www.elsevier.com/locate/scico

A

lightweight

deadlock

analysis

for

programs

with

threads

and

reentrant

locks

Cosimo Laneve

1

DepartmentofComputerScienceandEngineering,UniversityofBologna–INRIAFocus,Italy

a

r

t

i

c

l

e

i

n

f

o

a

b

s

t

r

a

c

t

Articlehistory: Received5October2018

Receivedinrevisedform11June2019 Accepted14June2019

Availableonline21June2019 Keywords:

Deadlockanalysis Threadsandreentrantlocks Lams

Circularities Staticsemantics

Deadlockanalysis of multi-threaded programs with reentrant locks is complex because theseprograms may haveinfinitely manystates. We define asimple calculus featuring recursion, threads and synchronizations that guarantee exclusive access to objects. We detectdeadlocksbyassociatinganabstractmodeltoprograms–theextendedlam model –andwedefineanalgorithmforverifyingthataproblematicobjectdependency (e.g. a circularity)betweenthreadswillnotbemanifested.

Theanalysisislightweightbecausethedeadlockdetectionproblemisfullyreducedtothe correspondingoneinlams(withoutusingothermodels).Infact,thetechniqueisintended tobe aneffective tool forthe deadlock analysis ofprogramming languages bydeﬁning ad-hocextractionprocesses.Wedemonstratethiseffectivitybyapplyingouranalysistoa corecalculusfeaturingsharedobjects,threadsandJava-likesynchronizationprimitives. Wealsodiscussaprototypeveriﬁer,calledJaDA,thatcoversseveralfeaturesofJavaand deliverinitialassessmentsofthetool.

1. Introduction

Threadsandlocksare acommonmodelofconcurrent programmingthat isnowadayswidelyused bythemainstream programming languages(

Java

,

C#

.

C++

,

Objective

C

, etc.). In theselanguages,deadlocksare ﬂaws that occur when two or morethreads are blockedbecause eachone is attemptingto acquire an object’slock heldby another one.As an example,considerthefollowingmethod

setTable(C x,C y,int n) = (new C z)( if (n=0) then sync(y){ sync(x){ 0 } } else fork{ sync(x){ sync(z){ 0 } } } z.setTable(z,y,n-1)

)

where

new

C

z

createsanewobjectofclass

C

,

fork

{

P

}

Q createsanewthreadwhosebodyis P andrunsitinparallel withthecontinuation Q ,and

sync(x){

P

}

istheoperationlockingtheobject

x

,performing P ,andreleasing

x

when P terminates.Themethod

setTable

createsatable ofn

+

1 threads –thephilosophers –each one sharingan object– thefork –withthenearbyphilosopher.Everyphilosopher,exceptone,grabstheforkonhisleft–theﬁrstargument–and onhisright–thesecondargument–inthisorderandthenreleasesthem.Theexceptionalcaseisthe

then

-branch(

n=0

) wherethegrabbingstrategyisopposite.Itiswell-knownthat,whenthemethodisinvokedwith

x.setTable(x,x,n)

,

E-mailaddress:cosimo.laneve@unibo.it.

1 _Research_partly_supported_by_the_{H2020-MSCA-RISE}_project_ID₇₇₈₂₃₃_{“Behavioural}_Application_Program_Interfaces_(BEHAPI)”.

(3)

nodeadlock willeveroccurbecause atleastone philosopherhasa strategythat isdifferentfromtheotherones. Onthe contrary,ifwechangethe

then

-branchinto

sync(this){

sync(y){

0 }

}

adeadlock mayoccur because philoso-phers’strategiesare allsymmetric.Itisworthtonoticethat

x.setTable(x,x,0)

isdeadlock-freebecauseitjustlocks twicetheobject

x

,whichisadmittedinthemodelwiththreadsandlocks–athreadmayacquireasamelockseveraltimes (lock-reentrancy).

Inordertoensuretermination,currentanalyzers [4,7,1,16,27,28] useﬁniteapproximatemodelsrepresentingthe

depen-dencies between object names. The corresponding algorithms usually return false positives with input

x.setTable(x,x,n)

becausetheyarenotpowerfulenoughtomanagestructuresthatarenotstaticallybounded. In [11,17] we solved this problem for value-passing CCS [21] and pi-calculus [22]. In that case, the technique used two formal models: PetriNets [25] anddeadLockAnalysisModels – lams [12]. The former onesare a well-known model ofconcurrent anddistributedsystems; the latteronesare basic recursive modelsthat collect dependencies andfeatures recursion anddynamic name creation. Inthe pi-calculus analyzer,Petri Netswere used toverify the consistency ofthe communication protocol of every channel, while lams were used for guaranteeing the correctness of the dependencies betweendifferentchannels.Theanalysisalgorithmof [11,17] requiredatoolforverifyingthereachabilityofPetriNetsthat modelchannels’behaviors (whichhasexponentialcomputational complexitywithrespecttothesizeofthenet [15])and a tool foranalyzing lams(which hasexponential computational complexity withrespectto thenumber ofargumentsof functions).

Inthispaperwedemonstratethatitispossibletodeﬁneadeadlockanalyzerforprogramswiththreadsand(reentrant) locksbyonlyusinganextensionoflams.Forexample,thelamfunctioncorrespondingto

setTable

is2

setTable

(

t

,

x

,

y

)

= (

ν

s

,

z

)

(

y

,

x

)

t

+ ((

x

,

z

)

s&

setTable

(

t

,

z

,

y

))

.

Theterm

(

y

,

x

)

t,calleddependency,indicatesthatthethreadt,whichownsthelockof y,isgoingtograbthelockofx.The operation “

+

” and“&”are disjunctionandconjunctionsof dependencies, respectively.The indext of

(

y

,

x

)

t was missing in [12,11,17];ithas beennecessary formodeling reentrant locks.Inparticular,

(

x

,

x

)

isa circularity inthe standardlam model,whilst

(

x

,

x

)

t isnotacircularityintheextendedlammodel becauset canacquirex twice.Therefore,

setTable

(

t

,

x

,

x

)

manifestsacircularityinthemodelof [12,11,17] anditdoesnotintheextendedmodel.Acircularityintheextendedmodel is

(

y

,

x

)

t&

(

x

,

y

)

s,whichdenotesthattwodifferent threadsareattemptingtoacquiretwoobjectsindifferentorder.Thislam gives

(

x

,

x

)

,whichrepresentsacircularity.

Becauseoftheforegoing extension,thealgorithm fordetecting circularitiesinextendedlams isdifferentthantheone in [11,17]. Inparticular, while there is a decisionalgorithm for the presence/absence of circularities instandard lams,in Section 2wedeﬁne an algorithmthat veriﬁestheabsence andis impreciseinsomecases(it mayreturnthat alamwill manifestacircularitywhileitwillnotbethecase–afalsepositive).

Wealsodeﬁneasimplelanguageofconcurrentprogramsfeaturingrecursion,threads,sharedobjectsandsynchronization primitivesinspiredtothoseof

Java

.(Theforegoingmethod

setTable

isatermofourcalculus.)Thesyntax,semantics, andexamplesofthecalculusareinSection3.Section4reportsatypesystemthatassociateslamstoprocesses.Forexample, thetype systemreturnsthelamfunction

setTable

forthemethod

setTable

.Asa byproductofthetype systemand thealgorithmfordetectingcircularitiesinlams,ourtechniquecandetectdeadlocksofprogramslike

setTable

.

In order to deliver initial assessments of our technique, we have extended the basic language in Section 3 to cover severalfeatures of

Java

. InSection 5 we focus on inheritancethat allows classes to be definedassub-classes of other onesby deriving the corresponding method(and field) definitionsand eventually redefinethem (method overriding). In a languagewithinheritance, locating amethod definitionisperformedatrun-timethrougha mechanismcalleddynamic dispatch thatusestheactualvalue ofthecalledobject.Sinceourtechnique extractslamsfromprograms atstatictime,the precisemodeling ofdynamicdispatchisnotfeasible.Wethereforeover-approximatethetypebyreturningthelamfunctions ofeverypossibleoverriddenmethodinthesubclasses.InSection6wealsoanalyzeassignmentsandrecursivedata-types. Theanalysisofotherfeaturesof

Java

canbefoundinGarcia’sPhDthesis [9].Thisanalysisdoesnotaddresscoordination primitives(methods

wait

,

notify

and

notifyAll

)and

Java

concurrentlibraries,suchas

java.util.concurrent

, –seeSection9foradiscussion.

Ourtheoreticaldevelopmentsarecomplementedbyan analyzerprototypecalled

JaDA

[10,19].Whilethetype system inthispapersimplychecksstaticinformation,

JaDA

infers thebehavioral typesfromthe code.Inferenceisimportantin practicebecauseitlightensthe analysisbutcheckingiscrucialfortypesafety.Section 7reportsoninitialassessments of thetool.

Wediscussafew weaknessesofthetechniquesinSection8 andwe pointtorelatedworksandgive some concluding remarksinSection 9.Thepaperalsoincludesanappendixthatcontainsthedemonstrationoftypesafetyforthelanguage ofSection3andthetypesystemofSection4.

Thispapercollectstwoconferencecontributionsaboutdeadlockanalysisof

Java

-likelanguages: [18] and [19].Herewe extend [18] withtheproofoftypesoundnessandwiththediscussionontheextensionsofthebasiccalculusinSection 3.

2 _Actually,_this_is_a_simpliﬁed_form_of_setTable_._The_lam_function_associated_to_setTable_by_the_type_system_in_Section₄_has_two_additional_names

(4)

Withrespectto [19],weadopta differentpresentationstyle.Wediscusstypingrulesforthe

Java

language,whileinthe conferencepaperthefocuswason

Java

bytecode.

2. Lamsandthealgorithmfordetectingcircularities

This sectionextends thetheory developedin [11,17] tocover threadreentrancy.Inparticular, thenewdeﬁnitions are thoseoftransitiveclosureandDeﬁnition2.3.Theorem2.8isnew.

Preliminaries. We usean inﬁniteset

A

ofnames,rangedoverbyx, y,t,s,

· · ·

.Arelationon

A

,denoted

R

,

R

,

· · ·

,isan element of

P(A × A × (A ∪ {,

•}))

,where

P(·)

isthestandardpowersetoperator,

· × ·

isthecartesianproduct,and

,

• ∈

/

A

aretwospecial names.Theelementsof

R

,calleddependencies,aredenotedby

(

x

,

y

)

t,wheret iscalledthread.The name

indicatesthatthedependencyisduetothecontributionsoftwoormorethreads;

•

indicatesthatthedependency isduetoathreadwhosenameisunknown.

Let

–

R

+betheleastrelationcontaining

R

andclosedundertheoperations: 1. if

(

x

,

y

)

t

,

(

y

,

z

)

t

∈ R

+ andt

=

tthen

(

x

,

z

)

∈ R

+;

2. if

(

x

,

y

)

t

,

(

y

,

z

)

t

∈ R

+,t

∈

A ∪ {}

,then

(

x

,

z

)

t

∈ R

+; 3. if

(

x

,

y

)

•

,

(

y

,

z

)

•

∈ R

+,

(

x

,

y

)

•

= (

y

,

z

)

•,then

(

x

,

z

)

∈ R

+.

–

{R

1

,

· · · ,

R

m

}

{R

₁

,

· · · ,

R

n

}

ifandonlyif,forall

R

i,thereis

R

_jsuchthat 1. if

(

x

,

y

)

t

∈ R

i,t

∈

A

,then

(

x

,

y

)

t

∈ R

j+

2. if

(

x

,

y

)

∈ R

itheneither

(

x

,

y

)

∈ R

j+orthereist

∈

A

suchthat

(

x

,

y

)

t

∈ R

j+; 3. if

(

x

,

y

)

_•

∈ R

i theneither

(

x

,

y

)

•

∈ R

j

+_or_there_is_t

_∈

_A

_such_that

₍

_x

_,

_y

₎

t

∈ R

_j+. –

{R

1

,

· · · ,

R

m

}

&

{R

1

,

· · · ,

R

n

}

def

= {R

i

∪ R

j

|

1

≤

i

≤

mand 1

≤

j

≤

n

}

.

Weuse

R,

R

,

· · ·

torangeover

{R

1

,

· · · ,

R

m

}

,whichareelementsof

P(P(A × A × (A ∪ {,

•})))

.

The names

and

•

aremanaged inanad-hocwayinthetransitiveclosure

R

+ andintherelation

.Inparticular,if

(

x

,

y

)

t and

(

y

,

z

)

t belongtoarelationandt

=

t,thedependencyobtainedby transitivity,e.g.

(

x

,

z

)

,recordsthatithas beenproduced byacontributionoftwodifferentthreads–thisisimportantforseparatingcircularities,e.g.

(

x

,

x

)

,from lockreentrancy,e.g.

(

x

,

x

)

t.Thename

•

copeswithanotherissue:itallowsustoabstractawaythreadnamesthatarecreated inside methods.For thisreasonthetransitivedependency of

(

x

,

y

)

_• and

(

y

,

z

)

_• is

(

x

,

z

)

because thethreads producing

(

x

,

y

)

•and

(

y

,

z

)

•mightbedifferent.Themeaningof

R R

isthat

R

is“moreprecise”withrespecttopairs

(

x

,

y

)

:ifthis pairisindexedwitheither

or

•

insome

R

∈

R

then itmaybeindexedbyat (t

=

)inthecorresponding(transitive closure)relationof

R

.Forexample

{ {(

x

,

y

)

_•

,

(

y

,

z

)

_•

,

(

x

,

z

)

} } { {(

x

,

y

)

t

,

(

y

,

z

)

t

} }

and

{

{(

x

,

x

)

•

} } { {(

x

,

x

)

t

,

(

x

,

x

)

t

}

.

Deﬁnition2.1.Arelation

R

hasacircularity if

(

x

,

x

)

∈ R

+forsomex.Asetofrelations

R

hasacircularity ifthereis

R

∈

R

thathasacircularity.

Lams. Inourtechnique,dependenciesareexpressedbymeansoflams [12],noted

,whosesyntaxis

::=

0

| (

x

,

y

)

t

| (

ν

x

)

|

&

| + | f(

x

)

The term0istheempty type;

(

x

,

y

)

t speciﬁesadependencybetweenthenamex andthename y thathasbeencreated by (thethread)t.Theoperation

(

ν

x

)

createsanewname x whosescope isthetype

; theoperations

&

and

+

deﬁnetheconjunctionanddisjunctionofthedependenciesin

and

,respectively.Theoperators

+

and& areassociative and commutative; theoperator & has precedence over

+

. The term

f

(

x

)

deﬁnes the invocationof

f

witharguments x. Theargumentsequencex hasalwaysatleasttwoelementsinourcase:theﬁrstelementisthethreadthatperformedthe invocation,thesecondelementisthelastobjectwhoselockhasbeenacquiredbyit.

Alamprogram isapair

L ,

,where

L

isaﬁniteset offunctiondeﬁnitions

f

(

x

)

=

f

with

f beingthebody of

f

,and

isthemainlam.Wealwaysassumethat(i)x isasequenceofpairwisedifferentnames

and(ii)

f

= (

ν

z

)

f where

fhasno

ν

-binder.Theconstraint(ii)alsoappliesto

and,wheneverwewrite

L ,

(

ν

x

)

wealwaysmeanthat

hasno

ν

-binder.Thefunction

setTable

intheIntroductionisanexampleofalamfunction.

Letalamcontext,noted

L

[ ]

,beatermderivedbythefollowingsyntax:

L

[ ] ::= [ ]

|

&

L

[ ]

|

+ L[ ]

Asusual

L

[]

isthelamwheretheholeof

L

[ ]

isreplacedby

.Weremarkthat,accordingtothesyntax,lamcontextshave no

ν

-binder.

(5)

Sincerelations

R

are collectionsofdependencies, withanabuseofnotation, we oftenuse

R

and&(x,y)t∈R

(

x

,

y

)

t

inter-changeably,allowing thecontexttodisambiguate whetherwe meana relationora lam.Forexample,wewilloftenwrite

L

[R]

meaningthe lam

L

[

&(x,y)t∈R

(

x

,

y

)

t

]

.Similarly, whenwewrite

R

{

y

/

x

}

,we maymeaneithertherelation

R

wherethe occurrencesofx inthedependencieshavebeenreplacedby y orthelam

(

&(x,y)t∈R

(

x

,

y

)

t

)

{

y

/

x

}

.

The operational semanticsof a lamprogram

L ,

(

ν

x

)

is a transitionsystemwhere states are lams,the transition relation isthesmallesttransitionrelationinducedbythefollowingrule

(Red)

f

(

x

)

= (

ν

z

)

f

∈

L

zare fresh

L

[f(

u

)

] −→ L[

f

{

z

/

z

}{

u

/

x

}]

withinitialstate

.Wewrite

−→

∗ forthereﬂexiveandtransitiveclosureof

−→

.

Forexample,if

f

(

t

,

x

)

= (

ν

s

,

z

) ((

x

,

z

)

t&

f

(

s

,

z

))

then

f

(

t

,

x

)

−→ (

x

,

z

)

t&

f

(

t

,

z

)

,where t andz are freshnames. By continuingtheevaluationof

f

(

t

,

x

)

,thereadermayobservethat(i)everyinvocationcreatesnewfreshnamesand(ii)the evaluationdoesnot terminatebecause

f

is recursive.Thesetwo points implythata lammodelmayhave inﬁnitestates, whichmakestheanalysisnontrivial.

Flatteningandcircularities. Lamsrepresentelements oftheset

P(P(A × A × (A ∪ {,

•})))

.Thispropertyisdisplayed by thefollowingﬂatteningfunction.Let

L

bea setoffunctiondeﬁnitionsandlet I

(

·)

,calledﬂattening, bea functionon lams that(1)maps functionname

f

deﬁnedin

L

to elements of

P(P(A × A × (A ∪ {,

•})))

and(2)isdeﬁnedon lamsasfollows

I

(

0

)

= {∅},

I

((

x

,

y

)

t

)

= {{(

x

,

y

)

t

}},

I

(

&

)

=

I

()

&I

(

),

I

(

+

)

=

I

()

∪

I

(

),

I

((

ν

x

) )

=

I

()

{

x

_/

x

}

with xfresh

,

I

(f(

u

))

=

I

(f)

{

u

_/

x

}

(where x are the formal parameters of

f

)

.

Let I⊥ be themap suchthat, forevery

f

deﬁnedin

L

, I⊥

(f)

= {∅}

.Forexample,let

setTable

be thefunctioninthe Introductionandlet

I

(setTable)

= {{(

y

,

x

)

t

}} = setTable(

t

,

x

,

y

)

&

(

x

,

y

)

s

+ (

x

,

y

)

s

.

Then I

()

=

{(

y

,

x

)

t

,

(

x

,

y

)

s

}, {(

x

,

y

)

s

}

,

I⊥

()

=

{(

x

,

y

)

s

}

.

Deﬁnition2.2.Alam

hasacircularity if I⊥

()

hasa circularity. Alam program

L ,

(

ν

x

)

hasacircularity if thereis

−→

∗

and

hasacircularity.

Forexampletheabovelam

hasacircularitybecause

setTable

(

t

,

x

,

y

)

&

(

x

,

y

)

s

+ (

x

,

y

)

s

−→ ((

y

,

x

)

t

+ (

x

,

z

)

s&

setTable

(

t

,

z

,

y

))

&

(

x

,

y

)

s

+ (

x

,

y

)

s

=

andI⊥

(

)

hasacircularity.

Fixpointdeﬁnitionoftheinterpretationfunction. Our algorithm relieson the computation oflam functions’ interpretation, whichisdonebyastandardﬁxpointtechnique.

Let

L

be the set

f

i

(

xi

)

= (

ν

zi

)

i, withi

∈

1

..

n.Let A

=

i∈1..nxi and

be a specialname that doesnot occur in

L ,

.Weusethedomain

P(P((

A

∪ {})

× (

A

∪ {}) × (

A

∪ {,

•}))), ⊆

whichisaﬁnite lattice [5].

Deﬁnition2.3.Let

f

_i

(

xi

)

= (

ν

zi

)

i, with i

∈

1

..

n, be the function deﬁnitions in

L

. The family of ﬂattening functions I(k)_L

: {f

1

,

· · · ,

f

n

} →

P(P((

A

∪ {})

× (

A

∪ {}) × (

A

∪ {,

•})))

isdeﬁnedasfollows I_L(0)

(f

i

)

= {∅}

I_L(k+1)

(f

i

)

= {proj

_xzi i

(R

+

₎

_{| R ∈}

_I(k) L

(

i

)

}

where

proj

z x

(R)

def

=

{(

u

,

v

)

t

| (

u

,

v

)

t

∈ R

and u

,

v

∈

x and t

∈

x

∪ {}}

∪ {(, )

| (

u

,

u

)

∈ R

and u

∈

/

x

}

∪ {(

u

,

v

)

_•

| (

u

,

v

)

t

∈ R

and u

,

v

∈

x and t

∈

z

}

(6)

Wenoticethat I(_L0)isthefunctionI⊥.LetusanalyzethedeﬁnitionofI(k_L+1)

(f

i

)

and,inparticular,thefunction

proj

:

•

ﬁrstofall,noticethat

proj

appliestothetransitiveclosuresofrelations,whichmayhavenamesin A,zi,

,

•

and

;

•

thetransitiveclosureoperationiscrucialbecauseacircularitymayfollowwiththekeycontributionoffreshnames.For instancethemodelof

f

(

x

)

= (

ν

t

,

t

,

z

) (

x

,

z

)

t&

(

z

,

x

)

t is

{{(

x

,

x

)

}}

;themodelof

g

()

= (

ν

t

,

t

,

x

,

y

) (

x

,

y

)

t&

(

y

,

x

)

t is

{

{(,

)

}

(thisisthereasonwhyweusethename

);

•

everydependency

(

u

,

v

)

t

∈ proj

z_x

(R)

issuchthatu

,

v

∈

x,exceptfor

(,

)

.Forexample,if

f

(

x

,

y

)

= (

ν

s

,

z

) ((

x

,

y

)

s&

(

x

,

z

)

s

)

then,ifwe invoke

f

(

u

,

v

)

we obtain

(

u

,

v

)

t&

(

u

,

z

)

t,wheret andz arefreshobjectnames. Thislammay be simpliﬁed because, being z fresh and unknown elsewhere, the dependency

(

u

,

z

)

t will never be involved in a circularity. For example,ifwe have

= (

v

,

u

)

t&

f

(

u

,

v

)

then we maysafely reasonon

-simpliﬁed

(

u

,

v

)

t&

(

u

,

v

)

t. Forthisreasonwedropthedependenciescontainingfreshnamesaftertheircontributiontothetransitiveclosurehasbeen computed;

•

the sameargumentdoesnot applyto namesusedasthreads.Forexample,intheabove

-simpliﬁedlamwecannot drop

(

u

,

v

)

t becausetisfresh. Infact,thecontext

(

v

,

u

)

t&

(

u

,

v

)

t givesacircularity. Therefore,dependencieswhose threadnamesarefreshmustbehandledinadifferentway.Wetakeasimplesolution:thesedependenciesallhave

•

asthreadname.Thatis,weassume thatthey areallgeneratedby thecontributionofdifferentthreads.Forexample,

g

(

x

,

y

)

= (

ν

t

) (

x

,

y

)

t.Then, I(_L1)

(g

)

= {

{(

x

,

y

)

•

}

.

Example2.4.Theﬂatteningfunctionsof

setTable

are

I(_L0)

(setTable)

= {∅}

I(_L1)

(setTable)

= { {(

y

,

x

)

t

} }

Asanotherexample,considerthefunction

g

(

x

,

y

,

z

)

= (

ν

t

,

u

) (

x

,

y

)

t&

g

(

y

,

z

,

u

)

.Then:

I(_L0)

(g)

= {∅}

I(_L1)

(g)

= { {(

x

,

y

)

•

} }

I(_L2)

(g)

= { {(

x

,

y

)

_•

, (

y

,

z

)

_•

, (

x

,

z

)

} }

Proposition2.5.Let

f

(

x

)

= (

ν

z

)

f

∈

L

. 1. Forevery k,I(k)_L

(f)

∈

P(P((

x

∪ {}) × (

x

∪ {})

× (

x

∪ {,

•})))

. 2. Foreveryk,I(k)_L

(f)

I(k_L+1)

(f)

.

Proof. (1)followsbydeﬁnition.Asregards(2),weobservethat I

()

ismonotoniconI.Thatis,ifI andIaretwoﬂattening functions such that, for every

f

, I

(f)

I

(f)

then it ispossible to demonstrate by a standard structuralinduction that I

()

I

()

.Aninductiononk givesI(k)_L

(f)

I(k_L+1)

(f)

.

2

Since,foreveryk,I(k)_L

(f

i

)

rangesoverafinitelattice,bythefixpointtheory [5],thereexistsm suchthatI_L(m)isafixpoint, namelyI(m)_L

≈

I(m_L+1)where

≈

istheequivalencerelationinducedby

.Inthefollowing,welet I_L,calledtheinterpretation function (ofalam),betheleastﬁxpointI_L(m).InExample2.4,I_L(1)istheﬁxpointof

setTable

andI_L(2)istheﬁxpointof

g

.

Proposition2.6.Let

L

bealamcontext,

bealamwithno

ν

binder,andI

(

·)

beaﬂattening.Thenwehave: 1. I

(L

[])

hasacircularityifandonlyifI

(L

[R])

hasacircularityforsome

R

∈

I

()

.

2. Let

f

(

x

)

= (

ν

z

)

f

∈

L

and

R ∈

I

(

f

{

z

/

_z

})

withzfresh.IfI

(L

[R{

u

_/

x

}])

hasacircularitythenI

(L

[(proj

xz

(R

+

))

{

u

/

x

}])

hasa circularity.

Proof. Property1followsfromthedeﬁnitions.Tosee2,weuseastraightforwardinductionon

L

.Weanalyzethebasiccase

L = [

]

:thegeneralcasefollowsbyinduction.Let

R ∈

I

(

f

{

z

/

_z

})

suchthat

R

{

u

_/

x

}

hasacircularity.Therearetwocases:

• (

v

,

v

)

∈ R

+.Bydeﬁnitionof

proj

z x

(R

+

)

either

(

v

,

v

)

∈ proj

z x

(R

+

)

,whenv

∈

/

z,or

(,

)

∈ proj

z x

(R

+

)

,otherwise. Inthiscasethestatement2followsimmediately.

• (

v

,

v

)

∈ R{

u

_/

x

}

+. Bydeﬁnitionoftransitiveclosure

R

{

u

/

x

}

+

= (R

+

)

{

u

/

x

}

.Then thereisadependency

(

x1

,

x2

)

∈ R

+

suchthat

(

x1

,

x2

)

{

u

/

_x

} = (

v

,

v

)

.Bydeﬁnitionof

proj

,

(

x1

,

x2

)

∈ proj

zx

(R

+

)

.Therefore

proj

z

x

(R

+

)

{

u

/

x

}

hasalsoa circularity.

2

(7)

Lemma2.7.Let

L = {f

1

(

x1

)

= (

ν

z1

)

1

,

· · · ,

f

n

(

xn

)

= (

ν

zn

)

n

}

andlet

L

[f

_i₁

(

u1

)

] · · · [f

im

(

um

)

] −→

m

_L

_[

i1

{

z 1

/

_z i1

}{

u1

/

xi1

}] · · · [

im

{

zm

/

_z im

}{

um

/

xim

}]

where

L

[·]

· · · [·]

isamultiplecontextwithoutfunctioninvocations. IfI_L(k)

(L

[

i1

{

z 1

/

_z i1

}{

u1

_/

xi1

}]

· · · [

im

{

zm

/

_z im

}{

um

_/

xim

}])

hasacircularitythenI

(k+1)

L

(L

[f

i1

(

u1

)

]

· · · [f

im

(

um

)

])

hasalsoacircularity.

Proof. Toshowtheimplicationsupposethat

I_L(k)

(L

[

i1

{

z 1

/

zi1

}{

u1

_/

xi1

}] · · · [

im

{

zm

/

zim

}{

um

_/

xim

}])

hasacircularity.ByrepeatedapplicationsofProposition2.6(1),thereexists

R

_j

∈

I_L(k)

(

i1

{

z

j

/

_z ij

}{

uj

_/

xij

})

with1

≤

j

≤

m such

that I_L(k)

(L

[R

1

]

· · · [R

m

])

hasa circularity. It is easy to verifythat every

R

j maybe written as

R

_j

{

uj

_/

xij

}

, forsome

R

j. By repeatedapplicationofProposition2.6(2),wehavethat

I_L(k)

(L

[proj

z_xi1 i1

(R

1+

)

{

u1

/

x1

}] · · · [proj

z_im xim

(R

m+

)

{

um

/

xm

}])

hasacircularity.Since,forevery1

≤

j

≤

m,

proj

z_xi j i j

(R

j+

)

{

u1

/

x1

} ∈

I (k+1) L

(f

ij

(

uj

))

andsince

L

hasnofunctioninvocation,wederivethat I_L(k+1)

(L

[f

i1

(

u1

)

]

· · · [f

im

(

um

)

])

hasalsoacircularity.

2

Unlike [11,17],Lemma2.7isstrictinourcase,foreveryk.Forexample,consider

h

(

x

,

y

,

z

)

= (

ν

t

) (

x

,

y

)

t&

(

y

,

z

)

t

.

Then,whenk

≥

1,I(k)_L

(h)

= {

{(

x

,

y

)

•

,

(

y

,

z

)

•

}

.Noticethat I_L(k)

(h(

x

,

y

,

x

))

= {

{(

x

,

y

)

•

,

(

y

,

x

)

•

}

,whichhasacircularity–see Deﬁnition2.1.However

I_L(k)

((

x

,

y

)

t&

(

y

,

x

)

t

)

= { {(

x

,

y

)

t

, (

y

,

x

)

t

, (

x

,

x

)

t

} }

hasnocircularity(thisisacaseofreentrantlock).

Theorem2.8.Let

L ,

(

ν

x

)

bealamprogramand

−→

∗

.IfI_L

(

)

hasacircularitythenI_L

()

hasalsoacircularity.Therefore

L ,

hasnocircularityifI_L

()

hasnocircularity.

Proof. Let

haveacircularity.Hence,bydeﬁnition,I⊥

(

)

hasacircularityand,sinceI⊥

(

)

=

I_L(0)

(

)

,byProposition2.5(2) I(_L0)

(

)

I_L

(

)

.Therefore I_L

(

)

hasalsoacircularity.Then,byLemma2.7,since I_L istheﬁxpoint interpretation func-tion,I_L

()

hasalsoacircularity.

2

Ouralgorithmforverifyingthat alamwillnever manifestacircularity consistsofcomputingI_L

(f)

,forevery

f

,and I_L

()

, where

is the main lam.As discussed in thissection, I_L

(f)

uses a saturation technique onnames based on a powersetconstruction. Henceit hasacomputational complexity thatis exponential onthenumberofnames. Weremind thatthenamesweconsiderarethearguments oflamfunctions(thatcorrespondstomethods’arguments),whichareusually notsomany.Infact,thisalgorithmisquiteeﬃcientinpractice [10].

3. Thelanguageanditssemantics

Inthis sectionwe deﬁne a simpleprogrammingmodel ofconcurrent object-oriented languagesfeaturing threadsand objectsynchronizations(thereadermayeasilyrecognizethebasicoperationsofthreadcreationandsynchronizationused in

Java

and

C#

).Wegiveadescriptionofhowdeadlockmaybeidentiﬁed,anddiscussfewexamples.Thefollowingsection containsthetypesystemthatassociateslamstotheprograms.

Ourmodelhastwodisjointcountable setsofnames: thereare integerandobjectnames,rangedover by x

,

y

,

z

,

t

,

s

,

· · ·

, andmethodnames,rangedoverby

m

,

n

,

· · ·

.Aprogram isatuple

C

1

D

1

,

· · · , C

n

D

n

,

P

where

D

iareﬁnitesets ofmethodnamedeﬁnitions

m

(T

x

)

=

Pm,with

T

x beingtheformalparameters x andtheirtypes

T

and

Pmbeingthebody of

m

;weassumethatmethodnamedeﬁnitionshaveanimplicitformalparameter

C

ithis whichrefersto thecarrier.Theprocess P isthemainprocess.Types

T

areeitherintegers

int

or

C

i.

(8)

Thesyntaxofprocesses P andexpressionse isdeﬁnedbelow

P

::=

0

| (new C

x

)

P

| fork{

P

}

P

| if

e

then

P

else

P

|

x

.m(

e

)

| sync(

x

)

{

P

}

e

::=

x

|

v

|

e

op

e

Aprocesscanbetheinertprocess0,orarestriction

(new C

x

)

P thatbehaveslike P exceptthattheexternalenvironment cannot accesstothe object x of class

C

,orthe spawn

fork

{

Q

}

P of anew thread Q bya process P , ora conditional

if

e

then

P

else

Q thatevaluatese andbehaveseitherlikeP orlike Q dependingonwhetherthevalueis

=

0 (true)or

=

0 (false),oraninvocationx

.m(

e

)

ofthemethod

m

withcarrierx andactualparameterse.Thelastprocessis

sync

(

x

)

{

P

}

thatexecutes P withexclusiveaccesstox.

Anexpressione canbeanamex,anintegervalue v,oragenericbinaryoperationonintegers

op

,where

op

ranges over a set includingthe usual operators like

+

,

≤

,etc. Integer expressions without names(constantexpressions) may be evaluatedtoanintegervalue(thedeﬁnitionoftheevaluationofconstantexpressionsisomitted).Let

J

e

K

betheevaluation of an expression e:

J

e

K

is undeﬁned whene is an integer expression that contains integer names;

J

x

K =

x when x is a non-integername.

To deﬁne the semantics ofthe above language, we usestates, ranged overby

P

,that are multisets of threads P

• σ

, where

σ

isa(possiblyempty)sequenceofobjectnamesrepresentingthelocksthattheprocess P hasalreadygrabbed(in order, fromtheleft toright).When P terminates,thelocksof

σ

mustbeall released.Thethread P

• σ

isreentrant onx when

σ

contains atleasttwo occurrencesofx. Weusually write statesas P1

• σ

1

| · · · |

Pn

• σ

n andsometimeshorten theminto

_i_∈₁_..nPi

• σ

i.Wewritex

∈ P

if

P

contains

σ

andx occursin

σ

.Sincestatesaremultiset,weidentifythosethat are equalup-toassociativityandcommutativity of

|

.Emptysequences

σ

are written

ε

.Inorderto easethedeﬁnitions, wewillusefewnotationalconventions

•

Object names are partitioned into inﬁnitely countable disjoint sets that are addressed by class names. The notation z

=

fresh

(C)

statesthatz isafreshnameintheset

C

(e.g. z doesnotoccurinthestate).

•

Wemakeexplicitthatz isanameintheset

C

bywritingz

∈ C

.

•

Ifaprogram

hasapair

C

D

suchthat

D

containsamethod

m

(T

x

)

=

P thenwewrite

C

.m(T

x

)

=

P

∈

.

Deﬁnition3.1.Theoperationalsemantics of a program

=

C

1

D

1

,

· · · ,

C

n

D

n

,

P

isa transitionsystemwherethe initial stateis P

• ε

,andthetransitionrelation

−→

istheleastoneclosedundertherules:

(Zero) 0

• σ

−→

(NewO) z

=

fresh

(C)

(new C

x

)

P

• σ

| P −→

P

{

z

/

x

} •

σ

| P

(NewT)

fork

{

P

}

Q

• σ

−→

P

• ε

|

Q

• σ

(IfT)

[[

e

]] =

0

if

e

then

P

else

Q

• σ

−→

P

• σ

(IfF)

[[

e

]] =

0

if

e

then

P

else

Q

• σ

−→

Q

• σ

(Call)

J

e

K =

v x

∈ C C.m(T

z

)

=

P

∈

x

.m(

e

)

• σ

−→

P

{

x,v

/

this,z

} •

σ

(Sync) x

∈ P

/

sync

(

x

)

{

P

} •

σ

| P −→

P

• σ

·

x

| P

We oftenomit the subscript of

−→

when it isclear fromthe context. We write

−→

∗ for the reﬂexive andtransitive closureof

−→

.

Wediscusstherelevantrules.Rule (Zero) modelstermination:everylocktakenbythethreadisreleasedandthethread disappears fromthe state(which isa multiset). Thisisbecause,accordingto thesyntax, thereis nocontinuation inthis case. Rule (NewO) creates a newobjectofclass

C

: we simply take aname that doesnot occurin thestate, replace the bound namewiththefreshone,andremovethebinder.Weobservethattherenamingonlyapplies to P :beingx new,it cannot havebeenalreadylocked(

σ

isnot inthescope oftherenaming).Rule (NewT) spawnsa newthread thathasan empty sequenceoflocks(because ithasnotperformedanysynchronizationsofar).Rule (Call) dispatchestheinvocation totherightmethoddeﬁnitionandexecutesthemethodbodyoncetheformalparametershavebeenreplacedbytheactual ones. Rule (Sync) modelssynchronizations.Athreadmaylockx provideditisnotalreadylockedby anotherthreadinthe state–premisex

∈ P

/

.Weobservethatx mayoccurin

σ

,thatisathreadmaylockx severaltimes(threadreentrancy).

(9)

Ourbasicprogrammingmodeldoesnotretaintheexplicitinstructionforsequentialcomposition,e.g. P

;

Q .However, thisoperationmaybeeasilyencodedusingsynchronizations:

(new C

x

) sync(

x

)

{ fork{sync(

x

)

{

Q

}}

P

}

Thatis,wesequentialize P and Q byletting P to acquire thelockofanewobject x before spawning Q . Inturn Q will beginafter theterminationof P becausethelockofx isgrabbedbyit.Accordingtoourrules,wehave

(new C

x

) sync(

x

)

{ fork{sync(

x

)

{

Q

}}

P

} •

σ

−→ sync(

x

)

{ fork{sync(

x

)

{

Q

}}

P

} •

σ

−→ fork{sync(

x

)

{

Q

}}

P

• σ

·

x

−→

P

• σ

·

x

| sync(

x

)

{

Q

} •

ε

and,byrule (Sync),Q cannotstartaslongasxislockedby P .

Deﬁnition3.2(Deadlock-freedom).Aprogram

C

1

D

1

,

· · · ,

C

n

D

n

,

P

isdeadlock-free ifthefollowingconditionholds:

whenever P

• ε

−→

∗

P

and

P

= sync(

x

)

{

Q

} •

σ

| P

then there exists

P

such that

P

−→ P

.

Example3.3.Weselectthreeprocessesanddiscusstheirbehaviors,highlightingwhethertheydeadlockornot:

• fork{

sync

(

x

)

{

sync

(

y

)

{

0

} }}

sync

(

x

)

{

sync

(

y

)

{

0

} }

.Thisprocessspawnsathreadthatacquirethelocksofx and y in thesameorder ofthemainthread:nodeadlockwilleveroccur.

•

Onthecontrary,theprocess

fork

{

sync

(

y

)

{

sync

(

x

)

{

0

} }}

sync

(

x

)

{

sync

(

y

)

{

0

} }

spawnsathreadacquiringthelocks inreverseorder.Thisisacomputationgivingadeadlock:

fork

{

sync

(

y

)

{

sync

(

x

)

{

0

} }}

sync

(

x

)

{

sync

(

y

)

{

0

} } •

ε

−→

sync

(

y

)

{

sync

(

x

)

{

0

} } •

ε

|

sync

(

x

)

{

sync

(

y

)

{

0

} } •

ε

−→

sync

(

x

)

{

0

} •

y

|

sync

(

x

)

{

sync

(

y

)

{

0

} } •

ε

−→

sync

(

x

)

{

0

} •

y

|

sync

(

y

)

{

0

} •

x

•

Thefollowingmethod

m

(C

x

, C

y

, int

n

)

=

if

(

n

=

0

) then fork

{

sync

(

y

)

{

sync

(

x

)

{

0

} }}

sync

(

y

)

{

0

}

else

sync

(

x

)

{

this

.m(

x

,

y

,

n

−

1

)

}

performsn-nestedsynchronizationsonthis (reentrancy)andthenspawnsathreadacquiringthelocks y andx inthis order,while themain threadacquire thelock y.Thismethoddeadlocksforevery n

≥

1,howeveritnever deadlocks whenn

≤

0.

4. Staticsemantics

Environments,rangedoverby

,containthetypesofobjects,e.g. x

: C

,thetypeofintegervariablese.g. x

: int

,andthe typesofmethodnames,e.g.

C

.m

: [T]

.Withoutlossofgenerality,inmethoddeﬁnitionsofFig.1weorderformalparameters ofmethods:thoseoftypeclassareinfrontofthoseoftypeinteger.Therefore

(C.m)

willhaveshape

[C

,

int

]

.

Letdom

()

bethedomainof

andlet

• ,

x

:T

,whenx

∈

/

dom

()

(,

x

:T)(

y

)

def

=

T

if y

=

x

(

x

)

otherwise

• +

_,_when_x

_∈

_dom

₍₎

_∩

_dom

₍

₎

_implies

₍

_x

₎

₌

₍

_x

₎

_:

(

+

)(

x

)

def

=

⎧

⎨

⎩

(

x

)

if x

∈

dom

()

(

x

)

if x

∈

dom

(

)

undeﬁned otherwise

(10)

Processes: (T-Zero) ;σt0: (σ)t (T-New) ,x:C;σtP: x∈/σ ;σt(new Cx)P: (νx) (T-Sync) ;σ·xtP: ;σtsync(x){P} : (T-If) te: int ;σtP: ;σtP: ;σtifethenPelseP: + (T-Par) ;σtP: ,t: Thread,u: Obj;utP: ;σtfork{P}P: &(νt,u) (T-Call) (x)= C (C.m) = [C_{, int}_]_u_{: C} _e_{: int}

;σ·ztx.m(u,e): fC.m(t,z,x,u)&(σ·z)t Expressions: (T-Int) v_{: int} (T-Var) ,x_{: T}x_{: T} (T-Op) e_{: int}e_{: int} eope: int (T-Seq) (ei: Ti)i∈1..n e1,. . .,en: T1,. . ., Tn Programs: (T-Prog) _{= {C.m : [C}, int_{] | C.m(C}x, inty)₌P_C_.m_{∈ }}

,this_{: C,}x_{: C},y_{: int,}t_{: Thread,}u_{: Obj;}utPC.m: C.m

C.m(Cx,inty)=P_C_.m∈ L =_C_.m(_C_x_,int_y₎₌_P

C.m∈{fC.m

(t,z,this,x)= C.m}

,t: Thread,u: Obj;ut.main:

 :L ,

Fig. 1. The type system (we assume a function namefC.mfor every method namemof classC).

Letalso

(

x1

· · ·

xn

·

xn+1

)

t def

=

⎧

⎨

⎩

0 if n

=

0

(

x1

· · ·

xn

)

t if xn+1

∈ {

x1

,

· · · ,

xn

}

(

x1

· · ·

xn

)

t&

(

xn

,

xn+1

)

t otherwise Thestaticsemanticshasthreejudgments:

•

e

: T

–theexpressione hastype

T

in

;

• ; σ

tP

:

–thethreadP withnamet haslam

in

; σ

.Weassumethattheclassoft isapredeﬁnedclass

Thread

and

containsthebindingst

: Thread

;

• :

L ,

theprogram

haslamprogram

L ,

in

.

In addition to

Thread

, thestatic semanticsalso usesanother predeﬁnedclass, called

Obj

. The objectsof thisclass are used fortyping newthreads (cf. rule (T-Par) inFig.1;thisexpedientallowsusto havea simplerrulefortyping function invocations.

Fewnotationalconventionsareinorder.When

=

C

1

D

1

,

· · · ,

C

n

D

n

,

P

,welet

.

main

=

P andwewrite

C

i

.m(T

x

)

=

P

C

i.m

∈

whenever

D

i contains

m

(

T x

)

=

P

C

i.m.

ThetypesystemisdeﬁnedinFig.1.Afewkeyrulesarediscussed.Rule (T-Zero) typestheprocess0inathreadt that haslockedtheobjectsin

σ

in(inverse)order.Thelamistheconjunctionofdependenciesin

σ

withthreadt –cf. notation

(

σ

)

t.Rule (T-Sync) types the critical section P with a sequence oflocks extended with x. Rule (T-Par) typesa parallel composition ofprocessesbycollectingthelamsofthecomponents.Weuseanewnamet forthespawnedthreadanda newnameufortheobjectthatisalreadygrabbedbyt.Thisobjecthasclass

Obj

.(Accordingtoourconvention,whenwe write

,

t

: Thread,

u

: Obj

weassumethatt

,

u

∈

/

dom

()

.)Rule (T-Call) typesamethodnameinvocationintermsofa (lam)functioninvocationandconstrainsthetypesofactualargumentstomatchwiththetypesofformalparametersinthe methoddeclaration.Theargumentsofthelamfunctioninvocationareextendedwiththethreadnameofthecallerandthe nameofthelastobjectlockedbyit(andnotyetreleased).Inadditionwealsoconjunctthedependencies

(

σ

·

x

)

t created by thecallerbecausethemethodinvocationruninathreadthat holdsthoselocks.Thisrulemustbereadinconjunction

(11)

with (T-Prog). (T-Prog) associatesalamfunctiontoeverymethod–c.f. itssecondandthirdpremises.Thebodyofthelam function isdeﬁnedby typing the bodyof themethodin thehypotheticalcontext wherethe threadonly owns one lock, which isgivenasargument ofthelam function.Ofcourse, thisis not thegeneralcase: amethod maybe invokedby a threadthatgrabsmanylocks.Toaddressthegeneralcasewe recordthelastobjectsynchronizedbythethreadandbuild thedependenciesoftheinvocationstartingfromit.Itturnsoutthat takingthesedependenciesinconjunctionwiththose ofthecaller–seerule (T-Call) –doessuﬃceforkeepingtrackoftheoveralldependencies(seePropositionA.1).Because ofthistechnicality,werequirethateverythread,eventhosethatarejustcreated,locksatleastoneobject.

Example4.1.Letusshowthetypingofthemethod

setTable

intheIntroduction.Let

= C.setTable : [C, C, int],

this

: C,

x

: C,

y

: C,

n

: int,

t

: Thread,

u

: Obj

P

= sync(

y

)

{ sync(

x

)

{

0

} }

Q

= fork{sync(

x

)

{ sync(

z

)

{

0

} }}

z

.setTable(

z

,

y

,

n

−

1

)

Then

,

z

: C;

u

·

y

·

x

t0

:

1

= (

u

,

y

)

t&

(

y

,

x

)

t

,

z

: C;

u

·

y

t

sync

(

x

)

{

0

} :

1

,

z

: C;

u

t P

:

1

(

∗)

,

z

: C;

u

t Q

:

2

,

z

: C;

u

t

if

n

=

0

then

P

else

Q

:

1

+

2

;

u

t

(new C

z

) (if

n

=

0

then

P

else

Q

)

: (

ν

z

) (

1

+

2

)

where

(

∗)

arethetwoprooftrees

· · ·

,

z

: C;

u

tz

.setTable(

z

,

y

,

n

−

1

)

:

2 and

· · ·

,

z

: C,

t

: Thread,

u

: Obj;

w

t

sync

(

x

)

{ sync(

z

)

{

0

} } :

2

(asanexercise,thereadermaytrytocompletethem).Byrule (T-Par),wederive

2

=

2&

(

ν

t

,

u

)

2.Aftercompletingthe prooftree,oneobtainsthelamfunction

setTable

(

t

,

u

,

this

,

x

,

y

)

=

(

ν

z

,

t

,

u

)

(

u

,

y

)

t&

(

y

,

x

)

t

+ (

u

,

x

)

t&

(

x

,

z

)

t&

setTable

(

t

,

u

,

x

,

z

,

y

)

whichhastwo additionalargumentswithrespectto theone intheIntroduction: u andthis.Infact, thesearguments,as wellasu,donotplayanyroleintheanalysisofcircularitiesof

setTable

(

t

,

u

,

this

,

x

,

y

)

.

Thefollowing theoremstatesthesoundnessofour typesystem. The technicaldetailsofthe proof arereportedinthe Appendix.

Theorem4.2.Let

C

1

D

1

,

· · · ,

C

n

D

n

,

P

:

L ,

.If

L ,

hasnocircularitythen

C

1

D

1

,

· · · ,

C

n

D

n

,

P

isdeadlock-free.

Example4.3.Letusverify whethertheprocess x

.setTable(

x

,

x

,

n

)

isdeadlock-free.The lamfunction associatedby the typesystemisdetailedinExample4.1.Theinterpretationfunction I_L

(setTable)

iscomputedasfollows:

I_L(0)

(setTable)

= {∅}

I_L(1)

(setTable)

= { {(

u

,

y

)

t

, (

y

,

x

)

t

, (

u

,

x

)

t

} }

I_L(2)

(setTable)

= { {(

u

,

y

)

t

, (

y

,

x

)

t

, (

u

,

x

)

t

}, {(

u

,

y

)

t

} } .

Since I(_L2)

=

I_L,wearereducedtocompute I_L(2)

(setTable(

t

,

u

,

x

,

x

,

x

))

.Thatis

{ {(

u

,

y

)

t

, (

y

,

x

)

t

, (

u

,

x

)

t

}, {(

u

,

y

)

t

} }{

x

/

y

} = { {(

u

,

x

)

t

, (

x

,

x

)

t

}, {(

u

,

x

)

t

} }

whichhasnocircularity,thereforetheprocessx

.setTable(

x

,

x

,

n

)

isdeadlock-free.