7.6 Simultaneous Locking Pattern
The Simultaneous Locking Pattern is concerned solely with deadlock avoidance. It achieves this by breaking condition 2 (holding resources while waiting for others). The pattern works in an all-or-none fashion: either all the resources needed are locked at once or none are.
Deadlock can be solved by breaking any of the four conditions required for its existence. This pattern prevents the condition of holding some resources while requesting others by allocating all needed resources at once. This is similar to the Critical Section Pattern. However, it has the additional benefit of allowing higher-priority tasks to run if they don't need any of the locked resources.
The problem of deadlock is such a serious one in highly reliable computing that many systems include specific mechanisms to detect or avoid it. As previously discussed, deadlock occurs when a task is waiting on a condition that can never, in principle, be satisfied. There are four conditions that must be true for deadlock to occur, and it is sufficient to deny the existence of any one of these. The Simultaneous Locking Pattern breaks condition 2 by not allowing any task to lock resources while waiting for other resources to be free.
7.6.3 Pattern Structure
Figure 7-15 shows the structure of the Simultaneous Locking Pattern. The special structural aspect of this pattern is the collaboration role MultiResource. Each MultiResource has a single mutex semaphore that locks only when the entire set of aggregated Shared Resources is available to be locked. Similarly, when the semaphore is released, all the aggregated Shared Resources are released.
Figure 7-15: Simultaneous Locking Pattern
7.6.4 Collaboration Roles
The MultiResource aggregates an entire set of resources needed (or possibly needed) by a Resource Client and explicitly locks and unlocks that set. This locking and unlocking action should be a noninterruptible critical section. If any of the aggregated Shared Resources is not available during the locking process, then the MultiResource must release all of the Shared Resources it has successfully locked. MultiResource defines the operations startCriticalSection() and endCriticalSection() to prevent task switching from occurring during the locking or unlocking process. The operation areAnyLockedParts() returns TRUE if any of the Shared Resources aggregated by the MultiResource is still locked. For walking through the Shared Resources, the MultiResource also provides getFirstResource() and getNextResource(), both of which return a pointer to a Shared Resource (or NULL at the end of the list), and isLocked(SharedResource*), which returns TRUE only if the referenced Shared Resource is currently locked by the MultiResource; if the resource is unlocked or not aggregated by the MultiResource, it returns FALSE. Two more operations, lockNow() and unlockNow(), simply set the isLocked attribute of the MultiResource without checking the status of the aggregated parts.
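The all-or-none locking responsibility of MultiResource can be sketched as follows. This is a minimal illustration, not the book's implementation: PartLock is reduced to a queryable flag, and startCriticalSection()/endCriticalSection() are empty placeholders for the platform calls that disable and re-enable task switching.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Minimal sketch of a PartLock: a queryable, non-blocking lock flag.
struct PartLock {
    bool locked = false;
    bool getIsLocked() const { return locked; }
    void lock()   { locked = true; }
    void unlock() { locked = false; }
};

// MultiResource locks its whole set of part locks at once, or none of them.
class MultiResource {
public:
    explicit MultiResource(std::vector<PartLock*> parts) : parts_(parts) {}

    // Returns true only if every part was free; otherwise rolls back.
    bool lock() {
        startCriticalSection();              // assumed: disables task switching
        for (std::size_t i = 0; i < parts_.size(); ++i) {
            if (parts_[i]->getIsLocked()) {
                for (std::size_t j = 0; j < i; ++j)   // roll back partial locks
                    parts_[j]->unlock();
                endCriticalSection();
                return false;                // all-or-none: whole lock fails
            }
            parts_[i]->lock();
        }
        isLocked_ = true;
        endCriticalSection();
        return true;
    }

    void unlock() {
        startCriticalSection();
        for (PartLock* p : parts_) p->unlock();
        isLocked_ = false;
        endCriticalSection();
    }

    bool areAnyLockedParts() const {
        for (PartLock* p : parts_)
            if (p->getIsLocked()) return true;
        return false;
    }

private:
    // Placeholders; a real system would mask interrupts or lock the scheduler.
    void startCriticalSection() {}
    void endCriticalSection() {}

    std::vector<PartLock*> parts_;
    bool isLocked_ = false;
};
```

Note that a failed lock leaves every part exactly as it found it, which is what prevents the "hold some while waiting for others" condition.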
The Mutex is a mutual exclusion semaphore object that associates with the MultiResource. In this pattern the shared resources are locked for a longer duration than with the priority inheritance-based patterns, because the Resource Client must own all the resources for the entire critical section so that it never owns a resource while trying to lock another. The policy is that the Mutex is locked only if all of the required SharedResource PartLocks are successfully locked. The Mutex is an OS-level mutex and signals the Scheduler to take care of blocking tasks that attempt to lock the SharedResource.
The PartLock is a special mutual exclusion semaphore that associates with the Shared Resource. It is queryable as to its lock status via the getIsLocked() operation. Unlike the Mutex, this semaphore does not signal the Scheduler, because there is no need: the OS-level locking is done by the Mutex, not by the PartLock. Nevertheless, the MultiResource needs to be able to ascertain the locking status of all the resources before attempting to lock any of them.
The Resource Client is a user of Shared Resource objects. It locks potentially multiple Shared Resources via the MultiResource. The policy enforced in this pattern is that all resources used in a critical section must be locked at the same time, or the entire lock will fail. The Resource Client is specifically prohibited from locking one resource and later, while still owning that lock, attempting to lock another. Put another way, an attempt to lock a set of resources is permitted only if the Resource Client currently owns no locks at all; if any of the requested resources is unavailable, the entire lock fails and the Resource Client must wait, blocking on the mutex owned by its associated MultiResource.
The ResourceMaster orchestrates the locking and unlocking of the Mutexes associated with the MultiResources. Whenever a MultiResource locks its Mutex, the ResourceMaster searches its list of all MultiResources and locks any that share one of the SharedResources. That way, if a Thread tries to lock its MultiResource and another one owns a needed SharedResource, the Thread can block on the Mutex of its associated MultiResource. Conversely, when a MultiResource releases all of its Shared Resources, that MultiResource notifies the ResourceMaster, which examines all of the other MultiResources to see whether it can unlock them as well (it may not be able to if another MultiResource has locked a SharedResource unused by the first).
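The ResourceMaster's bookkeeping can be illustrated with a simplified model. This is a hypothetical sketch, not the pattern's full structure: each MultiResource is reduced to the set of resource ids it aggregates, an ownership flag, and a Mutex-locked flag; the names MultiRec, onLock(), and onUnlock() are illustrative.

```cpp
#include <cassert>
#include <set>
#include <vector>

// Simplified stand-in for a MultiResource, for the bookkeeping only.
struct MultiRec {
    std::set<int> resources;   // ids of the aggregated SharedResources
    bool owns = false;         // true while its client holds the resources
    bool mutexLocked = false;  // Mutex state that blocks other Threads
};

class ResourceMaster {
public:
    void add(MultiRec* m) { multis_.push_back(m); }

    // When `owner` locks its Mutex, also lock every MultiResource that
    // shares one of the now-locked SharedResources.
    void onLock(MultiRec* owner) {
        owner->owns = owner->mutexLocked = true;
        for (MultiRec* m : multis_)
            if (m != owner && overlaps(*m, *owner))
                m->mutexLocked = true;   // sharers now block on their own Mutex
    }

    // When `owner` releases its resources, unlock every MultiResource
    // none of whose SharedResources is still held by some other owner.
    void onUnlock(MultiRec* owner) {
        owner->owns = owner->mutexLocked = false;
        for (MultiRec* m : multis_) {
            if (m->owns) continue;
            bool stillBlocked = false;
            for (MultiRec* o : multis_)
                if (o->owns && overlaps(*m, *o))
                    stillBlocked = true; // a needed part is held elsewhere
            m->mutexLocked = stillBlocked;
        }
    }

private:
    static bool overlaps(const MultiRec& a, const MultiRec& b) {
        for (int r : a.resources)
            if (b.resources.count(r)) return true;
        return false;
    }

    std::vector<MultiRec*> multis_;
};
```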
The Shared Resource is a part object owned by the MultiResource object. In this pattern, a Shared Resource does not connect to a Mutex because it is not locked individually. As implied by its name, the same Shared Resource object may be an aggregated part of different MultiResource objects. The pattern policy is that no resource that is aggregated by a MultiResource is allowed to be directly locked by a Thread, although it may be accessed by a Thread to perform services. The Shared Resource contains operations to explicitly lock, unlock, and query its locked status, and these simply invoke services in the associated PartLock.
7.6.5 Consequences
The Simultaneous Locking Pattern prevents deadlock by breaking condition 2, required for deadlock to occur, namely, locking some resources while waiting for others to become available. It does this by locking all needed resources at once and releasing them all at once. This resource management pattern can easily be used with most scheduling patterns, such as the Static Priority Pattern.
There are two primary negatives to the use of this pattern. First, priority inversion is not bounded. A higher-priority task is free to preempt and run as long as it doesn't use any currently locked resource. This pattern could be mixed in with the priority inheritance pattern to address that problem.
The second issue is that this pattern incurs some computational overhead, which may become severe in situations in which there are many shared resources. Each time a request to lock a resource is made, each of the Shared Resources must be locked and all of the other MultiResources must be checked to see if they aggregate any of these locked Shared Resources. Any MultiResource that shares one of the just-locked Shared Resources must itself be locked. On release of a lock on a particular MultiResource, all of its Shared Resources must be unlocked, and then each of the other MultiResources must be examined using the areAnyLockedParts() operation. If it returns TRUE, then that MultiResource must remain locked; otherwise it must be unlocked.
Another issue is that programmer/designer discipline is required not to access the Shared Resources without first obtaining a lock through the MultiResource mechanism. Because Shared Resources don't use standard OS mutexes for locking (since we don't want Threads blocking on them rather than on the MultiResources), it is possible to directly access a Shared Resource, bypassing the locking mechanisms. This is a Bad Idea. One possible solution to enforce the locking is to propagate all of the operations from the resources to the MultiResource, make the operations public in the MultiResource and private in the Shared Resource, and make the MultiResource a friend of the Shared Resource. This adds some additional computational overhead, but in some languages the propagated operations could be made inline to minimize this. Alternatively, each Shared Resource could be told, during the locking process, who its owner is. Then on each service call, the owner would have to pass an owner ID to prove it had rights to request the service.
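The friend-based enforcement approach can be sketched in C++ as follows. The names SharedResource, MultiResource, and service() are illustrative; the point is that the service operation is private in the resource and public (as a propagated, potentially inline operation) in the MultiResource, so clients cannot bypass the lock.

```cpp
#include <cassert>

class MultiResource;  // forward declaration for the friend grant

class SharedResource {
    friend class MultiResource;   // only MultiResource may call service()
    int service() { return ++useCount_; }  // private: hidden from clients
    int useCount_ = 0;
};

class MultiResource {
public:
    explicit MultiResource(SharedResource& r) : res_(r) {}

    bool lock()   { if (locked_) return false; locked_ = true; return true; }
    void unlock() { locked_ = false; }

    // Propagated operation: public here, private in SharedResource.
    // Declaring it inline keeps the forwarding overhead small.
    int service() {
        assert(locked_ && "must lock before using the resource");
        return res_.service();
    }

private:
    SharedResource& res_;
    bool locked_ = false;
};
```

A client that tries to call service() directly on the SharedResource simply fails to compile, which turns the discipline problem into a compile-time check.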
7.6.6 Implementation Strategies
Care must be taken that the locking of all the resources in MultiResource.lock() and MultiResource.unlock() is done in a critical section, to prevent deadlock condition 2 from arising. Other than that, the implementation of this pattern is straightforward.
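In C++, a scope-bound guard is a convenient way to guarantee the critical section is exited on every return path out of the locking pass, including the early return when the all-or-none attempt fails. This is a minimal sketch under stated assumptions: startCriticalSection() and endCriticalSection() are placeholders for the platform calls that disable and re-enable task switching, modeled here by a nesting counter.

```cpp
#include <cassert>

int criticalNesting = 0;                     // stands in for the OS state

void startCriticalSection() { ++criticalNesting; }
void endCriticalSection()   { --criticalNesting; }

// RAII guard: the destructor runs on every exit path, so the critical
// section is always closed even on an early return.
struct CriticalSectionGuard {
    CriticalSectionGuard()  { startCriticalSection(); }
    ~CriticalSectionGuard() { endCriticalSection(); }
};

// All-or-none locking pass over a set of part-lock flags (true = free).
bool lockAll(bool* free_, int n) {
    CriticalSectionGuard guard;              // task switching disabled here
    for (int i = 0; i < n; ++i)
        if (!free_[i]) return false;         // fail; no partial lock remains
    for (int i = 0; i < n; ++i)
        free_[i] = false;                    // all parts claimed at once
    return true;
}
```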
7.6.7 Related Patterns
This pattern removes deadlock by breaking condition 2 required for deadlock. There are other approaches to avoiding deadlock. One of these is presented in the Ceiling Priority Pattern and another in the Ordered Locking Pattern, both presented in this chapter. This pattern is normally mixed with a concurrency management policy, such as the Static Priority Pattern, but other patterns can be used as well. If it is desirable to limit priority inversion, then this pattern can be mixed with the Priority Inheritance Pattern.
7.6.8 Sample Model
Figure 7-16a shows a simple example of the application of this pattern. Two Concrete Threads, Machine 1 and Machine 2, share three resources: MsgQueue 1 (Machine 1 only), Command Queue (both), and MsgQueue 2 (Machine 2 only). To avoid the possibility of a deadlock occurring, the Simultaneous Locking Pattern is used. Two MultiResources (Multi 1 and Multi 2) are created as composite parts of an instance of ResourceMaster. Figure 7-16b shows the behavior when Machine 1 locks its resources, does some work (moving messages from the Command Queue to MsgQueue 1), and then unlocks the resources.
Figure 7-16: Simultaneous Locking Pattern (continued)
What is not shown is what happens if Machine 2 runs during the execution of the get() and put() operations, but it is clear that as soon as Machine 2 attempts to lock its MultiResource, it will be blocked.
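The scenario of Figure 7-16 can be sketched as follows. This is a hypothetical simplification: Multi 1 covers MsgQueue 1 and the Command Queue, Multi 2 covers the Command Queue and MsgQueue 2, locks are modeled as simple flags, and a failed lock returns false where a real system would block the Thread on the Mutex.

```cpp
#include <cassert>
#include <deque>
#include <string>

// A shared resource: a lock flag plus the queue it protects.
struct Resource {
    bool locked = false;
    std::deque<std::string> q;
};

// All-or-none lock over a two-resource MultiResource.
bool lockBoth(Resource& a, Resource& b) {
    if (a.locked || b.locked) return false;  // any conflict fails the whole lock
    a.locked = b.locked = true;
    return true;
}

void unlockBoth(Resource& a, Resource& b) {
    a.locked = b.locked = false;
}
```

While Machine 1 holds Multi 1 (MsgQueue 1 + Command Queue) and moves messages, any attempt by Machine 2 to lock Multi 2 fails outright because the Command Queue is part of both sets; once Machine 1 releases, Machine 2's lock succeeds.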