Partial mutual exclusion for infinitely many processes

Partial mutual exclusion is the drinking philosophers problem for complete graphs. It is the problem that a process may enter a critical section CS of its code only when some finite set nbh of other processes are not in their critical sections. For each execution of CS, the set nbh can be given by the environment. We present a starvation free solution of this problem in a setting with infinitely many processes, each with finite memory, that communicate by asynchronous messages. The solution has the property of first-come first-served, in so far as this can be guaranteed by asynchronous messages. For every execution of CS and every process in nbh, between three and six messages are needed. The correctness of the solution is argued with invariants and temporal logic. It has been verified with the proof assistant PVS.

💡 Research Summary

The paper tackles the problem of partial mutual exclusion (PMX) in a setting with an unbounded number of processes that communicate solely via asynchronous, reliable messages. In the classic drinking‑philosophers formulation, each philosopher (process) has a fixed set of neighbours and must not enter its critical section (CS) simultaneously with any neighbour that is also in its CS. The authors generalize this: at each attempt to enter CS, the environment nondeterministically supplies a finite set nbh(p) of “neighbour” processes for each process p. The requirement is that if two processes are mutually listed in each other’s nbh (i.e., a conflict), they must never be in CS together. The set nbh may change from one entry to the next, and the graph induced by conflicts can be arbitrary and dynamic.

The proposed solution is a two‑layer protocol. The outer layer guarantees a first‑come‑first‑served (FCFS) ordering despite the lack of FIFO guarantees on the message channels. The inner layer enforces the actual exclusion condition. Each process is modeled as a collection of three concurrent components: an environment component that injects nbh sets and may abort an entry attempt, a forward component that implements the entry protocol, and a receive component that handles incoming messages. The algorithm uses only five message types (req, gra, notify, withdraw, ack) and maintains several finite sets (before, after, prio, need, wack, etc.) that record the state of notifications, withdrawals, and pending acknowledgments.

When a process p starts an entry attempt (pc = 12), it sends a notify to every member of nbh(p). Recipients record the sender in their before set. Later, p may send withdraw messages to cancel outstanding notifications; recipients move the sender to the after set. The intersection prio(p) = before(p) ∖ after(p) ∩ nbh(p) represents neighbours whose notifications have not yet been withdrawn. p waits until prio(p) becomes empty, which, because of the asynchronous nature of the network, precisely captures the FCFS ordering: a process that started later cannot clear its prio before an earlier process that has already sent its notify.

Once prio(p) is empty, p enters the inner protocol. It only contacts neighbours with a higher identifier (the “higher” processes). For each such neighbour q, p sends a req message; q replies with a gra (grant) message when it is not in CS and has no conflicting higher‑identifier neighbour pending. This asymmetric treatment (only higher identifiers are asked) reduces the number of messages: lower‑identifier neighbours never need a request. After receiving all required gra messages (recorded in the need set), p enters CS, then immediately sends withdraw to all neighbours to clean up its notifications, and finally sends gra and fork messages to release the “token” used for the inner protocol. The total number of messages per neighbour lies between three and six, depending on the relative identifiers and whether the neighbour is lower or higher.

The authors prove safety (mutual exclusion and deadlock‑freedom) by defining invariants that capture the emptiness of prio and need, the proper pairing of notify/withdraw with ack, and the boundedness of the message counters (at most one message of each type in transit between any pair). Liveness (starvation‑freedom and maximal concurrency) is proved under a weak fairness assumption: any step that remains continuously enabled will eventually be taken. Under this assumption, any process whose prio and need sets become empty will inevitably reach CS, and a process without conflicts can progress even if other processes are not weakly fair, satisfying the maximal concurrency property.

All proofs are mechanized in the PVS proof assistant. The model represents asynchronous channels as natural‑number counters m.q.r with the invariant m.q.r ≤ 1, ensuring at most one in‑flight message of each type between any two processes. The PVS scripts (available on the authors’ website) verify that every protocol transition preserves the invariants and that the liveness conditions hold under the stated fairness hypothesis.

In summary, the paper delivers a clean, message‑optimal, FCFS‑compatible algorithm for partial mutual exclusion that works for an infinite population of processes with dynamically changing neighbour sets. It combines a simple outer notification/withdrawal scheme with an asymmetric inner request/grant protocol, achieves a bounded per‑neighbour message cost, and is fully verified using a state‑of‑the‑art interactive theorem prover. This contribution advances the theory of distributed resource allocation and provides a practically implementable building block for systems where dynamic, partial exclusion constraints are required.