loke.dev
Header image for How to Detect Distributed Deadlocks Without a Centralized Wait-For-Graph

How to Detect Distributed Deadlocks Without a Centralized Wait-For-Graph

Stop relying on aggressive timeout-based kills and learn to pinpoint cross-node resource cycles using the Chandy-Misra-Haas algorithm.

· 8 min read

Have you ever wondered why your distributed database suddenly grinds to a halt, only to recover ten seconds later after a "Transaction Timeout" error nukes half your pending tasks?

It’s a frustratingly common scenario. In a single-node database, deadlock detection is almost a solved problem—the engine maintains a Wait-For-Graph (WFG), spots a cycle, and kills the youngest transaction. But move that logic to a distributed cluster of twenty nodes, and suddenly, the "simple" WFG becomes a nightmare.

If you try to centralize the graph, you create a massive bottleneck and risk "phantom deadlocks" caused by network latency. If you rely purely on timeouts, you end up killing perfectly healthy, albeit slow, transactions.

The Chandy-Misra-Haas (CMH) algorithm offers a better way. It’s an "edge-chasing" algorithm that detects deadlocks without any central authority, using nothing but probes that follow the path of the dependency itself.

The Crudeness of Timeouts

Before we dive into CMH, let's acknowledge why we’re here. Most engineers start with a lock_timeout.

# The "I give up" approach
try:
    acquire_distributed_lock("resource_A", timeout=5000)
except LockTimeout:
    rollback_and_retry()

This is simple, but it's a blunt instrument. If Node A is waiting for Node B, and Node B is just doing a very heavy computation, the timeout will fire even though there is no deadlock. You waste work. Conversely, if there *is* a deadlock, the system sits idle for the full 5 seconds before doing anything.

We want to detect the deadlock the moment it becomes a cycle, and we want to do it without a "Master Node" that needs to know every single lock state in the cluster.

Visualizing the Distributed Cycle

Imagine three transactions:
1. T1 on Node 1 holds Resource_A and wants Resource_B (held by T2 on Node 2).
2. T2 on Node 2 holds Resource_B and wants Resource_C (held by T3 on Node 3).
3. T3 on Node 3 holds Resource_C and wants Resource_A (held by T1 on Node 1).

No single node sees the whole loop. Node 1 only knows T1 is waiting for something remote. Node 2 only knows T2 is waiting for Node 3.

This is where "Edge Chasing" comes in. Instead of building a map, we send a "scout" (a probe) to follow the arrows. If the scout returns to the person who sent it, we have a circle.

The Chandy-Misra-Haas Logic

The beauty of CMH is its simplicity. It uses a special message called a probe, defined as a triplet: (initiator, sender, receiver).

- Initiator: The transaction that first suspected a deadlock and started the probe.
- Sender: The process that is passing the probe along.
- Receiver: The process the probe is being sent to.

The Rules of Propagation

1. Initiation: If Transaction $P_i$ starts waiting for Transaction $P_j$, and $P_j$ is remote, $P_i$ sends a probe $(i, i, j)$ to the node where $P_j$ resides.
2. Forwarding: If Transaction $P_k$ receives a probe $(i, j, k)$, it checks if it is currently waiting for any other transactions. If $P_k$ is waiting for $P_m$, it forwards the probe as $(i, k, m)$.
3. Detection: If the initiator $P_i$ receives a probe $(i, j, i)$, a deadlock has been detected.

Implementing a Distributed Probe Tracker

Let’s look at how we might implement this. We'll simulate a few nodes and a message-passing interface. In a real system, these would be RPC calls or messages over a socket.

First, let's define our basic Probe and the state of a node.

from collections import defaultdict
import dataclasses

@dataclasses.dataclass(frozen=True)
class Probe:
    initiator_id: int
    sender_id: int
    receiver_id: int

class TransactionNode:
    def __init__(self, tx_id):
        self.tx_id = tx_id
        # Transactions this node is currently waiting for
        self.waiting_for = set() 
        # Transactions that hold resources this node needs
        self.upstream_holders = [] 
        # Cache of probes we've already sent to avoid infinite loops 
        # in complex non-deadlock scenarios
        self.seen_probes = set()

    def add_dependency(self, target_tx_id):
        self.waiting_for.add(target_tx_id)

In a real-world scenario, the TransactionNode would exist on a specific physical server. When tx_1 wants a resource held by tx_2, it doesn't just block; it initiates the probe.

The Probe Initiation

We don't want to send probes for every single wait. Usually, we wait for a small "grace period." If the lock isn't acquired within, say, 200ms, *then* we start the edge-chasing.

def initiate_deadlock_detection(nodes, start_tx_id):
    tx = nodes[start_tx_id]
    print(f"[Node {start_tx_id}] Suspects deadlock, initiating probe...")
    
    for blocked_on_id in tx.waiting_for:
        probe = Probe(
            initiator_id=start_tx_id,
            sender_id=start_tx_id,
            receiver_id=blocked_on_id
        )
        # In reality, this would be an async network call
        process_probe(nodes, probe)

def process_probe(nodes, probe):
    initiator = probe.initiator_id
    current_tx_id = probe.receiver_id
    
    # If the probe comes back to the initiator, the loop is closed.
    if current_tx_id == initiator:
        print(f"!!! DEADLOCK DETECTED !!! Transaction {initiator} is in a cycle.")
        handle_deadlock(initiator)
        return

    # Otherwise, forward the probe to everyone current_tx_id is waiting for
    target_tx = nodes.get(current_tx_id)
    if not target_tx:
        return # Transaction might have finished already

    # To prevent redundant network traffic, check if we've handled 
    # this initiator's probe recently.
    if initiator in target_tx.seen_probes:
        return
    
    target_tx.seen_probes.add(initiator)

    for next_tx_id in target_tx.waiting_for:
        new_probe = Probe(
            initiator_id=initiator,
            sender_id=current_tx_id,
            receiver_id=next_tx_id
        )
        print(f"  > Forwarding probe ({initiator}, {current_tx_id}, {next_tx_id})")
        process_probe(nodes, new_probe)

Running a Simulation

Let's wire up a classic cycle: $T1 \to T2 \to T3 \to T1$.

def simulate_cycle():
    # Setup 3 transactions
    nodes = {
        1: TransactionNode(1),
        2: TransactionNode(2),
        3: TransactionNode(3)
    }

    # Create the cycle
    nodes[1].add_dependency(2) # T1 waits for T2
    nodes[2].add_dependency(3) # T2 waits for T3
    nodes[3].add_dependency(1) # T3 waits for T1

    # T1 gets tired of waiting and starts a probe
    initiate_deadlock_detection(nodes, 1)

simulate_cycle()

When you run this, the output looks something like this:

[Node 1] Suspects deadlock, initiating probe...
  > Forwarding probe (1, 2, 3)
  > Forwarding probe (1, 3, 1)
!!! DEADLOCK DETECTED !!! Transaction 1 is in a cycle.

The probe effectively "walks" the graph. It doesn't matter if Node 1 is in New York, Node 2 is in London, and Node 3 is in Tokyo. As long as they can pass the probe message, the deadlock is discovered.

Why This Beats a Centralized Wait-For-Graph

I used to think a centralized coordinator was simpler. Just have every node heartbeat its lock table to a leader. But that approach dies at scale for three reasons:

1. The "Phantom Deadlock" Problem: Imagine Transaction A releases a lock on Node 1, and then Transaction B requests a lock on Node 2. If the message that A *released* the lock is delayed, but the message that B is *waiting* for A arrives quickly, the central coordinator might see a cycle that no longer exists. CMH avoids this because the probe follows the *current* active dependency.
2. Congestion: If you have 1,000 nodes and 100,000 transactions, the central node becomes a massive bottleneck for metadata. In CMH, the traffic is distributed across the edges of the wait graph.
3. Complexity of Leadership: You have to handle leader election, failover of the lock graph, and state synchronization. CMH is stateless in the sense that the "state" is the probe itself.

The "Phantom" Edge Case in CMH

CMH isn't magic; it has its own version of the phantom deadlock. If a transaction finishes *while* a probe is in flight, the probe might still return to the initiator.

Consider this:
1. T1 waits for T2.
2. T1 sends probe $(1, 1, 2)$.
3. T2 releases its resource and finishes.
4. But before the probe reaches Node 2, T3 (which was waiting for T2) now starts waiting for T1.

This is rare, but in high-concurrency systems, it happens. To mitigate this, a transaction that receives a probe should verify it is still blocked on the same resource before forwarding.

Also, when a deadlock is detected, the standard procedure is to kill the "Initiator." However, in a distributed system, multiple transactions might start probes simultaneously. You might end up killing three transactions to break one cycle.

A common optimization is to only allow the transaction with the lowest ID (or the lowest priority) to initiate a probe. If $T_5$ is waiting for $T_2$, and $5 > 2$, $T_5$ doesn't start a probe. It only starts if $T_{initiator} > T_{holder}$. This halves the number of messages in the system.

Practical Implementation: Integrating with a Database

If you're building this into a real service (like a distributed KV store), you shouldn't trigger probes on every GET or SET. You need a LockManager that tracks who owns what.

Here’s a more structured view of how the LockManager interacts with the CMH logic:

class DistributedLockManager:
    def __init__(self, node_id, transport):
        self.node_id = node_id
        self.transport = transport
        self.locks = {} # resource_id -> holder_tx_id
        self.waiting_txs = defaultdict(list) # resource_id -> list of waiting tx_ids

    def acquire(self, tx_id, resource_id):
        if resource_id not in self.locks:
            self.locks[resource_id] = tx_id
            return True
        
        # Resource held by someone else
        holder_id = self.locks[resource_id]
        self.waiting_txs[resource_id].append(tx_id)
        
        # Start the CMH process after a delay
        self.schedule_deadlock_check(tx_id, holder_id)
        return False

    def schedule_deadlock_check(self, waiter_id, holder_id):
        # We don't want to spam probes. 
        # In a real system, use a timer or a background worker.
        probe = Probe(initiator_id=waiter_id, sender_id=waiter_id, receiver_id=holder_id)
        self.transport.send(holder_id, probe)

    def on_receive_probe(self, probe):
        # If I am the initiator, handle deadlock
        if probe.initiator_id == self.current_active_tx_id():
             self.abort_transaction(probe.initiator_id)
             return

        # Forward the probe to whoever this node's transactions are waiting for
        for res_id, waiters in self.waiting_txs.items():
            if self.node_id in waiters: # Simplified check
                holder = self.locks.get(res_id)
                if holder:
                    new_probe = Probe(probe.initiator_id, self.node_id, holder)
                    self.transport.send(holder, new_probe)

Performance Considerations

When you move from theory to production, the "cost" of detection matters.

1. Probe Throttling: Don’t let a single transaction flood the network. I’ve found that limiting a transaction to one active probe at a time is usually enough.
2. Probe Expiry: Put a TTL (Time-to-Live) on your probes. If a probe hasn't found a cycle within 2 seconds, it’s probably lost or the cycle was broken by a natural timeout/completion anyway.
3. The "Wait-For" Cache: Maintaining a list of who is waiting for whom can get memory-intensive. I prefer cleaning up the seen_probes cache every time a transaction commits or aborts.

Is it worth it?

You might be thinking, "This seems like a lot of code just to avoid a timeout."

And you're right—for most CRUD apps, it is. But if you’re building a distributed ledger, a complex microservices orchestration engine, or a custom database, "waiting 10 seconds for a timeout" is a performance killer. It holds up locks, which holds up other transactions, leading to convoys where the entire system's throughput drops to zero.

The Chandy-Misra-Haas algorithm turns deadlock detection from a "stop-the-world" event into a background conversation between nodes. It lets you use much shorter "logical" timeouts because you have a mechanism to prove that a transaction is actually stuck, rather than just being slow.

Key Takeaways

- Don't Centralize: Central WFGs are fragile and suffer from phantom cycles due to message reordering.
- Chase the Edge: Follow the dependency path. If the message finds its way back home, the loop is real.
- Verify Before Forwarding: To minimize "phantom" detections in CMH, ensure the dependency still exists before passing the probe along.
- Optimization: Use transaction ID ordering ($T_{ID} > T_{Holder}$) to decide who initiates a probe, reducing network overhead by 50%.

Distributed systems are often about trading off global knowledge for local efficiency. CMH is one of those rare algorithms that gives you a global answer (is there a deadlock?) using only local information and peer-to-peer communication. It's elegant, it's robust, and it's far better than just crossing your fingers and waiting for a timeout to fire.