Randomized Two-Process Wait-Free Test-and-Set by Tromp, John & Vitanyi, Paul
arXiv:cs/0106056v2 [cs.DC] 15 Mar 2002
Randomized Two-Process Wait-Free Test-and-Set
John Tromp and Paul Vitanyi
Abstract—We present the first explicit, and currently simplest, randomized algorithm for two-process wait-free test-and-set. It is implemented with two 4-valued single writer single reader atomic variables. A test-and-set takes at most 11 expected elementary steps, while a reset takes exactly 1 elementary step. Based on a finite-state analysis, the proofs of correctness and expected length are compressed into one table.
Keywords— Test-and-set objects, Symmetry breaking, Asynchronous distributed protocols, Fault-tolerance, Shared memory, Wait-free read/write registers, Atomicity, Randomized algorithms, Adaptive adversary.
I. Introduction
A test-and-set protocol concurrently executed by each
process out of a subset of n processes selects a unique pro-
cess from among them. In a distributed or concurrent sys-
tem, the test-and-set operation is useful and sometimes
mandatory in a variety of situations including mutual ex-
clusion, resource allocation, leader election and choice co-
ordination. It is well-known that in the wait-free setting,
[23], a deterministic construction from atomic read/write
variables is impossible [24]. Although widely assumed to
exist, and referred to, an explicit randomized construc-
tion for wait-free test-and-set has not appeared in print
yet, apart from a deterministic construction assuming two-
process atomic test-and-set [3]. The latter, in the form of
a randomized two-process wait-free test-and-set has been
circulated in draft form [36] for a decade. Here we finally
present the construction. Since such constructions are no-
toriously prone to hard-to-detect errors, we prove it correct
by an exhaustive finite-state proof, thus also presenting a
nontrivial application of this proof technique.
Interprocess Communication: The model is interprocess communication through shared memory as commonly used in the theory of distributed algorithms [26]. We use atomic single writer single reader registers as primitives. Such primitives can be implemented wait-free from single-reader single-writer “safe” bits (mathematical versions of hardware “flip-flops”) [23]. A concurrent object is constructible if it can be implemented deterministically with boundedly many safe bits. A deterministic protocol executed by n processes is wait-free if there is a finite function f such that every non-faulty process terminates its protocol executing a number of at most f(n) of accesses to the shared memory primitives, regardless of the other processes' execution speeds. If the execution speed of a process drops to zero then this is indistinguishable from the process having a crash failure. As a consequence, a wait-free solution can tolerate up to n − 1 processes having crash failures (a property called “(n − 1)-resiliency”), since the surviving non-faulty process correctly executes and terminates its protocol. Below, we also write “shared variable” for “register.”

J. Tromp is with the Centrum voor Wiskunde en Informatica, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands. email: tromp@cwi.nl. P.M.B. Vitányi is with the Centrum voor Wiskunde en Informatica and the University of Amsterdam, address: CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands, email: paulv@cwi.nl. Both authors were partially supported by the EU fifth framework project QAIP, IST–1999–11234, the NoE QUIPROCONE IST–1999–29064, the ESF QiT Programme, and the EU Fourth Framework BRA NeuroCOLT II Working Group EP 27150.
Randomization: The algorithms executed by each pro-
cess are randomized by having the process flip coins (ac-
cess a random number generator). In our randomized al-
gorithms the answers are always correct—a unique pro-
cess gets selected— but with small probability the proto-
col takes a long time to finish. We use the customary as-
sumption that the coin flip and subsequent write to shared
memory are separate atomic actions. To express the com-
putational complexity of our algorithm we use the expected
complexity, over all system executions and with respect
to the randomization by the processes and the worst-case
scheduling strategy of an adaptive adversary. A random-
ized protocol is wait-free if f(n) upper bounds the expec-
tation of the number of elementary steps, where the ex-
pectation is taken over all randomized system executions
against the worst-case adversary in the class of adversaries
considered (in our results the adaptive adversaries).
Complexity Measures: The computational complex-
ity of distributed deterministic algorithms using shared
memory is commonly expressed in number and type of in-
tercommunication primitives required and the maximum
number of sequential read/writes by any single process in
a system execution. Local computation is usually ignored,
including coin-flipping in a randomized algorithm.
Related Work: What concurrent wait-free object is the
most powerful constructible one? It has been shown that
wait-free atomic multi-user variables, and atomic snapshot
objects, are constructible, for example [30], [23], [37], [22],
[33], [25], [32], [14], [5], [2], [16]. In contrast, the agree-
ment problem in the deterministic model of computation
(shared memory or message passing) is unsolvable in the
presence of faults [21], [17], [24]. Correspondingly, wait-free
consensus—viewed as an object on which each of n pro-
cesses can execute just one operation—is not constructible
[12], [1], although randomized implementations are pos-
sible [12], [1], [6], [34]. Wait-free concurrent test-and-set
can deterministically implement two-process wait-free con-
sensus, and therefore is not deterministically constructible
[24], [17]. This raises the question of whether randomized
algorithms for test-and-set exist.
In [17] it is shown that repeated use of ‘consensus’ on unbounded hardware can implement ‘test-and-set’. In [31], [34], [18] it is argued that a bounded solution can be obtained by combining several intermediate constructions, like so-called “sticky bits”, but no explicit construction is presented to back up this claim. To quote [31]: “randomized consensus algorithms of Chor, Israeli, and Li [12], Abrahamson [1], Aspnes and Herlihy [7], and Attiya, Dolev, and Shavit [4], together with our construction imply that polynomial number of safe bits is sufficient to convert a safe implementation into a (randomized) wait-free one.” Any such “layered” construction will require orders of magnitude more primitive building blocks like one-writer one-reader bits than the direct construction we present below. Wait-free n-process test-and-set can be implemented deterministically from wait-free two-process test-and-set, [3], showing that the impossibility of a deterministic algorithm for n-process test-and-set is solely due to the two-process case.
Present Results: Despite the frequent use of random-
ized wait-free test-and-set in the literature, no explicit con-
struction for the basic ingredient, randomized wait-free
two-process test-and-set, has appeared in print. Our con-
struction, [36], has been subsumed and referred to long
since, for example in [3], [28], [15], [10], but other interests
prevented us publishing a final version earlier. The con-
struction is optimal or close to optimal. The presented
algorithm directly implements wait-free test-and-set be-
tween two processes from single-writer single-reader atomic
shared registers. Randomization means that the algorithm
contains a branch conditioned on the outcome of a fair
coin flip (as in [35]). We use a finite-state based proof
technique for verifying correctness and worst-case expected
execution length in the spirit of [13]. Our construction is
very simple: it uses two 4-valued 1-writer 1-reader atomic
variables. The worst-case expected number of elementary
steps (called “accesses” in the remainder of the paper) in
a test-and-set operation is 11, whereas a reset always takes
1 access.
II. Preliminaries
Processes are sequentially executed finite programs with
bounded local variables communicating through single-
writer, multi-reader bounded wait-free atomic registers
(shared variables). The latter are a common model for in-
terprocess communication through shared memory as dis-
cussed briefly in Section I. For details see [23], [25] and
for use and motivation in distributed protocols see [8], [9],
[19].
A. Shared Registers, Atomicity
The basic building blocks of our construction are 4-
valued 1-writer 1-reader atomic registers. Every read/write
register is owned by one process. Only the owner of a reg-
ister can write it, while only one other process can read it.
In one access a process can either:
• Read the value of a register;
• Write a value to one of its own registers;
• Moreover, following the read/write of a register the pro-
cess possibly flips a local coin (invokes a random number
generator that returns a random bit), preceded or followed
by some local computation.
We require the system to be atomic: every access of a
process can be thought to take place in an indivisible in-
stance of time and in every indivisible time instance at
most one access by one process is executed. The atomicity
requirement induces in each actual system execution total
orders on the set of all of the accesses by the different pro-
cesses, on the set of accesses of every individual process,
and on the set of read/write operations executed on each
individual register. The state of the system gives for each
process: the contents of the program counter, the contents
of the local variables, and the contents of the owned shared
registers. Since processes execute sequential programs, in
each state every process has at most a single access to be
executed next. Such accesses are enabled in that state.
B. Adversary
There is an adversarial scheduling demon that in each
state decides which enabled access is executed next, and
thus determines the sequence of accesses of the system
execution. There are two main types of adversaries: the
oblivious adversary that uses a fixed schedule independent
of the system execution, and the much stronger adaptive
adversary that dynamically adapts the schedule based on
the past initial segment of the system execution. Our re-
sults hold against the adaptive adversary—the strongest
adversary possible.
C. Complexity
The computational complexity of a randomized dis-
tributed algorithm in an adversarial setting and the cor-
responding notion of wait-freeness require careful defini-
tions. For the rigorous novel formulation of adversaries
as restricted measures over the set of system executions
we refer to the Appendix of [28]. For the simple appli-
cation in this paper we can assume that the notions of
global (system) execution, wait-freeness, adaptive adver-
sary, and expected complexity are familiar. A randomized
distributed algorithm is wait-free if the expected number of
read/writes to shared memory by every participating pro-
cess is bounded by a finite function f(n), where n is the
number of processes. The expectation is taken over the
probability measure over all randomized global (system)
executions against the worst-case adaptive adversary.
III. Test-and-Set Implementation
We first specify the semantics of the target object:
Definition III.1: An atomic test-and-set object X is a
global variable, associated with n processes P0, . . . , Pn−1,
exhibiting the following functionality:
• The value of X is 0 or 1;
• Every process Pi has a local binary variable xi which it
alone can read or write;
• At any time exactly one of X, x0, . . . , xn−1 has value 0,
all others have value 1 (we assume the global time model);
• A process Pi with xi = 1 can atomically execute a test-and-set operation τ:
    read xi := X; write X := 1; return xi.
• A process Pi with xi = 0 can atomically execute a reset operation ρ:
    xi := 1; write X := 0.
This specification naturally leads to the definition of
the state of the test-and-set object as an element of
{⊥, 0, . . . , n − 1} corresponding to the unique local vari-
able out of X, x0, . . . , xn−1 that has value 0. Here ⊥ is the
state that none of the xi’s is 0. Formally, the specification
is given later as a finite automaton in Definition V.1.
Since “atomicity” means that the operation is executed in a single indivisible time instant, and, moreover, in every such time instant at most one operation execution takes place, the effect of a test-and-set operation by process Pi is that xi := 0 iff xj ≠ 0 for all j ≠ i, and xi = 1 otherwise. The effect of a reset operation by Pi is only defined for initially xi = 0 and xj ≠ 0 for all j ≠ i, and results in xi := 1. To synthesise the target object from more elementary objects, we have to use a sequence of atomic accesses to these elementary objects. By adversary scheduling these sequences may be interleaved arbitrarily. Yet we would like to have the effect of an atomic execution of the test-and-set operations and the reset operations by each process. To achieve such a “virtual” atomic execution we proceed as follows:
Definition III.2: An implementation of a test-and-set op-
eration τ or a reset operation ρ by a process P is an
algorithm executed by P that results in an ordered se-
quence of accesses of that process to elements of a set
{R0, . . . , Rm−1} of atomic shared variables, interspersed
with local computation and/or local coin flips. The se-
quence of accesses is determined by the, possibly random-
ized, algorithm, and the values returned by the “read”
accesses to shared variables. We denote an access by
(P,R,A), meaning that process P executes access A (read
or write a “0” or “1”) on shared variable R. The imple-
mentation must satisfy the specification of the target test-
and-set semantics of Definition III.1 restricted to process
P . Formally, the specification is given later as a finite au-
tomaton in Definition V.2.
Definition III.3: A local execution of a process P consists of the (possibly infinite) sequence of test-and-set operations and reset operations it executes, according to the implementation, each such operation a ∈ {τ, ρ} provided with a start time s(a) and a finish time f(a)—we assume a global time model. Note that s(a) coincides with the time of execution of the first access in the ordered sequence constituting a, and f(a) coincides with the time of execution of the last access in the ordered sequence constituting a. By the atomicity of the individual accesses in the global time model, all accesses are executed at different time instants. In certain cases (which we show to have zero probability) it is possible that f(a) is not finite (because the algorithm executes infinitely many loops, each with probability 1/2).
Definition III.4: Let the local execution of process Pi consist of the ordered sequence of operations a^i_1, a^i_2, . . . (0 ≤ i ≤ n − 1). A global execution consists of the pair (A, →) where A = {a^i_j : j = 1, 2, . . . , 0 ≤ i ≤ n − 1} and → is a partial order on the elements of A defined by a → b iff f(a) < s(b) (the last access of a precedes the first of b). We require that the number of b such that b → a is finite for each a.
A test-and-set operation or reset operation by a particu-
lar process may consist of more than one access, and there-
fore the local executions by the different processes may hap-
pen concurrently and asynchronously. This has the effect
that a global execution can correspond to many different
interleavings.
Definition III.5: Consider a global execution. An interleaving of the accesses by the different processes associated with the global execution is a (possibly infinite) totally ordered sequence (P^1, R^1, A^1), (P^2, R^2, A^2), . . . , where (P^i, R^i, A^i) is the i-th access, respecting
• the start times and finish times determined by the local executions; and
• the order of the accesses in the local executions.
The implementation should guarantee that the function-
ality of the implementation is “equivalent”, in an appro-
priate sense, to the functionality of the target test-and-set
object, and in particular satisfies the “linearizability re-
quirement” [20] (also called “atomicity” in [23]).
Definition III.6: The system implements the target test-and-set object if the system is initially in state ⊥, and we can extend → on A to a total order ⇒ on A with an initial element, satisfying:
• From state ⊥, a successful test-and-set operation τ exe-
cuted by process Pi (setting xi := 0) moves the system to
state i at some time instant in the interval [s(τ), f(τ)];
• from state i, a reset operation ρ executed by process Pi
moves the system to state ⊥ at some time instant in the
interval [s(ρ), f(ρ)];
• From state i, every operation execution different from a
reset by process Pi leaves the system invariant in state i;
and
• No other state transitions than the above are allowed.
The implementation must satisfy the specification of the
target test-and-set semantics of Definition III.1. Formally,
the specification is given later as a finite automaton in Def-
initions V.3 and V.4.
To prove that a protocol executed by all processes is
an implementation of the target test-and-set object it suf-
fices to show that every possible interleaving that can be
produced by the processes executing the protocol in every
global execution, starting from the ⊥ state, satisfies the
above requirements.
IV. Algorithm
We give a test-and-set implementation between two pro-
cesses, process P0 and process P1. The construction uses
two 4-valued shared read/write variables R0 and R1. The
four values are ‘me’, ‘he’, ‘choose’, ‘rst’—chosen as a
mnemonic aid explained below. Process Pi solely writes
variable Ri, its own variable, and solely reads R1−i. For
this reason the reads and writes in the protocol don’t need
to be qualified by the shared variables they access. The
protocol, for process Pi (i = 0, 1), is presented as both
a finite state chart, Figure 1 and as the program below.
[Figure 1: state chart of the protocol for process Pi. Its 11 states are rst, me, notme, choose, tome, tohe, he, nothe, tst0, tst1 and free, grouped by the value of Ri into the groups RST, ME, CHOOSE and HE; transitions are labeled r(value) for reads of R1−i and w(value) for writes to Ri.]
Fig. 1
State Chart
The state chart representation will simplify the analysis
later. The transitions in the state chart are labeled with
reads r(value) and writes w(value) of the shared variables,
where value denotes the value read or written. The 11
states of the state chart are split into 4 groups enclosed by
dotted lines. Each group is an equivalence class consist-
ing of the set of states in which process Pi’s own shared
variable Ri has the same value. That is, the states in a
group are equivalent in the sense that process P1−i cannot
distinguish between them by reading Ri. Accordingly, the
inter-group transitions are writes to Ri, whereas the intra-
group transitions are reads of R1−i. Each group is named
after the corresponding value of the own shared variable
Ri. The state chart is deterministic, but for a coin flip
which is modeled by the two inter-group transitions in the
“choose” group, representing the two outcomes of a fair
coin flip. Doubly circled states are “idle” states (no op-
eration execution is in progress), and singly circled states
are intermediate states in an operation execution that is in
progress.
A program representation of the protocol, for process Pi,
is given below. An occurrence of Ri not preceded by ‘write’
(similarly, R1−i not preceded by ‘read’) as usual refers to
the last value written to it (resp. read from it). The con-
ditional ‘rnd(true,false)’ represents the boolean outcome
‘true’ or ‘false’ of a fair coin flip. The system is initial-
ized with value ‘rst’ in shared variables R0, R1. In our
protocol, all assignments to local variables consist of con-
tents read from shared variables. To simplify, we abbrevi-
ate statements like “r1−i := R1−i; while r1−i = ri do . . .
r1−i := R1−i.” to “while read R1−i = Ri do . . . ”. Here,
ri is the local variable containing the value last written to
shared variable Ri and r1−i is the local variable storing the
last read value of shared variable R1−i, for process Pi. This
way, our (writing of the) protocol can dispense with local
variables altogether.
test and set:
    if Ri = he AND read R1−i ≠ rst
        then return 1
    write Ri := me
    while read R1−i = Ri do
        write Ri := choose
        if read R1−i = he OR
           (R1−i = choose AND rnd(true,false))
            then write Ri := me
            else write Ri := he
    if Ri = me
        then return 0
        else return 1
reset:
    write Ri := rst
It can be verified in the usual way that the state chart
represents the operation of the program. The intuition is
easily explained using the state chart. The default situ-
ation is where both processes are idle, which corresponds
to being in the ‘rst’ state. If process Pi starts a test-and-
set then it writes Ri := me (indicating its desire to take
the 0), and checks by reading R1−i whether process P1−i
agrees (by not having R1−i = me). If so, then Pi has suc-
cessfully completed a test-and-set by obtaining the 0 and,
implicitly, setting the global variable X := 1 . In this case
process P1−i cannot get 0 until process Pi does a reset by
writing Ri := rst. While Ri = me, process P1−i can only
move from state ‘me’ to state ‘notme’ and on via states
‘choose’, ‘tohe’ and ‘he’ to ‘tst1’, where it completes its
test-and-set operation by failure to obtain the 0.
The only complication arises if both processes see each
other’s variable equal to ‘me’. In this case they are said
to disagree or to be in conflict. They then proceed to the
‘choose’ state from where they decide between going for 0
or 1, according to what the other process is seen to be do-
ing. (It is essential that this decision be made in a neutral
state, without a claim of preference for either 0 or 1. If,
for example, on seeing a conflict, a process would change
preference at random, then a process cannot know for sure
whether the other one agrees or is about to write a changed
preference.)
The deterministic choices, those made if the other’s vari-
able is read to contain a value different from ‘choose’, can
be seen to lead to a correct resolution of the conflict. A
process ending up in the ‘tst1’ state makes sure that its
test-and-set resulting in obtaining the 1 is justified, by re-
maining in that state until it can be sure that the other
process has taken the 0. Only if the other process is seen
to be in the ‘rst’ state it resumes trying to take the 0 itself.
Suppose now that process Pi has read R1−i = choose and is about to flip a coin. Assume that process P1−i has already moved to one of the states ‘tome’/‘tohe’ (or else reason with the processes interchanged). With 50 percent chance, process Pi will move to the state opposite to the one process P1−i moved to, and thus the conflict will be resolved.
In the proof of Theorem V.13 (below) we establish that
the probability of each loop through the ‘choose’ state is
at most one half, and the expected number of ‘choices’
(transitions from state choose) is at most two. This indi-
cates that the worst case expected test-and-set length is 11.
Namely, starting from the ‘tst1’ state, it takes 4 accesses
to get to state ‘choose’, another 4 accesses to loop back
to ‘choose’ and 3 more accesses to reach ‘tst0’/‘tst1’. The
reset operation always takes 1 access.
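The program above and the expected-length argument can both be checked mechanically. The following Python is an added example, not code from the paper: it runs each process through the program one shared-memory access per step, lets an adaptive adversary pick which process moves next, branches on both outcomes of every coin flip, and verifies over all reachable system states that the two processes never both hold the 0 and that the worst-case expected number of accesses in one test-and-set is 11 (the triple encoding and the function names are my own, not the state chart's labels).

```python
"""Exhaustive model of the two-process randomized test-and-set above.
Each process runs the paper's program one shared-memory access per step,
an adaptive adversary chooses which process moves next, and both outcomes
of every coin flip are explored.  The state encoding and names are mine."""

RST, ME, HE, CHOOSE = "rst", "me", "he", "choose"   # the four register values
IDLE, WRITE_ME, LOOP_READ, WRITE_CHOOSE, READ_CHOOSE, WRITE_HE = range(6)

# A process is a triple (own, pc, hold): own is the value it last wrote to
# R_i, pc is its position in the program, and hold is 0 while it owns the 0
# of the object, 1 after its last test-and-set returned 1, and None before
# its first operation or right after a reset.


def step(own, pc, hold, other):
    """One access by a process that would read `other` from R_{1-i}.
    Returns the possible successor triples: one, or two after a coin flip."""
    if pc == IDLE:
        if hold == 0:                     # reset: the single write R_i := rst
            return [(RST, IDLE, None)]
        if own == HE:                     # test-and-set started from 'tst1':
            # "if R_i = he AND read R_{1-i} != rst then return 1"
            return [(HE, IDLE, 1)] if other != RST else [(HE, WRITE_ME, hold)]
        return [(ME, LOOP_READ, hold)]    # write R_i := me
    if pc == WRITE_ME:
        return [(ME, LOOP_READ, hold)]
    if pc == LOOP_READ:                   # "while read R_{1-i} = R_i do"
        if other == own:
            return [(own, WRITE_CHOOSE, hold)]
        return [(own, IDLE, 0 if own == ME else 1)]   # tst0 or tst1
    if pc == WRITE_CHOOSE:
        return [(CHOOSE, READ_CHOOSE, hold)]
    if pc == READ_CHOOSE:                 # read R_{1-i}, maybe flip a coin
        if other == HE:
            return [(CHOOSE, WRITE_ME, hold)]
        if other == CHOOSE:               # rnd(true,false): both outcomes
            return [(CHOOSE, WRITE_ME, hold), (CHOOSE, WRITE_HE, hold)]
        return [(CHOOSE, WRITE_HE, hold)]
    return [(HE, LOOP_READ, hold)]        # pc == WRITE_HE


INITIAL = ((RST, IDLE, None), (RST, IDLE, None))   # both registers hold 'rst'


def successors(state):
    """All (mover, next_state) pairs; a coin flip gives two for one mover."""
    out = []
    for i in (0, 1):
        for nxt in step(*state[i], state[1 - i][0]):
            new = list(state)
            new[i] = nxt
            out.append((i, tuple(new)))
    return out


def reachable_states():
    seen, todo = {INITIAL}, [INITIAL]
    while todo:
        for _, t in successors(todo.pop()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def never_two_zeros():
    """Safety: in no reachable system state do both processes hold the 0."""
    return all(not (s[0][2] == 0 and s[1][2] == 0) for s in reachable_states())


def worst_case_expected_accesses():
    """Value iteration: the adversary maximises the expected number of
    accesses P0 spends in one test-and-set, the expectation being over the
    coin flips of both processes.  Returns the maximum over all states in
    which P0 can start a test-and-set (the paper's bound is 11)."""
    states = reachable_states()
    busy = [s for s in states if s[0][1] != IDLE]       # P0 mid-operation
    value = {s: 0.0 for s in busy}

    def move_cost(s, mover):
        nxt = [t for m, t in successors(s) if m == mover]
        done = lambda t: t[0][1] == IDLE                   # P0's operation ended
        rest = sum(0.0 if done(t) else value[t] for t in nxt) / len(nxt)
        return (1.0 if mover == 0 else 0.0) + rest          # only P0's accesses count

    for _ in range(10000):                                 # monotone, converges fast
        delta = 0.0
        for s in busy:
            new = max(move_cost(s, 0), move_cost(s, 1))
            delta = max(delta, new - value[s])
            value[s] = new
        if delta < 1e-12:
            break
    starts = [s for s in states if s[0][1] == IDLE and s[0][2] != 0]
    return max(move_cost(s, 0) for s in starts)


if __name__ == "__main__":
    print("reachable system states:", len(reachable_states()))
    print("never both hold the 0:", never_two_zeros())
    print("worst-case expected accesses per test-and-set:",
          worst_case_expected_accesses())
```

The bound of 11 is attained from the state in which P0 idles in ‘tst1’ while P1, holding the 0, has just reset: one read of ‘rst’, then the 4 + 4 + 3 accesses counted above.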
V. Proof of Correctness
The proof idea is as follows: We give a specification of a
correct implementation of two-process test-and-set in the
form of a finite automaton (Figure 4). We then show that
all initial segments of every possible interleaving of accesses
by two processes P0 and P1, both executing the algorithm
of the state chart (Figure 1), are accepted by the finite
automaton. Moreover, the sequence of states of the finite
automaton in the acceptance process induces a linear order
on the operation execution of the implemented processes
that extends the partial order induced by the start and fin-
ish times of the individual operation executions. Thus, the
implementation is both correct and atomic. Essentially,
the proof is given by Figure 5, which gives the state of the
specification finite automaton for every reachable combi-
nation of states which processes P0 and P1 can attain in
their respective copies of the state chart (Figure 1). By
analysis of the state chart, or Figure 5, we upper bound
the expectation of the number of accesses of every opera-
tion execution of the implementation by a small constant.
Hence the implementation is wait-free.
Let h be an interleaving corresponding to a global execution (A,→) of two processes running the protocol starting from the initial state. Let {s(a), f(a) : a ∈ A} be the set of time instants that start or finish an operation execution, each such time instant corresponding to an access (P,R,A). Let B denote the set of these accesses. Recall that if a is a reset, then we have s(a) = f(a) and there is but a single access executing this operation.
By definition, h|B, the restriction of h to the accesses
in B, completely determines the partial order →. If, for
every a ∈ A we can choose a single access (P,R,A)a in the
sequence of accesses constituting the operation execution of
a, such that if a→ b then (P,R,A)a precedes (P,R,A)b in
h, then we are done. Namely, we can imagine an operation
a as executing atomically at the time instant of atomic
access (P,R,A)a, and the total order ⇒ defined by a ⇒ b
iff (P,R,A)a precedes (P,R,A)b in h, extends the partial
order →. Denote the set {(P,R,A)a : a ∈ A} by C. We
have to show that for every h as defined above such a C
can be found.
Definition V.1: Specification of two-process atomic test-
and-set: The definition of the target atomic test-and-set for
two processes, process P0 and process P1, is captured by
finite automaton FA1 in Figure 2, which accepts all possible
sequences of atomic test-and-set and reset operations (all
states final). The states are labeled with the owner of the 0-
bit. The arcs representing actions of process P1 are labeled,
whereas the non-labeled arcs represent the corresponding
actions of process P0: resulting in setting x1 := 1.
Definition V.2: Specification of wait-free atomic test-
and-set restricted to a single process: Figure 3 shows the se-
mantics required of a correct implementation of a wait-free
test-and-set object as a finite automaton FA2, that accepts
all sequences of accesses by a single process Pi (i = 0, 1)
executing a correct wait-free atomic test-and-set protocol:
(all states final):
• the access starting a test-and-set operation execution,
denoted s(tas),
• the atomic occurrence of a test-and-set operation execu-
tion returning 0, denoted tas0,
• the atomic occurrence of a test-and-set operation execu-
tion returning 1, denoted tas1,
[Figure 2 (finite automaton FA1): state labels 0 and 1; transition labels tas0, tas1 and rst.]
Fig. 2
FA1: Specification of two-process atomic test-and-set object
• the access finishing a test-and-set operation execution
returning 0, denoted f(tas0),
• the access finishing a test-and-set operation execution
returning 1, denoted f(tas1),
• the single access corresponding to a complete reset oper-
ation execution, denoted rst.
These are the events in B ∪ C restricted to a process Pi.
The reason for not splitting a reset operation execution
into start, atomic occurrence, and finish is that it is im-
plemented in our protocol as a single atomic write where
the above three transitions coincide. As before, doubly cir-
cled states are “idle” states (no operation execution is in
progress), and singly circled states are intermediate states
in an operation execution that is in progress.
[Figure 3 (finite automaton FA2): transition labels s(tas), tas0, f(tas0), tas1, f(tas1) and rst.]
Fig. 3
FA2: Specification of 1-process wait-free implementation of atomic test-and-set
Definition V.3: Specification of two-process wait-free
atomic test-and-set: The proof that our implementation is
correct consists in demonstrating that it satisfies the speci-
fication in the form of the finite automaton FA3 in Figure 4
below (again all states are final).
Formally [27], FA3 is the composition of FA1 with two
copies of FA2, in the I/O Automata framework, as fol-
lows: It is drawn as a cartesian product of the two com-
ponent processes—transitions of process P0 are drawn ver-
tically and those of process P1 horizontally. For clarity,
the transition names are only given once: only for pro-
cess P1. Identifying the starts and finishes of test-and-
set operation executions a with their atomic occurrence
(P,R,A)a by collapsing the s() and f() arcs, FA3 reduces
to the atomic test-and-set diagram FA1. Identifying all
nodes in the same column (row) reduces FA3 to FA2 of
process P0 (process P1).
In the states labeled ‘a’ through ‘h’, neither process owns the 0; the system is in state ⊥. In the states labeled ‘i’ through ‘n’, process 1 owns the 0; the system is in state 1. In the states labeled ‘o’ through ‘t’, process 0 owns the 0; and the system is in state 0.
[Figure 4 (finite automata FA3/FA4): grid of states ‘a’ through ‘t’; transition labels s(tas), tas0, f(tas0), tas1, f(tas1) and rst.]
Fig. 4
FA3/FA4: Specification of two-process wait-free atomic test-and-set
The broken transitions of Figure 4 correspond to the ac-
cess (P,R,A)a ∈ C, required for a correct implementation,
where the atomic execution of operation a can be virtually
situated. Recall that this is only relevant for a is a test-
and-set operation, since the reset operation is implemented
in the protocol already in a single atomic access of a shared
primitive variable.
Definition V.4: Let FA4 be the (nondeterministic) finite
automaton obtained from FA3 by turning the broken tran-
sitions of Figure 4, which correspond to the unknown but
existing access (P,R,A)a ∈ C where the execution of a can
be virtually situated, into ǫ-moves.
Lemma V.5: Acceptance of h|B by FA4 implies that (A,→) is linearizable: partial order → can be extended to a total order ⇒ such that the sequence of operation executions in A ordered by ⇒ satisfies the test-and-set semantics specification of Definition V.1.
Proof: If FA4 accepts h|B, then, corresponding to
the ǫ moves, we can augment the sequence h|B with an
access (P,R,A)a in the interval [s(a), f(a)] of each opera-
tion execution a ∈ A—or select the single access involved if
s(a) = f(a) as in the case of a reset operation execution—
to obtain a new sequence h′ that is accepted by FA3. Since FA3 is composed from FA1, FA1 accepts h′|C, the subsequence of atomic accesses (P,R,A)a with a ∈ A contained in h′. Furthermore, letting t(a) denote the time of access (P,R,A)a, we have a → b iff t(a) ≤ f(a) ≤ s(b) ≤ t(b). Defining a ⇒ b if t(a) < t(b), the total order of accesses in h′|C, then ⇒ is a total order that extends the partial order →. That is, the sequence of operation executions of A, linearly ordered by ⇒, is accepted by FA1.
Recall that Figure 1 is the state chart of the execution
of the implementation of an operation by a single process.
Each process can be in a particular state of the state chart.
Let (s0, s1) denote the state of the system with process Pi
in state si (i ∈ {0, 1}).
Definition V.6: The initial system state is (rst, rst). A
system state (s0, s1) is reachable from the initial system
state (rst, rst) if there is a sequence h arising from the
execution of our test-and-set implementation, represented
by the state chart of Figure 1, starting from the initial state
and ending in state (s0, s1).
Example V.7: In the initial state both processes are in
state ‘rst’. Process P0 can start a test-and-set by execut-
ing w(me) and entering state me. Suppose process P1 now
starts a test-and-set: it executes w(me) and moves to state
me. Hence, system states (me, rst) and (me,me) are reach-
able states. ♦
Definition V.8: The representative set of a reachable system state (s0, s1) is a nonempty set Ss0,s1 of FA3/FA4 states, as in Figure 4, such that: For every sequence of accesses h starting in the initial state and ending in state (s0, s1), the set Ss0,s1 is the set of states in which FA4 can be after processing h|B, excluding those states that have outgoing moves that are ε-moves only.
Example V.9: We elaborate Example V.7. In the initial
state both processes are in state ‘rst’. The corresponding
start state d of FA4 gives the associated (in this case sin-
gleton) representative set {d}. When process P0 executes
w(me) and enters state me, the resulting system state is
(me, rst) with the associated representative set {g, p} of
FA4 states. That is, the system is now either in state g,
meaning that process P0 has executed s(tas), or in state p
meaning that process P0 has executed s(tas) and also tas0
atomically. In the scenario of Example V.7, process P1 now executes w(me) and moves to state me, resulting in the system state (me,me). The corresponding representative set
of FA4 states is {i,m, o, q}. State m says process P1 has
executed s(tas) and tas0 atomically, while process P0 has
only executed s(tas)—hence the system was previously in
state g and not in state p. State i says process P1 has
executed s(tas) and tas0 atomically, while process P0 has
executed s(tas) and tas1 atomically—and hence the sys-
tem was previously in state g and not state p. States o and
q imply the same state of affairs with the roles of process P0
and process P1 interchanged, and the previous system state
is either p or g. (The correspondence between reachable
states and their representative sets is exhaustively estab-
lished in Claim V.11 below.) ♦
Lemma V.10: Let h be a sequence of accesses arising
from the execution of our test-and-set implementation, rep-
resented by the state chart of Figure 1, starting from the
initial state (both processes in state ‘rst’). Then, every ini-
tial segment of h|B is accepted by FA4 starting from initial
state ‘d’.
Proof: We show that the set of letters in an entry in
the table of Figure 5 is a representative set for the state of
process P0, indexing the row, and the state of process P1,
indexing the column. The entries were chosen excluding all states from the representative sets with all outgoing moves consisting of ε-moves (but the representative sets contain the states the outgoing ε-moves of the excluded states point to). This gives the most insight into the workings of the protocol by considering only the result of executing ε-moves from a state if its only outgoing moves are ε-moves. A ∗-entry indicates an unreachable state pair. (The number
ending an entry gives the expected number of accesses to
finish the current operation execution of process P0—and
by symmetry, that for an equivalent state pair with respect
to P1. We will use this later.) Thus, every state (s0, s1)
of the implementation execution corresponds with a set of
states Ss0,s1 of FA4.
Claim V.11: The representative sets are given by the en-
tries of Figure 5.
Proof: The proof of the claim is contained in the
combination of Figures 1, 4, 5. Below we give the inductive
argument. The mechanical verification of the subcases has
been done by hand, and again by machine. The setting up of the exhaustive list of subcases and the subsequent verification by a computer program is the essence of a finite-state proof. In this particular case, exceptionally, the finite state
machines involved (and the table of representative sets)
have been minimized so that “mechanical” verification by
hand by the reader is still feasible. Induction is on the
length of the sequence of accesses:
Base Case: Initially, after an empty sequence of accesses,
FA4 is in the state {d} = Srst,rst.
Induction: Every non-reachable state has a ∗-entry in the
table of Figure 5. Consider an arbitrary atomic transition
from a reachable state (s0, s1) to a state (t0, t1), that is,
using a single arc in the state chart in Figure 1 for either
process P0 or P1. This way, either t0 = s0 or t1 = s1 but
not both. Then, for every FA4 state y ∈ St0,t1 , Figure 4,
according to the table of Figure 5, there is an FA4 state
x ∈ Ss0,s1 according to Figure 4, such that FA4 can move
from x to y by executing: either the access corresponding
to the transition in the state chart in Figure 1, if that access
belongs to B, or no access otherwise (there is a sequence of ε-moves from x to y).
Since every reachable state of the system (s0, s1), with si
(i ∈ {0, 1}) a state of the state chart of Figure 1, has a rep-
resentative set in FA4, Figure 4, and every state of FA4
is an accepting state, the lemma follows from Claim V.11.
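The induction in the proof of Claim V.11 is a mechanical check, and the following Python is an added example of that check, not the authors' program: its specification automaton and state chart are a constructed toy (each operation is a start access, an atomic point as an ε-move, and a finish access, with one read outside B in between), not FA4, Figure 1 or the entries of Figure 5. The checker computes the representative set of every reachable system state, drops ε-only states as in Definition V.8, and fails when the specification could reject a history or the set would depend on the history.

```python
EPS = None  # label of an epsilon-move (the atomic point) in the specification automaton

def eps_closure(moves, states):
    """Spec states reachable from `states` by zero or more epsilon-moves."""
    seen, todo = set(states), list(states)
    while todo:
        new = moves.get((todo.pop(), EPS), set()) - seen
        seen |= new
        todo.extend(new)
    return seen

def spec_step(moves, states, access, B):
    """eps* access eps* if the access is a start/finish access in B, else eps* only."""
    closed = eps_closure(moves, states)
    succ = {y for x in closed for y in moves.get((x, access), ())}
    return eps_closure(moves, succ) if access in B else closed

def representative(moves, states):
    """Definition V.8: drop states whose outgoing moves are epsilon-moves only."""
    return frozenset(x for x in states if (x, EPS) not in moves
                     or any(s == x and a is not EPS for s, a in moves))

def representative_sets(chart, init_local, moves, init_spec, B):
    """Claim V.11's induction as a search over reachable system states (s0, s1);
    ValueError if the spec could reject a history or a set depends on the history."""
    init = (init_local, init_local)
    table = {init: representative(moves, eps_closure(moves, {init_spec}))}
    todo = [init]
    while todo:
        cur = todo.pop()
        for i in (0, 1):  # one atomic transition of process Pi along one chart arc
            for src, access, dst in (arc for arc in chart if arc[0] == cur[i]):
                nxt = (dst, cur[1]) if i == 0 else (cur[0], dst)
                label = access.format(i=i)
                after = representative(moves, spec_step(moves, table[cur], label, B))
                if not after:
                    raise ValueError(f"spec rejects {cur} --{label}--> {nxt}")
                if nxt not in table:
                    table[nxt] = after
                    todo.append(nxt)
                elif table[nxt] != after:
                    raise ValueError(f"representative set of {nxt} is not unique")
    return table

# Constructed toy spec (not FA4): start access, atomic point (epsilon), finish; a spec state is (phase of P0, phase of P1).
NEXT_PHASE = {"idle": ("started", "s{i}"), "started": ("done", EPS), "done": ("idle", "f{i}")}

def toy_spec():
    moves = {}
    for p0 in NEXT_PHASE:
        for p1 in NEXT_PHASE:
            for i in (0, 1):
                nxt_ph, label = NEXT_PHASE[(p0, p1)[i]]
                nxt = (nxt_ph, p1) if i == 0 else (p0, nxt_ph)
                moves.setdefault(((p0, p1), label and label.format(i=i)), set()).add(nxt)
    return moves

# Constructed toy state chart (not Figure 1): start access, one read outside B, finish.
TOY_CHART = [("rst", "s{i}", "me"), ("me", "r{i}", "read"), ("read", "f{i}", "rst")]
TOY_B = {"s0", "s1", "f0", "f1"}
```

Run on the toy, system state (me, me) yields the analogue of {i, m, o, q}: the spec state in which both operations have started but neither has passed its atomic point has ε-moves only and is dropped, like state h in Example V.14.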
Theorem V.12: The algorithm represented by the state chart of Figure 1 correctly implements an atomic test-and-set object.
Proof: By Lemma V.10 the implementation by the state chart in Figure 1 correctly implements the specification of two-process test-and-set given by Figure 4. The implementation is linearizable (atomic) by Lemma V.10. The system makes progress (every operation execution is executed completely except for possibly the last one of each process) since h|B contains only the start and finish accesses of each operation execution performed by the implementation.

P0 \ P1  rst    tst0   notme   me      tome    choose  tohe    he      nothe   tst1  free
rst      d10    l10    cek10   ek10    ek10    c10     c10     c10     c10     d10   ek10
tst0     s1     *      rt1     rt1     rt1     r1      r1      r1      r1      s1    rt1
notme    agp8   jn8    imoq8   imoq8   *       imoq8   imoq8   o4      *       p4    *
me       gp9    jn9    imoq9   imoq9   imoq9   o1      o1      o1      o1      p1    imoq9
tome     gp10   jn10   *       imoq10  imoq10  imoq6   o2      o2      imoq6   p2    *
choose   a3     j3     imoq7   i3      imoq7   imoq7   imoq7   o3      imoq7   p3    *
tohe     a2     j2     imoq6   i2      i2      imoq6   imoq10  imoq10  *       p6    *
he       a1     j1     i1      i1      i1      i1      imoq9   imoq9   imoq9   p5    *
nothe    a4     j4     *       i4      imoq8   imoq8   *       imoq8   imoq8   p4    *
tst1     d11    l11    k11     k11     k11     k11     k11     k11     k11     *     *
free     gp10   jn10   *       imoq10  *       *       *       *       *       *     *

Fig. 5. Table verification of correctness and wait-freedom (rows: state of P0; columns: state of P1).
Theorem V.13: The algorithm represented by the state chart of Figure 1 is wait-free: the expected number of accesses to shared variables never exceeds 11 during execution of an operation.
Proof: In Figure 1 every arc is an access. Double cir-
cled states are idle states (in between completing an oper-
ation execution and starting a new one). Consider process
P0 (the case for process P1 is symmetrical). The longest
path without completing an operation and without cycling
is from state ‘tst1’: tst1, free, me, notme, choose, tohe,
he, tst1. This takes 7 accesses. Four of these accesses are
parts of a potential cycle of length 4. The remainder is 3
accesses outside the potential cycle. In state ‘choose’, the
outgoing arrow is a random choice only when process P1
is also in the CHOOSE group. If it is, then with $\frac{1}{2}$ probability P1 makes (or has already made) a choice which will cause process P0 to loop back to the ‘choose’ state again. This can happen again and again. The expected number of iterations of loops is $\sum_{i=1}^{\infty} i \left(\frac{1}{2}\right)^{i} = \frac{1}{2}\left(1-\frac{1}{2}\right)^{-2} = 2$. Since a
loop has length 4, this gives a total of expected accesses of
8 for the loops. Together with 3 non-loop accesses the total
is at most 11 accesses. Such a computation holds for every
state in the state chart of Figure 1, the only loop being
the one discussed but the longest possible path is the one
starting from ‘tst1’. For definiteness, we have in fact com-
puted the expected number of accesses for every accessible
state (s0, s1) according to the state chart of Figure 1, and
added that number to the representative set concerned in
the table of Figure 5. Since the expected number of ac-
cesses is between 1 and 11 for all operation executions, the
algorithm given by the state chart of Figure 1 is wait-free.
To aid intuition, we give an example of checking a few
transitions below, as well as giving the interpretation.
Example V.14: We elaborate and continue Exam-
ples V.7, V.9. In the initial state both processes are in
state ‘rst’. In Figure 4, the table entry d10 gives the cor-
responding start state d of FA4. The worst-case expected
number of accesses for a test-and-set by process 0 is 10.
Process P0 can start a test-and-set by executing w(me)
and entering state me. The corresponding table entry gp9
indicates in Figure 4 that the system is now either in state
g meaning that process P0 has executed s(tas), or in state
p meaning that process P0 has executed s(tas) and also
tas0 atomically. The expected number of accesses is now
9 ≤ 10−1. Suppose process P1 now starts a test-and-set: it
executes w(me) and moves to state me. The corresponding
table entry imoq9 gives the system state as one possibil-
ity in {i,m, o, q} in Figure 4 and the expected number of
accesses for execution of test-and-set by process P0 is still
9. State m says process P1 has executed s(tas) and tas0
atomically, while process P0 has only executed s(tas)—
hence the system was previously in state g and not in state
p. State i says process P1 has executed s(tas) and tas0
atomically, while process P0 has executed s(tas) and tas1
atomically—and hence the system was previously in state
g and not state p. States o and q imply the same state
of affairs with the roles of process P0 and process P1 in-
terchanged, and the previous system state is either p or
g.
Note that at this point the system can also be in state h of FA4—both processes having executed s(tas) but no process having executed tas0 or tas1. However, from h there are two ε-moves possible, and no other moves, leading to q and m. This corresponds to the fact that if both processes have executed s(tas), one of them must return 0 and the other one must return 1. We have optimized the table entries by eliminating such spurious intermediate states h with outgoing moves that are ε-moves only.
Process P0 might now read R1 = me, and move via state
‘notme’ (table entry imoq8) by writing R0 := choose, to
state ‘choose’. Process P1 is idle in the meantime. The
table entry is now i3. This says that process P1 has atomi-
cally executed tst0, and process P0 has atomically executed
tst1. Namely, all subsequent schedules lead in 3 accesses
of process P0 to state ‘tst1’—hence the expectation 3.
The expected number of remaining accesses of pro-
cess P0’s test-and-set has dropped from 8 to 3 by the
last access since 8 was the worst-case which could be
forced by the adversary. Namely, from the system in state
(notme, me), the adversary can schedule process P1 to
move to (notme, notme) with table entry imoq8, followed
by a move of process P1 to state (notme, choose) with ta-
ble entry imoq8, followed by a move of process P0 to state
(choose, choose) with table entry imoq7. Suppose the ad-
versary now schedules process P0. It now flips a fair coin to
obtain the conditional boolean rnd(true, false). If the out-
come is true, then the system moves to state (tome, choose)
with entry imoq6. If the outcome is false, then the sys-
tem moves to state (tohe, choose) with table entry imoq6.
Given a fair coin, this access of process P0 correctly decre-
ments the expected number of accesses. Suppose the adver-
sary schedules process P1 in state (choose, choose). Pro-
cess P1 flips a fair coin. If the outcome is true the sys-
tem moves to state (choose, tome) with table entry imoq7;
if the outcome is false then the system moves to state
(choose, tohe) with table entry imoq7. ♦
VI. Remark on Multi-Process Test-And-Set
The obvious way to extend the given solution to more
than two processes would be to arrange them at the leaves
of a binary tree. Then, a process wishing to execute an n-
process test-and-set, would enter a tournament, as in [29],
by executing a separate two-process test-and-set for each
node on the path up to the root. When one of these fails, it
would again descend, resetting all the tas-bits on which it
succeeded, and return 1. When it succeeds ascending up to the root, it would return 0 and leave the resetting descent to its n-process reset.
The intuition behind this tree approach is that if a pro-
cess i fails the test-and-set at some node N, then another
process j will get to the root successfully and thus justify
the value 1 returned by the former.
The worst-case expected length of the n-process operations is only log n (binary logarithm) times more than that of the two-process case.
Unfortunately, this straightforward extension does not
work. The problem is that the other process j need not be
the one responsible for the failure at node N, and might
have started its n-process test-and-set only after process i
completes its own. Clearly, the resulting history cannot be
linearized.
Nonetheless, it turns out that with a somewhat more
complicated construction we can deterministically imple-
ment n-process test-and-set using two-process test-and-set
as primitives [3]. This shows that the impossibility of de-
terministic wait-free atomic n-process test-and-set is com-
pletely due to the impossibility of deterministic wait-free
atomic two-process test-and-set. This latter problem we
have just solved by a simple direct randomized algorithm.
References
[1] K. Abrahamson, On achieving consensus using shared memory,
Proc. 7th ACM Symp. Principles of Distributed Computing, 1988,
291–302.
[2] Y. Afek, H. Attiya, D. Dolev, E. Gafni, M. Merritt, N. Shavit,
Atomic snapshots of shared memory, Journal of the ACM,
40:4(1993), 873-890.
[3] Y. Afek, E. Gafni, J. Tromp, P.M.B. Vitányi, Wait-free test-and-set, pp. 85-94 in: Proc. 6th Workshop on Distributed Algorithms (WDAG-6), Lecture Notes in Computer Science, vol. 647, Springer Verlag, Berlin, 1992.
[4] H. Attiya, D. Dolev, N. Shavit, Bounded Polynomial Randomized Consensus, Proc. 8th ACM Symp. Principles of Distributed Computing, 1989, 281–293.
[5] J.H. Anderson, Multiwriter composite registers, Distributed Com-
puting, 7:4(1994), 175-195.
[6] J. Aspnes, Time- and space-efficient randomized consensus, Jour-
nal of Algorithms, 14:3(1993), 414-431.
[7] J. Aspnes, M. Herlihy, Fast randomized consensus using shared memory, Journal of Algorithms, 11:3(1990), 441-461.
[8] A. Bar-Noy and D. Dolev, A partial equivalence between shared-
memory and message-passing in an asynchronous fail-stop dis-
tributed environment, Mathematical Systems Theory, 26(1993),
21–39.
[9] E. Borowsky and E. Gafni, Immediate Atomic Snapshots and Fast
Renaming, Proc. 11th ACM Symp. on Principles of Distributed
Computing, 1992, pp. 41–52.
[10] H. Buhrman, A. Panconesi, R. Silvestri, and P. Vitanyi, On the importance of having an identity or, is consensus really Universal?, Distributed Computing Conference (DISC’00), Lecture Notes in Computer Science, Vol. 1914, Springer-Verlag, Berlin, 2000, 134–148.
[11] J.E. Burns, P. Jackson, N.A. Lynch, M.J. Fischer, G.L. Peterson, Data Requirements for Implementation of N-process Mutual Exclusion Using a Single Shared Variable, J. Assoc. Comput. Mach., 29(1982), 183–205.
[12] B. Chor, A. Israeli, M. Li, Wait–Free Consensus Using Asyn-
chronous Hardware, SIAM J. Comput., 23:4(1994), 701–712.
[13] E. M. Clarke, O. Grumberg, and D. Peled, Model Checking, MIT
Press, 2000.
[14] D. Dolev and N. Shavit, Bounded concurrent time-stamp sys-
tems are constructible, Siam J. Comput., 26(2):418-455, 1997.
[15] W. Eberly, L. Higham, J. Warpechowska-Gruca, Long-lived,
fast, waitfree renaming with optimal name space and high
throughput, Proc. 12th Intn’l Distributed Computing Conference
(DISC’98), Lecture Notes in Computer Science, 1499, Springer-
Verlag, Berlin, 1998.
[16] S. Haldar, P.M.B. Vitanyi, Bounded concurrent timestamp sys-
tems using vector clocks, J. Assoc. Comput. Mach., 49:1(2002).
[17] M. Herlihy, Wait-free synchronization. ACM Trans. Progr. Lang.
Syst., 13:1(1991), 124–149.
[18] M.P. Herlihy, Randomized Wait-Free Concurrent Objects, Proc.
10th ACM Symp. Principles of Distributed Computing, 1991, 11–
21.
[19] M. Herlihy and N. Shavit, The topological structure of asyn-
chronous computability, J. Assoc. Comp. Mach., 46:6(1999), 858-
923.
[20] M. Herlihy, J. Wing, Linearizability: A correctness condition for
concurrent objects, ACM Trans. Program. Languages and Sys-
tems, 12(1990), 463–492.
[21] M.J. Fischer, N.A. Lynch, and M.S. Paterson, Impossibility
of Distributed Consensus with One Faulty Processor. J. Assoc.
Comput. Mach. 32:2(1985), 374–382.
[22] A. Israeli and M. Li, Bounded Time-Stamps, Distributed Com-
puting 6(1993), 205–209.
[23] L. Lamport, On Interprocess Communication Parts I and II,
Distributed Computing 1(1986), 77–101.
[24] M. Loui, H.H. Abu-Amara, Memory requirements for agreement
among unreliable asynchronous processes, pp. 163–183 in: Ad-
vances in Computing Research, Vol. 4, JAI Press, 1987.
[25] M. Li, J. Tromp, P.M.B. Vitányi, How to share concurrent wait-free variables, J. Assoc. Comp. Mach., 43 (1996), 723-746.
[26] N.A. Lynch, Distributed Algorithms, Morgan Kaufmann, 1996.
[27] N.A. Lynch and M. Tuttle, An Introduction to Input/Output
automata, CWI-Quarterly, 2:3(1989), 219–246.
[28] A. Panconesi, M. Papatrintafilou, P. Tsigas, P. Vitanyi, Ran-
domized Naming Using Wait-Free Shared Variables, Distributed
Computing, 11(1998), 113–124.
[29] G.L. Peterson, M. Fischer, Economical solutions for the critical
section problem in a distributed system, Proc. 9th ACM Symp.
Theory of Computing, 1977, 91–97.
[30] G.L. Peterson, Concurrent reading while writing, ACM Trans.
Programming Languages and Systems, 5:1(1983), 46–55.
[31] S. Plotkin, Sticky bits and universality of consensus, Proc. 8th
ACM Symp. Principles of Distributed Computing, 1989, 159–175.
[32] A.K. Singh, J.H. Anderson, and M.G. Gouda, The Elusive Atomic Register Revisited, J. Assoc. Comput. Mach., 41:2(1994), 311–339.
[33] R. Schaffer, On the correctness of atomic multi-writer registers,
Technical Report MIT/LCS/TM-364, MIT lab. for Computer Sci-
ence, June 1988.
[34] M. Saks, N. Shavit, and H. Woll. Optimal time randomized con-
sensus – making resilient algorithms fast in practice, 2nd ACM
Symp. On Discrete Algorithms, 1991, 351–362.
[35] M.O. Rabin, The choice coordination problem. Acta Informat-
ica, 17(1982), 121–134.
[36] J. Tromp and P. M. B. Vitanyi, Randomized wait-free test-and-
set, Manuscript, November 1990.
[37] P.M.B. Vitanyi, B. Awerbuch, Atomic Shared Register Access by
Asynchronous Hardware, Proc. 27th IEEE Symp. Foundations of
Computer Science, 1986, 233–243. (Errata, Ibid.,1987)
