On Composition and Implementation of Sequential Consistency (Extended Version) by Perrin, Matthieu et al.
On Composition and Implementation of Sequential
Consistency (Extended Version)
Matthieu Perrin, Matoula Petrolia, Achour Mostefaoui, Claude Jard
To cite this version:
Matthieu Perrin, Matoula Petrolia, Achour Mostefaoui, Claude Jard. On Composition and
Implementation of Sequential Consistency (Extended Version). [Research Report] LINA-
University of Nantes. 2016. <hal-01346805v4>
HAL Id: hal-01346805
https://hal.archives-ouvertes.fr/hal-01346805v4
Submitted on 28 Jul 2016
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
On Composition and Implementation of Sequential Consistency
(Extended Version)
Matthieu Perrin
LINA – University of Nantes
matthieu.perrin@univ-nantes.fr
Matoula Petrolia
LINA – University of Nantes
stamatina.petrolia@univ-nantes.fr
Achour Mostfaoui
LINA – University of Nantes
achour.mostefaoui@univ-nantes.fr
Claude Jard
LINA – University of Nantes
claude.jard@univ-nantes.fr
Abstract
It has been proved that to implement a linearizable shared memory in synchronous message-passing
systems it is necessary to wait for a time proportional to the uncertainty in the latency of the network
for both read and write operations, while waiting during read or during write operations is sufficient for
sequential consistency.
This paper extends this result to crash-prone asynchronous systems. We propose a distributed al-
gorithm that builds a sequentially consistent shared memory abstraction with snapshot on top of an
asynchronous message-passing system where less than half of the processes may crash. We prove that it
is only necessary to wait when a read/snapshot is immediately preceded by a write on the same process.
We also show that sequential consistency is composable in some cases commonly encountered: 1)
objects that would be linearizable if they were implemented on top of a linearizable memory become
sequentially consistent when implemented on top of a sequential memory while remaining composable
and 2) in round-based algorithms, where each object is only accessed within one round.
Key words
Asynchronous message-passing system, Crash-failures, Composability, Sequential consistency, Shared
memory, Snapshot.
1 Introduction
A distributed system is abstracted as a set of entities (nodes, processes, agents, etc) that communicate with
each other using a communication medium. The two most used communication media are communication
channels (message-passing system) and shared memory (read/write operations). Programming with shared
objects is generally more convenient as it offers a higher level of abstraction to the programmer, therefore
facilitates the work of designing distributed applications. A natural question is the level of consistency
ensured by shared objects. An intuitive property is that shared objects should behave as if all processes
accessed the same physical copy of the object. Sequential consistency [17] ensures that all the operations
that happen in a distributed history appear as if they were executed sequentially, in an order that respects
the sequential order of each process (called the process order).
Unfortunately, sequential consistency is not composable: if a program uses two or more objects, despite
each object being sequentially consistent individually, the set of all objects may not be sequentially consistent.
An example is shown in Fig. 1, where two processes share two registers named X and Y ; although the
operations of each register may be totally ordered (the read precedes the write), it is impossible to order
all the operations at once. Linearizability [15] overcomes this limitation by adding constraints on real time:
1
p1
p0
lX
lY
X.write(1) Y.read → 0
Y.write(1) X.read → 0
Figure 1: Sequential consistency is not composable: registers X and Y are both sequentially consistent but
their composition is not.
each operation appears at a single point in time, between its start event and its end event. As a consequence,
linearizability enjoys the locality property [15] that ensures its composability. Because of this composability,
much more effort has been focused on linearizability than on sequential consistency so far. However, one
of our contributions implies that in asynchronous systems where no global clock can be implemented to
measure real time, a process cannot distinguish between linearizability and sequential consistency, thus the
connection to real time seems to be a worthless — though costly — guarantee.
In this paper we focus on message-passing distributed systems. In such systems a shared memory is not
a physical object; it has to be built using the underlying message-passing communication network. Several
bounds have been found on the cost of sequential consistency and linearizability in synchronous distributed
systems, where the transit time for any message is in a range [d−u, d], where d and u are called respectively
the latency and the uncertainty of the network. Let us consider an implementation of a shared memory, and
let r (resp. w) be the worst case latency of any read (resp. write) operation. Lipton and Sandberg proved
in [18] that, if the algorithm implements a sequentially consistent memory, the inequality r + w ≥ d must
hold. Attiya and Welch refined this result in [5], proving that each kind of operations could have a 0-latency
implementation for sequential consistency (though not both in the same implementation) but that the time
duration of both kinds of operations has to be at least linear in u in order to ensure linearizability.
Therefore the following questions arise. Are there applications for which the lack of composability of
sequential consistency is not a problem? For these applications, can we expect the same benefits in weaker
message-passing models, such as asynchronous failure-prone systems, from using sequentially consistent
objects rather than linearizable objects?
To illustrate the contributions of the paper, we also address a higher level operation: a snapshot operation
[1] that allows to read in a single operation a whole set of registers. A sequentially consistent snapshot is
such that the set of values it returns may be returned by a sequential execution. This operation is very useful
as it has been proved [1] that linearizable snapshots can be wait-free implemented from single-writer/multi-
reader registers. Indeed, assuming a snapshot operation does not bring any additional power with respect to
shared registers. Of course this induces an additional cost: the best known simulation needs O(n log n) basic
read/write operations to implement each of the snapshot operations and the associated update operation
[4]. Such an operation brings a programming comfort as it reduces the “noise” introduced by asynchrony
and failures [12] and is particularly used in round-based computations [13] we consider for the study of the
composability of sequential consistency.
Contributions. This paper has three major contributions. (1) It identifies two contexts that can benefit
from the use of sequential consistency: round-based algorithms that use a different shared object for each
round, and asynchronous shared-memory systems, where programs can not differentiate a sequentially con-
sistent memory from a linearizable memory. (2) It proposes an implementation of a sequentially consistent
memory where waiting is only required when a write is immediately followed by a read. This extends the
result presented in [5], which only applies to synchronous failure-free systems, to failure-prone asynchronous
systems. (3) The proposed algorithm also implements a sequentially consistent snapshot operation the cost
of which compares very favorably with the best existing linearizable implementation to our knowledge (the
stacking of the snapshot algorithm of Attiya and Rachman [4] over the ABD simulation of linearizable
registers).
2
Outline. The remainder of this article is organized as follows. In Section 2, we define more formally
sequential consistency, and we present special contexts in which it becomes composable. Then, in Section 3,
we present our implementation of shared memory and study its complexity. Finally, Section 4 concludes the
paper.
2 Sequential Consistency and Composability
2.1 Definitions
In this section we recall the definitions of the most important notions we discuss in this paper: two consistency
criteria, sequential consistency (SC, Def. 2, [17]) and linearizability (L, Def. 3, [15]), as well as composability
(Def. 4). A consistency criterion associates a set of admitted histories to the sequential specification of each
given object. A history is a representation of an execution. It contains a set of operations, that are partially
ordered according to the sequential order of each process, called process order. A sequential specification is
a language, i.e. a set of sequential (finite and infinite) words. For a consistency criterion C and a sequential
specification T , we say that an algorithm implements a C(T )-consistent object if all its executions can
be modelled by a history that belongs to C(T ), that contains all returned operations and only invoked
operations. Note that this implies that if a process crashes during an operation, then the operation will
appear in the history as if it was complete or as if it never took place at all.
Dfinition 1 (Linear extension). Let H be a history and T be a sequential specification. A linear extension
≤ is a total order on all the operations of H , that contains the process order, and such that each event e has
a finite past {e′ : e′ ≤ e} according to the total order.
Dfinition 2 (Sequential Consistency). Let H be a history and T be a sequential specification. The history
H is sequentially consistent regarding T , denoted H ∈ SC(T ), if there exists a linear extension ≤ such that
the word composed of all the operations of H ordered by ≤ belongs to T .
Dfinition 3 (Linearizability). Let H be a history and T be a sequential specification. The history H
is linearizable regarding T , denoted H ∈ L(T ), if there exists a linear extension ≤ such that (1) for two
operations a and b, if the end of a precedes the beginning of b in real time, then a ≤ b and (2) the word
formed of all the operations of H ordered by ≤ belongs to T .
Let T1 and T2 be two sequential specifications. We define the composition of T1 and T2, denoted by
T1 × T2, as the set of all the interleaved sequences of a word from T1 and a word from T2. An interleaved
sequence of two words l1 and l2 is a word composed of the disjoint union of all the letters of l1 and l2, that
appear in the same order as they appear in l1 and l2. For example, the words ab and cd have six interleaved
sequences: abcd, acbd, acdb, cabd, cadb and cdab.
A consistency criterion C is composable (Def. 4) if the composition of a C(T1)-consistent object and
a C(T2)-consistent object is a C(T1 × T2)-consistent object. Linearizability is composable, and sequential
consistency is not.
Dfinition 4 (Composability). For a history H and a sequential specification T , let us denote by HT the
sub-history of H that only contains the operations belonging to T .
A consistency criterion C is composable if, for all sequential specifications T1 and T2 and all histories H
containing only events on T1 and T2, (HT1 ∈ C(T1) and HT2 ∈ C(T2)) imply H ∈ C(T1 × T2).
2.2 From Linearizability to Sequential Consistency
Software developers usually abstract the complexity of their system gradually, which results in a layered
software architecture: at the top level, an application is built on top of several objects specific to the
application, themselves built on top of lower levels. Such an architecture is represented in Fig. 2a. The
lowest layer usually consists of one or several objects provided by the system itself, typically a shared memory.
3
Application
Y × Z
Y Z
X (memory)
(a) Layer based
architecture.
p1
p0
YSC .op
0
1
YSC .op
0
0
YSC .op
1
0
XSC .op
0
1
XSC .op
1
1
XSC .op
2
1
XSC .op
0
0
XSC .op
1
0
XSC .op
2
0
(b) The implementation of upper layer objects call operations on objects from lower layers.
p1
p0
YSC .op
0
1
YSC .op
0
0
YSC .op
1
0
XSC .op
0
1
XSC .op
1
1
XSC .op
2
1
XSC .op
0
0
XSC .op
1
0
XSC .op
2
0
(c) An asynchronous process cannot differentiate this history from the one on Figure 2b.
Figure 2: In layer based program architecture running on asynchronous systems, local clocks of different
processes can be distorted such that it is impossible to differentiate a sequentially consistent execution from
a linearizable execution.
The system can ensure sequential consistency globally on all the provided objects, therefore composability
is not required for this level. Proposition 1 expresses the fact that, in asynchronous systems, replacing a
linearizable object by a sequentially consistent one does not affect the correctness of the programs running
on it circumventing the non composability of sequential consistency. This result may have an impact on
parallel architectures, such as modern multi-core processors and, to a higher extent, high performance
supercomputers, for which the communication with a linearizable central shared memory is very costly, and
weak memory models such as cache consistency [14] make the writing of programs tough.
Proposition 1. Let A be an algorithm that implements an SC(Y )-consistent object when it is executed on
an asynchronous system providing an L(X)-consistent object. Then A also implements an SC(Y )-consistent
object when it is executed in an asynchronous system providing an SC(X)-consistent object.
Proof. Let A be an algorithm that implements an SC(Y )-consistent object when it is executed on an asyn-
chronous system providing an L(X)-consistent object.
Let us consider a history HSC obtained by the execution of A in an asynchronous system providing a
SC(X)-consistent object. Such a history is depicted on Fig. 2b. The history HSC contains operations on X
(in red in Fig. 2b), as well as on Y (in blue in Fig. 2b).
We will now build another history HL, in which the operations on X are linearizable, and the operations
on Y consist in the same calls to operations on X . Such a history is depicted on Fig. 2c. The only difference
between the histories on Fig. 2b and 2c is the way the two processes experience time. As the system is
asynchronous, it is impossible for them to distinguish them.
Let us enumerate all the operations made on X in their linear extension ≤ required for sequential
consistency. Now, we build the execution HL in which the i
th operation on X of HSC is called on an
L(X)-consistent object at time 2i seconds and lasts for one second. As no two operations overlap, and the
operations happen in the same order in HL and in the linearization of HSC , ≤ is the only linear extension
accepted by linearizability. Therefore, all operations can return the same values in HL and in HSC (and
they will if X is deterministic). Now let us assume all operations on X in HL were called by algorithm A,
in the same pattern as in HSC . When considering the operations on Y , HL is SC(Y )-consistent. Moreover,
as A works on asynchronous systems and the same values were returned by X in HSC and in HL, A returns
the same values in both histories. Therefore, HSC is also SC(Y )-consistent.
An interesting point about Proposition 1 is that it allows sequentially consistent — but not linearizable
— objects to be composable. Let AY and AZ be two algorithms that implement L(Y )-consistent and L(Z)-
consistent objects when they are executed on an asynchronous system providing an L(X)-consistent object,
4
Application
Y Z
X1→X2→X3→· · ·
(a) Round-based pro-
gram architecture.
round 1 round 2 round 3
p2
p1
p0
l1
l2
l3
⋖
→⋆
•
X1.op1
•
X1.op2
•
X1.op3
•
X1.op4
•
X1.op5
•
X2.op1
•
X2.op2
•
X2.op3
•
X2.op4
•
X2.op5
•
X2.op6
•
X2.op7
•X3.op1
•
X3.op2
•
X3.op3
(b) As the ordering between different objects follows the process order, that is contained
into the serialization order of each object, no loop can appear.
Figure 3: The composition of sequentially consistent objects used in different rounds is sequentially consistent.
like on Fig. 2a. As linearizability is stronger than sequential consistency, according to Proposition 1, executing
AY and AZ on an asynchronous system providing an SC(X)-consistent object would implement sequentially
consistent — yet not linearizable — objects. However, in a system providing the linearizable object X , by
composability of linearizability, the composition of AY and AZ implements an L(Y × Z)-consistent object.
Therefore, by Proposition 1 again, in a system providing the sequentially consistent objectX , the composition
also implements an SC(Y × Z)-consistent object. In this example, the sequentially consistent versions of
Y and Z derive their composability from an anchor to a common time, given by the sequentially consistent
memory, that can differ from real time, required by linearizability.
2.3 Round-Based Computations
Even at a single layer, a program can use several objects that are not composable, but that are used in a
fashion so that the non-composability is invisible to the program. Let us illustrate this with round-based
algorithms. The synchronous distributed computing model has been extensively studied and well-understood
leading the researchers to try to offer the same comfort when dealing with asynchronous systems, hence the
introduction of synchronizers [6]. A synchronizer slices a computation into phases during which each process
executes three steps: send/write, receive/read and then local computation. This model has been extended
to failure prone systems in the round-by-round computing model [13] and to the Heard-Of model [9] among
others. Such a model is particularly interesting when the termination of a given program is only eventual.
Indeed, some problems are undecidable in failure prone purely asynchronous systems. In order to circumvent
this impossibility, eventually or partially synchronous systems have been introduced [10]. In such systems
the termination may hold only after some finite but unbounded time, and the algorithms are implemented
by the means of a series of asynchronous rounds each using its own shared objects.
In the round-based computing model, the execution is sliced into a sequence of asynchronous rounds.
During each round, a new data structure (usually a single-writer/multi-reader register per process) is created
and it is the only shared object used to communicate during the round. At the end of the round, each
process destroys its local accessor to the object, so that it can no more access it. Note that the rounds
are asynchronous: the different processes do not necessarily start and finish their rounds at the same time.
Moreover, a process may not terminate a round, and keep accessing the same shared object forever or may
crash during this round and stop executing. A round-based execution is illustrated in Fig. 3b.
In Proposition 2, we prove that sequentially consistent objects of different rounds behave well together: as
the ordering added between the operations of two different objects always follows the round numbering, that
is consistent with the program order already contained in the linear extension of each object, the composition
of all these objects cannot create loops (Figure 3b). Putting together this result and Proposition 1, all the
algorithms that use a round-based computation model can benefit of any improvement on the implementation
of an array of single-writer/multi-reader register that sacrifices linearizability for sequential consistency. Note
that this remains true whatever is the data structure used during each round. The only constraint is that
a sequentially consistent shared data structure can be accessed during a unique round. If each object is
sequentially consistent then the whole execution is consistent.
5
Proposition 2. Let (Tr)r∈N be a family of sequential specifications and (Xr)r∈N be a family of shared objects
such that, for all r, Xr is SC(Tr)-consistent. Let H be a history that does not contain two operations Xr.a
and Xr′ .b with r > r
′ such that Xr.a precedes Xr′ .b in the process order. Then H is sequentially consistent
with respect to the composition of all the Tr.
Proof. Let (Tr)r∈N be a family of sequential specifications and (Xr)r∈N be a family of shared object such
that, for all r, Xr is SC(Tr)-consistent. Let H be a history that does not contain two operations Xr.a and
Xr′ .b with r > r
′ such that Xr.a precedes Xr′ .b in the process order.
For each Xr, there exists a linearization lr that contains the operations on Xr and respects Tr. For each
operation op, let us denote by op.r the index of the object Xr on which it is made and by op.i the number
of operations that precede op in the linearization lr. Let us define two binary relations ⋖ and → on the
operations of H . For two operations op and op′, op ⋖ op′ if op.r < op′.r, or op.r = op′.r and op.i ≤ op′.i.
Note that ⋖ is the concatenation of all the linear extensions, so it is a total order on all the operations of H ,
but it may not be a linear extension as an operation can have an infinite past if a process does not finish its
round. For two operations op and op′, op → op′ if op and op′ were done in that order by the same process,
or op.r = op′.r and op.i ≤ op′.i. Let →⋆ be the transitive closure of →.
Notice that, according to the round based model, → is contained into ⋖, and so is →⋆ because ⋖ is
transitive. The relation →⋆ is transitive and reflexive by construction. Moreover, if op →⋆ op′ →⋆ op, we
have op.r ≤ op′.r ≤ op.r and therefore op.i ≤ op′.i ≤ op.i, so op = op′ (antisymmetry), which proves that
→⋆ is a partial order. Moreover, let us suppose that an operation contains an infinite past according to →⋆.
There is a smallest such operation, opmin, according to ⋖. The direct predecessors of opmin according to →
are smaller than opmin according to ⋖, so they have a finite past. Moreover, they precede opmin either in
the process order or in the linearization lop.r, so there is a finite number of them. This is a contradiction, so
all operations have a finite past according to →⋆. It is possible to extend →⋆ to a total order ≤ such that
all operations have a finite past according to ≤. As ≤ contains the total orders defined by all the lr, the
execution of all the operations in the order ≤ respects the sequential specification of the composition of all
the Xr.
3 Implementation of a Sequentially Consistent Memory
In this section we will describe the computation model that we consider for the implementation of a se-
quentially consistent shared memory (Section 3.1). In Section 3.2 we will discuss the characteristics of such
a memory and, finally, in Section 3.3 we will present the proposed implementation of the discussed data
structure. Finally, in Section 3.5 we discuss the complexity of the proposed implementation.
3.1 Computation Model
The computation system consists of a set Π of n sequential processes which are denoted p0, p1, . . . , pn−1.
The processes are asynchronous, in the sense that they all proceed at their own speed, not upper bounded
and unknown to all other processes.
Among these n processes, up to t may crash (halt prematurely) but otherwise execute correctly the
algorithm until the moment of their crash. We call a process faulty if it crashes, otherwise it is called correct
or non-faulty. In the rest of the paper we will consider the above model restricted to the case t < n
2
.
The processes communicate with each other by sending and receiving messages through a complete
network of bidirectional communication channels. This means that a process can directly communicate with
any other process, including itself (pi receives its own messages instantaneously), and can identify the sender
of the message it received. Each process is equipped with two operations: send and receive.
The channels are reliable (no losses, no creation, no duplication, no alteration of messages) and asyn-
chronous (finite time needed for a message to be transmitted but there is no upper bound). We also assume
the channels are FIFO: if pi sends two messages to pj , pj will receive them in the order they were sent.
As stated in [7], FIFO channels can always be implemented on top of non-FIFO channels. Therefore, this
6
assumption does not bring additional computational power to the model, but it allows us to simplify the
writing of the algorithm. Process pi can also use the macro-operation FIFO broadcast, that can be seen as
a multi-send that sends a message to all processes, including itself. Hence, if a faulty process crashes during
the broadcast operation some processes may receive the message while others may not, otherwise all correct
processes will eventually receive the message.
3.2 Single-Writer/Multi-Reader Registers and Snapshot Memory
The shared memory considered in this paper, called a snapshot memory, consists of an array of shared
registers denoted REG[1..n]. Each entry REG[i] represents a single-writer/multi-reader (SWMR) register.
When process pi invokes REG.update(v), the value v is written into the SWMR register REG[i] associated
with process pi. Differently, any process pi can read the whole array REG by invoking a single operation
namely REG.snapshot(). According to the sequential specification of the snapshot memory, REG.snapshot()
returns an array containing the most recent value written by each process or the initial default value if no
value is written on some register. Concurrency is possible between snapshot and writing operations, as
soon as the considered consistency criterion, namely linearizability or sequential consistency, is respected.
Informally in a sequentially consistent snapshot memory, each snapshot operation must return the last value
written by the process that initiated it, and for any pair of snapshot operations, one must return values at
least as recent as the other for all registers.
Compared to read and write operations, the snapshot operation is a higher level abstraction introduced
in [1] that eases program design without bringing additional power with respect to shared registers. Of
course this induces an additional cost: the best known simulation, above SWMR registers proposed in [4],
needs O(n log n) basic read/write operations to implement each of the snapshot and the associated update
operations.
Since the seminal paper [2] that proposed the so-called ABD simulation that emulates a linearizable
shared memory over a message-passing distributed system, most of the effort has been put on the shared
memory model given that a simple stacking allows to translate any shared memory-based result to the
message-passing system model. Several implementations of linearizable snapshot have been proposed in the
literature some works consider variants of snapshot (e.g. immediate snapshot [8], weak-snapshot [11], one
scanner [16]) others consider that special constructions such as test-and-set (T&S) [3] or load-link/store-
conditional (LL/SC) [19] are available, the goal being to enhance time and space efficiency. In this paper, we
propose the first message-passing sequentially consistent (not linearizable) snapshot memory implementation
directly over a message-passing system (and consequently the first sequentially consistent array of SWMR
registers), as traditional read and write operations can be immediately deduced from snapshot and update
with no additional cost.
3.3 The Proposed Algorithm
Algorithm 1 proposes an implementation of the sequentially consistent snapshot memory data structure
presented in Section 3.2. Process pi can write a value v in its own register REG[i] by calling the operation
REG.update(v), implemented by the lines 6-9. It can also call the operation REG.snapshot(), implemented
by the lines 10-11. Roughly speaking, the principle of this algorithm is to maintain, on each process, a local
view of the object that reflects a set of validated update operations. To do so, when a value is written, all
processes label it with their own timestamp. The order in which processes timestamp two different update
operations define a dependency relation between these operations. For two operations a and b, if b depends
on a, then pi cannot validate b before a.
More precisely, each process pi maintains five local variables:
• Xi ∈ Nn represents the array of most recent validated values written on each register.
• ValClocki ∈ Nn represents the timestamps associated with the values stored in Xi, labelled by the
process that initiated them.
7
Algorithm 1: Implementation of a sequentially consistent memory (code for pi)
/* Local variable initialization */
1 Xi ← [0, . . . , 0]; // Xi ∈ Nn: Xi[j] is the last validated value written by pj
2 ValClocki ← [0, . . . , 0]; // ValClocki ∈ Nn: ValClocki[j] is the stamp given by pj to value
Xi[j]
3 SendClocki ← 0; // SendClocki ∈ N: used to stamp all the updates
4 Gi ← ∅; // Gi ⊂ N
3+n: contains a g = (g.v, g.k, g.t, g.cl) per non-val. update of g.v by
pg.k
5 Vi ← ⊥; // Vi ∈ N ∪ {⊥}: stores updates that have not yet been proposed to validation
operation update(v) /* v ∈ N: written value; no return value */
6 if ∀g ∈ Gi : g.k 6= i then // no non-validated update by pi
7 SendClocki++;
8 FIFO broadcast message(v, i, SendClocki, SendClocki);
9 else Vi ← v; // postpone the update
operation snapshot() /* return type: Nn */
10 wait until Vi = ⊥ ∧ ∀g ∈ Gi : g.k 6= i ; // make sure pi’s updates are validated
11 return Xi;
when a message message(v, k, t, cl) is received from pj
/* v ∈ N: written value, k ∈ N: writer id, t ∈ N: stamp by pk, cl ∈ N: stamp by
pj */
12 if t > ValClocki[k] then // update not validated yet
13 if ∃g ∈ Gi : g.k = k ∧ g.t = t then // update already known
14 g.cl[j]← cl;
15 else // first message for this update
16 if k 6= i then
17 SendClocki++;
18 FIFO broadcast message(v, k, t, SendClocki); // forward with own stamp
19 var g ← (g.v = v, g.k = k, g.t = t, g.cl = [∞, . . . ,∞]);
20 g.cl[j]← cl;
21 Gi ← Gi ∪ {g}; // create an entry in Gi for the update
22 var G′ = {g ∈ Gi : |{l : g
′.cl[l] <∞}| > n
2
}; // G′ contains updates that can be validated
23 while ∃g ∈ Gi \G′, g′ ∈ G′ : |{l : g′.cl[l] < g.cl[l]}| 6=
n
2
do G′ ← G′ \ {g′};
24 Gi ← Gi \G′; // validate updates of G′
25 for g ∈ G′ do
26 if ValClocki[g.k] < g.t then ValClocki[g.k] = g.t; Xi[g.k] = g.V;
27 if Vi 6= ⊥ ∧ ∀g ∈ Gi : g.k 6= i then // start validation process for postponed update if
any
28 SendClocki++;
29 FIFO broadcast message(Vi, i, SendClocki, SendClocki);
30 Vi ← ⊥;
8
• SendClocki ∈ N is an integer clock used by pi to timestamp all the update operations. SendClocki
is incremented each time a message is sent, which ensures all timestamps from the same process are
different.
• Gi ⊂ N3+n encodes the dependencies between the update operations that have not been validated yet,
as they are known by pi. An element g ∈ Gi, of the form (g.v, g.k, g.t, g.cl), represents the update
operation of value g.v by process pg.k labelled by process pg.k with timestamp g.t. For all 0 ≤ j < n,
g.cl[j] contains the timestamp associated by pj if it is known by pi, and ∞ otherwise.
All updates of a history can be uniquely represented by a pair of integers (k, t), where pk is the process
that invoked it, and t is the timestamp associated to this update by pk. Considering a history and
a process pi, we define the dependency relation →i on pairs of integers (k, t), by (k, t) →i (k′, t′) if
for all g, g′ ever inserted in Gi with (g.k, g.t) = (k, t), (g
′.k, g′.t) = (k′, t′), we have |{j : g′.cl[j] <
g.cl[j]}| ≤ n
2
(i.e. the dependency does not exist if pi knows that a majority of processes have seen
the first update before the second). Let →⋆i denote the transitive closure of →i.
• Vi ∈ N∪{⊥} is a buffer register used to store a value written while the previous one is not yet validated.
This is necessary for validation (see below).
The key of the algorithm is to ensure the inclusion between sets of validated updates on any two processes
at any time. Remark that it is not always necessary to order all pairs of update operations to implement a
sequentially consistent snapshot memory: for example, two update operations on different registers commute.
Therefore, instead of validating both operations on all processes in the exact same order (which requires
Consensus), we can validate them at the same time to prevent a snapshot to occur between them. Therefore,
it is sufficient to ensure that, for all pairs of update operations, there is a dependency agreed by all processes
(possibly in both directions). This property is expressed by Lemma 4 from Section 3.4.
This is done by the mean of messages of the form message(v, k, t, cl) containing four integers: v the
value written, k the identifier of the process that initiated the update, t the timestamp given by pk and
cl the timestamp given by the process that sent this message. Timestamps of successive messages sent by
pi are unique and totally ordered, thanks to variable SendClocki, that is incremented each time a message
is sent by pi. When process pi wants to submit a value v for validation, it FIFO-broadcasts a message
message(v, i, SendClocki, SendClocki) (lines 8 and 29). When pi receives a message message(v, k, t, cl), three
cases are possible. If pi has already validated the corresponding update (t > ValClocki[k]), the message is
simply ignored. Otherwise, if it is the first time pi receives a message concerning this update (Gi does not
contain any piece of information concerning it), it FIFO-broadcasts a message with its own timestamp and
adds a new entry g ∈ Gi. Whether it is its first message or not, pi records the timestamp cl, given by pj , in
g.cl[j] (lines 14 or 20). Note that we cannot update g.cl[k] at this point, as the broadcast is not causal: if pi
did so, it could miss dependencies imposed by the order in which pk saw concurrent updates. Then, pi tries
to validate update operations: pi can validate an operation a if it has received messages from a majority of
processes, and there is no operation b →⋆i a that cannot be validated. For that, it creates the set G
′ that
initially contains all the operations that have received enough messages, and removes all operations with
unvalidatable dependencies from it (lines 22-23), and then updates Xi and ValClocki with the most recent
validated values (lines 24-26).
This mechanism is illustrated in Fig. 4, featuring five processes. Processes p0 and p4 initially call
operation REG.update(1). Messages that have an impact in the algorithm are represented by arrows, and
messages that do not appear on the figure are received later. Several situations may occur. The simplest
case is process p3, that received three messages concerning a (from p4, p3 and p2, with 3 >
n
2
) before its
first message concerning b, allowing it to validate a. The case of process p4 is similar: even if it knows
that process p1 saw b before a, it received messages concerning a from three other processes, which allows
it to ignore the message from p1. At first sight, the situation of processes p0 and p1 may look similar to
the situation of p4. However, the message they received concerning a and one of the messages they received
concerning b come from the same process p2, which forces them to respect the dependency a →0 b. Note
that the same situation occurs on process p2 so, even if a has been validated before b by other processes, p2
must respect the dependency b→2 a.
9
p4
p3
p2
p1
p0
∅ {a} {a, b}a : REG[4].update(1)
b : REG[0].update(1)
Figure 4: An execution of Algorithm 1. An update is validated by a process when it has received enough
messages for this update, and all the other updates it depends of have also been validated.
a ⇋ b ⇋ c ⇋ d ⇋ e ⇋ f ⇋ g ⇋ h ⇋ . . .
p3
p2
p1
p0
a c e g . . .
b d f h . . .
Figure 5: If we are not careful, infinite chains of dependencies may occur. We must avoid infinite chains of
dependencies in order to ensure termination
Sequential consistency requires the total order to contain the process order. Therefore, a snapshot of
process pi must return values at least as recent as its last updated value. In other words, it is not allowed
to return from a snapshot between an update and the time when it is validated (grey zones in Fig. 4).
There are two ways to implement this: we can either wait at the end of each update until it is validated,
in which case all snapshot operations are done for free, or wait at the beginning of all snapshot operations
that immediately follow an update operation. This extends the remark of [5] to crash-prone asynchronous
systems: to implement a sequentially consistent memory, it is necessary and sufficient to wait either during
read or during write operations. In Algorithm 1, we chose to wait during read/snapshot operations (line 10).
This is more efficient for two reasons: first, it is not necessary to wait between two consecutive updates,
which can not be avoided if we wait at the end of the update operation, and second the time between the end
of an update and the beginning of a snapshot counts in the validation process, but it can be used for local
computations. Note that when two snapshot operations are invoked successively, the second one also returns
immediately, which improves the result of [5] according to which waiting is necessary for all the operations
of one kind.
In order to obtain termination of the snapshot operations (and progress in general), it is necessary to
ensure that all update operations are eventually validated by all processes. This property is expressed by
Lemma 5 from Section 3.4. Figure 5 illustrates what could happen. On the one hand, process p2 receives
a message concerning a and a message concerning c before a message concerning b. On the other hand,
process p1 receives a message concerning b before messages concerning a and c. Therefore, it may create
dependencies a →i b →i c →i b →i a on some process pi, which means pi will be forced to validate a and
c at the same time, even if they are ordered by the process order. The pattern in Fig. 5 shows that it can
result in an infinite chain of dependencies, blocking validation of any update operation. To break this chain,
we force process p3 to wait until a is validated locally before it proposes c to validation, by storing the value
written by c in a local variable Vi until a is validated (lines 6 and 9). When a is validated, we start the
same validation process for c (lines 27-30). Remark that, if several updates (say c and e) happen before a
10
is validated, the update of c can be dropped as it will eventually be overwritten by e. In this case, c will
happen just before e in the final linearization required for sequential consistency.
This algorithm could be adjusted to implement multi-writer/multi-reader registers. Only three points
must be changed. First, the identifier of the register written should be added to all messages and all
g ∈ Gi. Second, concurrent updates on the same register must be ordered; this can be done, for example, by
replacing SendClocki by a Lamport Clock, that respects the order in which updates are validated, and using
a lexicographic order on pairs (cl, k). Third, variable Vi must be replaced by a set of update operations,
and so does the value contained in the messages. All in all, this greatly complexifies the algorithm, without
changing the way concurrency is handled. This is why we only focus on collections of SWMR registers here.
3.4 Correctness
In order to prove that Algorithm 1 implements a sequentially consistent snapshot memory, we must show
that two important properties are verified by all histories it admits. These two properties correspond to
lemmas 4 and 5. In Lemma 4, we show that it is possible to totally order the sets of updates validated by
two processes at different moments. This allows us to build a total order on all the operations. In Lemma 5,
we prove that all update operations are eventually validated by all processes. This is important to ensure
termination of snapshot operations, and to ensure that update operations can not be ignored forever. Before
that, Lemma 3 expresses a central property on how the algorithm works: the fact that each correct process
broadcasts a message corresponding to each written value proposed to validation. Finally, Property 6 proves
that all histories admitted by Algorithm 1 are sequentially consistent.
In the following and for each process pi and local variable xi used in the algorithm, let us denote by x
t
i
the value of xi at time t. For example, ValClock
0
i is the initial value of ValClocki. For arrays of n integers cl
and cl′, we also denote by cl ≤ cl′ the fact that, for all i, cl[i] ≤ cl′[i] and cl < cl′ if cl ≤ cl′ and cl 6= cl′.
Lemme 3. If a message message(v, k, t, cl) is broadcast by a correct process pi, then each correct process pj
broadcasts a unique message message(v, k, t, cl′).
In the following, for all processes pj and pairs (k, t), let us denote by Mj(k, t) the message
message(v, k, t, cl′) and by CLj(k, t) = cl
′ the stamp that pj put in this message.
Proof. Let pi and pj be two correct processes, and suppose pi broadcasts a message Mi(k, t).
First, we prove that pj broadcasts a message Mj(k, t). As pi is correct, pj will eventually receive the
message sent by pi. At that time, if t > ValClockj [k], after the condition on line 13 and whatever its result, Gi
contains a value g with g.k = k and g.t = t. That g was inserted on line 13 (possibly after the reception of a
different message), just after pj sent a message Mj(k, t) at line 18. Otherwise, ValClockj [k] was incremented
on line 26, when validating some g′, that was added in Gj after pj received a (first) message Ml(g
′.k, g′.t),
with g′.k = k and g′.t = ValClockj [k]. Remark that, as FIFO reception is used, pk sent message Mk(k, t)
before Mk(k,ValClockj [k]), and all other processes only forward messages, pj received messageMl(k, t) before
Ml(k,ValClockj [k]), and at that time, t > ValClockj [k], so the first case applies.
Now, we prove that pi will broadcast no other message with the same k and t later. If i = k, the
message would be sent on line 8 or 29, just after SendClocki is incremented, which would lead to a different
t. Otherwise, the message would be sent on line 18, which would mean the condition of line 13 is false. As
pi broadcast a first message, a corresponding g was present in Algogi, deleted on line 24, which would make
the condition of line 12 to be false.
Lemme 4. Let pi, pj be two processes and ti, tj be two time instants, and let us denote by ValClock
ti
i
(resp. ValClock
tj
j ) the value of ValClocki (resp. ValClockj) at time ti (resp. tj). We have either, for all k,
ValClock
ti
i [k] ≤ ValClock
tj
j [k] or for all k, ValClock
tj
j [k] ≤ ValClock
ti
i [k].
Proof. Let pi, pj be two processes and ti, tj be two instants. Let us suppose (by contradiction) that there
exist k and k′ such that ValClock
tj
j [k] < ValClock
ti
i [k] and ValClock
ti
i [k
′] < ValClock
tj
j [k
′].
As ValClocki is only updated on line 26, at some time t
k
i ≤ ti, there was g
k
i ∈ G
′ with gki .k = k and
gki .t = ValClock
ti
i [k]. According to line 22, we have |{l : g
k
i .cl[l] < ∞}| >
n
2
and according to lines 14 and
11
20, each finite field gki .cl[l] corresponds to the reception of a message Ml(k,ValClock
ti
i [k]). Similarly, process
pj received messages Ml(k
′,ValClock
tj
j [k
′]) from more than n
2
processes. Since the number of processes is n,
the intersection of these two sets of processes is not empty.
Let pc be a process that belongs to both sets, i.e. pc broadcast messages Mc(k,ValClock
ti
i [k]) and
Mc(k
′,ValClock
tj
j [k
′]). Process pc sent these two messages in a given order, let us say Mc(k
′,ValClock
tj
j [k
′])
before Mc(k,ValClock
ti
i [k]) (the other case is symmetric). As SendClockc is never decremented and it is
incremented before all sendings, CLc(k
′,ValClock
tj
j [k
′]) < CLc(k,ValClock
ti
i [k]). Moreover, as the protocol
uses FIFO ordering, pi received the two messages in the same order.
According to line 26, ValClocki can only increase, so ValClock
t′i
i [k
′] ≤ ValClocktii [k
′] and ValClocktii [k
′] <
ValClock
tj
j [k
′]. It means that the condition on line 12 was true when pi receivedMc(k
′,ValClock
tj
j [k
′]). Then,
after the execution of the condition starting on line 13 and whatever the result of this condition, there was
a gk
′
i ∈ Gi with g
k′
i .k = k
′, gk
′
i .t = ValClock
tj
j [k
′] and gk
′
i .cl[c] = CLc(k
′,ValClock
tj
j [k
′]).
At time ti, if g
k′
i 6∈ Gi, it was removed on line 24, which means ValClock
t
i[k
′] ≥ gk
′
i .t = ValClock
tj
j [k
′] by
lines 25 and 26, which is absurd by our hypothesis. Otherwise, after line 23 was executed at time tki , we
have gki ∈ G
′ and gk
′
i 6∈ G
′, which is impossible as gk
′
i .cl[c] ≤ g
k
i .GCL[c].
This is a contradiction. Therefore ValClocktii ≤ ValClock
tj
j or ValClock
tj
j ≤ ValClock
ti
i .
Lemme 5. If a message message(v, i, t, t) is sent by a correct process pi, then beyond some time t
′, for each
correct process pj, ValClock
t′
j [i] ≥ t.
Proof. Let us suppose a message Mi(i, t) is sent by a correct process pi.
Let us suppose (by contradiction) that there exists a process pj such that the pair (i, t) has an infinity
of predecessors according to →⋆j . As the number of processes is finite, an infinity of these predecessors
correspond to the same process, let us say (k, tl)l∈N. As pj is correct, pk eventually receives messageMj(i, t),
which means an infinity of messages mk(k, tl) were sent after pk receives message mj(i, t), and for all of
them, (k, tl) →⋆i (i, t) →i (k, tl). Therefore, there exists a sequence (k1, t
′
1) →i (k2, t
′
2) →i · · · →i (km, t
′
m)
with k1 = km = k and t
′
m > t
′
1. Two cases are possible for (k2, t
′
2):
• If pk received a message Mx(k2, t
′
2) (from any px) before it sent Mk(k, t
′
1), then pk also send Mk(k2, t
′
2)
before it sent Mk(k, t
′
1), and all processes received these messages in the same order (and possibly a
message Mx(k2, t
′
2) even before from another process), which is in contradiction with the fact that
(k, t′1)→i (k2, t
′
2).
• Otherwise, there is an index l such that process pk received a message Mx(kl′ , t′l′) (from any px) for all
l′ > l but not for l′ = l, before it sent message Mk(k, t
′
1). Whether it finally sends it on line 8 or line
29, there was no g ∈ Gi corresponding to (km, t′m) so, by lines 22-23, pk received messages Mx(kl′ , t
′
l′)
for all l′ > l, from a majority of processes px, and all of them sent Mx(kl′ , t
′
l′) before Mx(kl, t
′
l).
As (kl, t
′
l) →i (kl+1, t
′
l+1) and FIFO reception is used, a majority of processes sent Mx(kl, t
′
l) before
Mx(kl′ , t
′
l′). This is impossible as two majorities always have a non-empty intersection. Therefore, this
case is also impossible.
Finally, for all correct processes pj , there exists a finite number of pairs (k, t
′) such that (k, t′)→j (i, t). As
pj is correct, according to Lemma 3, pj will eventually receive a message Mx(k, t
′) for all of them from all
correct processes, which are in majority. At the last message, on line 25, G′ will contain a g with g.k = i
and g.t = t and after it executed line 26, it will have ValClockj [i] ≥ t. As ValClockj [i] can only grow and
what precedes is true for all j, eventually it will be true for all correct processes.
Finally, given Lemmas 4 and 5, it is possible to prove that Algorithm 1 implements a sequentially
consistent snapshot memory (Proposition 6). The idea is to order snapshot operations according to the
order given by Lemma 4 on the value of ValClocki when they were made and to insert the update operations
at the position where ValClocki changes because they are validated. It is possible to complete this order into
a linearization order, thanks to Lemma 5, and to show that the execution of all the operations in that order
respects the sequential specification of the snapshot memory data structure.
12
Proposition 6. All histories admitted by Algorithm 1 are sequentially consistent.
Proof. Let H be a history admitted by Algorithm 1. For each operation op, let us define op.clock as follows:
• If op is a snapshot operation done on process pi, op.clock is the value of ValClocki when pi executes
line 11.
• If op is an update operation done on process pi, let us remark that the call to op is followed by the
sending of a message message(v, i, cli, cli), either directly on line 8 or later on line 29 as lemma 5
prevents the condition of line 27 to remain false forever (in this case, the value v may be more recent
from the one written in op). Let us consider the clock cli of the first such message sent by pi. We pose
op.clock as the smallest value taken by variable ValClockj for any j (according to the total order given
by lemma 4) such that opi ≤ op.clock[i] (such a clock exists according to lemma 5).
Let ⋖ be any total order on all the operations, that contains the process order, and such that all operation
has a finite past according to ⋖ (⋖ is only used to break ties). We define the relation ≤ on all operations of
H by op ≤ op′ if
1. op.clock < op′.clock, or
2. op.clock = op′.clock, op is an update operation and op′ is a snapshot operation, or
3. op.clock = op′.clock, op and op′ are either two snapshot or two update operations and op⋖ op′.
Let us prove that ≤ is a total order.
reflexivity: for all op, the third point in the definition is respected, as ⋖ is a total order.
antisymmetry: let op, op′ be two operations such that op ≤ op′ ≤ op. We have op.clock = op′.clock, op
and op′ are either two snapshot or two update operations and, as ⋖ is antisymmetric, op = op′.
transitivity: let op, op′, op′′ be three operations such that op ≤ op′ ≤ op′′. If op.clock ≤ op′.clock or
op′.clock ≤ op′′.clock, then op.clock ≤ op′′.clock. Otherwise, op.clock = op′.clock = op′′.clock. If the
three operations are all update or all snapshot operations, op.clock⋖op′′.clock so op.clock ≤ op′′.clock.
Otherwise, op is an update and op′ is a snapshot so op.clock ≤ op′′.clock.
total: let op, op′ be two operations. If op.clock 6= op′.clock, they are ordered according to lemma 4. Other-
wise, they are ordered by one of the last two points.
Let us prove that ≤ contains the process order. Let op and op′ be two operations that occurred on the
same process pi, on which op preceded op
′. According to lemma 4, op.clock and op′.clock are ordered.
• If op.clock < op′.clock then op ≤ op′.
• Let us suppose op.clock = op′.clock. It is impossible that op is a read operation and op′ is an update
operation: as SendClocki is always increased before pi sends a message, op.clock[i] < op
′.clock[i]. If op
is an update operation and op′ is a snapshot operation, then op ≤ op′. In the other cases, op⋖ op′ so
op ≤ op′.
• We now prove case op.clock > op′.clock cannot happen. As above, it is impossible that o is a read
operation and o′ is an update operation. It is also impossible that op and op′ are two read or two
update operations because ValClocki can only grow. Finally, if op is an update operation and op
′ is a
snapshot operation, op.clock[i] ≤ op′.clock[i] thanks to line 10, and by definition of op.clock for update
operations, op.clock ≤ op′.clock.
13
ABD [2]
ABD + AR [2, 4]
Algorithm 1
Read
# messages
O(n)
∼
0
latency
4
∼
0 — 4
Write
# messages
O(n)
∼
O(n2)
latency
2
∼
0
Snapshot
# messages
∼
O
(
n2 logn
)
0
latency
∼
O (n log(n))
0 — 4
Update
# messages
∼
O
(
n2 logn
)
O(n2)
latency
∼
O (n log(n))
0
Figure 6: Complexity of several algorithms to implement a shared memory.
Let us prove that all operations have a finite past according to ≤. Let op be an operation of the history.
Let us first remark that, for each process pi, op.clock[i] corresponds to a messageMi(i, op.clock[i]). According
to lemma 5, eventually, for all processes pi, ValClocki ≥ op.clock. Only a finite number of operations have
been done before that, therefore {op′ : op′.clock < op.clock} is finite. Moreover, all the updates op′ with
op′.clock ≤ op.clock are done before that time, so there is a finite number of them. If op is an update
operation, then its antecedents op′ verify either op′.clock < op.clock or op′.clock = op.clock and op′ is a write
operation. In both cases, there is a finite number of them. If op is a snapshot operation, its antecedents
op′ verify either (1) op′.clock < op.clock, (2) op′.clock = op.clock and op′ is an update operation or (3)
op′.clock = op.clock and op′ is a snapshot operation. Cases (1) and (2) are similar as above, and antecedents
that verify case (3) also are its antecedents by ⋖ so there is a finite number of them. Finally, in all cases, op
has a finite number of antecedents.
Let us prove that the execution of all the operations in the order ≤ respects the sequential specification
of memory. Let op be a snapshot operation invoked by process pi and let pj be a process. According to
line 26, the value of Xi[j] corresponds to the value contained in a message Mj(j, op.clock[j]). Let op
′ be the
last update operation invoked by process pj before it sent this message. Whether the message was sent on
line 8 or 29, Xi[j] is the value written by op
′. Moreover, op′.clock ≤ op.clock so op′ ≤ o′ and for all update
operations op′′ done by process pj after op
′, op.clock < op′′.clock so op ≤ op′′. All in all, op returns the last
values written on each register, according to the order ≤.
Finally, ≤ defines a linearization of all the events of the history that respects the sequential specification
of the shared object. Therefore, H is sequentially consistent.
3.5 Complexity
In this section, we analyze the algorithmic complexity of Algorithm 1 in terms of the number of messages
and latency for snapshot and update operations. Fig. 6 sums up this complexity and compares it with the
standard implementation of linearizable registers [2], as well as with the construction of a snapshot object
[4] implemented on top of registers.
In an asynchronous system as the one we consider, the latency d and the uncertainty u of the network
can not be expressed by constants. We therefore measure the complexity as the length of the longest chain
of causally related messages to expect before an operation can complete. For example, if a process sends a
message to another process and then waits for its answer, the complexity will be 2.
According to Lemma 3, it is clear that each update operation generates at most n2 messages. The time
complexity of an update operation is 0, as update operations return immediately. No message is sent for
snapshot operations. Considering its latency, in the worst case, a snapshot operation is called immediately
after two update operations a and b. In this case, the process must wait until its own message for a is received
by the other processes, then to receive their acknowledgements, and then the same two messages must be
routed for b, which leads to a complexity of 4. However, in the case of two consecutive snapshots, or if
enough time has elapsed between a snapshot and the last update, the snapshot can also return immediately.
In comparison, the ABD simulation uses solely a linear number of messages per operation (reads as well
as writes), but waiting is necessary for both kinds of operations. Even in the case of the read operation, our
worst case corresponds to the latency of the ABD simulation. Moreover, our solution directly implements the
snapshot operation. Implementing a snapshot operation on top of a linearizable shared memory is actually
more costly than just reading each register once. The AR implementation [4], that is (to our knowledge) the
14
implementation of the snapshot that uses the least amount of operations on the registers, uses O(n log n)
operations on registers to complete both a snapshot and an update operation. As each operation on memory
requires O(n) messages and has a latency of O(1), our approach leads to a better performance in all cases.
Algorithm 1, like [2], uses unbounded integer values to timestamp messages. Therefore, the complexity of
an operation depends on the numberm of operations executed before it, in the linear extension. All messages
sent by Algorithm 1 have a size of O (log(nm)). In comparison, ABD uses messages of size O (log(m)) but
implements only one register, so it would also require messages of size O (log(nm)) to implement an array
of n registers.
Considering the use of local memory, due to asynchrony, it is possible in some cases that Gi contains
an entry g for each value previously written. In that case, the space occupied by Gi may grow up to
O(mn logm). Remark however that, according to Lemma 4, an entry g is eventually removed from Gi (in a
synchronous system, after 2 time units if g.k = i or 1 time unit if g.k 6= i). Therefore, this maximal bound
is not likely to happen. Moreover, if all processes stop writing (which is the case in the round based model
we discussed in Section 2.3), then eventually Gi becomes empty and the space occupied by the algorithm
drops down to O(n logm), which is comparable to ABD. In comparison, the AR implementation keeps a
tree containing past values from all registers, in each register, which leads to a much higher size of messages
and local memory.
4 Conclusion
In this paper, we investigated the advantages of focusing on sequential consistency. Because of its non
composability, sequential consistency has received little focus so far. However, we show that in many appli-
cations, this limitation is not a problem. The first case concerns applications built on a layered architecture.
If one layer contains only one object, then it is impossible for objects built on top of it to determine if
this object is sequentially consistent or linearizable. The other example concerns round-based algorithms: if
processes access to one different sequentially consistent object in each round, then the overall history is also
sequentially consistent.
Using sequentially consistent objects instead of their linearizable counterpart can be very profitable in
terms of execution time of operations. Whereas waiting is necessary for both read and write operations
when implementing linearizable memory, we presented an algorithm in which waiting is only required for
read operations when they follow directly a write operation. This extends the result of Attiya and Welch
(that only concerns synchronous failure-free systems) to asynchronous systems with crashes. Moreover, the
proposed algorithm implements a sequentially consistent snapshot memory for the same cost, which results
in a better message and time comlexity, for both kinds of operations, than the best known implementation
of a snapshot memory.
Exhibiting such an algorithm is not an easy task for two reasons. First, as write operations are wait-free,
a process may write before its previous write has been acknowledged by other processes, which leads to
“concurrent” write operations by the same process. Second, proving that an implementation is sequentially
consistent is more difficult than proving it is linearizable since the condition on real time that must be
respected by linearizability highly reduces the number of linear extensions that need to be considered.
5 Acknowledgments
This work has been partially supported by the Franco-German ANR project DISCMAT under grant agree-
ment ANR-14-CE35-0010-01. The project is devoted to connections between mathematics and distributed
computing.
15
References
[1] Yehuda Afek, Hagit Attiya, Danny Dolev, Eli Gafni, Michael Merritt, and Nir Shavit. Atomic snapshots
of shared memory. J. ACM, 40(4):873–890, 1993.
[2] Hagit Attiya, Amotz Bar-Noy, and Danny Dolev. Sharing memory robustly in message-passing systems.
Journal of the ACM (JACM), 42(1):124–142, 1995.
[3] Hagit Attiya, Maurice Herlihy, and Ophir Rachman. Atomic snapshots using lattice agreement. Dis-
tributed Computing, 8(3):121–132, 1995.
[4] Hagit Attiya and Ophir Rachman. Atomic snapshots in o(n log n) operations. SIAM J. Comput.,
27(2):319–340, 1998.
[5] Hagit Attiya and Jennifer L Welch. Sequential consistency versus linearizability. ACM Transactions on
Computer Systems (TOCS), 12(2):91–122, 1994.
[6] Baruch Awerbuch. Complexity of network synchronization. J. ACM, 32(4):804–823, 1985.
[7] Kenneth P Birman and Thomas A Joseph. Reliable communication in the presence of failures. ACM
Transactions on Computer Systems (TOCS), 5(1):47–76, 1987.
[8] Elizabeth Borowsky and Eli Gafni. Immediate atomic snapshots and fast renaming (extended abstract).
In Proceedings of the Twelth Annual ACM Symposium on Principles of Distributed Computing, Ithaca,
New York, USA, August 15-18, 1993, pages 41–51, 1993.
[9] Bernadette Charron-Bost and Andre´ Schiper. The heard-of model: computing in distributed systems
with benign faults. Distributed Computing, 22(1):49–71, 2009.
[10] C. Dwork, N.A. Lynch, and L.J. Stockmeyer. Consensus in the presence of partial synchrony. J. ACM,
35(2):288–323, 1988.
[11] Cynthia Dwork, Maurice Herlihy, Serge A Plotkin, and Orli Waarts. Time-lapse snapshots. In Theory
of Computing and Systems, pages 154–170. Springer, 1992.
[12] E. Gafni. Distributed Computing: a Glimmer of a Theory, in Handbook of Computer Science. CRC
Press, 1998.
[13] Eli Gafni. Round-by-round fault detectors: Unifying synchrony and asynchrony (extended abstract).
In Proceedings of the Seventeenth Annual ACM Symposium on Principles of Distributed Computing,
PODC ’98, Puerto Vallarta, Mexico, June 28 - July 2, 1998, pages 143–152, 1998.
[14] James R Goodman. Cache consistency and sequential consistency. University of Wisconsin-Madison,
Computer Sciences Department, 1991.
[15] Maurice P Herlihy and Jeannette M Wing. Linearizability: A correctness condition for concurrent
objects. ACM Transactions on Programming Languages and Systems (TOPLAS), 12(3):463–492, 1990.
[16] Lefteris M. Kirousis, Paul G. Spirakis, and Philippas Tsigas. Reading many variables in one atomic
operation: Solutions with linear or sublinear complexity. IEEE Trans. Parallel Distrib. Syst., 5(7):688–
696, 1994.
[17] Leslie Lamport. How to make a multiprocessor computer that correctly executes multiprocess programs.
Computers, IEEE Transactions on, 100(9):690–691, 1979.
[18] Richard J Lipton and Jonathan S Sandberg. PRAM: A scalable shared memory. Princeton University,
Department of Computer Science, 1988.
[19] Yaron Riany, Nir Shavit, and Dan Touitou. Towards a practical snapshot algorithm. Theor. Comput.
Sci., 269(1-2):163–201, 2001.
16
