Dynamic FTSS in Asynchronous Systems: the Case of Unison by Dubois, Swan et al.
arXiv:0904.4615v2 [cs.DS] 10 Feb 2011
Dynamic FTSS in Asynchronous Systems:
the Case of Unison∗,†
Swan Dubois1,2 Maria Potop-Butucaru1,2 Sébastien Tixeuil1,3
1 UPMC Sorbonne Universités
2 INRIA Rocquencourt, Project-team REGAL
3 Institut Universitaire de France
Postal address: LIP6, Case 26-00/225, 4 place Jussieu, 75005 Paris (France)
Mail: {swan.dubois,maria.gradinariu,sebastien.tixeuil}@lip6.fr – Fax: +33 1 44 27 74 95
Abstract
Distributed fault-tolerance can mask the effect of a limited number of permanent faults,
while self-stabilization provides forward recovery after an arbitrary number of transient faults
hit the system. FTSS (Fault-Tolerant Self-Stabilizing) protocols combine the best of both
worlds since they tolerate simultaneously transient and (permanent) crash faults. To date,
deterministic FTSS solutions either consider static (i.e. fixed point) tasks, or assume synchronous
scheduling of the system components.
In this paper, we present the first study of deterministic FTSS solutions for dynamic tasks
in asynchronous systems, considering the unison problem as a benchmark. Unison can be seen
as a local clock synchronization problem as neighbors must maintain digital clocks at most
one time unit away from each other, and increment their own clock value infinitely often. We
present several impossibility results for this difficult problem and propose a FTSS solution
(when the problem is solvable) for the state model that exhibits optimal fault containment.
Keywords: Distributed algorithms, Self-stabilization, Fault-tolerance, Unison, Clock synchronization.
1 Introduction
The advent of ubiquitous large-scale distributed systems advocates that tolerance to various
kinds of faults and hazards must be included from the very early design of such systems. Self-stabilization
[8, 10] is a versatile technique that permits forward recovery from any kind of
transient fault, while Fault-tolerance [17] is traditionally used to mask the effect of a limited
number of permanent faults. Making distributed systems tolerant to both transient and permanent
faults is appealing yet proved difficult [1, 18] as impossibility results are expected in many
cases.
The seminal works of [1, 18] define FTSS protocols as protocols that are both fault tolerant
and self-stabilizing, i.e. able to tolerate a few crash faults as well as arbitrary initial memory
corruption. In [1], impossibility results for size computation and election in asynchronous systems
are presented, while unique naming is proved possible. In [18], a general transformer is presented
for synchronous systems, as well as positive results with failure detectors. The transformer of [18]
was later proved impossible to transpose to asynchronous systems due to the impossibility of
tight synchronization in the FTSS context. For local tasks (i.e. tasks whose correctness can be
checked locally, such as vertex coloring), the notion of strict stabilization was proposed [28, 26].
Strict stabilization guarantees that there exists a containment radius outside which the effect of
permanent faults is masked, provided that the problem specification makes it possible to break
the causality chain that is caused by the faults. Strong stabilization [25, 14, 15] weakens this
requirement and ensures processes outside the containment radius are only impacted a finite
number of times by the Byzantine nodes.
∗This work was funded in part by ANR project SHAMAN, ALADDIN, and SPADES.
†A preliminary version of this work was published as a 2-pages brief announcement in DISC’09 [16].
It turns out that FTSS possibility results in fully asynchronous systems known to date are
restricted to static tasks, i.e. tasks that require eventual convergence to some global fixed point
(tasks such as naming or vertex coloring fall in this category). In this paper, we consider the
more challenging problem of dynamic tasks, i.e. tasks that require both eventual safety and
liveness properties (examples of such tasks are clock synchronization and token passing). Due to
the aforementioned impossibility of tight clock synchronization, we consider the unison problem,
which can be seen as a local clock synchronization problem. In the unison problem [27], each
node is expected to keep its digital clock value within one time unit of each of its neighbors’ clock
values (weak synchronization), and increment its clock value infinitely often (liveness). Note that
in synchronous systems where the underlying topology is a fully connected graph in which clocks
have discrete time unit values, unison induces tight clock synchronization. Several self-stabilizing
solutions exist for this problem [3, 4, 5, 20], both in synchronous and asynchronous systems, yet
none of those can tolerate crash faults.
As a matter of fact, there exists a number of FTSS results for dynamic tasks in synchronous
systems. [12, 29] provide self-stabilizing clock synchronization that is also wait free, i.e. that
tolerates napping faults, in complete networks. Also [11] presents a FTSS clock synchronization
for general networks. Still in synchronous systems, it was proved that even malicious (i.e.
Byzantine) faults can be tolerated, to some extent. In [2, 13], probabilistic FTSS protocols
were proposed for up to one third of Byzantine processors, while in [9, 22] deterministic solutions
tolerate up to one fourth and one third of Byzantine processors, respectively. Note that all
solutions presented in this paragraph are for fully synchronous systems. [21] is a notable exception
since it proposes a probabilistic solution to a clock synchronization problem in an asynchronous
system.
In this paper, we tackle the open issue of FTSS deterministic solutions to dynamic tasks in
asynchronous systems, using the unison problem as a case study. Our first negative results show
that whenever two or more crash faults may occur, FTSS unison is impossible in any asynchronous
setting. The remaining case of one crash fault drives the most interesting results (see Section 3).
The first main contribution of the paper is the characterization of two key properties satisfied by
all previous self-stabilizing asynchronous unison protocols: minimality and priority. Minimality
means that nodes maintain no extra variables but the digital clock value. Priority means that if
incrementing the clock value does not break the local safety predicate between neighbors, then
the clock value is actually incremented in a finite number of activations, even if no neighbor
modifies its clock value. Then, depending on the fairness properties of the scheduling of nodes,
we provide various results with respect to the possibility or impossibility of unison. When the
scheduling is unfair (only global progress is guaranteed), universal FTSS unison (i.e. unison that
can operate on every graph of a particular class) is impossible. When the scheduling is weakly
fair (a processor that is continuously enabled is eventually activated), then it is impossible to
solve universal FTSS unison by a protocol that satisfies either minimality or priority. The case
of strongly fair scheduling (a processor that is enabled infinitely often is eventually activated) is
similar whenever the maximum degree of the graph is at least three. Our negative results still
apply when the clock variable is unbounded, the local synchronization constraint is relaxed, and
the scheduling is central (i.e. a single processor is activated at any time).
On the positive side (Section 4), we present a universal FTSS protocol for connected networks
of maximum degree at most two (i.e. rings and chains), which satisfies both minimality
and priority properties. This protocol makes minimal system hypotheses with respect to the
aforementioned impossibility results (maximum degree, fairness of the scheduling, etc.) and is
optimal with respect to the containment radius that is achieved (no correct processor is ever
prevented from incrementing its clock). This protocol assumes that the scheduling is central.
Table 1 provides a summary of the main results of the paper. Remaining open questions are
discussed in Section 5.
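Scheduler       Protocol class / degree   f = 1                   f ≥ 2
Unfair          -                         Impossible (Prop. 2)    Impossible (Prop. 1)
Weakly fair     Minimal                   Impossible (Prop. 3)    Impossible (Prop. 1)
Weakly fair     Priority                  Impossible (Prop. 4)    Impossible (Prop. 1)
Strongly fair   ∆ ≥ 3, Minimal            Impossible (Prop. 5)    Impossible (Prop. 1)
Strongly fair   ∆ ≥ 3, Priority           Impossible (Prop. 6)    Impossible (Prop. 1)
Strongly fair   ∆ ≤ 2                     Possible (Prop. 11)     Impossible (Prop. 1)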
Table 1: Summary of results
2 Model, Problem and Specifications
We model the network as an undirected connected graph G = (V,E) where V is a set of processors
and E is a binary relation that denotes the ability for two processors to communicate ((p, q) ∈ E
if and only if p and q are neighbors). We consider only anonymous systems (i.e. there exist no
unique identifiers for the processors) but we assume that every processor p can distinguish its
neighbors and locally label them. Each processor p maintains Np, the set of its neighbors’ local
labels. In the following, n denotes the number of processors, and ∆ the maximal degree. If p and
q are two processors of the network, we denote by d(p, q) the length of the shortest path between
p and q (i.e. the distance from p to q). In this paper, we assume that the network can be hit
by crash faults, i.e. some processors can stop executing their actions permanently and without
any warning to their neighborhood. Since the system is assumed to be fully asynchronous, no
processor can detect if one of its neighbors is crashed or slow.
We consider the classical local shared memory model of computation (see [10]) where communications
between neighbors are modeled by direct reading of variables instead of exchange
of messages. In this model, the program of every processor consists of a set of shared variables
(henceforth, referred to as variables) and a finite set of rules. A processor can write to its own
variables only, and read its own variables and those of its neighbors. Each rule consists of:
<label>::<guard>−→<statement>. The label of a rule is simply a name to refer to the action in
the text. The guard of a rule in the program of p is a Boolean predicate involving variables of p
and its neighbors. The statement of a rule of p updates one or more variables of p. A statement
can be executed only if the corresponding guard is satisfied (i.e. it evaluates to true). The
processor rule is then enabled, and processor p is enabled in γ ∈ Γ if and only if at least one rule
is enabled for p in γ. The state of a processor is defined by the current value of its variables.
The state of a system (a.k.a. the configuration) is the product of the states of all processors. We
also refer to the state of a processor and its neighborhood as a local configuration. We note Γ
the set of all configurations of the system.
A step γ → γ′ is defined as an atomic execution of a non-empty subset of enabled rules in γ
that transitions the system from γ to γ′. An execution of a protocol P is a maximal sequence of
configurations ε = γ0γ1 . . . γiγi+1 . . . such that, ∀i ≥ 0, γi → γi+1 is a step if γi+1 exists (else γi
is a terminal configuration). Maximality means that the sequence is either finite (and no action
of P is enabled in the terminal configuration) or infinite. E is the set of all possible executions
of P. A processor p is neutralized in step γi → γi+1 if p is enabled in γi and is not enabled in
γi+1, yet did not execute any rule in step γi → γi+1.
A scheduler (also called daemon) is a predicate over the executions. Recall that, in any
execution, each step γ −→ γ′ results from a non-empty subset of enabled processors atomically
executing a rule. This subset is chosen by the scheduler. A scheduler is central if it chooses
exactly one enabled processor in any particular step, it is distributed if it chooses at least one
enabled processor, and locally central if it chooses at least one enabled processor yet ensures
that no two neighboring processors are chosen concurrently. A scheduler is synchronous if it
chooses every enabled processor in every step. A scheduler is asynchronous if it is either central,
distributed or locally central. A scheduler may also have some fairness properties. A scheduler
is strongly fair (the strongest fairness assumption for asynchronous schedulers) if every processor
that is enabled infinitely often is eventually chosen to execute a rule. A scheduler is weakly
fair if every continuously enabled processor is eventually chosen to execute a rule. Finally,
the unfair scheduler has the weakest fairness assumption: it only guarantees that at least one
enabled processor is eventually chosen to execute a rule. As the strongly fair scheduler is the
strongest fairness assumption, any problem that cannot be solved under this assumption cannot
be solved for all weaker fairness assumptions. In contrast, any algorithm performing under the
unfair scheduler also works for all stronger fairness assumptions.
Fault-containment and Stabilization. In a particular execution ε, we distinguish the set of
processors V ∗ that never crash in ε (i.e. the set of correct processors). By extension, for any part
C ⊂ V , the set of correct processors in C is denoted by C∗. As crashed processors cannot be
distinguished from slow ones by their neighbors, we assume that variables of crashed processors
are always readable.
Let P be a problem to solve. A specification of P is a predicate that is satisfied by every
algorithm solving the problem. We recall definitions about stabilization and fault-tolerance.
Definition 1 (self-stabilization [8]) Let P be a problem, and SP a specification of P. An
algorithm A is self-stabilizing for SP if and only if for every configuration γ0 ∈ Γ, for every
execution ε = γ0γ1 . . ., there exists a finite prefix γ0γ1 . . . γl of ε such that all executions starting
from γl satisfy SP .
Definition 2 ((f, r)−containment [28]) Let P be a problem, and SP a specification of P. A
configuration γ ∈ Γ is (f, r)−contained for specification SP if and only if, given at most f
crashed processors, every execution starting from γ, always satisfies SP on the sub-graph induced
by processors that are at distance r or more from any crashed processor.
Definition 3 (fault-tolerant self-stabilization (FTSS) [1, 18]) Let P be a problem, and
SP a specification of P. An algorithm A is fault-tolerant and self-stabilizing with radius r for f
crashed processors (and denoted by (f, r) − FTSS) for specification SP if and only if, given at
most f crashed processors, for every configuration γ0 ∈ Γ, for every execution ε = γ0γ1 . . ., there
exists a finite prefix γ0γ1 . . . γl of ε such that γl is (f, r)−contained for specification SP .
Figure 1: Some examples of weakly synchronized configurations (the numbers represent clock
values, the double circles represent crashed processors). System G is in a weakly synchronized
configuration but not in a uniformly weakly synchronized configuration whereas system G′ is in a
uniformly weakly synchronized configuration (and hence in a weakly synchronized configuration).
Unison. In the following, cp is the variable of processor p that represents its clock value. Values
are taken in the set of natural integers (that is, the number of states is unbounded, and a total
order can be defined on clock values). Note that we do not consider the case of bounded clocks
in this paper. We now define two notions related to local clock synchronization: the first one
restricts the safety property to correct processors, while the second one considers all processors.
We call drift between two processors p and q the absolute value of the difference between their
clock values. In this paper, we deal with unison that is a weak clock synchronization: we must
ensure that clocks are eventually "close" to each other. More precisely, two processors p and
q are in unison if the drift between them is no more than 1. We say that a configuration of the
system is weakly synchronized if any correct processor is in unison with its correct neighbors.
More formally,
Definition 4 (weakly synchronized configuration) Let γ ∈ Γ. We say that γ is weakly
synchronized, denoted by γ ∈ Γ∗1, if and only if: ∀p ∈ V ∗, ∀q ∈ N∗p, |cp − cq| ≤ 1.
We say that a configuration of the system is uniformly weakly synchronized if any processor
is in unison with all its neighbors (even with crashed ones). More formally,
Definition 5 (uniformly weakly synchronized configuration) Let γ ∈ Γ. We say that γ is
uniformly weakly synchronized, denoted by γ ∈ Γ1, if and only if : ∀p ∈ V,∀q ∈ Np, |cp− cq| ≤ 1.
Figure 1 gives some examples of weakly synchronized configurations.
We now specify the two variants of our problem (depending on whether the safety property is extended
to crashed processors or not). Intuitively, asynchronous unison (respectively uniform
asynchronous unison) ensures that the system is eventually (and remains forever) in a weakly
(respectively uniformly weakly) synchronized configuration (safety property) and that clocks of
correct processors are infinitely often incremented by 1 (liveness condition). More formally,
Definition 6 (asynchronous unison) Let γ0 ∈ Γ. An execution ε = γ0γ1... is a legitimate
execution for asynchronous unison, denoted by AU, if and only if:
Safety: ∀i ∈ N, γi ∈ Γ∗1.
Liveness: Each processor p ∈ V ∗ increments its clock (by 1) infinitely often in ε.
Definition 7 (uniform asynchronous unison) Let γ0 ∈ Γ. An execution ε = γ0γ1... is a
legitimate execution for uniform asynchronous unison, denoted by UAU, if and only if:
Safety: ∀i ∈ N, γi ∈ Γ1.
Liveness: Each processor p ∈ V ∗ increments its clock (by 1) infinitely often in ε.
Note that an algorithm that complies with the specification of UAU also complies with that of AU
(the converse is not true) since Γ1 ⊆ Γ∗1 (if no processor is crashed, we have: Γ1 = Γ∗1, but if
at least one processor is crashed, we have: Γ1 ⊊ Γ∗1). Note also that these two specifications do
not forbid decrementing clocks. Our specification generalizes the classical unison specification [5]
as any solution to the former is also a solution of ours. Unison protocols that are useful in a
distributed setting are those that do not know the underlying communication graph. We refer to
universal protocols to denote the fact that a protocol can perform on every communication
graph that matches a particular predicate (e.g. every graph of degree less than two). To disprove
universality of a protocol, it is thus sufficient to exhibit a particular communication graph in its
acceptance predicate such that at least one possible execution does not satisfy the specification.
We now present two key properties satisfied by all known self-stabilizing unison protocols.
Those properties are used in the impossibility results presented in Section 3. We call these
properties respectively minimality and priority.
Minimality means that nodes maintain no extra variables but the digital clock value. This
implies that the code of a minimal unison can only refer to clocks or to predefined constants.
We now state the formal definition of this property.
Definition 8 (minimality) A unison is minimal if and only if every processor only maintains
a clock variable.
Priority means that if, for a given processor, incrementing the clock value does not break
the local safety predicate with its neighbors, then its clock value is actually incremented in a
finite number of activations, even if no neighbor modifies its clock value. This property implies
that, if a processor can increment its clock without breaking unison with its neighbors, then
it does so in finite time whether its neighbors are crashed or not. This property is similar to
obstruction-freedom in the sense that the protocol only has very weak constraints about progress.
We formally state this property in the following definition.
Definition 9 (priority) A unison is priority if and only if it satisfies the following property: if
there exists a processor p such that ∀q ∈ Np, (cq = cp or cq = cp + 1) in a configuration γi, then
there exists a fragment of execution ε = γi...γi+k such that:
- only p is chosen by the scheduler during ε.
- cp is not modified during γi+j −→ γi+j+1, for j ∈ {0, ..., k − 2}.
- cp is incremented during γi+k−1 −→ γi+k.
For example, protocols proposed by [3, 4, 5, 20] fall in the category of minimal and priority
unison using these definitions. Another example is the protocol of [29] that is priority but not
minimal. To our knowledge, any existing unison protocol satisfies either minimality or priority.
3 Impossibility Results
In this section we present a broad class of impossibility results related to the FTSS unison.
First, we show a preliminary result that states that a processor cannot modify its clock value if
it has two neighbors q and q′ with cq = cp − 1 and cq′ = cp + 1 (Lemma 1). This property is
further used in the sequel of this section. Proposition 1 proves that there exists no (f, r)−FTSS
algorithm for any r value if f ≥ 2. Furthermore, in Proposition 2, we prove that there exists
no (1, r)−FTSS algorithm for AU under an unfair daemon for any r value. Then we study the
minimal and priority asynchronous unison and prove there exists no (1, r)−FTSS algorithm for
minimal or priority AU under a weakly fair daemon for any r value (Lemma 2, Propositions
3 and 4). Finally, we prove there exists no (1, r)−FTSS algorithm for minimal or priority AU
under a strongly fair daemon for any r value if the network has a maximal degree of at least
3 (Lemma 3, Propositions 5 and 6). In the following we assume, for the sake of generality, the
most constrained scheduler (the central one).
3.1 Preliminaries
First, we introduce a preliminary result that shows that in any execution of a universal (f, r)−ftss
algorithm for AU (under an asynchronous daemon) a processor cannot modify its clock value if
it has two neighbors q and q′ such that: cq = cp − 1 and cq′ = cp + 1.
Lemma 1 Let A be a universal (f, r)−ftss algorithm for AU (under an asynchronous daemon).
Let γ be a configuration where a processor p (such that cp ≥ 1) has two neighbors q and q′ such
that: cq = cp − 1 and cq′ = cp + 1. If p executes an action of A during the step γ −→ γ′, then this
action does not modify the value of cp. If A is also minimal, then the processor p is not enabled
for A in γ.
Proof. Let A be a universal (f, r)−ftss algorithm for AU (under an asynchronous daemon).
Let G be a network and γ be a configuration of G such that no processor is crashed, γ ∈ Γ1
and there exists a processor p (such that cp ≥ 1) that has two neighbors q and q′ such that:
cq = cp − 1 and cq′ = cp + 1.
Assume p executes an action of A during the step γ −→ γ′ (and only p) such that this action
modifies the value of cp. Note that cq and cq′ are identical in γ and γ′. Let α be the value of cp
in γ and α′ be the value of cp in γ′. Values of α and α′ satisfy one of the two following relations:
Case 1: α < α′.
This implies that |α′ − cq| = |α′ − α| + |α − cq| > 1 (since |α′ − α| ≥ 1 by hypothesis and
|α − cq| = 1).
Case 2: α′ < α.
This implies that |α′ − cq′| = |α′ − α| + |α − cq′| > 1 (since |α′ − α| ≥ 1 by hypothesis and
|α − cq′| = 1).
In the two above cases, γ′ ∉ Γ1, hence the safety property of A is not satisfied.
If A is also minimal, then the previous result implies that p is not enabled for A in γ. □
3.2 Impossibility Result due to the Number of Crashed Processors
Proposition 1 For any natural number r, there exists no universal (f, r)−ftss algorithm for
AU under an asynchronous daemon if f ≥ 2.
Proof. Let r be a natural number. Let A be a universal (2, r)−ftss algorithm for AU (under
an asynchronous daemon). Consider a network represented by the following graph: G = (V,E)
with V = {p0, . . . , p2(r+1)} and E = {{pi, pi+1}|i ∈ {0, . . . , 2r + 1}}. Let γ be the following
configuration of the network: p0 and p2(r+1) are crashed and ∀i ∈ {0, . . . , 2(r + 1)}, cpi = i (all
the other variables may have any value).
By Lemma 1, no processor between p2 and p2r+1 can change its clock value in every execution
starting from γ. This contradicts the definition of A. Indeed, pr+1 must eventually satisfy
the specification of AU since the closest crashed processor is at r hops away. In particular,
any execution starting from γ must contain a suffix where the clock of pr+1 is infinitely often
incremented. This contradiction shows us the result. □
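The following Python sketch is an added illustration, not code from the paper: it implements the predicates of Definitions 4 and 5 and exhaustively checks the arithmetic of Lemma 1 on the chain configuration used in the proof of Proposition 1. The function names and the bounded search window max_jump are assumptions made for this example.

```python
"""Added illustration of Definitions 4-5, Lemma 1 and Proposition 1 (not from the paper)."""


def chain(n):
    """Adjacency map of the chain p0 - p1 - ... - p(n-1)."""
    return {i: [j for j in (i - 1, i + 1) if 0 <= j < n] for i in range(n)}


def weakly_synchronized(adj, clock, crashed):
    """Definition 4: every correct processor is in unison with its correct neighbors."""
    return all(abs(clock[p] - clock[q]) <= 1
               for p in adj if p not in crashed
               for q in adj[p] if q not in crashed)


def uniformly_weakly_synchronized(adj, clock):
    """Definition 5: every processor is in unison with all neighbors, crashed or not."""
    return all(abs(clock[p] - clock[q]) <= 1 for p in adj for q in adj[p])


def safe_new_clocks(adj, clock, p, max_jump=10):
    """Values other than clock[p], within max_jump of it (assumed search window),
    that keep p in unison with every neighbor. Crashed neighbors are included
    because p cannot distinguish a crashed neighbor from a slow one."""
    low = max(0, clock[p] - max_jump)
    return [v for v in range(low, clock[p] + max_jump + 1)
            if v != clock[p] and all(abs(v - clock[q]) <= 1 for q in adj[p])]


def proposition1_configuration(r):
    """Chain p0..p2(r+1) with clock of pi equal to i and both endpoints crashed."""
    n = 2 * (r + 1) + 1
    return chain(n), {i: i for i in range(n)}, {0, n - 1}


def blocked_processors(r, max_jump=10):
    """Correct processors that have no safe clock change in Proposition 1's configuration."""
    adj, clock, crashed = proposition1_configuration(r)
    return [p for p in adj
            if p not in crashed and not safe_new_clocks(adj, clock, p, max_jump)]


if __name__ == "__main__":
    r = 2
    adj, clock, crashed = proposition1_configuration(r)
    print("in Γ1:", uniformly_weakly_synchronized(adj, clock))
    print("blocked correct processors:", blocked_processors(r))
    # Constructed configuration: a crashed processor with a stale clock.
    stale = {0: 0, 1: 5, 2: 5, 3: 6}
    print("weakly synchronized:", weakly_synchronized(chain(4), stale, {0}))
    print("uniformly weakly synchronized:", uniformly_weakly_synchronized(chain(4), stale))
```

Every correct processor of the chain, including pr+1, has a neighbor one tick behind and a neighbor one tick ahead, so the list of safe moves is empty for each of them.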
3.3 Impossibility Result due to Unfair Daemon
Proposition 2 For any natural number r, there exists no universal (1, r)−ftss algorithm for
AU under an unfair daemon.
Proof. Let r be a natural number. Assume that there exists a universal (1, r)−ftss algorithm
A for AU under an unfair daemon. Consider a network G, of diameter greater than 2r + 2
(note that in this case, at least one processor must eventually satisfy the specification of the
AU problem). Let p be a processor of G. Since the daemon is unfair, it can choose to never
activate p in an execution ε unless this processor becomes the only enabled processor of G in a
configuration of ε by definition.
For the sake of contradiction, assume that there exists a configuration γ such that no processor
is crashed and where p is the only enabled processor of the network. Denote by γ′ the same
configuration when p is crashed. Note that the set of enabled processors is identical in γ and
γ′ by construction. As we assumed that only p is enabled in γ, this implies that no correct
processor is enabled in γ′. Hence, the system is deadlocked in γ′ and the specification of AU is
not satisfied since no clock of correct processor can be updated. This contradiction implies that,
for any configuration where no processor is crashed, at least two processors are enabled.
Since there exists no configuration where p is the unique enabled processor (in every execution
starting from an arbitrary configuration), the unfair daemon can starve p infinitely (if no crash
occurs). This contradicts the liveness property of A since p cannot update its clock in this
execution. □
3.4 Impossibility Results due to Weakly Fair Daemon
In this section we prove there exists no universal (1, r)−ftss algorithm for minimal or priority
AU under a weakly fair daemon for any r value.
The first impossibility result uses the following property: if there exists a universal algorithm
A that is (1, r)−ftss for minimal AU under a weakly fair daemon for a natural number r, then
an arbitrary processor p is not enabled for A if it has only one neighbor p′ and if cp = cp′ (proved
in Lemma 2 formally stated below). Then, we show that A starves the network reduced to a
two-correct-processor chain where all clock values are identical (see Proposition 3).
Figure 2: The three configurations used in the proof of Lemma 2 (the numbers represent clock
values and the double circles represent crashed processors).
Lemma 2 If there exists a universal algorithm A that is (1, r)−ftss for minimal AU under a
weakly fair daemon for a natural number r, then an arbitrary processor p is not enabled for A if
it has only one neighbor p′ and if cp = cp′.
Proof. Let r be a natural number. Let A be a universal (1, r)−ftss algorithm for the minimal
AU under a weakly fair daemon.
Let G be the network reduced to a chain of length r+ 2. Assume processors in G labeled as
follows: p0, p1, . . . , pr+2. Consider the following configurations of G (see Figure 2):
• γ1 defined by ∀i ∈ {0, . . . , r + 1}, cpi = i and cpr+2 = r + 1 and p0 crashed.
• γ2 defined by ∀i ∈ {0, . . . , r + 1}, cpi = 2r + 2− i and cpr+2 = r + 1 and p0 crashed.
• γ3 defined by ∀i ∈ {0, . . . , r + 2}, cpi = i and p0 crashed.
By Lemma 1, processors from p1 to pr are not enabled in such configurations (and remain
not enabled until one of the processors within p0 . . . pr+1 executes a rule).
Note that for the processor pr+2, the configurations γ1 and γ2 are indistinguishable (otherwise
the unison would not be minimal). We are going to prove the result by contradiction. Assume
pr+2 is enabled in γ1 and γ2. The safety property of A implies that the enabled rule for pr+2
modifies its clock either to r + 2 or to r. In the following we discuss these cases separately:
Case 1: The enabled rule for pr+2 modifies its clock into r + 2.
Assume without loss of generality that pr+2 is the only activated processor. Hence its clock
takes the value r + 2. The following cases are possible in the obtained configuration:
Case 1.1: pr+2 is not enabled.
If an execution started from γ1, then no processor is enabled, which contradicts the
liveness property of AU.
Case 1.2 : pr+2 is enabled and the enabled rule modifies its clock into r + 1.
Let ε be an execution starting from γ1 where only pr+2 is activated. Consequently, the
clock of the processor pr+2 takes infinitely the following sequence of values: r+1, r+2.
In this execution, pr+2 executes infinitely often while processors from p0 to pr are
never enabled. Note that pr+1 is not enabled when cpr+2 = r+2, hence this processor
is never infinitely enabled. In conclusion, this execution is allowed by the weakly
fair scheduler. Note that this execution starves pr+1, which contradicts the liveness
property of A.
Case 1.3 : pr+2 is enabled and the enabled rule modifies its clock into r.
The execution of this rule leads to case 2.
Case 2 : The enabled rule for pr+2 modifies its clock into r.
Assume without loss of generality that pr+2 is the only activated processor and after its
execution the new configuration satisfies one of the following cases:
Case 2.1 : pr+2 is not enabled.
If an execution started from γ2, then no processor is enabled, which contradicts the
liveness property (the network is starved).
Case 2.2 : pr+2 is enabled and the enabled rule modifies its clock into r + 1.
Let ε be an execution starting from γ2 that contains only actions of pr+2 (its clock takes
infinitely the following value sequence : r + 1, r). In this execution, pr+2 executes a
rule infinitely often (by construction) and processors from p0 to pr are never enabled.
Note that pr+1 is not enabled when cpr+2 = r, so this processor is never infinitely
enabled. In conclusion, this execution satisfies the weakly fair scheduling.
Note that this execution starves pr+1, which contradicts the liveness property of A.
Case 2.3 : pr+2 is enabled and the enabled rule modifies its clock into r + 2.
The execution of this rule leads to case 1.
Overall, the only two possible cases (cases 1.3 and 2.3) are the following:
1. pr+2 is enabled for modifying its clock value into r when cpr+2 = r + 2 and cpr+1 = r + 1.
2. pr+2 is enabled for modifying its clock value into r + 2 when cpr+2 = r and cpr+1 = r + 1.
Let ε be an execution starting from γ3 that contains only actions of pr+2 (its clock takes
infinitely the following sequence of values: r + 2, r). In this execution, pr+2 executes a rule
infinitely often (by construction) and processors in p0 . . . pr are never enabled. Note that pr+1 is
not enabled when cpr+2 = r + 2, so this processor is never infinitely enabled. In conclusion, this
execution satisfies the weakly fair scheduling.
This execution starves pr+1, which contradicts the liveness property of A and proves the
result. □
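The starving execution of Case 1.2 can be checked mechanically. The Python sketch below is an added example, not the paper's code: it represents the infinite execution as a finite cycle of (enabled set, chosen set) steps repeated forever and tests the fairness definitions of Section 2 on it. It assumes that a correct processor is enabled whenever Lemma 1 does not block it, which is the least favorable case for the argument; all function names are hypothetical.

```python
"""Added illustration: fairness of the starving execution in Lemma 2, Case 1.2."""


def chain(n):
    """Adjacency map of the chain p0 - p1 - ... - p(n-1)."""
    return {i: [j for j in (i - 1, i + 1) if 0 <= j < n] for i in range(n)}


def lemma1_blocks(adj, clock, p):
    """True if p has one neighbor at clock[p] - 1 and another at clock[p] + 1."""
    values = {clock[q] for q in adj[p]}
    return clock[p] - 1 in values and clock[p] + 1 in values


def possibly_enabled(adj, clock, crashed):
    """Assumption of this example: a correct processor is enabled unless Lemma 1 blocks it."""
    return {p for p in adj if p not in crashed and not lemma1_blocks(adj, clock, p)}


def lemma2_case_1_2_cycle(r):
    """Cycle of the execution starting from γ1 in which only pr+2 is activated and
    its clock alternates between r+1 and r+2. Each step is (enabled, chosen)."""
    last = r + 2
    adj = chain(r + 3)
    clock = {i: i for i in range(r + 2)}
    clock[last] = r + 1            # configuration γ1 of the proof
    crashed = {0}
    cycle = []
    for new_value in (r + 2, r + 1):
        cycle.append((possibly_enabled(adj, clock, crashed), {last}))
        clock[last] = new_value    # the step executed by pr+2
    return cycle


def classify(cycle):
    """Check the scheduler definitions on a cycle that is repeated forever."""
    valid = all(chosen and chosen <= enabled for enabled, chosen in cycle)
    ever_chosen = set().union(*(chosen for _, chosen in cycle))
    ever_enabled = set().union(*(enabled for enabled, _ in cycle))
    always_enabled = set.intersection(*(set(enabled) for enabled, _ in cycle))
    return {
        "valid_steps": valid,
        "central": valid and all(len(chosen) == 1 for _, chosen in cycle),
        # Weakly fair: every continuously enabled processor is eventually chosen.
        "weakly_fair": valid and always_enabled <= ever_chosen,
        # Strongly fair: every processor enabled infinitely often is eventually chosen.
        "strongly_fair": valid and ever_enabled <= ever_chosen,
        "starved": sorted(ever_enabled - ever_chosen),
    }


if __name__ == "__main__":
    r = 3
    for enabled, chosen in lemma2_case_1_2_cycle(r):
        print("enabled:", sorted(enabled), "chosen:", sorted(chosen))
    print(classify(lemma2_case_1_2_cycle(r)))
```

Under that assumption pr+1 is enabled in every other configuration only, so the execution is accepted by a weakly fair central daemon while a strongly fair one rejects it.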
Proposition 3 For any natural number $r$, there exists no universal $(1, r)$-ftss algorithm for minimal AU under a weakly fair daemon.
Proof. Let $r$ be a natural integer. Assume there exists a universal $(1, r)$-ftss algorithm $A$ for the minimal AU under a weakly fair daemon. By Lemma 2, an arbitrary processor $p$ is not enabled for $A$ if it has only one neighbor $p'$ and if $c_p = c_{p'}$.
Let $G$ be a network reduced to a chain of 2 processors $p$ and $p'$. Let $\gamma$ be a configuration of $G$ where $c_p = c_{p'}$ with no crashed processor. Notice that no processor is enabled in $\gamma$, which contradicts the liveness property of $A$ and proves the result. □
Figure 3: Initial configuration used in the proof of Proposition 4 (the numbers represent clock values and the double circles represent crashed processors).
The second main result of this section is that there exists no universal $(1, r)$-ftss algorithm for priority AU under a weakly fair daemon for any natural number $r$ (see Proposition 4).
We prove this result by contradiction. We construct an execution starting from the configuration $\gamma_0^0$ shown in Figure 3 allowed by a weakly fair scheduler. We prove that this execution starves $p_{r+1}$, which contradicts the liveness property of the algorithm.
Proposition 4 For any natural number $r$, there exists no universal $(1, r)$-ftss algorithm for priority AU under a weakly fair daemon.
Proof. Let $r$ be a natural number. Assume that there exists a universal $(1, r)$-ftss algorithm $A$ for priority AU under a weakly fair daemon. Let $G$ be the network reduced to a chain of length $r+2$. Assume that processors in $G$ are labeled as follows: $p_0, p_1, \ldots, p_{r+2}$. Let $\gamma_0^0$ be a configuration such that $p_0$ is crashed and $\forall i \in \{0, \ldots, r+2\}, c_{p_i} = i$ (see Figure 3). Note that all the other variables may have any value.
We construct a fragment of execution $\epsilon'_0 = \gamma_0^0 \gamma_1^0 \gamma_2^0 \ldots \gamma_{r+1}^0$ starting from $\gamma_0^0$ such that $\forall i \in \{0, 1, \ldots, r\}$, the step $\gamma_i^0 \to \gamma_{i+1}^0$ contains only an action of $p_{i+1}$ if $p_{i+1}$ is enabled. By Lemma 1, this fragment does not modify the clock value of any processor in $\{p_0 \ldots p_{r+1}\}$.
We also construct a fragment of execution, $\epsilon''_0$, starting from $\gamma_{r+1}^0$ using the following cases:
Case 1: $p_{r+2}$ is not enabled in $\gamma_{r+1}^0$.
Let $\epsilon''_0$ be $\epsilon$ (empty word).
Case 2: $p_{r+2}$ is enabled in $\gamma_{r+1}^0$.
We distinguish now the following sub-cases:
Case 2.1: There exists a rule of $p_{r+2}$ enabled in $\gamma_{r+1}^0$ that does not modify the clock value of $p_{r+2}$.
Let $\epsilon''_0$ be $\gamma_{r+1}^0 \gamma_{r+2}^0$ where step $\gamma_{r+1}^0 \to \gamma_{r+2}^0$ contains only the execution of this rule by $p_{r+2}$.
Case 2.2: Any enabled rule of $p_{r+2}$ in $\gamma_{r+1}^0$ modifies its clock value.
Note that the safety property of $A$ implies that the clock of $p_{r+2}$ takes the value $r$ or $r+1$. Let us study the following cases.
Case 2.2.1: There exists a rule of $p_{r+2}$ enabled in $\gamma_{r+1}^0$ that modifies its clock value into $r+1$.
Since $A$ is a priority unison, there exists by definition a fragment of execution $\epsilon''_0 = \gamma_{r+1}^0 \gamma_{r+2}^0 \ldots \gamma_{r+k}^0$ that contains only actions of $p_{r+2}$ such that (i) $p_{r+2}$ executes one of the rules that modifies its clock value into $r+1$ in the step $\gamma_{r+1}^0 \to \gamma_{r+2}^0$, (ii) in the steps from $\gamma_{r+2}^0$ to $\gamma_{r+k-1}^0$ the clock value of $p_{r+2}$ is not modified, while (iii) in the step $\gamma_{r+k-1}^0 \to \gamma_{r+k}^0$ the clock value of $p_{r+2}$ is incremented.
Case 2.2.2: Any enabled rule of $p_{r+2}$ in $\gamma_{r+1}^0$ modifies its clock value into $r$.
Since $A$ is a priority unison, there exists by definition a fragment of execution $\epsilon_a = \gamma_{r+1}^0 \gamma_{r+2}^0 \ldots \gamma_{r+k}^0$ that contains only actions of $p_{r+2}$ such that (i) $p_{r+2}$ executes one of the rules that modifies its clock value into $r$ in the step $\gamma_{r+1}^0 \to \gamma_{r+2}^0$, (ii) in the steps from $\gamma_{r+2}^0$ to $\gamma_{r+k-1}^0$ the clock value of $p_{r+2}$ is not modified and (iii) in the step $\gamma_{r+k-1}^0 \to \gamma_{r+k}^0$ the clock of $p_{r+2}$ takes the value $r+1$.
Since $A$ is a priority unison, there exists by definition a fragment of execution $\epsilon_b = \gamma_{r+k}^0 \gamma_{r+k+1}^0 \ldots \gamma_{r+j}^0$ that contains only actions of $p_{r+2}$ such that (i) in the steps from $\gamma_{r+k}^0$ to $\gamma_{r+j-1}^0$ the clock value of $p_{r+2}$ is not modified and (ii) in the step $\gamma_{r+j-1}^0 \to \gamma_{r+j}^0$ the clock value of $p_{r+2}$ is incremented.
Let $\epsilon''_0$ be $\epsilon_a \epsilon_b$.
In all cases, we construct a fragment of execution $\epsilon_0 = \epsilon'_0 \epsilon''_0$ such that its last configuration (let us denote it by $\gamma_0^1$) satisfies: the value of any clock is identical to the one in $\gamma_0^0$ (the other variables may have changed). Then, we can reiterate the reasoning and obtain fragments of execution $\epsilon_1, \epsilon_2, \ldots$ (respectively starting from $\gamma_0^1, \gamma_0^2, \ldots$) that satisfy the same property.
We finally obtain an execution $\epsilon = \epsilon_0 \epsilon_1 \ldots$ that satisfies:
• No processor is infinitely enabled without executing a rule (since all enabled processors in $\gamma_0^i$ execute a rule or are neutralized during $\epsilon_i$). Consequently $\epsilon$ is an execution that satisfies the weakly fair scheduling.
• The clock of processor $p_{r+1}$ never changes (whereas $d(p_0, p_{r+1}) = r+1$).
This execution contradicts the liveness property of $A$ that is a $(1, r)$-ftss algorithm for priority AU under a weakly fair daemon by hypothesis. □
3.5 Impossibility Results due to Strongly Fair Daemon
In this section we prove that there exists no universal $(1, r)$-ftss algorithm for minimal or priority AU under a strongly fair daemon if the degree of the network is at least 3.
In order to prove the first impossibility result, we use the following property: if a processor $p$ has only one neighbor $q$ such that $c_q = r+1$ and if $|c_p - c_q| \leq 1$, then $p$ is enabled in any universal $(1, r)$-ftss algorithm for minimal AU (see Lemma 3). Then we construct a strongly fair infinite execution that starves a processor such that the closest crashed processor is more than $r$ hops away. This execution contradicts the liveness property of the AU problem (see Proposition 5).
Lemma 3 Let $A$ be a universal $(1, r)$-ftss algorithm for minimal AU. If a processor $p$ has only one neighbor $q$ such that $c_q = r+1$ and if $|c_p - c_q| \leq 1$, then $p$ is enabled in $A$.
Proof. Assume that there exists a universal algorithm $A$ that is $(1, r)$-ftss for minimal AU. Let $G$ be a network that executes $A$ and that contains at least one processor $p$ that has only one neighbor $q$. Assume that $c_q = r+1$ and $|c_p - c_q| \leq 1$. Then, we have:
1. If $c_p = r$, then $p$ is enabled for at least one rule of $A$. Otherwise, all processors are starved in the network reduced to the chain $p_0, \ldots, p_r, q, p$ in the configuration $\gamma_1$ defined by $\forall i \in \{0, \ldots, r\}, c_{p_i} = 2r+2-i$, $c_q = r+1$, $c_p = r$ where $p_0$ is crashed (see Figure 4) since no correct processor is enabled (by Lemma 1).
2. If $c_p = r+1$, then $p$ is enabled for at least one rule of $A$. Otherwise, all processors are starved in the network reduced to the chain $q, p$ in the configuration $\gamma_2$ defined by $c_q = c_p = r+1$ and where no processor is crashed (see Figure 4). Indeed, the symmetry of the configuration implies that $q$ is enabled if and only if $p$ is enabled.
3. If $c_p = r+2$, then $p$ is enabled for at least one rule of $A$. Otherwise, all processors are starved in the network reduced to the chain $p_0, \ldots, p_r, q, p$ in the configuration $\gamma_3$ defined by $\forall i \in \{0, \ldots, r\}, c_{p_i} = i$, $c_q = r+1$, $c_p = r+2$ and $p_0$ crashed (see Figure 4) since no correct processor is enabled (by Lemma 1).
□
Figure 4: The three configurations used in the proof of Lemma 3 (the numbers represent clock values and the double circles represent crashed processors).
Proposition 5 For any natural number $r$, there exists no universal $(1, r)$-ftss algorithm for minimal AU under a strongly fair daemon if the system has a maximal degree of at least 3.
Proof. Let $r$ be a natural number. Assume that there exists a universal $(1, r)$-ftss algorithm $A$ for the minimal AU under a strongly fair daemon in a network with a degree of at least 3.
Let $G$ be the network defined by: $V = \{p_0, \ldots, p_{r+1}, q, q'\}$ and $E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, r\}\} \cup \{\{p_{r+1}, q\}, \{p_{r+1}, q'\}\}$.
As $A$ is deterministic and the system anonymous, $q$ and $q'$ must behave identically if they have the same clock value (in this case, their local configurations are identical). If $c_{p_{r+1}} = r+1$ and $|c_{p_{r+1}} - c_q| \leq 1$, there exist three local configurations for $q$: (1) $c_q = r$, (2) $c_q = r+1$ or (3) $c_q = r+2$ (the same property holds for $q'$).
By Lemma 3, processor $q$ (respectively $q'$) is enabled in any configuration where $c_{p_{r+1}} = r+1$ and $|c_{p_{r+1}} - c_q| \leq 1$ (respectively $|c_{p_{r+1}} - c_{q'}| \leq 1$). Moreover, in this case, the enabled rule for $q$ (respectively $q'$) modifies its clock into a value in $\{r, r+1, r+2\} - \{c_q\}$ (respectively $\{r, r+1, r+2\} - \{c_{q'}\}$) by the safety property of $A$.
For each of the three possible local configurations for $q$ or $q'$ (studied in the proof of Lemma 3), $A$ can only allow 2 moves. Hence, there exist 8 possible moves for $A$. Let us denote each of these possibilities by a triplet $(a, b, c)$ where $a$, $b$ and $c$ are the clock value of $q$ after the allowed move when $c_q = r$, $c_q = r+1$, and $c_q = r+2$ respectively. Note that, due to the determinism of $A$, moves allowed for $q'$ and $q$ are identical. There exist the following cases:
Figure 5: The three configurations used in the proof of Proposition 5 (the numbers represent
clock values and the double circles represent crashed processors).
Case 1: $(r+1, r, r)$
Let $\gamma_1$ be the configuration of $G$ defined by: $\forall i \in \{0, \ldots, r+1\}, c_{p_i} = 2r+2-i$, $c_q = r+1$ and $c_{q'} = r$ and $p_0$ crashed (see Figure 5). Note that only $q$ and $q'$ are enabled (by Lemma 1). Assume $q$ executes. Hence, its clock takes the value $r$. By Lemma 1, only $q$ and $q'$ are enabled. Assume now that $q'$ executes. Its clock takes the value $r+1$. This configuration is identical to $\gamma_1$ (since processors are anonymous), so we can repeat the above reasoning in order to obtain an infinite execution where processors $p_1, \ldots, p_{r+1}$ are never enabled (see Figure 6 for an illustration when $r = 1$).
Figure 6: Example of the execution constructed in case 1 of Proposition 5 when $r = 1$ (the numbers represent clock values and the double circles represent crashed processors).
Case 2: $(r+1, r+2, r)$
Let $\gamma_2$ be the configuration of $G$ defined by: $\forall i \in \{0, \ldots, r+1\}, c_{p_i} = i$, $c_q = r$ and $c_{q'} = r+2$ and $p_0$ crashed (see Figure 5). Note that only $q$ and $q'$ are enabled (by Lemma 1). Assume $q$ executes. Its clock takes the value $r+1$. By Lemma 1, only $q$ and $q'$ are enabled. Assume $q$ executes its rule again. Its clock takes the value $r+2$. By Lemma 1, only $q$ and $q'$ are enabled. Assume now that $q'$ executes its rule. Its clock takes the value $r$. This configuration is identical to $\gamma_2$ (since processors are anonymous). We can repeat the reasoning in order to obtain an infinite execution where processors in $p_1, \ldots, p_{r+1}$ are never enabled.
Case 3: $(r+1, r, r+1)$
Similar to the reasoning of case 1.
Case 4: $(r+1, r+2, r+1)$
Let $\gamma_3$ be the configuration of $G$ defined by: $\forall i \in \{0, \ldots, r+1\}, c_{p_i} = i$, $c_q = r+2$ and $c_{q'} = r+1$ and where $p_0$ is crashed (see Figure 5). Note that only $q$ and $q'$ are enabled (by Lemma 1). Assume $q'$ executes its rule. Its clock takes the value $r+2$. By Lemma 1, only $q$ and $q'$ are enabled. Assume now that $q$ executes its rule. Its clock takes the value $r+1$. This configuration is identical to $\gamma_3$ (since processors are anonymous). We can repeat the reasoning in order to obtain an infinite execution where processors in $p_1, \ldots, p_{r+1}$ are never enabled.
Case 5: $(r+2, r, r)$
Let $\gamma_2$ be the configuration of $G$ as defined in case 2 above. Note that only $q$ and $q'$ are enabled (by Lemma 1). Assume $q$ executes its rule. Its clock takes the value $r+2$. By Lemma 1, only $q$ and $q'$ are enabled. Assume now that $q'$ executes its rule. Its clock takes the value $r$. This configuration is identical to $\gamma_2$ (since processors are anonymous). We can repeat the reasoning in order to obtain an infinite execution where processors $p_1, \ldots, p_{r+1}$ are never enabled.
Case 6: $(r+2, r+2, r)$
The reasoning is similar to case 5.
Case 7: $(r+2, r, r+1)$
Let $\gamma_2$ be the configuration of $G$ as defined in case 2 above. Note that only $q$ and $q'$ are enabled (by Lemma 1). Assume $q$ executes its rule. Its clock takes the value $r+2$. By Lemma 1, only $q$ and $q'$ are enabled. Assume $q'$ executes its rule. Its clock takes the value $r+1$. By Lemma 1, only $q$ and $q'$ are enabled. Assume $q'$ executes its rule again. Its clock takes the value $r$. This configuration is identical to $\gamma_2$ (since processors are anonymous). We can repeat the above scenario in order to obtain an infinite execution where processors $p_1, \ldots, p_{r+1}$ are never enabled.
Case 8: $(r+2, r+2, r+1)$
The proof is similar to case 4.
Figure 7: The initial configuration for the proof of Proposition 6 (the numbers represent clock
values and the double circles represent crashed processors).
Overall, we can construct an infinite execution where processor $p_0$ is crashed, processors from $p_1$ to $p_{r+1}$ are never enabled and processors $q$ and $q'$ execute a rule infinitely often. This execution satisfies the strongly fair scheduling. Notice that in this execution $p_{r+1}$ is never enabled, hence it is starved. This contradicts the liveness property of $A$ and proves the result. □
The second main result of this section is that there exists no universal $(1, r)$-ftss algorithm for priority AU under a strongly fair daemon for any natural number $r$ if the degree of the graph modeling the network is at least 3 (see Proposition 6).
We prove this result by contradiction. We construct an execution starting from the configuration $\gamma_0^0$ of Figure 7 satisfying the strongly fair scheduling that starves $p_{r+1}$, which contradicts the liveness of the algorithm.
Proposition 6 For any natural number $r$, there exists no universal $(1, r)$-ftss algorithm for priority AU under a strongly fair daemon if the system has a maximal degree of at least 3.
Proof. Let $r$ be a natural number. Assume that there exists a universal $(1, r)$-ftss algorithm $A$ for priority AU under a strongly fair daemon even if the graph modeling the network has a degree of at least 3. Let $G$ be the network defined by: $V = \{p_0, \ldots, p_{r+1}, q, q'\}$ and $E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, r\}\} \cup \{\{p_{r+1}, q\}, \{p_{r+1}, q'\}\}$. Note that $G$ has a degree equal to 3.
Let $\gamma_0^0$ be the following configuration: $\forall i \in \{0, \ldots, r+1\}, c_{p_i} = i$, $c_q = c_{q'} = r+2$ and $p_0$ crashed (see Figure 7). Note that, for any execution $\epsilon$ starting from $\gamma_0^0$, one of the processors $q$ and $q'$ must be enabled to modify its clock in a finite time (otherwise the network would be starved following Lemma 1). This implies the existence of a fragment of execution $\epsilon_a^0 = \gamma_0^0 \gamma_1^0 \ldots \gamma_k^0$ with the following properties:
1. $k \geq 1$ if there exists $i \in \{0, \ldots, r+1\}$ such that $p_i$ is enabled in $\gamma_0^0$, $k = 0$ otherwise;
2. $\epsilon_a^0$ contains no modification of clock values;
3. $\gamma_k^0$ is the first configuration where $q$ or $q'$ is enabled to modify its clock value.
Assume now that the scheduling of $\epsilon_a^0$ satisfies the following property: at each step, the daemon chooses the processor that was last activated among enabled processors. Note that this scenario is compatible with a strongly fair scheduling.
Let us study the following cases:
Case 1: $q$ is enabled in $\gamma_k^0$ for a modification of its clock value. The safety property of $A$ implies that the value of $c_q$ should be modified either to $r$ or to $r+1$.
Case 1.1: The value of $c_q$ is modified to $r$.
Since $A$ is a priority unison, there exists by definition a fragment of execution $\epsilon_{b1}^0 = \gamma_k^0 \gamma_{k+1}^0 \ldots \gamma_{k+r}^0$ that contains only actions of $q$ such that (i) in the steps from $\gamma_k^0$ to $\gamma_{k+r-1}^0$ the clock value of $q$ is not modified and (ii) in the step $\gamma_{k+r-1}^0 \to \gamma_{k+r}^0$ the clock value of $q$ is incremented.
Since $A$ is a priority unison, there exists by definition a fragment of execution $\epsilon_{b2}^0 = \gamma_{k+r}^0 \gamma_{k+r+1}^0 \ldots \gamma_{k+j}^0$ that contains only executions of a rule by $q$ such that (i) in the steps from $\gamma_{k+r}^0$ to $\gamma_{k+j-1}^0$ the clock value of $q$ is not modified and (ii) in the step $\gamma_{k+j-1}^0 \to \gamma_{k+j}^0$ the clock value of $q$ is incremented.
Let $\epsilon_b^0$ be $\epsilon_{b1}^0 \epsilon_{b2}^0$.
Case 1.2: The value of $c_q$ is modified to $r+1$.
Since $A$ is a priority unison, there exists by definition a fragment of execution $\epsilon_b^0 = \gamma_k^0 \gamma_{k+1}^0 \ldots \gamma_{k+r}^0$ that contains only actions of $q$ such that (i) in the steps from $\gamma_k^0$ to $\gamma_{k+r-1}^0$ the clock value of $q$ is not modified and (ii) in the step $\gamma_{k+r-1}^0 \to \gamma_{k+r}^0$ the clock value of $q$ increments.
If $q'$ is enabled in the last configuration of $\epsilon_b^0$ [footnote 1], we can construct $\epsilon_c^0$ similarly to $\epsilon_b^0$ using processor $q'$. Otherwise, let $\epsilon_c^0$ be $\epsilon$ (the empty word).
Case 2: $q'$ is enabled in $\gamma_k^0$ for a modification of its clock value.
We can construct $\epsilon_b^0$ and $\epsilon_c^0$ similarly to case 1 by reversing the roles of $q$ and $q'$.
Let us define $\epsilon_0 = \epsilon_a^0 \epsilon_b^0 \epsilon_c^0$. Notice that the clock values are identical in the first and the last configuration of $\epsilon_0$. This implies that we can infinitely repeat the previous reasoning in order to obtain an infinite execution $\epsilon = \epsilon_0 \epsilon_1 \ldots$ that satisfies:
• No correct processor is infinitely often enabled without executing a rule (since $q$ and $q'$ execute a rule infinitely often and other processors are chosen according to their last execution of a rule, which implies that an infinitely often enabled processor executes a rule in a finite time). This execution satisfies a strongly fair scheduling.
• The clock value of $p_{r+1}$ is never modified (whereas $d(p_0, p_{r+1}) = r+1$).
This execution contradicts the liveness property of $A$, which implies the result. □
4 A Universal Protocol for Chains and Rings
In the following we consider the only remaining possibility results (see Table 1) that are related to asynchronous unison on chains and rings (i.e. networks with a degree less than 3). In this section, we propose a $(1, 0)$-FTSS algorithm for AU under a locally central strongly fair daemon. The proposed algorithm is both minimal and priority.
The main difference between our protocol and the many self-stabilizing unison algorithms existing in the literature [9, 11, 12, 29] is that our correction rules use averaging rather than maximizing or minimizing, in order not to favor the clock value of a particular neighbor. Indeed, using a maximum or a minimum strategy could make the chosen neighbor prevent stabilization if it is crashed. The averaging idea was previously studied in [24] in a non-stabilizing fault-free setting. [23] also uses averaging to perform clock synchronization in a non-stabilizing Byzantine-tolerant system. The main difference with our approach is that the authors of [23] reject values that are too far from others (in order to avoid values proposed by Byzantine neighbors). In our case, we cannot reject any value due to the arbitrary initial clock values and the small number of available values (as our protocol operates on chains or rings, each processor has at most two neighbors).
Footnote 1 (proof of Proposition 6): In this case, $q'$ was already enabled in the last configuration of $\epsilon_a^0$.
Algorithm 1 (UFT SS): universal (1, 0)-FTSS AU for chains and rings.
Data:
- $N_p$: set of neighbors of $p$.
Variable:
- $c_p$: natural integer representing the clock of the processor.
Macros:
- For $A \subseteq \mathbb{N}$ and $a \in \mathbb{N}$, $next(A, a) = a + 1$ if $a + 1 \in A$, and $\min\{A\}$ otherwise.
- For $q \in N_p$, $poss(q) = \{c_q - 1, c_q, c_q + 1\}$ if $c_q \neq 0$, and $\{c_q, c_q + 1\}$ otherwise.
- $Inter(N_p) = \bigcap_{q \in N_p} poss(q)$.
Rules:
/* Normal rule */
(N) :: $|Inter(N_p)| \geq 2 \longrightarrow c_p := next(Inter(N_p), c_p)$
/* Correction rules */
(C1) :: $(|Inter(N_p)| = 0) \wedge \left(c_p \neq \left\lceil \frac{\sum_{q \in N_p} c_q}{|N_p|} \right\rceil\right) \wedge \left(c_p \neq \left\lfloor \frac{\sum_{q \in N_p} c_q}{|N_p|} \right\rfloor\right) \longrightarrow c_p := \left\lfloor \frac{\sum_{q \in N_p} c_q}{|N_p|} \right\rfloor$
(C2) :: $(Inter(N_p) = \{h\}) \wedge (c_p \neq h) \longrightarrow c_p := h$
4.1 Our Algorithm
The main idea of our algorithm follows. Each processor checks if it is “locally synchronized”, i.e. if the drift between its clock value and the clock values of its neighbors does not exceed 1. If a processor $p$ is “locally synchronized”, it modifies its clock value in a finite time in order to preserve this property. Otherwise, $p$ corrects its clock value in finite time.
More precisely, each processor $p$ has only one variable: its clock denoted by $c_p$. At each step, every processor $p$ computes a set of possible clock values, i.e. the set of clock values that have a drift of at most 1 with respect to all neighbors of $p$ (note that computing this set relies only on the clock values of $p$’s neighbors, but not on the one of $p$). This set is denoted by $Inter(N_p)$. Then, the following cases may appear:
- $|Inter(N_p)| = 0$, then $p$ has two neighbors and the drift between their clock values is strictly greater than 2. In this case, $p$ is enabled to take the average value between these two clock values if its clock does not yet have this value.
- $|Inter(N_p)| = 1$, then $p$ has two neighbors and the drift between their clock values is exactly 2. In this case, $p$ is enabled to take the average value between these two clock values if its clock does not yet have this value.
- $|Inter(N_p)| \geq 2$, then $p$ has one neighbor or the drift between the clock values of its two neighbors is strictly less than 2. In this case, $p$ is enabled to modify its clock value as follows: if $c_p + 1 \in Inter(N_p)$, then $c_p$ is modified to $c_p + 1$, otherwise $c_p$ is modified to $\min\{Inter(N_p)\}$.
The reader can find some examples of execution of our algorithm in Figures 8 to 11.
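The rules of Algorithm 1 can be run on the chain and initial clock values (1, 7, 6, 7, 13) of Figure 8; the following is an added example, not the authors' code, and its function names are hypothetical. It assumes one particular locally central strongly fair daemon (one processor per step, the least recently activated enabled processor first), so its trace need not match the figure, and it evaluates the potential function $P$ defined in Section 4.3.1 with legitimacy taken as "every edge has drift at most 1".

```python
# Added example (not the authors' code): Algorithm 1 on a chain without crash.

def chain(n):
    """Neighbor lists N_p of the chain p0 - p1 - ... - p(n-1)."""
    return [[q for q in (p - 1, p + 1) if 0 <= q < n] for p in range(n)]

def poss(cq):
    """Macro poss(q): clock values at drift <= 1 from the neighbor clock cq."""
    return {cq - 1, cq, cq + 1} if cq != 0 else {cq, cq + 1}

def inter(clocks, nbrs_p):
    """Macro Inter(N_p): intersection of poss(q) over the neighbors of p."""
    return set.intersection(*(poss(clocks[q]) for q in nbrs_p))

def enabled_rule(clocks, nbrs, p):
    """Return (rule name, new clock value) for p, or None if p is not enabled."""
    cand, cp = inter(clocks, nbrs[p]), clocks[p]
    if len(cand) >= 2:                        # rule (N): next(Inter(N_p), c_p)
        return ("N", cp + 1 if cp + 1 in cand else min(cand))
    if len(cand) == 1:                        # rule (C2): c_p := h
        (h,) = cand
        return ("C2", h) if cp != h else None
    total, deg = sum(clocks[q] for q in nbrs[p]), len(nbrs[p])
    low, high = total // deg, -(-total // deg)  # floor and ceiling of the average
    return ("C1", low) if cp not in (low, high) else None  # rule (C1)

def weights(clocks, nbrs):
    """omega(e, gamma) for every edge e = {p, q}."""
    return [abs(clocks[p] - clocks[q])
            for p in range(len(nbrs)) for q in nbrs[p] if p < q]

def varpi(clocks, nbrs, p):
    """varpi(p, gamma): largest drift on an edge incident to p."""
    return max(abs(clocks[p] - clocks[q]) for q in nbrs[p])

def potential(clocks, nbrs):
    """P(gamma) without its infinite prefix of zeros: (p(k), ..., p(2))."""
    w = weights(clocks, nbrs)
    return tuple(w.count(i) for i in range(max(w), 1, -1))

def smaller(p1, p2):
    """Order on potentials: pad with leading zeros, then compare term by term."""
    n = max(len(p1), len(p2))
    return (0,) * (n - len(p1)) + p1 < (0,) * (n - len(p2)) + p2

def legitimate(clocks, nbrs):
    """True when no edge has a drift of 2 or more, i.e. P(gamma) is all zeros."""
    return potential(clocks, nbrs) == ()

def run(clocks, nbrs, steps):
    """Assumed daemon: one processor per step (hence locally central), chosen
    as the least recently activated enabled processor (hence strongly fair)."""
    clocks, last, trace = list(clocks), [-1] * len(clocks), []
    for t in range(steps):
        moves = {}
        for p in range(len(clocks)):
            move = enabled_rule(clocks, nbrs, p)
            if move is not None:
                moves[p] = move
        if not moves:
            break
        p = min(moves, key=lambda x: (last[x], x))
        rule, new = moves[p]
        before = list(clocks)
        clocks[p], last[p] = new, t
        trace.append((p, rule, before, list(clocks)))
    return trace

GAMMA_0 = [1, 7, 6, 7, 13]   # initial clock values of Figure 8

if __name__ == "__main__":
    net = chain(5)
    for p, rule, before, after in run(GAMMA_0, net, 15):
        print(f"p{p} ({rule}): {before} -> {after}  P = {potential(after, net)}")
```

Printing the trace shows the correction rules emptying $P$ from its highest component down, after which only rule (N) fires and clocks may drift downward to 0 before being forced to increment.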
Figure 8: An example of execution of UFT SS on a chain with no crash (the numbers represent
clock values and squared processors in γi executed the indicated rule during the step γi −→ γi+1).
Figure 9: An example of execution of UFT SS on a chain with a crash (the numbers represent
clock values, the double circles represent crashed processors and squared processors in γi executed
the indicated rule during the step γi −→ γi+1).
The detailed description of our solution is proposed in Algorithm 1.
4.2 Correction Proof Road Map
In this section, we present the key ideas in order to prove the correctness of our algorithm.
First, we introduce some useful notations:
Notation 1 Let $p$ be a processor. If $q$ denotes one of its neighbors, we denote the other neighbor by $\bar{q}$ (if this neighbor exists).
Notation 2 We denote the value of $c_p$ for a processor $p$ in a configuration $\gamma_i$ by $(c_p)^{\gamma_i}$. We denote the value of $Inter(N_p)$ for a processor $p$ in a configuration $\gamma_i$ by $(Inter(N_p))^{\gamma_i}$.
In order to prove that UFT SS is a $(1, 0)$-ftss algorithm for AU under a locally central strongly fair daemon on a chain and on a ring (see Proposition 11), we prove in the sequel the following properties:
Figure 10: An example of execution of UFT SS on a ring with no crash (the numbers represent
clock values and squared processors in γi executed the indicated rule during the step γi −→ γi+1).
Figure 11: An example of execution of UFT SS on a ring with a crash (the numbers represent
clock values, the double circles represent crashed processors and squared processors in γi executed
the indicated rule during the step γi −→ γi+1).
1. UFT SS is a self-stabilizing algorithm for AU under a locally central strongly fair daemon
on a chain (Proposition 7).
2. UFT SS is a self-stabilizing algorithm for AU under a locally central strongly fair daemon
on a chain even if one processor is crashed in the initial configuration (Proposition 8).
3. UFT SS is a self-stabilizing algorithm for AU under a locally central strongly fair daemon
on a ring (Proposition 9).
4. UFT SS is a self-stabilizing algorithm for AU under a locally central strongly fair daemon
on a ring even if one processor is crashed in the initial configuration (Proposition 10).
The proof of each of these 4 propositions is deduced from 3 lemmas as follows:
1. Firstly, we prove that UFT SS satisfies the closure of the safety of UAU under the considered hypothesis (i.e. if there exists a configuration $\gamma$ such that $\gamma \in \Gamma_1$, then every configuration $\gamma'$ reachable from $\gamma$ satisfies: $\gamma' \in \Gamma_1$, see respectively Lemma 4, 10, 13, and 19).
The idea of the proof is as follows: we first prove that only the normal rule is enabled in such a configuration and then, we show that this rule ensures the closure of the safety property.
2. Secondly, we prove that UFT SS satisfies liveness of UAU under the considered hypothesis in every execution starting from a legitimate configuration (i.e. every (correct) processor increments infinitely often its clock, see respectively Lemma 6, 11, 15, and 20).
This proof is done in the following way: we first show that every (correct) processor executes infinitely often the normal rule in every execution starting from a configuration $\gamma \in \Gamma_1$ and then, we show that if a processor executes infinitely often the normal rule, it increments its clock in a finite time.
3. Finally, we prove that UFT SS converges to a legitimate configuration of UAU under the considered hypothesis in every execution (i.e. there exists a configuration $\gamma \in \Gamma_1$ in every execution, see respectively Lemma 9, 12, 18, and 21).
In order to complete this proof we study a potential function.
4.3 Proof on a Chain
In this section, we assume that our algorithm is executed on a chain under a strongly fair locally central daemon. In the following we prove that UFT SS is a FTSS UAU (which implies that it is a FTSS AU) under these assumptions. The proof contains two major steps:
• First, we prove that our algorithm is self-stabilizing.
• Second, we prove that our algorithm is self-stabilizing even if the initial configuration contains a crashed processor.
4.3.1 Proof of Self-Stabilization
In this section, $\epsilon = \gamma_0, \gamma_1 \ldots$ denotes an execution of UFT SS where there is no crash.
Firstly, we are going to prove the closure of our algorithm.
Lemma 4 If there exists $i \geq 0$ such that $\gamma_i \in \Gamma_1$, then $\gamma_{i+1} \in \Gamma_1$.
Proof. Assume that there exists $i \geq 0$ such that $\gamma_i \in \Gamma_1$. This implies that $\forall p \in V, (Inter(N_p))^{\gamma_i} \neq \emptyset$ and then the rule (C1) is not enabled in $\gamma_i$. Assume rule (C2) is enabled in $\gamma_i$. This implies that $(Inter(N_p))^{\gamma_i} = \{h\}$ and that $(c_p)^{\gamma_i} \neq h$. Then, we have $\gamma_i \notin \Gamma_1$ (since if $(c_p)^{\gamma_i} \neq h$, then the following holds: $\exists q \in N_p, |(c_p)^{\gamma_i} - (c_q)^{\gamma_i}| \geq 2$). This contradiction allows us to conclude that the enabled processors in $\gamma_i$ are only enabled for rule (N).
Let $p$ be a processor that executes a rule during the step $\gamma_i \to \gamma_{i+1}$. Since the daemon is locally central, neighbors of $p$ do not execute a rule during this step (their clock values remain identical). Assume the following holds: $\exists q \in N_p, |(c_p)^{\gamma_{i+1}} - (c_q)^{\gamma_{i+1}}| \geq 2$. By construction of rule (N), $(c_p)^{\gamma_{i+1}} \in (Inter(N_p))^{\gamma_i}$. By construction, $(Inter(N_p))^{\gamma_i} \subseteq \{(c_q)^{\gamma_i} - 1, (c_q)^{\gamma_i}, (c_q)^{\gamma_i} + 1\}$. It follows that $\forall q \in N_p, |(c_p)^{\gamma_{i+1}} - (c_q)^{\gamma_{i+1}}| < 2$ for each processor $p$ that executes a rule (since $\forall q \in N_p, (c_q)^{\gamma_i} = (c_q)^{\gamma_{i+1}}$). Overall, $\gamma_{i+1} \in \Gamma_1$. □
Secondly, we prove the liveness of our algorithm.
Lemma 5 $\forall \gamma_0 \in \Gamma_1, \forall p \in V$, $p$ executes the rule (N) in a finite time in any execution starting from $\gamma_0$.
Proof. Let $\gamma \in \Gamma_1$. Following Lemma 4, the only enabled rule is (N). We prove this property by induction. To this end, we define the following property (where $p$ denotes a processor):
$(P_d)$: If $d$ is the distance between $p$ and the closest end of the chain, then $p$ executes the rule (N) in a finite time in any execution starting from $\gamma_0$.
Initialization ($d = 0$): For all $\gamma'$, configurations contained in an execution starting from $\gamma_0$, $p$ is enabled for rule (N) since $(Inter(N_p))^{\gamma'} \supseteq \{(c_q)^{\gamma'}, (c_q)^{\gamma'} + 1\}$ where $q$ denotes the only neighbor of $p$. Since the daemon is strongly fair, $p$ executes a rule in a finite time.
Induction ($d > 0$): Assume $(P_{d-1})$ is true. Denote by $q$ the neighbor of $p$ that is on the half-chain starting with $p$ of length $d$. Assume for the sake of contradiction that $p$ is never enabled for rule (N) in an execution $\epsilon$ starting from $\gamma_0 \in \Gamma_1$. This implies that, for each configuration $\gamma'$ that is contained in $\epsilon$, we have $|(Inter(N_p))^{\gamma'}| = 1$ (since if $|(Inter(N_p))^{\gamma'}| = 0$, then $\gamma' \notin \Gamma_1$). Let us study the following cases (recall that, if $q$ denotes a neighbor of $p$, $\bar{q}$ denotes the second neighbor of $p$ as stated in Notation 1):
Case 1: $\bar{q}$ never executes a rule in $\epsilon$ (this implies that $c_{\bar{q}}$ is a constant in $\epsilon$).
It follows that: $\forall \gamma' \in \epsilon, (c_q)^{\gamma'} = (c_{\bar{q}})^{\gamma'} + 2$ or $(c_q)^{\gamma'} = (c_{\bar{q}})^{\gamma'} - 2$.
As $q$ executes infinitely often rule (N), its clock moves at each activation from a value to the other. Hence, we have $(c_q)^{\gamma'} = (c_{\bar{q}})^{\gamma'} - 2$ in a finite time. Then, the next activation of $q$ moves its clock value to $(c_{\bar{q}})^{\gamma'} + 2$, which is contradictory with the construction of macro $next$ (it can only increment the clock value by 1 or decrement it).
Case 2: $\bar{q}$ executes a rule in a finite time in $\epsilon$.
Let $\gamma \to \gamma'$ be the first step when $\bar{q}$ executes the rule (N). It is known that, for any $\gamma \in \Gamma_1$:
$|(Inter(N_p))^{\gamma}| = 1 \Rightarrow \begin{cases} (c_{\bar{q}})^{\gamma} = ((c_p)^{\gamma} - 1) \wedge (c_q)^{\gamma} = ((c_p)^{\gamma} + 1) & (A) \\ \text{or} \\ (c_{\bar{q}})^{\gamma} = ((c_p)^{\gamma} + 1) \wedge (c_q)^{\gamma} = ((c_p)^{\gamma} - 1) & (B) \end{cases}$
Let us study the following cases:
Case 2.1: (A) is true in $\gamma$ and (B) is true in $\gamma'$. The clock move of $\bar{q}$ is in contradiction with the construction of macro $next$.
Case 2.2: (B) is true in $\gamma$ and (A) is true in $\gamma'$. The clock move of $q$ is in contradiction with the construction of macro $next$.
This proves that case 2 is contradictory.
Since the two cases are contradictory, we can conclude that $p$ is enabled for rule (N) in a finite time in every execution starting from a configuration $\gamma \in \Gamma_1$. Since the daemon is strongly fair, we can say that $p$ executes rule (N) in a finite time in every execution starting from $\gamma_0$. Consequently $(P_d)$ is true.
□
The above property implies that $\forall \gamma_0 \in \Gamma_1, \forall p \in V$, $p$ executes the rule (N) infinitely often in every execution starting from $\gamma_0$.
Lemma 6 If $\gamma \in \Gamma_1$, then any processor increments its clock in a finite time in any execution starting from $\gamma$.
Proof. Assume for the sake of contradiction that there exists a processor $p$ and an execution $\epsilon$ starting from $\gamma_0 \in \Gamma_1$ such that $p$ never increments its clock in $\epsilon$.
Let $\alpha = (c_p)^{\gamma_0}$. By Lemma 5, $p$ executes infinitely often (N). But, it never increments its clock, which implies that $next((Inter(N_p))^{\gamma}, (c_p)^{\gamma}) = \min\{(Inter(N_p))^{\gamma}\}$ at each execution of a rule by $p$ (in a configuration $\gamma$). Since $\forall \gamma \in \Gamma_1, \forall q \in N_p, |(c_p)^{\gamma} - (c_q)^{\gamma}| < 2$ and $\forall q \in N_p, (Inter(N_p))^{\gamma} \subseteq \{(c_q)^{\gamma} - 1, (c_q)^{\gamma}, (c_q)^{\gamma} + 1\}$, we have: $\min\{(Inter(N_p))^{\gamma}\} \leq (c_p)^{\gamma}$.
Assume that there exists $\gamma \in \Gamma_1$ such that $\min\{(Inter(N_p))^{\gamma}\} = (c_p)^{\gamma}$. This implies that there exists $q \in N_p$ such that $(c_q)^{\gamma} = (c_p)^{\gamma} + 1$.
Recall that, if $q$ denotes a neighbor of $p$, $\bar{q}$ denotes the second neighbor of $p$ as stated in Notation 1. If $\bar{q}$ does not exist or if $(c_{\bar{q}})^{\gamma} \in \{(c_p)^{\gamma}, (c_p)^{\gamma} + 1\}$, then $(c_p)^{\gamma} + 1 \in (Inter(N_p))^{\gamma}$. This contradicts $next((Inter(N_p))^{\gamma}, (c_p)^{\gamma}) = \min\{(Inter(N_p))^{\gamma}\}$. We deduce that $\bar{q}$ exists and that $(c_{\bar{q}})^{\gamma} = (c_p)^{\gamma} - 1$. This implies that (N) is not enabled for $p$.
We can deduce that, if rule (N) is executed by a processor $p$ in a configuration $\gamma$, then $\min\{(Inter(N_p))^{\gamma}\} < (c_p)^{\gamma}$. We can now state that, in at most $\alpha$ executions of $p$, $c_p = 0$. The next execution of $p$ increments its clock value, which contradicts the assumption on $p$ and the construction of $\epsilon$. Then, we obtain the result. □
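In the following we prove the convergence of our algorithm.
Let $\gamma \in \Gamma$, we define the following notations:
$$\forall e = \{p, q\} \in E,\ \omega(e, \gamma) = |(c_p)^{\gamma} - (c_q)^{\gamma}|$$
$$\forall p \in V,\ \varpi(p, \gamma) = \max_{e \in E / p \in e} \{\omega(e, \gamma)\}$$
$$\forall i \in \mathbb{N},\ p(i, \gamma) = |\{e \in E / \omega(e, \gamma) = i\}|$$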
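Consider the following potential function:
$$P : \begin{cases} \Gamma \longrightarrow \mathbb{N}^{\infty} \\ \gamma \longmapsto (\ldots, 0, 0, p(k, \gamma), p(k-1, \gamma), \ldots, p(2, \gamma)) \text{ with } k = \max_{e \in E} \{\omega(e, \gamma)\} \end{cases}$$
To compare values of $P$, we define the following total order. If $\gamma$ and $\gamma'$ are two configurations such that $P(\gamma) = (\ldots, 0, p_i, p_{i-1}, \ldots, p_2)$ and $P(\gamma') = (\ldots, 0, q_j, q_{j-1}, \ldots, q_2)$, then
$$P(\gamma) > P(\gamma') \Leftrightarrow \begin{cases} i > j \\ \text{or} \\ (i = j) \wedge (\exists t \in \{2, \ldots, i\}, (\forall k \in \{t+1, \ldots, i\}, p_k = q_k) \wedge (p_k > q_k)) \end{cases}$$
The following properties are satisfied:
$$\forall \gamma \in \Gamma,\ P(\gamma) \geq (\ldots, 0, 0)$$
$$\forall \gamma \in \Gamma,\ \gamma \in \Gamma_1 \Leftrightarrow P(\gamma) = (\ldots, 0, 0)$$
$$\forall \gamma \in \Gamma,\ \gamma \in \Gamma \setminus \Gamma_1 \Leftrightarrow P(\gamma) > (\ldots, 0, 0)$$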
Lemma 7 If $\gamma \in \Gamma \setminus \Gamma_1$, then every step $\gamma \to \gamma'$, which contains the execution of a rule by a processor $p$ such that $\varpi(p) \geq 2$ satisfies $P(\gamma') < P(\gamma)$.
Proof. Let $\gamma \in \Gamma \setminus \Gamma_1$. Let $\gamma \to \gamma'$ be a step that contains the execution of a rule by a processor $p$ such that $\varpi(p) \geq 2$ and $\gamma \in \Gamma \setminus \Gamma_1$. Since the daemon is locally central, neighbors of $p$ do not modify their clocks during this step. Consider the following cases:
Case 1: $p$'s degree equals 1.
Let $q$ be its only neighbor and $j = \omega(\{p, q\}, \gamma) = |(c_p)^{\gamma} - (c_q)^{\gamma}|$. $(Inter(N_p))^{\gamma} = \{(c_q)^{\gamma} - 1, (c_q)^{\gamma}, (c_q)^{\gamma} + 1\}$. It follows that $p$ executed rule (N). So, we have $|(c_p)^{\gamma'} - (c_q)^{\gamma'}| \leq 1$.
Then: $\varpi(\{p, q\}, \gamma') \leq 1$ and:
$$P(\gamma) = (\ldots, 0, 0, p(k, \gamma), p(k-1, \gamma), \ldots, p(j, \gamma), \ldots, p(2, \gamma))$$
$$P(\gamma') = (\ldots, 0, 0, p(k, \gamma), p(k-1, \gamma), \ldots, p(j, \gamma) - 1, \ldots, p(2, \gamma))$$
And then: $P(\gamma') < P(\gamma)$.
Case 2: $p$'s degree equals 2.
Let $q$ be the neighbor of $p$ such that $\omega(\{p, q\}, \gamma) = \varpi(p, \gamma) \geq 2$ and denote $j = \omega(\{p, \bar{q}\}, \gamma) \leq \varpi(p, \gamma)$, $e = \{p, q\}$ and $\bar{e} = \{p, \bar{q}\}$. Consider the following cases:
Case 2.1: $p$ executed the rule (N) during the step $\gamma \to \gamma'$.
By construction of $(Inter(N_p))^{\gamma}$, we have $\omega(e, \gamma') \leq 1$ and $\omega(\bar{e}, \gamma') \leq 1$. Then:
$$P(\gamma) = (\ldots, 0, 0, p(k, \gamma), p(k-1, \gamma), \ldots, p(\varpi(p, \gamma), \gamma), \ldots, p(j, \gamma), \ldots, p(2, \gamma))$$
$$P(\gamma') = (\ldots, 0, p(k, \gamma), \ldots, p(\varpi(p, \gamma), \gamma) - 1, \ldots, p(j, \gamma) - 1, \ldots, p(2, \gamma))$$
And then: $P(\gamma') < P(\gamma)$.
Case 2.2: $p$ executed the rule (C2) during the step $\gamma \to \gamma'$.
This case is similar to the case 2.1.
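Case 2.3: $p$ executed the rule (C1) during the step $\gamma \to \gamma'$.
Let us study the following cases:
Case 2.3.1: We have: $(c_q)^{\gamma} < (c_{\bar{q}})^{\gamma}$.
By hypothesis, we know that $\omega(e, \gamma) \geq \omega(\bar{e}, \gamma)$ and then:
$$(c_p)^{\gamma} \geq \frac{(c_q)^{\gamma} + (c_{\bar{q}})^{\gamma}}{2}$$
1) Assume that $(c_p)^{\gamma} > (c_{\bar{q}})^{\gamma} + \frac{(c_q)^{\gamma} + (c_{\bar{q}})^{\gamma}}{2}$.
We can say that:
$$\omega(e, \gamma) > (c_{\bar{q}})^{\gamma} - (c_q)^{\gamma} + \frac{(c_q)^{\gamma} + (c_{\bar{q}})^{\gamma}}{2}$$
$$\omega(e, \gamma') = \left\lfloor \frac{(c_q)^{\gamma} + (c_{\bar{q}})^{\gamma}}{2} \right\rfloor$$
Then: $\omega(e, \gamma') < \omega(e, \gamma)$.
On the other hand,
$$\omega(\bar{e}, \gamma) > \frac{(c_q)^{\gamma} + (c_{\bar{q}})^{\gamma}}{2}$$
$$\omega(\bar{e}, \gamma') = (c_{\bar{q}})^{\gamma} - \left\lfloor \frac{(c_q)^{\gamma} + (c_{\bar{q}})^{\gamma}}{2} \right\rfloor$$
Then: $\omega(\bar{e}, \gamma') \leq \omega(\bar{e}, \gamma)$.
In conclusion, we have: $P(\gamma') < P(\gamma)$.
2) Assume that $(c_p)^{\gamma} \leq (c_{\bar{q}})^{\gamma} + \frac{(c_q)^{\gamma} + (c_{\bar{q}})^{\gamma}}{2}$.
We have then:
$$\omega(e, \gamma) > \frac{(c_q)^{\gamma} + (c_{\bar{q}})^{\gamma}}{2}$$
$$\omega(e, \gamma') = \left\lfloor \frac{(c_q)^{\gamma} + (c_{\bar{q}})^{\gamma}}{2} \right\rfloor$$
Then: $\omega(e, \gamma') < \omega(e, \gamma)$.
In contrast, we have that: $\omega(\bar{e}, \gamma') \geq \omega(\bar{e}, \gamma)$. But we can say that $\omega(\bar{e}, \gamma') < \omega(e, \gamma)$ (obvious if $(c_p)^{\gamma} > (c_{\bar{q}})^{\gamma}$, due to the fact that $(c_p)^{\gamma} > \left\lceil \frac{(c_q)^{\gamma} + (c_{\bar{q}})^{\gamma}}{2} \right\rceil$ in the contrary case).
In conclusion, we have: $P(\gamma') < P(\gamma)$.
Case 2.3.2: We have $(c_q)^{\gamma} > (c_{\bar{q}})^{\gamma}$.
This case is similar to the case 2.3.1 when we permute $q$ and $\bar{q}$.
That proves the result.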
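The potential function $P$ and its order can be checked mechanically on small configurations. The following Python sketch is an added example, not part of the paper: it encodes $P(\gamma)$ as the finite tuple $(p(k,\gamma), \ldots, p(2,\gamma))$ with the leading zeros dropped, reads the order as the usual lexicographic comparison from the highest index down, and replays Case 1 of Lemma 7 on a constructed 5-processor chain. All function names and sample clock values are assumptions of the example.

```python
"""Potential function P of the convergence proof on a chain or ring (added example)."""


def chain_edges(n):
    """Edges of a chain p0 - p1 - ... - p(n-1)."""
    return [(i, i + 1) for i in range(n - 1)]


def ring_edges(n):
    """Edges of a ring of n processors."""
    return [(i, (i + 1) % n) for i in range(n)]


def omega(clocks, edge):
    """omega(e, gamma): clock drift across the edge e = {p, q}."""
    p, q = edge
    return abs(clocks[p] - clocks[q])


def varpi(clocks, edges, p):
    """varpi(p, gamma): largest drift on an edge incident to p."""
    return max(omega(clocks, e) for e in edges if p in e)


def potential(clocks, edges):
    """P(gamma) as the tuple (p(k), p(k-1), ..., p(2)), with k the max drift.

    The infinite run of leading zeros is dropped, so a configuration of
    Gamma_1 (every drift < 2) maps to the empty tuple.
    """
    k = max(omega(clocks, e) for e in edges)
    return tuple(
        sum(1 for e in edges if omega(clocks, e) == i) for i in range(k, 1, -1)
    )


def greater(P, Q):
    """P > Q: the longer vector wins, ties are broken lexicographically from index k."""
    return (len(P), P) > (len(Q), Q)


def in_gamma1(clocks, edges):
    """gamma is in Gamma_1 iff P(gamma) = (..., 0, 0)."""
    return potential(clocks, edges) == ()


def case1_moves(clocks, edges, p):
    """Lemma 7, Case 1: p has degree 1 and varpi(p) >= 2.

    Returns {new clock of p: P(gamma')} for every value of
    {c_q - 1, c_q, c_q + 1} (clipped at 0) that p may move to.
    """
    incident = [e for e in edges if p in e]
    if len(incident) != 1 or varpi(clocks, edges, p) < 2:
        raise ValueError("Case 1 needs a degree-1 processor with varpi >= 2")
    q = incident[0][0] if incident[0][1] == p else incident[0][1]
    result = {}
    for value in range(max(clocks[q] - 1, 0), clocks[q] + 2):
        after = list(clocks)
        after[p] = value
        result[value] = potential(after, edges)
    return result


# Constructed sample: a 5-processor chain outside Gamma_1.
EDGES = chain_edges(5)
GAMMA = [7, 3, 4, 4, 6]  # drifts along the chain: 4, 1, 0, 2

if __name__ == "__main__":
    before = potential(GAMMA, EDGES)
    print("P(gamma) =", before)
    for value, after in case1_moves(GAMMA, EDGES, 0).items():
        print(f"c_p0 -> {value}: P(gamma') = {after}, decreased: {greater(before, after)}")
```

Whatever value the end processor picks among the three allowed ones, the edge of drift 4 disappears from the vector and $P$ strictly decreases, as Case 1 states.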
Lemma 8 If $\gamma_0 \in \Gamma \setminus \Gamma_1$, then every execution starting from $\gamma_0$ contains the execution of a rule by a processor $p$ such that $\varpi(p, \gamma_0) \geq 2$.
Proof. Let $\gamma_0 \in \Gamma \setminus \Gamma_1$. We prove the result by contradiction. Assume that there exists an execution $\epsilon = \gamma_0 \gamma_1 \ldots$ starting from $\gamma_0$, which contains no execution of a rule by processors $p$ satisfying $\varpi(p, \gamma_0) \geq 2$.
First, assume that one end of the chain (denote it by $p$) satisfies: $\varpi(p, \gamma_0) \geq 2$. Denote by $q$ the only neighbor of $p$. If $q$ is activated during $\epsilon$, we obtain a contradiction (since $\varpi(q, \gamma_0) \geq \varpi(p, \gamma_0) \geq 2$). If $q$ is not activated during $\epsilon$, we obtain that $\forall i \in \mathbb{N}, (Inter(N_p))^{\gamma_i} = \{(c_q)^{\gamma_0} - 1, (c_q)^{\gamma_0}, (c_q)^{\gamma_0} + 1\}$, so $p$ is always enabled for rule (N). Since the daemon is strongly fair, $p$ executes a rule in a finite time, which is contradictory. We can deduce that the two ends of the chain satisfy: $\varpi(p, \gamma_0) < 2$.
Under a strongly fair daemon, the only way for a processor to never execute a rule is to be never enabled from a given configuration. Here, we assume that all processors $p$ satisfying $\varpi(p, \gamma_0) \geq 2$ never execute a rule, which implies that the network satisfies:
$$\exists k \in \mathbb{N}, \forall j \geq k, \forall p \in V / \varpi(p, \gamma_0) \geq 2, \begin{cases} (Inter(N_p))^{\gamma_j} = \emptyset \\ \text{and} \\ (c_p)^{\gamma_j} \in \left\{ \left\lceil \frac{(c_q)^{\gamma_j} + (c_{\bar{q}})^{\gamma_j}}{2} \right\rceil, \left\lfloor \frac{(c_q)^{\gamma_j} + (c_{\bar{q}})^{\gamma_j}}{2} \right\rfloor \right\} \end{cases}$$
Number processors of the chain from $p_1$ to $p_n$. Let $i$ be the smallest integer such that $\varpi(p_i, \gamma_k) \geq 2$ (remark that, by hypothesis, $p_{i+1}$ never executes a rule, which implies that its clock value never changes). All these constraints allow us to say:
$$\begin{cases} (c_{p_{i-1}})^{\gamma_k} = (c_{p_i})^{\gamma_k} + 1 \wedge (c_{p_{i+1}})^{\gamma_k} = (c_{p_i})^{\gamma_k} - 2 & (A) \\ \text{or} \\ (c_{p_{i-1}})^{\gamma_k} = (c_{p_i})^{\gamma_k} - 1 \wedge (c_{p_{i+1}})^{\gamma_k} = (c_{p_i})^{\gamma_k} + 2 & (B) \end{cases}$$
By a reasoning similar to that of the proof of Lemma 6, we can prove that all processors between $p_0$ and $p_{i-1}$ execute the rule (N) infinitely often in every execution starting from $\gamma_k$ even if $p_i$ never executes a rule (this is the case by hypothesis). By a reasoning similar to the one of the proof of Lemma 6, we can state that $c_{p_{i-1}}$ does not remain constant. The construction of $Inter(N_{p_{i-1}})$ implies that $(Inter(N_{p_{i-1}}))^{\gamma_j} \subseteq \{(c_{p_i})^{\gamma_k} - 1, (c_{p_i})^{\gamma_k}, (c_{p_i})^{\gamma_k} + 1\}$ for each $j \geq k$ (since $c_{p_i}$ does not change by hypothesis).
If we are in case (A), we can deduce that $c_{p_{i-1}}$ takes infinitely often the value $(c_{p_i})^{\gamma_k} - 1$ or $(c_{p_i})^{\gamma_k}$. We can see that $p_i$ is enabled by (N) and (C1) respectively. This contradicts the construction of $k$ (recall that $p_i$ is never enabled in $\epsilon$ from $\gamma_k$).
If we are in case (B), we can deduce that $c_{p_{i-1}}$ takes infinitely often the value $(c_{p_i})^{\gamma_k} + 1$ or $(c_{p_i})^{\gamma_k}$. We can see that $p_i$ is enabled by (N) and (C1) respectively. This contradicts the construction of $k$ (recall that $p_i$ is never enabled in $\epsilon$ from $\gamma_k$).
This finishes the proof.
Lemma 9 There exists i ≥ 0 such that γi ∈ Γ1.
Proof. The result follows directly from Lemmas 7 and 8. 
Finally, we can conclude:
Proposition 7 UFT SS is a self-stabilizing AU under a locally central strongly fair daemon.
Proof. Lemmas 4, 6, and 9 allow us to say that UFT SS is a self-stabilizing UAU under a
locally central strongly fair daemon. Then, we can deduce the result.
4.3.2 Proof of Self-Stabilization in spite of a Crash
In this section, $\epsilon = \gamma_0, \gamma_1 \ldots$ denotes an execution of UFT SS such that a processor $c$ is crashed
in $\gamma_0$.
Firstly, we are going to prove the closure of our algorithm under these assumptions.
Lemma 10 If there exists i ≥ 0 such that γi ∈ Γ1, then γi+1 ∈ Γ1.
Proof. We can repeat the reasoning of Lemma 4 since the fact that a processor is crashed or
not does not modify the proof. 
Secondly, we are going to prove the liveness of our algorithm under these assumptions.
Lemma 11 If $\gamma_0 \in \Gamma_1$, then every processor $p \neq c$ increments its clock in a finite time in $\epsilon$.
Proof. We repeat the reasoning of Lemma 6 taking into account a processor $p \in V^*$.
In order to prove the property of Lemma 5, we take $d$ as the distance between $p$ and the
end $e$ of the chain that satisfies: no processor between $p$ and $e$ is crashed. This implies that the
processor $q$ is not crashed. The case where $\bar{q}$ is crashed appears in the case 1 of the induction.
We can repeat the reasoning of the proof of Lemma 6 since the fact that a processor is crashed
or not does not modify the proof.
Now, we are going to prove the convergence of our algorithm under these assumptions.
Lemma 12 There exists i ≥ 0 such that γi ∈ Γ1.
Proof. We repeat the reasoning of Lemma 9 taking into account a processor $p \in V^*$.
We can repeat the reasoning of the proof of the property of Lemma 7 since the fact that a
processor is crashed or not does not modify the proof.
In order to prove the property of Lemma 8, we take a numbering of processors that ensures
the following property: no processor between $p_0$ and $p_i$ (inclusive) is crashed. It is always
possible to choose such a numbering since there exists at least one edge $e$ such that $\omega(e, \gamma_k) \geq 2$
by hypothesis, which implies that there exist at least two processors $p$ such that $\varpi(p, \gamma_k) \geq 2$,
which allows us to choose one that is not crashed. The case when $p_{i+1}$ is crashed does not modify
the proof since we assumed that this processor never executes a rule.
Finally, we can conclude:
Proposition 8 UFT SS is a self-stabilizing AU under a locally central strongly fair daemon
even if a processor is crashed in the initial configuration.
Proof. Lemmas 10, 11, and 12 allow us to say that UFT SS is a self-stabilizing UAU under
a locally central strongly fair daemon even if a processor is crashed in the initial configuration.
Then, we can deduce the result.
4.4 Proof on a Ring
In this section, we assume that our algorithm is executed on a ring under a strongly fair locally
central daemon. In fact, we are going to show that UFT SS is a FTSS UAU (that implies that
it is a FTSS AU) under these assumptions. The proof contains two major steps:
• Firstly, we show that our algorithm is self-stabilizing under these assumptions.
• Secondly, we show that our algorithm is self-stabilizing even if the initial configuration
contains a crashed processor under these assumptions.
4.4.1 Proof of Self-Stabilization
In this section, $\epsilon = \gamma_0, \gamma_1 \ldots$ denotes an execution of UFT SS where there is no crash.
Firstly, we are going to prove the closure of our algorithm under these assumptions.
Lemma 13 If there exists i ≥ 0 such that γi ∈ Γ1, then γi+1 ∈ Γ1.
Proof. We can repeat the reasoning of the proof of Lemma 4 since the topology of the network
has no impact on the proof. 
Secondly, we are going to prove the liveness of our algorithm under these assumptions.
Lemma 14 $\forall \gamma_0 \in \Gamma_1, \forall p \in V$, $p$ executes rule (N) in a finite time in every execution starting from $\gamma_0$.
Proof. Let $\gamma_0 \in \Gamma_1$ (we have seen in the proof of Lemma 4 that this implies that only rule (N) can be enabled). Assume that there exists a processor $p$ and an execution $\epsilon = \gamma_0, \gamma_1 \ldots$ starting from $\gamma_0$ such that $p$ never executes a rule in $\epsilon$. Since the daemon is strongly fair, this implies that $\exists k \in \mathbb{N}, \forall j \geq k$, $p$ is not enabled in $\gamma_j$.
Since processor $p$ is not enabled, it satisfies: $\exists q \in N_p, (c_p)^{\gamma_j} = (c_q)^{\gamma_j} + 1$ and $(c_p)^{\gamma_j} = (c_{\bar{q}})^{\gamma_j} - 1$. Let $i$ be the smallest integer greater than $k$ such that the step $\gamma_i \to \gamma_{i+1}$ contains the execution of a rule by at least one neighbor of $p$. Let us study the following cases:
Case 1: $q$ and $\bar{q}$ simultaneously execute a rule during the step $\gamma_i \to \gamma_{i+1}$.
Since $p$ is not enabled in $\gamma_{i+1}$ (by hypothesis) and the execution of rule (N) always modifies the clock values (cf. proof of Lemma 6), we have:
$$\begin{cases} (c_p)^{\gamma_i} = (c_q)^{\gamma_i} + 1 \text{ and } (c_p)^{\gamma_i} = (c_{\bar{q}})^{\gamma_i} - 1 \\ \text{and} \\ (c_p)^{\gamma_{i+1}} = (c_q)^{\gamma_{i+1}} - 1 \text{ and } (c_p)^{\gamma_{i+1}} = (c_{\bar{q}})^{\gamma_{i+1}} + 1 \end{cases}$$
The clock move of $\bar{q}$ contradicts the construction of rule (N) and $(Inter(N_p))^{\gamma_i}$. Therefore, this case is impossible.
Case 2: Only $q$ executes a rule during the step $\gamma_i \to \gamma_{i+1}$.
By construction of rule (N), $(Inter(N_q))^{\gamma_i}$, and the fact that the execution of this rule must change the clock value, we have: $(c_q)^{\gamma_{i+1}} \in \{(c_p)^{\gamma_i}, (c_p)^{\gamma_i} - 1\}$. Processor $p$ is then enabled for rule (N) (since the clocks of $p$ and $\bar{q}$ have not changed by hypothesis). This contradicts the construction of $k$. Therefore, this case is impossible.
Case 3: Only $\bar{q}$ executes a rule during the step $\gamma_i \to \gamma_{i+1}$.
This case is similar to case 2.
Case 4: Neither $q$ nor $\bar{q}$ executes a rule during the step $\gamma_i \to \gamma_{i+1}$.
By the three previous contradictions, it is the only possible case.
We can deduce that $\forall j \geq k$, $q$ and $\bar{q}$ do not execute a rule in $\gamma_j$, which implies that their clock values remain constant from $\gamma_k$. If we repeat the previous reasoning, we obtain that it is possible only if the second neighbor of $q$ has a clock value equal to $(c_p)^{\gamma_k} + 2$ and if the second neighbor of $\bar{q}$ has a clock value equal to $(c_p)^{\gamma_k} - 2$, etc.
Since the ring has a finite length $n$, we obtain (following the same reasoning) that there exist two neighboring processors $p_1$ and $p_2$ such that $(c_{p_1})^{\gamma_k} = (c_p)^{\gamma_k} + \alpha$ and $(c_{p_2})^{\gamma_k} = (c_p)^{\gamma_k} - \beta$ (with $\alpha$ and $\beta$ integers greater than or equal to 1 depending on the parity of $n$). Therefore, $|(c_{p_1})^{\gamma_k} - (c_{p_2})^{\gamma_k}| = \alpha + \beta \geq 2$. Then, we obtain that $\gamma_k \notin \Gamma_1$, which contradicts Lemma 13 and proves the lemma.
Lemma 15 If $\gamma_0 \in \Gamma_1$, then every processor increments its clock in a finite time in $\epsilon$.
Proof. The proof is similar to the one of Lemma 6 using Lemma 14 (instead of Lemma 5)
since the topology of the network has no impact on the proof. 
Now, we are going to prove the convergence of our algorithm under these assumptions.
In the following, we consider the potential function P previously defined and use similar
arguments as for the proof of Lemma 9.
Lemma 16 If $\gamma \in \Gamma \setminus \Gamma_1$, then every step $\gamma \to \gamma'$ that contains the execution of a rule of a
processor $p$ such that $\varpi(p) \geq 2$ satisfies $P(\gamma') < P(\gamma)$.
Proof. The proof is similar to the proof of Lemma 7 since the topology of the network has
no impact on the proof (note that the case 1 is impossible on a ring). 
Lemma 17 If $\gamma_0 \in \Gamma \setminus \Gamma_1$, then every execution starting from $\gamma_0$ contains the execution of a rule of a processor $p$ such that $\varpi(p, \gamma_0) \geq 2$.
Proof. Let $\gamma_0 \in \Gamma \setminus \Gamma_1$. Assume, for the sake of contradiction, that there exists an execution $\epsilon = \gamma_0 \gamma_1 \ldots$ starting from $\gamma_0$ that contains no execution of a rule by any processor $p$ that satisfies $\varpi(p, \gamma_0) \geq 2$. Since the daemon is strongly fair, this implies that $\exists k \in \mathbb{N}, \forall j \geq k$, $p$ is not enabled in $\gamma_j$.
Let $q$ be the neighbor of $p$ satisfying $\omega(\{p, q\}, \gamma_k) = \varpi(p, \gamma_k)$. By hypothesis, $q$ never executes a rule. Therefore, its clock value remains constant. Let us study the following cases:
Case 1: $|(c_q)^{\gamma_j} - (c_{\bar{q}})^{\gamma_j}| \leq 1$
It follows that $p$ is enabled for the rule (N) since $|(Inter(N_p))^{\gamma_j}| \geq 2$. This contradicts the construction of $k$.
Case 2: $|(c_q)^{\gamma_j} - (c_{\bar{q}})^{\gamma_j}| = 2$
It follows that $p$ is enabled for the rule (C1) since $(Inter(N_p))^{\gamma_j} = \{h\}$ and $(c_p)^{\gamma_j} \neq h$ (because $\varpi(p, \gamma_j) = \varpi(p, \gamma_k) \geq 2$). This contradicts the construction of $k$.
Case 3: $|(c_q)^{\gamma_j} - (c_{\bar{q}})^{\gamma_j}| \geq 3$
By the two previous contradictions, it is the only possible case. Since $p$ is not enabled (by hypothesis), we obtain that:
$$\forall j \geq k, \begin{cases} (Inter(N_p))^{\gamma_j} = \emptyset \\ \text{and} \\ (c_p)^{\gamma_j} \in \left\{ \left\lceil \frac{(c_q)^{\gamma_j} + (c_{\bar{q}})^{\gamma_j}}{2} \right\rceil, \left\lfloor \frac{(c_q)^{\gamma_j} + (c_{\bar{q}})^{\gamma_j}}{2} \right\rfloor \right\} \end{cases}$$
Since the clock values of $p$ and $q$ are constant by hypothesis, we can deduce that the one of $\bar{q}$ also remains constant (because, in the contrary case, $p$ becomes enabled, which contradicts the hypothesis). It follows: $(c_q)^{\gamma_j} < (c_p)^{\gamma_j} < (c_{\bar{q}})^{\gamma_j}$ or $(c_q)^{\gamma_j} > (c_p)^{\gamma_j} > (c_{\bar{q}})^{\gamma_j}$.
Since this reasoning holds for every processor on the ring, we can always label the nodes of
any ring by $p_0, p_1, \ldots, p_n$ such that the following property is satisfied: $c_{p_0} < c_{p_1} < \ldots < c_{p_n}$.
But the previous reasoning for processor $p_0$ implies that we have: $c_{p_n} < c_{p_0} < c_{p_1}$. It is
impossible to satisfy simultaneously these two inequalities, which proves the lemma.
Lemma 18 There exists i ≥ 0 such that γi ∈ Γ1.
Proof. The result follows directly from Lemmas 16 and 17. 
Finally, we can conclude:
Proposition 9 UFT SS is a self-stabilizing AU under a locally central strongly fair daemon.
Proof. Lemmas 13, 15, and 18 lead to the conclusion that UFT SS is a self-stabilizing UAU
under a locally central strongly fair daemon. 
4.4.2 Proof of Self-Stabilization in spite of a Crash
In this section, $\epsilon = \gamma_0, \gamma_1 \ldots$ denotes an execution of UFT SS such that a processor $c$ is crashed
in $\gamma_0$.
First, we prove the closure of our algorithm, then we prove the convergence property.
Lemma 19 If there exists i ≥ 0 such that γi ∈ Γ1, then γi+1 ∈ Γ1.
Proof. This proof is similar to the proof of Lemma 13 since the fact that a processor is
crashed or not does not modify the proof. 
Secondly, we are going to prove the liveness of our algorithm under these assumptions.
Lemma 20 If $\gamma_0 \in \Gamma_1$, then every processor $p \neq c$ increments its clock in a finite time in $\epsilon$.
Proof. This proof is similar to the proof of Lemma 15. 
In the following we prove the convergence of our algorithm.
Lemma 21 There exists i ≥ 0 such that γi ∈ Γ1.
Proof. This proof is similar to the proof of Lemma 18 since the fact that a processor is
crashed or not does not modify the proof. 
Finally, we can conclude:
Proposition 10 UFT SS is a self-stabilizing AU under a locally central strongly fair daemon
even if a processor is crashed in the initial configuration.
Proof. Lemmas 19, 20, and 21 allow us to say that UFT SS is a self-stabilizing UAU under
a locally central strongly fair daemon even if a processor is crashed in the initial configuration.
Then, we can deduce the result.
4.5 Conclusion
We are now in position to state our final result:
Proposition 11 UFT SS is a (0, 1)-ftss AU on a chain or a ring under a locally central strongly
fair daemon.
Proof. This is a direct consequence of Propositions 7, 8, 9, and 10.
5 Concluding Remarks
We presented the first study of FTSS protocols for dynamic tasks in asynchronous systems, and
showed the intrinsic problems that are induced by the wide range of faults that we address. The
combination of asynchrony and maintenance of liveness properties implies many impossibility
results, and the deterministic protocol that we provided for one of the few remaining cases is
optimal with respect to all impossibility results and containment measures. Then, we can observe
that the results remain even if the weakly synchronized configuration definition is relaxed to allow
neighbor clocks to be at most κ away from each other, for some constant κ.
Generalization: κ-asynchronous unison. In this paragraph, we briefly explain how to
generalize the above results to a weaker problem. Assume that κ ∈ N∗. In the κ-asynchronous
unison problem (κ-AU), a drift of at most κ units is allowed between clocks of any two neighbors.
Hence, the AU problem corresponds to the 1-AU.
Let us observe that a similar result to Lemma 1 holds in the case of κ-AU:
Lemma 22 Let $A$ be a universal $(f, r)$-FTSS algorithm for κ-AU (under an asynchronous
daemon). Let $\gamma$ be a configuration where a processor $p$ with $c_p \geq \kappa$ has two neighbors $q$ and $q'$
such that: $c_q = c_p - \kappa$ and $c_{q'} = c_p + \kappa$. If $p$ executes an action of $A$ during the step $\gamma \longrightarrow \gamma'$,
then this action does not modify the value of $c_p$. If $A$ is also minimal, then the processor $p$ is not
enabled for $A$ in $\gamma$.
As Lemma 1 is the basis of proofs of Section 3, we can deduce that all impossibility results
presented in Section 3 still hold in the case of κ-AU .
In order to solve the κ-AU problem in the remaining cases, we modify Algorithm UFT SS
(see Section 4) in the definition of macro poss(q) in the following way:
$$\forall q \in N_p,\ poss(q) = \{\max\{c_q - \kappa, 0\}, \max\{c_q - \kappa, 0\} + 1, \ldots, c_q, \ldots, c_q + \kappa - 1, c_q + \kappa\}$$
This modified algorithm is a universal (0, 1)-FTSS κ-AU under a locally central strongly fair
daemon on a chain or a ring (the proof is a simple generalization of the correctness proof of
Section 4).
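The modified macro and the blocked configuration of Lemma 22 can be checked together. This Python sketch is an added example, not the paper's code: it assumes, as the proofs of Section 4 use it, that $Inter(N_p)$ is the intersection of the sets $poss(q)$ over the neighbors $q$ of $p$. The function names and the sample values in the comments are constructed for the illustration.

```python
"""kappa-AU: the generalized macro poss(q) and the configuration of Lemma 22."""


def poss(c_q, kappa):
    """poss(q) = {max(c_q - kappa, 0), ..., c_q, ..., c_q + kappa}."""
    return set(range(max(c_q - kappa, 0), c_q + kappa + 1))


def inter(neighbor_clocks, kappa):
    """Inter(N_p), assumed to be the intersection of poss(q) for q in N_p."""
    sets = [poss(c, kappa) for c in neighbor_clocks]
    return set.intersection(*sets)


def admissible_moves(c_p, neighbor_clocks, kappa):
    """Clock values other than c_p that stay within kappa of every neighbor."""
    return sorted(inter(neighbor_clocks, kappa) - {c_p})


def lemma22_blocked(c_p, kappa):
    """Configuration of Lemma 22: neighbors at c_p - kappa and c_p + kappa.

    Returns True when c_p is the only value left in Inter(N_p), that is,
    any change of c_p would break the kappa drift bound with q or q'.
    """
    if c_p < kappa:
        raise ValueError("Lemma 22 assumes c_p >= kappa")
    return inter([c_p - kappa, c_p + kappa], kappa) == {c_p}


def first_unblocked(max_kappa, max_clock):
    """Search for a pair (c_p, kappa) where the configuration is not blocked.

    Returns None when every pair in the searched range is blocked.
    """
    for kappa in range(1, max_kappa + 1):
        for c_p in range(kappa, max_clock + 1):
            if not lemma22_blocked(c_p, kappa):
                return (c_p, kappa)
    return None


if __name__ == "__main__":
    # Constructed values: kappa = 3, c_p = 10.
    print(inter([7, 13], 3))                 # neighbors at c_p - 3 and c_p + 3
    print(admissible_moves(10, [8, 12], 3))  # some slack on both sides
    print(inter([3, 10], 3))                 # drift above 2 * kappa: empty set
    print(first_unblocked(5, 30))
```

With $\kappa = 1$ the macro reduces to the three-value set used in the proofs of Section 4, clipped at 0.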
Open questions. An immediate future work is to generalize the possibility result (that assumes
a central scheduler) to cope with a distributed scheduler, or extend the impossibility proof
in that case. There also remains the open case of protocols that satisfy neither the minimality
nor the priority properties (see Table 1). We conjecture that at least one of those properties
is necessary for the purpose of deterministic self-stabilization, yet none of those could be required
for deterministic weak stabilization [19] (weak stabilization is a weaker property than
self-stabilization since only the existence of an execution reaching a legitimate configuration is guaranteed).
As recent results [7] hint that weak-stabilizing solutions can be easily turned into probabilistic
self-stabilizing ones, this raises the open question of the possibility of probabilistic FTSS for
dynamic tasks in asynchronous systems.
Another possible extension of our work is the feasibility of FTSS solutions for other reactive
tasks, such as dining philosophers and mutual exclusion. In the case of dining philosophers, [28]
proposed a solution that can withstand transient (it is self-stabilizing) and Byzantine failures
(with a containment radius of 2), so it is also a solution for tolerating transient and crash faults.
However, even in the case of crash faults, a containment radius of 2 is also a lower bound [30]
when the system is asynchronous. The same paper [28] shows that global tasks such as mutual
exclusion cannot admit a constant radius fault-containing solution when both transient and
Byzantine faults are considered. It would be interesting to investigate whether limiting the fault
model to transient faults and process crashes makes it possible to break this impossibility result.
References
[1] Efthymios Anagnostou and Vassos Hadzilacos. Tolerating transient and permanent failures
(extended abstract). In André Schiper, editor, WDAG, volume 725 of Lecture Notes in
Computer Science, pages 174–188. Springer, 1993.
[2] Michael Ben-Or, Danny Dolev, and Ezra N. Hoch. Fast self-stabilizing byzantine tolerant
digital clock synchronization. In Rida A. Bazzi and Boaz Patt-Shamir, editors, PODC,
pages 385–394. ACM, 2008.
[3] Christian Boulinier, Franck Petit, and Vincent Villain. When graph theory helps
self-stabilization. In Soma Chaudhuri and Shay Kutten, editors, PODC, pages 150–159. ACM,
2004.
[4] Christian Boulinier, Franck Petit, and Vincent Villain. Synchronous vs. asynchronous
unison. In Ted Herman and Sébastien Tixeuil, editors, Self-Stabilizing Systems, volume 3764
of Lecture Notes in Computer Science, pages 18–32. Springer, 2005.
[5] Jean-Michel Couvreur, Nissim Francez, and Mohamed G. Gouda. Asynchronous unison
(extended abstract). In ICDCS, pages 486–493, 1992.
[6] Ajoy Kumar Datta and Maria Gradinariu, editors. Stabilization, Safety, and Security of
Distributed Systems, 8th International Symposium, SSS 2006, Dallas, TX, USA, November
17-19, 2006, Proceedings, volume 4280 of Lecture Notes in Computer Science. Springer,
2006.
[7] Stéphane Devismes, Sébastien Tixeuil, and Masafumi Yamashita. Weak vs. self vs.
probabilistic stabilization. In Proceedings of the IEEE International Conference on Distributed
Computing Systems (ICDCS 2008), Beijing, China, June 2008.
[8] Edsger W. Dijkstra. Self-stabilizing systems in spite of distributed control. Commun. ACM,
17(11):643–644, 1974.
[9] Danny Dolev and Ezra N. Hoch. On self-stabilizing synchronous actions despite byzantine
attacks. In Andrzej Pelc, editor, DISC, volume 4731 of Lecture Notes in Computer Science,
pages 193–207. Springer, 2007.
[10] S. Dolev. Self-stabilization. MIT Press, March 2000.
[11] Shlomi Dolev. Possible and impossible self-stabilizing digital clock synchronization in general
graphs. Real-Time Systems, 12(1):95–107, 1997.
[12] Shlomi Dolev and Jennifer L. Welch. Wait-free clock synchronization. Algorithmica,
18(4):486–511, 1997.
[13] Shlomi Dolev and Jennifer L. Welch. Self-stabilizing clock synchronization in the presence
of byzantine faults. J. ACM, 51(5):780–799, 2004.
[14] Swan Dubois, Toshimitsu Masuzawa, and Sébastien Tixeuil. The impact of topology on
byzantine containment in stabilization. In Proceedings of DISC 2010, Lecture Notes in
Computer Science, Boston, Massachusetts, USA, September 2010. Springer Berlin / Heidelberg.
[15] Swan Dubois, Toshimitsu Masuzawa, and Sébastien Tixeuil. On byzantine containment
properties of the min+1 protocol. In Proceedings of SSS 2010, Lecture Notes in Computer
Science, New York, NY, USA, September 2010. Springer Berlin / Heidelberg.
[16] Swan Dubois, Maria Potop-Butucaru, and Sébastien Tixeuil. Brief announcement: Dynamic
FTSS in Asynchronous Systems: the Case of Unison. In Proceedings of DISC 2009, Lecture
Notes in Computer Science, Elche, Spain, September 2009. Springer Berlin / Heidelberg.
[17] Michael J. Fischer, Nancy A. Lynch, and Mike Paterson. Impossibility of distributed
consensus with one faulty process. J. ACM, 32(2):374–382, 1985.
[18] Ajei S. Gopal and Kenneth J. Perry. Unifying self-stabilization and fault-tolerance
(preliminary version). In PODC, pages 195–206, 1993.
[19] Mohamed G. Gouda. The theory of weak stabilization. In Ajoy Kumar Datta and Ted
Herman, editors, WSS, volume 2194 of Lecture Notes in Computer Science, pages 114–123.
Springer, 2001.
[20] Mohamed G. Gouda and Ted Herman. Stabilizing unison. Inf. Process. Lett., 35(4):171–175,
1990.
[21] Ezra N. Hoch, Michael Ben-Or, and Danny Dolev. A fault-resistant asynchronous clock
function. In Shlomi Dolev, Jorge Arturo Cobb, Michael J. Fischer, and Moti Yung, editors,
SSS, volume 6366 of Lecture Notes in Computer Science, pages 19–34. Springer, 2010.
[22] Ezra N. Hoch, Danny Dolev, and Ariel Daliot. Self-stabilizing byzantine digital clock
synchronization. In Datta and Gradinariu [6], pages 350–362.
[23] Leslie Lamport and P. M. Melliar-Smith. Synchronizing clocks in the presence of faults. J.
ACM, 32(1):52–78, 1985.
[24] Qun Li and Daniela Rus. Global clock synchronization in sensor networks. In INFOCOM,
2004.
[25] Toshimitsu Masuzawa and Sébastien Tixeuil. Bounding the impact of unbounded attacks
in stabilization. In Datta and Gradinariu [6], pages 440–453.
[26] Toshimitsu Masuzawa and Sébastien Tixeuil. Stabilizing link-coloration of arbitrary
networks with unbounded byzantine faults. International Journal of Principles and Applications
of Information Science and Technology (PAIST), 1(1):1–13, December 2007.
[27] Jayadev Misra. Phase synchronization. Inf. Process. Lett., 38(2):101–105, 1991.
[28] Mikhail Nesterenko and Anish Arora. Tolerance to unbounded byzantine faults. In 21st
Symposium on Reliable Distributed Systems (SRDS 2002), page 22. IEEE Computer Society,
2002.
[29] Marina Papatriantafilou and Philippas Tsigas. On self-stabilizing wait-free clock
synchronization. Parallel Processing Letters, 7(3):321–328, 1997.
[30] Scott M. Pike and Paolo A. G. Sivilotti. Dining philosophers with crash locality 1. In
ICDCS, pages 22–29. IEEE Computer Society, 2004.
