Metastability in
Asynchronous Wait-Free Protocols
Stephen E. Paynter, Neil Henderson, and James M. Armstrong
Abstract—We demonstrate that the safe register abstraction is an inappropriate model of a shared bit variable in an ACM. This is due
to the phenomenon of metastability and the way that circuits are engineered to reduce the probability of it propagating. We give a bit
model that takes the engineered restrictions into account and which is therefore stronger than the safe bit model. With our bit model we
show that some impossibility results concerning ACMs which are based on safe bit models are pessimistic. We establish this using the
CSP process algebra and the FDR2 model-checker, by investigating the impact of various models of shared bits on different wait-free
protocols, including Lamport’s regular register, Simpson’s 4-slot ACM, Kirousis et al.’s ACM, Tromp’s Atomic Bit and 4-Track ACMs,
and Haldar and Subramanian’s ACM. We show how these protocols can fail in the presence of rereadable metastability.
Index Terms—Protocol verification, model checking, formal models, asynchronous operation.

1 INTRODUCTION
ASYNCHRONOUS communication occurs in modern digital electronic systems whenever a signal is passed between two circuits which do not share a common clock. Sometimes a protocol is constructed out of simple (binary) asynchronous signals to establish higher-level synchronous communication. On other occasions, high-level asynchronous protocols are constructed. Protocols which support asynchronous communication are variously called wait-free protocols, e.g., [1], asynchronous registers, e.g., [2], or asynchronous communication mechanisms (ACMs), e.g., [3].
Conceptually, ACMs support the communication of data between writing and reading processes in a way which prevents any temporal interaction between them. The progress of the write algorithm is unaffected by the reader accessing the ACM at the same time and vice versa. The relative rates of the writer and reader are unconstrained. Not only may reads and writes overlap, but multiple consecutive writes may overlap a read and multiple consecutive reads may overlap a write. ACMs are therefore wait-free. Algorithms which place an upper bound on any temporal interference are also usually called "wait-free." Some of the ACMs considered in this paper are only wait-free in this wider sense.
ACMs are essentially shared-variables and, hence, have
the properties that:
. Each write puts one (possibly aggregate) value into
the ACM;
. Each read gets one (possibly aggregate) value from
the ACM;
. A value written into an ACM may be read many
times; and
. Writing a value conceptually destroys (makes
unavailable for reading) values written previously.
The asynchronous communication that ACMs support therefore needs to be distinguished from the "asynchronous communication" supported by (infinite) buffers, for example, [4].
Shared-variables that are implemented as ACMs therefore have fundamentally different synchronization properties from shared-variables that are implemented as Hoare-atomic (H-atomic, in the sequel) monitors, which use mutual exclusion to ensure that inconsistent data cannot be read, [5].
ACMs are of particular interest because they support the integration of subsystems or processes which run at different frequencies or which are sporadic while decoupling the temporal interactions between them. They therefore provide a means of building systems which are robust against deadlock due to the failure of one of the communicating systems.
Unfortunately, any classical (nonquantum) system that reads an asynchronous message may exhibit the phenomenon called "metastability" [6]. Metastability can have various detrimental effects on the performance or behavior of the system. This is well-known by electronic engineers who design circuits which engage in asynchronous communication and they take steps to reduce the probability of these effects to extremely low levels. However, our results suggest that some designers of wait-free protocols are making an inappropriately pessimistic assumption about the behavior of shared bits: namely, that a shared bit can be read multiple times while it is changing during a write. This is impossible in properly designed hardware because the reader is designed to take long enough to ensure metastability is resolved and this ensures that the write will have finished before the next read. Many ACMs are designed and analyzed on the assumption that shared bits in such protocols behave as L-safe registers, [2]. L-safe registers encapsulate this inappropriate assumption, which is pessimistic with respect to properly contained metastability, but optimistic with respect to unconstrained metastable effects. L-safe registers are introduced below in Section 3 and the modeling of metastability is discussed in Section 4. We include models of unconstrained metastability for logical completeness and to confirm that protocols will fail in its presence.

292 IEEE TRANSACTIONS ON COMPUTERS, VOL. 55, NO. 3, MARCH 2006
. S.E. Paynter is with MBDA UK Ltd., PO Box 5, Filton, Bristol, BS34 7QW, UK. E-mail: stephen.paynter@mbda.co.uk.
. N. Henderson is with the BAE Systems Dependable Computing Systems Centre, University of Newcastle-upon-Tyne, NE1 7RU, UK.
. J.M. Armstrong is with the BAE SYSTEMS Systems Engineering Innovation Centre (SEIC), University of Loughborough, Loughborough LE11 3TU, UK.
Manuscript received 19 July 2004; revised 1 Feb. 2005; accepted 6 May 2005; published online 20 Jan. 2006.
For information on obtaining reprints of this article, please send e-mail to: tc@computer.org, and reference IEEECS Log Number TC-0241-0704.
0018-9340/06/$20.00 © 2006 IEEE Published by the IEEE Computer Society
The authors have shown in a previous paper [7] that a protocol which can be demonstrated to have desirable properties when its shared bits are assumed to be L-safe registers may fail to have these properties when metastability is not contained; Simpson's 1987 4-Slot ACM [8], [3] preserves data-coherence (see Section 3.1) with L-safe bits, but does not do so when metastable variables can be reread two or more times before metastability resolves. We suggested in that paper that there might be a problem with any wait-free protocol whose behavior had not been checked when metastability is not contained, even those with correctness proofs, if those proofs were based on the L-safe model of bits. In this paper, we take up the challenge and apply the same metastability analysis techniques that we applied to Simpson's 4-slot ACM to other published wait-free protocols. The new protocols we analyze are: Lamport's regular ACM [2], Kirousis et al.'s ACM [9], Tromp's Atomic Bit and 4-Track ACMs [10], and Haldar and Subramanian's ACM [11].
The rest of this paper is organized in the following way:
Section 2 introduces the phenomenon of metastability and
explains how circuits are engineered to minimize its impact.
Section 3 introduces the terminology that is used to
characterize and compare wait-free protocols. Section 4
describes a series of increasingly realistic CSP models of
shared bit variables. These show how the effects of
metastability can be taken into account in a model of an
ACM. This necessitates a brief discussion on how the
algorithms which use such variables should be modeled.
Section 5 gives the specification models for semiregular
(data-coherent), L-regular, and L-atomic (global freshness
and sequencing) registers. Section 6 reports on the results
established by model-checking the different ACMs with the
various bit models. Finally, some conclusions on modeling
bits in ACMs are drawn in Section 7.
2 METASTABILITY
Metastability is a fundamental phenomenon of classical
systems which have two or more stable states, and which
respond to connected inputs, that is, to inputs which are
either continuous in time or continuous in value (or both).
Such systems have: 1) stable states, 2) regions of unstable
states which must lead to a stable state, and 3) metastable
states between the unstable regions. The unstable region
(and, hence, stable state) which will be entered from a
metastable state and the length of time it takes to enter such
a region is undetermined. However, it has been shown that
the probability that a system remains in a metastable state
decreases exponentially with time [6], [12].
An important class of systems that can exhibit metastability are digital electronic circuits that synchronize asynchronous inputs [13], [14], [15]. The two binary states are the stable states and the asynchronous input can (by definition) occur arbitrarily close to the synchronizing (latching) clock pulse, causing the device to read a changing input that will not have a clear binary value. The synchronizer or latch then enters a metastable state, where its latched value may linger indefinitely between the two stable digital states. It needs to be recognized that it is possible for a metastable value itself (while it is an invalid digital value) to induce metastability in a circuit that reads it. Note that metastability is not induced in the input (i.e., writing) circuit.
It needs to be emphasized that metastability is a fundamental phenomenon in that it is unavoidable in circuits which have to handle asynchronous inputs [16], [17], although there are various practical approaches that can be adopted to reduce the problem, [6]. One option is to use a detector to detect when the value read is metastable and hold up the reading system's clock until the metastability has resolved [18]. Chapiro notes in his paper that this is not the same as causing the system to skip clock cycles until after the metastability has been resolved. This is because the detector's "end of metastability" signal would itself be an asynchronous input into the circuit which blocks the clock from reaching the reading system and, hence, it could be the cause of further metastability. In Chapiro's solution, therefore, the clock when it resumes need not be in phase with what it was previously. This requires the ability to stop the reading system's clock and the system has to be able to cope with arbitrarily long pauses in its operation.
A more common option is to accept that a reader of an asynchronous signal may enter a metastable state and ensure that, after the value is latched (i.e., read), a period long enough for metastability to resolve elapses before the value is used as an input to another device. A suitable duration can ensure that the probability that the metastability has failed to be resolved is reduced as low as is needed [19].
3 SPECIFYING AND CLASSIFYING ACMS
This section introduces two different approaches to classi-
fying ACMs, which we previously described in [7] and
which we summarize here. The terminology introduced is
used to describe the ACMs analyzed below.
All the ACMs considered in this paper are wait-free and
only support a single reader and a single writer.
3.1 A Behavioral Classification Scheme
The behavioral classification scheme we use consists of a
cumulative hierarchy of five properties: persistent, L-safe,
semiregular, L-regular, and L-atomic [20].
A persistent ACM is one which behaves like a normal
local variable when no read occurs contemporaneously
with a write, but, when a read clashes (overlaps in time)
with a write, it may return any value which the ACM can
represent. This value need not be one of the values of the
type that the writer is attempting to communicate through
the ACM.
An L-safe ACM is a persistent ACM except that a clashing
read may only return an arbitrary value of the type that is
being communicated. When the ACM can only represent
values of this type, a persistent ACM is automatically an
L-safe one. Shared single bits used to communicate binary
values have been assumed to be L-safe ACMs in much of
the literature since [2].
A semiregular ACM is an L-safe ACM, except that a
clashing read may only return an arbitrary value that has
been previously written into the ACM (or the initial one).
We have noted elsewhere that an ACM which does not
corrupt data communicated through it (i.e., which preserves
data-coherence) is semiregular.
An L-regular ACM is a semiregular ACM that additionally guarantees that a clashing read gets either 1) the value of the immediately prior write which did not clash with that read or 2) a value written by one of the (possibly multiple) writes that clash with that read. This can be considered to be a good definition of the local freshness property, which requires that each read gets the most recently "available" value, where "availability" is defined relative to each read.
An L-atomic ACM is an L-regular ACM which ensures
that clashing reads do not read earlier values than have
already been read. This is equivalent to saying that the
values returned by the reads are as if the reads and writes
had occurred in some determinate nonclashing order. This
can be considered to be a good definition of the global
freshness property, which requires that each read gets the
most recently “available” value, where “availability” is
defined relative to the sequence of reads.
3.2 An Implementation Classification Scheme
The classification scheme we review here is widely used in
the literature on wait-free protocols, for example [21].
ACMs which are used to communicate more than two
values are usually called multivalued, while ACMs which
only communicate two values are normally called bits.
Those implementations which use different variables to
pass data and to coordinate access to the data are called
buffer-based. The variables used to hold the data being
communicated are called buffers in this scheme, although
they are also known as “slots” or “tracks” in particular
algorithms.
In a buffer-based ACM no coordination information is
passed through the buffers and no data is passed through
the control variables.
A buffer-based shared variable where the reader and
writer never access the same buffer (not control-variable) at
the same time is called either pure [22] or conflict-free [11].
One advantage of an ACM which is conflict-free is that its
buffers need only be implemented by persistent ACMs as
clashing accesses on a buffer will not occur (by definition).
Furthermore, a buffer-based shared variable where the
write or read algorithm only writes or reads one buffer per
execution may be called write-once or read-once, respectively.
A non-conflict-free protocol is unlikely to be able to be read-
once as some rereading will be necessary should a conflict
have occurred since the conflict might have resulted in the
read obtaining inconsistent data. The write-once read-once
properties are highly desirable in multivalued ACMs which
are required to communicate large complex data-values.
3.3 Some ACM Impossibility Results
In 1983, Peterson showed that buffer-based, 1-Writer ACMs needed to have n + 2 buffers, where n is the number of readers [1]. In 1989, Burns and Peterson showed that, when the conflict-free constraint was added, an ACM had to have at least 2n + 2 buffers. All multivalued 1-Reader ACMs considered in this paper use four buffers and are, therefore, buffer-optimal.
In [23], Haldar and Vidyasankar have shown that it is
impossible to realize a conflict-free write-once L-atomic
variable from only four buffers and four L-safe shared
control bits.
4 MODELING SHARED BIT VARIABLES
In this section, we present nine models of shared bits in
CSPm, the machine readable ASCII version of the CSP
language [24]. These are then used in the models of the
ACMs that are analyzed in this paper. The first model
considers a shared bit to be a simple H-atomic variable. The
next four differ over whether they are stable or flicker when
overwritten with the value they already hold and over
whether they allow multiple or only single clashes. The last
four repeat these four options, but include a model of
metastability. There is also a discussion of how algorithms
should be modeled that use bits which may return
metastable values.
The context for the following bit models are reading and
writing processes such as the following, where B is the
name of the shared bit variable.
WRITER = B.sw!x -> B.ew -> WRITER
READER = B.sr -> B.er?x -> use(x) -> READER
Note that, in these processes, writing and reading
operations are modeled by the events that mark their
beginning and end (sw, ew, sr, and er), respectively. This
allows the “true” concurrency of the reads and writes to be
modeled in spite of CSP’s interleaving semantics.
4.1 BITH Atomic: An H-Atomic Bit Model
We first consider an H-atomic variable as a model of a bit.
This is not realistic for most implementations of shared bits,
but it reflects the assumption that many adopt when
thinking about bits and is included here for completeness.
BIT_hatomic(val) =
sw?x -> ew -> BIT_hatomic(x)
[]
sr -> er!val -> BIT_hatomic(val)
Note, we assume “val” takes one of the binary values, b0
or b1. Also note that, for consistency with the other bit
models we present, the writing and reading operations are
modeled by the events that mark their beginning and end.
4.2 BITfm: Flickering, Multiple-Clash (L-Safe) Bit Model
The BITfm bit model "flickers" when the bit is overwritten with a new value, even if the new value is the same as it is already holding. This flickering behavior is reflected in the "f" in its name. It also allows multiple reads to clash with a single write and multiple writes to clash with a single read; this multiple clashing behavior is represented by the "m" in its name.
These properties mean, for example, that a series of reads
that clash with a single write might get the values
b0 b1 b0 b0 b1.
BITfm is an L-safe ACM. Nonclashing reads always get
the value stored in the bit, while a read that does clash may
get any value of the valid type, [2]. Lamport identifies one
important class of L-safe ACM as bit variables that are used
to communicate data of a binary valued type. This
observation has led to a widespread assumption that
shared bit variables are L-safe ACMs.1
BITfm is modeled by the following process:
BITfm(val) = sw?x -> BITfm_w(val, x) []
sr -> BITfm_r(val)
BITfm_w(val, x) = ew -> BITfm(x) []
sr -> BITfm_wr(val, x)
BITfm_r(val) = sw?x -> BITfm_wr(val, x) []
er!val -> BITfm(val)
BITfm_wr(val, x) = ew -> BITfm_r_clashed(x) []
(er!b0 -> BITfm_w(val, x) |~|
er!b1 -> BITfm_w(val, x))
BITfm_r_clashed(val) = sw?x -> BITfm_wr(val, x)
[]
(er!b0 -> BITfm(val) |~|
er!b1 -> BITfm(val))
The process starts by accepting either a start_write (sw) or a start_read (sr) event. Depending upon which is chosen, it moves to BITfm_w or BITfm_r, which offer the appropriate events taking into account which action has already started. These then progress to subsequent states.
Note that a write introduces the new value at start_write
(sw), while the read does not return the value it acquires
until end_read (er). Also note that any clash between the
reader and writer means that the value returned by the
read is chosen by internal nondeterminism. This is
because, although the value read is returned by the er
event, the time this value is determined (acquired) may
be at any time during the read and, hence, may be during
the time that the read was clashing with the write.
Although, in many ways, this model of bits captures the
behavior that much formal analysis of wait-free protocols is
built upon, there are at least three ways in which it is open
to challenge. The first, and perhaps least significant,
observation is that hardware bits can be engineered so that
when they are overwritten with the same value that they
already hold, the latched value does not flicker. The second
(and probably the most significant) observation is that,
when the operating constraints that apply to most digital
electronic circuits are taken into account, it is not feasible for
multiple reads to clash with the changing bit value. This is
because, in edge-triggered circuits, the transition time for a
latch to change (in response to the leading edge of the write
signal) is independent of the duration of the write and is
short with respect to the set-up-and-hold and propagation
times of the circuit. In other words, in such circuits, at most
one read can clash with the changing value. This behavior is
captured in later bit models that we present. The third
observation is that BITfm fails to model the fact that shared
bits can enter a metastable state when they are latched
while the value being written into them is changing.
4.3 BITsm: Stable, Multiple-Clash Bit Model
This model modifies the previous by ensuring that the
value of a bit is not disturbed when it is overwritten with
the same value as it already holds. In this paper, we call
such a bit “stable.” If care is taken, it is possible to engineer
digital circuits to behave in this way.
BITsm(val) = sw?x -> (if x == val then
BITsm_w_stable(val)
else
BITsm_w(val, x)) []
sr -> BITsm_r(val)
BITsm_w(val, x) = ew -> BITsm(x) []
sr -> BITsm_wr(val, x)
BITsm_r(val) =
sw?x -> (if x == val then
BITsm_wr_stable(val)
else
BITsm_wr(val, x)) []
er!val -> BITsm(val)
BITsm_wr(val, x) =
ew -> BITsm_r_clashed(x) []
(er!b0 -> BITsm_w(val, x) |~|
er!b1 -> BITsm_w(val, x))
BITsm_r_clashed(val) =
sw?x -> BITsm_wr(val, x) []
(er!b0 -> BITsm(val) |~|
er!b1 -> BITsm(val))
BITsm_w_stable(val) =
ew -> BITsm(val) []
sr -> BITsm_wr_stable(val)
BITsm_wr_stable(val) =
ew -> BITsm_r(val) []
er!val -> BITsm_w_stable(val)
It should be noted that this model is more deterministic
than the L-safe one because reads that clash with writes
which do not change the value of the bit return the value
that the bit retains. In other words, BITsm is an L-safe
register (i.e., it refines BITfm), but it does not itself exhibit
all the L-safe behaviors. Lamport notes that stable bits are
L-regular, [2].
1. For example, even within the literature on the 4-Slot, Clark et al. and the current authors have previously asserted or argued that the 4-Slot's control bit variables are L-safe [25], [26], [20].
4.4 BITfs: Flickering, Single-Clash Bit Model
This bit model is not stable, but it encodes the property that at most one read may clash with a write. This is a corollary of another practical engineering issue relating to shared bit variables that needs to be incorporated into our model. This issue challenges the erroneous assumption that, for a variable to be an ACM, access at arbitrarily fast speeds must be possible. This is important because digital electronic circuits have maximum speeds at which they may be operated as the components within them will have minimum "set up and hold" times that have to be observed if they are to be operated within their specifications. Shared-variables that have minimum access times are still ACMs providing they do not force a synchronization between the reader and writer accessing them. In particular, a maximum access frequency is compatible with relative asynchrony and places no constraints on the ratio between the reader and writer frequencies.
It also needs to be appreciated that actual digital
electronic circuit implementations of bits have maximum
switching or propagation times. Taken together, these
timing constraints limit the number of reads that may
access a switching value. When the reads and writes arise
from processor instructions, the relatively slow speed of
processor clocks means that at most one read will occur
while a value is switching and at most one write will occur
while a value is being read.
BITfs(val) = sw?x -> BITfs_w(val, x) []
sr -> BITfs_r(val)
BITfs_w(val, x) = ew -> BITfs(x) []
sr -> BITfs_wr(val, x)
BITfs_r(val) = sw?x -> BITfs_wr(val, x) []
er!val -> BITfs(val)
BITfs_wr(val, x) =
ew -> BITfs_r_clashed(x) []
(er!b0 -> BITfs_w_r_occured(val, x) |~|
er!b1 -> BITfs_w_r_occured(val, x))
BITfs_r_clashed(val) = er!b0 -> BITfs(val) |~|
er!b1 -> BITfs(val)
BITfs_w_r_occured(val, x) = ew -> BITfs(x)
These definitions assume that switching and latching are
triggered by the edge of the clock and, hence, the switching
and latching durations are independent of the writer’s and
reader’s clock frequency. In other words, in this model, the
beginning and end of the switching duration are modeled
by the sw and ew events, respectively, and the beginning
and end of the latching duration are modeled by the sr and
er events, respectively.
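The two claims made about these models, that BITsm refines BITfm (Section 4.3) while BITfs admits at most one clashing read per write (this section), can be checked without FDR2 by bounded trace exploration. The following Python is an added illustration and is not part of the paper's CSPm; it transcribes BITfm, BITsm and BITfs state by state into transition functions and enumerates their traces up to a depth bound. The Python state names, the initial value b0 and the default depth of 6 are this example's own choices, and it works in the traces model only.

```python
"""Bounded trace exploration of the BITfm, BITsm and BITfs bit models.

Each CSPm process becomes a transition function from a state
(process name, stored value, pending write value) to the list of
(event, successor) pairs it offers.  External ([]) and internal (|~|)
choice both just contribute successors, which is all the traces model
records, so trace_refines() is a bounded form of FDR's [T= check.
"""

B0, B1 = "b0", "b1"
BITS = (B0, B1)
INIT = ("idle", B0, None)  # BITxx(b0): nothing in progress (example's choice)


def _common(name, val, x):
    """States that BITfm and BITfs define identically."""
    if name == "idle":  # BITxx(val)
        return ([(f"sw.{v}", ("w", val, v)) for v in BITS]
                + [("sr", ("r", val, None))])
    if name == "w":  # BITxx_w(val, x)
        return [("ew", ("idle", x, None)), ("sr", ("wr", val, x))]
    if name == "r":  # BITxx_r(val)
        return ([(f"sw.{v}", ("wr", val, v)) for v in BITS]
                + [(f"er.{val}", ("idle", val, None))])
    return None


def bitfm(state):
    """BITfm: flickers on every write, any number of clashes."""
    name, val, x = state
    common = _common(name, val, x)
    if common is not None:
        return common
    if name == "wr":  # clashing read returns b0 or b1 (internal choice)
        return ([("ew", ("r_clashed", x, None))]
                + [(f"er.{v}", ("w", val, x)) for v in BITS])
    if name == "r_clashed":  # a further write may start before er
        return ([(f"sw.{v}", ("wr", val, v)) for v in BITS]
                + [(f"er.{v}", ("idle", val, None)) for v in BITS])
    raise ValueError(name)


def bitfs(state):
    """BITfs: flickers, but at most one read clashes with one write."""
    name, val, x = state
    common = _common(name, val, x)
    if common is not None:
        return common
    if name == "wr":
        return ([("ew", ("r_clashed", x, None))]
                + [(f"er.{v}", ("w_r_occured", val, x)) for v in BITS])
    if name == "r_clashed":  # no sw: the clashing write has already ended
        return [(f"er.{v}", ("idle", val, None)) for v in BITS]
    if name == "w_r_occured":  # no sr until the write has ended
        return [("ew", ("idle", x, None))]
    raise ValueError(name)


def bitsm(state):
    """BITsm: a write of the value already held does not flicker."""
    name, val, x = state
    if name == "idle":
        return ([(f"sw.{v}", ("w_stable", val, None) if v == val
                  else ("w", val, v)) for v in BITS]
                + [("sr", ("r", val, None))])
    if name == "w":
        return [("ew", ("idle", x, None)), ("sr", ("wr", val, x))]
    if name == "r":
        return ([(f"sw.{v}", ("wr_stable", val, None) if v == val
                  else ("wr", val, v)) for v in BITS]
                + [(f"er.{val}", ("idle", val, None))])
    if name == "wr":
        return ([("ew", ("r_clashed", x, None))]
                + [(f"er.{v}", ("w", val, x)) for v in BITS])
    if name == "r_clashed":
        return ([(f"sw.{v}", ("wr", val, v)) for v in BITS]
                + [(f"er.{v}", ("idle", val, None)) for v in BITS])
    if name == "w_stable":  # same-value write in progress
        return [("ew", ("idle", val, None)), ("sr", ("wr_stable", val, None))]
    if name == "wr_stable":  # a read clashing with it sees only val
        return [("ew", ("r", val, None)), (f"er.{val}", ("w_stable", val, None))]
    raise ValueError(name)


def traces(step, init, depth):
    """All traces of length <= depth from init, as a set of event tuples."""
    found, frontier = {()}, {((), init)}
    for _ in range(depth):
        nxt = set()
        for tr, st in frontier:
            for ev, st2 in step(st):
                found.add(tr + (ev,))
                nxt.add((tr + (ev,), st2))
        frontier = nxt
    return found


def trace_refines(spec, impl, init=INIT, depth=6):
    """Bounded spec [T= impl: every trace of impl is also a trace of spec."""
    return traces(impl, init, depth) <= traces(spec, init, depth)


def counterexamples(spec, impl, init=INIT, depth=6):
    """Traces of impl that spec cannot perform, shortest first."""
    return sorted(traces(impl, init, depth) - traces(spec, init, depth), key=len)


if __name__ == "__main__":
    print("BITfm [T= BITsm:", trace_refines(bitfm, bitsm))
    print("BITfm [T= BITfs:", trace_refines(bitfm, bitfs))
    print("BITsm [T= BITfm:", trace_refines(bitsm, bitfm), counterexamples(bitsm, bitfm)[0])
    print("BITfs [T= BITfm:", trace_refines(bitfs, bitfm), counterexamples(bitfs, bitfm)[0])
```

trace_refines(bitfm, bitsm) and trace_refines(bitfm, bitfs) both hold to the bound, while the reverse checks fail: counterexamples(bitsm, bitfm) contains sw.b0, sr, er.b1 (a flicker during a same-value write, which the stable model never produces) and counterexamples(bitfs, bitfm) contains a second sr or sw inside one clash, which BITfs forbids. Traces say nothing about refusals, so a result here is weaker than an FDR failures or failures-divergences check, and the bound must be raised if a protocol being modeled has longer clashes.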
4.5 BITss: Stable, Single-Clash Bit Model
This encodes both the stability and the single-clash
constraints introduced in earlier models.
BITss(val) = sw?x -> (if x == val then
BITss_w_stable(val)
else
BITss_w(val, x))
[] sr -> BITss_r(val)
BITss_w(val, x) = ew -> BITss(x) []
sr -> BITss_wr(val, x)
BITss_r(val) = sw?x -> (if x == val then
BITss_wr_stable(val)
else
BITss_wr(val, x))
[] er!val -> BITss(val)
BITss_wr(val, x) =
ew -> BITss_r_clashed(x) []
(er!b0 -> BITss_w_r_occured(val, x) |~|
er!b1 -> BITss_w_r_occured(val, x))
BITss_r_clashed(val) = er!b0 -> BITss(val) |~|
er!b1 -> BITss(val)
BITss_w_stable(val) = ew -> BITss(val) []
sr -> BITss_wr_stable(val)
BITss_wr_stable(val) =
ew -> BITss_r(val) []
er!val -> BITss_w_stable(val)
BITss_w_r_occured(val, x) = ew -> BITss(x)
4.6 Modeling Metastability in Bit Models
None of the four models of shared bits given so far model metastability. However, metastability can be added to each of the above models, giving a total of eight different models of shared bits in CSP (plus the H-atomic model). Metastability is modeled by extending the alphabet of the channels associated with the sw and er events so that they include an extra dithering value, d. This value may be returned should a read and write clash.
Rather than repeat each of the four models given above, we only illustrate the modeling of metastability by extending the BITfm model, resulting in the BITfm_meta model. The other models (BITsm_meta, BITfs_meta, and BITss_meta) are modified similarly.
BITfm_meta(val) =
sw?x -> BITfm_meta_w(val, x) []
sr -> BITfm_meta_r(val)
BITfm_meta_w(val, x) =
ew -> BITfm_meta(x) []
sr -> BITfm_meta_wr(val, x)
BITfm_meta_r(val) =
sw?x -> BITfm_meta_wr(val, x) []
er!val -> BITfm_meta(val)
BITfm_meta_wr(val, x) =
ew -> BITfm_meta_r_clashed(x) []
(er!b0 -> BITfm_meta_w(val, x) |~|
er!b1 -> BITfm_meta_w(val, x) |~|
er!d -> BITfm_meta_w(val, x))
BITfm_meta_r_clashed(val) =
sw?x -> BITfm_meta_wr(val, x) []
(er!b0 -> BITfm_meta(val) |~|
er!b1 -> BITfm_meta(val) |~|
er!d -> BITfm_meta(val))
4.7 Modeling Metastability in the Algorithms
At this point, it is necessary to consider how the values read
from bit variables are handled in the reading process. For
the four models that do not capture metastability, a simple
process which reads a bit variable, B, and then uses (in
some unspecified way) the value read would be:
READER1 = B.sr -> B.er?x -> use1(x) ->
use2(x) -> READER1
However, when a shared bit such as B is modeled by a
process which handles metastability, the value returned by
a read of the bit may now be the metastable value, d. The
variables (and the operations that are performed on them)
in the reading algorithm have to be modified to handle this
extra value. Furthermore, the algorithm needs to be able to
model the fact that metastable values may decay into a
standard binary value at some point in the future.
The way adopted here of systematically extending the
local variables and enabling them to model metastability
decay is to use a process in parallel with the reading process
for each local bit variable in the process. Therefore, in the
above example, the local bit variable “x” is modeled by a
“local bit process.” The value read into “x” from shared bit
B is written into (and, subsequently, read out from) this
process.
We present two different models of local bits, LB1 and
LB2. LB1 can either autonomously resolve metastable
values into binary ones (if it contains a metastable value)
or it can be set or read. A revised reader process definition
which uses these local bits is given later.
LB1(val) = if val == d then
(LB1(b0) |~| LB1(b1) |~|
(set?x -> LB1(x) []
get!val -> LB1(val))
)
else
(set?x -> LB1(x) []
get!val -> LB1(val))
LB2 is similar, except that it models the case that
metastable values resolve into binary ones before they are
used by resolving any metastable value when it is written
into it.
LB2(val) = set?x -> (if x == d then
LB2(b0) |~| LB2(b1)
else LB2(x)) []
get!val -> LB2(val)
In practice, of course, metastable circuits cannot be arbitrarily forced into a stable state, otherwise metastability would not be the fascinating phenomenon and problem that it is. Nevertheless, this is an adequate CSP model of the behavior of metastable values which resolve before being used.
Resolving metastable values as they are set obviously
ensures that all subsequent reads will get the same
nondeterministically chosen value. As was mentioned
above, by leaving a suitable time between reading a shared
bit and making use of the value obtained, the chances that it
will still be metastable when it is used can be reduced to an
arbitrarily low probability. This suggests that, when such
delays are engineered into the circuit, LB2 is a more
appropriate model for a local bit variable than LB1.
However, when such delays are not present, LB1 is more
appropriate.
Any reading process would need to be changed to make
use of such local variable processes. For example, READER1
above becomes READER2 below:
READER2 = B.sr -> B.er?x -> B_LB.set!x ->
B_LB.get?x -> use1(x) ->
B_LB.get?x -> use2(x) -> READER2
Here, the first two actions are reading the shared bit variable, B, as before; this value is then set in a local bit variable, B_LB. This is then read back into the reading process, thus giving the opportunity for the potentially metastable value to resolve to a binary one when the LB1 model is used. The value is then used as before, e.g., use1(x). However, another get from the local variable precedes the next use of "x." Generally, every use of "x" in the original algorithm needs to be preceded by such a get as this allows the metastability resolution that occurs in the local variable process to influence the algorithm.
A further modeling issue arises for some of the ACMs
considered here. It is necessary to model the “operation” of
using a potentially metastable variable in a conditional
statement which determines the flow of control of the
algorithm. The following CSP process illustrates the kind of construct found in some ACMs:
READER3 = B.sr -> B.er?x ->
(if x == b1 then
use1(x) -> READER3
else use2(x) -> READER3)
It is not immediately obvious how such a situation
should be modeled when the shared bit can return the
metastable value “d.” One possibility is simply to treat “d”
like a third value. (In other words, to leave the model as
above.) In if-then-else statements, this has the effect of
making the metastable value always favor the else branch.
This seems implausible and means that possible behaviors
will not be modeled. A better option is to change the model
of the algorithm to explicitly check for “d” and, when it is
detected, enter a new branch which involves a nondeterministic
choice of the other branches. This is illustrated in
READER4:
READER4 = B.sr -> B.er?x ->
          (if x == d
           then Reader4_Branch1 |~|
                Reader4_Branch2
           else
             (if x == b1
              then Reader4_Branch1
              else Reader4_Branch2))
It can be argued, however, that this is still too benign: It
fails to model any indeterminacy about which value is loaded
into the processor’s next instruction register should the
metastable value resolve during that operation. It seems
conceivable that the two addresses might be merged to
produce a (practically random) third address. Clearly, should
this happen, it is no longer possible to bound the potential
behaviors. Such a catastrophic event needs to be considered
and is captured in our CSP model by making CHAOS a
possible behavior. This is illustrated in READER5:
READER5 = B.sr -> B.er?x ->
          (if x == d
           then Reader5_Branch1 |~|
                Reader5_Branch2 |~|
                CHAOS(Events)
           else
             (if x == b1
              then Reader5_Branch1
              else Reader5_Branch2))
5 SPECIFICATION MODELS
This section describes CSP models of data-coherence,
sequencing, and freshness. These are the formal models
against which models of the ACMs will be checked for
trace-refinement.
5.1 Data-Coherence
Data-coherence can be modeled abstractly by giving a
process that is semiregular—that is, a process in which a
nonclashing read gets the value stored in the variable, while
a clashing read is constrained only to return one of the
values that have been written into the ACM so far. This is a
“black-box” definition of data-coherence which works for
ACMs which are not conflict-free. Data-coherence for
conflict-free ACMs can be specified in a more “white-box”
manner by asserting that no buffer is ever read while it is
being written or written while it is being read.
SemiRegACM(vals, v) =
    start_write?x ->
        SemiRegACM_w(union({x}, vals), x)
    []
    start_read -> SemiRegACM_r(vals, v)
SemiRegACM_w(vals, x) =
    end_write -> SemiRegACM(vals, x)
    []
    start_read -> SemiRegACM_wr(vals, x)
SemiRegACM_r(vals, v) =
    start_write?x ->
        SemiRegACM_wr(union({x}, vals), x)
    []
    end_read!v -> SemiRegACM(vals, v)
SemiRegACM_wr(vals, x) =
    end_write -> SemiRegACM_r_clashed(vals, x)
    []
    ([] z : vals @ end_read!z -> SemiRegACM_w(vals, x))
SemiRegACM_r_clashed(vals, v) =
    start_write?z ->
        SemiRegACM_wr(union({z}, vals), z)
    []
    ([] z : vals @ end_read!z -> SemiRegACM(vals, v))
SemiRegACM_Spec = SemiRegACM({1}, 1)
The above specification works by the process keeping a
set (vals) of the values written into it so far, as well as its
current value. A clashing read returns a nondeterministically
chosen value from this set (see footnote 2).
5.2 L-Regular
Fortunately, for ACMs which communicate finite values of
types with finite domains, L-regularity is a finite state
property. It is therefore possible to define a CSP process
which models the L-regular property, thus making (local)
freshness something that can be determined by model-
checking. See Section 3. A CSP process which captures the
L-regular property is given below—it builds up a set of
values which the reader may acquire, as more and more
writes clash with a read, and it resets the set at appropriate
points (such as when a write finishes when a read is not
active and when a read finishes when a write is not active).
RegACM(val) =
    start_write?x -> RegACM_w(union({x}, {val}), x)
    []
    start_read -> RegACM_r(val)
RegACM_w(vals, x) =
    end_write -> RegACM(x)
    []
    start_read -> RegACM_wr(vals, x)
RegACM_r(val) =
    start_write?x -> RegACM_wr(union({x}, {val}), x)
    []
    end_read!val -> RegACM(val)
RegACM_wr(vals, x) =
    end_write -> RegACM_r_clashed(vals, x)
    []
    ([] z : vals @ end_read!z -> RegACM_w(vals, x))
RegACM_r_clashed(vals, x) =
    start_write?z -> RegACM_wr(union({z}, vals), z)
    []
    ([] z : vals @ end_read!z -> RegACM(x))
298 IEEE TRANSACTIONS ON COMPUTERS, VOL. 55, NO. 3, MARCH 2006
2. This specification corrects a fault in our earlier paper [7], which was
pointed out by an anonymous referee of an earlier version of this paper.
Fortunately, the fault does not undermine the results of that paper.
5.3 L-Atomicity
A mechanism which is L-regular and which preserves the
sequencing of data passed through it is L-atomic. Therefore,
both the local and global definitions of freshness can be
determined by model-checking.
An alternative way of modeling (global) freshness is to
check whether the mechanism behaves like an asynchro-
nous reader and writer whose core state is modeled by an
H-atomic variable, as in the following definitions:
Core_H_Atomic_Var(var_name, val) =
    var_name.wr_op?x -> Core_H_Atomic_Var(var_name, x)
    []
    var_name.rd_op!val -> Core_H_Atomic_Var(var_name, val)
Read = start_read -> var_name.rd_op?val ->
       end_read!val -> Read
Write = start_write?val -> var_name.wr_op!val ->
        end_write -> Write
Core_H_Atomic_State =
    Core_H_Atomic_Var(var_name, 1)
LAtomicACM =
    (((Read ||| Write) [| {| var_name |} |]
      Core_H_Atomic_State) \ {| var_name |})
5.4 Relationships between the Specifications
A trace is the sequence of actions that a model (i.e., a CSP
process) can engage in. One model or process is said to
trace-refine another if all of the first model’s traces are valid
traces of the second model.
We have achieved some validation of these specifica-
tion models by showing that SemiRegACM is trace-refined
by RegACM and that RegACM is trace-refined by LAtomicACM,
as one would expect. Furthermore, by composing
LAtomicACM with 1) a writer which writes a mono-
tonically increasing sequence of values and 2) a reader
which fails if it does not read a weakly monotonically
increasing sequence and 3) then checking that the reader
does not fail, we have shown that LAtomicACM preserves
the ordering of data passed through it. As mentioned
above, this is another defining property of L-atomic
ACMs.
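The three specification processes of Sections 5.1 to 5.3 and the refinement relationships just described, as an added Python example rather than the paper's own CSP_M/FDR2 models: each specification becomes a step function over explicit states, a trace is accepted by tracking the set of states the nondeterministic process may be in, and a bounded search plays the role of FDR2's trace-refinement check. Channel names follow the paper; the state encodings, the hidden-event closure for LAtomicACM and the sample traces are this example's own construction.

```python
# Added example (not the paper's CSP_M/FDR2 models): SemiRegACM, RegACM and
# LAtomicACM as explicit-state step functions, a subset-construction trace
# acceptor, and a bounded stand-in for FDR2's trace-refinement check.
# Events: ("start_write", v), ("end_write",), ("start_read",), ("end_read", v).
# The ACM starts holding 1, as in SemiRegACM_Spec and RegACM(1).

def spec_step(state, ev, reset):
    """One step of SemiRegACM (reset=False) or RegACM (reset=True).  state =
    (mode, vals, v): sub-process name, the set a clashing read may return, and
    the current value.  The two differ only in whether vals accumulates every
    value ever written or is reset to {v} where no read (or write) is active."""
    mode, vals, v = state
    kind = ev[0]
    base = frozenset({v}) if reset else vals
    if mode == "idle":
        if kind == "start_write": return {("w", base | {ev[1]}, ev[1])}
        if kind == "start_read": return {("r", base, v)}
    elif mode == "w":                                # write active, no read
        if kind == "end_write": return {("idle", base, v)}
        if kind == "start_read": return {("wr", vals, v)}
    elif mode == "r":                                # read active, no write
        if kind == "start_write": return {("wr", base | {ev[1]}, ev[1])}
        if kind == "end_read" and ev[1] == v: return {("idle", base, v)}
    elif mode == "wr":                               # read and write overlap
        if kind == "end_write": return {("r_clashed", vals, v)}
        if kind == "end_read" and ev[1] in vals: return {("w", vals, v)}
    elif mode == "r_clashed":                        # read outlived a write
        if kind == "start_write": return {("wr", vals | {ev[1]}, ev[1])}
        if kind == "end_read" and ev[1] in vals: return {("idle", base, v)}
    return set()                                     # event refused here

def latomic_step(state, ev):
    """Visible events of LAtomicACM (Read ||| Write over an H-atomic variable).
    state = (var, rd, wr): rd is None, "started" or ("got", val); wr is None,
    ("pending", val) or "written"."""
    var, rd, wr = state
    kind = ev[0]
    if kind == "start_read" and rd is None: return {(var, "started", wr)}
    if kind == "end_read" and rd == ("got", ev[1]): return {(var, None, wr)}
    if kind == "start_write" and wr is None: return {(var, rd, ("pending", ev[1]))}
    if kind == "end_write" and wr == "written": return {(var, rd, None)}
    return set()

def latomic_tau(states):
    """Close under the hidden rd_op/wr_op events: a started read may take the
    value at any moment and a pending write may land at any moment, each
    atomically, so a clashing read sees either the old or the new value."""
    todo, closed = set(states), set()
    while todo:
        s = todo.pop()
        if s in closed: continue
        closed.add(s)
        var, rd, wr = s
        if rd == "started": todo.add((var, ("got", var), wr))
        if isinstance(wr, tuple): todo.add((wr[1], rd, "written"))  # pending
    return closed

def accepts(step, initial, trace, tau=lambda s: s):
    """True iff trace is a trace of the process (subset construction)."""
    states = tau({initial})
    for ev in trace:
        states = tau({t for s in states for t in step(s, ev)})
        if not states: return False
    return True

SPEC_INIT = ("idle", frozenset({1}), 1)
semireg_accepts = lambda tr: accepts(lambda s, e: spec_step(s, e, False), SPEC_INIT, tr)
reg_accepts = lambda tr: accepts(lambda s, e: spec_step(s, e, True), SPEC_INIT, tr)
latomic_accepts = lambda tr: accepts(latomic_step, (1, None, None), tr, latomic_tau)

def check_refinement(fine, coarse, depth, values=(1, 2, 3)):
    """Bounded analogue of the FDR2 check that `fine` trace-refines `coarse`:
    return the first trace of at most `depth` events that `fine` accepts and
    `coarse` refuses, or None if there is none up to that depth."""
    events = ([("start_write", v) for v in values] + [("end_write",), ("start_read",)]
              + [("end_read", v) for v in values])
    stack = [[]]
    while stack:
        tr = stack.pop()
        if len(tr) < depth:
            for ev in events:
                nt = tr + [ev]
                if fine(nt):
                    if not coarse(nt): return nt
                    stack.append(nt)
    return None

# Constructed sample traces.  STALE_CLASH: a read clashing with the write of 3
# returns 1, overwritten before the read began (semiregular yes, L-regular no).
# NEW_THEN_OLD: two reads clash with one write, the first returning the new
# value and the second the old one (L-regular yes, L-atomic no).
STALE_CLASH = [("start_write", 2), ("end_write",), ("start_read",),
               ("start_write", 3), ("end_read", 1)]
NEW_THEN_OLD = [("start_read",), ("start_write", 2), ("end_read", 2),
                ("start_read",), ("end_read", 1), ("end_write",)]
```

Running check_refinement with the finer specification first reproduces the chain SemiRegACM, RegACM, LAtomicACM reported above up to the chosen depth, and swapping the arguments yields a concrete trace such as STALE_CLASH or NEW_THEN_OLD as the counterexample.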
6 RESULTS OF MODEL-CHECKING ACMS
This section reports on the model-checking of a number of
ACMs in the literature against each of the main specifica-
tion properties (semiregular, L-regular, L-atomic) for each
of the nine shared bit models described in Section 4. Each
protocol is briefly described according to the classification
schemes of Section 3 and the results of the model-checking
that ACM are tabulated. These results were obtained using
the FDR2 model-checker from Formal Systems (Europe)
Ltd., [27], which performs an exhaustive check that all the
ACM’s traces are valid traces of the specification process.
Table 1 summarizes the properties of each bit model.
6.1 Lamport’s Regular ACM
In a seminal paper in 1986 [2], Lamport described various
protocols, including a multivalued L-regular ACM. It is not
a very practical ACM; for example, it requires n-bits to
communicate values from a data type with cardinality n.
However, the ACM by Kirousis et al. [9] is built on top of a
multivalued L-regular ACM, and, in particular, they
reference Lamport’s implementation.
The results of analyzing this multivalued L-regular
register are summarized in Table 2.
A number of things should be noted about these results.
First, the failures of the protocol when shared bits flicker are
due to our adoption of a simplistic model of the algorithm
given in [2]. The protocol would not fail in this way if, when
shared bits already contain the value to be written, the write
algorithm did not update them. Lamport himself advocates
this scheme [2].
Second, the protocol’s correctness in the presence of
metastability depends on how potentially metastable values
in conditional statements are modeled. The √* symbol is
used in the result tables for protocols which satisfy the
property if one of the defined branches of the conditional
statement is taken, but which may fail if an arbitrary
statement is executed.
TABLE 1: Descriptions of the Different Bit Models (table not reproduced)
Table 2 contains √* symbols because Lamport’s reader
algorithm uses the value of a (potentially metastable)
shared bit as the test for loop termination. When this is
understood as being a nondeterministic choice between the
two options of terminating the loop or continuing to execute
it (as in READER4 above), the protocol remains L-regular.
However, should this be modeled as allowing chaos (as in
READER5 above), the protocol fails to be data-coherent.
6.2 Simpson’s 4-Slot ACM
In 1987, Simpson described a “4-Slot” ACM, [8] and [3]. It is
a buffer-based, conflict-free, 1-Writer 1-Reader write-once,
read-once multivalued ACM. It is buffer-optimal because it
only uses four buffers (slots). It is particularly simple: The
write operation consists of only five actions and the read
operation only four and neither algorithm contains any
branching. It has been the subject of various academic
analyses, based on different assumptions and using various
technologies and techniques: [28], [29], [30], [31], [32], [26],
[33], [34], [20], [35], and [36].
It should be noted that Haldar and Vidyasankar’s
impossibility result (mentioned above in Section 3) applies
to the 4-Slot ACM. In other words, Simpson’s 4-slot cannot
be L-atomic if its shared bits are L-safe registers. Rushby’s
work [34] establishes that the 4-Slot does indeed fail to be
L-atomic when its shared bits are L-safe. However, with
models of bits which are arguably more realistic than the
L-safe model (as they assume well-handled metastability
and typical timing constraints), the 4-Slot ACM is L-atomic.
The full results of analyzing Simpson’s 1987 4-Slot mechan-
ism are summarized in Table 3. Note, row 2 of this table
confirms Rushby’s results, [34].
Simpson’s original 1987 4-Slot has therefore been shown
to be L-atomic (i.e., globally fresh, which entails data-
coherence) when modeled with the BITss and BITss meta
LB2 shared bit models. In other words, it is an L-atomic
variable providing that its bits are engineered to be flicker-
free variables and the bits are implemented in hardware in
such a way that at most one read of the bit can clash with
any write of that bit. As one would expect, this result is not
changed by metastability which decays into a binary value
before being used (the LB2 rows).
An important ramification follows from both: 1) the
4-Slot being L-atomic with BITss bits and 2) it not even
being L-regular for BITfm (L-safe) bits. Since BITss is a
perfectly reasonable requirement to place on hardware
implementations of a bit (as discussed in Section 4), the
analysis of protocols based on L-safe models of shared bits
may be pessimistic. This raises questions about the practical
relevance of L-atomic impossibility and optimality results
that are based on the assumption that bits are L-safe
variables.
Perhaps an even more important ramification arises from
the fact that, although the 4-Slot maintains data-coherence
with L-safe bits, it fails to do so for certain plausible models
of metastability (the LB1 rows). This means that analysis of
protocols based on L-safe models of shared bits may be
unduly optimistic. This therefore calls into question all
analysis based on the L-safe bit register assumption, which
has been a common assumption made in the literature.
It is interesting to note that, alone of the protocols
considered here, Simpson’s 4-Slot ACM does not require
any use of potentially metastable values to determine the
control-flow of either the reader or writer algorithms.
However, using potentially metastable values to determine
the value to be read may result (in some implementations)
in random memory locations being accessed with unknown
consequences.
6.3 Kirousis et al.’s ACM
Kirousis et al. introduced a protocol which they claim is
L-atomic in [9]. It is a multivalued, buffer-based, conflict-
free, write-once, and read-once ACM. It has four buffers, so
it is buffer-optimal. However, it is not immediately obvious
how many shared bits it uses as it exploits three shared
L-regular registers which can hold 13 different values.
Kirousis et al. suggest that these be implemented using
Lamport’s multivalued regular registers proposed in [2].
The results in Table 4 have been obtained by building the
KKV protocol out of Lamport L-regular registers.
TABLE 2: Lamport’s Regular ACM Analysis Results (table not reproduced)
TABLE 3: Simpson’s 4-Slot Analysis Results (table not reproduced)
Assuming we have understood and modeled this
protocol properly, we have shown that this relatively
complex ACM is flawed. It fails to be conflict-free for the
initializations given in the paper [9] for any of the bit
models. However, when the control variables are made
L-atomic and an initialization is adopted which is
compatible with ongoing behavior, we have shown that the
protocol is L-atomic. This, however, is a very weak result as
it only shows that this protocol implements a multivalued
L-atomic ACM when it is built out of multiple multivalued
L-atomic ACMs. Unfortunately, the table is incomplete
because we have not been able to determine whether the
protocol preserves data-coherence for any of the bit models.
Twin Pentium IV processors with 1Gb of RAM, running at
3GHz for 3 weeks with over 35Gb of disk space failed to
produce a result.
Our results emphasize the benefits of developing
machine-checked proofs of correctness of ACMs, rather
than relying on proof sketches. An informal “proof sketch”
or “rigorous argument” carries little conviction when
performed for such complex protocols. However, the failure
to obtain a result for a protocol the size of KKV underlines
the current limitations of model-checking.
6.4 Tromp’s Atomic Bit ACM
In [10], Tromp gives a protocol for an “atomic bit.” It is a
buffer-based protocol which consists of three shared bits,
one of the shared bits, “V,” being the buffer. Tromp
sketches a proof that it is indeed L-atomic [10]; however,
this proof clearly fails to take metastability into account. The
results of model checking Tromp’s Atomic Bit using the
same bit models introduced above are shown in Table 5.
It should be noted that the second row confirms Tromp’s
analysis that his protocol is L-atomic when bits are assumed
to be L-safe, i.e., when there is no metastability. However, it
is possible for this algorithm to return a metastable value
when unconstrained metastability may occur. If one accepts
that such values are (ultimately) binary ones and, hence,
should be modeled as a nondeterministically chosen binary
value, it can be concluded that Tromp’s bit algorithm is
L-regular even in the presence of rereadable metastability
(the LB1 rows). However, if such values are considered to
be a third (nonbinary) one, the protocol does not even
preserve data-coherence (hence the √* in the table).
It should be noted, however, that, when rereadable
metastability is present, this protocol fails to preserve
sequencing and, hence, fails to be L-atomic. This situation
corresponds to the read algorithm being executed so fast
that metastable values may be reread, inducing further
metastability throughout the algorithm. This confirms the
danger of omitting metastability from protocol analysis.
6.5 Tromp’s First 4-Track ACM
In [10], Tromp gives a 4-Track ACM which he builds on top
of his atomic bit ACM. It is a buffer-optimal buffer-based,
conflict-free, write-once, read-once multivalued ACM built
from four L-atomic bits (or expanding his atomic bit ACMs,
12 shared bits). He argues that it is L-atomic.
The results of model checking Tromp’s First 4-Track
ACM using the same bit models are shown in Table 6. The
model was constructed using a model of Tromp’s atomic bit
protocol analyzed above.
This shows that this protocol nominally works in the
presence of rereadable metastability (the LB1 rows). This is
surprising, given that Tromp’s paper gives no hint that
metastability was considered when the protocol was
developed. It is also surprising because it builds upon
Tromp’s atomic bit protocol, which itself fails to be L-atomic
in the presence of rereadable metastability.
It will be noted, however, that the results for all the
LB1 rows are again marked with a star. This is because
Tromp’s algorithm makes use of a variable which may be
metastable when it is used in a conditional check. When this
is modeled as a nondeterministic choice between the stated
branches, the protocol works; but, when an arbitrary
alternative behavior might result (modeled by the CHAOS
process), not surprisingly, the protocol fails. (See the
discussion in Section 4.7 above.)
TABLE 4: KKV’s ACM Analysis Results (table not reproduced)
TABLE 5: Tromp’s Atomic-Bit Analysis Results (table not reproduced)
TABLE 6: Tromp’s First 4-Track ACM Analysis Results (table not reproduced)
6.6 Tromp’s Efficient 4-Track ACM
In [10], Tromp also presents a variant of his 4-Track ACM
which uses fewer shared bits—only eight compared with
12. It is not built from Tromp’s Atomic Bit protocol, but
exploits the fact that the reader and writer cannot clash on
every shared bit. The results of model-checking Tromp’s
Efficient 4-Track ACM using the same bit models are shown
in Table 7.
These results show that Tromp’s Efficient 4-Track ACM
has similar behavior to his original 4-Track ACM; it is
equally impressive in handling all kinds of metastability,
but is open to the same possibility of failing with arbitrary
behavior in the presence of rereadable metastability.
6.7 Haldar and Subramanian’s ACM
Haldar and Subramanian introduced a multivalued, buffer-based
ACM in [11]. It is buffer-optimal and uses only four
shared bits. However, it is not write-once. It is, therefore,
not a counterexample to Haldar and Vidyasankar’s impos-
sibility result mentioned above, [23].
The results of model-checking Haldar and Subramanian’s
ACM using the same bit models are shown in Table 8.
The protocol works for all our bit models, except those
that support rereadable metastability (the LB1 rows).
7 CONCLUSIONS
This paper has shown that metastability and other hard-
ware timing constraints and behavior can be incorporated
into models used to analyze asynchronous wait-free
protocols. Furthermore, it has shown that there are strong
reasons for not continuing to use L-safe registers as a model
of shared bits in such algorithms. In summary, these
include the facts that:
1. the analysis may be pessimistic (the 4-Slot ACM was
shown not to be L-regular, although it is even
L-atomic under stronger but realistic assumptions);
2. the analysis may be optimistic (all the ACMs were
shown to have failure modes when metastability is
not contained); and
3. overly complex and inefficient ACMs may be
adopted, when smaller and more efficient
ACMs could be used. For example, Haldar
and Vidyasankar’s unpublished impossibility
result [23] shows that it is impossible to implement a
conflict-free, write-once and read-once ACM from only
four buffers and four L-safe control variables.
However, the 4-Slot ACM successfully uses only
four shared bits to control access to its four buffers.
It is not possible to conclude that any one ACM is better
than all its rivals in all circumstances from these results.
Haldar and Subramanian’s ACM and Simpson’s 4-Slot use
fewer control bits than Tromp’s Efficient ACM—four rather
than eight. The cost for Haldar and Subramanian’s ACM is
that it is not write-once; this might have unacceptable
performance implications when large data-structures are
being communicated. The cost for Simpson’s 4-Slot is that it
only works when bits are implemented so that they are
stable and at most one clash may occur while a bit is being
set. In the large class of implementations where this is true,
Simpson’s 4-Slot will be correct and more efficient than
Tromp’s. All the ACMs have difficulties when they are
executed so fast that metastable values may be reread
before they resolve into binary values. However, Simpson’s
4-Slot ACM does not exhibit the failure-mode by which a
metastable value may directly upset control flow. In
different cases, where BITss assumptions do not hold,
Tromp’s Efficient 4-Track algorithm is the most compre-
hensive and efficient alternative considered here.
This work has underlined that it would be desirable to
develop a collection of impossibility results for wait-free
protocols based on stronger models of bits such as the
BITss model.
ACKNOWLEDGMENTS
MBDA UK Ltd. and the BAESYSTEMS DCSC funded this
research.
REFERENCES
[1] G.L. Peterson, “Concurrent Reading while Writing,” ACM Trans.
Programming Languages and Systems, vol. 5, no. 1, pp. 46-55, Jan.
1983.
[2] L. Lamport, “On Interprocess Communication—Part 2: Algo-
rithms,” Distributed Computing, vol. 1, pp. 86-101, 1986.
[3] H. Simpson, “Four-Slot Fully Asynchronous Communication
Mechanism,” IEE Proc., vol. 137 Part E, no. 1, pp. 17-30, Jan. 1990.
TABLE 7: Tromp’s Efficient 4-Track ACM Analysis Results (table not reproduced)
TABLE 8: Haldar and Subramanian’s ACM Analysis Results (table not reproduced)
[4] M.B. Josephs, C. Hoare, and H. Jifeng, “A Theory of Asynchro-
nous Processes,” Technical Report PRG-TR-6-89, Programming
Research Group, Oxford Univ. Computing Laboratory, Feb. 1989.
[5] C. Hoare, “Monitors: An Operating System Structuring Concept,”
Comm. ACM, vol. 17, no. 10, pp. 549-557, 1974.
[6] R. Männer, “Metastable States in Asynchronous Digital Systems:
Avoidable or Unavoidable?” Microelectronic Reliability, vol. 28,
no. 2, pp. 295-307, 1988.
[7] S. Paynter, N. Henderson, and J. Armstrong, “Ramifications of
Metastability in Bit Variables Explored via Simpson’s 4-Slot
Mechanism,” Formal Aspects of Computing, vol. 16, no. 4, pp. 332-
351, Nov. 2004.
[8] H. Simpson, “Fully Asynchronous Communication,” Proc. IEE
Colloquium MASCOT in Real-Time Systems, May 1987.
[9] L. Kirousis, E. Kranakis, and P. Vitányi, “Atomic Multireader
Register,” Proc. Workshop Distributed Algorithms, pp. 278-296, 1987.
[10] J. Tromp, “How to Construct an Atomic Variable (Extended
Abstract),” Proc. Third Int’l Workshop Distributed Algorithms,
pp. 292-302, 1989.
[11] S. Haldar and P. Subramanian, “Space-Optimum Conflict-Free
Construction of Buffer-Optimal 1-Writer 1-Reader Multivalued
Atomic Variable,” Proc. Eighth Int’l Workshop Distributed Algo-
rithms (WDAG ’94), pp. 116-129, 1994.
[12] D.J. Kinniment, A. Bystrov, and A.V. Yakovlev, “Synchronization
Circuit Performance,” IEEE J. Solid-State Circuits, vol. 37, no. 2,
pp. 202-209, 2002.
[13] T.J. Chaney and C.E. Molnar, “Anomalous Behavior of Synchronizer
and Arbiter Circuits,” IEEE Trans. Computers, vol. 22, no. 4,
pp. 421-422, Apr. 1973.
[14] J.U. Horstmann, H.W. Eichel, and R.L. Coates, “Metastability
Behaviour of CMOS ASIC Flip-Flops in Theory and Test,” IEEE J.
Solid-State Circuits, vol. 24, no. 1, pp. 146-157, Feb. 1989.
[15] J. Kessels, “Register-Communication Between Mutually Asyn-
chronous Domains,” Proc. 11th Int’l Symp. Asynchronous Circuits
and Systems (ASYNC ’05), 2005.
[16] L.R. Marino, “General Theory of Metastable Operation,” IEEE
Trans. Computers, vol. 30, no. 2, pp. 107-115, Feb. 1981.
[17] L. Kleeman and A. Cantoni, “On the Unavoidability of Metastable
Behaviour in Digital Systems,” IEEE Trans. Computers, vol. 36,
no. 1, pp. 109-112, Jan. 1987.
[18] D.M. Chapiro, “Reliable High-Speed Arbitration and Synchroni-
zation,” IEEE Trans. Computers, vol. 36, no. 10, pp. 1251-1255, Oct.
1987.
[19] R. Ginosar, “Fourteen Ways to Fool Your Synchronizer,” Proc. 11th
Int’l Symp. Asynchronous Circuit and Systems (ASYNC ’03), pp. 89-
95, 2003.
[20] N. Henderson and S. Paynter, “The Formal Classification and
Verification of Simpson’s 4-Slot Asynchronous Communication
Mechanism,” Proc. 11th Int’l Symp. Formal Methods Europe (FME ’02),
L.-H. Eriksson and P. Lindsay, eds., pp. 350-369, 2002.
[21] S. Haldar and K. Vidyasankar, “Buffer-Optimal Constructions of
1-Writer Multireader Multivalued Atomic Shared Variables,”
J. Parallel and Distributed Computing, vol. 31, pp. 174-180, 1995.
[22] J.E. Burns and G.L. Peterson, “The Ambiguity of Choosing,” Proc.
Eighth Ann. Symp. Principles of Distributed Computing (PODC ’89),
pp. 145-157, 1989.
[23] S. Haldar and K. Vidyasankar, “Space-Optimal Buffer-Based
Conflict-Free Construction of 1-Writer 1-Reader Multivalued
Atomic Variables from Safe Bits,” unpublished paper, 2001.
[24] A. Roscoe, The Theory and Practice of Concurrency. Prentice Hall
Series in Computer Science, 1998.
[25] I. Clark, F. Xia, A. Yakovlev, and A. Davis, “Petri Net Models of
Latch Metastability,” Electronic Letters, vol. 34, no. 7, pp. 635-636,
1998.
[26] I. Clark, “A Unified Approach to the Study of Asynchronous
Communication Mechanisms in Real-Time Systems,” PhD dis-
sertation, London Univ., King’s College, May 2000.
[27] Failures-Divergence Refinement: The FDR 2.0 User Manual. Formal
Systems (Europe) Ltd., Aug. 1996.
[28] H. Simpson, “Correctness Analysis for Class of Asynchronous
Communication Mechanism,” IEE Proc., vol. 139 Part E, no. 1,
pp. 35-49, Jan. 1992.
[29] H. Simpson, “Role Model Analysis of an Asynchronous Commu-
nication Mechanism,” IEE Proc. Computers and Digital Techniques,
vol. 144, no. 4, pp. 232-240, July 1997.
[30] P. Brooke, J.L. Jacob, and J.M. Armstrong, “Analysis of the Four-
Slot Mechanism,” Proc. BCS-FACS Northern Formal Methods Work-
shop, 1996.
[31] P. Brooke, “A Timed Semantics for a Hierarchical Design
Notation,” PhD dissertation, Dept. of Computer Science, Univ.
of York, Apr. 1999.
[32] F. Xia and I. Clark, “Complementing the Role Model Method with
Petri Net Techniques in Studying Issues of Data Freshness of the
Four-Slot Mechanism,” Hardware Design and Petri-Nets, pp. 33-50,
Kluwer Academic, 2000.
[33] F. Xia, “Supporting the MASCOT Method with Petri Net
Techniques for Real-Time Systems Development,” PhD disserta-
tion, London Univ., King’s College, Jan. 2000.
[34] J. Rushby, “Model-Checking Simpson’s Four-Slot Fully Asynchronous
Communication Mechanism,” technical report, Computer
Science Laboratory—SRI Int’l, July 2002.
[35] N. Henderson, “Proving the Correctness of Simpson’s 4-Slot ACM
Using an Assertional Rely-Guarantee Proof Method,” FM 2003:
The 12th Int’l Formal Methods Europe Symp., 2003.
[36] N. Henderson, “The Formal Modelling and Analysis of an
Asynchronous Communication Mechanism,” PhD dissertation,
School of Computing Science, Univ. of Newcastle upon Tyne, Feb.
2005.
Stephen E. Paynter joined British Aerospace
Dynamics Ltd., a predecessor company to
MBDA UK Ltd., in 1980. In 1986, he received
the BSc degree in electrical and electronic
engineering from Brunel University, West Lon-
don, and, in 1993, the PhD degree from the
Mathematics Department of the University of
Southampton. Since 1991, he has been one of
the industrial customers for the DCSC at the
Universities of York and Newcastle. His re-
search interests include formal methods for real-time systems, the
semantics of software design notations, safety engineering for software
intensive systems, and asynchronous communication.
Neil Henderson worked in a leading UK clearing
bank from 1975 to 1994. He received the honours
degree in computing science from the University
of Newcastle upon Tyne in 1998 and subse-
quently joined the BAE SYSTEMS Dependable
Computing Systems Centre. He has recently
completed the PhD degree in formal specification
and analysis of asynchronous protocols at the
University of Newcastle upon Tyne. His research
interests include the use of formal methods for
specifying and analyzing the requirements and timing constraints of
safety critical distributed real-time systems and asynchronous commu-
nication mechanisms.
James M. Armstrong received the PhD degree
in software engineering from Brighton Polytech-
nic in 1991. His first postdoctoral research
position was at the Centre for Software Relia-
bility within the British Aerospace (BAE Systems
Ltd) Dependable Computing Systems Research
Centre (DCSC). He worked as a researcher at
the DCSC for eight and a half years. For three
years, he was the British Aerospace Lecturer in
Dependable Computing at Newcastle. He is now
a member of the BAE SYSTEMS Systems Engineering Innovation
Centre (SEIC) at Loughborough University.