Fault-tolerant critical section management in asynchronous environments  by Bar-Noy, Amotz et al.
INFORMATION AND COMPUTATION 95, 1-20 (1991)
Fault-Tolerant Critical Section Management 
in Asynchronous Environments 
AMOTZ BAR-NOY*
IBM T.J. Watson Research Center, P.O. Box 704, Yorktown Heights, New York 10598
DANNY DOLEV
IBM Almaden Research Center, 650 Harry Road, San Jose, California 95120 and
Computer Science Department, Hebrew University, Jerusalem, Israel
DAPHNE KOLLER†
Computer Science Department, Stanford University, Stanford, California 94305
AND
DAVID PELEG‡
Department of Applied Mathematics, The Weizmann Institute, Rehovot 76100, Israel
The paper deals with the problem of managing a fault-tolerant critical section in a completely asynchronous distributed network. The existence of a solution to this problem should be contrasted with a basic result of Fischer, Lynch, and Paterson, proving that in a completely asynchronous network, "nontrivial agreement" cannot be achieved even when only a single "benign" processor failure is possible. We present solutions to several versions of the critical section problem in this model. Denote by t the maximum number of possible faulty processors. Processors are allowed to fail while in the critical section, and therefore the critical section must have at least t + 1 slots. In the case where the slots are identical we present two algorithms which require t + 1 slots. The first is very simple, but requires every non-faulty processor to use the critical section infinitely often. The second solution allows non-faulty processors to quit. For distinct slots we present an algorithm that requires 2t + 1 slots. © 1991 Academic Press, Inc.
* This work was carried out while this author was visiting Stanford University. Supported in part by a Weizmann fellowship, by Contract ONR N00014-88-K-0166, and by a grant of Stanford Center for Integrated Systems.
† This work was carried out while this author was a student in the Computer Science Department, Hebrew University, Jerusalem.
‡ Part of this work was carried out while this author was visiting Stanford University. Supported in part by a Weizmann fellowship, by Contract ONR N00014-88-K-0166, and by a grant of Stanford Center for Integrated Systems.
0890-5401/91 $3.00
Copyright © 1991 by Academic Press, Inc.
All rights of reproduction in any form reserved.
1. INTRODUCTION 
An important issue in the theory of distributed systems is the extent to which processor cooperation and coordination can be achieved in the presence of faults. There are several parameters influencing this question. The first major parameter is the level of synchronism that exists in the system. A basic result [FLP] states that in a completely asynchronous system, a collection of n ≥ 3 processors cannot deterministically achieve "nontrivial consensus" in a faulty environment, even if at most one processor may fail, and even when this can only be a benign fail-stop fault (i.e., a faulty processor may only stop functioning completely at some stage). This result and later stronger versions of it [DDS] characterize agreement as a "possibly too powerful" goal, and force us to limit ourselves to weaker forms of processor cooperation, hoping that these will be sufficient for executing various common tasks within such a system.
In this paper we study the ability to achieve weak forms of cooperation in a completely asynchronous message passing environment. The paper deals with various algorithms for handling a basic task that requires a certain degree of processor cooperation: controlled access to a shared resource. This task is sometimes called critical section management. Sometimes it is necessary to achieve mutual exclusion for accessing the resource, i.e., at most one processor can be in the critical section at any time. This goal is obviously unachievable when processors may fail while inside the critical section. We consider an extension of the problem in which there are several copies or slots of the resource, and the number M of such slots bounds the number of processors allowed to concurrently access the resource. This models a common situation in parallel operating systems [PS, Ru], and was introduced first in [FLBB].
Note that most previous studies of the critical section problem assumed a shared memory (cf. [R]) and that no processor fails in the critical section. Failure within a critical section was studied in [DGS]. Recently, other achievable goals in faulty asynchronous message passing networks received some attention (cf. [ABDKPR, BW, BMZ, DLPSW, K]).
When possible access methodologies for a multi-slot resource are considered, there are two viable alternatives. One approach in designing the access algorithms asserts that a processor's responsibility is limited only to ensuring itself the right to enter the critical section, and it is not required to locate and secure itself a particular slot. This approach allows processors to view the critical section as a "black box," containing equal, externally indistinguishable slots. A more demanding approach requires the processor to be responsible for the entire assignment process, including finding itself a specific slot and making sure that this slot is not occupied by any other processor at the same time. Here, the processor views each slot as a distinct entity although all the slots might be functionally equivalent and interchangeable; e.g., a system with a number of identical servers, where the process has to choose a specific server. This is a common situation in operating systems.
The two approaches can be illustrated by considering the different procedures for buying a ticket for a bus ride or a flight. In the first case, the passenger needs only to make sure that there is room on the bus, and need not reserve a particular seat. In the second case, it is necessary to have a seat assignment before boarding the aircraft. This seemingly insignificant distinction turns out to have a considerable influence on complexity and algorithmic issues.
The identical-slot critical section problem (identical CS, for short) can be formalized by imposing the following three requirements:
1. Exclusion: At most M of the processors are in the CS at any given time.
2. Non-starvation: Every non-faulty processor that wants to enter the CS eventually succeeds.
3. Fairness: If a non-faulty processor p enters the CS, then it is among the first M processors according to a given priority rule.
Note that the fairness requirement alone does not prevent starvation. It could be the case that a processor has priority to access the CS but still cannot do this. In the sequel two priority rules are discussed in detail. Both rules are based on #p, the actual number of times that p has ever used slots of the CS. This is a natural criterion in an asynchronous system, where more widely used criteria (e.g., which process attempts to enter the critical section first) are very difficult to formalize. These rules imply the following two variants of the identical CS problem:
• The Global Identical CS: The variant based on the rule that processor p has higher priority than processor q whenever (#p, p) < (#q, q).¹
• The Transient Identical CS: The variant based on the rule that processor p has higher priority than processor q only if (#p, p) < (#q, q), p wants to enter the CS, and furthermore, q knows that fact.
An apparent limitation of the first rule is that it forces non-faulty processors to use the critical section infinitely often; if M non-faulty processors stop entering the critical section at some stage, then some time afterwards they will reach the highest priority and deadlock the system. This limitation does not exist with the second rule. On the other hand, when the second rule is used, sometimes a processor can effectuate its priority only after some other processors know that it wants to enter the critical section.
¹ Throughout the paper, whenever we compare two tuples (a_1, ..., a_k) and (b_1, ..., b_k), we assume a lexicographical ordering with the first component being the most significant.
A third variant of the problem is the distinct-slot critical section problem (distinct CS, for short). In this variant there are M distinguished slots 1, 2, ..., M, and the exclusion property is replaced by:
1′. Distinction: No two processors are simultaneously in the same slot.
Solving these versions of the critical section problems when all the processors are non-faulty is not difficult. In this paper we solve them in the presence of faulty processors, where the fault model assumed is fail-stop. In this model, a faulty processor may suddenly stop functioning, regardless of the state it is in. In particular, a processor may fail while in a critical section, as well as in the process of sending messages. Some of the algorithms can be extended to worse kinds of faults, such as Byzantine faults, where the faulty processors may be malicious and even collude to prevent a correct solution.
Throughout, n denotes the number of processors in the system and t is a prescribed upper bound on the number of faulty processors. These values are known to all the processors and the processors are named 1, ..., n.
Solutions to the CS problems should strive to minimize M. However, there may be as many as t faulty processors in the system, and each of them might stop functioning while inside the critical section. The asynchronous model implies that one cannot distinguish between a faulty processor and a slow one. Therefore, any algorithm needs at least t + 1 slots in order to prevent starvation. This proves:
PROPOSITION 1.1. Any algorithm for either of the critical section problems requires M ≥ t + 1 slots.
Clearly, if M ≥ n we can dedicate a distinct slot to each processor and trivially meet all the requirements. Thus Proposition 1.1 is complemented by the following:
PROPOSITION 1.2. There exists an algorithm for either of the critical section problems using M = n slots.
In the case of the Byzantine fault model, we can prove a stronger lower bound on M. According to Proposition 1.1, there are at least t + 1 slots which are open to competition to all processors. If we assume that a faulty processor can enter the critical section without any of the other processors being aware of the situation, then the t faulty processors can secretly take up t additional slots, thus creating a situation where there are 2t + 1 processors in the critical section at the same time. This proves:
PROPOSITION 1.3. In the presence of Byzantine faults, any algorithm for either variant of the identical critical section problem requires M ≥ 2t + 1 slots.
A few of the algorithms presented for the identical CS problem overcome Byzantine faults as they are, given t additional slots. We note that the bound on the number of non-faulty processors in the critical section remains the same in both environments. The t additional slots are required for the faulty processors only.
Another consideration besides the number of required slots is the amount of memory and communication used by the algorithm. The definition of fairness necessitates the usage of an internal memory proportional to the number of processors and the number of times that the processors have accessed the critical section. Nevertheless, it does not impose the use of messages of that size. The issue of message complexity will not be discussed in this paper.
Let us now list the results presented in the paper. For the global identical CS problem, our basic algorithm requires M = t + 1, matching the above lower bound. This algorithm is very simple and the size of the messages is only one bit. The algorithm overcomes Byzantine faults as well, using 2t + 1 slots. In this algorithm each processor is required to maintain information about the usage of the critical section by all the other processors. Next, we present an algorithm for the transient identical CS problem. In this algorithm each processor p stores locally only #p, the number of times it has used the critical section, and collects additional information only when it wants to use the CS. This algorithm also requires M = t + 1 slots, but the size of its messages is proportional to the number of times processors have accessed the critical section. Another, simpler, algorithm for the transient identical CS problem, which requires M = 2t + 1 slots, is described. The latter overcomes Byzantine faults using 3t + 1 slots.
For the distinct CS case we provide an algorithm that uses M = 2t + 1 slots. This algorithm again requires the processors to access the critical section infinitely often and to use internal memory and message size proportional to the numbers #p. Also, there is still a gap between our upper and lower bounds for M in this problem, as we cannot prove any lower bound other than that of Proposition 1.1.
The general strategy for solving the distinct CS problem is somewhat similar to that presented in the renaming algorithm of [ABDKPR], where selecting a slot is analogous to deciding a new name. A major difference between the two problems is that in the renaming problem, the entire process is done only once, and processors do not change their names once they decide on them. The need to repeatedly access the CS and the non-starvation requirement prevent us from using the solution to the renaming problem.
The system model is the standard asynchronous model [FLP, DDS]. Each processor has a message buffer modeled as an unordered set; sending a message to processor p is represented as appending the message to p's buffer. In each step the processor either receives or sends messages, but not both (i.e., we assume non-atomic receive/send). When receiving, it reads some arbitrary (possibly empty) subset of the messages in its buffer; when sending, it can only transmit a message to a single processor. There are no restrictions or assumptions on the order in which messages are received, nor are there any restrictions on the order in which processors take steps, except that each non-faulty processor takes an infinite number of steps during any infinite run. In addition, every message sent from a non-faulty processor to another non-faulty processor will eventually be received.
Section 2 describes the solution for the global identical CS problem. The 
two algorithms for the transient identical CS problem are presented in 
Section 3. The solution for the distinct CS problem is given in Section 4. 
2. THE GLOBAL IDENTICAL CS PROBLEM 
This section presents a simple algorithm named GICS for the 
global identical CS problem with M = t + 1. The result matches the lower 
bound of Proposition 1.1. The algorithm requires every processor to 
attempt entering the critical section infinitely often, in order to guarantee 
non-starvation. 
The main idea of our algorithm is that upon leaving the CS, a processor sends a one-bit message notifying the others. Each processor p maintains a vector C_p of counters. The qth entry of this vector, C_p(q), accumulates the number of notifications received by p from every other processor q. The following simple fact makes these estimates useful by relating them to the actual number of times (denoted by #q) each processor q entered the critical section.
Fact 2.1. For every two processors p, q, at any time,
1. C_p(q) ≤ #q, and
2. C_p(p) = #p.
In every counter vector C_p, the processors q are ordered dynamically by the pairs (C_p(q), q). Note that this is a logical ordering, not a physical one. We refer to it as the local ordering of p. The local rank of a processor q in a vector C_p (in this local ordering) is denoted by R_p(q). Also, the global rank of a processor q in the global ordering of the pairs (#q, q) is denoted by R_#(q).
COROLLARY 2.1. For every processor p, at any time, R_p(p) ≥ R_#(p).
Proof. Suppose that R_#(p) = i. This means that there are exactly i − 1 other processors q such that (#q, q) < (#p, p). By Fact 2.1, for each such processor q,
(C_p(q), q) ≤ (#q, q) < (#p, p) = (C_p(p), p),
so each such q also precedes p in the local ordering of p. This completes the proof since then necessarily R_p(p) ≥ i. ∎
These relationships imply that the local estimates made by a processor 
p about its global rank are conservative, in the sense that it always 
ranks itself no lower than its real place. Thus if the estimates 
maintained by p indicate that its rank is t + 1 or less, then it can safely 
enter the critical section. 
Let us now give a formal description of the algorithm.
ALGORITHM GICS. /* For a processor p */
1. /* Initialization */
Create a vector C_p of length n. Set each entry to 0.
2. /* An attempt to enter the CS */
(a) If you receive a message "1" from q, then C_p(q) ← C_p(q) + 1.
(b) If R_p(p) ≤ t + 1 then goto 3.
3. /* Entering the critical section */
(a) Enter the critical section.
(b) Upon leaving the CS: send "1" to everyone; C_p(p) ← C_p(p) + 1; and goto 2.
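As an added illustration (my own code, not part of the paper), the following Python simulation runs algorithm GICS under a random asynchronous scheduler with delayed, unordered delivery and fail-stop crashes, including crashes inside the CS and in the middle of the "1" broadcast, and re-checks Fact 2.1, Corollary 2.1 and the t + 1 exclusion bound after every step. The class names, the crash probabilities and the sample run parameters are assumptions of this example.

```python
import random


class GICSProcessor:
    """Local state of one processor p running algorithm GICS."""

    def __init__(self, pid, n, t):
        self.pid, self.n, self.t = pid, n, t
        self.C = [0] * n        # C_p(q): "1" notifications received from q; C_p(p) = #p (Step 1)
        self.in_cs = False

    def local_rank(self, q):
        """R_p(q): 1-based position of q in the lexicographic order of the pairs (C_p(q), q)."""
        key = (self.C[q], q)
        return 1 + sum(1 for r in range(self.n) if (self.C[r], r) < key)

    def on_notification(self, q):           # Step 2(a)
        self.C[q] += 1

    def try_enter(self):                    # Step 2(b): enter iff the local rank is t + 1 or less
        if not self.in_cs and self.local_rank(self.pid) <= self.t + 1:
            self.in_cs = True
        return self.in_cs

    def leave(self):                        # Step 3(b); the caller delivers the "1" messages
        self.in_cs = False
        self.C[self.pid] += 1


class GICSRun:
    """Random scheduler: arbitrary interleavings, unordered delayed delivery, fail-stop crashes."""

    def __init__(self, n, t, faulty, seed=0):
        assert len(faulty) <= t
        self.n, self.t, self.rng = n, t, random.Random(seed)
        self.procs = [GICSProcessor(p, n, t) for p in range(n)]
        self.faulty, self.crashed = set(faulty), set()
        self.uses = [0] * n                      # #p, the true number of completed CS visits
        self.inbox = {p: [] for p in range(n)}   # undelivered "1" messages, stored as sender ids

    def global_rank(self, q):
        """R_#(q): position of q in the global order of the pairs (#q, q)."""
        key = (self.uses[q], q)
        return 1 + sum(1 for r in range(self.n) if (self.uses[r], r) < key)

    def in_cs_count(self):
        return sum(1 for pr in self.procs if pr.in_cs)   # a crashed occupant still holds its slot

    def check_invariants(self):
        assert self.in_cs_count() <= self.t + 1, "exclusion (Lemma 2.1) violated"
        for pr in self.procs:
            p = pr.pid
            assert all(pr.C[q] <= self.uses[q] for q in range(self.n)), "Fact 2.1(1)"
            assert pr.C[p] == self.uses[p], "Fact 2.1(2)"
            assert pr.local_rank(p) >= self.global_rank(p), "Corollary 2.1"

    def step(self):
        p = self.rng.choice([q for q in range(self.n) if q not in self.crashed])
        pr, r = self.procs[p], self.rng.random()
        if p in self.faulty and r < 0.01:
            self.crashed.add(p)                  # fail-stop in any state, possibly inside the CS
        elif self.inbox[p] and r < 0.5:          # receive an arbitrary non-empty subset of the buffer
            self.rng.shuffle(self.inbox[p])
            k = self.rng.randint(1, len(self.inbox[p]))
            for q in self.inbox[p][:k]:
                pr.on_notification(q)
            del self.inbox[p][:k]
        elif pr.in_cs:                           # Step 3(b): leave and notify everyone with a "1"
            pr.leave()
            self.uses[p] += 1
            targets = [q for q in range(self.n) if q != p]
            self.rng.shuffle(targets)
            if p in self.faulty and self.rng.random() < 0.2:   # fail-stop in the middle of the broadcast
                targets = targets[: self.rng.randint(0, len(targets) - 1)]
                self.crashed.add(p)
            for q in targets:
                self.inbox[q].append(p)
        else:
            pr.try_enter()
        self.check_invariants()

    def run(self, steps):
        for _ in range(steps):
            self.step()
        return self.uses


if __name__ == "__main__":
    run = GICSRun(n=6, t=2, faulty=[1, 4], seed=7)
    print("CS visits per processor:", run.run(4000), "crashed:", sorted(run.crashed))
```

The non-starvation property shows up as every non-faulty processor's visit count growing, even when both faulty processors crash while holding a slot.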
In order to prove the correctness of the algorithm we need to show that the algorithm guarantees exclusion, non-starvation, and fairness.
LEMMA 2.1 (Exclusion). In every run of algorithm GICS, at most t + 1 processors are in the critical section at any given time.
Proof. Assume to the contrary that t + 2 or more processors are present in the critical section at a certain time, in some run of the algorithm. Let p be the processor with the largest global rank R_#(p) among these processors at that time. Necessarily R_#(p) ≥ t + 2. It follows from Corollary 2.1 that also R_p(p) ≥ t + 2. Since C_p(p) is unchanged while p is in the CS and the other entries of C_p only grow, R_p(p) cannot have increased since p entered. Hence p should not have entered the critical section; a contradiction. ∎
LEMMA 2.2 (Non-starvation). In every run of algorithm GICS every non-faulty processor enters the critical section an infinite number of times.
Proof. Assume, seeking to establish a contradiction, that starvation has occurred in some run of the algorithm and let p be the processor with the minimal global rank R_#(p) among the starved processors. Eventually, for every non-starved non-faulty processor q, #q > #p, because every non-starved non-faulty processor uses the critical section infinitely often. At some later time the appropriate notifications reach p and are reflected in C_p, i.e., C_p(q) > C_p(p) for every non-starved non-faulty processor q. There are at most t faulty processors whose messages may not reach p from some point on. Therefore the local rank of p, R_p(p), eventually becomes t + 1 or smaller, and p should enter the CS; a contradiction. ∎
LEMMA 2.3 (Fairness). In any run of algorithm GICS, if a processor p enters the critical section, then its global rank satisfies R_#(p) ≤ t + 1.
Proof. If p enters the CS then its local rank satisfies R_p(p) ≤ t + 1. By Corollary 2.1 this is true also globally (i.e., R_#(p) ≤ t + 1). ∎
Theorem 2.1 follows from Lemmas 2.1, 2.2, and 2.3.
THEOREM 2.1. Algorithm GICS solves the global identical CS problem with t + 1 slots.
Note that if M = 2t + 1, this algorithm is correct even when the faulty processors are malicious, as long as a non-faulty processor can always identify the immediate sender of any message it receives.
Though this algorithm achieves our definition of fairness, it is only weak fairness, as it does not ensure that processors enter the critical section in the right order. Under this definition, a processor can wait an arbitrarily long (though finite) amount of time, while processors with lower priority enter the critical section. A slightly stronger notion of fairness requires that if a non-faulty processor p enters the CS, then every processor q with higher priority than p enters the CS when it receives all the messages in transit for it. Note that under this definition there might also be some time in which the fairness is not perfect. It is possible that a processor enters the CS before some other with higher priority, but this is unavoidable in a completely asynchronous system. The GICS algorithm can easily be extended to achieve this notion of fairness, using simple message forwarding. This extension is only valid in a fail-stop fault model.
3. THE TRANSIENT IDENTICAL CS PROBLEM
3.1. The M = t + 1 Algorithm
Algorithm GICS, presented in the previous section, has two main drawbacks. First, it requires every processor to try to enter the critical section infinitely often, in order to guarantee non-starvation. Second, each processor has to handle every message it receives. The correctness of the algorithm depends heavily on a processor's updating its data structure upon receiving every message. Without this update it cannot reflect the state of other processors. Algorithm TICS, described below, solves the CS problem with the transient fairness property and does not have these drawbacks.
In algorithm TICS, processors that do not want to access the CS are asked only to reply by sending some acknowledge message, and do not need to maintain any information about other processors. The algorithm requires t + 1 slots. Whenever a processor intends to use the CS, it registers itself by sending an appropriate message to every processor. Only processors that at present want to use the CS need to keep track of how many times each processor has visited the CS. Every other processor stores only the number of times it has previously visited the CS.
In the previous algorithm GICS, whenever a processor finds itself ranked t + 1 or less in the global ordering of the pairs (#q, q), it may safely enter the critical section. The transient rule for fairness does not allow us to use such a simple criterion. A processor needs to inform others that it intends to access the CS. Similarly, before entering the CS, it has to make sure that no processor of higher priority has changed its state. Thus, the process of entering the CS is composed of two rounds of acknowledgment collection. This process is best described by identifying special states through which the processor has to go. Each processor is initially in PASSIVE state. A processor p that wishes to enter the CS first changes its state into REGISTERING and sends announcements informing all other processors of its wish. It then has to await acknowledgements for its announcement. These acknowledgments enable p to collect information regarding other processors' states. It switches into the state TRYING when it finds itself ranked t + 1 or less among the processors that want to enter the CS. Upon entering state TRYING, p has to start a second round of sending announcements and awaiting acknowledgements. If, while collecting these acknowledgements, p learns of any higher priority processor that changed its state, it has to return to state REGISTERING and go through the entire process once again. The delicate part of the algorithm is to guarantee the Exclusion Property.
Let us now give a slightly more formal definition of the various states and messages used in the algorithm. Every processor can be in one of four states:
• PASSIVE (not interested at the moment), encoded by 3.
• REGISTERING (to enter the CS), encoded by 2.
• TRYING (to enter the CS), encoded by 1.
• ACCESSING (at present in the CS), encoded by 0.
There are two types of messages sent by processors. Announcement messages of the form "(S, c)," where S is the current state of the sender and c is its counter, and acknowledgment messages of the form "(S, c, S′, c′)," sent as a reply to an announcement message "(S, c)," where S′ and c′ are the state and counter of the replying processor, defined as above.
During any run of the algorithm processors may send the same announcement message more than once. Therefore, they need to be able to associate each acknowledgment with the appropriate announcement in order to recognize when an acknowledgment to the current announcement is received. This can be achieved by either adding a counter to messages, or assuming FIFO on the lines and counting the acknowledgments received. It can also be solved by transmitting an announcement only after the acknowledgment to the previous announcement is received. Applying the last method to the algorithm does not require storing all outstanding announcements; it is sufficient to remember the last one. Throughout the algorithm we assume that one of these methods is applied. Hence, a processor eventually receives an acknowledgment to its last announcement from any non-faulty processor.
While a processor p attempts to enter the CS, it maintains three vectors, K_p, S_p and C_p, each of length n, containing information about the other processors. The vector C_p is as in the previous section, and S_p(q) records the state that q last reported to p. The qth entry of K_p indicates whether q has acknowledged knowing that p is in a REGISTERING or TRYING state (encoded by K_p(q) = 1), or such an acknowledgement has not arrived at p yet (encoded by K_p(q) = 0). Throughout the run of the algorithm, each processor maintains information about itself (even when it is in state PASSIVE). The initial values are K_p(p) = 1, S_p(p) = 3, C_p(p) = 0. Thus, every processor starts in a PASSIVE state with a zero counter.
Denote by DB_p the database that processor p holds, i.e., the above three vectors. In every database DB_p the processors q are ordered dynamically by the quadruples
(K_p(q), S_p(q), C_p(q), q).
The rank of a processor q in a database DB_p (in this ordering) is denoted by R_p(q).
Each processor is instructed by the algorithm to respond to certain 
messages arriving while it is in certain states, but is allowed to ignore these 
messages while being in other states. Consequently, the description of the 
algorithm prefixes each instruction by the states in which that instruction 
is applicable. 
ALGORITHM TICS. /* For a processor p */
1. /* Initialization */
Create vectors K_p, S_p and C_p of length n. K_p(p) ← 1; S_p(p) ← 3; C_p(p) ← 0.
2. In every state:
/* acknowledgements and book-keeping */
if you receive "(s, c)" from q then
(a) Send "(s, c, S_p(p), C_p(p))" to q.
(b) if not in state PASSIVE and c > C_p(q) (not an old message) then C_p(q) ← c; S_p(q) ← s.
3. In state PASSIVE:
if you want to enter the CS then
(a) Change your state to REGISTERING (S_p(p) ← 2).
(b) Send "(S_p(p), C_p(p))" to every processor.
(c) For every processor q initialize the vectors: K_p(q) ← 0; S_p(q) ← ∅; C_p(q) ← −1.
4. In state REGISTERING:
(a) If you receive "(s, c, s′, c′)" from q such that s = S_p(p) and c = C_p(p), then K_p(q) ← 1; C_p(q) ← c′; S_p(q) ← s′.
(b) If R_p(p) ≤ t + 1 then
i. Change your state to TRYING (S_p(p) ← 1).
ii. For every q, K_p(q) ← 0.
iii. Send "(S_p(p), C_p(p))" to every processor.
5. In state TRYING:
(a) If you receive "(s, c, s′, c′)" from q such that s = S_p(p) and c = C_p(p), then K_p(q) ← 1; C_p(q) ← c′; S_p(q) ← s′.
(b) If an announcement message was received from some q such that (C_p(q), q) < (C_p(p), p), then
i. Change your state to REGISTERING (S_p(p) ← 2).
ii. For every q, K_p(q) ← 0.
iii. Send "(S_p(p), C_p(p))" to every processor.
(c) If R_p(p) ≤ t + 1 then
i. Change your state to ACCESSING (S_p(p) ← 0).
ii. Enter the CS.
6. In state ACCESSING:
upon leaving the CS:
(a) Change your state to PASSIVE (S_p(p) ← 3).
(b) C_p(p) ← C_p(p) + 1.
(c) Send "(S_p(p), C_p(p))" to every processor.
LEMMA 3.1 (Exclusion). In every run of algorithm TICS at most t + 1 processors are in the critical section at any given time.
Proof. Assume to the contrary that there is a set Z of t + 2 processors in the critical section at a certain time in some run. Let p be the last processor from this set that changed its state from REGISTERING to TRYING before accessing the critical section. Since p accessed the critical section, there must be a processor q in the set Z such that, according to the data in p's vectors just before switching from TRYING to ACCESSING, q is ranked after p, i.e., (K_p(p), S_p(p), C_p(p), p) < (K_p(q), S_p(q), C_p(q), q). As K_p(p) = 1 we conclude that K_p(q) = 1 and S_p(q) ≥ S_p(p) = 1. On the other hand, S_p(q) was extracted by p from an acknowledgement sent by q. This acknowledgment was sent in response to an announcement sent by p after switching into state TRYING (in Step 4(b)). Since p was the last to change its state into TRYING, it follows that q was already TRYING or ACCESSING, i.e., S_p(q) ≤ 1. Thus, necessarily S_p(q) = S_p(p) = 1. Hence it should be the case that (C_p(p), p) < (C_p(q), q). But then if q had received p's announcement while being in state TRYING, the algorithm instructs q (in Step 5(b)) to change its state back to REGISTERING and retry. Thus if q is in the CS now, it must have switched back into TRYING after p had already done so, contradicting the assumption that p was the last to switch from REGISTERING to TRYING. ∎
LEMMA 3.2 (Non-Starvation). In every run of algorithm TICS every non-faulty processor that wants to enter the critical section eventually succeeds.
Proof. Assume to the contrary that starvation has occurred in some run of the algorithm. Let p be the non-faulty processor with the smallest pair (#p, p) among the starved processors. Eventually, for every non-faulty processor q, (C_p(q), q) will be greater than (C_p(p), p). When this happens, p will no longer return from state TRYING to state REGISTERING, and therefore will access the CS after all the non-faulty processors acknowledge its trying announcement; a contradiction. ∎
LEMMA 3.3 (Fairness). In every run of algorithm TICS, if a non-faulty processor p enters the CS, then at the time p enters the critical section, there is a slot available for every processor with higher priority that wants to use the critical section.
Proof. If (#q, q) < (#p, p) and q wants to enter the CS and p knows that, then by definition q has higher priority than p. If S_p(q) ≤ S_p(p), then q appears before p in p's database, and p takes q into account (and leaves it a slot) when it decides to enter the CS. If S_p(q) > S_p(p), then since q is not in state PASSIVE, necessarily p's state is TRYING. But then when p gets q's announcement, it will return to state REGISTERING (Step 5(b)), which reduces to the first case. ∎
Theorem 3.1 follows from Lemmas 3.1, 3.2, and 3.3.
THEOREM 3.1. Algorithm TICS solves the transient identical CS problem with t + 1 slots. ∎
3.2. The M = 2t + 1 Algorithm
In algorithm TICS, state TRYING is necessary because the CS has only t + 1 slots. In the case where M = 2t + 1, one can implement the transient rule for fairness without state TRYING, i.e., with only one round of announcements and acknowledgements. The necessary modifications involve canceling Steps 4(b)(ii), 4(b)(iii), and 5 of the algorithm; in Step 4(b)(i), instead of entering state TRYING, the processor directly switches into state ACCESSING. We refer to this modified algorithm as algorithm TICS-1.
In order to prove that algorithm TICS-1 is correct, it suffices to prove the exclusion property. The proofs for the non-starvation and fairness properties remain as for algorithm TICS.
LEMMA 3.4 (Exclusion). In every run of algorithm TICS-1 at most 2t + 1 processors are in the critical section at the same time.
Proof. Assume to the contrary that there are 2t + 2 processors in the critical section at a certain time in some run. Construct the following directed graph over the set of the processors that are in the critical section. The directed arc (p, q) is in the graph if in p's database (K_p(p), S_p(p), C_p(p), p) < (K_p(q), S_p(q), C_p(q), q). It is impossible that in this graph the arcs (p, q) and (q, p) occur together (but it might be that there is no arc between p and q).
Each processor draws at least t + 1 outgoing arcs from itself, otherwise it cannot enter the CS. Therefore, there exists at least one processor with indegree at least t + 1, which should prevent it from entering the CS; a contradiction. ∎
Theorem 3.2 follows from Lemmas 3.4, 3.2 and 3.3. 
THEOREM 3.2. Algorithm TICS-1 solves the identical CS problem with 2t + 1 slots. □
When M = 3t + 1, Algorithm TICS-1 is correct even when faulty processors are malicious, as long as a non-faulty processor can identify the immediate sender of any message it receives. Algorithm TICS cannot overcome Byzantine faults, because a faulty processor can force a non-faulty processor to continually retry entering the CS without success (i.e., switching between the states TRYING and REGISTERING).
4. THE DISTINCT CS PROBLEM
In this section we present an algorithm named DCS for the distinct CS problem using M = 2t + 1 slots. Following Proposition 1.2 we assume that n > 2t + 1. The set of slots is denoted by S = {1, ..., 2t + 1}. Throughout the execution of the algorithm each processor p maintains three vectors X_p, J_p, and C_p, each of n entries, containing information about the system's status. The processors dynamically update their vectors by exchanging them with all the others. Specifically, the information kept by p is the following:
1. X_p(q) -- a slot suggested by q.
2. J_p(q) -- a running counter of suggestions.
3. C_p(q) -- the number of times processor q has previously used the CS, according to p's knowledge.
Initially, the vectors held by p are set to the appropriate null values. Denote by DB_p the database that processor p holds, i.e., the above three vectors. In addition, p maintains a collection U_p of n databases, such that U_p(q) is the last database that p has received from q, and U_p(p) is p's current database.
In every database DB_p the processors q are ordered dynamically by the pairs (C_p(q), q). The rank of a processor q in a database DB_p (in this ordering) is denoted by R_p(q). The set left_p(q) contains all processors in DB_p with rank less than or equal to that of q (i.e., left_p(q) = {q' | R_p(q') ≤ R_p(q)}).
DEFINITION 4.1. Suppose p holds the database DB_p. The database DB is a supporting database for DB_p if it contains identical information about all the processors in left_p(p).
Since t processors might be faulty, a processor cannot expect to get messages from more than n - t - 1 other processors. Thus, after receiving n - t - 1 supporting versions of its database from other processors, it is useless to wait for more information (which might never arrive), and the processor should take some action. This observation leads us to define the notion of a left-stable database.
DEFINITION 4.2. A database DB_p is left-stable with respect to p in a given run of the algorithm if p has n - t supporting databases (its own database DB_p counted among them) in its collection of databases, U_p. The database DB is left-stable if it is left-stable w.r.t. some processor p.
The process of selecting a slot and entering the CS can be sketched as follows. A processor p is required to exchange information with other processors until it reaches a left-stable database DB_p, and then to suggest a slot based on this stable information. Again, p exchanges information with other processors until it reaches a left-stable database. Now p has to review its suggestion by checking whether it currently collides with suggestions made by other processors. If there are no collisions, the processor p decides on its slot and proceeds to enter the critical section. Otherwise, it has to suggest a new slot and repeat the whole process.
The general strategy of algorithm DCS is thus somewhat similar to that of the renaming algorithm of [ABDKPR], and selecting a slot is analogous to deciding a new name. A major difference between the two problems is that in the renaming problem, the entire process is done only once, and processors do not change their names once they decide on them. This simplifies the solution by allowing stabilization on the entire database. The need to repeatedly recompute stable databases while processors change their priorities every once in a while is responsible for the additional complication of having to consider only the "lower" part of the database.
We need a certain partial ordering on databases. This ordering reflects the accumulation of knowledge by the processors. Intuitively, DB_q ≥ DB_p means that DB_q is more updated than DB_p. The ordering is defined as follows.
DEFINITION 4.3. The information about processor r is more updated in DB_q than in DB_p, denoted by DB_q ≥_r DB_p, if (C_q(r), J_q(r)) ≥ (C_p(r), J_p(r)).
In order to suggest a new slot, p should know all the slots that are suggested and that appear in any of its supporting databases. We define free(DB) for any database DB as the list of the slots that do not appear as suggestions in its slot-suggestions vector X, and free(p, U_p) as the list of the slots that appear in free(DB_q) for every supporting database DB_q that appears in the collection U_p.
ALGORITHM DCS /* For a processor p. */
1. /* Initialization */
   Construct an initial DB_p and U_p. Set all entries to 0.
2. /* A new attempt to enter the CS */
   (a) Send DB_p to every other processor.
   (b) U_p(p) ← DB_p.
3. Wait until you receive a message DB_q from some processor q.
   (a) /* test if DB_q is more updated */
       i. U_p(q) ← DB_q.
       ii. For every processor r such that DB_q ≥_r DB_p:
           update C_p(r) ← C_q(r); J_p(r) ← J_q(r); X_p(r) ← X_q(r).
       iii. U_p(p) ← DB_p.
       iv. If DB_p has been modified, send it to every other processor.
   (b) /* p tests if it has more support */
       If the number of supporting databases in U_p is n - t, then goto 4 else goto 3.
4. /* DB_p is a left-stable database */
   If a slot X_p(p) has previously been suggested, and this slot is different from any suggested slot X_q(r) for any r and any q such that DB_q ∈ U_p is a supporting database for DB_p, then goto 5, else goto 6.
5. /* Entering the critical section */
   (a) Enter slot number X_p(p) of the critical section.
   (b) Upon releasing this slot and leaving the CS:
       X_p(p) ← 0; C_p(p) ← C_p(p) + 1; J_p(p) ← 0; and goto 2.
6. /* otherwise, p needs to suggest a new slot */
   (a) If R_p(p) > min{t + 1, |free(p, U_p)|} /* no suggestion possible */
       then: X_p(p) ← 0; and goto 2.
   (b) X_p(p) ← the R_p(p)-th slot in free(p, U_p).
   (c) J_p(p) ← J_p(p) + 1.
   (d) Goto 2.
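The following Python model is an added illustration and is not code from the paper: it encodes the rank ordering, Definitions 4.1 to 4.3, the lists free(DB) and free(p, U_p), and the decision a processor takes in Steps 4 and 6 once its database is left-stable. All names (Entry, rank, left_set, supports, supporting, left_stable, more_updated, merge, free_slots, free_common, next_action, demo) are my own; the message exchange of Steps 2 and 3 is not simulated, the collections U_p are handed in already built, and the scenario in demo() is constructed data for n = 4, t = 1, M = 3. Two readings of mine are marked in the code: the pairs of Definition 4.3 are compared lexicographically, and the test of Step 4 compares X_p(p) only against suggestions of processors r ≠ p, since every supporting database carries p's own entry.

```python
# Added example, not the paper's own code: a model of the DCS databases.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """One processor's row in a database: the (X, J, C) triple of Section 4."""
    x: int  # X(q): slot suggested by q, 0 = no suggestion
    j: int  # J(q): running counter of q's suggestions
    c: int  # C(q): completed CS uses of q, as known to the database holder

def rank(db, q):
    """R_p(q): position of q when processors are ordered by (C(q), q); ranks start at 1."""
    order = sorted(db, key=lambda r: (db[r].c, r))
    return order.index(q) + 1

def left_set(db, q):
    """left_p(q): all processors whose rank is at most that of q."""
    return {r for r in db if rank(db, r) <= rank(db, q)}

def supports(db_other, db_p, p):
    """Definition 4.1: db_other supports db_p if both agree on every processor in left_p(p)."""
    return all(db_other.get(r) == db_p[r] for r in left_set(db_p, p))

def supporting(U, p):
    """The databases in the collection U_p that support U_p(p), U_p(p) itself included."""
    return [U[q] for q in U if supports(U[q], U[p], p)]

def left_stable(U, p, n, t):
    """Definition 4.2: U_p(p) is left-stable w.r.t. p once U_p holds n - t supporting databases."""
    return len(supporting(U, p)) >= n - t

def more_updated(db_q, db_p, r):
    """Definition 4.3: DB_q >=_r DB_p iff (C_q(r), J_q(r)) >= (C_p(r), J_p(r)); lexicographic is my reading."""
    return (db_q[r].c, db_q[r].j) >= (db_p[r].c, db_p[r].j)

def merge(db_p, db_q):
    """Step 3(a)ii: take r's entry from DB_q wherever DB_q is at least as updated about r."""
    return {r: (db_q[r] if more_updated(db_q, db_p, r) else db_p[r]) for r in db_p}

def free_slots(db, slots):
    """free(DB): the slots that nobody suggests in DB."""
    used = {e.x for e in db.values() if e.x != 0}
    return [s for s in slots if s not in used]

def free_common(U, p, slots):
    """free(p, U_p): the slots free in every database of U_p that supports U_p(p)."""
    dbs = supporting(U, p)
    return [s for s in slots if all(s in free_slots(db, slots) for db in dbs)]

def next_action(U, p, slots, t):
    """Steps 4 and 6 of DCS once U_p(p) is left-stable.
    Returns ("enter", slot), ("suggest", slot) or ("withdraw", 0)."""
    mine, dbs = U[p][p].x, supporting(U, p)
    if mine != 0:
        # Step 4: keep the suggestion unless a supporting database shows another
        # processor r != p suggesting the same slot (my reading of "any r", since
        # every supporting database agrees with p about p's own entry).
        if not any(e.x == mine for db in dbs for r, e in db.items() if r != p):
            return ("enter", mine)
    # Step 6: only the t + 1 best-ranked processors may suggest, and only while
    # the common free list is long enough; otherwise 6(a) withdraws.
    rp, free = rank(U[p], p), free_common(U, p, slots)
    if rp > min(t + 1, len(free)):
        return ("withdraw", 0)
    return ("suggest", free[rp - 1])  # 6(b): the R_p(p)-th slot of free(p, U_p)

def demo():
    """Constructed scenario (my own data) with n = 4, t = 1 and M = 2t + 1 = 3 slots."""
    n, t, slots, E = 4, 1, [1, 2, 3], Entry
    # Round 1 as seen by "a": "b" suggests slot 1; "c" and "d" have each used the
    # CS once, so they rank below "a" and "b". "d"'s copy disagrees about "a".
    db_a = {"a": E(0, 0, 0), "b": E(1, 1, 0), "c": E(0, 0, 1), "d": E(0, 0, 1)}
    db_c = {"a": E(0, 0, 0), "b": E(1, 1, 0), "c": E(0, 0, 1), "d": E(0, 0, 0)}  # stale about d
    db_d = {"a": E(2, 1, 0), "b": E(1, 1, 0), "c": E(0, 0, 1), "d": E(0, 0, 1)}
    U_a = {"a": db_a, "b": dict(db_a), "c": db_c, "d": db_d}
    stable = left_stable(U_a, "a", n, t)     # a, b, c support: 3 >= n - t
    act_a = next_action(U_a, "a", slots, t)  # rank 1, free(a, U_a) = [2, 3]: suggest 2
    newer_d = merge(db_c, db_a)["d"]         # c learns C(d) = 1 from a's database
    # Round 2 as seen by "b": "a" now suggests slot 2 and a, b, c agree on a and b.
    db_b = {"a": E(2, 1, 0), "b": E(1, 1, 0), "c": E(0, 0, 1), "d": E(0, 0, 1)}
    U_b = {"b": db_b, "a": dict(db_b), "c": dict(db_b), "d": db_a}
    act_b = next_action(U_b, "b", slots, t)  # slot 1 collides with nobody: enter
    # "c" and "d" both carry suggestion 3; "c" has rank 3 > t + 1, so 6(a) withdraws.
    db_c3 = {"a": E(2, 1, 0), "b": E(1, 1, 0), "c": E(3, 1, 1), "d": E(3, 1, 1)}
    U_c = {q: dict(db_c3) for q in "abcd"}
    act_c = next_action(U_c, "c", slots, t)
    return stable, act_a, newer_d, act_b, act_c

if __name__ == "__main__":
    print(demo())
```

demo() walks one processor through suggesting a slot, a second through entering, and a third through withdrawing under Step 6(a); left_stable() counts the processor's own database among the n - t supporters, which is how the n - t - 1 messages of the text and the n - t databases of Definition 4.2 reconcile.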
As in Section 2, in order to prove the correctness of the algorithm we 
need to show that distinction, non-starvation, and fairness properties are 
preserved. 
LEMMA 4.1 (Distinction). At most one processor is in slot number i at 
any given time. 
Proof. Assume to the contrary that there exists a time T such that processors p and q are in the same slot in the CS. The algorithm implies that X_p(p) = X_q(q), where X_p (respectively, X_q) is the vector of slot suggestions held by p (respectively, q) when deciding to enter the critical section. Let U_p and U_q be the sets of databases they respectively maintained when they decided to enter the CS. The assumption n > 2t implies that (n - t) + (n - t) > n. Therefore, there exists a processor r such that U_p(r) is in the set of the n - t supporting databases of p and U_q(r) is in the set of the n - t supporting databases of q. Let T_p and T_q be the times at which r sent U_p(r) and U_q(r), respectively. Without loss of generality assume that T_p < T_q ≤ T. Processor p did not change its suggestion X_p(p) between time T_p and T (otherwise, U_p(r) would not be counted as a supporting database). Therefore, X_p(p) appears in r's database from time T_p on. The definition of T_q implies that X_p(p) appears as the suggested slot of p in U_q(r) and, hence, X_q(q) could not have passed the test in Step 4 of the algorithm; a contradiction. □
LEMMA 4.2 (Non-starvation). Every non-faulty processor enters the critical section an infinite number of times.
Proof. We prove the claim by assuming the opposite and deriving a contradiction. Given an infinite run, we classify the processors of P as follows. Let P_∞ be the set of non-faulty processors that access the critical section infinitely often. Let P_1 be the set of non-faulty processors p that enter the critical section only a finite number of times during the run (i.e., reach a final value #p), but get infinitely many left-stable vectors afterwards. Together, these two sets form the collection of active processors, P_a = P_∞ ∪ P_1. Further, let P_2 be the set of non-faulty processors p that reach a final value of #p and obtain only a finite number of left-stable vectors during the run. Let P_f denote the set of processors that become faulty during the run. These two sets form the collection of passive processors, P_p = P_2 ∪ P_f. See Fig. 1.
FIG. 1. The partition of processors. Passive processors: P_f (faulty processors) and P_2 (final #p and finitely many left-stable vectors). Active processors: P_∞ (access the CS infinitely often) and P_1 (final #p and infinitely many left-stable vectors).
The contradiction assumption asserts the existence of a run in which P_1 ∪ P_2 ≠ ∅. From some point on, all the databases DB_p held by the processors satisfy the following properties:
1. All processors q in P_2 have reached their final C_p(q) value, obtained their last left-stable database and made a suggestion based on it (hence their entries do not change afterwards).
2. All processors q in P_1 have reached their final C_p(q) value.
3. For every processor q ∈ P_∞, C_p(q) is larger than any of the final C_p(r) values of the processors r in P_1 ∪ P_2.
Hereafter we refer to every database with these properties as a limit database. Note that for all limit databases DB_p, the rank R_p(q) of any processor q ∈ P_1 ∪ P_2 is fixed. We refer to these ranks as limit ranks. In particular, let p_0 be the processor whose limit rank R_0 is the smallest in P_1 ∪ P_2. For any limit database DB_p of a non-faulty processor, the subdatabase left_p(p_0) (all processors in DB_p with rank less than or equal to that of p_0) is fixed and contains p_0 and possibly some processors from P_f. Since |P_f| ≤ t it follows that R_0 ≤ t + 1.
CLAIM 4.1. p_0 ∈ P_1.
Proof. Assume to the contrary that p_0 ∈ P_2. Consider the point of time by which all databases held by the processors are limit databases. In all these databases, only processors from P_f might appear to the left of p_0, and the information on these processors does not change. Therefore, at some later point p_0 will obtain a left-stable database again; a contradiction. □
Let Y_p denote the set of final slots suggested by the passive processors in P_p, and let Y_a = S - Y_p. Intuitively, Y_a is the set of slots into which the active processors of P_a continuously attempt to enter.
CLAIM 4.2. |Y_a| ≥ R_0.
Proof. Assume |Y_a| < R_0 ≤ t + 1. Since |P_f| ≤ t and |S| = 2t + 1, some slots must be suggested by some processors of P_2. Let p ∈ P_2 be the processor with the smallest limit rank among those processors in P_2 whose final state includes a suggestion X_p(p) ≠ 0. Since in all limit vectors the rank of every active processor in P_a is at least R_0, according to Step 6(a) no suggestions will be made and eventually all these processors will set their suggestions to 0 and never change it. Therefore sometime later p will obtain yet another stable vector; a contradiction. □
Assume that Y_a is ordered, and let Y_a = {y_1, y_2, ...}. For every limit database DB and for every slot y ∈ free(DB), denote by f(y) its index in free(DB). Clearly f(y_i) ≤ i, since in a limit database every slot of Y_p is suggested and hence free(DB) ⊆ Y_a.
There is a time after which every suggestion made by processors in P_a is based on a limit database. Hence, there is a later time at which p_0 holds a left-stable database DB_0 in which every suggested slot was suggested based on a limit database.
CLAIM 4.3. In every left-stable database DB obtained by p_0 after DB_0, either y_{R_0} ∈ free(DB) or y_{R_0} is suggested only by p_0.
Proof. Assume to the contrary that y_{R_0} appears in DB as a slot suggested by some q ∈ P_a, q ≠ p_0. Then q suggested y_{R_0} according to some left-stable limit database DB_q. But then f(y_{R_0}) ≤ R_0 in free(DB_q), so q could not have suggested it, as its rank in DB_q is strictly larger than R_0. □
Therefore, upon seeing DB_0, p_0 either decides immediately on y_{R_0} and enters this slot (in case y_{R_0} appears as its suggested slot in DB_0) or it suggests y_{R_0} now and decides on it upon obtaining the next left-stable vector. It follows that p_0 does enter the critical section once again, contradicting the assumption that p_0 has reached its final value of #p_0. This completes the proof of Lemma 4.2. □
LEMMA 4.3 (Fairness). If a processor p enters the critical section then its global rank satisfies R_#(p) ≤ t + 1.
Proof. The same as the proof of Lemma 2.3. □
Theorem 4.1 follows from Lemmas 4.1, 4.2 and 4.3. 
THEOREM 4.1. Algorithm DCS solves the distinct CS problem with 2t + 1 slots. □
We do not have any lower bound for the number of slots needed for the 
distinct CS problem. The difficulties in constructing a better upper bound 
arise from the fact that processors cannot distinguish between slow 
processors and faulty processors. It seems that a processor must leave t 
slots for the faulty processors, in case they have higher priorities, and t 
slots for slow processors that might have higher priorities. 
RECEIVED December 12, 1988; FINAL MANUSCRIPT RECEIVED March 1, 1990 
REFERENCES 
[ABDKPR] H. ATTIYA, A. BAR-NOY, D. DOLEV, D. KOLLER, D. PELEG, AND R. REISCHUK, Achievable cases in an asynchronous environment, J. Assoc. Comput. Mach., to appear.
O. BIRAN, S. MORAN, AND S. ZAKS (1988), A combinatorial characterization of the distributed tasks which are solvable in the presence of one faulty processor, in "Proc. 7th ACM Symp. on Principles of Dist. Computing," pp. 263-273.
M. F. BRIDGLAND AND R. J. WATRO (1987), Fault-tolerant decision making in totally asynchronous distributed systems, in "Proc. 6th ACM Symp. on Principles of Dist. Computing," pp. 52-63.
D. DOLEV, C. DWORK, AND L. STOCKMEYER (1987), On the minimal synchronism needed for distributed consensus, J. Assoc. Comput. Mach. 34, 77-97.
D. DOLEV, E. GAFNI, AND N. SHAVIT (1988), Toward a non-atomic era: L-exclusion as a test case, in "Proc. 19th ACM SIGACT Symposium on Theory of Computing," pp. 78-92.
D. DOLEV, N. A. LYNCH, S. PINTER, E. STARK, AND W. E. WEIHL (1986), Reaching approximate agreement in the presence of faults, J. Assoc. Comput. Mach. 33, 499-516.
M. J. FISCHER, N. A. LYNCH, J. E. BURNS, AND A. BORODIN (1979), Resource allocation with immunity to limited process failure, in "Proc. 20th Symp. on Foundations of Comp. Science," pp. 234-254.
M. J. FISCHER, N. A. LYNCH, AND M. S. PATERSON (1985), Impossibility of distributed consensus with one faulty processor, J. Assoc. Comput. Mach. 32, 374-382.
D. KOLLER (1986), "Token Survival: Resilient Token Algorithms," M.Sc. Thesis, Hebrew University.
J. L. PETERSON AND A. SILBERSCHATZ (1985), "Operating Systems Concepts," 2nd ed., Chaps. 8, 9, 13, Addison-Wesley, Reading, MA.
M. RAYNAL (1986), "Algorithms for Mutual Exclusion," North Oxford Academic Publishers.
L. S. RUDOLPH (1981), "Software Structures for Ultra Parallel Computing," Ph.D. dissertation, Courant Institute, New York University.
