Upper and Lower Bounds on the Space Complexity of Detectable Object by Ben-Baruch, Ohad et al.
ar
X
iv
:2
00
2.
11
37
8v
1 
 [c
s.D
C]
  2
6 F
eb
 20
20
Upper and Lower Bounds on the Space Complexity
of Detectable Objects
Ohad Ben-Baruch
Ben-Gurion University, Israel
ohadben@post.bgu.ac.il
Danny Hendler
Ben-Gurion University, Israel
hendlerd@cs.bgu.ac.il
Matan Rusanovsky
Ben-Gurion University and
Israel Atomic Energy Commission, Israel
matanru@post.bgu.ac.il
February 27, 2020
Abstract
The emergence of systems with non-volatile main memory (NVM) increases the interest
in the design of recoverable concurrent objects that are robust to crash-failures, since their
operations are able to recover from such failures by using state retained in NVM. Of particular
interest are recoverable algorithms that, in addition to ensuring object consistency, also provide
detectability, a correctness condition requiring that the recovery code can infer if the failed
operation was linearized or not and, in the former case, obtain its response.
In this work, we investigate the space complexity of detectable algorithms and the external
support they require. We make the following three contributions. First, we present the first
wait-free bounded-space detectable read/write and CAS object implementations. Second, we
prove that the bit complexity of every N -process obstruction-free detectable CAS implementa-
tion, assuming values from a domain of size at least N , is Ω(N). Finally, we prove that the
following holds for obstruction-free detectable implementations of a large class of objects: their
recoverable operations must be provided with auxiliary state – state that is not required by
the non-recoverable counterpart implementation – whose value must be provided from outside
the operation, either by the system or by the caller of the operation. In contrast, this external
support is, in general, not required if the recoverable algorithm is not detectable.
1
1 Introduction
Byte-addressable non-volatile main memory (NVM) combines the performance benefits of conven-
tional (volatile) main memory with the durability of secondary storage. Systems where non-volatile
memory co-exists with volatile main memory already exist and are expected to become more preva-
lent in the future. This increases the interest in the crash-recovery model, where a failed process
may be resurrected by the system following a crash. Traditional log-based recovery techniques can
be applied correctly in such systems but fail to take full advantage of the parallelism and efficiency
that may be gained by allowing processing cores to concurrently access recovery data directly from
NVM, rather than by performing slow block transfers from secondary storage. Consequently, there
is increasing interest in the design of recoverable concurrent objects that are robust to crash-failures,
since their operations are able to recover from such failures by using state retained in NVM (see
e.g. [3, 9, 11, 10, 12, 19, 20]).
Of particular interest are recoverable algorithms that, in addition to ensuring object consistency,
also provide detectability [9]. Detectability requires that the code recovering from a failed operation
can infer if it was linearized or not and, in the former case, obtain its response. Several recent works
presented detectable algorithms [3, 4, 9]. In particular, both Ben-David et al. [4] and Attiya et al. [3]
presented detectable CAS algorithms and [3] also presented a detectable read/write object. All these
algorithms augment the arguments of recoverable operations with unique identifiers, for allowing the
recovery code to detect whether or not the failed operation was linearized, consequently incurring
unbounded space complexity.1 In addition, [3] proved that every lock-free detectable test-and-
set implementation from (non-recoverable) test-and-set objects must use unbounded space. This
raises the question of whether unbounded space complexity is inherent to nonblocking detectable
implementations of these objects. We provide a negative answer to this question by presenting
the first nonblocking bounded-space detectable CAS and read/write algorithms. Both algorithms
are wait-free. Our N -process bounded-space CAS algorithm uses Θ(N) bits in addition to those
storing the CAS object’s value. In our second contribution, we show that every obstruction-free
detectable CAS implementation, assuming values from a domain of size at least N , must have Ω(2N )
different reachable shared-memory configurations, thus establishing that our CAS algorithm’s space
complexity is asymptotically optimal.
Detectable algorithms often require auxiliary state that helps them infer where in the execution
the failure occurred. Informally, auxiliary state is information that is provided to the recoverable
operation that is not provided to (nor required by) the “original” (non-recoverable) operation. In
some works, it is assumed that this information is provided by the system. For example, the recov-
erable mutual exclusion algorithms presented by Golab and Hendler [10] assume a model in which
the system provides to each operation an epoch number whose value increases after each (system-
wide) failure. Some detectable algorithms presented by Attiya et al. [3] assume that the system
provides to the recovery code information identifying the instruction that the failed operation was
about to execute via a non-volatile variable. However, auxiliary state is not necessarily provided by
the system. For example, the read/write algorithm of [3], the CAS algorithm of Ben-David et al.
[4] and the queue algorithm of Friedman et al. [9] rely on auxiliary state (e.g. unique identifiers)
passed to recoverable operations via their arguments by the operations that invoke them.
We show that, for a large class of objects that includes read/write, CAS and FIFO queue
objects, any obstruction-free detectable implementation must receive auxiliary state. As we prove,
1This is also the case with the durable queue algorithm of [9].
1
this auxiliary state must be made available to recoverable operations either via their arguments or
via a non-volatile variable accessible by them whose value must be modified outside the operation.
In contrast, this external support is, in general, not required if the recoverable algorithm is not
detectable.
The rest of the paper is organized as follows. We describe the system model in Section 2.
We then present our bounded-space detectable read/write and CAS algorithms in Sections 3 and
4, respectively. In Section 4 we also prove a lower bound on the space complexity of detectable
CAS. This is followed by a proof that detectable implementations of a large class of objects require
auxiliary state in Section 5. The paper is concluded by a short discussion in Section 6.
2 System Model
A set P of N asynchronous crash-prone processes communicate through shared objects. The system
provides base objects (also called shared variables or registers) that support atomic read, write, and
read-modify-write primitive operations. Base objects are used to implement higher-level concurrent
objects by defining algorithms, for each process, which use primitive operations to carry out the
operations of the implemented object.
The state of the system consists of non-volatile shared-memory variables and per-process local
variables stored in its local volatile cache. Local variables are accessed only by the process to which
they belong. For presentation simplicity, we assume that each process p may own non-volatile
private variables that reside in the NVM but are accessed only by p. We also assume the abstract
private cache model [4, 18], in which all shared variables are always persistent and there is no shared
cache. In this model, primitive operations to shared variables are applied directly to the NVM.
At any point during the execution of an operation, a system-wide crash-failure (or simply a crash)
may occur, which resets the local variables of all processes to their initial values, but preserves the
values of all non-volatile variables.
As we explain in Section 6, all our results hold also in the more realistic shared-cache model.
In this model, in addition to per-process private caches, there is a single (volatile) shared cache.
Primitive operations to shared variables are applied to this cache and explicit persistency instruc-
tions may be required for guaranteeing that values written to this cache get persisted to the NVM
in the correct order [18].
To start executing an operation Op, a process p invokes Op. We say that Op completes once
control returns to the caller of Op. Before completing, Op returns a response value, which is stored
to a local variable of p. The response value is lost if p crashes before persisting it (i.e., writing it
to a non-volatile variable). We say that a process is idle if it is not in the midst of executing any
operation. Each recoverable operation Op of a shared object is associated with a recovery function,
denoted Op.Recover, which is responsible to infer whether Op was linearized or not, and to obtain
its response in the former case. Op.Recover is performed by p in order to recover from a failure
that occurred while p was executing Op. We assume that Op.Recover is being called with the same
arguments as those with which Op was invoked when the crash occurred. If Op.Recover infers that
Op was not yet linearized, it returns a special fail value, otherwise it returns Op’s response.
Our lower bounds (Theorems 1 and 2) only require the model assumptions specified above. How-
ever, as we prove in Theorem 2, detectable algorithms must receive auxiliary state whose value
is modified either by the operation’s caller or by the system. We therefore make the following
additional assumptions that are used by the algorithms we present. Each process p is associated
2
with a private non-volatile structure Annp consisting of three fields. Annp.op stores the type of
recoverable operation currently performed by p, as well as the arguments with which it was called.
It is accessed only by the caller of the recoverable operation Op, which sets its value (thus announc-
ing the operation it is about to perform) immediately before invoking Op. Which function (if any)
should be invoked by p in order to recover from a failure is determined according to the value of
Annp.op. Field Annp.resp stores the response of the recoverable operation and is initialized to ⊥
immediately before Op is invoked. The 3rd field, Annp.CP , may be used by recoverable operations
and recovery functions for managing checkpoints in their execution flow. Field Annp.CP is set to
0 by the caller of the recoverable operation immediately before invoking it. Annp.CP can be read
and written by recoverable operations and their recovery functions and is used by p in order to
record (in the NVM) the fact that the execution reached a certain point. The recovery function
can then use this information in order to correctly recover and to avoid re-execution of critical
instructions.
Failed processes recover in an asynchronous manner, independently of each other. Specifically,
the recovery of some processes may have already completed while other processes may have not
yet completed (or even started) their recovery. Op.Recover may be invoked multiple times before
it completes, because the system may undergo multiple crashes in the course of executing it. If all
the operations of an implementation are recoverable, then the implementation is called recoverable.
Linearizability [17] requires that each operation applied to a concurrent object takes effect
instantaneously at some point between its invocation and response. The correctness condition
ensured by our algorithms is durable linearizability (DL) [18]. DL requires that linearizability be
maintained in spite of crash-failures. In other words, once the system recovers after a crash-failure,
the state of the data structure reflects a history containing all operations that completed before
the crash and may also contain some operations that have not completed before the crash. This
captures the idea that an operation can be linearized only once its effect gets persisted to NVM.
The progress conditions we consider are wait-freedom [15] and obstruction-freedom [16]. A
recoverable operation or a recovery function is wait-free (resp. obstruction-free) if, starting from
any reachable configuration, p completes it in a finite number of its own steps (resp. when running
solo), when the system experiences no crashes. We emphasize that all our results hold also in a
model where processes may fail independently, such as that assumed by [3].
3 Detectable Read/Write Object
Algorithm 1 presents the pseudo-code of a detectable read/write object O that uses bounded
space from (bounded-space) variables that support read/write primitive operations. To the best
of our knowledge, this is the first detectable read/write algorithm that uses bounded space. The
checkpoint field Annp.CP is used by process p in order to allow the recovery function to infer
where in the recoverable operation the failure occurred. Each process p owns two private variables:
RDp, storing data used during recovery, and Tp, storing an index ∈ {0, 1} to one of two size-n
toggle-bit arrays, A[ ][p][0] and A[ ][p][1], that are used by p’s write operations in an alternating
manner. O’s state consists of a single shared read/write register R storing a triplet of values
〈v, q, b〉, where v is O’s current value, q is the identifier of the process that (last) wrote v, and b is
the index of the toggle-bit array used by q for that write operation. Initially, R = 〈vinit, 0, 0〉, where
vinit is O’s initial value, thus “attributing” this value to a write by process 0 that used toggle-bit
array 0. Register R stores O(log n) bits in addition to the application value v, in contrast with
3
the unbounded state required by the read/write object implementation of Attiya et al. [3]. A
3-dimensional array A[N ][N ][2] allows each writing process p to coordinate with any other process
q using p’s two toggle-bit arrays.
The key challenge with which Algorithm 1 copes is the ABA problem. Attiya et al. [3] avoid it
by ensuring that all written values are distinct, at the cost of using a register of unbounded-size.
Algorithm 1 allows the same value to be written multiple times, so a process p may read from R a
value vq (written by process q) and then write some value vp that is later overwritten by another
write of vq by q. In this case, if p recovers after a system crash, a mechanism for allowing it to
detect whether or not its operation was linearized is required. As we explain below, per-process
toggle bits are used to implement this mechanism. Before invoking an operation on the object, its
caller initializes the Annp structure as described in Section 2. Specifically, Annp.CP is initialized
to 0 and Annp.resp is initialized to ⊥.
The Write operation To write, process p reads R (line 1), thus learning that q was the last
to write to R and which toggle-bit array was used by q for writing. Next, p resets the bit from q’s
other toggle-bit array corresponding to p (line 2), and persists the value read from R, as well as the
index of the toggle-bit array used by p’s current write (stored in Tp), into RDp (lines 3-4). Then,
p reads R again (line 5) and proceeds to write to R (line 7) only if it read from R the same value
as in line 1. In this case, p sets its checkpoint field to 1 (line 6) immediately before the write to R
and sets it to 2 (line 8) immediately after it. It then sets all the bits in the toggle-bit array used
by its current write operation, switches its toggle-bit array index, persist the response and returns
(lines 9-13).
If the condition of line 5 is not satisfied then, as we prove, a write operation W by a process
other than p is linearized between p’s first and second reads of R, hence p can be assumed to have
been overwritten by W . In this case, p skips lines 6-7 and proceeds directly to line 8.
The Write.Recover recovery function Upon recovery from a failed Write operation W ,
p first reads RDp (line 14) and then checks if Annp.result was set (line 15). In this case, W was
completed and has been linearized, so the recovery function returns ack. Next, p checks if Annp.CP
equals 0 (line 17). In this case, as we prove, W was not linearized before the failure, so the recovery
function returns fail (line 18); the caller of the failed operation can now decide whether or not
to reattempt performing W . Otherwise, if Annp.CP equals 1 (line 19), then the recovery code
must determine whether or not R was written in line 7 (either by p or by another process) since
when W read 〈qval, q, qtoggle〉 from R in line 1. This is done in line 20 as follows. If R’s value
differs from 〈qval, q, qtoggle〉, then R was written and so either W performed line 7 or W can be
assumed to have been overwritten by another write, so the recovery code proceeds by performing
lines 22-27 (which are identical to lines 8-13). Otherwise, R’s value equals 〈qval, q, qtoggle〉 but it
is still possible that q wrote 〈qval, q, qtoggle〉 to R again after R was read by W . This is checked by
the 2nd condition of line 20 which relies on the following key observation used by our correctness
proof: in order for q to write again using the same toggle-bit index, it must first complete a write
operation using the other toggle-bit index. However, in that earlier write operation, q sets all its
toggle bits of that set to 1 (either in lines 9-10 of its write operation or in lines 23-24 of its recovery
function). Therefore, upon recovery, if p reads the same value from R as before the crash, it can
conclude that a write occurred in between its two reads of R if and only if q’s toggle bit that it has
set to 0 is now 1. If this is not the case, p concludes that W was not linearized and returns fail
4
Algorithm 1: Bounded space detectable read/write object O, code for process p.
Non-Volatile Shared variables: read/write register R initially 〈vinit, 0, 0〉, boolean A[N ][N ][2] initially all
0
Non-Volatile Private variables: Read/write register RDp initially ⊥, Tp initially 0
Procedure Write (val)
1 〈qval, q, qtoggle〉 := R
2 A[p][q][1 − qtoggle] := 0
3 mtoggle := Tp
4 RDp := 〈mtoggle, qval, q, qtoggle〉
5 if R 6= 〈qval, q, qtoggle〉 then goto 8
6 Annp.CP := 1
7 R := 〈val, p,mtoggle〉
8 Annp.CP := 2
9 for i = 1 to N do
10 A[i][p][mtoggle] := 1
11 Tp := 1−mtoggle
12 Annp.result := ack
13 return ack
Procedure Write.Recover (val)
14 〈mtoggle, qval, q, qtoggle〉 := RDp
15 if Annp.result 6= ⊥ then
16 return ack
17 if Annp.CP = 0 then
18 return fail
19 if Annp.CP = 1 then
20 if R = 〈qval, q, qtoggle〉 and
A[p][q][1− qtoggle] = 0 then
21 return fail
22 Annp.CP := 2
23 for i = 1 to N do
24 A[i][p][mtoggle] := 1
25 Tp := 1−mtoggle
26 Annp.result := ack
27 return ack
(line 21).
The Read operation reads a triplet of values from R and then extracts its first component,
writes it to Annp.resp and returns it. Its recovery function re-invokes Read if Annp.resp = ⊥
holds, otherwise it returns it. This simple code is not presented in Algorithm 1.
It is easily seen that Algorithm 1 uses bounded space, assuming that the values written by
Write operations are of bounded size. It remains to show that the algorithm satisfies durable
linearizability, detectability and wait-freedom.
Lemma 1. Algorithm 1 is wait-free and satisfies durable linearizability and detectability.
Proof. Consider an execution α of Algorithm 1. Assume process p completes a Write(val) oper-
ation W in α (either directly or by completing the recovery function). We prove that one of the
following holds: 1) p writes to R exactly once, and this is W ’s linearization point; 2) p does not
write to R and there is a concurrent write operation W ′ by a different process that writes to R,
hence we can linearize W immediately before W ′; or 3) the failure occurred before W wrote to R,
in which case Write.Recover returns fail.
We start by observing that if there is no crash during W , then either it writes to R exactly
once in line 7, or the condition in line 5 holds, in which case p does not write to R and there was
a concurrent write operation W ′ by a different process that wrote to R.
We proceed to prove that the lemma holds also if W and its recovery code experience one or
more crashes. If the system crashes before p writes to CPp in line 6 then p did not write to R while
executing W , nor did it write to any entry in its toggle-bit arrays A[i][p][y] for i 6= p, hence none
of its writes is ever read by another process. Thus, W was not linearized yet and the recovery code
simply returns fail (line 18). Otherwise, consider the case where a crash occurred after p executed
line 8. Then either p wrote to R in line 7 (hence W was linearized) or p observed in line 5 a write
5
by a concurrent write operation W ′ and so W can be linearized immediately before W ′. In both
cases, Write.Recover re-executes the for loop of lines 23-24, switches its toggle-bit index, and
returns.
We are left with the case where a crash occurred after the update of CPp in line 6 but before its
update in line 8. Upon recovery, in order to satisfy detectability, the algorithm has to determine
whether W was linearized or not. To complete the proof, we establish the following two claims: 1)
the condition of line 20 evaluates to false only if there was a write to R (either by p or by some
other process) after p first read it (in line 1); 2) if p wrote to R before the crash (in line 7), then
the condition of line 20 evaluates to false.
In line 1, p reads R and writes its content (together with p’s current value of Tp) to RDp in line
4. Therefore, p persists the identifer q of the process that last wrote to R and the toggle-bit index
used by q. Denote byWq this write of q, and let qts denote the toggle-bit index used inWq. Assume
that the condition of line 20 evaluates to false. We prove that some write operation is linearized
after Wq. Since a write operation can only be linearized when R is written (not necessarily by the
linearized operation itself), this would prove claim 1). If p reads from R in line 20 a value different
from the one stored in RDp, then clearly there was a write to R after the read in line 1 and we are
done. Otherwise, p reads the same value from R in line 20, and so it holds that A[p][q][1− qts] = 1.
In line 2, p sets A[p][q][1 − qts] to 0. Thus, q must have set it to 1 later in the execution. Notice
that q sets a bit of the (1 − qts) toggle-bit array to 1 only during the for loop (in lines 9-10 or
23-24), after completing a write using the toggle-bit index 1− qts. Denote this write by W q. Since
p observed the write Wq, which is associated with the toggle-bit index qts, it must be that write
W q was performed after the read of p in line 1. This is true since W q must either write to R, or
observe a write to R by another process, and in both cases, the linearization point of W q must be
after p observed Wq in line 1.
We now prove claim 2). Assume the system crashed after p wrote to R in line 7. Upon
recovery, if p reads in line 20 a value from R other than that stored in RDp, the claim clearly holds.
Otherwise, p reads the same value written by Wq. Notice that p reads the same value in line 5,
after setting A[p][q][1 − qts] to 0. Moreover, later in the execution p writes to R, and thus there
must be another write by q to R with the same value as in Wq that was done after p wrote to R. In
particular, these two writes use the same toggle-bit index qts, thus there must be another write by
q using toggle-bit index 1−qts in between the two. This write must have been completed, and thus
the for loop updating A[p][q][1 − qts] to 1 was done after p’s read in line 5, hence, after p has set
A[p][q][1 − qts] to 0. Moreover, no process but p can set A[p][q][1 − qts] to 0 again. Consequently,
the second condition of the if statement in line 20 does not hold, implying that claim 2) holds.
To conclude the proof of durable linearizability and detectability, we claim that every completed
Read operation returns the value of the latestWrite operation linearized before it, or vinit if there
are no such Write operations. We linearize a Read operation Op when it writes to Annp.resp
and its linearization point is then set to its previous read of R. It follows that the response of a
completed Read is the value of R’s first component when last read by the operation. A Write
operation W can be linearized either when it writes to R (line 7) or when it does not write to R
but is linearized before a concurrent Write operation W ′ that does write to R. The claim now
follows from the atomicity of R.
It is easily seen that the algorithm is wait-free, since neither Read, Write or their recovery
functions contain any loops, so each of these operations/functions terminates in a constant number
of steps if it experiences no crashes.
6
4 A Detectable CAS Algorithm and Lower Bound
We now present a wait-free detectable implementation of an N -process durable linearizable CAS
object from (bounded-space) variables that support read/CAS primitive operations. As far as we
know, this is the first bounded-space detectable CAS implementation. Our algorithm uses Θ(N) bits
in addition to those storing the CAS object’s value. We then prove that any such implementation
requires Ω(N) bits, thus establishing that our algorithm is asymptotically space optimal.
4.1 A Bounded-Space Recoverable CAS Algorithm
Our implementation of a detectable CAS object O is presented by Algorithm 2. O’s state is
represented by a shared variable C (supporting primitive read/CAS operations) that stores both
O’s value (initially vinit) and an N -bit vector vec (all of whose components are initially 0). Each
process p owns a private variable RDp, storing p’s recovery data.
The Cas operation To perform a Cas operation, p first reads C. If O’s current value differs
from argument old, the CAS should fail, so p persists a false response to Annp.result and then
returns false (lines 28-31). Otherwise, p flips the bit vec[p] (line 32), persists the flipped value,
and increments its checkpoint variable (lines 33-34). Then, p attempts to atomically both change
C’s value and flip vec[p] using an atomic CAS (line 35). Finally, it persists the CAS response and
returns it (lines 36-37).
The Cas.Recover recovery function Upon recovery from a crash inside Cas, p first checks
if it crashed after persisting the response, in which case it returns it (lines 38-39). Otherwise, if
Annp.CP is 0, implying p surely crashed before attempting the CAS , then it returns fail (lines
40-41). Finally, p must determine if it performed a successful CAS before crashing. Observe that
p is the only process to ever change vec[p], hence a successful CAS operation flips vec[p] and it
will remain flipped until p’s next successful CAS , whereas a failed CAS attempt does not change
vec[p]. Leveraging this observation, p reads the vector stored in C and returns true if vec[p] has
been changed (lines 42-43, 45-46). If the bit was not changed (implying that either the CAS failed
or the crash occurred before p performed it), p returns fail (line 44).
A Read operation simply reads C, extracts O’s value, writes it to Annp.resp and returns it.
Its recovery function re-invokes Read if Annp.resp = ⊥ holds, otherwise it returns it. This simple
code is not shown.
Lemma 2. Algorithm 2 is wait-free and satisfies durable linearizability and detectability.
Proof. Consider an execution α of Algorithm 2. Assume process p completes a Cas(old, val)
operation Op in α (either directly or by completing the recovery function). We prove that one
of the following holds: 1) p successfully writes to C exactly once and the return value of Op is
true, in which case this is Op’s linearization point; 2) p does not write to C and C contains a value
different then old at some point during Op, hence we can linearize Op at this point and it returns
false; or 3) a failure occurs before Op wrote to C, in which case Cas.Recover returns fail.
We start by observing that if Op does not experience a crash, then either p reads a value different
from old in C, thus it returns false (lines 29-31), or p performs a single CAS in line 35 and returns
its response. The CAS is successful only if the value stored in C is old, in which case p returns
true. On the other hand, the CAS fails only if another process performed a successful CAS to C
7
Algorithm 2: Bounded-space detectable CAS object O, code for process p.
Non-Volatile Shared variables: C, supporting primitive read/CAS operations, initially 〈vinit, 〈0, . . . , 0〉〉
Non-Volatile Private variables: read/write register RDp containing boolean field, initially ⊥
Procedure Cas (old, new)
28 〈val, vec〉 := C
29 if val 6= old then // CAS failed; return
30 Annp.result := false
31 return false
32 newvec := flipBit(vec, p) // flip vec [p]
33 RDp := newvec[p] // persist new bit
34 Annp.CP := 1 // set check-point
35 res := C.CAS(〈val, vec〉, 〈new, newvec〉)
36 Annp.result := res // persist response
37 return res
Procedure Cas.Recover (old, new)
38 if Annp.result 6= ⊥ then
39 return Annp.result
40 if Annp.CP = 0 then
41 return fail
42 〈val, vec〉 := C
43 if vec[p] 6= RDp then
44 return fail // CAS failed or not
performed
45 Annp.result := true // CAS was successful
46 return true
after p first read it in line 28, hence the value of C after it must be other than old, and this is also
the linearization point of Op, which indeed returns false.
Note that p is the only process to ever update vec[p] and the only place in which this update
occurs is the CAS of line 35. Moreover, this is the only place in the code where a CAS is performed.
Thus, since lines 32-33 have to be executed before line 35 (even in case of a crash), each successful
CAS to C by p will flip the bit vec[p] stored in C, and it will remain flipped until p’s next successful
CAS .
We proceed to prove that the lemma holds also if Op experiences one or more crashes. If a crash
occurs before Op writes to Annp.CP in line 34, then p did not write to C while executing Op. Thus,
Op was not linearized yet and Cas.Recover simply re-invokes Op (line 41). Otherwise, consider
the case where a crash occurs after p performs line 34. If p performed a successful CAS at line
35 before the crash, then the operation was already linearized. As per our previous observation,
C.vec[p] = RDp will hold as long as p does not perform another (successful) CAS . Hence, the
condition in line 43 is evaluated as false, and p persists true as its response and then returns (lines
45-46).
It remains to consider the case where the crash occurred when p did not perform a successful
CAS at line 35, either because the CAS failed or because p crashed before performing line 35. In
this case, we can consider Op as not having been linearized yet, since it did not change the value of
any variable that operations by other processes may read. In both cases, vec[p] 6= RDp holds, since
vec[p] stores the old, un-flipped, value, whereas RDp stores the new, flipped, value. Moreover, no
process but p can change vec[p]. Thus, the condition of line 43 is evaluated as true and the recovery
function returns fail in line 44.
4.2 A Space Lower Bound on Detectable CAS
Algorithm 2 uses Θ(N) shared memory bits, in addition to those required for storing the CAS
object’s value. Let V denote the set of states that may be assumed by a CAS object O. Assuming
that |V| ≥ N , we prove that any recoverable and detectable obstruction-free implementation A
of O must have at least 2N−1 reachable configurations with distinct shared-memory states. This
8
C C ′
Cs
Cns
S1
S2
Dns
Ds
α
CaspN (0, 1)
true
Casq
(0, 1
)
s ◦Casq (0, 1)false
βns
βs
γ
false / fail
CRASH ◦Cas.RecoverpN (0, 1)
γ
false / fail
CRASH ◦Cas.RecoverpN (0, 1)
Figure 1: The induction step of Theorem 1. Response of completed operations are in blue font.
implies that A uses at least N − 1 shared-memory bits. If |V| = O(N), then only O(logN) bits are
required for storing the CAS object’s value, implying that Ω(N) additional shared-memory bits are
required for supporting detectability. Before proceeding with the proof, we need the following two
definitions. We say that configurations C,D are memory-equivalent if the values of each shared
memory variable is the same in both configurations. We say that a step s by some process p is a
modifying step [14] w.r.t. to an operation Op by another process q in some configuration C, if the
solo execution of Op by q after C and after C ◦ s return different responses. Figure 1 illustrates the
structure of the inductive construction of the proof that follows.
Theorem 1. Let A be an N -process obstruction-free implementation of a CAS object O (using
any primitive operations) satisfying durable linearizability and detectability, assuming values from
a domain V of size at least N . Then A has at least 2N−1 different reachable configurations, no two
of which are memory-equivalent.
Proof. We prove the claim by induction on N . The claim holds trivially for N = 1. Assume the
claim holds for N and let A be an (N+1)-process obstruction-free recoverable implementation of a
CAS object O satisfying durable linearizability and detectability, assuming values from a domain
V of size at least N + 1. Denote the processes using A by p1, p2, . . . , pN , q. Assume also WLOG
that {0, 1, . . . , N} ⊆ V and that O’s value in the initial configuration C is 0. Starting from C, we
let pN perform a CaspN (0, 1) operation until it is about to perform the first modifying step s with
respect to a Casq(0, 1) operation by process q. We denote by α the prefix of pN ’s execution up to
(but not including) step s. That is, a solo execution of Casq(0, 1) by q after C ◦ α returns true,
while its solo execution after C ◦ α ◦ s returns false. Such a modifying step exists because A is
obstruction-free, a solo execution of Casq(0, 1) starting from C returns true, but a solo execution
of Casq(0, 1) after CaspN (0, 1) completes returns false. We define the following two configurations:
Cns = C ◦ α ◦Casq(0, 1) Cs = C ◦ α ◦ s ◦Casq(0, 1)
that are reached after Casq(0, 1) returns. The executions leading to Cns and Cs exist, since A is
obstruction-free. From linearizability, O’s value is 1 in both Cs and Cns, that is, a Read( ) (resp.
a Cas(1, 0)) operation on O, performed to completion immediately after either Cs or Cns, must
return 1 (resp. return true and change the object’s value to 0). Moreover, Casq(0, 1) returns true
in the execution leading to Cns and false in the execution leading to Cs. Notice that all processes
but pN are idle in Cns. Moreover, if we fix Cns as an initial configuration, halt pN starting from
this point on and restrict processes p1, . . . , pN−1, q to perform CAS operations with arguments
from the domain V \ {0}, then we obtain an N -process algorithm A′ for which we can apply the
induction hypothesis. Thus, there is a set S1 of at least 2
N−1 configurations reachable from Cns in
9
pN -free executions, no two of which are memory-equivalent. The same argument can be applied to
configuration Cs, resulting in a second set S2 of 2
N−1 configurations reachable from Cs, no two of
which are memory-equivalent.
To complete the proof, we show that no configuration reachable from S1 can be memory-
equivalent with any configuration reachable from S2. Intuitively, this is because the modifying step
s must write to shared memory and does not modify any of pN ’s local variables. Thus, if we can
extend both Cs and Cns and reach two memory-equivalent configurations, then pN will behave the
same after a crash in both of them, which leads to a contradiction. The formal proof follows.
Assume towards a contradiction that there exist executions βns and βs starting from Cns and Cs,
respectively, leading to memory-equivalent configurations Dns ∈ S1 and Ds ∈ S2. Note that both
βns and βs are pN -free. We extend Dns by a system crash, followed by a recovery of pN , followed
by an execution in which pN performs its recovery function Cas.RecoverpN (0, 1) to completion.
Denote this extension by γ. Since CaspN (0, 1) can be linearized only after Casq(0, 1) (as the
latter returns true in the execution leading to Cns) and as O’s state is positive all throughout βns,
Cas.RecoverpN (0, 1) must return either false or fail in γ.
Since all of pN ’s local variables are reset after the crash, and since Dns and Ds are memory-
equivalent, if the system crashes afterDs, and then pN recovers by performingCas.RecoverpN (0, 1)
to completion, it will return false or fail as well. However, as Casq(0, 1) returned false in the ex-
ecution leading to Cs, from linearizability, Cas.RecoverpN (0, 1) must return true. This is a
contradiction.
5 Detectable Algorithms Require Auxiliary State
The detectable algorithms we presented in Sections 3-4 use auxiliary state, provided via the non-
volatile Annp.CP field used for managing checkpoints. As we’ve mentioned in Section 1, detectable
algorithms often require auxiliary state that helps them infer where in the execution the failure
occurred [3, 9]. We now formalize this notion.
Definition 1. Let Op be a recoverable operation. We say that auxiliary state is provided to Op
via NVM, if in-between every two successive invocations of Op, a write is made to a non-volatile
variable that can be accessed by Op. We say that auxiliary state is provided to Op via operation
arguments, if the arguments to Op contain data not specified by the object’s abstract operation.
For example, in our model, the system provides auxiliary state via Annp.CP , since it sets its
value to 0 before any invocation of a recoverable operation by p. The queue algorithm of [9] provides
auxiliary state via unique operation identifiers passed as arguments.
In the following, we prove that the usage of auxiliary state is inevitable for obtaining detectable
implementations for a large class of objects that includes read/write, CAS, resettable test-and-set
and FIFO queue objects.
Definition 2. A recoverable implementation A satisfies weak obstruction-freedom if for every
process p, starting from any configuration (reached by an execution of A) in which all processes
other than p are idle, if p runs by itself while performing an operation or a recovery function and
incurs no crashes, then it completes it.
It is easily seen that weak obstruction-freedom is satisfied by any recoverable algorithm that
satisfies obstruction-freedom or deadlock-freedom. Our proof holds for the class of doubly-perturbing
objects, a notion we define next.
10
Definition 3. Given an object O and a sequential history H, we say that an operation Op is
perturbing after H, if there exists an operation Op′ by a different process such that Op′ returns
different responses in H ◦ Op ◦ Op′ and in H ◦ Op′. We also say that Op is perturbing with
respect to Op′ after H. We say that O is doubly-perturbing if there exists an operation Opp by
some process p and a sequential history H1 of O such that the following conditions hold:
1. Opp is perturbing with respect to some Op
′ after H1.
2. H1 ◦Opp ◦Op
′ has a p-free extension, resulting in a sequential history H2, such that Opp is
perturbing after H2.
We say that Opp witnesses that O is doubly-perturbing.
It is easily shown that many widely-used objects are doubly-perturbing. We now prove that a
read/write object is doubly perturbing. In the appendix, we provide proofs that establish that the
counter, CAS, fetch-and-add and FIFO queue objects are doubly-perturbing as well.
Lemma 3. A read/write object is doubly-perturbing.
Proof. Consider a read/write object O over a domain of values including at least two distinct
values v0, v1, initialized to v0. We claim that writep(v1) witnesses that O is doubly-perturbing.
For any process q 6= p, writep(v1) is perturbing w.r.t. readq after the empty sequential history.
This satisfies the first condition of Definition 3. Moreover, writep(v1) ◦ readq can be extended by
a writeq(v0) operation, resulting in a sequential history H2 = writep(v1) ◦ readq ◦writeq(v0), such
that (a second instance of) writep(v1) is perturbing w.r.t. (a second instance of) readq operation
after H2. This satisfies the second condition of Definition 3. Thus, O is doubly-perturbing.
The notion of doubly-perturbing objects bears similarity to the notion of perturbable objects
defined by Jayanti et al. [21]. Although most common perturbable objects (including read/write,
counter, compare-and-swap, swap and fetch-and-add objects) are also doubly-perturbing, the two
classes of objects are incomparable. We now prove that there are perturbable objects that are not
doubly-perturbing (e.g., a max register [2]). In the appendix we prove that a bounded counter is
doubly-perturbing but not perturbable.
Lemma 4. A max register object is not doubly-perturbing.
Proof. Consider a max register object O, which supports a writeMax(v) operation and a read()
operation that returns the largest value written to the register preceding it. Clearly, a read oper-
ation cannot witness that O is doubly-perturbing, as it cannot be observed by other operations.
As for a writeMax(v) operation by some process p, once the operation is lineraized any read must
return a value v or higher. Thus, invoking writeMax(v) for a second time cannot modify O’s value,
and thus cannot change the response of any other operation.
Lemma 4 proves that max register is not doubly-perturbing. However, it is known to be per-
turbable [21]. Thus, Theorem 2 below does not apply for a max register object. This raises the
question of whether there is an obstruction-free implementation of a max-register satisfying durable
linearizability and detectability that does not use auxiliary state. We now show that this is indeed
the case.
Algorithm 3 presents the pseudo-code of a detectable max register implementation that uses
no auxiliary state. The max register is composed of an integers array MR, such that process p
11
Algorithm 3: recoverable Max-Register object O, code for process p.
Non-Volatile Shared variables: integer array MR[N ] initially all 0
Procedure Write-Max (val)
47 if MR[p] < val then
48 MR[p] := val
49 return ack
Procedure Read ()
50 a[N ], initially all 0
51 while a 6= MR do
52 a := MR
53 res := highest value in a
54 Annp.result := res
55 return res
is associated with entry MR[p]. To perform Write-Max(val), p simply checks if the value in
MR[p] is smaller than val, and if so updates it. To perform Read, p uses a local array. For
simplicity of presentation, we use an array-assignment/comparison notation as a shorthand for
copying/comparing the array entry by entry. Process p repeatedly copies the contents of MR until
the first successful double collect. Upon success, p managed to obtain a valid snapshot of MD, so
the largest value in MD was the value of the max register at some point in the execution interval
of Read. The recovery function of each of these operations simply re-invokes the operation, and
thus the code is not shown.
Next, we present our impossibility result. The following two definitions are required for the
proof. We say that configurations C,D are indistinguishable to process p, denoted by C
p
∼ D, if
the values of all shared-memory variables, as well as those of p’s local variables, are the same in
both configurations. We say that C
Q
∼ D for a set of processes Q if C
p
∼ D for any p ∈ Q. Figure
2 depicts the structure of the execution constructed by our proof. We note that Theorem 2 holds
regardless of the primitive operations used by the implementation.
Theorem 2. Let A be a weak obstruction-free recoverable implementation of a doubly-perturbing
object O satisfying durable linearizability and detectability and let Op be a recoverable operation of
Op. Then either auxiliary state is provided to Op via NVM, or it is provided to Op via operation
arguments.
Proof. Assume towards a contradiction that auxiliary state is not provided to Op neither via NVM
nor via the arguments to Op, so the arguments to operations in A are identical to those applied to
the implemented object. For example, if O is a read/write object, our assumption means that read
Cα Cβ Cγ D1 D2
C
′
β C
′
γ C
′
γδ E1 E2
α
Opp
β
p
.R
E
S
Opr ◦ ...
γ
Opr ◦ ...
γ δ
p.R
ES
◦O
pp.
IN
V ◦
CR
AS
H
CRASH p.REC ◦ ζ
p.REC ◦ ζ
Op
q
: u
Op
q
: v
Op
q
: u
Op
q
: u
Op
q
: v
Op
q
: v
Figure 2: The execution of A constructed in the proof of Theorem 2.
12
operations receive no arguments and a write operation invoked for writing value v receives a single
argument whose value is v. We construct an execution of A that will establish that A violates
durable linearizability, thus reaching a contradiction.
Since O is doubly-perturbing, there exists an operation Opp by some process p, witnessing
that O is doubly-perturbing. Thus, from the first condition of Definition 3, there is a sequential
history H1 such that Opp is perturbing w.r.t. to some operation Opr after H1, for r 6= p. Since
A satisfies weak obstruction-freedom, there exists an execution α in which processes perform their
operations according to H1 in a sequential manner, starting from an initial configuration, leading to
a configuration Cα. Starting from Cα, let p apply its Opp operation and halt just before returning;
denote the resulting configuration by Cβ. Starting from Cβ, let p complete its Opp operation on O
by returning from it and denote the resulting configuration by C ′β. As A satisfies weak obstruction-
freedom, the executions leading to Cβ and C
′
β exist, since in both p runs solo starting from a
quiescent configuration. Since returning a response does not change any shared variable and no
auxiliary state is provided via NVM, we get: (1) ∀q 6= p : Cβ
q
∼ C ′β. Notice that C
′
β is a quiescent
configuration. Since Opp witnesses that O is doubly-perturbing, from the second condition of
Definition 3, the history H1 ◦Opp ◦Opr has a p-free extension resulting in a sequential history H2
(extending H1) such that Opp is perturbing after H2. Assume it is perturbing w.r.t. an operation
Opq (for some q 6= p). Since A is weak obstruction-free, there exists an execution γ starting from C
′
β
in which first r performs to completion Opr, followed by a p-free sequential execution corresponding
to the extension of H1 ◦Opp ◦Opr, resulting in configuration C
′
γ . Moreover, let δ denote the solo
execution of Opp after C
′
γ , then Opq returns different responses when executed after C
′
γ and after
C ′γδ. Since γ is a p-free execution, and from Equation (1), we get that γ is also an execution
starting from Cβ such that: (2) ∀q 6= p : Cγ
q
∼ C ′γ . Opr was performed to completion in γ. Since
Opr returns the same response in the executions leading to C
′
γ and to Cγ and as Opp perturbed
its response, it follows that the linearization point of Opp precedes that of Opr in both executions.
Next, consider the following two configurations: D1 = Cγ ◦CRASH and E1 = Cγ ◦(Opp.RES)◦
(Opp.INV ) ◦ CRASH. Thus, in the execution leading to D1, the system crashes just before
p returns from its first Opp operation, whereas, in the execution leading to E1, p completes that
operation (thus p returns its response), invokes a second Opp operation and then the system crashes
immediately after p’s invocation. Note that both these executions exist, since all processes but p are
idle in Cγ and A satisfies weak obstruction-freedom. Since neither responses nor invocations change
any shared variables and since no auxiliary state is provided, neither via NVM nor via operation
arguments, and as a crash reset all local variables of p we get: (3) D1
P
∼ E1. Next, starting from E1,
we extend the execution by recovering p, letting it perform a solo execution of its recovery function
to completion, denoted by ζ. We let E2 = E1 ◦ (p.REC) ◦ ζ denote the resulting configuration.
ζ exists, since all processes but p are idle in E1 and A satisfies weak obstruction-freedom. From
Equation (3), p performs the same execution ζ after E1 ◦ (p.REC) and after D1 ◦ (p.REC), hence
D2 = D1 ◦ (p.REC) ◦ ζ exists and we have: (4) D2
P
∼ E2.
Finally, starting from configuration E2, extend the execution by letting process q 6= p perform
Opq to completion. Opq completes, since E2 is quiescent and A satisfies weak obstruction-freedom.
Assume that Opq returns value v. From Equation (4), Opq returns v also if it is performed starting
from configuration D2. Notice that p cannot return fail in its recovery function in ζ. This is due
to the fact that in the execution leading to D1 p executed a single Opp operation which perturbs
the response of Opr. Hence, Opp must be linearized before Opr, and the recovery function returns
its response. In particular, the recovery function of p executed in E2 returns a response different
13
then fail, and thus the second Opp must have a linearization point in the execution leading to E2.
Moreover, since Opp is perturbing w.r.t. Opq after H2, executing Opq starting from E1 returns a
response u 6= v. That is, the execution of Opp in ζp perturbs the response of Opq. From Equation
(3), we get that executing Opq starting from D1 returns u as well. It follows that p’s recovery
function, executed in ζ after D1, perturbs the response of Opq performed after D2. However, p
executed a single Opp operation in the execution leading to D2, which was linearized before Opr,
while a second linearization point of Opp must exist in the execution of Opp’s recovery function
(ζ), since it perturbs the response of Opq. Thus, Opp has two linearization points in the same
execution. This is a contradiction to our assumption that A satisfies durable linearizability.
6 Discussion
Several works propose different correctness conditions for the crash-recovery model [1, 5, 13].
Izraelevitz et al. [18] presented durable linearizability (DL) that assumes a system-wide crash
model. Roughly speaking, it requires that after the system recovers from a crash, the state of each
object reflects a consistent sub-history that contains all the operations that completed before the
crash. Detectability [9] requires, in addition, that a process recovering from a crash that occurred
while it was performing an operation Op can infer if Op took effect (was linearized) and, in such
case, obtain its response. This allows for a “client” operation that called Op to continue its execu-
tion after the crash, since Op’s response is made available to it. If Op was not linearized, the client
operation can choose whether or not to re-invoke it.
Attiya et al. [3] formalized a strict variant of this notion as nesting-safe recoverable linearizability
(NRL). NRL requires that Op.Recover complete the crashed operation and persist its response
before returning, thus allowing the client operation access to this response. NRL is stricter than
detectability [9], since the latter provides the client code with the flexibility of choosing whether
or not to re-invoke a crashed operation that was not linearized (upon receiving a fail response),
whereas NRL will re-attempt such an operation again and again until it completes (if it ever does).
We note that NRL implies DL and detectability, as each crashed operation must complete,
persist the response, and is linearized before Op.Recover completes. As for the other direction,
given an implementation that satisfies both DL and detectability, one can easily transform it into
an implementation satisfying NRL by having the recovery function Op.Recover invoke Op again
instead of returning a fail response. Therefore, all algorithms presented in this paper can be easily
be transformed to satisfy NRL.
The private cache model [9, 18] is an abstract model, where primitive operations are applied
directly to NVM and processes do not share a cache. In the more realistic shared cache model [18],
the main memory is non-volatile, while primitive operations are applied to a volatile shared cache.
In this model, explicit persistency instructions are used in order to ensure that writes get persisted
to the NVM and do so in the right order. Upon a crash, the shared cache content, as well as
any the values of local variables, are lost. It is easily seen that our impossibility and lower-bound
results hold also in the shared cache model. As for our algorithms, for presentation simplicity, we
specified and analyzed them assuming the private cache model. A simple syntactic transformation
was proposed by [18], where persistency instructions are added to the code, thus transforming it to
an implementation for the shared cache model. By applying this transformation to our algorithms,
they maintain their correctness (as well as their space complexity) in the shared cache model as
14
well.
An alternative approach for achieving recoverability is the design of persistent universal con-
structions. For example, [7] designed a persistent log-based universal construction that requires
only one round trip to NVRAM per operation, which is optimal. However, logging imposes signifi-
cant overheads in time and space, which are even more pronounced for concurrent data structures,
where there is an extra cost of synchronizing accesses to the log. [5] presented a recoverable variant
of Herlihy’s wait-free universal construction. These constructions do not provide detectability as
defined by [9]. However, upon recovery processes are able to determine which operations were lin-
earized before the crash and obtain their response. Such implementations does not require auxiliary
state, as upon recovery process can not infer whether its last invoked operation was linearized. For
example, assume process p performs the same operation Op twice, and a crash occurs during its
second instance of Op. Upon recovery, p is able to conclude that its last linearized operation was
Op, and obtain its response. However, p can not tell what instance of Op was linearized. Unlike it,
detectability requires p to infer if the second instance of Op, during which the crash occurred, was
linearized.
Ben-David et al. [4] showed that any implementation using only read, write and CAS primitives
can be made detectable by partitioning the code into capsules, each containing a single CAS followed
by several reads, and replacing each CAS with its recoverable version.
Some recent works study the recoverable mutual exclusion (RME) problem, defined by Golab
and Ramaraju [11, 10, 12, 19, 20]. Much work was also done on implementing persistent trans-
actional memory frameworks (see [8, 22, 24, 26]). Several previous works investigated recoverable
implementations for specific data-structures. Friedman et al. [9] presented concurrent lock-free
queue algorithms exhibiting different tradeoffs between consistency and efficiency. Coburn et al.
[6] presented NV-heaps. Several works proposed persistent algorithms for index trees [27, 23, 25, 27].
In this work, we presented the first bounded-space detectable CAS and read/write algorithms.
Detectable algorithms have the advantage of supporting composability. On the downside, as we
established, this comes with a price tag in terms of space complexity and the need to provide
recoverable operations and recovery functions with auxiliary data.
Open Problems Theorem 1 establishes a space lower bound of Ω(N) shared bits on any obstruction-
free detectable implementation of a CAS object, thus establishing that Algorithm 2 is asymptoti-
cally space optimal. However, Algorithm 2 uses a single Ω(N)-bits shared variable. Finding such an
algorithm which uses registers of size O(logN) bits, or alternatively proving that such an algorithm
is impossible, is an interesting research direction.
No (non-trivial) space lower bound for a detectable read/write object is known and finding
the tight bound is another open question. Finally, exploring the tradeoff between space and time
complexity for detectable implementations, as well as the tradeoff between the complexities of a
recoverable operation and its recovery function, is another interesting avenue for future work.
References
[1] Aguilera, M. K., and Frølund, S. Strict linearizability and the power of aborting. In
Tech. Rep. HPL-2003-241 (2003), HP Labs.
15
[2] Aspnes, J., Attiya, H., and Censor-Hillel, K. Polylogarithmic concurrent data struc-
tures from monotone circuits. J. ACM 59, 1 (2012), 2:1–2:24.
[3] Attiya, H., Ben-Baruch, O., and Hendler, D. Nesting-safe recoverable linearizability:
Modular constructions for non-volatile memory. In Proceedings of the 2018 ACM Symposium
on Principles of Distributed Computing, PODC 2018, Egham, United Kingdom, July 23-27,
2018 (2018), C. Newport and I. Keidar, Eds., ACM, pp. 7–16.
[4] Ben-David, N., Blelloch, G. E., Friedman, M., and Wei, Y. Delay-free concurrency
on faulty persistent memory. In The 31st ACM on Symposium on Parallelism in Algorithms
and Architectures, SPAA 2019, Phoenix, AZ, USA, June 22-24, 2019 (2019), C. Scheideler
and P. Berenbrink, Eds., ACM, pp. 253–264.
[5] Berryhill, R., Golab, W. M., and Tripunitara, M. Robust shared objects for non-
volatile main memory. In 19th International Conference on Principles of Distributed Systems,
OPODIS 2015, December 14-17, 2015, Rennes, France (2015), E. Anceaume, C. Cachin, and
M. G. Potop-Butucaru, Eds., vol. 46 of LIPIcs, Schloss Dagstuhl - Leibniz-Zentrum fu¨r Infor-
matik, pp. 20:1–20:17.
[6] Coburn, J., Caulfield, A. M., Akel, A., Grupp, L. M., Gupta, R. K., Jhala, R.,
and Swanson, S. Nv-heaps: making persistent objects fast and safe with next-generation,
non-volatile memories. In Proceedings of the 16th International Conference on Architectural
Support for Programming Languages and Operating Systems, ASPLOS 2011, Newport Beach,
CA, USA, March 5-11, 2011 (2011), R. Gupta and T. C. Mowry, Eds., ACM, pp. 105–118.
[7] Cohen, N., Guerraoui, R., and Zablotchi, I. The inherent cost of remembering consis-
tently. In Proceedings of the 30th on Symposium on Parallelism in Algorithms and Architec-
tures, SPAA 2018, Vienna, Austria, July 16-18, 2018 (2018), C. Scheideler and J. T. Fineman,
Eds., ACM, pp. 259–269.
[8] Correia, A., Felber, P., and Ramalhete, P. Romulus: Efficient algorithms for persistent
transactional memory. In Proceedings of the 30th on Symposium on Parallelism in Algorithms
and Architectures, SPAA 2018, Vienna, Austria, July 16-18, 2018 (2018), C. Scheideler and
J. T. Fineman, Eds., ACM, pp. 271–282.
[9] Friedman, M., Herlihy, M., Marathe, V. J., and Petrank, E. A persistent lock-free
queue for non-volatile memory. In Proceedings of the 23rd ACM SIGPLAN Symposium on
Principles and Practice of Parallel Programming, PPoPP 2018, Vienna, Austria, February
24-28, 2018 (2018), A. Krall and T. R. Gross, Eds., ACM, pp. 28–40.
[10] Golab, W., and Hendler, D. Recoverable mutual exclusion under system-wide failures.
In Proceedings of the 2018 ACM Symposium on Principles of Distributed Computing, PODC
2018, Egham, United Kingdom, July 23-27, 2018 (2018), C. Newport and I. Keidar, Eds.,
ACM, pp. 17–26.
[11] Golab, W. M., and Hendler, D. Recoverable mutual exclusion in sub-logarithmic time.
In Proceedings of the ACM Symposium on Principles of Distributed Computing, PODC 2017,
Washington, DC, USA, July 25-27, 2017 (2017), E. M. Schiller and A. A. Schwarzmann, Eds.,
ACM, pp. 211–220.
16
[12] Golab, W. M., and Ramaraju, A. Recoverable mutual exclusion: [extended abstract].
In Proceedings of the 2016 ACM Symposium on Principles of Distributed Computing, PODC
2016, Chicago, IL, USA, July 25-28, 2016 (2016), G. Giakkoupis, Ed., ACM, pp. 65–74.
[13] Guerraoui, R., and Levy, R. R. Robust emulations of shared memory in a crash-recovery
model. In 24th International Conference on Distributed Computing Systems (ICDCS 2004),
24-26 March 2004, Hachioji, Tokyo, Japan (2004), IEEE Computer Society, pp. 400–407.
[14] Hendler, D., and Shavit, N. Solo-valency and the cost of coordination. Distributed Com-
puting 21, 1 (2008), 43–54.
[15] Herlihy, M. Wait-free synchronization. ACM Trans. Program. Lang. Syst. 13, 1 (1991),
124–149.
[16] Herlihy, M., Luchangco, V., and Moir, M. Obstruction-free synchronization: Double-
ended queues as an example. In 23rd International Conference on Distributed Computing
Systems (ICDCS 2003), 19-22 May 2003, Providence, RI, USA (2003), IEEE Computer Soci-
ety, pp. 522–529.
[17] Herlihy, M., and Wing, J. M. Linearizability: A correctness condition for concurrent
objects. ACM Trans. Program. Lang. Syst. 12, 3 (1990), 463–492.
[18] Izraelevitz, J., Mendes, H., and Scott, M. L. Linearizability of persistent memory
objects under a full-system-crash failure model. In Distributed Computing - 30th International
Symposium, DISC 2016, Paris, France, September 27-29, 2016. Proceedings (2016), C. Gavoille
and D. Ilcinkas, Eds., vol. 9888 of Lecture Notes in Computer Science, Springer, pp. 313–327.
[19] Jayanti, P., Jayanti, S. V., and Joshi, A. Optimal recoverable mutual exclusion using
only FASAS. In Networked Systems - 6th International Conference, NETYS 2018, Essaouira,
Morocco, May 9-11, 2018, Revised Selected Papers (2018), A. Podelski and F. Ta¨ıani, Eds.,
vol. 11028 of Lecture Notes in Computer Science, Springer, pp. 191–206.
[20] Jayanti, P., and Joshi, A. Recoverable FCFS mutual exclusion with wait-free recovery. In
31st International Symposium on Distributed Computing, DISC 2017, October 16-20, 2017,
Vienna, Austria (2017), A. W. Richa, Ed., vol. 91 of LIPIcs, Schloss Dagstuhl - Leibniz-
Zentrum fu¨r Informatik, pp. 30:1–30:15.
[21] Jayanti, P., Tan, K., and Toueg, S. Time and space lower bounds for nonblocking
implementations. SIAM J. Comput. 30, 2 (2000), 438–456.
[22] Kolli, A., Pelley, S., Saidi, A. G., Chen, P. M., and Wenisch, T. F. High-performance
transactions for persistent memories. In Proceedings of the Twenty-First International Confer-
ence on Architectural Support for Programming Languages and Operating Systems, ASPLOS
’16, Atlanta, GA, USA, April 2-6, 2016 (2016), T. Conte and Y. Zhou, Eds., ACM, pp. 399–
411.
[23] Lee, S. K., Lim, K. H., Song, H., Nam, B., and Noh, S. H. WORT: write optimal
radix tree for persistent memory storage systems. In 15th USENIX Conference on File and
Storage Technologies, FAST 2017, Santa Clara, CA, USA, February 27 - March 2, 2017 (2017),
G. Kuenning and C. A. Waldspurger, Eds., USENIX Association, pp. 257–270.
17
[24] Liu, M., Zhang, M., Chen, K., Qian, X., Wu, Y., Zheng, W., and Ren, J. Dudetm:
Building durable transactions with decoupling for persistent memory. In Proceedings of the
Twenty-Second International Conference on Architectural Support for Programming Languages
and Operating Systems, ASPLOS 2017, Xi’an, China, April 8-12, 2017 (2017), Y. Chen,
O. Temam, and J. Carter, Eds., ACM, pp. 329–343.
[25] Oukid, I., Lasperas, J., Nica, A., Willhalm, T., and Lehner, W. Fptree: A hybrid
SCM-DRAM persistent and concurrent b-tree for storage class memory. In Proceedings of
the 2016 International Conference on Management of Data, SIGMOD Conference 2016, San
Francisco, CA, USA, June 26 - July 01, 2016 (2016), F. O¨zcan, G. Koutrika, and S. Madden,
Eds., ACM, pp. 371–386.
[26] Volos, H., Tack, A. J., and Swift, M. M. Mnemosyne: lightweight persistent memory.
In Proceedings of the 16th International Conference on Architectural Support for Programming
Languages and Operating Systems, ASPLOS 2011, Newport Beach, CA, USA, March 5-11,
2011 (2011), R. Gupta and T. C. Mowry, Eds., ACM, pp. 91–104.
[27] Yang, J., Wei, Q., Chen, C., Wang, C., Yong, K. L., and He, B. Nv-tree: Reduc-
ing consistency cost for nvm-based single level systems. In Proceedings of the 13th USENIX
Conference on File and Storage Technologies, FAST 2015, Santa Clara, CA, USA, February
16-19, 2015 (2015), J. Schindler and E. Zadok, Eds., USENIX Association, pp. 167–181.
18
A Doubly-Perturbing Objects
Lemma 5. A counter object is doubly-perturbing.
Proof. Consider a counter object O over a domain of values including at least three distinct values
v0, v0+1, v0+2, initialized to v0. We claim that Incrementp witnesses that O is doubly-perturbing.
For any process q 6= p, Incrementp is perturbing w.r.t. readq after the empty sequential history.
This satisfies the first condition of Definition 3. Moreover, Incrementp ◦ readq can be extended by
a an empty p − free extension, resulting in a sequential history H2 = Incrementp ◦ readq, such
that (a second instance of) Incrementp is perturbing w.r.t. (a second instance of) readq operation
after H2. This satisfies the second condition of Definition 3. Thus, O is doubly-perturbing.
Lemma 5 proves that a bounded counter, supporting only {0, 1, 2} values, is doubly-perturbing.
However, such a bounded counter is not perturbable, since clearly an operation Op can change its
response at most twice.
Lemma 6. A compare-and-swap object is doubly-perturbing.
Proof. Consider a compare-and-swap object O over a domain of values including at least two distinct
values v0, v1, initialized to v0. We claim that CASp(v0, v1) witnesses that O is doubly-perturbing.
For any process q 6= p, CASp(v0, v1) is perturbing w.r.t. CASq(v0, v1) after the empty sequential
history. This satisfies the first condition of Definition 3. Moreover, CASp(v0, v1) ◦ CASq(v0, v1)
can be extended by a CASq(v1, v0) operation, resulting in a sequential history H2 = CASp(v0, v1)◦
CASq(v0, v1) ◦ CASq(v1, v0), such that (a second instance of) CASp(v0, v1) is perturbing w.r.t.
(a second instance of) CASq(v0, v1) operation after H2. This satisfies the second condition of
Definition 3. Thus, O is doubly-perturbing.
Lemma 7. A fetch-and-add object is doubly-perturbing.
Proof. Since fetch-and-add object support an addition of the value 1, the proof from Lemma 5
will hold here too. More formally, consider a fetch-and-add object O over a domain of values
including at least three distinct values v0, v0 + 1, v0 + 2, initialized to v0. We claim that FAAp(1)
witnesses that O is doubly-perturbing. For any process q 6= p, FAAp(1) is perturbing w.r.t. readq
after the empty sequential history. This satisfies the first condition of Definition 3. Moreover,
FAAp(1) ◦ readq can be extended with the empty p − free extension, resulting in a sequential
history H2 = FAAp(1) ◦ readq, such that (a second instance of) FAAp(1) is perturbing w.r.t. (a
second instance of) readq operation after H2. This satisfies the second condition of Definition 3.
Thus, O is doubly-perturbing.
Lemma 8. A FIFO queue object is doubly-perturbing.
Proof. Consider a FIFO queue object O over a domain of values including at least two distinct
values v0, v1, initialized to an empty queue. We claim that Deqp witnesses that O is doubly-
perturbing. After the empty sequential history, we perform the following sequence of operations
Enqp(v0) ◦ Enqp(v1), and denote the resulting history as H1. For any process q 6= p, Deqp is
perturbing w.r.t. Deqq after H1. This satisfies the first condition of Definition 3. Moreover,
Deqp◦Deqq can be extended by the sequence of operations: Enqq(v0)◦Enqq(v1) as before, resulting
in a sequential history H2 = Enqp(v0) ◦Enqp(v1) ◦Deqp ◦Deqq ◦Enqq(v0) ◦Enqq(v1), such that (a
second instance of) Deqp is perturbing w.r.t. (a second instance of) Deqq operation after H2. This
satisfies the second condition of Definition 3. Thus, O is doubly-perturbing.
19
