Self-stabilization of wait-free shared memory objects by Hoepman, J.H. (Jaap-Henk) et al.
Self-Stabilization of Wait-Free Shared Memory Objects*
Jaap-Henk Hoepman^1, Marina Papatriantafilou^{2,3}, and Philippas Tsigas^3
1 CWI, P.O. Box 94079, 1090 SB Amsterdam, The Netherlands.
2 CTI & CE and Informatics Dept., Patras University, Greece.
3 MPI für Informatik, Im Stadtwald, 66123 Saarbrücken, Germany.
Email: jhh@cwi.nl, {ptrianta,tsigas}@mpi-sb.mpg.de
Abstract. It is an interesting question whether one can devise highly fault tolerant distributed protocols that tolerate both processor failures as well as transient memory errors. To answer this question we consider self-stabilizing wait-free shared memory objects. In this paper we propose a general definition of a self-stabilizing wait-free shared memory object that expresses safety guarantees even in the face of processor failures. We prove that within this framework one cannot construct a self-stabilizing single-reader single-writer regular bit from single-reader single-writer safe bits. This impossibility result leads us to postulate a self-stabilizing dual-reader single-writer safe bit as the minimal object needed to achieve self-stabilizing wait-free interprocess communication and synchronization. Based on this model, adaptations of well known wait-free constructions of regular and atomic shared registers are proven to be self-stabilizing.
1 Introduction 
The importance of reliable distributed systems can hardly be exaggerated. In the past, research on fault tolerant distributed systems has focused either on system models in which processors fail, or on system models in which the memory is faulty. In the first model a distributed system must remain operational while a certain fraction of the processors is malfunctioning. When constructing shared memory objects like, for instance, atomic registers, this issue is addressed by considering wait-free constructions which guarantee that any operation executed by a single processor is able to complete even if all other processors crash in the meantime. Originally, research in this area focussed on the construction of atomic registers from weaker (safe or regular) ones [VA86, Lam86, PB87, LTV89, IS92]. Later attention shifted to stronger objects (cf. [AH90, Her91] and many others).
In the second model a distributed system is required to overcome arbitrary changes to its state within a bounded amount of time. If the system is able to do so, it is called self-stabilizing. Self-stabilizing protocols have been extensively studied in the past. Originating from the work of Dijkstra on self-stabilizing mutual exclusion on rings [Dij74], several other self-stabilizing protocols have been proposed for particular problems, like mutual exclusion on other topologies [BGW89, BP89, DIM93], the construction of a spanning-tree [AKY90], orienting a ring [IJ93, Hoe94], and network synchronization [AKM+93]. Another approach focuses on the construction of a 'compiler' to automatically transform a protocol belonging to a certain class to a similar, self-stabilizing, one [KP90, AKM+93]. For a general introduction to self-stabilization see [Sch93, Tel94].
* Research partially supported by the Dutch foundation for scientific research (NWO) through NFI Proj. ALADDIN (contr. # NF 62-376) and a NUFFIC Fellowship, and by the EC ESPRIT II BRA Proj. ALCOM II (contr. # 7141).
To develop truly reliable systems both failure models must be considered together. We briefly summarize recent theoretical research that addresses this issue. Anagnostou and Hadzilacos [AH93] show that no self-stabilizing, fault-tolerant protocol exists to determine, even approximately, the size of a ring. Gopal and Perry [GP93] present a 'compiler' to turn a fault-tolerant protocol for the synchronous rounds message-passing model into a protocol for the same model which is both fault-tolerant and self-stabilizing. A combination of self-stabilization and wait-freedom in the construction of clock-synchronization protocols is presented in [DW93, PT94]. Another approach to combining processor and memory failures is put forward by Afek et al. [AGMT92, AMT93] and Jayanti et al. [JCT92]. They analyze whether shared objects do or do not have wait-free (self-)implementations from other objects of which at most t are assumed to fail. Objects may fail by giving responses which are incorrect, or by responding with a special error value, or even by not responding at all. In so-called gracefully degrading constructions, operations during which more than t objects fail are required to fail in the same manner.
We are interested in exploring the relation between self-stabilization and wait-freedom in shared memory objects. A shared memory object is a data structure stored in shared memory which may be accessed concurrently by several processors through the invocation of operations defined for it. Self-stabilizing wait-free objects occur naturally in distributed systems in which both processors and memory may be faulty. We give a general definition of self-stabilizing wait-free shared memory objects, and focus on studying the self-stabilizing properties of wait-free shared registers. Single-writer single-reader safe bits, traditionally used as the elementary memory units to build these registers with, are shown to be too weak for our purposes. Focusing on registers, being the weakest type of shared memory objects, allows us to determine the minimal object properties needed for a system to be able to converge to legal behaviors after transient memory faults, as well as to remain operative in the presence of processor crashes.
Shared registers are shared objects reminiscent of ordinary variables, that can be read or written by different processors concurrently. They are distinguished by the level of consistency guaranteed in the presence of concurrent operations ([Lam86]). A register is safe if a read returns the most recently written value, unless the read is concurrent with a write, in which case it may return an arbitrary value. A register is regular if a read returns the value written by a concurrent or an immediately preceding write. A register is atomic if all operations on the register appear to take effect instantaneously and act consistently with a sequential execution. Shared registers are also distinguished by the number of processors that may invoke a read or a write operation, and by the number of values they may assume. These dimensions imply a hierarchy with single-writer single-reader (1W1R) binary safe registers (a.k.a. bits) on the lowest level, and multi-writer multi-reader (nWnR) l-ary atomic registers on the highest level. A construction or implementation of a register is comprised of i) a data structure consisting of memory cells called sub-registers and ii) a set of read and write procedures which provide the means to access it.
Li and Vitanyi [LV91] and Israeli and Shaham [IS92] were the first to consider self-stabilization in the context of shared memory constructions. Both papers implicitly call a shared memory construction self-stabilizing if for every fair run started in an arbitrary state, the object behaves according to its specification except for a finite prefix of the run. Moreover, they do not seem to consider the possibility of pending operations. We feel, however, that this notion of a self-stabilizing object does not agree well with the additional requirement that the object is wait-free, since self-stabilization of the object now only guarantees recovery from transient errors in fair runs (in which no processors crash), while an object should be wait-free to ensure that a single processor can make progress even if all other processors have crashed.
Our contribution in this paper is threefold. First, in Sect. 2, we propose a general definition of a self-stabilizing wait-free shared memory object, that ensures that all operations after a transient error will eventually behave according to their specification even in the face of processor failures. Second, in Sect. 3, we prove that within this framework one cannot construct a self-stabilizing single-reader single-writer regular bit from single-reader single-writer safe bits, which have traditionally been used as the basic building blocks in wait-free shared register implementations. This impossibility result leads us to postulate a self-stabilizing dual-reader single-writer safe bit, which models a flip-flop with its output wire split in two (cf. Sect. 4). Using this bit as a basic building block, we formally prove, as a third contribution, that adaptations of well known wait-free implementations of regular and atomic shared registers are self-stabilizing (cf. Sects. 4.1, 4.2, and 4.3). This shows that our definition of self-stabilizing wait-free shared objects is viable, in the sense that it is neither trivial nor impractical. Section 5 concludes this paper with directions for further research.
2 Defining Self-Stabilizing Wait-Free Objects 
In the definition of shared memory objects we follow the concept of linearizability (cf. [Her91]), which we, for the sake of self containment, briefly paraphrase here. Consider a distributed system of n sequential processors. A shared memory object is a data-structure stored in shared memory that may be accessed by several processors concurrently. Such an object defines a set of operations 𝒪 which provide the only means for a processor to modify or inquire the state of the object. The set of processors that can invoke a certain operation may be restricted. Each operation O ∈ 𝒪 takes zero or more parameters p on its invocation and returns a value r as its response (r = O(p)). Each such operation execution is called an action and is a sequential execution of a procedure's steps; each step may be either a sub-operation on the cells of the data structure, or local computations of the procedure. We denote by t_i(A) ≥ 0 the invocation time of an action A and by t_r(A) > t_i(A) its response time (on the real time axis). Processors are sequential and, therefore, cannot invoke an action if their previously invoked action has not responded yet. To model processor crash failures we introduce for each processor p a crash action ψ_p. No invocation or response of an action at processor p, nor another crash action ψ_p, may occur later than the time t(ψ_p) processor p crashes. In terms of the implementation of an object, no sub-operations may be executed by p after the crash action ψ_p either.
The desired behavior of an object is described by its sequential specification S. This specifies the state of the object, and for each operation its effect on the state and its (optional) response. We write (s, r = O(p), s') ∈ S if invoking O with parameters p in state s changes the state of the object to s' and returns r as its response. A run over the object is a tuple (𝒜, →) with actions 𝒜 and partial order → such that for A, B ∈ 𝒜, A → B iff t_r(A) < t_i(B). Similarly, ψ_p → A iff t(ψ_p) < t_i(A). If two actions are incomparable under →, they are said to overlap. Runs have infinite length, and capture the real time ordering between actions invoked by the processors. An implementation of a shared object is wait-free if in all runs each invocation of an action A is followed by a matching response after finite time (i.e. t_r(A) − t_i(A) < ∞), unless the processor p invoking A crashed at time t(ψ_p) such that 0 < t(ψ_p) − t_i(A) < ∞. A sequential execution (𝒜, ⇒) over the object is an infinite sequence s_1 A_1 s_2 A_2 ..., where ∪_i A_i = 𝒜, s_i a state of the object as in its sequential specification, and ⇒ a total order over 𝒜 defined by A_i ⇒ A_j iff i < j. A run (𝒜, →) corresponds with a sequential execution (𝒜, ⇒) if the set of actions 𝒜 is the same in both runs, and if ⇒ is a total extension of → (i.e. A → B implies A ⇒ B). Stated differently, the sequential execution corresponding to a run is a run in which no two actions are concurrent but in which the 'observable' order of actions in the run is preserved.
Definition 1. A run (𝒜, →) over an object is linearizable w.r.t. sequential specification S, if there exists a corresponding sequential execution (𝒜, ⇒), such that (s_i, A_i, s_{i+1}) ∈ S for all i.
An object is linearizable w.r.t. its sequential specification S if all possible runs over the object are linearizable w.r.t. S. Informally speaking, an object is linearizable w.r.t. specification S if all actions appear to take effect instantaneously and act according to S.
2.1 Adding Self-Stabilization 
Li and Vitanyi [LV91] and Israeli and Shaham [IS92] were the first to consider self-stabilizing wait-free constructions. Both papers implicitly use the following straightforward definition of a self-stabilizing wait-free object.
Definition 2. A shared wait-free object is self-stabilizing if an arbitrary fair execution (in which all operations on all processors are executed infinitely often) started in an arbitrary state, is linearizable except for a finite prefix.
A moment of reflection shows that assuming fairness may not be very reasonable for wait-free shared objects. The above definition requires that after a transient error all processors cooperate to repair the fault. On the other hand, wait-freedom should imply that processors can make sensible progress even if other processors have crashed. This observation leads us to the following stronger, still informal, definition of a self-stabilizing wait-free shared object.
Definition 3. A shared wait-free object is self-stabilizing, if an arbitrary execution started in an arbitrary state is linearizable except for a bounded finite prefix.
Let us develop a formal version of this definition. To model self-stabilization we need to allow runs that start in an arbitrary state; in particular we have to allow runs in which a subset of the processors start executing an action at an arbitrary point within its implementation. Such runs model the case in which transient memory errors occur during an action, or, rather, the case where alteration of the program counter by the transient error forces the processor to jump to an arbitrary point within the procedure implementing the operation. For such so called pending actions A, and for such actions alone, we set t_i(A) = 0. Slow pending actions can carry the effects of a transient error arbitrarily far into the future^4. Hence we can only say something meaningful about that part of a run after the time that all pending actions have finished, or the processors on which these pending actions run have crashed.
An action A overlaps a pending action iff there exists a pending action B on some processor p with t_i(B) = 0 such that t_r(B) ≮ t_i(A) and t(ψ_p) ≮ t_i(A). Define count(A) equal to 0 for all actions A overlapping a pending action, and define count(A) equal to i if A is executed as the i-th action of a certain processor not overlapping a pending action. As a special case, to be used later, for all actions A with count(A) = 0 for which there exists a B with count(B) = 1 and A‖B set count(A) = ⊕ instead. Actions A with count(A) = ⊕ overlap both with pending actions and with actions not overlapping any pending actions. As each processor executes sequentially, and actions are unique, count is well-defined.
Definition 4. A run (𝒜, →) is linearizable w.r.t. sequential specification S after k processor actions, if there exists a corresponding sequential execution (𝒜, ⇒), such that for all i, if count(A_i) > k then (s_i, A_i, s_{i+1}) ∈ S.
^4 A pending action may carry something "malicious" in its local state that might disorder the system at any time after it is used to modify a sub-register. Consider for instance the Vitanyi-Awerbuch register (cf. [VA86] and Sect. 4.3). If a pending action writes a huge tag only to the last register S_in in the row, no later action except one executed by processor n will see this tag. If writes after the pending action use a lower tag, they will be ignored by actions of processor n, even if these writes occur strictly before the actions of processor n.
Note that the definition allows the first k actions of a processor to behave arbitrarily (even so far as to allow e.g. a read action to behave as a write action or vice versa), but the effect of such an arbitrary action should be globally consistent. Thus this definition gives the strong guarantee that all actions following such arbitrarily behaving actions will agree on how that action actually behaved. In particular, for k = 0 and in the absence of pending actions, the definition implies that all actions agree on the effect of the transient error on the state of the object; for example, for a shared register all reads that occur immediately after a transient error should return the same value.
Definition 5. An implementation of a shared object with sequential specification S is k-stabilizing wait-free if all its runs are wait-free and linearizable w.r.t. S after k processor actions.
In the above definition the stabilization delay k is taken to be independent of the type of operations performed by a processor, while one might very well feel that the difficulty of stabilizing different types of operations on the same object may vary. Indeed, preliminary versions of this definition were more fine-grained and included separate delays for different types of operations (e.g. allowing the first k_w writes and the first k_r reads performed by a processor on a read/write register to be arbitrary). It turns out that this amount of detail is really unnecessary, essentially because different types of operations on a shared object already need to reach some form of agreement on the state of the object.
The above definition is general and considers all objects whose behavior is described by a sequential specification. Since our goal is to study, from the lowest level, the requirements needed to support shared objects that are both wait-free and self-stabilizing, we need to define safe and regular self-stabilizing registers. A register is a shared object on which read operations R and write operations W(v) are defined. For a run (𝒜, →) over such a register, define the set ℛ of read actions that do not act as writes, and define the set 𝒲 of write actions plus read actions that act as writes. For R ∈ ℛ define val(R) as the value returned by read action R and for W ∈ 𝒲 define val(W) as the value 'actually' written by action W. Also for W ∈ 𝒲 and R ∈ ℛ define W directly precedes R, W ⇝ R, if W → R and if there is no W' ∈ 𝒲 such that W → W' → R. If no such write exists, we take the imaginary initial write W_⊥ responsible for writing the arbitrary initial value val(W_⊥). Let us write A‖B if neither A → B nor B → A. Define the feasible writes of a read R as all W ∈ 𝒲 such that W ⇝ R or W‖R. A write W(v) on a register behaves correctly if val(W(v)) = v. A read R on a safe register behaves correctly if R ∈ ℛ and there is a write W such that W‖R, or val(R) = val(W) for a write W with W ⇝ R. A read on a regular register behaves correctly if R ∈ ℛ and val(R) = val(W) for some feasible write of R.
Definition 6. A safe or regular register is k-stabilizing wait-free if all its runs are wait-free and for all its runs only actions A with count(A) ≤ k behave arbitrarily. Such a register is simply stabilizing wait-free if all its runs are wait-free and for all its runs only pending write actions W and read actions R overlapping pending writes behave arbitrarily without behaving as a write (i.e. R ∈ ℛ).
3 Stabilizing 1W1R Safe Bits Are Not Strong Enough
In this section we prove that 1W1R safe bits are not strong enough to give self-stabilizing wait-free shared registers; this is shown by proving that there exists no implementation of a 1W1R wait-free k-stabilizing regular binary register using stabilizing 1W1R binary safe sub-registers.
It is a common convention to view the scheduling of processor steps as being chosen by an adversary, who seeks to force the protocol to behave incorrectly. The adversary is in control of (i) choosing the configuration of the system after a transient error and (ii) scheduling the processes' steps in a run.
The heart of the problem of such an implementation can be described as follows. Since the writer (the reader) cannot read the sub-registers which it can write, in order to know their contents and converge into correct stabilized behaviors, it has to rely on information that either is local or is passed to it through shared sub-registers that can be written only by the reader (the writer, respectively). The adversary can set the system in a state in which this information is inconsistent; subsequently, by scheduling the processes' sub-actions on the same sub-register to be concurrent, it can destroy the information propagation because of the weak consistency that safeness guarantees.
If an implementation of a 1W1R binary regular register from stabilizing 1W1R safe binary sub-registers exists, it must use two sets of sub-registers (that can be considered as two "big" sub-registers): one (S_W) that can be written by the writer and read by the reader and one (S_R) that can be written by the reader and read by the writer. A system configuration C is a tuple (L_R, L_W, S_R, S_W) that describes a system state, where L_R, L_W denote the reader's and writer's local states, respectively. Since there is a single reader, we assume that the value of the register depends only on the state of its implementation, i.e. for any configuration, the value of the register in that configuration is the value that would be returned by the (k+1)-th read of a sequence of reads taking place in a time interval during which no write action is executed. Similarly, we assume that the behaviour of an operation solely depends on the state in which it is executed and not on its position in the run, i.e. if a read behaves as a write in some state, it must behave as a write in that state wherever that state occurs in the run.
A read action on the regular register may involve several sub-reads of S_W; however, in the course for a contradiction, attention may be restricted to runs in which all those sub-reads observe the same value of S_W, say s_w. Then, we can consider that the value returned by each read is determined by a reader's function f_R(l_r, s_w); let also f_R^z(l_r, s_w) denote the value returned by the z-th read of a sequence of reads that start from a configuration where L_R = l_r and all find S_W = s_w.
Theorem 7. There exists no deterministic implementation of a wait-free k-stabilizing 1W1R binary regular register using 1W1R binary stabilizing safe sub-registers.
Proof. Suppose that such an implementation exists. Since we look for a contradiction we may safely restrict attention to runs with no pending actions.
Consider an arbitrary initial configuration C and a run starting from C, in which the following actions are sequentially scheduled: k reads, k writes (writing arbitrary values), a Write(0) action W_0 and a Write(1) action W_1. The system configuration after W_0 is C_0 = (l_r, l_w0, s_r, s_w0). Since the register is k-stabilizing by assumption the last of k+1 reads starting in C_0 must return 0, so f_R^{k+1}(l_r, s_w0) = 0. Similarly, the last of k+1 reads starting after W_1 must return 1. Therefore, during the W_1 action the writer performs some sub-writes s_1, ..., s_m on bits of S_W in that order. We write s_w \ s_1..s_i to denote the value of S_W after sub-writes s_1, ..., s_i have been applied, while S_W held s_w initially. Then f_R^{k+1}(l_r, s_w0 \ s_1..s_m) = 1. Hence there will be an s_i (1 ≤ i ≤ m), such that

f_R^{k+1}(l_r, s_w^0 = s_w0 \ s_1..s_{i-1}) = 0 and f_R^{k+1}(l_r, s_w^1 = s_w0 \ s_1..s_i) = 1    (1)

The former value for S_W could be observed by reads scheduled after s_{i-1} and before any other sub-operation of W_1, the latter by reads scheduled after s_i and before any other sub-operation of W_1. If k+1 reads are scheduled to take place overlapping s_i and they all observe s_w^0, they will return 0 (Eq. 1); moreover, since the register is k-stabilizing by assumption, none of those reads should perform as a write. Now let l_r' be the local state of the reader after those reads and s_w' the contents of S_W after completion of W_1 in that schedule. Again because the register is k-stabilizing,

(2)

Now let the adversary set the system in C_01 = (l_r, l_w0, s_r, s_w^1), i.e., differing from C_0 only in the contents of S_W, and schedule again a Write(1) action. By our assumption and Eq. 1, the value of the register in C_01 equals 1, while the writer observes the same state as before and, hence, it again performs the same sequence of sub-writes. The adversary can again schedule k+1 reads overlapping s_i, as before; although the value of the corresponding bit does not change now during this sub-write, all these k+1 reads may observe s_w^0 instead of s_w^1, because of the safeness of the corresponding bit. From the previous paragraph and our initial assumption it is known that none of these reads performs as a write, while the (k+1)-th read returns 0 (Eq. 1). But the only feasible writes are a write of 1 (recall Eq. 2) and the write of the initial value, which is 1. This is a contradiction, as the (k+1)-th read must return the value of a feasible write.
4 Self-Stabilizing Constructions of Shared Registers 
If we assume the existence of stabilizing dual-reader single-writer safe bits, the reasoning of the previous section does not apply: to know the value of its own shared bits the writer can simply read them. This assumption is legitimate, because assuming a 1W2R safe bit exists is not much stronger than assuming a 1W1R safe bit exists. After all, the latter models a flip-flop with a single output wire, whereas the first models a flip-flop with its output wire split in two. We will formally prove in the next sections that if these 1W2R safe bits are used as basic building blocks in some well-known wait-free constructions of shared registers, the resulting constructions become, after minor modifications, self-stabilizing.
S: stabilizing 1W2R safe bit
operation Read(): {0, 1}
    return (Read(S));
operation Write(v: {0, 1})
    l: {0, 1}
    l := Read(S);
    if l ≠ v then Write(S, v);
Protocol 1. A stabilizing 1W1R regular bit
4.1 A Stabilizing 1W1R Regular Bit 
Protocol 1 presents the adaptation of Lamport's [Lam86] construction of a 1W1R regular bit from a 1W1R safe bit, into a stabilizing wait-free one using a wait-free stabilizing 1W2R safe bit. We proceed by proving its correctness.
Theorem 8. Protocol 1 implements a wait-free stabilizing 1W1R regular binary register using one wait-free stabilizing 1W2R safe binary register.
Proof. Let (𝒜, →) be an arbitrary run of reads R and writes W over the regular bit. Write R(S) (W(S)) for the read from (write to) the safe bit S performed by read R (write W). Let w_⊥ be the initializing write of S, and set val(W_⊥) = val(w_⊥) for the initializing write W_⊥ of the regular bit. If (𝒜, →) has a pending write W, set val(W) to the value of S just after W; this is the value an interference free read starting after W will read. For all other, non-pending, writes set val(W(v)) = v. According to Def. 6 it remains to show that in (𝒜, →) all reads R not overlapping a pending write return the value written by a feasible write. Due to space constraints, we state the following claim without a proof.
Claim 9. If R does not overlap a pending write and R(S) is interference free and W ⇝ R(S) then val(W) = val(R(S)).
Consider a read R not overlapping a pending write. Then val(R) = val(R(S)). If R(S) is interference-free, then by Claim 9, for a write W with W ⇝ R(S) we have val(W) = val(R(S)) = val(R) and W is feasible for R. If R(S) is interfered, there is a write W(x) with W‖R writing S and W cannot be pending by assumption. Then W read S by R'(S) and val(R'(S)) = ¬x. By Claim 9 and the fact that now R'(S) is executed by a write so it cannot overlap another write, for W' with W' ⇝ W we must have val(W') = ¬x. As W‖R, then W' ⇝ R or W'‖R, so both W and W' are feasible for R and val(R) equals one of these.
4.2 A Stabilizing 1W1R l-ary Regular Register
Protocol 2 presents the adaptation of Lamport's [Lam86] construction of a 1W1R l-ary regular register from l 1W1R regular bits, into a wait-free stabilizing one using l 1W1R wait-free stabilizing regular bits. We prove its correctness below.

S_0 ... S_{l-1}: stabilizing 1W1R regular bit
operation Write(v: {0, ..., l-1})
    Write(S_v, 1);
    while v ≠ 0
    do v := v - 1; Write(S_v, 0);
operation Read(): {0, ..., l-1}
    w: {0, ..., l}
    w := 0;
    while w < l ∧ Read(S_w) = 0
    do w := w + 1;
    if w = l then return (l - 1);
    else return (w);
Protocol 2. A stabilizing 1W1R l-ary regular register

Let (𝒜, →) be an arbitrary run over the regular l-ary register. Number the writes consecutively, writing W^i for the write with index i. Let W^0 be the pending write if it exists, and W_⊥ otherwise. Let us write R(S_v) for the read of S_v by read R, and let us write W(S_v) for the write to S_v by a write W. The index of W(S_v) equals the index of W (and the index of W_⊥(S_v) always equals 0). For reads R not overlapping a pending write, define π(R) to be the largest index i such that W^i is feasible for R and val(W^i) = val(R).
Consider the values of all S_v just after W^0 (i.e. the value read by a non-interfered read starting after W^0). Set val(W^0) to the minimal v such that S_v = 1, setting val(W^0) = l-1 if no such v exists. For all other writes W(v) set val(W(v)) = v. Due to space constraints, we state the following claim without proof.
Claim 10. Let R be a read not overlapping a pending write. If W^i(u) → R then π(R(S_v)) ≥ i for all v ≤ u. If R reads S_{w+1} then π(R(S_w)) ≤ π(R(S_{w+1})).
Theorem 11. Protocol 2 implements a stabilizing 1W1R l-ary regular register using l stabilizing 1W1R regular binary registers.
Proof. According to Def. 6 we have to show that in (𝒜, →) all reads not overlapping a pending write return the value written by a feasible write. First consider a read R with val(R(S_v)) = 1 for some v. Let π(R(S_v)) = i. Then val(R) = v, val(W^i) = v and W^i ↚ R. W^i is not a feasible write for R only if there exists a W^j(w) such that W^i → W^j(w) → R (and so i < j). If w ≥ v, then by Claim 10 π(R(S_v)) ≥ j > i, and if w < v, then using Claim 10 inductively i < j ≤ π(R(S_w)) ≤ π(R(S_v)). This contradicts the assumption that π(R(S_v)) = i.
Now consider a read R where, for all v, val(R(S_v)) = 0. Then val(R) = l-1. Because all writes write 1, if anything, to S_{l-1}, and val(R(S_{l-1})) = 0, we have π(R(S_{l-1})) = 0. Then, using Claim 10 inductively, π(R(S_v)) = 0 for all v, and so, for all v, the value of S_v just after W^0 equals 0. Hence, val(W^0) = l-1 by definition. By a similar argument as before, W^0 is feasible for R.
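The following Python simulation of Protocols 1 and 2 is an added illustration, not code from the paper: it models a 1W2R safe bit whose reads return an arbitrary value only while a sub-write is in progress, builds the regular bit and the l-ary regular register on top of it, injects a transient fault as an arbitrary initial bit pattern, and checks the guarantees the proofs above rely on (reads after a fault agree, a write after the fault is returned by the next read, and a read overlapping a write returns a feasible value). The two-step sub-write, the round-robin scheduler and the RNG playing the adversary are assumptions of this model.

```python
import random

class SafeBit:
    """Model of a 1W2R safe bit, readable by both the writer and the reader.
    A sub-write spans two scheduler steps (begin, commit); a read that falls
    between them overlaps the write and returns 0 or 1 as the adversary (an
    RNG here) chooses, which is all safeness guarantees. A read that does
    not overlap a write returns the last committed value."""
    def __init__(self, value, rng):
        self.value, self.rng, self.writing, self.writes = value, rng, False, 0
    def read(self):
        return self.rng.randint(0, 1) if self.writing else self.value
    def write_steps(self, v):
        self.writing = True
        yield                         # interleaving point inside the sub-write
        self.value, self.writing, self.writes = v, False, self.writes + 1

class RegularBit:
    """Protocol 1: the writer first reads its own bit (possible only because
    the bit is dual-reader) and writes S only if the value actually changes."""
    def __init__(self, bit):
        self.S = bit
    def read(self):
        return self.S.read()
    def write_steps(self, v):
        l = self.S.read()
        yield
        if l != v:
            yield from self.S.write_steps(v)

class RegularRegister:
    """Protocol 2: l regular bits S_0..S_{l-1}. Write(v) sets S_v and then
    clears S_{v-1}..S_0 downward; Read scans upward for the first 1 and
    returns l-1 if every bit is 0."""
    def __init__(self, bits):
        self.S, self.l = bits, len(bits)
    def write_steps(self, v):
        yield from self.S[v].write_steps(1)
        while v != 0:
            v -= 1
            yield from self.S[v].write_steps(0)
    def read_steps(self, out):
        w = 0
        while w < self.l and self.S[w].read() == 0:
            w += 1
            yield
        out.append(self.l - 1 if w == self.l else w)

def schedule(actions):
    """Round-robin interleaving of step generators, one per action."""
    pending = list(actions)
    while pending:
        for g in pending[:]:
            try:
                next(g)
            except StopIteration:
                pending.remove(g)

def make_register(bit_values, seed=0):
    """bit_values is the arbitrary pattern a transient fault left in the bits."""
    rng = random.Random(seed)
    return RegularRegister([RegularBit(SafeBit(b, rng)) for b in bit_values])

def read_once(reg):
    out = []
    schedule([reg.read_steps(out)])
    return out[0]

def reads_after_fault(bit_values):
    """Two reads right after the fault with no write in between: Def. 6 with
    k = 0 requires them to agree on the effect of the fault."""
    reg = make_register(bit_values)
    return read_once(reg), read_once(reg)

def write_then_read(bit_values, v):
    """Write(v) after the fault, then a read; also returns how many safe-bit
    sub-writes Protocol 1 actually performed (bits already correct are skipped)."""
    reg = make_register(bit_values)
    schedule([reg.write_steps(v)])
    return read_once(reg), sum(b.S.writes for b in reg.S)

def read_overlapping_write(bit_values, v, seed):
    """Write(v) interleaved with one Read. Regularity requires the read to
    return the value before the write or v, its only feasible writes."""
    reg = make_register(bit_values, seed)
    before = read_once(reg)
    out = []
    schedule([reg.write_steps(v), reg.read_steps(out)])
    return before, out[0]
```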
4.3 A 1-Stabilizing nWnR l-ary Atomic Register
Protocol 3 presents the adaptation of the Vitanyi-Awerbuch [VA86, AKKV88] 
multi-reader multi-writer atomic register construction from 1 WlR multi-valued 
regular registers, into a wait-free !-stabilizing nWnR l-ary atomic register using 
n 2 wait-free stabilizing 1 WlR oo-ary regular registers. We prove its correctness 
283 
$S_{11} \ldots S_{nn}$: stabilizing 1W1R regular: $\mathbb{N} \times \{1, \ldots, n\} \times V$
    (with fields tag, id, and val)
operation Write$_i$($v : V$)
    max : $\mathbb{N} \times \{1, \ldots, n\} \times V$
    max := $\max_{1 \leq j \leq n}$ Read($S_{ji}$);
    for $j$ := 1 to $n$
    do Write($S_{ij}$, $\langle$max.tag + 1, $i$, $v\rangle$);
operation Read$_i$(): $V$
    max : $\mathbb{N} \times \{1, \ldots, n\} \times V$
    max := $\max_{1 \leq j \leq n}$ Read($S_{ji}$);
    for $j$ := 1 to $n$
    do Write($S_{ij}$, max);
    return (max.val);
Protocol 3. A 1-stabilizing nWnR $l$-ary atomic register
below. In the protocol, $V$ is the domain of values written and read by the multi-writer register. The construction uses $n^2$ stabilizing regular registers $S_{ij}$, written by processor $i$ and read by processor $j$. These registers store a label consisting of an unbounded tag, a processor id with values in the domain $\{1, \ldots, n\}$, and a value in $V$. Labels are lexicographically ordered by $\leq$.
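To make the label mechanism of Protocol 3 concrete, here is an added Python simulation that is not part of the paper: every base-register access is one scheduler step, so a read may overlap a pending write, and the corrupted starting contents (a "ghost" label with a high tag that no write ever produced) are constructed to stand in for the transient fault.

```python
from typing import List, Optional, Tuple
Label = Tuple[int, int, str]   # (tag, id, val); tuples compare lexicographically

class StabilizingMWMR:
    """Protocol 3 over n*n cells; S[i][j] plays S_ij, written by i, read by j."""
    def __init__(self, n: int, cells: List[List[Label]]):
        self.n, self.S = n, cells      # cells may start with arbitrary (faulty) labels
    def _scan(self, i: int):
        mx: Optional[Label] = None     # max_{1<=j<=n} Read(S_ji), one step per read
        for j in range(self.n):
            lbl = self.S[j][i]
            mx = lbl if mx is None or lbl > mx else mx
            yield
        return mx
    def write(self, i: int, v: str):
        mx = yield from self._scan(i)
        lbl = (mx[0] + 1, i, v)        # unbounded tag outranks every label seen
        for j in range(self.n):
            self.S[i][j] = lbl         # Write(S_ij, <max.tag + 1, i, v>)
            yield
        return lbl
    def read(self, i: int):
        mx = yield from self._scan(i)
        for j in range(self.n):
            self.S[i][j] = mx          # re-announce the label read: Write(S_ij, max)
            yield
        return mx[2]

def run(ops, schedule: List[int]) -> list:
    """Advance generator-ops in schedule order; one step is one base-register access."""
    results, done = [None] * len(ops), set()
    for k in schedule:
        if k in done:
            continue
        try:
            next(ops[k])
        except StopIteration as fin:   # operation completed; keep its result
            results[k] = fin.value
            done.add(k)
    return results

def demo() -> list:
    n = 3
    cells = [[(0, i, "init") for _ in range(n)] for i in range(n)]
    cells[2][1] = (7, 2, "ghost")      # constructed transient fault: label no write produced
    reg = StabilizingMWMR(n, cells)
    ops = [reg.read(1), reg.write(0, "a"), reg.write(1, "b"), reg.read(0), reg.read(2)]
    full = 2 * n + 1                   # steps until an op raises StopIteration
    # read(1), write(0) run alone; write(1) publishes only S_10 before read(0), read(2) run
    sched = [0] * full + [1] * full + [2] * 4 + [3] * full + [4] * full + [2] * full
    return run(ops, sched)
```

In demo(), the first operation of processor 1 returns the ghost value, as the 1-stabilizing guarantee permits, while processor 0's read re-announces the label it read so that processor 2's later read, still concurrent with the pending write of "b", cannot return the older value "a".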
The sequential specification of an atomic register simply states that a write updates the state to be the value written, whereas a read returns the state of the register. Let $(\mathcal{A}, \rightarrow)$ be a run of the above protocol. In the remainder of the proof, $(\mathcal{A}, \rightarrow)$ is the above run with actions $A$ with $count(A) = 0$ (thus $count(A) \neq \oplus$) removed. We will show that for this "sub-run" there exists a corresponding sequential execution $(\mathcal{A}, \Rightarrow)$ such that $\Rightarrow$ is an extension of $\rightarrow$ and for all reads $R$ with $count(R) > 1$, $R$ returns the current state of the register. As for actions $A, B$ with $count(A) = 0$ and $count(B) \neq 0$ in the original run either $A \rightarrow B$ or $A \parallel B$, we can prepend all these $A$ to $(\mathcal{A}, \Rightarrow)$ such that the resulting sequential execution $(\mathcal{A}, \Rightarrow)$ corresponds to the original run $(\mathcal{A}, \rightarrow)$ and satisfies Def. 4.
We are going to partition $\mathcal{A}$ into a set $\mathcal{R}$ of actions that behave as reads and a set $\mathcal{W}$ of actions that behave as writes. To this end, define
$\mathcal{F} = \{A \in \mathcal{A} \mid count(A) = \oplus \vee count(A) = 1\}$
$\mathcal{R}^- = \{A \in \mathcal{A} \mid count(A) > 1 \text{ and } A \text{ is a read}\}$
$\mathcal{W}^- = \{A \in \mathcal{A} \mid count(A) > 1 \text{ and } A \text{ is a write}\}$
Then $\mathcal{F}$ corresponds to the set of actions that, according to Def. 4, may behave arbitrarily. We further subdivide $\mathcal{F}$ into actions $\mathcal{F}_W$ that seem to behave as a write and actions $\mathcal{F}_R$ that seem to behave as a read, making sure that no two apparent writes write the same label. Define for $A \in \mathcal{A}$, $label(A)$ as the label written by $A$, and for a set of actions $\mathcal{F}$, $label(\mathcal{F}) = \{label(F) \mid F \in \mathcal{F}\}$. Set $\mathcal{L} = label(\mathcal{F}) \setminus label(\mathcal{W}^-)$ and let $\mathcal{F}_W$ be an arbitrary subset of $\mathcal{F}$ such that
(F1) $label(\mathcal{F}_W) = \mathcal{L}$, and
(F2) For all $A, B \in \mathcal{F}_W$, if $label(A) = label(B)$ then $A = B$, and
(F3) For all $A \in \mathcal{F}_W$ and $B \in \mathcal{F}$, if $label(A) = label(B)$ then $t_i(A) < t_i(B)$.
Now set $\mathcal{F}_R = \mathcal{F} \setminus \mathcal{F}_W$ and define $\mathcal{W} = \mathcal{W}^- \cup \mathcal{F}_W$ and $\mathcal{R} = \mathcal{R}^- \cup \mathcal{F}_R$.
Lemma 12. If $A \rightarrow B$ then $label(A) \leq label(B)$. If $B \in \mathcal{W}^-$ this inequality is strict.
Proof. Let $A$ be performed by processor $i$ and $B$ be performed by processor $j$. If $A \rightarrow B$, then the write to $S_{ij}$ by $A$ precedes the read of $S_{ij}$ by $B$. Because we only consider actions with $count \neq 0$, the write to $S_{ij}$ is not pending, and by $A \rightarrow B$ the read of $S_{ij}$ does not overlap a pending write. Then the write of $A$ to $S_{ij}$ or a later write by action $C$ of $i$ to $S_{ij}$ is a feasible write to the read of $S_{ij}$ of $B$; hence this read returns the value written to $S_{ij}$ by processor $i$ during action $A$ or the later action $C$. Since processor $i$ both reads and writes $S_{ii}$, and $count(A) \neq 0$, $label(A) \leq label(C)$. Therefore the read of $S_{ij}$ by $B$ returns a label greater than or equal to $label(A)$. $B$ picks the maximum of all labels read, so if $B$ is a read, $label(A) \leq label(B)$ and if $B$ is a write, then $label(A) < label(B)$.
Lemma 13. For all $R \in \mathcal{R}$ there exists a $W \in \mathcal{W}$ such that $label(W) = label(R)$ and $R \not\rightarrow W$.
Proof. Define $A \rightsquigarrow B$ iff $label(A) = label(B)$ and $B \not\rightarrow A$. Then $A \rightsquigarrow A$. Let $R \in \mathcal{R}$ be arbitrary, and pick a $B \in \mathcal{A}$ such that $B \rightsquigarrow R$ and for no $A \in \mathcal{A}$, $A \neq B$, $A \rightsquigarrow B$. If $B \in \mathcal{W}$ we are done, so assume $B \in \mathcal{R}$. Suppose $count(B) > 1$. Then there is an operation $C$ on the same processor with $count(C) = 1$ and $C \rightarrow B$. If $label(C) = label(B)$ then $C \rightsquigarrow B$, while if $label(C) < label(B)$ (the only other possible case according to Lemma 12) then the contents of the register from which $B$ obtains $label(B)$ has changed after $C$ read that same register. This register then is written by an operation $D$ with $label(D) = label(B)$ before $B$ reads it. Then $D \not\rightarrow C$, which, as $count(C) = 1$, implies $count(D) \neq 0$ and hence $D \rightsquigarrow B$. This contradicts the assumption that there is no $A$ such that $A \rightsquigarrow B$. We conclude that $count(B) \leq 1$ and hence $B \in \mathcal{F}$, so $label(B) \in label(\mathcal{F})$. So either there exists a $W \in \mathcal{W}^-$ such that $label(W) = label(B) = label(R)$, or $label(B) \in \mathcal{L}$ and by (F1) there exists a $W' \in \mathcal{F}_W$ with $label(W') = label(B) = label(R)$. In the first case, by Lemma 12, $R \not\rightarrow W$ as required. In the second case, since $B \in \mathcal{F}$ we must have by (F3), $t_i(W') < t_i(B)$. Then as $B \rightsquigarrow R$ implies $R \not\rightarrow B$, this in turn implies $R \not\rightarrow W'$.
Lemma 14. For all $W, W' \in \mathcal{W}$ if $label(W) = label(W')$ then $W = W'$.
Proof. There are three cases.
$W, W' \in \mathcal{W}^-$: By the protocol then $W$ and $W'$ must be executed by the same processor (or else their id-fields differ). But then either $W \rightarrow W'$ or $W' \rightarrow W$. By Lemma 12 then $label(W) \neq label(W')$, a contradiction.
$W \in \mathcal{W}^-$, $W' \in \mathcal{F}_W$: If $W \in \mathcal{W}^-$ then $label(W) \notin \mathcal{L}$, and if $W' \in \mathcal{F}_W$ then $label(W') \in \mathcal{L}$ by (F1). Therefore $label(W) \neq label(W')$, a contradiction.
$W, W' \in \mathcal{F}_W$: If $label(W) = label(W')$, then by (F2) we have $W = W'$.
Now we can define a reading mapping $\pi : \mathcal{R} \mapsto \mathcal{W}$ for a particular run $(\mathcal{A}, \rightarrow)$ by $\pi(R) = W$ if $label(R) = label(W)$ and $W \in \mathcal{W}$.
Lemma 15. For all $R \in \mathcal{R}$, $\pi(R)$ is defined and unique, $R \not\rightarrow \pi(R)$, and $R$ returns the value written by $\pi(R)$.
Proof. That $\pi(R)$ is defined and $R \not\rightarrow \pi(R)$ follows from Lemma 13. That it is unique follows from Lemma 14. If $\pi(R) \in \mathcal{W}^-$, then $label(\pi(R)).val$ equals the value written by $\pi(R)$. If $\pi(R) \in \mathcal{F}_W$ we define the (arbitrary) value written by $\pi(R)$ to equal $label(\pi(R)).val$.
We now show that every run $(\mathcal{A}, \rightarrow)$ with the above reading function $\pi$ is atomic. Define for $W \in \mathcal{W}$ its clan $[W]$ by $[W] = \{W\} \cup \{R \in \mathcal{R} \mid \pi(R) = W\}$, and let $\Gamma = \{[W] \mid W \in \mathcal{W}\}$ be the set of all clans. Define $\rightarrow'$ over $\Gamma$ by
$[W] \rightarrow' [W'] \iff (\exists A \in [W], B \in [W'] :: A \rightarrow B)$
Lemma 16. For all $W \in \mathcal{W}$ and $A, B \in [W]$ we have $label(A) = label(B)$. Also if $W \neq W'$, then for all $A \in [W]$, $B \in [W']$ we have $label(A) \neq label(B)$.
Proof. It follows from the definition of $[W]$ and $\pi(R)$ and from Lemma 14.
Lemma 17. $\rightarrow'$ is an acyclic partial order over $\Gamma$.
Proof. Suppose not. Then there exists a chain
with $m > 1$, and $W_i \neq W_j$ if $i \neq j$. This implies that for all $i$ with $1 \leq i \leq m$ there exist actions $A_i, B_i \in [W_i]$ such that $A_i \rightarrow B_{i+1}$ (addition modulo $m + 1$ from now). By Lemma 12 and 16 $label(A_i) \leq label(B_{i+1}) = label(A_{i+1})$. Then $label(A_1) = label(A_2)$, contrary to Lemma 16.
Applying these lemmas and the results of [AKKV88] we get the result. 
Theorem 18. Protocol 3 implements a 1-stabilizing nWnR $l$-ary atomic register using $n^2$ stabilizing 1W1R $\infty$-ary regular registers.
Proof. Define a total order $\Rightarrow$ over $\mathcal{A}$ extending $\rightarrow$ as follows. First extend $\rightarrow'$ over $\Gamma$ to a total order $\Rightarrow'$ (according to Lemma 17, this is possible). Now for $A \in [W]$ and $B \in [W']$ let $A \Rightarrow B$ if $[W] \Rightarrow' [W']$ (a). This extends $\rightarrow$ because if $A \rightarrow B$, then by the definition of $\rightarrow'$, $[W] \rightarrow' [W']$ and thus $[W] \Rightarrow' [W']$. For $A, B \in [W]$ fix an arbitrary extension $\Rightarrow$ of $\rightarrow$ such that for the only writer $W \in [W]$ we have for all other $C \in [W]$ that $W \Rightarrow C$ (b). This is an extension of $\rightarrow$ because by Lemma 15, $C \not\rightarrow W$. Now $\Rightarrow$ is a total order over $\mathcal{A}$ such that for all $R \in \mathcal{R}$, $\pi(R) \Rightarrow R$ by Lemma 15 and (b). Also there does not exist a $W \in \mathcal{W}$ such that $\pi(R) \Rightarrow W \Rightarrow R$, because by (a) and the fact that $R \notin [W]$ by Lemma 16, either $[W] \Rightarrow' [\pi(R)]$ or $[\pi(R)] \Rightarrow' [W]$. Hence $W \Rightarrow \pi(R)$ or $R \Rightarrow W$.
5 Further Research 
Our results are a first step towards exploring the relation between self-stabilization and wait-freedom in the construction of shared objects. There are still a lot of interesting questions in this new area that remain unanswered. First of all, this paper describes a first attempt to propose a reasonable and general definition of a self-stabilizing wait-free shared object. Although we believe our approach is viable, further research is necessary to demonstrate this, or to decide that other definitions may be more appropriate. Second, our construction of the 1-stabilizing nWnR atomic register uses unbounded time-stamps to invalidate old values. We would like to know whether this is necessarily so, or if the space requirements of a $k$-stabilizing atomic register can be bounded. Finally, following the work of Aspnes and Herlihy [AH90], it is an interesting venture to classify, based on their sequential specification, all $k$-stabilizing shared memory objects that can be constructed from $k'$-stabilizing atomic registers, and to provide a general method to do so.
Acknowledgements 
It's a pleasure to thank Moti Yung for his encouragement in this work. We are 
grateful to the anonymous referees for their accurate and insightful comments, 
and to the MPI and the CWI for their hospitality during mutual visits. 
References 
[AGMT92] AFEK, Y., GREENBERG, D., MERRITT, M., AND TAUBENFELD, G. Computing with faulty shared memory. In 11th PODC (Vancouver, BC, Canada, 1992), ACM Press, pp. 47-58.
[AKY90] AFEK, Y., KUTTEN, S., AND YUNG, M. Memory-efficient self stabilizing protocols for general graphs. In 4th WDAG (Bari, Italy, 1990), LNCS 486, Springer Verlag, pp. 15-28.
[AMT93] AFEK, Y., MERRITT, M., AND TAUBENFELD, G. Benign failure models for shared memory. In 7th WDAG (Lausanne, Switzerland, 1993), LNCS 725, Springer Verlag, pp. 69-83.
[AH93] ANAGNOSTOU, E., AND HADZILACOS, V. Tolerating transient and permanent failures. In 7th WDAG (Lausanne, Switzerland, 1993), LNCS 725, Springer Verlag, pp. 174-188.
[AH90] ASPNES, J., AND HERLIHY, M. P. Wait-free data structures in the asynchronous PRAM model. In 2nd SPAA (Crete, Greece, 1990), ACM Press, pp. 340-349.
[AKKV88] AWERBUCH, B., KIROUSIS, L. M., KRANAKIS, E., AND VITANYI, P. M. B. A proof technique for register atomicity. In 8th FSTTCS (Pune, India, 1988), LNCS 338, Springer Verlag, pp. 286-303.
[AKM+93] AWERBUCH, B., KUTTEN, S., MANSOUR, Y., PATT-SHAMIR, B., AND VARGHESE, G. Time optimal self-stabilizing synchronization. In 25th
BROWN, G. M., GOUDA, M. G., AND WU, C. L. Token systems that self-stabilise. IEEE Trans. on Comput. 38, 6 (1989), 845-852.
BURNS, J. E., AND PACHL, J. Uniform self-stabilising rings. ACM Trans. Prog. Lang. & Syst. 11, 2 (1989), 330-344.
DIJKSTRA, E. W. Self-stabilising systems in spite of distributed control. Comm. ACM 17, 11 (1974), 643-644.
DOLEV, S., ISRAELI, A., AND MORAN, S. Self-stabilisation of dynamic systems assuming only read/write atomicity. Distr. Comput. 7, 1 (1993), 3-16.
DOLEV, S., AND WELCH, J. L. Wait-free clock synchronization. In 12th PODC (Ithaca, NY, USA, 1993), ACM Press, pp. 97-108.
GOPAL, A. S., AND PERRY, K. J. Unifying self-stabilisation and fault-tolerance. In 12th PODC (Ithaca, NY, USA, 1993), pp. 195-206.
HERLIHY, M. P. Wait-free synchronization. ACM Trans. Prog. Lang. & Syst. 13, 1 (1991), 124-149.
HOEPMAN, J.-H. Uniform deterministic self-stabilising ring-orientation on odd-length rings. In 8th WDAG (Terschelling, The Netherlands, 1994), LNCS 857, Springer Verlag, pp. 265-279.
ISRAELI, A., AND JALFON, M. Uniform self-stabilising ring orientation. Inf. & Comput. 104, 2 (1993), 175-196.
ISRAELI, A., AND SHAHAM, A. Optimal multi-writer multi-reader atomic register. In 11th PODC (Vancouver, BC, Canada, 1992), ACM Press, pp. 71-82.
JAYANTI, P., CHANDRA, T., AND TOUEG, S. Fault-tolerant wait-free shared objects. In 33rd FOCS (Pittsburgh, Penn., USA, 1992), IEEE Comp. Soc. Press, pp. 157-166.
KATZ, S., AND PERRY, K. J. Self-stabilising extensions for message-passing systems. In 9th PODC (Quebec City, Quebec, Canada, 1990), ACM Press, pp. 91-101.
LAMPORT, L. On interprocess communication. Part I: Basic formalism, part II: Algorithms. Distr. Comput. 1, 2 (1986), 77-101.
LI, M., TROMP, J., AND VITANYI, P. M. B. How to share concurrent wait-free variables. Tech. Rep. CS-R8916, CWI, Amsterdam, 1989.
LI, M., AND VITANYI, P. M. B. Optimality of wait-free atomic multiwriter variables. Tech. Rep. CS-R9128, CWI, Amsterdam, The Netherlands, 1991.
PAPATRIANTAFILOU, M., AND TSIGAS, P. Wait-free self-stabilising clock synchronisation. In 4th SWAT (Århus, Denmark, 1994), LNCS 824, Springer Verlag, pp. 267-277.
PETERSON, G. L., AND BURNS, J. E. Concurrent reading while writing II: The multi-writer case. In 28th FOCS (Los Angeles, CA, USA, 1987), IEEE Comp. Soc. Press, pp. 383-392.
SCHNEIDER, M. Self-stabilisation. ACM Comput. Surv. 25, 1 (1993), 45-67.
TEL, G. Introduction to Distributed Algorithms. Cambridge University Press, 1994.
[VA86] VITANYI, P. M. B., AND AWERBUCH, B. Atomic shared register access by asynchronous hardware. In 27th FOCS (Toronto, Ont., Canada, 1986), IEEE Comp. Soc. Press, pp. 233-243.
