We present the first explicit, and currently simplest, randomized algorithm for two-process wait-free testand-set. It is implemented with two 4-valued single writer single reader atomic variables. A test-and-set takes at most 11 expected elementary steps, while a reset takes exactly 1 elementary step. Based on a finite-state analysis, the proofs of correctness and expected length are compressed into one table.
Introduction
A test-and-set protocol concurrently executed by each process out of a subset of n processes selects a unique process from among them. In a distributed or concurrent system, the test-and-set operation is useful and sometimes mandatory in a variety of situations including mutual exclusion, resource allocation, leader election and choice coordination. It is wellknown that in the wait-free setting, [23] , a deterministic construction from atomic read/write variables is impossible [24] . Although widely assumed to exist, and referred to, an explicit randomized construction for wait-free test-and-set has not appeared in print yet, apart from a deterministic construction assuming two-process atomic test-and-set [3] . The latter, in the form of a randomized two-process wait-free test-and-set has been circulated in draft form [36] for a decade. Here we finally present the construction. Since such constructions are notoriously prone to hard-to-detect errors, we prove it correct by an exhaustive finite-state proof, thus also presenting a nontrivial application of this proof technique.
Partially supported by the EU fifth framework project QAIP, IST-1999-11234 , the NoE QUIPROCONE IST-1999-29064, the ESF QiT Programmme, and the EU Fourth Framework BRA NeuroCOLT II Working Group EP 27150.
Interprocess communication. The model is interprocess communication through shared memory as commonly used in the theory of distributed algorithms [26] . We use atomic single writer single reader registers as primitives. Such primitives can be implemented wait-free from single-reader single-writer "safe" bits (mathematical versions of hardware "flip-flops") [23] ). A concurrent object is constructible if it can be implemented deterministically with boundedly many safe bits. A deterministic protocol executed by n processes is wait-free if there is a finite function f such that every non-faulty process terminates its protocol executing a number of at most f (n) of accesses to the shared memory primitives, regardless of the other processes execution speeds. If the execution speed of a process drops to zero then this is indistinguishable from the process having a crash failure. As a consequence, a wait-free solution can tolerate up to n−1 processes having crash failures (a property called "(n − 1)-resiliency"), since the surviving non-faulty process correctly executes and terminates its protocol. Below, we also write "shared variable" for "register."
Randomization. The algorithms executed by each process are randomized by having the process flip coins (access a random number generator). In our randomized algorithms the answers are always correct-a unique process gets selected-but with small probability the protocol takes a long time to finish. We use the customary assumption that the coin flip and subsequent write to shared memory are separate atomic actions. To express the computational complexity of our algorithm we use the expected complexity, over all system executions and with respect to the randomization by the processes and the worstcase scheduling strategy of an adaptive adversary. A randomized protocol is wait-free if f (n) upper bounds the expectation of the number of elementary steps, where the expectation is taken over all randomized system executions against the worstcase adversary in the class of adversaries considered (in our results the adaptive adversaries).
Complexity measures. The computational complexity of distributed deterministic algorithms using shared memory is commonly expressed in number and type of intercommunication primitives required and the maximum number of sequential read/writes by any single process in a system execution. Local computation is usually ignored, including coin-flipping in a randomized algorithm.
Related work. What concurrent wait-free object is the most powerful constructible one? It has been shown that waitfree atomic multi-user variables, and atomic snapshot objects, are constructible, for example [30, 23, 37, 22, 33, 25, 32, 14, 5, 2, 16] . In contrast, the agreement problem in the deterministic model of computation (shared memory or message passing) is unsolvable in the presence of faults [21, 17, 24] . Correspondingly, wait-free consensus-viewed as an object on which each of n processes can execute just one operation-is not constructible [12, 1] , although randomized implementations are possible [12, 1, 6, 34] . Wait-free concurrent test-and-set can deterministically implement two-process wait-free consensus, and therefore is not deterministically constructible [24, 17] . This raises the question of whether randomized algorithms for test-and-set exist.
In [17] it is shown that repeated use of 'consensus' on unbounded hardware can implement 'test-and-set'. In [31, 34, 18] it is argued that a bounded solution can be obtained by combining several intermediate constructions, like so-called "sticky bits", but no explicit construction is presented to back up this claim. To quote [31] : "randomized consensus algorithms of Chor, Israeli, and Li [12] , Abrahamson [1] , Aspnes and Herlihy [7] , and Attiya, Dolev, and Shavit [4] , together with our construction imply that a polynomial number of safe bits is sufficient to convert a safe implementation into a (randomized) wait-free one."Any such "layered" construction will require orders of magnitude more primitive building blocks like one-writer one-reader bits than the direct construction we present below. Wait-free n-process test-and-set can be implemented deterministically from wait-free two-process testand-set, [3] , showing that the impossibility of a deterministic algorithm for n-process test-and-set is solely due to the twoprocess case.
Present results. Despite the frequent use of randomized waitfree test-and-set in the literature, no explicit construction for the basic ingredient, randomized wait-free two-process testand-set, has appeared in print. Our construction, [36] , has been subsumed and referred to long since, for example in [3, 28, 15, 10] , but other interests prevented us from publishing a final version earlier. The construction is optimal or close to optimal. The presented algorithm directly implements wait-free test-and-set between two processes from single-writer singlereader atomic shared registers. Randomization means that the algorithm contains a branch conditioned on the outcome of a fair coin flip (as in [35] ). We use a finite-state based proof technique for verifying correctness and worst-case expected execution length in the spirit of [13] . Our construction is very simple: it uses two 4-valued 1-writer 1-reader atomic variables. The worst-case expected number of elementary steps (called "accesses" in the remainder of the paper) in a test-andset operation is 11, whereas a reset always takes 1 access.
Preliminaries
Processes are sequentially executed finite programs with bounded local variables communicating through single-writer, multi-reader bounded wait-free atomic registers (shared variables). The latter are a common model for interprocess communication through shared memory as discussed briefly in Section 1. For details see [23, 25] and for use and motivation in distributed protocols see [8, 9, 19 ].
Shared registers, atomicity
The basic building blocks of our construction are 4-valued 1writer 1-reader atomic registers. Every read/write register is owned by one process. Only the owner of a register can write it, while only one other process can read it. In one access a process can either:
• Read the value of a register;
• Write a value to one of its own registers; • Moreover, following the read/write of a register the process possibly flips a local coin (invokes a random number generator that returns a random bit), preceded or followed by some local computation. We require the system to be atomic: every access of a process can be thought to take place in an indivisible instant of time and in every indivisible time instant at most one access by one process is executed. The atomicity requirement induces in each actual system execution a total order on the set of all of the accesses by the different processes, on the set of accesses of every individual process, and on the set of read/write operations executed on each individual register. The state of the system gives for each process: the contents of the program counter, the contents of the local variables, and the contents of the owned shared registers. Since processes execute sequential programs, in each state every process has at most a single access to be executed next. Such accesses are enabled in that state.
Adversary
There is an adversarial scheduling demon that in each state decides which enabled access is executed next, and thus determines the sequence of accesses of the system execution. There are two main types of adversaries: the oblivious adversary that uses a fixed schedule independent of the system execution, and the much stronger adaptive adversary that dynamically adapts the schedule based on the past initial segment of the system execution. Our results hold against the adaptive adversary-the strongest adversary possible.
Complexity
The computational complexity of a randomized distributed algorithm in an adversarial setting and the corresponding notion of wait-freeness require careful definitions. For the rigorous novel formulation of adversaries as restricted measures over the set of system executions we refer to the Appendix of [28] . For the simple application in this paper we can assume that the notions of global (system) execution, wait-freeness, adaptive adversary, and expected complexity are familiar. A randomized distributed algorithm is wait-free if the expected number of read/writes to shared memory by every participating process is bounded by a finite function f (n), where n is the number of processes. The expectation is taken over the probability measure over all randomized global (system) executions against the worst-case adaptive adversary.
Test-and-set implementation
We first specify the semantics of the target object: Definition 3.1. An atomic test-and-set object X is a global variable, associated with n processes P 0 , . . . , P n−1 , exhibiting the following functionality:
• The value of X is 0 or 1;
• Every process P i has a local binary variable x i which it alone can read or write; • At any time exactly one of X, x 0 , . . . , x n−1 has value 0, all others have value 1 (we assume the global time model); • A process P i with x i = 1 can atomically execute a testand-set operation τ : read x i := X; write X := 1; return x i . • A process P i with x i = 0 can atomically execute a reset operation ρ:
This specification naturally leads to the definition of the state of the test-and-set object as an element of {⊥, 0, . . . , n − 1} corresponding to the unique local variable out of X, x 0 , . . . , x n−1 that has value 0. Here ⊥ is the state that none of the x i 's is 0. Formally, the specification is given later as a finite automaton in Definition 5.1.
Since "atomicity" means that the operation is executed in a single indivisible time instant, and, moreover, in every such time instant at most one operation execution takes place, the effect of a test-and-set operation by process P i is that x i := 0 iff x j = 0 for all j = i, and x i = 1 otherwise. The effect of a reset operation by P i is only defined for initially x i = 0 and x j = 0 for all j = i, and results in x i := 1. To synthesise the target object from more elementary objects, we have to use a sequence of atomic accesses to these elementary objects. By adversary scheduling, these sequences may be interleaved arbitrarily.Yet we would like to have the effect of an atomic execution of the test-and-set operations and the reset operations by each process. To achieve such a "virtual" atomic execution we proceed as follows:
An implementation of a test-and-set operation τ or a reset operation ρ by a process P is an algorithm executed by P that results in an ordered sequence of accesses of that process to elements of a set {R 0 , . . . , R m−1 } of atomic shared variables, interspersed with local computation and/or local coin flips. The sequence of accesses is determined by the, possibly randomized, algorithm, and the values returned by the "read" accesses to shared variables. We denote an access by (P, R, A), meaning that process P executes access A (read or write a value) on shared variable R. The implementation must satisfy the specification of the target test-and-set semantics of Definition 3.1 restricted to process P . Formally, the specification is given later as a finite automaton in Definition 5.2. in the ordered sequence constituting a, and f (a) coincides with the time of execution of the last access in the ordered sequence constituting a. By the atomicity of the individual accesses in the global time model, all accesses are executed at different time instants. In certain cases (which we show to have zero probability) it is possible that f (a) is not finite (because the algorithm executes infinitely many loops with probability 1 2 each). Definition 3.4. Let the local execution of process P i consist of the ordered sequence of operations
A test-and-set operation or reset operation by a particular process may consist of more than one access, and therefore the local executions by the different processes may happen concurrently and asynchronously. This has the effect that a global execution can correspond to many different interleavings.
Definition 3.5. Consider a global execution. An interleaving of the accesses by the different processes associated with the global execution is a (possibly infinite) totally ordered se-
• The start times and finish times determined by the local executions; and • the order of the accesses in the local executions.
The implementation should guarantee that the functionality of the implementation is "equivalent", in an appropriate sense, to the functionality of the target test-and-set object, and in particular satisfies the "linearizability requirement" [20] (also called "atomicity" in [23] ). Definition 3.6. A system implements the target test-and-set object if the system is initially in state ⊥, and we can extend → on A to a total order ⇒ on A with an initial element, satisfying: To prove that a protocol executed by all processes is an implementation of the target test-and-set object it suffices to show that every possible interleaving that can be produced by the processes executing the protocol in every global execution, starting from the ⊥ state, satisfies the above requirements. 
Algorithm
We give a test-and-set implementation between two processes, process P 0 and process P 1 . The construction uses two 4-valued shared read/write variables R 0 and R 1 . The four values are 'me', 'he', 'choose', 'rst'-chosen as a mnemonic aid explained below. Process P i solely writes variable R i , its own variable, and solely reads R 1−i . For this reason the reads and writes in the protocol don't need to be qualified by the shared variables they access. The protocol, for process P i (i = 0, 1), is presented as both a finite state chart, Fig. 1 and as the program below. The state chart representation will simplify the analysis later. The transitions in the state chart are labeled with reads r(value) and writes w(value) of the shared variables, where value denotes the value read or written. The 11 states of the state chart are split into 4 groups enclosed by dotted lines. Each group is an equivalence class consisting of the set of states in which process P i 's own shared variable R i has the same value. That is, the states in a group are equivalent in the sense that process P 1−i cannot distinguish between them by reading R i . Accordingly, the inter-group transitions are writes to R i , whereas the intra-group transitions are reads of R 1−i . Each group is named after the corresponding value of the own shared variable R i . The state chart is deterministic, but for a coin flip which is modeled by the two inter-group transitions in the "choose" group, representing the two outcomes of a fair coin flip. Doubly circled states are "idle" states (no operation execution is in progress), and singly circled states are intermediate states in an operation execution that is in progress.
A program representation of the protocol, for process P i , is given below. An occurrence of R i not preceded by 'write' (similarly, R 1−i not preceded by 'read') as usual refers to the last value written to it (resp. read from it). The conditional 'rnd(true,false)' represents the boolean outcome 'true' or 'false' of a fair coin flip. The system is initialized with value 'rst' in shared variables R 0 , R 1 . In our protocol, all assignments to local variables consist of contents read from shared variables. To simplify, we abbreviate statements like "while ((r 1−i := R 1−i ) = r i ) do"; to "while read R 1−i = R i do . . . ". Here, r i is the local variable containing the value last written to shared variable R i and r 1−i is the local variable storing the last read value of shared variable R 1−i , for process P i . This way, our (writing of the) protocol can dispense with local variables altogether. It can be verified in the usual way that the state chart represents the operation of the program. The intuition is easily explained using the state chart. The default situation is where both processes are idle, which corresponds to being in the 'rst' state. If process P i starts a test-and-set then it writes R i := me (indicating its desire to take the 0), and checks by reading R 1−i whether process P 1−i agrees (by not having R 1−i = me). If so, then P i has successfully completed a test-and-set by obtaining the 0 and, implicitly, setting the global variable X := 1 . In this case process P 1−i cannot get 0 until process P i does a reset by writing R i := rst. While R i = me, process P 1−i can only move from state 'me' to state 'notme' and on via states 'choose', 'tohe' and 'he' to 'tst1', where it completes its test-and-set operation by failure to obtain the 0.
The only complication arises if both processes see each other's variable equal to 'me'. In this case they are said to disagree or to be in conflict. They then proceed to the 'choose' state from where they decide between going for 0 or 1, according to what the other process is seen to be doing. (It is essential that this decision be made in a neutral state, without a claim of preference for either 0 or 1. If, for example, on seeing a conflict, a process would change preference at random, then a process cannot know for sure whether the other one agrees or is about to write a changed preference.) The deterministic choices, those made if the other's variable is read to contain a value different from 'choose', can be seen to lead to a correct resolution of the conflict. A process ending up in the 'tst1' state makes sure that its test-and-set resulting in obtaining the 1 is justified, by remaining in that state until it can be sure that the other process has taken the 0. Only if the other process is seen to be in the 'rst' state it resumes trying to take the 0 itself.
Suppose now that process P i has read R 1−i = choose and is about to flip a coin. Assume that process 1 − i has already moved to one of the states 'tome'/'tohe'(or else reason with the processes interchanged). With 50 percent chance, process P i will move to the opposite state as did process P 1−i , and thus the conflict will be resolved.
In the proof of Theorem 5.13 (below) we establish that the probability of each loop through the 'choose' state is at most one half, and the expected number of 'choices' (transitions from state choose) is at most two. This indicates that the worst case expected test-and-set length is 11. Namely, starting from the 'tst1' state, it takes 4 accesses to get to state 'choose', another 4 accesses to loop back to 'choose' and 3 more accesses to reach 'tst0'/'tst1'. The reset operation always takes 1 access.
Proof of Correctness
The proof idea is as follows: We give a specification of a correct implementation of two-process test-and-set in the form of a finite automaton (Fig. 4) . We then show that all initial segments of every possible interleaving of accesses by two processes P 0 and P 1 , both executing the algorithm of the state chart ( Fig. 1) , are accepted by the finite automaton. Moreover, the sequence of states of the finite automaton in the acceptance process induces a linear order on the operation execution of the implemented processes that extends the partial order induced by the start and finish times of the individual operation executions. Thus, the implementation is both correct and atomic. Essentially, the proof is given by Fig. 5 , which gives the state of the specification finite automaton for every reachable combination of states which processes P 0 and P 1 can attain in their respective copies of the state chart ( Fig. 1) . By analysis of the state chart, or Fig. 5 , we upper bound the expectation of the number of accesses of every operation execution of the implementation by a small constant. Hence the implementation is wait-free.
Let h be an interleaving corresponding to a global execution (A, →) of two processes running the protocol starting from the initial state. Let {s(a), f(a) : a ∈ A} be the set of time instants that start or finish an operation execution, each such time instant corresponding to an access (P, R, A). Let B denote the set of these accesses. Recall that if a is a reset, then we have s(a) = f (a) and there is but a single access executing this operation.
By definition, h|B, the restriction of h to the accesses in B, completely determines the partial order →. If, for every a ∈ A we can choose a single access (P, R, A) a in the sequence of accesses constituting the operation execution of a, such that if a → b then (P, R, A) a precedes (P, R, A) b in h, then we are done. Namely, we can imagine an operation a as executing atomically at the time instant of atomic access (P, R, A) a , and the total order ⇒ defined by a ⇒ b iff (P, R, A) a precedes (P, R, A) b in h, extends the partial order →. Denote the set {(P, R, A) a : a ∈ A} by C. We have to show that for every h as defined above such a C can be found. Fig. 3 shows the semantics required of a correct implementation of a wait-free test-and-set object as a finite automaton FA2, that accepts all sequences of accesses by a single process P i (i = 0, 1) executing a correct wait-free atomic test-and-set protocol: (all states final):
• the access starting a test-and-set operation execution, denoted s(tas), • the atomic occurrence of a test-and-set operation execution returning 0, denoted tas0, • the atomic occurrence of a test-and-set operation execution returning 1, denoted tas1, • the access finishing a test-and-set operation execution returning 0, denoted f(tas0), • the access finishing a test-and-set operation execution returning 1, denoted f(tas1), • the single access corresponding to a complete reset operation execution, denoted rst.
These are the events in B ∪ C restricted to a process P i . The reason for not splitting a reset operation execution into start, atomic occurrence, and finish is that it is implemented in our protocol as a single atomic write where the above three transitions coincide. As before, doubly circled states are "idle" states (no operation execution is in progress), and singly cir- The proof that our implementation is correct consists in demonstrating that it satisfies the specification in the form of the finite automaton FA3 in Fig. 4 below (again all states are final). Formally [27] , FA3 is the composition of FA1 with two copies of FA2, in the I/O Automata framework, as follows: It is drawn as a cartesian product of the two component processes -transitions of process P 0 are drawn vertically and those of process P 1 horizontally. For clarity, the transition names are only given once: only for process P 1 . Identifying the starts and finishes of test-and-set operation executions a with their atomic occurrence (P, R, A) a by collapsing the s() and f () arcs, FA3 reduces to the atomic test-and-set diagram FA1. Identifying all nodes in the same column (row) reduces FA3 to FA2 of process P 0 (process P 1 ).
In the states labeled 'a' through 'h', neither process owns the 0; the system is in state ⊥. In the states labeled 'i' through 'n', process 1 owns the 0; the system is in state 1. In the states labeled 'o' through 't', process 0 owns the 0; and the system is in state 0.
The broken transitions of Fig. 4 correspond to the access (P, R, A) a ∈ C, required for a correct implementation, where the atomic execution of operation a can be virtually situated. Recall that this is only relevant for a is a test-and-set operation, Fig. 4 , which correspond to the unknown but existing access (P, R, A) a ∈ C where the execution of a can be virtually situated, into -moves.
Lemma 5.5. Acceptance of h|B by FA4 implies that (A, →)
is linearizable: the partial order → can be extended to a total order ⇒ such that the sequence of operation executions in A ordered by ⇒ satisfy the test-and-set semantics specification of Definition 5.1.
Proof. If FA4 accepts h|B, then, corresponding to the moves, we can augment the sequence h|B with an access (P, R, A) a in the interval [s(a), f(a)] of each operation execution a ∈ A -or select the single access involved if s(a) = f (a) as in the case of a reset operation execution -to obtain a new sequence h that is accepted by FA3. By the way FA1 composes FA3, it accepts h |C, the subsequence of atomic accesses (P, R, A) a with a ∈ A contained in h . Furthermore, letting t(a) denote the time of access (P, R, A) 
, the total order of accesses in h |C, then ⇒ is a total order that extends the partial order →. That is, the sequence of operation executions of A, linear ordered by ⇒, is accepted by FA1. Fig. 1 is the state chart of the execution of the implementation of an operation by a single process. Each process can be in a particular state of the state chart. Let (s 0 , s 1 ) denote the state of the system with process P i in state s i (i ∈ {0, 1}).
Recall that
Definition 5.6. The initial system state is (rst, rst). A system state (s 0 , s 1 ) is reachable from the initial system state rst  tst0  notme  me  tome  choose  tohe  he  nothe  tst1  free  rst  d10  l10  cek10  ek10  ek10  c10  c10  c10  c10  d10  ek10  tst0  s1  *  r t 1  rt1  rt1  r1  r1  r1  r1  s1  rt1  notme agp8  jn8  imoq8  imoq8  *  imoq8  imoq8  o4  *  p4  *  me  gp9  jn9  imoq9  imoq9  imoq9  o1  o1  o1  o1  p1  imoq9  tome  gp10 jn10  *  imoq10 imoq10 imoq6  o2  o2  imoq6  p2  *  choose  a3  j3  imoq7  i3  imoq7  imoq7  imoq7  o3  imoq7  p3  *  tohe  a2  j2  imoq6  i2  i2  imoq6 imoq10 imoq10  *  p6  *  he  a1  j1  i1  i1  i1  i1  imoq9  imoq9  imoq9  p5  *  nothe  a4  j4  *  i 4  imoq8  imoq8  *  imoq8  imoq8  p4  *  tst1  d11  l11  k11  k11  k11  k11  k11  k11  k11  *  *  free gp10 jn10 * imoq10 * * * * * * * Fig. 5 . Table verification of correctness and wait-freedom (rst, rst) if there is a sequence h arising from the execution of our test-and-set implementation, represented by the state chart of Fig. 1 , starting from the initial state and ending in state (s 0 , s 1 ).
Example 5.7. In the initial state both processes are in state 'rst'. Process P 0 can start a test-and-set by executing w(me) and entering state me. Suppose process P 1 now starts a testand-set: it executes w(me) and moves to state me. Hence, system states (me, rst) and (me, me) are reachable states.
Definition 5.8. The representative set of a reachable system state (s 0 , s 1 ) is a nonempty set S s0,s1 of FA3/FA4 states, as in Fig. 4 , such that: For every sequence of accesses h starting in the initial state and ending in state (s 0 , s 1 ), the set S s0,s1 is the set of states in which FA4 can be after processing h|B, excluding those states that have outgoing moves that aremoves only.
Example 5.9. We elaborate Example 5.7. In the initial state both processes are in state 'rst'. The corresponding start state d of FA4 gives the associated (in this case singleton) representative set {d}. When process P 0 executes w(me) and enters state me, the resulting system state is (me, rst) with the associated representative set {g, p} of FA4 states. That is, the system is now either in state g, meaning that process P 0 has executed s(tas), or in state p meaning that process P 0 has executed s(tas) and also tas0 atomically. In the scenario of Example 5.7, process P 1 now executes w(me) and moves to state me, resulting in the system state (me, me). The corresponding representative set of FA4 states is {i, m, o, q}. State m says process P 1 has executed s(tas) and tas0 atomically, while process P 0 has only executed s(tas) -hence the system was previously in state g and not in state p. State i says process P 1 has executed s(tas) and tas0 atomically, while process P 0 has executed s(tas) and tas1 atomically -and hence the system was previously in state g and not state p.
States o and q imply the same state of affairs with the roles of process P 0 and process P 1 interchanged, and the previous system state is either p or g. (The correspondence between reachable states and their representative sets is exhaustively established in Claim 5.11 below.) Lemma 5.10. Let h be a sequence of accesses arising from the execution of our test-and-set implementation, represented by the state chart of Fig. 1 , starting from the initial state (both processes in state 'rst'). Then, every initial segment of h|B is accepted by FA4 starting from initial state 'd'.
Proof. We show that the set of letters in an entry in the table of Fig. 5 is a representative set for the state of process P 0 , indexing the row, and the state of process P 1 , indexing the column. The entries were chosen excluding all states from the representative sets with all outgoing moves consisting of -moves (but the representative sets contain the states the outgoingmoves of the excluded states point to). This gives the most insight into the workings of the protocol by considering only the result of executing -moves from a state if its only outgoing moves are -moves. A * -entry indicates an unreachable state pair. (The number ending an entry gives the expected number of accesses to finish the current operation execution of process P 0 -and by symmetry, that for an equivalent state pair with respect to P 1 . We will use this later.) Thus, every state (s 0 , s 1 ) of the implementation execution corresponds with a set of states S s0,s1 of FA4.
Claim 5.11. The representative sets are given by the entries of Fig. 5 .
Proof. The proof of the claim is contained in the combination of Figs. 1, 4 , 5. Below we give the inductive argument. The mechanical verification of the subcases has been done by hand, and again by machine. The setting up of the exhaustive list subcases and subsequent verification by a computer program is the essennce of a finite-state proof. In this particular case, exceptionally, the finite state machines involved (and the table of representative sets) have been minimized so that "mechanical" verification by hand by the reader is still feasible. Induction is on the length of the sequence of accesses: Base Case. Initially, after an empty sequence of accesses, FA4 is in the state {d} = S rst,rst . Induction. Every non-reachable state has a * -entry in the table of Fig.5 . Consider an arbitrary atomic transition from a reachable state (s 0 , s 1 ) to a state (t 0 , t 1 ), that is, using a single arc in the state chart in Fig. 1 for either process P 0 or P 1 . This way, either t 0 = s 0 or t 1 = s 1 but not both. Then, for every FA4 state y ∈ S t0,t1 , Fig. 4 , according to the table of Fig. 5 , there is an FA4 state x ∈ S s0,s1 according to Fig. 4 , such that FA4 can move from x to y by executing: either the access corresponding to the transition in the state chart in Fig. 1 , if that access belongs to B, or no access otherwise (there is a sequence of -moves from x to y). This finalizes the proof of the claim.
Since every reachable state of the system (s 0 , s 1 ), with s i (i ∈ {0, 1}) a state of the state chart of Fig. 1 , has a representative set in FA4, Fig. 4 , and every state of of FA4 is an accepting state, the lemma follows from Claim 5.11.
Theorem 5.12. The algorithm represented by state chart of Fig. 1 correctly implements an atomic test-and-set object.
Proof. By Lemma 5.10 the implementation by the state chart in Fig. 1 correctly implements the specification of two-process test-and-set given by Fig. 4 . The implementation is linearizable (atomic) by Lemma 5.10. The system makes progress (every operation execution is executed completely except for possibly the last one of each process) since h|B contains only the start and finish accesses of each operation execution performed by the implementation.
Theorem 5.13. The algorithm represented by state chart of Fig. 1 is wait-free: the expected number of accesses to shared variables never exceeds 11 during execution of an operation.
Proof. In Fig. 1 every arc is an access. Double circled states are idle states (in between completing an operation execution and starting a new one). Consider process P 0 (the case for process P 1 is symmetrical). The longest path without completing an operation and without cycling is from state 'tst1': tst1, free, me, notme, choose, tohe, he, tst1. This takes 7 accesses. Four of these accesses are parts of a potential cycle of length 4. The remainder is 3 accesses outside the potential cycle. In state 'choose', the outgoing arrow is a random choice only when process P 1 is also in the CHOOSE group. If it is, then with 1 2 probability P 1 makes (or has already made) a choice which will cause process P 0 to loop back to the 'choose' state again. This can happen again and again. The expected number of iterations of loops is
Since a loop has length 4, this gives a total of expected accesses of 8 for the loops. Together with 3 non-loop accesses the total is at most 11 accesses. Such a computation holds for every state in the state chart of Fig. 1 , the only loop being the one discussed but the longest possible path is the one starting from 'tst1'. For definiteness, we have in fact computed the expected number of accesses for every accessible state (s 0 , s 1 ) according to the state chart of Fig. 1 , and added that number to the representative set concerned in the table of Fig. 5 . Since the expected number of accesses is between 1 and 11 for all operation executions, the algorithm given by the state chart of Fig. 1 is wait-free.
To aid intuition, we give an example of checking a few transitions below, as well as giving the interpretation.
Example 5.14. We elaborate and continue Examples 5.7, 5.9. In the initial state both processes are in state 'rst'. In Fig. 4 , the table entry d10 gives the corresponding start state d of FA4. The worst-case expected number of accesses for a test-andset by process 0 is 10. Process P 0 can start a test-and-set by executing w(me) and entering state me. The corresponding table entry gp9 indicates in Fig. 4 that the system is now either in state g meaning that process P 0 has executed s(tas), or in state p meaning that process P 0 has executed s(tas) and also tas0 atomically. The expected number of accesses is now 9 ≤ 10 − 1. Suppose process P 1 now starts a test-and-set: it executes w(me) and moves to state me. The corresponding table entry imoq9 gives the system state as one possibility in {i, m, o, q} in Fig. 4 and the expected number of accesses for execution of test-and-set by process P 0 is still 9. State m says process P 1 has executed s(tas) and tas0 atomically, while process P 0 has only executed s(tas) -hence the system was previously in state g and not in state p. State i says process P 1 has executed s(tas) and tas0 atomically, while process P 0 has executed s(tas) and tas1 atomically -and hence the system was previously in state g and not state p. States o and q imply the same state of affairs with the roles of process P 0 and process P 1 interchanged, and the previous system state is either p or g.
Note that at this point the system can also be in state h of FA4 -both processes having executed s(tas) but no process having executed tas0 or tas1. However, from h there are two -moves possible, and no other moves, leading to q and m. This corresponds to the fact that if both processes have executed s(tas), one of them must return 0 and the other one must return 1. We have optimized the table entries by eliminating such spurious intermediate states h with outgoing moves that are -moves only.
Process P 0 might now read R 1 = me, and move via state 'notme' (table entry imoq8) by writing R 0 := choose, to state 'choose'. Process P 1 is idle in the meantime. The table entry is now i3. This says that process P 1 has atomically executed tst0, and process P 0 has atomically executed tst1. Namely, all subsequent schedules lead in 3 accesses of process P 0 to state 'tst1' -hence the expectation 3.
The expected number of remaining accesses of process P 0 's test-and-set has dropped from 8 to 3 by the last access since 8 was the worst-case which could be forced by the adversary. Namely, from the system in state (notme, me), the adversary can schedule process P 1 to move to (notme, notme) with table entry imoq8, followed by a move of process P 1 to state (notme, choose) with table entry imoq8, followed by a move of process P 0 to state (choose, choose) with table entry imoq7. Suppose the adversary now schedules process P 0 . It now flips a fair coin to obtain the conditional boolean rnd(true, f alse). If the outcome is true, then the system moves to state (tome, choose) with entry imoq6. If the outcome is false, then the system moves to state (tohe, choose) with table entry imoq6. Given a fair coin, this access of process P 0 correctly decrements the expected number of accesses. Suppose the adversary schedules process P 1 in state (choose, choose). Process P 1 flips a fair coin. If the outcome is true the system moves to state (choose, tome) with table entry imoq7; if the outcome is false then the system moves to state (choose, tohe) with table entry imoq7.
Remark on multi-process test-and-set
The obvious way to extend the given solution to more than two processes would be to arrange them at the leaves of a binary tree. Then, a process wishing to execute an n-process testand-set, would enter a tournament, as in [29] , by executing a separate two-process test-and-set for each node on the path up to the root. When one of these fails, it would again descend, resetting all the tas-bits on which it succeeded, and return 1. When it succeeds ascending up to the root, it would return 0 and leave the resetting descend to its n-process reset.
The intuition behind this tree approach is that if a process i fails the test-and-set at some node N , then another process j will get to the root successfully and thus justify the value 1 returned by the former.
The worst case expected length of the n-process operations is only log n (binary logarithm) times more than that of the two-process case.
Unfortunately, this straightforward extension does not work. The problem is that the other process j need not be the one responsible for the failure at node N , and might have started its n-process test-and-set only after process i completes its own. Clearly, the resulting history cannot be linearized.
Nonetheless, it turns out that with a somewhat more complicated construction we can deterministically implement nprocess test-and-set using two-process test-and-set as primitives [3] . This shows that the impossibility of deterministic wait-free atomic n-process test-and-set is completely due to the impossibility of deterministic wait-free atomic twoprocess test-and-set. This latter problem we have just solved by a simple direct randomized algorithm.
