Self-Stabilizing Symmetry Breaking in Constant-Space

extended abstract

y z x

Alain Mayer Yoram Ofek Rafail Ostrovsky Moti Yung

Abstract 1.1 Hardware-Based Proto col Design:

an emerging technology

Weinvestigate the problem of self-stabilizi ng round-robin

Our motivation for considering the ab ove mo del comes from

token managementscheme on an anonymous bidirection al

practical high-sp eed b er optic media communication net-

ring of identical pro cessors, where each pro cessor is an asyn-

works, where a constant-size messages can go through many

chronous probabili stic coin- ippi ng nite state machine

high-sp eed hardware switches i.e. nite-state machines

which sends and receives messages. We show that the so-

and through many communication links during a single soft-

lution to this problem is equivalent to symmetry breaking

ware clo ck-tick.

i.e., leader election. Requiring only constant-size messages

In many such systems, the way fair access to the network

and message-passing mo del has practical implications: our

is regulated is by passing a single token i.e. a constant-

solution can b e implemented in high-sp eed networks using a

bit control signal in a round-robin fashion on a physical or

universal fast hardware switches i.e., nite state machines

emb edded ring. When a network no de needs a p ermission

of size independent of the size of the network.

for a certain action, it waits for a token, holds it for a single

Our automata-based message-passing mo del has inherent

unit of time and then passes it on to ensure fairness in case

deadlo ck p ossibility i.e., when all pro cessors are waiting for

other pro cessors are waiting.

a message whichwe assume is detected by an external time-

It must b e stressed that the eciency of the ab ove

out mechanism. Provided that there is no deadlo ck to b egin

hardware-based approach heavily relies on the fact that the

with, we showhow starting from an arbitrary con guration,

token is a control signal comprising of only a constantnum-

the system never enters a deadlo ck state and further stabi-

b er of bits and that switching hardware is a nite state ma-

lizes in p olynomial time. We note that Dijkstra showed that

chine which can decide even b efore the token arrives if there

the last problem do es not have a deterministic solution even

is a need to just let it pass through or to hold it | de-

when the identical pro cessors p ossess an arbitrary p ower:

p ending only on its lo cal state and the requirements of the

starting from a ring with a multitude of tokens, any de-

network no de. For example, let us consider the case when

terministic system will either not stabilize or will enter a

only a single pro cessor on a ring comp etes for a resource

deadlo ck state.

access control. The fact that the pro cessor must giveupa

token to ensure fairness i.e. to check if there is some other

1 Intro duction

pro cessor waiting does not incur a slowdown prop ortional

to the size of the ring. That is, when the pro cessor gives up

We consider an arbitrary ring of anonymous identical pro-

a token it do es not wait for the numb er of software clo ck-

cessors, where each pro cessor is a probabili stic nite-state

ticks prop ortional to the size of the ring: the constant-bit

machine whose size is xed and indep endent of the size of

control message makes a full round without substantial de-

the ring. We adopt asynchronous message-passing commu-

layby going through high-sp eed digital hardware switches at

nication, where each pro cessor can change state and send

each no de and not waiting for software clo ck-ticks at anyof

messages only up on receiving messages from one of its two

them. Moreover, the constant-bit control signal essentially

adjacent neighb ors.

do es not decrease the bandwidth of the communication links,

making the ab ovescheme very much useful in practice.

Computer Science Department, Brown University, Providence,

RI, 02912. The research of this author was partly supp orted by ONR

grant N00014-91-J-1613.Part of this work was p erformed while the

author was at the IBM T.J. Watson Research Center. Author's e-mail

GENERAL−PURPOSE wn.edu

address: a [email protected] SOFTWARE WITH

atson Research Center, Yorktown Heights, NY 10598.

IBM T.J. W SLOW CLOCK

Author's e-mail address: [email protected]

z NETWORK

echnology Square,

MIT Lab oratory for Computer Science, 545 T NODE

Cambridge, MA 02139. Supp orted by IBM Graduate Fellowship. Part

ork was done at IBM T.J. Watson Research Center. Author's

of this w SIMPLE AND FAST .lcs.mit.edu

e-mail address: raf@theory HARDWARE

atson Research Center, Yorktown Heights, NY 10598.

IBM T.J. W (FINITE STATE MACHINE)

Author's e-mail address: [email protected]

COMMUNICATION CHANNEL

Hardware−Based Protocol Design

1.2 Towards Hardware-Based Fault-Tolerant tokens meet, one dies then eventually only one token will

Token Management remain [IJ90a]. Notice, however, that their solution gives

up the round-robin prop erty | it uses random-walk on the

An imp ortant concern in practice is to make the hardware-

ring which enables token-management, but not round-robin.

based round-robin token-managementscheme fault-tolerant

This relaxation has heavy implication on the actual use of

where the kind of fault-tolerance needed is an ability to re-

the token after stabilizati on, since the token continues its

cover from an arbitrary transient fault which puts the system

drunkard walk at all times | thus its use is mainly for

in any or even maliciously chosen state. In fact, round-

mutual exclusion to solve contention, but not for regu-

robin token-management in the shared memory mo del was

lation and fair-co ordinati on of the network communication

considered in 1974 by Dijkstra in the seminal pap er which

medium, which is the usual task of token systems. Indeed,

intro duced the notion self-stabilization [Dij74 ]. Informally,

Lamp ort and Lynch [LL90] mention that: \there is one im-

the goal of self-stabilizati on is for the system to reach \nor-

p ortant prop erty that is harder to achieve in co ordination

mal" op eration, starting from an arbitrary initial state. Of

problems than in contention { namely self-stabilizatio n".

course, while making the scheme fault-tolerant, we should

The random walk solution can b e extended to achieve

not sacri ce eciency during \normal" op eration. That is,

round-robin prop erty in the following fashion: all tokens

the scheme should still b e ecient in b oth the sp eed and

travel only in one direction say clo ckwise, since

space requirements. In particular, the token, if not needed

self-stabilizin g ring-orientation in constant space is p ossible

at a no de, must b e able to go through the switching hardware

[IJ90b]; at each step, each token ips a coin and either stays

i.e. through nite state machine fast. That is, the hard-

for a single clo ck-tick or advances. When two tokens meet

ware should not rely on a software clock or other software

they play elimination tournament. Again, eventually and

mechanisms and we should deal with faults while maintain-

wepay in stabilizatio n time only one token will remain. No-

ing high-sp eed message-passing communication, esp ecially

tice, however, that this solution is also totally unacceptable,

of control information.

as we need a steady state in which tokens can propagates in

The inherent problem in any message-driven system is

hardware without waiting for a clo ck or other delaywe call

communication deadlo ck i.e. all messages are lost, see for

such a solution fair.

example [DIM91 ]. Also, any shared memory system of even

In this pap er, we solve the problem of fair round-robin

probabilis tic nite state automata for token-management

token managementscheme by actually considering and solv-

can p otentially deadlo ck in a state without tokens. Israeli

ing a strictly stronger problem in fact, equivalent to leader-

and Jalfon [IJ90a] show that deadlo ck-freeness implies that

election of automata-based bidirectional round-robin token

logn bits are needed to represent a token where n is the

management scheme: tokens have \p ositive" or \negative"

size of the ring for any deadlo ck-free solution.

signs, and dep ending on the sign they travel in opp osite di-

In practice, in normal op eration the high-sp eed switch

rections on the ring. In the steady state, there are exactly

can work while the software monitors it; which implies a

two cycling tokens, one in each direction.

twolayer solution. An ecient solution should minimize the

use of the monitoring software layer and let the fast switch

1.4 The Price of Self-Stabilizing Leader Election

do all the work. The slow software layer of a no de has a

clo ck and large memory and thus a no de can intro duce a

In Dijkstra's original pap er in addition to the imp ossibi li ty

new token into a system after a timeout which corresp onds

of deterministic round-robin token managementscheme, he

to a maximal round-trip delay of a token i.e., when it detects

presented a deterministic automata- based token- manage-

that no token passed through a hardware switch the ab ove

ment algorithm in a presence of a leader. However, cho os-

p erio d of time. From the system's sp eed p oint of view, it is

ing a leader among identical pro cessors i.e., leader election

imp ortant to let the slow software intervene only when a slow

is one of the most basic techniques in distributed comput-

and rare event like a round-trip delay o ccurs. Note however,

ing. That is, once a leader is chosen, it can co ordinate any

that no des will time-out in an unco ordinated fashion, and

distributed task. How dicult is it to elect a leader in a

consequently there might b e many tokens in the system after

self-stabilizin g fashion?

these time-outs. Wemay try to detect and correct it at the

If every pro cessor has a unique ID i.e. at least a loga-

slow software layer, however this means that this layer gets

rithmic memory at each no de then the problem of cho os-

involved in the op eration quite often, and also in non-faulty

ing a leader in a self-stabilizi ng manner b ecomes easy: the

scenarios, which is an unacceptable solution.

no de with the smallest ID is a leader i.e., [AKY90, APV91,

Thus, our goal is to design an ecient self-stabilizi ng

AV91]. Notice, however, that the price of self-stabilizatio n

token management system which reduces an arbitrary plu-

is high in b oth memory and communication. That is, in ad-

rality of tokens i.e. one or more to a single token travel-

dition to logarithmic memory at each pro cessor, the system

ing in a round-robin fashion in a completely asynchronous

must constantly send logarithmic size messages i.e. con-

message passing ring of identical nite state machines. It

taining ID's even in a steady state to ensure prop er stabi-

must b e stressed that in the ab ove formulation we disallow

lization. This do es not give a constant size automata-based

all the so-called \solutions" which under any circumstances

solution.

can bring the system from a non-deadlo ck state to a dead-

In this pap er, we show that self-stabilizin g bidirectional

lo ck state. That is, we insist that if there are one or more

round-robin token managementscheme already implies a

tokens to b egin with in an arbitrary initial con guration,

leader election scheme and showhow fair and ecient self-

we never eliminate all of them, and always end-up with ex-

stabilizing bidirection al round-robin scheme can b e achieved.

actly one token traveling in a cycle we call this prop erty

We stress that our scheme utilizes only constant-size control

non-dead locking .

signals and can b e implemented in high-sp eed network hard-

ware. That is, we present a uniform i.e. universal hardware

1.3 What constitutes a practical high-sp eed solution? switch whichachieves fair round-robin token management

scheme for rings of arbitrary size.

Dijkstra showed that round-robin token-managementisim-

The bidirectional problem is strictly stronger than the

p ossible on a ring of unknown size if pro cessors are uniform

unidirectional case: we show that on a unidirection al ring

and deterministic.

of nite-state machines, it is in fact imp ossible to elect a

However, the problem \whether a system of probabilistic

leader even in a randomized setting, while round-robin token

automata can have round-robin token-managementscheme"

management with delays is p ossible.

remained op en. Israeli and Jalfon observed that if each token

essentially uses symmetric random walk, where up on meet-

ings, tokens conduct elimination tournament i.e. when two

1.5 Previous Work on Self-Stabilizing Token Management only suitable to augment high-layer software proto cols but

unsuitable to fast on-line hardware implementation s. As

Previous solutions to the token problem include Dijkstra's

explained ab ove, it is crucial in the practical architectural

original work [Dij74 ] which uses a leader to solve a uni- and

needs for fast token e.g. [CO90, OY90] to have a con-

bi-directional ring of automata with access to their neigh-

stant delay p er token at a no de. Our motivation is there-

b or's memory shared-memory. Brown, Gouda, and Wu

fore to deal with constant size automata-based pro cessing

[BGW89 ] prop osed a solution using a leader and intro duced

resources motivated b oth by practical needs and theoreti-

the use of additional control signals in the algorithm. Israeli

cal interest. We note that, the previous works mentioned

and Jalfon prop osed the rst randomized token management

ab ove use either unb ounded memory and randomization,

scheme [IJ90a] in the shared memory mo del they gaveup

or require non-uniform pro cessors with on-line access to pro-

the round-robin prop ertyby using random-walk on the ring.

tected unique ID's which are to o long for, or inaccessibl e to

Another token-management solution gave up generalityby

high switching comp onents. The software-oriented meth-

assuming a sp ecial size rings prime-numb er size to avoid

o ds are applicable to maintenance, while hardware-oriented

symmetries by Burns and Pachl [BP88]; it is worthwhile

metho ds are highly useful in on-line op eration. For example,

mentioning that it presents a deterministic and uniform so-

in a system like[OY90], the metho ds develop ed for general

lution in this sp ecial case. Herman [Her90] presented a so-

top ology network, e.g., [AKY90, APV91, AV91] can b e

lution which requires strong synchrony and is also limited

used to nd and maintain a spanning tree over a general-

to sp ecial o dd ring-size. Finally, Afek and Brown pre-

top ology network in a self-stabili zin g fashion. Given a span-

sented token-management in the message-passing mo del and

ning tree, we can easily emb ed a virtual ring on it as part

round-robin fashion with the use of randomization, but still

of the self-stabilizi ng maintenance pro cedure. High-sp eed

assumed that a leader exists.

control information as in [CO90] is switched over the vir-

tual ring in order to regulate the network in a fast, on-line,

1.6 Practical Applications

and fair fashion in a mechanism which is able to overcome

transient faults.

Our work is directly derived from practical systems. The

main application is actual self-stabilizin g mechanisms for

2 The Mo del

future high-sp eed lo cal area ring networks LAN's and em-

b edded rings on general-top ology networks. Note that many

Each pro cessor is a probabilisti c, nite state machine PFSM.

future fast e.g., gigabit/sec. LAN's: FDDI [R86], Meta-

The PFSM can communicate with its two neighb ors via

Ring [CO90], Cambridge LAN [HN88], Magnet [LTG90],

asynchronous message-passing. Thus, the PFSM can receive

ATM-ring [OMS89 ], etc., have ring-based top ology. Also,

constant-sized control messages from its neighb ors. The

a recent suggestion for control on a general top ology net-

PFSM can do a state-transition and send its own control

work, is to emb ed a virtual ring to supp ort on-line high-sp eed

messages only up on the receipt of such a message. Hence

control mechanism [OY90]. Having self-stabilizi ng mecha-

the pro cessing at a no de is done in a message-driven, asyn-

nism can prevent costly centralized/dupl i cated monitoring

chronous fashion. Two constant-sized bu ers p orts are

and recovery proto cols for the high cost of such mecha-

used by each PFSM for communication with the left and

nism see e.g., [BCK+83]. As explained ab ove, for future

right neighb or. We can assume that the ring is oriented by

architectures e.g. [R86, CO90, OY90] we need hardware-

using a self-stabilizin g automata-based orientation proto col

oriented constant-time and constant-area control algorithm

as suggested in [IJ90b]. A bidirectional link between two

nite automata to supp ort fast on-line pro cessing at a low-

no des is mo deled as two indep endent asynchronous FIFO-

level proto col.

channels whichmay lose messages. We allow neighb oring

Other application s p ostp oned till the full version in-

no des to detect message col lision as a primitiveevent. That

clude computing a path e ectively emb edding a

is, two control messages traveling in opp osite directions are

bus-architecture in the ring, or the parity of the network,

said to col lide, if they physically cross each other on the

synchronization , counting, load balancing, various marking

ring .

pro cedures, global regulation algorithms and similar control

The global state of the system is de ned as the cross-

pro cedures.

pro duct of the states of the PFSM's and the contents of the

The mechanism for fair round-robin network access reg-

bu ers and links. A legal state in our case is a global state in

ulation weachieve is an imp ortant regulation control task

which there is exactly one token in a bu er or on a link in

in existing e.g., token ring and future LAN's, e.g. MetaR-

each direction and the state of each PFSM correctly re ects

ing [CO90]. MetaRing employsavariant of a token, called

the last token passed through that no de. An algorithm is

SAT-token. The SAT-token distributes transmission-p ermi ts

said to b e a self-stabilizi ng automata-based token manage-

or quota to the active no des, and as a result, multiple no des

mentscheme, if starting in an arbitrary global state with at

can access the network at the same time. In this new scheme

least one token, the scheme guarantees that i eventually a

a no de will hold the SAT-token only if it is not SATis ed it

legal state is reached and ii every successor state of legal

could not send the quota given to it by the SAT-token dur-

state is legal and tokens circulate in a round-robin fashion

ing its previous visit. It has b een shown that in high-sp eed

around the ring without delay.We p ostp one a more formal

implementations, the eciency and e ectiveness of this new

treatment to the nal pap er.

fairness scheme increases as the transfer delay of the SAT-

We note that the existence of such an algorithm implies

token decreases. Since the Meta-Ring unlike token-ring

that we can cho ose an arbitrary numb er of these PFSM's

allows concurrent transmission, it has b een further shown

think of a PFSM as a blo ck of simple hardware, plug them

that when the SAT-token is used, the fairness and correct

together in a ring, and consequently obtain a correct token

op eration are preserved even during stabilizati on time, when

managementscheme. Augmenting the mechanism with a

there are several SAT-tokens in the system, as long as the

global time-out mechanism implemented indep endentl y at

token managementscheme is round-robin and fair.

each no de, gives a full practical solution to the problem.

1.7 Software-Based Self-Stabilization

In practice, if links are unit-capacity i.e., similar to [APV91],

then a handshake proto col for the control messages to detect a colli-

A recent set of results includin g general pro cedures for cen-

sion can b e implemented. Alternatively,ifwe assume an upp er b ound

tral fault-tolerance tasks, were designed in order to aug-

on the communication-delay for control-messages over a single link,

we can detect collision by using a lo cal time-out

ment network proto cols with self-stabilizati on capabilities

e.g., [KP90, AKY90, APV91, AV91]. These pro cedure

are not limited by space or by pro cessing and are therefore

3 The Algorithm token t and t meet on the ring, they execute a collision-

1 2

op eration. A collision b etween t and t consists of executing

1 2

In this section we rst present high-level ideas and then

the following op erations: If t and t have identical absolute

1 2

an exact formulation of an algorithm whichachieves self-

values jV t j = jV t j then the tokens ip an unbiased

1 2

stabilizin g round-robin token management on a bidirection al

coin to agree on a new, distinct value Lines A4, A5 while

ring. The algorithm will stabilize to a state in which ex-

maintaining their sign. In other words, they agree on new,

actly one token circulates in each direction of the ring. Any

up to the sign identical, fo otprints.

mechanism which will make use of this algorithm is free to

In the other case, where their absolute values are di erent

cho ose one of these tokens as its unique token with resp ect to

e.g. jV t j < jV t j, the token with the smaller absolute

1 2

the network-function asso ciated with it e.g. access-control.

value e.g. t is eliminated Line A2. The intuition b ehind

We call tokens circulating in one direction positive tokens

the collision -op erati on is the following: if two tokens have

and the token circulating in the opp osite direction negative

distinct values and these values originate from a previous

tokens.

collision, then there must b e more than one pair of tokens in

the system. If the absolute values are equal, we still cannot

b e sure that there is really just one pair, so wemust continue

3.1 Basic Ingredients

to check, i.e cho ose a new random value. Note that the ab ove

The following typ e of control messages are used:

is the only condition on which a token is eliminated and

thus the non-deadlo ckin g prop erty of the algorithm follows

Tokens: A token t is a constant-size message which car-

easily i.e. the last token in the system is never eliminated

ries a value V t 2f3;2;1;1;2;3g.Tokens which

intro ducing a deadlo ck as part of the op eration.

go clo ckwise always have a p ositivevalue and tokens

Now let us fo cus on the generation op eration: When a

which go counter-clo ckwise always have a negativevalue.

token t arrives at no de i and sees a fo otprint identical to its

When a token passes through a no de, it leaves a \fo ot-

own V t=Vi, it assumes that the fo otprintatnodei

print" of its value on this no de, overwriting any previous

was left b ehind by t itself. If this assumption is correct, this

\fo otprint".

implies that neither token t nor no de i has seen another to-

Prob es: A prob e p is also constant-size message, which

ken since t left i at its last visit. Thus t can conclude that it

travels through the no des, but it do es not leaveany

is the only token left in the system and generates a new to-

\fo otprints". Prob es also carry a value in

ken of opp osite sign. The idea of token-generation based on

f2; 1; 1; 2g and an additional enabled / disabled bit.

marking, has b een used by [Mis83 ] for unidirectio nal rings,

though his metho d is di erent and actually uses O log n

No des store \fo otprints" of passing-by tokens. When wesay

space.

that no de i has a certain \value" V iwe mean the value of

So far wehave describ ed the collision - and thus the elim-

its current \fo otprint".

ination - and the generation-op eration . Unfortunately this

Having intro duced the basic elements, we presentnow

is not enough to ensure convergence. To see why, consider a

high-level overview of the algorithm: We note that line

state in which all tokens travel in the same direction we call

numb ers used in this overview refer to lines in the co de-

such a state skewed. In such a state there are only p ositive

like description of the algorithm, which can b e found in the

or only negative tokens left; if each pair of neighb oring to-

subsection 3.4. As mentioned ab ove, the most basic op er-

kens leaves distinct fo otprints b ehind, neither a collision nor

ation of a no de i is to receive a token t, copy the value or

a generation will ever take place.

fo otprint of t into its own register V i:=Vt and for-

ward the token Lines B11 and B12. In order to make the

system self-stabilizin g we need to add at least the following

i+2

wo mechanisms: token-generation and token-elimination.It

t This is my own t that b oth of these op erations

should b e noted at this p oin footprint

use lo cal information only. As we will see later, this im-

plies that our decisions are not always optimal with resp ect

to the global state, but nevertheless, lo cal information will

ve sucient to ensure convergence. pro LEGEND: V(T1) = 2

+2 i+2−2

NODE −2 V(T2) = −2

TOKEN

PROBE V(T1) = 2 LEGEND: +2

NODE

+2 IMMINENT TOKEN GENERATION BY T1

oovercome this dicultyweintro duce \exploration"

TOKEN T

by a second kind of messages, called probes. As we will

wnow, prob es are used to explore the current state and, PROBE sho

if appropriate, turn around a token from p ositive to nega-

tive or vice versa. Prob es are always generated by tokens

\fathers" in pairs \siblings ". Siblings travel in opp o-

h other. A prob e traveling in the same IMMINENT COLLISION BETWEEN T1 and T2 WHICH WILL site directions to eac

GENERATE EITHER +/−1 OR +/−3 AT RANDOM.

direction as its father-token is called a forward-probe; anal-

ogously, a prob e traveling in the opp osite direction is called

In order to implement eliminati on, weintro duce the no-

a backward-probe.Now, every time a token susp ects that

tion of a token col lision.Every time a p ositive and a negative

the system is in a skewed state, it sends a forward- and

WLOG, the ring is oriented, with one direction lab eled \clo ck-

backward-prob e to \explore" the global situation. The con-

wise" and the other counter-clo ckwise. The self-stabilizing ring ori-

dition to send prob es is enabled when a token seeing fo ot-

entation in constant space was shown in [IJ90b].

prints values of a token of the same kind direction which will b e done by again using the simple observation mentioned

are larger in absolute values than its own. So, for exam- ab ove with resp ect to comparing values when erroneous

ple, a p ositive token t will send out prob es, if, up on arriv- backward-prob es and tokens collide. Thus we will b e able to

ing at some no de i, the condition V t

B6. A prob e p is basically carrying the value of its father system stabilizes to exactly one pair of tokens.

t V p=Vt and an enabled/di sabl ed bit initiall y en- Now, all wehave to add to make the algorithm complete

abled. are conditions, on which disabled prob e who do not havea

sibling-prob e anymore, can b e eliminated from the system.

Note that this task is facilitated by the fact that erroneous

Together, we have

vergence of the tokens. covered the whole decisions are not a ecting the con

ring

Away to view howweachieve progress towards conver-

gence given an initial global state is via the following basic

argument which can b e called a \sliding rule" argument.

Consider two copies of the same in nite sequence with one

LEGEND:

wo sequences preceded with n arbitrary bits.

+1 +1 of the t

Notice that without a pre x, if we lo ok at consecutive

bits of the the sequence, they will always match indicated

NODE

by dotted lines. Our goal is to achieve a \matched" state,

starting from another state which is not \matched". Es-

tially, the sliding argumentsays that if you \wiggle" the

+1 TOKEN sen

top pair at random i.e. if mismatched, kill at random one

hed bits and try again then eventually they

PROBE of the mismatc

will match. This is used to argue that given a global state h could p o-

+1 our algorithm will eliminate initial prob es whic

tentially b e a part of an initial state, and which \do not

match" any other prob es.

IMMINENT TURN OF A TOKEN

p has b een generated and p is enabled, After a prob e 0

1 1

one of the following twoevents will o ccur: i p meets or

ARBITRARY 1 1

en t which hasavalue of opp osite sign collides with a tok 1 PREFIX OF 0

0 SIZE n 0

V pV t < 0 or ii p collides with a prob e p which has 0 0

0 0

alue as p and p thus assumes that p is its sibling. the same v 0 1

1 0

p has obtained evidence i.e the to- In the rst case, 1 1 THE SAME

1 RANDOM

en t that the current state is not skewed and thus p will k 0 0 0 SEQUENCE

0 p b e disabled Lines D1-D2, E1-E2. In the second case, 1

0 1

y evidence that the current state is not

has not obtained an 1 1 0

0 0

ewed, so it will rely on the exp erience of p , since if p is sk 1 1 0

p's sibling, these two prob es have together covered indeed THE SAME 1 RANDOM 0

the whole ring. If b oth are still enabled, then the prob es SEQUENCE 1

t state is indeed skewed, and thus conclude that the curren 1

kward-prob e, whose next collision is with its father- the bac 0

token, will change the sign and direction of its father Line

F3. Otherwise, they conclude correctly, that the current

state still contains tokens of opp osite sign, and thus they h other Line F6.

eliminate eac The "Sliding" Rule

Note that from the arguments ab ove, it also immediately

3.2 How to Piece the Basic Op erations Together

follows that a no de is p ermitted to \lose" incoming prob es if

their numb er exceeds its constant-size bu er-space without

It can b e easily reconstructed how a lone token will generate

a ecting the correctness.

a token of opp osite sign. So we provide nowanintuition on

how the op erations describ ed ab ovework together to reduce

the numb er of tokens, if there are more tokens in the system

3.3 Formal Description of the Algorithm

than just one p ositive and one negative.

In the following we present the di erenttyp es of messages

Our main to ol whichwe are using b elowandanumber of

used in the algorithm:

times in the correctness arguments of the next section is the

following simple observation: Let r;v 2f1;2;3g. Let r be

positive tokens: circulating clo ckwise on the ring.

a random value and v either an arbitrary \initial" value

negative tokens: circulating counter-clo ckwise on the ring.

or another, indep endently obtained random value. Thus

probes: tokens can send out prob es to avoid getting stuck

Prr 6= v > 0. Thus in an in nite sequence of compar-

in an skewed state. A token will send out prob es in b oth

isons of two suchvalues we get a mismatch with probability

directions. A prob e circulating in the same direction as

its father-token is called a forward-probe, otherwise it is

Now, if in a collision, at least one of the token carries a

called a backward-probe.

value obtained in a previous collision and is thus random,

then exactly the comparison op eration describ ed ab ove will

Next we present the data-structures used by the algorithm.

b e executed and a token will b e eliminated if there is a mis-

V i: value of no de i 1 jVij 3.

match. Thus our strategy should b e to ensure that this kind

V t: value of token t 1 jVtj 3.

of collision is rep eatedly going to take place as long as the

system has not stabilized to one pair of tokens.

S t : bit indicatin g that token t is currently sending out

In order to show this wehavetomake sure that prob es

prob es.

which originate from an \initial' state or have b een pro duced

V p: value of prob e p. V p is comp osed of two in-

erroneously are not an obstacle by causing tokens to rep eat-

tegers: V p:v and V p:v 1 jVp:v j 2, 2

1 2 1

edly turn and thus preventing these useful collision s. This

jV p:v j 3 indicating resp ectively the value of prob e 2

forward-prob e p and backward-prob e p collide:

p's father-token and the value of the last no de the father-

1 2

F1: IF V p = Vp THEN

token had visited at the time p was generated.

1 2

F2: IF E p AND E p THEN

1 2

E p : bit indicating whether the prob e p is enabled.

F3: IF C p THEN C p :=TRUE;

1 2

C p : bit indicating: if p is backward-prob e then whether

eliminate p

it is ab out to turn its father; if p is forward-prob e then

F4: ELSE C p :=TRUE; eliminate p

1 2

whether it already has seen one matching backward-

F5: END;

prob e it needs to see two matching backward-prob es

F6: ELSE eliminate p and p

1 2

in order to decide to turn its father.

F7: END

F8: END

p ositive token t and negative token t collide:

1 2

A1: IF jV t j6= jVt j THEN

1 2

Note that we make use of a function RANDOMS which

A2: eliminate token with smaller

returns a random value drawn from from the set S .We will

absolute value

only use it for sets of size 2.

A3: ELSE

A4: V t := RANDOMf1; 2; 3g fV t g;

1 1

A5: V t := Vt

2 1

4 Analysis

A6: END;

A7: S t :=FALSE; S t :=FALSE;

1 2

In this section we give a formal correctness-pro of of the

round-robin token managementscheme provided in the pre-

No de i receives p ositive token t :

vious sections.

B1: IF V i= Vt THEN

Theorem: MAIN There is a randomized self-stabilizing al-

B2: generate token t * negative *;

gorithm for fair round-robin token management on an asyn-

B3: V t:= Vt+1;

chronous bidirectional ring of oblivious name-less nite au-

B4: V t :=Vt

tomata pro cessors, using constant size bu ers and messages,

B5: S t:=FALSE; S t :=FALSE

starting from an arbitrary non-deadlo cked state.

B6: ELSIF V t

* t follows a larger-value p os. token *

Since the pro of will b e quite involved, we will precede

B7: send forward-prob e p and

its presentation with a subsection intro ducing all necessary

backward-prob e p with

de nitions and a subsection giving an overview of the pro of.

V p :v = V p :v = V t

1 1 2 1

and V p :v = V p :v = V i

1 2 2 2

4.1 De nitions

B8: S t:=TRUE

B9: ELSE S t:=FALSE

We start with de ning a global state of the system and the

B10: END

transitions among those global states. A global state is ba-

B11: V i:= Vt;

sically the value of each no de, the value of each token and

B12: send p ositive token t

the relative p osition of the tokens among each other on the

and negative token if one newly generated

ring. A transition from a state to its successor-state consists

either of a collision among two tokens, or a turn of a token,

No de i receives negative token t :

or a generation of a token. Further we de ne a lo cal state

symmetric to the receipt of a p ositive token

of a ring segment with resp ect to the prob es present on it.

Note that prob es are \invisibl e" in the global state. One

No de i receives forward-prob e p:

can think of a lo cal state as putting a magnifying glass on a

C1: send prob e p

segment of the ring.

No de i receives backward-prob e p:

De nition 1 local and global state, state-transition, seg-

D1: IF V iV p:v < 0 AND E p THEN

ment

D2: E p:=FALSE

D3: END

1. The global state of the system is de ned as:

D4: send prob e p

for each token t its value V t.

Token t and prob e p collide:

the relative p osition of the tokens on the ring.

E1: IF V tV p:v < 0 THEN

for each no de i its value V i.

* p is a forward-prob e *

E2: IF E p THEN E p:=FALSE

2. global state transition from state s to state s is de-

E3: ELSE eliminate p

0 0

ned bya successor function S : s = S s where s

E4: END

results from s by applying one of the following transi-

E5 ELSE * p is a backward-prob e *

tions: fcollision, turn, generationg See previous section

E6: IF :E p THEN

for a detailed description of these transitions. Let S s

eliminate p

b e the j th successorof s.

E7: ELSIF E p AND C p THEN

E8: IF V p:v = V t AND S t THEN

3. jsj denotes the numb er of token in state s.

E9: turn t;

E10: V t:=Vp:v ;

4. A sequence of no des starting at some no de i and ending

E11: S t:=FALSE

at some no de j , such that V i=Vi+1 = :: : = V j

E12: END;

is called a segment of value V =Vi.We will say

E13: eliminate p

that a token oraprob e is on segment , ifitisona node

E14: END

k; i k j or if it is on a link l; l +1;il

E15: END

We will use the symb ol t alternatively for the token itself

or the segment the token t is creating.

5. The local state of a segment in a global state s is de ned as:

its value V . De nition 5 block

Wesay that a segment has the predicate block in state s, i.e.

for each prob es p on its value V p and its p osition.

Let f s b s denote the set of enabled forward- blo ck , s if all prob es in b s have identical values.

prob es backward-prob es on .

De nition 6 state as a sequenceofpairs

In terms of the ab ove de nition we can now de ne the

If for state s covers holds, then we can view s alternatively

correctness condition that any round-robin token manage-

as a sequence of pair of numb ers. Every pair represents one

mentscheme must follow:

token and the segment it is traveling on through its token-

comp onent and segment-component.

De nition 2 correctness

For example the following cover corresp onds to the sequence

Foranarbitrary state s with jsj1 there are in nitely many

s =t1;s1t2;st3;s2t4;s2:

successor-states and, in particular, there is a state S s, such

l l

that jS sj =2and such that every state S s; l >l 2

T1 S1 T2T3 S2 T4

results from a collision of two tokens with identical absolute

value.

Since \initiall y" wehave no control over the values stored

in the no des or on the tokens, we will de ne now a predicate

4.2 Overview of the Pro of

over states, which will indicate that, although the system

may not have stabilized yet and indeed mighthave more

The pro of will b e structured as follows: For every state s

tokens than \initiall y", wehave reached a certain level of

with s 1we de ne a subgoal and show that this subgoal

order in the system. Intuitively, this means that every no de

will indeed b e reached. For every p ossible sequence of these

has at least seen one token and thus the neighb orho o d of

subgoals, the last one is always to reach stability. Thus

a token cannot any longer b e b e in uenced by the \initial"

if the algorithm reaches for each state the desired subgoal,

state.

correctness is assured. The following is now a list of di erent

states and their subgoals:

De nition 3 cover

Wesay that a state s has the predicate cover, i.e. covers if:

1. For a state s with jsj1 and :cov ers the subgoal

jsj 2.

is to show that there is a successor state S s for

the ring is a concatenation of segments, such that the seg-

which cov er S s. Note that it is very well p ossi-

ment b oundaries are exactly the tokens and a subset of their

ble that jS sj > jsj and thus at rst glance, the

previous collision-points. Below, we enumerate rst all p os-

successor- state seems to b e farther away from our ul-

sible neighb orho o ds to the left of a p ositive token t and

timate goal. However, the predicate cover implies that

then to the right of t \", \" denote tokens and their

wehave reached a higher level of order in the system,

direction, \ " denote previous collision-p oints. s's de-

since as so on as cover holds, no generation-transitio n

note segments and ts denote tokens and the segment they

can take place anymore and cover is a stable predicate.

are creating. Tokens traveling from left to right are p osi-

Thus it guarantees that the system do es not moveaway

tive tokens and thus their value is always p ositive. Tokens

anymore from its goal-state by generating additional

traveling from right to left are negative tokens and carry a

tokens. Another imp ortant fact is that any state with

negative value.

acover has a successor-state. If the state is skewed,

y holds thanks to our prob es-scheme. S1 T2 T this prop ert

2. For a state s with cov er s; jsj > 2; oddjsj the sub- l

T3 S2 T 2

w that there is a successor state S s

2) goal is to sho

l l

2 2

such that either jS sj < jsj or PrjS j < jsj > 0.

e part of our goal holds, then we T4 T If the rst disjunctiv

have made direct progress towards the goal state, oth-

erwise, wemust have at least reached a state in which

The values in the ab ove scenarios are constrained as fol-

we could have made progress, i.e. there was a nonzero

lows: jV t2j = jV tj; jV s1j6= jVtj; jVs2j =

probability to reduce the numb er of tokens in the tran-

jV tj;Vs2 < 0; jV t3j6= jVs2j;Vt4 6= V t.

sition to this state. This probabili ty follows from the

fact that in a state with an o dd numb er of tokens, there

T S1S2 T2 will b e always at least one token which collides consec-

utively with at least two other tokens. Since in the rst

collision , it picked up a random value indep endentof

T S3 T3 ws.

2) the rest of the system, the subgoal follo

3. For a state s with cov er s; jsj > 2;evens, the sub-

In addition to the ab ove two cases, the right neighb orhood

l l

3 3

goal is to show that either jS sj < jsj or Pr jS sj

of token T can also b e like a left neighb orho o d of another

< jsj > 0 or that there is a pair of tokens t ;t ofthe

1 2

p ositive token i.e. see the three cases in the previous pic-

following form t ; t ; such that Prbl ock ,

1 1 2 2 2

ture.

s > 0. Thus in the case in which there is an S

The values in the ab ove scenarios are constrained as fol-

even numb er of tokens we restrict ourselves to an even

lows: jV s1j6=jVtj;Vs1 < 0;Vs2 = V s1;

more mo dest goal. This is necessary since tokens can

jV t2j6= jVs2j; jV s3j6=jVtj; jVt3j6= jVs3j.

at least temp orarily form pairs, such that every to-

The cases for a negative token are symmetric.

ken only collide with its partner and then turns and

rep eats this cycle. However note that in order to turn,

We conclude this section with the following sequence of

a token needs to b e supplied with prob es. If nowa

simple de nitions:

block of prob es is on the adjacent segmentofatoken,

De nition 4 fragment then the token, which carries a random value indep en-

A fragment is a largest concatenation of segments, such that dent of the rest of the system has a nonzero probabili ty

the structural requirement of a cover is still ful lled and at least to mismatch these prob es and thus will break out of

one token is present on this part of the ring. its lo cal cycle.

4. For a state s with jsj =2; cov er s, the subgoal is condition on Line D1 in algorithm. Thus eventually there

to show that the left-over prob es will eventually b e will b e one such segment emptyofbackward-prob es. And

removed from the the system. This task is considerably the next time a token travels on , it will not turn and thus it

simpli ed by the fact that as long as the system is in will enlarge its fragment, which contradicts our assumption.

a state with more than two tokens, we are allowed to If a state is reached with a single fragment spanning the

make \mistakes" with resp ect to this task, since we whole ring and just one token is alive, then after at most one

have shown convergence to a state with two tokens for round a second token will b e generated compare condition

arbitrary con gurations of prob es.

on line B1 and thus a cover will have b een reached.

5. For a state s with s =t ; t ; , we show that if

1 1 2 2

The next few lemmas show that the cover-predicate is

there are no left-over prob es, wehave reached stability.

stable and well-de ned with resp ect to the successor-function.

We also show that no generation can take place in a state in

The rest of the pro of is basically to tie all the ab ove

the cover-predicate holds.

subgoals together to show that in an in nite sequence of

Lemma 3 Every state s,for which covers, has a successor-

states, the probabili ty is 1 that the desired stable state is

state.

reached.

Pro of:

4.3 Correctness Pro of

s is skewed: If no transition takes place then eventually

In order to prove our main theorem, we will intro duce a series

s =t; t ; :::t ; , where V t are either

1 1 2 2 i

jsj jsj

of lemmas. The rst lemma addresses the non-deadlo cking

all p ositive or all negative and = t .Thus, for at

i i+1

prop erty of the algorithm:

least one token t the condition to send out prob es Line

B7 or symmetric case will b e true every time it visits a

Lemma 1 For every state s for which jsj 1:8l>0:

no de. t sends forward-prob es on and backward-pros

i i

sj 1. jS

on t . Given the structure of s, these prob es cannot b e

disabled i.e. conditions on lines D1, C1, and E1 cannot

Pro of: The only condition on which a token is eliminated is

b ecome true. Thus there will b e at least one segment

the collision of two tokens Line A1 in the algorithm. Thus

, on which there is at least one forward-prob e which

every time a token is eliminated another token is surviving.

matches t 's backward-prob es and thus there will b e a

successor-state of s, resulting from a turn-transition of

token t .

The following lemma proves that we reach our rst sub-

s is not skewed and consequently there is a fragment

goal, a state s for which cov er s:

t ; t ; , where V t > 0;Vt<0. Thus a

1 1 2 2 1 2

turn-transition or a collisio n-transi ti on is imminent.

Lemma 2 For every state s,for which jsj 1, there exists a

nite l>0 such that coverS s.

Pro of: First we need to show that every state s, for which

Lemma 4 For every state s for which covers: jS sj jsj.

:cov ers, has a successor-state: i s is skewed, jsj 2:

Assume that no transition takes places. Then eventually

Pro of: By de nition of a cover, the only condition on which

s =t; t ; :: :t ; , where V t are either all

1 1 2 2 i

jsj jsj

the algorithm generates a new token Line B1 in the algo-

p ositive or all negative and = t .Thus, as it can b e

i i+1

rithm cannot b e enabled in s.

easily seen: cov ers. ii s is not skewed, jsj 2: there

are always two opp osite tokens facing each other with no

other token in b etween. Thus either a turn- or a collision -

Lemma 5 For every state s for which covers: coverS s.

transition is imminent. iii jsj = 1: if the token do es not

Pro of: By Lemma 4, there is no generation-transiti on lead-

turn, then a generation-transition will take place after at

ing out of s. As it can b e easily veri ed, every p ossible turn-

most one round.

transition and, given that jsj > 2, every p ossible collision-

Consider a link i; i + 1 as a pair of values of its end-no des

transition preserves the cover see Lines A1-A6, B2-B4, E9-

V i;V i + 1 together with the values of tokens which

E10. Also, if jsj = 2 and covers, then, by de nition of a

might b e in transit on this link. Based on this information,

cover, all collisions will take place b etween tokens of equal

we can decide for every link whether it could b e a part of a

fragment, i.e. the link is consistent.

absolute value.

First note that if a token has crossed a link and up dated

the value of the destination-no de, the link will b ecome con-

Lemma 6 For every state s,for which covers, there exists

sistent. Thus, a token can enlarge a fragmentby crossing the

a nite l>0such that S s results from a collision-transition.

rst inconsistent link outside of its fragment. In that case,

wesay that the token is at the border of its fragment. Fur-

Pro of: By Lemma 3 wehave always a \next" transition,

ther, every generation-, collision-, and turn-transition pre-

and by Lemma 4 there is no generation-transitio n. If all

serves the fragment in which or at whose b order it o ccurs

successor-states of s were results of turn-transitions, then

see Lines A1-A6, B2-B4, E9-E10. Hence the consistency

the sum of the values of all tokens would steadily increase.

of a link is a stable prop erty.

Since this sum is b ounded, this is not p ossible.

It remains to show that eventually every link will b e

crossed by a token and that at least two tokens will b e

present: By Lemma 1 all successor-states have at least one

Lemma 7 Starting in any state s for which cov er s,notoken

token and thus at least one fragment. Assume that there

will b e in twoormore consecutive turn-transitions.

is no successor-state of s, such that a given link has b een

Pro of: After a token t has b een in a turn-transition, its

crossed by a token. Then there must b e a state from which

absolute value jV tj has b een increased. Furthermore its

on no fragment grows. This implies in turn that there must

is traveling on a segment whose value is t's old value and

b e in nitely many turns on b oth ends of every fragment. Ev-

thus as long as it is on this segment, t will not turn again.

ery turn consumes two prob es. But every gap b etween two

t can leave this segment only through a collision-trans iti on.

fragments contains at least one no de such that backward-

prob es, which are needed for a turn, cannot cross the gap in

The lemma follows. at least one direction without b ecoming disabled compare

Lemma 8 For every state s,for which covers, and for every by a token. Thus t must have b een involved in two consec-

utive collisions . Nowwe can use Lemma 9 and we are done.

token t in s, there exists a nite l > 0 such that S s results

from a collision-transition involving token t.

Pro of: By induction on jsj:

De nition 7 partner, pair,local cycle, neighbor

Basis: jsj = 2: follows immediately from Lemma 6.

Starting in some state s for which cov ers, ev enjsj, jsj >

Hyp othesis: jsj = n.

2 we call two tokens involved in their rst collision partners

Step: jsj = n + 1. Assume that token t will never b e

with resp ect to state s, and the function partner t yields

involved in a collision -transi tio n. Then by Lemma 7, t

the partner of token t with resp ect to state s. By Lemma 8

can b e involved in only one turn-transition. Thus token

this function is well de ned. Both partners together form a

t will b e neither in a turn-transition nor in a collision -

pair.

transition for arbitrary many successor-states. By de -

A local cycle of a pair is a sequence of the three transitions

nition of a cover, token t will thus eventually b e in the

which brings b oth tokens back to the same relative p osition:

following fragment: t; t ; where V t and are

1 2 1

Each token is involved in a turn-transition and in a collision-

either b oth p ositive or b oth negative and t = .Now,

transition with its partner. Note that if b oth tokens started

0 0

if t turns, then t is in a collisio n. If t is in a collision

out with the same value, this is exactly the scenario for

where one token is eliminated, then we can apply the

which the probability of decreasing the numb er of tokens is

hyp othesis. If no token eliminated then t is in collisio n.

zero Lemma 9.

Thus t is neither in a turn-transition nor in a collision -

The two tokens on the left and on the right which might

transition. Thus it will eventually b e in a analogous

coincide of a pair are called neighbors of that pair.

fragmentast. Then we can lo ok at t right neighb or etc.

Finally we will get a contradiction with Lemma 3 and

The next few lemmas provide useful facts ab out pairs of

thus our assumption that t will never b e involved in a

tokens and the lo cal state of adjacent segments:

collisio n-transi ti on was wrong.

Lemma 11 Let s b e a state, such that cov er s; jsj > 2;

ev enjsj.Ifinsthe neighb ors of a pair are not a pair, or

The next lemma shows that any token whichisinvolved

if a pair do es not corresp ond to one of the following frag-

in at least two consecutive collisio ns creates a nonzero prob-

ments, then exists a nite l>0, such that jS sj < jsj _

ability that a token will b e eliminated:

PrjS sj < jsj > 0.For any pair the fragment lo oks like:

t; par tner t; with the following restrictions:

1 2

Lemma 9 The following two statements concern probabilistic

elimination of tokens and hold in any state s with cov ers:

1. V t > 0, V par tner t < 0, jV tj = jV par tner tj,

s s

= * ab out to collide *

1 2

1. if, starting in state s, there is at least one token which

consecutively collides with at least two opp osite tokens

2. V t < 0, V par tner t > 0, jV tj = jV par tner tj

s s

let S s b e the state right after the second collision,

* right after collision *

then PrjS sj < jsj > 0.

3. V t > 0, V par tner t > 0, jV tj > jV par tner tj,

s s

jV j = jV tj * b oth in p os dir *

2. if PrjS sj < jsj= 0, then every token collided with

at most one opp osite token in all transitions leading from

4. V t < 0, V par tner t < 0, jV tj < jV par tner tj,

s s

s to S s.

jV j = jV par tner tj * b oth in neg dir *

Pro of: 1 The value the token carries after the rst colli-

Pro of: If the neighb ors are not a pair, a similar argument

sion is random and indep endentofany other value in the sys-

as in the pro of of Lemma 10 shows that a token must b e

tem. Thus there is a nonzero probability that at the second

involved in two consecutive collisions. If a pair is not in one

collision the tokens carry distinct absolute values and conse-

of the scenarios ab ove, a collision-tran siti on with an elimi-

quently there is a nonzero probability that one of the tokens

nation is imminent.

involved in the collisio n will b e eliminated see Lines A1-A2.

In addition, no new tokens are generated by Lemma 4. 2

follows from the contrap osition of 1 and Lemma 7. Note

Lemma 12 If in state s covers, jsj > 2, ev enjsj, a

that a token needs to turn at least once b etween anytwo

pair is in the following form: t; par tner t; , where

1 2

collision s to ensure that Pr: = 0, and by Lemma 7 a token

jV tj = jV par tner tj;Vt<0;Vpar tner t > 0

s s

can turn at most once.

and V < 0, then for every prob e p 2 b s the value V p

is mutually indep endent from V t.

The next lemma shows that our second subgoal will b e

reached:

swe can conclude that Pro of: For every prob e p 2 b

token t cannot have pro duced p since its last collision . The

Lemma 10 For every state s with o ddjsj and covers, ex-

l l

lemma follows now since the value V t is random and mu-

ists a nite l>0, such that jS sj < jsj _ PrjS sj <

tually indep endent from every other value in the system.

jsj > 0.

Pro of: By Lemma 8 every token t presentinswill b e even-

tually involved in a collision -transi tio n with another token t .

Lemma 13 If in state s covers, jsj > 2, ev enjsj, a If one of these tokens is eliminated then we are done. Other-

pair is in the following form: t; par tner t; , where wise the fragment of these two tokens right after the collision

1 2

jV tj = jV par tner tj;Vt<0;Vpar tner t > 0 lo oks as follows: t; t ; , where V t;V < 0 and

1 2 2

s s

and for at least one of t or par tner t, the next transition

V t ;V > 0. Since the numb er of tokens in s is o dd,

is not a turn, then exists a nite l>0, such that jS sj <

there will b e a token t which after its rst collision with t will

00 00 0

be involved in a collision with a di erent token t ; t 6= t .

jsj _ PrjS sj < jsj > 0.

By Lemma 7, there cannot b e two or more consecutive turns

Pro of: Assume wlog that t's next transition is not a turn. probability that there will b e an elimination in the subse-

By Lemma 8 every token will b e involved in a collisio n lead- quent collision second in a row are indep endent, we are

ing into a successor-state and thus every token is involved

done.

in a future transition. From this follows that t will b e in-

The last few lemmas concern the last two subgoals, i.e.states

volved in a future transition and the only transition which

with two tokens:

is p ossible is a collision . If the other token involved in this

particular transition is not par tner t then we can apply

Lemma 16 for every state s with cov er s; jsj =2, there a -

Lemma 9, if this token is indeed par tner t, then, since

nite l > 0, such that S s = t ; t ; , where

1 1 2 2

jsj > 2, par tner tmust have b een in at least two consec-

V t ;V>0;Vt;V < 0 and V t

1 2 2 1 1 2

utive collisions , and thus we can also apply Lemma 9 with

resp ect to par tner t.

Pro of: Lemma 6 guarantees that there will b e always a

state s as describ ed ab ove except mayb e for the condition

The next lemma show that our third subgoal is reached:

V t

1 2

simply following the algorithm, we can conclude that the

Lemma 14 If the system is in state s, covers, jsj > 2,

0 2 0

full condition holds in either S s orS s.

ev enjsj, and a pair is in the following form:

t; par tner t; , where

1 2

jV tj = jV par tner tj; V t < 0

Lemma 17 If there are no enabled prob es in a state s of the s

;Vpar tner t > 0 and V < 0;V>0, then exists

1 2

form of Lemma 16, then the system has reached stability. s

l l

a nite l>0, such that either jS sj < jsj _ PrjS sj <

Pro of: Rememb er that s =t; t ; , where V t ,

1 1 2 2 1

jsj > 0 or Prbl ock ;s > 0.

V > 0;Vt;V < 0 and V t

2 2 1 1 2

wlog that just b efore the next transition s =t ; t ; .

1 2 2 2

Pro of: If either t's or par tner t's next transition is not a

Thus t is sending out prob es S t = TRUE. All of these

1 1

turn then we can apply Lemma 13. Otherwise the transitions

s and all of its backward-prob es forward-prob es are in f

of t and par tner t form a lo cal cycle. In order to maintain

are in b s. Following the algorithm, we get

this cycle b oth tokens must continuously turn and thus use

1 2

S s=t; t ; , where V > 0;V < 0. For

prob es in jb sj and jb sj.

2 3 1 4 3 4

s the conditions on Line E1 2 all prob es whichwere in f

So let us consider how jb S sj can change for k>

and E2 b ecame true b efore the transition and thus have b een

0: First note that also the neighb ors will form a lo cal cy-

disabled. All these forward-prob es are nowon . All en-

cle otherwise we can again invoke Lemma 13. This im-

abled backward-prob es are nowinb Ss. Thus b efore

plies that there will b e always new \incarnations" of

k the next transition, all backwards-prob es will have b een in

with initially jb S sj = 0. Note that all prob es enter-

a collisi on with a disabled forward-prob e and thus b e elim-

ing are either generated by the neighb or, or else passed

inated. Also, all disabled forward-prob es whichhave not

through the neighb ors which form the following fragment:

0 0 0 b een in a collision with two backward-prob es, will b e elim-

by Lemma 11, Scenario 3: t ; par tner t ; V t >

3 4

0 0 inated b efore system enters state S s condition on Line

0;V par tner t > 0; = par tner t ;V = Vt. In

3 4

s s

E3 in the algorithm is enabled on the collision of t with t .

2 1

order to pass through this fragment, the incoming backwards-

prob es must mismatch all prob es in f s all of which orig-

inated at token par tner t . If incoming backwards-prob es

originated with par tner t then they obviously match, oth-

Lemma 18 For every state as in the form of Lemma 16, the

erwise they match with nonzero probabili ty, since the forward-

numb er of enabled prob es is not larger than the previous time

prob e carries a random value indep endent of the value of the

the state of the system was of this form. There is a nonzero

backward-prob e By Lemma 12. Now if the rst incoming

probability that the numb er is strictly smaller.

prob e matches, only prob es generated by par tner t will

t t t t

1 1 2 2

Pro of: Trivially, jb sj = jf sj = jb sj = jf sj =

be on par tner t and consequently on .Thus for some

0. Wlog let us assume that just b efore the next transition l

nite l>0: Prbl ock ;s > 0, or, in other words, the

s. If b efore s =t ; t ; . Thus we concentrate on b

1 2 2 2

neighb oring pair acts as a probabilistic lter with resp ect to

t reached , jb sj6= 0, then there is a nonzero probabil-

1 2

incoming backwards-prob es.

ity that some of these prob es will match t 's prob es since

Note that if there are any disabled prob es on which

is V t is random and indep endent. Thus, assume that k

matchany of the enabled prob es, then they will merely elimi-

1 k jb sj prob es match and that l is the number

nate the enabled prob e and thus not interfere with the blo ck-

of prob es t is going send out b efore it turns. Then if k>l

predicate.

there will b e at most k l enabled prob es left in the next

state of the form of Lemma 16. If l

prob es will b e left by simply following the algorithm.

Lemma 15 For every state s cov ers; jsj > 2;evens, ex-

ists a nite l > 0, such that either jS sj < jsj_

Lemma 19 The lifetime of a disabled prob e is nite.

PrjS sj < jsj > 0.

Pro of: Just follow algorithm.

Pro of: By Lemma 8, there is a successor-state in whicha

pair is guaranteed to b e in the following scenario i.e. right

Wenow get to our main theorem which ties all the pre-

after a collision: t; par tner t; ,

1 2

vious lemmas together and show the correctness of our algo-

where jV tj = jV par tner tj; V t < 0;

rithm:

V par tner t > 0 and V < 0;V >0. By Lemma 14,

1 2

l l

if :jS sj < jsj _ PrjS sj < jsj > 0 then there is a

Theorem 1 Correctness There is a randomized self-

nonzero probability that there is a blo ck on at least one of

stabilizing algorithm for fair round-robin token management

or . By Lemma 12 the value of the blo ck is indep endentof

on an asynchronous bidirectional ring of oblivious name-less

the token's value. Thus there is a nonzero probabili ty that

nite automata pro cessors, using constant size bu ers and mes-

the blo ck has a di erentvalue than the token and thus the

sages, starting from an arbitrary non-deadlo cked state. Further-

next transition of the token is not a turn. Using Lemma 13

more, the lifetime of any control-signal, except for one pair of

and noting that the probabili ty for a blo ckon and the

a p ositive and a negative token, is nite.

Pro of: The following chain of arguments proves that start- 1. Create a leader if no leader exists:

ing the system in an arbitrary state s, jsj > 0 will lead

IF b oth tokens have not seen a leader since the last

l l

with probabili ty = 1 to a stable state S s with jS sj =2

collision THEN generate a leader; set the state of the

l 0:

tokens to 1, 2.

l l

1 1

By Lemma 2, cov er S s for a nite l .IfjS sj>2,

2. It was ok in the previous \cycle", lets check again:

then by Lemma 10 and Lemma 15 there exists a nite l ,

l l l l

2 1 2 1

IF the sum of leaders seen by b oth tokens since the

such that jS sj < jS sj_PrjS sj < jS sj > 0.

k l

1 last collision is exactly one THEN set the state of the

Also, by Lemma 4 and by Lemma 5, jS sj jS sj;8k>

tokens to 1,1.

l . Supp ose nowwehave an in nite sequence of states such

m l

that jS sj = jS sj 8m 0. The numb er of di erent

3. Something could b e wrong, lets clean the whole ring:

states in the system is nite. So some state s for which

IF the sum of leaders seen by b oth tokens since the last

jPrjSs j < jsj > 0 is visited in nitely often. Therefore

collision is larger than one THEN generate a leader; set

the probabili ty of the computation wehave supp osed is zero.

the state of the tokens to 4,4 cleaning mo de.

This argument can b e rep eated until for some l wehave:

jS sj = 2. By Lemma 17,Lemma 16 and an argument

4. We eliminated at least one leader, lets check the state:

similar to the ab ove, there is nowanl for which S sis

IF at least one token is eliminating THEN set the state

stable. Using Lemma 19 together with the argumentabove,

of the tokens to 1,1.

we can conclude that the lifetime of every signal except for

We stress that the ab ove solution provides us with unique

one p ositive and one negative token is indeed nite.

leader with essentially the same stabilizati on time as the

underlying problem of self-stabilizin g token scheme.

In this extended abstract we only give an outline of high-

5 Stabilization Time

level steps of the correctness Pro of. Let s b e the state leading

into a collisio n. When the round-robin token management

The stabilization time is the time-interval starting at the end

has stabilized and every token has already b een in at least

of the last transient fault and ending when the system has

one collisi on, then in every subsequent collisi on the tokens

reached a legal state.

can make accurate conclusions ab out the value Lsasit

was right after the system entered state s. In fact, we can

Theorem 2 The exp ected worst-case stabilization time of the

reduce self-stabilizi ng token management to self-stabilizin g

token management scheme is p olynomial in the actual size of

leader election, thus establishing:

the ring.

Theorem 3 Equivalence Given either self-stabilizing leader

We p ostp one the pro of until the nal version, it involves

election or self-stabilizing round-robin token management al-

analysis of the time to get rid of the initial unmatched sys-

gorithm with p olynomial time stabilization, there exists a p oly-

tem's elements, and analysis of convergence of a \clean" sys-

nomial time self-stabilizing algorithm for the other problem on

tem.

an asynchronous bidirectional ring of oblivious nite automata

pro cessors and constant size messages.

6 Symmetry Breaking

7 Unidirectional Case

Symmetry breaking is an imp ortant pro cedure in many par-

allel and distributed computing scenarios see e.g. [AAHK86,

We assume now a uni-directional ring with asynchronous

AB89, AN90, Ang80, ASW85 , CV86, Dij74 , It90, IR81, FL84 ,

links and show that it is very much di erent from by- di-

FS86 , PKR82 , RL81, STT89, SS89 , V84] In this section we

rectional case. As was mentioned in the intro duction, the

demonstrate a reduction from the problem of self-stabilizi ng

following randomized solution is p ossible: every token ips

leader-election breaking symmetry among the ring pro ces-

a coin and either stays for the duration of the software clo ck-

sors to the round-robin token management.

tickoradvances. When two tokens meet, one is eliminated.

Since we assume that the no des in the ring are identical,

Notice that this solution achieves round-robin prop erty i.e.

the task of electing a unique leader and thus breaking the

tokens do travel in a cycle however the scheme is not fair:

symmetry of the ring is an imp ortant task which will serve

the token has an exp ected delayevery two consecutive steps.

as a building blo ck for other applicati ons. First we need the

Thus, the solution is not ecient i.e. for the hardware im-

following de nition:

plementation, where the symbol must travel without delays,

De nition 8 Leader

nevertheless, it is interesting that there is a randomized

We augment every no de i with one bit l s indicating that in

non-deadlo cking token management algorithm on an asyn-

chronous unknown but b ounded link delay unidirectional

state s no de i claims to b e the leader. Let Ls= l s.

i=1

ring of oblivious nite automata pro cessors, using constant

The obvious goal of electing a leader is, starting in a

size messages.

state s with arbitrary Lstoconverge to a state s where

Even though token management in a uni-direction al case

Ls = 1 and where the lo cation of the leader eventually

is p ossible, leader election is not p ossible. That is, in the

remains xed. This is in fact what weachieve, given a by-

full version of the pap er we show that there is no random-

directional round-robin token managementscheme as a sub-

ized leader election algorithm on an asynchronous b ounded

routine. That is, we use the round-robin token management

delay unidirectional ring of oblivious nite automata pro ces-

as a basic buildin g blo ck for leader election, such that once

sors, using constant size messages. We p ostp one the details

tokens have reached a stable state, exactly one stationary

to the nal version.

leader will b e elected. We use collisions as a way to make

conclusions ab out the currentvalue of L. The following is

a high- level description of our approach: Every token car-

Acknowledgments

ries an additional state indicating whether it has seen 1 no

leader, 2 exactly one leader, or 3 more than one leader

We are happy to thank Yehuda Afek, BaruchAwerbuch,

since its last collision , 4 the token is eliminati ng all lead-

Amotz Bar-Noy, Shay Kutten, Sergio Ra jsbaum, and Baruch

ers it visits until its next collision. Thus, on a collision the

Schieb er for helpful discussions.

following actions will b e carried out:

References [IR81] A. Itai and M. Rodeh, Symmetry breaking in distributive

networks, Proc. 22nd IEEE Symp. on Foundations of

[AAHK86] Abrahamson, Adler, Higham, and Kirkpatrick, Proba-

Computer Science 1981, 150{159.

bilistic solitude veri cation on a ring. Proc. 5th ACM

[It90] A. Itai, On the p ower needed to elect a leader Proc. 4th

Symp. on Principles of Distributed. Computing 1986.

International Workshop on DistributedAlgorithms, Lec-

[AB89] Y. Afek and G.M. Brown, Self-stabilization over unre-

ture Notes in Computer Science,Vol 486, Springer-

liable communication media, manuscript. Previous ver-

Verlag, New York, 1989, 29{40.

sion app eared as: Self-stabilization of the alternating-bit

[KP90] S. Katz and K.J. Perry, Self-stabilizing extensions for

proto col, Proc. 8th IEEE Symp. on Reliable Distributed

message-passing systems, Proc. 9th ACM Symp. on Prin-

Systems 1989, 10{12.

ciples of Distributed. Computing 1990, 91{101.

[AKY90] Y. Afek, S. Kutten, and M. Yung, Memory-ecient self-

[LTG90] A. A. Lazar, A. T. Temple and R. Gidron,MAGNET

stabilization on general networks, Proc. 4th International

I I: A metrop olitan area network based on asynchronous

Workshop on DistributedAlgorithms, Lecture Notes in

time sharing, IEEE J. on SelectedAreas in Comm., 88,

Computer Science,Vol 486, Springer-Verlag, New York,

1990, 1582{1594.

1989, 12{28.

[LL90] L. Lamport and N.A. Lynch, Distributed computing mo d-

[AN90] N. Alon and M. Naor, Coin- ipping games immune

els and metho ds, Handbook on Theoretical Computer

against linear-sized coalition, Proc. 31st IEEE Symp. on

Science, North-Holland, 1990, 1159{1199.

Foundations of Computer Science 1990, 46{54.

[MZ86] Y. Mansour and S. Zaks, On the bit complexity of dis-

[Ang80] D. Angluin, Lo cal and global prop erties in networks of

tributed computations in a ring with a leader, Proc. 5th

pro cessors, Proc. 12th ACM Symp. on Theory of Com-

ACM Symp. on Principles of Distributed. Computing

puting 1980, 82{93.

1986, 131{140.

[ASW85] C. Attiya, M. Snir and M. Warmuth, Computing on an

[Mis83] J. Misra, Detecting termination of distributed computa-

anonymous ring, Proc. 4th ACM Symp. on Principles of

tions using markers, Proc. 2nd ACM Symp. on Princi-

Distributed. Computing 1985, 196{203. see also: Jour-

ples of Distributed. Computing 1983, 290{294.

nal of the ACM 354 1988, 845{875.

[OMS89] H. Ohnishi, N. Morita, and S. Suzuki,ATM ring proto col

[APV91] B. Awerbuch, B. Patt, and G. Varghese, Self-

and p erformance, Proc. ICC'89, 13.1, 1989, 394{398.

stabilization by lo cal checking and correction Proc. 33nd

IEEE Symp. on Foundations of Computer Science

[OY90] Y. Ofek and M. Yung, Principles for high-sp eed network

1991, 268{277.

control Proc. 9th ACM Symp. on Principles of Dis-

tributed. Computing, 1990.

[AV91] B. Awerbuch, and G. Varghese, Distributed program

checking: a paradigm for building self-stabilizing dis-

[PKR82] J. Pachl, E. Korach and D. Rotem, A technique for prov-

tributed proto cols, Proc. 33nd IEEE Symp. on Foun-

ing lower b ounds for distributed maximum- nding algo-

dations of Computer Science 1991, 258{267.

rithms, Proc. 14th ACM Symp. on Theory of Computing

1982, 378{382.

[BGW89] G.M. Brown, M.G Gouda, and C.L. Wu,Token sys-

tems that self-stabilize, IEEE Transactions on Comput-

[R86] F. E. Ross, FDDI - a Tutorial, IEEE Communication

ers 386 1989, 845{852.

Magazine, 245, 1986, 10{17.

[BP88] J.E. Burns and J. Pachl, Uniform self-stabilizing rings,

[RL81] M. O. Rabin and D. Lehmann, On the advantage of free

Proc. 3rdAegean Workshop on Computing, Lecture

choice: a symmetric solution to the dining philosophers

Notes in Computer Science,Vol 319, Springer-Verlag,

problem, Proc. ACM Symp. on Principles of Program-

New York, 1988, 391{400. See also: ACM TOPLAS

ming Languages. 1981, 133{138.

112 1989, 330{344.

[SS89] B. Schieber and M. Snir, Calling names on nameless

[BCK+83] W. Bux, F.H. Closs, K. Kummerle, H.J. Keller and

networks, Proc. 8th ACM Symp. on Principles of Dis-

H.R. Muller, Architecture and design of a reliable token-

tributed. Computing.

ring network, IEEE J. on SelectedAreas in Comm., 15,

1983, 756{765.

[STT89] P. Spirakis, B. Tampakas and A. Tsiolis, Symme-

try breaking in asynchronous rings in On messages,

[CV86] R. Cole and U. Vishkin, Deterministic coin tossing and

Proc. 3d International Workshop on DistributedAlgo-

accelerating cascades: micro and macro techniques for de-

rithms, Lecture Notes in Computer Science,Vol 393,

signing parallel algorithms, Proc. 18th ACM Symp. on

Springer-Verlag, New York, 1989, 233{241.

Theory of Computing 1986, 206{219.

[V84] P. Vitanyi, Distributed elections in an Archimedian ring

[CO90] I. Cidon and Y. Ofek, MetaRing - A full-duplex ring with

of pro cessors, Proc. 16th ACM Symp. on Theory of Com-

fairness and spatial reuse, Proc INFOCOM'90 969{981.

puting 1984, 542{547.

Also: Accepted to IEEE Tras. on Comm..

[Dij74] E.W. Dijkstra, Self-stabilizing systems in spite of dis-

tributed control, Communications of the ACM 1711

1974, 643{644.

[DIM91] S. Dolev, A. Israeli and S. Moran, Resource b ounds for

self stabilizing message driven proto cols, Proc. 10th ACM

Symp. on Principles of Distributed. Computing 1991,

281{293.

[FL84] G.N. Frederickson and N. Lynch, The impact of syn-

chronous communication on the problem of electing a

leadeProc. 16th ACM Symp. on Theory of Computing

1984, 493{503. see also: J. of the ACM 341 1987,

98{115.

[FS86] G.N. Frederickson and N. Santoro, Breaking Symme-

try in synchronous networks, Proc. 1st AWOC Lecture

Notes in Computer Science,Vol 227, Springer-Verlag,

New York, 1986, 82{93.

[Her90] T. Herman, Probabilistic self-stabilization, Information

Processing Letters 35 1990, 63{67.

[HN88] A. Hopper and R. M. Needham, The Cambridge fast ring

networking system, IEEE Transactions on Computers,

3710 1988, 1214{1223.

[IJ90a] A. Israeli and M. Jalfon,Token managementschemes

and random walks yield self stabilizing mutual exclu-

sion, Proc. 9th ACM Symp. on Principles of Distributed.

Computing 1990, 119{130.

[IJ90b] A. Israeli and M. Jalfon, Self-Stabilizing Ring Ori-

entation, Proc. 4th International Workshop on Dis-

tributedAlgorithms, Lecture Notes in Computer Sci-

ence,Vol 486, Springer-Verlag, New York, 1990, 1{14.