A Lighter Generic Protocol for Snap-Stabilizationdevismes/WWW/rapports/LaRIA-2006-07.pdf · processor is eventually chosen by the daemon. Finally, the unfair daemon is the weakest

A Lighter Generic Protocol for Snap-Stabilization

Alain Cournier Stephane Devismes Vincent VillainLaRIA, CNRS FRE 2733

Universite de Picardie Jules Verne, Amiens (France)

Abstract

A snap-stabilizing protocol, starting from any arbitrary initial configuration, always behaves according to its specification.In [11], we propose a protocol that snap-stabilizes self-stabilizing wave protocols for arbitrary networks with a unique initiator.Using similar techniques, we propose in this paper a light semi-automatic method allowing to snap-stabilize non-fault-tolerant waveprotocols for arbitrary networks with a unique initiator. The main consequence of our method is that we can now bound the overcostof the snap-stabilization for a non-fault-tolerant protocol. So, we will show that, using our method, we can easily obtain very efficientsnap-stabilizing protocols.

Keywords: Distributed systems, fault-tolerance, self-stabilization, snap-stabilization, transformer, wave protocols.

1 Introduction

A distributed system is a network where processors execute local computations according to their state andthe messages from their neighbors. Distributed systems have the inherent problems of faults. The quality ofa distributed system design depends on its tolerance to faults that may occur at various components of thesystem. Many fault-tolerant schemes have been proposed and implemented, but the most general technique todesign a system tolerating arbitrary transient faults is self-stabilization [15]. A self-stabilizing system, regard-less of the initial states of the processors and messages initialy in the links, is guaranteed to converge into theintended behavior in finite time. Recently, a new paradigm called snap-stabilization has been introduced in[6]. A snap-stabilizing protocol guaranteed that, starting from any configuration, it always behaves accordingto its specification. In other words, a snap-stabilizing protocol is a self-stabilizing protocol which stabilizesin 0 time unit. Obviously, a snap-stabilizing protocol is optimal in stabilization time.

Related Works. Designing and proving self- or snap- stabilizing protocols is usually a complicated task.That is why some protocols, called transformers, were proposed to automatically perform such a task, e.g.,[21, 8]. In [21], Katz and Perry design a protocol that transforms almost all non-self-stabilizing protocols intoself-stabilizing protocols. In [8], the authors propose a snap-stabilizing version of four fundamental protocols— Reset, Snapshot, Leader Election, and Termination Detection — using a snap-stabilizing Propagationof Information with Feedback (PIF) for arbitrary rooted networks as those in [5, 6, 12]. Using the abovementioned protocols, they show how to design a transformer providing a snap-stabilizing version of anyprotocol which can be self-stabilized with the transformer of [21], but, this transformer is designed in a higherlevel model than the one used in [21]. The transformers of [21, 8] use heavy mechanisms to transform aninitial protocol into a self- or snap- stabilizing protocol and the overcost of the stabilization is often difficult toevaluate. Indeed, they use snapshots to regulary evaluate a predicate defined on the variables of the protocolto transform. This predicate characterizes the normal configurations of the system. This technique is usedfor preventing the system from deadlocks and livelocks. The main drawbacks of these solutions are:

��such

a predicate is generally difficult to formalize;��

the number of snapshots used by the transformer protocolcannot be bounded compared to the number of actions of the initial protocol (i.e., the protocol to transform).In [11], we propose a black box protocol that does not use snapshots. However, our protocol just transformsself-stabilizing wave protocols with a unique initiator into snap-stabilizing wave protocols.

1

Contributions. In this paper, we show the minimal properties required by a non-fault-tolerant protocol tobe snap-stabilized by the black box protocol of [11]. From these properties, we deduce how to slightly updatea non-fault-tolerant protocol � for arbitrary networks with a unique initiator to obtain a protocol � that can betransformed in a snap-stabilizing protocol with the black box protocol of [11]. Of course, the modificationsto obtain � is easier than designing self- or snap- stabilizing protocols. Our black box does not use anysnapshot to snap-stabilize � . So, the main consequence of our solution is that we can now bound the overcostof the black box. Moreover, in contrast with the solution in [8], we can now design snap-stabilizing protocolsworking without any assumption on the fairness of processors. To show the feasibility of our method, wealso propose two snap-stabilizing protocols designed with our black box. In addition, we will show thatthese protocols are efficient in time as well as in space complexity. Hence, our black box can be seen as apowerful tool simplifying the design of snap-stabilizing protocols. Moreover, our black box has the propertyto generate at most two useless resets. This property allows us to design a snap-stabilizing mutual exclusionprotocol because each requestor of the critical section is now able to detect when the token is unique.

Outlines of the paper. The rest of the paper is organized as follows: in Section 2, we describe the modelin which our protocols are written. To valid our approach, we then propose in Section 4 two applicationsobtained with our black box. Using the depth-first token circulation proposed in Section 4, we design asnap-stabilizing mutual exclusion protocol in Section 5. Finally, we make concluding remarks in Section 6.

2 Preliminaries

Network. In this paper, we deal with distributed protocols having only one initiator and working on arbitrarytopologies. So, we consider a network as an undirected connected rooted graph �� ( � , � ,r) where � is aset of processors, � is the set of bidirectional asynchronous communication links, and r �� . In such anetwork, we distinguish the particular processor r which is usually called root. Of course, the root processorcorresponds to the protocol initiator. In the network, a communication link ( , ) exists if and only if and are neighbors. Every processor can distinguish all its links. To simplify the presentation, we refer to alink ( , ) of a processor by the label . We assume that the labels of , stored in the set � � �� , are locallyordered by � � . We also assume that �� is an input from the system and constant. In the paper, we alsouse the following notations: � is the size of the network (i.e., �� ) and � is the degree of the network(i.e., the maximal value among the local degrees of the processors).

Programs. In our model, the protocols are semi-uniform, i.e., each processor executes the same programexcept r. Indeed, r is the unique initiator of the protocols and the behavior of a protocol initiator is generallydifferent of the other processors. We consider the local shared memory model of computation introducedby Dijkstra in [15]. This model, called state model, is an abstraction of the message-passing model in asense that the notion of messages is replaced by the fact that any processor can directly read the variablesof its neighbors. In the state model, the program of every processor consists in a set of shared variables(henceforth, referred to as variables) and an ordered finite set of actions inducing a priority. This priorityfollows the order of appearance of the actions into the text of the protocol. A processor can write to its ownvariable only, and read its own variables and that of its neighbors. Each action is constitued as follows:

�� "!#!$� �&% �&')(*�,+-�".0/1�2/ �435�46 /7�98The guard of an action in the program of is a boolean expression involving variables of and its neighbors.The statement of an action of updates one or more variables of . An action can be executed only if itsguard is satisfied. The state of a processor is defined by the value of its variables. The state of a system isthe product of the states of all processors. We will refer to the state of a processor and the system as a (local)state and (global) configuration, respectively. We note : the set of all configurations of the system. Let ;��:and < an action of (=�=� ). < is said enabled at in ; if and only if the guard of < is satisfied by in; . Processor is said to be enabled in ; if and only if at least one action is enabled at in ; . When several

2

actions are simultaneously enabled at a processor : only the priority enabled action can be activated. Let adistributed protocol � be a collection of binary transition relations denoted by �+ , on : . An execution of aprotocol � is a maximal sequence of configurations � � � ;�� , ;�� ,..., ;�� , ;�� ,... � such that, � � ��

, ;��+ ;��(called a step) if ;�� exists, else ;�� is a terminal configuration. Maximality means that the sequence is eitherfinite (and no action of � is enabled in the terminal configuration) or infinite. All executions considered hereare assumed to be maximal. � is the set of all executions of � .

As we already said, each execution is decomposed into steps. Each step is shared into three sequentialphases atomically executed:

1. Every processor evaluates its guards.

2. A daemon (also called scheduler) chooses some enabled processors.

3. Each chosen processor executes its priority enabled action.

When the three phases are done, the next step begins. A daemon can be defined in terms of fairness and dis-tribution. There exists several kinds of fairness assumption. In this paper, we consider the strongly fairness,weakly fairness, and unfairness assumption, respectively (these fairness assumptions are the most commonof the literature). Under a strongly fair daemon, every processor that is enabled infinitively often is eventu-ally chosen by the daemon to execute an action. When a daemon is weakly fair, every continuously enabledprocessor is eventually chosen by the daemon. Finally, the unfair daemon is the weakest scheduling assump-tion: it can forever prevent a processor to execute an action except if it is the only enabled processor. Inthe following, to simplify the notation, we will denote (when necessary) the strongly fair, weakly fair, andunfair daemon by �� , �� , and � � . Concerning the distribution, we assume that the daemon is distributedmeaning that, at each step, if one or more processors are enabled, then the daemon chooses at least one ofthese processors to execute an action.

We consider that any processor is neutralized in the step ;��+ ;�� if was enabled in ;�� and notenabled in ;�� , but did not execute any action in ;��+ ;�� . The neutralization represents the followingsituation: at least one neighbor of changes its state in ;��+ ;�� , and this change effectively made the guardof all actions of false in ; �� . To compute the time complexity, we use the definition of round [17].

This definition captures the execution rate of the slowest processor in any execution. Given an execution� ( � �!� ), the first round of � (let us call it �#" ) is the minimal prefix of � containing the execution of one actionor the neutralization of every enabled processor from the initial configuration. Let � " " be the suffix of � suchthat � �9�$"#�%" " . The second round of � is the first round of ��" " , and so on.

Definition 1 (Wave Protocol [23]) A wave protocol is a protocol � that satisfies the following requirements:

1. Each execution of � (called wave) is finite and contains at least an action of decision.

2. Each action of decision is causally preceded by an action of each processor.

Definition 2 (Snap-stabilization) Let & be a task, and '(� ) the specification of & . The protocol � is snap-stabilizing for the specification '*�+) if and only if � � �,� , � satisfies '(�+) .

Consider a wave protocol having a unique initiator, r, and performing a specific task in a safe environment.In the safe environment, starting from a pre-defined configuration called normal starting configuration, rinitiates the protocol by executing a special action called initialization action. This initialization occurs uponan external (w.r.t. the protocol) request. Before this request, all the processors are “asleep” (i.e., disabled).In particular, r is on standby of a request. Similary, at the termination of the protocol, the processors becomeasleep again until the next request occurs at the initiator. In contrast, in a self-stabilizing environnement, theprotocols achieve a convergence to a specified behavior of the system in a finite time. So, the execution of firstwaves of such protocols may not satisfy its specification and, as a consequence, the waves have to be repeatedso that the system eventually satisfies its specification. Hence, self-stabilizing protocols are inherently cyclicand the notion of request is simply kept in the background. On the contrary, the snap-stabilization guarantees

3

that after the first initialization action, the execution of the protocol works as expected (i.e., according to itsspecification). Thus, snap-stabilization does not require to design cyclic protocols and the initialization of theprotocols is similar to the one in a safe environnement, i.e., the initialization is assumed to occur only upon anexternal request (see [8] for further details). In our protocols, we will explicitly mention this external requestusing the shared variable � �0 % � .0/�� / , ��6 , � % /�� (noted � 8 � � % � . /� for the specific protocol � ). Weconsider � � % � . / � as an input into the algorithm of the protocol initiator (r). � � % � .0/ � � � � � / means thatan execution of the protocol is required. When the initialization of the protocol occurs, � � % � . /� switchesfrom � � � / to ��6 meaning that r has taking the request into account. Finally, � �0 % � .0/�� switches from �&6to � % / at the termination of the wave meaning that the system is now ready to receive another request. Ofcourse, the switching of � � % � . /�� from � � � / to ��6 and from �&6 to � % / is managed by the task it-self whilethe switching from � % / to � � � / (which means that another execution of the protocol is required) is managedexternally. Note that all other transitions (for instance, ��6 to � � � / ) are forbidden. The external action, noted�� , that manages the switching from � % / to � � � / is of the following form:

� � !#! < � � �� &/ �� 6�� % � .0/ � r �� % � . /�� % / � + � �0 % � .0/�� ! � � � � /�� < � � �� 2/ �� 6�� $. � ��< � � �� &/ �� 6�� % � .0/ � r � is a predicate which is true when an application at the initiator r needs an exe-cution of the snap-stabilizing protocol. < � � �� 2/ �� 6�� . � � is a macro which contains the code of theapplication that has to be executed when the system takes the request into account. In particular, this macrohas to make Predicate < � � �� &/ �� 6�� % � .0/ � r � false. In the following, we will assume that, since satisfied,< � � �� &/ �� 6�� % � .0/ � r � is continuously satisfied until �� is executed.

From Definitions 1, 2, and the above discussion, follows:

Remark 1 Let & be a task, '(�+) a specification of & , and � a wave protocol with a unique initiator, r. Toprove that � is snap-stabilizing for '(� ) , we have to show that every execution of � satisfies the two followingconditions:

1. Since r requests a � wave, the requested � wave is initiated in a finite time.

2. From any configuration where r has initiated a � wave, the system computes & according to '*� ) .

3 The Transformer

3.1 Principle

Let � be a protocol with a unique initiator, r, designed for executing a specific task & in a safe environment.We want to snap-stabilize � without using the snapshot techniques. In [21, 8], the snapshots are used fordetecting deadlocks and livelocks in the execution of the initial protocol. As we do not want to use snapshots,we cannot detect the deadlocks or livelocks that may occur when using � in a non-safe environment. So,we propose to slightly modify � to obtain a protocol � satisfying an additional property. This property mustallow � to be automatically snap-stabilized by a black box protocol which does not use any snapshot. Theproperty must be ”minimal” in a sense that it should be the easiest as possible to design. In particular, itshould not be as difficult to design as self- or snap- stabilization. From now on, we note '*' � � � � �

the snap-stabilizing version of � obtained with our Snap-Stabilizing Black Box ( '(' � � ). By Remark 1, the propertyof � must insure that:

� Starting from any configuration and upon an external request on r, r eventually initiates '*' � � � � �

(Correctness I).

� As soon as '(' � � � � �is initiated, it executes the task & as expected (Correctness II).

First, by Correctness I, starting from any configuration, the system must reach a configuration from which'(' � � � � �

can properly start. This implies that when the root requests an execution of '*' � � � � �, '(' � � � � �

must start in a finite time but without aborting a previous initiated wave of & . One way to get this property isto design in � a predicate for r, noted � 8 � 6 ( � ' � , which verifies the BreakingIn property as defined below.

4

Definition 3 (Stable) Let � be a protocol, � be a predicate defined on the � variables, and � be a daemon( � � � � � , � � , � � �

). � satisfies � / �$� � � � � �( � is said stable for the daemon � ) if and only if: � is satisfied

implies that if there exists some actions having � as guard, then at least one will be executed despite � .

Definition 4 (BreakingIn) Let � be a wave protocol with only one initiator, r, and � � ' �be a predicate

defined on the � variables of r and its neighbors. � � ' � satisfies � ' � �� 6 � �&6 � � �where � � � � � , �� , ��

if and only if:

1. Starting from any configuration, � � ' � is satisfied in a finite time despite � .

2. If � � ' �is satisfied and a wave of � was initiated, then this wave is terminated.

3. In any configuration where � � ' �is satisfied, all action of � are disabled at r.

4. � � ' � satisfies � /1�$� � � � � �.

From Definitions 3 and 4, we deduce the following consequence:

Consequence 1 Let � be a wave protocol with only one initiator, r, and � � ' � be a predicate of r defined onthe � variables of r and its neighbors which satisfies � ' � �� 6 � ��6 � � �

. Let � � ; � , ; � ,..., ;�� ,... be an executionof � under � ( � � � �� , �� , � � �

).

- If �� , then, for every non-empty suffix �#" of � , �2;�� 5�$" such that � � ' �is satisfied in ;�� .

- If �� , then, �2;�� such that �� , � � ' � is satisfied in ;� .

- If �� , then, � is finite and � � ' � is satisfied in the terminal configuration.

Assuming the existence of � 8 � 6 ( � ' � (i.e., a predicate of � for r satisfying � ' � �� 6 � ��6 � � �), we now just

need to reset the variables of � since � 8 � 6 ( � ' � is satisfied in order to verify Correctness II. To that goal,we assume that, for each processor , all the variables assignments required to generate a normal startingconfiguration of � are stored in a macro of � noted � 8 ��6 � / � . For sake of clarity, we note � 8 �&6 � / the setof the macros � 8 ��6 � / � defined on all the processors . Using � 8 �&6 � / , the reset phase is trivially initiated atthe initialization action of '*' � � � � �

and, as soon as the reset terminates, � executes the task & as � in anon-fault-tolerant situation. In particular, this means that the initialization action of '(' � � � � �

correspondsto the initialization action of reset and, of course, '(' � � � � �

will take in account of the requests for � (using� 8 � � % � . /�� ) instead of � it-self. Hence, we can now define the SSBB-Friendly property which is the propertythat � must satisfy to be snap-stabilized by '(' � � .

Definition 5 (SSBB-Friendly) Let � be a wave protocol with only one initiator, r. � satisfies � �� -� ' � � 6 (&�� & , � �

where & is the specific task and � � � � � , �� , � � � if and only if:

1. � contains a predicate � 8 � 6 ( � ' � satisfying � ' � �� 6 � ��6 � � �.

2. � has a set of macros � 8 �&6 � / such that, from any configuration generated by � 8 ��6 � / , � executes & .

3. No action of � at r refers to � 8 � � % � .0/�� .'(' � � � � �

will reset the � variables (using � 8 ��6 � / ) so that the system reaches a normal starting configurationof � and, then, gives the execution control to � so that it performs the task & . A well-known technique toperform a reset in distributed systems is based on the Propagation of Information with Feedback (PIF). SomePIF protocols for arbitrary networks have been proposed in the snap-stabilizing literature, e.g., [7, 4, 13]. APIF scheme can be informally described as follows: the root processor initiates the protocol by broadcastinga message m (broadcast phase), then, every non-root processor will send an acknowledgment to the root forthe receipt of m (feedback phase). Using the PIF scheme, the reset protocol can be perform as follows:

��

the root processor broadcasts an “abort” message,��

upon the reception of the message, the processorsabort the execution of � ,

��finally, the processors reset their � variables during the feedback phase. To

implement '(' � � , we need a snap-stabilizing PIF protocol working under the most general daemon to beable to snap-stabilize protocols working under any kind of daemons. Such a protocol is provided in [13].

5

Algorithm 1 � � . � / � � �for �� r

Inputs: �� : set of (locally) ordered neighbors of�

;Constants: � �� ; � � � � ;Variables: � �� , � , � , �� ; �� , � , �� ;. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Macro: �� "!$#�� %�'&(� �� )��*+* ( ��,.-� � ) / ( �0, � � ) / ( �1, � � � �� ) / [( �2,.-� � � ) 3 ( � � �4�� , �(�5/��2, � � )] � ;. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .General Predicates:�� 76 �98 :

( ; &�� )� � *+* � , -� � )�<��=?>@6 ��8 :[ ; &�� )� � *+* ( � , -� � ) 3 ( � , -� � )]� �<��=?>@6 �98 :( � � �A� ) / [; &(� �� B*+* ( �0, � � ) 3 ( ��, � � )]�DC0EGFH� �JI � 6 ��8K:( �� ) / [ ; &�� .� ��B*+* ( �2,.-� � ) 3 ( ��G, � � )]

Guards:� �ML = #JN =OEGPQ6 ��8 :( � � � � ) /.�<��=?>@6 �98��'� #JR = N � 6 ��8 : � �<��=?>@6 ��8 /S�� 76 �98 /S�DC0EGFH� �JI � 6 ��8� � �'� ! ��=7CT6 ��8 :( � � � � ) / [ ; &�� )�� *+* ( �0, � � ) 3 ( �2, �� , �� )]� ! �'=JC � C � 6 ��8 :( � � � � ) /S�<��=?>@6 �98�D� & � � � �J6 ��8 :( � �.�� , �(� ) / [( � � �U� ) 3V�� '�J6 ��8 ] / [[( �� ) / ( ; &�� .� �� *+* ( � , -� � ) 3 ( ��9� , �� , �H� ))]W

[( ��9� �� ) / ( X &B� �.� �� *+* ( � , -� � ) / (( �� , � � )W

( &B� �� !Y# � /S�� , � � )))]]�DC0EGFH� � 6 ��8 :( � � �� , �(� ) / [( � � �U� ) 3V�� '�J6 ��8 ] / ( �� ) / (; &(� �� !Y#'�B*+* ��, �4��Z , �� )/ [ ; &�� .� �� *+* ( � , -� � ) 3 ( �� , -� � )]I � 6 �98 :( � � � � )

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Actions:PIF Part:� - = N P � L C /* Initialization */ *+* ( [D\ �D� & ��E]P ��UZ = � P ) /.[D\ ^�C # 6 ��8 / � �ML = #JN =?E]PQ6 ��8 _ � � * �U� ; �� * � � ;[`\ �D� & ��EGP � * �%a C ;� - = N P � L C *+* �� #JR = N � 6 ��8 _ � ��* � � ; [D\ a C � P � ;� - = N P � L C *+* � � �� ! �'=JC16 �98 _ � ��* � � ;� - = N P � L C *+* � ! �'=JC � C � 6 ��8 _ � � * � � ;b

- = N P � L C /* Decision */ *+* ( [D\ �D� & ��E]P ��ca C ) /.[D\ ^�C # 6 ��8 / I � 6 ��8 _ [`\ �D� & ��EGP � * � I �2P ;Question Part:�� - = N P � L C *+* �`� & � � � �76 �98 _ �� * � � ;�� - = N P � L C *+* �`CdE]F�� 6 ��8 _ �� * � � ;

3.2 Snap-Stabilizing PIF

A snap-stabilizing PIF protocol satisfies the following specification: starting from any configuration, when rhas a message m to broadcast, r starts the broadcast in a finite time. Then, every other processor will bothreceive m and send an acknowledgment (for the receipt of m) which will reach r in a finite time.

Theorem 1 ([13]) The PIF protocol proposed in [13] is snap-stabilizing under a distributed unfair daemon.

As the distributed unfair daemon is the most general daemon, Theorem 1 implies that the protocol of [13],called in the following ��e�f , works under any kind of daemon. Another important consequence of Theorem1 is that, starting from any configuration, each PIF wave performed by ��e�f is bounded in terms of steps.We now roughly present the main actions and variables of ��e�f (see the technical report [12] for details).��e�f is divided into three parts: the PIF, question, and correction parts, respectively. The PIF part is themost important part of the protocol because it contains the actions related to the three phases of a PIF wave:the broadcast phase, the feedback phase following the broadcast phase, and the cleaning phase which cleansthe trace of the feedback phase so that the root is ready to broadcast a new message. The two other parts ofthe algorithm implement two mechanisms allowing the snap-stabilization of the PIF part. Due to the lack ofspace, we do not present these mechanisms here (see the technical report [12] for details). Informally, the PIFpart maintains in every processor two crucial variables for '*' � � :

- g � . This variable points out to the processor from which receives the broadcast message. So, g � �� if ih� r and g � �kj if � r (indeed, as r is the initiator of the broadcast, r never receives anymessage and g � is a constant). A spanning tree of the network w.r.t. the g variables is dynamicallybuilt during the broadcast phase.

- � � . Informally, � � allows to know in which phase of the PIF the processor is. � � is set to � when switches to the broadcast phase ( � - � � / �� 6 ). Then, � � is set to � when switches to the feedbackphase ( � - � � / �� 6 ). The cleaning phase is managed with two states: g and l . After r detects the end

6

of the feedback phase (r is the last processor which switches to the feedback phase), r initiates thepropagation of the g value into the � variables following the computed spanning tree in order to informall the processor of this termination ( g - � � / �� 6 ). Then, the processors successively switches to l ( l -� � / �� 6 ) in a bottom up fashion (from the leaves of the spanning tree to r) meaning that they now readyto receive another broadcast message. Hence, the PIF wave terminates when r sets � � to l ( l - � � / �� 6 ).Finally, note that two more states exists in � � for h� r: � � and �� . But, they are used by thecorrection part only. So, we do not explain the goal of these states here.

We now recall some results about ��e�f :

Property 1 From [12], follows:

1. After r initiates a broadcast ( � -� � / �� 6 ), the system eventually reaches a configuration where every

processor is in the feedback phase associated to the broadcast of r (see proof of Property� g � �� in

Theorem 3 of [12]).

2. From any configuration, r executes � - � � / �� 6 in � ( �� ) steps and at most �� rounds (Theorems2 and 5 in [12]).

3. From any configuration, a complete PIF wave costs � ( �� ) steps and at most �� rounds(Corollary 2 and Theorem 8 in [12]).

4. �& � � , from any configuration where � � � l , is guaranteed to acknowledge a message initiated byr since its � C # � - � � / �� 6 1 (Lemmas 11 and 24 in [12]).

Remark 2 By Property 1, from any configuration, r executes � -� � / �� 6 in at most �� rounds. Actually,

this time complexity corresponds to the following worst case: the maximal number of rounds starting fromany configuration before the system reaches a configuration where � - � � / �� 6 at r is the only enabled action ofthe system (see [12] for details).

Using the protocol of [13], we now explain how we build our '*' � � protocol.

3.3 SSBB Protocol

To build '*' � � � � �, we use the following composition technique. Let g � and g�� be two protocols, the

composition of g*� and g � , denoted g �� g(� , will be the program satisfying the following conditions:

1. g �� g(� contains all the variables and actions of g � and g � .2. � is a predicate defined on the variables of g � .3. Each action � � !#!�� + � � of g�� is replaced into the protocol g�� g � by � � !#! � � � � + � � .

Following these composition rules, '(' � � � � � � � � � I � 6 �98 � � . � / � � �where � � � �� l �

. � � . � / � � �

is a slight modified version of ��e.f (see Algorithms 1 and 2). It is used for resetting the � variables whenit is necessary. To that goal, we modify the guard of its initialization action: � - � � / �� 6 at r (the initializationaction of '(' � � � � �

) so that it is enabled only when a request for � occurs at the root ( � 8 � �0 % � .0/ � � � � � / )and � 8 � 6 ( � ' � is satisfied (in order to avoid the aborting a previous initiated wave of � ). Then, we add theassignment � 8 � �0 % � .0/�� ! � �&6 into the statement of � - � � / �� 6 meaning that r takes the � request into accountat the initialization action of � � . � / � � �

(i.e., the initialization action of '(' � � � � �). Also, as previously

explained, we modify the � - � � / �� 6 so that the � variables will be reset using � 8 ��6 � / � during the feedbackphase. We use the predicate � � � � into the composition so that each processor stops its local execution of� when receiving the reset ( � - � � / �� 6 ) and until the local termination of the reset at . Indeed, we alreadyknow that continuously satisfies � � h� l during its participation to a reset (see previous subsection). So,while participates to a reset, � � � � is false and all actions of � in '(' � � � � �

are disabled at . Finally, weadd an action, noted ! - � � / �� 6 , so that r switches � 8 � � % � . /�� from ��6 to � % / at the termination (decision)of each wave of '(' � � � � �

.

1Remember that a snap-stabilizing system does not insure that processors never work in a fuzzy manner. Snap-stabilization justguarantees that any initiated task is computed according to its specification.

7

Algorithm 2 � � . � / � � �for h� r

Inputs: �� : set of (locally) ordered neighbors of�

;Variables: � �� , � , � , � , ^ � , ^��(� ; � �� .� �� ; � �.�� ; �� , � , Z , �� ;. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Macros:�� "!$#�� '&(� �.� ��G�*+* ( ��,9-� � ) / ( �0, � � ) / ( �T, � � � �� ) / [( ��,.-� � � ) 3 (( � � �� , �(�5/S�2, � � )

W( � � � ^ � ))] � ;� � � � L P �GC@P � = ! � � �'&(� �.� ��G�*+* ��, �A� � ;� L P �GC@P � = ! � � �'&(� �.� �� *+* ; &��d� � � � � L P ��C9P � = ! � , � ,�� ,�� ;

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .General Predicates:�� 76 �98 :

( ; &�� )� � *+* � , -� � )�<��=?>@6 ��8 :[ ; &�� )��*+* ( ��,.-� � ) 3 ( �0,�-� � )]� �<��=?>@6 �98 :( � ��A� ) / [; &(� �� *+* ( � , � � ) 3 ( � , � � )]�DC0EGFH� �JI � 6 ��8K:( �� ) / [ ; &�� .� �� *+* ( � , -� � ) 3 ( �� , � � )]� L�L # � 6 ��8 :( � �� )

W[( ��-� � � ) 3 (( �� ^ � )

W( � � � � /�� , �(� ))]� L�L # � 6 ��8 :

( � � -� � ) 3 ( � � � � � �� )� R � L�L PQ6 ��8 : � � L'L # �56 ��8 W � � L�L # �`6 ��8Guards:^�� R � L�L PQ6 �98 :

( � � � ^�� ) /�� R � L'L PQ6 ��8 / [ ; &(� �.� ��B*+* ( �0, � � /.�1,�� ) 3 ( ��, �� ^�� , �� )]^ � �ML = #7N =OEGPQ6 ��8 :( � �.�� , � , �(� ) / [

� � R � L�L PQ6 �98 3 ( � � � ^ � )]^��'� #7R = N � 6 �98 :( � � � ^ � ) / [; &(� �� *+* ( � , � � /�� , � � � ) 3 ( � , �� ^�� , �� )]� �ML = #JN =OEGPQ6 ��8 :( � � � � ) / ( � L P �GC@P � = ! � -�� ) /S�<��=?>@6 ��8��'� #JR = N � 6 ��8 : � �<��=?>@6 ��8 /�� '�J6 ��8 /��DC0EGFH� �JI � 6 ��8� � �'� ! ��=7CT6 ��8 :( � � � � ) / ( �� ) / [; &(� �� )� � *+* ( � , � � ) 3 ( � , �� , �� )]� ! �'=JC � C � 6 ��8 :( � � � � ) /.�<��=?>@6 �98�D� & � � � �J6 ��8 :( � � �� , �(� ) / [( � � �A� ) 3V�� '�J6 ��8 ] / [[( �� ) / ( ; &�� .� ��G� *+* ( ��,.-� � ) 3 ( ��G, �� , �� ))]W

[( �� 4��Z , �� ) / ( X &B� �.� �� *+* ( � , -� � ) / (( ��9� , � � )W

( &(� �� "!$# � /�� , � � )))]]Z = � PQ6 ��8 :( � �.�� , �(� ) / [( � � �A� ) 3V�� '�J6 ��8 ] / ( �� ) / ( �� )/ ( ; &(� �� "!$#'� *+* ��9�G, ��Z , �� ) / (; &(� �� B*+* ( ��,�-� � ) 3 ( ��, -� � ))�DC0EGFH� � 6 ��8 :( � �.�� , �(� ) / [( � � �A� ) 3V�� '�J6 ��8 ] / ( �� AZ ) / ( ��9� � � � )/ ( ; &(� �� "!$# � *+* ��9� , ��Z , �� ) / (; &(� �� *+* ( � , -� � ) 3 ( �� , -� � ))

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Actions:Correction Part:^(� - = N P � L C *+* ^�� R � L'L PQ6 ��8 _ � � * � � ;^ � - = N P � L C *+* ^ � ��L = #JN =OEGPQ6 �98 _ � �.* � ^ � ;^�� - = N P � L C *+* ^��'� #JR = N � 6 ��8 _ � �.* � ^�� ;PIF Part:� - = N P � L C *+* � �ML = #7N =OEGPQ6 ��8 _ � � * �U� ; � � * � min � ( � L P ��C9P � = ! � ); � � * � � �� ; �� * � � ;� - = N P � L C *+* ��'� #7R = N � 6 �98 _ � �.* � � ; [`\ a C � P � ;� - = N P � L C *+* � � �� ! �'=JC16 ��8 _ � � * � � ;� - = N P � L C *+* � ! ��=7C � C � 6 ��8 _ � � * � � ;Question Part:�� - = N P � L C *+* �D� & � � � �76 ��8 _ ��9� � * � � ;� Z - = N P � L C *+* Z = � PQ6 ��8 _ ��9� � * �UZ ;�� - = N P � L C *+* �DC0EGF�� 6 �98 _ ��9� � * � � ;

3.4 Proof of Correctness

In this subsection, we will prove that the composite protocol '(' � � � � �, where � is any protocol satisfying

� � � � - � ' � �46 (2�� & , � �, is snap-stabilizing for the specification of the task & under the daemon � . First, as

� is designed to solve the specific task & only, we make the following assumption:

Assumption 1 � does not write into the � � . � / � � �variables.

We now prove '*' � � � � �is a fair composition of Algorithms � � . � / � � �

and � .

Definition 6 (Fair Execution [23]) An execution � of the composite protocol g � � � � g(� is fair w.r.t. g � (� �

� , � � , if one of these conditions holds:

� � is finite.

� � contains infinitively many steps of g � , or contains an infinite suffix in which no step of g � is enabled.

Theorem 2 '*' � � � � �is a fair composition of Algorithms � � . � / � � �

and � .

8

Proof. Assume, by the contradiction, that there exists at least one execution � of '(' � � � � �which is not fair.

Then, by Definition 6, � is infinite and two cases are possible:

1. There exists an (infinite) suffix � " of � where some actions of � are enabled but only actions of � � . � / � � �

are executed. Then, � " contains infinitively many steps of � � . � / � � �. Now, By Property 1 (Claim

2), each wave of � � . � / � � �is performed in a finite number of steps. So, � � . � / � � �

executes wavesinfinitively often in � " . In � " , the variables of � � . � / � � �

behaves as ��e.f (by Assumption 1) whichis snap-stabilizing by Theorem 1. So, during its first complete wave in � " , � � . � / � � �

performs, inparticular, a complete feedback phase. Now, when r performs its feedback phase ( � - � � / �� 6 ), it alsoresets its � variables by � 8 �&6 � /�� . After this local reset, � 8 � 6 ( � ' � �� . � and, as the � variables atr are no more modified (by hypothesis, no action of � are executed in � " ), � 8 � 6 ( � ' � �� . � forever.This implies that the initialization action of � � . � / � � �

, i.e., � - � � / �� 6 of r, becomes disabled forever.So, � � . � / � � �

cannot execute waves infinitively often in � " , a contradiction.

2. There exists an (infinite) suffix � " of � where some actions of � � . � / � � �are enabled but only actions of

� are executed. In particular, this means that � " contains infinitively many steps of � . Then, accordingto the actions of � � . � / � � �

that are enabled in � " , we study the following three cases:

� Assume that � - � � / �� 6 is enabled at r in ; � such that ;��*� �%" . Then, ( � 8 � � % � . /� � � � � / )� � 8 � 6 ( � � � � ' � ��( � �$. / � � is satisfied in ; � . As � 8 � � % � . /�� remains equal to � � � / untilr executes � - � � / �� 6 , � 8 � � % � .0/�� is continuously equal to � � � / from ; � . Then, no action of� � . � / � � �

are executed in � and � does not write into the � � . � / � � �variables (Assumption 1). So,

� ' � �2( � ��.0/ � ' � is also continuously satisfied from ; � . Hence, the value of the guard of � - � � / �� 6depends on � 8 � 6 ( � � only. Now, as � 8 � 6 ( � � is satisfied in ; � and � 8 � 6 ( � �

is stable for � , byDefinition 3, � - � � / �� 6 is eventually executed despite � (the daemon), a contradiction.

� Assume that ! - � � / �� 6 is enabled at r in ;�� such that ;�� " . By a reasonning similar to theprevious one, we also obtain a contradiction.

� Assume that some actions of � � . � / � � �different of � - � � / �� 6 and ! - � � / �� 6 at r are enabled in

;�� such that ;�� %" . Such actions depend on internal variables of � � . � / � � �only. So, as � does

not write into the � � . � / � � �variables (Assumption 1), these actions are continuously enabled

and, by the contradiction, � � � � : only the unfair daemon can prevent a continuously enabledaction to be executed. Now, Consequence 1 (Claim 3) implies that the system eventually reachesa configuration ; where only actions of � � . � / � � �

are enabled in '*' � � � � �. Hence, at least one

enabled action of � � . � / � � �is executed in ; �+ ; �� , a contradiction.

�

The next lemma shows that from any configuration where a computation of the task & is required ( � 8 � � % � . / �� / ), '(' � � � � �

is initiated in a finite time.

Lemma 1 Starting from any configuration where � 8 � � % � .0/ � � � � � /, '*' � � � � �

is initiated in a finite time.

Proof. Assume, by the contradiction, that, starting from a configuration where � 8 � �0 % � .0/ � � � � � / , rnever executes � - � � / �� 6 , i.e., the initialization action of '*' � � � � �

. First, � - � � / �� 6 is the only action thatcan modify � 8 � � % � . /� when it is equal to � � � / (see Algorithms 1, 2, and Definition 5, Claim 2). So,r satisfies � 8 � �0 % � .0/ � � � � � / forever. Then, by Theorem 2 and Assumption 1, � does not perturb thebehavior of � � . � / � � �

. So, by Property 1 (Claim 2), despite the daemon � , the system reaches a configurationwhere no action of � � . � / � � �

are enabled and r satisfies � ' � ��( � �$. / � ' � forever in a finite number of steps.From such a configuration, the value of the guard of � - � � / �� 6 at r now depends on � 8 � 6 ( � � only. Now,despite � , r eventually satisfies � 8 � 6 ( � � because � 8 � 6 ( � � satisfies � ' � �� 6 � �&6 � � �

(see Definition 4)and, as � 8 � 6 ( � � is stable for � , r eventually executes � - � � / �� 6 despite � by Definition 3, a contradiction.�

9

The next lemma shows that since r requests a computation of the task & (formally, since the predicate< � � �� &/ �� 6�� % � .0/ � ' � of the external action �� is satisfied), the system eventually takes this request intoaccount by executing � 8 � �0 % � .0/� ! � � � � / .Lemma 2 Starting from any configuration where r requests a '(' � � � � �

wave, r executes � 8 � �0 % � .0/�� ! �� /

in a finite time.

Proof. Assume, by the contradiction, that, starting from a configuration ; , r requests a wave of '(' � � � � �

but never executes � � (i.e., the external action of r containing the statement � 8 � �0 % � .0/ � ! � � � � / ).� Assume that � 8 � �0 % � .0/� � � % / in ;�� . In such a configuration, �� is enabled (the guard of �� is< � � �� 2/ �� 6�� 0 % � .0/ � r � � � � � % � .0/ � �� % / � ). Also, no action of � � � � � � �

can modify � 8 � � % � . / �until r sets � 8 � � % � . /� to � � � / by � � . So, � � is continuously enabled at r and if � (the daemon) isstrongly or weakly fair, �� is eventually executed. Hence, assume, by the contradiction, that � � � �and, as �� is never executed, � 8 � � % � . /�� remains equal to � % / forever. In particular, this means that� - � � / �� 6 is disabled at r forever. By Theorem 2 and Assumption 1, � does not perturb the behavior of� � . � / � � �

. So, Property 1 (Claim 2) implies that, despite the daemon � , the system eventually reaches aconfiguration ; from which no action of � � . � / � � �

are enabled forever (remember that r never executes� - � � / �� 6 ). From ; , only actions of � are executed. Now, in this case, the system will converge from; to a configuration ; � where �� is the only enabled action by Consequence 1 (Claim 3). So, � � isexecuted in ;�� + ;�� , a contradiction.

� Assume that � 8 � � % � . /� � ��6 in ;�� . From ;�� , � 8 � � % � . /�� will remain equal to �&6 until r executes! - � � / �� 6 (see Algorithms 1, 2, and Definition 5 Claim 2). Assume that r eventually executes ! -� � / �� 6 . By ! - � � / �� 6 , � 8 � � % � . /� ! � � % / and, from the previous case, r eventually executes � � ,a contradiction. So, assume, by the contradiction, that r never executes ! - � � / �� 6 and � 8 � �0 % � .0/ �remains equal to ��6 forever. In particular, this means that � - � � / �� 6 is disabled at r forever from ; � .By Theorem 2 and Assumption 1, we know that � does not perturb the behavior of � � . � / � � �

. So,Property 1 (Claim 2) implies that, despite the daemon � , the system eventually reaches a configuration; from which no action of � � . � / � � �

are enabled and r satisfies � ' � ��( � �$. / � ' � forever. From ; ,� 8 � � % � .0/�� &6 � � � � l forever ( � ' � ��( � �$. / � ' �� l �

) and the value of the guard of ! -� � / �� 6 at r now depends on � 8 � 6 ( � � only. Now, despite � , r eventually satisfies � 8 � 6 ( � � because� 8 � 6 ( � � satisfies � ' � �� 6 � ��6 � � �

(see Definition 4) and, as � 8 � 6 ( � �is stable for � , r eventually

executes ! - � � / �� 6 despite � by Definition 3, a contradiction.

� Assume that � 8 � �0 % � .0/� � � � � / in ;�� . Then, by Lemma 1, we know that r eventually executes� - � � / �� 6 . By � - � � / �� 6 , � 8 � � % � .0/�� ! � ��6 and we retreive the previous case, a contradiction.

�

By Lemmas 1 and 2, the following theorem holds. This theorem means that, since r requests an execution of'(' � � � � �

, '*' � � � � �is initiated in a finite time.

Theorem 3 Starting from any configuration where r requests a '(' � � � � �wave, the requested '*' � � � � �

wave is eventually initiated.

The next theorem shows that each computation of the task & initiated by r is executed as expected.

Theorem 4 From any configuration where r initiates '*' � � � � �, the system computes the task & as expected.

Proof. '(' � � � � �starts by initiating a � � . � / � � �

wave with � - � � / �� 6 at r: r switches � � to � . This waveterminates when r switches � � to l by l - � � / �� 6 (see [13]). So, during the whole wave, r continuouslysatisfies � � h� l , i.e., � � � � ' � , and r cannot execute any action of � . In particular, r cannot initiate � before� � . � / � � �

terminates (at r).By Theorem 2 and Assumption 1, � does not perturb the behavior of � � . � / � � �

. Now, by Property 1(Claim 1), after r initiates a broadcast ( � - � � / �� 6 ), the system eventually reaches a configuration ; � where

10

every processor is in the feedback phase associated to the broadcast of r. So, as the � variables are locallyreset at when switches � � to � and no action of � are executed by while � � h� l (( � � h� l )

�

� � � � � ), ;�� corresponds to the configuration (w.r.t. the � variables) generated by � 8 �&6 � / (i.e., a normalstarting configuration of � ). Also, note that � 8 � 6 ( � ' � becomes false when r executes � - � � / �� 6 (because of� 8 ��6 � /�� ). Owing the fact that the system reaches the configuration ;�� induces two other consequences:

1. From ;�� , no processor will execute an action of � before r initiates � .

2. From ;�� , the system contains no abnormal behavior related to � � . � / � � �.

Hence, when the reset terminates at r by l - � � / �� 6 (i.e. � �=! � l ), the system is in a configuration ; where �&,�,� , � � � l (the normal starting configuration of � � . � / � � �

, see [13]), the � variables describethe configuration generated by � 8 ��6 � / , and � 8 � 6 ( � ' � � � �2��. � . From ; , no reset will be initiated before� 8 � 6 ( � ' � (see the guard of � - � � / �� 6 ), i.e., before the decision associated to the execution of � that r willinitiate. So, from ;� and until � 8 � 6 ( � ' � , �& � � , � � � l and only � works. Hence, by Claim 3 in Definition5, from ; , � performs the specific task & and, when r decide by ! - � � / �� 6 ( ! - � � / �� 6 will be executed when� � � l � � 8 � 6 ( � ' � ), the task & has been executed as expected.

�

By Remark 1, Theorems 3 and 4, follows:

Theorem 5 '*' � � � � �is snap-stabilizing for the specification of & under the daemon � .

3.5 Complexity Analysis

Space Complexity. Let� � � �

be the memory requirement of � . By taking the variables of � � . � / � � �into

account, follows:

Theorem 6 The memory requirement of � � � � � � �is � ( �� ( � ) �� ( � ) �

� � � �) bits per processor.

Time Complexity. The time complexity of �(� � � � � �depends on both � � . � / � � �

and � . Of course, thetime complexity of � � . � / � � �

matches that of ��e�f except for a constant factor. Then, as � can be anyprotocol satisfying �(� � � - � ' � �46 (&�� & , � �

, the general time complexity of � � � � � � �varies according to

the instance of � we used.

We first evaluates some complexity results on �(� � � � � �in terms of rounds. To that goal, we need some

notations about the complexity of � in term of rounds: let � � � � �be the maximal overcost of rounds (starting

from any configuration) due to � before '*' � � � � �starts and let � � � � �

the number of rounds that � requiresto perform the task & starting from the configuration generated by � 8 �&6 � / .Theorem 7 If � satisfies � � � � - � ' � � 6 (&�� & , � �

, then, starting from any configuration where r requests a'(' � � � � �

wave, the requested '(' � � � � �wave is initiated in � ( ��

� � � � � �) rounds.

Proof. Assume that, from a configuration ; � , r requests a wave of '(' � � � � �(i.e., < � � �� &/ �� 6�� % � .0/ � r �

is satisfied). According to � 8 � �0 % � .0/ � , three cases are then possible:

� � 8 � � % � .0/�� % / in ;�� . In such a configuration, � � is enabled (the guard of � � is < � � �� 2/ �� 6 -� �0 % � .0/ � r � � � � � % � .0/ � � � % / � ). Also, no action of � � � � � � �

can modify � 8 � � % � . / � untilr sets � 8 � � % � .0/�� to � � � / by � � . So, �� is continuously enabled at r and, r executes �� , i.e.,� 8 � � % � .0/�� ! � � � � / , in at most one round. Then, � 8 � � % � .0/�� is continuously equal � � � / until rinitiates '*' � � � � �

by � - � � / �� 6 (see Algorithms 1, 2, and Definition 5, Claim 2). Also, as � doesnot write into the � � . � / � � �

variables (Assumption 1), we can deduce from Property 1 (Claim 2) andRemark 2 that, in the worst case, the system reaches a configuration ; from which � ' � ��( � ��.0/ � ' � iscontinuously satisfied and no action of � � . � / � � �

different of � - � � / �� 6 at r is enabled until r executes� - � � / �� 6 in at most � � � rounds. Now, in at most � � � � �

rounds from ;� , the system reaches a con-figuration ; � from which � 8 � 6 ( � ' � is continuously satisfied until an action of � � . � / � � �

that makes

11

� 8 � 6 ( � ' � false. Thus, � - � � / �� 6 becomes continuously enabled at r from ; � and r executes � - � � / �� 6in the next round. Hence, starting from any configuration where � 8 � � % � .0/ � � � % / , '*' � � � � �

isinitiated in at most ��

rounds.

� � 8 � � % � .0/�� 6 in ;�� . As � does not write into the � � . � / � � �variables (Assumption 1), we can

deduce from Property 1 (Claim 2) and Remark 2 that, in the worst case, the system reaches a con-figuration ; from which � ' � ��( � ��.0/ � ' � is continuously satisfied and no action of � � . � / � � �

differentof � - � � / �� 6 at r is enabled until r executes � - � � / �� 6 in at most � � � rounds. Then, in at most��

rounds from ;� , the system reaches a configuration from which � 8 � 6 ( � ' � is continuously sat-isfied until an action of � � . � / � � �

that makes � 8 � 6 ( � ' � false is executed. As � - � � / �� 6 is disableduntil � 8 � �0 % � .0/�� / , two rounds are necessary so that � 8 � � % � . / � switches from ��6 to � % / by! - � � / �� 6 ( � ' � ��( � ��.0/ � ' � � � � � � l �

) and from � % / to � � � / by Action �� . Then, � - � � / �� 6 will becontinuously enabled at r and r will execute it in the next round. Hence, starting from any configurationwhere � 8 � �0 % � .0/ � � ��6 , '*' � � � � �

is initiated in at most � � � � � � �� rounds.

� � 8 � � % � .0/�� / in ;�� . In this case, the system has to perform a complete � � � � � � �wave before

r satisfies � 8 � �0 % � .0/ � � � % / . A '(' � � � � �wave becomes by a reset of the � variables (a � � . � / � � �

wave). During the reset, � does not write into the � � . � / � � �variables by Assumption 1. So, actions of

� � . � / � � �are executed like in ��e.f except for � - � � / �� 6 at r (which now also depends on � 8 � 6 ( � ' � ).

So, compared to the round complexities of a complete PIF wave (at most �� rounds, by Prop-erty 1 Claim 3) and similary to the previous cases, we have an additional cost of � � � � �

rounds before'*' � � � � �

starts. After the initialization action ( � - � � / �� 6 at r), � 8 � �0 % � .0/ � � ��6 and � � . � / � � �

works with a same cost than ��e�f . So, the cost of the reset is globally in at most �� rounds. After the reset, the system is in the configuration generated by � 8 ��6 � / ( '*' � � � � �

is snap-stabilizing by Theorem 5) and �&�� , � � � l (indeed, Property 1 Claim 1 implies that the abnormalbehaviors related to ��e�f are erased from the system during the first wave, so, this configuration cor-responds to the normal starting configuration of ��e�f ). Hence, � � � � �

additional rounds are necessaryto perform the specific task & . Finally, after performing & , the system is still in a configuration where�2 � � , � � � l and '(' � � � � �

terminates the wave with ! - � � / �� 6 : � 8 � � % � . / ��! � � % / in onestep (resp. round) because r is the only enabled processor. Similary, r then executes � � followed by � -� � / �� 6 in two steps (resp. rounds). Hence, starting from any configuration where � 8 � �0 % � .0/ � � � � � / ,'*' � � � � �

is initiated in at most ��

rounds.

�

Corollary 1 If � satisfies � � � � - � ' � �46 (2�� & , � �, then, starting from any configuration, a complete re-

quested � �� wave is executed in � ( � � � � � � �

� � � � � �) rounds.

We now evaluates some complexity results on �(� � � � � �in terms of steps. To that goal, we now need some

notations about the complexity of � in term of steps: let � � � �be the maximal number of actions of � that

can be executed before an action of � � . � / � � �.

Theorem 8 If � satisfies � � � � - � ' � � 6 (&�� & , � �, then, starting from any configuration where r requests a

'(' � � � � �wave, the requested '(' � � � � �

wave is initiated in � ( � � � � � � � � �) steps.

Proof. In the proof of Theorem 7, we have seen that, in the worst case, a requested '(' � � � � �wave

is initiated after a complete unrequested wave of '*' � � � � �. By Property 1 (Claim 3), we know that this

unrequested wave contains � ( � � � � ) actions of � � . � / � � �(i.e., the steps complexities of ��e.f except for a

constant factor due to the ! - � � / �� 6 which is thus eliminated). Also, we have stated that at most � � � �actions

of � are executed between each action of � � . � / � � �. Hence, a loose estimate (in terms of steps) of the delay

to start a requested � � � � � � �wave corresponds to the product of these two complexities and the theorem

holds.�

12

Algorithm 3 �%f ' for �� rInput : �.� ��G� : set of neighbors (locally ordered);

Variables: �`� & ��'EGP ��4��Z = � P , a C ,I �2P � ; � � N]N � � �.� �� "#J! � , # L C@�M� ;

Macros:� � � #�� '&B� �� )��*+* �d� N]N , � � � ;�� P � � ( &`� min � �'& � � �.� ��G� *+* �d� N]N , � � �"#J! �M� ) if & exists, # L C@� otherwise;a C � P � � � � N]N � * � �"#J! � ;Predicates:� L�� FH= � # 6 ��8 :

( �d� NGN �� #7! � )� = N � FH= � # 6 ��8 :( X &(� �.� ��*+* � � N]N � �U& /S�d� N]N , � # L C0� )^ ��ML�� 6 ��8 :( �d� NGN � -� # L C@� ) / [( � � � � # � � -� � ) W (( �d� N]N �B� �"#J! � ) / ( X &B� �� )� � *+* �d� NGN , -� �"#J! � ))]^�C # 6 �98 :( �d� NGN �� # L C@� )

Actions :^ �� - = N P � L C *+* ^ ��ML�� 6 ��8 _ �d� N]NQ��* � # L C0� ;��F # - = N P � L C *+* � L�� FH= � # 6 ��8 _ �d� N]N � * � �� P � ;� F # - = N P � L C *+* � = N � FH= � # 6 ��8 _ �d� N]N � * � �� P � ;

Corollary 2 If � satisfies � � � � - � ' � �46 (2�� & , � �, then, starting from any configuration, a complete re-

quested � �� wave is executed in � ( � � � � � � � � �

) steps.

4 Some Examples

In this section, we present two applications for our transformer: a depth-first search (� � � ) wave protocol and

a breath-first search ( � �� ) wave protocol. These two protocols are neither self- nor snap- stabilizing but wewill prove that they are SSBB-Friendly (Definition 5). So, by combining these protocols with our transformer( '(' � � ), we will obtain snap-stabilizing wave protocols for the depth-first search and the breath-first search,respectively.

4.1 Depth-First Search

In arbitrary rooted networks, a depth-first search (� �� ) wave protocol executes depth-first token circula-

tions noted� � ! l : a token is first created at the root and, then, is passed from one processor to another in a

depth-first order such that every processor eventually gets it during a single circulation. We now present a pro-tocol called � f ' (Algorithms 3 and 4). We then prove that �%f ' satisfies � � � � - � ' � �46 (2� � � � � ! l , � � �

.Hence, we will conclude that '(' � � � �%f ' �

is a snap-stabilizing� �� wave protocol.

We first exhibit a configuration from which � f ' executes a� � ! l . Consider the configuration ;�

where �&�� , � % �� (2� � . Starting from ;�� , � f ' works as follows. In ;�� , �� ( - � � / �� 6 at r is the onlyenabled action of the system. So, r initiates the protocol by creating a token with �� ( - � � / �� 6 in ;� �+ ;�� :using Macro �� / � , points out with � % � � � its minimal neighbor by the local order � � meaning that it is itssuccessor in the circulation, i.e., the next processor to receive the token. Then, at each configuration and untilthe circulation terminates, exactly one processor is enabled and two cases are possible for :

- satisfies ( � % �� (2� � ) �( �$ � � � ��4� !#! � % � � & � ). In this case, designated h� r as

its successor in the circulation and executes �� ( - � � / �� 6 to receive the token for the first time inthe circulation. By �� ( - � � / �� 6 , chooses a successor, if any. For this task, two cases are possibleaccording to Macro � �� / � :

a) �&�" � �� 4� , � % �� h� � (&� � , i.e., all neighbors of have already received the token. So, sets� % � � � to ( � 6 � meaning that the circulation from it-self is locally terminated.

b) Otherwise, chooses as successor its minimal neighbor (by � � ) satisfying � % � � � � (2� � .- satisfies � % � � � � such that �5� � ��4�� % � � & � ( � 6 � meaning that designated as its successor

and the circulation from is terminated. Then, backtracks the token to continue the circulation usinganother neighboring processor which is still not visited, if any. So, executes �� ( - � � / �� 6 to designatea new successor as previously explained.

13

Algorithm 4 �%f ' for h� rInput : �.� ��G� : set of neighbors (locally ordered);

Variable: � � N]N � � �� #7! � , # L C0�� ;Macros:� � � #�� '&B� �� )��*+* �d� N]N , � � � ;�� P � � ( &`� min � �'& � � �.� ��G� *+* �d� N]N , � � �"#J! �M� ) if & exists, # L C@� otherwise;a C � P � � � � N]N ��* � �"#J! � ;Predicates:� L�� FH= � # 6 ��8 :

( � � � � # � � � � ) / ( � � N]N �� "#J! � )� = N � FH= � # 6 ��8 :( X &(� �.� ��*+* � � N]N � �U& /S�d� N]N , � # L C0� )^ ��ML�� 6 ��8 :( �d� NGN � -� # L C@� ) / [( � � � � #'� � � � ) W ( �d� N]NQ� -� �"#J! �5/ � � � � #'� � � � )W

(( �d� N]N �� "#J! � ) / ( X &�� .� �� *+* � � N]N , � # L C@� ))]Actions :^ �� - = N P � L C *+* ^ ��ML�� 6 ��8 _ �d� N]NQ��* � # L C0� ;��F # - = N P � L C *+* � L�� FH= � # 6 ��8 _ �d� N]NQ��* � �� P � ;� F # - = N P � L C *+* � = N � FH= � # 6 ��8 _ �d� N]N � * � �� P � ;

By this mechanism, the circulation visits all processors of the network in a depth-first order and r eventuallyexecutes � % � � � � ( � 6 � meaning that the circulation is terminated. Note that, from this configuration, allprocessors are disabled forever.

From the previous discussion, we know that, from ; � , at each step exactly one action is executed: �� ( -� � / �� 6 or �� ( - � � / �� 6 . Moreover, we can remark that when a processor executes one of these actions:

- Either it sets � % � � � to ( � 6 � and becomes disabled forever.

- Or it designates with � % � � � a neighboring processor such that ( h� r� � % � � & � � (&� � ) and does not

execute any action until � % � � & � ( � 6 � .So, starting from ;�� and until the system reaches a terminal configuration, �� actions are executed todesignate successors and � actions are executed to set � % � � variables to ( � 6 � despite the daemon we assume.Hence, the following lemma holds:

Lemma 3 From ; � , � f ' executes a� ��! in � � � steps (resp. rounds) despite the daemon.

By Lemma 3, �%f ' satisfies Claim 2 of Definition 5 for an unfair daemon. We now show that Predicate�%f ' 8 � 6 ( � ' � satisfies � ' � �� 6 � ��6 � � � �

(Claim 1 of Definition 5). To that goal, we use the followingscheme of proof:

��we first show that � f ' 8 � 6 ( � ' � satisfies � ' � �� 6 � �&6 � ��

;��

we then show that ev-ery execution of � f ' contains a finite number of steps. By these two assertions, it is clear that �%f ' 8 � 6 ( � ' �satisfies � ' � �� 6 � �&6 � � � �

. Indeed, by��

, we can claim that each result about �%f ' holding for a weaklyfair daemon also holds for an unfair daemon.

To prove that �%f ' 8 � 6 ( � ' � satisfies � ' � �� 6 � ��6 � �� , we need to show that, starting from any con-

figuration (in particular, a configuration different of ; � ), the system reaches in a finite number of rounds aconfiguration from which �%f ' 8 � 6 ( � ' � is continuously satisfied. The behavior of �%f ' starting from a con-figuration different of ; � is the following: when a processor locally detects that the system is not in ; � ,it definitively sets � % � � � to ( � 6 � by � ' ' - � � / �� 6 which is the action having the highest priority (rememberthat the priorities follow the order of appearance of actions into the text of the algorithms). In the following,we will show that, thanks to � ' ' - � � / �� 6 , even if the system starts from a configuration different of ; � , thesystem will reach a configuration from which � f ' 8 � 6 ( � ' � is continuously satisfied in � ( � ) rounds. First,( � % � � � � ( � 6 � ) � � � ' ' � ' � � , so, the following result is trivial:

Lemma 4 After executing � ' ' - � � / �� 6 , any processor satisfies � � ' ' � ' � �forever.

We now introduce the notion of successor path which is used in the following proofs.

Definition 7 The sequence of processors �"�� , � , � , 84848 , � is called a path if � �, � � � �

, � �5� � �� .The processors � and � are termed as the extremities of � . � is an elementary cycle if and only if � �

,� �

� � � � � , � h� and � � � .

14

Definition 8 [Successor Path] A path �� , �� , ..., � is called a successor path if and only if � �,� � � � � ,

� % �� .Lemma 5 If � ,�� such that � ' ' � ' � �

, then �$ �� such that � ' ' - � � / �� 6 is continuously enabled at until executes it.

Proof. Let � be an execution of � f ' . Assume, by the contradiction, that, �2;��5� such that some processorssatisfying � ' ' � ' in ; but each of them eventually satisfies � � ' ' � ' without executing � ' ' - � � / �� 6 . Let beone these processors. According to � ' ' � ' � � , satisfies one of the following cases in ; :

a) ( h� r� � % �� (&� � �

( �$ � �� !#! � % �� & � ( � 6 � )). � ' ' - � � / �� 6 is action of havingthe highest priority. So, while � ' ' � ' � � , cannot execute any action and, by the contradiction, eventually moves so that � ' ' � ' � � becomes false. Now, as � % � � & � ( � 6 � , is disable forever (see thealgorithm), a contradiction.

b) ( h� r� � % �� 4� � � g ' � ( � � � �

). � ' ' - � � / �� 6 is action of having the highest priority. So,while � ' ' � ' � �

, cannot execute any action and, by the contradiction, at least one neighbor of , ,eventually sets � % � � & to so that � g ' � ( � � becomes greater than 0. By Macro �� / & , � � �� 4� , can set � % � � & to only if � % � � � � � (&� � . So, while does not execute � ' ' - � � / �� 6 , � g ' � ( � � remainsequal to 0 and � ' ' - � � / �� 6 is continuously enabled at , a contradiction.

c) ( h� r� � % � � � h� ( � 6 � � � g ' � ( � � � ). In this case, there exists at least one successor path such

that its final extremity is and its initial extremity is a processor satisfying � � or� �

. In this case,� ' ' - � � / �� 6 is continuously enabled at , a contradiction.

d) ( � r� � % � � � � � (&� � � ( �$ � �� 4� !#! � % � �1� h� � (&� � )). � ' ' - � � / �� 6 is action of having the highest

priority. So, while � ' ' � ' � � , cannot execute any action and, by the contradiction, eventually movesso that � ' ' � ' � � becomes false. Now, from the algorithm, we know that no action at sets � & to

� (2� � .Hence, no action of can make � ' ' � ' � � false, a contradiction.

e) (5� r� � % � � � h� ( � 6 � � � g ' � ( � ��h� �

). If � % � � � � � (&� � , then r also satisfies � � , a contradiction. So,� % � � � �5� � �� and two subcases are possible:

- There exists a successor path such that its final extremity is ' and its initial extremity is a processor satisfying � � or

� �. In this case, � ' ' - � � / �� 6 is continuously enabled at , a contradiction.

- There exists an elementary cycle � , � , ..., � such that�� r,

�� ,� � � � � ,

� � � �,�� , and�� g ' � ( �� &� . While r is in such a cycle, r is the only enabled processor in

the cycle and can only execute � ' ' - � � / �� 6 ( � ' ' - � � / �� 6 is the action having the highest priority).So, by the contradiction, at least one neighbor �" of a non-root processor in the cycle eventuallymoves so that satisfies � g ' � ( & � � . Now, by Macro �� / & � , � " � �� & , " can execute� % � � & � ! � only if � % � � & � � (2� � , a contradiction.

Hence, each time there exists some processors satisfying Predicate � ' ' � ' , there exists at least one processor such that � ' ' - � � / �� 6 continuously enabled at until executes it, and the lemma holds.

�

Lemma 6 Assuming a weakly fair daemon and starting from any configuration, the system reaches a config-uration where, �& � � , satisfies � � ' ' � ' � � after at most � rounds.

Proof. By Lemma 5, we know that while there exists processors satisfying Predicate � ' ' � ' , at least one ofthem, , has its � ' ' - � � / �� 6 continuously enabled and, as the daemon is weakly fair, executes � ' ' - � � / �� 6in at most one round. By Lemma 4, after executes � ' ' - � � / �� 6 , it satisfies � � ' ' � ' � � forever. So, thenumber of processors satisfying � � ' ' � ' forever increases of at least one unity per round until the systemreaches a configuration ; where � � � , � � ' ' � ' � � and ; is reached in at most � rounds.

�

Lemma 7 Assuming a weakly fair daemon and starting from any configuration, the system reaches a config-uration from which � f ' 8 � 6 ( � ' � is continuously satisfied in at most � � � rounds.

15

Proof. By Lemma 6, starting from any configuration, the system reaches a configuration ; where, �&�� , satisfies � � ' ' � ' � � in � rounds with � � � . By checking Predicate � ' ' � ' � � , we can then deduce that,�&5� � , satisfies the following assertions in ; :

a) ( h� r� � % � � � � � � �� )

�( � g ' � ( � �� ).

b) ( � r)�

( � g ' � ( � �)� �).

c) ( � % �� (2� � ) � (� � �� !#! � % � � &Uh� ( � 6 � ).By � � and � � , we can remark that �&5� � such that � % � � � � �� 4� in ; :

- Either is into a successor cycle containing non-root processors only.

- Or is into the traversal from the root and this traversal shapes an elementary successor path having ras initial extremity.

From ; and until � � � ( � 6 � , only the traversal from r can progress. This progression is performed sequen-tially by the execution of one �� ( - or �� ( - � � / �� 6 per step. At least � processors satisfies � % �� ( � 6 �in ; , so, from ; , at most � � � processors can participate to this traversal and the traversal is performed in atmost �� steps (resp. rounds). Hence, starting from any configuration, �%f ' locally terminatesat r after at most � � � �� rounds. Of course, the worst case of this complexity is obtained with� � �

, i.e., � � � rounds.�

By Lemma 7, Predicate �%f ' 8 � 6 ( � ' � satisfies Claims 1 and 4 of Definition 4 under a weakly fair daemon.Also, we already know that starting from ; � , �%f ' 8 � 6 ( � ' � is satisfied only when the traversal is termi-nated (Claim 2 of Definition 4). Finally, by checking the actions of Algorithms 3 and 4, we can state that�%f ' 8 � 6 ( � ' � satisfies Claims 3 of Definition 4. Hence, follows:

Lemma 8 � f ' 8 � 6 ( � ' � satisfies � ' � �� 6 � ��6 � �� .

By checking the actions of Algorithms 3 and 4, we can state that �%f ' verifies Claim 3 of Definition 5. So,by Lemmas 3 and 8, follows:

Lemma 9 � f ' satisfies � �� - � ' � � 6 (&�� ! , �� .

The next lemma proves that the results obtained with a weakly fair daemon also holds with an unfair daemon.

Lemma 10 Starting from any configuration, �%f ' terminates in at most� � � � � � steps.

Proof. In �%f ' , each time a processor executes an action either it points out a processor with � % � �4� or itsets � % � � � to ( � 6 � .

� If sets � % � � � to ( � 6 � , then becomes disable forever. So, �2=�=� , executes � % � � � ! � ( � 6 � atmost once during the execution.

� executes � % � � � ! � with ��"�� 4� (by �� ( - � � / �� 6 or �� ( - � � / �� 6 ) only if � & � � (&� � . Then, will be enabled to choose another successor (by � � ( - � � / �� 6 ) only when � & � ( � 6 � . So, cansuccessively designate each of its neighbors at most once (i.e., � actions) before setting � % � � � to ( � 6 � .

Hence, each processor ( � ) executes at most � � actions during an execution of �%f ' and the lemma holds.�

By lemmas 9 and 10, follows:

Lemma 11 � f ' satisfies � �� - � ' � � 6 (&�� ! , �� .

By lemma 11 and Theorem 5, follows:

Theorem 9 � �� %f ' �is a snap-stabilizing

� �� wave protocol under an unfair daemon.

16

We already proposed in [9, 10] two snap-stabilizing� �� wave protocols for arbitrary rooted network work-

ing under an unfair daemon. The time complexities of the protocol in [9] are very efficient. Indeed, using thisprotocol, a complete

� � ! l is executed in � ( � ) rounds and � ( � � ) steps, respectively. However, the draw-back of the solution is its high memory requirement which is in � ( � � �� ) bits per processor. In [10],we solve this drawback by proposing a protocol using � ( �� ) bits per processor. Unfortunately,the times complexities of this latter protocol are greater than those of [9]: a complete

� � ! l is executedin � ( � � ) rounds and � ( � � ) steps, respectively. Now, the complexity analysis of '(' � � � �%f ' �

below willreveal that '(' � � � � f ' �

solves almost all the drawbacks of the previous solutions.

Complexity Analysis of SSBB(DFS). By checking Algorithms 3 and 4, we can state that the space require-ment of �%f ' is � ( ��7� ) bits per processors. So, by Lemma 6, � � � � � � f ' �

requires � ( �� )bits per processor. Concerning the time complexity, the delay to start a requested

� � ! l , starting from anyconfiguration, is in � ( � ) rounds (by Theorem 7, Lemmas 3 and 7) and � ( � � � � � ) steps (by Theorem 8and Lemma 10). Finally, starting from any configuration, a complete requested

� � ! l is executed in � ( � )rounds (by Corollary 7, Lemmas 3, and 7) and � ( � � � � � ) steps (by Corollary 8 and Lemma 10). Finally,the code of our protocol is very similar to the code of the non-fault-tolerant basic solution and is simpler thanthat of [9, 10] and of any self-stabilizing DFTC of the literature.

4.2 Breath-First Search

In arbitrary rooted networks, a � �� protocol builds a breath-first spanning tree rooted at r, i.e., a tree con-taining all processors of the network and such that the distance of each processor along the tree to the root isthe smallest one. In the following, we will note � �� ! l (i.e., Breath-First Spanning Tree Construction) sucha task. Several self-stabilizing � �� protocol are proposed in the literature, e.g., [2, 22, 19, 16, 20]. In [1, 18],authors proposed a general scheme allowing, in particular, to implement a � �� protocol. Protocols proposedin [22, 1, 20, 18] run assuming an unfair daemon. However, except for [20], all these papers present silentprotocols, i.e., using the protocol, the system converge to a fix point. A drawback of such solutions is thatno processor is able to detect the termination of the protocol. The protocol of [20] is a self-stabilizing � ��wave protocol. In such a protocol, each wave terminates at the root by a particular action. However, as theprotocol of [20] is not snap-stabilizing, the root cannot detect when the system is stabilized. So, when a waveterminates at the root, the root cannot detect if a complete � � � spanning of the network is available. Finally,the transformer of [8] allows to snap-stabilize any distributed non-self-stabilizing � �� protocol, e.g., bycombining this transformer with the protocol of [3], we obtain a snap-stabilizing � � � wave protocol. An im-portant advantage of such a � �� wave protocol is that the root will know that a complete � �� spanning ofthe network is available: at the termination of the first wave. However, any solution built with the transformerof [8] works under a weakly fair daemon only. Hence, we now propose to design a snap-stabilizing � ��wave protocol working under an unfair daemon using our transformer. To that goal, we propose a protocolcalled �.f ' which satisfies � �� - � ' � � 6 (&�� ! l , � � �

(this protocol is based on the work in [3]).We first exhibit a configuration from which �.f ' executes a � �� ! l . Consider the configuration ;�

where, �& �9� , � /1�2/ % . � � � (&� � . Starting from ;�� , �.f ' builds a � � � spanning tree of the network byphases: during a � P phase, all processors at a distance of � from r hook on to the tree. Eventually, r detectsthe phase endings and initializes new phases until the construction is done. At the beginning of Phase 1 (i.e.,the system is in ;�� ), �� ( - � � / �� 6 at r is the only enabled action of the system. So, r initiates the protocol bysetting � / �&/ % . � to � in ;�� + ;�� . Then, all its neighbors, , become enabled to execute � � - � � / �� 6 . Bythis action, each hooks on to the tree: � / �2/ % . � switches to � , g � points out to r, and � � is set to � � � , i.e.,1. When all neighbors of r has joined the tree, r satisfies � �� g�� . � � r �� 6 � . � �

r�, i.e., Phase 1 is done

and r becomes enabled to initiate a new phase by �� - � � / �� 6 . r begins Phase 2 by initiating a reset of the� / �&/ % . variables in the tree: � /1�2/ % . � switches to � � . � / . Then, the neighbors of r also executes � �� - � � / �� 6to propagate the reset. When all neighbors of r have switched to their � / �&/ % . variable to � � . � / , r initiates thepropagation of a new � value into the tree ( �� ( - � � / �� 6 ) meaning that the neighbors at distance 2 have nowto hook on to the tree. When a neighbor of r, , receives the � value, two cases are possible:

17

Algorithm 5 �.f ' for �� rInput : �.� ��G� : set of neighbors (locally ordered);

Constants: � �� ; � � � � ;Variables: �`� & ��'EGP � �4��Z = � P , a C ,

I �2P � ; � P =JP"�9E � �4� ��#7! � , �D�'E��GP , � , # L C0�� ;Macros: �� "!$# � ��C ��%�'&B� �� )� � *+* �dP =7P"�9E , -� �"#J! �5/.� , � � � ; a C � P �� P =JP"�9E � * � �"#J! � ;Predicates:� � C � E� 06 �98 :

( ; &�� !Y# � �GC � *+* �dP =7P"�9E , � # L C0� )��GF�� 2=OE��76 ��8 :( �dP =JP"�@E � � � ) / [ ; &(� �� B*+* ( �dP =7P"�9E],�-� �"#J! � ) / ( &B� �� "!Y# � �GC � 3 �dP =JP"�@E], �� , # L C0�� )]�dP = � PQ6 ��8 :( �dP =JP"�@E � � �"#J! � ) / (; &(� �� *+* �dP =JP"�@E , �4� ��#7! � , # L C0�� )�D�'E��GP I�� 6 ��8 :( �dP =JP"�@E � � �D��EG��P ) / ( ; &�� "!$# � ��C � *+* �dP =7P"�9E , �4� �`��E��GP , # L C@�M� )� L�� FH= � # 6 ��8 : � P = � PQ6 ��8 W �D�'E��GP I � 6 ��8^�C # 6 �98 :( �dP =JP"�@E � � # L C0� )

Actions :��GF - = N P � L C *+* �.��F�� 2=OE��J6 ��8 / � � � C � EG d6 ��8 _ � P =JP"�9E � * � �D�'E��P ;��F # - = N P � L C *+* � L�� F�= � # 6 ��8 _ � P =JP"�9E � * � � ;� L C@� - = N P � L C *+* �.��F�� 2=OE��J6 ��8 /.� � C � E� 06 ��8 _ � P =JP"�9E ��* � # L C0� ;Algorithm 6 �.f ' for h� rInput : �.� ��G� : set of neighbors (locally ordered);

Variables: �dP =JP"�@E �.�� "#J! � , �`��EG��P , � , � , # L C0�� ; � �� .� �� ; � �.� � ;

Macros:�� "!$# � ��C � � �'&(� �� *+* �dP =JP"�@E],�-� �"#J! �5/.�0, � � � ;� L P �GC@P � = ! � � �'&(� �� *+* �dP =JP"�@E], � �(� ;� � C@� L P ��C9P � = ! � � min( � � , *+* &B� � L P ��C9P � = ! � � );a C � P � � �dP =7P"�9E � * � ��#7! � ;Predicates:� � C � E� 06 �98 :

( ; &�� !Y# � �GC ��*+* �dP =7P"�9E], � # L C0� )�<��=?>@6 ��8 :[ ; &�� )� � *+* ( � , � � ) 3 ( �dP =JP"�@E , �� "#J! � , # L C@�M� )]� L'L � 6 �98 :( �dP =JP"�@E � � �"#J! � ) / ( X &B� �� *+* �dP =JP"�@E , � � ) /.�<�'=O>@6 ��8��GF�� 2=OE��76 ��8 :( �dP =JP"�@E � �A� ) / ( � P =JP"�9E�� `��EG��P ) / ( ; &�� "!$# � ��C �*+* �dP =7P"�9EG, �4�� , # L C0�M� )� L�� FH= � # 6 ��8 :( �dP =JP"�@E � � �D��EG��P ) / ( �dP =JP"�@E � � � ) / ( ; &�� !Y# � �GC � *+* �dP =7P"�9E , �4� �`��EG��P , # L C0�M� )� = N � P � = N � 6 ��8 :( �dP =JP"�@E � � � ) / [ ; &(� �� *+* ( �dP =7P"�9E , -� �"#J! � ) / ( &B� �� "!Y# � �GC � 3 �dP =JP"�@E , �� , # L C0�� )]� L�L # �`��E��GPQ6 ��8 :( �dP =JP"�@E � � �D��EG��P ) 3 ( � P =JP"�9E�� `��E��GP , �(� )� L�L # �6 ��8 :( �dP =JP"�@E � � � ) 3 ( �dP =7P"�9E � � � )� L�L # � 6 �98 :( �dP =JP"�@E � �A� ) 3 ( � P =JP"�9E��4� �"#J! � , # L C0�� )� L�L # �1��7� ! 6 ��8 :( �dP =JP"�@E � -� �"#J! � ) 3 ( � � � � � � � )^ ��ML�� 6 ��8 :( �dP =JP"�@E � -� # L C0� ) / (

� � L�L # �`��EG��PQ6 �98 W � � L'L # �6 ��8 W � � L�L # � 6 �98 W � � L�L # �1��7� ! 6 �98 )Actions :^ �� - = N P � L C *+* ^ ��ML�� 6 ��8 _ �dP =7P"�9E � * � # L C@� ;� � - = N P � L C *+* � L�L � 6 ��8 _ �dP =7P"�9E � * �U� ; � � * � min � ( � L P ��C9P � = ! � ); � � * � � �� ;��GF - = N P � L C *+* �.��F�� 2=OE��J6 ��8 _ �dP =7P"�9E �.* � �`��EG��P ;��F # - = N P � L C *+* � L�� F�= � # 6 ��8 _ �dP =7P"�9E � * � � ;� N � - = N P � L C *+* � = N � P � = N � 6 ��8 / � � � C � E� 06 ��8 _ �dP =7P"�9E � * �U� ;� L C@� - = N P � L C *+* � = N � P � = N � 6 ��8 /S� � C � E� 06 ��8 _ �dP =7P"�9E � * � # L C@� ;

- has no neighbor at distance 2. So, satisfies � � � ��/ ')� � � � � � � � 6 � . � � � and sets � /1�2/ % . � to ( � 6 �by

� � 6 � - � � / �� 6 meaning that its subtree is completely built.

- has at least one neighbor, , at distance 2. Then, joins the tree by hooking on to the minimalprocessor (of the tree) satisfying � / �&/ % . � � using � & ( � � - � � / �� 6 ). When detects that all itsneighbors have joined the tree, it switches � / �&/ % . � to � by � � � - � � / �� 6 .

When all neighbors of r have switched their � / �2/ % . variable to � or ( � 6 � , r detects the end of Phase 2 andbecomes enabled to initiate a new phase. Inductively, the other phases works as follows. r is enabled toinitiate the � P phase (with �9� � ) when � / �&/ % . � � � � �&�� , � /1�2/ % . � � � � , ( � 6 � � . The � P phase begins with a reset initiated by r ( � �� - � � / �� 6 ). When �& � � � �� , � /1�2/ % . � � � � � . � / , ( � 6 � � , rinitiates the propagation of a new � value in the tree meaning that the neighbors at distance � have now tohook on to the tree. The � value is propagated in the tree in the following way: when a processor hasits parent in the tree, g & , such that � /1�2/ % . �0, � � , waits until all its childrens in the tree (if any) satisfies� / �&/ % . � � � � . � / , ( � 6 � � , and, after, propagates the � value (see Predicate � � ' � �&')( � � ). Eventually, one ofthese two cases appears:

- A � value reaches a processor such that all its children is the tree satisfies � / �2/ % . � ( � 6 � (i.e.,

18

satisfies � � � ��/1')� � � � � � � � 6 � . � � � ) and sets � / �2/ % . � to ( � 6 � (by�

- � � / �� 6 ) meaning that itssubtree is completely built.

- A � value reaches a leaf � � of the tree. If � � has no neighbor at distance � , � � satisfies � � � ��/ ')� � � � � �� 6 � . � � � and sets � / �&/ % . ! > to ( � 6 � by

� � 6 � - � � / �� 6 . Otherwise, � � has then at least one neighbor, ,at distance � . In this case, joins the tree by hooking on to the minimal processor (of the tree) satisfying� /1�2/ % . � � by � & ( � � - � � / �� 6 ). When � � detects that all its neighbors have joined the tree (i.e., � �satisfies � � � ��/ ')� � � � � � � � � � � 6 � . � � � � � ), it switches � / �&/ % . ! > to � by � � � - � � / �� 6 .

The � and ( � 6 � values are then propagated up into the tree (by � - � � / �� 6 or�

- � � / �� 6 ) and r eventuallysatisfies � / �2/ % . � � � � �&=�� , � / �&/ % . � � � � , ( � 6 � � again. In this case, if � =�� such that� / �&/ % . � � � and r initiates the � � P phase (by �� - � � / �� 6 ). Otherwise, the spanning tree is completelybuilt and r sets � / �&/ % . � to ( � 6 � (by

� � 6 � - � � / �� 6 ) meaning that the � �� ! l is completely done, i.e., thebreath-first search spanning tree is completely built.

As we have already say, starting from ; � , ��f ' builds a � � � spanning tree by phases: during the � P phase all processors at distance � from r hook on to the tree. Now, it is well-known that the height of a � ��spanning tree is

�where

�is the diameter of the network. So, from ; � , ��f ' executes exactly

�phases to

build the tree. Moreover, from the previous discussion, it is clear that each phase is performed in � (�

) round(resp. � ( � ) steps). Hence, the following lemma holds:

Lemma 12 From ;�� , �.f ' builds a � �� spanning tree in � (� � � ) steps (resp. � (

� � ) rounds) despitethe daemon.

By Lemma 12, �.f ' satisfies Claim 2 of Definition 5 for a unfair daemon. We now show that Predicate�.f ' 8 � 6 ( � ' � satisfies � ' � �� 6 � ��6 � ��

(Claim 1 of Definition 5). To that goal and as in Subsection 4.1,we first show that ��f ' 8 � 6 ( � ' � satisfies � ' � �� 6 � �&6 � ��

and, we then show that every execution of�.f ' contains a finite number of steps. To prove that �.f ' 8 � 6 ( � ' � satisfies � ' � �� 6 � ��6 � ��

, we need toshow that, starting from any configuration (in particular, a configuration different of ; � ), the system reachesin a finite number of rounds a configuration from which �.f ' 8 � 6 ( � ' � is continuously satisfied. When theprotocol starts from ; � , we can remark that each processor h� r maintains some properties based on thevalue of their variables and that of their parent: � � � ( � � . � / � � , � � � ( � � � , � �� ( � � � , and � �� ( � �� .Starting now from a configuration different of ; � , a processor h� r detects that it does not respect one of theseproperties by Predicate � ' ' � ' � � . If satisfies � ' ' � ' � � , then it simply corrects it by executing � ' ' - � � / �� 6which is the action having the highest priority. In the following, we will show that, thanks to � ' ' - � � / �� 6 ,even if the system starts from a configuration different of ; � , the system will reach a configuration from which�.f ' 8 � 6 ( � ' � is continuously satisfied in � (

� � � � ) rounds. To that goal, we first introduce some definitionsused in the proofs.

Definition 9 (BFSPath(p)) For any processor such that � /1�2/ % . � h� � (&� � , � � � g �2/ � � � is the unique path �� 84848 � � satisfying the following conditions:

1. � �, � � � � , g �� .

2. � �, � � � � , ( � / �2/ % . � � h� � (2� � ) � � � ' ' � ' � �� .

3. � � '�� ' ' � ' � �� /1�2/ % . � � ( � 6 � .Definition 10 (BFSTree � ) We define a set of processors � �� ! ' � � � as follows: For any processor , �� ! ' � � � if and only if � / �&/ % . � h� � (2� � and r is the initial extremity of � �� g �&/ � � � .Remark 3 Starting from ;�� , �& � � , � /1�2/ % . � � � (&� � or � � �� ! ' � � � .Definition 11 (Status-Trace) Let � be a tuple of processors ( � � � � , � , 84848 , � � ). � / �&/ % . - ! ')� � � � � � �� / �&/ % . �$� / �&/ % . � 84848 � /1�2/ % . � is the sequence of the values of Variable � /1�2/ % . on processors �� 84848 � �

.

Remark 4 �& � � such that � /1�2/ % . � h� � (&� � , � /1�2/ % . - ! ' � � � � � �� g �&/ � � � � � � � � � . � / � � � ( � 6 � �� . � / � � � ( � 6 � � � ( � 6 � � .

19

By executing � ' ' - � � / �� 6 , a processor sets � /1�2/ % . � to ( � 6 � . By checking the actions of ��f ' , we canremark that is then disable forever. So, � / �&/ % . � remains equals to ( � 6 � forever and the following lemmaholds:

Lemma 13 After executes � ' ' - � � / �� 6 , it satisfies � � ' ' � ' � � forever.

Lemma 14 �&5� �� r � , if enabled at , then � ' ' - � � / �� 6 remains enabled until executes it.

Proof. Let ; �+ ; " be a step. Assume, by the contradiction, that � �9�� r � such that � ' ' - � � / �� 6 isenabled at in ; and not in ; " but did not execute � ' ' - � � / �� 6 in ; �+ ; " .

First, as � ' ' - � � / �� 6 is the action of having the highest priority, cannot execute any action in ;!�+ ; " .Then, Predicate � ' ' � ' � � only refers to the variables of and that of its neighbor such that g � �9 . So, bythe contradiction, executes an action in ;,�+ ; " so that � � ' ' � ' � �

in ; " . Moreover, by the contradiction, does not satisfies � ' ' � ' � � . Otherwise, can only execute � ' ' - � � / �� 6 in ; �+ ; " and if executes it, then� & ! � ( � 6 � and still satisfies � ' ' � ' � �

in ; " .According to the state of ( satisfies � ' ' � ' � �

in ; ), we now study the four following cases:

1) satisfies � � � � ( � � . � / � � in ; . In this case, � / �&/ % . � � � � . � / � � / �&/ % . & � � � (&� � , � , ( � 6 � � in ; . As executes an action in ;!�+ ; " , this means that � /1�2/ % . &ch� ( � 6 � in ; . So, � / �2/ % . & � � � (&� � , � � in ; .� Assume that � r. Then, � /1�2/ % . & � � (2� � and �� ( - � � / �� 6 is the only action that may execute

in ; �+ ; " . Now, � /1�2' / � � � � ��. � because � /1�2/ % . � � � � . � / . So, �� ( - � � / �� 6 is disable at in ; and executes no action in ;,�+ ; " , a contradiction.

� Assume that h� r. If � / �&/ % . & � � (2� � , then � � - � � / �� 6 is the only action that may execute in; �+ ;�" . Now, as � /1�2/ % . � � � � . � / , � � � � � � � � ��. � and � � - � � / �� 6 is disable at in ; . So,by the contradiction, � / �&/ % . & � � in ; . In this case, � �� - � � / �� 6 is the only action that mayexecute in ;,�+ ; " (remember that does not satisfy � ' ' � ' � � in ; ). Now, as � / �2/ % . � � � � . � / ,�� g�� $. � � � � � ��. � in ; . So, � �� - � � / �� 6 is disable at in ; and executes no action in; �+ ; " , a contradiction.

2) satisfies � � �� ( � � � in ; . Then, � / �&/ % . � �� / �&/ % . & �� (&� � , � � . � / , � , ( � 6 � � in ; . First, by areasonning similar to the one used in � , we know that � /1�2/ % . &�� (&� � , ( � 6 � � .� Assume that � r. In this case, � / �&/ % . & � � � . � / and �� ( - � � / �� 6 is the only action that may

execute in ;,�+ ; " . Now, as � / �2/ % . � � � � � l � � � (&' �46 & , � � . � / � � � � � � ��. � in ; . Hence,� � ( - � � / �� 6 is disable in ; and executes no action in ;,�+ ; " , a contradiction.

� Assume that h� r. Then, � /1�2/ % . & � � � � . � / , � � in ; . If � / �2/ % . & � � � . � / in ; , then �� ( -� � / �� 6 is the only action that may execute in ; �+ ; " . But, as � / �2/ % . � � � � � l�� (&' � 6�& ,� � ' � �&')( � � � � �2��. � in ; and �� ( - � � / �� 6 is disable at in ; . Hence, by the contradiction,� /1�2/ % . & � � in ; . In this case, may execute � � � - or

� � 6 � - � � / �� 6 in ; �+ ; " . But, as� /1�2/ % . � �� Vl � � � (&' �46 & , � � � ��/1')� � � � � � � ��. � in ; and these two actions are disableat in ; . Hence, executes no action in ;,�+ ; " , a contradiction.

3) satisfies � � �� ( � � � in ; . This case is similar to those of � and � � . So, we also obtain a contradiction.

4) satisfies � � � � ( � ��$� � � � in ; . If � / �2/ % . & h� � (2� � , then cannot modify � & or set � /1�2/ % . & to� (2� � in

; �+ ; " and still satisfies � ' ' � ' � � in ; " . So, by the contradiction, � /1�2/ % . & � � (2� � in ; .� Assume that "� r. As � /1�2/ % . & � � (2� � , �� ( - � � / �� 6 is the only action that may executein ; �+ ; " . Now, ( � ' ' � ' � � � � � �� ( � ��

)�

( g � � � � / �2/ % . � �� (2� � , ( � 6 � � ) and( � / �2/ % . � �� (&� � , ( � 6 � � ) � ( � � / �&' / � � ). So, �� ( - � � / �� 6 is disable at in ; and executes noaction in ;,�+ ; " , a contradiction.

� Assume h� r. As � /1�2/ % . & � � (&� � , � � - � � / �� 6 is the only action that may execute in ; �+ ; " .Now, ( � ' ' � ' � � � � � �� ( � ��$� � � � ) � ( g � � � � / �&/ % . � �� (2� � , ( � 6 � � ) and ( � /1�2/ % . � �� (&� � , ( � 6 � � ) � ( � � � � � � � ). So, � � - � � / �� 6 is disable at in ; and executes no action in; �+ ; " , a contradiction.

20

�

Lemma 15 Assuming a weakly fair daemon and starting from any configuration, the system reaches a con-figuration where, �& � � � � ' � , satisfies � � ' ' � ' � � forever after at most � rounds.

Proof. Let be a non-root processor satisfying � ' ' � ' � �in the initial configuration. By Lemma 14,

� ' ' - � � / �� 6 is continuously enabled at and, as the daemon is weakly fair, executes � ' ' - � � / �� 6 in at mostone round. By Lemma 13, after executing � ' ' - � � / �� 6 , satisfies � � ' ' � ' � �

forever. Moreover, we canremark that the execution of � ' ' - � � / �� 6 by can only make enabled � ' ' - � � / �� 6 at each of its children(i.e., each processor such that � l�� (&' � 6 � ). So, during the next round, all its children (if any) execute� ' ' - � � / �� 6 and so on. Thus, after at most � rounds, the system reaches a configuration where � 5�"� , satisfies � � ' ' � ' � � and, by checking all actions of �.f ' , we can remark that in a such configuration, every satisfies � � ' ' � ' � � forever.

�

Lemma 16 Let ; ��: such that �& � � � � ' � , � � ' ' � ' � � . If � / �&/ % . � �� (&� � , ( � 6 � � , then at least oneprocessor is enabled in ; .

Proof. Let ; � : such that �& � � � � r � , � � ' ' � ' � � and � / �&/ % . � �� (&� � , ( � 6 � � . Assume,by the contradiction, that no processor is enabled in ; . First, by Remark 4, �& � � �� ! ' � � � , � / �&/ % . -! ')� � � � � �� g �2/ � � � � � � � � � . � / � � � ( � 6 � � � � � . � / � � � ( � 6 � � � ( � 6 � � . Let � � �� ! ' � � � .

1) Assume that h� r, � / �&/ % . � � � , and � /1�2/ % . � � � � � . � / in ; . Then, � �� l�� (�' � 6 � , � / �&/ % . & �� , ( � 6 � � because h� r

�� ' ' � ' � � and � �� - � � / �� 6 is enabled at , a contradiction.

2) Assume that h� r, � / �&/ % . � � � � . � / , and � / �&/ % . � � � � in ; . Then, � � l�� (�' � 6 � , � / �&/ % . & �� . � / , � , ( � 6 � � because h� r

�� ' ' � ' � � .� If �$ � l � � ��(�' �46 � , � /1�2/ % . &7� � then, by 1), �� - � � / �� 6 is enabled at , a contradiction.

� Otherwise, � � l�� (&' � 6 � , � / �&/ % . &=� � � � . � / , ( � 6 � � and �� ( - � � / �� 6 is enabled at , acontradiction.

3) Assume that � / �&/ % . � � � in ; . Without loss of generality, assume that satisfies � � � max( � � & !#! � � ��! ' �0� � � � / �&/ % . & � � � ). Then, � � l � � ��(�' �46 � , � / �&/ % . & � � � � . � / , � , ( � 6 � � because h�r�� ' ' � ' � � . If �$ � l � � � (&' �46 � , � /1�2/ % . & � � � . � / , then, by 2), is enabled in ; , a contradiction.

So, � � l�� (&' � 6 � , � / �&/ % . & � � � , ( � 6 � � .� Assume that �& " � �� 4� , � / �2/ % . � � h� � (&� � . If 5� r, then � �� - or� � 6 � - � � / �� 6 is enabled at

, a contradiction. Otherwise ( h� r), � � � - or� � 6 � - � � / �� 6 is enabled at , a contradiction.

� Assume that � " �5�� such � /1�2/ % . & � � (2� � . As, �& " " � � � �� , ( " " h� r)�� ' ' � ' � " " � , "

satisfies � � � � � �" � and � � - � � / �� 6 is enabled, a contradiction.

Hence, by the contradiction, � , � � , and � � imply that �2 � � �� ! ' � � � , � /1�2/ % . - ! ')� � � � � �� g �&/ � � � �

� � � . � / � ( � 6 � � � ( � 6 � � in ; . Now, as we assume that � / �&/ % . � �� (2� � , ( � 6 � � , �& � � �� ! ' �0� � ,� / �&/ % . - ! ')� � � � � � � g �2/ � � � � �� . � / � ( � 6 � � with, in particular, � /1�2/ % . � � � � . � / . As �&�� l � � ��(�' �46 � ,� / �&/ % . � � � � � . � / , ( � 6 � � , r also satisfies � � . � / � � �

r�

and �� ( - � � / �� 6 is enabled at r in ; , a contradiction.�

Lemma 17 Assuming a weakly fair daemon and starting from any configuration, the system reaches a con-figuration where ��f ' 8 � 6 ( � ' � is continuously satisfied in � (

� � � � ) rounds.

Proof. By lemma 15, starting from any configuration, the system reaches a configuration ; where �& � � ,� � ' ' � ' � � forever in at most � rounds. So, each configuration reached from ; satisfies one of the threefollowing cases:

1) � / �2/ % . � � � (2� � . In this case, as �&"�=� , � � ' ' � ' � � , we have �&=�"� , � /1�2/ % . � � � � (2� � , ( � 6 � � �(�� / �&/ % . � � � (&� � ). In such configurations, � � ( - � � / �� 6 at r is the only enabled action ofthe system, so, r executes it in the next step.

21

2) � / �2/ % . � � ( � 6 � . In this case, r is disable forever, so, �.f ' 8 � 6 ( � ' � is continuously satisfied.

3) � / �2/ % . � �� (2� � , ( � 6 � � . In such configuration, by Lemma 16, at least one processor is enabled. More-over, as �2 � � , � � ' ' � ' � �

, we can deduce that each satisfies one of the following cases:- is an idle processor, i.e., � / �&/ % . � � � (&� � .- "� � �� ! ' � � � and � /1�2/ % . - ! ' � � � � � �� g �&/ � � � � � � � � � . � / � � � ( � 6 � �� . � / � � � ( � 6 � �� ( � 6 � � , by Remark 4.- is an isolated done processor, i.e., � /1�2/ % . � � ( � 6 � � �� ! ' � � � and is disable forever.

So, � �� ! ' �0� � progresses in the network as when the system starts from ; � , i.e., phase by phase, someidle processors hook on to � �� ! ' � � � until r executes � /1�2/ % . � ! � ( � 6 � . In particular, we can remarkthat the isolated done processors can only prevent idle processors to hook on to the tree. Indeed, theremust exist a path � � , ..., � such that

�� ,� � � � � , � /1�2/ % . �� (&� � and

�� ! ' �0� �� / �2/ % . � � h� ( � 6 � so that an idle processor eventually hooks on to � �� ! ' �0� � .Hence, in the worst case, each idle processor in ; hooks on to the tree before r continuously satisfies� / �&/ % . � � ( � 6 � , i.e., �.f ' 8 � 6 ( � ' � . Now, as the farther idle processor in ; is at most at distance

�of

r, the system reaches such a configuraiton after � (�

) phases , i.e., � (� � ) rounds and the lemma holds.

�

By Lemma 17, Predicate �.f ' 8 � 6 ( � ' � satisfies Claims 1 and 4 of Definition 4 under a weakly fair daemon.Also, we already know that starting from ; � , ��f ' 8 � 6 ( � ' � is satisfied only when the breath-first searchspanning tree is built (Claim 2 of Definition 4). Finally, by checking the actions of Algorithms 5 and 6, wecan state that �.f ' 8 � 6 ( � ' � satisfies Claims 3 of Definition 4. Hence, follows:

Lemma 18 ��f ' 8 � 6 ( � ' � satisfies � ' � �� 6 � ��6 � �� .

By checking the actions of Algorithms 5 and 6, we can state that ��f ' verifies Claim 3 of Definition 5. So,by Lemmas 12 and 18, follows:

Lemma 19 ��f ' satisfies � �� - � ' � � 6 (&�� (� ! l , �� .

The next lemma proves that the results obtained with a weakly fair daemon also holds with an unfair daemon.

Lemma 20 Starting from any configuration, �.f ' terminates in � (� �5� ) steps.

Proof. Let � � . First, if � / �&/ % . � � � (&� � , then, after executing one action ( � � - � � / �� 6 if h� r,�� ( - � � / �� 6 otherwise), satisfies � /1�2/ % . � h� � (&� � forever. Also, since � /1�2/ % . � � ( � 6 � , is disableforever. So, to prove the lemma, we will show that each processor satisfying � /1�2/ % . � �� (&� � , ( � 6 � �(i.e., � / �&/ % . � � � � � . � / , � , � � ) executes � (

�) actions before satisfying � / �2/ % . � � ( � 6 � . Without loss of

generality, we will prove that executes � (�

) actions before executing� � 6 � - or � ' ' - � � / �� 6 .

Let � � such that � /1�2/ % . � � � � � . � / , � , � � (i.e., � / �&/ % . � �� (&� � , ( � 6 � � ) and be the initial extremityof � �� g �&/ � � �

. Assume that never executes� � 6 � - or � ' ' - � � / �� 6 . Two cases are then possible:

a) h� r, i.e., � ' ' � ' � � . Then, h� r and, according to � / �&/ % . � , three subcases are possible:1. � / �2/ % . � � � . Then, by Remark 4, � /1�2/ % . - ! ' � � � ( � �� g �2/ � � � ) � � � and cannot execute

any action while � � � � ��/1')� � � � � . So, assume that eventually satisfies � � � ��/1' � � � � � . Then, can only execute � � � - � � / �� 6 . By � � � - � � / �� 6 , sets � /1�2/ % . � to � and the � value is propagatedup into � �� g �&/ � � �

. We can then remark that is not enabled while � / �&/ % . � � h� � � . � / . Now,�2�" � � � � g �2/ � � � , �"Ah� r

� � /1�2/ % . � � h� � � . � / . Moreover, r is the only processor able togenerate a � � . � / value. So, never more execute any action. Thus, if � /1�2/ % . � �� , then canat most execute one action before executing

� � 6 � - or � ' ' - � � / �� 6 .2. � / �2/ % . � � � � . � / . Then, by Remark 4, � /1�2/ % . - ! ' � � � ( � �� g �2/ � � � ) �� . � / � .� Assume that � /1�2/ % . &*� � � . � / . Then, � / �&/ % . - ! ')� � � ( � �� g �&/ � � �

) � � � . � / � and isnot enabled while � /1�2/ % . � � h� � . Now, �&�" � � �� g �&/ � � � , �"Ah� r

� � /1�2/ % . � � h� � .Moreover, r is the only processor able to generate a � value. So, never more execute anyaction.

22

� Assume that � /1�2/ % . & � � . Then, does not execute any action while � /1�2/ % . � � h� � .Assume that � / �&/ % . � � is eventually equal to � . Then, �� ( - � � / �� 6 is the only action that can execute. If executes � � ( - � � / �� 6 , then � / �&/ % . - ! ')� � � ( � �� g �&/ � � �

) becomes equalto � � and we retrieve Case 1.

Thus, if � / �&/ % . � � � � . � / , then can at most execute two actions before executing� � 6 � - or

� ' ' - � � / �� 6 .3. � / �2/ % . � � � . Then, by Remark 4, � / �&/ % . - ! ')� � � ( � � � g �2/ � � � ) � � � � � . � / � � � � � � . � / � � � .� Assume that � /1�2/ % . - ! ' � � � ( � �� g �2/ � � � ) �� . � / � � � . If � / �&/ % . - ! ')� � � ( � �� g �&/ � -� �

) � � � � � . � / � � � , then the � and � � . � / values are propagated down in � �� g �2/ � � �by �� - and � � ( - � � / �� 6 . until � / �2/ % . � � � . After executes these two actions,� /1�2/ % . � � � and we retrieve Case 1. If � /1�2/ % . - ! ')� � � ( � �� g �2/ � � � ) � � � � � , then is not enabled while � /1�2/ % . � � h�� . � / . Now, �&�" � � �� g �2/ � � � , �" h� r

� � / �2/ % . � � h�� . � / . Moreover, r is the only processor able to generate a � � . � / value. So, never moreexecute any action.� Assume that � / �&/ % . - ! ')� � � ( � �� g �&/ � � �

) � � � . � / � � � . In this case, the � � . � / valueis propagated down in � �� g �&/ � � � until � / �&/ % . � � � � . � / . So, at most executes one�� - � � / �� 6 and then we retrieve Case � .

Thus, if � /1�2/ % . � � � then, can at most execute three actions before executing� � 6 � - � � / �� 6 or

� ' ' - � � / �� 6 .

Thus, if h� r, then can execute at most three actions before setting � /1�2/ % . � to ( � 6 � .b) � r. Then, by Definition 10, � � �� ! ' � � � . We know that � �� ! ' � � � progresses in the network

by phases.� If "� �� r, then, in the worst case, participates to all the phases. Now, for each phases, rexecutes one �� - � � / �� 6 and one �� ( - � � / �� 6 and the number of phases is bounded by

�. So,

if �� r, then executes � (�

) actions before setting � / �2/ % . � to ( � 6 � .� Otherwise, h� r and, in the worst case, participates to

� � � phases where � is the distancefrom to r in � ��! ' �0� � . Now, at each phases where participates, executes one � �� - � � / �� 6 ,one �� ( - � � / �� 6 , and one � � � - � � / �� 6 . So, if h� r, then executes � (

�) actions before setting

� /1�2/ % . � to ( � 6 � .Thus, if � r, then can execute � (

�) actions before setting � / �2/ % . � to ( � 6 � .

Hence, �& � � such that � /1�2/ % . � � � � � . � / , � , � � , executes � (�

) actions before executing � / �&/ % . � ! �( � 6 � (� � 6 � - � � / �� 6 or � ' ' - � � / �� 6 ) and the lemma holds.

�

By lemmas 19 and 20, follows:

Lemma 21 ��f ' satisfies � �� - � ' � � 6 (&�� (� ! l , � � �.

By lemma 21 and Theorem 5, follows:

Theorem 10 � �� .f ' �is a snap-stabilizing � �� wave protocol under an unfair daemon.

Complexity Analysis of SSBB(BFS). By checking Algorithms 5 and 6, we can state that the space require-ment of �.f ' is � ( �� ) bits per processors. So, by Lemma 6, � � � � � ��f ' �

requires � ( �� ) bits per processor. Concerning the time complexity, the delay to start a requested � �� ! l , startingfrom any configuration, is in � (

� � �� ) rounds (by Theorem 7, Lemmas 12, and 17) and � ( � � � � � �)

steps (by Theorem 8 and Lemma 20). Finally, starting from any configuration, a complete requested � �� ! lis executed in � (

� � � � ) rounds (by Corollary 7, Lemmas 12, and 17) and � ( � � � � � �) steps (by Corol-

lary 8 and Lemma 20). As for DFTC, the code of our protocol is similar to the basic code in [3] and is simplerthan that of [20].

23

5 Extension: Mutual Exclusion

In Subsection 4.1, we seen that � � � � � � f ' �performs, when requested by r, a single depth-first token

circulation of the network in a snap-stabilizing manner. The snap-stabilizing property of � � � � � � f ' �

guarantees that, starting from any configuration, after the root requests it, a token is created in a finite timeand this token visits all the network following the depth-first search order. With a slight modification, � � -� � � � f ' �

can be transformed into a cyclic token circulation, i.e., a protocol which repeats cycle of tokencirculation infinitively often without waiting any request from the root. To that goal, we just have to replaceAction � � by the following action:

� � �� N]! �"N !#! � �%f ' 8 � � % � .0/�� % / � + � f ' 8 � � % � . /�� ! � � � � /��In the following, we denote by � � � � � l � � � �� - �%f ' �

the cyclic version of � � � � � � f ' �. A common

application of cyclic token circulations is the mutual exclusion problem. In the mutual exclusion, the existenceof a special section of code, called critical section (noted � l � � in the following), is assumed. The criticalsection must be executed by at most one processor at each time. The mutual exclusion can be specified asfollows: any processor that requests � l � � enters in � l � � in a finite time (liveness), and if a requestingprocessor enters in � l�� , then it is the only processor in � l � � (safety). We can remark that, in a safeenvironnement, the safety property is equivalent to the following property “Never more that one processoris in � l � � ” in a sense that any protocol satisfying the first property also satisfies the second one [24] andreciprocally. Of course, it is not the case in a faulty environnement.

Using any cyclic token circulation, the mutual exclusion can be solved as follows: the token is seen asa privilege and a processor can execute its critical section only when it holds a token. Unfortunately, � � -� � � l � � � �� - �%f ' �

is not snap-stabilizing for the mutual exclusion. Indeed, starting from any configuration,several corrupted tokens may circulate simultaneously into the network. As a consequence, several proces-sors may request and execute the critical section simultaneously. However, we know that, starting from anyconfiguration, any cycle of � � � � � l � � � �� - �%f ' �

is composed of a snap-stabilizing reset of �%f ' variablesfollowed by the circulation of one token into the network. So, after the first reset of the network, the specifi-cation of the mutual exclusion is verified forever and the protocol is self-stabilizing for the mutual exclusion.Moreover, r can detect when a token is unique into the network: once r has initiated the protocol (i.e., the firstreset), the next token that r will created will be unique into the network. The following theorem (Theorem 11)shows that there is a way for any processor to detect when they hold a token which is unique into the network.Indeed, Theorem 11 show that, for every processor , we just have to count the number of different tokensthat receives and, since receives the third token, this token is unique into the network.

Theorem 11 �&9�9� , starting from any configuration, is guaranteed to receive a token which is uniqueinto the network since it executes �� ( - � � / �� 6 for the third time.

Proof. To execute � � ( - � � / �� 6 , a processor must, in particular, satisfy � % � � � � � (&� � in �%f '( � � ' � �2' ( � � ) and � � � l in � � . � / � �%f ' �

(because of � � � � in � f ' � � I � 6 ��8 � � . � / � � f ' �). After

executing �� ( - � � / �� 6 , satisfies � % � � � h� � (&� � � � � � l . By checking the actions of � � . � / � �%f ' �and

�%f ' , we can then remark that will satisfy � % � � � � � (2� � again (i.e., will be ready to receive a new token)only after executing � - � � / �� 6 of � � . � / � � f ' �

. So, executes at least one � - � � / �� 6 between each �� ( -� � / �� 6 and, from the � P token that receives, at least two � - � � / �� 6 . have been already executed at . Now,by Property 1 (Claim 4), since the � C # feedback at , the � - � � / �� 6 . at are always associated to a broadcastinitiated by r. During such a feedback phase, any processor resets � % � � & to

� (&� � ( � f ' 8 �&6 � / & ) and switches� & of � � . � / � �%f ' �

to � . Then, as any cannot modify � % � � & while � & h� l , the system eventually reachesa configuration where � �� , � % � � & � � (2� � by Property 1 (Claim 1). From the explanations provided atthe beginning of Subsection 4.1, we know that, from such a configuration, at most one token exists into thenetwork and the theorem holds.

�

By Theorem 11, we can trivially obtain a very efficient self-stabilizing protocol: we just have to authorize anyprocessor to access to the critical section only when it receives a new token ( �� ( - � � / �� 6 ) and, in that case,any processor executes the critical section at most twice without satisfying the safety of the mutual execution.

24

We now describe how to build a snap-stabilizing mutual exclusion using l � � � �� - � � � � � � f ' �. By The-

orem 11, we know that from the moment where processor becomes requestor for the critical section, it just hasto wait for receiving at least three tokens and then executes the critical section when receiving the third token( �� ( - � � / �� 6 ). That is the solution we now propose. To simplify the design of our snap-stabilizing mutualexclusion protocol, we use the protocol composition technique called conditional composition introduced byDatta et al in [14].

Definition 12 (Conditional Composition) Let � � and � � be protocols such that variables written by � � arenot referred by � � . The conditional composition of �� and � � , denoted by � �� , is a protocol that satisfiesthe following conditions:

1. It contains all the variables and actions of �(� and � � .2. � is a set of predicates and is a subset of the guards of �(� .3. Every guard of � � has the form

� �� or �

� �� where

�is a logical expression using the guards �� .

4. Since some actions of � � may also be enabled when an action of � � is enabled, the order of executionis the following: the action of � � followed by the action of �� (in the same step).

Using the conditional composition, our snap-stabilizing mutual exclusion protocol corresponds to the fol-lowing composite protocol:

� � � � � ��F # � � �9= � # 6 �98 � l � � � �� - �(� � � � �%f ' �(see Algorithm 5 for the formal

description of� � ). �� ( - � % �&')( � �

is the guard of �� ( - � � / �� 6 at in l � � � �� - �(� � � � �%f ' �, i.e., � � ( -

� % �&')( � � ( � � ' � �&')( � � � � � � �

). Then, it is important to note that, contrary to the previous protocolspresented in the paper,

� � � � � ��F # � � ��= � # 6 ��8 � l � � � �� - � � � � � � f ' �is a multi-initiator protocol: indeed, in

the mutual exclusion problem, any processor can request the critical section. So, in the following, we will usethe variable

� � 8 � �0 % � .0/ � � � � � � / , �&6 , � % / � for managing the request and this variable will be defined forall processor instead of r only. Actually,

� � � � � ��F # � � ��= � # 6 ��8 � l � � � �� - � � � � � � f ' �works as follows:

� When a processor requests the critical section (i.e.,� � 8 � � % � . / � �� / ), it waits for receiving a

new token by �� ( - � � / �� 6 . Before executing �� ( - � � / �� 6 but in the same step, executes � � � . ByAction � � � , sets the counter l � % 6 / � ' � to 1 (to remember that it has already receive one token) andswitches

� � 8 � � % � . / � to ��6 (meaning that the request has been taking in account).

� When receives another token ( � � ( - � � / �� 6 ), it also satisfies (� � 8 � �0 % � .0/ � � ��6 )

�( l � % 6 / � ' � �

) and then execute � � � before �� ( - � � / �� 6 but in the same step. By this action, it simply incrementsl � % 6 / � ' � .

� Finally, by Action � � � , executes the critical section ( � l�� ) and, then, it switches� � 8 � � % � . / �

to � % / (meaning that the request of has been performed) just before receiving the third token ( �� ( -� � / �� 6 ).

By the mechanism we previously describe and Theorem 11, it is obvious that, starting from any configuration,the safety of the mutual exclusion is always satisfied. Moreover, the liveness is ensured by the fact thatl � � � �� - �(� � � � �%f ' �

ensures that any processor receives tokens infinitively often even if the daemon isunfair. Hence, we can conclude with the following theorem:

Theorem 12� � � � � ��F #�� = � # 6 ��8 � l � � � �� - �(� � � � �%f ' �

is a snap-stabilizing mutual exclusion protocolassuming an unfair daemon.

6 Conclusion

We presented a light semi-automatic method allowing to snap-stabilize non-fault-tolerant wave protocols forarbitrary rooted networks with a unique initiator. Contrary to the Transformer proposed in [8], our solutioncannot transform any protocol: the protocol we stabilize needs to satisfy an additional property. However, thisproperty is easier to obtain than self- or snap- stabilization. The main advantage of our solution, compared

25

Algorithm 7� � , �&5� � :

Input: ��F # - � ��= � # 6 ��8 : guard of ��F # - = N P � L C in �T� �(� 6�� 8 ;Variables: ��1\ �D� & ��E]P ��Z = � P , a C ,

I ��P � ; � L �2C@P � � �.�� , � � ;Actions:� ^ � *+* ��F # - � ��= � # 6 ��8 / ( ��1\ �`� & ��'EGP � �AZ = � P ) _ � L ��C9P � � �.* � � ; ��1\ �`� & ��'EGP ��* �ca C ;� ^� *+* ��F # - � ��= � # 6 ��8 / ( ��1\ �`� & ��'EGP � �Ua C ) / ( � L ��C9P � � � � � )

_ � L ��C9P � � �.* � � ;� ^ � *+* ��F # - � ��= � # 6 ��8 / ( ��1\ �`� & ��'EGP ��Ua C ) / ( � L ��C9P � � �� ) _ � �� ; ��T\ �D� & �9�'EGP � * � I �2P ;

to [8], is that we do not use any snapshot to guarantee the snap-stabilization. As a consequence, the overcostof the snap-stabilization is bounded. In particular and in contrast with the previous solution, our methodallows to generate solutions working with the unfair daemon. To validate the method, we also proposed twosnap-stabilizing solutions for the

� �� and the � �� respectively. These two protocols work with an unfairdaemon and are efficient in terms of time and space complexity. Moreover, these exemples show that therequested properties do not lead us to provide complex codes as that of self- or snap- stabilizing solutionsbut codes which are very closed to the basic non-fault-tolerant solutions and by consequence easy to prove.Finally, thanks to its specific properties, we show how to use our snap-stabilizing

� �� wave protocol forsolving the mutual exclusion in a snap-stabilizing manner.

References[1] Y Afek and A Bremler. Self-stabilizing unidirectional network algorithms by power supply. Chicago Journal of Theoretical Computer Science,

1998:Article 3, 1998.

[2] Y Afek, S Kutten, and M Yung. Memory-efficient self-stabilization on general networks. In WDAG90 Distributed Algorithms 4th InternationalWorkshop Proceedings, Springer-Verlag LNCS:486, pages 15–28, 1990.

[3] B Awerbuch and RG Gallager. Distributed bfs algorithms. In FOCS 1985, pages 250–256, 1985.

[4] L Blin, A Cournier, and V Villain. An improved snap-stabilizing pif algorithm. In DSN SSS’03 Workshop: Sixth Symposium on Self-StabilizingSystems (SSS’03), pages 199–214. LNCS 2704, 2003.

[5] A Bui, AK Datta, F Petit, and V Villain. Space optimal PIF algorithm: Self-stabilizing with no extra space. In IPCCC’99, IEEE InternationalPerformance, Computing, and Communications Conference, pages 20–26. IEEE Computer Society Press, 1999.

[6] A Bui, AK Datta, F Petit, and V Villain. State-optimal snap-stabilizing PIF in tree networks. In Proceedings of the Fourth Workshop onSelf-Stabilizing Systems, pages 78–85, Austin, Texas, USA, June 1999. IEEE Computer Society Press.

[7] A Cournier, AK Datta, F Petit, and V Villain. Snap-stabilizing PIF algorithm in arbitrary rooted networks. In 22st International Conference onDistributed Computing Systems (ICDCS-22), pages 199–206. IEEE Computer Society Press, 2002.

[8] A Cournier, AK Datta, F Petit, and V Villain. Enabling snap-stabilization. In 23th International Conference on Distributed Computing Systems(ICDCS 2003), pages 12–19, Providence, Rhode Island USA, May 19-22 2003. IEEE Computer Society Press.

[9] A Cournier, S Devismes, F Petit, and V Villain. Snap-stabilizing depth-first search on arbitrary networks. In OPODIS’04, InternationalConference On Principles Of Distributed Systems Proceedings, pages 267–282, Grenoble, France, 2004. LNCS 3544.

[10] A Cournier, S Devismes, and V Villain. A snap-stabilizing dfs with a lower space requirement. In Seventh International Symposium onSelf-Stabilizing Systems (SSS’05), pages 33–47, Barcelona, Spain, 2005. LNCS 3764.

[11] A Cournier, S Devismes, and V Villain. From self- to snap- stabilization (submitted to sss’06). Technical Report LaRIA-2006-08, LaRIA, CNRSFRE 2733, Universit e de Picardie Jules Verne, Amiens (France), 2006. Available at www.laria.u-picardie.fr/ � devismes/LaRIA-2006-08.pdf.

[12] A Cournier, S Devismes, and V Villain. Snap-stabilizing pif and useless computations. Technical Report LaRIA-2006-04, LaRIA, CNRS FRE2733, 2006. Available at www.laria.u-picardie.fr/ � devismes/LaRIA-2006-04.pdf.

[13] A Cournier, S Devismes, and V Villain. Snap-stabilizing pif and useless computations. In The Twelfth International Conference on Parallel andDistributed Systems (ICPADS’06), volume 1, pages 39–46, Minneapolis, USA, 2006. IEEE Computer Society Press P2612.

[14] Ajoy Kumar Datta, Shivashankar Gurumurthy, Franck Petit, and Vincent Villain. Self-stabilizing network orientation algorithms in arbitraryrooted networks. In International Conference on Distributed Computing Systems, pages 576–583, 2000.

[15] EW Dijkstra. Self stabilizing systems in spite of distributed control. Communications of the Association of the Computing Machinery, 17:643–644, 1974.

[16] S Dolev, A Israeli, and S Moran. Self-stabilization of dynamic systems assuming only read/write atomicity. Distributed Computing, 7:3–16,1993.

26

[17] S Dolev, A Israeli, and S Moran. Uniform dynamic self-stabilizing leader election. IEEE Transactions on Parallel and Distributed Systems,8(4):424–440, 1997.

[18] B Ducourthial and S Tixeuil. Self-stabilization with r-operators. Distributed Computing, 14(3):147–162, July 2001.

[19] ST Huang and NS Chen. A self-stabilizing algorithm for constructing breadth-first trees. Information Processing Letters, pages 41:109–117,1992.

[20] C Johnen. Memory efficient, self-stabilizing algorithm to construct bfs spanning trees. In PODC97 Proceedings of the Sixteenth Annual ACMSymposium on Principles of Distributed Computing, page 288, 1997.

[21] S Katz and KJ Perry. Self-stabilizing extensions for message-passing systems. Distributed Computing, 7:17–26, 1993.

[22] S Sur and PK Srimani. A self-stabilizing distributed algorithm to construct bfs spanning trees on a symetric graph. Parallel Processing Letters,pages 2(2/3):171–179, 1992.

[23] G Tel. Introduction to distributed algorithms. Cambridge University Press, Cambridge, UK, Second edition 2001.

[24] V Villain. Snap-stabilization versus self-stabilization. Journ ees internationales sur l’auto-stabilisation, October 2002. CIRM, Luminy (France).

27

Documents

A Lighter Generic Protocol for Snap-Stabilizationdevismes/WWW/rapports/LaRIA-2006-07.pdf · processor is eventually chosen by the daemon. Finally, the unfair daemon is the weakest