Snap-Stabilization in Message-Passing Systems

apport   de recherche ISSN 0249-6399 ISRN INRIA/RR--9999--FR+ENG Thème NUM INSTITUT N A TION AL DE RECHERCHE EN INFORMA TIQUE ET EN A UTOMA TIQUE Snap-Stabilization in Message- P assing S ystems Sylvie Delaët — Stéphane De vismes — Mikhail Nesterenko — Sébastien T ixeuil N° 9999 February 2008 Unité de recherche INRIA Futurs Parc Club Orsay Uni versité, ZA C des V ignes, 4, rue Jacques Monod , 91893 ORSA Y Cedex (France) Téléphone : +33 1 72 92 59 00 — Télécopie : +33 1 60 19 66 08 Snap-Stabilization in Message-P assing Systems Sylvie Dela ¨ et ∗ , St ´ ephane Devismes † , Mikhail Nesterenk o ‡ , S ´ ebastien Tixeuil § Th` eme NUM — Syst` emes num ´ eriques Pro jet Grand large Rapp ort de re cherche n ° 9999 — F ebruary 2 008 — 26 pa ges Abstract: In this pap er, we tac kle the op en pr o blem of snap-sta biliz a tion in messag e- passing systems. Snap-stabilization is a nice approach to design proto co ls that withstand transient f aults. Compared to the well-kno wn self-stabilizing appr oach, snap-stabilization guarantees that the effect of faults is c o ntained immediately after faults cease to o ccur. Our contribution is t w ofold: w e show that (1) snap-sta biliza tion is imp os s ible for a wide cla ss of pr oblems if we cons ide r netw or k s with finite yet unbounded channel capacity; (2) snap- stabilization b ecomes p o ssible in the same setting if we assume b ounded-ca pacity channels. W e pr o p ose three snap-sta bilizing proto c o ls working in fully-connected netw o rks. Our work op ens exciting new resear ch p ersp ectives, as it enables the s nap-stabilizing par adigm to b e implemen ted in actual netw orks . Key-w ords: Distributed sys tems, Distributed algor ithm, Self-sta bilization, Snap- Stabili- zation ∗ Unive rsi t ´ e P aris- Sud, F rance † CNRS, Unive rsit´ e Paris-Sud, F r ance ‡ Computer Science Departmen t, Kent Stat e Uni versity , USA § Unive rsi t ´ e P aris 6, LIP6-CNRS & INRIA, F rance Stabilisation instan tan´ ee dans les syst ` emes ` a p assage de messages R´ esum´ e : Dans cet a rticle, nous consid´ er o ns le probl` eme, jusqu’ici ouvert, de la stabili- sation instantan ´ ee dans les syst` emes ` a pa ssage de messages. La s ta bilisation instantan ´ ee est une appro che ´ el ´ e gante p ermetta nt de r´ ea liser des proto c o les qui supp ortent les fautes transitoires . Par ra pp o rt ` a l’appr o che auto-stabilisa nte, la sta bilisation instantan ´ ement sta- bilisante assure que l’effet des fautes est co nt enu imm´ ediatement apr` es que celles-c i ce ssent. Notre contribution e s t double: nous pro uvons que (1) la stabilisation instantan ´ ee es t imp os - sible p o ur de no mb reux pr obl` emes si nous supp osons des r´ eseaux o ` u la capa c it ´ e des canaux de co mmunications est finie mais non b or n´ ee; (2 ) la stabilisa tion instantan ´ ee devient p o s- sible avec les mˆ emes param` etres si on supp o se que la capacit´ e des ca naux est b or n´ ee. A titre d’exemple, Nous prop oso ns trois proto coles instantan´ ement stabilis ants fonctionnant dans un r´ esea u complet. Ces trav aux ouvrent de no uvelles p ersp ec tives de recherche car ils d´ emontren t q ue la stabilisatio n instantan ´ ee p eut ˆ etre implant ´ ee dans les r´ esea ux actuels . Mots-cl´ es : Syst` emes distribu´ es, Algorithme distribu´ e, Auto-stabilisa tion, Sta bilisation Instantan ´ ee Snap-Stabilization in Message-Passing Systems 3 1 Int ro duction Self-stabilization [23] is an elegant appro ach to for ward fa ilure recov ery . Reg ardless of the global state to which the failure drives the s ystem, after the influence of the failure stops, a self-stabilizing s ystem is g uaranteed to resume co rrect op eration. This gua rantee comes a t the exp ense of temp ora ry safety violatio n. That is, a s e lf- s tabilizing system may b ehave in- correctly as it recovers. Bui et al [1 1] intro duce a related concept of snap-stabilization . Given a pr oblem sp ecificatio n, a system is guaranteed to p erfor m acco rding to this sp ecification regar dless of the initial state. If the s ystem is se nsitive to safety violatio n snap-stabiliza tion bec omes an attractive o ption. How ever, the sna p- stabilizing pro to cols pr esented thus fa r assume a rather abstrac t shar ed memory mo del. In this mo del a pro cess rea ds the states o f all of its neighbors and upda tes its own state in a s ingle atomic step. The pr oto col desig n with forward re c ov ery mechanisms such as self- a nd snap-stabiliza tion under mor e concrete progra m mo del such a s asynchronous messag e-passing is ra ther challenging. As Gouda a nd Multari [26] demonstr ate, if channels can hold an arbitrar y num be r o f messa ges, a large num- ber of pro blems could not b e solved by self-s ta bilizing algo r ithms: a pa tho logical corr upted state with incorrect messages in the c hannels may prevent the pro to col from stabilizing. See also Ka tz and Perry [29] for additiona l detail on this to pic. The is sue is exac e rbated for snap-stabiliza tio n by the stricter safety requir ements. Thus, how ever attra ctive the concept, the applica bilit y of snap-stabiliza tio n to concr ete mo dels, such as messa ge-pas s ing mo dels remained. In this pa p er we addr ess this pr oblem. W e outline the b ounds of the achiev- able and present snap-stabilizing solutions in messa g e-passing systems for se veral practical problems. Related literature. Several studies mo dify the concept of self-s tabilization to add safety prop erty during r e cov ery fr om faults. Dolev a nd Her man [24] introduce su p er-s t abilization where a self-stabilizing proto co l can recover from a lo c a l fault while satisfying a safety predicate. T his theme is further developed a s fault-c ontainment [25]. A num ber of snap-stabilizing proto co ls are presented in the literature. In particular pr op agation of information with fe e db ack (PIF) is a p opular problem to addr ess [11, 10, 12, 20, 14, 9, 19]. Several studies present s nap-stabilizing token circula tion proto co ls [30, 16, 18]. There a lso exis ts snap-stabilizing pro to cols for neighbo rho o d sy nchronization [28], bina r y search tr e e cons truction [8] and cut-set detection [17]. Cour nie r et al [15] prop o se a metho d to add snap-s tabilization to a lar ge cla ss of proto co ls. Unlik e snap-stabiliza tion, s e lf-stabilizing proto col w ere designed for message- passing sys- tems of unbounded capacity channels. Afek and Brown [2] use a string of ra ndo m sequence nu mbers to counteract the pr oblem of infinite-capacity channels and design a self-stabilizing alternating-bit pro to col (ABP). Dela¨ et et al [2 2] pro p ose a metho d to design self-sta bilizing proto cols for a class of termina ting problems in messag e-passing systems with lossy c hannels of unbo unded capacity . Aw erbuch et al [6] describ e the pr o p erty of lo c al c orr e ctability a nd demonstrate who to design lo cally -corr e ctable self-stabilizing proto co ls. Researchers a lso consider messa ge-pass ing sy stems with b ounded capacity channels [1, 3 3, 27, 5 , 7]. RR n ° 9999 4 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil Our con trib uti on. In this pap er , we address the pro blem of snap-stabilization in messa ge- passing systems. W e intro duce the co ncept of safety-distribute d pr oblem sp e cific ation that encompasses most pr actical pr oblems and s how that it is imp o ssible to sa tisfy by a snap- stabilizing proto col in messa ge-pass ing systems with unbounded finite channel capacity . That is if the channel capacity b ound is unknown to the pro cess es. As a constructive contribution, we sho w that snap- stabilization beco mes p ossible if bound for the c hannel capacity is known. W e prese nt the snap- s tabilizing pro to cols that solve the PIF, the ID- learning a nd the m utual exclusion pr o blems. T o the b est of our knowledge these are the first sna p- stabilizing pro to cols in such a co ncrete pr ogra m mo del. P ap er outline . The rest of the paper is o rganized as follows. W e define the messag e- passing prog ram mo del in Section 2. In the same sectio n, we describ e the notion of snap- stabilization a nd pro blem sp ecifications. In Section 3, we pr ov e the impo ssibility of sna p- stabilization in message- passing sys tems with channels of infinite capacity . W e prese nt the snap-stabilizing alg o rithms for the sy stem with b ounded capacity channels in Sectio n 4. W e conclude the pap er in Section 5. 2 T he Mo del W e consider distributed systems having a fi nite numb er of pr o c esses a nd a ful ly-c onne cte d top olo gy : any t wo dis tinct proce sses can communicate together b y sending mes sages thr ough a bidirectio nnal link ( i.e. , tw o channels in the o pp o site dire c tio n). A pr o cess is a sequential deterministic machin e that uses a lo cal memor y , a lo cal al- gorithm, a nd input/output capabilities. Intuitiv ely , such a pro cess executes a lo ca l algo- rithm. This algo rithm mo difies the s tate of the pro cess memor y , a nd sends/r e c eives messages through channels. W e assume that the channels incident to a pr o cess are lo cally dis tinguished by a channel numb er . F or sake of simplicity , we assume that every pr o cess nu mbers its channels from 1 to n − 1 ( n be ing the num b er o f pro cess e s ). In the following, we will indifferently use the notation q to desig nate the pro cess q or the lo cal channel num ber of q in the co de o f so me pro cess p . W e as sume that the channels are FIF O but no t neces s ary r eliable (mess ages can b e lost). Ho wev er they all satisfy the following pro p er ty: if an or igin pro cess o sends infinitely many message s to a destination pro cess d , then infinitely many messages are even tually received b y d fr om o . Also, we a s sume tha t any messag e that is never lo st is received in a finite (but unbounded) time. The messa ges are o f the following form: h messag e - ty p e , messag e - val u e i . The mes - sag e - v al ue field is omitted if the mess age do es not carry any v alue. The messag es can contain mo re than one me ssag e - v al ue . An proto c o l consists o f a c ollection of actions. An action is of the following form: h la bel i :: h g uar d i → h stateme n t i . A guar d is a b o olean ex pression ov er the v aria bles o f a pro cess a nd/or a n input message . A statement is a se quence of assig nment s and/ or message sendings . An action can b e ex ecuted only if its guard is true. W e a ssume that the actions INRIA Snap-Stabilization in Message-Passing Systems 5 are atomically executed, meaning that the ev a lua tion of the gua r d and the execution o f the corres p o nding s ta tement of an action, if executed, a re done in o ne atomic step. An action is said enable d when its g uard is true. When several actions a re simultaneously enabled at a pro cess p , all these a ctions are sequentially executed following the orde r of their app earance in text of the pr oto col. W e reduce the state of ea ch pro ces s to the state o f its lo c a l memory , a nd the state of each link to its conten t. Hence, the glo bal sta te o f the system, refer red to as c onfigur ation , can b e simply defined a s the pr o duct o f the states of the memories of pro cess es and of the conten ts of the links. A distributed system can b e describ e d using a t r ansition system [32]. A tr ansition system is a 3-uple S = ( C , 7→ , I ) such that: C is set of co nfigurations , 7→ is a binary tra nsition rela tion on C , and I ⊆ C is the set of initial c o nfigurations . Using the notion of tr ansition system, we can modeliz e the executions of a distributed s y stem as follows: an exe cu tion o f S = ( C , 7→ , I ) is a maximal sequence of configuratio ns γ 0 , . . . , γ i − 1 , γ i , . . . s uch that: γ 0 ∈ I and ∀ i > 0, γ i − 1 7→ γ i ( γ i − 1 7→ γ i is refer red to as a st ep ). In this paper , w e o nly consider systems S = ( C , 7→ , I ) s uch that I = C . Snap-Stabilization. In the following, a sp e cific ation is a predica te defined on the execu- tions. Definition 1 (Snap-Stabilization [11]) L et S P T b e a sp e cific ation. An pr oto c ol P is snap-stabilizing for S P T if and only if st arting fr om any c onfigur ation, any exe cution of P satisfies S P T . It is imp or tant to note that a s nap-stabilizing proto co l do es not guara ntee that the system never works in a fuzzy manner. Actually , the ma in idea b ehind the sna p-stabilization is the following: the proto co l is seen a s a function and the function ensures t wo prop erties despites the ar bitrary initial configur a tion of the system: (1) Up o n an extern al ( w.r.t. the proto col) r e qu est at a pro cess p , the pro cess p (called the initiator ) star ts a c omputation of the function in finite time using spec ial a ctions called s t arting actions . (2) If the pro cess p starts an c omputation , then the computation p erfor ms an exp e cte d task . With such pro p erties, the proto col a lwa ys satisfies its sp ecifications . Indeed, when the proto co l receives a re quest, this means that an exter nal a pplication (or a user) re q uests the computation of a sp ecific task provided by the proto c ol. In this case, a sna p-stabilizing proto col gua rantees that the requested ta sk is executed as exp ected. O n the contrary , when ther e is no request, there is nothing to gua rantee 1 . 1 This latter p oint is the basis of many misunderstandings ab out snap-stabilization. Indeed, due to the arbitrary i nitial configuration, some computations ma y initiall y run i n the system without having b een started: of course, snap-stabilization does not provide any guaran tee on these non-requeste d computations. Consider, f or instance, the problem of mutual exclusion . Starting from any configuration, a snap-stabilizing protocol cannot prev ent several (non-requesting) pr o cesses to execute the cr itical section simultane ously . How ever, it guaran tees that ev ery requesting pro cess executes the critical section in an exclusiv e manner. RR n ° 9999 6 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil Sp ecifications. Due to the Start and Corr e ctness pr op erties it has to ensure, snap-sta - bilization req uires s pe cifications ba sed on a sequence of actio ns (request, star t, . . . ) r ather than a particular subset of co nfigurations ( e.g. , the le gitimate c onfigur ations ). Hence, for any tas k T , we consider sp ecifica tions o f the following form: - When requested, an initiator sta rts a computation of T in a finite time. (Start) - Any computation o f T that is started is co r rectly p erfor med. (Correctness) In this pap er, the tw o first pr oto cols we present ar e of a particular class: the wave proto cols [32]. The particular ity o f such proto cols is that they compute tasks that ar e finite a nd each of their computations contains at least one de cision event that causally dep ends o n an action a t each pro ce ss. Hence, our sp ec ific a tions fo r wav e proto cols contain t wo additionnal requirements: - Each computation (even non-s tarted) termina tes in finite time. (T ermination) - When the proto col ter minates, if a computation was s ta rted, then at least one de- cision o ccur red and such a de c is ion causa lly dep ends on a n action at every pro cess. (Decision ) Self- vs. Snap-Stabilization. Snap-stabilizing pr o to cols are o ften compared to the self-stabilizing pr oto cols — such proto cols co nverge in a finite time to a sp ecified b ehavior starting from any initial co nfiguration ([23]). The main adv antage of the s nap-stabilizing approach compar ed to the self-stabilizing one is the following: while a snap-s tabilizing pro- to col ensur es that a ny request is satisfied des pite the a rbitrar y initial configur ation, a self- stabilizing proto c ol often needs to b e rep ea ted an unbounded num ber of times b efore guar- ant y ing the prop er pro cessing o f a ny request. 3 Imp ossibilit y of S n ap-Stabilization in M essage-P as- sing with Un b ounded Capacit y Channels In [3], Alp ern and Schneider o bs erve that a sp ecificatio n is an intersection of s afety and liveness prop erties. In [4], the s ame authors define a safety prop erty as a se t o f “bad things” that must never happ en. Hence, it is sufficien t to show that a prefix of an execution con tains a “bad thing” to pr ove that the execution (and so the proto col) vio lates the safety pr op erty . W e now consider s afety-distribute d specifica tions, i.e. , sp ec ifications ha ving so me safety- distribute d pr op erties. Roug hly s p ea king, a safety-distribute d pro p erty is a sa fety prop erty that do es not o nly depend o n the b ehavior of a single pro c ess: some lo cal be haviors at some pr o cesses are forbidden to b e ex e cuted s imu ltaneous ly while they are po ssible a nd do not vio late the sa fety-distributed prop erty if they are ex ecuted alone. F or example, in the m utual ex c lusion problem, a reques ting pr o cess even tually e x ecutes the cr itical section but no tw o r equesting pr o cesses must execute the critical section co nc ur rently . W e now introduce the no tions of abstr act c onfigur ation, st ate-pr oje ction, and sequenc e- pr oje ction . These three notions are useful to formalize safety-distribute d s p ecifications. INRIA Snap-Stabilization in Message-Passing Systems 7 Definition 2 (Abstract Config uration) We c al l abstract configuration any c onfigura - tion r estricte d to the state of the pr o c esses ( i.e. , a c onfigur ation wher e the state of e ach link has b e en r emove d). Definition 3 (State-Pro jection) L et γ b e c onfigur ation and p b e a pr o c ess. The state- pro jection of γ on p , note d φ p ( γ ) , is the lo c al st ate of p in γ . Similary, the state-pr o jection of γ on al l pr o c esses, φ ( γ ) is the pr o duct of t he lo c al states of al l pr o c esses in γ ( n.b. φ ( γ ) is an abstr act c onfigur ation). Definition 4 (Sequence-Pro jection) L et s = γ 0 , γ 1 , . . . b e a c onfi gu r ation se quenc e and p b e a pr o c ess. T he sequenc e - pro jection of s on p , note d Φ p ( s ) , is t he state se quenc e φ p ( γ 0 ) , φ p ( γ 1 ) , . . . Simila ry, the sequence-pro jection of s on al l pr o c esses, note d Φ( s ) , is the abstr act c onfigur ation se quenc e φ ( γ 0 ) , φ ( γ 1 ) , . . . Definition 5 (Safet y-Distributed) A sp e cific ation S P is safety-distributed if ther e exists a se quenc e of abstra ct c onfi gur ations BAD , c al le d bad-factor , such that: (1) F or e ach ex e cut ion e , if ther e exist thr e e c onfigur ation se quenc es e 0 , e 1 , and e 2 such that e = e 0 e 1 e 2 and Φ( e 1 ) = B AD , then e do es not satisfy S P . (2) F or e ach pr o c ess p , ther e exists at le ast one exe cution e p satisfying S P wher e ther e exist thr e e c onfigu r ation se quenc es e 0 p , e 1 p , and e 2 p such that e p = e 0 p e 1 p e 2 p and Φ p ( e 1 p ) = Φ p ( BAD ) . Almost all classical problems of distributed computing ha ve safety-distribute d sp ecifications, e.g. , mutual exclusion, phase synchronization, . . . F or example, in mutual exclus io n a b ad- factor is any sequence of abstract configura tions whe r e several reques ting pro cess e s exe cutes the critica l section concurr ently . W e now consider a message- passing system with unbounded capacity channels and sho w the imp ossibility of sn ap-stabilization for safety-distribute d sp ec- ifications in that case. Theorem 1 Ther e ex ists no safety-distributed sp e cific ation that admits a s n ap-stabilizing solution in message-p assing syst ems with unb ounde d c ap acity channels. Pro of. Let S P b e a safety-distribute d sp ecification and BAD = α 0 , α 1 ,. . . b e a b ad-factor of S P . Assume, for the purp os e of contradiction, that ther e exists a pro to col P that is sna p- stabilizing for S P . By Definition 5, for each pro cess p , there exists an execution e p of P that can b e split into three e xecution factors e 0 p , e 1 p = β 0 , β 1 ,. . . , and e 2 p such that e p = e 0 p e 1 p e 2 p and Φ p ( e 1 p ) = Φ p ( BAD ). Let us deno te b y M e s S eq q p the order ed seq ue nce of messa ges that p receives fro m any pro cess q in e 1 p . Co nsider now the configur ation γ 0 such that: (1) φ ( γ 0 ) = α 0 . (2) F o r each tw o pro cesses p , q such tha t p 6 = q , the link { p , q } as the following state in γ 0 : (a) The mess a ges in the channel from q to p are exactly the sequence M esS eq q p (keeping the same order ). RR n ° 9999 8 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil (b) The messages in the c hannel from p to q are exactly the sequence M esS e q p q (keeping the same order ). (It is imp ortant to no te that we have the guarantee that γ 0 exists b ecause we assume un- bo unded capacity channels. Assuming channels with a bo unded capacity c , no configura tion satisfies Poin t (2) if ther e are at least tw o dis tinct pro cesses p and q suc h that | M esS eq q p | > c .) As P is sna p-stabilizing, γ 0 is a p os sible initial co nfiguration of P . T o obtain the con- tradiction, we now s how that there is an execution starting from γ 0 that do es not satisfy S P . By definition, φ ( γ 0 ) = α 0 . Consider a pro cess p and the tw o first configuratio ns of e 1 p : β 0 and β 1 . An y mess a ge that p receives in β 0 7→ β 1 can b e received by p in the first step from γ 0 : γ 0 7→ γ 1 . No w, φ p ( γ 0 ) = φ p ( β 0 ). So, p can b ehav e in γ 0 7→ γ 1 as in β 0 7→ β 1 . In tha t ca se, φ p ( γ 1 ) = φ p ( β 1 ). Hence, if every pro cess p behaves in γ 0 7→ γ 1 as in the first step of its execution factor e 1 p , we o bta in a configur ation γ 1 such that φ ( γ 1 ) = α 1 . By induction principle, there ex is ts a n execution prefix star ting from γ 0 noted P R E D such that Φ( P RE D ) = B AD . As P is snap-stabilizing , there exists an execution S U F F that starts from the last configura tion o f P R E D . No w, merging P RE D a nd S U F F we obtain an exe - cution of P that do es not sa tisfy S P — this contradicts the fact that P is s nap-stabilizing.  Int uitively , the impo ssibility result of Theorem 1 is due to the fact that in a s ystem with un b ounded ca pacity channels, a ny initial configur ation can contain an unbounded num be r of messa ges. If we consider now systems with b ounded a nd known channel capacity , we can circumv ent the imp oss ibilit y result by des igning proto cols that r equire a num b er of mess ages that is greater than the b ound on the channel capacity to pe r form their sp ecified task. This is our approa ch in the nex t section. 4 S n ap-Stabilizing Message-P assing Proto cols W e now co nsider systems with channels having a b ounded ca pacity . In such systems, we assume that if a pr o cess sends a messa ge in a channel that is full, then the message is lo st. W e restrict our study to sys tems with single-message ca pa city channels. The exten tion to an arbitrar y but known b ounded message ca pacity is str aightforw ard (see [6, 7]). W e prop o se three sna p-stabilizing pr oto cols (Algorithms 1-3) for the Pr op agation of Information with F e e db ack (P IF), IDs-Learning, a nd mutual exclusion pr oblem, resp ectively . The PIF is a basic to ol allowing us to solve the t wo o ther problems. The IDs-Learning is a simple application of the P IF. Finally , the m utual exclusion proto col uses the tw o former proto cols . 4.1 A PIF P roto c ol The concept of Pr op agation of Information with F e e db ack (P IF), also called Wave Pr op aga- tion , has b een introduce d by Chang [13] and Segall [31]. P I F has b een extensively studied in the distributed litera tur e becaus e many fundamental proto cols, e.g. , R eset , Snapshot , L e ader Ele ction , and T ermination Dete ction , can b e solved using a PIF- based solution. The INRIA Snap-Stabilization in Message-Passing Systems 9 PIF scheme can b e infor mally describ ed as follows: when re quested, a pro ce s s s ta rts the first phase of the PIF-computation by broa dcasting a sp ecific mess a ge m into the netw ork (this phase is c a lled the br o adc ast phase ). Then, every no n- initiator a cknowledges 2 to the initiator the receipt of m (this phase is called the fe e db ack phase ). The PIF-co mputation ter- minates when the initiator received acknowledgmen ts fro m every other pr o cess and decides taking these ackno wledgments int o account. In distributed systems, a ny pro cess may nee d to initiate a PIF-co mputation. Thus, any pr o cess ca n be the initiato r o f a P IF-computation and several PIF-computatio ns may run concurr e nt ly . Hence, a ny PIF pro to col ha s to cop e with co ncurrent PIF-c o mputations. Sp ecification 1 (PIF-Execution) An exe cution e satisfies PIF- execution ( e ) if and o nly if e satisfies the fol lowing four pr op erties: - Start. When ther e is a r e quest for a pr o c ess p to br o adc ast a message m , p starts a PIF-computation in fin ite time. - Correctness. Du ring any P IF-computation starte d by p for the message m : - Any pr o c ess differ ent of p re c eives m . - p r e c eives acknow le dgments for m fr om every other pr o c ess. - T erminatio n. Any PIF-c omputation (even non-starte d) terminates in fi nite time. - Decision. When a P IF-computation starte d by p terminates at p , p de cides t aking al l acknow le dgments of the last message it br o adc asts into ac c ount only. Approac h. In the following, we r efer to o ur snap-stabilizing P IF as P roto col P I F . W e describ e our appro ach using a net work of tw o pr o cesses: p and q . The ge ne r alization to a fully- c onnected netw ork o f mo re than tw o pro cesses is straightforward and presented in Algorithm 1. Consider the fo llowing example. E ach pro cess maintains in the v ar iable Ol d its own age and p wan ts to know the age of q . Then, p p erfor ms a P IF of the mess age “ How o ld a re you?”. T o that goal, we need the following input/output v ariables : - Requ est p . This v ariable is used to ma nage the P IF’requests for p . Request p is (ex- ternally) set to Wait when there is a request for p to perfor m a P IF. Request p is switched from Wait to In at the sta rt of each PIF- computation ( n.b. p starts a PIF- computation up on a request o nly). Finally , Reque st p is switched from In to Do ne a t the termination of each PIF-co mputation (this latter sw itch als o corr esp onds to the de cision event ). Since a PIF-computation is started by p , we as sume that p do es not set Re quest p to Wait un til the termination of the current PIF-computation, i.e. , until Reques t p = Done . - B - Me s p . This v a riable contains the messag e to br oadcast. - F - Me s q . When q receives the bro adcast messag e, q assigns the ackno wledgment message in F - Mes q . 2 An ac kno wledgmen t is a message sent by the receiving pro cess to inform the sender about data it hav e correctly receiv ed. RR n ° 9999 10 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil Using these v a riables, we p erform a P IF of “How o ld ar e y ou?” a s follows: P I F . B - M es p and P I F . R eques t p are r esp ectively (ex ternally) set to “How old are you?” a nd W ait meaning that we request tha t p broadca s ts “How old ar e you?” to q . Conseq ue ntly to this reques t, Proto co l P I F star ts a PIF-computation by setting P I F . R eques t p to In and this computa- tion terminates when P I F . Reque st p is set to Do ne . Betw een this sta rt a nd this termination, P I F gener ates tw o even ts. First, a “ receiv e-brd h H ow old ar e y ou ? i from p ” even t a t q . When this even t o ccurs, q sets P I F . F - Mes q to O l d q so tha t P I F feedbacks the v alue o f Ol d q to p . P r oto col P I F then transmits the v alue o f Ol d q to p : this g enerates a “ recei ve-fc k h x i from q ” event at p w her e x is the v alue of O l d q . A naive attempt to implement Proto co l P I F could b e the following: - When P I F . Re quest p = Wai t , p sends a broadcas t messag e co nt aining the data message P I F . B - Mes p to q and s ets P I F . Re quest p to In (meaning that the PIF- computation is in pro ce ssing). - Up on receiving a bro adcast messag e containing the data B , a “ receive-brd h B i from p ” even t is gener ated at q so that the application (a t q ) that uses the PIF treats the message B . Upon this event, the applica tion is a ssumed to set the feedback message int o P I F . F - Mes q . The n, q s ends a feedback message co ntaining P I F . F - Mes q to p . - Up on r eceiving a feedback mes sage containing the data F , a “ receive-fc k h F i from q ” e vent is genera ted a t p so that the application (at p ) that us es the PIF trea ts the feedback a nd then sets P I F . Reques t p to Done . Unfortunately , such a s imple a pproach is not sna p-stabilizing in o ur system: (1) Due to the unreliability of the c hannels, the system may suffer of deadlo ck. If the broadcas t mess a ge from p or feedback messag e fro m q are lo st, P roto co l P I F never terminates at p . (2) Due to the ar bitrary initial configura tion, the link { p , q } may initially alrea dy c ontain an ar bitrary messag e in the channel from p to q and another in the channel from q to p . Hence, after sending the br oadcast mes sage to q , p may receive a feedback message that was not sent by q . Also, q may receive a br oadcast mes sage that was not sent by p : as a consequence, q genera tes an undesir able feedback messa ge. T o circumv ent these tw o pro blems, we use tw o additionnal v a riables at each pr o cess: - Stat e p ∈ { 0,1,2,3 ,4 } (resp. St ate q ) is a flag v alue that p (resp. q ) puts into its messages. - Neig State p (resp. NeigSt ate q ) is equal to the last State q (resp. State p ) that p (resp. q ) receives fro m q (res p. p ). (Note that we use a single messag e type, noted PI F , to manag e the PIF-computations initiated by b oth p and q .) Our pro to col works a s follows: p starts a PIF-c omputation by setting State p to 0. Then, until State p = 4, p rep eatedly sends h P IF , B - Mes p , F - Mes p , State p , NeigSt ate p i to q . When q rec eives h B , F , pS tate , q S tate i (fro m p ), q up dates N eigSta te q to pS tate a nd then INRIA Snap-Stabilization in Message-Passing Systems 11 sends a message h PIF , B - M es q , F - Mes q , State q , NeigSt ate q i to p if pS tate < 4 ( i.e. , if p is still waiting for a messa ge from q ). Fina lly , p increments St ate p only when it receives a h PIF , B , B , q S tate , pS tate i message fro m q such that State p = pS tate and pS tate < 4. Hence, after p starts, Sta te p = 4 only after p succ e ssively receives h PIF , B , F , q S tate , pS ta te i messages (from q ) w ith pS tate = 0 ,1,2,3. Now, cons ide r ing the arbitra ry initial v alue of NeigSt ate q and the a t most tw o ar bitrary messages initially in the link { p , q } (o ne in the channel fro m p to q and one in the channel fr om q to p ), we are s ur e that after p star ts, p receives a h PIF , B , F , q S tate , pS tate i from q with pS tate = S tate p = 3 o nly if this message was sent by q consequently to the receptio n by q of a mess a ge sent b y p . Figure 1 illustra tes the worst ca se of Pro to col P I F in terms o f config ur ations. In this example, p may incr ement Sta te p after r e ceiving the initial message with the flag v alue pS tate = 0. Then, if q starts a PIF-computatio n, q sends mes s ages with the flag v alue pS tate = 1 until receiving (from p ) the initial messa ge with the v a lue pS t a te = 2. Hence, p can still increment S tate p t wice due to the v a lues 1 and 2 ( i.e. , S tate p then reaches the v alue 3 ). B ut, a fter these incr ementations, p no more incre ments Stat e p un til rec e iv ing a message with the v alue pS tate = 3 a nd q starts sending messages with the v a lue pS tate = 3 only after r eceiving a mess age from p with the v alue pS tat e = 3. Finally , note that after receiving a mes s age with the v alue pS tate = 3, p increments Stat e p to 4 and stops sending messages unt il the next request. T his ensures tha t if the requests eventually stop, the system even tually contains no messa ge. Figure 1 : W ors t case of P r oto col P I F in terms of configura tions. It r emains to see whe n a pro cess can generate the receive-brd and receiv e-fc k even ts: - q receives a t least 4 copie s of the broadca st messages . But, q gener ate a receive-brd even t only once for each broa dcast message: when q switches Ne igSta te q to 3. - After it starts, p is sur e to rece ive the “go o d” feedback only when it r eceives a message with pS tate = Sta te p = 3. As previously , to limit the num b er o f even ts, p g enerates a receiv e-fc k even ts only when it switches State p from 3 to 4. The other copies are then ignor ed. Also, note that after r e ceiving this message, p can o nly receives duplicates until the next PIF-co mputation. Hence, when p decides, it decides only taking the “g o o d” feedbacks into account. W e g eneralize this sna p-stabilizing o ne - to-one bro adcast with feedback to a snap-sta bilizing all-to-all br oadcast with feedback ( i.e. , a PIF) in Algorithm 1. It is imp o rtant to note that RR n ° 9999 12 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil Algorithm 1 Pro to col P I F for any pro cess p Constant: n : in teger, n umbe r of pro cesses V ariables: Request p ∈ { Wait , In , Done } : input/output v ariable B - Mes p : data to broadcast, inp ut v ariable F - Mes p [1 . . . n − 1] : arra y of me ssages to feedback, in put v ariable State p [1 . . . n − 1] ∈ { 0,1,2,3,4 } n − 1 : in tern al v ariable NeigState p [1 . . . n − 1] ∈ { 0,1,2,3,4 } n − 1 : in tern al v ariable Actions: A 1 :: ( Re quest p = Wait ) → Request p ← In / ∗ Start ∗ / for all q ∈ [1 . . . n − 1] do State p [ q ] ← 0 done A 2 :: ( Re quest p = In ) → if ( ∀ q ∈ [ 1 . . . n − 1], State p [ q ] = 4) then Request p ← Done / ∗ T erm ination ∗ / else for all q ∈ [1 . . . n − 1] do if ( S tate p [ q ] 6 = 4) then send h PIF , B - Mes p , F - Mes p [ q ], State p [ q ], NeigState p [ q ] i to q end if done end if A 3 :: receive h PIF , B , F , q S tate , pS tate i from q → if ( NeigState p [ q ] 6 = 3) ∧ ( qS tate = 3) then generate a “ receiv e-b rd h B i from q ” event end if NeigState p [ q ] ← q S tate if ( State p [ q ] = pS tate ) ∧ ( State p [ q ] < 4) then State p [ q ] ← State p [ q ] + 1 if ( S tate p [ q ] = 4) then generate a “ receive -fck h F i fro m q ” even t end if end if if ( q S tate < 4) then send h PIF , B - Mes p , F - Mes p [ q ], State p [ q ], NeigState p [ q ] i to q end if our pro to col do es not preven t pro ces s es to generate unexp ected receiv e-brd or receiv e-fc k even ts. Actually , what our proto c ol ensures is: when a pro cess p starts to broadcast a message m , then (1) every o ther pro cess even tually r eceives m ( receive-brd ), (2 ) p even- tually r eceives a feedback for m from a ny o ther pr o cess ( receive-fc k ), and (3) p decides ( P I F . Re quest p ← Done ) by only taking the “go o d” feedbacks into acc ount. Another in- teresting pr o p erty o f our pr oto col is the following: after the first complete computation of P I F (from the start to the terminatio n), the channels from and to p contain no messa ge from the initial configura tion. Pro of of Snap-Stabili zation. The pro o f of snap-stabiliza tion of P I F just consis ts in showing that, despite the arbitr a ry initial co nfiguration, any execution of P I F alwa ys sat- isfies the four pro pe rties of Spec ific a tion 1 . In the following pro ofs, the mess ag e - v al ue s will be r eplaced by “ − ” when they have no impact on the reasonning. INRIA Snap-Stabilization in Message-Passing Systems 13 Lemma 1 (Start) St arting fr om any c onfigur ation, when ther e is a r e quest for a pr o c ess p to br o adc ast a message, p starts a PIF-co mputation in finite time. Pro of. W e assumed that Reque st p is externa lly s e t to Wa it when there is a request for the pro cess p to bro adcast a messag e. Moreov er, we claim that a pro cess p starts Pr oto col P I F by switching Reque st p from Wait to I n . Now, when Requ est p = Wait , Action A 1 is contin uously ena bled at p and by executing A 1 , p sets Req uest p to In . Hence, the lemma holds.  The following Lemmas (Lemmas 2-6) ho ld a ssuming that no PIF-c omputation (even non- started) ca n b e interrupted due to a nother r equest: Hyp othesi s 1 While R eques t p 6 = D one , Re quest p is not (external ly) set to Wai t . Lemma 2 Consider t wo distinct pr o c esses p and q . Starting fr om any c onfigur ation, if ( Reques t p = I n ) ∧ ( St ate p [ q ] < 4) , then S tate p [ q ] is eventu al ly incr emente d. Pro of. Assume, for the purp ose of contradiction, that Reque st p = In and State p [ q ] = i with i < 4 but Sta te p [ q ] is never incremented. Then, from Algor ithm 1, R eques t p = I n and Sta te p [ q ] = i ho ld forever and by Actions A 2 and A 3 , we know that: - p only s ends to q message s of the for m h PIF , − , − , i , −i . - p sends s uch messag es infinitely many times. As a consequence, q even tually only receives from p messag es o f the form h PIF , − , − , i , −i and q receives such messa ges infinitely often. By Action A 3 , N eigSt ate q [ p ] = i even tually holds forever. F rom that p oint, any messa ge that q sends to p is of the form h PI F , − , − , − , i i . Also, as i < 4 and q receives infinitely many message s fro m p , q sends infinitely many message s of the for m h PIF , − , − , − , i i to p (see Action A 3 ). Hence, p event ually receives h P IF , − , − , − , i i from q a nd, as a co nsequence, incr ements S tate p [ q ] (see Action A 3 ) — a contradiction.  Lemma 3 (T ermination) Starting fr om any c onfigur ation, any PIF-computation (even non-starte d) terminates in finite time. Pro of. Assume, for the pur p ose of contradiction, that a PIF-c omputation never termi- nates a t so me pr o cess p , i.e. , R eques t p 6 = D one fo rever. Then, Requ est p = I n even tually holds fo rever by Lemma 1. Now, by Lemma 2 and owing the fact that ∀ q ∈ [1 . . . n − 1 ], State p [ q ] cannot decrease while the computation is not terminated at p , we can deduce that p even tually sa tisfies “ ∀ q ∈ [1 . . . n − 1 ], State p [ q ] = 4” forever. In this case, p se ts Reque st p to Don e by Action A 2 — a contradiction.  Lemma 4 L et p and q b e two distinct pr o c esses. After p starts t o br o adc ast a message fr om an arbitr ary c onfigur ation, p switches St ate p [ q ] fr om 2 t o 3 only if the thr e e fol lowing c onditions hold: RR n ° 9999 14 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil (1) Any message in the channel fr om p to q ar e of t he form h PIF , − , − , i , −i with i 6 = 3 . (2) Nei gStat e q [ p ] 6 = 3 . (3) Any message in the channel fr om q t o p ar e of the form h PIF , − , − , − , j i with j 6 = 3 . Pro of. p starts to br o adcast a mes sage by executing Action A 1 ( n.b. A 1 is the only starting action of P I F ). When p exe c utes A 1 , p sets (in particula r) State p [ q ] to 0. F rom that p oint, State p [ q ] can o nly b e incremented one by one until r eaching v alue 4 . Let us study the three first incr ementations of Sta te p [ q ]: - F rom 0 to 1. State p [ q ] switches from 0 to 1 only after p rec e ives h P IF , − , − , − ,0 i from q (Action A 3 ). As the link { p , q } always co ntains a t most one message in the channel from q to p , the ne x t mes s age that p will r e ceive fr o m q will b e a message sent by q . - F rom 1 to 2. F rom the prev ious case, we k now that St ate p [ q ] switches from 1 to 2 only whe n p receives h PIF , − , − , − ,1 i from q and this messa ge was sent by q . F rom Actions A 2 and A 3 , we can then deduce that Nei gStat e q [ p ] = 1 held when q s e nt h PIF , − , − , − ,1 i to p . F r om that p oint, NeigS tate q [ p ] = 1 holds until q r eceives from p a message o f the fo rm h PIF , − , − , i , − i w ith i 6 = 1. - F rom 2 to 3. The switching o f S tate p [ q ] fro m 2 to 3 ca n o ccurs only after p r e- ceives a message mes 1 = h PIF , − , − , − ,2 i from q . Now, from the previous case, we can deduce that p re c eives me s 1 consequently to the reception b y q o f a message mes 0 = h PIF , − , − ,2, −i from p . Now: (a) As the link { p , q } always contains at mos t one mess age in the channel from p to q , after receiving mes 0 and until Sta te p [ q ] switches fro m 2 to 3, e very mess age in tra nsit fro m p to q is of the form h PIF , − , − , i , −i with i 6 = 3 (Condition (1) of the lemma) b ecause after p star ts to broa dcast a mes sage, p sends messa ges of the for m h PIF , − , − ,3, −i to q only when State p [ q ] = 3. (b) After receiving mes 0 , Ne igSta te q [ p ] 6 = 3 until q rec e ives h PIF , − , − ,3, − i . Hence, by ( a ), after receiving mes 0 and until (at lea st) St ate p [ q ] switches from 2 to 3, NeigSt ate q [ p ] 6 = 3 (Condition (2) of the lemma). (c) After receiv ing mes 1 , Sta te p [ q ] 6 = 3 until p receives h PIF , − , − , − ,3 i from q . As p receives mes 1 after q re c eives mes 0 , by ( b ) we can deduce that after r eceiving mes 1 and until (at least) State p [ q ] s witches from 2 to 3, every message in transit from q to p is of the for m h PIF , − , − , − , j i with j 6 = 3 (Co ndition (3) of the lemma). Hence, when p switches S tate p [ q ] from 2 to 3 , the three co nditions (1), (2), a nd (3) are s atisfied, which proves the le mma.  Lemma 5 (Correctness) Starting fr om any c onfi gu r ation, if p st arts to br o adc ast a mes- sage m , then: - Any pr o c ess differ ent of p r e c eives m . - p r e c eives acknow le dgments for m fr om every other pr o c ess. INRIA Snap-Stabilization in Message-Passing Systems 15 Pro of. p starts to broadca st m by executing Action A 1 : p switches Re quest p from Wai t to In and sets Sta te p [ q ] to 0, ∀ q ∈ [1 . . . 0]. Then, Request p remains equal to In until p decides by Reques t p ← Don e . Now, p decides in finite time by Le mma 3 and when p decides, we hav e Sta te p [ q ] = 4, ∀ q ∈ [1 . . . 0] (Action A 2 ). F ro m the co de o f Algorithm 1, this mea ns that ∀ q ∈ [1 . . . 0], State p [ q ] is incremented one by one from 0 to 4. B y Le mma 4, ∀ q ∈ [1 . . . 0], S tate p [ q ] is incremented fr om 3 to 4 only after: - q receives a mes s age sent by p of the form h P IF , m , − ,3, − i , and then - p receives a messa ge sent by q of the form h PIF , − , − ,3 , −i . When q receives the first h PI F , m , − ,3, −i messa ge from p , q g enerates a “ receiv e-brd h m i from p ” even t a nd then starts to send h PIF , − , F , − ,3 i messa ges to p 3 . F rom that p oint and un til p decides, q o nly receives h PI F , m , − ,3, −i message from p . So, from that p oint and un til p decides, any message that q se nds to p ackno wledges the rece ption of m . Since, p re ceives the fir st h P IF , − , F , − ,3 i mess age from q , p g enerates a “ recei v e-fc k h F i from q ” even t and then sets Stat e p [ q ] to 4 . Hence, ∀ q ∈ [1 . . . 0], the broadca s t of m gener ates a “ recei ve-brd h m i from p ” event at pro c e ss q and then a n ass o ciated “ receiv e-fc k h F i from q ” e vent at p , which proves the lemma.  Lemma 6 (Decision) St arting fr om any c onfigu r at ion, when a PIF- c o mputation starte d by p terminates at p , p de cides taking al l acknow le dgments of the last message it br o adc asts into ac c oun t only. Pro of. First, p star ts to br o adcast a message m by ex ecuting Action A 1 : p switches Reques t p from Wai t to In and sets State p [ q ] to 0, ∀ q ∈ [1 . . . 0]. Then, Re quest p remains equal to In un til p decides by R eques t p ← D one . Now, (1) p decides in finite time by Lemma 3, (2) when p decides, we have Sta te p [ q ] = 4, ∀ q ∈ [1 . . . 0] (Action A 2 ), and (3) after p dec ides , each time q re c e ives a mess a ge fr om p with the data m , the message is ignored (this is a conse quence of Cla im (2)). F rom the co de of Algorithm 1, we know that exactly one “ receive-fc k h F i from q ” event p er neighbor q oc c urs at p b efor e p decides: when p switches Sta te p [ q ] from 3 to 4. Now, Lemma 5 a nd Claim (3) imply that each of these feedbacks co rresp o nds to an ackno wledgment for m . Hence, p de c ides tak ing a ll ackno wledgments of m into acco unt only and the lemma is pr ov en.  By Lemmas 1, 3, 5, and 6, starting from any arbitra ry initial configura tion, any execution of P I F alwa ys sa tisfie s Sp ecification 1. Hence, follows: Theorem 2 Pr oto c ol P I F is snap-stabilizing for Sp e cific ation 1 . Below, we give an additio nnal prop erty of P I F , this pro p e rty will b e used in the snap- stabilization pro of o f Pro to col ME . 3 q sends a h PIF , − , F , − ,3 i message to p (at least) eac h time it receives a h PIF , m , − , 3, −i message f rom p . RR n ° 9999 16 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil Prop ert y 1 If p s t arts a PIF-c omputation (using Pr oto c ol P I F ) in t he c onfigur ation γ 0 and the c omputation t erm inates at p in t he c onfigur ation γ k , then any message that was in a channel fr om and to p in γ 0 is no longer in the channel in γ k . Pro of. Assume that a pro ces s p starts a PIF-computatio n (using Proto co l P I F ) in the configuratio n γ 0 . Then, as P I F is snap-s ta bilizing for Specifica tion 1, we hav e the guarantee that for every p ’neighbor q , at lea st one broadca st messag e cros ses the channel from p to q and at least one ackno wledgment mes s age crosses the channel from q to p during the PIF-c omputation. Now, we assumed that each channel has a single-messa ge capacity . Hence, every message that was in a channel from a nd to p in the configur ation γ 0 has b een received or lost when the PIF- computation ter minates a t p in c o nfiguration γ k  4.2 A IDs-Learning Proto col Proto co l I DL (its implementation is prese nt ed in Algo rithm 2 ) is a simple application of Proto co l P I F . This pr oto col assumes IDs on pro ces ses ( I D p denotes the identit y of the pro cess p ) and uses three v ariables a t e a ch pr o cess p : - Requ est p ∈ { Wait , In , Done } . The go al of this v ariable is the same a s in P I F . - minI D p . After a complete exec utio n of I D L ( i.e. , fr o m the star t to the terminatio n), minID p contains the minimal ID of the system. - ID - Tab p [1 . . . n ]. After a complete exe c ution of I D L , ID - Tab p [ q ] c o ntains the ID of the p ’neighbor q . When reque s ted ( I D L . Re quest p = W ait ) a t p , P roto co l I D L ev a luates the ID of e a ch of its neig hbors q and the minima l ID of the sys tem using P r oto col P I F . The r esults of the computation ar e av ailable for p since p decides (when I D L . R equest p ← Do ne ). Based on the sp ecification of P I F , it is e asy to see that I D L is snap-stabilizing for the following sp ecification: Sp ecification 2 (IDs-Learning-Execution ) An exe cution e satisfies IDs-Learning- e xe- cution ( e ) if and only if e satisfies t he fol lowing four pr op erties: - Start. When r e quest e d, a pr o c ess p start s a IDs- Learning-c omputation in finite time. - Correctness. At the end of any IDs-Lea rning-co mputation starte d by p : - ∀ q ∈ [1 . . . n − 1 ] , ID - T ab p [ q ] = I D q . - minI D p = min( { I D q , q ∈ [1 . . . n − 1] } ∪ { I D p } ) . - T erminatio n. Any IDs-Learning-co mputation (even non- starte d) t erminates in finite time. - Decision. If p is in a terminal state and a IDs-Lear ning-computation was starte d by p , then p de cide d kn owing the minimal ID of the system and the ID of every of its neighb ors. Theorem 3 Pr oto c ol I DL is snap-stabilizing for Sp e cific ation 2. INRIA Snap-Stabilization in Message-Passing Systems 17 Algorithm 2 Pro to col I D L for any pro ces s p Constant: n : integer, num b er of proc esses I D p : integer, identity of p V ariables: Request p ∈ { Wait , In , Done } : input/output v ariable minID p : integer, outp ut v ariable ID - Tab p [1 . . . n − 1] ∈ N n − 1 : output v ariable Actions: A 1 :: ( Request p = Wait ) → Request p ← In / ∗ Start ∗ / minID p ← I D p P I F . B - Mes p ← IDL P I F . Request p ← Wait A 2 :: ( Request p = In ) ∧ ( P I F . Request p = Done ) → Request p ← Done / ∗ T erm ination ∗ / A 3 :: receiv e-brd h IDL i from q → P I F . F - Mes p [ q ] ← I D p A 4 :: receiv e-fck h qI D i from q → ID - Tab p [ q ] ← q I D minID p ← min( minID p , qI D ) 4.3 A Mutual Exc lusion Prot o col W e now co nsider the problem of mutual exclus ion . Mutual exclusion is a well-kno wn mecha- nism allowing to allo cate a co mmon reso ur ce. Indeed, a mu tual-exc lus ion mechanism ensures that a sp ecial section of co de, called critic al se ction (noted h CS i in the following), can b e executed by a t most one pro ces s at any time. The pro cess es can use their critical section to access to a s hared re s source. Gene r ally , this resour ce c o rresp o nds to a set of shared v ariables in a common sto re or a shar ed hardware devic e ( e.g. , a printer). The first snap- stabilizing implemen tation of mutual exclusio n is presented in [21] but in the state mo de l (a stro nger mo del than the message-pa ssing mo del). In [2 1], authors a do pt the fo llowing sp e c ification 4 : Sp ecification 3 (ME-E xecution) An exe cution e satisfies ME-ex e c ution ( e ) if a nd only if e satisfies the fol lowing two pr op erties: - Start. Any pr o c ess that r e quest s the h CS i enters in the h CS i in finite time. - Correctness. If a r e questing pr o c ess enters in the h C S i , then it exe cut es the h CS i alone. Approac h. W e now pr op ose a snap-stabilizing m utual exclusion pr oto col called P roto col ME . The implementation of M E is presented in Algorithm 3. As for the previous so lu- tions, P roto co l ME uses the input/output v a riable R eques t . A pro c e ss p (ex ternally) sets ME . Req uest p to W ait when it req ue s ts the a ccess to the h CS i . Pro cess p is then called a r e questor and assumed to not execute M E . Req uest p ← W ait until ME . Req uest p = Do ne , i.e. , until its current request is done. 4 This specification was firstly i ntroduced and justified in [15]. RR n ° 9999 18 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil The main idea of the proto col is the following: we as sume IDs on pr o cesses a nd the pro cess with the smalles t ID — ca lled the le ader — decides using a v ariable called Value which pro ces s can executes the h CS i . When a pro ces s learns that it is autho rized to acce ss the h CS i : (1) It fir st ensures that no other pro cess ca n execute the h CS i . (2) It then executes the h CS i if it wishes. (3) Finally , it notifies to the leader that it releases the h CS i so that the leader (fairly ) authorizes another pro cess to access the h CS i . T o apply this sc heme, ME e x ecutes by phases from P ha se 0 to 4 in such way that each pro cess go es through Phas e 0 infinitely often. F or e a ch pro cess p , Phas e p denotes in which phase pro cess p is. After re questing the h CS i ( ME . Reques t p ← W ait ), a pr o cess p c a n access the h CS i only a fter executing Phase 0. Indeed, p can access to the h CS i only if ME . Req uest p = In and p switches ME . R eques t p from W ait to In only when executing Phase 0. Hence, our proto co l has just to ensure that after executing its phase 0, a pro cess alwa ys executes the h CS i alone. Our proto col o ffers such a guara ntee thanks to the five phases des crib ed b elow: - Phase 0. When a pro c e ss p is in Pha se 0, it starts a computation of I D L , s e ts ME . Req uest p to In if M E . Req uest p = Wait ( i.e. , if p requests the h CS i , then the proto col takes this reques t into acco unt ), a nd finally s witches to Pha se 1. - Phase 1. When a pr o cess p is in P hase 1 , p waits the ter mina tion o f I DL to know (1) the ID of each of its neighbor s q ( ID - Tab p [ q ]) and (2) the leader of the system ( I D L . min ID p ), i.e. , the pro cess with the smallest ID. Then, p s tarts a PIF of the message ASK to know which is the pro ces s authorized to a ccess the h CS i and switches to Phase 2. Upo n receiving a mes sage ASK from p , any pr o cess q answers YES if Value q is equal to the channel num b er of p a t q , NO other wise. Of co urse, p will only take the answer of the leader into a ccount. - Phase 2. When a pr o cess p is in P ha se 2 , it w aits the terminatio n of the P IF star ted in Pha se 1. After P I F terminates, the ans wers of a ny neighbors q of p ar e stored in Privil eges p [ q ] and, so, p k nows if it is a uthorized to access the h CS i . Actually , p is authorized to a c cess the h C S i (see W inner ( p )) if: (1) p is the leader and Valu e p = 0 or (2) the leader answers Y ES to p . If p has the a uthorization to access the h CS i , p star ts a P IF of the mes sage EX IT . The goal of this message is to force a ll other pro cesses to r estart to Phas e 0. This e ns ures no o ther pro cess executes the h CS i until p no tifies to the leader that it relea ses the h CS i . Indeed, due to the arbitra ry initial configuratio n, some pro c ess q 6 = p ma y b elieve that it is autho r ized to execute the h CS i : if q never starts Phas e 0. On the contrary , after res tarting to 0, q cannot receive any authorization from the leader un til p notifies to the leader that it relea ses the h CS i . Finally , p terminates Phase 2 by switching to P ha se 3 . - Phase 3. When a pr o cess p is in Phase 3, it waits the termination o f the last PIF. After P I F terminates , if p is author ized to e x ecute the h CS i , then: p executes the INRIA Snap-Stabilization in Message-Passing Systems 19 h CS i if ME . R eques t p = In ( i.e. , if the system to ok a request of p into a ccount) and then either (1) p is the lea der a nd switches Val ue p from 0 to 1 or (2) p is not the leader and starts a PIF of the messag e EXI TCS to notify to the leader that it relea ses the h CS i . Upon receiving such a message, the leader incr ements its v ar ia ble Valu e mo dulus n + 1 to authoriz e another pr o cess to access the h CS i . Finally , p terminates Phase 3 by switching to P hase 4. - Phase 4. When a pro c e s s p is in Pha s e 4, it waits the termination of the last PIF and then switches to Phase 0. Pro of of Snap-Stabilization. W e b egin the pro of of snap-stabiliza tion of Pr oto col ME by showing tha t, des pite the arbitrary initial config ur ation, any execution of ME alwa ys satisfies the co r rectness prop er ty of Sp ecifica tion 3. Assume that a pro cess p requests the h C S i , i.e. , ME . R eques t p = Wa it . Then, p ca nnot ent ers in the h CS i b efore executing Action A 0 , indeed: - p enters in the h CS i only if ME . Reques t p = I n , and - Action A 0 is the only action of ME a llowing p to set ME . Reques t p to In . Hence, to show the cor rectness prop er ty of Specifica tion 3 (Corollar y 1), we have just to prov e tha t, despite the initial configura tion, after p executes Actio n A 0 , if p enters in the h CS i , then it executes the h CS i alone (Lemma 9 ). Lemma 7 L et p b e a pr o c ess. Starting fr om any c onfi gur ation, after p exe cut es A 0 , if p enters in the h C S i , then every other pr o c ess has switches to Phase 0 at le ast onc e. Pro of. By chec king all the actions of Algorithm 3, we can r emark that after p executes A 0 , p must exec ute the four actio ns A 0 , A 1 , A 2 , and A 3 successively to enter in the h CS i (in A 3 ). Also, to execute the h CS i in Action A 3 , p must satisfy the predicate W inner ( p ). The v alue of the predicate W inner ( p ) only dep ends on (1) the I D L computation started in A 0 and (2) the PIF o f the messag e ASK started in A 1 . Now, this tw o co mputations are done when p executes A 2 . So, the fact that p satisfies W inner ( p ) when exe c uting A 3 implies that p also satisfies W inner ( p ) when e x ecuting A 2 . As a consequence , p s ta rts a PIF of the message EXIT in A 2 . Now, p executes A 3 only after this PIF termina tes. Hence, p executes A 3 only after every other pro cess exec utes A 6 ( i.e. , the feedback of the messag e E XIT ): by this action, every other pro ces s switches to P hase 0.  Definition 6 (Leader) We c al l Leader the pr o c ess of the system with the smal lest ID. In the fol lowing, this pr o c ess wil l b e denote d by L . Definition 7 (F a v our) We say that t he pr o c ess p fav ours the pr o c ess q if and only if ( p = q ∧ Value p = 0) ∨ ( p 6 = q ∧ V alue p = q ) . RR n ° 9999 20 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil Algorithm 3 Pro to col ME for any pr o cess p Constant: n : integer, num b er of proc esses I D p : integer, identity of p V ariables: Request p ∈ { Wait , In , Done } : input/output v ariable Phase p ∈ { 0,1,2,3,4 } : in tern al v ariable Value p ∈ { 0 . . . n − 1 } : in tern al v ariable Privileges p [1 . . . n − 1] ∈ { true , f alse } n − 1 : in tern al v ariable Predicate: W inner ( p ) ≡ ( I D L . minID p = I D p ∧ Value p =0) ∨ ( ∃ q ∈ [1 . . . n − 1], Pri vileges p [ q ] ∧ I D L . ID - Tab p [ q ]= I D L . minID p ) Actions: A 0 :: ( Phase p = 0) → I D L . Request p ← Wait if Request p = Wait then Request p ← In / ∗ Start ∗ / end if Phase p ← Phase p + 1 A 1 :: ( Phase p = 1) ∧ ( I D L . Request p = Done ) → P I F . B - Mes p ← ASK P I F . Requ est p ← Wait Phase p ← Phase p + 1 A 2 :: ( Phase p = 2) ∧ ( P I F . Reque st p = Done ) → if W inner ( p ) then P I F . B - Mes p ← EXIT P I F . Request p ← Wait end if Phase p ← Phase p + 1 A 3 :: ( Phase p = 3) ∧ ( P I F . Reque st p = Done ) → if W inner ( p ) then if ( R equest p = In ) then h CS i Request p ← Done / ∗ T erm ination ∗ / end if if ( I D L . minID p = I D p ) then Value p ← 1 else P I F . B - Mes p ← EXITCS P I F . Requ est p ← Wait end if end if Phase p ← Phase p + 1 A 4 :: ( Phase p = 4) ∧ ( P I F . Reque st p = Done ) → Phase p ← 0 A 5 :: receiv e-brd h ASK i from q → if Value p = q then P I F . F - Mes p [ q ] ← YES else P I F . F - Mes p [ q ] ← NO end if A 6 :: receiv e-brd h EXIT i from q → Phase p ← 0 P I F . F - Mes p [ q ] ← OK A 7 :: receiv e-brd h EXIT CS i from q → if ( Value p = q ) then Value p ← ( Value p + 1) mod ( n + 1) end if P I F . F - Mes p [ q ] ← OK A 8 :: receiv e-fck h YES i from q → Privileges p [ q ] ← tr ue A 9 :: receiv e-fck h NO i from q → Privileges p [ q ] ← f alse A 10 :: receiv e-fck h OK i from q → / ∗ do nothin g ∗ / INRIA Snap-Stabilization in Message-Passing Systems 21 Lemma 8 L et p b e a pr o c ess. Starting fr om any c onfigur ation, after p exe cutes A 0 , p ent ers in the h CS i only if the lea der favours p u ntil p re le ases t he h CS i . Pro of. By checking all the actions o f Algorithm 3, we can remark that a fter p executes A 0 , p must execute the four a ctions A 0 , A 1 , A 2 , and A 3 successively to enter in the h CS i (in A 3 ). Mo reov er, p exec utes a complete I D L -computation betw een A 0 and A 1 . So : (1) I D L . minI D p = I D L when p executes A 3 (b y Theo rem 3, I D L is s nap-stabilizing for Spec ific a tion 2). (2) Also, fr om the c o nfiguration where p e x ecutes A 1 , all messag es in the channels from and to p hav e b een sent after I D L starts at p in Action A 0 (Prop erty 1 , page 16). Let us now study the tw o fo llowing cases : - p = L . In this ca se, when p ex e cutes A 3 , p m ust satisfy Va lue p = Value L = 0 to enter in the h CS i by (1). This means that L favours p (actua lly itself ) when p ent ers in the h CS i . Morever, as the exe cution of A 3 is a tomic, L fav ours p until p r eleases the h CS i and the lemma holds in this case . - p 6 = L . In this c a se, when p executes A 3 , p satisfies I D L . min ID p = I D L by (1). So, p executes the h CS i only if ∃ q ∈ [1 . . . n − 1] such that I D L . ID - Tab p [ q ] = I D L ∧ Privil eges p [ q ] = tru e (see Predicate W inner ( p )). T o tha t goal, p must receive a feedback message YES fr om L during the PIF of the messa ge ASK sta r ted in Action A 1 . Now, L sends such a feedba ck to p only if Valu e L = p w hen the “ receive - brd h AS K i from p ” even t o ccurs at L (see Action A 5 ). Also, since L satisfies Value L = p , L upda tes Value p only after r eceiving an EXIT CS mes sage fro m p (see Action A 7 ). Now, by (2), after L feedbacks YES to p , L receives a n EXI TCS mes s age from p only if p broadcas ts E XITCS to L after releasing the h CS i (see Action A 3 ). Hence, L fav ours p un til p releases the h CS i and the lemma holds in this ca se.  Lemma 9 L et p b e a pr o c ess. St arting fr om any c onfigu r ation, if p enters in t he h CS i after exe cu ting A 0 , then it exe cutes t he h CS i alone. Pro of. Assume, for the purp o se of con tradiction, tha t p enters in the h CS i a fter executing A 0 but executes the h C S i concurrently with a no ther pr o cess q . Then, q a lso executes Action A 0 befo re executing the h CS i b y Lemma 7 . By Lemma 8, we hav e the tw o following prop er ty: - L fav ours p dur ing the whole p erio d where p ex ecutes the h CS i . - L fav ours q during the whole p erio d whe r e q executes the h CS i . This con tradicts the fact that p and q executes the h CS i c oncurrently b ecause L always fav ours e x actly o ne pro cess at a time.  Corollary 1 (Correctness) S tarting fr om any c onfi gur ation, if a re questing pr o c ess enters in the h CS i , then it exe cutes the h CS i alone. RR n ° 9999 22 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil W e now show that, despite the arbitra ry initia l c o nfiguration, a ny exec ution of ME alwa ys satisfies the star t pro p er ty of Sp ecification 3 . Lemma 10 St arting fr om any c onfigur ation, every pr o c ess p switches to Phase 0 infinitely often. Pro of. Consider the tw o following cas es: - “ receiv e - brd h EX IT i ” events o c cu r at p infi n itely often. Then, each time suc h an event o ccurs at p , p switches to Pha se 0 (see A 6 ). So , the lemma holds in this case. - Only a finite nu mb er of “ receiv e - brd h EXI T i ” events o c curs at p . In this case, p even tually re aches a config uration fr o m which it no more executes Action A 6 . F r om this configura tion, P hase p can only b e incr e mented mo dulus 5 a nd dep ending of the v alue of Phase p , we hav e the following p ossibilities: - Phas e p = 0 . In this case , A 0 is co ntin uo us ly enabled at p . Hence, p eventu ally sets Ph ase p to 1 (see Action A 0 ). - Phas e p = i with i > 0 . In this case, Action A i is even tually contin uously enabled due to the termination pr op erty o f I D L and P I F . By executing A i , p incr ements Phase p mo dulus 5. Hence, if only a finite num b er of “ recei v e - brd h EXIT i ” ev ents o c c urs at p , then Phase p is eventually incr emented mo dulus 5 infinitely o ften, which prov es the lemma in this case.  Lemma 11 St arting fr om any c onfi gur ation, Value L is incr emente d mo dulus n + 1 infinitely often. Pro of. Assume, for the purp os e o f co ntradiction, that Va lue L is even tually no more incremented mo dulus n + 1. W e can then deduce that L even tually fav ours s ome pro cess p forever. In order to prove the co ntradiction, we first s how that (*) assu ming that L favours p for ever, only a finite numb er of “ receiv e - brd h EXIT i ” event s o c curs at p . T o that g o al, assume, for the pur po se of contradiction, that an infinite num b er of “ receiv e - brd h EXIT i ” even ts o ccurs at p . Then, as the num be r of pr o cesses is finite, there is a pro cess q 6 = p that br oadcas ts EXIT messag es infinitely often. Now, ev ery P IF-computation terminates in finite time (termina tion prop erty of Spe c ification 1, page 9 ). So, q per fo rms infinitely many P IF of the message EX IT . In order to star t another PIF o f the messag e EXIT , q m ust then suc c e ssively exe c ute Actions A 0 , A 1 , A 2 . Now, when q executes A 2 after A 0 and A 1 , I D L . minID q = I D L and either (1) q = L and, as q 6 = p , Value L 6 = 0, o r (2) L has feedback NO to the PIF o f the messag e ASK started by q b ecause V alue L = p 6 = q . In bo th cases, q satisfies ¬ W in ner ( q ) and, as a consequence, do es not broadcas t EXIT (see Action A 3 ). Hence, q even tually stops to bro adcast the message EXIT — a co nt radic tio n. INRIA Snap-Stabilization in Message-Passing Systems 23 Using Pr op erty (*), we now show the contradiction. By Lemma 1 0, p switches to Phas e 0 infinitely often. By (*), we know that p even tually stops exe cuting Action A 6 . So, from the co de of Algor ithm 3, we ca n deduce that p e ven tually success ively executes Actions A 0 , A 1 , A 2 , A 3 , and A 4 infinitely often. Co nsider the fir s t time p successively exe cutes A 0 , A 1 , A 2 , A 3 , and A 4 and study the tw o following case s: - p = L . Then, Val ue p = 0 and I D L . min ID p = I D p when p executes A 3 bec ause p executes a complete I D L -co mputation betw een A 0 and A 1 and I D L is snap-stabilizing for Sp ecification 2 (page 16). Hence, p up dates Va lue p to 1 when executing A 3 — a contradiction. - p 6 = L . Then, I DL . minI D p = I D p when p executes A 3 bec ause p executes a co mplete I D L -computation b etw een A 0 and A 1 and I D L is snap- s tabilizing for Sp ecifica tion 2 (page 16). Also, p r eceives YES fr om L bec ause p executes a complete PIF of the mes- sage ASK betw een A 1 and A 2 and P I F is snap-s tabilizing for Sp ecification 1 (pag e 9). Hence, p sa tisfies the predicate W inn er ( p ) when executing A 3 and, as a co nsequence, starts a PIF o f the message EXITC S in Action A 3 . This PI F terminates when p executes A 4 : from this p oint o n, we hav e the guara nt ee tha t L has executed Action A 7 . Now, by A 7 , L increments Val ue L — a contradition.  Lemma 12 (Start) Starting fr om any c onfigur ation, any pr o c ess that r e quests the h CS i , enters in the h C S i in finite time. Pro of. Assume, for the purp ose of contradiction, that from a configur ation γ , a pro cess p req uests but never enters in the h CS i . Then, Lemma 10 implies that p event ually ex ecutes A 0 and after ex e cuting A 0 , Req uest p = I n holds for ever ( Requ est p is switched to Do ne only after p relea ses the h CS i ). F rom the co de of Algo rithm 3, we can then deduce that there is t wo p ossibilities after p executes A 0 : - p no mor e exec utes A 3 , o r - p satisfies ¬ W inner ( p ) each time it executes A 3 . Consider then the t wo following cases: - p = L . Then, Valu e p = 0 even tually ho lds fore ver — a co ntradiction to Lemma 11. - p 6 = L . In this case, p no more starts any P IF of the mess age EX ITCS . Now, every PIF- computation terminates in finite time (termination prop er t y o f Sp ecificatio n 1, page 9). Hence, the “ receiv e - brd h EXIT CS i from p ” even t e ven tually no mor e o ccurs a t L . As a co nsequence, Value L even tually no mo re switc hes from v a lue p to ( p + 1) mo d ( n + 1 ) — a contradiction to Lemma 11.  By Coro llary 1 and Lemma 12, starting fro m an y config ur ation, an y executio n of M E always satisfies Specifica tion 3. Hence, fo llows: Theorem 4 Pr oto c ol ME is sn ap-st abilizing fr om Sp e cific ation 3. RR n ° 9999 24 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil 5 Conclus ion W e addres sed the pro ble m of snap-stabilization in messag e - passing systems and presented matching negative and p os itive r e sults. On the negative side, we show that snap-stabilization is imposs ible for a wide class of sp ecific a tions — namely , the safety-distribute d sp ecifications — in mes sage-pa ssing systems where the c hannel capa c it y is finite yet unbounded. On the po sitive side, we show that snap-stabilization is p ossible (even for safety-distribute d sp ecifications) in message-pa ssing sys tems if we assume a b ound on the channel capacity . The pro of is constructive, as we presented the first three sna p- stabilizing pro to cols for message- passing sy stems with a bo unded channel capac it y . These pro to cols resp ectively so lve the PIF, IDs-Lea rning, and mutual e xclusion pr oblem in a fully-connec ted netw ork. On the theoretical side, it is worth inv estigating if the res ults pres ented in this pap er could b e extended to mo re g eneral netw orks, e.g. with general top olog ies, a nd/ or wher e no des are sub ject to p ermanent aka cras h failures. On the pr actical side, our result implies the po ssibility o f implemen ting snap- s tabilizing proto cols on real netw ork s, and a ctually implemen ting them is a future challenge. References [1] Y Afek and A Bremler. Self-sta bilizing unidirec tio nal netw ork a lgorithms b y pow er supply . Chic ago J ournal of The or etic al Computer Scienc e , 1 9 98:Article 3 , 199 8 . [2] Y Afek and GM Br own. Self-sta bilization over unr eliable co mm unication media. D is- tribute d Computing , 7):27–3 4, 1 993. [3] Bow en Alp er n and F red B. Schneider. Defining liveness. Inf. Pr o c ess. L ett. , 21 (4):181– 185, 1985. [4] Bow en Alp ern a nd F red B. Schneider. Recognizing safety and liv eness. Distribute d Computing , 2(3):117 –126 , 1987. [5] Anish Aror a and Mikhail Nester e nko. Unifying stabilization and terminatio n in message-pa ssing systems. Distribute d Computing , 17(3):279 –290 , 2005 . [6] B Awerbuc h, B Patt-Shamir, and G V arghes e . Self-stabilization by lo ca l chec king and correctio n. In F OCS91 Pr o c e e dings of the 31st Annual IEEE Symp osium on F oundations of Computer Scienc e , pag es 2 6 8–27 7, 199 1. [7] Baruch Aw erbuch, Shay K utten, Yishay Mansour, Boaz Patt-Shamir, and Geo r ge V a r ghese. A time-optimal self-stabilizing sync hronizer us ing a phas e clo ck. IEEE T r ans. Dep endable Se c. Comput. , 4(3):1 80–19 0, 200 7. [8] Doina Be in, Ajoy Kumar Datta, and Vincent Villain. Snap-stabilizing optimal binar y search tree. In T ed Herma n and S´ ebastien Tixeuil, editors, Self-Stabilizing Syst ems , volume 3 764 of L e ct ur e Notes in Computer S cienc e , pages 1–1 7. Spr inger, 2 005. INRIA Snap-Stabilization in Message-Passing Systems 25 [9] L B lin, A Cournie r , a nd V Villain. An improv ed snap-stabilizing P I F algorithm. In DSN SS S ’03 Workshop: Six th Symp osium on Self-Stabilizing Systems (S SS’03) , pag es 199–2 14. LNCS 2 704, 200 3 . [10] A Bui, AK Datta, F Petit, and V Villain. Snap-s tabilizing PIF algorithm in tre e net works without sens e of directio n. In SIROCCO’99, The 6th Intern ational Col lo quium On Stru ctur al Information and Communic ation Complexity Pr o c e e dings , pag es 32–4 6. Carleton Univ ers ity Pre s s, 1999 . [11] A Bui, AK Datta, F Petit, and V Villa in. State- optimal snap-s tabilizing PIF in tree net works. In Pr o c e e dings of the F ourth Workshop on Self-Stabilizing Systems , pages 78–85 , Austin, T exas, USA, June 1 9 99. IEEE Computer So ciety P r ess. [12] Alain Bui, Ajoy Kumar Datta, F r anck Petit, and Vincent Villain. Snap-stabiliza tion and pif in tree netw o rks. Distribut e d Computing , 2 0 (1):3–19 , 20 07. [13] EJH Cha ng. Echo algor ithms: depth parallel op erations on general gra phs . IEEE T r ansactions on Softwar e Engine ering , SE- 8:391 – 401, 1 982. [14] A Co urnier, AK Datta, F Petit, and V Villain. Snap-stabilizing PIF algorithm in arbitrar y r o oted netw ork s. In 22st International Confer enc e on Distribute d Computing Systems (ICDCS-22) , pa ges 1 99–2 06. IEE E Computer So ciety Press , 2002 . [15] A Cour nier, AK Datta, F Petit, and V Villain. E nabling snap-stabiliza tion. In 23th International Confer enc e on Distribute d Computing S ystems (ICDCS 2003) , pages 1 2– 19, P rovidence, Rho de Is land USA, May 19-22 2003. IEEE Computer So ciety P ress. [16] A Cournier, S Devismes , F Petit, and V Villain. Snap-Stabilizing Depth-First Se a rch on Arbitrary Netw orks . The Computer Journal , 49(3):2 6 8–28 0, 2006. [17] A Cournier , S Devismes, a nd V Villain. Snap-stabilizing detection of cutsets. In HIPC 2005, 12th Annual IEEE Confer enc e on High Performanc e Computing , pag e s 488– 497. LNCS 3 769, 20 05. [18] A Cournier , S Devismes, and V Villain. A snap-s tabilizing DFS with a lower space requirement. In Seventh International Symp osium on Self-St abilizing Systems (SS S’05) , pages 33–47 , Ba r celona, Spain, 2005 . LNCS 3 764. [19] A Co urnier, S Devismes, and V Villain. Snap-stabilizing P IF and useles s computa- tions. In The Twelfth In ternational Confer enc e on Par al lel and Distribute d S ystems (ICP ADS’06) , volume 1, pages 39 –46, Minneap o lis, USA, 2006. IE EE Computer So ci- ety Press P 2612 . [20] Alain Cournier, Ajoy Kumar Datta, F ranck Petit, and Vincent Villain. Optimal snap- stabilizing pif algo rithms in un-or iented trees. J. High Sp e e d Networks , 14 (2):185– 200, 2005. RR n ° 9999 26 Sylvie Dela¨ et , St´ ephane Devismes , Mikhail Nester enko , S´ eb astien Tixeuil [21] Alain Cournier, St´ ephane Devismes, and Vincen t Villain. Light enabling snap- stabilization. ACM T r ansactions on Autonomous and A daptive Systems (T AAS) , 2007. Under soumission. [22] Sylvie Dela¨ et, Bertrand Ducourthial, and S´ ebastien T ix euil. Self-stabilization with r-op era tors re visited. Journal of A er osp ac e Computing, I n formation, and Communic a- tion , 2 006. [23] EW Dijkstra. Self stabilizing s y stems in spite of distributed control. Communic ations of t he Asso ciation of the Computing Machinery , 17:6 43–64 4, 197 4. [24] Shlomi Dolev and T ed Herma n. Sup erstabilizing proto co ls for dynamic distributed systems. Chic ago Journal of The or etic al Computer S cienc e , 199 7. [25] S Ghosh, A Gupta, T Herman, a nd SV Pemmara ju. F ault-containing self-stabilizing distributed proto c o ls. T echnical Rep or t 0 0-01, Depa r tment of Co mputer Science, Uni- versit y of Iow a, 2000 . [26] Mohamed G. Go uda and Nicholas J. Multari. Stabilizing communication proto cols. IEEE T r ans. Computers , 40 (4 ):448–4 58, 19 91. [27] Ro dney R. How ell, Mikhail Nesterenko, a nd Masaa ki Mizuno. Finite-state self- stabilizing pro to cols in message- pa ssing systems. J. Par al lel Distrib. Comput. , 62(5):792 –817 , 2002 . [28] Colette Johnen, Luc Alima, Ajoy K. Datta, and S ´ ebastien Tixeuil. O ptimal snap- stabilizing neigh b orho o d synch ro niz e r in tree netw orks. Par al lel Pr o c essing L etters , 12(3-4 ):3 27–3 4 0, 2002. [29] S K atz a nd KJ Perry . Self-sta bilizing extens io ns for message - passing s ystems. Dis- tribute d Computing , 7:17– 26, 1993. [30] F r anck Petit and Vincent Villain. Optimal snap-s tabilizing depth-first token c ir culation in tr e e net works. J. Par al lel D ist rib. Comput. , 67(1 ):1 –12, 2007 . [31] A Sega ll. Distributed netw ork pro to cols. IEEE T r ansactions on In formation The ory , IT-29:23 –35, 1 983. [32] G T e l. Int ro duction to distribute d algorithms . Ca mb ridge Universit y Press , Cambridge, UK, Second edition 200 1. [33] George V arghese. Self- s tabilization by counter flushing . SIAM J. Comput. , 3 0(2):486 – 510, 2000. INRIA Unité de recherche INRIA Futurs Parc Club Orsay Uni versité - ZA C des V ignes 4, rue Jacques Monod - 9189 3 ORSA Y Cedex (France) Unité de reche rche INRIA Lorraine : LORIA, T echnopôle de Nanc y-Brabois - Campus scientifiq ue 615, rue du Jardin Botani que - BP 101 - 54602 V illers-lè s-Nancy Cedex (France ) Unité de reche rche INRIA Rennes : IRISA, Campus uni versitai re de Beauli eu - 35042 Rennes Cede x (France) Unité de reche rche INRIA Rhône-Alpes : 655, ave nue de l’Europe - 38334 Montbonno t Saint-Ismier (France) Unité de recherch e INRIA Rocquencourt : Domaine de V oluceau - Rocquenc ourt - BP 105 - 78153 Le Chesnay Cedex (France) Unité de reche rche INRIA Sophia Antipolis : 2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex (France) Éditeur INRIA - Domaine de V olucea u - Rocquenc ourt, BP 105 - 78153 Le Chesnay Cedex (France) http://www.inria.fr ISSN 0249 -6399