Irreducibility and Additivity of Set Agreement-oriented Failure Detector Classes

HAL Id: inria-00000604

https://hal.inria.fr/inria-00000604

Submitted on 7 Nov 2005

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires

Irreducibility and Additivity of Set Agreement-oriented Failure Detector Classes

Achour Mostefaoui, Sergio Rajsbaum, Michel Raynal, Corentin Travers

To cite this version:

Achour Mostefaoui, Sergio Rajsbaum, Michel Raynal, Corentin Travers. Irreducibility and Additivity of Set Agreement-oriented Failure Detector Classes. [Research Report] PI 1758, 2005, pp.24. �inria- 00000604�

I

I

S A

IN STITUT D

E R

ECHERCHE^E N^IN

FORMAT^IQ^U

EET SYS^TÈ MES

AL^É

ATOIR^ES

P U B L I C A T I O N I N T E R N E

N^o

I R I S A

1758

IRREDUCIBILITY AND ADDITIVITY OF SET

AGREEMENT-ORIENTED FAILURE DETECTOR CLASSES

A. MOSTEFAUI S. RAJSBAUM M. RAYNAL C. TRAVERS

http://www.irisa.fr

Irreducibility and Additivity of Set Agreement-oriented Failure Detector Classes

A. Mostefaui* S. Rajsbaum** M. Raynal*** C. Travers****

Systemes communicants

Publication interne n1758 | Novembre 2005 | 24 pages

Abstract: Solving agreement problems (such as consensus and k-set agreement) in asynchronous dis- tributed systems prone to process failures has been shown to be impossible. To circumvent this impossibility, distributed oracles (also called unreliable failure detectors) have been introduced. A failure detector provides information on failures, and a failure detector class is dened by a set of abstract properties that encapsulate (and hide) synchrony assumptions. Some failure detector classes have been shown to be the weakest to solve some agreement problems (e.g., is the weakest class of failure detectors that allow solving theconsensus problem in asynchronous systems where a majority of processes do not crash).

This paper considers several failure detector classes and focuses on their additivity or their irreducibility.

It mainly investigates two families of failure detector classes (denoted ^3Sx and^3y, 0xy n), shows that they can be \added" to provide a failure detector of the class ^z (a generalization of ). It also characterizes the power of such an \addition", namely, ^3Sx+^{3y z ,}x+y+z > t+ 1, where t is the maximum number of processes that can crash in a run. As an example, the paper shows that, while

3St allows solving 2-set agreement (and not consensus) and ³¹ allows solving t-set agreement (but not (t^;1)-set agreement), their \addition" allows solving consensus. More generally, the paper studies the failure detector classes^3Sx,^3y and ^z, and shows which reductions among these classes are possible and which are not. The paper presents also an ^k-basedk-set set agreement protocol. In that sense, it can be seen as a step toward the characterization of the weakest failure detector class that allows solving the k-set agreement problem.

Key-words: Asynchronous system, Distributed algorithm, Eventual leader, Fault-tolerance, Limited scope accuracy, Process crash, Reduction algorithm, Scalability, Set agreement, Unreliable failure detector.

(Resume : tsvp)

*IRISA, Universite de Rennes 1, Campus de Beaulieu, 35042 Rennes Cedex, France[email protected]

**Instituto de Matematicas, UNAM, D. F. 04510, Mexico[email protected]

***IRISA, Universite de Rennes 1, Campus de Beaulieu, 35042 Rennes Cedex, France,[email protected]

****IRISA, Universite de Rennes 1, Campus de Beaulieu, 35042 Rennes Cedex, France,[email protected]

Centre National de la Recherche Scientifique Institut National de Recherche en Informatique

Sur la composition de classes de detecteurs de fautes

Resume : Ce rapport etudie la composition de classes de detecteurs de fautes. Il montre aussi que certaines classes ne peuvent ^etre composees pour donner des detecteurs d'une puissance superieure.

Mots cles : Systemes repartis asynchrones, Tolerance aux fautes, Crash de processus, Leader ineluctable, Classes de detecteurs de fautes, Reduction, Composition.

1 Introduction

Context of the work: failure detectors for agreement problems Consensus is one of the most fundamental problem in fault-tolerant distributed computing: each process proposes a value, and every non- faulty process must decide a value (termination) such that no two dierent values are decided (agreement) and the decided value is a proposed value (validity). Despite the simplicity of its denition and its use as a basic building block to solve distributed agreement problems, consensus cannot be solved in asynchronous system where even a single process can crash 8].

Several approaches have been investigated to circumvent this impossibility result. One of them is the failure detector approach 3, 22]. It consists in equipping the underlying system with a distributed oracle that provides each process with (possibly incorrect) hints on process failures. According to the type and the quality of the hints, several classes of failure detectors can be dened. As far as consensus is concerned, two classes are particularly important.

- The class of leader failure detectors 2] (denoted ). This class includes all the failure detectors that continuously output at each process a process identity such that, after some time, all the correct processes are provided with the same identity that is the identity of a correct process (eventual leadership). Before that time, dierent processes can be provided with distinct leaders (that can also change over time), and there is no way for the processes to know when this anarchy period is over. -based asynchronous consensus protocols can be found in 9, 14, 20]¹.

- The class of eventually strong failure detectors 3] (denoted^3S). A failure detector of that class provides each process with a set of suspected processes such that this set eventually includes all the crashed processes (strong completeness) and there is a correct processpand a time after which no set contains the identity of p(eventual strong accuracy). ^3S-based asynchronous consensus protocols can be found in 3, 9, 18, 24].

Two important results are associated with these classes. First, they are equivalent (which means that it is possible, from any failure detector of any of these classes, to build a failure detector of the other class) 2, 5, 17]. Second, as far information on failures is concerned, they are the weakest class of failure detectors that allow solving consensus in asynchronous systems where a majority of processes are correct 2].

Thek-set agreementproblem relaxes the consensus requirement to allow up tok dierent values to be decided 4] (consensus is 1-set agreement). This problem is solvable in asynchronous system despite up to k^;1 process crash failures, but has been shown to be impossible to solve as soon ask or more processes can crash 1, 12, 23].

The failure detector class^3S has been weakened in 19, 25] to address this problem. While the scope of the accuracy property of^3S spans the whole system (there is a correct process that, after some time, is not suspected by any process), the class^3Sxis dened by the same completeness property and a limited scope accuracy property, namely, there is a correct process that, after some time, is not suspected byxprocesses. It is easy to see that^3Sn (wherenis the total number of processes) is^3S, while^3S1provides no information on failures. Moreover,^3Sx^+13Sx. It has been shown that, when we consider the family (^3Sx)¹ x nof failure detectors,^3Sx is the weakest class that allows solvingk-set agreement in asynchronous systems for k=t^;x+ 2 (wheret is an upper bound on the number of processes that can crash) 11] (message-passing systems must also satisfy the additional constraint of a majority of correct processes, t < n=2). The class

Sx of failure detectors is a subset of^3Sx. It has a the same completeness property but a stronger accuracy property: it requires that, from the very beginning, there is a subset ofxprocesses that a never suspect one correct process.

A new family of failure detectors (denoted (^y)⁰ y n), has recently been introduced in 16] (where it is used in conjunction with conditions 15] to solve set agreement problems). A failure detector of the class ^y provides the processes with a query primitive that has a parameter (a setX of processes) and returns a boolean answer. The invocationquery(X) by a process returns systematically true (resp., false) when 0 ^jX^j t^;y, i.e., when the set is too small (resp., ^jX^j > t, i.e., when the set is too big). When t^;y <^jX^jt (the set has then an appropriate size)query(X) returns true only if all the processes inX have crashed moreover, if all the processes ofX have crashed and a process repeatedly issuesquery(X), it

1It is important to notice that the rst version of the leader-based Paxos protocol dates back to 1989, i.e.. before the formalism was introduced.

eventually obtains the answer true. We have^y+1y. Moreover,⁰ provides no information on failures, while, ⁸ y t, ^y is equivalent to a perfect failure detector (one that never does a mistake 3]). "^y is a subclass of ^y that additionally requires the sets passed as query parameters to satisfy a containement property (i.e., any two such sets X1 and X2 need to be such that X1X2 or X2X1). It is shown in 16], that, in shared memory systems, "^y is the weakest failure detector class of the family ("^y)⁰ y t that allows solving asynchronousk-set agreement with k=t^;y+ 1.

The family of failure detector classes (^z)¹ z n21] has been introduced to augment the synchronization power of object types in the wait-free hierarchy. A failure detector of the class ^z outputs at each process a set of at mostz process identities such that, after some time, the same set including the identity of at least one correct process is output at all correct processes. Clearly, ¹ is . Moreover, ^zz+1.

Motivation and results The paper rst extends the family (^y)⁰ y n, by considering its eventual coun- terpart, namely the family (^3y)⁰ y n. ^3y is a weakening of ^y in the sense it allows the properties dening ^y to be satised only after some nite time. So, while the families (^Sx)¹ y n and (^y)⁰ y n are characterized by a \perpetual" property (i.e., a property that has to be satised from the very begining), the families (^3Sx)¹ y n, (^z)¹ z n and (^3y)⁰ y n are characterized by an eventual property.

It appears that, when we are interested in solving set agremeent problems, we are provided with three families of failure detectors: (^3Sx)¹ x n, (^3y)⁰ y<n and (^z)¹ z n. Whatever the problems these failure detector classes help solving, important questions are the following: Which among these classes are equiv- alent? Which are not? Is it possible to combine some of them to obtain stronger failure detector classes?

If the answer is \yes", which ones and which failure detector class do they produce? If the answer is \no", why? Etc. This is the type of questions addressed in this paper that characterizes relationships linking each pair of failure detector classes. More precisely, the issues and results of the paper are the following. The notationA+B C means that, given as inputs a failure detector of the class Aand a failure detector of the classB, there is an algorithm that constructs a failure detector of the classC. The notationA+B⁶C means that there is no such transformation algorithm. The notations A C and A ⁶C have the same meaning considering a single failure detector class as input.

Reducibility, Irreducibility and Minimality.

{ Relations linking ^y=^3y and^Sx=^3Sx:

- Let 1xt+ 1 and 1yt. ^Sx^63y. (Theorem 8.) - Let 0y < t and 1< xt+ 1. ^{y 63S}_x. (Theorem 9.)

{ Relations linking ^y=^3y and ^z:

-^3yz Iy+z > t. (Corollary 6.)

- Let 1zt+ 1 and 1yt. ^z63y. (Theorem 10.)

{ Relations linking ^3Sxand ^z:

-^3Sx^zI x+z > t+ 1. (Corollary 7.) - Let 1< xzt. ⁸z: ^z63Sx. (Theorem 11.)

All these relations are depicted in Figure 1 where the bold arrows mean reducibility, and the dotted arrows mean irreducibility. The class^Sxis the subclass of^3Sxwhere the accuracy is perpetual (namely, there is a correct process that is not suspected byxprocesses from the very beginning). ^P is the class of perfect failure detectors 3] (the ones that never do a mistake). The column at the right of the gure concernsk-set agreement: all the failure detector classes in thezth line allow solvingz-set agreement.

It is important to notice that (1) ^3St^;z⁺² and ^3t;z+1 cannot be compared, (2) both are stronger than ^z. Moreover, given a line (say z) of the gure, ^z is the weakest failure detector class of that line that allows solving k-set agreement.

Additivity. This paper poses (for the rst time to our knowledge) the question of adding failure detectors of distinct classes. This is an important issue as \additivity" is a crucial concept as soon modularity and scalability of distributed systems are concerned.

As an example, assumingt >1, let us consider the class^3St that allows solving 2-set agreement (but not consensus), and the class³¹ that allows solvingt-set agreement (but not (t^;1)-set agreement).

3P P k-set agreement

St+1 3St+1 Ω¹ 3φ^t φ^t 1

St 3St Ω² 3φ^t−1 φ^t−1 2

St−z+2 3St−z+2 Ω^z 3φ^t−z+1 φ^t−z+1 z

S1 3S1 Ω^t+1 3φ⁰ φ⁰ t+ 1

Figure 1: Grid of failure detector classes

k-set agreement

Ω^z−1 z−1

+

Ω^z z= (t+ 1−(x−1))−y

= (t+ 1−y)−(x−1)

+

3Sx t+ 1−(x−1)

3φ^y t+ 1−y

Figure 2: Additivity of^3Sxand^3y What about ^3St+³¹? Is it possible to add them? If the answer is \yes", which type of information on failures is provided by their combination? The paper shows that ^3St+^3t;1 allows solving the consensus problem. More generally, with respect to the grid described in the previous gure, the paper characterizes which classes can be added and which cannot. More explicitly, it shows the following result (see also Figure 2): ^3Sx+^{3y z,}x+y+z > t+ 1. To that end, the paper presents a construction algorithm (su$ciency part, Figures 5 and 6), and an impossibility proof (necessity part, Theorem 7).

Intuitively, this shows that^3Sxand^3y provide dierent seeds to build ^z. To see the gain provided by such an addition, let us analyze it as follows:

- As^3Sx^t;x+2, the previous addition shows that adding^yallows strengthening ^t;x+2to obtain ^z withz= (t^;x+ 2)^;y.

- Similarly, as ^{3y t;y+1}, the previous addition shows that adding ^3Sx allows strengthening ^t;y+1to ^z withz= (t^;y+ 1)^;(x^;1).

Asynchronous ^k-basedk-set agreement. This paper proposes such an algorithm. (To our knowledge, no previous work has addressed the design of ^z-based k-set agreement algorithms.) The proposed algorithm (Figure 3) is very simple. Moreover, the paper establishes that t < n=2 and z k are two tight bounds of the k-set agreement problem, when considering the (^z)¹ z n family of failure detectors in an asynchronous message-passing system (Theorem 4). Consequently, among all the classes described in Figure 1, ^k is the weakest class for solving asynchronous k-set agreement (hence, the algorithm is optimal in that respect). This constitutes a step towards the characterization of the weakest failure detector class that allows solving the k-set agreement problem.

From a methodology point of view, the paper uses as much as possible reduction algorithms (striving not to reinvent the wheel). The paper presents also two more transformations for particular cases. These transformations (given in appendix) are simpler and more e$cient than the general transformation building a failure detector of the class ^z from failure detectors of the classes^3Sx and ^3y. The rst (Figure 8) transforms "^y into ^z fory+z > t. The second (Figure 9) presents an addition algorithm of^3Sxwith^3y that provides^3S when x+y > t.

Roadmap The paper is made up of 5 sections plus an appendix. Section 2 describes the asynchronous computing model and the classes of failure detectors we are interested in. Section 3 presents the asynchronous ^k-based k-set agreement algorithm. Then, Section 4 presents an algorithm that builds a failure detector of the class ^z from a pair of underlying failure detectors, one of the class^3y, the other of the class ^3S.

Section 5 shows thatx+y+z > t+1 is a necessary requirement for the previous construction, and establishes the irreducibility relations depicted by the grid of Figure 1.

2 Computation Model

2.1 Asynchronous System with Process Crash Failures

We consider a system consisting of a nite set % ofn2 processes, namely, % =^fp¹p²::: pn^g. When it is not ambiguous we also use % to denote the set of the identities 1::: nof the processes. A process can fail by crashing, i.e., by prematurely halting. It behaves correctly (i.e., according to its specication) until it (possibly) crashes. By denition, a process is correct in a run if it does not crash in that run otherwise it is faulty. As previously indicated, t denotes the maximum number of processes that can crash in a run (1t < n). The identity of the processpiisi, and each process knows all the identities.

Processes communicate and synchronize by sending and receiving messages through channels. Every pair of processes is connected by a channel. Channels are assumed to be reliable: they do not create, alter or lose messages. In particular, ifp_i sends a message top_j, then eventuallyp_j receives that message unless it fails.

There is no assumption about the relative speed of processes or message transfer delays (let us observe that channels are not required to befifo).

Broadcast(m) is an abbreviation for \foreach^pj ²%do ^{send(m) top}j enddo". Moreover, we assume (without loss of generality) that the communication system provides the processes with a reliable broadcast abstraction 10]. Such an abstraction is made up of two primitives Broadcast() and Deliver() that allow a process to broadcast and deliver messages (we say accordingly that a message is R broadcast or R delivered by a process) and satisfy the following properties:

Validity: If a process R deliversm, then some process has R broadcastm. (No spurious messages.) Integrity: A process R delivers a messagemat most once. (No duplication.)

Termination: If a correct process R broadcasts or R delivers a messagem, then all the correct processes R delivers m. (No message R broadcast or R delivered by a correct process is missed by a correct process.)

As we can see, the messages sent (resp., R broadcast) by a process are not necessarily received (resp., R delivered) in their sending order. Moreover, dierent processes can R deliver messages in dierent order.

There is no assumption on message transfer delays. The communication system is consequently reliable and asynchronous.

2.2 Failure Detector Classes

The denition of the families of failure detector classes (^Sx)¹ x n, (^3Sx)¹ x n, ("^y)⁰ y<n, (^y)⁰ y<n and (^z)¹ z nhave been sketched in the introduction. This section provides more complete denitions.

The classes (^Sx)¹ x n and (^3Sx)¹ x n A failure detector of the class ^Sx or^3Sx consists of a set of modules, each one attached to a process: the module attached to pi maintains a set (named suspectedi) of processes it currently suspects to have crashed. As in other papers devoted to failure detectors, we say

\processpi suspects processpj at some time ", ifpj ²suspectedi at that time. Moreover, (by denition) a crashed process suspects no process.

The failure detector^3Sx class generalizes the class ^3S dened in 3] (we have ^3Sn =^3S). A failure detector belongs to the class^3Sxif it satises the following properties:

Strong Completeness: Eventually, every process that crashes is permanently suspected by every correct process.

Limited Scope Eventual Weak Accuracy: There is a time after which there is a setQofxprocesses such that Qcontains a correct process and that process is never suspected by the processes ofQ.

Similarly, the class^Sx generalizes the class^S 3] (and we have^Sn =^S). A failure detector of the class

Sx satises the previous strong completeness property, plus the following accuracy property:

Limited Scope Perpetual Weak Accuracy: there is a set Q of x processes such that (from the very beginning) Qcontains a correct process and that process is never suspected by the processes ofQ. It is easy to see that ^Sx^{+1 S}x, ^3Sx^{+1 3S}x, and^Sx ^3Sx. It is also easy to see that the failure detectors of the classes ^S1 and ^3S1 provide no information on failures. It has been shown in 11] that

3Sx is the weakest failure detector class of the family (^3Sx)¹ x nthat allows solving k-set agreement for k=t^;x+ 2, in asynchronous message-passing systems with a majority of correct processes (t < n=2).

The classes (^z)¹ z n This family of failure detectors has been introduced in 21]. A failure detector of the class ^zmaintains at each processpia set of processes of size at mostz(denotedtrustedi) that satises the following property:

Eventual Multiple Leadership: there is a time after which the sets trusted_i of the correct processes contains forever the same set of processes and at least one process of this set is correct.

The family (^z)¹ z n generalizes the class of failure detectors dened in 2] (we have ¹=).

Recently, another generalization of has been studied in 7] that considers S, whereS is a predened subset of the processes of the system. S requires that all the correct processes ofSeventually agree on the same correct leader (it is not required that their eventual common leader belongs toS). LetX be the set of all the pairs of processes. It is shown in 7] that, given all the x,x²X, it is possible to build .

The classes^("y)0 y<nand ^(y)0 y<n These failure detector classes have been introduced in 16] to solve set agreement problems in combination with conditions 15]. Dierently from the previous classes of failure detectors that provides each processpi with a set (suspectedi ortrustedi) thatpi can only read, a failure detector of a class^y(or "^y) provides the processes with a primitivequery(X), whereX is a set of process identities supplied by the invoking process. Such a primitive allows a process p_i to query about the crash of a regionX of the system. More precisely, a failure detector of the class ^y is dened by the following properties (remind thatt is an upper bound on the number of process crashes):

Triviality property. If ^jS^j t^;y, then query_y(X) returns true. If ^jS^j > t, then query(X) returns false.

Safety property. Ift^;y <^jX^jt, then if at least one process inX has not crashed when query(X) is invoked, the invocation returns false.

Liveness property. Let X be such that t^;y < ^jX^j t. Let be a time such that, at time , all the processes inX have crashed. Moreover, let us assume that after there is an innite sequence of invocations ofquery(X). Then, for some time⁰ , all the invocations ofquery(X) return true.

The triviality property provides the invoking process with a trivial output when the setX is too small or too big. The safety property states that if the output is true, then all the processes inX have crashed. The liveness property states thatquery(X) eventually outputs true when all the processes inX have crashed. It is shown in 16] that (1)^y+1y, and (2) ^t and the class^P of perfect failure detectors are equivalent in any system where at mostt processes can crash. Moreover, it is easy to see that⁰ provides no information on failures.

The class "^y is a subclass of ^y. It additionally requires that for any pair of queries query(X1) and query(X2), we have X1 X2 orX2 X1. Hence, we have "^{y y}. It has been shown in 16] that, within the family ("^y)⁰ y t of failure detector classes, "^y is the weakest for solving k-set agreement for k=t^;y+ 1, in asynchronous shared memory systems.

The classes ^(3y)0 y<n The failure detector class ^3y is the \eventual" counterpart of the class ^y. More precisely, a failure detector of the class^3y is dened by the following properties (remind thattis an upper bound on the number of process crashes):

Triviality property. If ^jS^j t^;y, then query_y(X) returns true. If ^jS^j > t, then query(X) returns false.

Eventual Safety property. LetX be such thatt^;y <^jX^jt. Suppose that at least one correct process belongs to X. Moreover, let us assume that there is an innite sequence of invocation of query(X).

Then, it exists some time from which all the invocations ofquery(X) return false.

Liveness property. Let X be such that t^;y < ^jX^j t. Let be a time such that, at time , all the processes inX have crashed. Moreover, let us assume that after there is an innite sequence of invocations ofquery(X). Then, for some time⁰ , all the invocations ofquery(X) return true.

As for the classes (^y)⁰ y t, it follows from these properties that (1) ^{3y+1 3y}, and (2) ^3t and the class^3P are equivalent in any system where at most tprocesses can crash.

2.3 Notation

Let ^F and ^G be any two classes among the previous classes of failure detectors. The notation ^ASnt^F] is used to represent a message-passing asynchronous system made up of n processes, where up to t may crash, equipped with a failure detector of the class ^F. Similarly, ^ASnt^FG] denotes a system equipped with a failure detector of the class^F and a failure detector of the class^G. Finally,^ASnt] denotes a \pure"

asynchronous message-passing system (i.e., without additional equipment).

3 Using ^k to Solve ^k-Set Agreement

This section presents an ^k-based k-set agreement algorithm, and lower bounds when solving k-set agree- ment with failure detector classes of the family (^k)¹ z n. These lower bounds are t < n=2 and z k. Interestingly, the proof of these bounds is based on a reduction to a^3Sx-basedk-set agreement algorithm and a corresponding lower bound 11].

3.1 A ^k-Set Agreement Algorithm

The algorithm, described in Figure 3, is a simple adaptation of an -based consensus algorithm described in 9] (which is in turn inspired from a^3S-based consensus algorithm described in 18]) it assumest < n=2. A processpiinvokesk-set agreement(vi), whereviis the value it proposes. If it does not crash, it terminates when it executes the statement return(v), wherev is then the value it decides.

The function k-set agreement(vi) is made up of two tasks. The task T2 is used to disseminate a decided value and prevent deadlock: due to the reliable broadcast, as soon as a process decides, all the correct processes decide. In the main task T1, the processes proceed in consecutive asynchronous rounds, each round being made up of two phases, each including a communication step. When consideringp_i, the local variableest_i is the local estimate of the decision valuer_i is its current round number.

During the rst phase of roundr,pirst readstrustedi(the set provided by its underlying failure detector module of the class ^z), stores its value inLi, and sends aphase1(riLiesti) message to all the processes.

Then,piwaits until it has received such roundrmessages fromn^;tprocesses (i.e., from at least a majority) and it has either received such a message from a process of itsLi set or the settrustedi has changed. Then, if a majority of processes have the same leader setL, andpihas received an estimate valuevLfrom a process in this setL, it keepsvL inauxi, otherwise it sets auxi to^?. Let us notice that we can conclude from the previous statements (see the proof) that, at the end of the rst phase of each round, the set of theauxi local variables contains at most ^jLi^j=kdistinct values dierent from^?.

The second phase of a round aims at allowing the processes to decide, while ensuring that no more than kdierent values are decided, whatever the round during which a process decides. To that end, each process

pi broadcasts a phase2(riauxi) message to all the processes, and then waits until it has received such messages from n^;t processes. If it receives a non-^?valuev, it adoptsv as its new estimate (if there are several such values, it takes one arbitrarily). Moreover, if none of the values it has received is^?, it decides the estimate valuevit has just adopted this is done by broadcastingvin a reliable way, and then returning that value (in taskT2).

Functionk-set agreement(^vi): ^Init:^{esti viri} 0

TaskT1:

(01) ^whiletrue^do

||||| Phase 1 |||||||||||||||||||||

(02) ^{ri ri}+ 1^{Li trustedi} (03) Broadcastphase1(^riLiesti)

(04) ^waituntil(phase1(^ri ) received from(^n;t) processes)

(05) ^waituntil;(phase1(^ri ) received from a process^2Li)^_(^Li6=^trustedi) (06) ^if;(^9L:phase1(^riL ) received from a majority of processes)

(07) ^{^}(phase1(^{ri vL}) received from a process^2L) (08) ^{thenauxi vLelseauxi ?end if}

% Here^jfauxj:^{j2^auxj6}=^?gjjLij=^k%

||||| Phase 2 |||||||||||||||||||||

(09) Broadcastphase2(^riauxi)

(10) ^waituntil;phase2(^ri ) received from (^n;t) processes (11) ^letreci=^faux:phase2(^riaux) has been received^g (12) ^if(^9v:^v6=^{?^v2reci})^{thenesti vendif}

(13) ^if(^?2=reci)^thenR Broadcast decision(^esti)^stopT1^{end if} (14) ^enddo

TaskT2: ^whendecision(^v)^isRdelivered: return(^v)^stopT2

Figure 3: ^k-basedk-set agreement algorithm (code for p_i)

3.2 Short Discussion

The notion of perfection, oracle-eciency and zero-degradation used here are straightforward generalizations of the same notions introduced in 6, 9] in the context of failure detector-based consensus algorithms.

Let a failure detector of the class ^kbe perfect if, from the very beginning, it delivers to the processes the same set of at mostkprocesses including at least one correct process. A set agreement algorithm is oracle- ecientif it terminates in two communication steps (a single round) when its underlying failure detector is perfect and there is no crash. It is easy to see that the previous algorithm is oracle-e$cient. This algorithm satises an even stronger property, namely, it is zero-degrading. A set agreement algorithm is zero-degrading if it terminates in two steps when its underlying failure detector is perfect and there are only initial crashes (a crash is initial if the corresponding process crashes before the algorithm starts). The reader can easily checks that the proposed algorithm is zero-degrading. Zero-degradation is particularly important when a set agreement algorithm is used repeatedly: it means that future executions do not suer from past process failures as soon as the failure detector behaves perfectly.

3.3 Proof of the Algorithm

The proof is similar to the proof of the -based consensus algorithm described in 9]. It assumes t < n=2 andzk(see Theorem 4).

Lemma 1 No correct process blocks forever in a round.

Proof ^{Let p}i be a correct process. We have to show, whatever the round numberr, that pi cannot be blocked forever in thewaitstatements (lines 04, 05 and 10) of roundr. This follows from (1) the fact thatt being the maximum number of faulty processes, (2) the termination and integrity properties of the reliable