urable R/W storage. RAMBO [19, 12] solves a similar problem to
the one we have formulated above; other works [21, 23, 24] extend
this concept for Byzantine fault tolerance. All of these works have
processes agree upon a unique sequence of configuration changes.
Some works use an auxiliary source (such as a single reconfigurer
process or an external consensus algorithm) to determine config-
uration changes [18, 11, 19, 12, 21, 24], while others implement
fault-tolerant consensus decisions on view changes [5, 23]. In con-
trast, our work implements reconfigurable R/W storage without any
agreement on view changes.
Since the closest related work is on RAMBO, we further elabo-
rate on the similarities and differences between RAMBO and Dy-
naStore. In RAMBO, a new configuration can be proposed by any
process, and once it is installed, it becomes the current configura-
tion. In DynaStore, processes suggest changes and not configura-
tions, and thus, the current configuration is determined by the set
of all changes proposed by complete reconfigurations. For exam-
ple, if a process suggests to add p
1
and to remove p
2
, while another
process concurrently suggests to add p
3
, DynaStore will install a
configuration including both p
1
and p
3
and without p
2
, whereas in
RAMBO there is no guarantee that any future configuration will
reflect all three proposed changes, unless some process explicitly
proposes such a configuration. In DynaStore, a quorum of a con-
figuration is any majority of its members, whereas RAMBO allows
for general quorum-systems, specified explicitly for each configu-
ration by the proposing process. In both algorithms, a non-faulty
quorum is required from the current configuration. A central idea in
allowing dynamic changes is that a configuration can be replaced,
after which a quorum of the old configuration can crash. In Dyna-
Store, a majority of a current configuration C is allowed to crash as
soon as C is no longer current. In RAMBO, two additional condi-
tions are needed: C must be garbage-collected at every non-faulty
process p ∈ C, and all read and write operations that began at p
before C was garbage-collected must complete. Thus, whereas in
DynaStore the conditions allowing a quorum of C to fail can be
evaluated based on events visible to the application, in RAMBO
these conditions are internal to the algorithm. Note that if some
process p ∈ C might fail, it might be impossible for other pro-
cesses to learn whether p garbage-collected C or not. Assuming
that all quorums required by RAMBO and DynaStore are respon-
sive, both algorithms require additional assumptions for liveness.
In both, the liveness of read and write operations is conditioned
on the number of reconfigurations being finite. In addition, in
both algorithms, the liveness of reconfigurations does not depend
on concurrent read and write operations. However, whereas re-
configurations in RAMBO rely on additional synchrony or failure-
detection assumptions required for consensus, reconfigurations in
DynaStore, just like its read and write operations, only require the
number of reconfigurations to be finite.
View-oriented group communication systems provide a member-
ship service whose task is to maintain a dynamic view of active
members. These systems solve a dynamic problem of maintaining
agreement on a sequence of views, and additionally provide certain
services within the members of a view, such as atomic multicast
and others [6]. Maintaining agreement on group membership in it-
self is impossible in asynchronous systems [4]. However, perhaps
surprisingly, we show that the dynamic R/W problem is solvable in
asynchronous systems. This appears to contradict the impossibility
but it does not: We do not implement group membership because
our processes do not have to agree on and learn a unique sequence
of view changes.
The State Machine Replication (SMR) approach [15, 25] pro-
vides a fault tolerant emulation of arbitrary data types by forming
agreement on a sequence of operations applied to the data. Paxos
[15] implements SMR, and allows one to dynamically reconfigure
the system by keeping the configuration itself as part of the state
stored by the state machine. Another approach for reconfigurable
SMR is to utilize an auxiliary configuration-master to determine
view changes, and incorporate directives from the master into the
replication protocol. This approach is adopted in several practical
systems, e.g., [17, 20, 26], and is formulated in [16]. Naturally, a
reconfigurable SMR can support our dynamic R/W memory prob-
lem. However, our work solves it without using the full generality
of SMR and without reliance on consensus.
An alternative way to break the minority barrier in R/W emula-
tion is by strengthening the model using a failure detector. Delporte
et al. [9] identify the weakest failure detector for solving R/W mem-
ory with arbitrary failure thresholds. Their motivation is similar
to ours– solving R/W memory with increased resilience threshold.
Unlike our approach, they tackle more than a minority of failures
right from the outset. They identify the quorums failure detector as
the weakest detector required for strengthening the asynchronous
model, in order to break the minority resilience threshold. Our ap-
proach is incomparable to theirs, i.e., our model is neither weaker
nor stronger. On the one hand, we do not require a failure detector,
and on the other, we allow the number to failures to exceed a minor-
ity only after certain actions are taken. Moreover, their model does
not allow for additions as ours does. Indeed, our goal differs from
[9], namely, to model dynamic reconfiguration in which resilience
is adaptive to actions by the processes.
3. DYNAMIC PROBLEM DEFINITION
The goal of our work is to implement a read/write service with
atomicity guarantees. The storage service is deployed on a collec-
tion of processes that interact using asynchronous message passing.
We assume an unknown, unbounded and possibly infinite universe
of processes Π. Communication channels between all processes
are reliable. Below we revisit the definition of reliable links in a
dynamic setting.
The service stores a value v from a domain V and offers an in-
terface for invoking read and write operations and obtaining their
result. Initially, the service holds a special value ⊥ 6∈ V. The se-
quential specification for this service is as follows: In a sequence of
operations, a read returns the latest written value or ⊥ if none was
written. Atomicity [14] (also called linearizability [13]) requires
that for every execution, there exist a corresponding sequential ex-
ecution, which conforms with the operation precedence relation,
and which satisfies the sequential specification.
In addition to the above API, the service exposes an interface for
invoking reconfigurations. We define Changes
def
= {Remove, Add}×Π.
We informally call any subset of Changes a set of changes. A view
is a set of changes. A reconfig operation takes as parameter a set
of changes c and returns OK. We say that a change ω is proposed
in the execution if a reconfig(c) operation is invoked s.t. ω ∈ c.
A process p
i
is active if p
i
does not crash, some process invokes
a reconfig operation to add p
i
, and no process invokes a reconfig
operation to remove p
i
. We do not require all processes in Π to
start taking steps from the beginning of the execution, but instead
we assume that if p
i
is active then p
i
takes infinitely many steps (if
p
i
is not active then it may stop taking steps).
For a set of changes w, the removal-set of w, denoted w.remove,
is the set {i | (Remove, i) ∈ w}. The join set of w, denoted w.join,
is the set {i | (Add, i) ∈ w}. Finally, the membership of w, denoted
w.members, is the set w.join\w.remove.
At any time t in the execution, we define V (t) to be the union of
all sets c s.t. a reconfig(c) completes by time t. Note that removals