Proof of Correctness of Algorithm 6 (The Bakery Algorithm), Chapter 6, Silberschatz & Galvin
CS 3750 -- OS I -- (John Sarraille)

The Bakery Algorithm is due to Lamport (1974).

The common data structures are:

    var choosing : array [0..n-1] of boolean ;
        number   : array [0..n-1] of integer ;

All data structures are initialized to false and 0, respectively.

For convenience, we define the following notation:

  @ (a,b) < (c,d) if a < c or if a = c and b < d.
  @ max(a_0, ..., a_{n-1}) is a number k such that k >= a_i for i = 0, ..., n-1.

The program of process Pi is:

    repeat
      choosing[i] := true ;
      number[i] := max(number[0], number[1], ..., number[n-1]) + 1 ;
      choosing[i] := false ;
      for j := 0 to n-1 do
      begin
        while choosing[j] do skip ;
        while number[j] <> 0 and ((number[j],j) < (number[i],i)) do skip ;
      end ;
      ... CS ...
      number[i] := 0 ;
      ... RS ...
    until false

Mutual Exclusion Proof:

Assume that two processes exist in the CS simultaneously. Let Tk be the time
that this first happens, with Pk arriving in the CS at Tk. Let Ph be the other
process, with Th the time of its last arrival in the CS before (or no later
than) Tk.

Consider the following times:

  a. Ph gets the number it enters with at Th.
  b. Ph verifies that Pk is not choosing (the last time before Th).
  c. Ph finds that number[k] = 0, or that ((number[k],k) > (number[h],h)).

    --------------------------------------------------------------
       ^           ^           ^            ^           ^
       a           b           c            Th          Tk

In order that Pk can enter the CS at Tk, it must first verify that
number[h] = 0, or that ((number[h],h) > (number[k],k)). Obviously, Pk cannot
get its number after a., because the number it would then get would be larger
than number[h]. (Note that number[h] does not change between a. and Tk.)

If Pk gets its number at around the same time as a., then since Ph waits for
Pk to finish choosing (b) before comparing numbers (c), the outcome of that
test will be "((number[h],h) > (number[k],k))", contrary to the fact that the
outcome was "((number[k],k) > (number[h],h))". So Pk can't do that either.

Pk also can't get the number at a time well before a., since that would also
imply that the successful test in c. would have failed.
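The argument above reasons case by case about where Pk's choice of a number can fall relative to a. The following Python script, an added example and not part of these course notes, makes that reasoning mechanical: it treats each read and write in the program of Pi as one atomic step (reading all of number[] for the max is one step, writing number[i] is a separate step), explores every interleaving of the processes breadth-first, and checks that no reachable state has two processes in the CS. It also shows why the wait at b. matters: with the "while choosing[j] do skip" loop switched off (the use_choosing parameter, an assumption of this model), the search finds the interleaving in which one process reads the numbers just before the other writes its own, which is the "around the same time as a." case. The function names, the program-counter encoding, the atomicity of the steps and the bounded number of passes per process are all assumptions of the example.

```python
"""Exhaustive interleaving check of the Bakery Algorithm (added example).

Assumptions of this model: each read or write of a shared variable is atomic;
the max is one atomic read of all of number[] followed by a separate write of
number[i]; every process leaves the CS after entering it; each process makes a
bounded number of passes so that the state space is finite."""
from collections import deque

CS = 7          # program-counter value meaning "inside the critical section"
DONE = 8        # process has made all of its passes
LABELS = {0: "choosing[i] := true",
          1: "read max(number[])",
          2: "number[i] := max + 1",
          3: "choosing[i] := false; j := 0",
          4: "while choosing[j] do skip (enter CS once j = n)",
          5: "while number[j] <> 0 and (number[j],j) < (number[i],i) do skip",
          CS: "leave CS: number[i] := 0"}


def step(state, i, use_choosing, max_passes):
    """Run one atomic step of process i. Returns the successor state, or None
    if process i is spinning (its step changes nothing) or has finished."""
    number, choosing, pc, m, j, passes = (list(x) for x in state)
    n = len(number)
    p = pc[i]
    if p == 0:                                 # choosing[i] := true
        choosing[i] = True
        pc[i] = 1
    elif p == 1:                               # read all numbers into a register
        m[i] = max(number)
        pc[i] = 2
    elif p == 2:                               # number[i] := register + 1
        number[i] = m[i] + 1
        pc[i] = 3
    elif p == 3:                               # choosing[i] := false; start the for-loop
        choosing[i] = False
        j[i] = 0
        pc[i] = 4
    elif p == 4:                               # for j := 0 to n-1: while choosing[j] do skip
        if j[i] == n:
            pc[i] = CS                         # loop finished: enter the CS
        elif use_choosing and choosing[j[i]]:
            return None                        # spin until P_j has finished choosing
        else:
            pc[i] = 5
    elif p == 5:                               # while number[j] <> 0 and (number[j],j) < (number[i],i)
        k = j[i]
        if number[k] != 0 and (number[k], k) < (number[i], i):
            return None                        # spin: P_j is ahead in the queue
        j[i] += 1
        pc[i] = 4
    elif p == CS:                              # exit: number[i] := 0, then another pass or stop
        number[i] = 0
        passes[i] += 1
        pc[i] = 0 if passes[i] < max_passes else DONE
    else:
        return None                            # DONE: no further steps
    return tuple(tuple(x) for x in (number, choosing, pc, m, j, passes))


def check_mutual_exclusion(n=2, max_passes=2, use_choosing=True):
    """Breadth-first search over all interleavings. Returns None when no
    reachable state has two processes in the CS, otherwise the shortest
    interleaving (a list of 'P<i>: <step>' strings) that reaches one."""
    init = tuple((x,) * n for x in (0, False, 0, 0, 0, 0))
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if sum(1 for p in s[2] if p == CS) >= 2:
            return trace(parent, s)
        for i in range(n):
            t = step(s, i, use_choosing, max_passes)
            if t is not None and t not in parent:
                parent[t] = (s, i)
                queue.append(t)
    return None


def trace(parent, s):
    """Rebuild the interleaving that led to state s from the parent links."""
    out = []
    while parent[s] is not None:
        prev, i = parent[s]
        out.append(f"P{i}: {LABELS[prev[2][i]]}")
        s = prev
    return out[::-1]


if __name__ == "__main__":
    print("bakery, 2 processes, 2 passes each:", check_mutual_exclusion(2))
    print("bakery, 3 processes, 1 pass each:  ", check_mutual_exclusion(3, max_passes=1))
    print("without the choosing[] flags, shortest violating interleaving:")
    for line in check_mutual_exclusion(2, use_choosing=False):
        print("  " + line)
```

The first two runs return None, which is the claim of the proof for the bounded model. The third prints the trace: one process reads max(number[]) and is then held off while the other chooses, passes both tests (it sees number[] = 0 for its rival) and enters the CS; the first then writes an equal number and, with nobody marked as choosing, also passes both tests. With the choosing[] flags kept, that same interleaving blocks at b. until the first process has written its number, and the comparison at c. then goes the other way.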