Strong Invariants for Weak Consistency Gustavo Petri Marc Shapiro Masoud Saeida-Ardekani
Consistency & Invariants • Consistency in 3D • Characterization of consistency models according to the guarantees they provide • Dimensions of Guarantees • Single object • Propagation of effects on different objects • Composition of objects
How much can I get for free? Which invariants are guaranteed by the consistency model without additional instrumentation?
Three classes… …of invariant … of protocol Constrain value of an Total order of Gen1 object operations Ordering between PO Visibility operations State equivalence EQ Composition between objects [Decomposing consistency] 4
Consistency in 3D Total Order Axis (Gen1) How Operations on Individual Objects are Updated/Observed Partial Order Axis (PO) How Operations on Different Objects { 0 ≤ balance ≤ MAX � INT } are Updated/Observed { x ≤ y } Equality Axis (EQ) How Composed Operations on Different Objects are Updated/Observed { x ∈ friendsOf ( y ) ⇐ ⇒ y ∈ friendsOf ( x ) }
Program Model: Operationally
Operation u client u ! origin replica u PRE u ? other replica u ! u: state ⤻ (retval, (state ⤻ state)) Prepare (@origin) u ? ; deliver u ! Read one, write all (ROWA) Deferred-update replication (DUR)
Concurrent u ! v ! u ? v ! u ! v ? Concurrent, Multi-master Strong: total order, identical state Weak: concurrent, interleaving, no global state Axiomatic definitions can be derived from the operational ones
Total Order Axis • Assumption: Single Object • Total Order of Effectors and Generators (TOE=TOG) u ? u ! v ! v ! u ! v ! u ! v ? u ? u ! v ? v !
Total Order Axis • Assumption: Single Object • Total Order of Effectors and Generators (TOE 1 ) u ? u ! v ! v ! u ! v ! v ? u ! u ! v !
Total Order Axis • Assumption: Single Object • Total Order of Effectors and Generators (TOE 1 ) • Gapless TOE 1 : all replicas apply all effectors in the same order • Capricious TOE 1 : replicas apply a subset of the effectors in an order consistent with a global total order } • Concurrent Updates (No Global Ordering)
(TO) Total order updates + queries Negotiated total order updates Total order, capricious Concurrent
������ ���������� ��� ������� ������ �� ���������� �� � ������� ���� ��������� �� ��� ����������� ������ ���������� ��� ������� ������ �� ���������� �� � ������� ���� ��������� �� ��� ����������� ��� ��������� �� ��� ��������� �� ��� ���� ������� ������ �� � ����� � ����� ���������� ��� ������� ������ �������� �� Total Order Axis (Gen1) • Assumptions: • (i) Single Object, • (ii) State Based, • (iii) O is a valid object for I [eg. Owicki/Gries proof] ����� �������� ⇒ ���� ������ � ��� ��������� �� � ������ ����� �������� ⇒ ������������� � ��� ��������� �� � ������ ��������� �������� ⇒ ����� � ��� � �� � ����� ������ ������
����������� ���������� ��� ��� ������ �� ���������� �� �� �� ��������� �� ��� ��������� ����� ��� ������� ���� � ��� ���� ����� �� ���� ��� � ������������� �� ����� ��� ������ ���������� ��� ������� ��� ������� Gapless TOE • Assumptions: • (i) Single Object, • (ii) State Based, • (iii) O is a valid object for I [eg. Owicki/Gries proof] • Release Acquire (RA) Memory Model [Lahav&Vafeiadis’15] ����� �������� ��� ∼ ��� � ��� ��������� �� � ������ ������
Partial Order Axis • Assumption: Multiple (2) Objects • Client Guarantees: • Visibility Properties: • Read Own Writes • Transitive Visibility • Monotonicity (Reads/Writes) • Causal Visibility • Preservation of (anti)Dependencies
(PO) External Total causal order + Session Order + Write-Read dependence Monotonic Reads + Read My Writes Total order updates Negotiated total order updates Total order, Concurrent capricious + queries Rollbacks (TO)
Partial Order Axis (Invariants) • Assumptions: • (i) Multiple Object, • (ii) State Based, • (iii) O is a valid object for I • Invariants Relating Objects • Programming: • Demarcation Protocol • x ≤ y • Escrow • P(x) ⟹ Q(y)
Demarcation Protocol
Demarcation Protocol* I = { x � y � ( � i. A i � B i ) } x = x + A 1 ; x = x + A 2 ; x = x + A 3 ; � � y = y + B 1 ; y = y + B 2 ; y = y + B 3 ; Usual approach: ghost variables I = { x � ( � ite ( a i , A i , 0)) � y � ( � ite ( s i , B i , 0)) � ( � i. A i � B i ) } � x = x + A 1 ; � x = x + A 2 ; � x = x + A 3 ; � � � a 1 = true ; a 2 = true ; a 3 = true ; � y = x + B 1 ; � y = x + B 2 ; � y = x + B 3 ; � � � � � s 1 = true ; s 2 = true ; s 3 = true ; * Program Order as communication
�� ���������� ������ �� ������ ����������� � ��� ���� ��������� ���� � ������ ���� ���������� ������� �� ������ ���������� ��� ��� ����������� ������ ����� �� ��� Program Order Axis • Assumptions: • (i) Multiple Object, • (ii) State Based, • (iii) O is a valid object for I ����� ��� � ��� 1 ∼ ��� � ��� ��� ��������� ���������� ��� ������ �������� ��� ��� ������ ���� 1 �� ����� ������ �� ���������� ��������� ����� ��� �� � ��� 1 � � ��� ���� ����� �� ���� ��� � ������������� �� ����� ��� ������ ���������� �� ��� ��� 1 � ������ ����������� � ��� 1 �� ��� � ������ ���������� �������
Demarcation Protocol Template Proof for Demarcation-style Programs** I = { x � ( � ite ( a i , A i , 0)) � y � ( � ite ( s i , B i , 0)) � ( � i. A i � B i ) } � � � � � � x = x + A 1 ; x = x + A 2 ; x = x + A 3 ; a 1 = true ; a 2 = true ; a 3 = true ; � � � � � � � � y = x + B 1 ; y = x + B 2 ; y = x + B 3 ; s 1 = true ; s 2 = true ; s 3 = true ; **[Lahav&Vafeiadis ghosts are compatible but slightly different]
Equality Order Axis • Assumption: Multiple (n) Objects • Transactions • Write-atomicity: All-or-nothing • Read-atomicity: Snapshot • Consistent Snapshot
(PO) External Total causal order + Session Order + Write-Read dependence Monotonic Reads + Read My Writes Total order updates Negotiated total order updates Total order, Concurrent capricious + queries Rollbacks (TO) S i n g l e o p e r a t i o n I n d i v i s i b l e e f f e c t s + s n a p s h o t s n a p s + h c o t o n s i s t e n t (EQ)
��� ���������� ���������� ���� ��������� ������������� ��� ����� ������� ��� �� ������� ����� � �������������� ������������ ������ ����� ���������������� �� ������� �� ����������� ������ ������� Equality Order Axis • Assumptions: • (i) Multiple Object, • (ii) State Based, • (iii) O is a valid object for I ����� ������� ��������������� ⇒ ��� � ��� ����� ���������� Robustness criteria? [Bernardi,Cerone,Gotsman]
Equality Axis • Rely Guarantee approach • Every Generator/Effector preserves preconditions and the invariant • CISE tool [Gotsman et al.’16]
Open Problems & Future Work • What about operation-based implementations? CRDTs? • Our characterization of invariants is incomplete
Recommend
More recommend
