Reasoning about consistency choices in distributed systems

Hongseok YangUniversity of Oxford

Joint work with Alexey Gotsman (IMDEA, Spain), Carla Ferreira (U Nova Lisboa), Mahsa Najafzadeh, Marc Shapiro (INRIA)

Global-scale Internet service

Geo-replicated databases

• Every data centre stores a complete replica of data

• Purpose: Minimising latency. Fault tolerance.

Weakly consistent DBs

First update. Propagate later.

{(A,4)}

Weakly consistent DBscart.rem(A,2)cart.read() : {A}

✘{(A,4)}

{(A,4)}

{(A,2)}

✘{(A,4)}

{(A,4)}

{(A,2)}

✘{(A,4)}

{(A,2)}

Weakly consistent DBscart.rem(A,2)cart.count(A): 4

✘{(A,4)}

{(A,2)}

Issue 1: Anomalies

✘{(A,0)}

{(A,2)}

Issue 2: Conflicting updates

cart.remAll(A)

✘{(A,0)}

{(A,2)}

cart.remAll(A)

remAll(A)

rem(A,2)

Issue 2: Conflicting updates

How to develop correct programs running on top of weakly consistent distributed databases?

1. Strengthen consistency selectively.2. Use rely-guarantee reasoning.

How to develop correct programs running on top of weakly consistent distributed databases?

1. Strengthen consistency selectively.2. Prove the correctness of a program.

Simple bank account

class account { // invariant: amount >= 0 var amount = 0

def query() = { return amount } def inc() = { amount = amount+1; return true } def dec() = { if (amount > 0) { amount = amount-1; return true } else { return false } } }

Distributed bank account

class account { // invariant: amount >= 0 var[dis] amount = 0

def query() = { return (amount, (a)=>a) } def inc() = { amount = amount+1; return (true, (a)=>a+1) } def dec() = { if (amount > 0) { amount = amount-1; return (true, (a)=>a-1) } else { return (false, (a)=>a) } } }

query()

[Q] What cannot be the result of query()?(a) 0 (b) -1 (c) -2 (d) all possible

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a++ a—

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a— skip

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a++ a—

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a++ a— a—

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a++ a— a—

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a— a—

How to write correct prog.?

Causal consistency

• Message delivery preserves the dependency of events.

Axiom: HB is transitive.

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a— a—

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a— a—

Not causally consistent.

use causality

class account { // invariant: amount >= 0 var[dis] amount = 0

def query() = { return (amount, (a)=>a) } def inc() = { amount = amount+1; return (true, (a)=>a+1) } def dec() = { if (amount > 0) { amount = amount-1; return (true, (a)=>a-1) } else { return (false, (a)=>a) } } }

Token system

• (T, 💔) where 💔 is a symmetric rel. on T.

• Examples:

1. T = {lock}, 💔 = {(lock,lock)}

2. T = {rd,wr}, 💔 = {(rd,wr), (wr,wr), (wr,rd)}

On-demand consistency using a token system (T, 💔)

• Each operation acquires a set of tokens.

• Operations with conflicting tokens cannot be run concurrently.

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a++ a— a—

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a++ a— a—

{lock}

{lock}{}

T = {lock}💔 = {(lock, lock)}

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a++ a— a—

{lock}

{lock}{}

query()

Bob in UK

Alice in Korea

inc() dec()

Carol in USA

a++ a— a—

{lock}

{lock}{}

use causality

class account { // invariant: amount >= 0 var[dis] amount = 0 use-token-system({lock},{(lock,lock)})

def query() with {} = { return (amount, (a)=>a) } def inc() with {} = { amount = amount+1; return (true, (a)=>a+1) } def dec() with {lock} = { if (amount > 0) { amount = amount-1; return (true, (a)=>a-1) } else { return (false, (a)=>a) } } }

How to write correct prog.?

Our proof rule

• Based on rely-guarantee.

• Incorporates guarantees from causal and on-demand consistency.

To prove that I is an invariant

9G0 2 P(State⇥ State), G 2 Token ! P(State⇥ State)such that

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

Exec(T ,F) ✓ eval�1F (I)

Figure 5. State-based proof rule for a token system T =

(Token, ./). For T ✓ Token we let G(T ) =

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

the reflexive and transitive closure of a relation R. For a relationR 2 P(A ⇥ B) and a predicate P 2 P(A), the expression R(P )

denotes the image of P under R.

��

(a) (b)

XX �

X ��F e↵

o (�)

Figure 6. Graphical illustrations of (a) the state-based rule; and (b)the event-based rule.

The key challenge of the above verification problem is theneed to consider infinitely many executions consistent with T andF . Our main technical contribution is the proof rule for solvingthis problem that avoids considering all such executions explicitly.Instead, the proof rule is modular in that it allows us to reasonabout the behaviour of every operation separately. Our proof ruleis also state-based in that it reasons in terms of states obtained byevaluating parts of executions or, from the operational perspective,in terms of replica states.

We give our proof rule in Figure 5 and explain it from the op-erational perspective. The rule assumes that the invariant I holdsof the initial database state �

(condition S1). Consider a compu-tation of the database implementation from §2 and a state � of areplica r at some point in this computation. The proof rule assumesthat � 2 I and aims to establish that executing any operation o at rwill preserve the invariant I . This is easy if we only consider howo’s effect changes the state of r, since this effect is applied to thestate � where it was generated:

8�. (� 2 I =) F

(�)(�) 2 I). (10)

The difficulty comes from the need to consider how o’s effectchanges the state of any other replica r

0 that receives it; see Fig-ure 6(a). At the time of the receipt, r0 may be in a different state�

0, due to operations executed at r0 concurrently with o. We canshow that it is sound to assume that this state �

0 also satisfies theinvariant. Thus, to check that the operation o preserves the invariantwhen applied at any replica, it is sufficient to ensure

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

However, establishing this without knowing anything about the re-lationship between � and �

0 is a tall order. In the bank accountexample, both � = 100 and �

0= 0 satisfy the integrity invari-

ant (5). Then F

withdraw(100)(�)(�0) = �100, which violates the

invariant. Condition (11) fails in this case because it does not takeinto account the tokens acquired by withdraw.

The proof rule in Figure 5 addresses the weakness of (11) by al-lowing us to assume a certain relationship between the state wherean operation is generated (�) and where its effect is applied (�0),which takes into account the tokens acquired by the operation. Toexpress this assumption, the rule uses a form of rely-guarantee rea-soning [25]. Namely, it requires us to associate each token ⌧ with aguarantee relation G(⌧), describing all possible state changes thatan operation acquiring ⌧ can cause. Crucially, this includes not onlythe changes that the operation can cause on the state of its originreplica, but also any change that its effect causes at any other replicait is propagated to. We also have a guarantee relation G0, describingthe changes that can be performed by an operation without acquir-ing any tokens. Condition S2 requires the guarantees to preservethe invariant.

Like (11), condition S3 considers an arbitrary state � of o’sorigin replica r, assumed to satisfy the invariant I . The conditionthen considers any state �

0 of another replica r

0 to which the effectof o is propagated. The conclusion of S3 requires us to prove thatapplying the effect F e↵

(�) of the operation o to the state �0 satisfiesthe union of the guarantees associated with the tokens F tok

(�) thatthe operation o acquires. By S2, this implies that the effect of theoperation preserves the invariant. Condition S3 further allows usto assume that the state �

0 of r

0 can be obtained from the state� of r by applying a finite number of changes allowed by G0 orthe guarantees for those tokens that do not conflict with any ofthe tokens acquired by the operation o, i.e., G0 [G((F

(�))

Informally, acquiring a token denies other replicas permissions toconcurrently perform changes that require conflicting tokens.

We now use our proof rule to show that the operations in thebanking application (Figure 4) preserve the integrity invariant (5).We assume that the initial state �

satisfies the invariant. Theguarantees are as follows:

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

Since withdrawals acquire the token ⌧ , the guarantee G(⌧) for thistoken allows decreasing the balance without turning it negative;the guarantee G0 allows increasing a non-negative balance. Thencondition S2 is satisfied. We show how to check the condition S3in the most interesting case of o = withdraw(a). Consider � and�

0 satisfying the premiss of S3:

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�) = {⌧}, we have that (F

(�))

?= ;. Thus,

(�,�

0) 2 G

⇤0. This and � 2 I imply that

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

0. Furthermore, �0� 0 by

(13). Thus, (�0,F

(�)(�

0)) = (�

0) 2 G0, which implies the

conclusion of S3.If � � a, then F

(�)(�

0) = �

0� a. Since � �

0, by (13) wehave �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

which implies the conclusion of S3. Operationally, in this caseour proof rule establishes that, if there was enough money in theaccount at the replica where the withdrawal was made, then therewill be enough money at any replica the withdrawal is delivered to.This completes the proof of our example.

In a banking application with multiple accounts, we could en-sure non-negativity of balances by associating every account c witha token ⌧

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

0 for another accountc

0. Thus, withdrawals from the same account would have to syn-chronise, while withdrawals from different accounts could proceedwithout synchronisation. Our proof rule easily deals with this gen-

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

. . .. . .

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

. . .. . .

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

. . .. . .

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

. . .. . .

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

T⊥ = {𝝉 | ∄𝝉’∈T. (𝝉, 𝝉ʹ) ∈ 💔}

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

I = { σ | 0 ≤ σ }G0 = {(σ, σ’) | σ ≤ σ’}G1(lock) = {(σ, σ’) | 0 < σ ∧ σ’ ≤ σ}

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

. . .{}

{lock}

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

{lock}

G0 ∪ G1(lock)

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

{lock}

G0 ∪ G1(lock)

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

{lock}

G0 ∪ G1(lock)if 0 < σ then σ’-1 else σ’

What if no on-demand consistency?

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

What if no on-demand consistency?

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

What if no causality?

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

What if no causality?

S1. �init

S2. G0(I) ✓ I ^ 8⌧. G(⌧)(I) ✓ I

S3. 8o,�,�0. (� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

=) (�

(�)(�

0)) 2 G0 [G(F

(�))

S⌧2T

G(⌧) andT

?= {⌧ | ⌧ 2 Token ^ ¬9⌧

02 T. ⌧ ./ ⌧

0}. We denote by R

��

(a) (b)

XX �

X ��F e↵

o (�)

8�. (� 2 I =) F

(�)(�) 2 I). (10)

8�,�

0. (�,�

02 I =) F

(�)(�

0) 2 I). (11)

ant (5). Then F

0 of r

(�))

G(⌧) = {(�,�

0) | 0 �

0< �};

G0 = {(�,�

0) | 0 � �

� 2 I ^ (�,�

0) 2 (G0 [G((F

(�))

Since F

(�))

?= ;. Thus,

(�,�

0) 2 G

0 � �

0. (13)

If � < a, then F

(�)(�

0) = �

(13). Thus, (�0,F

(�)(�

0)) = (�

(�)(�

0) = �

0� a. Thus, (�0

(�)(�

0)) = (�

0� a) 2 G({⌧}),

such that ⌧c

./ ⌧

, but ⌧c

6./ ⌧

σ’ ∈ I

Feff(σ)(σ’) ∈ Io

Reasoning about consistency choices in distributed systems · 2015. 8. 14. · Reasoning about...

Transcript of Reasoning about consistency choices in distributed systems · 2015. 8. 14. · Reasoning about...

Reasoning about consistency choices in distributed systems · 2015. 8. 14. · Reasoning about...

Documents

Transcript of Reasoning about consistency choices in distributed systems · 2015. 8. 14. · Reasoning about...

The Distributed Object Consistency Protocol Version 1 · The Distributed Object Consistency Protocol Web Cache Consistency 2 2.1 Strong Consistency Models Under a strong consistency

Consistency Methods for Temporal Reasoning

Maintaining Consistency in Hierarchical Reasoning · Reasoning Consistency in Hierarchical Systems This basic reason scheme can present dif- ficulty in a system, such as the one il-

Consistency choices in modern distributed systems...modern distributed systems Alexey Gotsman IMDEA Software Institute, Madrid, Spain Data is replicated and partitioned across multiple

Using Economic Reasoning to Solve Mysteries. Economics in Action Lesson 3 ConceptsTEKS Choices ( 4) Economics. The student understands the basic principles.

Webinar: Eventual Consistency != Hopeful Consistency

Distributed Systems: Ordering and Consistency · 2018-10-18 · Theory only Useful for reasoning about distributed systems But, gap between theory and practice Modern distributed

Reasoning Effectively. Six criteria for evaluating philosophical claims and theories: Conceptual clarity = define your terms! Consistency = any contradictions?

Induction on Number Series - uni-bamberg.de. Human Inductive Reasoning Reasoning is a thought process involving logic. Instead of making arbitrary decisions humans support their choices

MAKING GOOD CHOICES: AN INTRODUCTION TO ... 6. Making...134 MAKING GOOD CHOICES: AN INTRODUCTION TO PRACTICAL REASONING CHAPTER 6: SINGLE CRITERION INDIVIDUAL DECISION UNDER RISK:

’Cause I’m Strong Enough: Reasoning about Consistency Choices …software.imdea.org/~gotsman/papers/logic-popl16-ext.pdf · 2015. 12. 20. · Reasoning about Consistency Choices

MAKING GOOD CHOICES: AN INTRODUCTION TO PRACTICAL REASONING … 14. Irrartional Choices... · In the area of practical reasoning there are, likewise, common errors that we humans

aaswanberg.weebly.comaaswanberg.weebly.com/uploads/5/9/1/9/5919837/1_aug_19_2015_geo.pdf · Activity Sheet 2: Inductive and Deductive Name Reasoning ... The choices were Vanilla,

Consistency As A Service:Auditing Cloud Consistency

Testing the level of consistency between choices and ... · Testing the level of consistency between choices and beliefs in ... Costa-Gomes and ... A low level of consistency between

'Cause I'm Strong Enough: Reasoning about Consistency ...

SOAS: ADD Essay Writing for Postgraduate University Study ... · 10/10/2012 5 Conceptual writing Empirical writing 1. Logical consistency (contradictions) 2. Coherence (reasoning

Candidate Assessment Handbook · submitted and why they are important. They also describe the choices and decisions they made, and the analyses and reasoning underlying the choices

Economics for Leaders Magic of Markets. Economics for Leaders 5 Economic Reasoning Propositions People Choose, and individual choices are the source of.

Consistency Methods for Temporal Reasoning Lin XU Constraint Systems Laboratory Advisor: Dr. B.Y. Choueiry April, 2003 Supported by a grant from NASA-Nebraska,