This paper introduces algebraic laws linking two formal models of weakly-consistent databases, enabling better reasoning about program robustness and correctness in distributed systems.
Contribution
It presents novel algebraic laws connecting abstract executions and dependency graphs, and establishes robustness criteria for programs on weakly-consistent databases.
Findings
01
Algebraic laws relate different specification styles.
02
Robustness criteria ensure program correctness.
03
Full abstraction connects models for certain consistency classes.
Abstract
Modern distributed systems often rely on so called weakly-consistent databases, which achieve scalability by sacrificing the consistency guarantee of distributed transaction processing. Such databases have been formalised in two different styles, one based on abstract executions and the other based on dependency graphs. The choice between these styles has been made according to intended applications: the former has been used to specify and verify the implementation of these databases, and the latter to prove properties of programs running on top of the databases. In this paper, we present a set of novel algebraic laws (i.e. inequations) that connect these two styles of specifications; the laws relate binary relations used in a specification based on abstract executions, to those used in a specification based on dependency graphs. We then show that this algebraic connection gives rise to…
Equations390
\begin{array}[]{| lcl | l l l | }\hline\cr\text{Function}&&\text{Definition}\\
\hline\cr\rho_{\mathsf{Id}}(R)&$=$&\mathsf{Id}\\
\rho_{\mathsf{SI}}(R)&=&R\setminus\mathsf{Id}\\
\rho_{x}(R)&=&{[{\sf{Writes}}_{x}]}\\
\rho_{S}(R)&=&{[{{\tt SerTx}}]}\\
\hline\cr\text{Guarantee}&\lx@intercol\hfil\text{Associated Axiom}\hfil\lx@intercol\vrule\lx@intercol\\
\hline\cr(\rho_{\mathsf{Id}},\rho_{\mathsf{Id}})&\lx@intercol\hfil{\sf{AR}}\subseteq{\mathsf{VIS}}\lx@intercol\vrule\lx@intercol\\
(\rho_{\mathsf{Id}},\rho_{\mathsf{SI}})&\lx@intercol\hfil{\sf{AR}}\mathrel{;}{\mathsf{VIS}}\subseteq{\mathsf{VIS}}\lx@intercol\vrule\lx@intercol\\
(\rho_{x},\rho_{x})&\lx@intercol\hfil{[{\sf{Writes}}_{x}]}\mathrel{;}{\sf{AR}}\mathrel{;}{[{\sf{Writes}}_{x}]}\subseteq{\mathsf{VIS}}\lx@intercol\vrule\lx@intercol\\
(\rho_{S},\rho_{S})&\lx@intercol\hfil{[{{\tt SerTx}}]}\mathrel{;}{\sf{AR}}\mathrel{;}{[{{\tt SerTx}}]}\subseteq{\mathsf{VIS}}\lx@intercol\vrule\lx@intercol\\
\hline\cr\end{array}
\begin{array}[]{| lcl | l l l | }\hline\cr\text{Function}&&\text{Definition}\\
\hline\cr\rho_{\mathsf{Id}}(R)&$=$&\mathsf{Id}\\
\rho_{\mathsf{SI}}(R)&=&R\setminus\mathsf{Id}\\
\rho_{x}(R)&=&{[{\sf{Writes}}_{x}]}\\
\rho_{S}(R)&=&{[{{\tt SerTx}}]}\\
\hline\cr\text{Guarantee}&\lx@intercol\hfil\text{Associated Axiom}\hfil\lx@intercol\vrule\lx@intercol\\
\hline\cr(\rho_{\mathsf{Id}},\rho_{\mathsf{Id}})&\lx@intercol\hfil{\sf{AR}}\subseteq{\mathsf{VIS}}\lx@intercol\vrule\lx@intercol\\
(\rho_{\mathsf{Id}},\rho_{\mathsf{SI}})&\lx@intercol\hfil{\sf{AR}}\mathrel{;}{\mathsf{VIS}}\subseteq{\mathsf{VIS}}\lx@intercol\vrule\lx@intercol\\
(\rho_{x},\rho_{x})&\lx@intercol\hfil{[{\sf{Writes}}_{x}]}\mathrel{;}{\sf{AR}}\mathrel{;}{[{\sf{Writes}}_{x}]}\subseteq{\mathsf{VIS}}\lx@intercol\vrule\lx@intercol\\
(\rho_{S},\rho_{S})&\lx@intercol\hfil{[{{\tt SerTx}}]}\mathrel{;}{\sf{AR}}\mathrel{;}{[{{\tt SerTx}}]}\subseteq{\mathsf{VIS}}\lx@intercol\vrule\lx@intercol\\
\hline\cr\end{array}
\begin{array}[]{| l l l l | l l l l |}\hline\cr\vrule\lx@intercol\hfil{\textbf{(a)}}\;\text{Algebraic laws for sets of transactions}\hfil\lx@intercol\vrule\lx@intercol&\lx@intercol\hfil{\textbf{(c)}}\leavevmode\nobreak\ \text{Algebraic laws for abstract Executions}\hfil\lx@intercol\vrule\lx@intercol\\[5.0pt]
{\textbf{(a.1)}}&{[\mathcal{T}^{\prime}]}\subseteq\mathsf{Id}&{\textbf{(a.2)}}&{[\mathcal{T}_{1}\cap\mathcal{T}_{2}]}={[\mathcal{T}_{1}]}\mathrel{;}{[\mathcal{T}_{2}]}&{\textbf{(c.1)}}&{\mathsf{WR}}(x)\subseteq{\mathsf{VIS}}&{\textbf{(c.2)}}&{\mathsf{WW}}(x)\subseteq{\sf{AR}}\\
{\textbf{(a.3)}}&\lx@intercol(R_{1}\mathrel{;}{[\mathcal{T}^{\prime}]})\cap R_{2}=(R_{1}\cap R_{2})\mathrel{;}{[\mathcal{T}^{\prime}]}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.3)}}&{\mathsf{RW}}(x)\subseteq\overline{{\mathsf{VIS}}^{-1}}&{\textbf{(c.4)}}&{\mathsf{VIS}}^{+}\subseteq{\mathsf{VIS}}\\
{\textbf{(a.4)}}&\lx@intercol({[\mathcal{T}^{\prime}]}\mathrel{;}R_{1})\cap R_{2}={[\mathcal{T}^{\prime}]}\mathrel{;}(R\cap R_{2})\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.5)}}&{\sf{AR}}^{+}\subseteq{\sf{AR}}&{\textbf{(c.6)}}&{\mathsf{VIS}}\subseteq{\sf{AR}}\\
\cline{1-4}\cr\vrule\lx@intercol\hfil{\textbf{(b)}}\leavevmode\nobreak\ \text{Algebraic laws for (anti-)dependencies}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.7)}}&\lx@intercol{[{\sf{Writes}}_{x}]}\mathrel{;}{\mathsf{VIS}}\mathrel{;}{\mathsf{RW}}(x)\subseteq{\sf{AR}}\hfil\lx@intercol\vrule\lx@intercol\\[5.0pt]
{\textbf{(b.1)}}&\lx@intercol{\mathsf{WR}}(x)\subseteq{[{\sf{Writes}}_{x}]}\mathrel{;}{\mathsf{WR}}(x)\mathrel{;}{[{\sf{Reads}}_{x}]}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.8)}}&\lx@intercol{\mathsf{VIS}}\mathrel{;}\overline{{\mathsf{VIS}}^{-1}}\subseteq\overline{{\mathsf{VIS}}^{-1}}\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(b.2)}}&\lx@intercol{\mathsf{WW}}(x)\subseteq{[{\sf{Writes}}_{x}]}\mathrel{;}{\mathsf{WW}}(x)\mathrel{;}{[{\sf{Writes}}_{x}]}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.9)}}&\lx@intercol\overline{{\mathsf{VIS}}^{-1}}\mathrel{;}{\mathsf{VIS}}\subseteq\overline{{\mathsf{VIS}}^{-1}}\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(b.3)}}&\lx@intercol{\mathsf{RW}}(x)\subseteq{[{\sf{Reads}}_{x}]}\mathrel{;}{\mathsf{RW}}(x)\mathrel{;}{[{\sf{Writes}}_{x}]}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.10)}}&\lx@intercol(\overline{{\mathsf{VIS}}^{-1}}\mathrel{;}{\mathsf{VIS}})\cap\mathsf{Id}\subseteq\emptyset\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(b.4)}}&\lx@intercol{\mathsf{WR}}(x)\subseteq{\mathsf{WR}}(x)\setminus\mathsf{Id}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.11)}}&\lx@intercol({\mathsf{VIS}}\mathrel{;}\overline{{\mathsf{VIS}}^{-1}})\cap\mathsf{Id}\subseteq\emptyset\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(b.5)}}&\lx@intercol{\mathsf{WW}}(x)\subseteq{\mathsf{WW}}(x)\setminus\mathsf{Id}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.12)}}&{\sf{AR}}\cap\mathsf{Id}\subseteq\emptyset&&\\
{\textbf{(b.6)}}&\lx@intercol{\mathsf{RW}}(x)\subseteq{\mathsf{RW}}(x)\setminus\mathsf{Id}\hfil\lx@intercol\vrule\lx@intercol&&&&\\
\hline\cr\vrule\lx@intercol\hfil{\textbf{(d)}}\leavevmode\nobreak\ \text{Algebraic laws induced by the consistency guarantee }(\rho,\pi)\hfil\lx@intercol\vrule\lx@intercol\\[5.0pt]
{\textbf{(d.1)}}&\lx@intercol\rho({\mathsf{VIS}})\mathrel{;}{\sf{AR}}\mathrel{;}\pi({\mathsf{VIS}})\subseteq{\mathsf{VIS}}\hfil\lx@intercol&{\textbf{(d.2)}}&\lx@intercol(\pi({\mathsf{VIS}})\mathrel{;}\overline{{\mathsf{VIS}}^{-1}}\mathrel{;}\rho({\mathsf{VIS}}))\setminus\mathsf{Id}\subseteq{\sf{AR}}\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(d.3)}}&\lx@intercol\hfil({\sf{AR}}\mathrel{;}\pi({\mathsf{VIS}})\mathrel{;}\overline{{\mathsf{VIS}}^{-1}})\cap\rho(\mathcal{T}\times\mathcal{T})^{-1}\subseteq\overline{{\mathsf{VIS}}^{-1}}\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(d.4)}}&\lx@intercol\hfil(\overline{{\mathsf{VIS}}^{-1}}\mathrel{;}\rho({\mathsf{VIS}})\mathrel{;}{\sf{AR}})\cap\pi(\mathcal{T}\times\mathcal{T})^{-1}\subseteq\overline{{\mathsf{VIS}}^{-1}}\hfil\lx@intercol\vrule\lx@intercol\\
\hline\cr\end{array}
\begin{array}[]{| l l l l | l l l l |}\hline\cr\vrule\lx@intercol\hfil{\textbf{(a)}}\;\text{Algebraic laws for sets of transactions}\hfil\lx@intercol\vrule\lx@intercol&\lx@intercol\hfil{\textbf{(c)}}\leavevmode\nobreak\ \text{Algebraic laws for abstract Executions}\hfil\lx@intercol\vrule\lx@intercol\\[5.0pt]
{\textbf{(a.1)}}&{[\mathcal{T}^{\prime}]}\subseteq\mathsf{Id}&{\textbf{(a.2)}}&{[\mathcal{T}_{1}\cap\mathcal{T}_{2}]}={[\mathcal{T}_{1}]}\mathrel{;}{[\mathcal{T}_{2}]}&{\textbf{(c.1)}}&{\mathsf{WR}}(x)\subseteq{\mathsf{VIS}}&{\textbf{(c.2)}}&{\mathsf{WW}}(x)\subseteq{\sf{AR}}\\
{\textbf{(a.3)}}&\lx@intercol(R_{1}\mathrel{;}{[\mathcal{T}^{\prime}]})\cap R_{2}=(R_{1}\cap R_{2})\mathrel{;}{[\mathcal{T}^{\prime}]}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.3)}}&{\mathsf{RW}}(x)\subseteq\overline{{\mathsf{VIS}}^{-1}}&{\textbf{(c.4)}}&{\mathsf{VIS}}^{+}\subseteq{\mathsf{VIS}}\\
{\textbf{(a.4)}}&\lx@intercol({[\mathcal{T}^{\prime}]}\mathrel{;}R_{1})\cap R_{2}={[\mathcal{T}^{\prime}]}\mathrel{;}(R\cap R_{2})\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.5)}}&{\sf{AR}}^{+}\subseteq{\sf{AR}}&{\textbf{(c.6)}}&{\mathsf{VIS}}\subseteq{\sf{AR}}\\
\cline{1-4}\cr\vrule\lx@intercol\hfil{\textbf{(b)}}\leavevmode\nobreak\ \text{Algebraic laws for (anti-)dependencies}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.7)}}&\lx@intercol{[{\sf{Writes}}_{x}]}\mathrel{;}{\mathsf{VIS}}\mathrel{;}{\mathsf{RW}}(x)\subseteq{\sf{AR}}\hfil\lx@intercol\vrule\lx@intercol\\[5.0pt]
{\textbf{(b.1)}}&\lx@intercol{\mathsf{WR}}(x)\subseteq{[{\sf{Writes}}_{x}]}\mathrel{;}{\mathsf{WR}}(x)\mathrel{;}{[{\sf{Reads}}_{x}]}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.8)}}&\lx@intercol{\mathsf{VIS}}\mathrel{;}\overline{{\mathsf{VIS}}^{-1}}\subseteq\overline{{\mathsf{VIS}}^{-1}}\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(b.2)}}&\lx@intercol{\mathsf{WW}}(x)\subseteq{[{\sf{Writes}}_{x}]}\mathrel{;}{\mathsf{WW}}(x)\mathrel{;}{[{\sf{Writes}}_{x}]}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.9)}}&\lx@intercol\overline{{\mathsf{VIS}}^{-1}}\mathrel{;}{\mathsf{VIS}}\subseteq\overline{{\mathsf{VIS}}^{-1}}\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(b.3)}}&\lx@intercol{\mathsf{RW}}(x)\subseteq{[{\sf{Reads}}_{x}]}\mathrel{;}{\mathsf{RW}}(x)\mathrel{;}{[{\sf{Writes}}_{x}]}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.10)}}&\lx@intercol(\overline{{\mathsf{VIS}}^{-1}}\mathrel{;}{\mathsf{VIS}})\cap\mathsf{Id}\subseteq\emptyset\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(b.4)}}&\lx@intercol{\mathsf{WR}}(x)\subseteq{\mathsf{WR}}(x)\setminus\mathsf{Id}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.11)}}&\lx@intercol({\mathsf{VIS}}\mathrel{;}\overline{{\mathsf{VIS}}^{-1}})\cap\mathsf{Id}\subseteq\emptyset\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(b.5)}}&\lx@intercol{\mathsf{WW}}(x)\subseteq{\mathsf{WW}}(x)\setminus\mathsf{Id}\hfil\lx@intercol\vrule\lx@intercol&{\textbf{(c.12)}}&{\sf{AR}}\cap\mathsf{Id}\subseteq\emptyset&&\\
{\textbf{(b.6)}}&\lx@intercol{\mathsf{RW}}(x)\subseteq{\mathsf{RW}}(x)\setminus\mathsf{Id}\hfil\lx@intercol\vrule\lx@intercol&&&&\\
\hline\cr\vrule\lx@intercol\hfil{\textbf{(d)}}\leavevmode\nobreak\ \text{Algebraic laws induced by the consistency guarantee }(\rho,\pi)\hfil\lx@intercol\vrule\lx@intercol\\[5.0pt]
{\textbf{(d.1)}}&\lx@intercol\rho({\mathsf{VIS}})\mathrel{;}{\sf{AR}}\mathrel{;}\pi({\mathsf{VIS}})\subseteq{\mathsf{VIS}}\hfil\lx@intercol&{\textbf{(d.2)}}&\lx@intercol(\pi({\mathsf{VIS}})\mathrel{;}\overline{{\mathsf{VIS}}^{-1}}\mathrel{;}\rho({\mathsf{VIS}}))\setminus\mathsf{Id}\subseteq{\sf{AR}}\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(d.3)}}&\lx@intercol\hfil({\sf{AR}}\mathrel{;}\pi({\mathsf{VIS}})\mathrel{;}\overline{{\mathsf{VIS}}^{-1}})\cap\rho(\mathcal{T}\times\mathcal{T})^{-1}\subseteq\overline{{\mathsf{VIS}}^{-1}}\hfil\lx@intercol\vrule\lx@intercol\\
{\textbf{(d.4)}}&\lx@intercol\hfil(\overline{{\mathsf{VIS}}^{-1}}\mathrel{;}\rho({\mathsf{VIS}})\mathrel{;}{\sf{AR}})\cap\pi(\mathcal{T}\times\mathcal{T})^{-1}\subseteq\overline{{\mathsf{VIS}}^{-1}}\hfil\lx@intercol\vrule\lx@intercol\\
\hline\cr\end{array}
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Full text
\Copyright
Andrea Cerone, Alexey Gotsman and Hongseok Yang\EventEditorsRoland Meyer and Uwe Nestmann
\EventNoEds2
\EventLongTitle28th International Conference on Concurrency Theory (CONCUR 2017)
\EventShortTitleCONCUR 2017
\EventAcronymCONCUR
\EventYear2017
\EventDateSeptember 5–8, 2017
\EventLocationBerlin, Germany
\EventLogo
\SeriesVolume85
\ArticleNo22
Algebraic Laws for Weak Consistency (Extended Version)
Modern distributed systems often rely on so called weakly consistent databases,
which achieve scalability by weakening consistency guarantees of distributed transaction
processing. The semantics of such databases have been formalised in two different styles, one based
on abstract executions and the other based on dependency graphs. The choice
between these styles has been made according to intended applications. The former has
been used for specifying and verifying the implementation of the databases, while
the latter for proving properties of client programs of the databases.
In this paper, we present a set of novel algebraic laws (inequalities) that
connect these two styles of specifications. The laws relate binary relations used in
a specification based on abstract executions to those used in a specification
based on dependency graphs. We then show that this algebraic connection gives
rise to so called robustness criteria: conditions which ensure that a client program
of a weakly consistent database does not exhibit anomalous behaviours due to
weak consistency. These criteria make it easy to reason about these client programs,
and may become a basis for dynamic or static program analyses.
For a certain class of consistency models specifications, we prove a full
abstraction result that connects the two styles of specifications.
Modern distributed systems often rely on databases that achieve scalability by weakening
consistency guarantees of distributed transaction processing. These databases are said
to implement weak consistency models. Such weakly consistent databases
allow for faster transaction processing, but exhibit anomalous behaviours, which do not arise
under a database with a strong consistency guarantee, such as serialisability. Two important
problems for the weakly consistent databases are: (i) to find
elegant formal specifications of their consistency models and to prove that these
specifications are correctly implemented by protocols used in the databases; (ii) to develop
effective reasoning techniques for applications running on top of such databases.
These problems have been tackled by using two different formalisms, which model the run-time
behaviours of weakly consistent databases differently.
When the goal is to verify the correctness of a protocol implementing
a weak consistency model, the run-time behaviour of a distributed database is often
described in terms of abstract executions [14],
which abstract away low-level implementation details of the database (§2).
An example of abstract execution is depicted in Figure 1; ignore
the bold edges for the moment. It comprises four transactions, T0, T1, T2, and S;
transaction T0 initializes the value of an object acct to [math];
transactions T1 and T2 increment the value of acct by
50 and 25, respectively, after reading its initial value;
transaction S reads the value of acct.
In this abstract execution, both the updates of
T1 and T2 are VISible to transaction S, as witnessed by the two VIS-labelled
edges: T1VISS
and T2VISS.
On the other hand, the update of T1 is not visible to T2, and
vice versa, as indicated by the absence of an edge labelled with VIS between these transactions.
Intuitively, the absence of such an edge means that
T1 and T2 are executed concurrently.
Because S sees T1 and T2, as indicated by VIS-labelled edges from T1 and T2 to S,
the result of
reading the value of acct in S must be one of the values written by T1 and T2. However, because these
transactions are concurrent, there is a race, or conflict, between them.
The AR-labelled edge connecting T1 to T2, is used to ARbitrate the conflict:
it states that the update of T1 is older than the one of T2, hence the query of acct
in S returns the value written by the latter.
The style of specifications of consistency models in terms of abstract executions can be given by imposing
constraints over the relations VIS,AR (§2.1).
A set of transactions T={T1,T2,⋯},
called a history, is allowed by a consistency model specification
if it is possible to exhibit two witness relations VIS,AR over T such that the resulting abstract execution
satisfies the constraints imposed by the specification. For example, serialisability can be
specified by requiring that the relation VIS should be a strict total order. The set of transactions {T0,T1,T2,S}
from Figure 1 is not serialisable: it is not possible to choose a relation VIS such that the resulting abstract execution relates the transactions T1,T2 and the results of read operations are consistent with
visible updates.
Specifications of consistency models using abstract executions have been used in
the work on proving the correctness of protocols implementing weak consistency models, as well
as on justifying operational, implementation-dependent descriptions of these
models [16, 14, 12, 13].
The second formalism used to define weak consistency models is based on the notion
of dependency graphs [2], and it has been used for proving properties of client programs
running on top of a weakly consistent database.
Dependency graphs capture the data dependencies of transactions at run-time (§3);
the transactions {T0,T1,T2,S} depicted above, together with the bold edges but without
normal edges, constitute an example of dependency graph.
The edge T2WR(acct)S111For simplicity, references to the object
acct have been removed from the dependencies of
Figure 1. denotes a write-read dependency. It means that the read of
acct in transaction S returns the value written by transaction T2,
and the edges T0WR(acct)T1 and T0WR(acct)T2
mean something similar. The edge T1WW(acct)T2
denotes a write-write dependency, and says that the write to acct in T2 supersedes
the write to the same object in T1. The remaining edges T1RW(acct)T2
and T2RW(acct)T1 express anti-dependencies. The former
means that T1 reads a value for object acct which is older
than the value written by T2.
When using dependency graphs, consistency models are specified as sets of transactions
for which there exist WR,WW,RW relations that satisfy certain properties,
usually stated as particular relations being acyclic [17, 8]; for
example, serialisability can be specified by requiring that dependency graphs are acyclic.
Because dependencies of transactions can be over-approximated at the compilation time,
specifications of consistency models in terms of dependency graphs have been widely used for manually or automatically reasoning about properties of client programs of weakly consistent
databases [19, 27].
They have also been used in the complexity
and undecidability results for verifying implementations of consistency models [10].
Our ultimate aim is to reveal a deep connection between these two styles of specifying
weak consistency models, which was hinted at for specific consistent models in
the literature. Such a connection would, for instance, give us a systematic way to derive
a specification of a weak consistency model based on dependency graphs from
the specification based on abstract executions, while ensuring that the original
and the derived specifications are equivalent in a sense. In doing so, it would enable us
to prove properties about client programs of a weakly consistent database
using techniques based on dependency graphs [17, 18, 10]
even when the consistency model of the database is specified in terms of abstract executions.
In this paper, we present our first step towards this ultimate aim.
First, we observe that each abstract execution determines an underlying dependency graph.
Then we study the connection between these two structures at an algebraic level.
We propose a set of algebraic laws, parametric in the
specification of a consistency model to which the original abstract execution belongs (§4).
These laws can be used to derive properties of the form RG⊆RA:
here RG is an expression from the Kleene Algebra with Tests [23]
whose ground terms are run-time dependencies of transactions,
and tests are properties over transactions. The relation RA is one
of the fundamental relations of abstract executions: VIS, AR, or
a novel relation VIS−1 that we call anti-visibility, defined as VIS−1={(T,S)∣¬(SVIST)}.
Some of the algebraic laws that we propose show that there is a direct
connection between each kind of dependencies and the relations of abstract
executions: WR⊆VIS,WW⊆AR, and RW⊆VIS−1.
The other laws capture the connection between the relations of abstract
executions VIS,AR, and VIS−1. The exact nature of
this connection depends on the specification of the consistency model
of the considered abstract execution.
We are particularly interested in deriving properties of the form
RG⊆AR. Properties of this form
give rise to so called
robustness criteria for client programs, conditions ensuring that a program
only exhibits serialisable behaviours even when it runs under a weak consistency
model [19, 8, 11].
Because AR is a total order, this implies that RG must be acyclic,
hence all cycles must be in the complement of RG. We can then
check for the absence of such critical cycles at compile time:
because dependency graphs of serialisable databases are always acyclic, this
ensures that said application only exhibits serialisable behaviours.
As another contribution we show that, for a relevant class of consistency models,
our algebraic laws can be used to derive properties which are not only necessary,
but also sufficient, for dependency graphs in such models (§5).
2. Abstract Executions
We consider a database storing objects in Obj={x,y,⋯},
which for simplicity we assume to be integer-valued.
Client programs can interact with the database by
executing operations from a set Op, grouped inside transactions.
We leave the set Op unspecified, apart from requiring that
it contains read and write operations over objects:
{write(x,n),read(x,n)∣x∈Obj,n∈N}⊆Op.
Histories.
To specify a consistency model, we first define the set of
all client-database interactions allowed by the model. We start by introducing
(run-time) transactions and histories, which record such
interactions in a single computation.
Transactions are elements from a set T={T,S,⋯};
the operations executed by transactions are given by
a function behav:T→2Op, which maps a transaction
T to a set of operations that are performed by the transaction
and can be observed by other transactions.
We often abuse notations and just write o∈T (or T∋o) instead of
o∈behav(T). We adopt similar conventions for
O⊆behav(T) and O=behav(T) where O is a subset of operations.
We assume that transactions enjoy
atomic visibility
: for each object x,
(i) a transaction S never observes two different writes to x from a single transaction T
and (ii) it never reads two different values of x. Formally, the requirements are that
if T∋(writex:n) and T∋(writex:m), or T∋(readx:n) and T∋(readx:m),
then n=m. Our treatment of atomic visibility is taken from our previous work
on transactional consistency models [16]. Atomic visibility
is guaranteed by many consistency models [6, 28, 19].
We point out that
although we focus on transactions in distributed systems in the paper,
our results apply to weak shared-memory models [5]; there a transaction T
is the singleton set of a read operation (T={readx:n}),
that of a write operation (T={writex:n}), or the set of read and write
representing a compare and set operation (T={readx:n,writex:m}).
For each object x, we let
Writesx:={T∣∃n.(writex:n)∈T} and
Readsx:={T∣∃n,(readx:n)∈T} be the
sets of transactions that write to and read from x, respectively.
Definition 2.1**.**
A history T is a finite set of transactions {T1,T2,⋯,Tn}.
Consistency Models.
A consistency model Γ is a set of histories
that may arise when client programs interact with the database.
To define Γ formally,
we augment histories with two relations, called visibility and arbitration.
Definition 2.2**.**
An abstract executionX is a tuple (T,VIS,AR)
where T is a history and
VIS,AR⊆(T×T) are relations on transactions such that
VIS⊆AR
and AR is a strict total order222A relation
R⊆T×T is a strict (partial) order if it is transitive and irreflexive; it is total
if for any T,S∈T, either T=S, (T,S)∈R or (S,T)∈R..
We often write TVISS for (T,S)∈VIS, and similarly for
other relations. For each abstract execution X=(T,VIS,AR),
we let TX:=T, VISX:=VIS,
and ARX:=AR.
In an abstract execution X, TVISXS means
that the read operations in S may depend on the updates
of T, while TARXS means that the
update operations of S supersede those performed by T.
Naturally, one would expect that
the value fetched by read operations in a transaction T is
the most up-to-date one among all the values written by transactions visible to T.
For simplicity, we assume that such a transaction always exists.
Definition 2.3**.**
An abstract execution X=(T,VIS,AR) respects the Last Write Win (LWW) policy,
if for all T∈T such that T∋(readx:n),
the set T′:=(VIS−1(T)∩Writesx) is not empty,
and maxAR(T′)∋(writex:n), where maxAR(T′) is the AR-supremum of T′.
Definition 2.4**.**
An abstract execution X=(T,VIS,AR)respects
causality if VIS is transitive. Any abstract execution
that respects both causality and the LWW policy is said
to be valid.
We always assume an abstract execution to be valid, unless otherwise stated.
Causality is respected by all abstract executions allowed
by several interesting consistency models. They also simplify the mathematical
development of our results. In (§B), we explain how our results
can be generalised for consistency models that do not respect causality. We also
discuss how the model can be generalised to account for sessions and
session guarantees [29].
We can specify a consistency model using abstract executions in two steps.
First, we identify
properties on abstract executions, or axioms, that formally express an informal consistency guarantee, and
form a set with the abstract executions satisfying the properties. Next, we project abstract
executions in this set to underlying histories, and define a consistency model
Γ to be the set of resulting histories.
Abstract executions hide low-level operational details of the interaction between client programs
and weakly consistent databases. This benefit has been exploited for proving
that such databases implement intended consistency models [14, 20, 12, 13, 16].
2.1. Specification of Weak Consistency Models
In this section we introduce a simple framework for specifying
consistency models using the style of specification discussed above.
In our framework, axioms of consistency models relate the visibility and
arbitration relations via inequalities of the form
R1;ARX;R2⊆VISX,
where R1 and R2 are particular relations over transactions, and
X is an abstract execution.
As we will explain later, axioms of this form establish a necessary condition for two transactions
in an abstract execution X to be related by VISX,
i.e. they cannot be executed concurrently.
Despite its simplicity, the framework is
expressive enough to capture several consistency models for
distributed databases [16, 24]; as we will show in
§4, one of the benefits of this simplicity is that we can
infer robustness criteria of consistency models in a systematic way.
As we will see, the relations
R1,R2 in axioms of the form above, may depend on the visibility relation of the abstract execution X.
To define such relations, we introduce the notion of specification function.
Definition 2.5**.**
A function ρ:2(T×T)→2(T×T) is a specification function if
for every history T and relation R⊆T×T,
then ρ(R)=ρ(T×T)∩R?.
Here R? is the reflexive closure of R.
A consistency guarantee, or simply guarantee, is a pair of specification functions (ρ,π).
Definition 2.5 ensures that specification functions are
defined locally: for any R1,R2⊆T×T, ρ(R1∪R2)=ρ(R1)∪ρ(R2), and in particular for any R⊆T×T,
ρ(R)=(⋃T,S∈Tρ({(T,S)}))∩R?.
The reflexive closure in Definition 2.5 is needed because we will always apply
specification functions to irreflexive relations
(namely, the visibility relation of abstract
executions), although the result of this application need
not be irreflexive. For example, ρId(R):=Id, where Id is the identity function,
is a valid specification function.
Each consistency guarantee (ρ,π) defines, for each abstract execution X,
an axiom of the form ρ(VISX);ARX;π(VISX)⊆VISX: if this axiom is satisfied by X, we say that
X satisfies the consistency guarantee (ρ,π).
Consistency guarantees impose a
condition on when two transactions T,S in an abstract
execution X are not allowed to
execute concurrently,
i.e. they must be related by a VISX edge.
By definition, in abstract executions visibility edges
cannot contradict arbitration edges,
hence it is only natural
that the order in which the transactions T,S above are
executed is determined by the arbitration order:
in fact, the definition of specification function ensures that
ρ(VISX)⊆VISX? and
π(VISX)⊆VISX?,
so that
(ρ(VISX);ARX;π(VISX))⊆ARX
for all abstract executions X.
Definition 2.6**.**
A consistency model specification Σ or x-specification
is a set of consistency guarantees {(ρi,πi)}i∈I for some
index set I.
We define Executions(Σ) to be the set of valid abstract executions that satisfy all
the consistency guarantees of Σ. We let modelOf(Σ):={TX∣X∈Executions(Σ)}.
Examples of Consistency Model Specifications.
Figure 2 shows several examples of specification functions
and consistency guarantees.
In the figure
we use the relations [T]:={(T,T)∣T∈T}
and [o]:={(T,T)∣T∋o} for T⊆T and o∈Op.
The guarantees in the figure can be composed together to specify,
among others, several of the consistency models considered in [16]:
we give some examples of them below.
Each of these consistency models
allows different kinds of anomalies:
due to lack of space, these
are illustrated in (§A).
**Causal Consistency [25]: **
This is the weakest consistency model
we consider. It is specified by ΣCC=∅.
In this case, all abstract executions in Executions(ΣCC) respect causality.
The execution in Figure 1 is an example in Executions(ΣCC).
Red-Blue Consistency [24]:
This model extends causal consistency
by marking a subset of transactions as serialisable,
and ensuring that no two such transactions appear to execute concurrently.
We model red-blue consistency via
the x-specification ΣRB={(ρS,ρS)}. In the definition of ρS,
an element SerTx∈Op is used to mark transactions as serialisable, and
the specification requires that
in every execution X∈Executions(ΣRB),
any two transactions T,S∋SerTx in X
be compared by VISX. The abstract execution from Figure 1
is included in Executions(ΣRB), but if it were modified so that transactions
T1,T2 were marked as serialisable, then the result would not belong to
Executions(ΣRB).
**Parallel Snapshot Isolation (PSI) [28, 26]: ** This model
strengthens causal consistency by enforcing the Write Conflict Detection
property: transactions writing to one same object do not execute concurrently.
We let
ΣPSI={(ρx,ρx)}x∈Obj:
every execution X∈Executions(ΣPSI) satisfies
the inequality
([Writesx];ARX;[Writesx])⊆VISX, for all x∈Obj.
**Snapshot Isolation (SI) [7]: ** This consistency model
strengthens PSI by requiring that, in executions, the set of transactions visible
to any transaction T is a prefix of the arbitration relation.
Formally, we let ΣSI=ΣPSI∪{(ρId,ρSI)}.
The consistency guarantee (ρId,ρSI) ensures that any abstract
execution X∈Executions(SI) satisfies the property (ARX;VISX)⊆VISX333To be precise, the
property induced by the guarantee (ρId,ρSI) is
(ARX;(VISX∖Id))⊆ARX.
However, since VISX is an irreflexive relation, VISX∖Id=VISX.
Also, note that ρ(R)=R is not a specification function, so we cannot replace the guarantee
(ρId,ρSI) with (ρId,ρ)..
Similarly to what we did to specify Red-Blue consistency,
we can strengthen SI by allowing the possibility to mark transactions
as serialisable. The resulting x-specification is ΣSI+SER=ΣSI∪{(ρS,ρS)}. This x-specification captures a fragment of Microsoft SQL server,
which allows the user to select the consistency model at which
a transaction should run [1].
**Serialisability: ** Executions in this consistency model require
the visibility relation to be total. This can be formalised via the x-specification
ΣSER:={(ρId,ρId)}.
Any X∈Executions(ΣSER) is such that
ARX⊆VISX, thus
enforcing VISX to be a strict total order.
3. Dependency Graphs
We present another style of specification for consistency models
based on dependency graphs,
introduced in [2]. These are structures that capture the
data-dependencies between transactions accessing one same object.
Such dependencies can be over approximated at compilation time. For
this reason, they have found use in
static analysis
[19, 17, 18, 8] for programs
running under a weak consistency model.
Definition 3.1**.**
A dependency graph is a tuple G=(T,WR,WW,RW),
where T is a history and
WW:Obj→2T×T* is such that for every x∈Obj, WW(x) is a strict, total order over Writesx;*
3. (3)
RW:Obj→2T×T* is such that SRW(x)T
iff S=T and ∃T′.T′WR(x)S∧T′WW(x)T.*
Given a dependency graph G=(T,WR,WW,RW),
we let TG:=T, WRG:=WR, WWG:=WW, RWG:=RW.
The set of all dependency graphs is denoted as Graphs.
Sometimes, we commit an abuse of notation and use the symbol
WR to denote the relation ⋃x∈ObjWR(x),
and similarly for WW and RW. The actual meaning
of WR will always be clear from the context.
Let G∈Graphs. The write-read dependencyTWRG(x)S
means that S reads the value of object x that has been written by T.
By Definition 3.1, for any transaction S∈Readsx
there exists exactly one transaction T such that TWRG(x)S.
The relation WWG(x) establishes a total order in which updates
over object x are executed by transactions; its elements are called write-write dependencies.
Edges in the relation RWG(x) take the
name of anti-dependencies. TRWG(x)S means that
transaction T fetches some value for object x, but this is later
updated by S.
Given an abstract execution X, we can extract a dependency graph graph(X) such that Tgraph(X)=TX.
Definition 3.2**.**
Let X=(T,VIS,AR) be an execution. For x∈Obj, we define
graph(X)=(T,WRX,WWX,RWX), where:
For any valid abstract execution X, graph(X)
is a dependency graph.
Specification of Consistency Models using Dependency Graphs.
We interpret a dependency graph G
as a labelled graph whose vertices are transactions in Tx,
and whose edges are pairs of the form TRS, where R∈{WRG(x),WWG(x)G,RWG(x)∣x∈Obj}.
To specify a consistency model, we employ a two-steps approach.
We first identify one or more conditions to be satisfied by dependency graphs.
Such conditions require cycles of a certain form not to appear in a dependency graph. Then
we define a consistency model by projecting the set of dependency graphs satisfying the
imposed conditions into the underlying histories.
This style of specification is reminiscent
of the one used in the CAT [5] language for formalising weak memory models.
In the following we treat the relations
WRG(x),WWG(x),RWG(x) both as set-theoretic relations, and
as edges of a labelled graph.
Definition 3.4**.**
A dependency graph based specification, or simply g-specification, is a set Δ={δ1,⋯,δn},
where for each i∈{1,⋯,n}, δi is a function of type
Graphs→2(T×T)
and satisfies δi(G)⊆(WRG∪WWG∪RWG)∗
for every G∈Graphs.
Given a g-specification Δ, we define Graphs(Δ)={G∈Graphs∣∀δ∈Δ.δ(G)∩Id=∅},
and we let modelOf(Δ)={T∣∃WR,WW,RW.(T,WR,WW,RW)∈Graphs(Δ)}.
The requirement imposed over the functions δ1,⋯,δn ensures that, whenever (T,S)∈δi(G), for
some dependency graph G, then there exists a path in G, that connects T to S.
For Δ={δi}i=1n and G∈Graphs, the requirement that δi(G)∩Id=∅
means that G does not contain any cycle
T0R0T1R1⋯Rn−1Tn,
such that T0=Tn, and (R0;⋯;Rn−1)⊆δi(G).
Examples of g-specifications of consistency models.
Below we give some examples of g-specifications for the consistency models
presented in §2.
Theorem 3.5**.**
(1)
An execution X is serialisable iff graph(X) does not contain
any cycle. That is, modelOf(ΣSER)=modelOf({δSER}),
where δSER(G)=(WRG∪WWG∪RWG)+.
2. (2)
An execution X is allowed by snapshot isolation iff
graph(X) only admits cycles with at least
two consecutive anti-dependency edge. That is,
modelOf(ΣSI)=modelOf({δSI}),
where δSI(G)=((WRG∪WWG);RWG?)+.
3. (3)
An execution X is allowed by parallel snapshot isolation iff
graph(X) has no cycle where all anti-dependency
edges are over the same object.
Let δPSI0(G)=(WRG∪WWG)+,
δPSI(x)(G)=(⋃x∈Obj(WRG∪WWG)∗;RWG(x))+,
and define ΔPSI={δPSI0}∪{δPSI(x)∣x∈Obj}.
Then, modelOf(ΣPSI)=modelOf(ΔPSI).
Theorem 3.5(1) was proved
in [2]. The only if condition of Theorem 3.5(2) was
proved in [19]; we proved the if condition of Theorem 3.5(2)
in [17].
Theorem 3.5(3) improves on
the specification we gave for PSI in [17]; the latter does
not have any constraints on the objects to which anti-dependencies refer to.
We outline the proof of Theorem 3.5(3) in §5.
4. Algebraic Laws for Weak Consistency
Having two different styles for specifying consistency
models gives rise to the following problems:
**Weak Correspondence Problem: **
given a x-specification Σ, determine a non-trivial g-specification Δ which
over-approximates Σ, that is such that modelOf(Σ)⊆modelOf(Δ).
**Strong Correspondence Problem: **
Given a x-specification Σ, determine an equivalent
g-specification Δ, that is such that modelOf(Σ)=modelOf(Δ).
We first focus on the weak correspondence problem,
and we discuss the strong correspondence problem in §5.
This problem is not only of theoretical interest.
Determining a g-specification Δ that
over-approximates a x-specification Σ corresponds to establishing one or
more conditions
satisfied by all cycles of dependency graphs from the set
{graph(X)∣X∈Executions(Σ)}.
Cycles in a
dependency graph that
respect such a condition
are called Σ-critical (or simply critical), and graphs that admit a non-Σ-critical cycle
cannot be obtained from abstract executions in Executions(Σ).
One can ensure that an application running under the model Σ
is robust, i.e. it only produces serialisable behaviours, by checking for the absence of
Σ-critical cycles at static time [19, 8].
Robustness of an application can also be checked at run-time,
by incrementally constructing the dependency graph of executions,
and detecting the presence of Σ-critical cycles [31].
General Methodology.
Let Σ be a given x-specification. We tackle the weak correspondence problem in two steps.
First, we identify a set of inequalities that hold for all the executions X satisfying
consistency guarantees (ρ,π) in Σ. There are two kinds of such inequalities.
The first are the inequalities in Figure 3, and the second the inequalities
corresponding to the axioms of the Kleene
Algebra (2T×T,∅,Id,∪,;,⋅∗) and
the Boolean algebra (2T×T,∅,T×T,∪,∩,⋅).
The exact meaning of the inequalities in Figure 3 is discussed later in this section.
Second,
we exploit our inequalities to derive
other inequalities of the form RX⊆ARX for every X∈Executions(Σ).
Here RX is a relation built from dependencies in graph(X),
i.e. RX⊆(WRX∪WWX∪RWX)∗.
Because ARX is acyclic (that is ARX+∩Id⊆∅), we may conclude that RX is acyclic for any X∈Executions(Σ). In particular, we have that modelOf(Σ)⊆modelOf({δ}),
where δ is a function that maps, for every abstract execution X,
the dependency graph graph(X) into the relation RX.
Some of the inequalities we develop, namely those in Figure 3(d),
are parametric in the consistency guarantee (ρ,π). As a consequence,
our approach can be specialised to any consistency model that is captured by our
framework. To show its applicability, we derive critical cycles
for several of the consistency models that we have presented.
Presentation of the Laws.
Let X=(T,VIS,AR),
and graph(X)=(T,WR,WW,RW).
We now explain the inequalities in Figure 3.
Among these, the inequalities in Figures 3(a)
and (b) should be self-explanatory.
Let us discuss the inequalities of Figure 3(c).
The inequalities (c.1), (c.2) and (c.3)
relate dependencies to either basic or derived relations of abstract executions.
Dependencies of the form WR,WW are included in the
relations VIS,AR, respectively, as established by inequalities (c.1)
and (c.2).
The inequality (c.3), which we prove presently, is non-standard. It
relates anti-dependencies to a novel anti-visibility relation
VIS−1, defined as TVIS−1S
iff ¬(SVIST). In words, S is anti-visible to T
if T does not observe the effects of S. As we will explain later,
anti-visibility plays a fundamental role in the development of our laws.
Proof of Inequality (c.3).
Suppose TRW(x)S for some object x∈Obj.
By definition, T=S, and there exists a transaction T′ such that T′WR(x)T
and T′WW(x)S. In particular, T′VIST and T′ARS by
the inequalities (c.1) and (c.2), respectively.
Now, if it were SVIST,
then we would have that T′ is not
the AR-supremum of the set of transactions
visible to T, and writing to object x.
But this contradicts the definition of graph(X), and the
edge T′WR(x)T.
Therefore, TVIS−1S. ∎
Another non-trivial inequality is (c.7) in Figure 3(c).
It says that if a
transaction T reads a value for an object x that is
later updated by another transaction S (TRWS), then the
update of S is more recent (i.e. it follows
in arbitration) than all the updates to x seen by T.
We prove it in (§C). The other inequalities
in Figure 3(c) are self explanatory.
The inequalities in Figure 3(d)
are specific to a consistency guarantee (ρ,π), and
hold for an execution X when the execution satisfies (ρ,π).
The inequality (d.1) is just the definition of consistency
guarantee. The next inequality (d.2) is where
the novel anti-visibility relation, introduced previously, comes into play.
While the consistency guarantee (ρ,π) expresses
when arbitration induces transactions related by visibility,
the inequality (d.2) expresses when anti-visibility induces
transactions related by arbitration. To emphasise
this correspondence, we call the inequality (d.2)co-axiom induced by (ρ,π).
Later in this section, we show how by exploiting the co-axiom induced by
several consistency guarantees, we can derive critical cycles of several
consistency models.
Proof of Inequality (d.2).
Assume X∈Executions({(ρ,π)}).
Let T,T′,S′,S∈T be such that T=S, Tπ(VIS)T′VIS−1S′ρ(VIS)S.
Because AR is total, either SART or TARS.
However, the former case is not possible. If so, we would have S′ρ(VIS)SARTπ(VIS)T′.
because X∈Executions({(ρ,π)}), by
the inequality (d.1), it would follow that S′VIST′, contradicting the assumption that T′VIS−1S′.
Therefore, it has to be TARS. ∎
The last inequalities (d.3) and
(d.4) in Figure 3(d)
show that anti-visibility edges of X
are also induced by the consistency guarantee (ρ,π).
We prove them formally in (§C), where
we also illustrate some of their applications.
Applications.
We employ the algebraic laws of Figure 3 to derive Σ-critical
cycles for arbitrary x-specifications, using the methodology explained previously:
given a x-specification Σ and an abstract execution X, we
characterise a subset of ARX as a relation
RG built from the dependencies in graph(X)
and relations of the form [o], where o∈Op.
Because RG⊆ARX, we conclude
that RG is acyclic.
The inequalities (c.1), (c.6) and (c.2) ensure that
we can always include write-read and write-write dependencies in
the relation RG above. Because
of inequalities (c.3) and (d.2) (among others),
we can include in RG also relations that involve anti-dependencies.
The following result shows how this methodology can
be applied to serialisability.
We use the notation R1⊆(eq)R2
to denote that the inequality R1⊆R2 follows from (eq).
Theorem 4.1**.**
For all X∈Executions(ΣSER), the relation (WRX∪WWX∪RWX) is acyclic.
Proof.
Recall that ΣSER={(ρId,ρId)}, where ρId(_)=Id. We have
[TABLE]
Along the lines of the proof of Theorem 4.1, we can
characterise Σ-critical cycles for an arbitrary x-specification Σ.
Below, we show how to apply our methodology to derive ΣRB-critical
cycles.
Theorem 4.2**.**
Let X∈Executions(ΣRB). Say that a RWX edge in a cycle of
graph(X) is protected if its endpoints are connected to
serialisable transactions via a sequence of WRX edges. Then
all cycles in graph(X) have at least one unprotected RWX edge.
Formally, let ⊩RWX\dashV be ([SerTx];(WRX)∗;RWX;(WRX)∗;[SerTx]).
Then (WRX∪WWX∪⊩RWX\dashV) is acyclic.
Proof.
It suffices to prove that ⊩RWX\dashV⊆ARX. The
rest of the proof is similar to the one of Theorem 4.1.
We recall that ΣRB={(ρS,ρS)}, where ρS(_)=[SerTx].
[TABLE]
We remark that our characterisation of ΣRB-critical
cycle cannot be compared to the one given in [8].
In §C we show how our methodology
can be applied to give a characterisation of ΣRB-critical cycles
that is stronger than both the one presented in Theorem 4.2 and the one given in [8].
We also employ our proof technique to prove both known and new derivations of critical cycles for other x-specifications.
5. Characterisation of Simple Consistency Models
We now turn our attention to the Strong Correspondence
Problem presented in §4. Given a x-specification
Σ={(ρ1,π1),⋯,(ρn,πn)} and
a dependency graph G, we want to find a sufficient and necessary
condition for determining whether
G=graph(X) for some X∈Executions(Σ).
In this section we propose a proof technique for solving the strong correspondence problem.
This technique applies to a particular class of x-specifications, which
we call simple x-specifications.
This class includes several of the consistency models we have presented.
Characterisation of Simple x-specifications.
Recall that for each x∈Obj,
the function ρx of an abstract execution X is defined as ρx(_)=[Writesx],
and the associated axiom is [Writesx];ARX;[Writesx]⊆VISX.
Definition 5.1**.**
A x-specification Σ is simple
if there exists a consistency guarantee (ρ,π) such that
Σ⊆{(ρ,π)}∪{(ρx,ρx)}x∈Obj.
That is, a simple x-specification Σ
contains at most one consistency guarantee, beside those
of the form (ρx,ρx) which express the write-conflict detection
for some object x∈Obj.
Among the x-specifications
that we have presented in this paper, the only non-simple one is ΣSI+SER.
For simple x-specifications, it is possible to solve the strong correspondence problem.
Fix a simple x-specification Σ⊆{(ρ,π)}∪{(ρx,ρx)∣x∈Obj}
and a dependency graph G. We define a system
of inequalities SystemΣ(G) in three unknowns XV,XA and XN, and
depicted in Figure 4 (the inequalities (V4) and (A5) are included
in the system if and only if (ρ,π)∈Σ). These unknowns correspond to subsets of the visibility, arbitration
and anti-visibility relations of the abstract execution X∈Executions(Σ), with underlying
dependency graph G, that we wish to find.
Note that each one of the inequalities of SystemΣ(G), with the exception of (V3),
follows the structure of one of the algebraic laws from Figure 3.
We prove that, in order to ensure that the abstract execution X exists, it is
sufficient to find a solution of SystemΣ(G) whose XA-component is acyclic.
In particular, this is true if and only if the XA-component of the smallest solution444
A solution (XV=VIS,XA=AR,XN=AntiVIS) is smaller than another one
(XV=VIS′,XA=AR′,XN=AntiVIS′) iff
VIS⊆VIS′,AR⊆AR′ and AntiVIS⊆AntiVIS′. of SystemΣ(G)
is acyclic.
Theorem 5.2**.**
**Soundness: : **
for any X∈Executions(Σ) such that graph(X)=G,
the triple (XV=VISX,XA=ARX,XN=VISX−1) is a
solution of SystemΣ(G),
**Completeness: : **
Let (XV=VIS0,XA=AR0,XN=AntiVIS0) be the smallest solution of SystemΣ(G)
.
If AR0 is acyclic, then there exists an abstract
execution X such that X∈Executions(Σ) and graph(X)=G. ∎
Note that the relation AR0 need not to be total in the completeness direction of Theorem 5.2.
Before discussing the proof of Theorem 5.2,
we show how it can be used to prove the equivalence of a x-specification
and a g-specification. We give a proof of Theorem 3.5(3).
Theorems 3.5(1) and 3.5(2)
can be proved similarly, and their proof is given in (§D).
Proof Sketch of Theorem 3.5(3).
Recall that ΔPSI={δPSI0}∪{δPSI(x)(G)∣x∈Obj}, where δPSI0(G)=(WRG∪WWG)+,
δPSI(x)(G)=((WRG∪WWG)∗;RWG(x))+. In (§D)
we prove that
Graphs(ΔPSI)=Graphs({δPSI}), where
[TABLE]
Therefore, it suffices to prove that modelOf(ΣPSI)=modelOf({δPSI}):
modelOf(ΣPSI)⊆modelOf({δPSI})**: : **
given X∈Executions(ΣPSI), and let G:=graph(X),
we need to show that δPSI(G)∩Id=∅. The proof follows the style of Theorems 4.1 and 4.2;
details can be found in (§C),
modelOf({δPSI})⊆modelOf(ΣPSI)**: : **
given G∈Graphs({δPSI}), let VISG=(WR∪WW)+;
It is immediate to prove that the triple (XV=VISG,XA=δPSI(G),XN=VISG?;RW;VISG?)
is a solution of SystemΣPSI(G). Because δPSI(G) is acyclic,
if we take the smallest solution (XV=_,XA=ARG,XN=_) of SystemΣ(G), then ARG⊆δPSI(G), hence ARG is acyclic.
By Theorem 5.2, there exists an abstract execution X∈Executions(PSI)
such that graph(X)=G, and in particular TX=TG. ∎
We now turn our attention to the proof of Theorem 5.2.
The proof of the soundness direction is straightforward.
Proof of Theorem 5.2 (Soundness).
Let X∈Executions(Σ), and define G:=graph(X).
To show that the triple (XV=VISX,XA=ARX,XN=VISX−1) is a solution of SystemΣ(G),
we need to show that all the inequalities from said system are satisfied,
when the unknowns XA,XV,XN are replaced with VISX,ARX,VISX−1,
respectively.
In practice, all the inequalities, with the exception of (V3), follow from the algebraic laws of Figure 3.
Let us prove that (V3) is also valid: for any (ρx,ρx)∈Σ
we have that
[TABLE]
The proof of the completeness direction of Theorem 5.2
is much less straightforward.
Let (XV=VIS0,XA=AR0,XN=AntiVIS0)
be the smallest solution of SystemΣ(G). Assume that AR0 is acyclic.
The challenge is that of constructing a valid abstract execution X, i.e. whose
arbitration order is total,
from the dependencies in G, that is included in Executions(Σ). We
do this incrementally: at intermediate stages of the construction
we get structures similar to abstract executions, but where the arbitration
order can be partial.
Definition 5.3**.**
A pre-executionP=(TG,VIS,AR) is a tuple that satisfies
all the constraints of abstract executions, except that AR is not necessarily
total, although AR is still required to be total over the set Writesx for
every object x.
The notation adopted for abstract executions naturally extends to pre-executions;
also, for any pre-execution P, graph(P) is a well-defined dependency graph.
Given a x-specification Σ, we let PreExecutions(Σ) be the set of all valid pre-executions
that satisfy all the consistency guarantees in Σ.
SystemΣ(G) is defined so that all of its solutions whose XA-component
is acyclic induce a valid pre-execution in PreExecutions(Σ) with underlying dependency graph G.
Proposition 5.4**.**
Let (XV=VIS′,XA=AR′,XN=AntiVIS′)
be a solution to SystemΣ(G). If AR′∩Id=∅,
then P=(TG,VIS′,AR′)∈PreExecutions(Σ);
moreover, graph(P)=G.
Proof Sketch.
The inequalities (A1), (A2) and (A4)
together with the assumption that AR0 is acyclic, ensure that P is a pre-execution.
In particular, (A1) ensures that AR0 is a total relation over
the set Writesx, for any x∈Obj.
As we explain in (§D),
the inequalities (V1), (A1) and (A3) enforce the Last Write Wins policy
(Definition 2.3).
The inequality (V2) mandates that P respects causality.
Finally, the inequalities (V3) and (V4) ensure that all
the consistency guarantees in Σ are satisfied by P. ∎
In particular, the smallest solution (XV=VIS0,XA=AR0,XN=AntiVIS0)
of SystemΣ(G)
induces the pre-execution (TG,VIS0,AR0)∈PreExecutions(Σ).
To construct an abstract execution X∈Executions(Σ), with
graph(X)=G, we define a finite chain of pre-executions {Pi,}i=0n,
n≥0, as follows: (i) let P0:=(TG,VIS0,AR0); (ii)
given Pi, i≥0, choose two different transactions
Ti,Si∈TG (if any) that are not related by ARi,
compute the smallest solution (XV=VISi+1,XA=ARi+1,XN=_)
such that ARi+1⊇ARi∪{(Ti,Si)}, and let Pi+1:=(TG,VISi+1,ARi+1);
(iii) if the transactions Ti,Si∈TG from the previous step do not exist,
then let n:=i and terminate the construction.
Because we are assuming that TG is finite, the construction of {P0,⋯,Pn}
always terminates.
To prove the completeness direction of Theorem 5.2, we show that
all of the pre-executions {P0,⋯,Pn} in the construction outlined
above are included in PreExecutions(Σ); then, because in Pn=(TG,VISn,ARn) all transactions are related by ARn, we may conclude that ARn is
total, and Pn∈Executions(Σ). According to Proposition 5.4, it
suffices to show that each of the relations ARi,i=0,⋯,n is acyclic.
However, this is not completely trivial, because of how ARi+1 is defined:
adding one edge (Ti,Si) in ARi+1 may cause more edges to be
included in VISi+1, due to the inequality (V4). This in turn leads
to including more edges in ARi+1, thus augmenting the risk of having a
cycle in ARi+1.
In practice, the definition of SystemΣ(G) ensures that
this scenario does not occur.
Proposition 5.5**.**
For i=0,⋯,n−1, let ΔARi:=ARi?;{(Ti,Si)};ARn?.
Then ARi+1=ARi∪ΔARi.
Corollary 5.6**.**
For i=0,⋯,n−1, if ARi∩Id=∅, then ARi+1∩Id=∅.
Proof.
Because ARi∩Id=∅ by hypothesis,
by Proposition 5.5 we only need to show that
ΔARi∩Id=∅. If (T,T)∈ΔARi
for some T∈TG, then it must be TARi?Ti
and SiARi?T. It follows that
SiARi?Ti. But this contradicts the
hypothesis that ARi does not relate transactions Ti and Si.
Therefore, (T,T)∈ΔARi
for any T∈TG, i.e. ΔARi∩Id=∅.
∎
We have now everything in place to prove Theorem 5.2.
Proof of Theorem 5.2 (Completeness).
Let G be a dependency graph, and
define the chain of pre-executions P0=(TG,VIS0,AR0),⋯,Pn=(TG,VISn,ARn) as described above.
We show that for any i=0,⋯,n, Pi∈PreExecutions(Σ),
and graph(Pi)=G. Because ARn is a total order, this implies that Pn∈Executions(Σ),
and graph(Pn)=G, as we wanted to prove. The proof is by induction on n.
**Case i=0: : **
observe that the triple (XV=VIS0,XA=AR0,XN=_) corresponds to
the smallest solution of SystemΣ(G), hence AR0 is acyclic
by hypothesis. It follows from Proposition 5.4 that
P0∈PreExecutions(Σ), and graph(P0)=G,
**Case i>0: : **
assume that i≤n; then i−1<n, and by
induction hypothesis Pi−1∈PreExecutions(Σ). In particular, the relation
ARi−1 is acyclic; by Corollary 5.6 we obtain
that ARi is acyclic. Finally, recall that the triple (XV=VISi,XA=ARi,XN=_)
is a solution of SystemΣ(G) by construction. It follows from
Proposition 5.4 that Pi∈PreExecutions(Σ), and graph(Pi)=G. ∎
6. Conclusion
We have explored the connection between two different styles
of specifications for weak consistency models at an algebraic
level. We have proposed several laws which we applied to
devise several robustness criteria for consistency models.
To the best of our knowledge, this is the first generic proof
technique for proving robustness criteria of weak consistency models.
We have shown that, for a particular class of consistency models,
our algebraic approach leads to a precise characterisation of consistency models
in terms of dependency graphs.
Related Work.
Abstract executions have been introduced by Burckhardt in [13] to
model the behaviour of eventually consistent data-stores;
They have been used to capture the behaviour of
replicated data types [Gotsman et al., 14],
geo-replicated databases [Cerone et al., 16] and
non-transactional distributed storage systems [Viotti et al., 30].
Dependency graphs have been introduced by Adya [2];
they have been used since to reason about programs running
under weak consistency models.
Bernardi et al., used dependency graphs to derive robustness criteria
of several consistency models [8], including PSI and red-blue; in contrast with
our work, the proofs there contained do not rely on
a general technique.
Brutschy et al. generalised the notion of dependency
graphs to replicated data types, and proposed a robustness criterion
for eventual consistency [11].
Weak consistency also arises in the context of shared memory systems [5].
Alglave et al., proposed the CAT language for specifying weak memory models in [5],
which also specifies weak memory models as a set of irreflexive relations over data-dependencies
of executions. Castellan [15], and Jeffrey et al. [21],
proposed different formalisations of weak memory models via event structures.
The problem of checking the robustness of applications has also been
addressed for weak memory models [4, 9, 3].
The strong correspondence problem (§5) is
also highlighted by Bouajjani et al. in [10]: there the authors
emphasize the need for general techniques to identify all the bad patterns
that can arise in dependency-graphs like structures. We solved the
strong correspondence problem for SI in [17].
Appendix A Exampes of Anomalies
We give examples of several anomalies: for each
of them we list those consistency models, among those
considered in the paper, that allow the anomaly,
and those that forbid it. For the sake of clarity,
we have removed from the pictures below a
transaction writing the initial value [math] to relevant objects,
and visible to all other transactions. Also, unnecessary
visibility and arbitration edges are omitted from figures.
**Fractured Reads: : **
Transaction T2 reads only one of the updates performed by transaction T1:
**•: **
**Allowed by: ** No consistency model enjoying atomic visibility allows this anomaly.
The update of transaction T2 to object y depends on the value of x
written by another transaction T1. For example, T2 can be generated by
the code if(x=1)theny:=1;. A third transaction
T3 observes the update to y, but not the one to x.
**•: **
**Allowed by: ** None of the models discussed in the paper.
However, some other consistency models such as Read Atomic
[6] allow this anomaly.
This is the abstract Execution depicted in Figure
1, which we draw again below. Two transactions T1,T2
concurrently update the same object, after reading the initial value for it.
This execution is the same as the one above, but
the two transactions T1,T2 are marked as serialisable. In the figure below,
transactions marked as serialisable are depicted using a box with double borders. Because Causal Consistency does not distinguish
between transactions marked as serialisable from those that are not marked as such, it allows the serialisable
lost update. However, this anomaly is forbidden by Red-blue Consistency.
This is the same
as the long fork, but the transactions T1,T2 that
write to objects x,y, respectively, are marked as serialisable.
Because Parallel Snapshot Isolation does not take serialisable
transactions into account, it allows this anomaly.
However, Red-blue Consistency distinguishes between serialisable and
non-serialisable transactions, hence it does not allow
it.
**Remark: ** Note that Red-blue consistency forbids this anomaly, but allows the lost update anomaly
from above. In contrast, Parallel Snapshot Isolation allows this anomaly, but forbids
the lost-update anomaly. In other words, Red-blue Consistency and Parallel Snapshot Isolation
are incomparable: Executions(ΣRB)⊆Executions(ΣPSI)
and Executions(ΣPSI)⊆Executions(ΣRB).
**Write Skew: : **
Transactions T1,T2 read each the initial value of an object which is
updated by the other.
Appendix B Session Guarantees and Non-Causal Consistency Models
We augment histories with sessions: clients submit transactions
within sessions, and the order in which they are submitted to the database is tracked
by a session order. We propose a variant of x-specifications that
allows for specifying session guarantees, as well as causality guarantees
that are weaker than causal consistency.
Definition B.1**.**
Let T be a set of transactions, and let {T1,T2,⋯,Tn} be
a partition of T.
An extended history is a pair H=(T,SO), where SO=⋃i=1nSOi,
and each SOi is a strict, total order over Ti. Each of the sets Ti=1,⋯,n takes
the name of session, and we call SO the session order.
Given an extended history H=(T,SO), we let TH=T, and
SOH=SO.
If (T,SO) is an extended history, and (T,VIS,AR) is an abstract execution, then we
call (T,SO,VIS,AR) an extended abstract execution.
Specification functions can also be lifted to take extended abstract executions into account:
an extended specification function is a function ρ:(H,R)↦R′,
such that for any extended history H and relation R⊆TH×TH,
ρ(H,R)=ρ(H,TH×TH)∩R?.
An example of extended specification function is ρ(H,R)=R∖(SOH?).
An extended consistency guarantee is a pair (ρ,π), where ρ,π are extended specification functions.
Definition B.2**.**
A session guarantee is a function σ:2T×T→2T×T
such that, for any relation R⊆T×T, σ(R)⊆R?.
A causality guarantee is a pair (γ,β), where γ and β are extended specification functions.
An extended x-specification of a consistency model is a triple Σ=({σi}i∈I,{(γj,βj)}j∈J,{(ρk,\leavevmodeπk)}k∈K), where I,J,K are (possibly empty)
index sets, for any i∈I,j∈J and k∈K, σi is a session guarantee, (γj,βj)
is a causality guarantee, and (ρk,πk) is an extended consistency guarantee.
Note that the definition of causality and (extended) consistency guarantees are the same. However,
they play a different role when defining the set of executions admitted by a consistency model.
Definition B.3**.**
An extended abstract execution X=(T,SO,VIS,AR)
conforms to the extended specification ({σi}i∈I,{(γj,βj)}j∈J,{(ρk,πk)}k∈K iff
(1)
for any i∈I, σi(SO)⊆VIS
2. (2)
for any j∈J, γj(H,VIS);βj(H,VIS)⊆VIS,
3. (3)
for any k∈K, ρk(H,VIS);AR;πk(H,VIS)⊆VIS.
Any x-specification can be lifted to an extended one: let γCC(_,R)=(R∖Id)555The
difference with the identity relation
is needed for γ to satisfy the definition of specification function. However, we will always apply γ to an
irreflexive relation R, for which γ(_,R)=(R∖Id)=R..
Let also Σ be any x-specification, and for any pair (ρ,π)∈Σ, define
ρ′(_,R)=ρ(R), π′(_,R)=π(R). Then for any abstract X,
X∈Executions(Σ) iff X conforms to the extended specification
(∅,{(γCC,γCC)},{(ρ′,π′)∣(ρ,π)∈Σ}).
Dependency graphs can also be extended to take sessions into account. If
(T,SO) is a history, and (T,WR,WW,RW) is a dependency graph,
then G=(T,SO,WR,WW,RW) is an extended dependency graph.
Given an extended abstract execution X=(T,SO,VIS,AR), we
define graph(X)=(T,SO,WR,WW,RW), where (T,WR,WW,RW)=graph(T,VIS,AR).
An extended abstract execution X=(T,SO,VIS,AR) with underlying extended dependency
graph graph(X)=(T,SO,WR,WW,RW) and conforming to the extended specification
({σi}i∈I,{(γj,βj)}j∈J,{(ρk,πk)}k∈K,
satisfies all the Equations of Figure 3, exception made for equations,
(c.8) and (c.9). Furthermore, sessions and causality guarantees induce
novel inequalities, which are listed below:
(1)
⋃i∈Iσi(SO)⊆VIS,
2. (2)
for any j∈J, (βj(H,VIS);VIS−1)∩γ(H,T×T)−1⊆VIS−1,
3. (3)
for any j∈J, (VIS−1;γj(H,VIS))∩βj(H,T×T)−1⊆VIS−1.
Equation (1) is obviously satisfied. To see why (2)
is satisfied by X, let j∈J and suppose that Tβj(H,VIS)VVIS−1S,
and Sγj(H,T×T)T. If it were SVIST, then
we would have a contradiction: because γj is an extended specification function,
Sγj(H,T×T)T and SVIST imply that
Sγj(H,VIS)T, and together with Tβj(H,VIS)V
then we would have SVISV, contradicting the assumption that VVIS−1S.
Therefore it has to be ¬(SVIST), or equivalently TVIS−1S.
Equation (3) can be proved similarly.
Examples of Session Guarantees.
Below we give some examples of session guarantees, inspired by [29].
Read Your Writes: This guarantee states that when processing a transaction,
a client must see previous writes in the same session. This can be easily expressed
via the collection of consistency guarantees {σRYW(x)}x∈Obj,
where for each object x, σRYW(x)(R)=[Writesx];R;[Readsx].
An extended abstract execution X=(T,SO,VIS,AR) satisfies this session guarantee
if ⋃x∈Obj[Writesx];SO;[Readsx]⊆VIS,
Monotonic Writes: This guarantee states that transactions writing
at least to one object are processed in
the same order in which the client requested them. It can be specified via the
function σMW(R)=(⋃x∈Obj[Writesx]);R;(⋃x∈Obj[Writesx]). Any extended abstract execution X=(T,SO,VIS,AR) satisfies
the monotonic writes guarantee, is such that (⋃x∈Obj[Writesx]);SO;(⋃x∈Obj[Writesx])⊆VIS,
Strong Session Guarantees: This guarantee states that all transactions
are processed by the database in the same order in which the client requested them.
It can be specified via the function σSS(R)=R;
an extended abstract execution (T,SO,VIS,AR) satisfies this guarantee if
SO⊆VIS.
Examples of Causality Guarantee: .
We have already seen how to model causal consistency via
the causality guarantee (γCC,γCC).
Below we give an example of weak causality guarantee:
Per-object Causal Consistency: this guarantee states that
causality is preserved only among transactions accessing the same object.
That is, let γx(R)=([Writesx∪Readsx];R;[Writesx∪Readsx])∖Id. The difference with the identity set is needed in order for γx(R) to be a
specification function. By definition, An extended abstract execution X=(T,SO,VIS,AR) that
satisfies the per-object causal consistency guarantee, satisfies the inequality
[Writesx∪Readsx];VIS;[Writesx∪Readsx];VIS;[Writesx∪Readsx]⊆VIS.
Appendix C Additional Proofs of Algebraic Laws and Robustness Criteria
Throughout this Section, we assume that X=(T,VIS,AR) is
a valid abstract execution, and
graph(X)=(T,WR,WW,RW).
First, a result about specification functions, which was hinted at in
the main paper:
Proposition C.1**.**
Let ρ(⋅) be a specification function.
For all histories T and relations R,R′⊆T×T,
(i)
ρ(R)⊆R?;
2. (ii)
ρ(T×T)∩R⊆ρ(R);
3. (iii)
ρ(R)∪ρ(R′)=ρ(R∪R′).
Proof.
Recall that, by definition, if ρ is a specification function,
then ρ(R)=ρ(T×T)∩R?. It is immediate
to observe then that (i) ρ(R)⊆R?, and
(ii) ρ(T×T)∩R⊆ρ(T×T)∩R?=ρ(R). To prove (iii) note that
All the (in)equalities of Figure 3(a) are satisfied.
Proof.
We prove each of the (in)equalities in Figure 3(a) individually. Throughout
the proof, we let T′,T1,T2⊆T, and R1,R2⊆T×T
•
(a.1): by Definition, [T′]={(T,T)∣T∈T′}⊆IdT,
•
(a.2): note that we can rewrite [Ti]={(T,S)∣T∈T1∧S∈T1∧T=S}, where i=1,2; then
[TABLE]
•
(a.3):
[TABLE]
•
(a.4):
[TABLE]
∎
Proposition C.3**.**
All the inequalities of Figure 3(b) are satisfied by X.
Proof. We only prove (in)equalities (b.1) and (b.4). The proof for the other
(in)equalities is similar.
Suppose that TWR(x)S. By Definition, S∋(readx:_), hence
(S,S)∈[Readsx]. Also, T∈VIS−1(S)∩Writesx⊆Writesx,
from which (T,T)∈[Writesx] follows. Thus, (T,S)∈[Writesx];WR(x);[Readsx]; this proves Equation (b.1).
To prove Equation (b.4), first observe that because TWR(x)S, then
TVISS, and because VIS⊆AR then also TARS.
By definition of abstract
execution, then T=S. Therefore, WR(x)∩Id=∅. Now we can rewrite
[TABLE]
Proposition C.4**.**
X* satisfies inequalities (c.1), (c.2)
and (c.7).*
Proof.
The inequalities (c.1) and (c.2) follow directly from the
Definition of graph(X).
It remains to prove the inequality (c.7). Let T,S,T′ be three transactions
such that T∋(writex:_), TVISS and SRW(x)T′;
we need to show that TART′. Recall that, because X is an
abstract execution, then the relation AR is total: either T=T′, T′ART,
or TART′. It is not possible that T=T′, because otherwise we would have
SRW(x)T and TVISS
(equivalently, ¬(SVIS−1T)),
contradicting the inequality (c.3).
It cannot be that
T′ART either: in the picture
to the right, we have given a
graphical
representation of this scenario, where dashed edges
represent the consequences of having T′ART.
In this case, T∈Writesx by hypothesis; because SRW(x)T′,
we also have that T′∈Writesx; because T,T′∈Writesx, and
T′ART, the definition of graph(X) implies that
it has to be T′WW(x)T.
Since SRW(x)T′,
then S′WR(x)S, and S′WW(x)T′ for some S′;
because WW(x) is transitive, then
S′WW(x)T. We have proved that S′WR(x)S,
and S′WW(x)T. By definition, it follows that SRW(x)T:
together with the hypothesis TVISS, we get a contradiction
because the inequality (c.3) is violated. We have proved that it
cannot be T=T′, nor T′ART. Therefore TART′,
as we wanted to prove.
∎
Proposition C.5**.**
X* satisfies inequalities (c.8) and (c.9).*
Proof.
We only prove the inequality (c.8), as
the inequality (c.9) can be proved in a similar manner.
Suppose that TVISVVIS−1S.
We prove that ¬(SVIST), or
equivalently (TVIS−1S), by contradiction.
Let then SVIST. Because X respects causality,
SVISTVISV implies that SVISV.
But VVIS−1S by hypothesis,
which causes the contradiction. A graphical representation of the
proof is given to the right; here dashed edges are implied by the assumption that
SVIST. ∎
Proposition C.6**.**
X* satisfies all the inequalities of Figure 3(c).*
Proof. We have proved that X satisfies the inequalities (c.1), (c.2)
and (c.7) in Proposition C.4. The Proof of the inequality (c.3) was given
at Page 3. The inequalities (c.5), (c.6),
and (c.12) are trivial consequences of the definition of abstract execution. The inequalities
(c.4) is satisfied because we are assuming that X respects causality.
The inequality (c.11) is a trivial
consequence of the fact that, for any relation R⊆T×T,
R−1={(T,S)∣(S,T)∈/R}; then
[TABLE]
The inequality (c.10) can be proved similarly.
Finally, the inequalities (c.8) and (c.9) are satisfied,
as we have proved in Proposition C.5. ∎
Proposition C.7**.**
If X satisfies the consistency guarantee (ρ,π),
then it also satisfies the inequalities (d.3) and (d.4).
Proof.
We only prove the inequality (d.3). The proof for the inequaiton
(d.4) is similar.
Let T,T′,S′,S∈T be such that TART′, T′π(VIS)S′,
S′VIS−1S, and Sρ(T×T)T.
We need to prove that TVIS−1S, or equivalently that ¬(SVIST).
The proof goes by contradiction: suppose that SVIST.
Then we
have that Sρ(T×T)∩VIST, and by
Proposition C.1 it follows that Sρ(VIS)T.
We have Sρ(VIS)TART′π(VIS)S′.
Because X∈Executions({ρ,π}), then SVISS′
by Inequality (d.1). But S′VIS−1S by hypothesis, hence
the contradiction. A graphical representation of the proof is given to the right: here dashed
edges are implied by the assumption that SVIST.
∎
Proposition C.8**.**
If X satisfies the consistency guarantee (ρ,π), then it satisfies
all the inequalities of Figure 3(d), relatively to said
consistency guarantee.
Proof.
Because X satisfies the consistency guarantee (ρ,π) by hypothesis,
then it satisfies the inequality (d.1). It also satisfies the inequality (d.2),
as we showed in §4. Finally, it satisfies inequalities (d.3) and
(d.4) by Proposition C.7.
∎
C.2. Additional Algebraic Laws
Here we prove some additional algebraic laws that can
be proved from the laws of Figure 3,
and from the axioms of the Kleene Algebra and boolean algebra of set relations.
In the following, we assume that X=(T,VIS,AR) is an abstract
execution, and graph(X)=(T,WR,WW,RW).
Given two relations R1,R2⊆T×T, we recall
that we use the notation R1⊆(eq)R2 (R1=(eq)R2) to denote
the fact that R1⊆R2 (R1=R2) follows from the (in)equality (eq).
Sometimes we omit the complete sequence of steps needed to derive an inequality, when these
can be easily inferred. For example, we write WR⊆(c.1)VIS, instead
of the whole sequence of inclusions needed to prove such an inequality, namely
[TABLE]
Proposition C.9**.**
For all relations R1,R2⊆T×T,
[TABLE]
Proof.
Suppose (R1;R2)∩Id⊆∅.
For any T∈T, there exists no S∈T such that
(T,S)∈R1 and (S,T)∈R2. In particular,
there exists no S∈T such that (S,T)∈R2,(T,S)∈R1,
for all T∈T: equivalently, (S,S)∈/(R2;R1) for all S∈T.
That is, (R2;R1)∩Id⊆∅.
∎
Proposition C.10**.**
For any set T′⊆T,
[TABLE]
Proof.[T′]=[T′∩T′]=(a.2)[T′];[T′].
∎
Proposition C.11**.**
For any relation R⊆T×T,
[TABLE]
Proof.
Suppose R∩Id=∅. Then
[TABLE]
Now, suppose that R⊆R∖Id. Then
[TABLE]
Most of the time we will omit applications of the implications given by equation (7).
For example, we write AR⊆(c.12)AR∖Id
instead of
[TABLE]
Other examples of inequalities that we can prove using equation (7)
are given below:
[TABLE]
Proposition C.12**.**
Let Σ be a x-specification such that (ρx,ρx)∈Σ,
for some object x∈Obj. If X∈Executions(Σ), then
[TABLE]
Proof.
Recall that ρx(_)=[Writesx].
Because (ρx,ρx)∈Σ, then
[TABLE]
∎
Corollary C.13**.**
Let Σ be a consistency model such that (ρx,ρx)∈Σ
for all x∈Obj. If X∈Executions(Σ), then
[TABLE]
Proof.
If X∈Executions(Σ), then
[TABLE]
Corollary C.14**.**
Let Σ be a consistency model such that (ρx,ρx)∈Σ
for any x∈Obj. If X∈Executions(Σ), then
[TABLE]
Proof.
If X∈Executions(Σ), then
[TABLE]
Some proofs of the robustness criteria we present require the following theorem from
Kleene Algebra:
Proof.
Recall that (R1;R2)+=⋃n>0(R1;R2)n, and
(R2;R1)∗=⋃n≥0(R2;R1)n. We
prove, by induction on n, that for all n>0, (R1;R2)n=(R1;(R2;R1)n−1;R2). Then we have
[TABLE]
**Case n=1:: **
[TABLE]
**Case n>1:: **
suppose that
[TABLE]
Then
[TABLE]
C.3. Robustness Criteria of x-Specifications
In this Section we show several applications of the algebraic laws for
inferring robustness criteria for several x-specification.
We start by giving alternative proofs of previously known results
(theorems C.16 and C.17). Then
we present and prove novel robustness criteria for other x-specifications
(theorems C.19 and C.20).
For all X∈Executions(ΣPSI), it is not possible that all anti-dependencies in a cycle of graph(X) are over the same object666This
implies that all cycles have at least two anti-dependencies.:
(WRX∪WWX)∗;RW(x) is acyclic for all x∈Obj.
Proof.
Recall that ΣPSI={(ρx,ρx)}x∈Obj, where ρx(_)=[Writesx].
Then
[TABLE]
Definition C.18**.**
Let X∈ΣRB, and suppose that
graph(X) contains a cycle T0R0⋯Rn−1Tn,
where T0=Tn and Ri∈{WRX,WWX,RWX} for any i=0,⋯,n−1.
We recall the following definition of protected anti-dependency edge in the cycle, and also introduce the notion of
protected WW-dependencies.
•
an anti-dependency edge Ri=RWX is protected if there exist two integers j,k=0,⋯,n−1
such that (T(i−j)modn)∋SerTx,(T((i+1)+k)modn)∋SerTx, and for all h=(i−j),⋯,(i+k+1),
Rhmodn=WRX; in other words, in the cycle the endpoints of the Ri anti-dependency edge
are connected to serialisable transactions by a sequence of WR-dependencies,
•
a WW-dependency edge Ri=WWX is protected if tere exist two integers
j,k=0,⋯,n−1 such that (T(i−j)modn)∋SerTx,(T((i+1)+k)modn)∋SerTx, and for all h=(i−j),⋯,(i+k+1),
Rhmodn∈{WRX,WWX}; in other words, in the cycle the endpoints of the Ri dependency edge
are connected to serialisable transactions by a sequence of both WR-dependencies and WW-dependencies.
Theorem C.19**.**
Let X∈Executions(ΣRB). Then any cycle in graph(X) contains
at least one unprotected anti-dependency edge, and another edge that is either an unprotected
anti-dependency, or an unprotected WW-dependency.
Formally, given a relation R⊆TX×TX,
let ⊩R\dashV=[SerTx];WRX∗;R;WRX∗;[SerTx]. then
[TABLE]
Proof.
Recall that ΣRB={(ρS,ρS)}, where ρS(_)=[SerTx].
In the proof of Theorem 4.2 we proved the following fact:
So far, none of the robustness criteria that we have derived has
exploited the inequalities (d.3) and (d.4) from
Figure 3. Here we give another example of x-specification,
for which we can derive a robustness criterion which makes use of the
inequalities (d.3) and (d.4).
Such a x-specification is given by ΣCP={(ρId,ρSI),(ρS,ρS)}. The set of executions Executions(ΣCP) coincides with the
definition of the Consistent Prefix consistency model given in [8].
The x-specification ΣCP can be thought as a weakening of
ΣSI+SER which does not have any write conflict detection.
Theorem C.20**.**
Let X=(T,VIS,AR)∈Executions(ΣCP).
We say that a path T0R0⋯Rn−1Tn of graph(X),
is critical if T0=Tn, both T0,Tn∋SerTx, only one of the edges
Ri,0≤i<n is an anti-dependency, and none of the edges
Rj,0≤j<i is a WW-edge (note that if j>i, we allow Rj=WWX).
Then all cycles of graph(X) have at least one anti-dependency
edge
that is not contained within a critical sub-path of the cycle.
Formally, let CSubX=([SerTx];WR∗;RW;(WW∪WR)∗;[SerTx])∖Id,
where graph(X)=(T,WR,WW,RW).
Then (WR∪WW∪CSubX)
is acyclic.
Proof.
By Definition, ΣCP={(ρS,ρS),(ρId,ρSI)},
where ρS(_)=[SerTx], ρId(_)=Id and
ρSI(R)=R∖Id. This implies that ρSI(T×T)−1=((T×T)∖Id)−1=(T×T)∖Id, and
for any relation R⊆T×T,
[TABLE]
For X∈Executions(ΣCP), we have:
[TABLE]
[TABLE]
Appendix D Proofs of Results for Simple x-Specifications
Let X⊆Obj and suppose that (ρ,π) is a consistency guarantee.
Throughout this section we will work with the (simple) x-specification
Σ={(ρx,ρx)}x∈X∪{(ρ,π)},
although all the results apply to the x-specification Σ′={(ρx,ρx)}x∈X
which does not contain any consistency guarantee, aside from those enforcing the write conflict detection
property over the objects included in X.
Recall the following definition of valid pre-execution:
Definition D.1**.**
a pre-execution is a quadruple P=(T,VIS,AR) such that
(1)
VIS⊆AR,
2. (2)
VIS* and AR are strict partial orders,*
3. (3)
for any object x∈Obj, AR is total over the set Writesx,
4. (4)
P* satisfies the Last Write Wins property: for any T∈T, if
T∋(readx:n) then S:=maxAR(VIS−1(T)∩Writesx)
is well defined, and S∋writex:n.*
The proof of Proposition 5.4 relies
on the following auxiliary result:
Proposition D.2**.**
Let (XV=VIS,XA=AR,XN=AntiVIS) be a solution of SystemΣ(G).
If AR∩Id is acyclic, then P=(T,VIS,AR) is a valid pre-execution.
Proof.
Because (XV=VIS,XA=AR,XN=AntiVIS) is a solution of SystemΣ(G),
all the inequalities in the latter are satisfied when substituting the relations VIS,AR,AntiVIS
for the unknowns
XV,XA,XN, respectively.
We prove that all the properties (1)-(4) from Definition D.1 is satisfied
by P=(T,VIS,AR).
(1)
VIS⊆AR: this follows directly from the inequality (A2),
2. (2)
VIS,AR are strict partial orders (i.e. they are irreflexive and transitive): the relation AR is irreflexive by hypothesis,
and transitive because of the inequality (A4). The relation VIS is irreflexive
because of the inequality (A2) and the assumption that AR∩Id⊆∅;
VIS is also transitive because of the inequality (V2),
3. (3)
AR is a strict total order order
over the set Writesx, for any x∈Obj: we prove that
AR∩(Writesx×Writesx)=WW(x); then the claim
follows because WW(x) is a strict total order over Writesx
by definition. Let then x∈Obj. For all T,T′∈T such
that TWW(x)T′, we have that T∈Writesx,T′∈Writesx,
and TART′ because of the inequality (A1). This proves
that WW(x)⊆AR∩(Writesx×Writesx).
For the opposite implication, let T,T′∈T be transactions such that
T∈Writesx,T′∈Writesx and TART′.
Because WW(x) is a strict total order over Writesx by hypothesis,
then either T=T′,T′WW(x)T, or TWW(x)T′.
Because TART′ and because AR∩Id⊆∅ by
hypothesis, then T=T′. Also, it cannot be T′WW(x)T. By the inequality
(A1) this would imply that T′ART, and because of the assumption TART′
and the inequality (A4), this would mean that T′ART′, contradicting the assumption
that AR∩Id⊆∅,
4. (4)
P satisfies the Last Write Wins property:
let T∈T be a transaction such that T∋(readx:n). By Definition 3.1 there exists
a transaction S such that S∋writex:n and SWR(x)T. By Equation (V1),
we have that WR⊆VIS, hence
SVIST. Because SVIST and S∋(writex:n), we have that
S∈(VIS−1(T)∩Writesx), and in particular
(VIS−1(T)∩Writesx)=∅.
Because (VIS−1(T)∩Writesx)=∅, and
because by (3) above we have that AR∩(Writesx×Writesx)=WW(x),
then the entity S′=maxAR(VIS−1(T)∩Writesx) is well-defined.
It remains to prove that S′∋(writex:n). To this end, we show that
that S=S′ (recall that S is the unique transaction such that SWR(x)T),
and observe that S∋(writex:n), from which the claim follows.
Because S,S′∈Writesx and WW(x) coincides with the restriction of
AR to the set Writesx, we obtain that either S′ARS, SARS′ or S=S′.
The first case is not possible, because S∈VIS−1(T)∩Writesx, and S′=maxAR(VIS−1(T)∩Writesx).
The second case is also not possible:
if SARS′ then SWW(x)S′; together with SWR(x)T this implies
that there is an anti-dependency edge TRW(x)S′; now we have that S′∈Writesx,
and S′VISTRW(x)S′: that is, (S′,S′)∈[Writesx];VIS;WR(x).
By the inequation (A3), this implies that S′ARS′,
contradicting the assumption that AR∩Id⊆∅. We are left with the only possibility
S=S′, which is exactly what we wanted to prove.
∎
Proof of Proposition 5.4.
Let P:=(T,VIS,AR). By Proposition D.2 we know
that P is a valid pre-execution. We need to show that
P∈PreExecutions(Σ), and graph(P) is well-defined
and equal to G=(T,WR,WW,RW). To show that P∈PreExecutions(Σ),
we need to show the following:
(1)
P satisfies the consistency guarantee (ρx,ρx) for any object x∈X:
that is, given x∈X, then [Writesx];AR;[Writesx]⊆VIS
Let then x∈X, and consider two transactions T,S
be such that TARS, and T,S∈Writesx: we show that
TVISS. Because AR∩Id⊆∅, then
T=S. Also, it cannot be SWW(x)T: by inequation (A1)
this would imply that SART; by inequation (A4)
and the assumption that TARS, this
would lead to SARS, contradicting the assumption that AR∩Id=∅. We have proved that T,S∈Writesx, T=S and ¬(SWW(x)T):
since WW(x) is a total order over the set Writesx, it must be TWW(x)S. It
follows from the inequation (V3) that TVISS,
2. (2)
ρ(VIS);AR;π(VIS)⊆VIS; this
inequality is directly enforced by the inequation (V4).
Therefore, P is a valid pre-execution that
satisfies all the consistency guarantees of the x-specification
Σ={(ρWritesx,ρWritesx)}x∈X∪{(ρ,π)}.
By definition, P∈PreExecutions(Σ).
Next, we show that graph(P) is well-defined and equal to G.
To this end, let G′:=graph(P). The proof that G′ is a well-defined
dependency graph is analogous to the one given for abstract
executions in [17, extended version, Proposition 23].
It remains to prove that G′=G; to this end, it suffices to show that
for any x∈Obj, WRG(x)=WRG′(x), and WWG(x)=WWG′(x).
Let T,S be two entities such that TWRG(x)S.
By definition, S∋(readx:n), and T∋(writex:n) for some
n. Also, let T′∋(writex:n) be the entity such
that T′WRG′(x)S, which exists because S∋(readx:n)
and G′ is a well-defined dependency graph.
By definition, T′=maxAR(VIS−1(S)∩Writesx), and
in particular T′VISS.
Since T,T′∋(writex:n), we have that either T=T′, TWWG(x)T′, or T′WWG(x)T. We prove that the first case is the only possible one:
•
if TWWG(x)T′,
then by definition, the edges
TWRG(x)S and TWWG(x)T′ induce
the anti-dependency SRWG(x)T′. However,
now we have that T′∋(writex:_), T′VISS
and SRWG(x)T′: by the inequation (A3),
it follows that T′ART′, contradicting the assumption
that AR∩Id⊆∅,
•
if T′WWG(x)T, then note that by the inequation (A1)
it has to be T′ART; also, because of the dependency
TWRG(x)S and the inequality (V1), it has to be
TVISS; but this contradicts the assumption that
T′=maxAR(VIS−1(S)∩Writesx).
We are left with the case T=T′, from which TWRG′(x)S follows.
Next, suppose that T′WRG′(x)S. Then S∋readx:n for some n,
and because G is a dependency graph, there exists an entity T such
that TWRG(x)S. We can proceed as in the previous case
to show that T=T′, hence T′WRG(x)T.
Finally, we need to show that WWG′(x)=WWG(x). First, note
that if TWWG(x)S, then T,S∈Writesx.
By the inequation (A1) we obtain that TARS,
so that TWWG′(x)S by definition of graph(P).
If TWWG′(x)S, then it has to be the case that TARS,
T,S∈Writesx. Since WWG(x) is total over Writesx, then either
T=S,SWWG(x)T or TWWG(x)S. However,
the first case is not possible because it would imply TART, contradicting
the assumption that AR∩Id⊆∅.
The second case is not possible either, because by the inequality (A1)
we would get that SARTARS, and by
the inequality (A4) SARS, again contradicting
the assumption that AR∩Id⊆∅. We are left with
TWWG(x)S,
as we wanted to prove.
The fact that RWG=RWG′ follows from the observation that,
for any object x∈Obj, RWG(x)=WRG−1(x);WWG(x)=WRG′−1(x);WWG′(x)=RWG′(x).
∎
In the following, we let G=(T,WR,WW,RW), and
we assume that (XV=VIS,XA=AR,XN=AntiVIS)
is a solution of SystemΣ(G) such that AR∩Id=∅.
Also, we assume that there exist two transactions T,S such that
T=S, ¬(TARS), and ¬(SART).
The proof of Proposition 5.5 is a direct consequence
of the following result, which we will prove in this section:
Proposition D.3**.**
*Define the following relations:
*
•
∂A={(T,S)},
•
ΔA=AR?;∂A;AR?,
•
ARν=AR∪ΔAR,
•
∂V=ρ(VIS);ΔA;π(VIS),
•
ΔV=VIS?;∂V;VIS?,
•
VISν=VIS∪ΔV,
•
AntiVISν=VISν?;RW;VISν?.
Then (XV=VISν,XA=ARν,XN=AntiVISν)
is a solution to SystemΣ(G). Furthermore, it is the smallest solution
for which the relation corresponding to the unknown XA
contains the relation (AR∪∂A).
Before proving Proposition D.3, we need to
prove several technical lemmas.
Lemma D.4** (∂-Cut).**
For any relations
R,P,Q⊆T×T we have that
(R;∂A;Q;∂A;P)⊆(R;∂A;P), and
(R;∂V;Q;∂V;P)⊆(R;∂V;P).
Proof.
Recall that ∂A={(T,S)}, where T,S are not related by AR.
That is, whenever T′′∂AS′′, for some T′′,S′′∈T,
then T′′=T,S′′=S.
It follows that (T′,S′)∈(R;∂A;Q;∂A;P) if and only if
T′RT∂ASQT∂ASPS′. As a consequence,
T′RT∂ASPS′,
as we wanted to prove.
Next, recall that ∂V=ρ(VIS);ΔA;π(VIS),
where ΔA=AR?;∂A;AR?. That is,
∂V=ρ(VIS);AR?;∂A;AR?;π(VIS).
If we apply the statement above to the relations R′:=(R;ρ(VIS);AR?),
Q′:=(AR?;π(VIS);Q;ρ(VIS);AR?),
P′:=(AR?;π(VIS);P), we obtain that
[TABLE]
Corollary D.5**.**
*The relations ARν and VISν are transitive.
*
Proof.
We only show the result for ARν.
The statement relative to VISν can be proved
analogously.
It suffices to show that ARν;ARν=(AR∪ΔA);(AR∪ΔA)⊆(AR∪ΔAR). By distributivity of
; with respect to ∪, this reduces to prove the following
four inclusions:
•
(AR;AR)⊆(AR∪ΔAR). Recall
that (XV=VIS,XA=AR,XN=AntiVIS) is a solution of
SystemΣ(G), hence by the inequation (A4) AR;AR⊆AR.
It follows immediately that AR;AR⊆AR∪ΔAR.
•
(AR;ΔA)⊆(AR∪ΔA):
recall that ΔA=AR?;∂A;AR?.
Because of the inequation (A4), we have that AR;AR?⊆AR?,
Therefore
[TABLE]
•
ΔA;AR⊆(AR∪ΔA):
This case is symmetric to the previous one.
•
(ΔA;ΔA)⊆(AR∪ΔA):
[TABLE]
where the inequation above has been obtained by applying a ∂-cut (Lemma D.4). ∎
Lemma D.6** (Δ-extraction (ρ case)).**
[TABLE]
We refer to the first inequality as right Δ-extraction,
and to the second inequality as left Δ-extraction.
Lemma D.7** (Δ-extraction (π case)).**
[TABLE]
Proof.
We only show how to prove the first inequation of Lemma D.6.
The proof of the second inequation of Lemma D.6,
and the proof of Lemma D.7, are similar.
Recall that VISν=VIS∪ΔV.
By Proposition C.1(iii), we have that
[TABLE]
by unfolding the definition of specification function to the RHS, and by applying the distributivity of ∩ over ∪, we get
[TABLE]
Note that for any relation R1,R2, R1?∪R2?=R1?∪R2, hence we can elide
the reflexive closure in the term (ΔV)? of the equality above
[TABLE]
By applying the distributivity of ∩ over ∪, and then by applying the definition of specification
function, we get
[TABLE]
Because (XV=VIS,XA=AR,XN=AntiVIS) is a solution of SystemΣ(G), by Equation (A2)
we obtain that VIS?⊆AR?. Also, by Proposition C.1(i)
we have that π(VIS)⊆VIS?⊆AR?. Finally, the inequation (A4)states that AR;AR⊆AR, from which AR?;AR?⊆AR? follows.
By putting all these together, we get
[TABLE]
as we wanted to prove.
∎
Lemma D.8**.**
[TABLE]
Proof.
Recall that ∂V=ρ(VIS);ΔA;π(VIS).
We prove the first inequality as follows:
[TABLE]
where we have used the fact that ρ(VIS)=ρ(T×T)∩VIS?⊆VIS?⊆AR?, because of the definition of specification function
and because of Inequation (A2).
∎
The next step needed to prove Proposition D.3
is that of verifying that by substituting ARν for XA,
VISν for XV, and AntiVISν for XN,
each of the inequations in SystemΣ(G) is satisfied.
The next propositions show that this is
indeed the case.
Proposition D.9**.**
[TABLE]
Proof.
Recall that VISν=VIS∪ΔV,
ARν=AR∪ΔA. To prove that
VISν⊆ARν, it suffices to show
that VIS⊆(AR∪ΔA), and
ΔV⊆(AR∪ΔA).
The inequation VIS⊆AR∪ΔA follows immediately the fact that
(XV=VIS,XA=AR,XN=AntiVIS) is
a solution of SystemΣ(G), and from the inequation
(A2) - VIS⊆AR.
It remains to prove that ΔV⊆AR∪ΔA.
In fact, we prove a stronger result, namely ΔV⊆ΔA. This is done as follows:
[TABLE]
Proposition D.10**.**
[TABLE]
Proof.
First, we perform a right Δ-extraction (Lemma D.6) of
ρ(VISν),
and a left Δ-extraction (Lemma D.7) of
π(VISν). This gives us the following inequation:
[TABLE]
and we rewrite the RHS of the above by applying the distributivity of ∪ over ;.
[TABLE]
We show that each of the components of the union of the RHS of the inequation above is
included in VISν, from which we get the desired result ρ(VIS);ARν;π(VIS)⊆VISν.
•
ρ(VIS);ARν;π(VIS)⊆VISν.
Recall that ARν=AR∪ΔA,
from which we get that
[TABLE]
We prove that each of the components of the union in the RHS above are included in VISν.
First, observe that
[TABLE]
because of Inequation (V4). Also, we have that
[TABLE]
and in this case there is nothing left to prove.
•
ρ(VIS);ARν;(ΔA;π(VIS);VIS?)⊆VISν.
Again, by unfolding the definition of ARν and by applying the distributivity of ∪ over
;, we obtain that
[TABLE]
We prove that each of the components of the union in the RHS above is included in VISν.
[TABLE]
•
VIS?;ρ(VIS);ΔA;ARν;π(VIS)⊆VISν.
As for the two cases above, we unfold ARν and distribute the resulting union over ;:
this leads to
[TABLE]
Then we prove that each of the two terms in the union on the RHS above is included
in VISν:
[TABLE]
•
VIS?;ρ(VIS);ΔA;ARν;ΔA;π(VIS);VIS?
in this case we have the following:
[TABLE]
Proposition D.11**.**
[TABLE]
Proof.
Recall that AntiVISν=VISν?;RW;VISν?.
Thus, we need to prove that
[TABLE]
We start by performing a Δ-extraction both for the specification functions π and ρ:
[TABLE]
We prove that each of the four terms of the union above is included in ARν. To this end,
it suffices to prove the following:
[TABLE]
In fact, if the inequation (30) is satisfied, we obtain that
•
(π(VIS);VISν;RW;VISν?;ρ(VIS))∖Id⊆ARν:
[TABLE]
•
(ΔA;π(VIS);VIS?;VISν?;RW;VISν?;ρ(VIS))∖Id⊆ARν:
[TABLE]
•
(π(VIS);VISν?;RW;VISν?;VIS?;ρ(VIS);ΔA)∖Id⊆ARν:
[TABLE]
•
(ΔA;π(VIS);VIS?;VISν?;RW;VISν?;VIS?;ρ(VIS);ΔA)∖Id⊆ARν: here it suffices to apply a ∂-cut (Lemma D.4) to obtain the result:
We prove that each of the terms in the union above is included in ARν?.
•
[TABLE]
[TABLE]
•
π(VIS);ΔV;RW;VIS?;ρ(VIS)⊆ARν?:
[TABLE]
•
π(VIS);VIS?;RW;ΔV;ρ(VIS)⊆ARν?:
[TABLE]
•
π(VIS);ΔV;RW;ΔV;ρ(VIS)⊆ARν?:
[TABLE]
Proposition D.12**.**
[TABLE]
Proof.
Let T′,U,S′ be such that T′∈Writesx, T′VISνURW(x)S′
for some object x∈Obj. We need to show that T′ARνS′.
By definition, VISν=VIS∪ΔV. Thus,
T′VISU or T′ΔVU.
If T′VISU, then
T′VISURW(x)S′ and T′∈Writesx. By the inequation (A3)
we have that T′ARS′, which implies the desired
T′ARνS′.
Suppose then that T′ΔVU.
By unfolding the definition of ΔV, we have that
[TABLE]
Recall that by definition of ∂A, the transactions T and S are not related by AR.
Note that, since URW(x)S′, then U∈Readsx,S′∈Writesx.
Recall that WW(x) is a total order over Writesx. Therefore, we have
three possible cases: T′WW(x)S′, T′=S′ or T′WW(x)S′. These
cases are analysed separately.
•
T′WW(x)S′: by the inequality (A1)we have that T′ARS′. Thus, T′ARνS′.
•
T′=S′: this case is not possible. We first prove
that U′=T′′. Suppose U′=T′′. Then SAR?U′=T′′AR?T, that is SAR?T.
But by hypothesis, T and S are not related by AR,
hence we get a contradiction.
Let then U′=T′′. Since we have
[TABLE]
we have that U′ART′′ by the inequality (A5).
Thus, SAR?U′ART′′AR?T,
or equivalently SART. Again, this contradict the
assumption that S and T are not related by AR.
•
S′WW(x)T′: this case is also not possible.
Recall that URW(x)S′;
that is, there exists an entity U′′ such that U′′WR(x)U,
U′′WW(x)S′. By the transitivity of WW(x), we have
that U′′WW(x)T′. Thus, URW(x)T′.
We can proceed as in the case above to show that this implies
SART, contradicting the assumption that
T and S are not related by AR. ∎
Finally, we prove the following:
Proposition D.13**.**
The triple (XV=VISν,XA=ARν,XN=AntiVISν)
is included in the least
solution to SystemΣ(G) for which the relation corresponding to the unknown XA includes
the relation AR∪∂A.
Proof..
Let (XV=VIS′,XA=AR′,XN=AntiVIS′) be a solution
to SystemΣ(G) such that (AR∪∂A)⊆AR′.
We need to show that ARν⊆AR′, VISν⊆VIS′,
and AntiVisν⊆AntiVIS′.
•
ARν⊆AR′:
note that we have that
[TABLE]
from which it follows that ARν=AR∪ΔAR⊆(AR′∪AR′)=AR′.
•
VISν⊆VIS′:
Observe that for any solution (XV=VIS′′,XA=AR′′,XN=AntiVIS′′) of
SystemΣ(G), the relation VIS′ is determined uniquely by AR′′:
specifically, VIS′′=μV.F(V,AR′′), where
[TABLE]
the functional F is monotone in its second argument, which means
that the inequation ARν⊆AR′ also implies that
VISν⊆VIS′.
•
AntiVISν⊆VIS′.
Observe that, for any solution (XV=VIS′′,XA=AR′′,XN=AntiVIS′′),
the relation AntiVIS′′ is determined uniquely by VIS′′. Specifically,
we have that AntiVIS′′=F(VIS′′), where
F(VIS′′)=VIS′′?;RW;VIS′′?.
The functional F is monotone, from which it follows that the inequation
VISν⊆VIS′, proved above, implies that AntiVisν⊆AntiVIS′.
∎
Proof of Proposition D.3.
We need to show that (XV=VISν,XA=ARν,XN=AntiVISν)
is a solution of SystemG(Σ). By Proposition D.13,
it follows that it is the smallest solution for which the relation corresponding to the unknown
XA includes AR∪∂A.
Obviously we have that WR⊆VIS⊆VISν,
and
⋃{WW(x)∣(ρx,ρx)∈Σ}⊆VIS⊆VISν: the inequations (V1)and (V3)are satisfied.
The validity of inequation (V2) follows from Corollary D.5.
The inequation
(V4) is also satisfied, as we have proved in Proposition D.10.
The inequality (A1)is satisfied because WW⊆AR⊆ARν,
and the inequation (A2) has been proved in Proposition D.9.
The validity of the inequation (A4) also follows from Corollary D.5.
The inequation (A5) and (A3) are satisfied,
as we have proved in propositions D.11 and D.12.
Finally, the inequation (N1) is satisfied because RW⊆VISν?;RW;VISν?=AntiVISν; the inequation (N2) is satisfied because
VISν;AntiVISν=VISν;VISν?;RW;VISν?⊆VISν?;RW;VISν?=AntiVISν (recall that VISν is
transitive by Corollary D.5), and similarly we can prove that the inequation (N3) is also satisfied.
∎
Recall that ΣSER={(ρS,ρS)}, where ρS(R)=Id.
The instantiation of inequations (V4) and (A5), in SystemΣSER(G)
gives rise to the inequations XA⊆XV and XN∖Id⊆XA.
Let VIS=AR=AntiVIS=(WR∪WW∪RW)+.
We prove that (XV=VIS,XA=AR,XN=AntiVIS)
is a solution to SystemΣSER(G): to this end,
we show that by substituting each of the unknowns for the relation (WR∪WW∪RW)+ in SystemΣSER(G),
then each of the inequations of such a system is satisfied.
Clearly WR⊆VIS, hence equation (V1) is satisfied.
Because there is no consistency guarantee of the form (ρx,ρx)∈ΣSER,
the inequation (V3) is trivially satisfied.
Inequation (V2) is also satisfied.
VIS;VIS=(WR∪WW∪RW)+;(WR∪WW∪RW)+=(WR∪WW∪RW)+=VIS. Inequation (V4) requires that
AR⊆VIS: this is also satisfied, as AR=(WR∪WW∪RW)+=VIS.
Inequation (A1) is trivially satisfied: WW⊆(WR∪WW∪RW)+=AR.
Inequation (A2) is also satisfied: VIS=(SO∪WR∪RW)+=AR, hence
VIS⊆AR.
Inequation (A5) is satisfied as well: AntiVIS∖Id=(WR∪WW∪RW)+∖Id⊆(WR∪WW∪RW)+=AR.
Inequation (A3) is also satisfied: ⋃x∈Obj[Writesx];VIS;RW(x)⊆VIS;RW=(WR∪WW∪RW)+;RW⊆(WR∪WW∪RW)+=AR.
Inequation (N1) is obviously satisfied, as RW⊆(WR∪WW∪RW)+=AntiVIS.
For inequation (N2) , note that VIS;AntiVIS=(WR∪WW∪RW)+;(WR∪WW∪RW)+⊆(WR∪WW∪RW)+=AntiVIS, and it can be
shown that Inequation (N3) is satisfied in a similar way.
The proof that the solution (XV=VIS,XA=AR,XN=AntiVIS) is the
smallest solution of SystemΣSER(G) can be obtained as in the proof
of Theorem 4.1.
∎
Recall that ΣSI={(ρx,ρx)}x∈Obj∪{(ρId,ρSI)},
where ρx(R)=[Writesx], ρSI(R)=R∖Id.
By instantiating inequation (V3) to ΣSI we obtain WW⊆XV,
while by instantiating inequations (V4) and (A5) to the consistency guarantee (ρId,ρSI),
we obtain XA;(XV∖Id)⊆XV, and
((XV∖Id);XN)∖Id⊆XA.
Let AR=((WR∪WW);RW?)+, VIS=AR?;(WR∪WW),
AntiVIS=VIS?;RW;VIS?. Then (XV=VIS,XA=AR,XN=AntiVIS) is a solution of SystemΣSI(G).
We can prove that it is the smallest such solution in the same way as in Theorem
C.16.
We need to show that, by substituting VIS,AR,AntiVIS for XV,XA,XN
respectively, in
SystemΣSI(G), all the inequations are satisfied. Here
we give the details only for the most important of them. A full proof of this statement
can be found in [17].
•
AR;(VIS∖Id)⊆VIS:
[TABLE]
•
((VIS∖Id);AntiVIS)∖Id⊆AR:
[TABLE]
where we have used the fact that AR;VIS⊆VIS, which we have proved previously.∎
Let VIS=(WR∪WW)+, AR=VIS∪⋃x∈Obj([Writesx];VIS?;RW(x))+,
AntiVIS=VIS?;RW;VIS?. If AR is irreflexive, then
(XV=VIS,XA=AR,XN=AntiVIS) is a solution of SystemΣPSI(G).
Furthermore, it is the smallest such solution.
Proof.
Recall that ΣPSI={(ρx,ρx)}x∈Obj.
Therefore, the system of inequations
SystemΣPSI(G)
does not contain inequations (V4) and (A5), and inequation (V3)
is instantiated to WW⊆VIS.
We prove that, under the assumption that AR is irreflexive,
the triple (XV=VIS,XA=AR,XN=AntiVIS) is
a solution of SystemΣPSI(G) by
showing that, by substituting VIS,AR and AntiVIS for
XV,XA and XN in SystemΣPSI(G), respectively,
all the inequations are satisfied.
The fact that the triple (XV=VIS,XA=AR,XN=AntiVIS)
is the smallest solution of SystemΣPSI(G)
can be proved in the same way as in the proof of Theorem C.17.
First, we observe that if AR is irreflexive, then
for any x∈Obj, [Writesx];VIS?;RW(x)⊆WW(x).
To see why this is true, recall that WW(x) is a strict, total order over Writesx.
Suppose that T∋writex:_, TVIS?S′RW(x)S.
Note that, since [Writesx];VIS?;RW(x)⊆AR,
and we are assuming that the latter is irreflexive, it cannot be T=S.
By definition of RW(x), S∋writex:_. Therefore, either TWW(x)S,
or SWW(x)T. However, if it were SWW(x)T, we would
have S∋Writesx, SWW(x)TVIS?S′RW(x)S:
because VIS=(WR∪WW)+, WW(x);VIS?⊆VIS?, hence
SVIS?S′RW(x)S, and because S∋writex:_, it would
follow that SARS, contradicting the hypothesis that AR is irreflexive.
Therefore, it must be TWW(x)S.
We have proved that, if AR is irreflexive, then for any x∈Obj, [Writesx];VIS?;RW(x)⊆WW. An immediate consequence of this fact
is the following:
[TABLE]
Next, we prove that each of the inequations in SystemΣPSI are
satisfied when VIS,AR,AntiVIS are substituted for XV,XA,XN,
respectively.
**Inequation (V1):: **
WR⊆VIS. This is true, because WR⊆(WR∪WW)+=VIS,
**Inequation (V2):: **
VIS;VIS⊆VIS. This is trivially satisfied: VIS;VIS=(WR∪WW)+;(WR∪WW)+⊆(WR∪WW)+=VIS,
**Inequation (V3):: **
WW⊆VIS. This can be proved as above: WW⊆(WR∪WW)+⊆VIS,
**Inequation (A1):: **
WW⊆AR. We have already proved that WW⊆VIS, hence it suffices to show
that VIS⊆AR; this is done below,
**Inequation (A2):: **
VIS⊆AR. We have that
[TABLE]
**Inequation (A3):: **
⋃x∈Obj[Writesx];VIS;RW(x)⊆AR. This inequation is
trivially satisfied by the definition of AR:
[TABLE]
**Inequation (A4):: **
AR;AR⊆AR. We have that
[TABLE]
**Inequation (N1):: **
RW⊆AntiVIS. We have that
RW⊆VIS?;RW;VIS?=AntiVIS,
**Inequation (N2):: **
VIS?;RW⊆AntiVIS: we have
that VIS?;RW⊆VIS?;RW;VIS?=AntiVIS.
Inequation (N3) can be proved similarly.
∎
Proof of Theorem 3.5(3).
Let ΔPSI={δPSI0}∪{δPSI(x)}x∈Obj.
Recall that
[TABLE]
We need to show that modelOf(ΣPSI)=modelOf(ΔPSI):
for any execution X∈Executions(ΣPSI), graph(X)∈Graphs(ΔPSI),
and for any G∈Graphs(ΔPSI), there exists an execution X∈Executions(ΣPSI)
such that graph(X)=G.
We prove this result in several step. First, define
[TABLE]
We prove that modelOf(ΣPSI)=modelOf({δPSI′}).
By Theorem C.17 we have that, for any X∈Executions(PSI), the relation
δPSI′(G) is irreflexive, hence modelOf(ΣPSI)⊆modelOf({δPSI′}).
Let then G∈modelOf(δPSI′), that is the relation δPSI′(G) is irreflexive. By Proposition D.14
we have that (XV=_,XA=δPSI′(G),XN=_) is a solution to SystemPSI(G), and by
Theorem 5.2 it follows that there exists a relation X∈Executions(ΣPSI) such
that graph(X)=G. That is, modelOf({δPSI′})⊆modelOf(ΣPSI).
Next, for any object x∈Obj, define δPSI(x)′(G)=([Writesx];(WRG∪WWG)∗;RWG(x))+.
It is immediate to observe that modelOf({δPSI′})=modelOf({δPSI0}∪{δPSI(x)′∣x∈Obj}).
In fact, for any G∈Graphs, we have that δPSI′(G)=δPSI0(G)∪⋃x∈ObjδPSI(x)′(G),
hence δPSI′(G)∩Id=∅ if and only if
δPSI0(G)∩Id=∅, and δPSI′(x)(G)∩Id=∅.
At this point we have that modelOf(ΣPSI)=modelOf({δPSI′})=modelOf({δPSI0}∪{δPSI(x)∣x∈Obj′}).
As a last step, we show that for each dependency graph G and object x, the relation δPSI(x)′(G) is irreflexive
if and only if the relation δPSI(x)(G) is irreflexive, where we recall that δPSI(x)(G)=((WRG∪WWG)∗;RWG(x))+.
An immediate consequence of this fact is that modelOf(ΣPSI)=modelOf({δPSI0}∪{δPSI(x)∣x∈Obj})=modelOf(ΔPSI), which is exactly what we want to prove.
Note that δPSI(x)′(G)=([Writesx];(WRG∪WWG)∗;RWG(x))+⊆)(WRG∪WWG)∗;RWG(x))+=δPSI(x)(G): if
δPSI(x)(G) is irreflexive, then so if δPSI(x)′(G).
Finally, suppose that δPSI(x)′(G)∩Id⊆∅. That is,
([Writesx];(WRG∪WWG)∗;RWG(x))+∩Id⊆∅.
We apply the following Theorem from Kleene Algebra: for any relations R1,R2⊆TG×TG,
(R1;R2)+=R1;(R2;R1)∗;R2. This leads to the following:
[TABLE]
Also, by Proposition C.9, the latter can be rewritten as follows:
[TABLE]
which can be simplified into
[TABLE]
As a last step, note that RWG(x);[Writesx]⊆RWG(x), hence we have
[TABLE]
which is exactly δPSI(x)(G)∩Id⊆∅.
∎
D.4. Incompleteness for Arbitrary x-specifications of Consistency Models
One could ask whether Theorem 5.2 holds for non-simple
x-specifications Σ, where SystemΣ(G) is defined by
including inequations of the form (V4), (A5), for each consistency
guarantee (ρ,π)∈Σ. Unfortunately, this is not the case.
Consider the x-specification Σ={(ρId,ρSI),(ρS,ρS)}, and let G be the dependency graph
depicted to the right. Recall that transactions with a double border
are marked as serialisable.
We omitted from G a transaction T0
which writes the value [math]
for objects x,v, and which is seen by T1,T3.
For the dependency graph G, the least solution of
SystemΣ(G) is (XV=_,XA=AR0,XN=_),
where AR0={(T2,T3),(T4,T1)}∪{(T0,Ti)}i=14.
That is, AR0 is acyclic. However, there exists no abstract execution
X∈Executions(Σ) such that graph(X)=G. In
fact, if such X existed, then T1 and T3 should
be related by ARX. However, it cannot be T1ARXT3:
the axiom of the consistency guarantee (ρS,ρS),
[SerTx];ARX;[SerTx]⊆VISX,
would imply T1VISXT3;
together with T3RWXT4
and the co-axiom induced by (ρId,ρSI),
(VISX;VISX−1)∖Id⊆ARX,
this would mean that T1ARXT4.
But we also
have T4ARXT1, hence a contradiction.
Similarly, we can prove ¬(T3ARXT1).
Bibliography31
The reference list from the paper itself. Each links out to its DOI / PubMed record.
1[1] Microsoft SQL server documentation, SET TRANSACTION ISOLATION LEVEL. https://docs.microsoft.com/en-us/sql/t-sql/statements/set-transaction-isolation-level-transact-sql.
2[2] A. Adya. Weak consistency: A generalized theory and optimistic implementations for distributed transactions. Ph D thesis, MIT, 1999.
3[3] J. Alglave, D. Kroening, V. Nimal, and D. Poetzl. Don’t sit on the fence: A static analysis approach to automatic fence insertion. ACM Transactions on Programming Languages Systems , 39(2):6:1–6:38, 2017.
4[4] J. Alglave and L. Maranget. Stability in weak memory models. In International Confence on Computer Aided Verification (CAV) , pages 50–66, 2011.
5[5] J. Alglave, L. Maranget, and M. Tautschnig. Herding cats: Modelling, simulation, testing, and data mining for weak memory. ACM Transactions on Programming Languages Systems , 36(2):7:1–7:74, 2014.
6[6] P. Bailis, A. Fekete, A. Ghodsi, J. M. Hellerstein, and I. Stoica. Scalable atomic visibility with RAMP transactions. In 2014 ACM SIGMOD International Conference on Management of Data (SIGMOD) , pages 27–38, 2014.
7[7] H. Berenson, P. Bernstein, J. Gray, J. Melton, E. O’Neil, and P. O’Neil. A critique of ANSI SQL isolation levels. In 1995 ACM SIGMOD international conference on Management of data (SIGMOD) , pages 1–10, 1995.
8[8] G. Bernardi and A. Gotsman. Robustness against consistency models with atomic visibility. In 27th International Conference on Concurrency Theory (CONCUR) , pages 7:1–7:15, 2016.