Hamsaz: replication coordination analysis and synthesis

Houshmand, Farzin; Lesani, Mohsen

doi:10.1145/3290387

Cited by 33 publications

(30 citation statements)

References 72 publications

(54 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We remark at this point that no assumptions are made about the duplication of messages or the order in which messages are delivered. This is in contrast to other works on the verification of properties of replicated objects [11,13]. The reason why this assumption is not a problem in our case is that the least-upperbound assumption of the merge function, as well as the inflation assumptions on the states considered in Item 2 (Section 6.1) mean that delayed messages have no effect when they are merged.…”

Section: Operational Semanticsmentioning

confidence: 81%

“…Houshmand et al [13] extends CISE by lowering the causal consistency requirements and generating concurrency control protocols. It still requires reasoning about concurrent behaviours.…”

Section: Related Workmentioning

confidence: 99%

“…This temporary divergence can lead to an unsafe state, in this case declaring a wrong winner. This correctness problem has been addressed before; however, previous works mostly consider the operation-based propagation approach [11,13,19,24].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Proving the Safety of Highly-Available Distributed Objects

Nair¹,

Petri

Shapiro³

2020

Programming Languages and Systems

View full text Add to dashboard Cite

To provide high availability in distributed systems, object replicas allow concurrent updates. Although replicas eventually converge, they may diverge temporarily, for instance when the network fails. This makes it difficult for the developer to reason about the object's properties, and in particular, to prove invariants over its state. For the subclass of state-based distributed systems, we propose a proof methodology for establishing that a given object maintains a given invariant, taking into account any concurrency control. Our approach allows reasoning about individual operations separately. We demonstrate that our rules are sound, and we illustrate their use with some representative examples. We automate the rule using Boogie, an SMT-based tool.

show abstract

Section: Operational Semanticsmentioning

confidence: 81%

“…Houshmand et al [13] extends CISE by lowering the causal consistency requirements and generating concurrency control protocols. It still requires reasoning about concurrent behaviours.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Proving the Safety of Highly-Available Distributed Objects

Nair¹,

Petri

Shapiro³

2020

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…A number of earlier efforts [2,21,10,12,11] have looked at the problem of verifying state-based invariants in distributed applications. These techniques typically target applications built using CRDTs, and assume their underlying correctness.…”

Section: Related Work and Conclusionmentioning

confidence: 99%

Automated Parameterized Verification of CRDTs

Nagar

Jagannathan

2019

Computer Aided Verification

View full text Add to dashboard Cite

Maintaining multiple replicas of data is crucial to achieving scalability, availability and low latency in distributed applications. Conflict-free Replicated Data Types (CRDTs) are important building blocks in this domain because they are designed to operate correctly under the myriad behaviors possible in a weakly-consistent distributed setting. Because of the possibility of concurrent updates to the same object at different replicas, and the absence of any ordering guarantees on these updates, convergence is an important correctness criterion for CRDTs. This property asserts that two replicas which receive the same set of updates (in any order) must nonetheless converge to the same state. One way to prove that operations on a CRDT converge is to show that they commute since commutative actions by definition behave the same regardless of the order in which they execute. In this paper, we present a framework for automatically verifying convergence of CRDTs under different weak-consistency policies. Surprisingly, depending upon the consistency policy supported by the underlying system, we show that not all operations of a CRDT need to commute to achieve convergence. We develop a proof rule parameterized by a consistency specification based on the concepts of commutativity modulo consistency policy and non-interference to commutativity. We describe the design and implementation of a verification engine equipped with this rule and show how it can be used to provide the first automated convergence proofs for a number of challenging CRDTs, including sets, lists, and graphs.

show abstract

“…A second approach, captured by abstractions like concurrent revisions [Burckhardt et al 2010], admit richer semantics by permitting executions that are not linearizable; these abstractions explicitly expose replicated behavior to clients by defining operations that create and synchronize different versions of object state, where each version captures the evolution of a replicated object as it executes on a different replica. Finally, there have been recent attempts to equip specifications, rather than applications, with mechanisms that characterize notions of correctness in the presence of replication [Houshmand and Lesani 2019;Sivaramakrishnan et al 2015], using these specifications to guide implementations on when and how different global coordination and synchronization mechanisms should be applied. In all three cases, developers must grapple with various operational nuances of replication, either in the way objects are defined, abstractions used, or specifications written.…”

Section: Introductionmentioning

confidence: 99%

Mergeable replicated data types

Kaki

Priya

Sivaramakrishnan

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Programming geo-replicated distributed systems is challenging given the complexity of reasoning about different evolving states on different replicas. Existing approaches to this problem impose significant burden on application developers to consider the effect of how operations performed on one replica are witnessed and applied on others. To alleviate these challenges, we present a fundamentally different approach to programming in the presence of replicated state. Our insight is based on the use of invertible relational specifications of an inductively-defined data type as a mechanism to capture salient aspects of the data type relevant to how its different instances can be safely merged in a replicated environment. Importantly, because these specifications only address a data type's (static) structural properties, their formulation does not require exposing low-level system-level details concerning asynchrony, replication, visibility, etc. As a consequence, our framework enables the correct-by-construction synthesis of rich merge functions over arbitrarily complex (i.e., composable) data types. We show that the use of a rich relational specification language allows us to extract sufficient conditions to automatically derive merge functions that have meaningful non-trivial convergence properties. We incorporate these ideas in a tool called Quark, and demonstrate its utility via a detailed evaluation study on real-world benchmarks. CCS Concepts: • Computing methodologies → Distributed programming languages; • Computer systems organization → Availability; • Software and its engineering → Formal software verification.

show abstract

Hamsaz: replication coordination analysis and synthesis

Cited by 33 publications

References 72 publications

Proving the Safety of Highly-Available Distributed Objects

Proving the Safety of Highly-Available Distributed Objects

Automated Parameterized Verification of CRDTs

Mergeable replicated data types

Contact Info

Product

Resources

About