Verifying Strong Eventual Consistency in Distributed Systems
Data replication is used in distributed systems to maintain up-to-date copies of shared data across multiple
computers in a network. However, despite decades of research, algorithms for achieving consistency in
replicated systems are still poorly understood. Indeed, many published algorithms have later been shown to
be incorrect, even some that were accompanied by supposed mechanised proofs of correctness. In this work,
we focus on the correctness of Conflict-free Replicated Data Types (CRDTs), a class of algorithm that provides
strong eventual consistency guarantees for replicated data. We develop a modular and reusable framework
in the Isabelle/HOL interactive proof assistant for verifying the correctness of CRDT algorithms. We avoid
correctness issues that have dogged previous mechanised proofs in this area by including a network model
in our formalisation, and proving that our theorems hold in all possible network behaviours. Our axiomatic
network model is a standard abstraction that accurately reflects the behaviour of real-world computer networks.
Moreover, we identify an abstract convergence theorem, a property of order relations, which provides a formal
definition of strong eventual consistency. We then obtain the first machine-checked correctness theorems for
three concrete CRDTs: the Replicated Growable Array, the Observed-Remove Set, and an Increment-Decrement
Counter. We find that our framework is highly reusable, developing proofs of correctness for the latter two
CRDTs in a few hours and with relatively little CRDT-specific code.
Replication-Aware Linearizability
Geo-distributed systems often replicate data at multiple locations to achieve
availability and performance despite network partitions. These systems must
accept updates at any replica and propagate these updates asynchronously to
every other replica. Conflict-Free Replicated Data Types (CRDTs) provide a
principled approach to the problem of ensuring that replicas are eventually
consistent despite the asynchronous delivery of updates.
We address the problem of specifying and verifying CRDTs, introducing a new
correctness criterion called Replication-Aware Linearizability. This criterion
is inspired by linearizability, the de facto correctness criterion for
(shared-memory) concurrent data structures. We argue that this criterion is
both simple to understand and fits most known implementations of CRDTs. We
provide a proof methodology to show that a CRDT satisfies replication-aware
linearizability, which we apply to a wide range of implementations. Finally, we
show that our criterion can be leveraged to reason modularly about the
composition of CRDTs.