on verifying causal consistency - arxiv · about causal consistency is intrinsically hard in...
TRANSCRIPT
arX
iv:1
611.
0058
0v2
[cs.
LO]
15 N
ov 2
016
On Verifying Causal Consistency
Ahmed BouajjaniUniv. Paris Diderot & IUF, France
Constantin EneaUniv. Paris Diderot, France
Rachid GuerraouiEPFL, Switzerland
Jad HamzaEPFL-INRIA, Switzerland
Abstract. Causal consistency is one of the most adopted con-sistency criteria for distributed implementations of datastructures.It ensures that operations are executed at all sites according to theircausal precedence. We address the issue of verifying automaticallywhether the executions of an implementation of a data structureare causally consistent. We consider two problems: (1) checkingwhetheronesingle execution is causally consistent, which is rele-vant for developing testing and bug finding algorithms, and (2) ver-ifying whetherall the executions of an implementation are causallyconsistent.
We show that the first problem is NP-complete. This holds evenfor the read-write memory abstraction, which is a building blockof many modern distributed systems. Indeed, such systems oftenstore data in key-value stores, which are instances of the read-write memory abstraction. Moreover, we prove that, surprisingly,the second problem isundecidable, and again this holds even forthe read-write memory abstraction. However, we show that forthe read-write memory abstraction, these negative resultscan becircumvented if the implementations aredata independent, i.e.,their behaviors do not depend on the data values that are writtenor read at each moment, which is a realistic assumption.
We prove that for data independent implementations, the prob-lem of checking the correctness of a single execution w.r.t.theread-write memory abstraction is polynomial time. Furthermore,we show that for such implementations the set of non-causally con-sistent executions can be represented by means of a finite numberof register automata. Using these machines as observers (in parallelwith the implementation) allows to reduce polynomially theprob-lem of checking causal consistency to a state reachability problem.This reduction holds regardless of the class of programs used forthe implementation, of the number of read-write variables,and ofthe used data domain. It allows leveraging existing techniques forassertion/reachability checking to causal consistency verification.Moreover, for a significant class of implementations, we derivefrom this reduction the decidability of verifying causal consistencyw.r.t. the read-write memory abstraction.
Categories and Subject Descriptors D.2.4 [Software/ProgramVerification]: Model checking; F.3.1 [Specifying and Verifyingand Reasoning about Programs]: Mechanical verification; E.1[Data structures]: Distributed data structures
Keywords distributed systems, causal consistency, model check-ing, static program analysis
1. IntroductionCausal consistency [29] (CC for short) is one of the oldest and mostwidely spread correctness criterion for distributed systems. For adistributed system composed of several sites connected through anetwork where each site executes some set of operations, if an op-erationo1 affects another operationo2 (o2 causally depends ono1),causal consistency ensures that all sites must execute these opera-tions in that order. There exist many efficient implementations sat-isfying this criterion, e.g., [5, 13, 14, 25, 32], contrary to strongconsistency (linearizability) which cannot be ensured in the pres-ence of network partitions and while the system remains available[17, 19] (the sites answer to clients’ requests without delay).
However, developing distributed implementations satisfyingcausal consistency poses many challenges: Implementations mayinvolve a large number of sites communicating through unbounded1
communications channels. Roughly speaking, causal consistencycan be ensured if each operation (issued by some site) is broad-cast to the other sites together with its whole “causal past”(theother operations that affect the one being broadcast). But this is notfeasible in practice, and various optimizations have been proposedthat involve for instance the use of vector clocks [16, 33]. Defin-ing and implementing such optimizations is generally very delicateand error prone. Therefore, it is appealing to consider formal meth-ods to help developers write correct implementations. At differentstages of the development, both testing and verification techniquesare needed either for detecting bugs or for establishing correctnessw.r.t abstract specifications. We study in this paper two fundamen-tal problems in this context: (1) checking whether one givenexe-cution of an implementation is causally consistent, a problem thatis relevant for the design of testing algorithms, and (2) theproblemof verifying whether all the executions of an implementation arecausally consistent.
First, we prove that checking causal consistency for a singleexecution is NP-hard in general. We prove in fact that this problemis NP-complete for the read-write memory abstraction (RWM for
1 Throughout the paper,unboundedmeans finite but arbitrarily large.
1
short), which is at the basis of many distributed data structures usedin practice.
Moreover, we prove that the problem of verifying causal con-sistency of an implementation is undecidable in general. Weprovethis fact in two different ways. First, we prove that for regular spec-ifications (i.e., definable using finite-state automata), this problemis undecidable even for finite-state implementations with two sitescommunicating through bounded-size channels. Furthermore, weprove that even for the particular case of the RWM specification,the problem is undecidable in general. (The proof in this case istechnically more complex and requires the use of implementationswith more than two sites.)
This undecidability result might be surprising, since it isknownthat linearizability (stronger than CC) [23] and eventual consis-tency (weaker than CC) [39] are decidable to verify in that samesetting [3, 8, 21]. This result reveals an interesting aspect in thedefinition of causal consistency. Intuitively, two key properties ofcausal consistency are that (1) it requires that the order between op-erations issued by the same site to be preserved globally at all thesites, and that (2) it allows an operationo1 which happened arbi-trarily sooner than an operationo2 to be executed aftero2 (if o1 ando2 are not causally related). Those are the essential ingredients thatare used in the undecidability proofs (that are based on encodingsof the Post Correspondence Problem). In comparison, linearizabil-ity does not satisfy (2) because for a fixed number of sites/threads,the reordering between operations is bounded (since only opera-tions which overlap in time can be reordered), while eventual con-sistency does not satisfy (1).
Our NP-hardness and undecidability results show that reasoningabout causal consistency is intrinsically hard in general.However,by focusing on the case of the RWM abstraction, and by consid-ering commonly used objects that are instances of this abstraction,e.g., key-value stores, one can observe that their implementationsare typicallydata independent[1, 42]. This means that the waythese implementations handle data with read and write instructionsis insensitive to the actual data values that are read or written. Weprove that reasoning about causal consistency w.r.t. the RWM ab-straction becomes tractable under the natural assumption of dataindependence. More precisely, we prove that checking causal con-sistency for a single computation is polynomial in this case, and thatverifying causal consistency of an implementation is polynomiallyreducible to a state reachability problem, the latter beingdecidablefor a significant class of implementations. Let us explain how weachieve that.
In fact, data independence implies that it is sufficient to con-sider executions where each value is written at most once; let uscall such executionsdifferentiated(see, e.g., [1]). The key step to-ward the results mentioned above is a characterization of the setof all differentiated executions that violate causal consistency w.r.t.the RWM. This characterization is based on the notion of abadpatternthat can be seen as a set of operations occurring (within anexecution) in some particular order corresponding to a causal con-sistency violation. We express our bad patterns using appropriatelydefined conflict/dependency relations between operations along ex-ecutions. We show that there is afinite numberof bad patterns suchthat an execution is consistent w.r.t. the RWM abstractionif andonly if the execution does not contain any of these patterns.
In this characterization, the fact that we consider only differ-entiated executions is crucial. The reason is that all relations usedto express bad patterns include the read-from relation thatasso-ciates with each read operation the write operation that providesits value. This relation is uniquely defined for differentiated execu-tions, while for arbitrary executions where writes are not unique,reads can take their values from an arbitrarily large numberof
writes. This is actually the source of complexity and undecidabilityin the non-data independent case.
Then, we exploit this characterization in two ways. First, weshow that for a given execution, checking that it contains a badpattern can be done in polynomial time, which constitutes anim-portant gain in complexity w.r.t. to the general algorithm that doesnot exploit data independence (precisely because the latter needs toconsider all possible read-from relations in the given execution.)
Furthermore, we show that for each bad pattern, it is possibleto construct effectively anobserver(which is a state-machine ofsome kind) that is able, when running in parallel with an imple-mentation, to detect all the executions containing the bad pattern.A crucial point is to show that these observers are in a class ofstate-machines that has “good” decision properties. (Basically, it isimportant that checking whether they detect a violation is decid-able for a significant class of implementations.) We show that theobservers corresponding to the bad patterns we identified can bedefined asregister automata[10], i.e., finite-state state machinessupplied with a finite number of registers that store data over apotentially infinite domain (such as integers, strings, etc.) but onwhich the only allowed operation is checking equality. An impor-tant feature of these automata is that their state reachability prob-lem can be reduced to the one for (plain) finite-state machines. Theconstruction of the observers is actually independent fromthe typeof programs used for the implementation, leading to a semanticallysound and complete reduction to a state reachability problem (re-gardless of the decidability issue) even when the implementationis deployed over an unbounded number of sites, has an unboundednumber of variables (keys) storing data over an unbounded domain.
Our reduction enables the use of any reachability analysis orassertion checking tool for the verification of causal consistency.Moreover, for an important class of implementations, this reduc-tion leads to decidability and provides a verification algorithm forcausal consistency w.r.t. the RWM abstraction. We considerimple-mentations consisting of a finite number of state machines commu-nicating through a network (by message passing). Each machinehas a finite number of finite-domain (control) variables withunre-stricted use, in addition to a finite number ofdata variablesthatare used only to store and move data, and on which no conditionaltests can be applied. Moreover, we do not make any assumptionon the network: the machines communicate through unboundedunordered channels, which is the usual setting in large-scale dis-tributed networks. (Implementations can apply ordering protocolson top of this most permissive model.)
Implementations in the class we consider have an infinite num-ber of configurations (global states) due to (1) the unboundednessof the data domain, and (2) the unboundedness of the communi-cation channels. First, we show that due to data independence andthe special form of the observers detecting bad patterns, provingcausal consistency for any given implementation in this class (withany data domain) reduces to proving its causal consistency for aboundeddata domain (with precisely 5 elements). This crucial factallows to get rid of the first source of unboundedness in the configu-ration space. The second source of unboundedness is handledusingcounters: we prove that checking causal consistency in thiscasecan be reduced to the state reachability problem in Vector Addi-tion Systems with States (equivalent to unbounded Petri Nets), andconversely. This implies that verifying causal consistency w.r.t. theRWM (for this class of implementations) is EXPSPACE-complete.
It is important to notice that causal consistency has differentmeanings depending on the context and the targeted applications.Several efforts have been made recently for formalizing various no-tions of causal consistency (e.g., [11, 12, 20, 35, 37]). In this pa-per we consider three important variants. The variant called simplycausal consistency (abbreviated asCC) allows non-causally depen-
2
dent operations to be executed in different orders by different sites,and decisions about these orders to be revised by each site. Thismodels mechanisms for solving the conflict between non-causallydependent operations where each site speculates on an orderbe-tween such operations and possibly roll-backs some of them ifneeded later in the execution, e.g., [6, 27, 34, 39]. We also con-sider two stronger notions, namelycausal memory(CM) [2, 35],andcausal convergence(CCv) [11, 12, 35]. The latter assumes thatthere is a total order between non-causally dependent operationsand each site can execute operations only in that order (whenitsees them). Therefore, a site is not allowed to revise its orderingof non-causally dependent operations, and all sites execute in thesame order the operations that are visible to them. This notion isused in a variety of systems [5, 14, 28, 38, 40, 43] because it alsoimplies a strong variant of convergence, i.e., that every two sitesthat receive the same set of updates execute them in the same order.As for CM, a site is allowed to diverge from another site on the or-dering of non-causally dependent operations, but is not allowed torevise its ordering later on.CM andCCv are actually incomparable[35].
All the contributions we have described above in this sectionhold for theCC criterion. In addition, concerningCM andCCv, weprove that (1) the NP-hardness and undecidability results hold, (2)a characterization by means of a finite number of bad patternsispossible, and (3) checking consistency for a single execution ispolynomial time.
To summarize, this paper establishes the first complexity and(un)decidability results concerning the verification of causal con-sistency:
• NP-hardness of the problems of checkingCC, CM, andCCv fora single execution (Section 5).
• Undecidability of the problems of verifyingCC, CM, andCCv forregular specifications, and actually even for the RWM specifi-cation (Section 6).
• A polynomial-time procedure for verifying that a single execu-tion of a data independent implementation isCC, CM, andCCvw.r.t. RWM (Section 8).
• Decidability and complexity for the verification ofCC w.r.t. theRWM for a significant class of data independent implementa-tions (Section 10).The complexity and decidability results obtained for the RWM
(under the assumption of data independence) are based on twokeycontributions that provide a deep insight on the problem of veri-fying causal consistency, and open the door to efficient automatedtesting/verification techniques:
• A characterization as a finite set of “bad patterns” of the setof violations toCC, CM, and CCv w.r.t. the RWM, under theassumption of data independence (Section 7).
• A polynomial reduction of the problem of verifying that adata independent implementation isCC w.r.t. to the RWM toa state reachability (or dually to an invariant checking) problem(Section 9).
2. Notations2.1 Sets, Multisets, Relations
Given a setO and a relationR ⊆ O × O, we denote byo1 <R o2the fact that(o1, o2) ∈ R. We denote byo1 ≤R o2 the fact thato1 <R o2 or o1 = o2. We denote byR+ thetransitive closureofR,which is the composition of one or more copies ofR.
Let O′ be a subset ofO. ThenR∣O′ is the relationR projectedon the setO′, that is{(o1, o2) ∈ R ∣ o1, o2 ∈ O′}. The setO′ ⊆ O issaid to bedownward-closed(with respect to relationR) if ∀o1, o2,if o2 ∈ O′ ando1 <R o2, theno1 ∈ O′ as well. We defineupward-closedsimilarly.
2.2 Labeled Posets
A relation< ⊆ O ×O is astrict partial order if it is transitive andirreflexive. Aposetis a pair(O,<) where< is a strict partial orderoverO. Note here that we use the strict version of posets, and notthe ones where the underlying partial order isweak, i.e. reflexive,antisymmetric, and transitive.
Given a setΣ, a Σ labeled posetρ is a tuple(O,<, ℓ) where(O,<) is a poset andℓ ∶ O → Σ is the labeling function.
We say thatρ′ is aprefixof ρ if there exists a downward closedset A ⊆ O (with respect to relation<) such thatρ′ = (A,<, ℓ). A (resp., labeled)sequential poset(sequence for short) is a(resp., labeled) poset where the relation< is a strict total order. Wedenote bye ⋅ e′ the concatenation of sequential posets.
3. Replicated ObjectsWe define an abstract model for the class of distributed objectscalled replicated objects[7], where the object state is replicatedat different sites in a network, called alsoprocesses, and updatesor queries to the object can be submitted to any of these sites.This model reflects the view that a client has on an execution ofthis object, i.e., a set of operations with their inputs and outputswhere every two operations submitted to the same site are ordered.It abstracts away the implementation internals like the messagesexchanged by the sites in order to coordinate about the objectstate. Such a partially ordered set of operations is called ahistory.The correctness (consistency) of a replicated object is defined withrespect to aspecificationthat captures the behaviors of that objectin the context of sequential programs.
3.1 Histories
A replicated object implements a programming interface (API)defined by a set ofmethodsM with input or output values froma domainD.
For instance, in the case of theread/write memory, the setof methodsM is {wr,rd} for writing or reading a variable. Also,given a set ofvariablesX, the domainD is defined as(X×N)⊎X⊎N ⊎ {�}. Write operations take as input a variable inX and a valuein N and return� while read operations take as input a variable inX and return a value inN. The return value� is often omitted forbetter readability.
A historyh = (O,PO, ℓ) is a poset labeled byM×D×D, where:• O is a set of operation identifiers, or simplyoperations,• PO is a union of total orders between operations calledprogram
order: for o1, o2 ∈ O, o1 <PO o2 means thato1 ando2 weresubmitted to the same site, ando1 occurred beforeo2,
• for m ∈ M andarg , rv ∈ D, ando ∈ O, ℓ(o) = (m,arg , rv)means that operationo is an invocation ofm with inputarg and returningrv . The labelℓ(o) is sometimes denotedm(arg)▷ rv .Given an operationo from aread/write memory history, whose
label is eitherwr(x, v) or rd(x)▷v, for somex ∈ X, v ∈ D, wedefinevar(o) = x andvalue(o) = v.
3.2 Specification
The consistency of a replicated object is defined with respect toa particular specification, describing the correct behaviors of thatobject in a sequential setting. AspecificationS is thus defined2 asa set of sequences labeled byM ×D ×D.
2 In general, specifications can be defined as sets of posets instead ofsequences. This is to model conflict-resolution policies which are moregeneral than choosing a total order between operations. In this paper, wefocus on theread/write memory whose specification is a set of sequences.
3
CC
CCv
CM
Figure 1: Implication graph of causal consistency definitions.
pa:wr(x,1)rd(x)▷2
pb:wr(x,2)rd(x)▷1
(a)CM but notCCv
pa:wr(z,1)wr(x,1)wr(y,1)
pb:wr(x,2)rd(z)▷0
rd(y)▷ 1
rd(x)▷2
(b) CCv but notCM
pa:wr(x,1)
pb:wr(x,2)rd(x)▷1
rd(x)▷2
(c) CC but notCM norCCv
pa:wr(x,1)rd(y)▷0
wr(y,1)rd(x)▷1
pb:wr(x,2)rd(y)▷ 0
wr(y,2)rd(x)▷2
(d) CC, CM andCCv but notsequentially consistent
pa:wr(x,1)wr(y,1)
pb:rd(y)▷1
wr(x,2)
pc:rd(x)▷2
rd(x)▷1
(e) notCC (norCM, norCCv)
Figure 2: Histories showing the differences between the consis-tency criteriaCC, CM, andCCv.
In this paper, we focus on theread/write memory whose speci-ficationSRW is defined inductively as the smallest set of sequencesclosed under the following rules (x ∈ X andv ∈ N):1. ε ∈ SRW,2. if ρ ∈ SRW, thenρ ⋅ wr(x, v) ∈ SRW,3. if ρ ∈ SRW contains no write onx, thenρ ⋅ rd(x)▷0 ∈ SRW,4. if ρ ∈ SRW and the last write inρ on variablex is wr(x, v), then
ρ ⋅ rd(x)▷ v ∈ SRW.
4. Causal ConsistencyCausal consistency is one of the most widely used consistencycriterion for replicated objects. Informally speaking, itensures that,if an operationo1 is causally relatedto an operationo2 (e.g., somesite knew abouto1 when executingo2), then all sites must executeoperationo1 before operationo2. Operations which are not causallyrelated may be executed in different orders by different sites.
From a formal point of view, there are several variations ofcausal consistency that apply to slightly different classes of im-plementations. In this paper, we consider three such variations thatwe call causal consistency (CC), causal memory (CM), and causalconvergence (CCv). We start by presentingCC followed byCM andCCv, which are both strictly stronger thanCC. CM andCCv are notcomparable (see Figure 1).
4.1 Causal Consistency: Informal Description
Causal consistency [20, 35] (CC for short) corresponds to the weak-est notion of causal consistency that exists in the literature. We de-scribe the intuition behind this notion of consistency using severalexamples, and then give the formal definition.
AxCausal PO ⊆ coAxArb co ⊆ arbAxCausalValue CausalHist(o){o} ⪯ ρoAxCausalSeq CausalHist(o){POPast(o)} ⪯ ρoAxCausalArb CausalArb(o){o} ⪯ ρo
where:CausalHist(o) = (CausalPast(o), co, ℓ)CausalArb(o) = (CausalPast(o),arb , ℓ)CausalPast(o) = {o′ ∈ O ∣ o′ ≤co o}POPast(o) = {o′ ∈ O ∣ o′ ≤PO o}
Table 1: Axioms used in the definitions of causal consistency.
Recall that a historyh models the point of view of a clientusing a replicated object, and it contains no information regardingthe internals of the implementation, in particular, the messagesexchanged between sites. This means that a history containsnonotion of causality order. Thus, from the point of view of theclient, a history isCC as long as thereexistsa causality order whichexplains the return value of each operation. This is why, in theformal definition ofCC given in the next section, the causality orderco is existentially quantified.
Example 1. History (2e) is notCC. The reason is that there does notexist a causality order which explains the return values of all opera-tions in the history. Intuitively, in any causality order,wr(y,1)mustbe causally related tord(y)▷ 1 (so that the read can return value1). By transitivity of the causality order and because any causalityorder must contain the program order,wr(x,1) must be causallyrelated towr(x,2). However, sitepc first readsrd(x)▷2, andthenrd(x)▷ 1. This contradicts the informal constraint that ev-ery site must see operations which are causally related in the sameorder.
Example 2. History (2c) isCC. The reason is that we can definea causality order where the writeswr(x,1) and wr(x,2) are notcausally related between them, but each write is causally relatedto both reads. Since the writes are not causally related, sitepb canread them in any order.
There is a subtlety here. In History (2c), sitepb first doesrd(x)▷ 1, which implicitly means that it executedwr(x,1) afterwr(x,2). Thenpb doesrd(x)▷ 2 which means thatpb “changedits mind”, and decided to orderwr(x,2) after wr(x,1). This isallowed byCC, but as we will see later, not allowed by the strongercriteriaCM andCCv.
This feature ofCC is useful for systems which do speculativeexecutions and rollbacks [6, 39]. It allows systems to execute oper-ations by speculating on an order, and then possibly rollback, andchange the order of previously executed operations. This happensin particular in systems where convergence is important, where aconsensus protocol is running in the background to make all siteseventually agree on a total order of operations. The stronger def-initions, CM andCCv, are not suited to represent such speculativeimplementations.
4.2 Causal Consistency: Definition
We now give the formal definition ofCC, which corresponds to thedescription of the previous section. A historyh = (O,PO, ℓ) is CCwith respect to a specificationS when there exists a strict partialorderco ⊆ O ×O, calledcausal order, such that, for all operationso ∈ O, there exists a specification sequenceρo ∈ S such that axiomsAxCausal andAxCausalValue hold (see Table 1).
4
ρa:[o1] wr(x,1)
[o2] wr(y,2)
[o3] rd(x)
ρb:[o1] wr(x,1)
[o2] wr(y,2)
[o3] rd(x)▷ 1
ρc:[o1] wr(x,1)
[o2] wr(y,2)
[o3] rd(x)▷ 1
Figure 3: Illustration of the⪯ relation. We haveρa ⪯ ρb, but notρa ⪯ ρc. The label of an operationo is written next too. Thearrows represent the transitive reduction of the strict partial ordersunderlying the labeled posets. (For instance, none of the operationsin ρc are ordered.)
Axiom AxCausal states that the causal order must at least con-tain the program order. AxiomAxCausalValue states that, for eachoperationo ∈ O, the causal history ofo (roughly, all the operationswhich are beforeo in the causal order) can be sequentialized in or-der to obtain a valid sequence of the specificationS. This sequen-tialization must also preserve the constraints given by thecausalorder. Formally, we define thecausal pastof o, CausalPast(o), asthesetof operations beforeo in the causal order and thecausal his-tory of o, CausalHist(o) as the restriction of the causal order to theoperations in its causal past. Since a site is not required tobe con-sistent with the return values it has provided in the past or the returnvalues provided by the other sites, the axiomAxCausalValue usesthe causal history where only the return value of operationo hasbeen kept. This is denoted byCausalHist(o){o}. The fact that thelatter can be sequentialized to a sequenceρo in the specification isdenoted byCausalHist(o){o} ⪯ ρo. We defer the formal definitionof these two last notations to the next section.
4.3 Operations on Labeled Posets
First, we introduce an operator which projects away the returnvalues of a subset of operations. Letρ = (O,<, ℓ) be aM ×D × Dlabeled poset andO′ ⊆ O. We denote byρ{O′} the labeled posetwhere only the return values of the operations inO′ have beenkept. Formally,ρ{O′} is the(M×D)∪ (M×D×D) labeled poset(O,<, ℓ′) where for allo ∈ O′, ℓ′(o) = ℓ(o), and for allo ∈ O∖O′,if ℓ(o) = (m,arg , rv), thenℓ′(o) = (m,arg). If O′ = {o}, wedenoteρ{O′} by ρ{o}.
Second, we introduce a relation on labeled posets, denoted⪯.Let ρ = (O,<, ℓ) and ρ′ = (O,<′, ℓ′) be two posets labeled by(M × D) ∪ (M × D × D) (the return values of some operations inO might not be specified). We denote byρ′ ⪯ ρ the fact thatρ′ hasless order and label constraints on the setO. Formally,ρ′ ⪯ ρ if<′ ⊆< and for all operationo ∈ O, and for allm ∈M, arg , rv ∈ D,
• ℓ(o) = ℓ′(o), or• ℓ(o) = (m,arg , rv) impliesℓ′(o) = (m,arg).
Example 3. For any set of operationsO′ ⊆ O, ρ{O′} ⪯ ρ. Thereason is thatρ{O′} has the same order constraints onO thanρ,but some return values are hidden inρ{O′}.
Example 4. In Figure 3, we haveρa ⪯ ρb, as the only differencesbetweenρa andρb is the label ofo3, and the fact thato1 < o2 holdsin ρb but not inρa.
We haveρa /⪯ ρc, aso1 < o3 holds inρa, but not inρc.
4.4 Causal Memory (CM)
Compared to causal consistency, causal memory [2, 35] (denotedCM) does not allow a site to “change its mind” about the order ofoperations. The original definition of causal memory of Ahamadet al. [2] applies only to theread/write memory and it was ex-tended by Perrin et al. [35] to arbitrary specifications. We use themore general definition, since it was also shown that it coincides
with the original one for histories where for each variablex ∈ X,the values written tox are unique.
For instance, History (2c) isCC but notCM. Intuitively, the reasonis that sitepb first decides to orderwr(x,1) after wr(x,2) (forrd(x)▷ 1) and then decides to orderwr(x,2) afterwr(x,1) (forrd(x)▷ 2).
On the other hand, History (2a) isCM. Sitespa andpb disagreeon the order of the two write operations, but this is allowed by CM,as we can define a causality order where the two writes are notcausally related.
Formally, a historyh = (O,PO, ℓ) is CM with respect to aspecificationS if there exists a strict partial orderco ⊆ O ×O suchthat, for each operationo ∈ O, there exists a specification sequenceρo ∈ S such that axiomsAxCausal andAxCausalSeq hold. Withrespect toCC, causal memory requires that each site is consistentwith respect to the return values it has provided in the past.A siteis still not required to be consistent with the return valuesprovidedby other sites. Therefore,AxCausalSeq states:
CausalHist(o){POPast(o)} ⪯ ρo
where CausalHist(o){POPast(o)} is the causal history whereonly the return values of the operations which are beforeo inthe program order (inPOPast(o)) are kept. For finite histories,if we set o to be the last operation of a sitep, this means thatwe must explain all return values of operations inp by a singlesequenceρo ∈ S. In particular, this is not possible for for sitepb inHistory (2c).
The following lemma gives the relationship betweenCM andCC.
Lemma 1 ([35]). If a historyh is CM with respect to a specificationS, thenh is CC with respect toS.
Proof. We know by definition that there exists a strict partial orderco such that, for all operationo ∈ O, there existsρo ∈ S such thataxiomsAxCausal andAxCausalSeq. In particular, for anyo ∈ O,we haveCausalHist(o){POPast(o)} ⪯ ρo.
SinceCausalHist(o){o} ⪯ CausalHist(o){POPast(o)}, andthe relation⪯ is transitive, we haveCausalHist(o){o} ⪯ ρo, andaxiomAxCausalValue holds.
4.5 Causal Convergence (CCv)
Our formalization of causal convergence (denotedCCv) corre-sponds to the definition ofcausal consistencygiven in Burckhardtet al. [12] and Burckhardt [11] restricted to sequential specifica-tions.CCv was introduced in the context ofeventual consistency,another consistency criterion guaranteeing that roughly,all siteseventually converge towards the same state, when no new updatesare submitted.
Causal convergence uses a total order between all the operationsin a history, called thearbitration order, as an abstraction of theconflict resolution policy applied by sites to agree on how toorderoperations which arenot causally related. As it was the case for thecausal order, the arbitration order, denoted byarb, is not encodedexplicitly in the notion of history and it is existentially quantifiedin the definition ofCCv.
Example 5. History (2a) is notCCv. The reason is that, for the firstsitepa to readrd(x)▷2, the writewr(x,2)must be afterwr(x,1)in the arbitration order. Symmetrically, because of therd(x)▷1,wr(x,2) must be beforewr(x,1) in the arbitration order, which isnot possible.
Example 6. History (2b) gives a history which isCCv but notCM.To prove that it isCCv, a possible arbitration order is to have thewrites ofpa all before thewr(x,2) operation, and the causalityorder then relateswr(y,1) to rd(y)▷1.
5
On the other hand, History (2b) is notCM. If History (2b) wereCM, for sitepb, wr(y,1) should go beforerd(y)▷ 1. By transitivity,this implies thatwr(x,1) should go beforerd(x)▷2. But for theread rd(x)▷2 to return value2, wr(x,1) should then also gobeforewr(x,2). This implies thatwr(z,1) goes beforerd(z)▷0
preventingrd(z)▷ 0 from reading the initial value0.
Example 7. History (2d) shows that all causal consistency defi-nitions (CC, CM, andCCv) are strictly weaker than sequential con-sistency. Sequential consistency [30] imposes a total order on all(read and write) operations. In particular, no such total order canexist for History (2d). Because of the initial writeswr(x,1) andwr(x,2), and the final readsrd(x)▷1 andrd(x)▷2, all the op-erations ofpa must be completely ordered before the operations ofpb, or vice versa. This would make one of therd(y)▷ 0 to be or-dered after eitherwr(y,1) or wr(y,2), which is not allowed by theread/write memory specification. On the other hand, History (2d)satisfies all criteriaCC, CM, CCv. The reason is that we can set thecausality order to not relate any operation frompa to pb nor frompb to pa.
Formally, a historyh is CCv with respect toS if there exist astrict partial orderco ⊆ O ×O and a strict total orderarb ⊆ O ×Osuch that, for each operationo ∈ O, there exists a specificationsequenceρo ∈ S such that the axiomsAxCausal, AxArb, andAxCausalArb hold. AxiomAxArb states that the arbitration orderarb must at least respect the causal orderco. Axiom AxCausalArbstates that, to explain the return value of an operationo, we mustsequentialize the operations which are in the causal past ofo, whilerespecting the arbitration orderarb.
Axioms AxCausalArb and AxArb imply axiom AxCausal-Value, as the arbitration orderarb contains the causality orderco. We therefore have the following lemma.
Lemma 2 ([35]). If a historyh is CCv with respect to a specifica-tion S, thenh is CC with respect toS.
Proof. Similar to the proof of Lemma 1, but using the fact thatCausalHist(o){o} ⪯ CausalArb(o){o} (since by axiomAxArb,co ⊆ arb).
5. Single History Consistency is NP-completeWe first focus on the problem of checking whether a given history isconsistent, which is relevant for instance in the context oftesting agiven replicated object. We prove that this problem isNP-completefor all the three variations of causal consistency (CC, CM, CCv) andtheread/write memory specification.
Lemma 3. Checking whether a historyh isCC (resp.,CM, resp.,CCv)with respect toSRW isNP-complete.
Proof. Membership inNP holds for all the variations of causal con-sistency, and any specificationS for which there is a polynomial-time algorithm that can check whether a given sequence is inS.This includes theread/write memory, and common objects suchas sets, multisets, stacks, or queues. It follows from the fact thatone can guess a causality orderco (and an arbitration orderarb forCCv), and a sequenceρo for each operationo, and then check inpolynomial time whether the axioms of Table 1 hold, and whetherρo ∈ S.
For NP-hardness, we reduce boolean satisfiability to checkingconsistency of a single history reusing the encoding from Furbachet al. [18]. Letφ be a boolean formula in CNF with variablesx1, . . . , xn, and clausesC1, . . . ,Ck. The goal is to define a historyh which is CC if and only if φ is satisfiable. All operations onhare on a single variabley. For the encoding, we assume that eachclause corresponds to a unique integer strictly larger thann.
For i ∈ {1, . . . , n}, we definePos(xi) as the set of clauseswherexi appears positively, andNeg(xi) as the set of clauseswherexi appears negatively.
For eachi ∈ {1, . . . , n}, h contains two sites,pifalse andpitrue.Sitepifalse first writes eachC ∈ Pos(xi) (in the order they appearin C1, . . . ,Ck) to variabley, and then, it writesi. Similarly, Sitepitrue writes eachC ∈ Neg(xi) (in the order they appear inC1, . . . ,Ck) to variabley, and then, it writesi.
Finally, a sitepeval doesrd(y)▷1⋯rd(y)▷n followed byrd(y)▷C1⋯rd(y)▷Ck.
We then prove the following equivalence: (the equivalence forCM andCCv can be proven similarly):h is CC iff φ is satisfiable.(⇐) This direction follows from the proof of [18]. They show
that if φ is satisfiable, the historyh is sequentially consistent.(⇒) Assumeh is CC. Then, there existsco, such that, for allo ∈
O, there existsρo ∈ SRW, such thatAxCausal andAxCausalValuehold. In particular, eachrd(y)▷ i of peval must have awr(y, i) inits causal past.
Thewr(y, i) operation can either be frompifalse (correspondingto setting variablexi to false inφ), or from pitrue (correspondingto setting variablexi to true inφ). For instance, if it is from sitepifalse, then none of of thewr(y,C) for C ∈ Pos(xi) can be usedfor the readsrd(y)▷Ci of peval.
Consequently, for any variablexi, only the writes ofwr(y,C)for C ∈ Pos(xi), or the ones withC ∈ Neg(xi) can be used forthe readsrd(y)▷Ci of peval.
Moreover, each readrd(y)▷Ci has a correspondingwr(y,Ci),meaning thatφ is satisfiable.
The reduction from boolean satisfiability used to prove NP-hardness uses histories where the same value is written multipletimes on the same variable. We show in Section 8 that this is infactnecessary to obtain theNP-hardness: when every value is writtenonly once per variable, the problem becomes polynomial time.
6. Undecidability of Verifying Causal ConsistencyWe now consider the problem of checking whether all historiesof an implementation are causally consistent. We consider thisproblem for all variants of causal consistency (CC, CM, CCv).
We prove that this problem is undecidable. In order to formallyprove the undecidability, we describe an abstract model forrepre-senting implementations.
6.1 Executions and Implementations
Concretely, an implementation is represented by a set ofexecutions.Formally, anexecutionis a sequence of operations. Each operationis labeled by an element(p,m,arg , rv) of PId×M×D×D, meaningthatm was called with argument valuearg on sitep, and returnedvalue rv . An implementationI is a set of executions which isprefix-closed (ifI contains an executione ⋅ e′, I also containse).
All definitions given for histories (and sets of histories) transferto executions (and sets of executions) as for each executione, wecan define a corresponding historyh. The historyh = (O,PO, ℓ)contains the same operations ase, and orderso1 <PO o2 if o1 ando2 are labeled by the same site, ando1 occurs beforeo2 in e.
For instance, an implementation isdata independentif the cor-responding set of histories is data independent.
6.2 Undecidability Proofs
We prove undecidability even whenI andS are regular languages(given by regular expressions or by finite automaton). We referto this as the first undecidability proof. Even stronger, we givea second undecidability proof, which shows that this problem isundecidable when the specification is set toSRW, with a fixed
6
number of variables, and with a fixed domain size (which is aparticular regular language).
These results imply that the undecidability does not come fromthe expressiveness of the model used to describe implementations,nor from the complexity of the specification, but specifically fromthe fact that we are checking causal consistency.
For both undecidability proofs, our approach is to reduce thePost Correspondence Problem (PCP, an undecidable problem informal languages), to the problem of checking whetherI is notcausally consistent (resp.,CC,CM,CCv).
Definition 1. Let ΣPCP be a finite alphabet.PCP asks, givenn pairs (u1, v1), . . . , (un, vn) ∈ (Σ
∗PCP × Σ∗PCP), whether there
existi1, . . . , ik ∈ {1, . . . , n} such thatui1⋯uik = vi1⋯vik , with(k > 0).
From a high-level view, both proofs operate similarly. We build,from a PCP instanceP , an implementationI (which is here aregular language) – and for the first proof, a specificationS – suchthatP has a positive answer if and only ifI contains an executionwhich is not causally consistent (resp.,CC,CM,CCv) with respect toS (with respect to a bounded version ofSRW for the second proof).
The constructed implementationsI produce, for each possiblepair of words(u, v), an execution whose historyH(u,v) is notcausally consistent (resp.,CC,CM,CCv) if and only if (u, v) forma valid answerfor P .
Definition 2. Two sequences(u, v) in Σ∗PCP form avalid answerif u = v and they can be decomposed intou = ui1 ⋅ ui2⋯uik andv = vi1 ⋅ vi2⋯vik , with each(uij , vij ) corresponding to a pair ofproblemP .
Therefore,I is not causally consistent, if and only ifI containsan execution whose historyH(u,v) is not causally consistent, if andonly if there exists(u, v) which form a valid answer forP , if andonly if P has a positive answer.
6.3 Undecidability For Regular Specifications
For the first proof, we first prove that theshuffling problem, aproblem on formal languages that we introduce, is not decidable.This is done by reducingPCP to the shuffling problem.
We then reduce the shuffling problem to checking whether animplementation is not causally consistent (resp.,CC,CM,CCv), show-ing that verification of causal consistency is undecidable as well.
Given two wordsu, v ∈ Σ∗, theshufflingoperator returns theset of words which can be obtained fromu andv by interleavingtheir letters. Formally, we defineu∥v ⊆ Σ∗ inductively:ε∥v = {v},u∥ε = {u} and(a ⋅ u)∥(b ⋅ v) = a ⋅(u∥(b ⋅ v))∪b ⋅((a ⋅ u)∥v), witha, b ∈ Σ.
Definition 3. Theshuffling problemasks, given a regular languageL over an alphabet(Σu ⊎Σv)
∗, if there existu ∈ Σ∗u andv ∈ Σ∗vsuch thatu∥v ∩L = ∅.
Lemma 4. The shuffling problem is undecidable.
We now give the undecidability theorem for causal consistency(resp.,CC,CM,CCv), by reducing the shuffling problem to the prob-lem of verifying (non-)causal consistency. The idea is to let one sitesimulate words fromΣ∗u, and the second site fromΣ∗v. We then setthe specification to be (roughly) the languageL. We therefore ob-tain that there exists an execution which isnot causally consistentwith respect toL if and only if there existu ∈ Σ∗u, v ∈ Σ∗v such thatno interleaving ofu andv belongs toL, i.e.u∥v ∩L = ∅.
Theorem 1. Given an implementationI and a specificationSgiven as regular languages, checking whether all executions ofIare causally consistent (resp.,CC, CM, CCv) with respect toS isundecidable.
6.4 Undecidability for the read/write memory abstraction
Our approach for the second undecidability proof is to reduce di-rectlyPCP to the problem of checking whether a finite-state imple-mentation isnot CC (resp.,CM, CCv) with respect to theread/writememory, without going through the shuffling problem. The reduc-tion here is much more technical, and requires13 sites. This is dueto the fact that we cannot encode the constraints we want in thespecification (as the specification is set to beSRW), and we mustencode them using appropriately placed read and write operations.
Theorem 2. Given an implementationI as a regular language,checking whether all executions ofI are causally consistent(resp.,CC, CM, CCv) with respect toSRW is undecidable.
7. Causal Consistency under Data IndependenceImplementations used in practice are typicallydata indepen-dent [1], i.e. their behaviors do not depend on the particular datavalues which are stored at a particular variable. Under thisassump-tion, we prove in Section 7.1 that it is enough to verify causalconsistency for histories which use distinctwr values, calleddiffer-entiatedhistories.
We then show in Section 7.2, for each definition of causal con-sistency, how to characterize non-causally consistent (differenti-ated) histories through the presence of certain sets of operations.
We call these sets of operationsbad patterns, because any his-tory containing one bad pattern is necessarily not consistent (forthe considered consistency criterion). The bad patterns are definedthrough various relations derived from a differentiated history, andare all computable in polynomial time (proven in Section 8).Forinstance, forCC, we provide in Section 7.2 four bad patterns suchthat, a differentiated historyh is CC if and only if h contains noneof these bad patterns. We give similar lemmas forCM andCCv.
7.1 Differentiated Histories
Formally, a history(O,PO, ℓ) is said to bedifferentiatedif for allo1 ≠ o2, if ℓ(o1) = wr(x)▷d1 and ℓ(o2) = wr(x)▷d2, thend1 ≠ d2, and there are no operationwr(x,0) (which writes theinitial value). LetH be a set of labeled posets. We denote byH≠the subset of differentiated histories ofH .
A renamingf ∶ N × N is a function which modifies the datavalues of operations. Given aread/write memory history h, wedefine byh[f] the history where any numbern ∈ N appearing in alabel ofh is changed tof(n).
A set of historiesH is data independentif, for every historyh,• there exists a differentiated historyh′ ∈ H , and a renamingf ,
such thath = h′[f].• for any renamingf , h[f] ∈H .
The following lemma shows that for the verification of a dataindependent set of histories, it is enough to consider differentiatedhistories.
Lemma 5. LetH be a data independent set of histories. Then,His causally consistent (resp.,CC, CM, CCv) with respect to theread-/write memory if and only ifH≠ is causally consistent (resp.,CC,CM, CCv) with respect to theread/write memory.
7.2 Characterizing Causal Consistency (CC)
Let h = (O,PO, ℓ) be a differentiated history. We now define andexplain the bad patterns ofCC. They are defined using theread-fromrelation. The read-from relation relates each writew to each readthat reads fromw. Since we are considering differentiated histories,we can determine, only by looking at the operations of a history,from which write each read is reading from. There is no ambiguity,as each value can only be written once on each variable.
7
CyclicCO there is a cycle inPO ∪ RF (in CO)WriteCOInitRead there is ard(x)▷0 operationr, and an op-
erationw such thatw <CO r andvar(w) =var(r)
ThinAirRead there is ard(x)▷v operationr such thatv ≠ 0, and there is now operation withw <RF r
WriteCORead there exist write operationsw1,w2 and aread operationr1 in O such thatw1 <COw2 <CO r1, w1 <RF r1, and var(w1) =var(w2)
WriteHBInitRead there is ard(x)▷0 operationr, and an op-erationw such thatw <HBo r andvar(w) =var(r), for someo, with r ≤PO o
CyclicHB there is a cycle inHBo for someo ∈ OCyclicCF there is a cycle inCF ∪ CO
Table 2: All bad patterns defined in the paper.
CC CM CCv
CyclicCO CyclicCO CyclicCOWriteCOInitRead WriteCOInitRead WriteCOInitReadThinAirRead ThinAirRead ThinAirReadWriteCORead WriteCORead WriteCORead
WriteHBInitRead CyclicCFCyclicHB
Table 3: Bad patterns for each criteria.
Definition 4. Theread-fromrelationRF is defined as:
{(o1, o2) ∣ ∃x ∈ X, d ∈ D. ℓ(o1) = wr(x,d) ∧ ℓ(o2) = rd(x)▷d}.
The relationCO is defined asCO = (PO ∪RF)+.
Remark 1. Note that we use lower-caseco for the existentiallyquantified causality order which appears in the definition ofcausalconsistency, while we use upper-caseCO for the relation fixed as(PO ∪ RF)+. The relationCO represents the smallest causalityorder possible. We in fact show in the lemmas 6, 7, and 8, thatwhen a history isCC (resp.,CM, CCv), the causality orderco canalways be set toCO.
There are four bad patterns forCC, defined in terms of theRF andCO relations:CyclicCO, WriteCOInitRead,ThinAirRead,WriteCORead (see Table 2).
Example 8. History (2e) contains bad patternWriteCORead.Indeed, wr(x,1) is causally related (through relationCO) towr(x,2), which is causally related tord(x)▷ 1. Intuitively,this means that the site executingrd(x)▷1 is aware of bothwrites wr(x,1) and wr(x,2), but chose to orderwr(x,2) be-fore wr(x,1), while wr(x,1) is causally related towr(x,2). Asa result, History (2e) is notCC (nor CM, nor CCv).
History (2d) contains none of the bad patterns defined in Ta-ble 2, and satisfies all definitions of causal consistency. Inparticu-lar, History (2d) isCC.
Lemma 6. A differentiated historyh is CC with respect toSRW ifand only ifh does not contain one of the following bad patterns:CyclicCO, WriteCOInitRead, ThinAirRead, WriteCORead.
Proof. Let h = (O,PO, ℓ) be a differentiated history.
(⇒) Assume thath is CC with respect toSRW. We prove bycontradiction thath cannot contain bad patternsCyclicCO, Write-COInitRead, ThinAirRead, WriteCORead.
First, we show thatCO ⊆ co. Given the specification ofrd’s,and given thath is differentiated, we must haveRF ⊆ co. Moreover,by axiomAxCausal, PO ⊆ co. Sinceco is a transitive order, wethus have(PO ∪ RF)+ ⊆ co andCO ⊆ co.
(CyclicCO) Sinceco is acyclic, andCO ⊆ co, CO is acyclic aswell.
(WriteCOInitRead) If there is ard(x)▷ 0 operationr, andan operationw such thatw <CO r with var(w) = x: we obtaina contradiction, becauseCC ensures that there exists a sequenceρr ∈ SRW that ordersw beforer. However, this is not allowedby SRW, ash is differentiated, and does not contain operation thatwrite the initial value0. A readrd(x)▷ 0 can thus happen onlywhen there are no previous write operation onx.
(ThinAirRead) Similarly, we cannot have ard(x)▷v opera-tion r such thatv ≠ 0, and such that there is now operation withw <RF r. Indeed,CC ensures that there exists a sequenceρr ∈ SRW
that containsr. Moreover,SRW allowsrd(x)▷ v operations onlywhen there is a previous writewr(x, v). So there must exist awr(x, v) operationw (such thatw <RF r).
(WriteCORead) If there existw1,w2, r1 ∈ O such that• w1 <RF r1 and• w1 <CO w2 with var(w1) = var(w2) and• w2 <CO r1.
Let x ∈ X andd1 ≠ d2 ∈ N such that:• ℓ(w1) = wr(x,d1),• ℓ(w2) = wr(x,d2),• ℓ(r1) = rd(x)▷d1.
By CC, and sinceCO ⊆ co , we know there existsρr1 ∈ SRW thatcontainsw1 beforew2, and ends withr1. The specificationSRW
require the last write operation onx to be awr(x,d1). However, ash is differentiated, the onlywr(x,d1) operation isw1. As a result,the last write operation on variablex in ρr1 cannot bew1 (asw2 isafterw1), and we have a contradiction.(⇐) Assume thath contains none of the bad patterns described
above. We show thath is CC. We use for this the strict partial orderCO = (PO∪RF)+ as the causal orderco. The relationCO is a strictpartial order, ash does not contain bad patternCyclicCO. AxiomAxCausal holds by construction. We define for each operationo ∈ O a sequenceρo ∈ SRW such thatCausalHist(o){o} ⪯ ρo(such thatAxCausalValue holds).
Let o ∈ O. We have three cases to consider.1) If o is awr operation, then all the return values of the read
operations inCausalHist(o){o} are hidden. We can thus defineρo as any sequentialization ofCausalHist(o){o}, and where weadd the appropriate return values to the read operations (the valuewritten by the last preceding write on the same variable).
2) If o is ard operationr, labeled byrd(x)▷0 for somex ∈ X.We know by the fact thath does not containWriteCOInitRead thatthere is now such thatw <CO r. As a result, we can defineρoas any sequentialization ofCausalHist(o){o}, where we add theappropriate return values to the read operations differentfrom r.
3) If o is a rd operationr1, labeled byrd(x)▷d1 for somex ∈ X andd1 ≠ 0, we know by assumption that there exists awr op-erationw1 such thatw1 <RF r1 (h does not containThinAirRead).
We also know (h does not containWriteCORead) there is now2 such that
• w1 <RF r1 and• w1 <CO w2 with var(w1) = var(w2) and• w2 <CO r1.
This ensures thatw1 must be a maximalwr operation on vari-able x in CausalHist(o). It is thus possible to sequentializeCausalHist(o){o} into ρo, so thatw1 is the last write on vari-
8
able x. We can then add appropriate return values to the readoperations different thanr1, whose return values were hidden inCausalHist(o){o} (the value written by the last preceding write inρo on the same variable).
7.3 Characterizing Causal Convergence (CCv)
CCv is stronger thanCC. Therefore,CCv excludes all the bad pat-terns ofCC, given in Lemma 6.CCv also excludes one additionalbad pattern, defined in terms of aconflict relation.
The conflict relation is a relation on write operations (whichwrite to the same variable). It is used for the bad patternCyclicCFof CCv, defined in Table 2. Intuitively, for two write operationsw1 and w2, we havew1 <CF w2 if some site saw both writes,and decided to orderw1 beforew2 (so decided to return the valuewritten byw2).
Example 9. History (2a) contains bad patternCyclicCF. Thewr(x,1) operationw1 is causally related to therd(x)▷2 opera-tion, so we havew1 <CF w2, wherew2 is thewr(x,2) operation.Symmetrically,w2 <CF w1, and we obtain a cycle. On the otherhand, History (2a) does not contain any of the bad patterns ofCM.
Example 10. History (2c) contains bad patternCyclicCF. Thecycle is on the two writes operationswr(x,1) andwr(x,2).
The formal definition of the conflict relation is the following.
Definition 5. We define theconflict relationCF ⊆ O ×O to be thesmallest relation such that: for allx ∈ X, and d1 ≠ d2 ∈ N andoperationsw1,w2, r2, if
• w1 <CO r2,• ℓ(w1) = wr(x,d1),• ℓ(w2) = wr(x,d2), and• ℓ(r2) = rd(x)▷d2,
thenw1 <CF w2.
We obtain the following lemma for the bad patterns ofCCv.
Lemma 7. A differentiated historyh is CCv with respect toSRW ifand only ifh is CC and does not contain the following bad pattern:CyclicCF.
7.4 Characterizing Causal Memory (CM)
CM is stronger thanCC. Therefore,CM excludes all the bad patternsof CC, given in Lemma 6.CM also excludes two additional badpatterns, defined in terms of ahappened-before relation.
Thehappened-before relation for an operationo ∈ O intuitivelyrepresents the minimal constraints that must hold in a sequencecontaining all operations beforeo, on the site ofo.
Example 11. History (2b) contains bad patternWriteHBIni-tRead. Indeed, we havewr(z,1) <PO wr(x,1) <HBr2
wr(x,2) <POrd(z)▷0, wherer2 is therd(x)▷ 2 operation. The edgewr(x,1) <HBr2
wr(x,2) is induced by the fact thatwr(x,1) <co rd(x)▷2.
The formal definition ofHBo is the following.
Definition 6. Giveno ∈ O, we define thehappened-before relationfor o, notedHBo ⊆ O ×O, to be the smallest relation such that:
• CO∣CausalPast(o) ⊆ HBo, and• HBo is transitive, and• for x ∈ X, andd1 ≠ d2 ∈ N, if
w1 <HBo r2,r2 ≤PO o,ℓ(w1) = wr(x,d1),ℓ(w2) = wr(x,d2), andℓ(r2) = rd(x)▷d2,
thenw1 <HBo w2.
There are two main differences with the conflict relationCF.First,CF is not defined inductively in terms of itself, but only interms of the relationCO. Second, in the happened-before relationfor o, in order to add an edge between write operations, there isthe constraint thatr2 ≤PO o, while in the definition of the conflictrelation,r2 is an arbitrary read operation. These differences makethe conflict and happened-before relations not comparable (withrespect to set inclusion).
We obtain the following lemma for the bad patterns ofCM (seeTable 2 for the bad patterns’ definitions).
Lemma 8. A differentiated historyh is CM with respect toSRW ifand only ifh is CC and doesnotcontain the following bad patterns:WriteHBInitRead, CyclicHB.
Table 3 gives, for each consistency criterion, the bad patternswhich are excluded by the criterion.
8. Single History Consistency under DIThe lemmas of the previous sections entail a polynomial-time algo-rithm for checking whether a given differentiated history is causallyconsistent (for any definition). This contrasts with the fact thatchecking whether an arbitrary history is causally consistent isNP-complete.
The algorithm first constructs the relations which are used in thedefinitions of the bad patterns, and then checks for the presence ofthe bad patterns in the given history.
Lemma 9. Let h = (O,PO, ℓ) be a differentiated history. Com-puting the relationsRF,CO,CF, andHBo for o ∈ O can be donein polynomial time (O(n5) wheren is the number of operations inh).
Proof. We show this for the relationHBo (for some o ∈ O).The same holds for the other relations. The relationHBo can becomputed inductively using its fixpoint definition. At each iterationof the fixpoint computation, we add one edge between operationsin O. Thus, there are at mostn2 iterations.
Each iteration takesO(n3) time. For instance, an iteration ofcomputation ofHBo can consist in adding an edge by transitivity,which takesO(n3) time.
Thus the whole computation ofHBo takesO(n5) time.
Once the relations are computed, we can check for the presenceof bad patterns in polynomial time.
Theorem 3. Leth = (O,PO, ℓ) be a differentiated history. Check-ing whetherh is CC (resp.,CM, resp.,CCv) can be done in polyno-mial time (O(n5) wheren is the number of operations inh).
Proof. First, we compute the relationsRF,CO,CF,HBo (for allo ∈ O), in timeO(n5). The presence of bad patterns can be checkedin polynomial time. For instance, for bad patternCyclicCF, we needto find a cycle in the relationCF. Detecting the presence of a cyclein a relation takesO(n2).
The complexity of the algorithm thus comes from computingthe relations, which isO(n5).
In the next two sections, we only consider criterionCC.
9. Reduction to Control-State Reachability underData Independence
The undecidability proof of Theorem 2 uses an implementationwhich is not data independent. Therefore, it does not apply whenwe consider only data independent implementations. In fact, weshow that forread/write memory implementations which are data
9
independent, there is an effective reduction from checkingCC to anon-reachability problem.
Using the characterization of Section 7.2, we define anobserverMCC that looks for the bad patterns leading to non-CC. More pre-cisely, our goal is to defineMCC as aregister automatonsuch that(by an abuse of notation, the set of executions recognized byMCC
is also denotedMCC):
I is CC with respect toSRW ⇐⇒ I ∩MCC = ∅
whereI is any data independent implementation.Ultimately, we exploit in Section 10 this reduction to provethat
checkingCC for (finite-state) data independent implementations,with respect to theread/write memory specification, is decidable.
q0 qerrp, rd(x)▷1
q1CausalLink[d0 ← 3]
CausalLink[d0 ← 4]
q′
err
p, wr(x, 1)p, rd(x)▷1
reg′x ∶= x
regx ∶= x
regp ∶= p
p, wr(x, 2)
reg′x == x
regx ∶= x
regp == p
p, rd(x)▷1
reg′x == x
regp == p
q2CausalLink[d0 ← 2]
q′′
err
p, wr(x, 1)p, rd(x)▷1
reg′x ∶= x
regx ∶= x
regp ∶= p
p, rd(x)▷0
reg′x == x
regx ∶= x
regp == p
Figure 4: The observerMCC, finding bad patterns forCC withrespect toSRW. The first branch looks for bad patternThinAirRead.The second branch looks for bad patternWriteCORead. The thirdbranch looks for bad patternWriteCOInitRead.Each state has a self-loop with any symbol containing value5,which we do not represent. Two labelsp,m(arg)▷ rv above atransition denote two different transitions.
qbqa
p,rd(x)▷d0regp ∶= pregx == x
p,wr(x,d0)regx ∶= xregp == p
Figure 5: The register automatonCausalLink, which recognizescausality chains by following links in thePO ∪ RF relations. Bothstates are final.Each state has a self-loop with any symbol containing value5,which we do not represent.
9.1 Register Automata
Register automata[10] have a finite number of registers in whichthey can store values (such as the site identifier, the name ofavariable in theread/write memory, or the data value stored at aparticular variable), and test equality on stored registers.
We describe the syntax of register automata that we use in thefigures. The labelp,wr(x,1) above the transition going fromq1
in Figure 4 is a form of pattern matching. If the automaton reads atuple(p0,wr(x0,1)), for somep0 ∈ PId, x0 ∈ X, then the variablesp, x are bound respectively top0, x0.
If this transition, or another transition, gets executed afterwards,the variablesp, x can be bound to other values. These variables areonly local to a specific execution of the transition.
The instructionreg′x ∶= x, on this same transition, is used tostore the valuex0 which was bound byx in registerreg′x. Thisensures that the operationswr(x,2) andrd(x)▷1 that come lateruse the same variablex0, thanks to the equality checkreg′x == x.
Note that, in Figure 5,d0 is not a binding variable asp andx, butis instead a constant which is fixed to different values in Figure 4.
9.2 Reduction
MCC (see Figure 4) is composed of three parts. The first partrecognizes executions which contain bad patternThinAirRead,i.e. which have ard operation with no correspondingwr. The sec-ond part recognizes executions containing bad patternWriteCORead,composed of operationsw1, w2, andr1, such thatw1 <CO w2 <COr1, w1 <RF r1, andvar(w1) = var(w2). The third part recognizesexecutions containing bad patternWriteCOInitRead, where a writeon some variablex, writing a non-initial value, is causally relatedto ard(x)▷0.
To track the relationCO,MCC uses another register automaton,called CausalLink (see Figure 5), which recognizes unboundedchains in theCO relation.
The registers ofMCC store site ids and the variables’ names ofthe read/write memory (we use registers because the number ofsites and variables in the causality links can be arbitrary).
By data independence,MCC only needs to use a bounded num-ber of values. For instance, for the second branch recognizing badpatternWriteCORead, it uses value1 for operationsw1 andr1, andvalue2 for operationw2. It uses value3 for the causal link betweenw1 andw2, and value4 for the causal link betweenw2 andr1. Fi-nally, it uses the value5 ∈ N for all actions of the execution whichare not part of the bad pattern. As a result, it can self-loop with anysymbol containing value5. We do not represent these self-loops tokeep the figure simple.
We prove in Theorem 4 that any execution recognized byMCC
is notCC. Reciprocally, we prove that for any differentiated execu-tion of an implementationI which is notCC, we can rename thevalues to obtain an execution with5 values recognized byMCC. Bydata independence ofI, the renamed execution is still an executionof I.
Remark 2. Note here that the observerMCC does not look for badpatternCyclicCO. We show in Theorem 4 that, since the implemen-tation is a prefix-closed set of executions, it suffices to look for badpatternThinAirRead to recognize bad patternCyclicCO.
Theorem 4. LetI be a data independent implementation.I is CCwith respect toSRW if and only ifI ∩MCC = ∅.
This result allows to reuse any tool or technique that can solvereachability (in the system composed of the implementationandthe observerMCC) for the verification ofCC (with respect to theread/write memory).
10. Decidability under Data IndependenceIn this section, we exploit this reduction to obtain decidability forthe verification ofCC with respect to theread/write memory.
We consider a class of implementationsC for which reachabilityis decidable, makingCC decidable (EXPSPACE-complete). Weconsider implementationsI which are distributed over a finitenumber of sites. The sites run asynchronously, and communicateby sending messages using peer-to-peer communication channels.
10
Moreover, we assume that the number of variables from theread/write memory that the implementationI seeks to implementis fixed and finite as well. However, we do not bound the domainof values that the variables can store.
Each site is a finite-state machine with registers that can storevalues inN for the contents of the variables in theread/writememory. Registers can be assigned using instructions of the formx ∶∶= y andx ∶∶= d wherex, y are registers, andd ∈ N is a value (aconstant, or a value provided as an argument of a method). Valuescan also be sent through the network to other sites, and returned bya method. We make no assumption on the network: the peer-to-peerchannels are unbounded and unordered.
Any implementation inC is thus necessarily data independentby construction, as the contents of the registers storing the valueswhich are written are never used in conditionals.
The observerMCC we constructed only needs5 values to detectall CC violations. For this reason, when modeling an implemen-tation inC, there is no need to model the whole range of naturalnumbersN, but only5 values. With this in mind, any implementa-tion in C can be modelled by a Vector Addition System with States(VASS) [24, 26], or a Petri Net [15, 36]. The local state of each siteis encoded in the state of the VASS, and the content of the peer-to-peer channels is encoded in the counters of the VASS. Each countercounts how many messages there are of a particular kind in a par-ticular peer-to-peer channel. There exist similar encodings in theliterature [8].
Then, since the number of sites and the number of variables isbounded, we can get rid of the registers in the register automaton ofthe observerMCC, and obtain a (normal) finite automaton. We thenneed to solve control-state reachability in the system composedof the VASS and the observerMCC to solve CC (according toTheorem 4). Since VASS are closed under composition with finiteautomata, and control-state reachability isEXPSPACE-completefor VASS, we get theEXPSPACE upper bound for the verificationof CC (for theread/write memory).
TheEXPSPACE lower bound follows from: (1) State reachabil-ity in classC is EXPSPACE-complete, equivalent to control-statereachability in VASS [4]. Intuitively, a VASS can be modelled byan implementation inC, by using the unbounded unordered chan-nels to simulate the counters of the VASS. (Similar to the reductionfrom C to VASS outlined above, but in the opposite direction.) (2)Checking reachability can be reduced to verifyingCC. Given an im-plementationI in C, and a stateq, knowing whetherq is reachablecan be reduced to checking whether a new implementationI′ isnot causally consistent.I′ is an implementation which simulatesI, and produces only causally consistent executions; if it reachesstateq, it artificially produces a non-causally consistent execution,for instance by returning wrong values to read requests.
Theorem 5. Let I be a data independent implementation inC. Verifying CC of I with respect to theread/write memory isEXPSPACE-complete (in the size of the VASS ofI).
11. Related WorkWei et al. [41] studied the complexity of verifying PRAM consis-tency (also called FIFO consistency) for one history. They provedthat the problem isNP-complete. For differentiated executions,they provided a polynomial-time algorithm.
Independently, Furbach et al. [18] showed that checking causalconsistency (CM definition) of one history is anNP-complete prob-lem. They proved that checking consistency for one history for anycriterion stronger thanSLOW consistency and weaker than sequen-tial consistency isNP-complete, whereSLOW consistency ensuresthat for each variablex, and for each sitep, the reads ofp onvariablex can be explained by ordering all the writes tox while
respecting the program order. This range coversCM, but does notcoverCC (see Figure 2c for a history which isCC but notSLOW). Itis not clear whether this range coversCCv. To proveNP-hardness,they used a reduction from theNP-completeSAT problem. Weshow that their encoding can be reused to showNP-hardness forchecking whether a history isCC (resp.,CCv) with respect to theread/write memory specification.
Concerning verification, we are not aware of any work study-ing the decidability or complexity of checking whether all execu-tions of an implementation are causally consistent. There have beenworks on studying the problem for other criteria such as lineariz-ability [23] or eventual consistency [39]. In particular, it was shownthat checking linearizability is anEXPSPACE-complete problemwhen the number of sites is bounded [3, 21]. Eventual consistencyhas been shown to be decidable [8]. Sequential consistency wasshown to be undecidable [3].
The approach we adopted to obtain decidability of causal con-sistency by defining bad patterns for particular specifications hasbeen used recently in the context of linearizability [1, 9, 22]. How-ever, the bad patterns for linearizability do not transfer to causalconsistency. Even from a technical point of view, the results intro-duced for linearizability cannot be used in our case. One reason forthis is that, in causal consistency, there is the additionaldifficultythat the causal order is existentially quantified, while thehappens-before relation in linearizability is fixed (by a global clock).
Lesani et al. [31] investigate mechanized proofs of causal con-sistency using the theorem prover Coq. This approach does not leadto full automation however, e.g., by reduction to assertionchecking.
12. ConclusionWe have shown that verifying causal consistency is hard, even un-decidable, in general: verifying whether one single execution sat-isfies causal consistency is NP-hard, and verifying if all the execu-tions of an implementation are causally consistent is undecidable.These results are not due to the complexity of the implementationsnor of the specifications: they hold even for finite-state implemen-tations and specifications. They hold already when the specifica-tion corresponds to the simple read-write memory abstraction. Theundecidability result contrasts with known decidability results forother correctness criteria such as linearizability [3] andeventualconsistency [8].
Fortunately, for the read-write memory abstraction, an impor-tant and widely used abstraction in the setting of distributed sys-tems, we show that, when implementations are data-independent,which is the case in practice, the verification problems we considerbecome tractable. This is based on the very fact that data indepen-dence allows to restrict our attention to differentiated executions,where the written values are unique, which allows to deterministi-cally establish the read-from relation along executions. This is cru-cial for characterizing by means of a finite number of bad patternsthe set of all violations to causal consistency, which is thekey toour complexity and decidability results for the read-writememory.
First, using this characterization we show that the problemofverifying the correctness of a single execution is polynomial-timein this case. This is important for building efficient and scalabletesting and bug detection algorithms. Moreover, we provideanalgorithmic approach for verifying causal consistency (w.r.t. theread-write memory abstraction) based on an effective reduction ofthis problem to a state reachability problem (or invariant checkingproblem) in the class of programs used for the implementation.Regardless from the decidability issue, this reduction holds foran unbounded number of sites (in the implementation), and anunbounded number of variables (in the read-write memory). In fact,it establishes a fundamental link between these two problems andallows to use all existing (and future) program verificationmethods
11
and tools for the verification of causal consistency. In addition,when the number of sites is bounded, this reduction providesadecidability result for verifying causal consistency concerning asignificant class of implementations: finite-control machines (oneper site) with data registers (over an unrestricted data domain, withonly assignment operations and equality testing), communicatingthrough unbounded unordered channels. As far as we know, thisis the first work that establishes complexity and (un)decidabilityresults for the verification of causal consistency.
All our results hold for the three existing variants of causalconsistencyCC, CM, and CCv, except for the reduction to statereachability and the derived decidability result that we give in thispaper forCC only. For the other two criteria, building observersdetecting their corresponding bad patterns is not trivial in general,when there is no assumption on the number of sites and the numberof variables (in the read-write memory). We still do not knowifthis can be done using the same class of state-machines we usein this paper for the observers. However, this can be done if thesetwo parameters are bounded. In this case, we obtain a decidabilityresult that holds for the same class of implementations as for CC,but this time for a fixed number of variables in the read-writememory. This is still interesting since when data independence isnot assumed, verifying causal consistency is undecidable for theread-write memory even when the number of sites is fixed, thenumber of variables is fixed, and the data domain is finite. We omitthese results in this paper.
Finally, let us mention that in this paper we have consideredcor-rectness criteria that correspond basically to safety requirements.Except forCCv, convergence, meaning eventual agreement betweenthe sites on their execution orders of non-causally dependent oper-ations is not guaranteed. In fact, these criteria can be strengthenedwith a liveness part requiring the convergence property. Then, it ispossible to extend our approach to handle the new criteria follow-ing the approach adopted in [8] for eventual consistency. Verifyingcorrectness in this case can be reduced to a repeated reachabilityproblem, and model-checking algorithms can be used to solveit.
For future work, it would be very interesting to identify a classof specifications for which our approach is systematically applica-ble, i.e., for which there is a procedure producing the complete setof bad patterns and their corresponding observers in a decidableclass of state machines.
AcknowledgmentsThis work is supported in part by the European Research Council(ERC) under the European Union’s Horizon 2020 research andinnovation programme (grant agreement No 678177), and by anEPFL-Inria postdoctoral grant.
References[1] P. A. Abdulla, F. Haziza, L. Holık, B. Jonsson, and A. Rezine. An in-
tegrated specification and verification technique for highly concurrentdata structures. InTACAS ’13. Springer, 2013.
[2] M. Ahamad, G. Neiger, J. E. Burns, P. Kohli, and P. W. Hutto. Causalmemory: definitions, implementation, and programming.DistributedComputing, 9(1):37–49, 1995.
[3] R. Alur, K. L. McMillan, and D. Peled. Model-checking of correctnessconditions for concurrent objects.Inf. Comput., 160(1-2), 2000.
[4] M. F. Atig, A. Bouajjani, and T. Touili. Analyzing asynchronous pro-grams with preemption. InIARCS Annual Conference on Foundationsof Software Technology and Theoretical Computer Science, FSTTCS2008, December 9-11, 2008, Bangalore, India, pages 37–48, 2008.
[5] P. Bailis, A. Ghodsi, J. M. Hellerstein, and I. Stoica. Bolt-on causalconsistency. InSIGMOD ’13, pages 761–772, New York, NY, USA,2013. ACM.
[6] L. Benmouffok, J.-M. Busca, J. M. Marques, M. Shapiro, P. Sutra, andG. Tsoukalas. Telex: A semantic platform for cooperative applicationdevelopment. InCFSE, Toulouse, France, 2009.
[7] K. P. Birman. Replication and fault-tolerance in the ISIS system,volume 19. ACM, 1985.
[8] A. Bouajjani, C. Enea, and J. Hamza. Verifying eventual consistencyof optimistic replication systems. InPOPL ’14, pages 285–296, NewYork, NY, USA, 2014. ACM.
[9] A. Bouajjani, M. Emmi, C. Enea, and J. Hamza. On reducing lineariz-ability to state reachability. InICALP ’15, pages 95–107. Springer,2015.
[10] P. Bouyer, A. Petit, and D. Therien. An algebraic characterizationof data and timed languages. In K. G. Larsen and M. Nielsen, editors,CONCUR 2001 - Concurrency Theory, 12th International Conference,Aalborg, Denmark, August 20-25, 2001, Proceedings, volume 2154 ofLecture Notes in Computer Science, pages 248–261. Springer, 2001.
[11] S. Burckhardt.Principles of Eventual Consistency. now publishers,October 2014.
[12] S. Burckhardt, A. Gotsman, and H. Yang. Understanding eventual con-sistency. Technical Report MSR-TR-2013-39, Microsoft Research.
[13] J. Du, S. Elnikety, A. Roy, and W. Zwaenepoel. Orbe: scalable causalconsistency using dependency matrices and physical clocks. In ACMSymposium on Cloud Computing, SOCC ’13, Santa Clara, CA, USA,October 1-3, 2013, pages 11:1–11:14, 2013.
[14] J. Du, C. Iorgulescu, A. Roy, and W. Zwaenepoel. Gentlerain: Cheapand scalable causal consistency with physical clocks. InProceed-ings of the ACM Symposium on Cloud Computing, Seattle, WA, USA,November 03 - 05, 2014, pages 4:1–4:13, 2014.
[15] J. Esparza. Decidability and complexity of petri net problems — anintroduction. InLectures on Petri Nets I: Basic Models. SpringerBerlin Heidelberg, 1998.
[16] C. J. Fidge. Timestamps in message-passing systems that preservethe partial ordering. Australian National University. Department ofComputer Science, 1987.
[17] M. J. Fischer, N. A. Lynch, and M. S. Paterson. Impossibility ofdistributed consensus with one faulty process.J. ACM, 32(2):374–382, Apr. 1985.
[18] F. Furbach, R. Meyer, K. Schneider, and M. Senftleben. Memorymodel-aware testing - a unified complexity analysis. InApplicationof Concurrency to System Design (ACSD), 2014 14th InternationalConference on, pages 92–101, June 2014. doi: 10.1109/ACSD.2014.27.
[19] S. Gilbert and N. A. Lynch. Brewer’s conjecture and the feasibility ofconsistent, available, partition-tolerant web services.SIGACT News,33(2):51–59, 2002.
[20] J. Hamza. Algorithmic Verification of Concurrent and DistributedData Structures. PhD thesis, Universite Paris Diderot, 2015.
[21] J. Hamza. On the complexity of linearizability. InNETYS ’15, volume9466 ofLecture Notes in Computer Science. Springer, 2015.
12
[22] T. A. Henzinger, A. Sezgin, and V. Vafeiadis. Aspect-oriented lin-earizability proofs. InCONCUR ’13. Springer, 2013.
[23] M. Herlihy and J. M. Wing. Linearizability: A correctness conditionfor concurrent objects.ACM Trans. Program. Lang. Syst., 12(3), 1990.
[24] J. Hopcroft and J.-J. Pansiot. On the reachability problem for 5-dimensional vector addition systems.Theoretical Computer Science,8(2):135–159, 1979.
[25] E. Jimenez, A. Fernandez, and V. Cholvi. A parametrized algorithmthat implements sequential, causal, and cache memory consistencies.J. Syst. Softw., 81(1):120–131, Jan. 2008. ISSN 0164-1212.
[26] R. M. Karp and R. E. Miller. Parallel program schemata.Journal ofComputer and system Sciences, 3(2):147–195, 1969.
[27] A.-M. Kermarrec, A. I. T. Rowstron, M. Shapiro, and P. Druschel. Theicecube approach to the reconciliation of divergent replicas. InPODC,pages 210–218, 2001.
[28] R. Ladin, B. Liskov, L. Shrira, and S. Ghemawat. Providing highavailability using lazy replication.ACM Trans. Comput. Syst., 10(4):360–391, Nov. 1992. ISSN 0734-2071.
[29] L. Lamport. Time, clocks, and the ordering of events in adistributedsystem.Commun. ACM, 21(7):558–565, July 1978.
[30] L. Lamport. How to make a multiprocessor computer that correctlyexecutes multiprocess programs.IEEE Trans. Comput., 28(9):690–691, Sept. 1979. ISSN 0018-9340.
[31] M. Lesani, C. J. Bell, and A. Chlipala. Chapar: certifiedcausallyconsistent distributed key-value stores. InACM SIGPLAN Notices,volume 51, pages 357–370. ACM, 2016.
[32] W. Lloyd, M. J. Freedman, M. Kaminsky, and D. G. Andersen. Don’tsettle for eventual: scalable causal consistency for wide-area storagewith COPS. InSOSP, pages 401–416, 2011.
[33] F. Mattern. Virtual time and global states of distributed systems.In PARALLEL AND DISTRIBUTED ALGORITHMS, pages 215–226.North-Holland, 1988.
[34] J. Michaux, X. Blanc, M. Shapiro, and P. Sutra. A semantically richapproach for collaborative model edition. InSAC, pages 1470–1475,2011.
[35] M. Perrin, A. Mostefaoui, and C. Jard. Causal consistency: Beyondmemory. InProceedings of the 21st ACM SIGPLAN Symposium onPrinciples and Practice of Parallel Programming, PPoPP ’16, pages26:1–26:12, New York, NY, USA, 2016. ACM. ISBN 978-1-4503-4092-2.
[36] C. A. Petri. Kommunikation mit automaten. 1962.
[37] M. Raynal and A. Schiper. From causal consistency to sequentialconsistency in shared memory systems. InInternational Conferenceon Foundations of Software Technology and Theoretical ComputerScience, pages 180–194. Springer, 1995.
[38] D. B. Terry, A. J. Demers, K. Petersen, M. Spreitzer, M. Theimer, andB. W. Welch. Session guarantees for weakly consistent replicated data.In Proceedings of the Third International Conference on Parallel andDistributed Information Systems, PDIS ’94, pages 140–149, Washing-ton, DC, USA, 1994. IEEE Computer Society. ISBN 0-8186-6400-2.
[39] D. B. Terry, M. Theimer, K. Petersen, A. J. Demers, M. Spreitzer, andC. Hauser. Managing update conflicts in bayou, a weakly connectedreplicated storage system. In M. B. Jones, editor,Proceedings ofthe Fifteenth ACM Symposium on Operating System Principles, SOSP1995, Copper Mountain Resort, Colorado, USA, December 3-6,1995,pages 172–183. ACM, 1995.
[40] D. B. Terry, V. Prabhakaran, R. Kotla, M. Balakrishnan,M. K. Aguil-era, and H. Abu-Libdeh. Consistency-based service level agreementsfor cloud storage. InProceedings of the Twenty-Fourth ACM Sym-posium on Operating Systems Principles, SOSP ’13, pages 309–324,New York, NY, USA, 2013. ACM. ISBN 978-1-4503-2388-8.
[41] H. Wei, Y. Huang, J. Cao, X. Ma, and J. Lu. Verifying PRAM con-sistency over read/write traces of data replicas.CoRR, abs/1302.5161,2013.
[42] P. Wolper. Expressing interesting properties of programs in proposi-tional temporal logic. InPOPL ’86: Conference Record of the Thir-
teenth Annual ACM Symposium on Principles of Programming Lan-guages, pages 184–193. ACM Press, 1986.
[43] M. Zawirski, N. Preguica, S. Duarte, A. Bieniusa, V. Balegas, andM. Shapiro. Write fast, read in the past: Causal consistencyfor client-side applications. InProceedings of the 16th Annual MiddlewareConference, Middleware ’15, pages 75–87, New York, NY, USA,2015. ACM. ISBN 978-1-4503-3618-5.
13
A. Differentiated HistoriesWe detail here the results of Section 7.1. We identify here condi-tions under which is it enough to check the causal consistency ofonly a subsetH ′ ⊆ H of histories, while ensuring that all historiesH are causally consistent.
We then use this notion to prove that it is enough to check causalconsistency with respect to theread/write memory for historieswhich use distinctwr values.
A.1 Reduction
LetR be a relation over labeled posets. A subsetH ′ ⊆H is said tobecompletefor H if: for all h ∈H , there existsh′ ∈H ′, h′ <R h.
When checking whether a set of historiesH1 is a subset of asetH2 which is upward-closed with respect toR, it is sufficient tocheck the inclusion for a complete subsetH1
′ ⊆H1.
Lemma 10(Complete Sets of Histories). LetR be a relation, andletH1
′ ⊆H1 a complete set of labeled posets using relationR. LetH2 be a set of histories which is upward-closed with respect toR,we haveH1 ⊆H2 if and only ifH1
′ ⊆H2.
Proof. (⇒) Holds becauseH1′ is a subset ofH1.
(⇐) AssumeH1′ ⊆H2 and leth1 ∈H1. SinceH1
′ is completefor H1, we know there existsh1
′ ∈ H1′ such thath1
′ <R h1.By assumption,h1
′ ∈ H2. Finally, sinceH2 is upward-closed,h1 ∈H2.
Given a functionf ∶ D → D and a tuplea ∈ M × D ora ∈M×D×D, we denote bya[f] the tuple where each occurrenceof d ∈ D has been replaced byf(d). We lift the notation toM × DandM×D×D labeled posets by changing the labels of the elements.We lift the notation to sets of labeled posets in a point-wisemanner.
LetF ⊆ D→ D be a set of functions.
Definition 7. S isF -invariantif for all f ∈ F , S[f] ⊆ S.
We define a relationFÐ→ as follows:h1
FÐ→ h2 ⇐⇒ ∃f ∈
F. h2 = h1[f]. Let S be a specification. We denote byCC(S)(resp.,CM(S), CCv(S)) the set of histories which areCC (resp.,CM,CCv) with respect toS. We show that for any specification whichis F -invariant, the setCC(S) (resp.,CM(S), CCv(S)) is upward-
closed with respect to the relationFÐ→.
Lemma 11. Let F ⊆ D → D be a set of functions. LetS be aspecification which isF -invariant. The setCC(S) (resp.,CM(S),
CCv(S)) is upward-closed with respect toFÐ→.
Proof. We show the proof forCC(S), but the proof can be directlyadapted to the setsCM(S) andCCv(S). Let h = (O,<, ℓ) ∈ CC(S)
andh′ such thathFÐ→ h′. We know there existsf ∈ F such that
h′ = h[f]. As a result,h andh′ have the same underlying poset(O,<). Leth′ = (O,<, ℓ′).
Let o ∈ O. By axiomAxCausalValue, we know there isρo ∈S such thatCausalHist(o){o} ⪯ ρo, whereCausalHist(o) =(CausalPast(o), co , ℓ).
We have(CausalPast(o), co, ℓ′) = CausalHist(o)[f]. There-fore, by definingρ′o = ρo[f], we have(CausalPast(o), co, ℓ′) ⪯ρ′o. SinceS is F -invariant,ρ′o ∈ S, and axiomAxCausalValueholds for historyh′.
We conclude thath′ is in CC(S).
Lemmas 10 and 11 combined show it is enough to checkCC
(resp.,CM, CCv) for a complete subset of histories, to obtainCC(resp.,CM, CCv) for all histories.
Corollary 1. LetF ⊆ D → D be a set of functions. LetH be a setof histories, andH ′ ⊆H a complete set of histories, using relationFÐ→. Let S be specification which isF -invariant. Then,H is CC
(resp.,CM, CCv) with respect toS if and only ifH ′ is CC (resp.,CM,CCv) with respect toS.
Proof. Using Lemmas 10 and 11, we knowH ′ ⊆ CC(S) if andonly if H ⊆ CC(S). The same applies for the setsCM(S) andCCv(S).
A.2 Data Independence
We show how to apply the notion of completeness for the veri-fication of theread/write memory. Most implementations used inpractice aredata independent[1], i.e. their behaviors do not dependon the particular data values which are stored at a particular vari-able. Under this assumption, we show it is enough to verify causalconsistency for histories which do not write twice the same valueon the same variable, and which never writes the initial value 0,calleddifferentiatedhistories.
Formally, a history(O,PO, ℓ) is said to bedifferentiatedif:• for all o1 ≠ o2, x ∈ X, ℓ(o1) = wr(x,d1) andℓ(o2) = wr(x,d2)
and implies thatd1 ≠ d2, and• for all x ∈ X, h does not containwr(x,0) operation.
Let H be a set of labeled posets. We denote byH≠ the subset ofdifferentiated histories ofH .
A data-renamingis a function fromD to D which modifiesthe data values of operations. More precisely, we can build adata-renamingf from any functionf0 ∶ N→ N in the following way.
Remember that for theread/write memory, D is the set(X ×N) ⊎X ⊎N ⊎ {�}, and we define:
• f(x,arg) = (x, f0(arg)) for x ∈ X,arg ∈ N,• f(x) = x for x ∈ X,• f(rv) = f0(rv) for rv ∈ N,• f(�) = �.
Let FData be the set of all data-renamings.
Definition 8. A set of histories isdata independentif the subset
H≠ ⊆H is complete using relationFDataÐÐÐ→, andH isFData-invariant.
Remark 3. This definition corresponds to the other definition ofdata independence we have in Section 7.1.
Using the following lemma and then applying Corollary 1, weobtain that it is enough to check causal consistency for historieswhich are differentiated (to ensure the causal consistencyof allhistories).
Lemma 12. TheSRW specification isFData-invariant.
Proof. Let f ∈ FData and letρ ∈ SRW. We can see thatρ[f] ∈ SRW,as changing the written and read values in a valid sequence ofSRW
yields a valid sequence ofSRW.
Lemma 5. LetH be a data independent set of histories. Then,His causally consistent (resp.,CC, CM, CCv) with respect to theread-/write memory if and only ifH≠ is causally consistent (resp.,CC,CM, CCv) with respect to theread/write memory.
Proof. SinceH is data independent, we have thatH≠ ⊆ H is
complete using relationFDataÐÐÐ→. The result then follows directly from
Corollary 1 and Lemma 12.
14
B. Undecidability of Causal Consistency For2Sites
Lemma 4. The shuffling problem is undecidable.
Proof. Let ΣPCP = {a, b} and(u1, v1), . . . , (un, vn) ∈ (Σ∗PCP ×
Σ∗PCP) ben pairs forming the input of aPCP problemP . LetΓu ={au, bu} andΓv = {av, bv} be two disjoint copies ofΣPCP, and leth ∶ (Γu ⊎ Γv) → ΣPCP, hu ∶ ΣPCP → Γu, hv ∶ ΣPCP → Γv, be thehomomorphisms which map corresponding letters. Moreover,let su
andsv be two new letters. LetΣu = {au, bu, su},Σv = {av, bv , sv},andΣ = Σu ⊎Σv.
Our goal is to define a regular languageL ⊆ Σ∗ such that
ThePCP problemP has a positive answerui1⋯uik = vi1⋯vik , (k > 0)
⇔ ∃u ∈ Σ∗u, v ∈ Σ∗v . u∥v ∩ L = ∅ (1)
The idea is to encode inu the sequenceui1 , . . . , uik ashu(ui1)⋅su⋯hu(uik) ⋅ su by usingsu as a separator (and end marker), andlikewise forv with the separatorsv. Then, we define the languageL by a disjunction of regular properties that no shuffling of anencoding of a validPCP answer toP could satisfy.
Formally,w ∈ L iff one of the following conditions holds:1. when ignoring the letterssu andsv, w starts with an alternation
of Γu andΓv such that two letters do not matchw∣Γu∪Γv
∈ (ΓuΓv)∗(aubv + buav)Σ
∗
2. when ignoring the letterssu andsv, w starts with an alternationof Γu andΓv and ends with onlyΓu letters or onlyΓv lettersw∣Γu∪Γv
∈ (ΓuΓv)∗(Γ+u + Γ
+v)
3. when only keepingsu and sv letters, eitherw starts with analternation ofsu and sv and ends with onlysu or only sv, orw is the empty wordεw∣{su,sv} ∈ (susv)
∗(s+u + s+v ) + ε
4. w contains a letter fromΓu not followed bysu, or a letter fromΓv not followed bysv
w ∈ Σ∗Γu(Σ ∖ su)∗+Σ∗Γv(Σ ∖ sv)
∗
5. w starts with an alternation ofΓ∗usu andΓ∗vsv such that one pairof Γ∗u,Γ
∗v is not a pair of ourPCP instance
w ∈ (Γ∗usuΓ∗vsv)
∗(Γ∗usuΓ∗vsv ∖+i hu(ui) ⋅ su ⋅ hv(vi) ⋅ sv)Σ
∗
We can now show that equivalence (1) holds.(⇒) Let k > 0, i1, . . . , ik ∈ {1, . . . , n} such thatui1⋯uik =
vi1⋯vik . Let u = hu(ui1) ⋅ su⋯hu(uik) ⋅ su andv = hu(vi1) ⋅sv⋯hu(vik) ⋅ sv. We want to show that no wordw in the shufflingof u and v satisfies one of the conditions ofS. If w starts withan alternation ofΓu andΓv, sinceui1⋯uik = vi1⋯vik , any pairof letters match, and thus, condition 1 cannot hold. Condition 2cannot hold sincew contains as many letters fromΓu as fromΓv.Likewise for condition 3 sincew contains as manysu assv (and atleast 1).
Sinceu (resp.,v) does not contain a letter fromΓu not followedby su (resp., a letter fromΓv not followed bysv), neither doesw,which shows that condition 4 does not hold. Finally, ifw starts withan alternation ofΓ∗usu andΓ∗vsv, then all the corresponding pairs ofΓ∗u,Γ
∗v are pairs from thePCP input, and condition 5 cannot hold
either.(⇐) Let u ∈ Σ∗u, v ∈ Σ∗v such thatu∥v ∩ L = ∅. Since no
word in u∥v satisfies condition 3, nor condition 4,u ends withsu, v ends with sv, and u has as manysu as v has sv (and atleast 1). This shows that,u = x1su⋯xksu and v = y1sv⋯yksv
for somek > 0, x1, . . . , xk ∈ Γ∗u, y1, . . . , yk ∈ Γ∗v. Moreover,since no word inu∥v satisfies condition 5, for anyj, (xj , yj)corresponds to a pair(uij , vij ) of our inputP – more precisely,h(xj) = uij andh(yj) = vij for someij ∈ {1, . . . , n}. Finally,the fact that no word inu∥v satisfies condition 1, nor condition 2ensures thath(x1⋯xk) = h(y1⋯yk) and that thePCP problemPhas a positive answerui1⋯uik = vi1⋯vik .
Theorem 1. Given an implementationI and a specificationSgiven as regular languages, checking whether all executions of Iare causally consistent (resp.,CC, CM, CCv) with respect toS isundecidable.
Proof. LetL be a regular language overΣ = Σu⊎Σv . We constructan implementationI and a specificationS, in order to reduce theshuffling problem (undecidable by Lemma 4) to the negation ofcausal consistency.
Said differently, if (and only if) the shuffling problem has apositive answer, i.e. there existu ∈ Σ∗u and v ∈ Σ∗v such thatu∥v ∩ L = ∅, then there exists an execution inI which is notcausally consistent (resp.,CC, CM, CCv) with respect toS.
For the methods, we useM = {ma ∣ a ∈ Σu}∪ {mb ∣ b ∈ Σv}∪{EndA,EndB}, andD = {F,T} for the domain of the return values.The return values are only relevant for the methodEndB, so we donot represent return values for the other methods. We assumeherethat methods do not take arguments, as we do not need them for thereduction. As a result, a specification is a set of sequences labeledbyM ×D (method, return value).
Letu ∈ Σ∗u andv ∈ Σ∗v . I produces, for any such pair, an execu-tion whose history isH(u,v), described hereafter. The specificationS is then built in such a way thatH(u,v) is not causally consistentif and only if u∥v ∩ L = ∅. Therefore, the shuffling problem has apositive answer if and only ifI contains an execution which is notcausally consistent.
Here is the description of an execution corresponding to a pairu ∈ Σ∗u andv ∈ Σ∗v , whose history isH(u,v). The implementationcontains two sites,pA andpB. SitepA executema operations forthe lettersa of u. SitepB executemb operations for the lettersb ofv. MethodEndA is then executed on sitepA. SitepA then sends amessage topB , informingpB that a methodEndB returningT cannow be executed onpB . When the message is received bypB, amethodEndB returningT is then executed onpB. (If methodEndBis called on sitepB another time,pB returnsF).
Remark 4. If a methodmb with b ∈ Σv gets executed on sitepA,thenpA does not send the message to sitepB. If a methodma witha ∈ Σu gets executed on sitepB, thenpB return F when methodEndB gets called.
Such executions will be causally consistent by default, by con-struction ofS, defined below, because they will not contain anyEndB▷T operations. (The specificationS contains, among othersequences, any sequence which does not containEndB▷T opera-tion.)
Formally, the set of executionsI is a regular language, and canbe represented by the finite automaton given in Figure 6 (we donotrepresent the executions described in Remark 4, which can neverlead to non-causally consistent executions).
The epsilon transition going fromq2 to q3 represents the factthat sitepB receives the message sent bypA. After this, sitepB canexecute aEndB method returningT. This epsilon transition is onlyhere for clarity and can be removed.
We here do not represent transitions withEndB returningF, asEndB▷F operations are ignored by the specificationS. They canbe added as self-loops to the automaton.
The specificationS is defined to contain any wordw such that:• w does not containEndB▷T, or• when ignoringEndB▷F,w is of the formL′ ⋅EndA ⋅EndB▷T,
whereL′ is L with every lettera ∈ Σu replaced byma andevery letterb ∈ Σv replaced bymb.We now prove the following equivalence:
1. I is notCC (resp.,CM,CCv) with respect toS,2. ∃u ∈ Σ∗u, v ∈ Σ
∗v. u∥v ∩L = ∅
15
q1 q2
q3q4
(pA,ma)
(pB ,mb)
(pA,ma)
(pB ,mb)
(pA,ma)
(pB ,mb)
(pB ,mb)
(pA,ma)
(pA,EndA)
ǫ
(pB ,EndB▷T)
Figure 6: Finite automaton describing the executions of implemen-tationI of Theorem 1. All states are accepting.
(2) ⇒ (1) Let u ∈ Σ∗u, andv ∈ Σ∗v such thatu∥v ∩ L = ∅.We construct an executione in I which is not causally consistent(resp.,CC,CM,CCv). The executione follows the description above,and the history ofe is H(u,v).
SitepB executes the sequence of operationsmb for each letterbof v. Independently, sitepA executes the sequence of operationsma for each lettera of u. The sitepA then executes aEndAoperation and sends a message to sitepB. After pB receives themessage,pB executes aEndB▷T operation.
Assume by contradiction thate is CC (a contradiction here alsoproves thate cannot beCM nor CCv). There must thus exists acausal orderco (containing the program orderPO). Let o be theEndB▷T operation ofe We know there existsρo ∈ S, such thatCausalHist(o){o} ⪯ ρo.
Sinceρo containso, by definition ofS, ρo must be of the formρ′o ⋅EndA ⋅EndB▷T, with ρ′o. In particular, this means thatρo mustcontain theEndA operation ofe. By transitivity ofco, and becausePO ⊆ co, ρo must contain all operations ofe.
Thus, the sequenceρ′o effectively defines a shuffling ofu andvwhich is inL, contradicting the assumption thatu∥v ∩L = ∅.(1)⇒ (2) Let e be an execution ofI which is not causally con-
sistent (resp.,CC, CM, CCv). It must contain aEndB▷T operation,otherwise, by definition ofS, e is causally consistent regardless ofhow we define the causality orderco (as a strict partial order).
Note that there can only be oneCheck▷T operation. Indeed,after executingEndB▷T, site pB only returnsF when methodEndB gets called.
Also, for pB to execute aEndB▷T operation, it must be thecase thatpA executed aEndA operationo, and sent a message topB.
This means that, prior too, pA must have executed a sequenceof ma operations, witha ∈ Σu, corresponding to a word inu ∈ Σu.Similarly, prior to executing theEndB▷T operationpB must haveexecuted a sequence ofmb operations corresponding to a word inv ∈ Σv .
Assume by contradiction that there exists a wordw in the shuf-fling of u andv which belongs toL, i.e. assume by contradictionthatu∥v ∩ L ≠ ∅. Using this, we can construct a sequenceρo ∈ S,containing theEndA▷T andEndB▷T operations as well as alloperations corresponding tou andv, to form a sequence which be-longsS. This means thate must be causally consistent (for anydefinition) and we have a contradiction.
This ends the proof of equivalence between statements 1 and2, and ends the reduction from the shuffling problem to checkingwhether an implementation is not causally consistent. Thisimpliesthat checking whether a implementation is causally consistent isnot decidable.
16
C. Undecidability for Non-Data-IndependentRead/Write Memory Implementations
Theorem 2. Given an implementationI as a regular language,checking whether all executions ofI are causally consistent(resp.,CC, CM, CCv) with respect toSRW is undecidable.
Proof. Let ΣPCP = {a, b} and(u1, v1), . . . , (un, vn) ∈ (Σ∗PCP ×
Σ∗PCP) ben pairs forming the input of aPCP problemP . We callthese pairsdominoes.
Our goal is to build an implementationI such thatI isnot causally consistent (resp.,CC, CM, CCv) with respect to theread/write memory if and only if the problemP has a positiveanswer:ui1⋯uik = vi1⋯vik , (k > 0).
Two sequences(u, v) in Σ∗PCP form a sequence of dominoesif they can be decomposed intou = ui1 ⋅ ui2⋯uik and v =vi1 ⋅ vi2⋯vik , with each(uij , vij ) corresponding to a pair ofP .They form avalid answerif we additionally haveu = v. A validanswer corresponds to a positive answer for thePCP problemP .
Reduction Overview The implementationI will produce, foreach sequence of dominoes(u, v), an execution whose history isH(u,v), defined thereafter.
We constructH(u,v) so thatH(u,v) is not causally consistent(resp.,CC,CM,CCv) if and only if u = v.
Therefore, if (and only if)I is not causally consistent (resp.,CC,CM, CCv), (and can produce a history which is not causally consis-tent), thePCP instanceP has a positive answer.
Construction of one History Given a letterL ∈ ΣPCP, we defineL′ = b if L = a, L′ = a if L = b.
Let u = U1⋯Uµ, andv = V1⋯Vν , with µ,ν > 0, andUi, Vi ∈ΣPCP for all i. We depict in Figure 7 the historyH(u,v) in Icorresponding to(u, v). We show in Lemma 13 thatH(u,v) is notcausally consistent (for any definition) if and only ifu = v.
To defineH(u,v), we make use of the constructuniq rd(x)▷d,which denotes the sequence of operationswr(x,0) ⋅ rd(x)▷d ⋅wr(x,0), for x ∈ X, andd ≠ 0. This is only a notation, and doesnot imply that the three operations must be executed atomically. Itis introduced only to simplify the presentation of the proof.
This construct ensures the useful property thatuniq rd(x)▷1
operations made by the same sitep need distinctwr(x,1) to readfrom, as sitep overwritex with wr(x,0) after readingrd(x)▷1.More generally, for anym ∈ N, if a site p doesm operationsuniq rd(x)▷d for somed ≠ 0, then there need to be at leastmdistinctwr(x,d) in the execution for the execution to be causallyconsistent.
We now have all the ingredients needed to prove that the exe-cutionH(u,v) of Figure 7 satisfies the property we want:H(u,v)is causally consistent (resp.,CC, CM, CCv) if and only if u ≠ v. Inthe figure, we put the operations’ names between brackets, sothatwe can refer to them in the proof. When there is an operation namenext to auniq rd operation, it is actually the name correspondingto the underlyingrd operation.
The idea is the following. Ifu andv are different, then thereexistsi such thatUi ≠ Vi andUi = Vi
′ (or u andv have differentsizes). This means that the writexi can be used for the readyi,which means that one write from the backup sites need not be usedfor yi, and can be used instead for one of the three readsra, rb, r#.Moreover, two writes (out of three) from the extra sites can be usedfor the readsra, rb, r#, which makes the historyH(u,v) causallyconsistent.
(The case whereu andv have different sizes is handled thanksto the ticker sites, the symbol#, and the variablesSu,Sv,M ,N ,andChs.)
If u andv are equal, thenUi is different thanVi′, for all i. Then,
the writes of all backup processes must be used for the readsyi and
zi, and cannot be used for the three readsra, rb, r#. Since onlytwo (out of three) writes from the extra sites can be used (onewriteis lost because of variableCh, and read operationrch), the threereadsra, rb, r# cannot be consistent, and the historyH(u,v) is notcausally consistent (for any definition).
The technicalities are given in the following lemma.
Lemma 13. The following statements are equivalent:1. H(u,v) is CC2. H(u,v) is CM3. H(u,v) is CCv4. u ≠ v
Proof. LetA (resp.,B,C) be the number ofrd(L)▷a (resp.,rd(L)▷ b,rd(L)▷#) operations among they1, z1, . . . , yν+1, zν+1 opera-tions. Note thatA +B +C = 2 ∗ ν + 2.(1 ⇒ 4) AssumeH(u,v) is CC, and letco be a causality order
which proves it. Assume by contradiction thatu = v. Thus,µ = νand for alli ∈ {1, . . . , µ}, we haveUi = Vi, Ui ≠ Vi
′ andUi ≠#.Our goal (*) is to show that the readsyi andzi can only read
from xi (or from the backup/extra sites), but not fromxj for i ≠ j.Then, sinceUi ≠ Vi
′ andUi ≠ #, the readsyi andzi must usethe writes from the backup or extra sites, and the writesxi have nouse.
Overall, there are2 ∗ ν + 5 uniq rd’s on variableL in pv, and2∗ν+5 writes toL in the backup and extra sites. However, becauseof thechoicevariableCh, one of the write from the extra sites mustbe causally related torch (and to operationd), and thus cannot beused for theuniq rd’s on variableL in pv. We are left with only2 ∗ ν + 4 writes toL, which are usable for the2 ∗ ν + 5 uniq rd
on variableL in pv, which means thatH(u,v) cannot beCC. Weconclude thatu ≠ v.
(*) We now show that the readsyi andzi can only read fromxi
(or from the backup/extra sites), but not fromxj for i ≠ j.First, notice that because of the variablesM and N , all the
operations ofpu andpv must be causally related torn in pf .Assume by contradiction that an operationgi is causally related
to an operationrvj , and that an operationhi′ is causally related toan operationruj′ . Then both write operationssu andsv would becausally related torn is pf , and are not usable for the readsrfs
u
andrfsv . Moreover, because of variableChs, only one of the writes
wsu andws
v is usable for the readsrfsu andrfs
v . Since there are noother writes toSu or Sv, this is contradiction.
Now, assume by contradiction an operationgi is causally relatedto an operationrvj , with j ≤ ν+1. Then, we know that no operationhi′ can be causally related to an operationruj′ . The readsruj′ musttherefore use the writestvj′ , andtvj′ must be causally related toruj′for all j′ ∈ {1, . . . , ν + 2}. But then, by transitivity, we would havethatgi is causally related torsu, and also thatsu is causally relatedto rsu, which is not possible (as there are nowr(su,0) operation inthe history).
Similarly, we can prove that no operationhi can be causallyrelated to an operationruj with j ≤ ν + 1.
This entails that, eachruj with j ≤ ν + 1, must use the writetvj .And readrvj with j ≤ ν + 1 must use the writetuj . This implies inparticular than eachxj is causally related torvj for j ≤ ν + 1, andcannot be used for a readyi with i > j.
Moreover,xj cannot be causally related toyi with i < j. Thiswould create a cycle in the causality relation, as we know that tvi iscausally related torui .
This concludes the proof that the readsyi andzi can only readfrom xi (or from the backup/extra sites), but not fromxj for i ≠ j.(4⇒ 2) Assumeu ≠ v. We have three cases to consider:µ = ν,
µ > ν andν > µ.Caseµ = ν. Let j ∈ {1, . . . , µ} such thatUj ≠ Vj . Assume
without loss of generality that we haveUj = a, andVj = b (the
17
pBUa
(backup sitea):[a1] ∶ wr(L,a)[a2] ∶ wr(L,a). . .[aA] ∶ wr(L,a)
pBUb
(backup siteb):[b1] ∶ wr(L, b)[b2] ∶ wr(L, b). . .[bB] ∶ wr(L, b)
pBU#
(backup site#):[c1] ∶ wr(L,#)[c2] ∶ wr(L,#). . .[cC] ∶ wr(L,#)
paE(extra sitea):[exa] ∶ wr(L,a)[cha] ∶ wr(Ch,1)
pbE(extra siteb):[exb] ∶ wr(L, b)
[chb] ∶ wr(Ch,1)
p#
E
(extra site#):[ex#] ∶ wr(L,#)
[ch#] ∶ wr(Ch,1)
pTu
(ticker siteu):[su] ∶ wr(Su,1)[g1] ∶ wr(Tu,1). . .[gν+2] ∶ wr(Tu,1)
pTv
(ticker sitev):[sv] ∶ wr(Sv,1)[h1] ∶ wr(Tv,1). . .[hµ+2] ∶ wr(Tv,1)
pSu
[wsu] ∶ wr(Su,1)
[chus ] ∶ wr(Chs,1)
pSu
[wsv] ∶ wr(Sv,1)
[chvs] ∶ wr(Chs,1)
pu:
[x1] ∶ wr(L,U1)
[tu1 ] ∶ wr(Tu,1)[ru1 ] ∶ uniq rd(Tv)▷1
[x2] ∶ wr(L,U2)
[tu2 ] ∶ wr(Tu,1)[ru2 ] ∶ uniq rd(Tv)▷1
. . .[xµ] ∶ wr(L,Uµ)
[tuµ] ∶ wr(Tu,1)[ruµ] ∶ uniq rd(Tv)▷1
[xµ+1] ∶ wr(L,#)
[tuµ+1] ∶ wr(Tu,1)[ruµ+1] ∶ uniq rd(Tv)▷ 1
[tuµ+2] ∶ wr(Tu,1)[ruµ+2] ∶ uniq rd(Tv)▷ 1
[rsu] ∶ rd(Su)▷0
[wm] ∶ wr(M,1)
pv:[rch] ∶ rd(Ch)▷1
[d] ∶ wr(L,0)[y1] ∶ uniq rd(L)▷V1
′
[z1] ∶ uniq rd(L)▷#
[tv1] ∶ wr(Tv,1)[rv1] ∶ uniq rd(Tu)▷ 1
[y2] ∶ uniq rd(L)▷V2′
[z2] ∶ uniq rd(L)▷#
[tv2] ∶ wr(Tv,1)[rv2] ∶ uniq rd(Tu)▷ 1
. . .[yν] ∶ uniq rd(L)▷Vν
′
[zν] ∶ uniq rd(L)▷#
[tvν] ∶ wr(Tv,1)[rvν] ∶ uniq rd(Tu)▷ 1
[yν+1] ∶ uniq rd(L)▷a[zν+1] ∶ uniq rd(L)▷ b[tvν+1] ∶ wr(Tv,1)[rvν+1] ∶ uniq rd(Tu)▷ 1
[tvν+2] ∶ wr(Tv,1)[rvν+2] ∶ uniq rd(Tu)▷ 1
[rsv] ∶ rd(Sv)▷0
[ra] ∶ uniq rd(L)▷a
[rb] ∶ uniq rd(L)▷ b
[r#] ∶ uniq rd(L)▷#
[wn] ∶ wr(N,1)
pf :[rm] ∶ rd(M)▷ 1
[rn] ∶ rd(N)▷ 1
[rchs] ∶ rd(Chs)▷1
[wfsu] ∶ wr(Su,0)
[wfsv ] ∶ wr(Sv,0)
[rfsu] ∶ rd(Su)▷1
[rfsv ] ∶ rd(Sv)▷ 1
Figure 7: This historyH(u,v) corresponds to a sequence of dominoes(U1⋯Uµ, V1⋯Vν), with Ui, Vi ∈ {a, b} for all i. H(u,v) is not causallyconsistent (resp.,CC,CM,CCv) if and only (µ = ν and)U1⋯Uµ = V1⋯Vν , i.e.(U1⋯Uµ, V1⋯Vν) form a valid answer forP . This history uses9 variables and a domain size of4.
18
other case is symmetric). By definition,Uj = Vj′. In that case, we
prove thatH(u,v) is CM.Let q ∈ {1, . . . ,A} such thatyj is the qth rd(L)▷a in pv.
We define the causality relationco as the transitive closure of theprogram order and the following constraints:
• tui to rvi , for i ∈ {1, . . . , µ + 2},• tvi to rui , for i ∈ {1, . . . , µ + 2},• bi to yi′ , for i ∈ {1, . . . ,B}, and whereyi′ is theith rd(L)▷ b
in pv,• ci to zi′ , for i ∈ {1, . . . ,C}, and wherezi′ is theith rd(L)▷#
in pv,• ai to yi′ , for i ∈ {1, . . . , q − 1}, and whereyi′ is the ithrd(L)▷a in pv,
• xj to yj ,• ai−1 to yi′ , for i ∈ {q + 1, . . . ,A}, and whereyi′ is the ithrd(L)▷a in pv,
• aA to ra,• cha to rch,• exb to rb,• ex# to r#,• wm to rm,• wn to rn,• su to rfs
u,• sv to rfs
v ,• chu
s to rchs .By construction,co is a strict partial order, and we havePO ⊆
co. Also, for each read operationr (in particularruµ andrb), wecan construct a sequence, which respects the causality order, andcontaining all return values of the read operations beforer inthe program order. for every operationo of H(u,v), there existsρo ∈ SRW such thatCausalHist(o){POPast(o)} ⪯ ρo (axiomAxCausalSeq).
The key idea here is that, sinceUj = Vj′, yj can read fromxj .
As a result, there is awr(L,a) from the backup sitea which is notneeded for theuniq rd(L)▷a operations ofpv. We can thus usethe last write from the backup sitea (i.e.aA), for the readra. Then,we usecha to explain the return value ofrch, and we can thereforeuseexb to explain the return value ofrb, andex# to explain thereturn value ofr#.
Caseµ > ν. We prove thatH(u,v) is CM. We define the causalityrelationco as the transitive closure of the program order and thefollowing constraints:
• tui to rvi , for i ∈ {1, . . . , ν + 2},• tvi to rui , for i ∈ {1, . . . , ν + 2},• hi to rui , for i ∈ {ν + 2, µ + 2},• ai to yi′ , for i ∈ {1, . . . ,A}, and whereyi′ is theith rd(L)▷a
in pv,• bi to yi′ , for i ∈ {1, . . . ,B}, and whereyi′ is theith rd(L)▷ b
in pv,• ci to zi′ , for i ∈ {1, . . . ,C}, and wherezi′ is theith rd(L)▷#
in pv,• ch# to rch,• exa to ra,• exb to rb,• xµ+1 to r#,• wm to rm,• wn to rn,• su to rfs
u,• ws
v to rfsv ,
• chus to rchs .
Caseν > µ. Similar to the previous two cases. Here,xµ+1 willbe used forzµ+1, thus allowing the writecC to be used forr#.
(4 ⇒ 3) We can prove this by using the same causality orderused forCM. We can then define an arbitration order, as all the sitesagree on the order of write operations.(2⇒ 1) By Lemma 1.(3⇒ 1) By Lemma 2.
Construction of the Implementation We now describe how tobuild the implementationI, such thatI is not causally consistentwith respect to theread/write memory if and only if the problemP has a positive answer.
More precisely, we describe how to defineI as a regular lan-guage, so thatI produces, for each sequence of dominoes(u, v),an execution whose history isH(u,v).
In an execution ofI, the following happens: First, the extrasites, as well as the sitespSu and pSv execute their operations.Each ticker site executes its first operation. Then, sitepv executesoperationsrch andd.
After that, Sitepu chooses non-deterministically a domino(ui, vi) from thePCP instanceP . It sends messages to the backupsites, the ticker sites, andpv so that they execute the operationscorresponding to this domino(ui, vi) (following Figure 7).
This step, of choosing non-deterministically a domino and whatfollows, can happen an arbitrary number of times.
All sites thus synchronize after each choice of a domino. Thehistory of an executione of I thus always corresponds to a prefixof the history given in Figure 7.
Finally, the ticker sites, as well aspu, pv andpf execute theirlast operations, as depicted in Figure 7.
Since the sites synchronize after each choice of a domino,I canbe described by a regular language (or equivalently, by a distributedimplementation where each site has a bounded local memory, andwhere the sites communicate through a network whose capacity isbounded).
Remark 5. In an implementation, each method can be calledat any time, on any site. We handle this like in Theorem 1: if asite detects a method call that it is not expecting (i.e. thatdoesnot follow Figure 7), the implementation falls back to a defaultimplementation which is causally consistent (resp.,CC, CM, CCv).Therefore, ifI can produce an execution which is not causallyconsistent, it must be an execution whose history is of the formH(u,v) where(u, v) form a sequence of dominoes.
Lemma 14. I is not causally consistent (resp.,CC,CM,CCv) if andonly if thePCP problemP has a positive answer.
Proof. (⇒) If I is not causally consistent (resp.,CC,CM,CCv), itproduces a historyh which is not causally consistent. By construc-tion of I, h must be of the formH(u,v), for some sequence ofdominoes(u, v). By Lemma 13, we know thatu = v, and(u, v)for a valid answer forP .(⇐) If (u, v) form a valid answer toP , thenI is not causally
consistent, as it can produce an execution whose history isH(u,v),which is not causally consistent (resp.,CC,CM,CCv) by Lemma 13.
19
D. Reduction to Control-State ReachabilityTheorem 4. LetI be a data independent implementation.I is CCwith respect toSRW if and only ifI ∩MCC = ∅.
Proof. (⇒) Assume by contradiction that there is an executione ∈ I which is accepted byMCC. We make a case analysis basedon which branch ofMCC acceptse.
(First branch) If e is accepted on stateqerr, then it has ard(x)▷ 1 operation with no correspondingwr operation. It there-fore contains bad patternThinAirRead, ande is notCC.
(Second branch) Otherwise,e is accepted on stateq′err. Letw1
be thewr(x)▷ 1 operation read afterq1. Letw2 be thewr(x)▷2
operation read after the first causal link. Letr1 be therd(x)▷1
operation read just beforeq′err. Let e≠ ∈ I be a differentiatedexecution andf a renaming such thate = e≠[f]. Let 1≠ ∈ N bethe data value ofr1 in e≠. The renamingf maps1≠ to 1.
We show that, in the executione≠, the operationsw1, w2, andr1 form bad patternWriteCORead becausew1 <co w2 <co r1,w1 <RF r1, andvar(w1) = var(w2). The conditionsvar(w1) =var(w2), andw1 <RF r1 hold, because these three operations alloperate on the same variable (ensured by the registerreg′x), andw1
andr1 use the same data value1≠.The conditionw2 <co r1 holds because eitherr1 is betweenq5
andq′err, in which caseregp ensures that it is on the same site asw2; or r1 is betweenq6 andq′err, and in that case the precedingrd(x)▷ 2 operation makes a causality link withw2.
The causality linksw1 <co w2 <co r1 are ensured by thepresence of theCausalLink subautomata.CausalLink recognizesunbounded chains in thePO ∪ RF relation. InCausalLink, a rd
operation read fromqb to qa reads-from a precedingwr operationfrom qa to qb (thanks to registerregx). Moreover, the registerregpensures that ard operation is before, in the program order, thewr
operation which is following it.We conclude by Lemma 6 thate≠ is not causally consistent.(Third branch) Similar to the previous branch, but for bad pat-
ternWriteCOInitRead.(⇐) Assume by contradiction that there is an executione≠ ∈ I
which is not causally consistent. By Lemma 5, we can assume thate≠ is differentiated. Using Lemma 6, we have four bad patterns toconsider.
(CyclicCO) The first case is when there is a cycle inPO ∪ RF.Without loss of generality, we can assume that the cycle is analternation ofPO andRF edges, of the form (n > 1):
r1 <PO w2 <RF r2 <PO w3 . . . <RF rn−1 <PO wn <RF rn = r1.
This is true for two reasons. First,PO is transitive, so twoPO edgescan always be contracted to one. Second,RF connectswr to rd
operations, so there cannot be twoRF edges one after the other.Consider the minimal prefixe′≠ of e≠ which contains only one
out of these2 ∗ (n − 1) operations. This operation must be ardoperation, as everywr operationwi is preceded byri−1 <PO wi inthe program order. Note thate′≠ belongs toI, asI is prefix-closed.
The executione′≠ thus contains ard operationr which has nocorrespondingwr operation anywhere else in the execution, as itscorrespondingwr operation was among the2 ∗ (n − 1) operationsabove, and was not kept ine′≠.
Consider the renamingf which maps the data value ofr to 1,and every other value to5. By data independence,e′≠[f] belongs toI. Moreover,e′≠[f] can be recognized by (the first branch of)MCC.We thus obtain a contradiction, asI ∩MCC is not empty.
(ThinAirRead) The second case is when there is ard operationwith no correspondingwr operation. Again, such an execution canbe recognized by the first branch ofMCC (after renaming).
(WriteCORead) The third case is when there are operationsw1,w2, andr1 in e≠ such thatw1 <RF r1, var(w1) = var(w2), andw1 <co w2 <co r1.
Consider the renamingf which maps:• the data value ofw1 andr1 to 1,• the data value ofw2 to 2,• maps any value which appears in awr operation in a causality
chain betweenw1 <co w2 to 3,• maps any value which appears in awr operation in a causality
chain betweenw1 <co w2 to 4,• maps any other value to5.
Then,e≠[f] can be recognized by (the second branch of)MCC,andI ∩MCC is not empty.
(WriteCOInitRead) This bad pattern can be treated similarly tothe previous one, but using the third branch ofMCC instead of thesecond.
20
E. CCv Bad PatternsLemma 7. A differentiated historyh is CCv with respect toSRW ifand only ifh is CC and does not contain the following bad pattern:CyclicCF.
Proof. Let h = (O,PO, ℓ) be a differentiated history.(⇒) Assume thath is CCv, and let co ⊆ arb be relations
satisfying the properties ofCCv. By Lemma 2, we know thath isCC. Assume by contradiction thath contains bad patternCyclicCF.
Consider any edgew1 <CF w2 in the CF relation, whereℓ(w1) = wr(x,d1) and ℓ(w2) = wr(x,d2) for somex ∈ X andd1 ≠ d2 ∈ N.
By definition of CF, we havew1 <co r2, where ℓ(r2) =rd(x)▷d2.
Moreover,CCv ensures that there existsρr2 ∈ SRW such that(CausalPast(r2),arb, ℓ){r2} ⪯ ρr2 .
Since bothw1 andw2 are in ρr2 , w1 must be beforew2 inρr2 , as r2 is the last operation ofρr2 . (andh is differentiated).As a result,w1 <arb w2, andCF ⊆ arb. The cycle inCF ∪ COthus induces a cycle inarb ∪ CO, which contradicts the fact thatCO ⊆ co ⊆ arb and thatarb is strict total order.(⇐) Assume thath is CC and does not contain bad pattern
CyclicCF. We use the causal orderco = CO = (PO ∪ RF)+ toshow thath is CCv with respect toSRW. We must also construct thearbitration orderarb, which is a strict total order overO.
We definearb as any strict total order which containsCF∪CO.This is possible sinceCF ∪ CO is acyclic (h does not contain badpatternCyclicCF).
Let r ∈ O be a read operation. We prove that there existsρr ∈ SRW such thatCausalArb(r){r} ⪯ ρr.
In the case thatr returns the initial value0, and becauseh doesnot contain bad patternWriteCOInitRead, there is no write on thesame variable asr in CausalPast(r). The sequenceρr can thus bedefined as adding appropriate values to the reads different fromr inCausalArb(r){r} (that is, the value of the preceding write on thesame variable, or the initial value0 if there is no such write).
If r returns a value different that0, we know that there isa corresponding writew in CausalPast(r). Consider any writeoperationw′ ≠ w in CausalPast(o) which is on the same variableas o. By definition of the conflict relationCF and by definitionof arb, we know thatw′ <arb w. Thus, the last write operationon variable inCausalArb(r){r} must bew. As previously, wecan thus defineρr asCausalArb(r){r} where we add appropriatereturn values to the reads different thatr.
F. CM Bad PatternsLemma 8. A differentiated historyh is CM with respect toSRW ifand only ifh is CC and doesnotcontain the following bad patterns:WriteHBInitRead, CyclicHB.
Proof. Let h = (O,PO, ℓ) be a differentiated history.(⇒) Assume thath is CM. By Lemma 1, we know thath is CC.Assume by contradiction thath contains bad patternWrite-
HBInitRead or CyclicHB for some operationo.By CM, there isρo ∈ SRW with CausalHist(o){POPast(o)} ⪯
ρo. This implies in particular that the return values of all read op-erations which are beforeo (in POPast(o)) are still present inρr1 .They are not abstracted away by the projectionCausalHist(o){POPast(o)}.
We show below (*), by induction on the definition ofHBo, thatany edgeo1 <HBo o2 for operations inCausalPast(o) implies thato1 must be beforeo2 in ρo. Sinceρo is a strict total order overCausalPast(o), there can be no cycle inHBo. Soh cannot containbad patternCyclicHB.
Moreover, by definition ofSRW, for any rd(x)▷ 0 operationr, there can be no write operationw such thatw is beforer in ρo(h is differentiated, so it cannot containwr(x,0) operations). Sohcannot contain bad patternWriteHBInitRead.
(*) We now prove by induction, that any edgeo1 <HBo o2 foroperations inCausalPast(o) implies thato1 is beforeo2 in ρo.
Let o1, o2 ∈ CausalPast(o) such thato1 <HBo o2. Based on thedefinition ofHBo, we have three cases to consider.
• If o1 <CO o2, theno1 is beforeo2 in ρo becauseCausalHist(o){POPast(o)} ⪯ ρo.
• (transitivity) If there existso3 such thato1 <HBo o3 ando3 <HBo
o2, we can assume by induction thato1 is beforeo3, ando3 isbeforeo2 is ρo. Sinceρo is a sequence,o1 is beforeo2 in ρo.
• If there isx ∈ X, andd1 ≠ d2 ∈ N, and a read operationr2 suchthat:
o1 <HBo r2,r2 ≤PO o,ℓ(o1) = wr(x,d1),ℓ(o2) = wr(x,d2), andℓ(r2) = rd(x)▷d2:
We know by induction thato1 is beforer2 in ρo. Sinceh isdifferentiated, the onlywr(x,d2) operation inh is o2, ando2must thus be aftero1 in ρo.This concludes the first part (⇒) of the proof.(⇐) Assume thath is CC and does not contain the bad patterns
WriteHBInitRead andCyclicHB. We use the causal orderCO =(PO ∪ RF)+ to show thath is CM with respect toSRW. Sinceh isCC, we know thatCO is a strict partial order.
Let o be an operation, and letp be the site ofo. Our goal is toshow that there existsρo ∈ SRW such thatCausalHist(o){POPast(o)} ⪯ρo. Said differently, we must sequentialize the operationsCausalHist(o),while keeping the return values of all read operations done on thesame site aso, and beforeo (in POPast(o)).
We prove this by induction on the size ofPOPast(o). We proveactually the stronger property thatρo must also respect the orderHBo.
Let o′ be the operation immediately precedingo in the programorder (if it exists). We apply the induction hypothesis ono′, and ob-tain a sequenceρ′ = ρo′ such thatCausalHist(o′){POPast(o′)} ⪯ρ′. We can apply the induction hypothesis ono′, because acyclicityin HBo′ ⊆ HBo, so acyclicity inHBo implies acyclicity inHBo′ .By induction hypothesis, we also know thatρ′ respects the orderHBo′ .
If o is the first operation on the site (base case of the induction),theno′ does not exist, but we defineρ′ = ε. In both cases, we haveρ′ ∈ SRW.
We consider three cases:
21
1) o is a write operation. Here, the causal past ofo is the causalpast ofo′ whereo has been added as a maximal operation. Thereason is thatCO is defined as(PO ∪ RF)+ and the read-fromrelationRF only relates writes to reads. Thus, there cannot existan operationo′′ such thato′′ <CO o ando′′ /<CO o′. And we candefineρo asρ′ with o added at the end. We obtain thatρo ∈ SRW.
2) o is a read operationrd(x)▷0 for some variablex ∈ X. Thefact thath does not contain bad patternsWriteCOInitRead ensuresthat the causal pasto does not contain write operations on variablex. As in the previous case, the causal past ofo is the causal pastof o′ whereo has been added as a maximal operation. We can thusdefineρo asρ′ with o added at the end. We obtain thatρo ∈ SRW.
3) o is a read operationrd(x)▷d for somex ∈ X and d ≠0. The fact thath does not contain bad patternsThinAirReadand WriteCORead ensures that there exists a correspondingwoperation such thatw <RF o (in the causal past ofo), and such thereis now2 operation withw <CO w2 <CO o andvar(w) = var(w2).
We consider two subcases:a) w is in the causal past ofo′. By definition ofHBo, for any
w′ ∈ CausalPast(o) with w ≠ w′ andvar(w) = var(w′), we havew′ <HBo w. The last write operation on variablex in ρ′ must thusbew.
Moreover, the causal past ofo is the causal past ofo′ whereohas been added as a maximal operation. We can thus defineρo as
ρ′ with o added at the end. We obtain thatρo ∈ SRW, aso can readthe value written byw.
b)w is not in the causal past ofo′. This implies thato is the onlyrd(x)▷d operation inPOPast(o). (If there was another such readoperationr′, we would havew <RF r′ ≤PO o′, andw would be inthe causal past ofo′.) LetO′′ be the set of operations contained inthe causal past ofo (including o), but not contained in the causalpast ofo′. That is,O′′ = CausalPast(o) ∖ CausalPast(o′). Withthe absence of bad patternCyclicHB, we know thatw is a maximal(in theHBo order) write operation on variablex in o′′ (there is nowrite operationw2 on variable var such thatw <HBo w2 <HBo o,otherwise, by definition ofHBo, we would havew2 <HBo w andHBo would be cyclic.
We can thus define a sequenceρ′′ ∈ SRW such that the lastwrite operation on variablex is w, and such thatρ′′ respect theorderHBo. We then defineρo asρ′ ⋅ ρ′′, while setting the returnvalues of all reads which are not in sitep to the last correspondingwrite in ρo (these can be freely modified, as they are hidden bythe projectionCausalHist(o){POPast(o)}). We thus obtain thatCausalHist(o){POPast(o)} ⪯ ρo, andρo respects the orderHBo.
22