Certified Mergeable Replicated Data Types

Certi
fi
ed Mergeable
Replicated Data Types
“KC” Sivaramakrishnan
joint work with
Vimala Soundarapandian, Adharsh Kamath and Kartik Nagar

View Slide

View Slide

INTERNET

View Slide

INTERNET
≠

View Slide

INTERNET
≠
• Serializability
• Linearizability
• Weak Consistency & Isolation

View Slide

Even simple data structures attract enormous
complexity when made distributed

View Slide

4
module Counter : sig

type t

val read : t -> int

val add : t -> int -> t

val sub : t -> int -> t

end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d

end
Sequential Counter

View Slide

• Written in idiomatic style
• Composable
4

type t

val read : t -> int



end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d

end
type counter_list = Counter.t list
Sequential Counter

View Slide

INTERNET
0
0
0
0
Replicated Counter

View Slide

INTERNET
0
0
0
Replicated Counter
+2
2

View Slide

INTERNET
0
0
Replicated Counter
+2
2
+3
3

View Slide

INTERNET
0
0
Replicated Counter
+2
2
+3
3
• Idea: Apply the local operations at all replicas

View Slide

INTERNET
Replicated Counter
+2 +3
5
5
5
5
• Idea: Apply the local operations at all replicas

View Slide

7

type t

val read : t -> int



val mult : t -> int -> t

end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d

let mult x n = x * n

end

View Slide

7

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7

View Slide

7

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8
+1

View Slide

7

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8 21
+1 *3

View Slide

7

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8 21
+1 *3
24
*3

View Slide

7

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8 21
+1 *3
24 22
*3 +1

View Slide

7

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8 21
+1 *3
24 22
*3 +1
Diverges

View Slide

7

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8 21
+1 *3
24 22
*3 +1
Diverges
Addition and multiplication do not commute

View Slide

8

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end

View Slide

8

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
• Idea: Capture the effect of multiplication through the
commutative addition operation

View Slide

8

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7

View Slide

8

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8
+1

View Slide

8

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8 21
+1 *3

View Slide

8

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8 21
+1 *3
22
+14

View Slide

8

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8 21
+1 *3
22 22
+14 +1

View Slide

8

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8 21
+1 *3
22 22
+14 +1
Converges

View Slide

8

type t

val read : t -> int




end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


end
7
8 21
+1 *3
22 22
+14 +1
Converges
• CRDTs

View Slide

Convergent Replicated Data Types
(CRDT)
9

View Slide

(CRDT)
• CRDT is guaranteed to ensure strong eventual consistency (SEC)
★ G-counters, PN-counters, OR-Sets, Graphs, Ropes, docs, sheets
★ Simple interface for the clients of CRDTs
9

View Slide

(CRDT)
• CRDT is guaranteed to ensure strong eventual consistency (SEC)
★ G-counters, PN-counters, OR-Sets, Graphs, Ropes, docs, sheets
★ Simple interface for the clients of CRDTs
• Need to reengineer every datatype to ensure SEC
(commutativity)
★ Do not mirror sequential counter parts => implementation & proof
burden
★ Do not compose!
✦ counter set is not a composition of counter and set CRDTs
9

View Slide

Can we program & reason about replicated data types
as an extension of their sequential counterparts?

View Slide

Can we program & reason about replicated data types
as an extension of their sequential counterparts?
MRDT

View Slide

11

type t

val read : t -> int




val merge : lca:t -> v1:t -> v2:t -> t

end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d


let merge ~lca ~v1 ~v2 =

lca + (v1 - lca) + (v2 - lca)

end

View Slide

11

type t

val read : t -> int





end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d



lca + (v1 - lca) + (v2 - lca)

end
7

View Slide

11

type t

val read : t -> int





end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d



lca + (v1 - lca) + (v2 - lca)

end
7
8
+1

View Slide

11

type t

val read : t -> int





end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d



lca + (v1 - lca) + (v2 - lca)

end
7
8 21
+1 *3

View Slide

11

type t

val read : t -> int





end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d



lca + (v1 - lca) + (v2 - lca)

end
7
8 21
+1 *3
22

View Slide

11

type t

val read : t -> int





end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d



lca + (v1 - lca) + (v2 - lca)

end
7
8 21
+1 *3
22 22

View Slide

11

type t

val read : t -> int





end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d



lca + (v1 - lca) + (v2 - lca)

end
7
8 21
+1 *3
22 22
22 = 7 + (8-1) + (21 -7)

View Slide

11

type t

val read : t -> int





end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d



lca + (v1 - lca) + (v2 - lca)

end
7
8 21
+1 *3
22 22
22 = 7 + (8-1) + (21 -7)
• 3-way merge function makes the counter suitable for distribution

View Slide

11

type t

val read : t -> int





end = struct

type t = int

let read x = x

let add x d = x + d

let sub x d = x - d



lca + (v1 - lca) + (v2 - lca)

end
7
8 21
+1 *3
22 22
22 = 7 + (8-1) + (21 -7)
• 3-way merge function makes the counter suitable for distribution
• Does not appeal to individual operations => independently
extend data-type

View Slide

12
Systems ➞ PL

View Slide

12
Systems ➞ PL
• CRDTs need to take care of
systems level concerns such as
message loss, duplication and
reordering

View Slide

12
Systems ➞ PL
reordering
• 3-way merge is oblivious to these
✦ By leaving those concerns to MRDT
middleware

View Slide

12
7
8 21
+1 *3
22 22
Systems ➞ PL
reordering
middleware

View Slide

??
12
7
8 21
+1 *3
22 22
Systems ➞ PL
reordering
middleware

View Slide

??
12
7
8 21
+1 *3
22 22
22
22 = 21 + (21-21) + (22 -21)
Systems ➞ PL
reordering
middleware

View Slide

Does the 3-way merge idea generalise?

View Slide

Does the 3-way merge idea generalise?
Sort of

View Slide

14
Observed-Removed Set

View Slide

14
• OR-set — add-wins when there is a concurrent add and remove
of the same element

View Slide

14
of the same element

(lca ∩ v1 ∩ v2) (* unmodified elements *)

∪ (v1 - lca) (* added in v1 *)

Kaki et al. “Mergeable Replicated Data Types”,
OOPSLA 2019

View Slide

14
{1}
of the same element



OOPSLA 2019

View Slide

14
{1}
{1}
add(1)
of the same element



OOPSLA 2019

View Slide

14
{1}
{1} { }
add(1) rem(1)
of the same element



OOPSLA 2019

View Slide

14
{1}
{1} { }
{ } { }
add(1) rem(1)
of the same element



{ } ∪ ({1} - {1}) ∪ ({ } - {1})

= { } ∪ { } ∪ { }

= { } (expected {1})
OOPSLA 2019

View Slide

14
{1}
{1} { }
{ } { }
add(1) rem(1)
• Convergence is not suf
fi
cient; Intent is not preserved
of the same element



{ } ∪ ({1} - {1}) ∪ ({ } - {1})

= { } ∪ { } ∪ { }

= { } (expected {1})
OOPSLA 2019

View Slide

Concretising Intent
• Intent is a woolly term
★ How can we formalise the intent of operations on a data
structure?
15
l
v1 v2
v

View Slide

Concretising Intent
• Intent is a woolly term
★ How can we formalise the intent of operations on a data
structure?
• We need
★ A formal language to specify the intent of an RDT
★ Mechanization to bridge the air gap between speci
fi
cation
and implementation due to distributed system complexity
15
l
v1 v2
v

View Slide

Peepul — Certi
fi
ed MRDTs
16

View Slide

Peepul — Certi
fi
ed MRDTs
• An F* library implementing and proving MRDTs
★ https://github.com/prismlab/peepul
16

View Slide

Peepul — Certi
fi
ed MRDTs
• Speci
fi
cation language is event-based
★ Burckhardt et al. “Replicated Data Types: Speci
fi
cation, Veri
fi
cation and Optimality”,
POPL 2014
16

View Slide

Peepul — Certi
fi
ed MRDTs
• Speci
fi
fi
cation, Veri
fi
POPL 2014
• Replication-aware simulation to connect speci
fi
cation with implementation
16

View Slide

Peepul — Certi
fi
ed MRDTs
• Speci
fi
fi
cation, Veri
fi
POPL 2014
fi
• Composition of MRDTs and their proofs!
16

View Slide

Peepul — Certi
fi
ed MRDTs
• Speci
fi
fi
cation, Veri
fi
POPL 2014
fi
• Composition of MRDTs and their proofs!
• Extracted RDTs are compatible with Irmin — a Git-like distributed
database
16

View Slide

Fixing OR-Set
• Discriminate duplicate additions by
associating a unique id
17

View Slide

Fixing OR-Set
17
{ (a,1) }

View Slide

Fixing OR-Set
17
{ (a,1) }
{ (a,1);

(a,2) }
add(a)

View Slide

Fixing OR-Set
17
{ (a,1) }
{ (a,1);

(a,2) }
{ }
add(a) rem(a)

View Slide

Fixing OR-Set
17
{ (a,1) }
{ (a,1);

(a,2) }
{ }
{ (a,2) } { (a,2) }
add(a) rem(a)
{ } ∪ ( { (a,1); (a,2) } - { (a,1) }) ∪ ( { } - { (a,1) } )

= { } ∪ { (a,2) } ∪ { }

= { (a,2) }

View Slide

Fixing OR-Set
• MRDT implementation
17
{ (a,1) }
{ (a,1);

(a,2) }
{ }
{ (a,2) } { (a,2) }
add(a) rem(a)
{ } ∪ ( { (a,1); (a,2) } - { (a,1) }) ∪ ( { } - { (a,1) } )

= { } ∪ { (a,2) } ∪ { }

= { (a,2) }

View Slide

Fixing OR-Set
• MRDT implementation
17
{ (a,1) }
{ (a,1);

(a,2) }
{ }
{ (a,2) } { (a,2) }
add(a) rem(a)
{ } ∪ ( { (a,1); (a,2) } - { (a,1) }) ∪ ( { } - { (a,1) } )

= { } ∪ { (a,2) } ∪ { }

= { (a,2) }
Unique Lamport Timestamps

View Slide

18
Specifying OR-Set
Abstract state

View Slide

18
Specifying OR-Set
Abstract state
add(a)
add(a) rem(a)
rd
vis
vis
vis vis
{ (a,1) }
{ (a,1);

(a,2) }
{ }
{ (a,2) } { (a,2) }
add(a) rem(a)

View Slide

18
Specifying OR-Set
Abstract state
= { a }
add(a)
add(a) rem(a)
rd
vis
vis
vis vis
{ (a,1) }
{ (a,1);

(a,2) }
{ }
{ (a,2) } { (a,2) }
add(a) rem(a)

View Slide

Simulation Relation
• Connects the abstract execution with the concrete state
• For the OR-set,
19

View Slide

Verifying Operations
1. Show that the simulation holds for operations
20

View Slide

20
to prove
Operation de
fi
nition
de
fi
ned once-and-for-all
Simulation
relation

View Slide

20
to prove
Operation de
fi
nition
de
fi
Simulation
relation
2. Show that the simulation holds for merge

View Slide

20
to prove
Operation de
fi
nition
de
fi
Simulation
relation
2. Show that the simulation holds for merge
Merge de
fi
nition
Assume
de
fi
To prove

View Slide

3. Show that the speci
fi
cation and the implementation agree on
the return values of operations
21

View Slide

fi
21
4. Convergence

View Slide

fi
21
4. Convergence
✦ Permits the different replicas to converge to states that are
observationally equal but not structurally equal
✤ Example: differently balanced BSTs

View Slide

Space-ef
fi
cient OR-Set
• Recall that the OR-set has duplicates
• How can we remove them?
22
{ (a,1) }
{ (a,1);

(a,2) }
{ }
{ (a,2) } { (a,2) }
add(a) rem(a)

View Slide

Space-ef
fi
cient OR-Set
• Idea
★ On addition, replace existing element’s timestamp with the new timestamp
★ On merge, pick the larger timestamp
22
{ (a,1) }
{ (a,1);

(a,2) }
{ }
{ (a,2) } { (a,2) }
add(a) rem(a)

View Slide

Space-ef
fi
cient OR-Set
• Idea
★ On addition, replace existing element’s timestamp with the new timestamp
★ On merge, pick the larger timestamp
22
{ (a,1) }
{ (a,1);

(a,2) }
{ }
{ (a,2) } { (a,2) }
add(a) rem(a)
Correctness
argument is tricky

View Slide

Space-ef
fi
cient OR-Set
23
{ (a,1) }
{ (a,1);

(a,2) }
{ }
{ (a,2) } { (a,2) }
add(a) rem(a)
{ (a,1) }
{ (a,2) } { }
{ (a,2) } { (a,2) }
add(a) rem(a)

View Slide

Space-ef
fi
cient OR-Set
23
{ (a,1) }
{ (a,1);

(a,2) }
{ }
{ (a,2) } { (a,2) }
add(a) rem(a)
{ (a,1) }
{ (a,2) } { }
{ (a,2) } { (a,2) }
add(a) rem(a)
Simulation relation is more
intricate as one would
expect

View Slide

Veri
fi
cation effort
24

View Slide

25
Composing CRDTs is HARD!

View Slide

Composing IRC-style chat
• Build IRC-style group chat
★ Send and read messages in channels
★ For simplicity, channels and messages cannot be deleted
• Represent application state as a grow-only map with string
(channel name) keys and mergeable-log as values
• Goal:
★ map and log proved correct separately
★ Use the proof of underlying RDTs to prove chat application
correctness
26

View Slide

Generic Map MRDT
• Speci
fi
cation
27

View Slide

Generic Map MRDT
• Speci
fi
cation
27
where

View Slide

Generic Map MRDT
• Speci
fi
cation
• Project
fi
lters the abstract state of the map on the key k and
returns an abstract state of the underlying data type
★ Provided by the user once for a generic MRDT
27
where

View Slide

Generic Map MRDT
• Speci
fi
cation
• Project
fi
lters the abstract state of the map on the key k and
returns an abstract state of the underlying data type
★ Provided by the user once for a generic MRDT
27
where
set (“general”, append (“hello”))
set (“compiler”, append (“error”))
set (“general”, append (“world”))
vis
vis
get (“general”, rd)
[“world”; “hello”]

View Slide

28
Generic Map MRDT
Implementation
Simulation Relation

View Slide

28
Generic Map MRDT
Implementation
Simulation Relation
Get applies given operation on the
value at key k and returns the value

View Slide

28
Generic Map MRDT
Implementation
Simulation Relation
Set is Get + update the map
with the new state

View Slide

28
Generic Map MRDT
Implementation
Simulation Relation
with the new state
Merge uses the merge of the
underlying value type!

View Slide

28
Generic Map MRDT
Implementation
Simulation Relation
with the new state
Merge uses the merge of the
underlying value type!
Simulation relation appeals to the
value type’s simulation relation!

View Slide

• Program state is constructed by instantiating generic map with
mergeable log
★ The proof of correctness of the chat application directly follows from the
composition!
29
Composing IRC-style chat

View Slide

Mergeable Queues
• Replicated queue with at-least-once dequeue semantics
★ First veri
fi
ed queue RDT!
30

View Slide

Mergeable Queues
• Replicated queue with at-least-once dequeue semantics
★ First veri
fi
ed queue RDT!
• Our aim is to have O(1) enqueue and dequeue and O(n) merge
30

View Slide

Mergeable Queues
• Implementation
★ Uses two-list functional queue implementation
✦ amortised O(1) enqueue and dequeue operations
★ Merge uses longest common contiguous subsequence
algorithm — O(n)
31
M

View Slide

Mergeable Queues
• Implementation
algorithm — O(n)
• Speci
fi
cation
1.Any element popped in either A or B does not
remain in M
2. Any element pushed into either A or B appears in M
3. An element that remains untouched in LCA, A, B
remains in M
4. Order of pairs of elements in LCA, A, B must be
preserved in M, if those elements are present in M.
31
M

View Slide

Mergeable Queues
• Implementation
algorithm — O(n)
• Speci
fi
cation
1.Any element popped in either A or B does not
remain in M
2. Any element pushed into either A or B appears in M
3. An element that remains untouched in LCA, A, B
remains in M
4. Order of pairs of elements in LCA, A, B must be
preserved in M, if those elements are present in M.
31
M
Implementation far
removed from the
specification!

View Slide

Veri
fi
cation effort
32

View Slide

33
Summary

View Slide

• Programming and proving with RDTs is complicated due to
concurrency and the lack of suitable programming abstractions
33
Summary

View Slide

• MRDTs simplify RDTs by implementing them as extensions of
sequential data types
★ Reasoning about correctness is still hard
33
Summary

View Slide

• Peepul is an F* library for certi
fi
ed MRDTs
★ Replication-aware simulation for proving complex MRDTs
★ Complex MRDTs can be constructed and proved using simpler MRDTs
33
Summary

View Slide

• Peepul is an F* library for certi
fi
ed MRDTs
★ Replication-aware simulation for proving complex MRDTs
★ Complex MRDTs can be constructed and proved using simpler MRDTs
• F* allows us to strike a balance between automated and
interactive proofs
★ Extract to OCaml and run on Irmin!
33
Summary

View Slide

Backup Slides
34

View Slide

Queue Performance
35

View Slide

Certified Mergeable Replicated Data Types

Certified Mergeable Replicated Data Types

KC Sivaramakrishnan

More Decks by KC Sivaramakrishnan

Other Decks in Science

Featured

Transcript