Declarative programming over eventually consistent data stores
Summary (7 min read)
1. Introduction
- Many real-world web services — such as those built and maintained by Amazon, Facebook, Google, Twitter, etc. — replicate application state and logic across multiple replicas within and across data centers.
- Indeed, modern web services, which aim to provide an "always-on" experience, overwhelmingly favor availability and partition tolerance over strong consistency.
- Contracts are used to specify fine-grained application-level consistency properties, and are statically analyzed to assign the most efficient and sound store consistency level to the corresponding operation.
- The rest of the paper is organized as follows.
2. System Model
- The authors describe the system model and introduce the primitive relations that their contract language is seeded with.
- Each object is associated with a set of operations.
- The sequence of operations invoked by a particular client on the store is called a session.
- The effectswx1 andwx2 are visible towx4 , written logically as vis(wx1 , wx4 ) ∧ vis(wx2 , wx4 ), where vis is the visibility relation between effects.
- For simplicity, the authors assume all operation names across all object are distinct.
3. Motivation
- Consider how the authors might implement a highly available bank account on top of an ECDS, with the integrity constraint that the balance must be non-negative.
- The authors begin by implementing a bank account replicated data type (RDT) in QUELEA, and then describe the mechanisms to obtain the desired correctness guarantees.
3.1 RDT Specification
- A key novelty in QUELEA is that it allows the addition of new RDTs to the store, which obviates the need for coercing application logic to utilize store-provided data types.
- Concerns permits operational reasoning for conflict resolution, and declarative reasoning for consistency.
- The implementation of the bank account operations in QUELEA is given in Figure 2.
- The datatype Acc represents the effect type for the bank account.
- For each operation, hist is a snapshot of the state of the object at some replica.
3.1.1 Summarization
- Observe that the definition of getBalance reduces over the entire history of updates to an account.
- If the authors are to realize an efficient implementation of this bank account RDT, they need a summary of the account history.
- Intuitively, the current account balance summarizes the state of an account.
- This notion of observable equivalence can be generalized to other RDTs as well.
- Since the notion of observable equivalence is specific to each RDT, programmers can provide a summarization function - of type [e] -> [e] - as a part of the RDT specification.
3.2 Anomalies under Eventual Consistency
- The authors goal is to choose the correct consistency level for each of the bank account operations such that (1) the balance remains nonnegative and (2) the getBalance operation never incorrectly returns a negative balance.
- The withdraw operation witnesses the deposit and succeeds1.
- Subsequently, session 2 perform a withdraw operation, but importantly, due to eventual consistency, only witnesses the deposit from session 1, but not the subsequent withdraw.
- This anomaly leads the user to incorrectly conclude that the withdraw operation failed to go through.
- Finding the appropriate fixes is not readily apparent.
3.3 Contracts
- QUELEA helps facilitate the mapping of operations to appropriate consistency levels by letting the programmer declare applicationlevel consistency constraints as contracts2 (Figure 4) that axiomatically specify the set of allowed executions involving this operation.
- In their running example, it is clear that in order to preserve the critical integrity constraint, the withdraw operation must be strongly consistent.
- Withdraw states that a is an effect emitted by a withdraw operation i.e., oper(a, withdraw) holds, also known as The syntax a.
- Any execution on a bank account object that preserves the above contract for a withdraw operation is said to be derived from a correct implementation of withdraw.
- Let η̂ stand for the effect emitted by the getBalance operation.
3.4 From Contracts to Implementation
- Notice that the contracts for withdraw and getBalance only express application-level consistency requirements, and make no reference to the semantics of the underlying store.
- The mapping of application-level consistency requirements to appropriate store-level guarantees is done automatically behind-the-scene.
- One strategy would be to execute operations speculatively.
- The overhead of state maintenance and the complexity of user-defined contracts is likely to make this technique infeasible in practice.
- Contracts are analyzed with the help of a theorem prover, and statically mapped to a particular store-level consistency property that the prover guarantees preserves contract semantics.
4.1 Syntax
- The syntax of their core contract language is shown in Figure 4.
- The language is based on first-order logic (FOL), and admits prenex universal quantification over typed and untyped effect variables.
- Notice that η̂ occurs free in the contract.
- An untyped effect variable ranges over all operation names.
- Quantifier-free propositions in their contract language are conjunctions, disjunctions and implications of predicates expressing relations between pairs of effect variables.
4.2 Semantics
- QUELEA contracts are constraints over axiomatic definitions of program executions.
- Figure 5 summarizes artifacts relevant to define an axiomatic execution.
- The authors formalize an axiomatic execution as a tuple (A,vis,so,sameobj), where A, called the effect soup, is the set of all effects generated during the program execution, and vis, so, sameobj ⊆ A × A are visibility, session order, and same object relations, respectively, witnessed over generated effects at run-time.
- Note that the axiomatic definition of an execution (E) provides interpretations for primitive relations (eg: vis) that occur free in contract formulas, and also fixes the domain of quantification to set of all effects (A) observed during the program execution.
- As such, E is a potential model for any first-order formula (ψ) expressible in their contract language.
4.3 Capturing Store Semantics
- An important aspect of their contract language is its ability to capture store-level consistency guarantees, along with application-level consistency requirements.
- Similar to [10], the authors can rigorously define a wide variety of store semantics including those that combine any subset of session and causality guarantees, and multiple consistency levels.
- Eventually consistent operations can be satisfied as long as the client can reach at least one replica, also known as Eventual consistency.
- In the bank account example, deposit is an eventually consistent operation.
- While an ECDS typically offers basic eventual consistency with all possible anomalies, the authors assume that their store 3 Strictly speaking,R+ is not the transitive closure ofR, as transitive closure is not expressible in FOL.
4.4 Contract Classification
- The authors goal is to map application-level consistency constraints on operations to appropriate store-level consistency guarantees capable of satisfying these constraints.
- Towards this end, the authors define a binary weaker than relation for their contract language as following: Definition 2.
- It is safe to execute operation op under a store consistency level captured by ψst.
- The authors define the corresponding consistency level as the consistency class of the contract.
- Along with three straightforward rules that classify contracts into consistency classes, the classification scheme also presents a rule that judges well-formedness of a contract.
4.5 Generality of Contracts
- It is important to note that their contract language provides a generic way to capture application-level consistency properties and is not tied to a particular store semantics.
- In particular, the same application-level contracts can easily be mapped to a different store with a varied consistency lattice.
- The consistency level of an operation is any combination of the above guarantees, which form a partially ordered consistency lattice show in Figure 7.
- An edge from an upper level element to a lower level element corresponds to a weaker-than relation between the corresponding contracts.
- Classifying a contract under this scheme is a directed search in the lattice, starting from the bottom, and determining the weakest consistency level under which the contract can be satisfied.
4.6 Soundness of Contract Classification
- The authors now present a meta-theoretic result that certifies the soundness of classification-based contract enforcement.
- The authors model the system as a tuple E,Σ, where the axiomatic execution E captures the data store’s current state, and session soup Σ is the set of concurrent client sessions interacting with the store.
- The relation captures the progress of the execution (from E to E′) due to the successful completion of a client operation op from one of the sessions in Σ, generating a new effect η.
- The theorem states that if a data store correctly enforces ψsc, ψcc, and ψec contracts in all well-formed executions, then the same store, extended with the classification scheme shown in Figure 6, can enforce all well-formed QUELEA contracts.
- The proof of the theorem is given below: Proof.
5. Operational Semantics
- The authors now describe operational semantics of a data store that implements strong, causal and eventual consistency guarantees.
- For technical reasons, the authors tag each session with a session identifier (s) and the sequence number (i) of the next operation in the session.
- Session order relation (so) relates effects generated by the same session.
- Rule [OPER] is an auxiliary reduction of the form: Θ ` (E, 〈s, i, op〉) r ↪−→ (E′, η) Under the store configuration Θ, the rule captures the progress in execution (from E to E′) due to the application of operation op to replica r resulting in a new effect η.
- The rule first constructs a context for the application from the local state (Θ(r)) of the replica, by projecting4 relevant information from effects in Θ(r).
5.1 Soundness of Operational Semantics
- The authors now prove a meta-theoretic property that establishes the soundness of their operational semantics in enforcing ψec, ψcc, and ψsc consistency guarantees at every reduction step.
- The following theorem proves that their operational semantics correctly enforce ψec, ψcc, and ψsc guarantees: Theorem 7 (Soundness Modulo Classification).
- By inversion on H1, the authors get the following hypotheses: Theorem 8 (Causal Consistency Preservation).
- Therefore, the authors need to prove that new store configuration Θ is causally consistent under E = (A,vis,so,sameobj).
6. Transaction Contracts
- While contracts on individual operations offer the programmer object-level declarative reasoning, real-world scenarios often involve operations that span multiple objects.
- In order to address this problem, several recent systems [2, 9, 26] have proposed eventually consistent transactions in order to compose operations on multiple objects.
- Given that classical transaction models such as serializability and snapshot isolation require inter-replica coordination, these systems espouse coordination-free transactions that remain available under network partitions, but only provide weaker isolation guarantees.
- Coordination-free transactions have intricate consistency semantics and widely varying runtime overheads.
- This choice is further complicated by the consistency semantics of individual operations.
6.1 Syntax and Semantics Extensions
- QUELEA automates the choice of assigning the correct and most efficient transaction isolation level.
- Similar to contracts on individual operations, the programmer associates contracts with transactions, declaratively expressing consistency specifications.
- The authors extend the contract language with a new term under quantifier-free propositions - txn S1 S2, where S1 and S2 are sets of effects, and introduce a new primitive equivalence relation sametxn that holds for effects from the same transaction.
- The authors assume that operations not part of any transaction belong to their own unique transaction.
- While transactions may have varying isolation guarantees, the authors make the standard assumption that all transactions provide atomicity.
6.2 Transactional Bank Account
- In order to illustrate the utility of declarative reasoning for transactions, consider an extension of their running example to use two accounts – current (c) and savings (s).
- The authors goal is to ensure that totalBalance returns the result obtained from a consistent snapshot of the object states.
- The two getBalance operations in a totalBalance transaction might be served by different replicas with a distinct set of committed save transactions.
- It is not immediately apparent how to choose the weakest isolation guarantee that would be sufficient to prevent the anomaly.
- Instead, QUELEA requires the programmer to simply state the consistency requirement as a contract.
6.3 Coordination-free Transactions
- In order to illustrate the utility of transaction contract classification, the authors identify three well-understood coordination-free transaction semantics – Read Committed (RC) [7], Monotonic Atomic View (MAV) [2] and Repeatable Read (RR) [7], and illustrate the classification strategy.
- A transaction with ANSI RC semantics only witnesses committed operations.
- Once all the updates from a transaction are available, the buffered updates are made visible to subsequent client requests.
- Importantly, RC does not entail any other guarantees.
- St witnessed by the running transaction, and before performing an operation at some replica, ensure that the replica includes all the transactions in St. Hence, MAV is coordination-free.
6.4 Classification
- Similar to operation-level contracts, with respect to ≤ relation, the coordination-free transaction semantics described here form a total order: ψrc ≤ ψmav ≤ ψrr.
- The transaction classification is also similar to the operation-level contract classification presented in Figure 6; given a contract ψ on a transaction, the authors start from the weakest transaction contract ψrc, and progressively compare its strength to the known transaction contracts until they find a isolation level under which ψ can be safely discharged.
7. Implementation
- QUELEA is implemented as a shallow extension of GHC Haskell and runs on top of Cassandra, an off-the-shelf eventually consistent distributed data (or backing) store responsible for all data management issues (i.e., replication, fault tolerance, availability, and convergence).
- Template Haskell is used to implement static contract classification, and proof obligations are discharged with the help of the Z3 [30] SMT solver.
- Figure 10 illustrates the overall system architecture.
- The authors implementation supports eventual, causal, and strong consistency for data type operations, and RC, MAV, and RR semantics for transactions.
- This functionality is implemented entirely on top of the standard interface exposed by Cassandra.
7.1 Operation Consistency
- The shim layer maintains a causally consistent in-memory snapshot of a subset of objects in the backing store, by explicitly tracking dependencies introduced between effects due to visibility, session and same transaction relations.
- Dependence tracking is similar to the techniques presented in [3] and [20].
- Similarly, new shim layer nodes can be spawned on demand.
- Hence, their dependence tracking strategy ensures that QUELEA does not track every effect as the number of writes in the system grows.
- The shim layer nodes periodically fetch updates from the backing store for eventually consistent operations, and on-demand for causally consistent and strongly consistent operations.
7.2 Transactions
- QUELEA implements atomic visibility by exploiting shim layer causality guarantees – an effect is included only if all the effects if depends on are also included.
- The dotted circle represents effects that are not yet inserted into the store.
- The graph on the left shows that state of the store after executing oper2.
- This ensures atomicity and satisfies the RC requirement.
7.3 Summarization
- The authors utilize the summarize function (§ 3.1.1) to summarize the object state both in the shim layer node and the backing store, typically when the number of effects on an object crosses a tunable threshold.
- Shim layer summarization is straight-forward; a summarization thread takes the local lock on the cached object, and replaces its state with the summarized state.
- It is essential that concurrent client operations are permitted, but are not allowed to witness the intermediate state of the summarization process.
- Suppose the original set of effects on an object are o1, o2 and o3.
8. Evaluation
- The authors present an evaluation study of their implementation, report contract profiles of benchmark programs, and illustrate the performance benefits of fine-grained consistency classification on operations and transactions.
- The application allows adding new users, adding and replying to tweets, following, unfollowing and blocking users, and fetching a user’s timeline, userline, followers and following.
- With 512 clients, the QUELEA implementation was within 41% of the latency and 18% of the throughput of EC, whereas SC operations had 162% higher latency and 52% lower throughput than EC operations.
- The numbers were obtained under a 1DC configuration.
- The authors use 128 clients and a single QUELEA replica, with all clients operating on the same LWW register to stress test the summarization mechanism.
10. Conclusions
- This paper presents QUELEA, a shallow Haskell extension for declarative programming over ECDS.
- The key idea underlying QUELEA’s design is the automatic classification of fine-grained consistency contracts on operations and distributed transactions with respect various consistency and isolation levels offered by the store.
- The authors contract language is carefully crafted from a decidable subset of first-order logic, enabling the use of automated verification tools to discharge the proof obligations associated with contract classification.
- The authors realize an instantiation of QUELEA on top of an off-the-shelf distributed store, Cassandra, and illustrate the benefit of fine-grained contract classification by implementing and evaluating several scalable applications.
Did you find this useful? Give us your feedback
Citations
136 citations
Cites background from "Declarative programming over eventu..."
...[41] have proposed a static analysis that automatically chooses consistency levels in a replicated database given programmer-supplied contracts....
[...]
118 citations
105 citations
Cites background from "Declarative programming over eventu..."
...Related results from the systems [8] and programming languages [48] communities show similar promise....
[...]
82 citations
Cites background from "Declarative programming over eventu..."
...Unlike Bloom, QUELEA language (Sivaramakrishnan et al. 2015) maps operations to a fine-grained consistency levels such as eventual, causal, and ordering and transaction isolation levels like read committed (RC), repeatable read (RR) (Berenson et al. 1995), and monotonic atomic view (MAV) (Bailis…...
[...]
...Unlike Bloom, QUELEA language [Sivaramakrishnan et al. 2015] maps operations to a fine-grained consistency levels such as eventual, causal, and ordering and transaction isolation levels like read committed (RC), repeatable read (RR) [Berenson et al....
[...]
67 citations
References
4,349 citations
"Declarative programming over eventu..." refers background in this paper
..., negative balances in a bank account, or having an item appear in a shopping cart after it has been removed [13])....
[...]
3,396 citations
"Declarative programming over eventu..." refers background in this paper
...Traditionally programmers have relied on strong consistency guarantees such as linearizability [15] or serializability [22] in order to build correct applications....
[...]
3,276 citations
"Declarative programming over eventu..." refers methods in this paper
...Our client workload was generated using the YCSB benchmark [12]....
[...]
2,870 citations
"Declarative programming over eventu..." refers background or methods in this paper
...Operation-based RDTs have been widely studied in terms of their algorithmic properties [10, 25], and several systems utilize this model to construct distributed data structures [5, 17, 23]....
[...]
...For our performance evaluation, we deploy QUELEA applications in clusters, where each cluster is composed of five fully replicated Cassandra replicas within the same datacenter....
[...]
...The lease mechanism is implemented with the help of Cassandra’s support for conditional updates and expiring columns....
[...]
...Although an application might be naturally expressed in terms of well-understood and expressive data types such as maps, trees, queues, or graphs, geo-distributed stores typically only provide a minimal set of data types with in-built conflict resolution strategies such as last-writer-wins (LWW) registers, counters, and sets [17, 26]....
[...]
...Categories and Subject Descriptors D.1.3 [Concurrent Programming]: Distributed Programming; C.2.4 [Distributed Systems]: Distributed databases; D.3.2 [Language Classifications]: Applicative (Functional) Languages; F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs General Terms Languages, Performance Keywords Eventual Consistency, Availability, CRDTs, Axiomatic Contracts, Contract Classification, Distributed Transactions, SMT solvers, Decidable Logic, Quelea, Cassandra, Haskell ∗ This work was done at Purdue University, USA....
[...]
1,456 citations
Related Papers (5)
Frequently Asked Questions (7)
Q2. What are the implications of predicates expressing relations between pairs of effect variables?
Quantifier-free propositions in their contract language are conjunctions, disjunctions and implications of predicates expressing relations between pairs of effect variables.
Q3. What can the authors do to maintain a runtime manifestation of executions?
The authors can maintain a runtime manifestation of executions, and check well-formedness conditions at runtime, rolling back executions if they are ill-formed.
Q4. How many clients are used to stress test the summarization mechanism?
The authors use 128 clients and a single QUELEA replica, with all clients operating on the same LWW register to stress test the summarization mechanism.
Q5. What is the relation between effects and replicas?
The effect added to a particular replica is asynchronously sent to other replicas, and eventually merged into all other replicas.
Q6. Why was the average latency of QUELEA operations slower?
In a 2DC configuration (not shown here), the average latency of SC operations with 512 clients increased by 9.4× due to the cost of geo-distributed coordination, whereas QUELEA operations were only 2.2× slower, mainly due to the increased cost of withdraw operations.
Q7. What is the simplest way to determine whether a contract is weaker than a store?
If the contract (ψop) of an operation (op) is weaker than a store contract (ψst), then constraints expressed by the former are implied by guarantees provided by the latter.