plereplicatedobjects:inthiscase,asynchronouspropagationofupdatesbetwee - PDF document

plereplicatedobjects:inthiscase,asynchronouspropagationofupdatesbetweenreplicasmayleadtocounterintuitivebehaviors—anomalies,indatabaseterminology.Thefollowingcodeillustratesananomalyhappeninginrealreplicatedstores[1,17]:Replicar1!x:wr(post) i=y:rd//comment Replicar2y:wr(comment) j=x:rd//empty(2)Wehavetwoclientsreadingfromandwritingtoregisterobjectsxandyattwodifferentreplicas;iandjareclient-localvariables.Therstclientmakesapostbywritingtoxatreplicar1andthencommentsonthepostbywritingtoy.Aftereverywrite,replicar1mightsendamessagewiththeupdatetoreplicar2.Ifthemessagescarryingthewritesofposttoxandcommenttoyarrivetoreplicar2outoftheordertheywereissuedin,thesecondclientcanseethecomment,butnotthepost.Differentreplicatedstoresmayallowsuchananomalyornot,andthishastobetakenintoaccountwhenreasoningaboutthem.Inthispaper,weproposetechniquesforreasoningabouteven-tuallyconsistentreplicatedstoresinthefollowingthreeareas.1.Specication.Weproposeacomprehensiveframeworkforspecifyingthesemanticsofreplicatedstores.Itskeynovelcom-ponentisreplicateddatatypespecications(x3),whichprovidetherstwayofspecifyingthesemanticsofreplicatedobjectswithadvancedconictresolutiondeclaratively,likeabstractdatatypes[24].Weachievethisbydeningtheresultofadatatypeoperationnotbyafunctionofstates,butofoperationcontexts—setsofeventsaffectingtheresultoftheoperation,togetherwithsomerelationshipsbetweenthem.Weshowthatourspecicationsaresufcientlyexibletohandledatatypesrepresentingavarietyofconict-resolutionstrategies:last-write-winsregister,counter,multi-valueregisterandobserved-removeset.Wethenspecifythesemanticsofawholestorewithmultipleobjects,possiblyofdifferenttypes,byconsistencyaxioms(x7),whichconstrainthewaythestoreprocessesincomingrequestsinthestyleofweakshared-memorymodels[2]andthusdenetheanomaliesallowed.Asanillustration,wedeneconsistencymod-elsusedinexistingreplicatedstores,includingaweakformofeventualconsistency[1,17]anddifferentkindsofcausalconsis-tency[22,26,32,33].Wendthat,whenspecializedtolast-writer-winsregisters,thesespecicationsareveryclosetofragmentsoftheC/C++memorymodel[5].Thus,ourspecicationframeworkgeneralizesaxiomaticshared-memorymodelstoreplicatedstoreswithnontrivialconictresolution.2.Verication.Weproposeamethodforprovingthecorrectnessofreplicateddatatypeimplementationswithrespecttoourspeci-cationsandapplyittosevenexistingimplementationsofthefourdatatypesmentionedabove,includingthosewithnontrivialopti-mizations.Reasoningabouttheimplementationsisdifcultduetothehighlyconcurrentnatureofareplicatedstore,withmultiplereplicassimultaneouslyupdatingtheirobjectcopiesandexchang-ingmessages.Weaddressthischallengebyproposingreplication-awaresimulations(x5).Likeclassicalsimulationsfromdatarene-ment[20],theseassociateaconcretestateofanimplementationwithitsabstractdescription—structuresonevents,inourcase.Tocombatthecomplexityofreplication,theyconsiderthestateofanobjectatasinglereplicaoramessageintransitseparatelyandas-sociateitwithabstractdescriptionsofonlythoseeventsthatledtoit.Verifyinganimplementationthenrequiresonlyreasoningaboutaninstanceofitscoderunningatasinglereplica.Here,however,wehavetodealwithanotherchallenge:codeatasinglereplicacanaccessboththestateofanobjectandamessageatthesametime,e.g.,whenupdatingtheformeruponreceivingthelatter.Toreasonaboutsuchcode,weoftenneedtorelyoncer-tainagreementpropertiescorrelatingtheabstractdescriptionsofthemessageandtheobjectstate.Establishingthesepropertiesre-quiresglobalreasoning.Fortunately,wendthatagreementprop-ertiesneededtoproverealisticimplementationsdependonlyonba-sicfactsabouttheirmessagingbehaviorandcanthusbeestablishedonceforbroadclassesofdatatypes.Thenaparticularimplementa-tionwithinsuchaclasscanbeveriedbyreasoningpurelylocally.Bycarefullystructuringreasoninginthisway,weachieveeasyandintuitiveproofsofsingledatatypeimplementations.Wethenlifttheseresultstostoreswithmultipleobjectsofdifferenttypesbyshowinghowconsistencyaxiomscanbeprovedgivenpropertiesofthetransportlayeranddatatypeimplementations(x7).3.Optimality.Replicateddatatypedesignersstrivetooptimizetheirimplementations;knowingthatoneisoptimalcanhelpguidesucheffortsinthemostpromisingdirection.However,provingoptimalityischallenginglybroadasitrequiresquantifyingoverallpossibleimplementationssatisfyingthesamespecication.Formostdatatypeswestudied,theprimaryoptimizationtargetisthesizeofthemetadataneededtoresolveconictsorhandlenet-workfailures.Toestablishoptimalityofmetadatasize,wepresentanovelmethodforprovinglowerboundsontheworst-casemeta-dataoverheadofreplicateddatatypes—theproportionofmetadatarelativetotheclient-observablecontent.Themainideaistondalargefamilyofexecutionsofanarbitrarycorrectimplementationsuchthat,giventheresultsofdatatypeoperationsfromacertainxedpointinanyoftheexecutions,wecanrecoverthepreviousexecutionhistory.Thisimpliesthat,acrossexecutions,thestatesatthispointaredistinctandthusmusthavesomeminimalsize.Usingourmethod,weprovethatfouroftheimplementationsweveriedhaveanoptimalworst-casemetadataoverheadamongallimplementationssatisfyingthesamespecication.Twoofthese(counter,last-writer-winsregister)arewell-known;one(optimizedobserved-removeset[6])isarecentlyproposednontrivialopti-mization;andone(optimizedmulti-valueregister)isasmallim-provementofaknownimplementation[32]thatwediscovereddur-ingafailedattempttoproveoptimalityofthelatter.WesummarizealltheboundsweprovedinFig.10.Wehopethatthetheoreticalfoundationswedevelopwillhelpinexploringthedesignspaceofreplicateddatatypesandreplicatedeventuallyconsistentstoresinasystematicway.2.ReplicatedDataTypesWenowdescribeourformalmodelforreplicatedstoresandintro-ducereplicateddatatypeimplementations,whichimplementop-erationsonasingleobjectatareplicaandtheprotocolusedbyreplicastoexchangeupdatestothisobject.Ourformalismfollowscloselythemodelsusedbyreplicateddatatypedesigners[32].Areplicatedstoreisorganizedasacollectionofnamedob-jectsObj=fx;y;z;:::g.Eachobjectishostedatallreplicasr;s2ReplicaID.Thesetsofobjectsandreplicasmaybeinnite,tomodeltheirdynamiccreation.Clientsinteractwiththestorebyperformingoperationsonobjectsataspeciedreplica.Eachob-jectx2Objhasatype=type(x)2Type,whosetypesigna-ture(Op;Val)determinesthesetofsupportedoperationsOp(rangedoverbyo)andthesetoftheirreturnvaluesVal(rangedoverbya;b;c;d).Weassumethataspecialvalue?2Valbe-longstoallsetsValandisusedforoperationsthatreturnnovalue.Forexample,wecandeneacounterdatatypectrandanintegerregistertypeintregwithoperationsforreading,incre-mentingorwritinganintegera:Valctr=Valintreg=Z[f?g,Opctr=frd;incgandOpintreg=frdg[fwr(a)ja2Zg.WealsoassumesetsMessageofmessages(rangedoverbym)andtimestampsTimestamp(rangedoverbyt).Forsimplicity,welettimestampsbepositiveintegers:Timestamp=N1.DEFINITION1.AreplicateddatatypeimplementationforadatatypeisatupleD=(;~0;M;do;send;receive),where~0: However,weneedtobemorecareful,sinceforop-basedimple-mentationsero(C)���!e0del(C)����!f0ro(C)���!fdoesnotensurethattheupdateofeistakenintoaccountbyf:ifthereisanothersendevente00inbetweeneande0,thene00willcapturetheupdateofeande0willnot.Hence,wedenethewitnessas:Vop(C)=ro(C)jdo[f(e;f)je;f2(C:E)jdo^9e0;f0:ero(C)���!e0del(C)����!f0ro(C)���!f^:9e00:ero(C)���!e00ro(C)���!e0^C:act(e00)=sendg:WenextpresentamethodforprovingdatatypeimplementationcorrectnessinthesenseofDef.7.Inx7weliftthistostoreswithmultipleobjectsandtakeintoaccountconsistencyaxioms.5.ProvingDataTypeImplementationsCorrectThestraightforwardapproachtoprovingcorrectnessinthesenseofDef.7wouldrequireustoconsiderglobalstorecongurationsinexecutionsC,includingobjectstatesatallreplicasandallmes-sagesintransit,makingthereasoningnon-modularandunintuitive.Todealwiththischallenge,wefocusonasinglecomponentofastorecongurationusingreplication-awaresimulationrelationsRrandM,analogoustosimulation(akacoupling)relationsusedindatarenement[20].TheRrrelationassociatestheobjectstateatareplicarwithanabstractexecutionthatdescribesonlythoseeventsthatledtothisstate;Mdoesthesameforamessage.Forexample,whenprovingDctrinFig.2(b)withrespecttoFctrin(3),Massociatesamessagecarryingavectorvwithexecutionsinwhicheachreplicasmakesv(s)increments.AspartofaproofofD,werequirecheckingthattheeffectofitsmethods,suchasD:do,canbesimulatedbyappropriatelytransformingrelatedab-stractexecutionswhilepreservingtherelations.Wedenethesetransformationsusingabstractmethodsdo],send]andreceive]asillustratedinFig.4(a,b).Forexample,ifareplicarexecutesD:dofromastaterelatedbyRrtoanabstractexecutionI(weexplaintheuseofIinsteadofAlater),weneedtondanI0relatedbyRrtotheresultingstate0.WealsoneedtocheckthatthevaluereturnedbyD:doonisequaltothatreturnedbyFonI.Theseconditionsconsiderthebehaviorofanimplementationmethodonasinglestateand/ormessageanditseffectononlytherelevantpartoftheabstractexecution.However,bylocalizingthereasoninginthisway,welosesomeglobalinformationthatisactuallyrequiredtoverifyrealisticimplementations.Inparticular,thisoccurswhendischargingtheobligationforreceiveinFig.4(b).Takingaglobalview,andmtherearemeanttocomefromthesamecongurationinaconcreteexecutionC;correspondingly,IandJaremeanttobefragmentsofthesameabstractexecutionabs(C;V).Inthiscontextwemayknowcertainagreementprop-ertiescorrelatingIandJ,e.g.,thattheunionoftheirvisibilityre-lationsisitselfawell-formedvisibilityrelationandisthusacyclic.Establishingthemrequiresglobalreasoningaboutwholeexecu-tionsCandabs(C;V).Fortunately,wendthatthiscanbedoneknowingonlytheabstractmethods,nottheimplementationD.Furthermore,thesemethodsstatebasicfactsaboutthemessagingbehaviorofimplementationsandarethuscommontobroadclassesofthem,suchasstate-basedorop-based.Thisallowsustoestab-lishagreementpropertiesusingglobalreasoningonceforagivenclassofimplementations;atthisstagewecanalsobenetfromthetransportlayerspecicationTandcheckthattheabstractmethodsconstructvisibilityaccordingtothegivenwitnessV.Thenapar-ticularimplementationwithintheclasscanbeveriedbydischarg-inglocalobligations,suchasthoseinFig.4(a,b),whileassumingagreementproperties.Thisyieldseasyandintuitiveproofs.Tosummarize,wedealwiththechallengeposedbyadistributeddatatypeimplementationbydecomposingreasoningaboutitinto Figure4.Diagramsillustratingreplication-awaresimulations (a)(b)(c)Ido]// I0OORr D:do// RrOO 0(I;J)receive]// I0OORr (;m)D:receive// RrMOO 0Dstep(C0;e;D)// D0OOG Ce// GOO C0 globalreasoningdoneonceforabroadclassofimplementationsandlocalimplementation-specicreasoning.Westartbypresent-ingthegeneralformofobligationstobedischargedforasingleimplementationwithinacertainclass(x5.1)andtheparticularformtheytakefortheclassofstate-basedimplementations(x5.2),to-getherwithsomeexamples(x5.3).Wethenformulatetheobliga-tionstobedischargedforaclassofimplementations(x5.4),whichinparticular,establishtheagreementpropertiesassumedintheper-implementationobligations.InxB,wegivetheobligationsforop-basedimplementations,togetherwithaproofofthecounterinFig.2(a).Animpatientreadercanmoveontox6afternishingx5.3,andcomebacktox5.4later.SinceDef.7considersonlysingle-objectexecutions,wexanobjectxoftypeandconsideronlyconcreteandabstractexecutionsoverx,whosesetswedenotebyCEx[x]andAEx[x].5.1Replication-AwareSimulationsAsistypicalforsimulation-basedproofs,weneedtouseauxiliarystatetorecordinformationaboutthecomputationhistory.Forthisreason,actuallyoursimulationrelationsassociateastateorames-sagewithaninstrumentedexecution—apair(A;info)2IExofanabstractexecutionA2AEx[x]andafunctioninfo:A:E!AInfo,taggingeventswithauxiliaryinformationfromasetAInfo.Asweshowbelow,AInfocanbechosenonceforaclassofdatatypeimplementations:e.g.,AInfo=Timestampforstate-basedones(x5.2).WeuseIandJtorangeoverinstrumentedexecutionsandshorten,e.g.,I:A:EtoI:E.Forapartialfunctionhwewriteh(x)#forx2dom(h),andadopttheconventionthath(x)=yimpliesh(x)#.DEFINITION8.Areplication-awaresimulationbetweenDandFwithrespecttoinfoandabstractmethodsdo],send]andreceive]isacollectionofrelationsfRr;Mjr2ReplicaIDgsatisfyingtheconditionsinFig.5.Hereinfoandabstractmethodsaremeanttobexedforagivenclassofimplementations,suchasstateorop-based.Toproveapar-ticularimplementationwithinthisclass,oneneedstondsimula-tionrelationssatisfyingtheconditionsinFig.5.Forexample,asweshowinx5.3,thefollowingrelationletsusprovethecorrectnessofthecounterinFig.2(b)withrespecttoinfoandabstractmethodsappropriateforstate-basedimplementations:hs;vi[Rr]I()(r=s)^(v[M]I);v[M]((E;repl;obj;oper;rval;ro;vis;ar);info)()8s:v(s)=fe2Ejoper(e)=inc^repl(e)=sg:(6)INITinFig.5associatestheinitialstateatareplicarwiththeexecutionhavinganemptysetofevents.DO,SENDandRECEIVEformalizetheobligationsillustratedinFig.4(a,b).Notethatdo]isparameterizedbyanevente(requiredtobefreshininstantiations)andtheinformationabouttheoperationperformed.TheabstractmethodsarepartialandtheobligationsinFig.5assumethattheirapplicationsaredened.Wheninstantiatingreceive]foragivenclassofimplementations,weletitbedenedonlywhenitsargumentssatisfytheagreementpropertyforthisclass,whichweestablishseparately(x5.4).Whiledoingthis,wecanalsoestablishsomeexecutioninvariants,holdingofsingleex- Figure7.OptimizedOR-setimplementation[6]anditssimulation =ReplicaID((ZReplicaID)!N0)(ReplicaID!N0)~0=r:hr;(a;s:0);(s:0)iM=((ZReplicaID)!N0)(ReplicaID!N0)do(add(a0);hr;V;wi;t)=(hr;(a;s:ifa=a0^s=rthenw(r)+1elseV(a;s));w[r7!w(r)+1]i;?)do(remove(a0);hr;V;wi;t)=(hr;(a;s:ifa=a0then0elseV(a;s));wi;?)do(rd;hr;V;wi;t)=(hr;V;wi;faj9s:V(a;s)�0g)send(hr;V;wi)=(hr;V;wi;hV;wi)receive(hr;V;wi;hV0;w0i)=hr;(a;s:if(V(a;s)=0^w(s)V0(a;s))_(V0(a;s)=0^w0(s)V(a;s))then0elsemaxfV(a;s);V0(a;s)g);(s:maxfw(s);w0(s)g)i hs;V;wi[Rr]I()(r=s)^(hV;wi[M]I)hV;wi[M]((E;repl;obj;oper;rval;ro;vis;ar);info)()1:9distinctes;k:(fes;kjs2ReplicaID^1kw(s)g=2:fe2Ejoper(e)=add( )g)^3:(8s;k;j:(repl(es;k)=s)^(es;jro�!es;k()jk))^4:(8a;s:(V(a;s)w(s))^(V(a;s)6=0=)5:(oper(es;V(a;s))=add(a))^6:(:9k:V(a;s)kw(s)^oper(es;k)=add(a))^7:(:9f2E:oper(f)=remove(a)^es;V(a;s)vis�!f)))^8:(8a;s;k:es;k2E^oper(es;k)=add(a)=)9:(kV(a;s)_9f2E:oper(f)=remove(a)^es;kvis�!f)) Thecomponentwinhr;V;wirecordsidentiersofbothofthoseinstancesthathavebeenremovedandthosethatarestillintheset(areactive).ThecomponentVservestodistinguishthelatter.Asithappens,wedonotneedtostoreallactiveinstancesofanelementa:foreveryreplicas,itisenoughtokeepthelastactiveinstanceidentiergeneratedbyanadd(a)atthisreplica.IfV(a;s)6=0,thisidentieris(s;V(a;s));ifV(a;s)=0,allinstancesofageneratedatsthatthecurrentreplicaknowsaboutareinactive.ThemeaningofVisformalizedinthesimulation:eachinstanceidentiergivenbyViscoveredbyw(line4)and,ifV(a;s)6=0,thentheeventes;V(a;s)performsadd(a)(line5),isthelastadd(a)byreplicas(line6)andhasnotbeenobservedbyaremove(a)(line7).Finally,theadd(a)eventsthatarenotseenbyaremove(a)intheexecutionareeithertheeventses;V(a;s)orthosesupersededbythem(lines8-9).ThisensuresthatreturningallelementswithanactiveinstanceinrdmatchesForset.Whenareplicarperformsdo(add(a0)),weupdateV(a0;r)tocorrespondtothenewinstanceidentier.Conversely,indo(remove(a0)),weclearallentriesinV(a0),therebydeactivat-ingallinstancesofa0.However,afterthistheiridentiersarestillrecordedinw,andsoweknowthattheyhavebeenpreviouslyre-moved.Thisallowsustoaddresstheproblemwithimplementingreceivewementionedabove:ifwereceiveamessagewithanactiveinstance(s;V0(a;s))ofanelementathatisnotinthesetatourreplica(V(a;s)=0),butpreviouslyexisted(w(s)V0(a;s)),thismeansthattheinstancehasbeenremovedandshouldnotbeactiveintheresultingstate(theentryfor(a;s)shouldbe0).Wealsodothesamecheckwiththestateandthemessageswapped.Astheaboveexplanationshows,oursimulationrelationsareusefulnotonlyforprovingcorrectnessofdatatypeimplementa-tions,butalsoforexplainingtheirdesigns.DischargingobligationsinFig.5requiressomeworkfortheOR-set;duetospacecon-straints,wedeferthistoxA. Figure8.Functionstepthatmirrorstheeffectofanevente2C0:EfromC02CEx[x]inD2DEx,denedwhensoistheabstractmethodused step(C0;e;D)=D[r7!do](D(r);e;r;C0:oper(e);C0:rval(e);C0:time(e))];ifC0:act(e)=do^C0:repl(e)=rstep(C0;e;D)=D[r7!I;C0:msg(e)7!J];ifC0:act(e)=send^C0:repl(e)=r^C0:msg(e)62dom(D)^send](D(r))=(I;J)step(C0;e;D)=D[r7!receive](D(r);D(C0:msg(e)))];ifC0:act(e)=receive^C0:repl(e)=r 5.4SoundnessandEstablishingAgreementPropertiesWepresentconditionsonAInfoandabstractmethodsensuringthesoundnessofreplication-awaresimulationsoverthemand,inpar-ticular,establishingtheagreementpropertyandexecutioninvari-antsassumedviathedenednessofabstractoperationsinFig.5.THEOREM9(Soundness).AssumeAInfo,do],send],receive],VandTthatsatisfytheconditionsinFig.9forsomeG.Ifthereexistsareplication-awaresimulationbetweenDandFwithrespecttotheseparameters,thenDsat[V;T]F.ConditionsinFig.9requireglobalreasoning,butcanbedischargedonceforaclassofdatatypes.Forexample,theyholdoftheinstantiationforstate-basedimplementationsfromx5.2,aswellasoneforop-basedimplementationspresentedinxB.THEOREM10.ThereexistsGsuchthat,forallD,theparametersinFig.6satisfytheconditionsinFig.9withrespecttothisG,V=Vstate,T=T-Any.TheproofsofTheorems9and10aregiveninxB.ToexplaintheconditionsinFig.9,hereweconsidertheproofstrategyforTheorem9.ToestablishDsat[V;T]F,foranyC2JDK\Tweneedtoshowabs(C;V)j=[7!F].WeprovethisbyinductiononthelengthofC.TousethelocalizedconditionsinFig.5,werequirearelationGassociatingCwithadecomposedexecution—apartialfunctionD:(ReplicaID[MessageID)*IExthatgivesfragmentsofabs(C;V)correspondingtoreplicastatesandmessagesinthenalcongurationofC.WewriteDExforthesetofalldecomposedexecutions,sothatGCEx[x]DEx.TheexistenceofadecomposedexecutionDsuchthatC[G]Dformsthecoreofourinductionhypothesis.G-CTXTinFig.9checksthattheabstractmethodsconstructvisibilityaccordingtoV:itrequiresthecontextofanyeventebyareplicartobethesameinD(r)andabs(C;V).TogetherwithDOinFig.5,thisensuresabs(C;V)j=[7!F].WewriteC0(Ce�!(R;T))whenC0isanextensionofCinthefollowingsense:C0:E=C:E]feg,theothercompo-nentsofCarethoseofC0restrictedtoC:E,eislastinC0:eoandC0:post(e)=(R;T).Fortheinductionstep,assumeC[G]DandC0(Ce�!(R;T));seeFig.4(c).Thenthedecomposedexecu-tionD0correspondingtoC0isgivenbystep(C0;e;D),wherethefunctionstepinFig.8mirrorstheeffectoftheeventefromC0inDusingtheabstractmethods.G-STEPensuresthatitpreservestherelationG.Crucially,G-STEPalsorequiresustoestablishthede-nednessofstepandthusthecorrespondingabstractmethod.ThisjustiestheagreementpropertyandexecutioninvariantsencodedbythedenednessandallowsustousetheconditionsinFig.5tocompletetheinduction.WealsorequireG-INIT,whichestablishesthebasecase,andG-VIS,whichformulatesatechnicalrestrictiononV.Finally,theconditionsinFig.9allowustousethetransportspecicationTbyconsideringonlyexecutionsCsatisfyingit.6.SpaceBoundsandImplementationOptimalityObjectstatesinreplicateddatatypeimplementationsincludenotonlythecurrentclient-observablecontent,butalsometadata some2Qwehavelen(enc(state(e)))blgjjjQjc.Thenwcmo(D;n;m)mmo(D;C)len(state(e)) len(C:rval(e))blgjjjQjc max02Qlen(C0:rval(e0)):utToapplythislemmatothebesteffect,weneedtondexperi-mentfamilieswithjQjaslargeaspossibleandlen(C0:rval(e0))assmallaspossible.Findingsuchfamiliesischallenging,asthereisnosystematicwaytoderivethem.Wereliedonintuitionsabout“whichsituationsforcereplicastostorealotofinformation”whensearchingforexperimentfamilies.Driverprograms.Wedeneexperimentfamiliesusingdriverprograms(e.g.,seeFig.11).Thesearewritteninimperativepseu-docodeandusetraditionalconstructslikeloopsandconditionals.Astheyexecute,theyconstructconcreteexecutionsofthedatatypelibrary[7!D]bymeansofthefollowinginstructions,eachofwhichtriggersauniquely-determinedtransitionfromFig.3:dorotdooperationoonxatreplicarwithtimestamptu dorotsame,butassignthereturnvaluetousendr(mid)sendamessageforxwithidentiermidatrreceiver(mid)receivethemessagemidatreplicarProgramsexplicitlysupplytimestampsfordoandmessageidentiersforsendandreceive.Werequirethattheydothiscor-rectly,e.g.,respectuniquenessoftimestamps.Whenadriverpro-gramterminates,itmayproduceareturnvalue.ForaprogramP,animplementationD,andaconguration(R;T),weletexec(D;(R;T);P)betheconcreteexecutionofthedatatypeli-brary[7!D]startingin(R;T)thatresultsfromrunningP;wedeneresult(D;(R;T);P)asthereturnvalueofPinthisrun.6.3LowerBoundforState-BasedCounter(ctr)THEOREM15.IfDctrsat[Vstate;T-Any]Fctr,thenDctrisb (n).Westartbyformulatingasuitableexperimentfamily.LEMMA16.IfDctrsat[Vstate;T-Any]Fctr,n2andmnisamultipleof(n�1),thentuple(Q;n;m;C;e;rb)asdenedintheleftcolumnofFig.11isanexperimentfamily.Theideaoftheexperimentsistoforcereplica1torememberonenumberforeachoftheotherreplicasinthesystem,whichthenintroducesanoverheadproportionalton;cf.theimplementationinFig.2(b).WeshowoneexperimentinFig.12.Allexperimentsstartwithacommoninitializationphase,denedbyinit,whereeachofthereplicas2::nperformsm=(n�1)incrementsandsendsamessageaftereachincrement.Allmessagesremainundelivereduntilthesecondphase,denedbyexp().Therereplica1receivesexactlyonemessagefromeachreplicar=2::n,selectedusing(r).Anexperimentconcludeswiththereadeontherstreplica.Theread-backworksbyperformingseparatetestsforeachofthereplicasr=2::n,denedbytest(r).Forexample,todeter-minewhichmessagewassentbyreplica2duringtheexperimentinFig.12,theprogramtest(2):readsthecountervalueatreplica1,getting12;deliversthenalmessagebyreplica2toit;andreadsthecountervalueatreplica1again,getting14.Byobservingthedifference,theprogramcandeterminethemessagesentduringtheexperiment:(2)=5�(14�12)=3.PROOFOFLEMMA16.Theonlynontrivialobligationistoproverb(state(e))=.Let(R;T)=nal(C).Then(r)(i)=result(Dctr;(R0;T0);(init;exp();test(r)))=result(Dctr;(R;T);test(r))(ii)=result(Dctr;(Rinit[(x;1)7!R(x;1)];Tinit);test(r))=rb(R(x;1))(r)=rb(state(e))(r); Figure11.Experimentfamilies(Q;n;m;C;e;rb)usedintheproofsofTheorem15(ctr)andTheorem17(orset) ctr orset Conditionsonn;m(numberofreplicas/updates) mn2 mn2 mmod(n�1)=0 (m�1)mod(n�1)=0 IndexsetQ Q=([2::n]![1::m n�1]) Q=([2::n]![1::m�1 n�1]) FamilysizejQj jQj=(m n�1)n�1 jQj=(m�1 n�1)n�1 Driverprograms procedureinitforallr2[2::n]foralli2[1::m n�1]dorincrm+isendr(midr;i) procedureinitforallr2[2::n]foralli2[1::m�1 n�1]doradd(0)rm+isendr(midr;i) procedureexp()forallr2[2::n]receive1(midr;(r))do1rd(n+2)m//reade procedureexp()forallr2[2::n]receive1(midr;(r))do1remove(0)(n+2)mdo1rd(n+3)m//reade proceduretest(r)u do1rd(n+3)mreceive1(midr;m n�1)u0 do1rd(n+4)mreturnm n�1�(u0�u) proceduretest(r)foralli2[1::(m�1 n�1)]receive1(midr;i)u do1rd(n+4)m+iif02ureturni�1returnm�1 n�1 DenitionofexecutionsC C=exec(D;(R0;T0);init;exp()) where(R0;T0)=([x7!D:~0];;) Denitionofread-backfunctionrb:D:!Q rb()=r:[2::n]:result(D;(Rinit[(x;1)7!];Tinit);test(r)) where(Rinit;Tinit)=post(exec(D;(R0;T0);init)) Figure12.Exampleexperiment(n=4andm=15)andtestforctr.Graydashedlinesrepresenttheconguration(Rinit[(x;1)7!R(x;1)];Tinit)wherethetestdriverprogramisapplied. where:(i)ThisisduetoDctrsat[Vstate;T-Any]Fctr,asweexplainedinformallyabove.LetC0=exec(Dctr;(R0;T0);(init;exp();test(r))):Thentheoperationcontextinabs(C0;Vstate)oftherstreadintest(r)containsPnr=2(r)increments,whilethatofthesecondreadcontains(m=(n�1))�(r)moreincrements.(ii)WehaveT=Tinitbecauseexp()doesnotsendanymes-sages.Also,RandRinit[(x;1)7!R(x;1)]candifferonly Figure13.Aselectionofconsistencyaxiomsoveranexecution(E;repl;obj;oper;rval;ro;vis;ar) Auxiliaryrelationssameobj(e;f)()obj(e)=obj(f)Per-objectcausality(akahappens-before)order:hbo=((ro\sameobj)[vis)+Causality(akahappens-before)order:hb=(ro[vis)+AxiomsEVENTUAL:8e2E::(9innitelymanyf2E:sameobj(e;f)^:(evis�!f))THINAIR:ro[visisacyclicPOCV(Per-ObjectCausalVisibility):hbovisPOCA(Per-ObjectCausalArbitration):hboarCOCV(Cross-ObjectCausalVisibility):(hb\sameobj)visCOCA(Cross-ObjectCausalArbitration):hb[arisacyclic Figure14.Anomaliesallowedordisallowedbydifferentaxioms (a)DisallowedbyTHINAIR:x;y:intregi=x:rd j=y:rdy:wr(i) x:wr(j) (b)DisallowedbyPOCV:x:orsetx:add(1) i=x:rd j=x:rdx:add(2) x:add(3) (c)AllowedbyCOCVandCOCA:x;y:intregx:wr(1) y:wr(1)i=y:rd j=x:rd fromeffectsofspeculativecomputations,whicharedonebysomeolderreplicatedstores[35].THINAIRisvalidatedbyfVstate;VopgandT-Any,andEVEN-TUALbyfVstate;VopgandthefollowingconditiononCensuringthateverymessageiseventuallydeliveredtoallotherreplicasandeveryoperationisfollowedbyamessagegeneration:(8e2C:E:8r;r0:C:act(e)=send^C:repl(e)=r^r6=r0=)9f:C:repl(f)=r0^edel(C)����!f)^(8e2C:E:C:act(e)=do=)9f:act(f)=send^eroo(C)����!f);whereroo(C)isro(C)projectedtoeventsonthesameobject.Causalityguarantees.Manyreplicatedstoresachieveavailabil-ityandpartitiontolerancewhileprovidingstrongerguarantees,whichweformalizebytheotheraxiomsinFig.13.Wecallanex-ecutionper-object,respectively,cross-objectcausallyconsistent,ifitiseventuallyconsistent(asperabove)andsatisestheax-iomsPOCVandPOCA,respectively,COCVandCOCA.POCVguaranteesthatanoperationseesalloperationsconnectedtoitbyacausalchainofeventsonthesameobject;COCValsoconsid-erscausalchainsviadifferentobjects.Thus,POCVdisallowstheexecutioninFig.14(b),andCOCVtheoneinx3.1,correspond-ingto(2)fromx1.POCAandCOCAsimilarlyrequirearbitrationtobeconsistentwithcausality.Theaxiomshighlighttheprincipleofformalizingstrongerconsistencymodels:includingmoreedgesintovisandar,sothatclientshavemoreup-to-dateinformation.Cross-objectcausalconsistencyisimplementedby,e.g.,COPS[26]andGemini[22].Itisweakerthanstrongconsistency,asitallowsreadingstaledata.Forexample,itallowstheexecutioninFig.14(c),wherebothreadsfetchtheinitialvalueoftheregister,despitewritestoitbytheotherreplica.Itiseasytocheckthatthisoutcomecannotbeproducedbyanyinterleavingoftheeventsatthetworeplicas,andisthusnotstronglyconsistent.Aninterestingfeatureofper-objectcausalconsistencyisthatstate-baseddatatypesensuremostofitjustbythedenitionofVstate:POCVisvalidatedbyfVstategandT-Any.IfthewitnesssetisfVstate;Vopg,thenweneedTtoguaranteethefollowing:in-formally,ifasendeventeandanothereventfareconnectedbyacausalchainofeventsonthesameobject,thenthemessagecre-atedbyeisdeliveredtoC:repl(f)bythetimefisdone.POCAisvalidatedbyfVstate;Vopgandthetransportlayerspecication(roo(C)[del(C))+jdoar(C).ThisstatesthattimestampsofeventsoneveryobjectbehavelikeaLamportclock[21].Condi-tionsforCOCVandCOCAaresimilar.Therealsoexistconsistencylevelsinbetweenbasiceventualconsistencyandper-objectcausalconsistency,denedusingso-calledsessionguarantees[34].WecovertheminxD.Comparisonwithshared-memoryconsistencymodels.Inter-estingly,thespecializationsoftheconsistencylevelsdenedbytheaxiomsinFig.13tothetypeintregofLWW-registersareveryclosetothoseadoptedbythememorymodelinthe2011CandC++standards[5].Thus,POCAandPOCVdenethesemanticsofthefragmentofC/C++restrictedtoso-calledrelaxedoperations;therethissemanticsisdenedusingcoherenceaxioms,whichareanalogoustosessionguarantees[34].COCVandCOCAareclosetothesemanticsofC/C++restrictedtorelease-acquireoperations.However,C/C++doesnothaveananalogofEVENTUALanddoesnotvalidateTHINAIR,sinceitmakestheeffectsofspeculationsvisibletotheprogrammer[4].WeformalizethecorrespondencetoC/C++inxD.Inthefuture,thiscorrespondencemayopenthedoortoapplyingtechnologydevelopedforshared-memorymod-elstoeventuallyconsistentsystems;promisingdirectionsincludemodelchecking[3,9],automaticinferenceofrequiredconsistencylevels[25]andcompositionalreasoning[4].8.RelatedWorkForacomprehensiveoverviewofreplicateddatatyperesearchwereferthereadertoShapiroetal.[31].Mostpapersproposingnewdatatypeimplementations[6,30–32]donotprovidetheirformaldeclarativespecications,savefortheexpectedproperty(1)ofqui-escentconsistencyorrstspecicationattemptsforsets[6,7].For-malizationsofeventualconsistencyhaveeitherexpressedquiescentconsistency[8]orgavelow-leveloperationalspecications[16].AnexceptionistheworkofBurckhardtetal.[10,12],whopro-posedanaxiomaticmodelofcausaleventualconsistencybasedonvisibilityandarbitrationrelationsandanoperationalmodelbasedonrevisiondiagrams.Theirstorespecicationdoesnotprovidecustomizableconsistencyguarantees,andtheirdatatypespecica-tionsarelimitedtothesequentialSconstructionfromx3.2,whichcannotexpressadvancedconictresolutionusedbythemulti-valueregister,theOR-setandmanyotherdatatypes[31].Moresignif-icantly,theiroperationalmodeldoesnotsupportgeneralop-orstate-basedimplementations,andisthusnotsuitedforstudyingthecorrectnessoroptimalityofthesecommonlyusedpatterns.Simulationrelationshavebeenappliedtoverifythecorrectnessofsequential[24]andshared-memoryconcurrentdatatypeimple-mentations[23].Wetakethisapproachtothemorecomplexset-tingofareplicatedstore,wherethesimulationneedstotakeintoaccountmultipleobjectcopiesandmessagesandassociatethemwithstructuresonevents,ratherthansingleabstractstates.Thisposestechnicalchallengesnotconsideredbypriorwork,whichweaddressbyournovelnotionofreplication-awaresimulations.Thedistributedcomputingcommunityhasestablishedanum-berofasymptoticlowerboundsonthecomplexityofimplement-ingcertaindistributedorconcurrentabstractions,includingone- A.AdditionalproofsofdatatypecorrectnessOptimizedOR-set(orset).WenowdischargetheobligationsforthesimulationfortheoptimizedOR-setwepresentedinx5.3.TheonlyinterestingobligationisRECEIVE.Letreceive(hr;V;wi;hV0;w0i)=hr;V00;w00i;sothatw00=s:maxfw(s);w0(s)gandV00=(a;s:if(V(a;s)=0^w(s)V0(a;s))_(V0(a;s)=0^w0(s)V(a;s))then0elsemaxfV(a;s);V0(a;s)g):Assumehr;V;wi[Rr]I,hV0;w0i[M]JandI=((E;repl;obj;oper;rval;ro;vis;ar);info);J=((E0;repl0;obj0;oper0;rval0;ro0;vis0;ar0);info0);ItJ=((E00;repl00;obj00;oper00;rval00;ro00;vis00;ar00);info00):ByagreewehaveItJ2IEx.Then9distinctes;k:(fes;kjs2ReplicaID^1kw(s)g=fe2Ej9a:oper00(e)=add(a)g)^(8s;j;k:(repl00(es;k)=s)^(es;jro�!es;k()jk))^(8a;s:(V(a;s)w(s))^(V(a;s)6=0=)oper00(es;V(a;s))=add(a)^(:9k:V(a;s)kw(s)^oper00(es;k)=add(a))^(:9f2E:oper00(f)=remove(a)^es;V(a;s)vis�!f)))^(8a;s;k:es;k2E^oper00(es;k)=add(a)=)(kV(a;s)_9f2E:oper00(f)=remove(a)^es;kvis�!f))and9distincte0s;k:(fe0s;kjs2ReplicaID^1kw0(s)g=fe2E0j9a:oper00(e)=add(a)g)^(8s;j;k:(repl00(e0s;k)=s)^(e0s;jro0�!e0s;k()jk))^(8a;s:(V0(a;s)w0(s))^(V0(a;s)6=0=)oper00(e0s;V0(a;s))=add(a)^(:9k:V0(a;s)kw0(s)^oper00(e0s;k)=add(a))^(:9f2E0:oper00(f)=remove(a)^e0s;V0(a;s)vis0��!f)))^(8a;s;k:e0s;k2E0^oper00(e0s;k)=add(a)=)(kV0(a;s)_9f2E0:oper00(f)=remove(a)^e0s;kvis0��!f)):Theagreepropertyalsoimpliesthat8s;k:1kminfw(s);w0(s)g=)es;k=e0s;k:Hence,thereexistdistincte00s;kfors2ReplicaID,k=1::w00(s)suchthat(8s;k:1kw(s)=)e00s;k=es;k)^(8s;k:1kw0(s)=)e00s;k=e0s;k)and(e00s;kjs2ReplicaID^1kw00(s)g=fe2E[E0j9a:oper00(e)=add(a)g)^(8s;j;k:(repl(e00s;k)=s)^(e00s;jro00��!e00s;k()jk)):Since8a;s:V(a;s)w(s)^V0(a;s)w0(s);bythedenitionofV00wehaveV00(a;s)maxfV(a;s);V0(a;s)gmaxfw(s);w0(s)g=w00(s):ConsideraandssuchthatV00(a;s)6=0.ThenV00(a;s)=V(a;s)orV00(a;s)=V0(a;s).Hence,oper00(e0s;V00(a;s))=oper00(es;V(a;s))=add(a)oroper00(e0s;V00(a;s))=oper00(e0s;V0(a;s))=add(a);sothatinanycaseoper00(e0s;V00(a;s))=add(a):Wealsohave:8k:(V(a;s)kw(s)_V0(a;s)kw0(s))=)oper00(e00s;k)6=add(a):Hence,8k:(maxfV(a;s);V0(a;s)gkmaxfw(s);w0(s)g=)oper00(e00s;k)6=add(a);and8k:V00(a;s)kw00(s)=)oper00(e00s;k)6=add(a):Wenowshowthat:9f2E00:oper00(f)=remove(a)^es;V00(a;s)vis00��!f:(7)SinceV00(a;s)6=0,weget(V(a;s)6=0_(V0(a;s)6=0^w(s)V0(a;s)))^(V0(a;s)6=0_(V(a;s)6=0^w0(s)V(a;s)));whichisequivalentto(V(a;s)6=0^V0(a;s)6=0)_(V(a;s)=0^V0(a;s)6=0^w(s)V0(a;s))_(V0(a;s)=0^V(a;s)6=0^w0(s)V(a;s)):Considereverydisjunctseparately.Intherstcase,wehave(:9f2E:oper00(f)=remove(a)^es;V(a;s)vis�!f)^(:9f2E0:oper00(f)=remove(a)^es;V0(a;s)vis0��!f)andV00(a;s)=maxfV(a;s);V0(a;s)g.IfV(a;s)=V0(a;s),thenthisstraightforwardlyimplies(7).IfV(a;s)V0(a;s),thenV00(a;s)=V0(a;s)and,since:9k:V(a;s)kw(s)^oper(es;k)=add(a);wehavees;V0(a;s)62E.Thisimplies(7).ThecaseofV(a;s)&#x-285;V0(a;s)isanalogous.Inthecaseoftheseconddisjunct,wehaveV00(a;s)=V0(a;s).FromV0(a;s)6=0weget:9f2E0:oper00(f)=remove(a)^es;V0(a;s)vis0��!f;andfromw(s)V0(a;s)wegetes;V0(a;s)62E.Thisimplies(7).Thethirddisjunctishandledanalogously.Thus,(7)holds.Finally,weshowthat8a;s;k:e00s;k2E00^oper00(e00s;k)=add(a)=)(kV00(a;s)_9f2E00:oper00(f)=remove(a)^e00s;kvis00��!f):(8)Takea;s;ksuchthate00s;k2E00andoper00(e00s;k)=add(a)andassumethat:9f2E00:oper00(f)=remove(a)^e00s;kvis00��!f:Then(kw(s)=):9f2E:oper00(f)=remove(a)^es;kvis�!f);(kw0(s)=):9f2E0:oper00(f)=remove(a)^e0s;kvis0��!f); Hence,8f2fe2Ej9b:oper(e)=wr(b)g:9(a;v)2V:f=eh(a;v);v(h(a;v))_fvis�!eh(a;v);v(h(a;v)):(11)Theinvpropertyimpliesthatvisistransitive,sothattheaboveand(10)imply8(a;v)2V::9f2fe2Ej9b:oper(e)=wr(b)g:eh(a;v);v(h(a;v))vis�!f:Thisand(11)implyfeh(a;v);v(h(a;v))j(a;v)2Vg=fej9a2E:oper(e)=wr(a)^:9f2E:9a0:oper(e)=wr(a0)^evis�!fg:Since8(a;v)2V:oper(eh(a;v);v(h(a;v)))=wr(a);thisimplies(9).LetusnowdischargeRECEIVE.Letreceive(hr;Vi;V0)=hr;V00i,whereV00=f(a;v)2Vj:9(a0;v0)2V0:vvv0g[f(a0;v0)2V0j:9(a;v)2V:v0vvgAssumehr;Vi[Rr]I,V0[M]JandI=((E;repl;obj;oper;rval;ro;vis;ar);info);J=((E0;repl0;obj0;oper0;rval0;ro0;vis0;ar0);info0);ItJ=((E00;repl00;obj00;oper00;rval00;ro00;vis00;ar00);info00):ByagreewehaveItJ2IEx.Then(8(a;v);(a0;v0)2V:(a=a0^v=v0)_:(vvv0))^9distinctes;k:9h:V!ReplicaID:(fe2Ej9a:oper00(e)=wr(a)g=fes;kjs2ReplicaID^1kmaxfv(s)j9a:(a;v)2Vgg)^(8s;j;k:(repl00(es;k)=s)^(es;jro�!es;k()jk))^(8(a;v)2V:oper00(eh(a;v);v(h(a;v)))=wr(a))^(8(a;v)2V:8f2fe2Ej9b:oper(e)=wr(b)g:fvis�!eh(a;v);v(h(a;v))()9s;k:f=es;k^((s6=h(a;v)^1kv(s))_(s=h(a;v)^1kv(s)�1))))and(8(a;v);(a0;v0)2V0:(a=a0^v=v0)_:(vvv0))^9distincte0s;k:9h0:V0!ReplicaID:(fe2E0j9a:oper00(e)=wr(a)g=fe0s;kjs2ReplicaID^1kmaxfv(s)j9a:(a;v)2V0gg)^(8s;j;k:(repl00(e0s;k)=s)^(e0s;jro0�!e0s;k()jk))^(8(a;v)2V0:oper00(e0h0(a;v);v(h0(a;v)))=wr(a))^(8(a;v)2V0:8f2fe2E0j9b:oper(e)=wr(b)g:fvis0��!e0h0(a;v);v(h0(a;v))()9s;k:f=e0s;k^((s6=h0(a;v)^1kv(s))_(s=h0(a;v)^1kv(s)�1)))):Theagreepropertyalsoimplies8s;k:1kminmaxfv(s)j9a:(a;v)2Vg;maxfv(s)j9a:(a;v)2V0g =)es;k=e0s;k:Hence,thereexistdistincte00s;kfors2ReplicaID;k=1::(maxfv(s)j9a:(a;v)2V00g);suchthat(8s;k:1kmaxfv(s)j9a:(a;v)2Vg=)e00s;k=es;k)^(8s;k:1kmaxfv(s)j9a:(a;v)2V0g=)e00s;k=e0s;k)and(fe2E[E0j9a:oper00(e)=wr(a)g=fe00s;kjs2ReplicaID^1kmaxfv(s)j9a:(a;v)2V00gg)^(8s;j;k:(repl(e00s;k)=s)^(e00s;jro00��!e00s;k()jk)):Assume(a;v)2V,(a0;v)2V0andh(a;v)6=h0(a0;v).Thene00h(a;v);v(h(a;v))vis00��!e00h0(a0;v);v(h0(a0;v))vis00��!e00h(a;v);v(h(a;v));contradictingItJ2IEx.Hence,h(a;v)=h0(a0;v)andthuswr(a)=oper(eh(a;v);v(h(a;v)))=oper(e0h0(a0;v);v(h0(a0;v)))=wr(a0):Wehavethusshownthat(a;v)2V;(a0;v)2V0=)h(a;v)=h0(a0;v)^a=a0:(12)Fromthis,thedenitionofV00and8a;v;a0;v0:((a;v);(a0;v0)2V_(a;v);(a0;v0)2V0)=)((a=a0^v=v0)_:(vvv0));weget8(a;v);(a0;v0)2V00:(a=a0^v=v0)_:(vvv0):From(12)weget8(a;v)2V\V0:h(a;v)=h0(a;v):Hence,thereexistsh00:V00!ReplicaIDsuchthat(8(a;v)2V00\V:h00(a;v)=h(a;v))^(8(a;v)2V00\V0:h00(a;v)=h0(a;v)):Finally,westraightforwardlyget(8(a;v)2V00:8f2fe2E[E0j9b:oper(e)=wr(b)g:fvis00��!eh00(a;v);v(h00(a;v))()9s;k:f=e00s;k^((s6=h00(a;v)^1kv(s))_(s=h00(a;v)^1kv(s)�1)))):Alloftheaboveimplieshr;V00i[Rr](ItJ),asrequired.Optimizedmulti-valueregister(mvr).WeprovethecorrectnessoftheimplementationDmvrinFig.17withrespecttothespeci-cationFmvrdenedinx3.2.Weletleastupperboundoperatoronversionvectorsbe:FV=s:maxfv(s)jv2Vg.Theoriginalimplementationofmulti-valueregisterstoresaver-sionvectorwitheachwrite.Ifasinglevaluewaswrittenconcur-rently,vectorscorrespondingtothesewritesareincomparable,i.e.,theydonoteliminateoneanotherduringreceive.Intheresult,mul-tiplevectorsmaybestoredinthestateforasinglevalue.Theoptimizedimplementationavoidsthisunnecessaryover-headwithanewdenitionofreceivethatcoalescesversionvectorsforthesamevalue.Notethatintheoriginalimplementationavalueaisisexposedintheregister'sobservablestate,orequivalently,ap-pearsasatleastoneentry(a; )2V,ifthereisatleastoneentryforwriteofathathasnotbeendominatedbyanotherwriteofa06=a.Weobservethisconditionisequivalentto:theleastupperboundofallvectorsofwritesofaisnotdominatedbytheleastupperboundofallvectorsofwritesofa06=a.Consequently,implementationstoresonlytheleastupperboundversionvectorperelement.ThesimulationrelationisalsoshowninFig.17.TheonlyinterestingcasesintheproofareDOforrdandRECEIVE.Consider Considere2E[E0suchthatoper(e)=wr(a)^:9f2E:oper(f)=wr( )^evis00��!f;(15)then(a;v)2V00forsomev.IfvvGfv0j9a0:(a0;v0)2V00^a6=a0g:then(14)yieldsacontradictionwith(15).Hence,(a;v)2V000.BythedenitionofV000wehave8(a;v)2V000:v6vGfv0j9a0:(a0;v0)2V00^a6=a0g:SinceV000V00,thisimplies8(a;v)2V000:v6vGfv0j9a0:(a0;v0)2V000^a6=a0g:Alloftheaboveimplieshr;V000i[Rr](ItJ),asrequired.B.Additionalmaterialonreplication-awaresimulationsInthisappendix,weprovethetheoremsandclaimsinx5.Recallthatinthatsection,wexedthefollowingentities:Objectxofatype;D=(;~0;M;do;send;receive);VisibilitywitnessV;TransportlayerspecicationT:Also,weconsideredabstract,instrumented,decomposedandcon-creteexecutionsthatworkonlyontheobjectx.Accordingly,wewriteAEx[x]andCEx[x]forthesetsofsuchx-restrictedabstractandconcreteexecutions,respectively.Finally,weusedthenota-tionI;tomeantheinstrumentedabstractexecutionwiththeemptyeventset,andD;theuniquedecomposedexecutionsatisfyingtheconditionbelow:dom(D;)=ReplicaID^8r2ReplicaID:D;(r)=I;:B.1ProofofTheorem9Inthissubsection,weprovethesoundnessofoursimulationmethod(Theorem9).Intheproof,wewillusethefollowingno-tationsandconcepts.1.Foreverypartialfunctionf:X1:::Xn*Y,wewritef(x1;:::;xn)#tomeanthat(x1;:::;xn)2dom(f).2.Weliftoursimulationrelationfromstatesofasingleobjecttocongurations:SCongDExwhichisdenedasfollows:(R;T)[S]D()dom(D)=(frj(x;r)2dom(R)g[dom(T))^(8m2M:8mid2dom(D)\MessageID:T(mid)=( ; ;m)=)m[M]D(mid))^(8r2dom(D)\ReplicaID:R(x;r)[Rr]D(r)):3.ForaconcreteexecutionCwitheventsetC:E,wewriteC(R0;T0)e1�!(R1;T1)e2�!:::en��!(Rn;Tn)forsome1n,tomeanthat(a)e1:::enistheenumerationofallelementsinC:EaccordingtoC'seoorder;(b)pre(ei)=(Ri�1;Ti�1)andpost(ei)=(Ri;Ti)foralli.WeextendthisnotationtoconcreteexecutionsCwithcountablyinnitesetsC:E,andwriteC(R0;T0)e1�!(R1;T1)e2�!:::ei�!(Ri;Ti)ei+1���!:::tomeanthesamepropertyexceptthatitnowreferstotheinniteenumeratione1;:::;ei;:::ofC:Ebytheeoorder.Inbothcases,foranyprexe1;:::;eioftheenumerationofC:Eaccordingtotheeoorder,weusethenotationCje1;:::;eitomeantherestrictionofCtoeventsinfe1;:::;eig.Thisre-strictionalwaysgivesawell-denedconcreteexecution,becausee1;:::;eiisaprexoftheenumerationofC:Ebyeo.4.WesaythatCstartslegitimatelyifitsstartingconguration(R0;T0)satisesthefollowingcondition:dom(T0)=;^dom(R0)=f(x;r)jr2ReplicaIDg^8r2ReplicaID:R0(x;r)=~0(r):THEOREM22.ForeveryconcreteexecutionC2CEx[x]\T,ifCstartslegitimatelyandC(R0;T0)e1�!(R1;T1)e2�!:::ei�!(Ri;Ti)ei+1���!:::forsomeei'sand(Ri;Ti)'s,thenthereexistsasequenceofdecom-posedexecutions:D0;D1;D2;:::;Di;:::suchthat1.foreveryi1,step(C;ei;Di�1)#^step(C;ei;Di�1)=Di;2.foreveryi1,ifweletAi=abs(Cje1;:::;ei;V),then8e2Ai:E:8r2ReplicaID:Ai:repl(e)=r=)ctxt(Di(r):A;e)=ctxt(Ai;e);3.foreveryi0,(Ri;Ti)[S]Di:AsimilarpropertyalsoholdsforanconcreteexecutionCwithniteC:E,ifCstartslegitimately.PROOF.Foralli1,letCi=Cje1;:::;ei:Then,foreveryi1,Ci2CEx[x]\T^CiCi�1ei�!(Ri;Ti)^8D:step(Ci;ei;D)=step(C;ei;D):Foreachk1andasequenceofdecomposedexecutionD0;D1;D2;:::;Dk;wewrite(D0;:::;Dk)ifthefollowingtwoconditionsaremet:1.Forall1ik,step(C;ei;Di�1)#^step(C;ei;Di�1)=Di:2.Forall1ik,Ci[G]Di:LetI;betheinstrumentedabstractexecutionwiththeemptyeventset,anddeneD;asfollows:dom(D;)=ReplicaID^8r2ReplicaID:D;(r)=I;:SinceCstartslegitimately,dom(T0)=;.Hence,bytheG-INITconditionofthesimulationmethodinFig.9,step(C1;e;D;)#^C1[G]step(C1;e;D;):WedeneD0=D;andD1=step(C1;e;D;): Bythedenitionofthetransitionrelationforconcreteexecu-tions,Ri=Ri�1[(x;r)7!0]^Ti=Ti�1:Thus,bycombiningallthethingsthatweprovedtogetherandtherelationship(Ri�1;Ti�1)[S]Di�1fromtheinductionhypothesis,wecanconcludethat(Ri;Ti)[S]Di;asdesired.PROOFOFTHEOREM9.Considerdo];send];receive];V;T;GsuchthattheconditionsinFig.9hold.AssumethatDsimulatesaspecicationFwithrespecttotheseoperations.PickaconcreteexecutionC2JDK\T:Weshouldshowthatabs(C;V)j=[7!F].LetA=abs(C;V):IfA:Eisempty,thereisnothingtoprove.Otherwise,Cstartslegitimately.WewillfocusonthecasethatC:Eiscountablyinnite,andprovethatAj=[7!F].TheothercaseofC:Ebeingnitecanbeprovedsimilarly.Letei'sand(Ri;Ti)'sbeeventsandcongurationssuchthatC(R0;T0)e1�!(R1;T1)e2�!:::en��!(Ri;Ti):::ByTheorem22,thereexistsasequenceofdecomposedexecutions:D0;D1;D2;:::;Di;:::suchthat1.foreveryi0,step(C;ei;Di�1)#^step(C;ei;Di�1)=Di;2.foreveryi1,ifweletAi=abs(Cje1;:::;ei;V),8e2Ai:E:8r2ReplicaID:Ai:repl(e)=r=)ctxt(Di(r):A;e)=ctxt(Ai;e);3.foreveryi0,(Ri;Ti)[S]Di:Also,foreachi1,letCi=Cje1;:::;ei:Then,Ci2CEx[x]\Tandforeverye2abs(Ci;V):E,ctxt(abs(Ci;e);e)=ctxt(abs(C);e)=ctxt(A;e):Usingwhatwehavejustprepared,weprovethetheorem.Picke2A:E.WewillprovethatF(ctxt(A;e))=A:rval(e):Sinceabs(C;V)=A,9i1:ei=e:Theabs(C;V)operationincludesonlyado-typeevent.Hence,C:act(ei)=do;Let(r;o;a;t)=(C:repl(ei);C:oper(ei);C:rval(ei);C:time(ei))Then,bythedenitionofthetransitionrelation,thereexist;0suchthatRi�1(x;r)#^=Ri�1(x;r)^(0;a)=D:do(o;;t)^Ri=Ri�1[(x;r)7!0]:Sincestep(C;ei;Di�1)isdenedandequalsDi,thereexistin-strumentedexecutionsI;JsuchthatDi�1(r)#^Di�1(r)=I^do](I;ei;r;o;a;t)#^do](I;ei;r;o;a;t)=J^Di(r)=J:Meanwhile,becauseof(Ri�1;Ti�1)[S]Di�1,=Ri�1(x;r)[Rr]Di�1(r)=I:NowtheDOconditionofoursimulationmethodinFig.5ensuresthata=F(ctxt(J:A;ei)):(17)SinceC:rval(e0)=A:rval(e0)foreverye02A:E,a=C:rval(ei)=A:rval(e):(18)Furthermore,ctxt(J:A;ei)=ctxt(Di(r):A;e)=ctxt(abs(Ci;V);e)=ctxt(A;e):(19)Bycombining(17),(18)and(19),wecanderiveF(ctxt(A;e))=A:rval(e);asdesired.utB.2ProofofTheorem10Foranyabstract,concreteorinstrumentedexecutionX,setofeventsEandreplicaidr,wewriteXjEfortherestrictionofXtoeventsinE,andXjrfortherestrictionofXtoeventsinthereplicar.TheGstaterelationforstate-basedimplementationsinx5.4isdenedasfollows:C[Gstate]DifandonlyifReplicaIDdom(D)^dom(D)\MessageID=fC:msg(e)jC:act(e)=sendg^(8i2dom(D):inv(D(i)))^(8i2dom(D):D(i):A=abs(C;Vstate)jD(i):E)^(8i2dom(D):8e2D(i):E:e2C:E^D(i):info(e)=C:time(e))^(8r2dom(D)\ReplicaID:D(r):E=(((ro(C)[del(C)))�1(Cjr:E))jdo)^(8mid2dom(D)\MessageID:8E0:E0=fe2C:EjC:msg(e)=mid^C:act(e)=sendg=)D(mid):E=(((ro(C)[del(C)))�1E0)jdo)^(8i;j2dom(D):i6=j=)agree(D(i);D(j)))HereVstateisthevisibilitywitnessforthestate-basedimplementa-tionsinx4,andinvandagreearepredicatesinFig.6.THEOREM10ThereexistsGsuchthatforallD,theparametersinFig.6satisfytheconditionsinFig.9withrespecttothisG,V=Vstate,T=T-Any.PROOF.LetT=T-Any.Weproveeachofthefourconditionsseparately.ConditionG-CTXT.AssumethatC[Gstate]D:Picke;rsuchthate2abs(C;Vstate):E^abs(C;Vstate):repl(e)=r:SinceC[Gstate]D,wehaver2dom(D).LetI=D(r): LetD0=D[r7!I;mid7!I].WeshouldshowthatC0[Gstate]D0:ThefollowingconjunctsinthedenitionofC0[Gstate]D0followimmediatelyfromtheassumptionC[Gstate]D:ReplicaIDdom(D0)^dom(D0)\MessageID=fC0:msg(e)jC0:act(e)=sendg^(8i2dom(D0):inv(D0(i))):ForthenextconjunctinthedenitionofC0[Gstate]D0,wenoticethatabs(C;Vstate)=abs(C0;Vstate)andthatforev-eryi2dom(D0),thereexistssomej2dom(D)satisfyingD0(i)=D(j).Hence,foreveryi2dom(D0),ifweletjbesuchj,D0(i):A=D(j):A=abs(C;Vstate)jD(j):E=abs(C0;Vstate)jD(j):E=abs(C0;Vstate)jD0(i):E:Fortheremainingconjuncts,wenoticethatalltheinstrumentedexecutionsinD0arealreadypresentinD,C0isanextensionofCwithe,andeisthesendoperationandhappensattheendaccordingtotheC0:eoorder.FromthesepropertiesandtheassumptionC[Gstate]Dfollowalltheremainingconjuncts:(8i2dom(D0):8e2D0(i):E:e2C0:E^D0(i):info(e)=C0:time(e))^(8r2dom(D0)\ReplicaID:D0(r):E=(((ro(C0)[del(C0)))�1(C0jr:E))jdo)^(8mid02dom(D0)\MessageID:8E0:E0=fe2C0:EjC0:msg(e)=mid0^C0:act(e)=sendg=)D0(mid0):E=(((ro(C0)[del(C0)))�1E0)jdo)^(8i;j2dom(D0):i6=j=)agree(D0(i);D0(j))):3.ThelastcaseisthatC0:act(e)=receive.Letr=C0:repl(e);mid=C0:msg(e)and(R0;T0)=C0:pre(e):Bythedenitionofthetransitionrelation,mid2dom(T0).Then,sinceC0isaconcreteexecutionstartingfromacongu-rationwiththeemptyTcomponentandC0Ce�!(R;T),mid2fC:msg(f)jf2C:E^C:act(f)=sendg:Thus,fromourassumptionC[Gstate]D,itfollowsthatr2dom(D)^mid2dom(D):LetI1=D(r)andI2=D(mid):SinceC[Gstate]Dandr6=mid,inv(I1)^inv(I2)^agree(I1;I2):Hence,receive](I1;I2)#.LetJ=receive](I1;I2)andD0=D[r7!J]:ItremainstoshowthatC0[Gstate]D0.Sincedom(D0)=dom(C0)andC0:act(e)=receive,theassumptionC[Gstate]DgivesReplicaIDdom(D0)^dom(D0)\MessageID=fC0:msg(f)jC0:act(f)=sendgThenextrequirementsinthedenitionofC0[Gstate]D0are:(8i2dom(D0):inv(D0(i)))^(8i2dom(D0):D0(i):A=abs(C0;Vstate)jD0(i):E):SinceC[Gstate]D,wejustneedtoshowthatinv(J)^(J:A=abs(C0;Vstate)jJ:E):Thepartofinv(J)relatingJ:arandJ:infofollowsfrominv(I1)andinv(I2)andthedenitionofJ.Fortheotherpartofinv(J)andJ:A=abs(C0;Vstate)jJ:E,wewillshowthefollowingsufcientcondition:(J:ro=abs(C0;Vstate):ro\(EventJ:E))^(J:vis=abs(C0;Vstate):vis\(EventJ:E))^(J:ar=abs(C0;Vstate):ar\(EventJ:E)):Toseewhytheyimplythesecondpartofinv(J),lookatthebelowderivation:(J:vis[J:ro)+=((abs(C0;Vstate):vis\(EventJ:E))[(abs(C0;Vstate):ro\(EventJ:E)))+=((abs(C0;Vstate):vis[abs(C0;Vstate):ro)\(EventJ:E))+(abs(C0;Vstate):vis\(EventJ:E))+(abs(C0;Vstate):vis)+\(EventJ:E)=J:vis:Theproofsofthethreeconjunctsinthesufcientconditionaboveareessentiallythesame.Wepresenttheproofoftherst:J:ro=I1:ro[I2:ro=(abs(C;Vstate):ro\(EventI1:E))[(abs(C;Vstate):ro\(EventI1:E))=abs(C;Vstate):ro\((EventI1:E)[(EventI2:E))=abs(C;Vstate):ro\(Event(I1:E[I2:E))=abs(C;Vstate):ro\(EventJ:E)=abs(C0;Vstate):ro\(EventJ:E):WemoveontothefollowingconditionsofC0[Gstate]D0:(8i2dom(D0):8f2D0(i):E:f2C0:E^D0(i):info(f)=C0:time(f))^(8r02dom(D0)\ReplicaID:D0(r0):E=(((ro(C0)[del(C0)))�1(C0jr0:E))jdo)^(8mid02dom(D0)\MessageID:8E0:E0=ff2C0:EjC0:msg(f)=mid0^C0:act(f)=sendg=)D0(mid0):E=(((ro(C0)[del(C0)))�1E0)jdo):ProvingallthethreeconditionsusestheassumptionC[Gstate]D,whichwewillnotmentionexplicitly.TherstconditionholdsbecauseJ=receive](I1;I2)andI1andI2alreadysatisfythisconditionfori=randi=mid,respectively.ThethirdconditionholdsbecauseD0andDarethesamewhenrestrictedtothesubdomainMessageIDandtheeventeisthereceiveeventthatismaximalaccordingtobothro(C0)anddel(C0).Forthesecondcondition,sinceC0:act(e)=receiveandeismaximalinro(C0)anddel(C0),itissufcienttoshowthatJ:E=(((ro(C0)[del(C0)))�1(C0jr:E))jdo:(21)LetE0=ff2C:EjC:msg(f)=mid^C:act(f)=sendg: Foreveryi2dom(D0),D0(i):E=;.Also,ff2C:EjC:act(f)=dog=;.Thus,(8i2dom(D0):inv(D0(i)))^(8i2dom(D0):D0(i):A=abs(C;Vstate)jD0(i):E)^(8i2dom(D0):8f2D0(i):E:f2C:E^D0(i):info(f)=C:time(f))^(8r02dom(D0)\ReplicaID:D0(r0):E=(((ro(C)[del(C)))�1(Cjr0:E))jdo)^(8mid2dom(D0)\MessageID:8E0:E0=ff2C:EjC:msg(f)=mid^C:act(f)=sendg=)D0(mid):E=(((ro(C)[del(C)))�1E0)jdo):TheonlyremainingconditionofC[Gstate]D0is:8i;j2dom(D0):i6=j=)agree(D0(i);D0(j)):ThisholdsbecauseD0(i):E=;foreveryi2dom(D0).ConditionG-VIS.ConsiderC1;C22CEx[x];e2abs(C1;Vstate):E;(R;T)2Cong;D2DExsuchthatC1isaprexofC2underC2:eo.Weshouldshowthatctxt(abs(C1;Vstate);e)=ctxt(abs(C2;Vstate);e):Let(o1;G1;oper1;vis1;ar1)=ctxt(abs(C1;Vstate);e);(o2;G2;oper2;vis2;ar2)=ctxt(abs(C2;Vstate);e):Then,o1=o2.Also,ifG1=G2,thenoper1=oper2andar1=ar2.Thus,itsufcestoprovethatG1=G2^vis1=vis2:(22)WerecallthedenitionsofG1,G2,vis1andvis2:G1=(Vstate(C1))�1(e);G2=(Vstate(C2))�1(e);vis1=Vstate(C1)jG1;vis2=Vstate(C2)jG2:LetE=fe0j(e0;e)2(C2:eo)g.BythedenitionofVstate,(Vstate(C1)C1:eoC2:eo)^(Vstate(C2)C2:eo):Hence,Vstate(C1)\(EventE)=Vstate(C1)\(EE);Vstate(C2)\(EventE)=Vstate(C2)\(EE):Then,wecandischargeourproofobligationin(22)byshowingthatVstate(C1)\(EE)=Vstate(C2)\(EE):(23)Since(ro(C1)[del(C1))C1:eoC2:eo,Vstate(C1)\(EE)=(ro(C1)[del(C1))+jdo\(EE)=((ro(C1)[del(C1))\(EE))+jdo:Similarly,since(ro(C2)[del(C2))C2:eo,Vstate(C2)\(EE)=(ro(C2)[del(C2))+jdo\(EE)=((ro(C2)[del(C2))\(EE))+jdo:Thismeansthatwecanprove(23)byshowingthat((ro(C1)[del(C1))\(EE)=((ro(C2)[del(C2))\(EE): Figure18.Instantiationforop-basedimplementations. :nmeansthepro-jectionofthen-thcomponentofatuple.IjEistherestrictionofItoeventsinE.ThemissingcomponentsinI0areasinFigure6. AInfo=Timestampfold;newgP(Event)P(Event)inv(I)()(8e;f2I:E:(e;f)2I:ar()I:info(e):1I:info(f):1)agree(I;J)()I:E\J:E=;do](I;e;r;o;a;t)=I0;ifinv(I)^e62I:E^I02IExwhereg=(t;new;ff2I:EjI:repl(f)=rg;I:E)I0=((I:E[feg;I:repl[e7!r];:::);info[e7!g])send](I)=(J;JjE);ifinv(I)whereG(e)=(I:info(e):1;old;I:info(e):3;I:info(e):4)J=(I:A;G)E=fe2I:EjI:info(e):2=newgreceive](I;J)=J00;ifinv(I)^inv(J)^agree(I;J)^J002IExwhereJ0=ItJRr=f(e;f)2I:EJ:Eje2J:info(f):3gR0r=f(e;f)2J:EI:Eje2I:info(f):3gRv=f(e;f)2I:EJ:Eje2J:info(f):4gR0v=f(e;f)2J:EI:Eje2I:info(f):4gJ00=((J0:E;J0:repl;J0:obj;J0:oper;J0:rval;J0:ro[Rr[R0r;J0:vis[Rv[R0v;J0:ar);J0:info) Thisequalityholdsbecauseofthedenitionsofroanddel,andthefactthatC1:eo\(EE)=C2:eo\(EE);whichitselfistruebecauseC1isaprexofC2underC2:eo.B.3Instantiationforop-basedimplementationsFig.18givesaninstantiationappropriateforop-basedimplemen-tations,whichensuresDsat[Vop;T-Unique]F.Intheop-basedcase,amessagedescribestheoperationsthereplicaperformedsincethelastsend(x2).Wekeeptrackofthecorrespondingeventsbymarkingthemasnewininfo.Thus,werelateastateha;diofthecounterinFig.2toexecutionswithaincrementoperations,outofwhichdarenew:ha;di[Rr]I()a=fe2I:EjI:oper(e)=incg^d[M]I;d[M]I()d=fe2I:EjI:oper(e)=inc^I:info(e)=( ;new)g:Foreachevente,infoalsokeepstrackofitspredecessorsinreplicaorderandvisibilityrelations.Thisisrequiredtoupdatethesere-lationsonareceive],similarlytohowtimestampsareneededtoupdatearbitration.However,thesecomponentsofinfoarenotusedinthecaseofthecounter.ThedenitionsofabstractmethodsaresimilartoFig.6,exceptdo]markstheeventeasnewininfo,andsend]retunstheprojec-tionoftheexecutionontoneweventsandmarksthemasold.ThisandtheT-Uniquespecicationensureakeyagreementpropertythattheargumentsofreceive]havedisjointsetsofevents.Addi-tionally,themethodsupdatethelasttwocomponentsininfoandusethemtoupdatereplicaorderandvisibilityrelationinreceive].TheobligationsforthecounterinFig.2canbedischargedstraight-forwardly.Wenowprovethesoundnessofabstractmethodsforop-basedimplementations.Ourproofusesthenotationsintheprevioussub-section,aswellasthevisibilitywitnessVopfortheop-basedim-plementationsinx4,andthepredicatesinvandagreeinFig.18.Wealsoneedafewnewnotations.LetCbeaconcreteexecu-tioninCEx[x].First,wedenetworelationsoneventsinC:E:roi(C)(C:EC:E);rc(C)(C:EC:E) LetD0=D[r7!J].Then,dom(D0)=dom(D)^8i2dom(D0):(D0(i)=D(i)_D0(i)=J):Hence,thefollowingconjunctsinthedenitionofC0[Gop]D0hold.ReplicaIDdom(D0)^dom(D0)\MessageID=fC0:msg(e)jC0:act(e)=sendg^(8i2dom(D0):inv(D0(i)))^(8i2dom(D0):8f2D0(i):E:f2C0:E^D0(i):info(f):1=C0:time(f)):Wealsohave8i2dom(D):D0(i):A=abs(C0;Vop)jD0(i):Eforthefollowingtworeasons.First,foralli2dom(D)suchthati6=r,D0(i):A=D(i):A=abs(C;Vop)jD(i):E=abs(C0;Vop)jD(i):E=abs(C0;Vop)jD0(i):E:Second,byC[Gop]D,(J:vis)�1(e)=I:E=(Cjr:E[((roi(C);del(C))�1Cjr:E))jdo=(abs(C0;Vop):vis)�1(e):BythesamereasonsandtheassumptionC[Gop]D,8r02dom(D0)\ReplicaID:D0(r0):E(abs(C0;Vop):vis)�1(D(r0)jr0:E)^D0(r0):E=(C0jr0:E[((roi(C0);del(C0))�1C0jr0:E))jdo:WedonotchangeanythingregardingmessageswhendeningD0,sodom(D)\MessageID=dom(D0)\MessageID^8mid2dom(D)\MessageID:D(mid)=D0(mid):Thus,fromtheassumptionC[Gop]Ditfollowsthat8mid2dom(D0)\MessageID:8E0:E0=ff2C0:EjC0:msg(f)=mid^C0:act(f)=sendg=)D0(mid):E=(roi(C0)�1E0)jdo:Wewillnowshowthat8r02dom(D0)\ReplicaID:D0(r0):N=C0jr0:N:Pickr02dom(D0)\ReplicaID.Ifr06=r,thedesiredequalityfollowsfromourassumptionthatC[Gop]D.Otherwise,D0(r0):N=D(r):N[feg=Cjr:N[feg=C0jr0:N:Thenextpropertytoshowisthat8i2dom(D0)\ReplicaID:8j2dom(D0):i6=j=)D0(i):N\D0(j)=;:Picki2dom(D0)\ReplicaIDandj2dom(D0)suchthati6=j.SinceC[Gop]D,itsufcestocheckthecasesthati=rorj=r.Ifi=r,D0(i):N\D0(j)=(D(i):N[feg)\D(j)=;:Ifj=r,D0(i):N\D0(j)=D(i):N\(D(j)[feg)=;:NowconsiderthefollowingrequirementsofC0[Gop]D0.8i2dom(D0)\MessageID:8j2dom(D0):(i6=j^j62rcv(C0;i))=)D0(i):E\D0(j):E=;:Picki2dom(D0)\MessageIDandj2dom(D0)suchthati6=j^j62rcv(C0;i):BythedenitionsofD0andC0,i;j2dom(D)^j62rcv(C;i)^D0(i):E=D(i):E:Hence,fromourassumptionC[Gop]DfollowsthatD(i):E\D(j):E=;:Sincee62(D(i):E[D(j):E)andD0(j):ED(j):E[feg,D0(i):E\D0(j):E=;:ThefollowingrequirementofC0[Gop]D0holdsbecauseD0andDarethesamewhentheirdomainsarerestrictedtoMessageIDandC[Gop]D:8i2dom(D0)\MessageID:8f2D0(i):E:D0(i):info(f):2=old:Itremainstoshowthefollowingrequirements:(8i2dom(D0):8f2D0(i):E:D0(i):info(f):3=abs(C0;Vop):ro�1(f))^(8i2dom(D0):8f2D0(i):E:D0(i):info(f):4=abs(C0;Vop):vis�1(f))TheserequirementsmostlyfollowfromtheassumptionC[Gop]DandthewaythatD0andC0aredenedfromDandC,respectively.Theonlynontrivialthingstocheckare:D0(r):info(e):3=Ijr:E=abs(C0;Vop):ro�1(e);D0(r):info(e):4=I:E=abs(C0;Vop):vis�1(e):BothequalitiesfollowfromtheassumptionthatC[Gop]D.2.ThenextcaseisthatC0:act(e)=send.Let(r;mid)=(C0:repl(e);C0:msg(e)):Bythedenitionsofthetransitionrelationandtheconcreteexecution,C0:msg(e)62fC:msg(f)jf2C:E^C:act(f)=sendg:Hence,fromourassumptionC[Gop]D,itfollowsthatr2dom(D)^mid62dom(D):LetI=D(r).Then,inv(I)holds,becauseC[Gop]D.Thus,send](I)#^send](I)=(J;I0)whereJ=(I:A;e:(I:info(e):1;old;I:info(e):3;I:info(e):4));E=fe2I:EjI:info(e):2=newg;I0=JjE:Thisinturnimpliesthatstep(C0;e;D)#^step(C0;e;D)=D[r7!J;mid7!I0]:LetD0=D[r7!J;mid7!I0].WeshouldshowthatC0[Gop]D0:ThefollowingconjunctsinthedenitionofC0[Gop]D0followimmediatelyfromtheassumptionC[Gop]Dandthedenitions 3.ThelastcaseisthatC0:act(e)=receive.Letr=C0:repl(e);mid=C0:msg(e)and(R0;T0)=C0:pre(e):Bythedenitionofthetransitionrelation,mid2dom(T0).Then,sinceC0isaconcreteexecutionstartingfromacongu-rationwiththeemptyTcomponentandC0Ce�!(R;T),mid2fC:msg(f)jf2C:E^C:act(f)=sendg:Thus,fromourassumptionC[Gop]D,itfollowsthatr2dom(D)^mid2dom(D):LetI1=D(r);I2=D(mid);J=I1tI2;Rr=f(e;f)2I1:EI2:Eje2I2:info(f):3g;R0r=f(e;f)2I2:EI1:Eje2I1:info(f):3g;Rv=f(e;f)2I1:EI2:Eje2I2:info(f):4g;R0v=f(e;f)2I2:EI1:Eje2I1:info(f):4g;J0=((J:E;J:repl;J:obj;J:oper;J:rval;J:ro[Rr[R0r;J:vis[Rv[R0v;J:ar);J:info):HereJ=I1tI2isdenedbecauseI1:A=abs(C;Vop)jI1:E^I2:A=abs(C;Vop)jI2:E^(8i2f1;2g:8f2Ii:E:Ii:info(f):1=C:time(f))^(8i2f1;2g:8f2Ii:E:Ii:info(f):3=abs(C;Vop):ro�1(f))^(8i2f1;2g:8f2Ii:E:Ii:info(f):4=abs(C;Vop):vis�1(f)):Also,bythesamereasonandthedenitionofJ0,J0:A=abs(C;Vop)jJ0:E^(8f2J0:E:J0:info(f):1=C:time(f))^(8f2J0:E:J0:info(f):3=abs(C;Vop):ro�1(f))^(8f2J0:E:J0:info(f):4=abs(C;Vop):vis�1(f)):(25)OneconsequenceofthisisthatJ0isawell-denedinstrumentedexecution.SinceC2T=T-Unique,themessagemidisnotdeliveredtothereplicarintheconcreteexecutionC:r62rcv(C;mid):Hence,ourassumptionC[Gop]Dimpliesthatinv(I1)^inv(I2)^I1:E\I2:E=;:NoticethatbyshowingJ02IExandtheabovepropertiesofI1andI2,wehaveshownthatthesideconditionofreceive](I1;I2)ismet.Hencereceive](I1;I2)#.LetD0=D[r7!J0]:ItremainstoshowthatC0[Gop]D0.Sincedom(D0)=dom(C0)andC0:act(e)=receive,theassumptionC[Gop]DgivesReplicaIDdom(D0)^dom(D0)\MessageID=fC0:msg(f)jC0:act(f)=sendgThenextrequirementsinthedenitionofC0[Gop]D0are:(8i2dom(D0):inv(D0(i)))^(8i2dom(D0):D0(i):A=abs(C0;Vop)jD0(i):E)^(8i2dom(D0):8f2D0(i):E:f2C0:E^D0(i):info(f):1=C0:time(f))SinceC[Gop]Dandabs(C;Vop)=abs(C0;Vop),wejustneedtoshowthatinv(J0)^(J0:A=abs(C0;Vop)jJ0:E)^(8f2J0:E:f2C0:E^J0:info(f):1=C0:time(f)):Allthesefollowfrom(25).Wemoveontothefollowingcondi-tionsofC0[Gop]D0:(8r02dom(D0)\ReplicaID:D0(r0):E(abs(C0;Vop):vis)�1(D0(r)jr:E))^(8r02dom(D0)\ReplicaID:D0(r0):E=(C0jr0:E[(roi(C0);del(C0))�1(C0jr0:E))jdo)^(8mid02dom(D0)\MessageID:8E0:E0=ff2C0:EjC0:msg(f)=mid0^C0:act(f)=sendg=)D0(mid0):E=(roi(C0)�1E0)jdo):ProvingallthethreeconditionsusestheassumptionC[Gop]Dandthefactthatabs(C;Vop)=abs(C0;Vop),whichwewillnotmentionexplicitly.TherstconditionholdsbecauseJ0:E=I1:E[I2:EandI2jr:E=;^I1:E(abs(C;Vop):vis)�1(I1jr:E):ThethirdconditionholdsbecauseD0andDarethesamewhenrestrictedtothesubdomainMessageIDandtheeventeisthereceiveeventthatismaximalaccordingtobothro(C0)anddel(C0).Forthesecondcondition,sinceC0:act(e)=receiveandeismaximalinro(C0)anddel(C0),itissufcienttoshowthatJ0:E=(C0jr:E[(roi(C0);del(C0))�1(C0jr:E))jdo:(26)LetE0=ff2C:EjC:msg(f)=mid^C:act(f)=sendg:Weprovetheequalityin(26)asfollows:J0:E=I1:E[I2:E=(Cjr:E[(roi(C);del(C))�1(Cjr:E))jdo[(roi(C)�1E0)jdo=(Cjr:E[(roi(C);del(C))�1(Cjr:E)[roi(C)�1E0)jdo=(C0jr:E[(roi(C0);del(C0))�1(Cjr:E[feg))jdo=(C0jr:E[(roi(C0);del(C0))�1(C0jr:E))jdo:WenowconsiderthefollowingrequirementsinthedenitionofC0[Gop]D0:(8r02dom(D0)\ReplicaID:D0(r0):N=C0jr0:N)^(8i2dom(D0)\ReplicaID:8j2dom(D0):i6=j=)D0(i):N\D0(j):E=;)^(8i2dom(D0)\MessageID:8j2dom(D0):(i6=j^j62rcv(C0;i))=)D0(i):E\D0(j):E=;):Therstholdsbecauseforeveryr02dom(D0)\ReplicaID,r02dom(D)^D0(r0):N=D(r0):N^C0jr0:N=Cjr0:N;whichitselffollowsfromtheassumptionC[Gop]Dandthefactthattheeventeisareceiveevent.Fortheothertworequirements,sincercv(C0;mid)=rcv(C;mid)[frg,D0(r):N=D(r):NandsimilarrequirementsholdforCandD,itsufcestoprove Sincedom(D0)=ReplicaID[fmidg,thersttwoconditionsofC[Gop]D0hold:ReplicaIDdom(D0)^dom(D0)\MessageID=fC:msg(f)jC:act(f)=sendg:Foreveryi2dom(D0),D0(i):E=;.Also,ff2C:EjC:act(f)=dog=;.ThefollowingremainingrequirementsofC[Gop]D0followfromthesefacts:(8i2dom(D0):inv(D0(i)))^(8i2dom(D0):D0(i):A=abs(C;Vop)jD0(i):E)^(8i2dom(D0):8f2D0(i):E:f2C:E^D0(i):info(f):1=C:time(f))^(8r02dom(D0)\ReplicaID:D0(r0):E(abs(C;Vop):vis)�1(D0(r0)jr0:E))^(8r02dom(D0)\ReplicaID:D0(r0):E=(Cjr0:E[((roi(C);del(C))�1Cjr0:E))jdo)^(8mid02dom(D0)\MessageID:8E0:E0=ff2C:EjC:msg(f)=mid0^C:act(f)=sendg=)D0(mid0):E=(roi(C)�1E0)jdo)^(8r02dom(D0)\ReplicaID:D0(r0):N=Cjr0:N)^(8i2dom(D0)\ReplicaID:8j2dom(D0):i6=j=)D0(i):N\D0(j):E=;)^(8i2dom(D0)\MessageID:8j2dom(D0):(i6=j^j62rcv(C;i))=)D0(i):E\D0(j):E=;):^(8i2dom(D0)\MessageID:8f2D0(i):E:D0(i):info(f):2=old)^(8i2dom(D0):8f2D0(i):E:D0(i):info(f):3=abs(C;Vop):ro�1(f))^(8i2dom(D0):8f2D0(i):E:D0(i):info(f):4=abs(C;Vop):vis�1(f)):ConditionG-VIS.ConsiderC1;C22CEx[x];e2abs(C1;Vop):E;(R;T)2Cong;D2DExsuchthatC1isaprexofC2underC2:eo.Weshouldshowthatctxt(abs(C1;Vop);e)=ctxt(abs(C2;Vop);e):Let(o1;G1;oper1;vis1;ar1)=ctxt(abs(C1;Vop);e);(o2;G2;oper2;vis2;ar2)=ctxt(abs(C2;Vop);e):Then,o1=o2.Also,ifG1=G2,thenoper1=oper2andar1=ar2.Thus,itsufcestoprovethatG1=G2^vis1=vis2:(27)WerecallthedenitionsofG1,G2,vis1andvis2:G1=(Vop(C1))�1(e);G2=(Vop(C2))�1(e);vis1=Vop(C1)jG1;vis2=Vop(C2)jG2:LetE=fe0j(e0;e)2(C2:eo)g.Noticethatsincee2C1:EandC1isaprexofC2accordingtotheC2:eoorder,E=fe0j(e0;e)2(C1:eo)g:BythedenitionofVop,(Vop(C1)C1:eoC2:eo)^(Vop(C2)C2:eo):Hence,Vop(C1)\(EventE)=Vop(C1)\(EE);Vop(C2)\(EventE)=Vop(C2)\(EE):Then,wecandischargeourproofobligationin(27)byshowingthatVop(C1)\(EE)=Vop(C2)\(EE):(28)ForeachCi,denearelationrc(Ci)byrc(Ci)=f(e;f)je;f2Ci:E^Ci:act(e)=do^Ci:act(f)=do^9e0;f0:ero(Ci)����!e0del(Ci)����!f0ro(Ci)����!f^:9e00:ero(Ci)����!e00ro(Ci)����!e0^Ci:act(e00)=sendg:Then,Vop(C1)\(EE)=(ro(C1)[rc(C1))jdo\(EE)=((ro(C1)[rc(C1))\(EE))jdo:Similarly,Vop(C2)\(EE)=(ro(C2)[rc(C2))jdo\(EE)=((ro(C2)[rc(C2))\(EE))jdo:Thismeansthatwecanprove(28)byshowingthatro(C1)\(EE)=ro(C2)\(EE)^rc(C1)\(EE)=rc(C2)\(EE):Therstequalityfollowsfromthedenitionofro,andthefactthatC1:eo\(EE)=C2:eo\(EE);whichholdsbecauseC1isaprexofC2underC2:eo.Thesecondequalityfollowsfromthefactthatforalleventse;f,ife2E,(fro(C1)����!e()fro(C2)����!e)^(fdel(C1)����!e()fdel(C2)����!e)^(fro(C1)����!e=)f2E)^(fdel(C1)����!e=)f2E):C.AdditionalspaceboundsproofsC.1EncodingsTable1presentsstandardrecursiveencodingschemesforvaluesfromdifferentdomainsandtheirasymptoticcost.Theseschemesareemployedtoencodereplicastateandreturnvaluesthroughoutallourproofs.C.2LowerboundproofsforanyimplementationWeapplytheprooftechniquepresentedinx6tootherdatatypesdiscussedinthepaper:registersintregandmvr.C.2.1Lowerboundforstate-basedlast-writer-winsregister(intreg)THEOREM24.IfDintregsat[Vstate;T-Any]Fintreg,thenDintregisb (lgm).Westartbyformulatingasuitableexperimentfamily.LEMMA25.IfDintregsat[Vstate;T-Any]Fintreg,n2andmn,thentuple(Q;n;m;C;e;rb)asdenedintheleftcolumnofFig.20isanexperimentfamily.Theideaoftheexperimentsistoforcereplica1toremembernumberofwritesdominatedbywriteofthecurrentvalue,whichthenintroducesanoverheadproportionalproportionaltothelgm, weget:wcmo(Dintreg;n;m)blgjjjQjc=(max2Qlen(C:rval(e)))K1lgjj(m) 1Klgm:utC.2.2Lowerboundforstate-basedmulti-valueregister(mvr)THEOREM26.IfDmvrsat[Vstate;T-Any]Fmvr,thenDmvrisb (nlgm).LEMMA27.IfDmvrsat[Vstate;T-Any]Fmvr,n2andmnissuchthat(m�1)isamultipleof(n�1),thentuple(Q;n;m;C;e;rb)asdenedintherightcolumnofFig.20isanexperimentfamily.Theideaoftheexperimentsistoforcereplica1torememberanumberofwroperationsfromeachreplicadominatedbythecurrentwr,whichthenintroducesanoverheadproportionaltonlgm;cf.theimplementationinFig.17.Allexperimentsstartwithacommoninitializationphase,denedbyinit,whereeachofthereplicas2::nperforms(m�1)=(n�1)writeswr(0)andsendsamessageaftereachwrite.Allmessagesremainundelivereduntilthesecondphase,denedbyexp().Therereplica1receivesexactlyonemessagefromeachreplicar=2::n,selectedusing(r),andsubsequentlyoverwritestheregisterwithwr(1).Anexperimentconcludeswiththereadeontherstreplica.Theread-backworksbyperformingseparatetestsforeachofthereplicasr=2::n,denedbytest(r).Todeterminewhichmessagewassentbyreplicarduringtheexperiment,theprogramtest(r)enforces(re)deliveryofallmessagessentbyreplicartoreplica1,intheordertheyweresent,performingareadaftereachmessagedelivered.Byinspectingthereturnvalueofeachsuchread,theprogramidentiestherstmessagethatcausesreadtoreturnbothvalues0and1,whichcorrespondstoobservinganoutcomeofawr(0)performedatrthatwasnotvisibleatthetimeofwr(1),i.e.,thatisconcurrenttowr(1);theindexofthismessagecorrespondsto(r)+1.PROOFOFLEMMA27.Somepartsoftheproofarestraightfor-ward,suchascheckingthatnandmmatchthenumberofrepli-cas/updates,andthatthedriverprogramsusemessageidentiersandtimestampscorrectly.Theonlynontrivialobligationistoproverb(state(e))=.Let(R;T)=nal(C).Thenrb(state(e))(r)=rb(R(x;1))(r)=result(Dmvr;(Rinit[(x;1)7!R(x;1)];Tinit);test(r))(ii)=result(Dmvr;(R;T);test(r))=result(Dmvr;(R0;T0);(init;exp();test(r)))(i)=(r);where:(i)ThisisduetoDmvrsat[Vstate;T-Any]Fmvr,asweexplainedinformallyabove.Letuidenotevalueofareadintouinthei-thiterationoftheloopintheprogramtest(r).ByFmvrthevalueofuiisdeterminedbythesetandrelationofvisiblewritesintheoperationcontext.LetC0=exec(Dmvr;(R0;T0);(init;exp();test(r))):Thentheoperationcontextinabs(C0;Vstate)ofthereadintouiintest(r)contains:(a)rstmax((r);i)operationswr(0)fromreplicar,and(b)rst(r0)operationswr(0)fromeveryreplicar06=r,and(c)andasinglewr(1)madeonreplica1.Wewillnowanalyzethevisibilityrelationbetweenwriteswr(0)andwr(1).Noneofwriteswr(0)observedwr(1)initsoperationcontextinabs(C0;Vstate).Theoperationcontextofwr(1)includesrst(r0)operationswr(0)fromeveryreplicar0,includingreplicar.Thatmeans,readintouiobservesmax(0;i�(r))operationswr(0)fromrthatwerenotvisibletowr(1).ByspecicationFmvrthereturnvalueofthereadisinthiscase:ui=f0;1gifi�(r)�0f1gotherwisei.e.,0appearsinthereturnvaluewheneverthereiswr(0)concurrenttowr(1)visible.Therefore:(r)=minfijui+1=f0;1g_i=m�1 n�1g:(ii)WehaveTinit=Tbecauseexp()doesnotsendanymes-sages.Besides,Rinit[(x;1)7!R(x;1)]andRcandifferonlyinthestatesofthereplicas2::n.Thesecannotinuencetherunoftest(r),sinceitperformseventsonreplica1only.utPROOFOFTHEOREM26.Givenn0;m0,wepickn=n0andsomemn0suchthat(m�1)isamultipleof(n�1)andmn2.Taketheexperimentfamily(Q;n;m;C;e;rb)givenbyLemma27.Thenforany,C:rval(e)=f1g,whichcanbeencodedwithaconstantlengthstring.UsingLemma14andmn2,forsomeconstantsK1;K2;K3;Kindependentfromn0;m0weget:wcmo(Dmvr;n;m)blgjjjQjc=(max2Qlen(C:rval(e)))K1lgjj(m�1 n�1)n�1 lenP(Z)(f0g)K2nlg(m=n) 1K3nlgp mKnlgm:utC.3UpperboundsforknownimplementationsThefollowingupperboundsaimtoproveasymptoticworst-caseoptimalityofknownobjectimplementationsiftheymatchthelowerboundsestablishedforany1-pushconvergentimplementa-tion.THEOREM28.LetDintregbethestate-basedlast-writer-winsregisterimplementationdenedinFig.2(c),suchthatDintregsat[Vstate;T-Any]Fintreg(x5.3).DintregisbO(lgm).PROOF.ConsideranyexecutionC2JDintregKwithnreplicas,mupdates,andanyrdeventeinthisexecution(assumingthereisatleastone).Recallthatthestateofaregisterreplicausedinthereadisatupleha;ti=state(e),whereaisaregistervalueandtisatimestampofthevalue.PracticalimplementationsofLWW-registerandreplicatedstores,oftendonotrelyonintegersastimestampsaswesimpliedsofar,butuseLamportclocks[21]instead.Lamportclockisatuplet=(k;r)2NReplicaIDwherekisanintegerclockandrisanidofreplicathatgeneratedthetuple.AssumingtheoptimalLamportclockimplementationisusedbytheregister,suchthatkm,forsomeconstantK1,stateha;(k;r)iencodingisboundedby:len(a;(k;r))K1(lenZ(a)+lgm+lgn)Notethatreturnvalueu=C:rval(e)ofrdmatchestheregistervaluestoredinthestate(c.f.thedenitionofrdforDintreg),u=a.Therefore,forsomeconstantsK2,K(pickedindependentlyofa,nandm)weobtainthefollowingboundonmetadataoverhead:len(a;(k;r)) len(u)K2len(a)+lgm+lgn len(a)KlgmwhichsatisesthebOdenition.THEOREM29.LetDctrbethestate-basedcounterimplementa-tiondenedinFig.2(b),suchthatDctrsat[Vstate;T-Any]Fctr(x5.3).DctrisbO(n). Thismeansthat,forsomeconstantsK3andK4,completestateoccupiesatmost:len(r;V;w)K3(lgn+nlgm+nXa2U(lenZ(a)+lgm))K4nlgm(1+Xa2UlenZ(a))ForsomeconstantK5,returnvalueu=C:rval(e)ofrdconsumesnolessthan:lenP(Z)(u)K5(1+Xa2ulenZ(a))Fromthedenitionofrd,weobserve:u=U(V).Hence,forsomeconstantK,theoverheadisboundedby:len(r;V;w) len(u)Knlgm(1+Pa2U(V)lenZ(a)) 1+Pa2U(V)lenZ(a)=KnlgmTheoriginalimplementationofOR-sethasahigherupperbound,asshownnext.THEOREM33.LetDorsetbetheoriginalstate-basedOR-setim-plementationdenedinFig.15,suchthatDorsetsat[Vstate;T-Any]Forset(xA).DorsetisbO(mlgm).PROOF.ConsideranyexecutionC2JDorsetKwithnreplicas,mupdates,andanyrdeventeinthisexecution(assumingthereisatleastone).RecallthatthestateofasetreplicaatthetimeofreadisatuplehS;Di=state(e),whereSisasetofactiveentries(a;t)2Swithvalueaandtimestampt,andDisasetoftimestampsofremovedelements.Werstestablishsomepropertiesofstate.Byinspectionofadd,remove,andreceive,theonlyoperationsmutatingsetsSandD,theinvariant(a;t)2S=)t62Dholds.Bydenitionsofaddandreceive,jSjm.Similarly,bydenitionsofremoveandreceive,jDjm.Moreover,sinceonlyaddgeneratenewtimestampsandremainingfunctionsonlytransferthembetweencomponentsSandD,jSj+jDjm.LetU(S)=faj9(a;t)2Sg.AssumingLamportclocksastimestamps,forsomeconstantsK1,K2,K3andK4,thestatecanbeencodedwithatmost:len(S;D)K1(1+X(a;t)2S(lenZ(a)+lgn+lgm)+jDj(lgn+lgm))K2(1+mlgm+X(a; )2SlenZ(a))K3(1+mlgm+mXa2U(S)lenZ(a))K4mlgm(1+Xa2U(S)lenZ(a))ForsomeconstantK5,returnvalueu=C:rval(e)ofrdconsumesnolessthan:lenP(Z)(u)K5(1+Xa2ulenZ(a))Bythedenitionofrd,thesetofreturnedvaluesumatchestheactiveelements,i.e.,u=U(S).Hence,forsomeconstantKtheoverheadis:len(S;D) len(u)Kmlgm(1+Pa2U(S)lenZ(a)) 1+Pa2U(S)lenZ(a)=KmlgmC.4LowerboundsforsuboptimalimplementationsInordertodemonstrateanimplementationofadatatypeissubop-timal,weneedtoshowalowerboundhigherthantheupperboundoftheoptimalimplementation,usingcounter-exampleexecutions.THEOREM34.LetDorsetbetheoriginalstate-basedOR-setim-plementationdenedinFig.15,suchthatDorsetsat[Vstate;T-Any]Forset(xA).Dorsetisb (mlgm).PROOF.Considerthefollowingdriverprogramdenedforanypositivenandmsuchthatmmod2=0:procedurein ate(n;m)foralli2[1::(m=2)]do1add(i)2ido1remove(i)2i+1do1rdm+2//readeforalli2[2::n]do2rdm+3//meaninglessreadonotherreplicasGivenanynumberofreplicasn0andanynumberofupdatesm0n0,wepickn=n0andm=2m0todemonstrateover-headonexecution:C=exec(Dorset;([x7!Dorset:~0];;);in ate(n;m))Clearly,theexecutionhasnreplicasandmupdates.Theexecutioniswell-denedsincethedriverprogramusesmessageidentiersandtimestampscorrectly.LethS;Di=state(e)bethestateofreplica1atthetimeofreade,whereSisasetofactiveentriesandDisasetoftimestampsofdeletedelements.BydenitionsofaddandremoveinDorset,thesetofactiveelementsisemptyforthisexecution,S=;,whereasthesetofdeletedelementscontainstombstonesforallremovedelements,jDj=m=2.AssumingLamportclocktimestamps,forsomeconstantsK1andK2,statehS;Dineedstooccupyatleast:len(S;D)K1m=2Xi=1(lgn+lgm+lenZ(i))K2mlgmBydenitionofrd,thereturnvalueuofreadeisanemptyset,C:rval(e)=;,whichcanbeencodedwithaconstantlengthstring.Therefore,forsomeconstantKtheoverheadatthetimeofreadefulllsthedenitionofb :wcmo(Dorset;m;n)mmo(Dorset;C)len(S;D) len(C:rval(e))KmlgmTHEOREM35.LetDmvrbetheoriginalstate-basedmulti-valueregisterimplementationdenedinFig.16,suchthatDmvrsat[Vstate;T-Any]Fmvr(xA).Dmvrisb (n2lgm).PROOF.Considerthefollowingdriverprogramdenedforanypositivenandmsuchthatm�n n1and(m�n)modn=0:procedurein ate(n;m)forallr2[1::n]foralli2[1::(m�n n)]dorwr(0)rm�n n+isendr(midr;0)forallr2[1::n]forallr02[1::n]nfrgreceiver(midr0;0)dorwr(1)2m+rsendr(midr;1)ifr6=1receive1(midr;1)do1rd2m+n+1//reade Figure22.Axiomsdeningsessionguaranteesoveranexecution(E;repl;obj;oper;rval;ro;vis;ar).Wewriter1;r2forthecompositionofbinaryrelationsr1andr2. Auxiliaryrelationssameobj(e;f)()obj(e)=obj(f)Per-objectreplicaorder:roo=(ro\sameobj)AxiomsRYW(ReadYourWrites).Anoperationseesallpreviousoperationsatthesamereplica:roovisMR(MonotonicReads).Anoperationseesalloperationspreviouslyseenbythesamereplica:(vis;roo)visWFRV(WritesFollowReadsinVisibility).Operationsaremadevisibleatotherreplicasafteroperationsonthesameobjectthatwerepreviouslyseenatthesamereplica:(vis;roo;vis)visWFRA(WritesFollowReadsinArbitration).Arbitrationordersanoperationafterotheroperationspreviouslyseenatthesamereplica:(vis;roo)arMWV(MonotonicWritesinVisibility).Operationsaremadevisibleatotherreplicasafterallpreviousoperationsonthesameobjectatthesamereplica:(roo;vis)visMWA(MonotonicWritesinArbitration).Arbitrationordersanoperationafterallpreviousoperationsatthesamereplica:rooar have(C:act(e0)=send)^eroo(C)����!e0(roo(C)[del(C))+�����������!f^:9e00:eroo(C)����!e00roo(C)����!e0^(C:act(e00)=send):ThenbyT-PO-Causal,forsomef02C:Ewehavee0del(C)����!f0roo(C)����!f:Thenevis�!fbythedenitionofVop.5.Using(29)andT-PO-Lamport,weget:hbo=((ro\sameobj)[vis)+(roo(C)[del(C))+jdoar:6.Wehave:hb=(vis[roo)+(ro(C)[del(C))+jdo:Consider(e;f)2hb\sameobj.Ifrepl(e)=repl(f),then(e;f)roo(C)vis.Otherwise,byT-CO-Causalforsomee0;f02C:Ewehaveeroo(C)����!e0del(C)����!f0roo(C)����!f^:9e00:eroo(C)����!e00roo(C)����!e0^C:act(e00)=send:Thenevis�!fbythedenitionofVstateandVop.7.COCA.Using(29)andT-CO-Lamport,weget:hb[ar=(ro[vis)+[ar(ro(C)[del(C))+jdo[ar(C)f(e;f)je;f2C:Ejdo^time(e)time(f)g;whichisacyclic.D.2SessionguaranteesTheaxiomsRYW–MWAinFig.13formalizesessionguarantees,whichareusedtodenelevelsofconsistencyinbetweenbasiceventualconsistencyandper-objectcausalconsistency.Theguar-anteesareduetoTerryetal.[34],whodenedtheminalow-leveloperationalframework.Herewerecastthemintoaxiomsappropri-ateforarbitraryreplicateddatatypes.However,wehavepreservedtheoriginalterminology,andthusrefertoreadsandwritesinthenamesoftheaxioms.Asatest-caseforourformalization,weprovethattheconjunctionofallsessionguaranteesisisequivalenttoper-objectcausalconsistency2.PROPOSITION37.POCVisequivalenttotheconjunctionofRYW,MR,WFRVandMWV.POCAisequivalenttothecon-junctionofWFRAandMWA.PROOF.POCVisequivalenttotheconjunctionofRYW,MR,WFRVandMWV.PickanabstractexecutionA=(E;repl;obj;oper;rval;ro;vis;ar):Letrooandhbobe,respectively,theper-objectreplicaorderandtheper-objectcausalityorder,bothinducedbyA.Letr1=roo[(vis;roo)[(vis;roo;vis)[(roo;vis);r2=(vis[roo)+:ThenPOCVisequivalenttor2vis,andtheconjunctionofRYW,MR,WFRVandMWVtor1vis.Ifr2vis,thenr1r2vis.Wenowassumethatr1visandshowr2vis.Picke;e02Esuchthat(e;e0)2r2.Sinceroor1,if(e;e0)2roo,then(e;e0)2r1vis,asrequired.If(e;e0)62roo,thenthereexiste1;f1;:::;en;fnwithn1suchthat(e;e1)2roo^(fn;e0)2roo^(8i2f1;:::;ng:(ei;fi)2vis)^(8i2f1;:::;n�1g:(fi;ei+1)2roo):Usingourassumptionthatr1viscanprovethedesired(e;e0)2visasfollows:(e;e1)2roo^(e1;f1)2vis^(f1;e2)2roo^:::(en;fn)2vis^(fn;e0)2roo=)(e;e1)2roo^(e1;fn)2vis^(fn;e0)2roo=)(e;e1)2roo^(e1;e0)2vis=)(e;e0)2vis:Therstimplicationcomesfromthefactthat(vis;roo;vis)r1,thesecondfrom(vis;roo)r1,andthethirdfrom(roo;vis)r1.POCAisequivalenttotheconjunctionofWFRAandMWA.ConsidertheabstractexecutionA.POCAobviouslyimpliesWFRAandMWA,soitremainstoprovetheconverse.Consider(e;f)2hbo.Bythedenitionofhbo,thereexiste1;:::;enwithn2suchthate1=e^en=f^8i2f1;:::;n�1g:(ei;ei+1)2(roo[vis):SinceWFRAandMWAhold,thelastconjunctaboveimpliesthat8i2f1;:::;n�1g:(ei;ei+1)2ar:Furthermore,aristransitive.Hence,wehave(e;f)2ar,asdesired.D.3ComparisonwithquiescentconsistencyWeshowthatourspecicationsofeventualconsistencydescribethesemanticsofareplicatedstoremorepreciselythanquiescentconsistency,asstatedby(1).Toformalizethelatter,assumethatalloperationsaredividedintoqueries(Query)andupdates(Upd),andthatreturnvaluescomputedbyFareinsensitivetoqueries:F(o;E;oper;vis;ar)=F(o;Eju;operju;visju;arju)where
judenotesarestrictiontoupdateevents.Thefollowingstraightforwardpropositionshowsthateventhebasicnotionofeventualconsistencyfromx7impliesquiescentconsistency. 2J.Brzezi´nski,C.Sobaniec,andD.Wawrzyniak.Fromsessioncausalitytocausalconsistency.InPDP,2004. DEFINITION40.ForanabstractexecutionA=(E;repl;obj;oper;rval;ro;vis;ar)overintregobjectsweletthecorrespondingshared-memoryexe-cutionbeshared(A)=(E;repl;obj;oper;rval;ro;rf;mo);whereerf�!f()oper(e)=wr( )^oper(f)=rd^evis�!f^:9e0:oper(e0)=wr( )^ear�!e0vis�!f;emo�!f()oper(e)=wr( )^oper(f)=wr( )^ear�!f:PROPOSITION41.1.IfAoverintregobjectssatisesoneoftheaxiomsfromFig.13,thenshared(A)satisesthecorrespond-ingaxiomsfromFig.23,withPOCVcorrespondingtobothS-POCVandS-DETREADPOandCOCVcorrespondingtobothS-COCVandS-DETREADCO.Furthermore,ifAsatis-esFintreg,thenshared(A)satisesS-RVAL.2.IfRsatisesoneofthefollowingsetsofaxioms:(a)S-RVAL,S-THINAIR;(b)S-RVAL,S-THINAIR,S-POCV,S-POCA,S-DETREADPO;(c)S-RVAL,S-THINAIR,S-COCV,S-COCA,S-DETREADCO,thenthereexistsAoverintregobjectssuchthatR=shared(A)andAsatises(a)Fintreg,THINAIR;(b)Fintreg,THINAIR,POCV,POCA;(c)Fintreg,THINAIR,COCV,COCA.3.TheconjunctionofS-RYW,S-MR,S-WFRA,S-MWAisequivalenttothatofS-POCVandS-POCA.PROOF.Theproofofitem1istrivial.Toproveitem2,considerashared-memoryexecutionR=(E;repl;obj;oper;rval;ro;rf;mo):andletA=(E;repl;obj;oper;rval;ro;vis;ar);wherevisandararedenedasfollows:(a)vis=rfandarisanyextensionofmotoaunionoftransitive,irreexiveandtotalordersoneventsoneachobject.(b)vis=shboandarisanyextensionofmo[shbotoaunionoftransitive,irreexiveandtotalordersoneventsoneachobject.S-THINAIRimpliesthatvisiswell-formed.S-POCAandthetotalityofmoonwritestothesameobjectimplythatmo[shboisacyclic,andthusarcanindeedbeconstructed.(c)vis=shb\sameobjandar= ar\sameobj,where arisanytransitive,irreexiveandtotalorderoneventsinEcontainingshb[mo.S-COCAimpliesthatbothvisiswell-formedand arcanindeedbeconstructed.Incase(b),hbo=shbo,sothatAsatisesPOCVandPOCA.Incase(c),hb=shb.Thenhb\sameobj=shb\sameobjvis;sothatAsatisesCOCV.Besides,hb[arshb[ ar= ar;whichisacyclic.Thus,AsatisesCOCA.Inallcases,thedenitionsofvisimplyvis(ro[rf)+;sothat(ro[vis)+(ro[rf)+:HenceifRsatisesS-THINAIR,thenAsatisesTHINAIR.Wenowprovethatshared(A)=R;thisstraightforwardlyimpliesthatAsatisesFintreg.Assumethatshared(A)6=R.Sinceinallcaseswehavemoar,theprojectionofarontowritestothesameobjectisequaltomo.Furthermore,wehaverfvisinallcases.Thus,weareleftwiththefollowingtwopossibilities.erf�!f,butforsomee;f;e02Ewehaveoper(e)=wr( )^oper(f)=rd^oper(e0)=wr( )^ear�!e0vis�!f;whichimpliesemo�!e0.Incase(a),vis=rf,sothattheaboveisimpossiblebythepropertiesofrfandmo.Incase(b),vis=shbo,sothattheabovecontradictsS-POCV.Incase(c),vis=shb\sameobj,sothattheabovecontradictsS-COCV.Forsomee;f2Ewehaveoper(e)=wr( )^oper(f)=rd^evis�!f;but:9e0:e0rf�!f.Incase(a),vis=rfandtheaboveim-mediatelyyieldsacontradiction.Incase(b),vis=shbo,andwegetacontradictionwithS-DETREADPO.Incase(c),vis=shb\sameobj,andwegetacontradictionwithS-DETREADCO.Finally,weproveitem3.ItiseasytoseethatS-POCVim-pliesS-RYW,S-MRandS-POCAimpliesS-MWA,S-WFRA.AssumenowthatS-RYW,S-MR,S-MWA,S-WFRAhold.Con-sidere;e02Esuchthat(e;e0)2shbonroo.Thenthereexistw1;r1;:::;wn;rnwithn1suchthat(e;w1)2roo^(rn;e0)2roo^(8i2f1;:::;ng:(wi;ri)2vis)^(8i2f1;:::;n�1g:(ri;wi+1)2roo):Sincemoistotalonwritestothesameobject,byS-MRweget(e;w1)2roo^(w1;r1)2rf^(r1;w2)2roo^:::(wn;rn)2rf^(rn;e0)2roo=)(e;w1)2roo^(w1;rn)2rf^(rn;e0)2roo:Hence,shbo=roo[(roo;rf;roo).ToproveS-POCV,assumethereexistw1;w2;r2Esuchthatw1mo// rf33 w2shbo// rIfw2roo��!r,thenthiscontradictsS-RYW.Otherwise,forsomew0;r02Ewehavew1mo// rf11 w2roo// w0rf// r0roo// rThenbyS-MWAandtheirreexivityofmowegetw1mo// rf22 w0rf// r0roo// rwhichcontradictsS-MR.ToproveS-POCA,assumethereexistw1;w22Esuchthatw1shbo** w2mojj