A Formal Analysis of the Global Sequence Protocol

. The Global Sequence Protocol (GSP) is an operational model for replicated data stores, in which updates propagate asynchronously. We introduce the GSP-calculus as a formal model for GSP. We give a formal account for its proposed implementation, which addresses communication failures and compact representation of data, and use simulation to prove that the implementation is correct. Then, we use the GSP-calculus to reason about execution histories and prove ordering guarantees, such as read my writes, monotonic reads, causality and consistent preﬁx. We also prove that GSP extended with synchronous updates provides strong consistency guarantees.


Introduction
Cloud infrastructures provide data storages that are virtually unlimited, elastic (i.e., scalable at run-time), highly available and partition tolerant. This is achieved by replicating data over multiple servers. A client may perform update and read operations over any of these replicas and the store is responsible for keeping them synchronised. However, it is known (CAP theorem [7]) that any system cannot simultaneously provide availability, partition tolerance, and consistency. Thus, one of these properties has to be discarded. Today's popular data storages, such as Dynamo [6] and Cassandra [9], ensure availability and offer weaker notions of consistency, called eventual consistency. Roughly, eventual consistency guarantees that all updates will be delivered to the different replicas, which will eventually converge to the same state [1]. The storages adopt different strategies to achieve eventual consistency, which impact on the guarantees provided by the system, i.e., on the kind of inconsistencies or anomalies that are allowed to happen. For instance, a storage may resolve automatically conflicts introduced be concurrent updates (e.g., by using timestamps or causality) or may leave the problem to applications that read the database (like in Cassandra). In this way, the consistency model supported by a data store becomes crucial when writing applications.
Consequently, there has been a growing interest on establishing programming abstractions to help developers to deal with eventual consistent stores. For instance, commutative replicated data types [10] and cloud types [3] provide programmers with suitable data type abstractions that encapsulate issues related to eventual consistency. Recent proposals advocate declarative approaches for programming with eventual consistency, e.g., to automatically select the consistency level required from a store provided with a consistency contract for the application [11] or to prove that a given consistency level is adequate for preserving some data invariant [8]. With similar aims, the Global Sequence Protocol (gsp) [5] proposes an operational model to reason about applications running on top of replicated stores. Basically, the state of a store is represented as the sequence of updates that have led to it. Clients have their own copy of the state which they operate upon: each read and write operation has immediate effect over the local state and the system propagates changes to make all replicas consistent using a reliable total order broadcast protocol (rtob). The rtob protocol guarantees that all messages are delivered in the same total order to all clients. Replicas rely on the order generated by rtob to converge to the same state. In the very basic model, called core gsp, each client interacts with its local state by performing read and write operations. Albeit simple, this model introduces some subtleties when programming because it does not ensure read stability (i.e., two successive reads may return different values) nor atomicity of several updates (i.e., another client may partially observe the effects of a sequence of updates). To overcome these limitations, three synchronisation primitives, namely pull, push and confirmed, allow programmers to control the propagation of changes. It has been shown that this model can be implemented so to handle communication failures and to represent updates efficiently by using two type of objects: states and deltas. Both models, i.e. the idealised one and its implementation, have been defined in terms of a reference implementation.
In this paper, we propose a formal account for each model: the gsp and igsp calculi ( § 2 and § 3). We prove that the behaviour of a program running over igsp can be observed over the idealised model. Technically, we show that each igsp system can be simulated by the corresponding gsp system ( § 4). Then, we study and prove the consistency guarantees ensured by gsp. We rely on the characterisation of consistency guarantees in terms of abstract histories proposed in [2]. Abstract histories capture the visibility relation between actions and the arbitration order of updates in the system. Then, a wide-spectrum of consistency models can be characterised in terms of these two relations. In § 5, we show how to operationally associate abstract histories to concrete computations and prove that gsp enjoys properties such as Monotonic Read, Causal Visibility and Consistent prefix, among others. Finally, in § 6 we study the extension of gsp with synchronous write operations, which ensures strong consistency.

Syntax
Clients interact with a store by performing operations in U ∪ R: an element in U denotes an update operation, while one in R stands for a read operation.  Fig. 1. Syntax of the gsp calculus No operation can simultaneously read and update a store, therefore we assume U ∩ R = ∅. We write u, u , u , . . . for updates and r, r , r , . . . for reads. The state of a store is represented by a sequence of updates. For technical convenience (particularly in § 5), we distinguish different executions of the same operation. Formally, stores associate each update with a fresh event identifier.
We assume a set V of event identifiers v, v 0 , . . . , v ,. . . and write u v for the update u associated with the event v.
We use u to denote sequences of decorated updates and u for an atomic block of updates. We write b for a sequence of blocks. We denote the empty sequence with and use the usual operations on sequences such as b[i] to denote the i-th element of b, b[i..j] for the subsequence of b from position i to j, |b| for its length and b \ b for the relative complement of b in b . Additionally, b stands for the plain sequence of updates in b (i.e., without any separation in blocks).
We rely on the countable sets X of program variables x, x , . . . and I of client identifiers i, i , . . . , i 1 , . . .. A gsp system N consists of a store and zero or more clients. The global store S is completely defined by its state, which consists of a sequence of blocks. The term P, u T , b S , b P , k, j i stands for a client identified by i and engaged on the execution of the program P . The remaining elements are used to describe the state of the local replica: u T contains the updates that have been made locally and are part of an unfinished block; b S models the communication buffer, which keeps all blocks completed by the client but not received by the global store; b P is the pending buffer, which contains all completed blocks that are unconfirmed by the global store. For simplicity, we do not have an explicit replica of the global store in each client; we use instead a natural number k to indicate the portion of the global state that is known to the client. Specifically, the client i knows the sequence S[0..k − 1]. Similarly, j indicates the number of updates received by the client that have not been added to the local replica, i.e., the client has received the updates contained in the segment S[k..k + j − 1].
A program P is built as a sequence of operations that interacts with the store: read(r), update(u), pull, push, confirmed (we postpone their description until § 2.2). A program let x = . . . in P introduces a bound variable whose scope is P . The definition of free variables of a program is standard. We say that a process P is closed when it does not contain free variables. We keep the language for programs simple. We remark that this choice does not affect the results presented in this paper. Actually, we could just have characterised the behaviour of programs as a labelled transition system, but we prefer to have a syntax throughout the presentation.
. . , m} is well-formed if the following conditions hold 1. i l = i l for all l = l ; 2. k l + j l ≤ |S| for all l; 3. b Pl = u 1 · · · u p · b Sl and for all 1 ≤ x < y ≤ p there exists x , y s.t.
S[x ] = u x , S[y ] = u y and k l ≤ x < y ; and We require identifiers to univocally identify clients (1) and every local state to be consistent with the global store, i.e., a client can see at most every message in the store (2), all unconfirmed blocks in b Pl are either in the communication buffer b Sl or in the unseen part of the global store u 1 · · · u p (3). Moreover, an event identifier is associated with a unique update in the system (4). Hereafter, we assume every gsp system to be well-formed.

Operational Semantics
The operational semantics of gsp is given by a labelled transition system over well-formed terms, quotiented by the structural equivalence ≡ defined as the least equivalence such that || is associative, commutative and has 0 as neutral element. The set of actions is given by the following grammar: As usual, τ stands for an internal, unobservable action, while the remaining ones correspond to the interaction of a client with the store. A label (λ, i) indicates that the client i performs the action λ. We write We now comment on the inference rules in Fig. 2. When a client performs an update (rule update), the change has only local effects: the sequence of local updates u T is extended with the operation u decorated with a globally fresh identifier v. We remark that decorations are used for technical reasons but they are operationally irrelevant (see § 5).
A client propagates its local changes to the global store by executing push (rule push): all local changes in u T will be transmitted as a block u T , i.e., as an atomic unit. Nevertheless, these changes are not made available immediately Operational semantics for gsp at the global store because of the asynchronous communication model. In fact, the new block u T is added to the communication buffer b S , which contains all blocks that have not reached the global store. Also, u T is added to the pending messages b P . Rule send stands for a block that finally reaches the global store. Conversely, rule receive models the reception of a new update. The received update is not immediately added to the local replica. Actually, each client explicitly refreshes its local view by executing pull (rule pull). At this time, all previously received updates j are incorporated to the local copy (i.e., k is changed to k + j). Additionally, all pending updates in the new fragment S[k..k + j − 1] are remove from b P . The semantics of operations is defined abstractly by the interpretation function rvalue : R × U * → V, i.e., a function that takes a read operation and a sequence of updates and returns a value in some domain V. A read operation r is evaluated over the local state of the client (rule read), i.e., the known prefix of the global store S[0..k − 1] and the local updates in b P and u T . The value v is bound to the variable x, and hence all free occurrences of x in the continuation P are substituted by v. A client may perform confirmed to check whether its executed updates are already in the global store: this operation returns true only when the local buffers b P and u T are both empty (rule confirm).
We remark that the operational semantics preserves well-formedness.
ins ∈ I → r (out srv) outs ∈ I → seg The gsp model describes an idealised system that abstracts away from several implementation details, such as non-optimised representation of the state and unreliable communication. This section presents a formal model for the implementation proposed in [5].

Syntax
The implementation of gsp relies on a compact representation for states and updates. Their precise definition highly depends on the datatype of the values handled by the store, but they are characterised in terms of two abstract types: State and Delta, which provides the following operations [5]: Constants δ ∅ and ∅ denote the empty elements in their respective types. An object δ ∈ Delta describes the effects of a sequence of updates and is built by either appending an update to an existing delta (append) or combining together several deltas (reduce). Operation read is the interpretation function for operations (i.e., the implementation counterpart of function rvalue( , ) used by the idealised model) and apply corresponds to state transformations.
Clients and the global store exchange δ objects to communicate changes. As each single δ may correspond to several update operations, clients send each δ accompanied by its own identifier and a sequence number n. Precisely, clients send rounds, i.e. triples r = i, n, δ . Differently, the global store sends segments seg = δ, f , in which δ is accompanied by a function f ∈ I → N. In this way, the global store confirms all changes from client i until round f(i). To deal with crashes and recovery, the server may send segments of the form s, f , which communicates a complete state instead of a delta object. Definition 3.1 (GSP Language). The set of igsp terms is given by the grammar in Fig. 3.
As for gsp, a system is composed by a global store S and possibly many clients C. A global store is modelled by a tuple s, f, in s , out s containing a state s, a function f to keep track of processed rounds and the communication buffers in s and out s . There are two dedicated buffers for each client i: in s (i) contains the rounds received from i, and out s (i) the segments that have been sent to i.
A client is represented by a term P, s, δ T , δ P , n, r, in c i . As for gsp, i is its identity and P is its program. Note that the language for programs remains unaltered. The component δ T is analogous to u T in the gsp model, i.e., it keeps all local updates until the client performs push. Differently, δ P keeps all finished blocks that have not been sent. The number n identifies the current round. Buffer r keeps all sent rounds that have not been confirmed by the global store (similar to b P in gsp), while in c keeps all received segments (analogous to j).
We also impose the following well-formedness condition on systems.

either
(i) r l = , f(i l ) ≤ n l and if i l ∈ dom(in s ) then in s (i l ) = ; (ii) r l = in s (i l ) = i l , n fst , δ fst · r l and n fst > f(i l ); (iii) r l = r l · i l , n lst , δ lst · in s (i l ) and in cl · out s (i l ) = δ 0 , f 0 · · · δ lst , f lst with f lst (i l ) = n lst ; or (iv) in s (i l ) = , r l = r l · i l , n lst , δ lst and either in cl ·out s (i l ) = s, f ·seg with f (i l ) ≤ n lst or in cl · out s (i l ) = and f(i l ) ≤ n lst .
We require all clients to have different identifiers (1). Communication channels in the implementation are bidirectional, hence i l ∈ dom(in s ) iff i l ∈ dom(out s ) (2). Moreover, the input buffer of a disconnected client is empty (3). Condition (4) states that s, f can appear only as the first message in the flow from the store and that the store confirms processed rounds in a non-decreasing order. Similarly, clients send rounds with increasing round number (5). The last condition (6) states a coherence requirement between pending rounds and the segments sent by the store, which can only confirm rounds that are pending.

Operational Semantics
As for the idealised model, the operational semantics is given by a labelled transition system over well-formed terms, up-to structural equivalence. We consider a new label τ without any client annotation for transitions associated with changes in the global store and communication failures. The inference rules are in Fig. 4.
Rule (i-update), which is analogous to rule (update), adds the operation u to the temporary block δ T . The decoration v is irrelevant in this model, hence we do not impose any freshness requirement. A client terminates a block by executing push (i-push). At this time, the block δ T is appended to the already terminated blocks in δ P , which will be sent on the next round. Additionally, the block counter n is incremented by 1. By rule (i-send), a client sends changes to the global store. This transition takes place whenever the client is connected (i.e., i ∈ dom(in s )), there are finished blocks in δ P (i.e., δ P = δ ∅ ) and there is no need for resynchronisation (i.e., in c · out s (i) = s , f · seg) 3 . The available blocks are sent within the same round r = i, n, δ P , which contains the number n corresponding to the last finished block. The new round r is added to the corresponding input buffer in the store, i.e., in s (i) is updated to in s (i) · r (where [ → ] is the update operator for functions). Additionally, r is added to the sequence of pending rounds r and the buffer δ P is reset to δ ∅ . Symmetrically, the client i may receive an available segment at any time (ireceive). The new segment seg is removed from the buffer out s (i) of the global store and added to the input buffer of the client. As for the idealised model, all received changes are applied to the local replica when i performs pull. Rule (i-pull 1 ) handles the case in which the connection with the global store has not been previously reset. In such case, all received segments are of the form δ, f . Therefore, the changes δ 1 · · · δ k are applied to the local state s and all rounds confirmed by the received segments are removed from the pending list r. By well-formedness (Def. 3.2,5), it suffices to consider the confirmation f k , which has the greatest confirmation. Hence, all rounds up-to f k (i) are removed from r. This is done by the auxiliary function filter( , ), defined as follows filter(n, r) = i, n j , δ j · · · i, n k , δ k if r = i, n 0 , δ 0 · · · i, n j , δ j · · · i, n k , δ k , n j−1 ≤ n and n j > n Rules (i-read) and (i-confirm) are analogous the ones in the gsp calculus. We use ∆( ) for the function that projects a sequence of rounds into the sequence that contains the corresponding δs. The global store changes its state as prescribed by rule (i-batch): it collects all received rounds in in s by using the auxiliary function rnds( ), which builds a unique object δ by appending all available rounds, and a function f that associates each client with the number of the last received round. Let in s be such that dom(in s ) = {i 0 , . . . , i m } and ∀i l ∈ dom(in s ).in s (i l ) = r l · i l , n k l l , δ k l l . Then, rnds( ) is defined as follows The obtained δ is applied to the current state s and f is updated with f . In addition, the new segment δ, f[f ] is sent to every connected client, i.e., it is added at the end of every buffer out s (i). The input buffers in s (i l ) are emptied because all received rounds have been processed.
The remaining rules deal with connectivity issues: rule (i-drop-cxn) models a disconnection: the buffers out s (i) and in s (i) are removed from the global store and also the input buffer of i is set to . When the client i (re-)establishes its connection (i-accept-cxn), the store creates the buffers for i and sends a segment containing the current state of the store. Rule (i-pull 2 ) is analogous to (i-pull 1 ), but handles the first pull after a reconnection. The first received segment s , f 0 contains a state instead of a delta object. The client uses s instead of its local state to resynchronise. The application of successive segments is analogous to rule (i-pull 1 ). Moreover, the client resends a round r containing all pending segments lost by the server during the disconnection.
The proposed implementation allows for a server to crash, i.e., to close all communication buffers, but we do not model explicitly this behaviour because it can be obtained by applying rule (i-drop-cxn) several times.

Correctness of the Implementation
We now prove that igsp is a correct implementation of gsp. We recall in Fig. 5 the requirements stated in [5] for the operations provided by the data types State and Delta. Formally, the relation associates delta and state objects with sequences of updates: δ u (similarly, s u) means that δ (correspondingly, s) is a compact representation of u. Then, it is also assumed that s u implies read(r, s) = rvalue(r, u) for any r. Building on the above relation, we define under which conditions a igsp system is an implementation of a gsp system.
. . , m}, and N = C 0 || . . . || C m || S a igsp system such that S = s, f s , in s , out s and C l = P l , s l , δ Tl , δ Pl , n l , r l , in cl i l . We say N implements N if the following conditions hold: s u δ1 u1 . . . δn un apply(s, δ1 · · · δn) u · u1 · · · un ( -reduce) δ1 u1 . . . δn un reduce(δ1 · · · δn) u1 · · · un The first three conditions are self-explanatory. Condition (4) states that the pending blocks in b Pl correspond either to rounds in the pending list r l or to blocks ready to be sent, i.e., in δ Pl . By condition (5), if a client is synchronised with the store (i.e., i l ∈ dom(in s ) and in c · out s (i l ) = s , f · seg) then all blocks in the sending list b Sl are either rounds that have been sent, i.e., in in s (i l ), or ready blocks in δ Pl . Condition (6) establishes the relation between the received messages in both models. Basically, the local replica is complete when there are no segments for the client (i). When the first received segment is a delta object (ii), the content in the input buffer in cl corresponds to the received messages in S[k l ..k l + j l − 1] and the the output buffer out s (i l ) contains the updates in the sequence S[k l + j l ..|S| − 1]. In the remaining two cases, the first segment contains a state. When the segment is in the input buffer of the client (iii), the received state s corresponds to a prefix of the sequence S whose length lies in between of the updates already received by the client in the idealised model, i.e., S[0..t − 1] with k ≤ t ≤ k l + j l , while the remaining conditions are analogous to the previous case. Differently, when the first segment is still on the output buffer of the store (iv), s corresponds to a prefix that contains at least all updates in S already known to the client, i.e., t ≥ k l + j l because the store confirmations are monotonic. Condition (7) states that in any segment δ, f sent by the store, δ corresponds to a contiguous sequence of updates in S, i.e., S[x..x ]. Moreover, all confirmed rounds are also within the prefix S[0..x ].
We now show that igsp is a correct implementation of gsp by proving that N weakly simulates N when N implements N . We use standard simulation but technically we take into account the fact that gsp associates a fresh event identifier to each update while igsp does not. Take →= τ − → i∈I τ − → i , ⇒ as the reflexive and transitive closure of →, i.e.⇒=→ * , and  We remark that R −1 is not a simulation because the implementation cannot mimic the behaviour in which a client have completed two consecutive blocks (i.e., two push commands) without sending the first block. In gsp it is still possible to interleave the two blocks with blocks sent by other clients but in igsp they are treated as atomic because they will be sent as a unique δ object.

Consistency Guarantees
In this section we study the consistency properties offered by gsp. We rely on the characterisation of properties in terms of abstract executions [4], execution histories enriched with information about visibility and arbitration of actions. We write ↓ for function/relation restriction. For a given abstract history A, we write U (similarly, R) for the codomain restriction of OP to U (correspondingly, Definition 5.2 (Well-formed history). Let N = C 0 || . . . ||C m ||S be a gsp system where C l = P l , u Tl , b Sl , b Pl , k l , j l i l . A history A = N , OP, SS, SO, VIS, AR is well-formed if the following conditions hold: The above conditions ensure that events in SS are associated with an operation by OP (1). Besides, SO only relates events belonging to the same session (2), which are totally ordered within each session (3). Differently from the definition in [2], we restrict visibility to keep track of dependencies between updates and read events(4). We do not require AR to be a total order but instead to be a prefix order (5). In this way the updates in different replicas are arbitrated when they reach the global store. The remaining two conditions require the abstract history to be consistent with the state of the system. Rules in Fig. 6 provides an operational way to associate abstract executions with gsp computations. Rules (a-update) and (a-read) add new events to the history and corresponds to the execution of a read or update operation by a client. In both cases OP is extended with a new event v (i.e., v / ∈ dom(OP)), which is associated with the corresponding operation (either r or u). The new event v is added to the corresponding session i, and SO is updated to make v the maximal event for the session i. Rule (a-update) amends AR by capturing the fact that all updates that are already in the global state took place before the new event. Rule (a-read) instead augments VIS with the pairs associating the new event with all events that are seen by the read action, namely, the local view of the global state S[0..k i − 1] and the local buffers b Pi and u Ti . Rule (a-arb) handles the changes in the state of the global store (due to a send transition in one client) and amends AR by arbitrating (i) the new events by respecting the relative order in which they are added to the store (i.e., {(v i , v j ) | i, j ∈ {0, . . . , n}, i < j}) and (ii) all updates in the local state of the clients after the new ones (i.e., ({v 0 , . . . , v n } × {w | w ∈ U ∀u.u w ∈ S · u}). The remaining transitions of the system are considered as internal changes that do not affect the history and are handled by rule (a-int).
We use histories to analyse the ordering guarantees offered by the gsp model. (Due to space limitation, we refer the interested reader to see the characterisations provided in [2, Ch. 5]).  The following example shows that the gsp model exhibits the Dekker anomaly, hence it does not enjoy sequential consistency [2].
Example 5.1 (Dekker anomaly). Consider the following system consisting of two clients and the empty store N = || C 1 || C 2 where C 1 = update(u 1 ); let y = read(r 1 ) in P, , , , 0, 0 i1 C 2 = update(u 2 ); let y = read(r 2 ) in Q, , , , 0, 0 i2 Since the updates are made locally, none of the clients see the update performed by the other and this is the essence of the Dekker anomaly which is ruled out by strong consistency models like sequential consistency or linearizability.

gsp with atomic updates
In this section we study the atomic updates proposed in [5]. We extend the language of programs as follows: wait; P, u T , b S , b P , k, j i || N τ − → i let x = confirmed in x (pull; wait; P ); P, u T , b S , b P , k, j i || N The execution of a program syncUpd(u); P remains blocked until the update u is performed over the global store. This is achieved by continuously pulling (i.e., a busy-waiting) until the updates are confirmed by global store. In order to provide the formal semantics of the language, we consider the following runtime syntax for programs. The operational semantics for the new primitives is given by the rules in Fig. 2. Rule (sync-upd) rewrites each synchronous update as the sequence consisting of an asynchronous update followed by pull and wait. Processes wait continuously checks whether local changes have been confirmed by the global store. As described by rule (wait), it is implemented as a busy-waiting loop that first checks the local buffers by executing confirmed and then performs the conditional jump x (pull; wait); P . If the condition x is true, then it follows as P otherwise it continues as pull; wait, as described by rules (guard-true) and (guard-false).
Single order is characterised, essentially, by imposing arbitration and visibility to coincide [2]. Since our definition for AR and VIS makes them disjoint, we use an alternative characterisation of single order guarantee, which disregards the arbitration order of updates that are not observed. Hence, we use the following characterisation for single order: AR; VIS ⊆ VIS and AR −1 ; ¬VIS ⊆ ¬VIS The following result shows that any well-formed gsp system, whose programs are free from asynchronous updates enjoy the single order guarantee.

Conclusions
We have proposed a formal model for the Global Sequence Protocol and its proposed implementation. We use our formal model to provide a simplified proof (that relies on standard simulation) that the proposed implementation is correct. We remark that our proof does not require to exhibit an auxiliary state for the simulation and that several invariants are trivially ensured by the definition of the model (e.g., the fact that clients have a consistent view of the global sequence) and the well-formed conditions imposed over systems. We have formally studied the consistency guarantees ensured by the model by relying on the operational semantics of the calculus to incrementally compute (a relaxed version of) abstract histories. We have also shown how gsp can be used to formally study programming patterns, like synchronous update operations, that provide stronger consistency guarantees at the expenses of efficiency and availability. We plan to use the gsp calculus as a formal basis for developing programming techniques to enable the fine-tuning of consistency levels in applications.