Co-Design and Verification of an Available File System

Shapiro, Marc; Eugster, Patrick

doi:10.1007/978-3-319-73721-8_17

Cited by 7 publications

(7 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Najafzadeh et al [5], [6] previously implemented a replicated filesystem with a move operation, and analysed the case of concurrent move operations introducing a cycle. Using the CISE proof tool [10], [11] the authors confirm that it is not sufficient for the replica that generates a move operation to check whether the operation introduces a cycle: like in Figure 2, two concurrent operations may be safe individually, but introduce a cycle when combined.…”

Section: Is a Highly-available Move Operation Impossible?mentioning

confidence: 99%

See 1 more Smart Citation

A Highly-Available Move Operation for Replicated Trees

Kleppmann

Mulligan

Gomes

et al. 2022

IEEE Trans. Parallel Distrib. Syst.

View full text Add to dashboard Cite

Replicated tree data structures are a fundamental building block of distributed filesystems, such as Google Drive and Dropbox, and collaborative applications with a JSON or XML data model. These systems need to support a move operation that allows a subtree to be moved to a new location within the tree. However, such a move operation is difficult to implement correctly if different replicas can concurrently perform arbitrary move operations, and we demonstrate bugs in Google Drive and Dropbox that arise with concurrent moves. In this paper we present a CRDT algorithm that handles arbitrary concurrent modifications on trees, while ensuring that the tree structure remains valid (in particular, no cycles are introduced), and guaranteeing that all replicas converge towards the same consistent state. Our algorithm requires no synchronous coordination between replicas, making it highly available in the face of network partitions. We formally prove the correctness of our algorithm using the Isabelle/HOL proof assistant, and evaluate the performance of our formally verified implementation in a geo-replicated setting.

show abstract

Section: Is a Highly-available Move Operation Impossible?mentioning

confidence: 99%

“…• We define a Conflict-free Replicated Data Type for trees that allow move operations without any coordination between replicas such as locking or consensus. As discussed in §2.3, this has previously been thought to be impossible to achieve [5], [6].…”

Section: Introductionmentioning

confidence: 99%

A Highly-Available Move Operation for Replicated Trees

Kleppmann

Mulligan

Gomes

et al. 2022

IEEE Trans. Parallel Distrib. Syst.

View full text Add to dashboard Cite

show abstract

“…Najafzadeh [40,41] also implemented a CRDT-based replicated filesystem, but chose a different approach: move operations must acquire a global lock before they can proceed, which ensures that conflicting concurrent move operations cannot occur in the first place. This conservative approach rules out move conflicts, but the resulting datatype is not strictly a CRDT, since some operations require strongly consistent synchronisation.…”

Section: The Difficulty Of a Move Operationmentioning

confidence: 99%

“…Najafzadeh [40,41] asserts that concurrent move operations on a tree cannot safely be implemented in a CRDT, since the precondition of a move operation is not stable. Najafzadeh suggests the use of locks to globally synchronise move operations, preventing a scenario such as that in Figure 4 from ever occurring.…”

Section: Collaborative Tree Datatypesmentioning

confidence: 99%

See 1 more Smart Citation

OpSets: Sequential Specifications for Replicated Datatypes (Extended Version)

Kleppmann¹,

Gomes²,

Mulligan³

et al. 2018

Preprint

View full text Add to dashboard Cite

We introduce OpSets, an executable framework for specifying and reasoning about the semantics of replicated datatypes that provide eventual consistency in a distributed system, and for mechanically verifying algorithms that implement these datatypes. Our approach is simple but expressive, allowing us to succinctly specify a variety of abstract datatypes, including maps, sets, lists, text, graphs, trees, and registers. Our datatypes are also composable, enabling the construction of complex data structures. To demonstrate the utility of OpSets for analysing replication algorithms, we highlight an important correctness property for collaborative text editing that has traditionally been overlooked; algorithms that do not satisfy this property can exhibit awkward interleaving of text. We use OpSets to specify this correctness property and prove that although one existing replication algorithm satisfies this property, several other published algorithms do not. We also show how OpSets can be used to develop new replicated datatypes: we provide a simple specification of an atomic move operation for trees, an operation that had previously been thought to be impossible to implement without locking. We use the Isabelle/HOL proof assistant to formalise the OpSets approach and produce mechanised proofs of correctness of the main claims in this paper, thereby eliminating the ambiguity of previous informal approaches, and ruling out reasoning errors that could occur in handwritten proofs.

show abstract