AMECOS: A Modular Event-Based Framework for Concurrent Object Specification
Abstract
In this work, we introduce a modular framework for specifying distributed systems that we call AMECOS. Specifically, our framework departs from the traditional use of sequential specification, which presents limitations both on the specification expressiveness and implementation efficiency of inherently concurrent objects, as documented by Castañeda, Rajsbaum and Raynal in CACM 2023. Our framework focuses on the interactions between the various system components, specified as concurrent objects. Interactions are described with sequences of object events. This provides a modular way of specifying distributed systems and separates legality (object semantics) from other issues, such as consistency. We demonstrate the usability of our framework by (i) specifying various well-known concurrent objects, such as registers, shared memory, message-passing, reliable broadcast, and consensus, (ii) providing hierarchies of ordering semantics (namely, consistency hierarchy, memory hierarchy, and reliable broadcast hierarchy), and (iii) presenting a novel axiomatic proof of the impossibility of the well-known Consensus problem.
Keywords and phrases:
Concurrency, Object specification, Consistency conditions, Consensus impossibilityCopyright and License:
![[Uncaptioned image]](x1.png)
2012 ACM Subject Classification:
Theory of computation Distributed algorithmsFunding:
This work has been partially supported by Région Bretagne, the French ANR project ByBloS (ANR-20-CE25-0002-01), the H2020 project SOTERIA, the Spanish Ministry of Science and Innovation under grants SocialProbing (TED2021-131264B-I00) and DRONAC (PID2022-140560OB-I00), the ERDF “A way of making Europe”, NextGenerationEU, and the Spanish Government’s “Plan de Recuperación, Transformación y Resiliencia”.Editors:
Silvia Bonomi, Letterio Galletta, Etienne Rivière, and Valerio SchiavoniSeries and Publisher:

1 Introduction
Motivation.
Specifying distributed systems is challenging as they are inherently complex: they are composed of multiple components that concurrently interact with each other in unpredictable ways, especially in the face of asynchrony and failures. Stemming from this complexity, it is very challenging to compose concise specifications of distributed systems and, even further, devise correctness properties for the objects those systems may yield. To ensure the correctness of a distributed system, realized by both safety (“nothing bad happens”) and liveness (“something good eventually happens”) properties, the specification must capture all of the possible ways in which the system’s components can interact with each other and with the system’s external environment. This can be difficult, especially when dealing with complex and loosely coupled distributed systems in which components may proceed independently of the actions of others. Another challenge caused by concurrency is to specify the consistency of the system or the objects it implements. The order in which processes access an object greatly impacts the evolution of the state of said object. Several types of consistency guarantees exist, from weak ones such as PRAM consistency [26] to stronger ones such as Linearizability [20]. Therefore, one needs to precisely specify the ordering/consistency guarantees expected by each object the system implements.
To address the inherent complexity of distributed systems, researchers often map executions of concurrent objects to their sequential counterparts, using sequential specifications [4, 27]. Although easier and more intuitive for specifying how abstract data structures behave in a sequential way [35], as noted in [11], sequential specifications appear unnatural for systems where events may not be totally ordered, hindering the potential of concurrent objects. More precisely, there are concurrent objects that do not have a sequential specification (e.g., set-linearizable objects or Java’s exchanger object [11]), or objects that, even if they can be sequentially specified, have an inefficient sequential implementation. For example, it is impossible to build a concurrent queue implementation that eliminates the use of expensive synchronization primitives [11].
Our approach.
In this work, we propose a modular framework which we call AMECOS (from A Modular Event-based framework for Concurrent Object Specification) that does not use sequential specification of objects, but instead offers a relaxed concurrent object specification mechanism
that encapsulates concurrency intuitively, alleviating the specifier from complex specifications.
Here are some noteworthy features of our framework.
Component Identification and Interfacing: Our specification focuses on the interface between the various system components specified as concurrent objects.
In particular, it considers objects as opaque boxes, specifying them by directly describing the intended behavior and only examining the interactions between the object and its clients.
In this way, we do not conflate the specification of an object with its implementation, as is typically the case with formal specification languages such as TLA+ [25] and Input/Output Automata [28].
Specifically, these languages specify a distributed system and its components with a state machine (as a transparent box). In contrast, our formalism specifies an object at the interface level
(as an opaque box).
Furthermore, we avoid using higher-order logic, which sometimes can be cumbersome, and instead, we use simple logic, rendering our specification “language” simple to learn and use.
In some sense, we provide the “ingredients” needed for an object to satisfy specific properties and consistency guarantees.
Modularity: Focusing on the object’s interface also provides a modular way of specifying distributed systems and separates the object’s semantics from other aspects, such as consistency.
With our formalism, we can, for example, specify the semantics of a shared register [23], then specify different consistency semantics, such as PRAM [26] and Linearizability [20], independently, and finally combine them to obtain PRAM and atomic (i.e., linearizable) shared registers, respectively.
This modularity also helps, when convenient (e.g., for impossibility proofs), to abstract away the underlying communication medium used for exchanging information.
In fact, we also specify communication media as objects.
Structured Formalism: The formalism follows a precondition/postcondition style for specifying an object’s semantics, via 3 families of predicates: Validity, Safety, and Liveness.
The first one specifies the requirements for the use of the object (preconditions), while the other two specify the guarantees (hard and eventual) provided by the object (postconditions).
This makes our formalism easy to use, providing a structured way of specifying object semantics.
Notification Operations: Another feature of the formalism is what we call notification operations, that is, operations that are not invoked by any particular process, but that spontaneously notify processes of some information.
For example, a broadcast service provides a operation for disseminating a message in a system, but all processes of this system must be eventually notified that they received a message without invoking any operation.
So, a notification is a “callback” made by an object to a process, and not by a process to an object.
This feature increases our framework’s expressiveness compared to formalisms that are restricted to using only invocation and response events for operations [33].
Contributions.
The following list summarizes the contributions of the paper.
-
We first present our framework’s architecture, basic components, key concepts, and notation (see Section 3). We especially show that our framework can elegantly take into account a wide range of process failures, such as crashes or Byzantine faults (see Sections 3.5 and 6). Then, we demonstrate how concurrent objects can be specified using histories, preconditions, and postconditions (see Section 4).
-
Using our formalism, we show how we can specify several classic consistency conditions, from weak ones such as PRAM consistency to strong ones such as Linearizability. Then, we show that we can define consistency conditions (set-linearizability and interval linearizability) for objects that do not have sequential specifications (see Section 5).
-
Using the definitions of object specification and consistency, we show how they can be combined to yield correctness definitions for histories, even in the presence of Byzantine failures (see Section 6).
-
We demonstrate our framework’s effectiveness in constructing axiomatic proofs by presenting a novel, axiomatic proof of the impossibility of resilient consensus objects in an asynchronous system (see Section 7). To our knowledge, this is one of the simplest and most general proofs of this result. Its simplicity and generality stem from the fact that our formalism abstracts away the implementation details of the object or system being specified, allowing us to focus on proving intrinsic fundamental properties. For instance, our impossibility proof abstracts away the communication medium. (For completeness, we show in Appendix F that SWSR atomic registers and point-to-point message-passing channels satisfy the relevant assumptions of the proof.)
-
Finally, to further exemplify the usability of our formalism, we specify shared memory, message passing, and reliable broadcast as concurrent objects (see Appendices C-D). The modularity of our formalism is demonstrated by combining the consistency conditions with these object specifications, obtaining shared memory and broadcast hierarchies.
We also present a comparison with related work (Section 2) and a discussion of our findings (Section 8). Due to page limitations, some developments appear in appendices.
2 Related Work
The present work addresses two different (but not unrelated) problems: object semantics specification and consistency conditions. It also deals with the Consensus impossibility.
Object semantics specification.
As we already discussed, traditionally, formal definitions of concurrent objects (e.g., shared stacks or FIFO channels) are given by sequential specifications, which define the behavior of some object when its operations are called sequentially. Distributed algorithms are commonly defined using formal specification languages, e.g., input/output (IO) automata [28], temporal logics (e.g., LTL [32], CTL* [13], TLA [25]) and CSP [1], for implementing concurrent objects. Formal proofs are used to show that those implementations satisfy the sequential specifications of the object in any possible execution.
We argue that defining concurrent objects using such formal methods conflates the specification and implementation of said objects. On the contrary, as we already discussed in Section 1, our formalism considers objects as opaque boxes, and the specification stays at the object’s interface. Furthermore, formal methods are typically complex and difficult to learn, requiring specialized tools and expertise. Our formalism, instead, relies only on simple logic (no higher-order logic is required), making it easy to learn and use. To this end, we concur that our formalism complements existing formal methods by providing an intuitive way to express the necessary properties a concurrent object must satisfy. Moreover, the formalism may reveal the necessary components (“ingredients”) needed for an object to satisfy specific guarantees. Armed with our object specifications, formal methods may be used to specify and compose simpler components, drifting away from the inherent complexities of more synthetic distributed structures.
Consistency conditions.
Consistency conditions can be seen as additional constraints on the ordering of operation calls that can be applied on top of an object semantics specification, which, in this work, we call legality. Over time, several very influential consistency conditions have been presented (e.g., [2, 5, 20, 24, 26]). However, all of these consistency conditions have been introduced in their own notations and context (databases, RAM/cache coherence or distributed systems), which raised the need to have a unified formalism for expressing all types of consistency. Several formalisms have been proposed [8, 9, 30, 36, 38]. We propose a formalism that uses light notation and is very expressive. As we demonstrate in Section 5, we view legality as the lowest degree of consistency, thus making a clear separation between legality and consistency. Furthermore, our formalism helps us specify consistency guarantees incrementally, moving from weaker to stronger ones, yielding a consistency hierarchy. Several works already presented consistency hierarchies and a way to combine consistencies with object specifications [30, 39]. In contrast to our framework, these approaches rely on sequential object specifications, which, as we have already discussed, can constrain expressiveness.
Possibly the work in [38] (derived from [8, 9]) is the closest to ours with respect to “specification style.” However, the object specifications in [38] (and [8, 9]) use the artificial notion of arbitration to always impose a total order on object operation executions, whereas our formalism does not require a total order (unless the consistency imposes it); in general, we only consider partial orders of operation executions. Another notable difference with [38] is that their consistency specification is for storage objects, whereas we specify consistency conditions in general, and then we combine them with a specification of a shared memory object to yield a consistency hierarchy for registers (similar to storage objects considered in [38]). Additionally, compared to other endeavors such as [8, 9, 30], our framework also considers strong failure types such as Byzantine faults.
Impossibility of Asynchronous Consensus.
Consensus is a fundamental abstraction where all participants of a distributed system must eventually agree on one of the values that have been proposed [27]. To demonstrate the utility of the framework, we define a Consensus object and provide a proof of the FLP impossibility [14]. Like [37], our proof follows an axiomatic approach: the notion of asynchronous resilient consensus is defined as a system of axioms, and then it is proved that this system is inconsistent, i.e., that there is a contradiction. With the framework, the proof becomes agnostic to the communication media, unlike other proofs that assume message-passing [14, 15, 18, 40], shared memory [15, 17, 19] or other models like iterated immediate snapshot [21]. See Appendix A.6 for more details.
3 Framework: Architecture, Components, Notation, and Concepts
3.1 System Architecture
The proposed framework assumes a distributed system as depicted in Figure 1, which has a set of processes that interact with some Communication Medium (e.g., shared memory, message passing), modeled as an object. The processes have applications and local modules that implement other objects. (Processes are essentially computing entities, and they could be modeled as I/O Automata [28].) Each object offers an interface formed by operations that can be invoked by applications and modules of other objects. An execution of this system is an execution of the applications of all the processes and the execution of the object operations these applications invoke (directly or by execution of operations in other objects).
3.2 Components
In the framework, an execution of a distributed system is described with 6 (potentially infinite) sets. As shown in Figure 2, these sets are in relation to each other.
: contains all processes (of identity ) of the system execution, where the attribute is the type of (either correct or faulty, see Section 3.5).
: contains all the objects of the system (e.g., a channel, a register, a stack, etc.).
An object is associated with a set of operations (the interface) that processes can execute on it.
: contains all the operations that can be executed on some object , where the attribute is the name of (e.g., or ), the attribute is the type of (either it is a normal operation or a notification operation, see Section 3.3), and the , , and attributes are predicates respectively defining the invocation validity, safety, and liveness of the operation (see Section 4).
: contains all operation executions (op-ex for short) of an operation by a process . When an operation is executed, it produces an invocation event and a response event. Hence, an op-ex is the pair of the invocation and the response
events of . If then op-ex has no invocation event, i.e., (see Section 3.3).
: contains all the events in , where the attribute is the value of the event (i.e., the input or output value of an op-ex, see Section 3.3).
The set does not contain the value, which denotes the absence of an event.
: corresponds to the total order of the events in , represented as a set of event pairs .
For the sake of simplicity, we denote this total order with over all elements of as follows:
The order defines the temporal ordering of events, i.e., means event happens before event .
3.3 Notation
As described, an op-ex is a pair where and . An op-ex can have the following configurations:
-
, where , , and : in this case, is said to be a complete op-ex (an operation invocation that has a matching response),
-
, where : in this case, is said to be a pending op-ex (this notation is useful to denote operation calls by faulty processes or operation calls that do not halt),
-
, where : in this case, is said to be a notification op-ex (i.e., its operation is not a callable operation, but an operation spontaneously invoked by the object to transmit information to its client).
The “” relation indicates that some op-ex follows a given form or the same form as another op-ex: an op-ex could be of the form “ op-ex on register by process which returned output value ”, which we denote “”. If the object, process ID, parameter, or return value are not relevant, we omit these elements in the notation: the form “ op-ex on list , process , index as input value and returned output value ” could simply be written “”. If only some (but not all) parameters can have an arbitrary value, we can use the “” notation: the form “ op-ex on key-value store for key and for any value ” could be written “”. As notifications have no input, the parameter parentheses are omitted for notifications: the form “ notification op-ex of message by receiver process from sender process ” is denoted “”. Lastly, we denote by “” any op-ex operation: the form “any op-ex on register ( or )” could thus be written “”. Pending op-exes and complete op-exes with no return value can be respectively denoted with a and symbol as their output value. For instance, the forms “All pending op-exes” and “All complete op-exes with no return value” can be written “” and “”, respectively. By abuse of notation, to refer to any op-ex of a set that follows a given form , we can write , for example .
3.4 Histories
The six sets of the framework are used to describe an execution of a distributed system. We are interested in describing all possible executions of the system for a given set of and . Hence, each such system execution is described with , , , and . We call this a history. Note that a history captures a system execution via the events and op-exes observed in the objects’ interfaces.
Hence, a history of a distributed system is a tuple , where is the set of events, is a strict total order of events in , is the set of op-exes, and is the set of processes. There are some natural constraints on a history that cannot be expressed directly on the diagram of Figure 2.
-
Event validity: Every event must be part of exactly one op-ex.
-
Operation validity: If an operation is a notification, then all its op-exes must be notification op-exes, otherwise, they must all be complete or pending op-exes.
In the sequel, we will often consider subhistories of a history . For instance, it is useful to consider the subhistory obtained by projecting a history to one particular object. Hence, given history and object , we denote by the subhistory containing only the events of applied to and the op-exes of applied to , and the corresponding subset of . The concepts of legality, consistency, and correctness defined in the next sections can hence be applied to histories and subhistories.
3.5 Process Faults
Our framework considers two very general types of process failures: omission faults and Byzantine faults. In the framework’s model presented in Figure 2, for any , omission faults concern only if , and Byzantine faults concern only if . Processes of type are subject to none of these faults.
Omissions correspond to missing events, like op-ex invocations that do not have a matching response, for whatever reason, producing pending op-exes. We assume that such omitting processes, although they may suffer omissions at any time, follow their assigned algorithm. A crash fault is a special case of omission fault on a process , where there exists a point in the sequence of events of the history (the crash point) such that, has no event after in the sequence. Observe that omission faults also account for benign dynamic process failures like crash-recovery models.
On the other hand, Byzantine processes may arbitrarily deviate from their assigned algorithm (for instance, because of implementation errors or attacks). Strictly speaking, given that their behavior can be arbitrary, we cannot say that Byzantine processes execute actual op-exes on the same operations and objects as non-Byzantine processes. For instance, Byzantine processes may simulate op-exes that can appear legitimate to other processes. We further discuss Byzantine faults in Section 6.
Observe that by adding more constraints to the model, new failure subtypes can be derived from these two basic failure types.
4 Object Specification and History Legality
4.1 Object Specification
In our formalism, we specify an object using a set of conditions that are defined for the operations and applied to the op-exes of the object. There are two types of such conditions (that we express as predicates): preconditions (invocation validity) and postconditions (safety and liveness). Every operation of every object has a precondition and two and postconditions (if not given, they are assumed to be satisfied). We will use the register object as an example to understand better the notations defined below. A register is associated with two operations, and , where the former returns the value of and the latter sets the value of to , respectively.
Op-ex context.
The context of an op-ex is the set of all op-exes preceding in the same object with respect to a binary relation defined over .
Definition 1 (Context of an op-ex).
The context of an op-ex with respect to a binary relation over is defined as where and .
For instance, the context of a op-ex is made of all the previous op-exes of register with respect to a given relation. Note that pending op-exes can be part of the context of other op-exes, and thus influence their behavior (and especially their return value in the case of complete op-exes or notifications).
Preconditions.
The preconditions of an object are the use requirements of this object by its client that are needed to ensure that the object works properly. Typically, a precondition for the operation on an object can require that the input (parameters) of this operation is valid, or that some op-ex required for this operation to work indeed happened before. For instance, we cannot have a op-ex in register if there was no preceding op-ex in . Another example of precondition for the operation that returns the result of the division of number by number , is that must not be zero. These preconditions are given for each operation of an object by the invocation validity predicate .
Definition 2 (Invocation validity predicate ).
Given an operation , its invocation validity predicate indicates whether an op-ex of (i.e., ) respects the usage contract of the object given its context .
Postconditions.
The postconditions of an object are the guarantees provided by this object to its client. The postconditions are divided into two categories: safety and liveness. Broadly speaking, safety ensures that nothing bad happens, while liveness ensures that something good will eventually happen. For a given op-ex , safety is interested in the prefix of op-exes of (i.e., its context), while liveness is potentially interested in the whole history of op-exes. For example, for a register object , the safety condition is that the value returned by a is (one of) the latest written values, while the liveness condition is that the and op-exes always terminate. These postconditions are given for each operation of an object by the safety predicate and the liveness predicate .
Definition 3 (Safety predicate ).
Given an operation , its safety predicate indicates whether is a valid return value for op-ex of (i.e., ) in relation to its context .
We can see in the above definition that the predicate is not defined if , that is, if is a pending op-ex.
Definition 4 (Liveness predicate ).
Given an operation , its liveness predicate indicates whether an op-ex of (i.e., ) respects the liveness specification of .
Example.
As a complete example, the following is the specification of a single-writer single-reader (SWSR) shared register using the above conditions. Let and be the writer and reader processes, respectively. Recall that is the context of op-ex . Let us define predicate , which forces an op-ex to have a response if executed by a correct process.
Operation .
If , then we have the following conditions.
The predicate states that only the reader process can read and the register must have been previously written. The predicate states that a read must return one of the latest written values. The predicate prevents a op-ex of a correct process to be pending.
Operation .
If , then we have the following condition.
Observe that the predicate is not provided and is hence assumed to be always satisfied.
4.2 History Legality
We now define the notion of history legality.
Definition 5 (History validity, safety, and liveness).
Given a history and a relation on , the following predicates define the validity, safety, and liveness of .
Notice that, for an op-ex , if is a notification, we do not need to verify its invocation validity, and if is a pending op-ex, we do not need to verify its safety.
Definition 6 (Legality condition).
Given a history and a relation on , the legality condition is defined as
is defined as a set of clauses (or constraints) on a history and an op-ex relation . Informally, a history is legal if and only if all clauses of evaluate to .
5 Consistency Conditions
In the previous section we have presented how object legality can be specified using operation conditions, abstracting the consistency model with a binary order relation . In this section we describe how to define order relations to extend legality with different consistency conditions. We first define reusable predicates describing certain constraints on the op-ex order (Section 5.1) and then we define common consistency conditions (Section 5.2) to showcase the power of the formalism. In addition, we provide the definitions of set-linearizability [29] and interval-linearizability [10], which are new interesting consistency conditions; objects with these consistencies do not have sequential specifications [11] (Section 5.3).
5.1 Op-ex Order Relations
We first define partial and total orders within our framework.
Definition 7 (Generic strict orders).
Given an arbitrary set and an arbitrary binary relation over the elements of , the following predicates define strict partial order and strict total order.
We call these orders “strict” because they are irreflexive. Observe that the asymmetry property is redundant for strict orders because it directly follows from irreflexivity and transitivity. As we can also see, total order adds the connectedness property to partial order.
Definition 8 (Basic orders).
Given a history and a relation on the set of op-exes , the following predicates define history order, process order and FIFO order:
Note that the above predicates do not define “classic” order relations (strict or not) per se, as they do not guarantee all the required properties. These predicates define how a “visibility” relation between op-exes of history should look in different contexts, in the sense that the behavior of an op-ex is determined by the set of op-exes it “sees”.
-
In , we check if respects the event order : if two op-exes are not concurrent with respect to the order, then the oldest one must precede the newest one. Note that we distinguish whether the second op-ex is a notification or not.
-
In , we check if totally orders the op-exes of each process while also respecting the event order of .
-
In , we check that, if an op-ex of any given process sees some other op-ex of another process, then it also sees all the previous op-exes of the latter process. Furthermore, we also check that the set of op-exes seen by the op-exes of a given process is monotonically increasing, i.e., that a given op-ex sees all the op-exes that its predecessors (of the same process) saw. More details about can be found in Appendix B.
5.2 Classic Consistency Conditions
This section defines common consistency conditions from the literature. They are represented as sets of clauses, extending those in and constraining the op-ex order.
Definition 9 (Classic consistency conditions).
Note that the above condition strays away from the traditional definition of serializability, as it considers that a transaction (originally defined as an atomic sequence of op-exes [5]) is the same as a single op-ex. Likewise, as discussed in detail in Appendix B, our definition of differs from the traditional definition of PRAM consistency.
We illustrate in Figure 3 the relations between all the consistency conditions defined in this section. In this figure, if we have for two consistency conditions and , then it means that is stronger than , and thus, that imposes more constraints on the order of op-exes. The conditions inside the red rectangle are conditions that impose a total order of op-exes. Combining these consistency conditions with other object specifications allows us to obtain multiple consistent object specifications (see Section C.2).
5.3 Set- and Interval-Linearizability Definitions
This section adds set-linearizability [29] and interval-linearizability [10] to the repertoire of consistency conditions supported by the framework. These are interesting because they define objects with no sequential specification [11]. We first define interval and set orders.
Definition 10 (Set and interval orders).
Given a history and a relation on , the following predicates define interval and set orders:
In , an op-ex is represented as a time interval, and we check that it can see only all op-exes with which it overlaps, and all previous op-exes. The first clause guarantees irreflexivity (an op-ex cannot see itself), the second connectedness (all op-exes are in relation with each other), and the last one ensures that no forbidden pattern is present.
In , we check that an op-ex can see only all other op-exes of its equivalence class (except itself), and all previous op-exes. In addition to , guarantees a weakened version of transitivity, allowing two-way cycles between two or more op-exes, thus creating equivalence classes. Let us remark that the weakened transitivity property of implies the last clause of .
Leveraging the above order relations, we can define set- and interval-linearizability.
Definition 11 (Set- and interval-linearizability).
To illustrate the set- and interval-linearizability consistency conditions, we provide some examples of executions of lattice agreement in Figures 5 and 5, taken from [11]. Lattice agreement is an object that provides a single operation , where is a value and is a set of proposed values. Its only safety property is that must contain all previously or concomitantly proposed values along with the value being proposed, and its only liveness property is that the operation must eventually terminate for correct processes.
In the set-linearizability example of Figure 5, op-exes form two equivalence classes and . The last clause of enables the creation of said equivalence classes. Indeed, we have and . Besides, we also have and . This shows that the forbidden pattern in set-linearizability is, for any op-exes such that , there is and . Hence, the weakened transitivity clause of precludes this pattern. Note that the condition in this clause prevents the contradiction of this clause with the irreflexivity property.
In the interval-linearizability example of Figure 5, equivalence classes can be more complex. More precisely, two equivalence classes can intersect, but it does not necessarily imply that both equivalence classes can “see” each other. Here, op-exes form two different equivalence classes and . This shows that the forbidden pattern in interval-linearizability is: for any op-exes that are connected but not concurrent, i.e., , we also have . The clause precluding this pattern is thereby . However, because of the connectedness property, the part of the implication is redundant, and the formula can be simplified to . Finally, by applying the contrapositive, we obtain the formulation of the clause that appears in : .
6 History Correctness
Thus far, we have defined Legality (Section 4) and extended it to the Consistency (Section 5) of a history with respect to an op-ex order , as a set of clauses . We now define the correctness of a history with respect to a set of clauses when no process is Byzantine.
Definition 12 (Correctness predicate).
Given a history and a set of clauses , the following predicate describes the correctness of with respect to :
Intuitively, a history is correct with respect to a set of clauses if it is possible to find a relation on the op-exes of , such that all clauses in are satisfied. As an example, is the predicate that decides whether history is correct under ProcessConsistency, which according to its definition in Section 5, requires that the clauses composing Legality (see Section 4) and OpProcessOrder (see Section 5) are satisfied by . Note by the above definition of correctness, it is apparent that the more clauses are present, the fewer histories, and thus executions, will satisfy all the clauses. This demonstrates that when stronger, more restrictive, semantics are considered, the more refined is the set of executions that can provide them.
In a similar fashion, we can derive a more general definition where processes may exhibit Byzantine behavior. To model the set of all possible Byzantine behaviors, we introduce the function, which, given a history , returns the set of all modified histories , where the op-exes by non-Byzantine (i.e., or ) processes are the same in and , but Byzantine processes are given any arbitrary set of pending op-exes.
Definition 13 (Byzantine histories function).
Given history , the function returns the set of all possible histories s.t.
Informally, given a base history and a modified history , the set is constructed by keeping all op-exes of by non-Byzantine processes and creating arbitrary pending op-exes for Byzantine processes, the set is the set of all events appearing in , and the order is an arbitrary total order on extending . Notice that we only populate the op-exes of Byzantine processes using pending op-exes, and not complete op-exes or notifications, as we do not guarantee anything for Byzantine processes. Hence, we define correctness with Byzantine processes as follows.
Definition 14 (Byzantine Correctness predicate).
Given a history and a set of clauses , the following predicate describes the Byzantine correctness of :
Intuitively, a history with Byzantine processes is correct with respect to a set of clauses if it is possible to construct a modified history (where Byzantine processes perform arbitrary op-exes) and an arbitrary relation on the op-exes of , such that all clauses in are satisfied. To create the set of all possible modified histories, we use the function. In other words, history is correct if and only if we can “fix” it by changing only the op-exes of the Byzantine processes to make it correct with respect to . In the absence of Byzantine processes, Definition 14 collapses to Definition 12.
7 Asynchronous Resilient Consensus Impossibility
This section further exemplifies the framework’s utility by showing how it can be used to construct axiomatic proofs. Particularly, we demonstrate the FLP impossibility of having consensus in an asynchronous system with process failures [14]. Due to page limitation, we provide a high-level overview of the proof in this section, but the full developments can be found in Appendix A.
The Consensus object.
Without loss of generality, we consider a simplified version of the consensus object , which only has one notification operation, , returning a value (we have binary consensus if ) to process . Proving the impossibility of this weaker version makes our proof more general. We give in the following the semantics of the notification operation. If , then we have the following predicates.
The predicate states that the values decided are in the appropriate set and that, in the context of each op-ex, all decided values are the same. Observe that we allow the same process to decide several times as long as the decided values are the same. The predicate states that some process must decide.
Set of states of the system ().
In the proof, we consider a system with a consensus object and a communication medium object . We use the (potentially infinite) set to capture all the histories of the system executions. From each execution, a history is obtained that contains only the events of objects and in the order they occurred. From these histories, we will construct a (potentially infinite) set of possible states of the system. Each state is a (potentially infinite) set of events. Intuitively, a state is the collection of local states of all system processes , represented by the totally-ordered local events that has experienced. We also assign an index to each event in a history . The index assigned to event is an attribute that is the position of in the sequence of events of its process . This sequence is obtained by ordering with the set .
A special subset of is the set of complete states, defined as Consider now any history . We say that state is a state extracted from .
The property.
This property ensures that, from every nonempty state , a previous substate can be obtained by removing one event using the following recursive procedure exhaustively. If is a state extracted from , let be the event in with the largest index of those from process , then is also a state in extracted from . This procedure ends when the empty state is reached (which is also in ). Hence, contains a state iff there is a history such that the events in from every process are a prefix of the sequence of all events from in ordered by .
The axiom.
An asynchronous system’s set of states must satisfy the axiom, which requires that, if two states differ only in their last respective events, which are from different processes, their union is also a state. Observe that this must hold even if the two states are extracted from different histories. We point out that our impossibility proof is agnostic of the communication medium object , as long as the medium satisfies asynchrony as defined above. For completeness we show in Appendix F that atomic registers and message-passing objects satisfy this axiom.
The function.
Our impossibility proof relies on the notion of valence, which was first introduced in [14]. We represent it as a function , taking a state as a parameter, and returning the set of all possible decision values that can be reached from this state (by extending with more events, or because already contains some events). The valence of a complete state is the set of all values that were decided in the histories from which it was extracted. Moreover, the valence of an incomplete state is the union of the valences of all the states obtained by adding one event to it. We call this last property . We say that a state is univalent iff we have , and we say that it is multivalent iff we have .
The lemma.
This lemma uses the predicate of the object to show that there is no state with an empty valence, (proof in Appendix A).
The lemma.
This lemma shows that all complete states have a finite univalent sub-state (proof in Appendix A).
The axiom.
This axiom states that, for any process, any multivalent state can be extended by an event that is not from this process. This ensures that even if one process stops taking steps (i.e., crashes), the system can still progress and reach a decision.
The axiom.
This axiom states that there exist 2 states with different valences, implying that there are histories deciding different values.
The impossibility theorem.
The proof of the impossibility of asynchronous resilient consensus consists in showing that a contradiction lies in the system of axioms that we have created. Firstly, we show that , , and imply the existence of a multivalent state. From this multivalent state and using , we can find a critical state, i.e., a multivalent state for which all extensions are univalent. By from the critical state, we can find two univalent 1-event extensions with different valences. Let us consider the two distinct events, and , that extend the critical state into these two superstates with different valences. If , then applies, and we can create an extension of the critical state containing both and , however, by and , this state would be multivalent, which contradicts the definition of a critical state. Otherwise, if , then by , we can create another 1-event extension of the critical state, whose valence is different from at least one of the two previous extensions (that of or that of ). This makes us fall back to the case , again yielding a contradiction. Therefore, in all cases, the system of axioms leads to a contradiction. (The details of the proof can be found in Appendix A).
8 Conclusion
In this paper, we have introduced a modular framework for specifying distributed objects. Our approach departs from sequential specifications, and it deploys simple logic for specifying the interface between the system’s components as concurrent objects. It also separates the object’s semantics from other aspects such as consistency and failures, while providing a structured precondition/postcondition style for specifying objects. We demonstrate the usability of our framework by specifying communication media, services, and even problems, as objects. With our formalism, we also provide a proof of the impossibility of consensus that is agnostic of the medium used for inter-process communication. The simple specification examples we presented in this paper were for illustration and understanding the formalism. Of course, we acknowledge that some combinations of system model, object, and consistency may not be specified with the current version of the framework. We are confident that our framework’s expressiveness (via the specification and combination of concurrent objects) enables the specification of more complex distributed systems, including ones with dynamic node participation. As our formalism gets used and flourishes with object definitions, its usefulness will be apparent both to distributed computing researchers and practitioners seeking for a modular specification of complex distributed objects. In addition, we plan to explore how to feed our specification into proof assistants such as Coq [22] and Agda [6].
References
- [1] Ali E. Abdallah, Cliff B. Jones, and Jeff W. Sanders, editors. Communicating Sequential Processes: The First 25 Years, Symposium on the Occasion of 25 Years of CSP, volume 3525 of Lecture Notes in Computer Science. Springer, 2005.
- [2] Mustaque Ahamad, Gil Neiger, James E. Burns, Prince Kohli, and Phillip W. Hutto. Causal memory: Definitions, implementation, and programming. Distributed Comput., 9(1):37–49, 1995. doi:10.1007/BF01784241.
- [3] Timothé Albouy, Davide Frey, Michel Raynal, and François Taïani. Asynchronous Byzantine reliable broadcast with a message adversary. Theor. Comput. Sci., 978:114110, 2023. doi:10.1016/J.TCS.2023.114110.
- [4] Hagit Attiya and Jennifer L. Welch. Distributed computing – Fundamentals, simulations, and advanced topics (2. ed.). Wiley series on parallel and distributed computing. Wiley, 2004.
- [5] Philip A. Bernstein, Vassos Hadzilacos, and Nathan Goodman. Concurrency Control and Recovery in Database Systems. Addison-Wesley, 1987.
- [6] Ana Bove, Peter Dybjer, and Ulf Norell. A Brief Overview of Agda – A Functional Language with Dependent Types. In Theorem Proving in Higher Order Logics, pages 73–78, Berlin, Heidelberg, 2009. Springer. doi:10.1007/978-3-642-03359-9_6.
- [7] Gabriel Bracha. Asynchronous Byzantine agreement protocols. Inf. Comput., 75(2):130–143, 1987. doi:10.1016/0890-5401(87)90054-X.
- [8] Sebastian Burckhardt. Principles of eventual consistency. Found. Trends Program. Lang., 1(1-2):1–150, 2014. doi:10.1561/2500000011.
- [9] Sebastian Burckhardt, Alexey Gotsman, Hongseok Yang, and Marek Zawirski. Replicated data types: specification, verification, optimality. In Proc. 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’14), pages 271–284. ACM, 2014. doi:10.1145/2535838.2535848.
- [10] Armando Castañeda, Sergio Rajsbaum, and Michel Raynal. Unifying concurrent objects and distributed tasks: Interval-linearizability. J. ACM, 65(6):45:1–45:42, 2018. doi:10.1145/3266457.
- [11] Armando Castañeda, Sergio Rajsbaum, and Michel Raynal. A linearizability-based hierarchy for concurrent specifications. Commun. ACM, 66(1):86–97, 2023. doi:10.1145/3546826.
- [12] Shir Cohen and Idit Keidar. Tame the wild with Byzantine linearizability: Reliable broadcast, snapshots, and asset transfer. In Proc. 35th Int’l Symposium on Distributed Computing (DISC’21), volume 209 of LIPIcs, pages 18:1–18:18. Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2021. doi:10.4230/LIPICS.DISC.2021.18.
- [13] E. Allen Emerson and Joseph Y. Halpern. “Sometimes” and “not never” revisited: On branching versus linear time. In Proc. 10th ACM Symposium on Principles of Programming Languages (POPL’83), pages 127–140. ACM Press, 1983. doi:10.1145/567067.567081.
- [14] Michael J. Fischer, Nancy A. Lynch, and Mike Paterson. Impossibility of distributed consensus with one faulty process. J. ACM, 32(2):374–382, 1985. doi:10.1145/3149.214121.
- [15] Eli Gafni and Giuliano Losa. Invited paper: Time is not a healer, but it sure makes hindsight 20:20. In Proc. 25th Int’l Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS’23), volume 14310 of Lecture Notes in Computer Science, pages 62–74. Springer, 2023. doi:10.1007/978-3-031-44274-2_6.
- [16] Vassos Hadzilacos and Sam Toueg. A modular approach to fault-tolerant broadcasts and related problems. Technical report, Cornell University, 1994.
- [17] Maurice Herlihy. Wait-free synchronization. ACM Trans. Program. Lang. Syst., 13(1):124–149, 1991. doi:10.1145/114005.102808.
- [18] Maurice Herlihy, Sergio Rajsbaum, and Mark R. Tuttle. Unifying synchronous and asynchronous message-passing models. In Proc 17th ACM Symposium on Principles of Distributed Computing (PODC’98), pages 133–142. ACM, 1998. doi:10.1145/277697.277722.
- [19] Maurice Herlihy and Nir Shavit. The topological structure of asynchronous computability. J. ACM, 46(6):858–923, 1999. doi:10.1145/331524.331529.
- [20] Maurice Herlihy and Jeannette M. Wing. Linearizability: A correctness condition for concurrent objects. ACM Trans. Program. Lang. Syst., 12(3):463–492, 1990. doi:10.1145/78969.78972.
- [21] Gunnar Hoest and Nir Shavit. Towards a topological characterization of asynchronous complexity (preliminary version). In Proc. 16th ACM Symposium on Principles of Distributed Computing (PODC’97), pages 199–208. ACM, 1997. doi:10.1145/259380.259440.
- [22] Gérard Huet, Gilles Kahn, and Christine Paulin-Mohring. The Coq proof assistant a tutorial. Rapport Technique, 178, 1997. URL: http://www.itpro.titech.ac.jp/coq.8.2/Tutorial.pdf.
- [23] Leslie Lamport. Time, clocks, and the ordering of events in a distributed system. Commun. ACM, 21(7):558–565, 1978. doi:10.1145/359545.359563.
- [24] Leslie Lamport. How to make a multiprocessor computer that correctly executes multiprocess programs. IEEE Trans. Computers, 28(9):690–691, 1979. doi:10.1109/TC.1979.1675439.
- [25] Leslie Lamport. The temporal logic of actions. ACM Trans. Program. Lang. Syst., 16(3):872–923, 1994. doi:10.1145/177492.177726.
- [26] Richard J. Lipton and Jonathan S. Sandberg. PRAM: A scalable shared memory. Technical Report TR-180-88, Princeton University, 1988.
- [27] Nancy A. Lynch. Distributed Algorithms. Morgan Kaufmann, 1996.
- [28] Nancy A. Lynch and Mark R. Tuttle. Hierarchical correctness proofs for distributed algorithms. In Proc. 16th ACM Symposium on Principles of Distributed Computing (PODC’87), pages 137–151. ACM, 1987. doi:10.1145/41840.41852.
- [29] Gil Neiger. Set-linearizability. In Proc. 13th ACM Symposium on Principles of Distributed Computing (PODC’94), page 396. ACM, 1994. doi:10.1145/197917.198176.
- [30] Matthieu Perrin. Spécification des objets partagés dans les systèmes répartis sans-attente. (Specification of shared objects in wait-free distributed systems). PhD thesis, University of Nantes, France, 2016. URL: https://tel.archives-ouvertes.fr/tel-01390700.
- [31] Matthieu Perrin, Achour Mostéfaoui, and Claude Jard. Causal consistency: beyond memory. In Proc. 21st ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming (PPoPP’16), pages 26:1–26:12. ACM, 2016. doi:10.1145/2851141.2851170.
- [32] Amir Pnueli. The temporal logic of programs. In Proc. 18th Symposium on Foundations of Computer Science (FOCS’77), pages 46–57. IEEE Computer Society, 1977. doi:10.1109/SFCS.1977.32.
- [33] Michel Raynal. Fault-Tolerant Message-Passing Distributed Systems – An Algorithmic Approach. Springer, 2018. doi:10.1007/978-3-319-94141-7.
- [34] Nicola Santoro and Peter Widmayer. Time is not a healer. In Proc. 6th Symposium on Theoretical Aspects of Computer Science (STACS’89), volume 349 of Lecture Notes in Computer Science, pages 304–313. Springer, 1989. doi:10.1007/BFB0028994.
- [35] Nir Shavit. Data structures in the multicore age. Commun. ACM, 54(3):76–84, 2011. doi:10.1145/1897852.1897873.
- [36] Robert C. Steinke and Gary J. Nutt. A unified theory of shared memory consistency. J. ACM, 51(5):800–849, 2004. doi:10.1145/1017460.1017464.
- [37] Gadi Taubenfeld. On the nonexistence of resilient consensus protocols. Inf. Process. Lett., 37(5):285–289, 1991. doi:10.1016/0020-0190(91)90221-3.
- [38] Paolo Viotti and Marko Vukolic. Consistency in non-transactional distributed storage systems. ACM Comput. Surv., 49(1):19:1–19:34, 2016. doi:10.1145/2926965.
- [39] Roman Vitenberg and Roy Friedman. On the locality of consistency conditions. In Proc. 17th Int’l Conference on Distributed Computing (DISC’03), volume 2848 of Lecture Notes in Computer Science, pages 92–105. Springer, 2003. doi:10.1007/978-3-540-39989-6_7.
- [40] Hagen Völzer. A constructive proof for FLP. Inf. Process. Lett., 92(2):83–87, 2004. doi:10.1016/J.IPL.2004.06.008.
Appendix A Impossibility of Resilient Consensus in Asynchronous Systems
In this section, we use our framework to define a Consensus object and to provide an axiomatic proof of the FLP impossibility of having reliable deterministic consensus in an asynchronous system with process failures [14]. (This proof is inspired by [37].) After the proof a discussion on its relevance is included.
A.1 Consensus Object
We start by providing the specification of a Consensus object using the conditions defined in Section 4. Our Consensus object has only one notification operation, , which returns a value (we have binary consensus if ) to process . Observe that we consider a simple version of a Consensus object without the common operation. Proving the impossibility of this version makes our proof more general111We could add a operation to the Consensus object that returns nothing. The validity predicate of the notification has to be adapted accordingly, but this does not affect the proof..
Let be the set of histories of a distributed system that contains a Consensus object . For every history , let be the subhistory containing only the events of applied to . Consider history with set of op-exes , a relation on , an op-ex , and its context .
Operation .
If , then we have the following predicates.
The predicate states that the values decided are in the appropriate set and that, in the context of each op-ex, all decided values are the same. Observe that we allow the same process to decide several times as long as the decided values are the same. The predicate states that some process must decide in every history.
The Consensus object must guarantee that exactly one value can be decided in each history. We achieve this by combining the Consensus object specification with the consistency.
Assumption 15.
For every history , we must have .
Observe that is only imposed on , that is, we only impose a total order on the op-exes. From the fact that is a total order of the op-exes on object (imposed by ), and the last clause of , all op-exes in return the same value .
Observation 16.
.
Observe that it is possible to have trivial implementations of a Consensus object in which all histories decide the same hardcoded value . Unfortunately, this object is not very useful. We will impose below a non-triviality condition that guarantees that there are histories in which the Consensus object decides different values. Additionally, the set of must reflect the fact that the system is asynchronous and has processes of which up to one can crash.
A.2 Asynchronous Distributed System
We consider an asynchronous distributed system with processes in which up to one process can crash. This means that in any history of the system and at most one process has . For convenience we assume that in all histories.
The set of objects contains a crash-resilient Consensus object . In order to be able to solve consensus, it also contains some object that allows processes to communicate. Observe that the events of this communication medium are in the system histories.
The (potentially infinite) set represents the system executions. From these histories, we will construct a (potentially infinite) set of possible states of the system. Each state is a (potentially infinite) set of events. Intuitively, a state is the collection of local states of all system processes , represented by the totally-ordered local events that has experienced.
To define the set , we first assign an index to each event in a history . The index assigned to event is an attribute that is the position of in the sequence of events of its process . This sequence is obtained by ordering with the set . Observe that the sets of events of different histories may have common events. After adding the indices, common events with the same index are the same, but with different indices are different. For instance, the indices distinguish events in two histories in which the same process receives the same messages from the same senders but in different orders.
A special subset of is the set of complete states, defined as Consider now any history . We say that state is a state extracted from . Then, we apply iteratively and exhaustively the following procedure to add more states to : if is a state extracted from , let be the event in with the largest index of those from process , then is also a state in extracted from . This procedure ends when the empty state is reached (which is also in ). Hence, contains a state iff there is a history such that the events in from every process are a prefix of the sequence of all events from in ordered by .
Observe that this construction of the set guarantees the following property:
Moreover, the set of states of the asynchronous system must satisfy the following axiom.
Definition 17 (Asynchronous distributed system axiom).
The following predicate holds for the set of states in an asynchronous distributed system.
requires that if two states differ only in their last respective events, which are from different processes, their union is also a state. Observe that this must hold even if the two states are extracted from different histories. We point out that our impossibility proof is agnostic of the communication medium object , as long as the medium satisfies asynchrony as defined above.
A.3 Valence
Our impossibility proof relies on the notion of valence, which was first introduced in [14].
Definition 18 (Valence function ).
Given a state , the valence of is a set of values given by as follows.
-
If state and is extracted from history , then .
-
: .
Intuitively, the valence of a complete state is the set of all values that were decided in the histories from which it was extracted, and, by , the valence of an incomplete state is the union of the valences of all its one-event extensions. We say that a state is univalent iff we have , and we say that it is multivalent iff we have . Observe that it is not possible that , due to the predicate of the Consensus object.
Lemma 19.
.
Proof.
From the predicate (liveness) of the Consensus object specification, the valence of a complete state extracted from some history contains at least one value. Let us consider now a state and assume by induction that all its one-event extension states have . By construction of the set of states , there is at least one such one-event extension state . By , if holds that . Then, .
Moreover, it holds that all complete states have a finite univalent sub-state.
Lemma 20.
.
Proof.
Assume is extracted from history . First note that from 16. Let and . Then, in there is a event from process that returns . Then, is finite and has .
A.4 Resilient Non-trivial Consensus
Let us now define the properties we require for a non-trivial Consensus object that is resilient to any stopping process.
Definition 21 (Resilient Non-trivial Consensus axioms).
Given a system , the following predicates describe resilient non-trivial consensus.
states that there exist 2 states with different valences, implying that there are histories deciding different values. states that, for any process, any multivalent state can be extended by an event that is not from this process. This guarantees that even if one process stops taking steps (i.e., crashes), the system can still progress and eventually reach a decision.
A.5 Impossibility Theorem
Theorem 22.
There cannot be a resilient non-trivial Consensus object in an asynchronous system.
Proof.
By way of contradiction, let us assume that we have a resilient non-trivial Consensus object in an asynchronous distributed system, and let be the set of states obtained from the set of the system as described above. By construction, the properties , , , and hold for . By assumption of an asynchronous distributed system, the axiom of Definition 17 holds. We also assume that the axioms and of Definition 21 hold for , since is resilient and non-trivial.
We first show that at least one multivalent state exists, i.e., . From , we have two states and with different valences. From , and do not have empty valences, so they are either multivalent or univalent. If either or is multivalent, we are done, so let us assume that they are both univalent. By and , we can iteratively remove one event in these states, until we reach a state ( can be the empty set) that is contained in both and such that . Hence, is multivalent.
From the fact that there is some multivalent state , we can inductively show that there exists what we call a critical state , i.e., a multivalent state for which all extensions are univalent:
Observe that is incomplete (by ) and hence has one-event extensions. If all extensions are univalent, satisfies the property of a critical state and we set . Otherwise, has some one-event extension that is multivalent. Then, we make this new multivalent extension and repeat this procedure. Observe that this process must eventually end by finding a critical state, since otherwise, it means an infinite multivalent state exists, which contradicts .
Let us remark that, given that is a critical state, extending it by only one event results in a univalent state. By , there exists (at least) two univalent states , with different valences and obtained extending with one event: and such that and . Let us consider the two following cases.
-
Case 1: . Given that the processes of the two events are distinct, from , we have . Since , from it holds that , and since (), then we have . However, a similar argument yields that , which contradicts .
-
Case 2: . By , we can extend with one event not from to get a state , such that . From the criticality of , is univalent. Then, either or . Without loss of generality, assume that . Then, the contradiction follows from Case 1.
A.6 Discussion on Impossibility of Asynchronous Resilient Consensus
Consensus is a fundamental abstraction of distributed computing with a simple premise: all participants of a distributed system must propose a value, and all participants must eventually agree on one of the values that have been proposed [27]. But just as fundamental is the impossibility theorem associated with consensus in the presence of asynchrony and faults. This result of impossibility, colloquially known as the FLP theorem (for the initials of its authors), was first shown in 1983 [14]. Later on, different approaches for proving similar theorems were proposed (e.g., [15, 18, 21]). Notably, the impossibility of asynchronous resilient consensus can be proved using algebraic topology and, more specifically, the asynchronous computability theorem [19]. Constructive proofs follow another interesting approach [15, 40]: they explicitly describe how a non-terminating execution of consensus can be constructed.222 In their paper [15], Gafni and Losa show the equivalence of 4 different models in terms of computability power: asynchronous 1-resilient atomic shared memory, asynchronous 1-resilient message passing, synchronous fail-to-send message passing, and synchronous fail-to-receive message passing. They then present a constructive impossibility proof in the synchronous fail-to-send message-passing model, and the impossibility in the other models directly follows. However, unlike ours, their proof still makes assumption of the communication medium. Like [37], our proof follows an axiomatic approach: the notion of asynchronous resilient consensus is defined as a system of axioms, and then it is proved that this system is inconsistent, i.e., that there is a contradiction.
Compared to previous impossibility proofs of asynchronous resilient consensus, we believe our proof to be one of the most general, partly due to the more natural notations offered by our specification formalism. In particular, unlike [14], which assumes that processes communicate through a message-passing network, our proof is agnostic on the communication medium (as long as such communication medium is asynchronous), hence it holds both for systems using send/receive or RW shared memory. In addition, our proof is more general than many previous proofs, in the sense that it shows an impossibility for a very weak version of the problem.
For instance, our proof differs from [14, 19], which assumes that, at least in some specific cases, the value decided by the consensus instance is a value proposed by some process. In contrast, our proof does not make this assumption, as it does not need to relate the inputs (proposals) to the outputs (decisions) of the consensus execution.
Appendix B FIFO Consistency Addendum
Let us notice that the definition of the condition, as defined in Section 5.2, differs from the traditional definition of PRAM consistency we encounter in the literature, which is: “For each process , we can construct a total order of op-exes containing op-exes of , and the update op-exes of all processes.” Here, update op-exes refer to the op-exes that change the object’s internal state. For instance, for a register object with and operations, the updates would be the op-exes. However, this initial definition is not completely accurate, because when we are constructing the total order of op-exes for a process , if some update op-ex of another process returns a value, we do not want to verify the validity of this value. Furthermore, adding a “” quantifier at the start of the condition would make this condition structurally different from the other conditions of Definition 9, as it would create a potentially different relation for every process of the system, instead of having a single global relation like the other conditions of Definition 9.
Hence, our definition of relies on our new predicate , which enforces a specific pattern on the relation that characterizes the FIFO order of op-exes. As a reminder, here are the definitions of and given in Sections 5.1 and 5.2, respectively.
As said in Section 5.1, intuitively, checks that a given op-ex sees all its predecessors on the same process, plus all the predecessors of the op-exes it sees on other processes. Furthermore, the “knowledge” of the op-exes of a given process is monotonically increasing with time: all the op-exes seen by a given op-ex must also be seen by its successors on the same process. Figure 6 illustrates the predicate: we consider two processes, and (that can be the same process), that both have two op-exes (, , and ). If the first op-ex of sees the second op-ex of , and the second op-ex of sees the first op-ex of , then the first and second op-ex of must respectively see the first and second op-ex of .
In the end, we believe that, with this predicate, the resulting definition of that we obtain is simpler than the original definition of PRAM consistency, while still achieving the same goal.
Appendix C Examples: Reliable Broadcast Object
This section gives an example of object specification by formally defining the celebrated reliable broadcast problem [7]. Let us remark that our formalism allows us to create object specifications and consistency hierarchies that are completely independent of the failure model: they hold both for omission (e.g., crashes) and Byzantine faults. Let us also observe that our framework’s modularity enables us to define various consistent object specifications effortlessly by simply combining an object definition with a consistency condition. For example, by combining with reliable broadcast (as specified in this section), we obtain another abstraction, linearizable broadcast [12].
In the following, the specifications consist of a list of operations with their correctness predicates, , , and . For concision, if we do not explicitly specify the , or predicates for some operation, then it means that implicitly, these predicates always evaluate to . Furthermore, we use in the following logical formulas the symbol to denote an assignment of a value to a variable in the predicates. For convenience, we define below a shorthand for referring to the set of correct processes.
Definition 23 (Set of correct processes).
For a given history , we define the function that returns the set of correct processes of , i.e.,
Below, we define a reusable specification property for liveness checking that, if the process of an op-ex is correct, then this op-ex must terminate.
Definition 24 (Op-ex termination).
For an op-ex , the op-ex termination liveness property is defined as
C.1 Reliable Broadcast Specification
Reliable broadcast is a fundamental abstraction of distributed computing guaranteeing an all-or-nothing delivery of a message that a sender has broadcast to all processes of the system, and this despite the potential presence of faults (crashes or Byzantine) [7]. This section considers the multi-sender and multi-shot variant of reliable broadcast, where every process can broadcast multiple messages (different messages from the same process are differentiated by their message ID). A reliable broadcast object provides the following operations:
-
: broadcasts message with ID ,
-
(notification): delivers message with ID from process .
In the following, we consider a multi-shot reliable broadcast object , a set of op-exes , a relation on , an op-ex and its context .
Operation .
If , then we have the following.
The predicate states that a process cannot broadcast more than once with a given ID. The predicate states that a op-ex must terminate if a correct process made it, and must trigger matching op-ex on every correct process.
Operation .
If , then we have the following.
The predicate states that a delivery must return one of the first broadcasts that have not been delivered with respect to . In , denotes the set of candidate broadcast op-exes that have not been delivered, and denotes the set of “first” broadcast values (message and ID) of op-exes of that are not preceded (w.r.t. ) by other op-exes in . Notice that this does not necessarily mean that broadcasts must be delivered in FIFO order, as does not necessarily follow FIFO order (to have this property, would have to follow , see Section 5). This is the reverse of registers, where you can only read one of the last written values according to . The predicate states that, if a correct process delivers a message, then all correct processes deliver this message.
C.2 The Reliable Broadcast Consistency Hierarchy
The modularity of our formalism allows us to plug any consistency condition (e.g., the ones defined in Section 5.2), or set of consistency conditions, that we want on any given object specification (e.g., reliable broadcast) to yield a consistent object specification. This section demonstrates this fact by applying different consistency conditions on the previously defined reliable broadcast specification.
A reliable broadcast object can provide different ordering guarantees depending on which consistency conditions it is instantiated with. Figure 7 illustrates the reliable broadcast hierarchy, and how reliable broadcasts of different strengths can be obtained by using , , , or .
As we can see, to obtain simple reliable broadcast, we must use the condition to guarantee that the op-exes of a given process are totally ordered. This assumption is necessary for the invocation validity (the precondition) of the operation, defined by the predicate. Indeed, this predicate states that a process cannot broadcast twice with the same ID; however, if op-exes of a process are not totally ordered, then there can be two op-exes from the same process and with the same ID that would not be in the context of one another, and thus the would not be violated when it should be. This is why a per-process total order of op-exes (imposed by ) is often required for some object specifications (and in this case, for reliable broadcast).
Appendix D Examples: Shared Memory Object
Shared memory is a communication model where system processes communicate by reading and writing on an array of registers, identified by their address.
D.1 Shared Memory Object Specification
A shared memory provides the following operations:
-
: returns one of the latest values written in at address ,
-
: writes value in at address .
In the following, we consider a shared memory , a set of op-exes , a relation on , an op-ex and its context .
Operation .
If , then we have the following.
The predicate states that a process cannot read an address never written into. The predicate states that a read must return one of the last written values at that address with respect to . The predicate states that a op-ex must terminate if a correct process made it.
Operation .
If , then we have the following.
The predicate states that a op-ex must terminate if a correct process made it.
D.2 Possible Variants
In the above, we have defined a version of shared memory constituted of multi-writer multi-reader registers (abridged MWMR), where everyone can read and write all the registers. But if we want to restrict the access of some registers to some processes, we can use the precondition of the and operations. For example, if we want to design a single-writer multi-reader register (abridged SWMR), we can impose in the predicate that only the invocations of by a single process are considered valid. More generally, we can design asymmetric objects that provide different operations to different system processes using this technique.
D.3 The Shared Memory Hierarchy
As illustrated by Figure 8, by applying the , , or consistency conditions on the specification of shared memory (Appendix D), different kinds of memory consistencies can be obtained.
Appendix E Examples: Asynchronous Message-passing Object
Asynchronous message-passing is a communication model where system processes communicate by sending and receiving messages. This model is said to be asynchronous because messages can have arbitrary delays.
E.1 Asynchronous Message-passing Object Specification
A message-passing object provides the following operations:
-
: sends message to receiver ,
-
(notification): receives message from process .
In the following, we consider an asynchronous message-passing object , a set of op-exes , a relation on , an op-ex and its context .
Operation .
If , then we have the following.
The predicate states that a op-ex must terminate if a correct process made it, and that the receiver, if it is correct, must eventually receive the message. For simplicity, we assume that a given message is only sent once (so we do not have to guarantee that it is received as often as it has been sent.
Operation .
If , then we have the following.
The predicate states that if a process receives a message, then this message has been sent before.
E.2 Possible Variants
We considered in this specification the asynchronous message-passing model, in which messages have arbitrary delays. But let us mention that this model’s synchronous counterpart, where messages have a maximum delay known by all processes, can also be represented in our formalism as a concurrent object. The synchronous message-passing model can be represented as having rounds of communication, where all the messages sent in a round are received in the same round. Hence, we see that a synchronous message-passing object can be represented as providing two operations and , where is a notification delivering to the process at hand all the set of messages sent to during the round that ended. Again, let us notice that our formalism can specify the behavior of complex distributed systems without relying on higher-order logic such as temporal logic.
Furthermore, we assumed a message-passing specification over reliable channels; that is, there is no message corruption, deletion, duplication, etc., for instance, due to interference or disconnections. We classify this kind of network failure under the message adversary model [34]. However, we can easily imagine variants of this specification that consider a message adversary. In particular, for message deletions, the techniques introduced in [3] can help us to design a message-adversary-prone asynchronous message-passing object.
Finally, we considered an authenticated message-passing object because, when a message is received, the recipient knows the sender’s identity (there is no identity spoofing), but we can easily design an unauthenticated variant that does not provide this information.
Appendix F Asynchrony of SWSR Atomic Registers and Point-to-point Message Passing
In this section, we prove that SWSR atomic registers and message passing, as communication media, satisfy the axiom of Definition 17. We make the following natural assumption about op-ex invocations.
Assumption 25 (Process consistent behavior).
A process decides whether to invoke an op-ex based only on its local view. Formally,
F.1 Asynchrony of an SWSR Atomic Register
We prove that an SWSR atomic register satisfies asynchrony as defined in Definition 17.
Theorem 26.
A linearizable Single Writer Single Reader (SWSR) atomic register satisfies the asynchronous distributed system axiom of Definition 17.
Proof.
Let us consider a system that contains a SWSR register as specified in Section 4 with consistency. Let us consider the set of all the correct histories of this system projected to object . Let be the set of states extracted from . Observe that the states in only contain events from two processes: the writer and reader processes. Let us assume by way of contradiction that does not satisfy asynchrony in , then there is a and events and from writer and reader respectively such that
(1) |
This implies that can be extracted from a history from which can also be extracted, but no such history has event . Similarly, can be extracted from a history from which can also be extracted, but no such history has event . We have that is an event from a write op-ex, and hence or . On its hand, is an event from a read op-ex, and or . We have the following possibilities:
(1) First, consider a situation in which one of the events is an invocation event (i.e., or ). Let us assume, without loss of generality, that . We have that . Then, from the process consistent behavior assumption (25) applied to , , and , we have that belongs to , which contradicts the assumption. The case is similar.
(2) Next, consider the situation where both events are responses, i.e., and . Consider , which must contains the invocation of the write op-ex . Let us consider any history from which can be extracted in which is correct. Then by the of (and in particular the predicate of the operation), op-ex has to terminate in . That is, will have as its next event in . Then which is a contradiction.
F.2 Asynchrony of a Point-to-point Message-passing Object
We can also prove that a message-passing object as defined in Appendix E satisfies the axiom. We consider here a message passing object used by two processes, a sender and a receiver , to communicate.
Theorem 27.
A point-to-point message-passing object satisfies the asynchronous distributed system axiom of Definition 17.
The proof is similar to the proof of Theorem 26 replacing the writer with the sender and the reader with the receiver, and is omitted.