Abstract
Database replication is a technique employed to enhance both the performance and the availability of database systems. The Deferred Update Replication (DUR) technique offers strong consistency (i.e. serializability) and uses optimistic concurrency control with a lazy replication strategy relying on atomic broadcast communication. Due to its good performance, DUR has been used in the construction of several database replication protocols and is often chosen as the basic technique for extensions targeting modern environments. The correctness of the DUR technique, i.e. whether histories accepted by DUR are serializable, has been discussed by different authors in the literature. However, a more comprehensive discussion involving the completeness of DUR w.r.t. serializability was lacking. As a first contribution, this paper provides an operational semantics of the DUR technique which serves as a foundation to reason about DUR and its derivatives. Second, using this model the correctness of DUR w.r.t. serializability is shown. Finally, we discuss the completeness of DUR w.r.t. serializability and show that for any serializable history there is an equivalent history accepted by DUR. Moreover, we show that transactions aborted by DUR could not be accepted without changing the order of already committed transactions.
Partially supported by FAPERGS and CNPq.
Appendix
We present here the proof of Theorem 2.
Theorem 5
(Well-formed server states are reachable). A server state over a set of transactions \({\mathcal {T}}\) is reachable if and only if it is well-formed.
Proof
Only if part. We must show that the initial state \(D_0\) of Definition 8 is well-formed, and that if \(D\) is well-formed and there is a transition \(D \Rightarrow D'\), then \(D'\) is well-formed as well. Let us consider the six conditions for well-formedness of Definition 7.
1. By definition \({\textit{WS}}_0(0) = X\) holds in \(D_0\), and the only rule that modifies vector \({\textit{WS}}\), that is [commit], changes it at index \({\textit{CI}}+ 1 > 0\); therefore the first condition is satisfied by each reachable state.
2. \(D_0\) satisfies the second condition because \({\textit{CI}}_0 = \bot \). The only rule that modifies \({\textit{WS}}\) is [commit], which also changes \({\textit{SC}}\) and \({\textit{CI}}\) in a way that maintains the invariant described by the second condition.
3. The only rule that modifies the snapshot identifier \({\textit{ST}}(T)\) of a transaction is [read-\(\bot\)]: its second premise guarantees the third condition.
4. Finally, conditions 4, 5 and 6 are clearly satisfied by \(D_0\) because \({\textit{CI}}_0 = \bot \), and they express invariants that are easily checked to be maintained by rules [abort], [commit] and [commit-RO], respectively.
If part. Let \(D = {\langle {\textit{SC}}_D, {\textit{WS}}_D, {\textit{ST}}_D, {\textit{CI}}_D \rangle }\) be a well-formed server state over \({\mathcal {T}}\). We proceed by induction on the cardinality of \({\textit{Comm}}(D)\).
If \(|{\textit{Comm}}(D)| = 0\), no transaction of \({\mathcal {T}}\) committed, and therefore we must have \({\textit{SC}}_D = 0, {\textit{WS}}_D = [0 \mapsto X]\), and \({\textit{CI}}_D = \bot \), as no transaction could have aborted either, by condition 4 of Definition 7. Furthermore, \({\textit{ST}}_D(T) \in \{\bot , 0\}\) for all \(T \in {\mathcal {T}}\), i.e. some transactions may already have 0 as snapshot identifier. Let us show that \(D\) is reachable, i.e. \(D_0 {\Rightarrow }^{*} D\) where \(D_0\) is as in Definition 8. In fact, if \(\{T_i\}_{1\le i\le k} = \{T \mid {\textit{ST}}_D(T) = 0\}\), by condition 3 of Definition 7 we know that \(\mathbf{rs }(T_i)\) is not empty for \({1\le i\le k}\), and thus there exists a sequence of transitions \({D_0 \xrightarrow [{\textit{[read-}\bot \textit{]}}]{{\textit{rec}}(T_1)} D_0^1 \cdots D_0^{k-1} \xrightarrow [{\textit{[read-}\bot \textit{]}}]{{\textit{rec}}(T_k)} D_0^k = D}\), where for all \(i \in [1,k]\) it holds \({\textit{ST}}_{D_0^i}(T)= 0 \iff T \in \{T_1, \ldots , T_i\}\).
Suppose now that \(|{\textit{Comm}}(D)| = n+1\). We first show that, without loss of generality, we may assume that no transaction has aborted yet in \(D\). In fact, if \(\{T_i\}_{1\le i\le k} = \{ T \mid {\textit{CI}}_D(T) = \textit{aborted}\}\), then \(D\) is reachable from a state \(D'\) where those transactions are still active (i.e. \({\textit{CI}}_{D'}(T_i) = \bot \)), with a sequence of \(k\) [abort] transitions, one for each element of \(\{T_i\}_{1\le i\le k}\). The preconditions of such [abort] transitions are satisfied by condition 4 of Definition 7.
Now, assuming that \(D\) has no aborted transactions, let \(T\) be one of the transactions in \({\textit{Comm}}(D)\) with maximal commit index. We have two cases: either \(T\) is read-only or not.
If \(T\) is read-only, by conditions 6 and 2 of Definition 7 we have \({\textit{CI}}_D(T) = {\textit{ST}}_D(T) + 0.5 = {\textit{SC}}+ 0.5\). Consider the server state \(D' = {\langle {\textit{SC}},{\textit{WS}}, {\textit{ST}}', {\textit{CI}}' \rangle }\) where
State \(D'\) represents a snapshot of the system where all transactions but \(T\) are as in state \(D\), while \(T\) did not start yet (its snapshot identifier is \(\bot \)). It is easily shown that \(D'\) is well-formed, therefore by inductive hypothesis \(D'\) is reachable from \(D_0\).
It remains to show that \(D\) is reachable from \(D'\) by accepting all the requests generated by the execution of \(T\), i.e. \({D'\!\xrightarrow [{\textit{[read-}\bot \textit{]}}]{{\textit{rec}}(T)} D''\!\xrightarrow [{\textit{[read]}}]{{\textit{rec}}(T)} D'' \cdots D''\!\xrightarrow [{\textit{[commit-RO]}}]{{\textit{adel}}(T)} D}\); in fact the first transition sets \({\textit{ST}}(T)\) to \({\textit{SC}}\), and the last one sets \({\textit{CI}}(T)\) to \({\textit{SC}}+0.5\).
If \(T\) is not read-only, by condition 2 of Definition 7 we have that \({\textit{CI}}_D(T) = {\textit{SC}}_D\). Let us additionally assume that \({\textit{ST}}_D(T) = {\textit{CI}}_D(T) -1\). The idea, as in the case just seen, is to remove \(T\) from \(D\), obtaining a state \(D'\) with fewer committed transactions. But if there are transactions \(T'\) with \({\textit{ST}}_D(T') = {\textit{SC}}_D = {\textit{CI}}_D(T)\), the resulting state would not be well-formed because \({\textit{ST}}_D(T') > {\textit{SC}}_{D'} = {\textit{SC}}_D - 1\).
Therefore let us consider the state \(D'\) obtained from \(D\) by setting \({\textit{ST}}_{D'}(T_i) = \bot \) for all transactions in \(\{T_i\}_{1\le i \le k} = \{ T' \mid {\textit{ST}}_D(T') = {\textit{CI}}_D(T)\}\). We clearly have \(D' {\Rightarrow }^{*} D\) with a sequence of transitions \({D' \xrightarrow [{\textit{[read-}\bot \textit{]}}]{{\textit{rec}}(T_1)} D'_1 \cdots D'_{k-1} \xrightarrow [{\textit{[read-}\bot \textit{]}}]{{\textit{rec}}(T_k)} D'_k = D}\), which are possible by condition 3 of Definition 7.
Consider now the server state \(D'' = {\langle {\textit{SC}}'',{\textit{WS}}'', {\textit{ST}}'', {\textit{CI}}'' \rangle }\) where
State \(D''\) is the server state before transaction \(T\) has started, and it is easily shown to be well-formed. Therefore by induction hypothesis \(D''\) is reachable from \(D_0\). To show that \(D'' {\Rightarrow }^{*} D'\), we consider two cases, depending on the readset of \(T\).
1. \(\mathbf{rs }(T)=\emptyset \): In this case, the premise of [commit] is satisfied because \(T\) is not read-only, thus \(D'' \xrightarrow [{\textit{[commit]}}]{{\textit{adel}}(T)} \hat{D}\). The resulting state is
$$\hat{D}= {\langle {\textit{SC}}''+1, {\textit{WS}}''[{\textit{SC}}''+1\mapsto \mathbf{ws }(T)],{\textit{ST}}'',{\textit{CI}}''[T\mapsto {\textit{SC}}''+1] \rangle }$$
and using \({\textit{SC}}''={\textit{SC}}'-1\), \({\textit{CI}}'(T)={\textit{SC}}'\), \(\mathbf{rs }(T)=\emptyset \) we conclude that
$$\hat{D}= {\langle {\textit{SC}}', {\textit{WS}}''[{\textit{CI}}'(T)\mapsto \mathbf{ws }(T)],{\textit{ST}}',{\textit{CI}}''[T\mapsto {\textit{SC}}'] \rangle }$$
and thus \(D'=\hat{D}\) is reachable.
2. \(\mathbf{rs }(T)\ne \emptyset \): Here, analogously to the case of read-only transactions, we may start with an application of rule [read-\(\bot\)] followed by some applications of rule [read] until all variables in \(\mathbf{rs }(T)\) are read, leading to state \(\hat{D}\). Since state \(D\) was well-formed, it is easy to check that rule [commit] is enabled for \(T\) in \(\hat{D}\), and that its application yields state \(D'\).
It remains to consider the last case, where the transaction with highest commit index in \(D\), say \(T\), is not read-only and where \({\textit{ST}}_D(T) < {\textit{CI}}_D(T) -1\). We argue as follows. Let \(D'\) be exactly like \(D\), but with \({\textit{ST}}_{D'}(T) = {\textit{CI}}_D(T) -1\). By the argument just presented we know that \(D'\) is reachable from \(D_0\), i.e. there is a sequence of transitions \(D_0 {\Rightarrow }D_1 \cdots D_{n-1} {\Rightarrow }D_n = D'\). In this sequence, the transition \({\cdot \xrightarrow [{\textit{[read-}\bot \textit{]}}]{{\textit{rec}}(T)}\cdot }\), which sets the value of \({\textit{ST}}(T)\), must occur after the transition \(\cdot \xrightarrow [{\textit{[commit]}}]{{\textit{adel}}(T')}\cdot \), which sets \({\textit{CI}}(T') = {\textit{CI}}(T) -1\). Between the two transitions, there can only be other [read], [read-\(\bot\)] and [commit-RO] transitions. Now, it is easy to show that \({\cdot \xrightarrow [{\textit{[read-}\bot \textit{]}}]{{\textit{rec}}(T)}\cdot }\) can be moved earlier by swapping it with all these transitions, without affecting the well-formedness of the states and without changing the final state. Finally, when we have the consecutive transitions \({\cdot \xrightarrow [{\textit{[commit]}}]{{\textit{adel}}(T')}\cdot \xrightarrow [{\textit{[read-}\bot \textit{]}}]{{\textit{rec}}(T)}\cdot }\), we can swap them, obtaining \({\cdot \xrightarrow [{\textit{[read-}\bot \textit{]}}]{{\textit{rec}}(T)}\cdot \xrightarrow [{\textit{[commit]}}]{{\textit{adel}}(T')}\cdot }\). This is possible, again, because the well-formedness of state \(D\) ensures that \(\mathbf{ws }(T') \cap \mathbf{rs }(T) = \emptyset \). In the resulting final state only the value of \({\textit{ST}}(T)\) is changed, and it is \({\textit{CI}}(T') = {\textit{CI}}(T) -2\). By iterating this transformation of the sequence of transitions we can show that the original state \(D\) is reachable. \(\square \)
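The server state \(\langle {\textit{SC}}, {\textit{WS}}, {\textit{ST}}, {\textit{CI}} \rangle\) and the transitions the proof manipulates ([read-\(\bot\)], [commit], [commit-RO], [abort]), as an added Python model that is not part of the paper. The page does not spell out the rules' premises, so the certification premise of [commit] (no update transaction committed after \(T\)'s snapshot wrote a variable in \(\mathbf{rs}(T)\), which is what the proof relies on when it swaps transitions) and the variable set \(X = \{x, y\}\) are assumptions.

```python
from dataclasses import dataclass, field

BOTTOM = None      # plays the role of ⊥ (no snapshot / no decision yet)
ABORTED = "aborted"

@dataclass(frozen=True)
class Tx:
    name: str
    rs: frozenset  # readset rs(T)
    ws: frozenset  # writeset ws(T); empty means T is read-only

@dataclass
class Server:
    """Server state D = <SC, WS, ST, CI>, initialised as D_0 over a constructed variable set X."""
    SC: int = 0
    WS: dict = field(default_factory=lambda: {0: frozenset({"x", "y"})})  # WS_0(0) = X
    ST: dict = field(default_factory=dict)  # snapshot identifier ST(T), absent = ⊥
    CI: dict = field(default_factory=dict)  # commit index CI(T), absent = ⊥

    def read_first(self, t):
        """[read-⊥]: T's first read request fixes its snapshot, ST(T) := SC."""
        assert t.rs and self.ST.get(t.name, BOTTOM) is BOTTOM
        self.ST[t.name] = self.SC
        return self.SC

    def certify(self, t):
        """Assumed [commit] premise: no update committed after T's snapshot wrote something T read."""
        st = self.ST.get(t.name, BOTTOM)
        if st is BOTTOM:            # rs(T) empty: T never took a snapshot, nothing to invalidate
            return True
        return all(not (self.WS[i] & t.rs) for i in range(st + 1, self.SC + 1))

    def deliver(self, t):
        """adel(T): atomic delivery of T's commit request, decided by exactly one rule."""
        if not t.ws:                # [commit-RO]: CI(T) := ST(T) + 0.5, SC unchanged
            self.CI[t.name] = self.ST[t.name] + 0.5
        elif self.certify(t):       # [commit]: SC := SC + 1, WS(SC) := ws(T), CI(T) := SC
            self.SC += 1
            self.WS[self.SC] = t.ws
            self.CI[t.name] = self.SC
        else:                       # [abort]: CI(T) := aborted
            self.CI[t.name] = ABORTED
        return self.CI[t.name]

def run_example():
    s = Server()
    t1 = Tx("T1", frozenset({"x"}), frozenset({"x"}))
    t2 = Tx("T2", frozenset({"x"}), frozenset({"x"}))
    s.read_first(t1); s.read_first(t2)     # both read x from snapshot 0
    return [s.deliver(t1), s.deliver(t2)]  # [1, 'aborted']: T2's certification fails
```

The aborted \(T_2\) is exactly the case the abstract describes: it could only be accepted by reordering it before the already committed \(T_1\), which [commit] never does.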
© 2014 Springer International Publishing Switzerland
Corradini, A., Ribeiro, L., Dotti, F., Mendizabal, O. (2014). A Formal Model for the Deferred Update Replication Technique. In: Abadi, M., Lluch Lafuente, A. (eds) Trustworthy Global Computing. TGC 2013. Lecture Notes in Computer Science(), vol 8358. Springer, Cham. https://doi.org/10.1007/978-3-319-05119-2_14
Print ISBN: 978-3-319-05118-5
Online ISBN: 978-3-319-05119-2