Automated Parameterized Verification of CRDTs

Maintaining multiple replicas of data is crucial to achieving scalability, availability and low latency in distributed applications. Conflict-free Replicated Data Types (CRDTs) are important building blocks in this domain because they are designed to operate correctly under the myriad behaviors possible in a weakly-consistent distributed setting. Because of the possibility of concurrent updates to the same object at different replicas, and the absence of any ordering guarantees on these updates, convergence is an important correctness criterion for CRDTs. This property asserts that two replicas which receive the same set of updates (in any order) must nonetheless converge to the same state. One way to prove that operations on a CRDT converge is to show that they commute since commutative actions by definition behave the same regardless of the order in which they execute. In this paper, we present a framework for automatically verifying convergence of CRDTs under different weak-consistency policies. Surprisingly, depending upon the consistency policy supported by the underlying system, we show that not all operations of a CRDT need to commute to achieve convergence. We develop a proof rule parameterized by a consistency specification based on the concepts of commutativity modulo consistency policy and non-interference to commutativity. We describe the design and implementation of a verification engine equipped with this rule and show how it can be used to provide the first automated convergence proofs for a number of challenging CRDTs, including sets, lists, and graphs.


Introduction
For distributed applications, keeping a single copy of data at one location or multiple fully-synchronized copies (i.e. state-machine replication) at different locations, makes the application susceptible to loss of availability due to network and machine failures. On the other hand, having multiple un-synchronized replicas of the data results in high availability, fault tolerance and uniform low latency, albeit at the expense of consistency. In the latter case, an update issued at one replica can be asynchronously transmitted to other replicas, allowing the system to operate continuously even in the presence of network or node failures [8]. However, mechanisms must now be provided to ensure replicas are kept consistent with each other in the face of concurrent updates and arbitrary re-ordering of such updates by the underlying network.
Over the last few years, Conflict-free Replicated Datatypes (CRDTs) [19,20,18] have emerged as a popular solution to this problem. In op-based CRDTs, when an operation on a CRDT instance is issued at a replica, an effector (basically an update function) is generated locally, which is then asynchronously transmitted (and applied) at all other replicas. 1 Over the years, a number of CRDTs have been developed for common datatypes such as maps, sets, lists, graphs, etc.
The primary correctness criterion for a CRDT implementation is convergence (sometimes called strong eventual consistency [9,19] (SEC)): two replicas which have received the same set of effectors must converge to the same CRDT state. Because of the weak default guarantees assumed to be provided by the underlying network, however, we must consider the possibility that effectors can be applied in arbitrary order on different replicas, complicating correctness arguments. This complexity is further exacerbated because CRDTs impose no limitations on how often they are invoked, and may assume additional properties on network behaviour [14] that must be taken into account when formulating correctness arguments.
Given these complexities, verifying convergence of operations in a replicated setting has proven to be challenging and error-prone [9]. In response, several recent efforts have used mechanized proof assistants to yield formal machinechecked proofs of correctness [9,23]. While mechanization clearly offers stronger assurance guarantees than handwritten proofs, it still demands substantial manual proof engineering effort to be successful. In particular, correctness arguments are typically given in terms of constraints on CRDT states that must be satisfied by the underlying network model responsible for delivering updates performed by other replicas. Relating the state of a CRDT at one replica with the visibility properties allowed by the underlying network has typically involved constructing an intricate simulation argument or crafting a suitably precise invariant to establish convergence. This level of sophisticated reasoning is required for every CRDT and consistency model under consideration. There is a notable lack of techniques capable of reasoning about CRDT correctness under different weak consistency policies, even though such techniques exist for other correctness criteria such as preservation of state invariants [10,11] or serializability [4,15] under weak consistency.
To overcome these challenges, we propose a novel automated verification strategy that does not require complex proof-engineering of handcrafted simulation arguments or invariants. Instead, our methodology allows us to directly connect constraints on events imposed by the consistency model with constraints on states required to prove convergence. Consistency model constraints are extracted from an axiomatization of network behavior, while state constraints are generated using reasoning principles that determine the commutativity and noninterference of sequences of effectors, subject to these consistency constraints. Both sets of constraints can be solved using off-the-shelf theorem provers. Be-cause an important advantage of our approach is that it is parametric on weak consistency schemes, we are able to analyze the problem of CRDT convergence under widely different consistency policies (e.g., eventual consistency, causal consistency, parallel snapshot isolation (PSI) [22], among others), and for the first time verify CRDT convergence under such stronger models (efficient implementations of which are supported by real-world data stores). A further pleasant by-product of our approach is a pathway to take advantage of such stronger models to simplify existing CRDT designs and allow composition of CRDTs to yield new instantiations for more complex datatypes.
The paper makes the following contributions: 1. We present a proof methodology for verifying the correctness of CRDTs amenable to automated reasoning. 2. We allow the proof strategy to be parameterized on a weak consistency specification that allows us to state correctness arguments for a CRDT based on constraints imposed by these specifications. 3. We experimentally demonstrate the effectiveness of our proposed verification strategy on a number of challenging CRDT implementations across multiple consistency schemes.
Collectively, these contributions yield (to the best of our knowledge) the first automated and parameterized proof methodology for CRDT verification. The remainder of the paper is organized as follows. In the next section, we provide further motivation and intuition for our approach. Sec. 3 formalizes the problem definition, providing an operational semantics and axiomatizations of well-known consistency specifications. Sec. 4 describes our proof strategy for determining CRDT convergence that is amenable to automated verification. Sec. 5 provides details about our implementation and experimental results justifying the effectiveness of our framework. Secs. 6 presents related work and conclusions. We illustrate our approach using a Set CRDT specification as a running example. A CRDT (Σ, O, σ init ) is characterized by a set of states Σ, a set of operations O and an initial state σ init ∈ Σ, where each operation o ∈ O is a function with signature Σ → (Σ → Σ). The state of a CRDT is replicated, and when operation o is issued at a replica with state σ, the effector o(σ) is generated, which is immediately applied at the local replica (which we also call the source replica) and transmitted to all other replicas, where it is subsequently applied upon receipt.
Additional constraints on the order in which effectors can be received and applied at different replicas are specified by a consistency policy, discussed below.
In the absence of any such additional constraints, however, we assume the underlying network only offers eventually consistent guarantees -all replicas eventually receive all effectors generated by all other replicas, with no constraints on the order in which these effectors are received.
Consider the simple Set CRDT definition shown in Fig. 1. Let E be an arbitrary set of elements. The state space Σ is IP(E). Add(a):S denotes the operation Add(a) applied on a replica with state S, which generates an effector which simply adds a to the state of all other replicas it is applied to. Similarly, Remove(a):S generates an effector that removes a on all replicas to which it is applied. Lookup(a):S is a query operation which checks whether the queried element is present in the source replica S.
A CRDT is convergent if during any execution, any two replicas which have received the same set of effectors have the same state. Our strategy to prove convergence is to show that any two effectors of the CRDT pairwise commute with each other modulo a consistency policy, i.e. for two effectors e 1 and e 2 , e 1 • e 2 = e 2 • e 1 . Our simple Set CRDT clearly does not converge when executed on an eventually consistent data store since the effectors e 1 = Add(a):S 1 and e 2 = Remove(a):S 2 do not commute, and the semantics of eventual consistency imposes no additional constraints on the visibility or ordering of these operations that could be used to guarantee convergence. For example, if e 1 is applied to the state at some replica followed by the application of e 2 , the resulting state does not include the element a; conversely, applying e 2 to a state at some replica followed by e 1 leads to a state that does contain the element a. However, while commutativity is a sufficient property to show convergence, it is not always a necessary one. In particular, different consistency models impose different constraints on the visibility and ordering of effectors that can obviate the need to reason about their commutativity. For example, if the consistency model enforces Add(a) and Remove(a) effectors to be applied in the same order at all replicas, then the Set CRDT will converge. As we will demonstrate later, the PSI consistency model exactly matches this requirement. To further illustrate this, consider the definition of the ORSet CRDT shown in Fig. 2. Here, every element is tagged with a unique identifier (coming from the set I). Add(a,i):S simply adds the element a tagged with i 2 , while Remove(a):S returns an effector that when applied to a replica state will remove all tagged versions of a that were present in S, the source replica.
Suppose e 1 =Add(a,i):S 1 and e 2 =Remove(a):S 2 . If it is the case that S 2 does not contain (a,i), then these two effectors are guaranteed to commute because e 2 is unaware of (a,i) and thus behaves as a no-op with respect to effector e 1 when it is applied to any replica state. Suppose, however, that e 1 's effect was visible to e 2 ; in other words, e 1 is applied to S 2 before e 2 is generated. There are two possible scenarios that must be considered. (1) Another replica (call it S') has e 2 applied before e 1 . Its final state reflects the effect of the Add operation, while S 2 's final state reflects the effect of applying the Remove; clearly, convergence is violated in this case. (2) All replicas apply e 1 and e 2 in the same order; the interesting case here is when the effect of e 1 is always applied before e 2 on every replica. The constraint that induces an effector order between e 1 and e 2 on every replica as a consequence of e 1 's visibility to e 2 on S 2 is supported by a causally consistent distributed storage model. Under causal consistency, whenever e 2 is applied to a replica state, we are guaranteed that e 1 's effect, which adds (a,i) to the state, would have occurred. Thus, even though e 1 and e 2 do not commute when applied to an arbitrary state, their execution under causal consistency nonetheless allows us to show that all replica states converge. The essence of our proof methodology is therefore to reason about commutativity modulo consistency -it is only for those CRDT operations unaffected by the constraints imposed by the consistency model that proving commutativity is required. Consistency properties that affect the visibility of effectors are instead used to guide and simplify our analysis. Applying this notion to pairs of effectors in arbitrarily long executions requires incorporating commutativity properties under a more general induction principle to allow us to generalize the commutativity of effectors in bounded executions to the unbounded case. This generalization forms the heart of our automated verification strategy. Fig. 3 defines an ORSet with "tombstone" markers used to keep track of deleted elements in a separate set. Our proof methodology is sufficient to automatically show that this CRDT converges under EC.

Problem Definition
In this section, we formalize the problem of determining convergence in CRDTs parametric to a weak consistency policy. First, we define a general operational semantics to describe all valid executions of a CRDT under any given weak consistency policy. As stated earlier, a CRDT program P is specified by the tuple (Σ, O, σ init ). Here, we find it to convenient to define an operation o ∈ O as a function (Σ × (Σ → Σ) * ) → (Σ → Σ). Instead of directly taking as input a generating state, operations are now defined to take as input a start state and a sequence of effectors. The intended semantics is that the sequence of effectors would be applied to the start state to obtain the generating state. Using this syntax allows us simplify the presentation of the proof methodology in the next section, since we can abstract a history of effectors into an equivalent start state.
To define the operational semantics, we abstract away from the concept of replicas, and instead maintain a global pool of effectors. A new CRDT operation is executed against a CRDT state obtained by first selecting a subset of effectors from the global pool and then applying the elements in that set in some non-deterministically chosen permutation to the initial CRDT state. The choice of effectors and their permutation must obey the weak consistency policy specification. Given a CRDT P = (Σ, O, σ init ) and a weak consistency policy Ψ , we define a labeled transition system S P,Ψ = (C, →), where C is a set of configurations and → is the transition relation. A configuration c = (∆, vis, eo) consists of three components : ∆ is a set of events, vis ⊆ ∆ × ∆ is a visibility relation, and eo ⊆ ∆ × ∆ is a global effector order relation (constrained to be anti-symmetric). An event η ∈ ∆ is a tuple (eid, o, σ s , ∆ r , eo) where eid is a unique event id, o ∈ O is a CRDT operation, σ s ∈ Σ is the start CRDT state, ∆ r is the set of events visible to η (also called the history of η), and eo is a total order on the events in ∆ r (also called the local effector order relation). We assume projection functions for each component of an event (for example σ s (η) projects the start state of the event η).
Given an event η = (eid, o, σ s , ∆ r , eo), we define η e to be the effector associated with the event. This effector is obtained by executing the CRDT operation o against the start CRDT state σ s and the sequence of effectors obtained from the events in ∆ r arranged in the reverse order of eo. Formally, (1) In the above definition, when ∆ r is non-empty, we define a permutation P of the events in ∆ r such that the permutation order is the inverse of the effector order eo. This ensures that if (η i , η j ) ∈ eo, then η e j occurs before η e i in the sequence passed to the CRDT operation o, effectively applying η e i before η e j to obtain the generating state for o.
The following rule describes the transitions allowed in S P,Ψ : The rule describes the effect of executing a new operation o, which begins by first selecting a subset of already completed events (∆ r ) and a total order eo r on these events which obeys the global effector order eo. This mimics applying the operation o on an arbitrary replica on which the events of ∆ r have been applied in the order eo r . A new event (η) corresponding to the issued operation o is computed, which is used to label the transition and is also added to the current configuration. All the events in ∆ r are visible to the new event η, which is reflected in the new visibility relation vis ′ . The system moves to the new configuration (∆ ′ , vis ′ , eo ′ ) which must satisfy the consistency policy Ψ . Note that even though the general transition rule allows the event to pick any arbitrary start state σ s , we restrict the start state of all events in a well-formed execution to be the initial CRDT state σ init , i.e. the state in which all replicas begin their execution. A trace of S P,Ψ is a sequence of transitions. Let S P,Ψ be the set of all finite traces. Given a trace τ , L(τ ) denotes all events (i.e. labels) in τ .
Let WF (S P,Ψ ) denote all well-formed executions of S P,Ψ . The consistency policy Ψ (∆, vis, eo) is a formula constraining the events in ∆ and relations vis and eo defined over these events. Below, we illustrate how to express certain well-known consistency policies in our framework: For Eventual Consistency (EC) [3], we do not place any constraints on the visibility order and require the global effector order to be empty. This reflects the fact that in EC, any number of events can occur concurrently at different replicas, and hence a replica can witness any arbitrary subset of events which may be applied in any order. In Causal Consistency (CC) [14], an event is applied at a replica only if all causally dependent events have already been applied. An event η 1 is causally dependent on η 2 if η 1 was generated at a replica where either η 2 or any other event causally dependent on η 2 had already been applied. The visibility relation vis captures causal dependency, and by making vis transitive, we ensure that all causal dependencies of events in ∆ r are also present in ∆ r (this is because in the transition rule, Ψ is checked on the updated visibility relation which relates events in ∆ r with the newly generated event). Further, causally dependent events must be applied in the same order at all replicas, which we capture by asserting that vis implies eo. In RedBlue Consistency (RB) [13], a subset of CRDT operations (O r ⊆ O) are synchronized, so that they must occur in the same order at all replicas. We express RB in our framework by requiring the visibility relation to be total among events whose operations are in O r . In Parallel Snapshot Isolation (PSI) [22], two events which conflict with each other (because they write to a common variable) are not allowed to be executed concurrently, but are synchronized across all replicas to be executed in the same order. Similar to [10], we assume that when a CRDT is used under PSI, its state space Σ is a map from variables to values, and every operation generates an effector which simply writes to certain variables. We assume that Wr(η e ) returns the set of variables written by the effector η e , and express PSI in our framework by requiring that events which write a common variable are applied in the same order (determined by their visibility relation) across all replicas; furthermore, the policy requires that the visibility operation among such events is total. Finally, in Strong Consistency, the visibility relation is total and all effectors are applied in the same order at all replicas.
Given an execution τ ∈ S P,Ψ and a transition C η − → C ′ in τ , we associate a set of replica states Σ η that the event can potentially witness, by considering all permutations of the effectors visible to η which obey the global effector order, when applied to the start state σ s (η). Formally, this is defined as follows, assuming η = (eid, o, σ s , {η 1 , . . . , η k }, eo r ) and C = (∆, vis, eo)): . . , k}, eo P is a total order , i < j ⇒ (η P (j) , η P (i) ) ∈ eo P , eo ⊆ eo P } In the above definition, for all valid local effector orders eo P , we compute the CRDT states obtained on applying those effectors on the start CRDT state, which constitute Σ η . The original event η presumably would have witnessed one of these states.
An event is convergent if all valid permutations of visible events according to the specification Ψ lead to the same state. This corresponds to the requirement that if two replicas have witnessed the same set of operations, they must be in the same state. A CRDT achieves SEC if all events in all executions are convergent.

Automated Verification
In order to show that a CRDT achieves SEC under a consistency specification, we need to show that all events in any well-formed execution are convergent, which in turn requires us to show that any valid permutation of valid subsets of events in an execution leads to the same state. This is a hard problem because we have to reason about executions of unbounded length, involving unbounded sets of effectors and reconcile the declarative event-based specifications of weak consistency with states generated during execution. To make the problem tractable, we use a two-fold strategy. First, we show that if any pair of effectors generated during any execution either commute with each other or are forced to be applied in the same order by the consistency policy, then the CRDT achieves SEC. Second, we develop an inductive proof rule to show that all pairs of effectors generated during any (potentially unbounded) execution obey the above mentioned property. To ensure soundness of the proof rule, we place some reasonable assumptions on the consistency policy that (intuitively) requires behaviorally equivalent events to be treated the same by the policy, regardless of context (i.e., the length of the execution history at the time the event is applied). We then extract a simple sufficient condition which we call as non-interference to commutativity that captures the heart of the inductive argument. Notably, this condition can be automatically checked for different CRDTs under different consistency policies using off-the-shelf theorem provers, thus providing a pathway to performing automated parametrized verification of CRDTs.
We now present a property that consistency policies must obey for our verification methodology to be soundly applied. First, we define the notion of behavioral equivalence of events: That is, behaviorally equivalent events produce the same effectors. We use the notation η 1 ≡ η 2 to indicate that they are behaviorally equivalent.

Definition 5 (Behaviorally Stable Consistency Policy). A consistency policy
the following holds: Behaviorally stable consistency policies treat behaviorally equivalent events which have the same visibility relation among them in the same manner by enforcing the same effector order. All consistency policies that we discussed in the previous section (representing the most well-known in the literature) are behaviorally stable: Lemma 2. EC, CC, PSI, RB and SC are behaviorally stable.
EC does not enforce any effector ordering and hence is trivially stable behaviorally. CC forces causally dependent events to be in the same order, and hence behaviorally equivalent events which have the same visibility order will be forced to be in the same effector order. RB forces events whose operations belong to a specific subset to be in the same order, but since behaviorally equivalent events perform the same operation, they would be enforced in the same effector ordering. Similarly, PSI forces events writing to a common variable to be in the same order, but since behaviorally equivalent events generate the same effector, they would also write to the same variables and hence would be forced in the same effector order. SC forces all events to be in the same order which is equal to the visibility order, and hence is trivially stable behaviorally. In general, behaviorally stable consistency policies do not consider the context in which events occur, but instead rely only on observable behavior of the events to constrain their ordering. A simple example of a consistency policy which is not behaviorally stable is a policy which maintains bounded concurrency [12] by limiting the number of concurrent operations across all replicas to a fixed bound. Such a policy would synchronize two events only if they occur in a context where keeping them concurrent would violate the bound, but behaviorally equivalent events in a different context may not be synchronized.
For executions under a behaviorally stable consistency policy, the global effector order between events only grows in an execution, so that if two events η 1 and η 2 are in the history of some event η are related by eo η , then if they later occur in the history of any other event, they would be related in the same effector order. Hence, we can now define a common global effector order for an execution. Given an execution τ ∈ S P,Ψ , the effector order eo τ ⊆ L(τ ) × L(τ ) is an anti-symmetric relation defined as follows: Similarly, we also define vis τ to be the common visibility relation for an execution τ , which is nothing but the vis relation in the final configuration of τ .
Our goal is to use Lemma 3 to show that all events in any execution commute modulo the consistency policy. However, executions can be arbitrarily long and have an unbounded number of events. Hence, for events occurring in such large executions, we will instead consider behaviorally equivalent events in a smaller execution and show that they commute modulo the consistency policy, which by stability of the consistency policy directly translates to their commutativity in the larger context. Recall that the effector generated by an operation depends on its start state and the sequence of other effectors applied to that state. To generate behaviorally equivalent events with arbitrarily long histories in short executions, we summarize these long histories into the start state of events, and use commutativity itself as an inductive property of these start states. That is, we ask if two events with arbitrary start states and empty histories commute modulo Ψ , whether the addition of another event to their histories would continue to allow them to commute modulo Ψ .
where σ s (η 1 ) = σ 1 , σ s (η 2 ) = σ 2 , η 1 and η 2 commute modulo Ψ , then for Condition (1) corresponds to the base case of our inductive argument and requires that in well-formed executions with 2 events, both the events commute modulo Ψ . For condition (2), our intention is to consider two events η a and η b with any arbitrary histories which can occur in any well-formed execution and, assuming that they commute modulo Ψ , show that even after the addition of another event to their histories, they continue to commute. We use CRDT states σ 1 , σ 2 to summarize the histories of the two events, and construct behaviorally equivalent events (η 1 ≡ η a and η 2 ≡ η b ) which would take σ 1 , σ 2 as their start states. That is, if η a produced the effector o(σ init , π) 4 , where o is the CRDT operation corresponding to η a and π is the sequence of effectors in its history, we leverage the observation that o(σ init , π) = o(π(σ init ), ǫ), and assuming σ 1 = π(σ init ), we obtain the behaviorally equivalent event η 1 , i.e. η e 1 ≡ η e a . Similar analysis establishes that η e 2 ≡ η e b . However, since we have no way of characterizing states σ 1 and σ 2 which are obtained by applying arbitrary sequences of effectors, we use commutativity itself as an identifying characteristic, focusing on only those σ 1 and σ 2 for which the events η 1 and η 2 commute modulo Ψ .
The interfering event is also summarized by another CRDT state σ 3 , and we require that after suffering interference from this new event, the original two events would continue to commute modulo Ψ . This would essentially establish that any two events with any history would commute modulo Ψ in these small executions, which by the behavioral stability of Ψ would translate to their commutativity in any execution. Theorem 1. Given a CRDT P and a behaviorally stable consistency policy Ψ , if P satisfies non-interference to commutativity under Ψ , then P achieves SEC under Ψ .
Example: Let us apply the proposed verification strategy to the ORSet CRDT shown in Fig 2. Under EC, condition (1) of Non-Interf fails, because in the execution C init and vis(η 1 , η 2 ), η 1 and η 2 don't commute modulo EC, since (a,i) would be present in the source replica of Remove(a). However, η 1 and η 2 would commute modulo CC, since they would be related by the effector order. Now, moving to condition (2) of Non-interf, we limit ourselves to source replica states σ 1 and σ 2 where Add(a,i) and Remove(a) do commute modulo CC. If vis τ (η 1 , η 2 ), then after interference, in execution τ ′ , vis τ ′ (η ′ 1 , η ′ 2 ), in which case η ′ 1 and η ′ 2 trivially commute modulo CC (because they would be related by the effector order). On the other hand, if ¬vis τ (η 1 , η 2 ), then for η 1 and η 2 to commute modulo CC, we must have that the effectors η e 1 and η e 2 themselves commute, which implies that (a,i) / ∈ σ 2 . Now, consider any execution τ ′ with an interfering operation η 3 . If η 3 is another Add(a,i') operation, then i' = i, so that even if it is visible to η ′ 2 , η ′ e 2 will not remove (a,i), so that η

Experimental Results
In this section, we present the results of applying our verification methodology to a number of CRDTs under different consistency models. We collected CRDT implementations from a number of sources [19,1,18] and since all of the existing implementations assume a very weak consistency model (primarily CC), we additionally implemented a few CRDTs on our own intended to only work under stronger consistency schemes but which are better in terms of time/space complexity and ease of development. Our implementations are not written in any specific language but instead are specified abstractly akin to the definitions given in Figs. 1 and 2. To specify CRDT states and operations, we fix an abstract language that contains uninterpreted datatypes (used for specifying elements of sets, lists, etc.), a set datatype with support for various set operations (add, delete, union, intersection, projection, lookup), a tuple datatype (along with operations to create tuples and project components) and a special uninterpreted datatype equipped with a total order for identifiers. Note that the set datatype used in our abstract language is different from the Set CRDT, as it is only intended to perform set operations locally at a replica. Our data types are uninterpreted since our verification technique generates verification conditions in first-order logic (FOL) with universal quantifiers. All existing CRDT definitions can be naturally expressed in this framework and can be found in Appendix B.
Here, we revert back to the op-based specification of CRDTs. For a given CRDT P = (Σ, O, σ init ), we convert all its operations into FOL formulas relating the source, input and output replica states. That is, for a CRDT operation Since CRDT states are typically expressed as sets, we axiomatize set operations to express their semantics in FOL.
In order to specify a consistency model, we introduce a sort for events and binary predicates vis and eo over this sort. Here, we can take advantage of the declarative specification of consistency models and directly encode them in FOL. Given an encoding of CRDT operations and a consistency model, our verification strategy is to determine whether the Non-Interf property holds. Since both conditions of this property only involve executions of finite length (at most 3), we can directly encode them as UNSAT queries by asking for executions which break the conditions. For condition (1), we query for the existence of two events η 1 and η 2 along with vis and eo predicates which satisfy the consistency specification Ψ such that these events are not related by eo and their effectors do not commute. For condition (2), we query for the existence of events η 1 , η 2 , η 3 and their respective start states σ 1 , σ 2 , σ 3 , such that η 1 and η 2 commute modulo Ψ but after interference from η 3 , they are not related by eo and do not commute. Both these queries are encoded in EPR [17], a decidable fragment of FOL, so if the CRDT operations and the consistency policy can also be encoded in a decidable fragment of FOL (which is the case in all our experiments), then our verification strategy is also decidable. We write Non-Interf-1 and Non-Interf-2 for the two conditions of Non-Interf. Fig. 4 shows the results of applying the proposed methodology on different CRDTs. We used Z3 to discharge our satisfiability queries. For every combination of a CRDT and a consistency policy, we write ✗ to indicate that verification of Non-Interf failed, while ✓ indicates that it was satisfied. We also report the verification time taken by Z3 for every CRDT across all consistency policies executing on a standard desktop machine. We have picked the three collection datatypes for which CRDTs have been proposed i.e. Set, List and Graph, and for each such datatype, we consider multiple variants that provide a tradeoff between consistency requirements and implementation complexity. Apart from EC, CC and PSI, we also use a combination of PSI and RB, which only enforce PSI between selected pairs of operations (in contrast to simple RB which would enforce SC between all selected pairs). Note that when verifying a CRDT under PSI, we assume that the set operations are implemented as Boolean assignments, and the write set Wr consists of elements added/removed. We are unaware of any prior effort that has been successful in automatically verifying any CRDT, let alone those that exhibit the complexity of the ones considered here.
Set: The Simple-Set CRDT in Fig 1 does not converge under EC or CC, but achieves convergence under PSI+RB which only synchronizes Add and Remove operations to the same elements, while all other operations continue to run under EC, since they do commute with each other. As explained earlier, ORSet does not converge under EC and violates Non-Interf-1. ORSet with tombstones converges under EC as well since it uses a different set (called a tombstone) to keep track of removed elements. USet is another implementation of the Set CRDT which converges under the assumptions that an element is only added once, and removes only work if the element is already present in the source replica. USet converges only under PSI, because under any weaker consistency model, non-interf-2 breaks, since Add(a) interferes and breaks the commutativity of Add(a) and Remove(a). Notice that as the consistency level weakens, implementations need to keep more and more information to maintain convergence-compute unique ids, tag elements with them or keep track of deleted elements. If the underlying replicated store supports stronger consistency levels such as PSI, simpler definitions are sufficient.
List: The List CRDT maintains a total ordering between its elements. It supports two operations : AddRight(e,a) adds new element a to the right of existing element e, while Remove(e) removes e from the list. We use the im-plementation in [1] (called RGA) which uses time-stamped insertion trees. To maintain integrity of the tree structure, the immediate predecessor of every list element must be present in the list, due to which operations AddRight(a,b) and AddRight(b,c) do not commute. Hence RGA does not converge under EC because Non-Interf-1 is violated , but converges under CC.
To make adds and removes involving the same list element commute, RGA maintains a tombstone set for all deleted list elements. This can be expensive as deleted elements may potentially need to be tracked forever, even with garbage collection. We consider a slight modification of RGA called RGA-No-Tomb which does not keep track of deleted elements. This CRDT now has a convergence violation under CC (because of Non-Interf-1), but achieves convergence under PSI+RB where we enforce PSI only for pairs of AddRight and Remove operations.
Graph: The Graph CRDT maintains sets of vertices and edges and supports operations to add and remove vertices and edges. The 2P2P-Graph specification uses separate 2P-Sets for both vertices and edges, where a 2P-Set itself maintains two sets for addition and removal of elements. While 2P sets themselves converge under EC, the 2P2P-Graph has convergence violations (to Non-Interf-1) involving AddVertex(v) and RemoveVertex(v) (similarly for edges) since it removes a vertex from a replica only if it is already present. We verify that it converges under CC. Graphs require an integrity constraint that edges in the edge-set must always be incident on vertices in the vertex-set. Since concurrent RemoveVertex(v) and AddEdge(v,v') can violate this constraint, the 2P2P-Graph uses the internal structure of the 2P-Set which keeps track of deleted elements and considers an edge to be in the edge set only if its vertices are not in the vertex tombstone set (leading to a remove-wins strategy).
Building a graph CRDT can be viewed as an exercise in composing CRDTs by using two ORSet CRDTs, keeping the internal implementation of the ORSet opaque, using only its interface. The Graph-with-ORSet implementation uses separate ORSets for vertices and edges and explicitly maintains the graph integrity constraint. We find convergence violations (to Non-Interf-1) between RemoveVertex(v) and AddEdge(v,v'), and RemoveVertex(v) and RemoveEdge(v,v') under both EC and CC. Under PSI+RB (enforcing RB on the above two pairs of operations), we were able to show convergence.
When a CRDT passes Non-Interf under a consistency policy, we can guarantee that it achieves SEC under that policy. However, if it fails Non-Interf, it may or may not converge. In particular, if it fails Non-Interf-1 it will definitely not converge (because Non-Interf-1 constructs a well-formed execution), but if it passes Non-Interf-1 and fails Non-Interf-2, it may still converge because of the imprecision of Non-Interf-2. There are two sources of imprecision, both concerning the start states of the events picked in the condition: (1) we only use commutativity as a distinguishing property of the start states, but this may not be a sufficiently strong inductive invariant, (2) we place no constraints on the start state of the interfering operation. In practice, we have found that for all cases except U-Set, convergence violations manifest via failure of Non-Interf-1. If Non-Interf-2 breaks, we can search for well-formed executions of higher length upto a bound. For U-Set, we were successful in adopting this approach, and were able to find a non-convergent well-formed execution of length 3.

Related Work and Conclusions
Reconciling concurrent updates in a replicated system is a important well-studied problem in distributed applications, having been first studied in the context of collaborative editing systems [16]. Incorrect implementation of replicated sets in Amazon's Dynamo system [7] motivated the design of CRDTs as a principled approach to implementing replicated data types. Devising correct implementations has proven to be challenging, however, as evidenced by the myriad pre-conditions specified in the various CRDT implementations [19].
Burckhardt et al. [6] present an abstract event-based framework to describe executions of CRDTs under different network conditions; they also propose a rigorous correctness criterion in the form of abstract specifications. Their proof strategy, which is neither automated nor parametric on consistency policies, verifies CRDT implementations against these specifications by providing a simulation invariant between CRDT states and event structures. Zeller et al. [23] also require simulation invariants to verify convergence, although they only target state-based CRDTs. Gomes et al. [9] provide mechanized proofs of convergence for ORSet and RGA CRDTs under causal consistency, but their approach is neither automated nor parametric.
A number of earlier efforts [2,21,10,12,11] have looked at the problem of verifying state-based invariants in distributed applications. These techniques typically target applications built using CRDTs, and assume their underlying correctness. Because they target correctness specifications in the form of state-based invariants, it is unclear if their approaches can be applied directly to the convergence problem we consider here. Other approaches [4,5,15] have also looked at the verification problem of transactional programs running on replicated systems under weak consistency, but these proposals typically use serializability as the correctness criterion, adopting a "last-writer wins" semantics, rather than convergence, to deal with concurrent updates. This paper demonstrates the automated verification of CRDTs under different weak consistency policies. We rigorously define the relationship between commutativity and convergence, formulating the notion of commutativity modulo consistency policy as a sufficient condition for convergence. While we require a non-trivial inductive argument to show that non-interference to commutativity is sufficient for convergence, the condition itself is designed to be simple and amenable to automated verification using off-the-shelf theorem-provers. We have successfully applied the proposed verification strategy for all major CRDTs, additionally motivating the need for parametrization in consistency policies by showing variants of existing CRDTs which are simpler in terms of implementation complexity but converge under different weak consistency models. A Proofs Lemma 1. Given an execution τ ∈ S P,Ψ , and an event η = (id, o, σ s , ∆ r , eo r ) ∈ L(τ ), if for all η 1 , η 2 ∈ ∆ r such that η 1 = η 2 , either η e 1 • η e 2 = η e 2 • η e 1 or eo η (η 1 , η 2 ) or eo η (η 2 , η 1 ), then η is convergent.
Proof. Let ∆ r = {η 1 , . . . , η n }. To show that η is convergent, we need to show that any two permutations P 1 and P 2 of effectors in ∆ r obeying the global effector order eo η lead to the same state when applied on the initial state σ init . We will show this using induction on n (i.e. size of ∆ r ). If n = 1, then there is only one effector and hence only one permutation. Assume that the result holds for k − 1. Now, let n = k and consider two permutations P 1 and P 2 . We need to show that η e P1(1) • . . . η e P1(k) (σ init ) = η e P2(1) • . . . η e P2(k) (σ init ) If P 1 (1) = P 2 (1), then the result follows because by the inductive hypothesis, which states that if the number of events is k − 1 then all permutations lead to the same state, and hence (1), let j be such that P 1 (1) = P 2 (j). Now, for all 1 ≤ k < j, neither eo η (η P1(1) , η P2(k) ) nor eo η (η P2(k) , η P1(1) ) because η P2(k) appears before η P1(1) in P 2 and η P1(1) appears before η P2(k) in P 1 . Hence, we must have Hence, we now interchange η e P2(j) and η e P2(k) without changing the overall function obtained from the composition, bringing η e P2(j) at the front of P 2 . Now, the result directly follows as above from the inductive hypothesis.
Proof. Directly follows from the definition of behavioral stability and definition of the consistency policies. ⊓ ⊔ Lemma 3. Given a CRDT P and a behaviorally stable consistency specification Ψ , if for all τ ∈ WF (S P,Ψ ), for all η 1 , η 2 ∈ L(τ ) such that η 1 = η 2 , η 1 and η 2 commute modulo the consistency policy Ψ , then P achieves SEC under Ψ .
⊓ ⊔ Theorem 1. Given a CRDT P and a behaviorally stable consistency policy Ψ , if P satisfies non-interference to commutativity under Ψ , then P achieves SEC under Ψ .
Proof. To prove this, we will show that if P satisfies non-interference to commutativity under Ψ , then any two events in any well-formed execution commute modulo Ψ , which by Lemma 3 shows that P achieves SEC under Ψ . We use induction on the length of execution (note that length of an execution is the number of events it contains). Base Case: For execution of length 1, it is trivially true since there is only one event.
Inductive Case: Suppose the statement holds for all executions of length less than or equal to k. Consider an execution τ of length k + 1.
In the above execution, η is the (k + 1)th event, and η ′ is its predecessor event. By the inductive hypothesis, all events in τ before η commute with each other modulo Ψ , and hence we only need to show that η commutes modulo Ψ with all other events in τ . Let η = (id, o, σ init , ∆ r , eo). There are two cases based on whether η ′ is present in ∆ r : Case-1 : η ′ / ∈ ∆ r . In this case, we can interchange the order of the two events, since the event η can also occur from configuration C ′′ . By doing so, we get an execution of length k containing η and by the inductive hypothesis, η would commute with all other events in this execution modulo Ψ . Hence, we only need to show now that η ′ commutes with η modulo Ψ . Let r is empty, then condition (1) in the non-interf directly applies, since both these events can directly occur from the initial empty configuration C init . Hence, η and η ′ would commute modulo Ψ . Now suppose that ∆ r ∪ ∆ ′ r contains at least one event. Let η ′′ be the latest event in the execution τ occurring in ∆ r ∪ ∆ ′ r . We can construct an execution τ ′ which does not contain η ′′ which would end in events γ ′ and γ which are analogous to η ′ and η except that they don't contain η ′′ in their history. Note that every other event which contains η ′′ in its history and other events which contain these removed events in their history would also have to be removed to get τ ′ . However, since η ′′ is the latest event in the histories of η and η ′ , every other event in their history would still be present in τ ′ . Hence, γ = (id, o, σ init , ∆ r \{η ′′ }, eo r ) where eo r and eo ′ r are same as the original local effector orders eo and eo ′ but applied on the new histories.
Since the length of τ ′ is less than or equal to k (because at least one event is guaranteed to be removed), by the inductive hypothesis γ ′ and γ commute modulo Ψ . Now, we will instantiate condition (2) of non-interf with η 1 being analogous to γ ′ and η 2 analogous to γ.
Specifically, let σ 1 = π ′ (σ init ) where π ′ is the sequence of effectors in ∆ In the above derivation, we first use the property that for any CRDT operation o, state σ and function f , o(σ, f ) = o(f (σ), ǫ).
Let us consider the case where η ′′ was visible to η ′ , so that η ′′ ∈ ∆ ′ r . Then, η Note that for the last step, we use the fact that η ′′ commutes with all events in ∆ ′ r modulo Ψ by the inductive hypothesis. Since η ′′ is the latest occurring event in τ , it cannot be related by eo ′ before any other event in ∆ ′ r . Hence, η ′′ is either the last event in the total order eo ′ (in which case the above derivation directly follows) or is not the last event, but commutes with every other event after it in π ′ , due to which we get the same result.
Case-2 : η ′ ∈ ∆ r , let us first consider any other event η ′′ in τ . Here, we repeat the above procedure to prove the commutativity of the two events η and η ′′ by considering η ′ as the interfering event.
We construct an execution τ ′ which is the same as τ except that it does not contain η ′ . This execution will end in the event γ which is analogous to η except that it does not contain η ′ in its history. Hence, γ = (id, o, σ init , ∆ r \ {η ′ }, eo r ), where eo r is eo restricted to ∆ r \ {η ′ }. The event η ′′ will also be present in τ ′ . Since the length of τ ′ is k, by the inductive hypothesis, γ and η ′′ commute modulo Ψ . Now, we will instantiate NON-INTERF-2 with η 1 ≡ η ′′ and η 2 ≡ γ.
Specifically, suppose that η , where σ 2 = π(σ init ) where π is the sequence of effectors of ∆ r \ {η ′ } in the order eo r . Note that here we assume that η ′′ / ∈ ∆ r . The other case where η ′′ ∈ ∆ r can be similarly handled by placing η 1 in the history of η 2 . Now, by the behavioral stability of Ψ , in the execution, C init η1 − → C 1 η2 − → C 2 , η 1 and η 2 commute modulo Ψ . We let η 3 ≡ η ′ be the interfering event. Then, in the execution C init Finally, let us now prove the commutativity of η and η ′ , where we will again the repeat the above argument by picking the latest event in the histories of η and η ′ as the interfering event.
Otherwise, let η ′′ be the latest event in (∆ r ∪ ∆ ′ r ) \ {η ′ }. We construct an execution τ ′ which is the same as τ except it does not contain η ′′ and ends in events γ ′ and γ analogous to η ′ and η except that they don't contain η ′′ in their history. Note that every other event which contains η ′′ in its history also needs to be removed (and events containing these removed events and so on). However, since η ′′ is the latest event in the combined histories of η and η ′ , no other event in their history will be removed.