Telex: Principled System Support for Write-Sharing in Collaborative Applications

apport   de recherche ISSN 0249-6399 ISRN INRIA/RR--6546--FR+ENG Thème COM INSTITUT N A TION AL DE RECHERCHE EN INFORMA TIQUE ET EN A UTOMA TIQUE T elex: Principled System Support f or Writ e-Sharing in Collaborativ e Applications Lamia Benmouffok — Jean-Michel Busca — Joan Manu el Marquès — Marc Shapiro — Pierre Sutra — Geor gios Tsoukalas N° 6546 9 May 2008 Centre de recherche INRIA Paris – Rocquencour t Domaine de V oluceau, Rocquencour t, BP 105, 78153 Le Chesnay Cedex Téléphone : +33 1 39 63 55 11 — Téléco pie : +33 1 39 63 53 30 T elex: Prinipled System Supp ort for W rite-Sharing in Collab orativ e Appliations ∗ Lamia Benmouok † ‡ , Jean-Mi hel Busa † ‡ , Joan Man uel Marquès § ‡ , Mar Shapiro † ‡ , Pierre Sutra † ‡ , Georgios T souk alas ¶ Thème COM  Systèmes omm unian ts Équip e-Pro jet Regal Rapp ort de re her he n ° 6546  9 Ma y 2008  28 pages Abstrat: The T elex system is designed for sharing m utable data in a dis- tributed en vironmen t, partiularly for ollab orativ e appliations. Users op erate on their lo al, p ersisten t replia of shared do umen ts; they an w ork dison- neted and suer no net w ork lateny . The T elex approa h to detet and orret onits is appliation indep enden t, based on an ation-onstrain t graph (A CG) that summarises the onurreny seman tis of appliations. The A CG is stored eien tly in a multilo g struture that eliminates on ten tion and is optimised for lo alit y . T elex supp orts m ultiple appliations and m ulti-do umen t up dates. The T elex system learly separates system logi (whi h inludes repliation, views, undo, seurit y , onsisteny , onits, and ommitmen t) from appliation logi. An example appliation is a shared alendar for managing m ulti-user meetings; the system detets meeting onits and resolv es them onsisten tly . Key-w ords: No k eyw ords ∗ This resear h is supp orted in part b y Respire (ANR, F rane, respire.lip6.fr ), Grid4All (FP6, EU, www.grid4all.eu ) and gran t JC2007-00213 (Spain). † INRIA, P aris-Ro quenourt, F rane ‡ LIP6, P aris, F rane § Univ ersitat Ob erta de Catalun y a, Barelona, Spain ¶ National T e hnial Univ ersit y of A thens, Greee T elex : un système de partage en ériture p our les appliations ollab orativ es, basé sur un mo dèle formel Résumé : Le système T elex est onçu p our le partage des données mo diables dans un en vironnemen t réparti, prinipalemen t p our des appliations ollab ora- tiv es. Les utilisateurs op èren t sur une opie lo ale et p ersistan te des do umen ts qu'ils partagen t ils p euv en t tra v ailler en mo de déonneté, et ne son t pas ra- len tis par la latene du réseau. T elex utilise une appro  he indép endan te de l'appliation p our déteter et orriger les onits, qui se base sur un graphe ations-on train tes (A CG) qui résume la séman tique de onurrene des appli- ations. L'A CG est sto  k é de façon eae dans une struture dite multi-journal qui élimine la on ten tion et est optimisée p our la lo alité. Des appliations dif- féren tes s'exéuten t sur T elex, qui p ermet de mettre à jour plusieurs do umen ts de façon o ordonnée. T elex sépare propremen t la logique système (e qui inlut la répliation, les vues, le undo , la séurité, la ohérene, les onits, et la nalisation) de la logique appliativ e. Un exemple d'appliation est un alen- drier partagé, p our gérer des réunions m ulti-utilisateur le système détete les onits de réunion et les résout de façon ohéren te. Mots-lés : P as de motlef T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 3 1 In tro dution The T elex system pro vides no v el solutions for write-sharing data in o-op erativ e and disonneted w ork settings. Existing approa hes ha v e sev ere limitations. F or instane state ma hine repliation [5 ℄ imp oses high lateny and do es not supp ort disonneted op era- tion. The p opular last-writer-wins algorithm [11 ℄ do es not ensure an y high-lev el orretness guaran tees. 1 In on trast, T elex is based on a prinipled approa h that om bines exibilit y and orretness, and leanly separates appliation logi from system logi. Appliation logi transmits to T elex ations (op erations) and onstrain ts (onurreny in v arian ts), and applies exeution s hedules transmitted b y T elex. In return, T elex tak es are of: repliation, onsisteny , storage and aess on- trol; olleting, transmitting and p ersisting op erations; deteting onits and omputing high-qualit y onit-free s hedules; forw ard exeution and rollba k;  he kp oin ting; ommitmen t; and aess on trol. T elex supp orts m ulti-do umen t up dates and ross-appliation senarios out of the b o x. T elex is based on a prinipled approa h, the A tion-Constrain t Graph (A CG) [12 ℄. W e designed the multilo g data struture to store A CG-based do - umen ts in a distributed le system. Multilogs eliminate write on ten tion and promote lo alit y . W e dev elop ed a n um b er of demonstration appliations ab o v e T elex. F or instane, a shared alendar appliation lets p eople organise their agenda ollab- orativ ely , arranging priv ate ev en ts and group meetings. T elex detets meeting onits and prop oses p ossible solutions. The on tributions of this pap er inlude: a no v el approa h to shared data repliation that is appliation indep enden t y et appliation-a w are, the A CG; the pratial engineering of an A CG system, in partiular the do umen t and m ulti- log strutures; design examples and lessons learned for A CG-based appliations; and some b en hmarks and p erformane measuremen ts. This pap er pro eeds as follo ws. Setion 2 is an o v erview. Setion 3 explains the data strutures that T elex uses. Setion 4 do umen ts the T elex ar hite- ture and implemen tation. In Setion 5, w e presen t some example appliations. Setion 6 ev aluates the T elex p erformane. W e reet on lessons learned in Setion 7. Setion 8 ompares T elex with related w ork. Finally , Setion 9 on- ludes. 2 T elex o v erview W e giv e an o v erview of the T elex system from three omplemen tary p oin ts of view. 1 Setion 8 analyses the state of the art in detail. RR n ° 6546 4 Benmouok et al. a. App. reies user op. b. Remote ation rvd.: . Compute s hedule(s), as ations & onstrain ts up all for onit onstrain ts exeute, displa y Figure 1: T elex in terations. (The irled n um b ers refer to Figure 5 ) 2.1 User/appliation p ersp etiv e T elex supp orts p artiip ants , i.e., users w orking at disjoin t sites , whi h ma y b e widely distributed. An authorised partiipan t ma y repliate a shared do ument on his site. A site op erates optimistially [11 ℄: it applies lo al ations (op erations), sends them to other sites, and ev en tually r eplays the ations it reeiv es. Hene, appliations are not slo w ed do wn b y remote syn hronisation, net w ork issues, or b y remote failures. A partiipan t ma y w ork either onneted or disonneted from others. Th us, ea h partiipan t has his o wn view of the urren t state of the shared do umen t. Do umen ts and views p ersist aross log-out/log-in and restarts. Ho w ev er, a view is only ten tativ e and ma y ha v e to roll ba k. T elex, not appliations, tak es are of hard issues su h as onit detetion, reoniliation, and onsisteny . Ho w ev er, sine a onit is the violation of some appliation in v arian t, T elex is parameterised b y appliation-sp ei onurreny in v arian ts alled  onstr aints . A onstrain t relates t w o ations, either of the same or distint do umen ts. Hene, T elex main tains onsisteny b et w een do umen ts. Figure 1 illustrates the on trol struture of T elex with a Shared Calendar (SC) appliation. 2 In this example, the partiipan t reates an app oin tmen t, whi h onits (double b o oking) with one reated remotely . In Figure 1 .a, the partiipan t p erforms the app ointment op eration. The SC appliation logs the orresp onding ations and onstrain ts to the lo al T elex dæmon ( +ation app ointment ). In Figure 1.b, when the site reeiv es a remote ation ( signal ), it ompares it to the onurren t ations. If T elex susp ets a onit, it alls up to the appliation ( getConstraint ), whi h replies with preise information ( +onstraint antagonism ). Finally , as in Figure 1., T elex p erio dially sends she dules to the appliation, for exeution and/or rollba k. The appliation 2 Elemen ts of the gure not disussed here will b e explained in later setions. INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 5 Name Notation Seman tis NotAfter A → B A is nev er after B in an y s hedule Enables A ⊳ B B in a s hedule implies A in same s hedule NonCommuting A / B Must agree on A → B or B → A (onit) A tomi A ⊳ ⊲ B All or nothing Causal A ⊳ → B B dep ends ausally on A A ntagonism A ← → B A and B nev er b oth in same s hedule (onit) T able 1: Constrain ts omputes and displa ys the orresp onding views, in this example with a onit indiation ( onit ). 3 2.2 F ormal p ersp etiv e: ations and onstrain ts T elex is based on a formal mo del, the A tion-Constrain t Graph (A CG) [ 12 ℄. The A CG is a lab elled graph whose no des are the ations and edges are the onstrain ts. The urren t view of a site is the result of exeuting a sound she dule , i.e., an ordering of ations urren tly kno wn at that site, that ob eys the safet y onstrain ts NotAfter and Enables . In eet, the A CG represen ts the set of all legal views. T able 1 presen ts briey the onstrain ts supp orted b y T elex; for full details please refer to the relev an t publiations [12℄. The rst three are primitiv e, the last three are om binations of the primitiv es. 4 These represen t imp ortan t lasses of onurreny in v arian ts. While they an appro ximate the true appliation seman tis only grossly , w e ha v e found that they are suien tly expressiv e for reoniliation purp oses in sev eral kinds of appliations [9 , 13 ℄. F ormally , ev en tual onsisteny requires that all s hedules b e sound, that they ha v e a ommon stable sound prex, that ev ery ation ev en tually b e either ab orted or in the prex, and that non-omm uting ations that are in the prex b e ordered. 5 The latter t w o items imply a global onsensus b et w een sites. W e all this onsensus the  ommitment pr oto  ol . In T elex, ommitmen t is optimisti, i.e., it o urs in the ba kground, not in the ritial path of appliations. 2.3 Engineering p ersp etiv e: m ulti-logs and ommitmen t The design of T elex is motiv ated b y some ma jor requiremen ts and  hallenges: (i) P ersist and repliate the A CG. (ii) Pro vide strong guaran tees ab o v e a dis- 3 F or the purp ose of this pap er, do umen t state, view and s hedule are synon ymous. View emphasises that the state is lo al and is not unique; s hedule emphasises that it is omputed b y some ordering of a v ailable ations. 4 A tomi do es not ensure transational isolation; an isolation onstrain t will b e added in the future. Curren tly , to a hiev e isolation, the user m ust man ually group op erations in to a single ation. 5 Mutually-omm uting ations ma y run in an y relativ e order. RR n ° 6546 6 Benmouok et al. tributed le system with only b est-eort onsisteny . (iii) In tegrate do umen ts in to the le system, with reasonable o v erhead and salabilit y . (iv) Pro vide a- ess on trol, without violating onsisteny . (v) Remo v e old A CG en tries from storage. (vi) Deen tralised, p eer-to-p eer design, with supp ort for asual dison- neted op eration. A do umen t is a named en tit y in the le system. F or lo alit y , a do umen t stores only the p ortion of the A CG onsisting of the ations op erating on the do umen t, and their onstrain ts. T elex do umen ts o exist with ordinary les and diretories in the le system. Using one or the other is up to the appliation. T elex relies on external me hanisms to store and repliate do umen ts, and to propagate  hanges to remote sites. T o a v oid le system b ottlene ks and onsisteny issues, ea h partiipan t writes to a distint app end-only lo g within a do umen t. T o enable inremen tal garbage olletion, the log is brok en do wn in to suessiv e  h unk les. This struture is alled multilo g . A log is a suession of ations and onstrain ts in no partiular order. W e optimise for the exp eted ommon ase, where onstrain ts are inside the same log; in ter-log onstrain ts within the same do umen t are sligh tly more exp ensiv e. In ter-do umen t onstrain ts are assumed to b e relativ ely rare and are more ostly . Beause of net w ork dela ys and disonnetions, and b eause of ltering and aess on trol (explained later), at an y p oin t in time, dieren t partiipan ts ma y observ e dieren t A CGs. Ho w ev er, ea h partiipan t's view is onsisten t, b eause it results from a sound s hedule. Th us, if some ation A is not in a view, and A Enables B , then B is also not in that view. The urren t view an b e reorded in a snapshot . Snapshots name a view, sp eed up the omputation of later views, and help with garbage olletion. A deen tralised, ba kground ommitmen t proto ol ensures that the ommon prex of s hedules mak es progress. Ea h partiipan t an v ote for a s hedule aording, for instane, to user preferene. V oting is deen tralised and p eer-to- p eer. Committed log reords ma y b e deleted. Ho w ev er it ma y b e adv an tageous to retain them for auditing, reo v ery or seletiv e undo (to b e explained later). 3 Data strutures 3.1 Do umen t storage T elex stores its do umen ts in le systems with standard, b est-eort onsisteny guaran tees. The storage design ob eys some sp ei requiremen ts. Do umen ts should b e seamlessly in tegrated ab o v e a standard POSIX in terfae, with reason- able p erformane and salabilit y . They should o-exist with lassial les and INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 7 Figure 2: Storage of T elex do umen t diretories. P artiipan ts m ust b e able to w ork normally while disonneted. The system should sales w ell with the n um b er of ollab orating partiipan ts. Finally , P artiipan ts' data m ust b e seured ev en when shared. W e implemen ted m ultilogs ab o v e the federativ e p eer-to-p eer le system V OFS [1 ℄. V OFS pro vides global aess to les with b est-eort onsisteny . It supp orts disonneted op erations via p ersisten t repliation, and notiations for le mo diations on distributed les. A omplete desription of V OFS is outside of the sop e of this pap er; here w e fo us on sp ei features related to T elex in tegration. 3.1.1 Multilog Design As illustrated in Figure 2, a T elex do umen t is a strutured diretory of les. Appliations and T elex ma y store do umen t-sp ei data within the do umen t, su h as lters and snapshots. These data are lo al to a partiipan t; only the m ultilog needs to b e repliated. A m ultilog is itself strutured as a diretory that on tains an app end-only log p er partiipan t. A tions and onstrain ts reated b y an appliation are ap- p ended to that partiipan t's log. Ea h partiipan t's log is repliated at the other partiipan ts' sites; V OFS propagates the up dates to the net w ork. As ea h log has a single writer, is app end-only , and lo al to a do umen t, this a v oids write on ten tion and salabilit y issues. Propagation of a log through the net w ork is asyn hronous, i.e., a log replia ma y on tain only a prex of its soure, as indiated b y the syn bar in the RR n ° 6546 8 Benmouok et al. Figure 3: Implemen tation of m ultilogs o v er V OFS. gure. T elex instanes monitor the logs for new up dates. Ev en tually , all ations and onstrain ts are kno wn to all partiipan ts. As time passes, an ation ev en tually b eomes ommitted and is not needed an y more. T o enable remo ving su h old reords, a log is itself strutured as a diretory of  h unk les. When the size of the urren t  h unk rea hes a threshold, a new one is reated. The name of a  h unk le inludes a sequene n um b er, making it on v enien t to read  h unks in order, and to seletiv ely delete  h unks. A  h unk ma y b e deleted when all the ations it on tains are ommitted and there is a later materialised snapshot. This is, ho w ev er, a p oliy deision; a site ma y deide instead to retain old  h unks for auditing or reo v ery . 3.1.2 Multilogs on V OFS A do umen t is stored b y the T elex dæmon in the le system as a diretory . The in ternal struture of this diretory is not meaningful to users, and is in tended to b e hidden b y the user in terfae (m u h lik e the bundles of MaOS). In our deplo y ed m ultilogs so far, w e ha v e used a en tralised setup at a primary master site, on taining the authoritativ e v ersion of all the logs in a do umen t. P artiipan ts' sites a he the logs p ersisten tly , making them a v ailable for disonneted op eration. The master site is a single p oin t of failure and a salabilit y b ottlene k. In the future, w e plan to use a p eer-to-p eer onguration, using aross- net w ork sym b oli links that V OFS pro vides. Here, ea h partiipan t hosts the authoritativ e v ersion of his o wn log on his o wn site, as in Figure 3. As b efore, partiipan ts a he remote logs p ersisten tly . The master site serv es only to list all the logs using sym b oli links. An y other metho d of distributing the list ould b e used. INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 9 Figure 4: T w o m ultilogs with their logs; note onstrain ts within log, within do umen t, and b et w een do umen ts 3.1.3 The Multilog T o olkit V OFS is optimised for m ultilogs, whi h impro v es the user exp eriene. Ho w ev er, m ultilogs an b e implemen ted ab o v e an y ordinary distributed le system. W e pro vide a to olkit implemen tation of m ultilogs, as a set of simple programs and dæmons, pro viding simple and eien t m ultilog managemen t and aess ab o v e an ordinary le system. The implemen tation follo ws losely the design of Figure 2. More details are a v ailable in Setion 6. 3.2 A tion and Constrain t An ation represen ts an appliation op eration. It is desrib ed b y sev eral at- tributes, of whi h some are kno wn to T elex and other are appliation-sp ei. Among the former, the most imp ortan t is a list of ation keys . An ation k ey indiates the do umen t subset that this ation targets; if t w o ations ha v e a ommon k ey , this indiates suspiion that the ations onit (see Setion 4.2.1 for more detail). An ation b elongs to only one do umen t. It is uniquely iden- tied b y the triple h do ument, issuer, timestamp i . T elex logs an ation in the log of the partiipan t who issues it. A onstrain t reies a seman ti relation b et w een t w o ations. It is dened b y its t yp e ( NonCommuting , NotAfter or Enables ) and b y the t w o ations it binds. A onstrain t is uniquely iden tied b y the triple h typ e, ation1, ation2 i . T elex logs a onstrain t in the log of the partiipan t who issues it. Most often, a onstrain t binds t w o ations of the same do umen t, whether issued b y the same partiipan t or not. Su h a onstrain t is alled an intr a- do ument onstrain t. Ho w ev er, a onstrain t ma y bind ations of t w o distint do umen ts. Su h a onstrain t is alled a r oss-do ument onstrain t. It is then logged in b oth do umen ts. RR n ° 6546 10 Benmouok et al. A onstrain t C referenes an ation A b y using one of the three follo wing forms: (timestamp) if A is issued b y the same partiipan t as C and b elongs to the same do umen t, (issuer, timestamp) if A b elongs to the same do umen t as C and (do Id, issuer, timestamp) otherwise. In the latter form, do Id is the id of the do umen t that ation A b elongs to. Figure 4 sho ws an example of the t w o t yp es of onstrain t. Constrain t C 1 is an in tra-do umen t onstrain t: it binds ations A 1 and A 2 of do umen t OSDI_p ap er . Constrain t C 1 is issued b y Pierr e and th us it is logged in Pierr e 's log of OSDI_p ap er . On the other hand, onstrain t C 2 is a ross-do umen t on- strain t: it binds ation A 3 of do umen t OSDI_p ap er and ation A 4 of do umen t gur e_1 . Constrain t C 2 is issued b y Ge or gios and th us it is logged in Ge or gios 's log of b oth OSDI_p ap er and gur e_1 . 3.3 Views A desirable feature of repliation in ollab orativ e w ork is to enable dieren t partiipan ts to ha v e their o wn view of a shared do umen t. F or instane a partiipan t w orking on a giv en setion of a shared do umen t ma y temp orarily ignore up dates to the same setion b y other partiipan ts. T elex allo ws the partiipan t to selet a partiular view of a do umen t b y means of ation lters . A lter denes whi h ations of the A CG T elex m ust exlude when omputing sound s hedules. When applying a lter, T elex also exlude all ations that ltered ations enable. This ensures that the view omputed b y ltering is alw a ys sound, i.e., do umen t in v arian ts are not violated. A partiipan t denes a lter b y sp eifying its name and one or more lter- ing riteria in v olving an y attribute of an ation. The partiipan t ma y dene sev eral lters on a do umen t and dynamially add and remo v e them. T elex sa v es urren tly-dened lters as part of the p ersisten t state of a do umen t. Note that a lter ma y target a sp ei ation of a do umen t. By adding and remo ving the lter, user ma y th us seletiv ely undo and redo the orresp onding ation in his view of the do umen t. (T o undo an ation p ersisten tly , the parti- ipan t m ust ab ort it. By on v en tion, this is expressed b y marking the ation as an tagonisti with itself.) Filters also pro vide a means to p ermanen tly exlude the op erations of a partiipan t who turns out to b e maliious, as in the Ivy le system [6 ℄. Con trary to Ivy , T elex lters main tain orretness, b y exluding all ations that dep ends on the maliious partiipan t's ations. 3.4 Snapshot A snapshot reords some view of the do umen t. T o dene a snapshot, a par- tiipan t sp eies its name and the she dule of ations whose exeution yields INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 11 Figure 5: T elex ar hiteture the state b eing reorded. In addition, the appliation ma y pro vide the or- resp onding binary state of the do umen t. In this ase, the snapshot is said materialise d . Materialised snapshots sp eed up the omputation of a view and are used as garbage olletion p oin ts. The partiipan t ma y dene an y n um b er of snapshots of in terest to him, and later remo v e those that are no longer useful. T elex sa v es the set of urren tly- dened snapshots as part the p ersisten t state of the do umen t. 4 T elex ar hiteture and op eration Figure 5 is a detailed view of Figure 1 whi h sho ws the o v erall ar hiteture of T elex. An instane of T elex runs at ea h site and omm uniates with remote sites. On top of the gure are the appliations using the servies of T elex. Sev eral su h appliations ma y run onurren tly at the same site. In the middle of the gure is the T elex system. It is omp osed of t w o main mo dules  the s heduler and the replia reoniler  la y ered on top of t w o auxiliary mo dules  the transmitter and the logger. Arro ws in the gure represen t in v o ation paths b et w een T elex mo dules and to/from appliations. RR n ° 6546 12 Benmouok et al. Ea h appliation ma y op en one or more do umen ts. F or ea h op en do u- men t, T elex reates one instane of ea h mo dule, whi h main tains the exeution on text of the do umen t. The only exeption is when do umen ts are b ound b y ross-do umen t onstrain ts, as desrib ed in setion 4.2.3 . In this ase, the b ound do umen ts share the same instane of the replia reoniler and the s heduler. W e desrib e next the in teration b et w een a T elex instane and the outside w orld and then detail the op eration of the main mo dules. 4.1 In terations T elex-appliation in terations in v olv e ex hanging piees of A C graphs (sets of ations and onstrain ts do wn w ards, sets of s hedules up w ards). The in teration yle is as follo ws. The partiipan t ats up on the appliation, whi h translates his request in to one or more ations and onstrain ts and passes them to T elex. In return, T elex omputes a sound s hedule from the set of lo ally-kno wn ations and onstrain ts and hands the s hedule to the appliation. The appliation exeutes the s hedule and presen ts the resulting state to the partiipan t. If some ations onit, then sev eral sounds s hedules exist, ea h orresp onding to a p ossible solution to the onit. The appliation presen ts the resulting states to the partiipan t so that he an selet the solution he prefers. T elex sites ex hange ations and onstrain ts through m ultilogs, and om- m uniate with ea h other in the ommitmen t proto ol. The logger mo dule logs the ations and onstrain ts submitted b y the lo al partiipan t in the partii- pan t's log. In return, the V OFS noties the logger when remote partiipan t's log are up dated. The transmitter determines the set of p eer sites and pro vides an A tomi Multiast servie among p eer sites (arro ws #9 and #10). 4.2 S heduler The role of the s heduler is t w ofold. First, it main tains the in-memory A CG that represen ts the state of the do umen t at the lo al site. Seond, it p erio dially omputes sets of sound s hedules from the A CG and prop oses them to the appliation for exeution. A tions and/or onstrain ts are added to the graph either b y:  The appliation (Figure 5 , arro w #1), when the lo al partiipan t up dates the do umen t.  The logger (arro w #2), when it reeiv es an up date issued b y a remote partiipan t.  The replia reoniler (arro w #3), when it ommits a s hedule. The s heduler passes lo ally-submitted ations and onstrain ts to the logger (arro w #4) to log them on p ersisten t storage. INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 13 4.2.1 Cross-site onstrain t generation A tions logged indep enden tly b y t w o partiipan ts ma y onit; for instane in the shared alendar appliation, a same user ould b e added to t w o parallel meetings. T elex ensures that onits are reied b y onstrain ts as follo ws. When a site reeiv es a new ation, it ompares it against already-kno wn, onurren t ations of the same do umen t. If they ha v e a ommon k ey , then T elex in v ok es the orresp onding appliation's getConstr aint up all. If the ations really onit, the appliation resp onds b y logging an appropriate onstrain t (arro w #5 in Figure 1 .b or Figure 5 ). A tion k eys are opaque to T elex, whi h tests them for equalit y only . A tion k eys serv e as a ompat, but appro ximate, represen tation of the do umen t subset that the ation uses or up dates. T ypially , an ation k ey hashes the iden tier of a parameter of the ation. Multiple k eys ha v e or seman tis (T elex up alls getConstr aint if a k ey of one ation equals an y k ey of the other). T o implemen t and seman tis (for instane, to get an up all only if t w o giv en ob jets are in v olv ed) the appliation hashes the X OR of their iden tiers in to a single k ey . An ation with no k eys onits with no other. If t w o unrelated ations happ ens to ha v e equal ation k eys, no harm is done, other than a loss of p erformane. 4.2.2 S hedule generation A large n um b er of sound s hedules exist for an y giv en A CG in the general ase. It is therefore not feasible to ompute all sound s hedules b eforehand and presen t them to the appliation. Besides, the appliation ma y b e in terested only in a few or ev en just one s hedule. F or these reasons, T elex generates sound s hedules dynamially , up on appliation request (this is not sho wn in Figure 5). The appliation ma y th us iterate through the prop osed s hedules and stops when one or more appropriate s hedules are found. T elex generates the b est s hedules rst, where the qualit y metri is the n um b er of ations inluded (implying few er ations ab orted). Optimal s hedul- ing is NP-omplete, therefore T elex runs a heuristi inspired b y IeCub e [9℄. Seondary goals of the heuristi are to giv e preferene to ations of the lo al partiipan t in the ase of a onit, and to a v oid returning a s hedule equiv alen t to one returned previously . 4.2.3 Bound do umen ts T w o do umen ts are said b ound if there exists a onstrain t b et w een an ation of one and an ation of the other, and either ation (or b oth) is not ommitted. F or instane, if a partiipan t wishes to up date t w o do umen ts atomially , he sets an Enables onstrain t in ea h diretion b et w een the up dates. RR n ° 6546 14 Benmouok et al. The ations of a do umen t ma y not b e s heduled indep enden tly from those of the do umen ts it is b ound to. S heduling is optimised for the ommon ase of non-b ound do umen ts, but w e pro vide sp eial pro essing for this partiular ase. Note that b ound do umen ts ma y b e handled b y distint appliations. T elex pro esses b ound do umen t b y merging them in to a single shar e d A CG in order to ompute glob al s hedules o v er all ations and onstrain ts. Ea h global s hedule generally on tains ations from all b ound do umen ts. Th us, in order to exeute a global s hedule, T elex rst pro jets the s hedule on ea h do umen t and passes ea h resulting sub-s hedule to the relev an t appliation. The pro jetion op eration simply onsists in retaining only those ations that b elong to the target do umen t while preserving their order. T elex assigns the same iden tier to the sub-s hedules deriving from the same global s hedule. This w a y , the partiipan t an iden tify mat hing sub-s hedules on ea h b ound do umen t. 4.3 Replia reoniler Ea h T elex site prop oses a set of onstrain ts, a pr op osal , to remote sites. A pro- p osal on tains deision to ommit, ab ort or serialise ations. These prop osals ma y dier, due to asyn hronous omm uniation, ltering, diering lo al infor- mation, or user preferene. The r epli a r e  oniler is in  harge of  ommitment , i.e., rea hing agreemen t on a ommon s hedule prex. Commitmen t o urs in the ba kground, not within the ritial path of appliations. The ommitted prop osal app ears as a prex of the lo al s hedules. W e prop ose a plug-in replia reoniler ar hiteture, pro viding dieren t strategies aording to needs. A reoniler has four (asyn hronous) phases. 1. Ea h sites ompute a prop osal, aording to its lo al view, for instane based on the user's preferenes (arro w #8 in Figure 5). 2. The transmitter atomi m ultiasts prop osals to set of sites diretly on- erned (arro w #9) b y the agreemen t (in ase of b ound do umen ts more than one replia group ma y b e onerned). A tomi m ultiast main tains liv eness in presene of faults and net w ork lags. 3. The transmitter forw ards prop osals it reeiv es up to the replia reoniler (arro w #10). 4. A ording to the ommitmen t algorithm (desrib ed next) the reoniler  ho oses a winning prop osal, and logs it (arro ws #3 and #4). Curren tly w e prop ose t w o ommitmen t algorithms. (i) A rst-in rst-out algo- rithm for appliations su h as a distributed database. A t ea h site the FIF O algorithm prop oses to minimise the n um b er of dead ations aording to its lo al view. When a site deliv ers a new prop osal, the FIF O algorithm  he ks the soundness of the prop osal aording to the previous winning prop osals (arro ws #8 and #7). If the deision is sound, the reoniler adds it to the A CG, if not the deision is disarded. INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 15 (ii) A v oting algorithm that tak es in to aoun t lo al preferenes. A prop osal is a v ote spanning one or m ultiple ations o v er one or more do umen ts. A prop osal is brok en in to sub-A CGs with sp ei prop erties, alled andidates. Candidates on taining the same ations  hallenge ea h other. A andidate ma y b e eleted only if its set of ations is transitiv ely losed in the union of all the A CGs aross sites. This proto ol is desrib ed in detail in a separate publiation [15 ℄. 4.4 A ess on trol The T elex design inludes aess on trol at inreasingly ne-grain lev els, using a seurit y framew ork (whose desription is out of sop e of this do umen t). This is indiated b y the three arro ws mark ed hek in Figure 1 . (i) A ess on trol at le gran ularit y ensures that a single partiipan t writes a giv en log, and that only authorised users an read a log. (ii) The T elex dæmon  he ks whether a user is allo w ed to aess an individual log reord. 6 (iii) Appliations ma y enfore further on trol. F or instane, in the SC appliation, a user migh t observ e the times that another user is busy , but not b e allo w ed to see the other details of his meetings. As explained in Setion 2.3 , aess on trol do es not violate onsisteny . 5 Appliations T o pro vide insigh t on the issues in v olv ed in using the T elex system, this setion presen ts some of our example appliations. W e will return to the lessons learned in a later setion. 5.1 Simple Repliated Ditionary W e start with a simple example. Our Simple Repliated Ditionary Appliation (SRD A) manages shared ditionaries. SRD A is in tended as a building blo  k for appliations su h as a shared address b o ok. Users an op erate on a ditionary in either onneted or disonneted mo de. T elex guaran tees that, in spite of no de arriv als, departures or failures, all instanes of a giv en ditionary on v erge. A do umen t on tains tuples of the form h tupleID , attribute 1 , attribute 2 , . . . i , for an y n um b er of attributes. Ea h attribute is a h name, value i pair. SRD A pro vides these op erations:  insert ( tupleID , attrs ) : inserts a new en try , with iden tier tupleID and attributes attrs , in to the ditionary do umen t.  mo dify ( t upleID , attrs ) : mo dies attributes for the giv en tupleID . 6 This is not y et implemen ted in the urren t v ersion. RR n ° 6546 16 Benmouok et al. insert ∀ previous r em i . TID : r em i . TID → urren t ins . TID r emove ins . TID ⊳ → urren t r em . TID mo dify ins . TID ⊳ → urren t mo d . TID ∀ previous mo d i . TID . attr j : mo d i → urren t mo d T able 2: Sequen tial exeution onstrain ts (Notation: ins = insert , mo d = mo dify , r em = r emove , attr = attribute , TID = tupleID )  r emove ( tupleID ) : deletes the tuple orresp onding to the giv en tupleID .  r e ad ( t upleID ) : returns the attributes orresp onding to the giv en tupleID . In the rst op eration, the tupleID m ust b e previously un used or remo v ed; for all the others, a tuple iden tied b y tupleID m ust already exist. The mo d- ify op eration assigns the listed attributes if they already exist for the tuple, otherwise it adds them. Insert, mo dify and remo v e op erations translate to a T elex ation. Beause T elex do es not y et supp ort isolated m ulti-op eration transations, w e manage write dep endenies in the write op erations, as explained shortly . Read op era- tions are treated as lo al. 5.1.1 Sequen tial onstrain ts T able 2 summarises the sequen tial seman tis of SRD A. SRD A logs these on- strain ts at the same time as it logs the righ t-hand ation of the onstrain t. In the T elex design, the appliation should log ausal dep endene only when the seond ation truly dep ends on the rst. Hene, a mo dify ation, or a r emove , is ausally dep enden t on the insert that reated the tuple. Th us, if the insert ab orts or fails, the dep enden t mo dify and r emove ations will b e disarded from an y sound s hedule. F urthermore, w e treat ev ery write op eration as a read-ompute-write transation. In order to ensure read-y our-writes session guaran tees [16 ℄, w e set NotAfter onstrain ts b et w een insert , mo dify and r emove ations in the same user session, ev en b et w een dieren t ditionary do umen ts. Finally , to ensure the orret s heduling of a r emove follo w ed b y an insert with the same tuple iden tier, w e mak e all previous r emove with the same tuple-id NotAfter the urren t insert . The SRD A appliation logs the ab o v e onstrain ts in the m ultilog, at the same time as it logs the righ t-hand ation. The SRD A appliation logs the ab o v e onstrain ts in the m ultilog, at the same time as it logs the righ t-hand ation. INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 17 ins 2 mo d 2 ins 1 ins 1 . TID = ins 2 . TID ⇒ ins 1 / ins 2  mo d 1 . TID = mo d 2 . TID ∧ mo d 1 imp ossible attrs 1 . TIDs ∩ attrs 2 . TIDs 6 = Ø ⇒ mod 1 / m o d 2 T able 3: SRD A getConstr aint 5.1.2 Conurreny onstrain ts Sine it is illegal to insert the same iden tier t wie, t w o onurren t insert ations that refer to the same iden tier are NonCommuting . Otherwise, onurren t inserts omm ute. Similarly , t w o onurren t mo dify op erations with the same iden tier and o v erlapping attributes are also NonCommuting . Those onstrain ts are added b y the appliation when T elex in v ok es its getConstr aint metho d. They are summarised in T able 3, where NonCommuting is noted / . In order to ensure that T elex up alls the getConstr aint metho d as needed, insert and mo dify ations ha v e an ation k ey , omputed as a hash of the tupleID . 5.2 Shared Calendar Our Shared Calendar (SC) appliation is represen tativ e of ollab orativ e deision- making appliations. SC illustrates the adv an tages of T elex for seman tially-ri h ollab orativ e appliations. SC helps p eople organise priv ate ev en ts and group meetings ollab orativ ely , p ossibly in disonneted and asyn hronous mo de. Con trary to existing alendar appliations, SC detets onits (su h as double b o oking), prop oses solutions, and ensures agreemen t and ev en tual onsisteny . This w ould b e diult to a hiev e without T elex supp ort. Appliation logi (i.e., main taining the data strutures and iden tifying onstrain ts) is w ell sepa- rated from the system logi, i.e., p ersistene, repliation, onit detetion and resolution, ommitmen t, et. 5.2.1 SC logi Ea h user or lo ation has an asso iated  alendar do umen t. Ea h event (e.g., a meeting) is a separate do umen t. A alendar ma y b e read or up dated b y other users, who an (if so authorised) reate or manage ev en ts, in vite p eople to an ev en t, or iden tify onits and free time. W e use the follo wing notations. An ev en t e is unique, has a name e.name , and a date e.date , and is materialised b y a T elex do umen t e.dox . A user A reates an ev en t e b y reating the do umen t e.dox , and b y logging an op en-event ation in his o wn alendar and an invite(A) ations in e.dox . He RR n ° 6546 18 Benmouok et al. Figure 6: Exeution senario for the Shared Calendar appliation also logs an enable-event ation in e.dox that sym b olises the reation of the ev en t. This ation is used to sp eify onstrain ts on the ev en t reation as sho wn next. Later, user A ma y in vite other users b y logging an op en-event ation in his log within their alendars, and a orresp onding invite ation in e.dox . One a user has op ened an ev en t do umen t, he ma y in vite more users. He also an anel the ev en t or some user in vitation b y logging a  an el-event or a  an el-invitation ation in e.dox . 7 The ation k eys iden tify the ev en t and its time-slots. Therefore, ations in the same alendar for the same ev en t, or for dieren t ev en ts at the same time, will ha v e o v erlapping k eys, ausing T elex to in v ok e the getConstr aint up all in terfae of SC. A alendar do umen t ation omm utes with all other alendar do umen t ations. Constrain ts b et w een ev en t do umen t ations are similar to the SRD A onstrain ts, where enable-event ,  an el-event and invite (or  an el-invitation ) are lik e lik e insert , r emove and mo dify resp etiv ely . T o a v oid double b o okings, onurren t invite ations are an tagonisti, if they onern the same user at the same time but dieren t ev en ts. 5.2.2 Use ase Consider the senario in Figure 6. Users Jean-Mi hel, Lamia and Mar are w orking separately and omm uniate only via the SC appliation. 7 Curren tly it is not p ossible to ollab orativ ely  hange the time of an ev en t. This will require extensions to T elex to asso iate the time up dates with some user in vitation to detet a double b o oking, whi h is future w ork. INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 19 Figure 7: Mar's site at t 3 Jean-Mi hel organises meeting Net w orking Seminar NS with Mar. He pro- p oses t w o alternativ e dates, Monda y and T uesda y (Op eration 1 in the gure). Lamia also organises a meeting Greek Lesson GL with Mar on Monda y (Op eration 2). SC reates the ev en t do umen ts and logs the ations and onstrain ts to T elex, as detailed in Figure 7, depiting the state of Mar's site at time t 3 . Lamia's SC instane reates GL.dox do umen t, imp orts Mar's alendar, and logs the follo wing ations:  On Mar's and Lamia's alendar: op en-event (e2) .  On GL.dox : A = enable-event , B = invite(L amia) , C = invite(Mar ) . SC groups them atomially: A ⊳ ⊲ B ∧ B ⊳ ⊲ C . T o express the alternativ e Jean-Mi hel's SC instane transparen tly reates t w o ev en ts NS1 and NS2 with oniting enable-event ations. F or b oth ev en ts, SC generates similar ations as for the GL ev en t. Supp ose that, at some p oin t in time t 1 , Mar has reeiv ed Jean-Mi hel's ations, but not y et Lamia's. This ma y happ en, for instane, if Lamia is w orking oine. T elex omputes the s hedules orresp onding to t w o p ossible solutions: (i) holding NS on Monda y and ab orting NS on T uesda y; or (ii) holding NS on T uesda y, and ab orting NS on Monda y. Sine the former solution on tains more ations, it will b e prop osed rst. RR n ° 6546 20 Benmouok et al. Later, at t 2 Mar kno ws Lamia's ations. T elex  he ks the k eys of Lamia's ations with Jean-Mi hel's. C = invite(Mar ) on GL.dox and E = invite(Mar ) on NS1.dox b oth ha v e a k ey represen ting the Monday slot. Therefore, T elex asks SC for the orresp onding onstrain ts. SC returns an an tagonism onstrain t C ← → E . This ensures that no view on tains b oth C or E , and that one or the other (or b oth) ev en tually ab ort. Finally , T elex oers the t w o p ossible solutions: (i) NS on T uesda y and GL on Monda y, ab orting NS on Monda y; or (ii) NS on Monda y, ab orting GL on Monda y and ab orting NS on T uesda y. Lamia is not in vited to ev en t NS , she ma y not read NS1.dox nor NS2.dox . Nev ertheless, T elex ensures that she ev en tually gets notied of a onit o ur- rene that ma y ab ort GL . The same go es for Jean-Mi hel. The reoniliation phase ensures that Mar, Lamia and Jean-Mi hel ev en tually see a onsisten t state for GL and NS ev en ts. 5.3 Shared wiki F or la k of spae, w e desrib e our Shared Wiki Appliation (SW A) only briey . Ea h wiki page is a separate do umen t. Ev ery user urren tly editing it has a log in the do umen t. His site k eeps a lo al replia of the wiki text, whi h the user mo dies lo ally using a standard text editor. Ev ery time the user sa v es, the SW A omputes the dierene from the previous v ersion, and translates it in to insert-line and delete-line ations. Mo difying a line is in terpreted as an atomi grouping of delete-line and insert-line. The SW A uses the W OOTO op erational transformation algorithm [7℄ to ensure that onurren t edit op erations omm ute. A delete-line ation dep ends ausally on the ation that inserted the line. Inserting a line b et w een t w o other lines dep ends ausally on the t w o orresp onding line insert op erations. Sine all onurren t op erations inside a do umen t omm ute, there will nev er b e an y onits. Therefore, edit ations arry no k eys, and T elex nev er up alls getConstr aint to the SW A. S hedule omputation is trivial, sine all s hedules that are ompatible with ausal dep endene order are equiv alen t. Existing wiki editors main tain the set of past v ersions of a page. Thanks to T elex, SW A an reonstrut an y past v ersion, and additionally main tains the relations b et w een v ersions. In the future, w e ould extrat more history information from the p ersisten t m ulti-log, inluding page splits and merges, and op y-paste b et w een pages. F rom the p ersp etiv e a single page, T elex serv es mainly to reliably broadast ations and repla y them in ausal order. One added v alue of T elex for SW A is the abilit y to p erform m ulti-do umen t up dates, e.g., a global replae through all wiki pages onsisten tly . T elex also enables m ulti-appliation senarios, e.g., ensuring that a wiki page on tain the details of a meeting agreed in the shared alendar appliation. INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 21 Cong Name 1x8M 8x8M 1x8L 8x8L W riters 1 8 1 8 Log size (MB) 50 50 5 5 RX limiting no no y es y es run time (se) 3.4 9.3 306.48 309.31 a vg RX+TX (B/s) 102.9M 75.3M 228.4K 226.3K T able 4: Represen tativ e results for shared m ultilogs with 1 and 8 writers, with and without limiting reeiving tra 0 1000000 2000000 3000000 4000000 5000000 0 20 40 60 80 100 120 Log size (bytes) Time (seconds) Log Propagation Progression: Site-3 view, 8 writers, 4 disconnect, limit incoming site-0 site-1 site-2 site-3 site-4 site-5 site-6 site-7 Figure 8: Multilog repliation progression for 8 writers, throttled inoming traf- . 4 disonnet. 6 P erformane ev aluation 6.1 Multilog exp erimen t The m ultilog to olkit is a simple set of to ols and dæmons that reate, aess and onnet logs in m ultilogs. It is written in Python and uses TCP/IP for net w orking. It straigh tforw ardly implemen ts the design illustrated in Figure 2 . There are four main utilities in the to olkit. L o gServer monitors a log and propagate up dates. L o gClient on tats a list of LogServ ers and lo ally repliates their logs. L o gT o ol is a utilit y that an read or write a log. Multilo gD is a simple dæmon that giv en a list of partiipan ts, om bines the log-to ols to implemen t a m ultilog. RR n ° 6546 22 Benmouok et al. 6.1.1 Ev aluation summary The m ultilog struture deouples reads and writes and promotes mostly-linear aess patterns. Therefore, the read/write p erformane of m ultilogs is domi- nated b y the lo al lesystem and of the net w ork sta k. The purp ose of this ev aluation is to demonstrate this fat; the results are summarised in T able 4 Our p erformane goals are to sale to v ery large n um b ers of readers. The n um b ers of writers for a single do umen t is exp eted to remain relativ ely small, on the order of tens of partiipan ts. This is t ypial for the in ternet so iet y . Eien t propagation from a small n um b er of writers to a h uge n um b er of readers is p ossible in p eer-to-p eer net w orks, where reipien ts of data propagate them further. The net eet of su h a solution is a high outgoing bandwidth and limited inoming bandwidth. In some of our exp erimen ts, w e em ulate this eet b y sev erely limiting inoming tra of partiipan ts while lea ving outgoing tra unlimited. 6.1.2 Detailed Results The exp erimen tal setup in v olv es one partiipan t installed on ea h of 8 no des in teronneted with Gigabit Ethernet. The senario is simple; Either one or all 8 partiipan ts b egin to log a sp ei amoun t of data as fast as p ossible. A t the same time, ea h partiipan t reads his logs and reords its repliation progression o v er time. The writers and readers are implemen ted with LogT o ol instanes, logs are serv ed b y LogServ ers and propagated up dates are reeiv ed and written to replias b y LogClien ts. T able 4 lists represen tativ e results for running 1 and 8 onurren t writers b oth with and without limiting the inoming tra. The a v erage tra is the sum of the inoming and outgoing tra om bined. Our onlusion is that, when there is no limit in eet, m ultilog propagation p erformane is omparable to the maxim um net w ork bandwidth. When limits are in plae, although o v erall bandwidth drops as exp eted, w e observ e that v arying the n um b er of writers b et w een 1 and 8 has no eet. F urthermore, in all the exp erimen ts, disonnetion of a partiipan t do es not disrupt the remaining ones, as illustrated in Figure 8 . 6.2 Syn theti b en hmarks Sound s hedules omputation T elex omputes sound s hedules using the IeCub e algorithm [9℄. F or a randomly generated graph on tainning 10000 a- tions and 20000 onstrain ts, our algorithm omputes a sound s hedule in 200 ms. In running mo de T elex uses inremen tal mo de, and the omputation is around a milliseond. INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 23 Reoniliation time W e test the time to deide newly prop osed ations. During this exp eriene w e ompute a s hedule ev ery 100ms, and a prop osal ev ery 100ms. Ea h site submits 20 ations p er seond. The a v erage time to ommit an ation using the FIF O algorithm (see Setion 4.3) is 64ms. 6.3 STMBen h W e run the STMBen h7 b en hmark [ 2℄, whi h em ulates an appliation with a ri h data struture and man y dieren t op erations. W e  hose STMBen h7 mainly b eause it demonstrates onurreny and onits. It also serv es as an illustration of the use of T elex on a omplex data struture. STMBen h7 w as dev elop ed to exerise soft w are transational memories, based on the previous OO7 b en hmark for ob jet-orien ted databases. STM- b en h7 builds an ob jet graph with millions of ob jets and onneted b y n u- merous p oin ters. It on tains 45 op erations (21 read-only , 24 read-write) with v arious sop e and omplexit y . W e p orted to T elex the read-write op erations only . They all op erate in a similar manner: tra v erse the data struture, reading one or man y attributes of one or man y ob jets, and mo dify an ob jet. An STMBen h7 b en hmark onsists of t w o phases: reating a randomised ob jet graph, and in v oking op erations. W e measure only the seond phase. There are four four main ategories of op erations:  Long tra v ersal: aess large parts of the ob jet graph, t ypially all as- sem blies and atomi parts.  Short tra v ersals: aess few er ob jets, tra v ersing the graph along a ran- domly  hosen path.  Short op erations:  ho ose a small n um b er of ob jets, and p erform an op- eration on these ob jets or in their neigh b ourho o d.  Struture mo diations: randomly reate or delete ob jets, or reate or delete p oin ters b et w een ob jets. Ea h STMBen h7 op erations is mapp ed to a single ation, hene will b e isolated from onurren t op erations. Unexp etedly , in the original o de, op erations alw a ys omm ute, b eause the up dates either sw ap t w o shared p oin ters, or add 1 mo dulo 2 to a shared in teger. W e therefore mo died the b en hmark so that, with some probabilit y , up dates either omm ute or do not omm ute. Due to the large n um b er of op erations, w e will not presen t a omprehen- siv e list of onstrain ts. Instead, w e explain the rules w e follo w to dene the onstrain ts.  An y mo diation to an ob jet is ausally dep enden t on the reation of the same ob jet.  T w o ations that mo dify the same data are NonCommuting . RR n ° 6546 24 Benmouok et al. Num b er of sites Time to b en hmark (s) 1 20 2 21 3 21 4 21 5 21 6 21 T able 5: STMBen h7 results  If an ation reads some data, and another ation onurren t writes the same data, the former is NotAfter the latter. This ensures that, at all sites, the read will see the v alue b efore the write. The results of the b en hmark are sho wn in T able 5, exeuting the op erations that mo dify data (not the struture). P erformane is indep enden t of the n um b er of sites. 7 Lessons learned Exp eriene with appliations and b en hmarks has giv en us useful feedba k, b oth regarding the implemen tation of T elex, as w ell as guidelines for appliation dev elop ers. The urren t implemen tation of T elex suers from exessiv e memory on- sumption. The A CG an qui kly rea h sizes of sev eral tens of thousands of no des, and is aessed onurren tly b y man y threads. F or instane, the s hed- uler parses the A CG at the same time as lo al and remote appliations are mo difying it. T o a v oid onurreny issues, the s heduler tak es a full op y of the urren t A CG, whi h b oth onsumes memory and is slo w (in Ja v a). Similarly , forw ard exeution and rollba k of appliations in v olv es op ying their in ternal state, whi h an b e v ery large. In b oth ases, an ob vious solution (and future w ork) is to op y-on-write instead. T ranslating appliation seman tis in to ations and onstrain ts is a skill that tak es time to aquire. W e presen t some guidelines deriv ed from our o wn exp e- riene. Note that these are not hard rules, and ev en ma y b e oniting. The most imp ortan t suggestion is to lev erage omm utativit y as m u h as p ossible. As noted in the SW A, if all op erations omm ute, onsisteny is trivial. The SW A example also sho ws that, sometimes, op erations that app ear non- omm uting in tuitiv ely , an b e designed or transformed to omm ute. W e learned that it is imp ortan t to turn ev ery piee of shared information in to a separate do umen t. In the initial design of SC, alendars w ere the only do umen ts, and ev en ts w ere impliit in the alendars. This raised a n um b er INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 25 of problems, b eause there w as no ob vious w a y to detet when a meeting on- it w ould impat another user indiretly . Separating out ev en ts as distint do umen ts solv ed this. It is imp ortan t to distinguish the sequen tial onstrain ts (mainly , NotAfter and Causal ) from the onurreny onstrain ts (onits). The former are logged with their righ t-hand ation; the latter are logged in resp onse to getConstr aint . Conurreny onstrain ts are deriv ed from the appliation in v arian ts. F or in- stane, in SRD A, the sequen tial sp eiation forbids t w o tuples with the same iden tier; it follo ws that onurren t insert s with the same iden tier are in A ntagonism . One lesson from STMBen h7 is to reason ab out high-lev el op erations rather than lo w-lev el ones, in order to deal with few er om binations. F urthermore, it is sometimes the ase where high-lev el op erations omm ute (for instane, inremen t and deremen t a shared in teger) ev en though their lo w-lev el imple- men tations (e.g., reads and writes) do not. Ho w ev er, in some ases, it ma y b e simpler to reason ab out a small n um b er of lo w-lev el primitiv es when they ma y b e om bined in to a large n um b er of op- erations. Curren tly , this kind of approa h is ompliated b y the la k of supp ort for transational isolation, whi h is future w ork. Constrain ts are hard to v alidate. W e suggest t w o omplemen tary approa hes for future w ork. A ompiler ould generate ations and onstrain ts from a high-lev el sp eiation, and a  he k er ould v erify that all ation-onstrain t om binations v erify the appliation in v arian ts. 8 Related w ork State-ma hine repliation [5℄ is based a total order of op erations. This ensures onsisteny and orretness, but requires onsensus at ea h op eration, in the ritial path of the appliation. In on trast, T elex's optimisti approa h p er- forms onsensus in bat hes, in the ba kground. Optimisti repliation [11 ℄ has b een widely used, e.g., in repliated le sys- tems (for instane, Co da [3 ℄ or Roam [10 ℄) and for ollab orativ e w ork (e.g., Ba y ou [17 ℄). In these systems, replias ev en tually on v erge, but they generally do not ensure an y high-lev el orretness. F or instane, the widely-used last- writer-wins (L WW) loses up dates when onits o ur, and do es not main tain onsisteny b et w een ob jets. Our onstrain ts additionally ensure that applia- tion in v arian ts are preserv ed. Man y repliated systems transmit new v alues or deltas (the state-based mo del). The op eration-based mo del used in T elex (i.e., the system stores, transmits and repla ys logs of op erations) retains more useful information for reoniliation. This is esp eially adv an tageous when high-lev el op erations log- ially omm ute despite reading and writing the same ph ysial data, as in our SC and SW A appliations. RR n ° 6546 26 Benmouok et al. The literature on omputer-supp orted o-op erativ e w ork is widely based on op erational transformation (OT) [ 14 ℄. OT ensuring omm utativit y b et w een onurren t op erations b y mo difying them at repla y time. Com bined with reli- able ausal-order broadast, this ensures on v ergene with no further onur- reny on trol, but unfortunately OT app ears limited to v ery simple text-editing senarios. T elex tak es adv an tage of omm utativit y when it is a v ailable, and supp orts an y mix of omm utativ e and non-omm utativ e op erations. Co da's appliation-sp ei resolv ers [4℄ or Ba y ou [17 ℄ giv e appliations full on trol o v er onits. Ho w ev er, this requires dev elop ers to ha v e a deep under- standing of distributed systems issues. Instead, T elex requires st ylised onur- reny onstrain ts from appliations and tak es are of onit resolution in an appliation-indenden t manner. T elex has man y similarities with Ba y ou [ 17 ℄ and also man y dierenes. Ba y ou is an op eration-based system that pro vides ommitmen t; the ommit- ted state is guaran teed orret. Ho w ev er, Ba y ou relies on a primary site for ommitmen t and the ommitted s hedule is unpreditable. F urthermore, the system oers no help for reoniliation. Constrain ts w ere used for reoniliation in the IeCub e [9 ℄ system. IeCub e relies on a primary site for ommitmen t. In T elex, ea h site runs an IeCub e engine (or an y alternativ e) to prop ose s hedules, and the ommitmen t proto ol ensures onsensus based on these prop osals. IeCub e supp orts a ri her set of onstrain ts and an extrat them from the appliations' soure o de [ 8 ℄. The Ivy p eer-to-p eer le system [6℄ reoniles the urren t state of a le from single-writer, app end-only logs. There are sev eral dierenes b et w een Ivy and T elex. Ivy is designed for onneted op eration. Ivy is state-based and reoniles using a p er-b yte L WW algorithm b y default. Whereas T elex lo alises logs p er do umen t, in Ivy there is a single global log for all the up dates of a giv en partiipan t. Reading an y le requires sanning all the logs in the system, whi h do es not sale w ell, although this is oset somewhat b y a hing. Ivy has no ommitmen t proto ol, therefore a state ma y remain ten tativ e indenitely . The Ivy authors suggest that maliious up dates an b e remo v ed after the fat, b y ignoring the orresp onding log. Ho w ev er, sine Ivy do es not reord onstrain ts, it annot reonstrut a orret state: for instane, an up date b y an inno en t user that dep ends on a previous but maliious up date annot b e remo v ed. 9 Conlusion W e presen ted the T elex system for shared m utable do umen ts in a distributed system. W e presen ted our motiv ations, its formal priniples, the engineering design and implemen tation, and a n um b er of protot ypial appliations. W e also pro vided some p erformane measuremen ts. INRIA T elex: Priniple d Sys. Supp ort for W rite-Sharing in Col lab. Apps. 27 Our t w o main inno v ations are our prinipled approa h based on ation- onstrain t graph, and the m ultilog struture. The former enables T elex to pro vide orretness guaran tees while main taining appliation onurreny in- v arian ts. It also allo ws a lear separation b et w een the resp onsibilities of appli- ations, and those of the system. Thanks to onstrain ts, appliations sp eify preisely the lev el of onsisteny that they need, and the system enfores that lev el eien tly , and no more. Indep enden tly of the A CG, w e argue that the m ultilog struture is b etter adapted to shared, m utable do umen ts than ordinary les, esp eially in a ollab- orativ e en vironmen t. A le system ma y pro vide guaran tees for diretories, but generally only b est-eort onsisteny for les. F urthermore, the design goals of a le system are lik ely to b e dieren t from the needs of atual appliations. The m ultilog struture deouples reads and writes, a v oids on ten tion, en- ourages lo alit y , and allo ws eien t linear aess. Soft w are at a higher lev el in terprets the logs to reonstrut the appliation state. In our ase, this is T elex, but it ould b e the appliation diretly . Multilogs do not imp ose an y unneessarily limitations. T elex is op en soure soft w are, a v ailable at gfo rge.inria.fr/p rojets/telex2 . A  kno wledgmen ts W e thank Abhishek Gupta, of Indian Institute of T e hnology Gu w ahati, for implemen ting m ultilogs during an in ternship at INRIA and for authoring the SW A appliation, and Zenon P erisé, of Univ ersitat Ob erta de Catalun y a, for authoring the Collab orativ e En vironmen t appliation. Referenes [1℄ An ton y Chazapis, Georgios T souk alas, Georgios V erigakis, K ornilios K ourtis, Aristidis Sotirop oulos, and Netarios K oziris. Global-sale p eer-to-p eer le servies with dfs. In GRID , pages 251258, 2007. [2℄ Ra hid Guerraoui, Mi hal Kapalk a, and Jan Vitek. STMBen h7: a b en hmark for soft w are transational memory . In Eur o. Conf. on Comp. Sys. (Eur oSys) , pages 315324, 2007. [3℄ James J. Kistler and M. Sat y anara y anan. Disonneted op eration in the Co da le system. A CM T r ans. on Comp. Sys. (TOCS) , 10(5):325, F ebruary 1992. [4℄ Puneet Kumar and M. Sat y anara y anan. Flexible and safe resolution of le onits. In Usenix T e h. Conf. , New Orleans, LA, USA, Jan uary 1995. [5℄ Leslie Lamp ort. Time, lo  ks, and the ordering of ev en ts in a distributed system. Communi-  ations of the A CM , 21(7):558565, July 1978. [6℄ A. Muthita haro en, R. Morris, T. Gil, and B. Chen. Ivy: A read/write p eer-to-p eer le system. In Symp. on Op. Sys. Design and Implementation (OSDI) , Boston, MA, USA, Deem b er 2002. Usenix. [7℄ Gérald Oster, P asal Urso, P asal Molli, and Ab dessamad Imine. Data onsisteny for P2P ollab orativ e editing. In Int. Conf. on Computer-Supp orte d Co op er ative W ork (CSCW) , pages 259268, Ban, Alb erta, Canada, No v em b er 2006. A CM Press. [8℄ Nuno Preguiça, Mar Shapiro, and J. Legatheaux Martins. Automating seman tis-based reoniliation for mobile transations. In CFSE'3 :  onfér en e fr ançaise sur les systèmes d'exploitation , pages 515524, La-Colle-sur-Loup, F rane, Otob er 2003. RR n ° 6546 28 Benmouok et al. [9℄ Nuno Preguiça, Mar Shapiro, and Caroline Matheson. Seman tis-based reoniliation for ollab orativ e and mobile en vironmen ts. In Int. Conf. on Co op. Info. Sys. (Co opIS) , v olume 2888 of L e tur e Notes in Comp. S. , pages 3855, Catania, Siily , Italy , No v em b er 2003. Springer-Verlag Gm bH. [10℄ P eter Reiher, John S. Heidemann, Da vid Ratner, Gregory Skinner, and Gerald J. P op ek. Resolving le onits in the Fius le system. In Usenix Conf. Usenix, June 1994. [11℄ Y asushi Saito and Mar Shapiro. Optimisti repliation. Computing Surveys , 37(1):4281, Mar h 2005. [12℄ Mar Shapiro, Karthik ey an Bharga v an, and Nishith Krishna. A onstrain t-based formalism for onsisteny in repliated systems. In Int. Conf. on Priniples of Dist. Sys. (OPODIS) , n um b er 3544 in Leture Notes in Comp. S., pages 331345, Grenoble, F rane, Deem b er 2004. [13℄ Mar Shapiro, Nuno Preguiça, and James O'Brien. Rus: mobile data sharing using a generi onstrain t-orien ted reoniler. In Conf. on Mobile Data Management , pages 146151, Berk e- ley , CA, USA, Jan uary 2004. [14℄ Chengzheng Sun, Xiaoh ua Jia, Y an h un Zhang, Y un Y ang, and Da vid Chen. A  hieving on- v ergene, ausalit y preserv ation, and in ten tion preserv ation in real-time o op erativ e editing systems. T r ans. on Comp.-Human Inter ation , 5(1):63108, Mar h 1998. [15℄ Pierre Sutra, João Barreto, and Mar Shapiro. Deen tralised ommitmen t for optimisti se- man ti repliation. In Int. Conf. on Co op. Info. Sys. (Co opIS) , Vilamoura, Algarv e, P ortugal, No v em b er 2007. [16℄ Douglas B. T erry , Alan J. Demers, Karin P etersen, Mik e J. Spreitzer, Marvin M. Theimer, and Bren t B. W el h. Session guaran tees for w eakly onsisten t repliated data. In Int. Conf. on Par a. and Dist. Info. Sys. (PDIS) , pages 140149, Austin, T exas, USA, Septem b er 1994. [17℄ Douglas B. T erry , Marvin M. Theimer, Karin P etersen, Alan J. Demers, Mik e J. Spreitzer, and Carl H. Hauser. Managing up date onits in Ba y ou, a w eakly onneted repliated storage system. In 15th Symp. on Op. Sys. Priniples (SOSP) , pages 172182, Copp er Moun tain, CO, USA, Deem b er 1995. A CM SIGOPS, A CM Press. INRIA Centre de recherche INRIA Paris – R ocqu encour t Domaine de V oluceau - Rocquencourt - BP 105 - 78153 Le Chesnay C edex (France) Centre de recherc he INRIA Bordeaux – S ud Ouest : Domaine Uni versita ire - 351, cours de la Libérat ion - 33405 T alence Ced ex Centre de recherc he INRIA Grenobl e – Rhône-Alpes : 655, avenu e de l’Europ e - 38334 Montbonnot Saint-Ismier Centre de recherc he INRIA Lille – Nord Europe : Pa rc Scientifique de la Haute Borne - 40, avenu e Hall ey - 59650 V illene uve d’Ascq Centre de recherc he INRIA Nanc y – Grand Est : L ORIA, T echnopôle de Nancy-Bra bois - Campus scientifique 615, rue du Jardin Botani que - BP 101 - 54602 V illers-lès-Na ncy Cede x Centre de recherc he INRIA Renne s – Bretagne Atlantique : IRISA, Campus univ ersitaire de Beaulieu - 35042 Rennes Cedex Centre de recherc he INRIA Sacla y – Île-de-France : Parc Orsay Uni versité - ZAC d es Vi gnes : 4, rue Jacques Monod - 91893 Orsay Cede x Centre de recherc he INRIA Sophia Antipolis – Méditerranée : 2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex Éditeur INRIA - Domaine de V olucea u - Rocquenc ourt, BP 105 - 78153 Le Chesnay Cede x (France) http://www.inria.fr ISSN 0249 -6399