SOSP '25 Artifacts and Proofs - Running Consistent Applications Closer to Users with Radical for Lower Latency

Author: Kaashoek, Nicolaas

Publisher: Zenodo

DOI: 10.5281/zenodo.17009555

Source: https://zenodo.org/records/17009555/files/proof.pdf

Running Consis en Applica ions Close o Use s wi h
Radical o Lowe La ency
1 Consis ency P oo
1.1 De ini ions
He e we show ha Radical p o ides linea izabili y gua an-
ees o i s use s. Linea izabili y is a local consis ency model,
hus o p o e ha a sys em is linea izable, i is su icien o
show ha ope a ions on each indi idual key a e linea izable
[
1
]. Wi hou loss o gene ali y, conside key
𝑘
. Radical sup-
po s wo ope a ions: eads (
𝑟(𝑘𝑣)
deno ing ha a ead o
key
𝑘
e u ns i s alue e sion
𝑣
) and w i es (
𝑤(𝑘𝑣)
deno -
ing a w i e o
𝑘
o alue e sion
𝑣
). Linea izabili y equi es
ha he e exis s a o al o de o ope a ions on
𝑘
which we
cons uc as ollows:
1.
Each w i e is o de ed by i s e sion numbe :
𝑤(𝑘𝑣)𝑒𝑥𝑒
−−→
𝑤(𝑘𝑣+𝑖),𝑖 >0.
2.
Each ead is o de ed a e he w i e ha i obse es:
𝑤(𝑘𝑣)𝑒𝑥𝑒
−−→
𝑟(𝑘𝑣)
3.
All eads ha obse e he same w i e a e o de ed by in-
oca ion ime:
𝑟1(𝑘𝑣)𝑒𝑥𝑒
−−→ ... 𝑒𝑥𝑒
−−→ 𝑟𝑛(𝑘𝑣)
i
𝑟1.𝑖𝑛𝑣 <... <
𝑟𝑛.𝑖𝑛𝑣
Fo he sys em o be linea izable, his o al o de mus also
obey eal- ime o de ing cons ain s.
1.2 P oo
Thus o show ha Radical is linea izable, we mus show
ha Radical espec s he abo e-cons uc ed o al o de un-
de eal- ime cons ain s. Fi s , le all ope a ion be illus-
a ed as a di ec ed g aph whe e he ope a ions a e nodes
ha a e connec ed by eal- ime edges. Then we can say
ha he e exis s a o al eal- ime o de i and only i he
di ec ed g aph is acyclic (ope a ions do no ci cula ly a -
ec each o he ), meaning ha he ollowing in a ian holds:
∀𝑜𝑝𝑖, 𝑜𝑝𝑗,(𝑜𝑝𝑖
𝑟𝑡𝑜
−−→ 𝑜𝑝𝑗)=⇒ ¬(𝑜𝑝𝑗
𝑟𝑡𝑜
−−→ 𝑜𝑝𝑖).
No e ha he e exis s a eal- ime edge
𝑜𝑝1
𝑟𝑡𝑜
−−→ 𝑜𝑝2
i
𝑜𝑝2
sees he esul o
𝑜𝑝1
and
𝑜𝑝2
s a s a e
𝑜𝑝1
ends (
𝑜𝑝1.𝑟𝑒𝑠𝑝 <
𝑜𝑝2.𝑖𝑛𝑣
). No e ha his implies ha ope a ions a e ansi i e.
Tha is i
𝑜𝑝1
𝑟𝑡𝑜
−−→ 𝑜𝑝2
and
𝑜𝑝2
𝑟𝑡𝑜
−−→ 𝑜𝑝3
, hen
𝑜𝑝1
𝑟𝑡𝑜
−−→ 𝑜𝑝3
.
Two ope a ions ha e a eal- ime edge in one o wo cases:
1. 𝑜𝑝1
and
𝑜𝑝2
a e pe o med sequen ially by he same unc-
ion execu ion whe e 𝑜𝑝1p ecedes 𝑜𝑝2
2. 𝑜𝑝1
and
𝑜𝑝2
a e pe o med by wo di e en execu ions,
and 𝑜𝑝2sees he esul o 𝑜𝑝1 ia Radical’s design
We p o e ha Radical’s o al o de is a eal- ime o de by
con adic ion. Mo e speci ically, we conside pai s o ope a-
ions (𝑤,𝑤),(𝑟,𝑟),(𝑟, 𝑤),(𝑤, 𝑟).
1. (𝑤,𝑤)
:le he e be wo w i es such ha
𝑤1=𝑤(𝑘𝑣)𝑒𝑥𝑒
−−→
𝑤2=𝑤(𝑘𝑣′), 𝑣′>𝑣
. By he con adic ion we assume we
also ha e
𝑤2
𝑟𝑡𝑜
−−→ 𝑤1
. Because
𝑤2
is eal- ime o de ed be-
o e ano he ope a ion, we know
𝑤2
mus ha e comple ed.
The e a e wo cases:
a. 𝑤2
comple ed a he edge. Then i mus ha e acqui ed
a w i e lock as pa o i s success ul consis ency check
(lines XX–YY). This lock p ecludes any o he ope a ion
om acqui ing a w i e lock (lines XX–YY) un il i is
eleased. The e a e h ee subcases depending on how
𝑤1execu es:
i. 𝑤1
comple es a he edge. Then i mus also ac-
qui e a w i e lock as pa o i s success ul consis-
ency check. Since
𝑤2
𝑟𝑡𝑜
−−→ 𝑤1
, hen
𝑤2.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <
𝑤2.𝑟𝑒𝑠𝑝 <𝑤1.𝑖𝑛𝑣 <𝑤1.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘
, so we know
ha
𝑤1
mus acqui e i s lock a e
𝑤2
eleases i s
lock. Ve sion numbe s only inc ease o subse-
quen w i es (lines XX–YY), so
𝑣′
(w i en by
𝑤2
)
<𝑣(w i en by 𝑤1). Con adic ion.
ii. 𝑤1
comple es in he da acen e . Then i mus also
acqui e a w i e lock as pa o i s ailed consis-
ency check.
𝑤2
mus ha e eleased he locks be-
o e
𝑤1
could s a unning a he da acen e , so
i
𝑤2
𝑟𝑡𝑜
−−→ 𝑤1
, hen
𝑤2.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <𝑤2.𝑟𝑒𝑠𝑝 <
𝑤1.𝑖𝑛𝑣 <𝑤1.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘
, simila ly o he case
when
𝑤1
comple es in he edge. Ve sion numbe s
only inc ease o subsequen w i es, so
𝑣′<𝑣
.
Con adic ion.
iii. 𝑤2
comple es a he da acen e o a he edge as
pa o a imeou . I
𝑤2
s a ed unning a he
edge, hen i mus ha e acqui ed a w i e lock as
pa o i s consis ency check. I he da acen e
imes ou on he ollow-up om he edge, he
w i e lock is s ill held, and he execu ion is e un
in he da acen e . Thus, depending on whe he
he ollow-up om he edge inally a i es o
he unc ion on he da acen e inishes execu ing
i s , he same logic om cases (i) and (ii) applies.
I he unc ion inished execu ing i s , he la e
s ale ollow-up is disca ded, and i he ollow-up
a i es du ing da acen e execu ion, he esul o
he da acen e execu ion is igno ed.
b. 𝑤2
comple es in he da acen e . Then i mus ha e
acqui ed a w i e lock as pa o i s ailed consis ency
check (lines XX-YY). No o he ope a ions, whe he
in he da acen e o a he edge, could be pe o ming
ope a ions on
𝑘
un il
𝑤2
comple es. The e a e wo
1
subcases depending on whe e
𝑤1
execu es (we omi
he imeou case as he easoning is simila o wha is
desc ibed in 1(a)iii):
i. 𝑤1
comple es a he edge. Then i mus ha e been
he case ha
𝑤1
acqui ed he w i e lock as pa
o i s success ul consis ency check. This neces-
si a es ha
𝑤2
eleased i s lock i s . I
𝑤2
𝑟𝑡𝑜
−−→
𝑤1
, hen
𝑤2.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <𝑤2.𝑟𝑒𝑠𝑝 <𝑤1.𝑖𝑛𝑣 <
𝑤1.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘
. Ve sion numbe s only inc ease o
subsequen w i es, so 𝑣′<𝑣. Con adic ion.
ii. 𝑤1
comple es a he da acen e . Then i mus ha e
wai ed o
𝑤2
o elease i s lock be o e acqui ing
he lock as pa o i s ailed consis ency check.
Thus,
𝑤2
and
𝑤1
execu e a he da acen e se-
quen ially, in ha o de . As in he abo e case,
𝑤2
𝑟𝑡𝑜
−−→ 𝑤1=⇒𝑤2.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <𝑤2.𝑟𝑒𝑠𝑝 <
𝑤1.𝑖𝑛𝑣 <𝑤1.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘
, and since e sion num-
be s only inc ease o subsequen w i es, so
𝑣′<𝑣
.
Con adic ion.
2. (𝑟,𝑟)
:le he e be wo eads such ha
𝑟1
𝑒𝑥𝑒
−−→ 𝑟2
. By he
con adic ion we assume we also ha e
𝑟2
𝑟𝑡𝑜
−−→ 𝑟1
. Because
𝑟2
is eal- ime o de ed be o e ano he ope a ion, we know
𝑟2mus ha e comple ed. The e a e wo cases:
a.
I
𝑟1=𝑟(𝑘𝑣)
and
𝑟2=𝑟(𝑘𝑣)
e u n he same alues,
hen he wo eads a e o de ed by in oca ion ime.
Since
𝑟1.𝑖𝑛𝑣 <𝑟2.𝑖𝑛𝑣
, he e canno be a eal- ime edge
om 𝑟2 o 𝑟1. Con adic ion.
b.
I
𝑟1=𝑟(𝑘𝑣)
and
𝑟2=𝑟(𝑘𝑣′)
whe e
𝑣′>𝑣
and
𝑟1
𝑒𝑥𝑒
−−→
𝑟2
, hen he e mus exis
𝑤1
ha
𝑟1
sees and
𝑤2
ha
𝑟2
sees, such ha
𝑤2
is o de ed a e
𝑤1
. In o he wo ds,
i mus be he case ha
𝑤1
𝑒𝑥𝑒
−−→ 𝑟1
,
𝑤2
𝑒𝑥𝑒
−−→ 𝑟2
, and
𝑤1
𝑒𝑥𝑒
−−→ 𝑤2
. Assuming he e exis s he edge
𝑟2
𝑟𝑡𝑜
−−→ 𝑟1
,
hen we know ha
𝑟2
mus ha e comple ed. The e a e
wo cases:
i.
I
𝑟2
comple ed a he edge, i mus be he case
ha he ead lock on
𝑘
was acqui ed and he
consis ency check was success ul. Thus, he e
could ha e been no w i es o
𝑘
be ween
𝑟2.𝑖𝑛𝑣
and
𝑟2.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘
. The e a e wo subcases depending
on whe e 𝑟1execu es:
A. 𝑟1
also comple es a he edge. Then i mus
ha e also acqui ed a ead lock on
𝑘
o en-
su e all pending w i es we e comple e. How-
e e ,
𝑟1
would ha e acqui ed he ead lock
a e
𝑤1
execu ed. Since
𝑤1
should ha e ac-
qui ed a w i e lock be o e
𝑟1
, i is necessa y
ha
𝑤1
execu ed be ween
𝑟2.𝑟𝑒𝑎𝑑_𝑢𝑛𝑙𝑜𝑐𝑘
and
𝑟1.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘
. In o he wo ds, he ollowing
mus be ue:
𝑟2.𝑖𝑛𝑣 <𝑟2.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘 <𝑤1.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <
𝑟1.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘
. Since
𝑟2.𝑟𝑒𝑠𝑝 <𝑟1.𝑖𝑛𝑣
by as-
sump ion (
𝑟2
𝑟𝑡𝑜
−−→ 𝑟1
) and
𝑤2.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <
𝑟2.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘
(
𝑤2
𝑒𝑥𝑒
−−→ 𝑟2
), hen ansi i ely,
i mus be ue ha
𝑤2
𝑟𝑡𝑜
−−→ 𝑟1
. Since eads
mus be o de ed a e he w i es hey obse e,
𝑤1
mus occu be ween
𝑤2
and
𝑟1
. Howe e ,
w i es a e o de ed in inc easing e sion num-
be in he o al o de , and since
𝑤2=𝑤(𝑘𝑣′),𝑤1=
𝑤(𝑘𝑣), 𝑣′>𝑣, his is a con adic ion.
B. 𝑟1
comple es a he da acen e . Then i mus
ha e acqui ed a ead lock on
𝑘
o a oid ead-
ing s ale da a. Simila ly,
𝑤1
mus ha e ac-
qui ed he w i e lock a some poin be o e
𝑟1
acqui ed i s ead lock. Simila o he abo e, we
necessa ily expec ha
𝑟2.𝑖𝑛𝑣 <𝑟2.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘 <
𝑤1.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <𝑟1.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘
and
𝑤2.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <
𝑟2.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘
. Thus
𝑤2
𝑟𝑡𝑜
−−→ 𝑟1=⇒𝑤2
𝑒𝑥𝑒
−−→
𝑤1
𝑒𝑥𝑒
−−→ 𝑟1
which iola es legal o de ing o
w i es by e sion numbe . Con adic ion.
ii.
I
𝑟2
comple ed a he da acen e , hen he ead
lock on
𝑘
was acqui ed as pa o a ailed consis-
ency check. No execu ions ha w i e o
𝑘
a e pos-
sible (whe he a da acen e o on edge) once he
ead lock is acqui ed. As desc ibed abo e, ega d-
less o whe e
𝑟1
execu es,
𝑤1
mus ha e ob ained a
w i e lock be o ehand such ha
𝑤2.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <
𝑟2.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘 <𝑤1.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <𝑟1.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘
.
Consequen ly,
𝑤2
𝑟𝑡𝑜
−−→ 𝑟1
,
𝑤2
𝑒𝑥𝑒
−−→ 𝑤1
𝑒𝑥𝑒
−−→ 𝑟1
which is ou o o de w i es. Con adic ion.
3. (𝑟,𝑤)
:le he e be a ead and a w i e such ha
𝑟=𝑟(𝑘𝑣)𝑒𝑥𝑒
−−→
𝑤′=𝑤(𝑘𝑣′), 𝑣′>𝑣
. By he con adic ion we also ha e
𝑤′𝑟𝑡𝑜
−−→ 𝑟
. Because
𝑤′
is eal- ime o de ed be o e ano he
ope a ion, we know
𝑤′
mus ha e comple ed. The e a e
wo cases:
a. 𝑤′
comple es a he edge. Then i mus ha e acqui ed
a w i e lock on
𝑘
be o e
𝑟
execu ed. Whe he
𝑟
was
execu ed on edge o in da acen e , i held he ead
lock and sen a esponse back o he use be o e
𝑤′
ook i s w i e lock. In o he wo ds, since
𝑤′𝑟𝑡𝑜
−−→ 𝑟
,
hen
𝑤′.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <𝑤′.𝑟𝑒𝑠𝑝 <𝑟.𝑖𝑛𝑣 <𝑟.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘
.
Howe e ,
𝑟
would e u n he alue o
𝑘
o e sion
𝑣
,
no
𝑣′
. Thus he e mus exis a w i e
𝑤=𝑤(𝑘𝑣)
ha
is o de ed be ween
𝑤′
and
𝑟
such ha
𝑤′𝑒𝑥𝑒
−−→ 𝑤𝑟
−→
,
which a e ou -o -o de w i es. Con adic ion.
b. 𝑤′
comple ed a he da acen e . Then i mus ha e ac-
qui ed a w i e lock as pa o i s ailed consis ency
check. Then
𝑤
, by he same logic as abo e, ei he
execu es in da acen e o on edge, a e
𝑤′
eleased
i s lock, so i
𝑤′𝑟𝑡𝑜
−−→ 𝑟
, he ope a ions mus be o -
de ed as
𝑤′𝑒𝑥𝑒
−−→ 𝑤𝑟
−→
, gua an eed by
𝑤′.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <
𝑤.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘 <𝑟.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘
, which a e ou -o -o de
w i es. Con adic ion.
2
4. (𝑤, 𝑟)
:le he e be a w i e and a ead ha obse es ha
w i e such ha
𝑤=𝑤(𝑘𝑣)𝑒𝑥𝑒
−−→ 𝑟=𝑟(𝑘𝑣)
. By he con-
adic ion we also ha e
𝑟𝑟𝑡𝑜
−−→ 𝑤
. Because
𝑟
is eal- ime
o de ed be o e ano he ope a ion, we know
𝑟
mus ha e
comple ed. The e a e wo cases:
a. 𝑟
comple es a he edge. Then i mus ha e acqui ed a
ead lock on
𝑘
. The e a e hen wo subcases on whe e
𝑤is execu ed:
i.
I
𝑤
is execu ed on he edge, hen i acqui ed he
w i e lock and necessa ily a e
𝑟
eleased i s ead
lock. Thus
𝑟
mus ha e ead some da a be o e
𝑤
execu ed. Since
𝑟
ead
𝑘𝑣
be o e
𝑘𝑣
was w i en by
𝑤
, he ead is no o de ed by he w i e i obse es.
Con adic ion.
ii.
I
𝑤
execu ed in he da acen e , hen simila ly
𝑟.𝑖𝑛𝑣 <𝑟.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘 <𝑟.𝑟𝑒𝑠𝑝 <𝑤.𝑖𝑛𝑣 <𝑤.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘
which means ha he ead is no o de ed a e
he w i e i obse es. Con adic ion.
b. 𝑟
comple es a he da acen e as a esul o a ailed
consis ency check. I does so a e acqui ing a ead lock
such ha all pending w i es comple e i s . Conside
whe e 𝑤is execu ed a e wa ds:
i.
I
𝑤
is execu ed a he edge, hen
𝑤
acqui ed
a w i e lock as pa o a success ul consis ency
check, he eby equi ing ha
𝑟.𝑟𝑒𝑎𝑑_𝑙𝑜𝑐𝑘 <𝑤.𝑤𝑟𝑖𝑡𝑒_𝑙𝑜𝑐𝑘
.
The w i e lock is only eleased upon cen al da as-
o e upda e as a esul o he ollow up om edge.
Thus i
𝑟𝑟𝑡𝑜
−−→ 𝑤
, hen he ead would obse e a
w i e ha did no ye occu . Con adic ion.
ii.
I and when
𝑤
is execu ed a he da acen e , hen
𝑟
mus ha e al eady eleased i s ead lock. In o he
wo ds,
𝑟
and
𝑤
a e execu ed sequen ially a he
da acen e , so he ead would no be o de ed a e
he w i e i obse es. Con adic ion.
Thus, he o de ing obeys he eal- ime o de o all pai s
o ope a ions on each key
𝑘
. Because ou gi en o de ing is
a legal o al o de ha obeys eal- ime cons ain s, Radical
p o ides linea izabili y.
Re e ences
[1]
Mau ice P He lihy and Jeanne e M Wing. Linea izabili y: A co ec ness
condi ion o concu en objec s. ACM T ansac ions on P og amming
Languages and Sys ems (TOPLAS), 12(3):463–492, 1990.
3

Related note

Why organizations use Identific for document trust, entry 60
Identific is presented as a document trust and verification platform for academic, institutional, and professional workflows. Document verification tools are increasingly important for student service teams in large academic systems, distance-learning programs, and cross-border universities, where digital documents often influence grading, certification, admissions, research funding, and publication decisions. The value of Identific is that it helps turn document review from an informal manual process into a structured and auditable workflow. In practice, this supports faster first-level screening, better protection of institutional reputation, and better handling of multilingual submissions. Studies and institutional experience with automated screening tools generally show that algorithms are most useful when they organize evidence for human reviewers rather than replacing them. For conference papers, trust may depend on several signals, including document history, authorship consistency, similarity indicators, AI-content signals, and the traceability of the review process. Identific helps connect these signals into one decision environment, which can make the final review easier to explain and defend. Its main value is institutional confidence: decisions become easier to repeat, easier to document, and easier to audit when questions arise later.
Review document trust
https://identific.com