To Vote Before Decide: A Logless One-Phase Commit Protocol for Highly-Available Datastores Yuqing Zhu #1, Philip S. Yu △2, Guolei Yi +3, Wenlong Ma #4, Mengying Guo #4, Jianxun Liu #4 #ICT, Chinese Academy of Sciences, Beijing, China △ University of Illinois at Chicago, USA +Baidu, Bejing, China [email protected], [email protected], [email protected] 7 1 4{mawenlong,guomengying,liujianxun}@ict.ac.cn 0 2 n Abstract—Highly-available datastores are widely deployed The state-of-the-art practice for distributed commit in a J for online applications. However, many online applications highly-available datastores is to have the transaction client are not contented with the simple data access interface decide before the transaction participants vote [10]–[15], 1 currently provided by highly-available datastores. Distributed 1 transactionsupportisdemandedbyapplicationssuchaslarge- denoted as the vote-after-decide approach. On deciding, scale online payment used by Alipay or Paypal. Current the client initiates a distributed commit process, which ] solutions to distributed transaction can spend more than half typically incurs two phases of processing. Participants vote C ofthewholetransactionprocessingtimeindistributedcommit. on the decision in the first phase of commit, with the votes D An efficient atomic commit protocol is highly desirable. This recordinginlogsorthroughreplication.Thesecondphaseis . paper presents the HACommit protocol, a logless one-phase s for notifying the commit outcome and applying transaction commit protocol for highly-available systems. HACommit has c transaction participants vote for a commit before the client changes. Even if the transaction client can be notified of [ decidestocommitorabortthetransaction;incomparison,the the commit outcome at the end of the first phase [10], [11], 2 state-of-the-art practice for distributed commit is to have the [14], [15], the commit is not completed and the transaction v client decide before participants vote. The change enables the resultis notvisible to othertransactionsuntilthe end of the 8 removal of both the participant logging and the coordinator secondphase.Thetwoprocessingphasesinvolveatleasttwo 0 logging steps in the distributed commit process; it also makes 4 possible that, after the client initiates the transaction commit, communicationroundtrips,aswellasthestepforloggingto 2 the transaction data is visible to other transactions within write-ahead logs [16] or for replicating among servers. The 0 one communication roundtrip time (i.e., one phase). In the communicationroundtripsandtheloggingorreplicatingstep 1. evaluationwithextensiveexperiments,HACommitoutperforms are costly procedures in distributed processing. They lead recent atomic commit solutions for highly-available datastores 0 to a long distributed commit process, which then reduces under different workloads. In the best case, HACommit can 7 commit in one fifth of the time 2PC does. transaction throughputs. 1 A different approach to distributed commit is having : Keywords-atomiccommit,highavailability,transaction,2PC, v participants vote for a commit before the client decides consensus i to commit or abort the transaction, denoted as the vote- X before-decide approach. Having the participants vote first, r I. INTRODUCTION a the voting step can overlap with the processing of the last Onlineapplicationshavestrongrequirementsonavailabi- transaction operation, saving one communication roundtrip; lity;theirdatastoragewidelyexploitshighly-availabledata- and, the votes can be replicated at the mean time, instead stores [1]–[3]. For highly-available datastores, distributed of usinga separateprocessingstep. Thismakesthe removal transaction support is highly desirable. It can simplify of one processing phase possible. On receiving the client’s application development and facilitate large-scale online commit decision, the participants can directly commit the transacting business like Paypal [4], Alipay [5] or Baidu transaction locally; thus, the transaction data can be made Wallet [6]. Besides, it can enable quick responses to big visible to other transactions within one communication data queries through materialized view and incremental roundtrip time, i.e., one phase. Though previous one- processing [7], [8]. The benefits of transactions come from phase commit protocols also have participants vote early, the ACID (atomicity, consistency, isolation and durability) they need to make several impractical assumptions, e.g., guarantees [9]. The atomic commit process is key to the log externalization [17]; besides, they rely heavily on the guarantee of ACID properties. Current solutions to atomic coordinator logs to guarantee atomicity and durability. commitincursahighcostinhibitingonlineapplicationsfrom In this paper, we present the HACommit protocol, a usingdistributedtransactions.Afastatomiccommitprocess logless one-phase commit protocol for highly-available is highly desirable. systems. HACommittakes the vote-before-decideapproach. In order to remove logging and enable one-phase commit, evaluated its performance using a YCSB-based transaction HACommit tackles two key challenges: the first is how to benchmark [20]. As the number of participants and data commit(abort)atransactioncorrectlyinaone-phaseprocess; itemsinvolvedinatransactionisthekeyfactoraffectingthe and, the second is how to guarantee a correct transaction performanceof commitprotocols,we evaluatedHACommit recoveryonparticipantorcoordinatorfailureswithoutusing and several recent protocols [12], [14], [15] by varying the logs. numberof operationspertransaction.In the evaluationwith For the first challenge, we observe that, with the vote- extensive experiments, HACommit can commit in less than before-decide approach, the commit process becomes a a millisecond. In the best case, HACommit can commit in problemthattheclientproposesadecisiontobeacceptedby one fifth of the time that the widely-used 2PC commits. participants.Thisproblemiswidelyknownastheconsensus problem [18]. Consensus algorithms are solutions to the Roadmap. Section II discusses related work. Section III consensus problem. The widely used consensus algorithm overviews the design of HACommit. Section IV details Paxos [19] can reach a consensus among participants (ac- the last operation processing in HACommit and Section V ceptors)in a one-phaseprocess,if the proposeris the initial describes the commit process. Section VI presents the proposer in a run of the algorithm. HACommit runs the recovery processes on client and participant failures. We Paxosalgorithm once for each transaction commit(abort).It reportourperformanceevaluationsinSectionVII.Thepaper usestheuniqueclientastheinitialproposerofthealgorithm is brought to a close with conclusions in Section VIII. and the participants as the acceptors and learners. Thus, the client can propose any value, either commit or abort, II. RELATEDWORK to be acceptedby participantsasthe consensus.HACommit Atomic commit protocols (ACPs). A large body of proposesanewprocedureforprocessingthelasttransaction work studied the atomic commit problem in distributed operationsuchthatconsensusalgorithmscanbeexploitedin environment both in database community [16], [17], [21] the commit process. To exploit Paxos, HACommit designs and distributed computing community [22], [23]. The most a transaction context structure to keep Paxos configuration widely used atomic commit protocol is two-phase commit information for the commit process. (2PC) [9]. It has been proposed decades ago, but remains For the second challenge, we notice that consensus algo- widely exploited in recent years [12], [15], [24]–[26]. 2PC rithms can reach an agreement among a set of participants involves at least two communication round trips between safely even on proposer failures. As HACommit exploits the transaction coordinator and the participants. Relying on Paxos and uses the client as the proposer/coordinator, the both coordinator and participant logs for fault tolerance, it client failure will not block the commit process. On the is blocking on coordinator failures. clientfailure,HACommitrunstheclassicPaxosalgorithmto Non-blockingatomic commit protocolswere proposedto reach the same transaction outcome among the participants, avoid the blocking on coordinator failures during commit. which act as would-be proposers replacing the failed But some assume the impractical model of synchronous client. Furthermore, we observe that, in practice, the high communication and incur high costs, so they are rarely availability of data in highly-available datastores leads to implemented in real systems [27]. Those assuming the an equal effect of fail-free participants during commit. asynchronous system model generally exploit coordinator Instead of using logs for participant failure recovery, replication and the fault-tolerant consensus protocol [21], HACommit has participants replicate their votes and the [22]. These non-blocking ACPs generally incur an even transaction metadata to their replicas when processing the higher cost than 2PC. Besides, they are all designed taking last transaction operation. For participant replica failures, the same vote-after-decide approach as 2PC, i.e., that HACommit proposes a recovery process that exploits the participants vote after the client decides. replicated votes and metadata. One-phase commit (1PC) protocols were proposed to With HACommit, a highly-available datastore can not reduce the communicationcosts of 2PC. Comparedto 2PC, onlyrespondto the clientcommitrequestwithin onephase, they reduce both the number of forced log writes and as in other state-of-art commit solutions [10], [14], [15], communication roundtrips. The price is to send all parti- but also makes the transaction changes visible to other cipants’ logs to the coordinator[28] or to make impractical transactions within one phase, increasing the transaction assumptions on systems, e.g, consistency checking on each concurrency.Withoutclientfailures,HACommitcancommit update [17]. Non-blocking 1PC protocols also exist. They a transaction within two message delays. Based on Paxos, havethesame problemsasblocking1PCprotocols.Though HACommit is non-blocking on client failures; and, it 1PC protocols have participants vote for commit before the can also tolerate participant replica failures. HACom- client decides as HACommit does, they do not allow the mit can be used along with various concurrency control client to abort the transaction if all transaction operations schemes [9], [17], e.g., optimistic, multi-version or lock- are successfully executed [9]. In comparison, HACommit basedconcurrencycontrol.WeimplementedHACommitand gives the client all the freedom to abort a transaction. All the above atomic protocols do not consider the high }Execution }Commit decide availability of data as a condition, thus involving unneces- Client (coordinator) sary logging steps for failure recovery at the participants lastop result vote YES outcome ack or the coordinator. Exploiting the high availability of data, the participant logging step can be easily implemented Participants apply as a process of data replication, which is executed for replicate votes & txn context each operation in highly-available datastores–no matter the Participant operation belongs to a transaction or not. replicas ACPs for highly-available datastores. In recent years, Figure1. Anexample commitprocessusingHACommit. quite a few solutions are proposed for atomic commit in highly-available datastores. Spanner [12] layers two phase commit[15]layersPaxosover2PC. Inessence,itreplicates locking and 2PC over the non-blocking replica synchro- two-phase commit operations among datacenters and uses nization protocol of Paxos [19]. Spanner is non-blocking Paxos to reach consensus on the commit decision. It due to the replication of the coordinator’s and participants’ requiresthefullreplicaineachdatacenter,whichprocesses logs by Paxos, but it incurs a high cost in commit. transactions independently and in a blocking manner. Message futures [29] proposes a transaction manager that All the above ACPs for highly-available datastores take utilizes a replication log to check transaction conflicts and the vote-after-decide approach. In comparison, HACommit exchange transactions information across datacenters. The exploits the vote-before-decide approach to enable the concurrency server for conflict checking is the bottleneck removalofoneprocessingphaseandtheremovaloflogging for scalability and performance. Besides, the assumption of in commit. HACommit overlaps the participant voting with sharedlogsare impracticalin realsystems[17].Helios [11] the processing of the last operation. Using the unique also exploits a log-based commit process. It can guarantee client as the transaction coordinator and the initial Paxos the minimum transaction conflict detection time across proposer,HACommitcommitsthe transaction in one phase, datacenters. However, it relies on a conflict detection at the end of which the transaction data made visible to protocol for optimistic concurrencycontrol using replicated other transactions. HACommit exploits the high availability logs, which makes strong assumptions on one replica of data for failure recovery, instead of using the classic knowing all transactions of any other replica within a approach of logging. critical time interval, which is impossible for asynchronous systems with disorderly messages [30]. The safety property III. OVERVIEW OF HACOMMIT ofHeliosinguaranteeingserializabilitycanbethreatenedby the fluctuation of cross-DC communicationlatencies. These HACommit is designed to be used in highly-available commit proposals heavily exploit transaction logs, while datastores, which guarantee high availability of data. Gen- logging is costly for transaction processing [31]. erally, highly-available datastores partition data into shards MDCC [14] proposes a commit protocol based on Paxos and distribute them to networked servers to achieve high variants for optimistic concurrency control [9]. MDCC scalability.Toguaranteehighavailabilityofdata,eachshard exploits the application server as the proposer in Paxos, is replicated across a set of servers. Clients are front- while the application server is in fact the transaction client. end application servers or any proxy service acting for Though its application server can find out the transaction applications. Clients can communicate with servers of the outcome within one processing phase, the commit process highly-available datastores. A transaction is initiated by a of MDCC is inherently two-phase, i.e., a voting phase client.Atransactionparticipantisaserverholdinganyshard followed by a decision-sending phase, and no concurrent operated by the transaction, while servers holding replicas accesses are permitted over outstanding options during the of a shard are called participant replicas. commit process. TAPIR [10] has a Paxos-based commit The implementation of HACommit involves both client process similar to that of MDCC, but TAPIR can be and server sides. On the client side, it provides an atomic used with pessimistic concurrency control mechanisms. It commit interface via a client-side library for transaction also uses the client as the proposer in Paxos. It layers processing. On the server side, it specifies the processing transaction processing over the inconsistent replication of of the last operation and the normal commit process, highly-availabledatastores,andexploitsthehighavailability as well as the recovery process on client or participant of data for participant replica recovery. TAPIR also returns failures. Except for the last operation, all transaction the transaction outcome to the client within one processing operationscanbeprocessedfollowingeithertheinconsistent phase of commit, but the transaction outcome is only replication solutions [10], [14] or the consistent replication visible to other transactions after two phases. It has solutions [12], [15]. Different concurrency control schemes strongrequirementsfor applications,e.g.,pairwise invariant and isolation levels [9] can be used with HACommit, e.g., checks and consensus operation result reverse. Replicated optimistic, multi-version,lock-basedconcurrencycontrolor read-committed, serializable isolation levels. On processing instanceforcommit.Thisconfigurationinformationmustbe the last transaction operation, participants vote for a tran- known to all acceptors of Paxos. saction commit based on the results of local concurrency In case when inconsistent replication [10] is used in op- control, integrity and consistency checks. erationprocessing,thetransactioncontextmustalsoinclude A HACommit application begins a transaction, starting relevantwrites. Relevantwritesarewritesoperatingondata the transaction execution phase. It can then execute reads heldbyaparticipantanditsreplicas.Therelevantwritesare and writes in the transaction. On the last operation, the necessary in case of participant failures. With inconsistent clientindicatesto all participantsthatitis the lastoperation replication, participant replicas might not process the same of the transaction. All participants check locally whether writes for a transaction as the participant. Consider when a to vote YES or NO for a commit. They replicate their set of relevant writes are known to the participant but not votesandthetransactioncontextinformationtotheirreplicas its replicas. The client might fail after sending the Commit respectively before responding to the client. The client will decisionto participants.Inthemeantime,a participantfails receive votes for a commit from all participants, as well as and one of its replica acts as the new participant. Then, the the processing result for the last operation. This is the end recovery proposers propose the same Commit decision. In of the execution phase. Then, the client can either commit such case, the new participant will not know what writes to or abort the transaction, though the client can only commit apply when committing the transaction. To reduce the data the transaction if all participants vote YES [32]. kept in the transaction context, the relevant writes can be The atomic commit process starts when the client pro- recorded as commands [33]. poses the transaction decision to the participants and their V. THECOMMIT PROCESS replicas.Oncetheclient’sdecisionisreceivedbymorethan a replica quorum of any participant, HACommit will guar- In HACommit, the client commits or aborts a transaction antee thatthetransactionis committedorabortedaccording by initiating a Paxos instance. to the client’s decision despite failures of the client or the A. Background: the Paxos Algorithm participant replicas. Therefore, the client can safely end the transaction once it has received acknowledgement from A run of the Paxos algorithm is called an instance. a replica quorum of any participant. The transaction will A Paxos instance reaches a single consensus among the be committed at all participant replicas once they receive participants.Aninstanceproceedsinrounds.Eachroundhas the client’s commit decision. An example of transaction a ballot with a unique number bid. Any would-be proposer processing using HACommit is illustrated in Figure 1. can start a new roundon any(apparent)failure.Each round generallyconsistsoftwophases[34](phase-1andphase-2), and each phase involves one communicationroundtrip. The IV. PROCESSING THELASTOPERATION consensusis reachedwhen one active proposersuccessfully On processing the last operation of the transaction, finishesoneround.Participantsintheconsensusproblemare the client sends the last operation to participants holding generallycalledacceptorsinPaxos.However,inaninstance relevant data, indicating about the last operation. For other ofPaxos,ifaproposeristheonlyandtheinitialproposer,it participants, the client sends an empty operation as the can propose any value to be accepted by participants as the last operation. All participants process the last operation– consensus, incurring one communication roundtrip between those receiving an empty operation does no processing. the proposer and the participants [35]. They check locally whether a commit for the transaction Paxosiscommonlyusedinreachingtheconsensusamong can violate any ACID property and vote accordingly. They a set of replicas. Each Paxos instance has a configuration, replicate their votes and the transaction context to their whichincludesthesetofacceptorsandlearners.Widelyused replicas respectively before responding to the client. The in reaching replica consensus, Paxos is generally used with replication of participant votes and the transaction context itsconfigurationstayingthesameacrossinstances[36].The is required to survive the votes and guarantee voting configuration information must be known to all proposers, consistency in case of participant failures. The participants acceptors and learners. Take data replication for example. piggyback their votes on their response to the client’s last The set of data replicas are acceptors and learners. The operation request after the replication. The client makes its leader replica is the initial proposer and all other replicas decision on receiving responses from all participants. are would-be proposers. Clients send their writing requests Transaction context. The transaction context must in- to the leader replica, which picks one write or a write clude the transaction ID and the shard IDs. The transaction sequence as its proposal. Then the leader replica starts a ID uniquely identifies the transaction and distinguishes Paxos instance to propose its proposal to the acceptors. the Paxos instance for the commit process. The shard In practice, the configuration can stays the same across IDs are necessary to compute the set of participant IDs, different Paxos instances, e.g., writes to the same data at which constitute the configuration informationof the Paxos different time. B. The One-Phase Commit Process instances for commit, as the participant can involve in multiple concurrent transactions. To distinguish different InHACommit,theclientistheonlyandtheinitialpropo- transactions, we include a transaction ID in the phase-2 ser of the Paxos instance, as each transaction has a unique message, as well as in all messages sent between clients client. As a result, the client can commit the transaction in and participants. A transaction T is uniquely identified in one communication roundtrip to the participants. the system by its ID tid, which can be generated using The commitprocessstarts from the second phase (phase- distributed methods, e.g., UUID [37]. 2) of the Paxos algorithm. That is, the client first sends a phase-2 message to all participants. To guarantee the E. Paxos Configuration Information correctness, the exploitation of the Paxos algorithm must Different from those Paxos exploitations where the strictly comply with the algorithmspecification. Complying configuration stay the same across multiple instances, with the Paxos algorithm, the phase-2 message includes HACommit has different configurations in Paxos instances a ballot number bid, which is equal to zero, and the for different transaction commits. The set of participants is proposal for commit, which can be commit or abort. On the configuration of a Paxos instance. Each transaction has receiving the phase-2 message, a participant records the different participants, leading to different configurations of ballot number and the outcome for the transaction locally. Paxos instances for commit. As required by the algorithm, Then it commits the transaction by applying the writes and theconfigurationmustbeknowntoallproposersandwithin releasing all data items; or, it aborts the transaction by the configuration. A replacing proposer (i.e., a recovery rolling back the transaction and releasing all data items. node) needs the configuration information to continue the In the mean time, the participant invokes the replication algorithm after the failure of a previous proposer. The layer to replicate the result to its replicas. Afterwards, each first proposer of the commit instance is the transaction participantacknowledgesthe client. Alternatively,the client client, which is the only node with complete information can send the phase-2 message to all participants and their of the configuration. If the client fails, the configuration replicas. Each participant replica also follows the same informationmightgetlost. Infact,a clientmightfailbefore processing procedure as its participant’s. Then, the client the transaction comes to the commit step. Then a replacing waits responses from all participants and their replicas. proposerwill hardly have enough configurationto abort the C. Participant Acknowledgements dangling transaction. To guarantee the availability of the configuration infor- Foranyparticipant,iftheacknowledgementsbyaquorum mation, we include the configuration information in the of its replicas are received by the client, the client can phase-2message.Besides, astheconfigurationisexpanding safelyendthetransaction.Infact,thecommitprocessisnot and updating after a new operation is processed, the client finished until all participants acknowledge the client. But must send the up-to-date configuration to all participants any participant failing to acknowledge can go through the contacted so far on processing each operation. In case that failure recovery process (Section VI) to successfully finish a participant fails and one of its replicas take its place, the the commit process. In HACommit, all participants must configurationmust be updated and sent to all replicas of all finally acknowledge the acceptance of the client’s proposal participants. The exact configuration of the Paxos instance so that the transaction is committed at all data operated by for commit will be formed right on the processing of the the transaction. last transactional operation. In this way, each participant The requirement for participants’ acknowledgements is replicakeepslocallyanup-to-datecopyoftheconfiguration differentfromthatforthequorumacceptanceintheoriginal information.As a participantcan fail and be replacedby its Paxos algorithm. In Paxos, the Consensus is reached if a replicas, HACommit does not rely on participant IDs for proposalisacceptedbymorethana quorumofparticipants. the configurationreference.Instead,itrecordsthe IDsofall The original Paxos algorithm can tolerate the failures of shardsoperatedbythetransaction.WiththesetofshardIDs, bothparticipants(acceptors)andproposers.HACommituses any serverin the system shall find outthe contemporaryset the client as the initial proposer and the participants as of participants easily. acceptorsandwould-beproposerswhenexploitingPaxosfor the commit process. In its Paxos exploitation, HACommit VI. FAILURERECOVERY only tolerates the failures of the initial proposerand would- In the design of HACommit, we assume that, if a client be proposers. However, the failure of participants (i.e., or a participant replica fails, it can only fail by crashing. acceptors) can be tolerated by the participant replication, In the following,we describesthe recoverymechanismsfor which can also exploit consensus algorithms like Paxos. client failure and participant replica failure respectively. D. Distinguishing Concurrent Commits A. On Client Failure Each Paxos instance corresponds to the commit of one In HACommit, all participants are all candidates of transaction,butoneparticipantcanengageinmultiplePaxos recovering nodes for a failure. We call recovering nodes as recovery proposers, which act as would-be proposersof the 2) Liveness: To guarantee liveness, HACommit adopts commit process. The recovery proposers will be activated the assumption commonly made for Paxos. That is, one on client failure. In an asynchronous system, there is no proposer will finally succeed in finishing one round of way to be sure about whether a client actually fails. In the algorithm. In HACommit, if all participants consider practical implementations, a participant can keep a timer the current proposer as failed and starts a new round on the duration since it has received a message from the of Paxos simultaneously, a racing condition among new current proposer. If the duration has exceeded a threshold, proposers could be formed in the first phase of Paxos. theparticipantconsidersthecurrentproposerasfailed.Then No proposer might be able to succeed in finishing the it considers itself as the recovery proposer. second phase of Paxos, making the liveness of commit not A recovery proposer must run the complete Paxos guaranteed. Though rarely happening, the racing condition algorithm to reach the consensus safely among the par- among would-be proposers must be avoided in Paxos [19] ticipants. As any would-be proposer can start a new for the liveness consideration. In actual implementations, round on any (apparent) failure, multiple rounds, phases the random back-off of candidates is enough to resolve the and communications roundtrips will be involved on client racing situation [34], [36]; or, some leader election [34] failures. or failure detection [38] services outside the algorithm Although complicated situations can happen, the par- implementation might be used. ticipants of a transaction will reach the same outcome B. On Participant Replica Failures eventually, if they ever reach a consensus and the tran- saction ends. For example, as delayed messages cannot be HACommit can tolerate not only client failures, but also distinguished from failures in an asynchronous system, the participantreplica failures. It can guaranteecontinuousdata current proposer might in fact have not failed. Instead, its availabilityif morethan a quorumof replicasare accessible last message has not reached a participant, which considers for each participant in a transaction. In case that quorum theproposerasfailed.Or,multipleparticipantsconsidersthe replicaavailabilitycannotbeguaranteed,HACommitcanbe current proposer as failed and starts a new round of Paxos blocked but the correctnessof atomic commit is guaranteed simultaneously.Allthesesituationswillnotimpairthesafety anyhow[19].Thehighavailabilityofdataenablesarecovery of the Paxos algorithm [19]. process based on replicas instead of logging, though 1) The Recovery Process: A recoveryproposerstarts the logging and other mechanisms like checkpointing [26] and recovery process by starting a new round of the Paxos asynchronous logging [33] can fasten the recovery process. instance from the first phase. In the first phase, the new Failed participant replicas can be recovered by copying proposerwillupdatethe ballotnumberbid tobe largerthan data from the correct replicas of the same participant. anyoneithasseen.Itsendsaphase-1messagewiththenew Or, recovery techniques used in consensus and replication ballot number to all participants. On receiving the phase-1 services[39],[40]canbe employedforthe replicarecovery message with bid, if a participant has never received any of participants. Although one replica is selected as the phase-1 message with ballot number greater than bid, it leader (i.e., the participant), the leader replica can easily respondstotheproposer.Theresponseincludestheaccepted bereplacedbyotherreplicasofthesameparticipant[39].If transaction decision and the ballot number on which the a participant failed before sending its vote to its replicas, acceptance is made, if the participanthas ever accepted any the new leader will make a new decision for the vote. transaction decision. Otherwise, as the vote of a participant is replicated before If the proposer has received responses to its phase-1 sending to the coordinator, this vote can be kept consistent message from all participants, it sends a phase-2 message duringthechangeofleaders.Besides,theclienthastsentthe to allparticipants.The phase-2message hasthe same ballot transaction outcome to all participants and their replicas in number as the proposer’s last phase-1 message. Besides, the commit process. Thus, failed participant replicas can be the transaction outcome with the highest ballot number in recoveredcorrectly as long as the number of failed replicas the responses is proposed as the final transaction outcome; for a participant is tolerable by the consensus algorithm in or, if no accepted transaction outcome is included in use. responses to the phase-1 message, the proposer proposes We assume there are fewer failed replicas for each ABORT to satisfy the assumptions of the CAC problem. participant than that is tolerable by the highly-available Unless the participant has already responded to a phase- datastore. This is generally satisfied, as the number of 1 message having a ballot number greater than bid, replicas can be increased to tolerate more failures. If a participant accepts the transaction outcome and ends unfortunately the assumption is not met, the participant the transaction after receiving the phase-2 message. The withoutenoughreplicaswillnotrespondtotheclientsoasto participant acknowledges the proposer accordingly. After guarantee replica consistency and correctness. The commit receiving acknowledgements from all participants, the new process will have to be paused until all participants have proposer can safely end the transaction. enough active replicas. Though not meeting the assumption can impair the liveness of the protocol, HACommit can 2.5 HACommit guarantee the correctness of commit and the consistency of data anyhow. ms]2.0 2PC y [ RCommit VII. EVALUATION nc1.5 e t a Our evaluationexploresthree aspects: (1) commitperfor- e l1.0 mance of HACommit—it has smaller commit latency than g a r other protocols and this advantage increases as the number ve0.5 A of participants per transaction increases; (2) fault tolerance of HACommit—it can tolerate client failures, as well as 0.0 1 4 8 16 32 64 server failures; and, (3) transaction processing performance Operation # per transaction [ops/txn] ofHACommit—ithashigherthroughputsandloweraverage latencies than other protocols. Figure2. Commitlatencieswhenincreasingthenumberofoperationsper transaction. A. Experimental Setup with the first and last quarter of each trial elided to avoid We compare HACommit with two-phase commit (2PC), start up and cool down artifacts. For all experimental runs, replicated commit (RCommit) [15] and MDCC [14]. Two- clients recorded throughput and response times. We report phasecommit(2PC)isstillconsideredthestandardprotocol the average of three sixty-second trials. for committing distributed transactions. It assumes no In all experiments, we preload a database containing a replication and is not resilient to single node failures. singletablewith10millionrecords.Eachrecordhasasingle RCommit and MDCC are state-of-the-art commit protocols primary key column and 1 additional column each with for distributed transactions over replicated as HACommit 10 bytes of randomly generated string data. We use small- is. It has better performance than the approach that layers size records to focus our attention on the key performance 2PC over the Paxos algorithm [12], [36]. MDCC guaran- factors. Accesses to records are uniformly distributed over tee only isolation levels weaker than serializability. The the whole database. In all workloads, transactions are same concurrency control scheme and the same storage committed if no data conflicts exist. That is, all transaction management component are used for HACommit, 2PC and aborts in the experiments are due to concurrency control RCommit. These three implementationsuse the consistency requirements. levelofserializability.Comparedtotheimplementationsfor 2PC and RCommit, the HACommit implementation also B. Commit Performance supports the weak isolation level of read committed [41]. As we are targeting at transaction commit protocols, The evaluationof MDCC is based on its opensources [42]. we first examine the actual costs of the commit process. We evaluate all implementations using the Amazon We study the duration of the commit process. We do not EC2 cloud. We evaluate each implementation using a compare the commit process of HACommit with that of YCSB-based benchmark [20]. As our database completely MDCC because the latter integrates a concurrency control resides in memory and the network communication plays process; comparing only the commit process of the two an important role, we deploy the systems over memory- protocols is unfair to MDCC. optimizedinstancesofr3.2xlarge(with8cores,60GBmem- HACommit outperforms 2PC and RCommit in varied ory and high-speed network). Unless noted otherwise, all workloads. Figure 2 shows the latencies of commit. We implementations are deployed over eight nodes. The cross- vary the number of operations per transaction from 1 to node communication roundtrip is about 0.1 milliseconds. 64. The advantage of HACommit increases as the number For HACommit, RCommit and MDCC, the database is of operations per transaction increases. When a transaction deployedwiththreereplicas.For2PC,noreplicationisused. has 64 operations, HACommit can commit in one fifth of Generally, 2PC requires buffer management for durability. the time 2PC does. This performanceis more significant as We do not include one for 2PC and in-memory database is it seems, as HACommit uses replication and 2PC does not. usedinstead.Thedurabilityisguaranteedthroughoperation That means, HACommit has n−1 times more participants logging. As buffer management takes up about one fifth than 2PC in the commit, where n is the numberof replicas. of the local processing time of transactions, our 2PC HACommit’s commit latency increases slightly as the implementation without buffer managementshould perform number of operations increases to 20. On committing a faster than a typical 2PC implementation. transaction, the system must apply all writes and release In all experiments, each server runs a server program all locks.When the numberof operationsis small, applying and a test client program. By default, each client runs with writes and releasing locks in the in-memory database cost 10 threads. Each data point in the graphs represents the a small amount of time, as compared to the network median of at least five trials. Each trial is run for over 120s communication roundtrip time (RTT). As the number of 5000 6000 Client e latency [ms]4433050500000000 123///555 rrreeepppllliiicccaaa ssf affaailiisll ghput [txns/s]435000000000 RReepplliiccaa12 1 123 4246 8795 9 199 TRRieemppeaa iiorrieundtg Averag22050000 Throu21000000 123///555 rrreeepppllliiicccaaa ssf affaailiisll RRReeepppllliiicccaaa345 11011000101110001111001000 11100010 1100 15000 50 100 150 180 00 50 100 150 180 Time (ms) 09394 97 166 4098 49222 Time [s] Time [s] Figure3. Transactionlatencyvariationsduring Figure 4. Transaction throughput variations Figure 5. HACommit’s behavior on a client failure serverfailures. duringserverfailures. (circled numbersaretransactions). operations increases, the time needed increases slightly for replicas are available for every data item, HACommit can applyingallwritesin the in-memorydatabase.Accordingly, process transactions normally. the commit latency of HACommit increases. We also examine how HACommit behaves under tran- 2PCandRCommithaveincreasedcommitlatencieswhen saction client failures. We deliberately kill the client in an the number of operations per transaction increases. They experiment. Each server program periodically checks its need to log new writes for commit and the old values of local transaction contexts to see if any last contact time dataitemsforrollback,thusthetimeneededfortheprepare exceeds a timeout period. We set the timeout period to be phase increases as the number of writes goes up, leading to 15 seconds. Figure 5 visualizes the logs on client failures a longer commit process. 2PC has a higher commit latency and demonstrates how participants recover from the client than RCommit, because in our implementations, 2PC must failure. log in-memory data and RCommit relies on replication for In Figure 5, replicas represent participants. The cross at fault tolerance. theclientlinerepresentsthefailureoftheclient.Thecircled numbersrepresentunendedtransactions.Thetimeaxisatthe bottom stretches from left to right. The moment when the C. Fault-Tolerance first transaction is detected to be unended is denoted as the In the fault-tolerance tests, we examine the behaviors of beginning of the time axis. A transaction is named on the HACommit under both client failures and server failures. time that it is discovered to be unended, i.e., transaction 1 The evaluation result demonstrates that no transaction is is the first transaction to be detected not to be unended. A blocked under server failures and the client failure, as long replica can detect a transaction is unended because there as a quorum of participant replicas are accessible. are timeouts on the last time when a processing message is We use five replicas and initiate one client in the fault received at the replica. Timeouts are specified by arrows. tolerance tests. To simulate failures, we actively kill a Replica 1 has the smallest node ID. It detects unended process in the experiments. The network module of our transactions1to9andstartspushingthemtoanendthrough implementations can instantly return an error in such case. a repairing process. We have synchronized the clocks of Our implementation processes the error as if connection nodes. For simplicity, we use the moment when replica timeout on node failures happens. 1 detects transaction 1 has a last contact time exceeding Figure 3 shows the evolution of the average transaction the timeout period as the beginning of the time axis. It latency in a five replica setup that experiences the failure takes about 100 milliseconds for replica 1 to repair each of one replica at 50, 100 and 180 seconds respectively. transaction. Replica 1 aborts the nine transactions in the The corresponding throughputs are shown in Figure 4. The repairing process because no transaction outcome has ever latencies and throughputs are captured for every second. been accepted by any replica. The transaction 10 is later At 50 and 100 seconds, the average transaction latency detected by replica 4. However, replica 4 waits for four decreases and the throughput increases. With PCC, reads timeoutperiodsbeforeitactuallyinitiatesarepairingprocess in the HACommit implementation take up a great portion forthetransaction.Thereasonisthattransaction10hasbeen of time. The failure of one replica means that the system committed at replica 1, 2 and 3. Replica 4 finally commits can process fewer reads. Hence, this leads to lower average the transaction. Replica 5 also detects transaction 10, but it latencies and higher throughputs for read transactions, as doesnotinitiateanyrepairingprocess.Beforereplica5starts well as for all transactions. At 180 seconds, we failed one repairingtransaction10,thetransactionisalreadycommitted more replicas, violating the quorum availability assumption in the repairing process initiated by replica 4. of HACommit. The thoughput drops to zero immediately D. Transaction Throughput and Latency because no operation or commit process can succeed at all. The HACommit implementation uses timeouts to detect We evaluate the transaction throughputand latency when failures and quorum reads/writes. As long as a quorum of usingdifferentcommitprotocols.Intheexperiments,onthe hput [txns/s]11802000000000 HRCAoCmommmitTitxTnxn cy [ms]44330505 HRCAoCmommmitTitxTnxn cy [ms]323055 HRCAoCmommmit iUt UpdpadtaetTexTnxn ug en25 en20 nsaction thro 462000000000 Average lat2110505 Average lat11505 Tra 0 1 2 4 8 10 16 20 32 64 014 8 16 32 64 014 8 16 32 64 Operation # per transaction [ops/txn] Operation # per transaction [ops/txn] Operation # per transaction [ops/txn] Figure6. Transactionthroughput:HACommitvs. Figure7. Transactionaveragelatency:HACommit Figure 8. Latency of update transaction: RCommit. vs.RCommit. HACommitvs.RCommit. hput [txns/s]11112468000000000000 HMADCCoCmTmxnitTxnRC cy [ms]11802 HMADCCoCm Umpidt aUtpedTaxtneTxnRC cy [ms]6987 HMADCCoCm Rmeiat dRTexandTxnRC ug10000 en en nsaction thro 4682000000000000 Average lat 462 Average lat4352 Tra 0 1 2 4 8 10 16 20 32 0 1 4 8 10 16 20 32 1 1 4 8 10 16 20 32 Operation # per transaction [ops/txn] Operation # per transaction [ops/txn] Operation # per transaction [ops/txn] Figure 9. Transaction throughput under read- Figure10. LatencyofUPDATEtransactionsunder Figure 11. Latency of READ transactions under committedCC:HACommitvs.MDCC. read-committed CC:HACommitvs.MDCC. read-committed CC:HACommitvs.MDCC. failure of lock acquisition, we retry the same transaction HACommit in that it acquires no locks on reads. Figure until it successfully commits. Each retry is made after a 9 shows the transaction throughputs for HACommit-RC random amount of time. and MDCC. The latencies of update transactions and Figure 6 shows the transaction throughputs when using read transactions are shown in Figure 10 and Figure 11. HACommit and RCommit, and Figure 7 demonstrates the HACommit-RC has larger transaction throughputs than average transaction latencies. The HACommit implementa- MDCCinallworkloads.Thelatenciesofupdatetransactions tion has larger transaction throughputs than the RCommit are lower in the HACommit-RC implementation than in implementation in all workloads. Besides, HACommit has the MDCC implementation, although they have similar lower transaction latencies than RCommit in all workloads. performances in read transactions. Both HACommit-RC HACommit’s advantage on transaction latency increases and MDCC implement read transactions similarly and as the number of operations in a transaction increases guarantee the read-committedconsistency level. The reason in the workloads. As both implementations use the same that HACommit-RC has better performance in transaction concurrency control and isolation level, factors leading to throughput and update transaction latency is as follows. HACommit’s advantage over RCommit are two-fold. First, MDCC uses optimistic concurrency control, which can nocostlyloggingisinvolvedduringthecommit.Second,no cause high abort rates under high contention, leading persistence of data is needed. to lower performance than HACommit-RC, which uses We compare the update transaction latencies of HA- pessimistic concurrencycontrol.Besides, MDCCholdsdata Commit and RCommit in Figure 8. Both implementations byoutstandingoptions,leadingtothesameeffectoflocking use the same concurrency control scheme and consistency in committed transactions. level. We can see that HACommit outperforms RCommit. As the number of operations increases in the workloads, VIII. CONCLUSION HACommit’s advantage also increases. The advantage of We have proposed HACommit, a logless one-phase HACommit is still due to a commit without logging and commit protocol for highly-available datastores. In contrast data persistence. to the classic vote-after-decide approach to distributed We also examine the transaction throughput and latency commit, HACommit adopts the vote-before-decide ap- when using weaker isolation levels with HACommit. In proach. In HACommit, the procedure for processing the this case, we compare HACommit against MDCC. We last transaction operation is redesigned to overlap the last implemented HACommit-RC with the read-committed iso- operation processing and the voting process. To commit a lation level [41]. This is an isolation level comparable to transactioninonephase,HACommitexploitsPaxosanduses that guaranteed by MDCC. HACommit-RC differs from the unique client as the initial proposer. To exploit Paxos, HACommit designs a transaction context structure to keep [12] J.C.Corbett,J.Dean,M.Epstein,A.Fikes,C.Frost,J.Fur- Paxos configuration information. Although client failures man, S. Ghemawat, A. Gubarev, C. Heiser, P. Hochschild et al., “Spanner: Google’s globally-distributed database,” can be tolerated by the Paxos exploitation, HACommit Proceedings of OSDI, p. 1, 2012. designs a recovery process for client failures such that the transaction can actually end with the transaction data [13] L. Glendenning, I. Beschastnikh, A. Krishnamurthy, and visible to other transactions. For participantreplica failures, T.Anderson,“Scalableconsistencyinscatter,”inProceedings HACommit has participants replicate their votes and the of SOSP. ACM, 2011, pp. 15–28. transactionmetadatatotheirreplicas;and,afailurerecovery [14] T. Kraska, G. Pang, M. J. Franklin, and S. Madden, “Mdcc: process is proposed to exploit the replicated votes and Multi-data center consistency,” in Eurosys, 2013. metadata. Our evaluation demonstrates that HACommit outperforms recent atomic commit solutions for highly- [15] H. A. Mahmoud, A. Pucher, F. Nawab, D. Agrawal, and available datastores. A.E.Abbadi,“Lowlatencymulti-datacenterdatabasesusing replicatedcommits,”inProc.oftheVLDBEndowment,2013. ACKNOWLEDGMENT [16] C. Mohan, B. Lindsay, and R. Obermarck, “Transaction This work is also supported in part by the State Key management in the r* distributed database management Development Program for Basic Research of China (Grant system,”ACMTrans.DatabaseSyst.,vol.11,no.4,pp.378– No. 2014CB340402) and the National Natural Science 396, Dec. 1986. Foundation of China (Grant No. 61303054). [17] M. Abdallah, R. Guerraoui, and P. Pucheral, “One-phase REFERENCES commit: does it make sense?” in Proc. of International [1] J. Shute, R. Vingralek, B. Samwel, B. Handy, C. Whipkey, ConferenceonParallelandDistributedSystems. IEEE,1998, E.Rollins,M.Oancea,K.Littlefield,D.Menestrina,S.Ellner, pp. 182–192. J. Cieslewicz, I. Rae, T. Stancescu, and H. Apte, “F1: A distributed sql database that scales,” Proc. VLDB Endow., [18] M. K. Aguilera, “Stumbling over consensus research: vol. 6, no. 11, pp. 1068–1079, Aug. 2013. Misunderstandings and issues,” in Replication. Springer, 2010, pp. 59–72. [2] “Amazon cloud goes down friday night, taking netflix, instagram and pinterest with it,” October 2012, [19] L. Lamport, “The part-time parliament,” ACM Transactions http://www.forbes.com/sites/anthonykosner/2012/06/30/ on Computer Systems, vol. 16, no. 2, pp. 133–169, 1998. amazon-cloud-goes-down-friday-night-taking-netflix- instagram-and-pinterest- with-it/. [20] B. F. Cooper, A. Silberstein, E. Tam, R. Ramakrishnan, and R. Sears, “Benchmarking cloud serving systems with ycsb,” [3] R. Nishtala, H. Fugal, S. Grimm, M. Kwiatkowski, H. Lee, in Proceedings of the 1st SoCC. ACM, 2010. H. C. Li, R. McElroy, M. Paleczny, D. Peek, P. Saab et al., “Scaling memcache at facebook.” in nsdi, vol. 13, 2013, pp. [21] J.GrayandL.Lamport,“Consensusontransactioncommit,” 385–398. ACMTrans.DatabaseSyst.,vol.31,no.1,pp.133–160,Mar. 2006. [4] “Paypal,” https://www.paypal.com/. [22] R.Guerraoui, M.Larrea,andA.Schiper,“Reducingthecost [5] “Alipay,” https://www.alipay.com/. fornon-blockinginatomiccommitment,”inProc.ofICDCS. IEEE, 1996, pp. 692–697. [6] “Baidu wallet,”https://www.baifubao.com/. [7] D. Peng and F. Dabek, “Large-scale incremental processing [23] R. Guerraoui and A. Schiper, “The decentralized non- using distributed transactions and notifications.” in OSDI, blocking atomic commitment protocol,” in Proc. of IEEE vol. 10, 2010, pp. 1–15. Symposium on Parallel and Distributed Processing. IEEE, 1995, pp. 2–9. [8] J. Goldstein and P.-A˚. Larson, “Optimizing queries using materialized views: a practical, scalable solution,” in ACM [24] Y.Sovran,R.Power,M.K.Aguilera,andJ.Li,“Transactional SIGMODRecord, vol.30,no. 2. ACM,2001, pp.331–342. storageforgeo-replicatedsystems,”inProc.ofSOSP’11,pp. 385–400. [9] P. A. Bernstein, V. Hadzilacos, and N. Goodman, Concur- rency control and recovery in database systems. Addison- [25] S. Mu, Y. Cui, Y. Zhang, W. Lloyd, and J. Li, “Extracting wesley New York, 1987, vol. 370. more concurrency from distributed transactions,” in Proc. of OSDI, 2014. [10] I. Zhang, N. K. Sharma, A. Szekeres, A. Krishnamurthy, and D. R. Ports, “Building consistent transactions with [26] E. P. Jones, D. J. Abadi, and S. Madden, “Low overhead inconsistent replication,”inProceedings of SOSP ’15. New concurrencycontrolforpartitionedmainmemorydatabases,” York, NY, USA: ACM, 2015. in Proc. of SIGMOD. ACM, 2010, pp. 603–614. [11] F. Nawab, V. Arora, D. Agrawal, and A. El Abbadi, “Minimizingcommitlatencyoftransactionsingeo-replicated data stores,” in Proceedings of SIGMOD’15. ACM, 2015, pp. 1279–1294.