Experiments in Model-Checking Optimistic Replication Algorithms

This paper describes a series of model-checking experiments to verify optimistic replication algorithms based on Operational Transformation (OT) approach used for supporting collaborative edition. We formally define, using tool UPPAAL, the behavior and the main consistency requirement (i.e. convergence property) of the collaborative editing systems, as well as the abstract behavior of the environment where these systems are supposed to operate. Due to data replication and the unpredictable nature of user interactions, such systems have infinitely many states. So, we show how to exploit some features of the UPPAAL specification language to attenuate the severe state explosion problem. Two models are proposed. The first one, called concrete model, is very close to the system implementation but runs up against a severe explosion of states. The second model, called symbolic model, aims to overcome the limitation of the concrete model by delaying the effective selection and execution of editing operations until the construction of symbolic execution traces of all sites is completed. Experimental results have shown that the symbolic model allows a significant gain in both space and time. Using the symbolic model, we have been able to show that if the number of sites exceeds 2 then the convergence property is not satisfied for all OT algorithms considered here. A counterexample is provided for every algorithm.

💡 Research Summary

The paper presents a rigorous model‑checking study of optimistic replication algorithms that rely on Operational Transformation (OT) to support collaborative editing. Using the timed‑automata verification tool UPPAAL, the authors formalize both the behavior of collaborative editing systems and their key consistency requirement – convergence, i.e., all replicas must eventually hold identical data despite concurrent updates.

Two distinct UPPAAL models are constructed. The first, termed the concrete model, mirrors the actual implementation: each site generates operations, broadcasts them, receives remote operations, and immediately applies the appropriate OT transformation. This model enjoys a high fidelity to real code but suffers from a classic state‑explosion problem because every possible interleaving of operations across sites yields a distinct state. To mitigate this, the authors introduce two reductions: (1) pre‑selection of operation signatures, where all sites agree on the set of operations to be executed before the simulation starts, and (2) grouping of independent operations, allowing several non‑conflicting operations to be executed atomically. Even with these optimizations, the concrete model quickly becomes intractable for more than two sites and for the richer OT algorithms (Ellis, Ressel, Sun, Suleiman, Imine).

The second model, called the symbolic model, takes a fundamentally different approach. Rather than executing operations as they are generated, the model first builds a symbolic execution trace for each site, recording the sequence of operation signatures without applying them. Only after all traces are constructed does the model invoke a single atomic function that applies the OT transformation logic to the collected traces. This postponement eliminates many intermediate states, dramatically shrinking the state space. The authors also experiment with a variant that treats timestamp vectors (used to infer causality and concurrency) as fixed input data or removes them entirely, further reducing complexity.

Experimental evaluation compares both models across varying numbers of sites (2, 3, 4) and across five representative OT algorithms. Results show that the symbolic model achieves orders‑of‑magnitude improvements in both memory consumption and verification time. Crucially, the symbolic model reveals that convergence fails whenever the system involves more than two sites, regardless of which of the five OT algorithms is used. For each algorithm, UPPAAL automatically generates a counterexample: a concrete sequence of concurrent insert/delete operations and the corresponding transformation steps that lead to divergent replica states. These counterexamples illustrate subtle bugs such as incorrect handling of simultaneous insertions at the same position followed by deletions, or asymmetric transformation rules that break causality.

The paper also discusses the broader implications of these findings. The reliance on timestamp vectors, while common in OT literature, is identified as a major source of state explosion; simplifying or eliminating them makes verification feasible. Moreover, the counterexamples expose design patterns that should be avoided in future OT algorithms, such as transformation functions that are not commutative under certain concurrency patterns.

In conclusion, the authors demonstrate that model checking with UPPAAL is a viable, automated method for assessing the correctness of OT‑based optimistic replication. The symbolic modeling technique they propose enables verification at scales previously unreachable, and the discovery that all examined OT algorithms lose convergence beyond two sites challenges a long‑standing assumption in the collaborative‑editing community. This work therefore provides both a practical verification framework and valuable insights for the design of more robust OT algorithms capable of supporting large‑scale, multi‑site collaborative applications.