Keep CALM and CRDT On
- Keep CALM and CRDT On redefines CRDT correctness by emphasizing safe query observations over mere state convergence.
- It applies the CALM theorem to distinguish monotone (safe) queries from non-monotone ones, enabling coordination-free local evaluations.
- The paper proposes a CRDT data store architecture that treats queries as first-class objects, paving the way for systematic query verification and dynamic coordination.
“Keep CALM and CRDT On” develops a research agenda for distributed data management in which the guarantees of conflict-free replicated datatypes (CRDTs) are extended from update convergence to the semantics of observation. Its central claim is that classic CRDT theory establishes properties of updates and merge, but does not constrain what a replica may safely report when its state is queried. The paper proposes to treat queries over CRDT state as first-class objects of analysis and to classify them through the monotonicity criterion of the CALM Theorem, so that coordination-free execution is available precisely where query semantics permit it (Laddad et al., 2022).
1. Updates, convergence, and the problem of observation
State-based CRDTs, or CvRDTs, are formulated over a state type with a merge operator that is associative, commutative, and idempotent. Updates are monotone with respect to the lattice order on , so replicas only move upward in the partial order, and replicas that have seen the same set of updates converge to the same state regardless of order or duplication (Laddad et al., 2022).
The paper argues that this standard guarantee is narrower than it is often taken to be. A CRDT library may expose methods such as contains(), contents(), or max(), but CRDT theory does not guarantee that executing such methods on a stale replica yields a result consistent with any sequential execution. In the paper’s formulation, CRDT guarantees extend only to data updates; observations of CRDT state are unconstrained and unsafe. The resulting misconception is summarized by the phrase “Schrödinger consistency”: CRDTs are guaranteed to be consistent only if they are not viewed (Laddad et al., 2022).
An unsafe observation is a query result that cannot be guaranteed to match what would be observed in any sequentially consistent execution of all operations on a single logical node unless coordination occurs. This shifts the design question from “does the datatype converge?” to “which observations are safe under partial visibility of updates?” The paper treats that shift as foundational rather than incidental.
2. CALM as the criterion for coordination-free queries
The paper’s analytic move is to connect CRDTs to CALM, the principle that a distributed program can be implemented in a coordination-free, eventually consistent way if and only if its semantics are monotone (Laddad et al., 2022).
In the usual logic setting, a query is monotone when
For CRDTs, the same idea is lifted from sets of facts to lattice states. A CvRDT is a join-semilattice , with order
Since updates are monotone and gossip only moves replicas upward in the lattice, each replica’s local state is an under-approximation of some larger merged state. This is exactly the informational regime in which CALM applies.
The paper therefore treats a query as a function and asks whether it is monotone with respect to the source lattice and the result order:
For Boolean results with the order , this becomes the persistence property that once a query returns true, no additional updates can make it false. The paper explicitly states that monotone queries are “the natural query model for CRDTs,” and further that CALM yields both directions: monotone queries are sufficient for coordination-free safety, and only monotone queries have that property (Laddad et al., 2022).
This framing turns monotonicity into a decision procedure. Selection, projection, union, and intersection are monotone operators. Set difference, negation, universal quantification, and many aggregates are non-monotone. The distinction is not merely syntactic; it determines whether local evaluation can avoid retractions.
3. Safe and unsafe observations over CRDT state
The paper’s canonical unsafe example is a shopping cart implemented as a 2P-Set with state 0, monotone updates add(x) and remove(x), and merge
1
The intended cart query is 2. If a backend replica has seen add(ferrari) but not yet remove(ferrari), then checkout may observe {potato, ferrari} even though the remove happened-before checkout. Because the query depends on set difference, it is non-monotone: seeing more state can retract an earlier answer. The paper presents this as the “Potato / Ferrari bug” and uses it to show that read correctness is a separate problem from update convergence (Laddad et al., 2022).
The same logic applies to absence-based or globally comparative queries. Over a G-Set of registered usernames, alice ∉ S is non-monotone; a later arrival can change true to false. Likewise, uniqueness checks such as |S| == |distinct(emails)| and threshold comparisons such as max(S) < 100 depend on missing information or global maxima and therefore require coordination if they are to satisfy sequential consistency.
By contrast, the paper gives several coordination-free safe queries. A threshold over a monotone count is monotone. For a set CRDT, one can compose COUNT with a threshold > 10; because each stage is monotone, the entire query is monotone. The paper also gives a fraud-detection example over a G-Set of transactions in which a query returns true if the cardinality of transactions satisfying txn.type == "GIFTCARD" and txn.amount > 100 exceeds 50. Since the filtered set only grows, its count only grows, and the predicate > 50 is monotone in the Boolean lattice, any local true answer is stable under further gossip (Laddad et al., 2022).
A similar rate-limiting example uses a 2P-Set and the query
3
Both 4 and 5 are monotone increasing, so the threshold is again monotone. The paper allows ABORT as an “unknown” outcome when there is not yet enough evidence; aborted queries do not need to be consistent. This suggests a design pattern in which monotone “bad news” is detected coordination-free, while non-monotone “good news” may still require synchronization.
4. Query guarantees and the role of coordination
The paper identifies two desiderata for a CRDT query model: safety and efficiency. Safety is stated as: “Queries should be sequentially consistent, regardless of the replica at which they are evaluated.” Efficiency is stated as: “Queries should be evaluated locally without coordination whenever possible” (Laddad et al., 2022).
From that perspective, monotone queries provide a specific observation-level guarantee. If a monotone Boolean query returns true at some replica, then no additional updates can make it false, so the answer is sound with respect to some sequential state extending the replica’s current knowledge. This is not global linearizability, and it is not transaction serializability. The paper instead characterizes it as a CALM-style no-retractions property, framed as sequential consistency of individual query results with respect to some serialization of operations.
Non-monotone queries do not admit this guarantee under single-replica evaluation. To obtain sequentially consistent answers, the system must coordinate enough replicas to observe a state equivalent to the relevant global join. The paper does not propose a new read protocol; it situates the issue relative to established patterns such as read-all, quorum-based reads, and the classic trade-offs summarized by Bernstein and Gorman. A practical consequence is that CRDTs still eliminate coordination on writes, while coordination can be confined to specific reads and specific queries rather than imposed uniformly across the store (Laddad et al., 2022).
The paper also discusses alternatives when coordination is undesirable. One option is anticipatory coordination: proactively synchronize keys if non-monotone queries are expected. Another is to accept weak consistency and handle errors through apologies or compensations, such as refunds or UI correction. The framework is therefore not purely about proving when coordination is unnecessary; it also clarifies when coordination is the unavoidable cost of stronger observation semantics.
5. From object APIs to a CRDT data store
A major architectural claim of the paper is that CRDTs should be treated less like in-memory objects and more like database tables. The logical model—lattices, operations, queries—should be separated from physical concerns such as storage layout, replication, gossip, garbage collection, and delta propagation (Laddad et al., 2022).
On that basis, the paper sketches a CRDT data store with a query language “like SQL but over semi-lattices / semirings.” Applications would submit monotone, mergeable operations such as addItem or removeItem, while observations would be expressed in a query language rather than as ad hoc imperative reads. The store would manage replicas and gossip, check query monotonicity statically where possible, decide when local execution is safe and when coordination is necessary, and apply physical optimizations such as delta-based gossip, compression, and garbage collection.
This agenda implies programming abstractions in which monotonicity becomes explicit. The paper mentions typed APIs separating local CRDT handles from synchronized views, and DSL-oriented directions related to Bloom6, Datafun, and Gallifrey. It also points toward provenance and lineage for downstream compensation, and toward SMT-based verification and synthesis using tools such as Z3 and CVC5. These proposals are presented as directions rather than a completed system, but they articulate a database-style layer above CRDT merge semantics.
6. Research agenda and significance
The paper is explicitly a vision piece rather than a fully formalized language or implementation. Its broader agenda includes query language design, monotonicity analysis for lattice-valued relational algebra, optimization strategies that distinguish streaming from barrier operators, storage-engine work on compression and garbage collection, and dynamic coordination policies that adapt to workloads with many non-monotone reads (Laddad et al., 2022).
Its main significance lies in re-scoping what CRDT correctness means. Plain CRDT literature establishes that merge is associative, commutative, and idempotent, and therefore that replicated state converges. “Keep CALM and CRDT On” argues that this is not sufficient for application correctness because read semantics and invariants live at the observation layer. CALM supplies the missing criterion: CRDTs solve write/write conflicts, while monotonicity characterizes which reads are safe without coordination.
A common misconception is therefore corrected. Eventual convergence of replicated state does not imply that arbitrary local observations are safe. The paper’s contribution is to make queries first-class objects of semantic analysis and to propose a path toward CRDT-backed data stores in which developers can know, rather than guess, when local reads are sound and when coordination is required. That repositioning links distributed data structures to query semantics and database execution, and suggests a more systematic foundation for reliable, coordination-aware distributed applications.