A Scalable Algorithm for Decentralized Actor Termination Detection

Automatic garbage collection (GC) prevents certain kinds of bugs and reduces programming overhead. GC techniques for sequential programs are based on reachability analysis. However, testing reachability from a root set is inadequate for determining whether an actor is garbage: Observe that an unreachable actor may send a message to a reachable actor. Instead, it is sufficient to check termination (sometimes also called quiescence): an actor is terminated if it is not currently processing a message and cannot receive a message in the future. Moreover, many actor frameworks provide all actors with access to file I/O or external storage; without inspecting an actor's internal code, it is necessary to check that the actor has terminated to ensure that it may be garbage collected in these frameworks. Previous algorithms to detect actor garbage require coordination mechanisms such as causal message delivery or nonlocal monitoring of actors for mutation. Such coordination mechanisms adversely affect concurrency and are therefore expensive in distributed systems. We present a low-overhead deferred reference listing technique (called DRL) for termination detection in actor systems. DRL is based on asynchronous local snapshots and message-passing between actors. This enables a decentralized implementation and transient network partition tolerance. The paper provides a formal description of DRL, shows that all actors identified as garbage have indeed terminated (safety), and that all terminated actors--under certain reasonable assumptions--will eventually be identified (liveness).


Introduction
The actor model [Agh90a,Agh90b] is a foundational model of concurrency that has been widely adopted for its scalability: for example, actor languages have been used to implement services at PayPal [pay], Discord [Vis17], and in the United Kingdom's National Health Service database [nhs13]. In the actor model, stateful processes known as actors execute concurrently and communicate by sending asynchronous messages to other actors, provided they have a reference (also called a mail address or address in the literature) to the recipient. Actors can also spawn new actors. An actor is said to be garbage if it can be destroyed without affecting the system's observable behavior.
Although a number of algorithms for automatic actor garbage collection (GC) have been proposed [CD13,KMW95,VA03,VAT92,Wan11,WV06], actor languages and frameworks currently popular in industry (such as Akka [akk], Erlang [AVWW96], and Orleans [BGK+11]) require that programmers garbage collect actors manually. We believe this is because the GC algorithms proposed thus far are too expensive to implement in distributed systems. In order to find applicability in real-world actor runtimes, we argue that a GC algorithm should satisfy the following properties:
(1) (Low latency) GC should not restrict concurrency in the application.
(2) (High throughput) GC should not impose significant space or message overhead.
(3) (Scalability) GC should scale with the number of actors and nodes in the system.
To the best of our knowledge, no previous algorithm satisfies all three constraints. The first requirement precludes any global synchronization between actors, a "stop-the-world" step, or a requirement for causal order delivery of all messages. The second requirement means that the number of additional "control" messages imposed by the algorithm should be minimal. The third requirement precludes algorithms based on global snapshots, since these require all actors to respond before any garbage can be collected; such a delay may become unacceptable as a system grows large.
To address these goals, we have developed a garbage collection technique called DRL for Deferred Reference Listing. The primary advantage of DRL is that it is decentralized and incremental: local garbage can be collected in a subsystem without communicating with the rest of the system. Systems can also cooperate to detect distributed garbage by exchanging minimal amounts of information. Garbage collection can be performed concurrently with the application and imposes no message ordering constraints. We also expect DRL to be reasonably efficient in practice, since it does not require many additional messages or significant actor-local computation.
DRL works as follows. The communication protocol (Section 4) tracks information, such as references and message counts, and stores it in each actor's state. Actors periodically send out copies of their local state (called snapshots) to be stored at one or more designated snapshot aggregator actors. Each aggregator periodically searches its local store to find a subset of snapshots representing terminated actors (Sections 6 and 7). Once an actor is determined to have terminated, it can be garbage collected by, for example, sending it a self-destruct message. We prove that non-terminated actors will never be garbage collected (Corollary 6.11). Moreover, if every terminated actor eventually sends a snapshot to the aggregator, then all terminated actors will eventually be detected (Theorem 6.12). Since DRL is defined in terms of the actor model, it is oblivious to details of a particular implementation (such as how sequential computations are represented or where actors are located). Our technique is therefore applicable to different actor frameworks; in particular, it may be implemented as a library. It can also be applied to open systems, allowing an actor system using DRL to interoperate with a manually-collected actor system.
The outline of the paper is as follows. We provide a characterization of actor garbage in Section 2 and discuss related work in Section 3. We then provide a specification of the DRL protocol in Section 4. In Section 5, we describe a key property of DRL called the Chain Lemma. In Section 6, we use this lemma to define when a set of snapshots is finalized and prove that finalized snapshots correspond to terminated actors. In Section 7, we give algorithms that allow snapshot aggregators to find finalized subsets in an arbitrary set of snapshots. In Section 8, we describe an efficient protocol for snapshot aggregators to detect distributed cycles of terminated actors. We conclude in Section 9 with some discussion of future work and how DRL may be used in practice.

Figure 1: A simple actor system. Configuration (1) leads to Configuration (2) after C receives the message m, which contains a reference to E. Notice that an actor can send a message and "forget" its reference to the recipient before the message is delivered, as is the case for actor F. In both configurations, E is a potential acquaintance of C, and D is potentially reachable from C. The only terminated actor is F in Configuration (2), because all other actors in (2) are potentially reachable from unblocked actors.

Preliminaries
An actor can only receive a message when it is idle. Upon receiving a message, it becomes busy. A busy actor can perform an unbounded sequence of actions before becoming idle. In [AMST97], an action may be to spawn an actor, send a message, or perform a (local) computation. The actor model places no constraints on message delivery order, though a particular implementation could provide stronger guarantees. We will also assume that actors can perform effects, such as file I/O. The actions an actor performs in response to a message are dictated by its application-level code, called a behavior. Actors can also receive messages from external actors (such as the user) by becoming receptionists. An actor A becomes a receptionist when its address is exposed to an external actor. Subsequently, any external actor can potentially obtain A's address and send it a message.
An actor is said to be garbage if it can be destroyed without affecting the system's observable behavior. However, without analyzing an actor's code, it is not possible to know whether it will have an effect when it receives a message. As is typical for garbage collection algorithms, we will restrict our attention to those actors that can be guaranteed to be garbage without inspecting their internal behavior. According to this more conservative definition, any actor that might receive a message in the future should not be garbage collected because it could, for instance, write to a log file when it becomes busy. Conversely, any actor that remains idle indefinitely can safely be garbage collected because it will never have any effects. We therefore conservatively define an actor to be terminated if it is guaranteed to remain idle indefinitely, regardless of how any other actor in the system behaves. For the purposes of this paper, terminated actors coincide with garbage actors.
The definition of termination above is problematic because it requires reasoning about infinite execution traces. Let us now introduce some terminology in order to give an equivalent definition in terms of the global state of an actor system [CL85].
We say that an actor B is a potential acquaintance of A (and A is a potential inverse acquaintance of B) if A has a reference to B or if there is an undelivered message to A that contains a reference to B. We define potential reachability to be the reflexive transitive closure of the potential acquaintance relation. That is, A can potentially reach B if there exists a sequence of actors A1, . . . , An where A = A1, B = An, and each Ai+1 is a potential acquaintance of Ai. If an actor is idle and has no undelivered messages, then it is blocked; otherwise it is unblocked.
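To make these definitions concrete, the following Python sketch computes potential reachability from a static view of a system and flags as terminated exactly those actors that are potentially reachable only from blocked actors. All names and the data layout here are illustrative, not part of the paper's formalism:

```python
# Sketch: termination as "potentially reachable only from blocked actors".
# refs: actor -> set of actors it holds references to.
# undelivered: list of (recipient, refs_in_message) pairs.
# busy: set of actors currently processing a message.

def potential_acquaintances(refs, undelivered):
    """B is a potential acquaintance of A if A holds a reference to B, or
    an undelivered message addressed to A contains a reference to B."""
    acq = {a: set(targets) for a, targets in refs.items()}
    for recipient, payload_refs in undelivered:
        acq.setdefault(recipient, set()).update(payload_refs)
    return acq

def potentially_reachable_from(acq, roots):
    """Reflexive transitive closure of the potential acquaintance relation."""
    seen, stack = set(roots), list(roots)
    while stack:
        a = stack.pop()
        for b in acq.get(a, ()):
            if b not in seen:
                seen.add(b)
                stack.append(b)
    return seen

def terminated(actors, refs, undelivered, busy):
    """An actor is terminated iff it is not potentially reachable from any
    unblocked actor (unblocked = busy or having an undelivered message)."""
    acq = potential_acquaintances(refs, undelivered)
    unblocked = set(busy) | {recipient for recipient, _ in undelivered}
    live = potentially_reachable_from(acq, unblocked)
    return set(actors) - live
```

Note that a cycle of blocked actors (A and B referencing each other below) is correctly detected as terminated, which reference counting alone cannot do.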
Clearly, an unblocked actor is not terminated because it will become busy when the message is delivered. More generally, if an actor is blocked but potentially reachable by an unblocked actor, then it is not terminated because it can become unblocked at some point in the future. Consider for example Figure 1 (1), in which actor D is potentially reachable by actors F, E, and C. Once C receives the message in Figure 1 (2), it becomes a busy actor with a reference to E. If C sends a message to E and E sends a message to D, then D can become busy.
Conversely, consider an actor A that is not potentially reachable by any unblocked actors, i.e. A is only potentially reachable by blocked actors. This means that A is only reachable by blocked actors, and there are no undelivered messages containing references to any of these actors. Hence there is no way for any of these blocked actors to become unblocked again, so they are all terminated.
Thus, we have shown that an actor is terminated-for a conservative definition of termination-precisely when it is only potentially reachable by blocked actors. One could therefore detect all terminated actors by computing a consistent global snapshot, but computing such snapshots would be infeasible for large actor systems. Instead, we will show how DRL can be used to find the terminated actors in an arbitrary set of local actor snapshots S. Remarkably, S does not have to be a consistent cut [CL85]. This is thanks to the state metadata maintained by the DRL communication protocol, which we introduce in Section 4.

Related Work
Global Termination and Snapshots. Global termination detection (GTD) is used to determine when all processes have terminated [Mat87,MC98]; detecting when individual actors have terminated, as we do in this paper, is a more general problem. For GTD, it suffices to obtain global message send and receive counts. Most GTD algorithms also assume a fixed process topology. However, Lai gives an algorithm that supports dynamic topologies such as in the actor model [Lai86]. Lai's algorithm performs termination detection in "waves", disseminating control messages along a spanning tree (such as an actor supervisor hierarchy) so as to obtain consistent global message send and receive counts. Venkatasubramanian et al. take a similar approach to obtain a consistent global snapshot of actor states in a distributed system [VAT92]. However, such an approach does not scale well because it is not incremental: garbage cannot be detected until all nodes in the system have responded. In contrast, DRL does not require a global snapshot, does not require actors to coordinate their local snapshots, and does not require waiting for all nodes before detecting local terminated actors.
Reference Tracking. We say that an idle actor is simple garbage if it has no undelivered messages and no other actor has a reference to it. Such actors can be detected with distributed reference counting [WW87,Bev87,Piq91] or with reference listing [PS95,WV06] techniques. In reference listing algorithms, each actor maintains a partial list of actors that may have references to it. Whenever A sends B a reference to C, it also sends an info message informing C about B's reference. Once B no longer needs a reference to C, it informs C by sending a release message; this message should not be processed by C until all preceding messages from B to C have been delivered. Thus an actor is simple garbage when its reference listing is empty.
Our technique uses a form of deferred reference listing, in which A may also defer sending info messages to C until it releases its references to C. This allows info and release messages to be batched together, reducing communication overhead. In a system where most messages contain one or more references, this optimization can reduce the total number of messages by a factor of two.
Cyclic Garbage. Actors that are transitively acquainted with one another are said to form cycles. Cycles of terminated actors are called cyclic garbage and cannot be detected with reference listing alone. Since actors are hosted on nodes and cycles may span across multiple nodes, detecting cyclic garbage requires sharing information between nodes to obtain a consistent view of the global topology. One approach is to compute a global snapshot of the distributed system [KMW95] using the Chandy-Lamport algorithm [CL85]; but this requires pausing execution of all actors on a node to compute its local snapshot.
Another approach is to add edges to the actor reference graph so that actor garbage coincides with passive object garbage [VA03,WVHT10]. This is convenient because it allows existing algorithms for distributed passive object GC, such as [Sch89], to be reused in actor systems. However, such transformations require that actors know when they have undelivered messages, which necessitates some form of synchronization. Our approach also adds edges to the actor reference graph, but this time in the form of "contact tracing" (Section 4). Unlike prior work, this does not require synchronization and ensures that there is always a "path" (instead of a single reference) from an actor to its potential inverse acquaintances (Section 5).
To avoid pausing executions, Wang and Varela proposed a reference listing based technique called the pseudo-root algorithm. The algorithm computes approximate global snapshots and is implemented in the SALSA runtime [WV06,Wan11]. The pseudo-root algorithm requires acknowledgments for each application message and each reference contained inside a message, in the worst case producing several times more control messages than application messages. The algorithm also requires actors to write to shared memory (requiring synchronization) if they migrate or release references during snapshot collection. Our protocol does not require shared memory and, with batching, only sends control messages when references are released. Wang and Varela also explicitly address migration of actors, a concern orthogonal to our algorithm.

MAC. Our technique was initially inspired by MAC, an actor termination detection algorithm implemented in the Pony runtime [CD13]. In MAC, actors send a local snapshot to a designated cycle detector whenever their message queue becomes empty, and send another notification whenever it becomes non-empty. Clebsch and Drossopoulou prove that for systems with causal message delivery, a simple request-reply protocol is sufficient to confirm that the cycle detector's view of the topology is consistent. However, enforcing causal delivery in a distributed system imposes additional costs: the well-known strategy of using vector clocks requires O(n) additional memory for each message, where n is the number of nodes [Fid88]. Another approach, in which nodes must be arranged in a tree topology, does not impose this overhead but still prevents point-to-point communication between nodes [BCD17]. DRL is similar to MAC, but does not require causal message delivery, supports decentralized termination detection, and does not require actors to take snapshots each time their message queues become empty.
We achieve this greater flexibility by reifying information in an actor's local state that would otherwise be implicit in the timing of a snapshot. For instance, all references in DRL are associated with a unique identifying token. If an actor and its acquaintance both include reference x in their snapshot, then the matching token allows us to conclude that the two snapshots are referring to the same reference. Another example of additional information in DRL is the message send and receive counts. In MAC, an actor can infer that it had no undelivered messages at the time of its snapshot if it sends a message to the cycle detector and receives an acknowledgment with no other messages arriving in between. In DRL, we assume that messages can be reordered or delayed by network partitions for an arbitrarily long time. This appears to necessitate the use of message send and receive counts.
Other Versions. An earlier version of DRL appeared in [PA18]. In this paper, we formalize the description of the algorithm and prove its safety and liveness. In the process, we discovered that release acknowledgment messages are unnecessary and that termination detection is more flexible than we first thought: it is not necessary for GC to be performed in distinct "phases" where every actor takes a snapshot in each phase. In particular, once an idle actor takes a snapshot, it need not take another snapshot until it receives a fresh message.
This paper is an extension of [PA20]. We have revised the text of several sections for clarity-particularly Section 6, which now uses the notion of a consistent set of snapshots and an alternative (but equivalent) definition of finalized sets. We also discovered a flaw in our original algorithm for finding maximal finalized sets of snapshots: under certain circumstances, the resulting set may be finalized but not necessarily maximal. The new Section 7 elaborates on the issues at play and presents an improved algorithm with a proof of correctness. The section also includes the old algorithm as a "heuristic" that might be more efficient in some cases. Finally, Section 8 is entirely new and gives an algorithm for efficiently detecting distributed cycles of terminated actors across multiple actor systems.

A Two-Level Semantic Model
In this section we present the DRL communication protocol. We begin by motivating what kind of information a snapshot aggregator would need to detect terminated actors. Next we present the communication protocol more formally, using a two-level semantic model [VT95]. In this model, a system-level transition system interprets the operations performed by a user-facing application-level transition system. The application level defines the abstract operational semantics of the actor system from the user's perspective, including location transparency and fairness assumptions. Since DRL preserves this semantics, we leave out the application-level system; for a formalization, see [AMST97]. The system-level transition system defines each actor's system-level state and what additional actions should be performed when the application level tries to perform an operation, such as sending a message or spawning an actor. In the case of DRL, these operations sometimes cause additional system-level messages to be sent or metadata to be added to an application-level message.

4.1. Overview. Ordinary actor systems allow an actor A to send a message to actor B if A has B's address. In DRL, actors must use reference objects (abbreviated refobs) instead; refobs combine a plain actor address (the address of the target) with additional metadata, such as the address of the refob's designated owner. A refob can only be used by its owner: in order for A to give B a reference to C, it explicitly creates a new refob owned by B. Once a refob is no longer needed, it is deactivated by its owner and removed from the owner's local state. These operations could be done manually at the application level or handled automatically in the runtime via a suitable API.
The DRL communication protocol enriches each actor's state with a list of refobs that it currently owns and associated message counts representing the number of messages sent using each refob. Each actor also maintains a subset of the refobs of which it is the target, together with associated message receive counts. Lastly, actors perform a form of "contact tracing" by maintaining a subset of the refobs that they have created for other actors; we provide details about the bookkeeping later in this section.
The additional information above allows us to detect termination by inspecting actor snapshots. If a set of snapshots is consistent (in the sense of [CL85]) then we can use the "contact tracing" information to determine whether the set is closed under the potential inverse acquaintance relation (see Section 5). Then, given a consistent and closed set of snapshots, we can use the message counts to determine whether an actor is blocked. We can therefore find all the terminated actors within a consistent set of snapshots.
In fact, DRL satisfies a stronger property: any set of snapshots that "appears terminated" in the sense above is guaranteed to be consistent. Hence, given an arbitrary closed set of snapshots, it is possible to determine which of the corresponding actors have terminated. This allows a great deal of freedom in how snapshots are aggregated. For instance, each actor could set its own recurring timeout for when to take the next snapshot. The duration of this timeout could be changed based on runtime information, such as how long the actor has been alive; this would amount to a generational approach to actor garbage collection [LH83].
Reference Objects. A refob is a triple (x, A, B), where A is the owner actor's address, B is the target actor's address, and x is a globally unique token. An actor can cheaply generate such a token by combining its address with a local sequence number, since actor systems already guarantee that each address is unique. We will stylize a triple (x, A, B) as x : A B. We will also sometimes refer to such a refob as simply x, since tokens act as unique identifiers.
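The token-generation scheme just described can be sketched in a few lines; the class and field names below are our own, and the only assumption carried over from the text is that actor addresses are globally unique:

```python
from collections import namedtuple
import itertools

# A refob is a triple (x, A, B): a token, an owner address, and a target address.
Refob = namedtuple("Refob", ["token", "owner", "target"])

class TokenFactory:
    """Generates globally unique tokens by pairing the actor's (unique)
    address with a local sequence number, as suggested in the text."""
    def __init__(self, address):
        self.address = address
        self._seq = itertools.count()

    def fresh(self):
        return (self.address, next(self._seq))

# Example: actor A mints a token for a refob owned by B targeting C.
a_tokens = TokenFactory("A")
z = Refob(a_tokens.fresh(), "B", "C")
```

Because no coordination is needed beyond address uniqueness, an actor can mint tokens locally and cheaply, even while the network is partitioned.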
When an actor A spawns an actor B (Figure 2 (1, 2)), the DRL protocol creates a new refob x : A B that is stored in both A's and B's system-level state, and a refob w : B B in B's state. The refob x allows A to send application-level messages to B. These messages are denoted app(x, R), where R is the set of refobs contained in the message that A has created for B. The refob w corresponds to the self variable present in some actor languages.

Figure 2: Examples from the DRL protocol; each panel shows the "facts" related to z that are stored in each actor's local state. Although not pictured in the figure, A also obtains facts Active(x) and Active(y) after spawning actors B and C, respectively. Likewise, actors B, C obtain facts Created(x), Created(y), respectively, upon being spawned.
If A has active refobs x : A B and y : A C, then it can create a new refob z : B C by generating a token z. In addition to being sent to B, this refob must also temporarily be stored in A's system-level state and marked as "created using y" (Figure 2 (3)). Once B receives z, it must add the refob to its system-level state and mark it as "active" (Figure 2 (4)). Note that B can have multiple distinct refobs that reference the same actor in its state; this can be the result of, for example, several actors concurrently sending refobs to B. Transition rules for spawning actors and sending messages are given in Section 4.3.
Actor A may remove z from its state once it has sent a (system-level) info message informing C about z (Figure 2 (4)). Similarly, when B no longer needs its refob for C, it can "deactivate" z by removing it from local state and sending C a (system-level) release message (Figure 2 (5)). Note that if B already has a refob z : B C and then receives another refob z′ : B C, it can be more efficient to defer deactivating the extraneous z′ until z is also no longer needed; this way, the release messages can be batched together.
When C receives an info message, it records that the refob has been created, and when C receives a release message, it records that the refob has been released (Figure 2 (6)). Note that these messages may arrive in any order. Once C has received both, it is permitted to remove all facts about the refob from its local state. Transition rules for these reference listing actions are given in Section 4.4.
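The target-side bookkeeping just described can be sketched as follows. This is a simplification of the paper's formal transition rules, with illustrative names: the target records Created and Released facts as info and release messages arrive (in either order) and forgets a refob once both have been seen:

```python
class TargetState:
    """Bookkeeping kept by the target actor C for refobs of which it is
    the target. Illustrative sketch, not DRL's formal transition system."""
    def __init__(self):
        self.created = set()   # tokens x with a Created(x) fact
        self.released = set()  # tokens x with a Released(x) fact

    def on_info(self, token):
        self.created.add(token)
        self._maybe_forget(token)

    def on_release(self, token):
        self.released.add(token)
        self._maybe_forget(token)

    def _maybe_forget(self, token):
        # Once both messages have arrived, all facts about the refob
        # may be removed from local state.
        if token in self.created and token in self.released:
            self.created.discard(token)
            self.released.discard(token)

    def unreleased(self, token):
        # Known to be created but not yet known to be released.
        return token in self.created and token not in self.released
```

Because a fully processed refob leaves no residue in the target's state, the space used by this bookkeeping is proportional to the number of refobs still in flight, not the number ever created.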
Once a refob has been created, it passes through four states: pending, active, inactive, and released. A refob z : B C is said to be pending until it is received by its owner B. Once received, the refob is active until it is deactivated by its owner, at which point it becomes inactive. Finally, once C learns that z has been deactivated, the refob is said to be released. A refob that has not yet been released is unreleased.
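The lifecycle above can be summarized as a small state machine. The encoding is ours; each transition corresponds to a protocol event described in the text (delivery to the owner, deactivation by the owner, and the target learning of the deactivation):

```python
from enum import Enum

class RefobState(Enum):
    PENDING = "pending"    # created, not yet received by its owner
    ACTIVE = "active"      # held by the owner
    INACTIVE = "inactive"  # deactivated by the owner; release in flight
    RELEASED = "released"  # target has learned of the deactivation

# Legal transitions in the lifecycle described above (illustrative).
NEXT = {
    RefobState.PENDING: RefobState.ACTIVE,
    RefobState.ACTIVE: RefobState.INACTIVE,
    RefobState.INACTIVE: RefobState.RELEASED,
}

def step(state):
    """Advance a refob to its next lifecycle state."""
    if state not in NEXT:
        raise ValueError(f"{state} is terminal")
    return NEXT[state]

def is_unreleased(state):
    return state is not RefobState.RELEASED
```

The states advance strictly in one direction; "unreleased" in the text covers the first three states.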
Slightly amending the definition we gave in Section 2, we say that B is a potential acquaintance of A (and A is a potential inverse acquaintance of B) when there exists an unreleased refob x : A B. Thus, B becomes a potential acquaintance of A as soon as x is created, and only ceases to be an acquaintance once it has received a release message for every refob y : A B that has been created so far.

Figure 3: An event diagram [Agh90a] for actors A, B, C, illustrating message counts and consistent snapshots. Dashed arrows represent messages and dotted lines represent mutually quiescent cuts. For a cut to be mutually quiescent, it is necessary (but not sufficient) that the message send and receive counts agree for all participants.
Message Counts and Snapshots. For each refob x : A B, the owner A maintains a count of how many app and info messages have been sent along x; this count can be deleted when A deactivates x. Each message is annotated with the refob used to send it. Whenever B receives an app or info message along x, it correspondingly increments a receive count for x; this count can be deleted once x has been released. Thus the memory overhead of message counts is linear in the number of unreleased refobs. Figure 3 gives an example.
A snapshot is a copy of all the facts in an actor's system-level state at some point in time. We will assume throughout the paper that in every set of snapshots Q, each snapshot was taken by a different actor; such a set is also said to form a cut. Recall that a set of snapshots Q is consistent if no snapshot in Q causally precedes any other [CL85]; it is as if all the actors in Q took their snapshots simultaneously. Let us also say that Q is mutually quiescent if for all actors A, B in Q, all messages sent from A to B before A's snapshot were also received before B's snapshot. Notice that mutual quiescence is just a special case of consistency, in which all messages sent by actors in the cut to actors in the cut have been delivered. Moreover, if each actor in Q is idle and Q contains each actor's potential inverse acquaintances, then Q corresponds to a terminated set of actors: every actor in Q is blocked and only potentially reachable by other blocked actors in Q.
One might therefore hope to check whether Q is mutually quiescent by simply comparing the message send and receive counts of all snapshots in Q. Clearly, if Q is mutually quiescent, then the participants' send and receive counts will agree for each x : A B where A, B ∈ Q. However, the converse may be false for two reasons: out of order delivery of messages, and temporarily null message counts.
(1) Out-of-order delivery: In Figure 3, a snapshot from B when Sent(z, 1) is in its knowledge set would not be consistent with a snapshot from C when Received(z, 1) is in its knowledge set. This is because the message info(z, y) is sent after B's snapshot and received before C's snapshot. To guarantee this situation does not occur, we must be able to prove that B does not send any messages along z in the interval between B's snapshot and C's snapshot. In particular, this holds when C's snapshot happens before B's snapshot.
(2) Null message counts: Based on the available information, C's snapshot at t0 in Figure 3 appears mutually quiescent with B's snapshot at t2, and C's snapshot at t2 appears mutually quiescent with B's snapshot at t0, despite neither of these pairs being truly mutually quiescent. The problem is that when B's send count for z : B C is null, it could be because B has not yet received z or because B has already deactivated z. Likewise, C's receive count could be null because it has not yet received any messages along z or because z has already been released.
To distinguish these scenarios, we incorporate the snapshots of C's other potential inverse acquaintances, such as A, into the snapshot set Q. In Section 5 we identify a distributed property called the Chain Lemma that must hold in any consistent set of snapshots closed under the potential inverse acquaintance relation. We show, in Section 6, that combining the Chain Lemma with message counts is sufficient to determine whether a set of snapshots is mutually quiescent.
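As a sketch, the message-count comparison discussed above might look as follows. The snapshot encoding (dicts with "sent" and "received" maps) is our assumption, and treating a missing count as zero is precisely the null-count pitfall described in item (2), which is why this check is necessary but not sufficient on its own:

```python
def counts_agree(snapshots):
    """Necessary (but not sufficient) condition for mutual quiescence:
    for every refob token x, the send count recorded by its owner must
    match the receive count recorded by its target. Each snapshot is a
    dict with optional 'sent' and 'received' maps from tokens to counts;
    a missing entry is treated as a null (zero) count."""
    sent, received = {}, {}
    for snap in snapshots:
        sent.update(snap.get("sent", {}))
        received.update(snap.get("received", {}))
    tokens = set(sent) | set(received)
    return all(sent.get(x, 0) == received.get(x, 0) for x in tokens)
```

A set of snapshots that fails this check is certainly not mutually quiescent; a set that passes it still requires the additional structure developed in Sections 5 and 6.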

Definitions.
We use the capital letters A, B, C, D, E to denote actor addresses. Tokens are denoted x, y, z, with a special reserved token null for messages from external actors.
A fact is a value that takes one of the following forms: Created(x), Released(x), CreatedUsing(x, y), Active(x), Unreleased(x), Sent(x, n), or Received(x, n) for some refobs x, y and natural number n. Each actor's state holds a set of facts about refobs and message counts called its knowledge set. We use φ, ψ to denote facts and Φ, Ψ to denote finite sets of facts. Each fact may be interpreted as a predicate that indicates the occurrence of some past event. Interpreting a set of facts Φ as a set of axioms, we write Φ ⊢ φ when φ is derivable by first-order logic from Φ together with a small set of additional inference rules. For convenience, we also define a pair of functions incSent(x, Φ) and incRecv(x, Φ) that increment the message send and receive counts, respectively, recorded in Φ. Recall that an actor is either busy (processing a message) or idle (waiting for a message).

An actor with knowledge set Φ is denoted [Φ] if it is busy and (Φ) if it is idle.
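One plausible reading of incSent and incRecv, modeling a knowledge set as a Python set of fact tuples; both the tuple encoding and the treatment of a missing count as zero are our assumptions, not taken from the paper's definitions:

```python
def inc_count(kind, token, facts):
    """Replace the fact (kind, token, n) in the knowledge set with
    (kind, token, n + 1), starting from n = 0 if no such fact exists.
    Knowledge sets are modeled as (immutable snapshots of) Python sets."""
    n = 0
    for fact in facts:
        if fact[0] == kind and fact[1] == token:
            n = fact[2]
            break
    return (facts - {(kind, token, n)}) | {(kind, token, n + 1)}

def inc_sent(token, facts):
    return inc_count("Sent", token, facts)

def inc_recv(token, facts):
    return inc_count("Received", token, facts)
```

Note that each knowledge set contains at most one Sent and one Received fact per token, so the replacement is well-defined.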
Our specification includes both system messages (also called control messages) and application messages. The former are automatically generated by the DRL protocol and handled at the system level, whereas the latter are explicitly created and consumed by user-defined behaviors. Application-level messages are denoted app(x, R). The argument x is the refob used to send the message. The second argument R is a set of refobs created by the sender to be used by the destination actor. Any remaining application-specific data in the message is omitted in our notation.
The DRL communication protocol uses two kinds of system messages. info(y, z, B) is a message sent from an actor A to an actor C, informing it that a new refob z : B C was created using y : A C. release(x, n) is a message sent from an actor A to an actor B, informing it that the refob x : A B has been deactivated and that a total of n messages have been sent along x.
A configuration ⟨α | µ | ρ | χ⟩ is a quadruple (α, µ, ρ, χ) where: α is a mapping from actor addresses to knowledge sets; µ is a mapping from actor addresses to multisets of messages; and ρ, χ are sets of actor addresses. Actors in dom(α) are internal actors and actors in χ are external actors; the two sets may not intersect. The mapping µ associates each actor with the undelivered messages to that actor. Actors in ρ are receptionists. We will ensure that ρ ⊆ dom(α) remains valid in any configuration derived from a configuration where the property holds (referred to as the locality laws in [HB77]).
Configurations are denoted by κ, κ′, κ_0, etc. If an actor address A (resp. a token x) does not occur in κ, then the address (resp. the token) is said to be fresh. We assume a facility for generating fresh addresses and tokens.
In order to express our transition rules in a pattern-matching style, we will employ a shorthand for decomposing the mappings α and µ into disjoint parts. The rules of our transition system define atomic transitions from one configuration to another. Each transition rule has a label l, parameterized by some variables x̄ that occur in the left- and right-hand configurations. Given a configuration κ, these parameters functionally determine the next configuration κ′. Given arguments v̄, we write κ −l(v̄)→ κ′ to denote a semantic step from κ to κ′ using rule l(v̄).
We refer to a label with arguments l(v̄) as an event, denoted e. A sequence of events is denoted π. If π = e_1, . . . , e_n, then we write κ −π→ κ′ when κ −e_1→ · · · −e_n→ κ′. An execution (also called a computation path [AMST97]) is a sequence of events e_1, . . . , e_n such that κ_0 −e_1→ · · · −e_n→ κ_n, where κ_0 is the initial configuration (Section 4.2). We say that a property holds at time t if it holds in κ_t. We will also employ the shorthand that α_t is the actor configuration at time t, i.e. κ_t = ⟨α_t | µ | ρ | χ⟩. Note that the DRL communication protocol does not require a notion of a unique global time. We could have given a more general specification using concurrent rewriting [Mes92], in which potential executions are partial orders of events. A given execution in such a specification can be mapped to an execution in our system by mapping its partial order to a total order that respects the ordering specified in the partial order. We refer to "time" as an ordinal corresponding to an arbitrary total order that is consistent with a partial order in a system's execution (see [Cli81, Agh90a]). This allows us to prove various properties by induction on time t instead of by more complicated means.
4.2. Initial Configuration. The initial configuration κ_0 consists of a single actor A in a busy state: the actor's knowledge set includes a refob to itself and a refob to an external actor E. A can become a
receptionist by sending E a refob to itself. Henceforth, we will only consider configurations that are derivable from an initial configuration.
4.3. Standard Actor Operations. Figure 4 gives transition rules for standard actor operations, such as spawning actors and sending messages. Each of these rules corresponds to a rule in the standard operational semantics of actors [AMST97]. Note that each rule is atomic, but can just as well be implemented as a sequence of several smaller steps without loss of generality because actors do not share state; see [AMST97] for a formal proof.
The Spawn event allows a busy actor A to spawn a new actor B and creates two refobs x : A ⊸ B, y : B ⊸ B. B is initialized with knowledge about x and y via the facts Created(x), Created(y). The facts Active(x), Active(y) allow A and B to immediately begin sending messages to B. Note that implementing Spawn does not require a synchronization protocol between A and B to construct x : A ⊸ B. The parent A can pass both its address and the freshly generated token x to the constructor for B. Since actors typically know their own addresses, this allows B to construct the triple (x, A, B). Since the spawn call typically returns the address of the spawned actor, A can also create the same triple.
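The construction above can be sketched as follows; the encoding of refobs as (token, owner, target) triples and all function names are our own:

```python
import itertools

_tokens = itertools.count()

def fresh_token():
    """Generate a globally fresh token (a stand-in for the paper's token facility)."""
    return "t%d" % next(_tokens)

def spawn(parent_phi, parent, child):
    """Sketch of the Spawn event: parent A spawns child B, creating refobs
    x : A -> B and y : B -> B. Returns the parent's updated knowledge set,
    the child's initial knowledge set, and the refob x."""
    x = (fresh_token(), parent, child)  # refob as a (token, owner, target) triple
    y = (fresh_token(), child, child)
    parent_phi = parent_phi | {("Active", x)}
    child_phi = {("Created", x), ("Created", y), ("Active", y)}
    return parent_phi, child_phi, x
```

Note that, as the text observes, no synchronization is needed: both parent and child can construct the triple (x, A, B) independently.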
The Send event allows a busy actor A to send an application-level message to B containing a set of refobs z_1, . . . , z_n to actors C_1, . . . , C_n. Note that it is possible that B = A or C_i = A for some i in this sequence; i.e., an actor may send itself a message, or it may send B a refob containing its own address. For each new refob z_i, we say that the message contains z_i. Any other data in the message besides these refobs is irrelevant to termination detection and therefore omitted. To send the message, A must have active refobs to both the target actor B and to every actor C_1, . . . , C_n referenced in the message.
Figure 5: Rules for performing the release protocol.
For each target C_i, A adds a fact CreatedUsing(y_i, z_i) to its knowledge set; we say that A created z_i using y_i. Finally, A must increment its Sent count for the refob x used to send the message; we say that the message is sent along x.
The Receive event allows an idle actor B to become busy by consuming an application message sent to B. Before performing subsequent actions, B increments the receive count for x and adds all refobs in the message to its knowledge set.
Finally, the Idle event puts a busy actor into the idle state, enabling it to consume another message.
4.4. Release Protocol. Whenever an actor creates or receives a refob, it adds facts to its knowledge set. To remove these facts when they are no longer needed, actors can perform the release protocol defined in Figure 5. None of these rules is present in the standard operational semantics of actors.
Figure 6: Rules for interacting with the outside world.
The SendInfo event allows a busy actor A to inform C about a refob z : B ⊸ C that it created using y; we say that the info message is sent along y and contains z. This event allows A to remove the fact CreatedUsing(y, z) from its knowledge set. It is crucial that A also increments its Sent count for y to indicate an undelivered info message sent to C: it allows the snapshot aggregator to detect when there are undelivered info messages, which contain refobs. This message is delivered with the Info event, which adds the fact Created(z : B ⊸ C) to C's knowledge set and correspondingly increments C's Received count for y.
When an actor A no longer needs x : A ⊸ B for sending messages, A can deactivate x with the SendRelease event; we say that the release is sent along x. A precondition of this event is that A has already sent messages to inform B about all the refobs it has created using x. In practice, an implementation may defer sending any info or release messages to a target B until all of A's refobs to B have been deactivated. This introduces a trade-off between the number of control messages and the rate of simple garbage detection (Section 5).
Each release message for a refob x includes a count n of the number of messages sent along x. This ensures that release(x, n) is only delivered after all the preceding messages sent along x have been delivered. When the Release event executes, it adds the fact that x has been released to B's knowledge set. Once the target actor has received both an info and a release message for a refob x, it may remove the facts about x from its knowledge set using the Compaction event.
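The delivery condition for release messages can be sketched as a simple guard on the receiver's Received count (our own encoding, with facts as tuples as before):

```python
def can_deliver_release(phi, x, n):
    """release(x, n) may be processed only once the receiver's Received count
    for x has reached n, so that every ordinary message sent along x has
    already been delivered. A sketch of the guard, not the paper's formal rule."""
    received = 0
    for fact in phi:
        if fact[0] == "Received" and fact[1] == x:
            received = fact[2]
    return received >= n
```

An implementation would simply buffer the release message until the guard holds.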
Finally, the Snapshot event captures an idle actor's knowledge set. For simplicity, we have omitted the process of disseminating snapshots to an aggregator. Although this event does not change the configuration, it allows us to prove properties about snapshot events at different points in time.
4.5. Composition and Effects. We give rules to dictate how internal actors interact with external actors in Figure 6. The In and Out rules correspond to similar rules in the standard operational semantics of actors.
External actors may or may not participate in the DRL protocol themselves. It would be routine (but tedious) to define the composition of two DRL systems and to give additional rules for exchanging info and release messages between them. For simplicity, we only define the bare minimum interaction between a system and its environment; all release and info messages sent to external actors are simply dropped by the ReleaseOut and InfoOut events. For a complete formalization of actor composition, see [AMST97]. We do, however, explore how snapshot aggregators from different actor systems can cooperate to detect cycles of terminated actors across the two systems (Section 8).
The In event allows an external actor to send an application-level message to a receptionist A containing a set of refobs R, all owned by A. If the external actor participates in DRL, the message is annotated as usual with the token x used to send the message. Otherwise, a special null token can be used instead. All targets in R that are not internal actors are added to the set of external actors.
The Out event delivers an application-level message to an external actor with a set of refobs R. All internal actors referenced in R become receptionists because their addresses have been exposed to the outside world.
4.6. Basic Properties. We now prove some basic properties of our model, both to help understand its semantics and to assist with later proofs. Observe that app, info, and release messages along a refob x can only be sent when x is active. Moreover, the Release rule ensures that they must all be delivered before x can be released.
• Once CreatedUsing(y : A ⊸ C, z : B ⊸ C) is added to A's knowledge set, it will not be removed until after A has sent an info message containing z to C.
• Once Created(z : B ⊸ C) is added to C's knowledge set, it will not be removed until after C has received the (unique) release message along z.
• Once Released(z : B ⊸ C) is added to C's knowledge set, it will not be removed until after C has received the (unique) info message containing z.
Proof. Immediate from the transition rules.
The following lemma formalizes the argument made in Section 4.1. In our model, it is possible for the message counts of two actor snapshots to agree, and yet for there to be undelivered messages between the two actors. However, in the special case where no messages are sent during the interval between the two snapshots, we can indeed trust the message counts to accurately reflect the number of undelivered messages. Let t_1, t_2 be times such that x has not yet been deactivated at t_1 and x has not yet been released at t_2. In particular, t_1 and t_2 may be before the creation time of x.
Suppose that α_{t_1}(A) ⊢ Sent(x, n) and α_{t_2}(B) ⊢ Received(x, m) and, if t_1 < t_2, that A does not send any messages along x during the interval [t_1, t_2]. Then the difference max(n − m, 0) is the number of messages sent along x before t_1 that were not received before t_2.
Proof. Since x is not deactivated at time t_1 and unreleased at time t_2, the message counts were never reset by the SendRelease or Compaction rules. Hence n is the number of messages A sent along x before t_1 and m is the number of messages B received along x before t_2. Hence max(n − m, 0) is the number of messages sent before t_1 and not received before t_2.
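The count comparison in this lemma translates directly into code; the following helper is our own sketch, and its result is meaningful only when the lemma's hypotheses hold (x not deactivated or released, and no sends along x between the two snapshots):

```python
def undelivered_along(snapshot_a, snapshot_b, x):
    """Return max(n - m, 0), where n is A's Sent count for refob x in
    snapshot_a and m is B's Received count for x in snapshot_b.
    Snapshots are sets of fact tuples, as in the earlier sketches."""
    n = m = 0
    for fact in snapshot_a:
        if fact[0] == "Sent" and fact[1] == x:
            n = fact[2]
    for fact in snapshot_b:
        if fact[0] == "Received" and fact[1] == x:
            m = fact[2]
    return max(n - m, 0)
```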

Garbage.
We can now operationally characterize actor garbage in our model. An actor A can potentially receive a message in κ if there is a sequence of events (possibly of length zero) leading from κ to a configuration κ′ in which A has an undelivered message.
We say that an actor is terminated if it is idle and cannot potentially receive a message. An actor is blocked if it satisfies three conditions: (1) it is idle, (2) it is not a receptionist, and (3) it has no undelivered messages; otherwise, it is unblocked. We define potential reachability as the reflexive transitive closure of the potential acquaintance relation. That is, A_1 can potentially reach A_n if and only if there is a sequence of unreleased refobs (x_1 : A_1 ⊸ A_2), . . . , (x_{n−1} : A_{n−1} ⊸ A_n); recall that a refob x : A ⊸ B remains unreleased as long as B has not yet received a release message for x.
Notice that an actor can potentially receive a message if and only if it is potentially reachable from an unblocked actor. Hence an actor is terminated if and only if it is only potentially reachable by blocked actors. A special case of this is simple garbage, in which an actor is blocked and has no potential inverse acquaintances besides itself.
We say that a set of actors S is closed at time t (with respect to the potential inverse acquaintance relation) if, whenever B ∈ S and there is an unreleased refob x : A ⊸ B at time t, then also A ∈ S. The closure of a set of actors S is the smallest closed superset of S. Notice that the closure of a set of terminated actors is also a set of terminated actors.
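Computing the closure is a small fixed-point iteration; in this sketch (our own encoding), unreleased refobs are abstracted to (owner, target) pairs:

```python
def closure(actors, unreleased):
    """Smallest superset S of `actors` such that, whenever B is in S and
    (A, B) is an unreleased refob, A is also in S.
    `unreleased` is a set of (owner, target) pairs."""
    s = set(actors)
    changed = True
    while changed:
        changed = False
        for (owner, target) in unreleased:
            if target in s and owner not in s:
                s.add(owner)
                changed = True
    return s
```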

Chain Lemma
To determine if an actor has terminated, one must show that all of its potential inverse acquaintances have terminated. This appears to pose a problem for termination detection, since actors cannot have a complete listing of all their potential inverse acquaintances without some synchronization: actors would need to consult their acquaintances before creating new references to them. In this section, we show that the DRL protocol provides a weaker guarantee that will nevertheless prove sufficient: knowledge about an actor's refobs is distributed across the system and there is always a "path" from the actor to any of its potential inverse acquaintances.
Let us construct a concrete example of such a path, depicted in Figure 7. Suppose that A_1 spawns B, gaining a refob x_1 : A_1 ⊸ B. Then A_1 may use x_1 to create x_2 : A_2 ⊸ B, which A_2 may receive and then use x_2 to create x_3 : A_3 ⊸ B. At this point, there are unreleased refobs owned by A_2 and A_3 that are not included in B's knowledge set. However, Figure 7 shows that the distributed knowledge of B, A_1, A_2 creates a "path" to all of B's potential inverse acquaintances. Since A_1 spawned B, B knows the fact Created(x_1). Then when A_1 created x_2, it added the fact CreatedUsing(x_1, x_2) to its knowledge set, and likewise A_2 added the fact CreatedUsing(x_2, x_3); each fact points to another actor that owns an unreleased refob to B (Figure 7 (1)).

Figure 7: An example of a chain from B to x_3.
Since actors can remove CreatedUsing facts by sending info messages, we also consider an info message in transit (Figure 7 (2)) to be part of a "path" from B to A_3. But notice that, once B receives the info message, the fact Created(x_3) will be added to its knowledge set and so there will be a "direct path" from B to A_3. We formalize this intuition with the notion of a chain in a given configuration ⟨α | µ | ρ | χ⟩:
Definition 5.1. A chain to x : A ⊸ B is a sequence of unreleased refobs (x_1 : A_1 ⊸ B), . . . , (x_n : A_n ⊸ B) such that:
• B's knowledge set contains the fact Created(x_1);
• for every i < n, either A_i's knowledge set contains CreatedUsing(x_i, x_{i+1}) or the message info(x_i, x_{i+1}, A_{i+1}) is in transit; and
• A_n = A and x_n = x.
We say that an actor B is in the root set if it is a receptionist or if there is an application message app(x, R) in transit to an external actor with B ∈ targets(R).
Lemma 5.2 (Chain Lemma). Let B be an internal actor in κ. If B is not in the root set, then there is a chain to every unreleased refob x : A ⊸ B. Otherwise, there is a chain to some refob y : C ⊸ B where C is an external actor.
Remark: When B is in the root set, not all of its unreleased refobs are guaranteed to have chains. This is because an external actor may send B's address to other receptionists without sending an info message to B.
Proof. We prove that the invariant holds in the initial configuration and at all subsequent times by induction on events κ −e→ κ′, omitting events that do not affect chains. Let κ = ⟨α | µ | ρ | χ⟩ and κ′ = ⟨α′ | µ′ | ρ′ | χ′⟩. In the initial configuration, the only refob to an internal actor is y : A ⊸ A. Since A knows Created(y : A ⊸ A), the invariant is satisfied. In the cases below, let x, y, z, A, B, C be free variables, not referencing the variables used in the statement of the lemma.
• Send(x, y, z, A, B, C) creates a new refob z : B ⊸ C using y : A ⊸ C. If C is already in the root set, then the invariant is trivially preserved. Otherwise, there must be a chain (x_1 : A_1 ⊸ C), . . . , (x_n : A_n ⊸ C) where x_n = y and A_n = A. Then x_1, . . . , x_n, z is a chain in κ′, since α′(A_n) ⊢ CreatedUsing(x_n, z).
If B is an internal actor, then this shows that every unreleased refob to C has a chain in κ′. Otherwise, C is in the root set in κ′. To see that the invariant still holds, notice that z : B ⊸ C is a witness of the desired chain.
• SendInfo(y, z, A, B, C) removes the CreatedUsing(y, z) fact but also sends info(y, z, B), so chains are unaffected.
• Info(y, z, B, C) delivers info(y, z, B) to C and adds Created(z : B ⊸ C) to its knowledge set.
Suppose z : B ⊸ C is part of a chain (x_1 : A_1 ⊸ C), . . . , (x_n : A_n ⊸ C), i.e. x_i = y and x_{i+1} = z and A_{i+1} = B for some i < n. Since α′(C) ⊢ Created(x_{i+1} : A_{i+1} ⊸ C), we still have a chain x_{i+1}, . . . , x_n in κ′.
• Release(x, A, B) releases the refob x : A ⊸ B. Since external actors never release their refobs, both A and B must be internal actors.
Suppose the released refob was part of a chain (x_1 : A_1 ⊸ B), . . . , (x_n : A_n ⊸ B), i.e. x_i = x and A_i = A for some i < n. We will show that x_{i+1}, . . . , x_n is a chain in κ′.
Before performing SendRelease(x, A, B), the actor A must have sent an info message containing x_{i+1} along x_i = x. Since the info message was sent along x_i, Lemma 4.1 ensures that the message must have been delivered before the present Release event. Furthermore, since x_{i+1} is an unreleased refob in κ′, Lemma 4.2 ensures that α′(B) ⊢ Created(x_{i+1} : A_{i+1} ⊸ B).

Termination Detection
In the following three sections, we present the scheme for detecting non-simple terminated actors in DRL. First, we define what it means for a set of snapshots to be finalized and prove that finalized sets correspond to closed sets of terminated actors. This reduces termination detection to simply collecting snapshots at an aggregator and periodically searching the collection for finalized subsets. We prove that such an approach is safe and live (under reasonable fairness assumptions). Next, in Section 7, we give an algorithm for finding the maximum finalized subset (the union of all finalized subsets) in an arbitrary set of snapshots. This gives each aggregator an efficient procedure for detecting terminated actors. Lastly, in Section 8, we show how a decentralized group of snapshot aggregators can cooperate to detect distributed garbage while exchanging minimal information. This makes DRL's termination detection scalable, parallelizable, and capable of making progress despite network partitions.
6.1. Consistent snapshots. Recall that when we speak of a set of snapshots Q, we assume each snapshot was taken by a different actor. We will therefore represent Q as a mapping from actor names to snapshots, with Q(A) denoting A's snapshot in Q.
As shown in Section 4.1, actor snapshots taken at different times can result in conflicting accounts of the configuration. Hence, in general, an arbitrary set of snapshots Q does not accurately describe the current configuration. If a set of snapshots does accurately describe the configuration, we say that it is consistent. Formally, Q is consistent at time t if Q(A) = α_t(A) for every A ∈ dom(Q). That is, the snapshot Q(A) may not have been taken at time t, yet the contents of A's knowledge set at time t are the same as Q(A). If Q is consistent at time t, then it is as if all the actors of dom(Q) took their snapshots at time t.
Another important notion is that of a terminated actor's final action. We define this as the last non-snapshot event that an actor performs before becoming terminated. Notice that an actor's final action can only be an Idle, Info, or Release event. This is because terminated actors are idle, and only these three events change an actor's status from busy to idle. Note also that the final action may come strictly before an actor becomes terminated, since a blocked actor is only considered to be terminated once all of its potential inverse acquaintances are terminated.
We can now give a simple proof of our earlier claim that snapshots from terminated actors are consistent. This property will allow us to treat finalized sets of snapshots as if they were all taken at an instant in global time.
Lemma 6.2. Let S be a closed set of terminated actors at time t_f. If every actor in S took a snapshot sometime after its final action, then the resulting set of snapshots Q is consistent at t_f.

Proof.
A terminated actor's knowledge set never changes. Moreover, an actor's knowledge set cannot change between the point of performing its final action and becoming terminated. Hence each actor A's snapshot in Q agrees with A's knowledge set at time t_f.
6.2. Finalized sets. Given a consistent set of snapshots Q, is it possible to determine whether the actors of dom(Q) are terminated? Let us begin by giving an alternative characterization of terminated actors: an actor A is terminated if and only if every actor in the closure S of {A} is idle and the actors of S are mutually quiescent, i.e. there are no undelivered messages among them.

Proof. By definition, A is terminated if and only if every actor that can potentially reach A is blocked. Notice that the closure S is precisely the set of actors that can potentially reach A. Hence, if A is terminated, then the actors of S are blocked, i.e. idle with no undelivered messages from any actor. Conversely, let the actors of S be idle and mutually quiescent. Could any of them have undelivered messages from actors outside S? The basic property of Lemma 4.1 shows that this cannot occur: any sender of such a message would hold an unreleased refob to an actor in S and must therefore be in S. Hence the actors of S are all blocked and A is terminated.
By the above lemma, we can only conclude that the actors of dom(Q) are terminated if dom(Q) is closed, mutually quiescent, and all the actors are idle. This last condition is automatically satisfied by our communication protocol, since only idle actors take snapshots. In order to check the other two conditions, we will inspect the snapshots themselves.
To check that dom(Q) is closed, recall that every unreleased refob x : A ⊸ B has a chain (x_1 : A_1 ⊸ B), . . . , (x_n : A_n ⊸ B). If dom(Q) is terminated, then there can be no undelivered info messages. Hence x must satisfy the predicate Chain(x : A ⊸ B), which holds when either Q(B) ⊢ Created(x), or Q ⊢ Chain(y : C ⊸ B) and Q(C) ⊢ CreatedUsing(y, x) for some y, and in both cases Q(B) ⊬ Released(x). Checking whether dom(Q) is closed therefore amounts to checking that B ∈ dom(Q) and Q ⊢ Chain(x : A ⊸ B) always implies A ∈ dom(Q). To decide whether dom(Q) is mutually quiescent, we need to check that there are no undelivered messages along each unreleased refob x : A ⊸ B with A, B ∈ dom(Q). In a consistent set of snapshots, we can do so by inspecting the message counts of A and B for x. Hence x must satisfy the predicate Relevant(x : A ⊸ B), which holds when A ∈ dom(Q), Q(A) ⊢ Active(x), and Q ⊢ Sent(x, n) ∧ Received(x, n) for some n. Together, we can use these predicates to characterize a set of snapshots from a closed, terminated set of actors.
Definition 6.6. A set of snapshots Q is finalized if, for all B ∈ dom(Q) and for all x : A ⊸ B, Q ⊢ Chain(x) implies Q ⊢ Relevant(x).
The first condition ensures that dom(Q) is closed: Q ⊢ Chain(x : A ⊸ B) implies that A is a potential inverse acquaintance of B. The second condition ensures that dom(Q) is mutually quiescent: between any two actors A, B ∈ dom(Q), the message counts for any unreleased refob x : A ⊸ B must agree. If finalized sets Q correspond to closed sets of terminated actors S, then we would expect that a consistent snapshot of S is finalized. This is indeed the case:
Theorem 6.7. Let Q be a consistent set of snapshots at time t of a closed set of terminated actors S. Then Q is finalized.

Proof. First, we show that if B ∈ dom(Q) and x : A ⊸ B is an unreleased refob at time t, then Q ⊢ Chain(x) ∧ Active(x) ∧ Sent(x, n) ∧ Received(x, n) for some n.
• Q ⊢ Chain(x) follows from Lemma 5.2 because B is blocked and S is closed.
• Q ⊢ Active(x) holds because x must be activated: if x were pending then A would be unblocked, and if x were deactivated then B would be unblocked.
• Q ⊢ Sent(x, n) ∧ Received(x, n) holds because there are no undelivered messages between A and B at time t, so the send and receive counts of x at time t must agree.
Now it suffices to show that, if Q ⊢ Chain(x), then x : A ⊸ B is unreleased at time t. There are two cases: either Q(B) ⊢ Created(x) or Q(C) ⊢ CreatedUsing(y, x) for some C, y. In both cases, x was created before time t. Since Q is consistent and Q(B) ⊬ Released(x), it follows from Lemma 4.2 that B has not yet received a release message for x. Hence x is unreleased at time t.
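The finalized-set check of Definition 6.6 can be made executable. The sketch below is our own simplified encoding: snapshots are fact sets keyed by actor name, refobs are (token, owner, target) triples, and in-transit info messages are ignored (none can exist in a terminated configuration):

```python
def chained_refobs(Q, b):
    """Refobs x : A -> B derivable as chains to actor b from the snapshots in Q.
    Q maps actor names to fact sets."""
    def released(x):
        return ("Released", x) in Q.get(x[2], set())
    found = set()
    for fact in Q.get(b, set()):              # base case: b's own Created facts
        if fact[0] == "Created" and not released(fact[1]):
            found.add(fact[1])
    changed = True
    while changed:                            # inductive case: CreatedUsing facts
        changed = False
        for y in list(found):
            for fact in Q.get(y[1], set()):   # y[1] is the owner of refob y
                if (fact[0] == "CreatedUsing" and fact[1] == y
                        and fact[2] not in found and not released(fact[2])):
                    found.add(fact[2])
                    changed = True
    return found

def relevant(Q, x):
    """Relevant(x : A -> B): the owner A took a snapshot in which x is active,
    and A's Sent count for x matches B's Received count."""
    _, a, b = x
    if a not in Q:
        return False
    sent = next((f[2] for f in Q[a] if f[0] == "Sent" and f[1] == x), 0)
    recv = next((f[2] for f in Q.get(b, set()) if f[0] == "Received" and f[1] == x), 0)
    return ("Active", x) in Q[a] and sent == recv

def is_finalized(Q):
    """Every chained refob to a snapshotted actor must be relevant."""
    return all(relevant(Q, x) for b in Q for x in chained_refobs(Q, b))
```

For example, a parent and child whose message counts agree form a finalized pair, while a count mismatch (an undelivered message) or a missing owner snapshot (a non-closed set) blocks detection.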
By contrapositive, if Q is not finalized then it cannot be a consistent set of snapshots from a closed set of terminated actors. Recall also that any set of snapshots from terminated actors is guaranteed to be consistent (Lemma 6.2). Hence, if Q is not finalized, then either some actor in dom(Q) is not terminated or dom(Q) is not closed. The latter case indicates that there is insufficient information to conclude whether the actors of dom(Q) are terminated: they may or may not be reachable by an unblocked actor outside of dom(Q). We now show that, surprisingly, the converse of Theorem 6.7 also holds: any finalized set of snapshots Q necessarily describes a closed set of terminated actors, with each snapshot taken at some point after the actor's final action. By Lemma 6.2, such a set of snapshots is also consistent.
Given a set of snapshots Q taken before some time t_f, we write Q_t to denote those snapshots in Q that were taken before time t < t_f. If A ∈ dom(Q), we denote the time of A's snapshot as t_A.
Theorem 6.8. Let Q be a finalized set of snapshots at time t_f. Then for all times t: (1) if B ∈ dom(Q_t) and x : A ⊸ B is unreleased, then Q ⊢ Chain(x); and (2) the actors of dom(Q_t) are all blocked. In particular, Q_t = Q when t ≥ t_f.
Proof. By induction on t. Notice that these two properties hold trivially in the initial configuration because Q_0 = ∅.
For the induction step, assume both properties hold at time t and call them IH-1 and IH-2, respectively. We show that IH-1 and IH-2 are preserved by any legal transition κ −e→ κ′.

Snapshot(B, Φ). Suppose B ∈ dom(Q) takes a snapshot at time t. We show that if x : A ⊸ B is unreleased at time t, then Q ⊢ Chain(x) and there are no undelivered messages along x from A to B. We do this with the help of two lemmas.
Lemma 6.9. If Q ⊢ Relevant(x : A ⊸ B), then there are no undelivered messages along x at time t.
Proof (Lemma). Since Q ⊢ Relevant(x : A ⊸ B), we have A ∈ dom(Q) and Q ⊢ Active(x) and Q ⊢ Sent(x, n) ∧ Received(x, n) for some n.
Consider the case when t_A > t. Since Q(A) ⊢ Active(x), x is not deactivated and therefore not released at t_A or t. Hence, by Lemma 4.3, every message sent along x before t_A was received before t. Since message sends precede receipts, each of those messages was sent before t. Hence there are no undelivered messages along x throughout [t, t_A]. Now consider the case when t_A < t. Since Q(A) ⊢ Active(x), x is not deactivated and not released at t_A. By IH-2, A was blocked throughout the interval [t_A, t], so it could not have sent a release message. Hence x is still not deactivated at t and therefore not released at t. By Lemma 4.3, all messages sent along x before t_A must have been delivered before t. Hence, there are no undelivered messages along x at time t.
Lemma 6.10. Let (x_1 : A_1 ⊸ B), . . . , (x_n : A_n ⊸ B) be a chain to x : A ⊸ B at time t. Then Q ⊢ Chain(x).
Proof (Lemma). We prove by induction on the length of the chain that Q ⊢ Chain(x_i) for all i ≤ n. Base case: by the definition of a chain, α_t(B) ⊢ Created(x_1) and α_t(B) ⊬ Released(x_1). Since B's snapshot happens at time t, we must have Q(B) ⊢ Created(x_1) and Q(B) ⊬ Released(x_1).
For the induction step, suppose Q ⊢ Chain(x_i). By the definition of a chain, either the message info(x_i, x_{i+1}, A_{i+1}) is in transit or α_t(A_i) ⊢ CreatedUsing(x_i, x_{i+1}). But the first case is impossible by Lemma 6.9, so we only need to consider the latter.
Consider the case where t_i > t. Lemma 6.9 implies that A_i cannot perform the SendInfo event for x_{i+1} during the interval [t, t_i]; hence Q(A_i) ⊢ CreatedUsing(x_i, x_{i+1}). Now consider the case where t_i < t. By IH-2, A_i must have been blocked throughout the interval [t_i, t]. Hence A_i could not have created any refobs during this interval, so x_{i+1} must have been created before t_i. This implies α_{t_i}(A_i) ⊢ CreatedUsing(x_i, x_{i+1}). In either case, Q ⊢ Chain(x_{i+1}).
Lemma 6.10 implies that B cannot be in the root set. If it were, then by the Chain Lemma there would be a refob y : C ⊸ B with a chain, where C is an external actor. Since Q ⊢ Chain(y), there would need to be a snapshot from C in Q; but external actors do not take snapshots, so this is impossible.
Since B is not in the root set, there must be a chain to every unreleased refob x : A ⊸ B. By Lemma 6.10, Q ⊢ Chain(x). By Lemma 6.9, there are no undelivered messages to B along x at time t. Since B can only have undelivered messages along unreleased refobs (Lemma 4.1), the actor is indeed blocked.
Send(x, y, z, A, B, C). In order to maintain IH-2, we must show that if B ∈ dom(Q_t) then this event cannot occur. So suppose B ∈ dom(Q_t). By IH-1, we must have Q ⊢ Chain(x : A ⊸ B), so A ∈ dom(Q). By IH-2, we moreover have A ∈ dom(Q) \ dom(Q_t); otherwise A would be blocked and unable to send this message. Since Q ⊢ Relevant(x), we must have Q(A) ⊢ Sent(x, n) and Q(B) ⊢ Received(x, n) for some n. Hence x is not deactivated at t_A and unreleased at t_B. By Lemma 4.3, every message sent before t_A is received before t_B. Hence A cannot send this message to B, because t_A > t > t_B.
In order to maintain IH-1, we will show that if one of the refobs sent to B in this step is z : B ⊸ C, where C ∈ dom(Q_t), then Q ⊢ Chain(z). In the configuration that follows this Send event, CreatedUsing(y, z) occurs in A's knowledge set. By the same argument as above, A ∈ dom(Q) \ dom(Q_t) and Q(A) ⊢ Sent(y, n) and Q(C) ⊢ Received(y, n) for some n. Hence A cannot perform the SendInfo(y, z, A, B, C) event before t_A, so Q(A) ⊢ CreatedUsing(y, z). Since Q ⊢ Chain(y) ∧ CreatedUsing(y, z) and Q ⊬ Released(z), we have Q ⊢ Chain(z).
SendInfo(y, z, A, B, C). By the same argument as above, an actor A cannot send an info message to B ∈ dom(Q_t) without violating the message counts, so IH-2 is preserved.
SendRelease(x, A, B). Suppose that A ∉ dom(Q_t) and B ∈ dom(Q_t). By IH-1, Q ⊢ Chain(x) at time t. Since Q ⊢ Relevant(x), it follows that Q(A) ⊢ Active(x). Hence A cannot deactivate x, and IH-2 is preserved.
In(A, R). By IH-1, every potential inverse acquaintance of an actor in dom(Q_t) is also in dom(Q). Hence none of the actors in dom(Q_t) is a receptionist, and this rule does not affect the invariants.
Out(x, B, R). Suppose (y : B ⊸ C) ∈ R with C ∈ dom(Q_t). Then y is unreleased and Q ⊢ Chain(y) and B ∈ dom(Q). But this is impossible, because B is an external actor and external actors do not take snapshots.
End of proof of Theorem 6.8.
Corollary 6.11 (Safety). If Q is a finalized set of snapshots at time t_f, then the actors of dom(Q) are all terminated at t_f.
Proof. Theorem 6.8 implies that, at t_f, all the actors of dom(Q) are blocked. Together with the fact that Q is finalized, it also implies that dom(Q) is closed under the potential inverse acquaintance relation at t_f. Hence every actor that can potentially reach B ∈ dom(Q) at t_f is blocked, so by definition every B ∈ dom(Q) is terminated at t_f.
Recall that a snapshot aggregator detects terminated actors by receiving actor snapshots and periodically looking for finalized subsets. It is now simple to see that this algorithm is live, under reasonable fairness assumptions: Theorem 6.12 (Liveness). If every actor eventually takes a snapshot after performing an Idle, Info, or Release event, then every terminated actor is eventually part of a finalized set of snapshots.
Proof. If an actor A is terminated, then the closure S of {A} is a terminated set of actors. Every actor in S eventually takes a snapshot after taking its final action, and the resulting set of snapshots is consistent by Lemma 6.2. Then Theorem 6.7 implies that the resulting set of snapshots is finalized.
6.3. Strongly finalized sets. Note that our definition of finalized sets differs from the definition that originally appeared in [PA20]. This old definition, which we now call "strongly finalized", used Q ⊢ Unreleased(x) instead of Q ⊢ Chain(x):
Definition 6.13. A set of snapshots Q is strongly finalized if, for all B ∈ dom(Q) and for all x : A ⊸ B, Q ⊢ Unreleased(x) implies Q ⊢ Relevant(x).
In fact, the two notions of finalized are equivalent. However, in the process of developing the theory in Sections 7 and 8, we found this old definition to be inconvenient.
Notice that any strongly finalized Q is also finalized, because Q ⊢ Chain(x) implies Q ⊢ Unreleased(x). However, in an arbitrary set Q, Q ⊢ Unreleased(x) does not imply Q ⊢ Chain(x): there could exist A, B, C ∈ dom(Q) such that Q(A) ⊢ CreatedUsing(x : A ⊸ C, y : B ⊸ C) but Q ⊬ Chain(x). Could such a situation occur in a finalized Q? We prove below that no, this is impossible: Theorem 6.14. If Q is finalized then Q is strongly finalized.
Proof. We will show that if Q is finalized, then Q ⊢ Unreleased(x : A ⊸ B) and B ∈ dom(Q) implies Q ⊢ Chain(x : A ⊸ B). Note that Q is consistent at some time t_f, since dom(Q) is a closed terminated set of actors where each snapshot was taken after the actor's final action.
By definition, Q ⊢ Unreleased(x : A ⊸ B) implies that Q ⊬ Released(x) and either (1) Q ⊢ Created(x) or (2) Q ⊢ CreatedUsing(y, x) for some y : C ⊸ B. In case (1), we have a trivial chain, so Q ⊢ Chain(x). In case (2), notice that we must have Q ⊢ Active(y). Since Q is consistent, y must be an unreleased refob at t_f. Due to Lemma 5.2, there must be a chain of unreleased refobs (y_1 : C_1 ⊸ B), . . . , (y_n : C_n ⊸ B) at t_f with y_n = y. Again since Q is consistent, we must have Q ⊢ Created(y_1) and Q ⊢ CreatedUsing(y_i, y_{i+1}) for each i < n and Q ⊬ Released(y_i) for each i ≤ n. Hence Q ⊢ Chain(y). Since also Q ⊢ CreatedUsing(y, x) and Q ⊬ Released(x), we can "extend" this chain to derive Q ⊢ Chain(x).
Thanks to this theorem, we can use the two definitions interchangeably.

Maximal Finalized Subsets
In the previous section, we showed that a finalized set of snapshots corresponds to a closed set of terminated actors. Hence, the problem of garbage collection reduces to finding all the finalized subsets of an arbitrary set of snapshots Q. In this section, we show that there is in fact a single largest finalized subset Q_f ⊆ Q that contains all other finalized subsets. We then show that Q_f can be computed in linear time by removing all snapshots that cannot appear in a finalized subset.
Originally, we presented a slightly different algorithm in [PA20]. It operates similarly to the new algorithm, iteratively removing snapshots that appear not to be in a finalized subset. However, we subsequently discovered through model checking that the original algorithm could sometimes be overzealous: the presence of certain "stale" snapshots in Q can cause other snapshots to be unnecessarily removed. In other words, the computed set is finalized but not necessarily maximal. Nevertheless, since the original algorithm can have better cache locality than the new algorithm, it may be more practical for real systems. We present the algorithm again in Section 7.2 and go on to prove that it eventually detects all terminated actors, under reasonable fairness conditions.

7.1. Chain Algorithm. Let us first show that a maximum finalized subset always exists. Notice that finalized sets are closed under union when they agree on dom(Q_1) ∩ dom(Q_2): Lemma 7.1. Let Q_1, Q_2 be finalized sets of snapshots that agree at their intersection, i.e. ∀A ∈ dom(Q_1) ∩ dom(Q_2), Q_1(A) = Q_2(A). Then Q_1 ∪ Q_2 is also finalized. Proof. Suppose Q_1 ∪ Q_2 ⊢ Chain(x) for some x : A ⊸ B; we must show that Q_1 ∪ Q_2 ⊢ Relevant(x). Let (x_1 : A_1 ⊸ B), . . . , (x_n : A_n ⊸ B) be the chain. Let Q be either Q_1 or Q_2; we prove by induction on n that, if B ∈ dom(Q), then ∀i ≤ n, Q ⊢ Chain(x_i). If n = 1, then Q(B) ⊢ Created(x_1) and Q(B) ⊬ Released(x_1), which implies Q ⊢ Chain(x_1). For n > 1, Q ⊢ Chain(x_{n−1}) implies Q ⊢ Relevant(x_{n−1}) since Q is finalized, and therefore A_{n−1} ∈ dom(Q). Hence Q(A_{n−1}) ⊢ CreatedUsing(x_{n−1}, x_n), which implies Q ⊢ Chain(x_n).
Since each of Q_1, Q_2 is finalized, we must therefore have Q ⊢ Relevant(x), i.e. Q ⊢ Active(x) ∧ Sent(x, k) ∧ Received(x, k) for some k. By definition of (⊢), it follows that Q_1 ∪ Q_2 ⊢ Relevant(x).

Any two finalized subsets of Q will satisfy the condition of this lemma. Hence the maximum finalized subset Q_f is the union of all finalized subsets of Q.
Next, we characterize which snapshots in Q can and cannot appear in a finalized subset of Q. To this end, we define the following useful concept: Definition 7.2. We say that B depends on A in Q if A = B or there is a sequence of one or more refobs (x_1 : A_1 ⊸ A_2), . . . , (x_n : A_{n−1} ⊸ A_n) where A = A_1 and B = A_n and, for each i < n, Q ⊢ Chain(x_i : A_i ⊸ A_{i+1}). Hence the "depends on" relation is reflexive and transitive.
The following lemmas show that if there exists A ∈ dom(Q) such that A ∉ dom(Q_f), then every B that depends on A in Q also cannot appear in Q_f.
Lemma 7.3. Let Q_f be a finalized subset of Q with B ∈ dom(Q_f). If Q ⊢ Chain(x : A ⊸ B), then Q_f ⊢ Chain(x : A ⊸ B).

Proof. Proof by induction on the length of the chain (x_1 : A_1 ⊸ B), . . . , (x_n : A_n ⊸ B). If n = 1, then Q(B) ⊢ Created(x_1) and Q(B) ⊬ Released(x_1). Hence any subset Q_f of Q containing B must have Q_f ⊢ Chain(x_1).
If n > 1, assume Q_f ⊢ Chain(x_{n−1}). Since Q_f is finalized, A_{n−1} ∈ dom(Q_f). Since Q(A_{n−1}) ⊢ CreatedUsing(x_{n−1}, x_n) and Q(B) ⊬ Released(x_n), it follows that Q_f ⊢ Chain(x_n).
Lemma 7.4. If B depends on A in Q, then every finalized subset of Q containing B must also contain A.
Proof. If A = B then the lemma trivially holds. We prove that this must hold for nontrivial sequences by induction on the length of the sequence (x_1 : A_1 ⊸ A_2), . . . , (x_n : A_{n−1} ⊸ A_n). If n = 1, then Q ⊢ Chain(x_1 : A ⊸ B), so by Lemma 7.3, Q_f ⊢ Chain(x_1 : A ⊸ B) for any finalized subset Q_f containing B. Since Q_f is finalized, we must also have Q_f ⊢ Relevant(x_1 : A ⊸ B) and therefore A ∈ dom(Q_f).
For n > 1, assume any finalized subset containing A_{n−1} must also contain A_1. By the same argument as above, any finalized subset containing A_n must contain A_{n−1}, and therefore also contain A_1.
We can also use the notion of dependency to give a new characterization of finalized sets: Definition 7.5. We say that C is finalized in Q if, for every actor B on which C depends in Q and every refob x : A ⊸ B, Q ⊢ Chain(x) implies Q ⊢ Relevant(x). Lemma 7.6. C is finalized in Q if and only if C is in a finalized subset of Q.
Proof. If C is finalized in Q, let Q_f be the subset of Q containing only snapshots of actors on which C depends. To see that Q_f is finalized, first notice that each B ∈ dom(Q_f) has a sequence of refobs (x_1 : A_1 ⊸ A_2), . . . , (x_n : A_{n−1} ⊸ A_n) where B = A_1 and C = A_n; by transitivity, every actor on which B depends is also an actor on which C depends, and therefore has its snapshot in Q_f. Hence, if Q_f ⊢ Chain(x : A ⊸ B), then also Q ⊢ Chain(x : A ⊸ B), so Q ⊢ Relevant(x) because C is finalized in Q; since A ∈ dom(Q_f), it follows that Q_f ⊢ Relevant(x). Conversely, let C be in a finalized subset Q_f, and suppose C depends on some B in Q with Q ⊢ Chain(x : A ⊸ B). By Lemma 7.4, B ∈ dom(Q_f), so by Lemma 7.3, Q_f ⊢ Chain(x), which implies Q_f ⊢ Relevant(x) and hence Q ⊢ Relevant(x). Therefore C is finalized in Q.

Now let Q_f denote the maximum finalized subset of Q. Since C ∈ dom(Q_f) if and only if C is finalized in Q, it follows that C ∉ dom(Q_f) if and only if C is not finalized in Q. Hence, to find the maximum finalized subset of Q it suffices to remove every snapshot that is not finalized in Q. Theorem 7.7. Algorithm 1 computes the largest finalized subset of Q.
Proof. Clearly, an actor is not finalized in Q if and only if it depends on one of the actors of S_1. Hence S_2 is precisely the set of all actors that are not finalized in Q. Its complement, S_3, is therefore the set of all finalized actors in Q.
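To make the sets S_1, S_2, and S_3 concrete, here is a minimal sketch of the computation in Python (our own illustration, not code from the paper): snapshots are abstracted to actor names, and the relevance check is assumed to have already produced S_1. The names `max_finalized_subset` and `chain_edges` are ours.

```python
from collections import deque

def max_finalized_subset(actors, chain_edges, s1):
    """Sketch of the Chain Algorithm.

    actors:      dom(Q), a set of actor names
    chain_edges: one edge A -> B per refob x : A -o B with Q |- Chain(x),
                 so "B depends on A" is forward reachability along edges
    s1:          actors targeted by a chain refob x with Q not|- Relevant(x)
    """
    # S2: everything that depends on an actor in S1 (forward closure).
    s2, frontier = set(s1), deque(s1)
    while frontier:
        a = frontier.popleft()
        for b in chain_edges.get(a, ()):
            if b not in s2:
                s2.add(b)
                frontier.append(b)
    # S3: the complement of S2 is the largest finalized subset.
    return actors - s2
```

Each edge is visited at most once, giving the O(m) bound discussed below.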

7.2. Heuristic Algorithm. Although the algorithm above has O(m) time complexity, where m is the number of unreleased refobs in Q, it can suffer from poor locality: finding every x : A ⊸ B such that Q ⊢ Chain(x) requires tracing a path from B to all of its potential inverse acquaintances using the chains of CreatedUsing facts.
One way to address this problem is to keep the CreatedUsing chains short, by having actors not keep the CreatedUsing fact in their knowledge set for long periods of time. In the extreme case, actors can immediately perform the SendInfo rule whenever they create a refob. This relieves the snapshot aggregator from dealing with CreatedUsing chains entirely, at the cost of increased control messages between actors.
Another interesting approach is for the snapshot aggregator to use a heuristic to find some finalized subset, not necessarily the largest one. For our heuristic, notice that Q ⊢ Chain(x) implies Q ⊢ Unreleased(x) in any set of snapshots Q. This motivates a new definition: Definition 7.8. B potentially depends on A in Q if A = B or there is a sequence of one or more refobs (x_1 : A_1 ⊸ A_2), . . . , (x_n : A_{n−1} ⊸ A_n) where A = A_1 and B = A_n and, for each i < n, Q ⊢ Unreleased(x_i : A_i ⊸ A_{i+1}). Notice that if B depends on A, then B also potentially depends on A; the latter is a coarser relation than the former.
Our heuristic algorithm is identical to the original, except that S_2 is the set of all actors that potentially depend on S_1. Since the "potentially depends" relation is coarser than the "depends" relation, every snapshot in the resulting set is necessarily in the maximum finalized subset. The following lemma shows that, indeed, only "stale" snapshots prevent the resulting set from being the largest finalized subset.
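The gap between the two relations can be illustrated with a toy example (our own construction; the dictionaries below are hypothetical): a stale snapshot can contribute an Unreleased fact with no corresponding chain, so the heuristic's closure removes strictly more snapshots than the exact algorithm.

```python
from collections import deque

def closure(seed, edges):
    """Forward closure of `seed` along (owner -> target) edges."""
    seen, frontier = set(seed), deque(seed)
    while frontier:
        a = frontier.popleft()
        for b in edges.get(a, ()):
            if b not in seen:
                seen.add(b)
                frontier.append(b)
    return seen

# One edge per refob x : A -o B with Q |- Chain(x) ...
chain_edges = {"A": {"B"}}
# ... and per refob with Q |- Unreleased(x); the extra edge A -> C comes
# from a stale snapshot and has no corresponding chain.
unreleased_edges = {"A": {"B", "C"}}

removed_exact = closure({"A"}, chain_edges)            # {"A", "B"}
removed_heuristic = closure({"A"}, unreleased_edges)   # {"A", "B", "C"}
```

The heuristic additionally removes C, so its output is a finalized subset that is not maximal, exactly as described above.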
Lemma 7.9. Let Q be an arbitrary set of snapshots at time t, and Q_f the largest finalized subset of Q. Let Q′ be another set of snapshots, all taken after time t, such that dom(Q′) ∩ dom(Q) = ∅. Then for all B ∈ dom(Q_f) and all x : A ⊸ B, Q′ ∪ Q_f ⊢ Unreleased(x) implies Q′ ∪ Q_f ⊢ Chain(x).

Proof. Suppose Q′ ∪ Q_f ⊢ Unreleased(x : A ⊸ B) with B ∈ dom(Q_f). If every snapshot witnessing this fact is in Q_f, then Q_f ⊢ Unreleased(x); since Q_f is finalized, Theorem 6.14 implies Q_f ⊢ Chain(x), and therefore Q′ ∪ Q_f ⊢ Chain(x). Now suppose some witness C ∈ dom(Q′) \ dom(Q_f). This implies C ≠ B and therefore Q′(C) ⊢ CreatedUsing(y, x) for some y : C ⊸ B. This implies that Q′(C) ⊢ Active(y), so y is unreleased at the time of C's snapshot t_C. But since dom(Q_f) is closed at time t_C, this implies C ∈ dom(Q_f) after all; a contradiction. Hence every witness is in dom(Q_f), so Q′ ∪ Q_f ⊢ Chain(x) by the argument above.
Hence, if every non-terminated actor eventually takes a snapshot, a snapshot aggregator running the heuristic algorithm will eventually detect all terminated garbage.

Cooperative Garbage Collection
Up to this point we have assumed the existence of a single snapshot aggregator that eventually receives all snapshots. However, there is no reason this must be a centralized entity. For instance, we can view a multicore actor system as a composition of n actor systems, one for each processor core. It would be natural to have a snapshot aggregator for each system, dedicated to detecting and collecting terminated actors in that system. To detect terminated sets of actors distributed across multiple systems, the aggregators can gossip their local snapshots amongst themselves; eventually every aggregator will obtain enough snapshots to detect all local terminated actors. Moreover, since the actor model is location-transparent, this same strategy extends to distributed multicore systems as well.
More formally, the cooperative garbage collection problem is for two snapshot aggregators, with disjoint snapshot sets Q_1, Q_2, to find maximal subsets Q̂_1 ⊆ Q_1, Q̂_2 ⊆ Q_2 such that Q̂_1 ∪ Q̂_2 is finalized. For simplicity, we assume that neither Q_1 nor Q_2 has any finalized subsets, since such terminated actors could be detected without cooperation. Although we only consider the two-party case here, the discussion naturally generalizes to n snapshot aggregators. In this formalism, the simple strategy amounts to having the first aggregator send its entire snapshot set Q_1 to the second aggregator, and vice versa. This is clearly inefficient for two reasons. Firstly, the two aggregators must perform duplicate work to compute the maximum finalized subset of Q_1 ∪ Q_2. Secondly, each snapshot set seems to contain significantly more information than is necessary to compute Q̂_1, Q̂_2; we might expect, for example, that it is only necessary to pass along snapshots from actors at the "border" of Q_1, Q_2 (e.g. the receptionists).
In this section, we address both of the above concerns. We begin by defining potentially finalized subsets of Q_1 and Q_2, which omit any snapshots that a priori cannot be finalized in Q_1 ∪ Q_2. Every actor in a potentially finalized set Q depends on one or more of the receptionists in Q. Hence, computing Q̂_1, Q̂_2 reduces to finding the finalized receptionists of Q_1, Q_2. With this insight, we then show how to compute summaries Q̃_1, Q̃_2 of Q_1, Q_2 such that the finalized receptionists in Q̃_1 ∪ Q̃_2 coincide with those of Q_1 ∪ Q_2. Aggregators can therefore simply exchange summaries to find the finalized receptionists. Since summaries can be significantly smaller than the original sets of snapshots, this technique reduces the amount of data exchanged and the amount of computation needed to detect finalized receptionists.

8.1. Potentially finalized sets. An actor C ∈ dom(Q_1) may fail to be finalized in Q_1 alone because it depends on actors outside of dom(Q_1), and yet be finalized in the union Q_1 ∪ Q_2. This motivates the following definition: Definition 8.1. We say that C is potentially finalized in Q if, for every actor B on which C depends in Q and every refob x : A ⊸ B with Q ⊢ Chain(x), either Q ⊢ Relevant(x) or A ∉ dom(Q). That is, C would be finalized in Q if it did not depend on some actors outside of Q. We say that a set Q is potentially finalized if every actor in Q is potentially finalized in Q.
Notice that if C is not potentially finalized in Q, then C depends on some B which has an irrelevant chain in Q. Such a C is guaranteed not to be finalized in Q 1 ∪ Q 2 , for any Q 2 . This means that any actor in Q i that is not potentially finalized in Q i can safely be removed from consideration, since it can neither be finalized in Q i nor Q 1 ∪ Q 2 .
Viewing dom(Q) as an actor system, we call B a receptionist in Q if B ∈ dom(Q) and Q ⊢ Chain(x : A ⊸ B) for some A ∉ dom(Q). The following lemmas show that every C ∈ dom(Q_i) depends on a receptionist.
Lemma 8.2. If Q_i ⊢ Chain(x : A ⊸ B) and A ∈ dom(Q_i), then Q_i ⊢ Relevant(x). Proof. Immediate from the assumption that Q_i is potentially finalized.
Lemma 8.3. Every actor C ∈ dom(Q_i) depends on a receptionist in Q_i. Proof. Immediate from the assumption that Q_i has no finalized subsets.
Moreover, C ∈ dom(Q_i) is finalized in Q_1 ∪ Q_2 if the receptionists on which it depends are finalized in Q_1 ∪ Q_2. We first prove two lemmas. Lemma 8.4. Let A ∈ dom(Q_1) and B ∈ dom(Q_2), without loss of generality. If Q_1 ∪ Q_2 ⊢ Chain(x : A ⊸ B), then B is a receptionist in Q_2. Proof. Let (x_1 : A_1 ⊸ B), . . . , (x_n : A_n ⊸ B) be the chain from B to x in Q_1 ∪ Q_2. Since A_n = A ∈ dom(Q_1), there must be some m ≤ n such that ∀i < m, A_i ∈ dom(Q_2) and A_m ∈ dom(Q_1). Hence Q_2 ⊢ Chain(x_m) and A_m ∉ dom(Q_2), so B is a receptionist in Q_2. Lemma 8.5. Let C ∈ dom(Q_i) and suppose C depends on A in Q_1 ∪ Q_2. Then either C depends on A in Q_i, or C depends in Q_i on a receptionist of Q_i that depends on A in Q_1 ∪ Q_2. Proof. Let (x_1 : A_1 ⊸ A_2), . . . , (x_n : A_{n−1} ⊸ A_n) be the sequence of refobs from A to C. If ∀i ≤ n, A_i ∈ dom(Q_i), then C depends on A in Q_i. Otherwise, let m < n be the greatest index such that A_m ∉ dom(Q_i); then A_{m+1} ∈ dom(Q_i) is a receptionist that depends on A, and C depends on A_{m+1} in Q_i.
Theorem 8.6. An actor C ∈ dom(Q_i) is finalized in Q_1 ∪ Q_2 if and only if every receptionist on which C depends in Q_i is finalized in Q_1 ∪ Q_2. Proof. If B ∈ dom(Q_i) is finalized in Q_1 ∪ Q_2, then every actor on which it depends must be finalized in Q_1 ∪ Q_2. Since every actor on which B depends in Q_i is also depended upon in Q_1 ∪ Q_2, the receptionists in particular must be finalized.
Conversely, let C ∈ dom(Q_i) and let every receptionist on which C depends in Q_i be finalized in Q_1 ∪ Q_2. Suppose C depends on some B in Q_1 ∪ Q_2 and Q_1 ∪ Q_2 ⊢ Chain(x : A ⊸ B); we must show Q_1 ∪ Q_2 ⊢ Relevant(x). By the preceding lemma, there are two cases.
Case 1. B ∈ dom(Q_i) and C depends on B in Q_i. If B is a receptionist of Q_i, then it is finalized by hypothesis; this implies Q_1 ∪ Q_2 ⊢ Relevant(x) a fortiori. Otherwise, A must be in dom(Q_i), so Q_i ⊢ Relevant(x) by Lemma 8.2.
Case 2. C depends on a receptionist B′ in Q_i, and B′ depends on B in Q_1 ∪ Q_2. Then B must be finalized because B′ is finalized.
Corollary 8.7. A receptionist B ∈ dom(Q_2) is finalized in Q_1 ∪ Q_2 if and only if Q_1 ∪ Q_2 ⊢ Chain(x : A ⊸ B) implies Q_1 ∪ Q_2 ⊢ Relevant(x) and A is finalized.
This formalizes our intuition that snapshots from "internal actors" of Q_1 and Q_2 are unnecessary. It suffices to combine the snapshots of actors at the "boundary" (e.g. receptionists) with dependency information (i.e. which "boundary" actors depend on which receptionists).

8.2. Summaries. Based on the insight from the preceding section, our approach is to compute, for each Q_i, a smaller set of snapshots Q̃_i called its summary. These summaries are designed so that (1) all receptionists in Q_i have snapshots in Q̃_i, and (2) a receptionist is finalized in Q̃_1 ∪ Q̃_2 if and only if it is finalized in Q_1 ∪ Q_2. We achieve this by removing all facts about the "internal structure" of each Q_i and then adding new refobs to encode the dependency information of Q_i. We now show that all the important dependencies have been preserved, namely, which actors depend on which receptionists.
Lemma 8.13. Let A, B ∈ dom(Q̃_1 ∪ Q̃_2) and let A be a receptionist in Q_1. If B depends on A in Q_1 ∪ Q_2, then B depends on A in Q̃_1 ∪ Q̃_2.
Proof. Let (x_1 : A_1 ⊸ A_2), . . . , (x_n : A_{n−1} ⊸ A_n) be the sequence of refobs from A to B. If n = 0, then the lemma is trivially satisfied. If ∀i ≤ n, A_i ∈ dom(Q_1), then, by construction of Q̃_1, there exists x : A ⊸ B such that Q̃_1 ⊢ Chain(x).
For the general case, the sequence of refobs may pass between Q_1 and Q_2 multiple times. We partition the sequence x_1, . . . , x_n into a sequence of "runs" x̄_1, . . . , x̄_m, such that: (1) for each refob (x : A ⊸ B) in the first run x̄_1, the owner A is in Q_1; for each refob (x : A ⊸ B) in the second run x̄_2, the owner A is in Q_2; for each refob (x : A ⊸ B) in the third run x̄_3, the owner A is in Q_1; and so on; (2) the concatenation of x̄_1, . . . , x̄_m is x_1, . . . , x_n. For each run x̄_i, we denote the owner of the first refob as B_i and the target of the last refob as C_i. Notice that every B_i is a receptionist. Hence, by construction of Q̃_1 and Q̃_2 there is, for each run x̄_i, a refob y_i : B_i ⊸ C_i such that Q̃_1 ∪ Q̃_2 ⊢ Chain(y_i). Then the sequence of refobs y_1, . . . , y_m witnesses the fact that B depends on A in Q̃_1 ∪ Q̃_2.
Finally, we can show that summaries are sound and complete for the intended purpose of finding finalized receptionists.
Theorem 8.14. Let C ∈ dom(Q̃_1 ∪ Q̃_2). Then C is finalized in Q̃_1 ∪ Q̃_2 if and only if C is finalized in Q_1 ∪ Q_2.
Proof. Let C be finalized in Q̃_1 ∪ Q̃_2. We show that, if C depends on some B in Q_1 ∪ Q_2 and Q_1 ∪ Q_2 ⊢ Chain(x : A ⊸ B), then Q_1 ∪ Q_2 ⊢ Relevant(x). If A, B are both in some Q_i, then Q_i ⊢ Relevant(x) because Q_i is potentially finalized. Otherwise, let A ∈ dom(Q_1) and B ∈ dom(Q_2), without loss of generality. Since Q_1 ∪ Q_2 ⊢ Chain(x), Lemma 8.9 implies Q̃_1 ∪ Q̃_2 ⊢ Chain(x). Since B is a receptionist, B ∈ dom(Q̃_2). Since B, C ∈ dom(Q̃_1 ∪ Q̃_2) and C depends on B in Q_1 ∪ Q_2, C must also depend on B in Q̃_1 ∪ Q̃_2 by Lemma 8.13. Hence, since C is finalized, Q̃_1 ∪ Q̃_2 ⊢ Relevant(x). This implies, by Lemma 8.10, Q_1 ∪ Q_2 ⊢ Relevant(x).
Conversely, let C be finalized in Q_1 ∪ Q_2. We show that, if C depends on some B in Q̃_1 ∪ Q̃_2 and Q̃_1 ∪ Q̃_2 ⊢ Chain(x : A ⊸ B), then Q̃_1 ∪ Q̃_2 ⊢ Relevant(x). By Lemma 8.11, there are two cases: Case 1: B depends on A in Q_i; the refob x is a "fake" reference created in the process of constructing Q̃_i. Then Q̃_i(A) ⊢ Active(x) and Q̃_i ⊢ Sent(x, 0) ∧ Received(x, 0) by construction.
Hence a pair of aggregators can find terminated actors in Q_1 ∪ Q_2 by: (1) Garbage collecting all finalized actors in each Q_i; (2) Removing all actors not potentially finalized in each Q_i;

D. Plyukhin and G. Agha
(3) Computing the summary of the remaining set of snapshots and exchanging it with their partner; (4) Removing all potentially unfinalized snapshots in the pair of summaries Q̃_1 ∪ Q̃_2 (optionally using the Unreleased heuristic from Section 7.2); (5) Garbage collecting all actors in Q_i that are reachable from a finalized receptionist in Q̃_1 ∪ Q̃_2.

Alternatively, a set of aggregators could send their summaries to a parent aggregator, which uses the summaries to compute the finalized receptionists and sends this set to each child aggregator.
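The exchange can be sketched as a toy model in Python (entirely our own simplification, not the paper's data structures): a snapshot set is reduced to a pair of actor names and (owner, target) chain refobs, and the relevance check is collapsed to the rule that a chain refob owned outside both sets blocks finalization of its target. All function names are ours.

```python
from collections import deque

def reachable(seed, edges):
    """Forward closure along (owner -> target) chain edges."""
    seen, frontier = set(seed), deque(seed)
    while frontier:
        a = frontier.popleft()
        for b in edges.get(a, ()):
            if b not in seen:
                seen.add(b)
                frontier.append(b)
    return seen

def summarize(actors, refobs):
    """Summary of one aggregator's snapshots: its receptionists, plus one
    collapsed 'fake' refob (r, b) for every boundary target b reachable
    from a receptionist r through a run of internal chain refobs."""
    internal = {}
    for a, b in refobs:
        if a in actors and b in actors:
            internal.setdefault(a, set()).add(b)
    receptionists = {b for a, b in refobs if a not in actors and b in actors}
    fake = set()
    for r in receptionists:
        for a in reachable({r}, internal):
            for a2, b in refobs:
                if a2 == a and b not in actors:
                    fake.add((r, b))
    return receptionists, fake

def finalized_receptionists(q1, q2):
    """Exchange summaries and decide which receptionists are finalized.
    Toy relevance oracle: a chain refob owned outside both snapshot sets
    blocks finalization of its target and of everything depending on it."""
    (recs1, fake1), (recs2, fake2) = summarize(*q1), summarize(*q2)
    nodes = recs1 | recs2
    edges = {}
    for a, b in fake1 | fake2:
        if b in nodes:
            edges.setdefault(a, set()).add(b)
    everyone = q1[0] | q2[0]
    blocked = {b for a, b in q1[1] | q2[1] if a not in everyone and b in nodes}
    return nodes - reachable(blocked, edges)

# Two aggregators, each holding one half of a terminated cross-node cycle:
q1 = ({"A"}, {("B", "A"), ("A", "B")})
q2 = ({"B"}, {("A", "B"), ("B", "A")})
done = finalized_receptionists(q1, q2)   # {"A", "B"}: the cycle is garbage
```

Adding a refob ("E", "A") owned by an external actor E to q1 makes both receptionists blocked, so neither is reported finalized.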

Conclusion and Future Work
We have shown how deferred reference listing and message counts can be used to detect termination in actor systems. The technique is provably safe (Corollary 6.11) and live (Theorem 6.12). An implementation in Akka is presently underway.
We believe that DRL satisfies our three initial goals: (1) Termination detection does not restrict concurrency in the application. Actors do not need to coordinate their snapshots or pause execution during garbage collection. (2) Termination detection does not impose high overhead. The amortized memory overhead of our technique is linear in the number of unreleased refobs. Besides application messages, the only additional control messages required by the DRL communication protocol are info and release messages. These control messages can be batched together and deferred, at the cost of worse termination detection time.
(3) Termination detection scales with the number of nodes in the system. Our algorithm is incremental, decentralized, and does not require synchronization between nodes.

Since it does not matter what order snapshots are collected in, DRL can be used as a "building block" for more sophisticated garbage collection algorithms. One promising direction is to take a generational approach [LH83], in which long-lived actors take snapshots less frequently than short-lived actors. Different types of actors could also take snapshots at different rates. In another approach, snapshot aggregators could request snapshots instead of waiting to receive them.

In the presence of faults, DRL remains safe but its liveness properties are affected. If an actor A crashes and its state cannot be recovered, then none of its refobs can be released and the aggregator will never receive its snapshot. Consequently, all actors potentially reachable from A can no longer be garbage collected. However, A's failure does not affect the garbage collection of actors it cannot reach. In particular, network partitions between nodes will not delay node-local garbage collection.

Another issue that can affect liveness is message loss: if any messages along a refob x : A ⊸ B are dropped, then B can never be garbage collected because it will always appear unblocked. This is, in fact, the desired behavior if one cannot guarantee that the message will not be delivered at some later point. In practice, this problem might be addressed with watermarking.

Choosing an adequate fault-recovery protocol will likely vary depending on the target actor framework. One option is to use checkpointing or event-sourcing to persist GC state; the resulting overhead may be acceptable in applications that do not frequently spawn actors or create refobs. Another option is to monitor actors for failure and infer which refobs are no longer active; this is a subject for future work.