Foundational Aspects of Contract Compliance and Choreography Conformance

Mario Bravetti, Department of Computer Science, University of Bologna. Joint work with Gianluigi Zavattaro.

Presentation Transcript


  1. Foundational Aspects of Contract Compliance and Choreography Conformance
     Mario Bravetti, Department of Computer Science, University of Bologna
     joint work with Gianluigi Zavattaro

  2. Service Contracts [FHRR04][CL06]
     • Contract: service “behavioural interface” that describes
       • the signature of the provided operations
       • the correct sequences of invoke and receive
     • e.g. Abstract BPEL4WS
     [Diagram labels: Service; Contract: abstract service description; public registry]
     WSBPI, London - 08.02.08

  3. Multi-party Contract Compliance [BZ07a]
     • Correctness of service composition based on their contracts: when interacting, each of them always reaches successful termination (fair w.r.t. loops)
     [Diagram labels: public registry; Contract: abstract service description; Service; P2P invocations]

  4. Deriving Set of Compliant Contracts from Choreography [CHY07][BZ07b]
     • Choreography: abstract description of the composition of a group of collaborating services, e.g. WS-CDL
     • … or choreography specification already in this form! E.g. BPEL4Chor
     [Diagram labels: projection; Contract: abstract service description; compliant by construction; Participant 1 … Participant n]

  5. Discovery of required contracts: directly in registries… ?
     [Diagram labels: Choreography; compliant by construction; Contract required for Participant 1 … Contract required for Participant n; public registry; Service; Reciprocal invocations]

  6. Compliance-Preserving Contract Refinement !
     [Diagram labels: Choreography; compliant by construction; Contract Part. 1 … Contract Part. n; refines; compliance preserved by refinement; public registry; Contract; Service; Reciprocal invocations]

  7. First Relation: Contract Refinement
     [Diagram as on slide 6]

  8. Directly Checking Conformance w.r.t. Choreography
     [Diagram labels: Choreography, e.g. WS-CDL; is conformant for participant 1 to … is conformant for participant n to; compliance guaranteed by conformance; public registry; Contract; Service; Reciprocal invocations]

  9. Second Relation: Choreography Conformance
     [Diagram as on slide 8]

  10. 1. Contract Refinement
     [Diagram as on slide 6]

  11. Independent Discovery of Contracts
     • Services publish their interface expressed in terms of a contract “C” in UDDI-like registries
       C ::= 0 | 1 | τ | a | ā | C;C | C+C | C|C | C*
     • Given a set of required compliant contracts: for each role, independently discover one service whose contract is a “sub-contract”.
     • Relation must be such that, though independently retrieved, the obtained services are still compliant

  12. Formally: Subcontract Preorder
     • Preorder ≤ between contracts C:
       • C’ ≤ C means C’ is a subcontract of C
     [Diagram labels: C; subcontract preorder; sub-contracts of C]

  13. Definition of Preorder Induced from Independence Property
     • Given a set of compliant contracts C_1, C_2, …, C_n, with each C’_i taken among the sub-contracts of C_i (subcontract preorder): C’_1, C’_2, …, C’_n is a set of compliant contracts

  14. Singular Refinement is Implied
     • In particular (since ≤ is a preorder, it is reflexive, i.e. C_j ≤ C_j): C’_i ≤ C_i implies C’_i must comply with the other initial contracts C_1,…,C_{i-1},C_{i+1},…,C_n

  15. Allowing Retrieval of Services with Additional Operations
     • Subcontracts using additional operations are allowed given the knowledge that they are not used by other initial contracts, e.g. receiving additional (new) operations is ok if we know that other contracts do not invoke them
     • It is allowed to use such knowledge in retrieval.
     • Does not affect independence property
     • Formally, we parametrize subcontract preorders with information about what we assume
       • outputs O: operations “a” that can be invoked, i.e. ā, by others
       • inputs I: operations “a” that can be received, i.e. a, by others
       We write C’ ≤_{I,O} C

  16. I/O Symmetry Causes Non-Existence of the Largest Subcontract Preorder
     • Consider the two compliant contracts: C_1 = a, C_2 = ā
       we could have a preorder ≤’ for which a + b;0 ≤’_{N-{b},N-{b}} a
       and a preorder ≤’’ for which ā + b̄ ≤’’_{N-{b},N-{b}} ā
       but no subcontract preorder ≤ could have both
       a + b;0 ≤_{N-{b},N-{b}} a and ā + b̄ ≤_{N-{b},N-{b}} ā
     • Consequence: no largest subcontract preorder

  17. Input/Output Asymmetry: τ prefixing forced in outputs
     • In networks with asynchronous communication
       • The decision to execute an input operation depends on the availability of the corresponding message
       • The decision to execute an output is taken locally: cannot depend on the environment
     • Consequence: a + b is allowed, but ā + b̄ is written τ;ā + τ;b̄ and a + b̄ is written a + τ;b̄: no external choice among outputs (and mixed choice) in contracts!

  18. Subcontracts Cannot Add Reachable Invoke of New Operations
     • Due to asymmetry, subcontracts cannot add reachable outputs on new types as done by ≤’’
       • otherwise subcontract compliance w.r.t. initial contracts is not preserved (it may be that it does not succeed)
     • Executable additional actions on new types can be just inputs, so interaction on new types between subcontracts cannot be generated.

  19. Main Theorem: Largest Subcontract Preorder Exists
     • The preorder C’ ≤^max_{I,O} C iff for any context P with inputs in I and outputs in O, [C] | P is correct implies [C’] | P is correct
       • is a subcontract preorder
       • includes all subcontract preorders
     • Consequence: global independent subcontract retrieval

  20. Input Knowledge Independence
     • If I’, I’’ include types of outputs in C: C’ ≤^max_{I’,O} C iff C’ ≤^max_{I’’,O} C
       • because subcontracts cannot add reachable outputs on new types
     • We just use ≤^max_O to stand for ≤^max_{N,O}
       • contrary to inputs, enlarging output types of contexts decreases allowed subcontracts

  21. Output Knowledge Allows Extension with Additional Input Types
     • Problem reduced to ≤ (meaning ≤_{N,N}): C’ ≤^max_O C iff C’ \\ N-O ≤^max C \\ N-O
       i.e. to subcontract relation when inputs that cannot be invoked are restricted
     • Examples:
       • exploiting knowledge we have a+b ≤_{{a}} a
       • in addition to τ;a ≤ τ;a + τ;b (more deterministic)

  22. Decidable Sound Characterization Based on a Must-like Testing
     • Subcontract relation contains a universal quantification over possible contexts
     • Sound characterization resorting to a must-testing theory (should-testing [RV05])
       • C’ ≤^max_O C is implied by NF(C’ \\ N-O) ≤_test NF(C \\ N-O)
       • i.e. ≤_O is coarser than the testing preorder (and than simulation)

  23. Adoption of a more realistic address-based communication
     • Alternative to standard Process Algebra channel-based communication mechanism
       • “ā” can be received by any C doing “a”
     • Invokes ā_l indicate a destination address (location l)
     • Every contract C is executed at a distinguished location l, written “[C]_l”
       • i.e. from choreography, location = participant

  24. In Addition Output Knowledge Independence !
     • If, for every l, O’_l, O’’_l include inputs in C: C’ ≤^max_{I,O’} C iff C’ ≤^max_{I,O’’} C
       • because compliant contexts of C cannot perform reachable outputs to C that it cannot receive

  25. Independence on Output Knowledge allows Extension with Input Types !
     • Therefore, from C’ ≤^max C iff C’ ≤^max_{N,I(C)} C, we can reduce the problem: C’ ≤^max C iff C’ \\ N-I(C) ≤^max C
       i.e. to subcontract relation when inputs that cannot be invoked are restricted
     • Hence knowledge is no longer needed!
     • Analogous sound characterization based on a must-like testing scenario

  26. 2. Choreography Conformance
     [Diagram as on slide 8]

  27. Choreography Language in Essence
     • Choreography H: H ::= a_{r→s} | H;H | H+H | H|H | H*
       where a_{r→s} means: r invokes the operation a of s

  28. Notion of Implementation
     • Given a choreography H, a system P implements H if:
       • P is a composition of compliant contracts
       • Each (completed weak) trace of P has a corresponding (completed) trace of H
     • all computations of P are correct conversations according to the choreography H

  29. Definition of Relation Induced from Independence Property
     • H with roles p_1, p_2, …, p_n
     • [C_1]_{p_1} | [C_2]_{p_2} … | [C_n]_{p_n} implements H
     [Diagram labels: conformance relation; contracts for p_1, contracts for p_2, …, contracts for p_n]

  30. No Maximal Choreography Conformance Relation
     • Consider the choreography a_{r→s} | b_{r→s} that can be implemented as:
       [τ;ā_s | τ;b̄_s]_r | [τ;a;b + τ;b;a]_s
       [τ;ā_s;τ;b̄_s + τ;b̄_s;τ;ā_s]_r | [a|b]_s
       but not as:
       [τ;ā_s;τ;b̄_s + τ;b̄_s;τ;ā_s]_r | [τ;a;b + τ;b;a]_s

  31. Combination of Projection and Subcontract Preorder
     [Diagram as on slide 6]

  32. Decidable Sound Characterization Based on a Must-like Testing
     • The sound characterization of the consonance relation between a choreography H and a contract C playing a role r given by NF(C \\ N-I([[H]]_r)) ≤_test NF([[H]]_r) is a conformance relation
       • proof exploits pre-congruence of testing (trace inclusion is implied by testing)

  33. Conclusion
     • “Standard” Contract Compliance:
       • S1: invoke(a);invoke(b)
       • S2: receive(a);invoke(c)
       • S3: receive(c);receive(b)
     [Diagram labels: S1; S2; S3]

  36. Conclusion
     • “Standard” Contract Compliance:
       • S1: invoke(a);invoke(b)
       • S2: receive(a);invoke(c)
       • S3: receive(c);receive(b)
     Any doubt?
     [Diagram labels: S1; S2; S3]

  37. Conclusion
     • Let us give a more careful look:
       • S1: invoke(a);invoke(b)
       • S2: receive(a);invoke(c)
       • S3: receive(c);receive(b)
     [Diagram labels: S1; S2; S3]

  39. Conclusion
     • Let us give a more careful look:
       • S1: invoke(a);invoke(b)
       • S2: receive(a);invoke(c)
       • S3: receive(c);receive(b)
     Strong compliance requires that the receptors should be always ready
     These services are not strongly compliant !!
     [Diagram labels: S1; S2; S3]

  40. Conclusion
     • “Standard” Contract Compliance:
       • S1: invoke(a);receive(b);invoke(b)
       • S2: receive(a);invoke(c)
       • S3: receive(c);invoke(b);receive(b)
     [Diagram labels: S1; S2; S3]

  41. Future work
     • Complete characterization of the subcontract relation
       • τ;a+τ;b ≤ c+c;d is not captured by the should-testing based characterization
     • Add name/value passing, link mobility, sessions, correlation sets, …
     • Use of strong compliance to get maximal choreography conformance

  42. References
     • [FHRR04] C. Fournet, C.A.R. Hoare, S.K. Rajamani, and J. Rehof. Stuck-Free Conformance. In CAV’04.
     • [CCLP06] S. Carpineti, G. Castagna, C. Laneve, and L. Padovani. A Formal Account of Contracts for Web Services. In WS-FM’06.
     • [CL06] S. Carpineti and C. Laneve. A Basic Contract Language for Web Services. In ESOP’06.
     • [CHY07] M. Carbone, K. Honda, and N. Yoshida. Structured Communication-Centred Programming for Web Services. In ESOP’07.
     • [BZ07a] M. Bravetti and G. Zavattaro. Contract based Multi-party Service Composition. In FSEN’07.
     • [BZ07b] M. Bravetti and G. Zavattaro. Towards a Unifying Theory for Choreography Conformance and Contract Compliance. In SC’07.
     • [BZ07c] M. Bravetti and G. Zavattaro. A Theory for Strong Service Compliance. In Coordination’07.
     • [RV05] A. Rensink and W. Vogler. Fair testing. CTIT Technical Report TR-CTIT-05-64, Dep. Computer Science, Univ. of Twente, 2005.
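
The Python sketch below is an added example, not part of the original slides: it checks the slide 16 counterexample (two refinements that are each safe alone but fail together) and the S1/S2/S3 example of slides 33 to 39 on a cut-down contract calculus with synchronous, channel-based communication. The tuple encoding, the function names, the reading of slide 16 as "a + b;0" on the receiving side and "invoke a + invoke b" on the invoking side, and the reading of strong compliance as "every enabled invoke has a receiver ready in the same state" are assumptions.

```python
# Added example, not from the slides. Assumed encoding: "1" success, "0" failure,
# ("in", a) receive, ("out", a) invoke, ("tau",) internal, ("+", C, D) choice, seq(C, D) = C;D.
def seq(c, d):
    return d if c == "1" else ("seq", c, d)

def steps(c):  # transitions of one contract as (label, successor) pairs
    if c in ("0", "1"):
        return []
    if c[0] == "+":
        return steps(c[1]) + steps(c[2])
    if c[0] == "seq":
        return [(lab, seq(nxt, c[2])) for lab, nxt in steps(c[1])]
    return [(c, "1")]  # atom: the label is the atom itself

def moves(state):
    """System steps: a tau of one contract, or an invoke meeting a matching receive."""
    out = []
    for i, ci in enumerate(state):
        for lab, ni in steps(ci):
            if lab[0] == "tau":
                out.append(state[:i] + (ni,) + state[i + 1:])
            for j, cj in enumerate(state):
                for lab2, nj in steps(cj):
                    if lab[0] == "out" and j != i and lab2 == ("in", lab[1]):
                        out.append(tuple(ni if k == i else nj if k == j else c
                                         for k, c in enumerate(state)))
    return out

def reach(state):
    seen, todo = {state}, [state]
    while todo:
        new = set(moves(todo.pop())) - seen
        seen |= new
        todo.extend(new)
    return seen

def compliant(*cs):
    """From every reachable state, a state with all contracts at "1" is reachable."""
    return all(any(set(t) == {"1"} for t in reach(s)) for s in reach(cs))

def strongly_compliant(*cs):
    """Assumed reading of slide 39: every enabled invoke has a receiver ready now."""
    offers = lambda s, i: {l for j, c in enumerate(s) if j != i for l, _ in steps(c)}
    return compliant(*cs) and all(("in", l[1]) in offers(s, i) for s in reach(cs)
                                  for i, c in enumerate(s) for l, _ in steps(c) if l[0] == "out")

C1, C2 = ("in", "a"), ("out", "a")  # slide 16: receive a / invoke a
C1_REF, C2_REF = ("+", C1, seq(("in", "b"), "0")), ("+", C2, ("out", "b"))  # refinements
S1, S2, S3 = seq(C2, ("out", "b")), seq(C1, ("out", "c")), seq(("in", "c"), ("in", "b"))
```

Each refinement keeps compliance when the other side is unchanged, the pair of refinements does not, and S1, S2, S3 pass the standard check while failing the strong one because S1 can invoke b before S3 is ready to receive it.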
