1 Formal Languages for Flow Composition and Compensation: cCSP Roberto Bruni Dipartimento di Informatica Università di Pisa Models and Languages for Coordination

1

Formal Languages for Flow Composition and Compensation: cCSP

Roberto BruniDipartimento di Informatica Università di Pisa

Models and Languages for Coordination and Orchestration

IMT- Institutions Markets Technologies - Alti Studi Lucca

2

Roberto Bruni @ IMT Lucca 23 March 2005


InstitutionsMarketsTechnologies

IMT

Motivation Key issues in business processes languages for

WS WS Composition, Orchestration, Choreography WS Transactions Interesting for both Academy and Industry

A plethora of ad hoc proposals for standard poorly disciplined provision of "accessory" features

Design of business processes calls for rigorous mathematical foundations clean, elegant semantics well-disciplined service composition principles modular implementation

3




IMT

Flow Diagrams meet Process Description Languages

Many proposals to describe business processes unambiguously XML-based

WSFL, XLANG, WSCI, BPEL4WS Extensions of known mobile calculi

committed Join, t-calculus, web-calculus Flow-based

Compensating CSP (Butler, Hoare, Ferreira) previously Structured Activity Compensation (StAC)

Sagas Calculus (Bruni, Melgratti, Montanari)

4




IMT

Long-Running Transactions (L-RT)

A L-RT is an interactive component of a distributed system which must

be executed as if it were a single atomic action In principle (high-level abstraction)

it should not be interrupted or fail in the middle and it must not be interleaved with other atomic actions of

other concurrently executing components of the system In practice (implementors viewpoint)

it is not easy to keep the illusion alive in (mobile, concurrent) distributed interactive systems!

external interactions may require undo of committed activities because the transaction is interactive, familiar automatic

techniques of check-pointing and rollback are no longer adequate / applicable

the illusion of atomicity for a LRT is achieved with the aid of compensation actions supplied by the programmer

5




IMT

Compensations In long lasting negotiations partial

agreements can be reached and locally committed by parties to be compensated in case of failure to be published / confirmed on success

Formal models are needed to discover specification bugs to reason rigorously to run simulations to ease verification

6




IMT

Compensations (Merriam-Webster OnLine)

To Compensate to neutralize the effect of to supply an equivalent to to provide with means of counteracting

variation to offset an error, defect, or undesired

effect The most important fact:

Compensations have a cost!

7




IMT

Compensations: Examples I

A client buys books in an on-line bookstore the bookstore debits client's account as the

payment for the book order the bookstore later realizes that one of the

book in the client's order is out of print to compensate the client for this problem,

the bookstore can credit the account with the amount wrongfully debited

and send a letter apologising for their mistake

8




IMT

Compensations: Examples II

Late cancelling of hotel reservations can involve payment of fees

Failures on credit checks can cause the abort of parallel activities (which can be partially completed) e.g. to unpackage the goods to be sent to cancel the courier booking

Statements of politicians typically require an unbounded number of nested compensations

9




IMT

Sagas Compensation is important when a system

cannot control everything, such as when interaction with other agents (including humans) is involved Garcia-Molina and Salem exploit the concept of

compensation to define the notion of a saga a saga partitions a L-RT into a sequence of several

smaller sub-transactions, where each of the sub-transactions has an associated compensation

If one of the sub-transactions in the sequence aborts, the compensation associated with those committed sub-transactions is executed in the reverse order

10




IMT

Flow Composition

A1

A2 A3

A4

A5

11




IMT

Transactional Flows

A1

A2 A3

A4

A5

12




IMT

Compensation Activities

A1

B1

A2

B2

A3

B3 A4

B4

A5

B5

13




IMT

Compensation Flow

A1

B1

A2

B2

A3

B3 A4

B4

A5

B5

14




IMT

Nested Flow Diagrams

A1

B1

A2

B2

A3

B3

PP

A4

B4

15




IMT

Approaches Interaction based Composition,

Conversational Patterns or Global Model Services describe the ways they can be

engaged in a larger process Flow Composition or Hierarchical

Patterns Similar to workflow systems: a process

describes the flow of both control and data among WS

16




IMT

The Road to Compensating CSP

First use of process algebras for modeling compensations: StAC (Structured Activity Compensation)

by Michael Butler, Carla Ferreira et al. poorly disciplined, several variants / improvements along the

years Compensating CSP

by Michael Butler, Carla Ferreira, Tony Hoare robust formalization of compensable flow compositions closer to the spirit of Process Algebras

few key primitives inspired by BPEL

and to the independently developed saga calculus

17




IMT

Compensating CSP: Ingredients

Alphabet of observable actions ranged by A,B,...

Set of special events = { , !, ? } ranged by disjoint from

Interactive processes Standard processes

ranged by P,Q,... Compensable processes

ranged by PP,QQ,...

18




IMT

Compensating CSP: Syntax

Compensable processes

PP,QQ ::= P % Q | PP + QQ | PP ; QQ | PP || QQ | SKIPP | THROWW | YIELDD

Standard processesP,Q ::= A | [ PP ] | P + Q | P ; Q | P || Q | SKIP | THROW | YIELD

| P Q

atomic action

sequential composition

choice

parallel composition

normal termination

throw an interrupt

yield to an interrupt

interrupt handler

transaction block compensation pair

19




IMT

PackOrder = ||iItems ( PackItem(i) % UnpackItem(i) )

FulfillOrder = BookCourier % CancelCourier || PackOrder || CreditCheck ; ( Ok ; SKIPP + NotOk ; THROWW )

Compensating CSP: Example

OrderTransaction = [ ProcessOrder ]ProcessOrder = (AcceptOrder % RestockOrder) ;

FulfillOrder

20




IMT

Compensating CSP:Semantics

Denotational Trace Semantics defined in a compositional style each standard process is assigned a set of

traces traces are ranged over by p,q,... they are -event-terminated sequences of actions

ex. A,B, each compensable process is assigned a set of

trace-pairs (p,q) where p is the forward trace q is the corresponding compensation trace

21




IMT

Compensating CSP:Ordinary Traces

All traces for standard processes have three possible shapes: A,B,

trace leading to normal termination A,B,!

trace leading to interrupt throw A,B,?

trace leading to interrupt yield pq denotes the trace obtained by juxtaposition

ex. A B, = A,B, = A,B Note:

unlike trace semantics for CSP, prefix traces are not considered

22




IMT

Trace Semantics:Atomic Actions

For any A we define

A =trace { A, }

(The process performs a single atomic event and terminates successfully)

23




IMT

Trace Semantics:Skip

SKIP =trace { }

(SKIP immediately terminates successfully)

24




IMT

Trace Semantics:Throw

THROW =trace { ! }

(THROW immediately raises an interrupt)

25




IMT

Trace Semantics:Yield

YIELD =trace { , ? }

(YIELD can either yield to a raised interrupt or terminate)

26




IMT

Trace Semantics:Choice

For any standard processes P and Q

P + Q =trace P Q

(The semantics for choice is the union of the possible traces of P and Q)

27




IMT

Trace Semantics:Sequential Composition


P ; Q =trace { p;q | pP qQ }

where the sequential operator is defined on traces byp ; q = pqp ; q = p if

28




IMT

SECOND HOMEWORK:Prove or Disprove That:For any standard processes P,Q,R,SP;(Q+R) =trace (P;Q)+(P;R)

(P+Q);R =trace (P;R)+(Q;R)

(P+Q);(R+THROW) =trace P+Q

(P;Q);R =trace (P;Q);R

P;SKIP =trace P

SKIP;P =trace P

P;THROW =trace THROW

THROW;P =trace THROW

YIELD;YIELD =trace YIELD

29




IMT

Playful Digression:10 Advanced Proof Methods I

Proof by obviousness "The proof is so clear that it need not be mentioned."

Proof by lack of sufficient time "Because of the time constraint, I leave the proof to

you." Proof by general agreement

"All in favor?. . . " Proof by majority rule

Only to be used if general agreement is impossible Proof by accident

"Hey, what have we here?!"

30




IMT

Playful Digression:10 Advanced Proof Methods II

Proof by authority "Well, Don Knuth says it's true, so it must be!"

Proof by intuition "I just have this gut feeling. . ."

Proof by intimidation "Don't be stupid; of course it's true."

Proof by terror When intimidation fails ...

Proof by deception "Now everyone turn their backs. . ."

31




IMT

Trace Semantics:Interrupt Handler


P Q =trace { pq | pP qQ }

where the interrupt handling is defined on traces byp! q = pqp q = p if !

32




IMT

Trace Semantics:Useful Laws for InterruptFor any standard processes P,Q,R

(P Q) R =trace P (Q R)

SKIP P =trace SKIP

YIELD P =trace YIELD

THROW P =trace P

33




IMT

Compensating CSP: A Limitation

Synchronous execution of observable actions is not supported (yet)

Concurrency modeled by interleaving Processes running in parallel can synchronise

only on joint termination or on joint interruption

The kind of synchronization is decided by just looking at the terminal events of parallel traces it is convenient to define an operator for deriving

the joint terminal event

34




IMT

Compensating CSP: Joint Terminal Event

Let 1 and 2 be the terminal events of two parallel traces Their joint terminal event 1&2 is defined by1 2 1&2

!

!

!

?

?

!

?

?

!

!

!

?

?

(& is commutative)

35




IMT

Trace Semantics:Parallel Composition


P || Q =trace { r | rp||q pP qQ }

wherep1 || q2 = { r1&2 | rint(p,q) }

int(p,) = int(,p) = {p} int(Ap,Bq) = { Ar | rint(p,Bq) } { Br | rint(Ap,q) }

36




IMT

Trace Semantics:Useful Laws for ParallelFor any standard processes P,Q,R

P || Q =trace Q || P

(P || Q) || R =trace P || (Q || R)

37




IMT

Under Which Circumstances?

P || Q =trace P;Q + Q;P

THROW || (YIELD ; P) =trace THROW + P;THROW

38




IMT

Trace-Pair Semantics:Compensable Choice

For any compensable processes PP and QQ

PP + QQ =trace PP QQ

(The semantics for choice is the union of the possible traces of PP and QQ)

39




IMT

Trace-Pair Semantics:Compensable Parallel


PP || QQ =trace { z | zx||y xPP yQQ }

where(p,p') || (q,q') = { (r,r') | rp||q r'p'||q' }

40




IMT

Trace-Pair Semantics:Compensable Sequential


PP ; QQ =trace { x;y | xPP yQQ }

where (p,p') ; (q,q') = (pq,q';q)(p,p') ; (q,q') = (p,p') if

something wrong?

41




IMT

Trace-Pair Semantics:Compensation Pair


P % Q =trace { p%q | pP qQ } { (?,) }

where p % q = (p,q)p % q = (p,) if

42




IMT

Trace-Pair Semantics:Compensable Basic Processes

SKIPP =trace SKIP % SKIP

THROWW =trace THROW % SKIP

YIELDD =trace YIELDD % SKIP

43




IMT

Trace-Pair Semantics:Transaction Block

For any compensable process PP

[PP] =trace { pp' | (p!,p')PP }

{ p | (p,p')PP }

44




IMT

Trace-Pair Semantics:Other Useful LawsFor any composable processes PP;QQ andfor any standard processes P,Q

PP || QQ =trace QQ || PP

(PP || QQ) || RR =trace PP || (QQ || RR)

(PP ; QQ) ; RR =trace PP ; (QQ ; RR)

PP ; SKIPP =trace PP =trace SKIPP ; PP

THROWW ; PP =trace THROWW

YIELDD ; (P % Q) =trace (P % Q)

45




IMT

THIRD HOMEWORKEvaluate the semantics of[ THROWW ] =trace ???

[ YIELDD ] =trace ???

A % A' ; B % B' =trace ???

Prove that: if P,P',Q,Q' terminate successfully, neither raising nor yielding to interrupts, then[ P%P' || Q%Q' || THROWW ] =trace

SKIP + (P;P') + (Q;Q') + (P||Q);(P'||Q')

46




IMT

Is the Semantics Adequate?

Formal definitions can lead to conceptual clarifications make emerge submersed aspects give insights for language design

The semantics we have seen is compositional, simple and intuitive models forward and backward flows

Is it the appropriate one? Does it match our intuition? Any other option available?

47




IMT

Semantics vs Intuition Expectations:

if no interrupt is raised a "maximal" forward flow should be executed

if an interrupt is raised, all previously-completed activities are compensated no consequent activities are executed within that

transaction if an interrupt is raised during the backward flow? what else?

How can we reasonably conclude that the semantics is "correct"?

48




IMT

Some Ideas I P = { p | pP } P A successful trace is

either a forward trace with possibly many successful transactions

PP = { p | (p,q)PP }

or a trace with possibly many successfully compensated transactions

PP = { pq | (p!,q)PP }

49




IMT

Some Ideas II Theory of "cancellation"

each (forward) A has a compensating (backward) A° AA° is "essentially" SKIP

but A°A is not SKIP

Theory of "independence" independent actions can occur in either order

ex. parallel actions A||B independency, written , is symmetric

unlike cancelling independency can be exploited to bring A and A°

closer

50




IMT

Some Ideas III Abstract effect

A° annihilates A if we remove all such pairs from a trace,

we are left with an abstract residual A(s) it gives the meaningful actions performed

Take s* and define recursively A(s) = A(pqr)

if s = pAqA°r and Bq. B A° A(s) = s

otherwise

51




IMT

Example: Cancellation

Assume A° B°, then:

A(A, B, C, C°, A°, B°, ) = A(A, B, A°, B°, ) = A(A, A°, ) = A( ) =

52




IMT

Adequacy Criterion I When considering [PP] one would like that

for any p[PP]

if p is a forward trace, then A(p) = p if p is a compensated trace, then A(p) =

this is equivalent to require that pPP . A(p) = p pPP . A(p) =

Is this assumption strong enough? If we know that it holds for PP, what can we say

about [ PP ; THROWW ]?

53




IMT

Adequacy Criterion II PP is called self-cancelling, written S(PP) if

(p,p'') PP . A(pp'') = In other words,

we must guarantee that in any execution of PP, even partial ones, the installed compensation is able to cancel the actions executed so far

We can then prove interesting properties ex. S(PP) implies A([PP;THROWW]) =trace SKIP

where A(.) is extended element-wise to set of traces

54




IMT

A Well-Behaving Fragment We would like to characterize

syntactically a fragment of compensable processes guaranteeing the self-cancelling property it is easy to check that:

S(SKIPP), S(THROWW) and S(YIELDD) if S(PP) and S(QQ), then S(PP+QQ) if S(PP) and S(QQ), then S(PP;QQ)

But what can we say about PP||QQ ? And what about P%Q?

55




IMT

Restriction on Parallel When trying to prove that

if S(PP) and S(QQ), then S(PP||QQ) a difficulty emerges due to interleaving

in the resulting traces A and A° from PP are interleaved with actions from QQ

and vice versa To prove the thesis we must assume

that: A°B° for all A° in PP and B° in QQ

56




IMT

Restriction on Compensation Pairs

P%Q provides nesting of compensations programmable compensations

These features are indeed complex ones their foundations are under investigation

A safe assumption is allowing only A%A° in place of P%Q

Then S(A%A°) trivially holds

Documents

1 Formal Languages for Flow Composition and Compensation: cCSP Roberto Bruni Dipartimento di Informatica Università di Pisa Models and Languages for Coordination