Formal Languages for Flow Composition and Compensation: cCSP
Roberto Bruni, Dipartimento di Informatica, Università di Pisa
Models and Languages for Coordination and Orchestration
IMT - Institutions Markets Technologies - Alti Studi Lucca
Roberto Bruni @ IMT Lucca, 23 March 2005

Motivation
Key issues in business process languages for Web Services (WS): WS composition, orchestration and choreography; WS transactions. Interesting for both academia and industry.
A plethora of ad hoc proposals for standards, with a poorly disciplined provision of "accessory" features.
The design of business processes calls for rigorous mathematical foundations: clean, elegant semantics; well-disciplined service composition principles; modular implementation.

Flow Diagrams meet Process Description Languages
Many proposals to describe business processes unambiguously:
XML-based: WSFL, XLANG, WSCI, BPEL4WS
Extensions of known mobile calculi: committed Join, πt-calculus, webπ-calculus
Flow-based: Compensating CSP (Butler, Hoare, Ferreira), previously Structured Activity Compensation (StAC); Sagas Calculus (Bruni, Melgratti, Montanari)

Long-Running Transactions (L-RT)
A L-RT is an interactive component of a distributed system which must be executed as if it were a single atomic action.
In principle (high-level abstraction): it should not be interrupted or fail in the middle, and it must not be interleaved with other atomic actions of other concurrently executing components of the system.
In practice (implementor's viewpoint): it is not easy to keep the illusion alive in (mobile, concurrent) distributed interactive systems! External interactions may require undoing committed activities, and because the transaction is interactive, the familiar automatic techniques of checkpointing and rollback are no longer adequate or applicable. The illusion of atomicity for a L-RT is achieved with the aid of compensation actions supplied by the programmer.

Compensations
In long-lasting negotiations, partial agreements can be reached and locally committed by the parties; they are to be compensated in case of failure and published / confirmed on success.
Formal models are needed to discover specification bugs, to reason rigorously, to run simulations and to ease verification.

Compensations (Merriam-Webster OnLine)
To compensate: to neutralize the effect of; to supply an equivalent to; to provide with means of counteracting variation; to offset an error, defect, or undesired effect.
The most important fact: compensations have a cost!

Compensations: Examples I
A client buys books in an on-line bookstore. The bookstore debits the client's account as payment for the book order. The bookstore later realizes that one of the books in the client's order is out of print. To compensate the client for this problem, the bookstore can credit the account with the amount wrongfully debited and send a letter apologising for the mistake.

Compensations: Examples II
Late cancelling of hotel reservations can involve payment of fees.
Failures on credit checks can cause the abort of parallel activities (which can be partially completed), e.g. to unpackage the goods to be sent, or to cancel the courier booking.
Statements of politicians typically require an unbounded number of nested compensations.

Sagas
Compensation is important when a system cannot control everything, such as when interaction with other agents (including humans) is involved.
Garcia-Molina and Salem exploit the concept of compensation to define the notion of a saga: a saga partitions a L-RT into a sequence of several smaller sub-transactions, where each sub-transaction has an associated compensation.
If one of the sub-transactions in the sequence aborts, the compensations associated with the already committed sub-transactions are executed in reverse order.

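As an added illustration (not part of the lecture, nor of Garcia-Molina and Salem's paper), the following Python runs a saga exactly as described: sub-transactions in order, and on an abort the compensations of the committed ones in reverse order. The bookstore of the earlier example is replayed over a constructed catalogue and account; the names SagaStep, run_saga and bookstore_saga are my own.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple

State = Dict[str, object]

@dataclass
class SagaStep:
    name: str
    action: Callable[[State], None]        # forward sub-transaction; commits its own effect on state
    compensation: Callable[[State], None]  # counteracts that effect; not necessarily a perfect undo

@dataclass
class SagaResult:
    committed: bool
    log: List[str] = field(default_factory=list)

def run_saga(steps: Sequence[SagaStep], state: State) -> SagaResult:
    """Run the sub-transactions in order. If one aborts, run the compensations of the
    sub-transactions already committed, in reverse order, and report failure."""
    result = SagaResult(committed=False)
    done: List[SagaStep] = []
    for step in steps:
        try:
            step.action(state)
        except Exception as exc:                     # the sub-transaction aborted
            result.log.append(f"abort {step.name}: {exc}")
            for earlier in reversed(done):           # backward flow: newest commit first
                earlier.compensation(state)
                result.log.append(f"compensate {earlier.name}")
            return result
        done.append(step)
        result.log.append(f"commit {step.name}")
    result.committed = True
    return result

def bookstore_saga(order: Tuple[str, ...], price: int = 10) -> Tuple[SagaResult, State]:
    """The bookstore example as a saga, over a constructed catalogue and account."""
    state: State = {"balance": 100, "stock": {"book-1": 2, "book-2": 0}, "letters": []}

    def debit(st):
        st["balance"] -= price * len(order)
    def credit(st):                                  # compensation has a cost: an apology letter
        st["balance"] += price * len(order)
        st["letters"].append("apology")
    def reserve(st):                                 # checks every item before touching stock
        missing = [b for b in order if st["stock"].get(b, 0) == 0]
        if missing:
            raise RuntimeError(f"{missing[0]} is out of print")
        for b in order:
            st["stock"][b] -= 1
    def unreserve(st):
        for b in order:
            st["stock"][b] += 1
    def ship(st):
        st["shipped"] = list(order)
    def recall(st):
        st.pop("shipped", None)

    steps = [SagaStep("DebitAccount", debit, credit),
             SagaStep("ReserveStock", reserve, unreserve),
             SagaStep("Ship", ship, recall)]
    return run_saga(steps, state), state

if __name__ == "__main__":
    for order in (("book-1",), ("book-1", "book-2")):
        result, state = bookstore_saga(order)
        print(order, "committed" if result.committed else "compensated", result.log, state)
```

The log of the failing run shows the saga shape: one commit, one abort, then the compensation of the committed step. Note that the account balance is restored but the apology letter stays in the state: compensation counteracts an effect, it does not rewind history.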
Flow Composition
(figure: a flow diagram over the activities A1, A2, A3, A4, A5)

Transactional Flows
(figure: the same flow over A1 ... A5, enclosed in a transaction)

Compensation Activities
(figure: each activity Ai is paired with its compensation activity Bi, for i = 1 ... 5)

Compensation Flow
(figure: the flow of the compensations B1 ... B5 attached to A1 ... A5)

Nested Flow Diagrams
(figure: activities A1 ... A4 with compensations B1 ... B4, where one node is itself a compensable process PP)

Approaches
Interaction-based composition (conversational patterns or global model): services describe the ways they can be engaged in a larger process.
Flow composition (hierarchical patterns): similar to workflow systems, a process describes the flow of both control and data among WS.

The Road to Compensating CSP
First use of process algebras for modeling compensations: StAC (Structured Activity Compensation), by Michael Butler, Carla Ferreira et al.; poorly disciplined, with several variants / improvements over the years.
Compensating CSP, by Michael Butler, Carla Ferreira and Tony Hoare: a robust formalization of compensable flow compositions, closer to the spirit of process algebras, with a few key primitives inspired by BPEL and by the independently developed sagas calculus.

Compensating CSP: Ingredients
An alphabet Σ of observable actions, ranged over by A, B, ...
A set Ω = { ✓, !, ? } of special (terminal) events, ranged over by ω, disjoint from Σ.
Interactive processes: standard processes, ranged over by P, Q, ...; compensable processes, ranged over by PP, QQ, ...

Compensating CSP: Syntax
Standard processes
P, Q ::= A | [ PP ] | P + Q | P ; Q | P || Q | SKIP | THROW | YIELD | P ▷ Q
Compensable processes
PP, QQ ::= P % Q | PP + QQ | PP ; QQ | PP || QQ | SKIPP | THROWW | YIELDD
where
A: atomic action
P ; Q and PP ; QQ: sequential composition
P + Q and PP + QQ: choice
P || Q and PP || QQ: parallel composition
SKIP and SKIPP: normal termination
THROW and THROWW: throw an interrupt
YIELD and YIELDD: yield to an interrupt
P ▷ Q: interrupt handler
[ PP ]: transaction block
P % Q: compensation pair

Compensating CSP: Example
OrderTransaction = [ ProcessOrder ]
ProcessOrder = (AcceptOrder % RestockOrder) ; FulfillOrder
FulfillOrder = (BookCourier % CancelCourier) || PackOrder || (CreditCheck ; ( Ok ; SKIPP + NotOk ; THROWW ))
PackOrder = ||_{i ∈ Items} ( PackItem(i) % UnpackItem(i) )

Compensating CSP: Semantics
Denotational trace semantics, defined in a compositional style.
Each standard process is assigned a set of traces; traces are ranged over by p, q, ... and are Ω-event-terminated sequences of actions, e.g. ⟨A, B, ✓⟩.
Each compensable process is assigned a set of trace pairs (p, q), where p is the forward trace and q is the corresponding compensation trace.

Compensating CSP: Ordinary Traces
All traces of standard processes have one of three possible shapes:
⟨A, B, ✓⟩: trace leading to normal termination
⟨A, B, !⟩: trace leading to an interrupt throw
⟨A, B, ?⟩: trace leading to an interrupt yield
pq denotes the trace obtained by juxtaposition, e.g. ⟨A⟩⟨B, ✓⟩ = ⟨A, B, ✓⟩ = ⟨A, B⟩⟨✓⟩.
Note: unlike the trace semantics of CSP, prefix traces are not considered.

Trace Semantics: Atomic Actions
For any A ∈ Σ we define
A =trace { ⟨A, ✓⟩ }
(The process performs a single atomic event and terminates successfully.)

Trace Semantics: Skip
SKIP =trace { ⟨✓⟩ }
(SKIP immediately terminates successfully.)

Trace Semantics: Throw
THROW =trace { ⟨!⟩ }
(THROW immediately raises an interrupt.)

Trace Semantics: Yield
YIELD =trace { ⟨✓⟩, ⟨?⟩ }
(YIELD can either yield to a raised interrupt or terminate.)

Trace Semantics: Choice
For any standard processes P and Q
P + Q =trace P ∪ Q
(The semantics of choice is the union of the possible traces of P and Q.)

Trace Semantics: Sequential Composition
For any standard processes P and Q
P ; Q =trace { p ; q | p ∈ P, q ∈ Q }
where the sequential operator is defined on traces by
p⟨✓⟩ ; q = pq
p⟨ω⟩ ; q = p⟨ω⟩ if ω ≠ ✓

SECOND HOMEWORK
Prove or disprove that, for any standard processes P, Q, R:
P ; (Q + R) =trace (P ; Q) + (P ; R)
(P + Q) ; R =trace (P ; R) + (Q ; R)
(P + Q) ; (R + THROW) =trace P + Q
(P ; Q) ; R =trace P ; (Q ; R)
P ; SKIP =trace P
SKIP ; P =trace P
P ; THROW =trace THROW
THROW ; P =trace THROW
YIELD ; YIELD =trace YIELD

Playful Digression: 10 Advanced Proof Methods I
Proof by obviousness: "The proof is so clear that it need not be mentioned."
Proof by lack of sufficient time: "Because of the time constraint, I leave the proof to you."
Proof by general agreement: "All in favor? ..."
Proof by majority rule: only to be used if general agreement is impossible.
Proof by accident: "Hey, what have we here?!"

Playful Digression: 10 Advanced Proof Methods II
Proof by authority: "Well, Don Knuth says it's true, so it must be!"
Proof by intuition: "I just have this gut feeling ..."
Proof by intimidation: "Don't be stupid; of course it's true."
Proof by terror: when intimidation fails ...
Proof by deception: "Now everyone turn their backs ..."

Trace Semantics: Interrupt Handler
For any standard processes P and Q
P ▷ Q =trace { p ▷ q | p ∈ P, q ∈ Q }
where interrupt handling is defined on traces by
p⟨!⟩ ▷ q = pq
p⟨ω⟩ ▷ q = p⟨ω⟩ if ω ≠ !

Trace Semantics: Useful Laws for Interrupt
For any standard processes P, Q, R
(P ▷ Q) ▷ R =trace P ▷ (Q ▷ R)
SKIP ▷ P =trace SKIP
YIELD ▷ P =trace YIELD
THROW ▷ P =trace P

Compensating CSP: A Limitation
Synchronous execution of observable actions is not supported (yet). Concurrency is modeled by interleaving: processes running in parallel can synchronise only on joint termination or on joint interruption.
The kind of synchronization is decided by just looking at the terminal events of the parallel traces, so it is convenient to define an operator for deriving the joint terminal event.

Compensating CSP: Joint Terminal Event
Let ω1 and ω2 be the terminal events of two parallel traces. Their joint terminal event ω1 & ω2 is defined by:
ω1   ω2   ω1 & ω2
✓    ✓    ✓
✓    !    !
✓    ?    ?
!    !    !
!    ?    !
?    ?    ?
(& is commutative)

Trace Semantics: Parallel Composition
For any standard processes P and Q
P || Q =trace { r | r ∈ p || q, p ∈ P, q ∈ Q }
where
p⟨ω1⟩ || q⟨ω2⟩ = { r⟨ω1 & ω2⟩ | r ∈ int(p, q) }
int(p, ⟨⟩) = int(⟨⟩, p) = { p }
int(⟨A⟩p, ⟨B⟩q) = { ⟨A⟩r | r ∈ int(p, ⟨B⟩q) } ∪ { ⟨B⟩r | r ∈ int(⟨A⟩p, q) }

Trace Semantics: Useful Laws for Parallel
For any standard processes P, Q, R
P || Q =trace Q || P
(P || Q) || R =trace P || (Q || R)

Under Which Circumstances?
P || Q =trace P ; Q + Q ; P
THROW || (YIELD ; P) =trace THROW + P ; THROW

Trace-Pair Semantics: Compensable Choice
For any compensable processes PP and QQ
PP + QQ =trace PP ∪ QQ
(The semantics of choice is the union of the possible trace pairs of PP and QQ.)

Trace-Pair Semantics: Compensable Parallel
For any compensable processes PP and QQ
PP || QQ =trace { z | z ∈ x || y, x ∈ PP, y ∈ QQ }
where
(p, p') || (q, q') = { (r, r') | r ∈ p || q, r' ∈ p' || q' }

Trace-Pair Semantics: Compensable Sequential
For any compensable processes PP and QQ
PP ; QQ =trace { x ; y | x ∈ PP, y ∈ QQ }
where
(p⟨✓⟩, p') ; (q, q') = (pq, q' ; q)
(p⟨ω⟩, p') ; (q, q') = (p⟨ω⟩, p') if ω ≠ ✓
Something wrong?

Trace-Pair Semantics: Compensation Pair
For any standard processes P and Q
P % Q =trace { p % q | p ∈ P, q ∈ Q } ∪ { (⟨?⟩, ⟨✓⟩) }
where
p⟨✓⟩ % q = (p⟨✓⟩, q)
p⟨ω⟩ % q = (p⟨ω⟩, ⟨✓⟩) if ω ≠ ✓

Trace-Pair Semantics: Compensable Basic Processes
SKIPP =trace SKIP % SKIP
THROWW =trace THROW % SKIP
YIELDD =trace YIELD % SKIP

Trace-Pair Semantics: Transaction Block
For any compensable process PP
[ PP ] =trace { pp' | (p⟨!⟩, p') ∈ PP } ∪ { p⟨✓⟩ | (p⟨✓⟩, p') ∈ PP }

Trace-Pair Semantics: Other Useful Laws
For any compensable processes PP, QQ, RR and any standard processes P, Q
PP || QQ =trace QQ || PP
(PP || QQ) || RR =trace PP || (QQ || RR)
(PP ; QQ) ; RR =trace PP ; (QQ ; RR)
PP ; SKIPP =trace PP =trace SKIPP ; PP
THROWW ; PP =trace THROWW
YIELDD ; (P % Q) =trace (P % Q)

THIRD HOMEWORK
Evaluate the semantics of:
[ THROWW ] =trace ???
[ YIELDD ] =trace ???
(A % A') ; (B % B') =trace ???
Prove that, if P, P', Q, Q' terminate successfully, neither raising nor yielding to interrupts, then
[ P%P' || Q%Q' || THROWW ] =trace SKIP + (P;P') + (Q;Q') + (P||Q);(P'||Q')

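As an added example (not from the lecture nor from the cCSP papers), the following Python encodes the trace and trace-pair semantics of the previous slides as operations on sets of tuples and evaluates the three items of this homework, the stated identity for atomic P, P', Q, Q', and the two "under which circumstances?" identities. A trace is a tuple of action names ending in one of ✓, !, ?; the compensable sequential rule composes compensations in reverse order, (p⟨✓⟩, p') ; (q, q') = (pq, q' ; p'), which is what the "something wrong?" prompt on the compensable sequential slide points at. The function names (atom, seq, cseq, cpar, block, homework_three, ...) are mine.

```python
from itertools import product

TICK, BANG, QUERY = "✓", "!", "?"   # the terminal events: normal termination, throw, yield

def term(p):
    return p[-1]            # terminal event of a trace (a tuple of action names plus one terminal)

def body(p):
    return p[:-1]           # the actions that precede the terminal event

def joint(w1, w2):
    """Joint terminal event w1 & w2 of two parallel traces: ! dominates, then ?, then ✓."""
    if BANG in (w1, w2):
        return BANG
    if QUERY in (w1, w2):
        return QUERY
    return TICK

def interleavings(p, q):
    """int(p, q): every interleaving of two action sequences (terminal events already stripped)."""
    if not p or not q:
        return {p + q}
    return ({(p[0],) + r for r in interleavings(p[1:], q)}
            | {(q[0],) + r for r in interleavings(p, q[1:])})

# Standard processes are sets of traces.
def atom(a):
    return {(a, TICK)}

SKIP, THROW, YIELD = {(TICK,)}, {(BANG,)}, {(TICK,), (QUERY,)}

def choice(P, Q):
    return P | Q

def seq_tr(p, q):
    return body(p) + q if term(p) == TICK else p    # q runs only after a normal termination

def seq(P, Q):
    return {seq_tr(p, q) for p in P for q in Q}

def par_tr(p, q):
    return {r + (joint(term(p), term(q)),) for r in interleavings(body(p), body(q))}

def par(P, Q):
    return {r for p in P for q in Q for r in par_tr(p, q)}

def handler(P, Q):
    return {body(p) + q if term(p) == BANG else p for p in P for q in Q}   # P ▷ Q

# Compensable processes are sets of (forward trace, compensation trace) pairs.
def pair(P, Q):
    """P % Q: Q is installed only if P terminates normally; the pair may also yield before starting."""
    return ({(p, q) if term(p) == TICK else (p, (TICK,)) for p in P for q in Q}
            | {((QUERY,), (TICK,))})

SKIPP, THROWW, YIELDD = pair(SKIP, SKIP), pair(THROW, SKIP), pair(YIELD, SKIP)

def cchoice(PP, QQ):
    return PP | QQ

def cseq(PP, QQ):
    out = set()
    for (p, p1), (q, q1) in product(PP, QQ):
        if term(p) == TICK:
            out.add((body(p) + q, seq_tr(q1, p1)))   # QQ's compensation runs first, then PP's
        else:
            out.add((p, p1))                         # PP did not finish normally: QQ never starts
    return out

def cpar(PP, QQ):
    return {(r, r1) for (p, p1), (q, q1) in product(PP, QQ)
            for r in par_tr(p, q) for r1 in par_tr(p1, q1)}

def block(PP):
    """[PP]: a throw runs the installed compensation; a yield with nobody throwing gives no trace."""
    return ({body(p) + p1 for p, p1 in PP if term(p) == BANG}
            | {p for p, p1 in PP if term(p) == TICK})

def homework_three():
    """The three semantics the third homework asks for, with A, A', B, B' atomic."""
    A, A1, B, B1 = atom("A"), atom("A'"), atom("B"), atom("B'")
    return {"[THROWW]": block(THROWW), "[YIELDD]": block(YIELDD),
            "A%A' ; B%B'": cseq(pair(A, A1), pair(B, B1))}

def theorem_holds(P, P1, Q, Q1):
    """[ P%P' || Q%Q' || THROWW ] = SKIP + (P;P') + (Q;Q') + (P||Q);(P'||Q')."""
    lhs = block(cpar(cpar(pair(P, P1), pair(Q, Q1)), THROWW))
    rhs = choice(choice(choice(SKIP, seq(P, P1)), seq(Q, Q1)), seq(par(P, Q), par(P1, Q1)))
    return lhs == rhs

def parallel_law_holds(P, Q):
    """P || Q = P;Q + Q;P  (the first 'under which circumstances?' identity)."""
    return par(P, Q) == choice(seq(P, Q), seq(Q, P))

def interrupt_law_holds(P):
    """THROW || (YIELD ; P) = THROW + P;THROW  (the second one)."""
    return par(THROW, seq(YIELD, P)) == choice(THROW, seq(P, THROW))

if __name__ == "__main__":
    for name, value in homework_three().items():
        print(name, "=", sorted(value))
    print("theorem for atomic P, P', Q, Q':", theorem_holds(atom("A"), atom("A'"), atom("B"), atom("B'")))
    print("P||Q = P;Q + Q;P for atomic P, Q:", parallel_law_holds(atom("A"), atom("B")))
    print("... and for P = A;A2:", parallel_law_holds(seq(atom("A"), atom("A2")), atom("B")))
```

Running it gives [THROWW] = [YIELDD] = SKIP (the yield trace of a block contributes nothing, and a throw with an empty compensation is just ✓), and (A%A') ; (B%B') yields three pairs: the complete forward run with compensation ⟨B', A', ✓⟩, the run that yields after A with compensation ⟨A', ✓⟩, and the pair that yields before starting. The first "under which circumstances?" identity holds for single-action P and Q and fails as soon as P has two actions, because interleaving then produces a trace that neither sequencing does.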
Is the Semantics Adequate?
Formal definitions can lead to conceptual clarifications, make submerged aspects emerge, and give insights for language design.
The semantics we have seen is compositional, simple and intuitive, and models both forward and backward flows.
Is it the appropriate one? Does it match our intuition? Is any other option available?

Semantics vs Intuition
Expectations:
if no interrupt is raised, a "maximal" forward flow should be executed;
if an interrupt is raised, all previously completed activities are compensated and no subsequent activities are executed within that transaction;
what if an interrupt is raised during the backward flow? what else?
How can we reasonably conclude that the semantics is "correct"?

Some Ideas I
The successful traces of a standard process P are { p⟨✓⟩ | p⟨✓⟩ ∈ P } ⊆ P.
A successful trace of a compensable process PP is either a forward trace, with possibly many successful transactions, { p⟨✓⟩ | (p⟨✓⟩, q) ∈ PP }, or a trace with possibly many successfully compensated transactions, { pq | (p⟨!⟩, q) ∈ PP }.

Some Ideas II
Theory of "cancellation": each (forward) A has a compensating (backward) A°; AA° is "essentially" SKIP, but A°A is not SKIP.
Theory of "independence": independent actions can occur in either order, e.g. parallel actions A || B. Independency is symmetric, unlike cancelling; independency can be exploited to bring A and A° closer.

Some Ideas III: Abstract Effect
A° annihilates A: if we remove all such pairs from a trace, we are left with an abstract residual A(s), which gives the meaningful actions performed.
Take a trace s and define A(s) recursively:
A(s) = A(pqr) if s = pAqA°r and every B in q is independent of A°
A(s) = s otherwise

Example: Cancellation
Assume A° and B° are independent; then:
A(⟨A, B, C, C°, A°, B°, ✓⟩) = A(⟨A, B, A°, B°, ✓⟩) = A(⟨A, A°, ✓⟩) = A(⟨✓⟩) = ⟨✓⟩

Adequacy Criterion I
When considering [ PP ] one would like that, for any p ∈ [ PP ]: if p is a forward trace, then A(p) = p; if p is a compensated trace, then A(p) = ⟨✓⟩.
This is equivalent to requiring that A(p) = p for every successful forward trace p of PP and A(p) = ⟨✓⟩ for every successfully compensated trace p of PP.
Is this assumption strong enough? If we know that it holds for PP, what can we say about [ PP ; THROWW ]?

Adequacy Criterion II
PP is called self-cancelling, written S(PP), if for every (p, p'') ∈ PP, A(pp'') = ⟨✓⟩.
In other words, we must guarantee that in any execution of PP, even a partial one, the installed compensation is able to cancel the actions executed so far.
We can then prove interesting properties, e.g. S(PP) implies A([ PP ; THROWW ]) =trace SKIP, where A(.) is extended element-wise to sets of traces.

A Well-Behaving Fragment
We would like to characterize syntactically a fragment of compensable processes guaranteeing the self-cancelling property. It is easy to check that:
S(SKIPP), S(THROWW) and S(YIELDD) hold;
if S(PP) and S(QQ), then S(PP + QQ);
if S(PP) and S(QQ), then S(PP ; QQ).
But what can we say about PP || QQ? And what about P % Q?

Restriction on Parallel
When trying to prove that if S(PP) and S(QQ) then S(PP || QQ), a difficulty emerges due to interleaving: in the resulting traces, A and A° from PP are interleaved with actions from QQ, and vice versa.
To prove the thesis we must assume that A° is independent of B° for all A° in PP and all B° in QQ.

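As an added example (mine, not the lecture's), the following Python implements the abstract residual A(s) of "Some Ideas III", replays the cancellation example, and checks the self-cancelling criterion S(PP) on two hand-written sets of trace pairs: those of (A%A°) ; (B%B°), where the second compensation runs before the first, and those of (A%A°) || (B%B°). The second set is exactly the situation of this slide: without an independence assumption between A° and B° the interleaved compensations do not cancel, and with it they do. Reading pp'' as "the actions of p followed by p''" (dropping p's own terminal event) is my assumption; residual, self_cancelling, SEQ_PAIRS and PAR_PAIRS are my names and the pair sets are constructed by hand from the trace-pair rules.

```python
COMP = "°"                      # A° names the compensating (backward) action of A
TERMINALS = {"✓", "!", "?"}     # terminal events are never cancelled

def residual(s, indep):
    """A(s): delete a pair A ... A° whenever every action between them is independent of A°,
    and repeat until no such pair is left. indep is a symmetric relation, given as a set of
    2-tuples of action names (either order)."""
    ind = {frozenset(pr) for pr in indep}
    for i, a in enumerate(s):
        if a in TERMINALS or a.endswith(COMP):
            continue                                  # only a forward action can open a pair
        for j in range(i + 1, len(s)):
            if s[j] == a + COMP and all(frozenset((b, s[j])) in ind for b in s[i + 1:j]):
                return residual(s[:i] + s[i + 1:j] + s[j + 1:], indep)
    return s                                          # nothing left to cancel

def self_cancelling(pairs, indep):
    """S(PP) over an explicit set of (forward, compensation) trace pairs: the forward actions
    followed by the installed compensation must reduce to <✓>. The forward trace's own terminal
    event is dropped before concatenation (my reading of pp'')."""
    return all(residual(p[:-1] + p1, indep) == ("✓",) for p, p1 in pairs)

# Trace pairs of (A%A°) ; (B%B°) and of (A%A°) || (B%B°), written out by hand from the
# compensable sequential and parallel rules (constructed sample data, not computed here).
SEQ_PAIRS = {(("A", "B", "✓"), ("B°", "A°", "✓")), (("A", "?"), ("A°", "✓")), (("?",), ("✓",))}
PAR_PAIRS = {(("A", "B", "✓"), ("A°", "B°", "✓")), (("A", "B", "✓"), ("B°", "A°", "✓")),
             (("B", "A", "✓"), ("A°", "B°", "✓")), (("B", "A", "✓"), ("B°", "A°", "✓")),
             (("A", "?"), ("A°", "✓")), (("B", "?"), ("B°", "✓")), (("?",), ("✓",))}

if __name__ == "__main__":
    print(residual(("A", "B", "C", "C°", "A°", "B°", "✓"), {("A°", "B°")}))   # ('✓',)
    print(self_cancelling(SEQ_PAIRS, set()),                                  # True
          self_cancelling(PAR_PAIRS, set()),                                  # False
          self_cancelling(PAR_PAIRS, {("A°", "B°")}))                         # True
```

The sequential pairs cancel with no independence at all, because the reverse-order composition places B° right after B and A° right after A once B B° is gone. The parallel pairs contain ⟨A, B, A°, B°, ✓⟩, where removing B ... B° has A° in between: that is the interleaving difficulty of this slide, and declaring A° and B° independent is precisely what lets the residual reach ⟨✓⟩.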
Restriction on Compensation Pairs
P % Q provides nesting of compensations and programmable compensations.
These features are indeed complex ones; their foundations are under investigation.
A safe assumption is to allow only A % A° in place of P % Q. Then S(A % A°) trivially holds.