A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko...
-
Upload
angelica-parker -
Category
Documents
-
view
213 -
download
0
Transcript of A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko...
![Page 1: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/1.jpg)
A theory of DbC for multiparty
distributed interactions
Emilio TuostoUniversity of Leicester
Nobuko YoshidaImperial College London
Kohei HondaQueen Mary, University of London
Laura BocchiUniversity of Leicester
![Page 2: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/2.jpg)
Aims & Objectives
Support description/engineering of multiparty protocols
format of messages
discipline interactions in conversations
values carried in messages
Devise a theoretical framework
analyze protocols
specify obligations/guarantees of participants
![Page 3: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/3.jpg)
Reading listAssertion methods
Design by Contract (DbC)
Multiparty Asynchronous Session Types
Global assertions
K. Honda, N. Yoshida and M. Carbone Multyparty Asynchronous Session Types In POPL 2008.
B. MeyerApplying “Design by Contract”In Computer (IEEE), 25, 1992.
C. A. R. HoareAn axiomatic basis of computer programmingIn CACM, 12, 1969.
L. Bocchi, K. Honda, E. Tuosto, and N. Yoshida A theory of DbC for multiparty distributedhttp://www.cs.le.ac.uk/people/lb148/assertedtypes.html
![Page 4: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/4.jpg)
Outline
![Page 5: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/5.jpg)
Design by ContractType signatures to constraint computation
the method m of an object of class C should be invoked with a string and an integer; m will return (if ever) a string
DbC = Types + Assertions
if m is invoked with a string representing a date 2007 ≤ d ≤ 2008 and an integer n ≤ 1000 then it will (if ever) return the date n days after d
In a distributed setting each party has
guarantees (e.g., on the content of the received messages)
obligations (e.g., on the content of the sent messages)
![Page 6: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/6.jpg)
A simple global type
µ t(p_o : int) 〈〈 .Buyer → Seller : ChSeller (o : int).Seller → Buyer : ChBuyer {
ok: Buyer → Bank : ChBank (p : int). Bank → Seller : ChSeller(a : bool), hag: t 〈 o 〈
}
![Page 7: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/7.jpg)
Outline
![Page 8: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/8.jpg)
Syntax for Global Assertions
What is A?
![Page 9: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/9.jpg)
Logical Language
The investigation of the most suitable logic is left as a future work
The logical language is likely to be application dependent
good candidates are first-order decidable logics (e.g. Presburger arithmetic)
![Page 10: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/10.jpg)
A global assertionGhag = μ t(o : int@{Buyer, Seller}) 〈 10 〈 {o≥10}.
Buyer → Seller: ChSeller (p : int) {p≥10}.
Seller → Buyer: ChBuyer{
{true} ok:
Buyer → Bank: ChBank (c : int) {c=p}.
Bank → Seller: ChSeller (a : bool) {true},
{p>o} hag: t 〈 p 〈
}
![Page 11: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/11.jpg)
Correctness of Global Assertions
Global assertions must respect 3 principles
History sensitivity
Locality
Temporal satisfiability
![Page 12: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/12.jpg)
History sensitivity principle
Alice → Bob : ChB (u:int) {true}. Bob → Carol : ChC (v:int) {true}. Carol → Alice : ChA (z:int) {z<u}
Alice → Bob : ChB (u:int) {true}. Bob → Carol : ChC (v:int) {v<u}. Carol → Alice : ChA (z:int) {z<v}
z indirectly depends on u...z indirectly depends on u...
An interaction predicate can only constraint variables known by the sender
Carol cannot guarantee Carol cannot guarantee z<u as she doesn’t know uz<u as she doesn’t know u
...but Carol can choose the ...but Carol can choose the right value since she knows v right value since she knows v
and the predicates ensure that and the predicates ensure that the dependencies are the dependencies are
respected respected
![Page 13: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/13.jpg)
Locality principle
Predicates can only constraint variables which they introduce
Alice → Bob : ChB (u:int) {u>0}. Bob → Carol : ChC (v:int) {true}. Carol → Alice : ChA (z:int) {z≥v ∧ v>1}
Carol strengthens the Carol strengthens the
constraints on v withough constraints on v withough
being entitledbeing entitled
Alice → Bob : ChB (u:int) {u>0}. Bob → Carol : ChC (v:int) {true}. Carol → Alice : ChA (z:int) {z≥v ∧ z>1}
![Page 14: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/14.jpg)
Temporal-satisfiability principle
Alice → Bob : ChB (u:int) {u<10}. Bob → Alice : ChA (v:int) {v<u ∧ v>6}
had Alice sent 6 or 7, Bob had Alice sent 6 or 7, Bob
couldn’t meet his couldn’t meet his
obbligation!obbligation!
For each value satisfying a predicate A
there is always a branch enabled
for each subsequent predicate A’, it is always possible to find values that satisfy A’
![Page 15: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/15.jpg)
Being true to our principles
HSP can be statically checked
![Page 16: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/16.jpg)
Being true to our principles
TSP implies LP, and we give a checker GSat(G,A)
![Page 17: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/17.jpg)
Well-assertedness
A global assertion G is well-asserted when
G is history-sensitive and
GSat(G,true) = true
![Page 18: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/18.jpg)
Outline
![Page 19: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/19.jpg)
End-point assertions
Endpoint assertions specify the behaviour of processes involved in a session.
![Page 20: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/20.jpg)
Projections & “third parties”
Seller → Buyer : ChBuyer(p : int) {p > 10}.
Buyer → Bank : ChBank (c : int) {c ≥ p}
A too naive projection wrt Bank would give
ChBank?(c:Int) {c ≥ p}
which is meaningless because Bank ignores the value of p so it cannot check if Buyer meets its obbligation.
![Page 21: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/21.jpg)
Projecting global assertions
Seller → Buyer : ChBuyer(p : int) {p > 10}.
Buyer → Bank : ChBank (c : int) {c ≥ p}
ChBank?(c:Int) {∃p. p≥10 ∧c ≥ p}
projected wrt Bank
![Page 22: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/22.jpg)
Projection in action
Thag = μ t(o : int) 〈 10 〈 {o≥10}.
ChSeller?(p : int) {p≥10 ∧o≥10};
ChBuyer⊕{
{true} ok: ChSeller?(a : bool) {∃c. p≥10 ∧o≥10 ∧ c=p}
{p>o} hag: t 〈 o 〈
}
Ghag = μ t(o : int@{Buyer, Seller}) 〈 10 〈 {o≥10}.Buyer → Seller: ChSeller (p : int) {p≥10}.Seller → Buyer: ChBuyer{
{true} ok:Buyer → Bank: ChBank (c : int) {c=p}.Bank → Seller: ChSeller (a : bool) {true},{p>o} hag: t 〈 p 〈
}
![Page 23: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/23.jpg)
Well-assertedness for endpoint assertionsSimilarly to global assertions, we define LSat(T,A) to check if T is satisfiable under assertion A
Notice that for endpoint assertions only TSP is important as
TSP implies LPHSP is vacuously guaranteed
Proj(G,true,p) preserves well-assertedness
![Page 24: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/24.jpg)
Asserted processes
![Page 25: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/25.jpg)
Semantics
![Page 26: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/26.jpg)
Outline
![Page 27: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/27.jpg)
Validating asserted processesunder the assertion
environment C and the sorting Γ, P is validated w.r.t. the assertion assignment Δ
![Page 28: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/28.jpg)
Main Results
Validated processes can be “simulated” by their end-point assertions
End-point assertions do not yield errors (by construction)
A validated process never reaches errors
Validation is decidable
![Page 29: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/29.jpg)
Main results 2
In a trusted environment, all assertions of validate processes can be turned into true
A monitor can be automatically deduced from validated processes (it has to check sent/selection messages)
In an untrusted environment, the monitor may guard processes and help in debugging
![Page 30: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/30.jpg)
Future work
Study properties of suitable logics for global assertions
tractability/decidability
complexity
Play with implementations
Apply this context to financial protocols
![Page 31: A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College London Kohei Honda Queen.](https://reader036.fdocuments.us/reader036/viewer/2022081603/5697bfad1a28abf838c9c237/html5/thumbnails/31.jpg)
Thank you...