Realizability Analysis for Message-Based Interactions Using Shared-State Projections

Sylvain Hallé (Université du Québec à Chicoutimi, Canada) and Tevfik Bultan (University of California Santa Barbara, USA)
Context: communicating with messages

Motivation for message-based communication (illustrated throughout with three peers: Alice, Bob and Carl):

Coordination problem in Service-Oriented Architecture (SOA)
- Choreography specification and analysis
- Choreography and orchestration conformance

Process isolation in Operating Systems
- Message-based communication instead of shared data
- Channel contracts in Singularity OS
- Channel contract analysis and conformance
- Session types
Context

Conversation protocol (C): a finite-state machine describing the global sequences of messages sent between peers. Transitions are labelled "sender→receiver: message".

[Figure: the running example C, states 0 to 5 with initial state 0. Transitions: 0 →(A→B: m1) 1; 1 →(B→A: m2) 2; 1 →(B→C: m3) 3; 2 →(A→C: m4) 4; 3 →(C→A: m5) 5; 4 →(C→B: m6) 5.]
Context

Examples of conversation protocols:
- Web service choreographies
- Channel contracts in Microsoft Singularity OS

[Figure: the TPMContract channel contract of Singularity OS. States: ReadyState, ReadyStateS0, ReadyStateS1, IO_RUNNING, IO_RUNNINGS0. Messages: C→S: GetTpmStatus, S→C: TpmStatus, C→S: Send, S→C: AckStartSend, S→C: SendComplete.]
Problem

From a conversation protocol C and peers A, B, ..., synthesize "local" protocols C_A, C_B, ..., whose composition produces L(C).

Let's compute the projection of C for Alice, π_A(C). Each of its states is a set of states of C, because Alice cannot tell apart global states separated by messages she neither sends nor receives. Step by step on the running example:
- Start in {0}.
- A→B: m1 leads to {1}; Bob may then send m3 to Carl without Alice noticing, so the state becomes {1,3}.
- B→A: m2 from {1,3} leads to {2}.
- A→C: m4 from {2} leads to {4}; Carl may then send m6 to Bob unnoticed by Alice, so the state becomes {4,5}.
- C→A: m5 is the remaining message Alice can receive.

[Figure: π_A(C) as drawn on the slides, with states {0}, {1,3}, {2}, {4,5} and transitions A→B: m1, B→A: m2, A→C: m4, C→A: m5, next to the global protocol C.]
Composing the projections

Alice, Bob and Carl each run their own projection: π_A(C), π_B(C) and π_C(C).

[Figure: the three projections.
π_A(C): states {0}, {1,3}, {2}, {4,5}; transitions A→B: m1, B→A: m2, A→C: m4, C→A: m5.
π_B(C): states {0}, {1}, {2,4}, {3,5}; transitions A→B: m1, B→A: m2, B→C: m3, C→B: m6.
π_C(C): states {0,1,2}, {3}, {4}, {5}; transitions {0,1,2} →(B→C: m3) {3}, {0,1,2} →(A→C: m4) {4}, {3} →(C→A: m5) {5}, {4} →(C→B: m6) {5}.
The animation exchanges m1, m3 and m5 between the peers.]

Two communication models:
- synchronous communication;
- asynchronous communication, where each peer has a message queue.

From C, we create a channel system (peer states + queues).
Channel system

[Figure: Alice, Bob and Carl running π_A(C), π_B(C) and π_C(C) (as above) with asynchronous message queues. The animation shows m1 being sent and delivered, then m2 being sent; the pending m2 is flagged with a question mark (?m2), leading to the next slide.]
Realizability

What happened?

It is easy to show that L(C) ⊆ L(channel system of C), i.e. each peer p follows its projection π_p(C), but the resulting interaction may not be part of C!

A protocol C is realizable when L(C) = L(channel system of C).

How can we determine if a conversation protocol is realizable?
How can we determine (un)realizability?

Solution A: compute the channel system from the projections; look for a "bad sequence".

[Figure: fragment of a channel system for a protocol with messages A→B: m1, A→B: m4, B→C: m3 and C→A: m2. Each configuration pairs the peers' local state sets with one queue per peer, e.g. ({0},{0,2},{0,1}), ((A,ε),(B,ε),(C,ε)) initially and ({1,3},{0,2},{2,4}), ((A, C→A: m2),(B, A→B: m1),(C,ε)) once messages are in flight. Edges are sends, such as "A→B: m1, !", and receives, such as "A→B: m1, ?".]

Problem: in some cases, the channel system is infinite.
How can we determine (un)realizability?

Solution B: devise conditions on the original protocol.

1. Three realizability conditions (Fu, Bultan, Su, TSE 2005):
   1) Synchronous compatible: every time a peer can send a message m, its recipient must be in (or reach) a state where m can be received.
   2) Autonomous: at any moment, a peer cannot be both sender and receiver.
   3) Lossless-join: the "Cartesian product" of the π_p(C) produces L(C).
How can we determine (un)realizability?

Solution B: devise conditions on the original protocol.

2. Session types (Honda et al., ESOP 1998, POPL 2008): a programmer describes a scenario as a type G. Each component of the interaction is developed independently and periodically checked to make sure it is typable against its projection on G.
How can we determine (un)realizability?

Problem: both sets of conditions are sufficient, but not necessary for realizability.

[Figure: a protocol between peers C and S with states 0 to 4 and messages C→S: c, S→C: f (each appearing twice) and C→S: s; either peer may send first.]

- Fu et al.: "fails autonomous condition"
- Honda et al.: "not typable"
- Yet this protocol is realizable!

Both approaches incorrectly classify all protocols with an arbitrary initiator.
How can we determine (un)realizability?

The key observation
Key observation

[Figure: Alice, Bob and Carl with their projections π_A(C), π_B(C) and π_C(C), as before.]

Is there a state that every peer can accept as the current global state of C?

- At the start: Alice is in {0}, Bob in {0}, Carl in {0,1,2}, and {0} ∩ {0} ∩ {0,1,2} = {0}.
- After m1 has been exchanged and Bob has sent m2 (not yet received by Alice): Alice is in {1,3}, Bob in {2,4}, Carl in {0,1,2}, and {1,3} ∩ {2,4} ∩ {0,1,2} = ∅.
Key observation

Intuitively... Alice, Bob & Carl don't agree on a common global protocol state → "problems".

When computing a projection for Alice, let's keep track of the possible states that Bob and Carl can be in... ...and check if we ever reach a moment where they might disagree: shared-state projections (conservative approximations).
Proof sketch

1. Start from a conversation protocol C.
2. For each peer p, define a finite projection π̂_p(C).
3. Show that π̂_p(C) is an over-approximation of the "standard" projection π_p(C) ⇒ L(π_p(C)) ⊆ L(π̂_p(C)).
4. Define a condition for "bad" states of π̂_p(C).
5. Show that no trace in L(C) ever visits a bad state.
6. Consequence: if no bad state is ever generated, then

   L(C) ⊆ L(channel system of C) ⊆ L(π̂_p(C)) ⊆ L(C)

   (the first inclusion was already seen, the second holds by 3, the third by 5)

   ⇒ L(C) = L(channel system of C)
   ⇒ C is realizable!
A realizability condition

Workflow for evaluating realizability of C:
1. For some peer p, compute the shared-state projection π̂_p(C). Guaranteed to terminate, as π̂_p(C) is finite.
2. In that projection, look for a bad state. Answer "C might be unrealizable" as soon as one is found.
3. Otherwise, repeat 1-2 for another peer.
4. Answer "C is realizable" if no conflict state could be found for any of the peers.
Shared-state projection

Let P be a set of peers and C a conversation protocol with states S. Select one peer p as the focus peer.

- A state σ of π̂_p(C) is a mapping P → 2^S that defines one subset of S for each peer: the possible states of C.
- A transition from σ to σ', sending message m, is taken whenever one of the peers can send m from one of its current possible states of C.
- The consequences of that transition yield the next possible states of C for each peer.
Shared-state projection

[Figure: a protocol with states 0 to 6 and transitions A→B: m1, A→C: m2, B→C: m3, B→A: m4, B→C: m5, C→B: m6.]

If A is the focus peer and the conversation has just started, what state can B be in, in addition to 0?
- 3, 5: since A cannot distinguish between them
- 2: since for B it is merged with 0
- 4: since B may have already sent A a message
- Not 1: this would require A to send a message
- Not 6: also depends on A to be reachable
Shared-state projection

With a similar reasoning for C, we can deduce that, from A's point of view in state 0...
- {0,2,3,4,5} are possible states for B
- {0,1,3,4,5} are possible states for C

The initial state of π̂_A(C) is therefore: A:{0,3,5} B:{0,2,3,4,5} C:{0,1,3,4,5}
Shared-state projection

Conflict state (i.e. "bad" state): in a shared-state projection, take the intersection of the sets of states for each peer. A state is a conflict state if this intersection is empty. Example: {1,3} ∩ {2,4} ∩ {0,1,2} = ∅.

Intuition: the peers have reached a point where they have diverging views of the current state of the conversation (and of what to do next).

Exact construction in the paper!
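Added example, not the authors' SSPCalc tool and not the paper's exact construction: it builds the standard projections π_p(C) of the running protocol by the subset construction walked through on the Problem slides, then replays the exchange of the Key observation slides (m1 exchanged, then Bob sends m2) while intersecting the peers' local views to detect the empty intersection used as the conflict criterion above. The transition table of C is reconstructed here from the projections shown on the slides.

```python
"""Added example (not the authors' SSPCalc tool): standard projections pi_p(C) of the
running protocol C by subset construction, plus the intersection test of the "Key
observation" slides applied to the peers' local views along one exchange.  The exact
shared-state projection construction of the paper is not reproduced here."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Running example C of the slides, states 0..5, reconstructed from the projections:
# (source, sender, receiver, message, target)
PROTOCOL = [
    (0, "A", "B", "m1", 1),
    (1, "B", "A", "m2", 2),
    (1, "B", "C", "m3", 3),
    (2, "A", "C", "m4", 4),
    (3, "C", "A", "m5", 5),
    (4, "C", "B", "m6", 5),
]
PEERS = ("A", "B", "C")
INITIAL = 0
View = FrozenSet[int]  # the states of C that a peer considers possible

def closure(states, peer: str) -> View:
    """Add every state reachable through messages that `peer` neither sends nor receives."""
    seen, work = set(states), list(states)
    while work:
        s = work.pop()
        for src, snd, rcv, _, dst in PROTOCOL:
            if src == s and peer not in (snd, rcv) and dst not in seen:
                seen.add(dst)
                work.append(dst)
    return frozenset(seen)

def local_step(view: View, peer: str, snd: str, rcv: str, msg: str):
    """One transition of pi_peer(C) on a message the peer sends or receives.
    Returns the new view, or None if no possible state allows that message."""
    targets = {dst for src, s, r, m, dst in PROTOCOL
               if src in view and (s, r, m) == (snd, rcv, msg)}
    return closure(targets, peer) if targets else None

def standard_projection(peer: str):
    """Subset construction of pi_peer(C): its reachable views and labelled transitions."""
    start = closure({INITIAL}, peer)
    views: Set[View] = {start}
    edges: Set[Tuple[View, str, View]] = set()
    work = [start]
    while work:
        cur = work.pop()
        for _, snd, rcv, msg, _ in PROTOCOL:
            if peer not in (snd, rcv):
                continue  # this message is invisible to the peer
            nxt = local_step(cur, peer, snd, rcv, msg)
            if nxt is None:
                continue
            edges.add((cur, f"{snd}->{rcv}: {msg}", nxt))
            if nxt not in views:
                views.add(nxt)
                work.append(nxt)
    return views, edges

def common_state(views: Dict[str, View]) -> View:
    """Global states of C that every peer can still accept; empty means a conflict."""
    return frozenset.intersection(*views.values())

def replay(events: List[Tuple[str, str, str, bool]]):
    """Track the peers' views along events (sender, receiver, message, delivered).
    The sender moves at once; the receiver moves only when the message is delivered,
    so an undelivered message leaves the receiver's view unchanged (message in flight)."""
    views = {p: closure({INITIAL}, p) for p in PEERS}
    history = [("start", common_state(views))]
    for snd, rcv, msg, delivered in events:
        sent = local_step(views[snd], snd, snd, rcv, msg)
        if sent is None:
            raise ValueError(f"{snd} cannot send {msg} from {sorted(views[snd])}")
        views[snd] = sent
        if delivered:
            got = local_step(views[rcv], rcv, snd, rcv, msg)
            if got is None:
                raise ValueError(f"{rcv} cannot receive {msg} from {sorted(views[rcv])}")
            views[rcv] = got
        label = f"{snd}->{rcv}: {msg}" + ("" if delivered else " (in flight)")
        history.append((label, common_state(views)))
    return views, history

if __name__ == "__main__":
    for p in PEERS:
        print(p, sorted(sorted(v) for v in standard_projection(p)[0]))
    # Slide scenario: m1 exchanged, then Bob sends m2 before Alice has received it.
    _, hist = replay([("A", "B", "m1", True), ("B", "A", "m2", False)])
    for label, common in hist:
        print(f"{label:24} common = {sorted(common) or 'CONFLICT'}")
```

The replay reproduces the slide values: {0} at the start, {1} once m1 has been exchanged, and the empty intersection as soon as m2 is in flight; per the workflow above, an empty intersection only means "C might be unrealizable".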
Back to Alice and Bob

Shared-state projection π̂_C(C) of the running example (focus peer Carl), alongside the global protocol C:
- Initial state: A:{0,1,2,3,4} B:{0,1,2,3,4} C:{0,1,2}
- B→C: m3 leads to A:{3} B:{3} C:{3}; then C→A: m5 leads to A:{3,5} B:{3,5} C:{5}
- A→C: m4 leads to A:{4} B:{4} C:{4}; then C→B: m6 leads to A:{4,5} B:{4,5} C:{5}

Every intersection is non-empty, so there is no conflict state: Carl cannot be the cause of a violation.
Back to Alice and Bob

Shared-state projection π̂_A(C) (focus peer Alice), alongside the global protocol C:
- Initial state: A:{0} B:{0,2} C:{0,2}
- A→B: m1 leads to A:{1,3} B:{0,1,2,3,5,#} C:{0,1,2,3,5}
- B→A: m2 leads to A:{2} B:{2} C:{2}
- A→C: m4 leads to A:{4,5} B:{2,4,5} C:{2,4,5}

If Alice waits for Bob, she cannot cause a violation.
Experimental results

SSPCalc: PHP tool computing shared-state projections + graphs and statistics.
Experimental results

Tool tested on 100 real-world protocols taken from web service specifications and Singularity OS channel contracts.
- 91% of protocols analyzed in less than 1 s
- 95% in less than 10 s
- Time ∝ state space²

[Figure: log-log plot of validation time (s) against the number of explored states.]
Experimental results

With P peers and S states in C, the shared-state projection has a maximal size of P²·2^S states.
- Bound seldom reached in practice
- Very few protocols required more than 10,000 states

[Figure: log-log plot of the theoretical upper bound against the number of explored states, with the line y = x for reference.]
Experimental results

Provides tighter conditions on protocols with arbitrary initiator. Example: Singularity OS' TPMContract.
- Original version: unrealizable.
- Corrected version: realizable, yet existing conditions still yield a false positive!

[Figure: the original and corrected TPMContract state machines. States: ReadyState, ReadyStateS0, ReadyStateS1, IO_RUNNING, IO_RUNNINGS0 and, in the corrected version, IO_RUNNINGS1. Messages: C→S: GetTpmStatus, S→C: TpmStatus, C→S: Send, S→C: AckStartSend, S→C: SendComplete.]
Conclusion

- Asynchronous communication can make a conversation protocol unrealizable.
- No exact and universal condition for realizability is currently known.
- A shared-state projection (SSP) is a projection of C that keeps track of the possible states for the remaining peers.
- The absence of a conflict state in an SSP is a sufficient condition for realizability of C; the computation is guaranteed to terminate.
Conclusion

Open questions:
- Do SSPs define an equivalence relation over queue contents?
- The paper presents a method for producing families of sufficient realizability conditions. What other conditions could we devise?
- Is the condition necessary for a restricted subset, e.g. two-party protocols?
- Can we repair unrealizable protocols automatically using SSPs?