Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)


The global interaction behavior in message-based systems can be specified as a finite-state machine defining acceptable sequences of messages exchanged by a group of peers. Realizability analysis determines if there exist local implementations for each peer, such that their composition produces exactly the intended global behavior. Although there are existing sufficient conditions for realizability, we show that these earlier results all fail for a particular class of specifications called arbitrary-initiator protocols. We present a novel algorithm for deciding realizability by computing a finite-state model that keeps track of the information about the global state of a conversation protocol that each peer can deduce from the messages it sends and receives. By searching for disagreements between each peer's deduced states, we provide a sound analysis for realizability that correctly classifies realizability of arbitrary-initiator protocols.


  1. Title slide. Sylvain Hallé (Université du Québec à Chicoutimi, Canada) and Tevfik Bultan (University of California Santa Barbara, USA): Realizability Analysis for Message-Based Interactions Using Shared-State Projections.
  2. Context: communicating with messages. Three peers, Alice, Bob and Carl, interact only by exchanging messages.
  3. Motivation for message-based communication. Coordination problem in Service-Oriented Architecture (SOA): choreography specification and analysis; choreography and orchestration conformance. Process isolation in operating systems: message-based communication instead of shared data; channel contracts in the Singularity OS; channel contract analysis and conformance; session types.
  4. Context: conversation protocol C. A finite-state machine describing the global sequences of messages sent between peers. Running example: states 0 to 5 and transitions A→B: m1, B→A: m2, B→C: m3, A→C: m4, C→A: m5, C→B: m6.
  5. Examples of conversation protocols: web service choreographies; channel contracts in Microsoft Singularity OS. (Figure: the TPMContract, with states ReadyState, ReadyState_S0, ReadyState_S1, IO_RUNNING and IO_RUNNING_S0 and messages C→S: GetTpmStatus, S→C: TpmStatus, C→S: Send, S→C: AckStartSend and S→C: SendComplete.)
  6-15. Problem. From a conversation protocol C and peers A, B, ..., synthesize "local" protocols π_A(C), π_B(C), ... whose composition produces L(C). The slides compute the projection of C for Alice, π_A(C), by subset construction: each state of the projection is the set of global states of C that Alice cannot tell apart, because the messages leading from one to the other do not involve her. Starting from {0}, A→B: m1 leads to {1,3} (state 3 is reached by B→C: m3, which Alice neither sends nor receives), B→A: m2 leads to {2}, A→C: m4 leads to {4} and, after closure by C→B: m6, to {4,5}; C→A: m5 is Alice's remaining transition.
  16-19. Composing the projections. π_A(C): states {0}, {1,3}, {2}, {4,5}; transitions A→B: m1, B→A: m2, A→C: m4, C→A: m5. π_B(C): states {0}, {1}, {2,4}, {3,5}; transitions A→B: m1, B→A: m2, B→C: m3, C→B: m6. π_C(C): states {0,1,2}, {3}, {4}, {5}; transitions B→C: m3, A→C: m4, C→A: m5, C→B: m6. The slides animate a run of the composition in which m1, m3 and m5 are exchanged.
  20-23. Composing the projections: synchronous vs. asynchronous communication. With asynchronous communication, each peer has a message queue. From C we create a channel system (peer states + queues), written Ċ below.
  24-29. Channel system. The same three projections, now with a queue per peer. The slides animate an asynchronous run in which m1 and m2 are both sent; it ends with a message m2 that its recipient cannot receive in its current state (shown as "?m2").
  30-31. Realizability. What happened? It is easy to show that L(C) ⊆ L(Ċ), i.e. each peer p follows its projection π_p(C), but the resulting interaction may not be part of C! A protocol is realizable when L(C) = L(Ċ). How can we determine if a conversation protocol is realizable?
  32-34. How can we determine (un)realizability? Solution A: compute the channel system from the projections and look for a "bad sequence". (Figure: a fragment of the channel system; each configuration pairs the peers' projection states, e.g. ({0},{0,2},{0,1}), with the contents of their queues, and edges are labelled with sends (!) and receives (?) of messages.) Problem: in some cases, the channel system is infinite.
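The following Python program is an added example; it is neither the authors' SSPCalc tool nor the paper's shared-state projection construction. It implements the two things the slides so far describe completely: the standard projection π_p(C) by subset construction (slides 6-15) and Solution A, a breadth-first search of the asynchronous channel system built from the projections for a "bad" send sequence (slides 32-34). Because that channel system can be infinite, the search bounds the length of each peer's queue and reports whether the bound was ever hit. The transition structure of the two protocols (the Alice/Bob/Carl running example and the client/server example of slides 37-41) is reconstructed from the state-set labels on the slides and is an assumption of this example; all function and variable names are the example's own.

```python
"""Conversation protocol C, per-peer projections pi_p(C) and a bounded search of the
channel system for a "bad" send sequence (Solution A on the slides). Both example protocols
are reconstructed from the slides' state-set labels (an assumption of this example)."""
from collections import deque, namedtuple

# transitions: list of (source state, sender, receiver, message, target state)
Protocol = namedtuple("Protocol", "peers initial finals transitions")

def step(proto, states, label):
    """Global states reachable from `states` by one send labelled (sender, receiver, msg)."""
    return frozenset(d for (s, p, r, m, d) in proto.transitions
                     if s in states and (p, r, m) == label)

def prefix_states(proto, sends):
    """Global states consistent with a send sequence; empty if no conversation starts so."""
    states = frozenset([proto.initial])
    for label in sends:
        states = step(proto, states, label)
    return states

def epsilon_closure(proto, peer, states):
    """Close `states` under transitions that `peer` neither sends nor receives."""
    seen, work = set(states), list(states)
    while work:
        s = work.pop()
        for (src, p, r, m, dst) in proto.transitions:
            if src == s and peer not in (p, r) and dst not in seen:
                seen.add(dst)
                work.append(dst)
    return frozenset(seen)

def project(proto, peer):
    """Standard projection pi_peer(C) by subset construction: (initial, {(state, label):
    state}, states). A state is the set of global states `peer` cannot tell apart."""
    init = epsilon_closure(proto, peer, {proto.initial})
    trans, states, work = {}, {init}, [init]
    while work:
        q = work.pop()
        for label in sorted({(p, r, m) for (src, p, r, m, d) in proto.transitions
                             if src in q and peer in (p, r)}):
            nxt = epsilon_closure(proto, peer, step(proto, q, label))
            trans[(q, label)] = nxt
            if nxt not in states:
                states.add(nxt)
                work.append(nxt)
    return init, trans, states

def find_bad_sequence(proto, queue_bound=2):
    """BFS over the channel system (peers run their projections, one FIFO queue each).
    Returns (witness, exhaustive): `witness` is a send sequence that no conversation in L(C)
    starts with, or after which the system is stuck with an undelivered message or outside a
    final state, else None; `exhaustive` is False if `queue_bound` cut off some send."""
    projs = {p: project(proto, p) for p in proto.peers}
    idx = {p: i for i, p in enumerate(proto.peers)}
    start = (tuple(projs[p][0] for p in proto.peers), tuple(() for _ in proto.peers),
             frozenset([proto.initial]))
    frontier, seen, exhaustive = deque([(start, ())]), {start}, True
    while frontier:
        (locs, queues, glob), history = frontier.popleft()
        if not glob:                       # the sends so far are not a prefix of L(C)
            return list(history), exhaustive
        moves = []                         # (is_send, peer index, label, next local state)
        for p in proto.peers:
            i, trans = idx[p], projs[p][1]
            moves += [(True, i, lab, dst) for (src, lab), dst in trans.items()
                      if src == locs[i] and lab[0] == p]
            if queues[i] and (locs[i], queues[i][0]) in trans:
                moves.append((False, i, queues[i][0], trans[(locs[i], queues[i][0])]))
        if not moves and (any(queues) or not (glob & proto.finals)):
            return list(history), exhaustive   # stuck, like the "?m2" of the slides
        for is_send, i, label, dst in moves:
            locs2, queues2, hist2, glob2 = list(locs), list(queues), history, glob
            locs2[i] = dst
            if is_send:
                r = idx[label[1]]
                if len(queues[r]) >= queue_bound:
                    exhaustive = False     # the channel system may be infinite: cut here
                    continue
                queues2[r] = queues[r] + (label,)
                hist2, glob2 = history + (label,), step(proto, glob, label)
            else:
                queues2[i] = queues[i][1:]
            conf = (tuple(locs2), tuple(queues2), glob2)
            if conf not in seen:
                seen.add(conf)
                frontier.append((conf, hist2))
    return None, exhaustive

# Running example of the slides: Alice (A), Bob (B), Carl (C); either A or B may initiate.
ALICE_BOB_CARL = Protocol(["A", "B", "C"], 0, frozenset([5]), [
    (0, "A", "B", "m1", 1), (0, "B", "A", "m2", 2), (1, "B", "C", "m3", 3),
    (2, "A", "C", "m4", 4), (3, "C", "A", "m5", 5), (4, "C", "B", "m6", 5)])
# Client/server protocol of slides 37-41: both sides may initiate and the branches rejoin.
CLIENT_SERVER = Protocol(["C", "S"], 0, frozenset([4]), [
    (0, "C", "S", "c", 1), (0, "S", "C", "f", 2), (1, "S", "C", "f", 3),
    (2, "C", "S", "c", 3), (3, "C", "S", "s", 4)])

if __name__ == "__main__":
    print(find_bad_sequence(ALICE_BOB_CARL), find_bad_sequence(CLIENT_SERVER))
```

For the Alice/Bob/Carl protocol the search returns the race in which Alice sends m1 while Bob sends m2: Alice is then in {1,3}, Bob in {2,4} and Carl in {0,1,2}, the configuration whose intersection is empty on the "key observation" slides, and no conversation in L(C) starts with m1 m2, so the protocol is unrealizable. For the client/server protocol both initiations rejoin and no bad sequence exists. Neither protocol has a cycle, so the queue bound is never reached and the empty answer is conclusive; with cycles the bound can be hit and None only means "nothing found up to the bound", which is the gap the finite shared-state projection of the following slides is designed to close.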
  35. Solution B: devise conditions on the original protocol. 1. Three realizability conditions (Fu, Bultan, Su, TSE 2005): 1) Synchronous compatible: every time a peer can send a message m, its recipient must be in (or reach) a state where m can be received. 2) Autonomous: in any given state, a peer cannot have both a send and a receive enabled. 3) Lossless join: the "Cartesian product" of the π_p(C) produces L(C).
  36. 2. Session types (Honda et al., ESOP 1998, POPL 2008): a programmer describes a scenario as a type G; each component of the interaction is developed independently and periodically checked to make sure it is typable against its projection on G.
  37-41. Problem: both sets of conditions are sufficient, but not necessary for realizability. Example: a client/server protocol with states 0 to 4 and transitions C→S: c (twice), S→C: f (twice) and C→S: s. Fu et al.: "fails autonomous condition". Honda et al.: "not typable". Yet it is realizable! Both approaches incorrectly classify all protocols with an arbitrary initiator.
  42-55. The key observation. Compose the projections π_A(C), π_B(C) and π_C(C) from slides 16-19 and ask, at each point of a run: is there a state that every peer can accept as the current global state of C? Initially, {0} ∩ {0} ∩ {0,1,2} = {0}. After m1 and m2 have been sent, Alice is in {1,3}, Bob in {2,4} and Carl in {0,1,2}: {1,3} ∩ {2,4} ∩ {0,1,2} = ∅.
  56-60. Intuitively, "problems" arise when Alice, Bob and Carl don't agree on a common global protocol state. When computing a projection for Alice, let's keep track of the possible states that Bob and Carl can be in, and check if we ever reach a moment where they might disagree. These are shared-state projections; they are conservative approximations.
  61-71. Proof sketch. 1. Start from a conversation protocol C. 2. For each peer p, define a finite projection π̂_p(C). 3. Show that π̂_p(C) is an over-approximation of the "standard" projection π_p(C), so that L(π_p(C)) ⊆ L(π̂_p(C)). 4. Define a condition for "bad" states of π̂_p(C). 5. Show that no trace in L(C) ever visits a bad state. 6. Consequence: if no bad state is ever generated, then L(C) ⊆ L(Ċ) (already seen) ⊆ L(Ĉ) (by 3, where Ĉ is the composition of the π̂_p(C)) ⊆ L(C) (by 5), hence L(C) = L(Ċ) and C is realizable!
  72-76. A realizability condition. Workflow for evaluating realizability of C: 1. For some peer p, compute the shared-state projection π̂_p(C). Guaranteed to terminate, as π̂_p(C) is finite. 2. In that projection, look for a bad state. Answer "C might be unrealizable" as soon as one is found. 3. Otherwise, repeat 1-2 for another peer. 4. Answer "C is realizable" if no conflict state could be found for any of the peers.
  77. Shared-state projection. Let P be a set of peers and C a conversation protocol with states S. Select one peer p as the focus peer. A state of π̂_p(C) is a mapping P → 2^S that defines one subset of S for each peer: the possible states of C. A transition from σ to σ', sending message m, is taken whenever one of the peers can send m from one of its current possible states of C. The consequences of that transition yield the next possible states of C for each peer.
  78. If A is the focus peer and the conversation has just started, what state can B be in, in addition to 0? (Figure: a protocol with states 0 to 6 and transitions A→B: m1, A→C: m2, B→C: m3, B→A: m4, B→C: m5, C→B: m6.) 3 and 5: since A cannot distinguish between them. 2: since for B it is merged with 0. 4: since B may have already sent A a message. Not 1: this would require A to send a message. Not 6: it also depends on A to be reachable.
  79. With a similar reasoning for C, we can deduce that, from A's point of view in state 0, {0,2,3,4,5} are possible states for B and {0,1,3,4,5} are possible states for C. The initial state of π̂_A(C) is therefore A:{0,3,5}, B:{0,2,3,4,5}, C:{0,1,3,4,5}.
  80. Conflict state (i.e. "bad" state). In a shared-state projection, take the intersection of the sets of states of all peers. A state is a conflict state if this intersection is empty, e.g. {1,3} ∩ {2,4} ∩ {0,1,2} = ∅. Intuition: the peers have reached a point where they have diverging views of the current state of the conversation (and of what to do next). Exact construction in the paper!
  81-87. Back to Alice and Bob: π̂_C(C), the shared-state projection with Carl as focus peer. Initial state: A:{0,1,2,3,4}, B:{0,1,2,3,4}, C:{0,1,2}. After B→C: m3: A:{3}, B:{3}, C:{3}; then after C→A: m5: A:{3,5}, B:{3,5}, C:{5}. After A→C: m4: A:{4}, B:{4}, C:{4}; then after C→B: m6: A:{4,5}, B:{4,5}, C:{5}. No intersection is empty: Carl cannot be the cause of a violation.
  88-93. π̂_A(C), with Alice as focus peer. Initial state: A:{0}, B:{0,2}, C:{0,2}. After A→B: m1: A:{1,3}, B:{0,1,2,3,5,#}, C:{0,1,2,3,5}. After B→A: m2: A:{2}, B:{2}, C:{2}. After A→C: m4: A:{4,5}, B:{2,4,5}, C:{2,4,5}. If Alice waits for Bob, she cannot cause a violation.
  94. Experimental results. SSPCalc: a PHP tool computing shared-state projections, with graphs and statistics.
  95. Tool tested on 100 real-world protocols taken from web service specifications and Singularity OS channel contracts. 91% of protocols analyzed in less than 1 s, 95% in less than 10 s. Time ∝ (state space)². (Figure: validation time in seconds against number of explored states, log-log scale.)
  96. With P peers and S states in C, the shared-state projection has a maximal size of (2^S)^P states, one per mapping from peers to subsets of S. The bound is seldom reached in practice: very few protocols required more than 10,000 states. (Figure: theoretical upper bound against number of explored states, with the line y = x for comparison.)
  97-98. Provides tighter conditions on protocols with an arbitrary initiator. Example: Singularity OS' TPMContract. Original version: unrealizable. Corrected version (adding state IO_RUNNING_S1 with further S→C: SendComplete and S→C: TpmStatus transitions): realizable, yet existing conditions still yield a false positive!
  99. Conclusion. Asynchronous communication can make a conversation protocol unrealizable. No exact and universal condition for realizability is currently known. A shared-state projection (SSP) is a projection of C that keeps track of the possible states of the remaining peers. The absence of a conflict state in an SSP is a sufficient condition for realizability of C; the computation is guaranteed to terminate.
  100. Open questions. Do SSPs define an equivalence relation over queue contents? The paper presents a method for producing families of sufficient realizability conditions: what other conditions could we devise? Is the condition necessary for a restricted subset, e.g. two-party protocols? Can we repair unrealizable protocols automatically using SSPs?
