Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE...

Sylvain Hallé

Sylvain Hallé and Tevfik Bultan

Realizability Analysis forMessage-Based Interactions

Using Shared-State Projections

NOSHOW

Université du Québec à ChicoutimiCANADA

University of California Santa BarbaraUSA

Sylvain Hallé

Context: communicating with messages

Sylvain Hallé

Coordination problem in Service-OrientedArchitecture (SOA)

?Choreography specification and analysisChoreography and orchestration conformance

Process isolation in Operating Systems

Message-based communication instead of shared dataChannel contracts in Singularity OSChannel contract analysis and conformanceSession types

Motivation for message-based communication

Sylvain Hallé

Conversation protocol ( )C

Finite-state machine describing global sequences of messages sent between peers

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

Context

Sylvain Hallé

Examples of conversation protocols:

Web service choreographies

Channel contracts in Microsoft Singularity OS

Context

C S : GetTpmStatus®C S : GetTpmStatus®

ReadyStateS0

ReadyStateS1

ReadyState

C S : Send®S C : AckStartSend®

S C : SendComplete®

S C : TpmStatus®IO_RUNNINGS0

IO_RUNNING

S C : TpmStatus®

Sylvain Hallé

Problem

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

From a conversation protocol and peers A, B, ..., synthesize

‘‘local’’ protocols , , whose composition produces L( )A B

C C ... C

Sylvain Hallé

Problem

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

C p( )A C

Let’s compute the projection of for Alice ( )

C C ... C

Sylvain Hallé

Problem

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

C p( )A C

C C ... C

Sylvain Hallé

Problem

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

A®B: m1

C p( )A C

C C ... C

Sylvain Hallé

Problem

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

A®B: m1

{1, }3

C p( )A C

C C ... C

Sylvain Hallé

Problem

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

A®B: m1 B®A: m2

{1,3} { }2

C p( )A C

C C ... C

Sylvain Hallé

Problem

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

A®B: m1

A®C: m4

B®A: m2

{1,3} {2}

C p( )A C

C C ... C

Sylvain Hallé

Problem

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

A®B: m1

A®C: m4

B®A: m2

{4, }5

{1,3} {2}

C p( )A C

C C ... C

Sylvain Hallé

Problem

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

C p( )A C

C C ... C

Sylvain Hallé

Problem

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

C C ... C

p( )A C

Sylvain Hallé

Composing the projections

p( )A Cp( )B C

p( )C C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

{0} A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Sylvain Hallé

p( )A Cp( )B C

p( )C C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

{0} A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Sylvain Hallé

p( )A Cp( )B C

p( )C C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

{0} A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Sylvain Hallé

p( )A Cp( )B C

p( )C C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

{0} A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Sylvain Hallé

Carl synchronouscommunication

Sylvain Hallé

Carl asynchronouscommunication

Sylvain Hallé

message queues

Sylvain Hallé

message queues

From , we create a

channel system

(peer states + queues)

Sylvain Hallé

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Channel system

Sylvain Hallé

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Channel system

Sylvain Hallé

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Channel system

Sylvain Hallé

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Channel system

Sylvain Hallé

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Channel system

Sylvain Hallé

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Channel system

Sylvain Hallé

What happened?

It is easy to show that

L( ) Í L( )

i.e. each peer p follows its projection ( ), but the resulting p

interaction may not be part of !

A protocol is realizable when L( ) = L( )

Realizability

Sylvain Hallé

What happened?

It is easy to show that

L( ) Í L( )

i.e. each peer p follows its projection ( ), but the resulting p

interaction may not be part of !

A protocol is realizable when L( ) = L( )

How can we determine if a conversation protocol isrealizable?

Realizability

Sylvain Hallé

How can we determine (un)realizability?

Solution A

Compute the from the projections; look for a‘‘bad sequence’’

channel system

A B : m1®, !

A B : m1®, ?

A B : m1®, ?A B : m1®, !

A B : m4®, !

A B : m4®, ? B C : m3®, !

B C : m3®, !

B C : m3®, ?

C A : m , !2®

C A : m2®, !

C A : m2®, ?

({0},{0,2},{0,1}), ((A,e),(B, ),(C, ))ee

({1,3},{3},{3}), ((A,e),(B, ),(C, ))ee

({2},{0,2},{2,4}), ((A,e),(B, ),(C, ))ee

({4},{4},{2,4}), ((A,e),(B, ),(C, ))ee

({1,3},{1},{0,1}), ((A,e),(B, ),(C, ))ee

({0},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m ee2®

({4},{0,2},{2,4}), ((A, ),(B, ),(C, ))eA B : m e4® ({1,3},{1},{2,4}), ((A, ),(B, ),(C, ))C A : m ee2®

({1,3},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m A B : m e2 1®®

({1,3},{3},{2,4}), ((A, ),(B, ),(C, ))C A : m eB C : m2 3® ®

({1,3},{0,2},{0,1}), ((A, ),(B, ),(C, ))eA B : m e1®

({1,3},{3},{0,1}), ((A, ),(B, ),(C, ))eeB C : m3®

Sylvain Hallé

Solution A

channel system

A B : m1®, !

A B : m1®, ?

A B : m1®, ?A B : m1®, !

A B : m4®, !

A B : m4®, ? B C : m3®, !

B C : m3®, !

B C : m3®, ?

C A : m , !2®

C A : m2®, !

C A : m2®, ?

({0},{0,2},{0,1}), ((A,e),(B, ),(C, ))ee

({1,3},{3},{3}), ((A,e),(B, ),(C, ))ee

({2},{0,2},{2,4}), ((A,e),(B, ),(C, ))ee

({4},{4},{2,4}), ((A,e),(B, ),(C, ))ee

({1,3},{1},{0,1}), ((A,e),(B, ),(C, ))ee

({0},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m ee2®

({1,3},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m A B : m e2 1®®

({1,3},{3},{2,4}), ((A, ),(B, ),(C, ))C A : m eB C : m2 3® ®

({1,3},{0,2},{0,1}), ((A, ),(B, ),(C, ))eA B : m e1®

({1,3},{3},{0,1}), ((A, ),(B, ),(C, ))eeB C : m3®

Sylvain Hallé

Solution A

Problem: in some cases, the channel system is

channel system

infinite

A B : m1®, !

A B : m1®, ?

A B : m1®, ?A B : m1®, !

A B : m4®, !

A B : m4®, ? B C : m3®, !

B C : m3®, !

B C : m3®, ?

C A : m , !2®

C A : m2®, !

C A : m2®, ?

({0},{0,2},{0,1}), ((A,e),(B, ),(C, ))ee

({1,3},{3},{3}), ((A,e),(B, ),(C, ))ee

({2},{0,2},{2,4}), ((A,e),(B, ),(C, ))ee

({4},{4},{2,4}), ((A,e),(B, ),(C, ))ee

({1,3},{1},{0,1}), ((A,e),(B, ),(C, ))ee

({0},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m ee2®

({1,3},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m A B : m e2 1®®

({1,3},{3},{2,4}), ((A, ),(B, ),(C, ))C A : m eB C : m2 3® ®

({1,3},{0,2},{0,1}), ((A, ),(B, ),(C, ))eA B : m e1®

({1,3},{3},{0,1}), ((A, ),(B, ),(C, ))eeB C : m3®

Sylvain Hallé

Solution B: devise on the original protocol

1. Three realizability conditions (Fu, Bultan, Su, TSE 2005)

1) Synchronous compatibleEvery time a peer can send a message m, its recipientmust be in (or reach) a state where m can be received

2) AutonomousAt any moment, a peer cannot be both sender andreceiver

3) Lossless-join

The ‘‘Cartesian product’’ of the ( ) produces L( )p

conditions

Sylvain Hallé

Solution B: devise on the original protocol

2. Session types (Honda et al., ESOP 1998, POPL 2008)

A programmer describes a scenario as a type G

Each component of the interaction is developedindependently and periodically checked to make sure it istypable against its projection on G

conditions

Sylvain Hallé

Problem: both sets are sufficient, but not necessary for realizability

C S : c®

C S : c®S C : f®

S C : f®

C S : s®

Sylvain Hallé

C S : c®

C S : c®S C : f®

S C : f®

C S : s®

Fu et al.: ‘‘fails autonomous condition’’

Honda et al.:‘‘not typable’’

Sylvain Hallé

C S : c®

C S : c®S C : f®

S C : f®

C S : s®

Realizable!

Sylvain Hallé

Both approaches incorrectly classify all protocols with an arbitrary initiator

C S : c®

C S : c®S C : f®

S C : f®

C S : s®

Realizable!

Sylvain Hallé

Both approaches incorrectly classify all protocols with an arbitrary initiator

C S : c®

C S : c®S C : f®

S C : f®

C S : s®

Realizable!

Sylvain Hallé

The key observation

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Is there a state that every peer can accept asthe current global state of ?C

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

{0} {0}

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

{0} {0} {0,1,2}

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

{0} {0} {0,1,2} = {0}ÇÇ

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

{1,3} {2,4}

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

{1,3} {2,4} {0,1,2}

Sylvain Hallé

Key observation

p( )A C

A®B: m1

A®C: m4C®A: m5

B®A: m2

{1,3} {2}

p( )B C

A®B: m1

C®B: m6B®C: m3

B®A: m2

{1} {2,4}

p( )C C

B®C: m3

C®B: m6C®A: m5

A®C: m4

{3} {4}

{0,1,2}

{1,3} {2,4} {0,1,2} = ÆÇÇ

Sylvain Hallé

Key observation

Alice Bob, &don't agree on a common

global protocol state

"problems"

Intuitively...

Sylvain Hallé

Key observation

"problems"

Intuitively...

When computing a projection for Alice, let’s keep track of the possible state that Bob and Carl be in...can

Sylvain Hallé

Key observation

"problems"

Intuitively...

When computing a projection for Alice, let’s keep track of the possible state that Bob and Carl be in...

...and check if we ever reach a moment where they disagree

Sylvain Hallé

Key observation

"problems"

Intuitively...

mightshared-state projections

Sylvain Hallé

Key observation

"problems"

Intuitively...

mightshared-state projections

conservativeapproximations

Sylvain Hallé

Proof sketch

1. Start from a conversation protocol C

Sylvain Hallé

Proof sketch

1. Start from a conversation protocol

2. For each peer p, define a projection ( )p

p̂ finite

Sylvain Hallé

Proof sketch

finite

3. Show that ( ) is an over-approximation of thep

‘‘standard’’ projection ( ). p

Sylvain Hallé

Proof sketch

finite

‘‘standard’’ projection ( ). Þ L( ) Í L( )p

Sylvain Hallé

Proof sketch

finite

4. Define a condition for ‘‘bad’’ states of ( )p

Sylvain Hallé

Proof sketch

finite

5. Show that no trace in L( ) ever visits a bad state

Sylvain Hallé

Proof sketch

finite

6. Consequence: if no bad state is ever generated, then

Sylvain Hallé

Proof sketch

L( ) Í L( ) Í L( )C C C

alreadyseen

finite

Sylvain Hallé

Proof sketch

L( ) Í L( ) Í L( ) Í L( )C CC C

alreadyseen

finite

Sylvain Hallé

Proof sketch

L( ) Í L( ) Í L( ) Í L( )C CC C

alreadyseen

Þ L( ) = L( )C C.̂

finite

Sylvain Hallé

Proof sketch

L( ) Í L( ) Í L( ) Í L( )C CC C

alreadyseen

Þ L( ) = L( )

Þ is realizable!

finite

Sylvain Hallé

A realizability condition

Workflow for evaluating realizability of :C

Sylvain Hallé

Workflow for evaluating realizability of :

1. For some peer p, compute the shared-state projection.

Guaranteed to terminate, as ( ) is finitep

Sylvain Hallé

2. In that projection, look for a bad state. Answer‘ might be unrealizable’ as soon as one is found

Sylvain Hallé

3. Otherwise, repeat 1-2 for another peer

Sylvain Hallé

3. Otherwise, repeat 1-2 for another peer

4. Answer ‘ is realizable’ if no conflict state could be found for

any of the peers

Sylvain Hallé

Shared-state projection

focus peer

one one

Let P be a set of peers and a conversation protocol with states

S. Select one peer p as the .

S?A state of ( ) is a mapping P ® 2 that defines onep

subset of S for each peer: the possible states of

?A transition from to , sending message m, is takenwhenever of the peers can send m from of itscurrent possible states of

?The consequences of that transition yield the next possiblestates of for each peer

s s’.

Sylvain Hallé

If A is the focus peer and the conversation has just started, what state can B be in, in addition to 0?

: since A cannot distinguishbetween them

: since for B it is merged with 0

: since B may have alreadysent A a message

: this would requireA to send a message

: also depends on A to be reachable

A B : m1® A C : m2®

C B : m6®

B C : m5®

B C : m3®B A : m4®0

Sylvain Hallé

With a similar reasoning for C, we can deduce that, from A’s point of view in state 0...

{0,2,3,4,5} are possible states for B{0,1,3,4,5} are possible states for C

The initial state of ( )p

is therefore:

A:{0,3,5} B:{0,2,3,4,5} C:{0,1,3,4,5}

pCA B : m1® A C : m2®

C B : m6®

B C : m5®

B C : m3®B A : m4®0

Sylvain Hallé

Conflict state (i.e. ‘‘bad’’ state)In a shared-state projection, take the intersection of the set of states for each peer. A state is a conflict state if this intersection is empty.

Intuition: the peers have reached a point where they have diverging views of the current state of the conversation (and of what to do next)

Exact construction in the paper!

{1,3} {2,4} {0,1,2} = ÆÇÇ

Sylvain Hallé 3

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

p( )C C^

Back to Alice and Bob

Sylvain Hallé 3

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

p( )C C^

A:{0,1,2,3,4} B:{0,1,2,3,4} C:{0,1,2}

Sylvain Hallé 3

B®C: m3

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

p( )C C^

A:{0,1,2,3,4} B:{0,1,2,3,4} C:{0,1,2}

A:{3} B:{3} C:{3}

Sylvain Hallé 3

B®C: m3

A:{3,5} B:{3,5} C:{5}

A®B: m1

B®C: m3 A®C: m4

C®A: m5

C®B: m6C®A: m5

B®A: m2

p( )C C^

A:{0,1,2,3,4} B:{0,1,2,3,4} C:{0,1,2}

A:{3} B:{3} C:{3}

Sylvain Hallé 3

B®C: m3 A®C: m4

A:{3,5} B:{3,5} C:{5}

A®B: m1

B®C: m3 A®C: m4

C®A: m5

C®B: m6C®A: m5

B®A: m2

p( )C C^

A:{0,1,2,3,4} B:{0,1,2,3,4} C:{0,1,2}

A:{3} B:{3} C:{3} A:{4} B:{4} C:{4}

Sylvain Hallé 3

B®C: m3 A®C: m4

A:{3,5} B:{3,5} C:{5} A:{4,5} B:{4,5} C:{5}

A®B: m1

B®C: m3 A®C: m4

C®A: m5

C®B: m6C®A: m5

B®A: m2

p( )C C^

A:{0,1,2,3,4} B:{0,1,2,3,4} C:{0,1,2}

A:{3} B:{3} C:{3} A:{4} B:{4} C:{4}

C®B: m6

Sylvain Hallé 3

B®C: m3 A®C: m4

A:{3,5} B:{3,5} C:{5} A:{4,5} B:{4,5} C:{5}

A®B: m1

B®C: m3 A®C: m4

C®A: m5

C®B: m6C®A: m5

B®A: m2

p( )C C^

A:{0,1,2,3,4} B:{0,1,2,3,4} C:{0,1,2}

A:{3} B:{3} C:{3} A:{4} B:{4} C:{4}

C®B: m6

Carl cannot be the cause of a violation

Sylvain Hallé

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

p( )A C^

Sylvain Hallé 3

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

p( )A C^

A:{0} B:{0,2} C:{0,2}

Sylvain Hallé 3

A®B: m1

A:{1,3} B:{0,1,2,3,5,#} C:{0,1,2,3,5}

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

p( )A C^

A:{0} B:{0,2} C:{0,2}

Sylvain Hallé 3

A®B: m1 B®A: m2

A:{2} B:{2} C:{2}A:{1,3} B:{0,1,2,3,5,#}

C:{0,1,2,3,5}

A®B: m1

B®C: m3 A®C: m4

C®B: m6C®A: m5

B®A: m2

p( )A C^

A:{0} B:{0,2} C:{0,2}

Sylvain Hallé 3

A®B: m1 B®A: m2

A:{2} B:{2} C:{2}A:{1,3} B:{0,1,2,3,5,#}

C:{0,1,2,3,5}

A:{4,5} B:{2,4,5} C:{2,4,5}

A®B: m1

B®C: m3 A®C: m4

A®C: m4

C®B: m6C®A: m5

B®A: m2

p( )A C^

A:{0} B:{0,2} C:{0,2}

Sylvain Hallé 3

A®B: m1 B®A: m2

A:{2} B:{2} C:{2}A:{1,3} B:{0,1,2,3,5,#}

C:{0,1,2,3,5}

A:{4,5} B:{2,4,5} C:{2,4,5}

A®B: m1

B®C: m3 A®C: m4

A®C: m4

C®B: m6C®A: m5

B®A: m2

p( )A C^

A:{0} B:{0,2} C:{0,2}

If Alice waits for Bob, she cannot cause a violation

Sylvain Hallé

Experimental results

SSPCalc: PHP tool computing shared-state projections + graphs and statistics

Sylvain Hallé

Tool tested on 100 real-world protocols taken from web service specifications and Singularity OS channel contracts

?91% of protocolsanalyzed in lessthan 1 s

?95% in less than 10 s

2?Time µ state space

100 101

102 103

Number of explored states

Sylvain Hallé

With P peers and S states in , the shared-state projection has a 2 Smaximal size of P ? 2 states.

?Bound seldomreached in practice

?Very few protocolsrequired more than10,000 states

100 101 102 103

Number of explored states

Sylvain Hallé

Provides on protocols with arbitrary initiator. Example: Singularity OS’ TPMContract.

Original version: unrealizable.

tighter conditions

ReadyStateS0

ReadyStateS1

ReadyState

S C : TpmStatus®IO_RUNNINGS0

IO_RUNNING

S C : TpmStatus®

Sylvain Hallé

IO_RUNNINGS1

ReadyStateS0

ReadyStateS1

ReadyState

S C : TpmStatus®S C : TpmStatus® IO_RUNNINGS0

IO_RUNNING

S C : TpmStatus®

Provides on protocols with arbitrary initiator. Example: Singularity OS’ TPMContract.

Corrected version: realizable, yet existing conditions still yield false positive!

tighter conditions

Sylvain Hallé

Conclusion

Asychronous communication can make a conversationprotocol

No and condition for realizability is currentlyknown

A (SSP) is a projection of that

keeps track of the possible state for the remaining peers

The absence of a conflict state in an SSP is a sufficientcondition for realizability of ; the computation is guaranteed

to terminate

unrealizable

exact universal

shared-state projection

Sylvain Hallé

Conclusion

Open questions:

?Do SSPs define an over queuecontents?

The paper presents a method for producing of sufficient realizability conditions. What otherconditions could we devise?

Is the condition for a restricted subset, e.g.two-party protocols?

Can we unrealizable protocols automaticallyusing SSPs?

equivalence relation

families

necessary

repair

Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE...

Technology

Transcript of Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE...

Realizability of Graphs

Soliton graphs and realizability: a gentle introductionjsidman/DMD Webpage/Karpman_slides.pdf · Soliton graphs and realizability: a gentle introduction Ray Karpman1 Yuji Kodama 2

FSE Brochure

04 fse understandingrequirements

Regular Functors and Relative Realizability Categories

FSE Assessment

Realizability Analysis 1 - Computer Sciencebultan/publications/WSR2_Fu_Bultan_Su.pdf · Realizability Analysis 1 ... Realizability Analysis 8 The join of four ... A conversation protocol

Functionalism. SUMMARY FROM LAST TIME “Multiple Realizability”

Realizability - mathematik.tu-darmstadt.destreicher/REAL/REAL.pdf · Realizability Thomas Streicher WS 17/18 Contents 1 Introduction 2 2 Kleene’s Number Realizability 5 3 Partial

Scenario realizability with constraint optimization · Scenario realizability with constraint optimization Rouwaida Abdallah1, Arnaud Gotlieb2, Lo c H elou et3,Claude Jard4 1ENS Cachan

CONTROLLABILITY, OBSERVABILITY, REALIZABILITY, AND STABILITY OF

FSE Barrackpore

Presentacion fse 2012

STIHL FSE 60

Problem of Physical Non-realizability-MG

WOODSMOKE - fse-scouts.eu

Reentrancer FSE

The Realizability Approach to Computable Analysis …reports-archive.adm.cs.cmu.edu › ... › 2000 › CMU-CS-00-164.pdfThe Realizability Approach to Computable Analysis and Topology

Lifschitz Realizability for Intuitionistic Zermelo ...rathjen/Lifschitz.pdf · set theories). Rathjen [22] adapted realizability to the context of constructive Zermelo-Fraenkel set

Filtered Order-partial Combinatory Algebras and Classical Realizability€¦ · Filtered Order-partial Combinatory Algebras and Classical Realizability MSc Thesis (Afstudeerscriptie)