Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)
Sylvain Hallé and Tevfik Bultan
Université du Québec à Chicoutimi, Canada
University of California Santa Barbara, USA

Context: communicating with messages
Peers: Alice, Bob, Carl

Motivation for message-based communication

Coordination problem in Service-Oriented Architecture (SOA)
- Choreography specification and analysis
- Choreography and orchestration conformance

Process isolation in Operating Systems
- Message-based communication instead of shared data
- Channel contracts in Singularity OS
- Channel contract analysis and conformance
- Session types

Context
Conversation protocol (C)
Finite-state machine describing global sequences of messages sent between peers
[Figure: conversation protocol C with states 0 to 5 and transitions labelled A→B: m1, B→A: m2, B→C: m3, A→C: m4, C→A: m5, C→B: m6]

Context
Examples of conversation protocols:
- Web service choreographies
- Channel contracts in Microsoft Singularity OS
[Figure: channel contract state machine between peers C and S, with states ReadyState, ReadyStateS0, ReadyStateS1, IO_RUNNING and IO_RUNNINGS0 and transitions labelled C→S: GetTpmStatus, C→S: Send, S→C: AckStartSend, S→C: SendComplete, S→C: TpmStatus]

Problem
From a conversation protocol C and peers A, B, ..., synthesize "local" protocols C_A, C_B, ... whose composition produces L(C)
Let's compute the projection of C for Alice, π_A(C)
[Figure: conversation protocol C with states 0 to 5 and transitions labelled A→B: m1, B→A: m2, B→C: m3, A→C: m4, C→A: m5, C→B: m6]
[Figure, built up over successive slides: projection π_A(C) with states {0}, {1,3}, {2}, {4,5} and transitions labelled A→B: m1, B→A: m2, A→C: m4, C→A: m5. The state sets appear in the order {0}, {1}, {1,3}, {2}, {4}, {4,5}]

Composing the projections
[Figure: Alice, Bob and Carl, each running its own projection]
π_A(C): states {0}, {1,3}, {2}, {4,5}; transitions labelled A→B: m1, B→A: m2, A→C: m4, C→A: m5
π_B(C): states {0}, {1}, {2,4}, {3,5}; transitions labelled A→B: m1, B→A: m2, B→C: m3, C→B: m6
π_C(C): states {0,1,2}, {3}, {4}, {5}; transitions labelled B→C: m3, A→C: m4, C→A: m5, C→B: m6
Successive builds highlight the messages m1, m3 and m5.

Composing the projections
Synchronous communication
Asynchronous communication: message queues
From C, we create a channel system (peer states + queues)

Channel system
[Figure: Alice, Bob and Carl with the same three projections π_A(C), π_B(C) and π_C(C). Successive builds add the labels m1, then m2, then ?m2]

Realizability
What happened?
It is easy to show that L(C) ⊆ L(channel system), i.e. each peer p follows its projection π_p(C), but the resulting interaction may not be part of C!
A protocol is realizable when L(C) = L(channel system)
How can we determine if a conversation protocol is realizable?

How can we determine (un)realizability?
Solution A
Compute the channel system from the projections; look for a "bad sequence"
Problem: in some cases, the channel system is infinite
[Figure: part of a channel system's state graph. Each node pairs the peers' local state sets with their queue contents, e.g. ({0},{0,2},{0,1}), ((A,ε),(B,ε),(C,ε)); edges are send (!) and receive (?) actions on the messages A→B: m1, A→B: m4, B→C: m3 and C→A: m2]

How can we determine (un)realizability?
Solution B: devise conditions on the original protocol

1. Three realizability conditions (Fu, Bultan, Su, TSE 2005)
1) Synchronous compatible: every time a peer can send a message m, its recipient must be in (or reach) a state where m can be received
2) Autonomous: at any moment, a peer cannot be both sender and receiver
3) Lossless-join: the "Cartesian product" of the π_p(C) produces L(C)

2. Session types (Honda et al., ESOP 1998, POPL 2008)
A programmer describes a scenario as a type G
Each component of the interaction is developed independently and periodically checked to make sure it is typable against its projection on G

How can we determine (un)realizability?
Problem: both sets are sufficient, but not necessary for realizability
[Figure: protocol between peers C and S with states 0 to 4 and transitions labelled C→S: c (twice), S→C: f (twice) and C→S: s]
Fu et al.: "fails autonomous condition"
Honda et al.: "not typable"
Realizable!
Both approaches incorrectly classify all protocols with an arbitrary initiator

How can we determine (un)realizability?
The key observation

Key observation
[Figure: Alice, Bob and Carl with their projections]
π_A(C): states {0}, {1,3}, {2}, {4,5}; transitions labelled A→B: m1, B→A: m2, A→C: m4, C→A: m5
π_B(C): states {0}, {1}, {2,4}, {3,5}; transitions labelled A→B: m1, B→A: m2, B→C: m3, C→B: m6
π_C(C): states {0,1,2}, {3}, {4}, {5}; transitions labelled B→C: m3, A→C: m4, C→A: m5, C→B: m6
Is there a state that every peer can accept as the current global state of C?
Initially: {0} ∩ {0} ∩ {0,1,2} = {0}
After m1 and m2: {1,3} ∩ {2,4} ∩ {0,1,2} = ∅
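
The walk-through on these slides can be reproduced mechanically. The following Python code is an added example, not code from the talk or the paper: it projects C for each peer by plain subset construction, explores the asynchronous composition with bounded FIFO queues, and returns the first send sequence that leaves C together with the intersection of the peers' state sets. The source and target state of each transition are reconstructed from the state sets shown on the slides (assumption), and the names PROTOCOL, project, find_bad_sequence and max_queue are illustrative.

```python
from collections import deque

PEERS = ("A", "B", "C")
# Conversation protocol C of the slides as (source, (sender, receiver, message), target).
# The six labels and the projected state sets are on the slides; the source and
# target of each transition are reconstructed from those sets (assumption).
PROTOCOL = [
    (0, ("A", "B", "m1"), 1), (0, ("B", "A", "m2"), 2),
    (1, ("B", "C", "m3"), 3), (2, ("A", "C", "m4"), 4),
    (3, ("C", "A", "m5"), 5), (4, ("C", "B", "m6"), 5),
]
INITIAL = 0


def closure(states, peer):
    """Add every state reachable through messages `peer` neither sends nor receives."""
    seen, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        for src, (snd, rcv, _), dst in PROTOCOL:
            if src == s and peer not in (snd, rcv) and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return frozenset(seen)


def project(peer):
    """Plain subset construction hiding the other peers' messages. Returns
    (initial state set, {(state set, label): next state set}). The slides draw
    four state sets per peer; this construction can yield a few more."""
    start = closure({INITIAL}, peer)
    delta, todo, seen = {}, [start], {start}
    while todo:
        cur = todo.pop()
        visible = {lab for src, lab, _ in PROTOCOL if src in cur and peer in lab[:2]}
        for lab in sorted(visible):
            targets = {dst for src, l, dst in PROTOCOL if src in cur and l == lab}
            nxt = closure(targets, peer)
            delta[(cur, lab)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return start, delta


def step_protocol(states, lab):
    """States of C reached from `states` when message `lab` is sent."""
    return frozenset(dst for src, l, dst in PROTOCOL if src in states and l == lab)


def find_bad_sequence(max_queue=2):
    """Breadth-first search of the asynchronous composition: one FIFO input queue
    per peer, each bounded by max_queue. Returns (sent messages, each peer's state
    set, intersection of those sets) for the first configuration whose send
    sequence is not a prefix of a path of C, or None if the bounded search finds none."""
    proj = {p: project(p) for p in PEERS}
    start = (tuple(proj[p][0] for p in PEERS), tuple(() for _ in PEERS),
             frozenset({INITIAL}))
    todo, seen = deque([(start, [])]), {start}
    while todo:
        (local, queues, in_c), sent = todo.popleft()
        if not in_c:  # the messages sent so far have left C
            return sent, dict(zip(PEERS, local)), frozenset.intersection(*local)
        for i, p in enumerate(PEERS):
            for (state, lab), nxt in proj[p][1].items():
                if state != local[i]:
                    continue
                new_local = local[:i] + (nxt,) + local[i + 1:]
                if lab[0] == p:  # send: append to the receiver's queue
                    j = PEERS.index(lab[1])
                    if len(queues[j]) >= max_queue:
                        continue
                    new_q = queues[:j] + (queues[j] + (lab,),) + queues[j + 1:]
                    cfg, path = (new_local, new_q, step_protocol(in_c, lab)), sent + [lab[2]]
                elif queues[i][:1] == (lab,):  # receive: consume the head of own queue
                    new_q = queues[:i] + (queues[i][1:],) + queues[i + 1:]
                    cfg, path = (new_local, new_q, in_c), sent
                else:
                    continue
                if cfg not in seen:
                    seen.add(cfg)
                    todo.append((cfg, path))
    return None


if __name__ == "__main__":
    sent, local, common = find_bad_sequence()
    print("sent:", sent)
    for peer, states in local.items():
        print(peer, sorted(states))
    print("common global states:", sorted(common))
```

max_queue only bounds the search: the unbounded channel system can be infinite, so a None result for a given bound is not a proof of realizability.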

Key observation
Intuitively...
"Problems": Alice, Bob & Carl don't agree on a common global protocol state
When computing a projection for Alice, let's keep track of the possible state that Bob and Carl can be in...
...and check if we ever reach a moment where they might disagree
Shared-state projections
Conservative approximations
![Page 71: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/71.jpg)
Proof sketch
1. Start from a conversation protocol C
2. For each peer p, define a finite projection $\hat{\pi}_p(C)$
3. Show that $\hat{\pi}_p(C)$ is an over-approximation of the "standard" projection $\pi_p(C)$. ⇒ L( ) ⊆ L( )
4. Define a condition for "bad" states of $\hat{\pi}_p(C)$
5. Show that no trace in L( ) ever visits a bad state
6. Consequence: if no bad state is ever generated, then
L( ) ⊆ L( ) ⊆ L( ) ⊆ L( )
(first inclusion: already seen; second inclusion: by 3; third inclusion: by 5)
⇒ L( ) = L( )
⇒ C is realizable!
![Page 76: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/76.jpg)
A realizability condition
Workflow for evaluating realizability of C:
1. For some peer p, compute the shared-state projection. Guaranteed to terminate, as $\hat{\pi}_p(C)$ is finite
2. In that projection, look for a bad state. Answer "C might be unrealizable" as soon as one is found
3. Otherwise, repeat 1-2 for another peer
4. Answer "C is realizable" if no conflict state could be found for any of the peers
![Page 77: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/77.jpg)
Shared-state projection $\hat{\pi}_p(C)$
Let P be a set of peers and C a conversation protocol with states S. Select one peer p as the focus peer.
- A state of $\hat{\pi}_p(C)$ is a mapping $P \to 2^S$ that defines one subset of S for each peer: the possible states of C
- A transition from $\hat{s}$ to $\hat{s}'$, sending message m, is taken whenever one of the peers can send m from one of its current possible states of C
- The consequences of that transition yield the next possible states of C for each peer
![Page 78: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/78.jpg)
Shared-state projection
[Diagram: conversation protocol with states 0 to 6 and transitions A→B: m1, A→C: m2, B→C: m3, B→A: m4, B→C: m5, C→B: m6]
If A is the focus peer and the conversation has just started, what state can B be in, in addition to 0?
- 3, 5: since A cannot distinguish between them
- 2: since for B it is merged with 0
- 4: since B may have already sent A a message
- Not 1: this would require A to send a message
- Not 6: also depends on A to be reachable
![Page 79: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/79.jpg)
Shared-state projection
With a similar reasoning for C, we can deduce that, from A’s point of view in state 0...
- {0,2,3,4,5} are possible states for B
- {0,1,3,4,5} are possible states for C
The initial state of $\hat{\pi}_p(C)$ is therefore:
A:{0,3,5} B:{0,2,3,4,5} C:{0,1,3,4,5}
![Page 80: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/80.jpg)
Shared-state projection
Conflict state (i.e. "bad" state)
In a shared-state projection, take the intersection of the set of states for each peer. A state is a conflict state if this intersection is empty.
$\{1,3\} \cap \{2,4\} \cap \{0,1,2\} = \emptyset$
Intuition: the peers have reached a point where they have diverging views of the current state of the conversation (and of what to do next)
Exact construction in the paper!
![Page 87: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/87.jpg)
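Back to Alice and Bob
[Diagram: conversation protocol C with states 0 to 5 and transitions A→B: m1, B→A: m2, B→C: m3, A→C: m4, C→A: m5, C→B: m6]
Shared-state projection $\hat{\pi}_C(C)$, with the states in the order they are built up on the slides:
- A:{0,1,2,3,4} B:{0,1,2,3,4} C:{0,1,2}
- B→C: m3 leads to A:{3} B:{3} C:{3}
- C→A: m5 leads to A:{3,5} B:{3,5} C:{5}
- A→C: m4 leads to A:{4} B:{4} C:{4}
- C→B: m6 leads to A:{4,5} B:{4,5} C:{5}
Carl cannot be the cause of a violation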
![Page 93: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/93.jpg)
Back to Alice and Bob
Shared-state projection $\hat{\pi}_A(C)$ of the same protocol C, with the states in the order they are built up on the slides:
- A:{0} B:{0,2} C:{0,2}
- A→B: m1 leads to A:{1,3} B:{0,1,2,3,5,#} C:{0,1,2,3,5}
- B→A: m2 leads to A:{2} B:{2} C:{2}
- A→C: m4 leads to A:{4,5} B:{2,4,5} C:{2,4,5}
If Alice waits for Bob, she cannot cause a violation
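
The conflict-state test and the evaluation workflow from the slides, run over the projection states the talk shows for focus peers Carl and Alice. This is an added Python example, not code from the talk or from SSPCalc; it checks states only and does not compute the projection, whose exact construction is in the paper. The function names and the "inconclusive" verdict for peers whose projection is not supplied are assumptions of this example.

```python
import re

# Shared-state projection states transcribed from the slides, one state per line,
# in the slides' notation "peer:{possible protocol states}".
# '#' is copied verbatim from the slide and treated as an opaque state label.
CARL_STATES = """
A:{0,1,2,3,4} B:{0,1,2,3,4} C:{0,1,2}
A:{3} B:{3} C:{3}
A:{4} B:{4} C:{4}
A:{3,5} B:{3,5} C:{5}
A:{4,5} B:{4,5} C:{5}
"""
ALICE_STATES = """
A:{0} B:{0,2} C:{0,2}
A:{1,3} B:{0,1,2,3,5,#} C:{0,1,2,3,5}
A:{2} B:{2} C:{2}
A:{4,5} B:{2,4,5} C:{2,4,5}
"""

ENTRY = re.compile(r"(\w+):\{([^}]*)\}")


def parse_state(line):
    """Parse 'A:{0,2} B:{1}' into {'A': frozenset({'0', '2'}), 'B': frozenset({'1'})}."""
    state = {}
    for peer, body in ENTRY.findall(line):
        state[peer] = frozenset(x.strip() for x in body.split(",") if x.strip())
    if not state:
        raise ValueError(f"no peer entries in {line!r}")
    return state


def parse_states(text):
    """Parse a block of states, one per non-empty line."""
    return [parse_state(line) for line in text.splitlines() if line.strip()]


def is_conflict(state):
    """Conflict ('bad') state: the peers' sets of possible states share no element."""
    return not frozenset.intersection(*state.values())


def evaluate(projections, all_peers):
    """Scan each focus peer's projection; stop at the first conflict state found.

    'realizable' is only answered when every peer in all_peers has a projection
    and none contains a conflict state; otherwise the answer is 'inconclusive'
    together with the peers still to be checked (assumption of this example).
    """
    for focus, states in projections.items():
        for state in states:
            if is_conflict(state):
                return ("might be unrealizable", focus, state)
    missing = sorted(set(all_peers) - set(projections))
    if missing:
        return ("inconclusive", missing, None)
    return ("realizable", None, None)
```

With only Carl's and Alice's states supplied, `evaluate` finds no conflict state and reports Bob as still unchecked, since Bob's projection does not appear on the slides.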
![Page 94: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/94.jpg)
Experimental results
SSPCalc: PHP tool computing shared-state projections + graphs and statistics
![Page 95: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/95.jpg)
Experimental results
Tool tested on 100 real-world protocols taken from web service specifications and Singularity OS channel contracts
- 91% of protocols analyzed in less than 1 s
- 95% in less than 10 s
- Time ∝ state space²
[Plot: validation time (s) against number of explored states]
![Page 96: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/96.jpg)
Experimental results
With P peers and S states in C, the shared-state projection has a 2 Smaximal size of P ? 2 states.
- Bound seldom reached in practice
- Very few protocols required more than 10,000 states
[Plot: theoretical upper bound against number of explored states, with the line y = x]
![Page 97: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/97.jpg)
Experimental results
Provides tighter conditions on protocols with arbitrary initiator. Example: Singularity OS’ TPMContract.
Original version: unrealizable.
[Diagram: original TPMContract. States: ReadyState, ReadyStateS0, ReadyStateS1, IO_RUNNING, IO_RUNNINGS0. Transitions: C→S: GetTpmStatus (twice), C→S: Send, S→C: AckStartSend, S→C: SendComplete, S→C: TpmStatus (twice)]
![Page 98: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/98.jpg)
Experimental results
Provides tighter conditions on protocols with arbitrary initiator. Example: Singularity OS’ TPMContract.
Corrected version: realizable, yet existing conditions still yield false positive!
[Diagram: corrected TPMContract. States: ReadyState, ReadyStateS0, ReadyStateS1, IO_RUNNING, IO_RUNNINGS0, IO_RUNNINGS1. Transitions: C→S: GetTpmStatus (twice), C→S: Send, S→C: AckStartSend, S→C: SendComplete (twice), S→C: TpmStatus (three times)]
![Page 99: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/99.jpg)
Conclusion
- Asynchronous communication can make a conversation protocol C unrealizable
- No exact and universal condition for realizability is currently known
- A shared-state projection (SSP) is a projection of C that keeps track of the possible state for the remaining peers
- The absence of a conflict state in an SSP is a sufficient condition for realizability of C; the computation is guaranteed to terminate
![Page 100: Realizability Analysis for Message-based Interactions Using Shared-State Projections (Talk @ FSE 2010)](https://reader036.fdocuments.in/reader036/viewer/2022062707/5585512dd8b42ae15d8b5405/html5/thumbnails/100.jpg)
Conclusion
Open questions:
- Do SSPs define an equivalence relation over queue contents?
- The paper presents a method for producing families of sufficient realizability conditions. What other conditions could we devise?
- Is the condition necessary for a restricted subset, e.g. two-party protocols?
- Can we repair unrealizable protocols automatically using SSPs?