Classifying Relationships between Interaction- and Process-Oriented Choreographies†
IVAN LANESE¹, FABRIZIO MONTESI² and GIANLUIGI ZAVATTARO¹
¹ Focus Research Team, Computer Science Department, University of Bologna/INRIA, Italy. ² IT University of Copenhagen, Denmark.
In the area of service-oriented computing, choreography languages are used to specify
multiparty service compositions. Two main approaches have been followed in the design
of these languages: the interaction-oriented approach at the basis of WS-CDL and the
process-oriented approach of BPEL4Chor. In this paper we investigate the relationships
between the two approaches. In particular, we point out several possible interpretations
for interaction-oriented choreographies: one synchronous and various asynchronous,
differing in the kind of observable event (either send, or receive, or both). Under each of
these possible interpretations we characterize the class of interaction-oriented
choreographies which have a direct process-oriented counterpart, and we formalize the
corresponding notion of equivalence between the initial interaction-oriented
choreography and the corresponding process-oriented counterpart. We also show how to
amend interaction-oriented choreographies which have no direct process-oriented
counterpart, preserving their observable behavior.
1. Introduction
Choreography languages are an attempt at tackling the complexity of communication-based software design. The basic idea is that the programmer defines the composition of the independent entities of a system in a global description, where the different peers exchange messages with each other in order to complete a predefined task. The paradigm is particularly suitable for the programming of multiparty communication flows, i.e., interaction patterns that (possibly) involve more than two entities.
Choreography languages are attracting a lot of attention within the Service-Oriented
Computing (SOC) community, where two main distinct approaches are currently being
followed in the search for standard languages. On the one hand, the World Wide Web
Consortium (W3C) has developed the Web Services Choreography Description Language
WS-CDL (WS-CDL, 2005). On the other hand, the research community around the Web
† Research partially funded by the project ANR-10-SEGI-013-02 Aeolus.
I. Lanese, F. Montesi and G. Zavattaro 2
Service Business Process Execution Language WS-BPEL (WS-BPEL, 2007) has proposed BPEL4Chor (Decker et al., 2007), an extension of WS-BPEL for the description of choreographies. The two approaches are fundamentally different in how they represent communications. In WS-CDL the basic activity in a choreography is an interaction, that is, the atomic exchange of a message between two communicating partners, similarly to interaction diagrams in UML. Interactions are then composed in a single description that represents the whole system. For this reason, we say that WS-CDL follows an interaction-oriented approach. On the contrary, in BPEL4Chor each entity of a system is represented by a separate description, i.e. a business process specified using an abstract version of BPEL. In these processes, the basic activities are the classical send and receive actions for message transmission. A choreography is then obtained as the parallel composition of the independently specified business processes. For this reason, we say that BPEL4Chor follows a process-oriented approach. In the sequel, we respectively refer to choreographies based on the interaction- and process-oriented approaches with the terms IOC (for Interaction-Oriented Choreography) and POC (for Process-Oriented Choreography).
We clarify the difference between IOCs and POCs with a simple example. Let us model a system where a buyer b can ask a seller s for a quotation for a product. This can be described by the following IOC
$\mathit{ask}_{b\to s};\ \mathit{quote}_{s\to b}$
where b sends a message to s on operation† ask and, subsequently, s sends a message to b on operation quote. The following is a POC representing the same system:
$(\overline{\mathit{ask}};\ \mathit{quote})_b \parallel (\mathit{ask};\ \overline{\mathit{quote}})_s$
where b sends a message on operation ask (output actions are overlined) and then waits for a message on operation quote, and s waits for a message on operation ask and then sends a message on operation quote. The two choreographies can be considered equivalent, since the communications in their executions coincide.
The interaction- and process-oriented solutions come with different advantages. An
IOC offers a clearer global description of the communication flows in a system, since
interactions are syntactically explicit. This clarity is lost in the second approach, where
the order of interactions must be derived by analyzing the possible matches between the
input and output actions of the different peers. However, the gap between a POC and
a corresponding system implementation is smaller. Given the abstract description of the
behavior of a specific entity, it is easier to check whether an actual component complies
with such a description, or in some cases the abstract description could be enriched with
additional information in order to make it directly executable (as it happens, for instance,
in the relationship between WS-BPEL and its abstract version). In other words, an IOC
is more suitable for the specification of the communication flows in a system, while a
POC is a good tool for checking (or generating) the local code for each entity.
The separation of the positive aspects offered by IOCs and POCs leads naturally to
† In service-oriented computing, operations are labels used to distinguish the kinds of transmitted messages.
IOC vs POC 3
the question of whether they can be successfully combined. This question is at the base of recent work (Carbone et al., 2007; Bravetti and Zavattaro, 2007; Zongyan et al., 2007; Bultan and Fu, 2007; Honda et al., 2008; Castagna et al., 2011). In these works, a programmer can design a system using an IOC and then automatically generate a corresponding POC by means of a projection function. An IOC may not be coherent, meaning that it cannot be projected correctly onto an equivalent POC. Consider, for instance, the following IOC
$o_{a\to b};\ o'_{c\to d}$
whose natural POC counterpart is‡:
$(\overline{o})_a \parallel (o)_b \parallel (\overline{o'})_c \parallel (o')_d$
It is not difficult to see that the two choreographies above could give rise to different behaviors: in the POC, the communication between c and d could happen before the interaction between a and b. In other words, the two choreographies are not conformant. This problem arises because the two interactions are not connected, i.e., there is no dependency between them enforced by any of the participants. Based on this intuition, in this work we will use connectedness as a formalization of coherence for IOCs.
IOCs that are not connected are obviously undesirable, and can be automatically identified through a static analysis. The exact definition of connectedness of an IOC, however, is influenced by two factors: the underlying communication semantics of reference and the conformance (or type of equivalence) of interest between IOCs and POCs. For this reason, different definitions of conformance and connectedness are given in each of the works cited above. Unfortunately, the literature does not offer a systematic analysis of the different alternatives. This work offers such a comparison. Our first step is to identify a set of different communication semantics (synchronous or asynchronous) and conformance notions (based on message send, receive, or both). Then, we proceed by developing a notion of coherence for all the possible configurations. For each such configuration we obtain the following: (i) the precise characterization of the IOCs which have a direct POC counterpart and (ii) the formalization of the corresponding notion of conformance between the initial IOC and the corresponding POC.
A major contribution of the present paper is the identification of a relationship between these different configurations. This relationship has driven the development of their notions of coherence, which share a common structure. Furthermore, each one of them is built on top of the previous ones.
We also show, given a disconnected IOC, how to amend it by transforming it into a connected IOC with equivalent behavior. Exploiting our relationship between the settings of interest, we are able to give a single transformation definition that ensures that the resulting IOC is connected for every setting. This enables a design procedure where the programmer writes a very high-level description of a system through a possibly disconnected IOC, as the one shown above, describing only the desired order of the interactions and abstracting completely from how this order will be enforced. Then, our framework transforms it into an equivalent connected IOC, applying all the necessary modifications for making the description given by the programmer implementable. Finally, a corresponding POC counterpart can be obtained through our notion of projection.
‡ Actually, the projection is slightly more complex, but has the same behavior.
Structure of the paper§ Section 2 introduces syntax and semantics for IOC and POC. Section 3 presents the projection from IOC to POC and discusses informally the different settings we consider. The various configurations in the synchronous and asynchronous cases are formalized respectively in Section 4 and Section 5. Section 6 shows how to amend IOCs which have no direct POC counterpart. Section 7 discusses possible extensions of the work. Section 8 reports a practical interpretation of our different settings, showing some examples of their usage. Section 9 compares with related work and concludes.
2. Calculi
In this section we define two basic choreography languages, an Interaction-Oriented
Choreography (IOC) language and a Process-Oriented Choreography (POC) language.
Both the languages are used for modeling choreographies, thus they share a few basic
elements. We consider in fact for them the same two sets of names: the set of participants in the choreography, called roles, and ranged over by $a, b, r, \ldots$, and the set of operations that can be used for sending and receiving. We will consider two kinds of such operations: public operations, ranged over by $o$, which represent observable activities of the system, and private operations, ranged over by $o^*$, which are used for internal synchronization. We use $o^?$ to range over both public and private operations.
2.1. Interaction-Oriented Choreography
This subsection describes the syntax and the operational semantics of IOCs. IOCs, ranged over by $I, I', \ldots$, are defined as follows:
$I ::= o^?_{a\to b} \mid \mathbf{1} \mid \mathbf{0} \mid I;I' \mid I \parallel I' \mid I + I'$
The basic construct is the interaction between two distinct roles $a$ and $b$ on operation $o^?$, denoted by $o^?_{a\to b}$, meaning that role $a$ sends a message on operation $o^?$ of role $b$. Roles $a$ and $b$ should not coincide. Public and private interactions (i.e. interactions on public and private operations) have the same operational semantics, but they will be distinguished by the observational semantics; in particular, the weak observational semantics will abstract away private interactions. In addition to interactions there are the empty IOC $\mathbf{1}$, the deadlocked IOC $\mathbf{0}$, sequential and parallel composition of IOCs and nondeterministic choice between IOCs. For instance $(o_{a\to b} \parallel o'_{a\to c});\ o''_{b\to c}$ specifies that interactions $o_{a\to b}$ and $o'_{a\to c}$ can be performed in any order, and after both of them have been performed then interaction $o''_{b\to c}$ can be executed. The deadlocked IOC $\mathbf{0}$ is only needed for defining the operational semantics, and is not expected to be used in the description of systems. We call initial an IOC where $\mathbf{0}$ is never used.
§ The paper is an extended and revised version of (Lanese et al., 2008). In particular, Section 6 and Section 8 are completely new.
(Interaction) $o^?_{a\to b} \xrightarrow{o^?_{a\to b}} \mathbf{1}$
(End) $\mathbf{1} \xrightarrow{\surd} \mathbf{0}$
(Sequence) $\dfrac{I \xrightarrow{\sigma} I' \quad \sigma \neq \surd}{I;J \xrightarrow{\sigma} I';J}$
(Parallel) $\dfrac{I \xrightarrow{\sigma} I' \quad \sigma \neq \surd}{I \parallel J \xrightarrow{\sigma} I' \parallel J}$
(Choice) $\dfrac{I \xrightarrow{\sigma} I'}{I + J \xrightarrow{\sigma} I'}$
(Seq-end) $\dfrac{I \xrightarrow{\surd} I' \quad J \xrightarrow{\sigma} J'}{I;J \xrightarrow{\sigma} J'}$
(Par-end) $\dfrac{I \xrightarrow{\surd} I' \quad J \xrightarrow{\surd} J'}{I \parallel J \xrightarrow{\surd} I' \parallel J'}$
Table 1. IOC semantics (symmetric rules omitted).
We now define the operational semantics of IOCs. IOC transitions are defined as the smallest labeled transition system (LTS) closed under the rules in Table 1. Symmetric rules for parallel composition and choice have been omitted. The rules are in the style of, e.g., (Bravetti and Zavattaro, 2007). We use $\sigma$ to range over labels. We have two kinds of labels: label $o^?_{a\to b}$ denotes the execution of an interaction $o^?_{a\to b}$, while label $\surd$ represents the termination of the IOC.
Rule Interaction executes an interaction. Rule End terminates an empty IOC. Rule
Sequence executes a step in the first component of a sequential composition. Rule
Parallel executes an interaction from a component of a parallel composition while
rule Choice starts the execution of an alternative in a nondeterministic choice. Rule
Seq-end acknowledges the termination of the first component of a sequential composi-
tion, starting the second component. Rule Par-end synchronizes the termination of two
parallel components.
We can now define IOC traces. We consider both strong traces, where all the performed
interactions are observed, and weak traces, where only interactions on public operations
are visible.
Definition 2.1 (IOC traces). A (strong maximal) trace of an IOC $I_1$ is a sequence of labels $\sigma_1, \ldots, \sigma_n$ such that there is a sequence of IOC transitions $I_1 \xrightarrow{\sigma_1} \cdots \xrightarrow{\sigma_n} I_{n+1}$ and such that $I_{n+1}$ has no outgoing transitions.
A weak trace of an IOC $I_1$ is a sequence of labels $\sigma_1, \ldots, \sigma_n$ obtained by removing all the labels of the form $o^*_{a\to b}$ from a strong trace of $I_1$. An IOC trace is complete iff its last label is $\surd$.
Initial IOCs capture well-behaved systems, in the sense that they never deadlock, as
shown by the following proposition.
Proposition 2.1. Let I be an initial IOC. Each maximal trace of I is complete.
Proof. By structural induction on I.
The proposition above holds since 0 cannot occur inside an initial IOC.
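The rules of Table 1 and Definition 2.1 are small enough to execute. The following Python code is an added example, not part of the paper: it encodes IOC terms as nested tuples (a private operation being any name ending in '*', this example's stand-in for the paper's $o^*$), implements the transition relation of Table 1 including the omitted symmetric rules, and enumerates strong maximal traces, weak traces and completeness. The inputs are the IOC of Section 2.1 and a constructed IOC with a private interaction; all function names are this example's own.

```python
# Added example, not from the paper: IOC terms as nested tuples, the LTS of
# Table 1 (symmetric rules included), and the traces of Definition 2.1.
TICK = ('tick',)   # the termination label, written √ in the paper

# Term constructors. A private operation is any name ending in '*', this
# example's stand-in for the paper's o*.
def inter(o, a, b):
    assert a != b, "an interaction needs two distinct roles"
    return ('int', o, a, b)
def one(): return ('one',)
def zero(): return ('zero',)
def seq(i, j): return ('seq', i, j)
def par(i, j): return ('par', i, j)
def choice(i, j): return ('choice', i, j)

def steps(I):
    """All transitions (label, I') of I according to Table 1."""
    k = I[0]
    if k == 'int':
        return [(I, one())]                  # Interaction: the label is the interaction itself
    if k == 'one':
        return [(TICK, zero())]              # End
    if k == 'zero':
        return []                            # 0 has no transitions
    _, I1, I2 = I
    s1, s2 = steps(I1), steps(I2)
    res = []
    if k == 'seq':
        for g, J in s1:
            if g == TICK:
                res += s2                    # Seq-end: I1 terminated, I2 takes over
            else:
                res.append((g, seq(J, I2)))  # Sequence
    elif k == 'par':
        res += [(g, par(J, I2)) for g, J in s1 if g != TICK]   # Parallel
        res += [(g, par(I1, J)) for g, J in s2 if g != TICK]   # Parallel (symmetric)
        res += [(TICK, par(J1, J2)) for g1, J1 in s1 if g1 == TICK
                                    for g2, J2 in s2 if g2 == TICK]   # Par-end
    elif k == 'choice':
        res += s1 + s2                       # Choice and its symmetric rule
    return res

def traces(I):
    """Strong maximal traces: follow transitions until none is available."""
    s = steps(I)
    if not s:
        return {()}
    return {(g,) + t for g, J in s for t in traces(J)}

def weak(trace):
    """Weak trace: drop interactions on private operations."""
    return tuple(g for g in trace if g == TICK or not g[1].endswith('*'))

def is_complete(trace):
    """An IOC trace is complete iff its last label is √."""
    return bool(trace) and trace[-1] == TICK

def roles(I):
    """The function roles(I) of Section 2.1."""
    k = I[0]
    if k == 'int':
        return {I[2], I[3]}
    if k in ('one', 'zero'):
        return set()
    return roles(I[1]) | roles(I[2])

# The IOC of Section 2.1, (o_{a->b} || o'_{a->c}); o''_{b->c}
EXAMPLE = seq(par(inter('o', 'a', 'b'), inter("o'", 'a', 'c')), inter("o''", 'b', 'c'))
# A constructed IOC with a private interaction followed by a public one
PRIVATE_THEN_PUBLIC = seq(inter('o*', 'a', 'b'), inter('o', 'b', 'c'))

if __name__ == '__main__':
    for t in sorted(traces(EXAMPLE)):
        print(t, 'complete' if is_complete(t) else 'incomplete')
    print(sorted({weak(t) for t in traces(PRIVATE_THEN_PUBLIC)}))
```

Running it shows the two interleavings of the parallel interactions, both followed by $o''_{b\to c}$ and $\surd$, which is Proposition 2.1 at work on an initial IOC; the private interaction of the second IOC disappears from its weak trace.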
The function roles(I) that computes the set of roles in a given IOC I is inductively
defined as:
$roles(o^?_{a\to b}) = \{a, b\}$
$roles(\mathbf{1}) = roles(\mathbf{0}) = \emptyset$
$roles(I;I') = roles(I \parallel I') = roles(I + I') = roles(I) \cup roles(I')$
(In) $o^? \xrightarrow{o^?} \mathbf{1}$
(Out) $\overline{o^?} \xrightarrow{\overline{o^?}} \mathbf{1}$
(Async-Out) $\langle o^?\rangle \xrightarrow{\langle o^?\rangle} \mathbf{1}$
(One) $\mathbf{1} \xrightarrow{\surd} \mathbf{0}$
(Sequence) $\dfrac{P \xrightarrow{\gamma} P' \quad \gamma \neq \surd}{P;Q \xrightarrow{\gamma} P';Q}$
(Inner Parallel) $\dfrac{P \xrightarrow{\gamma} P' \quad \gamma \neq \surd}{P\,|\,Q \xrightarrow{\gamma} P'\,|\,Q}$
(Choice) $\dfrac{P \xrightarrow{\gamma} P'}{P + Q \xrightarrow{\gamma} P'}$
(Seq-end) $\dfrac{P \xrightarrow{\surd} P' \quad Q \xrightarrow{\gamma} Q'}{P;Q \xrightarrow{\gamma} Q'}$
(Inner Par-end) $\dfrac{P \xrightarrow{\surd} P' \quad Q \xrightarrow{\surd} Q'}{P\,|\,Q \xrightarrow{\surd} P'\,|\,Q'}$
(Lift) $\dfrac{P \xrightarrow{\gamma} P' \quad \gamma \neq \overline{o^?}, \surd}{(P)_a \xrightarrow{\gamma : a} (P')_a}$
(Lift-Tick) $\dfrac{P \xrightarrow{\surd} P'}{(P)_a \xrightarrow{\surd} (P')_a}$
(Msg) $\dfrac{P \xrightarrow{\overline{o^?}} P'}{(P)_a \xrightarrow{\overline{o^?} : a} (P'\,|\,\langle o^?\rangle)_a}$
(Synch) $\dfrac{S \xrightarrow{\langle o^?\rangle : a} S' \quad S'' \xrightarrow{o^? : b} S'''}{S \parallel S'' \xrightarrow{o^?_{a\to b}} S' \parallel S'''}$
(Ext-Parallel) $\dfrac{S \xrightarrow{\gamma} S' \quad \gamma \neq \surd}{S \parallel S'' \xrightarrow{\gamma} S' \parallel S''}$
(Ext-Par-End) $\dfrac{S \xrightarrow{\surd} S' \quad S'' \xrightarrow{\surd} S'''}{S \parallel S'' \xrightarrow{\surd} S' \parallel S'''}$
Table 2. POC asynchronous semantics (symmetric rules omitted).
2.2. Process-Oriented Choreography
This subsection describes the syntax and the operational semantics of POCs. POCs include processes, ranged over by $P, P', \ldots$, describing the behavior of participants, and grouped into systems, ranged over by $S, S', \ldots$.
$P ::= o^? \mid \overline{o^?} \mid \mathbf{1} \mid P;P' \mid P\,|\,P' \mid P + P' \mid \langle o^?\rangle \mid \mathbf{0}$
$S ::= (P)_a \mid S \parallel S'$
Processes include input action $o^?$ and output action $\overline{o^?}$ on a specific operation $o^?$ (either public or private), the empty process $\mathbf{1}$, sequential and parallel composition, and nondeterministic choice. The runtime syntax includes also messages $\langle o^?\rangle$, used in the definition of the asynchronous semantics, and the deadlocked process $\mathbf{0}$. We call initial a POC where $\mathbf{0}$ and messages are never used. POC systems are parallel compositions of roles. Each role has a role name and executes a process. We require role names to be unique.
We define two LTS semantics for POCs, synchronous and asynchronous. In the synchronous semantics input actions and output actions interact atomically, while in the asynchronous one the sending event creates a message that, later, may interact with the corresponding input generating a receiving event.
The asynchronous LTS for POC is the smallest LTS closed under the rules in Table 2. We use $\gamma$ to range over labels. Symmetric rules for parallel compositions (both internal and external) and choice have been omitted. The semantics is in the style of, e.g., (Bravetti and Zavattaro, 2007).
Rules In and Out execute input actions and output actions respectively. Rule Async-Out makes messages available for a corresponding input action. Rule One terminates an empty process. Rule Sequence executes a step in the first component of a sequential composition. Rule Inner Parallel executes an action from a component of a parallel composition while rule Choice starts the execution of an alternative in a nondeterministic choice. Rule Seq-end acknowledges the termination of the first component of a sequential composition, starting the second component. Rule Inner Par-end synchronizes the termination of two parallel components. Rule Lift lifts actions to the system level, tagging them with the name of the role executing them. Action $\surd$ instead is dealt with by rule Lift-Tick, which lifts it without adding the role name. Outputs instead are stored as messages by rule Msg. Rule Synch synchronizes a message with the corresponding input action, producing an interaction. Rule Ext-Parallel allows parallel systems to stay idle. Finally rule Ext-Par-End synchronizes the termination of parallel systems.
The synchronous LTS for POC is the smallest LTS closed under the rules in Table 2, where rules Out, Async-Out and Msg are deleted and the new rule Sync-Out below is added:
(Sync-Out) $\overline{o^?} \xrightarrow{\langle o^?\rangle}_s \mathbf{1}$
This rule allows outputs in the synchronous semantics to send messages that can directly interact with the corresponding input at the system level. Synchronous transitions are denoted as $\xrightarrow{\gamma}_s$ instead of $\xrightarrow{\gamma}$, to distinguish them from the asynchronous ones.
As for IOCs, we define POC traces. We have different possibilities: in addition to the
distinction between strong and weak traces, we distinguish synchronous, asynchronous,
sender and receiver traces.
Definition 2.2 (POC traces). A (strong maximal) synchronous trace of a POC $S_1$ is a sequence of labels $\gamma_1, \ldots, \gamma_n$, where $\gamma_i$ is of the form $o^?_{a\to b}$ or $\surd$ for each $i \in \{1, \ldots, n\}$, such that there is a sequence of synchronous POC transitions $S_1 \xrightarrow{\gamma_1}_s \cdots \xrightarrow{\gamma_n}_s S_{n+1}$ and such that $S_{n+1}$ has no outgoing transitions of the same form.
A (strong maximal) asynchronous trace of a POC $S_1$ is a sequence of labels $\gamma_1, \ldots, \gamma_n$, where $\gamma_i$ is of the form $\overline{o^?} : a$, $o^?_{a\to b}$ or $\surd$ for each $i \in \{1, \ldots, n\}$, such that there is a sequence of asynchronous POC transitions $S_1 \xrightarrow{\gamma_1} \cdots \xrightarrow{\gamma_n} S_{n+1}$ and such that $S_{n+1}$ has no outgoing transitions of the same form.
A strong sender trace of a POC $S_1$ is obtained by removing all labels of the form $o^?_{a\to b}$ from a strong asynchronous trace of $S_1$.
A strong receiver trace of a POC $S_1$ is obtained by removing all labels of the form $\overline{o^?} : a$ from a strong asynchronous trace of $S_1$.
A weak (synchronous/asynchronous/sender/receiver) trace of a POC $S_1$ is obtained by removing all labels $\overline{o^*} : a$ and $o^*_{a\to b}$ from a strong (synchronous/asynchronous/sender/receiver) trace of $S_1$.
A POC trace is complete iff its last label is $\surd$.
In the definition of POC traces, input actions and messages are never considered, since they represent interactions with the external world, while we are interested in the behavior of closed systems. Also, sender traces consider only output events, while receiver traces consider only input events. Finally, weak traces disregard events of any kind concerning private operations.
Note that, in general, POCs can deadlock, e.g. $(o)_a$ is a deadlocked system since its only trace is empty, and, in particular, does not end with $\surd$.
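The following Python code is an added example, not part of the paper, that runs the POC semantics just described. It encodes processes as nested tuples and a system $\parallel_a (P)_a$ as a tuple of (role, process) pairs; `sync=False` follows the asynchronous rules of Table 2 and `sync=True` drops Out, Async-Out and Msg in favour of Sync-Out. The label `('send', o, a)` stands for the paper's $\overline{o} : a$ and `('int', o, a, b)` for $o_{a\to b}$; the "no outgoing transitions of the same form" clause of Definition 2.2 is realized by following only send, interaction and $\surd$ transitions at system level. The two systems used as inputs are the buyer/seller POC and the disconnected POC from the Introduction; the function names are this example's own.

```python
# Added example, not from the paper: POC processes and systems as nested tuples,
# the asynchronous LTS of Table 2 and its synchronous variant (rule Sync-Out),
# and the traces of Definition 2.2. A system ‖_a (P)_a is a tuple of (role, process).
TICK = ('tick',)   # the termination label √

def one(): return ('one',)
def zero(): return ('zero',)
def inp(o): return ('in', o)     # input action o
def out(o): return ('out', o)    # output action (overlined in the paper)
def msg(o): return ('msg', o)    # runtime message <o>
def seq(p, q): return ('seq', p, q)
def par(p, q): return ('par', p, q)
def choice(p, q): return ('choice', p, q)

def proc_steps(P, sync):
    """Process-level transitions (label, P'); labels are TICK or (kind, operation)."""
    k = P[0]
    if k == 'in':
        return [(P, one())]                                      # In
    if k == 'out':                                               # Out, or Sync-Out when sync:
        return [((('msg' if sync else 'out'), P[1]), one())]     # a message label rule Synch can use
    if k == 'msg':
        return [] if sync else [(P, one())]                      # Async-Out (absent in the sync LTS)
    if k == 'one':
        return [(TICK, zero())]                                  # One
    if k == 'zero':
        return []
    _, P1, P2 = P
    s1, s2 = proc_steps(P1, sync), proc_steps(P2, sync)
    res = []
    if k == 'seq':
        for g, Q in s1:
            res += s2 if g == TICK else [(g, seq(Q, P2))]        # Seq-end / Sequence
    elif k == 'par':
        res += [(g, par(Q, P2)) for g, Q in s1 if g != TICK]     # Inner Parallel (+ symmetric)
        res += [(g, par(P1, Q)) for g, Q in s2 if g != TICK]
        res += [(TICK, par(Q1, Q2)) for g1, Q1 in s1 if g1 == TICK
                                    for g2, Q2 in s2 if g2 == TICK]   # Inner Par-end
    elif k == 'choice':
        res += s1 + s2                                           # Choice (+ symmetric)
    return res

def role_steps(a, P, sync):
    """Transitions of (P)_a: rules Lift, Lift-Tick and Msg."""
    res = []
    for g, Q in proc_steps(P, sync):
        if g == TICK:
            res.append((TICK, Q))                                # Lift-Tick
        elif g[0] == 'out':
            res.append((('send', g[1], a), par(Q, msg(g[1]))))   # Msg: the output becomes a stored message
        else:
            res.append(((g[0], g[1], a), Q))                     # Lift: ('in', o, a) or ('msg', o, a)
    return res

def sys_steps(S, sync):
    """System transitions with the labels Def. 2.2 observes: ('send', o, a), ('int', o, a, b), TICK.
    Plain input and message transitions are not followed (they are interactions with the outside)."""
    per = [role_steps(a, P, sync) for a, P in S]
    def put(S, i, Q):
        return S[:i] + ((S[i][0], Q),) + S[i + 1:]
    res = []
    for i, st in enumerate(per):                                 # Ext-Parallel, sending events only
        res += [(g, put(S, i, Q)) for g, Q in st if g[0] == 'send']
    for i, st_i in enumerate(per):                               # Synch: message at role i, input at j
        for j, st_j in enumerate(per):
            for g1, Q1 in st_i:
                for g2, Q2 in st_j:
                    if i != j and g1[0] == 'msg' and g2[0] == 'in' and g1[1] == g2[1]:
                        res.append((('int', g1[1], S[i][0], S[j][0]), put(put(S, i, Q1), j, Q2)))
    ticks = [[Q for g, Q in st if g == TICK] for st in per]      # Ext-Par-End: all roles terminate
    if S and all(ticks):                                         # (post-√ states are dead, so any
        res.append((TICK, tuple((a, t[0]) for (a, _), t in zip(S, ticks))))  # one successor will do)
    return res

def traces(S, sync=False):
    """Strong maximal asynchronous (default) or synchronous traces of a system."""
    st = sys_steps(S, sync)
    if not st:
        return {()}
    return {(g,) + t for g, S2 in st for t in traces(S2, sync)}

def sender(trace):   return tuple(g for g in trace if g[0] != 'int')
def receiver(trace): return tuple(g for g in trace if g[0] != 'send')
def weak(trace):     return tuple(g for g in trace if g == TICK or not g[1].endswith('*'))
def is_complete(trace): return bool(trace) and trace[-1] == TICK

# The buyer/seller POC and the disconnected POC of the Introduction
BUYER_SELLER = (('b', seq(out('ask'), inp('quote'))), ('s', seq(inp('ask'), out('quote'))))
DISCONNECTED = (('a', out('o')), ('b', inp('o')), ('c', out("o'")), ('d', inp("o'")))

if __name__ == '__main__':
    print(traces(BUYER_SELLER, sync=True))
    print({sender(t) for t in traces(BUYER_SELLER)})
    print(len(traces(DISCONNECTED, sync=True)), 'synchronous traces of the disconnected POC')
    print(traces((('a', inp('o')),)), '<- deadlocked: only the empty trace')
```

The disconnected system yields two synchronous traces (the two interactions in either order), which is exactly the non-conformance observed in the Introduction, while a lone `(o)_a` has only the empty, incomplete trace.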
3. Projecting IOCs onto POCs
In this section we show how to relate the Interaction-Oriented and the Process-Oriented description of a choreography. In particular, given an IOC $I$ we want to define a system $S$ implementing it. The idea is to project the IOC on the different roles, and build the system $S$ as the parallel composition of the projections on the different roles. We consider here the most natural projection, which is essentially a homomorphism on most operators. As we will see, the POC resulting from such a projection is behaviorally related to the starting IOC only under some syntactic conditions on the IOC itself. Also, POCs resulting from the projection of initial IOCs will not deadlock. We will see in Section 6 how to transform IOCs so as to ensure that they satisfy those syntactic conditions, preserving the observable behavior.
Definition 3.1 (Projection function). Given an IOC $I$ and a role $a$, the projection $proj(I, a)$ of IOC $I$ on role $a$ is defined by structural induction on $I$:
$proj(o^?_{a\to b}, a) = \overline{o^?}$
$proj(o^?_{a\to b}, b) = o^?$
$proj(o^?_{a\to b}, c) = \mathbf{1}$ if $c \neq a, b$
$proj(\mathbf{1}, a) = \mathbf{1}$
$proj(\mathbf{0}, a) = \mathbf{0}$
$proj(I;I', a) = proj(I, a);\ proj(I', a)$
$proj(I \parallel I', a) = proj(I, a)\,|\,proj(I', a)$
$proj(I + I', a) = proj(I, a) + proj(I', a)$
We denote with $\parallel_{i \in I} S_i$ the parallel composition of systems $S_i$ for each $i \in I$.
Definition 3.2. Given an IOC $I$, the projection of $I$ is the system $S$ defined by:
$proj(I) = \parallel_{a \in roles(I)} (proj(I, a))_a$
We now want to analyze the relationships between an IOC and the projected POC, proving that the projection $proj(I)$ of a given IOC $I$ behaves according to the IOC $I$. However, "behaves according to" can be formalized in different ways, depending on the kind of properties that one wants to preserve. We call the "behaves according to" relation a conformance relation. To ensure that an IOC and the projected POC satisfy one of the different conformance relations, we find some syntactic conditions on the form of the IOC, which we call connectedness conditions. Each conformance relation will require its particular connectedness conditions. We now give an informal description of the possible conformance relations, while the following sections are devoted to fully formalize the correspondence in terms of different kinds of trace equivalences, and to discuss the necessary connectedness conditions.
Let us consider the simple IOC $I = o_{a\to b};\ o'_{c\to d}$ from the Introduction, where $a$, $b$, $c$ and $d$ may or may not be distinct. In the system $proj(I)$ there are two possibly distinct events for each interaction $o_{a\to b}$ in the IOC: the sending $\overline{o} : a$ of the message by role $a$ and the reception $o_{a\to b}$ of the message by role $b$. Let us denote with $s_1$ and $s_2$ the sending events from $o_{a\to b}$ and $o'_{c\to d}$ respectively, and similarly let us denote with $r_1$ and $r_2$ the corresponding receive events. We denote with $e$ an arbitrary event, write $e_1 = e_2$ when the two events are synchronized and $e_1 < e_2$ when $e_1$ happens before $e_2$. We may use the same notation to denote both the label corresponding to the action execution and the action itself.
The condition that oa→b has to be executed before o′c→d, expressed by the ; in the
IOC, has to be mapped into a condition relating the corresponding events in the POC.
We consider the following possibilities, one synchronous and four asynchronous:
— Synchronous conformance: it guarantees that the POC, when executed using the synchronous LTS, behaves as specified by the IOC. Because of the synchronous semantics $s_1 = r_1$ and $s_2 = r_2$, thus the sequentiality condition can be expressed, e.g., as $s_1 < s_2 \lor s_1 < r_2 \lor r_1 < s_2 \lor r_1 < r_2$;
— Sender conformance: it guarantees that the POC, when executed using the asynchronous LTS, behaves as specified by the IOC from a sender perspective, i.e. that $s_1 < s_2$;
— Receiver conformance: it guarantees that the POC, when executed using the asynchronous LTS, behaves as specified by the IOC from a receiver perspective, i.e. that $r_1 < r_2$;
— Sender-receiver conformance: it guarantees that the POC, when executed using the asynchronous LTS, behaves as specified by the IOC from both a sender and a receiver perspective, i.e. that $s_1 < s_2 \land r_1 < r_2$; in the following we will not discuss this kind of conformance in detail, since an IOC and a POC are in a relation of sender-receiver conformance iff they are both in a relation of sender conformance and of receiver conformance;
— Disjoint conformance: it requires that, when the POC is executed using the asynchronous LTS, the intervals of execution of the first interaction (from $s_1$ to $r_1$) and of the second one (from $s_2$ to $r_2$) are completely disjoint: this can be formalized by $r_1 < s_2$.
The conditions presented above form a partial order w.r.t. implication, e.g., if a system
satisfies the connectedness conditions for the disjoint conformance then it also satisfies
the connectedness conditions for the other forms of conformance. The partial order is
represented in Figure 1. In the partial order, going from top to bottom, connectedness
conditions become more relaxed, but behavioral guarantees become weaker. The same
implications are still satisfied when we generalize the conditions to take into account
IOCs which are more complex than the simple one above.
Fig. 1. Partial order for conformance. [Figure: from top (stronger conditions and guarantees) to bottom (weaker conditions and guarantees): Disjoint; Sender-receiver; Sender and Receiver side by side; Synchronous.]
Since in the POC different roles are executing in parallel, sequentiality conditions between events should be enforced by a single role, which thus should occur in more than one interaction. We show below the conditions required on roles to make the simple example above behave as expected, according to the different notions of conformance:
— Synchronous conformance: $\{a, b\} \cap \{c, d\} \neq \emptyset$;
— Sender conformance: $c = a \lor c = b$;
— Receiver conformance: $d = b \lor c = b$;
— Disjoint conformance: $b = c$.
Let us analyze, for instance, the condition for sender conformance: we require that the
sending from c happens after the sending from a. Clearly, if a = c then a can enforce
this condition. However if b = c then b, when it receives the message, knows that the
message has already been sent, and thus can enforce the sequentiality condition. We call
this condition connectedness for sequence.
We require also two other kinds of conditions: existence of unique points of choice, to ensure that all the participants are aware of which branch of a nondeterministic choice has been taken, and causality safety, to ensure that different interactions using the same operation do not mix up. We refer to the three conditions together as connectedness conditions.
The next sections discuss the different notions of conformance and the corresponding
connectedness conditions.
4. Synchronous conformance
In this section we discuss synchronous conformance and the corresponding connectedness
conditions. This case is important since, while being simpler than the asynchronous ones, it introduces most of the relevant concepts. For this reason we will describe it in detail. We will reuse most of the concepts in the following section.
We formalize the notion of conformance between an IOC and a POC using (variations
of) trace equivalence (Hoare, 1985). To simplify our proofs, we also use a (stronger)
characterization of conformance in terms of bisimilarity (Milner, 1989).
Definition 4.1 (Synchronous trace equivalence).
An IOC I and a POC S are synchronous trace equivalent iff the set of strong maximal
traces of I coincides with the set of strong maximal synchronous traces of S.
The aim of this section is to give all the tools to (make formal and) prove the following theorem:
Theorem 4.1 (Synchronous conformance). Let $I$ be an IOC and $S = proj(I)$ be its projection. If $I$ satisfies the connectedness conditions for the synchronous conformance, then $I$ and $S$ are synchronous trace equivalent.
We start by formalizing the connectedness conditions required to guarantee the synchronous conformance. A few auxiliary functions are needed. Functions $transI(\bullet)$ and $transF(\bullet)$ compute respectively the sets of initial and final interactions in an IOC:
$transI(o^?_{a\to b}) = transF(o^?_{a\to b}) = \{o^?_{a\to b}\}$
$transI(\mathbf{1}) = transI(\mathbf{0}) = transF(\mathbf{1}) = transF(\mathbf{0}) = \emptyset$
$transI(I \parallel I') = transI(I + I') = transI(I) \cup transI(I')$
$transF(I \parallel I') = transF(I + I') = transF(I) \cup transF(I')$
$transI(I;I') = transI(I')$ if $I \xrightarrow{\surd}$, $transI(I)$ otherwise
$transF(I;I') = transF(I)$ if $I' \xrightarrow{\surd}$, $transF(I')$ otherwise
The first connectedness condition that we present concerns sequential composition. It
generalizes the condition discussed in Section 3 for the synchronous conformance from
the case of sequential composition of interactions to the case of sequential composition
of arbitrary terms.
Definition 4.2 (Synchronous connectedness for sequence). An IOC $I$ is synchronous connected for sequence if for each subterm of the form $I';I''$ we have $\forall o^?_{a\to b} \in transF(I'),\ \forall o'^?_{c\to d} \in transI(I''),\ \{a, b\} \cap \{c, d\} \neq \emptyset$.
The second condition ensures that, for each nondeterministic choice in the IOC, all
the participants agree on which branch of the choice has been taken.
Definition 4.3 (Synchronous unique points of choice). An IOC $I$ has synchronous unique points of choice if for each subterm of the form $I' + I''$ we have:
— $\forall o^?_{a\to b} \in transI(I'),\ \forall o'^?_{c\to d} \in transI(I''),\ \{a, b\} \cap \{c, d\} \neq \emptyset$;
— $roles(I') = roles(I'')$.
The first condition ensures that any pair of initial interactions in different branches
of a choice shares a participant. In this way, as soon as an event of an interaction in a
branch of a choice has been performed, all the events in the other branch are disabled.
To understand the need for the additional condition $roles(I') = roles(I'')$ consider the following example.
Example 4.1. Consider the IOC $I = (o_{a\to b} + o'_{a\to c});\ o''_{b\to c}$. No trace of this IOC starts with the interaction $o''_{b\to c}$. However its projection is:
$proj(I) = ((\overline{o} + \overline{o'});\mathbf{1})_a \parallel ((o + \mathbf{1});\overline{o''})_b \parallel ((\mathbf{1} + o');o'')_c$
In this POC both the actions $\overline{o''}$ and $o''$ are enabled, thus the interaction $o''_{b\to c}$ can be performed immediately, while this is not the case for IOC $I$.
The two conditions above are enough to guarantee a correct behavior when each interaction of the IOC is performed on a different operation $o^?$. If different interactions are performed over the same operation $o^?$, special care is needed to ensure that the different occurrences of $o^?$ do not interfere. This is formalized below using the concept of causality safety, requiring a causality relation or a full conflict relation between events of interactions performed on the same operation.
For defining the causality relation and the full conflict relation we need to index interactions inside IOCs and events inside POCs. We will call annotated IOC (resp. annotated POC) an IOC (resp. POC) with indexes. However, not all the assignments of indexes are good for us: we will call well-annotated IOC (resp. POC) an IOC (resp. POC) whose indexes satisfy some conditions.
Definition 4.4 (Well-annotated IOC). Annotated IOCs are derived by a grammar obtained by replacing $o^?_{a\to b}$ with $n : o^?_{a\to b}$, where $n$ is a natural number (called index of the interaction), in the grammar for IOCs. An IOC is well-annotated if all the indexes are different.
Definition 4.5 (Annotated POC). Annotated POCs are derived by a grammar obtained by replacing $o^?$, $\overline{o^?}$ and $\langle o^?\rangle$ with $n : o^?$, $n : \overline{o^?}$ and $n : \langle o^?\rangle$ respectively, where $n$ is a natural number (called index of the event), in the grammar for POCs.
The definition of well-annotated POC is deferred to Definition 4.11, since some preliminary definitions are needed.
The semantics is trivially extended from IOCs to annotated IOCs and from POCs to
annotated POCs: indexes are just decorations and they have no effect on the semantics.
Also, transitions preserve indexes (for interactions and actions which are not discarded).
Similarly, one can easily extend the projection of an IOC into a POC to a projection of
an annotated IOC into an annotated POC: the input and the output actions obtained by
projecting interaction i have both index i. For instance, the projection of the annotated
IOC $1 : o_{a\to b};\ 2 : o'_{c\to d}$ is $(1 : \overline{o}; 1)_a \| (1 : o; 1)_b \| (1; 2 : \overline{o'})_c \| (1; 2 : o')_d$.
We can use indexes of events to define matching events.
Definition 4.6 (Matching events). A POC input and a POC output with the same
index are called matching events. We denote with $\overline{e}$ an event matching event $e$. An event
is unmatched if it has no matching event.
We can now define the causality relation and the full conflict relation. We will also
define the conflict relation, characterizing pairs of events in different branches of a choice.
Definition 4.7 (Synchronous causality relation). Let us consider an annotated IOC $I$. A synchronous causality relation $\le_I$ is a partial order among events in the (derivatives of the) projection $S$ of $I$. We define $\le_I$ as the minimum partial order satisfying:
sequentiality: for each subterm of the form $I'; I''$ and each role $a$, if $e'$ is an event in $proj(I', a)$, $e''$ is an event in $proj(I'', a)$, and $proj(I', a)$ has no transition of the form $proj(I', a) \xrightarrow{\surd}$, then $e' \le_I e''$;
synchronization: for each pair of events $e$ and $e'$, $e \le_I e'$ implies $\overline{e} \le_I e'$.
A pair $e \le_I e'$ formalizes the fact that event $e$ should occur before event $e'$, either because the two events are in the same role and composed sequentially, or because some synchronization involving $e$ has to be performed before $e'$ can become enabled.
Definition 4.8 (Synchronous conflict relation). Let us consider an annotated IOC $I$. A synchronous conflict relation $\#_I$ is a relation among events in the (derivatives of the) projection $S$ of $I$. We define $\#_I$ as the relation containing all pairs $(e', e'')$ of events such that $e'$ is in $proj(I', a)$ for some role $a$ and $e''$ is in $proj(I'', b)$ for some role $b$, for some subterm of the form $I' + I''$ of $I$. A synchronous full conflict relation $f\#_I$ is a relation among events in the (derivatives of the) projection $S$ of $I$. We define $f\#_I$ as the relation containing all pairs $(e, e')$ of events such that $(e, e') \in \#_I$ and both $e$ and $e'$ are not minimal according to $\le_{I'+I''}$.
Definition 4.9 (Synchronous causality safety).
An IOC I is synchronous causality safe iff for each pair of interactions i and j performed
on the same operation the two conditions below hold:
— $s_i \, f\#_I \, r_j \;\vee\; s_i \le_I r_j \;\vee\; r_j \le_I s_i$;
— $s_j \, f\#_I \, r_i \;\vee\; s_j \le_I r_i \;\vee\; r_i \le_I s_j$.
The following example shows the need for causality safety.
Example 4.2. Consider the annotated IOC $I = 1 : o_{a\to b} \| 2 : o_{c\to d}$. Here the two interactions are performed on the same operation $o$, but there are no causal dependencies or full conflicts between the events corresponding to the two interactions, i.e., the IOC $I$ is not causality safe. In fact, the projection of $I$ has the transition $(1 : \overline{o})_a \| (1 : o)_b \| (2 : \overline{o})_c \| (2 : o)_d \xrightarrow{o_{a\to d}} (1)_a \| (1 : o)_b \| (2 : \overline{o})_c \| (1)_d$, which is not allowed by the IOC itself. Note that this POC interaction involves two events with different indexes.
In the projection of causality safe IOCs, one input and one output in different inter-
actions (thus with different indexes) on the same operation are never enabled together
and thus can not interact. This is proved in Lemma 4.2.
Annotated IOCs and POCs are also used in the proof of our main theorem to deal with
nondeterministic choice: when a choice is performed in the POC, some garbage is kept
in form of events whose matching events have been discarded, as shown by the following
example.
Example 4.3. Consider the annotated IOC transition:
$(1 : o_{a\to b};\ 2 : o'_{b\to c}) + (3 : o''_{b\to c};\ 4 : o'''_{c\to a}) \xrightarrow{o_{a\to b}} (2 : o'_{b\to c})$
The corresponding annotated POC transition is:
$(1 : \overline{o}; 1 + 1; 4 : o''')_a \| (1 : o; 2 : \overline{o'} + 3 : \overline{o''}; 1)_b \| (1; 2 : o' + 3 : o''; 4 : \overline{o'''})_c \xrightarrow{o_{a\to b}} (1; 1)_a \| (1; 2 : \overline{o'})_b \| (1; 2 : o' + 3 : o''; 4 : \overline{o'''})_c$
In the result, events 3 : o′′ and 4 : o′′′ are unmatched, i.e. there is no other event with
the same index, thus they can never be executed and can be discarded.
We define the function rem(•) below to remove unmatched events.
Definition 4.10. Let S be an annotated POC. We denote with rem(S) the annotated
POC obtained from S by repeating the following pruning operations while possible:
1 replace an unmatched event $e$ in $S$ with $0$;
2 replace each subterm $0; P$ by $0$, each subterm $0 + P$ by $P$, and each subterm $0 \mid Z$, where $Z$ is a composition of $0$s and $1$s, by $0$.
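An added, executable reading of the machinery above (not code from the paper): annotated projection as in Definition 4.4 onwards, the synchronous POC step, and the pruning function rem(•) of Definition 4.10, replayed on Examples 4.2 and 4.3. The tuple encoding of terms, the role-to-process dictionary and all function names are my assumptions.

```python
"""Annotated IOC -> annotated POC projection, one synchronous POC step, and rem(.).
Constructed encoding (my assumption, not the paper's): terms are nested tuples.
IOC: ('int', n, op, a, b) | ('seq'|'par'|'choice', I, J) | ONE | ZERO
POC (one role): ('out', n, op) | ('in', n, op) | ('seq'|'par'|'choice', P, Q) | ONE | ZERO
A POC system is a dict role -> process, i.e. the parallel composition of the roles."""
ONE, ZERO = ('one',), ('zero',)
OPS, EVENTS = ('seq', 'par', 'choice'), ('out', 'in')

def roles(I):
    if I[0] == 'int':
        return {I[3], I[4]}
    return roles(I[1]) | roles(I[2]) if I[0] in OPS else set()

def proj_role(I, r):
    """proj(I, r): n:o a->b is the output n:o at a, the input n:o at b and 1 elsewhere."""
    if I[0] == 'int':
        _, n, op, a, b = I
        return ('out', n, op) if r == a else ('in', n, op) if r == b else ONE
    return (I[0], proj_role(I[1], r), proj_role(I[2], r)) if I[0] in OPS else I

def proj(I):
    return {r: proj_role(I, r) for r in sorted(roles(I))}

def events(P):
    """Set of (kind, index, op) events occurring in a process term."""
    if P[0] in EVENTS:
        return {P}
    return events(P[1]) | events(P[2]) if P[0] in OPS else set()

def terminates(P):
    """Can P perform the termination transition (label sqrt) right now?"""
    if P[0] == 'choice':
        return terminates(P[1]) or terminates(P[2])
    return terminates(P[1]) and terminates(P[2]) if P[0] in OPS else P == ONE

def fire(P, ev):
    """P after executing the single event ev, or None if ev is not enabled in P."""
    if P[0] in EVENTS:
        return ONE if P == ev else None
    if P[0] == 'seq':
        left = fire(P[1], ev)
        if left is not None:
            return ('seq', left, P[2])
        return fire(P[2], ev) if terminates(P[1]) else None  # P;Q -> Q' once P can do sqrt
    if P[0] == 'par':
        left, right = fire(P[1], ev), fire(P[2], ev)
        if left is not None:
            return ('par', left, P[2])
        return ('par', P[1], right) if right is not None else None
    if P[0] == 'choice':  # taking one branch discards the other
        left = fire(P[1], ev)
        return left if left is not None else fire(P[2], ev)
    return None

def sync_step(S, op, a, b):
    """Synchronous interaction op a->b: an enabled output on op at a meets an enabled input
    on op at b; only the operation is compared, not the index, as in the paper's semantics.
    Returns (S', output index, input index), or None when no such pair is enabled."""
    def enabled(r, kind):
        return sorted(e for e in events(S[r]) if e[0] == kind and e[2] == op and fire(S[r], e))
    outs, ins = enabled(a, 'out'), enabled(b, 'in')
    if not outs or not ins:
        return None
    S2 = dict(S)
    S2[a], S2[b] = fire(S[a], outs[0]), fire(S[b], ins[0])
    return S2, outs[0][1], ins[0][1]

def simplify(P):
    """Second pruning operation of rem: 0;P -> 0, 0+P -> P, 0 | Z -> 0 for event-free Z."""
    if P[0] not in OPS:
        return P
    L, R = simplify(P[1]), simplify(P[2])
    if P[0] == 'seq':
        return ZERO if L == ZERO else ('seq', L, R)
    if P[0] == 'choice':
        return R if L == ZERO else L if R == ZERO else ('choice', L, R)
    return ZERO if ZERO in (L, R) and not events(L) | events(R) else ('par', L, R)

def rem(S):
    """rem(S): unmatched events (no partner with the same index anywhere) become 0, then
    simplify; repeated until nothing changes, since pruning can unmatch further events."""
    while True:
        present = {(k, n) for P in S.values() for (k, n, _) in events(P)}
        def prune(P):  # first pruning operation
            if P[0] in EVENTS:
                return P if ('in' if P[0] == 'out' else 'out', P[1]) in present else ZERO
            return (P[0], prune(P[1]), prune(P[2])) if P[0] in OPS else P
        S2 = {r: simplify(prune(P)) for r, P in S.items()}
        if S2 == S:
            return S
        S = S2

def run(I, op, a, b):
    """Project I, perform the synchronous step op a->b, prune: ((out index, in index), rem(S'))."""
    S2, i, j = sync_step(proj(I), op, a, b)
    return (i, j), rem(S2)

# Example 4.2 of the paper: 1:o a->b || 2:o c->d is not causality safe, so its projection
# can perform o a->d, pairing the output of index 1 with the input of index 2.
EX42 = ('par', ('int', 1, 'o', 'a', 'b'), ('int', 2, 'o', 'c', 'd'))
# Example 4.3: after 1:o a->b the events 3 and 4 at role c are unmatched; rem(.) prunes them.
EX43 = ('choice', ('seq', ('int', 1, 'o', 'a', 'b'), ('int', 2, "o'", 'b', 'c')),
        ('seq', ('int', 3, "o''", 'b', 'c'), ('int', 4, "o'''", 'c', 'a')))
```

The residue returned for Example 4.3 keeps the idle prefixes $1;$ of the paper's $(1;1)_a \| (1; 2 : \overline{o'})_b \| (1; 2 : o')_c$; up to that prefix it is the projection of $2 : o'_{b\to c}$.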
POCs obtained projecting annotated connected IOCs enjoy particular properties.
Definition 4.11 (Synchronous well-annotated POC). An annotated POC $S$ is synchronous well-annotated for a causality relation $\le$, a conflict relation $\#$ and a full conflict relation $f\#$ iff for each index $i$ there are at most two events with index $i$ and, in this case, they are matching events. Furthermore, for each pair of events $e_1$ and $e_2$ on the same operation $o?$ with indexes $i, j$ such that $i \neq j$, either $(e_1, e_2) \in f\#$, or $e_1 \le e_2$ or $e_2 \le e_1$. Finally, if $e_1 \le e_2$ then $e_2$ can become enabled only after $e_1$ has been executed or discarded, and if $(e_1, e_2) \in \#$ then, if $e_1$ is executed, $e_2$ does not occur in $rem(S)$, where $S$ is the system after $e_1$ has been executed.
We now prove some basic properties of synchronous well-annotated POCs.
Lemma 4.1. If $S$ is a synchronous well-annotated POC w.r.t. a causality relation $\le$ then only events which are minimal w.r.t. $\le$ can be enabled in $S$.
Proof. The proof is by contradiction. Suppose $e_i$ is enabled but not minimal, i.e. there is $e_j$ such that $e_j \le e_i$. If there is more than one such $e_j$, consider the one such that the length of the derivation of $e_j \le e_i$ is minimal. This should have length one, and this should result from an application of the sequentiality rule. Thus from the definition of the projection function, and since the projection of the first component has no $\surd$ action, $e_i$ cannot be enabled.
Lemma 4.2. If $S$ is a synchronous well-annotated POC and $S \xrightarrow{o?_{a\to b}} S'$ then the two
executed events are matching events.
Proof. Because of the definition of the semantics the two events are on the same
operation. Assume that they are not matching events. Then they are either in causality
relation or in full conflict relation. In both the cases thanks to Lemma 4.1 at least one
of them cannot be enabled since it is not minimal. This is absurd, thus they have to be
matching events.
We will now prove that all the POCs we work with are synchronous well-annotated.
The proof is in two steps: in Lemma 4.3 we show that all the projections of synchronous
connected IOCs are synchronous well-annotated, and in Lemma 4.4 we show that syn-
chronous well-annotated POCs reduce to synchronous well-annotated POCs.
Lemma 4.3. Let $I$ be a synchronous connected IOC. Then $S = proj(I)$ is a synchronous well-annotated POC w.r.t. $\le_I$, $\#_I$ and $f\#_I$.
Proof. The first condition is trivially satisfied. The second condition trivially follows
from the definition of synchronous causality safety. The third condition follows from
Lemma 4.1.
Let us prove the last condition. Assume that $e_1$ is in the projection of the branch $I'$ of a choice $I' + I''$. We will prove that if $e_1$ is executed then all the events in $I''$ do not occur in $rem(S)$, where $S$ is the system after $e_1$ has been executed. For events in the same role of $e_1$ the thesis follows by the definition of the semantics. Also, $e_1$ interacts with a matching event $\overline{e_1}$ thanks to Lemma 4.2, thus the thesis follows trivially also for the role of $\overline{e_1}$. For other roles, if the event is in the projection of an initial interaction then it can be discarded by $rem(\bullet)$. In fact, because of the existence of unique points of choice one of the two events of the interaction is at the same role of $e_1$ or of $\overline{e_1}$, and
it is discarded by the semantics. Thus the other event becomes unmatched and can be
discarded too (first pruning operation of function rem(•)). We prove by induction on
the structure of the term that if all the events in the projection of initial interactions
of a term can be discarded, then all the events in the projection of the term can be
discarded. The only difficult case is sequential composition. Let J ;J ′ be the term. For
interactions in J the thesis follows by inductive hypothesis. It is enough to prove that
the initial interactions in $J'$ can be discarded. Let $o?_{a\to b}$ be such an interaction. Because
of synchronous connectedness for sequence then either a or b occurs also in each final
interaction of J . Let us take one such interaction, and let us assume that the event is
at a. By inductive hypothesis this event is discarded, i.e. replaced by 0. The projection
of J on a is composed only by 0s, for unmatched events, and 1s, for projections of
interactions not involving the role, and it includes at least a 0. Thus the projection of
J on a is reduced to 0 by rem(•) (second pruning operation). Since 0;P is replaced by
0, the event at a is discarded. The event at b becomes unmatched and can be discarded
too. The thesis follows.
Lemma 4.4. If $S$ is a synchronous well-annotated POC w.r.t. $\le$, $\#$ and $f\#$, and $S \xrightarrow{o?_{a\to b}}_s S'$ or $S \xrightarrow{\surd}_s S'$, then $S'$ is a synchronous well-annotated POC w.r.t. the restrictions of $\le$, $\#$ and $f\#$ to the events in $S'$.
Proof. The first two conditions trivially hold. For the second one, if e1 is executed or
discarded then the relation e1 ≤ e2 is removed and nothing has to be proved. Otherwise
the thesis holds for the new relation. A similar reasoning can be done for the conflict
relation.
The next lemma proves the correctness of function rem(•), i.e. that applying function
rem(•) to a synchronous well-annotated POC does not change its semantics.
Lemma 4.5. Let S be a synchronous well-annotated POC. The following properties
hold:
— if $S \xrightarrow{\sigma}_s S'$ for $\sigma = o?_{a\to b}$ or $\sigma = \surd$, then $rem(S) \xrightarrow{\sigma}_s rem(S')$;
— if $rem(S) \xrightarrow{\sigma}_s S''$ for $\sigma = o?_{a\to b}$ or $\sigma = \surd$, then there exists $S'$ such that $S \xrightarrow{\sigma}_s S'$ and $rem(S') = S''$.
Proof. All cases are proved by induction on the number of pruning operations in
rem(S). The base case is trivial. Let us consider the inductive case. If the last prun-
ing operation has been applied, it is trivial to see that it does not affect the operational
semantics. If the first one has been applied, we have to prove that the event e replaced
with 0 is not involved in the transition. From Lemma 4.2 e can interact only with a
matching event. However, this is impossible since e is unmatched.
We now prove a few properties of transitions with label $\surd$.
Lemma 4.6. If $I \xrightarrow{\surd}$ then, for each role $r \in roles(I)$, $proj(I, r) \xrightarrow{\surd}_s$, and vice versa.
Proof. By structural induction on $I$.
Lemma 4.7. If $transF(I)$ is empty, then $I \xrightarrow{\surd}$.
Proof. By structural induction on $I$.
The next lemma shows that if two matching events are enabled in the projection of an
IOC, then the corresponding interaction is initial.
Lemma 4.8. Let $I$ be a well-annotated, synchronous connected IOC and $i : o?_{a\to b}$ be an interaction in $I$. If $i : \overline{o?}$ and $i : o?$ are matching events and are both enabled in $proj(I)$ then $i : o?_{a\to b} \in transI(I)$.
Proof. By structural induction on I. The cases for 1, 0 and interactions are trivial.
For parallel composition and choice just consider that since the two events have the
same index then they are from the same component, and the thesis follows by inductive
hypothesis. Let us consider sequential composition. Suppose $I = I'; I''$. If $i : o?_{a\to b} \in I'$ the thesis follows by inductive hypothesis. Otherwise by inductive hypothesis $i : o?_{a\to b} \in transI(I'')$. Thus from synchronous connectedness for sequence $\{c, d\} \cap \{a, b\} \neq \emptyset$ for all $o'?_{c\to d} \in transF(I')$. Assume $transF(I')$ not empty and take one such $o'?_{c\to d}$. Suppose, e.g., $d = b$ (the other cases are analogous). If $o'?$ inside $d$ is not part of a choice then $i : o?$ is not enabled, since it is guarded by an input on the same role, and we get a contradiction. If it is part of a choice, then role $d$ should occur in all the other branches of the choice too, thus in each branch there is an event concerning $d$ to be executed. Again $i : o?$ is not enabled and we have a contradiction. If instead $transF(I')$ is empty, then from Lemma 4.7 $I' \xrightarrow{\surd}$. Thus $transI(I) = transI(I'')$ and the thesis follows by inductive hypothesis.
As a technical tool for proving our conformance result, we exploit a characterization
of conformance based on bisimilarity, to be able to exploit coinductive techniques in the
proof.
Definition 4.12 (Synchronous bisimilarity).
A synchronous bisimulation is a relation $R$ between IOCs and POCs such that if $(I, S) \in R$ then:
— if $I \xrightarrow{o?_{a\to b}} I'$ then $S \xrightarrow{o?_{a\to b}}_s S'$ and $(I', S') \in R$;
— if $I \xrightarrow{\surd} I'$ then $S \xrightarrow{\surd}_s S'$ and $(I', S') \in R$;
— if $S \xrightarrow{o?_{a\to b}}_s S'$ then $I \xrightarrow{o?_{a\to b}} I'$ and $(I', S') \in R$;
— if $S \xrightarrow{\surd}_s S'$ then $I \xrightarrow{\surd} I'$ and $(I', S') \in R$.
Synchronous bisimilarity $\sim_s$ is the largest synchronous bisimulation.
Synchronous bisimilarity implies synchronous trace equivalence.
Lemma 4.9. Let I be an IOC and S be a POC. If I ∼s S then I and S are synchronous
trace equivalent.
Proof. Easy, by coinduction.
Remember that an IOC I is synchronous connected if it is synchronous connected for
sequence, has synchronous unique points of choice and is synchronous causality safe.
We can now prove Theorem 4.1.
Proof of Theorem 4.1. We will show that the relation
$R = \{(I, S) \mid rem(S) = proj(I)\}$
where I is a well-annotated, synchronous connected IOC and S is a synchronous well-
annotated POC is a bisimulation. Thus the thesis will follow from Lemma 4.9. Thanks to
Lemma 4.3 all proj(I) are well-annotated. Thanks to Lemma 4.5 it is enough to consider
the case S = proj(I). Thanks to Lemma 4.4, all the obtained POCs are synchronous
well-annotated. The proof is by structural induction on the IOC $I$. All the subterms of a synchronous connected IOC are synchronous connected, thus the induction can be performed. The case for labels $\surd$ follows from Lemma 4.6. Let us consider the other labels.
Case $1$, $0$, $o?_{a\to b}$: trivial;
Case $I; I'$: from the definition of the projection function $S = \|_r (proj(I, r); proj(I', r))_r$. Suppose that $I; I' \xrightarrow{o?_{a\to b}} I''$. There are two possibilities: either $I \xrightarrow{o?_{a\to b}} I'''$ and $I'' = I'''; I'$, or $I \xrightarrow{\surd}$ and $I' \xrightarrow{o?_{a\to b}} I''$. In the first case by inductive hypothesis $\|_r (proj(I, r))_r \xrightarrow{o?_{a\to b}} \|_r (proj(I''', r))_r$, thus:
$\|_r (proj(I, r); proj(I', r))_r \xrightarrow{o?_{a\to b}} \|_r (proj(I''', r); proj(I', r))_r$
and the thesis follows.
If $I \xrightarrow{\surd}$ and $I' \xrightarrow{o?_{a\to b}} I''$ then by inductive hypothesis $proj(I') \xrightarrow{o?_{a\to b}} proj(I'')$. The thesis follows since thanks to Lemma 4.6 also $proj(I; I') \xrightarrow{o?_{a\to b}} proj(I'')$.
Let us consider the other condition. Suppose:
$S = \|_r (proj(I, r); proj(I', r))_r \xrightarrow{o?_{a\to b}} \|_r (P_r)_r$
Thus $proj(I; I', a) \xrightarrow{\langle o?\rangle} P_a$ and $proj(I; I', b) \xrightarrow{o?} P_b$. The two events should have the same index thanks to Lemma 4.2. Thus they are either both from $I$ or both from $I'$. In the first case we have also $\|_r (proj(I, r))_r \xrightarrow{o?_{a\to b}} \|_r (P''_r)_r$ with $P_r = P''_r; proj(I', r)$. Thus by inductive hypothesis $I \xrightarrow{o?_{a\to b}} I''$ and $\|_r (P''_r)_r$ is the projection of $I''$. Also $I; I' \xrightarrow{o?_{a\to b}} I''; I'$. The thesis follows.
In the second case thanks to Lemma 4.8 $o?_{a\to b} \in transI(I; I')$. Thus $I \xrightarrow{\surd}$ and $I' \xrightarrow{o?_{a\to b}} I''$. Thanks to Lemma 4.6 then we have $proj(I, a) \xrightarrow{\surd}$ and $proj(I, b) \xrightarrow{\surd}$. Thus $proj(I', a) \xrightarrow{\langle o?\rangle} P_a$, $proj(I', b) \xrightarrow{o?} P_b$ and $proj(I') \xrightarrow{o?_{a\to b}} \|_r (P_r)_r$. The thesis follows by inductive hypothesis.
Case $I \| I'$: from the definition of the projection $S = \|_r (proj(I, r) \mid proj(I', r))_r$. If $I \| I'$ can perform an interaction then one of its two components can perform the same interaction and the thesis follows by inductive hypothesis. For the other direction, an input and an output on the same operation should be enabled. Thanks to Lemma 4.2 they should have the same index. Thus they are from the same component and the thesis follows by inductive hypothesis.
Case $I + I'$: from the definition of the projection $S = \|_r (proj(I, r) + proj(I', r))_r$. If $I + I'$ can perform an interaction, i.e. $I + I' \xrightarrow{o?_{a\to b}} I''$, then one of its two components can perform the same interaction. Let it be $I$. Thus $I \xrightarrow{o?_{a\to b}} I''$. By inductive hypothesis $\|_r (proj(I, r))_r \xrightarrow{o?_{a\to b}} \|_r (proj(I'', r))_r$. Thus $\|_r (proj(I, r) + proj(I', r))_r \xrightarrow{o?_{a\to b}} \|_r (P''_r)_r$. We have to show that $rem(\|_r (P''_r)_r) = \|_r (proj(I'', r))_r$. We show that the equality holds for each role. For roles $a$ and $b$ this is trivial. For other roles, the transition leaves them unchanged. However, thanks to the definition of synchronous well-annotated POC and of conflict relation, all the events in $proj(I', r)$ are removed by $rem(\bullet)$. No event in $proj(I, r)$ is removed, since only the executed pair of matching events is removed, and no unmatched event remains.
For the other direction, we have an input and an output on the same operation $o?$ enabled. Suppose they are both in $proj(I)$. Then $proj(I)$ has the same transition, i.e. $proj(I) \xrightarrow{o?_{a\to b}} S''$, and by inductive hypothesis $I \xrightarrow{o?_{a\to b}} I''$ and thus $I + I' \xrightarrow{o?_{a\to b}} I''$. Also $proj(I + I') \xrightarrow{o?_{a\to b}} S'''$. We have to show that $rem(S''') = proj(I'')$. The technique is the same as for the other direction.
It is not possible that the input and output events are one in $I$ and the other in $I'$ because of Lemma 4.2.
Since synchronous bisimilarity implies synchronous trace equivalence (Lemma 4.9) then
the thesis follows.
As a consequence, each POC obtained by projecting an initial synchronous connected
IOC is deadlock free.
Proposition 4.1. Let I be an initial synchronous connected IOC and proj(I) its pro-
jection. All maximal synchronous traces of proj(I) are complete.
Proof. This follows from the synchronous conformance between IOC and POC (The-
orem 4.1) and from Proposition 2.1, guaranteeing that the same property holds for the
IOC.
In the next section we show how these techniques have to be extended to deal with
the various possibilities emerging when the asynchronous semantics for POC is used.
5. Asynchronous conformance notions
In this section we discuss the different possibilities of conformance and connectedness
that arise when the asynchronous semantics for POC is used. In fact, while in the IOC
an interaction is an atomic event, in the POC, using the asynchronous LTS, for each
interaction two events are performed: the sending and the receiving of the correspond-
ing message. Thus different conformance relations are possible, depending on whether
the IOC is used to specify the ordering of sending events, of receiving events, or both
the orderings. These correspond respectively to the sender, receiver and sender-receiver
semantics. We also discuss the disjoint semantics, which considers also the ordering of
sending and receiving events together.
Some of the technicalities of the different asynchronous cases are similar, and discussed
below. The distinctive traits are analyzed in the following subsections.
Definition 5.1 (Asynchronous unique points of choice). An IOC I has asyn-
chronous unique points of choice iff for each subterm of the form I ′ + I ′′ we have:
— $\forall o?_{a\to b} \in transI(I'),\ \forall o'?_{c\to d} \in transI(I'').\ a = c$;
— $roles(I') = roles(I'')$.
Differently from synchronous unique points of choice, in the asynchronous case the
sender of all the starting interactions is the same. We call it the role that makes the
choice. Such a constraint is needed since in the asynchronous semantics senders can send
messages even if the corresponding receive is not available yet.
In order to define causality and well-annotated POCs, in addition to input and output
events as in the synchronous case, we have to consider also messages 〈o?〉. Messages are
events, they inherit the index of the output that generates them, and are matched with
inputs with the same index. Thus an input is matched iff there exists either an output
or a message with the same index.
Definition 5.2 (Asynchronous causality relation). Let us consider an annotated IOC $I$. An asynchronous causality relation $\le^a_I$ is a partial order among events in the derivatives of the projection $S$ of $I$. We define $\le^a_I$ as the minimum partial order satisfying:
sequentiality: for each subterm of the form $I'; I''$ and each role $a$, if $r'$ is a receive event in $proj(I', a)$, $e''$ is a generic event in $proj(I'', a)$, and $proj(I', a)$ has no transition of the form $proj(I', a) \xrightarrow{\surd}$, then $r' \le^a_I e''$;
synchronization: for each receive event $n : r$ and generic event $m : e'$, $n : r \le^a_I m : e'$ implies both $n : s \le^a_I m : e'$ and $n : \langle s\rangle \le^a_I m : e'$, where $n : s$ is the sending event with index $n$ and $n : \langle s\rangle$ is the message with index $n$.
Differently from the synchronous case, here outputs cannot enforce sequentiality, since
they can be executed asynchronously.
The definition of asynchronous conflict $\#^a_I$ is equal to the synchronous one (see Definition 4.8). The definition of asynchronous full conflict $f\#^a_I$ is equal to the synchronous one (see Definition 4.8), but exploiting the asynchronous causality relation $\le^a_I$. The definition of asynchronous causality safety is equal to the synchronous one (see Definition 4.9), but exploiting the asynchronous causality relation $\le^a_I$. For function $rem(\bullet)$, the same definition used in the synchronous case can be used too, using the new definition of unmatched events.
POCs obtained projecting annotated connected IOCs enjoy particular properties.
Definition 5.3 (Asynchronous well-annotated POC). A POC $S$ is asynchronous well-annotated for a causality relation $\le^a$, a conflict relation $\#^a$ and a full conflict relation $f\#^a$ iff it is synchronous well-annotated w.r.t. $\le^a$, $\#^a$ and $f\#^a$, and for each output event $s$ inside a choice, either $s$ is in the role that makes the choice, or $s$ is not minimal according to $\le^a$ in the choice term.
The next lemma proves the correctness of function rem(•) in the asynchronous case.
Lemma 5.1. Let S be an asynchronous well-annotated POC. The following properties
hold:
— if $S \xrightarrow{\sigma} S'$ for $\sigma = o?_{a\to b}$, $\sigma = o? : a$, or $\sigma = \surd$, then $rem(S) \xrightarrow{\sigma} rem(S')$;
— if $rem(S) \xrightarrow{\sigma} S''$ for $\sigma = o?_{a\to b}$, $\sigma = o? : a$, or $\sigma = \surd$, then there exists $S'$ such that $S \xrightarrow{\sigma} S'$ and $rem(S') = S''$.
Proof. Similar to the proof of Lemma 4.5. Additionally we have to show that the first pruning operation does not remove sending events, to ensure that all the transitions of the form $S \xrightarrow{o?:a} S'$ are preserved. For a sending event $s_j$ to be removed, it should be unmatched, i.e. the corresponding input $r_j$ should have been consumed. The only possibility is that the input has been discarded by a choice (either directly or via pruning). This requires that an event $e$ in conflict with $r_j$ has been performed. From the definition of conflict relation, this event should be in conflict also with $s_j$. According to the definition of asynchronous well-annotated POC we have to consider two cases: either the output $s_j$ is in the role that makes the choice, or it is not minimal in the choice term. In the first case, as soon as the choice has been made, the output has been discarded, thus it cannot be enabled. If instead it is not minimal in the choice term, let us consider the minimal event $e'$ in the same role and in the same branch of the choice as $s_j$. The event $e'$ is in conflict with $e$. It should be an input, since no output in the role can be minimal because of the properties of asynchronous well-annotated POC. It should also be matched with an output in the role that makes the choice, which is discarded. Thus such an input can never be executed, and $s_j$ can never become enabled.
We prove now that asynchronous well-annotated POCs reduce to asynchronous well-
annotated POCs. The proof that projections of well-annotated, asynchronous connected
IOCs are asynchronous well-annotated POCs will be done separately for each notion of
asynchronous conformance.
Lemma 5.2. If $S$ is an asynchronous well-annotated POC w.r.t. $\le^a$, $\#^a$ and $f\#^a$, and $S \xrightarrow{\sigma} S'$ with $\sigma \in \{o?_{a\to b},\ o? : a,\ \surd\}$, then $S'$ is an asynchronous well-annotated POC w.r.t. the restrictions of $\le^a$, $\#^a$ and $f\#^a$ to the events in $S'$.
Proof. Similar to the proof of Lemma 4.4. In addition we have to show that for each output event $e$ inside a choice, either $e$ is in the role that makes the choice, or $e$ is not minimal in the choice term. The condition holds for $S$. If $e$ is in the role that makes the choice then it is in the role that makes the choice also in $S'$, unless the choice is executed. However in this last case the choice is discarded and nothing has to be proved. Let us consider the case $e$ not minimal in $S$. Assume by contradiction that $e$ is minimal in $S'$. This means that all the events on which it was causally dependent have been performed. However, the last such event is in the same role, thus performing it discards the choice. Thus nothing has to be proved.
We proceed now to analyze the peculiar features of each asynchronous conformance
notion.
5.1. Sender conformance
According to the sender conformance, the IOC determines the order in which messages
are sent, disregarding when they are received. This is matched by the notion of sender
trace equivalence, based on strong maximal sender traces, which only include output
events.
Definition 5.4 (Sender trace equivalence). An IOC I and a POC S are sender trace
equivalent iff there is a bijection between strong maximal traces of I and strong maximal
sender traces of S such that, given a strong maximal trace t of I, the corresponding
strong maximal trace of $S$ is obtained by replacing in $t$ each label of the form $o?_{a\to b}$ with $o? : a$.
The translation on the labels is needed since $o? : a$ is the POC label of the output event that corresponds to the full interaction $o?_{a\to b}$.
We will develop the tools to prove:
Theorem 5.1 (Sender conformance). Let I be an IOC and S = proj(I) be its
projection. If I satisfies the connectedness conditions for the sender conformance, then
I and S are sender trace equivalent.
We start by formalizing the connectedness for sequence for the sender conformance.
Definition 5.5 (Sender connectedness for sequence). An IOC $I$ is sender connected for sequence iff for each subterm of the form $I'; I''$ we have $\forall o?_{a\to b} \in transF(I'),\ \forall o'?_{c\to d} \in transI(I'').\ a = c \vee b = c$.
In the following, when we say that an IOC is sender connected, we mean that it satisfies,
besides sender connectedness for sequence, also the asynchronous unique points of choice
property and the asynchronous causality safety property.
The next lemma shows that if an output event is enabled in the projection of an IOC,
then the corresponding interaction is initial.
Lemma 5.3. Let $I$ be a sender connected IOC and $i : o?_{a\to b}$ be an annotated interaction in $I$. If the output $i : \overline{o?}$ is enabled in $proj(I)$ then $i : o?_{a\to b} \in transI(I)$.
Proof. By structural induction on $I$. The cases for $1$, interactions, parallel composition and choice are trivial. Let us consider sequential composition. Suppose $I = I'; I''$. If $i : o?_{a\to b}$ is in $I'$ the thesis follows by inductive hypothesis. Otherwise by inductive hypothesis the interaction is in $transI(I'')$. Thus from sender connectedness for sequence for each $o'?_{c\to d} \in transF(I')$ we have $c = a$ or $d = a$. If $transF(I')$ is not empty, in both the cases we get a contradiction since $i : \overline{o?}$ cannot be enabled. If instead $transF(I')$ is empty, then thanks to Lemma 4.7 $I' \xrightarrow{\surd}$ and the thesis follows by inductive hypothesis.
We show now that projections of well-annotated, sender connected IOCs are asyn-
chronous well-annotated POCs.
Lemma 5.4. Let $I$ be a well-annotated, sender connected IOC. Then $proj(I)$ is an asynchronous well-annotated POC w.r.t. $\le^a_I$, $\#^a_I$ and $f\#^a_I$.
Proof. Similar to the proof of Lemma 4.3. In addition we have to show that for each
output event e inside a choice, either e is in the role that makes the choice, or e is not
minimal in the choice term. Assume that e is not in the role that makes the choice, but
in a generic role a. In particular, e is not in an initial interaction of the choice, since all
the senders of these interactions are in the role that makes the choice. Thus, it should
be in the projection on a of the second component of a sequence I; I ′ such that there
is no transition of the form $I \xrightarrow{\surd}$. Take the smallest such sequence. Then $e$ is initial in the component $I'$ of the sequence. Because of sender connectedness for sequence, all the final interactions in the first component should have an event at role $a$. There is at least one such interaction, otherwise from Lemma 4.7 $I \xrightarrow{\surd}$. If this interaction is not inside a choice inside $I$ then $proj(I, a)$ has no transition of the form $proj(I, a) \xrightarrow{\surd}$ and $e$ cannot be minimal. If the interaction is inside a choice, because of unique points of choice the role $a$ is involved in all the branches and again $proj(I, a)$ has no transition of the form $proj(I, a) \xrightarrow{\surd}$ and $e$ cannot be minimal.
As a technical tool for proving our conformance result, we exploit a characterization
of conformance based on bisimilarity, to be able to exploit coinductive techniques in the
proof.
As auxiliary notation we will write $\Rightarrow_i$ for a sequence of zero or more input transitions $\xrightarrow{o_1?_{a_1\to b_1}} \cdots \xrightarrow{o_n?_{a_n\to b_n}}$.
Definition 5.6 (Sender bisimilarity). A sender bisimulation is a relation $R$ between IOCs and POCs such that if $(I, S) \in R$ then:
— if $I \xrightarrow{o?_{a\to b}} I'$ then $S \Rightarrow_i \xrightarrow{o?:a} S'$ and $(I', S') \in R$;
— if $I \xrightarrow{\surd} I'$ then $S \Rightarrow_i \xrightarrow{\surd} S'$ and $(I', S') \in R$;
— if $S \xrightarrow{o?:a} S'$ then $I \xrightarrow{o?_{a\to b}} I'$ and $(I', S') \in R$;
— if $S \xrightarrow{\surd} S'$ then $I \xrightarrow{\surd} I'$ and $(I', S') \in R$;
— if $S \xrightarrow{o?_{a\to b}} S'$ then $(I, S') \in R$.
Sender bisimilarity $\sim_n$ is the largest sender bisimulation.
The following lemmas will simplify the proof of the conformance result. Below, by
mixed choice we mean a choice between two POC terms, one able to perform as its first
action an input, and another one able to start with an output action. By input choice,
we mean a choice between two POC terms able to perform, as their first action, only
inputs.
Lemma 5.5. Let $S$ be a POC without mixed choice. If $S \xrightarrow{o?:a} S'$ and $S \Rightarrow_i S''$ then $S' \Rightarrow_i S'''$ and $S'' \xrightarrow{o?:a} S'''$.
Proof. Trivial, by induction on the number of transitions in ⇒i.
Lemma 5.6. Let $S$ be a POC. Suppose that for each input choice, there is at most one branch such that a message able to interact with it exists. If $S \xrightarrow{o?_{a\to b}} S'$ and $S \xrightarrow{o'?_{c\to d}} S''$ with $o? \neq o'?$ then $S' \xrightarrow{o'?_{c\to d}} S'''$ and $S'' \xrightarrow{o?_{a\to b}} S'''$.
Proof. Trivial, by case analysis.
The next lemma defines an auxiliary relation for proving sender bisimilarity.
Lemma 5.7. Let $R'$ be a relation between IOCs and POCs. Let $R = \{(I, S'') \mid S'' \Rightarrow_i S \wedge (I, S) \in R'\}$. Suppose that in each POC $S''$ there is no mixed choice and that for each input choice, there is at most one branch such that a message able to interact with it exists. If $R'$ is such that if $(I, S) \in R'$ then:
— if $I \xrightarrow{o?_{a\to b}} I'$ then $S \xrightarrow{o?:a} S'$ and $(I', S') \in R$;
— if $I \xrightarrow{\surd} I'$ then $S \xrightarrow{\surd} S'$ and $(I', S') \in R$;
— if $S \xrightarrow{o?:a} S'$ then $I \xrightarrow{o?_{a\to b}} I'$ and $(I', S') \in R$;
— if $S \xrightarrow{\surd} S'$ then $I \xrightarrow{\surd} I'$ and $(I', S') \in R$;
— $S$ has no input transitions;
then $R$ is a sender bisimilarity.
Proof. The proof is by coinduction. Let (I,S ′′) ∈ R. Thus S ′′ ⇒i S ∧ (I,S) ∈ R′. We
have to show that (I,S ′′) satisfies the bisimilarity conditions.
Suppose $I \xrightarrow{o?_{a\to b}} I'$. We know that $S'' \Rightarrow_i S$ and, since $(I, S) \in R'$, then $S \xrightarrow{o?:a} S'$ with $(I', S') \in R$. The case of $\surd$ is similar.
Suppose now $S'' \xrightarrow{o?:a} S'$. We know that $S'' \Rightarrow_i S$ and $(I, S) \in R'$. From Lemma 5.5 $S \xrightarrow{o?:a} S'''$ and $S' \Rightarrow_i S'''$. From the second bisimilarity condition $I \xrightarrow{o?_{a\to b}} I'$ and $(I', S''') \in R$. Since $S' \Rightarrow_i S'''$ also $(I', S') \in R$, as desired. The case of $\surd$ is similar.
For the last condition we know that $S'' \Rightarrow_i S$ and $S'' \xrightarrow{o?_{a\to b}} S'$. We prove that $(I, S') \in R$ by induction on the number of inputs in $\Rightarrow_i$. The base case is vacuously true. For the inductive case, if the first input in $\Rightarrow_i$ is not on operation $o?$ we can apply Lemma 5.6
and the thesis follows by inductive hypothesis. Assume now that both the transitions
are on the same operation. Then there should be either two inputs or two messages (or
both) on the same operation concurrently enabled. At least one of them has not the same
index of an event it can interact with. Thus because of asynchronous causality safety,
the two events are either in causal relation or in full conflict relation. Thus because of
the properties of asynchronous well-annotated POC at least one of them is not enabled.
This means that this case can never happen.
Sender bisimilarity implies sender trace equivalence.
Lemma 5.8. Let $I$ be an IOC and $S$ be a POC. If $I \sim_n S$ then $I$ and $S$ are sender trace equivalent.
Proof. Easy, by coinduction.
We can now prove Theorem 5.1.
Proof of Theorem 5.1. The proof shows that the relation
$$R = \{(I, S) \mid S \Rightarrow_i S' \wedge \mathrm{rem}(S') = \mathrm{proj}(I)\}$$
where $I$ is a well-annotated, sender connected IOC and $S$ is an asynchronous well-annotated POC is a sender bisimulation. Consider the relation
$$R' = \{(I, S') \mid \mathrm{rem}(S') = \mathrm{proj}(I)\}$$
The conditions of Lemma 5.7 on choice are satisfied thanks to the existence of asynchronous unique points of choice. In fact, there is no mixed choice since for each term $I + I'$ all the interactions have the same sender, i.e. all the outputs are in the same role, which cannot have enabled inputs. Also, for each input choice there is at most one branch such that a message able to interact with it exists since, as soon as a message is created, all the other outputs are discarded.
Thus it is enough to show that the conditions of Lemma 5.7 on $R'$ are satisfied. Thanks to Lemma 5.1, Lemma 5.4 and Lemma 5.2 one can just consider the case $S' = \mathrm{proj}(I)$. First, $\mathrm{rem}(S')$ has no input transitions since projections contain no messages. For the other conditions the proof is by structural induction on $I$:
Case $0$, $1$: trivial.
Case $o^?a\to b$: the only possible transition is $o^?a\to b \xrightarrow{o^?a\to b} 1$. The associated POC is $(o^?)_a \| (o^?)_b$, which has as only transition $(o^?)_a \| (o^?)_b \xrightarrow{o^?:a} (\langle o^? \rangle)_a \| (o^?)_b$. This satisfies the first condition since $(\langle o^? \rangle)_a \| (o^?)_b \xrightarrow{o^?a\to b} (1)_a \| (1)_b = \mathrm{proj}(1)$, thus $(1, (\langle o^? \rangle)_a \| (o^?)_b) \in R$. The other conditions are satisfied too.
Case $I; I'$: from the definition of the projection function $S = \|_r (\mathrm{proj}(I, r); \mathrm{proj}(I', r))_r$. Suppose that $I; I' \xrightarrow{o^?a\to b} I''$. There are two possibilities: either $I \xrightarrow{o^?a\to b} I'''$ and $I'' = I'''; I'$, or $I \xrightarrow{\surd}$ and $I' \xrightarrow{o^?a\to b} I''$. In the first case by inductive hypothesis $\|_r (\mathrm{proj}(I, r))_r \xrightarrow{o^?:a} \Rightarrow_i \|_r (\mathrm{proj}(I''', r))_r$. As a consequence $\|_r (\mathrm{proj}(I, r); \mathrm{proj}(I', r))_r \xrightarrow{o^?:a} \Rightarrow_i \|_r (\mathrm{proj}(I''', r); \mathrm{proj}(I', r))_r$ and the thesis follows. The second case is similar.
Let us consider now the case $\|_r (\mathrm{proj}(I, r); \mathrm{proj}(I', r))_r \xrightarrow{o^?:a} S$. We should have $o^?$ enabled. Thus thanks to Lemma 5.3 we have $o^?a\to b \in \mathit{trans}_I(I; I')$. We have two cases: either $o^?$ is in the projection of $I$ or it is in the projection of $I'$ (thanks to asynchronous causality safety and Lemma 5.4 exactly one $o^?$ is enabled).
Suppose $o^?$ is in $\mathrm{proj}(I)$. Then $I; I' \xrightarrow{o^?a\to b} I'''; I'$ and by inductive hypothesis $\|_r (\mathrm{proj}(I, r))_r \xrightarrow{o^?:a} S \Rightarrow_i \|_r (\mathrm{proj}(I''', r))_r$. Then $\|_r (\mathrm{proj}(I; I', r))_r \xrightarrow{o^?:a} S'' \Rightarrow_i \|_r (\mathrm{proj}(I'''; I', r))_r$. Note that the inputs in $\Rightarrow_i$ are the same ones as before since, from asynchronous causality safety and Lemma 5.4, at most one input on any operation can be enabled.
The case $o^?$ in $\mathrm{proj}(I')$ is possible only if $I \xrightarrow{\surd}$, and follows trivially by inductive hypothesis.
The cases for $\surd$ actions are trivial.
Case $I \| I'$: from the definition of the projection $S = \|_r (\mathrm{proj}(I, r) \mid \mathrm{proj}(I', r))_r$. If $I \| I'$ has a transition then one of its two components has the same transition and the thesis follows from inductive hypothesis. Let us consider the other direction. Suppose the output is from $\mathrm{proj}(I)$, i.e. $\mathrm{proj}(I) \xrightarrow{o^?:a} S'' = \|_r (P''_r)_r$. Then by inductive hypothesis $I \xrightarrow{o^?a\to b} I''$ with $(I'', S'') \in R$. This means that $S'' \Rightarrow_i \mathrm{proj}(I'')$. Also $\mathrm{proj}(I \| I') \xrightarrow{o^?:a} \|_r (P''_r \mid \mathrm{proj}(I', r))_r$. All the inputs can be done by $\|_r (P''_r)_r$. Thus:
$$\|_r (P''_r \mid \mathrm{proj}(I', r))_r \Rightarrow_i \mathrm{proj}(I'' \| I')$$
as desired.
Case $I + I'$: from the definition of the projection $S = \|_r (\mathrm{proj}(I, r) + \mathrm{proj}(I', r))_r$. If $I + I'$ has a transition then one of its two components has the same transition. Suppose that $I$ is such a component. Then we have $\|_r (\mathrm{proj}(I, r) + \mathrm{proj}(I', r))_r \xrightarrow{o^?a\to b} \Rightarrow_i \|_r (\mathrm{proj}(I, r) + P''_r)_r$. We have to show that $\mathrm{rem}(\|_r (\mathrm{proj}(I, r) + P''_r)_r) = \|_r (\mathrm{proj}(I, r))_r$. We show that the equality holds for each role. For role $a$ this is trivial. For other roles, the output transition leaves them unchanged. However, thanks to the definition of asynchronous well-annotated POC and of conflict relation, all the events in $\mathrm{proj}(I', r)$ are removed by $\mathrm{rem}(\cdot)$. No event in $\mathrm{proj}(I, r)$ is removed but the event matching the output, which is removed by the following input transition, since there is no unmatched event inside $\mathrm{proj}(I)$. The case for $\surd$ is similar.
Consider the other direction. Suppose the output is from $\mathrm{proj}(I)$, i.e. $\mathrm{proj}(I) \xrightarrow{o^?:a} S'' = \|_r (P''_r)_r$. Then by inductive hypothesis we have $I \xrightarrow{o^?a\to b} I''$ with $(I'', S'') \in R$. This means that $S'' \Rightarrow_i \mathrm{proj}(I'')$. Also $\mathrm{proj}(I + I') \xrightarrow{o^?:a} \|_r (P''_r + P''''_r)_r$. All the inputs can be done by $\|_r (P''_r)_r$. Thus $\|_r (P''_r + P''''_r)_r \Rightarrow_i \|_r (\mathrm{proj}(I'', r) + P'''''_r)_r$. We have to show that $\mathrm{rem}(\|_r (P'''''_r)_r) = \|_r (0)_r$. The technique is the same as for the other direction.
Since sender bisimilarity implies sender trace equivalence (Lemma 5.8) the thesis follows.
As a consequence, each POC obtained by projecting an initial sender connected IOC
is deadlock free.
Proposition 5.1. Let $I$ be an initial sender connected IOC and $\mathrm{proj}(I)$ its projection. All maximal asynchronous traces of $\mathrm{proj}(I)$ are complete.
Proof. This follows from the sender conformance between IOC and POC (Theorem 5.1)
and from Proposition 2.1, guaranteeing that the same property holds for the IOC.
5.2. Receiver conformance
According to the receiver conformance, the IOC determines the order in which messages
are received, disregarding when they are sent. This is matched by the notion of receiver
trace equivalence, based on strong maximal receiver traces, which only include input
events.
Definition 5.7 (Receiver trace equivalence). An IOC I and a POC S are receiver
trace equivalent iff the strong maximal traces of I coincide with the strong maximal
receiver traces of S.
We will develop the tools to prove:
Theorem 5.2 (Receiver conformance). Let I be an IOC and S = proj(I) be its
projection. If I satisfies the connectedness conditions for the receiver conformance, then
I and S are receiver trace equivalent.
We start by formalizing the connectedness for sequence for the receiver conformance.
Definition 5.8 (Receiver connectedness for sequence). An IOC $I$ is receiver connected for sequence iff for each subterm of the form $I'; I''$ we have $\forall o^?a\to b \in \mathit{trans}_F(I'),\ \forall o'^?c\to d \in \mathit{trans}_I(I'').\ b = c \vee b = d$.
In the receiver case, we also have to strengthen the definition of unique points of choice.
Definition 5.9 (Asynchronous receiver unique points of choice). An IOC $I$ has asynchronous receiver unique points of choice iff for each subterm of the form $I' + I''$ we have:
— $\forall o^?a\to b \in \mathit{trans}_I(I'),\ \forall o'^?c\to d \in \mathit{trans}_I(I'').\ a = c$;
— $\mathrm{roles}(I') = \mathrm{roles}(I'')$;
— no output outside the role that makes the choice is minimal in the choice term according to the causality relation.
The last condition is necessary to avoid that outputs in the wrong branch of the choice
are executed before the choice is made.
Remark 5.1. The last condition in the definition of asynchronous receiver unique points of choice is not necessary in the other asynchronous cases, since it follows from the asynchronous unique points of choice property and the sender connectedness for sequence (cf. the proof of Lemma 5.4). Thanks to this implication, even if we will not require this condition for the sender-receiver conformance and the disjoint conformance, sender-receiver and disjoint connectedness will imply receiver connectedness.
In the following, when we say that an IOC is receiver connected, we mean that it sat-
isfies, besides receiver connectedness for sequence, also the asynchronous receiver unique
points of choice property and the asynchronous causality safety property.
We show now that projections of well-annotated, receiver connected IOCs are asyn-
chronous well-annotated POCs.
Lemma 5.9. Let $I$ be a well-annotated, receiver connected IOC. Then $\mathrm{proj}(I)$ is an asynchronous well-annotated POC w.r.t. $\le^a_I$, $\#^a_I$ and $\widetilde{\#}^a_I$.
Proof. Similar to the proof of Lemma 5.4. Just note that the fact that for each output
event e inside a choice, either e is in the role that makes the choice, or e is not minimal in
the choice term follows from the additional condition required for asynchronous receiver
unique points of choice.
As auxiliary notation we write $\Rightarrow_o$ for a sequence of zero or more output transitions $\xrightarrow{o^?_1:a_1} \cdots \xrightarrow{o^?_n:a_n}$.
The next lemma shows that if in the projection of an IOC, after a sequence of out-
put events, an input and a message on the same operation are both enabled, then the
corresponding interaction is initial.
Lemma 5.10. Let $I$ be a receiver connected IOC and $i : o^?a\to b$ be an interaction in $I$. If there exists $S$ such that $\mathrm{proj}(I) \Rightarrow_o S$ and $i : o^?$ and $i : \langle o^? \rangle$ are both enabled in $S$ then $i : o^?a\to b \in \mathit{trans}_I(I)$.
Proof. By structural induction on $I$. The cases for $0$, $1$, interactions, parallel composition and choice are trivial. Let us consider sequential composition. Suppose $I = I'; I''$. If $i : o^?a\to b$ is in $I'$ the thesis follows by inductive hypothesis. Otherwise by inductive hypothesis the interaction is in $\mathit{trans}_I(I'')$. Thus from receiver connectedness for sequence for each $o'^?c\to d \in \mathit{trans}_F(I')$ we have $d = a$ or $d = b$. If $d = b$ then $i : o^?$ could never become enabled. Also, no $j : o^?$ with $j \neq i$ can be enabled if $i : \langle o^? \rangle$ is enabled because of asynchronous causality safety and Lemma 5.9. If $d = a$ then $i : \langle o^? \rangle$ could never be created. No $j : \langle o^? \rangle$ with $j \neq i$ could be enabled if $i : o^?$ is enabled because of asynchronous causality safety and Lemma 5.9. Thus we have a contradiction and this case can never happen.
The next lemma shows that output events which are not part of a given interaction
can always be postponed after the interaction.
Lemma 5.11. Let $I$ be a receiver connected IOC. If we have $\mathrm{proj}(I) \Rightarrow_o S' \xrightarrow{o^?a\to b} S''$ and $I \xrightarrow{o^?a\to b} I'$ then $\mathrm{proj}(I') \Rightarrow_o \mathrm{rem}(S'')$.
Proof. The proof is by structural induction on I. The cases for 0, 1 and interactions
are trivial.
Let us consider $I = I'' \| I'''$. Suppose the interaction comes from $I''$, i.e. $I'' \xrightarrow{o^?a\to b} I''''$. Because of asynchronous causality safety and Lemma 5.9 in the projection just one input for $o^?$ can be enabled if an output is. Thus $\|_r (\mathrm{proj}(I'', r) \mid \mathrm{proj}(I''', r))_r \Rightarrow_o \xrightarrow{o^?a\to b} \|_r (P''_r \mid P'''_r)_r$ with $\|_r (\mathrm{proj}(I'', r))_r \Rightarrow_o \xrightarrow{o^?a\to b} \|_r (P''_r)_r$ and $\|_r (\mathrm{proj}(I''', r))_r \Rightarrow_o \|_r (P'''_r)_r$. By inductive hypothesis $\mathrm{proj}(I'''') \Rightarrow_o \|_r (P''_r)_r$. Thus $\mathrm{proj}(I'''' \| I''') \Rightarrow_o \|_r (P''_r \mid P'''_r)_r$ as desired.
Let us consider $I = I''; I'''$. Suppose the interaction comes from $I''$, i.e. $I'' \xrightarrow{o^?a\to b} I''''$. Because of asynchronous causality safety and Lemma 5.9 in the projection just one input for $o^?$ can be enabled if an output is. Thus we have:
$$\|_r (\mathrm{proj}(I'', r); \mathrm{proj}(I''', r))_r \Rightarrow_o \xrightarrow{o^?a\to b} \|_r (P''_r; P'''_r)_r$$
with $\|_r (\mathrm{proj}(I'', r))_r \Rightarrow_o \xrightarrow{o^?a\to b} \|_r (P''_r)_r$ and also $\|_r (\mathrm{proj}(I''', r))_r \Rightarrow_o \|_r (P'''_r)_r$. By inductive hypothesis we have $\mathrm{proj}(I'''') \Rightarrow_o \|_r (P''_r)_r$. Thus $\mathrm{proj}(I''''; I''') \Rightarrow_o \|_r (P''_r; P'''_r)_r$ as desired. The other case is analogous.
Let us consider $I = I'' + I'''$. Suppose the interaction comes from $I''$, i.e. $I'' \xrightarrow{o^?a\to b} I''''$. Because of asynchronous causality safety and Lemma 5.9 in the projection just one input for $o^?$ can be enabled if an output is. Thus $\|_r (\mathrm{proj}(I'', r) + \mathrm{proj}(I''', r))_r \Rightarrow_o \xrightarrow{o^?a\to b} \|_r (P''_r + P'''_r)_r$ with $\|_r (\mathrm{proj}(I'', r))_r \Rightarrow_o \xrightarrow{o^?a\to b} \|_r (P''_r)_r$ and $\|_r (\mathrm{proj}(I''', r))_r \Rightarrow_o \|_r (P'''_r)_r$. By inductive hypothesis $\mathrm{proj}(I'''') \Rightarrow_o \|_r (P''_r)_r$. Thus $\mathrm{proj}(I'''' + I''') \Rightarrow_o \|_r (P''_r + P'''_r)_r$. To prove the thesis we have to show that $\mathrm{rem}(P'''_r) = 0$ for each $r$. This follows from the definition of asynchronous well-annotated POC and of conflict relation.
As a technical tool for proving our conformance result, we use a characterization of conformance based on bisimilarity, so that coinductive techniques can be exploited in the proof.
Definition 5.10 (Receiver bisimilarity). A receiver bisimulation is a relation $R$ between IOCs and POCs such that if $(I, S) \in R$ then:
— if $I \xrightarrow{o^?a\to b} I'$ then $S \Rightarrow_o \xrightarrow{o^?a\to b} S'$ and $(I', S') \in R$;
— if $I \xrightarrow{\surd} I'$ then $S \Rightarrow_o \xrightarrow{\surd} S'$ and $(I', S') \in R$;
— if $S \xrightarrow{o^?a\to b} S'$ then $I \xrightarrow{o^?a\to b} I'$ and $(I', S') \in R$;
— if $S \xrightarrow{\surd} S'$ then $I \xrightarrow{\surd} I'$ and $(I', S') \in R$;
— if $S \xrightarrow{o^?:a} S'$ then $(I, S') \in R$.
Receiver bisimilarity $\sim_r$ is the largest receiver bisimulation.
Receiver bisimilarity implies receiver trace equivalence.
Lemma 5.12. Let $I$ be an IOC and $S$ be a POC. If $I \sim_r S$ then $I$ and $S$ are receiver trace equivalent.
Proof. Easy, by coinduction.
We can now prove Theorem 5.2.
Proof of Theorem 5.2. The proof shows that the relation
$$R = \{(I, S') \mid \mathrm{proj}(I) \Rightarrow_o S \wedge \mathrm{rem}(S) = S'\}$$
where $I$ is a well-annotated, receiver connected IOC and $S'$ is an asynchronous well-annotated POC is a receiver bisimulation. Thanks to Lemma 5.1, Lemma 5.9 and Lemma 5.2 it is enough to consider the case $S' = S$. The proof is by structural induction on $I$.
Case $0$, $1$: trivial;
Case $o^?a\to b$: the associated POC is $(o^?)_a \| (o^?)_b$, which has as only computation $(o^?)_a \| (o^?)_b \xrightarrow{o^?:a} (\langle o^? \rangle)_a \| (o^?)_b \xrightarrow{o^?a\to b} 1$. This satisfies the bisimulation condition. Also, the only process obtainable via $\Rightarrow_o$ is $(\langle o^? \rangle)_a \| (o^?)_b$, which satisfies the condition.
Case $I; I'$: from the definition of the projection function $S = \|_r (\mathrm{proj}(I, r); \mathrm{proj}(I', r))_r$. Suppose that $I; I' \xrightarrow{o^?a\to b} I''$. There are two possibilities: either $I \xrightarrow{o^?a\to b} I'''$ and $I'' = I'''; I'$, or $I \xrightarrow{\surd}$ and $I' \xrightarrow{o^?a\to b} I''$. In the first case by inductive hypothesis $\|_r (\mathrm{proj}(I, r))_r \Rightarrow_o \xrightarrow{o^?a\to b} \|_r (\mathrm{proj}(I''', r))_r$, thus $\|_r (\mathrm{proj}(I, r); \mathrm{proj}(I', r))_r \Rightarrow_o \xrightarrow{o^?a\to b} \|_r (\mathrm{proj}(I''', r); \mathrm{proj}(I', r))_r$ and the thesis follows. The second case is similar. The case for $\surd$ is similar too.
Let us consider the case $\|_r (\mathrm{proj}(I, r); \mathrm{proj}(I', r))_r \Rightarrow_o S$ and $S \xrightarrow{o^?a\to b} S'$. In $S$ both $o^?$ and $\langle o^? \rangle$ are enabled. Thus thanks to Lemma 5.10 we have $o^?a\to b \in \mathit{trans}_I(I; I')$. If $I \xrightarrow{\surd}$ then $o^?a\to b \in \mathit{trans}_I(I')$ and the thesis follows trivially by induction. Otherwise the thesis follows from Lemma 5.11. The case for $\surd$ is similar.
The last condition is trivially satisfied.
Case $I \| I'$: from the definition of the projection $S = \|_r (\mathrm{proj}(I, r) \mid \mathrm{proj}(I', r))_r$. If $I \| I'$ has a transition then one of its two components has the same transition and the thesis follows from inductive hypothesis. The case for $\surd$ is similar.
Suppose $S \xrightarrow{o^?a\to b} S'$. We have that $\mathrm{proj}(I \| I') \Rightarrow_o S$. In $S$ both $o^?$ and $\langle o^? \rangle$ are enabled. From Lemma 5.10 $o^?a\to b \in \mathit{trans}_I(I \| I')$. Suppose $o^?a\to b$ is from $I$, i.e. $I \xrightarrow{o^?a\to b} I'''$. Thanks to asynchronous causality safety there is only one $o^?$ that can do the receive. Thus by inductive hypothesis $\mathrm{proj}(I) \Rightarrow_o S'' \xrightarrow{o^?a\to b} S'''$ and $(I''', S''') \in R$. Also, $\mathrm{proj}(I') \Rightarrow_o S''''$. We have $P'_r = P'''_r \mid P''''_r$ with $S' = \|_r (P'_r)_r$, $S''' = \|_r (P'''_r)_r$ and $S'''' = \|_r (P''''_r)_r$. Thus $(I' \| I''', S') \in R$ as desired. The case for $\surd$ is similar.
The last condition is trivially satisfied.
Case $I + I'$: from the definition of the projection $S = \|_r (\mathrm{proj}(I, r) + \mathrm{proj}(I', r))_r$. If $I + I'$ has a transition then one of its two components has the same transition. Suppose that $I$ is such a component. In order to prove the thesis we have to show that $\mathrm{proj}(I')$ is discarded. This follows from the definition of asynchronous well-annotated POC and conflict relation.
The case for $\surd$ is similar.
Suppose $S \xrightarrow{o^?a\to b} S'$. We have that $\mathrm{proj}(I + I') \Rightarrow_o S$. In $S$ both $o^?$ and $\langle o^? \rangle$ are enabled. From Lemma 5.10 $o^?a\to b \in \mathit{trans}_I(I + I')$. Suppose $o^?a\to b$ is from $I$, i.e. $I \xrightarrow{o^?a\to b} I'''$. Thanks to asynchronous causality safety there is only one $o^?$ that can do the receive. Thus by inductive hypothesis $\mathrm{proj}(I) \Rightarrow_o S'' \xrightarrow{o^?a\to b} S'''$ and $(I''', S''') \in R$. We have $P'_r = P'''_r + P''''_r$ with $S' = \|_r (P'_r)_r$, $S''' = \|_r (P'''_r)_r$ and $S'''' = \|_r (P''''_r)_r$. We have to show that $\mathrm{rem}(P''''_r) = 0$ for each $r$. The technique is the same as for the other direction. Thus $(I', S') \in R$ as desired. The case for $\surd$ is similar.
The last condition is trivially satisfied.
Since receiver bisimilarity implies receiver trace equivalence (Lemma 5.12) the thesis follows.
As a consequence, each POC obtained by projecting an initial receiver connected IOC
is deadlock free.
Proposition 5.2. Let $I$ be an initial receiver connected IOC and $\mathrm{proj}(I)$ its projection. All maximal asynchronous traces of $\mathrm{proj}(I)$ are complete.
Proof. This follows from the conformance between IOC and POC (Theorem 5.2) and
from Proposition 2.1, guaranteeing that the same property holds for the IOC.
5.3. Sender-receiver conformance
According to the sender-receiver conformance, the IOC determines the order in which
messages are sent and the order in which messages are received. However, there is no
constraint relating sending events to receiving events.
We will not describe the sender-receiver connectedness conditions in detail: simply, an IOC is connected according to the sender-receiver conformance iff it is connected according to both the sender conformance and the receiver conformance. In particular, thanks to Remark 5.1 it is enough to require asynchronous unique points of choice instead of asynchronous receiver unique points of choice. Similarly, the sender-receiver conformance ensures that both the results for the sender conformance and the receiver conformance hold.
We can thus state the conformance theorem for the sender-receiver semantics:
Theorem 5.3 (Sender-receiver conformance). Let $I$ be an IOC and $S = \mathrm{proj}(I)$ be its projection. If $I$ satisfies the connectedness conditions for the sender-receiver conformance, then $I$ and $S$ are sender-receiver trace equivalent.
Proof. It follows from Theorem 5.1 and Theorem 5.2.
5.4. Disjoint conformance
According to the disjoint conformance, the IOC determines both when messages are
sent and when they are received. Differently from the sender-receiver conformance which
considers sending and receiving events separately, the disjoint conformance considers also
their interplay.
In order to formalize the disjoint trace equivalence we need to add some more infor-
mation to POC traces.
Definition 5.11 (Indexed POC trace). An indexed POC trace is a POC trace where
a label index is associated to each label different from $\surd$, as described below. Output
labels have increasing label indexes: the first output label has index 1, the second one
index 2, and so on. Indexes are given to input labels considering for each operation o?
their position in the subsequence containing the inputs on operation o?. The index given
to the input label on operation o? in position i is the same index of the i-th output on
operation o?.
Indexes of labels are not to be confused with indexes of interactions and of events. The
next lemma shows that a POC trace can always be indexed.
Lemma 5.13. Let $S$ be a POC without messages, and $t$ a trace of $S$. Then it is possible to give label indexes to all the labels in $t$ different from $\surd$, transforming it into an indexed trace.
Proof. One only has to check that for each operation o? there are at least as many
output labels on o? as input labels on o?. Since each input on operation o? consumes a
message on operation o?, and only outputs on operation o? can create such messages the
thesis follows.
We can now define disjoint trace equivalence.
Definition 5.12 (Disjoint trace equivalence). An IOC $I$ and a POC $S$ are disjoint trace equivalent iff:
1 for each strong maximal trace $t$ of $I$ there is an asynchronous strong maximal trace of $S$ obtained from $t$ by replacing each label $o^?a\to b$ with a sequence of two labels, $o^?:a$ and $o^?a\to b$;
2 for each indexed asynchronous strong maximal trace of $S$, each trace obtained by leaving only one label for each label index can be obtained from a strong maximal trace of $I$ by replacing some labels $o^?a\to b$ with $o^?:a$.
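The label indexing of Definition 5.11, the counting argument behind Lemma 5.13 and the two trace transformations of Definition 5.12, as an added worked example in Python; this is not code from the paper. The tuple encoding of labels is my own. The sample traces are constructed: one is the only trace of the projection of the IOC $o\,a\to b; o_2\,b\to c$ (whose receiver of $o$ is the sender of $o_2$), the other is a trace in which both outputs precede both inputs, of the kind that the projection of an IOC that is not disjoint connected can produce; collapsing the latter with one choice of kept labels yields a label sequence that is not a trace of the IOC, which is exactly what item 2 of Definition 5.12 rejects.

```python
from collections import defaultdict

# Label encoding used in this example (my own, not the paper's notation):
#   ("out", op, role)              output label  o:a
#   ("in", op, sender, receiver)   input label   o a->b
#   TICK                           the termination label
TICK = ("tick",)


def index_trace(trace):
    """Definition 5.11: attach a label index to every label except TICK.

    Outputs are numbered 1, 2, ... in trace order; the k-th input on an
    operation gets the index of the k-th output on that operation.
    Returns a list of (index, label) pairs (index None for TICK).
    Raises ValueError when some operation has more inputs than outputs,
    the situation Lemma 5.13 rules out for traces of a message-free POC.
    """
    outputs_on = defaultdict(list)   # op -> label indexes of outputs on op
    out_index = {}                   # trace position -> label index
    for pos, lab in enumerate(trace):
        if lab[0] == "out":
            out_index[pos] = len(out_index) + 1
            outputs_on[lab[1]].append(out_index[pos])
    inputs_seen = defaultdict(int)
    indexed = []
    for pos, lab in enumerate(trace):
        if lab[0] == "out":
            indexed.append((out_index[pos], lab))
        elif lab[0] == "in":
            op, k = lab[1], inputs_seen[lab[1]]
            if k >= len(outputs_on[op]):
                raise ValueError(f"more inputs than outputs on {op}")
            inputs_seen[op] = k + 1
            indexed.append((outputs_on[op][k], lab))
        else:
            indexed.append((None, lab))
    return indexed


def can_be_indexed(trace):
    """Lemma 5.13 as a predicate: True iff index_trace succeeds."""
    try:
        index_trace(trace)
        return True
    except ValueError:
        return False


def split_ioc_trace(ioc_trace):
    """Definition 5.12, item 1: each interaction o a->b becomes o:a, o a->b."""
    poc_trace = []
    for lab in ioc_trace:
        if lab[0] == "in":
            poc_trace.append(("out", lab[1], lab[2]))
        poc_trace.append(lab)
    return poc_trace


def collapse(indexed, keep_output):
    """Definition 5.12, item 2: keep one label per label index, the output
    for indexes in keep_output and the input otherwise.  A kept output o:a
    is written as the interaction o a->b it belongs to (reading "replacing
    some labels o a->b with o:a" backwards), so the result is the label
    sequence that item 2 requires to be a trace of the IOC."""
    interaction_of = {idx: lab for idx, lab in indexed if lab[0] == "in"}
    result = []
    for idx, lab in indexed:
        if lab[0] == "tick":
            result.append(lab)
        elif lab[0] == "out" and idx in keep_output:
            result.append(interaction_of.get(idx, lab))
        elif lab[0] == "in" and idx not in keep_output:
            result.append(lab)
    return result


# Constructed sample data.  IOC_TRACE is the only strong maximal trace of the
# IOC  o a->b ; o2 b->c  (disjoint connected: the receiver of o sends o2).
IOC_TRACE = [("in", "o", "a", "b"), ("in", "o2", "b", "c"), TICK]
PROJ_TRACE = split_ioc_trace(IOC_TRACE)
# A constructed trace in which both outputs precede both inputs, as the
# projection of  o a->b ; o2 a->c  (not disjoint connected) could produce.
BAD_TRACE = [("out", "o", "a"), ("out", "o2", "a"),
             ("in", "o", "a", "b"), ("in", "o2", "a", "c"), TICK]

if __name__ == "__main__":
    print(index_trace(PROJ_TRACE))
    print(collapse(index_trace(PROJ_TRACE), {1}))
    # keeping the input of index 1 and the output of index 2 swaps the
    # interactions, so this is not a trace of  o a->b ; o2 a->c
    print(collapse(index_trace(BAD_TRACE), {2}))
```

Whatever subset of label indexes is kept as outputs, collapsing `PROJ_TRACE` always gives back `IOC_TRACE`, because every output is immediately followed by its matching input; for `BAD_TRACE` the choice of kept labels changes the order of the interactions, which is why the disjoint conformance needs the diamond-style condition discussed in Section 5.4.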
We will develop the tools to prove:
Theorem 5.4 (Disjoint conformance). Let I be an IOC and S = proj(I) be its
projection. If I satisfies the connectedness conditions for the disjoint conformance, then
I and S are disjoint trace equivalent.
We start by formalizing the connectedness for sequence for the disjoint conformance.
Definition 5.13 (Disjoint connectedness for sequence). An IOC $I$ is disjoint connected for sequence if for each subterm of the form $J; J'$ we have $\forall o^?a\to b \in \mathit{trans}_F(J),\ \forall o'^?c\to d \in \mathit{trans}_I(J').\ b = c$.
In the following, when we say that an IOC is disjoint connected, we mean that it
satisfies, besides disjoint connectedness for sequence, also the asynchronous unique points
of choice property and the asynchronous causality safety property.
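The connectedness-for-sequence checks of Definition 5.8 (receiver) and Definition 5.13 (disjoint), together with the first two conditions of Definition 5.9, as an added Python example that is not the paper's code. The IOC syntax ($0$, $1$, interactions, $;$, $\|$, $+$) and the recursive computation of $\mathit{trans}_I$, $\mathit{trans}_F$ and $\mathrm{roles}$ are my own reconstruction, since the paper's definitions of those functions are not reproduced on this page (initial interactions of $J; J'$ include those of $J'$ only when $J$ can terminate without interacting, and symmetrically for final ones). The third condition of Definition 5.9 depends on the causality relation and is not modelled. The sample IOCs are constructed.

```python
from dataclasses import dataclass
from typing import Union

# Hypothetical IOC syntax for this example (reconstructed, not the paper's):
# Nil = 0, Skip = 1, Act = interaction op: snd -> rcv, Seq = ';', Par = '||',
# Choice = '+'.


@dataclass(frozen=True)
class Nil:
    pass


@dataclass(frozen=True)
class Skip:
    pass


@dataclass(frozen=True)
class Act:
    op: str
    snd: str
    rcv: str


@dataclass(frozen=True)
class Seq:
    left: "IOC"
    right: "IOC"


@dataclass(frozen=True)
class Par:
    left: "IOC"
    right: "IOC"


@dataclass(frozen=True)
class Choice:
    left: "IOC"
    right: "IOC"


IOC = Union[Nil, Skip, Act, Seq, Par, Choice]


def can_terminate(I):
    """Assumption: I can terminate without performing any interaction."""
    if isinstance(I, Skip):
        return True
    if isinstance(I, (Nil, Act)):
        return False
    if isinstance(I, Choice):
        return can_terminate(I.left) or can_terminate(I.right)
    return can_terminate(I.left) and can_terminate(I.right)   # Seq, Par


def trans_i(I):
    """Initial interactions (my reconstruction of trans_I)."""
    if isinstance(I, Act):
        return {I}
    if isinstance(I, (Nil, Skip)):
        return set()
    if isinstance(I, Seq):
        extra = trans_i(I.right) if can_terminate(I.left) else set()
        return trans_i(I.left) | extra
    return trans_i(I.left) | trans_i(I.right)


def trans_f(I):
    """Final interactions (my reconstruction of trans_F)."""
    if isinstance(I, Act):
        return {I}
    if isinstance(I, (Nil, Skip)):
        return set()
    if isinstance(I, Seq):
        extra = trans_f(I.left) if can_terminate(I.right) else set()
        return trans_f(I.right) | extra
    return trans_f(I.left) | trans_f(I.right)


def roles(I):
    if isinstance(I, Act):
        return {I.snd, I.rcv}
    if isinstance(I, (Nil, Skip)):
        return set()
    return roles(I.left) | roles(I.right)


def subterms(I):
    yield I
    if isinstance(I, (Seq, Par, Choice)):
        yield from subterms(I.left)
        yield from subterms(I.right)


def receiver_connected_for_sequence(I):
    """Definition 5.8: for every J;J', every final o:a->b of J and every
    initial o':c->d of J' satisfy b == c or b == d."""
    return all(f.rcv in (i.snd, i.rcv)
               for J in subterms(I) if isinstance(J, Seq)
               for f in trans_f(J.left) for i in trans_i(J.right))


def disjoint_connected_for_sequence(I):
    """Definition 5.13: same quantification, but b == c is required."""
    return all(f.rcv == i.snd
               for J in subterms(I) if isinstance(J, Seq)
               for f in trans_f(J.left) for i in trans_i(J.right))


def receiver_choice_conditions(I):
    """First two conditions of Definition 5.9: for every J+J' the initial
    interactions of both branches have the same sender, and both branches
    involve the same roles (the causality condition is not modelled)."""
    for J in subterms(I):
        if isinstance(J, Choice):
            if any(x.snd != y.snd
                   for x in trans_i(J.left) for y in trans_i(J.right)):
                return False
            if roles(J.left) != roles(J.right):
                return False
    return True


# Constructed sample IOCs.
RECV_SENDS = Seq(Act("o", "a", "b"), Act("o2", "b", "c"))    # b receives, then sends
RECV_RECEIVES = Seq(Act("o", "a", "b"), Act("o2", "c", "b"))  # b receives twice
SENDER_TWICE = Seq(Act("o", "a", "b"), Act("o2", "a", "c"))   # a sends twice

if __name__ == "__main__":
    for name, ioc in [("RECV_SENDS", RECV_SENDS), ("RECV_RECEIVES", RECV_RECEIVES),
                      ("SENDER_TWICE", SENDER_TWICE)]:
        print(name, receiver_connected_for_sequence(ioc),
              disjoint_connected_for_sequence(ioc))
```

The three sample IOCs separate the two definitions: a sequence where the receiver of the first interaction then sends satisfies both; one where the same role receives twice is receiver connected but not disjoint connected; one where the same role sends twice is neither, matching the paper's later remark that the projection of $o\,a\to b; o'\,a\to c$ can emit the second output before the first input is consumed.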
We show now that projections of well-annotated, disjoint connected IOCs are asyn-
chronous well-annotated POCs.
Lemma 5.14. Let $I$ be a well-annotated, disjoint connected IOC. Then $\mathrm{proj}(I)$ is an asynchronous well-annotated POC w.r.t. $\le^a_I$, $\#^a_I$ and $\widetilde{\#}^a_I$.
Proof. Similar to the proof of Lemma 5.4.
The next lemma shows that if an output event is enabled in the projection of an IOC,
then the corresponding input is enabled too and the corresponding interaction is initial.
Lemma 5.15. Let $I$ be a disjoint connected IOC and $i : o^?a\to b$ be an interaction in $I$. If the output $i : o^?$ is enabled in $\mathrm{proj}(I)$ then the input action $i : o^?$ is enabled in $\mathrm{proj}(I)$ too. Furthermore $o^?a\to b \in \mathit{trans}_I(I)$.
Proof. By structural induction on $I$. The cases for $0$, $1$ and interactions are trivial. For parallel composition and choice, asynchronous causality safety and Lemma 5.14 ensure that the input and the corresponding output are from the same component, thus the inductive hypothesis can be applied. Let us consider sequential composition. Suppose $I = I'; I''$. If $o^?a\to b$ is in $I'$ the thesis follows by inductive hypothesis. Otherwise by inductive hypothesis the interaction is in $\mathit{trans}_I(I'')$. Thus from disjoint connectedness for each $o'^?c\to d \in \mathit{trans}_F(I')$ we have $d = a$. If $\mathit{trans}_F(I')$ is not empty we have a contradiction, since $o^?$ cannot be enabled. If it is empty then from Lemma 4.7 $I' \xrightarrow{\surd}$ and the thesis follows.
As a technical tool for proving our conformance result, we use a characterization of conformance based on bisimilarity, so that coinductive techniques can be exploited in the proof.
Definition 5.14 (Disjoint bisimilarity). A disjoint bisimulation is a relation $R$ between IOCs and POCs such that if $(I, S) \in R$ then:
— if $I \xrightarrow{o^?a\to b} I'$ then $S \xrightarrow{o^?:a} S'' \xrightarrow{o^?a\to b} S'$ and $(I', S') \in R$; furthermore if $S'' \xrightarrow{\gamma} S'''$ then $S \xrightarrow{\gamma} \xrightarrow{o^?:a} S'''$;
— if $I \xrightarrow{\surd} I'$ then $S \xrightarrow{\surd} S'$ and $(I', S') \in R$;
— if $S \xrightarrow{o^?:a} S'$ then $S' \xrightarrow{o^?a\to b} S''$ and $I \xrightarrow{o^?a\to b} I'$ and $(I', S'') \in R$;
— if $S \xrightarrow{\surd} S'$ then $I \xrightarrow{\surd} I'$ and $(I', S') \in R$.
Disjoint bisimilarity $\sim_d$ is the largest disjoint bisimulation.
The diamond property condition in the first item is needed to ensure that the output does not make any new transition enabled, but for the corresponding input. Without this condition e.g. the IOC $o\,a\to b; o'\,a\to c$ would be bisimilar to its projection $(o; o')_a \| (o; 1)_b \| (1; o')_c$, but the projection can perform the output on $o'$ before the input of $o$, thus violating the disjointness property we want to guarantee.
The following lemma relates label indexes and indexes from interactions.
Lemma 5.16. Let I be a disjoint connected IOC and S be its projection. Let t be an
indexed asynchronous maximal trace of S. If two events in t have the same label index,
then they also have the same interaction index.
Proof. If two events have the same label index then they are on the same operation,
and they are one output and one input. Let us prove the thesis for all the events on some
operation o?, by induction on the number of such events. The base case of no outputs
is trivial. Let us consider the inductive case. Let us take the first output. We will show
that it has the same index i of the first input. Suppose by contradiction that this is not
the case, i.e. it has an index $j \neq i$. Then there should be another output with index $i$,
and this should be before the input with index i and after the first output. Also, there
should be an input with index j after the one with index i. This violates the causality
safety conditions, thus we have a contradiction. This ensures that the first input on o?
and the first output on o? are from the same interaction. The thesis follows by inductive
hypothesis, considering the trace without those two events (which can be obtained by
projecting the IOC where the corresponding interaction has been removed).
The following lemma shows that executions of components of a sequential composition are disjoint. Actually, this is the property that gives its name to the disjoint conformance. Note that to state this property one has to refer to the starting IOC.
Lemma 5.17. Let $I = I'; I''$ be an IOC connected according to the disjoint semantics. Then each asynchronous maximal trace of $\mathrm{proj}(I)$ is obtained by concatenating an asynchronous maximal trace of $\mathrm{proj}(I')$ (without the final $\surd$ action) and an asynchronous maximal trace of $\mathrm{proj}(I'')$.
Proof. Take a maximal trace t of proj(I). If the trace is obtained by executing only
events in proj(I ′) followed by only events in proj(I ′′) we are done. Assume towards a
contradiction that this is not the case. Take the first event in proj(I ′′) to be executed.
Let e be such an event, and let a be its role. If e is not minimal in I ′′ then it cannot be
enabled, since the event it depends on has not been executed yet. If it is minimal, then
the corresponding interaction is in $\mathit{trans}_I(I'')$. We have two cases: either $e$ is an output event, or it is an input event. Assume $e$ is an output event. Then the input of all transitions in $\mathit{trans}_F(I')$ should be in the same role because of disjoint connectedness for sequence. By hypothesis, at least one such event has not been executed yet. Also, if such an event is inside a choice then an event in the same
role occurs in each branch of the choice because of asynchronous unique points of choice,
thus the event e is not minimal in the term and cannot be enabled. We have the desired
contradiction. If the event is an input event then it cannot be executed since there is no
enabled message that can interact with it. Again, we have a contradiction.
The next lemma shows that output events can be postponed unless the generated
message is read by the next event.
Lemma 5.18. Let $I$ be a disjoint connected IOC and $S$ its projection. Let $t$ be one of its traces. If $t$ includes a subtrace $S' \xrightarrow{o^?:a} \xrightarrow{\gamma} S''$ where $\gamma$ and $o^?:a$ are not matching events then it also includes a subtrace $S' \xrightarrow{\gamma} \xrightarrow{o^?:a} S''$.
Proof. By structural induction on I. The cases of 0, 1 and interactions are trivial.
Let us consider parallel composition. If the two actions are from the same component
then the thesis follows by inductive hypothesis, otherwise it is trivial. For choice note
that the two actions should come from the same component, since after an action in a
component has been executed, the ones from the other component are not executable any
more. Thus inductive hypothesis can be applied. Let us consider sequential composition.
If the two actions are from the same component then the thesis follows from inductive
hypothesis. Assume that they are in different components. Thanks to Lemma 5.17 they
should be the last action of the first component and the first action of the second. One
can prove that the last action of the projection of an IOC (before the $\surd$) is always an
input (the proof is by structural induction on the IOC). Thus we have a contradiction
and this case can never happen.
Similarly, input events can be anticipated unless they read a newly generated message.
Lemma 5.19. Let $I$ be a disjoint connected IOC and $S$ its projection. Let $t$ be one of its traces. If $t$ includes a subtrace $S' \xrightarrow{\gamma} \xrightarrow{o^?a\to b} S''$ where $o^?a\to b$ and $\gamma$ are not matching events then it also includes a subtrace $S' \xrightarrow{o^?a\to b} \xrightarrow{\gamma} S''$.
Proof. By structural induction on I. The cases of 0, 1 and interactions are trivial. Let
us consider parallel composition. If the two actions are from the same component then
the thesis follows by inductive hypothesis, otherwise it is trivial. For choice note that the
two actions should come from the same component, since after an action in a component has been executed, those from the other component are not executable any more. Thus inductive hypothesis can be applied. Let us consider sequential composition.
If the two actions are from the same component then the thesis follows from inductive
hypothesis. Assume that they are in different components. Thanks to Lemma 5.17 they
should be the last action of the first component and the first action of the second. One
can prove that the first action of the projection of an IOC is always an output (the proof
is by structural induction on the IOC). Thus we have a contradiction and this case can
never happen.
Disjoint bisimilarity implies disjoint trace equivalence.
Lemma 5.20. Let $I$ be an IOC and $S$ be a POC. If $I \sim_d S$ then $I$ and $S$ are disjoint trace equivalent.
Proof. The first condition can be proved easily by coinduction.
For the second condition, take an indexed asynchronous strong maximal trace of $S$. Thanks to Lemma 5.16 actions with the same label index are from the same interaction. Consider the events to be discarded while creating the desired IOC trace. Using Lemma 5.18 and Lemma 5.19 these events can be moved next to their matching event. The trace obtained in this way corresponds to the same IOC trace as the previous one (by performing the same choice about which events to preserve), but it has all the outputs immediately followed by the corresponding input. One can easily prove by coinduction that a corresponding IOC trace exists.
We can now prove Theorem 5.4.
Proof of Theorem 5.4 The proof shows that the relation
R = {(I,S)| rem(S) = proj(I)}
where I is a well-annotated, disjoint connected IOC and S is an asynchronous well-
annotated POC is a disjoint bisimulation. Thanks to Lemma 5.1, Lemma 5.14 and
Lemma 5.2 one can just consider the case S = proj(I). The proof is by structural
induction on I.Case 0,1: trivial;
Case o?a→b: the associated POC is (o?)a ‖ (o?)b, which has as only computation (o?)a ‖(o?)b
o?:a−−→ (〈o?〉)a ‖ (o?)bo?a→b−−−→ 1. This satisfies the bisimulation conditions.
Case I; I ′: from the definition of the projection function S =‖r (proj(S, r); proj(S ′, r))r .
Suppose that I; I ′ o?a→b−−−→ I ′′. There are two possibilities: either I o?a→b−−−→ I ′′′ and
I ′′ = I ′′′; I ′ or I√−→ and I ′ o?a→b−−−→ I ′′. In the first case by inductive hypothesis:
‖r (proj(I, r))r o?:a−−→‖r (P ′′r )r
o?a→b−−−→‖r (proj(I ′′′, r))rthus:
‖r (proj(I, r); proj(I ′, r))ro?:a−−→‖r (P ′′
r ; proj(I ′, r))ro?a→b−−−→‖r (proj(I ′′′, r); proj(I ′′, r))r
as desired.
Assume ‖r (P ′′r ; proj(I ′, r))r
γ−→‖r (P ′′′r )r. If the event is from ‖r (P ′′
r )r then ‖r(P ′′
r )rγ−→‖r (P ′′′′
r )r with ‖r (P ′′′r )r =‖r (P ′′′′
r ; proj(I ′, r))r and the thesis follows by
inductive hypothesis. If this is not the case then we have a contradiction, since there
are still events in P ′′r for some r to be performed, thus no event in proj(I ′, r) can be
enabled thanks to Lemma 5.17. The second case is similar. The case of√
is similar
too.
Let us consider now the case $\|_r (proj(I, r); proj(I', r))_r \xrightarrow{o?:a} S$. We should have
$o?$ enabled in the starting process. Thus thanks to Lemma 5.15 we have that also
$o?$ is enabled and $o?_{a\to b} \in transI(I; I')$. If $I \xrightarrow{\surd}$ then the thesis follows trivially by
induction. Otherwise $S \xrightarrow{o?_{a\to b}} S'$, and the thesis follows by inductive hypothesis using
the definition of projection. Note that because of asynchronous causality-safety and
Lemma 5.4 we know that we have just one input on $o?$ enabled.
Case $I \parallel I'$: from the definition of the projection $S = \|_r (proj(I, r) \mid proj(I', r))_r$. If
$I \parallel I'$ has a transition then one of its two components has the same transition
and the thesis follows from inductive hypothesis. The other direction is similar, using
asynchronous causality-safety and Lemma 5.4 to ensure that the input and the output
come from the same parallel component.
Case $I + I'$: from the definition of the projection $S = \|_r (proj(I, r) + proj(I', r))_r$. If
$I + I'$ has a transition then one of its two components has the same transition. Suppose
that $I$ is such a component. In order to prove the thesis we have to show that $proj(I')$
is discarded. This follows from the definition of asynchronous well-annotated POC
and conflict relation. The case for $\surd$ is similar.
The other direction is similar, using asynchronous causality safety and Lemma 5.14
to ensure that the input and the output come from the same component.
Since disjoint bisimilarity implies disjoint trace equivalence (Lemma 5.20) then the thesis
follows.
As a consequence, each POC obtained by projecting an initial disjoint connected IOC
is deadlock free.
Proposition 5.3. Let $I$ be an initial disjoint connected IOC and $proj(I)$ its projection.
All maximal asynchronous traces of $proj(I)$ are complete.
Proof. This follows from the conformance between IOC and POC (Theorem 5.4) and
from Proposition 2.1, guaranteeing that the same property holds for the IOC.
6. Connecting IOCs
Until now, we have seen how to derive POCs from IOCs that satisfy the connectedness
conditions. In this section we discuss how to deal with IOCs that are not connected
(or not connected w.r.t. the desired notion of conformance). Let I be such an IOC.
We want to derive an IOC I ′ which is equivalent to I but which is connected, so that
the theory developed so far can be applied. However to this end we have to relax our
observational semantics. In particular, we will move from strong to weak traces, so that
we can add private interactions to synchronize the different roles. We also define weak
trace equivalence among IOCs, instead of between IOCs and POCs as done till now.
Definition 6.1 (Weak IOC trace equivalence).
An IOC I and an IOC I ′ are weak IOC trace equivalent iff the set of weak maximal
traces of I coincides with the set of weak maximal traces of I ′.
Let us consider our example from the Introduction: $I = o_{a\to b}; o'_{c\to d}$. $I$ is not connected
since it does not satisfy connectedness for sequence (in this case, this does not depend
on the chosen notion of connectedness). A possible solution is to introduce a private
operation $o^*$ and transform $I$ into $o_{a\to b}; o^*_{b\to c}; o'_{c\to d}$, which is instead connected w.r.t. all
the notions of conformance, and which is weak IOC trace equivalent to $I$. To obtain a pattern
that is easier to generalize, however, we consider a slightly more complex approach,
transforming $I$ into $o_{a\to b}; o^*_{b\to e}; o^{*\prime}_{e\to c}; o'_{c\to d}$. The transformation introduces an auxiliary
role e acting as a coordinator. We introduce similar patterns to ensure existence of asyn-
chronous unique points of choice. Concerning causality safety, we distinguish parallel
causality safety, sequential causality safety and choice causality safety according to the
relation between the interfering interactions. For parallel causality safety, we use a form
of expansion law removing the undesired parallel composition. For sequential causality
safety we show that this never occurs for IOCs which are disjoint connected for sequence
and have asynchronous unique points of choice. For choice causality safety we show that
this never occurs for IOCs which are disjoint connected for sequence, have asynchronous
unique points of choice and where for each nondeterministic choice all the initial interac-
tions are on distinct operations not used elsewhere. If an IOC enjoys this last property
we say that it has distinct choice operations. One can ensure that an IOC has distinct
choice operations using the same pattern used for ensuring asynchronous unique points
of choice. For each pattern we present a correctness result ensuring that the transformed
IOC and the starting one are weak IOC trace equivalent. We consider the disjoint con-
nectedness, since it is the most demanding: if we can make our IOC disjoint connected,
then it will also comply with all the other notions of connectedness.
Since the transformations we present below preserve weak traces, the following results
combined allow to transform any IOC into an equivalent IOC which is disjoint connected.
The basic idea is to apply first the pattern for parallel causality safety, then, by proceeding
from the smallest subterms to the largest, the two other patterns. One of them will ensure
asynchronous unique points of choice and distinct choice operations, the other one disjoint
connectedness for sequence. In this way, while reasoning on parallel causality safety (the
most complex), we do not have to bother about the other connectedness conditions, which
will be satisfied by the following steps. Since disjoint connected IOCs can be projected
by preserving traces, we can conclude that our procedure transforms a given IOC into
another one that can be projected obtaining a POC which is weak trace equivalent to
the starting IOC.
The patterns are presented in reverse order, from the simplest one to the most complex,
to help the understanding.
6.1. Disjoint connectedness for sequence
Let I be an IOC that is not disjoint connected for sequence but has asynchronous unique
points of choice, has distinct choice operations, and is parallel causality safe. We will
transform I into an IOC which is disjoint connected for sequence, and which still enjoys
all the other properties.
Since $I$ is not disjoint connected for sequence, there are subterms of the form $I'; I''$
that do not satisfy $\forall o'?_{a\to b} \in transF(I'), \forall o''?_{c\to d} \in transI(I'').\ b = c$. The reconfiguration
pattern will be applied to those subterms, in any order that respects the subterm relation.
This ensures that we always deal with terms whose subterms are disjoint connected for
sequence.
Take one such term $I'; I''$. Choose a fresh role $e$. Consider all the interactions $o?_{a\to b}$
contributing to $transF(I')$ in the term. For each of them choose a fresh operation $o^*$
and replace $o?_{a\to b}$ with $o?_{a\to b}; o^*_{b\to e}$. Similarly, for each interaction $o?_{c\to d}$ contributing to
$transI(I'')$ choose a fresh operation $o^*$ and replace $o?_{c\to d}$ with $o^*_{e\to c}; o?_{c\to d}$.
Proposition 6.1. Let I = I ′; I ′′ be an IOC which has asynchronous unique points of
choice and distinct choice operations, and is parallel causality safe. Assume that $I'$ and
$I''$ are disjoint connected for sequence, have asynchronous unique points of choice and
distinct choice operations, and are parallel causality safe. Let $J = J'; J''$ be the IOC
obtained by applying the pattern above to I ′; I ′′. Then:
— J is disjoint connected for sequence, has asynchronous unique points of choice and
distinct choice operations, and is parallel causality safe;
— J and I are weak IOC trace equivalent.
Proof. Let us start by proving parallel causality safety. For interactions introduced by
the transformation, they are all performed on operations with different fresh names, thus
the condition is trivially satisfied. For existing interactions, relations of causality and
conflict are preserved by the transformation, thus the conditions hold by hypothesis.
Let us consider asynchronous unique points of choice. We consider the condition on
roles first. Take a subterm K′ + K′′ of J . It is the transformed version of a subterm
H′ +H′′ of I. By hypothesis H′ +H′′ has asynchronous unique points of choice. There
are two cases: the interactions inside H′ and H′′ have been modified or not. In the second
case the thesis follows by hypothesis. The first case may happen only if the interaction
is a final interaction in I ′ or an initial interaction in I ′′. In both the cases also the
interactions in the other subterm have been modified by adding the same role, thus the
condition still holds.
Let us consider the condition on the sender of the interactions. As before, either the
interactions have not been modified, and the thesis follows by hypothesis, or all of them
have been modified. If they were in transF(I ′) then the sender is unchanged and the thesis
follows by hypothesis. If they were in transI(I ′′) then the new sender of all the initial
interactions in the term K′ + K′′ is the role e freshly introduced by the transformation,
thus the thesis holds.
Let us consider distinctness of choice operations. This holds by inductive hypothesis
for old interactions, and new ones do not interfere since they use fresh distinct operations.
Let us consider disjoint connectedness for sequence. We have to show that each subterm
satisfies the condition. The new subterms introduced by the transformation have the
form $o?_{a\to b}; o^*_{b\to e}$ and $o^*_{e\to c}; o?_{c\to d}$, thus they satisfy the condition. Let us take a subterm
K′;K′′ obtained by transforming a subterm H′;H′′ of I of the same shape. By hypothesis
the condition was satisfied by H′;H′′. It is easy to check however that transF(K′) =
transF(H′) and transI(K′′) = transI(H′′), thus the term is still disjoint connected for
sequence. Finally, for term J ′;J ′′ the thesis holds by construction.
The second point is easily proved since the transformation does not change the weak
traces of the IOC.
6.2. Asynchronous unique points of choice
Let $I$ be an IOC that does not have asynchronous unique points of choice and/or does
not have distinct choice operations, but is parallel causality safe. This means that there
is a subterm of the form $J + J'$ that either does not satisfy
$\forall o?_{a\to b} \in transI(J), \forall o'?_{c\to d} \in transI(J').\ a = c$, or that does not satisfy $roles(J) = roles(J')$, or with two initial
interactions on the same operation. The reconfiguration pattern will be applied to those
subterms, in any order that respects the subterm relation. This ensures that we always
deal with terms whose subterms have asynchronous unique points of choice and distinct
choice operations.
Take one such term J + J ′. If the first condition and/or the third condition are not
satisfied then choose a fresh role e. Consider all the interactions o?a→b contributing to
transI(J ) or to transI(J ′) in the term. For each of them choose a fresh operation o∗ and
replace o?a→b with o∗e→a; o?a→b.
Suppose now that the first and third conditions are satisfied, while the second one is
not. Then we can assume a role e which is the sender of all the interactions in transI(J +
J ′). Consider each role a that occurs in J but not in J ′ (the other case is symmetric).
For each of them add in parallel to J ′ the interaction o∗e→a where o∗ is a fresh operation.
Proposition 6.2. Let I = I ′ + I ′′ be an IOC which is parallel causality safe. Assume
that I ′ and I ′′ are disjoint connected for sequence, have asynchronous unique points of
choice and distinct choice operations, and are parallel causality safe. Let J = J ′ + J ′′
be the IOC obtained by applying the pattern above to I ′ + I ′′. Then:
— J is disjoint connected for sequence, has asynchronous unique points of choice and
distinct choice operations, and is parallel causality safe;
— J and I are weak IOC trace equivalent.
Proof. Let us start by proving parallel causality safety. For interactions introduced by
the transformation, they are all performed on operations with different fresh names, thus
the condition is trivially satisfied. For existing interactions, relations of causality and
conflict are preserved by the transformation, thus the conditions hold by hypothesis.
Let us consider asynchronous unique points of choice. We consider the two transfor-
mations separately. Let us start with the transformation ensuring that the roles in the
two branches are the same. Take a subterm K′ +K′′ of J . It is the transformed version
of a subterm H′ +H′′ of I. By hypothesis H′ +H′′ has asynchronous unique points of
choice and distinct choice operations. Since interactions may only be added in parallel to
the whole term the thesis follows by hypothesis. For the whole term the condition holds
by construction.
Let us consider now the transformation ensuring that all the senders coincide and all
initial interactions are on distinct operations not reused elsewhere. There are two cases:
either the interactions inside H′ and H′′ have been modified or not. In the second case
the thesis follows by hypothesis. The first case may happen only if one such interaction
is initial in the whole term. In this case however all the initial interactions have been
changed, and the freshly introduced role is the new sender in all of them. Also, all the
used operations are distinct and fresh. Thus the two conditions are satisfied. For the
whole term the two conditions are satisfied by construction.
For disjoint connectedness for sequence, note that all the subterms enjoy the property
either by hypothesis or by construction. Since the top-level operator is a nondeterministic
choice the same property holds for the whole term.
The last condition can be easily proved since the transformation does not change the
weak traces.
6.3. Causality safety
Let $I$ be an IOC that is not causality safe. This means that there are two interactions $i$
and $j$ using the same operation such that neither $s_i \leq_s r_j \wedge r_i \leq_s s_j$ nor $s_j \leq_s r_i \wedge r_j \leq_s s_i$
nor they are in full conflict. Let $o?_{a\to b}$ be interaction $i'$ and $o?_{c\to d}$ be interaction $i''$. Note
that the problem is immediately solved by renaming one of the operations. However, this
will change the specification. We show how to stick to the original (weak) behavior, while
solving the causality safety issue.
Take the smallest subterm of I including both interaction i′ and interaction i′′. We
have a case analysis on its top-level operator. We have three cases corresponding to
parallel causality safety, sequential causality safety and choice causality safety.
Let us consider parallel causality safety. Thus I = I ′ ‖ I ′′, and we can assume that
interaction i′ is in I ′ and interaction i′′ is in I ′′. To solve this issue we will apply a form
of expansion law that transforms the parallel composition into nondeterminism, thus
either removing completely the causality safety issue or transforming it into sequential
causality safety or choice causality safety, discussed later on.
We define now the expansion law and prove its correctness. We also show that using
the expansion law one can transform any IOC into a normal form defined as below.
Definition 6.2 (Normal form). An IOC $I$ is in normal form if it is written as
$\sum_i o?_{i\,a_i\to b_i}; I_i$
where $\sum_i$ is n-ary nondeterministic choice and for each $i$ also $I_i$ is in normal form (we
can see the empty sum as $0$).
The expansion law is defined below.
Definition 6.3 (Expansion law).
$(\sum_i o?_{i\,a_i\to b_i}; I_i) \parallel (\sum_j o?_{j\,a_j\to b_j}; I_j) = (\sum_i o?_{i\,a_i\to b_i}; (I_i \parallel (\sum_j o?_{j\,a_j\to b_j}; I_j)))$
$+ (\sum_j o?_{j\,a_j\to b_j}; (I_j \parallel (\sum_i o?_{i\,a_i\to b_i}; I_i)))$
The expansion law is correct w.r.t. IOC trace equivalence, in the sense that applying
the expansion law to an IOC does not change the set of its traces (neither strong nor
weak), as proved by the lemma below.
Lemma 6.1. Let I be an IOC and J an IOC obtained by applying the expansion law
to a subterm of I. Then I and J have the same set of (strong or weak) traces.
Proof. Labels not involving the subterm are easily mimicked. Consider the first label
involving the subterm. If no such label exists the thesis follows. Otherwise, the label
corresponds to the execution of one of the interactions $o?_{i\,a_i\to b_i}$ or $o?_{j\,a_j\to b_j}$. Executing any
of these interactions reduces both the terms to the same term. The thesis follows.
Using the expansion law we can transform any IOC I into an IOC J with the same
weak traces which is in normal form.
Proposition 6.3 (Normalization). Given an IOC I there is an IOC J in normal form
such that I and J are weak IOC trace equivalent.
Proof. The proof is by structural induction on the number of interactions occurring
in $I$. The cases of interactions and $0$ are trivial. IOC $1$ can be replaced by any private
interaction without changing the set of weak traces. For sequential composition note
that $(\sum_i o?_{i\,a_i\to b_i}; I_i); I'$ and $(\sum_i o?_{i\,a_i\to b_i}; I_i; I')$ have the same set of traces. $I_i; I'$ can
be transformed in normal form by inductive hypothesis. For nondeterministic choice the
thesis is trivial (it is easy to check that nondeterministic choice is associative). For parallel
composition one can apply the expansion law, and the thesis follows from Lemma 6.1
and inductive hypothesis.
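The following Python script is an added example, not part of the paper: it encodes IOC terms as nested tuples, computes their maximal traces under the small-step reading used in the proofs above (with $\surd$ marking successful termination), implements the expansion law of Definition 6.3 and the normalization of Proposition 6.3, and checks Lemma 6.1 on the IOC $o_{a\to b} \parallel o_{c\to d}$ of Example 4.2. The transition rules and the simplifications $1; I = I; 1 = 1 \parallel I = I$ are this example's reading of the calculus, not the authors' code; the replacement of $1$ by a private interaction (the $1$ case of the proof, which preserves only weak traces) is not implemented, so a $1$ used as a choice branch is rejected.

```python
# Added example, not from the paper: IOC terms as nested tuples, their maximal
# traces, the expansion law (Definition 6.3) and normalization (Proposition 6.3).
# An interaction o_{a->b} is ('int', o, a, b); the IOCs 0 and 1 are ZERO and ONE.
ZERO, ONE = ('zero',), ('one',)
def inter(o, a, b): return ('int', o, a, b)
def seq(i, j): return ('seq', i, j)
def par(i, j): return ('par', i, j)
def choice(i, j): return ('choice', i, j)

def can_terminate(t):
    """√: 1 terminates, ; and ‖ need both sides, + needs one branch, 0 and interactions never."""
    if t[0] == 'choice':
        return can_terminate(t[1]) or can_terminate(t[2])
    if t[0] in ('seq', 'par'):
        return can_terminate(t[1]) and can_terminate(t[2])
    return t[0] == 'one'

def steps(t):
    """All (label, residual) transitions of t; a label is (o, sender, receiver)."""
    k = t[0]
    if k == 'int':
        return [((t[1], t[2], t[3]), ONE)]
    if k == 'seq':
        out = [(l, seq(r, t[2])) for l, r in steps(t[1])]
        if can_terminate(t[1]):          # I' may start once I can terminate
            out += steps(t[2])
        return out
    if k == 'par':
        return ([(l, par(r, t[2])) for l, r in steps(t[1])]
                + [(l, par(t[1], r)) for l, r in steps(t[2])])
    if k == 'choice':                    # taking one branch discards the other
        return steps(t[1]) + steps(t[2])
    return []

def traces(t):
    """Maximal traces of a finite IOC; a trace ending in '√' is complete."""
    result = {('√',)} if can_terminate(t) else set()
    for l, r in steps(t):
        result |= {(l,) + tr for tr in traces(r)}
    return result or {()}                # stuck without √: an incomplete trace

def branches(t):
    """Split a sum Σ_i o_i; I_i into [(o_i, I_i)]; a bare interaction o is read as o; 1."""
    k = t[0]
    if k == 'zero':
        return []
    if k == 'int':
        return [(t, ONE)]
    if k == 'seq' and t[1][0] == 'int':
        return [(t[1], t[2])]
    if k == 'choice':
        return branches(t[1]) + branches(t[2])
    raise ValueError('not a sum of prefixed terms: %r' % (t,))

def sum_of(bs):
    """Rebuild Σ_i o_i; I_i from a branch list; the empty sum is 0."""
    terms = [o if i == ONE else seq(o, i) for o, i in bs]
    acc = terms[0] if terms else ZERO
    for term in terms[1:]:
        acc = choice(acc, term)
    return acc

def expand(t):
    """Definition 6.3: (Σ_i o_i; I_i) ‖ (Σ_j o_j; I_j) becomes
    Σ_i o_i; (I_i ‖ Σ_j o_j; I_j) + Σ_j o_j; (I_j ‖ Σ_i o_i; I_i), reading 1 ‖ X as X."""
    left, right = t[1], t[2]
    tail = lambda i, other: other if i == ONE else par(i, other)
    return sum_of([(o, tail(i, right)) for o, i in branches(left)]
                  + [(o, tail(j, left)) for o, j in branches(right)])

def normal_form(t):
    """Proposition 6.3, for IOCs whose 1s occur only as units of ; and ‖."""
    k = t[0]
    if k in ('zero', 'int'):
        return t
    if k == 'one':
        raise ValueError('1 as a choice branch needs a private interaction')
    if k in ('seq', 'par') and ONE in (t[1], t[2]):     # 1; I = I; 1 = 1 ‖ I = I
        return normal_form(t[2] if t[1] == ONE else t[1])
    if k == 'choice':                                  # + is associative
        return sum_of(branches(normal_form(t[1])) + branches(normal_form(t[2])))
    if k == 'seq':                                     # (Σ o; I); I' = Σ o; (I; I')
        return sum_of([(o, normal_form(seq(i, t[2])))
                       for o, i in branches(normal_form(t[1]))])
    expanded = expand(par(normal_form(t[1]), normal_form(t[2])))   # k == 'par'
    return sum_of([(o, normal_form(i)) for o, i in branches(expanded)])

def has_parallel(t):
    return t[0] == 'par' or (len(t) == 3 and (has_parallel(t[1]) or has_parallel(t[2])))

# Example 4.2: I = o_{a->b} ‖ o_{c->d}; the expansion law gives I1 of Example 6.1.
o_ab, o_cd = inter('o', 'a', 'b'), inter('o', 'c', 'd')
I, I1 = par(o_ab, o_cd), expand(par(o_ab, o_cd))
```

`traces` enumerates every interleaving explicitly, so it is meant for the small terms of the examples; `normal_form` applies `expand` to each parallel composition after normalizing its operands and then recurses into the continuations, which is exactly the induction of the proof of Proposition 6.3 with the parallel case handled by Lemma 6.1.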
Let us consider sequential composition. Thus I = I ′; I ′′, and we can assume that
interaction i′ is in I ′ and interaction i′′ is in I ′′. We show that if I is disjoint connected
for sequence and has asynchronous unique points of choice, then no sequential causality
safety issue can occur.
Lemma 6.2. Let $I = I'; I''$ be an IOC which is disjoint connected for sequence and has
asynchronous unique points of choice. Let $i'$ be an interaction in $I'$ and $i''$ an interaction
in $I''$. If $e'$ is an event of interaction $i'$ and $e''$ is an event of interaction $i''$, then $e' \leq^a_I e''$.
Proof. We will prove the thesis by induction on the structure of the term.
From disjoint connectedness for sequence all the receiving events in final interactions
of $I'$ and all the sending events in initial interactions of $I''$ are performed by the same
role. Thus, from the sequentiality condition in the definition of causality relation, they
are causally related (the only possibility for the term to perform a $\surd$ is to have a $1$ branch
in a nondeterministic choice, but this is forbidden because of existence of asynchronous
unique points of choice). Thanks to the synchronization condition the same holds for the
other events inside the same interactions. This proves the thesis for final interactions in
$I'$ and initial interactions in $I''$.
Assume now that the interaction $i'$ is not final inside $I'$ (the case of $i''$ not initial in $I''$
is similar). Then there exists a sequential composition $J; J'$ such that interaction $i'$ is in
$J$ and a final interaction of $I'$ is in $J'$. Since $J; J'$ is a subterm of $I'$ the thesis follows
by inductive hypothesis for events of interaction $i'$ and events of the final interaction.
The thesis follows by transitivity.
Let us consider nondeterministic choice. Thus I = I ′ + I ′′, and we can assume that
interaction i′ is in I ′ and interaction i′′ is in I ′′. We show that if I is disjoint connected
for sequence, has asynchronous unique points of choice and distinct choice operations,
then no choice causality safety issue can occur.
Lemma 6.3. Let $I = I' + I''$ be an IOC which is disjoint connected for sequence,
has asynchronous unique points of choice and distinct choice operations. Let $i'$ be an
interaction in $I'$ and $i''$ an interaction in $I''$. If $e'$ is an event of interaction $i'$ and $e''$ is
an event of interaction $i''$, then $e' \mathrel{{}^{f}\#^{a}_{I}} e''$.
Proof. The events in the two interactions are in conflict. Since by hypothesis the two
interactions are not initial then the events are also in full conflict.
6.4. Putting the pieces together
Till now we have shown that given a subterm of an IOC which fails to satisfy one of the
connectedness conditions, we can transform it into an equivalent term that satisfies this
connectedness condition. Some care is required to avoid that while ensuring the condition
is satisfied, violations of other conditions are introduced, thus creating the possibility that
the connecting procedure would not terminate. The following theorem proves that we can
combine the connecting steps to get a terminating algorithm transforming a generic IOC
into a disjoint connected IOC.
Theorem 6.1 (Making IOCs connected). There is a terminating procedure that
given any IOC I creates a new IOC J such that:
— J is disjoint connected;
— J and I are weak IOC trace equivalent.
Proof. We can apply the normalization procedure to all the subterms of IOC $I$ that
do not satisfy parallel causality safety, starting from the smallest subterms to the
largest, to get an IOC $I'$ which is parallel causality safe (since the undesired parallel
compositions have been removed) and which is weak IOC trace equivalent to $I$ thanks
to Proposition 6.3.
Now, again from the smallest subterms to the largest, we can apply to $I'$ the procedure
for providing asynchronous unique points of choice and distinct choice operations to those
subterms which have a top-level nondeterministic choice operator and the procedure for
making them disjoint connected for sequence to those subterms which have a top-level
sequential composition operator.
For terms of the first kind, thanks to Proposition 6.2, we obtain terms which have
asynchronous unique points of choice and distinct choice operations, and are parallel
causality safe and disjoint connected for sequence. The same holds for terms of the
second kind by Proposition 6.1. In both the cases, the resulting term is weak IOC trace
equivalent to the starting one. Moreover, by applying these transformations to subterms,
we do not create new parallel causality safety issues in larger terms, since we only add
interactions on fresh operations.
From Lemma 6.2 and Lemma 6.3 we know that the obtained IOC J has no sequential
causality safety issues or choice causality safety issues, thus the thesis follows.
Example 6.1. We now apply our procedure to the IOC $I = o_{a\to b} \parallel o_{c\to d}$ presented in
Example 4.2. First note that $I$ does not satisfy parallel causality safety. By application of
the expansion law we obtain $I_1 = o_{a\to b}; o_{c\to d} + o_{c\to d}; o_{a\to b}$. Proceeding from smallest to
largest subterms, we first encounter the subterms $o_{a\to b}; o_{c\to d}$ and $o_{c\to d}; o_{a\to b}$ which are
not disjoint connected for sequence (and are not sequential causality safe). By applying
the corresponding pattern to the two subterms, we obtain
$I_2 = o_{a\to b}; o^{*1}_{b\to e'}; o^{*2}_{e'\to c}; o_{c\to d} + o_{c\to d}; o^{*3}_{d\to e''}; o^{*4}_{e''\to a}; o_{a\to b}$.
Now the internal terms are disjoint connected, but the whole
term does not have asynchronous unique points of choice nor distinct choice operations,
and is not choice causality safe. By applying the transformation ensuring asynchronous
unique points of choice, we obtain:
$I_3 = o^{*5}_{e\to a}; o_{a\to b}; o^{*1}_{b\to e'}; o^{*2}_{e'\to c}; o_{c\to d} + o^{*6}_{e\to c}; o_{c\to d}; o^{*3}_{d\to e''}; o^{*4}_{e''\to a}; o_{a\to b}$
Finally, by applying the transformation ensuring that both the branches have the same
roles, we obtain:
$I_4 = (o^{*5}_{e\to a}; o_{a\to b}; o^{*1}_{b\to e'}; o^{*2}_{e'\to c}; o_{c\to d} \parallel o^{*7}_{e\to e''}) + (o^{*6}_{e\to c}; o_{c\to d}; o^{*3}_{d\to e''}; o^{*4}_{e''\to a}; o_{a\to b} \parallel o^{*8}_{e\to e'})$
which is disjoint connected.
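The following Python script is an added example, not part of the paper: it implements the connecting patterns of Sections 6.1 and 6.2 and applies them from the smallest subterms to the largest, as the proof of Theorem 6.1 does after the expansion-law step, to the IOC $I_1$ of Example 6.1 above. The functions computing initial and final interactions ($transI$, $transF$), the roles of a term, the connectedness checks and the fresh names ($e_1, e_2, \ldots$ for coordinator roles and $o^{*1}, o^{*2}, \ldots$ for operations, where the example writes $e', e'', e$) are this example's reconstruction of the paper's definitions, not the authors' code; causality safety is not checked.

```python
# Added example, not from the paper: the connecting patterns of Sections 6.1 and
# 6.2, applied from the smallest subterms to the largest as in the proof of Theorem
# 6.1 (after the expansion-law step), on the IOC I1 of Example 6.1. transI/transF,
# roles, the checks and the fresh names e1, e2, ... / o*1, o*2, ... are this
# example's reconstruction of the paper's definitions, not the authors' code.
def inter(o, a, b): return ('int', o, a, b)      # the interaction o_{a->b}
def seq(i, j): return ('seq', i, j)
def par(i, j): return ('par', i, j)
def choice(i, j): return ('choice', i, j)

def can_terminate(t):
    """√: 1 (('one',)) terminates, ; and ‖ need both sides, + needs one branch."""
    if t[0] == 'choice':
        return can_terminate(t[1]) or can_terminate(t[2])
    if t[0] in ('seq', 'par'):
        return can_terminate(t[1]) and can_terminate(t[2])
    return t[0] == 'one'

def ends(t, initial, f):
    """Replace each initial (transI) or final (transF) interaction of t by f(interaction)."""
    k = t[0]
    if k == 'int':
        return f(t)
    if k in ('par', 'choice'):
        return (k, ends(t[1], initial, f), ends(t[2], initial, f))
    if k == 'seq':   # the far side of ; contributes only if the near side can terminate
        near, far = (1, 2) if initial else (2, 1)
        new = {near: ends(t[near], initial, f),
               far: ends(t[far], initial, f) if can_terminate(t[near]) else t[far]}
        return seq(new[1], new[2])
    return t

def trans(t, initial):
    """transI(t) if initial else transF(t), as a list of interactions."""
    found = []
    ends(t, initial, lambda i: found.append(i) or i)
    return found

def subterms(t):
    return [t] + (subterms(t[1]) + subterms(t[2]) if len(t) == 3 else [])
def interactions(t):
    return [s for s in subterms(t) if s[0] == 'int']
def roles(t):
    return {r for i in interactions(t) for r in (i[2], i[3])}

def connected_for_sequence(t):
    """Section 6.1 condition on I'; I'': receivers of transF(I') are senders of transI(I'')."""
    return all(f[3] == i[2] for f in trans(t[1], False) for i in trans(t[2], True))
def unique_point_of_choice(t):
    """Section 6.2: one sender for all initial interactions of J + J', same roles in J and J'."""
    senders = {i[2] for i in trans(t[1], True) + trans(t[2], True)}
    return len(senders) <= 1 and roles(t[1]) == roles(t[2])
def distinct_choice_operations(t):
    """Initial interactions of J + J' use distinct operations not used elsewhere in the term."""
    ops = [i[1] for i in interactions(t)]
    return all(ops.count(i[1]) == 1 for i in trans(t[1], True) + trans(t[2], True))

class Fresh:
    """Fresh names: operations o*1, o*2, ... and coordinator roles e1, e2, ..."""
    def __init__(self): self.n_op = self.n_role = 0
    def op(self): self.n_op += 1; return 'o*%d' % self.n_op
    def role(self): self.n_role += 1; return 'e%d' % self.n_role

def connect_sequence(t, fresh):
    """Section 6.1: route the final interactions of I' and the initial ones of I'' via a fresh e."""
    e = fresh.role()
    left = ends(t[1], False, lambda i: seq(i, inter(fresh.op(), i[3], e)))
    right = ends(t[2], True, lambda i: seq(inter(fresh.op(), e, i[2]), i))
    return seq(left, right)

def connect_choice(t, fresh):
    """Section 6.2: a fresh e guards every initial interaction when senders or operations
    clash; then e notifies, in parallel, the roles missing from either branch."""
    left, right = t[1], t[2]
    inits = trans(left, True) + trans(right, True)
    e = inits[0][2] if inits else fresh.role()   # the common sender, if there is one
    if len({i[2] for i in inits}) > 1 or not distinct_choice_operations(t):
        e = fresh.role()
        guard = lambda i: seq(inter(fresh.op(), e, i[2]), i)
        left, right = ends(left, True, guard), ends(right, True, guard)
    for a in roles(right) - roles(left):
        left = par(left, inter(fresh.op(), e, a))
    for a in roles(left) - roles(right):
        right = par(right, inter(fresh.op(), e, a))
    return choice(left, right)

def connect(t, fresh):
    if len(t) != 3: return t             # 0, 1 and single interactions need nothing
    k = t[0]
    t = (k, connect(t[1], fresh), connect(t[2], fresh))   # smallest subterms first
    if k == 'seq' and not connected_for_sequence(t):
        return connect_sequence(t, fresh)
    if k == 'choice' and not (unique_point_of_choice(t) and distinct_choice_operations(t)):
        return connect_choice(t, fresh)
    return t

def disjoint_connected(t):
    """Sequence and choice conditions on every subterm (causality safety is not checked)."""
    return all((s[0] != 'seq' or connected_for_sequence(s)) and
               (s[0] != 'choice' or unique_point_of_choice(s) and distinct_choice_operations(s))
               for s in subterms(t))

o_ab, o_cd = inter('o', 'a', 'b'), inter('o', 'c', 'd')
I1 = choice(seq(o_ab, o_cd), seq(o_cd, o_ab))   # Example 6.1, after the expansion law
I4 = connect(I1, Fresh())                       # the paper's I4, with e1, e2, e3 for e', e'', e
```

Running the script reproduces the shape of $I_4$: each sequential branch is wrapped by a guard from the coordinator $e_3$ and carries the two fresh hand-offs inserted by the sequence pattern, and each branch is put in parallel with one notification to the coordinator role it was missing. The bottom-up order matters: `connect` fixes both sequential subterms before looking at the top-level choice, so the choice pattern sees branches whose initial interactions are already well defined.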
6.5. Application: Two-buyers protocol
We show now how our transformation for connecting IOCs can be used as an effective
design tool for the programming of multiparty choreographies. We model the example
reported in (Honda et al., 2008), the two-buyers protocol, where two buyers – b1 and b2
– combine their finances for buying a product from a seller s. The protocol starts with
b1 asking the price for the product of interest to s. Then, s communicates the price to
both b1 and b2. Subsequently, b1 notifies b2 of how much she is willing to contribute to
the purchase. Finally, the choreography may either terminate (the product will not be
sent) or s may send a delivery date for the product to b2. We do not deal here with how
this choice is performed, as our IOCs abstract from data.
To create a quick prototype IOC I for the two-buyers protocol, we focus only on the
main interactions and we do not worry about our connectedness conditions. The code
follows naturally:
$I = price_{b_1\to s}; (quote1_{s\to b_1} \parallel quote2_{s\to b_2}); contrib_{b_1\to b_2}; (delivery_{s\to b_2} + 1)$
The code above is just a direct translation of our explanation in natural language into an
IOC. We can immediately observe that the IOC is not connected in three points w.r.t.
the rules ensuring disjoint conformance:
— the subterm $(quote1_{s\to b_1} \parallel quote2_{s\to b_2}); contrib_{b_1\to b_2}$ is not disjoint connected for
sequence; thus, e.g., $b_1$ may send the contrib message before $b_2$ receives the message
for quote2;
— the subterm $(delivery_{s\to b_2} + 1)$ does not have asynchronous unique points of choice;
— the subterm $contrib_{b_1\to b_2}; (delivery_{s\to b_2} + 1)$ is not disjoint connected for sequence.
We can apply our transformation for amending our IOC prototype, transforming it into
a disjoint connected IOC which is weak IOC trace equivalent to $I$, obtaining:
$price_{b_1\to s}; (quote1_{s\to b_1}; o^{*1}_{b_1\to e_1} \parallel quote2_{s\to b_2}; o^{*2}_{b_2\to e_1}); o^{*3}_{e_1\to b_1}; contrib_{b_1\to b_2}; o^{*4}_{b_2\to e_2}; (o^{*5}_{e_2\to s}; delivery_{s\to b_2} + 1 \parallel o^{*6}_{e_2\to s} \parallel o^{*7}_{e_2\to b_2})$
The IOC above is disjoint connected, thus it can be projected, and the projection will
be conformant to the IOC, and weak conformant to the original IOC I.
7. Possible extensions
Till now we considered in detail notions of connectedness for IOCs, and of conformance
between IOCs and POCs, but we focused on minimal calculi for both IOCs and POCs
to avoid unnecessary complexity. Here we discuss some possible extensions to the calculi,
and their impact on the developed theory. We also illustrate how conformance can be
combined with notions of equivalence and/or refinement at the level of IOCs and/or of
POCs. We plan to analyze these aspects in more detail in future work.
7.1. Other operators
In the main part of the paper we stick to the smallest set of operators necessary to write
interesting IOCs, but most of the developed theory can be extended to deal with other
operators. We consider here internal actions τa, and guarded recursion.
An internal action $\tau_a$ abstracts a computation performed by role $a$ with no interaction
with other roles. E.g., role $a$ can perform some mathematical computation, whose result
may be later on sent to some other role $c$ via a communication. Such an activity cannot
be easily projected as if it was $o?_{a\to a}$, since the projection of such a term is not defined.
In order to model such an activity, one has to decide whether the activity is visible to
the outside or not. From the point of view of the projection, the interesting case is when
the activity is visible, and thus constraints imposed by sequentialization or choices have
to be satisfied. E.g., the projection of $\tau_a; \tau_b$ should execute the internal activity at $a$ first,
and then the internal activity at $b$. Using a natural projection, with $proj(\tau_a, a) = \tau$ and
$proj(\tau_a, b) = 1$ for $b \neq a$, the constraint above would not be satisfied. In fact, such an
IOC would not be connected, since the (sets of) roles involved in the two activities are
disjoint. One can make this IOC connected by transforming it into the equivalent IOC
$\tau_a; o^*_{a\to b}; \tau_b$. The theory discussed so far can be easily extended to consider this kind of
activity.
A more interesting challenge is given by guarded recursion, which allows one to describe
infinite choreographies. E.g., the IOC defined as $rec\,X.\ ask_{a\to b}; answer_{b\to a}; X$ models an
infinite conversation where role $a$ asks something to role $b$ and receives an answer, then
the communication pattern restarts. It is easy to check that a homomorphic projection
of such an IOC has the desired behavior. Indeed, the IOC is disjoint connected. Actually,
we can apply here a result from (Honda et al., 2008) (reformulated for our calculus),
which states that a recursive IOC is connected iff its one-level unfolding is connected.
E.g., the IOC above is disjoint connected since $ask_{a\to b}; answer_{b\to a}; ask_{a\to b}; answer_{b\to a}$ is
disjoint connected.
The theory for amending IOCs which are not connected instead cannot always be
applied. In fact, some recursive IOCs allow infinitely many interactions on the same
operation, as in the case of IOC $I = rec\,X.\ o_{c\to d} \parallel (o'_{a\to b}; o''_{b\to a}; X)$. Such an IOC does
not satisfy causality safety, since different instances of $o_{c\to d}$ can be enabled in parallel.
One could apply the connecting procedure to the infinite term generated by the
unfolding of the recursion, but no finite representation of such a term can be given inside
the language. One can try to solve the problem by requiring all the roles to synchronize
on the end of each iteration. E.g., the IOC above can be transformed into:
$J = rec\,X.\ (o^*_{e\to c}; o_{c\to d}; o'^*_{d\to e}) \parallel (o''^*_{e\to a}; o'_{a\to b}; o''_{b\to a}; o'''^*_{a\to e}; X)$
This approach however does not preserve weak traces, since e.g. the weak trace starting
with $o'_{a\to b}, o''_{b\to a}, o'_{a\to b}, o''_{b\to a}, o_{c\to d}, \ldots$ is legal in $I$ but not in $J$.
It is worth noting that a similar approach has been taken in (Zongyan et al., 2007),
where infinite IOCs can be expressed with a repetition operator that repeats the execution
of a sub-IOC an arbitrary number of times. The repetition must be decorated with the
indication of a participant called the dominant role. In the projection, the dominant
role is in charge to detect the completion of a run of the sub-IOC, to decide whether
to execute another run or not, and then to communicate the decision to all the other
participants in the IOC. A complete comparison between our work and (Zongyan et al.,
2007) can be found in Section 9.
7.2. Adding data
Input and output events in the choreographies analyzed till now model message passing
communications, but the actual values to be sent have been abstracted away.
One can use the same approach at a more concrete level, where communicated
data are explicitly described both at the IOC and at the POC level. A similar
problem has been considered in (Bocchi et al., 2010). Consider, e.g., the simple IOC
with data $fact(n)_{a\to b}; answer(n!)_{b\to a}$ where role $a$ asks role $b$ to compute the
factorial of some natural number $n$. One can easily project such an IOC obtaining the
POC $(fact(n_a); answer(nf_a))_a \parallel (fact(n_b); answer(!n_b))_b$. The main point here is that
variables have to be introduced to store the received values and to enable their later
reuse. An interesting effect of the introduction of data is that nondeterministic choice
can be converted into deterministic choice: the IOC $o_{a\to b} + o'_{a\to b}$ can be refined into, e.g.,
$\mathbf{if}\ n > 10\ \mathbf{then}\ o_{a\to b}\ \mathbf{else}\ o'_{a\to b}$. If we assume existence of asynchronous unique points of
choice, the role that makes the choice is the one that must evaluate the condition (and
thus must know the value of the involved variables). The projection of a deterministic
choice is still a deterministic choice on the role that makes the choice, while it is an input
guarded choice on the other roles.
An important aspect to keep into account is that in addition to the control depen-
dencies considered till now, data values introduce data dependencies that have to be
satisfied. This is relevant, in particular, if we assume that each participant has a private
state. Consider, e.g., the IOC $o_{a\to b}(n) \parallel o'_{c\to d}(n)$. Here roles $a$ and $c$ should agree on
the value to be sent, but this is impossible in case of private states since there is no
communication between them. We will see in the next section that some of the notions
of conformance ensure that data dependencies can be more easily satisfied.
7.3. Equivalences and refinements
We have considered till now mainly equivalences between an IOC and a POC. However,
standard notions of bisimilarity or trace equivalence can be defined also among IOCs or
among POCs, as we did for weak IOC trace equivalence in Section 6.
A similar definition can be given at the POC level, considering e.g. weak synchronous
traces. As already hinted at in Section 6, such notions of equivalence are compatible with
synchronous conformance and projection. In fact, considering two IOCs $I$ and $I'$ which
are IOC trace equivalent, and two POCs $S$ and $S'$ synchronous conformant respectively
to $I$ and $I'$, it is easy to prove that $S$ and $S'$ are synchronous trace equivalent. This
happens, in particular, if $S$ and $S'$ are the projections of $I$ and $I'$.
The same reasoning can be applied to the other notions of conformance (sender, receiver,
sender-receiver, disjoint), but the trace equivalence on POCs should be tailored
accordingly. E.g., if we consider sender conformance then IOCs which are trace equivalent
correspond to POCs which are sender trace equivalent, i.e. have the same set of sender
traces.
Also, the reasoning can be applied to trace inclusions, which correspond to a form of
refinement: if an IOC I has a subset of the maximal traces of an IOC I ′, i.e. I is more
deterministic, it can be seen as an implementation of I ′. Such a notion corresponds to
analogous notions of trace inclusions on the projected POCs.
8. Practical interpretation
This section reports examples that show a practical interpretation of some of our different
settings. Giving a formalization of this interpretation goes beyond the scope of this paper,
but we believe its description to be sufficiently intuitive and interesting for motivating
our work. We will concentrate on the asynchronous cases of receiver, sender, and disjoint
connectedness notions. Therefore, in the following, we always assume an asynchronous
communication semantics. To simplify the presentation, we remove from POCs some 1s
which have no effect on the POC semantics.
8.1. Receiver connectedness
Receiver connectedness ensures that global invariants on the state of the participants
involved in an IOC are satisfied also in its projected POC. Here, we assume that a local
state can change only on message reception. Let us consider the following IOC, which is
sender connected but not receiver connected:
withdrawcustomer→bank; paycustomer→shop
Above, a customer wants to buy something from a shop. In order to pay, she first with-
draws some money from her bank and then uses it to pay the shop. The invariant holding
in this IOC that we would like to preserve in the corresponding POC is that the sum of
the amounts of money possessed by the customer and the shop should not increase. Let
us see now the projected POC:
(withdraw; pay)customer ‖ (withdraw)bank ‖ (pay)shop
Assume now that when the bank receives the withdrawal message it decreases the amount
of money in the bank account, while the shop increases its income upon reception of the
payment. Since communications are asynchronous, the shop may receive the message
for operation pay before the bank receives that for withdraw. In that intermediate
state, the total amount of money would be greater than at the beginning, thus
breaking our invariant. In order to correct this problem, we could add an intermediary
interaction between the bank and the shop that makes the IOC receiver connected:
withdrawalcustomer→bank;withdrawalCompletedbank→shop; paymentcustomer→shop
This new version ensures that the projected POC will not break the invariant, since
the shop will accept the payment message (and thus update its state) only after the
withdrawal has been confirmed by the bank.
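As an added example (not code from the paper), the following Python script hand-projects the two IOCs of this subsection into per-role action lists and enumerates every asynchronous interleaving of the projected processes, updating state on reception only, as assumed above; the account balance and the 10-unit amount are constructed sample values. It returns the reception traces reaching a configuration where the customer's account plus the shop's income exceeds the initial total.

```python
"""Added example (not part of the paper): a small asynchronous simulator for the
projected POCs of Section 8.1. Local state changes only on message reception;
the network is an unordered bag of messages, so any interleaving is possible."""

# Each role is projected to a list of local actions: ('send', op, to) or
# ('recv', op, frm). These are hand-written projections of the two IOCs above.
POC_NOT_RECEIVER_CONNECTED = {
    "customer": [("send", "withdraw", "bank"), ("send", "pay", "shop")],
    "bank": [("recv", "withdraw", "customer")],
    "shop": [("recv", "pay", "customer")],
}
POC_RECEIVER_CONNECTED = {
    "customer": [("send", "withdrawal", "bank"), ("send", "payment", "shop")],
    "bank": [("recv", "withdrawal", "customer"),
             ("send", "withdrawalCompleted", "shop")],
    "shop": [("recv", "withdrawalCompleted", "bank"),
             ("recv", "payment", "customer")],
}

INITIAL_ACCOUNT, INITIAL_INCOME, AMOUNT = 100, 0, 10  # constructed sample values


def on_receive(role, op, account, income):
    """State update on reception: the bank debits the account, the shop books income."""
    if role == "bank" and op in ("withdraw", "withdrawal"):
        account -= AMOUNT
    if role == "shop" and op in ("pay", "payment"):
        income += AMOUNT
    return account, income


def invariant_holds(account, income):
    """Money held by the customer (her account) plus the shop must not grow."""
    return account + income <= INITIAL_ACCOUNT + INITIAL_INCOME


def violating_traces(poc):
    """Explore all asynchronous executions (observed events are receptions) and
    return the reception traces that reach a configuration breaking the invariant."""
    roles = sorted(poc)
    start = (tuple(0 for _ in roles), (), INITIAL_ACCOUNT, INITIAL_INCOME, ())
    seen, stack, bad = set(), [start], []
    while stack:
        pcs, net, account, income, trace = stack.pop()
        key = (pcs, net, account, income)
        if key in seen:
            continue
        seen.add(key)
        if not invariant_holds(account, income):
            bad.append(trace)
        for i, role in enumerate(roles):
            if pcs[i] == len(poc[role]):
                continue  # this process has terminated
            kind, op, peer = poc[role][pcs[i]]
            next_pcs = pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:]
            if kind == "send":  # sends never block: the message enters the net
                next_net = tuple(sorted(net + ((op, role, peer),)))
                stack.append((next_pcs, next_net, account, income, trace))
            elif (op, peer, role) in net:  # receive only if the message is there
                rest = list(net)
                rest.remove((op, peer, role))
                acc, inc = on_receive(role, op, account, income)
                event = f"{op}:{peer}->{role}"
                stack.append((next_pcs, tuple(rest), acc, inc, trace + (event,)))
    return bad


if __name__ == "__main__":
    print(violating_traces(POC_NOT_RECEIVER_CONNECTED))  # [('pay:customer->shop',)]
    print(violating_traces(POC_RECEIVER_CONNECTED))      # []
```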
8.2. Sender connectedness
Sender connectedness is useful to satisfy data dependencies discussed in Section 7.2.
In fact, if role a has to send a value based on a message communicated in a previous
stage of the execution (i.e., before a sequential composition in the IOC), then there is
a sequence of communications that can be used to communicate such a value to a, and
this information will reach a before its sending can become enabled.
As an example, consider a scenario in which a shop initially sends an offer to the
customer, the bank offers to finance the customer's purchase, and finally
the customer confirms to both the shop and the bank whether or not she accepts. This
scenario is another variant of the two-buyers protocol shown in (Carbone et al., 2007).
We represent it with the following IOC:
offershop→customer ; financebank→customer ; ( (confirmShopcustomer→shop ‖ confirmBankcustomer→bank) + (cancelShopcustomer→shop ‖ cancelBankcustomer→bank) )
This IOC is receiver connected but not sender connected. In the IOC, the financing from
the bank is defined after the offer from the shop has been performed. Assume now that
the financing option from the bank depends on the price contained in the offer from
the shop, e.g., the bank is willing to cover 30% of the cost if the price is below 20.000
euros, and 20% if it is above. This implies that the bank must know the offer from the
shop before sending its financing option to the customer, but our projected POC will not
guarantee this. We can solve this problem by adding an intermediary interaction between
the shop and the bank:
offershop→customer ; offerEmittedshop→bank; financebank→customer ; ( (confirmShopcustomer→shop ‖ confirmBankcustomer→bank) + (cancelShopcustomer→shop ‖ cancelBankcustomer→bank) )
The IOC is now sender connected, and in the projected POC we have the guarantee that
the bank has received information about the offer from the shop before preparing the
financing proposal to send to the customer.
8.3. Disjoint connectedness
Like receiver connectedness, disjoint connectedness guarantees in the projected POC the
preservation of global invariants on the state of the roles involved in the choreography.
However, in disjoint connectedness the property is made more robust because it is pre-
served even in the presence of message loss.
To better understand the potential impact of message loss consider the following re-
ceiver connected IOC, in which a user contacts in parallel a shop and a bank in order to
organize a purchase. Afterwards, the bank notifies the shop of the payment.
( purchasecustomer→shop ‖ paycustomer→bank ); paymentbank→shop
The corresponding projected POC is:
(purchase ‖ pay)customer ‖ (pay; payment)bank ‖ (purchase; payment)shop
Let us assume now that the message for operation purchase sent from the customer
to the shop is lost. Then, the bank could still receive the message for operation pay
(thus subtracting the money from the bank account of the customer). Since we are
assuming asynchronous communications, the bank will send the message for payment
without noticing that the shop will not receive it, as the latter will remain blocked on
purchase. Therefore, the system would reach an incoherent state. This problem can be
solved by adding, in the IOC, an interaction between the shop and the bank before the
payment is completed:
( (purchasecustomer→shop; requirePaymentshop→bank) ‖ paycustomer→bank ); paymentbank→shop
Observe that this last IOC is disjoint connected. Disjoint connectedness solves the prob-
lem of message loss, because it checks that the execution of the projected POC coun-
terpart of the first part of a sequence is completed before the execution can proceed.
Therefore, the failure of a message communication immediately blocks the execution of
the POC implementation of a sequence in an IOC. This happens without having any
“pending” state update, i.e. a message in the network that still has to be received that
was part of an interaction specified before in the sequence, as can happen in the POCs
projected by receiver connected IOCs.
9. Conclusions and related work
In this paper we have discussed the relationships between IOCs and POCs, analyzing
both the synchronous and the asynchronous cases. In the asynchronous case we have
considered different possibilities, according to whether the focus is on the sender, on the
receiver or on both. For each possibility we have studied the conditions to make the
projection behave as expected, and we have proved a behavioral correspondence. When
an IOC is not projectable, we have presented a procedure that modifies the IOC by
adding interactions in such a way that all the conditions described above are satisfied
while preserving the observational semantics of the initially given IOC.
The problem of conformance between a POC and an IOC has been considered many
times in the literature. In both (Carbone et al., 2007) and (Honda et al., 2008) a global
calculus and an endpoint calculus are used to describe IOC and POC respectively. Since
the language is quite complex, types are used as abstractions to check the conformance be-
tween POC and IOC. The language has prefix instead of general sequential composition
as in our case, and labeled choice in the session types style (Honda et al., 1998) instead of
nondeterministic choice. In (Carbone et al., 2007) a synchronous semantics is used, and
the relation between IOC and POC corresponds to our synchronous bisimulation. The
constraints imposed on IOCs are however stricter than ours, since for sequence they cor-
respond to our disjoint connectedness. In (Honda et al., 2008) instead the asynchronous
case is considered. The semantics therein corresponds to our receiver semantics, but they
preserve the order of messages from the same sender and on the same operation. Also
in this case their conditions are stricter than ours, since they do not allow the same role
to occur in different parallel components, while we do, and they require projections of
non-initiator roles in choice to coincide in every branch, while we allow different (but not
empty) projections.
In (Bravetti and Zavattaro, 2007) trace inclusion (with a synchronous semantics) is
used to relate service contracts and an IOC. This is similar to our synchronous confor-
mance, but in (Bravetti and Zavattaro, 2007) the participants may provide additional
functionalities, provided that they are not used inside the IOC. Also, connectedness is
defined only from a behavioral point of view, but no syntactic criterion ensuring this
is presented. Syntactic criteria have been proposed in (Bravetti et al., 2009) following
the approach reported in the preliminary version of this work (Lanese et al., 2008). The
extension of the approach in (Bravetti and Zavattaro, 2007) to the asynchronous case
has been proposed in (Bravetti and Zavattaro, 2008).
In (Castagna et al., 2011) an intermediary approach between trace inclusion and trace
equivalence is used to relate global types (expressed with a language similar to our IOC
calculus) and multiparty sessions (expressed with a language similar to our POC cal-
culus). Namely, a multiparty session is an implementation of a global type if its traces
are included in the traces of the global type, and for every trace of the global type the
multiparty session exhibits at least one trace which is the same up to reordering. The
communication model for multiparty sessions is asynchronous, based on FIFO queues,
and the receiving events are observed: for this reason their approach is similar to our
receiver conformance. The approach we present in this paper is syntax based, while the
approach in (Castagna et al., 2011) is based on the semantics defined in terms of traces.
Namely, the conditions that a global type should satisfy in order to be projectable are
defined on its traces and not on its syntax. Due to the different notion of correspondence
between IOCs and POCs, their notion of well-formedness for sequences is weaker than
our connectedness for sequence: two subsequent interactions in a trace of an IOC should
either satisfy our connectedness for sequence condition, or the trace in which the two
interactions are swapped should still be in the semantics of the IOC. This latter condi-
tion checks, at the level of the trace semantics, whether the two interactions are indeed
parallel, as they can be executed in any order.
In (Li et al., 2007) a language similar to ours is used, and constraints similar to disjoint
connectedness are required. User-defined POCs are checked to be a refinement of the
projection of the IOC, but no behavioral relation between an IOC and its projection is
presented.
In (Busi et al., 2005) and (Busi et al., 2006) different bisimilarities are used to charac-
terize conformance of a POC w.r.t. an IOC. These bisimilarities generalize respectively
our synchronous and receiver conformance notions, allowing a role in an IOC to be imple-
mented by many processes in a POC. However, the problems of automatically generating
the processes via projection and of deciding whether an IOC can be implemented are not
considered.
In (Kazhamiakin and Pistore, 2006) a taxonomy of different relationships between
IOCs and POCs is proposed. Starting from a fully asynchronous communication model,
four observational criteria are proposed: the first two criteria correspond to our disjoint
and sender-receiver notions of conformance, while the other two criteria consider the
preservation of the order of the send events projected to a single participant, or to the
interactions between two participants. Each observation criterion is characterized by a
corresponding communication model indicating the capacity of the message buffers and
their connections to processes. In order to verify the possibility to project an IOC accord-
ing to a given observation criterion, it is then possible to check whether the corresponding
semantics is preserved when moving from the asynchronous communication model to the
communication model corresponding to the observation criterion. This theory is devel-
oped by considering the choreographies represented as labeled transition systems. For
this reason there are no syntactic well-formedness conditions like the ones we propose in
this paper.
Another approach working at the level of labeled transition system is presented in
(Basu et al., 2012), where a decidable criterion is presented to check whether an IOC
can be projected preserving the sender traces. Such a criterion is based on two conditions.
The first condition checks whether the observable behavior of the choreography does not
change when moving from a synchronous semantics to an asynchronous semantics with
buffers of capacity 1. This condition was already proposed in (Basu and Bultan, 2011) as
a criterion to guarantee synchronizability, that is the observational equivalence between
the synchronous and the asynchronous semantics of a POC. The second condition is a
temporal property of the system: for every reachable configuration in which there is one
message in one buffer, there exists a subsequent reachable configuration in which such
message is consumed.
To the best of our knowledge, only two other papers consider the possibility to add
messages to an IOC in order to make it correctly projectable (Zongyan et al., 2007;
Salaun et al., 2011).
In (Zongyan et al., 2007) by exploiting a POC and an IOC calculus similar to ours,
a notion of conformance is defined which resembles our synchronous conformance. Con-
cerning the problem of sequences, it is formalized by a condition corresponding to our
connectedness for sequence. In case this condition is not satisfied by an IOC, the pro-
jection adds the following communications: all the roles involved in a final interaction
preceding the sequential composition send a message to all the roles involved in an initial
interaction after the sequential composition. In order to reduce the number of commu-
nications, in this case we amend the IOC by adding a coordinator for the sequential
composition, and the involved roles exchange only one message with the coordinator.
Concerning the problem of unique points of choice, in (Zongyan et al., 2007) the IOC
specification should be extended by decorating each problematic choice with the indica-
tion of a dominant role. The projection, in this case, adds an interaction between such
role and all the other roles in the IOC in order to globally agree on the selected branch.
Differently, we add a coordinator for the choice which sends a message only to the actu-
ally involved roles. Concerning the problem of causality safety, in (Zongyan et al., 2007)
there is no corresponding well-formedness condition. To the best of our understanding of
the paper this is problematic. In fact, the IOC (written according to our syntax, which
is slightly different from the one adopted in (Zongyan et al., 2007))
(ai→j ; bj→k; ck→l) ‖ (ei→j ; bj→k; fk→l)
is well-formed according to the conditions in (Zongyan et al., 2007), but the projected
POC¶
((a;1;1) | (e;1;1))i ‖ ((a; b;1) | (e; b;1))j ‖ ((1; b; c) | (1; b; f))k ‖ ((1;1; c) | (1;1; f))l
has the following wrong trace
ai→jbj→kfk→lei→jbj→kck→l.
In (Salaun et al., 2011) collaboration diagrams are considered as the language for the
description of IOCs. Collaboration diagrams have been proposed in (Bultan and Fu,
2007) as a graphical notation in which the interactions decorate a graph which has one
node for each role, and one edge for each pair of interacting roles. Interactions are or-
ganized in threads representing sub-choreographies. Messages are totally ordered within
the same thread, while a partial order can be defined among interactions belonging to
different threads. The connectedness problem we have considered in this paper has been
defined also for collaboration diagrams and called realizability. In collaboration diagrams
synchronous and asynchronous interactions coexist, and in the case of asynchronous com-
munication between peers, only the sender event is observed. Realizability is proved to
be guaranteed under conditions that resemble our sender connectedness for sequence. In
(Salaun et al., 2011) tool support for the analysis of collaboration diagrams is presented.
This is obtained by translation of collaboration diagrams and their projection into the
process algebra LOTOS (Brinksma, 1985), thus allowing for the exploitation of the cor-
responding tool suite (in particular the CADP toolbox (Garavel et al., 2007)). In case the
tool detects that the collaboration diagram is not realizable (by checking conditions cor-
responding to our synchronous and sender connectedness for sequence) both the diagram
¶ To be more precise, in (Zongyan et al., 2007) the projected actions explicitly indicate the names of the sender and of the receiver.
and the projection are modified in order to restore the well-formedness conditions. In the
context of collaboration diagrams there is no global choice composition operator among
sub-choreographies: for this reason there is no need for conditions like our unique points
of choice. Moreover, as in (Zongyan et al., 2007), there are no conditions corresponding
to our causality safety, but in this case this is not problematic as collaboration diagrams
make the stronger assumption that a message cannot occur among the events of two
distinct threads. Finally, in (Salaun et al., 2011) the main focus is on the implementation
of specific tools and their application to test suites instead of on the definition of general
and foundational results. In particular, there are no formal statements and proofs about
the correctness of the modifications applied to the choreographies in order to make them
connected.
Acknowledgments We thank Claudio Guidi for his contribution as co-author of the con-
ference version of this paper (Lanese et al., 2008). We are also grateful to Luca Padovani
for fruitful discussions about the related work (Castagna et al., 2011).
References
Basu, S. and Bultan, T. (2011). Choreography conformance via synchronizability. In Proc. of
WWW’11, pages 795–804. ACM Press.
Basu, S., Bultan, T., and Ouederni, M. (2012). Deciding choreography realizability. In Proc. of
POPL’12. ACM Press. To appear.
Bocchi, L., Honda, K., Tuosto, E., and Yoshida, N. (2010). A theory of design-by-contract for
distributed multiparty interactions. In Proc. of CONCUR 2010, volume 6269 of LNCS, pages
162–176. Springer.
Bravetti, M., Lanese, I., and Zavattaro, G. (2009). Contract-driven implementation of chore-
ographies. In Proc. of TGC’08, volume 5474 of LNCS, pages 1–18. Springer.
Bravetti, M. and Zavattaro, G. (2007). Towards a unifying theory for choreography conformance
and contract compliance. In Proc. of SC’07, volume 4829 of LNCS, pages 34–50. Springer.
Bravetti, M. and Zavattaro, G. (2008). Contract compliance and choreography conformance in
the presence of message queues. In Proc. of WS-FM’08, volume 5387 of LNCS, pages 37–54.
Springer.
Brinksma, E. (1985). A tutorial on LOTOS. In Proc. of Protocol Specification, Testing and Verifi-
cation V, pages 171–194. North-Holland.
Bultan, T. and Fu, X. (2007). Specification of realizable service conversations using collaboration
diagrams. In Proc. of SOCA’07, pages 122–130. IEEE Computer Society Press.
Busi, N., Gorrieri, R., Guidi, C., Lucchi, R., and Zavattaro, G. (2005). Choreography and
orchestration: A synergic approach for system design. In Proc. of ICSOC’05, volume 3826 of
LNCS, pages 228–240. Springer.
Busi, N., Gorrieri, R., Guidi, C., Lucchi, R., and Zavattaro, G. (2006). Choreography and
orchestration conformance for system design. In Proc. of Coordination’06, volume 4038 of
LNCS, pages 63–81. Springer.
Carbone, M., Honda, K., and Yoshida, N. (2007). Structured communication-centred program-
ming for web services. In Proc. of ESOP’07, volume 4421 of LNCS, pages 2–17. Springer.
Castagna, G., Dezani-Ciancaglini, M., and Padovani, L. (2011). On global types and multi-party
sessions. In Proc. of FMOODS/FORTE’11, volume 6722 of LNCS, pages 1–28. Springer.
Decker, G., Kopp, O., Leymann, F., and Weske, M. (2007). Bpel4chor: Extending bpel for
modeling choreographies. In Proc. of ICWS’07, pages 296–303. IEEE Computer Society
Press.
Garavel, H., Mateescu, R., Lang, F., and Serwe, W. (2007). CADP 2006: A toolbox for the
construction and analysis of distributed processes. In Proc. of CAV’07, volume 4590 of LNCS,
pages 158–163. Springer.
Hoare, C. (1985). Communicating Sequential Processes. Prentice-Hall.
Honda, K., Vasconcelos, V., and Kubo, M. (1998). Language primitives and type disciplines for
structured communication-based programming. In Proc. of ESOP’98, volume 1381 of LNCS,
pages 122–138. Springer.
Honda, K., Yoshida, N., and Carbone, M. (2008). Multiparty asynchronous session types. In
Proc. of POPL’08, pages 273–284. ACM Press.
Kazhamiakin, R. and Pistore, M. (2006). Analysis of realizability conditions for web service
choreographies. In Proc. of FORTE’06, volume 4229 of LNCS, pages 61–76. Springer.
Lanese, I., Guidi, C., Montesi, F., and Zavattaro, G. (2008). Bridging the gap between
interaction- and process-oriented choreographies. In Proc. of SEFM’08, pages 323–332. IEEE
Computer Society Press.
Li, J., Zhu, H., and Pu, G. (2007). Conformance validation between choreography and orches-
tration. In Proc. of TASE’07, pages 473–482. IEEE Computer Society Press.
Milner, R. (1989). Communication and Concurrency. Prentice Hall.
Salaun, G., Bultan, T., and Roohi, N. (2011). Realizability of choreographies using process
algebra encodings. IEEE Transactions on Services Computing, to appear.
WS-BPEL (2007). Web Services Business Process Execution Language Version 2.0 OASIS
Standard. OASIS. http://docs.oasis-open.org/wsbpel/2.0/OS/wsbpel-v2.0-OS.pdf.
WS-CDL (2005). Web Services Choreography Description Language Version 1.0. World Wide
Web Consortium. http://www.w3.org/TR/ws-cdl-10/.
Zongyan, Q., Xiangpeng, Z., Chao, C., and Hongli, Y. (2007). Towards the theoretical foundation
of choreography. In Proc. of WWW’07, pages 973–982. ACM Press.