Atomic Commit and Negotiation in Service Oriented ... - CiteSeerX

Atomic Commit and Negotiation in Service Oriented Computing

Laura Bocchi

Paolo Ciancarini

Roberto Lucchi

Technical Report UBLCS-2005-16 June 2005

Department of Computer Science University of Bologna Mura Anteo Zamboni 7 40127 Bologna (Italy)

The University of Bologna Department of Computer Science Research Technical Reports are available in PDF and gzipped PostScript formats via anonymous FTP from the area ftp.cs.unibo.it:/pub/TR/UBLCS or via WWW at URL http://www.cs.unibo.it/. Plain-text abstracts organized by year are available in the directory ABSTRACTS.

Recent Titles from the UBLCS Technical Report Series 2004-14 Intelligent Web Servers as Agents, Gaspari, M., Dragoni, N. Guidi, D., July 2004. 2004-15 SIR: a Model of Social Reputation, Mezzetti, N., October 2004. 2004-16 Algorithms for Large Directed CARP Instances: Urban Solid Waste Collection Operational Support, Maniezzo, V., October 2004. 2004-17 Supporting e-Commerce Systems Formalization with Choreography Languages, Bravetti, M., Guidi, C., Lucchi, R., Zavattaro, G., November 2004. 2004-18 Decentralized Ranking in Large-Scale Overlay Networks, Montresor, A., Jelasity, M., Babaoglu, O., December 2004. 2004-19 Advanced Collective Communication in WDM Optical Rings, Margara, L., Simon, J., Vassura, V., December 2004. 2005-1 ARTIS: Design and Implementation of an Adaptive Middleware for Parallel and Distributed Simulation (Ph.D. Thesis), D’Angelo, G., March 2005. 2005-2 Analysis and Prototype of a Metamodeling Environment for Engineering Grid Services (Ph.D. Thesis), Moretti, R., March 2005. 2005-3 On some combinatorial optimization problems arising from computer networks (Ph.D. Thesis), Vassura, M., March 2005. 2005-4 Experiences with Synthetic Network Emulation for Complex IP based Networks (Ph.D. Thesis), Cacciaguerra, S., March 2005. 2005-5 Interactivity Maintenance for Event Synchronization in Massive Multiplayer Online Games (Ph.D. Thesis), Ferretti, S., March 2005. 2005-6 Reasoning with preferences over temporal, uncertain, and conditional statements (Ph.D. Thesis), Venable, K. B., March 2005. 2005-7 Whole Platform (Ph.D. Thesis), Solmi, R., March 2005. 2005-8 Loss Functions and Structured Domains for Support Vector Machines (Ph.D. Thesis), Portera, F., March 2005. 2005-9 A Reasoning Infrastructure to Support Cooperation of Intelligent Agents on the Semantic Grid, Dragoni, N., Gaspari, M., Guidi, D., April 2005. 2005-10 Fault Tolerant Knowledge Level Communication in Open Asynchronous Multi-Agent Systems, Dragoni, N., Gaspari, M., April 2005. 2005-11 The AEDSS Application Ontology: Enhanced Automatic Assessment of EDSS in Multiple Sclerosis, Gaspari, M., Saletti, N., Scandellari, C., Stecchi, S., April 2005. 2005-12 How to cheat BitTorrent and why nobody does, Hales, D., Patarin, S., May 2005. 2005-13 Choose Your Tribe! - Evolution at the Next Level in a Peer-to-Peer network, Hales, D., May 2005. 2005-14 Knowledge-Based Jobs and the Boundaries of Firms: Agent-based simulation of Firms Learning and Workforce Skill Set Dynamics, Mollona, E., Hales, D., June 2005.

2005-15 Tag-Based Cooperation in Peer-to-Peer Networks with Newscast, Marcozzi, A., Hales, D., Jesi, G., Arteconi, S., Babaoglu, O., June 2005.

UBLCS-2005-16

1

Atomic Commit and Negotiation in Service Oriented Computing Laura Bocchi 2

Paolo Ciancarini2

Roberto Lucchi2

Technical Report UBLCS-2005-16 June 2005 Abstract We discuss the relationship between two coordination problems in the context of Service Oriented Computing: atomic commit and negotiation. The atomic commit is a well known problem addressing the agreement of a number of distributed participants to achieve a global outcome, typically commit or abort. Negotiation addresses the enactment of a multi-step interaction among a number of parties in order to achieve an agreement on the features provided by one or more services, for instance during the phase of service discovery/binding. We describe the Contract Net Protocol, a well known negotiation protocol, with the asynchronous pi calculus (Pi-CNP). We outline some basic properties of Pi-CNP and we discuss the possibility of expressing it as an instance of the atomic commit problem and vice versa. Such a relationship can be exploited to simplify the development of reliable protocols, especially for negotiation, on the basis of existing ones for atomic commit.

2. Department of Computer Science, University of Bologna, Mura Anteo Zamboni 7, 40127 Bologna, Italy.

2

1

Introduction

Figure 1. An example of cohesion

1

Introduction

Distributed state synchronization is a general problem concerning Service Oriented Computing (SOC). Specifically, in the Web Services scenario some efforts recently addressed the states synchronization of distributed participants. Some examples are the Tentative Hold Protocol (THP) [1], the Business Transaction Protocol (BTP) [2], and WS-Transaction [3]. These protocols rule the enactment of a multi-step interaction among a number of participants, in order to achieve an agreement on the outcome of the distributed transaction. Distributed transaction protocols are evolving according to the requirements of the real e-business scenario over the Web. One particular direction of this evolution is negotiation. For instance BTP introduces cohesions [4] to address use cases involving a negotiation on the particular service provided by each participant. BTP supports two types of transaction: atoms and cohesions. Atoms are a loosely coupled version of the classic ACID transaction: it commits only if all its sub-entities are able to commit, and in case of commitment all its sub-entities commit. Atoms are representable as instances of atomic commit [5]. The atomic commit is a well known problem addressing the agreement of a number of distributed participants (distributed consensus) to achieve a global outcome, typically commit or abort. With cohesions the consensus is no longer required. A cohesion can decide to commit even if some of its sub-entities are unable to commit. Furthermore in case of commit, a cohesion can decide to reject the commitment of some of its sub-entities, causing their failure. Figure 1 illustrates a travel booking service implemented by a cohesion that encloses multiple distributed and inter-organizational transactions. Travel Booking tries to book different alternative flights and to rent a car. Travel booking succeeds if at least one of the airlines has available flights. Car rental is not necessary. In case both airlines have available flights, travel booking commits but rejects the reservation of the most expensive flight. The example underlines also the possibility for a service (e.g., the Car Rental) of engaging sub-services (e.g, single car rental companies) in order to satisfy a request (i.e., sub-contracting). Cohesion addresses issues related to dynamic service composition in SOAs. These issues present analogies with the notion, well known in the context of Multi Agent Systems, of distributed problem solving. In a scenario of distributed problem solving some knowledge-sources (KS) have to find a cooperative solution to a problem, in a decentralized way. Each knowledge source is not able to autonomously achieve the solution; the problem is decomposed in sub-tasks that are delegated to some other KSs. A KS can decompose the assigned task in further sub-tasks. [6, 7] discuss the relationship between negotiation and distributed problem solving and propose the Contract Net Protocol as a solution to distributed problem solving. The CNP presents some similarities with the notion of cohesion. There is a procedural analogy since in both cases (1) the initiator sends a call for proposal (CFP) to many potential contractors, (2) the initiator awaits for proposals for a certain amount of time, (3) the initiator chooses a number of bids to award. Participants can subcontract. Furthermore, both CNP and cohesion refer to a context of self interested agents where the strategy reflects the local perspective of a party. Thus, investigating the relations between CNP and atomic commit is interesting in the context of service composition in SOAs. UBLCS-2005-16

3

2

Background

1.0.1 Contribution and Content. The main contribution of this work is the formal investigation, based on the pi calculus [8], of the mutual inter-dependencies between the CNP and atomic commit protocols. The pi calculus is a message-based formalism and is natural for the representation and formal analysis of distributed protocols, that are also based upon message exchange in a distributed setting. This implies a straightforward implementation with Web service languages. We present an implementation of CNP with the asynchronous pi calculus, namely Pi-CNP, for which we prove some basic properties. Finally we study how to solve the atomic commit problem by means of Pi-CNP and how to express a negotiation of Pi-CNP by composing a number of generic solutions to the atomic commit problem. Section 2 presents the background. Section 3 presents Pi-CNP. Section 4 presents the proofs of some Pi-CNP properties. Sections 5 and 6 discuss the encoding of Pi-CNP into atomic commit and of atomic commit into Pi-CNP respectively. Conclusions are presented in Section 7.

2

Background

The present section discusses the basics concepts that are used in the rest of this paper. Section 2.1 gives an overview of CNP. Section 2.2 gives an overview on the asynchronous pi calculus. Section 2.3 presents a pi calculus based high level semantic for the atomic commit. 2.1

Bidding Negotiation: the CNP

Negotiation is ‘...a discussion in which the interested parties exchange information and come to an agreement’ [6]. In the most general significance the discussion is a process involving parties that can be either human or software agents. In [9] negotiation is described by means of a number of orthogonal issues: protocol the pattern of information exchange between the parties, strategy the evaluation rules to decide whether to sign an agreement, objects description the description of the objects that have to be sold/bought. The protocol has to be known and applied by all the parties in order to perform a correct conversation. On the contrary a strategy is embodied within each single party; the evaluation is done according to a single party’s perspective. In this work we put the focus on a classic protocol for bidding negotiation, namely CNP [7]. The intuition of bidding protocols is that a single coordinator asks for an offer to a number of participants, each makes an offer and the coordinator chooses one of the requests. The interaction between agent involved in a CNP has been described by the Foundation for Intelligent Physical Agents (FIPA) [10] by means of the following steps: (1) the Initiator sends a CFP, (2) each Participant reviews the received CFP’s (possibly from different initiators) and bids (i.e., sends a proposal) on the feasible ones accordingly, (3) the Initiator chooses the best bid and awards the Contract to the respective Participant, (4) the Initiator rejects the other bids. Time is a relevant aspects to consider when implementing a CNP; [11] proposes a meta-model for CNP (i.e., the Time-Bounded Negotiation Framework), describing three different variants: the Nothing-Guaranteed Protocol (NGP) where the bidder does not give any grant about the future availability of its proposal (i.e., the grant holds for an interval t = 0), the AcceptanceGuaranteed Protocol (AGP) where the bidder is forced to keep its proposal available until it receives a notification (i.e., t = ∞) and the Finite-Time Guarantee Protocol (FGP) where the proposal is valid just for a certain period of time. In this paper we take into account the AGP. A further discussion about the relation of atomic commit with the other two approaches is left as a future work. Thus we assume that, once the initiator takes a decision, all the parties have to respect it.

UBLCS-2005-16

4

2

Background

2.2 An Overview of the Asynchronous Pi Calculus The asynchronous pi calculus assumes distributed entities called processes which exchange messages over channels, named u, v, . . . , z. The content of a message is also a channel name. A process can send a message z along a channel u with the non-blocking output action u z. A process can also receive a message on channel u with the blocking input action u(v).P . The parallel execution of two processes P and Q can be expressed as P | Q. Parallel processes can communicate by performing an input and an output action on the same channel. Communication τ along u is described by the reaction u z | u(v).P −→ P {z/v }. Its effects are visible to the receiver as name substitution of the actual parameter z for the formal parameter v. The continuation P of the input process can be executed after the input on u has been received. In the polyadic pi calculus a message is a string of names v˜ instead of a single name v. The process νu.P declare a local variable u with scope P . The process P + P represents the choice, !P can crate an arbitrary number of copies of P . The pi calculus is summarized in Table 1: labelled transitions define the possible reactions of a process, contexts C are processes with holes filled by other processes, and represent environments. Simulation is a relation characterizing when two processes have the same behavior. 2.3 The Atomic Commit The generic problem of atomic commit can be described by the following scenario. Let us consider a transaction that is distributed across n parties. Each party executes some local computation and eventually reaches a state in which it is either able or unable to commit. The parties have to enact some protocol to agree on the outcome. In particular it is necessary to assure that they eventually either all commit or all abort. It is assumed that a party can not pass from an unable state to an able one; if at least one party is unable, then the transaction must abort. In this paper we use a particular formulation of the atomic commit proposed in [12], that presents an analogy between the problem of atomic commit and the synchronous rendezvous of process calculi. In particular the basic rendezvous mechanism itself is already a special case of atomic commit between two parties. Since the problem of the atomic commit typically involves n parties, it is introduced a multi-parties rendezvous: u |v |w |u()∧v()∧w().P → P . We use the notation u(x)∧v(y)∧w(z).P to refer, at a high level, the atomic commit among the parties u, v, z. The multi-parties rendezvous is used to represent a generic solution to the atomic commit in the encoding of Pi-CNP (Section 6). The generic solution to the atomic commit is expressed as an implementation of the higher level description that follows. The protocol is defined as a set of states with transitions → among them. The transitions might correspond to transmission and receipt of a message, or an instance of failure. All the possible states are partitioned into the following disjoint and exhaustive partitions. Write (x, y) for a state where x parties have committed and y aborted. Let i, j range over 1 . . . N −1. A state (x, y)w denotes a case in which all the parties are able to commit (willing) and (x, y)u the case in which at least one party is unable (unwilling). The properties defined in literature, characterizing atomic commit protocols, have been used in [12] to define the high level semantic for correct atomic commit protocols that follows: Theorem 2.1 [Correctness] A transition system (P, →, ↓) is an atomic commit protocol iff it is bisimilar to the following diagram: (0, 0)wG GGGGG GGGG '  (N, 0)w (0, N )w

(0, 0)u  (0, N )u

Theorem 2.1, proved in [12], is used in Section 5 to prove that the encoding of atomic commit with Pi-CNP is correct.

UBLCS-2005-16

5

2

Background

Table 1. The asynchronous pi calculus

Terms P in the asynchronous pi calculus are as follows. In u(e x) the names x e are bound, as is x in νx.P . We identify terms up to alpha-renaming of bound names. P ::= 0 u x e u(e x).P P |P νx.P P + P !P u(e x).C P |C C|P C + P P + C νx.C !C C ::=

Labelled transitions are as follows, where labels µ range over u(e x), ν z˜.u x ˜ and τ . Symmetrical rules for (SUM), (PAR), and (COM) are omitted. ux e −→ 0 (OUT) µ

P −→ P 0 µ

!P −→

P0

|!P

µ

P −→ P 0

(REP )

µ

u(e x)

ux e

u(e x).P −→ P µ

P −→ P 0 µ

(IN )

x 6∈ µ

νx.P −→

P −→ P 0 µ

P + Q −→ P 0 e ν z˜.u y

P −→ P 0

(RES )

νx.P 0

(PAR )

µ

P | Q −→ P 0 | Q

P −→ P 0

u(˜ x)

Q −→ Q0

z˜ ∩ fn(Q) = ∅

τ

P | Q −→ ν z˜.(P 0 | Q0 {˜ y/˜ x}) τ ∗

τ

(OPEN)

νx.P −→ P 0

ν z˜.u y˜

bn(µ) ∩ fn(Q) = ∅

x 6= u, x ∈ y˜\˜ z ν z˜x.u y e

(SUM)

µ

τ ∗ µ

τ ∗

(COM) µ

Simulation is as follows. We write ⇒ for −→ , and ⇒ for −→ −→−→ when µ 6= τ , and P =⇒ µ for ∃P 0 : P =⇒ P 0 . A symmetric relation S is a weak ground simulation if whenever P SQ then µ

µ

P −→ P 0 implies there exists Q0 such that Q ⇒ Q0 and P 0 SQ0 . Write . for the largest ground simulation. S is a weak ground bisimulation, if both S and S −1 are weak ground simulations. Write ≈ for the largest ground bisimulation. We note some standard results: P ≈ Q implies ∀C : C[P ] ≈ C[Q] νx.x().P ≈ 0

P |0 ≈ P

P |(Q|R) ≈ (P |Q)|R

!P ≈ P |!P

P +Q≈Q+P

νx.(P |Q) ≈ P |νx.Q if x 6∈ fn(P )

νx.νy.P ≈ νy.νx.P x0

P |Q ≈ Q|P

νx.P ≈ νx .P { /x } if x 6∈ fn(P ) 0

0

Notation We write x eC for an arbitrary sequence x1 , . . . , xn of the elements in set C. We also use these syntactic sugars:

UBLCS-2005-16

x.P

=

x().P

x e.P νe x.P

= =

x1 . . . . .xn .P νx1 . . . . .νxn .P

P ⊕Q

=

νc.(c |c.P |c.Q), c fresh

x[P, Q]

=

νu, v.(x u, v|u.P |v.Q), u, v fresh

x left x right

= =

x(u, v).u x(u, v).v

(empty input)

(sequence input) (sequence restriction) (nondeterministic choice) (selection)

6

3 Negotiation and the Pi-CNP

3

Negotiation and the Pi-CNP

In this section we model CNP with the asynchronous pi calculus. Each instance of the protocol has one initiator I that involves a number of bidders. Each bidder can possibly subcontract. The whole interaction can be represented by a tree structure. Let I be the set of participants to the negotiation. The tree-like hierarchy of these transactions is denoted by a relation par : I 7→ I which indicates the immediate parent of a transaction; writing parn (i) for n applications of the pair function, we assume that if i = parm (j) then do not exists n such that j = parn (i). Define the set of i’s children C(i) = {j : par(j) = i} and the set of i’s descendants D(i) = {j : ∃n.i = parn (j)}. In the initial state Ti already sent its CFP: the identity of the participants C(i) is fixed. Let P roposals be the set of possible proposals, where a ∈ P roposals represents a non-proposal. P roposal has empty intersection with the channels used in the protocol: P roposal ∩ bn(T i ) ∩ {oki , aborti , di , ai , vi } = ∅. The intuition of the channels usage in Ti is summarized in Fig. 2.

Figure 2. The usage of the channels from Ti ’s perspective

In (1) the children make their proposals: a message along vc represents a valid proposal, and a message along ac represents the choice from c not to participate to the agreement (i.e., nonproposal). In (2) each valid proposal is forwarded along mc . Children that sent a non-proposal or that did not respect the deadline are notified later about the non participation to the agreement. In (3) depending on the strategy Ti decides whether it is able to succeeds or not. Success is indicated to the parent over the channel vi , failure over ai . (4) Eventually the parent will know whether to accept i, or to refuse it. This decision is communicated to i via the ‘decision’ channel di , and so determines i’s final state. The transaction i can indicate its final state via the messages oki /aborti . (5) Finally, the decision is propagated to all the children c along the channels deC(i) . The accepted children, according to the internal choice strategy, will be told the same decision as i received. The rejected children and the latecomers, will be told to abort/undo regardless. Strategy is not addressed in detail here but, since it induces choices that influence the execution of the protocol, we represent it as a parameter of Ti . Strategy s has the following influences on the protocol execution, where A is the set of bidders that sent a valid proposal: s.outcome. On the basis of the valid proposals from the children, Ti decides whether to send a proposal or a non-proposal to its parent. s.children. Decides which valid proposals to include in the agreement. s.merge. It is the final proposal from Ti to its parent, considering the self-proposal and the proposals of the sub-contractors. Ti is composed by different processes summarized in Table 2. Q Ti ’s children are implemented by c∈C(i) Tc and the self proposal by m s (xs ) with xs ∈ P roposals. ∅ T imerC(i) receives the votes from all the participants in C(i), that are assumed as non local entities. Its main roles are to convert external messages (i.e., the bids) into internal messages, to UBLCS-2005-16

7

3 Negotiation and the Pi-CNP

Table 2. The generic Pi-CNP node

Ti (s)

B T imerA

∅ = νe vC(i) , e aC(i) , m e C(i) , msi , deC(i) .(ms i (xs ) | T imerC(i) |

=

X

Y

Tc )

(negotiator)

c∈C(i)

B∪{c}

B ((vc (x).(m c (x) | T imerA\{c} ) + (ac .T imerA\{c} ))) ⊕ StopB A

(timer)

c∈A

StopB A

Ti .colA

= Ti .colC(i)\(A∪B)

(deadline)

(local outcome)

= msi (xs ).m e A (e xA ).(s.outcomeA )

Ti .localcA

= v i (s.mergeA (e xC(i) , xs )) | di [Ti .okA , Ti .failA ]

Ti .localfA

= a i | Ti .failA

Ti .okA

= ok i |

Y

(local unability)

d c lef t |

c∈s.childrenA

Ti .failA

= abort i |

Y

(local ability)

Y

d c right

(ok propagation)

c∈C(i)\s.childrenA

d c right

(abort propagation)

c∈C(i)

Table 3. The strategy

s.outcomeA : {P |C(i)|+1} → {Ti .localcA , Ti .localfA } s.mergeA : (P |C(i)|+1 ) → P roposals \ {a} s.childrenA : {P |C(i)|+1 } → P(A).

UBLCS-2005-16

8

4 The Properties of Pi-CNP

manage a deadline for bids arrivals, and to store the valid bidders with a recursive definition of the set A. A StopB A enforces the deadline expiration by triggering Ti .col . Latecomers and bidders that sent a non-proposal are not included in A. Ti .colA receives the internal votes and decides, depending on the strategy, embodied in the strategy s.outcomeA , whether to perform local success, that is Ti .localcA , or local failure, that is Ti .localfA ). s.outcomeA decides on the basis of the set of children proposals x eC(i) and the selfproposal. ∀c ∈ C(i), if c 6∈ A then xc = a. Ti .localcA is executed if bids are satisfactory. In this case Ti sends its proposal vi (s.mergeA ) to the parent, and awaits the parent’s final verdict along di . s.mergeA merges the self-proposal with the sub-contractors proposals. Ti .localfA is executed if the bids do not satisfy Ti . In this case a failure ai is signaled to i’s parent, and Ti .fail is executed to propagate the refusal to all the children. Ti .okA manages the achievement of a successful agreement. An arbitrary number of bidders is selected according to the function s.childrenA and is notified of the success. All the other participants (latecomers, non-proposal senders, parties rejected by s.children A ) are sent a failure message. Ti .failA notifies the failure of the agreement to all the participants. The overall tree of transactions is collected in a test harness that we refer to as initiator (I). We suppose the root of the tree is transaction i:
I = νvi , ai , di . Ti | (vi (x).(d i lef t + d i right) + ai ) . This harness merely executes the root transaction Ti , waits for its overall vote vi , and immediately sends back the vote as the decision if vote was success. If vote was fail there is no need of decision communication: the child already had its outcome without waiting any signal.

4

The Properties of Pi-CNP

In this section we illustrate and prove some properties of Pi-CNP. Durability, addressed in Section 4.1, assures that the outcome of a party is persistent. Eventuality, addressed in Section 4.10, assures that each party eventually reaches an outcome. Local Atomicity, addressed in Section 4.2, assures that the failure of a party implies the failure of all its sub-contractors. Table 4 illustrates the most general representation of the strategy within the protocol: the non deterministic choice of all the possibilities. We considered Ti (nd) in order to prove that the properties hold for each possible strategy. The following lemma underlines that the same properties hold for each possible strategy. Lemma 4.1 Ti (s) . Ti (nd) for each possible s. Lemma follows by observing that, for each possible s, s.outcomeA . nd.outcomeA and s.childrenA . nd.childrenA . Since the decisions of strategy.outcomeA and strategy.childrenA are non deterministic, the proposal has no relevance here. For this reason we assume the proposals to be equal to a simple signal where no message is sent along the channel vi (i.e., nd.mergeA and xs are an empty message). 4.1

Durability

We now prove durability: the observable behavior is never anything other than a single outcome notification (ok i /abort i ) for each node. The property is proved in Theorem 4.6 (basing on Proposition 4.5). We present some auxiliary results first. Lemma 4.2 simplifies the process T i in the case C(i) = ∅, Lemma 4.3 underlines some general results, Lemma 4.4 describes the relation between Ti (nd) sub-processes with different sets of valid proposals. UBLCS-2005-16

9

4 The Properties of Pi-CNP

Table 4. Non determinism as the most general strategy

nd.outcomeA = Ti .localcA ⊕ Ti .localfA Y nd.childrenA = d c lef t ⊕ d c right c∈A

Lemma 4.2 If C(i) = ∅, then Ti (nd) ≈ (vi | di [oki , aborti ]) ⊕ (ai | aborti ). Proof When C(i) = ∅ then Ti (nd) = νmsi .(ms i | T imer∅∅ ) = νmsi .(ms i | msi .(Ti .localc∅ ⊕ Ti .localf∅ )). Observe that the only action Ti (nd) can make is a τ move to Ti0 = νmsi .(Ti .localc∅ ⊕ Ti .localf∅ ) = νmsi .((vi | di [oki , aborti ]) ⊕ (ai | aborti )). Then trivially Ti0 ≈ (vi | di [oki , aborti ]) ⊕ (ai | aborti ). On the other hand the right hand process can just make a τ move performing the external choice. This is reflected by the other hand side with two τ moves (the move for achieving Ti0 followed by the external choice). Lemma 4.3 The following properties hold: 1. P ⊕ di [Q, P ] . P ⊕ (di [0, 0] | P ⊕ Q). 2. (P1 | P2 ) ⊕ (Q1 | Q2 ) . (P1 ⊕ Q1 ) | (P2 ⊕ Q2 ). 3. P1 ⊕ P2 ≈ P1 ⊕ (P2 ⊕ P1 ). 4. P ⊕ Q . P | Q. 5. P + Q . P | Q. 6. x.Q . x | Q. 7. νx.(x | P ) . νx.P

Lemma 4.4 The following properties hold: 1. Ti .okA . Ti .okC(i) with A ⊆ C(i). 2. Ti .failA . Ti .failC(i) with A ⊆ C(i). Q 3. Ti .colA . c∈C(i) mc | msi | Ti .okC(i) ⊕ Ti .failC(i) with A ⊆ C(i). Proposition 4.5 νvi , ai , di .(Ti (nd) | d i lef t ⊕ d i right) .

UBLCS-2005-16

Q

j∈D(i) (abort j

⊕ ok j ).

10

4 The Properties of Pi-CNP

Proof By induction on the depth of the tree. Base Case. C(i) = ∅. By Lemma 4.2, Ti (nd) ≈ (v i |di [ok i , abort i ]) ⊕ (a i |abort i ). Applying now Lemma 4.3 (2, 1, 2 and 3) to the right hand term: Ti (nd) . (v i ⊕ a i ) | (di [ok i , abort i ] ⊕ abort i ) . (v i ⊕ a i ) | (abort i ⊕ (di [0, 0] | (ok i ⊕ abort i )) . (v i ⊕ a i ) | (abort i ⊕ (ok i ⊕ abort i )) | d[0, 0] . (v i ⊕ a i ) | (abort i ⊕ ok i ) | d[0, 0]. Trivially νvi , ai , di .(Ti (nd) | d i lef t ⊕ d i right) . (abort i ⊕ ok i ). Inductive Case. Let us consider a generic node Ti . We have for inductive hypothesis that ∀c ∈ C(i) Y (abort j ⊕ ok j ). νvc , ac , dc .(Tc (nd) | d i lef t ⊕ d i right) . (1) j∈D(c)

By the standard results properties of ≈ (Table 1) we have the following: Y ∅ Tc | ν m e C(i) , msi .(ms i (x) | T imerC(i) Ti (nd) ≈ νe vC(i) , e aC(i) , deC(i) .( )).

(2)

c∈C(i)

For Lemma 4.3 (4, 5 and 6) and Lemma 4.4.3 Y Y Y ∅ ac | vc | T imerC(i) . m c | Ti .colC(i) .

Y

c∈C(i)

c∈C(i)

c∈C(i)

vc |

Y

ac |

mc |

c∈C(i)

c∈C(i)

c∈C(i)

Y

Y

(3)

mc | msi | Ti .okC(i) ⊕ Ti .failC(i) .

By standard result properties the following holds: Y Y νm e C(i) .msi ( mc | m c | msi | ms i ) ≈ 0 c∈C(i)

(4)

c∈C(i)

(5)

c∈C(i)

By using (5) and (4) we have

∅ νm e C(i) , msi .(ms i | T imerC(i) ).

Y

vc |

c∈C(i)

Y

ac | Ti .okC(i) ⊕ Ti .failC(i) .

(6)

c∈C(i)

By substituting the left hand term of (6) in (2) (we use the shorthand w e to denote veC(i) , e aC(i) , deC(i) ) Y Y Y Ti (nd) . ν w. e vc | ac | Ti .okC(i) ⊕ Ti .failC(i) | Tc (nd) (7) c∈C(i)

c∈C(i)

c∈C(i)

and then applying Lemma 6.2 plus some standard results to (7) Y Y Ti (nd) . ν w.abort e dc lef t ⊕ dc right | Tc (nd). i ⊕ ok i | c∈C(i)

(8)

c∈C(i)

Applying (1) to (7) we finally obtain

νvi , ai , di .(Ti (nd) | d i lef t ⊕ d i right) .

Y

(abort j ⊕ ok j ).

(9)

j∈D(i)

Corollary 4.6 [Durability] I . UBLCS-2005-16

Q

i∈I (abort j

⊕ ok j ). 11

4 The Properties of Pi-CNP

4.2 Eventuality We prove that any node of the tree can always notify an outcome (none of the nodes deadlocks). Lemma 4.7 proves that each part can eventually send a proposal for each possible computation. Lemma 4.8 provides that, depending on the proposal of a node, we can always get a decision from the parent that unblocks one of the final processes Ti .ok or Ti .fail. Then we prove (Lemma 4.9) that if a node votes and its provided with a decision then it and all the subtree is able to have an outcome. This leads directly to Theorem 4.10 that deals with the observable behavior of I. The following lemma is that a transaction can always eventually vote, no matter what sequence of internal moves it has already made. Henceforth we use the shorthand z˜ = veC(i) , e aC(i) , m e C(i) , msi , deC(i) to refer to the scope of a node Ti . v

τ

a

i i Lemma 4.7 If Ti (nd) =⇒ Ti0 then Ti0 =⇒ or Ti0 =⇒.

B Proof The possible steps for the process T imerA are B∪{c}

• an input along vc , with c ∈ A, that triggers T imerA\{c} , B • an input along ac , with c ∈ A, that triggers T imerA\{c} ,

• the τ step of the choice that enables the execution of StopB A.

P ∅ Thus, after a finite number of steps, T imerC(i) can be reduced into c∈S m c (x) | Ti .colS , with S ⊆ C(i). It follows that X τ ∗ Ti (nd) =⇒ ν z˜.(ms i (xs ) | m c (x) | Ti .colS ). c∈S

The right hand term can only make the τ steps of the communications along msi and mc and is eventually reduced into ν z˜.nd.outcomeS = ν z˜.(Ti .localcS ⊕Ti .localfS ). The process Ti .localcS ⊕ Ti .localfS ) is able to perform the external choice leading to a either a communication along ai or a communication along vi . Lemma 4.8 di lef t

v

di right

i 1. If Ti (nd) =⇒ Ti0 then Ti0 =⇒ ν z˜.(Ti .ok | P ) for some P and Ti0 =⇒ ν z˜.(Ti .fail | Q) for some Q,

a

τ

i 2. If Ti =⇒ Ti0 then Ti0 =⇒ ν z˜.(Ti .fail | P ) for some P .

Proof 1. If Ti was able to perform a v i transition it has previously unblocked the process successful branch of nd.outcomeA in the process Ti .colA that is v i | di [Ti .okA , Ti .failA ]. After the v i transition it will become Y ν z˜.(di [Ti .okA , Ti .failA ] | Tc0 ). c∈C(i)

The only possible transitions are the following: di lef t

−→ ν z˜.(Ti .okA |

Y

Tc0 )

(10)

c∈C(i) di right

−→ ν z˜.(Ti .failA |

Y

Tc0 )

(11)

c∈C(i)

where (10) enables a step along v i and (11) enables a step along a i . UBLCS-2005-16

12

4 The Properties of Pi-CNP

2. If Ti is able to perform a a ¯i action it has already triggered the failing action of nd.outcomeA A in Ti .col . After sending the output a ¯i the process of the node i is as follows and enables a step along a i : Y Tc0 ) enabling a i step. ν z˜.(Ti .failA | (12) c∈C(i)

Note: by hypothesis, only τ moves have been performed hence Ti .fail has not reacted. v

ok j

a

i i Lemma 4.9 If Ti0 : Ti =⇒ Ti0 or Ti =⇒ Ti0 then for every j ∈ {i} ∪ D(i), we have Ti0 | d i =⇒ or

abort j

Ti0 | d i =⇒ . Proof Let us reason by induction on the depth of the level of i. v

a

i i Ti0 or Ti −→ Ti0 . Thus by Lemma 4.8 Ti0 | d i Base Case. C(i) = ∅. By Lemma 4.7, Ti −→

v i (x)

ai

outcome i

=⇒ .

or Ti −→ By Lemma 4.8 we have Ti0 | Inductive Case. By Lemma 4.7 we have Ti −→ τ τ d i =⇒ ν z˜.(Ti .ok | P ) for some P or Ti0 | d i =⇒ ν z˜.(Ti .fail | P ) for some P . Recall the definition of Ti .ok and Ti .abort: Y Ti .okA = ok i | s.childrenA | d c right Ti0

Ti0 .

c∈C(i)\A

Ti .failA

=

abort i |

Y

d c right |

c∈A

Y

d c right

c∈C(i)\A

In both cases it is possible, from ν z˜.(Ti .ok | P ), to perform the following actions: d

c • −→ such that by inductive hypothesis ∀j ∈ D(c) ∪ {c}, Tc0 | d c

•

outcome j

=⇒ ,

outcome i

−→ . v

i Ti0 then for every j ∈ {i} ∪ D(i), Ti0 | d i It holds so that for any Ti0 such that Ti =⇒

outcome j

τ

=⇒ . ok

Corollary 4.10 [Eventuality] For every I such that I =⇒ I 0 then, for every j ∈ I, where I 0 =⇒i or abort

I 0 =⇒ i . Local Atomicity To prove Local Atomicity we simplify (Lemma 4.11) the behavior of Ti by considering its state after the it voted. Recall that by Lemma 4.7, each node eventually votes. Then we show (Lemma 4.12) that if a node i receives a failure decision or votes failure itself then none of the nodes in the subtree of i will ever notify a successful outcome. Finally we show that any node abort just if it received a failure notification or votes failure itself and generalize the property to the whole protocol I. Lemma 4.11 Q v i (x) vc Tc0 . 1. If Ti =⇒ Ti0 then Ti0 ≈ ν deC(i) .(di [Ti .ok, Ti .fail] | c∈C(i) Tc0 ) with Tc =⇒

Q ai vc 2. If Ti =⇒ Ti0 then Ti0 ≈ ν deC(i) .(Ti .fail | c∈C(i) Tc0 ) with Tc =⇒ Tc0 or Tc ⇒ Tc0 . UBLCS-2005-16

13

5 Expressing Atomic Commit with CNP

Lemma 4.12 v i (x)

ok j

1. If Ti =⇒ Ti0 then @j ∈ {i} ∪ D(i) such that Ti0 | d i right =⇒, ok j

a

i Ti0 then @j ∈ {i} ∪ D(i) such that Ti0 =⇒. 2. if Ti =⇒

Proof For induction on the depth of the tree. Base Case. the tree is composed by node Ti with C(i) = ∅. From Lemma 4.2 Ti ≈ T si with T si = (v i (x)|di [ok i , abort i ]) ⊕ (a i |abort i ). The only step that T si can perform is a τ action corresponding to the choice of one of the two branches. v i (x)

τ

1. If the left branch is chose then the only possible sequence of steps is: T si −→ v i (x)|di [ok i , abort i ] =⇒ τ

abort

di [ok i , abort i ]. Hence di [ok i , abort i ] | d i right =⇒ abort i =⇒ i . τ

a

i 2. If the right branch is chose then the only possible sequence of steps is: T si −→ a i |abort i =⇒

abort

abort i =⇒ i . v

i Ti0 . Depending on the vote type we have two cases: Inductive Case. we have that Ti =⇒

Q v i (x) 1. If Ti =⇒ Ti0 then by Lemma 4.11 Ti0 ≈ ν deC(i) .(di [Ti .ok, Ti .fail] | c∈C(i) Tc0 ). Hence νdi .(Ti0 | d i right) ≈ Ti .fail |

Y

Tc0 ).

c∈C(i)

Here i will surely fail (and just fail for durability (Corollary 4.6)) and will also provide a d c right decision ∀c ∈ C(i) that for inductive hypothesis grant that @j ∈ {c} ∪ D(c) such ok j

that Tc0 | d i right =⇒. Q ai Ti0 then for Lemma 4.11 Ti0 ≈ ν deC(i) .(Ti .fail | c∈C(i) ). The case is analogue to the 2. If Ti =⇒ previous one here. abort

ok j

Theorem 4.13 [Local Atomicity] If I =⇒ i I 0 then @j ∈ D(i) such that I 0 =⇒. abort

Proof If I =⇒ i I 0 then i must have failed for one of the following reasons: • i voted v¯i (x), the result follows from Lemma 4.12.2, • i voted a ¯i and received a failure decision from the parent d¯i right. The result follows from Lemma 4.12.1.

5

Expressing Atomic Commit with CNP

In order to express an atomic commit protocol by means of Pi-CNP we define a strategy (see Table 5) for which Pi-CNP satisfies Theorem 2.1. ac.outcomeA allows a state of local success only if all the children voted a valid proposal before the expiration, local failure otherwise. ac.children A defines the children either all confirmable or all rejectable depending on the local outcome. In case of local success the transaction can also fail; in this case all the children are rejected. We define ac.mergeA = xs as the empty message (messages along vi and ai are empty signals). Let I(ac) denote an instance of Pi-CNP with the strategy of Table 5. A preliminary lemma and correctness of the encoding are presented below. UBLCS-2005-16

14

5 Expressing Atomic Commit with CNP

Table 5. The strategy for atomic commit

ac.outcomeA = ac.childrenA =

( 

Ti .localcC(i) ⊕ Ti .localfC(i) Ti .localfA C(i) ∅

if A = C(i); otherwise.

if ac.outcomeA = Ti .localcC(i) ⊕ Ti .localfC(i) ; otherwise.

ok j

v

i Lemma 5.1 If Ti (ac) =⇒ Ti0 (ac) then ∀j ∈ {i} ∪ D(i), Ti0 | d i lef t =⇒.

Proof Let us reason by induction on the depth of the level of i. Base Case. C(i) = ∅. By Lemma 4.2, Ti = (v i | di [ok i , abort i ]) ⊕ (ai | aborti ). If a message along vi was sent, then the left hand term was previously chosen, and Ti0 = di [ok i , abort i ]. Trivially ok

i Ti0 | d i lef t =⇒.

v

i Ti0 (ac) then for Lemma 4.8,Q Ti (ac) | d i lef t =⇒ Ti .ok | P . The exeInductive Case. If Ti (ac) =⇒ cution of Ti .ok triggers the output ok i and the messages c∈C(i) dc lef t. ∀c ∈ C(i), by inductive hypothesis, we have ∀j ∈ D(c) the outcome ok j .

Proposition 5.2 I(ac) is an atomic commit protocol. Proof It is sufficient to show that I(ac) is bisimilar to the diagram of Theorem 2.1 in order to prove that it is an atomic commit protocol. We observe that I(ac) eventually reaches a state in ∅ which either all the parties already voted or the deadline expires. In this state, T imer C(i) →∗ Q A e A (xA ).(ac.outcome ) where A is the set of parties for which a valid proposc∈A m c (xc ) | msi .m als was received in time. It holds that either A = C(i) or A ⊂ C(i). We associate A = C(i) to the state (0, 0)w, and A ⊂ C(i) to the state (0, 0)u of the diagram. Starting from both (0, 0)w and (0, 0)u, a number of τ steps are performed, Y ms i (xs ) | m c (xc ) | msi .m e A (xA ).(ac.outcomeA ) →∗ ac.outcomeA c∈A

that are also associated to states (0, 0)w and (0, 0)u respectively. In (0, 0)u, ac.outcomeA = Ti .localfA . The subprocess Ti .failA of Ti .localfA enables a message abort i and, for Eventuality (Corollary 4.10) and Local Atomicity (Theorem 4.13), all the participants abort: (0, 0)u ⇒ (0, N )u In (0, 0)w, ac.outcomeC(i) = Ti .localcC(i) ⊕ Ti .localfC(i) . If ac.outcomeC(i) → Ti .localfC(i) then failC(i) enables a message abort i and, for Eventuality (Corollary 4.10) and Local Atomicity (Theorem 4.13), all the participants have to abort (i.e., (0, 0)w ⇒ (0, N )w). If ac.outcome C(i) → Ti .localcC(i) then (1) a message along vi unblocks the process d i lef t + d i right in the harness, C(i) (2) it is possible to execute either Ti .okC(i) or Ti .failQ depending on the parent decision. For Lemma 5.1, the message d i lef t assures an outcome j∈D(i) ok j , corresponding to the transition

C (0, 0)w ⇒ (N, 0)w. If the message d i right Q is chosen from the harness, Ti .fail (i) is executed assuring, for Local Atomicity, an outcome j∈D(i) abort j (i.e., (0, 0)w ⇒ (0, N )w). Finally notice that, for Durability (Corollary 4.6), (0, N ) and (N, 0) are final states.

UBLCS-2005-16

15

6 Expressing CNP with Atomic Commit

6

Expressing CNP with Atomic Commit

In this section we discuss in detail a list of differences between atomic commit and CNP. In particular we study an encoding for overcoming each of these differences. Section 6.1 addresses the votes collection (i.e., atomic commit waits for all the participants to vote, CNP allows participants to ignore the CFP), Section 6.2 addresses the outcome achievement (i.e., atomic commit succeeds only if all the votes are successful, CNP does not) and propagation (i.e., in case of success atomic commit assures the success of all the children, CNP can confirm just a subset of children), Section 6.3 discusses the differences of the yes/no vote type of Atomic Commit versus the CNP proposals. Section 6.4 presents a summary of the encoding. 6.1

Votes Collection.

A participant to CNP can decide whether to reply or not to a CFP, basing on other possible CFPs received and its own convenience. The initiator waits for proposals until the expiration of a deadline. Atomic commit waits for all votes. According to [5] atomic commit should consider unreliability (i.e., message loss among the distributed parties and temporary node crash). A solution to the atomic commit should cope with the problem of missing votes due to message loss. In general message loss is overcame with the usage of timers in the wait for votes phase. The case, in CNP, in which a party does not answer to a CFP corresponds, in the essence, to the loss of its vote. 6.2 Outcome Achievement and Propagation. We consider a simplified scenario where a proposal can be yes or no, similarly to the vote of atomic commit. We address generalized proposals later. According to [12] (see also Section 2.3), an instance of atomic commit is representable by a generalized rendezvous (e.g., a 1 ∧ . . . ∧ an .Pn ). In a negotiation there are different combination of proposals from i’s children that may lead to an agreement. We can represent each of these combinations as a set N (i) ⊆ C(i). N (i) encloses all the participants that are required to propose yes in a particular combination of proposals. For instance if we need to book a travel including transport and hotel room we can start a negotiation with a flight company, the railway company and a hotel. There are two combinations in this case: (Plane ∧ Hotel) and (Train ∧ Hotel). In [12] this behavior is expressed by mean of a choice among instances of atomic commit. For example, writing p() for the plane, t() for the train and h() for the hotel we can have p |h |p()∧h().S1 + t()∧h().S2 → S1 . t |h |p()∧h().S1 + t()∧h().S2 → S2 . In general, let Jj be an instance of atomic commit (expressed as multiparty rendezvous) with j ∈ {1, . . . , n}. Let Jj represent a set Nj (i) of necessary votes for i’s success. The overall behavior is represented by the choice J1 + . . . +Jm . Let A(i) ⊆ N (i) be the set of confirmed proposals in a particular combination. According to the proposed encoding of negotiation as a choice of atomic commit, we can express a scenario where N (i) = A(i): all the parties in Jj are necessary and accepted. The possibility that, in case of success, only some of the proposals are confirmed, is expressed by the choice operator. Recalling the example above, p()∧h() + t()∧h().S2 , either plane or train is confirmed even if they are both available. There is a further aspect to consider. A negotiation can commit even if some parties are not available. Let us consider, for instance, the case in which hotel h and plane p are necessary and taxi t is not. We can represent this scenario with two instances of atomic commit: with and without t (i.e., h ∧ p ∧ t + h ∧ p). The case in which a necessary party is not eventually confirmed is not represented (e.g., ‘book the flight just if there is a free hotel, but do not book the hotel’). This seems a reasonable limitation according to the use cases of the negotiation problem. UBLCS-2005-16

16

7 Conclusion

6.3 The Vote Type. We considered so far a proposal that can have values within a limited set, namely {yes, no}. Let us extend the set of proposals to a generic set P roposals. If P roposals is finite, then it is possible to represent the scenario with a number |P roposals| of yes/no-negotiations (i.e., J1 + . . . + Jn ): one for each possible value of P roposals. There is no a priori limitation to the cardinality of P roposals but to express CNP it is necessary a finite number of values. 6.4 The Encoding. Let us consider a negotiation with a set C(i) of participants. Each element of P(C(i)) represents a set of necessary elements in one instance of atomic commit. A negotiation is associated to a subset of P(C(i)). The presence of an unnecessary element i can be described by the repetition of the same set with and without i. The negotiation about a set of values extending the simple set {yes, no} is representable by the repetition of |P roposals| protocols on the {yes, no} set.

7

Conclusion

We modeled CNP with the asynchronous pi calculus and we illustrated some basic properties. We studied the relationship between CNP and atomic commit. On the one hand we have shown that the atomic commit is a particular case of CNP: a particular strategy exists that allows to satisfy the atomic commit requirements. On the other hand we have shown how the atomic commit can be exploited to implement negotiation protocols, with some limitations. The limitations are: (1) considering atomic commit protocols that address message loss, (2) excluding the case in which a necessary party is not eventually confirmed (3) defining P roposals as a finite set. Furthermore, in a negotiation scenario the choice is a done a posteriori with respect to the votes arrival. We represented it as the non deterministic choice among an a priori planned set of possibilities. Non determinism does not represent the preference among the possibilities. We conclude that: i) negotiation is a wider problem, w.r.t. atomic commit, ii) atomic commit, for which a number of solutions have been proposed and implemented, can be exploited to model a meaningful subset of the negotiation features.

References [1] Roberts J. and Srinivasan K. Tentative Hold Protocol Part 1: White Paper. http://www. w3.org/TR/tenthold-1/, 2001. [2] OASIS. Business Transaction Protocol. http://www.oasis-open.org/committees/ download.php/1184/2002-06-03.BTP cttee spec 1.0.pdf, 2002. [3] Cabrera F., Copeland G., Cox B., Freund T., Klein J., Storey T., and Thatte S. Web Services Transaction (WS-Transaction). http://www-106.ibm.com/developerworks/ webservices/library/ws-transpec/. [4] Dalal S., Temel S., Little M., Potts M., and Webber J. Storey T. Coordinating Business Transactions on the Web. IEEE Internet Computing, 7(1):30–39, 2003. [5] Hadzilacos V. On the Relationship Between the Atomic Commitment and Consensus Problems. In B. Simons and A.Z. Spector, editors, Fault Tolerant Distributed Computing, volume 448 of Lecture Notes in Computer Science, pages 201–208. Springer-Verlag, 1990. [6] Davis R. and Smith R. G. Negotiation as a Metaphor for Distributed Problem Solving. In Readings in Distributed Artificial Intelligence, pages 333–356. Morgan Kaufmann Publishers Inc., 1988.

UBLCS-2005-16

17

REFERENCES

[7] Smith R. G. The Contract Net Protocol: High-Level Communication and Control in a Distributed Problem Solver. In Readings in Distributed Artificial Intelligence, pages 357–366. Morgan Kaufmann Publishers Inc., 1988. [8] Milner R. Communicating and Mobile Systems: the Pi-Calculus. Cambridge University Press, 1989. [9] Jennings N. R., Parsons, S., Sierra C., and Faratin P. Automated Negotiation. In Proceedings of 5th Int Conf. on Practical Application of Intelligent Agents and Multi-Agent Systems (PAAM2000), pages 23–30, 2000. [10] FIPA. FIPA Contract Net Interaction Protocol Specification. FIPA, 2001. [11] Lee K. J. and Chang Y. S. Time-Bounded Negation Framework for Multi-Agent Coordination. In Selected papers from the First Pacific Rim International Workshop on Multi-Agents, Multiagent Platforms, pages 61–75. Springer-Verlag, 1999. [12] Bocchi L. and Wischik L. A Process Calculus of Atomic Commit. Electronic Notes in Theoretical Computer Science, 105:119–132, 2004.

UBLCS-2005-16

18