Nested commits for mobile calculi: extending Join - Semantic Scholar

Nested commits for mobile calculi: extending Join (Cover Page) Authors: Roberto Bruni Hern´an Melgratti Ugo Montanari

Dipartimento di Informatica, Universit`a di Pisa, Italia Dipartimento di Informatica, Universit`a di Pisa, Italia Dipartimento di Informatica, Universit`a di Pisa, Italia

Submission to track 2 of IFIP-TCS 2004

Corresponding author: First name Hern´an Last name Melgratti Affiliation Dipartimento di Informatica, Universit a` di Pisa Address Via F. Buonarroti n.2, 56127 Pisa, Italia Phone +39 050 2213146 Fax +39 050 2212726 [email protected] email

Abstract: In global computing applications the availability of a mechanism for some form of committed choice can be useful, and sometimes necessary. It can conveniently handle, e.g., contract stipulation, distributed agreements, and negotiations with nested choice points to be carried out concurrently. We propose a linguistic extension of the Join calculus for programming nested commits, called Committed Join (cJoin). It provides primitives for explicit abort, programmable compensations and interactions between ongoing negotiations. We give the operational semantics of cJoin in the reflexive CHAM style. Then we discuss its expressiveness on the basis of a few examples and of the cJoin encoding of other paradigms with similar aims but designed in different contexts, namely AKL and Zero-Safe nets. Finally, we provide a big-step semantics for cJoin processes that can be typed as shallow. We show that shallow processes are serializable by proving the correspondence between CHAM and big-step semantics. Keywords: Join calculus, distributed transactions, nested negotiations, compensation on abort, committed choice languages, zero-safe nets.

Nested commits for mobile calculi: extending Join ? Roberto Bruni, Hern´an Melgratti, and Ugo Montanari Dipartimento di Informatica, Universit`a di Pisa, Italia. fbruni,melgratt,[email protected]

Abstract. In global computing applications the availability of a mechanism for some form of committed choice can be useful, and sometimes necessary. It can conveniently handle, e.g., contract stipulation, distributed agreements, and negotiations with nested choice points to be carried out concurrently. We propose a linguistic extension of the Join calculus for programming nested commits, called Committed Join (cJoin). It provides primitives for explicit abort, programmable compensations and interactions between ongoing negotiations. We give the operational semantics of cJoin in the reflexive CHAM style. Then we discuss its expressiveness on the basis of a few examples and of the cJoin encoding of other paradigms with similar aims but designed in different contexts, namely AKL and Zero-Safe nets. Finally, we provide a big-step semantics for cJoin processes that can be typed as shallow. We show that shallow processes are serializable by proving the correspondence between CHAM and big-step semantics.

1 Introduction In recent years, wide area network computing, web programming, and, more generally, global computing (GC) are attracting the interest of many researchers in an attempt of laying the foundations for largely distributed applications. Such applications often require a coordination layer to orchestrate their components, which are designed and implemented separately, run on different platforms and communicate asynchronously (e.g. e-commerce or on-line auction systems). Though orchestration can be interpreted as the atomic execution of certain control activities (e.g. in terms of transactions, like in [15,6]), more generally, the problem is that of committing the results of long distributed decision processes as soon as the participants reach partial agreements (also called contracts or negotiations). In this context the terminology “commit” is maybe more appropriate than “transaction” because the ordinary ACID (Atomicity, Consistency, Isolation, and Durability) properties of transactions must be relaxed. For example, regarding atomicity, the fact that local commits are executed in all sites at the same time can hardly be ensured in a largely distributed system. Process description languages (PDLs), e.g. the π-calculus [13], are mathematical models of computation designed for isolating and studying phenomena that can occur in concurrent languages. In the spirit of PDL, it would be desirable to extend well-known calculi with primitives for distributed nested commits. Two key operations are the “abort with compensation” (e.g., to stop a negotiation when some participants withdraw their interest in carrying out the contract) and the “commit” (to store a partial agreement before moving to the next phase of a long negotiation). In this paper we propose a linguistic extension, called Committed Join (cJoin), for the Join calculus, a well-known PDL which has running distributed implementations, e.g. Jocaml [9] and Polyphonic C ℄ [1]. The design of cJoin is guided by the intuitive requirements (i)–(vi) below. Contracts are decision processes distributed on several nodes, each with the possibility of consulting both local and global resources and generating local sub-contracts (e.g. modeling decisions internal to an organization). However: (i) each internal sub-decision should not be made public before a common agreement is achieved, therefore only local resources should store such information; (ii) global resources might ?

Research supported by the MSR Cambridge Project N API, by the FET-GC Project IST-2001-32747 AGILE, by the MIUR Project COFIN 2001013518 C O M ETA, and by the MURST-CNR 1999 Project, Software Architectures on Cooperative WAN.

2

R. Bruni, H. Melgratti, and U. Montanari

be made available to partners upon commits, marking the conclusion of some contract; (iii) decision processes can be aborted, in which case all participants should be informed and suitable compensation procedures should be activated (e.g., upon a failure, new attempts for finding an agreement can be initiated) ; (iv) though divergence is possible in principle, well designed GC applications should guarantee that each contract eventually leads to an abort or a commit; (v) when two processes involved in separate negotiations exchange some information, then their contracts should be merged into a unique one. Similarly, new participants should be allowed to dynamically join an ongoing contract, taking part in the final decision. A participant interested in carrying out two separate contracts should instead be able to emit two independent agents, carrying out the two negotiations autonomously in a concurrent way. From what said above, (vi) it should be possible to have nested contracts. In general, an internal abort can be compensated in such a way that the main contract can be successfully completed. On the other hand, a failure of the main contract should cause the abort of all ongoing internal activities. The operational semantics of cJoin is given in the reflexive CHAM style introduced in [10]. Moreover, we define a big-step semantics for a sub-calculus of serializable processes, called shallow processes. We are interested on serializability, which is a standard requirement about correct executions of concurrent transactions, because it allows us to reason about a system at different levels of abstractions by considering transactions as single transitions at the abstract level. We show that shallow processes are serializable in cJoin by proving a correspondence between CHAM and big-step semantics. In this paper we also compare the features of cJoin against those of other two paradigms with similar aims, namely AKL [12] and Zero-Safe nets (ZS nets) [7]. A commit in cJoin resembles that of the AKL, e.g. it takes place when a local activity ends (i.e., when a guard is proved) and it makes local results available to the rest of the system (i.e., local constraints are promoted to the global environment). Our interest in ZS nets is mainly due to the fact that they naturally model multi-way transactions and can be implemented in Join by using a fully distributed two-phase commit protocol [6]. Synopsis. In § 2 we recall the principles of the CHAM and the syntax and semantics of Join. Committed Join is introduced in § 3. In § 4 we illustrate the main features of cJoin by showing a simple application for booking trips and the encoding of AKL. The implementation ZS nets is presented in § 5. Finally, we study serializability in § 6. For referees’ convenience, proof of main results are sketched in Appendices A–C.

2 Background 2.1 The Chemical Abstract Machine The CHAM was proposed in [3] as a suitable framework to model concurrent computations. Basically, states (called solutions) are finite multisets of terms (called molecules), and computations are multiset rewrites. Multisets are written as m1 ; : : : ; mn . Consequently, ; is associative and commutative. We usually abbreviate m1 ; : : : ; mn with i mi . Solutions can be structured in a hierarchical way by using the operator membrane f[:℄g, grouping a solution into a molecule. In [3] molecules can also be built by using airlock constructor, but it is not needed in our presentation. Transformations are described by a set of chemical rules, which specify how solutions may react. In a representing CHAM there are two different kinds of chemical rules: Heating / cooling (or structural) rules syntactical rearrangements of molecules in a solution, and reaction rules ! stating basic computation steps. Structural rules are reversible: a solution obtained by applying a cooling rule can be heated back to the original state, and vice versa (those rules closely correspond to the usual notion of structural congruence between terms). On the other hand, reaction rules cannot be undone. The laws that rule CHAM computations state that whenever an instance of a left-hand-side of a rule is found into a solution, it can be replaced by the corresponding instance of the right-hand-side. Chemical rules S1 ! S2 have no premises and are purely local, specifying only the part of the solution that actually changes. Consequently, they can be applied freely in every solution S; S 1 ! S; S2 (chemical law) and also



Nested commits for mobile calculi: extending Join

3

   

(P ROC ) P; Q ::= 0 j xh~yi j def D in P j PjQ

( STR -NULL) 0 ( STR -JOIN ) PjQ P; Q ( STR -AND ) D^E D; E Dσ dn(D) ; Pσdn(D) ( STR -DEF ) def D in P (with range(σdn(D) ) globally fresh ) ( RED ) J . P; Jσ ! J . P; Pσ

(D EF) D; E ::= J . P j D ^ E (PAT) J; K ::= xh~yi j J jK

Fig. 1. Join Calculus. (a) Syntax. (b) Semantics. dn(xh~yi) = fxg dn(J . P) = dn(J )

dn(J jK ) = dn(J ) [ dn(K ) dn(D ^ E ) = dn(D) [ dn(E )

rn(xh~yi) = f~yg

fn(D ^ E ) = fn(D) [ fn(E ) fn(0) = 0/ fn(PjQ) = fn(P) [ fn(Q)

rn(J jK ) = rn(J ) [ rn(K )

fn(J . P) = dn(J ) [ (fn(P)nrn(J )) fn(xh~yi) = fxg[f~yg fn(def D in P) = (fn(P) [ fn(D))ndn(D)

Fig. 2. Defined, received, and free names.

in sub-solutions, e.g. f[S; S 1 ℄g ! f[S; S2 ℄g. In particular, they can be nested at any level of the hierarchical structure of the chemical solution. Note that, since solutions are multisets, rules can be applied concurrently. 2.2 The Join calculus The Join calculus [10] is a PDL with asynchronous name-passing communication and it has the same expressive power as the asynchronous π-calculus. Join relies on an infinite set of names x; y; :::; u; v; :::. Name tuples are written ~u. Join processes, definitions and patterns are given in Figure 1(a): A process is either the inert process 0, the asynchronous emission xh~yi of message ~y on port x, the process def D in P equipped with local ports defined by D, or a parallel composition of processes PjQ. A definition is a conjunction of elementary reaction rules J . P that associate join-patterns J with guarded processes P. Names introduced by the definition D of def D in P are bound in the whole process P as well as in the guarded processes contained in D. The sets of defined names dn, received names rn and free names fn are defined in Figure 2. The semantics of the Join calculus relies on the reflexive CHAM. It is called reflexive because active reaction rules are represented by molecules present in solutions, which are activated dynamically. Molecules, generated by m ::= P j D, correspond to terms of the Join calculus denoting processes or definitions. The chemical rules are shown in Figure 1(b). We remind that all reactions can be applied inside any larger solution surrounded by membranes. A process P can start its computation when is put into a solution, i.e. the initial state has the form f[P℄g. Rule STR - NULL states that 0 can be added or removed from any solution. Rules STR - JOIN and STR - AND stand for the associativity and commutativity of j and ^, because ; is such. STR - DEF denotes the activation of a local definition, which implements a static scoping discipline by properly renaming defined ports by globally fresh names. A name x is fresh w.r.t. a process P (respectively a definition D) if x 62 fn(P) (resp. x 62 fn(D)). Moreover, x (respectively a set of names) is fresh w.r.t. a solution if it (resp. every name) is fresh w.r.t. every term in the solution. We write the substitution of names x1 : : : xn by names y1 : : : yn as σ = fy1 :::yn =x1 :::xn g, with dom(σ) = fx1 ; : : : ; xn g and range(σ) = fy 1 ; : : : ; yn g. We indicate with σN an injective substitution σ such that dom(σ) = N. We require names to be globally fresh, which means fresh w.r.t the implicit context in which rule is applied. Note that the version considering context would be

i mi ; def D in P  i mi ; Dσdn D ; Pσdn D where range(σdn D ) \ f n( i mi ) = 0/ : Consider, for instance, the solution f[zhx; zi; def xhyi . zhy; xi in xhai℄g, whose second molecule contains ( )

( )

( )

a local definition of x different from the homonym (free) port in the first molecule. When

STR - DEF

is

4

R. Bruni, H. Melgratti, and U. Montanari dno (D ^ E ) dnm (D ^ E )

= =

dno (D) [ dno (E ) dno (J . P) = dn(J ) dnm (D) [ dnm (E ) dnm (J . P) = 0/ Fig. 3. Ordinary and merge names.

dno (J dnm (J

IP IP

) = ) =

0/ dn(J )

applied, the local definition of x is renamed by using a fresh name, obtaining, for instance, the solution f[zhx; zi; x1 hyi . zhy; x1 i; x1 hai℄g. Finally, RED describes the use of an active reaction rule (J . P) to consume messages forming an instance of J (for a suitable substitution σ, with dom(σ) = rn(J )), and produce a new instance Pσ of its guarded process P. By applying RED for σ = f a =y g, the previous solution reduces to f[zhx; zi; x 1 hyi . zhy; x1 i; zha; x1 i℄g. Note that the local port x 1 has been extruded because it appears in a message on the free channel z.

3 Committed Join In this section we present cJoin, its CHAM semantics and compare its features against the informal requirements (i)-(vi) in the Introduction. 3.1 Syntax We extend the syntax of the join calculus by adding terms to denote negotiation processes. They are represented by [P : Q℄, where P is the normal execution of the activity and Q is its compensation, to be executed in the case of an abort. A negotiation process is executed in isolation until reaching either a commit state or an abort condition. In the case of commit, the result is delivered to the outside, whereas its compensation is given control in the case of abort. The abort decision is caused by the presence of the special constant abort. A process can define the creation of new negotiations by using reaction rules such as J . [P : Q℄, i.e., a rule that would produce a new instance of the negotiation process P with compensation Q. To allow interactions among ongoing negotiations we introduce a new kind of reaction rules, called merge definitions. These definitions have the form J P and allow the consumption of messages produced in the scope of different contracts by joining all participants to such negotiations in a unique larger one. The following grammar defines processes and definitions. In order to further simplify the description, we syntactically distinguish processes without definitions, i.e., a parallel composition of messages (M), from processes that can contain definitions (P).

I

M; N P; Q D; E J; K

::= ::= ::= ::=

0 j xh~yi j M jN M j abort j def D in P J .P j J P j D^E xh~yi j J jK

I

j [P : Q℄ j PjQ

I

/ fn([P : Q℄) = fn(P) [ fn(Q) and fn(J P) = The definition of fn is extended with fn(abort) = 0, dn(J ) [ (fn(P)nrn(J )). For definition D, we redefine dn(D) = dn o (D) [ dnm (D), where dno denotes the defined ordinary names and dn m the defined merge names (Figure 3). We assume names introduced by ordinary patterns different from names appearing in merge patterns, i.e., dn o (D) \ dnm (D) = 0/ holds for every definition D. 3.2 Operational Semantics The operational semantics of cJoin is defined in the reflexive CHAM style. Molecules m and solutions S are given by the following grammar: m ::= P

j D j xPy j f[S℄g

S ::= m

j m; S

Nested commits for mobile calculi: extending Join STR - NULL STR - AND STR - DEF RED

[

STR - CONT

MERGE

℄

[

COMMIT ABORT

  P; Q  D; E  Dσ ; Pσ range σ globally fresh ! J . P; Pσ P : Q  f P; xQy g f Mjdef D in 0; xQy g ! M f abortjP; xQy g ! Q I P; N f J σ; S ; xQ y g ! J j : : : jJ I P; f N S ; Pσ; xQ j : : : jQ y g 0 PjQ D^E def D in P J . P; Jσ

STR - JOIN

J1 j : : : jJn

dn(D) (

dn(D)

[

℄

1

n

( dn(D) )

5

)

℄

[

i [ i

℄

i

i ℄

[

i i

1

n ℄

Fig. 4. Operational semantics of cJoin.

xy

As in ordinary Join, processes and definitions are molecules. Additionally, we consider molecules of the form P denoting compensations that are frozen inside a solution. The chemical rules are in Figure 4. The first five chemical rules are the ordinary ones for Join. Rule STR - CONT describes how a term denoting a contract corresponds to a sub-solution consisting of two molecules: the process P and its compensation Q, which is frozen (because the operator : forbids the enclosed process to compute). COMMIT can be executed only when all internal computations have finished, i.e., all participants have done their tasks reaching a (local) state that does not contain locally defined names, which would represent internal states of a negotiation. In this way, a commit means clean termination, where all names denoting internal states of contracts have been consumed. Note that all definitions belonging to a contract can be discarded at commit time, because the messages that are being released do not contain those names, and those names cannot be extruded. Additionally, the compensation procedure is discarded at commit time. Note that a negotiation cannot commit when abort is within the solution. In fact, a process P  abort j P 0 cannot reduce to M j def D in 0 because abort is not a message. On the other hand, abort condition is handled with ABORT, which states that when abort is part of a solution the compensation can be released. Compensations are not predefined to be executed atomically. Nevertheless, as they are ordinary processes, they can be defined by the programmer as negotiations themselves. Interactions among negotiations are specified by rule MERGE, which consumes messages from different contracts and creates a new larger negotiation by combining the definitions and messages of the original ones with a new instance of the guarded process Pσ, where dom(σ) = rn(J ). Special attention should be put at merging negotiations in order not to capture names among local definitions belonging to different negotiations. Name clashes are avoided by imposing the following side condition dn(S i ) \ (dn(S j ) [ fn(S j )) = 0/ for i 6= j. However, if we are guaranteed that STR - DEF generates globally fresh names (and not just locally fresh names) then this side condition can be safely omitted, as it is trivially satisfied. Additionally, the compensation for the joint negotiation is the parallel composition of all the original compensations. In the case of nested contracts only negotiations at the same level can be joined. In practice, it might be useful to have the possibility of applying a top merge definition at an arbitrary depth in the hierarchy of the chemical solution. To this purpose, the rule STR - MOVE below might be added, so that merge patterns could float across contract boundaries, and sibling sub-contracts could be merged using a global merging rule.

xy

STR - MOVE

J

I P; f S g  f J I P; S g [ ℄

[

℄

It should be noted that previous reduction rules do not consider stall situations. Consider for instance the following process [def xhijyhi . 0 in xhi : Q℄, clearly the negotiation cannot compute, because there are no active reaction rules to apply. Neither it can commit, because there is a message (xhi) on a local port. In this situation the contract is blocked and should be aborted. Some of these situations can be recognized and handled locally to promote the abort (i.e., when no local rules can be applied). These situations can be represented by ad hoc rules or by a general rule to generate nondeterministically the abort (situations that real implementations typically handle with timeouts). Nevertheless, we cannot expect to axiomatize

6

R. Bruni, H. Melgratti, and U. Montanari

stall situations because it would mean to write axioms recognizing a non-termination condition, which is an undecidable problem. On the other hand, we do not want to limit the expressiveness of the language. Proposition 3.1. cJoin is a conservative extension of Join. With respect to the informal requirements discussed in the Introduction, we have that, as expected, membranes are exploited to define the boundaries of negotiations. Process like Pj[P 1 j[P2 : Q2 ℄j[P3 : Q3 ℄ : Q1 ℄ straightforwardly model sub-negotiations. The decisions taken internally by P 2 can influence P3 only if some merging definition is available at the level of P1 , in which case the sub-negotiations would be joined together. In absence of merge definitions, global and local resources are kept separate in each sub-negotiation. The commit of P2 can only happen when the internal state contains only global resources . At commit time, the result of the negotiation is made available to P1 . An abort generated in P2 activates the compensation at Q2 at the level of P1 , neither forcing the abort of any other sub-negotiations (P3 ) nor the abort of the main contract (P1 ). Note that if [P2 : Q2 ℄ was the result of the merging of several negotiations, then Q 2 is the union of all the compensations of the participants. Since Join is Turing complete, nontermination is undecidable, and it is left to the programmer’s skill to design applications that eventually lead to an abort or a commit. An important restriction is that local resources cannot cross negotiations boundaries and made known to siblings sub-negotiations. The only way to exchange information between siblings sub-negotiations is via merging definition, that however merge all participants into a unique negotiation that must then commit or abort (or diverge) as such.

4 Examples 4.1 Trip booking The goal of the first example is to show the encoding of a common application in cJoin. It shows how three components can interact in order to allow a customer to book flights and accommodations. We model the hotel component as follows: H

 def WaitBookinghi . [def request hoi . oh$i j priceh$i ^ priceh$i j confirmhvi . BookedRoomhvi priceh$i . abort ^ in offerRoomhrequest ; confirmi : Q℄ ^ BookedRoomhvi . R in WaitBookinghi j : : :

The definition of H includes a rule that creates a negotiation to attend a customer request. This negotiation begins by publishing in the merging port offerRoom the names of the services a client should use to make a reservation (i.e., request to ask for a quote and confirm to accept an offer). For simplicity, we use BookedRoom to denote the change in the state of the hotel component when a successful reservation ends (performed by R). The Airline component (A) can be written similarly but using the merging name offerFlight to publish services instead of offerRoom. The component Customer C can be written as below. C

 def

BookHotelhi . [def HotelMsghr; ci . def offerh$i . chvisai j hotelOK hhConf i ^ offerh$i . abort ^ hConf hi . HotelFoundhi in rhofferi in searchRoomhHotelMsgi : Q0 ℄

^ BookFlighthi . [def FlightMsghr; ci . def offerh$i . chvisai j flightOK hfConf i ^ offerh$i . abort ^ fConf hi . FlightFoundhi in rhofferi in searchFlighthFlightMsgi : Q ^ flightOK hfci j hotelOKhrci I fchi j rchi in BookHotelhi j BookFlighthi j :::

00

℄

Nested commits for mobile calculi: extending Join

7

This component defines two different rules for creating negotiations, one for booking rooms and the other for buying flight tickets. Both processes are quite similar. In particular, the negotiation for booking a room starts by sending a message to the merging port searchRoom in order to get the appropriate names for interacting with a hotel. These names will be received as a message on the local port HotelMsg. When such message arrives, a request for a quote is sent to the port r, which has been defined and published by the component H to attend client requests. After that, a particular offer from the hotel will be received as a message on offer. Whether the customer accepts or not a particular quote is modeled by the multiple reaction rules for the pattern offerh$i. A customer can confirm a received offer using the name c received earlier, i.e. the local port where the hotel negotiation expects a confirmation. Additionally, to be sure that also flight tickets were found before committing, a message hotelOK hhConf i is produced to wait until a flight can be successfully booked. This message will be managed by the merging rule defined in C. The contract will be blocked until a running negotiation for buying flight tickets sends a message to flightOK. At this time, the merging definition can be fired and both contracts merged. Eventually the negotiation will commit by releasing the messages on HotelFound and FlightFound, which denote changes in the state of the customer. The process representing the whole system (including the rules for merging requests and offers of services) can be written as below def searchRoomhhmi j offerRoomhr; ci ^ searchFlighthfmi j offerFlighthr; ci

I hmhr; ci I f mhr; ci

in H j A j C

4.2 Andorra Kernel Language AKL [12] is a concurrent logic programming language that includes the Prolog and committed choice languages (for referees’ convenience, a short description of AKL is in Appendix D). In this section we show how nested agreements and merging definitions can encode some computational features of AKL. We consider guarded rules of the form A G j B, where the head A is an atom, the guard G and the body B are (possibly empty) sequences of atoms, and j is the commit operator. An AKL program P is a list of guarded rules. An execution of P is initiated by providing a goal G , which is a conjunction of atoms. A cJoin process that simulates the behavior of P starting from G is:

def D ^ Jdefs(P )K ^ Jundef(P )K in Jand(G )KtrueG; f alseG j unif hfinal; truei

where D is a set of general definitions (described later in this section), defs(P ) is a partition of P , where every class contains all rules of P that define a particular atom. For instance, defs(A j; A jB; B j) = fA j; A jBg; fB jg. Additionally, undef(P ) denotes the set of all atoms appearing in P for which there are not defining rules, i.e., atoms whose proof will fail. Constraints or unifiers are encoded conveniently as cJoin processes, and denoted by θ, and we use true for the empty set. We will denote the constraints associated to a particular running proof by unif hfinal; θi. Roughly, program rules are encoded as definitions that consume a message denoting an atom to be proved and producing new processes denoting the parallel proofs of the guarded goals of its defining rules. When the whole proof completes successfully, both messages trueGhi and f inal hθi signal the completion of the proof of G for the computed constraints θ. Otherwise, the message falseGhi is sent to notify that G cannot be proved. Encoding rules for program clauses and goals are given in Figure 5. B 1 j C1 ; : : : ; A Bn j Cn is encoded as a merging rule that An atom A defined by program rules A substitutes a token JAKt;f by the proof of its defining rules in a choice-configuration. Instead, an undefined atom is encoded as a rule that always fails. A conjunction and(A 1 ; : : : ; An ) is encoded as a process that activates a negotiation containing the parallel composition of atoms that should be proved, i.e. the JA i Kti ; fi that can activate the proof of individual sub-atoms in the conjunction. Additionally, the negotiation contains the constraints that have been computed locally unif hw; θi corresponding to the proof of the conjunction. Note that every sub-proof initiated

8

R. Bruni, H. Melgratti, and U. Montanari

(D EF ) JA (U NDEF )

B1 j C1 ; : : : ; A

Bn j Cn K JAK

JAKt;f = Jand(A1 ; : : : ; An )Kt;f =

(G OAL) (A ND )

I Jchoice B I f hi

= JAKt;f

( 1

= JAKt;f

Aht; f i def and hi . [def

j C1 ; : : : ; Bn j Cn )Kt f ;

whi . 0 ^V jji 1 n ti hi . provedhwi j thi i 1 n f i hi . and hi j failed hi 2 ::

2 ::

...Rules for handling abortion...

(C HOICE )

Jchoice(A1

jB1 ; : : : ; An jBn)Kt f ;

in andhi

=

V

in jji21::n JAi Kti ; fi j unif hw; θi : f hi℄

def i21::n ihi . Jand(Bi )Kt;f in [def jji21::n fi hi j provinghi . abort i21::n ti hi j provinghi . ihi j chosenhi

V

...Rules for handling abortion...

in jji21::n Jand(Ai )Kti ; fi j provinghi : f hi℄ Fig. 5. Encoding of AKL committed rules.

I

(1) unif hw; θi [unif hw; θi : unif hw; θi℄ (3) failhi abort

I

(2) unif hw; θi (4) tellhw; θ1 i

j proved hwi I tellhw; θi j unif hz; θ2 i I and hθ1 ; θ2 ; z; faili

Fig. 6. Constraint handling rules.

by JAi Kti ; fi eventually will end by notifying its successful or failed termination by using ports t i and f i , respectively. Rule whi . 0 is a convenient way to define a local identifier for the negotiation and has no computational meaning. The second rule handles the case when all sub-proofs end successfully: message t hi is produced to signal the successful proof of the conjunction, although it is not released until the commit; proved hwi is generated to activate the promotion of the computed constraints (rules for promotion are defined in D and are explained below). The last set of rules defines the behavior of a contract when one of the sub-atoms reports a failure, i.e., a message on a port f i is received. In this case, all running sub-contracts should be aborted and the contract should commit by releasing the activation of another instance of the whole negotiation. Note that instead of reporting a failure, a new activation of the proof is generated because cJoin is not aimed at providing mechanisms for exhaustive search, and consequently we cannot assure that different possibilities for evaluating subgoals are explored in a proper manner. A choice-configuration choice(A 1 jB1 ; : : : ; An jBn ) is encoded as a process that starts a contract containing the parallel proof of all guards A i . Differently from and, the whole negotiation in choice-configuration can end as soon as one of the parallel proofs completes successfully (t i hi j provinghi . ihi j chosenhi). In this case, the produced message ihi, which will be released at commit, identifies the body corresponding to the rule whose guard has been proved. Additionally, message chosenhi activates the abortion of all running sub-contract. The remaining definitions handle the abortion and the consumption of messages notifying the failed termination of aborted sub-proofs. The whole contract produces at commit time only one message ihi, which will activate the corresponding body Jand(B i )Kt;f . At this point, one rule has been chosen (i.e. committed) and the final result for the whole choice-configuration depends on the result of the execution of Jand(Bi )Kt;f , i.e. the body of the committed choice. The rules for merging constraints are presented in Figure 6. Rule (4) describes the activation of and, a process that computes atomically θ 1 ^ θ2 . If θ1 and θ2 are consistent, it will produce unif hz; θ 1 ^ θ2 i; if not, the computation will finish with failhi. Consider the following negotiation that is ready to promote its local constraints [def : : : in unif hw; θ0 ij proved hwij truehi : failhi℄ j unif hz; θi (by (2) reduces to) [def : : : in tellhw; θ0 ij truehi : failhi℄ j unif hz; θi (by (1) and (4) reduces to) [def : : : in and hθ0 ; θ; z; f ail ij truehi : unif hz; θij failhi ℄:

Nested commits for mobile calculi: extending Join

(FIRING)

(ST EP ) (S1 ; Z1 )

S + Z [i S0 + Z 0 2 T

!

0 00 0 00 (S + S 00 ; Z + Z 00 ) T (S + S ; Z + Z ) (CONCATENATION) 0 00 00 0 0 (S1 ; Z ) T (S1 ; Z ) (S2 ; Z ) T (S2 ; Z )

!

!

(S1 + S2 ; Z )

!T (S1 + S2 ; Z ) 0

0

0

9

!T (S1 ; Z1 ) (S2 ; Z2 ) !T (S2 ; Z2) (S1 + S2 ; Z1 + Z2 ) !T (S1 + S2 ; Z1 + Z2 ) 0

0

0

0

(CL OSE ) /) (S; 0

0

0

0

0

!T (S ; 0/ ) / ) )T (S ; 0/ ) (S; 0 0

0

Fig. 7. Operational semantics of ZS nets (+ denotes multiset union).

When θ and θ0 are consistent, the last process reduces to [def : : : in unif hz; θ 0 ^ θij truehi : unif hθij failhi℄ and finally it can commit and release unif hz; θ 0 ^ θi, i.e., the updated constraints for the enclosing solution, and truehi, i.e., the notification that the sub-goal has been proved. On the other hand, when θ and θ 0 are not consistent the message failhi will be produced and then, by rule (3), the abort can be generated. In this case the negotiation may abort by releasing its compensation unif hz; θijfailhi, which will restore the original constraints and notify failed termination of the proof.

5 Encoding Zero-Safe nets Zero-safe nets ( ZS nets) have been introduced to model transactions in concurrent systems [7]. The basic model extends Place/Transition Petri nets ( PT nets) with a mechanism for expressing serializable concurrent (multiway) transactions. Recently, they have been used in [6] to encode short-running transactions R , a commercial workflow management system [15]. ZS nets additionally provides of Microsoft Biztalk a “dynamic” specification of transactions boundaries (as opposed to the “static” one of BizTalk) supporting multiway transactions, which retain several entry and exit points, and admit a number of participants which is statically unknown. Nevertheless, ZS nets are not suitable to express some interesting aspects of negotiations in global computing, such as mobility, programmable compensations and nesting. We recall that, in Petri nets, places are repositories of tokens (i.e. resources, messages) and transitions fetch and produce tokens. Net configurations, called markings, are multisets of places, recording the number of tokens available. The places of zero-safe nets are partitioned into ordinary and transactional ones (called stable and zero, respectively). Correspondingly, markings U can be seen as pairs (S; Z ) with U = S + Z, where S and Z are the multisets of stable and zero resources, respectively. Transitions are written U [iU 0 , with U and U 0 multisets of stable and zero places. A transaction goes from a multiset of stable places (stable marking) to another stable marking. The key point is that stable tokens produced during a transaction are made available only at commit time, when no zero tokens are left. We write (T ; S) for a ZS net with set of transitions T and initial stable marking S. The operational semantics of ZS nets is defined by the two relations ) T and !T in Figure 7. Rules FIRING and STEP are the ordinary ones for Petri nets, for the execution of one/many transition(s). However, sequences of steps differ from the ordinary transitive closure of ! T : The rule CONCATENATION composes zero tokens in series but stable tokens in parallel, hence stable tokens produced by the first step cannot be consumed by the second step. Transactions are step sequences from stable markings to stable markings, when CLOSE can be applied. The moves (S; 0/ ) )T (S0 ; 0/ ) define all the atomic activities of the net, and hence they can be performed in parallel and sequentially as the transitions of an ordinary net. It is worth noting that a step (S; 0/ ) )T (S0 ; 0/ ) can be itself the parallel composition of several transactions (by rule STEP). In this section we show that ZS nets can be straightforwardly encoded in cJoin. A distributed Join implementation of ZS nets has been already presented in [6]. However, the encoding in Join is complicated by the need of creating a local manager for each transition and implementing the commit and abort protocols.

10

R. Bruni, H. Melgratti, and U. Montanari

As done in [6], and without loss of generality, we restrict to nets made with the basic shapes in Figure 8(a) (which are as expressive as the general nets), for E any stable place and e; e 1 ; e2 any zero places. The translation in Figure 5 associates a cJoin definition with each basic shape of transitions. Places are seen as ports and tokens as messages. Tokens in stable places carry no value, while tokens in zero places carry the identifier of the transaction they belong to. For T the set of transitions and S the initial state of V the ZS nets, we let JT K = t 2T Jt K and then consider the cJoin process def JT K in JSK, which consists of the translation of the initial marking S in the environment containing all the definitions associated with transitions in T . Note that transitions whose pre-sets contain zero places are translated as merge definitions, otherwise as ordinary Join definitions. This is because zero places serve for orchestration, while stable places are the main resources. A transaction can be opened by firing a transition of the form E open e. In cJoin, this means opening a new negotiation whose internal state contains the definition of a fresh name z (the identifier of the transaction), the message ehzi, and whose compensation is set by default to give back the stable resources consumed so far (E hi). The dummy definition zhi . 0 declares a local identifier z, similar to w in the rule (A ND) in Figure 5. Since e is a name defined externally via merge definitions, then the reaction MERGE can be used to compute inside negotiations and merge them. When two transactions are merged by applying e.g. e1 hz1 ije2 hz2 i ehz1 i, then the identifiers z1 and z2 become part of the same transaction and have the same scope, becoming equivalent identifiers for the same larger negotiation. When computing inside a negotiation, each zero token carries one of the (possibly many) equivalent identifiers for that negotiation. In the given definition we arbitrarily use z 1 to identify the larger negotiation (we could have used z 2 as well). If stable messages E hi are released inside the negotiation, e.g., by firing e lose E, then they cannot be used until commit, because all the rules that can consume them are outside the negotiation boundaries, in the top chemical soup. The commit can happen if and only if the negotiation reaches a local state containing only stable messages E hi and definitions of transactions identifiers. Then, the reaction COMMIT can take place, closing the negotiations and releasing the stable tokens to the top level. Since ZS nets cannot be nested, the chemical rule STR - MOVE is useless. The following result assures the correctness and completeness of our encoding.

I

Theorem 5.1. (S; 0/ ) )T (S0 ; 0/ ) iff def JT K in JSK ! def JT K in JS0 K. The main behavioral difference between the cJoin encoding in Figure 5 and the Join encoding in [6] relies on the treatment of failures, as here no abort can be generated (and consequently compensations cannot be activated). A possible solution would be to add a timeout component each time a new negotiation is open, which is able to produce the abort via the rule A = timeouthi abort. In this case, we should let JE open eK = E hi . [def zhi . 0 in ehzijtimeouthi : E hi℄ and encode the net N = (T ; S) as def A ^ JT K in JSK.

I

6 Serializability and Big-Step Semantics Traditionally, any concurrent execution T1 jj : : : jj Tn of several ACID transactions is considered correct if it is serializable, i.e., if there exists a sequence Ti1 ; Ti2 ; : : : ; Tin that executes all transactions one at a time (without interleaving steps from different transactions) and produces the same result [2]. Serializability allows to reason about the behavior of a system by considering just the execution of one transaction at a time provided that transactions do not interfere each other. The semantics of cJoin presented in Figure 4 allows the cooperation among several negotiations. Nevertheless, we would like to be able to reason about the behavior of a process by analyzing interacting negotiations independently from the rest of the system. Serializable transactions can be described in an abstract representation of a system as single transitions between stable states, i.e., from the state that begins a transaction to the state obtained after the commit. By analogy, we would like to think about a set of cooperating negotiations as a transition mapping the state previous to the independent creation of each cooperating negotiation to the state obtained after the joint commit. Moreover, we would like this property to hold at every level of the nesting hierarchy. Therefore, we

Nested commits for mobile calculi: extending Join

e1

E

open

al

hi hi hzi : E hi℄ h iI h i h i I h ij h i h ij h i I h i h i I hi h iI

JE open eK ::= E . [def z . 0 in e Je1 al e2 K ::= e1 z e2 z Je fork e1 ; e2 K ::= e z e1 z e2 z e z1 Je1 ; e2 join eK ::= e1 z1 e2 z2 Je lose E K ::= e z E Je drop K ::= e z 0

e

fork

e2 e1 e2 e E open e e1 al e2 e fork e1; e2 e1

e2

join

e

e

lose

drop

e E e1; e2 join e e lose E

11

hi

JE K ::= E JS1 + S2 K ::= JS1 K JS2 K

j

e drop

(a) Basic shapes of ZS nets

(b) Translation of basic shapes and markings. Fig. 8. Encoding of ZS Nets in CJ OIN.

will consider negotiations to be serializable when the start of a sub-negotiation can be postponed until all the cooperating sub-negotiations needed to commit can be generated inside its parent negotiation. After being created, all interacting sub-negotiations compute isolated from the system, although interactions among them are possible by exploiting merge definitions. Well-programmed negotiations eventually will decide to commit or abort, producing a stable state. At the abstract level, those computations can be viewed as transitions starting with the consumption of messages needed to initiate all interacting sub-negotiations and finishing by generating all processes released at commit or abort. In this section we introduce a syntactical restriction on processes, called shallowness, that guarantees serializability. We characterize serializability by giving the big-step semantics of shallow processes. Definition 6.1 (Shallowness). The nesting degree nest(P) of a process P is defined by: nest(0) = nest(abort) = nest(xhyi) = 0 nest(def D in P) = nest(P)

nest([P : Q℄) = nest(P) + 1 nest(P j Q) = maxfnest(P); nest(Q)g

A process P is shallow if any basic definition D in P satisfies one of the two conditions: 1. D  J . P, where nest (P) = 0 or P = [R : Q℄ and nest (RjQ) = 0 2. D  J P and nest (P) = 0

I

We refer definitions in shallow processes as shallow definitions. Moreover, we call a process P stable iff P is shallow and nest (P) = 0. Shallow property imposes a discipline for activating sub-negotiations. In particular, condition 1 assures that the firing of an ordinary rule increases the height of the nesting structure by at most one level. Moreover, every definition produces just stable processes or a unique sub-negotiation without nesting sub-contracts. The second condition forbids the creation of sub-negotiations and merging of negotiations at the same time. This prevents the possibility of postponing the activation of the created sub-negotiations until all interacting sub-negotiations could be activated. Shallow condition forbids rules such as J 1 . P j [P1 : Q℄ and J2 . [[P1 : Q1 ℄ : Q℄. Nevertheless, they can be easily encoded as shallow definitions by using new local ports. For instance, the previous examples can be written respectively as D1  J1 . xhijP ^ xhi . [P1 : Q℄ and D2  J2 . [def xhi . [P1 : Q1 ℄ in xhi : Q℄. It should be clear that we are not limiting the nesting depth of a running negotiation. In fact, the shallow process def D2 in J2 σ reduces to def D2 in [def xhi . [P1 σ : Q1 σ℄ in xhi : Qσ℄, and then to def D 2 in [def xhi . [P1σ : Q1 σ℄ in [P1 σ : Q1 σ℄ : Qσ℄, which has nested negotiations.

12

R. Bruni, H. Melgratti, and U. Montanari

(PAR)

D`P

_

D `P

D`P jQ

D `Q

0

_

_

D `P jQ 0

D `Q

(SEQ)

D `P

0

_

D`P

D `P

0

(LOCAL (GL OBAL

` Jσ _ D ^ J . P ` P σ

(MERGE )

D ^jji Ji (LOCAL

I S ` jj D ` J σ j S : Q i[

i

i

i

COMMI T)

D ` [M j D

0

` 0 : S℄ _ D ` M

_

e `S B

_

D ^ B ` [S : Q ℄

i℄ _

D ^jji Ji

I S ` V D ` jj S [ i

(ABORT )

D ` [abortjP : S ℄

_

i

( i

00

D `P

FIRING)

FIRING )

D ^J .P

D `P

00

_

_

D `P

0

0

e `S B

0

D ^ B ` [S : Q ℄ 0

j S σ : jji Qi ℄

i)

(IDLE)

D `S

D`P

_

D `P

Fig. 9. Big-step semantics of cJoin.

In the following, P and Q will denote shallow processes, D a shallow definition, S a stable process, and B a shallow definition containing just merging rules. We abbreviate def D in P as D ` P , and ` P as P . Moreover, we take terms up-to structural equivalence, generated by closure w.r.t the equation

D ` P j def D in Q 0



D ^ D σdn ` P j Q σdn range(σdn ) \ ( f n(D ) [ f n(P ) 0

[

f n(def D 0 in Q ))

=

0/

plus equations stating that 0 is the unit for j and that the operators j and ^ are associative and commutative. These rules are analogous to the heating / cooling rules of Join. We characterize the serializability property by the big-step reduction relation between shallow processes presented in Figure 9. Steps can be composed in parallel ( PAR) and sequentially (SEQ), even with idle transitions ( IDLE). Rule GLOBAL FIRING corresponds to the firing of an ordinary definition in a top-level process. Instead LOCAL FIRING states possible internal transitions of a running contract. LOCAL FIRING captures the idea that certain computations of sub-negotiations can be represented as ordinary transitions at an abstract level. In fact, the computations occurring at a lower level in the nesting hierarchy (premise of LOCAL FIRING) that are relevant to its containing negotiation are those relating stable processes, i.e., S and S 0. Any negotiation has available, in addition to its own definitions, the merging definitions introduced by its containing process. In fact, a merging definition can be applied on a single contract, behaving in this case as an ordinary reduction defined in the global scope. The operator e transforms merging definitions in f . Note that LOCAL FIRING in Figure 9 corresponds to the e ^B ordinary ones: J P  J . P and B ^ B  B version of cJoin without structural rule STR - MOVE. When such rule is added, the premise of LOCAL FIRING e ^ B ` S , which allows merging definitions to be used at any level of the nesting e ^B ` S _ B should be B structure. Rules LOCAL COMMIT and ABORT handle the termination of a negotiation, whereas MERGE describes the interaction among sibling negotiations. Note that negotiations can be joined only if they do not contain running contracts. Note that the big-step relation defined previously corresponds to our notion of serializability. In fact, the completed negotiations at a particular level are represented as ordinary transitions at the upper level and all interacting transactions can be analyzed independently from the rest of the system. The following result states the correspondence between both semantics for shallow processes, and consequently assures that shallow processes are serializable in cJoin.

^

^I

0

0

0

Theorem 6.1. Let S ; S 0 be stable processes. Then S

! S 0 iff ` S 0

_

` S 0.

Nested commits for mobile calculi: extending Join

13

7 Concluding remarks We have proposed a linguistic extension of Join with natural primitives for modeling nested negotiations. The expressiveness of the resulting PDL, called cJoin, has been demonstrated by means of: (1) an informal discussion about the satisfaction of the general requirements enumerated in the Introduction; (2) two different examples; and (3) the encoding in cJoin of zero-safe nets. Additionally, we defined a syntactical restriction of processes that assures serializability, which has been characterized through a big-step semantics. In cJoin all dependencies between negotiations (commit or abort dependencies) must be programmed explicitly by defining appropriate merging rules. Unlike workflow systems, cJoin does not fix a set of constructors to describe dependencies in the style of, e.g., C ON T RACTS model [14]. The actual dependencies of a negotiation are known at execution time and are consequence of its interaction with other contracts. This feature distinguishes cJoin from the approach introduced in [4], where processes running as transactions can interact freely with the environment. On the other hand, cJoin is aimed at providing a way to model multi-party transactions by describing their interacting agents and not their global structure, such as [5,8]. Nevertheless, our language does not provide default mechanisms for undoing pre-committed activities of aborted transactions as in [11,8,4]. This is an interesting problem that bears further investigation. In particular, in which order compensations should be executed in a multi-party application? Is such an order given by the sequence in which transactions commit or in which they are created? Or, on the contrary, is it given by the causal relation established by the production and consumption of messages? Negotiations in cJoin have the flavour of multiway transactions in ZS-Nets, where participants are not statically fixed. Moreover, our extension distinguishes between local and global resources (i.e., names), and the notion of negotiation relies mainly on this distinction. In [6], an encoding of ZS nets in the Join was proposed, providing a distributed implementation of transactions, centered on the novel Distributed Two Phase Commit (D2PC) protocol. We plan to reuse or to extend the D2PC in order to have a full implementation of cJoin in Join itself. This would allow us to extend distributed implementations of the Join, such as Jocaml or Polyphonic C ℄ , by providing primitives for handling negotiations in distributed applications. Acknowledgements. We would like to thank Nick Benton, Luca Cardelli, C´edric Fournet and Cosimo Laneve with whom we discussed preliminary versions of cJoin.

References 1. N. Benton, L. Cardelli, and C. Fournet. Modern concurrency abstractions for C℄ . In B. Magnusson, editor, Proceedings of ECOOP 2002, volume 2374 of Lect. Notes in Comput. Sci., pages 415–440, Spain, June 2002. Springer Verlag. 2. P.A. Bernstein, V. Hadzilacos, and N. Goodman. Concurrency, Control and Recovery in Database Systems. Addison-Wesley Longman, 1987. 3. G. Berry and G. Boudol. The chemical abstract machine. Theoret. Comput. Sci., 96(1):217–248, 1992. 4. L. Bocchi, C. Laneve, and G. Zavattaro. A calculus for long-running transactions. In Proceedings of FMOODS’03, Lect. Notes in Comput. Sci. Springer Verlag, 2003. To appear. 5. BPEL Specification. version 1.1, May 2003. Available at http://www-106.ibm.com/developerworks/ webservices/library/ws-bpel/. 6. R. Bruni, C. Laneve, and U. Montanari. Orchestrating transactions in join calculus. In L. Brim, P. Jancar, M. Kretinsky, and A. Kucera, editors, Proceedings of CONCUR 2002, volume 2421 of Lect. Notes in Comput. Sci., pages 321–336. Springer Verlag, 2002. 7. R. Bruni and U. Montanari. Zero-safe nets: Comparing the collective and individual token approaches. Inform. and Comput., 156(1-2):46–89, 2000. 8. M. Butler, M. Chessell, C. Ferreira, C. Griffin, P. Henderson, and D. Vines. Extending the concept of transaction compensation. IBM Systems Journal, 41(4):743–758, 2002.

14

R. Bruni, H. Melgratti, and U. Montanari

9. S. Conchon and F. Le Fessant. Jocaml: Mobile agents for Objective-Caml. In Proceedings of ASA’99/MA’99, 1999. 10. C. Fournet and G. Gonthier. The reflexive chemical abstract machine and the Join calculus. In Proceedings of POPL’96, pages 372–385. ACM Press, 1996. 11. H. Garcia-Molina and K. Salem. Sagas. In U. Dayal and I.L. Traiger, editors, Proceedings of the ACM SIGMOD 1987, pages 249–259. ACM Press, 1987. 12. S. Haridi, S. Janson, and C. Palamidessi. Structural operational semantics of akl. Journal of Future Generation Computer Systems, 8:409–421, 1992. 13. R. Milner, J. Parrow, and J. Walker. A calculus of mobile processes, I and II. Inform. and Comput., 100(1):1– 40,41–77, 1992. 14. A. Reuter and H. W¨achter. The contract model. In A.K. Elmagarmid, editor, Transaction Models for Advanced Applications. Morgan Kaufmann, 1992. 15. U. Roxburgh. Biztalk orchestration: Transactions, exceptions, and debugging, 2001. Available at http://msdn. microsoft.com/library/en-us/dnbiz/html/btsorch.asp.

A Proof of Proposition 3.1 Proof. We want to prove that cJoin is a conservative extension of Join. It is obvious from the syntax that any Join process is also a cJoin process. It remains to show that: (1) for any Join processes P and Q, if P ! Q in Join, then P ! Q in cJoin; and (2) for any Join processes P, if P ! Q in cJoin, then Q is a Join process and P ! Q in Join. Both implications follow straightforwardly from the fact that the chemical rules of cJoin can be partitioned in two sets: one consisting exactly of the chemical rules of Join, and the other containing structural rules involving non-Join operators on both sides and reaction rules involving non- Join operators ut in the left-hand side.

B

Correspondence of ZS encoding

We devote this section to prove the correspondence between the encoding presented in Figure 8(b) and ZS nets semantics. The following lemmata relate ZS movements involving non stable configurations, with reductions in cJoin. Lemma B.1. Let JzKw = zhwi and JZ1 + Z2 Kw = JZ1 Kw j JZ2 Kw . If (S; Z ) !T (S0 ; Z 0 ) then def JT K in JSK jjji [def ^k wk hi . 0 in jjk JZik Kwk : :::℄ ! def JT K in JS 00 K jjj j [def ^l wl hi . 0 in JZ jl Kwk j JS 0j K : :::℄; S S S S S where Z = i k Zik , Z 0 = j l Z jl , S0 = j S 0j [ S 00 and J Kw is defined as follow: 0

0

Proof (sketch). By induction on the structure of the proof. The base case corresponds to rule FIRING and follows by analyzing the shape of the fired transition (according to Figure 8(a)). The inductive step follows by rule case analysis. Rule STEP corresponds to parallel computations in CHAM. The proof for CONCATE NATION follows by applying inductive hypothesis on both premises obtaining two derivations and noting that, by CHAM semantics, a derivation is also valid when processes are added into a solution, i.e., if def JT K in JS1 K j jji [def

^k wk hi . 0 in JZik Kw def JT K in

k

: :::℄ ! j jj j [def

JS1000 K

^l wl hi . 0 in JZ j l Kw j JS 0j K : 00

l

℄

:::

then also the following derivation is possible:

def JT K in JS2 K j JS1 K jjji [def ^k wk hi . 0 in JZik Kwk : :::℄ ! def JT K in JS2 K j JS1000 K jjj j [def ^l wl hi . 0 in JZ j l Kw j JS 0j K : :::℄ 00

Analogously, S 0j and S1000 can be added to the derivation associated to the second premise. Finally, the derivation corresponding to the whole proof can be constructed by combining sequentially the two extended ut derivations.

Nested commits for mobile calculi: extending Join

15

Corollary B.1. If (S; 0/ ) )T (S0 ; 0/ ) then def JT K in JSK ! def JT K in JS0 K. Proof (sketch). By Lemma B.1, there exists a derivation for (S; 0/ ) !T (S0 ; 0/ ) containing negotiations. Nevertheless, those negotiations do not contain messages to ports encoding zero-safe places, and therefore they can commit and release all messages to ports denoting stable places. Consequently, rule COMMIT can be ut applied repeatedly to finish all running negotiations. Lemma B.2. If there exists def JT K in JS00 K j jji [def ^k wk hi . 0 in JZik Kwk j JSi K : :::℄ ! def JT K in JS 000 K j jj j [def ^l wl hi . 0 in JZ jl Kwl j JS 0 j K : :::℄ without using rule ( COMMIT )

then (S; Z ) !T (S0 ; Z 0 ) , where Z =

SS i

0

k k Zi ,

Z0 =

S S Z l , S = S S [ S 00 and S0 = S 0

j

l

j

i i

0 j Sj

[ S 000

Proof (sketch). By induction on the length of the derivation. The base case corresponds to an idle movement of the net. The inductive step follows by analyzing the last applied rule in the reduction. For RED and MERGE, the proof is constructed by using inductive hypothesis on the initial derivation until the last step, and also for the final step. Then by analyzing the different shapes of the definition used for the last reduction (Figure 5) conclude that the only possible cases correspond to rule CONCATENATION. Note that, there are ut no ABORT steps, because the encoding cannot generate process abort. Lemma B.3. If def JT K in JSK ! def JT K in JS0 K then (S; 0/ ) )T (S0 ; 0/ ). Proof (sketch). The proof follows by using the results presented in Section 6 and proved in Appendix C. Note that all definitions generated by the encoding are shallow, and consequently negotiations are serializable by Theorem 6.1. Therefore, it is enough to consider reductions where steps from different transactions are not interleaved. Consequently, the whole reduction is equivalent to a sequence that computes transactions one at a time, i.e., it can be decomposed in subsequences of the form def JT K in JS i K ! def JT K in JSi+1 K, where COMMIT can be applied only as the last step. By Lemma B.2, any sub-reduction without considering the application of COMMIT corresponds to a movement (S i ; 0/ ) !T (Si+1 ; 0/ ) on the ZS net. Hence, any of this sub-reductions corresponds to a transaction (S i ; 0/ ) )T (Si+1 ; 0/ ). Consequently, the whole reduction is a sequence of transactions on the ZS net. ut Note that Theorem 5.1, follows from Corollary B.1 and Lemma B.3.

C Serializability of shallow processes In this section we prove Theorem 6.1 as a straight consequence of the technically involved Lemma C.1, which states a stronger relation between big-step semantics and reduction semantics. In particular, the bigstep relation corresponds to reductions between shallow processes without nested negotiations. Proposition C.1. If D ; S ; k [Sk0 : Sk00 ℄ ! D ; i [ Pi : Si ℄ ! D ; [P : D ; S ; k [Sk0 : Sk00 ℄ ! D ; i [ Si000 : Si ℄ ! D ; [S 0 : jji Si ℄ ! D ; [P : jji Si ℄.

jji Si ℄, then there exists a derivation

Proposition C.1 states that for any derivation starting from a process without nested negotiations there exists an equivalent reduction that merges only negotiations without sub-negotiations. Lemma C.1. D ; i [Si : Pi ℄; S

! D ; j [S 0j : P j0 ℄; S 0 if and only if D ` jji [Si : Pi ℄ j S

_

D ` jj j [S 0j : P j0 ℄ j S 0 .

Proof (sketch). ()) By induction on the length of the derivation. The base case corresponds to the IDLE axiom. The inductive step follows by rule case analysis of the first applied reduction. The interesting case is the application of RED, which presents two cases: (i) when it is applied at top level, i.e., producing a new negotiation or a new stable process, and (ii) when it generates a sub-negotiation in one of the existing negotiations. First case is immediate by inductive hypothesis and SEQ. In the second case, there is a negotiation k, i.e. [Sk : Pk ℄, that reduces to [[S 00 : P 0 ℄; Sk0 : Pk ℄. At this point, there are two possibilities. First, consider

16

R. Bruni, H. Melgratti, and U. Montanari .. .

e ` Sk B

GLOBAL FIRING , IDLE , PAR

_

e ^D B

00

e ^ D ` [S : P ℄ j S B k e e B ` Sk _ B ` Sk D ^ B ` [Sk : Pk ℄ _ D ^ B ` [Sk : Pk ℄

` [S

00

: P 0 ℄ j Sk0

00

00

0

0

_

e `S B k

00

IND . HYP. SEQ

00

0

0

00

LOCAL FIRING

Fig. 10. Proof sketch for Lemma C.1

that [[S 00 : P 0 ℄; Sk0 : Pk ℄ reduces to [Sk00 : Pk ℄, then it is possible to build the proof shown in Figure 10, and then the proof follows by using IDLE for the non-modified processes and inductive hypothesis and SEQ. The remaining possibility is when sub-negotiation [S 00 : P 0 ℄ can finish only after the parent negotiation is merged. Then by Proposition C.1 an equivalent derivation D ; i [ Si : Pi ℄; S ! D ; [S00 : jji Pi ℄; S000 ! D ; [P : jji Pi ℄; S000 ! D ; j [S 0j : P j0 ℄; S 0 that merges only negotiations not containing sub-negotiations can be found. Then, proof follows by applying inductive hypothesis for both parts D ; i [ Si : Pi ℄; S ! D ; [S00 : jji Pi ℄; S000 and D ; [S00 : jji Pi ℄; S000 ! D ; [P : jji Pi ℄; S000 ! D ; j [S 0j : P j0 ℄; S 0 . ut (() By induction on the structure of the proof.

D The Andorra Kernel Language (AKL ). We describe the computation model of mit(‘j’) as guard operator.

AKL

following the presentation in [12], but considering only com-

Syntax of Clauses and Goals. Program clauses and goals are defined as follows.

hguarded clausei ::= hheadi : hguardihguard operatorihbodyi hheadi ::= hprogram atomi hguardi; hbodyi ::= hsequence of atomsi hatomi ::= hprogram atomi j hconstraint atomi hguard operatori ::= ‘j’ (commit) A program atom is an atomic formula p(x 1 ; : : : ; xn ) where x1 ; : : : ; xn are variables. In the head all x i must be different, while in the body they may occur several times. A constraint atom is an atomic formula in some constraint language. Computation Model. Computation states are given by the following grammar.

hconfigurationi ::= hand-boxi hand-boxi ::= and(hsequence of local goalsi; hconstrainti) hset of variablesi hlocal goali ::= hatomic goali j hchoice-boxi hchoice-boxi ::= choice(hsequence of guarded goalsi) hguarded goali ::= hand-boxihguard operatorihsequence of atomsi In the following, the letters C and D stand for sequences of local goals, σ and θ for constraints; B and G for a sequence of atomic goals; G for a goal; P, Q for sequences of goals; S and T for sequences of guarded goals; V and W for set of variables; and β for a single goal. The symbol ‘%’ denotes a guard operator. And-boxes of the form and(; σ) are written as σ. The term true denotes a variable-free constraint formula that is true in the constraint theory. The symbol fail will be used to denote the empty or-box and the empty choice-box regarded as collapsing to the same object. Each subgoal has an environment, defined as the conjunction of the constraints of all the and-boxes in which the goal occurs. The notation op(σ) denotes a constraint operation op (e.g., ask or tell) applied to the primitive constraint σ.

Nested commits for mobile calculi: extending Join (C I ) (C F ) (F K ) (P D ) (j) (S C ) ( F 1) ( F 2)

17

and(C; op(σ); D; θ) ) and(C; D; θ ^ σ) if θ ^ σ is satisfiable and op(σ) is satisfied and(C; op(σ); D; θ) ) fail if σ is inconsistent with the environment of op(σ) A ) choice(and(G 1 ; true)V1 %B1 ; : : : ; and(Gn ; true)Vn %Bn ) where A unifies with Hi for rules Hi : Gi %Bi and(C; choice(θV %B); D; σ)W ) and(C; B; D; θ ^ σ)V [W if θ ^ σ is satisfiable choice(P; σjB; Q) ) choice(σjB) and(B; σ) ) fail if σ is unsatisfiable with the environment and(B; fail; C; σ) ) fail choice(S; (fail%B); T ) ) choice(S; T ) Table 1. Operational semantics of AKL.

Note that a configuration given by an and-box and(P1 ; :::; Pn ; σ)V1 represents the proof of P1 ^ ::: ^ Pn with the associated satisfiable constraint σ. The set of variables attached to an and-box contains the variables local to that box, i.e., variables in a clause that do not occur on the head. Rewriting rules are summarised in Table 1. Rules (C I ) and (C F ) denote the effects of a goal that has been proved by producing the constraint σ. When σ is consistent with the enclosing environment, the goal is reduced and the constraint of the enclosing and-box is updated, otherwise the whole goal fails. Local forking (F K ) on an atomic goal initiates the parallel proof of all definitions. The deterministic promotion (D P ) communicates the results of a local computation to the siblings of the goal that started the local computation. Rule (j) describes the pruning to be applied when the guard of a commit rule is proven. Note that the actual promotion is performed by the deterministic promotion rule. The last three rules are normalization rules that describe the propagation of failures (rules ( F 1) and ( F 2)), and the synchronization with the environment (S C ).