HAL Id: hal-00667815
https://hal.archives-ouvertes.fr/hal-00667815
Submitted on 30 Nov 2013
HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
A Decentralized Model-Based Diagnosis for BPEL Services
Yingmin Li, Lina Ye, Philippe Dague, Tarek Melliti
To cite this version:
Yingmin Li, Lina Ye, Philippe Dague, Tarek Melliti. A Decentralized Model-Based Diagnosis for BPEL Services. 21st International Conference on Tools with Artificial Intelligence (ICTAI 2009), Nov 2009, Newark, NJ, United States. pp.609–616, �10.1109/ICTAI.2009.77�. �hal-00667815�
A Decentralized Model-Based Diagnosis for BPEL services
Yingmin Li, Lina Ye, and Philippe Dague
LRI, Univ. Paris-Sud, CNRS, and INRIA Saclay-ˆIle de France
Parc Club Orsay Universit´e, 4 rue Jacques Monod, bˆat G, Orsay, F-91893, France Email:[email protected], Tel: (33) 172925993
Tarek Melliti
IBISC, Univ. d’Evry Val d’Essonne, CNRS,
Tour Evry 2, 523 place des Terrasses de l’Agora, Evry, F-91025, Franc [email protected]
Abstract
The paper proposes a decentralized diagnosis approach for a set of choreographed BPEL Web services, where a lo- cal diagnoser is associated to each BPEL service and coop- erates with a coordinator. The local diagnosis is based on a Colored Petri Nets model enriched with I/O data depen- dency relations represented with color propagation func- tions. By applying the multiset marking calculation equa- tion, a diagnosis inequations system is constructed and solved to retrieve a local diagnosis. The coordinator up- dates the global diagnosis until reaching a final consis- tency.1
1 Introduction
Self-healing software is one of the important challenges for Information Society Technologies research. Our paper proposes a decentralized diagnosis approach for BPEL ser- vices, whose goal is to design a framework for self-healing Web services by adopting artificial intelligence methodolo- gies to solve the diagnosis problem by supporting online detection and identification of faults.
A Web service (WS) is a set of distributed message ori- ented interacting components. We can construct complex WS systems by composing basic WSs in two ways: or- chestration and choreography (P2P). An orchestrated BPEL service is a central process to organize (basic or complex) WSs to finish complex tasks. A choreographed WS has not a central process while all the involved WSs are aware of
1The work is supported by EU through the FP6 IST project 516933 WS-DIAMOND (Web Services DIAgnosability, MONitoring and Diag- nosis) and national ANR project WEBMOV (Web services Modeling and Verification).
their partners but none has the global view of the whole WS application. Distributed WS applications make B2B engi- neering more convenient but raise more challenges for han- dling dysfunctions. For example, how to locate the source and reason of faults when they occur? During the interac- tion of distributed WS components, subtle faults can come from corrupted data or some functional errors. Due to the message oriented nature of WS applications, faulty data is propagated through the execution trace and is used to elab- orate other faulty data and control decisions. In this way the subtle faults become large ones. A typical example is a misunderstanding of date format in different languages.
06/03/2009, in English, is June 3, 2009; but in French, is March 6, 2009. If a travel agency WS misinterprets the date format, all the date related reservations will be faulty. An- other example is the inconsistent data in data base because of the delay of the WS invocation. These two kinds of faults are named as semantic faults.
1.1 Example: flight agency
Consider a cross-organization cooperation, which in- volves four partners: an end-userU ser, a Customer agency (flight agency)C, an airline companyA, and a Bank cen- ter B. The three companies aim to offer a secure tickets buying service for U ser. C receives a request, which is composed of flight dates d1,d2 and departure and return citiesc1 andc2, fromU ser, andinvokes operationo1 to get the cheapest flight fromA. NextC invokes an opera- tiono2to pay onB. Then in apickprocess, ifOnM essage ofCis ”no credit”,C invokes an operationo3to cancel the reservation onAand shouldreplytoU sera failure mes- sage, else ifOnM essageof Cis a payment confirmation fromB,Cshouldreplya reservation information liked0, d1,c1,c2, airline name, flight number, price, etc. Partner
A receives a request fromCto get the cheapest flight,A invokes a basic WSBW S1 to get the cheapest available flight, and shouldreplyit toC. Then in apickprocess, if OnM essageofAis a payment confirmation fromB, pro- cess finishes, else ifAisOnM essagea cancel request from C,A invokes a basic WSBW S2to cancel the flight and terminate the process.B receives a payment order fromC, andinvokes a basic WS BW S3 to do deduction, then in aswitchprocess, if the deduction fails,B invokes an op- erationo4on one-way to send a ”no credit” message toC, elseB invokes operationso5ando6on one-way to send a confirmation message toAandC.
SupposeCis a French customer agent, whileAis an En- glish airline company, and there is some semantic incom- patibility between the two partners. A French reservation request like: reserve a round trip flight from Paris to Lon- don on March 4, 2009 (04/03/2009) and return 3 days later, on March 7, 2009 (07/03/2009) could be interpreted as re- serving a round trip from Paris to London on April 3, 2009 and return 3 months later, on July 3, 2009. SoC will re- ceive a wrong payment confirmation fromBand send it to U ser. In this case, an exception occurs onU serdue to a semantic fault. This example will be used to illustrate each step of our work.
1.2 Global view of decentralized diagnosis
When an exception is thrown, the service that generates the data and all the services modify the data should be sus- pected. Whereas a current Web service exception can only report where the exception happens. Since the semantic faults are the most difficult and critical ones to diagnose, our approach focuses on determining the exact source faults that are possibly responsible for the exceptions.
A BPEL process can be considered as a Discrete Event System (DES) and a set of BPEL services in a chore- ographed environment can be modeled as a set of place- bordered Petri nets. We propose a decentralized online di- agnosis architecture (in figure 1) in which, for each BPEL serviceBP ELi, a local diagnoserDi is provided and co- operates with a coordinatorCO. The coordinator contains a global diagnoser D and a global choreographed model M odel which acknowledges the choreographed relations CRbetween the interacting BPEL services. When an ex- ception occurs on communicatedBP ELi,Di is triggered and then infers a local diagnosis result toCOand that up- dates the status ofD. IfD finds thatBP ELj (j 6= i) is accused to be faulty, it triggersDj. Dis updated continu- ously until arriving a final consistency.
To achieve a decentralized diagnosis in a choreographed scenario, we first introduce a local model for each BPEL service in section 2, where we introduce a CPN model and define its firing rules in section 2.1, translate the typical ba-
D1 B P E L1
C P N s
C P N s D2
B P E L2 C P N s
C R D3 C R
B P E L3 C O M o d e l D
Figure 1.Diagnosis architecture
sic BPEL service activities and structural operators in to CPN models in section 2.2, especially, including the fault models locally. Next step, we construct the choreographed global model which includes the global fault model in sec- tion 3. The global and local diagnoses are presented in section 4. For the local diagnosis, an inequation diagno- sis system is constructed and solved according to the alge- bra properties of the CPN model in 4.1. And we describe the decentralized diagnosis steps in 4.2. We compare the related work, and conclude in section 5.
2 Local model for one BPEL service 2.1 Colored Petri Net
A Petri net is a Colored Petri Net if its tokens can be distinguished by colors. Here we restrict the definition of Colored Petri Net that we use in this paper.
LetEbe a set, a multiset onEis an applicationmfrom E toZ(a multiset is denoted asm = q0e0+....+qnen
where qi = m(ei)). We use M(E)to define the set of finite multisets fromEtoZ, andM+(E)if we restrict it toN. Sum and subtract operators between two multisets are defined as in [6]. For two given value domainsD,D′, we denote by[D → D′]the set of possible functions fromD toD′.
Definition 1 A Colored Petri Net graph (CPN graph) is a tupleN=hΣ,X,F,P,T,cd,P re,P osti, where: Σis a set of colors (see [6]);X is set of variables that range overΣ;F is a set of color functions,F ⊆S
n
[Σn →Σ];P is a set of labeled places;T is a set of labeled transitions, we denote T ype:T′→T′′withT′, T′′⊂T andT′∩T′′=∅is a type function ofT;cd:P →2Σ, is a function that associates to each place a color domain2;P re, P ost :are forward and backward matrices such thatP re:P×T → M+(Σ∪ X), are input arc expressions; andP ost : P×T → M+(E), are output arc expressions.
Erepresents a color expression which can be a color con- stant, a variable, or a color function of F (completely or partially instantiated). Given an expressione∈ E, we use
2In this definition, a transition has no color domain. This restriction will be explained in section 2.2.3.
V ar(e)to denote the set of variables which appear ine, and Eval(e), the evaluation ofeinΣ.
We denote•tandt•as the input and output places set of transitiont,•pandp•as the input and output transitions set of placep.
Definition 2 A CPN graph N = hΣ,X,F,P,T,cd,P re, P osti is well formed iff: ∀t ∈ T,∀p ∈ t•, we have V ar(P ost(p, t)) ⊆ V ar(P re(., t)) with V ar(P re(., t))
= S
p′∈•t
var(P re(p′, t)).
In a well formed CPN graph, we restrict that for each transition, the output arc expressions must be composed by the variables which are in the input arcs expressions. To each CPN graph, we associate its terms incidence MatrixC (P×T → M(E)) withC=P ost-P re.
In the following, we define the behaviors (the dynamics) of a CPN System.
Definition 3 A marking M of a CPN graph is a multiset vector indexed byP, where∀p∈P, M(p)∈ M+(cd(p)).
Operators+and−on multisets are extended to markings in an obvious way.
Definition 4 A Colored Petri Net system (CPN system) is a pairS=hN, M0iwhereN is a CPN graph andM0is an initial marking.
Definition 5 A transition t is enabled in a CPN sys- tem S with marking M, iff ∃u, with M ≥ P re(., t)u, V ar(P re(., t))→ Σ, which is a binding of the input arcs variables.3
Definition 6 LetM be a marking andta transition, with M[tiufor someu. The firing of the transitiontchanges the marking of CPN fromM toM′ =M +C(., t)u. We note the firing asM[tiuM′. A sequence of transitionsδ∈T∗is defined as: M[δiM ifδis the empty sequence;M[ωtiM′ iff∃M′′such thatM[ωiM′′andM′′[tiuM′.
2.2 From BPEL to CPN model
There exist already many works dedicate to translate BPEL services into CPN model for composition verifying ([12]), supervising ([3]), analyzing ([5]) etc.. In this sec- tion, we construct our own CPN model by introducing the faulty behaviors into Petri nets model which is suitable not only for diagnosing BPEL services, but also for diagnosing other large software systems. In the following, we define how to translate the static and dynamic features into CPN models.
3umust respect the color domain of the places, i.e.,∀p ∈• t,x ∈ var(P re(p, t)), we haveu(x)∈cd(p).
2.2.1 Translating static BPEL features to CPNs BPEL data variables and constants: to catch maximally the dependency between data (variables, constants, etc.), we decompose the structured XML data types intoleaves.
Each leavexiis denoted by(X, xi)as a place in CPNs.
Color Domain:three colors are used: red (r), faulty data value; black (b), not faulty data value; and unknown color (∗), correctness unknown of data value.
Data dependency within BPEL v.s. color functions:
to specify the effect of each activity on data, we give each activity a data dependency signature in term of three de- pendency relations (proposed in [1]): forward (F W), the activity just copies the value from the input to the output;
source (SRC), the output data is generated by the activity;
and elaboration (EL), the output data is elaborated from a set of input data. Each data dependency relation is associ- ated with a color propagation function to represent the data status production.
Definition 7 Given a data relations set D = {F W, SRC, EL},∀d ∈ D, the associated color propagation functiondc is defined as:∀c, c′∈Σ,∀C ⊆Σ,
F Wc∈[Σ→Σ],F Wc(c)=c SRCc∈[∅ →Σ],SRCc=∗
ELc∈[2Σ→Σ],ELc(C)=c′, withc′=
b, iff∀c∈ C,c=b r, iff∃c∈ C,c=r
∗, iff∃c∈ C,c=∗∧
∄c′′∈ C,c′′=r
In the following sections, we model dynamic features, the basic BPEL activities and structured operators, with CPNs in a choreographed scenario.
2.2.2 Translation from basic WS to CPN
A basic WS is a program which publishes its invocation in- terface and can be remotely called by other WS. As it is called synchronously and cannot be decomposed, we model it as a CPN system, which has a transition, remote in- put/output activation places and a set of shared input/output data places (the local components are in the dotted line boxes). The data dependency between its input and output can be F W,EL, and/orSRC, which is optional offered by the developers. The CPN model of a basic WS con- tains a set of data fault transitionstfi, which are triggered by the consummation of the token in the output activation place. Oncetfi is executed, there should be a fault in its output data place and the fault can be passed to its invoker, a BPEL process. We define the type of faulty transitions as tB:T ype(tfi) =tB(figure 2(A)).
E : B :
r
r
Cai n C
mi
tf 0
Cxi
tr e c
tfi
Xi Cao u t
T y p e ( ) = T y p e ( ) =tf 0 t
r e c
tfi C :
ai nP A C aP Ai n C
( C F Wc
i) m F Wc( Cai n)
ai n
ao u t mi
ai nP A
Cxi Xi
ao u t
P A
ti n v i n
r
r
tf 0 Cai nP A
ai nP A C
ao u t
ai nP A F Wc( Cxi)
ti n v o u t . . . o p t i o n a l b a s i c a c t i v i t i e s . . .
ai n
ao u t Cai n
F Wc( Cai n) Cxi
Xi
( C F Wc
i) x
ta s s
yi Cyi ( C ,
F = E Lc mi ni 1
mi ni 2 C )
c T y p e ( ) =tfi tB A :
r Cao u t
tfi mi 1
i n m
i 2 i n
ai nP A
ao u tP A Cai n
P A Cm
i 1 i n
tB
FC Cmo u ti
Cm i 2 i n
o u t m
i ( Ca
F Wc i n) P A
ai n
ao u t Cai n
F Wc( Cai n) Cxi
Xi
( C F Wc
i) x
tr e p
C mi
mi ao u t
P A
ao u t
P A
C D :
mio u t Cmo u ti
mji n Cmi nj ( C F Wc
) j mi n
Yj CYj
tf
j
T y p e ( ) = T y p e ( ) =tf 0 tf ti n vo u t
j
Cmi C
mi nj C
mo u ti
ai n1 Cai n
1
F Wc( Cai n)
F Wc( Cai n) Cai n ai n
F Wc( Cai n1) ao u t
1
Figure 2.CPNs of the basic activities
2.2.3 Basic activities translation
Due to space limitation, we model only four main basic activities (Receive,Assign,Invoke, andReply) while the other similar activities can be easily translated in the same way (structural operators also).
Receive(m, X)copies the values from a messagemto a local variableX. To separate the different faulty parts trans- mitted remotely, we add for eachmi an internal transition (fault) before the receive transition as in figure 2(C). Data places(m, mi),(x, xi)are simplified asmi andxi. A re- mote activation placeainP A is added to allow the activation control from partnerP AtoReceive.
Two kinds of fault transitions are modeled: tf0 models the remote control fault; and tfi models the remote data fault. Both their types are defined astrec: T ype(tf0) = T ype(tfi) =trec. The execution (occurrence) oftfiis trig- gered by the consummation of the token in the remote in- put activation placeainP A. The transmission of the fault (red token) is illustrated on the arc expressions. Each arc ex- pression represents the colored token consumed (on an arc (p, t)) or produced (on an arc (t, p)). To keep the liveness of the CPN, we add an arc from the output placexito the receive transitiontrec. Similar activity:OnM essage.
Invoke(X[, Y])calls another Web service, either a ba- sic or composite one. It takes the value of the variableX, sends a remote request to its partner, synchronously or asyn- chronously waits for the response message, stores it in the variable Y, or gets the response by Receive(m, Y). As Y can be infected by external faulty WS which is unob- servable, we introduce a series of unobservable faulty tran-
sitions between thetininv andtoutinv transitions to model the faults caused by external WS.Invokecan be asynchronous call and only sends the requestX. In this case, it has only thetininvtransition (figure 2(B)).
Reply(Y, m)copies values from a variableY to a mes- sagemfor returning the response (figure 2(D)). There is no fault model in its CPN model. Note thatreplydoes not af- fect the correctness of remote control, sofcon the arc (trep, aoutP A) isF Wc(ainP A).
Assign(X, Y)reorganizes local variable parts to com- pose a new one. So its model does not contain fault transition, remote activation, or shared data places (figure 2(E)). Similar operators:T hrowandRethrow. TheW ait, Empty, andExitactivities do not have relation with the variables, so their CPN model only have the I/O local and remote activation places.
2.2.4 Structured operators translation
Sequence operator sequence(S1, S2) connects different activities with and the occurrence execution order. So we can generate the resulting sequence CPN by merging the local intermediate output and input activation places of con- tractive CPNs (in figure 3(a)).
Conditional operatorSwitch({(coni(Xi, Vi),Si)}i∈I) represents an alternative execution of the activitiesSiunder the conditionsconi(Xi, Vi).XiandViare respectively the variables and constants. For each subprocess Si, a transi- tionconiis added to generate an activation placeaini which is elaborate from the common activation input place of Switch,Xi, andVi. So the faults in the data placesXi,Vi can be transmitted to subprocess activation control, which allows the diagnosis of the control fault in a BPEL process.
At the end of theSwitchprocess, a newaout replaces all theaouti of subprocessSi (in figure 3(c)). Similar opera- tors:Scopetogether with the compensation handlers, event handlers, and fault handlers.
Iterative operator while(con(X, V), S1) iterates the activityS1execution until the breaking off of the conditions con(X, V).W hileis similar toSwitchbut inW hile, the aoutof the iterative subprocess is alsoainoftcon(in figure 3(b)). Similar operators: Link with its ”transitionCondi- tion”. Similar operators:RepeatU ntil,F orEach.
Message triggering operator P ick({Mi, Si}i∈I)trig- gers one subprocess Si by the arriving (represented as the remote activation place ainP Ai) of a message OnM essage(Mi)from partnerP Ai. SoP ickoperator is a combination of a set ofOnM essageactivities (in figure 3(d)).
2.2.5 Some remarks on the BPEL model net
Observable vs unobservable transitions: we divideTinto observable transitions Tobs and fault transitionsTF (T =
a
a : S e q u e n c e ( S 1 , S 2 )
Ca
a1i n a2i n
ai n C
1
ao u t
1
ao u t
2
ai n
C
i
CX C
Vi
ai n Xi Vi
C o nn
a1i n ai n ai n n
i
ao u t
1
ao u ti ao u tn
ai n C
1 Cai n
i ai n C
n
C o ni C o n1
c : S w i t c h ( { ( c o n ( X , V ) , S ) } , i i i i i I )
o u t
a
E L ai n j c( C , CX, C
Vi)
C o n ai n
C
i
CX
C Vi
ai n Xi Vi
a1i n
ao u t
1
C o n _ _ _ _
E Lc( Cai n, CXj, C Vi)
E L ai n j c( C , CX, C
Vi)
O M1 O M n
ai n
X1 1
Mn
Xn
ai n
n ai n C
1 ai n C
n
ao u tn ao u t
1
F W ai n
c( C ) ai n
P An M1
ai n
P A 1
o u t
a
ai n
C
ai n
F W ai n
c( C )
1 F W ai n
c( C )
n
F W 1
c( M ) F Wc( M )n
b : W h i l e ( c o n ( X , V ) , S ) 1
d : P i c k ( { M i , S i } , i I)
Figure 3.CPNs of the structural operators
Tobs∪FandTobs∩TF =∅) and define a type function over faulty transition to observable onesT ype:TF →Tobs.
Initial and final marking configuration: obtained by markingPas in table 2.2.5.
Table 1.M0andMnof CPNs
CP1 DP2 AP03 AP04 APP A0 05 APP A0 i6
M0 ∗ b b 0 b 0
Mn ∗ x7 0 x7 0 x7
1Constant places; 2Variable places;
3First local activation places; 4Local activation places;
5First remote activation places;
6Remote activation places;
7x=rifpis within fault trace,x=bif verified by external checkers (e.g., user, developer),x=∗otherwise.
One-boundness:the resulted CPNs are one-bounded (or safe, means one place can at most contain one token), which is guaranteed by the fact that a BPEL process does not al- low a subprocess call that can lead to more than one token production in the activation and data places.
2.2.6 Example (cont.): flight agency
In figure 4, a CPN model of partner C is presented to- gether with its interacting relations (bolded arrows) with other partners (data places for each transition are simpli- fied as one input and one output for the sake of space limit).
All the color variablesCp of a placepare omitted and the
color propagation functions are listed. A symptom (red to- ken) occurs onU serto represent a faulty reservation which shows an unreasonable price.
r
r
r
a1
d1 a2
d2 t1
f3 f1
f2
t2 a3
d3
t3
a4
a5 a6
a7
a8
a9
t5
d4 d5
f4 d1c
d2c d3
c
d4c d
5 c
d9c d6
c d7c
d8c
d 1 0c
d1 1c d1 3c d1 4c f5
a1 1
t7 d7
d1 5c a1 2
d6
r r
r
r a1 0
a1 5 d8
a1 3 a1 4 f6
f7
f8
d9
d1 0
d 1 1 r
d1 2c
d1 6c d1 7c d1 8c
d1 9c
a1 6 C
U s e r
A
B
A
U s e r B
d1c F Wc( C ) a2
=
d2 c F Wc( C
1)
= d d3
c= d4
c= F Wc( C ) a3
d5c= F Wc( C 2) d
d7c=F Wc( C4 d )
= F Wc( Ca6)
d6 c
d9c=d8c= F Wc( Ca7)
d1 0c = F Wc( C ) d5
= 7
d1 2c F Wc( C d )
T y p e ( f ) = T y p e ( f ) = t1 2 1 T y p e ( f ) = T y p e ( f ) = t 3 4 3 t4
t6
t8
d2 0c
d1 3c=d1 1c =F W( C ) a9 c
F Wc( Cd8)
d1 4c =
d1 6c=d1 5c =F W( C ) a1 3 c
= 9
d1 7c F Wc( C d )
d2 0c=
d1 9c=d1 8c =F W( C ) a1 2 c
T y p e ( f ) = T y p e ( f ) = t 5 6 5 T y p e ( f ) = T y p e ( f ) = t 7 8 6
Figure 4.CPNs model of partnerC
3 Fault model of a choreographed set of WSs
Each partner Ni involved in a choreography scenario provides a BPEL process describing: (i) its partners {Nj}(j 6= i) and (ii) its interface (local operations like Invoke,Receive, andReply). A choreographed relation between two partners is represented by two sets of places which correspond to a share messages and their correspond- ing remote control places.
Definition 8 letPisdenote the subset of placesPionNiwhich are shared with anotherNj(j 6= i). A choreographed relation CR is a set of functionsFij : AoutP Ai ×Pis → AinP Aj ×Pjs}.
∀a ∈ AoutP A
i, ∀a′ ∈ AinP A
i, p ∈ Pir, Fij(a, p)=(a′, p′) and Fij−1(a′, p′)=(a, p).
Definition 9 A choreographed model is a tupleCDM=hS
i∈I
Ni, CRi, whereNiis a CPN model of a partner BPEL service, and CRis a choreographed relation.
3.1 Example (cont.): flight agency
In figure 4, the interacting places are: (ai, dj) with (i, j)=(1,1),(4,3),(5,4),(8,6),(10,7),(11,8),(14,10),(15,11).
