Towards a Unified Framework for Declarative Structured Communications

HAL Id: inria-00426609

https://hal.inria.fr/inria-00426609v2

Submitted on 17 Nov 2009

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Structured Communications

Hugo Lopez, Carlos Olarte, Jorge Perez

To cite this version:

Hugo Lopez, Carlos Olarte, Jorge Perez. Towards a Unified Framework for Declarative Structured Communications. 2nd PLACES 2009 - Second International Workshop on Programming Language Approaches to Concurrency and Communication-cEntric Software, Mar 2009, York, United Kingdom.

15p. �inria-00426609v2�

Communications

Hugo A. L´opez

IT University of Copenhagen lopez@itu.dk

Carlos Olarte

Ecole Polytechnique´ Universidad Javeriana Cali colarte@lix.polytechnique.fr

Jorge A. P´erez

University of Bologna perez@cs.unibo.it

We present a unified framework for the declarative analysis of structured communications. By relying on a (timed) concurrent constraint programming language, we show that in addition to the usual operational techniques from process calculi, the analysis of structured communications can elegantly exploit logic-based reasoning techniques. We introduce a declarative interpretation of the language for structured communications proposed by Honda, Vasconcelos, and Kubo. Distinguishing features of our approach are: the possibility of including partial information (constraints) in the session model;

the use of explicit time for reasoning about session duration and expiration; a tight correspondence with logic, which formally relates session execution and linear-time temporal logic formulas.

1 Introduction

Motivation. From the viewpoint of reasoning techniques, two main trends in modeling in Service Oriented Computing (SOC) can be singled out. On the one hand, anoperational approachfocuses on how process interactions can lead to correct configurations. Typical representatives of this approach are based on process calculi and Petri nets (see, e.g., [18, 3, 8, 9]), and count with behavioral equivalences and type disciplines as main analytic tools. On the other hand, in a declarative approach the focus is on the set of conditions components should fulfill in order to be considered correct, rather than on the complete specification of the control flows within process activities (see, e.g., [19, 14]). Even if these two trends address similar concerns, we find that they have evolved rather independently from each other.

The quest for a unified approach in which operational and declarative techniques can harmoniously converge is therefore a legitimate research direction. In this paper we shall argue that Concurrent Con- straint Programming (CCP) [17] can serve as a foundation for such an approach. Indeed, the unified framework for operational and logic techniques that CCP provides can be fruitfully exploited for anal- ysis in SOC, possibly in conjunction with other techniques such as type systems. Below we briefly introduce the CCP model and then elaborate on how it can shed light on a particular issue: the analysis of structured communications.

CCP [17] is a well-established model for concurrency where processes interact with each other by tellingandaskingfor pieces of information (constraints) in a shared medium, thestore. While the former operation simply adds a given constraint to the store (thus making it available for other processes), the latter allows for rich, parameterizable forms of process synchronization. Interaction is thus inherently asynchronous, and can be related to a broadcast-like communication discipline, as opposed to the point- to-point discipline enforced by formalisms such as the π-calculus [15]. In CCP, the information in the store grows monotonically, as constraints cannot be removed. This condition is relaxed in timed extensions of CCP (e.g., [16, 11]), where processes evolve along a series ofdiscrete time units. Although each unit contains its own store, information is not automatically transferred from one unit to another. In this paper we shall adopt a CCP process language that is timed in this sense.

In addition to the traditional operational view of process calculi, CCP enjoys adeclarative nature that distinguishes it from other models of concurrency: CCP programs can be seen, at the same time, as computing agents and as logic formulas [17, 11, 12], i.e., they can be read and understood as logical specifications. Hence, CCP-based languages are suitable forboth the specification and verification of programs. In the CCP language used in this paper, processes can be interpreted as linear-time temporal logic formulas; we shall exploit this correspondence to verify properties of our models.

This Work. We describe initial results on the definition of a formal framework for the declarative analysis of structured communications. We shall exploit utcc [13], a timed CCP process calculus, to give a declarative interpretation to the language defined by Honda, Vasconcelos, and Kubo in [7]

(henceforth referred to asHVK). This way, structured communications can be analyzed in a declarative framework where time is defined explicitly. We begin by proposing an encoding of theHVKlanguage intoutccand studying its correctness. We then move to the timed setting, and proposeHVK^T, a timed extension of HVK. The extended language explicitly includes information on session duration, allows for declarative preconditions within session establishment constructs, and features a construct for session abortion. We then discuss how the encoding ofHVKintoutccstraightforwardly extends toHVK^T. A Compelling Example. We now give intuitions on how a declarative approach could be useful in the analysis of structured communications. Consider the ATM example from [7, Sect. 4.1]. There, an ATM has established two sessions: the first one with a user, sharing sessionk over service a, and the second one with the bank, sharing session hover serviceb. The ATM offers deposit,balance, and withdrawoperations. When executing a withdraw, if there is not enough money in the account, then an overdraftmessage appears to the user. It is interesting to analyze what occurs when this scenario is extended to consider a card reader that acts as a malicious interface between the user and the ATM. The user communicates his personal data with the reader using the servicer, which will be kept by the reader after the first withdraw operation to continue withdrawing money without the authorization of the user.

A greedy card reader could even withdraw repeatedly until causing an overdraft, as expressed below:

Reader = acceptr(k⁰)ink⁰?(id)in

requesta(k)ink![id]; k⁰







withdraw:k⁰?(amt)in kwithdraw;k![amt];

k{dispense:k⁰dispense;k![amt];R(k,amt)koverdra f t:Q}





 R(j,x) = defR⁰inkwithdraw;j![x];j{dispense:j?(amt)inR⁰koverdra f t:Q}

User = requestr(k⁰)ink⁰![myId];

k⁰withdraw;k⁰![58]; k⁰{dispense:k⁰?(amt)inPkoverdra f t:Q}

By creating sessions between them, the card readerReaderis able to receive the user’s information, and to use it later by attempting a session establishment with the bank. Following authentication steps (not modeled above), the card reader allows the user to obtain the requested amount. Additional with- drawing transactions between the reader and the bank are defined by the recursive process R. In the specification above, the processQcan be assumed to send a message (through a session with the bank) representing the fact that the account has run out of money:Q=kbank![0];inact.

Even in this simple scenario, the combination of operational and declarative reasoning techniques may come in handy to reason about the possible states of the system. Indeed, while an operational ap- proach can be used to describe an operational description of the compromised ATM above, the declarative approach can complement such a description by offering declarative insights regarding its evolution. For instance, assumingQas above, one could show that autccspecification of the ATM example satisfies

the linear temporal logic formula3out(kbank,0), which intuitively means that in presence of a malicious card reader the user’s bank account will eventually reach an overdraft status.

Related Work. One approach to combine the declarative flavor of constraints and process calculi tech- niques is represented by a number of works that have extended name-passing calculi with some form of partial information (see, e.g., [20, 6]). The crucial difference between such a strand of work and CCP-based calculi is that the latter offer a tight correspondence with logic, which greatly broadens the spectrum of reasoning techniques at one’s disposal. Recent works similar to ours include CC-Pi [4] and the calculus for structured communications in [5]. Such languages feature elements that resemble much ideas underlying CCP (especially [4]). The main difference between our approach and such works is that we adhere to the use of declarative reasoning techniques based on temporal logic as an effective way of complementing operational reasoning techniques. In [4], the reasoning techniques associated to CC-Pi are essentially operational, and used to reason about service-level agreement protocols. In [5], the key for analysis is represented by a type system which provides consistency for session execution, much as in the original approach in [7].

2 Preliminaries

2.1 A Language for Structured Communication

We begin by introducingHVK, a language for structured communication proposed in [7]. We assume the following conventions: namesare ranged over bya,b, . . .;channelsare ranged over byk,k⁰;variables are ranged over byx,y, . . .;constants(names, integers, booleans) are ranged over byc,c⁰, . . .;expressions (including constants) are ranged over bye,e⁰, . . .;labelsare ranged over byl,l⁰, . . .;process variablesare ranged over byX,Y, . . .. Finally,u,u⁰, . . .denote names and channels. We shall use~xto denote a sequence (tuple) of variablesx₁...xnof lengthn=|~x|. Notation~xwill be similarly applied to other syntactic entities.

The sets of free names/channels/variables/process variables ofP, is defined in the standard way, and are respectively denoted byfn(·),fc(·), fv(·), andfpv(·). Processes without free variables or free channels are calledprograms.

Definition 1(TheHVKlanguage [7]). Processes inHVKare built from:

P,Q ::= requesta(k)in P Session Request | accepta(k)in P Session Acceptance

| k![~e];P Data Sending | k?(~x)in P Data Reception

| kl;P Label Selection | k{l₁:P₁k · · · kl_n:P_n} Label Branching

| throwk[k⁰];P Channel Sending | catchk(k⁰)in P Channel Reception

| ifethenPelseQ Conditional Statement | P|Q Parallel Composition

| inact Inaction | (νu)P Hiding

| defDinP Recursion | X[~e~k] Process Variables

D ::= X1(x₁k1) =P1and· · ·andXn(x_nkn) =Pn

Declaration for Recursion

Operational Semantics ofHVK. The operational semantics ofHVKis given by the reduction relation

−→_h which is the smallest relation on processes generated by the rules in Figure 1. In Rule STR, the structural congruence≡_his the smallest relation satisfying : 1)P≡_hQif they differ only by a renaming of bound variables (alpha-conversion). 2)P|inact≡_hP,P|Q≡_hQ|P,(P|Q)|R≡_hP|(Q|R). 3) (νu)inact≡_hinact,(νuu⁰)P≡_h(νu⁰u)P,(νu)(P|Q)≡_h(νu)P|Qifx∈/fv(Q),(νu)(defDinP)≡_h

(defDin((νu)P))ifu∈/ fv(D). 4) (defDinP) |Q≡_hdefDin(P |Q) if fpv(D)∩fpv(Q) = /0. 5) defDin(defD⁰inP)≡_hdefDandD⁰inPiffpv(D)∩fpv(D⁰) =/0.

LINK requesta(k)inQ|accepta(k)inP−→_h(νk)(P|Q) COM (k![~e];P)|(k?(~x)inQ)−→_hP|Q[~c/~x] ife↓~c

LABEL kl_i;P|k{l₁:P₁k · · · kl_n:P_n} −→_hP|Pi(1≤i≤n) PASS throwk[k⁰];P|catchk(k⁰)inQ−→_hP|Q

IF1 ifethenPelseQ −→_hP(e↓true) IF2 ifethenPelseQ −→_hQ(e↓false)

DEF defDin(X[~e~k]|Q)−→_hdefDin(P[~c/~x]|Q) (e↓~c,X(~x~k) =P∈D) SCOP P−→_hP⁰implies(νu)P−→_h(νu)P⁰

PAR P−→_hP⁰impliesP|Q−→_hP⁰|Q

STR IfP≡_hP⁰andP⁰−→_hQ⁰andQ⁰≡_hQthenP−→_hQ

Figure 1: Reduction Relation forHVK(−→_h)[7].

Let us give some intuitions about the language constructs and the rules in Figure 1. The central idea inHVKis the notion of asession, i.e., a series of reciprocal interactions between two parties, possibly with branching, delegation and recursion, which serves as an abstraction unit for describing structured communication. Each session has associated a specific port, or channel. Channels are generated at session initialization; communications inside the session take place on the same channel.

More precisely, sessions are initialized by a process of the formrequesta(k)inQ|accepta(k)inP.

In this case, there is a request, on name a, for the initiation of a session and the generation of a fresh channel. This request is matched by an accepting process on a, which generates a new channelk, thus allowing P and Q to communicate each other. This is the intuition behind rule LINK. Three kinds of atomic interactions are available in the language: sending (including name passing), branching, and channel passing (also referred to as delegation). Those actions are described by rules COM, LABEL, and PASS, respectively. In the case of COM, the expression~eis sent on the port (session channel)k. Process k?(~x)inQthen receives such a data and executesQ[~c/~x], where~cis the result of evaluating the expression

~e. The case of PASSis similar but considering that in the constructsthrowk[k⁰];Pandcatchk(k⁰)inQ, only session names can be transmitted. In the case of LABEL, the processkl_i;Pselects one label and then the corresponding processPi is executed. The other rules are self-explanatory.

For the sake of simplicity, and without loss of generality (due to rule 5 of≡_h), in the sequel we shall assume programs of the formdefDinPwhere there are not procedure definitions inP.

2.2 Timed Concurrent Constraint Programming

Timed concurrent constraint programming (tcc) [16] extends CCP for modeling reactive systems. In tcc, time is conceptually divided into time units (ortime intervals). In a particular time unit, a tcc process P gets an input (i.e. a constraint) c from the environment, it executes with this input as the initialstore, and when it reaches its resting point, itoutputsthe resulting storedto the environment. The resting point determines also a residual processQwhich is then executed in the next time unit. It is worth noticing that the final store is not automatically transferred to the next time unit.

The utcc calculus [13] extendstccfor reactive systems featuring mobility. Heremobilityis un- derstood as the dynamic reconfiguration of system linkage through communication, much like in the π-calculus [15].utccgeneralizestccby considering aparametricask operator of the form(abs~x;c)P, with the following intuitive meaning: process P[~t/~x]is executed for every term~t such that the current

store entails an admissible substitutionc[~t/~x]. This process can be seen as anabstractionof the process Pon the variables~xunder the constraint (or with theguard)c.

utccprovides a number of reasoning techniques: First,utccprocesses can be represented as par- tial closure operators (i.e. idempotent and extensive functions). Also, for a significant fragment of the calculus, the input-output behavior of a process P can be retrieved from the set of fixed points of its associated closure operator [12]. Second,utccprocesses can be characterized as First-order Linear-time Temporal Logic (FLTL) formulas [10]. This declarative view of the processes allows for the use of the well-established verification techniques from FLTL to reason aboututccprocesses.

Syntax. Processes in utcc are parametric in a constraint system[17] which specifies the basic con- straints that agents can tell or ask during execution. It also defines anentailmentrelation “`” specifying interdependencies among constraints. Intuitively,c`d means that the information ind can be deduced from that inc(as in, e.g.,x>42`x>0).

The notion of constraint system can be set up by using first-order logic (see e.g., [11]). We assume a first-order signatureΣand a (possibly empty) first-order theory∆, i.e., a set of sentences overΣhaving at least one model. Constraints are then first-order formulas overΣ. Consequently, the entailment relation is defined as follows: c`dif the implicationc⇒dis valid in∆.

The syntax of the language is as follows:

P,Q:= skip

|

|

|

|

|

|

|

A processskip does nothing; a processtell(c) adds c to the store in the current time interval. A process Q= (abs~x;c)P binds the variables~x inP andc. It executes P[~t/~x]for every term~t s.t. the current store entails an admissible substitution overc[~t/~x]. The substitution[~t/~x]is admissible if|~x|=|~t|

and noxi in~xoccurs in~t. Furthermore,Qevolves intoskipat the end of the time unit, i.e., abstractions are not persistent when passing from one time unit to the next one. P k QdenotesPandQrunning in parallel during the current time unit. A process(local~x;c)P bindsthe variables~xinPby declaring them private toPunder a constraintc. Ifc=true, we write(local~x)Pinstead of(local~x;true)P. Theunit delaynextPexecutesPin the next time unit. Thetime-outunlesscnextPis also a unit delay, butPis executed in the next time unit iffcis not entailed by the final store at the current time unit. Finally, the replication !PmeansPknextPknext²Pk. . ., i.e., an unbounded number of copies ofPbut one at a time. We shall use !_[n]Pto denotebounded replication, i.e.,PknextPk...knextⁿ⁻¹P.

From a programming language perspective, variables~x in (abs~x;c)P can be seen as the formal parameters ofP. This way,recursive definitionsof the formX(~x)^def= Pcan be encoded inutccas

R[[X(~x)^def= P]] =!(abs~x;callx(~x))Pb (1) where callx is an uninterpreted predicate (a constraint) of arity|~x|. Process Pbis obtained fromP by replacing recursive calls of the formX(~t) withtell(callx(~t)). Similarly, calls of the formX(~t)in other processes are replaced withtell(callx(~t)).

Operational Semantics. The operational semantics considerstransitionsbetween process-storecon- figurationshP,ciwith stores represented as constraints and processes quotiented by the structural con- gruence≡_udefined below. We shall useγ,γ⁰, . . .to range over configurations.

The semantics is given in terms of aninternaland anobservabletransition relation; both are given in Figure 2. Theinternal transition hP,di −→ hP⁰,d⁰iinformally means “Pwith storedreduces, in one

RT

htell(c),di −→ hskip,d∧ci RP

hP,ci −→ hP⁰,di

hPkQ,ci −→ hP⁰kQ,di RU d`c

hunlesscnextP,di −→ hskip,di

RL

hP,c∧(∃~xd)i −→ hP⁰,c⁰∧(∃~xd)i

h(local~x;c)P,di −→ h(local~x;c⁰)P⁰,d∧ ∃~xc⁰i RA

d`c[~t/~x] [~t/~x]is admissible h(abs~x;c)P,di −→

P[~t/~x]k(abs~x;c∧~x6=~. t)P,d

RS

γ1−→γ2

γ₁⁰−→γ₂⁰

ifγ1≡uγ₁⁰andγ2≡uγ₂⁰ RR

h!P,di −→ hPknext!P,di

RO

hP,ci −→^∗hQ,di 6−→

P ===^(c,d)⇒F(Q)

where F(P) =











skip ifP=skiporP= (abs~x;c)Q F(P1)kF(P2) ifP=P₁kP₂

(local~x)F(Q) ifP= (local~x;c)Q

Q ifP=nextQorP=unlesscnextQ

Figure 2: Operational Semantics for utcc. In RA,~x6=~. t (~x syntactically different from~t) denotes W

1≤i≤|~x|x_i6.

=t_i. If|~x|=0,~x6.

=~tis defined asfalse.

internal step, toP⁰ with stored⁰”. We sometimes abuse of notation by writingP−→P⁰ whend,d⁰ are unimportant. Theobservable transition P ===^(c,d)⇒Rmeans “Pon inputc, reducesin one time unittoR and outputsd”. The latter is obtained from a finite sequence of internal transitions.

In ruleR_S, the structural congruence≡_uis the smallest congruence satisfying: 1)P≡_uQif they differ only by a renaming of bound variables. 2)Pkskip≡_uP. 3)PkQ≡_uQkP,Pk(QkR)≡_u(PkQ)kR.

4)Pk(local~x;c)Q≡_u(local~x;c) (PkQ)if~x6∈fv(P). 5)(local~x;c) (local~y;d)P≡_u(local~x;~y;c∧d)P if~x∩~y=/0 and~y∈/fv(c). Extend≡uby decreeing thathP,ci ≡uhQ,ciiffP≡uQ.

Definition 2 (Output Behavior). Let s=c₁.c2....cn be a sequence of constraints. If P=P₁ ^(true,c===⇒¹⁾ P₂ ^(true,c===⇒²⁾. . .Pn

(true,cn)

===⇒ P_n+1≡_uQ we shall write P ===^s⇒^∗Q. If s=c₁.c₂.c₃...is an infinite sequence, we omit Q in P ===^s⇒^∗Q. Theoutput behaviorof P is defined as o(P) ={s|P ===^s⇒^∗}. If o(P) =o(Q) we shall write P∼^oQ. Furthermore, if P ===^s⇒Q and s is unimportant we simply write P ===⇒^∗Q.

Logic Correspondence. Remarkably, in addition to this operational view, utcc processes admit a declarative interpretation based on Pnueli’s first-order linear-time temporal logic (FLTL) [10]. This is formalized by the encoding below, which mapsutccprocesses into FLTL formulas.

Definition 3. LetTL[[·]]a map fromutccprocesses to FLTL formulas given by:

TL[[skip]] = true TL[[tell(c)]] = c

TL[[PkQ]] = TL[[P]]∧TL[[Q]] TL[[(abs~y;c)P]] = ∀~y(c⇒TL[[P]]) TL[[(local~x;c)P]] = ∃~x(c∧TL[[P]]) TL[[nextP]] = ◦TL[[P]]

TL[[unlesscnextP]] = c∨ ◦TL[[P]] TL[[!P]] = 2TL[[P]]

Modalities◦F andF represent thatF holds next andalways, respectively. We use theeventual modality3Fas an abbreviation of¬¬F.

The following theorem relates the operational view of processes with their logic interpretation.

Theorem 1 (Logic correspondence [13]). LetTL[[·]] be as in Definition 3, P autccprocess and s= c₁.c2.c3... an infinite sequence of constraints s.t. P ===^s⇒^∗. For every constraint d, it holds that:

TL[[P]]`3d iff there exists i≥1s.t. c<sub>i</sub>`d .

Recall that an observable transitionP ^(c,c

0)

===⇒Qis obtained from a finite sequence of internal transi- tions (rule R_O). We notice that there exist processes that may produce infinitely many internal transitions and as such, they cannot exhibit an observable transition; an example is(absx;c(x))tell(c(x+1)). The utccprocesses considered in this paper arewell-terminated, i.e., they never produce an infinite number of internal transitions during a time unit. Notice also that in the Theorem 1 the processPis assumed to be able to output a constraintcifor all time-uniti≥1. Therefore,Pmust be a well-terminated process.

Derived Constructs. Let outbe an uninterpreted predicate. One could attempt at representing the actions of sending and receiving as in a name-passing calculus (say,k![~e]andk?(~x)inP, resp.) with the utccprocessestell(out(k,~e))and(abs~x;out(k,~x))P, respectively. Nevertheless, since these processes are not automatically transferred from one time unit to the next one, they will disappear right after the current time unit, even if they do not interact. To cope with this kind of behavior, we shall define versions of(abs~x;c)Pandtell(c)processes that arepersistent in time. More precisely, we shall use the process (wait~x;c) do P, which transfers itself from one time unit to the next one until, for some~t, c[~t/~x] is entailed by the current store. Intuitively, the process behaves like an input that is active until interacting with an output. When this occurs, the process outputs the constraintc[~t/~x], as a way of acknowledging the successful read of c. When|~x|=0, we shall write wheneverc do P instead of(wait~x;c) do P.

Similarly, we definetell(c)for the persistent output ofcuntil some process “reads”c. These processes can be expressed in the basicutccsyntax as follows (in all cases, we assumestop,go∈/fv(c)):

tell(c) ^def= (localgo,stop) ( tell(out⁰(go))k!whenout⁰(go)do tell(c)k

!unlessout⁰(stop)next tell(out⁰(go))k

!whencdo!tell(out⁰(stop)))

(wait~x;c)doP ^def= (localstop,go) ( tell(out⁰(go))k!unlessout⁰(stop)next tell(out⁰(go)) k!(abs~x;c∧out⁰(go)) (Pk!tell(out⁰(stop))) (wait~x;c)doP ^def= (wait~x;c)do(Pktell(c))

Notice that once a pair of processestellandwaitinteract, their continuation in the next time unit is a process able to output only a constraint of the form∃_xout⁰(x)(e.g.,∃_stop(out⁰(stop))). We define the following equivalence relation that allows us to abstract from these processes.

Definition 4(Observables). Let∼^obe the output equivalent relation in Definition 2. We say that P and Q are observable equivalent, notation P∼^obsQ, if Pk!tell(∃_xout⁰(x))∼^oQk!tell(∃_xout⁰(x)).

Using the previous equivalence relation, we can show the following.

Proposition 1. Assume that c(~x)is a predicate symbol of arity|~x|.

1. If d6`c[~t/~x]for any~t then(wait~x;c)doP ===^(d,d)⇒(wait~x;c)doP.

2. If P≡utell(c(~t))k(wait~x;c(~x))do nextQ then P ===⇒∼^obsQ[~t/~x].

3 A Declarative Interpretation for Structured Communications

The encoding[[·]]fromHVKintoutccis defined in Table 3. Two noteworthy aspects when considering such a translation aredeterminacyandtimed behavior. Concerning determinacy, it is of uttermost impor- tance to recall that whileutccis a deterministic language,HVKprocesses may exhibit non-deterministic behavior. Moreover, whileHVKis a synchronous language, whereasutccis asynchronous. Consider, for instance, theHVKprocess:

P=k![~e];Q₁|k![~e⁰];Q₂|k?(~x)inQ₃

[[requesta(k)inP]] = (localk) (tell(req(a,k))kwheneveracc(a,k)do next[[P]]) [[accepta(k)inP]] = (waitk;req(a,k))do(tell(acc(a,k))knext[[P]])

[[k![~e];P]] = tell(out(k,~e))kwheneverout(k,~e)do next[[P]]

[[k?(~x)inP]] = (wait~x;out(k,~x))do next[[P]]

[[kl;P]] = tell(sel(k,l))kwheneversel(k,l)do next[[P]]

[[k{l1:P1k. . .kln:Pn}]] = (waitl;sel(k,l))do ∏

1≤i≤n

whenl=lido next[[P_i]]

[[throwk[k⁰];P]] = tell(outk(k,k⁰))kwheneveroutk(k,k⁰)do next[[P]]

[[catchk(k⁰)inP]] = wheneveroutk(k,k⁰)do next[[P]]

[[ifethenPelseQ]] = whene↓truedo next[[P]]kwhene↓falsedo next[[Q]]

[[P|Q]] = [[P]]k[[Q]]

[[inact]] = skip [[(νu)P]] = (localu) [[P]]

[[defDinP]] = ∏

Xi(xiki)∈D

R[[Xi(xiki)]]Pb

Table 3: An Encoding fromHVKintoutcc. R[[·]]andPbare defined in Equation 1.

ProcessPcan have two possible transitions, and evolve intok![~e⁰];Q₂| Q₃[~e/~x]or intok![~e];Q₁| Q₃[~e⁰/~x].

In both cases, there is an output that cannot interact with the inputk?(~x)inQ₃. Inutcc, inputs are repre- sented by abstractions which are persistent during a time unit. As a result, in the encoding ofPwe shall observe thatbothoutputs react with the same input, i.e. that[[P]] ===⇒[[Q₃[~e/~x]]]k[[Q₃[~e⁰/~x]]].

As for timed behavior, it is crucial to observe that whileHVKis an untimed calculus,utccprovides constructs for explicit time. In the encoding we shall advocate a timed interpretation of HVKin which all available synchronizations between processes occur at a given time unit, and the continuations of synchronized processes will be executed in the next time unit. This will prove convenient when showing the operational correspondence between both calculi, as we can relate the observable behavior inutcc and the reduction semantics inHVK.

Let us briefly provide some intuitions on[[·]]. ConsiderHVKprocessesP=requesta(k)inP⁰ and Q=accepta(x)inQ⁰. The encoding ofPdeclares a new variable sessionk and sends it through the channela by posting the constraintreq(a,k). Upon reception of the session key (local variable) gen- erated by[[P]], process[[Q]] adds the constraintacc(a,k) to notify the acceptance ofk. They can then synchronize on this constraint, and execute their continuations in the next time unit. The encoding of label selection and branching is similar, and uses constraint sel(k,l) for synchronization. We use the parallel composition ∏

1≤i≤n

whenl=lido next[[Pi]]to execute the selected choice. Notice that we do not require a non-deterministic choice since the constraintsl=li are mutually exclusive. As in [7], in the encoding ofifethenPelseQ we assume an evaluation function on expressions. Onceeis evaluated,↓e is aconstantboolean value. The encoding ofdefDinPexploits the scheme described in Equation 1.

Operational Correspondence. Here we study an operational correspondence property for our encod- ing. The differences with respect to (a)synchrony and determinacy discussed above will have a direct influence on the correspondence. Intuitively, the encoding falls short forHVKprograms featuring the kind of non-determinism that results from “uneven pairings” between session requesters/providers, label selection/branching, and inputs/outputs as in the example above.

We thus find it convenient to appeal to the type system ofHVKto obtain some basic determinacy of the source terms. Roughly speaking, the type discipline in [7] ensures a correct pairing between actions and co-actions once a session is established. Although the type system guarantees a correct match between (the types of) session requesters and providers, it does not rule out the kind of non- determinism induced by different orders in the pairing of requesters and providers. We shall then require session providers to be always willing to engage into a session. This is, given a channel a, we require that there is at most oneacceptprocess (possibly replicated) onathat is able to synchronize with every process requesting a session on a. Notice that this requirement is in line with a meaningful class of programs, namely those described by the type discipline developed in [2, 1].

Before presenting the operational correspondence, we introduce some auxiliary notions.

Definition 5 (Processes in normal form). We say that a HVKprocess P is innormal form if takes the forminactordefDinν~u(Q₁| · · · |Q_n)where neither the operators “ν” and “|” nor process variables occur in the top level of Q₁, . . . ,Qn.

The following proposition states that given a processPwe can find a processP⁰in normal form, such that: eitherP⁰ is structurally congruent toP, or it results from replacing the process variables at the top level ofPwith their corresponding definition (using rule DEF).

Proposition 2. For all HVKprocess P there exists P⁰ in normal form s.t. P−→^∗_h≡_hP⁰ only using the rulesDEFandSTRin Figure 1.

Proof. LetP be a process of the form defDinQ where there are no procedure definitions inQ. By repeated applications of the rule DEF, we can show thatP−→^∗_hP⁰ whereP⁰does not have occurrences of processes variables in the top level. Then, we use the rules of the structural congruence to move the local variables to the outermost position and findP⁰⁰≡_hP⁰in the desired normal form.

Notice that the rules of the operational semantics ofHVKare given for pairs of processes that can interact with each other. We shall refer to each of those pairs as aredex.

Definition 6(Redex). Aredexis a pair of complementary processes composed in parallel as in:

(1)requesta(k)inP|accepta(k)inQ (3)throwk[k⁰];P|catchk(k⁰)inQ.

(2)k![~e];P|k?(~x)inQ (4)kl;P|k{l1:P1k · · · kln:Pn}

Notice that a redex inHVKsynchronizes and reduces in a single transition as in(k![~e];P)|(k?(~x)inQ)

−→_hP|Q[~e/~x]. Nevertheless, in utcc, the encoding of the processes above requires several internal transitions for adding the constraintout(k,~e)to the current store, and for “reading” that constraint by means of(wait~x;out(k,~x))do next[[Q]]to later executenext[[Q[~e/~x]]]. We shall then establish the op- erational correspondence between an observable transition of utcc (obtained from a finite number of internal transitions) and the following subset of reduction relations overHVKprocesses:

Definition 7(Outermost Reductions). Let P≡_hdefDinν~x(Q₁| · · · |Q_n)be anHVKprogram in normal form. We define the outermost reduction relationP ===⇒_hP⁰ as the maximal sequence of reductions P−→^∗_hP⁰≡_hdefDinν~x⁰(Q⁰₁| · · · |Q⁰_n)such that for every i∈ {1, ..n}, either

1. Qi=ifethenR₁elseR₂ −→_hR_1/2=Q⁰_i;

2. for some j∈ {1, ..n}, Qi|Qj is a redex such that Qi|Qj−→_hν~y(Q⁰_i|Q⁰_j), with~y⊆~x⁰; 3. there is no k∈ {1, ..n}such that Qi|Q_kis a redex and Qi≡_hQ⁰_i.

One may argue that the above-presented definition may rule out some possible reductions inHVK.

Returning to the concerns about determinacy, an outermost reduction filters out cases where there are more than one possible reduction for a set of parallel processes (i.e.: the parallel composition of two outputs and one input with the same session key). The use of outermost reductions gives us a subset of possible reductions in HVKthat keeps synchronous processes and discard processes that are not going to interact in any way (recall that in the typing discipline of HVKthe composition of an input and an output with the same session key will consume the channel used; hence, every other process sending information over the same session will not have any complementary process to synchronize with).

In the sequel we shall thus consider only HVKprocesses P where for n≥1, ifP≡_h P₁ ===⇒_h P₂ ===⇒h· · · ===⇒hPnandP≡hP₁⁰ ===⇒hP₂⁰ ===⇒h· · · ===⇒hP_n⁰thenPi≡hP_i⁰for alli∈ {1, ..,n}, i.e.,Pis adeterministicprocess.

Theorem 2(Operational Correspondence). Let P,Q be deterministicHVKprocesses in normal form and R,S beutccprocesses. It holds:

1)Soundness: If P ===⇒_hQ then, for some R,[[P]] ===⇒R∼^obs[[Q]];

2)Completeness: If[[P]] ===⇒S then, for some Q, P ===⇒_hQ and[[Q]]∼^obsS.

Proof. Assume thatP≡_hdefDinν~x(Q₁| · · · |Qn)andQ≡_hdefDinν~x⁰(Q⁰₁| · · · |Q⁰_n).

1. Soundness. SinceP ===⇒_hQthere must exist a sequence of derivations of the formP≡_hP₁−→_h P₂−→_h...−→_hP_n≡_hQ. The proof proceeds by induction on the length of this derivation, with a case analysis on the last applied rule. We then have the following cases:

(a) Using the rule IF1. It must be the case that there existsQi≡_hifethenR₁elseR₂ andQi−→_h R₁≡_hQ⁰_i ande↓true. One can easily show thatwhene↓truedo next [[Q⁰_i]] ===⇒[[Q⁰_i]].

(b) Using the rule IF2Similarly as for IF1.

(c) Using the rule LINK. It must be the case that there existi,jsuch thatQi≡_hrequesta(k)inQ⁰_i andQj≡_haccepta(x)inQ⁰_jand thenQi|Qj−→_h(νk)(Q⁰_i|Q⁰_j). We then have a derivation

[[Qi]]k[[Q_k]] −→^∗ (localk;c) (R⁰_ikwheneveracc(a,k)do next[[Q⁰_i]]k

(waitk⁰;req(a,k⁰))do(tell(acc(a,k⁰))knext([[Q⁰_j]]))

−→^∗ (localk;c⁰) (R⁰_ikwheneveracc(a,k)do next[[Q⁰_i]]k R⁰_jktell(acc(a,k))knext([[Q⁰_j[k/k⁰]]])

−→^∗ (localk;c⁰⁰) (R⁰_ikR⁰_jknext[[Q⁰_i]]knext([[Q⁰_j[k/k⁰]]])6−→

wherec=req(a,k),c⁰=c∧req(a,k),c⁰⁰=c⁰∧acc(a,k)∧acc(a,k)andR⁰_i,R⁰_jare the pro- cesses resulting after the interaction of the processes in the parallel compositiontell(req(a,k))k (waitk⁰;req(a,k⁰))do · · ·, i.e.:

R⁰_i ≡u (localgo,stop;out⁰(go)∧out⁰(stop)∧c(~t))

next!unlessout⁰(stop)next tell(out⁰(go))knext!tell(out⁰(stop)) R⁰_j ≡u (localstop⁰,go⁰;out⁰(go⁰)∧c(~t)∧out⁰(stop⁰))next!tell(out⁰(stop⁰))

knext!unlessout⁰(stop⁰)next tell(out⁰(go⁰)) k(abs~x;c∧out⁰(go⁰)∧~x6.

=~t) (Qktell(c(~t))k!tell(out⁰(stop⁰)) knext!(abs~x;c∧out⁰(go⁰)) (Qktell(c(~t))k!tell(out⁰(stop⁰))

We notice thatR⁰_ikR⁰_j6−→and it is a process that can only output the constraintout⁰(x)where x is a local variable. By appealing to Proposition 1 we conclude [[Qi]]k[[Qj]] ===⇒∼^obs (localk) ([[Q⁰_i]]k[[Q⁰_j]]).

(d) The cases using the rules LABELand PASScan be proven similarly as the case forLINK.

2. Completeness. Given the encoding and the structure ofP, we have autccprocessR= [[P]]s.t.

R≡u(local~x) ([[Q1]]k...k[[Qn]]).

LetRi= [[Qi]]for 1≤i≤n. By an analysis on the structure ofR, ifRi−→R⁰_ithen it must be the case that either (a)R_i=whenedo next[[Q⁰_i]]andR⁰_i=next[[Q⁰_i]]or (b)hR_i,ci −→ hR⁰_i,c∧diwhere d is a constraint of the formreq(·),sel(·),out(·), or outk(·). In both cases we shall show that there exists aR⁰⁰_i such thatRi−→^∗R⁰⁰_i 6−→such thatQi−→hQ⁰_iandR⁰⁰_i =next[[Q⁰_i]].

(a) Assume thatRi=whene↓true do next[[Q⁰_i]]for someQ⁰_i. Then it must be the case that Qi=ifethenQ⁰_ielseQ⁰⁰_i . Ife↓truewe then haveR⁰⁰_i =next[[Q⁰_i]]. The case whene↓false is similar by consideringR_i=whene↓falsedoQ⁰_i.

(b) Assume now that hR_i,ci −→ hR⁰_i,c∧di where d is of the form req(·), sel(·), out(·) or outk(·). We proceed by case analysis of the constraintd. Let us consider only the cased=

∃_k(req(a,k)); the cases in whichdtakes the formsel(·),out(·), oroutk(·)are handled sim- ilarly. Ifd=∃_k(req(a,k))for somea, then we must have thatQ_i≡_hrequesta(k)inQ⁰_i for somei. If there exists jsuch thatQj≡_haccepta(x)inQ⁰_j, one can show a derivation similar to the case of the rule LINKin soundness to prove thatRikRj−→^∗∼^o(localk) (next[[Q⁰_i]]k next[[Q⁰_j]]). If there is noQ_jsuch thatQ_i |Q_jforms a redex, then one can show by using (1) in Proposition 1 thatRi ===⇒∼^obsRi.

4 A Timed Extension of HVK

We now propose an extension toHVKin which a bundled treatment of time is explicit and session closure is considered. More precisely, theHVK^Tlanguage arises as the extension ofHVKprocesses (Def. 1) with refined constructs for session request and acceptance, as well as with a construct for session abortion:

Definition 8(A timed language for sessions). HVK^Tprocesses are given by the following syntax:

P ::= requesta(k)duringmin P Timed Session Request

| accepta(k)givencin P Declarative Session Acceptance

| · · · { the other constructs, as in Def. 1 }

| killc_k Session Abortion

The intuition behind these three operators is the following: requesta(k)duringminPwill request a sessionk over the service nameaduringmtime units. Its dual construct isaccepta(k)givencinP:

it will grant the session key k when requested over the service name a provided by a session and a successful check over the constraintc. Notice thatc stands for a precondition for agreement between session request and acceptance. Inc, the durationmof the corresponding session keykcan be referenced by means of the variabledur_k. In the encoding we syntactically replace it by the variable corresponding tom. Finally,killck will removeck from the valid set of sessions.

Adapting the encoding in Table 3 to considerHVK^Tprocesses is remarkably simple (see Table 4).

Indeed, modifications to the encoding of session request and acceptance are straightforward. The most evident change is the addition of the parametermwithin the constraintreq(a,k,m). The duration of the requested session is suitably represented as a bounded replication of the process defining the activation of the sessionkrepresented as the constraintact(k). The execution of the continuation[[P]]is guarded by the constraintact(k)(i.e.Pcan be executed only when the sessionkis valid). Thus, in the encoding we use the functionGd(P) to denote the process behaving asPwhen the constraintd can be entailed from the current store, doing nothing otherwise. More precisely:

[[requesta(k)duringminP]] = (localk)tell(req(a,k,m))k

wheneveracc(a,k)do next(tell(act(k))kGact(k)([[P]])k

!_[m]unlesskill(k)next tell(act(k))) [[accepta(k)givencinP]] = (waitk;req(a,k,m)∧c[m/dur_k])do(tell(acc(a,k))knextGact(k)([[P]]))

[[killk]] = !tell(kill(k))

Table 4: The Extended Encoding.Gd(P)is in Definition 9.

Definition 9. LetG :C →Procs→Procs be defined as

Gd(skip) =skip Gd(P1kP2) =Gd(P1)kGd(P2)

Gd(tell(c)) =whenddo tell(c) Gd(!Q) =!Gd(Q)

Gd(nextQ) =whenddo nextGd(Q) Gd((abs~x;c)Q) =(abs~x;c)Gd(Q) if~x∈/fv(d) Gd(unlesscnextQ) =whenddo unlesscnextGd(Q) Gd((local~x;c)Q) =(local~x;c)Gd(Q) if~x∈/fv(d)

On the side of session acceptance, the main novelty is the introduction ofc[m/durk]. As explained before, we syntactically replace the variabledur_k by the corresponding duration of the sessionm. This is a generic way to represent the agreement that should exist between a service provider and a client; for instance, it could be the case that the client is requesting a session longer than what the service provider can or want to grant.

4.1 Case Study: Electronic booking

Here we present an example that makes use of the constructs introduced inHVK^T.

Let us consider an electronic booking scenario. On one side, consider a company AC which offers flights directly from its website. On the other side, there is a customer looking for the best offers. In this scenario, the customer establishes a timed session with AC and asks for a flight proposal given a set of constraints (dates allowed, destination, etc.). After receiving an offer from AC, the customer can refine the selection further (e.g. by checking that the prices are below a given threshold) and loops until finding a suitable option, that he will accept by starting the booking phase. One possibleHVK^Tspecification of this scenario is described in Table 5.

Customer = requestob(k)duringmin(k![bookingdata];Select(k))

Select(k) = k?(o f f er)in(if(o f f er.price≤1500)thenkContract;elseSelect(k) ) AC = acceptob(k)givendur_k≤MAX T IMEin(k?(bookingData)in

(νu)k![u];k

Contract:AcceptkRe ject:killk )

Table 5: Online booking example with two agents.

In a second stage, the customer uses an online broker to mediate between him and a set of airlines acting as service providers. Letnbe the number of service providers, and consider two vectors of fixed length: Offers, which contains the list[Offers0, . . . ,Offersi, . . . ,Offersn]of offers received by a customer, and SP, which contains the list of trusted services. First, the customer establishes a session with the broker for a given periodm; later on, he/she starts requesting for a flight by providing the details of his/her trip to the broker. On the other side, the broker will look into his pool of trusted service providers for the ones that can supply flights that suit the customer’s requirements. All possible offers are transferred back to the customer, who will invoke a local procedureSel (not specified here) that selects one of the offers