Synthesis of Orchestrations and Choreographies: Bridging the Gap between Supervisory Control and Coordination of Services
Logical Methods in Computer Science, Volume 16, Issue 2, 2020, pp. 9:1–9:29. https://lmcs.episciences.org/ Submitted Oct. 05, 2019. Published Jun. 03, 2020.
DAVIDE BASILE a, MAURICE H. TER BEEK a, AND ROSARIO PUGLIESE b
a ISTI–CNR, Pisa, Italy. E-mail address: {davide.basile,maurice.terbeek}@isti.cnr.it
b University of Florence, Italy. E-mail address: rosario.pugliese@unifi.it
Abstract. We present a number of contributions to bridging the gap between supervisory control theory and coordination of services in order to explore the frontiers between coordination and control systems. Firstly, we modify the classical synthesis algorithm from supervisory control theory for obtaining the so-called most permissive controller in order to synthesise orchestrations and choreographies of service contracts formalised as contract automata. The key ingredient to make this possible is a novel notion of controllability. Then, we present an abstract parametric synthesis algorithm and show that it generalises the classical synthesis as well as the orchestration and choreography syntheses. Finally, through the novel abstract synthesis, we show that the concrete syntheses are in a refinement order. A running example from the service domain illustrates our contributions.

Key words and phrases: Service Contracts, Contract Automata, Controller Synthesis, Orchestration, Choreography.

DOI: 10.23638/LMCS-16(2:9)2020. © D. Basile, M.H. ter Beek, and R. Pugliese. CC Creative Commons.

1. Introduction

Services are ubiquitous in today's society. Examples include finances, healthcare, and tourism (e.g. booking services). Service-oriented computing (SOC) is "the discipline that seeks to develop computational abstractions, architectures, techniques, and tools to support services broadly" [16]. According to this paradigm, services are well-defined, self-contained, and stand-alone software modules that provide some standard business functionality. As such, services can serve as building blocks for the rapid, low-cost development of distributed applications in heterogeneous environments. Services used in composite applications are not limited to new service implementations, but may also include adapted and wrapped fragments of existing applications. The strength of SOC is composing multiple, distributed services into more powerful applications. This reuse through composition provides businesses a means to reduce the cost and risks of developing new applications.

Service composition is thus a key challenge for the full realisation of the SOC paradigm. As such, it can benefit from and contribute to emerging research directions inspired by cloud computing, IoT, social computing, and mobile computing, to name but a few. For instance, the composition of cloud services requires the coordination of hardware and software resources across various layers. The IoT concept of smart cities concerns the large-scale composition of diverse and heterogeneous digital devices and services to provide multiple real-time, end user customised functionalities. Service composition based on relations in today's large social networks is challenging due to the size and complexity of the resultant big data. In mobile environments, service composition is required to consider the intrinsic dynamicity and its effect on QoS aspects concerning security and reliability.

Two approaches are widely adopted for coordinating services by means of service composition: orchestration and choreography. Intuitively, an orchestration yields the description of a distributed workflow from "one party's perspective" [41], whereas a choreography describes the behaviour of the involved parties from a "global viewpoint" [34]. In an orchestrated model, the service components are coordinated by a special component, the orchestrator, which, by interacting with them, dictates the workflow at runtime. In a choreographed model, instead, the service components autonomously execute and interact with each other on the basis of a local control flow expected to comply with their role as specified by the global viewpoint. Ideally, a choreographed model is thought to be more efficient due to the absence of the overhead of communications with the orchestrator. Any choreography can trivially be transformed into an orchestration of services, by adding an idle orchestrator.
Similarly, by explicitly adding an orchestrator and its interactions with the service components, and hence the relative overhead, an orchestration of services can be transformed into a choreography.

Despite the key impact that SOC can have on other contemporary computing paradigms, as already mentioned before, the recent Service Computing Manifesto [16] points out that "Service systems have so far been built without an adequate rigorous foundation that would enable reasoning about them" and that "The design of service systems should build upon a formal model of services". Therefore, the principled design of service-based applications and systems is identified as a primary research challenge for the coming years.

To tackle this challenge, in [10], two orchestrated and choreographed automata-based models of services, called contract automata (not to be confused with the accidentally homonymous contract automata of [6], which were introduced to formalise legal contracts among two parties expressed in natural language) and communicating (finite-state) machines, respectively, are studied and related. The goal of both formalisms is to compose the automata such that each service is capable of reaching an accepting (final) state by synchronous/asynchronous one-to-one interactions with the other services in the composition. The main difference lies in the fact that contract automata are oblivious of their partners and an orchestration is synthesised to drive their interactions, whereas communicating machines name the recipient service of each interaction upfront and use FIFO buffers to interact with each other. The model of contract automata was further developed in [8].

The orchestration synthesis was borrowed from the synthesis of the most permissive controller (mpc) from Supervisory Control Theory (SCT) [43, 18], whose aim is to coordinate an ensemble of (local) components into a (global) system that functions correctly. In the context of contract automata, this amounts to refining the composition of service contracts into its largest sub-portion whose behaviour is non-blocking and safe (a notion of service compliance). The adaptation of the mpc synthesis for synthesising an orchestration of services required the introduction of a novel notion of semi-controllability. Basically, the assumption of the presence of an unpredictable environment was dropped in favour of a milder notion of predictable necessary service requests to be fulfilled.
In this paper, we contribute to the research efforts on rigorously modelling service orchestration and choreography. More specifically, building on [14], we report on the efforts to relate the mpc synthesis and the orchestration synthesis of contract automata through a polished, homogeneous formalisation. The need for semi-controllability is showcased with intuitive examples and its expressiveness is evaluated with respect to standard SCT notions of controllable and uncontrollable actions. Moreover, we introduce a novel choreography synthesis algorithm and a novel abstract synthesis algorithm. We then show that each of the three synthesis algorithms can be obtained through a different instantiation of this abstract synthesis algorithm. This paper extends [14] in several ways. We include all proofs and as an additional contribution we demonstrate that the different instantiations of the abstract synthesis algorithm are related through a notion of refinement, which allows us to formally prove that the orchestration synthesis is an abstraction of the mpc synthesis. Furthermore, we illustrate each of the synthesis algorithms through a running example from the service domain. Finally, we have also extended the prototypical tool FMCAT with the implementation of the novel choreography synthesis algorithm and then used it to compute all the automata compositions and syntheses shown in our running example.

The paper is organised as follows. Section 2 contains background notions and results concerning contract automata and SCT, and introduces our running example. Section 3 and Section 4 introduce the synthesis of orchestrations and the novel synthesis of choreographies in the setting of (modal service) contract automata. Section 5 demonstrates that each of the introduced synthesis algorithms is an instantiation of a more abstract, parametric synthesis algorithm, and Section 6 shows that these different instantiations are related. Section 7 discusses related work, while Section 8 concludes the paper and provides some hints for future work. Appendix A contains the full proofs of two results only sketched in Section 5.

2. Background
In this section, we provide some background useful to better appreciate our contributions on the crossroads of supervisory control theory and coordination of services formalised as modal service contract automata. We also introduce a running example from the service domain that will be used throughout the paper to illustrate our contributions.

2.1. Contract Automata.
A Contract Automaton (CA) represents either a single service (in which case it is called a principal) or a multi-party composition of services performing actions. The number of principals of a CA is called its rank. The states of a CA are vectors of states of principals. In the following, $\vec{v}$ denotes a vector and $\vec{v}(i)$ denotes its $i$th element.

The transitions of CA are labelled with actions, which are vectors of elements in the finite set of basic actions $L = R \cup O \cup \{\bullet\}$, with $R \cap O = \emptyset$ and $\bullet \notin R \cup O$. Intuitively, $R$ is the set of requests (depicted as non-overlined labels on arcs, e.g. $a$), $O$ is the set of offers (depicted as overlined labels on arcs, e.g. $\overline{a}$) with $O = \{\overline{a} \mid a \in R\}$, and $\bullet$ is a distinguished symbol representing the idle action. To establish if a pair of a request and an offer are complementary, we use the involution function $co : L \to L$ defined as follows: $\forall a \in R : co(a) = \overline{a}$, $\forall \overline{a} \in O : co(\overline{a}) = a$, and $co(\bullet) = \bullet$. By abusing notation, we let $co(R) = O$ and $co(O) = R$.

(FMCAT is available at https://github.com/davidebasile/FMCAT. A video tutorial showcasing the specification, composition, and syntheses of the contract automata from our running example is available at https://github.com/davidebasile/FMCAT/tree/master/demoLMCS2020.)

An action is a vector $\vec{a}$ of basic actions with either a single offer, or a single request, or a single pair of request-offer that match, i.e. there exist $i$ and $j$ such that $\vec{a}(i)$ is an offer and $\vec{a}(j)$ is the complementary request (formally $co(\vec{a}(i)) = \vec{a}(j)$); all other elements of the vector are $\bullet$, meaning that the corresponding principals remain idle. Such an action is called request, offer, or match, respectively. A transition is said to be a request, offer, or match according to its labelling action.

The goal of each principal is to reach an accepting (final) state such that all its requests and offers are matched.

In [11], CA are equipped with modalities, i.e. permitted ($\Diamond$) and necessary ($\Box$), that are associated to requests. Offers remain without modalities, i.e. they are interpreted as always permitted, like in the original CA formalism. Matches, on the other hand, inherit the modality of the involved request. The resulting formalism, called Modal Service Contract Automata (MSCA), is formally defined next. Differently from standard SCT, all transitions of MSCA are observable, since MSCA model the execution of services in terms of their requests and offers.

Definition 2.1 (MSCA [11]). Given a finite set of states $\mathcal{Q} = \{q_1, q_2, \ldots\}$, a Modal Service Contract Automaton (MSCA) $A$ of rank $n$ is a septuple $\langle Q, \vec{q}_0, A^\Diamond, A^\Box, A^o, T, F \rangle$, with set of states $Q \subseteq \mathcal{Q}^n$, initial state $\vec{q}_0 \in Q$, set of permitted requests $A^\Diamond$ and of necessary requests $A^\Box$ partitioning the set of requests $A^r \subseteq R$, set of offers $A^o \subseteq O$, set of final states $F \subseteq Q$, set of transitions $T \subseteq Q \times A \times Q$, where $A \subseteq (A^r \cup A^o \cup \{\bullet\})^n$, partitioned into permitted transitions $T^\Diamond$ and necessary transitions $T^\Box$, such that: (i) given $t = (\vec{q}, \vec{a}, \vec{q}') \in T$, $\vec{a}$ is either a request, or an offer, or a match; (ii) $\forall i \in 1 \ldots n$, $\vec{a}(i) = \bullet$ implies $\vec{q}(i) = \vec{q}'(i)$; (iii) $t \in T^\Diamond$ if and only if $\vec{a}$ is either a request or a match on $a \in A^\Diamond$, or an offer on $\overline{a} \in A^o$; otherwise $t \in T^\Box$.

Remarkably, it follows that the set of transitions of an MSCA is finite.

A principal is an MSCA of rank 1 such that $A^r \cap co(A^o) = \emptyset$. Unless stated differently, we assume that it is given an MSCA $A = \langle Q_A, \vec{q}_{0A}, A^\Diamond_A, A^\Box_A, A^o_A, T_A, F_A \rangle$ of rank $n$. Subscript $A$ may be omitted if no confusion may arise.

A step $(w, \vec{q}) \xrightarrow{\vec{a}} (w', \vec{q}')$ occurs in $A$ if and only if $w = \vec{a}w'$, $w' \in A^*$, and $(\vec{q}, \vec{a}, \vec{q}') \in T$. Let $\to^*$ be the reflexive and transitive closure of $\to$. The language of $A$ is $\mathcal{L}(A) = \{ w \mid (w, \vec{q}_0) \xrightarrow{w}{}^* (\varepsilon, \vec{q}),\ \vec{q} \in F \}$. A step may be denoted as $\vec{q} \xrightarrow{\vec{a}}$ if $w$, $w'$, and $\vec{q}'$ are irrelevant, and as $\vec{q} \to \vec{q}'$ if $w$, $w'$, and $\vec{a}$ are irrelevant.

Composition of services is rendered through the composition of their MSCA models.
This amounts to interleaving or matching the transitions of the component MSCA, forcing the match whenever two components are ready on their respective complementary request/offer actions. In the resulting MSCA, states and actions are vectors of states and actions of the component MSCA, respectively. The composition is non-associative, i.e. pre-existing matches are not rearranged if a new MSCA joins the composition afterwards.

In a composition of MSCA, typically various properties are analysed. We are especially interested in agreement and strong agreement (which in the literature is also known as progress of interactions, deadlock freedom, compliance or conformance of contracts). In an MSCA in strong agreement, all requests and offers must be matched. Instead, the property of agreement only requires matching all requests. An MSCA admits (strong) agreement if it has a trace satisfying the corresponding property, and it is safe if all its traces are such.

The MSCA formalism has its origins in [8], where CA were first introduced, but in this paper we build on the version with modalities from [11] to cater for controllable and uncontrollable (and thus semi-controllable) actions. The branching condition for CA from [10] will be recalled in Section 4 as a condition for obtaining a choreography from an orchestration, and it is satisfied by construction by the output MSCA of the synthesis of the choreography.

Figure 1: MSCA Client (left) and PrivilegedClient (right). [Figure not reproduced: states $c, \ldots$ and $c', \ldots$; transitions labelled $\overline{qry}$, $bst$, $\overline{ok}$, $\overline{nok}$, all permitted ($\Diamond$) in Client, with $\overline{qry}$ necessary ($\Box$) in PrivilegedClient.]

Figure 2: MSCA Hotel (left) and PrivilegedHotel (right). [Figure not reproduced: states $h, \ldots$ and $h', \ldots$; transitions labelled $chk$, $\overline{rsp}$, $bk$, $nbk$, all permitted ($\Diamond$) in Hotel, with $bk$ necessary ($\Box$) in PrivilegedHotel.]
Example 2.2. We introduce a running example that will be used throughout the paper to showcase the synthesis of orchestration and choreography. We anticipate, as discussed in detail in Section 4, that a modified version of MSCA is used for the synthesis of a choreography, in which offers can be necessary whilst requests are only permitted.

Figures 1, 3, and 2 show five MSCA of rank 1. These automata model an example of a hotel booking service, where clients and hotels interact by means of a broker for booking hotel rooms. There are two types of clients, Client and PrivilegedClient. Both clients can either terminate without interactions (final states are drawn as double circles), or they can engage in interactions with the broker to possibly book a room. The first interaction is to ask for a room, by means of the offer $\overline{qry}$ (query). After this action, the clients receive the best room option from the broker, by means of the request $bst$ (best). Then, each client can either decide to accept (offer $\overline{ok}$) or refuse (offer $\overline{nok}$) the option offered by the broker. PrivilegedClient will be used to showcase a choreography in Section 4. Accordingly, PrivilegedClient only differs from Client with respect to the first offer $\overline{qry}$, which is declared necessary. Basically, PrivilegedClient reaches an agreement only if there exists a trace in which its offer is necessarily matched. All other actions are permitted.

Similarly, there are two types of hotels, Hotel and PrivilegedHotel. Also both hotels can either terminate without interactions, or they can engage in interactions with the broker to possibly have their rooms booked. The first interaction is to receive a request for a room, by means of the request $chk$ (check). After this check, a response is sent to the broker through the offer $\overline{rsp}$ (response). Then, each hotel can either receive a booking or a no booking reply by means of requests $bk$ (book) or $nbk$ (no book), respectively. PrivilegedHotel will be used to showcase an orchestration in Section 3. Accordingly, PrivilegedHotel only differs from Hotel with respect to the request $bk$, declared necessary. Basically, PrivilegedHotel admits non-empty orchestrations only if there exists a trace in which one of its rooms is booked (i.e. the necessary request is matched). All other actions are permitted.

Finally, the Broker acts as an intermediary between a client and at least two hotels. The broker starts by receiving a request for a room by a client through the request $qry$. At this point, it starts to interact with the hotels to search for a possible option to propose to the client. This is done by (twice) repeating the offer $\overline{chk}$ (sending a room enquiry) followed by the request $rsp$ (receiving the room response by one hotel). Indeed, at least two hotels must be enquired to speak of a best offer. After that, the Broker can engage with further hotels, from state $b$, or it can proceed with the best offer $\overline{bst}$ to the client. At this point, it receives through the requests $ok$ or $nok$ either the acceptance or rejection, respectively, of its offer. If the offer is accepted, Broker proceeds to book the room with offer $\overline{bk}$ to the selected hotel (abstracted away in the contract) and replying to all other hotels with a $\overline{nbk}$ offer. Otherwise, if the offer is rejected, Broker sends to all hotels waiting for a reply the offer $\overline{nbk}$. All actions of Broker are permitted.

Figure 3: MSCA Broker. [Figure not reproduced: states $b, \ldots$; transitions labelled $qry$, $\overline{chk}$, $rsp$, $\overline{bst}$, $ok$, $nok$, $\overline{bk}$, $\overline{nbk}$, all permitted ($\Diamond$).]

2.2. Supervisory Control Theory.
The aim of Supervisory Control Theory (SCT) [43, 18] is to provide an algorithm to synthesise a finite-state automaton model of a supervisory controller from given (component) finite-state automata models of the uncontrolled system and its requirements, themselves expressed as automata. The synthesised supervisory controller, if successfully generated, is such that the controlled system, which is the composition (i.e. synchronous product) of the uncontrolled system and the supervisory controller, satisfies the requirements and is additionally non-blocking, controllable, and maximally permissive.

An automaton is non-blocking if from each state at least one of the so-called marked states (distinguished stable states representing completed 'tasks' [43], e.g. a final state) can be reached without passing through so-called forbidden states, meaning that the system always has the possibility to return to an accepted stable state. The algorithm assumes that marked states and forbidden states are indicated for each component model.

SCT distinguishes between observable and unobservable, as well as controllable and uncontrollable actions, where unobservable actions are also uncontrollable. Intuitively, the supervisory controller cannot distinguish one unobservable action from the other, whereas it can tell observable actions apart. Moreover, it is not permitted to directly block uncontrollable actions from occurring; the controller is only allowed to disable them by preventing controllable actions from occurring. Intuitively, controllable actions correspond to stimulating the system, while uncontrollable actions correspond to messages provided by the environment, like sensors, which may be neglected but cannot be denied from existing.

Finally, the fact that the resulting supervisory controller is maximally permissive (or least restrictive) means that as much behaviour of the uncontrolled system as possible remains present in the controlled system without violating the requirements, controllability, or the non-blocking condition.

From the seminal work of Ramadge and Wonham [43], we know that a unique maximally permissive supervisory controller exists, provided that all actions are observable. This is called the most permissive controller (mpc); it coordinates an ensemble of (local) components into a (global) system that works correctly. The synthesis algorithm suffers from the same state space explosion problem as model checking [31]. However, SCT has successfully been applied to industrial size case studies [29, 49].

Intuitively, the synthesis algorithm for computing the mpc of a finite-state automaton $A$ works as follows. The mpc is computed through an iterative procedure that at each step $i$ updates incrementally a set of states $R_i$ containing the bad states, i.e. those states that cannot prevent a forbidden state from eventually being reached, and refines an automaton $K_i$. The algorithm starts with an automaton $K_0$ equal to $A$ and a set $R_0$ containing all dangling states in $A$, where a state is dangling if it cannot be reached from the initial state or cannot reach a final state. At each step $i$, the algorithm prunes from $K_{i-1}$ in a backwards fashion transitions with target state in $R_{i-1}$ or forbidden source state. The set $R_i$ is obtained by adding to $R_{i-1}$ the dangling states in $K_i$ and the source states of uncontrollable transitions of $A$ with target state in $R_{i-1}$. When no more updates are possible, the algorithm terminates. Termination is ensured since $A$ is finite-state and has a finite set of transitions, and at each step the subsets of its states $R_i$ cannot decrease while the set of its transitions $T_{K_i}$ cannot increase. Now, suppose that at its termination the algorithm returns the pair $(K_s, R_s)$. We have that the mpc is empty if the initial state of $A$ is in $R_s$; otherwise, the mpc is obtained from $K_s$ by removing the states in $R_s$.

We report below the standard synthesis algorithm, but we homogenise the notation and simplify the formulation, to align the algorithm with those presented in the next sections. For this purpose, we assume the standard mpc synthesis to operate on MSCA where necessary transitions ($T^\Box$) are uncontrollable whilst permitted transitions ($T^\Diamond$) are controllable.

We use $\langle\rangle$ to denote the empty automaton. A state $q \in Q$ is said to be dangling if and only if there is no $w$ such that $\vec{q}_0 \xrightarrow{w}{}^* q$, or there is no $w$ such that $q \xrightarrow{w}{}^* q_f \in F$. Let $Dangling(A)$ denote the set of dangling states of $A$. Given two MSCA $A$ and $A'$, we say that $A'$ is a sub-automaton of $A$, denoted by $A' \subseteq A$, whenever the components of $A'$ are included in the corresponding ones of $A$. Moreover, given two sets of states $R$ and $R'$, we let $(A, R) \leq (A', R')$ if $A' \subseteq A$ and $R \subseteq R'$. It is straightforward to show that $(MSCA \times \mathcal{Q}, \leq)$ is a complete partial order (cpo).

The algorithm to compute the mpc is now defined in terms of the least fixed point of a monotone function on the cpo $(MSCA \times \mathcal{Q}, \leq)$.

Definition 2.3 (Standard synthesis, adapted from [43]). Let $A$ be an MSCA, and let $K_0 = A$ and $R_0 = Dangling(K_0)$. We let the synthesis function $f : MSCA \times \mathcal{Q} \to MSCA \times \mathcal{Q}$ be defined as follows: $f(K_{i-1}, R_{i-1}) = (K_i, R_i)$, with

$$T_{K_i} = T_{K_{i-1}} \setminus \{ (\vec{q} \to \vec{q}') \in T_{K_{i-1}} \mid \vec{q}' \in R_{i-1} \vee \vec{q} \text{ is forbidden} \}$$

$$R_i = R_{i-1} \cup \{ \vec{q} \mid (\vec{q} \to \vec{q}') \in T^\Box_A,\ \vec{q}' \in R_{i-1} \} \cup Dangling(K_i)$$

Theorem 2.4 (Standard mpc, adapted from [43]). The synthesis function $f$ is monotone on the cpo $(MSCA \times \mathcal{Q}, \leq)$ and its least fixed point is:

$$(K_s, R_s) = \sup(\{ f^n(K_0, R_0) \mid n \in \mathbb{N} \})$$

The mpc of $A$, denoted by $K_A$, is:

$$K_A = \begin{cases} \langle\rangle & \text{if } \vec{q}_0 \in R_s \\ \langle Q \setminus R_s,\ \vec{q}_0,\ A^\Diamond,\ A^\Box,\ A^o,\ T_{K_s},\ F \setminus R_s \rangle & \text{otherwise} \end{cases}$$

We now want to estimate an upper bound of the complexity of the mpc synthesis algorithm as it results from Definition 2.3 and Theorem 2.4. In the worst case, deciding if a state is dangling requires visiting the whole state space. Thus, an upper bound of the complexity of the procedure for deciding if a state is dangling is $O(|Q|)$, and the upper-bound complexity for computing the set of dangling states is $O(|Q|^2)$. At each iteration, in the worst case, the algorithm either removes a single transition from $T$ or adds a single state to $R$, and each iteration requires computing the set of dangling states. Thus, an upper bound of the complexity of the mpc synthesis algorithm is $O((|T| + |Q|) \times |Q|^2)$. To conclude, it is worth noticing that our analysis focusses on the abstract specification of the algorithm while its implementation could be optimised, for example by using parallelism and dedicated data structures, in order to perform better than the complexity sketched above.

Example 2.5.
We continue the running example by discussing the synthesis of the mpc for the composition of two clients, the broker, one normal hotel, and one privileged hotel, denoted as

$$A = Client \otimes Client \otimes Broker \otimes Hotel \otimes PrivilegedHotel$$

The property to be enforced is agreement: each request must be matched by a corresponding offer. Basically, this property is an invariant stating that all request transitions are forbidden. Since the synthesis works on forbidden states, we need to preprocess $A$ accordingly. In particular, the algorithm starts from the automaton $A$ from which all permitted requests have been removed. Forbidden states are those featuring an outgoing necessary request.

The resulting mpc only consists of the initial (and final) state $(c, c', b, h, h')$, and its behaviour is empty. Hence, agreement cannot be enforced in $A$ using the standard synthesis algorithm. This is an indication of the fact that standard mpc synthesis is not useful for the scope of synthesising a correct service composition (i.e. in which agreement is satisfied). The reason is that necessary transitions are not to be interpreted as uncontrollable. The notion of uncontrollable transition stems from the necessity of modelling an unpredictable environment, which is not suitable to model necessary service requests. Basically, PrivilegedHotel has a necessary request that should be matched in at least one trace of the composition. However, by interpreting such a necessary request as uncontrollable, the synthesis is enforcing the necessary requests to be satisfied in every trace of the composition. Intuitively, this would require that a client is not allowed to refuse to book a room.

As will become clear in the forthcoming sections, $A$ admits a non-empty orchestration in which agreement is enforced, because necessary transitions will not be interpreted as fully uncontrollable.

We have used our tool FMCAT to calculate the automaton $A$ and its mpc synthesis. Their computation time and state-space dimension are reported in Table 1 (on page 17).

3. Synthesis of Orchestrations
In this section, we discuss how we revised the classical synthesis algorithm from SCT to obtain the mpc (cf. Theorem 2.4) and synthesise orchestrations of MSCA.

Originally, MSCA were capable of expressing only permitted requirements, corresponding to actions that are controllable by the orchestrator. Hence, in the synthesis of the orchestration, all transitions labelled by actions violating the property to be enforced were pruned, and all dangling states were removed (cf. [8]).

While permitted requests of MSCA are in one-to-one correspondence with controllable actions, interestingly this is not the case for necessary requests and uncontrollable actions. A necessary (request) action is indeed a weaker constraint than an uncontrollable one. This stems from the fact that traditionally uncontrollable actions relate to an unpredictable environment. However, interpreting such actions as necessary service requests to be fulfilled in a service contract, as is the case in the setting of MSCA, implies that it suffices that at least one such synchronisation (i.e. match) actually occurs in the synthesised orchestration. This is precisely what is modelled by the notion of semi-controllable actions, anticipated in [11] and formally introduced in [12, 13], discussed next.

Figure 4: Two MSCA (left and middle) and a possible composition $A$ of them (right)

The importance of this novel notion in the synthesis algorithm is showcased by an intuitive example. Consider the two MSCA interacting on the necessary service request $a$ depicted in Fig. 4 (left and middle), and their possible composition $A$ depicted in Fig. 4 (right). Note that $A$ models two possibilities of fulfilling request $a$ from the leftmost automaton by matching it with a service offer $a$ from the middle one. Note that a similar composition can be obtained in other automata-based formalisms (such as, e.g., (timed) I/O automata [39, 2, 25]). Now assume that the request $a$ must be matched with the offer $a$ to obtain an agreement (i.e. it is necessary), and that for some reason the bad state ✗ is to be avoided in favour of the successful state ✓, i.e. in some sense we would like to express that $a$ must be matched at some point, rather than always. In most automata-based formalisms this is not allowed and the resulting mpc is empty. In the MSCA formalism, it is possible to orchestrate the composition of the two automata on the left in such a way that the result is the automaton $A$ on the right, but without the state ✗ and its incident transition.

In fact, in the MSCA formalism, $A$ depicts a composition in which the automata on the left can synchronise on the so-called semi-controllable action $a^{\square}$ either in their initial state or after the middle automaton has performed some other action $b^{\checkmark}$, ignoring in this case whether a bad or a successful state is reached in the end. Indeed, the notion of semi-controllability is independent from both the specific formalism being used and the requirement (e.g. agreement in the case of MSCA) to be enforced.

As far as we know, we were the first to define a synthesis algorithm, in [13], that is capable of producing a controller that guarantees that at least one of these two synchronisations actually occurs. Indeed, in the standard synthesis algorithm (cf. Theorem 2.4), action $a$ can either be controllable, and hence not necessary as we want, or uncontrollable, thus requiring that $a$ must always be matched, a stronger requirement than the one posed by declaring $a$ as necessary.

To formalise the intuitions above, a semi-controllable transition $t$ becomes controllable if in a given portion of $A$ there exists a semi-controllable match transition $t'$, with source and target states not dangling, such that in both $t$ and $t'$ the same principal, in the same local state, does the same request. Otherwise, $t$ is uncontrollable. We refer the interested reader to [12, 13] for more complete accounts.

Definition 3.1 (Controllability). Let $A$ be an MSCA and let $t = (\vec{q}, \vec{a}, \vec{q}\,') \in T_A$. Then:
- if $\vec{a}$ is an action on $a \in A^{\checkmark} \cup A^{o}$, then $t$ is controllable (in $A$) and part of $T^{\checkmark}$;
- if $\vec{a}$ is a request or match on $a \in A^{\square}$, then $t$ is semi-controllable (in $A$) and part of $T^{\square}$.
Moreover, given $A' \subseteq A$, if $t$ is semi-controllable and there exists $t' = (\vec{q}\,'', \vec{a}\,', \vec{q}\,''') \in T^{\square}_{A'}$ in $A'$ such that $\vec{a}\,'$ is a match, $\vec{q}\,'', \vec{q}\,''' \notin \mathit{Dangling}(A')$, and for some principal $i$ it holds that $\vec{q}_{(i)} = \vec{q}\,''_{(i)}$ and $\vec{a}_{(i)} = \vec{a}\,'_{(i)} = a$, then $t$ is controllable in $A'$ (via $t'$); otherwise, $t$ is uncontrollable in $A'$.

The algorithm for synthesising an orchestration enforcing agreement of MSCA follows. The main adaptation of the mpc synthesis of Theorem 2.4 is that transitions are no longer declared uncontrollable; instead, they can be either controllable or semi-controllable. More importantly, a semi-controllable transition switches from controllable to uncontrollable only after it has been pruned in a previous iteration, in which case its source state becomes bad. Finally, in this case there are no forbidden states but rather forbidden transitions (i.e. requests, according to the property of agreement).

Definition 3.2 (MSCA orchestration synthesis, adapted from [11]). Let $A$ be an MSCA, and let $K_0 = A$ and $R_0 = \mathit{Dangling}(K_0)$. We let the orchestration synthesis function $f_o : \mathsf{MSCA} \times 2^{Q} \to \mathsf{MSCA} \times 2^{Q}$ be defined as follows: $f_o(K_{i-1}, R_{i-1}) = (K_i, R_i)$, with
$$T_{K_i} = T_{K_{i-1}} \setminus \{\, (\vec{q} \to \vec{q}\,') = t \in T_{K_{i-1}} \mid \vec{q}\,' \in R_{i-1} \vee t \text{ is a request} \,\}$$
$$R_i = R_{i-1} \cup \{\, \vec{q} \mid (\vec{q} \to) \in T^{\square}_{A} \text{ is uncontrollable in } K_i \,\} \cup \mathit{Dangling}(K_i)$$

Theorem 3.3 (MSCA orchestration, adapted from [11]). The orchestration synthesis function $f_o$ is monotone on the cpo $(\mathsf{MSCA} \times 2^{Q}, \le)$ and its least fixed point is
$$(K_s, R_s) = \sup(\{\, f_o^{\,n}(K_0, R_0) \mid n \in \mathbb{N} \,\}).$$
The orchestration $K_A$ of $A$ is
$$K_A = \begin{cases} \langle\rangle & \text{if } \vec{q}_0 \in R_s \\ \langle Q \setminus R_s,\ \vec{q}_0,\ A^{\checkmark},\ A^{\square},\ A^{o},\ T_{K_s} \setminus T',\ F \setminus R_s \rangle & \text{otherwise} \end{cases}$$
where $T' = \{\, t = (\vec{q} \to) \in K_s \mid t \text{ is controllable in } K_s,\ \vec{q} \in R_s \,\}$.

We now estimate the complexity of the orchestration synthesis algorithm. In the synthesis of the mpc, deciding whether a transition is controllable or uncontrollable has a complexity of $O(1)$. Conversely, for the orchestration case, deciding whether a semi-controllable transition is controllable or uncontrollable requires in the worst case checking all transitions of the automaton. Accordingly, the procedure for computing the set of uncontrollable transitions has an upper-bound complexity of $O(|T|)$. Since this is the only difference with respect to the mpc synthesis, a first upper bound of the complexity of the orchestration synthesis is $O((|T| + |Q|) \times |Q| \times |T|)$. The computation of the set of dangling states and of the set of uncontrollable transitions could be done in parallel through a single visit of the automaton. Thus, the upper-bound complexity of the orchestration synthesis can be lowered to be the same as the complexity of the mpc synthesis, i.e. $O((|T| + |Q|) \times |Q|)$. Finally, we want to underline that our complexity estimation refers to the abstract specification of the algorithm resulting from Definition 3.2 and Theorem 3.3. As already observed for the mpc synthesis, when implementing the algorithm further optimisations could be achieved that can lower its complexity.

Example 3.4.
We further continue the running example by discussing the synthesis of the orchestration for the composition $A = \mathit{Client} \otimes \mathit{Client} \otimes \mathit{Broker} \otimes \mathit{Hotel} \otimes \mathit{PrivilegedHotel}$.

Figure 5: Orchestration of $\mathit{Client} \otimes \mathit{Client} \otimes \mathit{Broker} \otimes \mathit{Hotel} \otimes \mathit{PrivilegedHotel}$
The orchestration of $A$ is depicted in Fig. 5 and the time needed to compute it by using FMCAT is reported in Table 1 (on page 17). We recall that the orchestration is the largest sub-portion of the composition that is in agreement, i.e. in which requests are matched by offers.

From the initial (and final) state there are two possible evolutions: either one of the clients is served while the other one does not interact. Without loss of generality, assume that the first client is served. The orchestration continues with the broker enquiring the hotels (in both possible orders). After these enquiries, the reached state is $\vec{q} = (c, c', b, h, h')$. From $\vec{q}$, the broker sends the best offer received from one of the hotels to the client, and the client decides whether or not to accept this best offer. The broker then communicates the selected choice to the hotels it interacted with. Note that in the orchestration it is possible that the client does not book any room.

We now explain why the mpc is empty (cf. Example 2.5). First, note that $\vec{q}$ must be traversed to reach a final successful state. The composition $A$ (which is not displayed for space limitations) contains the transition $t = \vec{q} \xrightarrow{(\bullet,\,\bullet,\,\bullet,\,\bullet,\,bk)^{\square}} (c, c', b, h, h')$, in which the necessary request $bk$ of the fifth principal is left unmatched. The state $\vec{q}$ is then forbidden, since its outgoing transition $t$ is uncontrollable and cannot be pruned. It follows that all states traversed from the initial state to $\vec{q}$ would eventually become dangling during the mpc synthesis, and thus the mpc is empty.

Conversely, for the case of synthesising the orchestration, we have that $t$ is semi-controllable and it is controllable via $t' = (c, c', b, h, h') \xrightarrow{(\bullet,\,\bullet,\,bk,\,\bullet,\,bk)^{\square}} (c, c', b, h, h')$, in which the same request is matched by the broker. Thus, $t$ is pruned by the orchestration synthesis algorithm. Intuitively, in the orchestration there exists a trace in which the necessary request $bk$ is matched.

This example shows that the notion of semi-controllability is best suited for necessary requests of service contracts. We argue that semi-controllability is not specific to the context of service contracts; rather, it is independent of the formalism used and can be applied in other contexts as well. Semi-controllability can be interpreted as the 'existentially quantified' counterpart of the universally quantified notion of uncontrollability, originally stemming from Supervisory Control Theory, in much the same way that Computation Tree Logic allows existential quantification of paths that can only be universally quantified in Linear Temporal Logic.

However, in the next section we will see that the notion of semi-controllability is too relaxed for the case of choreography, which thus demands a revisited version.

3.1. On encoding semi-controllability.
We now show, by means of an example adapted from [13], that encoding an automaton $A$ with semi-controllable actions into an automaton $A'$ without them, such that the same synthesised orchestrations are obtained, results in an exponential blow-up of the state space. More precisely, the encoding is intended to preserve safety: the orchestration of $A$ equals that of $A'$.

The encoding is sketched in Fig. 6. Intuitively, the encoded automaton $A'$ is obtained by first applying the following construction to the automaton $A$ from Fig. 4 (right):

if the synchronisation on a specific semi-controllable action $a$ occurs in $n$ different transitions in $A$ (two in our example), then the encoding creates an automaton $A'$ that is the union of $2^n - 1$ automata (three in our example), which are obtained by all possible combinations of pruning a subset of the $n$ semi-controllable transitions of $A$, minus the one in which all $n$ semi-controllable transitions are pruned;

and then turning all semi-controllable transitions into uncontrollable transitions.

We now explain why, without knowing a priori the set of forbidden and successful states, it is impossible to provide a more efficient encoding, and refer to [13, Theorems 3 and 4] for a formal account. Assume, by contradiction, that there exists an encoding that results in a 'smaller' automaton $A''$, in which one of the $2^n - 1$ combinations of pruned transitions (say, $P$) is discarded. It then suffices to specify as a counterexample a property in $A$ such that all source states of transitions in $P$ are forbidden and all target states of the remaining semi-controllable transitions are successful. The synthesis of $A$ against such a property would prune exactly the semi-controllable transitions in $P$. However, in the synthesis of $A''$ such an orchestration would not be present, a contradiction.

Figure 6: Automaton $A'$ uses uncontrollable transitions to encode automaton $A$ from Fig. 4

4. Synthesis of Choreographies
In the previous section, we have seen that the orchestration of MSCA is similar to a most permissive controller. The orchestrator is however implicit, in the sense that its interactions with the principals are hidden. Basically, one could assume that before interacting, each principal expects a message from the orchestrator and answers with an acknowledgement after the interaction terminates. The main intuition behind switching from an orchestrated to a choreographic coordination of contracts is that there is no longer the need for such 'hidden' interactions. Ideally, the principals moving autonomously are able to accomplish the behaviour foreseen by the synthesis, which in this case acts as a global type. Differently from the traditional choreographic approach, where the starting point is a global type, in MSCA the global type is synthesised automatically.

The requirements for ensuring that the synthesised automaton is a (form of) choreography were studied in [10, 37]. Roughly, they amount to the so-called branching condition, requiring that principals perform their offers/outputs independently of the other principals in the composition. To formalise this notion, we let $\mathit{snd}(\vec{a}) = i$ when $\vec{a}$ is a match action or an offer action and $\vec{a}_{(i)} \in O$.

Definition 4.1 (Branching condition [10]). An MSCA $A$ satisfies the branching condition if and only if the following holds for each pair of states $\vec{q}_1, \vec{q}_2$ reachable in $A$:
$$\forall \vec{a} \text{ match action}.\ \big(\vec{q}_1 \xrightarrow{\vec{a}} \ \wedge\ \mathit{snd}(\vec{a}) = i \ \wedge\ (\vec{q}_1)_{(i)} = (\vec{q}_2)_{(i)}\big) \text{ implies } \vec{q}_2 \xrightarrow{\vec{a}}.$$

The branching condition is related to a phenomenon known as 'state sharing' in other coordination models (cf., e.g., [45]), according to which system components can influence potential synchronisations through their local (component) states even if they are not involved in the actual global (system) transition.

In [10], it is proved that the synthesised automaton corresponds to a well-behaving choreography if and only if it satisfies the branching condition and is strongly safe. Notably, in case the two conditions are not satisfied, that paper does not provide any algorithm for automatically synthesising a choreography; rather, the contracts have to be manually amended. Instead, in the remainder of this section, we introduce a novel algorithm for automatically synthesising a well-behaving choreography. Note that, differently from the orchestration and the controller synthesis, in this case there could be more than one possible choreography (cf. Example 4.6).

The property to be enforced during the synthesis is strong agreement: all offers and requests have to be matched, because all messages have to be read (i.e. offers matched). Moreover, in the case of choreography, service contract requests are always permitted whereas service contract offers can be necessary. That is, the roles of service requests and offers are swapped with respect to the case of orchestration.

Figure 7: Fragment of a possible service composition

In principle, the synthesis could trivially introduce a coordinator component and its interactions to coordinate the principals. However, this would reduce the choreography to a centralised coordination of contracts. To prevent this, the synthesis can only remove and never add behaviour. Hence, a choreography can only be synthesised if all principals are capable of interacting on their own without resorting to a central coordinator.

Similarly to orchestration synthesis, indicating transitions as either controllable or uncontrollable does not suffice for synthesising a choreography. Moreover, the notion of semi-controllability introduced for the orchestration case does not suffice for expressing necessary offers. Indeed, orchestration synthesis does not ensure that the branching condition is satisfied by the synthesised automaton, as the following example shows.
Example 4.2. In Fig. 7, a fragment of a service composition is shown. Two global states are depicted, and in both the first service, say Alice, is in its initial local state (say, $q$). Alice performs an output (i.e. offer) $a$ that can be directed to either Bob (second service) or Carol (third service) from the initial global state, or only to Bob from the other state. It is possible to reach either a successful (✓) or a bad (✗) state, left unspecified for the moment. Notably, the output of Alice is neither controllable, nor uncontrollable, nor semi-controllable by the synthesis.

Now assume that $a$ is controllable and that from the initial global state both interactions eventually lead to a bad state (✗). In this case, those transitions are pruned by the synthesis, and the resulting automaton is erroneously approved. Indeed, Alice has no means to know when her output $a$ is enabled, because she has not changed state. The branching condition, which is necessary for obtaining a well-behaving choreography, would be violated. Note that this would happen also if $a$ were semi-controllable. In fact, to satisfy the branching condition, the synthesis should remove all outputs $a$.

Conversely, assume that $a$ is uncontrollable and that it is possible from the initial global state to reach a successful state (✓) if the message $a$ is received by Bob. In this case, it would not be possible to prune the transition from the initial state leading to ✗, because it is also uncontrollable. The synthesis would thus be empty, an erroneous rejection, because a choreography exists in which Alice autonomously interacts with Bob.

In conclusion, a necessary action is rendered neither as uncontrollable nor as semi-controllable, and permitted actions require extra pruning operations during the synthesis. A novel notion of semi-controllability for a necessary action is required, which is weaker than uncontrollable but stronger than the semi-controllable notion used in the synthesis of orchestration.

Basically, for the choreography synthesis, a (semi-controllable) necessary transition $t = (\vec{q} \xrightarrow{\vec{a}}) \in T^{\square}$ is detected to be uncontrollable if and only if no necessary transition $t' = (\vec{q} \xrightarrow{\vec{a}\,'}) \in T^{\square}$ exists from the same source state such that in both $t$ and $t'$ the same offer is provided by the same principal, but possibly with different receivers. We now define this formally.

Definition 4.3.
Let $A$ be an MSCA and let $t = (\vec{q}, \vec{a}, \vec{q}\,') \in T_A$. Then:
- if $\vec{a}$ is an action on $a \in A^{\checkmark}$, then $t$ is controllable (in $A$);
- if $\vec{a}$ is an offer or match on $a \in A^{\square}$, then $t$ is semi-controllable (in $A$).

Moreover, given $A' \subseteq A$, if $t$ is semi-controllable and there exists $t' = (\vec{q}, \vec{a}\,', \vec{q}\,'') \in T^{\square}_{A'}$ such that $\vec{a}\,'$ is a match, $\vec{q}, \vec{q}\,'' \notin \mathit{Dangling}(A')$, and $\vec{a}_{(i)} = \vec{a}\,'_{(i)}$ where $i = \mathit{snd}(\vec{a})$, then $t$ is controllable in $A'$ (via $t'$); otherwise, $t$ is uncontrollable in $A'$.

Hence, again a necessary transition is a particular type of transition that switches from being controllable to uncontrollable in case a condition on the global automaton is not met. Note that this condition is stronger than the one required for the case of orchestration (semi-controllability), because for the case of choreography the transitions $t$ and $t'$ in Definition 4.3 share the source state. Moreover, also in this case it can be shown that the encoding of this type of semi-controllable transition into an uncontrollable one would result in an exponential growth of the state space of the model.

Similarly to the orchestration synthesis in Definition 3.2, when a semi-controllable transition previously removed by the synthesis switches from controllable to uncontrollable, its source state is detected to be bad. Apart from the different notion of semi-controllability, another difference with respect to the orchestration synthesis is that the transitions violating the branching condition must also be removed. Depending on which transitions violating the branching condition are pruned at a certain iteration, different choreographies can be obtained (cf. Example 4.6). Indeed, a maximal choreography is not always guaranteed to exist (as is the case for the running example). A concrete implementation should fix the criterion under which transitions are selected for the set $\hat{T}_{K_i, R_i}$ (cf. Definition 4.4).

Finally, according to the property of strong agreement, both request and offer transitions are forbidden. The formalisation is provided next.

Definition 4.4 (MSCA choreography synthesis). Let $A$ be an MSCA, and let $K_0 = A$ and $R_0 = \mathit{Dangling}(K_0)$. We let a choreography synthesis function $f_c : \mathsf{MSCA} \times 2^{Q} \to \mathsf{MSCA} \times 2^{Q}$ be defined as follows: $f_c(K_{i-1}, R_{i-1}) = (K_i, R_i)$, with
$$T_{K_i} = T_{K_{i-1}} \setminus \big( \{\, (\vec{q} \to \vec{q}\,') = t \in T_{K_{i-1}} \mid \vec{q}\,' \in R_{i-1} \vee t \text{ is a request or offer} \,\} \cup \hat{T}_{K_{i-1}, R_{i-1}} \big)$$
$$R_i = R_{i-1} \cup \{\, \vec{q} \mid (\vec{q} \to) \in T^{\square}_{A} \text{ is uncontrollable in } K_i \,\} \cup \mathit{Dangling}(K_i)$$
where, at each iteration $i$,
$$\hat{T}_{K_i, R_i} \subseteq T_{bc} = \{\, (\vec{q}_1 \xrightarrow{\vec{a}}) \in T_{K_i} \mid \exists \vec{q}_2 : (\mathit{snd}(\vec{a}) = j \wedge (\vec{q}_1)_{(j)} = (\vec{q}_2)_{(j)}) \wedge (\vec{q}_2 \xrightarrow{\vec{a}}) \notin T_{K_i} \wedge \vec{q}_1, \vec{q}_2 \notin R_i \,\}$$
and whenever $f_c(K_i, R_i) = (K_i, R_i)$ then $T_{bc} = \emptyset$.

Theorem 4.5 (MSCA choreography). A choreography synthesis function $f_c$ is monotone on the cpo $(\mathsf{MSCA} \times 2^{Q}, \le)$ and its least fixed point is
$$(K_s, R_s) = \sup(\{\, f_c^{\,n}(K_0, R_0) \mid n \in \mathbb{N} \,\}).$$
A choreography $K_A$ of $A$ is
$$K_A = \begin{cases} \langle\rangle & \text{if } \vec{q}_0 \in R_s \\ \langle Q \setminus R_s,\ \vec{q}_0,\ A^{\checkmark},\ A^{\square},\ A^{o},\ T_{K_s} \setminus T',\ F \setminus R_s \rangle & \text{otherwise} \end{cases}$$
where $T' = \{\, t = (\vec{q} \to) \in K_s \mid t \text{ is controllable in } K_s,\ \vec{q} \in R_s \,\}$. Moreover, $K_A$ satisfies the branching condition.

Proof. The algorithm terminates because at each iteration either some transition is pruned or a state becomes forbidden, and both the set of transitions and the set of states are finite. We now prove that the synthesised automaton is (i) non-blocking, (ii) controllable, (iii) strongly safe, and (iv) satisfies the branching condition. In case $K_A = \langle\rangle$, the properties hold trivially, thus we assume that the synthesised controller is non-empty.

For (i), trivially all dangling states are pruned, so it is always possible to reach a final state. Similarly, bad states (i.e. states in the set $R_s$) are never traversed by construction, i.e. transitions with target in $R_s$ are pruned.

For (ii), by construction all uncontrollable transitions have source state in $R_s$, and thus are not reachable. Note that by Definition 4.3 uncontrollable transitions are necessary requirements that are not met and thus are always removed by the synthesis.

For (iii), all transitions eventually violating strong safety are requests or offers and are pruned by the synthesis.

For (iv), the transitions violating the branching condition are $\{\, (\vec{q}_1 \xrightarrow{\vec{a}}) = t \in T_{K_A} \mid \exists \vec{q}_2 : (\mathit{snd}(\vec{a}) = i \wedge (\vec{q}_1)_{(i)} = (\vec{q}_2)_{(i)}) \wedge (\vec{q}_2 \xrightarrow{\vec{a}}) \notin T_{K_A} \,\}$ and these are pruned by definition.

Returning to Example 4.2, the erroneously accepted case is removed because, during the synthesis, the operation of pruning the transitions leading to bad states causes the removal of the remaining transition. Thus, the obtained choreography is empty.
Similarly, the erroneously rejected case is not possible because, assuming that the output from the initial state is necessary, this necessary action is not rendered as uncontrollable as long as the output is matched by some other principal from the same initial state.

We now estimate also the complexity of the choreography synthesis. With respect to the orchestration synthesis, in the choreography synthesis at each iteration a transition violating the branching condition can be removed. In the worst case, deciding if a transition violates the branching condition requires checking all other transitions. Hence, an upper bound of the procedure for selecting a transition violating the branching condition is $O(|T|)$. Note that, in the unlikely event that all transitions share the same source state, the upper-bound complexity for computing the set of uncontrollable transitions is the same as in the case of orchestration synthesis. Thus, a first upper bound of the complexity of the choreography synthesis algorithm is $O((|T| + |Q|) \times |Q| \times |T|)$. We can refine this first approximation to $O((|T| + |Q|) \times |Q|)$. Indeed, similar to the case of orchestration synthesis, at each iteration in a single traversal of the automaton it is possible to compute the set of dangling states, the set of uncontrollable transitions, and the set of transitions violating the branching condition. Also in this case, as for the other syntheses, our complexity estimation refers to the abstract specification of the algorithm resulting from Definition 4.4 and Theorem 4.5. The implementation of the algorithm could be optimised to perform even better.

Example 4.6.
We once more continue the running example by discussing the choreography synthesis for the composition $A = \mathit{Client} \otimes \mathit{PrivilegedClient} \otimes \mathit{Broker} \otimes \mathit{Hotel} \otimes \mathit{Hotel}$.

The choreography of $A$ is depicted in Fig. 8 and the time needed to compute $A$ and its choreography by using FMCAT is reported in Table 1.

Figure 8: Choreography of $\mathit{Client} \otimes \mathit{PrivilegedClient} \otimes \mathit{Broker} \otimes \mathit{Hotel} \otimes \mathit{Hotel}$

Table 1: Results of computing the compositions $A$ and $A$ and their syntheses. For each composition the table reports the number of states and the time (ms) needed for the composition, for the mpc, for the orchestration and for the choreography (numeric entries not reproduced).

Note that, differently from $A$ in Example 2.5 and Example 3.4, in $A$ there is a privileged client and no privileged hotel. Indeed, $\mathit{PrivilegedHotel}$ is not a valid contract for the choreography case. The choreography does not need the overhead of interactions with the orchestrator and, most importantly, the synthesis of the choreography does not introduce any additional behaviour. Indeed, with due adjustment of the necessary transitions of
$\mathit{PrivilegedClient}$ and $\mathit{Hotel}$, the choreography could be considered a sub-automaton of the orchestration.

We now use the example to discuss the differences between orchestration and choreography, and in particular the requirement that the branching condition is satisfied. In the orchestration, from the initial state either one of the two clients can interact. This decision is internally taken by the orchestrator (whose communications are abstracted away in the orchestration). Conversely, in the choreography only the $\mathit{PrivilegedClient}$ is allowed to interact. This is because the clients are not able to decide on their own which one of them should start the interactions. This can be explained as follows. If both clients were allowed to interact, a deadlock could be reached upon the following steps. Initially, $\mathit{PrivilegedClient}$ offers $qry$. Afterwards, for the interactions to continue such an offer must be received by some principal (i.e. the underlying choreographed model is synchronous [10]). In this case, $\mathit{Broker}$ receives the offer $qry$. At this point, $\mathit{Client}$ is allowed to offer its $qry$ message. The interactions are now deadlocked, because $\mathit{Broker}$ cannot receive such a message, nor can any other contract. This is an example of a violation of the branching condition. Consider the initial state $\vec{q}_0 = (c, c', b, h, h')$ and the state $\vec{q} = (c, c', b, h, h')$ of the scenario above. In the orchestration, the branching condition is violated because from state $\vec{q}_0$ the match $(qry, \bullet, qry, \bullet, \bullet)$ is allowed, while it is not in state $\vec{q}$, and in both states $\mathit{Client}$ is in $c$. During the choreography synthesis, the match $(qry, \bullet, qry, \bullet, \bullet)$ from state $\vec{q}_0$ is pruned. Likewise, in the choreography the broker enquires the hotels in a fixed order, whereas in the orchestration all possible orders are allowed, or else the branching condition would be violated.

Note that an alternative choreography can be obtained by swapping the order in which the hotels are enquired by the broker. Indeed, from state $\vec{q}$ the orchestration allows both matches $(\bullet, \bullet, chk, chk, \bullet)$ and $(\bullet, \bullet, chk, \bullet, chk)$. During the choreography synthesis, both these outgoing matches violate the branching condition. By pruning one of them, the other is automatically amended, because the states causing the violation of the branching condition become dangling. In particular, the synthesis prunes the transition $(\bullet, \bullet, chk, \bullet, chk)$ in favour of $(\bullet, \bullet, chk, chk, \bullet)$.

Finally, concerning semi-controllability, note that it is not possible to have a choreography in which $\mathit{PrivilegedClient}$ is not served in favour of $\mathit{Client}$, because the $qry$ offer of $\mathit{PrivilegedClient}$ is necessary and thus must be matched.

The evaluation was carried out on a machine with an Intel(R) Core(TM) i7-8500Y CPU at 1.50 GHz, 1601 MHz, 2 Core(s), 4 Logical Processor(s), with 16 GB of RAM, running 64-bit Windows 10.

5. Abstract Synthesis
In Section 2, Section 3, and Section 4, we have presented three slightly different synthesisalgorithms, and in the previous section we have illustrated their differences. As said before,to bridge the gap between standard synthesis and orchestration and choreography syntheses,the controllable and uncontrollable actions from SCT are related to permitted and necessarymodalities, respectively, of MSCA.The main intuition for this is that the SCT assumption of an unpredictable environmentresponsible for the uncontrollable transitions is not realistic in the case of coordinationof services whose behaviour is known and observable. As a result, necessary actions arenot in correspondence with uncontrollable actions, but rather require the introduction ofa milder notion of controllability. The condition under which a controllable transitionbecomes uncontrollable varies depending on the particular synthesis algorithm (orchestrationor choreography). Conversely, in the standard mpc synthesis such information is local, i.e. atransition is declared to be uncontrollable.In this section, we discuss an abstract synthesis algorithm that generalises the previousalgorithms by abstracting away the conditions under which a transition is pruned or astate is deemed bad, thus encapsulating and extrapolating the notion of controllability andsafety. These two conditions, called pruning predicate ( φ p ) and forbidden predicate ( φ f )are parameters to be instantiated by the corresponding instance of the synthesis algorithm(e.g. orchestration or choreography). Predicate φ p is used for selecting the transitions to bepruned. Depending on the specific instance, non-local information about the automaton orthe set of bad states is needed by φ p . Therefore, φ p takes as input the current transitionto be checked, the automaton, and the set of bad states. If φ p evaluates to true, then thecorresponding transition will be pruned. Predicate φ f is used for deciding whether a statebecomes bad. 
The input parameters are the same as for $\varphi_p$. However, $\varphi_f$ only inspects necessary transitions ($T^{\Box}$). If $\varphi_f$ evaluates to true, then the source state is deemed bad and added to the set $R_i$. The abstract synthesis algorithm is formally defined below.

Definition 5.1 (Abstract synthesis). Let $A$ be an MSCA, and let $K_0 = A$ and $R_0 = \mathrm{Dangling}(K_0)$. Given two predicates $\varphi_p, \varphi_f : T \times \mathrm{MSCA} \times 2^{Q} \to \mathrm{Bool}$, we let the abstract synthesis function $f_{(\varphi_p,\varphi_f)} : \mathrm{MSCA} \times 2^{Q} \to \mathrm{MSCA} \times 2^{Q}$ be defined as follows:

$$f_{(\varphi_p,\varphi_f)}(K_{i-1}, R_{i-1}) = (K_i, R_i), \text{ with}$$
$$T_{K_i} = T_{K_{i-1}} \setminus \{\, t \in T_{K_{i-1}} \mid \varphi_p(t, K_{i-1}, R_{i-1}) = \mathit{true} \,\}$$
$$R_i = R_{i-1} \cup \{\, \vec{q} \mid (\vec{q} \rightarrow) = t \in T^{\Box}_A,\ \varphi_f(t, K_{i-1}, R_{i-1}) = \mathit{true} \,\} \cup \mathrm{Dangling}(K_i)$$

As in the previous cases, the mpc relative to the pair $(\varphi_p, \varphi_f)$ is obtained by computing the least fixed point $(K_s, R_s)$ of $f_{(\varphi_p,\varphi_f)}$ and removing the states $R_s$ from $K_s$.

Theorem 5.2 (Abstract controller synthesis). The abstract synthesis function $f_{(\varphi_p,\varphi_f)}$ is monotone on the cpo $(\mathrm{MSCA} \times 2^{Q}, \leq)$ and its least fixed point is:

$$(K^{(\varphi_p,\varphi_f)}_s, R^{(\varphi_p,\varphi_f)}_s) = \sup(\{\, f^{n}_{(\varphi_p,\varphi_f)}(K_0, R_0) \mid n \in \mathbb{N} \,\})$$

The abstract controller of $A$ for predicates $(\varphi_p, \varphi_f)$, denoted by $K^{(\varphi_p,\varphi_f)}_A$, is:

$$K^{(\varphi_p,\varphi_f)}_A = \begin{cases} \langle\rangle & \text{if } \vec{q}_0 \in R^{(\varphi_p,\varphi_f)}_s \\ \langle\, Q \setminus R^{(\varphi_p,\varphi_f)}_s,\ \vec{q}_0,\ A^{\Diamond},\ A^{\Box},\ A^{o},\ T_{K^{(\varphi_p,\varphi_f)}_s},\ F \setminus R^{(\varphi_p,\varphi_f)}_s \,\rangle & \text{otherwise} \end{cases}$$

Proof. The algorithm terminates because at each iteration either some transition is pruned or a state becomes forbidden, and both sets of transitions and states are finite. We now prove that the synthesised automaton is (i) non-blocking, (ii) controllable, (iii) most-permissive, and (iv) safe.
In case $K^{(\varphi_p,\varphi_f)}_A = \langle\rangle$, the properties hold trivially, thus we assume that the synthesised controller is non-empty.

For (i), trivially all dangling states are pruned, so it is always possible to reach a final state. Similarly, bad states (i.e. states in the set $R_s$) are never traversed by construction, i.e. transitions with target in $R_s$ are pruned.

For (ii) and (iv), the forbidden predicate $\varphi_f$ codifies exactly when controllability or safety is violated by a state. By construction, it is never the case that such a state is reached.

For (iii), by construction a state is deemed bad or a transition is pruned exactly when either the forbidden or the pruning predicate is satisfied, respectively. Thus, maximality follows from the fact that each controller greater than the one synthesised will admit some forbidden state or transition.

In the remainder of this section, we show how to instantiate the abstract synthesis function to the standard synthesis function, to the orchestration synthesis function, or to the choreography synthesis function, and prove their correspondences.

Theorem 5.3 (Abstract mpc synthesis). The standard synthesis function of Definition 2.3 coincides with the instantiation of the abstract synthesis function of Definition 5.1 where, for a generic transition $t = (\vec{q}, \vec{a}, \vec{q}\,')$, predicates $\varphi_p$ and $\varphi_f$ are defined as follows:

$$\varphi^{mpc}_p(t, K, R) = (\vec{q}\,' \in R) \lor (\vec{q} \text{ is forbidden})$$
$$\varphi^{mpc}_f(t, K, R) = (\vec{q}\,' \in R)$$

Proof.
Let $K^{mpc}_A$ and $K^{abs}_A$ be the controllers computed through Theorems 2.4 and 5.2, respectively. The proof proceeds by induction on the fixed point iterations and by case analysis.

For the base case, by definition $K^{mpc}_0 = K^{abs}_0 = A$ and $R^{abs}_0 = R^{mpc}_0 = \mathrm{Dangling}(K_0)$.

For the inductive case, let $i$ be a fixed point iteration. Assuming $K^{mpc}_{i-1} = K^{abs}_{i-1}$ and $R^{mpc}_{i-1} = R^{abs}_{i-1}$, we prove $K^{mpc}_i = K^{abs}_i$ and $R^{mpc}_i = R^{abs}_i$.

The equivalence $K^{mpc}_i = K^{abs}_i$ follows because at the $i$-th iteration, $\varphi^{mpc}_p$ detects exactly the same transitions that are pruned by the mpc synthesis algorithm.
For the equivalence $R^{mpc}_i = R^{abs}_i$, we have

$$R^{mpc}_i = R^{mpc}_{i-1} \cup \mathrm{Dangling}(K^{mpc}_i) \cup \{\, \vec{q} \mid (\vec{q}, \vec{a}, \vec{q}\,') \in T^{\Box}_{K^{mpc}_i},\ \vec{q}\,' \in R^{mpc}_{i-1} \,\}$$

and

$$R^{abs}_i = R^{abs}_{i-1} \cup \mathrm{Dangling}(K^{abs}_i) \cup \{\, \vec{q} \mid (\vec{q} \xrightarrow{\vec{a}}) = t \in T^{\Box}_A,\ \varphi^{mpc}_f(t, K^{abs}_{i-1}, R^{abs}_{i-1}) = \mathit{true} \,\}.$$

Since $K^{mpc}_i = K^{abs}_i$, also the dangling states are equivalent. It remains to prove that

$$\{\, \vec{q} \mid (\vec{q}, \vec{a}, \vec{q}\,') \in T^{\Box}_{K^{mpc}_i},\ \vec{q}\,' \in R^{mpc}_{i-1} \,\} = \{\, \vec{q} \mid (\vec{q} \xrightarrow{\vec{a}}) = t \in T^{\Box}_A,\ \varphi^{mpc}_f(t, K^{abs}_{i-1}, R^{abs}_{i-1}) = \mathit{true} \,\}.$$

This equivalence is straightforward by the definition of $\varphi^{mpc}_f$ and the inductive hypothesis.

Note that in Theorem 5.3 the predicates do not use any non-local information related to the parameter $K$. For both orchestration and choreography, two different semi-controllability conditions are used to decide whether a state has become forbidden. These conditions are translated into the corresponding forbidden predicates.

Theorem 5.4 (Abstract orchestration synthesis). The orchestration synthesis function of Definition 3.2 coincides with the instantiation of the abstract synthesis function of Definition 5.1 where, for a generic transition $t = (\vec{q}, \vec{a}, \vec{q}\,')$, predicates $\varphi_p$ and $\varphi_f$ are defined as follows:

$$\varphi^{orc}_p(t, K, R) = (t \text{ is a request}) \lor (\vec{q}\,' \in R)$$
$$\varphi^{orc}_f(t, K, R) = \nexists\, (\vec{q} \xrightarrow{\vec{a}} \vec{q}\,') \in T^{\Box}_K :\ (\vec{a} \text{ is a match}) \land (\vec{q}, \vec{q}\,' \notin \mathrm{Dangling}(K)) \land (\vec{q}_{(i)} = \vec{q}_i) \land (\vec{a}_{(i)} = \vec{a}_i = a)$$

Proof (sketch).
The proof is analogous to that of Theorem 5.3 but relying on Theorem 3.2 instead of Theorem 2.4. The full proof can be found in the appendix.

The pruning predicate of Theorem 5.4 does not use any information coming from the global automaton $K$, whereas this is no longer the case for the forbidden predicate, which indeed specifies the semi-controllability condition for the necessary transitions of an orchestration (cf. Definition 3.1).

Theorem 5.5 (Abstract choreography synthesis). The choreography synthesis function of Definition 4.4 coincides with the instantiation of the abstract synthesis function of Definition 5.1 where, for a generic transition $t = (\vec{q}, \vec{a}, \vec{q}\,')$, the predicates $\varphi_p$ and $\varphi_f$ are defined as follows, with $\hat{T}_{K,R}$ as in Definition 4.4:

$$\varphi^{cor}_p(t, K, R) = (t \text{ is a request or offer}) \lor (\vec{q}\,' \in R) \lor (t \in \hat{T}_{K,R})$$
$$\varphi^{cor}_f(t, K, R) = \nexists\, (\vec{q} \xrightarrow{\vec{a}} \vec{q}\,') \in T^{\Box}_K :\ (\vec{a} \text{ is a match}) \land (\vec{q}, \vec{q}\,' \notin \mathrm{Dangling}(K)) \land (\vec{a}_{(i)} = \vec{a}_i = a)$$

Proof (sketch).
The proof is analogous to that of Theorem 5.3 but relying on Theorem 4.4 instead of Theorem 2.4. The full proof can be found in the appendix.

Notably, in Theorem 5.5 both predicates require global information on the whole automaton. Similarly to Theorem 5.4, the forbidden predicate codifies the semi-controllability condition of Definition 4.3. Moreover, the pruning predicate removes all transitions violating the branching condition (cf. Definition 4.1).

6. A Partial Order on Controllers
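Before relating the controllers, the abstract synthesis function of Definition 5.1 in executable form, instantiated with the mpc predicates of Theorem 5.3 and run on a small constructed plant; this is an added example and not the paper's code or its CAT/FMCAT tools. It assumes a single (non-composed) automaton whose transitions carry a permitted/necessary modality plus a set of forbidden states, and takes Dangling(K) to be the states unreachable from the initial state or unable to reach a final state; the orchestration and choreography predicates need match transitions and are therefore not instantiated here. Flipping the modality of one transition shows how a necessary (uncontrollable) move into a forbidden state propagates badness backwards until the controller shrinks or becomes empty.

```python
"""Abstract synthesis f_(phi_p, phi_f) of Definition 5.1, instantiated with the
mpc predicates of Theorem 5.3.  Constructed, simplified model: one (non-composed)
automaton whose transitions carry a permitted/necessary modality, plus a set of
forbidden states.  Dangling(K) is assumed to be the usual set of states that are
unreachable from the initial state or cannot reach a final state."""
from dataclasses import dataclass, replace
from typing import Callable, FrozenSet, Optional, Set, Tuple

# (source, action, target, necessary?)
Transition = Tuple[str, str, str, bool]


@dataclass(frozen=True)
class Automaton:
    states: FrozenSet[str]
    initial: str
    finals: FrozenSet[str]
    transitions: FrozenSet[Transition]
    forbidden: FrozenSet[str] = frozenset()   # only the mpc predicates look at this

    def necessary(self) -> FrozenSet[Transition]:
        """T^box: the necessary transitions (SCT's uncontrollable ones)."""
        return frozenset(t for t in self.transitions if t[3])


def _closure(start: Set[str], step: Callable[[str], Set[str]]) -> Set[str]:
    seen, todo = set(start), list(start)
    while todo:
        for q in step(todo.pop()):
            if q not in seen:
                seen.add(q)
                todo.append(q)
    return seen


def dangling(k: Automaton) -> Set[str]:
    fwd = _closure({k.initial}, lambda q: {t[2] for t in k.transitions if t[0] == q})
    bwd = _closure(set(k.finals), lambda q: {t[0] for t in k.transitions if t[2] == q})
    return {q for q in k.states if q not in fwd or q not in bwd}


Predicate = Callable[[Transition, Automaton, Set[str]], bool]


def abstract_synthesis(a: Automaton, phi_p: Predicate, phi_f: Predicate) -> Optional[Automaton]:
    """Least fixed point of f_(phi_p, phi_f); None stands for the empty controller <>."""
    k, r = a, dangling(a)                                     # K_0 = A, R_0 = Dangling(K_0)
    while True:
        # T_{K_i} = T_{K_{i-1}} \ { t | phi_p(t, K_{i-1}, R_{i-1}) }
        k_next = replace(k, transitions=frozenset(
            t for t in k.transitions if not phi_p(t, k, r)))
        # R_i = R_{i-1} u { src(t) | t in T^box_A, phi_f(t, K_{i-1}, R_{i-1}) } u Dangling(K_i)
        r_next = r | {t[0] for t in a.necessary() if phi_f(t, k, r)} | dangling(k_next)
        if k_next.transitions == k.transitions and r_next == r:
            break                                             # (K_s, R_s) reached
        k, r = k_next, r_next
    if a.initial in r:
        return None
    good = a.states - r
    # At the fixed point every transition into R_s is already pruned; dropping the
    # ones leaving R_s just removes edges that hang off deleted states.
    return Automaton(frozenset(good), a.initial, a.finals - r,
                     frozenset(t for t in k.transitions if t[0] in good and t[2] in good),
                     a.forbidden)


# Theorem 5.3: the standard mpc synthesis as an instance of Definition 5.1.
def phi_p_mpc(t: Transition, k: Automaton, r: Set[str]) -> bool:
    return t[2] in r or t[0] in k.forbidden          # target bad, or source forbidden


def phi_f_mpc(t: Transition, k: Automaton, r: Set[str]) -> bool:
    return t[2] in r                                 # a necessary move into a bad state


def example(necessary_actions: Set[str]) -> Optional[Automaton]:
    """Constructed plant: q5 is forbidden but still reaches the final state q4, so it is
    only ruled out by the forbidden-state check, not by Dangling.  Which actions are
    necessary decides how far badness propagates back towards the initial state."""
    def tr(src: str, act: str, dst: str) -> Transition:
        return (src, act, dst, act in necessary_actions)

    plant = Automaton(
        states=frozenset({"q0", "q1", "q2", "q3", "q4", "q5"}),
        initial="q0", finals=frozenset({"q4"}), forbidden=frozenset({"q5"}),
        transitions=frozenset({
            tr("q0", "a", "q1"), tr("q0", "b", "q2"),
            tr("q1", "c", "q4"), tr("q2", "d", "q4"),
            tr("q2", "e", "q5"),          # the only way into the forbidden state
            tr("q5", "f", "q4"),
            tr("q3", "g", "q4"),          # q3 is unreachable: dangling from R_0 on
        }))
    return abstract_synthesis(plant, phi_p_mpc, phi_f_mpc)


if __name__ == "__main__":
    for necessary in (set(), {"e"}, {"e", "b"}):
        k = example(necessary)
        print(sorted(necessary), "->", None if k is None else sorted(k.states))
```

With `e` permitted the controller simply prunes `e` and keeps `q2`; with `e` necessary, `q2` itself becomes bad and `b` is pruned; with `b` necessary as well, badness reaches `q0` and the controller is empty, which is the case Proposition 6.2 lets one conclude for every greater pair of predicates without recomputing.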
In Theorem 5.3, Theorem 5.4, and Theorem 5.5, we have proved that the three previously presented synthesis algorithms are instantiations of the abstract synthesis algorithm of Definition 5.1. This abstraction provides us with the means to formally relate the various algorithms presented so far, as detailed in this section.

To begin with, we define a partial order on predicates. Intuitively, a pair $(\varphi'_p, \varphi'_f)$ is greater than another pair $(\varphi_p, \varphi_f)$ if and only if $(\varphi'_p, \varphi'_f)$ is (pairwise) entailed by $(\varphi_p, \varphi_f)$.

Definition 6.1 (Partial order on predicates). Let $A$ be an MSCA and let $\mathit{Pr}$ be the set of pairs of pruning and forbidden predicates of Definition 5.1 with $(\varphi_p, \varphi_f), (\varphi'_p, \varphi'_f) \in \mathit{Pr}$. The partial order on predicates $(\mathit{Pr}, \leq)$ is defined as:

$$(\varphi_p, \varphi_f) \leq (\varphi'_p, \varphi'_f) \text{ iff } \forall i \in \mathbb{N}.\ (\varphi_p(t, K_i, R_i) \Rightarrow (\varphi'_p(t, K'_i, R'_i) \lor t \notin K'_i)) \land (\varphi_f(t, K_i, R_i) \Rightarrow (\varphi'_f(t, K'_i, R'_i) \lor \vec{q} \in \mathrm{Dangling}(K'_i))),$$

where $t = (\vec{q}, \vec{a}, \vec{q}\,')$, and $(K_i, R_i)$ and $(K'_i, R'_i)$ are the $i$-th iterates of $f_{(\varphi_p,\varphi_f)}$ and $f_{(\varphi'_p,\varphi'_f)}$, respectively.

By Definition 5.1, we know that such predicates are used to refine an MSCA during the synthesis. Indeed, states and transitions are removed when such predicates are satisfied by them. The partial order on predicates induces an ordering on the various abstract controllers, as the following result shows.

Proposition 6.2 (Ordering controllers). Let $A$ be an MSCA and let $(\varphi_p, \varphi_f), (\varphi'_p, \varphi'_f) \in \mathit{Pr}$ be such that $(\varphi_p, \varphi_f) \leq (\varphi'_p, \varphi'_f)$. Then:

$$K^{(\varphi'_p,\varphi'_f)}_A \subseteq K^{(\varphi_p,\varphi_f)}_A$$

Proof.
By Definition 5.1, both $K^{(\varphi_p,\varphi_f)}_A$ and $K^{(\varphi'_p,\varphi'_f)}_A$ are sub-automata of $A$, and they only differ in the sets of states and transitions.

By contradiction, assume that there exists a transition $t$ in $T_{K^{(\varphi'_p,\varphi'_f)}_A} \setminus T_{K^{(\varphi_p,\varphi_f)}_A}$. By Definition 5.1, let $i$ be the iteration where $t$ is removed from $T_{K_i}$. By hypothesis, it holds that $\varphi_p(t, K_i, R_i) \Rightarrow \varphi'_p(t, K'_i, R'_i) \lor t \notin K'_i$, hence by Definition 5.1, $t$ must also have been removed from $T_{K'_i}$ or it is not present, a contradiction.

Similarly, assume that there exists a state $\vec{q}$ in $Q_{K^{(\varphi'_p,\varphi'_f)}_A} \setminus Q_{K^{(\varphi_p,\varphi_f)}_A}$. By Definition 5.1, let $i$ be the iteration where $\vec{q}$ is added to $R_i$. By hypothesis, it holds that $\varphi_f(t, K_i, R_i) \Rightarrow \varphi'_f(t, K'_i, R'_i) \lor \vec{q} \in \mathrm{Dangling}(K'_i)$, hence by Definition 5.1, $\vec{q}$ must also have been added to $R'_i$. Finally, $Q_{K^{(\varphi'_p,\varphi'_f)}_A} = Q_A \setminus R'_s$ and $R'_i \subseteq R'_s$, thus a contradiction is reached.

This result has an immediate application in performing abstraction of syntheses, in the sense that the lesser the pair of predicates, the more abstract (in refinement terms) the corresponding synthesised automaton. This can be useful to perform partial syntheses and skip unnecessary checks or even potentially undecidable computations. For example, if $K^{(\varphi_p,\varphi_f)} = \langle\rangle$ for a given pair $(\varphi_p, \varphi_f)$, then by Proposition 6.2 we know that for all $(\varphi_{p_i}, \varphi_{f_i})$ such that $(\varphi_p, \varphi_f) \leq (\varphi_{p_i}, \varphi_{f_i})$ it will hold that $K^{(\varphi_{p_i},\varphi_{f_i})} = \langle\rangle$.

While the orchestration synthesis of Definition 3.2 is enforcing agreement, the mpc synthesis of Definition 2.3 is enforcing a generic predicate modelled as forbidden states. Whenever the mpc synthesis is also enforcing agreement, as an instantiation of Proposition 6.2, we can prove that the two syntheses are related. Moreover, agreement identifies forbidden transitions as those labelled by requests. Conversely, the mpc synthesis identifies forbidden states rather than forbidden transitions. Therefore, to enable a comparison of the mpc and the orchestration synthesis, we need to (i) transform the automaton such that the predicate on forbidden transitions (i.e. agreement in this case) can be expressed by means of forbidden states and (ii) instantiate the generic predicate expressed by forbidden states. For point (i), the synthesis of the mpc is applied to the automaton $A'$ obtained from the original automaton $A$ by erasing controllable forbidden transitions. For point (ii), forbidden states are those states that are sources of uncontrollable forbidden transitions. This is what the following lemma states.

Lemma 6.3 (Orchestration vs. mpc synthesis). Given an MSCA $A$, let $A'$ be obtained from $A$ by removing all controllable request transitions and considering as forbidden the states of $A'$ with outgoing uncontrollable request transitions. Let $K^{orc}_A$ and $K^{mpc}_{A'}$ be the orchestration and mpc of Definitions 3.2 and 2.3, respectively. Then:

$$K^{mpc}_{A'} \subseteq K^{orc}_A$$

Proof.
By Theorems 5.4 and 5.3, $K^{orc}_A$ and $K^{mpc}_{A'}$ are equivalent to $K^{(\varphi^{orc}_p,\varphi^{orc}_f)}_A$ and $K^{(\varphi^{mpc}_p,\varphi^{mpc}_f)}_{A'}$, respectively. Moreover, both controllers are sub-automata of $A$, and they only differ in the sets of states and transitions.

Recall that, given $t = (\vec{q}, \vec{a}, \vec{q}\,')$,

$$\varphi^{mpc}_p(t, K^{mpc}_i, R^{mpc}_i) = (\vec{q}\,' \in R^{mpc}_i) \lor (\vec{q} \text{ is forbidden}), \qquad \varphi^{mpc}_f(t, K^{mpc}_i, R^{mpc}_i) = (\vec{q}\,' \in R^{mpc}_i)$$

and

$$\varphi^{orc}_p(t, K^{orc}_i, R^{orc}_i) = (t \text{ is a request}) \lor (\vec{q}\,' \in R^{orc}_i),$$
$$\varphi^{orc}_f(t, K^{orc}_i, R^{orc}_i) = \nexists\, (\vec{q} \xrightarrow{\vec{a}} \vec{q}\,') \in T^{\Box}_{K^{orc}_i} :\ (\vec{a} \text{ is a match}) \land (\vec{q}, \vec{q}\,' \notin \mathrm{Dangling}(K^{orc}_i)) \land (\vec{q}_{(i)} = \vec{q}_i) \land (\vec{a}_{(i)} = \vec{a}_i = a).$$

We proceed by induction on $i$. For the base case, it holds that $K_{A',0} \subseteq K_0$ and $\mathrm{Dangling}(K_0) \subseteq \mathrm{Dangling}(K_{A',0})$. By hypothesis, $\varphi^{orc}_p(t, K^{orc}_0, R^{orc}_0)$ is true. Then either $t$ is a request or $\vec{q}\,' \in \mathrm{Dangling}(K_0)$. If $t$ is a request, then $t$ has already been pruned. Otherwise, $\vec{q}\,' \in \mathrm{Dangling}(K_0)$ (or both), and so it is in $\mathrm{Dangling}(K_{A',0})$ and the pruning predicate of the mpc is satisfied. Similarly, by hypothesis $\varphi^{orc}_f(t, K^{orc}_0, R^{orc}_0)$ is true. Since no transitions have been pruned in $K_0$, it must be the case that the source state of $t$ is in $\mathrm{Dangling}(K_0)$, and so it is in $\mathrm{Dangling}(K_{A',0})$.

For the inductive step, the implication on the pruning predicate is satisfied by noticing that $R^{orc}_{i-1} \subseteq R^{mpc}_{i-1}$. The implication on the forbidden predicate is satisfied because trivially $t \notin T^{\Box}_{K^{orc}_i}$, and hence $t \notin T^{\Box}_{K^{mpc}_i}$, and this is because either the target is dangling or the source is forbidden.
In both cases the forbidden predicate of the mpc is satisfied.

Thus, for example, given an MSCA $A$, from $K^{orc}_A = \langle\rangle$ we can conclude that $K^{mpc}_A = \langle\rangle$ by Lemma 6.3, without actually computing it.

Example 6.4. Concluding the running example, one can observe that the mpc of $A$ is a sub-automaton (formed of only the initial and final state) of the orchestration of $A$.

7. Related Work
Our contributions to bridging the gap between SCT and coordination of services concern adaptations of the classical synthesis algorithm from SCT in order to synthesise orchestrations and choreographies of service contracts formalised as MSCA. In the literature, there exist many formalisms for modelling and analysing (service) contracts, ranging from behavioural type systems, including behavioural contracts [21, 1, 36] and session types [17, 32, 27, 20, 40], to automata-based formalisms, including interface automata [26] and (timed) (I/O) automata [39, 2, 25]. Foundational models for service contracts and session types are surveyed in [44, 7, 33].

The MSCA formalism used in this paper differs fundamentally from these models, which typically study notions of contract compliance involving only two parties, since MSCA primitively support multi-party compliance of contracts that compete on offering or requesting the same service. Furthermore, the above models do not consider modalities of services, whereas MSCA provide primitive support for permitted and necessary service actions, which resulted in the introduction of a novel notion of semi-controllability in the context of SCT. Modal Transition Systems (MTS) and their extensions [35], as adopted for instance in Software Product Line Engineering (SPLE [42, 3]), like modal I/O automata [38] and MTS with variability constraints [47], do natively distinguish may and must modalities, but the other differences remain. In particular, they cannot explicitly handle dynamic composition by allowing new services that join composite services to intercept already matched actions. We are only aware of two other applications of SCT to MTS.
In [24], there is no direct relation between may/must and controllable/uncontrollable, and the modal automaton (i.e. MTS with final states) is seen as a predicate that is satisfied if the plant automaton (i.e. the system to be refined against the predicate) is a sort of alternate refinement of the predicate. Similarly, in [28], the control objective (i.e. the predicate) is a modal automaton, non-blockingness is not considered, and another modal automaton describes which actions are controllable and which are uncontrollable in the plant automaton. In this paper, the predicate is an invariant (i.e. forbidden states and forbidden transitions are given), the modal automaton (i.e. MSCA) is the plant, and a necessary transition induces different notions of controllability according to the adopted coordination paradigm.

SCT was first applied to SPLE in [48] by showing how the CIF 3 toolset [50] can automatically synthesise a single (global, family) model representing an automaton for each of the valid products of a product line from (i) a feature constraint with attributes (e.g. cost), (ii) behavioural component models associated with the features, and (iii) additional behavioural requirements like state invariants, action orderings, and guards on actions (reminiscent of the Featured Transition Systems of [22]). The resulting CIF 3 model satisfies all feature-related constraints as well as all given behavioural requirements. Since CIF 3 allows the export of such models in a format accepted by the mCRL2 model checker [23], the latter can be used to verify arbitrary behavioural properties expressed in the modal $\mu$-calculus with data or its feature-oriented variant of [46]. An important advantage is that both CIF 3 and mCRL2 can be used off-the-shelf, meaning that no additional tools are required. Differently from our approach, all actions are controllable and orchestration is not considered. In [9], the prototypical tool CAT supporting orchestration synthesis for CA is presented.

The only approach by others to bridge the gap between SCT and coordination of services that we are aware of is that of [5], where services are formalised as so-called Service Labelled Transition Systems (SLTS), which are a kind of guarded automata with data. To this aim, SCT is adapted to deal with conditions and variables as well as with a means to enforce services based on runtime information. However, service composition through SLTS is based on the standard synchronous product, whilst the contract composition expresses competing contracts. More importantly, in [5], input actions are considered uncontrollable whereas output actions are controllable, in the standard view of a service interacting with the environment. Our contribution induces novel notions of controllability to express necessary requirements that are semi-controllable. The standard controller synthesis algorithm is used in [30] to synthesise adapters between services. These adapters act like proxies and are used to enforce properties such as deadlock-freedom. Compared to our work, the interactions between services are driven by their contracts rather than by adapters. The standard controller synthesis algorithm cannot be applied to synthesise a correct composition of contracts.

We conclude this section by describing two recent extensions of MSCA, developed for different purposes, and for which we also defined adapted synthesis algorithms. In [12], we presented Featured Modal Contract Automata (FMCA). Technically, we extended MSCA with a variability mechanism concerning structural constraints that operate on the service contract, used to define different configurations. This reflects the fact that services are typically reused in configurations that vary over time and need to dynamically adapt to changing environments [51]. Configurations were characterised by which service actions are mandatory and which forbidden. The valid configurations were defined as those respecting all structural constraints. We followed the well-established paradigm of SPLE, which aims at efficiently managing a product line (family) of highly (re)configurable systems to allow for mass customisation [42, 3]. To compactly represent a product line, i.e. the set of valid product configurations, we used a so-called feature constraint, a propositional formula $\varphi$ whose atoms are features [15], and we identified features as service actions (offers as well as requests). A valid product then distinguishes a set of mandatory and a set of forbidden actions. Consequently, we defined an algorithm to compute the FMCA $K^{p}_A$ as the mpc for a valid product $p$ of an FMCA $A$.
The main adaptation of the synthesis algorithm for MSCA was to consider as bad states also those that cannot prevent a forbidden action from eventually being executed, and to discard the transitions labelled with actions forbidden by $p$. Moreover, if some action that is mandatory in $p$ is unavailable in the automaton that results from the fixed point iteration, then the mpc is empty. In [12], we also presented an evaluation of FMCA with the prototypical tool FMCAT. Building on CAT [9], FMCAT can synthesise the orchestration of an FMCA in terms of its mpc. The results clearly show the gain in expressiveness due to the notion of semi-controllability, as well as the reduction of the number of configurations needed to compute the orchestration due to the introduction of a partial order of products of FMCA. This inspired us to consider semi-controllability also in MSCA and to develop a partial order of controllers for MSCA in this paper.

In [13], we presented Timed Service Contract Automata (TSCA) as an extension of the FMCA from [12] with real-time constraints. Formally, a configuration of a TSCA is a triple consisting of a recognised trace, a state, and a valuation of clocks. The (finite) behaviours recognised by a TSCA are traces of alternating time and discrete transitions, i.e. in a given configuration either time progresses (a silent action in the languages recognised by TSCA) or a discrete step to a new configuration is performed. Consequently, we defined an algorithm to compute the orchestration synthesis of TSCA. To respect the timing constraints, we used the notion of zones from timed games [4, 19]. The resulting synthesis algorithm resembles a timed game, but it differs from classical timed game algorithms [4, 19, 25] by combining two separate games, viz. reachability games (to ensure that marked states must be reachable) and safety games (to ensure that forbidden states are never traversed). A TSCA might be such that all bad configurations are unreachable (i.e. it is safe), while at the same time no final configuration is reachable (i.e. the resulting orchestration is empty).

8. Conclusion
This paper presents our recent efforts, originally published in [14], concerning bridging the gap between the most permissive controller synthesis from Supervisory Control Theory and synthesis algorithms of orchestrations and choreographies for a formal model of service contracts called Modal Service Contract Automata. This includes a novel algorithm capable of synthesising a safe non-blocking composition of service contracts that is directly translatable into a choreographed formalism. A further contribution is an abstract synthesis algorithm that generalises the synthesis of the choreography, as well as that of the orchestration and that of the most permissive controller. This paper includes the proofs of all statements from [14]. Furthermore, it contains a formal demonstration that the different synthesis algorithms are related through a notion of refinement, which allows us to formally prove that, under mild assumptions, the orchestration synthesis is an abstraction of the mpc synthesis. Finally, the paper includes an extensive running example from the service domain that illustrates our contributions.

The properties to be enforced in the algorithms presented in this paper are all invariants specified through either forbidden states or forbidden transitions. Future work is needed to investigate the abstract syntheses under other non-invariant properties. Another avenue for future research is to investigate the different features of micro-services with respect to services, and to study what is needed to adapt the formalism of (timed/modal service) contract automata and our results to deal with micro-services.
Acknowledgments
We acknowledge useful comments from the reviewers and funding from the MIUR PRIN2017FTXR7S project IT MaTTerS (Methods and Tools for Trustworthy Smart Systems).
References

[1] L. Acciai, M. Boreale, and G. Zavattaro. Behavioural contracts with request-response operations. Sci. Comp. Program., 78(2):248–267, 2013. doi:10.1016/j.scico.2011.10.007.
[2] R. Alur and D. Dill. A Theory of Timed Automata. Theoret. Comp. Sci., 126(2):183–235, 1994. doi:10.1016/0304-3975(94)90010-8.
[3] S. Apel, D. S. Batory, C. Kästner, and G. Saake. Feature-Oriented Software Product Lines: Concepts and Implementation. Springer, 2013. doi:10.1007/978-3-642-37521-7.
[4] E. Asarin, O. Maler, A. Pnueli, and J. Sifakis. Controller Synthesis for Timed Automata. IFAC Proc. Vol., 31(18):447–452, 1998. doi:10.1016/S1474-6670(17)42032-5.
[5] F. Atampore, J. Dingel, and K. Rudie. Automated Service Composition Via Supervisory Control Theory. In WODES, pages 28–35. IEEE, 2016. doi:10.1109/WODES.2016.7497822.
[6] S. Azzopardi, G. J. Pace, F. Schapachnik, and G. Schneider. Contract automata: An operational view of contracts between interactive parties. Artif. Intell. Law, 24(3):203–243, 2016. doi:10.1007/s10506-016-9185-2.
[7] M. Bartoletti, T. Cimoli, and R. Zunino. Compliance in Behavioural Contracts: A Brief Survey. In Programming Languages with Applications to Biology and Security, volume 9465 of LNCS, pages 103–121. Springer, 2015. doi:10.1007/978-3-319-25527-9_9.
[8] D. Basile, P. Degano, and G. L. Ferrari. Automata for Specifying and Orchestrating Service Contracts. Log. Meth. Comp. Sci., 12(4:6):1–51, 2016. doi:10.2168/LMCS-12(4:6)2016.
[9] D. Basile, P. Degano, G. L. Ferrari, and E. Tuosto. Playing with Our CAT and Communication-Centric Applications. In FORTE, volume 9688 of LNCS, pages 62–73. Springer, 2016. doi:10.1007/978-3-319-39570-8_5.
[10] D. Basile, P. Degano, G. L. Ferrari, and E. Tuosto. Relating two automata-based models of orchestration and choreography. J. Log. Algebr. Meth. Program., 85(3):425–446, 2016. doi:10.1016/j.jlamp.2015.09.011.
[11] D. Basile, F. Di Giandomenico, S. Gnesi, P. Degano, and G. L. Ferrari. Specifying Variability in Service Contracts. In VaMoS, pages 20–27. ACM, 2017. doi:10.1145/3023956.3023965.
[12] D. Basile, M. H. ter Beek, P. Degano, A. Legay, G. L. Ferrari, S. Gnesi, and F. Di Giandomenico. Controller synthesis of service contracts with variability. Science of Computer Programming, 187, 2020. doi:10.1016/j.scico.2019.102344.
[13] D. Basile, M. H. ter Beek, and A. Legay. Timed service contract automata. Innovations Syst. Softw. Eng., 2020. doi:10.1007/s11334-019-00353-3.
[14] D. Basile, M. H. ter Beek, and R. Pugliese. Bridging the Gap Between Supervisory Control and Coordination of Services: Synthesis of Orchestrations and Choreographies. In COORDINATION, volume 11533 of LNCS, pages 129–147. Springer, 2019. doi:10.1007/978-3-030-22397-7_8.
[15] D. S. Batory. Feature Models, Grammars, and Propositional Formulas. In SPLC, volume 3714 of LNCS, pages 7–20. Springer, 2005. doi:10.1007/11554844_3.
[16] A. Bouguettaya, M. Singh, M. Huhns, Q. Z. Sheng, H. Dong, Q. Yu, A. G. Neiat, S. Mistry, B. Benatallah, B. Medjahed, M. Ouzzani, F. Casati, X. Liu, H. Wang, D. Georgakopoulos, L. Chen, S. Nepal, Z. Malik, A. Erradi, Y. Wang, B. Blake, S. Dustdar, F. Leymann, and M. Papazoglou. A Service Computing Manifesto: The Next 10 Years. Commun. ACM, 60(4):64–72, 2017. doi:10.1145/2983528.
[17] R. Bruni, I. Lanese, H. C. Melgratti, and E. Tuosto. Multiparty Sessions in SOC. In COORDINATION, volume 5052 of LNCS, pages 67–82. Springer, 2008. doi:10.1007/978-3-540-68265-3_5.
[18] C. G. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Springer, 2006. doi:10.1007/978-0-387-68612-7.
[19] F. Cassez, A. David, E. Fleury, K. G. Larsen, and D. Lime. Efficient On-the-Fly Algorithms for the Analysis of Timed Games. In CONCUR, volume 3653 of LNCS, pages 66–80. Springer, 2005. doi:10.1007/11539452_9.
[20] G. Castagna, M. Dezani-Ciancaglini, and L. Padovani. On Global Types and Multi-Party Sessions. Log. Meth. Comp. Sci., 8(1:24):1–45, 2012. doi:10.2168/LMCS-8(1:24)2012.
[21] G. Castagna, N. Gesbert, and L. Padovani. A Theory of Contracts for Web Services. ACM Trans. Program. Lang. Syst., 31(5):19:1–19:61, 2009. doi:10.1145/1538917.1538920.
[22] A. Classen, M. Cordy, P.-Y. Schobbens, P. Heymans, A. Legay, and J.-F. Raskin. Featured Transition Systems: Foundations for Verifying Variability-Intensive Systems and Their Application to LTL Model Checking. IEEE Trans. Softw. Eng., 39(8):1069–1089, 2013. doi:10.1109/TSE.2012.86.
[23] S. Cranen, J. F. Groote, J. J. A. Keiren, F. P. M. Stappers, E. P. de Vink, W. Wesselink, and T. A. C. Willemse. An Overview of the mCRL2 Toolset and Its Recent Advances. In TACAS, volume 7795 of LNCS, pages 199–213. Springer, 2013. doi:10.1007/978-3-642-36742-7_15.
[24] P. Darondeau, J. Dubreil, and H. Marchand. Supervisory Control for Modal Specifications of Services. IFAC Proc. Vol., 43(12):418–425, 2010. doi:10.3182/20100830-3-DE-4013.00069.
[25] A. David, K. G. Larsen, A. Legay, U. Nyman, and A. Wąsowski. Timed I/O Automata: A Complete Specification Theory for Real-time Systems. In HSCC, pages 91–100. ACM, 2010. doi:10.1145/1755952.1755967.
[26] L. de Alfaro and T. Henzinger. Interface Automata. In ESEC/FSE, pages 109–120. ACM, 2001. doi:10.1145/503209.503226.
[27] M. Dezani-Ciancaglini and U. de'Liguoro. Sessions and Session Types: An Overview. In WS-FM, volume 6194 of LNCS, pages 1–28. Springer, 2010. doi:10.1007/978-3-642-14458-5_1.
[28] G. Feuillade and S. Pinchinat. Modal Specifications for the Control Theory of Discrete Event Systems. Discrete Event Dyn. Syst., 17(2):211–232, 2007. doi:10.1007/s10626-006-0008-6.
[29] S. T. J. Forschelen, J. M. van de Mortel-Fronczak, R. Su, and J. E. Rooda. Application of supervisory control theory to theme park vehicles. Discrete Event Dyn. Syst., 22(4):511–540, 2012. doi:10.1007/s10626-012-0130-6.
[30] C. Gierds, A. J. Mooij, and K. Wolf. Reducing Adapter Synthesis to Controller Synthesis. IEEE Trans. Services Computing, 5(1):72–85, 2012. doi:10.1109/TSC.2010.57.
[31] P. Gohari and W. M. Wonham. On the complexity of supervisory control design in the RW framework. IEEE Trans. Syst., Man, Cybern. B, Cybern., 30(5):643–652, 2000. doi:10.1109/3477.875441.
[32] K. Honda, N. Yoshida, and M. Carbone. Multiparty Asynchronous Session Types. In POPL, pages 273–284. ACM, 2008. doi:10.1145/1328438.1328472.
[33] H. Hüttel, I. Lanese, V. T. Vasconcelos, L. Caires, M. Carbone, P.-M. Deniélou, D. Mostrous, L. Padovani, A. Ravara, E. Tuosto, H. Torres Vieira, and G. Zavattaro. Foundations of Session Types and Behavioural Contracts. ACM Comput. Surv., 49(1):3:1–3:36, 2016. doi:10.1145/2873052.
[34] N. Kavantzas, D. Burdett, G. Ritzinger, T. Fletcher, Y. Lafon, and C. Barreto. Web Services Choreography Description Language v1.0, 2005.
[35] J. Křetínský. 30 Years of Modal Transition Systems: Survey of Extensions and Analysis. In Models, Algorithms, Logics and Tools, volume 10460 of LNCS, pages 36–74. Springer, 2017. doi:10.1007/978-3-319-63121-9_3.
[36] C. Laneve and L. Padovani. An algebraic theory for web service contracts. Form. Asp. Comp., 27(4):613–640, 2015. doi:10.1007/s00165-015-0334-2.
[37] J. Lange, E. Tuosto, and N. Yoshida. From Communicating Machines to Graphical Choreographies. In POPL, pages 221–232. ACM, 2015. doi:10.1145/2676726.2676964.
[38] K. G. Larsen, U. Nyman, and A. Wąsowski. Modal I/O Automata for Interface and Product Line Theories. In ESOP, volume 4421 of LNCS, pages 64–79. Springer, 2007. doi:10.1007/978-3-540-71316-6_6.
[39] N. Lynch and M. Tuttle. An Introduction to Input/Output Automata. CWI Q., 2:219–246, 1989. URL: https://ir.cwi.nl/pub/18164/18164A.pdf.
[40] J. Michaux, E. Najm, and A. Fantechi. Session types for safe Web service orchestration. J. Log. Algebr. Program., 82(8):282–310, 2013. doi:10.1016/j.jlap.2013.05.004.
[41] C. Peltz. Web Services Orchestration and Choreography. IEEE Comp., 36(10):46–52, 2003. doi:10.1109/MC.2003.1236471.
[42] K. Pohl, G. Böckle, and F. J. van der Linden. Software Product Line Engineering: Foundations, Principles, and Techniques. Springer, 2005. doi:10.1007/3-540-28901-1.
[43] P. J. Ramadge and W. M. Wonham. Supervisory control of a class of discrete event processes. SIAM J. Control Optim., 25(1):206–230, 1987. doi:10.1137/0325013.
[44] M. H. ter Beek, A. Bucchiarone, and S. Gnesi. Web Service Composition Approaches: From Industrial Standards to Formal Methods. In ICIW. IEEE, 2007. doi:10.1109/ICIW.2007.71.
[45] M. H. ter Beek, J. Carmona, R. Hennicker, and J. Kleijn. Communication Requirements for Team Automata. In COORDINATION, volume 10319 of LNCS, pages 256–277. Springer, 2017. doi:10.1007/978-3-319-59746-1_14.
[46] M. H. ter Beek, E. P. de Vink, and T. A. C. Willemse. Family-Based Model Checking with mCRL2. In FASE, volume 10202 of LNCS, pages 387–405. Springer, 2017. doi:10.1007/978-3-662-54494-5_23.
[47] M. H. ter Beek, A. Fantechi, S. Gnesi, and F. Mazzanti. Modelling and analysing variability in product families: Model checking of modal transition systems with variability constraints. J. Log. Algebr. Meth. Program., 85(2):287–315, 2016. doi:10.1016/j.jlamp.2015.11.006.
[48] M. H. ter Beek, M. A. Reniers, and E. P. de Vink. Supervisory Controller Synthesis for Product Lines Using CIF 3. In
ISoLA , volume 9952 of
LNCS , pages 856–873. Springer, 2016. doi:10.1007/978-3-319-47166-2_59 .[49] R. J. M. Theunissen, D. A. van Beek, and J. E. Rooda. Improving evolvability of a patient communicationcontrol system using state-based supervisory control synthesis.
Adv. Eng. Inform. , 26(3):502–515, 2012. doi:10.1016/j.aei.2012.02.009 .[50] D. A. van Beek, W. J. Fokkink, D. Hendriks, A. Hofkamp, J. Markovski, J. M. van de Mortel-Fronczak,and M. A. Reniers. CIF 3: Model-Based Engineering of Supervisory Controllers. In
TACAS , volume8413 of
LNCS , pages 575–580. Springer, 2014. doi:10.1007/978-3-642-54862-8_48 .[51] Q. Yi, X. Liu, A. Bouguettaya, and B. Medjahed. Deploying and managing Web services: issues, solutions,and directions.
VLDB J. , 17(3):735–572, 2008. doi:10.1007/s00778-006-0020-3 . Appendix A. Proofs
We provide the full proofs of Theorem 5.4 and Theorem 5.5, which were only sketched in Section 5.
Theorem 5.4 (Abstract orchestration synthesis). The orchestration synthesis function of Definition 3.2 coincides with the instantiation of the abstract synthesis function of Definition 5.1 where, for a generic transition $t = (\vec q, \vec a, \vec q\,')$, the predicates $\varphi_p$ and $\varphi_f$ are defined as follows:

$$\varphi^{orc}_p(t, K, R) = (t \text{ is a request}) \vee (\vec q\,' \in R)$$

$$\varphi^{orc}_f(t, K, R) = \nexists\, (\vec q \xrightarrow{\vec a} \vec q\,') \in T^{\square}_K :\ (\vec a \text{ is a match}) \wedge (\vec q, \vec q\,' \notin Dangling(K)) \wedge (\vec q(i) = \vec q_i) \wedge (\vec a(i) = \vec a_i = a)$$

Proof. The proof is analogous to that of Theorem 5.3 but relies on Theorem 3.2 instead of Theorem 2.4. The full proof follows.

Let $K^{orc}_A$ and $K^{abs}_A$ be the controllers computed through Theorems 3.2 and 5.2, respectively. The proof proceeds by induction on the fixed point iterations and by case analysis.

For the base case, by definition $K^{orc}_0 = K^{abs}_0 = A$ and $R^{abs}_0 = R^{orc}_0 = Dangling(K_0)$.

For the inductive case, let $i$ be a fixed point iteration. Assuming $K^{orc}_{i-1} = K^{abs}_{i-1}$ and $R^{orc}_{i-1} = R^{abs}_{i-1}$, we prove $K^{orc}_i = K^{abs}_i$ and $R^{orc}_i = R^{abs}_i$.

The equivalence $K^{orc}_i = K^{abs}_i$ follows because at the $i$-th iteration $\varphi^{orc}_p$ detects exactly the same transitions that are pruned by the orchestration synthesis algorithm.

For the equivalence $R^{orc}_i = R^{abs}_i$, we have

$$R^{orc}_i = R^{orc}_{i-1} \cup \{\vec q \mid (\vec q \to) \in T^{\square}_A \text{ is uncontrollable in } K^{orc}_i\} \cup Dangling(K^{orc}_i),$$

and

$$R^{abs}_i = R^{abs}_{i-1} \cup Dangling(K^{abs}_i) \cup \{\vec q \mid (\vec q \xrightarrow{a}) = t \in T^{\square}_A,\ \varphi^{orc}_f(t, K^{abs}_{i-1}, R^{abs}_{i-1}) = true\}.$$

Since $K^{orc}_i = K^{abs}_i$, also the dangling states are equivalent. It remains to prove that

$$\{\vec q \mid (\vec q \to) \in T^{\square}_A \text{ is uncontrollable in } K^{orc}_i\} = \{\vec q \mid (\vec q \to) = t \in T^{\square}_A,\ \varphi^{orc}_f(t, K^{abs}_{i-1}, R^{abs}_{i-1}) = true\}.$$

This equivalence is straightforward by the definition of $\varphi^{orc}_f$, Definition 3.1, and the inductive hypothesis. $\square$

Theorem 5.5 (Abstract choreography synthesis).
The choreography synthesis function of Definition 4.4 coincides with the instantiation of the abstract synthesis function of Definition 5.1 where, given a generic transition $t = (\vec q, \vec a, \vec q\,')$, the predicates $\varphi_p$ and $\varphi_f$ are defined as follows, with $\hat T_{K,R}$ as defined in Definition 4.4:

$$\varphi^{cor}_p(t, K, R) = (t \text{ is a request or offer}) \vee (\vec q\,' \in R) \vee (t \in \hat T_{K,R})$$

$$\varphi^{cor}_f(t, K, R) = \nexists\, (\vec q \xrightarrow{\vec a} \vec q\,') \in T^{\square}_K :\ (\vec a \text{ is a match}) \wedge (\vec q, \vec q\,' \notin Dangling(K)) \wedge (\vec a(i) = \vec a_i = a)$$

Proof. The proof is analogous to that of Theorem 5.3 but relies on Theorem 4.4 instead of Theorem 2.4. The full proof follows.

Let $K^{cor}_A$ and $K^{abs}_A$ be the controllers computed through Theorems 4.4 and 5.2, respectively. The proof proceeds by induction on the fixed point iterations and by case analysis.

For the base case, by definition $K^{cor}_0 = K^{abs}_0 = A$ and $R^{abs}_0 = R^{cor}_0 = Dangling(K_0)$.

For the inductive case, let $i$ be a fixed point iteration. Assuming $K^{cor}_{i-1} = K^{abs}_{i-1}$ and $R^{cor}_{i-1} = R^{abs}_{i-1}$, we prove $K^{cor}_i = K^{abs}_i$ and $R^{cor}_i = R^{abs}_i$.

The equivalence $K^{cor}_i = K^{abs}_i$ follows because at the $i$-th iteration $\varphi^{cor}_p$ detects exactly the same transitions that are pruned by the choreography synthesis algorithm (and takes the same non-deterministic choices).

For the equivalence $R^{cor}_i = R^{abs}_i$, we have

$$R^{cor}_i = R^{cor}_{i-1} \cup \{\vec q \mid (\vec q \to) \in T^{\square}_A \text{ is uncontrollable in } K^{cor}_i\} \cup Dangling(K^{cor}_i),$$

and

$$R^{abs}_i = R^{abs}_{i-1} \cup Dangling(K^{abs}_i) \cup \{\vec q \mid (\vec q \xrightarrow{a}) = t \in T^{\square}_A,\ \varphi^{cor}_f(t, K^{abs}_{i-1}, R^{abs}_{i-1}) = true\}.$$

Since $K^{cor}_i = K^{abs}_i$, also the dangling states are equivalent. It remains to prove that

$$\{\vec q \mid (\vec q \to) \in T^{\square}_A \text{ is uncontrollable in } K^{cor}_i\} = \{\vec q \mid (\vec q \to) = t \in T^{\square}_A,\ \varphi^{cor}_f(t, K^{abs}_{i-1}, R^{abs}_{i-1}) = true\}.$$

This equivalence is straightforward by the definition of $\varphi^{cor}_f$, Definition 4.3, and the inductive hypothesis. $\square$

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit https://creativecommons.org/licenses/by/4.0/