main - cs.unibo.itlanese/publications/fulltext/ioc.pdf · Title: main.dvi Created Date: 12/19/2012 10:04:16 AM

Classifying Relationships between Interaction- and Process-Oriented Choreographies†

IVAN LANESE1, FABRIZIO MONTESI2 and GIANLUIGI ZAVATTARO1

1 Focus Research Team, Computer Science Department, University of Bologna/INRIA – Italy.
2 IT University of Copenhagen – Denmark.

In the area of service-oriented computing, choreography languages are used to specify multiparty service compositions. Two main approaches have been followed in the design of these languages: the interaction-oriented approach at the basis of WS-CDL and the process-oriented approach of BPEL4Chor. In this paper we investigate the relationships between the two approaches. In particular, we point out several possible interpretations for interaction-oriented choreographies: one synchronous and various asynchronous, differing in the kind of observable event (either send, or receive, or both). Under each of these possible interpretations we characterize the class of interaction-oriented choreographies which have a direct process-oriented counterpart, and we formalize the corresponding notion of equivalence between the initial interaction-oriented choreography and the corresponding process-oriented counterpart. We also show how to amend interaction-oriented choreographies which have no direct process-oriented counterpart, preserving their observable behavior.

1. Introduction

Choreography languages are an attempt at tackling the complexity of communication-based software design. The basic idea is that the programmer defines the composition of the independent entities of a system in a global description, where the different peers exchange messages with each other in order to complete a predefined task. The paradigm is particularly suitable for the programming of multiparty communication flows, i.e., interaction patterns that (possibly) comprehend more than two entities.

Choreography languages are attracting a lot of attention within the Service-Oriented Computing (SOC) community, where two main distinct approaches are currently being followed in the search for standard languages. On the one hand, the World Wide Web Consortium (W3C) has developed the Web Services Choreography Description Language WS-CDL (WS-CDL, 2005). On the other hand, the research community around the Web Services Business Process Execution Language WS-BPEL (WS-BPEL, 2007) has proposed BPEL4Chor (Decker et al., 2007), an extension of WS-BPEL for the description of choreographies. The two approaches are fundamentally different in how they represent communications. In WS-CDL the basic activity in a choreography is an interaction, that is, the atomic exchange of a message between two communicating partners, similarly to interaction diagrams in UML. Interactions are then composed in a single description that represents the whole system. For this reason, we say that WS-CDL follows an interaction-oriented approach. On the contrary, in BPEL4Chor each entity of a system is represented by a separate description, i.e. a business process specified using an abstract version of BPEL. In these processes, the basic activities are the classical send and receive actions for message transmission. A choreography is then obtained as the parallel composition of the independently specified business processes. For this reason, we say that BPEL4Chor follows a process-oriented approach. In the sequel, we respectively refer to choreographies based on the interaction- and process-oriented approaches with the terms IOC (for Interaction-Oriented Choreography) and POC (for Process-Oriented Choreography).

† Research partially funded by the project ANR-10-SEGI-013-02 Aeolus.

We clarify the difference between IOCs and POCs with a simple example. Let us model a system where a buyer $b$ can ask a seller $s$ for a quotation for a product. This can be described by the following IOC

$$ask_{b\to s};\ quote_{s\to b}$$

where $b$ sends a message to $s$ on operation† ask and, subsequently, $s$ sends a message to $b$ on operation quote. The following is a POC representing the same system:

$$(\overline{ask};\ quote)_b \parallel (ask;\ \overline{quote})_s$$

where $b$ sends a message on operation ask and then waits for a message on operation quote, and $s$ waits for a message on operation ask and then sends a message on operation quote. The two choreographies can be considered equivalent, since the communications in their executions coincide.

† In service-oriented computing, operations are labels used to distinguish the kinds of transmitted messages.

The interaction- and process-oriented solutions come with different advantages. An IOC offers a clearer global description of the communication flows in a system, since interactions are syntactically explicit. This clarity is lost in the second approach, where the order of interactions must be derived by analyzing the possible matches between the input and output actions of the different peers. However, the gap between a POC and a corresponding system implementation is smaller. Given the abstract description of the behavior of a specific entity, it is easier to check whether an actual component complies with such a description, or in some cases the abstract description could be enriched with additional information in order to make it directly executable (as happens, for instance, in the relationship between WS-BPEL and its abstract version). In other words, an IOC is more suitable for the specification of the communication flows in a system, while a POC is a good tool for checking (or generating) the local code for each entity.

The separation of the positive aspects offered by IOCs and POCs leads naturally to the question of whether they can be successfully combined. This question is at the base of recent work (Carbone et al., 2007; Bravetti and Zavattaro, 2007; Zongyan et al., 2007; Bultan and Fu, 2007; Honda et al., 2008; Castagna et al., 2011). There, a programmer can design a system using an IOC and then automatically generate a corresponding POC by means of a projection function. An IOC may not be coherent, meaning that it cannot be projected correctly onto an equivalent POC. Consider, for instance, the following IOC

$$o_{a\to b};\ o'_{c\to d}$$

whose naturally corresponding POC is‡:

$$(\overline{o})_a \parallel (o)_b \parallel (\overline{o'})_c \parallel (o')_d$$

It is not difficult to see that the two choreographies above could give rise to different behaviors: in the POC, the communication between $c$ and $d$ could happen before the interaction between $a$ and $b$. In other words, the two choreographies are not conformant. This problem arises because the two interactions are not connected, i.e., there is no dependency between them enforced by any of the participants. Based on this intuition, in this work we will use connectedness as a formalization of coherence for IOCs.

‡ Actually, the projection is slightly more complex, but has the same behavior.

IOCs that are not connected are obviously undesirable, and can be automatically identified through a static analysis. The exact definition of connectedness of an IOC, however, is influenced by two factors: the underlying communication semantics of reference and the conformance (or type of equivalence) of interest between IOCs and POCs. For this reason, different definitions of conformance and connectedness are given in each of the works cited above. Unfortunately, the literature does not offer a systematic analysis of the different alternatives. This work offers such a comparison. Our first step is to identify a set of different communication semantics (synchronous or asynchronous) and conformance notions (based on message send, receive, or both). Then, we proceed by developing a notion of coherence for all the possible configurations. For each such configuration we obtain the following: (i) the precise characterization of the IOCs which have a direct POC counterpart and (ii) the formalization of the corresponding notion of conformance between the initial IOC and the corresponding POC.

A major contribution of the present paper is the identification of a relationship between these different configurations. This relationship has driven the development of their notions of coherence, which share a common structure. Furthermore, each one of them is built on top of the previous ones.

We also show, given a disconnected IOC, how to amend it by transforming it into a connected IOC with equivalent behavior. Exploiting our relationship between the settings of interest, we are able to give a single transformation definition that ensures that the resulting IOC is connected for every setting. This enables a design procedure where the programmer writes a very high-level description of a system through a possibly disconnected IOC, as the one shown above, describing only the desired order of the interactions and abstracting completely from how this order will be enforced. Then, our framework transforms it into an equivalent connected IOC, applying all the necessary modifications for making the description given by the programmer implementable. Finally, a corresponding POC counterpart can be obtained through our notion of projection.

Structure of the paper§ Section 2 introduces syntax and semantics for IOC and POC. Section 3 presents the projection from IOC to POC and discusses informally the different settings we consider. The various configurations in the synchronous and asynchronous cases are formalized respectively in Section 4 and Section 5. Section 6 shows how to amend IOCs which have no direct POC counterpart. Section 7 discusses possible extensions of the work. Section 8 reports a practical interpretation of our different settings, showing some examples of their usage. Section 9 compares with related work and concludes.

§ The paper is an extended and revised version of (Lanese et al., 2008). In particular, Section 6 and Section 8 are completely new.

2. Calculi

In this section we define two basic choreography languages, an Interaction-Oriented Choreography (IOC) language and a Process-Oriented Choreography (POC) language. Both languages are used for modeling choreographies, thus they share a few basic elements. In fact, we consider for both the same two sets of names: the set of participants in the choreography, called roles, ranged over by $a, b, r, \ldots$, and the set of operations that can be used for sending and receiving. We consider two kinds of such operations: public operations, ranged over by $o$, which represent observable activities of the system, and private operations, ranged over by $o^*$, which are used for internal synchronization. We use $o^?$ to range over both public and private operations.

2.1. Interaction-Oriented Choreography

This subsection describes the syntax and the operational semantics of IOCs. IOCs, ranged over by $I, I', \ldots$, are defined as follows:

$$I ::= o^?_{a\to b} \ \mid\ 1 \ \mid\ 0 \ \mid\ I; I' \ \mid\ I \parallel I' \ \mid\ I + I'$$

The basic construct is the interaction between two distinct roles $a$ and $b$ on operation $o^?$, denoted by $o^?_{a\to b}$, meaning that role $a$ sends a message on operation $o^?$ of role $b$. Roles $a$ and $b$ should not coincide. Public and private interactions (i.e. interactions on public and private operations) have the same operational semantics, but they will be distinguished by the observational semantics; in particular, the weak observational semantics will abstract away private interactions. In addition to interactions there are the empty IOC $1$, the deadlocked IOC $0$, sequential and parallel composition of IOCs, and nondeterministic choice between IOCs. For instance $(o_{a\to b} \parallel o'_{a\to c}); o''_{b\to c}$ specifies that interactions $o_{a\to b}$ and $o'_{a\to c}$ can be performed in any order, and after both of them have been performed then interaction $o''_{b\to c}$ can be executed. The deadlocked IOC $0$ is only needed for defining the operational semantics, and is not expected to be used in the description of systems. We call initial an IOC where $0$ is never used.

Table 1. IOC semantics (symmetric rules omitted).

$$
\text{(Interaction)}\quad o^?_{a\to b} \xrightarrow{\;o^?_{a\to b}\;} 1
\qquad\qquad
\text{(End)}\quad 1 \xrightarrow{\;\surd\;} 0
$$
$$
\text{(Sequence)}\quad \frac{I \xrightarrow{\;\sigma\;} I' \qquad \sigma \neq \surd}{I;J \xrightarrow{\;\sigma\;} I';J}
\qquad
\text{(Parallel)}\quad \frac{I \xrightarrow{\;\sigma\;} I' \qquad \sigma \neq \surd}{I \parallel J \xrightarrow{\;\sigma\;} I' \parallel J}
\qquad
\text{(Choice)}\quad \frac{I \xrightarrow{\;\sigma\;} I'}{I + J \xrightarrow{\;\sigma\;} I'}
$$
$$
\text{(Seq-end)}\quad \frac{I \xrightarrow{\;\surd\;} I' \qquad J \xrightarrow{\;\sigma\;} J'}{I;J \xrightarrow{\;\sigma\;} J'}
\qquad\qquad
\text{(Par-end)}\quad \frac{I \xrightarrow{\;\surd\;} I' \qquad J \xrightarrow{\;\surd\;} J'}{I \parallel J \xrightarrow{\;\surd\;} I' \parallel J'}
$$

We now define the operational semantics of IOCs. IOC transitions are defined as the smallest labeled transition system (LTS) closed under the rules in Table 1. Symmetric rules for parallel composition and choice have been omitted. The rules are in the style of, e.g., (Bravetti and Zavattaro, 2007). We use $\sigma$ to range over labels. We have two kinds of labels: label $o^?_{a\to b}$ denotes the execution of an interaction $o^?_{a\to b}$, while label $\surd$ represents the termination of the IOC.

Rule Interaction executes an interaction. Rule End terminates an empty IOC. Rule Sequence executes a step in the first component of a sequential composition. Rule Parallel executes an interaction from a component of a parallel composition, while rule Choice starts the execution of an alternative in a nondeterministic choice. Rule Seq-end acknowledges the termination of the first component of a sequential composition, starting the second component. Rule Par-end synchronizes the termination of two parallel components.

We can now define IOC traces. We consider both strong traces, where all the performed interactions are observed, and weak traces, where only interactions on public operations are visible.

Definition 2.1 (IOC traces). A (strong maximal) trace of an IOC $I_1$ is a sequence of labels $\sigma_1, \ldots, \sigma_n$ such that there is a sequence of IOC transitions $I_1 \xrightarrow{\;\sigma_1\;} \cdots \xrightarrow{\;\sigma_n\;} I_{n+1}$ and such that $I_{n+1}$ has no outgoing transitions.

A weak trace of an IOC $I_1$ is a sequence of labels $\sigma_1, \ldots, \sigma_n$ obtained by removing all the labels of the form $o^*_{a\to b}$ from a strong trace of $I_1$. An IOC trace is complete iff its last label is $\surd$.

Initial IOCs capture well-behaved systems, in the sense that they never deadlock, as shown by the following proposition.

Proposition 2.1. Let $I$ be an initial IOC. Each maximal trace of $I$ is complete.

Proof. By structural induction on $I$.

The proposition above holds since $0$ cannot occur inside an initial IOC.

The function $roles(I)$ that computes the set of roles in a given IOC $I$ is inductively defined as:

$$roles(o^?_{a\to b}) = \{a, b\}$$

$$roles(1) = roles(0) = \emptyset \qquad roles(I; I') = roles(I \parallel I') = roles(I + I') = roles(I) \cup roles(I')$$

Table 2. POC asynchronous semantics (symmetric rules omitted).

$$
\text{(In)}\quad o^? \xrightarrow{\;o^?\;} 1
\qquad
\text{(Out)}\quad \overline{o^?} \xrightarrow{\;\overline{o^?}\;} 1
\qquad
\text{(Async-Out)}\quad \langle o^? \rangle \xrightarrow{\;\langle o^? \rangle\;} 1
\qquad
\text{(One)}\quad 1 \xrightarrow{\;\surd\;} 0
$$
$$
\text{(Sequence)}\quad \frac{P \xrightarrow{\;\gamma\;} P' \qquad \gamma \neq \surd}{P;Q \xrightarrow{\;\gamma\;} P';Q}
\qquad
\text{(Inner Parallel)}\quad \frac{P \xrightarrow{\;\gamma\;} P' \qquad \gamma \neq \surd}{P \,|\, Q \xrightarrow{\;\gamma\;} P' \,|\, Q}
\qquad
\text{(Choice)}\quad \frac{P \xrightarrow{\;\gamma\;} P'}{P + Q \xrightarrow{\;\gamma\;} P'}
$$
$$
\text{(Seq-end)}\quad \frac{P \xrightarrow{\;\surd\;} P' \qquad Q \xrightarrow{\;\gamma\;} Q'}{P;Q \xrightarrow{\;\gamma\;} Q'}
\qquad\qquad
\text{(Inner Par-end)}\quad \frac{P \xrightarrow{\;\surd\;} P' \qquad Q \xrightarrow{\;\surd\;} Q'}{P \,|\, Q \xrightarrow{\;\surd\;} P' \,|\, Q'}
$$
$$
\text{(Lift)}\quad \frac{P \xrightarrow{\;\gamma\;} P' \qquad \gamma \neq \overline{o^?}, \surd}{(P)_a \xrightarrow{\;\gamma : a\;} (P')_a}
\qquad
\text{(Lift-Tick)}\quad \frac{P \xrightarrow{\;\surd\;} P'}{(P)_a \xrightarrow{\;\surd\;} (P')_a}
\qquad
\text{(Msg)}\quad \frac{P \xrightarrow{\;\overline{o^?}\;} P'}{(P)_a \xrightarrow{\;\overline{o^?} : a\;} (P' \,|\, \langle o^? \rangle)_a}
$$
$$
\text{(Synch)}\quad \frac{S \xrightarrow{\;\langle o^? \rangle : a\;} S' \qquad S'' \xrightarrow{\;o^? : b\;} S'''}{S \parallel S'' \xrightarrow{\;o^?_{a\to b}\;} S' \parallel S'''}
\qquad
\text{(Ext-Parallel)}\quad \frac{S \xrightarrow{\;\gamma\;} S' \qquad \gamma \neq \surd}{S \parallel S'' \xrightarrow{\;\gamma\;} S' \parallel S''}
\qquad
\text{(Ext-Par-End)}\quad \frac{S \xrightarrow{\;\surd\;} S' \qquad S'' \xrightarrow{\;\surd\;} S'''}{S \parallel S'' \xrightarrow{\;\surd\;} S' \parallel S'''}
$$

2.2. Process-Oriented Choreography

This subsection describes the syntax and the operational semantics of POCs. POCs include processes, ranged over by $P, P', \ldots$, describing the behavior of participants, and grouped into systems, ranged over by $S, S', \ldots$.

$$P ::= o^? \ \mid\ \overline{o^?} \ \mid\ 1 \ \mid\ P; P' \ \mid\ P \,|\, P' \ \mid\ P + P' \ \mid\ \langle o^? \rangle \ \mid\ 0 \qquad\qquad S ::= (P)_a \ \mid\ S \parallel S'$$

Processes include input action $o^?$ and output action $\overline{o^?}$ on a specific operation $o^?$ (either public or private), the empty process $1$, sequential and parallel composition, and nondeterministic choice. The runtime syntax also includes messages $\langle o^? \rangle$, used in the definition of the asynchronous semantics, and the deadlocked process $0$. We call initial a POC where $0$ and messages are never used. POC systems are parallel compositions of roles. Each role has a role name and executes a process. We require role names to be unique.

We define two LTS semantics for POCs, synchronous and asynchronous. In the synchronous semantics input actions and output actions interact atomically, while in the asynchronous one the sending event creates a message that, later, may interact with the corresponding input, generating a receiving event.

The asynchronous LTS for POC is the smallest LTS closed under the rules in Table 2. We use $\gamma$ to range over labels. Symmetric rules for parallel compositions (both internal and external) and choice have been omitted. The semantics is in the style of, e.g., (Bravetti and Zavattaro, 2007).

Rules In and Out execute input actions and output actions respectively. Rule Async-Out makes messages available for a corresponding input action. Rule One terminates an empty process. Rule Sequence executes a step in the first component of a sequential composition. Rule Inner Parallel executes an action from a component of a parallel composition, while rule Choice starts the execution of an alternative in a nondeterministic choice. Rule Seq-end acknowledges the termination of the first component of a sequential composition, starting the second component. Rule Inner Par-end synchronizes the termination of two parallel components. Rule Lift lifts actions to the system level, tagging them with the name of the role executing them. Action $\surd$ instead is dealt with by rule Lift-Tick, which lifts it without adding the role name. Outputs instead are stored as messages by rule Msg. Rule Synch synchronizes a message with the corresponding input action, producing an interaction. Rule Ext-Parallel allows parallel systems to stay idle. Finally, rule Ext-Par-End synchronizes the termination of parallel systems.

The synchronous LTS for POC is the smallest LTS closed under the rules in Table 2, where rules Out, Async-Out and Msg are deleted and the new rule Sync-Out below is added:

$$\text{(Sync-Out)}\quad \overline{o^?} \xrightarrow{\;\langle o^? \rangle\;}_s 1$$

This rule allows outputs in the synchronous semantics to send messages that can directly interact with the corresponding input at the system level. Synchronous transitions are denoted as $\xrightarrow{\;\gamma\;}_s$ instead of $\xrightarrow{\;\gamma\;}$, to distinguish them from the asynchronous ones.

As for IOCs, we define POC traces. We have different possibilities: in addition to the distinction between strong and weak traces, we distinguish synchronous, asynchronous, sender and receiver traces.

Definition 2.2 (POC traces). A (strong maximal) synchronous trace of a POC $S_1$ is a sequence of labels $\gamma_1, \ldots, \gamma_n$, where $\gamma_i$ is of the form $o^?_{a\to b}$ or $\surd$ for each $i \in \{1, \ldots, n\}$, such that there is a sequence of synchronous POC transitions $S_1 \xrightarrow{\;\gamma_1\;}_s \cdots \xrightarrow{\;\gamma_n\;}_s S_{n+1}$ and such that $S_{n+1}$ has no outgoing transitions of the same form.

A (strong maximal) asynchronous trace of a POC $S_1$ is a sequence of labels $\gamma_1, \ldots, \gamma_n$, where $\gamma_i$ is of the form $\overline{o^?} : a$, $o^?_{a\to b}$, or $\surd$ for each $i \in \{1, \ldots, n\}$, such that there is a sequence of asynchronous POC transitions $S_1 \xrightarrow{\;\gamma_1\;} \cdots \xrightarrow{\;\gamma_n\;} S_{n+1}$ and such that $S_{n+1}$ has no outgoing transitions of the same form.

A strong sender trace of a POC $S_1$ is obtained by removing all labels of the form $o^?_{a\to b}$ from a strong asynchronous trace of $S_1$.

A strong receiver trace of a POC $S_1$ is obtained by removing all labels of the form $\overline{o^?} : a$ from a strong asynchronous trace of $S_1$.

A weak (synchronous/asynchronous/sender/receiver) trace of a POC $S_1$ is obtained by removing all labels $\overline{o^*} : a$ and $o^*_{a\to b}$ from a strong (synchronous/asynchronous/sender/receiver) trace of $S_1$.

A POC trace is complete iff its last label is $\surd$.

In the definition of POC traces, input actions and messages are never considered, since they represent interactions with the external world, while we are interested in the behavior of closed systems. Also, sender traces consider only output events, while receiver traces consider only input events. Finally, weak traces disregard events of any kind concerning private operations.

Note that, in general, POCs can deadlock, e.g. $(o)_a$ is a deadlocked system since its only trace is empty, and, in particular, does not end with $\surd$.
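As an added example (not code from the paper), the IOC semantics of Table 1 and the synchronous POC semantics of Table 2 with Sync-Out, implemented as a trace enumerator in Python and run on the Introduction's buyer/seller choreography and on the disconnected one. The tuple encoding of terms and the shapes of the labels are assumptions made for this example.

```python
"""Synchronous semantics of IOCs (Table 1) and POCs (Table 2 with Sync-Out in
place of Out, Async-Out and Msg) as a trace enumerator.  Terms are nested
tuples (an assumed encoding); an operation name ending in '*' is private."""

TICK = "√"                       # the termination label
ONE, ZERO = ("one",), ("zero",)  # the empty term 1 and the deadlocked term 0


def _compose(kind, L, R, step):
    """Rules shared by IOCs and processes for ; parallel and + (Table 1/2)."""
    ls, rs = step(L), step(R)
    if kind == "choice":                        # (Choice) and its symmetric rule
        return ls + rs
    if kind == "seq":
        out = []
        for s, L2 in ls:                        # (Sequence) / (Seq-end)
            out += [(s, (kind, L2, R))] if s != TICK else rs
        return out
    out = [(s, (kind, L2, R)) for s, L2 in ls if s != TICK]      # (Parallel)
    out += [(s, (kind, L, R2)) for s, R2 in rs if s != TICK]     # symmetric
    out += [(TICK, (kind, L2, R2)) for s, L2 in ls if s == TICK
            for t, R2 in rs if t == TICK]                         # (Par-end)
    return out


def ioc_steps(I):
    """Transitions (label, I') of an IOC; ('int', op, a, b) is its own label."""
    if I[0] == "int":                           # (Interaction)
        return [(I, ONE)]
    if I[0] == "one":                           # (End)
        return [(TICK, ZERO)]
    if I[0] == "zero":
        return []
    return _compose(I[0], I[1], I[2], ioc_steps)


def proc_steps(P):
    """Synchronous process transitions: inputs emit o, outputs emit <o>."""
    if P[0] == "in":                            # (In): label o
        return [(("in", P[1]), ONE)]
    if P[0] == "out":                           # (Sync-Out): label <o>
        return [(("msg", P[1]), ONE)]
    if P[0] == "one":                           # (One)
        return [(TICK, ZERO)]
    if P[0] == "zero":
        return []
    return _compose(P[0], P[1], P[2], proc_steps)


def sys_steps(S):
    """Transitions of a system S ::= ('role', P, a) | ('spar', S, S')."""
    if S[0] == "role":
        _, P, a = S                             # (Lift) tags the label with the
        return [(g if g == TICK else g + (a,), ("role", P2, a))  # role, (Lift-Tick)
                for g, P2 in proc_steps(P)]     # leaves √ untagged
    _, L, R = S
    ls, rs = sys_steps(L), sys_steps(R)
    out = [(g, ("spar", L2, R)) for g, L2 in ls if g != TICK]    # (Ext-Parallel)
    out += [(g, ("spar", L, R2)) for g, R2 in rs if g != TICK]   # symmetric
    out += [(TICK, ("spar", L2, R2)) for g, L2 in ls if g == TICK
            for h, R2 in rs if h == TICK]                         # (Ext-Par-End)
    for g, L2 in ls:                            # (Synch): <o>:a meets o:b in
        for h, R2 in rs:                        # either direction, giving o_{a->b}
            if g != TICK and h != TICK and g[1] == h[1]:
                if g[0] == "msg" and h[0] == "in":
                    out.append((("int", g[1], g[2], h[2]), ("spar", L2, R2)))
                elif g[0] == "in" and h[0] == "msg":
                    out.append((("int", g[1], h[2], g[2]), ("spar", L2, R2)))
    return out


def traces(term, step, visible):
    """Strong maximal traces (Definitions 2.1/2.2) over the visible labels."""
    result, stack = set(), [(term, ())]
    while stack:
        t, acc = stack.pop()
        nxt = [(l, t2) for l, t2 in step(t) if visible(l)]
        if not nxt:
            result.add(acc)
        stack += [(t2, acc + (l,)) for l, t2 in nxt]
    return result


def sync_traces(S):
    """Synchronous POC traces: only o_{a->b} and √ are admitted as labels."""
    return traces(S, sys_steps, lambda l: l == TICK or l[0] == "int")


def sync_trace_equivalent(I, S):
    """Definition 4.1: I's strong maximal traces equal S's synchronous ones."""
    return traces(I, ioc_steps, lambda l: True) == sync_traces(S)


def example_buyer_seller():
    """ask_{b->s}; quote_{s->b} against (out ask; in quote)_b || (in ask; out quote)_s."""
    I = ("seq", ("int", "ask", "b", "s"), ("int", "quote", "s", "b"))
    S = ("spar", ("role", ("seq", ("out", "ask"), ("in", "quote")), "b"),
                 ("role", ("seq", ("in", "ask"), ("out", "quote")), "s"))
    return sync_trace_equivalent(I, S)          # True: one trace each


def example_disconnected():
    """o_{a->b}; o'_{c->d} against (out o)_a || (in o)_b || (out o')_c || (in o')_d."""
    I = ("seq", ("int", "o", "a", "b"), ("int", "o'", "c", "d"))
    S = ("spar", ("spar", ("role", ("out", "o"), "a"), ("role", ("in", "o"), "b")),
                 ("spar", ("role", ("out", "o'"), "c"), ("role", ("in", "o'"), "d")))
    return sync_trace_equivalent(I, S), len(sync_traces(S))   # (False, 2)
```

The second example exhibits the extra POC trace in which $c$ and $d$ interact before $a$ and $b$, which is what the text calls a non-conformant pair.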

3. Projecting IOCs onto POCs

In this section we show how to relate the Interaction-Oriented and the Process-Oriented description of a choreography. In particular, given an IOC $I$ we want to define a system $S$ implementing it. The idea is to project the IOC on the different roles, and build the system $S$ as the parallel composition of the projections on the different roles. We consider here the most natural projection, which is essentially a homomorphism on most operators. As we will see, the POC resulting from such a projection is behaviorally related to the starting IOC only under some syntactic conditions on the IOC itself. Also, POCs resulting from the projection of initial IOCs will not deadlock. We will see in Section 6 how to transform IOCs so as to ensure that they satisfy those syntactic conditions, preserving the observable behavior.

Definition 3.1 (Projection function). Given an IOC $I$ and a role $a$, the projection $proj(I, a)$ of IOC $I$ on role $a$ is defined by structural induction on $I$:

$$
\begin{array}{rcl}
proj(o^?_{a\to b}, a) &=& \overline{o^?}\\
proj(o^?_{a\to b}, b) &=& o^?\\
proj(o^?_{a\to b}, c) &=& 1 \quad \text{if } c \neq a, b\\
proj(1, a) &=& 1\\
proj(0, a) &=& 0\\
proj(I; I', a) &=& proj(I, a);\ proj(I', a)\\
proj(I \parallel I', a) &=& proj(I, a) \,|\, proj(I', a)\\
proj(I + I', a) &=& proj(I, a) + proj(I', a)
\end{array}
$$

We denote with $\parallel_{i \in I} S_i$ the parallel composition of systems $S_i$ for each $i \in I$.

Definition 3.2. Given an IOC $I$, the projection of $I$ is the system $S$ defined by:

$$proj(I) = \parallel_{a \in roles(I)} (proj(I, a))_a$$

We now want to analyze the relationships between an IOC and the projected POC, proving that the projection $proj(I)$ of a given IOC $I$ behaves according to the IOC $I$. However, "behaves according to" can be formalized in different ways, depending on the kind of properties that one wants to preserve. We call the "behaves according to" relation a conformance relation. To ensure that an IOC and the projected POC satisfy one of the different conformance relations, we find some syntactic conditions on the form of the IOC, which we call connectedness conditions. Each conformance relation will require its particular connectedness conditions. We now give an informal description of the possible conformance relations, while the following sections are devoted to fully formalizing the correspondence in terms of different kinds of trace equivalences, and to discussing the necessary connectedness conditions.

Let us consider the simple IOC $I = o_{a\to b}; o'_{c\to d}$ from the Introduction, where $a$, $b$, $c$ and $d$ may or may not be distinct. In the system $proj(I)$ there are two possibly distinct events for each interaction $o_{a\to b}$ in the IOC: the sending $\overline{o} : a$ of the message by role $a$ and the reception $o_{a\to b}$ of the message by role $b$. Let us denote with $s_1$ and $s_2$ the sending events from $o_{a\to b}$ and $o'_{c\to d}$ respectively, and similarly let us denote with $r_1$ and $r_2$ the corresponding receive events. We denote with $e$ an arbitrary event, write $e_1 = e_2$ when the two events are synchronized and $e_1 < e_2$ when $e_1$ happens before $e_2$. We may use the same notation to denote both the label corresponding to the action execution and the action itself.

The condition that $o_{a\to b}$ has to be executed before $o'_{c\to d}$, expressed by the $;$ in the IOC, has to be mapped into a condition relating the corresponding events in the POC. We consider the following possibilities, one synchronous and four asynchronous:

Synchronous conformance: it guarantees that the POC, when executed using the synchronous LTS, behaves as specified by the IOC. Because of the synchronous semantics $s_1 = r_1$ and $s_2 = r_2$, thus the sequentiality condition can be expressed, e.g., as $s_1 < s_2 \vee s_1 < r_2 \vee r_1 < s_2 \vee r_1 < r_2$;

Sender conformance: it guarantees that the POC, when executed using the asynchronous LTS, behaves as specified by the IOC from a sender perspective, i.e. that $s_1 < s_2$;

Receiver conformance: it guarantees that the POC, when executed using the asynchronous LTS, behaves as specified by the IOC from a receiver perspective, i.e. that $r_1 < r_2$;

Sender-receiver conformance: it guarantees that the POC, when executed using the asynchronous LTS, behaves as specified by the IOC from both a sender and a receiver perspective, i.e. that $s_1 < s_2 \wedge r_1 < r_2$; in the following we will not discuss this kind of conformance in detail, since an IOC and a POC are in a relation of sender-receiver conformance iff they are both in a relation of sender conformance and of receiver conformance;

Disjoint conformance: it requires that, when the POC is executed using the asynchronous LTS, the intervals of execution of the first interaction (from $s_1$ to $r_1$) and of the second one (from $s_2$ to $r_2$) are completely disjoint: this can be formalized by $r_1 < s_2$.

The conditions presented above form a partial order w.r.t. implication, e.g., if a system satisfies the connectedness conditions for the disjoint conformance then it also satisfies the connectedness conditions for the other forms of conformance. The partial order is represented in Figure 1. In the partial order, going from top to bottom, connectedness conditions become more relaxed, but behavioral guarantees become weaker. The same implications are still satisfied when we generalize the conditions to take into account IOCs which are more complex than the simple one above.

Fig. 1. Partial order for conformance. From top (stronger conditions and guarantees) to bottom (weaker conditions and guarantees): Disjoint; Sender-receiver; Sender and Receiver, side by side; Synchronous.

Since in the POC different roles are executing in parallel, sequentiality conditions between events should be enforced by a single role, which thus should occur in more than one interaction. We show below the conditions required on roles to make the simple example above behave as expected, according to the different notions of conformance:

$$
\begin{array}{ll}
\text{Synchronous conformance:} & \{a, b\} \cap \{c, d\} \neq \emptyset;\\
\text{Sender conformance:} & c = a \vee c = b;\\
\text{Receiver conformance:} & d = b \vee c = b;\\
\text{Disjoint conformance:} & b = c.
\end{array}
$$

Let us analyze, for instance, the condition for sender conformance: we require that the sending from $c$ happens after the sending from $a$. Clearly, if $a = c$ then $a$ can enforce this condition. However, if $b = c$ then $b$, when it receives the message, knows that the message has already been sent, and thus can enforce the sequentiality condition. We call this condition connectedness for sequence.

We also require two other kinds of conditions: existence of unique points of choice, to ensure that all the participants are aware of which branch of a nondeterministic choice has been taken, and causality safety, to ensure that different interactions using the same operation do not mix up. We refer to the three conditions together as connectedness conditions.

The next sections discuss the different notions of conformance and the corresponding connectedness conditions.

4. Synchronous conformance

In this section we discuss synchronous conformance and the corresponding connectedness conditions. This case is important since, while being simpler than the asynchronous ones, it introduces most of the relevant concepts. For this reason we will describe it in detail. We will reuse most of the concepts in the following section.

We formalize the notion of conformance between an IOC and a POC using (variations of) trace equivalence (Hoare, 1985). To simplify our proofs, we also use a (stronger) characterization of conformance in terms of bisimilarity (Milner, 1989).

Definition 4.1 (Synchronous trace equivalence). An IOC $I$ and a POC $S$ are synchronous trace equivalent iff the set of strong maximal traces of $I$ coincides with the set of strong maximal synchronous traces of $S$.


The aim of this section is to give all the tools to (make formal and) prove the following theorem:

Theorem 4.1 (Synchronous conformance). Let I be an IOC and S = proj(I) be its projection. If I satisfies the connectedness conditions for the synchronous conformance, then I and S are synchronous trace equivalent.

We start by formalizing the connectedness conditions required to guarantee the synchronous conformance. A few auxiliary functions are needed. Functions transI(•) and transF(•) compute respectively the sets of initial and final interactions in an IOC:

$$\begin{array}{l}
\mathrm{transI}(o?_{a\to b}) = \mathrm{transF}(o?_{a\to b}) = \{o?_{a\to b}\} \\
\mathrm{transI}(1) = \mathrm{transI}(0) = \mathrm{transF}(1) = \mathrm{transF}(0) = \emptyset \\
\mathrm{transI}(I \parallel I') = \mathrm{transI}(I + I') = \mathrm{transI}(I) \cup \mathrm{transI}(I') \\
\mathrm{transF}(I \parallel I') = \mathrm{transF}(I + I') = \mathrm{transF}(I) \cup \mathrm{transF}(I') \\
\mathrm{transI}(I; I') = \mathrm{transI}(I') \text{ if } I \xrightarrow{\surd},\ \mathrm{transI}(I) \text{ otherwise} \\
\mathrm{transF}(I; I') = \mathrm{transF}(I) \text{ if } I' \xrightarrow{\surd},\ \mathrm{transF}(I') \text{ otherwise}
\end{array}$$

The first connectedness condition that we present concerns sequential composition. It generalizes the condition discussed in Section 3 for the synchronous conformance from the case of sequential composition of interactions to the case of sequential composition of arbitrary terms.

Definition 4.2 (Synchronous connectedness for sequence). An IOC I is synchronous connected for sequence if for each subterm of the form I′; I′′ we have ∀o?_{a→b} ∈ transF(I′), ∀o′?_{c→d} ∈ transI(I′′), {a, b} ∩ {c, d} ≠ ∅.

The second condition ensures that, for each nondeterministic choice in the IOC, all the participants agree on which branch of the choice has been taken.

Definition 4.3 (Synchronous unique points of choice). An IOC I has synchronous unique points of choice if for each subterm of the form I′ + I′′ we have:

— ∀o?_{a→b} ∈ transI(I′), ∀o′?_{c→d} ∈ transI(I′′), {a, b} ∩ {c, d} ≠ ∅;
— roles(I′) = roles(I′′).

The first condition ensures that any pair of initial interactions in different branches of a choice shares a participant. In this way, as soon as an event of an interaction in a branch of a choice has been performed, all the events in the other branch are disabled. To understand the need for the additional condition roles(I′) = roles(I′′), consider the following example.

Example 4.1. Consider the IOC I = (o_{a→b} + o′_{a→c}); o′′_{b→c}. No trace of this IOC starts with the interaction o′′_{b→c}. However, its projection is:

$$\mathrm{proj}(I) = ((\overline{o} + \overline{o'}); 1)_a \parallel ((o + 1); \overline{o''})_b \parallel ((1 + o'); o'')_c$$


In this POC both the actions $\overline{o''}$ and $o''$ are enabled, thus the interaction o′′_{b→c} can be performed immediately, while this is not the case for the IOC I.

The two conditions above are enough to guarantee a correct behavior when each interaction of the IOC is performed on a different operation o?. If different interactions are performed over the same operation o?, special care is needed to ensure that the different occurrences of o? do not interfere. This is formalized below using the concept of causality safety, requiring a causality relation or a full conflict relation between events of interactions performed on the same operation.

For defining the causality relation and the full conflict relation we need to index interactions inside IOCs and events inside POCs. We call annotated IOC (resp. annotated POC) an IOC (resp. POC) with indexes. However, not all the assignments of indexes are good for us: we call well-annotated IOC (resp. POC) an IOC (resp. POC) whose indexes satisfy some conditions.

Definition 4.4 (Well-annotated IOC). Annotated IOCs are derived by a grammar obtained by replacing o?_{a→b} with n : o?_{a→b}, where n is a natural number (called the index of the interaction), in the grammar for IOCs. An IOC is well-annotated if all the indexes are different.

Definition 4.5 (Annotated POC). Annotated POCs are derived by a grammar obtained by replacing $o?$, $\overline{o?}$ and ⟨o?⟩ with $n : o?$, $n : \overline{o?}$ and n : ⟨o?⟩ respectively, where n is a natural number (called the index of the event), in the grammar for POCs.

The definition of well-annotated POC is deferred to Definition 4.11, since some preliminary definitions are needed.

The semantics is trivially extended from IOCs to annotated IOCs and from POCs to annotated POCs: indexes are just decorations and they have no effect on the semantics. Also, transitions preserve indexes (for interactions and actions which are not discarded). Similarly, one can easily extend the projection of an IOC into a POC to a projection of an annotated IOC into an annotated POC: the input and the output actions obtained by projecting interaction i both have index i. For instance, the projection of the annotated IOC 1 : o_{a→b}; 2 : o′_{c→d} is $(1 : \overline{o}; 1)_a \parallel (1 : o; 1)_b \parallel (1; 2 : \overline{o'})_c \parallel (1; 2 : o')_d$.

We can use indexes of events to define matching events.

Definition 4.6 (Matching events). A POC input and a POC output with the same index are called matching events. We denote with $\overline{e}$ the event matching event e. An event is unmatched if it has no matching event.

We can now define the causality relation and the full conflict relation. We also define the conflict relation, characterizing pairs of events in different branches of a choice.

Definition 4.7 (Synchronous causality relation). Let us consider an annotated IOC I. A synchronous causality relation ≤_I is a partial order among events in the (derivatives of the) projection S of I. We define ≤_I as the minimum partial order satisfying:

sequentiality: for each subterm of the form I′; I′′ and each role a, if e′ is an event in proj(I′, a), e′′ is an event in proj(I′′, a), and proj(I′, a) has no transition of the form $\mathrm{proj}(I', a) \xrightarrow{\surd}$, then e′ ≤_I e′′;

synchronization: for each pair of events e and e′, e ≤_I e′ implies $\overline{e} \le_I e'$.

A pair e ≤_I e′ formalizes the fact that event e should occur before event e′, either because the two events are in the same role and composed sequentially, or because some synchronization involving e has to be performed before e′ can become enabled.

Definition 4.8 (Synchronous conflict relation). Let us consider an annotated IOC I. A synchronous conflict relation #_I is a relation among events in the (derivatives of the) projection S of I. We define #_I as the relation containing all pairs (e′, e′′) of events such that e′ is in proj(I′, a) for some role a and e′′ is in proj(I′′, b) for some role b, for some subterm of the form I′ + I′′ of I. A synchronous full conflict relation f#_I is a relation among events in the (derivatives of the) projection S of I. We define f#_I as the relation containing all pairs (e, e′) of events such that (e, e′) ∈ #_I and both e and e′ are not minimal according to ≤_{I′+I′′}.

Definition 4.9 (Synchronous causality safety). An IOC I is synchronous causality safe iff for each pair of interactions i and j performed on the same operation the two conditions below hold:

— s_i f#_I r_j ∨ s_i ≤_I r_j ∨ r_j ≤_I s_i;
— s_j f#_I r_i ∨ s_j ≤_I r_i ∨ r_i ≤_I s_j.

The following example shows the need for causality safety.

Example 4.2. Consider the annotated IOC I = 1 : o_{a→b} ‖ 2 : o_{c→d}. Here the two interactions are performed on the same operation o, but there are no causal dependencies or full conflicts between the events corresponding to the two interactions, i.e., the IOC I is not causality safe. In fact, the projection of I has the transition

$$(1 : \overline{o})_a \parallel (1 : o)_b \parallel (2 : \overline{o})_c \parallel (2 : o)_d \xrightarrow{o_{a\to d}} (1)_a \parallel (1 : o)_b \parallel (2 : \overline{o})_c \parallel (1)_d$$

which is not allowed by the IOC itself. Note that this POC interaction involves two events with different indexes.

In the projection of causality safe IOCs, one input and one output in different interactions (thus with different indexes) on the same operation are never enabled together and thus cannot interact. This is proved in Lemma 4.2.

Annotated IOCs and POCs are also used in the proof of our main theorem to deal with nondeterministic choice: when a choice is performed in the POC, some garbage is kept in the form of events whose matching events have been discarded, as shown by the following example.

Example 4.3. Consider the annotated IOC transition:

$$(1 : o_{a\to b}; 2 : o'_{b\to c}) + (3 : o''_{b\to c}; 4 : o'''_{c\to a}) \xrightarrow{o_{a\to b}} (2 : o'_{b\to c})$$

The corresponding annotated POC transition is:

$$(1 : \overline{o}; 1 + 1; 4 : o''')_a \parallel (1 : o; 2 : \overline{o'} + 3 : \overline{o''}; 1)_b \parallel (1; 2 : o' + 3 : o''; 4 : \overline{o'''})_c \xrightarrow{o_{a\to b}} (1; 1)_a \parallel (1; 2 : \overline{o'})_b \parallel (1; 2 : o' + 3 : o''; 4 : \overline{o'''})_c$$

In the result, events 3 : o′′ and $4 : \overline{o'''}$ are unmatched, i.e. there is no other event with the same index, thus they can never be executed and can be discarded.

We define the function rem(•) below to remove unmatched events.

Definition 4.10. Let S be an annotated POC. We denote with rem(S) the annotated POC obtained from S by repeating the following pruning operations while possible:

1 replace an unmatched event e in S with 0;
2 replace each subterm 0; P by 0, each subterm 0 + P by P, and each subterm 0 | Z, where Z is a composition of 0s and 1s, by 0.
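As an added example (not the paper's code), the following implements rem(•) over a small annotated-POC syntax and runs it on the POC reached in Example 4.3. The process encoding, the reading of Z as a parallel composition of 0s and 1s, and the fact that `matched` already admits messages as partners of inputs (the extension of Section 5) are assumptions of the example.

```python
"""rem(•) of Definition 4.10 on annotated POCs (added example, encoding assumed)."""
from dataclasses import dataclass
from typing import Dict, Set, Union


@dataclass(frozen=True)
class Ev:
    idx: int   # index n of the event
    op: str    # operation name
    kind: str  # "in" (o), "out" (o-bar) or "msg" (<o>, asynchronous case)


@dataclass(frozen=True)
class Const:
    value: str  # "1" or "0"


@dataclass(frozen=True)
class Bin:
    kind: str  # ";" (sequence), "+" (choice) or "|" (parallel)
    left: "Proc"
    right: "Proc"


Proc = Union[Ev, Const, Bin]
ONE, ZERO = Const("1"), Const("0")
System = Dict[str, Proc]  # role name -> its process, i.e. ||_r (P_r)_r


def events(p: Proc) -> Set[Ev]:
    if isinstance(p, Ev):
        return {p}
    if isinstance(p, Const):
        return set()
    return events(p.left) | events(p.right)


def matched(e: Ev, present: Set[Ev]) -> bool:
    """Definition 4.6, extended as in Section 5: an input matches an output or a
    message with the same index; an output or a message matches an input."""
    partners = {"in"} if e.kind in ("out", "msg") else {"out", "msg"}
    return any(o.idx == e.idx and o.kind in partners for o in present)


def trivial(p: Proc) -> bool:
    """Z in '0 | Z': a parallel composition built only from 0s and 1s (assumed)."""
    if isinstance(p, Const):
        return True
    return isinstance(p, Bin) and p.kind == "|" and trivial(p.left) and trivial(p.right)


def prune(p: Proc, present: Set[Ev]) -> Proc:
    """One bottom-up pass applying both pruning operations of Definition 4.10."""
    if isinstance(p, Ev):
        return p if matched(p, present) else ZERO      # operation 1
    if isinstance(p, Const):
        return p
    l, r = prune(p.left, present), prune(p.right, present)
    if p.kind == ";" and l == ZERO:                    # 0;P -> 0
        return ZERO
    if p.kind == "+":                                  # 0+P -> P (either side)
        if l == ZERO:
            return r
        if r == ZERO:
            return l
    if p.kind == "|" and ((l == ZERO and trivial(r)) or (r == ZERO and trivial(l))):
        return ZERO                                    # 0|Z -> 0
    return Bin(p.kind, l, r)


def rem(s: System) -> System:
    """Repeat the pruning operations until nothing changes (fixpoint)."""
    while True:
        present = set().union(*(events(p) for p in s.values()))
        nxt = {role: prune(p, present) for role, p in s.items()}
        if nxt == s:
            return nxt
        s = nxt


# The POC reached in Example 4.3 after the interaction o_{a->b} has been performed.
AFTER_4_3: System = {
    "a": Bin(";", ONE, ONE),
    "b": Bin(";", ONE, Ev(2, "o'", "out")),
    "c": Bin("+", Bin(";", ONE, Ev(2, "o'", "in")),
                  Bin(";", Ev(3, "o''", "in"), Ev(4, "o'''", "out"))),
}
```

`rem(AFTER_4_3)` replaces the unmatched 3 : o′′ and 4 : ō′′′ at c by 0, collapses that branch to 0 with the rule for 0; P, and then drops it with the rule for 0 + P, leaving (1; 2 : o′) at c.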

POCs obtained projecting annotated connected IOCs enjoy particular properties.

Definition 4.11 (Synchronous well-annotated POC). An annotated POC S is synchronous well-annotated for a causality relation ≤, a conflict relation # and a full conflict relation f# iff for each index i there are at most two events with index i and, in this case, they are matching events. Furthermore, for each pair of events e1 and e2 on the same operation o? with indexes i, j such that i ≠ j, either (e1, e2) ∈ f#, or e1 ≤ e2, or e2 ≤ e1. Finally, if e1 ≤ e2 then e2 can become enabled only after e1 has been executed or discarded, and if (e1, e2) ∈ # then, if e1 is executed, e2 does not occur in rem(S), where S is the system after e1 has been executed.

We now prove some basic properties of synchronous well-annotated POCs.

Lemma 4.1. If S is a synchronous well-annotated POC w.r.t. a causality relation ≤ then only events which are minimal w.r.t. ≤ can be enabled in S.

Proof. The proof is by contradiction. Suppose e_i is enabled but not minimal, i.e. there is e_j such that e_j ≤ e_i. If there is more than one such e_j, consider the one such that the length of the derivation of e_j ≤ e_i is minimal. This should have length one, and this should result from an application of the sequentiality rule. Thus, from the definition of the projection function and since the projection of the first component has no √ action, e_i cannot be enabled.

Lemma 4.2. If S is a synchronous well-annotated POC and $S \xrightarrow{o?_{a\to b}} S'$ then the two executed events are matching events.

Proof. Because of the definition of the semantics the two events are on the same operation. Assume that they are not matching events. Then they are either in causality relation or in full conflict relation. In both cases, thanks to Lemma 4.1, at least one of them cannot be enabled since it is not minimal. This is absurd, thus they have to be matching events.

We now prove that all the POCs we work with are synchronous well-annotated. The proof is in two steps: in Lemma 4.3 we show that all the projections of synchronous connected IOCs are synchronous well-annotated, and in Lemma 4.4 we show that synchronous well-annotated POCs reduce to synchronous well-annotated POCs.


Lemma 4.3. Let I be a synchronous connected IOC. Then S = proj(I) is a synchronous well-annotated POC w.r.t. ≤_I, #_I and f#_I.

Proof. The first condition is trivially satisfied. The second condition trivially follows from the definition of synchronous causality safety. The third condition follows from Lemma 4.1.

Let us prove the last condition. Assume that e1 is in the projection of the branch I′ of a choice I′ + I′′. We will prove that if e1 is executed then all the events in I′′ do not occur in rem(S), where S is the system after e1 has been executed. For events in the same role as e1 the thesis follows by the definition of the semantics. Also, e1 interacts with a matching event $\overline{e_1}$ thanks to Lemma 4.2, thus the thesis follows trivially also for the role of $\overline{e_1}$. For other roles, if the event is in the projection of an initial interaction then it can be discarded by rem(•). In fact, because of the existence of unique points of choice, one of the two events of the interaction is at the same role as e1 or as $\overline{e_1}$, and it is discarded by the semantics. Thus the other event becomes unmatched and can be discarded too (first pruning operation of function rem(•)). We prove by induction on the structure of the term that if all the events in the projection of initial interactions of a term can be discarded, then all the events in the projection of the term can be discarded. The only difficult case is sequential composition. Let J; J′ be the term. For interactions in J the thesis follows by inductive hypothesis. It is enough to prove that the initial interactions in J′ can be discarded. Let o?_{a→b} be such an interaction. Because of synchronous connectedness for sequence, either a or b occurs also in each final interaction of J. Let us take one such interaction, and let us assume that the event is at a. By inductive hypothesis this event is discarded, i.e. replaced by 0. The projection of J on a is composed only by 0s, for unmatched events, and 1s, for projections of interactions not involving the role, and it includes at least a 0. Thus the projection of J on a is reduced to 0 by rem(•) (second pruning operation). Since 0; P is replaced by 0, the event at a is discarded. The event at b becomes unmatched and can be discarded too. The thesis follows.

Lemma 4.4. If S is a synchronous well-annotated POC w.r.t. ≤, # and f# and $S \xrightarrow{o?_{a\to b}}_s S'$ or $S \xrightarrow{\surd}_s S'$, then S′ is a synchronous well-annotated POC w.r.t. the restrictions of ≤, # and f# to the events in S′.

Proof. The first two conditions trivially hold. For the second one, if e1 is executed or discarded then the relation e1 ≤ e2 is removed and nothing has to be proved. Otherwise the thesis holds for the new relation. A similar reasoning can be done for the conflict relation.

The next lemma proves the correctness of function rem(•), i.e. that applying function rem(•) to a synchronous well-annotated POC does not change its semantics.

Lemma 4.5. Let S be a synchronous well-annotated POC. The following properties hold:

— if $S \xrightarrow{\sigma}_s S'$ for σ = o?_{a→b} or σ = √, then $\mathrm{rem}(S) \xrightarrow{\sigma}_s \mathrm{rem}(S')$;
— if $\mathrm{rem}(S) \xrightarrow{\sigma}_s S''$ for σ = o?_{a→b} or σ = √, then there exists S′ such that $S \xrightarrow{\sigma}_s S'$ and rem(S′) = S′′.

Proof. All cases are proved by induction on the number of pruning operations in rem(S). The base case is trivial. Let us consider the inductive case. If the last pruning operation has been applied, it is trivial to see that it does not affect the operational semantics. If the first one has been applied, we have to prove that the event e replaced with 0 is not involved in the transition. From Lemma 4.2, e can interact only with a matching event. However, this is impossible since e is unmatched.

We now prove a few properties of transitions with label √.

Lemma 4.6. If $I \xrightarrow{\surd}$ then, for each role r ∈ roles(I), $\mathrm{proj}(I, r) \xrightarrow{\surd}_s$, and vice versa.

Proof. By structural induction on I.

Lemma 4.7. If transF(I) is empty, then $I \xrightarrow{\surd}$.

Proof. By structural induction on I.

The next lemma shows that if two matching events are enabled in the projection of an IOC, then the corresponding interaction is initial.

Lemma 4.8. Let I be a well-annotated, synchronous connected IOC and i : o?_{a→b} be an interaction in I. If $i : \overline{o?}$ and i : o? are matching events and are both enabled in proj(I), then i : o?_{a→b} ∈ transI(I).

Proof. By structural induction on I. The cases for 1, 0 and interactions are trivial. For parallel composition and choice just consider that, since the two events have the same index, they are from the same component, and the thesis follows by inductive hypothesis. Let us consider sequential composition. Suppose I = I′; I′′. If i : o?_{a→b} ∈ I′ the thesis follows by inductive hypothesis. Otherwise, by inductive hypothesis, i : o?_{a→b} ∈ transI(I′′). Thus from synchronous connectedness for sequence {c, d} ∩ {a, b} ≠ ∅ for all o′?_{c→d} ∈ transF(I′). Assume transF(I′) not empty and take one such o′?_{c→d}. Suppose, e.g., d = b (the other cases are analogous). If o′? inside d is not part of a choice then i : o? is not enabled, since it is guarded by an input on the same role, and we get a contradiction. If it is part of a choice, then role d should occur in all the other branches of the choice too, thus in each branch there is an event concerning d to be executed. Again i : o? is not enabled and we have a contradiction. If instead transF(I′) is empty, then from Lemma 4.7 $I' \xrightarrow{\surd}$. Thus transI(I) = transI(I′′) and the thesis follows by inductive hypothesis.

As a technical tool for proving our conformance result, we exploit a characterization of conformance based on bisimilarity, in order to use coinductive techniques in the proof.

Definition 4.12 (Synchronous bisimilarity). A synchronous bisimulation is a relation R between IOCs and POCs such that if (I, S) ∈ R then:

— if $I \xrightarrow{o?_{a\to b}} I'$ then $S \xrightarrow{o?_{a\to b}}_s S'$ and (I′, S′) ∈ R;
— if $I \xrightarrow{\surd} I'$ then $S \xrightarrow{\surd}_s S'$ and (I′, S′) ∈ R;
— if $S \xrightarrow{o?_{a\to b}}_s S'$ then $I \xrightarrow{o?_{a\to b}} I'$ and (I′, S′) ∈ R;
— if $S \xrightarrow{\surd}_s S'$ then $I \xrightarrow{\surd} I'$ and (I′, S′) ∈ R.

Synchronous bisimilarity ∼_s is the largest synchronous bisimulation.

Synchronous bisimilarity implies synchronous trace equivalence.

Lemma 4.9. Let I be an IOC and S be a POC. If I ∼_s S then I and S are synchronous trace equivalent.

Proof. Easy, by coinduction.

Remember that an IOC I is synchronous connected if it is synchronous connected for sequence, has synchronous unique points of choice and is synchronous causality safe.

We can now prove Theorem 4.1.

Proof of Theorem 4.1. We will show that the relation

R = {(I, S) | rem(S) = proj(I)}

where I is a well-annotated, synchronous connected IOC and S is a synchronous well-annotated POC, is a bisimulation. Thus the thesis will follow from Lemma 4.9. Thanks to Lemma 4.3 all proj(I) are well-annotated. Thanks to Lemma 4.5 it is enough to consider the case S = proj(I). Thanks to Lemma 4.4, all the obtained POCs are synchronous well-annotated. The proof is by structural induction on the IOC I. All the subterms of a synchronous connected IOC are synchronous connected, thus the induction can be performed. The case for label √ follows from Lemma 4.6. Let us consider the other labels.

Case 1, 0, o?_{a→b}: trivial;

Case I; I′: from the definition of the projection function $S = \parallel_r (\mathrm{proj}(I, r); \mathrm{proj}(I', r))_r$. Suppose that $I; I' \xrightarrow{o?_{a\to b}} I''$. There are two possibilities: either $I \xrightarrow{o?_{a\to b}} I'''$ and I′′ = I′′′; I′, or $I \xrightarrow{\surd}$ and $I' \xrightarrow{o?_{a\to b}} I''$. In the first case, by inductive hypothesis $\parallel_r (\mathrm{proj}(I, r))_r \xrightarrow{o?_{a\to b}} \parallel_r (\mathrm{proj}(I''', r))_r$, thus:

$$\parallel_r (\mathrm{proj}(I, r); \mathrm{proj}(I', r))_r \xrightarrow{o?_{a\to b}} \parallel_r (\mathrm{proj}(I''', r); \mathrm{proj}(I', r))_r$$

and the thesis follows.

If $I \xrightarrow{\surd}$ and $I' \xrightarrow{o?_{a\to b}} I''$ then by inductive hypothesis $\mathrm{proj}(I') \xrightarrow{o?_{a\to b}} \mathrm{proj}(I'')$. The thesis follows since, thanks to Lemma 4.6, also $\mathrm{proj}(I; I') \xrightarrow{o?_{a\to b}} \mathrm{proj}(I'')$.

Let us consider the other condition. Suppose:

$$S = \parallel_r (\mathrm{proj}(I, r); \mathrm{proj}(I', r))_r \xrightarrow{o?_{a\to b}} \parallel_r (P_r)_r$$

Thus $\mathrm{proj}(I; I', a) \xrightarrow{\langle o? \rangle} P_a$ and $\mathrm{proj}(I; I', b) \xrightarrow{o?} P_b$. The two events should have the same index thanks to Lemma 4.2. Thus they are either both from I or both from I′. In the first case we have also $\parallel_r (\mathrm{proj}(I, r))_r \xrightarrow{o?_{a\to b}} \parallel_r (P''_r)_r$ with P_r = P′′_r; proj(I′, r). Thus by inductive hypothesis $I \xrightarrow{o?_{a\to b}} I''$ and $\parallel_r (P''_r)_r$ is the projection of I′′. Also $I; I' \xrightarrow{o?_{a\to b}} I''; I'$. The thesis follows.

In the second case, thanks to Lemma 4.8, o?_{a→b} ∈ transI(I; I′). Thus $I \xrightarrow{\surd}$ and $I' \xrightarrow{o?_{a\to b}} I''$. Thanks to Lemma 4.6 we then have $\mathrm{proj}(I, a) \xrightarrow{\surd}$ and $\mathrm{proj}(I, b) \xrightarrow{\surd}$. Thus $\mathrm{proj}(I', a) \xrightarrow{\langle o? \rangle} P_a$, $\mathrm{proj}(I', b) \xrightarrow{o?} P_b$ and $\mathrm{proj}(I') \xrightarrow{o?_{a\to b}} \parallel_r (P_r)_r$. The thesis follows by inductive hypothesis.

Case I ‖ I′: from the definition of the projection $S = \parallel_r (\mathrm{proj}(I, r) \mid \mathrm{proj}(I', r))_r$. If I ‖ I′ can perform an interaction then one of its two components can perform the same interaction and the thesis follows by inductive hypothesis. For the other direction, an input and an output on the same operation should be enabled. Thanks to Lemma 4.2 they should have the same index. Thus they are from the same component and the thesis follows by inductive hypothesis.

Case I + I′: from the definition of the projection $S = \parallel_r (\mathrm{proj}(I, r) + \mathrm{proj}(I', r))_r$. If I + I′ can perform an interaction, i.e. $I + I' \xrightarrow{o?_{a\to b}} I''$, then one of its two components can perform the same interaction. Let it be I. Thus $I \xrightarrow{o?_{a\to b}} I''$. By inductive hypothesis $\parallel_r (\mathrm{proj}(I, r))_r \xrightarrow{o?_{a\to b}} \parallel_r (\mathrm{proj}(I'', r))_r$. Thus $\parallel_r (\mathrm{proj}(I, r) + \mathrm{proj}(I', r))_r \xrightarrow{o?_{a\to b}} \parallel_r (P''_r)_r$. We have to show that $\mathrm{rem}(\parallel_r (P''_r)_r) = \parallel_r (\mathrm{proj}(I'', r))_r$. We show that the equality holds for each role. For roles a and b this is trivial. For other roles, the transition leaves them unchanged. However, thanks to the definition of synchronous well-annotated POC and of conflict relation, all the events in proj(I′, r) are removed by rem(•). No event in proj(I, r) is removed, since only the executed pair of matching events is removed, and no unmatched event remains.

For the other direction, we have an input and an output on the same operation o? enabled. Suppose they are both in proj(I). Then proj(I) has the same transition, i.e. $\mathrm{proj}(I) \xrightarrow{o?_{a\to b}} S''$, and by inductive hypothesis $I \xrightarrow{o?_{a\to b}} I''$ and thus $I + I' \xrightarrow{o?_{a\to b}} I''$. Also $\mathrm{proj}(I + I') \xrightarrow{o?_{a\to b}} S'''$. We have to show that rem(S′′′) = proj(I′′). The technique is the same as for the other direction.

It is not possible that the input and output events are one in I and the other in I′ because of Lemma 4.2.

Since synchronous bisimilarity implies synchronous trace equivalence (Lemma 4.9), the thesis follows.

As a consequence, each POC obtained by projecting an initial synchronous connected IOC is deadlock free.

Proposition 4.1. Let I be an initial synchronous connected IOC and proj(I) its projection. All maximal synchronous traces of proj(I) are complete.

Proof. This follows from the synchronous conformance between IOC and POC (Theorem 4.1) and from Proposition 2.1, guaranteeing that the same property holds for the IOC.


In the next section we show how these techniques have to be extended to deal with the various possibilities emerging when the asynchronous semantics for POC is used.

5. Asynchronous conformance notions

In this section we discuss the different possibilities of conformance and connectedness that arise when the asynchronous semantics for POC is used. In fact, while in the IOC an interaction is an atomic event, in the POC, using the asynchronous LTS, for each interaction two events are performed: the sending and the receiving of the corresponding message. Thus different conformance relations are possible, depending on whether the IOC is used to specify the ordering of sending events, of receiving events, or both orderings. These correspond respectively to the sender, receiver and sender-receiver semantics. We also discuss the disjoint semantics, which considers also the ordering of sending and receiving events together.

Some of the technicalities of the different asynchronous cases are similar, and are discussed below. The distinctive traits are analyzed in the following subsections.

Definition 5.1 (Asynchronous unique points of choice). An IOC I has asynchronous unique points of choice iff for each subterm of the form I′ + I′′ we have:

— ∀o?_{a→b} ∈ transI(I′), ∀o′?_{c→d} ∈ transI(I′′). a = c;
— roles(I′) = roles(I′′).

Differently from synchronous unique points of choice, in the asynchronous case the sender of all the starting interactions is the same. We call it the role that makes the choice. Such a constraint is needed since in the asynchronous semantics senders can send messages even if the corresponding receive is not available yet.

In order to define causality and well-annotated POCs, in addition to input and output events as in the synchronous case, we have to consider also messages ⟨o?⟩. Messages are events: they inherit the index of the output that generates them, and are matched with inputs with the same index. Thus an input is matched iff there exists either an output or a message with the same index.

Definition 5.2 (Asynchronous causality relation). Let us consider an annotated IOC I. An asynchronous causality relation ≤^a_I is a partial order among events in the derivatives of the projection S of I. We define ≤^a_I as the minimum partial order satisfying:

sequentiality: for each subterm of the form I′; I′′ and each role a, if r′ is a receive event in proj(I′, a), e′′ is a generic event in proj(I′′, a), and proj(I′, a) has no transition of the form $\mathrm{proj}(I', a) \xrightarrow{\surd}$, then r′ ≤^a_I e′′;

synchronization: for each receive event n : r and generic event m : e′, n : r ≤^a_I m : e′ implies both n : s ≤^a_I m : e′ and n : ⟨s⟩ ≤^a_I m : e′, where n : s is the sending event with index n and n : ⟨s⟩ is the message with index n.

Differently from the synchronous case, here outputs cannot enforce sequentiality, since they can be executed asynchronously.


The definition of asynchronous conflict #^a_I is equal to the synchronous one (see Definition 4.8). The definition of asynchronous full conflict f#^a_I is equal to the synchronous one (see Definition 4.8), but exploiting the asynchronous causality relation ≤^a_I. The definition of asynchronous causality safety is equal to the synchronous one (see Definition 4.9), but exploiting the asynchronous causality relation ≤^a_I. For function rem(•), the same definition used in the synchronous case can be used too, using the new definition of unmatched events.

POCs obtained projecting annotated connected IOCs enjoy particular properties.

Definition 5.3 (Asynchronous well-annotated POC). A POC S is asynchronous well-annotated for a causality relation ≤^a, a conflict relation #^a and a full conflict relation f#^a iff it is synchronous well-annotated w.r.t. ≤^a, #^a and f#^a, and for each output event s inside a choice, either s is in the role that makes the choice, or s is not minimal according to ≤^a in the choice term.

The next lemma proves the correctness of function rem(•) in the asynchronous case.

Lemma 5.1. Let S be an asynchronous well-annotated POC. The following properties hold:

— if $S \xrightarrow{\sigma} S'$ for σ = o?_{a→b}, σ = o? : a, or σ = √, then $\mathrm{rem}(S) \xrightarrow{\sigma} \mathrm{rem}(S')$;
— if $\mathrm{rem}(S) \xrightarrow{\sigma} S''$ for σ = o?_{a→b}, σ = o? : a, or σ = √, then there exists S′ such that $S \xrightarrow{\sigma} S'$ and rem(S′) = S′′.

Proof. Similar to the proof of Lemma 4.5. Additionally, we have to show that the first pruning operation does not remove sending events, to ensure that all the transitions of the form $S \xrightarrow{o?:a} S'$ are preserved. For a sending event s_j to be removed, it should be unmatched, i.e. the corresponding input r_j should have been consumed. The only possibility is that the input has been discarded by a choice (either directly or via pruning). This requires that an event e in conflict with r_j has been performed. From the definition of conflict relation, this event should be in conflict also with s_j. According to the definition of asynchronous well-annotated POC we have to consider two cases: either the output s_j is in the role that makes the choice, or it is not minimal in the choice term. In the first case, as soon as the choice has been made, the output has been discarded, thus it cannot be enabled. If instead it is not minimal in the choice term, let us consider the minimal event e′ in the same role and in the same branch of the choice as s_j. The event e′ is in conflict with e. It should be an input, since no output in the role can be minimal because of the properties of asynchronous well-annotated POC. It should also be matched with an output in the role that makes the choice, which is discarded. Thus such an input can never be executed, and s_j can never become enabled.

We now prove that asynchronous well-annotated POCs reduce to asynchronous well-annotated POCs. The proof that projections of well-annotated, asynchronous connected IOCs are asynchronous well-annotated POCs will be done separately for each notion of asynchronous conformance.

Lemma 5.2. If S is an asynchronous well-annotated POC w.r.t. ≤^a, #^a and f#^a and $S \xrightarrow{\sigma} S'$ with σ ∈ {o?_{a→b}, o? : a, √}, then S′ is an asynchronous well-annotated POC w.r.t. the restrictions of ≤^a, #^a and f#^a to the events in S′.

Proof. Similar to the proof of Lemma 4.4. In addition we have to show that for each output event e inside a choice, either e is in the role that makes the choice, or e is not minimal in the choice term. The condition holds for S. If e is in the role that makes the choice then it is in the role that makes the choice also in S′, unless the choice is executed. However, in this last case the choice is discarded and nothing has to be proved. Let us consider the case e not minimal in S. Assume by contradiction that e is minimal in S′. This means that all the events on which it was causally dependent have been performed. However, the last such event is in the same role, thus performing it discards the choice. Thus nothing has to be proved.

We now proceed to analyze the peculiar features of each asynchronous conformance notion.

5.1. Sender conformance

According to sender conformance, the IOC determines the order in which messages are sent, disregarding when they are received. This is matched by the notion of sender trace equivalence, based on strong maximal sender traces, which only include output events.

Definition 5.4 (Sender trace equivalence). An IOC I and a POC S are sender trace equivalent iff there is a bijection between strong maximal traces of I and strong maximal sender traces of S such that, given a strong maximal trace t of I, the corresponding strong maximal trace of S is obtained by replacing in t each label of the form o?_{a→b} with o? : a.

The translation on the labels is needed since o? : a is the POC label of the output event that corresponds to the full interaction o?_{a→b}.

We will develop the tools to prove:

Theorem 5.1 (Sender conformance). Let I be an IOC and S = proj(I) be its projection. If I satisfies the connectedness conditions for the sender conformance, then I and S are sender trace equivalent.

We start by formalizing the connectedness for sequence for the sender conformance.

Definition 5.5 (Sender connectedness for sequence). An IOC I is sender connected for sequence iff for each subterm of the form I′; I′′ we have ∀o?_{a→b} ∈ transF(I′), ∀o′?_{c→d} ∈ transI(I′′). a = c ∨ b = c.

In the following, when we say that an IOC is sender connected, we mean that it satisfies,

besides sender connectedness for sequence, also the asynchronous unique points of choice

property and the asynchronous causality safety property.

The next lemma shows that if an output event is enabled in the projection of an IOC,

then the corresponding interaction is initial.

Page 22: main - cs.unibo.itlanese/publications/fulltext/ioc.pdf · Title: main.dvi Created Date: 12/19/2012 10:04:16 AM

I. Lanese, F. Montesi and G. Zavattaro 22

Lemma 5.3. Let $I$ be a sender connected IOC and $i : o?a\to b$ be an annotated interaction in $I$. If $i : o?$ is enabled in $\mathit{proj}(I)$ then $i : o?a\to b \in \mathit{transI}(I)$.

Proof. By structural induction on $I$. The cases for $1$, interactions, parallel composition and choice are trivial. Let us consider sequential composition. Suppose $I = I'; I''$. If $i : o?a\to b$ is in $I'$ the thesis follows by inductive hypothesis. Otherwise by inductive hypothesis the interaction is in $\mathit{transI}(I'')$. Thus from sender connectedness for sequence for each $o'?c\to d \in \mathit{transF}(I')$ we have $c = a$ or $d = a$. If $\mathit{transF}(I')$ is not empty, in both the cases we get a contradiction since $i : o?$ cannot be enabled. If instead $\mathit{transF}(I')$ is empty, then thanks to Lemma 4.7 $I' \xrightarrow{\surd}$ and the thesis follows by inductive hypothesis.

We show now that projections of well-annotated, sender connected IOCs are asynchronous well-annotated POCs.

Lemma 5.4. Let $I$ be a well-annotated, sender connected IOC. Then $\mathit{proj}(I)$ is an asynchronous well-annotated POC w.r.t. $\le^a_I$, $\#^a_I$ and $f\#^a_I$.

Proof. Similar to the proof of Lemma 4.3. In addition we have to show that for each output event $e$ inside a choice, either $e$ is in the role that makes the choice, or $e$ is not minimal in the choice term. Assume that $e$ is not in the role that makes the choice, but in a generic role $a$. In particular, $e$ is not in an initial interaction of the choice, since all the senders of these interactions are in the role that makes the choice. Thus, it should be in the projection on $a$ of the second component of a sequence $I; I'$ such that there is no transition of the form $I \xrightarrow{\surd}$. Take the smallest such sequence. Then $e$ is initial in the component $I'$ of the sequence. Because of sender connectedness for sequence, all the final interactions in the first component should have an event at role $a$. There is at least one such interaction, otherwise from Lemma 4.7 $I \xrightarrow{\surd}$. If this interaction is not inside a choice inside $I$ then $\mathit{proj}(I, a)$ has no transition of the form $\mathit{proj}(I, a) \xrightarrow{\surd}$ and $e$ cannot be minimal. If the interaction is inside a choice, because of unique points of choice the role $a$ is involved in all the branches and again $\mathit{proj}(I, a)$ has no transition of the form $\mathit{proj}(I, a) \xrightarrow{\surd}$ and $e$ cannot be minimal.

As a technical tool for proving our conformance result, we exploit a characterization of conformance based on bisimilarity, to be able to exploit coinductive techniques in the proof.

As auxiliary notation we will write $\Rightarrow_i$ for a sequence of zero or more input transitions $\xrightarrow{o_1?a_1\to b_1} \cdots \xrightarrow{o_n?a_n\to b_n}$.

Definition 5.6 (Sender bisimilarity). A sender bisimulation is a relation $R$ between IOCs and POCs such that if $(I,S) \in R$ then:

— if $I \xrightarrow{o?a\to b} I'$ then $S \Rightarrow_i \xrightarrow{o?:a} S'$ and $(I',S') \in R$;

— if $I \xrightarrow{\surd} I'$ then $S \Rightarrow_i \xrightarrow{\surd} S'$ and $(I',S') \in R$;

— if $S \xrightarrow{o?:a} S'$ then $I \xrightarrow{o?a\to b} I'$ and $(I',S') \in R$;


— if $S \xrightarrow{\surd} S'$ then $I \xrightarrow{\surd} I'$ and $(I',S') \in R$;

— if $S \xrightarrow{o?a\to b} S'$ then $(I,S') \in R$.

Sender bisimilarity $\sim_n$ is the largest sender bisimulation.

The following lemmas will simplify the proof of the conformance result. Below, by mixed choice we mean a choice between two POC terms, one able to perform as its first action an input, and another one able to start with an output action. By input choice, we mean a choice between two POC terms able to perform, as their first action, only inputs.

Lemma 5.5. Let $S$ be a POC without mixed choice. If $S \xrightarrow{o?:a} S'$ and $S \Rightarrow_i S''$ then $S' \Rightarrow_i S'''$ and $S'' \xrightarrow{o?:a} S'''$.

Proof. Trivial, by induction on the number of transitions in $\Rightarrow_i$.

Lemma 5.6. Let $S$ be a POC. Suppose that for each input choice, there is at most one branch such that a message able to interact with it exists. If $S \xrightarrow{o?a\to b} S'$ and $S \xrightarrow{o'?c\to d} S''$ with $o? \neq o'?$ then $S' \xrightarrow{o'?c\to d} S'''$ and $S'' \xrightarrow{o?a\to b} S'''$.

Proof. Trivial, by case analysis.

The next lemma defines an auxiliary relation for proving sender bisimilarity.

Lemma 5.7. Let $R'$ be a relation between IOCs and POCs. Let $R = \{(I,S'') \mid S'' \Rightarrow_i S \land (I,S) \in R'\}$. Suppose that in each POC $S''$ there is no mixed choice and that for each input choice, there is at most one branch such that a message able to interact with it exists. If $R'$ is such that if $(I,S) \in R'$ then:

— if $I \xrightarrow{o?a\to b} I'$ then $S \xrightarrow{o?:a} S'$ and $(I',S') \in R$;

— if $I \xrightarrow{\surd} I'$ then $S \xrightarrow{\surd} S'$ and $(I',S') \in R$;

— if $S \xrightarrow{o?:a} S'$ then $I \xrightarrow{o?a\to b} I'$ and $(I',S') \in R$;

— if $S \xrightarrow{\surd} S'$ then $I \xrightarrow{\surd} I'$ and $(I',S') \in R$;

— $S$ has no input transitions;

then $R$ is a sender bisimilarity.

Proof. The proof is by coinduction. Let $(I,S'') \in R$. Thus $S'' \Rightarrow_i S \land (I,S) \in R'$. We have to show that $(I,S'')$ satisfies the bisimilarity conditions.

Suppose $I \xrightarrow{o?a\to b} I'$. We know that $S'' \Rightarrow_i S$ and since $(I,S) \in R'$ then $S \xrightarrow{o?:a} S'$ with $(I',S') \in R$. The case of $\surd$ is similar.

Suppose now $S'' \xrightarrow{o?:a} S'$. We know that $S'' \Rightarrow_i S$ and $(I,S) \in R'$. From Lemma 5.5 $S \xrightarrow{o?:a} S'''$ and $S' \Rightarrow_i S'''$. From the second bisimilarity condition $I \xrightarrow{o?a\to b} I'$ and $(I',S''') \in R$. Since $S' \Rightarrow_i S'''$ also $(I',S') \in R$ as desired. The case of $\surd$ is similar.

For the last condition we know that $S'' \Rightarrow_i S$ and $S'' \xrightarrow{o?a\to b} S'$. We prove that $(I,S') \in R$ by induction on the number of inputs in $\Rightarrow_i$. The base case is vacuously true. For the


inductive case, if the first input in $\Rightarrow_i$ is not on operation $o?$ we can apply Lemma 5.6 and the thesis follows by inductive hypothesis. Assume now that both the transitions are on the same operation. Then there should be either two inputs or two messages (or both) on the same operation concurrently enabled. At least one of them does not have the same index as an event it can interact with. Thus because of asynchronous causality safety, the two events are either in causal relation or in full conflict relation. Thus because of the properties of asynchronous well-annotated POC at least one of them is not enabled. This means that this case can never happen.

Sender bisimilarity implies sender trace equivalence.

Lemma 5.8. Let $I$ be an IOC and $S$ be a POC. If $I \sim_n S$ then $I$ and $S$ are sender trace equivalent.

Proof. Easy, by coinduction.

We can now prove Theorem 5.1.

Proof of Theorem 5.1. The proof shows that the relation

$$R = \{(I,S) \mid S \Rightarrow_i S' \land \mathit{rem}(S') = \mathit{proj}(I)\}$$

where $I$ is a well-annotated, sender connected IOC and $S$ is an asynchronous well-annotated POC is a sender bisimulation. Consider the relation

$$R' = \{(I,S') \mid \mathit{rem}(S') = \mathit{proj}(I)\}$$

The conditions of Lemma 5.7 on choice are satisfied thanks to the existence of asynchronous unique points of choice. In fact, there is no mixed choice since for each term $I + I'$ all the interactions have the same sender, i.e. all the outputs are in the same role, which cannot have enabled inputs. Also, for each input choice there is at most one branch such that a message able to interact with it exists, since as soon as a message is created, all the other outputs are discarded.

Thus it is enough to show that the conditions of Lemma 5.7 on $R'$ are satisfied. Thanks to Lemma 5.1, Lemma 5.4 and Lemma 5.2 one can just consider the case $S' = \mathit{proj}(I)$. First, $\mathit{rem}(S')$ has no input transitions since projections contain no messages. For the other conditions the proof is by structural induction on $I$:

Case $0$, $1$: trivial.

Case $o?a\to b$: the only possible transition is $o?a\to b \xrightarrow{o?a\to b} 1$. The associated POC is $(o?)_a \| (o?)_b$, which has as only transition $(o?)_a \| (o?)_b \xrightarrow{o?:a} (\langle o?\rangle)_a \| (o?)_b$. This satisfies the first condition since $(\langle o?\rangle)_a \| (o?)_b \xrightarrow{o?a\to b} (1)_a \| (1)_b = \mathit{proj}(1)$, thus $(1, (\langle o?\rangle)_a \| (o?)_b) \in R$. The other conditions are satisfied too.

Case $I; I'$: from the definition of the projection function $S = \|_r (\mathit{proj}(I,r); \mathit{proj}(I',r))_r$. Suppose that $I; I' \xrightarrow{o?a\to b} I''$. There are two possibilities: either $I \xrightarrow{o?a\to b} I'''$ and $I'' = I'''; I'$, or $I \xrightarrow{\surd}$ and $I' \xrightarrow{o?a\to b} I''$. In the first case by inductive hypothesis $\|_r$


$(\mathit{proj}(I,r))_r \xrightarrow{o?:a} \Rightarrow_i \|_r (\mathit{proj}(I''',r))_r$. As a consequence $\|_r (\mathit{proj}(I,r); \mathit{proj}(I',r))_r \xrightarrow{o?:a} \Rightarrow_i \|_r (\mathit{proj}(I''',r); \mathit{proj}(I',r))_r$ and the thesis follows. The second case is similar.

Let us consider now the case $\|_r (\mathit{proj}(I,r); \mathit{proj}(I',r))_r \xrightarrow{o?:a} S$. We should have $o?$ enabled. Thus thanks to Lemma 5.3 we have $o?a\to b \in \mathit{transI}(I; I')$. We have two cases: either $o?$ is in the projection of $I$ or it is in the projection of $I'$ (thanks to asynchronous causality safety and Lemma 5.4 exactly one $o?$ is enabled).

Suppose $o?$ is in $\mathit{proj}(I)$. Then $I; I' \xrightarrow{o?a\to b} I'''; I'$ and by inductive hypothesis $\|_r (\mathit{proj}(I,r))_r \xrightarrow{o?:a} S \Rightarrow_i \|_r (\mathit{proj}(I''',r))_r$. Then $\|_r (\mathit{proj}(I; I',r))_r \xrightarrow{o?:a} S'' \Rightarrow_i \|_r (\mathit{proj}(I'''; I',r))_r$. Note that the inputs in $\Rightarrow_i$ are the same ones as before since from asynchronous causality safety and Lemma 5.4 at most one input on any operation can be enabled.

The case $o?$ in $\mathit{proj}(I')$ is possible only if $I \xrightarrow{\surd}$, and follows trivially by inductive hypothesis.

The cases for $\surd$ actions are trivial.

Case $I \| I'$: from the definition of the projection $S = \|_r (\mathit{proj}(I,r) \mid \mathit{proj}(I',r))_r$. If $I \| I'$ has a transition then one of its two components has the same transition and the thesis follows from inductive hypothesis. Let us consider the other direction. Suppose the output is from $\mathit{proj}(I)$, i.e. $\mathit{proj}(I) \xrightarrow{o?:a} S'' = \|_r (P''_r)_r$. Then by inductive hypothesis $I \xrightarrow{o?a\to b} I''$ with $(I'',S'') \in R$. This means that $S'' \Rightarrow_i \mathit{proj}(I'')$. Also $\mathit{proj}(I \| I') \xrightarrow{o?:a} \|_r (P''_r \mid \mathit{proj}(I',r))_r$. All the inputs can be done by $\|_r (P''_r)_r$. Thus:

$$\|_r (P''_r \mid \mathit{proj}(I',r))_r \Rightarrow_i \mathit{proj}(I'' \| I')$$

as desired.

Case $I + I'$: from the definition of the projection $S = \|_r (\mathit{proj}(I,r) + \mathit{proj}(I',r))_r$. If $I + I'$ has a transition then one of its two components has the same transition. Suppose that $I$ is such a component. Then we have $\|_r (\mathit{proj}(I,r) + \mathit{proj}(I',r))_r \xrightarrow{o?:a} \Rightarrow_i \|_r (\mathit{proj}(I,r) + P''_r)_r$. We have to show that $\mathit{rem}(\|_r (\mathit{proj}(I,r) + P''_r)_r) = \|_r (\mathit{proj}(I,r))_r$. We show that the equality holds for each role. For role $a$ this is trivial. For other roles, the output transition leaves them unchanged. However, thanks to the definition of asynchronous well-annotated POC and of conflict relation, all the events in $\mathit{proj}(I',r)$ are removed by $\mathit{rem}(\bullet)$. No event in $\mathit{proj}(I,r)$ is removed but the event matching the output, which is removed by the following input transition, since there is no unmatched event inside $\mathit{proj}(I)$. The case for $\surd$ is similar.

Consider the other direction. Suppose the output is from $\mathit{proj}(I)$, i.e. $\mathit{proj}(I) \xrightarrow{o?:a} S'' = \|_r (P''_r)_r$. Then by inductive hypothesis we have $I \xrightarrow{o?a\to b} I''$ with $(I'',S'') \in R$. This means that $S'' \Rightarrow_i \mathit{proj}(I'')$. Also $\mathit{proj}(I + I') \xrightarrow{o?:a} \|_r (P''_r + P''''_r)_r$. All the inputs can be done by $\|_r (P''_r)_r$. Thus $\|_r (P''_r + P''''_r)_r \Rightarrow_i \|_r (\mathit{proj}(I'',r) + P'''''_r)_r$. We have to show that $\mathit{rem}(\|_r (P'''''_r)_r) = \|_r (0)_r$. The technique is the same as for the other direction.

Since sender bisimilarity implies sender trace equivalence (Lemma 5.8) then the thesis follows.


As a consequence, each POC obtained by projecting an initial sender connected IOC is deadlock free.

Proposition 5.1. Let $I$ be an initial sender connected IOC and $\mathit{proj}(I)$ its projection. All maximal asynchronous traces of $\mathit{proj}(I)$ are complete.

Proof. This follows from the sender conformance between IOC and POC (Theorem 5.1) and from Proposition 2.1, guaranteeing that the same property holds for the IOC.

5.2. Receiver conformance

According to the receiver conformance, the IOC determines the order in which messages are received, disregarding when they are sent. This is matched by the notion of receiver trace equivalence, based on strong maximal receiver traces, which only include input events.

Definition 5.7 (Receiver trace equivalence). An IOC $I$ and a POC $S$ are receiver trace equivalent iff the strong maximal traces of $I$ coincide with the strong maximal receiver traces of $S$.

We will develop the tools to prove:

Theorem 5.2 (Receiver conformance). Let $I$ be an IOC and $S = \mathit{proj}(I)$ be its projection. If $I$ satisfies the connectedness conditions for the receiver conformance, then $I$ and $S$ are receiver trace equivalent.

We start by formalizing the connectedness for sequence for the receiver conformance.

Definition 5.8 (Receiver connectedness for sequence). An IOC $I$ is receiver connected for sequence iff for each subterm of the form $I'; I''$ we have $\forall o?a\to b \in \mathit{transF}(I'),\ \forall o'?c\to d \in \mathit{transI}(I'').\ b = c \lor b = d$.

In the receiver case, we also have to strengthen the definition of unique points of choice.

Definition 5.9 (Asynchronous receiver unique points of choice). An IOC $I$ has asynchronous receiver unique points of choice iff for each subterm of the form $I' + I''$ we have:

— $\forall o?a\to b \in \mathit{transI}(I'),\ \forall o'?c\to d \in \mathit{transI}(I'').\ a = c$;

— $\mathit{roles}(I') = \mathit{roles}(I'')$;

— no output outside the role that makes the choice is minimal in the choice term according to the causality relation.

The last condition is necessary to avoid that outputs in the wrong branch of the choice are executed before the choice is made.

Remark 5.1. The last condition in the definition of asynchronous receiver unique points of choice is not necessary in the other asynchronous cases, since it follows from the asynchronous unique points of choice property and the sender connectedness for sequence (cf. the proof of Lemma 5.4). Thanks to this implication, even if we will not require


this condition for the sender-receiver conformance and the disjoint conformance, sender-receiver and disjoint connectedness will imply receiver connectedness.

In the following, when we say that an IOC is receiver connected, we mean that it satisfies, besides receiver connectedness for sequence, also the asynchronous receiver unique points of choice property and the asynchronous causality safety property.

We show now that projections of well-annotated, receiver connected IOCs are asynchronous well-annotated POCs.

Lemma 5.9. Let $I$ be a well-annotated, receiver connected IOC. Then $\mathit{proj}(I)$ is an asynchronous well-annotated POC w.r.t. $\le^a_I$, $\#^a_I$ and $f\#^a_I$.

Proof. Similar to the proof of Lemma 5.4. Just note that the fact that for each output event $e$ inside a choice, either $e$ is in the role that makes the choice, or $e$ is not minimal in the choice term, follows from the additional condition required for asynchronous receiver unique points of choice.

As auxiliary notation we write $\Rightarrow_o$ for a sequence of zero or more output transitions $\xrightarrow{o_1?:a_1} \cdots \xrightarrow{o_n?:a_n}$.

The next lemma shows that if in the projection of an IOC, after a sequence of output events, an input and a message on the same operation are both enabled, then the corresponding interaction is initial.

Lemma 5.10. Let $I$ be a receiver connected IOC and $i : o?a\to b$ be an interaction in $I$. If there exists $S$ such that $\mathit{proj}(I) \Rightarrow_o S$ and $i : o?$ and $i : \langle o?\rangle$ are both enabled in $S$ then $i : o?a\to b \in \mathit{transI}(I)$.

Proof. By structural induction on $I$. The cases for $0$, $1$, interactions, parallel composition and choice are trivial. Let us consider sequential composition. Suppose $I = I'; I''$. If $i : o?a\to b$ is in $I'$ the thesis follows by inductive hypothesis. Otherwise by inductive hypothesis the interaction is in $\mathit{transI}(I'')$. Thus from receiver connectedness for sequence for each $o'?c\to d \in \mathit{transF}(I')$ we have $d = a$ or $d = b$. If $d = b$ then $i : o?$ could never become enabled. Also, no $j : o?$ with $j \neq i$ can be enabled if $i : \langle o?\rangle$ is enabled because of asynchronous causality safety and Lemma 5.9. If $d = a$ then $i : \langle o?\rangle$ could never be created. No $j : \langle o?\rangle$ with $j \neq i$ could be enabled if $i : o?$ is enabled because of asynchronous causality safety and Lemma 5.9. Thus we have a contradiction and this case can never happen.

The next lemma shows that output events which are not part of a given interaction can always be postponed after the interaction.

Lemma 5.11. Let $I$ be a receiver connected IOC. If we have $\mathit{proj}(I) \Rightarrow_o S' \xrightarrow{o?a\to b} S''$ and $I \xrightarrow{o?a\to b} I'$ then $\mathit{proj}(I') \Rightarrow_o \mathit{rem}(S'')$.

Proof. The proof is by structural induction on $I$. The cases for $0$, $1$ and interactions are trivial.

Let us consider $I = I'' \| I'''$. Suppose the interaction comes from $I''$, i.e. $I'' \xrightarrow{o?a\to b} I''''$.


Because of asynchronous causality safety and Lemma 5.9 in the projection just one input for $o?$ can be enabled if an output is. Thus $\|_r (\mathit{proj}(I'',r) \mid \mathit{proj}(I''',r))_r \Rightarrow_o \xrightarrow{o?a\to b} \|_r (P''_r \mid P'''_r)_r$ with $\|_r (\mathit{proj}(I'',r))_r \Rightarrow_o \xrightarrow{o?a\to b} \|_r (P''_r)_r$ and $\|_r (\mathit{proj}(I''',r))_r \Rightarrow_o \|_r (P'''_r)_r$. By inductive hypothesis $\mathit{proj}(I'''') \Rightarrow_o \|_r (P''_r)_r$. Thus $\mathit{proj}(I'''' \| I''') \Rightarrow_o \|_r (P''_r \mid P'''_r)_r$ as desired.

Let us consider $I = I''; I'''$. Suppose the interaction comes from $I''$, i.e. $I'' \xrightarrow{o?a\to b} I''''$. Because of asynchronous causality safety and Lemma 5.9 in the projection just one input for $o?$ can be enabled if an output is. Thus we have:

$$\|_r (\mathit{proj}(I'',r); \mathit{proj}(I''',r))_r \Rightarrow_o \xrightarrow{o?a\to b} \|_r (P''_r; P'''_r)_r$$

with $\|_r (\mathit{proj}(I'',r))_r \Rightarrow_o \xrightarrow{o?a\to b} \|_r (P''_r)_r$ and also $\|_r (\mathit{proj}(I''',r))_r \Rightarrow_o \|_r (P'''_r)_r$. By inductive hypothesis we have $\mathit{proj}(I'''') \Rightarrow_o \|_r (P''_r)_r$. Thus $\mathit{proj}(I''''; I''') \Rightarrow_o \|_r (P''_r; P'''_r)_r$ as desired. The other case is analogous.

Let us consider $I = I'' + I'''$. Suppose the interaction comes from $I''$, i.e. $I'' \xrightarrow{o?a\to b} I''''$. Because of asynchronous causality safety and Lemma 5.9 in the projection just one input for $o?$ can be enabled if an output is. Thus $\|_r (\mathit{proj}(I'',r) + \mathit{proj}(I''',r))_r \Rightarrow_o \xrightarrow{o?a\to b} \|_r (P''_r + P'''_r)_r$ with $\|_r (\mathit{proj}(I'',r))_r \Rightarrow_o \xrightarrow{o?a\to b} \|_r (P''_r)_r$ and $\|_r (\mathit{proj}(I''',r))_r \Rightarrow_o \|_r (P'''_r)_r$. By inductive hypothesis $\mathit{proj}(I'''') \Rightarrow_o \|_r (P''_r)_r$. Thus $\mathit{proj}(I'''' + I''') \Rightarrow_o \|_r (P''_r + P'''_r)_r$. To prove the thesis we have to show that $\mathit{rem}(P'''_r) = 0$ for each $r$. This follows from the definition of asynchronous well-annotated POC and of conflict relation.

As a technical tool for proving our conformance result, we exploit a characterization of conformance based on bisimilarity, to be able to exploit coinductive techniques in the proof.

Definition 5.10 (Receiver bisimilarity). A receiver bisimulation is a relation $R$ between IOCs and POCs such that if $(I,S) \in R$ then:

— if $I \xrightarrow{o?a\to b} I'$ then $S \Rightarrow_o \xrightarrow{o?a\to b} S'$ and $(I',S') \in R$;

— if $I \xrightarrow{\surd} I'$ then $S \Rightarrow_o \xrightarrow{\surd} S'$ and $(I',S') \in R$;

— if $S \xrightarrow{o?a\to b} S'$ then $I \xrightarrow{o?a\to b} I'$ and $(I',S') \in R$;

— if $S \xrightarrow{\surd} S'$ then $I \xrightarrow{\surd} I'$ and $(I',S') \in R$;

— if $S \xrightarrow{o?:a} S'$ then $(I,S') \in R$.

Receiver bisimilarity $\sim_r$ is the largest receiver bisimulation.

Receiver bisimilarity implies receiver trace equivalence.

Lemma 5.12. Let $I$ be an IOC and $S$ be a POC. If $I \sim_r S$ then $I$ and $S$ are receiver trace equivalent.

Proof. Easy, by coinduction.

We can now prove Theorem 5.2.


Proof of Theorem 5.2. The proof shows that the relation

$$R = \{(I,S') \mid \mathit{proj}(I) \Rightarrow_o S \land \mathit{rem}(S) = S'\}$$

where $I$ is a well-annotated, receiver connected IOC and $S'$ is an asynchronous well-annotated POC is a receiver bisimulation. Thanks to Lemma 5.1, Lemma 5.9 and Lemma 5.2 it is enough to consider the case $S' = S$. The proof is by structural induction on $I$.

Case $0$, $1$: trivial.

Case $o?a\to b$: the associated POC is $(o?)_a \| (o?)_b$, which has as only computation $(o?)_a \| (o?)_b \xrightarrow{o?:a} (\langle o?\rangle)_a \| (o?)_b \xrightarrow{o?a\to b} 1$. This satisfies the bisimulation condition. Also, the only process obtainable via $\Rightarrow_o$ is $(\langle o?\rangle)_a \| (o?)_b$, which satisfies the condition.

Case $I; I'$: from the definition of the projection function $S = \|_r (\mathit{proj}(I,r); \mathit{proj}(I',r))_r$. Suppose that $I; I' \xrightarrow{o?a\to b} I''$. There are two possibilities: either $I \xrightarrow{o?a\to b} I'''$ and $I'' = I'''; I'$, or $I \xrightarrow{\surd}$ and $I' \xrightarrow{o?a\to b} I''$. In the first case by inductive hypothesis $\|_r (\mathit{proj}(I,r))_r \Rightarrow_o \xrightarrow{o?a\to b} \|_r (\mathit{proj}(I''',r))_r$, thus $\|_r (\mathit{proj}(I,r); \mathit{proj}(I',r))_r \Rightarrow_o \xrightarrow{o?a\to b} \|_r (\mathit{proj}(I''',r); \mathit{proj}(I',r))_r$ and the thesis follows. The second case is similar. The case for $\surd$ is similar too.

Let us consider the case $\|_r (\mathit{proj}(I,r); \mathit{proj}(I',r))_r \Rightarrow_o S$ and $S \xrightarrow{o?a\to b} S'$. In $S$ both $o?$ and $\langle o?\rangle$ are enabled. Thus thanks to Lemma 5.10 we have $o?a\to b \in \mathit{transI}(I; I')$. If $I \xrightarrow{\surd}$ then $o?a\to b \in \mathit{transI}(I')$ and the thesis follows trivially by induction. Otherwise the thesis follows from Lemma 5.11. The case for $\surd$ is similar.

The last condition is trivially satisfied.

Case $I \| I'$: from the definition of the projection $S = \|_r (\mathit{proj}(I,r) \mid \mathit{proj}(I',r))_r$. If $I \| I'$ has a transition then one of its two components has the same transition and the thesis follows from inductive hypothesis. The case for $\surd$ is similar.

Suppose $S \xrightarrow{o?a\to b} S'$. We have that $\mathit{proj}(I \| I') \Rightarrow_o S$. In $S$ both $o?$ and $\langle o?\rangle$ are enabled. From Lemma 5.10 $o?a\to b \in \mathit{transI}(I \| I')$. Suppose $o?a\to b$ is from $I$, i.e. $I \xrightarrow{o?a\to b} I'''$. Thanks to asynchronous causality safety there is only one $o?$ that can do the receive. Thus by inductive hypothesis $\mathit{proj}(I) \Rightarrow_o S'' \xrightarrow{o?a\to b} S'''$ and $(I''',S''') \in R$. Also, $\mathit{proj}(I') \Rightarrow_o S''''$. We have $P'_r = P'''_r \mid P''''_r$ with $S' = \|_r (P'_r)_r$, $S''' = \|_r (P'''_r)_r$ and $S'''' = \|_r (P''''_r)_r$. Thus $(I' \| I''', S') \in R$ as desired. The case for $\surd$ is similar.

The last condition is trivially satisfied.

Case $I + I'$: from the definition of the projection $S = \|_r (\mathit{proj}(I,r) + \mathit{proj}(I',r))_r$. If $I + I'$ has a transition then one of its two components has the same transition. Suppose that $I$ is such a component. In order to prove the thesis we have to show that $\mathit{proj}(I')$ is discarded. This follows from the definition of asynchronous well-annotated POC and conflict relation.

The case for $\surd$ is similar.

Suppose $S \xrightarrow{o?a\to b} S'$. We have that $\mathit{proj}(I + I') \Rightarrow_o S$. In $S$ both $o?$ and $\langle o?\rangle$ are enabled. From Lemma 5.10 $o?a\to b \in \mathit{transI}(I + I')$. Suppose $o?a\to b$ is from $I$, i.e.


$I \xrightarrow{o?a\to b} I'''$. Thanks to asynchronous causality safety there is only one $o?$ that can do the receive. Thus by inductive hypothesis $\mathit{proj}(I) \Rightarrow_o S'' \xrightarrow{o?a\to b} S'''$ and $(I''',S''') \in R$. We have $P'_r = P'''_r + P''''_r$ with $S' = \|_r (P'_r)_r$, $S''' = \|_r (P'''_r)_r$ and $S'''' = \|_r (P''''_r)_r$. We have to show that $\mathit{rem}(P''''_r) = 0$ for each $r$. The technique is the same as for the other direction. Thus $(I', S') \in R$ as desired. The case for $\surd$ is similar.

The last condition is trivially satisfied.

Since receiver bisimilarity implies receiver trace equivalence (Lemma 5.12) then the thesis follows.

As a consequence, each POC obtained by projecting an initial receiver connected IOC is deadlock free.

Proposition 5.2. Let $I$ be an initial receiver connected IOC and $\mathit{proj}(I)$ its projection. All maximal asynchronous traces of $\mathit{proj}(I)$ are complete.

Proof. This follows from the conformance between IOC and POC (Theorem 5.2) and from Proposition 2.1, guaranteeing that the same property holds for the IOC.

5.3. Sender-receiver conformance

According to the sender-receiver conformance, the IOC determines the order in which messages are sent and the order in which messages are received. However, there is no constraint relating sending events to receiving events.

We will not describe sender-receiver connectedness conditions in detail: simply, an IOC is connected according to the sender-receiver conformance iff it is connected according to both the sender conformance and the receiver conformance. In particular, thanks to Remark 5.1 it is enough to require asynchronous unique points of choice instead of asynchronous receiver unique points of choice. Similarly, the sender-receiver conformance ensures that both the results for the sender conformance and the receiver conformance hold.

We can thus state the conformance theorem for the sender-receiver semantics:

Theorem 5.3 (Sender-receiver conformance). Let $I$ be an IOC and $S = \mathit{proj}(I)$ be its projection. If $I$ satisfies the connectedness conditions for the sender-receiver conformance, then $I$ and $S$ are sender-receiver trace equivalent.

Proof. It follows from Theorem 5.1 and Theorem 5.2.

5.4. Disjoint conformance

According to the disjoint conformance, the IOC determines both when messages are sent and when they are received. Differently from the sender-receiver conformance, which considers sending and receiving events separately, the disjoint conformance considers also their interplay.


In order to formalize the disjoint trace equivalence we need to add some more information to POC traces.

Definition 5.11 (Indexed POC trace). An indexed POC trace is a POC trace where a label index is associated to each label different from $\surd$, as described below. Output labels have increasing label indexes: the first output label has index 1, the second one index 2, and so on. Indexes are given to input labels considering for each operation $o?$ their position in the subsequence containing the inputs on operation $o?$. The index given to the input label on operation $o?$ in position $i$ is the same index of the $i$-th output on operation $o?$.

Indexes of labels are not to be confused with indexes of interactions and of events. The next lemma shows that a POC trace can always be indexed.

Lemma 5.13. Let $S$ be a POC without messages, and $t$ a trace of $S$. Then it is possible to give label indexes to all the labels in $t$ different from $\surd$, transforming it into an indexed trace.

Proof. One only has to check that for each operation $o?$ there are at least as many output labels on $o?$ as input labels on $o?$. Since each input on operation $o?$ consumes a message on operation $o?$, and only outputs on operation $o?$ can create such messages, the thesis follows.

We can now define disjoint trace equivalence.

Definition 5.12 (Disjoint trace equivalence). An IOC $I$ and a POC $S$ are disjoint trace equivalent iff:

1. for each strong maximal trace $t$ of $I$ there is an asynchronous strong maximal trace of $S$ obtained from $t$ by replacing each label $o?a\to b$ with a sequence of two labels, $o?:a$ and $o?a\to b$;

2. for each indexed asynchronous strong maximal trace of $S$, each trace obtained by leaving only one label for each label index can be obtained from a strong maximal trace of $I$ by replacing some labels $o?a\to b$ with $o?:a$.
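The label indexing of Definition 5.11, the output-count check used in the proof of Lemma 5.13, and the "one label per label index" collapse of condition 2 above, as an added Python example that is not part of the paper. Trace labels are encoded as tuples (an assumption of this example): ("out", o, a) for the output label $o?:a$, ("in", o, a, b) for the input label $o?a\to b$, and ("tick",) for $\surd$.

```python
"""Added example, not the paper's code: indexing a POC trace (Definition
5.11), checking that it can be indexed (proof of Lemma 5.13) and keeping
one label per label index (Definition 5.12, condition 2).
Assumed encoding: ("out", o, a) is the output label o:a, ("in", o, a, b) the
input label o a->b, and ("tick",) the termination label."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Label = Tuple[str, ...]
Indexed = List[Tuple[Label, Optional[int]]]


def index_trace(trace: List[Label]) -> Indexed:
    """Pair every label with its label index (None for the tick label).

    Outputs get 1, 2, ... in trace order.  The i-th input on operation o gets
    the index of the i-th output on o, so an output and the input consuming
    its message share one index.  Raises ValueError when some operation has
    more inputs than outputs, the situation Lemma 5.13 rules out for a POC
    without initial messages."""
    outputs_on: Dict[str, List[int]] = defaultdict(list)
    next_index = 1
    for label in trace:                      # first pass: number the outputs
        if label[0] == "out":
            outputs_on[label[1]].append(next_index)
            next_index += 1

    indexed: Indexed = []
    inputs_seen: Dict[str, int] = defaultdict(int)
    next_index = 1
    for label in trace:                      # second pass: assign indexes
        kind = label[0]
        if kind == "tick":
            indexed.append((label, None))
        elif kind == "out":
            indexed.append((label, next_index))
            next_index += 1
        elif kind == "in":
            op = label[1]
            pos = inputs_seen[op]            # position among inputs on op
            if pos >= len(outputs_on[op]):
                raise ValueError(f"more inputs than outputs on operation {op}")
            indexed.append((label, outputs_on[op][pos]))
            inputs_seen[op] += 1
        else:
            raise ValueError(f"unknown label kind {kind!r}")
    return indexed


def collapse(indexed: Indexed, keep_output: Set[int]) -> List[Label]:
    """Keep exactly one label per label index (Definition 5.12, condition 2):
    the output label for indexes in keep_output, the input label otherwise.
    Tick labels carry no index and an output whose message was never consumed
    has no competitor, so both are always kept."""
    has_input = {idx for label, idx in indexed if label[0] == "in"}
    result: List[Label] = []
    for label, idx in indexed:
        if idx is None or idx not in has_input:
            result.append(label)
        elif (label[0] == "out") == (idx in keep_output):
            result.append(label)
    return result


if __name__ == "__main__":
    # Constructed trace of the projection of o:a->b ; o':a->c (the IOC used in
    # the remark after Definition 5.14), in which role a emits its second
    # output before role b has consumed the first message.
    trace = [("out", "o", "a"), ("out", "o'", "a"),
             ("in", "o", "a", "b"), ("in", "o'", "a", "c"), ("tick",)]
    for label, idx in index_trace(trace):
        print(idx, label)
    print(collapse(index_trace(trace), keep_output={2}))
```

With keep_output={2} the collapsed trace starts with the label on $o'$ and only then has the one on $o$, an order that no strong maximal trace of the IOC $oa\to b; o'a\to c$ yields under the relabelling of condition 2, which is the disjointness failure the remark after Definition 5.14 describes.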

We will develop the tools to prove:

Theorem 5.4 (Disjoint conformance). Let $I$ be an IOC and $S = \mathit{proj}(I)$ be its projection. If $I$ satisfies the connectedness conditions for the disjoint conformance, then $I$ and $S$ are disjoint trace equivalent.

We start by formalizing the connectedness for sequence for the disjoint conformance.

Definition 5.13 (Disjoint connectedness for sequence). An IOC $I$ is disjoint connected for sequence if for each subterm of the form $J; J'$ we have $\forall o?a\to b \in \mathit{transF}(J),\ \forall o'?c\to d \in \mathit{transI}(J').\ b = c$.

In the following, when we say that an IOC is disjoint connected, we mean that it satisfies, besides disjoint connectedness for sequence, also the asynchronous unique points of choice property and the asynchronous causality safety property.
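The three connectedness-for-sequence conditions (Definitions 5.5, 5.8 and 5.13) differ only in which roles of a final interaction of $I'$ must coincide with roles of an initial interaction of $I''$. The following Python checker, an added example rather than the paper's code, computes the two interaction sets over a small IOC syntax and lists the violating pairs for each notion; the rules used for transI, transF and the $\surd$ transition are this example's own reading of the paper's Section 4 definitions and are assumptions.

```python
"""Added example, not the paper's code: a checker for the three
"connectedness for sequence" conditions (Definitions 5.5, 5.8 and 5.13)
over a small IOC syntax.  The helpers can_terminate (I --√-->), trans_i
(initial interactions, transI) and trans_f (final interactions, transF)
follow the intuitive reading of the paper's definitions and are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterator, List, Tuple, Union


@dataclass(frozen=True)
class Inter:
    """Interaction op : sender -> receiver (written o?a->b in the paper)."""
    op: str
    sender: str
    receiver: str


@dataclass(frozen=True)
class Seq:        # I ; I'
    left: "IOC"
    right: "IOC"


@dataclass(frozen=True)
class Par:        # I || I'
    left: "IOC"
    right: "IOC"


@dataclass(frozen=True)
class Choice:     # I + I'
    left: "IOC"
    right: "IOC"


ONE, ZERO = "1", "0"          # successful termination and deadlock
IOC = Union[str, Inter, Seq, Par, Choice]


def can_terminate(i: IOC) -> bool:
    """Assumed rule for I --√-->: 1 terminates, 0 and bare interactions do
    not, sequence and parallel need both components, choice needs one."""
    if isinstance(i, str):
        return i == ONE
    if isinstance(i, Inter):
        return False
    if isinstance(i, Choice):
        return can_terminate(i.left) or can_terminate(i.right)
    return can_terminate(i.left) and can_terminate(i.right)


def trans_i(i: IOC) -> FrozenSet[Inter]:
    """Initial interactions: the right component of a sequence contributes
    only when the left one may terminate (Lemma 4.7's reading)."""
    if isinstance(i, str):
        return frozenset()
    if isinstance(i, Inter):
        return frozenset({i})
    if isinstance(i, Seq):
        extra = trans_i(i.right) if can_terminate(i.left) else frozenset()
        return trans_i(i.left) | extra
    return trans_i(i.left) | trans_i(i.right)


def trans_f(i: IOC) -> FrozenSet[Inter]:
    """Final interactions, symmetric to trans_i."""
    if isinstance(i, str):
        return frozenset()
    if isinstance(i, Inter):
        return frozenset({i})
    if isinstance(i, Seq):
        extra = trans_f(i.left) if can_terminate(i.right) else frozenset()
        return trans_f(i.right) | extra
    return trans_f(i.left) | trans_f(i.right)


def sequences(i: IOC) -> Iterator[Seq]:
    """All subterms of the form I' ; I''."""
    if isinstance(i, Seq):
        yield i
    if isinstance(i, (Seq, Par, Choice)):
        yield from sequences(i.left)
        yield from sequences(i.right)


# Per-pair condition of each definition, for f = o:a->b in transF(I') and
# g = o':c->d in transI(I'').
CONDITIONS: Dict[str, Callable[[Inter, Inter], bool]] = {
    "sender":   lambda f, g: f.sender == g.sender or f.receiver == g.sender,      # a=c or b=c
    "receiver": lambda f, g: f.receiver == g.sender or f.receiver == g.receiver,  # b=c or b=d
    "disjoint": lambda f, g: f.receiver == g.sender,                              # b=c
}


def violations(i: IOC, kind: str) -> List[Tuple[Inter, Inter]]:
    """Pairs (f, g) that break the chosen connectedness-for-sequence notion."""
    cond = CONDITIONS[kind]
    return [(f, g) for s in sequences(i)
            for f in trans_f(s.left) for g in trans_i(s.right) if not cond(f, g)]


def connected_for_sequence(i: IOC, kind: str) -> bool:
    return not violations(i, kind)


if __name__ == "__main__":
    # Constructed IOCs; fan_out is the paper's o:a->b ; o':a->c from the
    # remark after Definition 5.14.
    chain = Seq(Inter("o", "a", "b"), Inter("o2", "b", "c"))
    fan_out = Seq(Inter("o", "a", "b"), Inter("o2", "a", "c"))
    for name, ioc in (("chain", chain), ("fan_out", fan_out)):
        print(name, {k: connected_for_sequence(ioc, k) for k in CONDITIONS})
```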


We show now that projections of well-annotated, disjoint connected IOCs are asynchronous well-annotated POCs.

Lemma 5.14. Let $I$ be a well-annotated, disjoint connected IOC. Then $\mathit{proj}(I)$ is an asynchronous well-annotated POC w.r.t. $\le^a_I$, $\#^a_I$ and $f\#^a_I$.

Proof. Similar to the proof of Lemma 5.4.

The next lemma shows that if an output event is enabled in the projection of an IOC, then the corresponding input is enabled too and the corresponding interaction is initial.

Lemma 5.15. Let $I$ be a disjoint connected IOC and $i : o?a\to b$ be an interaction in $I$. If $i : o?$ is enabled in $\mathit{proj}(I)$ then the action $i : o?$ is enabled in $\mathit{proj}(I)$. Furthermore $o?a\to b \in \mathit{transI}(I)$.

Proof. By structural induction on $I$. The cases for $0$, $1$ and interactions are trivial. For parallel composition and choice, asynchronous causality safety and Lemma 5.14 ensure that the input and the corresponding output are from the same component, thus inductive hypothesis can be applied. Let us consider sequential composition. Suppose $I = I'; I''$. If $o?a\to b$ is in $I'$ the thesis follows by inductive hypothesis. Otherwise by inductive hypothesis the interaction is in $\mathit{transI}(I'')$. Thus from disjoint connectedness for each $o'?c\to d \in \mathit{transF}(I')$ we have $d = a$. If $\mathit{transF}(I')$ is not empty we have a contradiction, since $o?$ cannot be enabled. If it is empty then from Lemma 4.7 $I' \xrightarrow{\surd}$ and the thesis follows.

As a technical tool for proving our conformance result, we exploit a characterization of conformance based on bisimilarity, to be able to exploit coinductive techniques in the proof.

Definition 5.14 (Disjoint bisimilarity). A disjoint bisimulation is a relation $R$ between IOCs and POCs such that if $(I,S) \in R$ then:

— if $I \xrightarrow{o?a\to b} I'$ then $S \xrightarrow{o?:a} S'' \xrightarrow{o?a\to b} S'$ and $(I',S') \in R$; furthermore if $S'' \xrightarrow{\gamma} S'''$ then $S \xrightarrow{\gamma} \xrightarrow{o?:a} S'''$;

— if $I \xrightarrow{\surd} I'$ then $S \xrightarrow{\surd} S'$ and $(I',S') \in R$;

— if $S \xrightarrow{o?:a} S'$ then $S' \xrightarrow{o?a\to b} S''$ and $I \xrightarrow{o?a\to b} I'$ and $(I',S'') \in R$;

— if $S \xrightarrow{\surd} S'$ then $I \xrightarrow{\surd} I'$ and $(I',S'') \in R$.

Disjoint bisimilarity $\sim_d$ is the largest disjoint bisimulation.

The diamond property condition in the first item is needed to ensure that the output does not make any new transition enabled, apart from the corresponding input. Without this condition, e.g. the IOC $oa\to b; o'a\to c$ would be bisimilar to its projection $(o; o')_a \| (o; 1)_b \| (1; o')_c$, but the projection can perform the output on $o'$ before the input of $o$, thus violating the disjointness property we want to guarantee.

The following lemma relates label indexes and indexes from interactions.


Lemma 5.16. Let I be a disjoint connected IOC and S be its projection. Let t be an

indexed asynchronous maximal trace of S. If two events in t have the same label index,

then they also have the same interaction index.

Proof. If two events have the same label index then they are on the same operation, and they are one output and one input. Let us prove the thesis for all the events on some operation $o^?$, by induction on the number of such events. The base case of no outputs is trivial. Let us consider the inductive case. Let us take the first output. We will show that it has the same index $i$ of the first input. Suppose by contradiction that this is not the case, i.e. it has an index $j \neq i$. Then there should be another output with index $i$, and this should be before the input with index $i$ and after the first output. Also, there should be an input with index $j$ after the one with index $i$. This violates the causality safety conditions, thus we have a contradiction. This ensures that the first input on $o^?$ and the first output on $o^?$ are from the same interaction. The thesis follows by inductive hypothesis, considering the trace without those two events (which can be obtained by projecting the IOC where the corresponding interaction has been removed).

The following proposition shows that the executions of the components of a sequential composition are disjoint. This is the property that gives the disjoint conformance its name. Note that to state this property one has to refer to the starting IOC.

Lemma 5.17. Let $I = I'; I''$ be an IOC connected according to the disjoint semantics. Then each asynchronous maximal trace of $\mathit{proj}(I)$ is obtained by concatenating an asynchronous maximal trace of $\mathit{proj}(I')$ (without the final $\surd$ action) and an asynchronous maximal trace of $\mathit{proj}(I'')$.

Proof. Take a maximal trace $t$ of $\mathit{proj}(I)$. If the trace is obtained by executing only events in $\mathit{proj}(I')$ followed by only events in $\mathit{proj}(I'')$ we are done. Assume towards a contradiction that this is not the case. Take the first event in $\mathit{proj}(I'')$ to be executed. Let $e$ be such an event, and let $a$ be its role. If $e$ is not minimal in $I''$ then it cannot be enabled, since the event it depends on has not been executed yet. If it is minimal, then the corresponding interaction is in $\mathit{transI}(I'')$. We have two cases: either $e$ is an output event, or it is an input event. Assume $e$ is an output event. Then the input of all transitions in $\mathit{transF}(I')$ should be in the same role because of disjoint connectedness for sequence. By hypothesis, at least one such event has not been executed yet. Also, if such an event is inside a choice then an event in the same role occurs in each branch of the choice because of asynchronous unique points of choice, thus the event $e$ is not minimal in the term and cannot be enabled. We have the desired contradiction. If the event is an input event then it cannot be executed since there is no enabled message that can interact with it. Again, we have a contradiction.

The next lemma shows that output events can be postponed unless the generated message is read by the next event.

Lemma 5.18. Let $I$ be a disjoint connected IOC and $S$ its projection. Let $t$ be one of its traces. If $t$ includes a subtrace $S' \xrightarrow{o^?:a} \xrightarrow{\gamma} S''$ where $\gamma$ and $o^?:a$ are not matching events then it also includes a subtrace $S' \xrightarrow{\gamma} \xrightarrow{o^?:a} S''$.

Proof. By structural induction on $I$. The cases of $0$, $1$ and interactions are trivial. Let us consider parallel composition. If the two actions are from the same component then the thesis follows by inductive hypothesis, otherwise it is trivial. For choice note that the two actions should come from the same component, since after an action in a component has been executed, the ones from the other component are not executable any more. Thus the inductive hypothesis can be applied. Let us consider sequential composition. If the two actions are from the same component then the thesis follows from the inductive hypothesis. Assume that they are in different components. Thanks to Lemma 5.17 they should be the last action of the first component and the first action of the second. One can prove that the last action of the projection of an IOC (before the $\surd$) is always an input (the proof is by structural induction on the IOC). Thus we have a contradiction and this case can never happen.

Similarly, input events can be anticipated unless they read a newly generated message.

Lemma 5.19. Let $I$ be a disjoint connected IOC and $S$ its projection. Let $t$ be one of its traces. If $t$ includes a subtrace $S' \xrightarrow{\gamma} \xrightarrow{o^?_{a\to b}} S''$ where $o^?_{a\to b}$ and $\gamma$ are not matching events then it also includes a subtrace $S' \xrightarrow{o^?_{a\to b}} \xrightarrow{\gamma} S''$.

Proof. By structural induction on $I$. The cases of $0$, $1$ and interactions are trivial. Let us consider parallel composition. If the two actions are from the same component then the thesis follows by inductive hypothesis, otherwise it is trivial. For choice note that the two actions should come from the same component, since after an action in a component has been executed, the ones from the other component are not executable any more. Thus the inductive hypothesis can be applied. Let us consider sequential composition. If the two actions are from the same component then the thesis follows from the inductive hypothesis. Assume that they are in different components. Thanks to Lemma 5.17 they should be the last action of the first component and the first action of the second. One can prove that the first action of the projection of an IOC is always an output (the proof is by structural induction on the IOC). Thus we have a contradiction and this case can never happen.

Disjoint bisimilarity implies disjoint trace equivalence.

Lemma 5.20. Let $I$ be an IOC and $S$ be a POC. If $I \sim_d S$ then $I$ and $S$ are disjoint trace equivalent.

Proof. The first condition can be proved easily by coinduction.

For the second condition, take an indexed asynchronous strong maximal trace of $S$. Thanks to Lemma 5.16 actions with the same label index are from the same interaction. Consider the events to be discarded while creating the desired IOC trace. Using Lemma 5.18 and Lemma 5.19 these events can be moved next to their matching event. The trace obtained in this way corresponds to the same IOC trace as the previous one (by performing the same choice about which events to preserve), but it has all the outputs immediately followed by the corresponding input. One can easily prove by coinduction that a corresponding IOC trace exists.

We can now prove Theorem 5.4.

Proof of Theorem 5.4. The proof shows that the relation

$$R = \{(I, S) \mid \mathit{rem}(S) = \mathit{proj}(I)\}$$

where $I$ is a well-annotated, disjoint connected IOC and $S$ is an asynchronous well-annotated POC is a disjoint bisimulation. Thanks to Lemma 5.1, Lemma 5.14 and Lemma 5.2 one can just consider the case $S = \mathit{proj}(I)$. The proof is by structural induction on $I$.

Case $0, 1$: trivial;

Case $o^?_{a\to b}$: the associated POC is $(o^?)_a \parallel (o^?)_b$, which has as its only computation $(o^?)_a \parallel (o^?)_b \xrightarrow{o^?:a} (\langle o^? \rangle)_a \parallel (o^?)_b \xrightarrow{o^?_{a\to b}} 1$. This satisfies the bisimulation conditions.

Case $I; I'$: from the definition of the projection function $S = {\parallel}_r (\mathit{proj}(I, r); \mathit{proj}(I', r))_r$. Suppose that $I; I' \xrightarrow{o^?_{a\to b}} I''$. There are two possibilities: either $I \xrightarrow{o^?_{a\to b}} I'''$ and $I'' = I'''; I'$, or $I \xrightarrow{\surd}$ and $I' \xrightarrow{o^?_{a\to b}} I''$. In the first case by inductive hypothesis:

$${\parallel}_r (\mathit{proj}(I, r))_r \xrightarrow{o^?:a} {\parallel}_r (P''_r)_r \xrightarrow{o^?_{a\to b}} {\parallel}_r (\mathit{proj}(I''', r))_r$$

thus:

$${\parallel}_r (\mathit{proj}(I, r); \mathit{proj}(I', r))_r \xrightarrow{o^?:a} {\parallel}_r (P''_r; \mathit{proj}(I', r))_r \xrightarrow{o^?_{a\to b}} {\parallel}_r (\mathit{proj}(I''', r); \mathit{proj}(I', r))_r$$

as desired.

Assume ${\parallel}_r (P''_r; \mathit{proj}(I', r))_r \xrightarrow{\gamma} {\parallel}_r (P'''_r)_r$. If the event is from ${\parallel}_r (P''_r)_r$ then ${\parallel}_r (P''_r)_r \xrightarrow{\gamma} {\parallel}_r (P''''_r)_r$ with ${\parallel}_r (P'''_r)_r = {\parallel}_r (P''''_r; \mathit{proj}(I', r))_r$ and the thesis follows by inductive hypothesis. If this is not the case then we have a contradiction, since there are still events in $P''_r$ for some $r$ to be performed, thus no event in $\mathit{proj}(I', r)$ can be enabled thanks to Lemma 5.17. The second case is similar. The case of $\surd$ is similar too.

Let us consider now the case ${\parallel}_r (\mathit{proj}(I, r); \mathit{proj}(I', r))_r \xrightarrow{o^?:a} S$. We should have the output on $o^?$ enabled in the starting process. Thus thanks to Lemma 5.15 the input on $o^?$ is also enabled and $o^?_{a\to b} \in \mathit{transI}(I; I')$. If $I \xrightarrow{\surd}$ then the thesis follows trivially by induction. Otherwise $S \xrightarrow{o^?_{a\to b}} S'$, and the thesis follows by inductive hypothesis using the definition of projection. Note that because of asynchronous causality-safety and Lemma 5.4 we know that we have just one input on $o^?$ enabled.

Case $I \parallel I'$: from the definition of the projection $S = {\parallel}_r (\mathit{proj}(I, r) \mid \mathit{proj}(I', r))_r$. If $I \parallel I'$ has a transition then one of its two components has the same transition and the thesis follows from the inductive hypothesis. The other direction is similar, using asynchronous causality-safety and Lemma 5.4 to ensure that the input and the output come from the same parallel component.

Case $I + I'$: from the definition of the projection $S = {\parallel}_r (\mathit{proj}(I, r) + \mathit{proj}(I', r))_r$. If $I + I'$ has a transition then one of its two components has the same transition. Suppose that $I$ is such a component. In order to prove the thesis we have to show that $\mathit{proj}(I')$ is discarded. This follows from the definition of asynchronous well-annotated POC and conflict relation. The case for $\surd$ is similar.

The other direction is similar, using asynchronous causality safety and Lemma 5.14 to ensure that the input and the output come from the same component.

Since disjoint bisimilarity implies disjoint trace equivalence (Lemma 5.20), the thesis follows.

As a consequence, each POC obtained by projecting an initial disjoint connected IOC is deadlock free.

Proposition 5.3. Let $I$ be an initial disjoint connected IOC and $\mathit{proj}(I)$ its projection. All maximal asynchronous traces of $\mathit{proj}(I)$ are complete.

Proof. This follows from the conformance between IOC and POC (Theorem 5.4) and from Proposition 2.1, guaranteeing that the same property holds for the IOC.

6. Connecting IOCs

Until now, we have seen how to derive POCs from IOCs that satisfy the connectedness conditions. In this section we discuss how to deal with IOCs that are not connected (or not connected w.r.t. the desired notion of conformance). Let $I$ be such an IOC. We want to derive an IOC $I'$ which is equivalent to $I$ but which is connected, so that the theory developed so far can be applied. To this end, however, we have to relax our observational semantics. In particular, we will move from strong to weak traces, so that we can add private interactions to synchronize the different roles. We also define weak trace equivalence among IOCs, instead of between IOCs and POCs as done so far.

Definition 6.1 (Weak IOC trace equivalence). An IOC $I$ and an IOC $I'$ are weak IOC trace equivalent iff the set of weak maximal traces of $I$ coincides with the set of weak maximal traces of $I'$.

Let us consider our example from the Introduction: $I = o_{a\to b}; o'_{c\to d}$. $I$ is not connected since it does not satisfy connectedness for sequence (in this case, this does not depend on the chosen notion of connectedness). A possible solution is to introduce a private operation $o^*$ and transform $I$ into $o_{a\to b}; o^*_{b\to c}; o'_{c\to d}$, which is instead connected w.r.t. all the notions of conformance, and which is weak IOC trace equivalent to $I$. To obtain a pattern that is easier to generalize, however, we will consider a slightly more complex approach, transforming $I$ into $o_{a\to b}; o^*_{b\to e}; {o^*}'_{e\to c}; o'_{c\to d}$. The transformation introduces an auxiliary role $e$ acting as a coordinator. We introduce similar patterns to ensure the existence of asynchronous unique points of choice. Concerning causality safety, we distinguish parallel causality safety, sequential causality safety and choice causality safety according to the relation between the interfering interactions. For parallel causality safety, we use a form of expansion law removing the undesired parallel composition. For sequential causality safety we show that this never occurs for IOCs which are disjoint connected for sequence and have asynchronous unique points of choice. For choice causality safety we show that this never occurs for IOCs which are disjoint connected for sequence, have asynchronous unique points of choice and where for each nondeterministic choice all the initial interactions are on distinct operations not used elsewhere. If an IOC enjoys this last property we say that it has distinct choice operations. One can ensure that an IOC has distinct choice operations using the same pattern used for ensuring asynchronous unique points of choice. For each pattern we present a correctness result ensuring that the transformed IOC and the starting one are weak IOC trace equivalent. We consider disjoint connectedness, since it is the most demanding: if we can make our IOC disjoint connected, then it will also comply with all the other notions of connectedness.

Since the transformations we present below preserve weak traces, the following results combined allow us to transform any IOC into an equivalent IOC which is disjoint connected. The basic idea is to apply first the pattern for parallel causality safety and then, proceeding from the smallest subterms to the largest, the two other patterns. One of them will ensure asynchronous unique points of choice and distinct choice operations, the other one disjoint connectedness for sequence. In this way, while reasoning on parallel causality safety (the most complex), we do not have to worry about the other connectedness conditions, which will be satisfied by the following steps. Since disjoint connected IOCs can be projected by preserving traces, we can conclude that our procedure transforms a given IOC into another one that can be projected, obtaining a POC which is weak trace equivalent to the starting IOC.

The patterns are presented in reverse order, from the simplest one to the most complex, to help the understanding.

6.1. Disjoint connectedness for sequence

Let $I$ be an IOC that is not disjoint connected for sequence but has asynchronous unique points of choice, has distinct choice operations, and is parallel causality safe. We will transform $I$ into an IOC which is disjoint connected for sequence, and which still enjoys all the other properties.

Since $I$ is not disjoint connected for sequence, there are subterms of the form $I'; I''$ that do not satisfy $\forall {o'}^{?}_{a\to b} \in \mathit{transF}(I'),\ \forall {o''}^{?}_{c\to d} \in \mathit{transI}(I'').\ b = c$. The reconfiguration pattern will be applied to those subterms, in any order that respects the subterm relation. This ensures that we always deal with terms whose subterms are disjoint connected for sequence.

Take one such term $I'; I''$. Choose a fresh role $e$. Consider all the interactions $o^?_{a\to b}$ contributing to $\mathit{transF}(I')$ in the term. For each of them choose a fresh operation $o^*$ and replace $o^?_{a\to b}$ with $o^?_{a\to b}; o^*_{b\to e}$. Similarly, for each interaction $o^?_{c\to d}$ contributing to $\mathit{transI}(I'')$ choose a fresh operation $o^*$ and replace $o^?_{c\to d}$ with $o^*_{e\to c}; o^?_{c\to d}$.

Proposition 6.1. Let $I = I'; I''$ be an IOC which has asynchronous unique points of choice and distinct choice operations, and is parallel causality safe. Assume that $I'$ and $I''$ are disjoint connected for sequence, have asynchronous unique points of choice and distinct choice operations, and are parallel causality safe. Let $J = J'; J''$ be the IOC obtained by applying the pattern above to $I'; I''$. Then:

— $J$ is disjoint connected for sequence, has asynchronous unique points of choice and distinct choice operations, and is parallel causality safe;

— $J$ and $I$ are weak IOC trace equivalent.

Proof. Let us start by proving parallel causality safety. The interactions introduced by the transformation are all performed on operations with different fresh names, thus the condition is trivially satisfied. For existing interactions, the relations of causality and conflict are preserved by the transformation, thus the conditions hold by hypothesis.

Let us consider asynchronous unique points of choice. We consider the condition on roles first. Take a subterm $K' + K''$ of $J$. It is the transformed version of a subterm $H' + H''$ of $I$. By hypothesis $H' + H''$ has asynchronous unique points of choice. There are two cases: the interactions inside $H'$ and $H''$ have been modified or not. In the second case the thesis follows by hypothesis. The first case may happen only if the interaction is a final interaction in $I'$ or an initial interaction in $I''$. In both cases also the interactions in the other subterm have been modified by adding the same role, thus the condition still holds.

Let us consider the condition on the sender of the interactions. As before, either the interactions have not been modified, and the thesis follows by hypothesis, or all of them have been modified. If they were in $\mathit{transF}(I')$ then the sender is unchanged and the thesis follows by hypothesis. If they were in $\mathit{transI}(I'')$ then the new sender of all the initial interactions in the term $K' + K''$ is the role $e$ freshly introduced by the transformation, thus the thesis holds.

Let us consider distinctness of choice operations. This holds by inductive hypothesis for old interactions, and new ones do not interfere since they use fresh distinct operations.

Let us consider disjoint connectedness for sequence. We have to show that each subterm satisfies the condition. The new subterms introduced by the transformation have the form $o^?_{a\to b}; o^*_{b\to e}$ and $o^*_{e\to c}; o^?_{c\to d}$, thus they satisfy the condition. Let us take a subterm $K'; K''$ obtained by transforming a subterm $H'; H''$ of $I$ of the same shape. By hypothesis the condition was satisfied by $H'; H''$. It is easy to check however that $\mathit{transF}(K') = \mathit{transF}(H')$ and $\mathit{transI}(K'') = \mathit{transI}(H'')$, thus the term is still disjoint connected for sequence. Finally, for the term $J'; J''$ the thesis holds by construction.

The second point is easily proved since the transformation does not change the weak traces of the IOC.

6.2. Asynchronous unique points of choice

Let $I$ be an IOC that does not have asynchronous unique points of choice and/or does not have distinct choice operations, but is parallel causality safe. This means that there is a subterm of the form $J + J'$ that either does not satisfy $\forall o^?_{a\to b} \in \mathit{transI}(J),\ \forall {o'}^{?}_{c\to d} \in \mathit{transI}(J').\ a = c$, or that does not satisfy $\mathit{roles}(J) = \mathit{roles}(J')$, or that has two initial interactions on the same operation. The reconfiguration pattern will be applied to those subterms, in any order that respects the subterm relation. This ensures that we always deal with terms whose subterms have asynchronous unique points of choice and distinct choice operations.

Take one such term $J + J'$. If the first condition and/or the third condition are not satisfied then choose a fresh role $e$. Consider all the interactions $o^?_{a\to b}$ contributing to $\mathit{transI}(J)$ or to $\mathit{transI}(J')$ in the term. For each of them choose a fresh operation $o^*$ and replace $o^?_{a\to b}$ with $o^*_{e\to a}; o^?_{a\to b}$.

Suppose now that the first and third conditions are satisfied, while the second one is not. Then we can assume a role $e$ which is the sender of all the interactions in $\mathit{transI}(J + J')$. Consider each role $a$ that occurs in $J$ but not in $J'$ (the other case is symmetric). For each of them add in parallel to $J'$ the interaction $o^*_{e\to a}$ where $o^*$ is a fresh operation.

Proposition 6.2. Let $I = I' + I''$ be an IOC which is parallel causality safe. Assume that $I'$ and $I''$ are disjoint connected for sequence, have asynchronous unique points of choice and distinct choice operations, and are parallel causality safe. Let $J = J' + J''$ be the IOC obtained by applying the pattern above to $I' + I''$. Then:

— $J$ is disjoint connected for sequence, has asynchronous unique points of choice and distinct choice operations, and is parallel causality safe;

— $J$ and $I$ are weak IOC trace equivalent.

Proof. Let us start by proving parallel causality safety. The interactions introduced by the transformation are all performed on operations with different fresh names, thus the condition is trivially satisfied. For existing interactions, the relations of causality and conflict are preserved by the transformation, thus the conditions hold by hypothesis.

Let us consider asynchronous unique points of choice. We consider the two transformations separately. Let us start with the transformation ensuring that the roles in the two branches are the same. Take a subterm $K' + K''$ of $J$. It is the transformed version of a subterm $H' + H''$ of $I$. By hypothesis $H' + H''$ has asynchronous unique points of choice and distinct choice operations. Since interactions may only be added in parallel to the whole term the thesis follows by hypothesis. For the whole term the condition holds by construction.

Let us consider now the transformation ensuring that all the senders coincide and all initial interactions are on distinct operations not reused elsewhere. There are two cases: either the interactions inside $H'$ and $H''$ have been modified or not. In the second case the thesis follows by hypothesis. The first case may happen only if one such interaction is initial in the whole term. In this case however all the initial interactions have been changed, and the freshly introduced role is the new sender in all of them. Also, all the used operations are distinct and fresh. Thus the two conditions are satisfied. For the whole term the two conditions are satisfied by construction.

For disjoint connectedness for sequence, note that all the subterms enjoy the property either by hypothesis or by construction. Since the top-level operator is a nondeterministic choice the same property holds for the whole term.

The last condition can be easily proved since the transformation does not change the weak traces.


6.3. Causality safety

Let $I$ be an IOC that is not causality safe. This means that there are two interactions $i$ and $j$ using the same operation such that neither $s_i \le_s r_j \wedge r_i \le_s s_j$ nor $s_j \le_s r_i \wedge r_j \le_s s_i$ holds, nor are they in full conflict. Let $o^?_{a\to b}$ be interaction $i'$ and $o^?_{c\to d}$ be interaction $i''$. Note that the problem is immediately solved by renaming one of the operations. However, this will change the specification. We show how to stick to the original (weak) behavior, while solving the causality safety issue.

Take the smallest subterm of $I$ including both interaction $i'$ and interaction $i''$. We have a case analysis on its top-level operator. We have three cases corresponding to parallel causality safety, sequential causality safety and choice causality safety.

Let us consider parallel causality safety. Thus $I = I' \parallel I''$, and we can assume that interaction $i'$ is in $I'$ and interaction $i''$ is in $I''$. To solve this issue we will apply a form of expansion law that transforms the parallel composition into nondeterminism, thus either removing completely the causality safety issue or transforming it into sequential causality safety or choice causality safety, discussed later on.

We define now the expansion law and prove its correctness. We also show that using the expansion law one can transform any IOC into a normal form defined as below.

Definition 6.2 (Normal form). An IOC $I$ is in normal form if it is written as:

$$\sum_i {o_i}^{?}_{a_i\to b_i}; I_i$$

where $\sum_i$ is n-ary nondeterministic choice and for each $i$ also $I_i$ is in normal form (we can see the empty sum as $0$).

The expansion law is defined below.

Definition 6.3 (Expansion law).

$$\Big(\sum_i {o_i}^{?}_{a_i\to b_i}; I_i\Big) \parallel \Big(\sum_j {o_j}^{?}_{a_j\to b_j}; I_j\Big) \;=\; \Big(\sum_i {o_i}^{?}_{a_i\to b_i}; \big(I_i \parallel \sum_j {o_j}^{?}_{a_j\to b_j}; I_j\big)\Big) + \Big(\sum_j {o_j}^{?}_{a_j\to b_j}; \big(I_j \parallel \sum_i {o_i}^{?}_{a_i\to b_i}; I_i\big)\Big)$$

The expansion law is correct w.r.t. IOC trace equivalence, in the sense that applying the expansion law to an IOC does not change the set of its traces (neither strong nor weak), as proved by the lemma below.

Lemma 6.1. Let $I$ be an IOC and $J$ an IOC obtained by applying the expansion law to a subterm of $I$. Then $I$ and $J$ have the same set of (strong or weak) traces.

Proof. Labels not involving the subterm are easily mimicked. Consider the first label involving the subterm. If no such label exists the thesis follows. Otherwise, the label corresponds to the execution of one of the interactions ${o_i}^{?}_{a_i\to b_i}$ or ${o_j}^{?}_{a_j\to b_j}$. Executing any of these interactions reduces both the terms to the same term. The thesis follows.

Using the expansion law we can transform any IOC $I$ into an IOC $J$ with the same weak traces which is in normal form.

Proposition 6.3 (Normalization). Given an IOC $I$ there is an IOC $J$ in normal form such that $I$ and $J$ are weak IOC trace equivalent.

Proof. The proof is by induction on the number of interactions occurring in $I$. The cases of interactions and $0$ are trivial. IOC $1$ can be replaced by any private interaction without changing the set of weak traces. For sequential composition note that $(\sum_i {o_i}^{?}_{a_i\to b_i}; I_i); I'$ and $\sum_i {o_i}^{?}_{a_i\to b_i}; (I_i; I')$ have the same set of traces. $I_i; I'$ can be transformed in normal form by inductive hypothesis. For nondeterministic choice the thesis is trivial (it is easy to check that nondeterministic choice is associative). For parallel composition one can apply the expansion law, and the thesis follows from Lemma 6.1 and the inductive hypothesis.

Let us consider sequential composition. Thus $I = I'; I''$, and we can assume that interaction $i'$ is in $I'$ and interaction $i''$ is in $I''$. We show that if $I$ is disjoint connected for sequence and has asynchronous unique points of choice, then no sequential causality safety issue can occur.

Lemma 6.2. Let $I = I'; I''$ be an IOC which is disjoint connected for sequence and has asynchronous unique points of choice. Let $i'$ be an interaction in $I'$ and $i''$ an interaction in $I''$. If $e'$ is an event of interaction $i'$ and $e''$ is an event of interaction $i''$, then $e' \le^{a}_{I} e''$.

Proof. We will prove the thesis by induction on the structure of the term.

From disjoint connectedness for sequence all the receiving events in final interactions of $I'$ and all the sending events in initial interactions of $I''$ are performed by the same role. Thus, from the sequentiality condition in the definition of the causality relation, they are causally related (the only possibility for the term to perform a $\surd$ is to have a $1$ branch in a nondeterministic choice, but this is forbidden by the existence of asynchronous unique points of choice). Thanks to the synchronization condition the same holds for the other events inside the same interactions. This proves the thesis for final interactions in $I'$ and initial interactions in $I''$.

Assume now that the interaction $i'$ is not final inside $I'$ (the case of $i''$ not initial in $I''$ is similar). Then there exists a sequential composition $J; J'$ such that interaction $i'$ is in $J$ and a final interaction of $I'$ is in $J'$. Since $J; J'$ is a subterm of $I'$ the thesis follows by inductive hypothesis for events of interaction $i'$ and events of the final interaction. The thesis follows by transitivity.

Let us consider nondeterministic choice. Thus $I = I' + I''$, and we can assume that interaction $i'$ is in $I'$ and interaction $i''$ is in $I''$. We show that if $I$ is disjoint connected for sequence, has asynchronous unique points of choice and distinct choice operations, then no choice causality safety issue can occur.

Lemma 6.3. Let $I = I' + I''$ be an IOC which is disjoint connected for sequence, has asynchronous unique points of choice and distinct choice operations. Let $i'$ be an interaction in $I'$ and $i''$ an interaction in $I''$. If $e'$ is an event of interaction $i'$ and $e''$ is an event of interaction $i''$, then $e' \; f\#^{a}_{I} \; e''$.

Proof. The events in the two interactions are in conflict. Since by hypothesis the two interactions are not initial, the events are also in full conflict.

6.4. Putting the pieces together

So far we have shown that, given a subterm of an IOC which fails to satisfy one of the connectedness conditions, we can transform it into an equivalent term that satisfies this connectedness condition. Some care is required to avoid introducing violations of other conditions while ensuring that one condition is satisfied, since this could prevent the connecting procedure from terminating. The following theorem proves that we can combine the connecting steps to get a terminating algorithm transforming a generic IOC into a disjoint connected IOC.

Theorem 6.1 (Making IOCs connected). There is a terminating procedure that, given any IOC $I$, creates a new IOC $J$ such that:

— $J$ is disjoint connected;

— $J$ and $I$ are weak IOC trace equivalent.

Proof. We can apply the normalization procedure to all the subterms of IOC $I$ that do not satisfy parallel causality safety, starting from the smallest subterms to the largest, to get an IOC $I'$ which is parallel causality safe (since the undesired parallel compositions have been removed) and which is weak IOC trace equivalent to $I$ thanks to Proposition 6.3.

Now, again from the smallest subterms to the largest, we can apply to $I'$ the procedure for providing asynchronous unique points of choice and distinct choice operations to those subterms which have a top-level nondeterministic choice operator, and the procedure for making them disjoint connected for sequence to those subterms which have a top-level sequential composition operator.

For terms of the first kind, thanks to Proposition 6.2, we obtain terms which have asynchronous unique points of choice and distinct choice operations, and are parallel causality safe and disjoint connected for sequence. The same holds for terms of the second kind by Proposition 6.1. In both cases, the resulting term is weak IOC trace equivalent to the starting one. Moreover, by applying these transformations to subterms, we do not create new parallel causality safety issues in larger terms, since we only add interactions on fresh operations.

From Lemma 6.2 and Lemma 6.3 we know that the obtained IOC $J$ has no sequential causality safety issues or choice causality safety issues, thus the thesis follows.

Example 6.1. We now apply our procedure to the IOC $I = o_{a\to b} \parallel o_{c\to d}$ presented in Example 4.2. First note that $I$ does not satisfy parallel causality safety. By application of the expansion law we obtain $I_1 = o_{a\to b}; o_{c\to d} + o_{c\to d}; o_{a\to b}$. Proceeding from smallest to largest subterms, we first encounter the subterms $o_{a\to b}; o_{c\to d}$ and $o_{c\to d}; o_{a\to b}$, which are not disjoint connected for sequence (and are not sequential causality safe). By applying the corresponding pattern to the two subterms, we obtain $I_2 = o_{a\to b}; {o^*_1}_{b\to e'}; {o^*_2}_{e'\to c}; o_{c\to d} + o_{c\to d}; {o^*_3}_{d\to e''}; {o^*_4}_{e''\to a}; o_{a\to b}$. Now the internal terms are disjoint connected, but the whole term has neither asynchronous unique points of choice nor distinct choice operations, and is not choice causality safe. By applying the transformation ensuring asynchronous unique points of choice, we obtain:

$$I_3 = {o^*_5}_{e\to a}; o_{a\to b}; {o^*_1}_{b\to e'}; {o^*_2}_{e'\to c}; o_{c\to d} + {o^*_6}_{e\to c}; o_{c\to d}; {o^*_3}_{d\to e''}; {o^*_4}_{e''\to a}; o_{a\to b}$$

Finally, by applying the transformation ensuring that both the branches have the same roles, we obtain:

$$I_4 = \big({o^*_5}_{e\to a}; o_{a\to b}; {o^*_1}_{b\to e'}; {o^*_2}_{e'\to c}; o_{c\to d} \parallel {o^*_7}_{e\to e''}\big) + \big({o^*_6}_{e\to c}; o_{c\to d}; {o^*_3}_{d\to e''}; {o^*_4}_{e''\to a}; o_{a\to b} \parallel {o^*_8}_{e\to e'}\big)$$

which is disjoint connected.

6.5. Application: Two-buyers protocol

We show now how our transformation for connecting IOCs can be used as an effective

design tool for the programming of multiparty choreographies. We model the example

reported in (Honda et al., 2008), the two-buyers protocol, where two buyers – b1 and b2

– combine their finances for buying a product from a seller s. The protocol starts with

b1 asking the price for the product of interest to s. Then, s communicates the price to

both b1 and b2. Subsequently, b1 notifies b2 of how much she is willing to contribute to

the purchase. Finally, the choreography may either terminate (the product will not be

sent) or s may send a delivery date for the product to b2. We do not deal here with how

this choice is performed, as our IOCs abstract from data.

To create a quick prototype IOC I for the two-buyers protocol, we focus only on the

main interactions and we do not worry about our connectedness conditions. The code

follows naturally:

$I = \mathit{price}_{b_1\to s}; (\mathit{quote1}_{s\to b_1} \parallel \mathit{quote2}_{s\to b_2}); \mathit{contrib}_{b_1\to b_2}; (\mathit{delivery}_{s\to b_2} + 1)$

The code above is just a direct translation of our explanation in natural language into an IOC. We can immediately observe that the IOC is not connected in three points w.r.t. the rules ensuring disjoint conformance:

— the subterm $(\mathit{quote1}_{s\to b_1} \parallel \mathit{quote2}_{s\to b_2}); \mathit{contrib}_{b_1\to b_2}$ is not disjoint connected for sequence; thus, e.g., $b_1$ may send the contrib message before $b_2$ receives the message for quote2;

— the subterm $(\mathit{delivery}_{s\to b_2} + 1)$ does not have asynchronous unique points of choice;

— the subterm $\mathit{contrib}_{b_1\to b_2}; (\mathit{delivery}_{s\to b_2} + 1)$ is not disjoint connected for sequence.

We can apply our transformation for amending our IOC prototype, transforming it into a disjoint connected IOC which is weak IOC trace equivalent to I, obtaining:

$\mathit{price}_{b_1\to s}; \big( \mathit{quote1}_{s\to b_1}; o^{*1}_{b_1\to e_1} \parallel \mathit{quote2}_{s\to b_2}; o^{*2}_{b_2\to e_1} \big); o^{*3}_{e_1\to b_1}; \mathit{contrib}_{b_1\to b_2}; o^{*4}_{b_2\to e_2}; \big( o^{*5}_{e_2\to s}; \mathit{delivery}_{s\to b_2} \;+\; (1 \parallel o^{*6}_{e_2\to s} \parallel o^{*7}_{e_2\to b_2}) \big)$

Here $e_1$ and $e_2$ are the fresh coordinator roles introduced for the sequential composition and for the choice, respectively. The IOC above is disjoint connected, thus it can be projected, and the projection will be conformant to the IOC, and weak conformant to the original IOC I.
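As an added illustration (example code written for this edit, not part of the paper), the following Python encodes IOC terms as tuples and mechanizes the checks that Example 6.1 and this section apply by hand: the condition on consecutive interactions in a sequence, the asynchronous unique point of choice, and the absence of a shared operation between parallel branches. The paper's formal definitions live in its earlier sections; the conditions coded here are this example's reading of them, recovered from the examples of this section and of Section 8 (a final interaction a→b followed by an initial interaction c→d is accepted under sender observation when c ∈ {a, b}, under receiver observation when b ∈ {c, d}, and under disjoint observation when c = b; a choice is accepted when the initial interactions of both branches have a single sender, both branches involve the same roles, and the operations starting the two branches differ). Role and operation names are those of the text.

```python
"""IOC terms as tuples and syntactic connectedness checks (added example).

Grammar, as in the paper: an interaction o_{a->b} on operation o from role a
to role b, sequence (;), parallel (||), nondeterministic choice (+) and the
empty IOC 1.  seq(...) and par(...) nest to the right: seq(a, b, c) is a;(b;c).
"""

ONE = ("one",)
def inter(op, sender, receiver): return ("inter", op, sender, receiver)
def choice(left, right): return ("choice", left, right)
def seq(*ts): return ts[0] if len(ts) == 1 else ("seq", ts[0], seq(*ts[1:]))
def par(*ts): return ts[0] if len(ts) == 1 else ("par", ts[0], par(*ts[1:]))

def may_be_empty(t):
    """True if t can terminate without performing any interaction."""
    if t[0] == "one": return True
    if t[0] == "inter": return False
    if t[0] == "choice": return may_be_empty(t[1]) or may_be_empty(t[2])
    return may_be_empty(t[1]) and may_be_empty(t[2])       # seq, par

def initial(t):
    """Interactions that may be executed first in t."""
    if t[0] == "one": return set()
    if t[0] == "inter": return {t}
    if t[0] == "seq":
        return initial(t[1]) | (initial(t[2]) if may_be_empty(t[1]) else set())
    return initial(t[1]) | initial(t[2])                   # par, choice

def final(t):
    """Interactions that may be executed last in t."""
    if t[0] == "one": return set()
    if t[0] == "inter": return {t}
    if t[0] == "seq":
        return final(t[2]) | (final(t[1]) if may_be_empty(t[2]) else set())
    return final(t[1]) | final(t[2])

def roles(t):
    return set() if t[0] == "one" else {t[2], t[3]} if t[0] == "inter" else roles(t[1]) | roles(t[2])

def ops(t):
    return set() if t[0] == "one" else {t[1]} if t[0] == "inter" else ops(t[1]) | ops(t[2])

# Accepted pairs (final interaction a->b of the first part, initial interaction
# c->d of the second part) of a sequence: this example's reading of the paper's
# asynchronous notions, recovered from the examples of Section 8.
SEQ_RULES = {
    "sender":          lambda a, b, c, d: c in (a, b),
    "receiver":        lambda a, b, c, d: b in (c, d),
    "sender-receiver": lambda a, b, c, d: c in (a, b) and b in (c, d),
    "disjoint":        lambda a, b, c, d: c == b,
}

def violations(t, rule="disjoint"):
    """Every subterm of t breaking the sequence rule, the asynchronous unique
    point of choice, or parallel causality safety (an operation shared by two
    parallel branches)."""
    if t[0] in ("one", "inter"):
        return []
    out = violations(t[1], rule) + violations(t[2], rule)
    if t[0] == "seq":
        for (_, _, a, b) in final(t[1]):
            for (_, _, c, d) in initial(t[2]):
                if not SEQ_RULES[rule](a, b, c, d):
                    out.append(("sequence", f"{a}->{b} then {c}->{d}"))
    elif t[0] == "par":
        for op in sorted(ops(t[1]) & ops(t[2])):
            out.append(("parallel causality", op))
    else:  # choice: one role decides, both branches involve the same roles,
           # and the operations starting the two branches tell them apart
        first_l, first_r = initial(t[1]), initial(t[2])
        deciders = {i[2] for i in first_l | first_r}
        if len(deciders) != 1 or roles(t[1]) != roles(t[2]):
            out.append(("choice", "no asynchronous unique point of choice"))
        if {i[1] for i in first_l} & {i[1] for i in first_r}:
            out.append(("choice", "same operation starts both branches"))
    return out

# Example 6.1: the IOC I of Example 4.2 and its amended form I4.
I_EX42 = par(inter("o", "a", "b"), inter("o", "c", "d"))
I4 = choice(
    par(seq(inter("o5", "e", "a"), inter("o", "a", "b"), inter("o1", "b", "e'"),
            inter("o2", "e'", "c"), inter("o", "c", "d")), inter("o7", "e", "e''")),
    par(seq(inter("o6", "e", "c"), inter("o", "c", "d"), inter("o3", "d", "e''"),
            inter("o4", "e''", "a"), inter("o", "a", "b")), inter("o8", "e", "e'")))

# Section 6.5: the two-buyers prototype and its amended, disjoint connected form.
TWO_BUYERS = seq(inter("price", "b1", "s"),
                 par(inter("quote1", "s", "b1"), inter("quote2", "s", "b2")),
                 inter("contrib", "b1", "b2"),
                 choice(inter("delivery", "s", "b2"), ONE))
TWO_BUYERS_FIXED = seq(
    inter("price", "b1", "s"),
    par(seq(inter("quote1", "s", "b1"), inter("o1", "b1", "e1")),
        seq(inter("quote2", "s", "b2"), inter("o2", "b2", "e1"))),
    inter("o3", "e1", "b1"), inter("contrib", "b1", "b2"), inter("o4", "b2", "e2"),
    choice(seq(inter("o5", "e2", "s"), inter("delivery", "s", "b2")),
           par(ONE, inter("o6", "e2", "s"), inter("o7", "e2", "b2"))))

# Section 8.1: sender connected but not receiver connected.
WITHDRAW_PAY = seq(inter("withdraw", "customer", "bank"),
                   inter("pay", "customer", "shop"))
```

`violations(TWO_BUYERS)` reports exactly the three points listed above (two sequence violations and the choice) and the amended term reports none; `violations(I_EX42)` flags the operation `o` shared by the two parallel branches of the IOC of Example 4.2, while `I4` passes every check. The same function with `rule="sender"` or `rule="receiver"` reproduces the classification of the bank example of Section 8.1.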


7. Possible extensions

Till now we considered in detail notions of connectedness for IOCs, and of conformance

between IOCs and POCs, but we focused on minimal calculi for both IOCs and POCs

to avoid unnecessary complexity. Here we discuss some possible extensions to the calculi,

and their impact on the developed theory. We also illustrate how conformance can be

combined with notions of equivalence and/or refinement at the level of IOCs and/or of

POCs. We plan to analyze these aspects in more detail in future work.

7.1. Other operators

In the main part of the paper we stick to the smallest set of operators necessary to write

interesting IOCs, but most of the developed theory can be extended to deal with other

operators. We consider here internal actions τa, and guarded recursion.

An internal action $\tau_a$ abstracts a computation performed by role a with no interaction with other roles. E.g., role a can perform some mathematical computation, whose result may later be sent to some other role c via a communication. Such an activity cannot simply be projected as if it were an interaction $o_{a\to a}$ of a role with itself, since the projection of such a term is not defined. In order to model such an activity, one has to decide whether the activity is visible to the outside or not. From the point of view of the projection, the interesting case is when the activity is visible, and thus the constraints imposed by sequentialization or choices have to be satisfied. E.g., the projection of $\tau_a; \tau_b$ should execute the internal activity at a first, and then the internal activity at b. Using a natural projection, with $\mathit{proj}(\tau_a, a) = \tau$ and $\mathit{proj}(\tau_a, b) = 1$ for $b \neq a$, the constraint above would not be satisfied. In fact, such an IOC would not be connected, since the (sets of) roles involved in the two activities are disjoint. One can make this IOC connected by transforming it into the equivalent IOC $\tau_a; o^*_{a\to b}; \tau_b$. The theory discussed so far can be easily extended to consider this kind of activity.

A more interesting challenge is given by guarded recursion, which allows one to describe infinite choreographies. E.g., the IOC defined as $\mathit{rec}\,X.\,\mathit{ask}_{a\to b}; \mathit{answer}_{b\to a}; X$ models an infinite conversation where role a asks something to role b and receives an answer, then the communication pattern restarts. It is easy to check that a homomorphic projection of such an IOC has the desired behavior. Indeed, the IOC is disjoint connected. Actually, we can apply here a result from (Honda et al., 2008) (reformulated for our calculus), which states that a recursive IOC is connected iff its one-level unfolding is connected. E.g., the IOC above is disjoint connected since $\mathit{ask}_{a\to b}; \mathit{answer}_{b\to a}; \mathit{ask}_{a\to b}; \mathit{answer}_{b\to a}$ is disjoint connected.

The theory for amending IOCs which are not connected, instead, cannot always be applied. In fact, some recursive IOCs allow infinitely many interactions on the same operation, as in the case of the IOC $I = \mathit{rec}\,X.\,o_{c\to d} \parallel (o'_{a\to b}; o''_{b\to a}; X)$. Such an IOC does not satisfy causality safety, since different instances of $o_{c\to d}$ can be enabled in parallel. One could apply the connecting procedure to the infinite term generated by the unfolding of the recursion, but no finite representation of such a term can be given inside the language. One can try to solve the problem by requiring all the roles to synchronize on the end of each iteration. E.g., the IOC above can be transformed into:

$J = \mathit{rec}\,X.\,(o^*_{e\to c}; o_{c\to d}; o'^*_{d\to e}) \parallel (o''^*_{e\to a}; o'_{a\to b}; o''_{b\to a}; o'''^*_{a\to e}; X)$

This approach however does not preserve weak traces, since e.g. the weak trace starting with $o'_{a\to b},\, o''_{b\to a},\, o'_{a\to b},\, o''_{b\to a},\, o_{c\to d},\, \ldots$ is legal in I but not in J.

It is worth noting that a similar approach has been taken in (Zongyan et al., 2007),

where infinite IOCs can be expressed with a repetition operator that repeats the execution

of a sub-IOC an arbitrary number of times. The repetition must be decorated with the

indication of a participant called the dominant role. In the projection, the dominant role is in charge of detecting the completion of a run of the sub-IOC, deciding whether to execute another run or not, and then communicating the decision to all the other

participants in the IOC. A complete comparison between our work and (Zongyan et al.,

2007) can be found in Section 9.

7.2. Adding data

Input and output events in the choreographies analyzed till now model message passing

communications, but the actual values to be sent have been abstracted away.

One can imagine using the same approach at a more concrete level, where communicated data are explicitly described both at the IOC and at the POC level. A similar problem has been considered in (Bocchi et al., 2010). Consider, e.g., the simple IOC with data $\mathit{fact}(n)_{a\to b}; \mathit{answer}(n!)_{b\to a}$, where role a asks role b to compute the factorial of some natural number n. One can easily project such an IOC obtaining the POC $(\mathit{fact}(n_a); \mathit{answer}(\mathit{nf}_a))_a \parallel (\mathit{fact}(n_b); \mathit{answer}(n_b!))_b$. The main point here is that variables have to be introduced to store the received values and to enable their later reuse. An interesting effect of the introduction of data is that nondeterministic choice can be converted into deterministic choice: the IOC $o_{a\to b} + o'_{a\to b}$ can be refined into, e.g., $\mathbf{if}\ n > 10\ \mathbf{then}\ o_{a\to b}\ \mathbf{else}\ o'_{a\to b}$. If we assume the existence of asynchronous unique points of choice, the role that makes the choice is the one that must evaluate the condition (and thus must know the value of the involved variables). The projection of a deterministic choice is still a deterministic choice on the role that makes the choice, while it is an input-guarded choice on the other roles.

An important aspect to take into account is that, in addition to the control dependencies considered till now, data values introduce data dependencies that have to be satisfied. This is relevant, in particular, if we assume that each participant has a private state. Consider, e.g., the IOC $o_{a\to b}(n) \parallel o'_{c\to d}(n)$. Here roles a and c should agree on the value to be sent, but this is impossible in case of private states since there is no communication between them. We will see in the next section that some of the notions of conformance ensure that data dependencies can be more easily satisfied.


7.3. Equivalences and refinements

We have considered till now mainly equivalences between an IOC and a POC. However,

standard notions of bisimilarity or trace equivalence can be defined also among IOCs or

among POCs, as we did for weak IOC trace equivalence in Section 6.

A similar definition can be given at the POC level, considering e.g. weak synchronous traces. As already hinted at in Section 6, such notions of equivalence are compatible with synchronous conformance and projection. In fact, considering two IOCs I and I′ which are IOC trace equivalent, and two POCs S and S′ synchronous conformant respectively to I and I′, it is easy to prove that S and S′ are synchronous trace equivalent. This happens, in particular, if S and S′ are the projections of I and I′.

The same reasoning can be applied to the other notions of conformance (sender/rece-

iver/sender-receiver/disjoint), but the trace equivalence on POCs should be tailored ac-

cordingly. E.g., if we consider sender conformance then IOCs which are trace equivalent

correspond to POCs which are sender trace equivalent, i.e. have the same set of sender

traces.

Also, the reasoning can be applied to trace inclusions, which correspond to a form of

refinement: if an IOC I has a subset of the maximal traces of an IOC I ′, i.e. I is more

deterministic, it can be seen as an implementation of I ′. Such a notion corresponds to

analogous notions of trace inclusions on the projected POCs.

8. Practical interpretation

This section reports examples that show a practical interpretation of some of our different

settings. Giving a formalization of this interpretation goes beyond the scope of this paper,

but we believe its description to be sufficiently intuitive and interesting for motivating

our work. We will concentrate on the asynchronous cases of receiver, sender, and disjoint

connectedness notions. Therefore, in the following, we always assume an asynchronous

communication semantics. To simplify the presentation, we remove from POCs some 1s

which have no effect on the POC semantics.

8.1. Receiver connectedness

Receiver connectedness ensures that global invariants on the state of the participants

involved in an IOC are satisfied also in its projected POC. Here, we assume that a local

state can change only on message reception. Let us consider the following IOC, which is sender connected but not receiver connected:

$\mathit{withdraw}_{customer\to bank}; \mathit{pay}_{customer\to shop}$

Above, a customer wants to buy something from a shop. In order to pay, she first withdraws some money from her bank and then uses it to pay the shop. The invariant holding in this IOC that we would like to preserve in the corresponding POC is that the total amount of money in the system, i.e. the sum of what the bank account, the customer and the shop hold, should not increase. Let us see now the projected POC:

$(\mathit{withdraw}; \mathit{pay})_{customer} \parallel (\mathit{withdraw})_{bank} \parallel (\mathit{pay})_{shop}$

Assume now that when the bank receives the withdrawal message it decreases the amount of money in the bank account, while the shop increases its income upon reception of the payment. Since communications are asynchronous, the shop may receive the message for operation pay before the bank receives that for withdraw. In that in-between moment, the total amount of money would be greater than at the beginning, thus breaking our invariant. In order to correct this problem, we could add an intermediate interaction between the bank and the shop that makes the IOC receiver connected:

$\mathit{withdrawal}_{customer\to bank}; \mathit{withdrawalCompleted}_{bank\to shop}; \mathit{payment}_{customer\to shop}$

This new version ensures that the projected POC will not break the invariant, since the shop will accept the payment message (and thus update its state) only after the withdrawal has been confirmed by the bank.

8.2. Sender connectedness

Sender connectedness is useful to satisfy the data dependencies discussed in Section 7.2. In fact, if role a has to send a value based on a message communicated in a previous stage of the execution (i.e., before a sequential composition in the IOC), then there is a sequence of communications that can be used to communicate such a value to a, and this information will reach a before its send can become enabled.

As an example, consider a scenario in which a shop initially sends an offer to the customer, the bank offers to finance the customer's purchase, and finally the customer confirms to both the shop and the bank whether or not she accepts. This scenario is another variant of the two-buyers protocol shown in (Carbone et al., 2007). We represent it with the following IOC:

$\mathit{offer}_{shop\to customer}; \mathit{finance}_{bank\to customer}; \big( (\mathit{confirmShop}_{customer\to shop} \parallel \mathit{confirmBank}_{customer\to bank}) + (\mathit{cancelShop}_{customer\to shop} \parallel \mathit{cancelBank}_{customer\to bank}) \big)$

This IOC is receiver connected but not sender connected. In the IOC, the financing from the bank is defined after the offer from the shop has been performed. Assume now that the financing option from the bank depends on the price contained in the offer from the shop, e.g., the bank is willing to cover 30% of the cost if the price is below 20.000 euros, and 20% if it is above. This implies that the bank must know the offer from the shop before sending its financing option to the customer, but our projected POC will not guarantee this. We can solve this problem by adding an intermediate interaction between the shop and the bank:

$\mathit{offer}_{shop\to customer}; \mathit{offerEmitted}_{shop\to bank}; \mathit{finance}_{bank\to customer}; \big( (\mathit{confirmShop}_{customer\to shop} \parallel \mathit{confirmBank}_{customer\to bank}) + (\mathit{cancelShop}_{customer\to shop} \parallel \mathit{cancelBank}_{customer\to bank}) \big)$

The IOC is now sender connected, and in the projected POC we have the guarantee that the bank has received the details of the offer from the shop before preparing the financing proposal it sends to the customer.

8.3. Disjoint connectedness

Like receiver connectedness, disjoint connectedness guarantees in the projected POC the preservation of global invariants on the state of the roles involved in the choreography. However, with disjoint connectedness the property is more robust, because it is preserved even in the presence of message loss.

To better understand the potential impact of message loss, consider the following receiver connected IOC, in which a customer contacts in parallel a shop and a bank in order to organize a purchase. Afterwards, the bank notifies the shop of the payment.

$(\mathit{purchase}_{customer\to shop} \parallel \mathit{pay}_{customer\to bank}); \mathit{payment}_{bank\to shop}$

The corresponding projected POC is:

$(\mathit{purchase} \parallel \mathit{pay})_{customer} \parallel (\mathit{pay}; \mathit{payment})_{bank} \parallel (\mathit{purchase}; \mathit{payment})_{shop}$

Let us assume now that the message for operation purchase sent from the customer to the shop is lost. Then, the bank could still receive the message for operation pay (thus subtracting the money from the bank account of the customer). Since we are assuming asynchronous communications, the bank will send the message for payment without noticing that the shop will not receive it, as the latter will remain blocked on purchase. Therefore, the system would reach an incoherent state. This problem can be solved by adding, in the IOC, an interaction between the shop and the bank before the payment is completed:

$\big( (\mathit{purchase}_{customer\to shop}; \mathit{requirePayment}_{shop\to bank}) \parallel \mathit{pay}_{customer\to bank} \big); \mathit{payment}_{bank\to shop}$

Observe that this last IOC is disjoint connected. Disjoint connectedness solves the prob-

lem of message loss, because it checks that the execution of the projected POC coun-

terpart of the first part of a sequence is completed before the execution can proceed.

Therefore, the failure of a message communication immediately blocks the execution of

the POC implementation of a sequence in an IOC. This happens without having any

“pending” state update, i.e. a message in the network that still has to be received that

was part of an interaction specified before in the sequence, as can happen in the POCs

projected by receiver connected IOCs.
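To make the two races concrete, here is an added example (Python written for this edit, not the paper's formalization) that enumerates every interleaving of a projected POC under asynchronous communication and checks the two properties discussed in Sections 8.1 and 8.3: that no reachable configuration holds more money than the initial one, and that, once messages may be lost, execution can only come to a halt with no message still undelivered. Process terms use the POC operators of the paper (sequence, parallel within a role, choice and 1); the account and income amounts, the update performed on reception and the unordered bag of in-flight messages are the example's own modelling assumptions (in particular, no FIFO order is assumed between messages, which is the weakest setting).

```python
"""Exhaustive exploration of a projected POC under asynchronous communication
(added example).  A POC maps each role to a process term: ("send", op, to),
("recv", op), ("seq", p, q), ("par", p, q), ("choice", p, q) or ONE.  Messages
in flight live in an unordered bag, so any undelivered message can be received
at any time; a role's local state changes only on reception, as in Section 8.1,
through `on_recv(op, role, state)`, which returns the updated state."""

ONE = ("one",)
def send(op, to): return ("send", op, to)
def recv(op): return ("recv", op)
def seq(*ps): return ps[0] if len(ps) == 1 else ("seq", ps[0], seq(*ps[1:]))
def par(*ps): return ps[0] if len(ps) == 1 else ("par", ps[0], par(*ps[1:]))

def done(p):
    """True when p has nothing left to do (1, or a composition of such)."""
    return p == ONE or (p[0] in ("seq", "par") and done(p[1]) and done(p[2]))

def enabled(p, role, bag):
    """Yield (label, residual) for every action p can perform right now."""
    k = p[0]
    if k == "send" or (k == "recv" and (p[1], role) in bag):
        yield p, ONE
    elif k == "seq" and done(p[1]):
        yield from enabled(p[2], role, bag)
    elif k == "seq":
        for lab, res in enabled(p[1], role, bag):
            yield lab, ("seq", res, p[2])
    elif k == "par":
        for lab, res in enabled(p[1], role, bag):
            yield lab, ("par", res, p[2])
        for lab, res in enabled(p[2], role, bag):
            yield lab, ("par", p[1], res)
    elif k == "choice":
        yield from enabled(p[1], role, bag)
        yield from enabled(p[2], role, bag)

def successors(conf, on_recv, lossy):
    """Configurations reachable in one step; with lossy=True a sent message
    may also vanish from the network instead of being added to the bag."""
    procs, bag, state = conf
    for role, p in procs.items():
        for lab, res in enabled(p, role, bag):
            new_procs = {**procs, role: res}
            if lab[0] == "send":
                yield new_procs, tuple(sorted(bag + ((lab[1], lab[2]),))), state
                if lossy:
                    yield new_procs, bag, state
            else:
                rest = list(bag)
                rest.remove((lab[1], role))
                yield new_procs, tuple(rest), on_recv(lab[1], role, state)

def reachable(poc, init_state, on_recv=lambda op, role, s: s, lossy=False):
    """Every reachable (procs, bag, state) configuration, duplicates removed."""
    key = lambda c: (tuple(sorted(c[0].items())), c[1], tuple(sorted(c[2].items())))
    start = (dict(poc), (), dict(init_state))
    seen, frontier, out = {key(start)}, [start], []
    while frontier:
        conf = frontier.pop()
        out.append(conf)
        for nxt in successors(conf, on_recv, lossy):
            if key(nxt) not in seen:
                seen.add(key(nxt))
                frontier.append(nxt)
    return out

# Section 8.1: the bank debits the account on withdraw(al), the shop credits
# its income on pay(ment).  The amount of 10 is constructed for the example.
def money(op, role, s):
    s = dict(s)
    if op in ("withdraw", "withdrawal"):
        s["account"] -= 10
    elif op in ("pay", "payment"):
        s["income"] += 10
    return s

POC_81 = {"customer": seq(send("withdraw", "bank"), send("pay", "shop")),
          "bank": recv("withdraw"),
          "shop": recv("pay")}
POC_81_FIXED = {"customer": seq(send("withdrawal", "bank"), send("payment", "shop")),
                "bank": seq(recv("withdrawal"), send("withdrawalCompleted", "shop")),
                "shop": seq(recv("withdrawalCompleted"), recv("payment"))}

def money_created(poc, start=100):
    """True iff some reachable configuration holds more money than initially."""
    return any(c[2]["account"] + c[2]["income"] > start
               for c in reachable(poc, {"account": start, "income": 0}, money))

# Section 8.3: the receiver connected IOC and its disjoint connected version.
POC_83 = {"customer": par(send("purchase", "shop"), send("pay", "bank")),
          "bank": seq(recv("pay"), send("payment", "shop")),
          "shop": seq(recv("purchase"), recv("payment"))}
POC_83_FIXED = {"customer": par(send("purchase", "shop"), send("pay", "bank")),
                "bank": seq(par(recv("requirePayment"), recv("pay")), send("payment", "shop")),
                "shop": seq(recv("purchase"), send("requirePayment", "bank"), recv("payment"))}

def stuck_with_pending(poc):
    """Bags of undelivered messages in configurations, reached under message
    loss, where no role can move although some role has not finished."""
    out = []
    for conf in reachable(poc, {}, lossy=True):
        procs, bag, _ = conf
        unfinished = any(not done(p) for p in procs.values())
        blocked = next(successors(conf, lambda o, r, s: s, False), None) is None
        if unfinished and blocked and bag:
            out.append(bag)
    return out
```

`money_created(POC_81)` is true: the explorer finds the configuration in which the shop has credited the payment while the withdraw message is still in the bag, so 110 units exist against the initial 100; for `POC_81_FIXED` every completed run ends with account 90 and income 10 and no intermediate configuration exceeds 100. `stuck_with_pending(POC_83)` returns the bags of the blocked configurations of the original Section 8.3 POC, each of them holding the `payment` message the shop will never consume, whereas the disjoint connected version never halts with a message left in the network: a lost message stops the run before the bank sends anything it cannot complete.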

9. Conclusions and related work

In this paper we have discussed the relationships between IOCs and POCs, analyzing

both the synchronous and the asynchronous cases. In the asynchronous case we have

considered different possibilities, according to whether the focus is on the sender, on the

receiver or on both. For each possibility we have studied the conditions to make the


projection behave as expected, and we have proved a behavioral correspondence. When

an IOC is not projectable, we have presented a procedure that modifies the IOC by

adding interactions in such a way that all the conditions described above are satisfied

while preserving the observational semantics of the initially given IOC.

The problem of conformance between a POC and an IOC has been considered many times in the literature. In both (Carbone et al., 2007) and (Honda et al., 2008) a global calculus and an endpoint calculus are used to describe IOCs and POCs respectively. Since the language is quite complex, types are used as abstractions to check the conformance between POC and IOC. The language has prefix instead of general sequential composition as in our case, and labeled choice in the session types style (Honda et al., 1998) instead of nondeterministic choice. In (Carbone et al., 2007) a synchronous semantics is used, and the relation between IOC and POC corresponds to our synchronous bisimulation. The constraints imposed on IOCs are however stricter than ours, since for sequence they correspond to our disjoint connectedness. In (Honda et al., 2008) instead the asynchronous case is considered. The semantics therein corresponds to our receiver semantics, but they preserve the order of messages from the same sender and on the same operation. Also in this case their conditions are stricter than ours, since they do not allow the same role to occur in different parallel components, while we do, and they require projections of non-initiator roles in a choice to coincide in every branch, while we allow different (but not empty) projections.

In (Bravetti and Zavattaro, 2007) trace inclusion (with a synchronous semantics) is

used to relate service contracts and an IOC. This is similar to our synchronous confor-

mance, but in (Bravetti and Zavattaro, 2007) the participants may provide additional

functionalities, provided that they are not used inside the IOC. Also, connectedness is

defined only from a behavioral point of view, but no syntactic criterion ensuring this

is presented. Syntactic criteria have been proposed in (Bravetti et al., 2009) following

the approach reported in the preliminary version of this work (Lanese et al., 2008). The

extension of the approach in (Bravetti and Zavattaro, 2007) to the asynchronous case

has been proposed in (Bravetti and Zavattaro, 2008).

In (Castagna et al., 2011) an intermediary approach between trace inclusion and trace

equivalence is used to relate global types (expressed with a language similar to our IOC

calculus) and multiparty sessions (expressed with a language similar to our POC cal-

culus). Namely, a multiparty session is an implementation of a global type if its traces

are included in the traces of the global type, and for every trace of the global type the

multiparty session exhibits at least one trace which is the same up to reordering. The

communication model for multiparty sessions is asynchronous, based on FIFO queues,

and the receiving events are observed: for this reason their approach is similar to our

receiver conformance. The approach we present in this paper is syntax based, while the

approach in (Castagna et al., 2011) is based on the semantics defined in terms of traces.

Namely, the conditions that a global type should satisfy in order to be projectable are

defined on its traces and not on its syntax. Due to the different notion of correspondence

between IOCs and POCs, their notion of well-formedness for sequences is weaker than

our connectedness for sequence: two subsequent interactions in a trace of an IOC should

either satisfy our connectedness for sequence condition, or the trace in which the two


interactions are swapped should still be in the semantics of the IOC. This latter condi-

tion checks, at the level of the trace semantics, whether the two interactions are indeed

parallel, as they can be executed in any order.

In (Li et al., 2007) a language similar to ours is used, and constraints similar to disjoint

connectedness are required. User-defined POCs are checked to be a refinement of the

projection of the IOC, but no behavioral relation between an IOC and its projection is

presented.

In (Busi et al., 2005) and (Busi et al., 2006) different bisimilarities are used to charac-

terize conformance of a POC w.r.t. an IOC. These bisimilarities generalize respectively

our synchronous and receiver conformance notions, allowing a role in an IOC to be imple-

mented by many processes in a POC. However, the problems of automatically generating

the processes via projection and of deciding whether an IOC can be implemented are not

considered.

In (Kazhamiakin and Pistore, 2006) a taxonomy of different relationships between

IOCs and POCs is proposed. Starting from a fully asynchronous communication model,

four observational criteria are proposed: the first two criteria correspond to our disjoint

and sender-receiver notions of conformance, while the other two criteria consider the

preservation of the order of the send events projected to a single participant, or to the

interactions between two participants. Each observation criterion is characterized by a

corresponding communication model indicating the capacity of the message buffers and

their connections to processes. In order to verify the possibility to project an IOC accord-

ing to a given observation criterion, it is then possible to check whether the corresponding

semantics is preserved when moving from the asynchronous communication model to the

communication model corresponding to the observation criterion. This theory is devel-

oped by considering the choreographies represented as labeled transition systems. For

this reason there are no syntactic well-formedness conditions like the ones we propose in

this paper.

Another approach working at the level of labeled transition system is presented in

(Basu et al., 2012), where a decidable criterion is presented to check whether an IOC

can be projected preserving the sender traces. Such a criterion is based on two conditions.

The first condition checks whether the observable behavior of the choreography does not

change when moving from a synchronous semantics to an asynchronous semantics with

buffers of capacity 1. This condition was already proposed in (Basu and Bultan, 2011) as

a criterion to guarantee synchronizability, that is the observational equivalence between

the synchronous and the asynchronous semantics of a POC. The second condition is a

temporal property of the system: for every reachable configuration in which there is one

message in one buffer, there exists a subsequent reachable configuration in which such

message is consumed.

To the best of our knowledge, only two other papers consider the possibility to add

messages to an IOC in order to make it correctly projectable (Zongyan et al., 2007;

Salaun et al., 2011).

In (Zongyan et al., 2007) by exploiting a POC and an IOC calculus similar to ours,

a notion of conformance is defined which resembles our synchronous conformance. Con-

cerning the problem of sequences, it is formalized by a condition corresponding to our


connectedness for sequence. In case this condition is not satisfied by an IOC, the pro-

jection adds the following communications: all the roles involved in a final interaction

preceding the sequential composition send a message to all the roles involved in an initial

interaction after the sequential composition. In order to reduce the number of commu-

nications, in this case we amend the IOC by adding a coordinator for the sequential

composition, and the involved roles exchange only one message with the coordinator.

Concerning the problem of unique points of choice, in (Zongyan et al., 2007) the IOC

specification should be extended by decorating each problematic choice with the indica-

tion of a dominant role. The projection, in this case, adds an interaction between such

role and all the other roles in the IOC in order to globally agree on the selected branch.

Differently, we add a coordinator for the choice which sends a message only to the actu-

ally involved roles. Concerning the problem of causality safety, in (Zongyan et al., 2007)

there is no corresponding well-formedness condition. To the best of our understanding of

the paper this is problematic. In fact, the IOC (written according to our syntax, which is slightly different from the one adopted in (Zongyan et al., 2007))

$(a_{i\to j}; b_{j\to k}; c_{k\to l}) \parallel (e_{i\to j}; b_{j\to k}; f_{k\to l})$

is well-formed according to the conditions in (Zongyan et al., 2007), but the projected POC¶

$((a;1;1) \mid (e;1;1))_i \parallel ((a;b;1) \mid (e;b;1))_j \parallel ((1;b;c) \mid (1;b;f))_k \parallel ((1;1;c) \mid (1;1;f))_l$

has the following wrong trace

$a_{i\to j}\; b_{j\to k}\; f_{k\to l}\; e_{i\to j}\; b_{j\to k}\; c_{k\to l}.$

¶ To be more precise, in (Zongyan et al., 2007) the projected actions explicitly indicate the names of the sender and of the receiver.

In (Salaun et al., 2011) collaboration diagrams are considered as the language for the description of IOCs. Collaboration diagrams have been proposed in (Bultan and Fu, 2007) as a graphical notation in which the interactions decorate a graph which has one node for each role, and one edge for each pair of interacting roles. Interactions are organized in threads representing sub-choreographies. Messages are totally ordered within the same thread, while a partial order can be defined among interactions belonging to different threads. The connectedness problem we have considered in this paper has been defined also for collaboration diagrams and called realizability. In collaboration diagrams synchronous and asynchronous interactions coexist, and in the case of asynchronous communication between peers, only the sender event is observed. Realizability is proved to be guaranteed under conditions that resemble our sender connectedness for sequence. In (Salaun et al., 2011) tool support for the analysis of collaboration diagrams is presented. This is obtained by translation of collaboration diagrams and their projection into the process algebra LOTOS (Brinksma, 1985), thus allowing for the exploitation of the corresponding tool suite (in particular the CADP toolbox (Garavel et al., 2007)). In case the tool detects that the collaboration diagram is not realizable (by checking conditions corresponding to our synchronous and sender connectedness for sequence) both the diagram and the projection are modified in order to restore the well-formedness conditions. In the

context of collaboration diagrams there is no global choice composition operator among

sub-choreographies: for this reason there is no need for conditions like our unique points

of choice. Moreover, as in (Zongyan et al., 2007), there are no conditions corresponding

to our causality safety, but in this case this is not problematic as collaboration diagrams

make the stronger assumption that a message cannot occur among the events of two

distinct threads. Finally, in (Salaun et al., 2011) the main focus is on the implementation

of specific tools and their application to test suites instead of on the definition of general

and foundational results. In particular, there are no formal statements and proofs about

the correctness of the modifications applied to the choreographies in order to make them

connected.

Acknowledgments We thank Claudio Guidi for his contribution as co-author of the con-

ference version of this paper (Lanese et al., 2008). We are also grateful to Luca Padovani

for fruitful discussions about the related work (Castagna et al., 2011).

References

Basu, S. and Bultan, T. (2011). Choreography conformance via synchronizability. In Proc. of

WWW’11, pages 795–804. ACM Press.

Basu, S., Bultan, T., and Ouederni, M. (2012). Deciding choreography realizability. In Proc. of

POPL’12. ACM Press. To appear.

Bocchi, L., Honda, K., Tuosto, E., and Yoshida, N. (2010). A theory of design-by-contract for

distributed multiparty interactions. In Proc. of CONCUR 2010, volume 6269 of LNCS, pages

162–176. Springer.

Bravetti, M., Lanese, I., and Zavattaro, G. (2009). Contract-driven implementation of chore-

ographies. In Proc. of TGC’08, volume 5474 of LNCS, pages 1–18. Springer.

Bravetti, M. and Zavattaro, G. (2007). Towards a unifying theory for choreography conformance

and contract compliance. In Proc. of SC’07, volume 4829 of LNCS, pages 34–50. Springer.

Bravetti, M. and Zavattaro, G. (2008). Contract compliance and choreography conformance in

the presence of message queues. In Proc. of WS-FM’08, volume 5387 of LNCS, pages 37–54.

Springer.

Brinksma, E. (1985). A tutorial on LOTOS. In Proc. of Protocol Specification, Testing and Verification V, pages 171–194. North-Holland.

Bultan, T. and Fu, X. (2007). Specification of realizable service conversations using collaboration

diagrams. In Proc. of SOCA’07, pages 122–130. IEEE Computer Society Press.

Busi, N., Gorrieri, R., Guidi, C., Lucchi, R., and Zavattaro, G. (2005). Choreography and

orchestration: A synergic approach for system design. In Proc. of ICSOC’05, volume 3826 of

LNCS, pages 228–240. Springer.

Busi, N., Gorrieri, R., Guidi, C., Lucchi, R., and Zavattaro, G. (2006). Choreography and

orchestration conformance for system design. In Proc. of Coordination’06, volume 4038 of

LNCS, pages 63–81. Springer.

Carbone, M., Honda, K., and Yoshida, N. (2007). Structured communication-centred program-

ming for web services. In Proc. of ESOP’07, volume 4421 of LNCS, pages 2–17. Springer.

Castagna, G., Dezani-Ciancaglini, M., and Padovani, L. (2011). On global types and multi-party

sessions. In Proc. of FMOODS/FORTE’11, volume 6722 of LNCS, pages 1–28. Springer.


Decker, G., Kopp, O., Leymann, F., and Weske, M. (2007). BPEL4Chor: Extending BPEL for modeling choreographies. In Proc. of ICWS'07, pages 296–303. IEEE Computer Society Press.

Garavel, H., Mateescu, R., Lang, F., and Serwe, W. (2007). CADP 2006: A toolbox for the construction and analysis of distributed processes. In Proc. of CAV'07, volume 4590 of LNCS, pages 158–163. Springer.

Hoare, C. (1985). Communicating Sequential Processes. Prentice-Hall.

Honda, K., Vasconcelos, V., and Kubo, M. (1998). Language primitives and type disciplines for structured communication-based programming. In Proc. of ESOP'98, volume 1381 of LNCS, pages 22–138. Springer.

Honda, K., Yoshida, N., and Carbone, M. (2008). Multiparty asynchronous session types. In Proc. of POPL'08, pages 273–284. ACM Press.

Kazhamiakin, R. and Pistore, M. (2006). Analysis of realizability conditions for web service choreographies. In Proc. of FORTE'06, volume 4229 of LNCS, pages 61–76. Springer.

Lanese, I., Guidi, C., Montesi, F., and Zavattaro, G. (2008). Bridging the gap between interaction- and process-oriented choreographies. In Proc. of SEFM'08, pages 323–332. IEEE Computer Society Press.

Li, J., Zhu, H., and Pu, G. (2007). Conformance validation between choreography and orchestration. In Proc. of TASE'07, pages 473–482. IEEE Computer Society Press.

Milner, R. (1989). Communication and Concurrency. Prentice Hall.

Salaun, G., Bultan, T., and Roohi, N. (2011). Realizability of choreographies using process algebra encodings. IEEE Transactions on Services Computing, to appear.

WS-BPEL (2007). Web Services Business Process Execution Language Version 2.0 OASIS Standard. OASIS. http://docs.oasis-open.org/wsbpel/2.0/OS/wsbpel-v2.0-OS.pdf.

WS-CDL (2005). Web Services Choreography Description Language Version 1.0. World Wide Web Consortium. http://www.w3.org/TR/ws-cdl-10/.

Zongyan, Q., Xiangpeng, Z., Chao, C., and Hongli, Y. (2007). Towards the theoretical foundation of choreography. In Proc. of WWW'07, pages 973–982. ACM Press.