main - cs.unibo.itlanese/publications/fulltext/ioc.pdf · Title: main.dvi Created Date: 12/19/2012 10:04:16 AM
Classifying Relationships between
Interaction- and Process-Oriented
Choreographies†
IVAN LANESE 1, FABRIZIO MONTESI 2 and GIANLUIGI ZAVATTARO 1
1 Focus Research Team, Computer Science Department, University of Bologna/INRIA – Italy.
2 IT University of Copenhagen – Denmark.
In the area of service-oriented computing, choreography languages are used to specify
multiparty service compositions. Two main approaches have been followed in the design
of these languages: the interaction-oriented approach at the basis of WS-CDL and the
process-oriented approach of BPEL4Chor. In this paper we investigate the relationships
between the two approaches. In particular, we point out several possible interpretations
for interaction-oriented choreographies: one synchronous and various asynchronous,
differing in the kind of observable event (either send, or receive, or both). Under each of
these possible interpretations we characterize the class of interaction-oriented
choreographies which have a direct process-oriented counterpart, and we formalize the
corresponding notion of equivalence between the initial interaction-oriented
choreography and the corresponding process-oriented counterpart. We also show how to
amend interaction-oriented choreographies which have no direct process-oriented
counterpart, preserving their observable behavior.
1. Introduction
Choreography languages are an attempt at tackling the complexity of communication-based software design. The basic idea is that the programmer defines the composition
of the independent entities of a system in a global description, where the different peers
exchange messages with each other in order to complete a predefined task. The paradigm
is particularly suitable for the programming of multiparty communication flows, i.e.,
interaction patterns that (possibly) comprehend more than two entities.
Choreography languages are attracting a lot of attention within the Service-Oriented
Computing (SOC) community, where two main distinct approaches are currently being
followed in the search for standard languages. On the one hand, the World Wide Web
Consortium (W3C) has developed the Web Services Choreography Description Language
WS-CDL (WS-CDL, 2005).
† Research partially funded by the project ANR-10-SEGI-013-02 Aeolus.
I. Lanese, F. Montesi and G. Zavattaro 2
On the other hand, the research community around the Web Service Business Process Execution Language WS-BPEL (WS-BPEL, 2007) has proposed BPEL4Chor (Decker et al., 2007), an extension of WS-BPEL for the description of choreographies. The two approaches are fundamentally different in how they represent
communications. In WS-CDL the basic activity in a choreography is an interaction, that
is, the atomic exchange of a message between two communicating partners, similarly to
interaction diagrams in UML. Interactions are then composed in a single description that
represents the whole system. For this reason, we say that WS-CDL follows an interaction-oriented approach. On the contrary, in BPEL4Chor each entity of a system is represented
by a separate description, i.e. a business process specified using an abstract version of
BPEL. In these processes, the basic activities are the classical send and receive actions
for message transmission. A choreography is then obtained as the parallel composition of
the independently specified business processes. For this reason, we say that BPEL4Chor
follows a process-oriented approach. In the sequel, we respectively refer to choreographies based on the interaction- and process-oriented approaches with the terms IOC (for Interaction-Oriented Choreography) and POC (for Process-Oriented Choreography).
We clarify the difference between IOCs and POCs with a simple example. Let us model a system where a buyer b can ask a seller s for a quotation for a product. This can be described by the following IOC
$ask_{b \to s};\; quote_{s \to b}$
where b sends a message to s on operation† ask and, subsequently, s sends a message to b on operation quote. The following is a POC representing the same system:
$(\overline{ask}; quote)_b \parallel (ask; \overline{quote})_s$
where b sends a message on operation ask and then waits for a message on operation quote, and s waits for a message on operation ask and then sends a message on operation quote. The two choreographies can be considered equivalent, since the communications in their executions coincide.
The interaction- and process-oriented solutions come with different advantages. An
IOC offers a clearer global description of the communication flows in a system, since
interactions are syntactically explicit. This clarity is lost in the second approach, where
the order of interactions must be derived by analyzing the possible matches between the
input and output actions of the different peers. However, the gap between a POC and
a corresponding system implementation is smaller. Given the abstract description of the
behavior of a specific entity, it is easier to check whether an actual component complies
with such a description, or in some cases the abstract description could be enriched with
additional information in order to make it directly executable (as it happens, for instance,
in the relationship between WS-BPEL and its abstract version). In other words, an IOC
is more suitable for the specification of the communication flows in a system, while a
POC is a good tool for checking (or generating) the local code for each entity.
† In service-oriented computing, operations are labels used to distinguish the kinds of transmitted messages.
IOC vs POC 3
The separation of the positive aspects offered by IOCs and POCs leads naturally to the question of whether they can be successfully combined. This question is at the base
of recent work (Carbone et al., 2007; Bravetti and Zavattaro, 2007; Zongyan et al., 2007;
Bultan and Fu, 2007; Honda et al., 2008; Castagna et al., 2011). In there, a programmer
can design a system using an IOC and then automatically generate a corresponding POC
by means of a projection function. An IOC may not be coherent, meaning that it cannot be projected correctly onto an equivalent POC. Consider, for instance, the following IOC
$o_{a \to b};\; o'_{c \to d}$
whose natural corresponding POC is‡:
$(\overline{o})_a \parallel (o)_b \parallel (\overline{o'})_c \parallel (o')_d$
It is not difficult to see that the two choreographies above can give rise to different behaviors: in the POC, the communication between c and d could happen before the interaction between a and b. In other words, the two choreographies are not conformant. This problem arises because the two interactions are not connected, i.e., there is no dependency between them enforced by any of the participants. Based on this intuition, in this work we will use connectedness as a formalization of coherence for IOCs.
IOCs that are not connected are obviously undesirable, and can be automatically identified through a static analysis. The exact definition of connectedness of an IOC, however, is influenced by two factors: the underlying communication semantics of reference and the conformance (or type of equivalence) of interest between IOCs and POCs.
For this reason, different definitions of conformance and connectedness are given in each
of the works cited above. Unfortunately, the literature does not offer a systematic analysis of the different alternatives. This work offers such a comparison. Our first step is
to identify a set of different communication semantics (synchronous or asynchronous)
and conformance notions (based on message send, receive, or both). Then, we proceed
by developing a notion of coherence for all the possible configurations. For each such
configuration we obtain the following: (i) the precise characterization of the IOCs which
have a direct POC counterpart and (ii) the formalization of the corresponding notion of
conformance between the initial IOC and the corresponding POC.
A major contribution of the present paper is the identification of a relationship between
these different configurations. This relationship has driven the development of their notions of coherence, which share a common structure. Furthermore, each one of them is
built on top of the previous ones.
We also show, given a disconnected IOC, how to amend it by transforming it into a
connected IOC with equivalent behavior. Exploiting our relationship between the settings
of interest, we are able to give a single transformation definition that ensures that the
resulting IOC is connected for every setting. This enables a design procedure where the
programmer writes a very high-level description of a system through a possibly disconnected IOC, as the one shown above, describing only the desired order of the interactions and abstracting completely from how this order will be enforced. Then, our framework transforms it into an equivalent connected IOC, applying all the necessary modifications for making the description given by the programmer implementable. Finally, a corresponding POC counterpart can be obtained through our notion of projection.
‡ Actually, the projection is slightly more complex, but has the same behavior.
Structure of the paper§ Section 2 introduces syntax and semantics for IOC and POC. Section 3 presents the projection from IOC to POC and discusses informally the different settings we consider. The various configurations in the synchronous and asynchronous cases are formalized respectively in Section 4 and Section 5. Section 6 shows how to amend IOCs which have no direct POC counterpart. Section 7 discusses possible extensions of the work. Section 8 reports a practical interpretation of our different settings, showing some examples of their usage. Section 9 compares with related work and concludes.
2. Calculi
In this section we define two basic choreography languages, an Interaction-Oriented
Choreography (IOC) language and a Process-Oriented Choreography (POC) language.
Both the languages are used for modeling choreographies, thus they share a few basic
elements. We consider in fact for them the same two sets of names: the set of participants
in the choreography, called roles, and ranged over by a, b, r, . . ., and the set of operations
that can be used for sending and receiving. We will consider two kinds of such operations:
public operations, ranged over by o, which represent observable activities of the system,
and private operations, ranged over by o∗, which are used for internal synchronization.
We use o? to range over both public and private operations.
2.1. Interaction-Oriented Choreography
This subsection describes the syntax and the operational semantics of IOCs. IOCs, ranged
over by I, I ′, . . ., are defined as follows:
$I ::= o^?_{a \to b} \;\mid\; 1 \;\mid\; 0 \;\mid\; I; I' \;\mid\; I \parallel I' \;\mid\; I + I'$
The basic construct is the interaction between two distinct roles a and b on operation $o^?$, denoted by $o^?_{a \to b}$, meaning that role a sends a message on operation $o^?$ of role b. Roles a and b should not coincide. Public and private interactions (i.e., interactions on public and private operations) have the same operational semantics, but they will be distinguished by the observational semantics; in particular, weak observational semantics will abstract away private interactions. In addition to interactions there are the empty IOC 1, the deadlocked IOC 0, sequential and parallel composition of IOCs and nondeterministic choice between IOCs. For instance $(o_{a \to b} \parallel o'_{a \to c});\; o''_{b \to c}$ specifies that interactions $o_{a \to b}$ and $o'_{a \to c}$ can be performed in any order, and after both of them have been performed then interaction $o''_{b \to c}$ can be executed. The deadlocked IOC 0 is only needed for defining the operational semantics, and is not expected to be used in the description of systems. We call initial an IOC where 0 is never used.
§ The paper is an extended and revised version of (Lanese et al., 2008). In particular, Section 6 and Section 8 are completely new.

(Interaction) $o^?_{a \to b} \xrightarrow{\;o^?_{a \to b}\;} 1$
(End) $1 \xrightarrow{\;\surd\;} 0$
(Sequence) $\dfrac{I \xrightarrow{\;\sigma\;} I' \quad \sigma \neq \surd}{I;J \xrightarrow{\;\sigma\;} I';J}$
(Parallel) $\dfrac{I \xrightarrow{\;\sigma\;} I' \quad \sigma \neq \surd}{I \parallel J \xrightarrow{\;\sigma\;} I' \parallel J}$
(Choice) $\dfrac{I \xrightarrow{\;\sigma\;} I'}{I + J \xrightarrow{\;\sigma\;} I'}$
(Seq-end) $\dfrac{I \xrightarrow{\;\surd\;} I' \quad J \xrightarrow{\;\sigma\;} J'}{I;J \xrightarrow{\;\sigma\;} J'}$
(Par-end) $\dfrac{I \xrightarrow{\;\surd\;} I' \quad J \xrightarrow{\;\surd\;} J'}{I \parallel J \xrightarrow{\;\surd\;} I' \parallel J'}$
Table 1. IOC semantics (symmetric rules omitted).
We now define the operational semantics of IOCs. IOC transitions are defined as the
smallest labeled transition system (LTS) closed under the rules in Table 1. Symmetric
rules for parallel composition and choice have been omitted. The rules are in the style of,
e.g., (Bravetti and Zavattaro, 2007). We use σ to range over labels. We have two kinds of labels: label $o^?_{a \to b}$ denotes the execution of an interaction $o^?_{a \to b}$, while label $\surd$ represents the termination of the IOC.
Rule Interaction executes an interaction. Rule End terminates an empty IOC. Rule
Sequence executes a step in the first component of a sequential composition. Rule
Parallel executes an interaction from a component of a parallel composition while
rule Choice starts the execution of an alternative in a nondeterministic choice. Rule
Seq-end acknowledges the termination of the first component of a sequential composi-
tion, starting the second component. Rule Par-end synchronizes the termination of two
parallel components.
We can now define IOC traces. We consider both strong traces, where all the performed
interactions are observed, and weak traces, where only interactions on public operations
are visible.
Definition 2.1 (IOC traces). A (strong maximal) trace of an IOC $I_1$ is a sequence of labels $\sigma_1, \ldots, \sigma_n$ such that there is a sequence of IOC transitions $I_1 \xrightarrow{\;\sigma_1\;} \cdots \xrightarrow{\;\sigma_n\;} I_{n+1}$ and such that $I_{n+1}$ has no outgoing transitions.
A weak trace of an IOC $I_1$ is a sequence of labels $\sigma_1, \ldots, \sigma_n$ obtained by removing all the labels of the form $o^*_{a \to b}$ from a strong trace of $I_1$. An IOC trace is complete iff its last label is $\surd$.
Initial IOCs capture well-behaved systems, in the sense that they never deadlock, as
shown by the following proposition.
Proposition 2.1. Let I be an initial IOC. Each maximal trace of I is complete.
Proof. By structural induction on I.
The proposition above holds since 0 cannot occur inside an initial IOC.
The function roles(I) that computes the set of roles in a given IOC I is inductively defined as follows:
$roles(o^?_{a \to b}) = \{a, b\}$
$roles(1) = roles(0) = \emptyset$
$roles(I; I') = roles(I \parallel I') = roles(I + I') = roles(I) \cup roles(I')$
2.2. Process-Oriented Choreography
This subsection describes the syntax and the operational semantics of POCs. POCs
include processes, ranged over by P , P ′, . . ., describing the behavior of participants, and
grouped into systems, ranged over by S, S ′, . . ..
$P ::= o^? \;\mid\; \overline{o^?} \;\mid\; 1 \;\mid\; P;P' \;\mid\; P \mid P' \;\mid\; P + P' \;\mid\; \langle o^? \rangle \;\mid\; 0 \qquad\qquad S ::= (P)_a \;\mid\; S \parallel S'$
Processes include input action $o^?$ and output action $\overline{o^?}$ on a specific operation $o^?$
(either public or private), the empty process 1, sequential and parallel composition, and
nondeterministic choice. The runtime syntax includes also messages 〈o?〉, used in the
definition of the asynchronous semantics, and the deadlocked process 0. We call initial
a POC where 0 and messages are never used. POC systems are parallel compositions of
roles. Each role has a role name and executes a process. We require role names to be
unique.
We define two LTS semantics for POCs, synchronous and asynchronous. In the synchronous semantics input actions and output actions interact atomically, while in the asynchronous one the sending event creates a message that, later, may interact with the corresponding input generating a receiving event.
The asynchronous LTS for POC is the smallest LTS closed under the rules in Table 2. We use γ to range over labels. Symmetric rules for parallel compositions (both internal and external) and choice have been omitted. The semantics is in the style of, e.g., (Bravetti and Zavattaro, 2007).
Rules In and Out execute input actions and output actions respectively. Rule Async-Out makes messages available for a corresponding input action. Rule One terminates an empty process. Rule Sequence executes a step in the first component of a sequential composition. Rule Inner Parallel executes an action from a component of a parallel composition, while rule Choice starts the execution of an alternative in a nondeterministic choice. Rule Seq-end acknowledges the termination of the first component of a sequential composition, starting the second component. Rule Inner Par-end synchronizes the termination of two parallel components. Rule Lift lifts actions to the system level, tagging them with the name of the role executing them. Action $\surd$ instead is dealt with by rule Lift-Tick, which lifts it without adding the role name. Outputs instead are stored as messages by rule Msg. Rule Synch synchronizes a message with the corresponding input action, producing an interaction. Rule Ext-Parallel allows parallel systems to stay idle. Finally, rule Ext-Par-End synchronizes the termination of parallel systems.
The synchronous LTS for POC is the smallest LTS closed under the rules in Table 2, where rules Out, Async-Out and Msg are deleted and the new rule Sync-Out below is added:
(Sync-Out) $\overline{o^?} \xrightarrow{\;\langle o^? \rangle\;}_s 1$
This rule allows outputs in the synchronous semantics to send messages that can directly interact with the corresponding input at the system level. Synchronous transitions are denoted as $\xrightarrow{\;\gamma\;}_s$ instead of $\xrightarrow{\;\gamma\;}$, to distinguish them from the asynchronous ones.
As for IOCs, we define POC traces. We have different possibilities: in addition to the
distinction between strong and weak traces, we distinguish synchronous, asynchronous,
sender and receiver traces.
Definition 2.2 (POC traces). A (strong maximal) synchronous trace of a POC $S_1$ is a sequence of labels $\gamma_1, \ldots, \gamma_n$, where $\gamma_i$ is of the form $o^?_{a \to b}$ or $\surd$ for each $i \in \{1, \ldots, n\}$, such that there is a sequence of synchronous POC transitions $S_1 \xrightarrow{\;\gamma_1\;}_s \cdots \xrightarrow{\;\gamma_n\;}_s S_{n+1}$ and such that $S_{n+1}$ has no outgoing transitions of the same form.
A (strong maximal) asynchronous trace of a POC $S_1$ is a sequence of labels $\gamma_1, \ldots, \gamma_n$, where $\gamma_i$ is of the form $o^? : a$, $o^?_{a \to b}$ or $\surd$ for each $i \in \{1, \ldots, n\}$, such that there is a sequence of asynchronous POC transitions $S_1 \xrightarrow{\;\gamma_1\;} \cdots \xrightarrow{\;\gamma_n\;} S_{n+1}$ and such that $S_{n+1}$ has no outgoing transitions of the same form.
A strong sender trace of a POC $S_1$ is obtained by removing all labels of the form $o^?_{a \to b}$ from a strong asynchronous trace of $S_1$.
A strong receiver trace of a POC $S_1$ is obtained by removing all labels of the form $o^? : a$ from a strong asynchronous trace of $S_1$.
A weak (synchronous/asynchronous/sender/receiver) trace of a POC $S_1$ is obtained by removing all labels $o^* : a$ and $o^*_{a \to b}$ from a strong (synchronous/asynchronous/sender/receiver) trace of $S_1$.
A POC trace is complete iff its last label is $\surd$.
In the definition of POC traces, input actions and messages are never considered, since they represent interactions with the external world, while we are interested in the behavior of closed systems. Also, sender traces consider only output events, while receiver traces consider only input events. Finally, weak traces disregard events of any kind concerning private operations.
Note that, in general, POCs can deadlock, e.g. $(o)_a$ is a deadlocked system since its only trace is empty, and, in particular, does not end with $\surd$.
3. Projecting IOCs onto POCs
In this section we show how to relate the Interaction-Oriented and the Process-Oriented
description of a choreography. In particular, given an IOC I we want to define a system
S implementing it. The idea is to project the IOC on the different roles, and build the
system S as the parallel composition of the projections on the different roles. We consider here the most natural projection, which is essentially a homomorphism on most operators.
As we will see, the POC resulting from such a projection is behaviorally related to the
starting IOC only under some syntactic conditions on the IOC itself. Also, POCs resulting
from the projection of initial IOCs will not deadlock. We will see in Section 6 how to
transform IOCs so to ensure that they will satisfy those syntactic conditions, preserving
the observable behavior.
Definition 3.1 (Projection function). Given an IOC I and a role a, the projection proj(I, a) of IOC I on role a is defined by structural induction on I:
$proj(o^?_{a \to b}, a) = \overline{o^?}$
$proj(o^?_{a \to b}, b) = o^?$
$proj(o^?_{a \to b}, c) = 1$ if $c \neq a, b$
$proj(1, a) = 1$
$proj(0, a) = 0$
$proj(I; I', a) = proj(I, a); proj(I', a)$
$proj(I \parallel I', a) = proj(I, a) \mid proj(I', a)$
$proj(I + I', a) = proj(I, a) + proj(I', a)$
We denote with $\parallel_{i \in I} S_i$ the parallel composition of systems $S_i$ for each $i \in I$.
Definition 3.2. Given an IOC I, the projection of I is the system S defined by:
$proj(I) = \parallel_{a \in roles(I)} (proj(I, a))_a$
We now want to analyze the relationships between an IOC and the projected POC,
proving that the projection proj(I) of a given IOC I behaves according to the IOC
I. However, “behaves according to” can be formalized in different ways, depending on
the kind of properties that one wants to preserve. We call the “behaves according to”
relation a conformance relation. To ensure that an IOC and the projected POC satisfy
one of the different conformance relations, we find some syntactic conditions on the
form of the IOC, which we call connectedness conditions. Each conformance relation
will require its particular connectedness conditions. We now give an informal description of the possible conformance relations, while the following sections are devoted to fully
formalize the correspondence in terms of different kinds of trace equivalences, and to
discuss the necessary connectedness conditions.
Let us consider the simple IOC $I = o_{a \to b}; o'_{c \to d}$ from the Introduction, where a, b, c and d may or may not be distinct. In the system proj(I) there are two possibly distinct events for each interaction $o_{a \to b}$ in the IOC: the sending $o : a$ of the message by role a and the reception $o_{a \to b}$ of the message by role b. Let us denote with $s_1$ and $s_2$ the sending events from $o_{a \to b}$ and $o'_{c \to d}$ respectively, and similarly let us denote with $r_1$ and $r_2$ the corresponding receive events. We denote with e an arbitrary event, write $e_1 = e_2$ when the two events are synchronized and $e_1 < e_2$ when $e_1$ happens before $e_2$. We may use the same notation to denote both the label corresponding to the action execution and the action itself.
The condition that $o_{a \to b}$ has to be executed before $o'_{c \to d}$, expressed by the ; in the IOC, has to be mapped into a condition relating the corresponding events in the POC. We consider the following possibilities, one synchronous and four asynchronous:
Synchronous conformance: it guarantees that the POC, when executed using the synchronous LTS, behaves as specified by the IOC. Because of synchronous semantics $s_1 = r_1$ and $s_2 = r_2$, thus the sequentiality condition can be expressed, e.g., as $s_1 < s_2 \vee s_1 < r_2 \vee r_1 < s_2 \vee r_1 < r_2$;
Sender conformance: it guarantees that the POC, when executed using the asynchronous LTS, behaves as specified by the IOC from a sender perspective, i.e. that $s_1 < s_2$;
Receiver conformance: it guarantees that the POC, when executed using the asynchronous LTS, behaves as specified by the IOC from a receiver perspective, i.e. that $r_1 < r_2$;
Sender-receiver conformance: it guarantees that the POC, when executed using the asynchronous LTS, behaves as specified by the IOC from both a sender and a receiver perspective, i.e. that $s_1 < s_2 \wedge r_1 < r_2$; in the following we will not discuss this kind of conformance in detail, since an IOC and a POC are in a relation of sender-receiver conformance iff they are both in a relation of sender conformance and of receiver conformance;
Disjoint conformance: it requires that, when the POC is executed using the asynchronous LTS, the intervals of execution of the first interaction (from $s_1$ to $r_1$) and of the second one (from $s_2$ to $r_2$) are completely disjoint: this can be formalized by $r_1 < s_2$.
The conditions presented above form a partial order w.r.t. implication, e.g., if a system
satisfies the connectedness conditions for the disjoint conformance then it also satisfies
the connectedness conditions for the other forms of conformance. The partial order is
represented in Figure 1. In the partial order, going from top to bottom, connectedness
conditions become more relaxed, but behavioral guarantees become weaker. The same
implications are still satisfied when we generalize the conditions to take into account
IOCs which are more complex than the simple one above.
Fig. 1. Partial order for conformance (stronger conditions and guarantees at the top, weaker at the bottom): Disjoint, above Sender-receiver, above Sender and Receiver (incomparable with each other), above Synchronous.
Since in the POC different roles are executing in parallel, sequentiality conditions between events should be enforced by a single role, which thus should occur in more than one interaction. We show below the conditions required on roles to make the simple example above behave as expected, according to the different notions of conformance:
Synchronous conformance: $\{a, b\} \cap \{c, d\} \neq \emptyset$;
Sender conformance: $c = a \vee c = b$;
Receiver conformance: $d = b \vee c = b$;
Disjoint conformance: $b = c$.
Let us analyze, for instance, the condition for sender conformance: we require that the
sending from c happens after the sending from a. Clearly, if a = c then a can enforce
this condition. However if b = c then b, when it receives the message, knows that the
message has already been sent, and thus can enforce the sequentiality condition. We call
this condition connectedness for sequence.
We require also two other kinds of conditions: existence of unique points of choice
to ensure that all the participants are aware of which branch of a nondeterministic
choice has been taken, and causality safety to ensure that different interactions using the
same operation do not mix up. We refer the three conditions together as connectedness
conditions.
The next sections discuss the different notions of conformance and the corresponding
connectedness conditions.
4. Synchronous conformance
In this section we discuss synchronous conformance and the corresponding connectedness
conditions. This case is important since, while being simpler than the asynchronous ones,
it introduces most of the relevant concepts. For this reason we will describe it in detail.
We will reuse most of the concepts in the following section.
We formalize the notion of conformance between an IOC and a POC using (variations
of) trace equivalence (Hoare, 1985). To simplify our proofs, we also use a (stronger)
characterization of conformance in terms of bisimilarity (Milner, 1989).
Definition 4.1 (Synchronous trace equivalence).
An IOC I and a POC S are synchronous trace equivalent iff the set of strong maximal
traces of I coincides with the set of strong maximal synchronous traces of S.
The aim of this section is to give all the tools to (make formal and) prove the following
theorem:
Theorem 4.1 (Synchronous conformance). Let I be an IOC and S = proj(I) be its projection. If I satisfies the connectedness conditions for the synchronous conformance, then I and S are synchronous trace equivalent.
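The following is an added, executable toy version of the material above; it is example code written for this page, not the authors' implementation, and every Python name, the tuple encoding of terms, the string "tick" for the termination label and the spelling o2 for o' are this example's own choices. It implements the IOC LTS of Table 1, the projection of Definitions 3.1 and 3.2, the synchronous system-level transitions (rules Synch and Ext-Par-End, with unmatched inputs and outputs invisible as in Definition 2.2), and the maximal traces of Definitions 2.1 and 2.2, and then checks Definition 4.1 on the two IOCs of the Introduction: the connected buyer/seller IOC is synchronous trace equivalent to its projection, while the disconnected $o_{a \to b}; o'_{c \to d}$ is not, because its projection can also perform $o'_{c \to d}$ first.

```python
# Added example, not the authors' code: a toy executable version of the IOC and
# POC calculi, the projection of Definitions 3.1/3.2 and the synchronous trace
# equivalence of Definition 4.1. Terms are plain tuples (this example's encoding):
#   IOC    ("int", o, a, b) | ("one",) | ("zero",) | ("seq", I, J) | ("par", I, J) | ("choice", I, J)
#   POC    ("in", o) | ("out", o) | ("one",) | ("zero",) | ("seq", P, Q) | ("par", P, Q) | ("choice", P, Q)
#   system a tuple of (role, process) pairs
from itertools import product
TICK = "tick"  # the termination label (a tick mark in the paper)

def steps(T, leaf):
    """Rules shared by Tables 1 and 2; `leaf` supplies the rule for the basic action."""
    k = T[0]
    if k == "one":
        yield TICK, ("zero",)                 # End / One
    elif k == "seq":
        A, B = T[1], T[2]
        for lab, A2 in steps(A, leaf):
            if lab != TICK:
                yield lab, ("seq", A2, B)      # Sequence
            else:
                yield from steps(B, leaf)     # Seq-end
    elif k == "par":
        A, B = T[1], T[2]
        sa, sb = list(steps(A, leaf)), list(steps(B, leaf))
        for lab, A2 in sa:
            if lab != TICK:
                yield lab, ("par", A2, B)     # Parallel
        for lab, B2 in sb:
            if lab != TICK:
                yield lab, ("par", A, B2)     # Parallel (symmetric rule)
        for (la, A2), (lb, B2) in product(sa, sb):
            if la == TICK and lb == TICK:
                yield TICK, ("par", A2, B2)   # Par-end
    elif k == "choice":
        yield from steps(T[1], leaf)          # Choice (and symmetric rule)
        yield from steps(T[2], leaf)
    elif k != "zero":                         # 0 has no transitions
        yield from leaf(T)

def ioc_leaf(I):   # rule Interaction: the label is the interaction itself
    yield I, ("one",)

def proc_leaf(P):  # rules In and Sync-Out: labels ("in", o) and ("out", o)
    yield (P[0], P[1]), ("one",)

def roles(I):
    if I[0] == "int":
        return {I[2], I[3]}
    return set() if I[0] in ("one", "zero") else roles(I[1]) | roles(I[2])

def proj(I, r):
    """Definition 3.1: projection of I on role r."""
    if I[0] == "int":
        o, a, b = I[1], I[2], I[3]
        return ("out", o) if r == a else ("in", o) if r == b else ("one",)
    return I if I[0] in ("one", "zero") else (I[0], proj(I[1], r), proj(I[2], r))

def proj_system(I):
    """Definition 3.2: parallel composition of the projections on roles(I)."""
    return tuple(sorted((r, proj(I, r)) for r in roles(I)))

def sys_steps(S):
    """Synchronous system transitions: Synch (an output of role a meets an input on
    the same operation at another role b, label o_{a->b}) and Ext-Par-End (all roles
    terminate together). Unmatched actions stay invisible, as in Definition 2.2."""
    per_role = [(r, list(steps(P, proc_leaf))) for r, P in S]
    for i, (a, sa) in enumerate(per_role):
        for la, Pa in sa:
            if la[0] != "out":
                continue
            for j, (b, sb) in enumerate(per_role):
                for lb, Pb in sb:
                    if j != i and lb == ("in", la[1]):
                        S2 = list(S)
                        S2[i], S2[j] = (a, Pa), (b, Pb)
                        yield ("int", la[1], a, b), tuple(S2)
    ticks = [[P2 for lab, P2 in s if lab == TICK] for _, s in per_role]
    if ticks and all(ticks):
        for combo in product(*ticks):
            yield TICK, tuple((r, P2) for (r, _), P2 in zip(per_role, combo))

def maximal_traces(T, step):
    """All strong maximal traces: label sequences ending in a term with no transition."""
    out = set()
    def dfs(t, acc):
        nxt = list(step(t))
        if not nxt:
            out.add(tuple(acc))
        for lab, t2 in nxt:
            dfs(t2, acc + [lab])
    dfs(T, [])
    return out

def ioc_traces(I):
    return maximal_traces(I, lambda t: steps(t, ioc_leaf))

def sync_trace_equivalent(I):
    """Definition 4.1 between I and proj(I)."""
    return ioc_traces(I) == maximal_traces(proj_system(I), sys_steps)

# The two IOCs of the Introduction (o' is spelled o2 here).
BUYER_SELLER = ("seq", ("int", "ask", "b", "s"), ("int", "quote", "s", "b"))
DISCONNECTED = ("seq", ("int", "o", "a", "b"), ("int", "o2", "c", "d"))
```

Calling `sync_trace_equivalent(BUYER_SELLER)` returns True and `sync_trace_equivalent(DISCONNECTED)` returns False; `maximal_traces(proj_system(DISCONNECTED), sys_steps)` contains the extra trace in which o2 is exchanged between c and d before o is exchanged between a and b, which is exactly the behavior the IOC forbids. Because terms have no recursion, the trace enumeration always terminates; a deadlocked system such as $(o)_a$ yields the single empty trace, matching the remark at the end of Section 2.2.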
We start by formalizing the connectedness conditions required to guarantee the synchronous conformance. A few auxiliary functions are needed. Functions transI(•) and transF(•) compute respectively the sets of initial and final interactions in an IOC:
$transI(o^?_{a \to b}) = transF(o^?_{a \to b}) = \{o^?_{a \to b}\}$
$transI(1) = transI(0) = transF(1) = transF(0) = \emptyset$
$transI(I \parallel I') = transI(I + I') = transI(I) \cup transI(I')$
$transF(I \parallel I') = transF(I + I') = transF(I) \cup transF(I')$
$transI(I; I') = transI(I')$ if $I \xrightarrow{\;\surd\;}$, $transI(I)$ otherwise
$transF(I; I') = transF(I)$ if $I' \xrightarrow{\;\surd\;}$, $transF(I')$ otherwise
The first connectedness condition that we present concerns sequential composition. It
generalizes the condition discussed in Section 3 for the synchronous conformance from
the case of sequential composition of interactions to the case of sequential composition
of arbitrary terms.
Definition 4.2 (Synchronous connectedness for sequence). An IOC I is synchronous connected for sequence if for each subterm of the form $I'; I''$ we have $\forall o^?_{a \to b} \in transF(I'),\ \forall o'^?_{c \to d} \in transI(I''),\ \{a, b\} \cap \{c, d\} \neq \emptyset$.
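An added example of the static check, written for this page and not taken from the authors: it implements transI and transF as defined above and Definition 4.2 for the synchronous setting. The sender ($c \in \{a, b\}$), receiver ($b \in \{c, d\}$) and disjoint ($b = c$) variants are an assumption of this example, obtained by applying the simple-case conditions of Section 3 to every pair of a final interaction of $I'$ and an initial interaction of $I''$; the asynchronous definitions themselves belong to Section 5, which is not reproduced here. The tuple encoding of IOC terms and all Python names are this example's own. The three-party IOC from Section 2.1 shows that the settings really differ: it is connected for sequence in the synchronous and receiver settings but not in the sender and disjoint ones, consistent with the partial order of Figure 1.

```python
# Added example, not the authors' code: transI/transF and the connectedness-
# for-sequence check. The synchronous condition is Definition 4.2; the sender,
# receiver and disjoint variants are ASSUMED here to generalise the simple-case
# conditions of Section 3 to every pair (final interaction of I', initial
# interaction of I''). IOC terms use this example's tuple encoding:
#   ("int", o, a, b) | ("one",) | ("zero",) | ("seq", I, J) | ("par", I, J) | ("choice", I, J)

def can_tick(I):
    """Structural test for `I -tick->` (Table 1): 1 terminates, an interaction
    and 0 do not, a choice terminates if either branch does, ; and || need both."""
    k = I[0]
    if k == "one":
        return True
    if k in ("int", "zero"):
        return False
    if k == "choice":
        return can_tick(I[1]) or can_tick(I[2])
    return can_tick(I[1]) and can_tick(I[2])

def trans(I, initial):
    """transI (initial=True) / transF (initial=False) from Section 4."""
    k = I[0]
    if k == "int":
        return {I}
    if k in ("one", "zero"):
        return set()
    A, B = I[1], I[2]
    if k in ("par", "choice"):
        return trans(A, initial) | trans(B, initial)
    if initial:  # transI(I;I') = transI(I') if I -tick->, transI(I) otherwise
        return trans(B, True) if can_tick(A) else trans(A, True)
    return trans(A, False) if can_tick(B) else trans(B, False)

# Condition on a final interaction o_{a->b} followed by an initial o'_{c->d}.
CONDITIONS = {
    "synchronous": lambda a, b, c, d: bool({a, b} & {c, d}),  # Definition 4.2
    "sender":      lambda a, b, c, d: c in (a, b),            # assumed: c = a or c = b
    "receiver":    lambda a, b, c, d: b in (c, d),            # assumed: d = b or c = b
    "disjoint":    lambda a, b, c, d: b == c,                 # assumed: b = c
}

def sequence_violations(I, setting):
    """All (final, initial) pairs across some subterm I';I'' that break the condition."""
    cond, bad = CONDITIONS[setting], []
    def walk(T):
        if T[0] in ("int", "one", "zero"):
            return
        if T[0] == "seq":
            for f in trans(T[1], False):
                for i in trans(T[2], True):
                    if not cond(f[2], f[3], i[2], i[3]):
                        bad.append((f, i))
        walk(T[1])
        walk(T[2])
    walk(I)
    return bad

def connected_for_sequence(I, setting):
    return not sequence_violations(I, setting)

BUYER_SELLER = ("seq", ("int", "ask", "b", "s"), ("int", "quote", "s", "b"))
DISCONNECTED = ("seq", ("int", "o", "a", "b"), ("int", "o2", "c", "d"))
# (o_{a->b} || o'_{a->c}); o''_{b->c} from Section 2.1, with o', o'' spelled o2, o3
THREE_PARTY = ("seq", ("par", ("int", "o", "a", "b"), ("int", "o2", "a", "c")),
               ("int", "o3", "b", "c"))

def report(I):
    """Which settings I is connected for sequence in, strongest first."""
    settings = ("disjoint", "sender", "receiver", "synchronous")
    return {s: connected_for_sequence(I, s) for s in settings}
```

`report(BUYER_SELLER)` is True for every setting and `report(DISCONNECTED)` is False for every setting. For `THREE_PARTY` the only offending pair is $o'_{a \to c}$ followed by $o''_{b \to c}$: role c receives both, so the receiver condition holds, but neither a nor c is the sender of $o''$, so the sender condition fails; `sequence_violations` returns that pair so the designer can see which interaction needs an extra synchronization.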
The second condition ensures that, for each nondeterministic choice in the IOC, all
the participants agree on which branch of the choice has been taken.
Definition 4.3 (Synchronous unique points of choice). An IOC I has synchronous unique points of choice if for each subterm of the form $I' + I''$ we have:
We can use indexes of events to define matching events.
Definition 4.6 (Matching events). A POC input and a POC output with the same index are called matching events. We denote with $\overline{e}$ an event matching event e. An event is unmatched if it has no matching event.
We can now define the causality relation and the full conflict relation. We will also
define the conflict relation, characterizing pairs of events in different branches of a choice.
Definition 4.7 (Synchronous causality relation). Let us consider an annotated IOC
I. A synchronous causality relation ≤I is a partial order among events in the (derivatives
of the) projection S of I. We define ≤I as the minimum partial order satisfying:
sequentiality: for each subterm of the form I ′; I ′′ and each role a, if e′ is an event in
IOC vs POC 13
proj(I ′, a), e′′ is an event in proj(I ′′, a), and proj(I ′, a) has no transition of the form
proj(I ′, a)√−→ then e′ ≤I e′′;
synchronization: for each pair of events e and e′, e ≤I e′ implies ē ≤I e′.
A pair e ≤I e′ formalizes the fact that event e should occur before event e′, either because the two events are in the same role and composed sequentially, or because some
synchronization involving e has to be performed before e′ can become enabled.
Definition 4.8 (Synchronous conflict relation). Let us consider an annotated IOC I. A synchronous conflict relation #I is a relation among events in the (derivatives of the) projection S of I. We define #I as the relation containing all pairs (e′, e′′) of events such that e′ is in proj(I′, a) for some role a and e′′ is in proj(I′′, b) for some role b, for some subterm of the form I′ + I′′ of I. A synchronous full conflict relation f#I is a relation among events in the (derivatives of the) projection S of I. We define f#I as the relation containing all pairs (e, e′) of events such that (e, e′) ∈ #I and neither e nor e′ is minimal according to ≤I′+I′′.
Definition 4.9 (Synchronous causality safety).
An IOC I is synchronous causality safe iff for each pair of interactions i and j performed
on the same operation the two conditions below hold:
— si f#I rj ∨ si ≤I rj ∨ rj ≤I si;
— sj f#I ri ∨ sj ≤I ri ∨ ri ≤I sj.
The following example shows the need for causality safety.
Example 4.2. Consider the annotated IOC I = 1 : oa→b ‖ 2 : oc→d. Here the two interactions are performed on the same operation o, but there are no causal dependencies or full conflicts between the events corresponding to the two interactions, i.e., the IOC I is not causality safe. In fact, the projection of I has the transition
(1 : o)a ‖ (1 : o)b ‖ (2 : o)c ‖ (2 : o)d oa→d−−−→ (1)a ‖ (1 : o)b ‖ (2 : o)c ‖ (1)d
which is not allowed by the IOC itself. Note that this POC interaction involves two events with different indexes.
In the projection of causality safe IOCs, one input and one output in different inter-
actions (thus with different indexes) on the same operation are never enabled together
and thus can not interact. This is proved in Lemma 4.2.
Annotated IOCs and POCs are also used in the proof of our main theorem to deal with
nondeterministic choice: when a choice is performed in the POC, some garbage is kept
in form of events whose matching events have been discarded, as shown by the following
example.
Example 4.3. Consider the annotated IOC transition:
Definition 4.11 (Synchronous well-annotated POC). An annotated POC S is
synchronous well-annotated for a causality relation ≤, a conflict relation # and a full
conflict relation f# iff for each index i there are at most two events with index i and, in
this case, they are matching events. Furthermore, for each pair of events e1 and e2 on the
same operation o? with indexes i, j such that i 6= j, either (e1, e2) ∈ f#, or e1 ≤ e2 or
e2 ≤ e1. Finally, if e1 ≤ e2 then e2 can become enabled only after e1 has been executed
or discarded, and if (e1, e2) ∈ # then, if e1 is executed, e2 does not occur in rem(S) where S is the system after e1 has been executed.
We now prove some basic properties of synchronous well-annotated POCs.
Lemma 4.1. If S is a synchronous well-annotated POC w.r.t. a causality relation ≤ then only events which are minimal w.r.t. ≤ can be enabled in S.
Proof. The proof is by contradiction. Suppose ei is enabled but not minimal, i.e. there
is ej such that ej ≤ ei. If there is more than one such ej consider the one such that
the length of the derivation of ej ≤ ei is minimal. This should have length one, and this
should result from an application of the sequentiality rule. Thus from the definition of
the projection function, and since the projection of the first component has no √ action, ei cannot be enabled.
Lemma 4.2. If S is a synchronous well-annotated POC and S o?a→b−−−→ S ′ then the two
executed events are matching events.
Proof. Because of the definition of the semantics the two events are on the same
operation. Assume that they are not matching events. Then they are either in causality
relation or in full conflict relation. In both the cases thanks to Lemma 4.1 at least one
of them cannot be enabled since it is not minimal. This is absurd, thus they have to be
matching events.
We will now prove that all the POCs we work with are synchronous well-annotated.
The proof is in two steps: in Lemma 4.3 we show that all the projections of synchronous
connected IOCs are synchronous well-annotated, and in Lemma 4.4 we show that syn-
chronous well-annotated POCs reduce to synchronous well-annotated POCs.
Lemma 4.3. Let I be a synchronous connected IOC. Then S = proj(I) is a synchronous well-annotated POC w.r.t. ≤I, #I and f#I.
Proof. The first condition is trivially satisfied. The second condition trivially follows
from the definition of synchronous causality safety. The third condition follows from
Lemma 4.1.
Let us prove the last condition. Assume that e1 is in the projection of the branch I′ of a choice I′ + I′′. We will prove that if e1 is executed then all the events in I′′ do not occur in rem(S), where S is the system after e1 has been executed. For events in the same role of e1 the thesis follows by the definition of the semantics. Also, e1 interacts with its matching event ē1 thanks to Lemma 4.2, thus the thesis follows trivially also for the role of ē1. For other roles, if the event is in the projection of an initial interaction then it can be discarded by rem(•). In fact, because of the existence of unique points of choice one of the two events of the interaction is at the same role of e1 or of ē1, and it is discarded by the semantics. Thus the other event becomes unmatched and can be
discarded too (first pruning operation of function rem(•)). We prove by induction on
the structure of the term that if all the events in the projection of initial interactions
of a term can be discarded, then all the events in the projection of the term can be
discarded. The only difficult case is sequential composition. Let J ;J ′ be the term. For
interactions in J the thesis follows by inductive hypothesis. It is enough to prove that
the initial interactions in J ′ can be discarded. Let o?a→b be such an interaction. Because
of synchronous connectedness for sequence then either a or b occurs also in each final
interaction of J . Let us take one such interaction, and let us assume that the event is
at a. By inductive hypothesis this event is discarded, i.e. replaced by 0. The projection
of J on a is composed only by 0s, for unmatched events, and 1s, for projections of
interactions not involving the role, and it includes at least a 0. Thus the projection of
J on a is reduced to 0 by rem(•) (second pruning operation). Since 0;P is replaced by
0, the event at a is discarded. The event at b becomes unmatched and can be discarded
too. The thesis follows.
Lemma 4.4. If S is a synchronous well-annotated POC w.r.t. ≤, # and f# and S o?a→b−−−→s
S ′ or S√−→s S ′ then S ′ is a synchronous well-annotated POC w.r.t. the restrictions of ≤,
# and f# to the events in S ′.
Proof. The first two conditions trivially hold. For the third one, if e1 is executed or discarded then the relation e1 ≤ e2 is removed and nothing has to be proved. Otherwise the thesis holds for the restricted relation. A similar reasoning can be done for the conflict relation.
The next lemma proves the correctness of function rem(•), i.e. that applying function
rem(•) to a synchronous well-annotated POC does not change its semantics.
Lemma 4.5. Let S be a synchronous well-annotated POC. The following properties
hold:
— if S σ−→s S′ for σ = o?a→b or σ = √, then rem(S) σ−→s rem(S′);
— if rem(S) σ−→s S′′ for σ = o?a→b or σ = √, then there exists S′ such that S σ−→s S′ and rem(S′) = S′′.
Proof. All cases are proved by induction on the number of pruning operations in
rem(S). The base case is trivial. Let us consider the inductive case. If the last prun-
ing operation has been applied, it is trivial to see that it does not affect the operational
semantics. If the first one has been applied, we have to prove that the event e replaced
with 0 is not involved in the transition. From Lemma 4.2 e can interact only with a
matching event. However, this is impossible since e is unmatched.
We now prove a few properties of transitions with label√.
Lemma 4.6. If I√−→ then, for each role r ∈ roles(I), proj(I, r)√−→s, and vice versa.
Proof. By structural induction on I.
Lemma 4.7. If transF(I) is empty, then I√−→.
Proof. By structural induction on I.
The next lemma shows that if two matching events are enabled in the projection of an
IOC, then the corresponding interaction is initial.
Lemma 4.8. Let I be a well-annotated, synchronous connected IOC and i : o?a→b be an interaction in I. If the output i : o? at a and the input i : o? at b are matching events and are both enabled in proj(I) then i : o?a→b ∈ transI(I).
Proof. By structural induction on I. The cases for 1, 0 and interactions are trivial.
For parallel composition and choice just consider that since the two events have the
same index then they are from the same component, and the thesis follows by inductive
hypothesis. Let us consider sequential composition. Suppose I = I′; I′′. If i : o?a→b ∈ I′ the thesis follows by inductive hypothesis. Otherwise by inductive hypothesis i : o?a→b ∈ transI(I′′). Thus from synchronous connectedness for sequence {c, d} ∩ {a, b} ≠ ∅ for all o′?c→d ∈ transF(I′). Assume transF(I′) not empty and take one such o′?c→d. Suppose, e.g.,
d = b (the other cases are analogous). If o′? inside d is not part of a choice then i : o? is
not enabled, since it is guarded by an input on the same role, and we get a contradiction.
If it is part of a choice, then role d should occur in all the other branches of the choice
too, thus in each branch there is an event concerning d to be executed. Again i : o? is not
enabled and we have a contradiction. If instead transF(I ′) is empty, then from Lemma 4.7
I ′√−→. Thus transI(I) = transI(I ′′) and the thesis follows by inductive hypothesis.
As a technical tool for proving our conformance result, we exploit a characterization
of conformance based on bisimilarity, to be able to exploit coinductive techniques in the
proof.
Definition 4.12 (Synchronous bisimilarity). A synchronous bisimulation is a relation R between IOCs and POCs such that if (I, S) ∈ R then:
— if I o?a→b−−−→ I′ then S o?a→b−−−→s S′ and (I′, S′) ∈ R;
— if I√−→ I′ then S√−→s S′ and (I′, S′) ∈ R;
— if S o?a→b−−−→s S′ then I o?a→b−−−→ I′ and (I′, S′) ∈ R;
— if S√−→s S′ then I√−→ I′ and (I′, S′) ∈ R.
Synchronous bisimilarity ∼s is the largest synchronous bisimulation.
If I√−→ and I′ o?a→b−−−→ I′′ then by inductive hypothesis proj(I′) o?a→b−−−→ proj(I′′). The thesis follows since thanks to Lemma 4.6 also proj(I; I′) o?a→b−−−→ proj(I′′).
Let us consider the other condition. Suppose:
S = ‖r (proj(I, r); proj(I′, r))r o?a→b−−−→ ‖r (Pr)r
Thus proj(I; I′, a) 〈o?〉−−→ Pa and proj(I; I′, b) o?−→ Pb. The two events should have the same index thanks to Lemma 4.2. Thus they are either both from I or both from I′. In the first case we have also ‖r (proj(I, r))r o?a→b−−−→ ‖r (P′′r)r with Pr = P′′r; proj(I′, r). Thus by inductive hypothesis I o?a→b−−−→ I′′ and ‖r (P′′r)r is the projection of I′′. Also I; I′ o?a→b−−−→ I′′; I′. The thesis follows.
In the second case thanks to Lemma 4.8 o?a→b ∈ transI(I; I′). Thus I√−→ and I′ o?a→b−−−→ I′′. Thanks to Lemma 4.6 then we have proj(I, a)√−→ and proj(I, b)√−→. Thus proj(I′, a) 〈o?〉−−→ Pa, proj(I′, b) o?−→ Pb and proj(I′) o?a→b−−−→ ‖r (Pr)r. The thesis follows by inductive hypothesis.
Case I ‖ I′: from the definition of the projection S = ‖r (proj(I, r) | proj(I′, r))r. If I ‖ I′ can perform an interaction then one of its two components can perform the same interaction and the thesis follows by inductive hypothesis. For the other direction, an input and an output on the same operation should be enabled. Thanks to Lemma 4.2 they should have the same index. Thus they are from the same component and the thesis follows by inductive hypothesis.
Case I + I′: from the definition of the projection S = ‖r (proj(I, r) + proj(I′, r))r. If I + I′ can perform an interaction, i.e. I + I′ o?a→b−−−→ I′′, then one of its two components can perform the same interaction. Let it be I. Thus I o?a→b−−−→ I′′. By inductive hypothesis
Definition 5.3 (Asynchronous well-annotated POC). A POC S is asynchronous well-annotated for a causality relation ≤a, a conflict relation #a and a full conflict relation f#a iff it is synchronous well-annotated w.r.t. ≤a, #a and f#a and for each output event s inside a choice, either s is in the role that makes the choice, or s is not minimal according to ≤a in the choice term.
The next lemma proves the correctness of function rem(•) in the asynchronous case.
Lemma 5.1. Let S be an asynchronous well-annotated POC. The following properties
hold:
— if S σ−→ S ′ for σ = o?a→b, σ = o? : a, or σ =√, then rem(S) σ−→ rem(S ′);
— if rem(S) σ−→ S ′′ for σ = o?a→b, σ = o? : a, or σ =√, then there exists S ′ such that
S σ−→ S ′ and rem(S ′) = S ′′.
Proof. Similar to the proof of Lemma 4.5. Additionally we have to show that the first
pruning operation does not remove sending events, to ensure that all the transitions
of the form S o?:a−−→ S ′ are preserved. For a sending event sj to be removed, it should
be unmatched, i.e. the corresponding input rj should have been consumed. The only
possibility is that the input has been discarded by a choice (either directly or via pruning).
This requires that an event e in conflict with rj has been performed. From the definition of
conflict relation, this event should be in conflict also with sj . According to the definition
of asynchronous well-annotated POC we have to consider two cases: either the output sj is in the role that makes the choice, or it is not minimal in the choice term. In the first
case, as soon as the choice has been made, the output has been discarded, thus it cannot
be enabled. If instead it is not minimal in the choice term, let us consider the minimal
event e′ in the same role and in the same branch of the choice as sj . The event e′ is in
conflict with e. It should be an input, since no output in the role can be minimal because
of the properties of asynchronous well-annotated POC. It should also be matched with
an output in the role that makes the choice, which is discarded. Thus such an input can
never be executed, and sj can never become enabled.
We prove now that asynchronous well-annotated POCs reduce to asynchronous well-
annotated POCs. The proof that projections of well-annotated, asynchronous connected
IOCs are asynchronous well-annotated POCs will be done separately for each notion of
asynchronous conformance.
Lemma 5.2. If S is an asynchronous well-annotated POC w.r.t. ≤a, #a and f#a and S σ−→ S′ with σ ∈ {o?a→b, o? : a, √}, then S′ is an asynchronous well-annotated POC w.r.t. the restrictions of ≤a, #a and f#a to the events in S′.
Proof. Similar to the proof of Lemma 4.4. In addition we have to show that for each
output event e inside a choice, either e is in the role that makes the choice, or e is not
minimal in the choice term. The condition holds for S. If e is in the role that makes the
choice then it is in the role that makes the choice also in S′, unless the choice is executed. However in this last case the choice is discarded and nothing has to be proved. Let us consider the case e not minimal in S. Assume by contradiction that e is minimal in S′. This means that all the events on which it was causally dependent have been performed.
However, the last such event is in the same role, thus performing it discards the choice.
Thus nothing has to be proved.
We proceed now to analyze the peculiar features of each asynchronous conformance
notion.
5.1. Sender conformance
According to the sender conformance, the IOC determines the order in which messages
are sent, disregarding when they are received. This is matched by the notion of sender
trace equivalence, based on strong maximal sender traces, which only include output
events.
Definition 5.4 (Sender trace equivalence). An IOC I and a POC S are sender trace
equivalent iff there is a bijection between strong maximal traces of I and strong maximal
sender traces of S such that, given a strong maximal trace t of I, the corresponding
strong maximal trace of S is obtained by replacing in t each label of the form o?a→b with
o? : a.
The translation on the labels is needed since o? : a is the POC label of the output
event that corresponds to the full interaction o?a→b.
We will develop the tools to prove:
Theorem 5.1 (Sender conformance). Let I be an IOC and S = proj(I) be its
projection. If I satisfies the connectedness conditions for the sender conformance, then
I and S are sender trace equivalent.
We start by formalizing the connectedness for sequence for the sender conformance.
Definition 5.5 (Sender connectedness for sequence). An IOC I is sender connected for sequence iff for each subterm of the form I′; I′′ we have ∀o?a→b ∈ transF(I′), ∀o′?c→d ∈ transI(I′′). a = c ∨ b = c.
In the following, when we say that an IOC is sender connected, we mean that it satisfies,
besides sender connectedness for sequence, also the asynchronous unique points of choice
property and the asynchronous causality safety property.
The next lemma shows that if an output event is enabled in the projection of an IOC,
then the corresponding interaction is initial.
Lemma 5.3. Let I be a sender connected IOC and i : o?a→b be an annotated interaction
in I. If i : o? is enabled in proj(I) then i : o?a→b ∈ transI(I).
Proof. By structural induction on I. The cases for 1, interactions, parallel composition
and choice are trivial. Let us consider sequential composition. Suppose I = I′; I′′. If i : o?a→b is in I′ the thesis follows by inductive hypothesis. Otherwise by inductive
hypothesis the interaction is in transI(I ′′). Thus from sender connectedness for sequence
for each o′?c→d ∈ transF(I ′) we have c = a or d = a. If transF(I ′) is not empty, in both
the cases we get a contradiction since i : o? cannot be enabled. If instead transF(I ′) is
empty, then thanks to Lemma 4.7 I ′√−→ and the thesis follows by inductive hypothesis.
We show now that projections of well-annotated, sender connected IOCs are asyn-
chronous well-annotated POCs.
Lemma 5.4. Let I be a well-annotated, sender connected IOC. Then proj(I) is an asynchronous well-annotated POC w.r.t. ≤aI, #aI and f#aI.
Proof. Similar to the proof of Lemma 4.3. In addition we have to show that for each
output event e inside a choice, either e is in the role that makes the choice, or e is not
minimal in the choice term. Assume that e is not in the role that makes the choice, but
in a generic role a. In particular, e is not in an initial interaction of the choice, since all
the senders of these interactions are in the role that makes the choice. Thus, it should
be in the projection on a of the second component of a sequence I; I ′ such that there
is no transition of the form I√−→. Take the smallest such sequence. Then e is initial in
the component I ′ of the sequence. Because of sender connectedness for sequence, all the
final interactions in the first component should have an event at role a. There is at least
one such interaction otherwise from Lemma 4.7 I√−→. If this interaction is not inside a
choice inside I then proj(I, a) has no transition of the form proj(I, a)√−→ and e cannot
be minimal. If the interaction is inside a choice, because of unique points of choice the
role a is involved in all the branches and again proj(I, a) has no transition of the form
proj(I, a)√−→ and e cannot be minimal.
As a technical tool for proving our conformance result, we exploit a characterization
of conformance based on bisimilarity, to be able to exploit coinductive techniques in the
proof.
As auxiliary notation we will write ⇒i for a sequence of zero or more input transitions o?1 a1→b1−−−−−→ · · · o?n an→bn−−−−−→.
Definition 5.6 (Sender bisimilarity). A sender bisimulation is a relation R between IOCs and POCs such that if (I, S) ∈ R then:
— if I o?a→b−−−→ I′ then S ⇒i o?:a−−→ S′ and (I′, S′) ∈ R;
— if I√−→ I′ then S ⇒i √−→ S′ and (I′, S′) ∈ R;
— if S o?:a−−→ S′ then I o?a→b−−−→ I′ and (I′, S′) ∈ R;
— if S√−→ S′ then I√−→ I′ and (I′, S′) ∈ R;
— if S o?a→b−−−→ S′ then (I, S′) ∈ R.
Sender bisimilarity ∼n is the largest sender bisimulation.
The following lemmas will simplify the proof of the conformance result. Below, by
mixed choice we mean a choice between two POC terms, one able to perform as its first
action an input, and another one able to start with an output action. By input choice,
we mean a choice between two POC terms able to perform, as their first action, only
inputs.
Lemma 5.5. Let S be a POC without mixed choice. If S o?:a−−→ S′ and S ⇒i S′′ then S′ ⇒i S′′′ and S′′ o?:a−−→ S′′′.
Proof. Trivial, by induction on the number of transitions in ⇒i.
Lemma 5.6. Let S be a POC. Suppose that for each input choice, there is at most one branch such that a message able to interact with it exists. If S o?a→b−−−→ S′ and S o′?c→d−−−→ S′′ with o? ≠ o′? then S′ o′?c→d−−−→ S′′′ and S′′ o?a→b−−−→ S′′′.
Proof. Trivial, by case analysis.
The next lemma defines an auxiliary relation for proving sender bisimilarity.
Lemma 5.7. Let R′ be a relation between IOCs and POCs. Let R = {(I,S ′′)|S ′′ ⇒i
S ∧ (I,S) ∈ R′}. Suppose that in each POC S ′′ there is no mixed choice and that for
each input choice, there is at most one branch such that a message able to interact with
it exists. If R′ is such that if (I,S) ∈ R′ then:
— if I o?a→b−−−→ I ′ then S o?:a−−→ S ′ and (I ′,S ′) ∈ R;
— if I√−→ I ′ then S
√−→ S ′ and (I ′,S ′) ∈ R;
— if S o?:a−−→ S ′ then I o?a→b−−−→ I ′ and (I ′,S ′) ∈ R;
— if S√−→ S ′ then I
√−→ I ′ and (I ′,S ′) ∈ R;
— S has no input transitions.
then R is a sender bisimulation.
Proof. The proof is by coinduction. Let (I,S ′′) ∈ R. Thus S ′′ ⇒i S ∧ (I,S) ∈ R′. We
have to show that (I,S ′′) satisfies the bisimilarity conditions.
Suppose I o?a→b−−−→ I′. We know that S′′ ⇒i S and since (I, S) ∈ R′ then S o?:a−−→ S′ with (I′, S′) ∈ R. The case of √ is similar.
Suppose now S′′ o?:a−−→ S′. We know that S′′ ⇒i S and (I, S) ∈ R′. From Lemma 5.5 S o?:a−−→ S′′′ and S′ ⇒i S′′′. From the third condition on R′, I o?a→b−−−→ I′ and (I′, S′′′) ∈ R. Since S′ ⇒i S′′′ also (I′, S′) ∈ R as desired. The case of √ is similar.
For the last condition we know that S′′ ⇒i S and S′′ o?a→b−−−→ S′. We prove that (I, S′) ∈ R by induction on the number of inputs in ⇒i. The base case is vacuously true, since S has no input transitions. For the inductive case, if the first input in ⇒i is not on operation o? we can apply Lemma 5.6 and the thesis follows by inductive hypothesis. Assume now that both the transitions are on the same operation. Then either two inputs or two messages (or both) on the same operation are concurrently enabled. At least one of them does not have the same index as an event it can interact with. Thus because of asynchronous causality safety the two events are either in causal relation or in full conflict relation, and because of the properties of asynchronous well-annotated POCs at least one of them is not enabled, contradicting the assumption that both are.
Lemma 5.8. Let I be an IOC and S be a POC. If I ∼n S then I and S are sender trace
equivalent.
Proof. Easy, by coinduction.
We can now prove Theorem 5.1.
Proof of Theorem 5.1. The proof shows that the relation
R = {(I,S)|S ⇒i S ′ ∧ rem(S ′) = proj(I)}
where I is a well-annotated, sender connected IOC and S is an asynchronous well-
annotated POC is a sender bisimulation. Consider the relation
R′ = {(I,S ′)| rem(S ′) = proj(I)}
The conditions of Lemma 5.7 on choice are satisfied thanks to the existence of asyn-
chronous unique points of choice. In fact, there is no mixed choice since for each term
I + I ′ all the interactions have the same sender, i.e. all the outputs are in the same role,
which cannot have enabled inputs. Also, for each input choice there is at most one branch
such that a message able to interact with it exists since as soon as a message is created,
all the other outputs are discarded.
Thus it is enough to show that the conditions of Lemma 5.7 on R′ are satisfied.
Thanks to Lemma 5.1, Lemma 5.4 and Lemma 5.2 one can just consider the case S′ = proj(I). First, rem(S′) has no input transitions since projections contain no messages.
For the other conditions the proof is by structural induction on I:
Case 0, 1: trivial.
Case o?a→b: the only possible transition is o?a→b o?a→b−−−→ 1. The associated POC is (o?)a ‖ (o?)b, which has as only transition (o?)a ‖ (o?)b o?:a−−→ (〈o?〉)a ‖ (o)b. This satisfies the first condition since (〈o?〉)a ‖ (o?)b o?a→b−−−→ (1)a ‖ (1)b = proj(1), thus (1, (〈o?〉)a ‖ (o?)b) ∈ R. The other conditions are satisfied too.
Case I; I′: from the definition of the projection function S = ‖r (proj(I, r); proj(I′, r))r. Suppose that I; I′ o?a→b−−−→ I′′. There are two possibilities: either I o?a→b−−−→ I′′′ and I′′ = I′′′; I′, or I√−→ and I′ o?a→b−−−→ I′′. In the first case by inductive hypothesis ‖r (proj(I, r))r o?:a−−→ ⇒i ‖r (proj(I′′′, r))r. As a consequence ‖r (proj(I, r); proj(I′, r))r o?:a−−→ ⇒i ‖r (proj(I′′′, r); proj(I′, r))r and the thesis follows. The second case is similar.
Let us consider now the case ‖r (proj(I, r); proj(I′, r))r o?:a−−→ S. We should have o? enabled. Thus thanks to Lemma 5.3 we have o?a→b ∈ transI(I; I′). We have two cases: either o? is in the projection of I or it is in the projection of I′ (thanks to asynchronous causality safety and Lemma 5.4 exactly one o? is enabled).
Suppose o? is in proj(I). Then I; I′ o?a→b−−−→ I′′′; I′ and by inductive hypothesis ‖r (proj(I, r))r o?:a−−→ S ⇒i ‖r (proj(I′′′, r))r. Then ‖r (proj(I; I′, r))r o?:a−−→ S′′ ⇒i ‖r (proj(I′′′; I′, r))r. Note that the inputs in ⇒i are the same ones as before since from asynchronous causality safety and Lemma 5.4 at most one input on any operation can be enabled.
The case o? in proj(I′) is possible only if I√−→, and follows trivially by inductive hypothesis.
The cases for √ actions are trivial.
Case I ‖ I′: from the definition of the projection S = ‖r (proj(I, r) | proj(I′, r))r. If I ‖ I′ has a transition then one of its two components has the same transition and the thesis follows from inductive hypothesis. Let us consider the other direction. Suppose the output is from proj(I), i.e. proj(I) o?:a−−→ S′′ = ‖r (P′′r)r. Then by inductive hypothesis I o?a→b−−−→ I′′ with (I′′, S′′) ∈ R. This means that S′′ ⇒i proj(I′′). Also proj(I ‖ I′) o?:a−−→ ‖r (P′′r | proj(I′, r))r. All the inputs can be done by ‖r (P′′r)r. Thus:
‖r (P′′r | proj(I′, r))r ⇒i proj(I′′ ‖ I′)
as desired.
Case I + I′: from the definition of the projection S = ‖r (proj(I, r) + proj(I′, r))r. If I + I′ has a transition then one of its two components has the same transition. Suppose that I is such a component. Then we have ‖r (proj(I, r) + proj(I′, r))r o?a→b−−−→ ⇒i ‖r (proj(I, r) + P′′r)r. We have to show that rem(‖r (proj(I, r) + P′′r)r) = ‖r (proj(I, r))r. We show that the equality holds for each role. For role a this is trivial. For other roles, the output transition leaves them unchanged. However, thanks to the definition of asynchronous well-annotated POC and of conflict relation, all the events in proj(I′, r) are removed by rem(•). No event in proj(I, r) is removed but the event matching the output, which is removed by the following input transition, since there is no unmatched event inside proj(I). The case for √ is similar.
Consider the other direction. Suppose the output is from proj(I), i.e. proj(I) o?:a−−→ S′′ = ‖r (P′′r)r. Then by inductive hypothesis we have I o?a→b−−−→ I′′ with (I′′, S′′) ∈ R. This means that S′′ ⇒i proj(I′′). Also proj(I + I′) o?:a−−→ ‖r (P′′r + P′′′′r)r. All the inputs can be done by ‖r (P′′r)r. Thus ‖r (P′′r + P′′′′r)r ⇒i ‖r (proj(I′′, r) + P′′′′′r)r. We have to show that rem(‖r (P′′′′′r)r) = ‖r (0)r. The technique is the same as for the other direction.
Since sender bisimilarity implies sender trace equivalence (Lemma 5.8) then the thesis
follows.
As a consequence, each POC obtained by projecting an initial sender connected IOC
is deadlock free.
Proposition 5.1. Let I be an initial sender connected IOC and proj(I) its projection. All maximal asynchronous traces of proj(I) are complete.
Proof. This follows from the sender conformance between IOC and POC (Theorem 5.1)
and from Proposition 2.1, guaranteeing that the same property holds for the IOC.
5.2. Receiver conformance
According to the receiver conformance, the IOC determines the order in which messages
are received, disregarding when they are sent. This is matched by the notion of receiver
trace equivalence, based on strong maximal receiver traces, which only include input
events.
Definition 5.7 (Receiver trace equivalence). An IOC I and a POC S are receiver
trace equivalent iff the strong maximal traces of I coincide with the strong maximal
receiver traces of S.
We will develop the tools to prove:
Theorem 5.2 (Receiver conformance). Let I be an IOC and S = proj(I) be its
projection. If I satisfies the connectedness conditions for the receiver conformance, then
I and S are receiver trace equivalent.
We start by formalizing the connectedness for sequence for the receiver conformance.
Definition 5.8 (Receiver connectedness for sequence). An IOC I is receiver connected for sequence iff for each subterm of the form I′; I′′ we have ∀o?a→b ∈ transF(I′), ∀o′?c→d ∈ transI(I′′). b = c ∨ b = d.
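As an added example (the editor's code, not part of the paper nor of any tool by its authors), the following Python checker implements transI and transF exactly as the equations of Section 4 give them and tests the three connectedness-for-sequence conditions of Definitions 4.2, 5.5 and 5.8 side by side on the same IOC; it also reports pairs of distinct initial interactions on the same operation, the situation of Example 4.2 that causality safety (Definition 4.9) rules out. The expression tree, the termination predicate, the function names and the sample IOCs (other than Example 4.2 itself) are this example's own assumptions.

```python
# Added example (editor's code, not the paper's): connectedness-for-sequence
# checker for the synchronous (Def. 4.2), sender (Def. 5.5) and receiver
# (Def. 5.8) conformance notions, built on the page's transI / transF
# equations, plus the initial-state clash of Example 4.2.  The syntax tree,
# termination predicate and all names below are this example's own assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class Interaction:
    """Annotated interaction  i : o^{a -> b}  (index, operation, sender, receiver)."""
    idx: int
    op: str
    sender: str
    receiver: str

    def __str__(self) -> str:
        return f"{self.idx}:{self.op}^{{{self.sender}->{self.receiver}}}"

    @property
    def roles(self) -> Set[str]:
        return {self.sender, self.receiver}


@dataclass(frozen=True)
class One:            # the terminated IOC 1 (0 is left out of this example)
    pass


@dataclass(frozen=True)
class Binary:
    left: "IOC"
    right: "IOC"


class Seq(Binary): pass      # I ; I'
class Par(Binary): pass      # I || I'
class Choice(Binary): pass   # I + I'


IOC = Union[Interaction, One, Seq, Par, Choice]


def can_terminate(i: IOC) -> bool:
    """I -√->  (assumed: 1 terminates, an interaction does not, ';' and '||'
    need both components to terminate, '+' needs one of them)."""
    if isinstance(i, One):
        return True
    if isinstance(i, Interaction):
        return False
    if isinstance(i, Choice):
        return can_terminate(i.left) or can_terminate(i.right)
    return can_terminate(i.left) and can_terminate(i.right)


def trans_i(i: IOC) -> Set[Interaction]:
    """transI (initial interactions), following the page's equations literally."""
    if isinstance(i, Interaction):
        return {i}
    if isinstance(i, One):
        return set()
    if isinstance(i, (Par, Choice)):
        return trans_i(i.left) | trans_i(i.right)
    return trans_i(i.right) if can_terminate(i.left) else trans_i(i.left)


def trans_f(i: IOC) -> Set[Interaction]:
    """transF (final interactions), following the page's equations literally."""
    if isinstance(i, Interaction):
        return {i}
    if isinstance(i, One):
        return set()
    if isinstance(i, (Par, Choice)):
        return trans_f(i.left) | trans_f(i.right)
    return trans_f(i.left) if can_terminate(i.right) else trans_f(i.right)


# "final interaction f may be followed in sequence by initial interaction n"
SEQUENCE_CONDITIONS: Dict[str, Callable[[Interaction, Interaction], bool]] = {
    "synchronous": lambda f, n: bool(f.roles & n.roles),  # Def. 4.2: {a,b} ∩ {c,d} ≠ ∅
    "sender":      lambda f, n: n.sender in f.roles,      # Def. 5.5: a = c ∨ b = c
    "receiver":    lambda f, n: f.receiver in n.roles,    # Def. 5.8: b = c ∨ b = d
}


def sequence_violations(i: IOC, mode: str) -> List[Tuple[Interaction, Interaction]]:
    """(final, initial) pairs of some subterm I';I'' that break the chosen condition."""
    ok = SEQUENCE_CONDITIONS[mode]
    if isinstance(i, (Interaction, One)):
        return []
    found = sequence_violations(i.left, mode) + sequence_violations(i.right, mode)
    if isinstance(i, Seq):
        found += [(f, n) for f in trans_f(i.left) for n in trans_i(i.right) if not ok(f, n)]
    return found


def connected_for_sequence(i: IOC) -> Dict[str, bool]:
    """Which of the three connectedness-for-sequence conditions the IOC satisfies."""
    return {mode: not sequence_violations(i, mode) for mode in SEQUENCE_CONDITIONS}


def initial_same_operation_pairs(i: IOC) -> List[Tuple[Interaction, Interaction]]:
    """Initial interactions with different indexes on the same operation: their events
    are all enabled in proj(I), so an output of one and an input of the other are
    enabled together, the Example 4.2 situation that causality safety forbids."""
    init = sorted(trans_i(i), key=lambda x: x.idx)
    return [(p, q) for p in init for q in init if p.idx < q.idx and p.op == q.op]


# Constructed sample IOCs (this example's own, except EX42, which is Example 4.2).
EX42 = Par(Interaction(1, "o", "a", "b"), Interaction(2, "o", "c", "d"))
CHAIN = Seq(Interaction(1, "o", "a", "b"), Interaction(2, "o2", "b", "c"))         # a->b ; b->c
NEW_SENDER = Seq(Interaction(1, "o", "a", "b"), Interaction(2, "o2", "c", "b"))    # a->b ; c->b
NEW_RECEIVER = Seq(Interaction(1, "o", "a", "b"), Interaction(2, "o2", "a", "c"))  # a->b ; a->c
AFTER_PAR = Seq(Par(Interaction(1, "o", "a", "b"), Interaction(2, "o2", "c", "d")),
                Interaction(3, "o3", "b", "c"))                                     # (a->b || c->d) ; b->c

if __name__ == "__main__":
    for name, ioc in [("CHAIN", CHAIN), ("NEW_SENDER", NEW_SENDER),
                      ("NEW_RECEIVER", NEW_RECEIVER), ("AFTER_PAR", AFTER_PAR)]:
        print(f"{name:13s}", connected_for_sequence(ioc))
    print("Example 4.2 clashes:", [(str(p), str(q)) for p, q in initial_same_operation_pairs(EX42)])
```

Running the module shows how the three notions separate: a→b; c→b is synchronous and receiver connected but not sender connected (c may send before a has sent), a→b; a→c is sender connected but not receiver connected (c may receive before b has received), and (a→b ‖ c→d); b→c passes only the synchronous condition, because the final interaction c→d shares no role with the sender b and no receiver with b→c. Only the synchronous condition is symmetric in sender and receiver, which is exactly what Definitions 5.5 and 5.8 give up.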
In the receiver case, we also have to strengthen the definition of unique points of choice.
Definition 5.9 (Asynchronous receiver unique points of choice). An IOC I has asynchronous receiver unique points of choice iff for each subterm of the form I′ + I′′ we have:
— roles(I′) = roles(I′′);
— no output outside the role that makes the choice is minimal in the choice term according to the causality relation.
The last condition is necessary to avoid that outputs in the wrong branch of the choice
are executed before the choice is made.
Remark 5.1. The last condition in the definition of asynchronous receiver unique points
of choice is not necessary in the other asynchronous cases, since it follows from the
asynchronous unique points of choice property and the sender connectedness for sequence
(cf. the proof of Lemma 5.4). Thanks to this implication, even if we will not require this condition for the sender-receiver conformance and the disjoint conformance, sender-receiver and disjoint connectedness will imply receiver connectedness.
In the following, when we say that an IOC is receiver connected, we mean that it sat-
isfies, besides receiver connectedness for sequence, also the asynchronous receiver unique
points of choice property and the asynchronous causality safety property.
We show now that projections of well-annotated, receiver connected IOCs are asyn-
chronous well-annotated POCs.
Lemma 5.9. Let I be a well-annotated, receiver connected IOC. Then proj(I) is an asynchronous well-annotated POC w.r.t. ≤aI, #aI and f#aI.
Proof. Similar to the proof of Lemma 5.4. Just note that the fact that for each output
event e inside a choice, either e is in the role that makes the choice, or e is not minimal in
the choice term follows from the additional condition required for asynchronous receiver
unique points of choice.
As auxiliary notation we write ⇒o for a sequence of zero or more output transitions o?1:a1−−−→ · · · o?n:an−−−−→.
The next lemma shows that if in the projection of an IOC, after a sequence of out-
put events, an input and a message on the same operation are both enabled, then the
corresponding interaction is initial.
Lemma 5.10. Let I be a receiver connected IOC and $i : o_{a\to b}$ be an interaction in I. If there exists S such that $\mathrm{proj}(I) \Rightarrow_o S$ and $i : o$ and $i : \langle o \rangle$ are both enabled in S, then $i : o_{a\to b} \in \mathrm{transI}(I)$.
Proof. By structural induction on I. The cases for 0, 1, interactions, parallel composition and choice are trivial. Let us consider sequential composition. Suppose I = I′; I′′. If $i : o_{a\to b}$ is in I′ the thesis follows by inductive hypothesis. Otherwise by inductive hypothesis the interaction is in transI(I′′). Thus from receiver connectedness for sequence, for each $o'_{c\to d} \in \mathrm{transF}(I')$ we have d = a or d = b. If d = b then $i : o$ could never become enabled. Also, no $j : o$ with j ≠ i can be enabled if $i : \langle o \rangle$ is enabled, because of asynchronous causality safety and Lemma 5.9. If d = a then $i : \langle o \rangle$ could never be created. No $j : \langle o \rangle$ with j ≠ i could be enabled if $i : o$ is enabled, because of asynchronous causality safety and Lemma 5.9. Thus we have a contradiction and this case can never happen.
The next lemma shows that output events which are not part of a given interaction
can always be postponed after the interaction.
Lemma 5.11. Let I be a receiver connected IOC. If we have $\mathrm{proj}(I) \Rightarrow_o S' \xrightarrow{o_{a\to b}} S''$ and $I \xrightarrow{o_{a\to b}} I'$ then $\mathrm{proj}(I') \Rightarrow_o \mathrm{rem}(S'')$.
Proof. The proof is by structural induction on I. The cases for 0, 1 and interactions
are trivial.
Let us consider I = I′′ ‖ I′′′. Suppose the interaction comes from I′′, i.e. $I'' \xrightarrow{o_{a\to b}} I''''$.
I. Lanese, F. Montesi and G. Zavattaro 28
Because of asynchronous causality safety and Lemma 5.9, in the projection just one input for o can be enabled if an output is. Thus $\|_r(\mathrm{proj}(I'',r) \mid \mathrm{proj}(I''',r))_r \Rightarrow_o \xrightarrow{o_{a\to b}} \|_r(P''_r \mid P'''_r)_r$ with $\|_r(\mathrm{proj}(I'',r))_r \Rightarrow_o \xrightarrow{o_{a\to b}} \|_r(P''_r)_r$ and $\|_r(\mathrm{proj}(I''',r))_r \Rightarrow_o \|_r(P'''_r)_r$. By inductive hypothesis $\mathrm{proj}(I'''') \Rightarrow_o \|_r(P''_r)_r$. Thus $\mathrm{proj}(I'''' \parallel I''') \Rightarrow_o \|_r(P''_r \mid P'''_r)_r$ as desired.
Let us consider I = I′′; I′′′. Suppose the interaction comes from I′′, i.e. $I'' \xrightarrow{o_{a\to b}} I''''$. Because of asynchronous causality safety and Lemma 5.9, in the projection just one input for o can be enabled if an output is. Thus we have:
$\|_r(\mathrm{proj}(I'',r); \mathrm{proj}(I''',r))_r \Rightarrow_o \xrightarrow{o_{a\to b}} \|_r(P''_r; P'''_r)_r$
with $\|_r(\mathrm{proj}(I'',r))_r \Rightarrow_o \xrightarrow{o_{a\to b}} \|_r(P''_r)_r$ and also $\|_r(\mathrm{proj}(I''',r))_r \Rightarrow_o \|_r(P'''_r)_r$. By inductive hypothesis we have $\mathrm{proj}(I'''') \Rightarrow_o \|_r(P''_r)_r$. Thus $\mathrm{proj}(I''''; I''') \Rightarrow_o \|_r(P''_r; P'''_r)_r$ as desired. The other case is analogous.
Let us consider I = I′′ + I′′′. Suppose the interaction comes from I′′, i.e. $I'' \xrightarrow{o_{a\to b}} I''''$. Because of asynchronous causality safety and Lemma 5.9, in the projection just one input for o can be enabled if an output is. Thus $\|_r(\mathrm{proj}(I'',r) + \mathrm{proj}(I''',r))_r \Rightarrow_o \xrightarrow{o_{a\to b}} \|_r(P''_r)_r$ with $\|_r(\mathrm{proj}(I'',r))_r \Rightarrow_o \xrightarrow{o_{a\to b}} \|_r(P''_r)_r$, and the thesis follows by inductive hypothesis. The second case is similar. The case for $\surd$ is similar too.
Let us consider the case $\|_r(\mathrm{proj}(I,r); \mathrm{proj}(I',r))_r \Rightarrow_o S$ and $S \xrightarrow{o_{a\to b}} S'$. In S both o and $\langle o \rangle$ are enabled. Thus thanks to Lemma 5.10 we have $o_{a\to b} \in \mathrm{transI}(I; I')$. If $I \xrightarrow{\surd}$ then $o_{a\to b} \in \mathrm{transI}(I')$ and the thesis follows trivially by induction. Otherwise the thesis follows from Lemma 5.11. The case for $\surd$ is similar.
The last condition is trivially satisfied.
Case I ‖ I′: from the definition of the projection $S = \|_r(\mathrm{proj}(I,r) \mid \mathrm{proj}(I',r))_r$. If I ‖ I′ has a transition then one of its two components has the same transition and the thesis follows from the inductive hypothesis. The case for $\surd$ is similar.
Suppose $S \xrightarrow{o_{a\to b}} S'$. We have that $\mathrm{proj}(I \parallel I') \Rightarrow_o S$. In S both o and $\langle o \rangle$ are enabled. From Lemma 5.10 $o_{a\to b} \in \mathrm{transI}(I \parallel I')$. Suppose $o_{a\to b}$ is from I, i.e. $I \xrightarrow{o_{a\to b}} I'''$. Thanks to asynchronous causality safety there is only one o that can do the receive. Thus by inductive hypothesis $\mathrm{proj}(I) \Rightarrow_o S'' \xrightarrow{o_{a\to b}} S'''$ and $(I''', S''') \in R$. Also, $\mathrm{proj}(I') \Rightarrow_o S''''$. We have $P'_r = P'''_r \mid P''''_r$ with $S' = \|_r(P'_r)_r$, $S''' = \|_r(P'''_r)_r$ and $S'''' = \|_r(P''''_r)_r$. Thus $(I''' \parallel I', S') \in R$ as desired. The case for $\surd$ is similar.
The last condition is trivially satisfied.
Case I + I′: from the definition of the projection $S = \|_r(\mathrm{proj}(I,r) + \mathrm{proj}(I',r))_r$. If I + I′ has a transition then one of its two components has the same transition. Suppose that I is such a component. In order to prove the thesis we have to show that proj(I′) is discarded. This follows from the definition of asynchronous well-annotated POC and conflict relation. The case for $\surd$ is similar.
Suppose $S \xrightarrow{o_{a\to b}} S'$. We have that $\mathrm{proj}(I + I') \Rightarrow_o S$. In S both o and $\langle o \rangle$ are enabled. From Lemma 5.10 $o_{a\to b} \in \mathrm{transI}(I + I')$. Suppose $o_{a\to b}$ is from I, i.e. $I \xrightarrow{o_{a\to b}} I'''$. Thanks to asynchronous causality safety there is only one o that can do the receive. Thus by inductive hypothesis $\mathrm{proj}(I) \Rightarrow_o S'' \xrightarrow{o_{a\to b}} S'''$ and $(I''', S''') \in R$. We have $P'_r = P'''_r + P''''_r$ with $S' = \|_r(P'_r)_r$, $S''' = \|_r(P'''_r)_r$ and $S'''' = \|_r(P''''_r)_r$. We have to show that $\mathrm{rem}(P''''_r) = 0$ for each r. The technique is the same as for the other direction. Thus $(I''', S') \in R$ as desired. The case for $\surd$ is similar.
The last condition is trivially satisfied.
Since sender bisimilarity implies sender trace equivalence (Lemma 5.12), the thesis follows.
As a consequence, each POC obtained by projecting an initial receiver connected IOC
is deadlock free.
Proposition 5.2. Let I be an initial receiver connected IOC and proj(I) its projection. All maximal asynchronous traces of proj(I) are complete.
Proof. This follows from the conformance between IOC and POC (Theorem 5.2) and
from Proposition 2.1, guaranteeing that the same property holds for the IOC.
5.3. Sender-receiver conformance
According to the sender-receiver conformance, the IOC determines the order in which
messages are sent and the order in which messages are received. However, there is no
constraint relating sending events to receiving events.
We will not describe the sender-receiver connectedness conditions in detail: simply, an IOC
is connected according to the sender-receiver conformance iff it is connected according
to both the sender conformance and the receiver conformance. In particular, thanks
to Remark 5.1 it is enough to require asynchronous unique points of choice instead of
asynchronous receiver unique points of choice. Similarly, the sender-receiver conformance
ensures that both the results for the sender conformance and the receiver conformance
hold.
We can thus state the conformance theorem for the sender-receiver semantics:
Theorem 5.3 (Sender-receiver conformance). Let I be an IOC and S = proj(I) be its projection. If I satisfies the connectedness conditions for the sender-receiver conformance, then I and S are sender-receiver trace equivalent.
Proof. It follows from Theorem 5.1 and Theorem 5.2.
5.4. Disjoint conformance
According to the disjoint conformance, the IOC determines both when messages are
sent and when they are received. Differently from the sender-receiver conformance which
considers sending and receiving events separately, the disjoint conformance considers also
their interplay.
In order to formalize the disjoint trace equivalence we need to add some more infor-
mation to POC traces.
Definition 5.11 (Indexed POC trace). An indexed POC trace is a POC trace where a label index is associated to each label different from $\surd$, as described below. Output labels have increasing label indexes: the first output label has index 1, the second one index 2, and so on. Indexes are given to input labels considering, for each operation o, their position in the subsequence containing the inputs on operation o. The index given to the input label on operation o in position i is the same index of the i-th output on operation o.
Indexes of labels are not to be confused with indexes of interactions and of events. The
next lemma shows that a POC trace can always be indexed.
Lemma 5.13. Let S be a POC without messages, and t a trace of S. Then it is possible to give label indexes to all the labels in t different from $\surd$, transforming it into an indexed trace.
Proof. One only has to check that for each operation o there are at least as many output labels on o as input labels on o. Since each input on operation o consumes a message on operation o, and only outputs on operation o can create such messages, the thesis follows.
We can now define disjoint trace equivalence.
Definition 5.12 (Disjoint trace equivalence). An IOC I and a POC S are disjoint trace equivalent iff:
1 for each strong maximal trace t of I there is an asynchronous strong maximal trace of S obtained from t by replacing each label $o_{a\to b}$ with the sequence of two labels $o : a$ and $o_{a\to b}$;
2 for each indexed asynchronous strong maximal trace of S, each trace obtained by leaving only one label for each label index can be obtained from a strong maximal trace of I by replacing some labels $o_{a\to b}$ with $o : a$.
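As an added worked example (not code from the paper), the following Python indexes a constructed asynchronous POC trace as in Definition 5.11, performs the availability check behind Lemma 5.13, and carries out the two label rewritings of Definition 5.12: the expansion of an IOC trace in item 1 and the collapse of an indexed trace in item 2, where the choice of which label to keep for each index is an explicit parameter. The tuple encoding of labels and the sample trace are this example's own constructions.

```python
"""Label indexes on asynchronous POC traces (Definition 5.11) and the
trace rewritings of Definition 5.12.  Added example, not the paper's code.

Labels are encoded as tuples (a convention of this example):
  ('out', o, a)     the output label  o : a
  ('in',  o, a, b)  the interaction / input label  o_{a->b}
  ('tick',)         the termination label
"""

TICK = ('tick',)


def index_trace(trace):
    """Return [(label_index, label), ...]; the tick gets index None.

    Outputs are numbered 1, 2, ... in trace order.  The k-th input on
    operation o receives the index of the k-th output on o.  An input whose
    k-th output has not yet appeared cannot be executed by a POC without
    pending messages (the argument of Lemma 5.13), so it is rejected.
    """
    outputs_on = {}   # operation -> indexes of its outputs, in order
    consumed = {}     # operation -> number of inputs already indexed
    indexed, next_index = [], 1
    for label in trace:
        if label == TICK:
            indexed.append((None, label))
            continue
        kind, op = label[0], label[1]
        if kind == 'out':
            outputs_on.setdefault(op, []).append(next_index)
            indexed.append((next_index, label))
            next_index += 1
        elif kind == 'in':
            k = consumed.get(op, 0)
            if k >= len(outputs_on.get(op, [])):
                raise ValueError(f"input on {op!r} with no matching earlier output")
            consumed[op] = k + 1
            indexed.append((outputs_on[op][k], label))
        else:
            raise ValueError(f"unknown label {label!r}")
    return indexed


def expand(ioc_trace):
    """Definition 5.12(1): replace each o_{a->b} by the pair  o : a , o_{a->b}."""
    poc_trace = []
    for label in ioc_trace:
        if label[0] == 'in':
            poc_trace.append(('out', label[1], label[2]))
        poc_trace.append(label)
    return poc_trace


def collapse(indexed, keep_output):
    """Definition 5.12(2): keep exactly one label per label index.

    keep_output[i] is True to keep the output carrying index i, False to
    keep the input.  The tick is always kept.
    """
    return [label for index, label in indexed
            if index is None or (label[0] == 'out') == keep_output[index]]


def underlying_ioc_trace(indexed, keep_output):
    """The IOC trace a collapsed trace comes from: a kept output o : a is
    rewritten back to the interaction o_{a->b} carrying the same index."""
    inputs = {index: label for index, label in indexed
              if index is not None and label[0] == 'in'}
    result = []
    for index, label in indexed:
        if index is None:
            result.append(label)
        elif (label[0] == 'out') == keep_output[index]:
            result.append(inputs.get(index, label))
    return result


# Constructed sample: the only asynchronous trace of the projection of the
# disjoint connected IOC  o_{a->b}; o_{b->c}  (operation o used twice).
SAMPLE = [('out', 'o', 'a'), ('in', 'o', 'a', 'b'),
          ('out', 'o', 'b'), ('in', 'o', 'b', 'c'), TICK]

if __name__ == '__main__':
    for index, label in index_trace(SAMPLE):
        print(index, label)
```

Because indexing is purely positional per operation, it says nothing by itself about which interaction an input belongs to; it is Lemma 5.16 that guarantees, for traces of projections of disjoint connected IOCs, that a shared label index means a shared interaction.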
We will develop the tools to prove:
Theorem 5.4 (Disjoint conformance). Let I be an IOC and S = proj(I) be its
projection. If I satisfies the connectedness conditions for the disjoint conformance, then
I and S are disjoint trace equivalent.
We start by formalizing the connectedness for sequence for the disjoint conformance.
Definition 5.13 (Disjoint connectedness for sequence). An IOC I is disjoint connected for sequence if for each subterm of the form J; J′ we have $\forall o_{a\to b} \in \mathrm{transF}(J),\ \forall o'_{c\to d} \in \mathrm{transI}(J').\ b = c$.
In the following, when we say that an IOC is disjoint connected, we mean that it
satisfies, besides disjoint connectedness for sequence, also the asynchronous unique points
of choice property and the asynchronous causality safety property.
We show now that projections of well-annotated, disjoint connected IOCs are asyn-
chronous well-annotated POCs.
Lemma 5.14. Let I be a well-annotated, disjoint connected IOC. Then proj(I) is an asynchronous well-annotated POC w.r.t. $\leq^a_I$, $\#^a_I$ and $\sharp^a_I$.
Proof. Similar to the proof of Lemma 5.4.
The next lemma shows that if an output event is enabled in the projection of an IOC, then the corresponding input is enabled too and the corresponding interaction is initial.
Lemma 5.15. Let I be a disjoint connected IOC and $i : o_{a\to b}$ be an interaction in I. If the output $i : \bar{o}$ is enabled in proj(I) then the input $i : o$ is enabled in proj(I) as well. Furthermore $o_{a\to b} \in \mathrm{transI}(I)$.
Proof. By structural induction on I. The cases for 0, 1 and interactions are trivial. For parallel composition and choice, asynchronous causality safety and Lemma 5.14 ensure that the input and the corresponding output are from the same component, thus the inductive hypothesis can be applied. Let us consider sequential composition. Suppose I = I′; I′′. If $o_{a\to b}$ is in I′ the thesis follows by inductive hypothesis. Otherwise by inductive hypothesis the interaction is in transI(I′′). Thus from disjoint connectedness for each $o'_{c\to d} \in \mathrm{transF}(I')$ we have d = a. If transF(I′) is not empty we have a contradiction, since $\bar{o}$ cannot be enabled. If it is empty then from Lemma 4.7 $I' \xrightarrow{\surd}$ and the thesis follows.
As a technical tool for proving our conformance result, we give a characterization of conformance based on bisimilarity, so that coinductive techniques can be used in the proof.
Definition 5.14 (Disjoint bisimilarity). A disjoint bisimulation is a relation R between IOCs and POCs such that if (I, S) ∈ R then:
— if $I \xrightarrow{o_{a\to b}} I'$ then $S \xrightarrow{o:a} S'' \xrightarrow{o_{a\to b}} S'$ and (I′, S′) ∈ R; furthermore if $S'' \xrightarrow{\gamma} S'''$ then $S \xrightarrow{\gamma} \xrightarrow{o:a} S'''$;
— if $I \xrightarrow{\surd} I'$ then $S \xrightarrow{\surd} S'$ and (I′, S′) ∈ R;
— if $S \xrightarrow{o:a} S'$ then $S' \xrightarrow{o_{a\to b}} S''$ and $I \xrightarrow{o_{a\to b}} I'$ and (I′, S′′) ∈ R;
— if $S \xrightarrow{\surd} S'$ then $I \xrightarrow{\surd} I'$ and (I′, S′) ∈ R.
Disjoint bisimilarity $\sim_d$ is the largest disjoint bisimulation.
The diamond property condition in the first item is needed to ensure that the output does not enable any new transition other than the corresponding input. Without this condition, e.g., the IOC $o_{a\to b}; o'_{a\to c}$ would be bisimilar to its projection $(\bar{o}; \bar{o}')_a \parallel (o; \mathbf{1})_b \parallel (\mathbf{1}; o')_c$, but the projection can perform the output on o′ before the input on o, thus violating the disjointness property we want to guarantee.
The following lemma relates label indexes and indexes from interactions.
Lemma 5.16. Let I be a disjoint connected IOC and S be its projection. Let t be an
indexed asynchronous maximal trace of S. If two events in t have the same label index,
then they also have the same interaction index.
Proof. If two events have the same label index then they are on the same operation, and they are one output and one input. Let us prove the thesis for all the events on some operation o, by induction on the number of such events. The base case of no outputs is trivial. Let us consider the inductive case. Let us take the first output. We will show that it has the same index i as the first input. Suppose by contradiction that this is not the case, i.e. it has an index j ≠ i. Then there should be another output with index i, and this should be before the input with index i and after the first output. Also, there should be an input with index j after the one with index i. This violates the causality safety conditions, thus we have a contradiction. This ensures that the first input on o and the first output on o are from the same interaction. The thesis follows by inductive hypothesis, considering the trace without those two events (which can be obtained by projecting the IOC where the corresponding interaction has been removed).
The following lemma shows that executions of the components of a sequential composition are disjoint. Actually, this is the property that gives its name to the disjoint conformance. Note that to state this property one has to refer to the starting IOC.
Lemma 5.17. Let I = I′; I′′ be an IOC connected according to the disjoint semantics. Then each asynchronous maximal trace of proj(I) is obtained by concatenating an asynchronous maximal trace of proj(I′) (without the final $\surd$ action) and an asynchronous maximal trace of proj(I′′).
Proof. Take a maximal trace t of proj(I). If the trace is obtained by executing only
events in proj(I ′) followed by only events in proj(I ′′) we are done. Assume towards a
contradiction that this is not the case. Take the first event in proj(I ′′) to be executed.
Let e be such an event, and let a be its role. If e is not minimal in I ′′ then it cannot be
enabled, since the event it depends on has not been executed yet. If it is minimal, then
the corresponding interaction is in transI(I′′). We have two cases: either e is an output event, or it is an input event. Assume e is an
output event. Then the input of all transitions in transF(I ′) should be in the same role
because of disjoint connectedness for sequence. By hypothesis, at least one such event
has not been executed yet. Also, if such event is inside a choice then an event in the same
role occurs in each branch of the choice because of asynchronous unique points of choice,
thus the event e is not minimal in the term and cannot be enabled. We have the desired
contradiction. If the event is an input event then it cannot be executed since there is no
enabled message that can interact with it. Again, we have a contradiction.
The next lemma shows that output events can be postponed unless the generated
message is read by the next event.
Lemma 5.18. Let I be a disjoint connected IOC and S its projection. Let t be one of its traces. If t includes a subtrace $S' \xrightarrow{o:a} \xrightarrow{\gamma} S''$ where γ and $o : a$ are not matching events, then it also includes a subtrace $S' \xrightarrow{\gamma} \xrightarrow{o:a} S''$.
Proof. By structural induction on I. The cases of 0, 1 and interactions are trivial.
Let us consider parallel composition. If the two actions are from the same component
then the thesis follows by inductive hypothesis, otherwise it is trivial. For choice note
that the two actions should come from the same component, since after an action in a
component has been executed, the ones from the other component are not executable any
more. Thus inductive hypothesis can be applied. Let us consider sequential composition.
If the two actions are from the same component then the thesis follows from inductive
hypothesis. Assume that they are in different components. Thanks to Lemma 5.17 they
should be the last action of the first component and the first action of the second. One
can prove that the last action of the projection of an IOC (before the√) is always an
input (the proof is by structural induction on the IOC). Thus we have a contradiction
and this case can never happen.
Similarly, input events can be anticipated unless they read a newly generated message.
Lemma 5.19. Let I be a disjoint connected IOC and S its projection. Let t be one of its traces. If t includes a subtrace $S' \xrightarrow{\gamma} \xrightarrow{o_{a\to b}} S''$ where $o_{a\to b}$ and γ are not matching events, then it also includes a subtrace $S' \xrightarrow{o_{a\to b}} \xrightarrow{\gamma} S''$.
Proof. By structural induction on I. The cases of 0, 1 and interactions are trivial. Let us consider parallel composition. If the two actions are from the same component then the thesis follows by inductive hypothesis, otherwise it is trivial. For choice note that the two actions should come from the same component, since after an action in a component has been executed, the ones from the other component are not executable any more. Thus the inductive hypothesis can be applied. Let us consider sequential composition. If the two actions are from the same component then the thesis follows from the inductive hypothesis. Assume that they are in different components. Thanks to Lemma 5.17 they should be the last action of the first component and the first action of the second. One can prove that the first action of the projection of an IOC is always an output (the proof is by structural induction on the IOC). Thus we have a contradiction and this case can never happen.
Lemma 5.20. Let I be an IOC and S be a POC. If I ∼d S then I and S are disjoint
trace equivalent.
Proof. The first condition can be proved easily by coinduction.
For the second condition, take an indexed asynchronous strong maximal trace of S. Thanks to Lemma 5.16 actions with the same label index are from the same interaction. Consider the events to be discarded while creating the desired IOC trace. Using Lemma 5.18 and Lemma 5.19 these events can be moved next to their matching event. The trace obtained in this way corresponds to the same IOC trace as the previous one (by performing the same choice about which events to preserve), but it has all the outputs immediately followed by the corresponding input. One can easily prove by coinduction that a corresponding IOC trace exists.
We can now prove Theorem 5.4.
Proof of Theorem 5.4. The proof shows that the relation
$R = \{(I, S) \mid \mathrm{rem}(S) = \mathrm{proj}(I)\}$
where I is a well-annotated, disjoint connected IOC and S is an asynchronous well-annotated POC is a disjoint bisimulation. Thanks to Lemma 5.1, Lemma 5.14 and Lemma 5.2 one can just consider the case S = proj(I). The proof is by structural induction on I.
Case 0, 1: trivial;
Case $o_{a\to b}$: the associated POC is $(\bar{o})_a \parallel (o)_b$, which has as only computation $(\bar{o})_a \parallel (o)_b \xrightarrow{o:a} (\langle o \rangle)_a \parallel (o)_b \xrightarrow{o_{a\to b}} \mathbf{1}$. This satisfies the bisimulation conditions.
Case I; I′: from the definition of the projection function $S = \|_r(\mathrm{proj}(I,r); \mathrm{proj}(I',r))_r$. Suppose that $I; I' \xrightarrow{o_{a\to b}} I''$. There are two possibilities: either $I \xrightarrow{o_{a\to b}} I'''$ and $I'' = I'''; I'$, or $I \xrightarrow{\surd}$ and $I' \xrightarrow{o_{a\to b}} I''$. In the first case by inductive hypothesis:
inductive hypothesis. If this is not the case then we have a contradiction, since there are still events in $P''_r$ for some r to be performed, thus no event in proj(I′, r) can be enabled thanks to Lemma 5.17. The second case is similar. The case of $\surd$ is similar too.
Let us consider now the case $\|_r(\mathrm{proj}(I,r); \mathrm{proj}(I',r))_r \xrightarrow{o:a} S$. We should have $\bar{o}$ enabled in the starting process. Thus thanks to Lemma 5.15 we have that also o is enabled and $o_{a\to b} \in \mathrm{transI}(I; I')$. If $I \xrightarrow{\surd}$ then the thesis follows trivially by induction. Otherwise $S \xrightarrow{o_{a\to b}} S'$, and the thesis follows by inductive hypothesis using the definition of projection. Note that because of asynchronous causality safety and Lemma 5.4 we know that we have just one input on o enabled.
Case I ‖ I′: from the definition of the projection $S = \|_r(\mathrm{proj}(I,r) \mid \mathrm{proj}(I',r))_r$. If I ‖ I′ has a transition then one of its two components has the same transition and the thesis follows from the inductive hypothesis. The other direction is similar, using asynchronous causality safety and Lemma 5.4 to ensure that the input and the output come from the same parallel component.
Case I + I′: from the definition of the projection $S = \|_r(\mathrm{proj}(I,r) + \mathrm{proj}(I',r))_r$. If I + I′ has a transition then one of its two components has the same transition. Suppose that I is such a component. In order to prove the thesis we have to show that proj(I′) is discarded. This follows from the definition of asynchronous well-annotated POC and conflict relation. The case for $\surd$ is similar.
The other direction is similar, using asynchronous causality safety and Lemma 5.14
to ensure that the input and the output come from the same component.
Since disjoint bisimilarity implies disjoint trace equivalence (Lemma 5.20), the thesis follows.
As a consequence, each POC obtained by projecting an initial disjoint connected IOC
is deadlock free.
Proposition 5.3. Let I be an initial disjoint connected IOC and proj(I) its projection. All maximal asynchronous traces of proj(I) are complete.
Proof. This follows from the conformance between IOC and POC (Theorem 5.4) and
from Proposition 2.1, guaranteeing that the same property holds for the IOC.
6. Connecting IOCs
Until now, we have seen how to derive POCs from IOCs that satisfy the connectedness
conditions. In this section we discuss how to deal with IOCs that are not connected
(or not connected w.r.t. the desired notion of conformance). Let I be such an IOC.
We want to derive an IOC I ′ which is equivalent to I but which is connected, so that
the theory developed so far can be applied. However to this end we have to relax our
observational semantics. In particular, we will move from strong to weak traces, so that
we can add private interactions to synchronize the different roles. We also define weak
trace equivalence among IOCs, instead of between IOCs and POCs as done till now.
Definition 6.1 (Weak IOC trace equivalence).
An IOC I and an IOC I ′ are weak IOC trace equivalent iff the set of weak maximal
traces of I coincides with the set of weak maximal traces of I ′.
Let us consider our example from the Introduction: $I = o_{a\to b}; o'_{c\to d}$. I is not connected since it does not satisfy connectedness for sequence (in this case, this does not depend on the chosen notion of connectedness). A possible solution is to introduce a private operation $o^*$ and transform I into $o_{a\to b}; o^*_{b\to c}; o'_{c\to d}$, which is instead connected w.r.t. all the notions of conformance, and which is weak IOC trace equivalent to I. To get a pattern that is easier to generalize, however, we will consider a slightly more complex approach, transforming I into $o_{a\to b}; o^*_{b\to e}; o^{*\prime}_{e\to c}; o'_{c\to d}$. The transformation introduces an auxiliary
role e acting as a coordinator. We introduce similar patterns to ensure existence of asyn-
chronous unique points of choice. Concerning causality safety, we distinguish parallel
causality safety, sequential causality safety and choice causality safety according to the
relation between the interfering interactions. For parallel causality safety, we use a form
of expansion law removing the undesired parallel composition. For sequential causality
safety we show that this never occurs for IOCs which are disjoint connected for sequence
and have asynchronous unique points of choice. For choice causality safety we show that
this never occurs for IOCs which are disjoint connected for sequence, have asynchronous
unique points of choice and where for each nondeterministic choice all the initial interac-
tions are on distinct operations not used elsewhere. If an IOC enjoys this last property
we say that it has distinct choice operations. One can ensure that an IOC has distinct
choice operations using the same pattern used for ensuring asynchronous unique points
of choice. For each pattern we present a correctness result ensuring that the transformed
IOC and the starting one are weak IOC trace equivalent. We consider the disjoint con-
nectedness, since it is the most demanding: if we can make our IOC disjoint connected,
then it will also comply with all the other notions of connectedness.
Since the transformations we present below preserve weak traces, the following results
combined allow to transform any IOC into an equivalent IOC which is disjoint connected.
The basic idea is to apply first the pattern for parallel causality safety, then, by proceeding
from the smallest subterms to the largest, the two other patterns. One of them will ensure
asynchronous unique points of choice and distinct choice operations, the other one disjoint
connectedness for sequence. In this way, while reasoning on parallel causality safety (the
most complex), we do not have to bother about the other connectedness conditions, which
will be satisfied by the following steps. Since disjoint connected IOCs can be projected
by preserving traces, we can conclude that our procedure transforms a given IOC into
another one that can be projected obtaining a POC which is weak trace equivalent to
the starting IOC.
The patterns are presented in reverse order, from the simplest one to the most complex,
to help the understanding.
6.1. Disjoint connectedness for sequence
Let I be an IOC that is not disjoint connected for sequence but has asynchronous unique
points of choice, has distinct choice operations, and is parallel causality safe. We will
transform I into an IOC which is disjoint connected for sequence, and which still enjoys
all the other properties.
Since I is not disjoint connected for sequence, there are subterms of the form I′; I′′ that do not satisfy $\forall o'_{a\to b} \in \mathrm{transF}(I'),\ \forall o''_{c\to d} \in \mathrm{transI}(I'').\ b = c$. The reconfiguration
pattern will be applied to those subterms, in any order that respects the subterm relation.
This ensures that we always deal with terms whose subterms are disjoint connected for
sequence.
Take one such term I′; I′′. Choose a fresh role e. Consider all the interactions $o_{a\to b}$ contributing to transF(I′) in the term. For each of them choose a fresh operation $o^*$ and replace $o_{a\to b}$ with $o_{a\to b}; o^*_{b\to e}$. Similarly, for each interaction $o_{c\to d}$ contributing to transI(I′′) choose a fresh operation $o^*$ and replace $o_{c\to d}$ with $o^*_{e\to c}; o_{c\to d}$.
Proposition 6.1. Let I = I′; I′′ be an IOC which has asynchronous unique points of choice and distinct choice operations, and is parallel causality safe. Assume that I′ and I′′ are disjoint connected for sequence, have asynchronous unique points of choice and distinct choice operations, and are parallel causality safe. Let J = J′; J′′ be the IOC obtained by applying the pattern above to I′; I′′. Then:
— J is disjoint connected for sequence, has asynchronous unique points of choice and
distinct choice operations, and is parallel causality safe;
— J and I are weak IOC trace equivalent.
Proof. Let us start by proving parallel causality safety. For interactions introduced by
the transformation, they are all performed on operations with different fresh names, thus
the condition is trivially satisfied. For existing interactions, relations of causality and
conflict are preserved by the transformation, thus the conditions hold by hypothesis.
Let us consider asynchronous unique points of choice. We consider the condition on
roles first. Take a subterm K′ + K′′ of J . It is the transformed version of a subterm
H′ +H′′ of I. By hypothesis H′ +H′′ has asynchronous unique points of choice. There
are two cases: the interactions inside H′ and H′′ have been modified or not. In the second
case the thesis follows by hypothesis. The first case may happen only if the interaction is a final interaction in I′ or an initial interaction in I′′. In both cases the interactions in the other subterm have also been modified by adding the same role, thus the condition still holds.
Let us consider the condition on the sender of the interactions. As before, either the
interactions have not been modified, and the thesis follows by hypothesis, or all of them
have been modified. If they were in transF(I ′) then the sender is unchanged and the thesis
follows by hypothesis. If they were in transI(I ′′) then the new sender of all the initial
interactions in the term K′ + K′′ is the role e freshly introduced by the transformation,
thus the thesis holds.
Let us consider distinctness of choice operations. This holds by inductive hypothesis
for old interactions, and new ones do not interfere since they use fresh distinct operations.
Let us consider disjoint connectedness for sequence. We have to show that each subterm
satisfies the condition. The new subterms introduced by the transformation have the
form $o_{a\to b}; o^*_{b\to e}$ and $o^*_{e\to c}; o_{c\to d}$, thus they satisfy the condition. Let us take a subterm
K′;K′′ obtained by transforming a subterm H′;H′′ of I of the same shape. By hypothesis
the condition was satisfied by H′;H′′. It is easy to check however that transF(K′) =
transF(H′) and transI(K′′) = transI(H′′), thus the term is still disjoint connected for
sequence. Finally, for term J ′;J ′′ the thesis holds by construction.
The second point is easily proved since the transformation does not change the weak
traces of the IOC.
6.2. Asynchronous unique points of choice
Let I be an IOC that does not have asynchronous unique points of choice and/or does not have distinct choice operations, but is parallel causality safe. This means that there is a subterm of the form J + J′ that either does not satisfy $\forall o_{a\to b} \in \mathrm{transI}(J),\ \forall o'_{c\to d} \in \mathrm{transI}(J').\ a = c$, or does not satisfy roles(J) = roles(J′), or has two initial interactions on the same operation. The reconfiguration pattern will be applied to those subterms, in any order that respects the subterm relation. This ensures that we always
deal with terms whose subterms have asynchronous unique points of choice and distinct
choice operations.
Take one such term J + J′. If the first condition and/or the third condition are not satisfied then choose a fresh role e. Consider all the interactions $o_{a\to b}$ contributing to transI(J) or to transI(J′) in the term. For each of them choose a fresh operation $o^*$ and replace $o_{a\to b}$ with $o^*_{e\to a}; o_{a\to b}$.
Suppose now that the first and third conditions are satisfied, while the second one is
not. Then we can assume a role e which is the sender of all the interactions in transI(J +
J ′). Consider each role a that occurs in J but not in J ′ (the other case is symmetric).
For each of them add in parallel to J ′ the interaction o∗e→a where o∗ is a fresh operation.
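As an added worked example (not the paper's code), the following Python encodes IOC terms as a small syntax tree, checks disjoint connectedness for sequence (Definition 5.13) together with the asynchronous unique points of choice and distinct choice operations conditions stated at the start of this subsection, and applies the repair patterns of Sections 6.1 and 6.2 to one subterm each. transI, transF, roles and the silent-termination predicate used for sequences are defined earlier in the paper and are reconstructed here as assumptions; fresh roles and operations are named e1, e2, ... and o*3, o*4, ... from one counter; the distinct-operations test inside the choice pattern is local to the term being repaired, while the checker tests it on the whole IOC.

```python
"""IOC connectedness checks and the repair patterns of Sections 6.1 and 6.2.
Added example, not the paper's code: transI, transF, roles and `silent`
are reconstructed assumptions; fresh names come from one global counter."""
from dataclasses import dataclass, field
from itertools import count

_ids = count(1)

def fresh(prefix):
    return f"{prefix}{next(_ids)}"      # fresh role e1, ... or operation o*2, ...

@dataclass(frozen=True)
class Inter:
    """Interaction o_{snd -> rcv}; idx tells occurrences apart."""
    op: str
    snd: str
    rcv: str
    idx: int = field(default_factory=lambda: next(_ids))

@dataclass(frozen=True)
class Node:
    """kind is ';' (sequence), '|' (parallel) or '+' (choice)."""
    kind: str
    l: object
    r: object

ZERO, ONE = "0", "1"

def silent(t):
    """Assumed: can t terminate without performing any interaction?"""
    if t == ONE:
        return True
    if t == ZERO or isinstance(t, Inter):
        return False
    return (silent(t.l) or silent(t.r)) if t.kind == '+' else (silent(t.l) and silent(t.r))

def trans(t, initial):
    """Assumed transI (initial=True) / transF (initial=False)."""
    if isinstance(t, Inter):
        return frozenset([t])
    if t in (ZERO, ONE):
        return frozenset()
    if t.kind == ';':
        first, second = (t.l, t.r) if initial else (t.r, t.l)
        rest = trans(second, initial) if silent(first) else frozenset()
        return trans(first, initial) | rest
    return trans(t.l, initial) | trans(t.r, initial)

def inters(t):
    """All interaction occurrences of t, left to right."""
    if isinstance(t, Inter):
        return [t]
    return [] if t in (ZERO, ONE) else inters(t.l) + inters(t.r)

def roles(t):
    return frozenset(x for i in inters(t) for x in (i.snd, i.rcv))

def subterms(t):
    yield t
    if isinstance(t, Node):
        yield from subterms(t.l)
        yield from subterms(t.r)

def replace(t, table):
    """Rebuild t substituting interactions by idx."""
    if isinstance(t, Inter):
        return table.get(t.idx, t)
    return t if t in (ZERO, ONE) else Node(t.kind, replace(t.l, table), replace(t.r, table))

def disjoint_seq_ok(t):
    """Definition 5.13 on every sequential subterm J; J'."""
    return all(f.rcv == i.snd for s in subterms(t) if isinstance(s, Node) and s.kind == ';'
               for f in trans(s.l, False) for i in trans(s.r, True))

def unique_choice_ok(t):
    """Asynchronous unique points of choice and distinct choice operations."""
    all_ops = [i.op for i in inters(t)]
    for s in subterms(t):
        if isinstance(s, Node) and s.kind == '+':
            init = trans(s.l, True) | trans(s.r, True)
            if len({i.snd for i in init}) > 1 or roles(s.l) != roles(s.r):
                return False
            if any(all_ops.count(i.op) != 1 for i in init):
                return False
    return True

def connect_seq(s):
    """Section 6.1 pattern on one subterm I'; I'' via a fresh coordinator e."""
    e = fresh("e")
    table = {f.idx: Node(';', f, Inter(fresh("o*"), f.rcv, e)) for f in trans(s.l, False)}
    table.update({i.idx: Node(';', Inter(fresh("o*"), e, i.snd), i) for i in trans(s.r, True)})
    return Node(';', replace(s.l, table), replace(s.r, table))

def connect_choice(s):
    """Section 6.2 pattern on one subterm J + J'."""
    l, r = s.l, s.r
    init = trans(l, True) | trans(r, True)
    if not init:
        return s
    local_ops = [i.op for i in inters(s)]
    if len({i.snd for i in init}) > 1 or any(local_ops.count(i.op) > 1 for i in init):
        e = fresh("e")                      # one fresh role now makes every choice
        table = {i.idx: Node(';', Inter(fresh("o*"), e, i.snd), i) for i in init}
        l, r = replace(l, table), replace(r, table)
    (e,) = {i.snd for i in trans(l, True) | trans(r, True)}
    for a in sorted(roles(l) - roles(r)):   # e notifies roles missing from a branch
        r = Node('|', r, Inter(fresh("o*"), e, a))
    for a in sorted(roles(r) - roles(l)):
        l = Node('|', l, Inter(fresh("o*"), e, a))
    return Node('+', l, r)

# The Section 6 example o_{a->b}; o'_{c->d}: not connected for sequence.
EXAMPLE = Node(';', Inter("o", "a", "b"), Inter("o'", "c", "d"))
```

Running `connect_seq(EXAMPLE)` yields the four-interaction IOC of Section 6, with the two fresh operations routed through the coordinator, and `disjoint_seq_ok` turns from False to True; applying `connect_choice` to a choice whose branches have different senders inserts the coordinator's notification in front of every initial interaction and then pads each branch with parallel notifications for the roles it lacks.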
Proposition 6.2. Let I = I ′ + I ′′ be an IOC which is parallel causality safe. Assume
that I ′ and I ′′ are disjoint connected for sequence, have asynchronous unique points of
choice and distinct choice operations, and are parallel causality safe. Let J = J ′ + J ′′
be the IOC obtained by applying the pattern above to I ′ + I ′′. Then:
— J is disjoint connected for sequence, has asynchronous unique points of choice and
distinct choice operations, and is parallel causality safe;
— J and I are weak IOC trace equivalent.
Proof. Let us start by proving parallel causality safety. For interactions introduced by
the transformation, they are all performed on operations with different fresh names, thus
the condition is trivially satisfied. For existing interactions, relations of causality and
conflict are preserved by the transformation, thus the conditions hold by hypothesis.
Let us consider asynchronous unique points of choice. We consider the two transformations separately. Let us start with the transformation ensuring that the roles in the
two branches are the same. Take a subterm K′ +K′′ of J . It is the transformed version
of a subterm H′ +H′′ of I. By hypothesis H′ +H′′ has asynchronous unique points of
choice and distinct choice operations. Since interactions may only be added in parallel to
the whole term the thesis follows by hypothesis. For the whole term the condition holds
by construction.
Let us consider now the transformation ensuring that all the senders coincide and all
initial interactions are on distinct operations not reused elsewhere. There are two cases:
either the interactions inside H′ and H′′ have been modified or not. In the second case
the thesis follows by hypothesis. The first case may happen only if one such interaction
is initial in the whole term. In this case however all the initial interactions have been
changed, and the freshly introduced role is the new sender in all of them. Also, all the
used operations are distinct and fresh. Thus the two conditions are satisfied. For the
whole term the two conditions are satisfied by construction.
For disjoint connectedness for sequence, note that all the subterms enjoy the property
either by hypothesis or by construction. Since the top-level operator is a nondeterministic
choice the same property holds for the whole term.
The last condition can be easily proved since the transformation does not change the
weak traces.
6.3. Causality safety
Let I be an IOC that is not causality safe. This means that there are two interactions i and j using the same operation such that neither $s_i \leq_s r_j \wedge r_i \leq_s s_j$ nor $s_j \leq_s r_i \wedge r_j \leq_s s_i$ holds, nor are they in full conflict. Let o?a→b be interaction i′ and o?c→d be interaction i′′. Note that the problem is immediately solved by renaming one of the operations. However, this will change the specification. We show how to stick to the original (weak) behavior, while solving the causality safety issue.
Take the smallest subterm of I including both interaction i′ and interaction i′′. We
have a case analysis on its top-level operator. We have three cases corresponding to
parallel causality safety, sequential causality safety and choice causality safety.
Let us consider parallel causality safety. Thus I = I ′ ‖ I ′′, and we can assume that
interaction i′ is in I ′ and interaction i′′ is in I ′′. To solve this issue we will apply a form
of expansion law that transforms the parallel composition into nondeterminism, thus
either removing completely the causality safety issue or transforming it into sequential
causality safety or choice causality safety, discussed later on.
We define now the expansion law and prove its correctness. We also show that using
the expansion law one can transform any IOC into a normal form defined as below.
Definition 6.2 (Normal form). An IOC I is in normal form if it is written as:
$$\sum_i o^{?}_{i\,a_i \to b_i};\, I_i$$
where $\sum_i$ is n-ary nondeterministic choice and for each i also $I_i$ is in normal form (we can see the empty sum as 0).
The expansion law is defined below.
Definition 6.3 (Expansion law).
$$\Big(\sum_i o^{?}_{i\,a_i\to b_i};\, I_i\Big) \parallel \Big(\sum_j o^{?}_{j\,a_j\to b_j};\, I_j\Big) \;=\; \sum_i o^{?}_{i\,a_i\to b_i};\, \Big(I_i \parallel \big(\sum_j o^{?}_{j\,a_j\to b_j};\, I_j\big)\Big) \;+\; \sum_j o^{?}_{j\,a_j\to b_j};\, \Big(I_j \parallel \big(\sum_i o^{?}_{i\,a_i\to b_i};\, I_i\big)\Big)$$
The expansion law is correct w.r.t. IOC trace equivalence, in the sense that applying
the expansion law to an IOC does not change the set of its traces (neither strong nor
weak), as proved by the lemma below.
Lemma 6.1. Let I be an IOC and J an IOC obtained by applying the expansion law
to a subterm of I. Then I and J have the same set of (strong or weak) traces.
Proof. Labels not involving the subterm are easily mimicked. Consider the first label involving the subterm. If no such label exists the thesis follows. Otherwise, the label corresponds to the execution of one of the interactions $o^{?}_{i\,a_i\to b_i}$ or $o^{?}_{j\,a_j\to b_j}$. Executing any of these interactions reduces both the terms to the same term. The thesis follows.
Using the expansion law we can transform any IOC I into an IOC J with the same
weak traces which is in normal form.
Proposition 6.3 (Normalization). Given an IOC I there is an IOC J in normal form
such that I and J are weak IOC trace equivalent.
Proof. The proof is by induction on the number of interactions occurring in I. The cases of interactions and 0 are trivial. IOC 1 can be replaced by any private interaction without changing the set of weak traces. For sequential composition note that $(\sum_i o^{?}_{i\,a_i\to b_i};\, I_i);\, I'$ and $\sum_i o^{?}_{i\,a_i\to b_i};\, (I_i;\, I')$ have the same set of traces. $I_i;\, I'$ can be transformed in normal form by inductive hypothesis. For nondeterministic choice the thesis is trivial (it is easy to check that nondeterministic choice is associative). For parallel composition one can apply the expansion law, and the thesis follows from Lemma 6.1 and inductive hypothesis.
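As an added example (not code from the paper), the following Python encodes IOC terms as tuples, derives their maximal traces from an assumed LTS (1 emits the termination marker √, ‖ terminates when both sides do), and normalizes a term with the expansion law; it generalizes Definition 6.2 by carrying an explicit termination flag in the normal form instead of replacing 1 by a private interaction.

```python
# Added example, not the paper's code. Assumed LTS: 1 emits the marker TICK and
# becomes 0, ';' waits for TICK of its left side, '||' terminates when both sides
# do. Normal forms carry a "may terminate" flag instead of a private interaction.
from functools import reduce

TICK = ('√', '', '')            # termination marker ending a maximal trace
ONE, ZERO = ('one',), ('zero',)

def inter(op, a, b): return ('int', op, a, b)               # interaction o a->b
def seq(*ts): return reduce(lambda i, j: ('seq', i, j), ts)  # I; J; ...
def par(i, j): return ('par', i, j)                          # I || J
def choice(i, j): return ('sum', i, j)                       # I + J

def moves(t):
    """All (label, successor) pairs of a term; labels are (op, sender, receiver)."""
    k = t[0]
    if k == 'int':
        return [((t[1], t[2], t[3]), ONE)]
    if k == 'one':
        return [(TICK, ZERO)]
    if k == 'zero':
        return []
    if k == 'sum':
        return moves(t[1]) + moves(t[2])
    mi, mj = moves(t[1]), moves(t[2])
    ti, tj = any(l == TICK for l, _ in mi), any(l == TICK for l, _ in mj)
    if k == 'seq':   # the right side starts only once the left side may terminate
        return [(l, ('seq', i2, t[2])) for l, i2 in mi if l != TICK] + (mj if ti else [])
    out = [(l, ('par', i2, t[2])) for l, i2 in mi if l != TICK]
    out += [(l, ('par', t[1], j2)) for l, j2 in mj if l != TICK]
    return out + ([(TICK, ZERO)] if ti and tj else [])

def traces(t):
    """Maximal traces: runs continued until no move is left."""
    ms = moves(t)
    return frozenset((l,) + tr for l, t2 in ms for tr in traces(t2)) if ms else frozenset({()})

# Normal form (Def. 6.2, generalized): (summands, may_terminate), summands being
# a list of (label, normal form) pairs; ([], False) is the empty sum 0.
def normal_form(t):
    k = t[0]
    if k == 'int':
        return ([((t[1], t[2], t[3]), ([], True))], False)
    if k in ('one', 'zero'):
        return ([], k == 'one')
    p, q = normal_form(t[1]), normal_form(t[2])
    if k == 'sum':
        return (p[0] + q[0], p[1] or q[1])
    return nf_seq(p, q) if k == 'seq' else nf_par(p, q)

def nf_seq(p, q):
    """(sum_i o_i; I_i); J = sum_i o_i; (I_i; J), plus J's summands if the left may end."""
    sp, tp = p
    return ([(l, nf_seq(c, q)) for l, c in sp] + (q[0] if tp else []), tp and q[1])

def nf_par(p, q):
    """Expansion law (Def. 6.3): one side moves first, the other is kept in parallel."""
    (sp, tp), (sq, tq) = p, q
    return ([(l, nf_par(c, q)) for l, c in sp] + [(l, nf_par(p, c)) for l, c in sq], tp and tq)

def nf_traces(nf):
    """Maximal traces read directly off a normal form (for checking Lemma 6.1)."""
    s, term = nf
    out = {(TICK,)} if term else (set() if s else {()})
    for l, c in s:
        out |= {(l,) + tr for tr in nf_traces(c)}
    return frozenset(out)

def show(nf):
    """Paper's notation; a summand whose continuation is 1 is written as the bare interaction."""
    s, term = nf
    parts = [f"{o} {a}→{b}" + ('' if c == ([], True) else f"; ({show(c)})") for (o, a, b), c in s]
    return ' + '.join(parts + (['1'] if term else [])) or '0'
```

`traces(I) == nf_traces(normal_form(I))` is the check of Lemma 6.1 on a concrete term, and `show` renders the normal form of the IOC of Example 6.1 as `o a→b; (o c→d) + o c→d; (o a→b)`.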
Let us consider sequential composition. Thus I = I ′; I ′′, and we can assume that
interaction i′ is in I ′ and interaction i′′ is in I ′′. We show that if I is disjoint connected
for sequence and has asynchronous unique points of choice, then no sequential causality
safety issue can occur.
Lemma 6.2. Let I = I ′; I ′′ be an IOC which is disjoint connected for sequence and has
asynchronous unique points of choice. Let i′ be an interaction in I ′ and i′′ an interaction
in I′′. If e′ is an event of interaction i′ and e′′ is an event of interaction i′′, then $e' \leq^{a}_{I} e''$.
Proof. We will prove the thesis by induction on the structure of the term.
From disjoint connectedness for sequence all the receiving events in final interactions
of I ′ and all the sending events in initial interactions of I ′′ are performed by the same
role. Thus, from the sequentiality condition in the definition of causality relation, they
are causally related (the only possibility for the term to perform a √ is to have a 1 branch in a nondeterministic choice, but this is forbidden because of existence of asynchronous unique points of choice). Thanks to the synchronization condition the same holds for the other events inside the same interactions. This proves the thesis for final interactions in I′ and initial interactions in I′′.
Assume now that the interaction i′ is not final inside I′ (the case of i′′ not initial in I′′ is similar). Then there exists a sequential composition J; J′ such that interaction i′ is in J and a final interaction of I′ is in J′. Since J; J′ is a subterm of I′ the thesis follows by inductive hypothesis for events of interaction i′ and events of the final interaction. The thesis follows by transitivity.
Let us consider nondeterministic choice. Thus I = I ′ + I ′′, and we can assume that
interaction i′ is in I ′ and interaction i′′ is in I ′′. We show that if I is disjoint connected
for sequence, has asynchronous unique points of choice and distinct choice operations,
then no choice causality safety issue can occur.
Lemma 6.3. Let I = I′ + I′′ be an IOC which is disjoint connected for sequence, has asynchronous unique points of choice and distinct choice operations. Let i′ be an interaction in I′ and i′′ an interaction in I′′. If e′ is an event of interaction i′ and e′′ is an event of interaction i′′, then $e' \; f\#^{a}_{I} \; e''$.
Proof. The events in the two interactions are in conflict. Since by hypothesis the two
interactions are not initial then the events are also in full conflict.
6.4. Putting the pieces together
Till now we have shown that given a subterm of an IOC which fails to satisfy one of the
connectedness conditions, we can transform it into an equivalent term that satisfies this
connectedness condition. Some care is required to avoid introducing violations of other conditions while ensuring that one condition is satisfied, since otherwise the connecting procedure might not terminate. The following theorem proves that we can
combine the connecting steps to get a terminating algorithm transforming a generic IOC
into a disjoint connected IOC.
Theorem 6.1 (Making IOCs connected). There is a terminating procedure that
given any IOC I creates a new IOC J such that:
— J is disjoint connected;
— J and I are weak IOC trace equivalent.
Proof. We can apply the normalization procedure to all the subterms of IOC I that do not satisfy parallel causality safety, starting from the smallest subterms to the largest, to get an IOC I′ which is parallel causality safe (since the undesired parallel compositions have been removed) and which is weak IOC trace equivalent to I thanks to Proposition 6.3.
Now, again from the smallest subterms to the largest, we can apply to I′ the procedure for providing asynchronous unique points of choice and distinct choice operations to those subterms which have a top-level nondeterministic choice operator, and the procedure for making them disjoint connected for sequence to those subterms which have a top-level sequential composition operator.
For terms of the first kind, thanks to Proposition 6.2, we obtain terms which have
asynchronous unique points of choice and distinct choice operations, and are parallel
causality safe and disjoint connected for sequence. The same holds for terms of the
second kind by Proposition 6.1. In both the cases, the resulting term is weak IOC trace
equivalent to the starting one. Moreover, by applying these transformations to subterms,
we do not create new parallel causality safety issues in larger terms, since we only add
interactions on fresh operations.
From Lemma 6.2 and Lemma 6.3 we know that the obtained IOC J has no sequential
causality safety issues or choice causality safety issues, thus the thesis follows.
Example 6.1. We now apply our procedure to the IOC $I = o_{a\to b} \parallel o_{c\to d}$ presented in Example 4.2. First note that I does not satisfy parallel causality safety. By application of the expansion law we obtain $I_1 = o_{a\to b};\, o_{c\to d} + o_{c\to d};\, o_{a\to b}$. Proceeding from smallest to largest subterms, we first encounter the subterms $o_{a\to b};\, o_{c\to d}$ and $o_{c\to d};\, o_{a\to b}$ which are not disjoint connected for sequence (and are not sequential causality safe). By applying the corresponding pattern to the two subterms, we obtain
$$I_2 = o_{a\to b};\, o^{*}_{1\,b\to e'};\, o^{*}_{2\,e'\to c};\, o_{c\to d} \;+\; o_{c\to d};\, o^{*}_{3\,d\to e''};\, o^{*}_{4\,e''\to a};\, o_{a\to b}$$
Now the internal terms are disjoint connected, but the whole term does not have asynchronous unique points of choice nor distinct choice operations, and is not choice causality safe. By applying the transformation ensuring asynchronous unique points of choice, we obtain:
$$I_3 = o^{*}_{5\,e\to a};\, o_{a\to b};\, o^{*}_{1\,b\to e'};\, o^{*}_{2\,e'\to c};\, o_{c\to d} \;+\; o^{*}_{6\,e\to c};\, o_{c\to d};\, o^{*}_{3\,d\to e''};\, o^{*}_{4\,e''\to a};\, o_{a\to b}$$
Finally, by applying the transformation ensuring that both the branches have the same roles, we obtain:
$$I_4 = \big(o^{*}_{5\,e\to a};\, o_{a\to b};\, o^{*}_{1\,b\to e'};\, o^{*}_{2\,e'\to c};\, o_{c\to d} \parallel o^{*}_{7\,e\to e''}\big) \;+\; \big(o^{*}_{6\,e\to c};\, o_{c\to d};\, o^{*}_{3\,d\to e''};\, o^{*}_{4\,e''\to a};\, o_{a\to b} \parallel o^{*}_{8\,e\to e'}\big)$$
which is disjoint connected.
6.5. Application: Two-buyers protocol
We show now how our transformation for connecting IOCs can be used as an effective
design tool for the programming of multiparty choreographies. We model the example
reported in (Honda et al., 2008), the two-buyers protocol, where two buyers – b1 and b2
– combine their finances for buying a product from a seller s. The protocol starts with
b1 asking the price for the product of interest to s. Then, s communicates the price to
both b1 and b2. Subsequently, b1 notifies b2 of how much she is willing to contribute to
the purchase. Finally, the choreography may either terminate (the product will not be
sent) or s may send a delivery date for the product to b2. We do not deal here with how
this choice is performed, as our IOCs abstract from data.
To create a quick prototype IOC I for the two-buyers protocol, we focus only on the
main interactions and we do not worry about our connectedness conditions. The code
follows naturally:
$$I = price_{b_1\to s};\, (quote1_{s\to b_1} \parallel quote2_{s\to b_2});\, contrib_{b_1\to b_2};\, (delivery_{s\to b_2} + 1)$$
The code above is just a direct translation of our explanation in natural language into an
IOC. We can immediately observe that the IOC is not connected in three points w.r.t.
the rules ensuring disjoint conformance:
— the subterm $(quote1_{s\to b_1} \parallel quote2_{s\to b_2});\, contrib_{b_1\to b_2}$ is not disjoint connected for sequence; thus, e.g., b1 may send the contrib message before b2 receives the message for quote2;
— the subterm $(delivery_{s\to b_2} + 1)$ does not have asynchronous unique points of choice;
— the subterm $contrib_{b_1\to b_2};\, (delivery_{s\to b_2} + 1)$ is not disjoint connected for sequence.
We can apply our transformation for amending our IOC prototype, transforming it into a disjoint connected IOC which is weak IOC trace equivalent to I, obtaining:
$$price_{b_1\to s};\, (quote1_{s\to b_1};\, o^{*}_{1\,b_1\to e_1} \parallel quote2_{s\to b_2};\, o^{*}_{2\,b_2\to e_1});\, o^{*}_{3\,e_1\to b_1};\, contrib_{b_1\to b_2};\, o^{*}_{4\,b_2\to e_2};\, (o^{*}_{5\,e_2\to s};\, delivery_{s\to b_2} + 1 \parallel o^{*}_{6\,e_2\to s} \parallel o^{*}_{7\,e_2\to b_2})$$
The IOC above is disjoint connected, thus it can be projected, and the projection will
be conformant to the IOC, and weak conformant to the original IOC I.
7. Possible extensions
Till now we considered in detail notions of connectedness for IOCs, and of conformance
between IOCs and POCs, but we focused on minimal calculi for both IOCs and POCs
to avoid unnecessary complexity. Here we discuss some possible extensions to the calculi,
and their impact on the developed theory. We also illustrate how conformance can be
combined with notions of equivalence and/or refinement at the level of IOCs and/or of
POCs. We plan to analyze these aspects in more detail in future work.
7.1. Other operators
In the main part of the paper we stick to the smallest set of operators necessary to write
interesting IOCs, but most of the developed theory can be extended to deal with other
operators. We consider here internal actions τa, and guarded recursion.
An internal action τa abstracts a computation performed by role a with no interaction
with other roles. E.g., role a can perform some mathematical computation, whose result
may be later on sent to some other role c via a communication. Such an activity cannot
be easily projected as if it was o?a→a, since the projection of such a term is not defined.
In order to model such an activity, one has to decide whether the activity is visible to
the outside or not. From the point of view of the projection, the interesting case is when
the activity is visible, and thus constraints imposed by sequentialization or choices have
to be satisfied. E.g., the projection of τa; τb should execute the internal activity at a first,
and then the internal activity at b. Using a natural projection, with proj(τa, a) = τ and proj(τa, b) = 1 for b ≠ a, the constraint above would not be satisfied. In fact, such an IOC would not be connected, since the (sets of) roles involved in the two activities are
disjoint. One can make this IOC connected by transforming it into the equivalent IOC
τa; o∗a→b; τb. The theory discussed so far can be easily extended to consider this kind of
activity.
A more interesting challenge is given by guarded recursion, which allows one to describe
infinite choreographies. E.g., the IOC defined as recX.aska→b; answerb→a;X models an infinite conversation where role a asks role b something and receives an answer, then the communication pattern restarts. It is easy to check that a homomorphic projection
of such an IOC has the desired behavior. Indeed, the IOC is disjoint connected. Actually,
we can apply here a result from (Honda et al., 2008) (reformulated for our calculus),
which states that a recursive IOC is connected iff its one level unfolding is connected.
E.g., the IOC above is disjoint connected since aska→b; answerb→a; aska→b; answerb→a is
disjoint connected.
The theory for amending IOCs which are not connected instead cannot be always
applied. In fact, some recursive IOCs allow infinitely many interactions on the same
operation, as in the case of IOC I = recX.oc→d ‖ (o′a→b; o′′b→a;X). Such an IOC does
not satisfy causality safety, since different instances of oc→d can be enabled in parallel.
One can imagine applying the connecting procedure to the infinite term generated by the
unfolding of the recursion, but no finite representation of such a term can be given inside
the language. One can try to solve the problem by requiring all the roles to synchronize
on the end of each iteration. E.g., the IOC above can be transformed into:
$$J = \mathit{rec}\,X.\,(o^{*}_{e\to c};\, o_{c\to d};\, o'^{*}_{d\to e}) \parallel (o''^{*}_{e\to a};\, o'_{a\to b};\, o''_{b\to a};\, o'''^{*}_{a\to e};\, X)$$
This approach however does not preserve weak traces, since e.g. the weak trace starting with $o'_{a\to b},\, o''_{b\to a},\, o'_{a\to b},\, o''_{b\to a},\, o_{c\to d},\, \ldots$ is legal in I but not in J.
It is worth noting that a similar approach has been taken in (Zongyan et al., 2007),
where infinite IOCs can be expressed with a repetition operator that repeats the execution
of a sub-IOC an arbitrary number of times. The repetition must be decorated with the
indication of a participant called the dominant role. In the projection, the dominant role is in charge of detecting the completion of a run of the sub-IOC, deciding whether to execute another run or not, and then communicating the decision to all the other
participants in the IOC. A complete comparison between our work and (Zongyan et al.,
2007) can be found in Section 9.
7.2. Adding data
Input and output events in the choreographies analyzed till now model message passing communications, but the actual values to be sent have been abstracted away.
One can imagine using the same approach at the more concrete level, where communicated data are explicitly described both at the IOC and at the POC level. A similar problem has been considered in (Bocchi et al., 2010). Consider, e.g., the simple IOC with data $fact(n)_{a\to b};\, answer(n!)_{b\to a}$ where role a asks role b to compute the factorial of some natural number n. One can easily project such an IOC obtaining the POC $(fact(n_a);\, answer(n^{f}_{a}))_a \parallel (fact(n_b);\, answer(n_b!))_b$. The main point here is that
variables have to be introduced to store the received values and to enable their later
reuse. An interesting effect of the introduction of data is that nondeterministic choice
can be converted into deterministic choice: the IOC oa→b+o′a→b can be refined into, e.g.,
if n > 10 then oa→b else o′a→b. If we assume existence of asynchronous unique points of
choice, the role that makes the choice is the one that must evaluate the condition (and
thus must know the value of the involved variables). The projection of a deterministic
choice is still a deterministic choice on the role that makes the choice, while it is an input
guarded choice on the other roles.
An important aspect to take into account is that in addition to the control dependencies considered till now, data values introduce data dependencies that have to be
satisfied. This is relevant, in particular, if we assume that each participant has a private
state. Consider, e.g., the IOC oa→b(n) ‖ o′c→d(n). Here roles a and c should agree on
the value to be sent, but this is impossible in case of private states since there is no
communication between them. We will see in the next section that some of the notions
of conformance ensure that data dependencies can be more easily satisfied.
7.3. Equivalences and refinements
We have considered till now mainly equivalences between an IOC and a POC. However,
standard notions of bisimilarity or trace equivalence can be defined also among IOCs or
among POCs, as we did for weak IOC trace equivalence in Section 6.
A similar definition can be given at the POC level, considering e.g. weak synchronous
traces. As already hinted at in Section 6, such notions of equivalence are compatible with
synchronous conformance and projection. In fact, considering two IOCs I and I′ which are IOC trace equivalent, and two POCs S and S′ synchronous conformant respectively to I and I′, it is easy to prove that S and S′ are synchronous trace equivalent. This
happens, in particular, if S and S ′ are the projections of I and I ′.
The same reasoning can be applied to the other notions of conformance (sender/receiver/sender-receiver/disjoint), but the trace equivalence on POCs should be tailored accordingly. E.g., if we consider sender conformance then IOCs which are trace equivalent
correspond to POCs which are sender trace equivalent, i.e. have the same set of sender
traces.
Also, the reasoning can be applied to trace inclusions, which correspond to a form of
refinement: if an IOC I has a subset of the maximal traces of an IOC I ′, i.e. I is more
deterministic, it can be seen as an implementation of I ′. Such a notion corresponds to
analogous notions of trace inclusions on the projected POCs.
8. Practical interpretation
This section reports examples that show a practical interpretation of some of our different
settings. Giving a formalization of this interpretation goes beyond the scope of this paper,
but we believe its description to be sufficiently intuitive and interesting for motivating
our work. We will concentrate on the asynchronous cases of receiver, sender, and disjoint
connectedness notions. Therefore, in the following, we always assume an asynchronous
communication semantics. To simplify the presentation, we remove from POCs some 1s
which have no effect on the POC semantics.
8.1. Receiver connectedness
Receiver connectedness ensures that global invariants on the state of the participants
involved in an IOC are satisfied also in its projected POC. Here, we assume that a local
state can change only on message reception. Let us consider the following IOC, which is
sender connected but not receiver connected:
$$withdraw_{customer\to bank};\, pay_{customer\to shop}$$
Above, a customer wants to buy something from a shop. In order to pay, she first withdraws some money from her bank and then uses it to pay the shop. The invariant holding
in this IOC that we would like to preserve in the corresponding POC is that the sum of
the amounts of money possessed by the customer and the shop should not increase. Let