350 likes | 606 Views
XVII Escuela de Ciencias Informaticas (ECI 2003), Buenos Aires, July 21-26 2003. Formal Models for Distributed Negotiations A Calculus of Compensations . Roberto Bruni Dipartimento di Informatica Università di Pisa. Compensations.
E N D
XVII Escuela de Ciencias Informaticas (ECI 2003), Buenos Aires, July 21-26 2003 Formal Models forDistributed NegotiationsA Calculus of Compensations Roberto Bruni Dipartimento di Informatica Università di Pisa
Compensations • Long running transactions may abort also when some of their sub-transactions have been committed • Committed sub-transactions should be undone • Not always possible: visible events cannot be canceled • e.g. when booking holiday (flights, hotels, cars, shows), only partial refund can be obtained by canceling • e.g. when negotiating services and goods, some fines must be for canceling the contract • To Compensate = • to amends for, to make up for Formal Models for Distributed Negotiations
Objectives • Clear understanding of long running transactions (LRT) and of their compositions • Formal models to clarify assumptions and obligations of the various components of a business system • Visual rendering of control structures • Algebra of LRTs • Design automatic analysis tools for checking coherence of business systems and guard against deadlocks and race conditions Formal Models for Distributed Negotiations
LRTs are not ACID • LRTs • are composed out of a collection of traditional atomic transactions • for them, roll-back is supplied automatically • usually engage in externally visible events • these events cannot be undone automatically • user-defined (application-dependent) compensations are needed • approximately atomic and consistent, not isolated and globally durable, no automatic roll-back Formal Models for Distributed Negotiations
Inspiration • From XLANG • context P exception E compensation C failure normal entry point compensation exit normal exit point compensation entry Formal Models for Distributed Negotiations
Sound Traces • Normal flow is vertical, from top to bottom • Compensation flow is still vertical, but in the reversed direction (from bottom to top) • For the moment we regard internal failures just as compensations • Sound traces • OK: normal in (nin) – normal out (nout) • FAIL: nin – compensation out (cout) • COMP: nin – nout – cin - cout Formal Models for Distributed Negotiations
Tree of Traces • Traces can be conveniently represented as a tree • Nodes are labeled by events • A trace is a path from the root of the tree • Sound transactions • tree of traces must be conform to nin nout cout cin cout Formal Models for Distributed Negotiations
Succeed and Fail • Straight arrows have no effects nin nin nout cout cin cout Formal Models for Distributed Negotiations
nin & R.nin R.nout & S.nin R.cout & cout S.nout & nout S.cout & R.cin cin & S.cin R.cout & cout S.cout & R.cin R.cout & cout Sequential Composition • sequence R S • Compound events • nin & R.nin • R.nout & S.nin • S.nout & nout • cin & S.cin • S.cout & R.cin • R.cout & cout • Simultaneous occurrence of joint events R;S R S Formal Models for Distributed Negotiations
Sequential Composition is Sound for R nin & R.nin • sequence R S • Compound events • nin & R.nin • R.nout & S.nin • S.nout & nout • cin & S.cin • S.cout & R.cin • R.cout & cout • Simultaneous occurrence of joint events R;S R R.nout & S.nin R.cout & cout S.nout & nout S.cout & R.cin S cin & S.cin R.cout & cout S.cout & R.cin R.cout & cout Formal Models for Distributed Negotiations
Sequential Composition is Sound for S nin & R.nin • sequence R S • Compound events • nin & R.nin • R.nout & S.nin • S.nout & nout • cin & S.cin • S.cout & R.cin • R.cout & cout • Simultaneous occurrence of joint events R;S R R.nout & S.nin R.cout & cout S.nout & nout S.cout & R.cin S cin & S.cin R.cout & cout S.cout & R.cin R.cout & cout Formal Models for Distributed Negotiations
Sequential Composition is Sound nin & R.nin • sequence R S • Compound events • nin & R.nin • R.nout & S.nin • S.nout & nout • cin & S.cin • S.cout & R.cin • R.cout & cout • Simultaneous occurrence of joint events R;S R R.nout & S.nin R.cout & cout S.nout & nout S.cout & R.cin S cin & S.cin R.cout & cout S.cout & R.cin R.cout & cout Formal Models for Distributed Negotiations
Notes About Sequence • Dynamic behaviour uniquely defined by the flowchart • Only tree that satisfies all three conditions of soundness • Sequential composition is associative • We can • omit outer boxes in nested serializations • omit parentheses in algebraic expressions • investigate properties by considering two operands at a time Formal Models for Distributed Negotiations
Sequential Choice (Pick) • In sequential composition, a failure of a single component triggers the compensations of all previous activities • The pick operation allows to specify two or more alternatives for the same goal • tried sequentially • until one succeeds • or all have failed Formal Models for Distributed Negotiations
nin & R.nin R.nout & nout R.cout & S.nin cin & R.cin S.nout & nout S.cout & cout R.cout & cout cin & S.cin S.cout & cout Sequential Choice (Pick) • pick R S • (associative) S R The tree is more informative than the flowchart Formal Models for Distributed Negotiations
Parallel Composition (All) • Two or more transactions can be executed concurrently • The all operation allows to specify two or more concurrent activities • initiated together • fail if any of them fail • completed when all succeed • roll-back all on subsequent failures Formal Models for Distributed Negotiations
The tree is trivial nin & R.nin & S.nin R.cout & S.cout & cout R.nout & S.nout & nout The implementation is difficult! What if, after R.nin and S.nin, it happens that R.nout but S.cout? Deadlock? (dealt with exceptions) cin & R.cin & S.cin R.cout & S.cout & cout Parallel Composition (All) • all R S • Petri net–like flowchart • (assoc., comm.) S R Formal Models for Distributed Negotiations
Concurrent Waiting (Parallel Pick) • Speculation • local extra work in anticipation it may need later • Two or more transactions can be attempted concurrently • take the one that succeeds first • compensate all the others • alternatives must be independent each other and with no interaction Formal Models for Distributed Negotiations
Concurrent Waiting (Parallel Pick) nin & R.nin & S.nin non-determinism R.nout & S.nout R.nout & S.cout & nout R.cout & S.nout & nout R.cout & S.cout & cout S.cin R.cin S.cout & nout R.cout & nout cin & R.cin cin & S.cin cin & R.cin cin & S.cin R.cout & cout S.cout & cout R.cout & cout S.cout & cout Formal Models for Distributed Negotiations
The Pi-Calculus Approach • The pi-calculus is the most famous calculus for (name) mobility • Similar to join • many receivers on the same channel • hiding (x) and binding input prefix x(y).P instead of def xyPin … • Similar to CCS (with value passing) • outputs carry values xy • inputs have (bound) arguments x(y) Formal Models for Distributed Negotiations
Compensation Primitives • Asynchronous pi-calculus • P ::= 0 | xy | x(y).P | (x)P | !P | P|P • Additional primitives • done – successful termination of transaction • abort – internal failure • context(P,Q,R) – Process P with exception handler Q and compensation R • Some structural laws • P | done = P • abort | abort = abort • context(xy|P, Q, R) = xy | context(P, Q, R) Formal Models for Distributed Negotiations
Handling Failures • Compensations are remembered after commit by attaching them to on-failure processes of outer contexts • context(P|context(done,Q’,R’), Q, R) context(P, R’|Q, R) • context(abort, Q, R) Q • This allows for • Establishing abstract equivalences • e.g. if P is abort-free, then P is equivalent to any context(P,Q,R) • Formal encoding and comparison with other calculi • extended processes can be “compiled” in the pi-calculus Formal Models for Distributed Negotiations
Extending Compensations • Standard approach • Compensations associated with primary activities of LRTs • When required, all compensations of successful activities are executed (in reversal order) • If savepoints are reached (committed choices), then compensations are no longer required and can be forgotten • StAC (Structured Activity Compensation) • In the spirit of Sagas • More general mechanisms (concurrent and non-atomic activities) • Multiple compensations (selective / alternative) Formal Models for Distributed Negotiations
Business Process Beans • Business Processes • model activities that are useful to the business • must be composable • hierarchy of abstractions • IBM’s BPBeans Application • hierarchy of nested components • bottom level: primitive Java beans components • activities act on a global set of shared variables • composed via the Application Builder for Components (ABC) tool Formal Models for Distributed Negotiations
StAC Syntax • P ; P (sequential composition) • P | P (parallel composition) • par i in S do i.P (generalized parallel comp.) • if C then P else P (conditional) • (early termination) • {P} (termination scoping) • P P (compensation pair) • [P] (compensation scoping) • (accept) • (reverse) Formal Models for Distributed Negotiations
Sequential and Concurrent Activities • P ; Q • P is executed first. When P completes, Q is executed • associative • P | Q • associative • par i in S do i.P • used for generating many concurrent instances uniquely indexed by i • e.g. par i in 1..10 do i.P • creates 10 distinct concurrent instances of P Formal Models for Distributed Negotiations
Early Termination • • termination is limited by scoping brackets • e.g. {P;;Q} ; R • first executes P, then terminator prevents Q from being executed, but being termination limited within brackets, then R will be executed • also concurrent activities are terminated • maybe not immediately, but at a later stage • either prematurely or at completion • e.g. {(P;;Q) | S} | R • the termination causes S to terminate (not R, which is outside the scoping) • Termination scoping can be nested Formal Models for Distributed Negotiations
Compensations I • P Q • P is the primary task • Q is the compensation task for P • First the primary task is executed, when completed, the compensation task is remembered for later use (in reversal) • • executes available compensations • e.g. (P Q) ; • executes P and remembers Q, then reverse by executing Q • e.g. (P1 Q1); (P2 Q2);(P3 Q3); • executes P1 then P2 then P3 then Q3 then Q2 and finally Q1 Formal Models for Distributed Negotiations
Compensations II • e.g. ((P1 Q1)|(P2 Q2)|(P3 Q3)) ; • executes P1, P2 and P3 concurrently, and then compensates with Q1, Q2 and Q3 concurrently • Invoked compensations are then cleared • e.g. (P Q) ; ; is the same as (P Q) ; • • forgets all currently remembered compensations (committed choice) • e.g. (P1 Q1) ; ; (P2 Q2) ; • executes P1 then P2and finally Q2 (Q1 is not performed because it has been removed by the accept operation) Formal Models for Distributed Negotiations
Compensations III • Compensations can be nested • e.g. (P (P1 Q1) ) ; • executes P and remembers (P1 Q1), then on reversal executes P1 but remembers Q1 for later use • Square brackets delimit the scope of the accept and reverse operators • Restrictions in BPBeans • nested compensations are not allowed • each level in the hierarchy overrides lower levels (as if P was modeled by [P;]) • concurrent activities have separated compensation scopes (as if P|Q was modeled by [P]|[Q]) Formal Models for Distributed Negotiations
Multiple Compensations • Aim: to allow processes to remember several simultaneous compensation tasks • Individual tasks can then be accepted or reversed • Facilitate reuse of processes • Language extension • P i P (indexed compensation pair) • i (indexed accept) • i (indexed reverse) Formal Models for Distributed Negotiations
Selective and Alternative Compensations • Selective compensations • reversals select some activities to be compensated for, while preserving the compensations for other activities • Alternative compensations • several alternative compensations are attached to the same activity and the reversal picks one of these alternatives for invocation and forget the others Formal Models for Distributed Negotiations
StAC vs Other Models • Sagas • non hierarchical and purely sequential • compensations invoked on system failure • assumption of perfect compensation • Nested transactions • compensations invoked on system failure • rigid scoping • multiple compensations are not allowed • ConTracts • single compensations • implicit accept and reversal Formal Models for Distributed Negotiations
Recap • We have seen • Different approaches to the formal modeling of compensations • Difficulties • Advantages • Mismatching • Basis for implementations Formal Models for Distributed Negotiations
References • Notes by T. Hoare, C. Fournet, A. Gordon, L. Bocchi, C. Laneve, G. Zavattaro • Extending the concept of transaction compensation (IBM System Journal 41(4), 2002, pp. 743-758) • M. Chessell, C. Griffin, D. Vines, M. Butler, C. Ferreira, P. Henderson Formal Models for Distributed Negotiations