Amending Contracts for Choreographies

Bliudze, S., Bruni, R., Carbone, M., Silva, A. (Eds.); ICE 2011 EPTCS 59, 2011, pp. 111–129, doi:10.4204/EPTCS.59.10 Amending Contracts f or Chor eographies ∗ Laura Bocchi Julien Lange Emilio T uosto Department of Computer Science, Univ ersity of Leicester , UK bocchi@mcs.le.ac.uk jlange@mcs.le.ac.uk emilio@mcs.le.ac.uk Distributed interactions can be suitably designed in terms of chor eogr aphies . Such abstractions can be thought of as global descriptions of the coordination of se veral distributed parties. Global as- sertions define contracts for choreographies by annotating multiparty session types with logical for- mulae to validate the content of the exchanged messages. The introduction of such constraints is a critical design issue as it may be hard to specify contracts that allo w each party to be able to progress without violating the contract. In this paper , we propose three methods that automatically correct inconsistent global assertions. The methods are compared by discussing their applicability and the relationships between the amended global assertions and the original (inconsistent) ones. 1 Intr oduction Choreographies are high lev el models that describe the con versations among distributed parties from a global perspecti ve. Global types [6] and global assertions [3] provide an effecti ve methodology for the design of distributed choreographies (as e.g., in [5]) by allo wing static checking of a number of properties such as deadlock freedom and session fidelity . Intuiti vely , global types establish the interaction pattern for the harmonious coordination of dis- tributed parties while global assertions combine global types with logic to feature design-by-contr act [8]. Basically , global assertions decorate global types with logical formulae ( pr edicates ) that constrain inter- actions, declaring senders’ obligations and recei vers’ requirements on e xchanged data and on the choice of the branches to follo w . This adds fine-grained constraints to the specification of the interaction struc- ture. For instance, the global assertion Alice → Bob : { a | a > 0 } . Bob → Carol : { b | b > a } (1.1) describes a protocol with three participants, Alice , Bob , and Carol , who agree on a “contract” con- straining the interaction variables a and b . The contract stipulates that ( i ) Alice has to send a positiv e v alue to Bob in the first interaction, and that ( ii ) Bob is obliged to send Carol a v alue strictly greater than the one fixed for a in the first interaction. Notice that Bob can fulfill his pledge (i.e., the assertion b > a in the second interaction abov e) only after he has receiv ed the value a from Alice . Once designed, a global assertion G is pr ojected on endpoint assertions that are local types – mod- elling the behaviour of a specific participant – constrained according to the predicates of G . For instance, the projection for Alice in the example (1.1) above is an endpoint assertion prescribing that Alice has to send a positi ve value to Bob . Endpoint assertions can be used for static validation of the actual pro- cesses implementing one or more roles in a choreography represented by G , and/or to synthesise monitor processes for run-time checking/enforcement. ∗ This work has been supported by the project Le verhulme T rust A ward T racing Networks. 112 Amending Contracts for Choreographies The methodology described above can be applied only when global assertions are well-asserted [3], namely when global assertions obe y two precise design principles: history-sensitivity (HS for short) and temporal satisfiability (TS for short). Informally , HS demands that a party having an obligation on a predicate has enough information for choosing a set of values that guarantees it. Instead, TS requires that the v alues sent in each interaction do not make predicates of future interactions unsatisfiable. The main moti vation of our interest in HS and TS is that, in global assertions, they are the tech- nical counterparts of the fundamental coordination issue that could be summarized in the slogan “who does what and when does (s)he do it”. In fact, HS pertains to when variables are constrained and who constrains them, while TS pertains to whic h values variables take. The contracts specified in global asser - tions are, on the one hand, “global” as they pertain to the whole choreography while, on the other hand, they are also “local” in (at least) two aspects. The first is that they assign responsibilities to participants ( who ) at definite moments of the computation ( when ). The second aspect is that the values assigned to v ariables are critical because either one could ov er-constrain variables fixed in the past or over -restrict the range of those assigned in the future ( which ). These conditions (especially TS) are rather crucial as global assertions that violate them may be infeasible or fallacious. F or instance, if the predicate for Bob in the second interaction in (1.1) were 3 > b > a then Bob could not fulfill his contract if Alice had fix ed the v alue 2 for a in the first interaction. Guaranteeing HS and TS is often non-tri vial, and this burden is on the software architect; using tools like the ones described in [7], one only highlights the problems but does not help to fix them. HS and TS are global semantic properties that may be hard to achie ve. Namely , TS requires to trace back for “under-constrained” interactions (i.e., which allo w values causing future predicates to be unsatisfiable) and re-distribute there the unsatisfiable constraints. Contributions W e sho w a fe w techniques that help software architects to amend global assertions during the design of distrib uted choreographies. The preliminary notions used in the rest of the paper are gi ven in § 2. In § 3 we gi ve two algorithms which, if applicable, automatically fix HS in global assertions; the first algorithm strengthens a predicate while the second one is based on variable propagation. In § 4 we gi ve an algorithm which, if possible, mov es predicates up in the global assertion in order to remove TS violations. § 5 outlines a methodology based on the three algorithms. Conclusions and future work are discussed in § 6. 2 Pr eliminaries Let P (ranged over by p , q , s , r , . . . ) and V (ranged over by u , v , x , y , . . . ) be tw o infinitely countable sets of identifiers. W e assume P ∩ V = ∅ and call their elements participants and interaction variables , respec- ti vely . Hereafter , ~ represents a list of some elements (for instance, ~ v is a list of interaction variables); the concatenation of ~ x and ~ y is denoted by the juxtaposition ~ x ~ y , and, abusing notation, we confound lists with the underlying sets of their elements (e.g., a ∈ ~ x indicates that a occurs in the list ~ x ). Also, expressions (ranged over by e ) include v ariables in V , basic data types (e.g., inte gers, booleans, etc.), and usual arithmetic operations/relations; var ( e ) is the set of (free) v ariables in e ; and, we denote logic implication with the symbol ⊃ . As in [3], we parametrise our constructions wrt a logical language Ψ , which we assume to be a decidable fragment of a first-order logic with expressions and quantifiers on v ariables; the set of free interaction v ariables of ψ ∈ Ψ is denoted as var ( ψ ) and we write ψ ( ~ v ) to emphasise that var ( ψ ) ⊆ ~ v . L. Bocchi, J. Lange and E. T uosto 113 The main ingredients of global assertions are interactions , abbre viated ι , which hav e the form: s → r : { ~ v | ψ } (2.1) where s , r ∈ P are the sender and the r eceiver , ~ v ⊆ V is a pairwise-distinct list of variables, and ψ ∈ Ψ . V ariables ~ v are called interaction variables and, in (2.1), we say that they are intr oduced by s . The interaction (2.1) reads as “ s has to send to r some v alues for ~ v that satisfy ψ ” or as “ r relies that the v alues fixed by s for ~ v satisfy ψ ”. For instance, 1 s → r : { v w | ∃ u . v = u × w } states that s has the obligation to send r two values such that the first is a multiple of the second. Remark 1. In [3], interactions specify a channel over whic h participants communicate. In (2.1) we omit channels since the y are inconsequential to our r esults ([2] shows that channels can indeed be r emoved). Gi ven ι as in (2.1), we define snd ( ι ) def = s , r cv ( ι ) def = r , var ( ι ) def = ~ v , and cst ( ι ) def = ψ Def. 2 belo w is essentially borrowed from [3] b ut for a slightly simplified syntax. Definition 2 (Global Assertions) . Global assertions are defined by the following pr oductions. G :: = ι . G Pr efix | s → r :   { ψ j } l j : G j   j ∈ J Branc hing | µ t h ~ e i{ ~ v | ψ } . G Recursive definition | t h ~ e i Recursive call | end End session wher e ψ , ψ j ∈ Ψ and l j rang es over a set of labels. W e let G , G 0 , G j rang e over global assertions. The first production in Def. 2 represents an interaction prefix; interaction v ariables var ( ι ) are bound in the continuation of the prefix and in cst ( ι ) . The second production allo ws the selector s to choose one of the labels { l j } j ∈ J and send it to r ; the choice of label l j is guarded by ψ j (guaranteed by s ) and is follo wed by G j . The formal parameters ~ v ⊆ V in recursi ve definitions 2 are constrained by the inv ariant ψ which must be satisfied at each recursiv e call (this is guaranteed when the global assertion satisfies TS). The initialisation vector ~ e (of the same length as ~ v ) specifies the initial values of the formal parameters. Recursi ve calls must be prefix-guarded. The termination of the session is represented by end (trailing occurrences are often omitted). W e denote with var ( G ) the set of interaction variables and recursion parameters in G . Remark 3. F or simplicity , we assume Bar endr e gt’ s con vention (i.e., bound variables ar e all distinct and the y dif fer fr om any free variable). Mor eover , global assertions G ar e closed , i.e., each fr ee occurrence of v ∈ var ( G ) is either preceded by an interaction ι such that v ∈ var ( ι ) or by a r ecursive definition having v as one of its formal parameter s. A participant p knows a v ariable v ∈ var ( G ) if either 1 For simplicity , we assume the typing of variables understood. 2 V ariables ~ v are pairwise distinct and their free occurrences in the body of the recursion are bound by the recursiv e definition. 114 Amending Contracts for Choreographies • there is ι in G such that v ∈ var ( ι ) and p ∈ { snd ( ι ) , r cv ( ι ) } • or there is a recursiv e definition µ t h ~ e 1 e ~ e 2 i{ ~ v 1 v ~ v 2 | ψ } . G 0 in G such that p knows all the variables 3 in var ( e ) and, for each recursive in vocation t h ~ e 0 1 e 0 ~ e 0 2 i in G 0 , p kno ws all variables in var ( e 0 ) . W e denote with knows p ( G ) ⊆ var ( G ) the set of variables in G that p knows. Example 4. Consider the following global assertion G ex 4 = µ t h 10 i{ v | ψ } . Alice → Bob : { v 1 | ψ 1 } . Bob → Carol : { v 2 | ψ 2 } . t h v 1 i r epeatedly e xecuting a computation wher e (i) Alice sends a variable v 1 to Bob and (ii) Bob sends a variable v 2 to Carol . At each step, the in variant ψ must be satisfied, namely at the first in vocation ψ [ 10 / v ] must hold and in all subsequent invocations ψ [ v 1 / v ] must hold. In G ex4 , Alice knows v 1 , since she sends it, while v 1 , v 2 ∈ knows Bob ( G ex4 ) , since Bob receiv es v 1 and sends v 2 , respectiv ely . Carol kno ws v 2 , since she receiv es it. Also, v ∈ knows Alice ( G ex4 ) ∩ knows Bob ( G ex4 ) , since Alice and Bob know v 1 , the unique v ariable in the expression of the recursi ve call (and they trivially know all the variables in the initial expression, i.e. the constant 10). Ho wev er , Carol does not kno w v since she does not know v 1 . It is con venient to treat global assertions as trees whose nodes are dra wn from a set N (ranged over by n , n 0 , . . . ) and labelled with information on the syntactic categories of Def. 2. Hereafter , we write n ∈ T if n is a node of a tree T , n to denote the label of n , and T • for the root of T . Definition 5 (Assertion T ree) . The assertion tree T ( G ) of a global assertion G is defined as follows: • If G = ι . G 0 then T ( G ) • has label ι and its unique child is T ( G 0 ) • . • If G = s → r :   { ψ j } l j : G j   j ∈ J then T ( G ) • has label s → r and its childr en ar e { n j } j ∈ J ⊆ N such that, for eac h j ∈ J , n j = { ψ j } l j and T ( G j ) • is the unique child of n j . • If G = µ t h ~ e i{ ~ v | ψ } . G 0 then T ( G ) • has label µ t h ~ e i{ ~ v | ψ } and its unique child is T ( G 0 ) • . • If G = t h ~ e i then T ( G ) consists of one node with label t h ~ e i . • If G = end then T ( G ) consists of one node with label end . W e denote the set of assertion trees as T and let T , T 0 , . . . range over T . For con venience, gi ven T ∈ T , we will use the partial functions var T : N → 2 V , cst T : N → Ψ , and snd T , r cv T : N → P that are undefined 4 on N \ { n | n ∈ T } and defined as follows otherwise: var T ( n ) =  var ( ι ) , if n = ι / 0 , otherwise cst T ( n ) = ( ψ , if n = ι and cst ( ι ) = ψ , or n = { ψ } l true , otherwise snd T ( n ) = ( snd ( ι ) , if n = ι s , if n = s → r r cv T ( n ) = ( r cv ( ι ) , if n = ι r , if n = s → r Moreov er , we shall use the following functions: 3 Assume that the lenght of ~ e i and ~ e 0 i is the same of ~ v i for i ∈ { 1 , 2 } . 4 W e write f ( x ) = ⊥ when the function f is undefined on x . L. Bocchi, J. Lange and E. T uosto 115 • par ent T ( n ) returning ε if n = T • , the parent of n in T if n ∈ T , and ⊥ otherwise. • n ↑ T returning the path from T • to n if n ∈ T , and ⊥ otherwise. Gi ven T ∈ T , let A ( T ) be the global assertion obtained by appending the labels of the nodes in (depth-first) preorder trav ersal visit of T . F act 6. A ( T ( G )) = G Fact 6 allo ws us to extend knows p ( ) to T by knows p ( T ) def = knows p ( A ( T )) . F act 7. If T ∈ T then T ( A ( T )) = T Facts 6 and 7 basically induce an isomorphism between global assertions and their parsing trees. 3 T owards a Better Past In a distributed choreography , parties hav e to make local choices on the communicated values; such choices impact on the graceful coordination of the distributed parties. It is therefore crucial that the responsible party has “enough information” to commit to an “appropriate” local choice, in each point of the choreography . For global assertions, this distills into history sensitivity (HS), a property defined in [3] demanding each sender/selector to know all the variables in volved in the predicates (s)he must guarantee. W e illustrate HS with Example 8 below . Example 8. The global assertion G ex 8 violates HS. G ex 8 = Alice → Bob : { v 1 | v 1 > 0 } . Bob → Carol : { v 2 | v 2 > 0 } . Carol → Alice : { v 3 | v 3 > v 1 } In fact, Carol ’ s obligation v 3 > v 1 cannot be fulfilled because v 1 6∈ knows Carol ( G ex 8 ) . Gi ven a global assertion G , the function HS ( G ) belo w returns the nodes of T ( G ) where HS is violated HS ( G ) def = { n ∈ T ( G ) | var ( cst T ( n )) 6⊆ knows s ( n ↑ T ) and s = resp T ( G ) ( n ) } where resp T ( ) : N → P yields the responsible party of a node and is defined as resp T ( n ) def =      snd T ( n ) , if n = ι snd T ( par ent T ( n )) , if n = { ψ } l ⊥ , otherwise Intuiti vely , to determine whether a node n ∈ T ( G ) violates HS, one checks if the responsible party of n kno ws all the variables in volved in cst T ( G ) ( n ) . Gi ven T ∈ T , varHS T ( ) : N → 2 V is defined as varHS T ( n ) def = var ( cst T ( n )) \ knows s ( n ↑ T ) where s = resp T ( n ) Namely , varHS T ( n ) yields the variables of n not known to the responsible party of n . It is a simple observ ation that if HS is violated in a node n , then there exists a v ariable in the predicate of n which is not kno wn to the responsible party of n (namely if n ∈ HS ( G ) then varHS T ( n ) 6 = ∅ ). 116 Amending Contracts for Choreographies Example 9. Consider the following global assertion: G ex 9 = µ t h 10 i{ v | v > 0 } . Alice → Bob : { v 1 | v ≥ v 1 } . Bob → Carol : { v 2 | v 2 > v 1 } . Carol → Alice : { v 3 | v 3 > v 1 } . Carol → Bob : { v 4 | v 4 > v } . t h v 1 i HS ( G ex 9 ) = { n 3 , n 4 } wher e n 3 and n 4 ar e the nodes in T ( G ex 9 ) corr esponding to the third and fourth interactions of G ex 9 , i.e. n 3 = Carol → Alice : { v 3 | v 3 > v 1 } and n 4 = Carol → Bob : { v 4 | v 4 > v } . In Example 9, Carol is responsible for both violations (i.e., resp T ( G ex9 ) ( n 3 ) = resp T ( G ex9 ) ( n 4 ) = Carol ). varHS T ( G ex 9 ) ( n 3 ) = { v 1 } (i.e., Carol has an obligation on v 3 > v 1 without knowing v 1 ) and the violation in n 4 is on varHS T ( G ex 9 ) ( n 4 ) = { v } (i.e., Carol has an obligation on v 4 > v without kno wing v ). Note that the violation on HS does not imply that Carol will actually violate the condition v 3 > v 1 . In fact, Carol could unknowingly choose either a violating or a non violating v alue for v 3 . In § 3.1 and § 3.2, we present two algorithms that fix, when possible, violations of HS in a global assertion. W e discuss and compare their applicability , as well as the relationship between the amended global assertion and the original one. W e shall use Example 9 as the running e xample of § 3.1 and § 3.2. 3.1 Strengthening Fix a global assertion G and its assertion tree T = T ( G ) . Assume HS is violated at n ∈ T and cst T ( n ) = ψ . V iolations occur when the responsible party s of n is ignorant of at least one variable v ∈ var ( ψ ) . The strengthening algorithm (cf. Def. 11) replaces ψ in G with an assertion ψ [ v 0 / v ] so that (1) v 0 is a v ariable that s knows, (2) if ψ [ v 0 / v ] and the predicates occurring from T • to par ent T ( n ) are satisfied then also ψ is satisfied. If there is no variable v 0 that ensures (1) and (2) then we say that str engthening is not applicable . Intu- iti vely , the method abo ve str engthens ψ with ψ [ v 0 / v ] . Due to (2), ψ can be still guaranteed relying on the information pro vided by all the predicates occurring before n . Let PRED T : N → Ψ yield the conjunction of the predicates on the path from T • to the parent of a node: PRED T ( n ) def =      ⊥ , if par ent T ( n ) = ⊥ true , if par ent T ( n ) = ε cst T ( par ent T ( n )) ∧ PRED T ( par ent T ( n )) , otherwise The function strengthen ( G ) uses PRED T to compute a global assertion G 0 by replacing in G , if possible, the assertion violating HS with a stronger predicate. Definition 10 ( strengthen ) . If HS ( G ) = ∅ then strengthen ( G ) r eturns G . If n ∈ HS ( G ) , v ∈ varHS T ( n ) and ther e exists v 0 ∈ knows s ( n ↑ T ) such that PRED T ( n ) ∧ ψ [ v 0 / v ] ⊃ ψ with ψ = cst T ( n ) (3.1) then strengthen ( G ) r eturns A ( T 0 ) where T 0 is obtained fr om T by replacing ψ with ψ [ v 0 / v ] in n. F inally , when the two cases above cannot be applied, strengthen ( G ) r eturns G n , namely it indi- cates that G violates HS at n ∈ HS ( G ) . L. Bocchi, J. Lange and E. T uosto 117 The algorithm Φ 1 in Def. 11 recursiv ely applies strengthen ( ) until either the global assertion satisfies HS or Φ 1 is not applicable anymore. Definition 11 ( Φ 1 ) . The algorithm Φ 1 is defined as follows Φ 1 ( G ) def = ( strengthen ( G ) , if strengthen ( G ) ∈ { G , G n } Φ 1 ( strengthen ( G )) , otherwise Example 12. Consider G ex 9 fr om Example 9 and r ecall that HS ( G ex 9 ) = { n 3 , n 4 } . Str engthening is applicable to n 3 wher e we can substitute v 1 with v 2 in v 3 > v 1 to satisfy condition (3.1) in Def. 10: ( v > 0 ∧ v ≥ v 1 ∧ v 2 > v 1 ) ∧ ( v 3 > v 2 ) ⊃ ( v 3 > v 1 ) The in vocation of strengthen ( G ex 9 ) returns G 0 = µ t h 10 i{ v | v > 0 } . Alice → Bob : { v 1 | v ≥ v 1 } . Bob → Carol : { v 2 | v 2 > v 1 } . Carol → Alice : { v 3 | v 3 > v 2 } . Carol → Bob : { v 4 | v 4 > v } . t h v 1 i The invocation of strengthen ( G 0 ) returns G 0 n 4 since G 0 has still one violating node n 4 for which str engthening is not applicable e.g ., ( v > 0 ∧ v ≥ v 1 ∧ v 2 > v 1 ∧ v 3 > v 2 ) ∧ ( v 4 > v 2 ) 6⊃ ( v 4 > v ) . 3.2 V ariable Propagation An alternati ve approach to solve HS problems is based on the modification of global assertions by letting responsible parties of the violating nodes know the v ariables causing the violation. The idea is that such v ariables are propagated within a “chain of interactions”. Definition 13 ( ≺ T ) . Let n , n 0 ∈ T , n ≺ T n 0 iff n appears in n 0 ↑ T and rcv T ( n ) = snd T ( n 0 ) . A vector of nodes n 1 , . . . , n t is a chain in T iff n i ≺ T n i + 1 for all i ∈ { 1 , . . . , t − 1 } . The relation ≺ T is similar to the IO-dependency defined in [6] but does not consider branching, since a branching does not carry interaction v ariables. Fix a global assertion G ; let T = T ( G ) , n ∈ HS ( G ) , v ∈ varHS T ( n ) , and s = resp T ( n ) . The pr opagation algorithm (cf. Def. 17) is applicable only if there exists a ≺ T -chain in n ↑ T through which v can be propagated from a node whose sender kno ws v to n , in which s = resp T ( n ) can receive it. Giv en a chain ~ n = n 1 · · · n t in T , let the pr opagation of v in ~ n be the tree T 0 ∈ T obtained by updating the nodes in T as follows: • var T 0 ( n 1 ) = var T ( n 1 ) ∪ { v 1 } and cst T 0 ( n 1 ) = cst T ( n 1 ) ∧ ( v 1 = v ) , with v 1 ∈ V fresh. • for i = 2 . . . t − 1, var T 0 ( n i ) = var T ( n i ) ∪ { v i } and cst T 0 ( n i ) = cst T ( n i ) ∧ ( v i = v i − 1 ) , with v 2 , . . . , v t − 1 ∈ V fresh. • cst T 0 ( n t ) = cst T ( n t )[ v t − 1 / v ] • all the other nodes of T remain unchanged. For a sequence of nodes ~ n , P T ( v , ~ n ) denotes T 0 as computed abov e if ~ n is a ≺ T -chain and ⊥ otherwise. 118 Amending Contracts for Choreographies Example 14. In the global assertion G ex 14 below assume Alice knows v fr om pr evious interactions (the ellipsis in G ex 14 ). G ex 14 = . . . Alice → Bob : { u 1 | ψ 1 } . Bob → Carol : { u 2 | ψ 2 } . Bob → Dave : { u 3 | ψ 3 } . Dave → Alice : { u 4 | u 4 > v } F or the chain ~ n = n 1 n 3 n 4 in T ( G ex 14 ) (wher e n i corr esponds to the i-th interaction in G ex 14 ), P T ( G ex 14 ) ( v , ~ n ) r eturns T 0 such that A ( T 0 ) is simply G ex 14 with ψ 1 r eplaced by ψ 1 ∧ v = v 1 , ψ 3 r eplaced by ψ 3 ∧ v 1 = v 2 , and ψ 4 r eplaced by u 4 > v 2 and the fr esh variables v 1 and v 2 is added to the interaction variables of the first and thir d interactions, r espectively . W e define a function propagate which takes a global assertion G and returns: (1) G itself if HS is satisfied, (2) G n if HS is violated at n ∈ T ( G ) and propagation is not applicable, (3) G 0 otherwise, where G 0 is obtained by propagating a violating v ariable v of node n ; in the latter case, observe that v has been surely introduced in a node n 0 ∈ n ↑ T ( G ) from which v can be propagated, since we assume G closed. Definition 15 ( propagate ) . The function propagate ( G ) r eturns • G , if HS ( G ) = ∅ • P T ( v , ~ n ) , if T = T ( G ) and there exists n ∈ HS ( G ) with v ∈ varHS T ( n ) and ther e exists ~ n = n 0 ~ n 1 n chain in T such that snd T ( n 0 ) knows v • G n with n ∈ HS ( G ) otherwise. Example 16. Consider again the global assertion G 0 obtained after the in vocation strengthen ( G ex 9 ) in Example 12. In this case HS ( G 0 ) = { n 4 } with n 4 = Carol → Bob : { v 4 | v 4 > v } . Pr opagation is applicable to n 4 and propagate ( G 0 ) returns G 00 = µ t h 10 i{ v | v > 0 } . Alice → Bob : { v 1 | v ≥ v 1 } . Bob → Carol : { v 2 u 1 | v 2 > v 1 ∧ u 1 = v } . Carol → Alice : { v 3 | v 3 > v 2 } . Carol → Bob : { v 4 | v 4 > u 1 } . t h v 1 i by pr opagating v fr om the second interaction where the sender Bob knows v to Carol , G 00 satisfies HS. The pr edicate of the last interaction derives fr om the substitution ( v 4 > v )[ u 1 / v ] . The propagation algorithm is defined belo w and is based on a repeated application of propagate ( ) . Definition 17 ( Φ 2 ) . Given a global assertion G , the function Φ 2 is defined as follows: Φ 2 ( G ) =  propagate ( G ) , if propagate ( G ) ∈ { G , G n } Φ 2 ( propagate ( G )) , otherwise 3.3 Properties of Φ 1 and Φ 2 W e now discuss the properties of the global assertions amended by each algorithm and we compare them. Hereafter , we say Φ 1 (resp. Φ 2 ) returns G if either it returns G or it returns G n for some n . The applicability of Φ 1 depends on whether it is possible to find a variable known by the responsible party of the violating node such that condition (3.1) in Def. 10 is satisfied. The applicability of Φ 2 depends on whether there exists a chain through which the problematic v ariable can be propagated. 5 5 Linearity of the underlying multiparty session types (i.e., a property that ensures the existence of a dependency chain between the interactions) [6] does not guarantee that Φ 2 is always applicable. The reason is that n 1 ≺ n 2 in the sense of [6] does not imply n 1 ≺ T n 2 since ≺ T does not take into account branching b ut only interactions. L. Bocchi, J. Lange and E. T uosto 119 Notably , there are cases in which Φ 1 is applicable and Φ 2 is not, and vice versa. Also, Φ 1 and Φ 2 return, respecti vely , two different global assertions from the original one; hence it may not always be clear which one should be preferred. Remark 18. In distrib uted applications it is often necessary to guarantee that e xchanged information is accessible only to intended participants. It is worth observing that Φ 2 discloses information about the pr opagated variable to the participants in volved in the pr opagation chain. The ar chitect should ther efor e evaluate when it is appr opriate to use Φ 2 . First we sho w that both Φ 1 and Φ 2 do not change the structure of the gi ven global assertion. Proposition 19. Let G be a global assertion. If Φ 1 ( G ) or Φ 2 ( G ) r eturn G 0 then T ( G ) and T ( G 0 ) are isomorphic, namely the y have the same tr ee structur e, but dif fer ent labels. Whereas Φ 1 does not change the underlying type of the global assertion, Φ 2 does. Indeed, in the resulting global assertion, more variables are exchanged in each interaction in volv ed in the propagation. Ho wev er , the structure of the tree remains the same. Let er ase ( G ) be the function that returns the underlying global type [6] corresponding to G (i.e. a global assertion without predicates). Proposition 20 (Underlying T ype Structure) . Let G be a global assertion, • if Φ 1 ( G ) r eturns G 0 then erase ( G ) = erase ( G 0 ) • if Φ 2 ( G ) r eturns G 0 then for all n ∈ T ( G ) and its corr esponding node n 0 ∈ T ( G 0 ) , var T ( G ) ( n ) ⊆ var T ( G 0 ) ( n 0 ) Pr oof sketch. The proof is by induction on the structure of G and it trivially follows from the fact that neither Φ 1 nor Φ 2 changes the structure of the assertion tree. In fact, Φ 1 changes only the predicates. On the other hand, Φ 2 changes the predicates and adds fresh variables to interaction nodes, therefore changing the type of the exchanged data. The application of Φ 1 and Φ 2 af fects the predicates of the original global assertion. In Φ 1 , strengthen- ing allo ws less v alues for the interaction v ariables of the amended interaction. Con versely , the predicates computed by Φ 2 are equiv alent to the original ones (i.e., they allow sender and recei ver to chose/expect the same set of values). Nev ertheless, such predicates are syntactically different as Φ 2 adds the equality predicates on the propagated v ariables. Proposition 21 (Assertion Predicates) . Let G be a global assertion, 1. if Φ 1 ( G ) returns G 0 then for all n ∈ T ( G ) whose label is modified by Φ 1 and its corr esponding node n 0 ∈ T ( G 0 ) (cf. Pr oposition 20), it holds that PRED T ( G 0 ) ( n 0 ) ∧ cst T ( G 0 ) ( n 0 ) ⊃ cst T ( G ) ( n ) 2. if Φ 2 ( G ) returns G 0 then for all n ∈ T ( G ) whose label is modified by Φ 2 and its corr esponding node n 0 ∈ T ( G 0 ) (a) cst T ( G 0 ) ( n 0 ) is the predicate cst T ( G ) ( n ) ∧ ψ (b) PRED T ( G ) ( n ) ⊃ cst T ( G ) ( n ) ∧ ψ ⇐ ⇒ PRED T ( G 0 ) ( n 0 ) ⊃ cst T ( G 0 ) ( n 0 ) F or some ψ ∈ Ψ satisfiable. Pr oof sketch. The proof of item 1 relies on the fact that Φ 1 either does not change G or replaces a problematic variable by a variables for which (3.1) holds. The proof of item 2 relies on Def.13, i.e. a predicate of the form v 1 = v or v i = v i − 1 is added to each predicate of the nodes in the chain. The additional predicates are satisfiable since they constrain only fresh v ariables (i.e. v i ). 120 Amending Contracts for Choreographies The statement 2b in Proposition 21 amounts to say that cst T ( G ) ( n ) ∧ ψ is equiv alent to cst T ( G 0 ) ( n 0 ) when such predicates are taken in their respecti ve conte xts. Finally , we sho w that Φ 1 and Φ 2 do not add violations (of either HS or TS) to the amended global assertions (Proposition 22) and that if the return v alue is not of the type G n then the amended global assertion satisfies HS (Theorem 23). Proposition 22 (Properties Preservation) . Assume Φ i ( G ) r eturns G 0 with i ∈ { 1 , 2 } . If HS ( G ) = ∅ then HS ( G 0 ) = ∅ and if TS ( G ) = ∅ then TS ( G 0 ) = ∅ . Pr oof sketch. The proof of HS preservation by both algorithms follows by the fact that the y both return G if HS ( G ) = ∅ . TS preservation in Φ 1 follo ws from the fact that predicates may only be changed by a v ariable substitution. For T = T ( G ) , such that TS ( G ) = ∅ , we have that, for an y n ∈ T PRED T ( n ) ⊃ ∃ var T ( n ) . φ by definition of TS. And, by (3.1), we hav e that PRED T ( n ) ⊃ ∃ var T ( n ) . φ [ v / v 0 ] i.e. TS is preserved by Φ 1 . TS preservation in Φ 2 follo ws from the fact that the predicates of a global assertions are only modified by adding equalities between problematic v ariables and fresh variables (see statement 2b in Propostion 21). Theorem 23 (Correctness) . If ther e is G 0 such that Φ 1 ( G ) = G 0 or Φ 2 ( G ) = G 0 then HS ( G 0 ) = ∅ . Pr oof sketch. W e only consider the cases where the algorithms do return a different tree. The proof for Φ 1 follo ws simply from the f act that, at each iteration of the algorithm, the v ariable chosen to replace the problematic one is selected so that the responsible party knows it. The proof for Φ 2 is by induction on the length of the ≺ T -chain at each iteration, and follows from the condition to form such a chain. Let T be an assertion tree, ~ n = n 1 . . . n t be the ≺ T -chain used to solv e a HS problem at n ∈ T on a v ariable v . By construction, the sender of n 1 kno ws v , and each variable v i added at n i is kno wn to the sender of n i (by definition of knows ). In addition, the recei ver of the n t is the r esponsible party of n , who therefore knows the v ariable v t which replaces v in n . 4 Back to the Futur e In a distributed choreography , the local choices made by some parties may restrict later choices of other parties to the point that no suitable values is av ailable. This would lead to an abnormal termination since the choreography cannot continue. For global assertions, this distills into temporal satisfiability (TS) which requires that the values sent in each interaction do not compromise the satisfiability of future interactions. The formal definition of temporal satisfiability is adapted from [3]. Definition 24 (TS [3]) . A global assertion G satisfies TS (in symbols TS ( G ) ) iff GSat ( G , true ) holds wher e GSat ( G , ψ ) iff                    GSat ( G 0 , ψ ∧ cst ( ι )) , if G = ι . G 0 and ψ ⊃ ∃ var ( ι ) . cst ( ι ) ^ j ∈ J GSat ( G j , ψ ∧ ψ j ) , if G = s → r :   { ψ j } l j : G j   j ∈ J and ψ ⊃ _ j ∈ J ( ψ j ) GSat ( G 0 , ψ ∧ ψ 0 ) , if G = µ t h ~ e i{ ~ v | ψ 0 } . G 0 or G = t ψ 0 ( ~ v ) h ~ e i , and ψ ⊃ ψ 0 [ ~ e / ~ v ] G = end , otherwise L. Bocchi, J. Lange and E. T uosto 121 F or an assertion tr ee T ∈ T , TS ( T ) holds iff GSat ( A ( T ) , tr ue ) . Intuiti vely , ψ in GSat is equiv alent to the conjunction of all the predicates that precede an interaction. In the first case, all the values satisfying ψ allow to instantiate the interaction variables var ( ι ) so to satisfy the constraint cst ( ι ) of ι . For branching, GSat requires that at least one branch can be chosen and that each possible path satisfies GSat . The recursiv e definition requires that the initial parameters satisfy the inv ariant ψ 0 . In recursiv e calls, we assume an annotation giving the inv ariant of the corresponding recursi ve definition (i.e. ψ 0 ( ~ v ) ). Often, TS problems appear when one tries to restrict the domain of a v ariable after its introduction. T o illustrate this, we introduce the follo wing running example. Example 25. Consider G ex 25 below , wher e p constraints x and y: G ex 25 = p → q : { x | x < 10 } . p → q : { y | y > 8 } . q → p : { z | x > z ∧ z > 6 ∧ y 6 = z } When q intr oduces z, both x and y are further restricted. Noticeably , in Example 25, if p chooses, e.g . x = 6 then q cannot choose a value for z. Possibly , TS can be regained by rearranging some predicates. In particular , we can “lift” a predicate to a previous interaction node. For instance, in Example 25, one could lift the predicate ∃ z . x > z > 6 (adapted from the last interaction) to the first interaction’ s predicate. W ithout loss of generality , we assume that only one variable is introduced at the nodes where TS is violated. Also, we first consider TS violations occurring in interactions and recursive definitions. Amending violations arising in branching and recursi ve calls is similar b ut complicates the presentation. Hence, for the sake of simplicity , such violations are considered in § 4.2. 4.1 Lifting algorithm W e formalise the lifting algorithm. First, we giv e a function telling us whether a node violates TS. Definition 26 ( TSnode ) . Given T ∈ T , TSnode T ( n ) holds iff n ∈ T , and TS ( T 0 ) holds wher e T 0 is the assertion tr ee consisting of the path n ↑ T wher e the childr en of n (if any) ar e r eplaced by nodes with label end . In addition, we assume that TSnode holds for nodes with label s → r . W e can no w define a function that returns a set of nodes violating TS such that all the previous nodes in the tree do not violate TS. Definition 27 ( TS ) . The function TS : T → N is defined as follows: TS ( T ) def =  n ∈ T | TSnode T ( n ) is false, and TSnode T ( n 0 ) is true for all n 0 ∈ par ent T ( n ) ↑ T  For instance, in Example 25, we have that TS ( T ex25 ) is the singleton { n ex25 } where T ex25 = T ( G ex25 ) and n ex25 is the node corresponding to the last interaction of G ex25 . Once an inter action node n ∈ TS ( T ) is chosen, we rearrange its predicate as two sub-predicates such that the first one constraints only the v ariable introduced at n , and the second one in volv es other variables (which hav e been introduced previously in T ). Definition 28 ( rewrite ) . Let rewrite : Ψ × V → Ψ × Ψ be defined as follows: rewrite ( ψ , v ) =  φ ( v ) , ψ 0 ( ~ w )  wher e ψ ( ~ w ) ⇐ ⇒ φ ( v ) ∧ ψ 0 ( ~ w ) . 122 Amending Contracts for Choreographies Note that rewrite is a non-deterministic total function as φ ( v ) could simply be true . The application of rewrite to Example 25 yields rewrite ( cst ( n ex25 ) , var ( n ex25 )) = ( z > 6 , x > z ∧ y 6 = z ) . Remark 29. F or a tr ee T ∈ T and n ∈ TS ( T ) such that rewrite ( cst T ( n ) , v ) = ( φ , ψ 0 ) , we may have PRED T ( n ) 6⊃ ∃ v . φ . F or instance, if the predicate defined on v alone is not satisfiable, e.g., φ = v < 7 ∧ v > 7 . In this case the algorithm is not applicable. W e can define a relation among predicates ψ and φ in a context ψ 0 to identify the problematic part of an assertion in an interaction node. Definition 30 (Conflict) . The predicate ψ ∈ Ψ is in conflict on ~ v ⊆ V with φ in ψ 0 iff ψ 0 ⊃ ∃ ~ v . φ and ψ 0 6⊃ ∃ ~ v . ( φ ∧ ψ ) Using Def. 30 and PRED T ( n ) (cf. § 3), we define split T ( n , φ , ψ ) def = { ψ 0 | ψ ⇐ ⇒ ψ 0 ∧ ψ 00 and ψ 0 is in conflict on var ( n ) with φ ∧ ψ 00 in PRED T ( n ) } which returns a set of problematic predicates. Considering again Example 25, the application of split yields split T ex25 ( n ex25 , z > 6 , x > z ∧ y 6 = z ) = { x > z } since y 6 = z allows to choose a suitable value for z . The next definition formalises the construction of a new assertion tree which possibly regains TS, gi ven a node and an assertion to be “lifted” (i.e. a “problematic” predicate). Definition 31 ( build ) . The function build T ( n , ψ ) r eturns • ˆ T ∈ T , if we can construct ˆ T isomorphic to T except that, each node n 0 ∈ par ent T ( n ) ↑ T such that n 0 = s → r : { ~ u | θ } and ~ u ∩ var ( ψ ) 6 = ∅ , is r eplaced by a node ˆ n with label s → r : { ~ u | θ ∧ ∀ ~ x . ∃ ~ y . ψ } such that θ ∧ ∀ ~ x . ∃ ~ y . ψ is satisfiable wher e – ~ x ⊆ var ( ψ ) \ knows s ( T ) are intr oduced in a node in n 0 ↑ T – ~ y ⊆ var ( ψ ) ar e intr oduced in a node in the subtr ee r ooted at n 0 and ther e is no n 0 ∈ par ent T ( n ) ↑ T such that n 0 = µ t h ~ e i{ ~ v | ψ } and ~ v ∩ var ( ψ ) 6 = ∅ . • ⊥ otherwise. Remark 32. In the definition of build , we assume that if either ~ x or ~ y is empty , the corr esponding unnecessary quantifier is r emoved. Recall that global assertions are closed (cf. § 2). Therefor e all the variables in var ( ψ ) are tak en into account in the construction of the new assertion tr ee. In Example 25, we would in voke build T ex25 ( n ex25 , z > 6 ∧ x > z ) which returns a new assertion tree. The new tree can be transformed into a global assertion isomorphic to G ex25 with line 1 updated to: p → q : { x | x < 10 ∧ ∃ z . x > z > 6 } . The function TSres : T × N → T ∪ ⊥ either solves a TS problem n or returns ⊥ . Definition 33 ( TSres ) . Given T ∈ T and n ∈ TS ( T ) , we define TSres T ( n ) =                build T ( n , φ ∧ ψ 0 ) , if n = ι and ( φ , ψ ) = rewrite ( cst T ( n ) , var T ( n )) and there is ψ 0 ∈ split T ( n , φ , ψ ) s.t. build T ( n , φ ∧ ψ 0 ) 6 = ⊥ build T ( n , ψ [ ~ e / ~ v ]) , if n = µ t h ~ e i{ ~ v | ψ } ⊥ , otherwise L. Bocchi, J. Lange and E. T uosto 123 The second case of Definition 33 handles TS violations in recursiv e definitions. The problem is similar to the interaction case, b ut in this case, the values assigned to the recursion parameters are kno wn (i.e., ~ e ). It may be possible to lift the recursion inv ariant, where we replace the recursion parameters by the corresponding initialisation vector . Example 34 illustrates this case. Example 34. F or the global assertion G ex 34 given below , TS ( G ex 34 ) does not hold because true 6⊃ ( x > y > 6 ) . G ex 34 = p → q : { x | true } . µ t h 8 i{ y | x > y > 6 } . G 0 However , using the initialisation parameters, we can lift x > 8 > 6 , i.e ., the original predicate wher e we r eplaced y by 8 , to the inter action preceding the r ecursion. TS now holds in the new global assertion (assuming that TS ( G 0 ) holds as well). Remark 35. In Example 34, if we had only lifted x > y > 6 , as in the inter action case, it would not have solved the TS pr oblem. Indeed, the pr edicate of the first interaction would have become ∃ y . x > y > 6 which does not e xclude values for x which ar e incompatible with the invariant (e .g., x = 8 ). The ov erall lifting procedure is given. It relies on a repeated application of TSres until either the assertion tree validates TS or the function fails to solve the problem. In the latter case, the function returns the most improv ed version of the tree and the node at which it failed. Definition 36 ( Φ 3 ) . Φ 3 is defined as follows, given a global assertion G . Φ 3 ( G ) =      G , if TS ( G ) Φ 3 ( TSres T ( G ) ( n )) , if there is n ∈ TS ( T ( G )) s.t. TSres T ( G ) ( n ) 6 = ⊥ G n , otherwise 4.2 A pplying Φ 3 to branching and recursion Branching. According to Def. 24, TS fails on branching nodes only when all the branches are not satisfiable. The underlying idea being that the architect may want to design their choreography in such a way that a branch cannot be taken when some v ariables have a particular v alue. Therefore, the architect should be in volv ed in the resolution of the problem. T wo options are possible; either the disjunction of all the predicates found in the branches is lifted, or one of the branches predicate is lifted. Arguably , the latter may also prohibit the other branches to be chosen, as sho wn in Example 37. Example 37. As an illustration, we consider the following assertion: G ex 37 = p → q : { x | true } . p → q : { v > 5 } l 1 : G 1 { v < 5 } l 2 : G 2 Assuming that TS ( G 1 ) and TS ( G 2 ) hold, we have that TS ( G ex 37 ) does not hold because true 6⊃ ( v > 5 ∨ v < 5 ) . It is obvious that if v = 5 no branc h may be selected. Let’ s call ˆ n the node corresponding to the branching in the second line of G ex37 . Depending on the intention of the architect the problem could be fix ed by one of these in vocations to build (where, in both cases, superfluous quantifiers are remov ed). • build T ( G ex37 ) ( ˆ n , v > 5 ∨ v < 5 ) replaces the predicate in the first line by tr ue ∧ ( v > 5 ∨ v < 5 ) • build T ( G ex37 ) ( ˆ n , v < 5 ) replaces the predicate in the first line by true ∧ ( v < 5 ) . Both solutions solve the TS problem, ho we ver the second one pre vents the first branch to be e ver taken. Gi ven an assertion tree T and a branching node 6 n ∈ T such that TS does not hold. One can inv oke 6 W e also assume that TS is not violated in par ent T ( n ) ↑ T as in Def. 27. 124 Amending Contracts for Choreographies build T ( n , ψ ) where ψ is either the disjunction of all the branching predicates or one of the branches predicate. If the function does not return ⊥ , then the TS problem is solved. Notice that we do not have to use neither rewrite or split to solve problems in branching. Recursion. W e have seen that when a TS violation is detected in a recursion definition, lifting may be applied. Howe ver , lifting a predicate in volving a recursion parameter v would require to strengthen the in variant where v is introduced. This is quite dangerous, therefore the lifting algorithm does not apply in this case. In fact, for recursive definition and calls, Def. 24 requires ψ ⊃ ψ 0 [ ~ e / ~ v ] , where ψ 0 is the recursion in variant and ψ is the conjunction of the previous predicates. Hence, lifting a predicate in volving a recursion parameter may strengthen the inv ariant, and possibly create a ne w problem in a corresponding recursiv e call. Moreov er , notice that, in recursi ve calls, GSat (Def. 24) requires that ψ ∧ ψ 0 ⊃ ψ 0 [ ~ e / ~ v ] ; namely , strenghtening ψ 0 would automatically strenghten ψ 0 [ ~ e / ~ v ] and therefore lea ve the TS problem unsolved. On the other hand, TS problems can be solved when they occur in recursiv e calls. In fact, let a TS problem appear at a node n ∈ T such that n = t h ~ e i and let the inv ariant of the definition of t being ψ ( ~ v ) , then if the in vocation of build T ( n , ψ [ ~ e / ~ v ]) succeeds, the problem is solved. In order to giv e a more complex example of the application of Φ 3 , with TS problems in recursive calls, we consider the follo wing example. Example 38. Consider the global assertion below G ex 38 = Generator → Server : { n | n > 0 } . Player → Server : { x | true } . µ t h x i{ r | r > 0 } . Server → Player : { r > n } less : Player → Server : { y | true } . t h y i { r < n } greater : Player → Server : { z | true } . t h z i { r = n } win : end modelling a small game wher e a Player has to guess an integ er n, following the hints given by a Server . The number is fixed by a Generator . Each time Player sends Server a number , Server says whether n is less or gr eater than that number . Let T ex38 be the tree generated from T ( G ex38 ) . There is a TS problem at the node corresponding to the recursi ve definition, indeed if x ≤ 0, the inv ariant is not respected. After the first loop of Φ 3 ( T ex38 ) , the predicate x > 0 is added in the second interaction. Then, the algorithm loops tw o more times to solve the problems appearing before the recursiv e calls. It adds y > 0 and z > 0 in the interaction of the less and gr eater branch, respectively . The global assertion no w validates temporal satisfiability . 4.3 Properties of Φ 3 Similarly to the algorithms of § 3, Φ 3 does not modify the structure of the tree and preserves the proper- ties of the initial assertion. Proposition 39 (Underlying T ype Structure - Φ 3 ) . Let G be a global assertion. If Φ 3 ( G ) r eturns G 0 then erase ( G ) = er ase ( G 0 ) . 7 Pr oof sketch. The proof is by induction on the structure of G , similarly to the one of Propostion 20. Also, Φ 3 does not introduce ne w HS or TS problems. 7 See Section 3.3 for the definition of erase . L. Bocchi, J. Lange and E. T uosto 125 Proposition 40 (Properties Preservation - Φ 3 ) . Assume Φ 3 ( G ) = G 0 . If HS ( G ) = ∅ then HS ( G 0 ) = ∅ , and if TS ( G ) = ∅ then TS ( G 0 ) = ∅ . Pr oof sketch. The preserv ation of HS follo ws from the fact that all the v ariables which are not kno wn to a participant are quantified (either uni versally or existentially) in the modified predicates. The proof of TS preserv ation follows tri vially from the first case of Def.36. In addition, we hav e that Φ 3 preserves the domain of possible values for each variable from the initial assertion. Proposition 41 (Assertion predicates) . If Φ 3 ( G ) = G 0 then for all n ∈ T ( G ) such that n is a leaf , and its corr esponding node n 0 ∈ T ( G 0 ) (cf. Pr oposition 39) PRED T ( n ) ⇐ ⇒ PRED T 0 ( n 0 ) Pr oof sketch. The proof follows from the observ ation that predicates are only duplicated in the tree, i.e. the lifting algorithm does not add any ne w constraints in the conjunction of the predicates found on the path from the root to a leaf. Finally , Proposition 42 establishes an intermediate result for the correctness of Φ 3 . It says that a successful in vocation of TSres on a node remov es the problem at that node. Proposition 42 (Correctness - TSres ) . Let T be an assertion tr ee, and N = TS ( T ) . F or each n ∈ N such that TSres T ( n ) 6 = ⊥ , then n / ∈ TS ( TSres T ( n )) . Pr oof sketch. W e sketch the key part of the proof, i.e. the proof of the correctness of build for interaction nodes. Let T be an assertion tree with a node n such that n ∈ TS ( T ) , and n = s → r : { v | φ ∧ β ∧ γ } such that β is in conflict on var ( n ) with φ ∧ γ in PRED T ( n ) . Then φ ∧ γ is the predicate to be lifted. Assume ˆ T = build T ( n , φ ∧ β ) . By Def.31, we hav e that, for suitable ~ x 1 ,~ y 1 . . .~ x k ,~ y k , PRED ˆ T ( n ) = PRED T ( n ) ∧ ∀ ~ x 1 . ∃ ~ y 1 . ( φ ∧ β ) σ 1 ∧ . . . ∧ ∀ ~ x k . ∃ ~ y k . ( φ ∧ β ) σ k (4.1) ⇐ ⇒ ∀ ~ x 1 . . .~ x k . PRED T ( n ) ∧ ∃ ~ y 1 . ( φ ∧ β ) σ 1 ∧ . . . ∧ ∃ ~ y k . ( φ ∧ β ) σ k (4.2) Where we assume k substitutions σ i such that the v ariables bound by ∀ ~ x i . ∃ ~ y i in φ ∧ β are pairwise distinct. W e ha ve that a quantified v ersion of φ ∧ β is added k times in the assertion tree, above n . Note that there must be a i such that ∃ ~ y i . ( φ ∧ β ) σ i ⇐ ⇒ ∃ v . ( φ ∧ β ) . Indeed, the variables which are quantified existentially are the ones that ( i ) appear in φ ∧ β , and ( ii ) are fixed below in tree. Therefore, the predicate which is added in the last node before n must quantify existentially v , only . If there were another v ariable to be quantified existentially then it would not be the last node to be updated. By Def.31, we also kno w that ev ery ∃ ~ y i . ( φ ∧ β ) σ i is satisfiable. By the definition of conflict (Def.30), we ha ve that PRED T ( n ) ⊃ ∃ v . ( φ ∧ γ ) and PRED T ( n ) 6⊃ ∃ v . ( φ ∧ β ) (hence, PRED T ( n ) is satisfiable). Therefore, by weakening, we hav e that PRED ˆ T ( n ) ⊃ ∃ v . ( φ ∧ γ ) (4.3) By (4.1), we hav e that PRED ˆ T ( n ) ⊃ ∃ v . ( φ ∧ β ) (4.4) 126 Amending Contracts for Choreographies since ∃ v . ( φ ∧ β ) (modulo renaming) is one of the conjuncts of PRED ˆ T ( n ) . TS must hold for n , which implies that n 6∈ TS ( ˆ T ) and TSnode ˆ T ( n ) holds, i.e. PRED ˆ T ( n ) ⊃ ∃ v . ( φ ∧ β ∧ γ ) Otherwise, that would imply that PRED ˆ T ( n ) ∧ ∀ v . ( ¬ φ ∨ ¬ β ∨ ¬ γ ) which is in contradiction with (4.3) ( φ and γ ) and (4.4) ( β ). Finally , we can say that, if a repeated application of lifting succeeds, the global assertion which is returned satisfies temporal satisfiability . Theorem 43 (Correctness - Φ 3 ) . If Φ 3 ( G ) = G 0 then TS ( G 0 ) = ∅ . Pr oof sketch. The proof is by induction on the number of problematic nodes and the minimum depth of these nodes in the tree. It relies on Proposition 42, i.e. the fact that TSres T ( n ) either solves the problem at n or fails. Let T = T ( G ) and N be the set of nodes in T which violates TS. W e write | n | for the depth of n in T (with | T • | = 0). 1. If N = ∅ , then T is TS. 2. If N 6 = ∅ , let n ∈ TS ( T ) ⊆ N , after an inv ocation to TSres T ( n ) , we hav e (a) If | n | > 1 then either i. N : = N \ { n } , i.e. the node is simply remov ed from the set of problematic nodes, ii. N : = N ∪ N 0 \ { n } with ∀ n 0 i ∈ N 0 . | n 0 i | < | n | , i.e. the problem at n is solved but other problematic nodes, above n in T , are added, or , iii. the algorithm fails on n (b) If | n | ≤ 1 then either N : = N \ { n } , or the algorithm fails. In fact, once the algorithm reaches a problem located at a child of the root, then it either f ails or solves the problem. Indeed, there cannot be a TS problem at the root node unless the predicate is unsatisfiable (see Def.24), in which case, the algorithm fails. Note that selecting n ∈ TS ( T ) implies that the depth of n is smaller or equal to the depth of the nodes in N . It can be sho wn by induction that the algorithm terminates either with TS ( T ) = ∅ , or a failure. Regarding step 2(a)ii, note that the algorithm cannot loop on a problematic node indefinitely . Indeed, the number of (sub)predicates av ailable for lifting is finite and, by Def.30, the algorithm moves only the predicates from which the problem originates, e.g. an equi valent constraint cannot be lifted twice. 5 A methodology f or amending choreographies The algorithms Φ 1 , Φ 2 , and Φ 3 in § 3 and § 4 can be used to support a methodology for amending contracts in choreographies. The methodology mainly consists of the follo wing steps: ( i ) the architect design a choreography b G , ( ii ) the architect is notified if there are an y HS or TS problems in b G , ( iii ) using Φ 1 and Φ 2 solutions may be offered for HS problems, while Φ 3 can be used to offer solutions and/or hints on how to solve TS problems; ( iv ) the architect picks one of the solutions offered in ( iii ) . Steps L. Bocchi, J. Lange and E. T uosto 127 ( ii ) to ( iv ) are repeated until all the problems hav e been solved. W e sketch our methodology using the follo wing global assertion: b G = µ t h 10 i{ v | v > 0 } . Alice → Bob : { v 1 | v ≥ v 1 } . Bob → Carol : { v 2 | v 2 > v 1 } . Carol → Alice : { v 3 | v 3 > v 1 } . Carol → Bob : { v 4 | v 4 > v } . Alice → Bob : { true } cont : t h v 1 i , { true } finish : Alice → Bob : { v 5 | v 1 < v 5 < v 3 − 2 } which extends the global assertion in Example 9. First, b G is inspected by history sensitivity and temporal satisfiability checkers, such as the ones implemented in [7]. If there are any HS problems, the Φ 1 and Φ 2 algorithms are used, while Φ 3 is used for TS problems. This allo ws the architect to detect all the problems and consider the ones for which (at least) one of the algorithms is applicable. W e assume here that the architect focuses on HS problems first. In b G there are two HS problems, both of them can be solved automatically , and the methodology will return that 1. At line 4, v 1 is not kno wn by Carol ; the problem is solvable by either • replacing v 3 > v 1 by v 3 > v 2 (algorithm Φ 1 ) at line 4, or • by rev ealing v 1 to Carol (algorithm Φ 2 ); in this case, line 3 becomes Bob → Carol : { v 2 u 1 | v 2 > v 1 ∧ u 1 = v 1 } and the assertion at line 4 becomes v 3 > u 1 . 2. At line 5, v is not known by Carol ; the problem is solvable by rev ealing the value of v to Carol (algorithm Φ 2 ) in which case line 3 becomes Bob → Carol : { v 2 u 2 | v 2 > v 1 ∧ u 2 = v } and the assertion at line 5 becomes v 4 > u 2 . In the pr opagation case (i.e., Φ 2 ), the methodology gi ves the architect information on which participants the v alue of a variable may be disclosed to. Indeed, as discussed in Remark 18, it may not be appropriate to use the suggested solution. Therefore, the actual adoption of the proposed solutions should be left to the architect. In addition, the order in which problems are tacked is also left to the architect (e.g., the same variable may be in volved in sev eral problems and solving one of them may automatically fix the others). Assuming that Φ 1 is used to solve the first problem and Φ 2 to solve the second, the first five lines of the ne w global assertion are those in Example 16 and HS is fixed. No w HS is satisfied in b G , b ut TS problems are still there. In case a TS problem cannot be solved automatically , additional information can be returned: ( a ) at which node the problem occurred, ( b ) which v ariables or recursion parameters are posing problems (i.e. using split and build ), and ( c ) where liftings are not possible (i.e. when build fails to add a satisfiable predicate to a node). For b G there are two TS problems which are dealt with sequentially . The methodology would report that 1. At line 6, v 1 does not satify the in variant v > 0. This can be solved by lifting v 1 > 0 (i.e. the in v ariant where v is replaced by the actual parameter v 1 ) to the interaction at line 2, which would yield the ne w assertion v ≥ v 1 ∧ v 1 > 0. 128 Amending Contracts for Choreographies 2. At line 7, there might be no value for v 5 such that v 1 < v 5 < v 3 − 2. The assertion is in conflict (cf. Def. 30) with the previous predicates; this problem cannot be solved since lifting would add the follo wing predicates in line 2 and 4, respectiv ely . • ∃ v 3 , v 5 . v 1 < v 5 < v 3 − 2 which is indeed satisfiable, b ut remarkably does not constraint v 1 more than the initial predicate. • ∀ v 1 . ∃ v 5 . v 1 < v 5 < v 3 − 2 which is not satisfiable, therefore the algorithm fails. The failure of Φ 3 is due to the fact that v 5 is constrained by v 1 and v 3 which are fixed by two dif ferent participants. They would have to somehow interact in order to guarantee that there exists a value for v 5 , this cannot be done automatically . Notice that in this case the methodology tells the architect that v 5 , fix ed by Alice , is constrained by v 1 and v 3 which are fixed by Alice and Carol , respecti vely . Our methodology can also suggest that the node introducing v 3 , or (the part of) the assertion ov er v 3 may be the source of the problem since v 3 is the only v ariable not known by Alice . Remark 44. The application of an algorithm could compr omise the application of another one due to some “interfer ence” ef fect that may arise. F or instance, applying str engthening ( Φ 1 ) could spoil the application of lifting ( Φ 3 ) and vice versa (cf . § 6 for an intuitive explanation). 6 Conclusions In this paper , we in vestigated the problem of designing consistent assertions. W e focused on two consis- tency criteria from [3]: history sensiti vity and temporal satisfiability . W e proposed and compared three algorithms ( Φ 1 , Φ 2 , and Φ 3 ) to amend global assertions. Since each algorithm is applicable only in certain circumstances, we proposed a methodology that supports the architect when violations are not automatically amendable. On the theoretical side, the algorithms Φ 1 , Φ 2 , and Φ 3 address the general problem of guaranteeing the satisfiability of predicates when: (1) the parts of the system hav e a dif ferent perspectiv e/knowledge of the av ailable information (in the case of history sensiti vity), and (2) the constraints are introduced progressi vely (in the case of temporal satisfiability). The proposed solutions can be adapted and used, for instance, to amend processes (rather than types), orchestrations (rather than choreographies, when we want to check for local constraints), e.g., expressed in formalisms as CC-Pi [4], a language for distributed processes with constraints. Interestingly , temporal satisfiability is similar to the feasibility property in [1] requiring that any initial segment of a computation must be possibly extended to a full computation to prevent “a scheduler from ‘painting itself into a corner’ with no possible continuation”. A promising future de velopment is to in vestigate more general accounts of satisfiability which is applicable to dif ferent application scenarios. In scope of future work, we will study the “interference” issues of the three algorithms (see Re- mark 44) so to refine our methodology and use them more effecti vely . W e conjecture, for instance, that conflicts between Φ 1 and Φ 3 appear only when the variable introduced where an HS problem is solv ed by Φ 1 is also in volv ed in a TS problem. More precisely , let v be introduced at a node n ha ving an HS problem. If Φ 1 is used to solv ed such problem the constraint at n will be strengthened. No w , if a node n 0 –further down than n in the tree– has a TS problem with a conflict in volving v , the predicate at n will be updated (i.e. strengthened) by Φ 3 . Therefore, the predicate at n w ould be strengthened by each algorithm in an independent way . This may render the predicate at n unsatisfiable. W e will also study the applicability of our methodology in more realistic cases in order to assess the quality of the solutions of fered by our algorithms. L. Bocchi, J. Lange and E. T uosto 129 W e plan to implement our algorithms and support for the methodology by integrating it in the tool introduced in [7]. Refer ences [1] Krzysztof R. Apt, Nissim Francez & Shmuel Katz (1988): Appraising fairness in languages for distributed pr ogr amming . Distrib uted Computing 2, pp. 226–241. [2] Lorenzo Bettini, Mario Coppo, Loris D’Antoni, Marco De Luca, Mariangiola Dezani-Ciancaglini & Nobuko Y oshida (2008): Global Pr ogr ess in Dynamically Interleaved Multiparty Sessions . In Franck van Breugel & Marsha Chechik, editors: CONCUR , Lecture Notes in Computer Science 5201, Springer , pp. 418–433. A v ailable at http://dx.doi.org/10.1007/978- 3- 540- 85361- 9_33 . [3] Laura Bocchi, K ohei Honda, Emilio T uosto & Nobuk o Y oshida (2010): A Theory of Design-by-Contract for Distributed Multiparty Interactions . In Paul Gastin & Franc ¸ ois Laroussinie, editors: CONCUR , Lecture Notes in Computer Science 6269, Springer, pp. 162–176, doi:10.1007/978-3-642-15375-4 12. A vailable at http://dx.doi.org/10.1007/978- 3- 642- 15375- 4_12 . [4] Maria Grazia Buscemi & Ugo Montanari (2007): CC-Pi: a constraint-based language for specifying service level agr eements . In: Proceedings of the 16th European conference on Programming , ESOP’07, Springer - V erlag, Berlin, Heidelberg, pp. 18–32, doi:10.1007/978-3-540-71316-6. A v ailable at http://portal.acm. org/citation.cfm?id=1762174.1762179 . [5] Marco Carbone, K ohei Honda & Nobuk o Y oshida (2007): Structur ed Communication-Centr ed Pro gramming for W eb Services . In: 19th International Conference on Concurrency Theory (Concur’08) , Springer, pp. 2– 17, doi:10.1007/978-3-540-71316-6. A v ailable at http://www.eecs.qmul.ac.uk/ ˜ carbonem/cdlpaper/ esop2007.pdf . [6] K ohei Honda, Nobuk o Y oshida & Marco Carbone (2008): Multiparty asynchr onous session types . In: POPL , pp. 273–284, doi:10.1145/1328438.1328472. A vailable at http://doi.acm.org/10.1145/1328438. 1328472 . [7] Julien Lange & Emilio T uosto (2010): A Modular T oolkit for Theories of Distributed Interactions . In: PLA CES . T o appear . [8] Bertrand Meyer (1997): Object-Oriented Software Construction (Chapter 31) . Prentice Hall.