Contracts in distributed systems

We present a parametric calculus for contract-based computing in distributed systems. By abstracting from the actual contract language, our calculus generalises both the contracts-as-processes and contracts-as-formulae paradigms. The calculus feature…

Authors: Massimo Bartoletti (Dipartimento di Matematica e Informatica, Universita degli Studi di Cagliari, Italy)

Bliudze, S., Bruni, R., Carbone, M., Silva, A. (Eds.); ICE 2011, EPTCS 59, 2011, pp. 130–147, doi:10.4204/EPTCS.59.11

Massimo Bartoletti (Dipartimento di Matematica e Informatica, Università degli Studi di Cagliari, Italy), Emilio Tuosto (Department of Computer Science, University of Leicester, UK), Roberto Zunino (DISI, Università degli Studi di Trento and COSBI, Italy)

Abstract. We present a parametric calculus for contract-based computing in distributed systems. By abstracting from the actual contract language, our calculus generalises both the contracts-as-processes and contracts-as-formulae paradigms. The calculus features primitives for advertising contracts, for reaching agreements, and for querying the fulfilment of contracts. Coordination among principals happens via multi-party sessions, which are created once agreements are reached. We present two instances of our calculus, by modelling contracts as (i) processes in a variant of CCS, and (ii) as formulae in a logic. With the help of a few examples, we discuss the primitives of our calculus, as well as some possible variants.

1 Introduction

What are contracts for distributed services? How should they be used? These questions are intriguing not only researchers but also practitioners and vendors. In fact, contracts are paramount for correctly designing, implementing, and composing distributed software services. In such settings, contracts are used at different levels of abstraction, and with different purposes. Contracts are used to model the possible interaction patterns of services, with the typical goal of composing only those services which guarantee deadlock-free interactions. At a different level of abstraction, contracts are used to model Service Level Agreements (SLAs), specifying what has to be expected from a service, and what from the client.
Also in this case, a typical goal is that of matching clients and services, so that they agree on the respective rights and obligations. Contracts have been investigated from a variety of perspectives and using a variety of different formalisms and analysis techniques, ranging from c-semirings [7, 8, 15], to behavioural types [6, 10, 11], to formulae in suitable logics [1, 3, 21], to categories [9], etc. This heterogeneous ecosystem of formalisms makes it difficult to understand the essence of those methods, and how they are related. As a first step towards remedying this situation, we propose a generic calculus for Contract-Oriented COmputing (in short, CO2). By abstracting away from the actual contract language, our calculus can encompass a variety of different contract paradigms. We provide a common set of primitives for computing with contracts: they allow for advertising and querying contracts, for reaching agreements, and for fulfilling them with the needed actions. All these primitives are independent from the chosen language of contracts, and they only pivot on some general requirements fixed in the contract model proposed here. A remarkable feature of our approach is that contracts are not supposed to be always respected after they have been stipulated. Indeed, we can model the quite realistic situation where promises may possibly be reneged. Therefore, in CO2 contracts are not discharged after they have been used to couple services and put them in a session, as usually done e.g. in the approaches dealing with behavioural types. In our approach, contracts are also used to drive computations after sessions have been established, e.g. to detect violations and to provide the agreed compensations.

Synopsis. The overall contribution of the paper is a calculus for computing with contracts in distributed systems. The calculus is designed around two main principles. The first is the separation of concerns between the way contracts are modelled and the way they are used in distributed computations. Indeed, we abstract from the actual contract language by only imposing a few general requirements. In this way, we envisage our calculus as a generic framework which can be tuned by instantiating the contract model to concrete formalisations of contracts. In § 2 we present the abstract contract model, followed by two concretisations: in § 2.1 we adopt the contracts-as-processes paradigm, whereby CCS-like processes represent contracts that drive the behaviour of distributed participants; in § 2.2 we embrace instead the contracts-as-formulae paradigm, by instantiating our calculus with contracts expressed in a suitable logic. We relate the two concrete models in § 2.3, first with the help of a few examples, and then by showing that contracts-as-formulae, expressed in a significant fragment of our logic, can be suitably encoded into contracts-as-processes (Theorem 2.7). The second design principle of our calculus is that its primitives must be reasonably implementable in a distributed setting. To this purpose, we blend in § 3 a few primitives inspired by Concurrent Constraint Programming (CCP [22]) with other primitives inspired by session types [17]. The key notions around which our primitives are conceived are principals and sessions. The former represent distributed units of computation that can advertise contracts, execute the corresponding operations, and establish/check agreements. Each agreement corresponds to a fresh session, containing rights and obligations of each stipulating party.
Principals use sessions to coordinate with each other and fulfil their obligations. Also, sessions enable us to formulate a general notion of “misbehaviour” which paves the way for automatic verification. We finally suggest possible variants of our primitives and of the contract model (§ 3.6).

Related Work. Multi-party session types [18] are integrated in [5] with decidable fragments of first-order logic (e.g., Presburger arithmetic) to transfer the design-by-contract of object-oriented programming to the design of distributed interactions. We follow a methodologically opposite direction. In fact, in [5] one starts from a global assertion (i.e., global choreography and contracts) to arrive at a set of local assertions; distributed processes abiding by local assertions are guaranteed to have correct interactions (and monitors can be synthesized from local assertions to control execution in untrusted settings). In our framework instead, a principal declares its contract independently of the others and then advertises it; a CO2 primitive then tries to harmonise contracts by searching for a suitable agreement. In other words, one could think of our approach as based on orchestration rather than choreography. The same considerations above apply to [19], where protocol modelling (state machines with memory) represents global choreographies. There, contracts are represented as parallel state machines (according to a CSP-like semantics). Basically, the contract model of [19] coincides with its choreography model. In cc-pi [8], CCP is mixed with communication through name fusion. In this model, involved parties establish SLAs by merging the constraints representing their requirements. Constraints are values in a c-semiring advertised in a global store.
It is not permitted to merge constraints making the global store inconsistent, since an agreement cannot be reached in that case. Conversely, CO2 envisages contracts as binding promises rather than requirements. Actually, even if a principal A tells an absurdum, this will result in a contract like “A is stating a contradiction” added to the environment. When this happens, our approach is not “contracts are inconsistent, do not open a session”, but rather “A is promising the impossible, she will not be able to keep her promise, and she will be blamed for that”. The cc-pi calculus is further developed in [7] to include long running transactions and compensations. There, besides the global constraint store, a local store for each transaction is featured. Local inconsistencies are then used to trigger compensations. In CO2, compensations do not represent exceptional behaviour to be automatically triggered by inconsistencies; rather, compensations fall within “normal” behaviour and have to be spelt out inside contracts. Indeed, after a session has been established, each honest principal A either maintains her promises, or she is culpable of a violation; she cannot simply try to execute arbitrary compensations in place of the due actions. Of course, other principals may deem this promise too weak and avoid establishing a session with A. In [13] a calculus is proposed to model SLAs which combines π-calculus communication, concurrent constraints, and sessions. There, the constraint store is global and sessions are established between two processes whenever the stated requirements are consistent. Interaction in sessions happens through communication and label branching/selection. A type system is provided to guarantee safe communication, although not ensuring progress.
Essentially, the main role of constraints in this calculus is that of driving session establishment. Instead, in CO2 the contracts of an agreement leading to a session are still relevant, e.g. to detect violations. A “boolean” notion of compliance between two contracts is introduced in [12]: either the contract of the client and that of the service are compliant, or they are not. In Ex. 3.4 we discuss a “multi-level” notion of compliance encompassing more than two contracts. Also, in [12] non-compliant contracts may become compliant by adjusting the order of asynchronous actions. When this is possible, an orchestrator can be synthesised from the client and service contracts. In some sense, the orchestrator acts as an “adapter” between the client and the service. In our approach, the orchestrator behaves as a “planner” which finds a suitable set of contracts and puts in a session all the principals involved in these contracts. CO2 takes inspiration from [3, 4]. There, the contract language is the logic PCL, and contracts are recorded into a global constraint store. CO2 instead features local environments for principals and sessions, to enable possible distributed implementations. Our approach differs from those discussed above, as well as from all the other approaches we are aware of (e.g. [6, 10, 11]), w.r.t. two general principles. First, we depart from the common principle that contracts are always respected after their stipulation. We represent instead the more realistic situation where promises are not always maintained. As a consequence, in CO2 we do not discard contracts after they have been used to couple services and put them in a session, as done e.g. in all the approaches dealing with behavioural types. In our approach, contracts are also used to drive computations after sessions have been established (cf. § 3), e.g. to detect violations and to provide the agreed compensations. The second general difference is that CO2 smoothly allows for handling contracts-as-processes (cf. § 2.1). To the best of our knowledge, it seems hard to accommodate these contracts within frameworks based on constraint systems ([4, 13]), logics ([3, 5]), or c-semirings (e.g. [8, 7, 15]).

2 An abstract contract model

We now sketch the basic ingredients of a generic contract model, before providing a formal definition. We start by introducing some preliminary notions and definitions; some of them will only be used later on in § 3. Principals are those agents which may advertise contracts, establish agreements, and realise them. Sessions are created upon reaching an agreement, and provide the context in which principals can interact to fulfil their contracts. Let N and V be countably infinite, disjoint sets of names and variables, respectively. Assume N partitioned into two infinite sets N_P and N_S, for names of principals and of sessions, respectively. Similarly, V is partitioned into infinite sets V_P and V_S for variable identifiers.

Table 1: Notation of principals and sessions.

  n, m, ...        ∈ N            names, union of:
    A, B, ...      ∈ N_P          principal names
    s, t, ...      ∈ N_S          session names
                   V              variables, union of:
    a, b, ...      ∈ V_P          principal variables
    x, y, ...      ∈ V_S          session variables
  u, v, ...        ∈ N ∪ V        names or variables
  A, B, ...        ∈ N_P ∪ V_P    principal names/variables
  a, b, ...        ∈ A            atoms
  ⟨A_1 says a_1, ..., A_j says a_j⟩   action
  c, c′, ...       ∈ C            contracts
  C                               multisets of contracts
  φ, ψ, ...        ∈ Φ            observables
  µ, µ′, ...                      labels

A substitution is a partial map σ from V to N; we write u ∈ dom σ when σ is defined at u, and require that σ maps a ∈ dom σ ∩ V_P to N_P and s ∈ dom σ ∩ V_S to N_S. Our main notational conventions are displayed in Table 1.
The first ingredient of our contract model is a set C of contracts. We are quite liberal about it: we only require that A says c ∈ C for all principals A and for all c ∈ C. The contract A says c can be thought of as “c is advertised by A”. A labelled transition relation →µ on contracts models their evolution under the actions performed by principals. Two further ingredients are a set Φ of observables (properties of contracts) and an entailment relation ⊢ between contracts and observables. Note that we keep contracts distinct from observables in our framework. This has the same motivations as the traditional distinction between behaviours (systems) and their properties (formulae predicating on behaviours), which brought plenty of advantages in the design/implementation of systems. The last ingredient of our contract model is a fulfilment relation between contracts and principals. We say that C is fulfilled for A to mean that, with respect to contracts C, all the obligations of the principal A have been fulfilled. Def. 2.1 formalises the above concepts.

Definition 2.1. A contract model is a tuple ⟨C, A, →, Φ, ⊢, fulfilment⟩ where
• C is a set of contracts, forming a subalgebra of a term-algebra T_{V ∪ N}(Σ) for some signature Σ which includes the operations u says for each u ∈ V_P ∪ N_P;
• A is a set of atoms (ranged over by a, b, ...);
• C →µ C′ is a labelled transition relation over finite multisets on C. The set of labels comprises actions, i.e. tuples of the form ⟨A_1 says a_1, ..., A_j says a_j⟩;
• Φ is a set of observables, forming a subalgebra of a term-algebra T_{V ∪ N}(Σ′) for some signature Σ′;
• ⊢ is a contract entailment relation between finite multisets of C and Φ;
• the fulfilment relation is a contract fulfilment relation between finite multisets of C and principals.

Example 2.1. We illustrate the contract model with the help of an informal example.
A seller A and a buyer B stipulate a contract c_0, which binds A to ship an item after B has paid. Let pay be the atom which models the action of paying. The transition c_0 →⟨B says pay⟩ c_1 models the evolution of c_0 into a contract c_1 where A is obliged to ship, while B has no more duties. Now, let φ be the observable “A must ship”. Then, we would have c_0 ⊬ φ, because A does not have to ship anything yet, while c_1 ⊢ φ, because B has paid and so A must ship. It would not be the case that c_1 is fulfilled for A, because B has paid, while A has not yet fulfilled her obligation to ship.

Table 2: Labelled transition relation of contracts-as-processes.

$$
\mu ::= a \;\mid\; \langle A \text{ says } a^0 \rangle \;\mid\; \langle A \text{ says } a^-,\, A \text{ says } a^+ \rangle
$$

$$
\frac{}{\sum_i a_i . c_i \xrightarrow{a_i} c_i}\ (\textsc{Sum})
\qquad
\frac{c_1 \xrightarrow{\mu} c_1'}{c_1 \mid c_2 \xrightarrow{\mu} c_1' \mid c_2}\ (\textsc{Par})
\qquad
\frac{X \overset{\text{def}}{=} c \qquad c \xrightarrow{\mu} c'}{X \xrightarrow{\mu} c'}\ (\textsc{Def})
$$

$$
\frac{c \xrightarrow{a^0} c' \qquad \mu = \langle A \text{ says } a^0 \rangle}{A \text{ says } c \xrightarrow{\mu} A \text{ says } c'}\ (\textsc{Auto})
\qquad
\frac{c_1 \xrightarrow{a^-} c_1' \qquad c_2 \xrightarrow{a^+} c_2' \qquad \mu = \langle A_1 \text{ says } a^-,\, A_2 \text{ says } a^+ \rangle}{A_1 \text{ says } c_1 \mid A_2 \text{ says } c_2 \xrightarrow{\mu} A_1 \text{ says } c_1' \mid A_2 \text{ says } c_2'}\ (\textsc{Com})
$$

We remark that the use of term-algebras in Def. 2.1 allows us to smoothly apply variable substitutions to contracts and observables. Accordingly, we assume defined the sets fv(c) and fv(φ) of (free) variables of contracts and observables. Note that actions are not required to be in C. Depending on the actual instantiation of the contract model, it can be useful to include them in C, so that contracts can record the history of the past actions.

2.1 Contracts as processes

The first instance of our contract model appeals to the contracts-as-processes paradigm. A contract is represented as a CCS-like process [20], the execution of which dictates obligations to principals.

Definition 2.2. We define a contracts-as-processes language as follows:
• C is the set of process terms defined by the following grammar:
  c ::= Σ_i a_i . c_i | A says c | c | c | X
  and Σ is the signature corresponding to the syntax above; in this section, multisets of contracts are identified with their parallel composition, and accordingly we use the metavariable c to denote them. We assume variables X to be defined through (prefix-guarded recursive) equations.
• A is the union of three disjoint sets: the “inputs” (ranged over by a−), the “outputs” (ranged over by a+), and the “autonomous activities” (ranged over by a0).
• →µ is the least relation closed under the rules in Table 2 and structural equivalence ≡ (defined with the usual rules and A says 0 ≡ 0, where 0 denotes the empty sum and trailing occurrences of 0 may be omitted).
• Φ is the set of LTL [14] formulae (on a signature Σ′), where the constants are the atoms in A.
• c ⊢ φ (for closed c and φ) holds when c ⊨_LTL φ according to the standard LTL semantics where, given a generic trace η of c, the semantics of atoms is:
  η ⊨ a0 ⟺ ∃ A, η′. η = ⟨A says a0⟩ η′
  η ⊨ a+ ⟺ η ⊨ a− ⟺ ∃ A_1, A_2, η′. η = ⟨A_1 says a−, A_2 says a+⟩ η′
• c is fulfilled for A iff for all c′, c″ such that c ≡ (A says c′) | c″ we have that c′ ≡ 0.

We briefly comment on the rules in Table 2. Intuitively, the relation →µ either carries labels of the form ⟨A says a0⟩, which instruct A to fulfil the obligation a0, or labels ⟨A_1 says a−, A_2 says a+⟩, which require participants A_1 and A_2 to fulfil the obligations a− and a+, respectively. Rules (Sum), (Par), and (Def) are standard. By rule (Auto), a contract willing to perform an autonomous action a0 can do so and exhibit the label ⟨A says a0⟩.
Rule (Com) is reminiscent of the synchronisation mechanism of CCS: when two complementary actions a− and a+ can be fired in parallel, the parallel composition of contracts emits the tuple ⟨A_1 says a−, A_2 says a+⟩. Note that the rules in Table 2 give semantics to closed contracts, i.e. contracts with no occurrences of free variables.

Example 2.2. Recall the buyer-seller scenario from Ex. 2.1. The seller A promises to ship an item if buyer B promises to pay. The buyer B promises to pay. The contracts of A and B are as follows:
  c_A = A says pay−. ship0        c_B = B says pay+
A possible computation is then:
  c_A | c_B  →⟨A says pay−, B says pay+⟩  A says ship0 | 0  →⟨A says ship0⟩  0.
It is evident that the contract of B in Ex. 2.2 is rather naive; the buyer pays without requiring any guarantee from the seller (cf. Ex. 3.6). A possible solution is to use a (trusted) escrow service.

Example 2.3. In the same scenario of Ex. 2.2, consider an escrow service E which mediates between A and B. Basically, A and B trust the escrow service E, and they promise to ship to E and to pay E, respectively. The escrow service promises to ship to B and to pay A only after both the obligations of A and B have been fulfilled. The contracts of A, B, and E are defined as follows:
  c_A ≝ A says shipE+. pay−
  c_B ≝ B says payE+. ship−
  c_E ≝ E says shipE−. payE−. (pay+ | ship+) + payE−. shipE−. (pay+ | ship+)

2.2 Contracts as formulae

For the second specialization of our generic model, we choose the contract logic PCL [3]. A comprehensive presentation of PCL is beyond the scope of this paper, so we give here just a brief overview, and we refer the reader to [3, 2] for more details. PCL extends intuitionistic propositional logic IPC [23] with the connective ։, called contractual implication.
Differently from IPC, a contract b ։ a implies a not only when b is true, like IPC implication, but also in the case that a “compatible” contract, e.g. a ։ b, holds. So, PCL allows for a sort of “circular” assume-guarantee reasoning, summarized by the theorem ⊢ (b ։ a) ∧ (a ։ b) → a ∧ b. Also, PCL is equipped with an indexed lax modality says, similarly to the one in [16]. The proof system of PCL extends that of IPC with the following axioms, while remaining decidable:

$$
\begin{array}{ll}
\top \twoheadrightarrow \top & \varphi \to (A \text{ says } \varphi) \\
(\varphi \twoheadrightarrow \varphi) \to \varphi & (A \text{ says } A \text{ says } \varphi) \to A \text{ says } \varphi \\
(\varphi' \to \varphi) \to (\varphi \twoheadrightarrow \psi) \to (\psi \to \psi') \to (\varphi' \twoheadrightarrow \psi') & (\varphi \to \psi) \to (A \text{ says } \varphi) \to (A \text{ says } \psi)
\end{array}
$$

Following Def. 2.1, we now define a contract language which builds upon PCL.

Definition 2.3. We define a contracts-as-formulae language as follows:
• C is the set of PCL formulae. Accordingly, Σ comprises all the atoms A (see below), all the connectives of PCL, and the says modality.
• A is partitioned in promises, written as a, and facts, written as !a.
• The labelled relation →µ is defined by the rule: C →⟨A says a⟩ C, A says a, A says !a
• Φ = C, and Σ′ = Σ.
• ⊢ is the provability relation of PCL.
• C is fulfilled for A iff C ⊢ A says a implies C ⊢ A says !a, for all promises a, i.e. each obligation for A entailed by C has been fulfilled.

Note that the definition of →µ allows principals to perform any actions: the result is that C is augmented with the corresponding fact !a. We include the promise a as well, following the intuition that a fact may safely imply the corresponding promise.

Example 2.4. The contracts of seller A and buyer B from Ex. 2.1 can be modelled as follows:
  c_A = A says ((B says pay) → ship)        c_B = B says pay
By the proof system of PCL, we have that c_A ∧ c_B ⊢ (A says ship) ∧ (B says pay).

2.3 On contracts-as-processes vs. contracts-as-formulae

We now compare contracts-as-processes with contracts-as-formulae. We start with an empirical argument, by comparing in Table 3 a set of archetypal agreements which use contracts from both paradigms. Our main technical result is Theorem 2.7, where we show that contracts-as-formulae, expressed in a significant fragment of PCL, can be encoded into contracts-as-processes. Finally, we further discuss the differences between the two contract models in some specific examples.

Sketching a correspondence. We now discuss Table 3. Contracts yielding similar consequences lie on the same row. Each row tells when interaction is possible, i.e. when processes will eventually reach 0, and when the formulae entail the observable A says a ∧ B says b. In row 1, B performs b unconditionally. Instead, A specifies in her contract a causal dependency between b and a, using a prefix in the world of processes, or an implication in the world of formulae. Note that this exchange offers no protection for B, i.e., c_A could be replaced with anything else and B would still be required to provide b. In row 2, B protects himself by using a causal dependency, using the dual contract of c_A. Now however interaction/entailment is lost: every principal requires the other one to “make the first step”, and circular dependencies forbid any agreement. In row 3, B makes the first step by inverting the order of the causal dependency in c_B. The outcome is similar to row 1, except that now the contract of B mentions that B expects a to be performed. The meaning of the process is roughly “offer b first, then require a”, which has no analogous contract-as-formula. In row 4, B is offering b asynchronously, so removing the causal dependency. In the world of processes, this is done using parallel composition instead of a prefix; in the world of (PCL) formulae this is done using ։ instead of →. Interaction/entailment is still possible. The contracts c_A and c_B are not symmetric, in that c_A specifies a causal dependency, while c_B does not. In row 5, causal dependency is removed from c_A as well. Both A and B are using parallel composition/contractual implication. This results in symmetric contracts which yield interaction/entailment.

Table 3: Contracts-as-processes vs. contracts-as-formulae.

  Row  Contracts-as-processes              Contracts-as-formulae
  1.   c_A = A says b−. a0                 c_A = A says (B says b) → a
       c_B = B says b+                     c_B = B says b
       no protection, interaction          no protection, entailment
  2.   c_A = A says b−. a+                 c_A = A says (B says b) → a
       c_B = B says a−. b+                 c_B = B says (A says a) → b
       no interaction                      no entailment
  3.   c_A = A says b−. a+                 (no equivalent)
       c_B = B says b+. a−
       asymmetric, interaction
  4.   c_A = A says b−. a+                 c_A = A says (B says b) → a
       c_B = B says b+ | a−                c_B = B says (A says a) ։ b
       asymmetric, interaction             asymmetric, entailment
  5.   c_A = A says b− | a+                c_A = A says (B says b) ։ a
       c_B = B says b+ | a−                c_B = B says (A says a) ։ b
       symmetric, interaction              symmetric, entailment

A formal correspondence between contract models. We now provide a precise correspondence between two fragments of contracts-as-formulae and contracts-as-processes, building upon the intuition underlying the cases shown in Table 3. Concretely, we consider a fragment (PCL−) of PCL contracts comprising atoms, conjunctions, says, and non-nested (contractual) implications. Then, we provide an encoding of PCL− into contracts-as-processes (Def. 2.5) and formally relate them.

Definition 2.4. We define PCL− as the fragment of PCL where formulae c have the following syntax:

$$
c ::= \bigwedge_{i \in I} A_i \text{ says } \alpha_i
\qquad
\alpha ::= \bigwedge_{j \in J} q_j \;\Big|\; \Big(\bigwedge_{i \in I} B_i \text{ says } p_i\Big) \to \bigwedge_{j \in J} q_j \;\Big|\; \Big(\bigwedge_{i \in I} B_i \text{ says } p_i\Big) \twoheadrightarrow \bigwedge_{j \in J} q_j
$$

Definition 2.5. For all formulae c of PCL−, we define the contract-as-process [c] as follows, where, for all atoms q, OUT(q) is a recursive process defined by the equation OUT(q) = τ0. 0 + q+. OUT(q). Also, we assume an injective function / that maps all atoms q and all principals A into the atom q/A.

$$
\begin{array}{rcl}
[\bigwedge_{i \in I} A_i \text{ says } \alpha_i] &=& \big\Vert_{i \in I}\, A_i \text{ says } [\alpha_i]_{A_i} \\[4pt]
[\bigwedge_{j \in J} q_j]_A &=& \big\Vert_{j \in J}\, \mathrm{OUT}(q_j/A) \\[4pt]
[(\bigwedge_{i \in \{1,\dots,n\}} B_i \text{ says } p_i) \to \bigwedge_{j \in J} q_j]_A &=& p_1^-/B_1 \,.\, \cdots \,.\, p_n^-/B_n \,.\, \big(\big\Vert_{j \in J}\, \mathrm{OUT}(q_j/A)\big) \\[4pt]
[(\bigwedge_{i \in \{1,\dots,n\}} B_i \text{ says } p_i) \twoheadrightarrow \bigwedge_{j \in J} q_j]_A &=& \big(\big\Vert_{j \in J}\, \mathrm{OUT}(q_j/A)\big) \;\big|\; p_1^-/B_1 \,.\, \cdots \,.\, p_n^-/B_n \,.\, 0
\end{array}
$$

In Def. 2.6 below we extract from a PCL− contract c the associated latent actions, i.e. the set of all atoms occurring in c paired with the participant who may have to abide by them.

Definition 2.6. The function λ from PCL− formulae to sets of actions is defined as follows:

$$
\begin{array}{rcl}
\lambda(\bigwedge_{i \in I} A_i \text{ says } \alpha_i) &=& \bigcup_{i \in I} \lambda_{A_i}(\alpha_i) \\[4pt]
\lambda_A(\bigwedge_{j \in J} q_j) &=& \{ A \text{ says } q_j \mid j \in J \} \\[4pt]
\lambda_A((\bigwedge_{i \in I} B_i \text{ says } p_i) \to \bigwedge_{j \in J} q_j) &=& \{ A \text{ says } q_j \mid j \in J \} \cup \{ B_i \text{ says } p_i \mid i \in I \} \\[4pt]
\lambda_A((\bigwedge_{i \in I} B_i \text{ says } p_i) \twoheadrightarrow \bigwedge_{j \in J} q_j) &=& \{ A \text{ says } q_j \mid j \in J \} \cup \{ B_i \text{ says } p_i \mid i \in I \}
\end{array}
$$

The following result establishes a correspondence between our contract models. A PCL− contract c requires to perform all the latent actions iff its encoding [c] can be fulfilled.

Theorem 2.7. For all PCL− formulae c involving principals {A_i}_{i ∈ I}, the following are equivalent:
• (contracts-as-formulae) ∀ c′, µ_1, ..., µ_n. ((c →µ_1 ··· →µ_n c′ ∧ ∀ i ∈ I. c′ is fulfilled for A_i) ⟹ λ(c) ⊆ {µ_1, ..., µ_n})
• (contracts-as-processes) ∃ c′. ([c] →* c′ ∧ ∀ i ∈ I. c′ is fulfilled for A_i)

The above statement can in fact be reduced to the result below by considering the definition of fulfilment in both contract models.

Theorem 2.8. For all PCL− formulae c, c ⊢ λ(c) if and only if [c] →* 0.

The “if” direction mainly follows from the fact that, unless a τ0 is fired, the residuals of [c] are of the form [c′] where c′ is a formula equivalent to c. The “only if” direction is proved by considering the order of applications of modus ponens in a proof of c ⊢ λ(c) and consequently firing the inputs corresponding to premises of implications. This makes their consequences/outputs available. The case of contractual implications is simpler because outputs are immediately available, hence their generated inputs can be fired last.

3 A basic calculus for contract-oriented computing

We now introduce the syntax and semantics of CO2. It generalises the contract calculus in [3] by making it independent of the actual contract language. In fact, CO2 assumes the abstract model of contracts introduced in § 2, which can be instantiated to a variety of actual contract languages. While taking inspiration from Concurrent Constraint Programming, CO2 makes use of more concrete communication primitives which do not assume a global constraint store, so reducing the gap towards a possible distributed implementation. The main differences between CO2 and CCP are: (i) in CO2 constraints are multisets of contracts, (ii) in CO2 there is no global store of constraints: all the prefixes act on sessions, (iii) the prefix ask of CO2 also instantiates variables to names, and (iv) the prefixes do (which makes a multiset of constraints evolve) and fuse (which establishes a new session) have no counterpart in CCP.

3.1 Syntax

First, let us define the syntax of CO2.

Definition 3.1. The abstract syntax of CO2 is given by the following productions:

$$
\begin{array}{lrcl}
\text{Systems} & S &::=& 0 \;\mid\; A[P] \;\mid\; s[C] \;\mid\; S \mid S \;\mid\; (u)S \\[4pt]
\text{Processes} & P &::=& {\downarrow_u} c \;\mid\; \sum_i \pi_i . P_i \;\mid\; P \mid P \;\mid\; (u)P \;\mid\; X(\vec u) \\[4pt]
\text{Prefixes} & \pi &::=& \tau \;\mid\; \mathrm{do}_u\, a \;\mid\; \mathrm{tell}_u {\downarrow_v} c \;\mid\; \mathrm{ask}_{u,\vec v}\, \varphi \;\mid\; \mathrm{fuse}_u\, \varphi
\end{array}
$$

We stipulate that the following conditions always hold: in a system ‖_{i ∈ I} n_i[P_i], n_i ≠ n_j for each i ≠ j ∈ I; in a process (u)P and a system (u)S, u ∉ N_P.

Table 4: Structural equivalence (Z, Z′ range over systems or processes).

  commutative monoidal laws for | on processes and systems
  u[(v)P] ≡ (v) u[P]                 if u ≠ v
  Z | (u)Z′ ≡ (u)(Z | Z′)            if u ∉ fv(Z) ∪ fn(Z)
  (u)(v)Z ≡ (v)(u)Z
  (u)Z ≡ Z                           if u ∉ fv(Z) ∪ fn(Z)
  ↓_n c ≡ 0      tell_u ↓_n c. P ≡ 0      ask_{u,~v} φ. P ≡ 0  if ~v ∩ N ≠ ∅      fuse_n φ. P ≡ 0

We distinguish between processes and systems. Systems S consist of a set of agents A[P] and of sessions s[C], composed in parallel. Processes P comprise latent contracts, guarded summation, parallel composition, scope delimitation, and process identifiers. A latent contract ↓_x c represents a contract c which has not been stipulated yet; upon stipulation, the variable x will be bound to a fresh session name. We allow finite prefix-guarded sums of processes; as usual, we write π_1. P_1 + π_2. P_2 for Σ_{i=1,2} π_i. P_i. Processes can be composed in parallel, and can be put under the scope of binders (u). We use process identifiers X to express recursive processes, and we assume that each identifier has a corresponding defining equation X(u_1, ..., u_j) ≝ P such that fv(P) ⊆ {u_1, ..., u_j} ⊆ V and each occurrence of process identifiers Y in P is prefix-guarded. Note that principal names cannot be bound, but can be communicated if permitted by the contract language. The empty system and the empty sum are both denoted by 0. As usual, we may omit trailing occurrences of 0 in processes. Free/bound occurrences of variables/names are defined as expected.
V aria bles and ses sion names can be bound ; in ( u ) S all fre e occurr ences of u in S are b ound; S i s clo sed when it has no fre e v ariables. Prefixes inclu de the silent pr efix τ , action e xecutio n do u a , contrac t adv ertisement tell u ↓ v c , contr act query a sk u , ~ v φ , and contrac t stip ulation fuse u φ . The inde x u indicates the targ et agent/ses sion where the prefix will be fired or the session where stipu lations are kept, in the case of fuse . W e shall refer to the set of latent contracts within an agen t A [ P ] as its en vir onment ; similarly , in a session s [ C ] we shall refer to C as the en viron m ent of s . Note that the en viron ment of agents can only contain latent contra cts, adver tised through the primiti ve tell , w hile sessio ns can only contain contracts , obtained either upon reaching an agree ment w ith f use , or possi bly upon princip als performing some do pre fixes. 3.2 Semantics The seman tics of CO 2 is formalised by a redu ction relati on on sys tems which relies on the structur al congru ence laws in T able 4. Only the last row in T able 4 contain s non-stan dard laws: they allo w for collec ting garbage terms which may possib ly arise after varia ble substituti ons. Definition 3.2. The binar y rela tion → on closed syste ms is th e smallest r elatio n closed unde r structu ral congr uence and un der the rule s in T able 5, wher e t he r elation K ⊲ σ x φ in ( F U S E ) is intr oduced in D ef. 3.3, and ↑ K is obtained by r emovin g all the ↓ fr om K , i.e. if K = || i ∈ I ↓ x i c i , the n ↑ K = || i ∈ I c i . Also, we identi fy the parallel composit ion of contra cts C = c 1 | . . . | c j with the multiset { c 1 , . . . , c j } (s imilarly for latent contr acts). Axiom ( T A U ) and rules (P A R ), (D E L ), and (D E F ) are stand ard. Axioms ( T E L L 1 ) and (T E L L 2 ) state that a pr incipa l A can advertis e a late nt contra ct ↓ x c eith er in her o wn en vironme nt, or in a remote on e. 
In 140 Contract s in distrib uted systems A [ τ . P + P ′ | Q ] − → A [ P | Q ] ( T AU ) A [ tell A ↓ x c . P + P ′ | Q ] − → A [ ↓ x A says c | P | Q ] ( T E L L 1 ) A [ tell B ↓ x c . P + P ′ | Q ] | B [ R ] − → A [ P | Q ] | B [ R |↓ x A says c ] ( T E L L 2 ) C h A 1 says a 1 ,..., A j says a j i − − − − − − − − − − − − − − → C ′ j ≥ 1 s [ C ] | || 1 ≤ i ≤ j A i [ do s a i . P i + P ′ i | Q i ] − → s [ C ′ ] | || 1 ≤ i ≤ j A i [ P i | Q i ] ( D O ) dom σ = ~ u ⊆ V C σ ⊢ φσ ( ~ u )( A [ ask s , ~ u φ . P + P ′ | Q ] | s [ C ] | S ) − → A [ P | Q ] σ | s [ C ] σ | S σ ( A S K ) K ⊲ σ x φ ~ u = dom σ ⊆ V s = σ ( x ) fresh ( ~ u )( A [ fuse x φ . P + P ′ | K | Q ] | S ) − → ( s )( A [ P | Q ] σ | s [ ↑ K ] σ | S σ ) ( F U S E ) X ( ~ u ) def = P P { ~ v / ~ u } − → P ′ X ( ~ v ) − → P ′ ( D E F ) S − → S ′ S | S ′′ − → S ′ | S ′′ ( P A R ) S − → S ′ ( u ) S − → ( u ) S ′ ( D E L ) T able 5: Reduction semantics of CO 2 M. Bartoletti, E. T uosto, R. Zunino 141 (D O ), the principals A i are participat ing in the contracts C stipulated on session s . Basically , the system e v olves when all the in vol ved princ ipals are ready to fire the required actio n. R ule ( A S K ) allows A to check if an observ able φ is entailed by the contract s C in sess ion s ; notice that the entailment is subjec t to an instantiat ion σ of the v ariables m ention ed in the ask prefix. Rule ( F U S E ) establishes a multi-party sessio n s among all the partie s tha t reac h an ag reement on the late nt co ntracts K . Roughly , the a gr eement relatio n K ⊲ σ x φ (Def. 3.3) hold s w hen, upon some substi tution σ , the latent contracts K entail φ , and the fresh session name s substitu tes for the v ariable x . The simplest typical usage of these primiti ves is as follo ws. First, a group of principa ls exch anges latent contracts using tell , henc e shari ng thei r inten tions. Then, one of them opens a new session using the fuse primit i ve. 
Once this ha ppens , each in v olved princip al A ca n i nspect the session u sing ask , he nce disco vering her actual duties w ithin that session: in general, these depend not only on the contract of A , b ut als o on those o f t he oth er princi pals (see e.g. Ex.3.4). Finally , primiti ve do is used to actu ally perfor m the duties. Example 3.1. The sale scenario betwee n seller A and buyer B fr om Ex. 2.4 c an be fo rmalized a s follo w s. S = A [( x , b ) tell A ↓ x (( b says pa y ) → ship ) . fuse x ( A says ship ) . do x ship ] | B [( y ) tell A ↓ y pa y . a sk y ( B says pa y ) . do y pa y ] The b uyer t ells A a contr act whic h bin ds B to pay , then waits until disco vering that he actually has to pa y , and ev entual ly doe s that. A session between the b uyer and the seller is cr eated and pr oceed s smoothly as ex pected : S − → ( x , b , y )  A [ ↓ x A says (( b says pa y ) → ship ) | fuse x ( A says ship ) . do x ship ] | B [ tell A ↓ y pa y . ask y ( B says pa y ) . do y pa y ]  − → ( x , b , y )  A [ ↓ y B says pa y | ↓ x A says (( b says pa y ) → ship ) | fuse x ( A says ship ) . do x ship ] | B [ ask y ( B says pa y ) . do y pa y ]  − → ( s )  A [ do s ship ] | B [ ask s ( B says pa y ) . do s pa y ] | s [ A says (( B sa ys pa y ) → ship ) , B says pa y ]  − → ( s )  A [ do s ship ] | B [ do s pa y ] | s [ A says (( B sa ys pa y ) → ship ) , B says pa y ]  − → ( s )  A [ 0 ] | B [ do s pa y ] | s [ A says (( B says pa y ) → ship ) , B say s p ay , A say s ! ship , . . . ]  − → ( s )  A [ 0 ] | B [ 0 ] | s [ A say s (( B says pa y ) → ship ) , B says pa y , A says ! ship , B says ! p a y , . . . ]  In the pre vious example, w e hav e modelled the system outlin ed in Ex. 2.1 using a contrac ts-as- formulae a pproac h. In t he follo wing exa mple, we adop t instea d the c ontrac ts-as-p rocesses paradigms. 
In the meanwhile, we introduc e a further participa nt to our system: a brok er C whic h collects the contracts from A and B , and the n uses a fuse to find when an agree ment is possible. Example 3.2. R ecall the contr act of E x. 2.2. W e spec ify the behaviour of the system as: S def = A [( x )( tell C ( ↓ x pa y − . ship 0 ) . ask x 3 pa y + . do x pa y − . do x ship 0 ] | B [( y )( tell C ↓ y pa y + . do y pa y + ] | C [( z )( fuse z 3 ( pa y + ∧ 3 ship 0 ))] The principals A and B advertise their contrac ts to the br oker C , which ope ns a session for their inter - action . As e xpected, as soo n as the pay ment is r eceived, the goods ar e shipped . After adver tising such contr act in her en vir onment, the seller waits until finding that she has pr omised to ship; after that, she actual ly ships the item. S − → ∗ ( s )  A [ 0 ] | B [ 0 ] | s [ 0 ]  142 Contract s in distrib uted systems 3.3 On agree ments T o find agreement s ( K ⊲ σ x φ ), we use the relat ion ⊢ of the con tract model. Definition 3 .3. F or a ll multi sets K of latent co ntr acts, for a ll sub stituti ons σ : V → N , for all x ∈ V , for all observ ables φ , we write K ⊲ σ x φ if f the following condition s hold: • x ∈ dom σ • fv ( K σ ) = fv ( φσ ) = / 0 • ∃ s ∈ N S : ∀ y ∈ dom σ ∩ V S : σ ( y ) = s • ( ↑ K ) σ ⊢ φσ • no σ ′ ⊂ σ satis fies the condi tions above , i.e. σ is minimal . Basically , Def. 3.3 states that an agreement is reac hed w hen the laten t contracts in K entail, under a suitab le subst itution , an obs erv able φ . Recall that φ is the condition use d by the princ ipal act ing a s brok er when searching for an agreement (cf. rule ( F U S E ) in T able 5). A v alid agreement has to instantiate with a minimal substi tution σ all the va riables appeari ng in the latent contracts in K as well as the session v ariable x ; the latt er , together with any othe r sess ion v ariables in the domain of the subs titutio n σ , is mapped to a (fresh ) session name s . 
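The following Python program is an added example, not code from the paper: it is a toy broker for the contracts-as-formulae instance of CO2 that implements the agreement search of Def. 3.3 and the fulfilment check used in Sect. 3.4, and runs it on the sale scenario of Ex. 3.1, on the minimality case of Ex. 3.3, and on the snake-oil variations of Ex. 3.5, 3.6 and 3.7. Everything about the logic is a simplifying assumption made here: a contract is a list of clauses, each a fact "P says act" or an implication between two such atoms, standard (written `->` in the comments) or contractual (`=>>`); entailment is a least fixed point in which a contractual implication fires when its premise is derivable under the assumption of its own conclusion (which reproduces the PCL handshake: `a =>> b` together with `b -> a`, or with `b =>> a`, yields both `a` and `b`); principal variables (names starting with `?`) range over the principals of the candidate group; and "P has fulfilled C" means every entailed obligation "P says act" is matched by a done fact "P says !act". Names such as `run_sale`, `SELLER_FRAUD` and `BUYER_GUARDED` are this example's own.

```python
# Added example (Python), not the paper's code: a toy broker for the
# contracts-as-formulae instance of CO2 over a simplified PCL-like fragment.
# Atoms are (principal, action); a principal starting with "?" is a variable.
from itertools import combinations, product


def fact(p, act):
    return ("fact", (p, act))


def impl(prem, conc, contractual=False):
    return ("impl", prem, conc, contractual)


def atoms_of(clause):
    return clause[1:2] if clause[0] == "fact" else clause[1:3]


def closure(clauses, hyp=frozenset()):
    """Least set of atoms derivable from `clauses` under hypotheses `hyp`.
    A contractual implication fires when its premise is derivable assuming
    its own conclusion (assumed rendering of PCL's handshake rule)."""
    derived = set(hyp)
    changed = True
    while changed:
        changed = False
        for cl in clauses:
            conc = cl[1] if cl[0] == "fact" else cl[2]
            if conc in derived:
                continue
            if cl[0] == "fact":
                fires = True
            elif cl[3]:  # contractual: hypothesis set grows, so recursion ends
                fires = cl[1] in closure(clauses, frozenset(derived | {conc}))
            else:
                fires = cl[1] in derived
            if fires:
                derived.add(conc)
                changed = True
    return derived


def subst(clauses, sigma):
    def s(atom):
        return (sigma.get(atom[0], atom[0]), atom[1])
    return [("fact", s(cl[1])) if cl[0] == "fact"
            else ("impl", s(cl[1]), s(cl[2]), cl[3]) for cl in clauses]


def variables(clauses):
    return {a[0] for cl in clauses for a in atoms_of(cl) if a[0].startswith("?")}


def fuse(latent, observable):
    """Def. 3.3, simplified: `latent` maps each advertising principal to its
    latent contract.  Returns (participants, sigma, session contracts) for the
    smallest group whose contracts entail `observable`, or None if the fuse
    is stuck.  Minimality = fewest latent contracts included (assumption)."""
    names = sorted(latent)
    for size in range(1, len(names) + 1):
        for group in combinations(names, size):
            K = [cl for p in group for cl in latent[p]]
            vs = sorted(variables(K) | variables([("fact", observable)]))
            for vals in product(group, repeat=len(vs)):
                sigma = dict(zip(vs, vals))
                C = subst(K, sigma)
                if subst([("fact", observable)], sigma)[0][1] in closure(C):
                    return group, sigma, C
    return None


def obligations(session, p):
    """Atoms 'p says act' entailed by the session; done facts '!act' excluded."""
    return {a for a in closure(session) if a[0] == p and not a[1].startswith("!")}


def honest(session, p):
    """Assumed fulfilment relation: every obligation has a matching done fact."""
    return all(fact(p, "!" + act) in session for _, act in obligations(session, p))


# Constructed sample contracts after Ex. 3.1 and the snake-oil seller of Ex. 3.5-3.7.
SELLER_HONEST = [impl(("?b", "pay"), ("A", "ship"))]           # (b says pay) -> ship
SELLER_FRAUD = [impl(("?b", "pay"), ("A", "snakeOil"))]        # (b says pay) -> snakeOil
BUYER_PLAIN = [fact("B", "pay")]                               # pay
BUYER_GUARDED = [impl(("?a", "ship"), ("B", "pay"), True)]     # (a says ship) =>> pay


def run_sale(seller, buyer, observable, seller_does):
    """Both advertise; the seller's fuse asks for `observable`; the seller then
    does `seller_does`; the buyer pays iff his ask (B says pay) succeeds.
    Returns (session created, A honest, B honest)."""
    agreement = fuse({"A": seller, "B": buyer}, observable)
    if agreement is None:
        return (False, None, None)  # fuse stuck: no session, hence no duties
    session = agreement[2] + [fact("A", "!" + seller_does)]
    if ("B", "pay") in closure(session):
        session = session + [fact("B", "!pay")]
    return (True, honest(session, "A"), honest(session, "B"))


def minimality_example():
    """Ex. 3.3: C's unrelated offer stays out of the agreement of A and B."""
    latent = {"A": SELLER_HONEST, "B": BUYER_PLAIN, "C": [fact("C", "kissFrog")]}
    group, sigma, _ = fuse(latent, ("A", "ship"))
    return group, sigma


if __name__ == "__main__":
    print(run_sale(SELLER_HONEST, BUYER_PLAIN, ("A", "ship"), "ship"))            # Ex. 3.1
    print(run_sale(SELLER_HONEST, BUYER_PLAIN, ("A", "ship"), "snakeOil"))        # Ex. 3.5
    print(run_sale(SELLER_FRAUD, BUYER_PLAIN, ("A", "snakeOil"), "snakeOil"))     # Ex. 3.6
    print(run_sale(SELLER_FRAUD, BUYER_GUARDED, ("A", "snakeOil"), "snakeOil"))   # Ex. 3.7
    print(minimality_example())
```

The four `run_sale` calls reproduce the narrative of the examples: the honest sale succeeds with both parties fulfilled; the seller who ships snake oil against a promise to ship is caught (her obligation `A says ship` has no matching `!ship` fact); the seller who openly promises snake oil is not dishonest by the fulfilment check, which is exactly the gap that the buyer's contractual implication closes, since against that seller the fuse finds no agreement at all, while against the honest seller it still does.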
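For the contracts-as-processes side, the following Python program is likewise an added example and not the paper's code: it explores every maximal trace of a session built from CCS-like contracts, so that one can check the broker's observable of Ex. 3.2, see how the colluding broker of Ex. 3.8 leaves one participant unable to fulfil her contract, check the escrow session of Ex. 3.10, and compute the "mutual compliance" condition sketched in Sect. 3.6 (all maximal traces of the session reach 0). The semantics is assumed here, since Def. 2.2 is not reproduced in this section: a contract is a guarded choice encoded as a tuple of (prefix, continuation) branches with `()` for 0; a prefix is an action name with a polarity (`+` output, `-` input, `0` internal); an output and an input on the same action in two distinct contracts synchronise, and an internal action fires alone. The observable is given an existential reading (it holds if some maximal trace satisfies it), the parallel `pay+ | ship+` inside the escrow contract is expanded into its two interleavings, and names such as `pre`, `choice`, `steps`, `mutually_compliant` and `culpable` are this example's own.

```python
# Added example (Python), not the paper's code: exhaustive exploration of a
# contracts-as-processes session under an assumed CCS-like semantics.


def pre(name, cont=()):
    """Prefix: pre("pay+", pre("ship-")) is pay+.ship-"""
    return ((name, cont),)


def choice(*procs):
    """Guarded choice: choice(pre("ship+"), pre("fraud0")) is ship+ + fraud0"""
    return tuple(branch for proc in procs for branch in proc)


def steps(state):
    """All (label, next_state) moves of the session `state`, a tuple holding
    one contract per participant.  Synchronisations are labelled by the output."""
    moves = []
    for i, proc in enumerate(state):
        for name, cont in proc:
            if name.endswith("0"):                       # internal action
                moves.append((name, state[:i] + (cont,) + state[i + 1:]))
            elif name.endswith("+"):                     # output meets an input
                dual = name[:-1] + "-"
                for j, other in enumerate(state):
                    if j == i:
                        continue
                    for name2, cont2 in other:
                        if name2 == dual:
                            nxt = list(state)
                            nxt[i], nxt[j] = cont, cont2
                            moves.append((name, tuple(nxt)))
    return moves


def maximal_traces(state):
    """Every maximal trace as (labels, final_state).  Contracts are finite,
    so every maximal trace is finite and no fairness bookkeeping is needed."""
    moves = steps(state)
    if not moves:
        return [((), state)]
    return [((label,) + labels, final)
            for label, nxt in moves for labels, final in maximal_traces(nxt)]


def mutually_compliant(contracts):
    """Sect. 3.6 variant: every maximal trace of the session ends with all 0."""
    return all(all(c == () for c in final)
               for _, final in maximal_traces(tuple(contracts)))


def eventually(contracts, *labels):
    """Existential reading (assumed) of the observable ◇(l1 ∧ ◇(l2 ∧ ...)):
    some maximal trace performs l1, l2, ... in this order."""
    def in_order(trace):
        it = iter(trace)
        return all(any(t == label for t in it) for label in labels)
    return any(in_order(trace) for trace, _ in maximal_traces(tuple(contracts)))


def culpable(contracts):
    """Basic model (cf. Ex. 3.8): participants left holding a pending prefix
    at the end of some maximal trace, i.e. unable to fulfil their contract."""
    return {i for _, final in maximal_traces(tuple(contracts))
            for i, c in enumerate(final) if c != ()}


# Constructed sessions.  Indices: 0 = A / A1, 1 = B / A2, 2 = E (escrow).
EX_3_2 = [pre("pay-", pre("ship0")), pre("pay+")]
EX_3_8 = [pre("pay+", pre("ship-")),
          pre("pay-", choice(pre("ship+"), pre("fraud0")))]
SETTLE = choice(pre("pay+", pre("ship+")), pre("ship+", pre("pay+")))  # pay+ | ship+
EX_3_10 = [pre("shipE+", pre("pay-")), pre("payE+", pre("ship-")),
           choice(pre("shipE-", pre("payE-", SETTLE)),
                  pre("payE-", pre("shipE-", SETTLE)))]

if __name__ == "__main__":
    print(eventually(EX_3_2, "pay+", "ship0"), mutually_compliant(EX_3_2))
    print(eventually(EX_3_8, "fraud0"), mutually_compliant(EX_3_8), culpable(EX_3_8))
    print(mutually_compliant(EX_3_10))
```

In Ex. 3.8 the broker's observable ◇(ship+ ∨ fraud0) is satisfied (the `fraud0` trace exists), so the basic model opens the session and `culpable` reports participant 0 (A1), who is stuck on `ship-`; `mutually_compliant` is false for the same session, which is what the Sect. 3.6 variant uses to conclude that no obligation arises for A1 in the first place.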
The minimality condition on $\sigma$ forces brokers to include in agreements only "relevant" participants. For instance, let $\downarrow_{x_1} c_1$, $\downarrow_{x_2} c_2$, and $\downarrow_{x_3} c_3$ be the latent contracts advertised to a broker; if there is an agreement on $\downarrow_{x_1} c_1$ and $\downarrow_{x_2} c_2$, the latent contract $\downarrow_{x_3} c_3$ would not be included. Basically, the minimality condition allows brokers to tell apart unrelated contracts. This is illustrated by the following informal example.

Example 3.3. Let $\phi$ be the observable "$A$ shall ship the goods", and consider the following latent contracts, advertised by $A$, $B$, and $C$, respectively:
• $\downarrow_{x_1} c_1$ = "in session $x_1$, if some principal $b$ pays, then I shall ship the goods"
• $\downarrow_{x_2} c_2$ = "in session $x_2$, I shall pay"
• $\downarrow_{x_3} c_3$ = "in session $x_3$, I shall kiss a frog".
Note that the first two latent contracts do entail $\phi$ when $\sigma(b) = B$ and $\sigma(x_1) = \sigma(x_2) = s$. Without the minimality condition, $\sigma(x_3) = s$ would have been included in the agreement of $A$ and $B$, despite the offer of $C$ being immaterial to it.

Example 3.4. Our approach allows for contract models with multiple levels of compliance. For instance, let $c_A$, $c_B$, and $c_{B'}$ be the following PCL contracts (here $b$ is a principal variable, while $\mathsf{a}, \mathsf{a'}, \mathsf{b}, \mathsf{b'}$ are atoms):
\[
\begin{array}{rcl}
c_A & = & \downarrow_{x_1} A\ \mathit{says}\ \big( (b\ \mathit{says}\ \mathsf{b}) \rightarrow \mathsf{a} \ \wedge\ (b\ \mathit{says}\ \mathsf{b'}) \rightarrow \mathsf{a'} \big) \\[2pt]
c_B & = & \downarrow_{x_2} B\ \mathit{says}\ \mathsf{b} \\[2pt]
c_{B'} & = & \downarrow_{x_3} B'\ \mathit{says}\ \mathsf{b} \wedge \mathsf{b'}
\end{array}
\]
The contract $c_A$ is intuitively compliant with both $c_B$ and $c_{B'}$. When coupled with $c_{B'}$, the contract $c_A$ entails both the obligations $\mathsf{a}$ and $\mathsf{a'}$ for $A$. Conversely, when coupled with $c_B$, we obtain a weaker agreement, since only the obligation $\mathsf{a}$ is entailed. Although both levels of agreement are possible, in some sense the contract $c_{B'}$ provides $c_A$ with a better Service-Level Agreement than $c_B$. Through the primitive ask, principal $A$ can detect the actual service level she has to provide.

3.4 On violations

In Def. 3.4 below we set out when a principal $A$ is honest in a given system $S$. Intuitively, we consider all the possible runs of $S$, and require that in every session the principal $A$ eventually fulfils all her duties. To this aim, we shall exploit the fulfilment relation $C \vDash A$ ("$A$ has fulfilled her duties in $C$") from the contract model. To do that, we need to cope with a few technical issues. First, the $\alpha$-conversion of session names makes it hard to track the same session at different points in a trace. So, we consider traces "without $\alpha$-conversion of names". Technically, let
\[
\mathit{freezeNames}(S) = \{\, S' \mid S \equiv (s_1,\ldots,s_j)\,S' \text{ and } S' \text{ is free from } (s) \text{ delimitations} \,\}
\]
and define $S \leadsto S''$ whenever $S \rightarrow S'$ and $S'' \in \mathit{freezeNames}(S')$. A $\leadsto$-trace is a trace w.r.t. $\leadsto$. Such a $\leadsto$-trace is maximal iff it is either infinite or ends with some $S_j \not\leadsto$. Another technical issue is that a principal might not get a chance to act in all the traces. For instance, consider the system $S = A[\mathit{do}_s\, \mathit{pay}] \mid B[X] \mid S'$, where $S'$ enables $A$'s action and $X \stackrel{\mathit{def}}{=} \tau.X$; note that $S$ generates the infinite trace $S \leadsto S \leadsto S \cdots$ in which $A$ never pays, despite her honest intention. To account for this fact, we will check the honesty of a principal in fair traces only, i.e. those obtained by running $S$ according to a fair scheduling algorithm. More precisely, we say that a $\leadsto$-trace $(S_i)_i$ is fair if no single prefix remains fireable in an infinite number of the $S_i$.

Definition 3.4. A principal $A$ is honest in $S$ iff for all maximal fair $\leadsto$-traces $(S_i)_{i \in I}$,
\[
\forall s.\ \exists j \in I.\ \forall i \ge j,\ \vec n,\ C,\ S'.\ \big( S_i \equiv (\vec n)(s[C] \mid S') \implies C \vDash A \big)
\]
In other words, a principal $A$ misbehaves if she is involved in a session $s$ such that the contracts $C$ of $s$ do not settle the obligations of $A$.

Example 3.5. Consider the variation of Ex. 3.1 where the seller is modified as follows:
\[
S = A[(x,b)\ \mathit{tell}_A \downarrow_x ((b\ \mathit{says}\ \mathit{pay}) \rightarrow \mathit{ship}) . \mathit{fuse}_x (A\ \mathit{says}\ \mathit{ship}) . \mathit{do}_x\, \mathit{snakeOil}] \;\mid\; B[(y)\ \mathit{tell}_A \downarrow_y \mathit{pay} . \mathit{ask}_y (B\ \mathit{says}\ \mathit{pay}) . \mathit{do}_y\, \mathit{pay}]
\]
The fraudulent seller $A$ promises to ship, but eventually only provides the buyer with some snake oil. The interaction between $A$ and $B$ leads to a violation:
\[
S \rightarrow^{*} (s)\big(A[0] \mid B[0] \mid s[A\ \mathit{says}\ ((B\ \mathit{says}\ \mathit{pay}) \rightarrow \mathit{ship}),\ A\ \mathit{says}\ !\mathit{snakeOil},\ B\ \mathit{says}\ \mathit{pay},\ B\ \mathit{says}\ !\mathit{pay},\ \ldots]\big)
\]
The buyer has not obtained what he has paid for. Indeed, the seller is dishonest according to Def. 3.4, because the contracts in $s$ entail the promise $A\ \mathit{says}\ \mathit{ship}$, which is not fulfilled by any fact. A judge may thus eventually punish $A$ for her misconduct.

3.5 On protection

We now illustrate some examples where one of the parties is fraudulent.

Example 3.6. Recall Ex. 3.5 and consider a fraudulent seller $A$ which promises in her contract some snake oil. The buyer $B$ is unchanged from that example.
\[
S = A[(x,b)\ \mathit{tell}_A \downarrow_x ((b\ \mathit{says}\ \mathit{pay}) \rightarrow \mathit{snakeOil}) . \mathit{fuse}_x (A\ \mathit{says}\ \mathit{snakeOil}) . \mathit{do}_x\, \mathit{snakeOil}] \;\mid\; B[\ldots]
\]
The interaction between $A$ and $B$ now goes unhappily for $B$: he will pay for some snake oil, and $A$ is not even classified as dishonest according to Def. 3.4: indeed, $A$ has eventually fulfilled all her promises.
\[
S \rightarrow^{*} (s)\big(A[0] \mid B[0] \mid s[A\ \mathit{says}\ !\mathit{snakeOil},\ B\ \mathit{says}\ !\mathit{pay},\ \ldots]\big)
\]

Example 3.7. To protect the buyer from the fraud outlined in Ex. 3.6, we change the contract of the buyer $B$ as follows:
\[
S = A[(x,b)\ \mathit{tell}_A \downarrow_x ((b\ \mathit{says}\ \mathit{pay}) \rightarrow \mathit{snakeOil}) . \mathit{fuse}_x (A\ \mathit{says}\ \mathit{snakeOil}) . \mathit{do}_x\, \mathit{snakeOil}] \;\mid\; B[(a,y)\ \mathit{tell}_A \downarrow_y ((a\ \mathit{says}\ \mathit{ship}) \twoheadrightarrow \mathit{pay}) . \mathit{ask}_y (B\ \mathit{says}\ \mathit{pay}) . \mathit{do}_y\, \mathit{pay}]
\]
Note that we have used the contractual implication $\twoheadrightarrow$ rather than the standard implication $\rightarrow$, which allows $B$ to reach an agreement also with the honest seller contract $(b\ \mathit{says}\ \mathit{pay}) \rightarrow \mathit{ship}$. Instead, the interaction between the above fraudulent seller $A$ and the buyer $B$ will now get stuck on the fuse in $A$, because the available latent contracts do not entail $A\ \mathit{says}\ \mathit{snakeOil}$.

When using contracts-as-processes, a broker can participate in deceiving a principal.

Example 3.8. Consider a simple e-commerce scenario:
\[
S \stackrel{\mathit{def}}{=} A_1[(x)\ \mathit{tell}_B \downarrow_x (\mathit{pay}^+ . \mathit{ship}^-) . \mathit{do}_x\, \mathit{pay}^+ . \mathit{do}_x\, \mathit{ship}^-] \;\mid\; A_2[(y)\ \mathit{tell}_B \downarrow_y (\mathit{pay}^- . (\mathit{ship}^+ + \mathit{fraud}^0)) . \mathit{do}_y\, \mathit{pay}^- . \mathit{do}_y\, \mathit{fraud}^0] \;\mid\; B[(z)\ \mathit{fuse}_z\, \Diamond(\mathit{ship}^+ \vee \mathit{fraud}^0)]
\]
Above, the broker $B$ and $A_2$ dishonestly cooperate and open a session to swindle $A_1$. The principal $A_2$ will be able to fulfil her contract ($C \vDash A_2$), while $A_1$ will never receive her goods. Nevertheless, $A_1$ is considered culpable, because she cannot perform the promised action $\mathit{ship}^-$. In Sect. 3.6 we propose a variant of the contracts-as-processes model allowing principals to protect themselves from such kind of misbehaviour.

Example 3.9. Consider the following formalization of the e-commerce scenario:
\[
S \stackrel{\mathit{def}}{=} A_1[(x,a_2)\ \mathit{tell}_B \downarrow_x (a_2\ \mathit{says}\ \mathit{ship} \twoheadrightarrow \mathit{pay}) . \mathit{ask}_x (A_1\ \mathit{says}\ \mathit{pay}) . \mathit{do}_x\, \mathit{pay}] \;\mid\; A_2[(y,a_1)\ \mathit{tell}_B \downarrow_y (a_1\ \mathit{says}\ \mathit{pay} \twoheadrightarrow (\mathit{ship} \vee \mathit{fraud})) . \mathit{do}_y\, \mathit{fraud}] \;\mid\; B[(z)\ \mathit{fuse}_z\, \phi]
\]
Here, choose $\phi$ so as to cause $A_1$ and $A_2$ to initiate a session (the actual formula is immaterial). In Ex. 3.9, even if a session is established by the dishonest broker, $A_1$ will not pay, and she will not be considered culpable for that. Indeed, the prefix $\mathit{ask}_x (A_1\ \mathit{says}\ \mathit{pay})$ is stuck, because the contracts in the session do not entail any obligation for $A_1$ to pay. For the same reason, $A_1$ will fulfil her contract ($C \vDash A_1$).

In the following example, we show a different flavour of "protection": the principals $A$ and $B$ are not protected by their contracts, but by the trusted escrow service that acts as a broker.

Example 3.10. Recall the scenario in Ex. 2.3. The system is modelled as follows:
\[
\begin{array}{rcl}
S & \stackrel{\mathit{def}}{=} & A[(x)(\mathit{tell}_E \downarrow_x (\mathit{shipE}^+ . \mathit{pay}^-) . \mathit{do}_x\, \mathit{shipE}^+ . \mathit{ask}_x\, \Diamond \mathit{pay}^+ . \mathit{do}_x\, \mathit{pay}^-)] \\[2pt]
& \mid & B[(y)(\mathit{tell}_E \downarrow_y (\mathit{payE}^+ . \mathit{ship}^-) . \mathit{do}_y\, \mathit{payE}^+ . \mathit{ask}_y\, \Diamond \mathit{ship}^+ . \mathit{do}_y\, \mathit{ship}^-)] \\[2pt]
& \mid & E[(z)(\mathit{tell}_E \downarrow_z c_E . \mathit{fuse}_z\, \phi' . P)] \\[6pt]
c_E & \stackrel{\mathit{def}}{=} & \mathit{shipE}^- . \mathit{payE}^- . (\mathit{pay}^+ \mid \mathit{ship}^+) \ +\ \mathit{payE}^- . \mathit{shipE}^- . (\mathit{pay}^+ \mid \mathit{ship}^+)
\end{array}
\]
where $P$ is the obvious realization of $c_E$, and $\phi' = \Diamond(\mathit{shipE}^+ \wedge \Diamond \mathit{pay}^+) \wedge \Diamond(\mathit{payE}^+ \wedge \Diamond \mathit{ship}^+)$. The escrow service guarantees each of the participants $A$ and $B$ that the other party has to fulfil its obligation for the contract to be completed. The system $S$ can perform the wanted interaction:
\[
S \rightarrow^{*} (s)\big(A[0] \mid B[0] \mid E[0] \mid s[0]\big)
\]

3.6 Variants to the basic calculus

Several variants and extensions are germane to CO2. We mention a few below.

Protection for contracts-as-processes. The contracts-as-processes model can be adapted so that CO2 processes can protect themselves from untrusted brokers. In this variant, contractual obligations would derive only from mutually compliant contracts, i.e. $c \vdash \phi$ should hold only when all the (fair) traces of $c$ lead to $0$, in addition to $c \models_{\mathrm{LTL}} \phi$. Similarly, $c \vDash A$ should also hold on non-mutually-compliant $c$, since in this case no obligation arises. With this change, even if a principal $A$ is somehow put in a session with fraudulent parties, $A$ can discover (via ask) that no actual obligation is present, and avoid being swindled.

Contracts-as-processes with explicit sender and receiver. The syntax of contracts-as-processes (Def. 2.2) can be extended so as to make explicit the intended senders/recipients of inputs/outputs (permitting e.g. to clearly state who is paying whom). For this, we could use e.g. $\mathit{pay}^+@B$ as atoms, and adapt the semantics $\xrightarrow{\mu}$ accordingly. Note that the logic for observables $\Phi$ in Def. 2.2 should be adapted as well. Indeed, LTL does not distinguish between actions performed by distinct principals. To this purpose, we would allow $A\ \mathit{says}\ a^+@B$ (and related $a^-$, $a^0$ variants) as prime formulae, so that it is now possible to observe who are the principals involved in an action. Note that the changes discussed above do not alter the general calculus CO2, but merely propose a different contract model.

Local actions. In CO2, agents $A[P]$ only carry latent contracts in $P$. Hence, communication between principals is limited to latent contract exchange. Allowing general data exchange in CO2 can be done in a natural way by following CCP. Basically, $P$ would include CCP constraints $t$, ranging over a constraint system $\langle T, \tilde\vdash \rangle$, a further parameter to CO2. Assume that $A\ \mathit{says}\ t \in T$ for all $t \in T$ and for all $A$. The following rules will augment the semantics of CO2 (the syntax is extended accordingly):
\[
\begin{array}{l}
A[\mathit{tell}_A\, t . P + P' \mid Q] \rightarrow A[A\ \mathit{says}\ t \mid P \mid Q] \\[2pt]
A[\mathit{tell}_B\, t . P + P' \mid Q] \mid B[R] \rightarrow A[P \mid Q] \mid B[A\ \mathit{says}\ t \mid R] \\[2pt]
A[\mathit{ask}_A\, t . P + P' \mid T \mid Q] \rightarrow A[P \mid T \mid Q] \quad \text{provided that } T \,\tilde\vdash\, t
\end{array}
\]
Note that the above semantics does not allow $A$ to corrupt the constraint store of $B$ by augmenting it with arbitrary constraints. Indeed, exchanged data is automatically tagged on reception with the name of the sender. So, in the worst case, a malicious $A$ can only insert garbage $A\ \mathit{says}\ t$ into the constraint store of $B$. This protection is only as strong as the receiver's identification of the sender when it applies the tag: a distributed implementation has to realise the $A\ \mathit{says}$ tag over channels that authenticate $A$.

Retracting latent contracts. A retract primitive could allow a principal $A$ to remove a latent contract of hers after its advertisement. Therefore, $A$ could change her mind until her latent contract is actually used to establish a session, where $A$ is bound to her duties.

Consistency check. The usual check $t$ primitive from CCP, which checks the consistency of the constraint store with $t$, can also be added to CO2. When check $t$ is executed by a principal $A[P]$, $t$ is checked for consistency against the constraints in $P$. Note that checking the whole world would be unfeasible in a distributed system.

Forwarding latent contracts. A forward primitive could allow a broker $A$ to move a latent contract from her environment to that of another broker $B$, without tagging it with $A\ \mathit{says}$. In this way $A$ delegates to $B$ the actual opening of a session.

Remote queries. More primitives to access remote principals could be added. Note however that while it would be easy e.g. to allow $A[\mathit{ask}_B\, t]$ to query the constraints of $B$, this would probably be undesirable for security reasons. Ideally, $B$ should be allowed to express whether $A$ can access his own constraint store. This requires some access control mechanism.

4 Conclusions

We have developed a formal model for reasoning about contract-oriented distributed programs. The overall contribution of this paper is a contract calculus (CO2) that is parametric in the choice of contract model. In CO2, principals can advertise their own contracts, find other principals with compatible contracts, and establish a new multi-party session with those which comply with the global contract. We have set out two crucial issues: how to reach agreements, and how to detect violations. We have presented two concretisations of the abstract contract model. The first is an instance of the contracts-as-processes paradigm, while the second is an instance of the contracts-as-formulae paradigm. As a first step towards relating contracts-as-processes and contracts-as-formulae, we have devised a mapping from contracts based on the logic PCL [3] into CCS-like contracts. One can then use contracts-as-formulae at design time, reason about them using the entailment relation of PCL, and then concretise them to contracts-as-processes through the given mapping. Theorem 2.7 guarantees that contracts-as-processes can reach success in those cases in which an agreement would be possible in the logic model, hence providing a connection between the two worlds.

Acknowledgments. This work has been partially supported by Autonomous Region of Sardinia Project L.R. 7/2007 TESLA, by PRIN Project SOFT (Tecniche Formali Orientate alla Sicurezza) and by the Leverhulme Trust Programme Award "Tracing Networks".

References

[1] Alexander Artikis, Marek J. Sergot & Jeremy V. Pitt (2009): Specifying norm-governed computational societies. ACM Trans. Comput. Log. 10(1), doi:10.1145/1459010.1459011.
[2] Massimo Bartoletti & Roberto Zunino (2009): A logic for contracts. Technical Report DISI-09-034, DISI - Università di Trento.
[3] Massimo Bartoletti & Roberto Zunino (2010): A Calculus of Contracting Processes. In: LICS, doi:10.1109/LICS.2010.25.
[4] Massimo Bartoletti & Roberto Zunino (2010): Primitives for Contract-based Synchronization. In: ICE.
[5] Laura Bocchi, Kohei Honda, Emilio Tuosto & Nobuko Yoshida (2010): A theory of design-by-contract for distributed multiparty interactions. In: CONCUR, doi:10.1007/978-3-642-15375-4_12.
[6] Mario Bravetti & Gianluigi Zavattaro (2007): Towards a Unifying Theory for Choreography Conformance and Contract Compliance. In: Software Composition, doi:10.1007/978-3-540-77351-1_4.
[7] Maria Grazia Buscemi & Hernán C. Melgratti (2007): Transactional Service Level Agreement. In: TGC, doi:10.1007/978-3-540-78663-4_10.
[8] Maria Grazia Buscemi & Ugo Montanari (2007): CC-Pi: A Constraint-Based Language for Specifying Service Level Agreements. In: ESOP, doi:10.1007/978-3-540-71316-6_3.
[9] Felice Cardone (2011): The geometry and algebra of commitment. In: Ludics, dialogue and interaction.
[10] Samuele Carpineti & Cosimo Laneve (2006): A Basic Contract Language for Web Services. In: ESOP, doi:10.1007/11693024_14.
[11] Giuseppe Castagna, Nils Gesbert & Luca Padovani (2009): A theory of contracts for Web services. ACM Transactions on Programming Languages and Systems 31(5), doi:10.1145/1538917.1538920.
[12] Giuseppe Castagna & Luca Padovani (2009): Contracts for Mobile Processes. In: Proc. CONCUR, doi:10.1007/978-3-642-04081-8_15.
[13] Mario Coppo & Mariangiola Dezani-Ciancaglini (2008): Structured Communications with Concurrent Constraints. In: TGC, doi:10.1007/978-3-642-00945-7_7.
[14] E. Allen Emerson (1990): Temporal and Modal Logic. In: Handbook of Theoretical Computer Science, Volume B: Formal Models and Semantics (B), North-Holland Pub. Co./MIT Press.
[15] Gian Luigi Ferrari & Alberto Lluch-Lafuente (2006): A Logic for Graphs with QoS. ENTCS 142, doi:10.1016/j.entcs.2004.10.030.
[16] Deepak Garg & Martín Abadi (2008): A Modal Deconstruction of Access Control Logics. In: FoSSaCS, doi:10.1007/978-3-540-78499-9_16.
[17] Kohei Honda, Vasco T. Vasconcelos & Makoto Kubo (1998): Language Primitives and Type Disciplines for Structured Communication-based Programming. In: ESOP, doi:10.1007/BFb0053567.
[18] Kohei Honda, Nobuko Yoshida & Marco Carbone (2008): Multiparty asynchronous session types. In: POPL, doi:10.1145/1328438.1328472.
[19] Ashley McNeile (2010): Protocol contracts with application to choreographed multiparty collaborations. SOCA 4, doi:10.1007/s11761-010-0060-9.
[20] Robin Milner (1989): Communication and concurrency. Prentice-Hall, Inc.
[21] Cristian Prisacariu & Gerardo Schneider (2007): A Formal Language for Electronic Contracts. In: FMOODS, doi:10.1007/978-3-540-72952-5_11.
[22] Vijay Saraswat, Prakash Panangaden & Martin Rinard (1991): Semantic Foundations of Concurrent Constraint Programming. In: POPL, doi:10.1145/99583.99627.
[23] Anne Troelstra & Dirk van Dalen (1988): Constructivism in Mathematics, vol. 1. North-Holland.
