An Event-Based Approach to Runtime Adaptation in - - PowerPoint PPT Presentation

SLIDE 1

An Event-Based Approach to Runtime Adaptation in Communication-Centric Systems

Jorge A. Pérez, University of Groningen (NL)
Joint work with Cinzia Di Giusto, Université de Nice Sophia-Antipolis (FR)
11th International Workshop on Web Services and Formal Methods (WS-FM)
Eindhoven, September 12th, 2014

Event-Based Adaptation in Communication-Centric Systems

  • J. A. Pérez (Groningen)

SLIDE 2

A Model of Communication With Adaptation

[Figure: model of communication with adaptation; labels: Communication, External request, Internal request, Adaptation]

SLIDE 3

A Challenge

  • Distributed software systems are inherently communication-centric. As they run on open-ended platforms, they’re subject to requirements of runtime adaptation.
  • Session-based concurrency: a type-based approach to correctness of interacting software artifacts:
      ⋆ dialogues are structured into sessions
      ⋆ interaction patterns are abstracted as session types
      ⋆ types are checked against specifications [usually, π-calculus processes]
  • Session frameworks are useful to certify correct structured communications, but inadequate to handle runtime adaptation.

Q1: Can we conciliate session correctness with expressive mechanisms for runtime adaptation?

SLIDE 4

Yes We Can!

A First Answer: [Di Giusto and Pérez - SAC’13]

  • Organize your process specification into distributed locations
  • Define adaptation routines targeted to location names
  • Keep track of the open sessions in each location
  • Allow runtime adaptation only on locations without open sessions

+ Rich forms of adaptation, disciplined by types
+ Syntax of session types is kept unchanged
+ Typing ensures consistency: running sessions are never jeopardized
− External/unsolicited adaptation requests hard to express
− Precludes “hot updates” in the middle of an established session

Q2: Can we do better?

SLIDE 5

Yes We Can! (bis)

This Work: A Second Answer

  • Organize your process specification into distributed locations
  • Define adaptation routines targeted to location names
  • Keep track of the current protocol state for each open session
  • Runtime adaptation using type-directed checks on protocol states

Main features:
+ Rich forms of adaptation, disciplined by types
+ Syntax of session types is kept unchanged
+ Typing ensures consistency: running sessions are never jeopardized

Adaptation requests are made explicit via adaptation events. An event detector may then be used to trigger adaptation routines.
Enables consistent “hot updates” for sessions

SLIDE 6

This Work

A typed framework for binary sessions with runtime adaptation. A session π-calculus with transparent locations, enhanced with:

  • adaptation signals/events and location queues (“how”)
  • event detectors on expressions (“when”)
  • monitors and type update processes (“what”)

We retain a standard session type syntax, considering subtyping. A type system ensures safety and consistency. Well-typed programs:

  • do not exhibit communication errors (e.g., mismatched messages)
  • do not allow adaptation steps that disrupt established sessions

SLIDE 7

Session Types: Syntax

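A standard syntax for binary session types [cf. Honda et al.’98]:

$$
\begin{array}{rcll}
\alpha, \beta & ::= & ?(T).\beta & \text{input a } T\text{, continue as } \beta \\
& \mid & !(T).\beta & \text{output a } T\text{, continue as } \beta \\
& \mid & \&\{n_1{:}\alpha_1 \ldots n_m{:}\alpha_m\} & \text{branching (external choice)} \\
& \mid & \oplus\{n_1{:}\alpha_1 \ldots n_m{:}\alpha_m\} & \text{selection (internal choice)} \\
& \mid & \mu t.\alpha \;\mid\; t & \text{recursive session} \\
& \mid & \varepsilon & \text{terminated session}
\end{array}
$$

where $T$ stands for basic types (e.g., booleans) and session types $\alpha$.

  • Example. The session type for a client:

$$\alpha = {!}\mathsf{item}.\ {?}\mathsf{amnt}.\ \alpha_{\mathsf{pay}}$$

where $\mathsf{item}$ and $\mathsf{amnt}$ are base types and

$$\alpha_{\mathsf{pay}} = \oplus\{\mathsf{addItem} : \oplus\{\mathsf{ccard} : \alpha_{\mathsf{cc}},\ \mathsf{payp} : \alpha_{\mathsf{pp}}\},\ \mathsf{cancel} : \varepsilon\}.$$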

SLIDE 8

Session Types: Duality

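  • To ensure protocol compatibility and absence of communication errors, the session types of two interacting partners should be dual.
  • Intuition: every action from one partner must be matched by a complementary action from the other.
  • Example. The following session types are dual:

$$
\begin{array}{rcl}
\alpha & = & {!}\mathsf{item}.\ {?}\mathsf{amnt}.\ \oplus\{\mathsf{addItem} : \oplus\{\mathsf{ccard} : \alpha_{\mathsf{cc}},\ \mathsf{payp} : \alpha_{\mathsf{pp}}\},\ \mathsf{cancel} : \varepsilon\} \\
\beta & = & {?}\mathsf{item}.\ {!}\mathsf{amnt}.\ \&\{\mathsf{addItem} : \&\{\mathsf{ccard} : \beta_{\mathsf{cc}},\ \mathsf{payp} : \beta_{\mathsf{pp}}\},\ \mathsf{cancel} : \varepsilon\}
\end{array}
$$

This is written $\alpha \perp_C \beta$.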

SLIDE 9

Session Types: Subtyping

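  • Subtyping $\leq_C$ on session types formalizes a principle of safe substitution for typed processes [Gay and Hole’05].
  • Example. Consider the session type:

$$\beta_{\mathsf{pay}} = \&\{\mathsf{addItem} : \&\{\mathsf{ccard} : \beta_{\mathsf{cc}},\ \mathsf{payp} : \beta_{\mathsf{pp}}\},\ \mathsf{cancel} : \varepsilon\}$$

An extended interface:

$$\beta_{\mathsf{gift}} = \&\{\mathsf{addItem} : \&\{\mathsf{giftc} : \beta_{\mathsf{gc}},\ \mathsf{ccard} : \beta_{\mathsf{cc}},\ \mathsf{payp} : \beta_{\mathsf{pp}}\},\ \mathsf{cancel} : \varepsilon\}$$

An implementation of $\beta_{\mathsf{pay}}$ can be safely replaced with one of $\beta_{\mathsf{gift}}$ (but not the other way around). This is written $\beta_{\mathsf{pay}} \leq_C \beta_{\mathsf{gift}}$.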
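An added example (not from the slides): a Python checker for duality and for the subtyping direction shown above, restricted to finite session types. The tuple encoding, the equality test on payload types, and taking the unspecified continuations (β_cc, β_pp, β_gc) to be the terminated type are assumptions of this sketch; the selection case follows Gay and Hole's rule, which mirrors the branching case on the slide.

```python
# Finite binary session types as nested tuples (recursion is left out):
#   ("in", T, S)  is ?(T).S         ("out", T, S)  is !(T).S
#   ("branch", {label: S})  is &{...}   ("select", {label: S})  is ⊕{...}
#   "end"  is the terminated session ε
END = "end"

def dual(s):
    """Swap input/output and branching/selection at every step."""
    if s == END:
        return END
    kind = s[0]
    if kind in ("in", "out"):
        return ("out" if kind == "in" else "in", s[1], dual(s[2]))
    flipped = "select" if kind == "branch" else "branch"
    return (flipped, {label: dual(cont) for label, cont in s[1].items()})

def subtype(s, t):
    """s <=_C t on finite types, in the direction used on the slide."""
    if s == END or t == END:
        return s == t
    if s[0] != t[0]:
        return False
    kind = s[0]
    if kind in ("in", "out"):
        # Assumption: payload types are compared by equality only.
        return s[1] == t[1] and subtype(s[2], t[2])
    # Branching: s offers a subset of t's labels (beta_pay <= beta_gift).
    # Selection: the inclusion is reversed, so t's labels must be in s.
    required, offered = (s[1], t[1]) if kind == "branch" else (t[1], s[1])
    return all(l in offered and subtype(s[1][l], t[1][l]) for l in required)

# Constructed sample: the slide's payment types with every unspecified
# continuation (beta_cc, beta_pp, beta_gc and their duals) set to END.
def pay(kind, methods):
    return (kind, {"addItem": (kind, {m: END for m in methods}), "cancel": END})

BETA_PAY = pay("branch", ["ccard", "payp"])
BETA_GIFT = pay("branch", ["giftc", "ccard", "payp"])
ALPHA = ("out", "item", ("in", "amnt", pay("select", ["ccard", "payp"])))
BETA = ("in", "item", ("out", "amnt", BETA_PAY))
```

Duality reverses the subtyping order, so the dual of the extended interface is a subtype of the dual of the original one.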

SLIDE 10

Process Syntax (1): Base Language

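$$
\begin{array}{rcll}
e & ::= & v \mid x, y, z \mid k = k \mid a = a & \text{expressions} \\
P & ::= & u(x : \alpha).P \;\mid\; u(x : \alpha).P & \text{session request / acceptance} \\
& \mid & k(e).P \;\mid\; k(x).P & \text{data output / input} \\
& \mid & k \rhd n; P \;\mid\; k \lhd \{n_i{:}P_i\}_{i \in I} & \text{selection / branching} \\
& \mid & \mu X.P \;\mid\; X & \text{recursion / rec. variable} \\
& \mid & P \mid P \;\mid\; & \text{composition / inaction} \\
& \mid & (\nu\kappa)P \;\mid\; (\nu u)P & \text{channel / name hiding} \\
& \mid & \mathsf{if}\ e\ \mathsf{then}\ P\ \mathsf{else}\ Q & \text{conditional} \\
& \mid & \mathsf{close}\,(k).P & \text{session closure}
\end{array}
$$

  • Example. A process specification of a client:

$$P = u(x : \alpha).x(\mathsf{book}).x(a).\ \mathsf{if}\ a < 50\ \mathsf{then}\ x \rhd \mathsf{addItem};\ x \rhd \mathsf{ccard};\ R_b\ \mathsf{else}\ x \rhd \mathsf{cancel};\ R_c$$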

SLIDE 11

Process Syntax (2): Full Language

  • 1. Located processes, using transparent, nested locations:

$\mathsf{loc}[P]$   “process $P$ resides at $\mathsf{loc}$”

  • 2. Typeful update processes:

$$\mathsf{loc}\big\{\mathsf{case}\ x_1, \ldots, x_m\ \mathsf{of}\ \{(x_1{:}\beta^i_1; \cdots; x_m{:}\beta^i_m) : Q_i\}_{i \in I}\big\}$$

  • 3. Session monitors, runtime entities (given a session channel $k$):

$k\lfloor\alpha\rfloor$   “type $\alpha$ denotes the current protocol state for $k$”

  • 4. Adaptation events and queues (given an adaptation request $r$):

$\mathsf{loc}(r)$   $\mathsf{loc}\lfloor r \rfloor$

  • 5. Arrival predicate in expressions—an event detector:

$\mathsf{arrive}(\mathsf{loc}, r)$

SLIDE 12

Example: A Distributed Buyer / Seller

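  • Explicit distribution using locations sys, buyer, and seller:

$$W = \mathsf{sys}\big[\,\mathsf{buyer}\big[u(x : \alpha).P\big] \mid \mathsf{seller}\big[u(y : \beta).Q\big]\,\big]$$

  • A typeful adaptation routine with two possibilities:

$$
U_{xy} = \mathsf{sys}\Big\{\mathsf{case}\ x, y\ \mathsf{of}\ \Big\{
\begin{array}{l}
(x{:}\alpha\ ;\ y{:}\beta) : \mathsf{buyer}[R] \mid \mathsf{seller}[Q] \\
(x{:}\alpha_{\mathsf{pay}}\ ;\ y{:}\beta_{\mathsf{pay}}) : \mathsf{buyer}[P^*] \mid \mathsf{seller}[Q^*]
\end{array}
\Big\}\Big\}
$$

  • A persistent adaptation routine, based on external request $\mathsf{upd}_E$:

$$U^*_{xy} = \mu X.\ \mathsf{if}\ \mathsf{arrive}(\mathsf{sys}, \mathsf{upd}_E)\ \mathsf{then}\ U_{xy}\ \mathsf{else}\ X$$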

SLIDE 13

Process Semantics: Key Ideas

  • A reduction semantics based on synchronous communication.
  • Contexts C, D, . . . used to handle nested, transparent locations.
  • Synchronization on names leads to session establishment:
      ⋆ A fresh session polarized channel $\kappa^p$ is generated for each endpoint.
      ⋆ A monitor on $\kappa^p$ is put in parallel with the type for each endpoint.
  • Session synchronizations are enabled by the types in the monitors.
  • Adaptation requires matching (up to subtyping $\leq_C$) between declared types and current protocol state.

SLIDE 14

Reduction Semantics: Some Rules (1)

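  • Session establishment (with $\alpha \perp_C \beta$):

$$
C\big[u(x : \alpha).P\big] \mid D\big[u(y : \beta).Q\big]
\;\longrightarrow\;
(\nu\kappa)\Big( C\big[P[\kappa^{p}/x] \mid \kappa^{p}\lfloor\alpha\rfloor\big] \mid D\big[Q[\kappa^{\overline{p}}/y] \mid \kappa^{\overline{p}}\lfloor\beta\rfloor\big] \Big)
$$

where $p$ and $\overline{p}$ denote opposing polarities.

  • Session communication:

$$
C\big[\kappa^{p}(v).P \mid \kappa^{p}\lfloor !(T).\alpha\rfloor\big] \mid D\big[\kappa^{\overline{p}}(x).Q \mid \kappa^{\overline{p}}\lfloor ?(T).\beta\rfloor\big]
\;\longrightarrow\;
(\nu\kappa)\Big( C\big[P \mid \kappa^{p}\lfloor\alpha\rfloor\big] \mid D\big[Q[v/x] \mid \kappa^{\overline{p}}\lfloor\beta\rfloor\big] \Big)
$$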
SLIDE 15

Reduction Semantics: Some Rules (2)

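  • A typeful update on location loc:

$$
\dfrac{
\begin{array}{c}
\mathsf{fc}(P) = \{\kappa^{p}_1, \ldots, \kappa^{p}_m\} \qquad \forall j \in [1, .., m].\,(\kappa^{p}_j\lfloor\alpha_j\rfloor \in P) \\[4pt]
(V = P) \quad \exists l.\,\Big( \mathsf{match}_I\big(l, \{\alpha_1, \ldots, \alpha_m\}, \{\beta^i_1, \ldots, \beta^i_m\}_{i \in I}\big) \,\wedge\, V = Q_l[\kappa^{p}_1, \ldots, \kappa^{p}_m / x_1, \ldots, x_m] \Big)
\end{array}
}{
C\big[\mathsf{loc}[P]\big] \mid D\big[\mathsf{loc}\big\{\mathsf{case}\ x\ \mathsf{of}\ \{(x_1{:}\beta^i_1; \cdots; x_m{:}\beta^i_m) : Q_i\}_{i \in I}\big\}\big]
\;\longrightarrow\;
C\big[\mathsf{loc}[V]\big] \mid D\big[\ \big]
}
$$

  • Intuitively, match enforces monotonic adaptation, using $\leq_C$.
  • Impossibility of matching leaves the location as it is (no update)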

SLIDE 16

Reduction Semantics: Some Rules (3)

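  • Adaptation Request:

$$
C\big[\mathsf{loc}\lfloor r_1 \rfloor\big] \mid D\big[\mathsf{loc}(r)\big]
\;\longrightarrow\;
C\big[\mathsf{loc}\lfloor r_1 \cdot r \rfloor\big] \mid D\big[\ \big]
$$

  • Arrival Predicate:

$$
\dfrac{r = r_1 \cdot r_0}{
C\big[E[\mathsf{arrive}(\mathsf{loc}, r_1)]\big] \mid D\big[\mathsf{loc}\lfloor r \rfloor\big]
\;\longrightarrow\;
C\big[E[\mathsf{true}]\big] \mid D\big[\mathsf{loc}\lfloor r_0 \rfloor\big]
}
$$

$$
\dfrac{(r = r_2 \cdot r_0 \,\wedge\, r_1 \neq r_2) \,\vee\, r = \epsilon}{
C\big[E[\mathsf{arrive}(\mathsf{loc}, r_1)]\big] \mid D\big[\mathsf{loc}\lfloor r \rfloor\big]
\;\longrightarrow\;
C\big[E[\mathsf{false}]\big] \mid D\big[\mathsf{loc}\lfloor r \rfloor\big]
}
$$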
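An added example (not from the slides): the adaptation-request and arrival-predicate rules above, modelled in Python as one FIFO queue per location, with detectors of the form µX. if arrive(loc, r) then U else X polled round-robin. The class and function names, the request updI and the routine labels are constructed for illustration; sys and updE are the slides' own.

```python
from collections import deque

class Locations:
    """FIFO queue of pending adaptation requests for each location."""

    def __init__(self):
        self.queues = {}

    def request(self, loc, r):
        # Adaptation Request rule: loc(r) appends r to the queue at loc.
        self.queues.setdefault(loc, deque()).append(r)

    def arrive(self, loc, r):
        # Arrival Predicate rules: true only when r is the head of the
        # queue, and then the head is consumed; a different head or an
        # empty queue gives false and leaves the queue untouched.
        q = self.queues.get(loc)
        if q and q[0] == r:
            q.popleft()
            return True
        return False

def run_detectors(locs, detectors):
    """Poll detectors (loc, r, routine) until none of them can fire.
    Each models  muX. if arrive(loc, r) then U else X : it keeps waiting
    while arrive is false and becomes U once arrive is true.
    Returns the routines in firing order and the detectors still waiting."""
    waiting, fired, progress = list(detectors), [], True
    while progress:
        progress = False
        for det in list(waiting):
            loc, r, routine = det
            if locs.arrive(loc, r):
                waiting.remove(det)
                fired.append(routine)
                progress = True
    return fired, waiting

def demo():
    # Constructed trace: updI and the labels U_int / U_xy are hypothetical.
    locs = Locations()
    for r in ("updI", "updE", "updE"):
        locs.request("sys", r)
    detectors = [("sys", "updE", "U_xy"), ("sys", "updI", "U_int")]
    fired, waiting = run_detectors(locs, detectors)
    return fired, waiting, list(locs.queues["sys"])
```

Because arrive inspects only the head of the queue, the detector for updE stays blocked until updI has been consumed, and the second updE remains queued because no detector is left to consume it.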

SLIDE 17

Example

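Recall:

$$
\alpha = {!}\mathsf{item}.\ {?}\mathsf{amnt}.\ \alpha_{\mathsf{pay}}
\qquad
\beta = {?}\mathsf{item}.\ {!}\mathsf{amnt}.\ \beta_{\mathsf{pay}}
\qquad
W = \mathsf{sys}\big[\,\mathsf{buyer}\big[u(x : \alpha).P\big] \mid \mathsf{seller}\big[u(y : \beta).Q\big]\,\big]
$$

Then we have:

$$
\begin{array}{rcl}
W & \longrightarrow & (\nu\kappa)\Big( \mathsf{sys}\big[\,\mathsf{buyer}\big[P[\kappa^{p}/x] \mid \kappa^{p}\lfloor\alpha\rfloor\big] \mid \mathsf{seller}\big[Q[\kappa^{\overline{p}}/y] \mid \kappa^{\overline{p}}\lfloor\beta\rfloor\big]\,\big] \Big) \\
& \longrightarrow^{2} & (\nu\kappa)\Big( \mathsf{sys}\big[\,\mathsf{buyer}\big[P' \mid \kappa^{p}\lfloor\alpha_{\mathsf{pay}}\rfloor\big] \mid \mathsf{seller}\big[Q' \mid \kappa^{\overline{p}}\lfloor\beta_{\mathsf{pay}}\rfloor\big]\,\big] \Big) = W'
\end{array}
$$

Process $W'$ may synchronize with the following update process:

$$
\mathsf{sys}\Big\{\mathsf{case}\ x, y\ \mathsf{of}\ \big\{(x{:}\alpha_{\mathsf{pay}}\ ;\ y{:}\beta_{\mathsf{pay}}) : \mathsf{buyer}\big[P' \mid x\lfloor\alpha_1\rfloor\big] \mid \mathsf{seller}\big[Q'' \mid y\lfloor\beta_1\rfloor\big]\big\}\Big\}
$$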
SLIDE 18

Type System: Key Ideas

Derived guarantees:

  • adherence of processes to ascribed session protocols
  • correct use of monitors attached to sessions
  • conformance of adaptation routines to the declared types
  • consistency of adaptation steps with respect to established sessions

SLIDE 19

Type System: Environments and Judgments

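  • The type system includes an interface $I$. It describes the services $u(x{:}\alpha)$ and $u(y{:}\alpha)$ declared in a process.
  • Typing environments ($q$ ranges over type qualifiers lin and un):

$$
\begin{array}{lrcl}
\text{Sessions} & \Delta & ::= & \emptyset \mid \Delta, k : \alpha \mid \Delta, k : \lfloor\alpha\rfloor \\
\text{FO environment} & \Gamma & ::= & \emptyset \mid \Gamma, e : \tau \mid \Gamma, u : \alpha_q, \beta_q \quad (\alpha_q \perp_C \beta_q) \\
\text{HO environment} & \Theta & ::= & \emptyset \mid \Theta, X : \Delta; I \mid \Theta, \mathsf{loc} : I
\end{array}
$$

  • A type judgment is of form

$$\Gamma; \Theta \vdash P \lhd \Delta; I$$

Under $\Gamma$ and $\Theta$, process $P$ has active sessions $\Delta$ and interface $I$.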

SLIDE 20

Type System: Sample Rules

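$$
\dfrac{\Theta \vdash \mathsf{loc} \lhd I \qquad \Gamma; \Theta \vdash P \lhd \Delta; I' \qquad I' \sqsubseteq I}{\Gamma; \Theta \vdash \mathsf{loc}[P] \lhd \Delta; I'}
$$

$$
\dfrac{
\Theta \vdash \mathsf{loc} \lhd I \qquad \forall j \in J,\ \mathsf{fv}(Q_j) \setminus \{x_1, \ldots, x_m\} = \emptyset \qquad \Gamma; \Theta \vdash Q_j \lhd x_1{:}\beta^j_1; \cdots; x_m{:}\beta^j_m; I_j \qquad I_j \sqsubseteq I
}{
\Gamma; \Theta \vdash \mathsf{loc}\big\{\mathsf{case}\ x\ \mathsf{of}\ \{(x_1{:}\beta^j_1; \cdots; x_m{:}\beta^j_m) : Q_j\}_{j \in J}\big\} \lhd \emptyset; \emptyset
}
$$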

SLIDE 21

Main Results

  • $P$ is an error if it contains unmatched prefixes on some session channel. $P$ is safe if it does not reduce into an error.
  • $P$ is consistent if adaptation steps do not affect its potential for reductions.

Theorem (Subject Reduction)

If $\Gamma; \Theta \vdash P \lhd \Delta; I$ with $\Delta$ balanced and $P \longrightarrow Q$ then $\Gamma; \Theta \vdash Q \lhd \Delta'; I'$, for some $I'$ and balanced $\Delta'$.

A program is a process without free elements.

Theorem (Typing Ensures Safety and Consistency)

Let $P$ be a program. If $\Gamma; \Theta \vdash P \lhd \Delta; I$ with $\Delta$ balanced then $P$ is consistent and safe.

SLIDE 22

Related Work

  • Kouzapas et al: typecase and event detectors for binary sessions. Type-directed checks on a single session, not aimed at adaptation.
  • Several related efforts on adaptation for multiparty communications (Bravetti et al, Dalla Preda et al, Coppo et al, Castellani et al, ...)
      ⋆ The distinction between internal/external adaptation requests is implicit at best.
      ⋆ The use of adaptation events, event detectors, and type-directed checks appears original to this work.

SLIDE 23

Concluding Remarks

  • A session framework with runtime adaptation
  • Key novelties: adaptation requests as events, event detectors, update processes based on type-directed checks, runtime monitors

  • Enhanced expressiveness: ongoing sessions can be adapted
  • Typing ensures communication safety and consistency

Future Work

  • Extension to multiparty communication with asynchrony
  • Integration of access control and information flow guarantees
  • Trust and partial typing [Hennessy and Riely’99], reputation tracking
  • A communication model based on compartments (cf. first slide)
  • Validation — a formal semantics for BPMN-like standards?
