Compliance and testing preorders differ Giovanni Bernardi, Matthew - - PowerPoint PPT Presentation

Compliance and testing preorders differ

Giovanni Bernardi, Matthew Hennessy

TRINITY COLLEGE DUBLIN

COL ´

AISTE NA TR´ ION ´ OIDE, BAILE ´

ATHA CLIATH Compliance and testing preorders differ 1

Why preorders?

formalisms for web services, 2006 onwards

Client/server setting interactions satisfy clients

(server satisfaction disregarded)

client server

||

Scenario:

◮ server p satisfies a client r (complies, must, should, . . . ) ◮ server p′ better than server p

p ⊑ p′

• bjects of study

Many approaches...

Aims: equivalences, flexibility (subtyping), applications

Precise comparison

Compliance and testing preorders differ 2

satisfies

Must testing

greatest relation st

server

p must r

client

whenever

Compliance

greatest relation st

client

r ⊣ p

server

whenever

r reaches in maximal computations

• f r || p,

r || p

τ

− → r1 || p1

τ

− → . . .

τ

− →

• −

→ rk || pk

τ

− →

a) p ⇑ implies r

• −

→ b) r || p

τ

• −

→ implies r

• −

→ c) r || p

τ

− → r ′ || p′ implies r ′ ⊣ p′

Compliance and testing preorders differ 3

satisfies

Must testing

greatest relation st

server

p must r

client

whenever

Compliance

greatest relation st

client

r ⊣ p

server

whenever

r reaches in maximal computations

• f r || p,

r || p

τ

− → r1 || p1

τ

− → . . .

τ

− →

• −

→ rk || pk

τ

− →

a) p ⇑ implies r

• −

→ b) r || p

τ

• −

→ implies r

• −

→ c) r || p

τ

− → r ′ || p′ implies r ′ ⊣ p′

r

a τ

• must

p

a

livelocks

:-( r

a τ

⊣

p

a

livelocks

:-)

Compliance and testing preorders differ 4

Server preorders ( ≤ )

Standard definitions

p1 ❁ ∼

tst

svr p2 if p1 must r implies p2 must r

for every client r

p1 ⊑cpl

svr p2 if

r ⊣ p1 implies r ⊣ p2

for every client r

❁ ∼

tst

svr

Must server preorder (30 years old)

De Nicola, Hennessy; Cleaveland, Hennessy

◮ behavioural characterisation ◮ axiomatisation ◮ decidable

⊑cpl

svr

Compliance server preorder (toplas 2009, tcs 2010)

Castagna at el.; Padovani

◮ filters, orchestrators ◮ weak subcontract

Compliance and testing preorders differ 5

How similar are testing and compliance theories?

Partial standpoint! Why, aren’t clients out there? ≤ ≤

Compliance and testing preorders differ 6

Client preorders ( ≤ )

Obvious definitions

r1 ❁ ∼

tst

clt r2 if p must r1 implies p must r2

for every server p

r1 ⊑cpl

clt r2 if

r1 ⊣ p implies r2 ⊣ p

for every server p

❁ ∼

tst

clt

Must client preorder (concur 2013)

Bernardi, Hennessy

◮ behavioural characterisation ◮ axiomatisation

⊑cpl

clt

Compliance client preorder (ppdp 2010, sac 2012)

Barbanera, De’Liguoro; Bernardi, Hennessy

◮ used to model first-order session types

full abstraction

⊑cpl

svr ∩ ⊑cpl clt ∼

= gh

Compliance and testing preorders differ 7

Testing theory Compliance theory

❁ ∼

tst

svr, ❁

∼

tst

clt

⊑cpl

svr, ⊑cpl clt

How similar are testing and compliance theories? ❁ ∼

tst

svr

?

= ⊑cpl

svr,

❁ ∼

tst

clt

?

= ⊑cpl

clt

Answer depends on the language

• 1. General CCS1 (infinite branching, divergent processes)
• 2. Contracts for web services (finite branching, strongly convergent processes)
• 3. Finite CCS1 (no livelocks)
• 4. Finite session behaviours (∼ finite GH session types)

Compliance and testing preorders differ 8

General CCS1

Infinite branching, divergent processes

Server preorders not comparable ⊑cpl

svr ⊆ ❁

∼

tst

svr ❁

∼

tst

svr ⊆ ⊑cpl svr

Compliance and testing preorders differ 9

General CCS1

Infinite branching, divergent processes

Server preorders not comparable ⊑cpl

svr ⊆ ❁

∼

tst

svr

❁ ∼

tst

svr ⊆ ⊑cpl svr

p p1 p2 . . .

a a a a a a a

⊑cpl

svr

q

a

p p1 p2 . . .

a a a a a a a

❁ ∼

tst

svr

q

a

Compliance and testing preorders differ 10

General CCS1

Infinite branching, divergent processes

Server preorders not comparable ⊑cpl

svr ⊆ ❁

∼

tst

svr

❁ ∼

tst

svr ⊆ ⊑cpl svr

p p1 p2 . . .

a a a a a a a

⊑cpl

svr

q

a

p p1 p2 . . .

a a a a a a a

❁ ∼

tst

svr

q

a Let r ⊣ p r || q = ⇒ r ′ || q

τ

• −

→ r || p = ⇒ r ′ || p′

τ

• −

→, so r ′

• −

→

livelocks

:-)

Compliance and testing preorders differ 11

General CCS1

Infinite branching, divergent processes

Server preorders not comparable ⊑cpl

svr ⊆ ❁

∼

tst

svr

❁ ∼

tst

svr ⊆ ⊑cpl svr

p p1 p2 . . .

a a a a a a a

⊑cpl

svr

q

a

p p1 p2 . . .

a a a a a a a

❁ ∼

tst

svr

q

a Let r ⊣ p

r 1

a τ

• r || q =

⇒ r ′ || q

τ

• −

→ r || p = ⇒ r ′ || p′

τ

• −

→, so r ′

• −

→

p must r q

• must r

livelocks

:-)

livelocks

:-(

Compliance and testing preorders differ 12

General CCS1

Infinite branching, divergent processes

Server preorders not comparable ⊑cpl

svr ⊆ ❁

∼

tst

svr

❁ ∼

tst

svr ⊆ ⊑cpl svr

Ω

τ ❁ ∼

tst

svr

p

a

Ω

τ ⊑cpl

svr

p

a

Compliance and testing preorders differ 13

General CCS1

Infinite branching, divergent processes

Server preorders not comparable ⊑cpl

svr ⊆ ❁

∼

tst

svr

❁ ∼

tst

svr ⊆ ⊑cpl svr

Ω

τ ❁ ∼

tst

svr

p

a

Ω

τ ⊑cpl

svr

p

a

Let Ω must r; r

• −

→ p must r

livelocks

:-(

Compliance and testing preorders differ 14

General CCS1

Infinite branching, divergent processes

Server preorders not comparable ⊑cpl

svr ⊆ ❁

∼

tst

svr

❁ ∼

tst

svr ⊆ ⊑cpl svr

Ω

τ ❁ ∼

tst

svr

p

a

Ω

τ ⊑cpl

svr

p

a

Let Ω must r; r

• −

→

r

a

• p must r

r ⊣ Ω r ⊣ p

livelocks

:-(

livelocks

:-)

Compliance and testing preorders differ 15

General CCS1

Infinite branching, divergent processes

Server preorders not comparable ⊑cpl

svr ⊆ ❁

∼

tst

svr

❁ ∼

tst

svr ⊆ ⊑cpl svr

Ω

τ ❁ ∼

tst

svr

p

a

Ω

τ ⊑cpl

svr

p

a

Let Ω must r; r

• −

→

r

a

• p must r

r ⊣ Ω r ⊣ p

axiom

(BOT) Ω ≤ x (BOT) not sound for ⊑cpl

svr

livelocks

:-(

livelocks

:-)

Compliance and testing preorders differ 16

General CCS1

Infinite branching, divergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt ❁

∼

tst

clt ⊆ ⊑cpl clt

Compliance and testing preorders differ 17

General CCS1

Infinite branching, divergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

Ω

τ ❁ ∼

tst

clt

Ω

τ ⊑cpl

clt

Compliance and testing preorders differ 18

General CCS1

Infinite branching, divergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

Ω

τ ❁ ∼

tst

clt

Ω

τ ⊑cpl

clt

p

• must Ω for every p

livelocks

:-(

Compliance and testing preorders differ 19

General CCS1

Infinite branching, divergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

Ω

τ ❁ ∼

tst

clt

Ω

τ ⊑cpl

clt

p

• must Ω for every p

Ω ⊣ 0 0 ⊣ 0

livelocks

:-(

livelocks

:-)

Compliance and testing preorders differ 20

General CCS1

Infinite branching, divergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

Ω

τ ❁ ∼

tst

clt

Ω

τ ⊑cpl

clt

p

• must Ω for every p

Ω ⊣ 0 0 ⊣ 0

axiom

(BOT) Ω ≤ x (BOT) not sound for ⊑cpl

clt

livelocks

:-(

livelocks

:-)

Compliance and testing preorders differ 21

❁ ∼

tst

svr

?

= ⊑cpl

svr,

❁ ∼

tst

clt

?

= ⊑cpl

clt

Answer depends on language 1 General CCS1

infinite branching processes

⊑cpl

svr ⊆ ❁

∼

tst

svr

⊑cpl

clt ⊆ ❁

∼

tst

clt

divergent processes

❁ ∼

tst

svr ⊆ ⊑cpl svr

❁ ∼

tst

clt ⊆ ⊑cpl clt

2

Contracts for web services (finite branching, strongly convergent processes)

3

Finite CCS1

4

Finite session behaviours (∼ finite GH session types)

Compliance and testing preorders differ 22

❁ ∼

tst

svr

?

= ⊑cpl

svr,

❁ ∼

tst

clt

?

= ⊑cpl

clt

Answer depends on language 1 General CCS1

infinite branching processes

⊑cpl

svr ⊆ ❁

∼

tst

svr

⊑cpl

clt ⊆ ❁

∼

tst

clt

divergent processes

❁ ∼

tst

svr ⊆ ⊑cpl svr

❁ ∼

tst

clt ⊆ ⊑cpl clt

2

Contracts for web services (finite branching, strongly convergent processes)

3

Finite CCS1

4

Finite session behaviours (∼ finite GH session types)

Compliance and testing preorders differ 23

Contracts for web services

Finite branching, strongly convergent processes

Server preorders coincide ⊑cpl

svr = ❁

∼

tst

svr

◮ hinted at in concur 2007 Laneve, Padovani ◮ stated in toplas 2009, tcs 2010 Castagna et al.; Padovani ◮ proof to appear in MSCS Bernardi, Hennessy

Compliance and testing preorders differ 24

Contracts for web services

Finite branching, strongly convergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt ❁

∼

tst

clt ⊆ ⊑cpl clt

Compliance and testing preorders differ 25

Contracts for web services

Finite branching, strongly convergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

r

• τ

⊑cpl

clt

r

• τ

❁ ∼

tst

clt

Compliance and testing preorders differ 26

Contracts for web services

Finite branching, strongly convergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

r

• τ

⊑cpl

clt

r

• τ

❁ ∼

tst

clt

Let r ⊣ p r || p

τ

− → 0 || p implies 0 ⊣ p

Compliance and testing preorders differ 27

Contracts for web services

Finite branching, strongly convergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

r

• τ

⊑cpl

clt

r

• τ

❁ ∼

tst

clt

Let r ⊣ p r || p

τ

− → 0 || p implies 0 ⊣ p 0 must r 0 must 0

Compliance and testing preorders differ 28

Contracts for web services

Finite branching, strongly convergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

r

• τ

⊑cpl

clt

r

• τ

❁ ∼

tst

clt

Let r ⊣ p r || p

τ

− → 0 || p implies 0 ⊣ p 0 must r 0 must 0

axiom

(TOPb) not sound for ⊑cpl

clt

(TOPb) 1 ≤ x + 1

• therwise 1 ⊑cpl

clt r ⊑cpl clt 0 Compliance and testing preorders differ 29

Contracts for web services

Finite branching, strongly convergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

r1 r ′

1

a τ

❁ ∼

tst

clt

r2 r ′

2

b τ

r1 r ′

1

a τ

⊑cpl

clt

r2 r ′

2

b τ

Compliance and testing preorders differ 30

Contracts for web services

Finite branching, strongly convergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

r1 r ′

1

a τ

❁ ∼

tst

clt

r2 r ′

2

b τ

r1 r ′

1

a τ

⊑cpl

clt

r2 r ′

2

b τ

p

• must r1 for every p

livelocks

:-(

Compliance and testing preorders differ 31

Contracts for web services

Finite branching, strongly convergent processes

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

r1 r ′

1

a τ

❁ ∼

tst

clt

r2 r ′

2

b τ

r1 r ′

1

a τ

⊑cpl

clt

r2 r ′

2

b τ

p

• must r1 for every p

p

a

r1 ⊣ p r2 ⊣ p

livelocks

:-(

livelocks

:-)

Compliance and testing preorders differ 32

❁ ∼

tst

svr

?

= ⊑cpl

svr,

❁ ∼

tst

clt

?

= ⊑cpl

clt

Answer depends on the language 1 General CCS1 ⊑cpl

svr = ❁

∼

tst

svr

⊑cpl

clt = ❁

∼

tst

clt

2

Contracts for web services

• fin. branching, str. convergent

⊑cpl

svr = ❁

∼

tst

svr

meaning

⊑cpl

clt ⊆ ❁

∼

tst

clt

livelocks

❁ ∼

tst

clt ⊆ ⊑cpl clt

3

Finite CCS1

4

Finite session behaviours (∼ finite GH session types) Notation: A = B whenever A ⊆ B, B ⊆ A

Compliance and testing preorders differ 33

❁ ∼

tst

svr

?

= ⊑cpl

svr,

❁ ∼

tst

clt

?

= ⊑cpl

clt

Answer depends on the language 1 General CCS1 ⊑cpl

svr = ❁

∼

tst

svr

⊑cpl

clt = ❁

∼

tst

clt

2

Contracts for web services

• fin. branching, str. convergent

⊑cpl

svr = ❁

∼

tst

svr

meaning

⊑cpl

clt ⊆ ❁

∼

tst

clt

livelocks

❁ ∼

tst

clt ⊆ ⊑cpl clt

3

Finite CCS1

4

Finite session behaviours (∼ finite GH session types) Notation: A = B whenever A ⊆ B, B ⊆ A

Compliance and testing preorders differ 34

Finite CCS1

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

r1 1

a

• ❁

∼

tst

clt

r2

a

• r1

1

a

• ⊑cpl

clt

r2

a

• Compliance and testing preorders differ

35

Finite CCS1

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

r1 1

a

• ❁

∼

tst

clt

r2

a

• r1

1

a

• ⊑cpl

clt

r2

a

• p must r2 for every p

Compliance and testing preorders differ 36

Finite CCS1

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

r1 1

a

• ❁

∼

tst

clt

r2

a

• r1

1

a

• ⊑cpl

clt

r2

a

• p must r2 for every p

p

a

r1 ⊣ p r2 ⊣ p

Compliance and testing preorders differ 37

Finite CCS1

Client preorders not comparable ⊑cpl

clt ⊆ ❁

∼

tst

clt

❁ ∼

tst

clt ⊆ ⊑cpl clt

r1 1

a

• ❁

∼

tst

clt

r2

a

• r1

1

a

• ⊑cpl

clt

r2

a

• p must r2 for every p

p

a

r1 ⊣ p r2 ⊣ p

axiom

(ANTE) µ.(1 + x) ≤ 1 + µ.x

(ANTE) not sound for ⊑cpl

clt

Compliance and testing preorders differ 38

❁ ∼

tst

svr

?

= ⊑cpl

svr,

❁ ∼

tst

clt

?

= ⊑cpl

clt

Answer depends on the language 1 General CCS1 ⊑cpl

svr = ❁

∼

tst

svr

⊑cpl

clt = ❁

∼

tst

clt

2 Contracts for web services ⊑cpl

svr = ❁

∼

tst

svr

⊑cpl

clt = ❁

∼

tst

clt

3

Finite CCS1 meaning

❁ ∼

tst

clt ⊆ ⊑cpl clt

meaning

⊑cpl

clt ⊆ ❁

∼

tst

clt

4

Finite session behaviours (∼ finite GH session types) Notation: A = B whenever A ⊆ B, B ⊆ A

Compliance and testing preorders differ 39

Finite session behaviours

T, S ::= end | & l1 : T1, . . . , li : Ti | ⊕ l1 : T1, . . . , li : Ti

• r, p ::= 1 |

i∈[1;n]?li.ri | i∈[1;n] τ.!li.ri (li’s pairwise distinct labels)

p must r implies r ⊣ p depends on r

• −

→ implies r = 1

• Lemma. p must r iff r ⊣ p.

Theorem.

⊑cpl

svr = ❁

∼

tst

svr,

⊑cpl

clt = ❁

∼

tst

clt.

Compliance and testing preorders differ 40

Finite session behaviours

T, S ::= end | & l1 : T1, . . . , li : Ti | ⊕ l1 : T1, . . . , li : Ti

• r, p ::= 1 |

i∈[1;n]?li.ri | i∈[1;n] τ.!li.ri (li’s pairwise distinct labels)

p must r implies r ⊣ p depends on r

• −

→ implies r = 1

• Lemma. p must r iff r ⊣ p.

Theorem.

⊑cpl

svr = ❁

∼

tst

svr,

⊑cpl

clt = ❁

∼

tst

clt.

Compliance and testing preorders differ 41

❁ ∼

tst

svr

?

= ⊑cpl

svr,

❁ ∼

tst

clt

?

= ⊑cpl

clt

Answer depends on the language 1 General CCS1 ⊑cpl

svr = ❁

∼

tst

svr

⊑cpl

clt = ❁

∼

tst

clt

2 Contracts for web services ⊑cpl

svr = ❁

∼

tst

svr

⊑cpl

clt = ❁

∼

tst

clt

3 Finite CCS1 ⊑cpl

clt = ❁

∼

tst

svr

4 Finite session behaviours ⊑cpl

svr = ❁

∼

tst

svr

⊑cpl

clt = ❁

∼

tst

clt

Notation: A = B whenever A ⊆ B, B ⊆ A

Compliance and testing preorders differ 42

in general Compliance and testing preorders differ

Web Services

Server preorders coincide (lucky coincidence)

results on ❁ ∼

tst

clt do not hold for ⊑cpl clt

(axiomatisation, behav. char.)

more work needed to understand ⊑cpl

clt

≤ simple

satisfaction disregarded

≤ intricate

satisfaction matters impacts on

◮ properties ◮ reasoning techniques

Compliance and testing preorders differ 43

That’s the story. Thank you :-) Questions?

Compliance and testing preorders differ 44

Client preorders

Thorny business

◮ usability

(a. 1 + b. 0) + (a. 0 + b. 1) ❁ ∼

tst

clt 0 ◮ broken axioms

• a. 1 ❁

∼

tst

clt a.τ. 1 ◮ not compositional

0 ❁ ∼

tst

clt b. 0

• a. 1 ❁

∼

tst

clt a. 1

• a. 1 + 0 ❁

∼

tst

clt a. 1 + b. 0 ◮ no Park Induction (compliance, should)

Park Induction: if f (r) ≤ r then rec x.f (x) ≤ r

f (0) ⊑cpl

clt 0

rec x.f (x) ⊑cpl

clt 0

f (x) = (a. 1) + (a.x)

f (0) = (a. 1) + (a. 0) ⊑cpl

clt 0

rec x.f (x) = rec x.((a. 1) + a.x) ⊑cpl

clt 0 (witness: rec x.a.x) Compliance and testing preorders differ 45