ArticlePDF Available

Reduction Semantics and Formal Analysis of Orc Programs

Authors:
Musab Alturki at King Fahd University of Petroleum and Minerals
Musab Alturki
Jose Meseguer at University of Illinois Urbana-Champaign
Jose Meseguer
Download full-text PDFDownload full-text PDF
Read full-text
Download citation

Abstract

Orc is a language for orchestration of web services developed by J. Misra that oers simple, yet powerful and elegant, constructs to program sophisticated web orchestration applications. The formal semantics of Orc poses interesting challenges, because of its real-time nature and the dierent priorities of external and internal actions. In this paper, building upon our previous SOS semantics of Orc in rewriting logic, we present a much more ecient reduction semantics of Orc, which is provably equivalent to the SOS semantics thanks to a strong bisimulation. We view this reduction semantics as a key intermediate stage towards a future, provably correct distributed implementation of Orc, and show how it can naturally be extended to a distributed actor-like semantics. We show experiments demonstrating the much better performance of the reduction semantics when compared to the SOS semantics. Using the Maude rewriting logic language, we also illustrate how the reduction semantics can be used to endow Orc with useful formal analysis capabilities, including an LTL model checker. We illustrate these formal analysis features by means of an online auction system, which is modeled as a distributed system of actors that perform Orc computations.
5648f17c08ae9f9c13ebbe
45.pdf
Content uploaded by Musab Alturki
Author content
All content in this area was uploaded by Musab Alturki on Nov 15, 2015
Content may be subject to copyright.
Reduction Semantics and Formal Analysis of Orc Progra
ms.pdf
Available via license: CC BY-NC-ND 3.0
Content may be subject to copyright.
A preview of the PDF is not available
... Compared with our previous work in [3,5], the work presented here provides new results and substantial improvements and extensions. Specifically, since the initial versions in [3,5], both the SOS-based and the reduction rewriting semantics of Orc have been thoroughly refined and extended to achieve a more complete, elegant, and efficiently executable specification. ...
... Compared with our previous work in [3,5], the work presented here provides new results and substantial improvements and extensions. Specifically, since the initial versions in [3,5], both the SOS-based and the reduction rewriting semantics of Orc have been thoroughly refined and extended to achieve a more complete, elegant, and efficiently executable specification. In particular, using order-sorted structures for Orc values and order-sorted declarations for Orc expressions and action labels, and using membership equations enables a simpler and more elegant specification of the synchronous semantics of Orc that can be executed and analyzed more efficiently than with just the many-sorted specifications used before. ...
... We focus our attention here on the subset of these algebraic properties shown in Figure 3. Our choice of this subset is motivated by the fact that the equations (6)-(11) are confluent and terminating modulo the axioms (1)- (5), so that ...
Executable rewriting logic semantics of Orc and formal analysis of Orc programs
Article
Full-text available
  • Apr 2015
The Orc calculus is a simple, yet powerful theory of concurrent computations with great versatility and practical applicability to a very wide range of applications, as it has been amply demonstrated by the Orc language, which extends the Orc calculus with powerful programming constructs that can be desugared into the underlying formal calculus. This means that for: (i) theoretical, (ii) program verification, and (iii) language implementation reasons, the formal semantics of Orc is of great importance. Furthermore, having a semantics of Orc that is executable is essential to provide: (i) a formally-defined interpreter against which language implementations can be validated, and (ii) a (semi-)automatic way of generating a wide range of semantics-based program verification tools, including model checkers and theorem provers.
View
... In Section 4, we present a serialization procedure that implements the synchronous extension of the relation induced by a set rewrite system, and prove its soundness and completeness (for the case in which the relation is deterministic). Specification of synchronous languages in rewriting logic has been previously studied (see, for example, [1,17,19]), but having an executable specification general enough to be instantiated for many particular cases brings an interesting challenge to the intrinsically asynchronous Maude system. ...
... Synchronous rewriting is often related to parallel rewriting because of their similar nature. Semantics of synchronous and parallel languages have been already considered and specified in rewriting logic (see, for example, [1,17,19]). The Coq system is used in [4] to give the formal foundations of the synchronous language Esterel. ...
... we have that A(0) → B(0) and A(1) → B(1). On the other hand, A(0), A(1) is not a redex for →.The synchronous extension of a relation → challenges the standard asynchronous interpretation of rewrite systems. ...
A Formal Framework of Set Relations and Its Application to Synchronous Languages
Article
Full-text available
  • Jan 2010
Set relations are particularly suitable for specifying the small- step operational semantics of synchronous languages. We present a frame- work for the denition, formal verication of properties, and execution of binary set relations. The framework consists of two parts. The rst part is a library in the Prototype Verication System (PVS) that contains deni- tions and proofs of properties, such as determinism and compositionality, for synchronous relations. The second part is a rewriting logic specica- tion that animates in the Maude system synchronous binary relations on sets. We illustrate the use of this framework with the operational se- mantics of the Plan Execution Interchange Language (PLEXIL), a rich concurrent and reactive plan execution language developed by NASA to support autonomous spacecraft operations.
View
... Besides KLAIM and Linda [20,36], several other calculi and formal languages that can express and analyze mobile and distributed computing have been proposed. Three examples that also influenced the work in this article are Mobile Ambients [19], Mobile Maude [30], and the rewriting logic semantics of Orc [4,5]: Mobile Ambients is a calculus that describes the movement of processes and devices; Mobile Maude is a mobile agent language that extends Maude with the support for mobile computation. With the rise of the Internet and distributed systems in general came a great demand to automate business processes and workflows among organizations and individuals. ...
... Orc [53] describes a theory for the orchestration of such services and provides a timed and concurrent programming language. AlTurki et al. formally specified and analyzed the Orc language using the Maude system in [4], proved the Orc SOS semantics bisimilar to a much more efficient reduction semantics in [3,5], and provided a distributed implementation with formal analysis in [6]. ...
Semantics, distributed implementation, and formal analysis of KLAIM models in Maude
Article
  • Jan 2014
  • SCI COMPUT PROGRAM
Emerging distributed systems such as cloud-based services are characterized by computations over different explicit localities, moving code and data, and a high degree of concurrency. KLAIM is a well-established language that can naturally describe such systems. The KLAIM language is process algebra flavored, allows Linda-based asynchronous communication through distributed tuple spaces, and supports explicit localities as well as code and data mobility. In this work we take some first steps in the quest for a correct-by-construction design process for secure and reliable distributed systems. Such a design process is necessary as more and more safety- and security-critical tasks that need to satisfy mission-critical formal requirements are executed in a distributed setting. We use a rewriting-based approach to formally specify and analyze KLAIM specifications of distributed systems. In particular we: (i) specify the reduction semantics of KLAIM in Maude, (ii) extend the Maude-based specification by making messages first-class citizens, and (iii) describe a second extension that allows true distributed execution of Maude-based KLAIM specifications. We prove that under appropriate weak fairness assumptions all these specifications are stuttering bisimilar and that large classes of logic temporal formulas, namely all CTL⁎∖XCTL⁎∖X formulas, are preserved. By means of an example we show that our approach allows specifying aspects of a distributed system in a Maude-based KLAIM dialect, verifying these specifications using Maude's LTL model checking capabilities, and then executing the verified specifications in a distributed environment. This marks a first step in the quest for a correct-by-construction design process for secure and reliable distributed systems.
View
... Rewriting logic has been used previously as a testbed for specifying and animating the semantics of synchronous languages. M. AlTurki and J. Meseguer [1] have studied the rewriting logic semantics of the language Orc, which includes a synchronous reduction relation. T. Serbanuta et.al. ...
Rewriting Logic Semantics of a Plan Execution LanguageRewriting
Technical Report
Full-text available
  • Jun 2009
Since its founding, NASA has been dedicated to the advancement of aeronautics and space science. The NASA scientific and technical information (STI) program plays a key part in helping NASA maintain this important role. The NASA STI program operates under the auspices of the Agency Chief Information Officer. It collects, organizes, provides for archiving, and disseminates NASA's STI. The NASA STI program provides access to the NASA Aeronautics and Space Database and its public interface, the NASA Technical Report Server, thus providing one of the largest collections of aeronautical and space science STI in the world. Results are published in both non-NASA channels and by NASA in the NASA STI Report Series, which includes the following report types: • TECHNICAL PUBLICATION. Reports of completed research or a major significant phase of research that present the results of NASA programs and include extensive data or theoretical analysis. Includes compilations of significant scientific and technical data and information deemed to be of continuing reference value. NASA counterpart of peer-reviewed formal professional papers, but having less stringent limitations on manuscript length and extent of graphic presentations. • TECHNICAL MEMORANDUM. Scientific and technical findings that are preliminary or of specialized interest, e.g., quick release reports, working papers, and bibliographies that contain minimal annotation. Does not contain extensive analysis.
View
... Dong et al. employed timed automata and the model checker tool UPPAL to model and verify the correctness of the Orc programs [32]. The research of AlTurki also uses model checking techniques to verify Orc programs [33,34]. ...
A UTP semantic model for Orc language with execution status and fault handling
Article
Full-text available
  • Oct 2014
The Orc language is a concurrency calculus proposed to study the orchestration patterns in service oriented computing. Its special features, such as high concurrency and asynchronism make it a brilliant subject for studying web applications that rely on web services. The conventional semantics for Orc does not contain the execution status of services so that a program cannot determine whether a service has terminated normally or halted with a failure after it published some results. It means that this kind of failure cannot be captured by the fault handler. Furthermore, such a semantic model cannot establish an order saying that a program is better if it fails less often. This paper employs UTP methods to propose a denotational semantic model for Orc that contains execution status information. A failure handling semantics is defined to recover a failure execution back to normal. A refinement order is defined to compare two systems based on their execution failures. Based on this order, a system that introduces a failure recovery mechanism is considered better than one without. An extended operational semantics is also proposed and proven to be equivalent to the denotational semantics.
View
... Rewriting logic has been used previously as a test bed for specifying and animating synchronous rewrite relations. M. AlTurki and J. Meseguer [1] have studied the rewriting logic semantics of the language Orc, which includes a synchronous reduction relation. T. Serbanuta et al. [18] and C. Chira et al. [3] define the execution of P -systems with structured data with continuations. ...
Synchronous set relations in rewriting logic
Article
  • Oct 2014
  • SCI COMPUT PROGRAM
This paper presents a mathematical foundation and a rewriting logic infrastructure for the execution and property verification of synchronous set relations. The mathematical foundation is given in the language of abstract set relations. The infrastructure, which is written in the Maude system, enables the synchronous execution of a set relation provided by the user. By using the infrastructure, algorithm verification techniques such as reachability analysis and model checking, already available in Maude for traditional asynchronous rewriting, are automatically available to synchronous set rewriting. In this way, set-based synchronous languages and systems such as those built from agents, components, or objects can be naturally specified and simulated, and are also amenable to formal verification in the Maude system. The use of the infrastructure and some of its Maude-based verification capabilities are illustrated with an executable operational semantics of the Plan Execution Interchange Language (PLEXIL), a synchronous language developed by NASA to support autonomous spacecraft operations.
View
On the verification of SCOOP programs
Article
  • Apr 2015
  • SCI COMPUT PROGRAM
In this paper we focus on the development of a toolbox for the verification of programs in the context of SCOOP -- an elegant concurrency model, recently formalized based on Rewriting Logic (RL) and Maude. SCOOP is implemented in Eiffel and its applicability is demonstrated also from a practical perspective, in the area of robotics programming. Our contribution consists in devising and integrating an alias analyzer and a Coffman deadlock detector under the roof of the same RL-based semantic framework of SCOOP. This enables using the Maude rewriting engine and its LTL model-checker "for free", in order to perform the analyses of interest. We discuss the limitations of our approach in the context of deadlock detection and provide solutions to the state explosion problem. The latter is mainly caused by the size of the SCOOP formalization which incorporates all the aspects of a real concurrency model. On the aliasing side, we propose an extension of a previously introduced alias calculus based on program expressions, to the setting of unbounded program executions such as infinite loops and recursive calls. Moreover, we devise a corresponding executable specification easily implementable on top of the SCOOP formalization. An important property of our extension is that, in non-concurrent settings, the corresponding alias expressions can be over-approximated in terms of a notion of regular expressions. This further enables us to derive an algorithm that always stops and provides a sound over-approximation of the "may aliasing" information, where soundness stands for the lack of false negatives.
View
Design and Analysis of Cloud-Based Architectures with KLAIM and Maude
Conference Paper
  • Mar 2012
  • Lect Notes Comput Sci
Cloud computing is a modern paradigm for offering and utilizing distributed infrastructure resources in a dynamic way. Cloud-based systems are safety- and security-critical; they need to satisfy time-critical performance-based quality of service properties and to dynamically adapt to changes in the potentially hostile and uncertain environment they operate in. In this paper we propose the coordination language KLAIM and a composite actor approach for modelling Cloud-based architectures whereas for formally analyzing such architectures we use a rewritingbased approach. We specify the operational semantics of KLAIM in Maude, show how to realize KLAIM programs in a distributed implementation of Maude, and simulate and analyze three simple Cloud architectures with Maude and the Maude LTL model checker. Moreover, we report shortly on the Maude specification and analysis of three larger Cloud case studies using the composite actor model, where statistical model checking with the Maude-based tool PVeStA is successfully used for detecting bugs and performance issues and for analyzing a defense mechanism against distributed denial-of-service attacks.
View
Rewriting logic bibliography by topic: 1990–2011
Article
  • Oct 2012
  • J LOGIC ALGEBR PROGR
This bibliography compiles, to the best of our knowledge, all the papers on rewriting logic and its applications which have been written during the more than 20 years that have passed since the introduction of rewriting logic in 1990. The papers are classified according to five main areas: foundations, logical and semantic framework, languages, tools, and applications.
View
Towards verification of computation orchestration
Article
  • Jul 2013
Recently, a promising programming model called Orc has been proposed to support a structured way of orchestrating distributed Web Services. Orc is intuitive because it offers concise constructors to manage concurrent communication, time-outs, priorities, failure of Web Services or communication and so forth. The semantics of Orc is precisely defined. However, there is no automatic verification tool available to verify critical properties against Orc programs. Our goal is to verify the orchestration programs (written in Orc language) which invoke web services to achieve certain goals. To investigate this problem and build useful tools, we explore in two directions. Firstly, we define a Timed Automata semantics for the Orc language, which we prove is semantically equivalent to the operational semantics of Orc. Consequently, Timed Automata models are systematically constructed from Orc programs. The practical implication is that existing tool supports for Timed Automata, e.g., Uppaal, can be used to simulate and model check Orc programs. An experimental tool has been implemented to automate this approach. Secondly, we start with encoding the operational semantics of Orc language in Constraint Logic Programming (CLP), which allows a systematic translation from Orc to CLP. Powerful constraint solvers like CLP (R){(\mathcal{R})} are then used to prove traditional safety properties and beyond, e.g., reachability, deadlock-freeness, lower or upper bound of a time interval, etc. Counterexamples are generated when properties are not satisfied. Furthermore, the stepwise execution traces can be automatically generated as the simulation steps. The two different approaches give an insight into the verification problem of Web Service orchestration. The Timed Automata approach has its merits in visualized simulation and efficient verification supported by the well developed tools. On the other hand, the CPL approach gives better expressiveness in both modeling and verification. The two approaches complement each other, which gives a complete solution for the simulation and verification of Computation Orchestration.
View
View
Translating Orc Features into Petri Nets and the Join Calculus
Conference Paper
Full-text available
  • Dec 2006
  • Lect Notes Comput Sci
Cook and Misra’s Orc is an elegant language for orchestrating distributed services, able to cover e.g. van der Aalst’s workflow patterns. We aim to understand the key novel features of Orc by comparing it with variations of Petri nets. The comparison shows that Orc hides powerful mechanisms for name handling (creation and passing) and for atomic distributed termination. Petri nets with static topology can encode Orc under severe restrictions while the full language (up to a more realistic cancellation strategy) can be encoded in Join (that can be seen as a higher-order extension of Petri nets). As an overall result, we promote Join calculus as an elegant language embedding orchestration and computation.
View
All About Maude - A High-Performance Logical Framework: How to Specify, Program and Verify Systems in Rewriting Logic
Book
  • Jan 2007
  • Lect Notes Comput Sci
This book gives a comprehensive account of Maude, a language and system based on rewriting logic. Many examples are used throughout the book to illustrate the main ideas and features of Maude, and its many possible uses. Maude modules are rewrite theories. Computation with such modules is - cient deduction by rewriting. Because of its logical basis and its initial model semantics,aMaudemodulede?nesaprecisemathematicalmodel.Thismeans that Maude and its formal tool environment can be used in three, mutually reinforcing ways: • as a declarative programming language; • as an executable formal speci?cation language; and • as a formal veri?cation system. Maude’s rewriting logic is simple, yet very expressive. This gives Maude good representational capabilities as a semantic framework to formally represent a wide range of systems, including models of concurrency, distributed al- rithms, network protocols, semantics of programming languages, and models of cell biology. Rewriting logic is also an expressive universal logic,making Maude a ?exible logical framework in which many di?erent logics and - ference systems can be represented and mechanized. This makes Maude a useful metatool to build many other tools, including those in its own formal tool environment. Thanks to the logic’s simplicity and the use of advanced semi-compilation techniques, Maude has a high-performance implementation, making it competitive with other declarative programming languages.
View
Computation orchestration: A basis for wide-area computing
Article
  • Mar 2006
The widespread deployment of networked applications and adoption of the internet has fostered an environment in which many distributed services are available. There is great demand to automate business processes and workflows among organizations and individuals. Solutions to such problems require orchestration of concurrent and distributed services in the face of arbitrary delays and failures of components and communication. We propose a novel approach, called Orc for orchestration, that supports a structured model of concurrent and distributed programming. This model assumes that basic services, like sequential computation and data manipulation, are implemented by primitive sites. Orc provides constructs to orchestrate the concurrent invocation of sites to achieve a goal – while managing time-outs, priorities, and failure of sites or communication.
View
View
View
View
A Tree Semantics of an Orchestration Language
Chapter
  • Jan 2005
This paper presents a formal semantics of a language, called Orc, which is described in a companion paper[3] in this volume. There are many styles of presentation of programming language semantics. The more operational styles give more concrete guidance to the implementer on how a program should be executed. The more abstract styles are more helpful in proving the correctness of particular programs. The style adopted in this paper is neutral between implementer and programmer. Its main achievement is to permit simple proofs of familiar algebraic identities that hold between programs with different syntactic forms.
View
Rewriting Logic Semantics: From Language Specifications to Formal Analysis Tools
Conference Paper
  • Jun 2004
  • Lect Notes Comput Sci
Formal semantic definitions of concurrent languages, when specified in a well-suited semantic framework and supported by generic and efficient formal tools, can be the basis of powerful software analysis tools. Such tools can be obtained for free from the semantic definitions; in our experience in just the few weeks required to define a language’s semantics even for large languages like Java. By combining, yet distinguishing, both equations and rules, rewriting logic semantic definitions unify both the semantic equations of equational semantics (in their higher-order denotational version or their first-order algebraic counterpart) and the semantic rules of SOS. Several limitations of both SOS and equational semantics are thus overcome within this unified framework. By using a high-performance implementation of rewriting logic such as Maude, a language’s formal specification can be automatically transformed into an efficient interpreter. Furthermore, by using Maude’s breadth first search command, we also obtain for free a semi-decision procedure for finding failures of safety properties; and by using Maude’s LTL model checker, we obtain, also for free, a decision procedure for LTL properties of finite-state programs. These possibilities, and the competitive performance of the analysis tools thus obtained, are illustrated by means of a concurrent Caml-like language; similar experience with Java (source and JVM) programs is also summarized.
View
An interleaving model for real-time systems
Chapter
  • Apr 2006
In this paper, we present a timed calculus, Timed CCS, which is an extension of Milner's CCS with time. We allow time to be discrete, such as the integers or the natural numbers, or dense, such as the rationals or the reals. We extend the notion of strong bisimulation to timed processes and show that the largest strong bisimulation is decidable. The decidability is independent of the choice of the time domain.
View