Conference PaperPDF Available

Lending Petri Nets and Contracts



Choreography-based approaches to service composition typically assume that, after a set of services has been found which correctly play the roles prescribed by the choreography, each service respects his role. Honest services are not protected against adversaries. We propose a model for contracts based on a extension of Petri nets, which allows services to protect themselves while still realizing the choreography. We relate this model with Propositional Contract Logic, by showing a translation of formulae into our Petri nets which preserves the logical notion of agreement, and allows for compositional verification.
arXiv:1211.3624v2 [cs.LO] 30 May 2013
Lending Petri nets and contracts
Massimo Bartoletti, Tiziana Cimoli, and G. Michele Pinna
Dipartimento di Matematica e Informatica, Universit`a degli Studi di Cagliari, Italy
Abstract. Choreography-based approaches to service composition typ-
ically assume that, after a set of services has been found which correctly
play the roles prescribed by the choreography, each service respects his
role. Honest services are not protected against adversaries. We propose
a model for contracts based on an extension of Petri nets, which allows
services to protect themselves while still realizing the choreography. We
relate this model with Propositional Contract Logic, by showing a trans-
lation of formulae into our Petri nets which preserves the logical notion
of agreement, and allows for compositional verification.
1 Introduction
Many of today’s human activities, from business and financial transactions, to
collaborative and social applications, run over complex interorganizational sys-
tems, based on service-oriented computing (SOC) and cloud computing tech-
nologies. These technologies foster the implementation of complex software sys-
tems through the composition of basic building blocks, called services. Ensuring
reliable coordination of such components is fundamental to avoid critical, pos-
sibly irreparable problems, ranging from economic losses in case of commercial
activities, to risks for human life in case of safety-critical applications.
Ideally, in the SOC paradigm an application is constructed by dynamically
discovering and composing services published by different organizations. Services
have to cooperate to achieve the overall goals, while at the same time they have
to compete to achieve the specific goals of their stakeholders. These goals may be
conflicting, especially in case of mutually distrusted organizations. Thus, services
must play a double role: while cooperating together, they have to protect them-
selves against other service’s misbehavior (either unintentional or malicious).
The lack of precise guarantees about the reliability and security of services is
a main deterrent for industries wishing to move their applications and business
to the cloud [3]. Quoting from [3], “absent radical improvements in security
technology, we expect that users will use contracts and courts, rather than clever
security engineering, to guard against provider malfeasance”.
Indeed, contracts are already a key ingredient in the design of SOC appli-
cations. A choreography is a specification of the overall behavior of an interor-
ganizational process. This global view of the behavior is pro jected into a set of
local views, which specify the behavior expected from each service involved in
the whole process. The local views can be interpreted as the service contracts: if
the actual implementation of each service respects its contract, then the overall
application must be guaranteed to behave correctly.
There are many proposals of formal models for contracts in the literature,
which we may roughly divide into “physical” and “logical” models. Physical con-
tracts take inspiration mainly from formalisms for concurrent systems (e.g. Petri
nets [21], event structures [15, 5], and various s orts of pro cess algebras [8–10 , 12,
16]), and they allow to describe the interaction of services in terms of response to
events, message exchanges, etc. On the other side, logical contracts are typically
expressed as formulae of suitable logics, which take inspiration and extend e.g.
modal [1, 14], intuitionistic [2,7], linear [2], deontic [18] logics to model high-level
concepts such as promises, obligations, prohibitions, authorizations, etc.
Even though logical contracts are appealing, since they aim to provide for-
mal models and reasoning tools for real-world Service Level Agreements, ex-
isting logical approaches have not had a great impact on the design of SOC
applications. A reason is that there is no evidence on how to relate high-level
properties of a contract with properties of the services which have to realize it.
The situation is decidedly better in the realm of physical contracts, where the
gap between contracts and services is narrower. Several papers, e.g. [9–11, 16,
21], address the issue of relating properties of a choreography with properties
of the services which implement it (e.g. deadlock freedom, communication error
freedom, session fidelity), in some cases providing automatic tools to project the
choreography to a set services which correctly implements it.
A common assumption of most of these approaches is that services are honest,
i.e. their behavior always adheres to the local view. For instance, if the local view
takes the form of a behavioral type, it is assumed that the service is typeable,
and that its type is a subtype of the local view. Contracts are only used in the
“matchmaking” phase: once, for each local view projected from the choreography,
a compliant service has been found, then all the contracts can be discarded.
We argue that the honesty assumption is not suitable in the case of interor-
ganizational processes, where services may pursue their providers goals to the
detriment to the other ones. For instance, consider a choreography which pre-
scribes that a participant Aperforms action a(modeling e.g. “pay $100 to B”),
and that Bperforms b(e.g. “provide Awith 5GB disk storage”). If both Aand
Bare honest, then each one will perform its due action, so leading to a correct
execution of the choreography. However, since providers have full control of the
services they run, there is no authority which can force services to be honest.
So, a malicious provider can replace a service validated w.r.t. its contract, with
another one: e.g., Bcould wait until Ahas done a, and then “forget” to do b.
Note that Bmay perform his scam while not being liable for a contract violation,
since contracts have been discarded after validation.
In such competitive scenarios, the role of contracts is twofold. On the one
hand, they must guarantee that their composition complies with the choreogra-
phy: hence, in contexts where services are honest, the overall execution is correct.
On the other hand, contracts must protect services from malicious ones: in the
example above, the contract of Amust ensure that, if Aperforms a, then Bwill
either do b, or he will be considered culpable of a contract violation.
In this paper, we consider physical contracts modeled as Petri nets, along the
lines of [21]. In our approach we can both start from a choreography (modeled
as a Petri net) and then obtain the local views by pro jection, as in [21], or
start from the local views, i.e. the contracts published by each participant, to
construct a choreography which satisfies the goals of everybody. Intuitively, when
this happens the contracts admit an agreement.
A crucial observation of [6] is that if contracts admit an agreement, then
some participant is not protected, and vice-versa. The archetypical example is
the one outlined above. Intuitively, if each participant waits until someone else
has performed her action, then everyone is protected, but the contracts do not
admit an agreement because of the deadlock. Otherwise, if a participant does
her action without waiting, then the contracts admit an agreement, but the
participant who makes the first step is not protected. This is similar to the proof
of impossibility of fair exchange protocols without a trusted third party [13].
To overcome this problem, we introduce lending Petri nets (in short, LPN).
Roughly, an LPN is a Petri net where some places may give tokens “on credit”.
Technically, when a place gives a token on credit its marking will become nega-
tive. This differs from standard Petri nets, where markings are always nonneg-
ative. The intuition is that if a participant takes a token on credit, then she is
obliged to honour it otherwise she is culpable of a contract violation.
Differently from the Petri nets used in [21], LPNs allow for modeling contracts
which, at the same time, admit an agreement (more formally, weakly terminate)
and protect their participants. LPNs preserve one of the main results of [21],
i.e. the possibility of proving that an application respects a choreography, by
only locally verifying the services which compose it. More precisely, we project a
choreography to a set of local views, independently refine each of them, and be
guaranteed then the composition of all refinements respects the choreography.
This is stated formally in Theorem 8.
The other main contribution is a relation between the logical contracts of [7]
and LPN contracts. More precisely, we consider contracts expressed in (a frag-
ment of) Propositional Contract Logic (PCL), and we compile them into LPNs.
Theorem 23 states that a PCL contract admits an agreement if and only if its
compilation weakly terminates. Summing up, Theorem 24 states that one can
start from a choreography represented as a logical contract, compile it to a phys-
ical one, and then use Theorem 8 to project it to a set services which correctly
implement it, and which are protected against adversaries. Finally, Theorem 25
relates logical and physical characterizations of urgent actions, i.e. those actions
which must be performed in a given state of the contract.
2 Nets
We briefly review Petri nets [19] and the token game. We consider Petri nets
labeled on a set T, and (perhaps a bit unusually) the labeling is also on places.
Alabeled Petri net is a 5-tuple hS, T , F, Γ, Λi, where Sis a set of places, and T
is a set of transitions (with ST=), F(S×T)(T×S) is the flow relation,
and Γ:ST,Λ:TTare partial labeling function for places and transitions,
respectively. Ordinary (non labeled) Petri nets are those where the two labeling
functions are always undefined (i.e. equal to ). We require that for each tT,
F(t, s)>0 for some place sS, i.e. a transition cannot happen spontaneously.
Subscripts on the net name carry over the names of the net components. As
usual, we define the pre-set and post-set of a transition/place: x={yTS|
F(y, x)>0}and x={yTS|F(x, y)>0}, respectively. These are
extended to subsets of transitions/places in the obvious way.
Amarking is a function mfrom places to natural numbers (i.e. a multiset
over places), which represents the state of the system modeled by the net. A
marked Petri net is a pair N= (hS, T, F , Γ, Λi, m0), where hS, T, F, Γ, Λiis a
labelled Petri net, and m0:SNis the initial marking.
The dynamic of a net is described by the execution of transitions at markings.
Let Nbe a marked net (hereafter we will just call net a marked net). A transition
tis enabled at a marking mif the places in the pre-set of tcontains enough
tokens (i.e. if mcontains the pre-set of t). Formally, tTis enabled at mif
m(s)F(s, t) for all st. In this case, to indicate that the execution of tin
mproduces the new marking m(s) = m(s)F(s, t) + F(t, s), we write m[tim,
and we call it a step1. This notion is lifted, as usual, to multisets of transitions.
The notion of step leads to that of execution of a net. Let N= (hS, T, F, Γ, Λi,
m0) be a net, and let mbe a marking. The firing sequences starting at mare
defined as follows: (a) mis a firing sequence, and (b) if m[t1im1···mn1[tnimn
is a firing sequence and mn[timis a step, then m[t1im1···mn1[tnimn[tim
is a firing sequence. A marking mis reachable iff there exists a firing sequence
starting at m0leading to it. The set of reachable markings of a net Nis denoted
with M(N). A net N= (hS, T, F, Γ, Λi, m0) is safe when each marking mM(N)
is such that m(s)1 for all sS.
Atrace can be associated to each firing sequence, which is the word on T
obtained by the firing sequence considering just the (labels of the) transitions
and forgetting the markings: if m0[t1im1···mn1[tnimnis a firing sequence of
N, the associated trace is Λ( The trace associated to m0is the empty
word ε. If the label of a transition is undefined then the associated word is the
empty one. The traces of a net Nare denoted with Traces(N).
Asubnet is a net obtained by restricting places and transitions of a net, and
correspondingly the flow relation and the initial marking. Let N= (hS, T, F, Γ, Λi,
m0) be a net, and let TT. We define the subnet generated by Tas the net
N|T= (hS, T , F , Γ , Λi, m
0), where S={sS|F(t, s)>0 or F(s, t)>0
for tT} {sS|m0(s)>0},Fis the flow relation restricted to Sand T,
Γis obtained by Γrestricting to places in S,Λis obtained by Λrestricting to
transitions in T, and m
0is obtained by m0restricting to places in S
1The word step is usually reserved to the execution of a subset of transitions, but
here we prefer to stress the computational interpretation.
A net property (intuitively, a property of the system modeled as a Petri net)
can be characterized in several ways, e.g. as a set of markings (states of the
system). The following captures the intuition that, notwithstanding the state
(marking) reached by the system, it is always possible to reach a state satisfying
the property. A net Nweakly terminates in a set of markings Miff mM(N),
there is a firing sequence starting at mand leading to a marking in M. Hereafter,
we shall sometimes say that Nweakly terminates (without referring to any M)
when the property is not relevant or clear from the context.
We now introduce occurrence nets. The intuition behind this notion is the
following: regardless how tokens are produced or consumed, an occurrence net
guarantees that each transition can occur only once (hence the reason for calling
them occurrence nets). We adopt the notion proposed by van Glabbeek and
Plotkin in [22], namely 1-occurrence nets. For a multiset M, we denote by [[M]]
the multiset defined as [[M]](a) = 1 if M(a)>0 and [[M]](a) = 0 otherwise. A
state of a net N= (hS, T , F, Γ, Λi, m0) is any finite multiset Xof Tsuch that the
function mX:SZgiven by mX(s) = m0(s) + PtTX(t)·(F(t, s)F(s, t)),
for all sS, is a reachable marking of the net. We denote by St(N) the states
of N. A state contains (in no order) all the occurrence of the transitions that
have been fired to reach a marking. Observe that a trace of a net is a suitable
linearization of the elements of a state X. We use the notion of state to formalize
occurrence nets. An occurrence net O= (hS, T , F, Γ, Λi, m0) is a net where each
state is a set, i.e. XSt(N). X = [[X]].
A net is correctly labeled iff s.t, ts. Γ (s)6==Λ(t) = Λ(t) = Γ(s).
Intuitively, this requires that all the transitions putting a token in a labeled place
represent the same action.
3 Nets with lending places
We now relax the conditions under which transitions may be executed, by allow-
ing a transition to consume tokens from a place seven if the sdoes not contain
enough tokens. Consequently, we allow markings with negative numbers. When
the number of tokens associated to a place becomes negative, we say that they
have been done on credit. We do not permit this to happen in all places, but
only in the lending places (a subset Lof S). Lending places are depicted with a
double circle.
Definition 1. Alending Petri net (LPN) is a triple (hS, T, F, Γ, Λi, m0,L)where
(hS, T, F, Γ, Λi, m0)is a marked Petri net, and LSis the set of lending places.
Example 1. Consider the LPN N1in Fig. 1. The places p2and p4are lending
places. The set of labels of the transitions is T={a,b,c}, and the set of labels of
the places is G=T. The labeling is Γ(p1) = c, Γ (p2) = aand Γ(p4) = Γ(p3) = b
(the place p0is unlabeled).
The notion of step is adapted to take into account this new kind of places.
Let Nbe an LPN, let tbe a transition in T, and let mbe a marking. We say that
Fig. 1. Two lending Petri nets.
tis enabled at miff st. m(s)0 =sL. The evolution of Nis defined
as before, with the difference that the obtained marking is now a function from
places to Z(instead of N). This notion matches the intuition behind of lending
places: we allow a transition to be executed even when some of the transitions
that are a pre-requisite have not been executed yet.
Definition 2. Let mbe a reachable marking of an LPN N. We say that mis
honored iff m(s)0for all places sof N.
An honored firing sequence is a firing sequence where the final marking is
honored. Note that if the net has no lending places, then all the reachable mark-
ings are honored.
Example 2. In the net of Ex. 1, the transition cis enabled even though there
are no tokens in the places p2and p4in its pre-set, as they are lending places.
The other transitions are not enabled, hence at the initial marking only cmay
be executed (on credit). After firing c, only bcan be executed. This results in
putting one token in p3and one in p4, hence giving back the one taken on credit.
After this, only acan be executed. Upon firing c,band a, the marking is honored.
The net is clearly a (correctly labeled) occurrence net.
We now introduce a notion of composition of LPNs. The idea is that the
places with a label are places in an interface of the net (though we do not put
any limitation on such places, as done instead e.g. in [21]) and they never are
initially marked. The labelled transitions of a net are connected with the places
bearing the same label of the other.
Definition 3. Let N= (hS, T , F, Γ, Λi, m0,L)and N= (hS, T , F , Γ , Λi,
0,L)be two LPNs. We say that N, N are compatible whenever (a)they have
the same set of labels, (b)SS=,(c)TT=,(d)m0(s) = 1 implies
Γ(s) = , and (e)m
0(s) = 1 implies Γ(s) = . If Nand Nare compatible,
their composition NNis the LPN (hˆ
S, T T,ˆ
F , ˆ
Γ , ˆ
L)in Fig. 2.
The underlying idea of LPN composition is rather simple: the sink places in
a net bearing a label of a transition of the other net are removed, and places
and transitions with the same label are connected accordingly (the removed sink
places have places with the same label in the other net). All the other ingredients
of the compound net are trivially inherited from the components. Observe that,
S=(S\ {sS|Γ(s)Λ(T) and s=∅})
(S\ {sS|Γ(s)Λ(T) and s′• =∅})
Fs, ˆ
t) ˆs=s1Sˆ
t=t1TF(s1, t1)
t=t2TF(s2, t2)
t, ˆs) ˆs=s1Sˆ
t=t1TF(t1, s1)
t=t2TF(t2, s2)
t=tTΛ(t) = Γ(s)6=
t=tTΛ(t) = Γ(s)6=
Γs) = (Γ(s1)if ˆs=s1S
Γ(s2)if ˆs=s2S
t) = (Λ(t1)if ˆ
Λ(t2)if ˆ
ˆm0(ˆs) = (1 if ˆs=s1Sand m0(s1) = 1, or ˆs=s2Sand m
0(s2) = 1
0 otherwise
L= (LL)ˆ
Fig. 2. Composition of two LPNs.
when composing two compatible nets Nand Nsuch that Γ(S)Γ(S) = ,
we obtain the disjoint union of the two nets. Further, if the common label a
Γ(S)Γ(S) is associated in Nto a place swith empty post-set and in Nto
a place swith empty post-set (or vice versa) and the labelings are injective, we
obtain precisely the composition defined in [21]. If the components Nand N
may satisfy some properties (sets of markings Mand M), the compound net
NNmay satisfy the compound property (which is the set of markings ˆ
obtained obviously from Mand M).
Example 3. Consider the nets in Fig. 3. Net Nfires aafter bhas been performed;
dually, net Nwaits for bbefore firing a. These nets model two participants which
protect themselves by waiting the other one to make the first step (the properties
being that places p3and p
3, respectively, are not marked). Clearly, no agreement
is possible in this scenario. This is modelled by the deadlock in the composition
NN, where neither transitions anor bcan be fired. Consider now the LPN
N′′, which differs from Nonly for the lending place p′′
1. This models a participant
which may fire aon credit, under the guarantee that the credit will be eventually
honoured by the other participant performing b(hence, the participant modeled
by N′′ is still protected), and the property is then place p′′
3unmarked and p′′
with a non negative marking. The composition N′′ Nweakly terminates wrt
the above properties, because transition acan take a token on credit from p′′
and then transition bcan be fired, so honouring the debit in p′′
N′′ N
Fig. 3. Three LPNs (top) and their pairwise compositions (bottom).
The operation is clearly associative and commutative.
Proposition 4 Let N1,N2and N3be three compatible LPNs. Then, N1N2=
N2N1and N1(N2N3) = (N1N2)N3.
The composition does not have the property that, in general, considering
only the transitions of one of the components, we obtain the LPN we started
with, i.e. (N1N2)|Ti6=Ni. This is because the number of places with labels
increases and new arcs may be added, and these places are not forgotten when
considering the subnet generated by Ti. However these added places are not
initially marked, hence it may be that the nets have the same traces.
Definition 5. Let Nand Ntwo LPNs on the same sets of labels. We say that
Napproximates N(N.N) iff Traces(N)Traces(N). We write NN
when N.Nand N.N.
Proposition 6 For two compatible LPNs N1, N2,Ni(N1N2)|Ti,i= 1,2.
Following [21] we introduce a notion of refinement (called accordance in [21])
between two LPNs. We say that M(with a property MM) is a strategy for an
LPN N(with a property M) if NMis weakly terminating. With S(N) we
denote the set of all strategies for N. In the rest of the paper we assume that
properties are always specified, even when not done explicitly.
Definition 7. An LPN Nrefines Nif S(N)S(N).
Observe that if Nrefines Nand Nweakly terminates, then Nweakly
terminates as well.
If a weakly terminating LPN Nis obtained by composition of several nets,
i.e. N=LiNi, we can ask what happens if there is an N
iwhich refines Ni, for
each i. The following theorem gives the desired answer.
Theorem 8 Let N=LiNibe a weakly terminating LPN, and assume that N
refines Ni, for all i. Then, N=LiN
iis a weakly terminating LPN.
The theorem above gives a compositional criterion to check weak termination
of a SOC application. One starts from an abstract specification (e.g. a choreog-
raphy), projects it into a set of local views, and then refines each of them into a
service implementation. These services can be verified independently (for refine-
ment), and it is guaranteed that their composition still enjoys weak termination.
We now define, starting from a marking m, which actions may be performed
immediately after, while preserving the ability to reach an honored marking. We
call these actions urgent.
Definition 9. For an LPN Nand marking m, we say aurgent at miff there
exists a firing sequence m[t1i · · · [tnimnwith Λ(t1) = aand mnhonored.
Example 4. Consider the nets in Ex. 3. In N′′ Nthe only urgent action at the
initial marking is a, while bis urgent at the marking where p
1is marked. In N′′
there are no urgent actions at the initial marking, since no honored marking is
reachable. In the other nets (N,N,NN) no actions are urgent in the initial
marking, since these nets are deadlocked.
4 Physical contracts
We now present a model for physical contracts based on LPNs. Let a,b,... T
be actions, performed by participants A,B,... Part . We assume that actions
may only be performed once. Hence, we consider a subclass of LPNs, namely
occurrence nets, where all the transitions with the same label are mutually ex-
clusive. A physical contract is an LPN, together with a set Aof participants
bound by the contract, a mapping πfrom actions to participants, and a set
modeling the states where all the participant in Aare satisfied.
Definition 10. Acontract net Dis a tuple (O, A, π, ), where Ois an oc-
currence LPN (hS, T, F, Γ, Λi, m0,L)labeled on T,APart, π:TPart ,
(T)is the set of goals of the participants, and where:
(a) sS. (m0(s) = 1 =s= Γ(s) = )(sL=Γ(s)T),
(b) tT. (st. Λ(t) = Γ(s)) (st. s 6∈ L),
(c) t, tT.Λ(t) = Λ(t) = stt. m0(s) = 1,
(d) π(Λ(T)) A.
The last constraint models the fact that only the participants in Amay
perform actions in D.
Given a state Xof the component Oof D, the reached marking mtells us
which actions have been performed, and which tokens have been taken on credit.
The configuration µ(m) associated to a marking mis the pair (C, Y ) defined as:
C={aT| sS. {s}=TtT{t|Λ(t) = a}and m(s) = 0}, and
Y={aT| sS. a=Γ(s)and m(s)<0}
The first component is the set of the labels of the transitions in X. The marking
mis honored whenever the second component of µ(m) is empty.
We now state the conditions under which two contract nets can be composed.
We require that an action can be performed only by one of the components (the
other may use the tokens produced by the execution of such action).
Definition 11. Two contracts nets D= (O, A, π, )and D= (O,A, π, )
are compatible whenever OOis defined and AA=.
The composition of Dand Dis then the obvious extension of the one on LPNs:
Definition 12. Let D= (O, A, π, )and D= (O,A, π, )be two compat-
ible contract nets. Then DD= (OO,AA, π π, ′′ )where ′′ =
{XX|XΩ, X }.
We lift the notion of weak termination to contract nets D= (O, A, π, ok, ).
The set of markings obtained by is M={mM(O)|µ(m) = (C, ), C }.
We say that Dweakly terminates w.r.t. when Oweakly terminates w.r.t. M.
We also extend to contract nets the notion of urgent actions given for LPNs
(Def. 9). Here, the set of urgent actions UC
Dis parameterized by the set Cof
actions already performed.
Definition 13. Let Dbe a contract net, and let CT. We define:
D={aT| YT.m. µ(m) = (C, Y )ais urgent at m}
Example 5. Interpret the LPN N
1in Fig. 1 as a contract net where the actions a,
b,care associated, respectively, to participants A,B, and C, and is immaterial.
Then, aand care urgent at the initial marking, whereas bis not (the token
borrowed from p1cannot be given back). In the state where ahas been fired,
only bis urgent; in the state where chas been fired, no actions are urgent.
5 Logical contracts
In this section we briefly review Propositional Contract Logic (PCL [7]), and we
exploit it to model contracts. PCL extends intuitionistic propositional logic IPC
with a connective ։, called contractual implication. Intuitively, a formula b։a
implies anot only when bis true, like IPC implication, but also in the case that
a “compatible” formula, e.g. a։b, holds. PCL allows for a sort of “circular”
assume-guarantee reasoning, hinted by (b։a)(a։b)ab, which is a
theorem in PCL . We assume that the prime formulae of PCL coincide with the
atoms in T. PCL formulae, ranged over greek letters ϕ, ϕ,..., are defined as:
ϕ::= | | a| ¬ϕ|ϕϕ|ϕϕ|ϕϕ|ϕ։ϕ
Two proof systems have been presented for PCL: a sequent calculus [7], and
an equivalent natural deduction system [4], the main rules of which are shown
in Fig. 4. Provable formulae are contractually implied, according to rule (։I1).
ϕ։ψ(։I1) ϕ։ψ
∆, ϕ ϕ
∆, ψϕ։ψ
∆, ψ ϕ
Fig. 4. Natural deduction for PCL (rules for ։).
Rule (։I2) provides ։with the same weakening properties of . The crucial
rule is (։E), which allows for the elimination of ։. Compared to the rule for
elimination of in IPC, the only difference is that in the context used to deduce
the antecedent ϕ, rule (։E) also allows for using as hypothesis the consequence ψ.
The decidability of the provability relation of PCL has been proved in [7], by
exploiting the cut elimination property enjoyed by the sequent calculus.
To model contracts, we consider the Horn fragment of PCL , which comprises
atoms, conjunctions, and non-nested (intuitionistic/contractual) implications.
Definition 14. APCL contract is a tuple h∆, A, π, i, where is a Horn PCL
theory, APart, π:TPart associates each atom with a participant, and
(T)is the set of goals of the participants.
The component Aof Ccontains the participants which can promise to do
something in C. Consequently, we shall only consider PCL contracts such that
if αa, for {→,։}, then π(a)A.
Example 6. Suppose three kids want to play together. Alice has a toy airplane,
Bob has a bike, and Carl has a toy car. Each of the kids is willing to share
his toy, but they have different constraints: Alice will lend her airplane only
after Bob has allowed her ride his bike; Bob will lend his bike after he has
played with Carl’s car; Carl will lend his car if the other two kids promise to
eventually let him play with their toys. Let π={a7→ A,b7→ B,c7→ C}. The kids
contracts are modeled as follows: hba,{A}, π, {{b}}i,hcb,{B}, π, {{c}}i,
and h(ab)։c,{C}, π, {{a,b}}i.
A contract admits an agreement when all the involved participants can reach
their goals. This is formalized in Def. 15 below.
Definition 15. APCL contract admits an agreement iff XΩ. VX.
We now define composition of PCL contracts. If Cis the contract of an
adversary of C, then a na¨ıve composition of the two contracts could easily lead
to an attack, e.g. when Mallory’s contract says that Alice is obliged to give him
her airplane. To prevent from such kinds of attacks, contract composition is a
partial operation. We do not compose contracts which bind the same participant,
or which disagree on the association between atoms and participants.
Definition 16. Two PCL contracts C=h∆, A, π, iand C=h,A, π, i
are compatible whenever AA=, and AAA. π1(A) = π 1(A). If
C,Care compatible, the contract C|C=h,AA, π π, |i, where
|={XX|XΩ, X }, is their composition.
εJK(ε)αa σ JKασ
σaJK()α։a σ J∆, aKασ
Fig. 5. Proof traces of Horn PCL .
Example 7. The three contracts in Ex. 6 are compatible, and their composition
is C=h∆, {A,B,C},{a7→ A,b7→ B,c7→ C},{{a,b,c}}i where is the theory
{ba,cb,(ab)։c}.Chas an agreement, since abc. The
agreement exploits the fact that Carl’s contract allows the action cto happen
“on credit”, before the other actions are performed.
We now recap from [4] the notion of proof traces, i.e. the sequences of atoms
respecting the order imposed by proofs in PCL . Consider e.g. rule (E):
The rule requires a proof of all the atoms in αin order to construct a proof of a.
Accordingly, if σis a proof trace of , then σa if a proof trace of . Instead,
in the rule (։E), the antecedent αneeds not necessarily be proved before a: it
suffices to prove αby taking aas hypothesis.
Definition 17 (Proof traces [4]). For a Horn PCL theory , we define the
set of proof traces JKby the rules in Fig. 5, where for σ, η Ewe denote with
σthe set of atoms in σ, with ση the concatenation of σand η, and with σ|ηthe
interleavings of σand η. We assume that both concatenation and interleaving
remove duplicates from the right, e.g. aba |ca =ab |ca ={abc, acb, cab}.
The set UX
Cin Def. 18 contains, given a set Xof atoms, the atoms which
may be proved immediately after, following some proof trace of C.
Definition 18 (Urgent actions [4]). For a contract C=h∆, . . .iand a set of
atoms X, we define UX
C={a6∈ X| σ, σ.σ=XσaσJ∆, XK}.
Example 8. For the contract Cspecified by the theory =ab,b։a, we
have JK={ε, ab}, and U
={a}, and U{a,b}
6 From logical to physical contracts
In this section we show, starting from a logical contract, how to construct a
physical one which preserves the agreement property. Technically, we shall re-
late provability in PCL to reachability of suitable configurations in the associ-
ated LPN. The idea of our construction is to translate each Horn clause of a
PCL formula into a transition of an LPN, labelled with the action in the con-
clusion of the clause.
S= (T×T)({a|VXa} {a|VX։a} {a|a})× {∗}
T={(X, a,#)|VXa} {(X, a,)|VX։a}
F={(s, t)|s= (a,), t = (X, a, z)} {(s, t)|s= (a, t), t = (X, c, z),aX}
{(t, s)|s= (a, x), t = (X, a, z), x 6=∗}
Γ(s) = if s= (a, x) with xTthen aelse
Λ(t) = if t= (X, a, z ) then aelse
m0(s) = if s= (a,) then 1 else 0
L={sS|s= (a, t)and t= (X, c,)with X6=∅}
Fig. 6. Translation from logical to physical contracts.
Definition 19. Let C=h∆, A, π, ibe a PCL contract. We define the contract
net P(C)as ((hS, T, F, Γ, Λi, m0,L),A, π, )in Fig. 6.
The transitions associated to Care a subset Tof (T)×T× {,#}. For each
intuitionistic/contractual implication, we introduce a transition as follows. A
clause VX։amaps to (X, a,)T, while VXamaps to (X, a,#)T. A
formula ais dealt with as the clause V a. Places in Scarry the information
on which transition may actually put/consume a token from them (even on
credit). The lending places are those places (a, t) where t= (X, c,). Observe
that a transition t= (X, a, z) puts a token in each place (a, x) with x6=, and all
the transitions bearing the same labels, say a, are mutually excluding each other,
as they share the unique input place (a,). The initial marking will contains all
the places in T× {∗}, and if a token is consumed from one of these places then
the place will be never marked again. Furthermore the lending places are never
initially marked.
Example 9. Consider the PCL contract with formula a։a(the other compo-
nents are immaterial for the sake of the example). The associated LPN is in
Fig. 7, left. The transition ({a},a,)), labeled a, can be executed at the initial
marking, as the unmarked place in the preset is a lending place. The reached
marking contains no tokens, hence it is honored. This is coherent with the fact
that a։aaholds in PCL .
(a, t1)
(b, t1)
(a, t3)
(a, t2)
(c, t1)
(c, t2)(c,)
(c, t3)
(b, t3)
(b, t2)(b,)
Fig. 7. Two contract nets constructed from PCL contracts.
Example 10. Consider the PCL contract specified by the theory
The associated LPN is the one on the right depicted in Fig. 7. The transitions
are t1= ({b},a,), t2= ({a},c,#) and t3= ({a},b,#). Initially only t1is
enabled, lending a token from place (b, t1). This leads to a marking where both
t2and t3are enabled, but only the execution of t3ends up with an honored
marking. The marking reached after executing all the actions is honored. This
is coherent with the fact that abcholds in PCL .
Since all the transitions consume the token from the places (a,) (where ais
the label of the transition), and these places cannot be marked again, it is easy
to see that each transition may occur only once. Hence, the net associated to a
contract is an occurrence net. If two transitions t, thave the same label (say a),
then they cannot belong to the same state of the net. In fact, transitions with
the same label share the same input place (a,). This place is not a lending one,
and has no ingoing arcs, hence only one of the transitions with the same label
may happen. The notion of correctly labeled net lifts obviously to contract nets.
Proposition 20 For all PCL contracts C, the net P(C)is correctly labeled.
A relevant property of Pis that it is an homomorphism with respect to con-
tracts composition. Thus, since both |and are associative and commutative,
we can construct a physical contract from a set of logical contracts C1···Cn
componentwise, i.e. by composing the contract nets P(C1)···P(Cn).
Proposition 21 For all C1,C2, we have that P(C1|C2)P(C1)P(C2).
In Theorem 23 below we state the main result of this section, namely that
our construction maps the agreement property of PCL contracts into weak ter-
mination of the associated contract nets. To prove Theorem 23, we exploit the
fact that Cis a set of provable atoms in the logic iff (C, ) is a configuration of
the associated contract net.
Lemma 22 Let C=h∆, A, π, ibe a PCL contract, and let P(C) = (O, A, π, ).
For all CT,VCiff there exists mM(O)such that µ(m) = (C, ).
Theorem 23 Cadmits an agreement iff P(C)weakly terminates in .
We now specialize Theorem 8, which allows for compositional verification
of choreographies. Assuming a choreography specified as a PCL contract C, we
can (i) project it into the contracts C1···Cnof its participants, (ii) construct
the corresponding LPN contracts P(C1)···P(Cn), and (iii) individually refine
each of them into a service implementation. If the original choreography admits
an agreement, then the composition of the services weakly terminates, i.e. it is
correct w.r.t. the choreography.
Theorem 24 Let C=C1| · · · | Cnadmit an agreement, with igoals of Ci. If
Direfines P(Ci)for i1..n, then D1⊕· · ·⊕Dnweakly terminates in 1∪· · ·∪ n.
The notion of urgency in contract nets correspond to that in the associated
PCL contracts (Theorem 25).
Theorem 25 For all PCL contracts C, and for all XT,UX
Example 11. Recall from Ex. 8 that, for C=h{ab,b։a},...i, we have:
This is coherent with the fact that, in the corresponding contract net N′′ N
in Fig. 3, only ais urgent at the initial marking, while bbecomes urgent after a
has been fired.
7 Related work and conclusions
We have investigated how to compile logical into physical contracts. The source
of the compilation is the Horn fragment of Propositional Contract Logic [7],
while the target is a contract model based on lending Petri nets (LPNs). Our
compilation preserves agreements (Theorem 23), as well as the possibility of
protecting services against misbehavior of malevolent services. LPN contracts
can be used to reason compositionally about the realization of a choreography
(Theorem 24), so extending a result of [21]. Furthermore, we have given a logical
characterization of those urgent actions which have to be performed in a given
state. This notion, which was only intuitively outlined in [7], is now made formal
through our compilation into LPNs (Theorem 25).
Contract nets seem a promising model for reasoning on contracts: while hav-
ing a clear relation with PCL contracts, they may inherit as well the whole realm
of tools that are already available for Petri nets.
The notion of places with a negative marking is not a new one in the Petri
nets community, though very few papers tackle this notion, as the interpretation
of negative tokens does not match the intuition of Petri nets, where tokens are
generally intended as resources. In this paper we have used negative tokens
to model situations where actions are in a circular dependency, like the ones
arising in PCL contracts. Lending places model the intuition that an action can
be performed on a promise, and a negative token in a place can be interpreted
as the promise made, which must be, sooner or later, honored. Indeed, the net
obtained from a PCL contract is an occurrence net which may contain cycles,
e.g. in the net of Ex. 10 the transition t1depends on t3, which in turn depends
on t1(and to execute t1we required to lend a token which is after supplied
by t3). In [20] the idea of places with negative marking is realized using a new
kind of arc, called debit arcs. Under suitable conditions, these nets are Turing
powerful, whereas our contract nets do not add expressiveness (while for LPNs
the issue has to be investigated). In [17] negative tokens arise as the result of
certain linear assumptions. The relations with LPNs have to be investigated.
Acknowledgments. We thank Philippe Darondeau, Eric Fabre and Roberto Zunino for
useful discussions and suggestions. This work has been partially supported by Aut. Reg.
of Sardinia grants L.R.7/2007 CRP2-120 (TESLA) CRP-17285 (TRICS) and P.I.A.
2010 (“Social Glue”), and by MIUR PRIN 2010-11 project “Security Horizons”.
1. M. Abadi, M. Burrows, B. Lampson, and G. Plotkin. A calculus for access control
in distributed systems. ACM TOPLAS, 4(15), 1993.
2. M. Abadi and G. D. Plotkin. A logical view of composition. TCS, 114(1), 1993.
3. M. Armbrust et al. A view of cloud computing. Comm. ACM, 53(4):50–58, 2010.
4. M. Bartoletti, T. Cimoli, P. D. Giamberardino, and R. Zunino. Contract agree-
ments via logic. In Proc. ICE, 2013.
5. M. Bartoletti, T. Cimoli, G. M. Pinna, and R. Zunino. An event-based model for
contracts. In Proc. PLACES, 2012.
6. M. Bartoletti, T. Cimoli, and R. Zunino. A theory of agreements and protection.
In Proc. POST, 2013.
7. M. Bartoletti and R. Zunino. A calculus of contracting processes. In LICS, 2010.
8. L. Bocchi, K. Honda, E. Tuosto, and N. Yoshida. A theory of design-by-contract
for distributed multiparty interactions. In CONCUR, 2010.
9. M. Bravetti, I. Lanese, and G. Zavattaro. Contract-driven implementation of chore-
ographies. In Proc. TGC, pages 1–18, 2008.
10. M. Bravetti and G. Zavattaro. Contract based multi-party service composition. In
Proc. FSEN, pages 207–222, 2007.
11. M. Bravetti and G. Zavattaro. Towards a unifying theory for choreography con-
formance and contract compliance. In Software Composition, 2007.
12. G. Castagna, N. Gesbert, and L. Padovani. A theory of contracts for web services.
ACM Transactions on Programming Languages and Systems, 31(5), 2009.
13. S. Even and Y. Yacobi. Relations among public key signature systems. Technical
Report 175, Computer Science Department, Technion, Haifa, 1980.
14. D. Garg and M. Abadi. A modal deconstruction of access control logics. In
FoSSaCS, 2008.
15. T. T. Hildebrandt and R. R. Mukkamala. Declarative event-based workflow as
distributed dynamic condition response graphs. In Proc. PLACES, 2010.
16. K. Honda, N. Yoshida, and M. Carbone. Multiparty asynchronous session types.
In POPL, 2008.
17. N. Mart´ı-Oliet and J. Meseguer. An algebraic axiomatization of linear logic models.
In Topology and category theory in computer science, 1991.
18. C. Prisacariu and G. Schneider. A dynamic deontic logic for complex contracts.
The Journal of Logic and Algebraic Programming (JLAP), 81(4), 2012.
19. W. Reisig. Petri Nets: An Introduction, volume 4 of Monographs in Theoretical
Computer Science. An EATCS Series. Springer, 1985.
20. P. D. Stotts and P. Godfrey. Place/transition nets with debit arcs. Inf. Proc. Lett.,
41(1), 1992.
21. W. M. P. van der Aalst, N. Lohmann, P. Massuthe, C. Stahl, and K. Wolf. Multi-
party contracts: Agreeing and implementing interorganizational processes. Com-
put. J., 53(1), 2010.
22. R. J. van Glabbeek and G. D. Plotkin. Configuration structures. In LICS, 1995.
... For the above two kinds of Petri net modeling methods, it is difficult to judge which method is better, because different models have different advantages and disadvantages for the same system with different network modeling methods. Bartoletti et al. (2017) used a generalized Petri net to study a supply chain dynamic construction model technique. Raghavan used a generalized discrete Petri net to analyze the supply chain network. ...
... Raghavan used a generalized discrete Petri net to analyze the supply chain network. It assumes that the customer order arrival process obeys the Poisson distribution and the service procedures of each service desk obey the exponential distribution [6]. The established model takes into account the procurement process and the logistics transfer between the two supply chain members. ...
Full-text available
In order to solve the problem of supply of agricultural products, the current mode of decentralized agricultural product supply is described with the Petri net formalized modeling method. A corresponding Petri net model is established. Based on this, combined with mathematical methods, the supply chain is divided into different links, and a quantitative analysis of the operation cycle and the operational efficiency of each link is carried out. The construction of the program has changed the previous scattered farmer operating model, integrated the information of farmers and related products, and completed the production and processing of agricultural products in the form of task distribution. The circulation of information in the entire supply chain has been realized, thus ensuring the production benefits of each farmer, reducing the previous business risks that a single farmer needs to bear, and improving the operational efficiency of the entire supply chain.
... Third, in Kanovich's encoding of Horn LL in Petri nets, all implications are under a !, while we have also allowed transitions to be consumed. Another variant of Petri nets where tokens can be taken " on credit " has been presented in [21]. This model, called Lending Petri nets (LPNs), is similar to our version of DPNs: a main difference is that we have adopted a delayed annihilation policy, while that of LPNs is instantaneous, i.e. tokens and antitokens cannot coexist in the same place. ...
... Roughly, a contractual implication a → (b c) can be interpreted as a non-linear variant of a (b ⊥ ⊗ c). This logic is related to Lending Petri nets: indeed, Lending Petri nets form a sound and complete model of the Horn fragment of the logic [21], analogously to the relation between Horn ILL mix and DPNs studied in this paper. In [22] the correspondence between PCL and LPNs is pushed further, by showing that proof traces [6] of a Horn PCL theory ∆ are exactly the honoured firing sequences in N(∆). ...
Exchanging resources often involves situations where a participant gives a resource without obtaining immediately the expected reward. For instance, one can buy an item without paying it in advance, but contracting a debt which must be eventually honoured. Resources, credits and debits can be represented, either implicitly or explicitly, in several formal models, among which Petri nets and linear logic. In this paper we study the relations between two of these models, namely intuitionistic linear logic with mix and Debit Petri nets. In particular, we establish a natural correspondence between provability in the logic, and marking reachability in nets.
... This may lead to a circularity, as shown by the example below, because, e.g. one principal first requires something from the other and then is willing to fulfil the request of the other principal, who in turn behaves in the same way. This is a common scenario in contract composition, and variants of weak agreement have been studied using many different formal techniques, among which Process Algebras, Petri Nets, non-classical Logics, Event Structures [13, 8, 5, 12]. The circularity in the requests/offers is solved by weakening the notion of agreement, allowing a request to be performed on credit and making sure that in the future a complementary offer will occur, giving rise to a trace in weak agreement. ...
... In words, the composition of the two contracts entails all the requests (bike by Alice and airplane by Bob). We now formally introduce the fragment of H-PCL [5, 7] that has a neat interpretation in contract automata, under the assumption that a principal cannot offer and require the same. Definition 5.1 (H-PCL). ...
Full-text available
An approach to the formal description of service contracts is presented in terms of automata. We focus on the basic property of guaranteeing that in the multi-party composition of principals each of them gets his requests satisfied, so that the overall composition reaches its goal. Depending on whether requests are satisfied synchronously or asynchronously, we construct an orchestrator that at static time either yields composed services enjoying the required properties or detects the principals responsible for possible violations. To do that in the asynchronous case we resort to Linear Programming techniques. We also relate our automata with two logically based methods for specifying contracts.
... Circularity issues have been investigated in assume-guarantee reasoning [1,2,13,20], in models of workflow systems [11], in logic programming [18,17]. Circularity is also a common situation when reasoning about contracts [7,5,4]: circular dependencies arise when two or more tasks mutually rely on the guarantees provided by each other. We briefly discuss some of these approaches below. ...
... The issue of circular dependencies among events has been addressed also in the Petri nets' world. In [4] a notion of lending Petri nets (LPNs) has been introduced. In LPNs places are partitioned into two sets: lending places and normal ones. ...
Full-text available
We propose a model of events with circular causality, in the form of a conservative extension of Winskel's event structures. We study the relations between this new kind of event structures and Propositional Contract Logic. Provable atoms in the logic correspond to reachable events in our event structures. Furthermore, we show a correspondence between the configurations of this new brand of event structures and the proofs in a fragment of Propositional Contract Logic.
... Software behavioral models can be applied not only to describe software requirement specifications but also to automatically generate test cases [1]- [3]. Thus, several methods have been proposed to model software behavior, such as controlflowdiagram [4],finitestatemachine(FSM) [5],label transition system [6], and Petri nets [7], [8]. As test cases are derived from behavioral models, and not from program codes, software development and software testing can be done simultaneously, thereby saving costs associated with software testing. ...
Full-text available
MTTool is a novel model-based test tool. It is developed for modeling complex software behavior and generating test cases from the model. Different from existing model-based test tools, the proposed tool realizes the ERE-based testing, where the model is an extended regular expression (ERE). In ERE-based testing, test cases are generated from some decomposed subexpressions, thus alleviating the state-spaceexplosion problem in model-based testing. This paper introduces the modeling theory of the tool and two modeling ways: constructing regular finite state machine and writing R language. Additionally, three key algorithms in the tool are presented to construct the ERE model, decompose the ERE model, and generate test cases from submodels on the basis of test coverage criteria. Through an example, we demonstrate the application of the three algorithms. MTTool is found to well support the ERE-based test method and can be helpful in popularizing the application of this test method. INDEX TERMS ERE-based testing, model-based testing, ERE, RFSM, MTTool.
... We are more interested in characterising in an operational way the capability of a place to lend tokens allowing in this way the execution of a transition otherwise blocked. To this aim we present Lending Petri nets, defined in [4] and further studied in [5], which are basically debit nets with some additional constraints. A Petri net is a tuple S, T, F, m 0 , where S is a set of places, T is a set of transitions (such that that S ∩ T = ∅), F : (S × T ) ∪ (T × S) → N is a weight function, and m 0 : S → N is a function from places to natural numbers, called marking, which models the initial state of the net. ...
Conference Paper
Full-text available
Causality is often interpreted as establishing dependencies between events. The standard view is that an event b causally depends on an event a if, whenever b occurs, then a has already occurred. If the occurrences of a and b mutually depend on each other, i.e. a depends on b and vice versa, then (under the standard notion of causality) neither of them can ever occur. This does not faithfully capture systems where, for instance, an agent promises to do event a provided that b will be eventually done, and vice versa. In this case, the circularity between the causal dependencies should allow both a and b to occur, in any order. In this paper we review three models for circular causality, one based on logic (declarative), one based on event structures (semantical), and one based on Petri nets (operational). We will cast them in a coherent picture pointing out their relationships.
... The issue of circular dependencies among events has been addressed also in the Petri nets' world. In [BCP13] a notion of lending Petri nets (LPNs) has been introduced. In LPNs places are partitioned into two sets: lending places and normal ones. ...
Full-text available
In this thesis we propose a theory of contracts. Contracts are modelled as interacting processes with an explicit association of obligations and objectives. Obligations are specified using event structures. In this model we formalise two fundamental notions of contracts, namely agreement and protection. These notions arise naturally by interpreting contracts as multi-player concurrent games. A participant agrees on a contract if she has a strategy to reach her objectives (or to make another participant sanctionable for a violation), whatever the moves of her counterparts. A participant is protected by a contract when she has a strategy to defend herself in all possible contexts, even in those where she has not reached an agreement. When obligations are represented using classical event structures, we show that agreement and protection mutually exclude each other for a wide class of contracts. To reconcile agreement with protection we propose a novel formalism for modelling contractual obligations: event structures with circular causality. We study this model from a foundational perspective, and we relate it with classical event structures. Using this model, we show how to construct contracts which guarantee both agreement and protection. We relate our contract model with Propositional Contract Logic, by establishing a correspondence between provability in the logic and the notions of agreement and strategies. This is a first step towards reducing the gap between two main paradigms for modelling contracts, that is the one which interprets them as interactive systems, and the one based on logic.
... This is not an easy task, because the ecosystem of notions proposed in the literature is wide and heterogeneous. Indeed, many different compliance relations have been considered in the literature, and they have been defined on, or applied to, a variety of different languages and formalisms, among which session-types[17,22,23], Petri nets[8,56], process algebras[26][27][28]34,47]and various automata-based models[20,21,37,51], among others. In this paper we start a systematic investigation of compliance relations between behavioural contracts. ...
Full-text available
Behavioural contracts are formal specifications of interaction protocols between two or more distributed services. Despite the heterogeneous nature of the formalisms for behavioural contracts that have appeared in the literature, most of them feature a notion of compliance, which characterises when two or more contracts lead to correct interactions between services respecting them. We discuss and compare a selection of these notions in four different models of contracts: \(\tau \)-less CCS, session types, interface automata, and contract automata.
Full-text available
italic xmlns:mml="" xmlns:xlink="">MTTool is a novel model-based test tool. It is developed for modeling complex software behavior and generating test cases from the model. Different from existing model-based test tools, the proposed tool realizes the ERE-based testing, where the model is an extended regular expression (ERE). In ERE-based testing, test cases are generated from some decomposed subexpressions, thus alleviating the state-space-explosion problem in model-based testing. This paper introduces the modeling theory of the tool and two modeling ways: constructing regular finite state machine and writing R language. Additionally, three key algorithms in the tool are presented to construct the ERE model, decompose the ERE model, and generate test cases from submodels on the basis of test coverage criteria. Through an example, we demonstrate the application of the three algorithms. MTTool is found to well support the ERE-based test method and can be helpful in popularizing the application of this test method.
We address the problem of modelling and verifying contract-oriented systems, wherein distributed agents may advertise and stipulate contracts, but — differently from most other approaches to distributed agents — are not assumed to always respect them. A key issue is that the honesty property, which characterises those agents which respect their contracts in all possible execution contexts, is undecidable in general. The main contribution of this paper is a sound verification technique for honesty, targeted at agents modelled in a value-passing version of the calculus CO2. To do that, we safely over-approximate the honesty property by abstracting from the actual values and from the contexts a process may be engaged with. Then, we develop a model-checking technique for this abstraction, we describe its implementation in Maude, and we discuss some experiments with it.
Conference Paper
Full-text available
We present a theory of contracts. Contracts are interacting processes with an explicit notion of obligations and objectives. We model processes and their obligations as event structures. We define a general notion of agreement, by interpreting contracts as multi-player concurrent games. A participant agrees on a contract if she has a strategy to reach her objectives (or make another participant chargeable for a violation), whatever the moves of her adversaries. We then tackle the problem of protection. A participant is protected by a contract when she has a strategy to defend herself in all possible contexts, even in those where she has not reached an agreement. We show that, in a relevant class of contracts, agreements and protection mutually exclude each other. We then propose a novel formalism for modelling contractual obligations: event structures with circular causality. Using this model, we show how to construct contracts which guarantee both agreements and protection.
Full-text available
We relate two contract models: one based on event structures and game theory, and the other one based on logic. In particular, we show that the notions of agreement and winning strategies in the game-theoretic model are related to that of provability in the logical model.
Full-text available
We introduce a basic model for contracts. Our model extends event structures with a new relation, which faithfully captures the circular dependencies among contract clauses. We establish whether an agreement exists which respects all the contracts at hand (i.e. all the dependencies can be resolved), and we detect the obligations of each participant. The main technical contribution is a correspondence between our model and a fragment of the contract logic PCL. More precisely, we show that the reachable events are exactly those which correspond to provable atoms in the logic. Despite of this strong correspondence, our model improves previous work on PCL by exhibiting a finer-grained notion of culpability, which takes into account the legitimate orderings of events.
Conference Paper
Full-text available
We study some of the concepts, protocols, and algorithms for access control in distributed systems, from a logical perspective. We account for how a principal may come to believe that another principal is making a request, either on his own or on someone else’s behalf. We also provide a logical language for access control lists, and theories for deciding whether requests should be granted.
We present a dynamic deontic logic for specifying and reasoning about complex contracts. The concepts that our contract logic CLCL captures are drawn from legal contracts, as we consider that these are more general and expressive than what is usually found in computer science (like in software contracts, web services specifications, or communication protocols). CLCL is intended to be used in specifying complex contracts found in computer science. This influences many of the design decisions behind CLCL. We adopt an ought-to-do approach to deontic logic and apply the deontic modalities exclusively over complex actions. On top, we add the modalities of dynamic logic so to be able to reason about what happens after an action is performed. CLCL can reason about regular synchronous actions capturing the notion of actions done at the same time. CLCL incorporates the notions of contrary-to-duty and contrary-to-prohibition by attaching to the deontic modalities explicitly a reparation which is to be enforced in case of violations. Results of decidability and tree model property are given as well as specific properties for the modalities.