arXiv:1211.3624v2 [cs.LO] 30 May 2013
Lending Petri nets and contracts
Massimo Bartoletti, Tiziana Cimoli, and G. Michele Pinna
Dipartimento di Matematica e Informatica, Università degli Studi di Cagliari, Italy
Abstract. Choreography-based approaches to service composition typically assume that, after a set of services has been found which correctly play the roles prescribed by the choreography, each service respects his role. Honest services are not protected against adversaries. We propose a model for contracts based on an extension of Petri nets, which allows services to protect themselves while still realizing the choreography. We relate this model with Propositional Contract Logic, by showing a translation of formulae into our Petri nets which preserves the logical notion of agreement, and allows for compositional verification.
1 Introduction
Many of today's human activities, from business and financial transactions, to collaborative and social applications, run over complex interorganizational systems, based on service-oriented computing (SOC) and cloud computing technologies. These technologies foster the implementation of complex software systems through the composition of basic building blocks, called services. Ensuring reliable coordination of such components is fundamental to avoid critical, possibly irreparable problems, ranging from economic losses in case of commercial activities, to risks for human life in case of safety-critical applications.
Ideally, in the SOC paradigm an application is constructed by dynamically discovering and composing services published by different organizations. Services have to cooperate to achieve the overall goals, while at the same time they have to compete to achieve the specific goals of their stakeholders. These goals may be conflicting, especially in case of mutually distrusted organizations. Thus, services must play a double role: while cooperating together, they have to protect themselves against other services' misbehavior (either unintentional or malicious).
The lack of precise guarantees about the reliability and security of services is a main deterrent for industries wishing to move their applications and business to the cloud [3]. Quoting from [3], “absent radical improvements in security technology, we expect that users will use contracts and courts, rather than clever security engineering, to guard against provider malfeasance”.
Indeed, contracts are already a key ingredient in the design of SOC applications. A choreography is a specification of the overall behavior of an interorganizational process. This global view of the behavior is projected into a set of local views, which specify the behavior expected from each service involved in the whole process. The local views can be interpreted as the service contracts: if the actual implementation of each service respects its contract, then the overall application must be guaranteed to behave correctly.
There are many proposals of formal models for contracts in the literature, which we may roughly divide into “physical” and “logical” models. Physical contracts take inspiration mainly from formalisms for concurrent systems (e.g. Petri nets [21], event structures [15, 5], and various sorts of process algebras [8–10, 12, 16]), and they allow to describe the interaction of services in terms of response to events, message exchanges, etc. On the other side, logical contracts are typically expressed as formulae of suitable logics, which take inspiration and extend e.g. modal [1, 14], intuitionistic [2, 7], linear [2], deontic [18] logics to model high-level concepts such as promises, obligations, prohibitions, authorizations, etc.
Even though logical contracts are appealing, since they aim to provide formal models and reasoning tools for real-world Service Level Agreements, existing logical approaches have not had a great impact on the design of SOC applications. A reason is that there is no evidence on how to relate high-level properties of a contract with properties of the services which have to realize it. The situation is decidedly better in the realm of physical contracts, where the gap between contracts and services is narrower. Several papers, e.g. [9–11, 16, 21], address the issue of relating properties of a choreography with properties of the services which implement it (e.g. deadlock freedom, communication error freedom, session fidelity), in some cases providing automatic tools to project the choreography to a set of services which correctly implement it.
A common assumption of most of these approaches is that services are honest, i.e. their behavior always adheres to the local view. For instance, if the local view takes the form of a behavioral type, it is assumed that the service is typeable, and that its type is a subtype of the local view. Contracts are only used in the “matchmaking” phase: once, for each local view projected from the choreography, a compliant service has been found, then all the contracts can be discarded.
We argue that the honesty assumption is not suitable in the case of interorganizational processes, where services may pursue their providers' goals to the detriment of the other ones. For instance, consider a choreography which prescribes that a participant A performs action $a$ (modeling e.g. “pay $100 to B”), and that B performs $b$ (e.g. “provide A with 5GB disk storage”). If both A and B are honest, then each one will perform its due action, so leading to a correct execution of the choreography. However, since providers have full control of the services they run, there is no authority which can force services to be honest. So, a malicious provider can replace a service validated w.r.t. its contract, with another one: e.g., B could wait until A has done $a$, and then “forget” to do $b$. Note that B may perform his scam while not being liable for a contract violation, since contracts have been discarded after validation.
In such competitive scenarios, the role of contracts is twofold. On the one hand, they must guarantee that their composition complies with the choreography: hence, in contexts where services are honest, the overall execution is correct. On the other hand, contracts must protect services from malicious ones: in the example above, the contract of A must ensure that, if A performs $a$, then B will either do $b$, or he will be considered culpable of a contract violation.
In this paper, we consider physical contracts modeled as Petri nets, along the lines of [21]. In our approach we can both start from a choreography (modeled as a Petri net) and then obtain the local views by projection, as in [21], or start from the local views, i.e. the contracts published by each participant, to construct a choreography which satisfies the goals of everybody. Intuitively, when this happens the contracts admit an agreement.
A crucial observation of [6] is that if contracts admit an agreement, then some participant is not protected, and vice-versa. The archetypical example is the one outlined above. Intuitively, if each participant waits until someone else has performed her action, then everyone is protected, but the contracts do not admit an agreement because of the deadlock. Otherwise, if a participant does her action without waiting, then the contracts admit an agreement, but the participant who makes the first step is not protected. This is similar to the proof of impossibility of fair exchange protocols without a trusted third party [13].
To overcome this problem, we introduce lending Petri nets (in short, LPN). Roughly, an LPN is a Petri net where some places may give tokens “on credit”. Technically, when a place gives a token on credit its marking will become negative. This differs from standard Petri nets, where markings are always nonnegative. The intuition is that if a participant takes a token on credit, then she is obliged to honour it, otherwise she is culpable of a contract violation.
Differently from the Petri nets used in [21], LPNs allow for modeling contracts which, at the same time, admit an agreement (more formally, weakly terminate) and protect their participants. LPNs preserve one of the main results of [21], i.e. the possibility of proving that an application respects a choreography, by only locally verifying the services which compose it. More precisely, we project a choreography to a set of local views, independently refine each of them, and are then guaranteed that the composition of all refinements respects the choreography. This is stated formally in Theorem 8.
The other main contribution is a relation between the logical contracts of [7] and LPN contracts. More precisely, we consider contracts expressed in (a fragment of) Propositional Contract Logic (PCL), and we compile them into LPNs. Theorem 23 states that a PCL contract admits an agreement if and only if its compilation weakly terminates. Summing up, Theorem 24 states that one can start from a choreography represented as a logical contract, compile it to a physical one, and then use Theorem 8 to project it to a set of services which correctly implement it, and which are protected against adversaries. Finally, Theorem 25 relates logical and physical characterizations of urgent actions, i.e. those actions which must be performed in a given state of the contract.
2 Nets
We briefly review Petri nets [19] and the token game. We consider Petri nets labeled on a set $\mathcal{T}$, and (perhaps a bit unusually) the labeling is also on places.

A labeled Petri net is a 5-tuple $\langle S, T, F, \Gamma, \Lambda \rangle$, where $S$ is a set of places, and $T$ is a set of transitions (with $S \cap T = \emptyset$), $F \subseteq (S \times T) \cup (T \times S)$ is the flow relation, and $\Gamma : S \to \mathcal{T}$, $\Lambda : T \to \mathcal{T}$ are partial labeling functions for places and transitions, respectively. Ordinary (non labeled) Petri nets are those where the two labeling functions are always undefined (i.e. equal to $\bot$). We require that for each $t \in T$, $F(t, s) > 0$ for some place $s \in S$, i.e. a transition cannot happen spontaneously. Subscripts on the net name carry over the names of the net components. As usual, we define the pre-set and post-set of a transition/place: ${}^\bullet x = \{ y \in T \cup S \mid F(y, x) > 0 \}$ and $x^\bullet = \{ y \in T \cup S \mid F(x, y) > 0 \}$, respectively. These are extended to subsets of transitions/places in the obvious way.
A marking is a function $m$ from places to natural numbers (i.e. a multiset over places), which represents the state of the system modeled by the net. A marked Petri net is a pair $N = (\langle S, T, F, \Gamma, \Lambda \rangle, m_0)$, where $\langle S, T, F, \Gamma, \Lambda \rangle$ is a labelled Petri net, and $m_0 : S \to \mathbb{N}$ is the initial marking.
The dynamic of a net is described by the execution of transitions at markings. Let $N$ be a marked net (hereafter we will just call net a marked net). A transition $t$ is enabled at a marking $m$ if the places in the pre-set of $t$ contain enough tokens (i.e. if $m$ contains the pre-set of $t$). Formally, $t \in T$ is enabled at $m$ if $m(s) \geq F(s, t)$ for all $s \in {}^\bullet t$. In this case, to indicate that the execution of $t$ in $m$ produces the new marking $m'(s) = m(s) - F(s, t) + F(t, s)$, we write $m\,[t\rangle\, m'$, and we call it a step¹. This notion is lifted, as usual, to multisets of transitions.
The notion of step leads to that of execution of a net. Let $N = (\langle S, T, F, \Gamma, \Lambda \rangle, m_0)$ be a net, and let $m$ be a marking. The firing sequences starting at $m$ are defined as follows: (a) $m$ is a firing sequence, and (b) if $m\,[t_1\rangle\, m_1 \cdots m_{n-1}\,[t_n\rangle\, m_n$ is a firing sequence and $m_n\,[t\rangle\, m'$ is a step, then $m\,[t_1\rangle\, m_1 \cdots m_{n-1}\,[t_n\rangle\, m_n\,[t\rangle\, m'$ is a firing sequence. A marking $m$ is reachable iff there exists a firing sequence starting at $m_0$ leading to it. The set of reachable markings of a net $N$ is denoted with $\mathcal{M}(N)$. A net $N = (\langle S, T, F, \Gamma, \Lambda \rangle, m_0)$ is safe when each marking $m \in \mathcal{M}(N)$ is such that $m(s) \leq 1$ for all $s \in S$.
A trace can be associated to each firing sequence, which is the word on $\mathcal{T}$ obtained by the firing sequence considering just the (labels of the) transitions and forgetting the markings: if $m_0\,[t_1\rangle\, m_1 \cdots m_{n-1}\,[t_n\rangle\, m_n$ is a firing sequence of $N$, the associated trace is $\Lambda(t_1 t_2 \ldots t_n)$. The trace associated to $m_0$ is the empty word $\varepsilon$. If the label of a transition is undefined then the associated word is the empty one. The traces of a net $N$ are denoted with $Traces(N)$.
A subnet is a net obtained by restricting places and transitions of a net, and correspondingly the flow relation and the initial marking. Let $N = (\langle S, T, F, \Gamma, \Lambda \rangle, m_0)$ be a net, and let $T' \subseteq T$. We define the subnet generated by $T'$ as the net $N|_{T'} = (\langle S', T', F', \Gamma', \Lambda' \rangle, m'_0)$, where $S' = \{ s \in S \mid F(t, s) > 0 \text{ or } F(s, t) > 0 \text{ for } t \in T' \} \cup \{ s \in S \mid m_0(s) > 0 \}$, $F'$ is the flow relation restricted to $S'$ and $T'$, $\Gamma'$ is obtained by $\Gamma$ restricting to places in $S'$, $\Lambda'$ is obtained by $\Lambda$ restricting to transitions in $T'$, and $m'_0$ is obtained by $m_0$ restricting to places in $S'$.

¹ The word step is usually reserved to the execution of a subset of transitions, but here we prefer to stress the computational interpretation.
A net property (intuitively, a property of the system modeled as a Petri net) can be characterized in several ways, e.g. as a set of markings (states of the system). The following captures the intuition that, notwithstanding the state (marking) reached by the system, it is always possible to reach a state satisfying the property. A net $N$ weakly terminates in a set of markings $\mathcal{M}$ iff $\forall m \in \mathcal{M}(N)$, there is a firing sequence starting at $m$ and leading to a marking in $\mathcal{M}$. Hereafter, we shall sometimes say that $N$ weakly terminates (without referring to any $\mathcal{M}$) when the property is not relevant or clear from the context.
We now introduce occurrence nets. The intuition behind this notion is the following: regardless how tokens are produced or consumed, an occurrence net guarantees that each transition can occur only once (hence the reason for calling them occurrence nets). We adopt the notion proposed by van Glabbeek and Plotkin in [22], namely 1-occurrence nets. For a multiset $M$, we denote by $[[M]]$ the multiset defined as $[[M]](a) = 1$ if $M(a) > 0$ and $[[M]](a) = 0$ otherwise. A state of a net $N = (\langle S, T, F, \Gamma, \Lambda \rangle, m_0)$ is any finite multiset $X$ of $T$ such that the function $m_X : S \to \mathbb{Z}$ given by $m_X(s) = m_0(s) + \sum_{t \in T} X(t) \cdot (F(t, s) - F(s, t))$, for all $s \in S$, is a reachable marking of the net. We denote by $St(N)$ the states of $N$. A state contains (in no order) all the occurrences of the transitions that have been fired to reach a marking. Observe that a trace of a net is a suitable linearization of the elements of a state $X$. We use the notion of state to formalize occurrence nets. An occurrence net $O = (\langle S, T, F, \Gamma, \Lambda \rangle, m_0)$ is a net where each state is a set, i.e. $\forall X \in St(N).\ X = [[X]]$.
A net is correctly labeled iff $\forall s.\ \forall t, t' \in {}^\bullet s.\ \Gamma(s) \neq \bot \implies \Lambda(t) = \Lambda(t') = \Gamma(s)$. Intuitively, this requires that all the transitions putting a token in a labeled place represent the same action.
3 Nets with lending places
We now relax the conditions under which transitions may be executed, by allowing a transition to consume tokens from a place $s$ even if $s$ does not contain enough tokens. Consequently, we allow markings with negative numbers. When the number of tokens associated to a place becomes negative, we say that they have been done on credit. We do not permit this to happen in all places, but only in the lending places (a subset $\mathcal{L}$ of $S$). Lending places are depicted with a double circle.
Definition 1. A lending Petri net (LPN) is a triple $(\langle S, T, F, \Gamma, \Lambda \rangle, m_0, \mathcal{L})$ where $(\langle S, T, F, \Gamma, \Lambda \rangle, m_0)$ is a marked Petri net, and $\mathcal{L} \subseteq S$ is the set of lending places.
Example 1. Consider the LPN $N_1$ in Fig. 1. The places $p_2$ and $p_4$ are lending places. The set of labels of the transitions is $\mathcal{T} = \{a, b, c\}$, and the set of labels of the places is $\mathcal{G} = \mathcal{T}$. The labeling is $\Gamma(p_1) = c$, $\Gamma(p_2) = a$ and $\Gamma(p_4) = \Gamma(p_3) = b$ (the place $p_0$ is unlabeled).
The notion of step is adapted to take into account this new kind of places. Let $N$ be an LPN, let $t$ be a transition in $T$, and let $m$ be a marking. We say that $t$ is enabled at $m$ iff $\forall s \in {}^\bullet t.\ m(s) \leq 0 \implies s \in \mathcal{L}$. The evolution of $N$ is defined as before, with the difference that the obtained marking is now a function from places to $\mathbb{Z}$ (instead of $\mathbb{N}$). This notion matches the intuition behind lending places: we allow a transition to be executed even when some of the transitions that are a pre-requisite have not been executed yet.

Fig. 1. Two lending Petri nets, $N_1$ (left) and $N'_1$ (right). [The drawing is not reproduced in this extraction; both nets have places $p_0, \ldots, p_4$ and transitions labeled $a$, $b$, $c$, as described in Ex. 1, Ex. 2 and Ex. 5.]
Definition 2. Let $m$ be a reachable marking of an LPN $N$. We say that $m$ is honored iff $m(s) \geq 0$ for all places $s$ of $N$.

An honored firing sequence is a firing sequence where the final marking is honored. Note that if the net has no lending places, then all the reachable markings are honored.

Example 2. In the net of Ex. 1, the transition $c$ is enabled even though there are no tokens in the places $p_2$ and $p_4$ in its pre-set, as they are lending places. The other transitions are not enabled, hence at the initial marking only $c$ may be executed (on credit). After firing $c$, only $b$ can be executed. This results in putting one token in $p_3$ and one in $p_4$, hence giving back the one taken on credit. After this, only $a$ can be executed. Upon firing $c$, $b$ and $a$, the marking is honored. The net is clearly a (correctly labeled) occurrence net.
We now introduce a notion of composition of LPNs. The idea is that the places with a label are places in an interface of the net (though we do not put any limitation on such places, as done instead e.g. in [21]) and they are never initially marked. The labelled transitions of a net are connected with the places bearing the same label of the other.

Definition 3. Let $N = (\langle S, T, F, \Gamma, \Lambda \rangle, m_0, \mathcal{L})$ and $N' = (\langle S', T', F', \Gamma', \Lambda' \rangle, m'_0, \mathcal{L}')$ be two LPNs. We say that $N, N'$ are compatible whenever (a) they have the same set of labels, (b) $S \cap S' = \emptyset$, (c) $T \cap T' = \emptyset$, (d) $m_0(s) = 1$ implies $\Gamma(s) = \bot$, and (e) $m'_0(s') = 1$ implies $\Gamma'(s') = \bot$. If $N$ and $N'$ are compatible, their composition $N \oplus N'$ is the LPN $(\langle \hat{S}, T \cup T', \hat{F}, \hat{\Gamma}, \hat{\Lambda} \rangle, \hat{m}_0, \hat{\mathcal{L}})$ in Fig. 2.
The underlying idea of LPN composition is rather simple: the sink places in a net bearing a label of a transition of the other net are removed, and places and transitions with the same label are connected accordingly (the removed sink places have places with the same label in the other net). All the other ingredients of the compound net are trivially inherited from the components. Observe that, when composing two compatible nets $N$ and $N'$ such that $\Gamma(S) \cap \Gamma'(S') = \emptyset$, we obtain the disjoint union of the two nets. Further, if the common label $a \in \Gamma(S) \cap \Gamma'(S')$ is associated in $N$ to a place $s$ with empty post-set and in $N'$ to a place $s'$ with empty post-set (or vice versa) and the labelings are injective, we obtain precisely the composition defined in [21]. If the components $N$ and $N'$ may satisfy some properties (sets of markings $\mathcal{M}$ and $\mathcal{M}'$), the compound net $N \oplus N'$ may satisfy the compound property (which is the set of markings $\hat{\mathcal{M}}$ obtained obviously from $\mathcal{M}$ and $\mathcal{M}'$).

Fig. 2. Composition of two LPNs.

$\hat{S} = (S \setminus \{ s \in S \mid \Gamma(s) \in \Lambda'(T') \text{ and } s^\bullet = \emptyset \}) \cup (S' \setminus \{ s' \in S' \mid \Gamma'(s') \in \Lambda(T) \text{ and } s'^\bullet = \emptyset \})$

$\hat{F}(\hat{s}, \hat{t}) = F(s_1, t_1)$ if $\hat{s} = s_1 \in S$ and $\hat{t} = t_1 \in T$; $\hat{F}(\hat{s}, \hat{t}) = F'(s_2, t_2)$ if $\hat{s} = s_2 \in S'$ and $\hat{t} = t_2 \in T'$

$\hat{F}(\hat{t}, \hat{s}) = F(t_1, s_1)$ if $\hat{s} = s_1 \in S$ and $\hat{t} = t_1 \in T$; $\hat{F}(\hat{t}, \hat{s}) = F'(t_2, s_2)$ if $\hat{s} = s_2 \in S'$ and $\hat{t} = t_2 \in T'$; $\hat{F}(\hat{t}, \hat{s}) = 1$ if $\hat{s} = s \in S$, $\hat{t} = t' \in T'$ and $\Lambda'(t') = \Gamma(s) \neq \bot$, or $\hat{s} = s' \in S'$, $\hat{t} = t \in T$ and $\Lambda(t) = \Gamma'(s') \neq \bot$ (the weight of these two connecting arcs is not legible in the extracted figure; 1 is assumed here)

$\hat{\Gamma}(\hat{s}) = \Gamma(s_1)$ if $\hat{s} = s_1 \in S$; $\hat{\Gamma}(\hat{s}) = \Gamma'(s_2)$ if $\hat{s} = s_2 \in S'$

$\hat{\Lambda}(\hat{t}) = \Lambda(t_1)$ if $\hat{t} = t_1 \in T$; $\hat{\Lambda}(\hat{t}) = \Lambda'(t_2)$ if $\hat{t} = t_2 \in T'$

$\hat{m}_0(\hat{s}) = 1$ if $\hat{s} = s_1 \in S$ and $m_0(s_1) = 1$, or $\hat{s} = s_2 \in S'$ and $m'_0(s_2) = 1$; $\hat{m}_0(\hat{s}) = 0$ otherwise

$\hat{\mathcal{L}} = (\mathcal{L} \cup \mathcal{L}') \cap \hat{S}$
Example 3. Consider the nets in Fig. 3. Net $N$ fires $a$ after $b$ has been performed; dually, net $N'$ waits for $b$ before firing $a$. These nets model two participants which protect themselves by waiting for the other one to make the first step (the properties being that places $p_3$ and $p'_3$, respectively, are not marked). Clearly, no agreement is possible in this scenario. This is modelled by the deadlock in the composition $N \oplus N'$, where neither transition $a$ nor $b$ can be fired. Consider now the LPN $N''$, which differs from $N$ only for the lending place $p''_1$. This models a participant which may fire $a$ on credit, under the guarantee that the credit will be eventually honoured by the other participant performing $b$ (hence, the participant modeled by $N''$ is still protected), and the property is then place $p''_3$ unmarked and $p''_1$ with a non negative marking. The composition $N'' \oplus N'$ weakly terminates w.r.t. the above properties, because transition $a$ can take a token on credit from $p''_1$, and then transition $b$ can be fired, so honouring the debit in $p''_1$.

Fig. 3. Three LPNs (top) and their pairwise compositions (bottom). [The drawing is not reproduced in this extraction: top, $N$ (places $p_1, p_2, p_3$), $N'$ (places $p'_1, p'_2, p'_3$) and $N''$ (places $p''_1, p''_2, p''_3$); bottom, $N \oplus N'$ and $N'' \oplus N'$.]
The operation $\oplus$ is clearly associative and commutative.

Proposition 4 Let $N_1$, $N_2$ and $N_3$ be three compatible LPNs. Then, $N_1 \oplus N_2 = N_2 \oplus N_1$ and $N_1 \oplus (N_2 \oplus N_3) = (N_1 \oplus N_2) \oplus N_3$.
The composition does not have the property that, in general, considering only the transitions of one of the components, we obtain the LPN we started with, i.e. $(N_1 \oplus N_2)|_{T_i} \neq N_i$. This is because the number of places with labels increases and new arcs may be added, and these places are not forgotten when considering the subnet generated by $T_i$. However these added places are not initially marked, hence it may be that the nets have the same traces.
Definition 5. Let $N$ and $N'$ be two LPNs on the same sets of labels. We say that $N$ approximates $N'$ ($N \lesssim N'$) iff $Traces(N) \subseteq Traces(N')$. We write $N \approx N'$ when $N \lesssim N'$ and $N' \lesssim N$.
Proposition 6 For two compatible LPNs $N_1, N_2$, $N_i \approx (N_1 \oplus N_2)|_{T_i}$, $i = 1, 2$.
Following [21] we introduce a notion of refinement (called accordance in [21]) between two LPNs. We say that $M$ (with a property $\mathcal{M}_M$) is a strategy for an LPN $N$ (with a property $\mathcal{M}$) if $N \oplus M$ is weakly terminating. With $\mathcal{S}(N)$ we denote the set of all strategies for $N$. In the rest of the paper we assume that properties are always specified, even when not done explicitly.
Definition 7. An LPN $N'$ refines $N$ if $\mathcal{S}(N) \subseteq \mathcal{S}(N')$.

Observe that if $N'$ refines $N$ and $N$ weakly terminates, then $N'$ weakly terminates as well.
If a weakly terminating LPN $N$ is obtained by composition of several nets, i.e. $N = \bigoplus_i N_i$, we can ask what happens if there is an $N'_i$ which refines $N_i$, for each $i$. The following theorem gives the desired answer.

Theorem 8 Let $N = \bigoplus_i N_i$ be a weakly terminating LPN, and assume that $N'_i$ refines $N_i$, for all $i$. Then, $N' = \bigoplus_i N'_i$ is a weakly terminating LPN.
The theorem above gives a compositional criterion to check weak termination of a SOC application. One starts from an abstract specification (e.g. a choreography), projects it into a set of local views, and then refines each of them into a service implementation. These services can be verified independently (for refinement), and it is guaranteed that their composition still enjoys weak termination.
We now define, starting from a marking $m$, which actions may be performed immediately after, while preserving the ability to reach an honored marking. We call these actions urgent.

Definition 9. For an LPN $N$ and marking $m$, we say $a$ urgent at $m$ iff there exists a firing sequence $m\,[t_1\rangle \cdots [t_n\rangle\, m_n$ with $\Lambda(t_1) = a$ and $m_n$ honored.
Example 4. Consider the nets in Ex. 3. In $N'' \oplus N'$ the only urgent action at the initial marking is $a$, while $b$ is urgent at the marking where $p'_1$ is marked. In $N''$ there are no urgent actions at the initial marking, since no honored marking is reachable. In the other nets ($N$, $N'$, $N \oplus N'$) no actions are urgent in the initial marking, since these nets are deadlocked.
4 Physical contracts
We now present a model for physical contracts based on LPNs. Let $a, b, \ldots \in \mathcal{T}$ be actions, performed by participants $A, B, \ldots \in Part$. We assume that actions may only be performed once. Hence, we consider a subclass of LPNs, namely occurrence nets, where all the transitions with the same label are mutually exclusive. A physical contract is an LPN, together with a set $A$ of participants bound by the contract, a mapping $\pi$ from actions to participants, and a set $\Omega$ modeling the states where all the participants in $A$ are satisfied.
Definition 10. A contract net $D$ is a tuple $(O, A, \pi, \Omega)$, where $O$ is an occurrence LPN $(\langle S, T, F, \Gamma, \Lambda \rangle, m_0, \mathcal{L})$ labeled on $\mathcal{T}$, $A \subseteq Part$, $\pi : \mathcal{T} \to Part$, $\Omega \subseteq \wp(\mathcal{T})$ is the set of goals of the participants, and where:

(a) $\forall s \in S.\ (m_0(s) = 1 \implies {}^\bullet s = \emptyset \wedge \Gamma(s) = \bot) \wedge (s \in \mathcal{L} \implies \Gamma(s) \in \mathcal{T})$,
(b) $\forall t \in T.\ (\forall s \in t^\bullet.\ \Lambda(t) = \Gamma(s)) \wedge (\exists s \in {}^\bullet t.\ s \notin \mathcal{L})$,
(c) $\forall t, t' \in T.\ \Lambda(t) = \Lambda(t') \implies \exists s \in {}^\bullet t \cap {}^\bullet t'.\ m_0(s) = 1$,
(d) $\pi(\Lambda(T)) \subseteq A$.
The last constraint models the fact that only the participants in $A$ may perform actions in $D$.

Given a state $X$ of the component $O$ of $D$, the reached marking $m$ tells us which actions have been performed, and which tokens have been taken on credit. The configuration $\mu(m)$ associated to a marking $m$ is the pair $(C, Y)$ defined as:

$C = \{ a \in \mathcal{T} \mid \exists s \in S.\ \{ s \} = \bigcap \{ {}^\bullet t \mid t \in T, \Lambda(t) = a \} \text{ and } m(s) = 0 \}$, and

$Y = \{ a \in \mathcal{T} \mid \exists s \in S.\ a = \Gamma(s) \text{ and } m(s) < 0 \}$

The first component is the set of the labels of the transitions in $X$. The marking $m$ is honored whenever the second component of $\mu(m)$ is empty.
We now state the conditions under which two contract nets can be composed. We require that an action can be performed only by one of the components (the other may use the tokens produced by the execution of such action).

Definition 11. Two contract nets $D = (O, A, \pi, \Omega)$ and $D' = (O', A', \pi', \Omega')$ are compatible whenever $O \oplus O'$ is defined and $A \cap A' = \emptyset$.

The composition of $D$ and $D'$ is then the obvious extension of the one on LPNs:

Definition 12. Let $D = (O, A, \pi, \Omega)$ and $D' = (O', A', \pi', \Omega')$ be two compatible contract nets. Then $D \oplus D' = (O \oplus O', A \cup A', \pi \cup \pi', \Omega'')$ where $\Omega'' = \{ X \cup X' \mid X \in \Omega, X' \in \Omega' \}$.
We lift the notion of weak termination to contract nets $D = (O, A, \pi, \Omega)$. The set of markings obtained by $\Omega$ is $\mathcal{M}_\Omega = \{ m \in \mathcal{M}(O) \mid \mu(m) = (C, \emptyset), C \in \Omega \}$. We say that $D$ weakly terminates w.r.t. $\Omega$ when $O$ weakly terminates w.r.t. $\mathcal{M}_\Omega$.
We also extend to contract nets the notion of urgent actions given for LPNs (Def. 9). Here, the set of urgent actions $U^C_D$ is parameterized by the set $C$ of actions already performed.

Definition 13. Let $D$ be a contract net, and let $C \subseteq \mathcal{T}$. We define:

$U^C_D = \{ a \in \mathcal{T} \mid \exists Y \subseteq \mathcal{T}.\ \exists m.\ \mu(m) = (C, Y) \wedge a \text{ is urgent at } m \}$
Example 5. Interpret the LPN $N'_1$ in Fig. 1 as a contract net where the actions $a$, $b$, $c$ are associated, respectively, to participants $A$, $B$, and $C$, and $\Omega$ is immaterial. Then, $a$ and $c$ are urgent at the initial marking, whereas $b$ is not (the token borrowed from $p_1$ cannot be given back). In the state where $a$ has been fired, only $b$ is urgent; in the state where $c$ has been fired, no actions are urgent.
5 Logical contracts
In this section we briefly review Propositional Contract Logic (PCL [7]), and we exploit it to model contracts. PCL extends intuitionistic propositional logic IPC with a connective $\twoheadrightarrow$, called contractual implication. Intuitively, a formula $b \twoheadrightarrow a$ implies $a$ not only when $b$ is true, like IPC implication, but also in the case that a “compatible” formula, e.g. $a \twoheadrightarrow b$, holds. PCL allows for a sort of “circular” assume-guarantee reasoning, hinted by $(b \twoheadrightarrow a) \wedge (a \twoheadrightarrow b) \to a \wedge b$, which is a theorem in PCL. We assume that the prime formulae of PCL coincide with the atoms in $\mathcal{T}$. PCL formulae, ranged over by greek letters $\varphi, \varphi', \ldots$, are defined as:

$\varphi ::= \bot \mid \top \mid a \mid \neg \varphi \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \varphi \to \varphi \mid \varphi \twoheadrightarrow \varphi$
Two proof systems have been presented for PCL: a sequent calculus [7], and an equivalent natural deduction system [4], the main rules of which are shown in Fig. 4. Provable formulae are contractually implied, according to rule $(\twoheadrightarrow I1)$.

Fig. 4. Natural deduction for PCL (rules for $\twoheadrightarrow$).

$$\frac{\psi}{\varphi \twoheadrightarrow \psi}\ (\twoheadrightarrow I1) \qquad \frac{\varphi \twoheadrightarrow \psi \qquad \Delta, \varphi' \vdash \varphi \qquad \Delta, \psi \vdash \psi'}{\varphi' \twoheadrightarrow \psi'}\ (\twoheadrightarrow I2) \qquad \frac{\varphi \twoheadrightarrow \psi \qquad \Delta, \psi \vdash \varphi}{\psi}\ (\twoheadrightarrow E)$$

Rule $(\twoheadrightarrow I2)$ provides $\twoheadrightarrow$ with the same weakening properties of $\to$. The crucial rule is $(\twoheadrightarrow E)$, which allows for the elimination of $\twoheadrightarrow$. Compared to the rule for elimination of $\to$ in IPC, the only difference is that in the context used to deduce the antecedent $\varphi$, rule $(\twoheadrightarrow E)$ also allows for using as hypothesis the consequence $\psi$. The decidability of the provability relation of PCL has been proved in [7], by exploiting the cut elimination property enjoyed by the sequent calculus.
To model contracts, we consider the Horn fragment of PCL, which comprises atoms, conjunctions, and non-nested (intuitionistic/contractual) implications.

Definition 14. A PCL contract is a tuple $\langle \Delta, A, \pi, \Omega \rangle$, where $\Delta$ is a Horn PCL theory, $A \subseteq Part$, $\pi : \mathcal{T} \to Part$ associates each atom with a participant, and $\Omega \subseteq \wp(\mathcal{T})$ is the set of goals of the participants.

The component $A$ of $C$ contains the participants which can promise to do something in $C$. Consequently, we shall only consider PCL contracts such that if $\alpha \circ a \in \Delta$, for $\circ \in \{\to, \twoheadrightarrow\}$, then $\pi(a) \in A$.
Example 6. Suppose three kids want to play together. Alice has a toy airplane, Bob has a bike, and Carl has a toy car. Each of the kids is willing to share his toy, but they have different constraints: Alice will lend her airplane only after Bob has allowed her to ride his bike; Bob will lend his bike after he has played with Carl's car; Carl will lend his car if the other two kids promise to eventually let him play with their toys. Let $\pi = \{ a \mapsto A, b \mapsto B, c \mapsto C \}$. The kids' contracts are modeled as follows: $\langle b \to a, \{A\}, \pi, \{\{b\}\} \rangle$, $\langle c \to b, \{B\}, \pi, \{\{c\}\} \rangle$, and $\langle (a \wedge b) \twoheadrightarrow c, \{C\}, \pi, \{\{a, b\}\} \rangle$.
A contract admits an agreement when all the involved participants can reach their goals. This is formalized in Def. 15 below.

Definition 15. A PCL contract admits an agreement iff $\exists X \in \Omega.\ \Delta \vdash \bigwedge X$.
We now define composition of PCL contracts. If $C'$ is the contract of an adversary of $C$, then a naïve composition of the two contracts could easily lead to an attack, e.g. when Mallory's contract says that Alice is obliged to give him her airplane. To prevent such kinds of attacks, contract composition is a partial operation. We do not compose contracts which bind the same participant, or which disagree on the association between atoms and participants.

Definition 16. Two PCL contracts $C = \langle \Delta, A, \pi, \Omega \rangle$ and $C' = \langle \Delta', A', \pi', \Omega' \rangle$ are compatible whenever $A \cap A' = \emptyset$, and $\forall \mathsf{A} \in A \cup A'.\ \pi^{-1}(\mathsf{A}) = \pi'^{-1}(\mathsf{A})$. If $C, C'$ are compatible, the contract $C \mid C' = \langle \Delta \cup \Delta', A \cup A', \pi \cup \pi', \Omega \mid \Omega' \rangle$, where $\Omega \mid \Omega' = \{ X \cup X' \mid X \in \Omega, X' \in \Omega' \}$, is their composition.

Fig. 5. Proof traces of Horn PCL.

$$\frac{}{\varepsilon \in [\![\Delta]\!]}\ (\varepsilon) \qquad \frac{\alpha \to a \in \Delta \qquad \sigma \in [\![\Delta]\!] \qquad \alpha \subseteq \bar{\sigma}}{\sigma a \in [\![\Delta]\!]}\ (\to) \qquad \frac{\alpha \twoheadrightarrow a \in \Delta \qquad \sigma \in [\![\Delta, a]\!] \qquad \alpha \subseteq \bar{\sigma}}{\sigma \mid a \in [\![\Delta]\!]}\ (\twoheadrightarrow)$$
Example 7. The three contracts in Ex. 6 are compatible, and their composition is $C = \langle \Delta, \{A, B, C\}, \{ a \mapsto A, b \mapsto B, c \mapsto C \}, \{\{a, b, c\}\} \rangle$ where $\Delta$ is the theory $\{ b \to a, c \to b, (a \wedge b) \twoheadrightarrow c \}$. $C$ has an agreement, since $\Delta \vdash a \wedge b \wedge c$. The agreement exploits the fact that Carl's contract allows the action $c$ to happen “on credit”, before the other actions are performed.
We now recap from [4] the notion of proof traces, i.e. the sequences of atoms respecting the order imposed by proofs in PCL. Consider e.g. rule $(\to E)$:

$$\frac{\alpha \to a \qquad \alpha}{a}\ (\to E)$$

The rule requires a proof of all the atoms in $\alpha$ in order to construct a proof of $a$. Accordingly, if $\sigma$ is a proof trace of $\Delta$, then $\sigma a$ is a proof trace of $\Delta$. Instead, in the rule $(\twoheadrightarrow E)$, the antecedent $\alpha$ needs not necessarily be proved before $a$: it suffices to prove $\alpha$ by taking $a$ as hypothesis.
Definition 17 (Proof traces [4]). For a Horn PCL theory $\Delta$, we define the set of proof traces $[\![\Delta]\!]$ by the rules in Fig. 5, where for sequences of atoms $\sigma, \eta$ we denote with $\bar{\sigma}$ the set of atoms in $\sigma$, with $\sigma\eta$ the concatenation of $\sigma$ and $\eta$, and with $\sigma \mid \eta$ the interleavings of $\sigma$ and $\eta$. We assume that both concatenation and interleaving remove duplicates from the right, e.g. $aba \mid ca = ab \mid ca = \{abc, acb, cab\}$.
The set $U^X_C$ in Def. 18 contains, given a set $X$ of atoms, the atoms which may be proved immediately after, following some proof trace of $C$.

Definition 18 (Urgent actions [4]). For a contract $C = \langle \Delta, \ldots \rangle$ and a set of atoms $X$, we define $U^X_C = \{ a \notin X \mid \exists \sigma, \sigma'.\ \bar{\sigma} = X \wedge \sigma a \sigma' \in [\![\Delta, X]\!] \}$.

Example 8. For the contract $C$ specified by the theory $\Delta = a \to b, b \twoheadrightarrow a$, we have $[\![\Delta]\!] = \{\varepsilon, ab\}$, and $U^\emptyset_C = \{a\}$, $U^{\{a\}}_C = \{b\}$, $U^{\{b\}}_C = \{a\}$, and $U^{\{a, b\}}_C = \emptyset$.
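The proof-trace rules of Fig. 5 and the urgent actions of Def. 18, as an added Python example that is not part of the paper: it recomputes Example 8 and the theory of Example 7, and the function admits_agreement assumes that an atom of a Horn theory is provable exactly when it occurs in one of its proof traces.

```python
INT, CON = "->", "։"   # intuitionistic and contractual implication


def clause(antecedent, conclusion, kind=INT):
    """A Horn clause /\\antecedent (-> | ։) conclusion; a bare atom a is /\\{} -> a."""
    return (frozenset(antecedent), conclusion, kind)


def dedup(seq):
    """Remove duplicates from the right (keep first occurrences), as Def. 17 assumes."""
    out = []
    for x in seq:
        if x not in out:
            out.append(x)
    return tuple(out)


def merges(s, e):
    """All order-preserving interleavings of two sequences, before duplicate removal."""
    if not s or not e:
        yield s + e
        return
    for r in merges(s[1:], e):
        yield (s[0],) + r
    for r in merges(s, e[1:]):
        yield (e[0],) + r


def interleave(s, e):
    """sigma | eta of Def. 17: interleavings with duplicates removed from the right."""
    return {dedup(r) for r in merges(s, e)}


def proof_traces(theory):
    """[[Delta]] by the rules of Fig. 5, as a least fixpoint computed jointly for Delta
    and for every theory Delta, a that rule (։) refers to."""
    theory = frozenset(theory)
    tables = {theory: {()}}          # theory -> traces found so far; rule (eps) seeds each
    todo = [theory]
    while todo:                      # discover the theories Delta, a needed by rule (։)
        th = todo.pop()
        for _, a, kind in th:
            ext = th | {clause((), a)}
            if kind == CON and ext not in tables:
                tables[ext] = {()}
                todo.append(ext)
    changed = True
    while changed:
        changed = False
        for th, traces in tables.items():
            new = set()
            for alpha, a, kind in th:
                if kind == INT:      # rule (->): sigma in [[Delta]], alpha ⊆ atoms(sigma) gives sigma a
                    new |= {dedup(s + (a,)) for s in traces if alpha <= set(s)}
                else:                # rule (։): sigma in [[Delta, a]], alpha ⊆ atoms(sigma) gives sigma | a
                    for s in tables[th | {clause((), a)}]:
                        if alpha <= set(s):
                            new |= interleave(s, (a,))
            if not new <= traces:
                traces |= new
                changed = True
    return tables[theory]


def urgent(theory, done):
    """U^X_C of Def. 18: atoms that some proof trace of Delta, X proves right after X."""
    done = frozenset(done)
    ext = frozenset(theory) | {clause((), x) for x in done}
    return {tr[i] for tr in proof_traces(ext) for i in range(len(tr)) if set(tr[:i]) == done}


def admits_agreement(theory, omega):
    """Def. 15 read through traces (assumption: provable atoms = atoms of some trace)."""
    traces = proof_traces(theory)
    return any(any(set(goal) <= set(tr) for tr in traces) for goal in omega)


# Example 8 of the paper: Delta = a -> b, b ։ a
DELTA_EX8 = [clause({"a"}, "b"), clause({"b"}, "a", CON)]
# Example 7 of the paper: the three kids' contracts composed
DELTA_EX7 = [clause({"b"}, "a"), clause({"c"}, "b"), clause({"a", "b"}, "c", CON)]
```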
6 From logical to physical contracts
In this section we show, starting from a logical contract, how to construct a
physical one which preserves the agreement property. Technically, we shall re-
late provability in PCL to reachability of suitable configurations in the associ-
ated LPN. The idea of our construction is to translate each Horn clause of a
PCL formula into a transition of an LPN, labelled with the action in the con-
clusion of the clause.
S = (T × T) ∪ ({a | ⋀X → a ∈ ∆} ∪ {a | ⋀X ։ a ∈ ∆} ∪ {a | a ∈ ∆}) × {∗}
T = {(X, a, #) | ⋀X → a ∈ ∆} ∪ {(X, a, ∘) | ⋀X ։ a ∈ ∆}
F = {(s, t) | s = (a, ∗), t = (X, a, z)} ∪ {(s, t) | s = (a, t), t = (X, c, z), a ∈ X}
    ∪ {(t, s) | s = (a, x), t = (X, a, z), x ≠ ∗}
Γ(s) = if s = (a, x) with x ∈ T then a else
Λ(t) = if t = (X, a, z) then a else
m0(s) = if s = (a, ∗) then 1 else 0
L = {s ∈ S | s = (a, t) and t = (X, c, ∘) with X ≠ ∅}
Fig. 6. Translation from logical to physical contracts.
Definition 19. Let C = ⟨∆, A, π, ⟩ be a PCL contract. We define the contract
net P(C) as ((⟨S, T, F, Γ, Λ⟩, m0, L), A, π, ) in Fig. 6.
The transitions associated to C are a subset T of ℘(T) × T × {∘, #}. For each
intuitionistic/contractual implication, we introduce a transition as follows. A
clause ⋀X ։ a maps to (X, a, ∘) ∈ T, while ⋀X → a maps to (X, a, #) ∈ T. A
formula a is dealt with as the clause ⋀∅ → a. Places in S carry the information
on which transition may actually put/consume a token from them (even on
credit). The lending places are those places (a, t) where t = (X, c, ∘). Observe
that a transition t = (X, a, z) puts a token in each place (a, x) with x ≠ ∗, and all
the transitions bearing the same label, say a, mutually exclude each other,
as they share the unique input place (a, ∗). The initial marking contains all
the places in T × {∗}, and if a token is consumed from one of these places then
the place will never be marked again. Furthermore, the lending places are never
initially marked.
Example 9. Consider the PCL contract with formula a ։ a (the other compo-
nents are immaterial for the sake of the example). The associated LPN is in
Fig. 7, left. The transition ({a}, a, ∘), labeled a, can be executed at the initial
marking, as the unmarked place in the preset is a lending place. The reached
marking contains no tokens, hence it is honored. This is coherent with the fact
that a ։ a ⊢ a holds in PCL.
[Figure. Left: the contract net of Ex. 9, with places (a, ∗) and (a, ({a}, a, ∘)) and the single transition ({a}, a, ∘) labeled a. Right: the contract net of Ex. 10, with transitions t1, t2, t3 labeled a, c, b, the places (a, ∗), (b, ∗), (c, ∗), and a place (x, ti) for each x ∈ {a, b, c} and i ∈ {1, 2, 3}.]
Fig. 7. Two contract nets constructed from PCL contracts.
Example 10. Consider the PCL contract specified by the theory
∆ = {b ։ a, a → c, a → b}
The associated LPN is the one on the right depicted in Fig. 7. The transitions
are t1 = ({b}, a, ∘), t2 = ({a}, c, #) and t3 = ({a}, b, #). Initially only t1 is
enabled, lending a token from place (b, t1). This leads to a marking where both
t2 and t3 are enabled, but only the execution of t3 ends up with an honored
marking. The marking reached after executing all the actions is honored. This
is coherent with the fact that ∆ ⊢ a ∧ b ∧ c holds in PCL.
Since all the transitions consume the token from the places (a, ∗) (where a is
the label of the transition), and these places cannot be marked again, it is easy
to see that each transition may occur only once. Hence, the net associated to a
contract is an occurrence net. If two transitions t, t′ have the same label (say a),
then they cannot belong to the same state of the net. In fact, transitions with
the same label share the same input place (a, ∗). This place is not a lending one,
and has no ingoing arcs, hence only one of the transitions with the same label
may happen. The notion of correctly labeled net lifts obviously to contract nets.
Proposition 20 For all PCL contracts C, the net P(C) is correctly labeled.
A relevant property of P is that it is a homomorphism with respect to con-
tract composition. Thus, since both | and ⊕ are associative and commutative,
we can construct a physical contract from a set of logical contracts C1 | · · · | Cn
componentwise, i.e. by composing the contract nets P(C1) ⊕ · · · ⊕ P(Cn).
Proposition 21 For all C1, C2, we have that P(C1 | C2) P(C1) ⊕ P(C2).
In Theorem 23 below we state the main result of this section, namely that
our construction maps the agreement property of PCL contracts into weak ter-
mination of the associated contract nets. To prove Theorem 23, we exploit the
fact that C is a set of provable atoms in the logic iff (C, ∅) is a configuration of
the associated contract net.
Lemma 22 Let C = ⟨∆, A, π, ⟩ be a PCL contract, and let P(C) = (O, A, π, ).
For all C ⊆ T, ∆ ⊢ ⋀C iff there exists m ∈ M(O) such that µ(m) = (C, ∅).
Theorem 23 C admits an agreement iff P(C) weakly terminates in the goals of C.
We now specialize Theorem 8, which allows for compositional verification
of choreographies. Assuming a choreography specified as a PCL contract C, we
can (i) project it into the contracts C1···Cnof its participants, (ii) construct
the corresponding LPN contracts P(C1)···P(Cn), and (iii) individually refine
each of them into a service implementation. If the original choreography admits
an agreement, then the composition of the services weakly terminates, i.e. it is
correct w.r.t. the choreography.
Theorem 24 Let C = C1 | · · · | Cn admit an agreement. If Di refines P(Ci) for
i ∈ 1..n, then D1 ⊕ · · · ⊕ Dn weakly terminates in the union of the goals of C1, . . . , Cn.
The notion of urgency in contract nets corresponds to that in the associated
PCL contracts (Theorem 25).
Theorem 25 For all PCL contracts C, and for all X ⊆ T, U^X_C = U^X_{P(C)}.
Example 11. Recall from Ex. 8 that, for C = ⟨{a → b, b ։ a}, . . .⟩, we have:
U^∅_C = {a}, U^{a}_C = {b}, U^{b}_C = {a}, U^{a,b}_C = ∅.
This is coherent with the fact that, in the corresponding contract net N′′ N
in Fig. 3, only a is urgent at the initial marking, while b becomes urgent after a
has been fired.
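The following Python is an added worked example, not code from the paper: it carries out the Fig. 6 translation of Def. 19 on the theories of Ex. 7, 8, 9 and 10, checks agreement as reachability of an honored marking (Theorem 23) and computes the urgent set of Def. 18 on the net side (Theorem 25). The names ContractNet, clause, run and urgent are the example's own, and it assumes the readings stated in its comments: a marking is honored when no place is negative, and "weakly terminates in the goals" means that from every reachable marking an honored marking in which every goal atom has been performed is reachable.

```python
# Added example, not code from the paper: the Fig. 6 translation of a Horn PCL
# theory into a lending Petri net, with agreement checked as reachability of an
# honored marking (Theorem 23) and the urgent set of Def. 18 computed on the net
# (Theorem 25). Assumed readings: a marking is honored when no place is negative;
# "weakly terminates in the goals" means that from every reachable marking an
# honored marking in which every goal atom has been performed is reachable.
STAR = "*"
INTUIT, CONTRACT = "#", "o"      # "#": intuitionistic clause, "o": contractual clause


def clause(premises, conclusion, kind):
    """Horn clause (X, a, z): the conjunction of X implies a; z is INTUIT or CONTRACT."""
    return (frozenset(premises), conclusion, kind)


class ContractNet:
    def __init__(self, theory):
        self.T = list(theory)                         # one transition per clause
        self.atoms = sorted({a for _, a, _ in self.T} | {b for X, _, _ in self.T for b in X})
        # places: (a, *) for every conclusion a, and (a, t) for every atom a and transition t
        self.places = [(a, STAR) for a in sorted({a for _, a, _ in self.T})]
        self.places += [(a, t) for a in self.atoms for t in self.T]
        self.idx = {s: i for i, s in enumerate(self.places)}
        # lending places: (a, t) with t contractual and a non-empty premise set
        self.lending = {(a, t) for a in self.atoms for t in self.T if t[2] == CONTRACT and t[0]}
        self.m0 = tuple(1 if s[1] == STAR else 0 for s in self.places)

    def preset(self, t):
        X, a, _ = t
        return [(a, STAR)] + [(b, t) for b in X]

    def enabled(self, m, t):
        # every input place must hold a token, except lending places, which lend one
        return all(m[self.idx[s]] >= 1 or s in self.lending for s in self.preset(t))

    def fire(self, m, t):
        m = list(m)
        for s in self.preset(t):
            m[self.idx[s]] -= 1                       # a lending place may drop to -1
        for x in self.T:                              # t labelled a marks every (a, x), x != *
            m[self.idx[(t[1], x)]] += 1               # -1 + 1 = 0: the borrowed token is repaid
        return tuple(m)

    @staticmethod
    def honored(m):
        return min(m) >= 0

    def reachable(self, m):
        seen, stack = {m}, [m]
        while stack:                                  # finite: (a, *) is never refilled, so each
            cur = stack.pop()                         # transition fires at most once
            for t in self.T:
                if self.enabled(cur, t):
                    nxt = self.fire(cur, t)
                    if nxt not in seen:
                        seen.add(nxt)
                        stack.append(nxt)
        return seen

    def performed(self, m, a):
        return m[self.idx[(a, STAR)]] == 0            # (a, *) consumed iff a has been fired

    def agreement(self, goals):
        def ok(m):
            return self.honored(m) and all(self.performed(m, a) for a in goals)
        return all(any(ok(m2) for m2 in self.reachable(m1)) for m1 in self.reachable(self.m0))

    def run(self, labels, m=None):
        """Fire in order the enabled transition carrying each label (at most one per label)."""
        m = self.m0 if m is None else m
        for a in labels:
            m = self.fire(m, next(t for t in self.T if t[1] == a and self.enabled(m, t)))
        return m

    def enabled_labels(self, m):
        return {t[1] for t in self.T if self.enabled(m, t)}

    def marking_after(self, X):
        """Marking in which the atoms of X have already been performed (X as hypotheses)."""
        m = list(self.m0)
        for a in X:
            if (a, STAR) in self.idx:
                m[self.idx[(a, STAR)]] = 0
            for x in self.T:
                m[self.idx[(a, x)]] += 1
        return tuple(m)

    def urgent(self, X):
        """Net-side reading of U^X: labels a not in X enabled once X is performed and after
        which an honored marking is still reachable (Def. 18 on the logic side)."""
        m = self.marking_after(X)
        return {t[1] for t in self.T if t[1] not in X and self.enabled(m, t)
                and any(self.honored(m2) for m2 in self.reachable(self.fire(m, t)))}


# Ex. 10 of the paper: theory {b ->> a, a -> c, a -> b}; t1 = ({b}, a, o), t2, t3 intuitionistic
EX10 = ContractNet([clause({"b"}, "a", CONTRACT), clause({"a"}, "c", INTUIT), clause({"a"}, "b", INTUIT)])
```

On EX10, run(["a"]) lends from (b, t1) and enables both b and c; run(["a", "c"]) is not honored, run(["a", "c", "b"]) is, and agreement({"a", "b", "c"}) holds, as in Ex. 10.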
7 Related work and conclusions
We have investigated how to compile logical into physical contracts. The source
of the compilation is the Horn fragment of Propositional Contract Logic [7],
while the target is a contract model based on lending Petri nets (LPNs). Our
compilation preserves agreements (Theorem 23), as well as the possibility of
protecting services against misbehavior of malevolent services. LPN contracts
can be used to reason compositionally about the realization of a choreography
(Theorem 24), so extending a result of [21]. Furthermore, we have given a logical
characterization of those urgent actions which have to be performed in a given
state. This notion, which was only intuitively outlined in [7], is now made formal
through our compilation into LPNs (Theorem 25).
Contract nets seem a promising model for reasoning on contracts: while hav-
ing a clear relation with PCL contracts, they may inherit as well the whole realm
of tools that are already available for Petri nets.
The notion of places with a negative marking is not a new one in the Petri
nets community, though very few papers tackle this notion, as the interpretation
of negative tokens does not match the intuition of Petri nets, where tokens are
generally intended as resources. In this paper we have used negative tokens
to model situations where actions are in a circular dependency, like the ones
arising in PCL contracts. Lending places model the intuition that an action can
be performed on a promise, and a negative token in a place can be interpreted
as the promise made, which must be, sooner or later, honored. Indeed, the net
obtained from a PCL contract is an occurrence net which may contain cycles,
e.g. in the net of Ex. 10 the transition t1 depends on t3, which in turn depends
on t1 (and to execute t1 we are required to lend a token which is later supplied
by t3). In [20] the idea of places with negative marking is realized using a new
kind of arc, called debit arcs. Under suitable conditions, these nets are Turing
powerful, whereas our contract nets do not add expressiveness (while for LPNs
the issue has to be investigated). In [17] negative tokens arise as the result of
certain linear assumptions. The relations with LPNs have to be investigated.
Acknowledgments. We thank Philippe Darondeau, Eric Fabre and Roberto Zunino for
useful discussions and suggestions. This work has been partially supported by Aut. Reg.
of Sardinia grants L.R.7/2007 CRP2-120 (TESLA) CRP-17285 (TRICS) and P.I.A.
2010 (“Social Glue”), and by MIUR PRIN 2010-11 project “Security Horizons”.
References
1. M. Abadi, M. Burrows, B. Lampson, and G. Plotkin. A calculus for access control
in distributed systems. ACM TOPLAS, 4(15), 1993.
2. M. Abadi and G. D. Plotkin. A logical view of composition. TCS, 114(1), 1993.
3. M. Armbrust et al. A view of cloud computing. Comm. ACM, 53(4):50–58, 2010.
4. M. Bartoletti, T. Cimoli, P. D. Giamberardino, and R. Zunino. Contract agree-
ments via logic. In Proc. ICE, 2013.
5. M. Bartoletti, T. Cimoli, G. M. Pinna, and R. Zunino. An event-based model for
contracts. In Proc. PLACES, 2012.
6. M. Bartoletti, T. Cimoli, and R. Zunino. A theory of agreements and protection.
In Proc. POST, 2013.
7. M. Bartoletti and R. Zunino. A calculus of contracting processes. In LICS, 2010.
8. L. Bocchi, K. Honda, E. Tuosto, and N. Yoshida. A theory of design-by-contract
for distributed multiparty interactions. In CONCUR, 2010.
9. M. Bravetti, I. Lanese, and G. Zavattaro. Contract-driven implementation of chore-
ographies. In Proc. TGC, pages 1–18, 2008.
10. M. Bravetti and G. Zavattaro. Contract based multi-party service composition. In
Proc. FSEN, pages 207–222, 2007.
11. M. Bravetti and G. Zavattaro. Towards a unifying theory for choreography con-
formance and contract compliance. In Software Composition, 2007.
12. G. Castagna, N. Gesbert, and L. Padovani. A theory of contracts for web services.
ACM Transactions on Programming Languages and Systems, 31(5), 2009.
13. S. Even and Y. Yacobi. Relations among public key signature systems. Technical
Report 175, Computer Science Department, Technion, Haifa, 1980.
14. D. Garg and M. Abadi. A modal deconstruction of access control logics. In
FoSSaCS, 2008.
15. T. T. Hildebrandt and R. R. Mukkamala. Declarative event-based workflow as
distributed dynamic condition response graphs. In Proc. PLACES, 2010.
16. K. Honda, N. Yoshida, and M. Carbone. Multiparty asynchronous session types.
In POPL, 2008.
17. N. Martí-Oliet and J. Meseguer. An algebraic axiomatization of linear logic models.
In Topology and category theory in computer science, 1991.
18. C. Prisacariu and G. Schneider. A dynamic deontic logic for complex contracts.
The Journal of Logic and Algebraic Programming (JLAP), 81(4), 2012.
19. W. Reisig. Petri Nets: An Introduction, volume 4 of Monographs in Theoretical
Computer Science. An EATCS Series. Springer, 1985.
20. P. D. Stotts and P. Godfrey. Place/transition nets with debit arcs. Inf. Proc. Lett.,
41(1), 1992.
21. W. M. P. van der Aalst, N. Lohmann, P. Massuthe, C. Stahl, and K. Wolf. Multi-
party contracts: Agreeing and implementing interorganizational processes. Com-
put. J., 53(1), 2010.
22. R. J. van Glabbeek and G. D. Plotkin. Configuration structures. In LICS, 1995.