
arXiv:1211.3624v2 [cs.LO] 30 May 2013

Lending Petri nets and contracts

Massimo Bartoletti, Tiziana Cimoli, and G. Michele Pinna

Dipartimento di Matematica e Informatica, Università degli Studi di Cagliari, Italy

Abstract. Choreography-based approaches to service composition typically assume that, after a set of services has been found which correctly play the roles prescribed by the choreography, each service respects its role. Honest services are not protected against adversaries. We propose a model for contracts based on an extension of Petri nets, which allows services to protect themselves while still realizing the choreography. We relate this model with Propositional Contract Logic, by showing a translation of formulae into our Petri nets which preserves the logical notion of agreement, and allows for compositional verification.

1 Introduction

Many of today's human activities, from business and financial transactions, to collaborative and social applications, run over complex interorganizational systems, based on service-oriented computing (SOC) and cloud computing technologies. These technologies foster the implementation of complex software systems through the composition of basic building blocks, called services. Ensuring reliable coordination of such components is fundamental to avoid critical, possibly irreparable problems, ranging from economic losses in case of commercial activities, to risks for human life in case of safety-critical applications.

Ideally, in the SOC paradigm an application is constructed by dynamically discovering and composing services published by different organizations. Services have to cooperate to achieve the overall goals, while at the same time they have to compete to achieve the specific goals of their stakeholders. These goals may be conflicting, especially in case of mutually distrusted organizations. Thus, services must play a double role: while cooperating together, they have to protect themselves against other services' misbehavior (either unintentional or malicious).

The lack of precise guarantees about the reliability and security of services is a main deterrent for industries wishing to move their applications and business to the cloud [3]. Quoting from [3], "absent radical improvements in security technology, we expect that users will use contracts and courts, rather than clever security engineering, to guard against provider malfeasance".

Indeed, contracts are already a key ingredient in the design of SOC applications. A choreography is a specification of the overall behavior of an interorganizational process. This global view of the behavior is projected into a set of local views, which specify the behavior expected from each service involved in the whole process. The local views can be interpreted as the service contracts: if the actual implementation of each service respects its contract, then the overall application must be guaranteed to behave correctly.

There are many proposals of formal models for contracts in the literature, which we may roughly divide into "physical" and "logical" models. Physical contracts take inspiration mainly from formalisms for concurrent systems (e.g. Petri nets [21], event structures [15, 5], and various sorts of process algebras [8–10, 12, 16]), and they allow to describe the interaction of services in terms of response to events, message exchanges, etc. On the other side, logical contracts are typically expressed as formulae of suitable logics, which take inspiration from and extend e.g. modal [1, 14], intuitionistic [2, 7], linear [2], deontic [18] logics to model high-level concepts such as promises, obligations, prohibitions, authorizations, etc.

Even though logical contracts are appealing, since they aim to provide formal models and reasoning tools for real-world Service Level Agreements, existing logical approaches have not had a great impact on the design of SOC applications. A reason is that there is no evidence on how to relate high-level properties of a contract with properties of the services which have to realize it. The situation is decidedly better in the realm of physical contracts, where the gap between contracts and services is narrower. Several papers, e.g. [9–11, 16, 21], address the issue of relating properties of a choreography with properties of the services which implement it (e.g. deadlock freedom, communication error freedom, session fidelity), in some cases providing automatic tools to project the choreography to a set of services which correctly implements it.

A common assumption of most of these approaches is that services are honest, i.e. their behavior always adheres to the local view. For instance, if the local view takes the form of a behavioral type, it is assumed that the service is typeable, and that its type is a subtype of the local view. Contracts are only used in the "matchmaking" phase: once, for each local view projected from the choreography, a compliant service has been found, then all the contracts can be discarded.

We argue that the honesty assumption is not suitable in the case of interorganizational processes, where services may pursue their providers' goals to the detriment of the other ones. For instance, consider a choreography which prescribes that a participant A performs action a (modeling e.g. "pay $100 to B"), and that B performs b (e.g. "provide A with 5GB disk storage"). If both A and B are honest, then each one will perform its due action, so leading to a correct execution of the choreography. However, since providers have full control of the services they run, there is no authority which can force services to be honest. So, a malicious provider can replace a service validated w.r.t. its contract with another one: e.g., B could wait until A has done a, and then "forget" to do b. Note that B may perform his scam while not being liable for a contract violation, since contracts have been discarded after validation.

In such competitive scenarios, the role of contracts is twofold. On the one hand, they must guarantee that their composition complies with the choreography: hence, in contexts where services are honest, the overall execution is correct. On the other hand, contracts must protect services from malicious ones: in the example above, the contract of A must ensure that, if A performs a, then B will either do b, or he will be considered culpable of a contract violation.

In this paper, we consider physical contracts modeled as Petri nets, along the lines of [21]. In our approach we can both start from a choreography (modeled as a Petri net) and then obtain the local views by projection, as in [21], or start from the local views, i.e. the contracts published by each participant, to construct a choreography which satisfies the goals of everybody. Intuitively, when this happens the contracts admit an agreement.

A crucial observation of [6] is that if contracts admit an agreement, then some participant is not protected, and vice-versa. The archetypical example is the one outlined above. Intuitively, if each participant waits until someone else has performed her action, then everyone is protected, but the contracts do not admit an agreement because of the deadlock. Otherwise, if a participant does her action without waiting, then the contracts admit an agreement, but the participant who makes the first step is not protected. This is similar to the proof of impossibility of fair exchange protocols without a trusted third party [13].

To overcome this problem, we introduce lending Petri nets (in short, LPN). Roughly, an LPN is a Petri net where some places may give tokens "on credit". Technically, when a place gives a token on credit its marking will become negative. This differs from standard Petri nets, where markings are always nonnegative. The intuition is that if a participant takes a token on credit, then she is obliged to honour it; otherwise she is culpable of a contract violation.

Differently from the Petri nets used in [21], LPNs allow for modeling contracts which, at the same time, admit an agreement (more formally, weakly terminate) and protect their participants. LPNs preserve one of the main results of [21], i.e. the possibility of proving that an application respects a choreography, by only locally verifying the services which compose it. More precisely, we project a choreography to a set of local views, independently refine each of them, and are then guaranteed that the composition of all refinements respects the choreography. This is stated formally in Theorem 8.

The other main contribution is a relation between the logical contracts of [7] and LPN contracts. More precisely, we consider contracts expressed in (a fragment of) Propositional Contract Logic (PCL), and we compile them into LPNs. Theorem 23 states that a PCL contract admits an agreement if and only if its compilation weakly terminates. Summing up, Theorem 24 states that one can start from a choreography represented as a logical contract, compile it to a physical one, and then use Theorem 8 to project it to a set of services which correctly implement it, and which are protected against adversaries. Finally, Theorem 25 relates logical and physical characterizations of urgent actions, i.e. those actions which must be performed in a given state of the contract.

2 Nets

We briefly review Petri nets [19] and the token game. We consider Petri nets labeled on a set 𝕋, and (perhaps a bit unusually) the labeling is also on places.

A labeled Petri net is a 5-tuple ⟨S, T, F, Γ, Λ⟩, where S is a set of places, and T is a set of transitions (with S ∩ T = ∅), F ⊆ (S × T) ∪ (T × S) is the flow relation, and Γ: S → 𝕋, Λ: T → 𝕋 are partial labeling functions for places and transitions, respectively. Ordinary (non labeled) Petri nets are those where the two labeling functions are always undefined (i.e. equal to ⊥). We require that for each t ∈ T, F(t, s) > 0 for some place s ∈ S, i.e. a transition cannot happen spontaneously. Subscripts on the net name carry over the names of the net components. As usual, we define the pre-set and post-set of a transition/place: •x = {y ∈ T ∪ S | F(y, x) > 0} and x• = {y ∈ T ∪ S | F(x, y) > 0}, respectively. These are extended to subsets of transitions/places in the obvious way.

A marking is a function m from places to natural numbers (i.e. a multiset over places), which represents the state of the system modeled by the net. A marked Petri net is a pair N = (⟨S, T, F, Γ, Λ⟩, m0), where ⟨S, T, F, Γ, Λ⟩ is a labelled Petri net, and m0: S → ℕ is the initial marking.

The dynamics of a net is described by the execution of transitions at markings. Let N be a marked net (hereafter we will just call net a marked net). A transition t is enabled at a marking m if the places in the pre-set of t contain enough tokens (i.e. if m contains the pre-set of t). Formally, t ∈ T is enabled at m if m(s) ≥ F(s, t) for all s ∈ •t. In this case, to indicate that the execution of t in m produces the new marking m′(s) = m(s) − F(s, t) + F(t, s), we write m[t⟩m′, and we call it a step¹. This notion is lifted, as usual, to multisets of transitions.

The notion of step leads to that of execution of a net. Let N = (⟨S, T, F, Γ, Λ⟩, m0) be a net, and let m be a marking. The firing sequences starting at m are defined as follows: (a) m is a firing sequence, and (b) if m[t1⟩m1 ··· mn−1[tn⟩mn is a firing sequence and mn[t⟩m′ is a step, then m[t1⟩m1 ··· mn−1[tn⟩mn[t⟩m′ is a firing sequence. A marking m is reachable iff there exists a firing sequence starting at m0 leading to it. The set of reachable markings of a net N is denoted with M(N). A net N = (⟨S, T, F, Γ, Λ⟩, m0) is safe when each marking m ∈ M(N) is such that m(s) ≤ 1 for all s ∈ S.

A trace can be associated to each firing sequence, which is the word on 𝕋* obtained from the firing sequence by considering just the (labels of the) transitions and forgetting the markings: if m0[t1⟩m1 ··· mn−1[tn⟩mn is a firing sequence of N, the associated trace is Λ(t1 t2 ... tn). The trace associated to m0 is the empty word ε. If the label of a transition is undefined then the associated word is the empty one. The traces of a net N are denoted with Traces(N).

A subnet is a net obtained by restricting places and transitions of a net, and correspondingly the flow relation and the initial marking. Let N = (⟨S, T, F, Γ, Λ⟩, m0) be a net, and let T′ ⊆ T. We define the subnet generated by T′ as the net N|T′ = (⟨S′, T′, F′, Γ′, Λ′⟩, m′0), where S′ = {s ∈ S | F(t, s) > 0 or F(s, t) > 0 for t ∈ T′} ∪ {s ∈ S | m0(s) > 0}, F′ is the flow relation restricted to S′ and T′, Γ′ is obtained by Γ restricting to places in S′, Λ′ is obtained by Λ restricting to transitions in T′, and m′0 is obtained by m0 restricting to places in S′.

¹ The word step is usually reserved to the execution of a subset of transitions, but here we prefer to stress the computational interpretation.

A net property (intuitively, a property of the system modeled as a Petri net) can be characterized in several ways, e.g. as a set of markings (states of the system). The following captures the intuition that, notwithstanding the state (marking) reached by the system, it is always possible to reach a state satisfying the property. A net N weakly terminates in a set of markings M iff ∀m ∈ M(N), there is a firing sequence starting at m and leading to a marking in M. Hereafter, we shall sometimes say that N weakly terminates (without referring to any M) when the property is not relevant or clear from the context.

We now introduce occurrence nets. The intuition behind this notion is the following: regardless of how tokens are produced or consumed, an occurrence net guarantees that each transition can occur only once (hence the reason for calling them occurrence nets). We adopt the notion proposed by van Glabbeek and Plotkin in [22], namely 1-occurrence nets. For a multiset M, we denote by ⟦M⟧ the multiset defined as ⟦M⟧(a) = 1 if M(a) > 0 and ⟦M⟧(a) = 0 otherwise. A state of a net N = (⟨S, T, F, Γ, Λ⟩, m0) is any finite multiset X of T such that the function m_X: S → ℤ given by m_X(s) = m0(s) + Σ_{t∈T} X(t)·(F(t, s) − F(s, t)), for all s ∈ S, is a reachable marking of the net. We denote by St(N) the states of N. A state contains (in no order) all the occurrences of the transitions that have been fired to reach a marking. Observe that a trace of a net is a suitable linearization of the elements of a state X. We use the notion of state to formalize occurrence nets. An occurrence net O = (⟨S, T, F, Γ, Λ⟩, m0) is a net where each state is a set, i.e. ∀X ∈ St(N). X = ⟦X⟧.

A net is correctly labeled iff ∀s. ∀t, t′ ∈ •s. Γ(s) ≠ ⊥ ⟹ Λ(t) = Λ(t′) = Γ(s). Intuitively, this requires that all the transitions putting a token in a labeled place represent the same action.

3 Nets with lending places

We now relax the conditions under which transitions may be executed, by allowing a transition to consume tokens from a place s even if s does not contain enough tokens. Consequently, we allow markings with negative numbers. When the number of tokens associated to a place becomes negative, we say that they have been taken on credit. We do not permit this to happen in all places, but only in the lending places (a subset L of S). Lending places are depicted with a double circle.

Definition 1. A lending Petri net (LPN) is a triple (⟨S, T, F, Γ, Λ⟩, m0, L) where (⟨S, T, F, Γ, Λ⟩, m0) is a marked Petri net, and L ⊆ S is the set of lending places.

Example 1. Consider the LPN N1 in Fig. 1. The places p2 and p4 are lending places. The set of labels of the transitions is 𝕋 = {a, b, c}, and the set of labels of the places is G = 𝕋. The labeling is Γ(p1) = c, Γ(p2) = a and Γ(p4) = Γ(p3) = b (the place p0 is unlabeled).

[Fig. 1. Two lending Petri nets: N1 (places p0, p1, p2, p3, p4; transitions labeled a, b, c; p2 and p4 lending) and N′1 (places p0, p1, p2, p3, p4; transitions labeled a, b, c). The drawing is not reproduced in the text extraction.]

The notion of step is adapted to take into account this new kind of places. Let N be an LPN, let t be a transition in T, and let m be a marking. We say that t is enabled at m iff ∀s ∈ •t. m(s) ≤ 0 ⟹ s ∈ L. The evolution of N is defined as before, with the difference that the obtained marking is now a function from places to ℤ (instead of ℕ). This notion matches the intuition behind lending places: we allow a transition to be executed even when some of the transitions that are a pre-requisite have not been executed yet.

Definition 2. Let m be a reachable marking of an LPN N. We say that m is honored iff m(s) ≥ 0 for all places s of N.

An honored firing sequence is a firing sequence where the final marking is honored. Note that if the net has no lending places, then all the reachable markings are honored.

Example 2. In the net of Ex. 1, the transition c is enabled even though there are no tokens in the places p2 and p4 in its pre-set, as they are lending places. The other transitions are not enabled, hence at the initial marking only c may be executed (on credit). After firing c, only b can be executed. This results in putting one token in p3 and one in p4, hence giving back the one taken on credit. After this, only a can be executed. Upon firing c, b and a, the marking is honored. The net is clearly a (correctly labeled) occurrence net.

We now introduce a notion of composition of LPNs. The idea is that the places with a label are places in an interface of the net (though we do not put any limitation on such places, as done instead e.g. in [21]) and they are never initially marked. The labelled transitions of a net are connected with the places of the other net bearing the same label.

Definition 3. Let N = (⟨S, T, F, Γ, Λ⟩, m0, L) and N′ = (⟨S′, T′, F′, Γ′, Λ′⟩, m′0, L′) be two LPNs. We say that N, N′ are compatible whenever (a) they have the same set of labels, (b) S ∩ S′ = ∅, (c) T ∩ T′ = ∅, (d) m0(s) = 1 implies Γ(s) = ⊥, and (e) m′0(s′) = 1 implies Γ′(s′) = ⊥. If N and N′ are compatible, their composition N ⊕ N′ is the LPN (⟨Ŝ, T ∪ T′, F̂, Γ̂, Λ̂⟩, m̂0, L̂) in Fig. 2.

$$\begin{aligned}
\hat S &= \big(S \setminus \{s \in S \mid \Gamma(s) \in \Lambda'(T') \text{ and } s^\bullet = \emptyset\}\big) \cup \big(S' \setminus \{s' \in S' \mid \Gamma'(s') \in \Lambda(T) \text{ and } s'^\bullet = \emptyset\}\big)\\
\hat F(\hat s, \hat t) &\iff (\hat s = s_1 \in S \wedge \hat t = t_1 \in T \wedge F(s_1, t_1)) \vee (\hat s = s_2 \in S' \wedge \hat t = t_2 \in T' \wedge F'(s_2, t_2))\\
\hat F(\hat t, \hat s) &\iff (\hat s = s_1 \in S \wedge \hat t = t_1 \in T \wedge F(t_1, s_1)) \vee (\hat s = s_2 \in S' \wedge \hat t = t_2 \in T' \wedge F'(t_2, s_2))\\
&\qquad \vee (\hat s = s \in S \wedge \hat t = t' \in T' \wedge \Lambda'(t') = \Gamma(s) \neq \bot) \vee (\hat s = s' \in S' \wedge \hat t = t \in T \wedge \Lambda(t) = \Gamma'(s') \neq \bot)\\
\hat\Gamma(\hat s) &= \begin{cases} \Gamma(s_1) & \text{if } \hat s = s_1 \in S \\ \Gamma'(s_2) & \text{if } \hat s = s_2 \in S' \end{cases}
\qquad
\hat\Lambda(\hat t) = \begin{cases} \Lambda(t_1) & \text{if } \hat t = t_1 \in T \\ \Lambda'(t_2) & \text{if } \hat t = t_2 \in T' \end{cases}\\
\hat m_0(\hat s) &= \begin{cases} 1 & \text{if } \hat s = s_1 \in S \text{ and } m_0(s_1) = 1, \text{ or } \hat s = s_2 \in S' \text{ and } m_0'(s_2) = 1 \\ 0 & \text{otherwise} \end{cases}\\
\hat L &= (L \cup L') \cap \hat S
\end{aligned}$$

Fig. 2. Composition of two LPNs.

The underlying idea of LPN composition is rather simple: the sink places in a net bearing a label of a transition of the other net are removed, and places and transitions with the same label are connected accordingly (the removed sink places have places with the same label in the other net). All the other ingredients of the compound net are trivially inherited from the components. Observe that, when composing two compatible nets N and N′ such that Γ(S) ∩ Γ′(S′) = ∅, we obtain the disjoint union of the two nets. Further, if the common label a ∈ Γ(S) ∩ Γ′(S′) is associated in N to a place s with empty post-set and in N′ to a place s′ with empty post-set (or vice versa) and the labelings are injective, we obtain precisely the composition defined in [21]. If the components N and N′ may satisfy some properties (sets of markings M and M′), the compound net N ⊕ N′ may satisfy the compound property (which is the set of markings M̂ obtained obviously from M and M′).

Example 3. Consider the nets in Fig. 3. Net N fires a after b has been performed; dually, net N′ waits for b before firing a. These nets model two participants which protect themselves by waiting for the other one to make the first step (the properties being that places p3 and p′3, respectively, are not marked). Clearly, no agreement is possible in this scenario. This is modelled by the deadlock in the composition N ⊕ N′, where neither transition a nor b can be fired. Consider now the LPN N′′, which differs from N only for the lending place p′′1. This models a participant which may fire a on credit, under the guarantee that the credit will be eventually honoured by the other participant performing b (hence, the participant modeled by N′′ is still protected), and the property is then place p′′3 unmarked and p′′1 with a non-negative marking. The composition N′′ ⊕ N′ weakly terminates w.r.t. the above properties, because transition a can take a token on credit from p′′1, and then transition b can be fired, so honouring the debit in p′′1.

[Fig. 3. Three LPNs (top): N (places p1, p2, p3), N′ (places p′1, p′2, p′3) and N′′ (places p′′1, p′′2, p′′3, with p′′1 a lending place), with transitions labeled a and b; and their pairwise compositions N ⊕ N′ and N′′ ⊕ N′ (bottom). The drawing is not reproduced in the text extraction.]

The operation ⊕ is clearly associative and commutative.

Proposition 4. Let N1, N2 and N3 be three compatible LPNs. Then, N1 ⊕ N2 = N2 ⊕ N1 and N1 ⊕ (N2 ⊕ N3) = (N1 ⊕ N2) ⊕ N3.

The composition ⊕ does not have the property that, in general, considering only the transitions of one of the components, we obtain the LPN we started with, i.e. (N1 ⊕ N2)|Ti ≠ Ni. This is because the number of places with labels increases and new arcs may be added, and these places are not forgotten when considering the subnet generated by Ti. However these added places are not initially marked, hence it may be that the nets have the same traces.

Definition 5. Let N and N′ be two LPNs on the same sets of labels. We say that N approximates N′ (N ≲ N′) iff Traces(N) ⊆ Traces(N′). We write N ∼ N′ when N ≲ N′ and N′ ≲ N.

Proposition 6. For two compatible LPNs N1, N2, Ni ∼ (N1 ⊕ N2)|Ti, i = 1, 2.

Following [21] we introduce a notion of refinement (called accordance in [21]) between two LPNs. We say that M (with a property M_M) is a strategy for an LPN N (with a property M) if N ⊕ M is weakly terminating. With S(N) we denote the set of all strategies for N. In the rest of the paper we assume that properties are always specified, even when not done explicitly.

Definition 7. An LPN N′ refines N if S(N′) ⊇ S(N).

Observe that if N′ refines N and N weakly terminates, then N′ weakly terminates as well.

If a weakly terminating LPN N is obtained by composition of several nets, i.e. N = ⊕_i Ni, we can ask what happens if there is an N′i which refines Ni, for each i. The following theorem gives the desired answer.

Theorem 8. Let N = ⊕_i Ni be a weakly terminating LPN, and assume that N′i refines Ni, for all i. Then, N′ = ⊕_i N′i is a weakly terminating LPN.

The theorem above gives a compositional criterion to check weak termination of a SOC application. One starts from an abstract specification (e.g. a choreography), projects it into a set of local views, and then refines each of them into a service implementation. These services can be verified independently (for refinement), and it is guaranteed that their composition still enjoys weak termination.

We now define, starting from a marking m, which actions may be performed immediately after, while preserving the ability to reach an honored marking. We call these actions urgent.

Definition 9. For an LPN N and a marking m, we say that a is urgent at m iff there exists a firing sequence m[t1⟩ ··· [tn⟩mn with Λ(t1) = a and mn honored.

Example 4. Consider the nets in Ex. 3. In N′′ ⊕ N′ the only urgent action at the initial marking is a, while b is urgent at the marking where p′1 is marked. In N′′ there are no urgent actions at the initial marking, since no honored marking is reachable. In the other nets (N, N′, N ⊕ N′) no actions are urgent in the initial marking, since these nets are deadlocked.
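The token game of Section 2, the enabling rule for lending places and honored markings of Section 3, the composition of Def. 3 / Fig. 2, weak termination, and the urgent actions of Def. 9, put together in one runnable Python model. This is an added example, not code from the paper or its authors. The three nets are a constructed reading of Fig. 3 (which place holds the initial token, which is the interface place, and the arc directions are assumptions), and all arcs are taken to have weight 1, so the enabling test m(s) ≥ F(s, t) for non-lending places coincides with the paper's m(s) > 0.

```python
from collections import deque


class LPN:
    """Lending Petri net (Def. 1): weight-1 arcs F, partial labelings Gamma/Lam,
    initial marking m0, lending places L. Ordinary nets are the case L = {}."""

    def __init__(self, places, transitions, flow, m0, lending=(), gamma=None, lam=None):
        self.S, self.T, self.L = list(places), list(transitions), set(lending)
        self.F = {arc: 1 for arc in flow}                 # (x, y) -> weight
        self.m0 = {s: m0.get(s, 0) for s in self.S}
        self.Gamma, self.Lam = dict(gamma or {}), dict(lam or {})   # absent key = ⊥

    def pre(self, t):
        return [s for s in self.S if (s, t) in self.F]

    def post(self, x):
        return [y for y in self.S + self.T if (x, y) in self.F]

    def enabled(self, m, t):
        # Sec. 3: an empty input place blocks t unless it is a lending place,
        # which may be drained "on credit" (its marking then goes negative)
        return all(m[s] >= self.F[(s, t)] or s in self.L for s in self.pre(t))

    def fire(self, m, t):
        # step m[t>m' with m'(s) = m(s) - F(s,t) + F(t,s); markings range over Z
        return {s: m[s] - self.F.get((s, t), 0) + self.F.get((t, s), 0) for s in self.S}

    @staticmethod
    def honored(m):                                      # Def. 2
        return all(v >= 0 for v in dict(m).values())

    def reachability_graph(self, start=None, limit=10_000):
        """Reachable markings (frozen as sorted item tuples) -> {(t, successor)}.
        The nets here are occurrence nets, so this is finite; limit guards others."""
        freeze = lambda m: tuple(sorted(m.items()))
        root = freeze(self.m0 if start is None else start)
        graph, queue = {root: set()}, deque([root])
        while queue:
            m = queue.popleft()
            for t in self.T:
                if self.enabled(dict(m), t):
                    n = freeze(self.fire(dict(m), t))
                    graph[m].add((t, n))
                    if n not in graph:
                        if len(graph) >= limit:
                            raise RuntimeError("reachability bound exceeded")
                        graph[n] = set()
                        queue.append(n)
        return graph


def weakly_terminates(net, prop):
    """Sec. 2: from every reachable marking a marking satisfying prop is reachable
    (backward closure of the goal markings over the reachability graph)."""
    graph = net.reachability_graph()
    good = {m for m in graph if prop(dict(m))}
    changed = True
    while changed:
        grown = {m for m, succ in graph.items() if m not in good and any(n in good for _, n in succ)}
        good |= grown
        changed = bool(grown)
    return set(graph) <= good


def urgent_actions(net, m):
    """Def. 9: labels of transitions firable at m after which an honored marking
    is still reachable (the marking reached by the step itself counts)."""
    return {net.Lam[t] for t in net.T if t in net.Lam and net.enabled(m, t)
            and any(net.honored(n) for n in net.reachability_graph(net.fire(m, t)))}


def compose(N1, N2):
    """Def. 3 / Fig. 2: N1 ⊕ N2. Sink places labeled with an action performed by the
    other component are dropped; each transition is wired to the places of the other
    component bearing its label, so one party's action feeds the other's input."""
    assert not (set(N1.S) & set(N2.S)) and not (set(N1.T) & set(N2.T))
    kept = lambda N, other: [s for s in N.S
                             if not (N.Gamma.get(s) in set(other.Lam.values()) and not N.post(s))]
    S = kept(N1, N2) + kept(N2, N1)
    flow = {arc for N in (N1, N2) for arc in N.F if arc[0] in S or arc[1] in S}
    for mine, other in ((N1, N2), (N2, N1)):              # cross arcs: Λ'(t') = Γ(s) ≠ ⊥
        flow |= {(t, s) for s in mine.S if s in S and mine.Gamma.get(s) is not None
                 for t in other.T if other.Lam.get(t) == mine.Gamma[s]}
    labels = {**N1.Gamma, **N2.Gamma}
    return LPN(S, N1.T + N2.T, flow, {**N1.m0, **N2.m0}, (N1.L | N2.L) & set(S),
               {s: labels[s] for s in S if s in labels}, {**N1.Lam, **N2.Lam})


def fig3_nets():
    """Constructed reading of Fig. 3 (an assumption, not the paper's data): p3/p'3/p''3
    hold the initial token, p1/p'1/p''1 wait for the other party's action, p2/p'2/p''2
    announce the own action; p''1 is the lending place that distinguishes N'' from N."""
    N = LPN(["p1", "p2", "p3"], ["a"], {("p3", "a"), ("p1", "a"), ("a", "p2")},
            {"p3": 1}, gamma={"p1": "b", "p2": "a"}, lam={"a": "a"})
    N_ = LPN(["p'1", "p'2", "p'3"], ["b"], {("p'3", "b"), ("p'1", "b"), ("b", "p'2")},
             {"p'3": 1}, gamma={"p'1": "a", "p'2": "b"}, lam={"b": "b"})
    N__ = LPN(["p''1", "p''2", "p''3"], ["a''"],
              {("p''3", "a''"), ("p''1", "a''"), ("a''", "p''2")}, {"p''3": 1},
              lending={"p''1"}, gamma={"p''1": "b", "p''2": "a"}, lam={"a''": "a"})
    return N, N_, N__


if __name__ == "__main__":
    N, N_, N__ = fig3_nets()
    NN, NN2 = compose(N, N_), compose(N__, N_)
    goal = lambda m: m["p''3"] == 0 and m["p'3"] == 0 and m["p''1"] >= 0
    print("N ⊕ N' enabled at m0:", [t for t in NN.T if NN.enabled(NN.m0, t)])   # []
    print("N'' ⊕ N' weakly terminates:", weakly_terminates(NN2, goal))             # True
    print("urgent at m0 of N'' ⊕ N':", urgent_actions(NN2, NN2.m0))                 # {'a'}
```

Running it reproduces Ex. 3 and Ex. 4: in N ⊕ N′ nothing is enabled at the initial marking, while in N′′ ⊕ N′ the transition labeled a drains p′′1 to −1, b then refills it, and a is the only urgent action at the start. The reachability graph is built once per query; for the occurrence nets of this paper it has at most one node per subset of transitions, so the guard `limit` never triggers.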

4 Physical contracts

We now present a model for physical contracts based on LPNs. Let a, b, ... ∈ 𝕋 be actions, performed by participants A, B, ... ∈ Part. We assume that actions may only be performed once. Hence, we consider a subclass of LPNs, namely occurrence nets, where all the transitions with the same label are mutually exclusive. A physical contract is an LPN, together with a set 𝒜 of participants bound by the contract, a mapping π from actions to participants, and a set Ω modeling the states where all the participants in 𝒜 are satisfied.

Definition 10. A contract net D is a tuple (O, 𝒜, π, Ω), where O is an occurrence LPN (⟨S, T, F, Γ, Λ⟩, m0, L) labeled on 𝕋, 𝒜 ⊆ Part, π: 𝕋 → Part, Ω ⊆ ℘(𝕋) is the set of goals of the participants, and where:

(a) ∀s ∈ S. (m0(s) = 1 ⟹ •s = ∅ ∧ Γ(s) = ⊥) ∧ (s ∈ L ⟹ Γ(s) ∈ 𝕋),

(b) ∀t ∈ T. (∀s ∈ t•. Λ(t) = Γ(s)) ∧ (∃s ∈ •t. s ∉ L),

(c) ∀t, t′ ∈ T. Λ(t) = Λ(t′) ⟹ ∃s ∈ •t ∩ •t′. m0(s) = 1,

(d) π(Λ(T)) ⊆ 𝒜.

The last constraint models the fact that only the participants in 𝒜 may perform actions in D.

Given a state X of the component O of D, the reached marking m tells us which actions have been performed, and which tokens have been taken on credit. The configuration µ(m) associated to a marking m is the pair (C, Y) defined as:

– C = {a ∈ 𝕋 | ∃s ∈ S. {s} = ⋂{•t | t ∈ T, Λ(t) = a} and m(s) = 0}, and

– Y = {a ∈ 𝕋 | ∃s ∈ S. a = Γ(s) and m(s) < 0}.

The first component is the set of the labels of the transitions in X. The marking m is honored whenever the second component of µ(m) is empty.

We now state the conditions under which two contract nets can be composed. We require that an action can be performed only by one of the components (the other may use the tokens produced by the execution of such action).

Definition 11. Two contract nets D = (O, 𝒜, π, Ω) and D′ = (O′, 𝒜′, π′, Ω′) are compatible whenever O ⊕ O′ is defined and 𝒜 ∩ 𝒜′ = ∅.

The composition of D and D′ is then the obvious extension of the one on LPNs:

Definition 12. Let D = (O, 𝒜, π, Ω) and D′ = (O′, 𝒜′, π′, Ω′) be two compatible contract nets. Then D ⊕ D′ = (O ⊕ O′, 𝒜 ∪ 𝒜′, π ∘ π′, Ω′′) where Ω′′ = {X ∪ X′ | X ∈ Ω, X′ ∈ Ω′}.

We lift the notion of weak termination to contract nets D = (O, 𝒜, π, Ω). The set of markings obtained by Ω is M_Ω = {m ∈ M(O) | µ(m) = (C, ∅), C ∈ Ω}. We say that D weakly terminates w.r.t. Ω when O weakly terminates w.r.t. M_Ω.

We also extend to contract nets the notion of urgent actions given for LPNs (Def. 9). Here, the set of urgent actions U^C_D is parameterized by the set C of actions already performed.

Definition 13. Let D be a contract net, and let C ⊆ 𝕋. We define:

U^C_D = {a ∈ 𝕋 | ∃Y ⊆ 𝕋. ∃m. µ(m) = (C, Y) ∧ a is urgent at m}

Example 5. Interpret the LPN N′1 in Fig. 1 as a contract net where the actions a, b, c are associated, respectively, to participants A, B, and C, and Ω is immaterial. Then, a and c are urgent at the initial marking, whereas b is not (the token borrowed from p1 cannot be given back). In the state where a has been fired, only b is urgent; in the state where c has been fired, no actions are urgent.

5 Logical contracts

In this section we briefly review Propositional Contract Logic (PCL [7]), and we exploit it to model contracts. PCL extends intuitionistic propositional logic IPC with a connective ։, called contractual implication. Intuitively, a formula b ։ a implies a not only when b is true, like IPC implication, but also in the case that a "compatible" formula, e.g. a ։ b, holds. PCL allows for a sort of "circular" assume-guarantee reasoning, hinted by (b ։ a) ∧ (a ։ b) → a ∧ b, which is a theorem in PCL. We assume that the prime formulae of PCL coincide with the atoms in 𝕋. PCL formulae, ranged over by greek letters ϕ, ϕ′, ..., are defined as:

ϕ ::= ⊥ | ⊤ | a | ¬ϕ | ϕ ∨ ϕ | ϕ ∧ ϕ | ϕ → ϕ | ϕ ։ ϕ

Two proof systems have been presented for PCL: a sequent calculus [7], and an equivalent natural deduction system [4], the main rules of which are shown in Fig. 4. Provable formulae are contractually implied, according to rule (։I1).

$$\frac{\Delta \vdash \psi}{\Delta \vdash \varphi \twoheadrightarrow \psi}\ (\twoheadrightarrow I1)
\qquad
\frac{\Delta \vdash \varphi' \twoheadrightarrow \psi' \quad \Delta, \varphi \vdash \varphi' \quad \Delta, \psi' \vdash \varphi \twoheadrightarrow \psi}{\Delta \vdash \varphi \twoheadrightarrow \psi}\ (\twoheadrightarrow I2)
\qquad
\frac{\Delta \vdash \varphi \twoheadrightarrow \psi \quad \Delta, \psi \vdash \varphi}{\Delta \vdash \psi}\ (\twoheadrightarrow E)$$

Fig. 4. Natural deduction for PCL (rules for ։).

Rule (։I2) provides ։ with the same weakening properties of →. The crucial rule is (։E), which allows for the elimination of ։. Compared to the rule for elimination of → in IPC, the only difference is that in the context used to deduce the antecedent ϕ, rule (։E) also allows for using as hypothesis the consequence ψ. The decidability of the provability relation of PCL has been proved in [7], by exploiting the cut elimination property enjoyed by the sequent calculus.

To model contracts, we consider the Horn fragment of PCL, which comprises atoms, conjunctions, and non-nested (intuitionistic/contractual) implications.

Definition 14. A PCL contract is a tuple ⟨∆, 𝒜, π, Ω⟩, where ∆ is a Horn PCL theory, 𝒜 ⊆ Part, π: 𝕋 → Part associates each atom with a participant, and Ω ⊆ ℘(𝕋) is the set of goals of the participants.

The component 𝒜 of C contains the participants which can promise to do something in C. Consequently, we shall only consider PCL contracts such that if α ∘ a ∈ ∆, for ∘ ∈ {→, ։}, then π(a) ∈ 𝒜.

Example 6. Suppose three kids want to play together. Alice has a toy airplane, Bob has a bike, and Carl has a toy car. Each of the kids is willing to share his toy, but they have different constraints: Alice will lend her airplane only after Bob has allowed her to ride his bike; Bob will lend his bike after he has played with Carl's car; Carl will lend his car if the other two kids promise to eventually let him play with their toys. Let π = {a ↦ A, b ↦ B, c ↦ C}. The kids' contracts are modeled as follows: ⟨b → a, {A}, π, {{b}}⟩, ⟨c → b, {B}, π, {{c}}⟩, and ⟨(a ∧ b) ։ c, {C}, π, {{a, b}}⟩.

A contract admits an agreement when all the involved participants can reach their goals. This is formalized in Def. 15 below.

Definition 15. A PCL contract admits an agreement iff ∃X ∈ Ω. ∆ ⊢ ⋀X.

We now define composition of PCL contracts. If C′ is the contract of an adversary of C, then a naïve composition of the two contracts could easily lead to an attack, e.g. when Mallory's contract says that Alice is obliged to give him her airplane. To prevent such kinds of attacks, contract composition is a partial operation. We do not compose contracts which bind the same participant, or which disagree on the association between atoms and participants.

Definition 16. Two PCL contracts C = ⟨∆, 𝒜, π, Ω⟩ and C′ = ⟨∆′, 𝒜′, π′, Ω′⟩ are compatible whenever 𝒜 ∩ 𝒜′ = ∅, and ∀A ∈ 𝒜 ∪ 𝒜′. π⁻¹(A) = π′⁻¹(A). If C, C′ are compatible, the contract C | C′ = ⟨∆ ∪ ∆′, 𝒜 ∪ 𝒜′, π ∘ π′, Ω | Ω′⟩, where Ω | Ω′ = {X ∪ X′ | X ∈ Ω, X′ ∈ Ω′}, is their composition.

$$\frac{}{\varepsilon \in [\![\Delta]\!]}\ (\varepsilon)
\qquad
\frac{\alpha \to a \in \Delta \quad \sigma \in [\![\Delta]\!] \quad \alpha \subseteq \bar{\sigma}}{\sigma a \in [\![\Delta]\!]}\ (\to)
\qquad
\frac{\alpha \twoheadrightarrow a \in \Delta \quad \sigma \in [\![\Delta, a]\!] \quad \alpha \subseteq \bar{\sigma}}{\sigma \mid a \subseteq [\![\Delta]\!]}\ (\twoheadrightarrow)$$

Fig. 5. Proof traces of Horn PCL.

Example 7. The three contracts in Ex. 6 are compatible, and their composition is C = ⟨∆, {A, B, C}, {a ↦ A, b ↦ B, c ↦ C}, {{a, b, c}}⟩ where ∆ is the theory {b → a, c → b, (a ∧ b) ։ c}. C has an agreement, since ∆ ⊢ a ∧ b ∧ c. The agreement exploits the fact that Carl's contract allows the action c to happen "on credit", before the other actions are performed.

We now recap from [4] the notion of proof traces, i.e. the sequences of atoms respecting the order imposed by proofs in PCL. Consider e.g. rule (→E):

$$\frac{\Delta \vdash \alpha \to a \quad \Delta \vdash \alpha}{\Delta \vdash a}\ (\to E)$$

The rule requires a proof of all the atoms in α in order to construct a proof of a. Accordingly, if σ is a proof trace of ∆, then σa is a proof trace of ∆. Instead, in the rule (։E), the antecedent α need not necessarily be proved before a: it suffices to prove α by taking a as hypothesis.

Definition 17 (Proof traces [4]). For a Horn PCL theory ∆, we define the set of proof traces ⟦∆⟧ by the rules in Fig. 5, where for σ, η ∈ 𝕋* we denote with σ̄ the set of atoms in σ, with ση the concatenation of σ and η, and with σ | η the interleavings of σ and η. We assume that both concatenation and interleaving remove duplicates from the right, e.g. aba | ca = ab | ca = {abc, acb, cab}.

The set U^X_C in Def. 18 contains, given a set X of atoms, the atoms which may be proved immediately after, following some proof trace of C.

Definition 18 (Urgent actions [4]). For a contract C = ⟨∆, ...⟩ and a set of atoms X, we define U^X_C = {a ∉ X | ∃σ, σ′. σ̄ = X ∧ σaσ′ ∈ ⟦∆, X⟧}.

Example 8. For the contract $C$ specified by the theory $\Delta = a \to b,\ b \twoheadrightarrow a$, we have $\llbracket \Delta \rrbracket = \{\varepsilon, ab\}$, and $U^{\emptyset}_\Delta = \{a\}$, $U^{\{a\}}_\Delta = \{b\}$, $U^{\{b\}}_\Delta = \{a\}$, and $U^{\{a,b\}}_\Delta = \emptyset$.
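The rules of Fig. 5 and Def. 18 can be executed mechanically. The following Python program is an added example, not code by the authors of the paper: it computes the proof traces of a Horn theory as the least set closed under the three rules, and the urgent actions of Def. 18 on top of them, checking the result against Ex. 7 and Ex. 8. The encoding of clauses as triples, the tags `'->'` and `'->>'`, and the function names are choices made here; `provable` reads $\Delta \vdash \bigwedge C$ as "every atom of $C$ occurs in some proof trace", which is how Ex. 7 uses the traces.

```python
# Added example (not the authors' code): proof traces of Horn PCL as in
# Fig. 5 and urgent actions as in Def. 18, computed by fixpoint iteration.
# A Horn theory is a set of clauses (X, a, kind): kind '->' encodes the
# intuitionistic implication /\X -> a, kind '->>' the contractual one
# /\X ->> a, and a bare atom a is the clause (frozenset(), a, '->').
# Atoms are single characters, so a trace is just a string.
from functools import lru_cache
from itertools import combinations


def dedup(trace):
    """Keep the leftmost occurrence of every atom: the paper's convention
    that concatenation and interleaving 'remove duplicates from the right'."""
    out = []
    for x in trace:
        if x not in out:
            out.append(x)
    return ''.join(out)


def interleave(s, e):
    """All interleavings s | e (each sequence keeps its order), deduplicated."""
    n = len(s) + len(e)
    result = set()
    for pos in combinations(range(n), len(s)):
        i = j = 0
        word = []
        for k in range(n):
            if k in pos:
                word.append(s[i])
                i += 1
            else:
                word.append(e[j])
                j += 1
        result.add(dedup(''.join(word)))
    return result


def add_facts(theory, atoms):
    """The theory (Delta, X): Delta extended with each atom of X as a fact."""
    return frozenset(theory) | {(frozenset(), a, '->') for a in atoms}


@lru_cache(maxsize=None)
def proof_traces(theory):
    """[[Delta]] of Fig. 5: the least set closed under rules (eps), (->), (->>)."""
    theory = frozenset(theory)
    facts = {a for (X, a, _) in theory if not X}
    traces = {''}                                   # rule (eps)
    while True:
        new = set(traces)
        for X, a, kind in theory:
            if kind == '->':                        # rule (->): alpha within atoms(sigma)
                new |= {dedup(s + a) for s in traces if X <= set(s)}
            else:                                   # rule (->>): sigma in [[Delta, a]]
                ext = traces if a in facts else proof_traces(add_facts(theory, {a}))
                for s in ext:
                    if X <= set(s):
                        new |= interleave(s, a)
        if new == traces:
            return frozenset(traces)
        traces = new


def provable(theory):
    """Atoms occurring in some proof trace (our reading of Delta |- /\C)."""
    return {x for t in proof_traces(frozenset(theory)) for x in t}


def urgent(theory, X):
    """U^X of Def. 18: a not in X with sigma a sigma' in [[Delta, X]], atoms(sigma) = X."""
    X = frozenset(X)
    return {t[i] for t in proof_traces(add_facts(theory, X))
            for i in range(len(t)) if set(t[:i]) == set(X) and t[i] not in X}


# Ex. 8: Delta = {a -> b, b ->> a}
EX8 = frozenset({(frozenset('a'), 'b', '->'), (frozenset('b'), 'a', '->>')})
# Ex. 7: Delta = {b -> a, c -> b, (a /\ b) ->> c}
EX7 = frozenset({(frozenset('b'), 'a', '->'), (frozenset('c'), 'b', '->'),
                 (frozenset('ab'), 'c', '->>')})

if __name__ == '__main__':
    print(sorted(proof_traces(EX8)))                 # ['', 'ab']
    print(urgent(EX8, set()), urgent(EX8, {'a'}), urgent(EX8, {'b'}))
    print(sorted(provable(EX7)))                     # ['a', 'b', 'c']
```

Recursion on the extended theory $\Delta, a$ terminates because each call adds a fact that was not one before, and deduplication bounds the length of every trace by the number of atoms, so each fixpoint iteration ranges over a finite set. On Ex. 7 the only non-empty trace is $cba$, which is exactly the "on credit" order: $c$ is the first urgent action at the empty state.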

6 From logical to physical contracts

In this section we show, starting from a logical contract, how to construct a physical one which preserves the agreement property. Technically, we shall relate provability in PCL to reachability of suitable configurations in the associated LPN. The idea of our construction is to translate each Horn clause of a PCL formula into a transition of an LPN, labelled with the action in the conclusion of the clause.


$$S = (\mathbb{T} \times T) \cup \big(\{a \mid \textstyle\bigwedge X \to a \in \Delta\} \cup \{a \mid \bigwedge X \twoheadrightarrow a \in \Delta\} \cup \{a \mid a \in \Delta\}\big) \times \{*\}$$

$$T = \{(X, a, \#) \mid \textstyle\bigwedge X \to a \in \Delta\} \cup \{(X, a, \circledcirc) \mid \bigwedge X \twoheadrightarrow a \in \Delta\}$$

$$F = \{(s, t) \mid s = (a, *),\ t = (X, a, z)\} \cup \{(s, t) \mid s = (a, t),\ t = (X, c, z),\ a \in X\} \cup \{(t, s) \mid s = (a, x),\ t = (X, a, z),\ x \neq *\}$$

$$\Gamma(s) = \text{if } s = (a, x) \text{ with } x \in T \text{ then } a \text{ else } \bot$$

$$\Lambda(t) = \text{if } t = (X, a, z) \text{ then } a \text{ else } \bot$$

$$m_0(s) = \text{if } s = (a, *) \text{ then } 1 \text{ else } 0$$

$$L = \{s \in S \mid s = (a, t) \text{ and } t = (X, c, \circledcirc) \text{ with } X \neq \emptyset\}$$

Fig. 6. Translation from logical to physical contracts.

Definition 19. Let $C = \langle \Delta, A, \pi, \Omega \rangle$ be a PCL contract. We define the contract net $\mathcal{P}(C)$ as $((\langle S, T, F, \Gamma, \Lambda \rangle, m_0, L), A, \pi, \Omega)$ in Fig. 6.

The transitions associated to $C$ are a subset $T$ of $\wp(\mathbb{T}) \times \mathbb{T} \times \{\circledcirc, \#\}$. For each intuitionistic/contractual implication, we introduce a transition as follows. A clause $\bigwedge X \twoheadrightarrow a$ maps to $(X, a, \circledcirc) \in T$, while $\bigwedge X \to a$ maps to $(X, a, \#) \in T$. A formula $a$ is dealt with as the clause $\bigwedge \emptyset \to a$. Places in $S$ carry the information on which transition may actually put/consume a token from them (even on credit). The lending places are those places $(a, t)$ where $t = (X, c, \circledcirc)$. Observe that a transition $t = (X, a, z)$ puts a token in each place $(a, x)$ with $x \neq *$, and that all the transitions bearing the same label, say $a$, are mutually exclusive, as they share the unique input place $(a, *)$. The initial marking contains all the places in $\mathbb{T} \times \{*\}$, and if a token is consumed from one of these places then the place will never be marked again. Furthermore, the lending places are never initially marked.

Example 9. Consider the PCL contract with formula $a \twoheadrightarrow a$ (the other components are immaterial for the sake of the example). The associated LPN is in Fig. 7, left. The transition $(\{a\}, a, \circledcirc)$, labeled $a$, can be executed at the initial marking, as the unmarked place in the preset is a lending place. The reached marking contains no tokens, hence it is honored. This is coherent with the fact that $a \twoheadrightarrow a \vdash a$ holds in PCL.

[Fig. 7, left: the net of Ex. 9, with places $(a, *)$ and $(a, (\{a\}, a, \circledcirc))$ and the single transition $(\{a\}, a, \circledcirc)$ labeled $a$. Fig. 7, right: the net of Ex. 10, with transitions $t_1$ (labeled $a$), $t_2$ (labeled $c$) and $t_3$ (labeled $b$), the places $(a, *)$, $(b, *)$, $(c, *)$, and the places $(x, t_i)$ for $x \in \{a, b, c\}$ and $i \in \{1, 2, 3\}$.]

Fig. 7. Two contract nets constructed from PCL contracts.


Example 10. Consider the PCL contract specified by the theory

$$\Delta = \{b \twoheadrightarrow a,\ a \to c,\ a \to b\}$$

The associated LPN is the one depicted on the right in Fig. 7. The transitions are $t_1 = (\{b\}, a, \circledcirc)$, $t_2 = (\{a\}, c, \#)$ and $t_3 = (\{a\}, b, \#)$. Initially only $t_1$ is enabled, lending a token from place $(b, t_1)$. This leads to a marking where both $t_2$ and $t_3$ are enabled, but only the execution of $t_3$ ends up with an honored marking. The marking reached after executing all the actions is honored. This is coherent with the fact that $\Delta \vdash a \wedge b \wedge c$ holds in PCL.
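The construction of Fig. 6 together with the token game on lending places used in Ex. 9 and Ex. 10 can be reproduced in a few dozen lines. The Python program below is an added example and not the authors' code: it builds the places, transitions, lending places and initial marking of Fig. 6 from a Horn theory, and plays the token game on it. The tags `'#'` and `'@'` stand for $\#$ and $\circledcirc$; the enabling rule (every non-lending input place must hold a token, a lending place may be driven negative) and the notion of honored marking (no place negative) are assumptions read off the two examples, since the general LPN semantics is given earlier in the paper; `reaches_goal` is a simplified check (some run performs every action of a goal set and ends in an honored marking), not the paper's definition of weak termination.

```python
# Added example (not the authors' code): the translation of Fig. 6 from a
# Horn PCL theory to a contract net, plus a token game for lending places.
# Clauses are (X, a, kind) with kind '#' for /\X -> a and '@' for /\X ->> a
# (standing for the tags # and ⊚ of Fig. 6); a fact a is (frozenset(), a, '#').
# Assumed semantics, read off Ex. 9 and Ex. 10: a transition is enabled when
# every input place that is not a lending place holds a token; lending places
# may go negative; a marking is honored when no place is negative.
STAR = '*'


class ContractNet:
    def __init__(self, theory):
        self.T = [(frozenset(X), a, kind) for (X, a, kind) in theory]     # transitions
        atoms = {a for (_, a, _) in self.T} | {x for (X, _, _) in self.T for x in X}
        # S = (atoms x T) plus (a, *) for every atom a that is the conclusion of a clause
        self.S = [(a, t) for a in sorted(atoms) for t in self.T]
        self.S += [(a, STAR) for a in sorted({a for (_, a, _) in self.T})]
        # L: lending places (a, t) with t = (X, c, ⊚) and X non-empty
        self.L = {(a, t) for (a, t) in self.S
                  if t != STAR and t[2] == '@' and t[0]}
        self.m0 = {s: 1 if s[1] == STAR else 0 for s in self.S}

    def preset(self, t):
        """Input places of t = (X, a, z): (a, *) and (x, t) for x in X."""
        X, a, _ = t
        return {(a, STAR)} | {(x, t) for x in X}

    def postset(self, t):
        """Output places of t = (X, a, z): every (a, u) with u a transition."""
        _, a, _ = t
        return {(a, u) for u in self.T}

    def enabled(self, m, t):
        return all(m[s] >= 1 or s in self.L for s in self.preset(t))

    def enabled_labels(self, m):
        return {t[1] for t in self.T if self.enabled(m, t)}

    def fire(self, m, t):
        m = dict(m)
        for s in self.preset(t):
            m[s] -= 1            # a lending place may become negative here
        for s in self.postset(t):
            m[s] += 1
        return m

    @staticmethod
    def honored(m):
        return all(v >= 0 for v in m.values())

    def fire_labels(self, labels):
        """Fire, from m0, one enabled transition per label, in the given order."""
        m = self.m0
        for lab in labels:
            t = next(t for t in self.T if t[1] == lab and self.enabled(m, t))
            m = self.fire(m, t)
        return m

    def runs(self):
        """All maximal firing sequences from m0, as (labels, final marking).
        They are finite: each transition consumes its (a, *) token, which is
        never produced again, so every transition fires at most once."""
        out = []

        def go(m, seq):
            ts = [t for t in self.T if self.enabled(m, t)]
            if not ts:
                out.append((tuple(seq), m))
            for t in ts:
                go(self.fire(m, t), seq + [t[1]])
        go(self.m0, [])
        return out

    def reaches_goal(self, goal):
        """Some run performs every action in goal and ends in an honored marking."""
        return any(set(goal) <= set(seq) and self.honored(m) for seq, m in self.runs())


# Ex. 9: the single clause a ->> a
EX9 = ContractNet([(frozenset('a'), 'a', '@')])
# Ex. 10: Delta = {b ->> a, a -> c, a -> b}
EX10 = ContractNet([(frozenset('b'), 'a', '@'), (frozenset('a'), 'c', '#'),
                    (frozenset('a'), 'b', '#')])

if __name__ == '__main__':
    print(EX10.enabled_labels(EX10.m0))               # {'a'}
    print(EX10.honored(EX10.fire_labels('ac')))       # False: (b, t1) still owes a token
    print(EX10.honored(EX10.fire_labels('ab')))       # True
    print(sorted(seq for seq, _ in EX10.runs()))      # [('a', 'b', 'c'), ('a', 'c', 'b')]
```

On Ex. 10 the program reproduces the narrative of the example: only $t_1$ is enabled at $m_0$, firing it drives $(b, t_1)$ to $-1$, and of the two transitions enabled next only $t_3$ restores an honored marking, while both complete runs end honored. A theory such as $\{b \to a\}$ alone, by contrast, has no run at all that performs $a$, matching the fact that $a$ is not provable from it.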

Since all the transitions consume the token from the places $(a, *)$ (where $a$ is the label of the transition), and these places cannot be marked again, it is easy to see that each transition may occur only once. Hence, the net associated to a contract is an occurrence net. If two transitions $t, t'$ have the same label (say $a$), then they cannot belong to the same state of the net. In fact, transitions with the same label share the same input place $(a, *)$. This place is not a lending one, and has no ingoing arcs, hence only one of the transitions with the same label may happen. The notion of correctly labeled net lifts obviously to contract nets.

Proposition 20. For all PCL contracts $C$, the net $\mathcal{P}(C)$ is correctly labeled.

A relevant property of $\mathcal{P}$ is that it is a homomorphism with respect to contract composition. Thus, since both $\mid$ and $\oplus$ are associative and commutative, we can construct a physical contract from a set of logical contracts $C_1 \cdots C_n$ componentwise, i.e. by composing the contract nets $\mathcal{P}(C_1) \cdots \mathcal{P}(C_n)$.

Proposition 21. For all $C_1, C_2$, we have that $\mathcal{P}(C_1 \mid C_2) \sim \mathcal{P}(C_1) \oplus \mathcal{P}(C_2)$.

In Theorem 23 below we state the main result of this section, namely that our construction maps the agreement property of PCL contracts into weak termination of the associated contract nets. To prove Theorem 23, we exploit the fact that $C$ is a set of provable atoms in the logic iff $(C, \emptyset)$ is a configuration of the associated contract net.

Lemma 22. Let $C = \langle \Delta, A, \pi, \Omega \rangle$ be a PCL contract, and let $\mathcal{P}(C) = (O, A, \pi, \Omega)$. For all $C \subseteq \mathbb{T}$, $\Delta \vdash \bigwedge C$ iff there exists $m \in \mathcal{M}(O)$ such that $\mu(m) = (C, \emptyset)$.

Theorem 23. $C$ admits an agreement iff $\mathcal{P}(C)$ weakly terminates in $\Omega$.

We now specialize Theorem 8, which allows for compositional verification of choreographies. Assuming a choreography specified as a PCL contract $C$, we can (i) project it into the contracts $C_1 \cdots C_n$ of its participants, (ii) construct the corresponding LPN contracts $\mathcal{P}(C_1) \cdots \mathcal{P}(C_n)$, and (iii) individually refine each of them into a service implementation. If the original choreography admits an agreement, then the composition of the services weakly terminates, i.e. it is correct w.r.t. the choreography.


Theorem 24. Let $C = C_1 \mid \cdots \mid C_n$ admit an agreement, with $\Omega_i$ the goals of $C_i$. If $D_i$ refines $\mathcal{P}(C_i)$ for $i \in 1..n$, then $D_1 \oplus \cdots \oplus D_n$ weakly terminates in $\Omega_1 \cup \cdots \cup \Omega_n$.

The notion of urgency in contract nets corresponds to that in the associated PCL contracts (Theorem 25).

Theorem 25. For all PCL contracts $C$, and for all $X \subseteq \mathbb{T}$, $U^X_C = U^X_{\mathcal{P}(C)}$.

Example 11. Recall from Ex. 8 that, for $C = \langle \{a \to b,\ b \twoheadrightarrow a\}, \ldots \rangle$, we have:

$$U^{\emptyset}_C = \{a\} \qquad U^{\{a\}}_C = \{b\} \qquad U^{\{b\}}_C = \{a\} \qquad U^{\{a,b\}}_C = \emptyset$$

This is coherent with the fact that, in the corresponding contract net $N'' \oplus N'$ in Fig. 3, only $a$ is urgent at the initial marking, while $b$ becomes urgent after $a$ has been fired.

7 Related work and conclusions

We have investigated how to compile logical into physical contracts. The source of the compilation is the Horn fragment of Propositional Contract Logic [7], while the target is a contract model based on lending Petri nets (LPNs). Our compilation preserves agreements (Theorem 23), as well as the possibility of protecting services against misbehavior of malevolent services. LPN contracts can be used to reason compositionally about the realization of a choreography (Theorem 24), so extending a result of [21]. Furthermore, we have given a logical characterization of those urgent actions which have to be performed in a given state. This notion, which was only intuitively outlined in [7], is now made formal through our compilation into LPNs (Theorem 25).

Contract nets seem a promising model for reasoning on contracts: while having a clear relation with PCL contracts, they may inherit as well the whole realm of tools that are already available for Petri nets.

The notion of places with a negative marking is not a new one in the Petri nets community, though very few papers tackle this notion, as the interpretation of negative tokens does not match the intuition of Petri nets, where tokens are generally intended as resources. In this paper we have used negative tokens to model situations where actions are in a circular dependency, like the ones arising in PCL contracts. Lending places model the intuition that an action can be performed on a promise, and a negative token in a place can be interpreted as the promise made, which must be, sooner or later, honored. Indeed, the net obtained from a PCL contract is an occurrence net which may contain cycles, e.g. in the net of Ex. 10 the transition $t_1$ depends on $t_3$, which in turn depends on $t_1$ (and to execute $t_1$ we are required to lend a token which is afterwards supplied by $t_3$). In [20] the idea of places with negative marking is realized using a new kind of arc, called debit arcs. Under suitable conditions, these nets are Turing powerful, whereas our contract nets do not add expressiveness (while for LPNs the issue has to be investigated). In [17] negative tokens arise as the result of certain linear assumptions. The relations with LPNs have to be investigated.


Acknowledgments. We thank Philippe Darondeau, Eric Fabre and Roberto Zunino for useful discussions and suggestions. This work has been partially supported by Aut. Reg. of Sardinia grants L.R.7/2007 CRP2-120 (TESLA) CRP-17285 (TRICS) and P.I.A. 2010 ("Social Glue"), and by MIUR PRIN 2010-11 project "Security Horizons".

References

1. M. Abadi, M. Burrows, B. Lampson, and G. Plotkin. A calculus for access control in distributed systems. ACM TOPLAS, 4(15), 1993.

2. M. Abadi and G. D. Plotkin. A logical view of composition. TCS, 114(1), 1993.

3. M. Armbrust et al. A view of cloud computing. Comm. ACM, 53(4):50–58, 2010.

4. M. Bartoletti, T. Cimoli, P. D. Giamberardino, and R. Zunino. Contract agreements via logic. In Proc. ICE, 2013.

5. M. Bartoletti, T. Cimoli, G. M. Pinna, and R. Zunino. An event-based model for contracts. In Proc. PLACES, 2012.

6. M. Bartoletti, T. Cimoli, and R. Zunino. A theory of agreements and protection. In Proc. POST, 2013.

7. M. Bartoletti and R. Zunino. A calculus of contracting processes. In LICS, 2010.

8. L. Bocchi, K. Honda, E. Tuosto, and N. Yoshida. A theory of design-by-contract for distributed multiparty interactions. In CONCUR, 2010.

9. M. Bravetti, I. Lanese, and G. Zavattaro. Contract-driven implementation of choreographies. In Proc. TGC, pages 1–18, 2008.

10. M. Bravetti and G. Zavattaro. Contract based multi-party service composition. In Proc. FSEN, pages 207–222, 2007.

11. M. Bravetti and G. Zavattaro. Towards a unifying theory for choreography conformance and contract compliance. In Software Composition, 2007.

12. G. Castagna, N. Gesbert, and L. Padovani. A theory of contracts for web services. ACM Transactions on Programming Languages and Systems, 31(5), 2009.

13. S. Even and Y. Yacobi. Relations among public key signature systems. Technical Report 175, Computer Science Department, Technion, Haifa, 1980.

14. D. Garg and M. Abadi. A modal deconstruction of access control logics. In FoSSaCS, 2008.

15. T. T. Hildebrandt and R. R. Mukkamala. Declarative event-based workflow as distributed dynamic condition response graphs. In Proc. PLACES, 2010.

16. K. Honda, N. Yoshida, and M. Carbone. Multiparty asynchronous session types. In POPL, 2008.

17. N. Martí-Oliet and J. Meseguer. An algebraic axiomatization of linear logic models. In Topology and category theory in computer science, 1991.

18. C. Prisacariu and G. Schneider. A dynamic deontic logic for complex contracts. The Journal of Logic and Algebraic Programming (JLAP), 81(4), 2012.

19. W. Reisig. Petri Nets: An Introduction, volume 4 of Monographs in Theoretical Computer Science. An EATCS Series. Springer, 1985.

20. P. D. Stotts and P. Godfrey. Place/transition nets with debit arcs. Inf. Proc. Lett., 41(1), 1992.

21. W. M. P. van der Aalst, N. Lohmann, P. Massuthe, C. Stahl, and K. Wolf. Multiparty contracts: Agreeing and implementing interorganizational processes. Comput. J., 53(1), 2010.

22. R. J. van Glabbeek and G. D. Plotkin. Configuration structures. In LICS, 1995.
