Nested Commits for Mobile Calculi: Extending Join

Nested commits for mobile calculi: extending Join(Cover Page)

Authors:Roberto Bruni Dipartimento di Informatica, Universita di Pisa, ItaliaHernan Melgratti Dipartimento di Informatica, Universita di Pisa, ItaliaUgo Montanari Dipartimento di Informatica, Universita di Pisa, Italia

Submission totrack 2 of IFIP-TCS 2004

Corresponding author:First name HernanLast name MelgrattiAffiliation Dipartimento di Informatica, Universit a di Pisa

Address Via F. Buonarroti n.2, 56127 Pisa, ItaliaPhone +39 050 2213146

Fax +39 050 2212726email [email protected]

Abstract: In global computing applications the availability of a mechanism for some form of committedchoice can be useful, and sometimes necessary. It can conveniently handle, e.g., contract stipulation, dis-tributed agreements, and negotiations with nested choice points to be carried out concurrently. We proposea linguistic extension of theJoin calculus for programming nested commits, calledCommittedJoin (cJoin).It provides primitives for explicit abort, programmable compensations and interactions between ongoingnegotiations. We give the operational semantics ofcJoin in the reflexiveCHAM style. Then we discuss itsexpressiveness on the basis of a few examples and of thecJoin encoding of other paradigms with similaraims but designed in different contexts, namelyAKL andZero-Safenets. Finally, we provide a big-stepsemantics forcJoin processes that can be typed asshallow. We show that shallow processes are serializableby proving the correspondence betweenCHAM and big-step semantics.

Keywords: Join calculus, distributed transactions, nested negotiations, compensation on abort, committedchoice languages, zero-safe nets.

Nested commits for mobile calculi:extending Join?

Roberto Bruni, Hernan Melgratti, and Ugo Montanari

Dipartimento di Informatica, Universita di Pisa, Italia.fbruni,melgratt,[email protected]. In global computing applications the availability of a mechanism for some form of commit-ted choice can be useful, and sometimes necessary. It can conveniently handle, e.g., contract stipulation,distributed agreements, and negotiations with nested choice points to be carried out concurrently. Wepropose a linguistic extension of theJoin calculus for programming nested commits, calledCommit-tedJoin (cJoin). It provides primitives for explicit abort, programmable compensations and interactionsbetween ongoing negotiations. We give the operational semantics ofcJoin in thereflexiveCHAM style.Then we discuss its expressiveness on the basis of a few examples and of thecJoin encoding of otherparadigms with similar aims but designed in different contexts, namelyAKL andZero-Safenets. Finally,we provide a big-step semantics forcJoin processes that can be typed asshallow. We show that shallowprocesses are serializable by proving the correspondence betweenCHAM and big-step semantics.

1 Introduction

In recent years, wide area network computing, web programming, and, more generally,global comput-ing (GC) are attracting the interest of many researchers in an attempt of laying the foundations for largelydistributed applications. Such applications often require a coordination layer to orchestrate their compo-nents, which are designed and implemented separately, run on different platforms and communicate asyn-chronously (e.g. e-commerce or on-line auction systems). Though orchestration can be interpreted as theatomic execution of certain control activities (e.g. in terms of transactions, like in [15,6]), more generally,the problem is that of committing the results of long distributed decision processes as soon as the par-ticipants reach partial agreements (also calledcontractsor negotiations). In this context the terminology“commit” is maybe more appropriate than “transaction” because the ordinaryACID (Atomicity, Consis-tency, Isolation, and Durability) properties of transactions must be relaxed. For example, regarding atomic-ity, the fact that local commits are executed in all sites at the same time can hardly be ensured in a largelydistributed system.

Process description languages(PDLs), e.g. theπ-calculus [13], are mathematical models of computationdesigned for isolating and studying phenomena that can occur in concurrent languages. In the spirit ofPDL,it would be desirable to extend well-known calculi with primitives for distributed nested commits. Two keyoperations are the “abort with compensation” (e.g., to stop a negotiation when some participants withdrawtheir interest in carrying out the contract) and the “commit” (to store a partial agreement before movingto the next phase of a long negotiation). In this paper we propose a linguistic extension, calledCommittedJoin (cJoin), for theJoin calculus, a well-knownPDL which has running distributed implementations, e.g.Jocaml [9] andPolyphonic C℄ [1]. The design ofcJoin is guided by the intuitive requirements (i)–(vi) below.

Contracts are decision processes distributed on several nodes, each with the possibility of consultingboth local and global resources and generating local sub-contracts (e.g. modeling decisions internal to anorganization). However: (i) each internal sub-decision should not be made public before a common agree-ment is achieved, therefore only local resources should store such information; (ii) global resources might? Research supported by the MSR Cambridge Project NAPI, by the FET-GC Project IST-2001-32747 AGILE, by the

MIUR Project COFIN 2001013518 COMETA, and by the MURST-CNR 1999 Project,Software Architectures onCooperative WAN.

2 R. Bruni, H. Melgratti, and U. Montanari

be made available to partners upon commits, marking the conclusion of some contract; (iii) decision pro-cesses can be aborted, in which case all participants should be informed and suitable compensation pro-cedures should be activated (e.g., upon a failure, new attempts for finding an agreement can be initiated) ;(iv) though divergence is possible in principle, well designedGC applications should guarantee that eachcontract eventually leads to an abort or a commit; (v) when two processes involved in separate negotiationsexchange some information, then their contracts should be merged into a unique one. Similarly, new par-ticipants should be allowed to dynamically join an ongoing contract, taking part in the final decision. Aparticipant interested in carrying out two separate contracts should instead be able to emit two independentagents, carrying out the two negotiations autonomously in a concurrent way. From what said above, (vi)it should be possible to have nested contracts. In general, an internal abort can be compensated in such away that the main contract can be successfully completed. On the other hand, a failure of the main contractshould cause the abort of all ongoing internal activities.

The operational semantics ofcJoin is given in thereflexiveCHAM style introduced in [10]. Moreover,we define a big-step semantics for a sub-calculus of serializable processes, calledshallowprocesses. Weare interested onserializability, which is a standard requirement about correct executions of concurrenttransactions, because it allows us to reason about a system at different levels of abstractions by consideringtransactions as single transitions at the abstract level. We show that shallow processes are serializable incJoin by proving a correspondence betweenCHAM and big-step semantics.

In this paper we also compare the features ofcJoin against those of other two paradigms with similaraims, namelyAKL [12] andZero-Safenets (ZS nets) [7]. A commit incJoin resembles that of theAKL , e.g.it takes place when a local activity ends (i.e., when a guard is proved) and it makes local results availableto the rest of the system (i.e., local constraints are promoted to the global environment). Our interest inZS

nets is mainly due to the fact that they naturally model multi-way transactions and can be implemented inJoin by using a fullydistributed two-phase commit protocol[6].

Synopsis.In § 2 we recall the principles of theCHAM and the syntax and semantics ofJoin. CommittedJoin is introduced in § 3. In § 4 we illustrate the main features ofcJoin by showing a simple application forbooking trips and the encoding ofAKL . The implementationZS nets is presented in § 5. Finally, we studyserializability in § 6. For referees’ convenience, proof of main results are sketched in Appendices A–C.

2 Background

2.1 The Chemical Abstract Machine

TheCHAM was proposed in [3] as a suitable framework to model concurrent computations. Basically, states(calledsolutions) are finite multisets of terms (calledmolecules), and computations are multiset rewrites.Multisets are written asm1; : : : ;mn. Consequently, ; is associative and commutative. We usually abbrevi-atem1; : : : ;mn withi mi . Solutions can be structured in a hierarchical way by using the operatormembranef[:℄g, grouping a solution into a molecule. In [3] molecules can also be built by usingairlock constructor,but it is not needed in our presentation.

Transformations are described by a set ofchemical rules, which specify how solutions may react. In aCHAM there are two different kinds of chemical rules:Heating / cooling(or structural) rules� representingsyntactical rearrangements of molecules in a solution, andreactionrules! stating basic computation steps.Structural rules are reversible: a solution obtained by applying a cooling rule can be heated back to theoriginal state, and vice versa (those rules closely correspond to the usual notion of structural congruencebetween terms). On the other hand, reaction rules cannot be undone.

The laws that ruleCHAM computations state that whenever an instance of a left-hand-side of a rule isfound into a solution, it can be replaced by the corresponding instance of the right-hand-side. ChemicalrulesS1! S2 have no premises and are purely local, specifying only the part of the solution that actuallychanges. Consequently, they can be applied freely in every solutionS;S1! S;S2 (chemical law) and also

Nested commits for mobile calculi: extending Join 3

(PROC)P;Q ::= 0 j xh~yi j def D in P j PjQ

(DEF)D;E ::= J.P jDÊ

(PAT)J;K ::= xh~yi j JjK (STR-NULL ) 0 �

(STR-JOIN) P jQ � P;Q(STR-AND) D ^ E � D;E(STR-DEF) def D in P � Dσdn(D);Pσdn(D)(with range(σdn(D)) globally fresh)(RED) J.P;Jσ ! J.P;Pσ

Fig. 1. Join Calculus. (a) Syntax. (b) Semantics.

dn(xh~yi) = fxg dn(JjK) = dn(J)[dn(K)dn(J.P) = dn(J) dn(DÊ) = dn(D)[dn(E)rn(xh~yi) = f~yg rn(JjK) = rn(J)[ rn(K)

fn(DÊ) = fn(D)[ fn(E) fn(J.P) = dn(J)[ (fn(P)nrn(J))fn(0) = /0 fn(xh~yi) = fxg[f~yg

fn(PjQ) = fn(P)[ fn(Q) fn(def D in P) = (fn(P)[ fn(D))ndn(D)Fig. 2. Defined, received, and free names.

in sub-solutions, e.g.f[S;S1℄g ! f[S;S2℄g. In particular, they can be nested at any level of the hierarchicalstructure of the chemical solution. Note that, since solutions are multisets, rules can be applied concurrently.

2.2 The Join calculus

The Join calculus [10] is a PDL with asynchronous name-passing communication and it has the sameexpressive power as the asynchronousπ-calculus.Join relies on an infinite set of namesx;y; :::;u;v; :::. Nametuples are written~u. Join processes, definitions and patterns are given in Figure 1(a): Aprocessis either theinert process 0, the asynchronous emissionxh~yi of message~y on portx, the processdef D in P equippedwith local ports defined byD, or a parallel composition of processesPjQ. A definitionis a conjunction ofelementary reaction rulesJ.P that associatejoin-patterns Jwith guarded processes P. Names introducedby the definitionD of def D in P are bound in the whole processP as well as in the guarded processescontained inD. The sets of defined namesdn, received namesrn and free namesfn are defined in Figure 2.

The semantics of theJoin calculus relies on thereflexiveCHAM. It is called reflexive because active re-action rules are represented by molecules present in solutions, which are activated dynamically. Molecules,generated bym ::= P j D, correspond to terms of theJoin calculus denoting processes or definitions.The chemical rules are shown in Figure 1(b). We remind that all reactions can be applied inside any largersolution surrounded by membranes. A processP can start its computation when is put into a solution, i.e.the initial state has the formf[P℄g. RuleSTR-NULL states that 0 can be added or removed from any solution.RulesSTR-JOIN and STR-AND stand for the associativity and commutativity ofj and^, because ; issuch.STR-DEF denotes the activation of a local definition, which implements a static scoping discipline byproperly renaming defined ports byglobally freshnames. A namex is fresh w.r.t. a processP (respectivelya definitionD) if x 62 fn(P) (resp.x 62 fn(D)). Moreover,x (respectively a set of names) is fresh w.r.t. asolution if it (resp. every name) is fresh w.r.t. every term in the solution. We write the substitution of namesx1 : : :xn by namesy1 : : :yn asσ = fy1:::yn=x1:::xng, with dom(σ) = fx1; : : : ;xng andrange(σ) = fy1; : : : ;yng.We indicate withσN an injective substitutionσ such thatdom(σ) = N. We require names to be globallyfresh, which means fresh w.r.t the implicit context in which rule is applied. Note that the version consideringcontext would bei mi ;def D in P � i mi ;Dσdn(D);Pσdn(D) where range(σdn(D))\ f n(i mi) = /0:

Consider, for instance, the solutionf[zhx;zi;def xhyi.zhy;xi in xhai℄g, whose second molecule containsa local definition ofx different from the homonym (free) port in the first molecule. WhenSTR-DEF is


dno(DÊ) = dno(D)[dno(E) dno(J.P) = dn(J) dno(JI P) = /0dnm(DÊ) = dnm(D)[dnm(E) dnm(J.P) = /0 dnm(JI P) = dn(J)

Fig. 3.Ordinary and merge names.

applied, the local definition ofx is renamed by using a fresh name, obtaining, for instance, the solutionf[zhx;zi;x1hyi.zhy;x1i;x1hai℄g.Finally, RED describes the use of an active reaction rule (J.P) to consume messages forming an instance

of J (for a suitable substitutionσ, with dom(σ) = rn(J)), and produce a new instancePσ of its guarded pro-cessP. By applyingRED for σ = fa=yg, the previous solution reduces tof[zhx;zi;x1hyi.zhy;x1i;zha;x1i℄g.Note that the local portx1 has been extruded because it appears in a message on the free channelz.

3 Committed Join

In this section we presentcJoin, its CHAM semantics and compare its features against the informal require-ments (i)-(vi) in the Introduction.

3.1 Syntax

We extend the syntax of the join calculus by adding terms to denote negotiation processes. They are repre-sented by[P : Q℄, whereP is the normal execution of the activity andQ is its compensation, to be executedin the case of an abort. A negotiation process is executed in isolation until reaching either a commit state oran abort condition. In the case of commit, the result is delivered to the outside, whereas its compensationis given control in the case of abort. The abort decision is caused by the presence of the special constantabort. A process can define the creation of new negotiations by using reaction rules such asJ. [P : Q℄, i.e.,a rule that would produce a new instance of the negotiation processP with compensationQ. To allow in-teractions among ongoing negotiations we introduce a new kind of reaction rules, calledmerge definitions.These definitions have the formJ I P and allow the consumption of messages produced in the scope ofdifferent contracts by joining all participants to such negotiations in a unique larger one.

The following grammar defines processes and definitions. In order to further simplify the description,we syntactically distinguish processes without definitions, i.e., a parallel composition of messages (M),from processes that can contain definitions (P).

M;N ::= 0 j xh~yi j MjNP;Q ::= M j abort j def D in P j [P : Q℄ j PjQD;E ::= J.P j JI P jDÊJ;K ::= xh~yi j JjK

The definition of fn is extended withfn(abort) = /0, fn([P : Q℄) = fn(P) [ fn(Q) and fn(J I P) =dn(J)[ (fn(P)nrn(J)). For definitionD, we redefinedn(D) = dno(D)[ dnm(D), wheredno denotes thedefined ordinarynames anddnm thedefined mergenames (Figure 3). We assume names introduced by ordi-nary patterns different from names appearing in merge patterns, i.e.,dno(D)\dnm(D) = /0 holds for everydefinitionD.

3.2 Operational Semantics

The operational semantics ofcJoin is defined in the reflexiveCHAM style. Moleculesm and solutionsSaregiven by the following grammar:

m ::= P j D j xPy j f[S℄g S::= m j m;S


STR-NULL 0 �STR-JOIN P jQ � P;QSTR-AND D ^ E � D;ESTR-DEF def D in P� Dσdn(D);Pσdn(D) (range(σdn(D)) globally fresh)RED J.P;Jσ ! J.P;Pσ

STR-CONT [P : Q℄ � f[P;xQy℄gCOMMIT f[Mjdef D in 0;xQy℄g ! MABORT f[abortjP;xQy℄g ! QMERGE J1j : : : jJn I P;Nif[Jiσ;Si ;xQiy℄g ! J1j : : : jJn I P;f[Ni Si ;Pσ;xQ1j : : : jQny℄g

Fig. 4. Operational semantics ofcJoin.

As in ordinaryJoin, processes and definitions are molecules. Additionally, we consider molecules ofthe formxPy denoting compensations that are frozen inside a solution. The chemical rules are in Figure 4.The first five chemical rules are the ordinary ones forJoin. RuleSTR-CONT describes how a term denotinga contract corresponds to a sub-solution consisting of two molecules: the processP and its compensationQ, which is frozen (because the operatorx:y forbids the enclosed process to compute).

COMMIT can be executed only when all internal computations have finished, i.e., all participants havedone their tasks reaching a (local) state that does not contain locally defined names, which would representinternal states of a negotiation. In this way, a commit means clean termination, where all names denotinginternal states of contracts have been consumed. Note that all definitions belonging to a contract can bediscarded at commit time, because the messages that are being released do not contain those names, andthose names cannot be extruded. Additionally, the compensation procedure is discarded at commit time.Note that a negotiation cannot commit whenabort is within the solution. In fact, a processP� abort j P 0cannot reduce toM j def D in 0 becauseabort is not a message. On the other hand, abort condition ishandled withABORT, which states that whenabort is part of a solution the compensation can be released.Compensations are not predefined to be executed atomically. Nevertheless, as they are ordinary processes,they can be defined by the programmer as negotiations themselves.

Interactions among negotiations are specified by ruleMERGE, which consumes messages from differentcontracts and creates a new larger negotiation by combining the definitions and messages of the originalones with a new instance of the guarded processPσ, wheredom(σ) = rn(J). Special attention should be putat merging negotiations in order not to capture names among local definitions belonging to different nego-tiations. Name clashes are avoided by imposing the following side conditiondn(Si)\ (dn(Sj)[ fn(Sj)) = /0for i 6= j. However, if we are guaranteed thatSTR-DEF generates globally fresh names (and not just lo-cally fresh names) then this side condition can be safely omitted, as it is trivially satisfied. Additionally, thecompensation for the joint negotiation is the parallel composition of all the original compensations.

In the case of nested contracts only negotiations at the same level can be joined. In practice, it might beuseful to have the possibility of applying a top merge definition at an arbitrary depth in the hierarchy of thechemical solution. To this purpose, the ruleSTR-MOVE below might be added, so that merge patterns couldfloat across contract boundaries, and sibling sub-contracts could be merged using a global merging rule.

STR-MOVE JI P;f[S℄g� f[JI P;S℄gIt should be noted that previous reduction rules do not consider stall situations. Consider for instance

the following process[def xhijyhi.0 in xhi : Q℄, clearly the negotiation cannot compute, because there areno active reaction rules to apply. Neither it can commit, because there is a message (xhi) on a local port.In this situation the contract is blocked and should be aborted. Some of these situations can be recognizedand handled locally to promote the abort (i.e., when no local rules can be applied). These situations canbe represented by ad hoc rules or by a general rule to generate nondeterministically the abort (situationsthat real implementations typically handle with timeouts). Nevertheless, we cannot expect to axiomatize


stall situations because it would mean to write axioms recognizing a non-termination condition, which is anundecidable problem. On the other hand, we do not want to limit the expressiveness of the language.

Proposition 3.1. cJoin is a conservative extension ofJoin.

With respect to the informal requirements discussed in the Introduction, we have that, as expected,membranes are exploited to define the boundaries of negotiations. Process likePj[P1j[P2 : Q2℄j[P3 : Q3℄ : Q1℄straightforwardly model sub-negotiations. The decisions taken internally byP2 can influenceP3 only if somemerging definition is available at the level ofP1, in which case the sub-negotiations would be joined together.In absence of merge definitions, global and local resources are kept separate in each sub-negotiation. Thecommit ofP2 can only happen when the internal state contains only global resources . At commit time, theresult of the negotiation is made available toP1. An abort generated inP2 activates the compensation atQ2 at the level ofP1, neither forcing the abort of any other sub-negotiations (P3) nor the abort of the maincontract (P1). Note that if[P2 : Q2℄ was the result of the merging of several negotiations, thenQ2 is the unionof all the compensations of the participants. SinceJoin is Turing complete, nontermination is undecidable,and it is left to the programmer’s skill to design applications that eventually lead to an abort or a commit.

An important restriction is that local resources cannot cross negotiations boundaries and made known tosiblings sub-negotiations. The only way to exchange information between siblings sub-negotiations is viamerging definition, that however merge all participants into a unique negotiation that must then commit orabort (or diverge) as such.

4 Examples

4.1 Trip booking

The goal of the first example is to show the encoding of a common application incJoin. It shows how threecomponents can interact in order to allow a customer to book flights and accommodations. We model thehotel component as follows:

H � def WaitBookinghi . [def requesthoi . oh$i j priceh$i^ priceh$i j confirmhvi . BookedRoomhvi^ priceh$i . abortin offerRoomhrequest;confirmi : Q℄^ BookedRoomhvi.R in WaitBookinghi j : : :

The definition of H includes a rule that creates a negotiation to attend a customer request. This nego-tiation begins by publishing in the merging portofferRoomthe names of the services a client should useto make a reservation (i.e.,requestto ask for a quote andconfirm to accept an offer). For simplicity, weuseBookedRoomto denote the change in the state of the hotel component when a successful reservationends (performed byR). The Airline component (A) can be written similarly but using the merging nameofferFlight to publish services instead ofofferRoom. The component Customer C can be written as below.

C � def BookHotelhi . [def HotelMsghr;ci .def offerh$i . chvisai j hotelOKhhConfi^ offerh$i . abort^ hConfhi . HotelFoundhiin rhofferi in searchRoomhHotelMsgi : Q0℄^ BookFlighthi . [def FlightMsghr;ci .def offerh$i . chvisai j flightOKhfConfi^ offerh$i . abort^ fConfhi . FlightFoundhiin rhofferi in searchFlighthFlightMsgi : Q00℄^ flightOKhfci j hotelOKhrciI fchi j rchi

in BookHotelhi j BookFlighthi j :::


This component defines two different rules for creating negotiations, one for booking rooms and theother for buying flight tickets. Both processes are quite similar. In particular, the negotiation for bookinga room starts by sending a message to the merging portsearchRoomin order to get the appropriate namesfor interacting with a hotel. These names will be received as a message on the local portHotelMsg. Whensuch message arrives, a request for a quote is sent to the portr, which has been defined and publishedby the component H to attend client requests. After that, a particular offer from the hotel will be receivedas a message onoffer. Whether the customer accepts or not a particular quote is modeled by the multiplereaction rules for the patternofferh$i. A customer can confirm a received offer using the namec receivedearlier, i.e. the local port where the hotel negotiation expects a confirmation. Additionally, to be sure thatalso flight tickets were found before committing, a messagehotelOKhhConfi is produced to wait until aflight can be successfully booked. This message will be managed by the merging rule defined in C. Thecontract will be blocked until a running negotiation for buying flight tickets sends a message toflightOK.At this time, the merging definition can be fired and both contracts merged. Eventually the negotiation willcommit by releasing the messages onHotelFoundandFlightFound, which denote changes in the state of thecustomer. The process representing the whole system (including the rules for merging requests and offersof services) can be written as below

def searchRoomhhmi j offerRoomhr;ci I hmhr;ci^ searchFlighthfmi j offerFlighthr;ciI f mhr;ci in H j A jC4.2 Andorra Kernel Language

AKL [12] is a concurrent logic programming language that includes the Prolog and committed choice lan-guages (for referees’ convenience, a short description ofAKL is in Appendix D). In this section we showhow nested agreements and merging definitions can encode some computational features ofAKL . We con-sider guarded rules of the formA G j B, where thehead Ais an atom, theguard Gand thebody Bare(possibly empty) sequences of atoms, andj is the commit operator. AnAKL programP is a list of guardedrules. An execution ofP is initiated by providing agoalG , which is a conjunction of atoms. AcJoin processthat simulates the behavior ofP starting fromG is:

def D^ Jdefs(P )K^ Jundef(P )K in Jand(G)KtrueG; f alseGj unifhfinal; trueiwhereD is a set of general definitions (described later in this section),defs(P ) is a partition ofP , whereevery class contains all rules ofP that define a particular atom. For instance,defs(A j;A jB;B j) = fA j;A jBg;fB jg. Additionally, undef(P ) denotes the set of all atoms appearing inP forwhich there are not defining rules, i.e., atoms whose proof will fail. Constraints or unifiers are encodedconveniently ascJoin processes, and denoted byθ, and we usetrue for the empty set. We will denote theconstraints associated to a particular running proof byunifhfinal;θi.

Roughly, program rules are encoded as definitions that consume a message denoting an atom to beproved and producing new processes denoting the parallel proofs of the guarded goals of its defining rules.When the whole proof completes successfully, both messagestrueGhi and f inalhθi signal the completionof the proof ofG for the computed constraintsθ. Otherwise, the messagefalseGhi is sent to notify thatGcannot be proved. Encoding rules for program clauses and goals are given in Figure 5.

An atomA defined by program rulesA B1 j C1; : : : ;A Bn j Cn is encoded as a merging rule thatsubstitutes a tokenJAKt;f by the proof of its defining rules in a choice-configuration. Instead, an undefinedatom is encoded as a rule that always fails.

A conjunctionand(A1; : : : ;An) is encoded as a process that activates a negotiation containing the par-allel composition of atoms that should be proved, i.e. theJA iKti ; fi that can activate the proof of individualsub-atoms in the conjunction. Additionally, the negotiation contains the constraints that have been com-puted locallyunifhw;θi corresponding to the proof of the conjunction. Note that every sub-proof initiated


(DEF) JA B1 jC1; : : : ;A Bn jCnK = JAKt;f I Jchoice(B1 jC1; : : : ;Bn jCn)Kt;f(UNDEF) JAK = JAKt;f I f hi(GOAL) JAKt;f = Aht; f i(AND) Jand(A1; : : : ;An)Kt;f = def andhi. [def whi.0^ jji21::n tihi.provedhwi j thiV

i21::n fihi.andhi j failedhi...Rules for handling abortion...

in jji21::n JAiKti ; fi j unifhw;θi : f hi℄in andhi

(CHOICE) Jchoice(A1jB1; : : : ;AnjBn)Kt;f = defV

i21::n ihi. Jand(Bi)Kt;fin [def jji21::n fihi j provinghi.abortV

i21::n tihi j provinghi. ihi j chosenhi...Rules for handling abortion...

in jji21::n Jand(Ai)Kti ; fi j provinghi : f hi℄Fig. 5.Encoding of AKL committed rules.

(1) unifhw;θiI [unifhw;θi : unifhw;θi℄ (2) unifhw;θi j provedhwiI tellhw;θi(3) failhiI abort (4) tellhw;θ1i j unifhz;θ2iI andhθ1;θ2;z; faili

Fig. 6. Constraint handling rules.

by JAiKti ; fi eventually will end by notifying its successful or failed termination by using portst i and fi ,respectively. Rulewhi . 0 is a convenient way to define a local identifier for the negotiation and has nocomputational meaning. The second rule handles the case when all sub-proofs end successfully: messagethi is produced to signal the successful proof of the conjunction, although it is not released until the com-mit; provedhwi is generated to activate the promotion of the computed constraints (rules for promotion aredefined inD and are explained below). The last set of rules defines the behavior of a contract when one ofthe sub-atoms reports a failure, i.e., a message on a portf i is received. In this case, all running sub-contractsshould be aborted and the contract should commit by releasing the activation of another instance of thewhole negotiation. Note that instead of reporting a failure, a new activation of the proof is generated be-causecJoin is not aimed at providing mechanisms for exhaustive search, and consequently we cannot assurethat different possibilities for evaluating subgoals are explored in a proper manner.

A choice-configurationchoice(A1jB1; : : : ;AnjBn) is encoded as a process that starts a contract containingthe parallel proof of all guardsAi . Differently fromand, the whole negotiation in choice-configuration canend as soon as one of the parallel proofs completes successfully (t ihi j provinghi . ihi j chosenhi). In thiscase, the produced messageihi, which will be released at commit, identifies the body corresponding to therule whose guard has been proved. Additionally, messagechosenhi activates the abortion of all runningsub-contract. The remaining definitions handle the abortion and the consumption of messages notifying thefailed termination of aborted sub-proofs. The whole contract produces at commit time only one messageihi, which will activate the corresponding bodyJand(Bi)Kt;f . At this point, one rule has been chosen (i.e.committed) and the final result for the whole choice-configuration depends on the result of the execution ofJand(Bi)Kt;f , i.e. the body of the committed choice.

The rules for merging constraints are presented in Figure 6. Rule (4) describes the activation ofand, aprocess that computes atomicallyθ1^θ2. If θ1 andθ2 are consistent, it will produceunifhz;θ1^θ2i; if not,the computation will finish withfailhi. Consider the following negotiation that is ready to promote its localconstraints[def : : : in unifhw;θ0i jprovedhwi j truehi : failhi℄ junifhz;θi (by (2) reduces to)[def : : : in tellhw;θ0i j truehi : failhi℄ junifhz;θi (by (1) and (4) reduces to)[def : : : in andhθ0;θ;z; f aili j truehi : unifhz;θi j failhi℄:


(FIRING)

S+Z [i S0+Z0 2 T(S+S00;Z+Z00)!T (S0+S00;Z0+Z00) (STEP)(S1;Z1)!T (S01;Z01) (S2;Z2)!T (S02;Z0

2)(S1+S2;Z1+Z2)!T (S01+S02;Z01+Z0

2)(CONCATENATION)(S1;Z)!T (S01;Z00) (S2;Z00)!T (S02;Z0)(S1+S2;Z)!T (S01+S02;Z0) (CLOSE)(S; /0)!T (S0; /0)(S; /0))T (S0; /0)

Fig. 7.Operational semantics ofZS nets (+ denotes multiset union).

Whenθ andθ0 are consistent, the last process reduces to[def : : : in unifhz;θ0^θi j truehi : unifhθi j failhi℄and finally it can commit and releaseunifhz;θ0^θi, i.e., the updated constraints for the enclosing solution,andtruehi, i.e., the notification that the sub-goal has been proved. On the other hand, whenθ andθ 0 are notconsistent the messagefailhi will be produced and then, by rule (3), theabortcan be generated. In this casethe negotiation may abort by releasing its compensationunifhz;θijfailhi, which will restore the originalconstraints and notify failed termination of the proof.

5 Encoding Zero-Safe nets

Zero-safe nets (ZS nets) have been introduced to model transactions in concurrent systems [7]. The basicmodel extends Place/Transition Petri nets (PT nets) with a mechanism for expressing serializable concur-rent (multiway) transactions. Recently, they have been used in [6] to encode short-running transactionsof Microsoft BiztalkR , a commercial workflow management system [15].ZS nets additionally providesa “dynamic” specification of transactions boundaries (as opposed to the “static” one of BizTalk) support-ing multiway transactions, which retain several entry and exit points, and admit a number of participantswhich is statically unknown. Nevertheless,ZS nets are not suitable to express some interesting aspects ofnegotiations in global computing, such as mobility, programmable compensations and nesting.

We recall that, in Petri nets,placesare repositories oftokens(i.e. resources, messages) andtransitionsfetch and produce tokens. Net configurations, calledmarkings, are multisets of places, recording the numberof tokens available. The places of zero-safe nets are partitioned into ordinary and transactional ones (calledstableandzero, respectively). Correspondingly, markingsU can be seen as pairs(S;Z) with U = S+Z,whereS andZ are the multisets of stable and zero resources, respectively. Transitions are writtenU [iU 0,with U andU 0 multisets of stable and zero places. A transaction goes from a multiset of stable places (stablemarking) to another stable marking. The key point is that stable tokens produced during a transaction aremade available only at commit time, when no zero tokens are left. We write(T;S) for a ZS net with set oftransitionsT and initial stable markingS.

The operational semantics ofZS nets is defined by the two relations)T and!T in Figure 7. RulesFIRING andSTEPare the ordinary ones for Petri nets, for the execution of one/many transition(s). However,sequences of steps differ from the ordinary transitive closure of!T : The ruleCONCATENATION composeszero tokens in series but stable tokens in parallel, hence stable tokens produced by the first step cannot beconsumed by the second step. Transactions are step sequences from stable markings to stable markings,whenCLOSE can be applied. The moves(S; /0))T (S0; /0) define all the atomic activities of the net, andhence they can be performed in parallel and sequentially as the transitions of an ordinary net. It is worthnoting that a step(S; /0))T (S0; /0) can be itself the parallel composition of several transactions (by ruleSTEP).

In this section we show thatZS nets can be straightforwardly encoded incJoin. A distributedJoin im-plementation ofZS nets has been already presented in [6]. However, the encoding inJoin is complicated bythe need of creating a local manager for each transition and implementing the commit and abort protocols.


As done in [6], and without loss of generality, we restrict to nets made with the basic shapes in Figure 8(a)(which are as expressive as the general nets), forE any stable place ande;e1;e2 any zero places.

The translation in Figure 5 associates acJoin definition with each basic shape of transitions. Places areseen as ports and tokens as messages. Tokens in stable places carry no value, while tokens in zero placescarry the identifier of the transaction they belong to. ForT the set of transitions andS the initial state ofthe ZS nets, we letJTK = Vt2TJtK and then consider thecJoin processdef JTK in JSK, which consists ofthe translation of the initial markingS in the environment containing all the definitions associated withtransitions inT. Note that transitions whose pre-sets contain zero places are translated as merge definitions,otherwise as ordinaryJoin definitions. This is because zero places serve for orchestration, while stableplaces are the main resources.

A transaction can be opened by firing a transition of the formE open e. In cJoin, this means open-ing a new negotiation whose internal state contains the definition of a fresh namez (the identifier of thetransaction), the messageehzi, and whose compensation is set by default to give back the stable resourcesconsumed so far (Ehi). The dummy definitionzhi .0 declares a local identifierz, similar tow in the rule(AND) in Figure 5. Sincee is a name defined externally via merge definitions, then the reactionMERGEcanbe used to compute inside negotiations and merge them. When two transactions are merged by applyinge.g.e1hz1ije2hz2i I ehz1i, then the identifiersz1 andz2 become part of the same transaction and have thesame scope, becoming equivalent identifiers for the same larger negotiation. When computing inside a ne-gotiation, each zero token carries one of the (possibly many) equivalent identifiers for that negotiation. Inthe given definition we arbitrarily usez1 to identify the larger negotiation (we could have usedz2 as well). Ifstable messagesEhi are released inside the negotiation, e.g., by firinge lose E, then they cannot be useduntil commit, because all the rules that can consume them are outside the negotiation boundaries, in the topchemical soup. The commit can happen if and only if the negotiation reaches a local state containing onlystable messagesEhi and definitions of transactions identifiers. Then, the reactionCOMMIT can take place,closing the negotiations and releasing the stable tokens to the top level. SinceZS nets cannot be nested, thechemical ruleSTR-MOVE is useless.

The following result assures the correctness and completeness of our encoding.

Theorem 5.1. (S; /0))�T (S0; /0) iff def JTK in JSK!� def JTK in JS0K.

The main behavioral difference between thecJoin encoding in Figure 5 and theJoin encoding in [6]relies on the treatment of failures, as here no abort can be generated (and consequently compensationscannot be activated). A possible solution would be to add atimeoutcomponent each time a new negotiationis open, which is able to produce the abort via the ruleA = timeouthi I abort. In this case, we should letJE open eK= Ehi. [def zhi.0 in ehzijtimeouthi : Ehi℄ and encode the netN = (T;S) asdef A^ JTK in JSK.6 Serializability and Big-Step Semantics

Traditionally, any concurrent executionT1 jj : : : jj Tn of severalACID transactions is considered correct if itis serializable, i.e., if there exists a sequenceTi1; Ti2; : : : ;Tin that executes all transactions one at a time(without interleaving steps from different transactions) and produces the same result [2]. Serializabilityallows to reason about the behavior of a system by considering just the execution of one transaction at atime provided that transactions do not interfere each other. The semantics ofcJoin presented in Figure 4allows the cooperation among several negotiations. Nevertheless, we would like to be able to reason aboutthe behavior of a process by analyzing interacting negotiations independently from the rest of the system.

Serializable transactions can be described in an abstract representation of a system as single transitionsbetween stable states, i.e., from the state that begins a transaction to the state obtained after the commit.By analogy, we would like to think about a set of cooperating negotiations as a transition mapping the stateprevious to the independent creation of each cooperating negotiation to the state obtained after the jointcommit. Moreover, we would like this property to hold at every level of the nesting hierarchy. Therefore, we


E e1 eopen al forke

Eopenee2

e1 al e2

e1 e2eforke1;e2

e1 e2 e ejoin lose drope

e1;e2joineE

e loseE edrop(a) Basic shapes ofZS nets

JE open eK ::= Ehi. [def zhi.0 in ehzi : Ehi℄Je1 al e2K ::= e1hziI e2hziJefork e1;e2K ::= ehziI e1hzije2hziJe1;e2 join eK ::= e1hz1ije2hz2iI ehz1iJe lose EK ::= ehziI EhiJedrop K ::= ehziI 0JEK ::= EhiJS1+S2K ::= JS1KjJS2K(b) Translation of basic shapes and markings.

Fig. 8.Encoding ofZS Nets in CJOIN.

will consider negotiations to be serializable when the start of a sub-negotiation can be postponed until all thecooperating sub-negotiations needed to commit can be generated inside its parent negotiation. After beingcreated, all interacting sub-negotiations compute isolated from the system, although interactions amongthem are possible by exploiting merge definitions. Well-programmed negotiations eventually will decideto commit or abort, producing a stable state. At the abstract level, those computations can be viewed astransitions starting with the consumption of messages needed to initiate all interacting sub-negotiations andfinishing by generating all processes released at commit or abort.

In this section we introduce a syntactical restriction on processes, calledshallowness, that guaranteesserializability. We characterize serializability by giving the big-step semantics of shallow processes.

Definition 6.1 (Shallowness).Thenesting degreenest(P) of a process P is defined by:

nest(0) = nest(abort) = nest(xhyi) = 0 nest([P : Q℄) = nest(P)+1nest(def D in P) = nest(P) nest(P jQ) =maxfnest(P);nest(Q)g

A process P isshallowif any basic definition D in P satisfies one of the two conditions:

1. D� J.P, where nest(P) = 0 or P= [R : Q℄ and nest(RjQ) = 02. D� JI P and nest(P) = 0

We refer definitions in shallow processes asshallow definitions. Moreover, we call a processP stableiff P is shallow andnest(P) = 0.

Shallow property imposes a discipline for activating sub-negotiations. In particular, condition 1 assuresthat the firing of an ordinary rule increases the height of the nesting structure by at most one level. Moreover,every definition produces just stable processes or a unique sub-negotiation without nesting sub-contracts.The second condition forbids the creation of sub-negotiations and merging of negotiations at the same time.This prevents the possibility of postponing the activation of the created sub-negotiations until all interactingsub-negotiations could be activated.

Shallow condition forbids rules such asJ1.P j [P1 : Q℄ andJ2. [[P1 : Q1℄ : Q℄. Nevertheless, they can beeasily encoded as shallow definitions by using new local ports. For instance, the previous examples can bewritten respectively asD1� J1.xhijP ^ xhi. [P1 : Q℄ andD2� J2. [def xhi. [P1 : Q1℄ in xhi : Q℄. It shouldbe clear that we are not limiting the nesting depth of a running negotiation. In fact, the shallow processdef D2 in J2σ reduces todef D2 in [def xhi. [P1σ : Q1σ℄ in xhi : Qσ℄, and then todef D2 in [def xhi. [P1σ :Q1σ℄ in [P1σ : Q1σ℄ : Qσ℄, which has nested negotiations.


(PAR)

D ` P _ D ` P 0 D ` Q _ D ` Q 0D ` P j Q _ D ` P 0 j Q 0 (SEQ)

D ` P _ D ` P 00 D ` P 00 _ D ` P 0D ` P _ D ` P 0

(GLOBAL FIRING)

D ^J.P ` Jσ _ D ^J.P ` Pσ

(LOCAL FIRING)eB ` S _ eB ` S 0D ^B ` [S : Q ℄ _ D^B ` [S 0 : Q ℄

(MERGE)

D ^jji Ji I S ` jji [Di ` Jiσ j Si : Qi ℄ _ D ^jji Ji I S ` [ViDi ` (jji Si )j Sσ : jji Qi ℄(LOCAL COMMIT)

D ` [M jD 0 ` 0 : S ℄ _ D `M(ABORT)

D ` [abortjP : S ℄ _ D ` S (IDLE)

D ` P _ D ` PFig. 9. Big-step semantics ofcJoin.

In the following,P andQ will denote shallow processes,D a shallow definition,S a stable process,andB a shallow definition containing just merging rules. We abbreviatedefD in P asD ` P , and` P asP . Moreover, we take terms up-to structural equivalence, generated by closure w.r.t the equation

D ` P j defD 0 in Q � D ^D 0σdn ` P j Q σdn

range(σdn)\ ( f n(D) [ f n(P ) [ f n(defD 0 in Q )) = /0

plus equations stating that 0 is the unit forj and that the operatorsj and^ are associative and commutative.These rules are analogous to the heating / cooling rules ofJoin.

We characterize the serializability property by the big-step reduction relation between shallow processespresented in Figure 9. Steps can be composed in parallel (PAR) and sequentially (SEQ), even with idletransitions (IDLE). RuleGLOBAL FIRING corresponds to the firing of an ordinary definition in a top-levelprocess. InsteadLOCAL FIRING states possible internal transitions of a running contract.LOCAL FIRING

captures the idea that certain computations of sub-negotiations can be represented as ordinary transitions atan abstract level. In fact, the computations occurring at a lower level in the nesting hierarchy (premise ofLOCAL FIRING) that are relevant to its containing negotiation are those relating stable processes, i.e.,S andS 0.

Any negotiation has available, in addition to its own definitions, the merging definitions introduced byits containing process. In fact, a merging definition can be applied on a single contract, behaving in thiscase as an ordinary reduction defined in the global scope. The operatore transforms merging definitions inordinary ones:JI P � J.P andB ^B 0 � eB ^fB 0 . Note thatLOCAL FIRING in Figure 9 corresponds to theversion ofcJoin without structural ruleSTR-MOVE. When such rule is added, the premise ofLOCAL FIRING

should beeB ^B ` S _ eB ^B ` S 0 , which allows merging definitions to be used at any level of the nestingstructure.

RulesLOCAL COMMIT andABORT handle the termination of a negotiation, whereasMERGE describesthe interaction among sibling negotiations. Note that negotiations can be joined only if they do not containrunning contracts.

Note that the big-step relation defined previously corresponds to our notion of serializability. In fact,the completed negotiations at a particular level are represented as ordinary transitions at the upper leveland all interacting transactions can be analyzed independently from the rest of the system. The followingresult states the correspondence between both semantics for shallow processes, and consequently assuresthat shallow processes are serializable incJoin.

Theorem 6.1. LetS ;S 0 be stable processes. ThenS !� S 0 iff ` S 0 _ ` S 0.


7 Concluding remarks

We have proposed a linguistic extension ofJoin with natural primitives for modeling nested negotiations.The expressiveness of the resultingPDL, calledcJoin, has been demonstrated by means of: (1) an infor-mal discussion about the satisfaction of the general requirements enumerated in the Introduction; (2) twodifferent examples; and (3) the encoding incJoin of zero-safe nets. Additionally, we defined a syntacticalrestriction of processes that assures serializability, which has been characterized through a big-step seman-tics.

In cJoin all dependencies between negotiations (commit or abort dependencies) must be programmedexplicitly by defining appropriate merging rules. Unlikeworkflow systems, cJoin does not fix a set of con-structors to describe dependencies in the style of, e.g., CONTRACTSmodel [14]. The actual dependencies ofa negotiation are known at execution time and are consequence of its interaction with other contracts. Thisfeature distinguishescJoin from the approach introduced in [4], where processes running as transactionscan interact freely with the environment. On the other hand,cJoin is aimed at providing a way to modelmulti-party transactions by describing their interacting agents and not their global structure, such as [5,8].Nevertheless, our language does not provide default mechanisms for undoing pre-committed activities ofaborted transactions as in [11,8,4]. This is an interesting problem that bears further investigation. In partic-ular, in which order compensations should be executed in a multi-party application? Is such an order givenby the sequence in which transactions commit or in which they are created? Or, on the contrary, is it givenby the causal relation established by the production and consumption of messages?

Negotiations incJoin have the flavour of multiway transactions inZS-Nets, where participants are notstatically fixed. Moreover, our extension distinguishes between local and global resources (i.e., names),and the notion of negotiation relies mainly on this distinction. In [6], an encoding ofZS nets in theJoinwas proposed, providing a distributed implementation of transactions, centered on the novel DistributedTwo Phase Commit (D2PC) protocol. We plan to reuse or to extend the D2PC in order to have a fullimplementation ofcJoin in Join itself. This would allow us to extend distributed implementations of theJoin, such asJocaml or Polyphonic C℄, by providing primitives for handling negotiations in distributedapplications.

Acknowledgements.We would like to thank Nick Benton, Luca Cardelli, Cedric Fournet and Cosimo Lanevewith whom we discussed preliminary versions ofcJoin.

References

1. N. Benton, L. Cardelli, and C. Fournet. Modern concurrency abstractions for C℄. In B. Magnusson, editor,Pro-ceedings of ECOOP 2002, volume 2374 ofLect. Notes in Comput. Sci., pages 415–440, Spain, June 2002. SpringerVerlag.

2. P.A. Bernstein, V. Hadzilacos, and N. Goodman.Concurrency, Control and Recovery in Database Systems.Addison-Wesley Longman, 1987.

3. G. Berry and G. Boudol. The chemical abstract machine.Theoret. Comput. Sci., 96(1):217–248, 1992.4. L. Bocchi, C. Laneve, and G. Zavattaro. A calculus for long-running transactions. InProceedings of FMOODS’03,

Lect. Notes in Comput. Sci. Springer Verlag, 2003. To appear.5. BPEL Specification. version 1.1, May 2003. Available athttp://www-106.ibm.com/developerworks/

webservices/library/ws-bpel/.6. R. Bruni, C. Laneve, and U. Montanari. Orchestrating transactions in join calculus. In L. Brim, P. Jancar,

M. Kretinsky, and A. Kucera, editors,Proceedings of CONCUR 2002, volume 2421 ofLect. Notes in Comput.Sci., pages 321–336. Springer Verlag, 2002.

7. R. Bruni and U. Montanari. Zero-safe nets: Comparing the collective and individual token approaches.Inform.and Comput., 156(1-2):46–89, 2000.

8. M. Butler, M. Chessell, C. Ferreira, C. Griffin, P. Henderson, and D. Vines. Extending the concept of transactioncompensation.IBM Systems Journal, 41(4):743–758, 2002.


9. S. Conchon and F. Le Fessant. Jocaml: Mobile agents for Objective-Caml. InProceedings of ASA’99/MA’99,1999.

10. C. Fournet and G. Gonthier. The reflexive chemical abstract machine and the Join calculus. InProceedings ofPOPL’96, pages 372–385. ACM Press, 1996.

11. H. Garcia-Molina and K. Salem. Sagas. In U. Dayal and I.L. Traiger, editors,Proceedings of the ACM SIGMOD1987, pages 249–259. ACM Press, 1987.

12. S. Haridi, S. Janson, and C. Palamidessi. Structural operational semantics of akl.Journal of Future GenerationComputer Systems, 8:409–421, 1992.

13. R. Milner, J. Parrow, and J. Walker. A calculus of mobile processes, I and II.Inform. and Comput., 100(1):1–40,41–77, 1992.

14. A. Reuter and H. Wachter. The contract model. In A.K. Elmagarmid, editor,Transaction Models for AdvancedApplications. Morgan Kaufmann, 1992.

15. U. Roxburgh. Biztalk orchestration: Transactions, exceptions, and debugging, 2001. Available athttp://msdn.microsoft.com/library/en-us/dnbiz/html/btsorch.asp.

A Proof of Proposition 3.1

Proof. We want to prove thatcJoin is a conservative extension ofJoin. It is obvious from the syntax that anyJoin process is also acJoin process. It remains to show that: (1) for anyJoin processesP andQ, if P! Qin Join, thenP!Q in cJoin; and (2) for anyJoin processesP, if P!Q in cJoin, thenQ is aJoin processandP!Q in Join. Both implications follow straightforwardly from the fact that the chemical rules ofcJoincan be partitioned in two sets: one consisting exactly of the chemical rules ofJoin, and the other containingstructural rules involving non-Join operators on both sides and reaction rules involving non-Join operatorsin the left-hand side. utB Correspondence ofZS encoding

We devote this section to prove the correspondence between the encoding presented in Figure 8(b) andZS nets semantics. The following lemmata relateZS movements involving non stable configurations, withreductions incJoin.

Lemma B.1. Let JzKw = zhwi andJZ1+Z2Kw = JZ1Kw j JZ2Kw. If (S;Z)!T (S0;Z0) thendef JTK in JSK j jji [def ^k wkhi.0 in jjkJZk

i Kwk : :::℄!�def JTK in JS 00K j jj j [def ^l wl hi.0 in JZ 0l

j Kwk jJS 0j K : :::℄;where Z=Si

SkZ

ki , Z0 =S j

Sl Z

0lj , S0 =S j S

0j [S 00 andJ Kw is defined as follow:

Proof (sketch).By induction on the structure of the proof. The base case corresponds to ruleFIRING andfollows by analyzing the shape of the fired transition (according to Figure 8(a)). The inductive step followsby rule case analysis. RuleSTEPcorresponds to parallel computations inCHAM. The proof forCONCATE-NATION follows by applying inductive hypothesis on both premises obtaining two derivations and notingthat, byCHAM semantics, a derivation is also valid when processes are added into a solution, i.e., if

def JTK in JS1K j jji [def ^k wkhi.0 in JZki Kwk : :::℄!�

def JTK in JS 0001 K j jj j [def ^l wl hi.0 in JZ 00lj Kwl j JS 0jK : :::℄

then also the following derivation is possible:

def JTK in JS2K jJS1K j jji [def ^k wkhi.0 in JZki Kwk : :::℄!�

defJTK in JS2K jJS 0001 K j jj j [def ^l wl hi.0 in JZ 00lj Kw jJS 0j K : :::℄

Analogously,S 0j andS 0001 can be added to the derivation associated to the second premise. Finally, the deriva-tion corresponding to the whole proof can be constructed by combining sequentially the two extendedderivations. ut


Corollary B.1. If (S; /0))T (S0; /0) thendef JTK in JSK!� def JTK in JS0K.Proof (sketch).By Lemma B.1, there exists a derivation for(S; /0)!T (S0; /0) containing negotiations. Nev-ertheless, those negotiations do not contain messages to ports encoding zero-safe places, and therefore theycan commit and release all messages to ports denoting stable places. Consequently, ruleCOMMIT can beapplied repeatedly to finish all running negotiations. utLemma B.2. If there existsdef JTK in JS00K j jji [def ^k wkhi.0 in JZk

i Kwk j JSiK : :::℄!�def JTK in JS 000K j jj j [def ^l wl hi.0 in JZ 0l

j Kwl j JS 0 jK : :::℄ without using rule(COMMIT)

then(S;Z)!T (S0;Z0) , where Z=SiS

kZki , Z0 =S j

Sl Z

0lj , S=Si Si [S 00 and S0 =S j S

0j [S 000

Proof (sketch).By induction on the length of the derivation. The base case corresponds to an idle movementof the net. The inductive step follows by analyzing the last applied rule in the reduction. ForRED andMERGE, the proof is constructed by using inductive hypothesis on the initial derivation until the last step,and also for the final step. Then by analyzing the different shapes of the definition used for the last reduction(Figure 5) conclude that the only possible cases correspond to ruleCONCATENATION. Note that, there areno ABORT steps, because the encoding cannot generate processabort. utLemma B.3. If def JTK in JSK!� def JTK in JS0K then(S; /0))�

T (S0; /0).Proof (sketch).The proof follows by using the results presented in Section 6 and proved in Appendix C.Note that all definitions generated by the encoding are shallow, and consequently negotiations are serial-izable by Theorem 6.1. Therefore, it is enough to consider reductions where steps from different trans-actions are not interleaved. Consequently, the whole reduction is equivalent to a sequence that computestransactions one at a time, i.e., it can be decomposed in subsequences of the formdef JTK in JSiK !�def JTK in JSi+1K, whereCOMMIT can be applied only as the last step. By Lemma B.2, any sub-reductionwithout considering the application ofCOMMIT corresponds to a movement(Si ; /0)!T (Si+1; /0) on theZS

net. Hence, any of this sub-reductions corresponds to a transaction(Si ; /0))T (Si+1; /0). Consequently, thewhole reduction is a sequence of transactions on theZS net. ut

Note that Theorem 5.1, follows from Corollary B.1 and Lemma B.3.

C Serializability of shallow processes

In this section we prove Theorem 6.1 as a straight consequence of the technically involved Lemma C.1,which states a stronger relation between big-step semantics and reduction semantics. In particular, the big-step relation corresponds to reductions between shallow processes without nested negotiations.

Proposition C.1. If D;S ;k[S 0k : S 00k ℄ !� D;i [Pi : Si ℄ ! D; [P : jjiSi ℄, then there exists a derivationD;S ;k[S 0k : S 00k ℄!� D;i [S 000i : Si ℄!D; [S 0 : jjiSi ℄!� D; [P : jjiSi ℄.

Proposition C.1 states that for any derivation starting from a process without nested negotiations thereexists an equivalent reduction that merges only negotiations without sub-negotiations.

Lemma C.1. D;i [Si : Pi ℄;S !� D; j [S 0j : P 0j ℄;S 0 if and only ifD ` jji [Si : Pi ℄ j S _ D ` jj j [S 0j : P 0

j ℄ j S 0.Proof (sketch).()) By induction on the length of the derivation. The base case corresponds to theIDLE

axiom. The inductive step follows by rule case analysis of the first applied reduction. The interesting caseis the application ofRED, which presents two cases: (i) when it is applied at top level, i.e., producing a newnegotiation or a new stable process, and (ii) when it generates a sub-negotiation in one of the existing nego-tiations. First case is immediate by inductive hypothesis andSEQ. In the second case, there is a negotiationk, i.e. [Sk : Pk℄, that reduces to[[S 00 : P 0℄;S 0k : Pk℄. At this point, there are two possibilities. First, consider


... GLOBAL FIRING,IDLE ,PAReB ` Sk _ eB ^D 00 ` [S 00 : P 0℄ j S 0k eB ^D 00 ` [S 00 : P 0℄ j S 0k _ eB ` S 00k IND . HYP.eB ` Sk _ eB ` S 00k SEQ

D 0^B ` [Sk : Pk℄ _ D 0^B ` [S 00k : Pk℄ LOCAL FIRING

Fig. 10.Proof sketch for Lemma C.1

that [[S 00 : P 0℄;S 0k : Pk℄ reduces to[S 00k : Pk℄, then it is possible to build the proof shown in Figure 10, andthen the proof follows by usingIDLE for the non-modified processes and inductive hypothesis andSEQ.The remaining possibility is when sub-negotiation[S 00 : P 0℄ can finish only after the parent negotiation ismerged. Then by Proposition C.1 an equivalent derivationD; i [Si : Pi ℄;S!� D; [S00 : jjiPi ℄;S000!� D; [P :jjiPi ℄;S000!� D; j [S 0j : P 0

j ℄;S 0 that merges only negotiations not containing sub-negotiations can be found.Then, proof follows by applying inductive hypothesis for both partsD; i [Si : Pi ℄;S!� D; [S00 : jjiPi ℄;S000andD; [S00 : jjiPi ℄;S000!� D; [P : jjiPi ℄;S000!� D; j [S 0j : P 0

j ℄;S 0.(() By induction on the structure of the proof. ut

D The Andorra Kernel Language (AKL ).

We describe the computation model ofAKL following the presentation in [12], but considering onlycom-mit(‘ j’) as guard operator.

Syntax of Clauses and Goals.Program clauses and goals are defined as follows.hguarded clausei ::= hheadi :�hguardihguard operatorihbodyihheadi ::= hprogram atomihguardi;hbodyi ::= hsequence of atomsihatomi ::= hprogram atomi j hconstraint atomihguard operatori ::= ‘ j’ (commit)

A program atomis an atomic formulap(x1; : : : ;xn) wherex1; : : : ;xn are variables. In the head allxi mustbe different, while in the body they may occur several times. Aconstraint atomis an atomic formula insome constraint language.

Computation Model.Computation states are given by the following grammar.hconfigurationi ::= hand-boxihand-boxi ::= and(hsequence of local goalsi;hconstrainti) hset of variablesihlocal goali ::= hatomic goali j hchoice-boxihchoice-boxi ::= choice(hsequence of guarded goalsi)hguarded goali ::= hand-boxihguard operatorihsequence of atomsiIn the following, the lettersC andD stand for sequences of local goals,σ andθ for constraints;B andG

for a sequence of atomic goals;G for a goal;P, Q for sequences of goals;SandT for sequences of guardedgoals;V andW for set of variables; andβ for a single goal. The symbol ‘%’ denotes a guard operator.And-boxes of the formand(;σ) are written asσ. The termtrue denotes a variable-free constraint formulathat is true in the constraint theory. The symbolfail will be used to denote the empty or-box and the emptychoice-box regarded as collapsing to the same object. Each subgoal has anenvironment, defined as theconjunction of the constraints of all the and-boxes in which the goal occurs. The notationop(σ) denotes aconstraint operationop (e.g.,askor tell) applied to the primitive constraintσ.


(CI) and(C;op(σ);D;θ)) and(C;D;θ^σ) if θ^σ is satisfiableandop(σ) is satisfied

(CF) and(C;op(σ);D;θ)) failif σ is inconsistent with the environment ofop(σ)

(FK) A) choice(and(G1; true)V1%B1; : : : ;and(Gn; true)Vn%Bn)whereA unifies withHi for rulesHi :�Gi%Bi

(PD) and(C;choice(θV%B);D;σ)W) and(C;B;D;θ^σ)V[Wif θ^σ is satisfiable

(j) choice(P;σjB;Q)) choice(σjB)(SC) and(B;σ)) fail if σ is unsatisfiable with the environment(F1) and(B; fail ;C;σ)) fail(F2) choice(S;(fail%B);T)) choice(S;T)

Table 1.Operational semantics ofAKL .

Note that a configuration given by anand-boxand(P1; :::;Pn;σ)V1 represents the proof ofP1^ :::^Pn

with the associated satisfiable constraintσ. The set of variables attached to an and-box contains the variableslocal to that box, i.e., variables in a clause that do not occur on the head.

Rewriting rules are summarised in Table 1. Rules (CI) and (CF) denote the effects of a goal that hasbeen proved by producing the constraintσ. Whenσ is consistent with the enclosing environment, the goalis reduced and the constraint of the enclosing and-box is updated, otherwise the whole goal fails. Localforking (FK) on an atomic goal initiates the parallel proof of all definitions. The deterministic promotion(DP) communicates the results of a local computation to the siblings of the goal that started the localcomputation. Rule (j) describes the pruning to be applied when the guard of a commit rule is proven.Note that the actual promotion is performed by the deterministic promotion rule. The last three rules arenormalization rules that describe the propagation of failures (rules (F1) and (F2)), and the synchronizationwith the environment (SC).

Documents

Nested Commits for Mobile Calculi: Extending Join