SCC: a Service Centered Calculus
?
M. Boreale, R. Bruni, L. Caires, R. De Nicola,
I. Lanese, M. Loreti, F. Martins, U. Montanari,
A. Ravara, D. Sangiorgi, V. Vasconcelos, G. Zavattaro
EU Integrated Project Sensoria
sensoria-core@di.unipi.it
Abstract. We seek for a small set of primitives that might serve as a
basis for formalising and programming service oriented applications over
global computers. As an outcome of this study we introduce here SCC,
a process calculus that features explicit notions of service definition, ser-
vice invocation and session handling. Our proposal has been influenced
by Orc, a programming model for structured orchestration of services,
but the SCC’s se ssion handling mechanism allows for the definition of
structured interaction protocols, more complex than the basic reque st-
response provided by Orc. We present syntax and operational semantics
of SCC and a number of simple but nontrivial programming examples
that demonstrate flexibility of the chosen set of primitives. A few encod-
ings are also provided to relate our proposal with existing ones.
1 Introduction
The Sensoria project [17], funded by the European Union, aims at develop-
ing a novel, comprehensive approach to the engineering of software systems for
service-oriented overlay computers. Specifically, Sensoria focuses on methods
and tools for the development of global services that are context adaptive, per-
sonalisable, possibly with diffe rent constraints on resources and performance,
and to be deployed on significatively different global computers. Sensoria seeks
for full integration of foundational theories, techniques and methods in a prag-
matic software engineering approach.
A crucial role in the project will be played by formalisms for service de-
scription that lay the mathematical basis for analysing and experimenting with
components interactions, for combining se rvices and formalising crucial aspects
of service level agreements.
Industrial consortia are developing orchestration languages, targeting the
standardization of Web services and xml-centric technologies. However, exist-
ing standards lack clear semantic foundations. We aim at developing a general
theory of services that should lead to calculi based on process algebras but en-
riched with primitives for manipulating semi-structured data (such as pattern
matching or unification). The theory should encompass techniques for deriving
?
Research supported by the Project FET-GC II IST-2005-16004 Sensoria.
contracts, tools for querying and discovery of service specifications, transactional
mechanisms to aggregate unreliable services. The c alculi will be equipp ed with
rigorous semantic foundations and analytical tools to prove correctness of system
specifications and enable formal verification of properties.
Herewith we present a name passing process calculus with explicit notions
of service definition, service invocation and bi-directional sessioning. During the
first year of the project a few other work-in-progress proposals emerged [8, 10,
14, 4], and their comparison, refinement and integration will constitute a promi-
nent research activity for the prosecution of the project. Our proposal has b ee n
influenced by Cook and Misra’s Orc [16], a basic programming model for struc-
tured orchestration of services, for which we show a rather natural encoding. In
particular, Orc is paticularly appealing because of its simplicity and yet great
generality: its three basic composition operators can be used to model the most
common workflow patterns, identified by van der Aalst et al. in [18].
Our calculus, called SCC (for Service Centered Calculus), has novel features
for programming and composing services, while taking into account their dy-
namic behaviour. In particular, SCC supports explicit modeling of sessions both
on client- and on service-side, including protocols executed by each side dur-
ing an interaction and mechanisms for session naming and scoping, the latter
inspired by the π-calculus. Sess ions allow us to describe and reason about inter-
action modalities more structured than the simple one-way and request-response
modalities provided by Orc and typical of a producer / consumer pattern. More-
over, in SCC sessions can be closed thus providing a mechanism for process
interruption and service cancellation and update which has no counterpart in
most process calculi.
Summarising, SCC combines the service oriented flavour of Orc with the name
passing communication mechanism of the π-calculus. One may argue that we
could, in our analysis of service oriented computing, exploit directly π-calculus
instead of introducing yet another process calculus. It can be easily seen, from the
encoding of a fragment of our calculus in the π-calculus reported in Figure 5, that
all the information pertaining to sessioning and client-service protocols get mixed
up (if not lost) with the other communication primitives, making it difficult to
reason on the resulting process. The motivation behind the introduction of a
new calculus is that a small set of well-disciplined primitives will favor and make
more scalable the development of typing systems and proof techniques centered
around the notions of service and session, for ensuring, e.g., c ompatibility of
client and service behaviour, or the absence of deadlock in service composition.
Within SCC, services are seen as sort of interacting functions (and even
stream processing functions) that can be invoked by clients. Service definitions
take the form s ⇒ (x)P , where s is the service name, x is a formal parameter,
and P is the actual implementation of the service. For instance, succ ⇒ (x)x+1
models a service that, received an integer returns its successor. Service invoca-
tions are written as s{(x)P } ⇐ Q: each new value v produced by the client
Q will trigger a new invocation of service s; for each invocation, an instance
of the process P , with x bound to the actual invocation value v, implements
the client-side protocol for interacting with the new instance of s. As an exam-
ple, a client for the simple service described above will be written in SCC as
succ{(x)(y)return y} ⇐ 5: after the invocation x is bound to the argument 5,
the client waits for a value from the server and the rec eived value is substituted
for y and hence returned as the result of the service invocation.
A service invocation causes activation of a new session. A pair of dual fresh
names, r and r, identifies the two sides of the session. Client and service protocols
are instantiated each at the prop e r side of the session. For instance, interaction
of the client and of the service described above triggers the session
(νr)
r B 5 + 1 | r B (y)return y
(in this case, the client side makes no use of the formal parameter). The value 6
is computed on the service-side and then received at the client side, that reduces
first to r B return 6 and then to 6 | r B 0 (where 0 denotes the nil process).
More generally, within sessions communication is bi-directional, in the sense
that the interacting protocols can exchange data in both directions. Values re-
turned outside the session to the enclosing e nvironment can be used for invoking
other services. For instance, what follows is a client that invokes the service succ
and then prints the obtained result:
print{(z)0} ⇐ ( succ{(x)(y)return y} ⇐ 5 ) .
(in this case, the service print is invoked with vacuous protoc ol (z)0).
A protoc ol, both on client-side and on service-side, can be interrupted (e.g.
due to the occurrence of an unexpected event), and interruption can be notified
to the environment. More generally, the keyword clos e can be used to terminate
a protocol on one side and to notify the termination status to a suitable handler
at the partner site. For example, the above client is extended below for exploiting
a suitable service fault that can handle printer failures:
print{(z)0} ⇐
fault
( succ{(x)(y)return y} ⇐ 5 ) .
The formal presentation of SCC involves some key notational and technical
solutions that must be well motivated and explained. For this reason, our choice
is to give a gentle, step-by-step presentation of the various ingredients.
Synopsis. The paper is organized as follows. Syntax and reduction semantics of
the close -free fragment of SCC are presented in Section 2, together with a few
motivating examples and encodings. The full calculus is discussed in Section 3.
In Section 4 we show how to encode Orc programs into SCC. Some concluding
remarks are in Section 5.
2 Persistent sessions: The close -free fragment of SCC
We start by presenting the close -free fragment of SCC, based on three main
concepts: (i) service definition, (ii) service invocation, and (iii) bi-directional
P, Q ::= 0 Nil
| a.P Concretion
| (x)P Abstraction
| return a.P Return Value
| a ⇒ (x)P Service Definition
| a{(x)P } ⇐ Q Service Invocation
| a B P Session
| P |Q Parallel Composition
| (νa)P New Name
Fig. 1. Syntax of processes.
(P |Q)|R ≡ P |(Q|R) P |0 ≡ P P |Q ≡ Q|P
(νx)(νy)P ≡ (νy)(νx)P (νx)0 ≡ 0 a B 0 ≡ 0
P |(νx)Q ≡ (νx)(P |Q) if x /∈ fn(P ) a B (νx)P ≡ (νx)(a B P ) if x 6= a, a
a{(x)P } ⇐ (νy)Q ≡ (νy)(a{(x)P } ⇐ Q) if y /∈ fn((x)P ) ∪ {a, a}
Fig. 2. Structural congruence.
sessioning. We call it PSC for persistent session calculus: sessions can be estab-
lished and garbage collected when the protocol has run entirely, but can neither
be aborted nor closed by one of the parties.
Syntax. We presuppose a countable set N of names a, b, c, ..., r, s, ..., x, y, .... A
bijection · on N is presupposed s.t. a = a for each name a. Note that contrary
to common use of the notation, a for input and a denoting output, in SCC a and
a denote dual session names, that can be used for communicating in both direc-
tions. The syntax of PSC is in Figure 1, with the operators listed in decreasing
order of precedence. Free occurrences of x in P (including x) are bound in (νx)P
and (x)P . Capture-avoiding substitution of the free occurrences of x with v (and
of x with v) in P is denoted by P [
v
/x]. Moreover, we identify processes up to
alpha-equivalence and we omit trailing 0.
Structural congruence. Structural congruence ≡ is defined as the least congru-
ence relation induced by the rules in Figure 2. We include the expected structural
laws for parallel composition and restriction, and one rule for garbage collection
of completed sessions (aB 0 ≡ 0). Note that scope extrusion for restriction comes
in three different forms.
Well-formedness. Assuming by alpha conversion that all bound names in a pro-
cess P are different from each other and from the free names, the process P
is well-formed if each session name a occurs only once (occurrences that can
be deleted using s tructural congruence do not count), but it is allowed to have
both sess ions a B Q and a B Q
0
. In the remainder of this paper, all processes
are well-formed. It is straightforward to check that the semantic rules preserve
well-formedness. Note that, for the economy of this paper, it is not stricly nec-
essary to introduce dual names, but we prefer to keep this distinction to make
evident that once the protocol is started there might still be some reasons for
CJ s ⇒ (x)P K |
DJ s{(y)P
0
} ⇐ (Q|u.R) K
→ (νr)
„
CJ r B P [
u
/x] | s ⇒ (x)P K |
DJ r B P
0
[
u
/y] | s{(y)P
0
} ⇐ (Q|R) K
«
if r is fresh and u, s not bound by C,D
CJ r B (P |u.Q) K | DJ r B (R|(z)S) K → CJ r B (P |Q) K | DJ r B (R|S[
u
/z]) K
if u, r not bound by C,D
r B (P |return u .Q) → u | r B (P |Q)
CJP K → CJP
0
K if P ≡ Q, Q → Q
0
, Q
0
≡ P
0
where C, D ::= J·K | C|P | a{(x)P } ⇐ C | a B C | (νa)C
Fig. 3. Reduction semantics.
distinguishing the two side ends (e.g., when typing is considered).
Operational semantics. Restriction and parallel composition have the standard
meaning. Informally, the meaning of the other primitives listed in Figure 1 can
be explained as follows. Service definitions take the form s ⇒ (x)P , where s
is the name of the service and (x)P is the body of the service: a (service-side)
interaction protocol with formal parameter x. Service definitions are persistent,
i.e., each new invocation is served by a fresh instance of the protocol (process
calculists may think of an implicit replication prefixing each service definition).
A service invocation s{(x)P
0
} ⇐ Q invokes s for any concretion (value) u pro-
duced by the execution of Q. The process (x)P
0
is the client-side protocol for
interacting with (the instance of) s. For example if after some steps Q reduces
to Q
0
|u, then a fresh session can be established, that takes the form
(νr)(r B P [
u
/x] | r B P
0
[
u
/x])
and that runs in parallel with s{(x)P
0
} ⇐ Q
0
and s ⇒ (x)P . The session r has
two sides: one for the client and one for the service. Note that value u serves as
the actual parameter of both P and P
0
. Within the session r, the protocols P [
u
/x]
and P
0
[
u
/x] can communicate whenever a concretion a is available on one side and
an abstraction (z)R
0
is ready on the other side, i.e., abstractions and concretions
model input and output, resp e ctively. For example, r B (a|R) | r B (z)R
0
would
reduce to r B R | r B R
0
[
a
/z]. The primitive return a can then be used to return a
value outside the current session (just one level up, not to the top level). Sessions,
service definitions and service invocations can be nested at arbitrary depth, but
in any interaction just the innermost service or session name counts.
Formally, the reduction semantics is defined in Figure 3. The reduction rules
are defined using the active contexts C, D that sp e cify where the processes that
interact can be located. An active context is s imply a process with a hole in an
active position, i.e., a place where a process can execute. With CJP K we denote
the process obtained by filling the hole in C with P . In PSC only two kinds of
interactions are permitted: service invocation and session communication mod-
