Workshop presentation given by Niels Lohmann on September 28, 2009 in Brisbane, Australia at the 4th International Workshop on Web Services and Formal Methods (WS-FM 2007).

2. BPEL
Analyzing BPEL4Chor - Verification and Partner Synthesis
 designed to describe a service orchestration
 … respectively a single service
 invoked services’ behaviors are not described
 BPEL
processes can be automatically analyzed
(BPM 2006; project Tools4BPEL)
2

3. BPEL4Chor
Analyzing BPEL4Chor - Verification and Partner Synthesis
 extension to describe choreographies
behaviors topology grounding
3

4. An Example Choreography
Analyzing BPEL4Chor - Verification and Partner Synthesis
 taken from the paper introducing BPEL4Chor
 one traveler, one agency, several airline instances
4

5. Analyzing BPEL4Chor - Verification and Partner Synthesis
5

6. Analyzing BPEL4Chor Choreographies
Analyzing BPEL4Chor - Verification and Partner Synthesis
 “Classical” properties:
 deadlock-freedom, livelock-freedom,
no dead activities (a.k.a. Soundness)
 Messages:
 Does there exist a state in which more than one
message is pending on a communication channel?
 What is the minimal/maximal number of messages
to be sent to reach a final state?
 Behavior:
 Will a participant always receive an answer?
 Can a participant enforce the execution of an
activity?
6

7. Translating BPEL4Chor into a Petri Net
Analyzing BPEL4Chor - Verification and Partner Synthesis
 Extend compiler BPEL2oWFN
BPEL2oWFN
Static Analysis
BPEL processes Translation
Instantiation
Composition
Structural Reduction
Petri net
topology
 BPEL4Chor requires instantiation and composition
7

8. Instantiation
Analyzing BPEL4Chor - Verification and Partner Synthesis
…
 example for two airline instances
t1
…
trip
<receive wsu:id="ReceiveTripOrder" />
price.1
<forEach wsu:id="fe_RequestPrice„ t2 t3 price.2
parallel="yes">
<scope>
quote.1
<sequence>
<invoke wsu:id="RequestPrice" />
t4 t5 quote.2
<receive wsu:id="ReceiveQuote" />
</sequence>
</scope>
t6
</forEach>
order.1
<opaqueActivity name="SelectAirline" />
<invoke wsu:id="OrderTickets" />
t7 t8 order.2
…
…
8

9. Composition
Analyzing BPEL4Chor - Verification and Partner Synthesis
 each service is translated into an open workflow net
with an interface
 open workflow nets can be composed
 resulting net has no interface (standard Petri net)
9

10. Analysis Result
Analyzing BPEL4Chor - Verification and Partner Synthesis
 Choreography can deadlock!
 each participant is correct (controllable, sound…)
 deadlock very subtle!
10

11. Case Study
airline instances
Analyzing BPEL4Chor - Verification and Partner Synthesis
1 5 10 100 1000
places 20 63 113 1013 10013
transitions 10 41 76 706 7006
states  14 3483 9806583  
exponential
states  14 561 378096 growth 
states  11 86 261 18061 1752867
states  11 30 50 410 4010
 complete/unreduced linear
 symmetry reduction growth 
 partial order reduction
 symmetry reduction and partial order reduction
 out of memory (>2 GB)
11

12. Analyzing BPEL4Chor - Verification and Partner Synthesis
12

13. Partner Synthesis
Analyzing BPEL4Chor - Verification and Partner Synthesis
 new setting: design phase of choreography
 one participant description is missing
 goal: synthesize missing participant description
13

14. Translation
Analyzing BPEL4Chor - Verification and Partner Synthesis
 incomplete
choreography is translated with
BPEL2oWFN
 translationyields an open workflow net
with interface to missing participant
14

15. Partner Synthesis (1)
Analyzing BPEL4Chor - Verification and Partner Synthesis
Fiona
Partner synthesis
open workflow net open workflow net
(incomplete choreography) (synthesized participant)
 Fiona can synthesize a partner if one exists
 partner is correct by design
 partner’s behavior is based on communication
 no internal behavior is synthesized
 order of messages is as relaxed as possible
15

16. Partner Synthesis (2)
Analyzing BPEL4Chor - Verification and Partner Synthesis
oWFN2BPEL
Retranslation
open workflow net abstract BPEL process
(synthesized participant) (synthesized participant)
 partner’s behavior can be described using BPEL
 derived BPEL process is abstract
 has to be refined to an executable process
16

17. Limits of the Partner Synthesis
Analyzing BPEL4Chor - Verification and Partner Synthesis
 can only synthesize one partner:
 If more than one airline instance is synthesized, the
generated partners explicitly synchronize.
 airline instances would communicate timeouts:
one instance would be forced to wait for a message
 can be a starting point for diagnosis
 causalitiesof messages might be ignored
 order and invoice messages might be concurrent
 can be fixed using constraints
17

18. Take-home Points
Analyzing BPEL4Chor - Verification and Partner Synthesis
 BPEL4Chor choreographies can be analyzed
 … to find very subtle errors
 … even with thousands of participants
 … automatically using the proposed tool chain
 BPEL4Chor choreographies can be completed
 … by synthesizing the missing participant
 … to guarantee a deadlock-free choreography
 ... automatically using the proposed tool chain
Thank you very much!
18