The global interaction behavior in message-based systems can be specified as a finite-state machine defining acceptable sequences of messages exchanged by a group of peers. Realizability analysis determines if there exist local implementations for each peer, such that their composition produces exactly the intended global behavior. Although there are existing sufficient conditions for realizability, we show that these earlier results all fail for a particular class of specifications called arbitrary-initiator protocols. We present a novel algorithm for deciding realizability by computing a finite-state model that keeps track of the information about the global state of a conversation protocol that each peer can deduce from the messages it sends and receives. By searching for disagreements between each peer's deduced states, we provide a sound analysis for realizability that correctly classifies realizability of arbitrary-initiator protocols.

1. Sylvain Hallé
Sylvain Hallé and Tevfik Bultan
Realizability Analysis for
Message-Based Interactions
Using Shared-State Projections
Université du Québec à Chicoutimi
CANADA
University of California Santa Barbara
USA

2. Sylvain Hallé
Context: communicating with messages
Alice
Bob
Carl

3. Sylvain Hallé
Coordination problem in Service-Oriented
Architecture (SOA)
?Choreography specification and analysis
Choreography and orchestration conformance
Process isolation in Operating Systems
Message-based communication instead of shared data
Channel contracts in Singularity OS
Channel contract analysis and conformance
Session types
?
?
?
?
?
Motivation for message-based communication

4. Sylvain Hallé
Conversation protocol ( )C
Finite-state machine describing global sequences of messages
sent between peers
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
Context

5. Sylvain Hallé
Examples of conversation protocols:
Web service choreographies
Channel contracts in Microsoft Singularity OS
Context
C S : GetTpmStatus®C S : GetTpmStatus®
ReadyStateS0
ReadyStateS1
ReadyState
C S : Send®
S C : AckStartSend®
S C : SendComplete®
S C : TpmStatus®
IO_RUNNINGS0
IO_RUNNING
S C : TpmStatus®

6. Sylvain Hallé
Problem
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
From a conversation protocol and peers A, B, ..., synthesize
‘‘local’’ protocols , , whose composition produces L( )A B
C
C C ... C

7. Sylvain Hallé
Problem
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C p( )A C
From a conversation protocol and peers A, B, ..., synthesize
‘‘local’’ protocols , , whose composition produces L( )A B
Let’s compute the projection of for Alice ( )
C
C C ... C
Cp

8. Sylvain Hallé
Problem
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
{ }0
C p( )A C
From a conversation protocol and peers A, B, ..., synthesize
‘‘local’’ protocols , , whose composition produces L( )A B
Let’s compute the projection of for Alice ( )
C
C C ... C
Cp

9. Sylvain Hallé
Problem
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
A®B: m1
{ }1
{0}
C p( )A C
From a conversation protocol and peers A, B, ..., synthesize
‘‘local’’ protocols , , whose composition produces L( )A B
Let’s compute the projection of for Alice ( )
C
C C ... C
Cp

10. Sylvain Hallé
Problem
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
A®B: m1
{1, }3
{0}
C p( )A C
From a conversation protocol and peers A, B, ..., synthesize
‘‘local’’ protocols , , whose composition produces L( )A B
Let’s compute the projection of for Alice ( )
C
C C ... C
Cp

11. Sylvain Hallé
Problem
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
A®B: m1 B®A: m2
{1,3} { }2
{0}
C p( )A C
From a conversation protocol and peers A, B, ..., synthesize
‘‘local’’ protocols , , whose composition produces L( )A B
Let’s compute the projection of for Alice ( )
C
C C ... C
Cp

12. Sylvain Hallé
Problem
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
A®B: m1
A®C: m4
B®A: m2
{ }4
{1,3} {2}
{0}
C p( )A C
From a conversation protocol and peers A, B, ..., synthesize
‘‘local’’ protocols , , whose composition produces L( )A B
Let’s compute the projection of for Alice ( )
C
C C ... C
Cp

13. Sylvain Hallé
Problem
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
A®B: m1
A®C: m4
B®A: m2
{4, }5
{1,3} {2}
{0}
C p( )A C
From a conversation protocol and peers A, B, ..., synthesize
‘‘local’’ protocols , , whose composition produces L( )A B
Let’s compute the projection of for Alice ( )
C
C C ... C
Cp

14. Sylvain Hallé
Problem
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
C p( )A C
From a conversation protocol and peers A, B, ..., synthesize
‘‘local’’ protocols , , whose composition produces L( )A B
Let’s compute the projection of for Alice ( )
C
C C ... C
Cp

15. Sylvain Hallé
Problem
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
C
From a conversation protocol and peers A, B, ..., synthesize
‘‘local’’ protocols , , whose composition produces L( )A B
Let’s compute the projection of for Alice ( )
C
C C ... C
Cp
p( )A C

16. Sylvain Hallé
Composing the projections
Alice
Bob
Carl
p( )A C
p( )B C
p( )C C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0} A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}

17. Sylvain Hallé
Alice
Bob
Carl
p( )A C
p( )B C
p( )C C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0} A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
Composing the projections

18. Sylvain Hallé
Alice
Bob
Carl
p( )A C
p( )B C
p( )C C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0} A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m3
Composing the projections

19. Sylvain Hallé
Alice
Bob
Carl
p( )A C
p( )B C
p( )C C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0} A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m5
Composing the projections

20. Sylvain Hallé
Alice
Bob
Carl synchronous
communication
Composing the projections

21. Sylvain Hallé
Alice
Bob
Carl asynchronous
communication
Composing the projections

22. Sylvain Hallé
Alice
Bob
Carl asynchronous
communication
message queues
Composing the projections

23. Sylvain Hallé
Alice
Bob
Carl asynchronous
communication
message queues
From , we create a
channel system
(peer states +
queues)
C
C
.
Composing the projections

24. Sylvain Hallé
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
Channel system

25. Sylvain Hallé
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
Channel system

26. Sylvain Hallé
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
Channel system

27. Sylvain Hallé
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
m2
Channel system

28. Sylvain Hallé
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
m2
Channel system

29. Sylvain Hallé
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
m2
?m2
Channel system

30. Sylvain Hallé
What happened?
It is easy to show that
L( ) ÍL( )
i.e. each peer p follows its projection ( ), but the resultingp
interaction may not be part of !
A protocol is realizable when L( ) =L( )
C
C
C
C
C
C
p
Realizability
.
.

31. Sylvain Hallé
What happened?
It is easy to show that
L( ) ÍL( )
i.e. each peer p follows its projection ( ), but the resultingp
interaction may not be part of !
A protocol is realizable when L( ) =L( )
How can we determine if a conversation protocol is
realizable?
C
C
C
C
C
C
p
Realizability
.
.
?
?

32. Sylvain Hallé
How can we determine (un)realizability?
Solution A
Compute the from the projections; look for a
‘‘bad sequence’’
channel system
A B : m1®, !
A B : m1®, ?
A B : m1®, ?A B : m1®, !
A B : m4®, !
A B : m4®, ? B C : m3®, !
B C : m3®, !
B C : m3®, ?
C A : m , !2®
C A : m2®, !
C A : m2®, !
C A : m2®, !
C A : m2®, ?
({0},{0,2},{0,1}), ((A,e),(B, ),(C, ))ee
({1,3},{3},{3}), ((A,e),(B, ),(C, ))ee
({2},{0,2},{2,4}), ((A,e),(B, ),(C, ))ee
({4},{4},{2,4}), ((A,e),(B, ),(C, ))ee
({1,3},{1},{0,1}), ((A,e),(B, ),(C, ))ee
({0},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m ee2®
({4},{0,2},{2,4}), ((A, ),(B, ),(C, ))eA B : m e4® ({1,3},{1},{2,4}), ((A, ),(B, ),(C, ))C A : m ee2®
({1,3},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m A B : m e2 1®®
({1,3},{3},{2,4}), ((A, ),(B, ),(C, ))C A : m eB C : m2 3® ®
({1,3},{0,2},{0,1}), ((A, ),(B, ),(C, ))eA B : m e1®
({1,3},{3},{0,1}), ((A, ),(B, ),(C, ))eeB C : m3®

33. Sylvain Hallé
How can we determine (un)realizability?
Solution A
Compute the from the projections; look for a
‘‘bad sequence’’
channel system
A B : m1®, !
A B : m1®, ?
A B : m1®, ?A B : m1®, !
A B : m4®, !
A B : m4®, ? B C : m3®, !
B C : m3®, !
B C : m3®, ?
C A : m , !2®
C A : m2®, !
C A : m2®, !
C A : m2®, !
C A : m2®, ?
({0},{0,2},{0,1}), ((A,e),(B, ),(C, ))ee
({1,3},{3},{3}), ((A,e),(B, ),(C, ))ee
({2},{0,2},{2,4}), ((A,e),(B, ),(C, ))ee
({4},{4},{2,4}), ((A,e),(B, ),(C, ))ee
({1,3},{1},{0,1}), ((A,e),(B, ),(C, ))ee
({0},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m ee2®
({4},{0,2},{2,4}), ((A, ),(B, ),(C, ))eA B : m e4® ({1,3},{1},{2,4}), ((A, ),(B, ),(C, ))C A : m ee2®
({1,3},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m A B : m e2 1®®
({1,3},{3},{2,4}), ((A, ),(B, ),(C, ))C A : m eB C : m2 3® ®
({1,3},{0,2},{0,1}), ((A, ),(B, ),(C, ))eA B : m e1®
({1,3},{3},{0,1}), ((A, ),(B, ),(C, ))eeB C : m3®

34. Sylvain Hallé
How can we determine (un)realizability?
Solution A
Compute the from the projections; look for a
‘‘bad sequence’’
Problem: in some cases, the channel system is
channel system
infinite
A B : m1®, !
A B : m1®, ?
A B : m1®, ?A B : m1®, !
A B : m4®, !
A B : m4®, ? B C : m3®, !
B C : m3®, !
B C : m3®, ?
C A : m , !2®
C A : m2®, !
C A : m2®, !
C A : m2®, !
C A : m2®, ?
({0},{0,2},{0,1}), ((A,e),(B, ),(C, ))ee
({1,3},{3},{3}), ((A,e),(B, ),(C, ))ee
({2},{0,2},{2,4}), ((A,e),(B, ),(C, ))ee
({4},{4},{2,4}), ((A,e),(B, ),(C, ))ee
({1,3},{1},{0,1}), ((A,e),(B, ),(C, ))ee
({0},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m ee2®
({4},{0,2},{2,4}), ((A, ),(B, ),(C, ))eA B : m e4® ({1,3},{1},{2,4}), ((A, ),(B, ),(C, ))C A : m ee2®
({1,3},{0,2},{2,4}), ((A, ),(B, ),(C, ))C A : m A B : m e2 1®®
({1,3},{3},{2,4}), ((A, ),(B, ),(C, ))C A : m eB C : m2 3® ®
({1,3},{0,2},{0,1}), ((A, ),(B, ),(C, ))eA B : m e1®
({1,3},{3},{0,1}), ((A, ),(B, ),(C, ))eeB C : m3®

35. Sylvain Hallé
How can we determine (un)realizability?
Solution B: devise on the original protocol
1. Three realizability conditions (Fu, Bultan, Su, TSE 2005)
1) Synchronous compatible
Every time a peer can send a message m, its recipient
must be in (or reach) a state where m can be received
2) Autonomous
At any moment, a peer cannot be both sender and
receiver
3) Lossless-join
The ‘‘Cartesian product’’ of the ( ) produces L( )p
conditions
.
.
pC C
3

36. Sylvain Hallé
How can we determine (un)realizability?
Solution B: devise on the original protocol
2. Session types (Honda et al., ESOP 1998, POPL 2008)
A programmer describes a scenario as a type G
Each component of the interaction is developed
independently and periodically checked to make sure it is
typable against its projection on G
conditions
3

37. Sylvain Hallé
How can we determine (un)realizability?
Problem: both sets are sufficient, but not necessary for
realizability
3
C S : c®
C S : c®S C : f®
S C : f®
C S : s®
0
1
2 3
4

38. Sylvain Hallé
How can we determine (un)realizability?
Problem: both sets are sufficient, but not necessary for
realizability
3
C S : c®
C S : c®S C : f®
S C : f®
C S : s®
0
1
2 3
4
Fu et al.: ‘‘fails
autonomous
condition’’
Honda et al.:
‘‘not typable’’

39. Sylvain Hallé
How can we determine (un)realizability?
Problem: both sets are sufficient, but not necessary for
realizability
3
C S : c®
C S : c®S C : f®
S C : f®
C S : s®
0
1
2 3
4
Realizable!
Fu et al.: ‘‘fails
autonomous
condition’’
Honda et al.:
‘‘not typable’’

40. Sylvain Hallé
How can we determine (un)realizability?
Problem: both sets are sufficient, but not necessary for
realizability
Both approaches incorrectly classify all protocols with an
arbitrary initiator
3
C S : c®
C S : c®S C : f®
S C : f®
C S : s®
0
1
2 3
4
Fu et al.: ‘‘fails
autonomous
condition’’
Honda et al.:
‘‘not typable’’
Realizable!

41. Sylvain Hallé
How can we determine (un)realizability?
Problem: both sets are sufficient, but not necessary for
realizability
Both approaches incorrectly classify all protocols with an
arbitrary initiator
3
C S : c®
C S : c®S C : f®
S C : f®
C S : s®
0
1
2 3
4
Fu et al.: ‘‘fails
autonomous
condition’’
Honda et al.:
‘‘not typable’’
Realizable!

42. Sylvain Hallé
How can we determine (un)realizability?
3
The key observation

43. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}

44. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
Is there a state that every peer can accept as
the current global state of ?C

45. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
Is there a state that every peer can accept as
the current global state of ?C
{0}

46. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
Is there a state that every peer can accept as
the current global state of ?C
{0} {0}

47. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
Is there a state that every peer can accept as
the current global state of ?C
{0} {0} {0,1,2}

48. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
Is there a state that every peer can accept as
the current global state of ?C
{0} {0} {0,1,2} = {0}ÇÇ

49. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
m1

50. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
m2
m2

51. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
m2
m2
Is there a state that every peer can accept as
the current global state of ?C

52. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
m2
m2
Is there a state that every peer can accept as
the current global state of ?C
{1,3}

53. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
m2
m2
Is there a state that every peer can accept as
the current global state of ?C
{1,3} {2,4}

54. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
m2
m2
Is there a state that every peer can accept as
the current global state of ?C
{1,3} {2,4} {0,1,2}

55. Sylvain Hallé
Key observation
Alice
Bob
Carl
p( )A C
A®B: m1
A®C: m4C®A: m5
B®A: m2
{4,5}
{1,3} {2}
{0}
p( )B C
A®B: m1
C®B: m6B®C: m3
B®A: m2
{3,5}
{1} {2,4}
{0}
p( )C C
B®C: m3
C®B: m6C®A: m5
A®C: m4
{5}
{3} {4}
{0,1,2}
m1
m2
m2
Is there a state that every peer can accept as
the current global state of ?C
{1,3} {2,4} {0,1,2} = ÆÇÇ

56. Sylvain Hallé
Key observation
3
Alice Bob, &
don't agree on a common
global protocol state
"problems"
Intuitively...
Carl

57. Sylvain Hallé
Key observation
3
Alice Bob, &
don't agree on a common
global protocol state
"problems"
Intuitively...
When computing a projection for Alice, let’s keep track of the
possible state that Bob and Carl be in...can
Carl

58. Sylvain Hallé
Key observation
3
Alice Bob, &
don't agree on a common
global protocol state
"problems"
Intuitively...
When computing a projection for Alice, let’s keep track of the
possible state that Bob and Carl be in...
...and check if we ever reach a moment where they
disagree
can
might
Carl

59. Sylvain Hallé
Key observation
3
Alice Bob, &
don't agree on a common
global protocol state
"problems"
Intuitively...
When computing a projection for Alice, let’s keep track of the
possible state that Bob and Carl be in...
...and check if we ever reach a moment where they
disagree
can
might
shared-state projections
Carl

60. Sylvain Hallé
Key observation
3
Alice Bob, &
don't agree on a common
global protocol state
"problems"
Intuitively...
When computing a projection for Alice, let’s keep track of the
possible state that Bob and Carl be in...
...and check if we ever reach a moment where they
disagree
can
might
shared-state projections
Carl
conservative
approximations

61. Sylvain Hallé
Proof sketch
1. Start from a conversation protocol C

62. Sylvain Hallé
Proof sketch
1. Start from a conversation protocol
2. For each peer p, define a projection ( )p
C
C
.
p^ finite

63. Sylvain Hallé
Proof sketch
^
^
finite
1. Start from a conversation protocol
2. For each peer p, define a projection ( )p
3. Show that ( ) is an over-approximation of thep
‘‘standard’’ projection ( ).p
C
C
C
C
.
.
.
p
p
p

64. Sylvain Hallé
Proof sketch
. .^
^
^
finite
1. Start from a conversation protocol
2. For each peer p, define a projection ( )p
3. Show that ( ) is an over-approximation of thep
‘‘standard’’ projection ( ). ÞL( ) ÍL( )p
C
C
C
C
.
.
.
p
p
Cp C

65. Sylvain Hallé
Proof sketch
. .^
^
^
^
finite
1. Start from a conversation protocol
2. For each peer p, define a projection ( )p
3. Show that ( ) is an over-approximation of thep
‘‘standard’’ projection ( ). ÞL( ) ÍL( )p
4. Define a condition for ‘‘bad’’ states of ( )p
C
C
C
C
C
.
.
.
p
p
C
p
p C

66. Sylvain Hallé
Proof sketch
. .^
^
^
^
finite
1. Start from a conversation protocol
2. For each peer p, define a projection ( )p
3. Show that ( ) is an over-approximation of thep
‘‘standard’’ projection ( ). ÞL( ) ÍL( )p
4. Define a condition for ‘‘bad’’ states of ( )p
5. Show that no trace in L( ) ever visits a bad state
C
C
C
C
C
C
.
.
.
.
p
p
C
p
p C

67. Sylvain Hallé
Proof sketch
. .^
^
^
^
finite
1. Start from a conversation protocol
2. For each peer p, define a projection ( )p
3. Show that ( ) is an over-approximation of thep
‘‘standard’’ projection ( ). ÞL( ) ÍL( )p
4. Define a condition for ‘‘bad’’ states of ( )p
5. Show that no trace in L( ) ever visits a bad state
6. Consequence: if no bad state is ever generated, then
C
C
C
C
C
C
.
.
.
.
.
p
p
C
p
p C

68. Sylvain Hallé
Proof sketch
.
.
.^
^
^
^
L( ) ÍL( ) ÍL( )C C C
{
already
seen
{
by 3
.^
finite
1. Start from a conversation protocol
2. For each peer p, define a projection ( )p
3. Show that ( ) is an over-approximation of thep
‘‘standard’’ projection ( ). ÞL( ) ÍL( )p
4. Define a condition for ‘‘bad’’ states of ( )p
5. Show that no trace in L( ) ever visits a bad state
6. Consequence: if no bad state is ever generated, then
C
C
C
C
C
C
.
.
.
.
.
p
p
C
p
p C

69. Sylvain Hallé
Proof sketch
1. Start from a conversation protocol
2. For each peer p, define a projection ( )p
3. Show that ( ) is an over-approximation of thep
‘‘standard’’ projection ( ). ÞL( ) ÍL( )p
4. Define a condition for ‘‘bad’’ states of ( )p
5. Show that no trace in L( ) ever visits a bad state
6. Consequence: if no bad state is ever generated, then
C
C
C
C
C
C
.
.
.
.
.
p
p
C
p
p C
.
.
.^
^
^
^
L( ) ÍL( ) ÍL( ) ÍL( )C CC C
{
already
seen
{
by 3
{
by 5
.^
finite

70. Sylvain Hallé
Proof sketch
.
. .
.^
^
^
^
L( ) ÍL( ) ÍL( ) ÍL( )C CC C
{
already
seen
{
by 3
{
by 5
ÞL( ) =L( )C C
.^
finite
1. Start from a conversation protocol
2. For each peer p, define a projection ( )p
3. Show that ( ) is an over-approximation of thep
‘‘standard’’ projection ( ). ÞL( ) ÍL( )p
4. Define a condition for ‘‘bad’’ states of ( )p
5. Show that no trace in L( ) ever visits a bad state
6. Consequence: if no bad state is ever generated, then
C
C
C
C
C
C
.
.
.
.
.
p
p
C
p
p C

71. Sylvain Hallé
Proof sketch
.
. .
.^
^
^
^
L( ) ÍL( ) ÍL( ) ÍL( )C CC C
{
already
seen
{
by 3
{
by 5
ÞL( ) =L( )
Þis realizable!
C
C
C
.^
finite
1. Start from a conversation protocol
2. For each peer p, define a projection ( )p
3. Show that ( ) is an over-approximation of thep
‘‘standard’’ projection ( ). ÞL( ) ÍL( )p
4. Define a condition for ‘‘bad’’ states of ( )p
5. Show that no trace in L( ) ever visits a bad state
6. Consequence: if no bad state is ever generated, then
C
C
C
C
C
C
.
.
.
.
.
p
p
C
p
p C

72. Sylvain Hallé
A realizability condition
Workflow for evaluating realizability of :C

73. Sylvain Hallé
A realizability condition
Workflow for evaluating realizability of :
1. For some peer p, compute the shared-state projection.
Guaranteed to terminate, as ( ) is finitep
C
Cp^

74. Sylvain Hallé
A realizability condition
Workflow for evaluating realizability of :
1. For some peer p, compute the shared-state projection.
Guaranteed to terminate, as ( ) is finitep
2. In that projection, look for a bad state. Answer
‘ might be unrealizable’ as soon as one is found
C
C
C
p^

75. Sylvain Hallé
A realizability condition
Workflow for evaluating realizability of :
1. For some peer p, compute the shared-state projection.
Guaranteed to terminate, as ( ) is finitep
2. In that projection, look for a bad state. Answer
‘ might be unrealizable’ as soon as one is found
3. Otherwise, repeat 1-2 for another peer
C
C
C
p^

76. Sylvain Hallé
A realizability condition
Workflow for evaluating realizability of :
1. For some peer p, compute the shared-state projection.
Guaranteed to terminate, as ( ) is finitep
2. In that projection, look for a bad state. Answer
‘ might be unrealizable’ as soon as one is found
3. Otherwise, repeat 1-2 for another peer
4. Answer ‘ is realizable’ if no conflict state could be found for
any of the peers
C
C
C
C
p^

77. Sylvain Hallé
Shared-state projection
3
Shared-state projection
focus peer
one one
( )p
Let P be a set of peers and a conversation protocol with states
S. Select one peer p as the .
S
?A state of ( ) is a mapping P ®2 that defines onep
subset of S for each peer: the possible states of
?A transition from to , sending message m, is taken
whenever of the peers can send m from of its
current possible states of
?The consequences of that transition yield the next possible
states of for each peer
p
p
C
C
C
C
C
C
s
s s’
.
.
^
^
^ ^

78. Sylvain Hallé
Shared-state projection
3
If A is the focus peer and the conversation has just started, what
state can B be in, in addition to 0?
: since A cannot distinguish
between them
: since for B it is merged with 0
: since B may have already
sent A a message
: this would require
A to send a message
: also depends on A to be reachable
3, 5
2
4
Not 1
Not 6
.
.
.
.
A B : m1® A C : m2®
C B : m6®
B C : m5®
B C : m3®B A : m4®0
6
534
21

79. Sylvain Hallé
Shared-state projection
3
With a similar reasoning for C, we can deduce that, from A’s
point of view in state 0...
{0,2,3,4,5} are possible states for B
{0,1,3,4,5} are possible states for C
The initial state of ( )p
is therefore:
A:{0,3,5} B:{0,2,3,4,5} C:{0,1,3,4,5}
pC
A B : m1® A C : m2®
C B : m6®
B C : m5®
B C : m3®B A : m4®0
6
534
21
^

80. Sylvain Hallé
Shared-state projection
3
Conflict state (i.e. ‘‘bad’’ state)
In a shared-state projection, take the intersection of the set of
states for each peer. A state is a conflict state if this intersection
is empty.
Intuition: the peers have reached a point where they have
diverging views of the current state of the conversation (and of
what to do next)
Exact construction in the paper!
{1,3} {2,4} {0,1,2} = ÆÇÇ

81. Sylvain Hallé 3
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )C C^
Back to Alice and Bob

82. Sylvain Hallé 3
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )C C^
A:{0,1,2,3,4} B:{0,1,2,3,4}
C:{0,1,2}
Back to Alice and Bob

83. Sylvain Hallé 3
B®C: m3
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )C C^
A:{0,1,2,3,4} B:{0,1,2,3,4}
C:{0,1,2}
A:{3} B:{3} C:{3}
Back to Alice and Bob

84. Sylvain Hallé 3
B®C: m3
A:{3,5} B:{3,5} C:{5}
A®B: m1
B®C: m3 A®C: m4
C®A: m5
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )C C^
A:{0,1,2,3,4} B:{0,1,2,3,4}
C:{0,1,2}
A:{3} B:{3} C:{3}
Back to Alice and Bob

85. Sylvain Hallé 3
B®C: m3 A®C: m4
A:{3,5} B:{3,5} C:{5}
A®B: m1
B®C: m3 A®C: m4
C®A: m5
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )C C^
A:{0,1,2,3,4} B:{0,1,2,3,4}
C:{0,1,2}
A:{3} B:{3} C:{3} A:{4} B:{4} C:{4}
Back to Alice and Bob

86. Sylvain Hallé 3
B®C: m3 A®C: m4
A:{3,5} B:{3,5} C:{5} A:{4,5} B:{4,5} C:{5}
A®B: m1
B®C: m3 A®C: m4
C®A: m5
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )C C^
A:{0,1,2,3,4} B:{0,1,2,3,4}
C:{0,1,2}
A:{3} B:{3} C:{3} A:{4} B:{4} C:{4}
C®B: m6
Back to Alice and Bob

87. Sylvain Hallé 3
B®C: m3 A®C: m4
A:{3,5} B:{3,5} C:{5} A:{4,5} B:{4,5} C:{5}
A®B: m1
B®C: m3 A®C: m4
C®A: m5
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )C C^
A:{0,1,2,3,4} B:{0,1,2,3,4}
C:{0,1,2}
A:{3} B:{3} C:{3} A:{4} B:{4} C:{4}
C®B: m6
Carl cannot be the cause of a
violation
Back to Alice and Bob

88. Sylvain Hallé
Back to Alice and Bob
3
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )A C^

89. Sylvain Hallé 3
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )A C^
A:{0} B:{0,2} C:{0,2}
Back to Alice and Bob

90. Sylvain Hallé 3
A®B: m1
A:{1,3} B:{0,1,2,3,5,#}
C:{0,1,2,3,5}
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )A C^
A:{0} B:{0,2} C:{0,2}
Back to Alice and Bob

91. Sylvain Hallé 3
A®B: m1 B®A: m2
A:{2} B:{2} C:{2}
A:{1,3} B:{0,1,2,3,5,#}
C:{0,1,2,3,5}
A®B: m1
B®C: m3 A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )A C^
A:{0} B:{0,2} C:{0,2}
Back to Alice and Bob

92. Sylvain Hallé 3
A®B: m1 B®A: m2
A:{2} B:{2} C:{2}
A:{1,3} B:{0,1,2,3,5,#}
C:{0,1,2,3,5}
A:{4,5} B:{2,4,5} C:{2,4,5}
A®B: m1
B®C: m3 A®C: m4
A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )A C^
A:{0} B:{0,2} C:{0,2}
Back to Alice and Bob

93. Sylvain Hallé 3
A®B: m1 B®A: m2
A:{2} B:{2} C:{2}
A:{1,3} B:{0,1,2,3,5,#}
C:{0,1,2,3,5}
A:{4,5} B:{2,4,5} C:{2,4,5}
A®B: m1
B®C: m3 A®C: m4
A®C: m4
C®B: m6C®A: m5
B®A: m2
0
1 2
5
3 4
C
p( )A C^
A:{0} B:{0,2} C:{0,2}
If Alice waits for Bob, she
cannot cause a violation
Back to Alice and Bob

94. Sylvain Hallé
Experimental results
3
SSPCalc: PHP tool computing shared-state projections +
graphs and statistics

95. Sylvain Hallé
Experimental results
3
Tool tested on 100 real-world protocols taken from web service
specifications and Singularity OS channel contracts
?91% of protocols
analyzed in less
than 1 s
?95% in less than 10 s
2
?Time µstate space
104
10-3
100 101
101
100
10-1
10-2
102
103
104
102 103
Number of explored states
Validationtime(s)

96. Sylvain Hallé
Experimental results
3
With P peers and S states in , the shared-state projection has a
2 S
maximal size of P ?2 states.
?Bound seldom
reached in practice
?Very few protocols
required more than
10,000 states
C
1010
108
106
104
104
102
100
100 101 102 103
Number of explored states
Theoreticalupperbound y x=

97. Sylvain Hallé
Experimental results
3
Provides on protocols with arbitrary initiator.
Example: Singularity OS’ TPMContract.
Original version: unrealizable.
tighter conditions
C S : GetTpmStatus®C S : GetTpmStatus®
ReadyStateS0
ReadyStateS1
ReadyState
C S : Send®
S C : AckStartSend®
S C : SendComplete®
S C : TpmStatus®
IO_RUNNINGS0
IO_RUNNING
S C : TpmStatus®

98. Sylvain Hallé
Experimental results
3
IO_RUNNINGS1
C S : GetTpmStatus®C S : GetTpmStatus®
ReadyStateS0
ReadyStateS1
ReadyState
C S : Send®
S C : AckStartSend®
S C : SendComplete®
S C : SendComplete®
S C : TpmStatus®
S C : TpmStatus® IO_RUNNINGS0
IO_RUNNING
S C : TpmStatus®
Provides on protocols with arbitrary initiator.
Example: Singularity OS’ TPMContract.
Corrected version: realizable, yet existing conditions still yield
false positive!
tighter conditions

99. Sylvain Hallé
Conclusion
3
?
?
?
?
Asychronous communication can make a conversation
protocol
No and condition for realizability is currently
known
A (SSP) is a projection of that
keeps track of the possible state for the remaining peers
The absence of a conflict state in an SSP is a sufficient
condition for realizability of ; the computation is guaranteed
to terminate
C
C
C
unrealizable
exact universal
shared-state projection

100. Sylvain Hallé
Conclusion
3
Open questions:
?Do SSPs define an over queue
contents?
The paper presents a method for producing
of sufficient realizability conditions. What other
conditions could we devise?
Is the condition for a restricted subset, e.g.
two-party protocols?
Can we unrealizable protocols automatically
using SSPs?
equivalence relation
families
necessary
repair
.
?
?
?
.
.