Compatibility Checking for Asynchronously Communicatin - PDF document

CompatibilityCheckingforAsynchronouslyCommunicatingSoftwareMeriemOuederni1,GwenSalaun2,andTevkBultan31ToulouseINP,IRIT,Francemeriem.ouederni@irit.fr2GrenobleINP,Inria,LIG,Francegwen.salaun@inria.fr3UCSB,USAbultan@cs.ucsb.eduAbstract.Compatibilityisacrucialproblemthatisencounteredwhileconstructingnewsoftwarebyreusingandcomposingexistingcompo-nents.Asetofsoftwarecomponentsiscalledcompatibleiftheircompo-sitionpreservescertainproperties,suchasdeadlockfreedom.However,checkingcompatibilityforsystemscommunicatingasynchronouslyisanundecidableproblem,andasynchronouscommunicationisacommoninteractionmechanismusedinbuildingsoftwaresystems.Atypicalap-proachinanalyzingsuchsystemsistoboundthestatespace.Inthispaper,wetakeadierentapproachanddonotimposeanyboundsonthenumberofparticipantsorthesizesofthemessagebuers.Instead,wepresentasucientconditionforcheckingcompatibilityofasetofasynchronouslycommunicatingcomponents.Ourapproachreliesonthesynchronizabilitypropertywhichidentiessystemsforwhichinterac-tionbehaviorremainsthesamewhenasynchronouscommunicationisreplacedwithsynchronouscommunication.Usingthesynchronizabilityproperty,wecancheckthecompatibilityofsystemswithunboundedmessagebuersbyanalyzingonlyanitepartoftheirbehavior.Wehaveimplementedaprototypetooltoautomateourapproachandwehaveappliedittomanyexamples.1IntroductionAwidelyacceptedviewinsoftwaredevelopmentisthatthesoftwaresystemsshouldbebuiltbyreusingandcomposingexistingpiecesofcode.Moreover,recenttrendsincomputingtechnologypromotedevelopmentofsoftwareappli-cationsthatareintrinsicallyconcurrentanddistributed.Forexample,service-orientedcomputingpromotesdevelopmentofWeb-accessiblesoftwaresystemsthatarecomposedofdistributedservicesthatinteractwitheachotherbyex-changingmessagesovertheInternet.Cyber-physicalsystems,ontheotherhand,involveintegrationofphysicalandcomputationalcomponentsthatinteractinavarietyofwaystoimplementacommonfunctionality.Finally,pervasivesystemscombinelargenumbersofsensorsandcomputationalelementsintegratedintoeverydayenvironmentandrequiretheircoordinationinadynamicsetting.All 2M.Ouederni,G.Salaun,andT.Bultanthesecomputingparadigmsinvolveconcurrentexecutionofdistributedcompo-nentsthatarerequiredtointeractwitheachothertoachieveasharedgoal.Acentralproblemincomposingdistributedcomponentsischeckingtheircompatibility.Compatibilitycheckingisusedtoidentifyifcomposedcomponentscaninteroperatewithouterrors.Thisvericationiscrucialforensuringcorrectexecutionofadistributedsystematruntime.Compatibilityerrorsthatarenotidentiedduringthedesignphasecanmakeadistributedsystemmalfunctionordeadlockduringitsexecution,whichcanresultindelays,nancialloss,andevenphysicaldamageinthecaseofcyber-physicalsystems.Inthispaper,wefocusonthecompatibilitycheckingproblemforclosedsys-temsinvolvingcompositionofdistributedcomponents.Wecallthecomponentsthatparticipateinacomposedsystempeers.Asetofpeersiscompatibleif,whentheyarecomposed,theysatisfyacertainproperty.Wecallsuchapropertyacompatibilitynotion.Itisworthobservingthatthecompatibilityproblemde-pendsonseveralparameters:thebehavioralmodelusedtodescribethepeers(-nitestatemachines,Petrinets,etc.),thecommunicationmodel(synchronousvs.asynchronous,pairwisevs.broadcast/multicast,orderedvs.unorderedbuers,lossychannels,etc.),andthecompatibilitynotion.Inthispaper,weuseLabeledTransitionSystems(LTSs)todescribepeerbehaviors.Wefocusonpairwiseasynchronouscommunicationmodel(whichcorrespondstomessage-basedcom-municationviaFIFObuers).Pairwisecommunicationmeansthateachindi-vidualmessageisexchangedbetweentwopeers(nobroadcastcommunication).Asforcompatibility,thereareseveralcompatibilitynotionsexistinginthelit-erature.Here,wefocusontwowidelyusednotions,namelydeadlock-freedom(DF)[15]andunspeciedreceptions(UR)[11,34].AsetofpeersisDFcompat-ibleiftheircompositiondoesnotcontainanydeadlock,i.e.,startingfromtheirinitialstatespeerscaneitherprogressbyfollowingtransitionsintheirrespectiveLTSsorterminateiftheyareinnalstates.AsetofpeersisURcompatibleiftheydonotdeadlockandforeachmessagethatissentthereisapeerthatcanreceivethatmessage.Mostresultsintheliteratureforverifyingthecompatibilityofbehavioralmodelsassumetwointeractingpeersandsynchronouscommunication,e.g.,[34,15,13,9].However,asynchronouscommunicationismoresuitablethansyn-chronouscommunicationinadistributedsetting,sinceasynchronouscommu-nicationisnon-blocking.Inasynchronouscommunicationthesenderdoesnothavetowaitforthereceiverwhenitneedstoemitamessage.Analyzingasyn-chronouslycommunicatingsystemsismorecomplicatedthansynchronouslycommunicatingsystemssinceitisnecessarytorepresentthecontentsofthemessagebuersduringanalysisofasystemthatusesasynchronouscommunica-tion.Moreover,asynchronouscommunicationwithunboundedmessagebuersleadstoinnitestatespaces.Thismeansthat,ingeneral,vericationtechniquesbasedonexplicitstatespaceexplorationwillnotbesoundforsuchsystems.Analysisofasynchronouslycommunicatingsystemshasbeeninvestigatedex-tensivelyduringthelast30years,e.g.,[11,24,26,14,31].Acommonapproachusedinanalyzingasynchronouslycommunicatingsystemsistoboundthestate CompatibilityCheckingforAsynchronouslyCommunicatingSoftware3spacebyboundingthenumberofcycles,peers,orbuers.Boundingbuerstoanarbitrarysizeduringitsexecutionisnotasatisfactorysolutionsince,ifatsomepointbuers'sizeschange(duetochangesinmemoryrequirementsforexample),itisnotpossibletoknowhowthesystemwouldbehavecomparedtoitsformerversionandnewunexpectederrorscanshowup.ThisisthecaseforinstanceofthesimpliednewsserverprotocolshowninFigure1.Transitionsarelabeledwitheitheremissions(exclamationmarks)orreceptions(questionmarks).Initialstatesaremarkedwithincominghalf-arrowandnalstateshavenooutgoingtransitions.Withbuersize1,thesystemexecutescorrectly(nodeadlock).However,ifweincreasethebuersizeto2,adeadlockappearswhenthenewsserversendsmessagesendnews!followedbystop!.Inthatsituation,thenewsserverisinanalstate,butthereaderisnotabletoreadthestopmessagefromitsbuerandcannotinteractproperlywiththenewsserver. Fig.1.MotivatingExample(1)Figure2showsanothersimpleexampleinvolvingthreepeers:aclient(cl),aserver(sv),andadatabase(db),whichexchangethreemessagesrequest,result,andlog.Peersvreceivesarequest,sendsaresult,andloops.Peerclsendsarequest,receivesaresult,sendsalogmessage,andloops.Peerdbreceiveslogmessages.IfwetrytogeneratetheLTScorrespondingtothecompositionofthesethreepeersinteractingasynchronouslythroughunboundedbuers,thisresultsinaninnitestatesystem.Indeed,thepeerssvandclcanloopinnitely,andthepeerdbcanconsumefromitsinputbuerwheneveritwants,meaningthatitsbuercangrowarbitrarilylarge.Analyzingsuchsystemisthereforeacomplicatedtask(undecidableingeneral[11]),andtothebestofourknowledge,existingapproachescannotanalyzecompatibilityofsuchsystems,becausetheycannothandlesystemsthatcommunicatewithasynchronouscommunicationviaunboundedbuers.Itwasrecentlyshownthatitisdecidabletocheckcertainpropertiesofdis-tributedsystemsinteractingasynchronouslythroughunboundedbuersusingthesynchronizabilityproperty[3,4].Asetofpeersissynchronizableifandonlyifthesystemgeneratesthesamesequencesofmessagesundersynchronousandunboundedasynchronouscommunication(consideringonlytheorderingofthesendactionsandignoringtheorderingofreceiveactions).Itwasshownthatsynchronizabilitycanbeveriedbycheckingtheequivalenceofsynchronousand1-boundedasynchronous(wherebuersizesareboundedtobe1)versions 4M.Ouederni,G.Salaun,andT.Bultan Fig.2.MotivatingExample(2)ofthegivensystem[3,4].Hence,synchronizabilitycheckingcanbeachievedusingequivalencecheckingtechniquesfornitestatespaces,althoughthesys-temconsistingofpeersinteractingasynchronouslycanresultininnitestatespaces.Forexample,thesystemdescribedinFigure2issynchronizablebecausethesynchronoussystemconsistsofsequencesofinteractionsonrequest,result,andlog,andthisorderisthesameinthe1-boundedasynchronoussystemcon-sideringonlysendactions.Focusingonlyonsendactionsandignoringreceiveactionsmakessenseforcheckingsynchronizabilitybecause:(i)sendactionsaretheactionsthattransfermessagestothenetworkandarethereforeobservable,(ii)receiveactionscorrespondtolocalconsumptionsbypeersfromtheirbuersandcanthereforebeconsideredtobelocalandprivateinformation.Inthispaper,weproposeanewapproachforcheckingthecompatibilityofasetofpeersinteractingasynchronouslythroughunboundedFIFObuers.PeersaredescribedusingLTSsandexhibittheirinternalbehaviorsinthesemodels(e.g.,replacingconditionalconstructswithnon-deterministicchoicesofinternalactions).Compatibilitycheckingreliesonsynchronizability,whichensuresthatthesynchronoussystembehavesliketheasynchronousoneforanybuersize.Thus,wecancheckthecompatibilityonthesynchronousversionofthesystemandtheresultsholdfortheasynchronousversions.Weproposeabranchingnotionofsynchronizabilitytotakeinternalactionspresentinthepeermodelsintoaccount.Wealsoneedtocheckthatthesystemiswell-formed,meaningthateverymessagesenttoabuerwillbeeventuallyconsumed.WeshowthatourapproachcanbeusedtocheckDFandURcompatibility.Manysystemsinvolvingloopsdorespectthesynchronizabilityproperty.Thus,thesesystemscanbeanalyzedusingtheapproachproposedinthispaper,whereastheycouldnotbeanalyzedusingexistingapproaches.ThisisthecasefortheexamplegiveninFigure2.Thissetofpeersissynchronizableandthesynchronoussystemisdeadlock-freeforinstance.Therefore,wecanconcludeusingourresultthattheasynchronousversionofthissystemisalsodeadlock-freecompatibleevenifbuersareunbounded.OurapproachisfullyautomatedthroughanencodingofthepeermodelintotheprocessalgebraLOTOS[23],oneoftheinputlanguagesoftheCADPveri-cationtoolbox[19].Bydoingso,wecanreuseallCADPtoolsandparticularlystatespaceexplorationtoolsforgeneratingsynchronousandasynchronoussys-tems,equivalencecheckingtechniquesforverifyingsynchronizability,andmodelcheckingtechniquesforsearchingdeadlocks.Wehavevalidatedourapproachon CompatibilityCheckingforAsynchronouslyCommunicatingSoftware5manycasestudies,mostofthemborrowedfromreal-worldscenariosfoundintheliterature.Theevaluationshowsthat(i)mostsystemsaresynchronizableandcanbeanalyzedusingourapproach,and(ii)thischeckisachievedinareasonabletime(secondsforexamplesinvolvinguptotenpeers,andminutesforsystemsupto18peers).Ourcontributionswithrespecttoearlierresultsonformalanalysisofbehav-ioralmodelsforsynchronizabilityandcompatibilitycheckingarethefollowing:{Ageneralframeworkforverifyingthecompatibilityofsynchronizablesys-temsinteractingasynchronouslythroughunboundedbuers;{Ageneralizationofsynchronizabilityandwell-formednessresultstobranch-ingtimeequivalencesforpeermodelsinvolvinginternalactions;{Afullyautomatedtoolsupportthatimplementsthepresentedapproachforcheckingasynchronouscompatibility.Theorganizationoftherestofthispaperisasfollows.Section2denesourmodelsforpeersandtheircomposition.Section3presentsabranchingnotionofsynchronizability.InSection4,wepresentoursolutionforcheckingasynchronouscompatibility.Section5illustratesourapproachonacasestudy.Section6describesourtoolsupportandexperimentswecarriedouttoevaluateourapproach.Finally,Section7reviewsrelatedworkandSection8concludes.2BehavioralModels2.1PeerModelWeuseLabeledTransitionSystems(LTSs)formodelingpeers.Thisbehavioralmodeldenestheorderinwhichapeerexecutesthesendandreceiveactions.Denition1(Peer).ApeerisanLTSP=(S;s0;;T)whereSisanitesetofstates,s02Sistheinitialstate,=![?[fgisanitealphabetpartitionedintoasetofsendmessages,receivemessages,andtheinternalaction,andTSSisatransitionrelation.Wewritem!forasendmessagem2!andm?forareceivemessagem2?.Weusethesymbol(tauingures)forrepresentinginternalactivities.Atransitionisrepresentedas(s;l;s0)2Twherel2.Finally,weassumethatpeersaredeterministiconobservablemessagesmean-ingthatifthereareseveraltransitionsgoingoutfromonepeerstate,andifallthetransitionlabelsareobservable,thentheyarealldierentfromonean-other.However,nondeterminismcanresultfrominternalactionswhenseveraltransitions(atleasttwo)outgoingfromasamestatearelabeledwith.Itiscrucialtorepresentinternalactivitiesinthepeermodelusingactions,particularlywhenwereasonintermsofsynchronouscommunication.Theseinternalactionsareusedtomodelinternalchoices,thatis,if/whileconstructsinprogramminglanguagesforinstance.Figure3showsasimpleexamplewhereweseethattwopeersp1andp2aredeadlock-freeifwedonotexplicitlyshowtheinternalactions.Ifweconsideranabstractionclosertorealitybymodelingtheinternalactions,weobservethatthepeers(p1'andp2)actuallydeadlock. 6M.Ouederni,G.Salaun,andT.Bultan Fig.3.p1andp2areDeadlock-free;p1'andp2Deadlock2.2SynchronousCompositionThesynchronouscompositionofasetofpeerscorrespondstothesysteminwhichthepeerLTSscommunicateusingsynchronouscommunication.Inthiscontext,acommunicationbetweentwopeersoccursifbothagreeonasynchronizationlabel,i.e.,ifonepeerisinastateinwhichamessagecanbesent,thentheotherpeermustbeinastateinwhichthatmessagecanbereceived.Onepeercanevolveindependentlyfromtheothersthroughaninternalaction.Denition2(SynchronousComposition).GivenasetofpeersfP1;:::;PngwithPi=(Si;s0i;i;Ti),thesynchronouscomposition(P1j:::jPn)isthelabeledtransitionsystemLTSs=(Ss;s0s;s;Ts)where:{Ss=S1:::Sn{s0s2Sssuchthats0s=(s01;:::;s0n){s=[ii{TsSssSs,andfors=(s1;:::;sn)2Ssands0=(s01;:::;s0n)2Ss(interact)sm!s02Tsif9i;j2f1;:::;ngwherei=j:m2!i\?jwhere9sim!!s0i2Ti,andsjm?!s0j2Tjsuchthat8k2f1;:::;ng;k=i^k=j)s0k=sk(internal)s!s02Tsif9i2f1;:::;ng,9si!s0i2Tisuchthat8k2f1;:::;ng;k=i)s0k=sk2.3AsynchronousCompositionIntheasynchronouscomposition,thepeerscommunicatewitheachotherasyn-chronouslythroughFIFObuers.EachpeerPiisequippedwithanunboundedmessagebuerQi.Apeercaneithersendamessagem2!tothetailofthereceiverbuerQjatanystatewherethissendmessageisavailable,readames-sagem2?fromitsbuerQiifthemessageisavailableatthebuerhead,orevolveindependentlythroughaninternalaction.Sincereadingfromthebuerisnotconsideredasanobservableaction,itisencodedasaninternalactionintheasynchronoussystem. CompatibilityCheckingforAsynchronouslyCommunicatingSoftware7Denition3(AsynchronousComposition).GivenasetofpeersfP1;:::;PngwithPi=(Si;s0i;i;Ti),andQibeingitsassociatedbuer,theasynchronouscomposition((P1;Q1)jj:::jj(Pn;Qn))isthelabeledtransitionsystemLTSa=(Sa;s0a;a;Ta)where:{SaS1Q1:::SnQnwhere8i2f1;:::;ng;Qi(?i){s0a2Sasuchthats0a=(s01;;:::;s0n;)(wheredenotesanemptybuer){a=[ii{TaSaaSa,andfors=(s1;Q1;:::;sn;Qn)2Saands0=(s01;Q01;:::s0n;Q0n)2Sa(send)sm!!s02Taif9i;j2f1;:::;ngwherei=j:m2!i\?j,(i)sim!!s0i2Ti,(ii)Q0j=Qjm,(iii)8k2f1;:::;ng:k=j)Q0k=Qk,and(iv)8k2f1;:::;ng:k=i)s0k=sk(consume)s!s02Taif9i2f1;:::;ng:m2?i,(i)sim?!s0i2Ti,(ii)mQ0i=Qi,(iii)8k2f1;:::;ng:k=i)Q0k=Qk,and(iv)8k2f1;:::;ng:k=i)s0k=sk(internal)s!s02Taif9i2f1;:::;ng,(i)si!s0i2Ti,(ii)8k2f1;:::;ng:Q0k=Qk,and(iii)8k2f1;:::;ng:k=i)s0k=skWeuseLTSkatodenetheboundedasynchronouscomposition,whereeachmessagebuerisboundedtosizek.ThedenitionofLTSkacanbeobtainedfromDef.3byallowingsendtransitionsonlyifthemessagebuerthatthemessageisbeingwrittentohaslessthankmessagesinit.3BranchingSynchronizabilityandWell-FormednessAlthoughpeersarerepresentedwithnitemodels,theirparallelexecutioncouldbeaninnitestatesystemduetothecommunicationoverunboundedbuers.Thismakestheexhaustiveanalysisofallexecutedcommunicationtracesimpos-sibleandmostvericationtasksinthissettingareundecidable[11].However,thisissuecanbeavoidedforsystemsthataresynchronizable,i.e.,ifthese-quencesofsendactionsgeneratedbythepeercompositionremainsthesameundersynchronousandasynchronouscommunicationsemantics.Thus,thesyn-chronizabilitycondition[4]enablesustoanalyzeasynchronoussystems,eventhosegeneratinganinnitestatespace,usingthesynchronousversionofthegivensystem(whichhasanitestatespace).Theresultspresentedbelowshowthatsynchronizabilitycanbecheckedbyboundingbuerstok=1andcom-paringinteractionsinthesynchronoussystemwiththeinteractionsintheasyn-chronoussystem.Inthispaper,thepeermodelandcorrespondingcompositionstakeinter-nalbehaviorsintoaccount.Therefore,weneedtoextendsynchronizabilitytobranchingtimesemantics[32]4.Thisiscrucialforconsideringmodelscloserto 4Weassumethatthereaderisfamiliarwithbranchingtimebisimulations,referto[32]otherwise. 8M.Ouederni,G.Salaun,andT.Bultanreality(seeFig.3)andforanalyzingtheinternalstructuretodetectpossibleissuesatthislevel.Inthispaper,werefertobranchingequivalenceasbr.Denition4(BranchingSynchronizability).GivenasetofpeersfP1;:::;Png,theirsynchronouscompositionLTSs=(Ss;s0s;Ls;Ts),andtheirasynchronouscompositionLTSa=(Sa;s0a;La;Ta),wesaythatLTSaisbranch-ingsynchronizable,SYNCbr(LTSa),ifandonlyifLTSsbrLTSa.Theorem1.ALTSadenedoverasetofpeersfP1;:::;Pngisbranchingsyn-chronizableifandonlyifLTSsbrLTS1a.Inotherwords:LTSsbrLTS1a,LTSsbrLTSaProofsofthetheoremsfromthissectionareavailableontherstauthorWebpage.Belowwedenethewell-formednesspropertyandpresenttwotheoremsre-latedtowell-formedness.Denition5.Anasynchronoussystemiswell-formedifandonlyifeverymes-sagethatissentiseventuallyconsumed.GivenalabeledtransitionsystemLTSadenedoverasetofpeersfP1;:::;Png,weuseWF(LTSa)todenotethatLTSaiswell-formed.Theorem2.AsynchronizablesystemLTSaiswell-formedifandonlyifLTS1aiswell-formed,i.e.,WF(LTS1a),WF(LTSa).Theorem3.EveryasynchronoussystemLTSathatisbranchingsynchronizableandcomposedofobservationallydeterministicpeersisalwayswell-formed.4CompatibilityInthissection,wepresenthowtocheckthecompatibilityofasetofpeerscom-municatingasynchronouslyoverunboundedFIFObuers.Thisproblemisunde-cidableinthegeneralcase[11]sinceunboundedbuersmayleadtoinnitestatespaces.Wepresentthecompatibilitycheckingforsynchronouscommunication,andthenshowhowweextendtheseresultstoasynchronouscommunication.WerstfocusonDFandURcompatibilitynotions.WeuseDFtodetectblockingbehaviorswheresystemremainsinnitelyinapendingstatewithnofurtherex-ecution.WeuseURtodetectcaseswheresomeemissionsareneverreceived.Asasecondstep,weshowhowothercompatibilitynotionscanalsobeconsideredsuchasbidirectionalcomplementarityandgoalorientedcompatibility(BCandGOCforshort,respectively).BCrequiresthateveryemissionmustbereceivedandeverymessagethatisexpectedtobereceivedmustbesentduringpeercom-munication.GOCdescribesatemporallogic-basedcompatibility(expressedinLinearTimeLogicforexample),thatmustberespectedbythepeers.Itisworthnotingthatherewefocusoncheckingpropertiesrelatedtoorderingofmessageexchangesamongpeers,leavingpropertiessuchasstatereachabilityoutofthescopeofthispaper. CompatibilityCheckingforAsynchronouslyCommunicatingSoftware94.1SynchronousCompatibilityGivenncommunicatingpeersdescribedusingLTSs(Si;s0i;i;Ti),wedeneaglobalstateasatupleofstates(s1;:::;sn)wheresiisthecurrentstateofLTSi.Werefertoalabellasamessageintogetherwithitsdirection(d2f!;?g),i.e.,l=m!jm?.Twolabelsl1=m1d1andl2=m2d2areconsideredcompatible,lab-comp(l1;l2),ifandonlyifm1=m2and d1=d2where !=?and ?=!.Compatibilitycheckingrequirestoverifytheinteractionateveryglobalstatereachableduringsystemexecution.Reachabilityreturnsthesetofglobalstatesthatninteroperatingpeerscanreachfromacurrentglobalstate(s1;:::;sn)throughindependentevolutions(internalbehaviors)orsynchronizations.TheDFcompatibilityisdenedasfollows.Givenasetofpeers,wecallthemDFcompatibleifandonlyif,startingfromtheirinitialglobalstate,theycanalwaysevolveuntilreachingaglobalstatewhereeverypeerstatehasnooutgoingtransition(correcttermination).TheURcompatibilityisdenedasfollows.Givenasetofpeers,wecallthemURcompatibleif,whenonepeercansendamessageatareachablestate,thereisanotherpeerwhichmusteventuallyreceivethatemission,andthesystemisdeadlock-free.Asetofpeerscanbecompatibleevenifonepeerisabletoreceiveamessagethatcannotbesentbyanyoftheotherpeers,i.e.,theremightbeadditionalreceptions.Itisalsopossiblethatonepeerholdsanemissionthatwillnotbereceivedbyitspartnersaslongasthestatefromwhichthisemissiongoesoutisunreachablewhenthosepeersinteracttogether.Moredetailsaboutthesecompatibilitynotions(DFandURbutalsoBCandGOC)aswellastheirformaldenitionscanbefoundin[17].4.2AsynchronousCompatibilityInthissectionwepresentsucientconditionsforcheckingasynchronouscompat-ibility.Thebehaviorsofsynchronizablesystemsremainidenticalforanybuersize,therefore,wecancheckcompatibilityofsynchronizablesystemsusingexist-ingtechniquesforcheckingsynchronouscompatibility.AsetofcommunicatingpeersfP1;:::;Pngisasynchronouscompatibleifthefollowingconditionshold:{Synchronizability.PeercompositionLTSsarebranchingsynchronizable(Theorem1).{Well-formedness.Everymessagesenttoabueriseventuallyconsumed(Theorems2and3).{Compatibility.Thesetofpeersiscompatibleundersynchronouscommu-nicationsemantics(Section4.1).Intherestofthissection,wedenetheasynchronousDFandURcompati-bility(DFaandURaforshort,resp.)andwenallyshowhowourasynchronouscheckingcanbegeneralizedtocheckothernotions,e.g.,BCaandOGCa.Deadlock-Freedom.AnasynchronoussystemLTSadenedoverasetofpeersfP1;:::;Png,isDFacompatibleifSYNCbr(LTSa)andWF(LTSa),andthecorrespondingLTSsisDF(referredtoasDF(LTSs)). 10M.Ouederni,G.Salaun,andT.BultanTheorem4.(SYNC(LTSa)^WF(LTSa)^DF(LTSs)))DFa(LTSa)Proof.LTSsbrLTSafollowsfromSYNC(LTSa)(Theorem1).Then,wehaveDF(LTSs))DFa(LTSa).UnspeciedReceptions.AlthoughbothDFandURcompatibilityaredif-ferentunderthesynchronouscommunicationsemantics,intheasynchronoussetting,theycanbecheckedsimilarly.RecallthatURcompatibilityrequiresustocheckthat(i)everyreachablesentmessagemustbereceived(i.e.,con-sumedfromthebuerwhereithasbeenstored),and(ii)thesystemmustbedeadlock-free.Theorem5.(SYNC(LTSa)^WF(LTSa)^DF(LTSs)))URa(LTSa)Proof.Condition(i)forURcompatibilityisensuredbywell-formedness.Thus,thisclaimfollowsdirectlyfromURcompatibilitydenitionandTheorem1.Property1.OurconditionforcheckingDFaandURaisnotanecessarycondi-tion.Proof.LetusconsidertheexamplegiveninFigure4.Theasynchronoussystemstartswithaninterleavingofbothemissionsthatcanbeexecutedinpeer1andpeer2,whereasnosynchronizationispossibleundersynchronouscommunica-tion.Thus,thisexampleisnotsynchronizableandwecannotconcludeanythingaboutitscompatibility.Yettheasynchronousversionofthissystemisdeadlock-freecompatible.Asaresult,ourconditionforasynchronouscompatibilityissucientbutnotnecessary. Fig.4.AsynchronousbutnotSynchronousDFCompatibleExampleNotethatndinganecessaryandsucientconditionforasynchronouscom-patibilityofbehavioralpeersisstillanopenproblem.Generalization.TheformerresultscanbegeneralizedtodeneasucientconditionforverifyinganynotionofcompatibilityCNaonsynchronizablesys-tems.ExamplesofothernotionsthatcanbederivedareBCaandOGCa.Forinstance,OGCacanbeformalizedintermsoflivenessandsafetyproperties,e.g.,G()F )andG(:)inLTL,resp. CompatibilityCheckingforAsynchronouslyCommunicatingSoftware11Theorem6.(SYNC(LTSa)^WF(LTSa)^CN(LTSs)))CNa(LTSa)Proof.TheclaimfollowsfromTheorems1and3.Complexity.Thecomplexityofourasynchronouscompatibilitycheckingliesonthecostofcheckingthesynchronizabilityandthecompatibilityonthesyn-chronouscomposition.BranchingbisimulationcomplexityisO(S0T0)[20]whereS0andT0arethetotalnumberofstatesandtransitionsinLTSsandLTS1a.Asforcompatibilitychecking,givennLTSs(S;s0;;T),S=Qni=1jSijrepresentsanupperboundofthenumberofpossibleglobalstates,andT=Pni=1jTijrepresentsanupperboundforthenumberoftransitionsavailablefromanyparticularglobalstate.SandTaregreaterthanorequaltothenumberofstatesreachablefrom(I1;:::;In).BothURaandDFacompati-bilitieshaveatimecomplexityofO(ST)andBCahasatimecomplexityofO(S2T2).5IllustrativeExampleWeconsiderasimpliedversionofaWebapplicationinvolvingfourpeers:aclient,aWebinterface,aWebserver,andadatabase.Figure5showsthepeerLTSs.Theclientstartswitharequest(request!),andexpectsanacknowledg-ment(ack?).Then,theclienteitherinteractswiththeWebserveraslongasitneeds(access!),ordecidestoterminateitsprocessing(terminate!).Thisinternalchoiceismodeledusingabranchingofinternalactions.Finally,theclientwaitsforaninvoice(invoice?).Theserverrstreceivesasetuprequest(setup?).Then,theserverisaccessedbytheclient(access?)anditexpectstoeitherbereleased(free?)orreceiveanalarmifanerroroccurs(alarm?).Finally,theserversubmitsinformationtobestored(log!),e.g.,start/endtimeandusedresources.Everytimeaclientrequestisreceived(request?),theinterfacetriggersasetuprequest(setup!)andsendsbackanacknowledgment(ack!)totheclient.Then,ifater-minationmessageisreceived(terminate?),theinterfaceaskstheWebservertobefreed(free!).Ifanerroroccurs(error?),theinterfacesendsanalarmmessage(alarm!).Finally,thedatabasewaitsforsomeinformationtobestored(log?).Synchronizability.LTSsandLTS1aarebranchingequivalentandthereforeSYNCbr(LTSa).Figure6(left)showsLTSs,wheretransitionsarelabeledwiththemessagesonwhichthepeerscansynchronizeaspresentedinDenition2.Well-formedness.ThesetofpeersareobservationallydeterministicandSYNCbr(LTSa),henceWF(LTSa).SynchronousCompatibility.Thissystemcannotbecompatiblewrt.DF,UR,andBCnotionssincethepeersdeadlockatthelaststateinFigure6(left).Inthatsituation,allpeersareintheirinitialstatesandmaycontinueinteractingwitheachother,excepttheclient,whichisexpectinganinvoicethatisnotprovidedbyanyofthepartners.AsynchronousCompatibility.SinceLTSaisbranchingsynchronizableandwell-formed,wecanuseresultsforsynchronouscompatibilityforthissystem. 12M.Ouederni,G.Salaun,andT.Bultan Fig.5.PeerLTSs Fig.6.SynchronousPeerComposition,V1(left),WebServerPeer,V2(right)ThesystemisnotDFaandURacompatiblebecausethereisadeadlockinLTSs.Wecanxthisissueby,e.g.,addingthemissinginvoice!messagetotheserverpeer(Fig.6,right).Thus,thenewsystemisbranchingsynchronizable(seetheresultingsynchronouscompositioninFig.7),well-formed,andLTSsisdeadlock-free,soitisDFaandURacompatible.However,LTSaisstillnotcompatiblewrt.BCa,becausetherearestillmessages,e.g.,error?intheinterfacepeer,thathavenocounterpartinanyotherpeer.ThisissuecouldalsobedetectedusingGOCcompatibilityandcheckingthefollowingLTLformula:LTSsj=error. Fig.7.SynchronousPeerComposition,V2Notethatthesecondversionofourexamplewithpeerscommunicatingoverunboundedbuershasaninnitestatespacesincetheclient,theserver,andtheinterfacepeerscanlooparbitrarymanytimeswhilethedatabasepeerdoes CompatibilityCheckingforAsynchronouslyCommunicatingSoftware13neverconsumethelog?messagesfromitsbuer.Althoughthisisnotanitestatesystem,wecananalyzeitusingthetechniquesweproposeinthispaper.6ToolSupportandEvaluationOurapproachforcheckingtheasynchronouscompatibilityisfullyautomated.ThisisachievedbyatranslationweimplementedfrompeermodelstotheLO-TOSprocessalgebra.TheCADPvericationtoolbox[19]acceptsLOTOSasin-putandprovidesecienttoolsforgeneratingLTSsfromLOTOSspecicationsandforanalyzingtheseLTSsusingequivalenceandmodelcheckingtechniques,whichenableustocheckallthenotionsofcompatibilitypresentedinthispaper.6.1LOTOSEncodingLOTOS[23]isanabstractformallanguageforspecifyingconcurrentprocesses,communicatingviamessages.WechoseLOTOSbecause(i)itprovidesexpres-siveoperatorsforencodingLTSsandgeneratingtheircompositions,and(ii)itissupportedbystate-of-the-artvericationtools(CADP)thatcanbeusedforan-alyzingLOTOSspecications.Withregardstocompatibilitychecking,werstencodepeerLTSsintoLOTOSprocessesfollowingthestatemachinepattern(oneprocessisgeneratedperstateintheLTS).Eachpeercomeswithaninputbuer.Buersareprocesses,whichinteractwiththepeersandstore/handlemes-sagesusingclassicstructures(lists)andoperationsonthem(add,remove,etc.).Finally,weusetheLOTOSparallelcompositionforspecifyingthesynchronousandasynchronouscompositionofpeers.Basedonthisencoding,werstusestatespaceexplorationtoolstogenerateLTSscorrespondingtotheLOTOSspecication,inparticularforsynchronousand1-boundedasynchronoussystem.Then,wecheckthesynchronizabilitycon-ditionusingbranchingequivalencechecking,andnallywecheckcompatibilityconditionsusingthedeadlock-freedomcheckormodelcheckingofpropertieswritteninMCL[29],whichsubsumesbothLTLandCTL.6.2ExperimentsWecarriedoutexperimentsonaMacOSmachinerunningona2.53GHzInteldualcoreprocessorwith4GBofRAM.Ourdatabaseofexamplesincludes160examplesofcommunicatingsystems:10casestudiestakenfromtheliterature(Webservices,cloudcomputing,e-commerce,etc.),86examplesofSingularitychannelcontracts[1],whichisacontractnotationforMicrosoft'sSingularityoperatingsystem,and64hand-craftedexamples.Weemphasizethatoutofthe96real-worldexamples,only5arenotbranchingsynchronizableandwell-formed.Thus,91examplesoutof96canbeanalyzedusingourapproach.Tables1,2,and3presentexperimentsforsomeexamplesfromourdatabase.EachtableconsidersDFacompatibilityforillustrationpurposes,butwerecallthatDFaisequivalenttoURaforasynchronoussystems.Eachtableshows,for 14M.Ouederni,G.Salaun,andT.Bultaneachexample,thenumberofpeers,thetotalnumberoftransitionsandstatesinvolvedinthesepeers,thesizeofthesynchronoussystem,thesizeofthe1-boundedasynchronoussystem,thecompatibilityresult(\p"denotesthatthesystemiscompatible,\"denotesthatthesystemisnotcompatible,and\-"denotesthatthesystemdoesnotsatisfythesucientcondition,i.e.,itisnotsynchronizable),thesuccessivetimeforcomputingthesynchronousand1-boundedasynchronoussystem,andforcheckingsynchronizabilityanddeadlock-freedom,respectively.WecanseethatanalyzingtheexamplesgiveninTables1and2onlytakesafewseconds.Thisisduetosystemsinvolvingareasonablenumberofpeers(upto6inTable1),whichresultsinquitesmallLTSs,evenforthe1-boundedasynchronouscomposition(upto100statesand200transitionsinTable1).Table3presentsafewexampleswithmorethan10peers.Thenumberofinteractingpeersisthemainfactorofstatespaceexplosion,becauseitinducesmoreparallelisminthecorrespondingcomposition.Thecostintermsofcompu-tationtimemainlyliesonthegenerationofthe1-boundedasynchronoussystem,thatiscompilingLOTOScodeintoLTSsbyenumeratingallthepossiblebe-haviors(interleavingsofconcurrentemissions/receptions)andminimizingtheresultingLTSusingCADPtools.Inparticular,reducingLTSswithrespecttoabranchingrelationneedsacertainamountoftime(seeexamples0115,0153,and0159).Incontrast,checkingsynchronizabilityanddeadlock-freedomusingequivalenceandmodelcheckingtechniquestakesonlyfewsecondsbecauseLTSsobtainedafterreductionaremuchsmaller.Wehavealsomadeafewexperiments,increasingthebuersize(k=5,k=10,etc.).Wehaveobservedthattheresulting,reducedLTSremainsthesameduetothesynchronizabilityproperty,butthegenerationtimeincreasesbecausetherearemorepossibilitiesofadding/removingmessagesfrombuers.Consequently,computationtimeforoursolutionismuchlowerthanapproachesusingarbitraryboundsforbuers.Table1.CaseStudiesFromtheLiterature Example jpeersj jTj=jSj LTSs LTS1a DF AnalysisTime jTj=jSj jTj=jSj Comp. Gen. Sync. DF SupplyChainManagementApplication[7] 6 20/25 20/17 216/97  5.05s 0.35s 0.15s HealthSystem[12] 6 21/20 10/11 22/21  4.48s 1.99s 2.26s CloudSystem[21] 4 19/15 10/9 29/22  4.65s 2.25s 1.88s CloudSystem(V2)[21] 4 20/16 12/10 78/43 p 4.44s 1.96s 1.60s SanitaryAgency[30] 4 37/27 26/21 159/100 - 4.76s 2.28s - E-Marketplace[18] 3 8/11 6/7 15/14 p 4.35s 1.96s 1.49s FilterCollaboration[34] 2 10/11 10/10 14/14 p 4.18s 2.22s 1.51s CarRental[8] 4 17/17 9/9 59/44 - 4.99s 2.04s - Client/Server[11] 2 10/6 9/6 19/14 - 4.68s 2.09s - AirlineTicketReservation[33] 2 9/9 7/7 15/13  4.30s 2.01s 1.49s CompatibilityCheckingforAsynchronouslyCommunicatingSoftware15Table2.SingularityChannelsContracts[1] Example jpeersj jTj=jSj LTSs LTS1a DF AnalysisTime jTj=jSj jTj=jSj Comp. Gen. Sync. DF SmbClientManager 2 40/18 21/10 41/30 p 6,83s 3.30s 2.53s Calculator 2 12/10 7/6 13/12 p 6.89s 2.40s 2.51s FileSystemController 2 16/10 9/6 17/14 p 6,87s 2.21s 2.30s TcpContract 2 8/8 5/5 9/9 p 6.61 2.55s 2.26s PipeMultiplexControl 2 4/4 2/2 5/5 p 6.44s 2.10s 2.27s UdpConnectionContract 2 134/60 69/32 136/99 p 7.26s 2.52s 2.14s IPContract 2 64/28 33/15 65/47 p 7.07 2.30s 2.23s RoutingContract 2 44/20 23/11 45/33 p 6.65s 2.10s 2.27s ReservationSession 2 16/12 9/7 23/19 - 6.66s 2.37s - TpmContract 2 38/24 20/13 44/35 - 6.80 2.36s - Table3.Hand-CraftedExamples Example jpeersj jTj=jSj LTSs LTS1a LTSared. DF AnalysisTime jTj=jSj jTj=jSj jTj=jSj Comp. Gen. Red. Sync. DF 0097 9 19/19 103/27 1,543/387 98/26 p 4.59s 2.2s 2.45s 1.43s 0101 14 42/29 4,277/649 334,379/54,433 3,402/486 p 1m15s 4m2s 2.46s 1.80s 0115 16 48/41 14,754/1,945 2,332,812/326,593 11,664/1,458 p 3m34s 11m33s 2.44s 1.45s 0153 18 38/38 4,616/577 1,179,656/147,457 4,608/576 p 7.51s 18m52s 2.60s 1.43s 0159 20 45/43 15,561/1,729 7,962,633/884,737 15,552/1,728 p 24.28s 5h58m 2.62s 1.64s 7RelatedWorkOneoftherstapproachesoncompatibilitycheckingisproposedbyBrandandZaropulo[11].ItdenestheunspeciedreceptionscompatibilitynotionforinteractionprotocolsdescribedusingCommunicatingFiniteStateMachines(CFSMs).Thisworkfocusesonthecompatibilityofninteractingprocessesex-ecutedinparallelandexchangingmessagesviaFIFObuers.Whenconsideringunboundedbuers,theauthorsshowthattheresultingstatespacesmaybeinnite,andtheproblembecomesundecidable.Theapproachesusedin[15,6]dealwithtwokindsofprocessescompatibility,namelyoptimisticandpessimisticnotions.DeAlfaroandHenzinger[15]arguefortheuseoftheoptimisticnotionthatconsiderstwoprocessesP1andP2(I/Oautomata)ascompatibleifthereisanenvironmentthatcanproperlycommuni-catewiththeircompositeprocess.Notethatanenvironmentisalsocomposedofoneormoreprocesses.ApropercommunicationholdsifthecompositionoftheinterfaceproductP1\nP2withitsenvironmentisdeadlock-free.Theap-proachintroducedin[6]addressesthepessimisticnotionwhichstatesthattwoprocessesP1andP2arecompatibleifnodeadlockoccursbetweenP1andP2,inanyenvironmentofP1\nP2.[5]denesanasynchronouscompatibilityformodalI/Otransitionsystems.Theauthorsdonotproposeanydecisioncriterionbuttheyclaimthatthisvericationisundecidableinthegeneralcaseduetothebueringmechanismwhichmayleadtoinnitestatespaces.[22]treatsdierentcompatibilityproblemsfornon-orderedbuersandforopensystemsusingPetrinets.[28,31,25,27]relyonanextensionofPetrinets, 16M.Ouederni,G.Salaun,andT.Bultannamelyopennetstomodelandverifybehavioralinterfacesofprocessesdescribedaswork\rows,assumingasynchronouscommunicationovermessagebuers.Thismodelprovidesagraphicalrepresentation,andcanbecomputedfromexistingprogramminglanguages.[28]relyontheusabilityconcepttoanalyzethecom-patibilityofprocessesrepresentedaswork\rows.Thiscompatibilitynotionisanenvironment-awarecompatibilitywheretwoprocessesAandBareconsideredcompatibleifthereisanenvironmentE,whichusesthecomposedsystemA\nB.Insuchacase,A\nBisconsideredusable,meaningthatitscompositionwithEisdeadlock-free.Thecondition,yetnecessary,isnotsucientinthecaseofnprocesses.Asimilarcompatibilitydenitionusedintheliteratureisthatofcontrollability[31,25,27].AprocessAiscontrollableifithasacompatiblepartnerBinthesensethatthecompositeprocessA\nBisdeadlock-free.Asfarasasynchronoussemanticsisconsidered,controllabilityhasproventobeundecidableforunboundedopennets.Forimplementingcontrollability,theau-thorsrequirethatopennetsareboundedandsatisfyk-limitedcommunication,forsomegivenk.Consequently,usingaPetrinet-basedmodelrequiresamuchhighercomputationalandspacecomplexitythanourapproach.Darondeauandcolleagues[14]identifyadecidableclassofsystemsconsist-ingofnon-deterministiccommunicatingprocessesthatcanbescheduledwhileensuringboundednessofbuers.Abdullaetal.[2]proposesomevericationtechniquesforCFSMs.Theypresentamethodforperformingsymbolicforwardanalysisofunboundedlossychannelsystems.JeronandJard[24]proposeasucientconditionfortestingunboundedness,whichcanbeusedasadecisionprocedureforcheckingreachabilityforCFSMs.In[26],theauthorspresentanincompleteboundednesstestforcommunicationchannelsinPromelaandUMLRTmodels.Theyalsoprovideamethodtoderiveupperboundestimatesforthemaximaloccupancyofeachindividualmessagebuer.Morerecently,[16]proposedacausalchainanalysistodetermineupperboundsonbuersizesformulti-partysessionswithasynchronouscommunication.Recently,BouajjaniandEmmi[10]consideraboundedanalysisformessage-passingprograms,whichdoesnotlimitthenumberofcommunicatingprocessesnorthebuers'size.However,theylimitthenumberofcommunicationcycles.Theyproposeadecisionpro-cedureforreachabilityanalysiswhenprogramscanbesequentialized.Bydoingso,programanalysiscaneasilyscalewhilepreviousrelatedtechniquesquicklyexplode.8ConclusionInthispaper,wehavepresentedresultsthatgobeyondallexistingworksoncheckingthecompatibilityofsystemscommunicatingasynchronouslybymes-sageexchangeoverunboundedbuers.Inourapproach,wedonothaveanyrestrictionsonthenumberofparticipants,onthepresenceofcommunicationcyclesinbehavioralmodels,oronthebuersizes.Instead,wefocusontheclassofsynchronizablesystemsandproposeasucientconditionforanalyzingasyn-chronouscompatibility.Thisresultsinagenericframeworkforverifyingwhether CompatibilityCheckingforAsynchronouslyCommunicatingSoftware17asetofpeersrespectsomepropertysuchasdeadlock-freedomorunspeciedreceptions.Inordertoobtaintheseresultsforpeermodelsinvolvinginternalbe-haviors,wehaveextendedsynchronizabilityresultstobranchingtime.Finally,wehaveimplementedaprototypetoolwhichenablesustoautomaticallychecktheasynchronouscompatibilityusingtheCADPtoolbox,andwehaveconductedexperimentsonmanyexamples.Inthefutureweplantodeveloptechniquesforenforcingtheasynchronouscompatibilityofasetofpeerswhenthecompati-bilitycheckfails,byautomaticallygeneratingasetofdistributedcontrollersasadvocatedin[21]forenforcingchoreographyrealizability.References1.SingularityDesignNote5:ChannelContracts.SingularityRDKDocumentation(v1.1).http://www.codeplex.com/singularity,2004.2.P.A.Abdulla,A.Bouajjani,andB.Jonsson.On-the-FlyAnalysisofSystemswithUnbounded,LossyFIFOChannels.InProc.CAV'98,volume1427ofLNCS,pages305{318.Springer,1998.3.S.BasuandT.Bultan.ChoreographyConformanceviaSynchronizability.InProc.ofWWW'11,pages795{804.ACMPress,2011.4.S.Basu,T.Bultan,andM.Ouederni.DecidingChoreographyRealizability.InProc.ofPOPL'12,pages191{202.ACM,2012.5.S.S.Bauer,R.Hennicker,andS.Janisch.InterfaceTheoriesfor(A)synchronouslyCommunicatingModalI/O-TransitionSystems.InProc.ofFIT'10,volume46ofEPTCS,pages1{8,2010.6.S.S.Bauer,P.Mayer,A.Schroeder,andR.Hennicker.OnWeakModalCompat-ibility,Renement,andtheMIOWorkbench.InProc.ofTACAS'10,volume6015ofLNCS,pages175{189.Springer,2010.7.D.Beyer,A.Chakrabarti,andT.Henzinger.WebServiceinterfaces.InProc.ofWWW'05,pages148{159.ACM,2005.8.D.Bianculli,D.Giannakopoulou,andC.S.Pasareanu.InterfaceDecompositionforServiceCompositions.InProc.ofICSE'11,pages501{510.ACM,2011.9.L.Bordeaux,G.Salaun,D.Berardi,andM.Mecella.WhenareTwoWebServicesCompatible?InProc.ofTES'04,volume3324ofLNCS,pages15{28.Springer,2004.10.A.BouajjaniandM.Emmi.BoundedPhaseAnalysisofMessage-PassingPro-grams.InProc.ofTACAS'12,volume7214ofLNCS,pages451{465.Springer,2012.11.D.BrandandP.Zaropulo.OnCommunicatingFinite-StateMachines.J.ACM,30(2):323{342,1983.12.A.Bucchiarone,H.Melgratti,andF.Severoni.TestingServiceComposition.InProc.ofASSE'07,2007.13.C.Canal,E.Pimentel,andJ.M.Troya.CompatibilityandInheritanceinSoftwareArchitectures.ScienceofComputerProgramming,41(2):105{138,2001.14.P.Darondeau,B.Genest,P.S.Thiagarajan,andS.Yang.Quasi-StaticSchedulingofCommunicatingTasks.InProc.CONCUR'08,volume5201ofLNCS,pages310{324.Springer,2008.15.L.deAlfaroandT.Henzinger.InterfaceAutomata.InProc.ofESEC/FSE'01,pages109{120.ACMPress,2001. 18M.Ouederni,G.Salaun,andT.Bultan16.P.-M.DenielouandN.Yoshida.BueredCommunicationAnalysisinDistributedMultipartySessions.InProc.CONCUR'10,volume6269ofLNCS,pages343{357.Springer,2010.17.F.Duran,M.Ouederni,andG.Salaun.AGenericFrameworkforN-ProtocolCom-patibilityChecking.ScienceofComputerProgramming,77(7-8):870{886,2012.18.H.Foster,S.Uchitel,J.Kramer,andJ.Magee.CompatibilityVericationforWebServiceChoreography.InProc.ofICWS'04.IEEEComputerSociety,2004.19.H.Garavel,F.Lang,R.Mateescu,andW.Serwe.CADP2010:AToolboxfortheConstructionandAnalysisofDistributedProcesses.InProc.ofTACAS'11,volume6605ofLNCS,pages372{387.Springer,2011.20.J.F.GrooteandF.W.Vaandrager.AnEcientAlgorithmforBranchingBisim-ulationandStutteringEquivalence.InProc.ofICALP'90,volume443ofLNCS,pages626{638.Springer,1990.21.M.Gudemann,G.Salaun,andM.Ouederni.CounterexampleGuidedSynthesisofMonitorsforRealizabilityEnforcement.InProc.ofATVA'12,volume7561ofLNCS,pages238{253.Springer,2012.22.S.Haddad,R.Hennicker,andM.H.Mller.ChannelPropertiesofAsynchronouslyComposedPetriNets.InProc.ofPetriNets2013,volume7927ofLNCS,pages369{388.Springer,2013.23.ISO/IEC.LOTOS|AFormalDescriptionTechniqueBasedontheTemporalOrderingofObservationalBehaviour.InternationalStandard8807,ISO,1989.24.T.JeronandC.Jard.TestingforUnboundednessofFIFOChannels.Theor.Comput.Sci.,113(1):93{117,1993.25.K.KaschnerandK.Wolf.SetAlgebraforServiceBehavior:ApplicationsandCon-structions.InProc.ofBPM'09,volume5701ofLNCS,pages193{210.Springer,2009.26.S.Leue,R.Mayr,andW.Wei.AScalableIncompleteTestforMessageBuerOver\rowinPromelaModels.InProc.SPIN'04,volume2989ofLNCS,pages216{233.Springer,2004.27.N.Lohmann.WhyDoesMyServiceHaveNoPartners?InProc.ofWS-FM'08,volume5387ofLNCS,pages191{206.Springer,2008.28.A.Martens,S.Moser,A.Gerhardt,andK.Funk.AnalyzingCompatibilityofBPELProcesses.InProc.ofAICT/ICIW'06,pages147{156.IEEEComputerSociety,2006.29.R.MateescuandD.Thivolle.AModelCheckingLanguageforConcurrentValue-PassingSystems.InProc.ofFM'08,volume5014ofLNCS.Springer,2008.30.G.Salaun,L.Bordeaux,andM.Schaerf.DescribingandReasoningonWebSer-vicesusingProcessAlgebra.InternationalJournalonBusinessProcessandInte-grationManagement,1(2):116{128,2006.31.W.M.P.vanderAalst,A.J.Mooij,C.Stahl,andK.Wolf.ServiceInteraction:Patterns,Formalization,andAnalysis.InProc.ofSFM'09,volume5569ofLNCS,pages42{88.Springer,2009.32.R.J.vanGlabbeekandW.P.Weijland.BranchingTimeandAbstractioninBisimulationSemantics.J.ACM,43(3):555{600,1996.33.P.WongandJ.Gibbons.VerifyingBusinessProcessCompatibility.InProc.ofQSIC'08,pages126{131.IEEEComputerSociety,2008.34.D.M.YellinandR.E.Strom.ProtocolSpecicationsandComponentAdaptors.ACMTransactionsonProgrammingLanguagesandSystems,19(2):292{333,1997.