1 Ivan Lanese Computer Science Department University of Bologna Italy On the Interplay between Fault Handling and Request-response Service Invocations Joint work with Claudio Guidi, Fabrizio Montesi and Gianluigi Zavattaro
Roadmap l Idea of the work l Our approach to error handling –Extending SOCK –Dynamic installation of handlers –Interplay with request-response l The automotive case study l Conclusive remarks
Roadmap l Idea of the work l Our approach to error handling –Extending SOCK –Dynamic installation of handlers –Interplay with request-response l The automotive case study l Conclusive remarks
Service Oriented Computing (SOC) l SOC is a paradigm to program distributed applications –Based on the composition of dynamically discovered, loosely- coupled services –Services interact using the notification and request-response patterns l Allows integration of services from different companies –Great code reusability l Has to deal with interoperability, dynamicity, security, Quality of Service, reconfiguration… l Based on standards for data (XML), communication (SOAP), discovery (WSDL and UDDI) and orchestration (BPEL)
Error handling l Safe composition of services requires to deal with faults –Scarce guarentees on components’ behaviour because of loose coupling –Unexpected events can happen l A fault is an abnormal situation that forbids the continuation of an activity –An activity that generates a fault is terminated l Faults should be managed so that the whole system can reach a consistent state l BPEL offers various mechanisms for error handling
Fault handling mechanisms l Based on the idea of long running transactions –ACID transactions impossible to obtain –Compensations are used to reach a consistent state l Faults terminate the current activity and trigger recovery activities specified by suitable handlers l Fault handler: executed as answer to a fault l Termination handler: executed to smoothly terminate a parallel activity l Compensation handler: executed to undo the effect of an already completed activity
What we propose? l A formal model for faults and compensations in SOC –Based on the process calculus SOCK –Rigorous LTS semantics 1. Expressive high-level primitives –Mimicking BPEL ones –Allowing for easy management of different kinds of faults 2. Dynamic installation of handlers –The fault handling code is always up-to-date 3. Faults do not spoil request-response communications –Automatic notification in case of server fault –The client always waits the reply from the server –Possible to recover from remote errors
Why process calculi? l Formal methods are necessary to master the complexity of SOC –Different implementations of BPEL have different behaviours –Standards are only informally defined –Difficult to understand the interplay between different features l Process calculi allow to unequivocally specify the behaviour of the different mechanisms… –Clarify their semantics and their interactions –Drive the implementations l … and prove properties of the resulting system –Good behaviour guarenteed
The underlying language l SOCK (Service Oriented Computing Kernel) is a process calculus for SOC l Explores service interactions –Based on notification and request-response primitives –Composed using standard operators from imperative languages (while, …) and process calculi (parallel composition, …) l Strongly related to current technologies –WSDL, BPEL l But with full formal semantics l Driving the implementation of the language JOLIE
Roadmap l Idea of the work l Our approach to error handling –Extending SOCK –Dynamic installation of handlers –Interplay with request-response l The automotive case study l Conclusive remarks
Extending SOCK with faults and compensations l Code boxed into scopes {P} q –Provide a hierarchical structure –Define the boundaries of error handling activities l Primitives for: –Throwing faults: throw(f) –Installing handlers: inst(u,P) –Invoking compensations: comp(q) l A few other things
The scope hierarchy P H q P H q P H q P H q P H q At runtime the scopes contain handlers H
Throwing a fault q1q1 q2q2 (f,Q) Throw (f) (q 2,T 2 ) (q 1,T 1 )
Throwing a fault q1q1 q2q2 (f,Q) (q 2,T 2 ) (q 1,T 1 ) f Faults kill activities while propagating
Throwing a fault T1T1 q1q1 T2T2 q2q2 (f,Q) f Termination handlers of parallel activities are executed
Throwing a fault T1T1 q1q1 T2T2 q2q2 Q f When found, the fault handler is executed
More on fault propagation l Recovery activities cannot be killed by other faults –Error recovery activities are always completed l But termination overrides fault handling –Global errors more important than internal ones l After having been killed a scope smoothly terminates –Ongoing communications are terminated –No more faults can be thrown
Compensation handlers l Allow to undo the effect of an already completed activity –The fault handler of a purchase activity could ask to annul a previously done payment l Has to be explicitly programmed and invoked –Primitive comp(q) –Available only inside handlers –Only child activities can be compensated
Roadmap l Idea of the work l Our approach to error handling –Extending SOCK –Dynamic installation of handlers –Interplay with request-response l The automotive case study l Conclusive remarks
Dynamic fault handling l In all the languages we are aware of handlers are statically installed while programming –Java throw … catch … –BPEL handlers l Not always easy to write the desired compensation
Example l { throw(f) | while (i <100) if i%2=0 then P else Q, H} q l We want to compensate each completed execution of P and Q in the reverse order of execution l We need auxiliary variables to track the executions of P and Q –Complex and error-prone l Atomicity problem –Suppose P has been executed but the auxiliary variables have not been updated yet –If a fault occurs then the last execution of P is not compensated
Our solution l { throw(f) | while (i <100) if i%2=0 then P ; inst(f,P’;cH) else Q ; inst(f,Q’;cH), H 0 } q l P’ compensates P, Q’ compensates Q l The handlers are dynamically installed l cH (for current handler) allows to recover the previous handler for updating l inst is a special primitive that has higher priority than fault execution –No atomicity problem
Installing an handler Inst (f,Q) As soon as inst is enabled it is executed
Installing an handler (f,Q)
Compensation handlers l When an activity terminates the last defined termination handler becomes its compensation handler l Same handling for faults immediatly before activity termination and immediatly after activity termination
Installing compensation handlers q q’ Inst (q,Q)
Installing compensation handlers q (q,Q) Q terminates q’
Installing compensation handlers (q,Q) Handlers in q’ can compensate q using comp(q) q’
Roadmap l Idea of the work l Our approach to error handling –Extending SOCK –Dynamic installation of handlers –Interplay with request-response l The automotive case study l Conclusive remarks
Fault handling and request-response l Request-response is a long lasting interaction l Faults on one side influence the other side l Two possibilities: –Faults on server side during the interaction –Faults on client side while waiting for the answer
Faults on server side l A client asks a payment to the bank, the bank fails l In ActiveBPEL the client receives a generic “missing- reply” exception l Our approach –The exact fault is notified to the client –The notification acts as a fault for the client –Suitable actions can be taken to manage the remote fault
Faults on client side l A client asks a payment to the bank, then fails before the answer l In BPEL the return message is discarded l Our approach –The return message is waited for –The handlers can be updated according to whether or not a non-faulty message is received –The remote activity can be compensated if necessary
Roadmap l Idea of the work l Our approach to error handling –Extending SOCK –Dynamic installation of handlers –Interplay with request-response l The automotive case study l Conclusive remarks
Automotive case study l A car failure forces the car to stop l The car service system looks for –A garage to repair the car –A tow truck to take the car to the garage –A car rental to take the driver home l The suitability of the services is checked l The services are booked and paid via a bank
(Part of) the automotive case study in SOCK
Adding tow truck faults
Screenshot from JOLIE
Feedback from the case study l Easy to write the desired error handling policies l All the mechanisms are used –Useful to allow for frozen variables in handlers code l All unexpected behaviours catched
Roadmap l Idea of the work l Our approach to error handling –Extending SOCK –Dynamic installation of handlers –Interplay with request-response l The automotive case study l Conclusive remarks
Conclusions l Formal framework for error handling in SOC –Near to current technologies (BPEL)… –… but with formal semantics l Dynamic installation of handlers –Allows to update the termination handler as the activity progresses l Errors do not spoil the request-response protocol –Either the fault or the normal answer is sent back –The answer can be used during error recovery
Future work l Check whether the approach can be applied to other languages –Other languages for SOC (COWS, SSCC, CASPIS) –π-calculus l Study the relationships between different kinds of primitives for fault handling –Static vs dynamic –Hierarchical vs flat
End of talk