
Control Flow

In document Flexible semantic service execution (Page 98-107)

4.3 Process Model

4.3.1 Control Flow

The invocation of services and operations in the form of request-reply or one-way interactions essentially constitutes a discrete process with discrete state changes over time. This makes the PN formalism an almost natural choice to describe such processes because its state-transition semantics fits them well. Moreover, the PN formalism is general enough to (i) represent concurrency and to (ii) map the control constructs existing in prominent process modeling frameworks onto PNs (e.g., BPEL [SS04, OVA+07, Loh08, LVOS09], OWL-S [NM02, BCI09]), thereby ascribing precise operational execution semantics to the control constructs of these languages.

Before we introduce the formal model of the control flow, we introduce the basics of the Petri net formalism required subsequently, following closely [Mur89, EKR95, Aal98]. Readers familiar with PNs and the notion of WorkFlow nets might skim through the following subsection.

Petri Nets and WorkFlow Nets

In its basic form, a Petri net (PN) is a bipartite directed graph G = (P, T, F). Nodes are divided into the finite set of place nodes P and the finite set of transition nodes T

P = {p1, p2, ..., pm} and T = {t1, t2, ..., tn}.

The set of edges F of such a graph is called the flow relation; every edge either connects a place node to a transition node or vice versa (but never two transitions or two places). Formally,

F ⊆ (P × T) ∪ (T × P).

Observe that F restricts every pair of nodes to be connected by at most one edge. Let F∗ denote the transitive closure of F. F is acyclic iff for each pair (x, y) ∈ F∗, (y, x) ∉ F∗. A path W from a node x1 to a node xk is a sequence W = ⟨x1, x2, ..., xk⟩ such that (xi, xi+1) ∈ F for 1 ≤ i < k (i.e., (x1, xk) ∈ F∗). A node y is said to be on a path between node x and node z iff (x, y) ∈ F∗ and (y, z) ∈ F∗. A path W is elementary [Aal98, Definition 6] iff all nodes on W are unique; that is, iff for any two nodes xi, xj on W, i ≠ j implies xi ≠ xj. Observe that an elementary path is acyclic. A PN is strongly connected iff there exists a path from every node to every other node in P ∪ T.

If there is a directed edge from one node to another, the former is called an input node of the latter, while the latter is called an output node of the former. More generally, the pre-set and post-set of a place p ∈ P are denoted with •p and p•, respectively. Analogously, the pre-set and post-set of a transition t ∈ T are denoted with •t and t•, respectively. Formally, these sets are defined as follows:

•p = {t | t ∈ T and (t, p) ∈ F}, p• = {t | t ∈ T and (p, t) ∈ F}, and

•t = {p | p ∈ P and (p, t) ∈ F}, t• = {p | p ∈ P and (t, p) ∈ F}.

The sets of initial and final places (a.k.a. source and sink places) are denoted with Pi and Pf, respectively, and defined as follows:

Pi = {p | p ∈ P and •p = ∅} and Pf = {p | p ∈ P and p• = ∅}.

Inspired by [EKR95], we call the union Pi ∪ Pf the interface of G.²⁴

A free-choice PN is a PN where every arc is either the only incoming arc of a transition or the only outgoing arc of a place, that is,

∀p1, p2 ∈ P: p1• ∩ p2• ≠ ∅ implies |p1•| = |p2•| = 1.

²⁴ This slightly differs from [EKR95, Definition 5.1], where the authors essentially consider PNs with exactly one initial and one final place each (similar to WorkFlow nets) and define the interface as the union of these two places.

A marking M of a PN is an assignment of a number of tokens to each place node (i.e., the distribution of tokens over place nodes). Formally, it is described as the function

M : P → ℕ0

where M(p) denotes the number of tokens at place p ∈ P under marking M. A marking can equally be understood as a multiset over the place nodes or as an element of the Cartesian product (ℕ0)^|P|. A marked PN is denoted with G = (P, T, F, M0), where M0 is the initial marking.

The algebraic structure of a PN G = (P, T, F) can be graphically represented. The common convention is to represent a place p ∈ P by a circle, a transition t ∈ T by a rectangle, a pair of nodes (x, y) ∈ F by a directed arc pointing from x to y, and the number of tokens at a place p by an equal number of points drawn inside the circle representing p (see Figure 4.5 for an example).

There are various extensions to the basic formalism such as token capacities for places, associating duration or delay with places/transitions/tokens, or Coloured Petri nets [Jen87] where tokens are distinguishable by associating them with a value. None of these extensions is required in the context of this thesis. Instead of extending the basic formalism, there are also well-known restrictions such as the ones already seen (acyclic, free-choice) or state machines, where transitions are restricted to have at most one incoming and one outgoing edge, which essentially rules out concurrency. In the process model, we particularly consider a simplified form of so-called WorkFlow nets [vdA97, Aal98].²⁵ For this reason, we quote its definition here (notation and terminology slightly adapted).

Definition 4.9 (WorkFlow Net [Aal98, Definition 6]). A Petri net G = (P, T, F) is a WorkFlow net iff:

(1) G has two special places: pi and pf. Place pi is the initial place: •pi = ∅. Place pf is the final place: pf• = ∅.

(2) If we add a transition t∗ to G which connects place pf with pi (i.e., •t∗ = {pf} and t∗• = {pi}), then the resulting PN is strongly connected.

The transition t∗ can be seen as an ancillary tool used to short-circuit a PN.

We adopt another reasonable structural restriction from [Aal98] that ensures that a place with multiple output transitions (i.e., a split into multiple paths) is complemented by a place (rather than a transition) at which the previously spawned paths eventually join; analogously for transitions. In other words, this restriction precludes that two different paths spawned at a place join at a transition and vice versa. Short-circuiting a WorkFlow net G refers to the unary operation defined by Item (2) in Definition 4.9; its result is called the short-circuited net of G. Let Σ(W) be the alphabet of a path W; that is, the set of unique nodes that occur in W.

Definition 4.10 (Well-handled, well-structured [Aal98, Definition 9]). A PN is well-handled iff for any pair of nodes x and y such that one of the nodes is a place and the other a transition, and for any pair of elementary paths W1 and W2 leading from x to y, Σ(W1) ∩ Σ(W2) = {x, y} implies W1 = W2. A WorkFlow net G is well-structured iff its short-circuited net is well-handled.

²⁵ WorkFlow nets also have the concept of triggers (which are basically external conditions) and workflow attributes (which are modeled using Coloured Petri nets), both of which we do not use.

Well-structuredness is necessary for proper realization of conditional routing and synchronization for parallel routing, which will become clear later when the execution semantics is introduced. Free-choiceness, in turn, inhibits improper mixing of parallel and conditional routing since they cannot both occur at the same time. What is more, these two properties are orthogonal since a PN may have neither, either, or both. However, the property of being free-choice and cyclic implies well-structuredness (i.e., if a PN is not well-structured while cyclic then it is not free-choice).

Structure

The syntax of the control flow captures the static dimension of a process, its structure, and is represented by a control flow graph. The dynamic dimension of execution semantics over the control flow graph is introduced afterwards. In short, the control flow graph is a PN that satisfies the constraints of a free-choice and well-structured WorkFlow net. In addition, the control flow graph includes a mapping that assigns each transition to a single service or a single operation of which the service being described is composed. Given a service Sc, its control flow graph is defined as follows.

Definition 4.11 (Control Flow Graph). A control flow graph (or control flow for short) for a service Sc is an enhanced, marked PN Gcf = (P, T, F, M0, fu) where

• P, T, F are defined as for a WorkFlow net, and F additionally satisfies the properties of a free-choice and well-structured PN,

• M0 is the initial marking such that M0(pi) = 1 and M0(p) = 0 for every other place p ∈ P \ {pi}, and

• fu : T → Sc.U ∪ {NOP} is a surjective mapping that assigns each transition t ∈ T either to the no-op operation or to an operation/sub service of which Sc is composed.

A node x ∈ P ∪ T is an ordinary node (or ordinary place, ordinary transition) iff |•x| = |x•| = 1; it is a split node, denoted with xsplit, iff |•xsplit| = 1 and |xsplit•| > 1; it is a join node, denoted with xjoin, iff |•xjoin| > 1 and |xjoin•| = 1.

Finally, fu(t) ∈ Sc.U for an ordinary transition t, and fu(tsplit) = fu(tjoin) = NOP for split and join transitions.

The initial and final places pi, pf correspond to instantiation and completing termination of execution, thereby framing the lifecycle of a service instance. Moreover, all places and transitions are on a path between pi and pf, which is ensured by the constraint that all transitions and places except pi, pf have non-empty pre-sets and post-sets. In other words, there are neither dangling transitions nor dangling places, which would not contribute to the behavior of the process.

[Figure 4.5 (image not reproduced): places pi and pf; transitions t1 identify person, tfork, t2 query medical record, t3 select ambulance, t4 trigger ambulance, tjoin, and t5 transfer documents]

Figure 4.5: Unfolded control flow graph of the emergency assistance service (cf. Figure 2.2) with initial marking. The dashed rectangle frames the activate ambulance sub service.

It is easy to see that for a control flow graph Gcf, if Gcf contains ordinary transitions that map to a service, then one can always unfold Gcf in linear time into a control flow graph G'cf in which all ordinary transitions map to an operation and that preserves the overall structure. More precisely, let t be an ordinary transition in Gcf that is mapped to a service Sct, let i be the input place of t, o the output place of t, and Gtcf the control flow graph of Sct with initial and final places pti and ptf, respectively. In addition, we assume that the set of places (transitions) in Sc is disjoint from the set of places (transitions) in Sct. Then, unfolding t results in a control flow graph G'cf = (P', T', F', M'0, f'u)

where

\[
\begin{aligned}
P' &= P \cup P^t \setminus \{p^t_i, p^t_f\} \\
T' &= T \cup T^t \setminus \{t\} \\
F' &= F \cup F^t \cup \{(i, x), (y, o) \mid x \in p^t_i{\bullet},\ y \in {\bullet}p^t_f\} \setminus \{(i, t), (t, o), (p^t_i, x), (y, p^t_f) \mid x \in p^t_i{\bullet},\ y \in {\bullet}p^t_f\} \\
M'_0 &= M_0 \\
f'_u &: T' \to S_c.U \cup S^t_c.U \cup \{\mathrm{NOP}\}
\end{aligned} \qquad (4.15)
\]

such that f'u preserves the mappings of all ordinary transitions other than t; that is,

\[
f'_u(u) = \begin{cases} f_u(u) & \text{if } u \in T \\ f^t_u(u) & \text{if } u \in T^t \end{cases} \qquad (4.16)
\]

Unfolding is repeated iteratively until there are no more ordinary transitions that can be unfolded. The completely unfolded control flow graph is taken as the basis for execution because all of its ordinary transitions map to an operation invocation. Figure 4.5 provides an example of an unfolded control flow graph depicting the process of the emergency assistance service from Section 2.2.

It is also easy to see that the smallest valid control flow graph contains one transition, T = {t}, has the initial and final place only, and has F = {(pi, t), (t, pf)}; it resembles the process of an atomic service.

Finally, we define the notion of a sub control flow, or subflow for short, as follows.

Definition 4.12 (Sub Control Flow Graph). Let Gcf = (P, T, F, M0, fu) and G'cf = (P', T', F', M'0, f'u) be control flow graphs. We define the binary relation ⊴ on control flow graphs by setting G'cf ⊴ Gcf iff P' ⊆ P, T' ⊆ T, F' ⊆ F, f'u ⊆ fu, and the following holds:

∀t ∈ T: t ∈ T' implies •t ⊆ P' and t• ⊆ P'.

As an example, suppose Gcf is the control flow depicted in Figure 4.5. Then the dashed rectangle frames a subflow G'cf ⊴ Gcf consisting of t3, t4, the three adjacent places, and the connecting arcs. Conversely, the path that begins with the input place of t3 and ends in pf is not a subflow because not all places of tjoin are included.
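As an added illustration of the unfolding in (4.15)/(4.16) and of the subflow relation in Definition 4.12, the following Python code (not part of the thesis) applies both to a constructed version of the Figure 4.5 net; the place names p1 to p6 and q1 and the folded transition t_amb are assumptions, since the figure's exact wiring is not reproduced here.

```python
from dataclasses import dataclass

NOP = "NOP"

@dataclass
class ControlFlow:
    """G_cf = (P, T, F, M0, fu); fu maps a transition to an operation name, NOP,
    or the ControlFlow of a sub service (which is what unfolding replaces)."""
    P: set
    T: set
    F: set
    M0: dict
    fu: dict

    def pre(self, x): return {a for (a, b) in self.F if b == x}
    def post(self, x): return {b for (a, b) in self.F if a == x}
    def initial_place(self): return next(p for p in self.P if not self.pre(p))
    def final_place(self): return next(p for p in self.P if not self.post(p))

def unfold_once(g, t):
    """Eq. (4.15)/(4.16): replace ordinary transition t, mapped to the control flow
    of a sub service, by that net, merging its initial and final place into the
    input place i and output place o of t."""
    sub = g.fu[t]
    (i,), (o,) = g.pre(t), g.post(t)
    pti, ptf = sub.initial_place(), sub.final_place()
    assert not (g.P & sub.P) and not (g.T & sub.T), "node sets must be disjoint"
    glue = {(i, x) for x in sub.post(pti)} | {(y, o) for y in sub.pre(ptf)}
    drop = {(i, t), (t, o)} | {(pti, x) for x in sub.post(pti)} | {(y, ptf) for y in sub.pre(ptf)}
    fu = {u: op for u, op in g.fu.items() if u != t}
    fu.update(sub.fu)
    return ControlFlow((g.P | sub.P) - {pti, ptf}, (g.T | sub.T) - {t},
                       (g.F | sub.F | glue) - drop, dict(g.M0), fu)

def unfold(g):
    """Repeat unfolding until every ordinary transition maps to an operation."""
    while any(isinstance(op, ControlFlow) for op in g.fu.values()):
        g = unfold_once(g, next(u for u, op in g.fu.items() if isinstance(op, ControlFlow)))
    return g

def is_subflow(h, g):
    """Definition 4.12: h is a subflow of g, i.e. h is a sub-net of g whose
    transitions carry all of their pre- and post-set places along."""
    if not (h.P <= g.P and h.T <= g.T and h.F <= g.F):
        return False
    if any(g.fu[t] != h.fu[t] for t in h.T):
        return False
    return all(g.pre(t) <= h.P and g.post(t) <= h.P for t in h.T)

def chain(*nodes):
    """Arcs of a linear path: chain('a', 'b', 'c') -> {('a', 'b'), ('b', 'c')}."""
    return set(zip(nodes, nodes[1:]))

# Constructed reconstruction of Figure 4.5 (the exact wiring is an assumption).
ACTIVATE_AMBULANCE = ControlFlow(
    P={"pi_amb", "q1", "pf_amb"}, T={"t3", "t4"},
    F=chain("pi_amb", "t3", "q1", "t4", "pf_amb"),
    M0={"pi_amb": 1, "q1": 0, "pf_amb": 0},
    fu={"t3": "select ambulance", "t4": "trigger ambulance"})
EMERGENCY = ControlFlow(
    P={"pi", "p1", "p2", "p3", "p4", "p5", "p6", "pf"},
    T={"t1", "tfork", "t2", "t_amb", "tjoin", "t5"},
    F=chain("pi", "t1", "p1", "tfork", "p2", "t2", "p3", "tjoin", "p6", "t5", "pf")
      | chain("tfork", "p4", "t_amb", "p5", "tjoin"),
    M0={p: (1 if p == "pi" else 0) for p in ("pi", "p1", "p2", "p3", "p4", "p5", "p6", "pf")},
    fu={"t1": "identify person", "tfork": NOP, "t2": "query medical record",
        "t_amb": ACTIVATE_AMBULANCE, "tjoin": NOP, "t5": "transfer documents"})
UNFOLDED = unfold(EMERGENCY)   # t_amb replaced by t3, t4 and place q1
```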

Execution Semantics

The execution semantics of the control flow graph builds on the standard PN state-transition semantics.²⁶ Subsequently, we always consider unfolded control flow graphs. Intuitively, a transition corresponds to the invocation of the operation to which it is mapped. A transition is said to be enabled if and only if

1. there is a token in all its incoming places and

2. all preconditions of the associated operation are satisfied.

The first item should be clear: a marking M of a control flow is one part that determines whether a transition is enabled or not. The second item is actually relevant only for ordinary transitions because split and join transitions map to the no-op operation, which does not have preconditions per se. Since precondition checking is made against some KB K, and since K is updated in the course of execution by the effects of completed operation invocations, we combine M and K into what we call the execution state, which is denoted with s and defined as the pair

s = (M, K). (4.17)

The marking M represents the local control state and therefore scopes an execution state to a single service instance. As mentioned already, K might have a broader scope beyond a single service instance if the world state that it represents spans multiple independent and concurrent service executions (and possibly other actors that query and update it). We define the global state ŝ over all executions in the system as the pair

ŝ = (M̂, K) (4.18)

where M̂ is a finite set of markings. Notice that K is understood as the same in s and ŝ. Details regarding the advancement of execution states in the course of execution follow later, after the execution semantics has been defined and explained.

An enabled transition can fire. The firing rule defines when it does fire. In our setting, firing depends on whether the invocation/execution of the operation to which a transition is mapped by fu succeeds or fails. For now it is not important what exactly the discriminating criterion for success versus failure is. This will be detailed in Section 5.2.2. We denote the success and failure case with

exec(fu(t)) = succ and exec(fu(t)) = fail

for a transition t. Again, split transitions are special insofar as they always and instantly fire if they are enabled because exec(NOP) = succ per definition (i.e., the no-op operation never fails). The failure of an operation invocation/execution is the event that triggers a recovery procedure. Discussion of this topic is postponed to Chapter 5.

²⁶ PN state-transition semantics is sometimes referred to as a token game, which is a more vivid analogy for the flow of tokens through the net by moving tokens from places to other places.

Firing a transition removes a token from each of its input places and adds a token to each of its output places (i.e., the token flow), which is called the transition rule. Formally, the execution semantics of a control flow graph is defined as follows.

Definition 4.13 (Control Flow Graph Execution Semantics). Let Sc be a service and Gcf = (P, T, F, M0, fu) its unfolded control flow graph. Let PS = (LPS, fchk) be a precondition system used by Sc and P a finite set of PS-preconditions. We overload the precondition checking function fchk for a set of preconditions P as follows:

\[
f_{chk}(K, P) = \begin{cases} \text{true} & \text{if } P = \emptyset \\ \bigwedge_{\varphi \in P} f_{chk}(K, \varphi) & \text{if } |P| \geq 1 \end{cases} \qquad (4.19)
\]

An execution state for an instance Sc• is a pair s = (M, K) where M is a marking for Gcf and K is the corresponding knowledge base. A transition t ∈ T is enabled in s iff

(1) ∀p ∈ P: p ∈ •t implies M(p) ≥ 1 and

(2) fchk(K, P) = true

where P = fu(t).Pr.P (i.e., the set of preconditions in the profile Pr of the operation associated with t). Besides, we say that t is token-enabled in s if Item (1) is satisfied (thereby disregarding Item (2)).

A transition t ∈Tfires only if it is enabled and exec(f u(t)) =succ.

Given a marking M of Gcf and a transition t ∈ T, M' is the new marking resulting from firing t if the following holds:

\[
\forall p \in P:\ M'(p) = \begin{cases} M(p) - 1 & \text{if } p \in {\bullet}t \text{ and } p \notin t{\bullet}, \\ M(p) + 1 & \text{if } p \notin {\bullet}t \text{ and } p \in t{\bullet}, \\ M(p) & \text{otherwise.} \end{cases} \qquad (4.20)
\]

We write \(M \xrightarrow{t} M'\) to denote the transition from marking M to M' by firing t. We write \(M_1 \xrightarrow{e} M_n\) to denote a firing sequence \(e = \langle t_1, \ldots, t_n \rangle\) with \(M_i \xrightarrow{t_i} M_{i+1}\) for 1 ≤ i < n, leading from marking M1 to Mn. In this case we say that execution from M1 has reached Mn. Execution of the control flow graph completes only if, starting from the initial marking M0, execution has reached the final marking Mf such that Mf(pf) = 1 and Mf(p) = 0 for any other place p ∈ P \ {pf}.

Finally, we say that Mn is token-reachable from M1 if there is a firing sequence leading from M1 to Mn such that transitions are enabled and fire while disregarding precondition checking and execution of associated operations (i.e., a dry run); token-prefixed terms are understood analogously (e.g., token-firing sequence).
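The following Python code, added here and not part of the thesis, implements the enabling rule of Definition 4.13 with the overloaded fchk of (4.19), the firing rule (4.20), and a token-reachability dry run over a constructed copy of the unfolded Figure 4.5 net; the place names, the preconditions in PRE and the effects passed to run() are assumptions, and every invocation is assumed to succeed (exec = succ).

```python
NOP = "NOP"

# Constructed, unfolded net of Figure 4.5 (the exact wiring is assumed).
P = {"pi", "p1", "p2", "p3", "p4", "q1", "p5", "p6", "pf"}
T = {"t1", "tfork", "t2", "t3", "t4", "tjoin", "t5"}
F = {("pi", "t1"), ("t1", "p1"), ("p1", "tfork"), ("tfork", "p2"), ("p2", "t2"),
     ("t2", "p3"), ("p3", "tjoin"), ("tfork", "p4"), ("p4", "t3"), ("t3", "q1"),
     ("q1", "t4"), ("t4", "p5"), ("p5", "tjoin"), ("tjoin", "p6"), ("p6", "t5"),
     ("t5", "pf")}
M0 = {p: (1 if p == "pi" else 0) for p in P}           # initial marking
MF = {p: (1 if p == "pf" else 0) for p in P}           # final marking
FU = {"t1": "identify person", "tfork": NOP, "t2": "query medical record",
      "t3": "select ambulance", "t4": "trigger ambulance", "tjoin": NOP,
      "t5": "transfer documents"}
# Constructed preconditions per operation: facts that must be present in K.
PRE = {"query medical record": {"person identified"},
       "trigger ambulance": {"ambulance selected"}}

def pre(x):
    return {a for a, b in F if b == x}

def post(x):
    return {b for a, b in F if a == x}

def fchk(K, preconds):
    """Eq. (4.19): true for an empty set, else the conjunction over all preconditions."""
    return all(phi in K for phi in preconds)

def token_enabled(M, t):
    """Item (1) of Definition 4.13: a token in every input place of t."""
    return all(M[p] >= 1 for p in pre(t))

def enabled(s, t):
    """Items (1) and (2): token-enabled and the preconditions of fu(t) hold in K."""
    M, K = s
    return token_enabled(M, t) and fchk(K, PRE.get(FU[t], set()))

def fire(M, t):
    """Eq. (4.20): the marking M' that results from firing t."""
    return {p: M[p] - (p in pre(t) and p not in post(t))
               + (p in post(t) and p not in pre(t)) for p in P}

def token_reachable(start, goal):
    """Dry run: search markings while ignoring preconditions and operation outcomes."""
    seen, todo = {frozenset(start.items())}, [start]
    while todo:
        M = todo.pop()
        if M == goal:
            return True
        for t in T:
            if token_enabled(M, t):
                N = fire(M, t)
                if frozenset(N.items()) not in seen:
                    seen.add(frozenset(N.items()))
                    todo.append(N)
    return False

def run(K, effects):
    """Fire enabled transitions from M0 until none is enabled, assuming every
    invocation succeeds; effects[op] are the facts an operation adds to K.
    Returns (marking, K, token-enabled transitions whose preconditions failed)."""
    M, K = dict(M0), set(K)
    while True:
        cands = [t for t in sorted(T) if enabled((M, K), t)]
        if not cands:
            return M, K, sorted(t for t in T if token_enabled(M, t))
        M = fire(M, cands[0])
        K |= effects.get(FU[cands[0]], set())
```

The third value returned by run() lists transitions that are token-enabled but blocked on a precondition, i.e. the point at which execution would stall.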

In essence, a split place psplit models a choice between its output transitions psplit•. Each output transition t ∈ psplit• is an exclusive alternative, which is due to the fact that there can be at most one token in any place p ∈ P of a control flow graph. If t fires then it consumes the only token in psplit; hence, all other transitions psplit• \ {t} are no longer token-enabled. As a consequence, if there is more than one output transition for the initial place pi (i.e., |pi•| > 1) then the first transition t ∈ pi• that fires consumes the only token of the initial marking M0 in pi. In other words, in a control flow graph there is always exactly one output transition (which can be either an ordinary or a split transition) of the initial place pi that fires. This will become important later in Chapter 5 when discussing structural modifications of control flow graphs.

Note here that Definition 4.13 abstracts from the conditions determining one of the output transitions of a split place; hence, a nondeterministic choice is modeled. More precisely, not making conditions explicit in the process results in internal nondeterminism as opposed to external nondeterminism (see Footnote 3 on Page 44). Indeed, if we want to ensure that execution in a practical system is uniquely determined then we need to avoid internal nondeterminism; hence, all choices must be explicit rather than abstract. As the way such choices are represented is not relevant subsequently, we have moved the details to Appendix A.2. In short, one way of extending Definition 4.13 to represent deterministic processes, in which choices at split places are made based on service-specific conditions, is to (i) assign a condition to each edge and (ii) extend the transition-enabling rule such that at most one output transition of a split place is enabled. Summing up, if we speak of a deterministic process, we refer to the case of no internal nondeterminism (while there can be external nondeterminism).

A split transition tsplit spawns independent concurrent paths because all output places tsplit• receive a token if tsplit fires. Conversely, a join transition tjoin represents synchronization among concurrent paths because it becomes token-enabled only if all its input places •tjoin have a token. However, a join place pjoin represents no synchronization because it receives a token as soon as one of its input transitions •pjoin fires. All its output transitions pjoin• become token-enabled as soon as a token arrives in pjoin. This explains why the property of being well-structured is important for proper realization of synchronization. If two concurrent paths spawned by a split transition were joined by a join place then no synchronization takes place among the paths at the join place: control proceeds as soon as control reaches the place on either path. In turn, if a choice among alternative paths spawned at a split place were joined by a join transition then control gets stuck at the transition because it never becomes token-enabled (i.e., synchronization is modeled where nothing can be synchronized since concurrency does not exist).

It follows from the syntactic restrictions that the maximum degree of parallelism within a control flow, which we denote with Q, corresponds to the number of unique start-to-end paths:

Q = |{W | W = ⟨pi, ..., pf⟩ and W is elementary}| (4.21)

In summary, the structure defined for control flow graphs together with its execution semantics provides the possibility to represent processes that may include the most important control flow patterns, namely:

• Sequential. Subflows are executed one after the other (strict precedence order).

• Conditional. A choice is made for either of two or more subflows (xor).

• Parallel. Subflows are executed concurrently (partial precedence order).

• Iteration. Repeated execution of a subflow (do while).

It should be clear that these constructs might be nested (e.g., a sequence executed repeatedly).

In addition, the structural restrictions on control flow graphs ensure that they are sound. Soundness [vdA97] is a highly desired correctness property regarding the dynamic dimension of a process. More specifically, soundness of a WorkFlow net G is the property that its short-circuited net is live and bounded [vdA97, Theorem 11]. Liveness is essentially the absence of deadlocks, meaning that for any marking that has been token-reached from the initial marking M0 there is a token-firing sequence that can token-fire any transition of the net. Boundedness in the context of WorkFlow nets refers to proper termination, that is, starting from the initial marking M0 it is always possible to token-reach the final marking Mf. Soundness of control flow graphs follows from [vdA97, Corollary 19]. In short, this corollary states that there exist four soundness-preserving expansion rules:²⁷

• Sequential expansion: Replace a transition by two consecutive transitions.

• Conditional expansion: Replace a transition by two conditional transitions.

• Parallel expansion: Replace a transition by two parallel transitions.

• Iteration expansion: Replace a transition by an iteration of a transition.

Applying a sequence of these expansions, one can create any control flow graph starting
