Formal Methods in System Design, Volume 46, Issue 3, pp 197–225

Practical interruptible conversations: distributed dynamic verification with multiparty session types and Python

  • Romain Demangeon
  • Kohei Honda
  • Raymond Hu
  • Rumyana Neykova
  • Nobuko Yoshida


The rigorous and comprehensive verification of communication-based software is an important engineering challenge in distributed systems. Drawn from our industrial collaborations (Ocean Observatories Initiative, JBoss Savara Project) on Scribble, a choreography description language based on multiparty session types, and its theoretical foundations (Honda et al., in POPL, pp 273–284, 2008), this article proposes a dynamic verification framework for structured interruptible conversation programming. We first present our extension of Scribble to support the specification of asynchronously interruptible conversations. We then implement a concise API for conversation programming with interrupts in Python that enables session types properties to be dynamically verified for distributed processes. Finally, we expose the underlying theory of our interrupt mechanism, studying its syntax and semantics, its integration in MPST theory and proving the correctness of our design. Our framework ensures the global safety of a system in the presence of asynchronous interrupts through independent runtime monitoring of each endpoint, checking the conformance of the local execution trace to the specified protocol. The usability of our framework for describing and verifying choreographic communications has been tested by integration into the large scientific cyberinfrastructure developed by the Ocean Observatories Initiative. Asynchronous interrupts have proven expressive enough to represent and verify their main classes of communication patterns, including asynchronous streaming and various timeout-based protocols, without introducing any implicit synchronisations. Benchmarks show conversation programming and monitoring can be realised with little overhead.


Session types, Runtime monitoring, Python, Distributed systems



We thank Gary Brown, Matthew Arrot and the Scribble team for discussions and collaborations. This work has been partially sponsored by the Ocean Observatories Initiative, VMWare, Pivotal, Cognizant, EPSRC EP/K034413/1, EP/K011715/1, EP/L00058X/1, EP/G015635/1 and EP/G015481/1, EU project FP7-612985 UpScale and ICT COST Action IC1201 BETTY.


  1. Allan C, Avgustinov P, Christensen AS, Hendren L, Kuzins S, Lhoták O, de Moor O, Sereni D, Sittampalam G, Tibble J (2005) Adding trace matching with free variables to aspectj. SIGPLAN Not 40(10):345–364
  2. Advanced Message Queuing protocols (AMQP) homepage.
  3. Ancona D, Drossopoulou S, Mascardi V (2012) Automatic generation of self-monitoring mass from multiparty global session types in Jason. In: DALT. Springer, Berlin
  4. Avgustinov P, Tibble J, de Moor O (2007) Making trace monitors feasible. SIGPLAN Not 42(10):589–608
  5. Baresi L, Ghezzi C, Guinea S (2004) Smart monitors for composed services. In: ICSOC. ACM, New York, pp 193–202
  6. Bettini L, et al. (2008) Global progress in dynamically interleaved multiparty sessions. In: CONCUR. LNCS, vol 5201. Springer, Berlin, pp 418–433
  7. Bocchi L, Chen T-C, Demangeon R, Honda K, Yoshida N (2013) Monitoring networks through multiparty session types. In: FMOODS. LNCS, vol 7892. Springer, Berlin, pp 50–65
  8. Bocchi L, Laneve C, Zavattaro G (2003) A calculus for long-running transactions. In: FMOODS. LNCS, vol 2884. Springer, Berlin, pp 124–138
  9. Boreale M, Bruni R, Nicola R, Loreti M (2008) Sessions and pipelines for structured service programming. In: Barthe G, Boer F (eds) FMOODS. LNCS, vol 5051. Springer, Berlin, pp 19–38
  10. Cambronero M-E et al (2011) Validation and verification of web services choreographies by using timed automata. J Log Algebraic Program 80(1):25–49
  11. Capecchi S, Giachino E, Yoshida N (2010) Global escape in multiparty session. In: FSTTCS. LNCS, vol 8, pp 338–351
  12. Carbone M (2009) Session-based choreography with exceptions. Electron Notes Theor Comput Sci 241:35–55
  13. Carbone M, Honda K, Yoshida N (2008) Structured interactional exceptions in session types. In: CONCUR. LNCS, vol 5201. Springer, Berlin, pp 402–417
  15. Chen T-C (2013) Theories for session-based governance for large-scale distributed systems. PhD thesis, Queen Mary, University of London, London
  16. Deniélou P-M, Yoshida N (2012) Multiparty session types meet communicating automata. In: ESOP. LNCS. Springer, Berlin, pp 194–213
  17. Gan Y, Chechik M, Nejati S, Bennett J, O’Farrell B, Waterhouse J (2007) Runtime monitoring of web service conversations. In: CASCON. ACM, New York, pp 42–57
  18. Ghezzi C, Guinea S (2007) Run-time monitoring in service-oriented architectures. In: Test and analysis of web services. Springer, Berlin, pp 237–264
  19. Hallé S, Bultan T, Hughes G, Alkhalaf M, Villemaire R (2010) Runtime verification of web service interface contracts. Computer 43(3):59–66
  20. Honda K, Yoshida N, Carbone M (2008) Multiparty Asynchronous Session Types. In: POPL. ACM, New York, pp 273–284
  21. Hu R, Kouzapas D, Pernet O, Yoshida N, Honda K (2010) Type-safe eventful sessions in Java. In: ECOOP’10. LNCS, vol 6183. Springer-Verlag, New York, pp 329–353
  22. Hu R, Neykova R, Yoshida N, Demangeon R, Honda K (2013) Practical interruptible conversations—distributed dynamic verification with session types and python. In: RV. LNCS, vol 8174. Springer, Berlin, pp 130–148
  23. Jakšić S, Padovani L (2012) Exception handling for copyless messaging. In: PPDP. ACM, New York, pp 151–162
  26. Krüger IH, Meisinger M, Menarini M (2007) Runtime verification of interactions: from mscs to aspects. In: RV, RV. Springer-Verlag, Berlin, pp 63–74
  27. Krüger IH, Meisinger M, Menarini M (2010) Interaction-based runtime verification for systems of systems integration. J Log Comput 20(3):725–742
  28. Lapadula A, Pugliese R, Tiezzi F (2007) A calculus for orchestration of web services. In: ESOP. LNCS, vol 4421. Springer, Berlin, pp 33–47
  30. Li Z, Han J, Jin Y (2005) Pattern-based specification and validation of web services interaction properties. In: ICSOC’05, pp 73–86
  31. Li Z, Jin Y, Han J (2006) A runtime monitoring and validation framework for web service interactions. In: ASWEC, IEEE
  32. Minsky NH, Ungureanu V (2000) Law-governed interaction: a coordination and control mechanism for heterogeneous distributed systems. TOSEM 9:273–305
  33. Ng N, Yoshida N, Honda K (2012) Multiparty session c: Safe parallel programming with message optimisation. In: TOOLS. LNCS, vol 7304. Springer, Berlin, pp 202–218
  34. Ocean Observatories Initiative.
  38. Rubira CMF, Wu Z (1995) Fault tolerance in concurrent object-oriented software through coordinated error recovery. In: IEEE Computer Society, FTCS ’95, Washington, DC, pp 499–509
  39. Salaün G (2010) Analysis and verification of service interaction protocols - a brief survey. In: TAV-WEB. EPTCS, vol 35, pp 75–86
  40. JBoss Savara Project.
  41. Scribble Project homepage.
  42. Full version of this paper.
  43. Tartanoglu F, Issarny V, Romanovsky A, Levy N (2003) Coordinated forward error recovery for composite web services. In: IEEE symposium on reliable distributed systems, pp 167–176
  44. Vieira HT, Caires L, Seco JC (2008) The conversation calculus: a model of service-oriented computation. In: ESOP. LNCS, vol 4960. Springer, Berlin, pp 269–283
  45. Xu J, Romanovsky A, Randell B (1998) Coordinated exception handling in distributed object systems: From model to system implementation. In: ICDCS, IEEE Computer Society, Washington, DC, pp 12–21
  46. Zhang W, Serban C, Minsky N (2007) Establishing global properties of multi-agent systems via local laws. In: E4MAS, pp 170–183

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  • Romain Demangeon (1)
  • Kohei Honda (2)
  • Raymond Hu (3)
  • Rumyana Neykova (3)
  • Nobuko Yoshida (3)

  1. Sorbonne Universités, UPMC, Paris, France
  2. Queen Mary, University of London, London, UK
  3. Imperial College London, London, UK
