
2011 International Conference on Computational and Information Sciences

Generic Web Services Composition Verification Based on Batch Proof Method

Jie Zhai
Department of Computer Science and Engineering, ECUST, Shanghai, China
zhbzj@ecust.edu.cn

ZhiQing Shao
Department of Computer Science and Engineering, ECUST, Shanghai, China
zshao@ecust.edu.cn

Abstract—Present verification techniques verify the property of a composition specification in only one situation at a time, which wastes substantial effort. We propose the batch proof method for verifying the property of a generic services composition specification in all situations simultaneously. The main advantage of this method is improved proof efficiency. The generic composition specification, once verified at an abstract level, can be used in a variety of instances without repeating the proof.

Keywords- Generic form; Services component; Batch proof method

I. INTRODUCTION

With the development of SOA[1], web services composition provides the flexibility and scalability needed to meet complex requirements. The technique based on concepts, also known as the generic technique[2], can capture the general properties of ordinary services compositions in a generic form. Proof can be done at an abstract level, and the results can be used in a variety of instances without repeated verification. Its main goal is to improve the reusability of specifications and reduce the need for proof.

Verification techniques aim at ensuring the reliability of services composition throughout the life cycle. There are verification techniques based on TLA (Temporal Logic of Actions)[3], Petri-net[4], OWL-ES[5], Pi-Calculus[6], BPM (Business Process Management)[7], CPN[8] and so on. Unfortunately, these techniques do not consider verifying the generic form of services composition. What is more, these approaches verify the property of a composition specification in only one situation at a time.

Therefore, we focus on verification techniques through which important or expected properties of generic services composition can be proved in all situations at the same time. We propose the batch proof method for validating the property of a generic composition specification in all situations simultaneously, which saves considerable time and resources.

In this paper, the formal specification of generic services composition is defined in the Tecton[9] language, expressed using “concept descriptions”. We then verify the completeness of the specification, mainly using the batch proof method.

A. Motivating Example

The process of order management (see fig.1) includes three important steps:

(1) A customer sends an order to the supplier and normally receives the confirmation or reject receipt according to different conditions (see table I). If the order details aren’t complete, the customer must send the order again. If the customer cancels the order for some reason, the supplier must have a compensation handle.

TABLE I. CONDITIONS AND RECEIPTS

| label | condition | receipt |
|---|---|---|
| c1 | (client-id has existed) and (client-credit is ok) | confirmation |
| c2 | (client-id has existed) and (client-credit isn’t ok) | reject |
| c3 | (client-id hasn’t existed) and (creditworthiness is ok) | confirmation |
| c4 | (client-id hasn’t existed) and (creditworthiness isn’t ok) | reject |

Fig.1 the process of order-management

(2) The supplier checks the store according to the quantity of products and applies to the logistics provider to dispatch the goods. The logistics provider sends the dispatching details to the supplier and the customer.

(3) The customer gets the invoice from the supplier, accepts the goods from the logistics provider and pays for the goods.

978-0-7695-4501-1/11 $26.00 © 2011 IEEE
DOI 10.1109/ICCIS.2011.157
B. Overview

The paper is organized as follows. In Section 2, we illustrate the specification of generic composition. In Section 3, we present the description of the batch proof method. Finally, conclusions and future research are given in Section 4.

II. SPECIFICATION OF GENERIC SERVICES COMPOSITION IN TECTON

The specification of generic composition is created in Tecton. Tecton[9] is a language for describing and using abstract concepts to foster structured development, using abstraction and specialization as the key structuring mechanisms.

We describe the model (see fig.2) of the generic services composition specification. Data flow is transferred between web services by variables. Control flow defines selective state transitions through the control process. Once an exception happens, the fault handle or compensation handle starts up. The Status function is made up of name, role, input, output and serv-seq. A concept instance can reuse the generic composition specification. We now give the specification (see definition 1) of the order management (see fig.1) composition.

Fig.2 model of generic composition specification

Definition 1: Order Management
Uses string, order, request-var, response-var, boolean, order-sequences……;
Introduces
    Status(name(string), role(string), input(request-var), output(response-var), serv-seq(order-sequences, order-sequences)) → boolean;
Requires(for x: order; s1:order-sequences;……)
(1) Status(name(SendOrder), role(Customer), input(Requirement), output(OrderDetail), serv-seq(x-|s1,null)) =
    Status(name(ReceiveOrder), role(Supplier), input(OrderDetail), output(OrderIfComplete), serv-seq(x-|s1,null))
(2) Status(name(ReceiveOrder), role(Supplier), input(OrderDetail), output(OrderIfComplete), serv-seq(x-|s1,null)) =
    While order isn’t complete
        Status(name(FaultHandler), role(Supplier), input(NotCompleteDetail), output(OrderNotComplete), serv-seq(x-s1,null)) =
        Status(name(SendOrder), role(Customer), input(Requirement), output(OrderDetail), serv-seq(x-|s1,null)) =
        Status(name(ReceiveOrder), role(Supplier), input(OrderDetail), output(OrderIfComplete), serv-seq(x-|s1,null))
    otherwise
        Status(name(ReceiveOrder), role(Supplier), input(OrderDetail), output(OrderComplete), serv-seq(x-|s1,null))
(3) Status(name(ReceiveOrder), role(Supplier), input(OrderDetail), output(OrderComplete), serv-seq(x-|s1,null)) =
    if client-id hasn’t existed then
        Status(name(CheckCreditworthiness), role(Supplier), input(ClientDetail), output(Creditworthiness), serv-seq(x-|s1,null))
    else
        if Client-credit is ok then
            Status(name(OrderConfirm),role(Supplier),input(CreditIsOk), output(Confirm), serv-seq(x-|s1,null))
        else
            Status(name(OrderReject),role(Supplier),input(CreditNotOk), output(Reject), serv-seq(x-|s1,null))
(4) Status(name(CheckCreditworthiness),role(Supplier), input(ClientDetail),output(Creditworthiness),serv-seq(x-|s1,null)) =
    if Creditworthiness is ok then
        Status(name(OrderConfirm), role(Supplier), input(CreditIsOk), output(Confirm), serv-seq(x-|s1,null))
    else
        Status(name(OrderReject), role(Supplier), input(CreditNotOk), output(Reject), serv-seq(x-|s1,null))
(5) Status(name(OrderReject), role(Supplier), input(CreditNotOk), output(Reject), serv-seq(x-|s1,null)) =
    Status(name(SendOrderReject), role(Supplier), input(Reject), output(RejectNotice), serv-seq(s1,null))
(6) Status(name(OrderConfirm), role(Supplier), input(CreditIsOk), output(Confirm), serv-seq(x-|s1,null)) =
    Flow split
        Status(name(SendOrderConfirm), role(Supplier), input(Confirm), output(ConfirmNotice), serv-seq(x-|s1,null))
    And
        Status(name(CheckStock), role(Supplier), input(ProductNum), output(ProductNum), serv-seq(x-|s1,null))
(7) Status(name(CheckStock), role(Supplier), input(ProductNum), output(ProductNum), serv-seq(x-|s1,null)) =
    Status(name(ApplyDelivery), role(supplier), input(ProductNum), output(Reserves),serv-seq(x-|s1,null))
(8) Status(name(ApplyDelivery), role(Supplier), input(ProductNum), output(Reserves), serv-seq(x-|s1,null)) =
    Status(name(ConfirmDispatch), role(LogisticsProvider), input(Reserves), output(DispatchGoodsDetail), serv-seq(x-|s1,null))
(9) Status(name(ConfirmDispatch),role(LogisticsProvider), input(Reserves),output(DispatchGoodsDetail),serv-seq(x-|s1,null)) =
    Flow split
        Status(name(SendAccountant), role(Supplier), input(DispatchGoodsDetail), output(Invoice), serv-seq(x-|s1, null))
    And
        Status(name(DispatchGoods), role(LogisticsProvider), input(DispatchGoodsDetail), output(DispatchGoodsDetail), serv-seq(x-|s1,null))
(10) Status(name(SendAccountant), role(Supplier), input(DispatchGoodsDetail),output(Invoice),serv-seq(x-|s1,null)) =
    Status(name(ReceiveAccountant), role(Customer), input(Invoice), output(Invoice), serv-seq(x-|s1,null))
(11) Status(name(DispatchGoods), role(LogisticsProvider), input(DispatchGoodsDetail), output(DispatchGoodsDetail), serv-seq(x-|s1,null)) =
    Status(name(ReceiveGoods), role(Customer), input(DispatchGoodsDetail), output(GoodsDetail), serv-seq(x-|s1,null))
(12) Flow join
        Status(name(ReceiveAccountant), role(Customer), input(Invoice), output(Invoice), serv-seq(x-|s1,null))
    And
        Status(name(ReceiveGoods), role(Customer), input(DispatchGoodsDetail), output(GoodsDetail), serv-seq(x-|s1,null))
    = Status(name(Payment), role(Customer), input(Invoice,GoodsDetail), output(PayDetail), serv-seq(s1, singleton(x)))
(13) Status(name(Payment),role(Customer),input(Invoice,GoodsDetail), output(PayDetail), serv-seq(s1, singleton(x))) =
    Status(name(SendOrder), role(Customer), input(Requirement), output(OrderDetail), serv-seq(s1, singleton(x)))
(14) Status(name(SendOrder), role(Customer), input(Requirement), output(OrderDetail), serv-seq(x-|s1,null)) =

    On-message CancelOrderMessage
    Status(name(CancelOrder), role(Customer), input(OrderDetail), output(CancelDetail), serv-seq(s1,null))
(15) Status(name(CancelOrder), role(Customer), input(OrderDetail), output(CancelDetail),serv-seq(s1,null)) =
    Status(name(Compensation), role(Supplier), input(OrderDetail), output(CompensationDetail), serv-seq(s1,null))
(16) Status(name(Compensation), role(Supplier), input(OrderDetail), output(CompensationDetail), serv-seq(s1,null)) =
    Status(name(SendOrder), role(Customer), input(Requirement), output(OrderDetail), serv-seq(s1,null))
(17) Status(name(SendOrderReject), role(Supplier), input(Reject), output(RejectNotice), serv-seq(s1,null)) =
    Status(name(SendOrder), role(Customer), input(Requirement), output(OrderDetail), serv-seq(s1,null))

III. BATCH PROOF METHOD

We want to prove the general property of the generic services composition specification. The general property is:

    Status(name(sx), role(rx), input(inx), output(outx), serv-seq(x-|s, null)) = True

This property means appliers can invoke the generic composition in sequence successfully.

We prove it by structural induction [10]. We need to prove:

(1) basis case:
    Status(name(sx), role(rx), input(inx), output(outx), serv-seq(null, null)) = True
(2) inductive case:
    Status(name(sx), role(rx), input(inx), output(outx), serv-seq(s, null)) = True ⇒
    Status(name(sx), role(rx), input(inx), output(outx), serv-seq(x-|s, null)) = True

When we prove the inductive case considering all situations, the batch proof method is a good choice. We propose the batch proof method for verifying the property of a generic services composition specification in all situations simultaneously. By this method we can reduce the need for proof. The details of this method are as follows.

Batch proof method
sta: the set of all states of status function [sta0,sta1,…,stam];
sta_end: the set of terminating states of status function [sta_end1,sta_end2, …], a subset of sta;
p_sta: the set of all properties of status function [sta1=sta2, sta2=sta3,…];
p_num: the label of every property of status function;
sit: the set of all situations which the web services composition may experience [sit1,sit2,…,sitn];
sit_path1,sit_path2,…,sit_pathn: the proof path in the respective situation;
input: sta, sta_end, p_sta, p_num, sit;
output: sit_path1, sit_path2,…, sit_pathn and whether the specification is complete;
step:
    sta0 is the initial state;
    stax1=stax2=…=staxn=sta0
    sit_path1=sit_path2=…=sit_pathn=null
    while sit<>NULL do
    { in the situation sit1;
        if (sit1∈sit) then
        { if exists( ((stax1=stay1)∈p_sta) and
                     get p_numx1: the label of (stax1=stay1))
          then
          { sit_path1=sit_path1∪[p_numx1];
            if stay1∈sta_end then
            { sit=sit-[sit1];
              output sit_path1; }
            else
              stax1=stay1;
          }
          else
          { sit_path1=[failure]
            sit=sit-[sit1];
            output sit_path1;
          }
        }
      ……
      in the situation sitn;
      ……
    }
    If (sit_path1=[failure]) or…or (sit_pathn=[failure]) then
        output “This specification isn’t complete!”
    else
        output “This specification is complete!”.
    /* Batch Proof Method finishes*/

Theorem 1. Batch Proof Method is correct if it can ensure termination and integrality.

Proof. First we need to prove that Batch Proof Method possesses termination. In any situation, if stayx∈sta_end, the running path will end in a terminating state; otherwise the path will be in a failure state. So every path will terminate successfully. Therefore, the conclusion holds.

Then we need to prove that Batch Proof Method ensures integrality. This method takes into account all the situations the composition may experience. If all running paths succeed, it means the inductive case has been proved and the specification is complete. Once some paths fail, the specification isn’t complete. Therefore, the conclusion holds.

So Batch Proof Method is correct. This completes the proof.

For example, we want to prove the property of the order management composition specification (see definition 1). We need to prove:

In any situation of order management composition (see table II)
    Status(name(SendOrder), role(customer), input(Requirement), output(OrderDetail), serv-seq(s1, null)) = True

Proof. By structural induction we can prove:

(1) basis case:
In any situation of order management composition
    Status(name(SendOrder), role(customer), input(Requirement), output(OrderDetail), serv-seq(null, null)) = True

Because no applier invokes the composition, the equation is validated.

(2) inductive case:
In any situation of order management composition
    Status(name(SendOrder), role(customer), input(Requirement), output(OrderDetail), serv-seq(s1, null)) = True ⇒
    Status(name(SendOrder), role(customer), input(Requirement), output(OrderDetail), serv-seq(x-|s1, null)) = True

We prove the inductive case by the batch proof method. All running paths (see table IV) of this specification succeed in various terminating states (see table III).

This completes the proof.

TABLE II. ALL SITUATION OF THIS COMPOSITION

| condition | Sit1 | Sit2 | Sit3 | Sit4 | Sit5 | Sit6 |
|---|---|---|---|---|---|---|
| order is complete | yes | yes | yes | yes | no | |
| client-id has existed | yes | yes | no | no | | |
| client-credit is ok | yes | no | | | | |
| creditworthiness is ok | | | yes | no | | |
| on-message cancelOrderMessage | no | no | no | no | | yes |

TABLE III. TERMINATING STATES OF THIS COMPOSITION

| label | terminating state |
|---|---|
| sta_end1 | Status(name(SendOrder),role(customer),input(Requirement), output(OrderDetail),serv-seq(s1, singleton(x))) |
| sta_end2 | Status(name(ReceiveOrder),role(supplier),input(OrderDetail), output(OrderComplete),serv-seq(x-|s1,null)) |
| sta_end3 | Status(name(SendOrder),role(customer),input(Requirement), output(OrderDetail),serv-seq(s1,null)) |

TABLE IV. ALL PATHS OF THE COMPOSITION

| situation | sit-path | sta-end |
|---|---|---|
| Sit1 | 1,3,6,7,8,9,10,11,12,13 | sta_end1 |
| Sit2 | 1,3,5,17 | sta_end3 |
| Sit3 | 1,3,4,6,7,8,9,10,11,12,13 | sta_end1 |
| Sit4 | 1,3,4,5,17 | sta_end3 |
| Sit5 | 1,2 | sta_end2 |
| Sit6 | 14,15,16 | sta_end3 |

So we conclude that the specification of order management composition is complete.

The generic composition specification verified at an abstract level can be used in a variety of instances without repeating the proof. Suppose a book store wants to reuse the specification of generic order management composition according to its characteristics. We can introduce a new concept name for the book store as a concept instance by using a Tecton abbreviation[9] sentence (see Abbreviation 1).

Abbreviation 1: Book Order Management is
    Order Management [with Book Order as Order, Book Order Sequences as Order Sequences,…].

IV. CONCLUSION AND FUTURE RESEARCH

With respect to generic services composition, we have presented the batch proof method for verifying the property of the specification in all situations at the same time. This method is an effective way of avoiding repeating the proof time and again for the various situations, so it can improve the efficiency of proof. By means of the order management example, this paper shows how to describe a generic composition specification in Tecton. The verification of the specification is then carried out by induction at an abstract level, using the batch proof method. Finally, we also explain how the generic specification can be used in a variety of instances by concept instances.

In our future work, we are working on improving the Violet[11] system to prove properties of generic composition specifications by the batch proof method automatically, for the purpose of building libraries of verified generic composition specifications.

ACKNOWLEDGMENT

This work was supported by the National Natural Science Foundation of China under Grant No. 61003126 and the Shanghai Natural Science Foundation of China under Grant No. 09ZR1408400.

REFERENCES

[1] N. Bieberstein et al., “Impact of Service-Oriented Architecture on Enterprise Systems, Organizational Structures, and Individuals,” IBM Systems Journal, vol. 44, no. 4, 2005, pp. 691-708.
[2] D. R. Musser, Z. Shao, “Concept use or Concept refinement: an important distinction in building Generic Specifications,” Proc. 4th International Conference on Formal Engineering Methods, LNCS 2495, Springer-Verlag, 2002, pp. 132-143.
[3] Hongbing Wang, Chen Wang, Yan Liu, “A Logic-based Approach to Web Services Composition and Verification,” World Conference on Services-II, 2009, pp. 103-110.
[4] JianTao Zhou, MeiLin Shi, XinMing Ye, “A Method for Semantic Verification of Workflow Processes Based on Petri Net Reduction Techniques,” Journal of Software, vol. 16, no. 7, 2005, pp. 1242-1251.
[5] Chao Ma, Yanxiang He, “An Approach for Visualization and Formalization of Web Service Composition,” International Conference on Web Information Systems and Mining, 2009, pp. 342-346.
[6] Yong-Lian Wang, Xue-Li Yu, “Formalization and Verification of Automatic Composition Based on Pi-Calculus for Semantic Web Service,” Second International Symposium on Knowledge Acquisition and Modeling, 2009, pp. 103-106.
[7] Walid Gaaloul, Sami Bhiri, and Mohsen Rouached, “Event-Based Design and Runtime Verification of Composite Service Transactional Behavior,” IEEE Transactions on Services Computing, vol. 3, no. 1, 2010, pp. 32-45.
[8] John C. Sloan, Taghi M. Khoshgoftaar, “From Web Service Artifact to a Readable and Verifiable Model,” IEEE Transactions on Services Computing, vol. 2, no. 4, 2009, pp. 277-288.
[9] David R. Musser, Zhiqing Shao, “The Tecton Concept Description Language (Revised Version),” http://www.cs.rpi.edu/~zshao/, 2003.
[10] R. Burstall, “Proving properties of programs by structural induction,” Computer Journal, vol. 12, no. 1, 1969, pp. 41-48.
[11] Jie Zhai, ZhiQing Shao, “The Proof System based on Tecton——Violet,” Journal of ECUST, vol. 31, no. 2, 2005, pp. 198-202.
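The batch proof method of Section III, as an added Python example (not the authors' code and not part of the Violet system), run over a constructed fragment of Definition 1: properties 1, 3, 4, 5 and 17, with the situations Sit1 to Sit4 as read from Tables I and II. The state names are shorthand chosen here, OrderConfirm is treated as terminating only because properties 6 to 13 are left out, and the ambiguity and cycle checks are additions beyond the paper's pseudocode.

```python
FAILURE = "failure"

# p_sta as (label, source state, guard over the situation, target state).
# State names are shorthand chosen here for the paper's Status(...) terms.
P_STA = [
    (1, "SendOrder[x-|s1]", lambda c: True, "ReceiveOrder"),
    (3, "ReceiveOrder", lambda c: not c["client_id_exists"], "CheckCreditworthiness"),
    (3, "ReceiveOrder", lambda c: c["client_id_exists"] and c["client_credit_ok"], "OrderConfirm"),
    (3, "ReceiveOrder", lambda c: c["client_id_exists"] and not c["client_credit_ok"], "OrderReject"),
    (4, "CheckCreditworthiness", lambda c: c["creditworthiness_ok"], "OrderConfirm"),
    (4, "CheckCreditworthiness", lambda c: not c["creditworthiness_ok"], "OrderReject"),
    (5, "OrderReject", lambda c: True, "SendOrderReject"),
    (17, "SendOrderReject", lambda c: True, "SendOrder[s1]"),
]
STA0 = "SendOrder[x-|s1]"
STA_END = {"OrderConfirm", "SendOrder[s1]"}  # OrderConfirm: assumption of this fragment

# Situations Sit1..Sit4 (order complete, no cancel message), constructed from Tables I and II.
SIT = {
    "Sit1": {"client_id_exists": True, "client_credit_ok": True},
    "Sit2": {"client_id_exists": True, "client_credit_ok": False},
    "Sit3": {"client_id_exists": False, "creditworthiness_ok": True},
    "Sit4": {"client_id_exists": False, "creditworthiness_ok": False},
}

def walk(conds, p_sta=P_STA, sta0=STA0, sta_end=STA_END):
    """Return (sit_path, last state); sit_path is [FAILURE] when no terminating state is reached."""
    state, path, seen = sta0, [], {sta0}
    while state not in sta_end:
        nxt = [(lab, dst) for lab, src, guard, dst in p_sta if src == state and guard(conds)]
        if len(nxt) != 1 or nxt[0][1] in seen:  # no property, ambiguous property, or a cycle
            return [FAILURE], state
        lab, state = nxt[0]
        path.append(lab)
        seen.add(state)
    return path, state

def batch_proof(sit=SIT, p_sta=P_STA):
    """Walk every situation in one pass; the specification is complete iff no path failed."""
    paths = {name: walk(conds, p_sta)[0] for name, conds in sit.items()}
    return paths, all(p != [FAILURE] for p in paths.values())

if __name__ == "__main__":
    print(batch_proof())
    # Dropping property 17 leaves SendOrderReject without a successor.
    print(batch_proof(p_sta=[p for p in P_STA if p[0] != 17]))
```

Sit2 and Sit4 yield the same label sequences as Table IV, while Sit1 and Sit3 stop at OrderConfirm, where the omitted properties 6 to 13 would continue. Removing property 17 turns the Sit2 and Sit4 paths into [failure] and the verdict into "not complete".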
