- From: Tony Fletcher <tony.fletcher@choreology.com>
- Date: Mon, 8 Nov 2004 17:42:49 -0000
- To: "'Nickolas Kavantzas'" <nickolas.kavantzas@oracle.com>, <public-ws-chor@w3.org>
- Message-ID: <001001c4c5ba$5e358050$0201a8c0@corp.choreology.com>
Dear Nick and others,
This reply is made on behalf of myself, Bob and Peter and is a compilation
of our individual thoughts. We hope it is helpful, increases understanding
of our proposals and generally moves us forward. For convenience I have
embedded the answers below your questions below.
Best Regards Tony
A M Fletcher
Cohesions (TM)
Business transaction management software for application coordination
www.choreology.com <http://www.choreology.com/>
Choreology Ltd., 68 Lombard Street, London EC3V 9LJ UK
Tel: +44 (0) 1473 729537 Mobile: +44 (0) 7801 948219
tony.fletcher@choreology.com (Home: amfletcher@iee.org)
-----Original Message-----
From: public-ws-chor-request@w3.org [mailto:public-ws-chor-request@w3.org]
On Behalf Of Nickolas Kavantzas
Sent: 03 November 2004 22:20
To: Haugen Robert; public-ws-chor@w3.org
Subject: Questions on Choreology's Coordinated Choreographies Proposals 1,
3, 4
***Oracle's Questions on Choreology's Proposals 1, 3, 4***
Our questions below are based on the assumption that this is an all or
nothing grand proposal
even though we understand that the three proposals could be discussed
independently:
>>That is one view although actaully some of the proposals, or parts
thereof, could make sense on their own.
[Q1] What is the difference between this proposal and the previous
Choreology proposal
regarding coordination of transaction cancel and confirm?
>> With regard to Tony's original proposal the syntax is quite different
although the end effect is intended to be the same. With regard to the
proposals made at the New York F2F, just a filling out of the detailed spec
changes as Peter said on the teleconference held 2 Nov 04.
However, these questions are really for historians, we would urge getting to
grips with the current proposal and the proposed detailed changes to the
specification.
[Q2] What are the detailed requirements on the underlying coordination
protocol? For example,
where are the coordination points of the Choreography, i.e. end of main
block, beginning
and/or end of Exception block and/or Finalizer block?
>>The coordination promise (which we assume is what is meant) applies at the
very end - after finalization if there are finalizers, at the end of the
choreography, including exceptions if there are no finalizers. It's not
generally required that the end of the main block is a coordination point
when there are finalizers - or rather, there is no promised signal at that
point. In practice, when the whole transaction goes prepared, it will be
coordinated (in the provisional state) but the parties don't all know when
that is, and they may get to that state at different times, before getting
hit by a finalizer.
[Q3] What impact does the Choreography coordination attribute have on the
isolation
semantics? Does the isolation semantics end at the end of the main
Choreography block
and the end of the Exception block or at the end of the Finalizer block?
>>As detailed below on Q4, it's the same as happens now with existing
exceptions and finalizers. I suspect the answer is end of main. Possibly the
finalizer re-asserts it. It would normally continue to apply during the
exception handling.
[Q4] In proposal 1 we don't understand the following section.
1.4.3.1. Note: coordination does not guarantee that all roles
will experience the same exception or exception block. In fact, if an
interaction throws two roles into an exception state, which is caught by
a guarded exception block, any other roles will experience a different,
unguarded exception block catching the silent fault thrown by the
coordination mechanism.
Isn't a Choreography incorrect if there are situations where different
exceptions may
be thrown and propagated?
>>That section and other similar ones were based on our interpretation of
Nick's exception proposal, which appears to throw at-most two roles into an
exception state at once. If other roles are involved in the choreography,
how would they experience the same exception? That's not a rhetorical
question, we are trying to figure it out. Could the same
exceptionType-variable be assigned to the other roles? But if so, wouldn't
the choreography need to do that explicitly, and couldn't it be omitted, or
fault? In general, we smell something fishy about the assertions of an
exception aborting the choreography, but the exception only being
experienced by at most two roles.
If we misunderstood, and Nick intends that all roles experience the same
exception (somehow), then our specification task may be easier, but you
still need a coordination mechanism to make it so.
In n > 3 party, the initial detector of the problem might see one exception,
his immediate neighbour see the resulting fault message, and the other
party(s) see a general "something has gone wrong" exception - which would in
fact be transaction cancel.
[Q5] Proposal 3 states:
* Choreography Finalizer Block describes how to specify
additional interactions that should occur to modify the effect of an
earlier successfully completed Choreography, for example to confirm or
undo the effect
Should there be rules for from where "confirm" and "undo" Finalizer Blocks
may be
triggered, i.e. "undo" only from enclosed Choreography's Exception Block?
>>We don't distinguish an "undo" block. And even if we did, there are
business reasons for cancelling a transaction that have nothing to do with
exceptions. For example, in the TWIST case, the Buyer decides which
Seller's priceResponse to accept, and all transactions for other Sellers are
cancelled.
[Q6] Proposal 3 states:
In section 2.4.7 Choreography Life-line:
Insert after the paragraph starting with "A Choreography completes
successfully...":
After a Choreography completes successfully, any Finalizer blocks
specified in the Choreography are enabled. In other words, as long as
Finalizer blocks are enabled, the Choreography is still alive until one
of the enabled Finalizers is fired and completes its own Work Unit, at
which time the Choreography is closed.
What does 'AFTER the Choreography COMPLETES successfully
it is still ALIVE' means? Does it imply that the isolation semantics are
still in effect?
Could we get a definition for COMPLETES SUCCESSFULLY and ALIVE?
>>We didn't define COMPLETES SUCCESSFULLY, and wish it had a different name
and clearer semantics. ALIVE is true in the current CDL finalizer scheme as
well as our multiple finalizer proposal. When the choreography completes
successfully, whatever that means, the finalizer or finalizers are enabled.
The current Finalizer spec says "The actions within the Finalizer Work Unit
MAY use Variable information visible in the Visibility Horizon of the
Choreography it belongs to as they were at the time the Choreography
completed or as they stand at the current time." Don't know how the
finalizer will distinguish between "as-they-were" and "as-they-stand", but
clearly the variables in the scope of the choreography must be kept alive
until the finalizer(s) finish.
>From a business viewpoint, the situation is even trickier: outside
observers cannot tell when the values they saw at the choreography's
"successful completion" can be trusted, until a finalizer finishes, because
the finalizer may undo anything and everything. So, as in the examples Peter
gave, if a seller has an order, it is not safe to commit resources until a
finalizer finishes.
What happens if the Finalizers are never fired?
>>That's the same issue, now as well as with our proposal. Under the
current spec, the single Finalizer will only be fired if an exception occurs
in the enclosing choreography. In other words, it may never fire. The
same would be true of a single "undo" choreography under our proposal. If
you had "undo" and "close", if "close" fired, all roles could be sure that
"undo" would not fire.
If only one "undo" Finalizer, and it never fires, then an implicit "close"
will happen at the completion of the root choreography. And only then can
the seller in the previous example be sure it is safe to commit resources,
that is, the order will not be undone.
[Q7] Proposal 3 states:
Finalizers may implement whatever actions are appropriate for the
particular Choreography. Common patterns might include:
* A single Finalizer to semantically "undo" the Choreography,
typically called "compensation".
* Two Finalizers, e.g. name="confirm" and name="cancel", to
implement a two-phase outcome protocol.
* One "undo" Finalizer along with a "close" Finalizer to signal
that the "undo" Finalizer is no longer able to fire, that is, the
Choreography is now closed.
In the first case, does this mean that it is optional to fire the Finalizer
Block or
does it mean that the Choreography has to be "compensated"?
>>Not sure we fully understand the question but first case is the present
one isn't it ? There's an empty, implicit "close" finalizer, which fires at
the end of time (or, perhaps, the completion of the root choreography).
Maybe it would be clearer if we removed the clause ",typically called
"compensation".
[Q8] Proposal 4 states:
A Choreography SHOULD have at least one finalize element for each
finalizer in an immediate inner choreography that it encompasses.
Why is this not a MUST?
>>Because it seemed right to make a strong recommendation, but it is not a
necessity. Therefore it is not a 'must', in fact one could argue that the
language should be weakened rather than made stronger. If a finalizer
element does not a have a finalize that references it then it can never by
followed (activated) in the choreography, but this is no worse than have a
method / procedure in a programming language which is never called. It is
not actually a compile error though a compiler may issue a warning. I would
expect CDL tools / compilers to do the same - maybe issue a warning that
there is no corresponding finalize, but not to indicate a hard error. In
terms of use cases, I can envisage people developing extra finalizer
routines and trying them out and not want to delete an 'old' one until
testing completed successfully. More cogently perhaps the inner
choreography is designed and intended to be composable and different
enclosing (or using) choreographies could make use of alternate finalizers.
Many people minimizes how difficult it will be for normal people to develop
bulletproof choreographies, and in B2B cases, for trading partners to
negotiate, test and implement them. One way or another, better methods
than one-off bespoke development-from-scratch will be required. Patterns
will be part of those better methods, and so will adaptive evolution, and so
will the usual cut-and-paste.
We hope this is clear and makes sense now.
[Q9] Proposal 4 states:
A Choreography MAY have more than one finalize element for a named
finalizer in an immediate inner choreography that it encompasses, as
long as those finalize elements are contained in different Work Units
with different guards.
Is this not to strong a restriction? Shouldn't the semantics be that ONE and
ONLY ONE
finalizer block MUST be triggered ONCE and ONLY ONCE?
>>Yes, that is the semantics that we wanted to achieve and intended this
text and other text in proposal 4 to achieve that. Internally (Tony)
suggested having conditional statements (guards) on the finalize element so
you could think of what it was going to do and when it should do it
together, but that idea was vetoed in favour of using the existing guards
on the Work Unit element, hence this restriction, plus that on mutual
exclusivity of all the guards that apply to a particular inner choreography.
To summarise this : we wanted to specify the dynamic restrictions (which is
indeed only one finalizer fires, once), and were trying to state it via
static constraints. We are not sure one can, and it may be better to just
state the dynamic rule.
[Q10] Could you please describe, with examples, where the Finalize element
must
be defined in different situations, i.e in the enclosing Choreography's main
block,
Exception Block when present and Finalizer Blocks when present.
>> Our understanding is that the finalize element is an 'activity' and can
be used in an enclosing choreography wherever it would be valid to have
other activity elements. There is an example of the use of finalize in
proposal 4 (the examples in the other proposals are snippets of choreography
descriptions that concentrate on the enclosed choreography and the finalizer
elements and do not show the enclosing choreography and its finalize
elements). Yes to all three: main block,
Exception Block when present and Finalizer Blocks when present.
[Q11] What are the consequences with respect to the Finalize element when
the enclosing
Choreography lacks an Exception Block and/or Finalizer Blocks?
>>None, the finalize element(s) will just be part of the activities of that
choreography.
[Q12] What impact does the enclosing Choreography's Complete condition, if
present, have on
the rules for defining the Finalize element?
>>We think we need to discuss and understand how the complete condition
works first. One of the worrying things about the complete condition is
that it seems to be able to cut into the operation of a choreography at any
arbitrary point, so the first question is what effect does the complete
condition have on an interaction that is part way through. Current feeling
is that the complete condition becoming true should still allow the finalize
element(s) to operate before the choreography is fully completed and left
behind.
[Q13] It seems to us that there is an inconsistency between the way an
Exception Block is
defined today in CDL and how its Exception WorkUnits are considered for
matching a fault
and the way you propose the Finalizer block should be defined. As I said in
the NY F2F
wouldn't be better if the two mechanisms were made more similar?
>>The two situations are different. Exceptions are thrown and caught by
Exception Blocks, where an unguarded Exception Block can catch any loose
cannons. Finalize explicitly fires a particulare Finalizer block by name.
There is no default and there are no loose cannons.
Nick are you suggesting a single finalizer with a set of catchers in it,
and finalize passes in a value that is caught. That would seem to be a
distinction only in syntax.
Thanks in advance.
Received on Monday, 8 November 2004 17:44:10 UTC