A Logic for Choreographies
We explore logical reasoning for the global calculus, a coordination model based on the notion of choreography, with the aim of providing a methodology for the specification and verification of structured communications. Starting with an extension of Hennessy-Milner logic, we present the global logic (GL), a modal logic describing possible interactions among participants in a choreography. We illustrate its use by giving examples of properties on service specifications. Finally, we show that, although GL is undecidable, there is a significant decidable fragment for which we provide a sound and complete proof system for checking validity of formulae.
💡 Research Summary
The paper introduces a modal logic, called Global Logic (GL), specifically designed for reasoning about the Global Calculus (GC), a formal model of service choreographies. Choreographies describe the overall flow of interactions among participants, abstracting away from the local behavior of each endpoint. While this high‑level view simplifies design, it also makes verification of correctness properties challenging. To address this, the authors extend Hennessy‑Milner logic with first‑order quantification and three action modalities that correspond to the labels of the GC labelled transition system: session initiation (init), in‑session communication (com), and branch selection (sel).
The paper first revisits the syntax and operational semantics of GC. Terms include inaction, session initiation, message exchange, labelled choice, parallel composition, conditional, and recursion. A labelled transition system (LTS) defines how a configuration (state, choreography) evolves via the three basic actions. Notably, parallel composition in GC is “global”: two parallel sub‑choreographies never interact directly, which justifies the use of a spatial operator (|) in the logic to denote non‑interfering composition.
GL’s syntax (Table 2) comprises standard first‑order connectives (∧, ¬, ∃), an equality predicate on expressions, a termination constant (end), a “may” modality (♦) borrowed from linear temporal logic, and the spatial parallel operator. The central construct is the action modality ⟨ℓ⟩φ, where ℓ is one of the three GC labels; it reads “after performing action ℓ, the formula φ holds”. The authors also define a shorthand for existential quantification over action labels, allowing concise specifications such as “there exists an init action leading to φ”.
To illustrate GL, the authors model an online booking scenario involving a customer, an airline, and a partner airline. The choreography is expressed in GC, and a GL formula captures a property like “whenever the customer sends a booking request, eventually a matching offer is received”. This example demonstrates that GL can specify essential interaction patterns without committing to all implementation details, thereby supporting partial specifications.
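To make the modalities concrete, the following is an added illustration (not code from the paper, and not its model of the booking scenario): a small Hennessy‑Milner‑style model checker over a hand‑built labelled transition system whose labels are the three GC labels named above. The states, action names and the shape of the booking run are constructed here; the existential reading of ⟨ℓ⟩φ (some ℓ‑transition leads to a state satisfying φ) and the reading of ♦φ as “some reachable state satisfies φ” are this example’s assumptions. The spatial operator and first‑order quantification are not modelled, since they need the structure of the choreography term rather than a flat LTS.

```python
from typing import Dict, Set, Tuple

# A transition is (label, action name, successor state). Labels follow the summary:
# "init" (session initiation), "com" (in-session communication), "sel" (branch selection).
Transition = Tuple[str, str, str]
LTS = Dict[str, Set[Transition]]

# Constructed sample LTS (a simplification of the booking scenario in the text,
# not the paper's own model): Customer C, Airline A, Partner airline P.
BOOKING: LTS = {
    "s0": {("init", "C->A", "s1")},          # customer opens a session with the airline
    "s1": {("com", "C->A:book", "s2")},      # booking request
    "s2": {("sel", "A->C:offer", "s3"),      # airline selects the 'offer' branch ...
           ("sel", "A->C:reject", "s5")},    # ... or the 'reject' branch
    "s3": {("init", "A->P", "s4")},          # airline contacts the partner airline
    "s4": {("com", "P->A:confirm", "s6")},   # partner confirms the seat
    "s5": set(),                             # terminated after reject
    "s6": set(),                             # terminated after confirm
}

# Formulas are nested tuples. <label> phi is read existentially, as in
# Hennessy-Milner logic; [label] phi is its dual; May(phi) is the "eventually" reading of the diamond.
TRUE = ("true",)
END = ("end",)                                                   # no outgoing transitions
def Not(p): return ("not", p)
def And(p, q): return ("and", p, q)
def Dia(label, p, name=None): return ("act", label, name, p)   # <label,name> p
def Box(label, p, name=None): return Not(Dia(label, Not(p), name))  # [label,name] p
def May(p): return ("may", p)                                   # some reachable state satisfies p

def successors(lts: LTS, state: str, label: str, name=None):
    """Successor states reached by a transition with the given label (and name, if given)."""
    for lbl, nm, nxt in lts[state]:
        if lbl == label and (name is None or nm == name):
            yield nxt

def reachable(lts: LTS, state: str) -> Set[str]:
    """States reachable from `state` by any sequence of transitions (including `state`)."""
    seen, todo = set(), [state]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(nxt for _, _, nxt in lts[s])
    return seen

def sat(lts: LTS, state: str, phi) -> bool:
    """Satisfaction relation: does `state` of `lts` satisfy formula `phi`?"""
    kind = phi[0]
    if kind == "true":
        return True
    if kind == "end":
        return not lts[state]
    if kind == "not":
        return not sat(lts, state, phi[1])
    if kind == "and":
        return sat(lts, state, phi[1]) and sat(lts, state, phi[2])
    if kind == "act":
        _, label, name, body = phi
        return any(sat(lts, nxt, body) for nxt in successors(lts, state, label, name))
    if kind == "may":
        return any(sat(lts, s, phi[1]) for s in reachable(lts, state))
    raise ValueError(f"unknown formula kind {kind!r}")

def check_booking() -> Dict[str, bool]:
    """Evaluate a few properties of the sample choreography at its initial state."""
    offer = Dia("sel", TRUE, "A->C:offer")
    props = {
        # whenever a booking request is sent, an offer may eventually follow
        "booking_may_get_offer": Box("init", Box("com", May(offer), "C->A:book")),
        # some run terminates
        "can_terminate": May(END),
        # false claim: the offer branch ends the choreography immediately
        "offer_is_final": Box("init", Box("com", Box("sel", END, "A->C:offer"), "C->A:book")),
        # the reject branch does end the choreography
        "reject_is_final": Box("init", Box("com", Box("sel", END, "A->C:reject"), "C->A:book")),
    }
    return {name: sat(BOOKING, "s0", formula) for name, formula in props.items()}

if __name__ == "__main__":
    for name, holds in check_booking().items():
        print(f"{name}: {holds}")
```

The checker is the textbook recursive semantics of Hennessy‑Milner logic; the only non‑local case is `May`, which is evaluated by a reachability search. The `offer_is_final` property is included deliberately as a property that fails, to show that a partial specification such as “an offer may follow a booking” says nothing about what happens after the offer.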
A major theoretical result is that the full GL, when combined with recursion in GC, is undecidable. The proof follows standard reductions showing that the logic can encode Turing‑complete computations. Consequently, the authors identify a decidable fragment—called the “fragment”—by restricting recursion, limiting the depth of the ♦ operator, and allowing only linear sequences of actions. Within this fragment they present a sound and complete proof system. The proof rules mirror the LTS semantics: action rules decompose modalities, logical rules handle ∧, ¬, ∃, and the spatial rule splits parallel composition. They prove termination of the proof search algorithm and establish completeness by constructing a proof tree for any semantically valid formula in the fragment.
The paper concludes with a discussion of future work: extending the fragment to cover richer patterns (nested choices, more complex concurrency), integrating the proof system into automated verification tools, and exploring bidirectional translations between global choreographies and local orchestrations.
Overall, the contribution is twofold: (1) a tailored modal logic that can express a wide range of global interaction properties while respecting the semantics of the Global Calculus, and (2) a practically usable verification framework for a substantial decidable subset of that logic. This bridges the gap between high‑level choreography design and formal verification, offering a foundation for building reliable service‑oriented systems.