11institutetext: TU Berlin/TU Darmstadt, Germany
Taming Concurrency for Verification
Using Multiparty Session Types (Technical Report)
Kirstin Peters
Christoph Wagner
Uwe Nestmann
Abstract
The additional complexity caused by concurrently communicating processes in distributed systems render the verification of such systems into a very hard problem.
Multiparty session types were developed to govern communication and concurrency in distributed systems.
As such, they provide an efficient verification method w. r. t. properties about communication and concurrency, like communication safety or progress.
However, they do not support the analysis of properties that require the consideration of concrete runs or concrete values of variables.
We sequentialise well-typed systems of processes guided by the structure of their global type to obtain interaction-free abstractions thereof.
Without interaction, concurrency in the system is reduced to sequential and completely independent parallel compositions.
In such abstractions, the verification of properties such as e. g. data-based termination that are not covered by multiparty session types, but rely on concrete runs or values of variables, becomes significantly more efficient.
This technical report provides proofs and additional material for the paper [13].
Keywords:
concurrency, verification, multiparty session types
1 Introduction
Modern society is increasingly dependent on large-scale software systems that are distributed, collaborative, and communication-centred.
One of the techniques developed to handle the additional complexity caused by distributed actors are multiparty session types (MPST) [8]. MPST allow to specify the desired behaviour of communication protocols as by-design correct types that are used to verify the communication structure of software products. The properties guaranteed by well-typed processes cover communication safety (all processes conform to globally agreed communication protocols) and liveness properties such as deadlock-freedom. Their main advantage is that their verification method is extremely efficient—in comparison to e. g. standard model checking.
MPST were developed to govern communication and concurrency in distributed systems.
However, as it is typical for type systems, standard MPST variants (without dependable types) do not support the analysis of properties that require the consideration of concrete runs or concrete values of variables.
The hardest part about the verification of distributed systems is the state space explosion that results from concurrent communication attempts, i. e., the exponential blow-up that results from computing all possible combinations of potential communication partners.
The problem of concurrency mainly lies in the communication structure, which is already completely captured by MPST.
We show that the knowledge of a program/system to be well-typed, allows us to sequentialise it following the structure of its global type and thereby to remove all communication.
Accordingly, we show how we can benefit from the effort we spend on an MPST analysis of a system also for the verification of its properties that go beyond its communication structure.
We use the global type of a well-typed system to guide its sequentialisation.
We refer to the result as sequential global process (SGP), although it might still contain parallel compositions, albeit only on completely independent parts.
Since the structure of communication was already verified by the well-typedness proof, we can reduce communication to value updates.
More precisely, we map well-typed systems that interact concurrently, to SGP-systems without any interaction mechanisms or name binders.
Such SGP-systems consist of a vector of variables with values and a SGP-process that simulates the data flow of the original system.
Therefore, we translate the reception of data in communication into updates of the vector in the SGP-system.
By removing the communication we remove also the problem of state space explosion.
Our translation is valid if the considered process is well-typed w. r. t. a (set of) global type(s).
Thereby, we sequentialise communications that may happen concurrently in the original system but are sequential in global types.
Note that such communications are always causally independent of each other, thus ordering them does not significantly influence the behaviour of the system, e. g. it does not influence what values are computed.
Apart from such sequentialisations the original system and its abstraction into a SGP-system behave similarly.
Contributions.
We provide an algorithm to remove communication from well-typed systems and thereby sequentialise them, while preserving the evolution of data of the original system.
Deriving this algorithm was technically challenging but the result is a simple rewriting function and easy to automate.
Then we prove that, provided that the original system was well-typed, the algorithm produces a SGP-system that is closely related to the original system:
the original system and its abstraction are related by a variant of operational correspondence [5] and are coupled similar [11].
With that, the derived SGP-system is a good abstraction of the original system that can be used instead of the original to verify properties on concrete data.
Since the mapping into SGP-systems is usually linear and because SGP-systems do not contain any form of interaction or binders, properties can be checked more efficiently.
Finally, we provide a mapping—that is again a simple rewriting algorithm—from SGP-processes into Promela, the input language of the model checker Spin [7, 6].
With that, the properties that are not already guaranteed by the MPST analysis but require the consideration of concrete runs or concrete data can be checked.
Since the main challenge here is the sequentialisation of concurrent systems into interaction-free abstractions, the translation of SGP-systems into Promela is simple and can be used as a role model to obtain similar mappings for other model checkers.
Overview.
In Section 2 we extend Section 2 of [13] and introduce multiparty session types (including the things that are missing in [13] such as local types, projection, and typing rules).
Section 2.4 proves the basic properties of the introduced type system.
Section 3 of [13] introduces SGP-systems and a mapping that translates well-typed systems into SGP-systems.
In Section 3 we prove the relations between the original systems and their abstractions into SGP-systems as they are described in Section 4 of [13].
Then, Section 5 of [13] illustrates how the sequentialisation can be used to verify properties of the original system.
Section 4 introduces some small examples to illustrate this method.
2 Multiparty Session Types
In the following we extend Section 2 of [13]. In particular, we introduce some additional concepts of multiparty session types such as local types, derive the notion of well-typedness, and show some standard properties.
Multiparty session types describe global behaviours as sessions, i. e., units of conversations. The participants of such sessions are called roles. Global types specify protocols from a global point of view, whereas local types describe the behaviour of individual roles within a protocol. Projection ensures that a global type and its local types are consistent. These types are used to reason about processes formulated in a session calculus. Most of the existing session calculi are extensions of the well-known π-calculus [10] with specific operators adapted to correlate with local types.
Similar to [1, 14], we assume that roles, i. e., the identifiers for participants, are natural numbers.
Assume a countably infinite set of names. Names are used to denote channels and variables that may stand for a channel or some value. In the session calculus we distinguish shared channels that are used outside of sessions (to initialise sessions) and session channels that are used within sessions.
2.1 Global Types, Local Types, and Projection
Global types describe protocols from a global point of view on systems by interactions between roles. They are used to formalise specifications that describe the desired properties of a system.
We inherit the definition of global types from [1], but unify the transmission of values and branching into a single construct as done in [4].
Definition 1 (Global Types)
The global types are given by
[TABLE]
where r1,r2 are roles, li are labels, U~i are sequences of sorts, I are non-empty finite index sets, and t are type variables.
The global type r1→r2:{li⟨U~⟩.Gi}i∈I specifies a communication from role r1 to r2, where r1 picks a label li, i. e., one of the indexed set of options, transmits values of the sorts U~i and then the type proceeds with Gi.
The parallel composition G1,G2 allows to combine two independent global types G1 and G2, where independence means that these two global types do not share roles.
The operators (μt)G and t introduce recursion,
whereas successful termination of a global type is specified by end.
Let r(⋅) return the roles used in a global type (or a process as introduced later).
Global types describe systems from a global point of view.
To link them with the local points of view of processes they are projected onto their roles to obtain local types.
Again, we use the local types of [1], where we combine communication and branching into single constructs for the sender and the receiver as done in [4].
Definition 2 (Local Types)
The local types are given by
[TABLE]
where r are roles, li are labels, U~i are sequences of sorts, I are non-empty finite index sets, and t are type variables.
The two local end points of communication are the types [rmissing]!{li⟨U~i⟩.Ti}i∈I for the sender, where the role r indicates the receiver, and [rmissing]?{li⟨U~i⟩.Ti}i∈I for the receiver, where the role r indicates the sender.
Recursion with the constructs (μt)T and t and successful termination represented by end are similar to global types.
The partial mapping from global types onto their roles is called projection.
It is undefined for parallel global types that share a role and communications that branch such that roles that are neither the sender nor the receiver have to behave differently.
The first case reflects that parallel composition on global types defines independence, i. e., parallel global types specify the behaviour of partitions of distributed systems that do not interact.
The latter case ensures that if a process—the sender of this communication—decides to branch then only processes that are informed about this decision can adapt their behaviour accordingly.
If for a global type G projection is defined for all its roles then we call this type projectable.
Definition 3 (Projection)
Projection of a global type G onto a role p, written as G↾p is defined as:
[TABLE]
and undefined for all missing cases.
In the last case of the rule for communication—when projecting onto a role that does not participate in this communication—we map to:
[TABLE]
The operation ⊔p is (similar to [14]) inductively defined as:
[TABLE]
where l∈/I is short hand for ∄U~′,T′.l⟨U~′⟩.T′∈I, and is undefined in all other cases.
The projection of the global type GAS in Example 3 onto the Roles A, B1, and B2 is given below by the local types TA, TB1, and TB2, respectively.
[TABLE]
2.2 Session Calculus
Global types (and the local types that are derived from them) can be considered as specifications that describe the desired properties of the considered distributed system. To analyse such systems they are implemented in a session calculus. Again we use a version of the session calculus in [1], where we unify communication and branching into a single construct as done in [4]. Moreover, instead of using different session channels, we annotate the session channel that is unique for each session with the roles (as it was done in [4, 3]).
Definition 4 (Processes)
The processes of the session calculus are given by
[TABLE]
where a are shared channels, 2,…,n,r,r1,r2 are roles, s are session channels, l,li are labels, e~ are sequences of expressions to calculate values, x~i are sequences of variables, I are non-empty finite index sets, c are boolean conditions, and X are process variables.
A process initialises a session with a[2..n](s).P inviting via the shared channel a other processes to play the roles 2,…,n in a session s, i. e., with the session channels s. Then the inviting process itself becomes 1 in this session and proceeds after transmitting the invitations as P.
Processes can accept such an invitation to play role r in a session s that they receive on a shared channel a with a(s[rmissing]).P and then proceed as P.
Within session s role r1 can transmit to role r2 with s[r1,r2]!lmissing⟨e~⟩.P a label l and a sequence of values e~ and then proceed as P or
r1 can receive from r2 with s[r1,r2]?{li(x~i).Pi}i∈I one of the labels li from an indexed set of options together with a sequence of values to substitute x~i in the continuation Pi.
The conditional if c then P1 else P2 allows a process to proceed as P1 if c holds or else as P2.
Since we want to use the model checker Spin later, we restrict expressions e and conditions c to functions that are known by Promela, the input language of Spin.
Promela captures a wide range of functions such as basic logical and arithmetical operators.
With P1∣P2 the processes P1 and P2 are composed in parallel.
Successful termination is denoted by 0.
With (νs)P we restrict the scope of the session channel s to P.
With (μX)P we define recursion using process variables X.
We usually omit the curly brackets in branching with only one alternative, i. e., abbreviate r1→r2:{l⟨U~⟩.G} by r1→r2:l⟨U~⟩.G and s[r1,r2]?{lmissing(x~).P} by s[r1,r2]?lmissing(x~).P.
We also often omit trailing 0.
Throughout the paper we use ’.’ to denote sequential composition, where the part before the ’.’ is called prefix and the sub-term(s) in the scope of the ’.’ are guarded by this prefix.
Moreover, conditionals guard both of their sub-terms.
Similarly, we use round brackets to denote binders, where the variables (for names, types, or processes) within the brackets are bound in the following sub-term.
A name is free if it is not bounded.
Let n(M) denote the set of names and fn(M) denote the set of free names in M, where M is a type or a process.
We assume that all process variables in processes and type variables in types are bounded and guarded, where process variables have to be guarded by communication prefixes.
A substitution {\nicefracy1x1,…\nicefracynxn}={\nicefracy~x~} is a finite mapping from names to names, where the names in x~ are pairwise distinct. The application of a substitution on a term P{\nicefracy~x~} is defined as the result of simultaneously replacing all free occurrences of xi by yi, possibly applying alpha-conversion to avoid capture or name clashes. For all names n∈/x~ the substitution behaves as the identity mapping.
We naturally extend substitution of names to the substitution of process variables by terms.
We use structural congruence (≡) to abstract from syntactically different but semantically similar processes, where ≡ is the least congruence that satisfies alpha-conversion (≡α) and the rules:
[TABLE]
The reduction semantics of the session calculus is given by the rules in Figure 1.
The Rule Link initialises a session s on the roles 1,…,n, where 1 requested the session on channel a and each i participates in the session as Pi.
Communication within a session s is described by Rule Com, where in the case of matching roles and labels the continuations of sender and receiver are unguarded and the variables x~ are replaced by the values e~ in the receiver.
The Rules If-T and If-F reduce conditionals as expected.
The remaining rules allow for steps in various contexts and are standard.
In contrast to the standard π-calculus (as e. g. in [10]) the communication prefixes of the session calculus mention an explicit acting role next to the channel, regardless whether the prefix is used to initialise a session or to transmit a message within a session.
Definition 5 (Actor)
A process P has an actor on c[r1] if P has an unguarded subterm of the form c[2..n](s).P with r1=1 or c(s[r1]).P (for session invitations) or an unguarded subterm of the form c[r1,r2]!lmissing⟨e~⟩.P or c[r1,r2]?{li(x~i).Pi}i∈I (for communication).
Let act(P) be set of actors in P.
If unambiguous, i. e., if there is only one session, we omit the session channel and abbreviate actors by their role.
As described in [1, 8, 9], global types are projected onto to their roles into so-called local types (compare to Section 2.1) that are then used to build type environments.
Intuitively, a process is well-typed w. r. t. a global type if it behaves as specified in the type.
Therefore, the process is compared in a static analysis with type environments that are derived from the global type.
Similarly, a system that implements more than a single session is well-typed w. r. t. {(Gi,si)}i∈I if each session si behaves as specified in the global type Gi and if the interleaving of different sessions does not introduce deadlocks (compare to [2]).
We formally define well-typed processes for the above variant of MPST in Section 2.3 and show basic properties—in particular subject reduction, linearity, and error-freedom—in Section 2.4.
Moreover, we rely on the observation that in well-typed processes different actors of the same session are composed in parallel, whereas all actions of the same actor are composed sequentially.
Lemma 1 (Actors are Sequential)
If P is well-typed then all actions of the same actor are composed sequentially in P.
2.3 Well-Typed Processes
Processes are combined with type environments into type judgements.
A judgement is of the form Γ⊢P▹Δ, where Γ is a global type environment connecting shared channels with their global types and values with their sorts, P is a process, and Δ is a session environment containing the projections of global types onto their roles and some additional control information.
Type environments are sets of assignments, but we usually omit the curly brackets and write Γ,A (or Δ,A) for the union of Γ (or Δ) and {A}.
Definition 6 (Type Environments)
The global type environments and the session environments are given by
[TABLE]
where a are shared channels, G are global types, s are session channels, x are names, U are sorts, X are process variables, r are roles, and T are local types.
Assignments a:G connect a global type of a session with the shared channel that is used to initialise this session.
The type system ensures that shared channels are used exactly once.
Therefore, we add the session channel s, i. e., rewrite a:G into a:G⟨s⟩, after the shared channel was used and require that Γ,a:G implies ∄G′,s.a:G′∈Γ∨a:G′⟨s⟩∈Γ.
Similarly, we assume that Γ,a:G⟨s⟩ implies ∄a′,G′,s′.a:G′∈Γ∨a:G′⟨s′⟩∈Γ∨a′:G′⟨s⟩∈Γ.
Assignments x:U state that variable x is of sort U, which implies that x is no session channel.
We assume that the sort of variables is unique, i. e., that Γ,x:U implies ∄U′.x:U′∈Γ.
We write Γ⊩e:U if for all names v in e there is some v:Uv in Γ and if with these sorts for its variables e is of sort U for all possible evaluations.
We abbreviate Γ,e1:U1,…,en:Un by Γ,e~:U~ and Γ⊩e1:U1,…,Γ⊩en:Un by Γ⊩e~:U~.
Assignments X:Δ save the current state of a session environment connected to a process variable X, in order to check recursive processes.
We assume that Γ,X:Δ implies ∄Δ′.X:Δ′∈Γ.
The obligation a⟨r⟩ tells us that the considered process needs to invite role r via the shared channel a.
We assume that Δ,a⟨r⟩ implies a⟨r⟩∈/Δ.
Assignments s[r]:T connect the local type T to the role r in the session s.
We assume that Δ,s[r]:T implies that ∄T′.s[r]:T′∈Δ.
Let Δ1⊗Δ2=Δ1∪Δ2 if Δ1∩Δ2=∅ and undefined else.
Type judgements are derived from the typing rules in Figure 2, where we equate within type judgements processes modulo alpha conversion, local types modulo the unfolding of their recursion by the rule (μt)T=T{\nicefrac(μt)Tt}, and session environments modulo terminated types by the rule Δ,s[rmissing]:end=Δ.
For each session invitation a[2..n](s).P, Rule Req requires a:G in the global environment and rewrites it into a:G⟨s⟩ to mark that a was used to invite the session s.
Then it checks whether the global type has the invited number of roles, consumes the obligation a⟨1⟩ from the session environment and adds s[1]:G↾1, i. e., requires that the continuation P behaves as specified by the projection of G to role 1 in the session environment.
Rule Acc is similar for a process that accepts to participate as role r in the invited session.
Rule Send checks whether the process sends if its local type requires this, the roles of the process and the local type match, the transmitted label is one of the labels specified in the local type by j∈I, the transmitted expressions are of the required sorts by Γ⊩e~:U~j, and the continuation P behaves as specified by Tj.
Rule Get checks whether the process receives if its local type requires this, the roles of the process and the local type match, and each branch Pi with the variables x~i:U~i behaves as specified by Ti.
Note that in contrast to e. g. [1, 4, 3, 8, 9] we allow that receivers implement unnecessary branches, to allow types to follow the reductions of the system and to deal with branches already ruled out by a former step.
However, since the sender is checked as well, the type system ensures that only branches that are specified by the type can happen.
Rule End states that type judgements on successful termination are valid w. r. t. arbitrary global environments but only the empty session environment.
Rule Cond checks whether both branches of a conditional behave similarly.
Instead, to check a parallel composition in processes, Rule Par requires that it is possible to split the session environment into disjoint parts such that each parallel branch behaves as specified by one part of the session environment.
Rule Res requires that there is an unused shared channel connected to a global type and that the current session environment extended by the projections of this global type can evolve such that P behaves as specified by the remainder of this extended session environment, where the relation ⟼ on session environments is given by the Rules Com’ and Cut below.
It is necessary to analyse systems that already entered a session.
To check recursion, the Rules Rec and Var check whether the body of a recursive process reaches the same session environment after one iteration.
Coherence is used to describe the fact that a system implements all roles of the global types that belong the the considered sessions.
Definition 7 (Coherence)
A session environment Δ is coherent w. r. t. a set of pairs of global types and pairwise distinct names {(Gi,ni)}i∈I, if for all session channels s in Δ there exists j∈I such that nj=s and Δ∩{s[rmissing]:T∣r is a role and T is a local type}={s[rmissing]:Gj↾r∣r∈r(Gj)} and for all its shared channels a there exists j∈I such that nj=a and {r∣a⟨r⟩∈Δ}=r(Gj).
Moreover, Δ is coherent w. r. t. a global type G missing if Δ is coherent w. r. t. {(G,n)} for some name n and Δ is coherent if Δ is coherent w. r. t. some {(Gi,ni)}i∈I.
We map the reduction of communications in Rule Com of Figure 1 on the rule
[TABLE]
and add a rule to remove superfluous branches of receivers
[TABLE]
such that session environments can follow the evolution of processes.
We call a process role-distributed if it composes different actors of the same session in parallel (for all sessions and all actors of a session).
Definition 8 (Well-Typed Processes, Single Session)
Let P be a process, G a global type, Γ a global type environment, and Δ a session environment.
For processes with a single session we have:
P is well-typed w. r. t. Γ and Δ if P is role-distributed, Δ is coherent, and Γ⊢P▹Δ.
P is well-typed if there are Γ,Δ such that P is well-typed w. r. t. Γ,Δ.
P is well-typed w. r. t. G missing if there are Γ,Δ such that P is role-distributed, G is the only global type in Γ, Δ is coherent w. r. t. G, and Γ⊢P▹Δ.
The definition of well-typed processes is more difficult for several interleaved sessions.
As described in [2], we have to ensure that actions of different sessions do not cause deadlocks by cyclic dependencies.
Therefore, [2] introduce an interaction type system for global progress in dynamically interleaved multiparty sessions.
The interaction type system introduced in [2] considers an asynchronous variant of MPST there senders release their messages onto message queues from which receivers can read in a subsequent step.
To check for global progress in dynamically interleaved multiparty sessions, the interaction type system collects dependencies between interactions of different services, i. e., different sessions and their associated shared channels.
Since [2] considers asynchronous communication, they collect the dependencies of a receiver to the interactions with other services in its continuation.
To obtain an interaction type system for the above synchronous MPST variant, we have to consider dependencies also for senders, i. e., treat senders in the same way as receivers.
Moreover, we have to extend the collection of dependencies also to session invitations, i. e., session requests a[2..n](s).P and their corresponding receivers a(s[rmissing]).P have to produce the same kind of dependencies towards interactions of other services as the communication prefixes within the respective session.
A process P is globally progressing if it can be typed in the interaction type system.
Definition 9 (Well-Typed Processes, Interleaved Sessions)
Let P be a process without name clashes on session channels, {(Gi,si)}i∈I a set of pairs of global types and pairwise distinct session channels, Γ a global type environment, and Δ a session environment.
For processes with interleaved sessions we have:
P is well-typed w. r. t. Γ and Δ if P is role-distributed, Δ is coherent, Γ⊢P▹Δ, and P is globally progressing.
P is well-typed if there are Γ,Δ such that P is well-typed w. r. t. Γ,Δ.
P is well-typed w. r. t. {(Gi,si)}i∈I if there are Γ,Δ such that P is role-distributed, {Gi}i∈I are the global types in Γ, Δ is coherent w. r. t. the types {(Gi,ni)}i∈I for some ni, Γ⊢P▹Δ, P is globally progressing, and for all i∈I either ni=si or Γ⊢P▹Δ connects the shared channel ni with si, i. e., ni:G∈Γ is transferred into ni:G⟨si⟩ by one of the Rules Req, Acc, or Res.
2.4 Basic Properties
Type judgements are preserved modulo structural congruence.
Lemma 2 (Structural Congruence)
If Γ⊢P▹Δ and P≡P′ then Γ⊢P′▹Δ.
Proof
The proof is by induction on the rules of structural congruence that are used to obtain P≡P′.
In each case we derive from the structure of P and Figure 2 information about the proof of Γ⊢P▹Δ and use them to show Γ⊢P′▹Δ.
Thereby, we rely on the commutativity and associativity of ⊗, the fact that a judgement for the process 0 can be derived if and only if the considered session environment is empty, and that we equate in judgements local types modulo the unfolding of recursion.
Type judgements are preserved modulo the substitution of values by values of the same sort.
Lemma 3 (Substitution)
If Γ,x:U,y:U⊢P▹Δ then Γ,y:U⊢P{\nicefracyx}▹Δ.
Proof
The proof is by induction on the typing rules used to obtain Γ,x:U,y:U⊢P▹Δ.
Since local types do not contain names, they are not affected by the substitution.
Rule Send is the only typing rule that checks for sorts of names.
This case follows from the observation that Γ,x:U,y:U⊩e implies Γ,y:U⊩e{\nicefracyx}.
The sorts of fresh names are not relevant for type judgements.
Lemma 4 (Fresh Name)
If Γ,x:U⊢P▹Δ and x∈/fn(P) then Γ⊢P▹Δ.
Proof
The proof is by induction on the typing rules used to obtain Γ,x:U⊢P▹Δ.
Subject reduction is a fundamental property of type systems that allows for static type checking.
It shows that if a type judgement for a process can be derived with a coherent session environment then we can also derive type judgements for its derivatives.
Lemma 5 (Subject Reduction)
If Γ⊢P▹Δ, Δ is coherent, and P⟼P′ then there is Δ′ such that Γ⊢P′▹Δ′, Δ′ is coherent, and Δ⟼Δ′.
Proof
Assume Γ⊢P▹Δ and that Δ is coherent.
The proof is by induction on the reduction rules of Figure 1 that are used to obtain P⟼P′.
Case of Rule Link:
In this case P=a[2..n](s).P1∣a(s[2]).P2∣…∣a(s[n]).Pn and P′=(νs)(P1∣P2∣…∣Pn).
By Figure 2, then the proof of Γ⊢P▹Δ starts with n−1 applications of Rule Par that splits the judgement into Γ⊢a[2..n](s).P1▹Δ1 and Γ⊢a(s[i]).Pi▹Δi for 2≤i≤n such that Δ=Δ1⊗…⊗Δn.
By the Rules Req and Acc, then r(G)={1,…,n}, Γ=Γ′,a:G, Δi=Δi′,a⟨i⟩, and Γ′,a:G⟨s⟩⊢Pi▹Δi′,s[i]:G↾i for all 1≤i≤n.
Because of Δ1⊗…⊗Δn and Δi=Δi′,a⟨i⟩, Δ′=Δ1′⊗…⊗Δn′ is defined.
By n−1 applications of Rule Par and since Δi′,s[i]:G↾i implies that Δi′ does not contain an assignment for smissing[i], then Γ′,a:G⟨s⟩⊢P1∣…∣Pn▹Δ′,s[1]:G↾1,…,s[n]:G↾n.
By Rule Res and the reflexivity of ⟼∗, then Γ⊢P′▹Δ.
By the reflexivity of ⟼∗, then Δ⟼∗Δ.
Case of Rule Com:
In this case P=s[r1,r2]!lj⟨e~⟩.Q∣s[r2,r1]?{li(x~i).Pi}i∈I, j∈I, and P′=Q∣(Pj{\nicefrace~x~j}).
By Figure 2, then the proof of Γ⊢P▹Δ starts with Rule Par that splits the judgement into Γ⊢s[r1,r2]!lj⟨e~⟩.Q▹ΔQ and Γ⊢s[r2,r1]?{li(x~i).Pi}i∈I▹ΔP such that Δ=ΔQ⊗ΔP.
By the Rules Send and Get and coherence, then Γ⊩e~:U~j, ΔQ=ΔQ′,s[r1]:[r2]!{li⟨U~j⟩.Ti}i∈I, Γ⊢Q▹ΔQ′,s[r1]:Tj, ΔP=ΔP′,s[r2]:[r1]?{li⟨U~j⟩.Ti′}i∈I, and Γ,x~j:U~j⊢Pj▹ΔP′,s[r2]:Tj′.
By the Lemmata 3 and 4, then Γ⊢Pj{\nicefracex~j}▹ΔP′,s[r2]:Tj′.
Because ΔQ⊗ΔP is defined, ΔQ=ΔQ′,s[r1]:[r2]!{li⟨U~j⟩.Ti}i∈I, and ΔP=ΔP′,s[r2]:[r1]?{li⟨U~j⟩.Ti′}i∈I, Δ′=ΔQ′,s[r1]:Tj⊗ΔP′,s[r2]:Tj′ is defined and is coherent.
By Rule Par, then Γ⊢P′▹Δ′.
By Rule Com’, then Δ⟼∗Δ′.
Case of Rule If-T:
In this case P=if c then P1 else P2, P′=P1, and c is satisfied.
By Figure 2, then the proof of Γ⊢P▹Δ starts with Rule Cond and, thus, Γ⊢P′▹Δ.
By the reflexivity of ⟼∗, then Δ⟼∗Δ.
Case of Rule If-F:
In this case P=if c then P1 else P2, P′=P2, and c is not satisfied.
By Figure 2, then the proof of Γ⊢P▹Δ starts with Rule Cond and, thus, Γ⊢P′▹Δ.
By the reflexivity of ⟼∗, then Δ⟼∗Δ.
Case of Rule Par:
In this case P=P1∣P2, P′=P1′∣P2, and P1⟼P1′.
By Figure 2, then the proof of Γ⊢P▹Δ starts with Rule Par that splits the judgement into Γ⊢P1▹Δ1 and Γ⊢P2▹Δ2 such that Δ=Δ1⊗Δ2.
By the induction hypothesis, Γ⊢P1▹Δ1 and P1⟼P1′ imply that there is Δ1′ such that Γ⊢P1′▹Δ1′, Δ1′ is coherent, and Δ1⟼∗Δ1′.
Because Δ1⊗Δ2 is defined and since Rule Com’ can only reduce local types, then Δ′=Δ1′⊗Δ2 is defined but not necessarily coherent.
If Δ′ is not coherent then this is because of superfluous branches in receivers that we remove with Rule Cut, while Rule Get ensures that the validity of the type judgement is not affected by removing superfluous branches in the type.
Let Δ′′ be the result of removing all superfluous branches from Δ′ such that Δ′′ is coherent and, with the Rules Com’ and Cut, Δ⟼∗Δ′′.
By Rule Par, then Γ⊢P′▹Δ′′.
Case of Rule Res:
In this case P=(νs)Q, P′=(νs)Q′, and Q⟼Q′.
By Figure 2, then the proof of Γ⊢P▹Δ starts with Rule Res such that Γ=Γ′,a:G, Δ=ΔQ,a⟨1⟩,…,a⟨n⟩, ΔQ,s[1]:G↾1,…,s[n]:G↾n⟼∗ΔQ′′, r(G)={1,…,n}, and Γ′,a:G⟨s⟩⊢Q▹ΔQ′′.
By the induction hypothesis, Γ′,a:G⟨s⟩⊢Q▹ΔQ′′ and Q⟼Q′ imply that there is ΔQ′′′ such that Γ′,a:G⟨s⟩⊢Q▹ΔQ′′′, ΔQ′′′ is coherent, and ΔQ′′⟼∗ΔQ′′′.
By Rule Res, then Γ⊢P′▹Δ.
By the reflexivity of ⟼∗, then Δ⟼∗Δ.
Case of Rule Struc:
This case follows from Lemma 2.
In the above proof we use the assumption that Δ is coherent only to prove that then also Δ′ is coherent.
The proof of subject reduction without coherence in Theorem 1 of [13] is obtained as special case of the above proof by removing the parts about coherence and the step relation on session environments.
Session invitations ensure by definition, that the implementation of a session composes its actors in parallel.
If a process is role-distributed then so are all its derivatives.
Lemma 6
If Γ⊢P▹Δ, P⟼P′, and P is role-distributed then P′ is role-distributed.
Proof
The proof is by induction on the reduction rules of Figure 1 to obtain P⟼P′, since no reduction rule unifies parallel branches.
If P is well-typed then all actions of the same actor are composed sequentially in P.
Proof (Proof of Lemma 1)
By the Definitions 2 and 3, local types are sequential and projection maps global types for each role on a single sequential local type T.
By coherence, for each role there is initially either exactly one a⟨r⟩ that is replaced later by the sequential local type T or there is exactly one s[r]:T in the session environment.
By Figure 2, then T cannot be split between different parallel branches and communication prefixes require a corresponding assignment of the respective actor.
Thus, a single local type T cannot be implemented in different parallel branches.
Well-typedness ensures that there are no conflicts between communication prefixes for both session invitations and communications within sessions.
Lemma 7 (Linearity)
If P is well-typed then P contains, for each shared channel a, at most one invitation a[2..n](s).P′ and no two a(s[rmissing]).P′ for the same role r and, for each pair of a session channel s and a role r, at most one sender s[rmissing,r′]!lmissing⟨e~⟩.P′ and at most one receiver s[rmissing,r′]?{li(x~i).Pi′}i∈I that are guarded only by conditionals.
Proof
Assume that P is well-typed.
Assume that P contains an invitation a[2..n](s).P′ that is guarded only by conditionals.
By Figure 2 and Γ⊢P▹Δ, then a⟨1⟩∈Δ.
Because a⟨1⟩ is consumed in Rule Req, cannot be introduced by typing rules, and cannot be duplicated for different parallel branches, P can contain at most one such prefix.
The case of a(s[rmissing]).P′ is similar.
The cases of s[rmissing,r′]!lmissing⟨e~⟩.P′ and s[rmissing,r′]?{li(x~i).Pi′}i∈I follow from Lemma 1.
Moreover, well-typedness ensures that, for all unguarded communication prefixes, the respective communication partner exists in a parallel branch but might be guarded.
Lemma 8 (Error-Freedom)
If P is well-typed and P contains an unguarded
-
a[2..n](s).P′* then P also contains a(s[i]).Pi′ for all 2≤i≤n that are guarded only by conditionals or prefixes on channels different form a.*
2. 2.
a(s[rmissing]).P′* then there is some n such that 2≤r≤n and P also contains a[2..n](s).P′ and a(s[i]).Pi′ for all 2≤i≤n with r=i that are guarded only by conditionals or prefixes on channels different form a.*
3. 3.
s[rmissing,r′]!lj⟨e~⟩.P′* then P also contains s[rmissing,r′]?{li(x~i).Pi′}i∈I with j∈I in parallel with the sender.*
4. 4.
s[rmissing,r′]?{li(x~i).Pi′}i∈I* then P also contains s[rmissing,r′]!lj⟨e~⟩.P′ with j∈I in parallel with the receiver.*
Proof
Assume that P is well-typed and that P contains an unguarded
-
invitation a[2..n](s).P′.
By Figure 2 and Γ⊢P▹Δ, then a⟨1⟩∈Δ and a:G∈Γ for some G such that r(G)={1,…,n}.
By coherence, then a⟨2⟩,…,a⟨n⟩∈Δ.
By Lemma 1 and Figure 2, then P also contains a(s[i]).Pi′ for all 2≤i≤n that are guarded only by conditionals or prefixes on channels different from a.
2. 2.
a(s[rmissing]).P′.
By Figure 2 and Γ⊢P▹Δ, then a⟨rmissing⟩∈Δ and a:G∈Γ for some G such that r(G)={1,…,n} and 1≤r≤n.
By coherence, then a⟨1⟩,…,a⟨n⟩∈Δ.
By Lemma 1 and Figure 2, then P also contains a[2..n](s).P′ and a(s[i]).Pi′ for all 2≤i≤n with r=i that are guarded only by conditionals or prefixes on channels different from a.
3. 3.
s[rmissing,r′]!lmissing⟨e~⟩.P′.
By Figure 2 and Γ⊢P▹Δ, then s[rmissing]:[r′]!{lj⟨U~j⟩.Tj′}j∈J∈Δ.
By coherence, then there is some T such that s[r′]:T∈Δ and T has a sub-type [rmissing]?{lj⟨U~j⟩.Tj′′}j∈J.
By Lemma 1 and Figure 2, then P contains also s[rmissing,r′]?{li(x~i).Pi′}i∈I with j∈I in parallel with the sender.
4. 4.
s[rmissing,r′]?{li(x~i).Pi′}i∈I.
By Figure 2 and Γ⊢P▹Δ, then there is some J⊆I such that s[rmissing]:[r′]?{lj⟨U~j⟩.Tj′}j∈J∈Δ.
By coherence, then there is some T such that s[r′]:T∈Δ and T has a sub-type [rmissing]!{lj⟨U~j⟩.Tj′}j∈J.
By Lemma 1 and Figure 2, then P also contains s[rmissing,r′]!lj⟨e~⟩.P′ with j∈I in parallel with the receiver.
Progress, i. e., the absence of local deadlocks, is a simple consequence of the above results.
Lemma 9 (Progress)
If P is well-typed and P⟼∗P′ then either P′≡0 or there is some P′′ such that P′⟼P′′.
Proof
Assume Γ⊢P▹Δ, Δ is coherent, and P⟼∗P′.
By Lemma 5, then there is some Δ′ such that Γ⊢P′▹Δ′, Δ′ is coherent, and Δ⟼∗Δ′.
If Δ′=∅ then, by Figure 2, P′≡0.
Else Δ′ contains an assignment of the form a⟨r⟩ or of the form s[r]:T.
By Figure 2, then P contains a corresponding a[2..n](s).Q, a(s[rmissing]).Q, s[rmissing,r′]!lmissing⟨e~⟩.Q, or s[rmissing,r′]?{li(x~i).Qi′}i∈I that is guarded only by conditionals.
Let P1 be a process such that the sequence P′⟼∗P1 resolves these conditionals and unguards the respective action prefix.
By Lemma 8, then there is a matching communication partner that is guarded only by conditionals.
Let P2 be a process such that the sequence P1⟼∗P2 resolves these conditionals and unguards the respective action prefix of the communication partner.
Then P2⟼P′′ is the step that reduces the respective communication.
3 Processes versus SGP-Processes
In [13] we introduce two algorithms.
The first allows to map systems that are well-formed w. r. t. to a synchronous global type for the case of a single session.
Definition 10
The partial mapping SGP({Pi}i∈I,G) is defined inductively as:
-
0, if G=end
2. 2.
Xt, else if G=t
3. 3.
SGP({Pj′}∪{Pi}i∈I∖{j},G),
h else if there is some j∈I such that Pj=(νs)Pj′
4. 4.
SGP({Pj1,Pj2}∪{Pi}i∈I∖{j},G),
h else if there is some j∈I such that Pj=Pj1∣Pj2
5. 5.
SGP({Pj′{\nicefrac(μX)Pj′X}}∪{Pi}i∈I∖{j},G),
h else if there is j∈I such that Pj=(μX)Pj′
6. 6.
x~m@s[r]:=e~.SGP({Qm{\nicefracx~m@s[r]x~m},Q}∪{Pi}i∈I∖{k,l},Gm),
h else if there are k,l∈I, m∈J⊆J′ such that
h G=r1→r2:{lj⟨U~j⟩.Gj}j∈J, Pk=s[r1,r2]!lm⟨e~⟩.Q,
h and Pl=s[r2,r1]?{lj(x~j).Qj}j∈J′
7. 7.
SGP({Pi}i∈I1,G1)∥SGP({Pj}j∈I2,G2),
h else if there are some I1∪I2=I such that G=G1,G2,
h ⋃i∈I1r(Pi)=r(G1), and ⋃j∈I2r(Pj)=r(G2)
8. 8.
(μXt)SGP({Pi}i∈I,G′), else if G=(μt)G′
9. 9.
τ.SGP({P1′,…,Pn′},G),
h else if {Pi}i∈I={a[2..n](s).P1′,a(s[2]).P2′,…,a(s[n]).Pn′}
10. 10.
if cmissing then SGP({Pj1}∪{Pi}i∈I∖{j},G) else SGP({Pj2}∪{Pi}i∈I∖{j},G),
h else if there is some j∈I such that Pj=if c then Pj1 else Pj2
The second mapping extends the first to asynchronous session types and multiple sessions.
Definition 11
SGP′({Pi}i∈I,{(Gj,sj)}j∈J) is defined inductively as:
-
-
(a)
0, if J=∅
2. (b)
SGP′({Pi}i∈I,{(Gj,sj)}j∈J∖{k}),
h else if there is some k∈J such that Gk=end
2. 2.
XG, else if G={Gj}j∈J={tj}j∈J
3. 3.
SGP′({Pk′}∪{Pi}i∈I∖{k},{(Gj,sj)}j∈J),
h else if there is k∈I such that Pk=(νs)Pk′
4. 4.
SGP′({Pk1,Pk2}∪{Pi}i∈I∖{k},{(Gj,sj)}j∈J),
s else if there is some k∈I such that Pk=Pk1∣Pk2
5. 5.
SGP′({Pk′{\nicefrac(μX)Pk′X}}∪{Pi}i∈I∖{k},{(Gj,sj)}j∈J),
s else if there is k∈I such that Pk=(μX)Pk′
6. 6.
x~n@s[r]:=e~.SGP′(P,G) with P={Qn{\nicefracx~n@s[r]x~n},Q}∪{Pi}i∈I∖{m,o} and G={(Gl,n)}∪{(Gj,sj)}j∈j∖{l},
h else if there are m,o∈I, l∈J, n∈K⊆K′ such that
h Gl=r1→r2:{lk⟨U~k⟩.Gl,k}k∈K, Pm=s[r1,r2]!ln⟨e~⟩.Q,
h and Po=s[r2,r1]?{lk(x~k).Qk}k∈K′
7. 7.
- (a)
SGP′({Pi}i∈I1,{(Gj,sj)}j∈J1)∥SGP′({Pi}i∈I2,{(Gj,sj)}j∈J2),
s else if there are some I1∪I2=I, J1∪J2=J such that J1∩J2=∅ and
h ⋃i∈Ikact(Pi)={sj[r]∣j∈Jk∧r∈r(Gj)} for k∈{1,2}
2. (b)
SGP′({Pi}i∈I,{(Gk1,sk),(Gk2,sk)}∪{(Gj,sj)}j∈J),
s else if there is k∈J such that Gk=Gk1,Gk2
8. 8.
(μXG)SGP′({Pi}i∈I,{(Gj′,sj)}j∈J),
s else if Gj=(μtj)Gj′ for all j∈J and G={tj}j∈J
9. 9.
τ.SGP′({P1′,…,Pn′}∪{Pi}i∈I∖{k1,…,kn},{(Gj,sj)}j∈J),
s else if there are k1,…,kn∈I such that Pk1=a[2..n](s).P1′,
h Pk2=a(s[2]).P2′, …, Pkn=a(s[n]).Pn′
10. 10.
if cmissing then SGP′({Pk1}∪P,G) else SGP′({Pk2}∪P,G)
with P={Pi}i∈I∖{k} and G={(Gj,sj)}j∈J,
s else if there is k∈I such that Pk=if c then Pk1 else Pk2
We observe that each of the Cases 1a, 1b, 2–4, 6, 7b, and 8–9 reduces either the set of global types or the considered set of processes.
By unfolding recursion, Case 5 blows up one of the considered processes.
This is necessary, because the typing system allows that a process and its global type do not loop at the same points but in the same way.
Because of that, the global type (μt)(r1→r2:l⟨U⟩.r2→r1:l⟨U⟩.t) can e. g. be implemented for role r1 by the process a[r2](s).s[r1,r2]!lmissing⟨z⟩.(μX)(s[r1,r2]?lmissing(x).s[r1,r2]!lmissing⟨z⟩.X).
Case 5 allows to unfold recursion in processes until the current recursive set of global types is reduced to recursion variables in Case 2.
Note that Case 2 drops the remainder of the process as soon as the loops in the global types are reduced.
With that, the number of unfoldings of recursion in processes in Case 5 that is necessary to compute SGP′({P},{(Gj,sj)}j∈J) is bounded by the size of the loops in the global types.
Case 7a introduces a parallel composition in the SGP-process if the considered sets of processes can be partitioned into two sets that implement the actors of different sessions.
This case can be applied if we can split the set of sessions into two disjoint sets such that there are no dependencies between the sessions in different sets.
Since the number of sessions is bounded, where session invitations under recursion introduce only a single session w. r. t. well-typedness, also the number of applications of Case 7a that are necessary to compute SGP′({P},{(Gj,sj)}j∈J) is bounded.
Case 10 globalizes conditionals and therefore copies all other actors to both cases.
Because of that, we apply this case only if it is necessary to unguard a communication partner.
In well-typed systems both cases of a conditional need to follow the same type, i. e., need to implement the same communication structure.
Conditionals are a local form of branching, i. e., implement alternative behaviours of a single actor.
Only by transmitting information about the outcome of a conditional as sender in a communication can a local conditional influence the remaining actors of the system.
Accordingly, conditionals are usually used to choose between alternatives directly before sending in process implementations (compare to Example 4) or process implementations can easily be optimized to satisfy this property.
By design, the algorithms in Definition 10 and 11 map such a local conditional only if this is necessary to unguard a communication partner.
Since we give precedence to conditionals that guard senders, we indeed map only necessary conditionals.
Nonetheless, since Case 10 copies the remaining processes and the type(s), we cannot avoid a blow-up of the size of the generated system in this case that is in the worst case exponentially larger than the original system.
However, if a conditional guides the choice between different branches of an immediately following send-action, then all of the copied actors that are input guarded in the global type will reduce to different cases for the respective two branches.
This explains why the size of our toy example does not grow then we map the conditionals in Example 4 to the SGP-process in Example 5 in Section 4.1.
The copies of processes in Case 10 increase the size of the resulting SGP-process—in comparison to the original system—only with respect to conditionals that do not implement a choice between different labels of a sender or with respect to actors that are in their next step not influenced by the outcome of this conditional as in the type.
Example 1
As example consider the process
[TABLE]
that is well-typed with respect to
[TABLE]
Since the actors s[3] and s[4] act independent of the outcome of the conditional of s[1], the algorithm in Definition 10 copies the translation of the actors s[3] and s[4]:
[TABLE]
However, we observe that in this case the duplication of the behaviour of the actors s[3] and s[4] is already visible in the type.
So, if conditionals are used only to guide the choice between labels of an immediately following send-action, then again the corresponding increase of the size of the system in the algorithm is bounded by the size of the global types.
Finally, we observe that the size of a well-typed process is larger or equal to the sum of the sizes of its global types.
We conclude that—except for the conditionals—the algorithm in Definition 11, takes a linear amount of steps and, thus, constructs a SGP-process of a size that is linear w. r. t. the size of the original system.
Corollary 1
Let P be well-typed w. r. t. {(Gj,sj)}j∈J.
Assume that P uses conditionals only to branch between alternative labels of a sender.
Then the computation of the SGP-process SGP′({P},{(Gj,sj)}j∈J) is linear in the size of P combined with the sum of the sizes of the types in {(Gj,sj)}j∈J and produces a SGP-process that is linear in this size.
This is very important.
We map well-typed systems onto SGP-systems in order to avoid the problem of state space explosion that is caused by the concurrency of communication attempts, i. e., to avoid the in the worst case exponential blow-up of states that need to be considered in verification.
MPST are a very efficient method to analyse the communication structure of the original system.
Corollary 1 ensures that also the computation of the SGP-system is efficient, i. e., fast, and that the construction does not suffer from the problem of state space explosion, i. e., the generated SGP-system is not considerably larger than the original system.
Since the construction sequentialises the original system and thereby removes all forms of interaction and restriction, the verification of the SGP-abstraction is much easier than the verification of the original system.
For the remainder of this section we assume that no alpha conversion is used to rename input binders.
Before we prove Theorem 2 of [13], i. e., that the mapping of Definition 11 returns a SGP-process whenever it is applied on a well-typed process and its global types, we show some properties on the different cases of Definition 11 (and implicitly also Definition 10).
In particular we show that most of the cases preserve well-typedness, i. e., if their input is well-typed then so are the inputs of its recursive calls.
The first case replaces the set of considered processes by 0 if the global type is terminated and removes empty global types.
This is safe, because processes that are well-typed w. r. t. end cannot contain communication prefixes.
Lemma 10 (Case 1a)
If P is well-typed w. r. t. ∅ then P contains only parallel compositions, conditionals, successful termination, and restriction.
Proof
Assume that P is well-typed w. r. t. ∅, i. e., there are Γ,Δ such that P is role-distributed, Γ⊢P▹Δ, there are no global types in Γ, Δ is coherent w. r. t. ∅, and Γ⊢P▹Δ is globally progressing.
Since there are no global types in Γ, the derivation of Γ⊢P▹Δ cannot use the Rules Req or Acc and, thus, P cannot contain communication on shared channels.
Because the other typing rules of Figure 2 can only reduce local types, neither the Rule Send nor Rule Get can be used and, thus, P does not contain prefixes for sending or receiving within sessions.
Because of that, P cannot contain process variables and, thus, no recursion.
Lemma 11 (Case 1b)
If P is well-typed w. r. t. {(Gj,sj)}j∈J, k∈J, and Gk=end then P contains no communication prefixes on sk and cannot invite the session sk.
Proof
Assume that P is well-typed w. r. t. {(Gj,sj)}j∈J, k∈J, and Gk=end, i. e., there are Γ,Δ such that P is role-distributed, Γ⊢P▹Δ, {Gj}j∈J are the global types in Γ, Δ is coherent w. r. t. {(Gj,nj)}j∈J, Γ⊢P▹Δ is globally progressing, and for all j∈J either nj=sj or Γ⊢P▹Δ connects nj with sj.
Because r(end)=∅ and Δ is coherent w. r. t. {(Gj,nj)}j∈J, the session environment does not contain the (shared or session) channel nk, i. e., nk∈/Δ.
Then, the derivation of Γ⊢P▹Δ cannot use the Rules Req or Acc and, thus, P cannot contain communication on nk.
Hence, the session sk cannot be invited.
Because the other typing rules of Figure 2 can only reduce local types, neither the Rule Send nor Rule Get can be used and, thus, P does not contain prefixes for sending or receiving within the session sk.
Since P is well-typed w. r. t. end is a special case of the conditions P is well-typed w. r. t. {(Gj,sj)}j∈J, k∈J, and Gk=end, Lemma 11 holds also for Case 1 of Definition 10.
Note that the restriction of session channels without communication is always useless, i. e., can be removed modulo structural congruence.
The Cases 3, 4, 5, and 10 are used to decompose and unfold processes to make them accessible for the other cases.
In all of these cases all recursive calls of the mapping are on sets of processes that—combined by parallel composition—are well-typed to the former global types.
Thus, none of these cases allows the mapping to reduce the global types or to create any SGP-operators except for conditionals that are not reflected in global types.
Instead they can be seen as preparation cases.
Case 3 removes restriction, but preserves well-typedness w. r. t. the same global types in its recursive call.
Lemma 12 (Case 3)
If ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J and there is some k∈I such that Pk=(νs)Pk′ then (Pk′∣(∏i∈I∖{k}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J.
Proof
Assume that P=∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J and there is some k∈I such that Pk=(νs)Pk′, i. e., there are Γ,Δ such that P is role-distributed, {Gj}j∈J are the global types in Γ, Δ is coherent w. r. t. {(Gj,nj)}j∈J, Γ⊢P▹Δ, P is globally progressing, and for all j∈J either nj=sj or Γ⊢P▹Δ connects nj with sj.
By Figure 2 and coherence, then there is some l∈J such that nl is a shared channel, {a⟨r⟩∣r∈r(G)}⊆Δ, and nl:Gl∈Γ.
Then the derivation of Γ⊢P▹Δ starts with Rule Par to separate the judgement into Γ⊢(νs)Pj′▹Δj and the judgements for the Γ⊢Pi▹Δi with i=j.
Let Γ=Γ′,nl:Gl.
Since nl is not relevant for the derivations Γ⊢Pi▹Δi with i=j, we have Γ′,nl:Gl⟨sl⟩⊢Pi▹Δi with i=j.
From Γ⊢(νs)Pj′▹Δj and the typing rules, we get Γ′,nl:Gl⟨sl⟩⊢Pj′▹Δj′, where Δj′={sl[r]:Gl↾r∣r∈r(Gl)}.
By Rule Par, then Γ′,nl:Gl⟨sl⟩⊢Pk′∣(∏i∈I∖{k}Pi)▹Δj′,⋃i=jΔi.
By coherence, Δj′,⋃i=jΔi is coherent w. r. t. {(Gj,nj)}j∈J,j=l∪{(Gl,sl)}.
Then, (Pk′∣(∏i∈I∖{k}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J.
Case 4 splits parallel composition and preserves well-typedness w. r. t. the same global types in its recursive call.
Lemma 13 (Case 4)
If ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J and there is some k∈I such that Pk=Pk1∣Pk2 then (Pk1∣Pk2∣(∏i∈I∖{k}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J.
Proof
Follows from the typing rules in Figure 2 and Rule Par in particular.
Case 5 unfolds recursion in a process and preserves well-typedness w. r. t. the same global type in its recursive call.
Lemma 14 (Case 5)
If ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J and there is some k∈I such that Pk=(μX)Pk′ then (Pk′{\nicefrac(μX)Pk′X}∣(∏i∈I∖{k}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J.
Proof
Assume that P=∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J and there is some k∈I such that Pk=(μX)Pk′, i. e., there are Γ,Δ such that P is role-distributed, {Gj}j∈J are the global types in Γ, Δ is coherent w. r. t. {(Gj,nj)}j∈J, Γ⊢P▹Δ, P is globally progressing, and for all j∈J either nj=sj or Γ⊢P▹Δ connects nj with sj.
By Lemma 2, then Γ⊢Pj′{\nicefrac(μX)Pj′X}∣(∏i∈I∖{j}Pi)▹Δ.
Then, (Pj′{\nicefrac(μX)Pj′X}∣(∏i∈I∖{j}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J.
Case 10 maps a conditional of the original system on a SGP-conditional and preserves well-typedness w. r. t. the same global types in both of its recursive calls.
Lemma 15 (Case 10)
If ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J and there is some k∈I such that Pk=if c then Pk1 else Pk2 then (Pk1∣(∏i∈I∖{k}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J and (Pk2∣(∏i∈I∖{k}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J.
Proof
Assume that P=∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J and there is some k∈I such that Pk=if c then Pk1 else Pk2, i. e., there are Γ,Δ such that P is role-distributed, {Gj}j∈J are the global types in Γ, Δ is coherent w. r. t. {(Gj,nj)}j∈J, Γ⊢P▹Δ, P is globally progressing, and for all j∈J either nj=sj or Γ⊢P▹Δ connects nj with sj.
By Figure 2, the derivation of Γ⊢P▹Δ starts with some applications of Rule Par that split the judgement into Γ⊢Pk▹Δk and Γ⊢Pi▹Δi for all i=k such that Δ is the disjoint union of Δk and all Δi.
By Rule Cond, then Γ⊢Pk1▹Δk and Γ⊢Pk2▹Δk.
By Rule Par, then Γ⊢Pk1∣(∏i∈I∖{k}Pi)▹Δ and Γ⊢Pk2∣(∏i∈I∖{k}Pi)▹Δ.
Then (Pk1∣(∏i∈I∖{k}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J and (Pk2∣(∏i∈I∖{k}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J.
If a process is well-typed w. r. t. a set of types containing a communication guarded global type and that communication guard is according to the interaction type system of [2] not dependent on another session, then it contains a corresponding sender and receiver that are guarded only by conditionals.
Case 6 preserves well-typedness but may introduce superfluous input branches that are not matched by the global type Gn of the continuation of this communication guard.
Because of Rule Get, the type system abstracts from such superfluous branches of receivers.
Lemma 16 (Case 6)
If ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J, none of the Cases 3, 4, or 5 can be applied, there is l∈J such that the session sl is initialised, Gl=r1→r2:{lk⟨U~k⟩.Gl,k}k∈K′, and this communication does not depend on another session, then there are m,o∈I, n∈K and K⊆K′ such that every conditional branch of Pm is a version of s[r1,r2]!ln⟨e~⟩.Q, every conditional branch of Po is a version of s[r2,r1]?{lk(x~k).Qk}k∈K′,
and (Qn{\nicefracx~n@s[r]x~n}∣Q∣(∏i∈I∖{m,o}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J∖{l}∪{(Gl,k,sl)}.
Proof
Assume that P=∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J, none of the Cases 3, 4, or 5 can be applied, there is l∈J such that the session sl is initialised, Gl=r1→r2:{lk⟨U~k⟩.Gl,k}k∈K′, and this communication does not depend on another session, i. e., there are Γ,Δ such that P is role-distributed, {Gj}j∈J are the global types in Γ, Δ is coherent w. r. t. {(Gj,nj)}j∈J, Γ⊢P▹Δ, P is globally progressing, and for all j∈J either nj=sj or Γ⊢P▹Δ connects nj with sj.
By Figure 2 and coherence, then there is a such that {s[r]:Gl↾r∣r∈r(Gl)}⊆Δ and a:Gl⟨sl⟩∈Γ or a:Gl∈Γ, where we have sl[r1]:[r2]!{lk⟨U~k⟩.(Gl,k↾r1)}k∈K for role r1 and sl[r2]:[r1]?{lk⟨U~k⟩.(Gl,k↾r2)}k∈K for role r2.
By the Lemmata 1 and 8 and since this communication does not depend on another session, then there are m,o∈I, n∈K, K⊆K′ such that every conditional branch of Pm is a version of Pm′=sl[r1,r2]!ln⟨e~⟩.Q and every conditional branch of Po is a version of Po′=sl[r2,r1]?{lk(x~k).Qk}k∈K′.
By Figure 2, the derivation of Γ⊢P▹Δ starts with some applications of the Rules Par and Cond to split the judgement into Γ⊢Pm′▹sl[r1]:[r2]!{lk⟨U~k⟩.(Gl,k↾r1)}k∈K, Γ⊢Po′▹sl[r2]:[r1]?{lk⟨U~k⟩.(Gl,k↾r2)}k∈K, and Γ⊢Pi▹Δi for all m=i=o.
By the Rule Send and n∈K, then the judgement for m implies Γ⊢Q▹sl[r1]:Gl,n↾r1.
By Lemma 2, with the Rule Get and n∈K, then Γ⊢Qn{\nicefracx~n@sl[r2]x~n}▹s[r2]:Gn↾r2.
By Definition 3, then Gl↾ri is similar to Gl,n↾ri except for unnecessary branches of receivers for all m=i=o.
By Rule Get, then Γ⊢Pi▹Δi implies Γ⊢Pi▹Δi′ for all m=i=o, where Δi′=Δi or Δi=sl[ri]:Gl↾ri and Δi′=sl[ri]:Gl,n↾ri.
Since P is role-distributed, so is (Qn{\nicefracx~n@sl[r2]x~n}∣Q∣(∏i∈I∖{m,o}Pi)).
By the Rules Par and Cond, then (Qn{\nicefracx~n@sl[r2]x~n}∣Q∣(∏i∈I∖{m,o}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J∖{l}∪{(Gl,k,sl)}.
Well-typedness w. r. t. a parallel global type implies that the respective system can be separated into two parallel partitions.
When considering the interleaving of several sessions, this separation is possible if the two partitions do not share actors.
Lemma 17 (Case 7a)
If ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J and there are some J1,J2 such that J1∪J2=J, J1∩J2=∅, and there are no dependencies between the sessions in J1 and the sessions in J2 then there are I1,I2 such that I1∪I2=I, ⋃i∈Ikact(Pi)={sj[r]∣j∈Jk∧r∈r(Gj)}, and {Pi}i∈Ik is well-typed w. r. t. {(Gj,sj)}j∈Jk for all k∈{1,2}.
Proof
Assume that ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J and there are some J1,J2 such that J1∪J2=J, J1∩J2=∅, and there are no dependencies between the sessions in J1 and the sessions in J2, i. e., there are Γ,Δ such that P is role-distributed, {Gj}j∈J are the global types in Γ, Δ is coherent w. r. t. {(Gj,nj)}j∈J, Γ⊢P▹Δ, P is globally progressing, and for all j∈J either nj=sj or Γ⊢P▹Δ connects nj with sj.
By Figure 2, then the derivation of Γ⊢P▹Δ starts with Rule Par that splits the judgement into parallel components.
Then, there are I1,I2 such that I1∪I2=I and ⋃i∈Ikact(Pi)={sj[r]∣j∈Jk∧r∈r(Gj)} for all k∈{1,2}.
Then, there are Δ1,Δ2 such that Δ=Δ1⊗Δ2, Γ⊢∏i∈I1Pi▹Δ1, and Γ⊢∏j∈I2Pj▹Δ2.
Since Δ is coherent w. r. t. {(Gj,sj)}j∈J and the actors of the partitions are distinct, Δk is coherent w. r. t. {(Gj,sj)}j∈Jk for k∈{1,2}.
Hence, {Pi}i∈I1 is well-typed w. r. t. {(Gj,sj)}j∈J1 and {Pi}i∈I2 is well-typed w. r. t. {(Gj,sj)}j∈J2.
If a system is well-typed w. r. t. a set of types containing a parallel global type then the actors of these two parallel types are separated such that we can replace the session channel for one side (Case 7b).
Accordingly we strengthen Case 7b to:
-
-
(b)
SGP′({Pi′}i∈I1∪{Pi}i∈I2,{(Gk1,s),(Gk2,sk)}∪{(Gj,sj)}j∈J),
else if there are k∈J, I1,I2 such that Gk=Gk1,Gk2, I1∪I2=I, I1∩I2=∅, {Pi}i∈I1 implements all actors of (Gk1,sk) but no actor of (Gk2,sk), and Pi′ is obtained from Pi by substituting or alpha converting sk by some fresh s.
Note that the result of the algorithm, i. e., the SGP-process, does not contain session channels.
Because of that, the above modification of Case 7b does not change the result of the algorithm.
We use it only for the proof.
Lemma 18 (Case 7b)
If ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J, none of the Cases 3, 4, or 5 can be applied, and there is k∈J such that Gk=Gk1,Gk2 then there are I1,I2 such that I1∪I2=I, I1∩I2=∅, {Pi}i∈I1 implements all actors of (Gk1,sk) but no actor of (Gk2,sk), and Pi′ is obtained from Pi by substituting or alpha converting sk by some fresh s, and {Pi′}i∈I1∪{Pi}i∈I2 is well-typed w. r. t. {(Gk1,s),(Gk2,sk)}∪{(Gj,sj)}j∈J.
Proof
Assume that P=∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J, none of the Cases 3, 4, or 5 can be applied, and there is k∈J such that Gk=Gk1,Gk2, i. e., there are Γ,Δ such that P is role-distributed, {Gj}j∈J are the global types in Γ, Δ is coherent w. r. t. {(Gj,nj)}j∈J, Γ⊢P▹Δ, P is globally progressing, and for all j∈J either nj=sj or Γ⊢P▹Δ connects nj with sj.
Since P is role-distributed, there are I1∪I2=I such that ∏i∈I1Pi is role-distributed, ∏j∈I2Pj is role-distributed, ⋃i∈I1act(Pi)∩act(Gk)=act(Gk1), and ⋃j∈I2act(Pj)∩act(Gk)=act(Gk2).
By Figure 2, then the derivation of Γ⊢P▹Δ starts with Rule Par that splits the judgement into parallel components.
Then there are Δ1,Δ2 such that Δ=Δ1⊗Δ2, Γ⊢∏i∈I1Pi▹Δ1, and Γ⊢∏j∈I2Pj▹Δ2.
Let s be fresh.
Since we removed already all top-level restrictions with Case 3, sk is free in P.
Then, Γ{\nicefracssk}⊢∏i∈I1Pi{\nicefracssk}▹Δ1{\nicefracssk}.
By Rule Par, then Γ′⊢P▹Δ′, where Γ′=Γ,a1:Gk1⟨s⟩,a2:Gk2⟨sk⟩ for some fresh a1,a2 and Δ′=Δ1{\nicefracssk}⊗Δ2.
Since Δ is coherent w. r. t. {(Gj,nj)}j∈J and the actors of the partitions are distinct, Δ′ is coherent w. r. t. {(Gk1,s),(Gk2,sk)}∪{(Gj,nj)}j∈J.
Hence, {Pi′}i∈I1∪{Pi}i∈I2 is well-typed w. r. t. {(Gk1,s),(Gk2,sk)}∪{(Gj,sj)}j∈J.
Case 9 maps the communication partners of a session invitation on an empty value update.
It preserves well-typedness in its recursive call w. r. t. the same global types.
By Lemma 8, if one of the necessary prefixes for a session invitation is unguarded and this invitation is according to the interaction type system of [2] not dependent on another session then all other necessary prefixes are composed in parallel and are guarded by conditionals only.
Lemma 19 (Case 9)
If ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J, l∈J, none of the Cases 3, 4, or 5 can be applied, the session sl is not initialised, and this session initialisation does not depend on another session then there are k1,…,kn∈I such that every conditional branch of Pk1 is a version of a[2..n](s).P1′, every conditional branch of Pk2 is a version of a(s[2]).P2′, …, every conditional branch of Pkn is a version of a(s[n]).Pn′, and {P1′,…,Pn′}∪{Pi}i∈I∖{k1,…,kn} is well-typed w. r. t. {(Gj,sj)}j∈J.
Proof
Assume ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J, l∈J, none of the Cases 3, 4, or 5 can be applied, the session sl is not initialised, and this session initialisation does not depend on another session, i. e., there are Γ,Δ such that P is role-distributed, {Gj}j∈J are the global types in Γ, Δ is coherent w. r. t. {(Gj,nj)}j∈J, Γ⊢P▹Δ, P is globally progressing, and for all j∈J either nj=sj or Γ⊢P▹Δ connects nj with sj.
By coherence and since there is no dependency to other sessions, there are k1,…,kn∈I such that every conditional branch of Pk1 is a variant of a[2..n](s).P1′, every conditional branch of Pk2 is a variant of a(s[2]).P2′, …, every conditional branch of Pkn is a variant of a(s[n]).Pn′.
By the Rules If-T, If-F, and Link of Figure 1, P⟼∗(νsl)(∏i∈{k1,…,kn}Pi′∣∏i∈I∖{k1,…,kn}Pi).
By Lemma 5, Lemma 6, and since only conditionals and a session initialisation is performed in these steps, then (νsl)(∏i∈{k1,…,kn}Pi′∣∏i∈I∖{k1,…,kn}Pi) is well-typed w. r. t. {(Gj,sj)}j∈J.
By Lemma 12, then {P1′,…,Pn′}∪{Pi}i∈I∖{k1,…,kn} is well-typed w. r. t. the types {(Gj,sj)}j∈J.
Finally, we prove Theorem 2 of [13]:
If P is well-typed w. r. t. {(Gj,sj)}j∈J then the abstraction SGP′({P},{(Gj,sj)}j∈J) is defined and returns a SGP-process.
Proof (Proof of Theorem 2 of [13])
Assume P is well-typed w. r. t. {(Gj,sj)}j∈J.
We proceed with an induction over the set {(Gj,sj)}j∈J and the structure of the types in this set (Definition 1).
Case of J=∅:
By Case 1a, then SGP′({Pi}i∈I,{(Gj,sj)}j∈J) is defined and returns 0.
Case of J=J1∪J2, J1∩J2=∅, and J1,J2 are independent:
By Lemma 17, then there are I1,I2,k∈{1,2} such that I1∪I2=I, ⋃i∈Ikact(Pi)={sj[r]∣j∈Jk∧r∈r(Gj)}, and the composition {Pi}i∈Ik is well-typed w. r. t. {(Gj,sj)}j∈Jk.
Since the two parts do not share actors and we indicate input variables with actors, S1 and S2 are independent.
By the induction hypothesis, then both SGP′({Pi}i∈Ik,{(Gj,sj)}j∈Jk) for k∈{1,2} are defined and return the SGP-processes S1 and S2.
By Case 7a, then SGP′({Pi}i∈I,{(Gj,sj)}j∈J) is defined and returns S1∥S2.
Case of Gl=r1→r2:{li⟨U~i⟩.Gi}i∈I with l∈J and Gl is independent:
By the Lemmata 12, 13, 14, and 19, the mapping can remove restrictions, split parallel compositions, unfold recursions, and initialise the session sl of Gl of the process without altering the global types or violating well-typedness.
Let ∏i∈IPi be the result of these cases such that ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J.
By Lemma 16, there are m,o∈I, n∈K and K⊆K′ such that in every conditional branch of Pm there is a version of Pm′=sl[r1,r2]!ln⟨e~⟩.Q and in every conditional branch of Po there is a version of Po′=sl[r2,r1]?{lk(x~k).Qk}k∈K′.
By Lemma 15, all conditionals that guard either Pm′ or Po′ can be mapped on SGP-conditionals without violating well-typedness, where we possibly have to apply the Lemmata 12, 13, and 14 in between and the order of cases in Definition 11 allows to resolve exactly these conditionals before resolving the communication in Gl.
This is because the structure of Gl rules out the Cases 1a, 2, 7b, and 8, the fact that the communication that guards Gl is not dependent on another session rules out Case 9, and Case 6 becomes applicable as soon as all of these conditionals are resolved.
By Lemma 16, then (Qn{\nicefracx~n@sl[r2]x~n}∣Q∣(∏i∈I∖{m,o}Pi)) is well-typed w. r. t. {(Gj,sj)}j∈J∖{l}∪{(Gl,k,sl)}.
By Figure 2, all branches of the conditionals are well-typed w. r. t. {(Gj,sj)}j∈J∖{l}∪{(Gl,k,sl)}, i. e., we unguard versions of Pm′ and Po′—that may differ in their labels but only implement labels that are specified in the type—in all branches.
By the induction hypothesis, then
SGP′(P,G) with P={Qm{\nicefracx~m@sl[r2]x~m},Q}∪{Pi}i∈I∖{m,o} and G={(Gj,sj)}j∈J∖{l}∪{(Gl,k,sl)} is defined and returns a SGP-process S′ for each of these branches.
Let S be the result of putting the respective version of x~m@sl[r2]:=e~.S′ in the respective branch of the generated SGP-conditionals.
By the Cases 6 and 10, then SGP′({Pi}i∈I,G) is defined and returns S.
Case of Gl=G1,G2 with l∈J:
By the Lemmata 12, 13, and 14, the mapping can remove restrictions, split parallel compositions, and unfold recursions of the process without altering the global type or violating well-typedness.
Let ∏i∈IPi be the result of these cases such that ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J.
By Lemma 18, then there are I1,I2 such that I1∪I2=I, I1∩I2=∅, {Pi}i∈I1 implements all actors of (Gk1,sk) but no actor of (Gk2,sk), and Pi′ is obtained from Pi by substituting or alpha converting sk by some fresh s, and {Pi′}i∈I1∪{Pi}i∈I2 is well-typed w. r. t. {(Gk1,s),(Gk2,sk)}∪{(Gj,sj)}j∈J.
By the induction hypothesis, then SGP′(P,G) with P={Pi′}i∈I1∪{Pi}i∈I2 and G={(Gk1,s),(Gk2,sk)}∪{(Gj,sj)}j∈J is defined and returns a SGP-process S.
By Case 7b, then SGP′({Pi}i∈I,{(Gj,sj)}j∈J) is defined and returns S.
Case of Gl=(μtl)Gl′ with l∈J:
By the dependency relation, the loops of different interleaved session are unified, i. e., by performing the other cases we can reduce the types such that Gj=(μtj)Gj′ for all j∈J.
By the Lemmata 12, 13, 14, and 19 the mapping can remove restrictions, split parallel compositions, unfold recursions, and initialise sessions of the process without altering the global type or violating well-typedness.
Let ∏i∈IPi be the result of these cases such that ∏i∈IPi is well-typed w. r. t. {(Gj,sj)}j∈J.
Since type variables are bound and guarded in global types, Gl can reduce to a type variable only after Case 8 has introduced a SGP-recursion.
Note that neither Case 8 nor Case 2 introduce requirements on the considered process.
Unfortunately, the arguments of the recursive call of Case 8 do not preserve well-typedness, i. e., {Pi}i∈I is not well-typed w. r. t. {(Gj′,sj)}j∈J, because we removed the recursion binder from the type but not the system.
By Figure 2, {Pi}i∈I will behave as required by {(Gj′,sj)}j∈J until {(Gj′,sj)}j∈J is reduced to G={tj}j∈J and, thus, there are Pi′ such that {Pi′}i∈I is well-typed w. r. t. {(Gj′,sj)}j∈J.
By the induction hypothesis, then SGP′({Pi′}i∈I,{(Gj′,sj)}j∈J) is defined and returns a SGP-process S.
By Definition 11, the mapping will follow the structure of {(Gj′,sj)}j∈J to reduce the system until {(Gj′,sj)}j∈J is reduced to G and then Case 2 will ignore the remainder of the system.
Thus, the mapping considers only the parts of {Pi}i∈I that are already captured in {Pi′}i∈I, i. e., we have SGP′({Pi}i∈I,{(Gj′,sj)}j∈J)=SGP′({Pi′}i∈I,{(Gj′,sj)}j∈J)=S.
By Case 8, then SGP′({Pi}i∈I,{(Gj,sj)}j∈J) is defined and returns (μXG)S.
Case of Gl=t with j∈J:
By the dependency relation, the loops of different interleaved session are unified, i. e., by performing the other cases we can reduce the types such that Gj=tj for all j∈J.
By Case 2, then SGP({Pi}i∈I,{(Gj,sj)}j∈J) is defined and returns XG with G={tj}j∈J.
Case of Gl=end with l∈J:
By Lemma 11, then P contains no communication prefixes on sk and cannot invite the session sk.
Then, {Pi}i∈I is well-typed w. r. t. {(Gj,sj)}j∈J∖{l}.
By the induction hypothesis, then we know that SGP′({Pi}i∈I,{(Gj,sj)}j∈J∖{l}) is defined and returns a SGP-process S.
By Case 1b, then SGP′({Pi}i∈I,{(Gj,sj)}j∈J) is defined and returns S.
Alpha conversion may influence the outcome of the mapping, i. e., P≡αP′ does not necessarily imply SGP∗({P},{(Gj,sj)}j∈J)=SGP∗({P′},{(Gj,sj)}j∈J), because the renaming of input bounded variables changes the names in the vector of the generated SGP-system.
Because of that, we assume in this section that no sequence of steps will use alpha conversion to rename input binders.
Apart from that, structural congruence does not influence this mapping, because of the Cases 3, 4, and 5.
Lemma 20
*Let G={(Gj,sj)}j∈J.
If SGP∗({P},G) is defined and P≡P′, where no alpha conversion is used to rename input binders, then SGP∗({P},G)=SGP∗({P′},G).*
Proof
Assume that SGP∗({P},G) is defined.
We proceed with an induction over the rules of structural congruence that are used to obtain P≡P′.
Case of Alpha Conversion:
In this case P≡αP′, i. e., P and P′ differ only by renamings of names used for restriction binders.
By Definition 11 and Lemma 12, then SGP′({P},G)=SGP′({P′},G).
Hence, SGP∗({P},G)=SGP∗({P′},G).
Case of Q∣0≡Q:
In this case P=Q∣0 and P′=Q.
By Definition 11, SGP′({P},G)=SGP′({Q,0},G)=SGP′({Q},G).
Then SGP∗({P},G)=SGP∗({P′},G).
Case of Q1∣Q2≡Q2∣Q1:
In this case P=Q1∣Q2 and P′=Q2∣Q1.
By Definition 11, then SGP′({P},G)=SGP′({Q1,Q2},G)=SGP′({P′},G).
Then, we have SGP∗({P},G)=SGP∗({P′},G).
Case of Q1∣(Q2∣Q3)≡(Q1∣Q2)∣Q3:
In this case P=Q1∣(Q2∣Q3) and P′=(Q1∣Q2)∣Q3.
Then SGP′({P},G)=SGP′({Q1,Q2,Q3},G)=SGP′({P′},G), because of Definition 11.
Then, SGP∗({P},G)=SGP∗({P′},G).
Case of (νs)(νs′)Q≡(νs′)(νs)Q:
In this case we have P=(νs)(νs′)Q and P′=(νs′)(νs)Q.
By Definition 11, then SGP′({P},G)=SGP′({Q},G)=SGP′({P′},G).
Then, we have SGP∗({P},G)=SGP∗({P′},G).
Case of (νs)0≡0:
In this case P=(νs)0 and P′=0.
By Definition 11, SGP′({P},G)=SGP′({0},G).
Then SGP∗({P},G)=SGP∗({P′},G).
Case of (μX)Q≡Q{\nicefrac(μX)QX}:
In this case we have P=(μX)Q and P′=Q{\nicefrac(μX)QX}.
Then SGP′({P},G)=SGP′({(μX)Q},G)=SGP′({Q{\nicefrac(μX)QX}},G), because of Definition 11.
Then, we have SGP∗({P},G)=SGP∗({P′},G).
Case of (νs)(Q1∣Q2)≡Q1∣(νs)Q2 if s∈/fn(Q1):
In this case P=(νs)(Q1∣Q2) and P′=Q1∣(νs)Q2.
By Definition 11, then SGP′({P},G)=SGP′({Q1,Q2},G)=SGP′({P′},G).
Finally, we have SGP∗({P},G)=SGP∗({P′},G).
Now we analyse how the original system and its sequentialisation into a SGP-system are related.
First we prove that SGP-systems introduce no new behaviour in Theorem 3 of [13]:
Let G={(Gj,sj)}j∈J.
If P is well-typed w. r. t. G then for all SGP∗({P},G)⟼S′ there exist P′,G′ such that P⟼P′, P′ is well-typed w. r. t. G′, and SGP∗({P′},G′)≡SS′.
Proof (Proof of Theorem 3 of [13])
Assume that P is well-typed w. r. t. G.
We proceed by an induction on the reduction rules that are used to derive the step SGP∗({P},G)⟼S′.
Case of Rule Ass:
In this case we have SGP∗({P},G)=⟨V;v~:=e~.S⟩ and S′=eval(⟨V(v~):=e~;S⟩).
By Lemma 16, then either v~:=e~.S is the empty assignment τ that resulted from mapping a session initialisation (Case 9) or this assignment is not empty and resulted from mapping a communication of an initialised session (Case 6).
Case of v~:=e~.S=τ.S:
Since the value assignment is unguarded,
[TABLE]
where we do not alpha-convert input binders but use alpha conversion to ensure that s is not contained in (s~∪bn(P1∣P2∣…∣Pn)∪n(Q)).
By Figure 1, then P⟼P′=(νs~)(νs)(P1∣P2∣…∣Pn∣Q), where we do again not alpha-convert input bounded names.
By the Lemmata 5 and 19, then P′ is well-typed w. r. t. G.
By Definition 11 and Theorem 1 of [13], then SGP∗({P′},G)=S′.
Case of v~:=e~.S=τ.S:
By Definition 11, Gl=r1→r2:{li⟨U~i⟩.Gl,i}i∈I for some l∈J and sl is minimal w. r. t. to the dependency relation. Since the value assignment is unguarded,
[TABLE]
with m∈I and I⊆J, where we do not alpha-convert input bounded names.
By Figure 1, then P⟼P′=(νs~)(P2,m{\nicefrace~x~m}∣P1∣Q), where we do again not alpha-convert input bounded names.
By the Lemmata 5 and 16, then (νs~)(P2,m∣P1∣Q) is well-typed w. r. t. the types G′={(Gj,sj)}j∈J∖{l}∪{Gl,m}.
By Definition 11 and Theorem 1 of [13], then we have SGP∗({P′},G′)=S′.
Case of Rule Par:
In this case S=⟨V;S1∥S2⟩, ⟨V;S1⟩⟼⟨V′;S1′⟩, and S′=⟨V′;S1′∥S2⟩.
By Definition 11, Lemma 17, and Lemma 18, then there are some Gsplit, I1∪I2=I, J1∪J2=Jsplit such that G′={(Gj′,sj)}j∈Jsplit results from G by applications of Case 7b, J1∩J2=∅, P≡(νs~)(P1∣P2), act(Pk)={sj[r]∣j∈Jk∧r∈r(Gj′)}, and SGP′({Pk},{(Gj′,sj)}j∈Jk)=Sk for k∈{1,2}.
By the induction hypothesis, SGP′({P1},{(Gj′,sj)}j∈J1)=S1 and ⟨V;S1⟩⟼⟨V′;S1′⟩ imply that there are P1′,G1′ such that P1⟼P1′, P1′ is well-typed w. r. t. G1′, and SGP∗({P1′},G1′)≡S⟨V′;S1′⟩.
By Figure 1, then P⟼P′=(νs~)(P1′∣P2), where we do not alpha-convert input bounded names.
By the Lemmata 5, 12, and 13, then P′ is well-typed w. r. t. G′=G1′∪{(Gj′,sj)}j∈J2.
By Definition 11 and Theorem 1 of [13], then SGP∗({P′},G′)≡SS′.
Case of Rule If-T:
In this case we have S=⟨V;if cmissing then S1 else S2⟩ and S′=⟨V;S1⟩.
By Definition 11, then P≡(νs~)(if c then P1 else P2∣Q), where substitutions of variables to indicate their actor in Case 6 do not change c because the conditional is unguarded, i. e., not under an input binder.
By Figure 1, then P⟼P′=(νs~)(P1∣Q), where we do not need to apply alpha conversion.
By the Lemmata 5 and 15, then P′ is well-typed w. r. t. G.
By Definition 11 and Theorem 1 of [13], then SGP∗({P′},G)=S′.
Case of Rule If-F:
This case is similar to the previous case.
Case of Rule Struc:
In this case S≡SS2, S2⟼S2′, and S′≡SS2′.
Let S2=⟨V;S2⟩.
By Lemma 2 and since ≡S⊆≡, then S2 is well-typed w. r. t. G.
By the induction hypothesis, then there are P′,G′ such that P⟼P′, P′ is well-typed w. r. t. G′, and SGP∗({P′},G′)≡SS2′.
Because of S′≡SS2′, then SGP∗({P′},G′)≡SS′.
We define a reduction semantics for global types in Figure 3, where we equate global types by the rules: (end,G)=G=(G,end) and (μt)G=G{\nicefrac(μt)Gt}.
We show that well-typed processes can follow the reductions of global types.
Lemma 21
Let G={(Gj,sj)}j∈J, l∈J, and let Gl be guarded by a communication that does not depend on another session.
If P is well-typed w. r. t. G and Gl⟼Gl′ then there is some P′ such that G′={(Gj,sj)}j∈J∖{l}∪{Gl′}, SGP∗({P},G)⟼∗SGP∗({P′},G′), P⟼∗P′, and P′ is well-typed w. r. t. G′.
Proof
Assume that P is well-typed w. r. t. G and Gl⟼Gl′ for some l∈J and the communication that is reduced in Gl⟼Gl′ does not depend on another session.
We proceed by an induction on the reduction rules of Figure 3 that are used to obtain Gl⟼Gl′.
Case of Rule Com:
In this case Gl=r1→r2:{li⟨U~i⟩.Gl,i}i∈I, j∈I, and Gl′=Gl,j.
By the Lemmata 16 and 19, then P⟼∗≡(νs~)(P1∣P2∣P3) such that the steps only initialise sessions, m∈I, I⊆J, every conditional branch of P1 is a version of sl[r1,r2]!lm⟨e~⟩.Q, every conditional branch of P2 is a version of sl[r2,r1]?{li(x~i).Qi}i∈J, and (Qj{\nicefracx~m@sl[r2]x~j}∣Q∣Q) is well-typed w. r. t. G′={(Gj,sj)}j∈J∖{l}∪{Gl,j}.
Since P is well-typed w. r. t. G, then m=j.
By Definition 11, then SGP′({P},G) is such that every of its conditional branches contains a version of v~:=e~′.SGP′({Q∣Qj∣P3},G′).
By the reduction semantics, then we can reduce the guarding conditionals and the value assignment in the respective branch such that SGP∗({P},G)⟼∗S′=SGP∗({Qj{\nicefracx~m@sl[r2]x~j},Q,P3},G′).
Then, there is some P′ such that P⟼∗P′ initialises sessions, reduces the same conditionals, and then performs the communication step, i. e., we have P′≡(νs~)(Qj{\nicefrace~x~j}∣Q∣P3).
By Figure 2, then P′ is well-typed w. r. t. G′.
Since S′≡SSGP′({P′},G′), then SGP∗({P},G)⟼∗SGP∗({P′},G′).
Case of Rule Par-L:
In this case Gl=Gl1,Gl2, Gl1⟼Gl1′, and Gl′=Gl1′,Gl2.
By Lemma 18, then P≡(νs~)(P1∣P2) such that r(Gl1)⊆r(P1), r(Gl2)⊆r(P2).
By Figure 1, then P⟼∗P′=P1′∣P2.
By Theorem 5 and Figure 2, then P′ is well-typed w. r. t. G′={(Gj,sj)}j∈J∖{l}∪{Gl1′,Gl2}.
By Definition 11 and the reduction semantics, then SGP∗({P},G)⟼∗SGP∗({P′},G′).
Case of Rule Par-R:
This case is similar to the case above.
The reverse direction of Theorem 3 of [13] does not hold.
Intuitively, a well-typed system and its sequentionalisation into a SGP-system have the same steps, but SGP-systems may force an order on steps that are unordered in the original system.
This happens for global types such as 1→2:l⟨N⟩.3→4:l⟨N⟩.end that combine causally unrelated communications sequentially.
Example 2
Consider the global type G=1→2:l⟨N⟩.3→4:l⟨N⟩.end that consists of two causally independent communications.
The system
[TABLE]
is a well-typed implementation of this global type.
The algorithm of Definition 10 maps this process to the SGP-system SGP∗(P,G)=⟨(x2,x4);S⟩, where S=τ.x2:=5.x4:=4.0.
The process P has, modulo structural congruence, two maximal runs
P$$P^{\prime}$$\left(\nu\mathsf{s}\right)\!\left(\mathsf{s}\!\left[\mathrm{3},\mathrm{4}\right]!\mathsf{l}\!\left<4\right>\!.\mathbf{0}\mid\mathsf{s}\!\left[\mathrm{3},\mathrm{4}\right]?\mathsf{l}\!\left(x\right)\!.\mathbf{0}\right)$$\left(\nu\mathsf{s}\right)\!\left(\mathsf{s}\!\left[\mathrm{1},\mathrm{2}\right]!\mathsf{l}\!\left<5\right>\!.\mathbf{0}\mid\mathsf{s}\!\left[\mathrm{2},\mathrm{1}\right]?\mathsf{l}\!\left(x\right)\!.\mathbf{0}\right)$$\mathbf{0}
where P′=(νs)(s[1,2]!l⟨5⟩.0∣s[2,1]?l(x).0∣s[3,4]!l⟨4⟩.0∣s[3,4]?l(x).0).
But the abstraction SGP∗(P,G) simulates only the sequence of steps at the top
[TABLE]
in that first process 2 receives the value 5—and the SGP-process accordingly updates the variable x2 of 2—and then 4 receives the value 4.
Nonetheless, we can show that each step of the original system can be completed into a sequence that can be simulated.
Assume a step P⟼P′ of the original system.
We need to find a way to simulate this step in the SGP-system.
Well-typedness of P ensures that the step P⟼P′ respects the specification, i. e., the global types, of this process.
Accordingly, either the types are not influenced by the step P⟼P′ or the step reduces some part of the global types.
In the first case, the step P⟼P′ is a session initialisation or reduces a conditional and is simulated by an empty value update or the corresponding reduction of a SGP-conditional.
If the step P⟼P′ reduces an unguarded part of one of its global types, i. e., performs a communication within a session, then it is simulated by the corresponding value updates in the SGP-system.
Otherwise, the situation is as described in Example 2, i. e., we have to find an extension P′⟼∗P′′ of the step P⟼P′ such that the sequence P⟼∗P′′ can be simulated by the SGP-system.
Therefore, we reduce all guards in the global types that are necessary to unguard the part of the global type that is reduced in the step P⟼P′ or that on that this guard depends.
By Lemma 21, P′ can reduce accordingly in a sequence P′⟼∗P′′.
The SGP-system can simulate steps of the global type by construction.
Thus, we can relate P′′ to the corresponding reduction of the SGP-system.
Theorem 4 of [13]:
Let G={(Gj,sj)}j∈J.
If P is well-typed w. r. t. G then for all P⟼P′ there exist P′′,G′′ such that P′⟼∗P′′, P′′ is well-typed w. r. t. G′′, and SGP∗({P},G)⟼∗SGP∗({P′′},G′′).
Proof (Proof of Theorem 4 of [13])
Assume that P is well-typed w. r. t. G and P⟼P′.
By Figure 1, P⟼P′ uses exactly one of the axioms:
Case of Rule Link:
In this case:
[TABLE]
By Definition 11, we have SGP′({P},G)=τ.SGP′({P1,…,Pn,Q},G) and we have SGP′({P′},G)=SGP′({P1,…,Pn,Q},G).
By reflexivity, P′⟼∗P′.
By Lemma 19, P′ is well-typed w. r. t. G.
By the reduction semantics, SGP∗({P},G)⟼SGP∗({P′},G).
Case of Rule Com:
In this case
[TABLE]
and j∈I.
By Definition 11, then SGP({P},G) maps this communication on a SGP-value-assignment but may guard it by other conditionals from P3 or value assignments due to communications in P3.
Note that, therefore, all these conditionals and communication prefixes have to be consecutively unguarded in the remainder of P3 and that the communications are captured in G.
By Figure 3 and Definition 11, then there exists Gl′′ such that Gl⟼∗Gl′′ for some l∈J reduces the communications in P3 that correspond to the value assignments that guard SGP-value-assignment x~j@s[r2]:=e~.SGP({P2,j{\nicefracx~j@s[r2]x~j},P1,P3′},G′′).
By Lemma 21, then there is some P′′ such that we have SGP∗({P},G)⟼∗SGP∗({P′′},G′′) and P⟼∗P′′.
Since well-typedness ensures that there are no conflicts and since s[r1,r2]!lj⟨e~⟩.P1∣s[r2,r1]?{li(x~i).P2,i}i∈I is reduced in both of the sequences P⟼P′ and P⟼∗P′′, then confluence implies that also P′⟼∗P′′.
Case of Rule If-T:
In this case P≡(νs~)(if c then P1 else P2∣P3) and P′≡(νs~)(P1∣P3).
By Definition 11, SGP′({P},G) maps this conditional on a SGP-conditional but may guard it by other conditionals from P3 or value assignments due to communications in P3.
Note that all these conditionals and communication prefixes have to be consecutively unguarded in the remainder of P3 and that the communications are captured in G.
By Figure 3 and Definition 11, then there exists G′′ such that Gl⟼∗Gl′′ reduces the communications in P3 that correspond to the value assignments that guard the SGP-conditional if cmissing then SGP′({P1,P3′},G′′) else SGP({P2,P3′},G′′), where G′′={(Gj,sj)}j∈J∖{l}∪{Gl′′}.
By Lemma 21, then there is P′′ such that SGP∗({P},G)⟼∗SGP∗({P′′},G′′) and P⟼∗P′′.
Since well-typedness ensures that there are no conflicts and since if c then P1 else P2 is reduced in both of the sequences P⟼P′ and P⟼∗P′′, then confluence implies that also P′⟼∗P′′.
Case of Rule If-F:
This case is similar to the case above.
Interestingly, the combination of Theorem 3 and Theorem 4 of [13] is similar to (weak) operational correspondence as it is introduced in [5] as criterion for the quality of encodings.
Encodings are mappings from a source language PS into a target language PT.
Definition 12 (Weak Operational Correspondence, [12])
An encoding
enc(⋅):PS→PT is weakly operationally corresponding w. r. t. RT if it is:
Complete:
∀S,S′.S⟼∗S′ implies (∃T.enc(S)⟼∗T∧(enc(S′),T)∈RT)
Weakly Sound:
∀S,T.enc(S)⟼∗T implies
(∃S′,T′.S⟼∗S′∧T⟼∗T′∧(enc(S′),T′)∈RT)
We observe that completeness is similar to Theorem 3 of [13] and weak soundness is similar to Theorem 4 of [13], but with the roles of the languages exchanged.
Accordingly, we change the above definition and use a weak variant of completeness.
Definition 13
An encoding enc(⋅):PS→PT is reversed weakly operationally corresponding w. r. t. RT⊆PT2 if it is:
Weakly Complete:
∀S,S′.S⟼∗S′ implies
(∃S′′,T′′.S′⟼∗S′′∧enc(S)⟼∗T′′∧(enc(S′′),T′′)∈RT)
Sound:
∀S,T.enc(S)⟼∗T implies (∃S′.S⟼∗S′∧(enc(S′),T)∈RT)
Then the mapping SGP∗(⋅,⋅) from well-typed processes into SGP-systems is reversed weakly operationally corresponding w. r. t. ≡S.
The paper [12] relates weak operational correspondence with so-called correspondence simulation.
Definition 14 (Correspondence Simulation, [12])
A relation R is a (weak reduction) correspondence simulation if for each (P,Q)∈R:
P⟼∗P′ implies ∃Q′.Q⟼∗Q′∧(P′,Q′)∈R
Q⟼∗Q′ implies ∃P′′,Q′′.P⟼∗P′′∧Q′⟼∗Q′′∧(P′′,Q′′)∈R
Two terms P,Q are correspondence similar, denoted as P≾Q, if a correspondence simulation relates them.
With a similar argumentation as in [12] to show that if enc(⋅) is weakly operationally corresponding w. r. t. a correspondence simulation then S≾enc(S), we conclude that if enc(⋅) is reversed weakly operationally corresponding w. r. t. a correspondence simulation then enc(S)≾S.
By the Theorems 3 and 4 of [13], then the sequentialisation of a system is correspondence similar to the system.
4 Examples
4.1 Toy Example
Similar to the two Buyer example of [8], we illustrate our approach by a small example of an auctioneer system consisting of an auctioneer A and two alternating bidders B1 and B2.
The two bidders alternate in offering bids towards the auctioneer and the auctioneer continues to inform the next bidder about the last bid until the current bid exceeds the maximum of one of the bidders.
As soon as one bidder refuses to offer another bid, the auctioneer informs the respective other bidder that the item was sold to him.
We illustrate the communication structure for the case that B2 wins the auction:
\mathrm{B1}$$\mathrm{A}$$\mathrm{B2}……bidlast bidbidlast bidnosold
Assume a program that implements such an auctioneer system.
An analysis of such a program may want to check e. g. whether the bidders indeed alternate in offering bids, i. e., no bidder is allowed or forced to bid twice without the other bidder in between, or whether no bid exceeds the internal maximum of a bidder, i. e., the amount that he or she is willing to pay.
The former property is clearly a property of the communication structure and can easily be checked with MPST.
The latter property, however, requires to analyse concrete data.
Since the maximum a bidder is willing to pay is some data that is specific to the bidder or may even be specific to a concrete run, this property does not fit into the set of static properties MPST were designed for.
We show that if one is willing to pay the price of verifying the communication structure of the program with MPST, one gets as a side-effect a massive reduction in checking properties about the state of the program, i. e., properties that require the consideration of concrete runs or concrete values of variables.
An important property that often requires the consideration of concrete runs or concrete values is termination.
MPST ensure progress for well-typed systems, i. e., there are no deadlocks and all runs of the system will follow its specification that is provided by the global type(s).
Progress immediately implies termination, if the considered system does not contain recursion.
But, as in our toy example, many algorithms to compute some value or some decision, rely on a loop that runs until a suitable value was found or a decision was made.
The progress property, that we can obtain by MPST for such cases, is a crucial argument for a proof of termination, but does not directly imply termination.
The presented method allows us to prove termination, by analysing the evolution of data in concrete runs, automatically and in an efficient way.
To provide a global type for our example of the auctioneer system, we use different labels to convey the intention of actions of the participants:
bid indicates a new bid,
no indicates that the bidder refuses to make another bid,
l precedes the forwarding of the last bid, and
s indicates that the item was sold.
Since the only kind of values that are transmitted in this protocol are bids, we use Int as only sort for integer values.
Let A=1 be the role of the auctioneer, B1=2 be the role of the first bidder, and B2=3 be the role of the second bidder.
The global type GAS describes the communication structure of this example from a global point of view.
Example 3 (Global Type of the Auctioneer System)
[TABLE]
An example of a well-typed implementation of the global type GAS of Example 3 is given below, i. e., PAS is well-typed w. r. t. GAS.
The names inc and max are place-holders for the actual functions and natural constants that are provided by Promela.
The functions incB1,incB2 are used by the respective bidder to increase the last bid and the constants maxB1,maxB2 denote the maximum a bidder is willing to pay.
Example 4 (Implementation of the Auctioneer System)
[TABLE]
To sequentialise the given implementation utilising our algorithm, let P be a process that is well-typed w. r. t. a global type G and S=SGP({P},G).
Then the corresponding SGP-system is SGP∗({P},G)=⟨V;S⟩, where V is the vector of names in S.
Accordingly, the auctioneer system PAS of Example 4 that is well-typed w. r. t. GAS in Example 3 translates into the SGP-system ⟨(bA,bB1,bB2);SAS⟩, where SAS=SGP({PAS},GAS) is given below.
Example 5 (Sequentialisation of the Auctioneer System)
[TABLE]
Since the causal relation of the communications of GAS in Example 3 is a total order, all properties that hold for SAS are also satisfied by PAS.
4.2 Translating SGP-Systems into Promela
To illustrate the verification of system properties, we use the model checker Spin [7, 6] and implement the SGP-system SAS in Example 5 using Promela, the input language of Spin.
Therefore, we provide an algorithm to translate a SGP-process into Promela code.
First we generate a preamble for the Promela program, i. e., declare variables and set their initial values.
The variables are obtained from the vector of variables V in a SGP-system ⟨V;S⟩.
Sometimes the initial values are directly specified by the implementation or are given as parameters of the implementation.
Otherwise, the developer has to pick suitable initial values respecting their respective sorts.
The preamble for SAS of Example 5 is given in Figure 4.
It introduces the three variables bA,bB1,bB2 of the knowledge vector in our example and initialises them with [math].
Moreover, the preamble introduces five more variables that are used for the implementation and verification of the LTL-Formula that specify the properties we want to check.
We provide in [13] an algorithm for the translation of SGP-processes into Promela but expect that the desired properties are already specified as LTL-Formula.
Figure 5 presents the Promela implementation of SAS from Example 5.
Following the translation into Promela of [13], first a proctype with the name Model is introduced.
The τ at the beginning of SAS that resulted from the translation of the session initialisation is translated to skip.
Then there are two subsequent value updates on bA and bB2 that precede the loop.
The loop is introduced by declaring its recursion variable LX.
Then the if-then-else statements with their respective value updates follow.
Another instance of the loop is generated by goto LX, whereas goto LEnd terminates the program by jumping to its end.
In addition Figure 5 declares the domains of the variables incB1, incB2, maxB1, and maxB2.
Note that these variables were not specified by the implementation in PAS of Example 4 and thus are not provided by SAS.
The variables incB1 and incB2 denote the value by that bidders increment the last bid.
The domain 1..10 tells us, that this value to increment the last bid is chosen non-deterministically between 1 and 10.
The variables maxB1 and maxB2 specify the internal maximum a bidder is willing to pay.
We use arbitrary values between 50 and 100.
Similar to the initial values of the variables in the knowledge vector of SAS, we expect that the developer provides suitable domains.
4.3 Analysing the Properties of Implementations
Finally, the developer has to add to the Promela program the LTL-formula for the properties that he or she is interested in.
We add the following six LTL-formulae, where Figure 6 presents their Promela representation:
[TABLE]
These formulae have following meanings:
-
there exists one state from which onward all participants always have the same bid value,
2. 2.
the bidder always bid higher than the other one until both have always the same bid,
3. 3.
the auctioneer has always the same bid as one bidder,
4. 4.
only one process can win the auction,
5. 5.
the winner did not bid more than its limit, and
6. 6.
eventually one bidder will win.
As checked by SPIN, only Property P3 is not satisfied.
This is because only one variable assignment can happen at any time, thus updating two variables to a new value would take at least two steps.
More precisely, Property P3 is violated then the auctioneer receives a new bid.
If A receives a bid from B2 then bA is updated with the value incB2+bB2.
In the next step, the variable bB1 is updated with bA which restores Property P3.
But in between these two value updates the value of bA is neither equal to bB2 (unless incB2=0) nor equal to bB2.
Above we validated some interesting properties of our toy example such as that no bidder exceeds its internal maximum (Property P5) or termination (Property P6).
Does that means, that our implementation is a good implementation of the auctioneer algorithm?
Unfortunately, this is not so easy.
Consider a malicious bidder B2 that instead of increasing the bid always resubmits the last bid of B1.
This way the chances to win the auction, if the internal maxima of the two bidders are close, is significantly increased by B2 in a very unfair way.
Moreover, if B2 is willing to pay more, i. e., if he or she is supposed to win the auction, than this strategy ensures that the bid of B2 also stays below the limit of B1, i. e., reduces the amount of money B2 needs to pay.
Obviously, this behaviour is malicious and should be rejected by the auctioneer.
To implement this malicious behaviour it suffices to instantiate incB2 with [math].
This kind of malicious behaviour is detected by the properties in Figure 6.
More precisely, by setting incB2=0, the Property P2 is violated.
Thus, we can detect that there are implementations of this algorithm, that are not acceptable.
We can now use this knowledge to improve the specification.
Indeed we observe, that in our specification GAS in Example 3, the auctioneer does not decide anything, i. e., this specification does not provide the communication structure that the auctioneer need to check the validity of bids and to reject them.
We provide a revised version of this auctioneer system, where the auctioneer checks the validity of the bids and rejects a bid that was not valid.
Example 6 (Global Type of the Revised Auctioneer System)
[TABLE]
Here, the auctioneer can send two kinds of messages, i. e., initiates a branching, after receiving a bid.
Either the auctioneer considers the bid as valid and forwards it to the respective other role using a message with label l—as we already encountered in the previous example.
Or the auctioneer detects an invalid bid and transmits a message with the label r, signalling the bidder that the bid was rejected and, hence, that the other bidder won the auction.
4.4 Promela
In Example 6 we present GRAS; a revised version of the global type of our toy example.
The Promela implementation of this global type is presented below.
Note that the differences between the Figure 5 and the code below reflect the additional choice implemented by the auctioneer that allows him to reject invalid bids.
Due to the interleaving of independent actions, the state space of a concurrent system is in the worst case exponentially larger than of its sequentialisation.
As an example, we implemented the Needham-Schroeder public key protocol with 10 pairs of processes that interact with the same server.
Next we present the Promela implementation of the implementation of its sequentialisation.