Noname manuscript No. (will be inserted by the editor)

A semantic deconstruction of session types Massimo Bartoletti · Alceste Scalas · Roberto Zunino

the date of receipt and acceptance should be inserted later

Keywords concurrency, session types, contracts Abstract Session types are a well-established typing discipline for verifying that a process correctly implements a structured protocol (i.e., a session). Their main property is that typed processes “never go wrong”: they interact correctly, without communication mismatches. In this paper, we revisit the theory of session types starting from their semantic foundations, with the goal of capturing and generalising their underlying notions of “correct interaction” and “safe process substitution”. We develop a unified semantic framework based on labelled transition systems, encompassing session types and more general behaviours, endowed with both synchronous and asynchronous (i.e., buffered) semantics. In this framework, we formalise the notion of “correct interaction” by introducing the I/O compliance and safety relations: I/O compliance refines the notion of progress between behaviours, while safety is inspired by Communicating Finite State Machines. We prove that I/O compliance and safety coincide on session types (both synchronous and asynchronous), and that they are preserved when passing from synchronous to asynchronous semantics. We then study two preorders between behaviours, aimed at safe process substitution: the standard semantic subtyping, and the novel I/O simulation. The latter generalises the usual syntax-directed notions of typing Massimo Bartoletti Universit` a di Cagliari E-mail: [email protected] Alceste Scalas Universit` a di Cagliari and Imperial College London E-mail: [email protected] Roberto Zunino Universit` a di Trento E-mail: [email protected]

and subtyping on session types, and it coincides with semantic subtyping on synchronous session types. We show that such preorders are preserved (under suitable conditions) when passing from synchronous to asynchronous semantics. Finally, we exploit the semantic properties of I/O simulation and compliance to construct a syntax-driven type system, combining typical session typing rules with a more flexible handling of buffered communication. Notably, we derive the type system correctness without an explicit subject reduction result, by relying instead on the general properties of I/O simulation and compliance.

1 Introduction Session typing is a well-established approach to the design of concurrent applications [50, 51,53,72]. In a nutshell, a (binary) session type specifies a communication protocol, and dictates how two components are expected to interact through a bi-directional communication channel. The structure of the resulting interaction, called session, includes choices and recursion. In order to guarantee correct interaction, each endpoint of the channel is associated with a session type, so that the two endpoint types are compliant. Intuitively, this means that whenever one endpoint sends some data, the other endpoint is able to receive it — and conversely, whenever one endpoint expects to receive some data, the other one is willing to send something. While a session type specifies the interaction protocol between two components, the actual implementation of a component is represented by a process, usually formalised in a dialect of the π-calculus [60, 71]. The correspondence between a session type T and a process P can be statically established by a type system,

2

M. Bartoletti, A. Scalas, R. Zunino

i.e. a set of syntax-driven rules that relate processes with types. Intuitively, the process P is typeable when it is possible to construct a proof of ` P : T , for some T , using the typing rules. If P is typeable, then its runtime interactions will respect those statically described by T . As a consequence, if both processes at the endpoints of a session type-check, and their types are compliant, then the interaction between the processes is deadlock-free. Another relation typically studied in the session types community is that of subtyping: the desideratum is that if a session type T is subtype of U , and we have two processes P , Q such that ` P : T and ` Q : U , then P can safely “replace” Q: i.e., any process that interacts correctly with Q will also interact correctly with P . Similarly to the typing relation, also the subtyping relation is typically defined through syntax-driven rules. Now, assume that both processes and types are endowed with an operational semantics, in the form of a Labelled Transition System (LTS), as usually done in concurrency theory [59]. In this perspective, it is tempting to interpret the syntactic typing/subtyping relations as semantic relations, that would only depend on the LTS of process P and the LTS of type T , disregarding their syntax. This would follow the tradition of observational equivalences and preorders between processes, initiated by the study on bisimulation [68,59], where the fundamental relations are given on arbitrary LTSs. This insight opens several research directions, that we discuss below. Question 1. Can we reason on session-based interactions in a language-independent way? When ` P : T holds, the relation between P and T may resemble a simulation: T simulates P iff, when` ` ever P → − P 0 , then T → − T 0 , for some T 0 which still 0 simulates P . To elaborate further on this idea, consider a session type T = !a ⊕ !b, which models an internal choice between two outputs !a and !b. Further, consider the process P = !a which just wants to output !a. Intuitively, the process P has type T , because any client who interacts correctly with T does so also with P . More concretely, assume that the processes P and T above are associated with the following LTSs: P

!a

T

τ

!a

τ

!b

We can observe that P is (weakly) simulated by T , in symbols P w T , because each move of P is matched by a (weak) move of T . This may suggest that weak simulation P w T is a suitable semantic counterpart of the (syntactic) typing relation ` P : T .

To assess this semantic notion of typing, let us consider another example. Let U = ?a & ?b be the type modelling an external choice between two inputs ?a and ?b, and let Q = ?a + ?b + ?c (where + is the standard CCS choice operator) be the process which allows for an additional input ?c. Intuitively, Q has type U : indeed, any client interacting correctly with U will send either !a of !b, and so it will interact correctly also with Q, since the process is able to receive those messages. Assume that Q and U are associated with the LTSs: ?a

Q

?a

?c

U

?b

?b

Differently from the previous example, we observe that Q is not weakly simulated by U (whereas the converse U w Q holds). This dismantles our idea of semantically interpreting the session typing relation as weak simulation. On the positive side, the two examples above seem to suggest that a semantical typing relation should treat input and output capabilities differently: it should be covariant w.r.t. outputs and contravariant w.r.t. inputs. Question 2. Can we devise new syntactic typing rules as instances of some general relation? A drawback of the syntax-driven approaches to session types is that they do not usually consider some common programming patterns for communication-oriented applications. For example, consider a server waiting some input which may not arrive on time. In Erlang [43], for instance, one can write: receive P1 -> Body1 . . . Pk -> Bodyk after 10 -> BodyT The receive statement is aborted if no messages matching P1 ,. . . ,Pk arrive within 10 milliseconds; in this case, BodyT is executed. Such a program blurs the distinction between internal/external choices. Intuitively, its LTS has the form: Body1

?P1 ?Pk τ

Bodyk BodyT

where the initial state has k input moves ?P1 , . . . , ?Pk , and an internal τ -move which abstracts the timeout. This pattern eludes the notion of structured programming at the roots of the session types approach [49,50]. However, the example above shows a use case that one would like to typecheck. This pattern cannot be usually

A semantic deconstruction of session types

written in session calculi (like e.g. in many works extending [49, 50]), since their grammar does not include τ -branches. Can a syntax-independent approach handle patterns like the one above? Question 3. Can we reason on synchronous and asynchronous interactions in a uniform semantic setting? Distributed components usually interact in an asynchronous fashion via FIFO buffers. Now, consider a type T = !a.?b, where ?b is fired after !a: the “natural” corresponding process is P = !a . ?b, which performs the expected actions in the same order. However, in an asynchronous setting, the sequentiality of the resulting interactions cannot be enforced: i.e., if P fires !a asynchronously, then it will immediately start waiting for ?b, without knowing whether !a is still buffered, or was actually received by the other endpoint. Hence, one might argue that the parallel composition P 0 = ?b | !a also conforms to T in the presence of asynchrony. Although many works on asynchronous session types relate P with T , they do not usually relate P 0 with T . How can we formalise the intuition that both P and P 0 correctly implement T , in the asynchronous setting? Question 4. Is there a language-independent notion of “correct” interaction? In the discussion so far, we relied on the intuition of a “correct” interaction between processes. This notion can be defined in different ways, depending on the calculus in use, and what is considered to be an error. In the realm of synchronous session types a typical notion of correct interaction is progress, which holds when two processes keep interacting until they terminatation [4, 6]. Instead, in the realm of asynchronous interactions, like e.g. in Communicating Finite State Machines (CFSM) [19], progress is too large, since it relates e.g. two machines which just send outputs without ever synchronising. In the asynchronous setting, correct interactions are usually defined in terms of the absence of orphan messages [56, 42,36] and unspecified reception configurations [34]. Can we achieve, in the semantic framework we are envisioning, a general notion of “correct” interaction which is coherent with the usual ones, both in the synchronous and in the asynchronous settings? Contributions. To address the questions above, we introduce a behavioural theory of (first-order) session types, which unifies the notions of typing and subtyping, in both the synchronous and asynchronous cases. We represent processes (called behaviours in this work) as states in an LTS whose labels are inputs, outputs, or τ -actions. We treat input and output labels in an asymmetric way, similarly to the semantics of CFSMs

3

and interface automata [3]. All the notions sought after in our questions are formalised as relations between behaviours, in a purely semantic fashion. To the best of our knowledge, ours is the first approach that extends session types theory to arbitrary behaviours in an LTS. Our theory unifies synchronous and asynchronous behaviours within the same semantic framework, by defining relations which can be applied to both settings. This allows us to obtain several results about the preservation of our relations when passing from synchronous to asynchronous semantics. More specifically, our main contributions are the following: – a unifying semantic framework wherein we give synchronous/asynchronous semantics to session types (Definition 2.9) and CCS (Definition 2.14). – a syntax-independent notion of “correct” interaction between behaviours, that we call I/O compliance (Definition 4.4). We prove that I/O compliance is stricter than progress, albeit coinciding with it on synchronous session types (Theorem 4.9). – a formalisation in our semantic setting of the notion of safety in CFSMs [56] (Definition 5.15). We prove that I/O compliance is stricter than safety (Theorem 5.17), and that the two relations are equivalent on asynchronous session types (Theorem 5.20). – preservation results showing that both I/O compliance and safety are preserved when passing from synchronous to asynchronous semantics of session types (Theorems 4.13 and 5.19). – a syntax-independent notion of refinement between behaviours, that we call I/O simulation (Definition 6.4). We show that it is an I/O compliancepreserving preorder (Theorems 6.10 and 6.12), and that is coincides with the semantic subtyping relation [27,44] on synchronous session types (Theorem 6.13). Under suitable conditions, I/O simulation is preserved when passing from synchronous to asynchronous semantics of session types (Theorem 6.20). – a syntax-driven session-type systems derived from the semantic properties of I/O simulation (Section 7). We show in Corollary 7.11 that the typing relation obtained in this way is stricter than I/O simulation. The main correctness property of our type system is stated in Theorem 7.14: in the asynchronous setting, if two CCS processes are typeable with I/O compliant session types, then also the processes are I/O compliant, and therefore they can safely interact. This result does not require a proof of subject reduction, but it only relies upon the soundness of the type system w.r.t. the I/O simulation relation, and on the general semantic properties of I/O simulation.

4

M. Bartoletti, A. Scalas, R. Zunino

We prove all our results either in the main text or in the appendix.

2 Behaviours We consider a labelled transition system (LTS) where labels are partitioned into internal, input, and output actions. We call it I/O LTS, and we refer to its states as behaviours. In Section 2.1 we introduce some basic relations and operators on behaviours. We then define the synchronous and asynchronous semantics of binary session types (Section 2.2) and of CCS (Section 2.3) in terms of I/O LTSs.

Definition 2.3 (Weak transitions). We define the rela-

`

Definition 2.4 (Weak barbs). We ⇒}. Sdefine p⇓ as {` | p= By extension, we define Q⇓ as q∈Q q⇓. Definition 2.5 (Weakly persistent inputs/outputs). ??a

!!a

We write p==⇒ (resp. p= ⇒) iff for all p0 , we have that 0 ?a

Definition 2.6 (Weakly persistent barbs). We define: ??a

We assume a universal I/O LTS, which includes all possible LTSs one can be interested in. We denote it as:  n o `τ U, Aτ , −→ `τ ∈ Aτ where: – U is the set of all behaviours (ranged over by p, q, . . .); – Aτ is the set of all labels; `τ – −→ ⊆ U × U is the transition relation. We partition Aτ into input actions A? = {?a, ?b, . . .}, output actions A! = {!a, !b, . . .}, and the internal action τ . We postulate an involution co(·) such that co(?a) = !a and co(!a) = ?a. Table 1 summarises the main syntactic categories and some notation. Hereafter, unless explicitly stated otherwise, we will always consider behaviours upto (label-preserving) isomorphism ∼ =. Notation 2.1. We write: – – – – –

`

`

τ τ p −→ when ∃p0 . p −→ p0 `τ p→ − when ∃`τ . p−→ ! !a p→ − q when ∃a . p − → p0 0 for any behaviour without outgoing transitions L? = L ∩ A? and L! = L ∩ A! , for all L ⊆ A

Definition 2.2 (Parallel composition of behaviours). For all p, q ∈ U, we define the parallel composition p k q as the behaviour in U with transitions given by the rules: `

τ q −→ q0

`

τ p k q −→ p k q0

τ p −→ p0 τ p k q −→ p0 k q

` `

co(`)

`

p→ − p0

q −−−→ q 0 τ

pkq − → p0 k q 0

We introduce below all the basic relations that will be used along the paper.

!a

p= ⇒ p0 implies p = ⇒ (resp. p0 = ⇒).

p⇓?? = {?a | p==⇒} 2.1 The I/O LTS

`

`

τ

τ τ tion = ⇒ as (− as = ⇒−→= ⇒. Given →)∗ , and the relation = ⇒ w a sequence of actions w = `1 , . . . , `n , we write = ⇒ for `1 `n ! ! ⇒→ −= ⇒, and for a set = ⇒ · · · =⇒. Further, we write = ⇒ for = `τ `τ 0 of behaviours Q, we write Q = ⇒ q iff ∃q ∈ Q . q = ⇒ q0 , 0 and similarly for Q = ⇒q.

and, by extension: T Q⇓?? = q∈Q q⇓??

!!a

p⇓!! = {!a | p= ⇒}

Q⇓!! =

T

q∈Q

q⇓!!

Definition 2.7 (Set transition relation). We write q V Q iff ∅ = 6 Q ⊆ {q 0 | q = ⇒ q 0 }. We write Q V Q0 iff ∀q 0 ∈ Q0 . ∃q ∈ Q . q = ⇒ q0 . Proposition 2.8 recalls inclusions between standard observational relations, where ∼/≈ stand for strong/weak bisimilarity, and w is weak similarity [59]. Proposition 2.8. ∼ = ( ∼ ( ≈ ( w. 2.2 Session types A session type abstractly describes the behaviour of a process interacting with other parties. Here we consider the simple case of binary session types, where only two parties are involved. Our formalisation slightly adapts (and extends to the asynchronous case) the one in [4]. L Formally, a session type is either ˘ an internal choice !a .T , an external choice i i i∈I i∈I ?ai .Ti , or a recursion. In an internal choice, the process can choose one of the branches (say, the i-th), fire the output (!ai ), and then proceed with the continuation Ti . In an external choice, instead, the branch is chosen by the context; the process waits until receiving an input (?ai ), and then continues as Ti . Empty choices (either internal or external) represent successful termination. Definition 2.9 (Session types). Session types are terms with the syntax: L ˘ recX T X T ::= i∈I ?ai .Ti i∈I !ai .Ti where (i) the set I is finite, (ii) actions in internal/external choices are pairwise distinct, and (iii) recursion is guarded. We omit the symbol ⊕/& in singleton choices. We write 0

A semantic deconstruction of session types

5

?a, ?b, . . . ∈ A? !a, !b, . . . ∈ A! A = A? ∪ A! co(·)

Input actions Output actions Set of I/O actions Involution of I/O actions

`, `0 , . . . ∈ A τ Aτ = A ∪ {τ } `τ , `0τ , . . . ∈ Aτ

Actions (visible labels) Internal action Set of labels Labels

`

!

τ − − → ,− →, − → = ⇒

UST UaST UaCCS p, q, r, . . . ∈ U T , U , V . . . ∈ UST T [σ ], U [ρ ], . . . ∈ UaST P [σ ], Q[ρ], . . . ∈ UaCCS P, Q, R, . . . ⊆ U

Transitions Weak τ transition

`τ

=⇒ ??a

U

p⇓ p⇓? , p⇓! p⇓?? , p⇓!!

Weak transition !!a

==⇒, =⇒ V

Weakly persistent I/O actions Set transition

Set of all behaviours: Sync session behaviours Async session behaviours Async CCS behaviours Behaviours Session types (sync) Session types (async) Async CCS behaviours Sets of behaviours

Weak barbs Weak I/O barbs Weakly persistent I/O barbs

∼ = ∼ ≈

w

Isomorphism Strong bisimilarity Weak bisimilarity Weak similarity

Table 1: Summary of notation. for the empty (internal/external) choice, and will usually omit its trailing occurrences. Unless otherwise specified, we assume session types to be closed, i.e. without free recursion variables.

Rule (TIntA) enqueues the selected output with a τ -move, while rule (TOutA) dequeues an output !a with a !a-transition. The rules (TExtA) and (TRecA) are similar to their synchronous counterparts.

We present a synchronous semantics for session types (Definition 2.10), and one asynchronous (Definition 2.11). In both cases, internal choices first commit to one of the branches !a.T before enabling !a, while external choices enable all their actions.

Example 2.12. Let T1 = !a.?b ⊕ !a0 .?b0 , and let T2 = ?a.(!b ⊕ !c). Their LTSs are shown in Figure 1 (note that the sync/async behaviours of T2 are isomorphic).

Definition 2.10 (Synchronous session behaviours). We denote with UST the set of behaviours of the form T , with transitions given by the rules: ˘

k∈I i∈I ?ak .Ti

k∈I

(TExt)

?ak

L

−−→ Tk

|I| > 1

i∈I !ai .Ti

τ

− → !ak .Tk

(TInt)

Proposition 2.13. UaST 6⊆6⊇ UST .

`

τ T [recX T/X ] −→ T0

(TOut)

!a

Similarly to [36], we adopt an equi-recursive view [69], by considering session types equivalent (denoted by the relation ≡) up-to unfolding of recursion (see Definition A.1 and Proposition A.2). Proposition 2.13 says that (up-to isomorphism) asynchronous session behaviours are not more general than synchronous ones, and vice versa: e.g., for the session types in Example 2.12, T1 6∈ UaST while T 1 [] 6∈ UST .

(TRec)

`

τ recX T −→ T0

!a.T − →T

For the asynchronous semantics, we consider behaviours of the form T [σ] where σ is a finite sequence of output actions, modelling an unbounded FIFO buffer. We denote with  the empty buffer, and with [!a.σ] a buffer with head !a and tail σ. Definition 2.11 (Asynchronous session behaviours). We denote with UaST the set of behaviours of the form T [σ], with transition given by the rules: k∈I
τ → Tk [σ .!ak ] i∈I !ai .Ti [σ] −

L

2.3 CCS We consider a fragment of CCS [59] without delimitations and relabelling, and we provide it with synchronous and asynchronous semantics. Definition 2.14. CCS terms have the syntax: P , Q, R, S ::= 0 `τ .P P + Q P | Q X µX P where recursion is guarded.

(TIntA)

!a

T [!a.σ] − → T [σ]

k∈I
?ak −→ Tk [σ] i∈I ?ai .Ti [σ] −

˘

(TExtA)

(TOutA)

Definition 2.15 (Synchronous CCS behaviours). We denote with UCCS the set of behaviours of the form P , with transitions given by the following rules (symmetric ones are omitted):

`

τ T [recX T/X ][σ] −→ T 0 [σ 0 ]

`

τ recX T [σ] −→ T 0 [σ 0 ]

`

(TRecA)

τ P −→ P0

`

`

`

`

τ P [µX P/X ] −→ P0

`

τ µX P −→ P0

τ P −→ P0

τ τ τ `τ .P −→ P P + Q −→ P 0 P | Q −→ P0 | Q

`

6

M. Bartoletti, A. Scalas, R. Zunino !a

?b

T1 [ ]

T1

τ

τ

?b

!a

τ

?b0

!a0

T2

!a0

?b0

∼ T2 [ ] =

τ !a0

!b

?b

!a

τ

?b0

?a

τ

!c

Figure 1: Three session behaviours. The synchronous semantics of CCS terms is standard, except that the operator | allows interleaving but not synchronisation, which instead is allowed by the LTSlevel operator k. Definition 2.16 (Asynchronous CCS behaviours). We denote with UaCCS the set of behaviours of the form P [σ], with transitions given by the following rules (symmetric ones are omitted): `τ ∈ {τ } ∪ A? `

τ (`τ .P ) [σ] −→ P [σ]

τ

(!a.P ) [σ] − → P [σ.!a]

`

τ P [µX P/X ][σ] −→ P 0 [σ 0 ]

`

τ µX P [σ] −→ P 0 [σ 0 ]

`

τ P [σ] −→ P 0 [σ 0 ]

`

τ (P + Q)[σ] −→ P 0 [σ 0 ]

!a

P [!a.σ] − → P [σ]

the session type !a ⊕ !b[σ] in UaST is encoded in UaCCS as the isomorphic behaviour !a + !b[σ], while ?a & ?b[σ] is encoded as ?a + ?b[σ]. Instead, ?a + !b in UCCS is not isomorphic to any session type in UST (due to the mixed choice between an input and an output), nor to any behaviour in UaCCS (because buffered semantics would introduce a τ -transition on the !b-branch). Moreover, ?a + τ in UCCS and ?a + τ [] in UaCCS are not isomorphic to any asynchronous session type in UST , nor in UaST (due to the choice between an input and an internal move without continuation). Finally, !a . ?b from UST is not isomorphic to any behaviour in UaCCS (because the buffered semantics of the latter do not allow the !a-transition to preempt the ?b-transition).

`

τ P [σ] −→ P 0 [σ 0 ]

`

τ (P | Q)[σ] −→ (P 0 | Q)[σ 0 ]

As in async session behaviours, an output !a is enqueued before it can be fired, and behaviours cannot read from their own buffers. In fact, in P [σ] k Q[σ 0 ] each behaviour reads from the other’s buffer. Example 2.17. The behaviour of !a.τ [] is shown as p1 in Figure 2 at page 8. Proposition 2.18 states that async CCS behaviours strictly include async session behaviours, while they do not include synch CCS, and synch session behaviours. Proposition 2.18. UaST ( UaCCS 6⊇ UCCS ) UST , and UaCCS 6⊆6⊇ UST and UCCS 6⊆ UaST . Session types can be encoded into CCS as follows. Definition 2.19. We define an encoding JK of session types into CCS terms as follows: qL y P JrecX T K = µX JT K i∈I !ai .Ti = i∈I !ai .JTi K q˘ y P JXK = X i∈I ?ai .Ti = i∈I ?ai .JTi K Proposition 2.20 states that, in the asynchronous semantics, a session type is isomorphic to its encoding. Proposition 2.20. T [] = JT K[].

Example 2.21. The session type !a ⊕ !b in UST is encoded in UCCS as the isomorphic behaviour τ .!a + τ .!b, while ?a & ?b is encoded as ?a + ?b. By Definition 2.19,

3 A motivating example: Alice and bartender We now introduce a running example, used throughout the paper. The following types describe the behaviours of a bartender (B), and of a customer Alice (A): UB = recX (?aCoffee.!coffee.X & ?aBeer.(!beer.X ⊕ !no.X) & ?pay) TA = !aCoffee.?coffee.!pay ⊕ !aBeer.(?beer.!pay & ?no.!pay)

The bartender presents an external choice &, allowing a customer to order either coffee or beer, or to eventually pay; in the first case, he will serve the coffee and then recursively wait for more orders; in the second case, he uses the internal choice ⊕ to decide whether to serve the beer or not — and then waits for more orders; in the third case, after the due amount (possibly 0) is paid, the interaction ends. Alice internally chooses between coffee or beer; in the first case, she waits to get the coffee and then pays; in the second case, she lets the bartender choose between serving the beer, or saying no — and in both cases, she will check out. Intuitively, TA and UB are compliant — i.e., their parallel composition TA kUB (under Definitions 2.2 and 2.10) gives rise to a “correct” interaction such that: 1. each output of TA is matched by an input of UB (and vice versa), and 2. when they stop synchronising (after pay), they are both “successful” — i.e., they reach a final configuration 0 k 0 without further enabled transitions.

A semantic deconstruction of session types

Moreover, the following processes type-check — roughly, because the pairs UB , QB and TA , PA expose the same interaction labels, and have similar branching structures: QB = µY (?aCoffee.!coffee.Y + ?aBeer . (!beer.Y + !no.Y ) + ?pay) PA = !aCoffee.?coffee.!pay + !aBeer . (?beer.!pay + ?no.!pay)

From typing and compliance, we can deduce that PA [] k QB [] synchronise “correctly” (reflecting the “correct” interaction of TA k UB ), and reach the successful configuration 0[] k 0[], where Alice and the bartender agree in stopping their interaction. Alice may also implement a subtype of T A only asking for coffee: TA0 = !aCoffee.?coffee.!pay, with a corresponding process PA0 = !aCoffee.?coffee.!pay: also in this case, we would have that TA0 and UB are compliant, and thus PA0 [] k QB [] also gives rise to a “correct” interaction. So far, the structure of A’s and B’s processes have matched the structure of the respective types. This is a common situation in the session types literature: processes are usually written using calculi inheriting the structured communication approach pioneered by Honda et al. [49, 50], thus reflecting the internal/external choices of types. However, sometimes things may be more complex. The bartender might have other incumbencies, and he may need to stop selling beer after a certain hour: Q00B = µY (?aCoffee.!coffee.Y + ?aBeer . (!beer.Y + !no.Y ) +
?pay) + τ .µZ (?aCoffee.!coffee.Z + ?aBeer.!no.Z + ?pay)

This reminds us of the small Erlang code sample given in Question 1: the τ branch represents the bartender’s decision to stop waiting for customer orders, perform some internal duties (e.g. clean up the bar) and then serve again — this time, refusing to sell beer. Intuitively, we would like Q00B to still have the type UB , since compliant customer processes (e.g. Alice’s one) will still be able to interact (either before or after the τ ). A process like Q00B , however, cannot usually be written (and typed) using classical session calculi: their grammar does not offer a τ prefix, since it would allow for processes where the distinction between internal/external choices is blurred (contrary to the expected program structure). Let us consider another scenario: Alice is late for work. But she realises that the bartender-customer system is asynchronous: the counter is a bidirectional buffer where drinks and money can be placed. Thus, she tries to save time by implementing the following type and process: TA00 = !aCoffee.!pay.?coffee

PA00 = !aCoffee.(?coffee | !pay)

i.e., in her type she plans to order a coffee, put her money on the counter while the bartender prepares her drink, and take it as soon as it is ready; in her process, she orders a coffee, and tries to grab the coffee with one hand, while putting the money on the counter with the other. PA00 represents an optimised program exploiting

7

buffered communication semantics, thus diverging from the syntactic structure of TA00 , and reminds us of the issues discussed in Question 3. Therefore, is TA00 a type for PA00 ? Is TA00 compliant with UB , and will PA00 interact smoothly with QB and Q00B ? We shall answer these questions later on in Section 7.

4 I/O compliance We introduce I/O compliance, a language-independent relation between arbitrary behaviours which formalises the intuitive notion of “correct interaction”. We start by reviewing progress, a standard notion of compliance which identifies “correct interaction” with the absence of deadlock. Then, we observe its limitations in Section 4.1, as well as some limitations of other well-known notions of compliance. In Sections 4.2 and 4.3 we show how I/O compliance overcomes these limitations.

4.1 Compliance as progress We start by discussing progress, a notion of compliance which interprets correctness as the absence of (unsuccessful) stuck states. To model the client/server asymmetry [31,4], we consider the asymmetric progress relation: a behaviour can stop interacting whenever it reaches success (regardless of the state of its counterpart). Definition 4.1 (Progress). We write p a q whenever τ pkq = ⇒ p0 k q 0 − 6 → implies p0 = 0. We write ` for a−1 , and a` for a ∩ `. Example 4.2. We have the following relations: !a.?b a` ?a.!b !a.?b 6a 6` !b.?a !a.!b 6a 6` ?c !a.?b 6a ` ?a recX !a.X 6a ` ?a

recX !a.X a` recY ?a.Y (!a.?b) [] a` (!b.?a) [] (!a.!b) [] a 6` ?c [] (recX ?a.X) [] 6a 6` !b [] (recX !a.X) [] a` ?b[]

We now restate a result from [4]: progress between two synchronous session behaviours can be characterised in a syntactic way. Proposition 4.3 (a/a`-induced shapes of session types). If T a U , then exactly one of the following cases holds: a. T = 0; ˘ L b. T ≡ i∈I ?ai .T i and U ≡ j∈J !aj .U j , with ∅ = 6 J ⊆ I, and ∀j ∈ J . T a U ; j j ˘ L c. T ≡ i∈I !ai .T i and U ≡ j∈J ?aj .U j , with ∅ = 6 I ⊆ J, and ∀i ∈ I . T i a U i . Furthermore, if T a` U , we have either: a. T = U = 0;

8

˘ L b. T ≡ i∈I ?ai .T i and U ≡ j∈J !aj .U j , with ∅ 6= J ⊆ I, ; Land ∀j ∈ J . T j a` U j˘ c. T ≡ i∈I !ai .T i and U ≡ j∈J ?aj .U j , with ∅ 6= I ⊆ J, and ∀i ∈ I . T i a` U i . Note that, when leaving synchronous session types, progress also relate behaviours with arguably incorrect interactions. For instance, we have (recX !a.X) [] a` ?b[], because the two asynchronous behaviours never reach a stuck state, even if no interaction ever happens. Ideally, we would like a stricter compliance relation, avoiding such “vacuous” progress. To this aim one may consider, e.g., the may-, mustor should -testing compliance [10,24,38]. These relations do not hold in the above-mentioned case, since they all require that the success state 0 k 0 is reachable. On the other hand, these relations do not consider as compliant the asynchronous behaviours (recX !a.X) [] and (recY ?a.Y ) [], precisely because they never reach success. The last pair of behaviours models a producer/consumer system, where each produced message is consumed. Indeed, in the CFSM literature [19,56] these two behaviours would be considered compliant.

4.2 I/O compliance: definition and examples We now introduce I/O compliance (recall from Section 2 that p⇓! = (p⇓)! = p⇓ ∩ A! ). Definition 4.4 (I/O compliance). We say that a relation R is an I/O compliance iff, whenever p R q: a.  p⇓! ⊆ co(q⇓? ) and  (p⇓! = ∅ ∧ p⇓? 6= ∅) implies ∅ = 6 q⇓! ⊆ co(p⇓? ) ; co(`) ` b. p → − p0 ∧ q −−−→ q 0 implies p0 R q 0 ; τ c. p − → p0 implies p0 R q; τ d. q − → q 0 implies p R q 0 . ¨ for the largest I/O compliance relation, B ¨ for We write C ¨ −1 , and ./ ¨ for the largest symmetric I/O compliance. (C) ¨ q. We say that p and q are I/O compliant iff p ./ Item a captures the different role of inputs and outputs: each weak output must be matched by a corresponding input, so that the output can be dispatched. Although it is not required to match every weak input, the presence of weak inputs (without weak outputs) requires the counterpart to offer some matching weak ¨ q, item a output. Similarly to Proposition 4.3, when p ./ allows to enlarge the inputs of p (when non-empty), or to restrict its outputs (to a non-empty subset), while preserving I/O compliance. Items b, c, d require I/O compliance to be preserved if p and q synchronise or do internal moves.

M. Bartoletti, A. Scalas, R. Zunino τ !a

?a

τ

τ

?a

!a

τ ?a

!a

!b

τ

?b

p1

?c

p2

p3

!b

p4

Figure 2: Some (non-session) behaviours. p5 0

?a

τ p5 τ p5 00

?b

p5

Figure 3: A behaviour without an I/O compliant one.

¨ Lemma 4.5 states that the symmetric relation ./ can be obtained by intersecting the two asymmetric relations (unlike e.g. bisimilarity [59]). ¨ ∩ C. ¨ ¨ = B Lemma 4.5. ./ Example 4.6. Consider the behaviours in Figure 2. ¨ p3 , and p2 C ¨ p3 , ¨ p2 , p2 ./ ¨ p4 , p1 C We have that p1 ./ while all the other pairs of behaviours are not compliant. The following example shows that some behaviours do not admit a (symmetric) I/O compliant one. Example 4.7. Consider the behaviour p5 in Figure 3. We show that, for all behaviours q, it must be q ./ 6 ¨ p5 . ¨ p5 , for some q. Since By contradiction, assume that q ./ τ τ p5 − → p5 0 and p5 − → p5 00 , by applying twice clause d ¨ p5 0 and q ./ ¨ p5 00 . of Definition 4.4 it follows that q ./ Now, by applying twice the first part of clause a, we get: q⇓! ⊆ co(p5 0 ⇓? ) ∩ co(p5 00 ⇓? ) = {?a} ∩ {?b} = ∅ ¨ q and p5 0 ⇓! = ∅ 6= p5 0 ⇓? , by the second And since p5 0 ./ part of clause a we would get ∅ = 6 q⇓! (contradiction). The following example shows that I/O compliance does not hold when the progress is vacuous. Example 4.8. We have that (recX !a.X) [] a ?b [], but (recX !a.X) [] C 6 ¨ ?b[]: in fact, the weak output barbs of the LHS contain !a, not matched by the weak input barbs of the RHS (that only contain ?b) — thus violating item a of Definition 4.4. In CCS, let P = !a + !b, and let Q = ?a. We have that P a Q (because the LHS and RHS can synchronise on a, and then terminate), but P C 6 ¨ Q (because !b on the LHS is not matched by the inputs of the RHS).

A semantic deconstruction of session types

¨ q, then p a q; (b) if p, q ∈ UST Theorem 4.9. (a) If p C ¨ q. and p a q, then p C Example 4.10 (Alice and bartender). Recall the types and processes in Section 3. In the sync case, UB a` TA , ¨ TA , UB a` TA0 and UB ./ ¨ TA0 . The same holds for UB ./ their async versions. When Alice is late for work, in the sync case we have UB 6a` TA00 and UB ./ 6 ¨ TA00 , due to the wrong order of Alice’s actions. In the async case, ¨ TA00 []. The instead, we have UB [] a` TA00 [] and UB [] ./ latter relation is detailed in Table 2. Note that UB [] has an input (?aBeer) which is not matched by an output of TA00 [], and therefore leads to states not considered in the relation (omitted in the Table). The same goes for UB (3) , with two unmatched inputs (?aBeer and ?aCoffee). When two synchronous session behaviours are I/O compliant, the following lemma characterises the form of buffers in their asynchronous computations. In particular, in each reachable configuration one of the queues must be empty (thus resulting in a half-duplex communication [34]). ¨ B, ¨ ./}. ¨ Lemma 4.11. Let T ◦ U , with ◦ ∈ {a, `, a`, C, If T [] k U [] ⇒ = T 0 [σ] k U 0 [ρ], then: (i) σ =  or ρ = . (ii) if σ = ρ =  then T 0 ◦ U 0 . Lemma 4.12 states that if two synchronous session behaviours are I/O compliant, then they are such also when passing to the asynchronous semantics. The inverse implication is false: I/O compliance relates asynchronous session behaviours which are not compliant under the ¨ (!b.?a) []. synchronous semantics, e.g. (!a.?b) [] ./ ¨ U , then T [] C ¨ U []. Lemma 4.12. If T C The following theorem extends Lemma 4.12 to all the notions of compliance studied in this section. ¨ ./, ¨ If T ◦ U , ¨ C}. Theorem 4.13. Let ◦ ∈ {`, a`, a, B, then T [] ◦ U [].

Theorem 4.9(b)

T aU

T [] a U [] ⇒=

Theorem 4.9 relates I/O compliance with progress. If two behaviours are I/O compliant, then they enjoy progress, while the vice versa is false (see Example 4.8). Still, ¨ and a coincide for synchronous session behaviours. C The intuition is the following. Take T , U ∈ UST : by Definition 2.10, they cannot generate infinite τ -traces, and whenever they output, they always commit to a single output transition. These properties allow to avoid situations similar to the ones in Example 4.8.

¨ follows by Lemma 4.12. For Proof. The case ◦ = C ◦ = a, we have: ⇒=

4.3 Main properties

9

Theorem 4.9(a)

Lemma 4.12 ¨ U == ¨ U [] T C =======⇒ T [] C

¨ follow by symmetry. Instead, the The case for ◦ ∈ {`, B} ¨ follow respectively from a` = `∩a cases for ◦ ∈ {a`, ./} ¨ ∩C ¨ (by Lemma 4.5). ¨ =B (by Definition 4.1) and ./ 5 Safety In the realm of Communicating Finite State Machines, where communication is asynchronous, the notion of correct interaction (called safety in [56]) is stricter than progress: e.g., it requires that enqueued messages are eventually consumed. In this section we interpret safety in our semantic setting, and we relate it with I/O compliance. The main result is that I/O compliance implies safety (Theorem 5.17), and that the two notions coincide on asynchronous session behaviours (Theorem 5.20).

5.1 Orphan messages In CFSMs, orphan messages are outputs that are sent, but never received. To formalise this notion in our semantic setting, consider a parallel composition p k q. If p !!a

always exposes a (weak) output transition !a (i.e., p= ⇒, as per Definition 2.5) but q does not expose a matching input transition ?a, then we can say that !a is “orphan”. Definition 5.1 (Orphan message configuration). We say that p k q is an orphan message configuration of p !!a

?a

iff ∃a . p=⇒ and q6=⇒. In this case we say that !a is an orphan message of p. Proposition 5.2. Let p k q be an orphan message configuration, with !a orphan message of p. If p = ⇒ p0 and 0 0 0 q= ⇒ q , then p k q is an orphan message configuration, with !a orphan message of p0 . !!a

?a

Proof. By Definition 5.1, we have p=⇒ and q6=⇒. From !!a ?a Definition 2.5, we have p0 =⇒; furthermore, q6=⇒ implies ?a q0 = 6 ⇒. Therefore, by Definition 5.1 we conclude that 0 p kq 0 is an orphan message configuration, with !a orphan message of p0 . Note that the usual notion of orphan message from CFSM literature [56,42] requires that there exists at least a non-empty buffer, and each machine is in a final state. Our definition relaxes the second requirement, while it uses persistent outputs to formalise the first one.

10

M. Bartoletti, A. Scalas, R. Zunino

UB []

?pay

?aCoffee !coffee

?aBeer

TA00 []

···

τ

UB (1)

UB (3) ···

!aCoffee 00 (2) !aCoffee ?coffee

τ ?pay

UB (4)

!coffee

TA00 (6)

UB (5)

!pay

?aBeer

TA00 (7)

···

I/O compliance relation

τ

TA00 (1) τ TA

UB (2)

?aCoffee

TA00 (8)

(UB [], TA00 (1) )

(UB [], TA00 []) )

(UB (2) , TA00 (8) )

(UB (2) , TA00 (3) )

(UB (3) , TA00 (8) )

00 (2)

(UB [], TA

TA00 (3) !pay

00 (3)

)

(UB (4) , TA00 (4) )

(UB (5) , TA00 (5) )

(UB [], TA00 (6) )

(UB (3) , TA

TA00 (4) ?coffee

TA00 (5)

00 (7)

(UB (1) , TA

)

Table 2: I/O compliance for the asynchronous Alice and bartender. The intuition is clear when considering asynchronous session behaviours: there, persistent outputs exist whenever the buffer is non-empty. In those behaviours, orphan messages are characterised by Lemma 5.3. Lemma 5.3. T [σ] k U [ρ] is an orphan message configuration with !a orphan message of T [σ] iff both the following conditions hold: (i) σ = !a.σ 0 , or σ =  and T ≡ !a.T 0 ;

Definition 5.7 (Input behaviour). We say that p is an ??

input behaviour (written p= ⇒) whenever: p⇓! = ∅

?a

(ii) U [ρ] = 6 ⇒.

and

p= ⇒ p0 implies p0 ⇓? 6= ∅

Proposition 5.8 below states that an input behaviour can only τ -reduce to an input behaviour.

Proof. Direct by Definition 5.1 and Proposition A.6. Lemma 5.4 states that, in asynchronous session behaviours, orphan messages are preserved not only after individual τ -moves (as ensured by Proposition 5.2), but even after synchronisation. Lemma 5.4. Let T [σ] k U [ρ] be an orphan message configuration, with !a orphan message of T [σ]. Then, T [σ] k U [ρ] = ⇒ T 0 [σ 0 ] k U 0 [ρ0 ] implies that T 0 [σ 0 ] k U 0 [ρ0 ] is an orphan message configuration, with !a orphan message of T 0 [σ 0 ]. Furthermore, σ 0 = σ .σ 00 (for some σ 00 ). The following lemma states that I/O compliance does not hold in orphan message configurations. Lemma 5.5. If pkq is an orphan message configuration for p, then p C 6 ¨ q. !!a

our setting, we say that a parallel composition p k q is an unspecified reception when p can only interact via input transitions, but q is not going to offer any matching output. Before formalising this in Definition 5.10, we study the auxiliary notion of input behaviours.

?a

Proof. By Definition 5.1, we have p= ⇒ and q6= ⇒: this implies !a ∈ p⇓! 6⊆ q⇓? , which violates clause a of Definition 4.4. Therefore, p C 6 ¨ q. Example 5.6. The inverse implication of Lemma 5.5 does not hold in general. E.g., let P = !a + τ.0. We have P C 6 ¨ 0, because !a ∈ P ⇓! 6⊆ co(0⇓? ) = ∅. However, P k 0 !!a

is not an orphan message configuration, because P = 6 ⇒.

5.2 Unspecified reception In CFSMs, unspecified receptions are configurations where some machine can only perform receptions, but the heads of buffers do not match the required input. In

??

??

Proposition 5.8. If p= ⇒ and p = ⇒ p0 , then p0 = ⇒. Proof. From p⇓! = ∅ we have p0 ⇓! = ∅; moreover, since ∀p00 . p = ⇒ p00 implies p00 ⇓? 6= ∅, and p = ⇒ p0 (by hypothe00 0 00 00 ? sis), we have ∀p . p = ⇒ p implies p ⇓ 6= ∅. Hence, by ??

Definition 5.7, we conclude p0 = ⇒. In synchronous session types, input behaviours correspond to external choices; in asynchronous session types, they must also have an empty buffer. ˘ ?? Proposition 5.9. T [σ]= ⇒ iff T ≡ i∈I ?ai .T i with I 6= ∅, and σ = . Proof. Straightforward, by Definition 2.11. We can now formalise unspecified reception. Definition 5.10 (Unspecified reception configuration). We say that pkq is an unspecified reception configuration ??

?a

!a

for p iff p= ⇒ and 6 ∃a . p= ⇒ ∧ q= ⇒. Example 5.11. We have that: – recX !a.X[] k ?b[] is an unspecified reception configuration for the RHS behaviour (and also an orphan message configuration for the LHS behaviour).1 – 0[] k ?b[] is an unspecified reception configuration for the RHS behaviour 1 In [56, 42] orphan message configuration only contain final states, hence this configuration would not be considered an orphan message in CFSMs.

A semantic deconstruction of session types

11

– ?a[] k ?b[] is an unspecified reception configuration for both LHS and RHS behaviours.

!a

0

k

τ

Proposition 5.12 shows that unspecified reception is preserved by τ -transitions. Proposition 5.12. Let p k q be an unspecified reception configuration for p. If p k q = ⇒ p0 k q 0 then p0 k q 0 is an unspecified reception configuration for p0 . Proof. Note that, by Definition 5.10, p and q cannot synchronise, because no output of q matches p’s inputs, — and p has no weakly reachable outputs. Therefore, the τ transitions along p k q = ⇒ p0 k q 0 can only be originated by internal moves. Now, since p = ⇒ p0 , by Proposition 5.8 we ?? ?a !a have p0 = ⇒; furthermore, since 6 ∃a.p= ⇒ ∧ q= ⇒, considering ? ! 0 ? 0 ! that p ⇓ ⊆ p⇓ and q ⇓ ⊆ q⇓ (because q = ⇒ q 0 ), we ?a

!a

q

Figure 4: The behaviour 0 k q is safe, but 0 and q are not I/O compliant.

5.3 Safety: definition and main properties Definition 5.15 (Safety). We say that p k q is safe iff pkq = ⇒ p0 k q 0 implies that p0 k q 0 is neither an orphan message nor an unspecified reception configuration. We relate safety with progress and I/O compliance. Proposition 5.16. If p k q is safe, then p a` q.

obtain 6 ∃a . p0 = ⇒ ∧ q0 = ⇒. Lemma 5.13 syntactically characterises unspecified reception configurations for asynchronous session types (similarly to Lemma 5.3 for orphan messages). Lemma 5.13. T [σ] k U [ρ] is an unspecified reception ˘ configuration for T [σ] iff T ≡ i∈I ?ai .T i with I = 6 ∅, σ =  and one of the following holds: a. ρ = !b.ρ0 , for some ρ0 and b such that ∀i ∈ I . ai 6= b; L b. ρ =  and U ≡ j∈J !bj .Uj , where ∀i ∈ I, j ∈ J . ai 6= bj ; ˘ c. ρ =  and U ≡ j∈J ?bj .Uj . Proof. The =⇒ direction follows from Proposition 5.9 and Definition 2.11, considering that, by Definition 5.10: ??

(i) since T [σ]= ⇒, by Proposition 5.9 T can only be equivalent to a non-empty external choice, and σ = ; (ii) U [ρ] does not offer any output matching T ’s inputs: hence, either U is equivalent to a (possibly empty) external choice and ρ =  (case c. in the statement), or ρ’s head exposes an unmatching output — either immediately (case a.) or after a τ -move (case b.). The ⇐= direction follows from Definition 2.11: in all cases a.–c. of the statement, we conclude that T [σ]kU [ρ] is an unspecified reception configuration. Lemma 5.14 shows that two behaviours in an unspecified reception configuration are not I/O compliant. Lemma 5.14. If p k q is an unspecified reception configuration for p, then p C 6 ¨ q. ??

?a

⇒ and 6 ∃a . p= ⇒∧ Proof. By Definition 5.10 we have p= !a q= ⇒. Then, by Definition 5.7 we have p⇓! = ∅ and p⇓? = 6 ! ? ∅. Furthermore, q⇓ ∩ co(p⇓ ) = ∅: this violates clause a of Definition 4.4. Therefore, we have p C 6 ¨ q.

Proof. We prove the contrapositive. Assume that p 6a` q. By definition of progress, there exist p0 and q 0 such that τ pkq = ⇒ p0 k q 0 − 6 → and p0 6= 0 or q 0 6= 0. Therefore: p0 k q 0 → −

τ

p0 − 6→

and

and

τ

q0 − 6→

(1)

Since p0 k q 0 → − , at least one of the behaviours p0 , q 0 must take a move, which cannot be labelled τ . Without loss of generality, assume that p0 moves. There are two possible (not mutually exclusive) cases: !a

τ

?a

τ

6 →, then by Definition 2.5 it must be – p0 − →. Since p0 − !!a ?a p= ⇒. Now, by (1) it follows that q 0 − 6 →, otherwise p0 0 0 τ and q would synchronise. Since q − 6 →, this implies 0 ?a that q = 6 ⇒. By Definition 5.1, we obtain that p0 k q 0 is an orphan message configuration, hence by Definition 5.15 we conclude that p k q is not safe. – p0 −→. Since p0 − 6 →, then by Definition 5.7 it must be ?b !b 0 ?? p= ⇒. Now, by (1) it follows that @b : p0 = ⇒ ∧ q0 = ⇒, otherwise p0 and q 0 would synchronise. By Definition 5.10, we obtain that p0 k q 0 is an unspecified reception configuration, hence by Definition 5.15 we conclude that p k q is not safe. ¨ q, then p k q is safe. Theorem 5.17. If p ./ Proof. Let p k q = ⇒ p0 k q 0 . By Lemmas 4.5 and 5.5, 0 0 p k q is not an orphan message configuration. By Lemmas 4.5 and 5.14, p0 k q 0 is not an unspecified reception configuration. Hence, by Definition 5.15, pkq is safe. The following example shows that the converse of Theorem 5.17 does not hold in general. Example 5.18. The behaviour 0 k q in Figure 4 is safe: – neither 0 nor q have persistent outputs, hence 0 k q has no orphan messages;

12

M. Bartoletti, A. Scalas, R. Zunino

– ρ0 = !a.ρ00 . Then, by item a. of Lemma 5.13, it follows that T 0 [σ 0 ] k U 0 [ρ0 ] is an unspecified reception configuration. By Definition 5.15 we conclude that T [σ] k U [ρ] is not safe. – ρ0 =  and U 0 ≡ !a . U 00 ⊕ U 000 . By Definition 2.11 we have the transition:

– neither 0 nor q is an input state, hence 0 k q is not an unspecified reception configuration. Note however that 0 ./ 6 ¨ q. Indeed, !a ∈ q⇓! 6⊆ co(0⇓? ) = ∅, and therefore item a of Definition 4.4 is false. The following theorem extends Theorem 4.13 to the notion of safety. Namely, if the composition of two synchronous session behaviours is safe, then it is such also when passing to the asynchronous semantics.

τ

T 0 [] k U 0 [] − → T 0 [] k U 00 [!a] and we fall back to the previous case.

Theorem 5.19. If T k U is safe, then T [] k U [] is safe. Proof. If T k U is safe, then by Proposition 5.16 T a` U , ¨ U. and so by item (b) of Theorem 4.9 we also have T ./ ¨ By Theorem 4.13, T [] ./ U [], and so by Theorem 5.17 we conclude that T [] k U [] is safe. Theorem 5.20 shows that the converse of Theorem 5.17 holds for asynchronous session behaviours. Summing up, safety and I/O compliance coincide in the setting of asynchronous session types. ¨ U [ρ]. Theorem 5.20. If T [σ]kU [ρ] is safe, then T [σ] ./ Proof. We prove the contrapositive. Assume T [σ] ./ 6¨ U [ρ]. By Definition 4.4, this implies that there exist T 0 , U 0 , σ 0 , ρ0 such that T [σ] k U [ρ] ⇒ = T 0 [σ 0 ] k U 0 [ρ0 ] 0 0 and item a is false for p = T [σ ] and q = U 0 [ρ0 ]. There are the following two cases: !

?

1. p⇓ 6⊆ co(q⇓ ). Then, there exists some a such that !a ∈ p⇓! and ?a 6∈ q⇓? . Since !a ∈ p⇓! , one of the following two cases must hold: (i) σ 0 = !a.σ 00 . By Proposition A.6 it follows that 0

0 !!a

?

0

0

?a

T [σ ]=⇒. Since ?a 6∈ q⇓ , we have that U [ρ ] = 6 ⇒. Therefore, by Lemma 5.3 we obtain that T 0 [σ 0 ] k U 0 [ρ0 ] is an orphan message configuration. By Definition 5.15, T [σ] k U [ρ] is not safe. (ii) σ 0 =  and T 0 ≡ !a.T 00 ⊕ T 000 . By Definition 2.11 we have the transition: 0

0

0

τ

00

0

0

T [] k U [ρ ] − → T [!a] k U [ρ ] and we fall back to the previous case.
2. (p⇓! = ∅ ∧ p⇓? 6= ∅) 6 =⇒ ∅ 6= q⇓! ⊆ co(p⇓? ) . Then, p⇓! = ∅ ∧ p⇓? 6= ∅. This implies that T 0 is equivalent to an external choice, and that σ 0 = . Further, one of the following two cases must hold: – q⇓! = ∅. This implies that ρ0 = , and U 0 is equivalent to an external choice (possibly empty). By item c. of Lemma 5.13, it follows that T 0 [σ 0 ] k U 0 [ρ0 ] is an unspecified reception configuration. By Definition 5.15, T [σ] k U [ρ] is not safe. – there exists some a such that !a ∈ q⇓! and ?a 6∈ p⇓? . Therefore, either one of the following subcases applies:

6 I/O simulation We now introduce a preorder between behaviours that generalises the usual notions of session typing and subtyping, with the typical co/contra-variance of outputs and inputs. We define the relation in Section 6.1, and study its main properties in Sections 6.2 and 6.3 — notably, proving that it preserves I/O compliance. In Section 6.4, we study its preservation when passing to the asynchronous semantics. We start by adapting to our framework a classical preorder from the literature on behavioural contracts: intuitively, p is a subcontract of q when p can replace q in all possible contexts while preserving I/O compliance2 . Definition 6.1 (Subcontract relation). We define the relation vR between behaviours as: p vR q

iff

¨ r implies p ./ ¨ r ∀r ∈ R . q ./

We write p v q when p vR q with R = U. The following lemma syntactically characterises the subcontract relation on synchronous session behaviours. Lemma 6.2 (vUST -induced shapes of session types). T vUST U implies either: a. T = U ˘= 0; ˘ b. T ≡ k∈K ?ak .T k and U ≡ i∈I ?ai .T i , with ∅ 6= I ⊆ KLand ∀i ∈ I . T i vUST UL i; c. T ≡ k∈K !ak .T k and U ≡ i∈I !ai .T i , with ∅ 6= K ⊆ I, and ∀k ∈ K . T k vUST U k . To determine if two synchronous session behaviours are in the subcontract relation (i.e., T v U ), we do not need to consider all possible behaviours r ∈ U such that ¨ r: indeed, we can restrict ourselves to the case U ./ where r is a synchronous session behaviour itself. Lemma 6.3. T v U ⇐⇒ T vUST U . 2 Note that the direction of v is opposite w.r.t. the strong subcontract relation in [31]. The other difference between v and the strong subcontract relation is that v requires to preserve I/O compliance, while [31] requires progress.

A semantic deconstruction of session types

6.1 I/O simulation: definition and examples Despite its elegance, Definition 6.1 cannot be directly exploited to establish whether two behaviours are related, due to the universal quantification over all contexts. We aim at extending the syntax-based coinductive characterisation on session types (Lemma 6.2) to arbitrary behaviours, without resorting to a universal quantification over contexts. To do that, we define an I/O simulation ¨ We show that relation on behaviours, denoted by 6. it is a preorder (Theorem 6.10), and it preserves I/O ¨ is equivalent to the subcompliance (Theorem 6.12). 6 type relation on sync session behaviours (Theorem 6.13), albeit stricter on arbitrary behaviours. ¨ is an Definition 6.4 (I/O simulation). We say that R ¨ q, then ∃Q (called I/O simulation iff, whenever p R predictive set) such that q V Q, and: a. b. c. d. e.

p⇓! = ∅ implies Q⇓! = ∅ Q⇓?? ⊆ p⇓? ∧ (Q⇓? = ∅ implies p⇓? = ∅) τ ¨ q0 p− → p0 implies ∃q 0 . Q = ⇒ q 0 ∧ p0 R !a !a 0 0 0 0 ¨ 0 p− → p implies ∃q . Q = ⇒q ∧ p Rq ?a ??a ?a 0 ¨ q0 . p −→ p ∧ Q==⇒ implies ∃q 0 . Q = ⇒ q 0 ∧ p0 R

¨ for the largest I/O simulation, ≈ ¨ for the We write 6 ¨ for its inverse, and largest symmetric I/O simulation, > ¨ ∩ >. ¨ = ¨ for 6 Definition 6.4 generalises to our semantic setting the (syntax-based) coinductive subtyping rules for session types (Lemma 6.2). Similarly to Lemma 6.2, adding further external choices (inputs) or removing some internal choices (outputs) leads to a subtype. However, I/O simulation is more permissive than this, as it can relate general behaviours. These can have mixed choices, made of both inputs and outputs. Further, choices (possibly of inputs) are internal when led by τ transitions; dually, choices of outputs can be external. To cope with this complexity, in Definition 6.4 we use the predictive set Q as a subset of the internal choices of q. Once this set is fixed, the simulation game occurs between p and Q. ¨ The first Example 6.5. In Table 3 we exemplify 6. pair of behaviours correspond to the sync session types T = ?a.!b & ?c and U = ?a.(!b ⊕ !c). The other pairs deal with behaviours outside UST . The third one corresponds to Alice’s asynchronous type TA00 and her process PA00 , from Section 3: we show that the former I/O simulates the latter. The last one shows an I/O simulation where ¨ contains more the predictive set for the pair (p, q) ∈ 6 than one element. ¨ q, Example 6.6. To establish whether, in Figure 5, p 6 we choose a predictive set Q that mandates the inputs of p, and includes its outputs (note that p has an additional

13

input ?c0 not offered by Q). The same happens with the ¨ r. Note that R and the predictive set R, establishing q 6 ¨ r. small set inside are also predictive sets for p 6

6.2 Basic properties The following lemma ensures that the largest I/O simu¨ indeed exists. lation 6 ¨ be a set of I/O simulations. Then, Lemma 6.7. Let R S¨ R is an I/O simulation. We now study preservation of I/O simulation under ¨ q, the relation 6 ¨ is preserved weak moves. When p 6 by forward τ -moves of p and backward τ -moves of q. ¨ q, p = ¨ q0 . Lemma 6.8. If p 6 ⇒ p0 and q 0 = ⇒ q, then p0 6 A consequence of Lemma 6.8 is that we can obtain a behaviour I/O simulated by p by reducing the internal non-determinism of p (i.e., by making p take τ moves). ¨ p. Corollary 6.9. If p = ⇒ p0 , then p0 6 ¨ (Lemma D.1) we have p 6 ¨ p. Proof. From reflexivity of 6 0 ¨ From Lemma 6.8 we conclude p 6 p. ¨ is a preorder. The Theorem 6.10 establishes that 6 proof is not as straightforward as proving that v is a preorder, because we have to deal with the existential quantification on the predictive set Q. Note that constructing the set Q is not always as easy as in Ex¨ r was ample 6.6, where the predictive set used for q 6 ¨ r. Our general construction valid also for proving p 6 of Q is detailed in the proof of Theorem 6.10. ¨ is a preorder. Theorem 6.10. (U, 6) Weak simulation w and I/O simulation are unrelated, ¨ 6⊆ w 6⊆ 6 ¨ (see Proposition D.8). However, weak i.e. 6 bisimulation ≈ is strictly stronger than I/O bisimulation. ¨ Theorem 6.11. ≈ ( ≈

6.3 On I/O simulation and I/O compliance Theorem 6.12 is one of our main results: it states that ¨ preserves I/O compliance. Instead, 6 ¨ does not pre6 serve progress a. For instance, consider the behaviours ¨ p7 and p7 a p8 . However, in Figure 6. We have that p6 6 p6 6a p8 : indeed, if p8 chooses the branch !b, then p6 is stuck waiting for ?c. ¨ q ◦ r =⇒ p ◦ r, for ◦ ∈ {B, ¨ ./}. ¨ Theorem 6.12. p 6

14

M. Bartoletti, A. Scalas, R. Zunino ?a

T

!b

T (1)

?c

T (2)

T (3) !b

?a

U (1) τ !c

U (3) ?a

p p

!b

p(1)

?d τ

(5)

U (4)

U (5)

p(2)

!c

p(3)

!e

p(6) q (8)

?d

τ ?a

q

q (9)

τ τ

q (1)

τ

q (2)

q (4)

!b

τ

q (3)

q (5)

?a

q (6)

!c

τ

q (7) !pay

PA00 (10)

(T (1) , U (1) )

U

(T (1) , U (2) )



U (2)



(T (2) , U (4) )



U (4)



(1)

Relation

Pred. set

(p, q )

{q}

(p, q (3) )



q (3)



(p(1) , q (1) )



q (1)



(p(1) , q (5) )



q (5)



(p(2) , q (4) )



q (4)



)



q

(2)



(p(3) , q (7) )



q (7)



(p(4) , q (6) )



q (6)



(p

(3)

,q

(2)

the latter match the outputs of the first. T (3) is not in the relation: it is reached via an input ?c unmatched by U . U (3) , U (5) are not in the relation: they are reached via a τ and an output !c unmatched by T .

{U }



p(4)

T (1) is in relation with U (1) , U (2) : both

Pred. set

(T , U ) (2) τ U

U

Relation

p is in relation with q, q (3) , matching their ?a. Then, p(1) can either perform !b, !c, ?d or quit: this is matched by q (1) , q (5) ; if p(1) follows its τ -branch to p(3) , the latter is related with q (2) , q (7) . Note that q (2) does not stop, but performs τ -loop. Also note that the rela?d

tion does not include p(5) since q (1) =⇒  ??d but q (1) = 6 =⇒; indeed, it cannot in(5) clude p , due to its !e (unmatched in q ’s reductions).

PA00 (11)

τ

PA00 (9)

?coffee

Relation

PA00 (8)

!aCoffee τ 00 (1)

PA00 []

τ

PA00 (2) τ

PA

!aCoffee

· · · ?coffee 00 (7)

PA

!pay

00 (6)

PA

?coffee

00 (3)

PA

!pay

PA00 (5) TA00 []

?coffee

TA00 (8)

τ

τ

!aCoffee 00 (2) !aCoffee

TA00 (1) τ TA

TA00 (3) !pay

?coffee

TA00 (6)

TA00 (4)

!pay

TA00 (7) p

?a

p(1)

PA00 (4)

!x

Pred. set  00 (1)

(PA00 [], TA00 []) (PA00 (1) , TA00 (1) ) (PA00 (2) , TA00 (2) ) (PA00 (3) , TA00 (3) ) (PA00 (4) , TA00 (4) ) (PA00 (5) , TA00 (5) ) (PA00 (6) , TA00 (6) ) (PA00 (7) , TA00 (7) ) (PA00 (8) , TA00 (3) ) (PA00 (9) , TA00 (6) ) (PA00 (10) , TA00 (6) ) (PA00 (11) , TA00 (7) )

TA



TA00 (1)





TA00 (2)





TA00 (3)





TA00 (4)





TA00 (5)



TA00 (6)  00 (7) TA  00 (3) TA  00 (6) TA  00 (6) TA  00 (7) TA





TA00 [] = !aCoffee. !pay. ?coffee [] TA00 (1) = !pay. ?coffee [!aCoffee] TA00 (2) = ?coffee [!aCoffee. !pay] TA00 (3) = ?coffee [!pay] TA00 (4) = ?coffee [] TA00 (5) = 0 [] = TA00 (7) TA00 (6) = 0 [!pay] TA00 (7) = 0 [] = TA00 (5) TA00 (8) = !pay. ?coffee []

?coffee

TA00 (5) p(2) p is related with q , with a predictive set

?b

p(3)

q

(5)

!y !c

p(4)

Relation q

(p, q )

(6)

τ

q

Note that PA00 (1) and PA00 (2) have an input branch (?coffee) unmatched by TA00 (1) and TA00 (2) , and thus leading to states not considered in the relation (and here omitted).

τ

q (01)

?a

q (1)

!x

q (2)

?b

τ

q

(31)

?a

q (02)

?b

q (3)

!y

Pred. set 

q (01) , q (02)

(p(1) , q (1) )



q (1)



(p(2) , q (2) )



q (2)



(p(3) , q (3) )



q (3)



(p(4) , q (4) )



q (4)





containing 2 elements. This is the only possible predictive set supporting the relation: in fact, if the predictive set included q or q (5) , then p would be forced to offer some output (by clause a of Definition 6.4); moreover, if the predictive set did not contain q (01) , then the ?a-branch of p would need to match the ?a-branch of q (02) (by clause e of Definition 6.4) — but in this case we ¨ which is would need (p(1) , q (31) ) ∈ 6, false. A similar problem would arise if the predictive set did not contain q (02) .

q (4)

Table 3: Examples of I/O simulation. For each pair of behaviours on the left, the table shows an I/O simulation relation, and the predictive sets supporting each pair of related states.

A semantic deconstruction of session types

15

?d !a

!a ?b

τ

!a ?b

Q τ

!b

p τ

¨ 6

?c

τ

!b

q τ τ

?c0

?b

τ

¨ 6

?c

!b

r τ

?c

τ

τ

R

¨ q and q 6 ¨ r. Figure 5: I/O simulation. Q, R are the predictive sets resp. for p 6 ?a

!a

?b

p6

!b

?a

?c

¨ 6

p7

a

!a

!a ?c

Figure 6: Progress is not preserved by I/O simulation (on general behaviours). Theorem 6.13 below establishes that I/O simulation can be seen as a subtyping/subcontract relation on ¨ q allows p to be always general behaviours, that is p 6 used in place of q. For instance, assume that p is an asynchronous CCS process typed with a session type q, which in turn complies with the session type r. Then, Theorem 6.12 states that I/O compliance is preserved by ¨ i.e. p is also I/O compliant with r, notwithstanding 6, with the fact that p and r are specified in different calculi. Although I/O simulation is stricter than the subcontract relation on general behaviours, the two relations coincide on synchronous session behaviours, ¨ can be interpreted as the subtyping relation hence 6 in [44] (albeit in the inverse direction, corresponding to that adopted e.g. in [27]). ¨ ( v. (b) T 6 ¨ U iff T v U . Theorem 6.13. (a) 6 ¨ Theorem 6.12 above does not generally hold for C. ¨ qC ¨ r: intuitively, C ¨ does not guarantee that Let p 6 r’s outputs will be matched by q’s inputs; therefore, if p adds an input branch which is matched by an output of r, then their synchronisation may reduce to non-compliant behaviours, as shown in Example 6.14 below. ¨ and C). ¨ The behaviours p10 Example 6.14 (On 6 ¨ compliant. Indeed, even and p11 in Figure 7 are C though p11 offers an additional !c output, this is immaterial for I/O compliance, since it only checks that the !a output of p10 is received by a corresponding ?a ¨ we of p11 . If we add a ?c branch to p10 , e.g. as in p9 , by 6 obtain a behaviour which is simulated by p10 . However p9 and p11 are not I/O compliant, since the c-branches now can synchronise, leading to a stuck output !e. The situation described in Example 6.14 does not arise on synchronous session behaviours, as established

?b

?b

p8

?a !c

!e

p9

p10

¨ 6

p11

¨ C

¨ is not preserved by I/O simulation (on Figure 7: C general behaviours). !a

!a

p12

p13 τ

?b

p12

?a p14

?b

!b

p13

p14

Figure 8: Three compliant-admitting behaviours show¨ ( v. ing that 6 in Lemma 6.15 below, which extends Theorem 6.12. Its proof exploits the fact that synchronous session behaviours do not have mixed choices. ¨ UC ¨ V implies T C ¨ V. Lemma 6.15. T 6

6.4 I/O simulation and asynchrony We now address the problem of establishing whether I/O simulation and the subcontract relation are preserved by ¨ U , (resp. T v U ), is it the case buffering. That is, if T 6 ¨ U [] (T [] v U [])? Were the answer positive, we that T [] 6 could reason about I/O simulation/subcontracting in the (finite-state) synchronous semantics, and then transfer these results to the asynchronous setting, where both I/O simulation and subcontracting are undecidable. Unfortunately, the answer to both questions is negative, as shown in the following examples. Example 6.16. Consider the following session types: T = recX !a.X

U = recY !a.X ⊕ !b.?c

¨ U , but T [] 6 We have T 6 6 ¨ U []. To prove it, assume by ¨ contradiction that T [] 6 U [], with some predictive set U.

16

M. Bartoletti, A. Scalas, R. Zunino ??c

??c

Since U []=⇒, we must have U=⇒ (see Proposition D.6). Then, by the first part of clause b in Definition 6.4, it must be ?c ∈ T []⇓? = ∅ — contradiction.

Theorem 6.20. If T (◦ ∩ ? ) U then T [] ◦ U [], for ◦ ∈  ¨ v . 6,

Example 6.17. Let T , U as in Example 6.16, from ¨ U : hence, by item (a) of Theowhich we know that T 6 rem 6.13 we also know that T v U . We now prove that T [] 6v U []. To this purpose, define:

¨ q, each weak sequence of outputs of p 1. whenever p 6 is I/O simulated by q (Proposition D.12); 2. whenever p ? q, and the two behaviours reach p0 , q 0 through the same weak transitions, then p0 ? q 0 (Proposition D.13); 3. each weak sequence of ouptuts from a session behaviour T corresponds to a sequence of τ s in its asynchronous version T [σ], for all σ (Proposition D.14); 4. vice versa, each sequence of τ s from T [σ] corresponds to a weak sequence of outputs from T (Proposition D.15).

V = !c.recY ?a.Y & ?b ¨ V [] (albeit U 6./ ¨ V ). However, T [] ./ Note that U [] ./ 6 ¨ V [], !c

since clause a of Definition 4.4 is violated because V []= ⇒ ?c 3

but T []6= ⇒ . Therefore, T [] 6v U []. ¨ under buffering Intuitively, the non-preservation of 6 is due to the fact that, in the asynchronous semantics, output prefixes can always be fired. Consequently, the inputs that are guarded by a sequence of outputs in a session type T may become weakly persistent (as per Definition 2.5), and thus relevant for clauses b and e of Definition 6.4. Similarly, v is not preserved because output-guarded inputs may become weakly reachable in T [σ] and thus relevant for clause a of Definition 4.4. Following this intuition, we provide in Definition 6.18 below a sufficient condition which guarantees the preser¨ when passing from the synchronous to the vation of 6 asynchronous semantics of session types. Definition 6.18 (Input-preserving behaviours). We say that p is input-preserving w.r.t. q (in symbols p ? q) iff for all w = `1 , . . . , `n , p0 , q 0 , a, whenever w

w

p= ⇒ p0 and q = ⇒ q0   ! ! ?a and ∀q 00 . q 0 ⇒ = ∗ q 00 implies q 00 ⇒ = ∗ −→ , !

?a

then p0 ⇒ = ∗ −→ .

(2a) (2b)

¨ exploits four key properties: Proof. The proof for ◦ = 6

To prove ◦ = v we exploit the previous case and Theorem 6.13. See Appendix D.3 for full details. We now show how the three main notions studied so far (I/O simulation, I/O compliance and safety) can be combined in order to determine that two pro¨ U and cesses can safely interact. Assume that T 6 ¨ V . Using Theorem 6.12 we can deduce T ./ ¨ V; U ./ ¨ then, from Lemma 4.12 we obtain T [] ./ V [], and so by Theorem 5.17, we conclude that T [] k V [] is safe. ¨ U ./ ¨ V , then T [] k V [] is safe. Corollary 6.21. If T 6 7 Session types without types In this section we show how typing rules can arise by applying I/O simulation on specific process and type languages — in our case, (a)sync CCS and session types.

(2c) 7.1 From semantics to syntax

Intuitively, p ? q requires that, whenever p and q reach some states p0 , q 0 through the same weak transitions and ?a is persistent in q 0 (possibly after some outputs), then it must also be reachable in p0 (possibly after some outputs). Example 6.19. Consider T and U from Example 6.16. We have that: a. b. c. d.

T 6? U
¨ ∩ ? U !a.!a.!b.?c 6
¨ ∩ ? recY !a.?c0 .Y ⊕ !b.?c recX !a.?c0 .X 6 ¨ does not hold). !a.?c ? !b.?c0 ⊕ !b0 (while 6

When the relation ? holds, both I/O simulation and the subcontract relation are preserved by buffering. 3 Note also that T [] k V [] is not safe: in fact, according to Definition 5.1, it is an orphan message configuration, with !c orphan message of V [].

Our treatment so far does not depend on a syntactic representation of behaviours in U. In the resulting unifying view, there are no inherent distinctions between processes and types: they are just behaviours in an LTS. This allows us to define relations between objects which ¨ q may relate, say, an belong to different realms: e.g. p 6 async CCS process with a session type. The price for this generalisation seems to be the loss of compositional type systems, which assign types to processes by only reasoning on their syntax. However, we can restore this feature in our framework as follows: 1. choosing a process language and a type language (with their syntax and semantics); 2. encoding types into processes; ¨ on processes, and 3. devising a set of properties for 6 interpreting them as syntax-based typing rules.

A semantic deconstruction of session types

17 P

¨ P +0 P ≈ ¨ Q+P P +Q ≈ ¨ (P + Q) + R P + (Q + R) ≈ ¨ P +P P ≈

¨ P |0 P ≈ ¨ Q|P P |Q ≈ ¨ (P | Q) | R P | (Q | R) ≈

P

i∈I

¨ Qi ∀i ∈ I . Pi 6 (+Ctx) P ¨ `τ i .Pi 6 `τ i .Qi i∈I

P

Q = i∈I ?ai .Qi ¨ Qi ∀i ∈ I . Pi 6

¨ in UaCCS (recall that ≈ ¨ is Table 4: Some properties of ≈ the largest symmetric I/O simulation, by Definition 6.4).

j∈J (?aj .Pj )

Lemma 7.1. The relations in Table 4 hold in UaCCS . We then interpret the semantic equivalences in Table 4 between UaCCS behaviours as a set of syntactic axioms for a relation ≡ between UaCCS terms 5 . Definition 7.2. We define ≡ as the least congruence relation on UaCCS satisfying the axioms in Table 4 (by ¨ with ≡). replacing ≈ As usual, ≡ embodies the commutative monoidal laws for + and | (with 0 as neutral element), and the absorption law for +. We now follow a similar approach, by selecting in Ta¨ on UaCCS beble 5 a set of properties satisfied by 6 haviours. We present these properties as a set of inference rules, whose correctness is established by Lemma 7.3. The intuition behind these rules is the following: ¨ is a precongruence with respect says that 6 to guarded choices; – (+Int) and (+Ext) with K = ∅ correspond to the typical session typing rules for internal/external choices, which add inputs and remove outputs on the LHS; – (+Ext) with K 6= ∅ handles an external choice with timeout (modelled as a τ action), similarly to the Erlang-style receive. . . after. . . behaviour discussed in Question 2; –

4

(+Ctx)

The process calculi used in session types literature are typically variants of the π -calculus. In this work, we focus on the behavioural properties of structured first-order interaction; we thus focus on (async) CCS, abstracting orthogonal aspects such as value and channel passing (see also Section 8.1). 5 We overload the symbol ≡, which was already introduced as a relation between session types in Definition A.1. The relation being used is always clear from the context.

i∈I τ .Pi

k∈K τ .Pk

¨ S R6

(+τ )

¨ Q 6

P

P

¨ Q P 6

¨ Q ∀i ∈ I . Pi 6

We apply this methodology to a concrete case, where at step 1 we choose async CCS (UaCCS ) for processes4 , and async session behaviours (UaST ) for types. For step 2, the encoding J·K from types to processes is just the one given in Definition 2.19. To improve readability, hereafter we shall sometimes omit the buffers [σ] appearing in UaCCS processes. Moreover, when P , Q ∈ UaCCS , ¨ Q to mean ∀σ . P [σ] 6 ¨ Q[σ]. we will write P 6 ¨ For step 3, we aim at a 6-based inductive relation for UaCCS . We start by selecting in Table 4 a few semantic equivalences between UaCCS behaviours.

+

I 6= ∅ (+Int) ¨ Q + !b.Q0 ! a .P 6 i i i∈I

P

¨ Q ∀k ∈ K . Pk 6 ∀j ∈ J \I .aj 6∈ {ai }i∈I

∅ 6= I ⊆ J

P

Q = i∈I !ai .Qi ¨ Qi ∀i ∈ I . Pi 6

¨ Q 6

(+Ext)

ins(P ) ∩ ins(R) = ∅ ins(Q) ∩ ins(S ) = ∅ (|LR)

¨ Q|S P |R 6

P

Q = i∈I !ci .Qi ¨ !a P 00 6 ¨ ?b P0 6

¨ !a. ?b + Q P 0 | P 00 6 P ≡ P0

¨ ?b.Q P 6 (|L)

R=

P

i∈I !ci .Ri

¨ !a + R | ?b.Q !a.P 6

¨ Q0 P0 6

(|R)

Q0 ≡ Q (Congr)

¨ Q P 6

¨ in UaCCS . We denote with ins(P ) Table 5: Rules for 6 the set of inputs appearing in the body of P . allows the LHS to aggregate internal choices, provided that all of them are I/O simulated by Q; ¨ is almost a precongruence w.r.t. – (|LR) states that 6 parallel composition — but further requires that the inputs of the parallel components do not overlap (and thus, cannot compete for synchronising on the same output); – (|L) exploits the asynchronicity of UaCCS , by allowing an output and an input in parallel on the LHS, when they are sequentially composed in the RHS; – (|R) is roughly symmetrical, by allowing the LHS to be the sequential composition !a.P when !a and ?b are in parallel on the RHS. –

(+τ )

Lemma 7.3. The rules in Table 5 hold in UaCCS . As prescribed by step 3, we now interpret the properties in Table 5 as syntax-based typing rules for UaCCS . ¨ as the least relation beDefinition 7.4. We define 4 tween UaCCS terms satisfying the rules in Table 5. Example 7.5. From Section 3, recall Alice’s type TA00 and process PA00 when she is late for work. TA00 = !aCoffee.!pay.?coffee

PA00 = !aCoffee.(?coffee | !pay)

We have the following type encoding in CCS: JTA00 K = !aCoffee.!pay.?coffee We have the following typing derivation: (+Ctx)

¨ J0K 04 ¨ J!payK !pay 4

?coffee | !pay ≡

(+Ctx)

¨ J0K 04 (+Ctx) P ¨ J?coffeeK ?coffee 4 0 ≡ i∈∅ !ci .Qi ¨ J!pay.?coffeeK + 0 ≡ J!pay.?coffeeK !pay | ?coffee 4 ¨ J!pay.?coffeeK ?coffee | !pay 4

(+Ctx)

¨ JTA00 K !aCoffee.(?coffee | !pay) 4

(+Ctx)

(|L) (Congr)

18

M. Bartoletti, A. Scalas, R. Zunino

7.2 Handling recursion The typing rules introduced so far can be applied to all UaCCS terms (including those involving recursion), yet no rule allows to operate under recursion. In this section we show how to overcome this limitation. E.g., consider: P = µX !a.X

Q = µX !a.X + !b

(3)

¨ X (based on X 6 ¨ X, that If we add the axiom X 4 holds since X has no transitions), by applying rule (+Int) ¨ !a.X + !b; from this, we would we would obtain !a.X 4 ¨ like to deduce P 4 Q — coherently with the fact that ¨ Q holds. By considering this example, it would P 6 be tempting to also add a typing rule which allows to ¨ µX Q0 whenever P 0 4 ¨ Q0 . However, in deduce µX P 0 4 the general case, this would be unsound. For instance: P = µX !a.X

R = µX !a.X + !b.?c

(4)

would be a counterexample. Indeed, using the proposed axiom and rule, together with (+Int), we would obtain ¨ R — yet we do not have P 6 ¨ R. Recall that we P 4 chose to operate in the asynchronous setting, and we ??c ?c have R[σ]=⇒ but P [σ]6= ⇒. To rule out these problematic cases, we restrict our syntax-based typing to CCS – , a fragment of async CCS which is expressive enough for the examples in Section 3. Definition 7.6 (CCS – ). CCS – terms have the syntax: P P | Q X µX P P , Q ::= i∈I `τ i .Pi where we stipulate that: a. in µX P , each P X is guarded in some subterm `.X; b. if a choice i∈I Pi appears under µX , and some Pi contains an input, then each X occurs after an input. The semantics of CCS – is inherited from that of CCS. − We denote by UaCCS the resulting async behaviours. – CCS processes not containing | are said sequential. Unless otherwise specified, hereafter we will use P , Q, R, S to denote CCS – terms, only. We will also adopt the Barendregt convention [7, §2.1.13] that no bound X can occur free or in two different bindings. The issue highlighted in Equation (4) is solved, because R does not satisy condition b. Note that, e.g., both Q in Equation (3) and Q0 = µX !a.0 + !b.?c.!d.X are CCS – terms. Indeed, in Q0 the branch without inputs is non-recursive, while X occurs after an input. The guardedness condition for recursion variables (clause a) comes from our original CCS fragment. ¨ Lemma 7.7 provides an induction principle for 6. –

Lemma 7.7. Let µX P and Q be sequential CCS terms. ¨ Q, then µX P 6 ¨ Q. If P [Q/X ] 6

Intuitively, Lemma 7.7 is reminiscent of the standard argument in domain theory, stating that if x is a prefixed point of f , i.e. f (x) v x, then fix f v x. ¨ of Section 7.1 to We now extend the type system 4 – deal with recursive CCS terms. Definition 7.8. Let Γ be a mapping from recursion ¨ Γ is the relation bevariables to CCS – terms. Then, 4 tween CCS – terms inductively defined by the rules ob¨ with 4 ¨ Γ in Table 5, and by the tained by replacing 6 following additional rules: Γ (X) = Q ¨Γ Q X4

(S-Var)

¨ Γ ,X:Q Q P 4

P , Q sequential ¨ µX P 4Γ Q

(S-µL)

¨ Γ Q[µX Q/X ] P 4 ¨ Γ µX Q P 4

(S-µR)

¨ Q instead of P 4 ¨ ∅ Q. We will often write P 4 The rules in Definition 7.8 are mostly straightforward: uses the environment, requiring the hypothesis that X expands into a behaviour I/O simulated by Q; – (S-µL) consumes such an hypothesis, introducing recursion on the LHS: the intuition is that, in the rule premise, the LHS is I/O simulated by the RHS when Q replaces X in P ’s body, similarly to the premise of Lemma 7.7; – (S-µR) allows to unfold a recursion on the RHS, when going upwards in a derivation.

–

(S-Var)

¨ satisfies the following weakening property. The relation 4 ¨ For all Γ such Proposition 7.9 (Weakening for 4). ¨ Γ Q implies P 4 ¨ Γ ,X:R Q. that X 6∈ dom (Γ ), P 4 ¨ Γ Q, the Proof. By induction on the derivation of P 4 result is immediate on all rules.

7.3 An I/O simulation-based type system ¨ Γ can We can now show that the syntactic rules for 4 − be a basis for a type system for UaCCS . The correctness ¨ w.r.t. 6 ¨ is formalised in Corollary 7.11 below; this, of 4 in turn, is based on Theorem 7.10, which shows how the environment in each derivation step is used to construct an intermediate I/O simulation relation. ¨ Γ Q, then P Γ 6 ¨ Q. Theorem 7.10. If P 4 When Γ = ∅, Theorem 7.10 has the following corollary: ¨ Q, then P 6 ¨ Q. Corollary 7.11. If P 4 We can now define a syntax-directed typing judgement, relating CCS – terms with session types. To this purpose, we exploit the encoding in Definition 2.19.

A semantic deconstruction of session types

Definition 7.12 (Type system). When JT K is a CCS – ¨ Γ JT K. term, we write Γ ` P : T whenever P 4

The condition on JT K in Definition 7.12 is necessary because the encoding of recursive session types does not always respect condition b of Definition 7.6: see, for instance, U = recY !a.X ⊕ !b.?c (from Example 6.16) and its encoding JU K = µX !a.X + !b.?c.

Example 7.13. From Section 3, recall the bartender’s process Q00B that stops selling beer after a certain hour, the bartender type UB , and its encoding in CCS (which is also a CCS – term): Q00B = µY (?aCoffee.!coffee.Y + ?aBeer . (!beer.Y + !no.Y ) + ?pay)
+ τ .µZ (?aCoffee.!coffee.Z + ?aBeer.!no.Z + ?pay) UB = recX (?aCoffee.!coffee.X & ?aBeer.(!beer.X ⊕ !no.X) & ?pay) JUB K = µX (?aCoffee.!coffee.X + ?aBeer . (!beer.X + !no.X) + ?pay)

We want to prove ` Q00B : UB . First of all, for Q00B we show a typing derivation for the term under Z-recursion µZ ?aCoffee.. . .. Letting Γ = Z : JUB K, we have the derivation shown in Table 6. Secondly, let D indicate such a derivation, starting from the instance of rule (S-µL) (i.e., excluding the application of Definition 7.12). We reuse D in the derivation for the term under Y recursion in Q00B , where it provides a premise for applying rule (+Ext) from Table 5. Letting Γ 0 = Y : JUB K, we obtain the derivation in Table 7. Theorem 7.14 below states the correctness of our typing discipline. Suppose you have a process P with type T , and a process Q with type U . If T [] and U [] are I/O compliant, then P [] and Q[] are I/O compliant, too. Thus, we have that P [] k Q[] is safe (by Theorem 5.17). Theorem 7.14 (Correctness). If ` P : T and ` Q : U ¨ U [], then P [] ./ ¨ Q[]. with T [] ./ ¨ JT K; by PropoProof. From Definition 7.12 we have P 4 sition 2.20, Definition 7.8 and Corollary 7.11 it follows ¨ T []. Similarly, Q[] 6 ¨ U []. Since P [] 6 ¨ T [] ./ ¨ U [], by P [] 6 ¨ U [] ./ ¨ U []. Since Q[] 6 ¨ P [], Theorem 6.12 it follows P [] ./ ¨ P []. then by Theorem 6.12 we conclude Q[] ./ We stress that the above result is obtained just by exploiting the properties of I/O simulation, without explicitly proving subject reduction. ¨ U In the synchronous setting we can deduce T ./ either via model checking (since T and U are finite state), or using syntax-driven techniques (e.g., those in [4]); this result is lifted to the async case by Lemma 4.12. If both T and U can be encoded in CCS – , we can reason on ` P : T and ` Q : U on a syntax-driven basis, through the rules in Definition 7.8. Note, however, that Theorem 7.14 does not require compliance between synchronous session types. Therefore, the result also holds e.g. for T = !a.?b and U = !b.?a

19

¨ U [] — since in the asynchronous setting we have T [] ./ (even though T ./ 6 ¨ U ). This is a departure from traditional session typing systems, that restrict compliance to (synchronous) duality; for further discussion, see Examples 7.15 and 7.16 below. Example 7.15. Recall ` PA00 : TA00 from Example 7.5, and consider the bartender processes QB , Q00B and type UB from Section 3. We can easily obtain ` QB : UB . There¨ TA00 [], fore, since in Example 4.10 we determined UB [] ./ 00 ¨ PA []; hence, by Theoby Theorem 7.14 we have QB [] ./ rem 5.17 we have that QB [] k PA00 [] is safe. Note that this result exploits asynchrony both via I/O compliance and ¨ TA00 [], albeit via typing: in fact, this is based on UB [] ./ UB ./ 6 ¨ TA00 (as discussed in Example 4.10); moreover, the typing judgement ` PA00 : TA00 uses rule (|L). Example 7.16. Recall ` PA00 : TA00 from Example 7.5, and consider Example 7.13, where we show ` Q00B : UB . ¨ PA00 [], and by TheoBy Theorem 7.14 we have Q00B [] ./ 00 rem 5.17 we conclude that QB [] k PA00 [] is safe. Note that this result, as in Example 7.15, is based on asynchronous semantics, and would not hold in the synchronous setting. The previous examples (in particular, Example 7.13) show that our syntax-driven rules allow to type an Erlang-style receive. . . after. . . behaviour, featured in the bartender process.

8 Related work This work corresponds to a thoroughly revised and improved version of [12]. The main differences between the two papers are summarized as follows: – the definition and results on safety (Section 5) are new; ¨ is now larger, and thus able – the I/O simulation 6 to relate more compliance-preserving behaviours; – the typing relation in Section 7 has been also enlarged, and its definition streamlined and simplified, bringing it closer to an algorithm; – we correct a mistake in [12], i.e. the fact that the counterpart of Theorem 6.20 lacked the ? relation in its hypotheses; – we include the proofs of all results. Session types were introduced by Honda et al. in [49, 50,72], as a type system for communication channels in a variant of the π-calculus. The resulting concept of structured communication-based programming has been the cornerstone on which a thriving research trend has been developed throughout the following decades. Beyond the π-calculus, session types have been later on applied

20

M. Bartoletti, A. Scalas, R. Zunino

Γ (Z ) = JUB K Γ (Z ) = JUB K

¨ Γ JUB K Z4

¨ Γ JUB K Z4

(S-Var) (+Ctx)

¨ Γ J!no.UB K !no.Z 4 (+Int) ¨ !no.Z 4Γ J!beer.UB ⊕ !no.UB K

(S-Var) (+Ctx)

(+Ctx)

¨ Γ J0K 04

(+Ctx) (+Ctx)

¨ Γ J?aBeer. (!beer.UB ⊕ !no.UB )K ¨ Γ J?payK ¨ Γ J!coffee.UB K ?aBeer. !no.Z 4 ?pay 4 !coffee.Z 4 (+Ctx) (+Ctx) ¨ ¨ ?aCoffee. !coffee.Z 4Γ J?aCoffee. !coffee.UB K ?aBeer. !no.Z + ?pay 4Γ J?aBeer. (!beer.UB ⊕ !no.UB ) & ?payK (+Ext) ¨ Γ J?aCoffee. !coffee.UB & ?aBeer. (!beer.UB ⊕ !no.UB ) & ?payK ?aCoffee. !coffee.Z + ?aBeer. !no.Z + ?pay 4 (S-µR) ¨ Γ JUB K ?aCoffee. !coffee.Z + ?aBeer. !no.Z + ?pay 4 ¨ JUB K µY ?aCoffee. !coffee.Z + ?aBeer. !no.Z + ?pay 4 ` µZ ?aCoffee. !coffee.Z + ?aBeer. !no.Z + ?pay : UB

(S-µL)

(Definition 7.12)

Table 6: Typing derivation for the running example (I). Γ 0 (Y ) = JUB K Γ 0 (Y

) = JUB K

¨ Γ 0 JUB K Y 4

¨ Γ 0 JUB K Y 4

(S-Var)

¨ Γ 0 J!coffee.UB K !coffee.Y 4

(+Ctx)

Γ 0 (Y ) = JUB K

(S-Var)

¨ Γ 0 J!beer.UB K !beer.Y 4

(+Ctx)

¨ Γ 0 JUB K Y 4

(S-Var)

¨ Γ 0 J!no.UB K !no.Y 4

(+Ctx) (+Ctx)

¨ Γ 0 J!beer.UB ⊕ !no.UB K !beer.Y + !no.Y 4 (+Ctx) ¨ Γ 0 J?aBeer. (!beer.UB ⊕ !no.UB )K ?aBeer. (!beer.Y + !no.Y ) 4

¨ Γ 0 J0K 04

(+Ctx)

¨ Γ 0 J?payK ?pay 4

(+Ctx)

¨ Γ 0 JUB K ?aCoffee. !coffee.Y + ?aBeer. (!beer.Y + !no.Y ) + ?pay + τ .µZ ?aCoffee. !coffee.Z + ?aBeer. !no.Z + ?pay 4 (S-µL) ¨ JUB K Q00 4 B

` Q00 B : UB

D (+Ext, S-µR)

(Definition 7.12)

Table 7: Typing derivation for the running example (II). D is the derivation starting from (S-µL) in Table 6. Note that in this derivation, the environment Γ 0 is larger than the empty environment at the root of D. However, D “still works”, and can be simply rewritten with Γ 0 at its root, by Proposition 7.9. to other calculi and programming languages. However, most approaches do not allow to express the Erlang receive. . . after. . . construct discussed in Question 1. Also in [62], which devises a session type system for the featherweight Erlang language, such problematic pattern is omitted. While adapting the type system of [62] to cope with the receive. . . after. . . construct should be feasible, our approach allows the construction of the ¨ to be driven by type system (in our case, the rules for 4) an explicit underlying semantic notion (I/O simulation).

8.1 Other foundational approaches to session types Most approaches to session types (like e.g. [73]) focus on a specific syntax of processes, which constrains their LTS; further, they often give semantics to processes, but not to types. A more semantics-oriented approach is the one in [29]. While types and processes follow a given syntax, they are both equipped with a higher-order LTS semantics, and most definitions depend on the LTS semantics, only, without inspecting the syntax of types and processes. For instance, the duality and subtyping relations are based on the “may output” and “must input” relations, which only rely on the LTS semantics. Our approach shares similar insights: for instance, also

our theory deals with inputs and outputs in an asymmetric way, and uses “persistent inputs” in key definitions, such as I/O simulation and safety. The main difference between our work and [29] is that we do not fix a syntax of processes/types, by focusing instead on a first-order I/O LTS populated by both processes and types. In this way, we can reason on behaviours which are not directly expressible in [29], e.g. the Erlang pattern receive. . . after. . . . However, while our types are first-order LTSs, those in [29] are higher order, as action labels can be types themselves. Both our theory and [29] consider some form of asynchrony: while we deal (in the same framework) with synchronous and FIFO-buffered behaviours, [29] implements a weaker form of asynchrony, inspired by [33]. Our approach is similar to [28,31, 32] with respect to various aspects: for instance, (a) the common inspiration to [39] for the (synchronous) session types semantics, (b) the idea of representing processes and contracts/types in the same LTS, (c) the aim to overcome the rigid internal/external choices dichotomy required by session types, emerging both at type and process levels. In [31], it is assumed that some type system can abstract processes P, Q (expressed in any calculus) into contracts. This type system must be “consistent” and “informative”, by preserving some essential properties

A semantic deconstruction of session types

like e.g. visible actions and internal non-determinism. A result in [31] is that if the abstractions of P, Q are compliant, then P, Q will be compliant as well. A similar abstraction is at the root of our approach. The works [47,44] study subtyping for binary session types, focussing on communication channel replaceability [70]. The intuition is the following: consider a type U and its subtype T , and a program P interacting through a channel; then, a channel typed with T is “less demanding” for P w.r.t. a channel typed with U — i.e., if P correctly uses an U -typed channel, then it can also correctly use a T -typed channel. This holds because T allows P to choose among “more” possible outputs, and mandates “less” inputs to be enabled, w.r.t. U . In the present work, we look at behaviours as if we were on the other endpoint of a channel, and so the co/contravariance rules are reversed. As a consequence, a subtype of a behaviour q is I/O compliant with all the behaviours compliant with q (and possibly with more, see Theorem 6.12). Subtyping relations with the same ordering ¨ are studied in [26, 27, 40], while the direction of the of 6 subcontract relations in [29,31] is opposite to ours. A discussion on the channel-oriented and process-oriented views of subtyping is in [46]. Besides the direction of the relation, there are other differences between [31] and this paper. For instance, some desirable subtypings like ?a & ?b 6v ?a do not hold in the strong subcontract relation of [31]. However, these are restored through a “weak” subcontract relation, which exploits filters to resolve external non-determinism. In [4,5,6], session types are equipped with first-order and higher-order LTS semantics, and studied under different notions of client-server compliance (e.g., allowing the client to terminate interaction or to skip messages). A similar line of research is taken in [14, 15], which shows an encoding of session types into the contracts of [31], which preserves (and reflects) a subtype relation. Our paper is also focussed on preorders, but compared to [4, 5, 6,14, 15] we work in a language-independent setting, restricting to first-order behaviours. 8.2 Multiple participants and multiple sessions Many recent works extend the session types discipline to the multiparty case, starting from [51]. In this setting, the application designer specifies the overall communication behaviour of a set of participants through a choreography, which enjoys some correctness properties (e.g., safety and progress). The overall application is the result of the composition of a set of processes, which are distributed over the network, and interact through a multiparty session. To ensure the correctness of this composition, the choreography is projected into a set of local ses-

21

sion types, which abstract the end-point communication behaviour of processes: if each process is type-checked against its session type, the composition of services preserves the properties enjoyed by the choreography. The crucial technical difference w.r.t. binary session types is that, in local multiparty session types, input/output actions target the specific participant from/to which a message should be received/sent; correspondingly, a process typechecks only if its input/output actions target the correct participants. Extending our theory of binary session types to the multiparty case would require to extend the compliance and subtyping relations to capture the role of each type/process, and then to produce the syntax-based typing rules. Some insights come from [30], which aims at a semantic understanding of choreographies. Another orthogonal issue of the multiparty case is how to guarantee correct interactions in the presence of multiple interleaved sessions. To deal with this case, one could take inspiration from [11,67], which introduce type systems for ensuring liveness in the presence of multiple interleaved sessions, and [13], which relates deadlockfreedom within single sessions to deadlock-freedom of processes which juggle with multiple sessions. 8.3 Asynchrony and session types Asynchronous binary session types have been addressed in [65], where type equivalence up-to buffering was defined over traces, and then approximated via syntaxbased rules. In the setting of multiparty session types, [61, 63, 64] study subtyping with “safe” partial commutativity allowed by asynchrony. These works also tackle possible optimisations allowed by buffering, similarly to our asynchronous Alice-Bartender interaction (Section 3). In [35,36] it is noted that the asynchronous subtyping of [61] guarantees progress, but does not offer guarantees about orphan messages: e.g., in case of recursive types, a program matching the subtype may never read some messages from its queues. For this reason, [35,36] propose a new asynchronous subtyping relation for binary session types, and they prove it to be precise w.r.t. orphan messages and other errors. While our focus is on preservation of compliance and subtyping under buffering, the work [54] studies a bisimulation to relate processes which communicate via unbounded buffers. The expressiveness of (multiparty) session types with different kinds of FIFO buffers is investigated in [41]. In particular, they prove that, in the binary case, one output FIFO buffer per participant (as in our Definition 2.11) allows to obtain the same communication traces as other, more complex representations — e.g., adding both input and output FIFOs,

22

as in [54]. Several other works address asynchronous session types, e.g. [45, 37, 18].

8.4 Compliance and safety Many different notions of “correct interaction” have been considered in the literature. These notions typically restrict progress, by preventing infinite traces of two behaviours which never interact [55], or by exploiting must-testing [2] and should -testing [21,1]. Our I/O compliance is related in [10] to some of these notions. The notion of compliance in [66] can relate behaviours which enjoy progress after a (finite-state) orchestrator has rearranged their messages. This notion is unrelated to I/O compliance: on the one hand, the latter cannot rearrange messages; on the other hand, I/O compliance has no fixed bound on the size of the buffers. For instance, the async behaviours !a.?b.!a2 .?b2 · · · !an .?bn · · · and !b.?a.!b2 .?a2 · · · !bn .?an · · · (where !am is a sequence of m !a) are I/O compliant, but they are not compliant according to [66], as orchestrators must be finite-state. Several works define notions of compliance for multiparty interactions [22,23,9,42]. For instance, the notions in [22,23] are based on should-testing on CCS-like processes which interact through FIFO buffers. This approach is similar to our pairing of session types and CCS terms with queues, except that we embed buffers within processes, and represent enqueueing with an internal action, whereas [23] adds explicit labels signalling enqueueing/dequeueing of messages. Compliance among CFSMs [19] is usually called safety, and it typically requires deadlock-freedom and the absence of orphan message and unspecified reception configurations. In our framework, two behaviours with unbounded buffers can be seen as a system of CFSMs, albeit the resulting LTS is slightly different: e.g., in our setting, an output is added to a buffer with a τ -transition, and consumed with a τ -synchronisation; in CFSMs, an output !a is buffered with a visible !a-transition, and is consumed with a visible ?a-transition. The notion of safety introduced in Section 5 is inspired to those for CFSMs, although deadlock-freedom is not explicitly mentioned in Definition 5.15, as it is already implied by the other requirements (Proposition 5.16). As discussed in Example 5.11, our notion of orphan message is stricter than the ones in [56,42]. For instance, consider T = recX !a.X and U = recY !b.Y . The composition T [] k U [] is deadlock-free and does not reach unspecified reception configurations; by Definition 5.1, however, it is an orphan message configuration (because outputs are sent but never received), and therefore not safe. According to the definitions in [56,42],

M. Bartoletti, A. Scalas, R. Zunino

instead, such a configuration is considered safe: in fact, a message is an “orphan” when the machines terminate with non-empty buffers. A notion of “orphan message” closer to ours is studied in [36,35], where a process is said to “orphan” a buffered message when it has no chance to read it in the future — even though the process itself is not terminated. A difference w.r.t. our approach is that, in [36, 35], buffers are not introduced at the types level, but at the level of π-calculus processes. The asynchronous subtyping in [36,35] allows to swap the order of input/output actions under certain conditions. Our subtyping (i.e., ¨ is generally more restrictive in the I/O simulation 6) reordering of input/output actions, even in presence of buffers: e.g., !a.?b[] 6 6 ¨ ?b.!a[], but the two behaviours would be related by the subtyping in [36, 35]. However, in our setting, we support a similar kind of swapping ¨ !b.?a[], which through I/O compliance: e.g., !a.?b[] ./ is not allowed by the “compliance” (i.e., the session types duality) adopted in [36,35]. Hence, we conjecture that the type relations captured by type duality and asynchronous subtyping in [36,35] correspond to those ¨ on session types with ¨ and 6 captured by combining ./ asynchronous semantics; the latter, however, can cover more general cases of asynchrony (e.g., the parallel composition in Question 3).

8.5 Timeouts and exceptions The works [8,17,16,25,52] enrich session types with new constructs and messages for handling timeouts and exceptions. In particular, [25,52] mark where an exceptional event might occur within a protocol, how it can be handled at runtime; moreover, they introduce run-time monitoring to ensure proper coordination of the communicating processes. The works [8,17,16] add timing constraints to, respectively, binary session types, multi-party session types, and CFSMs. Although the present work does not fully address these problems, we can model some simple cases of exception handling without requiring dedicated constructs. For instance, our running example in Section 3 shows a case in which a timeout event (abstracted as a τ -transition) interrupts an external choice. Such events can also be expressed in the CCS – fragment used in Section 7, where subtyping ¨Γ. is syntactically defined by the relation 4

9 Conclusions We have studied session types from a semantic perspective. To this purpose, we have interpreted some standard

A semantic deconstruction of session types

notions on session types on the general semantic framework of Labelled Transition Systems. This allowed us to extend some notions and results beyond session types, in a syntax-agnostic way. While we mostly focused on behaviours arising from (synchronous and asynchronous) session types and CCS, we believe that our approach can be applied to analyse the properties of other behaviours — e.g. the LTS semantics of other process calculi and programming languages.

9.1 Summary of the main results We now briefly recap the main results of our paper. For simplicity, here we only use the symmetric I/O com¨ A first remarkable result, following pliance relation ./. from Theorem 4.9, is that I/O compliance is stricter than progress, and that the two relations coincide on synchronous session types: ¨ q, then p a` q. If p, q are synchronous Theorem. If p ./ ¨ q. session types and p a` q, then p ./ In Theorems 5.17 and 5.20 we have shown that, on general behaviours, I/O compliance implies safety, i.e. absence of deadlocks, orphan messages and unspecified reception configurations. Moreover, the two relations coincide for asynchronous session types: ¨ q, then p k q is safe. If p, q are asynTheorem. If p ./ ¨ q. chronous session types and p k q is safe, then p ./ In Theorems 6.10 and 6.12 we have shown that I/O ¨ is an I/O compliance-preserving (and thus, simulation 6 safety-preserving) preorder for general behaviours. ¨ is a preorder, and p 6 ¨ q ./ ¨ r Theorem. The relation 6 ¨ r. implies p ./ In Theorems 4.13 and 6.20 we have shown that I/O compliance is preserved when passing from synchronous to asynchronous semantics of session types; to preserve I/O simulation, an additional relation ? (Definition 6.18) is required. Theorem. For all session types T , U : ¨ U , then ¨ U []. – If T ./
T [] ./ ¨ ∩ ? U , then T [] 6 ¨ U []. – If T 6 ¨ Our typing system is semantically grounded on 6 ¨ and ./, and it enjoys the following correctness property: in the asynchronous setting, if two CCS processes are typeable with session types which are I/O compliant, then also the processes are I/O compliant. Therefore, they can safely interact. Theorem 7.14 (Correctness). If ` P : T and ` Q : U ¨ U [], then P [] ./ ¨ Q[]. with T [] ./

23

Remarkably, our type system allows to syntactically type our examples from Section 3. Since these examples feature asynchronous semantics and external choices mixed with τ -transitions, at least in this case we can say that our approach gives a positive answer to Questions 2 and 3 in Section 1. 9.2 Future work A possible extension to our work is to allow for the communication of channels, which is a common feature in many works on session types [53]. This should be feasible by enriching the labels of I/O LTSs to also cater for channel transmission. Modelling higher-order calculi could be feasible by employing a translation of higherorder LTSs into first-order ones, as done e.g. in [58]. Some questions about I/O compliance/simulation and our type system remain open. For instance, in this work we have not dealt with the decidability of these notions. Clearly, I/O compliance/simulation are decidable for finite-state behaviours, while they seem to be undecidable in the general case, and also in the specific case of asynchronous session types. For instance, the works [48,11] prove that, for (binary, first-order) asynchronous session types, some compliance relations which are close to our notion of safety are undecidable. Instead, the works [57,20] prove undecidability of asynchronous subtyping. We do not expect that these results apply ¨ on asynchronous session types, since 6 ¨ directly to 6 is more restrictive and closer to the (decidable) synchronous subtyping (as discussed in Section 8). Some works propose decidable, sound approximate techniques to check safety in CFSMs [56]. Since asynchronous session types are a special case of CFSMs, these techniques can also be applied in this setting. We expect that analogous results can be obtained for I/O simulation: in particular, is should be possible to soundly approximate I/O simulation via an axiomatization, in the spirit of ¨ which we conjecture to be our syntactic relation 4, decidable. ¨ is not a precongruence on CCS: for Note that 6 ¨ ?a.P but ?b + τ .?a.P 6 instance, τ .?a.P 6 6 ¨ ?b + ?a.P . A relevant question on I/O simulation is how to devise a stricter relation which is also a precongruence on an expressive calculus, like CCS or CCS – . In CCS – , the task is simplified by the requirement of guarded sums (Definition 7.6), that rules out the example above. The main difficulties, however, are due to parallel composi¨ ?a and ?b.!c 6 ¨ ?b.!c, but tion: e.g., we have ?a + ?b.0 6 ?a + ?b.0 | ?b.!c 6 6 ¨ ?a | ?b.!c — because the (persistent) ?b-prefix of ?b.0 (on the LHS) and ?b.!c (on the RHS) ¨ ?a | !c (which is cause Definition 6.4 to require ?b.!c | 0 6 false). For this reason, rule (|LR) (Table 5) constrains the

24

M. Bartoletti, A. Scalas, R. Zunino

inputs of the composed processes; different approaches might be possible, and can be investigated — albeit ¨ they seem to lead to rather strict subsets of 6. ¨ Finally, the syntactic relation 4 in Section 7.1 can be extended in several directions. The addition of new rules is generally possible and pretty straightforward, under the approach we followed in Table 5: assuming some I/O simulations in the premises, and constructing a new one in the conclusions. As an example, the “τ laws” from [59, §3.2] can be integrated. Another possible ¨ is an additional rule for “interruptible” extension to 4 external choices, such as: P Q ≡ i∈I ?ai .Qi K 6= ∅ ¨ Q ¨ Qi ∀k ∈ K . Pk 6 ∀j ∈ J, i ∈ I . aj = ai =⇒ Pj 6 P P ¨ (?a .P ) + τ .P 6 Q j j k j∈J k∈K

(+Ext2)

The difference between (+Ext) in Table 5 and (+Ext2) above is that the latter does not require the “immediate” input transitions of P to be a superset of those of Q — provided that the continuations of overlapping inputs are within the relation, and also the continuation after each τ -branch (of which at least one must exist) is within the relation. With such rule, the following bartender process has also type UB (Section 3): µY ?aCoffee. !coffee.Y
+ τ .µZ (?aCoffee. !coffee.Z + ?aBeer. !beer.Z + ?pay)

This process models a bartender that initially only serves coffees, and after an internal move τ , starts serving both coffees and beers. The further investigation of these ¨ is left as future work. extensions of 4 References 1. van der Aalst, W.M.P., Lohmann, N., Massuthe, P., Stahl, C., Wolf, K.: Multiparty contracts: Agreeing and implementing interorganizational processes. Comput. J. 53(1), 90–106 (2010). DOI 10.1093/comjnl/bxn064 2. Acciai, L., Boreale, M., Zavattaro, G.: Behavioural contracts with request-response operations. In: COORDINATION, LNCS, vol. 6116, pp. 16–30. Springer (2010). DOI 10.1007/978-3-642-13414-2 2 3. de Alfaro, L., Henzinger, T.A.: Interface automata. In: ACM SIGSOFT, pp. 109–120. ACM (2001). DOI 10.1145/ 503209.503226 4. Barbanera, F., de’Liguoro, U.: Two notions of subbehaviour for session-based client/server systems. In: PPDP, pp. 155–164. ACM (2010). DOI 10.1145/1836089. 1836109 5. Barbanera, F., de’Liguoro, U.: Sub-behaviour relations for session-based client/server systems. Mathematical Structures in Computer Science 25(6), 1339–1381 (2015). DOI 10.1017/S096012951400005X 6. Barbanera, F., de’ Liguoro, U.: Loosening the notions of compliance and sub-behaviour in client/server systems. In: ICE, EPTCS, vol. 166, pp. 94–110 (2014). DOI 10.4204/EPTCS.166.10 7. Barendregt, H.: The Lambda Calculus: Its Syntax and Semantics. North Holland (1984)

8. Bartoletti, M., Cimoli, T., Murgia, M., Podda, A.S., Pompianu, L.: Compliance and subtyping in timed session types. In: FORTE 2015, pp. 161–177 (2015). DOI 10.1007/978-3-319-19195-9 11 9. Bartoletti, M., Cimoli, T., Pinna, G.M., Zunino, R.: Contracts as games on event structures. J. Log. Algebr. Meth. Program. 85(3), 399–424 (2016). DOI 10.1016/j.jlamp.2015.05.001 10. Bartoletti, M., Cimoli, T., Zunino, R.: Compliance in behavioural contracts: a brief survey. In: Programming Languages with Applications to Biology and Security, LNCS, vol. 9465. Springer (2015). DOI 10.1007/ 978-3-319-25527-9 9 11. Bartoletti, M., Scalas, A., Tuosto, E., Zunino, R.: Honesty by Typing. Logical Methods in Computer Science Volume 12, Issue 4 (2016). DOI 10.2168/LMCS-12(4:7)2016 12. Bartoletti, M., Scalas, A., Zunino, R.: A semantic deconstruction of session types. In: CONCUR, LNCS, vol. 8704, pp. 402–418. Springer (2014). DOI 10.1007/ 978-3-662-44584-6 28 13. Bartoletti, M., Zunino, R.: On the decidability of honesty and of its variants. In: Web Services, Formal Methods, and Behavioral Types, LNCS, vol. 9421, pp. 143–166. Springer (2015). DOI 10.1007/978-3-319-33612-1 9 14. Bernardi, G., Hennessy, M.: Modelling session types using contracts. In: SAC, pp. 1941–1946. ACM (2012). DOI 10.1145/2245276.2232097 15. Bernardi, G., Hennessy, M.: Using higher-order contracts to model session types (extended abstract). In: CONCUR, LNCS, vol. 8704, pp. 387–401. Springer (2014). DOI 10.1007/978-3-662-44584-6 27 16. Bocchi, L., Lange, J., Yoshida, N.: Meeting deadlines together. In: CONCUR, LIPIcs, vol. 42, pp. 283–296. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2015). DOI 10.4230/LIPIcs.CONCUR.2015.283 17. Bocchi, L., Yang, W., Yoshida, N.: Timed multiparty session types. In: CONCUR, LNCS, vol. 8704, pp. 419– 434. Springer (2014). DOI 10.1007/978-3-662-44584-6\ 29 18. Bonelli, E., Compagnoni, A.: Multipoint session types for a distributed calculus. In: Trustworthy Global Computing, LNCS, vol. 4912, pp. 240–256. Springer (2008). DOI 10.1007/978-3-540-78663-4 17 19. Brand, D., Zafiropulo, P.: On communicating finite-state machines. J. ACM 30(2), 323–342 (1983). DOI 10.1145/ 322374.322380 20. Bravetti, M., Carbone, M., Zavattaro, G.: Undecidability of asynchronous session subtyping. CoRR abs/1611.05026 (2016). URL http://arxiv.org/abs/ 1611.05026

21. Bravetti, M., Zavattaro, G.: Contract based multi-party service composition. In: FSEN, LNCS, vol. 4767, pp. 207– 222. Springer (2007). DOI 10.1007/978-3-540-75698-9 14 22. Bravetti, M., Zavattaro, G.: Towards a unifying theory for choreography conformance and contract compliance. In: Software Composition, LNCS, vol. 4829, pp. 34–50. Springer (2007). DOI 10.1007/978-3-540-77351-1 4 23. Bravetti, M., Zavattaro, G.: Contract compliance and choreography conformance in the presence of message queues. In: WS-FM, LNCS, vol. 5387, pp. 37–54. Springer (2008). DOI 10.1007/978-3-642-01364-5 3 24. Brinksma, E., Rensink, A., Vogler, W.: Fair testing. In: CONCUR, LNCS, vol. 962, pp. 313–327. Springer (1995). DOI 10.1007/3-540-60218-6 23 25. Capecchi, S., Giachino, E., Yoshida, N.: Global Escape in Multiparty Sessions. In: FSTTCS, Leibniz International Proceedings in Informatics (LIPIcs), vol. 8, pp. 338–351 (2010). DOI 10.4230/LIPIcs.FSTTCS.2010.338

A semantic deconstruction of session types 26. Carbone, M., Honda, K., Yoshida, N.: Structured communication-centred programming for web services. In: ESOP, LNCS, vol. 4421, pp. 2–17. Springer (2007). DOI 10.1007/978-3-540-71316-6 2 27. Carbone, M., Honda, K., Yoshida, N.: Structured communication-centered programming for web services. ACM Trans. Program. Lang. Syst. 34(2), 8:1–8:78 (2012). DOI 10.1145/2220365.2220367 28. Carpineti, S., Castagna, G., Laneve, C., Padovani, L.: A formal account of contracts for Web Services. In: WS-FM (2006) 29. Castagna, G., Dezani-Ciancaglini, M., Giachino, E., Padovani, L.: Foundations of session types. In: Proceedings of the 11th ACM SIGPLAN Conference on Principles and Practice of Declarative Programming, PPDP ’09, pp. 219–230. ACM (2009). DOI 10.1145/1599410.1599437 30. Castagna, G., Dezani-Ciancaglini, M., Padovani, L.: On global types and multi-party session. Logical Methods in Computer Science 8(1) (2012) 31. Castagna, G., Gesbert, N., Padovani, L.: A theory of contracts for Web services. ACM TOPLAS 31(5) (2009) 32. Castagna, G., Padovani, L.: Contracts for mobile processes. In: CONCUR, LNCS, vol. 5710. Springer (2009). DOI 10.1007/978-3-642-04081-8 15 33. Castellani, I., Hennessy, M.: Testing theories for asynchronous languages. In: V. Arvind, S. Ramanujam (eds.) FSTTCS, LNCS, vol. 1530, pp. 90–101. Springer (1998). DOI 10.1007/978-3-540-49382-2 9 ec´ e, G., Finkel, A.: Verification of programs with half34. C´ duplex communication. Inf. Comput. 202(2), 166–190 (2005). DOI 10.1016/j.ic.2005.05.006 35. Chen, T.C., Dezani-Ciancaglini, M., Scalas, A., Yoshida, N.: On the preciseness of subtyping in session types. Logical Methods in Computer Science (2017). To appear 36. Chen, T.C., Dezani-Ciancaglini, M., Yoshida, N.: On the preciseness of subtyping in session types. In: PPDP, pp. 146–135. ACM Press (2014) 37. Coppo, M., Dezani-Ciancaglini, M., Yoshida, N.: Asynchronous session types and progress for object oriented languages. In: FMOODS, LNCS, vol. 4468. Springer (2007). DOI 10.1007/978-3-540-72952-5 1 38. De Nicola, R., Hennessy, M.: Testing equivalences for processes. Theor. Comput. Sci. 34, 83–133 (1984). DOI 10.1016/0304-3975(84)90113-0 39. De Nicola, R., Hennessy, M.: CCS without tau’s. In: TAPSOFT, Vol.1 (1987) 40. Demangeon, R., Honda, K.: Full abstraction in a subtyped pi-calculus with linear types. In: CONCUR, pp. 280–296 (2011). DOI 10.1007/978-3-642-23217-6 19 41. Demangeon, R., Yoshida, N.: On the Expressiveness of Multiparty Sessions. In: FSTTCS (2015). DOI 10.4230/ LIPIcs.FSTTCS.2015.560 42. Deni´ elou, P.M., Yoshida, N.: Multiparty compatibility in communicating automata: Characterisation and synthesis of global session types. In: ICALP (2013) 43. Ericsson Computer Science Laboratory: The Erlang programming language (2015). http://erlang.org/ 44. Gay, S., Hole, M.: Subtyping for session types in the Pi calculus. Acta Inf. 42(2) (2005). DOI 10.1007/ s00236-005-0177-z 45. Gay, S., Vasconcelos, V.T.: Asynchronous functional session types. Tech. Rep. 2007–251, University of Glasgow (2007) 46. Gay, S.J.: Subtyping Supports Safe Session Substitution, pp. 95–108. Springer International Publishing, Cham (2016). DOI 10.1007/978-3-319-30936-1 5

25 47. Gay, S.J., Hole, M.: Types and subtypes for client-server interactions. In: ESOP, pp. 74–90 (1999). DOI 10.1007/ 3-540-49099-X 6 48. Gouda, M., Manning, E., Yu, Y.: On the progress of communication between two finite state machines. Information and Control 63(3), 200–216 (1984). DOI 10.1016/S0019-9958(84)80014-5 49. Honda, K.: Types for dyadic interaction. In: CONCUR (1993) 50. Honda, K., Vasconcelos, V.T., Kubo, M.: Language primitives and type discipline for structured communicationbased programming. In: ESOP (1998) 51. Honda, K., Yoshida, N., Carbone, M.: Multiparty asynchronous session types. In: POPL (2008). DOI 10.1145/1328438.1328472 52. Hu, R., Neykova, R., Yoshida, N., Demangeon, R., Honda, K.: Practical interruptible conversations - distributed dynamic verification with session types and python. In: RV, pp. 130–148 (2013). DOI 10.1007/978-3-642-40787-1 8 53. H¨ uttel, H., Lanese, I., Vasconcelos, V.T., Caires, L., Carbone, M., Deni´ elou, P., Mostrous, D., Padovani, L., Ravara, A., Tuosto, E., Vieira, H.T., Zavattaro, G.: Foundations of session types and behavioural contracts. ACM Comput. Surv. 49(1), 3:1–3:36 (2016). DOI 10.1145/2873052 54. Kouzapas, D., Yoshida, N., Honda, K.: On asynchronous session semantics. In: FMOODS/FORTE (2011) 55. Laneve, C., Padovani, L.: The Must preorder revisited. In: Proc. CONCUR, pp. 212–225 (2007). DOI 10.1007/ 978-3-540-74407-8 15 56. Lange, J., Tuosto, E., Yoshida, N.: From communicating machines to graphical choreographies. In: Proc. POPL, pp. 221–232. ACM (2015). DOI 10.1145/2676726.2676964 57. Lange, J., Yoshida, N.: On the undecidability of asynchronous session subtyping. In: FoSSaCS (2017) 58. Madiot, J.M., Pous, D., Sangiorgi, D.: Bisimulations upto: Beyond first-order transition systems. In: P. Baldan, D. Gorla (eds.) CONCUR 2014 – Concurrency Theory, LNCS, vol. 8704, pp. 93–108. Springer (2014). DOI 10.1007/978-3-662-44584-6 8 59. Milner, R.: Communication and concurrency. PrenticeHall, Inc. (1989) 60. Milner, R., Parrow, J., Walker, D.: A Calculus of Mobile Processes, I and II. Information and Computation 100(1) (1992) 61. Mostrous, D.: Session types in concurrent calculi: Higherorder processes and objects. Ph.D. thesis, Imperial College London (2009) 62. Mostrous, D., Vasconcelos, V.T.: Session typing for a featherweight Erlang. In: COORDINATION (2011) 63. Mostrous, D., Yoshida, N.: Session-based communication optimisation for higher-order mobile processes. In: TLCA, pp. 203–218 (2009). DOI 10.1007/978-3-642-02273-9 16 64. Mostrous, D., Yoshida, N., Honda, K.: Global principal typing in partially commutative asynchronous sessions. In: ESOP, pp. 316–332 (2009). DOI 10.1007/ 978-3-642-00590-9 23 65. Neubauer, M., Thiemann, P.: Session types for asynchronous communication. Universit¨ at Freiburg (2004) 66. Padovani, L.: Contract-based discovery of web services modulo simple orchestrators. Theor. Comput. Sci. 411(37) (2010) 67. Padovani, L., Vasconcelos, V.T., Vieira, H.T.: Typing liveness in multiparty communicating systems. In: COORDINATION (2014) 68. Park, D.: Concurrency on automata and infinite sequences. In: Conf. on Theoretical Computer Science, LNCS, vol. 104, p. 167–183. Springer (1981)

26

M. Bartoletti, A. Scalas, R. Zunino

69. Pierce, B.: Types and programming languages. MIT Press, Cambridge, Mass (2002) 70. Pierce, B.C., Sangiorgi, D.: Typing and subtyping for mobile processes. Mathematical Structures in Computer Science 6(5), 409–453 (1996) 71. Sangiorgi, D., Walker, D.: The π -calculus: A Theory of Mobile Processes. Cambridge University Press (2001) 72. Takeuchi, K., Honda, K., Kubo, M.: An interaction-based language and its typing system. In: PARLE (1994) 73. Vasconcelos, V.: Fundamentals of session types. In: M. Bernardo, L. Padovani, G. Zavattaro (eds.) Formal Methods for Web Services, LNCS, vol. 5569, pp. 158–186. Springer (2009). DOI 10.1007/978-3-642-01918-0 4

A Proofs for Section 2 Definition A.1. ≡ is the largest relation between session types coinductively defined by the rules: U ≡ T [recX T/X ]

˘

∀i ∈ I . Ti ≡ Ti0 ˘

i∈I ?ai .Ti ≡

T [recX T/X ] ≡ U (Eq-RecR)

U ≡ recX T

0 i∈I ?ai .Ti

(Eq-Ctx&)

recX T ≡ U

(Eq-RecL)

∀i ∈ I . Ti ≡ Ti0

L

i∈I !ai .Ti ≡

L

0 i∈I !ai .Ti

b. by rule (TRec) (inductive case). Then, T = recX T 00 , τ with premise T 00 [recX T 00/X ]− →. By the L induction hy00 rec T pothesis, we have T [ X 00/X ] ≡ i∈I !bi .Ti , with |I| > 1; by reflexivity of ≡ (Proposition A.2) and (Eq00 RecR), we have T ≡ T 00 [recX T /X ] — and we conclude by transitivity of ≡ (Proposition A.2); – item (iii) . The !a-transition of T can be generated in two

ways: a. by rule (TOut) (base case). Then, T = !a.T 0 . We conclude by reflexivity of ≡ (Proposition A.2); b. by rule (TRec) (inductive case). Then, T = recX T 00 , !a

with premise T 00 [recX T 00/X ]−→. By the induction hypothesis, we have T 00 [recX T 00/X ] ≡ !a.T 0 ; by reflexivity of ≡ (Proposition A.2) and (Eq-RecR), we have T ≡ T 00 [recX T 00/X ] — and we conclude by transitivity of ≡ (Proposition A.2). The main semantic differences between synchronous and asynchronous session types are formalised in Proposition A.4 below: roughly, asynchrony turns sequences of outputs into sequences of τ s, but input transitions and τ -transitions are preserved. For example, we have: ?a

?a

(Eq-Ctx⊕)

(i) ?a.0 −→ 0 becomes ?a.0[] −→ 0[] (i.e., input transitions

are preserved by buffering); τ

τ

Proposition A.2. ≡ is an equivalence relation for session types.

(ii) !a.0⊕!b.0 − → !a.0 becomes !a.0⊕!b.0[] − → 0[!a], and similarly for the !b-branch (i.e., the τ -transition of a non-deterministic

Proof. Reflexivity of ≡ is proved by showing that each pair (T , T ) in the identity relation between session types satisfies the rules in Definition A.1. Symmetry of ≡ is proved by showing that each pair (T , U ) in the relation R = {(T , U ) | U ≡ T } satisfies the rules in Definition A.1. Transitivity of ≡ is proved by showing that each pair (T , U ) in the relation R = {(T , U ) | ∃T 0 : T ≡ T 0 and T 0 ≡ U } satisfies the rules in Definition A.1.

internal choice is preserved in the asynchronous behaviour — where it signals the buffering of the selected prefix); !a

τ

!b

τ

→ !b.0[!a] − → 0[!a. !b] (iii) !a.!b.0 −→ !b.0 −→ 0 becomes !a.!b.0[] −

(i.e., deterministic output transitions are “replaced” with τ s in the asynchronous behaviour). By observing the transitions and the buffer of an asynchronous session behaviour, we can recover information about ?a the corresponding synchronous behaviour: e.g., from T [σ ] −→ ?a

Proposition A.3 below shows that the syntactic form of synchronous session types can be determined by observing their transitions. Proposition A.3. For all T : ˘ ?a (i) T −→ iff T ≡ ?a.T 0 & i∈I ?bi .Ti ; τ

(ii) T − → iff T ≡

L

i∈I !bi .Ti ,

with |I| > 1;

!a

(iii) T −→ iff T ≡ !a.T 0 .

T 0 [σ ] we can infer T −→ T 0 (and therefore, by item (i) of Proposition A.3, T is an external choice). Proposition A.4. For all T , T 0 and σ, ?a

?a

!a

τ

(i) T −→ T 0 iff T [σ ] −→ T 0 [σ ]; τ τ τ (ii) for all a 6= b, T − → !a . T 0 and T − → !b . T 00 iff T [σ ] − → τ 0 00 T [σ . !a ] ∧ T [ σ ] − → T [σ . !b ]; τ

(iii) T −→ T 0 iff T [σ ] − → T 0 [σ . !a] ∧ 6 ∃b 6= a . T [σ ] − → T 0 [σ . !b ]. Proof. =⇒ direction:

Proof. For all items (i) –(iii) , the ⇐= direction follows from

Definition 2.10. For the =⇒ direction, we proceed by induction on the rules in Definition 2.10 generating the transitions: – item (i) .

The ?a-transition of T can be generated in two

ways: ˘ a. by rule (TExt) (base case). Then, T = ?a.T 0 & i∈I ?bi .Ti . We conclude by reflexivity of ≡ (Proposition A.2); b. by rule (TRec) (inductive case). Then, T = recX T 00 , ?a

with premise T 00 [recX T 00/X ]−→. By the induction hy˘ pothesis, we have T 00 [recX T 00/X ] ≡ ?a.T 0 & i∈I ?bi .Ti ; by reflexivity of ≡ (Proposition A.2) and (Eq-RecR), we have T ≡ T 00 [recX T 00/X ] — and we conclude by transitivity of ≡ (Proposition A.2); – item (ii) . The τ -transition of T can be generated in two ways: L a. by rule (TInt) (base case). Then, T = i∈I !bi .Ti , with |I| > 1. We conclude by reflexivity of ≡ (Proposition A.2);

– item (i) : by Proposition A.3 (item (i) ), T is equivalent to a (possibly recursive) external choice with a ?a-branch. From such T , by rules (ruleCExtA) and (TRecA), we obtain

the thesis; – item (ii) : by Proposition A.3 (item (ii) ), T is equivalent

to a (possibly recursive) internal choice with 2 or more branches. From such T , by rules (TIntA) and (TRecA), we obtain the thesis, with !a, !b being the distinct guards of two of the branches of T ; – item (iii) : by Proposition A.3 (item (iii) ), T is equivalent to a (possibly recursive) single-branch internal choice !a.T 00 . From such T , by rules (TOutA) and (TRecA), we obtain the thesis. For the ⇐= direction, we proceed by induction on the rules in Definition 2.11 generating the transitions. The development is similar to the =⇒ direction in the proof of Proposition A.3: we determine the possible syntactic form of T , which may be (up-to recursion) an external choice for item (i) , or an internal choice for items (ii) –(iii) (resp. with

A semantic deconstruction of session types

27

multiple branches including !a and !b, or with just one !abranch). Then, we conclude by the rules in Definition 2.10 (i.e., (TExt) for item (i) , (TInt) for item (ii) , and (TOut) for item (iii) ). The following propositions state that, in an asynchronous session behaviour, an output is only visible when it is at the head of the buffer, and is persistent. !b

!a

Proposition A.5. T [σ ]−→ iff ∃σ 0 . σ = !a.σ 0 . If T = ⇒ T 0 , then τ

∃a . T [σ ] − →

!a T 0 [σ . !b]−→.

Proof. The first part of the statement follows by Definition 2.11. !b

T 0,

For the second part, since ⇒ then by Definition 2.10 it L T = must be T ≡ !b.T 0 ⊕ i∈I !ci .Ti (and in particular, I = ∅ iff !b

T −→ T 0 ). We then conclude by Definition 2.11.

a. T = U˘= 0; L b. T ≡ i∈I ?ai .T i and U ≡ 6 J ⊆ I, j∈J !aj .U j , with ∅ = and ∀j L∈ J . T j a` U j ; ˘ 6 I ⊆ J, j∈J ?aj .U j , with ∅ = i∈I !ai .T i and U ≡ and ∀i ∈ I . T i a` U i .

c. T ≡

Proof. See [4]: the statement for a derives from the proof of Proposition 2.9 therein, while the statement for a` derives from Lemma 3.3 in the same work (modulo two minor differences: in this paper, we postulate that 0 is the success state, and the unfolding of recX · · · does not emit a τ -transition).

¨ ∩C ¨. ¨ = B Lemma 4.5. ./ ¨ ∩ C). ¨ To prove the ¨ ⊆ (B Proof. By Definition 4.4, we have ./ ¨ ∩ C). ¨ Whenever (p, q ) ∈ R, we inverse inclusion, let R = (B ¨ q and q C ¨ p, and: have p B a.

!!a

Proposition A.6. T [σ ]=⇒ iff ∃T 0 . T ≡ !a.T 0

∃σ 0

.σ =

!a.σ 0 ,

or σ =  and

p⇓! ⊆ co(q⇓? )

and p⇓! = ∅ ∧ p⇓? 6= ∅ implies ∅ 6= q⇓! ⊆ co(p⇓? )

and q⇓! ⊆ co(p⇓? )

and q⇓! = ∅ ∧ q⇓? 6= ∅ implies ∅ 6= p⇓! ⊆ co(q⇓? ) ;

Proof. See page 27. Proof. For the ⇐= direction, we have the following two cases: – σ = !a.σ 0 . By Proposition A.5, whenever T [!a.σ 0 ] = ⇒ T 0 [σ 00 ], each τ -transition corresponds to an output of T being enqueued to the buffer. Therefore, σ 00 = !a.σ 0 .σ 000 (for !a

some σ 000 ), and we have T 0 [σ 00 ]−→, from which the thesis follows. – σ =  and T ≡ !a.T 0 . The thesis follows from Definition 2.11. For the =⇒ direction, we proceed by cases on the structure of σ : – σ = !a.σ 0 . The thesis follows trivially; – σ = !b.σ 0 (with b 6= a). In this case, by Definition 2.11 !a

!!a

we have T [σ ]= 6 ⇒ — and therefore, T [σ ]= 6 ⇒ (contradiction); – σ = . Then either: ˘ !c – T ≡ i∈I ?bi .T i . Then, by Definition 2.11, ∀c . T [σ ]= 6⇒ !!a

— and 6 ⇒ (contradiction); Ltherefore, T [σ ]= – T ≡ i∈I !bi .T i . If |I| 6= 1, we have either: • |I| = 0. Then, T = 0 (since I = ∅), and therefore !!a

T []= 6 ⇒ (contradiction); • |I| > 1. Then, since the guards of ⊕ are pairwise !a

τ

distinct, ∃i ∈ I . bi = 6 a. Hence, T [] − → Ti [!bi ]= 6⇒ !!a

(by Definition 2.11), and therefore T [σ ]= 6 ⇒ (contradiction). We are left to examine the case |I| = 1: we have τ T [] ≡ !b.T 0 [] − → T 0 [!b] for some b ∈ I = {b} and T 0 . !a

If b 6= a, by Definition 2.11 we have T 0 [!b]= 6 ⇒, and thus !!a

T [σ ]6=⇒ (contradiction). Therefore, we conclude that T ≡ !a.T 0 (for some T 0 ).

co(`)

`

¨ q0 b. p − → p0 ∧ q −−−−→ q 0 implies p0 B co(`0 )

0

` ¨ p0 ; and q −→ q 0 ∧ p −−−−→ p0 implies q 0 C τ τ 0 0 0 ¨ ¨ p; c. p − → p implies p B q and q − → q implies q 0 C τ τ ¨ q 0 and p − ¨ p0 . d. q − → q 0 implies p B → p0 implies q C

With some simplifications and rearrangements, for all (p, q ) ∈ R, we have: a. p⇓! ⊆ co(q⇓? ) and q⇓! ⊆ co(p⇓? )
and p⇓! = ∅ ∧ p⇓? 6= ∅ implies ∅ 6= q⇓! ⊆ co(p⇓? )
and q⇓! = ∅ ∧ p⇓? 6= ∅ implies ∅ 6= p⇓! ⊆ co(q⇓? ) ; co(`)

`

¨ q0 ∧ q0 C ¨ p0 , b. p − → p0 ∧ q −−−−→ q 0 implies p0 B p0 R q 0 ; τ ¨ q ∧qC ¨ p0 , i.e. p0 R q ; c. p − → p0 implies p0 B τ ¨ q0 ∧ q0 C ¨ p, i.e. p R q 0 . d. q − → q 0 implies p B

Therefore, each (p, q ) ∈ R satisfies items a –d of Definition 4.4 — hence, R is an I/O compliance relation. Further¨ ∩ C) ¨ ⊆ ./ ¨. more, R is symmetric. Thus, R = (B  ¨, B ¨ , ./ ¨ . Then, p = Proposition B.1. Let p ◦ q, with ◦ ∈ C ⇒ p0

implies p0 ◦ q.

¨ We proceed Proof. We first prove the statement for ◦ = C. by induction on the length of the sequence of τ -transitions in p = ⇒ p0 . The base case (n = 0) follows from the hypothesis. τ For the inductive case, let p = ⇒ p∗ − → p0 : by the induction ∗ ¨ q — and we conclude by item c of hypothesis, we have p C Definition 4.4. ¨ is similar, except that we conclude The proof for ◦ = B by item d of Definition 4.4. ¨ follows from Lemma 4.5. Finally, the thesis for ◦ = ./ Proposition B.2. Let p ◦ q, with ◦ ∈ p0 ∧ q = ⇒ q 0 implies p0 ◦ q 0 .

Proposition 4.3 (a/a`-induced shapes of session types). If T a U , then exactly one of the following cases holds:

Proof. Let:

and ∀j L∈ J . T j a U j ; ˘ c. T ≡ 6 I ⊆ J, j∈J ?aj .U j , with ∅ = i∈I !ai .T i and U ≡ and ∀i ∈ I . T i a U i . Furthermore, if T a` U , we have either:



!a ¨, B ¨ , ./ ¨ . Then, p = C ⇒

?a

B Proofs for Section 4

a. T = 0; L ˘ b. T ≡ i∈I ?ai .T i and U ≡ 6 J ⊆ I, j∈J !aj .U j , with ∅ =

i.e.

!a

p= ⇒ p0 −→ p00 = ⇒ p0 ?a

q = ⇒ q0 −→ q00 = ⇒ q0

¨ We first consider the case ◦ = C.By Proposition B.1 on p = ⇒ p0 , ¨ q ; then, by applying Proposition B.1 on q = we have p0 C ⇒ q0 , ¨ q0 . Now, by item b of Definition 4.4), we obtain we have p0 C

28

M. Bartoletti, A. Scalas, R. Zunino

¨ q00 ; finally, again by applying Proposition B.1 on p00 = p00 C ⇒ p0 ¨ q0 . and then on q00 = ⇒ q 0 , we conclude p0 C ¨ is similar. The proof for ◦ = B ¨ follows from Lemma 4.5. Finally, the thesis for ◦ = ./ !a

??a

¨ q and p= Proposition B.3. Let p C ⇒. Then, q ==⇒. Proof. Let q 0 be such that q = ⇒ q 0 . By Proposition B.1 we have ¨ q 0 ; thus, by item a of Definition 4.4, it follows that that p C ?a

p⇓! ⊆ co(q 0 ⇓? ). Therefore, q 0 = ⇒ — from which we conclude ??a

that q ==⇒. w

¨ q implies Corollary B.4. Let w ∈ (A! )∗ , and let p= ⇒. Then, p C co(w)

co(w)

w

¨ q0 . q ===⇒. Moreover, ∀p0 , q 0 . p = ⇒ p0 ∧ q ===⇒ q 0 implies p0 C Proof. The first part of the statemen is proved by induction on w, and follows from Proposition B.1, Proposition B.3 and Proposition B.2. The “moreover. . . ” part, again by induction on w, follows from Proposition B.3. !a ¨ q, with p⇓! = ∅, p⇓? = Proposition B.5. Let p C 6 ∅ and q = ⇒:

co(`)

`

– p− → p0 and q −−−−→ q 0 , for some label `. By definition of k, τ this implies p k q − → p0 k q 0 . By item b of Definition 4.4, we 0 ¨ q0 . conclude that p C

¨ q 0 , thus In all three cases, we have concluded that p0 C satisfying the second clause of F . ¨ U , for all session We now prove that T a U implies T C types T , U . To do that, it suffices to show that a is an I/O compliance relation. Assume that T a U . We show that all the clauses of Definition 4.4 are satisfied: – recall the 3 possible forms of T and U from LProposition 4.3: modulo unfolding, ˘ either T = 0, or T = i∈I !ai .T i (with |I| ≥ 1) and U = j∈J ?aj .U j with I ⊆ J , or vice versa (i.e., T is an external choice and U is an internal choice). Each of these three possible forms satisfies item a in Definition 4.4; – when the premise of item b of Definition 4.4 holds, we have τ T kU − → T 0 k U 0 ; by Definition 4.1, we conclude T 0 a U 0 ; τ – when T − → T 0 (premise of item c of Definition 4.4), by Definition 4.1, we conclude T 0 a U ; τ – similarly, when U − → U 0 (premise of item d of Definition 4.4), by Definition 4.1, we conclude T a U 0 .

??a

then, p==⇒.

B.1 I/O compliance and asynchrony Proof. ∀p0 . p = ⇒ p0 , by Proposition B.1 we have p⇓! = ∅ and ¨ q ; hence, by item a of Definition 4.4), we have ∀p0 . p = p0 C ⇒ p0 !

implies q⇓ ⊆

co(p0 ⇓? ),

i.e.

?a p0 = ⇒.

??a

We conclude that p==⇒.

¨ q, then p a q; (b) if p, q ∈ UST and Theorem 4.9. (a) If p C ¨ q. p a q, then p C ¨ ⊆ a. Let: Proof. We first prove C   τ ∼0 pkq− and 6 → implies p = F (X) = (p, q ) τ pkq − → p0 k q 0 implies (p0 , q 0 ) ∈ X It is easy to check that gfp(F ) = a. By the coinduction proof ¨ ⊆ F (C), ¨ we can deduce that C ¨ ⊆ gfp(F ) = a. principle, if C ¨ ⊆ F (C). ¨ Let p C ¨ q. So, we show that C τ For the first clause of the definition of F , assume p k q6− →. ∼ We show that p has no outgoing transitions (i.e., p = 0) by showing the absurdity of the following cases: τ

– p− →. Not possible, because it would contradict the assumpτ tion p k q6− →. !a

– p−→. By item a of Definition 4.4, we have that p⇓! ⊆ ?a

τ

co(q⇓? ), hence q = ⇒. Note that q6− →, because otherwise τ we would contradict the assumption p k q6− →. Therefore, it ?a

must be q −→, and so by definition of k we would obtain τ p k q− → — contradiction. ?a

!b

τ

τ

– p−→ and @b . p−→. Note that p6− → and q6− →, because otherτ wise we would contradict the assumption p k q6− →. Since ! ? p⇓ = ∅ and p⇓ 6= ∅, by item a of Definition 4.4 we have τ

Lemma B.7 (Sync session behaviours  and async I/O com¨, C ¨ , ./ ¨ . Then, pliance (I)). Let T ◦ U , for some ◦ ∈ `, a, a`, B T [] = ⇒ T 0 [σ ] implies σ .T 0 ◦ U . Proof. We first prove the statement for ◦ = a, and therefore we show that: T a U ∧ T [] = ⇒ T 0 [σ ]

Thus, since p cannot have outgoing transitions, we con∼ 0. clude that p = For the second clause of the definition of F , assume that τ pkq − →. We have the following three cases: τ

– p− → p0 . By definition of k, this implies p k q − → p0 k q . By ¨ q. item c of Definition 4.4, we conclude that p0 C τ – q− → q 0 . Similar to the previous case.

σ .T 0 a U

implies

(5)

If T is equivalent to a (possibly empty) external choice, we τ have T []− 6 →, and hence T 0 = T and σ = : therefore, the thesis coincides with the hypothesis. Otherwise, if T is a non-empty internal choice, we proceed by induction on the length of σ , which (by the semantics in Definition 2.11) corresponds to the number of τ -transitions along T [] = ⇒ T 0 [σ ]: – base case: σ = . Then, T 0 = T and σ = , and therefore

the thesis coincides with the hypothesis; – inductive case: σ = σ 0 . !a, with σ 0 = !b1.. . ..!bn . In this case, τ we have T [] = ⇒ T 00 [σ 0 ] − → T 0 [σ 0 . !a], and by applying the induction hypothesis, σ 0 .T 00 a U . Therefore, by applying Proposition 4.3 for n times along the synchronisations of σ 0 .T 00 and U , we have: ˘ !b1 . !b2 .. . .. !bn .T 00 a U = U1 = ?b1 .U2 & i∈I1 ?bi .U i ˘ !b2 .. . .. !bn .T 00 a U2 = ?b2 .U3 & i∈I2 ?bi .U i ···

!a

that ∅ 6= q⇓! ⊆ co(p⇓? ). Since q6− →, it must be q −→, and so τ by definition of k we would obtain p k q − → — contradiction.

τ

Notation B.6. We write σ .T 0 for the session type obtained by prefixing T 0 with the sequence of outputs σ.

!b n

.T 00 T 00

a

Un

= ?bn .Un+1 &

˘

i∈In ?bi .U i

a Un+1 τ

At this point, since T 00 [σ 0 ] − → T 0 [σ 0 . !a] (i.e., T 00 enqueues an output in its buffer), by the semantics in Definition 2.11 we have: ! M τ 00 0 0 T [σ ] = !a.T ⊕ !ai .T i [σ 0 ] − → T 0 [σ 0 . !a ] i∈I

A semantic deconstruction of session types i.e., T 00 must be a non-empty internal choice with a !aguarded branch; correspondingly, from T 00 a Un+1 and Proposition 4.3, we have: Un+1 = ?a.U 0 &

¯

?ak .U 0k

with I ⊆ K and T 0 a U 0

29 Proof. We first consider the case ◦ = a, showing that: T a U ∧ T [] k U [] = ⇒ T 0 [σ ] k U 0 [ρ ] implies σ =  or ρ = 

(6)

the premise above and σ = ρ =  implies T 0 a U 0

(7)

We proceed by induction on the length of the sequence of

k∈K

σ 0 . !a.T 0

But then, of Equation (5).

=

σ .T 0

a U . This concludes the proof

With the proof above, the other possible values of ◦ can be verified in a straightforward way: – case ◦ = ` can be proved in a similar way, noticing that in the inductive case, U may also become 0, i.e. it may terminate at any point without consuming T ’s output with

an external choice; – case ◦ = a` holds because (by Definition 4.1) a` = ` ∩ a; ¨ follows by Equation (5) and Theorem 4.9; case – case ◦ = C ¨ is similar; ◦=B ¨ follows by the previous item, because – finally, case ◦ = ./ ¨ ∩ C. ¨ ¨ =B (by Lemma 4.5) ./

τ -transitions in T [] k U [] = ⇒ T 0 [σ ] k U 0 [ρ ]. In the base case (i.e.,

when there are no transitions) the thesis coincides with the hypothesis, and both Equations (6) and (7) trivially hold. In the inductive case, let: τ

T [] k U [] = ⇒ T 00 [σ 00 ] k U 00 [ρ00 ] − → T 0 [σ 0 ] k U 0 [ρ0 ]

(8)

and by the induction hypothesis, (σ 00 =  or ρ00 = ) and (σ 00 = ρ00 =  implies T 00 a U 00 ) (9) We have the following cases: – σ 00 = 6  and ρ00 = . By Lemma B.9, the computation T [] k U [] = ⇒ T 00 [σ 00 ] k U 00 [ρ00 ] can be rearranged as follows

(while maintaining the original length): T [] k U [] = ⇒ T 000 [] k U 00 [] = ⇒ T 00 [σ 00 ] k U 00 []

Notation B.8. Given a sequence of outputs σ = !a1 .. . ..!an , we

σ 00

write = ⇒ for =⇒ · · · ==⇒.

where T 000 =⇒ T 00 (by item 4 of Lemma B.9). Since the length of the computation

Lemma B.9 (Diamond lemma for asynchronous session types). Let:

T [] k U [] = ⇒ T 000 [] k U 00 []

σ

! a1

! an

is shorter than the the length of the original computation, by the induction hypothesis we have T 000 a U 00 . Let σ 00 = !a.σ 000 . Then, by Proposition 4.3, U 00 must be (up-to unfolding) an external choice with a ?a-branch. Hence, the rightmost τ -transition in Equation (8) can only be generated in two ways: – via synchronisation, i.e.:

τ

T0 [] k U0 [] (− →)n Tn [σ n ] k Un [ρn ] with σ n 6= , ρn = , and ∀i ≤ n : (σ i =  or ρi = ). Let m be the length of σ n . Then, there exists some k ≤ n such that: 1. σ k =  and ∀i > k : σ i 6=  2. ∀i ≥ k : ρi =  3. there exist Tj0 , Uj0 (for all j ∈ k..n) such that: T k [σ k ] k U k [ρ k ] =

τ

T 00 [!a.σ 000 ] k U 00 [] − → T 0 [σ 000 ] k U 0 []

Tk0 [] k Uk0 [] τ (− →)n−k−m τ

(− →)m

where T 0 = T 00 . We can notice that item (i) of the thesis is already satisfied. For item (ii) , assume that σ 000 = . Then, !a is the only output transition from

0 0 Tn−m [] k Un−m [] Tn0 [σ n ] k Un0 [] = Tn [σ n ] k Un []

!a

σn

0 4. Tn−m =⇒ Tn

(i) σ =  or ρ = . (ii) if σ = ρ =  then T 0 ◦ U 0 .

?a

T 000 to T 00 — i.e., T 000 = ⇒ T 00 = T 0 ; and since U 00 −→ U 0 , from T 000 a U 00 , we deduce T 0 a U 0 . – via buffering, i.e., for some b:

where ∀i ∈ 0..m : U(0n−m)+i = Un

Proof. (Sketch ) Let k be the greatest index such that both queues σ k and ρk are empty. Since σ n is not empty, then Items 1 and 2 follow. For Item 3, we observe that Tk performs some outputs (and no inputs, since the queues ρi are persistently empty for i ≥ k). These outputs can be split in two parts: in the first one (called σ ˜ ) the inputs are read later on by Uk , while in the second part (called σ˜0 ) the inputs remain enqueued (and so, σ˜0 = σ n ). It is possible to reorder the moves without altering the length of the computation, and so that: (i) at the beginning, σ ˜ is enqueued and read by U ; (ii) then, the second part is enqueued, and never read. The terms Tj0 , Uj0 (for all j ∈ k..n) are defined according to this reordering. After the steps (i), both queues are empty, and the component U no longer moves, hence it is equal to Un until the end of the computation. Item 4 is a direct consequence of Item 3.  ¨, B ¨ , ./ ¨ . If T [] k Lemma 4.11. Let T ◦ U , with ◦ ∈ a, `, a`, C U [] = ⇒ T 0 [σ ] k U 0 [ρ ], then:

(with σ 000 = σ 0 )

τ

T 00 [!a.σ 000 ] k U 00 [] − → T 0 [!a.σ 000 . !b] k U 0 []

(where U 0 = U 00 ) Then, we satisfy item (i) and (vacuously) item (ii) of the thesis; – σ 00 =  and ρ00 6= . The proof is similar to the previous case, by swapping the roles of T 00 and U 00 , and the roles of σ and ρ . – σ 00 = ρ00 = . Item (i) holds because in a single τ move, at most one of the two queues can become non-empty. Item (ii) holds vacuously, because the only way of reaching σ 0 = ρ0 =  would be through a synchronisation, which is not possible because σ 00 = ρ00 = . This concludes the proof of Equations (6) and (7), in case ◦ = a. The other possible values of ◦ can be verified as follows: – – – –

¨ follows ¨ (Theorem 4.9); ◦ = C by Equation (6) and a = C ¨ follow by symmetry; ◦ ∈ `, B ◦ = a` holds because (by Definition 4.1) a` = ` ∩ a; ¨ ∩C ¨ (by Lemma 4.5). ¨ holds because ./ ¨ =B finally, ◦ = ./

30

M. Bartoletti, A. Scalas, R. Zunino

C Proofs for Section 5

¨ U , then T [] C ¨ U []. Lemma 4.12. If T C ¨ U , and let: Proof. Assume that T C R=



⇒ T 0 [σ ] k U 0 [ ρ ] (T 0 [σ ], U 0 [ρ ]) T [] k U [] =

We prove that R is an I/O compliance relation, i.e. it satisfies all the items of Definition 4.4. The thesis will then follow by the fact that (T [], U []) ∈ R. Let (T 0 [σ ], U 0 [ρ ]) ∈ R. Note that items b –d of Definition 4.4 follow directly by definition of k, so we only need to prove item a . By Lemma 4.11, we have σ =  or ρ = , and so we have the following three cases: – σ 6=  and ρ = . Let σ = !a.σ 0 . Then: T 0 [σ ]⇓! = {!a}

(10)

By items (ii) and (iii) of Proposition A.4 we know that each output in σ has been generated by some T 00 such σ that T 00 = ⇒ T 0 ; let us take such T 00 so that: T [] k U [] = ⇒ T 00 [] k U 0 [] = ⇒ T 0 [σ ] k U 0 []

¨ U , T [] k U [] = From T C ⇒ T 00 [] k U 0 [] and Lemma 4.11 we ¨ U 0 . By items (ii) and (iii) of Proposition A.3, get T 00 C we know that T 00 is an internal choice, hence by Theorem 4.9 and Proposition 4.3 we know that U 0 must be a (larger) external choice, i.e. T 00 ⇓! ⊆ co(U 0 ⇓? ). Hence, from Equation (10) we obtain: {!a} = T 0 [σ ]⇓! ⊆ T 00 ⇓! ⊆ co(U 0 ⇓? ) = co(U 0 []⇓? )

This proves the first part of item a in Definition 4.4. The second part holds vacuously, since T 0 [σ ]⇓! 6= ∅. – σ =  and ρ = 6 . If T 0 = 0, then item a in Definition 4.4 is trivially satisfied. Otherwise, the reasoning is similar to the case above, by swapping the role of T 0 and U 0 , and considering the queue ρ instead of σ . More in detail, we let ρ = !a.ρ0 , and so we obtain: 0

!

U [ρ ]⇓ = {!a}

(11)

As in the previous item, via Proposition A.4 we take U 00 ρ such that U 00 = ⇒ U 0 , from which we have: T [] k U [] = ⇒ T 0 [] k U 00 [] = ⇒ T 0 [] k U 0 [ρ ]

¨ U and T [] k U [] = Since T C ⇒ T 0 [] k U 00 [], from Lemma 4.11 ¨ U 00 . we obtain that T 0 C By Proposition A.3 we have that U 00 is a non-empty internal choice, and by Theorem 4.9 and Proposition 4.3 we know that T 0 is a (larger) external choice, i.e. ∅ 6= U 00 ⇓! ⊆ co(T 0 ⇓? ). Since T 0 is an external choice, then T 0 []⇓! = ∅, which vacuously satisfies the first part of item a in Definition 4.4. For the second part of the item, from Equation (11) we have: ∅ 6= {!a} = U 0 [ρ ]⇓! ⊆ U 00 ⇓! ⊆ co(T 0 ⇓? ) = co(T 0 []⇓? )

¨ U 0. By Lemma 4.11, it follows that T 0 C Hence, by Theorem 4.9 and Proposition 4.3, we can proceed by cases on the form of T 0 and U 0 : – T 0 = 0. Then, item a of Definition 4.4 is trivially satisfied. L ˘ 0 – T0 = i∈I ?ai .Ti and U = j∈J !aj .U j , with ∅ 6= J ⊆ I . Then, T 0 []⇓! = ∅, which satisfies the first part of item a . Further, ∅ 6= U 0 []⇓! ⊆ co(T 0 []⇓? ), thus satisfying L the second part0 of the ˘ item. – T0 = j∈J ?aj .U j , with ∅ 6= i∈I !ai .Ti and U = I ⊆ J . Then, T 0 []⇓! ⊆ co(U 0 []⇓? ), which satisfies the first part of item a ; the second part of the item is vacuously true, since T 0 []⇓! 6= ∅.

– σ = ρ = .

Lemma 5.4. Let T [σ ] k U [ρ ] be an orphan message configuration, with !a orphan message of T [σ ]. Then, T [σ ] k U [ρ ] = ⇒ T 0 [σ 0 ] k U 0 [ρ0 ] implies that T 0 [σ 0 ] k U 0 [ρ0 ] is an orphan message configuration, with !a orphan message of T 0 [σ 0 ]. Furthermore, σ 0 = σ .σ 00 (for some σ 00 ). !!a

Proof. By hypothesis and Definition 5.1 we have T [σ ]=⇒ and ?a

U [ρ ]= 6 ⇒. Moreover, by Lemma 5.3 we have either σ = !a.σ 00 (for some σ 00 ), or σ =  and T = !a.T 0 : therefore, after at most one τ -step (when σ = ), !a is at the head of T ’s buffer and becomes only output (weakly) reachable from T [σ ] (by Propo?a

sition A.6). At that point, since U [ρ ]= 6 ⇒, the two behaviours cannot synchronise on such !a, and thus it cannot be removed from the head of the buffer. Hence, each τ -move along the trace T [σ ] k U [ρ ] = ⇒ T 0 [σ 0 ] k U 0 [ρ0 ] may be generated in only two ways, by Definition 2.11: a. T or U add new outputs to their respective buffers; b. T reaches an external choice which synchronises with the head of U ’s queue, consuming it. (Note that case b. prevents us from resorting to Proposition 5.2, since the latter only considers the internal τ -transitions of the behaviours, without synchronisations). Therefore, σ 0 = σ .σ 00 for some σ 00 deriving from case a. above (which proves ?a

the “furthermore. . . ” part of the statement), and U 0 [ρ0 ]= 6 ⇒: by Definition 5.1, we conclude that T 0 [σ 0 ] kU 0 [ρ0 ] is still an orphan message configuration, with !a orphan message of T 0 [σ 0 ]. Proposition C.1 below states that an input behaviour cannot stop interacting after some τ -moves. Proposition C.1. If p is an input behaviour, then p = ⇒ p0 implies p0 w 6 0. ?a

Proof. From Definition 5.7, we have that ∃p00 , a . p0 = ⇒ p00 −→: hence, p00 w 6 0, which in turn implies p0 6w 0.

D Proofs for Section 6 Lemma 6.2 (vUST -induced shapes of session types). T vUST U implies either: a. T = U ˘= 0; ˘ b. T ≡ k∈K ?ak .T k and U ≡ i∈I ?ai .T i , with ∅ = 6 I ⊆K and ∀i L∈ I . T i vUST U i ; L c. T ≡ 6 K ⊆ I, k∈K !ak .T k and U ≡ i∈I !ai .T i , with ∅ = and ∀k ∈ K . T k vUST U k . Proof. In the following, when no ambiguity arises, we will write v instead of vUST . ¨ When T v U , by Definition 6.1 we know that ∀V . U ./ ¨ V . By Theorem 4.9, this is equivalent to saying V =⇒ T ./ that ∀V . U a` V =⇒ T a` V . Hence, the possible forms of the pairs U , V and T , V (up-to unfolding) are given by Proposition 4.3 (case for a`). Therefore, by cases on U , we have: U =˘ 0. Then, we have V = 0, and T = 0. L U = i∈I ?ai .U i , with I 6= ∅. Then, we have V = j∈J !aj .V j , ¨ with ∅ 6= J ⊆ I , and ∀j ∈ J.U a` V (i.e., U ./ V ). Since j j j j ˘ T a` V , we also have T = k∈K ?ak .T k , with ∅ 6= J ⊆ K , ¨ V j ). Furthermore, we and ∀j ∈ J . T j a` V j (i.e., T j ./ have I ⊆ K : otherwise, ∃i ∈ I . i 6∈ K , and if we take a V such that J = I , we would have the contradiction J 6⊆ K . ¨ V j and Finally, since (as seen above) ∀j ∈ J we have U j ./ ¨ V j , we conclude ∀j ∈ J . T j v U j ; T j ./

A semantic deconstruction of session types L

31 ˘

with I 6= ∅. Then, we have V = j∈J !aj .V j , ¨ V i ). Since with I ⊆ J , and ∀i ∈ I . UL i a` V i (i.e., U i ./ T a` V , we also have T = 6 K ⊆ J, k∈K ?ak .T k , with ∅ = ¨ V k ). Furthermore, we and ∀k ∈ K . T k a` V k (i.e., T k ./ have K ⊆ I : otherwise, ∃k ∈ K . k 6∈ I , and if we take a V such that J = I , we would have the contradiction K 6⊆ J . ¨ Vk Finally, since (as seen above) ∀k ∈ K we have U k ./ ¨ V k , we conclude ∀k ∈ K . T k v U k . and T k ./

U =

i∈I ?ai .U i ,

Lemma 6.3. T v U ⇐⇒ T vUST U . Proof. ( =⇒ ). Follows from Definition 6.1, since UST ⊆ U. ( ⇐= ). Let:

R =



Hence, R is a symmetric I/O compliance relation. Now, ¨ r we observe that for all T , U and r ∈ U, T vUST U and U ./ ¨ r. By Definition 6.1, we imply (T , r) ∈ R 3 (r, T ), and so T ./ conclude T v U . ¨ be a set of I/O simulations. Then, S R ¨ is Lemma 6.7. Let R an I/O simulation.

S¨ R), all conditions in DefiS¨ nition 6.4 hold. We simply notice that when p ( R) q , then S ¨ ⊆ ( R) ¨ q , for ¨ such that p R there exists an I/O simulation R some predictive set Q; using such a predictive set, clauses a –b of Definition 6.4 hold — and moreover, theSpairs of reducts ¨ from clauses c –e also belong to ( R). ¨ (p0 , q 0 ) ∈ R Proof. We show that ∀(p, q ) ∈ (

¨ r ∪ symmetric (T , r) ∃U . T vUST U ∧ U ./

We show that R is a symmetric I/O compliance relation. For ¨ r. each (T , r) ∈ R, there exists U such that T vUST U and U ./ For all such U , we have (from the proof of Lemma 4.5): a. U ⇓! ⊆ co(r⇓? ) and r⇓! ⊆ co(U ⇓? )
and U ⇓! = ∅ ∧ U ⇓? 6= ∅ =⇒ r⇓! 6= ∅
and r⇓! = ∅ ∧ r⇓? 6= ∅ =⇒ U ⇓! 6= ∅ ; `

¨ is reflexive. Lemma D.1. 6 ¨ = {(p, p) | p ∈ U}. We Proof. Consider the identity relation: R ¨ is an I/O simulation, with {p} can easily verify that that R ¨ p. being the predictive supporting each pair p R

co(`)

¨ r0 ; b. U − → U 0 ∧ r −−−−→ r0 =⇒ U 0 ./ τ ¨ r; c. U − → U 0 =⇒ U 0 ./ τ ¨ r0 . d. r − → r0 =⇒ U ./ Before proceeding, we also observe that, since T vUST U ¨ r we have the following by hypothesis, by Lemma 6.2 and U ./ possibilities (up-to unfolding): 1. U = T this case, r⇓ = r⇓? = r⇓! = ∅; ˘= 0. Therefore, in ˘ 2. U = i∈I ?ai .T i and T = k∈K ?ak .T k , with ∅ 6= I ⊆ K and ∀i ∈ I . (T i , U i ) ∈ vUST . Therefore, in this case, ?a

i ∅ 6= r⇓! ⊆ co(U ⇓? ) ⊆ co(T ⇓? ). Furthermore, ∀i ∈ I . T −−→

!ai

¨ as a preorder for U D.1 On 6

? ai

¨ r0 (from U ==⇒ U i and T i and r = =⇒ r0 implies U i ./ ! aj

¨ r and Proposition B.2), while ∀j ∈ K \ I . r6=⇒ (from U ./ Proposition B.3); L L 3. U = 6 K ⊆ I, i∈I !ai .T i and T = k∈K !ak .T k , with ∅ = and ∀k ∈ K . (T k , U k ) ∈ vUST . Therefore, in this case, !ak

T ⇓! ⊆ U ⇓! ⊆ co(r⇓? ) 6= ∅. Furthermore, ∀k ∈ K . T = =⇒

¨ and τ -moves (I)). Let p 6 ¨ q, with predictive Lemma D.2 (6 ¨ q, with predictive set Q0 such set Q. Then, p = ⇒ p0 implies p0 6 that Q V Q0 . Proof. We proceed by induction on the length of the sequence of τ -transitions in p = ⇒ p0 . The base case (n = 0) is trivial. τ For the inductive case, let p = ⇒ p∗ − → p0 . By the induction ∗ ¨ q with predictive set Q∗ such that hypothesis, we have p 6 ¨ q , we observe that, (by item c of Q V Q∗ . To show that p0 6 τ ¨ q0 ; Definition 6.4) p∗ − → p0 implies that ∃q 0 . Q∗ = ⇒ q 0 ∧ p0 6 ¨ q 0 is supported by some predictive set Q0 furthermore, p0 6 ¨ =6 ¨ ¨ ∪ {(p0 , q )}: we show that R such that q 0 V Q0 . Let now R

is an I/O simulation. This claim trivially holds for the subset ¨ and thus we only need to check whether the clauses of ¨ ⊆ R, 6 Definition 6.4 hold for the additional pair (p0 , q ). Since q = ⇒ q0 0 0 0 0 and q V Q , we have q V Q . Then, using Q as a predictive set for (p0 , q ), we have:

item a : p0 ⇓! = ∅ =⇒ Q0 ⇓! = ∅ (since Q0 is a predictive set ¨ q 0 ); for p0 6 ¨ r0 (from U ./ ¨ r and and ∀r0 . r ==⇒ r0 implies U k ./ 0 item b : Q ⇓?? ⊆ p0 ⇓? and Q0 ⇓? = ∅ =⇒ p0 ⇓? = ∅ (since Proposition B.2). Finally, by Proposition B.3, we have ¨ q 0 ); Q0 is a predictive set for p0 6 r⇓! = ∅. τ 0 00 0 ¨ item c let p − → p . Since p 6 q 0 , we have that ∃q 00 . Q0 = ⇒ ¨ q 00 , which is the thesis; We can now prove that R is a I/O compliance relation, q 00 ∧ p00 6 !a !a examining the clauses of Definition 4.4: ¨ q 0 , we have that ∃q 00 . Q0 = item d let p0 −→ p00 . Since p0 6 ⇒ ! ? ! ? 00 00 00 ¨ q , which is the thesis; a : we need to show that T ⇓ ⊆ co(r⇓ ) and q ∧ p 6
r⇓ ⊆ co(T ⇓ ) ??a ?a and T ⇓! = ∅ ∧ T ⇓? 6= ∅ =⇒ r⇓! 6= ∅ 0 − ¨ q 0 , we have that item e let p → p00 ∧ Q0 ==⇒. Since p0 6
? a and r⇓! = ∅ ∧ r⇓? 6= ∅ =⇒ T ⇓! 6= ∅ : these requirements ¨ q 00 , which is the thesis. ∃q 00 . Q0 = ⇒ q 00 ∧ p00 6 are satisfied in all cases 1.–3. above; ¨ is an I/O simulation, and (p0 , q ) ∈ R. ¨ co(`) ` Therefore, R b : assume that T − → T 0 and r −−−−→ r0 . From cases 2. and 3. We conclude by observing that, from Q V Q∗ , Q∗ = ⇒ q0 ` ¨ r0 . above, it follows that ∃U 0 . U = ⇒ U 0 and T 0 vUST U 0 ./ 0 V Q0 , we have Q V Q0 . and q Therefore, we conclude (T 0 , r0 ) ∈ R and, by symmetry of R, (r0 , T 0 ) ∈ R; ¨ and τ -moves (II)). Let p 6 ¨ q, with predictive Lemma D.3 (6 τ ¨ q 0 , again with predictive set Q. c : assume that T − → T 0 . By the semantics in Definition 2.10 set Q. Then, q 0 = ⇒ q implies p 6 we are in case 3. above (i.e., both T and U are internal τ Proof. We proceed by induction on the length of the sequence choices with multiple branches). Hence, ∃U 0 . U − → U0 of τ -transitions in q 0 = ⇒ q . The base case (n = 0) is trivial. ¨ r (by Proposition B.1). Therefore, we and T 0 vUST U 0 ./ τ conclude (T 0 , r) ∈ R and, by symmetry of R, (r, T 0 ) ∈ R; For the inductive case, let q 0 − → q∗ = ⇒ q . By the induction τ ∗ , with predictive set Q. Let now ¨ 0 hypothesis, we have p 6 q d : assume that r − → r . By Proposition B.1 we have T vUST ¨ =6 ¨ is an I/O simulation. This ¨ ∪ {(p, q 0 )}: we show that R R ¨ r0 . Therefore, we conclude (T , r0 ) ∈ R and, by symU ./ 0 ¨ and thus we only ¨ ⊆ R, metry of R, (r , T ) ∈ R; claim trivially holds for the subset 6 ?a

! ak

T k implies r= ⇒ (from U = =⇒ U k and Proposition B.3) ? ak

32

M. Bartoletti, A. Scalas, R. Zunino

need to check whether the clauses of Definition 6.4 hold for τ the additional pair (p, q 0 ). Since q 0 − → q ∗ and q ∗ V Q, we have q 0 V Q. Then, using Q as a predictive set for (p, q 0 ), we have:

?a

item a : p⇓! = ∅ =⇒ Q⇓! = ∅ (since Q is a predictive set for ¨ q ∗ ); p6 item b : Q⇓?? ⊆ p⇓? and Q⇓? = ∅ =⇒ p⇓? = ∅ (since Q is ¨ q ∗ ); a predictive set for p 6 τ ¨ q ∗ , we have that ∃q 00 . Q = item c let p − → p0 . Since p 6 ⇒ ¨ q 00 , which is the thesis; q 00 ∧ p0 6 !a !a ¨ q ∗ , we have that ∃q 00 . Q = item d let p −→ p0 . Since p 6 ⇒ 00 0 00 ¨ q ∧ p 6 q , which is the thesis; ??a ?a ¨ q ∗ , we have that ∃q 00 . item e let p −→ p0 ∧ Q==⇒. Since p 6 ?a 00 0 00 ¨ Q= ⇒ q ∧ p 6 q , which is the thesis.

τ

– when Q⇓?? 3 ?a 6∈ Q1 ⇓?? , then the premise of clause e of Definition 6.4 becomes false; otherwise, when ?a ∈ Q1 ⇓?? ∩ Q⇓?? , we notice (as in the previous point) that all

¨ is an I/O simulation; we conclude by observing Therefore, R ¨ that (p, q 0 ) ∈ R.

states reachable from Q are still reachable from Q1 with the same transitions. Therefore, in both cases, clause e of Definition 6.4 is satisfied.

?a0

τ ?b

p13

?b

p14

¨ p14 but p13 6≈ p14 . Figure 9: p13 ≈

¨ q, p = ¨ q0 . Lemma 6.8. If p 6 ⇒ p0 and q 0 = ⇒ q, then p0 6

¨ vs. w). 6 ¨ ⊆ ¨. Proposition D.8 (6 6 w 6⊆ 6

¨ q holds, Proof. By Lemma D.2 we have that, whenever p 6 ¨ q ; therefore, by Lemma D.3, q 0 = then p = ⇒ p0 implies p0 6 ⇒q ¨ q0 . implies p0 6

Proof. Consider the following CCS processes, where a 6= b:

D.2 Properties of predictive sets

¨ is a preorder. Theorem 6.10. (U, 6)

Proposition D.4. For all Q ⊆ U, if ?a ∈ Q⇓?? then:

Proof. Reflexivity follows by Lemma D.1. For transitivity, let:

¨ Q and P 6w Q; – let P = ?a + ?b and Q = ?a. We have P 6 – let P = τ .?a + τ .?b and Q = ?a + ?b. We have P w Q and P 6 6 ¨ Q.

¨ = R

??a

(i) ∀q ∈ Q . q ==⇒



¨ q ∧q6 ¨ r (p, r) ∃q . p 6

??a

(ii) ∀q 0 . Q = ⇒ q 0 implies q 0 ==⇒.

¨ is an I/O simulation. Let (p, r) ∈ R, ¨ and let q We show that R ¨ q and q 6 ¨ r. Then, let: be such that p 6 Proof. Direct consequences of Definition 2.5. ¨ 1 be an I/O simulation such that p R ¨ 1 q , with Q as (i) R predictive set. So, we have q V Q, and: ¨ q with pred. set Q, then Q⇓?? ⊆ p⇓?? . Proposition D.5. If p 6 a. p⇓! = ∅ =⇒ Q⇓! = ∅; b. Q⇓?? ⊆ p⇓? ∧ Q⇓? = ∅ =⇒ p⇓? = ∅; ??a Proof. Assume Q==⇒, and let p0 such that p = ⇒ p0 . By Lemma D.2, τ ¨ 1 q0 ; c. p − → p0 =⇒ ∃q 0 . Q = ⇒ q 0 ∧ p0 R ¨ q , with a predictive set Q0 such that Q V Q0 . we have p0 6 !a 0 !a 0 0 0 ¨ 1 q0 ; ?? a d. p −→ p =⇒ ∃q . Q = ⇒q ∧ p R This, by Proposition D.4, means Q0 ==⇒, and therefore (by ??a ?a 0 ?a 0 0 ¨ 1 q0 ; ?a e. p −→ p ∧ Q==⇒ =⇒ ∃q . Q = ⇒ q ∧ p0 R item b of Definition 6.4), p0 = ⇒. Hence, by Definition 2.5, we ¨ 2 be an I/O simulation such that q R ¨ 2 r. (ii) R ??a conclude p==⇒. In the following, let I index the elements of Q — i.e., Q = {qi }i∈I . Before proceeding, we highlight some results and ??a ¨ q with predictive set Q. Then, q ==⇒ Proposition D.6. Let p 6 definitions that we will reuse throughout this proof. ??a implies Q==⇒. ¨ r. Proposition D.9. ∀i ∈ I, we have qi 6 Proof. By Definition 6.4, ∀q 0 ∈ Q . q = ⇒ q 0 . Therefore, by ??a

??a

Definition 2.5, we have q 0 ==⇒, and we conclude Q==⇒. Lemma D.7 (“Neutral elements” in a predictive set). Let ¨ q, for some predictive set Q. Then, for all q0 such that p 6 q= ⇒ q0 and q0 ⇓! ⊆ Q⇓! , we have that Q1 = Q ∪ {q0 } is still a ¨ q. predictive set for p 6

Proof. Since ∀i ∈ I . q = ⇒ qi , the statement follows

from Lemma D.2. Definition D.10. ∀i ∈ I, we fix Ri as a predictive ¨ r. Furthermore, we define: set supporting qi 6

R =

[

Ri

i∈I

Proof. Immediate, by noticing that for all weak barbs of q0

allowed by the hypotheses, we have: – Q⇓! = Q1 ⇓! , and therefore p⇓! = ∅ =⇒ Q1 ⇓! = ∅, thus satisfying clause a of Definition 6.4. – Q1 ⇓?? ⊆ Q⇓?? — and so Q1 does not require more inputs to p w.r.t. Q, thus satisfying the first part of clause b

of Definition 6.4. For the second part, we notice that Q1 ⇓? = ∅ implies Q⇓? = ∅, which implies p⇓? = ∅; – all states reachable from Q are still reachable from Q1 with the same transitions, thus satisfying clauses c –d of Definition 6.4;

Corollary D.11. R⇓?? ⊆ Q⇓?? . Proof. Let ?a ∈ R⇓?? . Then, ?a ∈ r˜⇓?? , for all ¨ r (by Propor˜ ∈ R, and so ?a ∈ Ri ⇓?? . Since qi 6

sition D.9) with predictive set Ri (by Definition D.10), then by Proposition D.5 it follows that ?a ∈ qi ⇓?? . Since the above holds for all i ∈ I , we conclude that ?a ∈ Q⇓?? . We now show that R is a predictive set for the pair (p, r) ∈ ¨ according to Definition 6.4: R,

A semantic deconstruction of session types

33

item a : assume that p⇓! = ∅. Then, by item (i)a., we have ¨ r, Q⇓! = ∅ — and therefore, qi ⇓! = ∅ for all i ∈ I . Since qi 6 by item a of Definition 6.4, this implies that Ri ⇓! = ∅, for all i ∈ I . Therefore R⇓! = ∅. item b : for the first part of the item, from Corollary D.11, we have R⇓?? ⊆ Q⇓?? . Furthermore, by item (i)b., we have Q⇓?? ⊆ p⇓? . So, we conclude R⇓?? ⊆ p⇓? . For the second part of item b , assume R⇓? = ∅: for all i ∈ I , this implies Ri ⇓? = ∅; by item b of Definition 6.4, we have ∀i ∈ I . qi ⇓? = ∅, which in turn implies Q⇓? = ∅; and from item (i)b., we have p⇓? = ∅. Therefore, we conclude p⇓? = ∅. τ item c : we have to show that, whenever p − → p0 , then ∃r0 . R = ⇒ 0 0 0 ¨ r ∧ (p , r ) ∈ R. From item (i)c. we know that whenever τ ¨ 1 ; therefore, for some p − → p0 , ∃q 0 . Q = ⇒ q 0 ∧ (p0 , q 0 ) ∈ R ¨ qi . i ∈ I , qi = ⇒ q 0 . Now, from Lemma D.3, we have p0 6 ¨ r, we choose Since (by Proposition D.9) we also have qi 6 ¨ r0 = r, and we conclude (p0 , r0 ) ∈ R. !a

item d : we have to show that, whenever p −→ p0 , then ∃r0 . !a ¨ By item (i)d. above, we know R = ⇒ r0 and (p0 , r0 ) ∈ R. !a

that whenever p −→ p0 , then ∃i ∈ I, q∗ , q∗0 , q 0 such that !a ¨ 1 q 0 . Since p0 6 ¨ q0 Q 3 qi = ⇒ q∗ −→ q∗0 = ⇒ q 0 and p0 R 0 0 ¨ q∗0 . and q∗ = ⇒ q , then by Lemma D.3 it follows that p0 6 ¨ r By Proposition D.9 and Definition D.10, we have qi 6 with some predictive set Ri ⊆ R; and by Lemma D.2, we ¨ r with some predictive set R∗ such that also have q∗ 6 Ri V R∗ — and therefore (by item d of Definition 6.4): !a

¨ r00 ∃r00 . Ri V R∗ = ⇒ r00 ∧ q∗0 6

(12)

Combining R V Ri and Equation (12) above, we obtain: ∃r

00

!a

. R= ⇒r

00

∧

q∗0

¨ r00 6

¨ q∗0 and q∗0 6 ¨ r0 , we conclude that Let = Since p0 6 0 0 ¨ (p , r ) ∈ R. r0

r00 .

??a

?a

item e : we have to show that, whenever p −→ p0 and R==⇒, ?a ?a ¨ Assume that p − then ∃r0 . R = ⇒ r0 and (p0 , r0 ) ∈ R. → p0 ??a

`-transitions emanating from q . From this, it is immediate to see that p⇓? = q⇓? and p⇓! = q⇓! , and using the former in an inductive argument we also obtain p⇓?? = q⇓?? . Hence, for all (p, q ) ∈ ≈, we can satisfy clauses a –e in Definition 6.4 by taking as predictive set Q = {q}.

¨ q ◦ r =⇒ p ◦ r, for ◦ ∈ B ¨ , ./ ¨ . Theorem 6.12. p 6 



¨ Let: Proof. We first prove the statement for ◦ = B. R =



¨ q ∧qB ¨ r (p, r) ∃q . p 6

We will show that R is an I/O compliance relation between p and r (in the inverse order). Let (p, r) ∈ R, via some q ¨ q and r C ¨ q . Now, let Q be the predictive set such that p 6 ¨ and let us examine the clauses supporting the pair (p, q ) ∈ 6, of Definition 4.4. ¨ q (item b of Definition 6.4) we have Q⇓?? ⊆ item a From p 6 ¨ q (by Proposition B.3) we have p⇓? ; furthermore, from r C r⇓! ⊆ co(q⇓?? ), and from Proposition D.6 we obtain: r⇓! ⊆ co(Q⇓?? )

(14)

¨ q and Furthermore, since ∀q 0 ∈ Q . q = ⇒ q 0 , from r C ¨ q 0 . Hence, by item b Proposition B.1 we have ∀q 0 ∈ Q . r C of Definition 6.4:
∀q 0 ∈ Q . r⇓! = ∅ ∧ r⇓? 6= ∅ =⇒ ∅ = 6 q 0 ⇓! ⊆ co(r⇓? ) and therefore: r⇓! = ∅ ∧ r⇓? 6= ∅ =⇒ ∅ = 6 Q⇓! ⊆ co(r⇓? )

(15)

¨ q , by Definition 6.4 we have: From p 6 – p⇓! = ∅ =⇒ Q⇓! = ∅ (item a of Definition 6.4), and therefore Q⇓! 6= ∅ =⇒ p⇓! 6= ∅; – p⇓! ⊆ Q⇓! (item d ) – Q⇓?? ⊆ p⇓? (item b ). Summing up: Q⇓?? ⊆ p⇓?

and

Q⇓! 6= ∅ =⇒ ∅ = 6 p⇓! ⊆ Q⇓!

(16)

??a

and R==⇒. By Corollary D.11, we have Q==⇒. Therefore, by item (i)e. above, ∃i ∈ I, q∗ , q∗0 , q 0 such that Q 3 qi = ⇒ ?a ¨ 1 q 0 . By Proposition D.9 and q∗ −→ q∗0 = ⇒ q 0 and p0 R ¨ r with some predictive set Definition D.10, we have qi 6 ¨ r with Ri ⊆ R; and by Lemma D.2, we also have q∗ 6 some predictive set R∗ such that Ri V R∗ . Therefore, by item e of Definition 6.4: ??a ?a 00 ¨ r00 R∗ ==⇒ implies ∃r00 . Ri V R∗ = ⇒ r ∧ q∗0 6 ??a

(13)

??a

Finally, we notice that since R==⇒ implies Ri ==⇒, we have ??a R∗ ==⇒; this, combined with R V Ri and Equation (13) above, gives us: ?a

¨ r00 ∃r00 . R = ⇒ r00 ∧ q∗0 6 ¨ r00 . Let r0 = r00 . Since p0 6 ¨ q0 By Lemma D.2, we have q 0 6 ¨ ¨ r0 , we conclude that (p0 , r0 ) ∈ R. and q 0 6 ¨ Theorem 6.11. ≈ ( ≈ ¨ , consider Figure 9: we have that Proof. To show that ≈ 6= ≈ ¨ p14 , but p13 ≈ ¨ , since the p13 ≈ 6 p14 . To show that ≈ ⊂ ≈ weak bisimulation relation is symmetric, it is enough to prove ` that it is an I/O simulation. Let p ≈ q . We have that p − → p0 `

implies ∃q 0 . q = ⇒ q 0 ∧ p0 ≈ q 0 , and the converse holds for the

and combining Equation (16) with Equations (14) and (15), we conclude: r⇓! ⊆ co(p⇓? ) ∧ r⇓! = ∅ ∧ r⇓? 6= ∅ implies ∅ 6= p⇓! ⊆ co(r⇓? )







`

co(`)

item b We have to show that p − → p0 and r −−−−→ r0 implies (p0 , r0 ) ∈ R. Assuming the premise, we have two cases, depending on whether ` is an input or an output action: !a – ` = !a. Then, by item d of Definition 6.4, ∃q 0 . Q = ⇒ 0 0 0 ¨ ¨ q ∧ p 6 q . Now, from q B r and Proposition B.2 we ¨ r0 : we conclude (p0 , r0 ) ∈ R; have q 0 B !a ¨ r and Propo– ` = ?a. Then, r −→ r0 ; hence, from q B ??a

sition B.3 we have q ==⇒, and by Proposition D.6 ??a we obtain Q==⇒. Thus, by item e of Definition 6.4, ? a ¨ q 0 . Now, from q B ¨ r and Proposi∃q 0 . Q = ⇒ q 0 ∧ p0 6 ¨ r0 : we conclude (p0 , r0 ) ∈ R; tion B.2 we have q 0 B τ ¨ q and Lemma D.2, we have that p − item c From p 6 → p0 0 0 ¨ implies p 6 q : we conclude (p , r) ∈ R; ¨ r, by item d of Definition 4.4, we know that item d From q B τ ¨ r0 : we conclude (p, r0 ) ∈ R. r− → r0 implies q B ¨ This concludes the proof for ◦ = B. ¨ follows a similar approach, but this The proof for ◦ = ./ time we let:  ¨ q ∧ q ./ ¨ r R = (p, r) ∃q . p 6 (17)

34

M. Bartoletti, A. Scalas, R. Zunino

Now, we prove that R is a symmetric I/O compliance relation. ¨ ∩C ¨ (by Lemma 4.5), most of the proof is already ¨ =B Since ./ ¨ The only difference is that, in developed above, when ◦ = B. the symmetric version of item a of Definition 4.4, we have the ¨ that needs to be following additional clause, introduced by C, satisfied: p⇓! ⊆ co(r⇓? ) ∧ p⇓! = ∅ ∧ p⇓? 6= ∅ implies ∅ 6= r⇓! ⊆ co(p⇓? )





(18)

We proceed by proving such a clause, for each (p, r) ∈ R and ¨ q (item d of corresponding q from Equation (17). From p 6 ¨ r Definition 6.4) we have p⇓! ⊆ Q⇓! ⊆ q⇓! , and from q C (item a of Definition 4.4) we have q⇓! ⊆ co(r⇓? ); therefore, p⇓! ⊆ co(r⇓? )

(19)

¨ r (item a of Definition 4.4) we Furthermore, from q C have: q⇓! = ∅ ∧ q⇓? 6= ∅ =⇒ ∅ = 6 r⇓! ⊆ co(q⇓? )

(20)

¨ r and Proposition B.5, If the premise holds, from q C we have r⇓! ⊆ co(q⇓?? ), and from Proposition D.6 we have q⇓?? ⊆ Q⇓?? — and therefore r⇓! ⊆ co(Q⇓?? ). Combining these observations with Equation (20), we obtain: q⇓! = ∅ ∧ q⇓? 6= ∅ =⇒ ∅ = 6 r⇓! ⊆ co(Q⇓?? ) ∀q 0

(21)

¨ UC ¨ V implies T C ¨ V. Lemma 6.15. T 6 Proof. We adapt the proof of Theorem 6.12 as follows: – for clause a of Definition 4.4, we can proceed as in the

¨ proof of Equation (18) on page 34, which only relies on C; – for clause b , the proof of Equation (18) for the sub-case ` = ¨ because Proposition B.3 ?a (page 33) does not hold for C,

cannot be applied. We then deal with such case as follows: !a – Since V −→ V 0 , by Proposition A.3 (item (iii) ) then V is equivalent to an internal choice. Then, by The¨ V implies U a V , and so Proposiorem 4.9, U C tion 4.3 we have that U is a external choice. By The¨ U implies T vU U , orem 6.13 and Lemma 6.3, T 6 ST and so by Lemma 6.2 we have that T is a larger (pos?a

sibly empty) external choice. Since T −→, such choice is not empty, and so by Lemma 6.2 we have that !a also U is not empty. Since V −→, then by the second ?a part of clause a of Definition 4.4 it follows that U −→. ??a From Definition 2.10, this implies U ==⇒ — which in ??a turn implies Q==⇒. Thus, by item e of Definition 6.4, ? a ¨ U 0 . Now, from U C ¨ V and Propo∃U 0 . Q = ⇒ U0 ∧ T 0 6 ¨ V 0 : we conclude (T 0 , V 0 ) ∈ R. sition B.2 we have U 0 C – the proofs of clauses c and d are unmodified.

q0 ,

Since ∈ Q.q = ⇒ by Proposition B.1 we have ∀q 0 ∈ ¨ r. Then, from Equation (21) we have: Q . q0 C ∀q 0 ∈ Q . q 0 ⇓! = ∅ ∧ q 0 ⇓? 6= ∅ =⇒ ∅ = 6 r⇓! ⊆ co(Q⇓?? ) (22)

and therefore:

w

Q⇓! = ∅ ∧ Q⇓? 6= ∅ =⇒ ∅ = 6 r⇓! ⊆ co(Q⇓?? )

(23)

¨ q , by Definition 6.4 we have: From p 6 ! – p⇓ = ∅ =⇒ Q⇓! = ∅ (item a ); – Q⇓?? ⊆ p⇓? (item b ), and therefore co(Q⇓?? ) ⊆ co(p⇓? ); – Q⇓? = ∅ =⇒ p⇓? = ∅ (item b ), and therefore p⇓? 6= ∅ =⇒ Q⇓? 6= ∅. Summing up: p⇓! = ∅ ∧ p⇓? 6= ∅ =⇒ Q⇓! = ∅ ∧ Q⇓? 6= ∅ ∧ co(Q⇓?? ) ⊆ co(p⇓? )



p⇓ ⊆ co(r⇓ ) ∧ p⇓! = ∅ ∧ p⇓? 6= ∅ implies ∅ 6= r⇓! ⊆ co(p⇓? ) ?

which corresponds to Equation (18). The proofs for the remaining items b –d can be obtained ¨ simply by replacing all from the ones provided for ◦ = B, ¨ with ./ ¨ . We conclude that the statement also occurrences of B ¨. holds for ◦ = ./ ¨ ( v. (b) T 6 ¨ U iff T v U . Theorem 6.13. (a) 6 ¨ q , then by Theorem 6.12 we have Proof. For item (a), if p 6 ¨ r =⇒ p ./ ¨ r, i.e. p v q according to Definition 6.1. that ∀r . q ./ To prove that the inclusion is strict, recall the behaviour p5 from Example 4.7. Since p5 does not admit I/O compliant behaviours, it vacuously follows that r v p5 , for all r. In particular, let r be the behaviour which loops onto itself via a ¨ p5 , (say, !a-transition, and assume, by contradiction, that r 6 via predictive set Q). By clause d of Definition 6.4, there exists !a

¨ q. Then, for all w ∈ (A! )∗ , p = ⇒ p0 Proposition D.12. Let p 6 w 0 0 0 0 ¨ implies ∃q . q = ⇒ q and p 6 q . Proof. By induction on w. In the base case (when w is empty) ¨ q0 : we need to prove that p = ⇒ p0 implies ∃q 0 . q = ⇒ q 0 and p0 6 this follows from Lemma D.2, letting q 0 = q . For the inductive step, let w = w0 !a (where w0 is a sequence w0 w0 ¨ q 00 (by of outputs). We have p =⇒ p00 and q =⇒ q 00 , with p00 6 the induction hypothesis); we need to show that:

(24)

and combining Equation (24) with Equations (16) and (19), we conclude: !

D.3 I/O simulation and asychrony

p0 such that Q = ⇒ p0 — contradiction, since Q⇓! ⊆ p5 ⇓! = ∅. For item (b), direction ⇐= , let T v U . By Lemma 6.3, we have T vUST U , hence by Lemma 6.2 we can reason (up-to unfolding) by cases on the syntax T and U , verifying that (T , U ) satisfies all clauses in Definition 6.4, via predictive set Q = {U }. The =⇒ direction is already proved by item (a).

!a

∀p0 , p1 . p00 = ⇒ p0 −→ p1 = ⇒ p0

!a ¨ q0 implies ∃q 0 .q 00 = ⇒ q 0 and p0 6

¨ q 00 ; by clause d of DefiNow, by Lemma D.2, we have p0 6 !a nition 6.4, we have that for some predictive set Q, p0 −→ p1 ! a ¨ q 000 ; since (by Definition 6.4) implies ∃q 000 . Q = ⇒ q 000 and p1 6 !a

q 00 V Q, we have q 00 = ⇒ q 000 ; finally, by Lemma D.2, we obtain ¨ q 000 . We conclude by letting q 0 = q 000 . p0 6 w

w

Proposition D.13. Let p ? q. Then, ∀w . p = ⇒ p0 and q = ⇒ q0 implies p0 ? q 0 . w

⇒ Proof. We prove the contrapositive. We have that ∃w . p = w p0 and q = ⇒ q 0 but p0 6? q 0 . This means that ∃w0 , p000 , q 000 , a

such that: w0

w0

– p0 =⇒ p000 and q 0 =⇒ q 000 (item 2a of Definition 6.18), and !

!

?a

– ∀q 00 .q 000 = ⇒∗ q 00 implies q 00 = ⇒∗ −→ (item 2b of Definition 6.18), !

?a

and p000 = ⇒∗ −→. is false. Then, under the same existential quantifications, we also have: ww0

ww0

– p ==⇒ p000 and q ==⇒ q 000 (item 2a of Definition 6.18), and !

!

?a

– ∀q 00 .q 000 = ⇒∗ q 00 implies q 00 = ⇒∗ −→ (item 2b of Definition 6.18), !

?a

and p000 = ⇒∗ −→. is false. Therefore, we conclude p 6? q .

A semantic deconstruction of session types

35 w

⇒ T0 Proposition D.14. For all σ, T , T 0 , w ∈ (A! )∗ : T = implies ∃σ 0 . T [σ ] = ⇒ T 0 [σ 0 ]. Proof. We proceed by induction on the length of the sequence w of transitions in T = ⇒ T 0 . The base case is trivial: since we have no transitions, then T 0 = T and we conclude by letting σ 0 = σ . For the inductive cases, we have: w

T 00

τ

T 0.

– T = ⇒ − → By the induction hypothesis, we have ∃σ 00 . T [σ ] = ⇒ T 00 [σ 00 ]. By item (ii) of Proposition A.4, τ ∃b . T 00 [σ 00 ] − → T 0 [σ 00 . !b]. We conclude by letting σ 0 = σ 00 . !b; w0

!b

– T =⇒ T 00 −→ T 0 . By the induction hypothesis, we have ∃σ 00 . T [σ ] = ⇒ T 00 [σ 00 ]. By item (iii) of Proposition A.4, τ 00 00 T [σ ] − → T 0 [σ 00 . !b]. Choosing σ 0 = σ 00 . !b concludes.

Summing up, ∀a we have: ??a

?a

?a

?a

?a

?a

U [σ ]==⇒ ⇐⇒ U [σ ]−→ ⇐⇒ U −→ ⇓ T [σ ]= ⇒ ⇐⇒ T [σ ]−→ ⇐⇒ T −→

and therefore, since U = {U [σ ]}, U [σ ]⇓?? = U⇓?? ⊆ T [σ ]⇓?

Furthermore, we also have that U⇓? = ∅ implies T [σ ]⇓? = ∅ (vacuously); – both non -empty internal choices. We first prove U⇓?? ⊆ T [σ ]⇓? . If U⇓?? = ∅, the thesis is immediate. Other??a

wise, assume ∃a . U==⇒; since U = {U [σ ]}, this holds ??a

w

⇒ T 0. Proposition D.15. If T [σ ] = ⇒ T 0 [σ 0 ], then ∃w ∈ (A! )∗ .T = Proof. We proceed by induction on the length of the sequence of transitions in T [σ ] = ⇒ T 0 [σ 0 ]. The base case is trivial: since we have no transitions, then T 0 = T and σ 0 = σ — and we conclude by letting w be the empty sequence. For the inductive τ case, let T [σ ] = ⇒ T 00 [σ 00 ] − → T 0 [σ 0 ]. By the induction hypothesis, w0

there exists a sequence of outputs w0 such that T =⇒ T 00 . Now, τ from T 00 [σ 00 ] − → T 0 [σ 0 ], by Definition 2.11 we have that T 00 is equivalent to a non-empty internal choice with some !bguarded branch, and σ 0 = σ 00 . !b; moreover, by Proposition A.4 τ

!b

!b

(items (ii) and (iii) ), we have either T 00 − →−→ T 0 or T −→ T 0 !b

w

0

!b

— and therefore, T 00 = ⇒ T 0 . Hence, from T =⇒ T 00 = ⇒ T 0 , we conclude by letting w = w0 !b.

iff U [σ ]==⇒ — and by Definition 2.5, this means: ∀U 0 , σ 0 . U [σ ] = ⇒ U 0 [σ 0 ] ?a

implies ∃U 00 , σ 00 . U 0 [σ 0 ] = ⇒ U 00 [σ 00 ] −→ By Proposition D.15, each τ -sequence between U [σ ] and U 0 [σ 0 ] above corresponds to some sequence of w outputs w such that U = ⇒ U 0 ; similarly, the τ -sequence between U 0 [σ 0 ] and U 00 [σ 00 ] above corresponds to some w0

sequence of outputs w0 such that U 0 =⇒ U 00 . Thus, w

∀U 0 , w = !b1 , . . . , !bn . U = ⇒ U0 w0

?a

implies ∃U 00 , w0 = !c1 , . . . , !cn0 . U 0 =⇒ U 00 −→ and therefore, by Notation 2.1,

¨, v . Theorem 6.20. If T (◦ ∩ ? ) U then T [] ◦ U [], for ◦ ∈ 6 



!

!

?a

∀U 0 . U = ⇒∗ U 0 implies ∃U 00 . U 0 = ⇒∗ U 00 −→

(25)

Proof. Let us define:

¨ = R



¨ ∩ ? ) U (T [σ ] , U [σ ]) T (6

¨ is an I/O By the coinduction proof principle, we show that R ¨ we define U = {U [σ ]} simulation. For each (T [σ ] , U [σ ]) ∈ R, as predictive set, and verify the clauses of Definition 6.4: item a assume T [σ ]⇓! = ∅. Then, by Definition 2.11 we have σ = , and T can only be a (possibly empty) external ¨ U , we have that U is also an external choice. Since T 6

choice (by Theorem 6.13, Lemma 6.3 and Lemma 6.2) — and thus, since U = {U [σ ]}, we conclude U⇓! = ∅; ¨ U , from Theorem 6.13, Lemma 6.3 and item b since T 6 Lemma 6.2 we can determine that (up-to unfolding) T and U can be either: – both empty choices, i.e. T = U = 0. Then, since ?? ? U = {U [σ ]}, we have ∅ =
U⇓ ⊆ T [σ ]⇓ = ∅ and ? ? U⇓ = ∅ =⇒ T [σ ]⇓ = ∅ ; – both non -empty external choices, with all branches of U included in T . We notice that, by Proposition A.4 (item (i) ), we have: ?a

?a

?a

?a

– ∀a . T −→ iff T [σ ]−→, and – ∀a . U −→ iff U [σ ]−→. ?a

?a

Therefore, ∀a . U [σ ]−→ implies T [σ ]−→. We also notice that, by Definition 2.11, we have: ??a ?a – ∀a . U [σ ]−→ iff U [σ ]==⇒ (i.e., all inputs of external choices are persistent); ?a

?a

– ∀a . T [σ ]= ⇒ iff T [σ ]−→ (i.e., all weakly reachable

inputs are also immediately enabled).

Now, since T ? U , we have: – an empty sequence of actions w0 matches item 2a w0 w0 of Definition 6.18 for T =⇒ T and U =⇒ U ; – from Equation (25), we have that ?a is “persistent” in U by item 2b of Definition 6.18; ! ?a ⇒∗ T 0 −→. – so, by item 2c of Definition 6.18, ∃T 0 . T = w00

?a

Hence, ∃w00 = !d1 , . . . , !dm such that T ==⇒ T 0 −→; and then, by Proposition D.14, we have ∃σ 0 . T [σ ] = ⇒ ??a

?a

T 0 [σ 0 ]−→. Summing up, we have shown that ∀a, U==⇒ ?a

implies T [σ ]= ⇒: we conclude U⇓?? ⊆ T [σ ]⇓? . We are left to prove that U⇓? = ∅ implies T [σ ]⇓? = ∅. We first observe that since U = {U [σ ]}, then U⇓? = ∅ implies U [σ ]⇓? = ∅, which in turn gives: ∀U 0 , σ 00 . U [σ ] = ⇒ U 0 [σ 00 ] implies U 0 [σ 00 ]⇓? = ∅

(26)

Let us now examine the possible weak transitions of T [σ ]. From Proposition D.15 we know that ∀T 0 , σ 0 . w T [σ ] = ⇒ T 0 [σ 0 ] implies ∃w = !b1 , . . . , !bn . T = ⇒ T 0 . More¨ over, since T 6 U , by Proposition D.12 we have that w ¨ U 0 ; and by for all such w, ∃U 0 . U = ⇒ U 0 and T 0 6 w Proposition D.14, U = ⇒ U 0 implies ∃σ 00 . U [σ ] = ⇒ U 0 [σ 00 ]. ? 0 00 From this, Equation (26), gives U [σ ]⇓ = ∅ — i.e., by item (i) of Proposition A.4, U 0 ⇓? = ∅. But then, ¨ U 0 is supported by some predictive set U0 such T0 6 that U0 ⇓? = ∅; and so, by item b of Definition 6.4, we have T 0 ⇓? = ∅ — and by item (i) of Proposition A.4, T 0 [σ 0 ]⇓? = ∅. Thus, we conclude T [σ ]⇓? = ∅.

36

M. Bartoletti, A. Scalas, R. Zunino τ

item c assume T [σ ] − → T 0 [σ 0 ]. Notice that, by Definition 2.11, T [σ ] can only generate a τ -transition when T is equivalent to an internal choice with some !a-branch, and !a is appended to σ : hence, σ 0 = σ . !a. Then, by Definition 2.10, !a ¨ U , by Proposition D.12 we we have T = ⇒−→ T 0 . Since T 6 !a 00 0 ¨ U 000 . By have ∃U , U , U 000 . U = ⇒ U 00 −→ U 0 = ⇒ U 000 and T 0 6 00 Proposition A.3, U is a single-branch internal choice, and τ by item (iii) of Proposition A.4, U [σ ] − → U 0 [σ . !a] = U 0 [σ 0 ]. 0 ¨ Moreover, by Lemma D.3 we have T 6 U 0 , and by Proposition D.13 we have T 0 ? U 0 . Therefore, from the definition ¨ U 0 [σ 0 ]; of U above, we conclude ∃U 0 . U = ⇒ U 0 [σ 0 ] ∧ T 0 [σ 0 ] R !a

item d assume T [σ ] −→ T 0 [σ 0 ]. Notice that, by the semantics in Definition 2.11, T [σ ] can only generate a !a-transition when an output is removed from the head of σ , turning it into σ 0 , without changing T : so, T 0 = T . The same observation holds for U [σ ]. Since U = {U }, we have ∃U 0 . !a ¨ U= ⇒ U 0 [σ 0 ] with U 0 = U , from which we obtain T = T 0 6 0 U ; moreover, by Proposition D.13 we have T 0 ? U 0 : we ¨ U 0 [σ 0 ]; conclude T 0 [σ 0 ] R ?a

item e assume T [σ ] −→

T 0 [σ 0 ]

??a

∧ U==⇒. Notice that, by the semantics in Definition 2.11, T [σ ] can only generate a ?a-transition when T is an external choice, and σ is unchanged by the reduction — i.e., σ 0 = σ . Now, since ¨ U , by Theorem 6.13, Lemma 6.3 and Lemma 6.2 T 6 we have that U is an external choice, too — and by ??a ?a Definition 2.10, we can verify that U −→ iff U ==⇒, and since U is an external choice, by Definition 2.11 we have ??a ?a ¨ U , again by U [σ ]−→ implies U [σ ]==⇒. Moreover, since T 6 Theorem 6.13, Lemma 6.3 and Lemma 6.2 we also have ?a ?a ¨ U 0 . Finally, we ob∀U 0 . T −→ T 0 ∧ U −→ U 0 implies T 0 6 ?a ?a 0 serve that by Proposition D.13, ∀U . T −→ T 0 ∧ U −→ U 0 0 0 implies T ? U . Therefore, by definition of R, we con?a ¨ U 0 [σ 0 ]. clude ∃U 0 . U = ⇒ U 0 [ σ 0 ] ∧ T 0 [σ 0 ] R

¨ is an I/O simulation. Thus, ∀σ , T (6 ¨ ∩ ? ) U implies Hence, R ¨ U [σ ], and so T [σ ] 6 ¨ U [σ ]. Then, T [] 6 ¨ U []. T [σ ] R

E Proofs for Section 7 Lemma 7.1. The relations in Table 4 hold in UaCCS . Proof. The transition diagrams of the LHS and RHS of each

relation are isomorphic, by Definition 2.16. Then, they are also (strongly/weakly) bisimilar: we conclude by Theorem 6.11. Remark E.1. In the following, we will only consider restricted I/O simulation relations such that for each pair of elements (P [σ ], Q[ρ]), we have σ = ρ. This property is assumed for the I/O simulations given by hypothesis, and guaranteed when new I/O simulations are produced as part of a thesis. Notation E.2. We write {P [σ ], Q[σ ]}∀σ for:

S

σ {P [σ ], Q[σ ]}

¨ Q[σ ] and R[σ ] 6 ¨ S [σ ], with Lemma E.3. For all σ, let P [σ ] 6 ¨ Q | S [σ ] . ins(P ) ∩ ins(R) = ins(Q) ∩ ins(S ) = ∅. Then, P | R[σ ] 6 ¨ 1, R ¨ 2 be I/O simulations Proof. From the hypothesis, let R ¨ ¨ 2 S [σ ]. Let: such that for all σ , P [σ ] R1 Q[σ ] and R[σ ] R ¨ = R

 (P 0 | R0 [ρ] , Q0 | S 0 [ρ])

 ¨1 (P 0 [ρ0 ], Q0 [ρ0 ]) ∈ R ∧ (R0 [ρ00 ], S 0 [ρ00 ]) ∈ R ¨2 ∀ρ

¨ is an I/O simulation, where the predictive set for Note that R each pair (P 0 | R0 [ρ] , Q0 | S 0 [ρ]) is:  00 00 Q | S [ρ] Q00 [ρ] ∈ Q ∧ S 00 [ρ] ∈ S where Q, S are respectively the predictive sets supporting ¨ 1 Q0 [ρ0 ] and R0 [ρ0 ] R ¨ 2 S 0 [ρ0 ]. The key observation is P 0 [ρ 0 ] R that by Proposition D.12, P 0 ’s (resp. R0 ’s) τ and output moves are matched by Q0 (resp. S 0 ) — and the corresponding pairs of ¨ 1 (resp. R ¨ 2 ), are also contained reducts, being contained in R ¨ The same matching also holds for input moves shared in R. by P 0 , Q0 (resp. R0 , S 0 ) under clause e of Definition 6.4. The only problematic case is the following: ?a

?a

– P 0 [ρ]−→ and Q0 [ρ]= 6 ⇒; ?a

??a

– R 0 [ρ ]= ⇒ and S 0 [ρ]==⇒; – hence,

P0

|

?a R0 [ρ]−→;

??a

– Q0 | S 0 [ρ]==⇒.

In this case, by clause e of Definition 6.4, the ?a-transition of P 0 | R0 [ρ] (arising from P 0 ) would need to be I/O simulated by some weak ?a-transition of Q0 | S 0 [ρ] (arising from S 0 ) — albeit the ?a-transition of P 0 [σ ] was not I/O simulated by Q0 [σ ]! However, by hypothesis, we have that the inputs of P 0 , R0 and Q0 , S 0 cannot overlap; therefore, a persistent input of S 0 (resp. Q0 ), which is weakly reachable in R0 (resp. P 0 ), cannot be enabled in P 0 (resp. R0 ): we conclude that the case is impossible. Lemma 7.3. The rules in Table 5 hold in UaCCS . Proof. Recall that all related behaviours in the statement are ¨ Q in UaCCS paired with a generic buffer [σ ], and that P 6 ¨ Q[σ ]. means: ∀σ . P [σ ] 6 ¨ Q[σ ] (for For rule (+Ctx), we first prove that, when P [σ ] 6 ¨ `τ .Q[σ ] (for all σ ). We have three cases: all σ ), then `τ .P [σ ] 6

¨ `τ .Q[σ ] is proved Let σ ∈ (A! )∗ . Then, `τ .P [σ ] 6 ¨ where R ¨ is by the I/O simulation {(`τ .P [σ ], `τ .Q[σ ])} ∪ R, ¨ an I/O simulation such that P [ρ] R Q[ρ] (for all ρ), and {`τ .Q[σ ]} is the predictive set for the additional pair; – `τ = ?a. The proof is similar to the previous case; ¨ `τ .Q[σ ] is proved – `τ = !a. Let σ ∈ (A! )∗ . Then, `τ .P [σ ] 6 ¨ where R ¨ is by the I/O simulation {(`τ .P [σ ], `τ .Q[σ ])} ∪ R, ¨ an I/O simulation such that P [ρ. !a] R Q[ρ. !a] (for all ρ), and {`τ .Q[σ ]} is the predictive set for the additional pair. ¨ Qi [σ ] for Therefore, when for all σ we have ∀i ∈ I . Pi [σ ] 6 ¨ some I/O simulation Ri (byPthe premise of rule (+Ctx)), we P ¨ have that i∈I `τ i .Pi [σ ] 6 i∈I `τ i .Qi [σ ] (in the conclusion of rule (+Ctx)) holds by the following I/O simulation: ( !) X X [ ¨i `τ i .Pi [σ ], `τ i .Q [σ ] ∪ R – `τ = τ .

i

i∈I

i∈I

∀σ

i∈I

where pair is supported by the predictive set P each additional i∈I `τ i .Qi [σ ] . To prove rule (+τ ), we simply observe that, for all σ , when the premise holds, {Q[σ ]} is a predictive set supporting the conclusion. P For rule (|L), by hypothesis we have Q ≡ i∈I !ci .Qi , we ¨ 1, R ¨ 2 such that ∀σ 0 . P 0 [σ 0 ] R ¨1 have two I/O simulations R 0 0 00 0 0 ¨ !a[σ ] and ∀σ . P [σ ] R2 ?b[σ ]. Then, for all σ , we have ¨ !a. ?b + Q[σ ] is proved by the following I/O that P 0 | P 00 [σ ] 6 simulation:

A semantic deconstruction of session types 

(P 000 [σ ], !a.?b+Q[σ ]) P 000 ∈{P

1 |P2

|

37

P 0= ⇒P1 = ⇒!a+··· ∧ P 00 = ⇒P2 = ⇒?b+···}

¨1 ∪ R ¨2 ∪R

Intuitively, P 000 ranges over all the intermediate CCS – terms that P 0 | P 00 [σ ] may reach via τ transitions, before reaching respectively an !a-summation and ?b-summation (which must exist — otherwise, one of the two relations in the hypotheses would be false); then, all such intermediate terms are paired with the RHS of the relation we are proving — and the predictive set for all these additional pairs is {?b[σ. !a]}. ¨ P For rule (|R), when P [σ ] 6 ?b . Q[σ ] (for all σ ) and R ≡ ¨ !a + R | ?b . Q[σ ] is , then we have that !a . P [σ ] 6 ! c .R i i∈I i proved by the following I/O simulation: 

¨ (!a.P [σ ], !a + R | ?b.Q[σ ]) ∀σ ∪ R

¨ is an I/O simulation such that P [σ. !a] R ¨ ?b.Q[σ. !a] where R (which exists by hypothesis). The predictive set for each additional pair is {!a + R | ?b.Q[σ ]}. ¨ Q and R 6 ¨ S with ins(P ) ∩ For rule (|LR), when P 6 ¨ Q | S [σ ] holds by ins(R) = ins(Q) ∩ ins(S ) = ∅, then P | R[σ ] 6 Lemma E.3. For rule (+Int), where Q is an output -guarded choice, let: [ ¨ = {(P [σ ], Q[σ ])} ∪ ¨i R R ∀σ i∈I

¨ i is an I/O simulation such that ∀σ . P i [σ ] 6 ¨ Qi [ σ ] where R (which exists by the rule premises), and for a given σ , Q = {Q[σ ]} is the predictive set for the additional pair (P [σ ], Q[σ ]). ¨ is an I/O simulation, which ignores the We can verify that R new branch !b.Q0 , since its initial τ -move (for enqueuing !b) is not matched in the LHS. For rule (+Ext), Q is an input -guarded choice. Note that whenever j = i, since (by premises) there exists an I/O sim¨ Qi [σ ], by rule (+Ctx) there is also ulation such that P j [σ ] 6 ¨ ?ai .Qi [σ ]: therefore, an I/O simulation such that ?aj .P j [σ ] 6 ¨ 1 be the union of all such I/O simulations. Finally, let let R us consider, for each k ∈ K , an I/O simulation such that ¨ 2 be the union of these I/O simulations. ¨ Q, and let R Pk 6 Then, the relation in the conclusion is proved by the following I/O simulation:    X  X ¨ =  ¨1 ∪ R ¨2 R τ .Pk [σ ], Q[σ ] ∪ R (?aj .Pj ) +   j∈J

k∈K

∀σ

where the predictive set for each additional pair is {Q[σ ]}. Proposition E.4. Let P be a CCS – term with some occurrence of X that is output-guarded, and not input-guarded. Let Q be a sequential CCS – term, with Q[σ ]⇓?? = 6 ∅ (for any σ). Then, P [Q/X ] 6 6 ¨ Q. Proof. We prove the statement by contradiction, assuming ¨ Q. This, in particular, implies P [Q/X ][] 6 ¨ Q[]. Let P [Q/X ] 6 Q0 = Q. From the hypotheses on P , there exists a sequence !a

1 of outputs !a1 , . . . , !an and some P 0 such that P [Q0/X ][] =⇒ ! an ¨ Q0 [], by clauses c · · · =⇒ Q0 | P 0 []. Since P [Q0/X ][] 6 and d of Definition 6.4, Q0 [] must simulate such transitions: hence, reminding Remark E.1, there exists Q1 such ! a1 ! an ¨ Q1 []. But that Q0 [] =⇒ · · · =⇒ Q1 [] and Q0 | P 0 [] 6 then, the same sequence of transitions can be fired by the LHS of the latter relation, and the RHS must simulate it:

!a

!a

1 n hence, there exists Q2 such that Q1 [] =⇒ · · · =⇒ Q2 [] and 0 ¨ Q2 []. By iterating this reasoning, we can see that Q1 | P [] 6 there exists an infinite sequence of processes (Qm )m≥0 such

!a

!a

1 n ¨ Qm+1 []: this that Qm [] =⇒ · · · =⇒ Qm+1 [] and Qm | P 0 [] 6 implies that Q = Q0 is recursive, and for some k ≥ 0, the outputs being fired by (Qm )m≥k occur under some recursive subterms of Q. Notice that the persistent inputs of Q (that exist by the hypothesis Q[σ ]⇓?? 6= ∅) are never fired throughout the transitions above — i.e., ∀m ≥ 0, Qm []⇓?? ⊇ Q[]⇓?? 6= ∅. But then, from the sequentiality hypothesis, Q must contain a recursive subterm µY Q0 , which in turn must contain a subterm P 0 0 0 i∈I Qi where, for some j, j ∈ I , Qj contains some inputs, and Q0j 0 has an occurrence of Y that is not input-guarded. Hence, we must conclude that Q does not respect clause b of Definition 7.6, i.e., Q is not a CCS – term: contradiction.

Lemma 7.7. Let µX P and Q be sequential CCS – terms. If ¨ Q, then µX P 6 ¨ Q. P [Q/X ] 6

Proof. If X 6∈ fv(P ), the thesis trivially holds. Otherwise, when X ∈ fv(P ), we need to produce an I/O simulation containing the pairs {(µX P [σ ], Q[σ ])}∀σ . Before proceeding, we introduce

some technical machinery:

1. we write Q (i.e., Q underlined) to “tag” the occurrences of term Q arising in P [Q/X ] due to variable substitution: e.g., if P = ?a + !b.X and Q = ?a, we have P [Q/X ] = ?a + !b.?a; 2. P [R/Q] is the term substitution which replaces each occurrence of Q in P with the tagged term R: for instance, if P = ?a + !b. ?a we have P [R/?a] = ?a + !b.R (notice that the first, untagged occurrence of ?a is unchanged); 3. we naturally extend the semantics of async CCS so that

such syntactic tags are preserved along transitions, without altering the labels. E.g., taking P and Q from item 1. above, τ ?a we have P [Q/X ][] − → ?a[!b] −→ 0[!b] (note that the tag is discarded when the occurrence of Q = ?a.0 is reduced). ¨ =R ¨0 ∪ R ¨ 00 , where: Now, let R   0 Q →∗ P 0 [σ 0 ] ¨ 0 = (P 0 [µX P/Q][σ 0 ], Q0 [σ 0 ]) ∃σ 0 , σ . P [ /X ][σ 0 ] − R ¨ Q0 [σ 0 ] ∧ P 0 [σ 0 ] 6 ( ) ∃P 00 , Q00 . P 00 6= µ P and X ¨ 00 = (P 0 [σ 0 ], Q0 [σ 0 ]) R ¨ 0 Q00 [σ 0 ] 6 ¨ P 00 [σ 0 ] R ¨ Q0 [ σ 0 ] P 0 [σ 0 ] 6 ¨ contains: Intuitively, R ¨ 0: – from R

for all σ 0 , all pairs (P 0 [σ 0 ], Q0 [σ 0 ]), given by the following procedure: 1. take P 00 [σ 0 ], Q0 [σ 0 ] such that P [Q/X ][σ ] − →∗ P 00 [σ 0 ] and ¨ Q0 [ σ 0 ] P 00 [σ 0 ] 6 2. obtain P 0 by replacing all occurrences of Q in P 00 with µX P (note that Q0 is taken as-is);

¨ 00 : – from R

¨ 0 w.r.t. 6, ¨0 ¨ for all pairs in R the closure of R such that the LHS is not yielded by an instance of Q replaced by µX P .

¨ is an I/O simulation. Let: We prove that R

38

M. Bartoletti, A. Scalas, R. Zunino

                          ∃Q00 .  00 P [σ ], 00 F (X)= Q [σ ] V Q00 Q00 [σ ]     and                     

 a.        b .             c.     

P 00 [σ ]⇓! = ∅ implies Q00 ⇓! = ∅; Q00 ⇓?? ⊆ P 00 [σ ]⇓? ∧ (Q00 ⇓? = ∅ implies P 00 [σ ]⇓? = ∅); τ P 00 [σ ] − → P 000 [σ ] implies ∃Q000 [σ ] . Q00 = ⇒ Q000 [σ ] ∧ (P 000 [σ ], Q000 [σ ]) ∈ X;

   d.               e .       

P 00 [σ ] −→ P 000 [σ 0 ] implies

!a

!a Q00 = ⇒

∃Q000 [σ 0 ] . Q000 [σ 0 ] ∧ (P 000 [σ 0 ], Q000 [σ 0 ]) ∈ X; ??a

?a

P 00 [σ ] −→ P 000 [σ ] ∧ Q00 ==⇒ ∃Q000 [σ ]

?a Q00 = ⇒

Q000 [σ ]

. ∧ (P 000 [σ ], Q000 [σ ]) ∈ X.

                                                  

By the coinduction proof principle, we have to show that ¨ ⊆ F (R). ¨ When (P 00 [σ ], Q00 [σ ]) ∈ R, ¨ we have two cases: R 0

¨ , then P 00 = P 0 [µX P/Q], for some A. if (P 00 [σ ], Q00 [σ ]) ∈ R ¨ Q00 [σ ]. Regardσ 0 , P 0 [σ ] such that P [Q/X ][σ 0 ] − →∗ P 0 [σ ] 6 0 ing such P , we have two possibilities: (i) P 0 6= Q. By clause a of Definition 7.6, X is always guarded in some subterm `.X of P , and thus, all occurrences of Q in P 0 are guarded by some input or output `, and the same holds for all occurrences of µX P in P 0 [µX P/Q] = P 00 . Now, let Q00 be a predictive

¨ Q00 [σ ]: we show that Q00 is also set supporting P 0 [σ ] 6 a predictive set for the pair (P 0 [µX P/Q][σ ], Q00 [σ ]) = (P 00 [σ ], Q00 [σ ]). In detail: – clause a . Assume P 00 [σ ]⇓! = P 0 [µX P [σ]/Q]⇓! = ∅. It suffices to show that this implies P 0 [σ ]⇓! = ∅, ¨ Q00 [σ ] with and therefore Q00 ⇓! 6= ∅ (since P 0 [σ ] 6 00 00 predictive set Q ). Note that P [σ ]⇓! = ∅ implies σ = . By contradiction, assume P 0 []⇓! 6= ∅: this means that the weakly reachable outputs of P 0 [] must occur in Q, but are removed when replacing it with µX P in P 00 . For such outputs to be part of P 0 []⇓! , we have two possibilities: – some Q in P 0 is unguarded. Then, since P 0 = 6 Q, we must have P 0 ≡ Q | P00 (for some P00 ), which implies that P [Q/X ][σ 0 ] can reduce to a parallel term, i.e., µX P is not sequential: contradiction; – some Q in P 0 is guarded by τ s only. Then, some X is P is not guarded in some subterm `.X , thus violating clause a of Definition 7.6. Hence, µX P is not a CCS – term: contradiction; – clause b , first part. By Proposition D.5 we have Q00 ⇓?? ⊆ P 0 [σ ]⇓?? . By contradiction, let Q00 ⇓?? 6⊆ P 00 [σ ]⇓? , and therefore, Q00 ⇓?? 6⊆ P 0 [µX P/Q][σ ]⇓? . It means that some persistent input of Q00 that is also persistent in P 0 [σ ] is not weakly reachable in P 0 [µX P/Q][σ ]. Since P 0 is sequential, it follows that such an input occurs in Q as persistent (i.e., it belongs to Q[σ ]⇓?? ), but it is not weakly reachable in P . Hence, we have ∅ 6= Q[σ ]⇓?? 6⊆ P [σ ]⇓? . Then, considering P [Q/X ][σ ] and the sequentiality of P , we have two possibilities: – all X in P are input-guarded. Then, we have P [Q/X ][σ ]⇓? = P [σ ]⇓? . Now, note that for any set Q such that Q[σ ] V Q, we also have Q[σ ]⇓?? ⊆ Q⇓?? 6⊆ P [σ ]⇓? = P [Q/X ][σ ]⇓? . ¨ Thus, we obtain the contradiction P [Q/X ][σ ] 66 Q[σ ], because no predictive set could satisfy the first part of clause b of Definition 6.4;

– some X in P is output-guarded and not inputguarded. Since Q[σ ]⇓?? = 6 ∅, by Proposition E.4 we get the contradiction P [Q/X ][σ ] 6 6 ¨ Q[σ ]; – clause b , second part. Assume Q00 ⇓? = ∅: this implies P 0 [σ ]⇓? = ∅. By contradiction, assume P 00 [σ ]⇓? = P 0 [µX P/Q][σ ]⇓? = 6 ∅. This implies that Q[σ ]⇓? = ∅, while µX P [σ ]⇓? = P [σ ]⇓? = 6 ∅. This means P [Q/X ][σ ]⇓? = 6 ∅. Moreover, since Q[σ ]⇓? = ∅, for any set Q such that Q[σ ] V Q we have Q⇓? = ∅. But then, we obtain the contradiction P [Q/X ][σ ] 6 6 ¨ Q[σ ], since no predictive set could satisfy the second part of clause b of Definition 6.4. ¨ For the remaining clauses of F , reminding that P 0 [σ ] 6 ¨ Q000 [σ 0 ] that satisfy Q00 [σ ], we take all pairs P 000 [σ 0 ] 6 Definition 6.4 after a transition of P 0 [σ ], apply the substitution P 000 [Q/X ][σ 0 ], and show that the resulting pair satisfies clauses c –e of F . More precisely, take all `

τ `τ , P 000 [σ 0 ] such that P 0 [σ ] − − → P 000 [σ 0 ], and all Q000 [σ 0 ] such that:

`τ

`

τ P 0 [σ ] − − → P 000 [σ 0 ] and Q00 [σ ] V Q00 =⇒ Q000 [σ 0 ] ¨ Q000 [σ 0 ] and P 000 [σ 0 ] 6

Observe that, since `

τ ¨ Q000 [σ 0 ] P [Q/X ][σ 0 ] − →∗ P 0 [σ ] − − → P 000 [σ 0 ] and P 000 [σ 0 ] 6

¨ 0 contains a pair (P 000 [µX P/Q][σ 0 ], Q000 [σ 0 ]), and thus: R `

τ P 00 [σ ] = P 0 [µX P/Q][σ ] − − → P 000 [µX P/Q][σ 0 ] 0 000 000 ¨0 ⊆ R ¨ µ P and (P [ X /Q][σ ], Q [σ 0 ]) ∈ R

We can verify that such pairs (P 000 [µX P/Q][σ 0 ], Q000 [σ 0 ]) satisfy the existentials in clauses c –e of F (depending on whether `τ is a τ , an output, or an input). Therefore, ¨ we conclude (P 00 [σ ], Q00 [σ ]) ∈ F (R); 0 00 (ii) P = Q. Then, we have P = µX P and P 0 [σ ] = ¨ Q00 [σ ]. We observe: Q [σ ] 6 ¨ Q, then from the 1. since by hypothesis P [Q/X ] 6 ¨ 0 contains: ¨ Q pair (P [ /X ][σ ], Q[σ ]) ∈ 6, the set R ¨0 (P [Q/X ][µX P/Q][σ ], Q[σ ]) = (P [µX P/X ][σ ], Q[σ ]) ∈ R 2. since P 00 [σ ] and P [µX P/X ][σ ] are bisimilar, then ¨ P [µX P/X ][σ ]. by Theorem 6.11 we have P 00 [σ ] 6

Summing up: 0

¨ Q [σ ] 6 ¨ P [µX P/X ][σ ] R ¨ Q00 [σ ] P 00 [σ ] = µX P [σ ] 6 Hence, noticing that P [µX P/X ] = 6 µX P (since X is 00 ¨ 00 : this guarded in P ), we also have (P [σ ], Q00 [σ ]) ∈ R is studied in case B. below; ¨ 00 , then there exist P 0 6= µ P and Q0 B. if (P 00 [σ ], Q00 [σ ]) ∈ R X such that: 00 0 0 0 0 ¨ P [σ ], for some predictive set P ; – P [σ ] 6 ¨ 0 Q0 [σ 0 ], for some predictive set Q0 , determined – P 0 [σ 0 ] R as per case A.(i) above (since P 0 6= µX P ); ¨ Q00 [σ 0 ], for some predictive set Q00 . – Q0 [ σ 0 ] 6 Now, applying the technique in the proof of Theorem 6.10 (transitivity, page 32), we can: – use P0 and Q0 to build a predictive set Q000 such that the pair (P 00 [σ 0 ], Q0 [σ 0 ]) satisfies clauses a –e of F (note that the substitutions [µX P/Q] in P 00 are handled similarly to case A.(i) above);

A semantic deconstruction of session types

39

– use Q000 and Q00 to build a predictive set Q∗ such that the pair (P 00 [σ 0 ], Q00 [σ 0 ]) satisfies clauses a –e of F . E.g., for clause e of F , we have: ?a

P 00 [σ ] −→ P 000 [σ ] ?a

??a

Q∗ ==⇒

and ?a

implies ?a

000 ∃P0000 , Q000 0 ,Q .

∗ P0 = ⇒ P0000 and Q0 = ⇒ Q000 ⇒ Q000 [σ ] 0 and Q =

and

¨ 1 Q000 [σ ] 6 ¨ P0000 [σ ] R ¨ Q000 [σ ] P [σ ] 6 0 000

¨ 00 ⊆ R; ¨ otherand if P 000 6= µX P , then (P 000 [σ ], Q000 [σ ]) ∈ R 000 µ P wise, P = µX P is bisimilar to P [ X /X ], and we have: 0

¨ Q000 [σ ] 6 ¨ P [µX P/X ][σ ] R ¨ Q000 [σ ] P 000 [σ ] 6 0 and thus, since P [µX P/X ] 6= µX P , we get (P 000 [σ ], Q000 [σ ]) ∈ ¨ 00 ⊆ R. ¨ Hence, we conclude (P 00 [σ ], Q00 [σ ]) ∈ F (R). ¨ R ¨ is an I/O simulation; further, since 6 ¨ is the largest I/O Then, R ¨ ⊆ 6. ¨ Finally, we are left to prove that simulation, we have R ¨ Q[σ ]: we simply observe that ∀σ.(µX P [σ ], Q[σ ]) ∈ ∀σ. µX P [σ ] 6 ¨0 ⊆ R ¨ ⊆ 6. ¨ R