Compliance and subtyping in timed session types
Massimo Bartoletti
Tiziana Cimoli
Alessandro Sebastian Podda
Maurizio Murgia
Livio Pompianu
University of Cagliari (Italy)
Grenoble, Jun 4th, 2015
Session types in a nutshell (1) Formal description of interaction protocols: p = ?zip. (!weather + !abort) Compliance = “correct interaction” (deadlock freedom, or variants) q = !zip. (?weather & ?abort) p is compliant with q (in symbols: p ./ q)
?zip p
τ
!weather !zip q
?weather
Session types in a nutshell (1) Formal description of interaction protocols: p = ?zip. (!weather + !abort) Compliance = “correct interaction” (deadlock freedom, or variants) q = !zip. (?weather & ?abort) p is compliant with q (in symbols: p ./ q)
?zip p
τ τ
!weather !zip !abort
q
?weather ?abort
Session types in a nutshell (1) Formal description of interaction protocols: p = ?zip. (!weather + !abort) Compliance = “correct interaction” (deadlock freedom, or variants) q = !zip. (?weather & ?abort) p is compliant with q (in symbols: p ./ q)
?zip p
τ τ
!weather !zip !abort
q
?weather
Session types in a nutshell (1) Formal description of interaction protocols: p = ?zip. (!weather + !abort) Compliance = “correct interaction” (deadlock freedom, or variants) q = !zip. (?weather & ?abort) p is compliant with q (in symbols: p ./ q)
?zip p
τ
!weather !zip q
?weather ?abort
Session types in a nutshell (2)
Subtyping = safe replacement If p 0 is subtype of p, then all services interacting correctly with p must interact correctly also with p 0 . Formally, let p ./ = {q | p ./ q} p0 v p
whenever
p0
./
⊇ p ./
Example:
v
p = ?zip. (!weather + !abort) p 0 = ?zip. !weather & ?gps. !weather
Issues Deadlock freedom ??
p = ?zip. (!weather + !abort) ./ q = !zip. (?weather & ?abort) A possible interaction: 1. q sends zip, then waits to receive a msg from p 2. p receives zip... then dies Question: is p respecting its contract? Problem: p is not declaring a DEADLINE for !weather or !abort
Timed session types
TSTs = session types + clocks + guards/resets
p = ?zip {x} . (!weather {5 < x < 10} + !abort {x < 1}) Internal choice: p chooses action AND time (within constraints)
q = !zip {y} . (?weather {y < 7} & ?abort {y < 5}) External choice: q accepts action AND time (within constraints)
Timed session types
TSTs = session types + clocks + guards/resets
p = ?zip {x} . (!weather {5 < x < 10} + !abort {x < 1}) Internal choice: p chooses action AND time (within constraints)
q = !zip {y} . (?weather {y < 7} & ?abort {y < 5}) External choice: q accepts action AND time (within constraints)
Compliance
p = ?zip {x} . (!weather {5 < x < 10} + !abort {x < 1})
q = !zip {y} . (?weather {y < 7} & ?abort {y < 5})
Compliance
p = ?zip {x} . (!weather {5 < x < 10} + !abort {x < 1}) 6./ q = !zip {y} . (?weather {y < 7} & ?abort {y < 5})
Compliance
p = ?zip {x} . (!weather {5 < x < 10} + !abort {x < 1}) ./ q = !zip {y} . (?weather {y < 12} & ?abort {y < 5})
Timed session types
p ::=
1 rec X. p X L
i∈I
!ai {g i , R i } . pi
P
i∈I
?ai {g i , R i } . pi
(pairwise disjoint branch labels, guarded recursion variables)
Example: Paypal User Protection Agreement
p = ?pay {tpay } . ?ok & // open a dispute � ?dispute {tpay < 180, td } . p 0 p 0 = ?ok {td < 20} & // escalate the dispute to a claim ?claim {td < 20 ∧ tpay > 7, tc } . ?rcpt {tc < 3, tc } . !refund {tc < 7} & ?abort
(full version at co2.unica.it/tst)
Semantics by examples (1) Clock evaluation: function ν from clocks to R≥0
(!a + !b {t < 3} , ν0 )
|
(?a&?b {t < 5} , ν0 )
2.1
−−→ (!a + !b {t < 3} , ν0 + 2.1) | (?a&?b {t < 5} , ν0 + 2.1) τ
− → τ
− →
([!b {t < 3}] 1, ν0 + 2.1) (1, ν0 + 2.1)
| (?a&?b {t < 5} , ν0 + 2.1) |
(1, ν0 + 2.1)
1st τ -step possible because: ν0 + 2.1 ∈ Jt < 3K 2nd τ -step possible because: ν0 + 2.1 ∈ Jt < 5K
Semantics by examples (2)
Passing of time cannot exclude all the internal choices: 3.5
(!a {t < 2} + !b {t < 3} , ν0 ) | · · · − 6 −→
...but it can exclude all the external ones: (!a + !b, ν0 ) 3.5
|
(?a {t < 2} & ?b {t < 3} , ν0 )
−−→ (!a + !b, ν0 + 3.5) | (?a {t < 2} & ?b {t < 3} , ν0 + 3.5) τ
6→ −
deadlock
Compliance by examples ?
1.
!a + !b {t ≤ 3}
2.
?a {t < 5} .!b {t < 3}
!a {t < 2} .?b {t < 3}
3.
?a {t < 5} .!b {t < 3}
!a {t < 5} .?b {t < 3}
./
?a & ?b {t < 2}
4. rec X. !a + !b {x ≤ 1} . ?c. X
�
?a & ?b {y ≤ 1} . !c {y > 1} . ?a
Compliance by examples
1.
!a + !b {t ≤ 3}
6./
2.
?a {t < 5} .!b {t < 3}
3.
?a {t < 5} .!b {t < 3}
?a & ?b {t < 2}
?
./
!a {t < 2} .?b {t < 3}
!a {t < 5} .?b {t < 3}
4. rec X. !a + !b {x ≤ 1} . ?c. X
�
?a & ?b {y ≤ 1} . !c {y > 1} . ?a
Compliance by examples
1.
!a + !b {t ≤ 3}
6./
?a & ?b {t < 2}
2.
?a {t < 5} .!b {t < 3}
./
3.
?a {t < 5} .!b {t < 3}
./
?
!a {t < 2} .?b {t < 3}
!a {t < 5} .?b {t < 3}
4. rec X. !a + !b {x ≤ 1} . ?c. X
�
?a & ?b {y ≤ 1} . !c {y > 1} . ?a
Compliance by examples
1.
!a + !b {t ≤ 3}
6./
?a & ?b {t < 2}
2.
?a {t < 5} .!b {t < 3}
./
!a {t < 2} .?b {t < 3}
3.
?a {t < 5} .!b {t < 3}
6./
!a {t < 5} .?b {t < 3}
4. rec X. !a + !b {x ≤ 1} . ?c. X
�
?
./ ?a & ?b {y ≤ 1} . !c {y > 1} . ?a
Compliance by examples
1.
!a + !b {t ≤ 3}
6./
?a & ?b {t < 2}
2.
?a {t < 5} .!b {t < 3}
./
!a {t < 2} .?b {t < 3}
3.
?a {t < 5} .!b {t < 3}
6./
!a {t < 5} .?b {t < 3}
4. rec X. !a + !b {x ≤ 1} . ?c. X
�
./ ?a & ?b {y ≤ 1} . !c {y > 1} . ?a
On semantic preservation
p ./ q
=⇒
untime p ./ untime q
??
p = !a {t < 5} + !b {t < 0} ./ q = ?a {t < 7}
On semantic preservation
p ./ q
=⇒
untime p ./ untime q
??
p = !a {t < 5} + !b {t < 0} ./ q = ?a {t < 7}
untime p = !a 6./ untime q = ?a
+ !b
On compliance
The state space of TSTs is infinite, but...
Theorem: compliance is decidable Idea: 1. reduce compliance in TSTs to deadlock freedom in TAs 2. model-check deadlock freedom in Uppaal
Tool: co2.unica.it/tst
Session types for MOMs
Session types for MOMs
Session types for MOMs
On the existence of duals
Is it possible to accept this?
q = !zip {y < 10} . (?weather {y < 7} &?abort {y < 5})
NO: q does not admit a compliant!
Less trivial example: p = rec X. ?a {x ≤ 1 ∧ y ≤ 1} . !a {x ≤ 1, {x}} . X
On the existence of duals
Is it possible to accept this?
q = !zip {y < 10} . (?weather {y < 7} &?abort {y < 5})
NO: q does not admit a compliant!
Less trivial example: p = rec X. ?a {x ≤ 1 ∧ y ≤ 1} . !a {x ≤ 1, {x}} . X
A kind system for TSTs
Kind system: p ` K implies p admits a compliant in all ν ∈ K
p = !a {x ≤ 2} + !b {x ≤ 1} . ?a {x ≤ 0} We have: p ` J(x > 1) ∧ (x ≤ 2)K Theorem: For all closed p, there exists some K such that ` p : K
Theorem: Kind inference is decidable.
Dual of a TST For all kindable p, we define the dual of p as: ! co
X
?ai {g i , T i } . pi
i∈I
=
M
!ai g i ∧ Ki [T i ]−1 , T i . co(pi )
�
i∈I
if ` pi : Ki , for all i ∈ I (other cases homomorphic)
q = ?a {x ≤ 2} . ?b {x ≤ 1} co(q) = !a {x ≤ 1} . !b {x ≤ 1}
Properties of the dual
Soundness: If ` p : K and ν ∈ K, then (p, ν) ./ (co(p) , ν)
Completeness: If ` p : K and ∃q, η. (p, ν) ./ (q, η), then ν ∈ K
(co-)Transitivity: If p ./ p 0 and co(p 0 ) ./ q, then p ./ q
Decidability: it is decidable whether p admits a compliant
Subtyping Let p ./ = {q | p ./ q}. Subtyping relation: p0 v p
p0
whenever
./
⊇ p ./
Theorem: q ./ p =⇒ q v co(p) Theorem: If q admits a compliant, then: pvq
⇐⇒
p ./ co(q)
This implies decidability of subtyping!
Subtyping Let p ./ = {q | p ./ q}. Subtyping relation: p0 v p
p0
whenever
./
⊇ p ./
Theorem: q ./ p =⇒ q v co(p) Theorem: If q admits a compliant, then: pvq
⇐⇒
p ./ co(q)
This implies decidability of subtyping!
Conclusions I
I
I
Timed extension of binary (synchronous) session types I
Internal choices !a {t < 7, {t}} + !b {5 < t < 10}
I
External choice ?a {t < 10} & ?b {7 < t < 10}
Decidable notions for: I
compliance
I
dual construction
I
subtyping
I
runtime monitoring of send() and receive()
Tools + MOM: co2.unica.it/tst
Thanks!
