Compliance and subtyping in timed session types
Massimo Bartoletti
Tiziana Cimoli
Alessandro Sebastian Podda
Maurizio Murgia
Livio Pompianu
University of Cagliari (Italy)
Grenoble, Jun 4th, 2015
Session types in a nutshell (1)

Formal description of interaction protocols:
  p = ?zip. (!weather + !abort)
  q = !zip. (?weather & ?abort)

Compliance = “correct interaction” (deadlock freedom, or variants)

p is compliant with q (in symbols: p ⋈ q)

[Figure: transition systems of p and q. p reads ?zip and then takes a τ-step committing to either !weather or !abort; q writes !zip and then waits for ?weather or ?abort.]
Session types in a nutshell (2)

Subtyping = safe replacement
If p' is a subtype of p, then all services interacting correctly with p must interact correctly also with p'.

Formally, let $p^{\bowtie} = \{\, q \mid p \bowtie q \,\}$. Then
  $p' \sqsubseteq p$ whenever $p'^{\bowtie} \supseteq p^{\bowtie}$

Example: p' ⊑ p, with
  p  = ?zip. (!weather + !abort)
  p' = ?zip. !weather & ?gps. !weather
Issues

Deadlock freedom ??

p = ?zip. (!weather + !abort)  ⋈  q = !zip. (?weather & ?abort)

A possible interaction:
  1. q sends zip, then waits to receive a msg from p
  2. p receives zip... then dies

Question: is p respecting its contract?
Problem: p is not declaring a DEADLINE for !weather or !abort
Timed session types

TSTs = session types + clocks + guards/resets

p = ?zip {x} . (!weather {5 < x < 10} + !abort {x < 1})
  Internal choice: p chooses action AND time (within constraints)

q = !zip {y} . (?weather {y < 7} & ?abort {y < 5})
  External choice: q accepts action AND time (within constraints)
Compliance

p = ?zip {x} . (!weather {5 < x < 10} + !abort {x < 1})  ⋈̸  q = !zip {y} . (?weather {y < 7} & ?abort {y < 5})
  (p may send weather at a time x ∈ [7, 10), when q no longer accepts it)

p = ?zip {x} . (!weather {5 < x < 10} + !abort {x < 1})  ⋈  q = !zip {y} . (?weather {y < 12} & ?abort {y < 5})
Timed session types

$$p \;::=\; \mathbf{1} \;\mid\; \mathrm{rec}\,X.\,p \;\mid\; X \;\mid\; \bigoplus_{i \in I} !a_i\{g_i, R_i\}.\,p_i \;\mid\; \sum_{i \in I} ?a_i\{g_i, R_i\}.\,p_i$$

(pairwise disjoint branch labels, guarded recursion variables)
Example: Paypal User Protection Agreement

p  = ?pay {t_pay} . ( ?ok
                     & ?dispute {t_pay < 180, t_d} . p' )                          // open a dispute

p' = ?ok {t_d < 20}
   & ?claim {t_d < 20 ∧ t_pay > 7, t_c} . ?rcpt {t_c < 3, t_c} . !refund {t_c < 7}   // escalate the dispute to a claim
   & ?abort

(full version at co2.unica.it/tst)
Semantics by examples (1)

Clock evaluation: function $\nu$ from clocks to $\mathbb{R}_{\geq 0}$

$(!a + !b\{t<3\},\ \nu_0) \mid (?a \,\&\, ?b\{t<5\},\ \nu_0)$
$\xrightarrow{2.1}\ (!a + !b\{t<3\},\ \nu_0 + 2.1) \mid (?a \,\&\, ?b\{t<5\},\ \nu_0 + 2.1)$
$\xrightarrow{\tau}\ ([!b\{t<3\}]\,\mathbf{1},\ \nu_0 + 2.1) \mid (?a \,\&\, ?b\{t<5\},\ \nu_0 + 2.1)$
$\xrightarrow{\tau}\ (\mathbf{1},\ \nu_0 + 2.1) \mid (\mathbf{1},\ \nu_0 + 2.1)$

1st τ-step possible because: $\nu_0 + 2.1 \in [\![ t < 3 ]\!]$
2nd τ-step possible because: $\nu_0 + 2.1 \in [\![ t < 5 ]\!]$
Semantics by examples (2)

Passing of time cannot exclude all the internal choices:
$(!a\{t<2\} + !b\{t<3\},\ \nu_0) \mid \cdots \ \not\xrightarrow{3.5}$

...but it can exclude all the external ones:
$(!a + !b,\ \nu_0) \mid (?a\{t<2\} \,\&\, ?b\{t<3\},\ \nu_0)$
$\xrightarrow{3.5}\ (!a + !b,\ \nu_0 + 3.5) \mid (?a\{t<2\} \,\&\, ?b\{t<3\},\ \nu_0 + 3.5)\ \not\xrightarrow{\tau}$
deadlock
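As an added example (not from the slides or the co2.unica.it tool): a small Python model of the configuration semantics on the two slides above, for finite TSTs with a single clock t and no resets. It assumes, as the slides say, that the sender picks action and time together, so a committed output [!a] p no longer delays; the names TST, delay, commit, sync and deadlocked are my own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TST:
    kind: str             # "!" internal choice (+), "?" external choice (&), "1" success
    branches: tuple = ()  # ((label, guard, continuation), ...); a guard is a predicate on ν
    committed: str = ""   # "[!b] p": label the sender has already committed to

ONE = TST("1")            # the success state 1
always = lambda t: True   # absent guard
def enabled(p, nu):
    """Labels whose guard holds in ν (a committed sender offers only its label)."""
    return {a for a, g, _ in p.branches if g(nu) and a == (p.committed or a)}
def delay(p, q, nu, d):
    """Time step ν -> ν+d: refused if it excludes all internal choices of an uncommitted
    sender; excluding all external choices is allowed (slide 2)."""
    for r in (p, q):
        if r.kind == "!" and r.branches and not enabled(r, nu + d):
            return None
    return p, q, nu + d
def commit(p, nu, a):
    """Sender τ-step (!a + !b{g}, ν) -> ([!b{g}] 1, ν), possible iff ν ∈ ⟦g⟧."""
    assert p.kind == "!" and a in enabled(p, nu), "guard of !%s not satisfied" % a
    return TST("!", p.branches, committed=a)
def sync(p, q, nu):
    """Pair τ-step: the committed output meets the matching input whose guard holds in ν."""
    a, cont = p.committed, lambda r: next(c for l, _, c in r.branches if l == a)
    if a and q.kind == "?" and a in enabled(q, nu):
        return cont(p), cont(q), nu   # both move to their continuations (no resets here)
    return None
def deadlocked(p, q, nu):
    """Not succeeded, and no label is enabled on both sides. With upper-bound guards
    (t < c) a disabled input stays disabled, so waiting cannot help."""
    sender, receiver = (p, q) if p.kind == "!" else (q, p)
    return not (p.kind == q.kind == "1") and not (enabled(sender, nu) & enabled(receiver, nu))
def run_slide1():   # (!a + !b{t<3}, ν0) | (?a & ?b{t<5}, ν0), ν0 = 0: delay 2.1, two τ-steps
    p = TST("!", (("a", always, ONE), ("b", lambda t: t < 3, ONE)))
    q = TST("?", (("a", always, ONE), ("b", lambda t: t < 5, ONE)))
    p, q, nu = delay(p, q, 0.0, 2.1)
    p = commit(p, nu, "b")        # ([!b{t<3}] 1, ν0 + 2.1), since 2.1 ∈ ⟦t < 3⟧
    return sync(p, q, nu)         # (1, ν0 + 2.1) | (1, ν0 + 2.1), since 2.1 ∈ ⟦t < 5⟧
def run_slide2():   # left: the 3.5 delay is refused; right: allowed, then no τ-step: deadlock
    p1 = TST("!", (("a", lambda t: t < 2, ONE), ("b", lambda t: t < 3, ONE)))
    refused = delay(p1, ONE, 0.0, 3.5) is None
    p2 = TST("!", (("a", always, ONE), ("b", always, ONE)))
    q2 = TST("?", (("a", lambda t: t < 2, ONE), ("b", lambda t: t < 3, ONE)))
    p2, q2, nu = delay(p2, q2, 0.0, 3.5)
    return refused, deadlocked(p2, q2, nu)
```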
Compliance by examples

1. !a + !b {t ≤ 3}  ⋈̸  ?a & ?b {t < 2}
2. ?a {t < 5} . !b {t < 3}  ⋈  !a {t < 2} . ?b {t < 3}
3. ?a {t < 5} . !b {t < 3}  ⋈̸  !a {t < 5} . ?b {t < 3}
4. rec X. !a + !b {x ≤ 1} . ?c. X  ⋈  ?a & ?b {y ≤ 1} . !c {y > 1} . ?a
On semantic preservation

p ⋈ q  ⟹  untime p ⋈ untime q  ??

p = !a {t < 5} + !b {t < 0}  ⋈  q = ?a {t < 7}
untime p = !a + !b  ⋈̸  untime q = ?a

(the guard t < 0 is never satisfiable, so the timed p can only choose !a; erasing the guards turns !b into a real choice that q cannot receive)
On compliance

The state space of TSTs is infinite, but...

Theorem: compliance is decidable
Idea:
  1. reduce compliance in TSTs to deadlock freedom in TAs (timed automata)
  2. model-check deadlock freedom in Uppaal

Tool: co2.unica.it/tst
Session types for MOMs
On the existence of duals

Is it possible to accept this?
q = !zip {y < 10} . (?weather {y < 7} & ?abort {y < 5})

NO: q does not admit a compliant!
(q may send zip at a time y ∈ [7, 10), after which neither ?weather nor ?abort can ever be received, whatever the partner does)

Less trivial example: p = rec X. ?a {x ≤ 1 ∧ y ≤ 1} . !a {x ≤ 1, {x}} . X
A kind system for TSTs

Kind system: ⊢ p : K implies p admits a compliant in all ν ∈ K

p = !a {x ≤ 2} + !b {x ≤ 1} . ?a {x ≤ 0}
We have: ⊢ p : ⟦(x > 1) ∧ (x ≤ 2)⟧

Theorem: For all closed p, there exists some K such that ⊢ p : K
Theorem: Kind inference is decidable.
Dual of a TST

For all kindable p, we define the dual of p as:

$$\mathrm{co}\Big(\sum_{i \in I} ?a_i\{g_i, T_i\}.\,p_i\Big) \;=\; \bigoplus_{i \in I} !a_i\{\,g_i \wedge K_i[T_i]^{-1},\ T_i\,\}.\,\mathrm{co}(p_i)$$

if ⊢ p_i : K_i for all i ∈ I (other cases homomorphic)

Example:
  q = ?a {x ≤ 2} . ?b {x ≤ 1}
  co(q) = !a {x ≤ 1} . !b {x ≤ 1}
Properties of the dual

Soundness: If ⊢ p : K and ν ∈ K, then (p, ν) ⋈ (co(p), ν)
Completeness: If ⊢ p : K and ∃q, η. (p, ν) ⋈ (q, η), then ν ∈ K
(co-)Transitivity: If p ⋈ p' and co(p') ⋈ q, then p ⋈ q
Decidability: it is decidable whether p admits a compliant
Subtyping

Let $p^{\bowtie} = \{\, q \mid p \bowtie q \,\}$. Subtyping relation:
  $p' \sqsubseteq p$ whenever $p'^{\bowtie} \supseteq p^{\bowtie}$

Theorem: q ⋈ p  ⟹  q ⊑ co(p)
Theorem: If q admits a compliant, then:  p ⊑ q  ⟺  p ⋈ co(q)

This implies decidability of subtyping!
Conclusions

- Timed extension of binary (synchronous) session types
  - Internal choices: !a {t < 7, {t}} + !b {5 < t < 10}
  - External choice: ?a {t < 10} & ?b {7 < t < 10}
- Decidable notions for:
  - compliance
  - dual construction
  - subtyping
- Runtime monitoring of send() and receive()
- Tools + MOM: co2.unica.it/tst
Thanks!