A Decentralized Analysis of Multiparty Protocols
aa r X i v : . [ c s . P L ] J a n A Decentralized Analysis of Multiparty Protocols
Bas van den Heuvel and Jorge A. Pérez
University of Groningen, The Netherlands
January 28, 2021
Abstract
Protocols provide the unifying glue in concurrent and distributed software today; verifying thatmessage-passing programs conform to such governing protocols is important but difficult. Staticapproaches based on multiparty session types (MPST) use protocols as types to avoid protocolviolations and deadlocks in programs. An elusive problem for MPST is to ensure both protocolconformance and deadlock freedom for implementations with interleaved and delegated protocols.We address this relevant problem by proposing a decentralized analysis of multiparty session protocolsfor asynchronous processes with recursion. Our solution rests upon APCP, a new type system thatensures protocol conformance and deadlock freedom with respect to binary protocols. Our analysisenables the sound and complete transfer of correctness from APCP to multiparty session protocols.
This paper presents a new approach to the analysis of the protocols that pervade concurrent and dis-tributed software. Such protocols provide an essential unifying glue between communicating programs;ensuring that communicating programs implement protocols correctly, avoiding protocol violations anddeadlocks, is an important but difficult problem. Here we study multiparty session types (MPST) [34], anapproach to correctness in message-passing programs that uses governing multiparty protocols as typesin program verification.As a motivating example, let us consider an authorization protocol , adapted from [50]. It involves threeparticipants: a Client, a Server, and an Authorization service. The Server can request the Client either to login or to quit the protocol; in the former case, the Client sends a password to the Authorization service,who may then allow the login with the Server. Each participant is implemented as a distributed processthat communicates asynchronously. Each process must correctly implement its corresponding portion ofthe protocol; these individual guarantees ensure that the interactions between processes conform to theintended protocol.In MPST, correctness follows from protocol fidelity (processes interact as stipulated by the protocol), communication safety (no errors or mismatches in messages), and deadlock freedom (processes neverget stuck waiting for each other). Establishing these properties is a challenging problem; two commonfeatures in interacting processes, delegation and interleaving , further compound it. We motivate thesefeatures in the context of our example:
Delegation, or higher-order channel passing, can effectively express that the Client transparently re-configures its involvement by asking a Password manager to act on its behalf;
Interleaving arises when a single process implements more than one role, as in, e.g., a single imple-mentation that impersonates both the Server and the Authorization service.Note that in contrast to delegation, which is explicitly specified in protocols, interleaving is not part ofprotocol specifications; it allows a degree of freedom in implementing a protocol as interacting processes.MPST specify multiparty protocols using global types . In our example, we can use the following globaltype between Client (‘ c ’), Server (‘ s ’), and Authorization service (‘ a ’): G auth = µX.s ։ c (cid:26) login .c ։ a (cid:8) passwd h str i .a ։ s { auth h bool i .X } (cid:9) , quit .c ։ a { quit . end } (cid:27) (1)1e explain how the global type in (1) specifies the authorization protocol. After declaring a recursionon the variable X (‘ µX ’), the protocol G auth stipulates that s sends to c (‘ s ։ c ’) a label login or quit .The rest of the protocol depends on this choice by s . In the login -branch, c sends to a a label passwd along with a str ing value (‘ h str i ’) and a sends to s a label auth and a bool ean value, after which theprotocol loops to the beginning of the recursion (‘ X ’). In the quit -branch, c sends to a a label quit afterwhich the protocol ends (‘ end ’).MPST have been widely studied from foundational and applied angles; see, e.g. [7, 19, 35, 49, 5,6, 50, 20, 38, 43]. The original theory in [33] defines a behavioral type system [36, 3] for a π -calculus,which exploits linearity to ensure protocol fidelity and communication safety; most derived works retainthis approach and target the same properties. The combination of deadlock freedom, delegation, andinterleaving is hard to ensure by typing. Without interleaving and/or delegation, deadlock freedom is easy(it concerns a single-threaded protocol). In contrast, deadlock freedom for processes running multipleprotocols (possibly delegated) is a much harder problem, addressed only by some works [7, 46, 22]. To ourknowledge, the only analyses of global types that support deadlock freedom, delegation, and interleavingare [12, 17]. However, they have serious drawbacks: they are centralized (based on a coordinator process),do not support recursive protocols, and assume synchronous communication. Our Contributions
We develop a new analysis of multiparty session protocols, which enforcesprotocol fidelity, communication safety, and deadlock freedom while uniformly supporting delegation,interleaving, and asynchrony. Here ‘analysis’ refers to (i) ways of specifying multiparty protocols asinteracting processes and (ii) techniques to verify that those processes satisfy the intended correctnessproperties. To this end, rather than reasoning about multiparty protocols directly using a complex typesystem, we rely on a simple type system based on binary protocols. We present two main contributions:
APCP, a new type system for an asynchronous π -calculus that ensures deadlock-freedom for processnetworks that implement cyclic communication topologies. A decentralized analysis of multiparty protocols, whereby a global type is considered as a network of routed implementations , one per participant. Each routed implementation is an APCP process inwhich the protocol implementation is coupled with a router that uses the given global type to guidethe interaction with the other participants. The router captures the structure of communicationsbetween a single participant and the rest; the multiparty protocol is realized by the compositionof routed implementations.Unlike prior works [12, 17], our analysis is decentralized: it does not rely on a centralized processnetwork; it resorts to APCP’s type system to guarantee the intended properties (protocol fidelity, com-munication safety, deadlock freedom) for the network of routed implementations. That is, our analysisrealizes the principled transfer of these key properties from APCP to multiparty protocols. First, be-cause all well-typed APCP processes are deadlock free, the composition of routed implementations willbe deadlock free as well (Theorem 33). Second, we show that the network of routed implementationsbehaves as prescribed by the given global type, thus entailing protocol fidelity and communication safety(Theorem 37).
We describe our two contributions by discussing the design choices involved in each case. These choicesare guided by our aim of developing a decentralized analysis of expressive multiparty protocols, with fullsupport for delegation, interleaving, and asynchrony.
APCP stands for
Asynchronous Priority-based Classical Processes (Asynchronous PCP). It encompassesa π -calculus with asynchronous communication, together with a type system for processes that endowseach channel with a type that specifies its intended sequence of communications—its protocol, defining aform of binary session type [32]. APCP extends and simplifies Dardha and Gay’s PCP [23]; we motivateits distinguishing features: 2 A A A A A P P P P P P Figure 1: Cyclic schedulerwith n = 6 (cf. § 1.1.1). R c R s R a P c P s P a Figure 2: Process networkfor G auth (1), with all rolesimplemented independently. R c R s R a P c P a + s Figure 3: Process networkfor G auth (1), with roles a and s interleaved in P a + s . Asynchronous communication
While PCP considers synchronous communication, APCP considersnon-blocking output actions based on continuation channels, as formalized by DeYoung et al. [26].This is well-aligned with realistic models of MPST which, as mentioned above, rely on asynchronousinteractions between distributed participants.
Deadlock freedom by typing
As in PCP [23], the type system for APCP ensures that well-typedprocesses implement the prescribed protocols in a deadlock free manner. Following the approachdeveloped by Kobayashi [41], types for channels come with priority annotations, which providean effective method of statically preventing circular dependencies. We show that asynchronouscommunication in APCP greatly simplifies priority checks.
Flexible composition
Decentralized models of MPST inherently lead to process networks with cyclicstructures. Thanks to deadlock freedom by typing, well-typed APCP processes can be composed inflexible forms, thus enabling the modelling of global types without the central coordinating agentsthat break decentralized analyses.
Recursion
While PCP lacks recursion, APCP includes recursion in both processes and types for chan-nels. This results in increased expressivity, as illustrated next.
Milner’s Cyclic Scheduler
Following [23], we discuss Milner’s cyclic scheduler [44]. This exampleis interesting because it features the kind of cyclic process networks that underpin our decentralizedanalysis of global types. Our specification in APCP uses asynchronous communication; also, as inMilner’s description, it uses recursive processes (not present in [23]). Next we discuss this specificationinformally; see § 2 (Example 15) for details.Suppose n > agents that repeatedly perform some task when triggered and acknowledge whenfinished. We specify a scheduler that concurrently lets each agent perform their task, starting over onlyonce every agent is finished. Following [44, 23], this is a distributed scheduler: for < i ≤ n , each agent P i gets a partial scheduler A i , and the schedulers are connected in a cyclic ring structure. This way, e.g.,when n = 6 the resulting network will be as in Figure 1, where lines denote connecting channels. Each A i uses three channels: one to communicate with P i and another two to communicate with its left andright neighbor. A triggers each round: it repeatedly (1) signals A to start, (2) signals P to perform its task andwait for acknowledgement, (3) signals A it is finished, (4) awaits A n ’s signal to start, and (5) awaits A n ’s termination signal. Asynchrony is of the essence: waiting for A n ’s signal to start after performingthe task does not prevent A n from performing its task, because A n ’s signal is non-blocking. In APCP,process A is specified as follows: A = ( µX ( a , c n , d ) .d [ u ] · a [ v ] · a ( w ) .d [ x ] · c n ( y ) .c n ( z ) .X h a , c n , d i ) h a , c n , d i Above, c n and d are the channel with the left and right neighbor, respectively, and a is the channel with P . Process c n ( z ) .P denotes an input along c n that blocks P ’s execution ( z is a placeholder); process d [ u ] · Q denotes the asynchronous output of u along d that does not block Q . In APCP, recursion isparameterized: given sequences of channels ˜ x and ˜ y , we write ( µX (˜ x ) .P ) h ˜ y i to define a recursive processwith body P , and X h ˜ x i is a recursion call. This way, a , c n , and d are the three parameters for therecursion in process A . 3or < i < n , schedulers A i +1 are defined accordingly: they repeatedly (1) await A i ’s signal to start,(2) signal A (( i +1 mod n )+1) to start, (3) signal P i +1 to perform its task and wait for acknowledgement,(4) await A i ’s signal, and (5) signal A (( i +1 mod n )+1) it is finished.In Example 15 we show that the process network consisting of the composition of all A , P , . . . , A n , P n is typable, and therefore deadlock free. In our priority-based type system, this means that the types ofall a i , c i , d i can be assigned appropriate priorities to statically ensure that the cyclic ring of schedulersconnected to their worker processes exhibits no cyclic dependencies. Every scheduler A i +1 has to waitfor a finish-signal from its left neighbor in order to send a finish-signal to its right neighbor. Interestingly,in the asynchronous setting of APCP, A does not wait for a finish-signal from A n in order to send afinish-signal to A , thus enabling all A i +1 to send a finish-signal when necessary. This way, eventuallythe finish-signal from A n will reach A , who can then initiate a new round of computation. We leverage the expressiveness and deadlock freedom by typing of APCP to analyze multiparty protocolsspecified as global types. This contribution involves several innovations:
Relative Types that describe the global type as pertaining to two specific participants, i.e., the protocolfor dedicated channels between them.
Dependencies that make explicit the non-local choices between participants as dictated by the globaltype. These uncovered dependencies are recorded in relative types.
Router Processes (or simply routers) that govern direct interactions between participants as per theglobal type. There is a router per participant, which connects with the routers of all other partic-ipants. Given a global type and a participant, we provide an algorithm that synthesizes its routerconsidering relative types and the dependencies they contain.
Relative Types, Relative Projection, and Dependencies
Our decentralized analysis usesdedicated channels between a participant’s routed implementation and the routed implementations ofevery other protocol participant. To analyze G auth in (1), we use three channels (six endpoints) connecting a , c , and s directly to each other (Figure 2). Relative types describe the protocols for these channels: theycan be understood as “semi-global types”—the portion of the global type that defines the interactionsbetween two specific participants.We obtain relative types using relative projection . A central design choice concerns non-local choices ,i.e., choices between two participants that influence the ensuing interactions for other participants. Forinstance, in G auth , the initial exchange between s and c is a non-local choice that influences a : indeed, theprotocol between c and a in the login -branch is different from that in the quit -branch. A trivial approachto non-local choices is simply to disallow them altogether. In our view, this would be an overly drasticstance, that would significantly limit the class of supported protocols. Consequently, we opt to allowsome forms of non-local choice by making them explicit in the relative type produced by projection. Notethat this decision does not change the protocol: relative projection merely uncovers non-local choicesalready specified in the global type, and enables them as much as possible.To analyze protocols with non-local choices, we introduce the notion of a dependency between apair of participants. When a projection onto a pair of participants is influenced by a non-local choiceinvolving one of them, a dependency makes this non-local choice explicit in their relative type. Considerthe relative projection of G auth onto c and a . We just discussed how the initial choice between s and c is non-local. Hence, this initial choice is projected in the relative type for c and a as a dependency,indicating that c must forward to a the choice made by s before c and a can interact. This way, ourtechnique makes implicit protocol information explicit: dependencies in relative types indicate messagesthat must be added to enable protocol analysis. Our rationale behind projection can be seen as relatedto known approaches that add messages to realize otherwise unrealizable protocols (cf. [48]). Routers Enable Delegation and Interleaving
As already mentioned, our analysis is basedon routed implementations, one per participant, each consisting of a router coupled with a processimplementation for the participant. The router forwards values and choices between the implementationand the rest of the process network, while conforming to the message causality specified by the global4ype. This setup enables us to interleave the roles of multiple participants in one process, and to delegate a participant’s role to another participant.Consider again G auth in (1). Since there are three participants ( c , s , and a ), any decentralized processnetwork in our analysis will include three routers (denoted R c , R s , and R a , respectively) connected toeach other. Now, a router alone does not implement a participant’s protocol; it needs to be connectedto some implementation.There are multiple designs/topologies for process networks of routed implementations. Figure 2 showsa decentralized network, similar to that in Figure 1 for the cyclic scheduler, with separate implementationsfor each participant, denoted P c , P s , and P a . Here R s and P s together define the routed implementationfor the Server (and similarly for c and a ). This way, the three routed implementations in this networkdo not require a coordinator process.Figure 3 shows an alternative network, featuring interleaving: there are two processes: P c (whichimplements the Client) and P a + s (which implements both the Authorization service and the Server). Asthe network in Figure 2, this process network is decentralized: P a + s is composed with R a and R s andwill interact with P c (via R c ) in a deadlock free manner.We synthesize a router for each participant: this allows us to analyze protocols at an appropriatelevel of abstraction, while preserving the intended causality between messages. Our routed implementa-tions couple together synthesized routers with well-typed implementations, thus striking a good balancebetween flexibility and correctness. Routed implementations are organized into networks (Definition 32),which do not impose on participants a specific topology for realizing the global type. As we will see,both Figure 2 and Figure 3 define different yet valid networks for G auth . • Section 2 introduces APCP, illustrates its expressiveness, and establishes the properties derivedfrom typing: subject reduction (Theorem 8) and deadlock freedom (Theorem 13).• Section 3 recalls global types, introduces relative types and relative projection, and defines well-formed global types, a class that includes protocols with non-local choices.• Section 4 introduces the synthesis of routers, and establishes their typability in APCP (Theo-rem 31). We establish deadlock freedom for networks of routed implementations (Theorem 33),which we transfer to multiparty protocols via an operational correspondence (Theorem 37). More-over, we assert that our approach strictly generalizes prior analyses based on centralized orches-tration [12] (Theorem 38).• Section 5 demonstrates the flexible support for delegation and interleaving enabled by our router-based approach and APCP, using an example by Toninho and Yoshida [52].We additionally discuss related works in § 6 and conclude the paper in § 7. The appendices contain extramaterial: a full analysis of G auth (App. A) with a deadlock free implementation (Prop. 39), an extraexample of interleaving (App. B), full proofs for § 2 (App. D), an omitted definition for § 4 (App. C), fullanalysis of mediums (App. E), and an informal comparison between relative and the usual merge-basedlocal projection (App. F). We use colors to improve readability. APCP defines a linear type system for asynchronous π -calculus processes, in which channels are as-signed types that specify two-party protocols, as in binary session types. APCP can thus be seen as asession-typed π -calculus with asynchronous communication (non-blocking outputs), recursion, and cyclicconnections (via flexible process composition).APCP is based on Dardha and Gay’s PCP [23], adapting the asynchronous communication semanticsby DeYoung et al. [26]. Recursion—not present in [23, 26]—is an orthogonal feature, syntacticallyinspired by Toninho et al. [51].Following [23], in APCP types include priority annotations. Priorities rule out circular dependenciesbetween sessions, enabling APCP’s support for cyclic connections. Asynchrony leads to improvementsover [23]. Because in APCP output actions are non-blocking, priorities need only be checked on input5ctions. In contrast, as PCP is synchronous, it requires checks on both inputs and outputs. The mainproperties derived from typing are subject reduction (type preservation, Theorem 8) and deadlock freedom (Theorem 13). These properties will be central to the analysis of multiparty protocols to be developedin § 4. The Process Language
We consider an asynchronous π -calculus [31, 9]. We write x, y, z, . . . to denote channels (or, names ), and write ˜ x, ˜ y, ˜ z, . . . to denote sequences of channels. Also, we write i, j, k, . . . todenote labels for choices and I, J, K, . . . to denote sets of labels. We write
X, Y, . . . to denote recursionvariables , and use
P, Q, . . . to denote processes. The syntax of processes follows:
P, Q ::= x [ y, z ] output | x ( y, z ) .P input | x [ z ] ⊳ i selection | x ( z ) ⊲ { i : P i } i ∈ I branching | ( ν xy ) P restriction | ( P | Q ) parallel | inaction | x A y forwarder | ( µX (˜ x ) .P ) h ˜ y i define recursion | X h ˜ x i call recursionThe output action x [ y, z ] sends a message y and a continuation channel z along x . The input prefix x ( y, z ) .P blocks until a message y and a continuation channel z are received on x , binding y and z in P .The selection action x [ z ] ⊳ ℓ sends a label ℓ and a continuation channel z along x . The branching prefix x ( z ) ⊲ { i : P i } i ∈ I blocks until it receives a label i ∈ I and a continuation channel z on x , binding z in P i .Restriction ( ν xy ) P binds x and y in P , thus declaring them as the two endpoints of the same channeland enabling communication. The process ( P | Q ) denotes the parallel composition of P and Q . Theprocess denotes inaction. The forwarder construct x A y is a primitive copycat process that linkstogether x and y ; for technical reasons, it is annotated with the type A of y . Recursion is defined with ( µX (˜ x ) .P ) h ˜ y i , binding occurrences of X and names ˜ x in P : it takes channels ˜ x to form a context for P ,initially provided by the channels ˜ y . The construct X h ˜ x i is used to call a recursion (i.e. to loop to thedefinition µX ), providing the channels ˜ x as context.Unlike [23], our syntax does not include the empty input and output prefixes that explicitly denotethe closure of a channel; this helps us simplify the type system. Note that [23, 26] include an operatorfor replicated servers, denoted ! x ( y ) .P , not needed for our purposes: we adopt recursion to analyze the(standard) syntax of multiparty protocols in Definition 16.Channels that are not bound by input, branching, restriction, or recursion definitions are free . Sim-ilarly, recursion variables not bound by recursion definition are free. We write fn( P ) and frv( P ) forthe sets of free names and free recursion variables of P , respectively. A process P with fn( P ) = ∅ is closed . Also, we write P { x/y } to denote the capture-avoiding substitution of the free occurrences of y in P with x . We write P { Q/X h ˜ x i} to denote the substitution of occurrences of recursion calls X h ˜ x i in P with Q , substituting the free names of Q with the names in ˜ x . We write sequences of substitutions P { x /y } . . . { x n /y n } as P { x /y ,...,x n /y n } .In x [ y, z ] , both y and z are free; they can be bound to a continuation process using parallel compositionand restriction, as in ( ν ya )( ν zb )( x [ a, b ] | P ) . The same applies to x [ z ] ⊳ ℓ . We introduce useful notationsthat elide the restrictions and continuation channels: Notation (Derivable Actions and Prefixes) . We use the following syntactic sugar: x [ y ] · P := ( ν ya )( ν zb )( x [ a, b ] | P { z/x } ) x ( y ) .P := x ( y, z ) .P { z/x } x ⊳ ℓ · P := ( ν zb )( x [ b ] ⊳ ℓ | P { z/x } ) x ⊲ { i : P i } i ∈ I := x ( z ) ⊲ { i : P i { z/x } } i ∈ I y We use ‘ · ’ instead of ‘ . ’ in output and selection actions to stress that they are not blocking. Thesenotations will be fully justified by typing; see Proposition 7. Operational semantics
We define a reduction relation on processes ( P −→ Q ) that formalizesthe computational steps that a process performs on its own. As usual in the π -calculus, reduction relieson structural congruence ( P ≡ Q ), a syntactical equivalence on processes: Definition 1 (Structural Congruence) . Structural congruence is the smallest congruence relation satis-fying | P ≡ P P | Q ≡ Q | P P | ( Q | R ) ≡ ( P | Q ) | R x A y ≡ y A ⊥ x ( ν xy ) P ≡ ( ν yx ) P ( ν xy )( ν zw ) P ≡ ( ν zw )( ν xy ) P ( ν xy ) x A y ≡ ( ν xy )( P | Q ) ≡ P | ( ν xy ) Q [if x, y / ∈ fn( P ) ] ( µX (˜ x ) .P ) h ˜ y i ≡ P { ˜ y/ ˜ x }{ ( µX (˜ x ) .P ) h ˜ z i /X h ˜ z i} y A ⊥ denotes the dual oftype A (cf. Definition 6). The axiom for recursion unfolds a recursion by replacing any occurrences ofthe recursion variable by copies of the entire recursion (cf. [47]).Reduction includes commuting conversions , which allow to pull prefixes on free channels out ofrestrictions; they are not necessary for deadlock freedom. Definition 2 (Reduction) . The reduction relation P −→ Q is defined by the following synchronizationrules and commuting conversions: β Id ( ν yz )( x A y | P ) −→ P { x/z } ( z, y = x ) β ⊗ & ( ν xy )( x [ a, b ] | y ( v, z ) .P ) −→ P { a/v,b/z } β ⊕ & ( ν xy )( x [ b ] ⊳ j | y ( z ) ⊲ { i : P i } i ∈ I ) −→ P j { b/z } (for every j ∈ I ) κ & ( ν ˜ v ˜ w )( x ( y, z ) .P | Q ) −→ x ( y, z ) . ( ν ˜ v ˜ w )( P | Q ) ( x / ∈ ˜ v, ˜ w ) κ & ( ν ˜ v ˜ w )( x ( z ) ⊲ { i : P i } i ∈ I | Q ) −→ x ( z ) ⊲ { i : ( ν ˜ v ˜ w )( P i | Q ) } i ∈ I ( x / ∈ ˜ v, ˜ w )Reduction is closed under the following rules: → ≡ : ( P ≡ P ′ ) ∧ ( P ′ −→ Q ′ ) ∧ ( Q ′ ≡ Q ) P −→ Q → ν : P −→ Q ( ν xy ) P −→ ( ν xy ) Q → | : P −→ QP | R −→ Q | R We write −→ β for β -reductions, and −→ ∗ for the reflexive, transitive closure of −→ . y Rule β Id implements the forwarder as a substitution. Rule β ⊗ & synchronizes an output and an inputon connected endpoints and substitutes the message and continuation channel. Rule β ⊕ & synchronizesa selection and a branch: the sent label determines what process to continue with, substituting thecontinuation channel appropriately. Rule κ & (resp. κ & ) pulls an input prefix (resp. a branching) onfree channels out of an enclosing restriction. Rules → ≡ , → ν , and → | close reduction under structuralcongruence, restriction, and parallel composition, respectively. Notice how output and selection actionssend free names. This is different from [23, 26], where, following an internal mobility discipline [8],communication involves bound names only. This kind of bound output is derivable. Binary Session Types for Asynchronous Processes
Our type system for APCP assigns sessiontypes to the channel endpoints of processes. Following, e.g., [53, 13, 23], we present them as linear logicpropositions, extended with recursion and priority annotations on connectives, denoted o , κ, . . . . Wewrite ω to denote a priority that obeys (i) ω > t and (ii) ω + t = ω for every t ∈ N . Definition 3 (Session Types) . Session types
A, B are defined as follows, where o ∈ N ∪ { ω } : A, B ::= A ⊗ o B | A & o B | ⊕ o { i : A i } i ∈ I | & o { i : A i } i ∈ I | • | µX.A | X y The type A ⊗ o B (resp. A & o B ) is assigned to a channel that first outputs (resp. inputs) a channel oftype A and subsequently behaves according to B . The type & o { i : A i } i ∈ I is assigned to a channel thatoffers a choice: after receiving a label i ∈ I , the channel behaves according to A i . The type ⊕ o { i : A i } i ∈ I is assigned to a channel that selects a label i ∈ I and subsequently behaves according to A i . The type • is assigned to a closed channel. Because closed channels never block other channels, it does not requirea priority. We define • as a single type for closed channels, following [11]; notice that the units ⊥ and in linear logic (used in [14, 23] for session closing) are interchangeable in the absence of explicit closing.Type µX.A denotes a recursive type, in which A may contain occurrences of the recursion variable X . As customary, µ is a binder: it induces the standard notions of α -equivalence, substitution (denoted { A/X } ), and free recursion variables (denoted frv( A ) for a type A ). We work with tail-recursive types thatare contractive (i.e. we disallow types of the form µX.X ). We adopt an equi-recursive view: a recursivetype is equal to its unfolding. To define equi-recursive types precisely, we require some additionaldefinitions. Notice that contractiveness has a slightly different meaning for processes: non-contractiveprocesses are allowed as long as their types are contractive as in, e.g., (cid:0) µX ( x ) . (( ν zz ′ )(( ν yy ′ ) x [ y, z ] | X h z ′ i )) (cid:1) h x i is allowed because the type of x is contractive: µX. • ⊗ o X .The priority of a type is determined by the priority of the type’s outermost connective.7 efinition 4 (Priorities) . For session type A , pr ( A ) denotes its priority : pr ( • ) := ω pr ( A ⊗ o B ) := o pr ( ⊕ o { i : A i } i ∈ I ) := o pr ( µX.A ) := pr ( A ) pr ( A & o B ) := o pr (& o { i : A i } i ∈ I ) := o pr ( X ) := ω y The priority of • and X is ω for they denote the “last” non-blocking actions in a protocol. Although ⊗ and ⊕ also denote non-blocking actions, their priority is not constant: duality (cf. Def. 6) will ensurethat the priority for ⊗ (resp. ⊕ ) matches the priority of a corresponding & (resp. & ), which does denotea blocking action.Intuitively, actions typed with lower priority should be performed before those with higher priority.Based on this rationale, we observe that unfolding should increase the priorities of the unfolded type.This is because the actions related to the unfolded recursion should be performed after the prefix. Thefollowing definition lifts priorities in types: Definition 5 (Lift) . For proposition A and t ∈ N , we define ↑ t A as the lift operation: ↑ t • := • ↑ t ( µX.A ) := µX. ↑ t ( A ) ↑ t ( X ) := X ↑ t ( A ⊗ o B ) := ( ↑ t A ) ⊗ o + t ( ↑ t B ) ↑ t ( ⊕ o { i : A i } i ∈ I ) := ⊕ o + t { i : ↑ t A i } i ∈ I ↑ t ( A & o B ) := ( ↑ t A ) & o + t ( ↑ t B ) ↑ t (& o { i : A i } i ∈ I ) := & o + t { i : ↑ t A i } i ∈ I We write ↑ t Γ to denote the component-wise extension of lift to typing contexts. y In APCP, the recursive type µX.A and A {↑ t µX.A/X } denote the same type, for any t ∈ N . Duality of session types ensures that the two endpoints of a channel have matching actions. Wefurther require dual types to have matching priority annotations. The following inductive definition,informed by the notion of duality for linear logic propositions, suffices for our purposes, for we considertail-recursive types (cf. [29]):
Definition 6 (Duality) . The duality relation on session types is defined as: ( • ) ⊥ = • ( A ⊗ o B ) ⊥ = A ⊥ & o B ⊥ ( ⊕ o { i : A i } i ∈ I ) ⊥ = & o { i : A i ⊥ } i ∈ I ( A & o B ) ⊥ = A ⊥ ⊗ o B ⊥ (& o { i : A i } i ∈ I ) ⊥ = ⊕ o { i : A i ⊥ } i ∈ I ( µX.A ) ⊥ = µX.A ⊥ X ⊥ = X y Typing rules
As in [23], typing rules ensure that actions with lower priority are performed beforethose with higher priority. To this end, they enforce the following laws:1. an action with priority o must be prefixed only by inputs and branches with priority strictly smallerthan o (output and selection are exempted, because they are not prefixes);2. the dual actions leading to a synchronization must have equal priorities (cf. Def. 6).Judgments are of the form P ⊢ Ω; Γ , where P is a process, Γ is a context that assigns types to channels(‘ x : A ’), and Ω is a context that assigns natural numbers to recursion variables (‘ X : n ’). Both contexts Γ and Ω obey exchange , which allows type assignments to be silently reordered. Γ is linear : weakening (assignments need not be used) and contraction (assignments may be duplicated) are not allowed. For Ω , weakening is allowed. An empty context is written ∅ . We write pr (Γ) to denote the lowest priority ofall types in Γ . Notation ( x i : A i ) I stands for Γ when its assignments are indexed by I .Figure 4 (top) gives the typing rules. Axiom Empty types an inactive process with no channels. Rule • silently adds a closed channel to the typing context. Axiom Id types forwarding between channels ofdual type. Rule Mix types the parallel composition of two processes that do not share assignmentson the same channels. Rule
Cycle removes two channels of dual type from the context by adding arestriction on them. Notice how the combination of
Mix and
Cycle coincides with the usual
Cut -rulein type systems based on linear logic [14, 53]. Axiom ⊗ types an output action; this rule does not havepremises to provide a continuation process, requiring the free channels to be bound to a continuationprocess using Mix and
Cycle . Similarly, axiom ⊕ types a selection action. In APCP, priority checksare confined to Rules & and & . The former types an input prefix, with a priority lower than those in8 mpty ⊢ Ω; ∅ P ⊢ Ω; Γ • P ⊢ Ω; Γ , x : • Id x A y ⊢ Ω; x : A ⊥ , y : AP ⊢ Ω; Γ Q ⊢ Ω; ∆
Mix P | Q ⊢ Ω; Γ , ∆ P ⊢ Ω; Γ , x : A, y : A ⊥ Cycle ( ν xy ) P ⊢ Ω; Γ ⊗ x [ y, z ] ⊢ Ω; x : A ⊗ o B, y : A ⊥ , z : B ⊥ j ∈ I ⊕ x [ z ] ⊳ j ⊢ Ω; x : ⊕ o { i : A i } i ∈ I , z : A j ⊥ P ⊢ Ω; Γ , y : A, z : B o < pr (Γ) & x ( y, z ) .P ⊢ Ω; Γ , x : A & o B ∀ i ∈ I. P i ⊢ Ω; Γ , z : A i o < pr (Γ) & x ( z ) ⊲ { i : P i } i ∈ I ⊢ Ω; Γ , x :& o { i : A i } i ∈ I P ⊢ Ω , X : | I | ; ( x i : A i ) I ∀ i ∈ I. A i = X Rec ( µX (( x i ) I ) .P ) h ( y i ) I i ⊢ Ω; ( y i : µX.A i ) I Var X h ( x i ) I i ⊢ Ω , X : | I | ; ( x i : X ) I ...................................................................................................................................................... ⊗ ⋆ : P ⊢ Ω; Γ , y : A, x : Bx [ y ] · P ⊢ Ω; Γ , x : A ⊗ o B ⊕ ⋆ : P ⊢ Ω; Γ , x : A j j ∈ Ix ⊳ j · P ⊢ Ω; Γ , x : ⊕ o { i : A i } i ∈ I Lift : P ⊢ Ω; Γ t ∈ N P ⊢ Ω; ↑ t Γ Figure 4: The typing rules of APCP (top) and admissible rules (bottom).the continuation’s typing context; the latter types a branching prefix, again with a priority lower thanthose in the typing contexts of all branches.Rule
Rec types a recursion definition by eliminating a recursion variable from the recursion contextwhose value concurs with the size of the typing context, as long as the eliminated recursion variableonly appears guarded in all the typing context’s types. Axiom
Var types a recursion call by adding arecursion variable to the recursion context assigned the amount of introduced channels. The value ofthe introduced and consequently eliminated recursion variable is crucial in ensuring that a recursion iscalled with the same amount of channels as required by its definition. Typing is closed under structuralcongruence.Besides our support for recursion, the main difference between our typing rules and those of [23, 26]is that our rules for output and selection are axioms. Therefore, priority checking for APCP is muchsimpler than in PCP [23]: outputs and selections have no typing context to check priorities against,and • types have no priority at all. Although in [26] output and selection are atomic actions too, theircorresponding rules are similar to the rules in [23]: continuation processes are required as premises,immediately binding the sent channels.In APCP, the composition of an atomic action and a continuation process is derivable and thecorresponding typing rules—given in Figure 4 (bottom), similar to those in [23, 26]—are admissibleusing Mix and
Cycle . Rule
Lift is admissible, too.
Proposition 7.
The rules ⊗ ⋆ , ⊕ ⋆ , and Lift in Figure 4 are admissible. y This result highlights how asynchrony in APCP uncovers a more primitive, lower-level view ofmessage-passing. Consider, e.g., the process x [ y, z ] : we will see that the distinction between the high-level binding of x for communication and the low-level binding of y and z to a continuation process iscritical in the deadlock freedom result of APCP. Type Preservation and Deadlock Freedom
Well-typed processes satisfy protocol fidelity, com-munication safety, and deadlock freedom. The first two properties follow from subject reduction , whichensures that reduction preserves typing. Whereas in [14, 53] subject reduction corresponds to (top-level)elimination of cut, in PCP and APCP, it corresponds to the more general (top-level) elimination of
Cycle . Theorem 8 (Subject Reduction) . If P ⊢ Ω; Γ and P −→ Q , then Q ⊢ Ω; ↑ t Γ for t ∈ N . y Proof (Sketch).
By induction on the reduction −→ , by analyzing the last applied rule (Definition 2).The key cases are the β - and κ -rules; Figure 5 shows two representative instances, omitting the recursioncontext Ω : Rule β ⊗ & (top), a synchronization, and Rule κ & (bottom), a commuting conversion. Notehow, in the case of Rule κ & , the lift ↑ t ensures consistent priority checks.9 x [ a, b ] ⊢ x : A ⊗ o B, a : A ⊥ , b : B ⊥ P ⊢ Γ , v : A ⊥ , z : B ⊥ o < pr (Γ) & y ( v, z ) .P ⊢ Γ , y : A ⊥ & o B ⊥ Mix + Cycle ∗ ( ν xy )( x [ a, b ] | y ( v, z ) .P ) ⊢ Γ , a : A ⊥ , b : B ⊥ −→ P { a/v,b/z } ⊢ Ω; Γ , a : A ⊥ , b : B ⊥ ...................................................................................................................................................... P ⊢ Ω; Γ , Γ ′ , y : A, z : B o < pr (Γ) & x ( y, z ) .P ⊢ Ω; Γ , Γ ′ , x : A & o B Q ⊢ Ω; ∆ , ∆ ′ Mix + Cycle ∗ ( ν ˜ v ˜ w )( x ( y, z ) .P | Q ) ⊢ Ω; Γ , ∆ , x : A & o B −→ P ⊢ Γ , Γ ′ , y : A, z : B Q ⊢ ∆ , ∆ ′ Mix + Cycle ∗ ( ν ˜ v ˜ w )( P | Q ) ⊢ Γ , ∆ , y : A, z : B Lift ( ν ˜ v ˜ w )( P | Q ) ⊢ ↑ o +1 Γ , ↑ o +1 ∆ , y : ↑ o +1 A, z : ↑ o +1 B o < pr ( ↑ o +1 Γ , ↑ o +1 ∆) & x ( y, z ) . ( ν ˜ v ˜ w )( P | Q ) ⊢ ↑ o +1 Γ , ↑ o +1 ∆ , x :( ↑ o +1 A ) & o ( ↑ o +1 B ) Above, the contexts Γ ′ and ∆ ′ together contain ˜ v and ˜ w , i.e. Γ ′ , ∆ ′ = ( v i : C i ) v i ∈ ˜ v , ( w i : C i ⊥ ) w i ∈ ˜ w . Figure 5: Subject Reduction (cf. Theorem 8) in Rule β ⊗ & (top) and Rule κ & (bottom).Our proof of deadlock freedom for APCP follows that for PCP, which involves three steps. First, Cycle -elimination states that all applications of
Cycle in a proof can be removed without affecting theproof’s assumptions and conclusion. But only top-level
Cycle s are relevant: their elimination suffices tocapture the intended process semantics (which does not permit reduction behind prefixes) [53, 23]. Thisleads to the second step, top-level deadlock freedom , which states that a process with a top-level
Cycle reduces until there are no top-level
Cycle s left. Third, deadlock freedom for closed processes follows.Here, we address cycle-elimination and top-level deadlock-freedom in one proof. As mentioned above,in APCP, binding asynchronous output and selection actions to continuations involves additional, low-level uses of
Cycle , which cannot be eliminated through process reduction. Therefore, we establishtop-level deadlock freedom for live processes (Theorem 12). A process is live if it is structurally congruentto a restriction on the active names that perform unguarded actions. This way, e.g., in x [ y, z ] name x isactive, but y, z are not. Definition 9 (Active Names) . The set of active names of P , denoted an( P ) , contains the (free) namesthat are used for unguarded actions (output, input, selection, branching): an( x [ y, z ]) := { x } an( x ( y, z ) .P ) := { x } an( x [ z ] ⊳ ℓ ) := { x } an( x ( z ) ⊲ { i : P i } i ∈ I ) := { x } an(( P | Q )) := an( P ) ∪ an( Q ) an(( ν xy ) P ) := an( P ) \ { x, y } an( ) := ∅ an( x A y ) := { x, y } an(( µX (˜ x ) .P ) h ˜ y i ) := an( P { ˜ y/ ˜ x } ) an( X h ˜ x i ) := ∅ y Definition 10 (Live Process) . Process P is live , denoted live( P ) , if there are x , y , and P ′ such that P ≡ ( ν xy ) P ′ with x, y ∈ an( P ′ ) . y Additionally, we also need to account for recursion. As recursion definitions do not entail reductions, wemust fully unfold them before eliminating
Cycle s: Lemma 11 (Unfolding) . If P ⊢ Ω; Γ , then there is P ⋆ ≡ P s.t. P ⋆ is not of the form ( µX (˜ x ) .P ′ ) h ˜ y i and P ⋆ ⊢ Ω; Γ . y Proof (Sketch).
By induction on the number of consecutive recursive definitions in P , using structuralcongruence (Def. 1), the equi-recursiveness and contractiveness of types, and Lift (Def. 5) to ensure theconsistency of priorities.Top-level deadlock freedom concerns a single reduction step because recursive processes might alwaysstay live after reduction. 10 heorem 12 (Top-level Deadlock Freedom) . If P ⊢ ∅ ; Γ and live( P ) , then there is Q s.t. P −→ Q . y Proof (Sketch).
Using structural congruence (Def. 1), transform P to a process in which restrictionsoccur at top-level, enclosing a composition of restriction-free processes. Among these processes, considerthe unguarded occurrences of forwarding, input and branching prefixes; because live( P ) , there is at leastone of them. Take the unguarded process whose name x has the type with the least priority (if there aremultiple processes with the same priority, any of them suffices). W.l.o.g. suppose the unguarded processis an input prefix:• If x ∈ fn( P ) , we infer P −→ Q using Rule κ & from Def. 2 (i.e. a commuting conversion).• Otherwise, by well-typedness, x is bound to a name y used for output. Necessarily, the outputon y occurs unguarded. This is a consequence of (i) x having the least priority and (ii) dualityrequiring matching priorities for the types of x and y . Indeed, if the output on y were guarded,by well-typedness, the priority associated to the type of the guard would be lower than that for y ;consequently, the priority of x would not be the least among those of the unguarded processes. Asthe input on x and the output on y both occur unguarded, we infer P −→ Q using Rule β ⊗ & fromDef. 2, possibly using Lemma 11 to unfold recursions.We now state our deadlock freedom result. It concerns well-typed closed processes, i.e., processeswithout free names (as in, e.g., [14, 23]): therefore, the guaranteed reduction step corresponds to amessage-passing synchronization, rather than to a commuting conversion. Theorem 13 (Deadlock Freedom for Closed Processes) . If P ⊢ ∅ ; ∅ , then either P ≡ , or live( P ) and P −→ β Q for some Q . y Proof. If P is not live, it would be a parallel composition of inactive processes, i.e. P ≡ typable with Mix and
Empty . Otherwise, if P is live, by Theorem 12 there is Q s.t. P −→ Q . Moreover, P −→ β Q ,because commuting conversions apply only to free names. Examples
We adapt the following example from [52] to showcase APCP’s clean support for sessiondelegation and interleaving, which transfers naturally to multiparty protocols:
Example 14 (Example 6.8 in [52]) . Consider the following typed processes: P := x P [ y ] · y ( n ) . ⊢ ∅ ; x P :( • & o • ) ⊗ o • Q := z Q [ w ] · w [ ] · ⊢ ∅ ; z Q :( • ⊗ o • ) & o • R := x R ( y ) .z R ( w ) .w ( n ) .y [ n ′ ] · n • n ′ ⊢ ∅ ; x R :( • ⊗ o • ) & o • , z R :( • & o • ) ⊗ o • where is a closed channel representing the number 1. Processes P and Q are well-typed, withoutrequiring checks on priorities. By letting o = 2 , o = o = 0 , and o = 1 , process R is well-typed as well,satisfying any priority checks. Because their composition is typable as ( ν x P x R )( ν z Q z R )( P | Q | R ) ⊢ ∅ ; ∅ ,by Theorem 13, it is deadlock free. y We close this section by detailing the cyclic scheduler discussed in § 1.1.1:
Example 15 (Milner’s Cyclic Scheduler) . Suppose n > . Our goal is to structure the cycle of partialschedulers A , . . . , A n and worker processes P , . . . , P n as follows: ( ν c i d i )
Definition 20 (Participants of Relative Types) . The set of participants prt ( R ) of relative type R isdefined as: prt ( end ) := ∅ prt ( skip .R ) := prt ( R ) prt ( µX.R ) := prt ( R ) prt ( X ) := ∅ prt ( p { i h S i i .R i } i ∈ I ) := { p } ∪ ( S i ∈ I prt ( R i )) prt ( p ? r { i.R i } i ∈ I ) := { p } ∪ ( S i ∈ I prt ( R i )) prt ( p ! r { i.R i } i ∈ I ) := { p } ∪ ( S i ∈ I prt ( R i )) y To define relative projection for global types, we use a mechanism to detect dependencies:
Definition 21 (Relative Projection) . Given a global type G , we define its relative projection onto a pairof participants p and q , denoted ‘ G ↾ ( p, q ) ’, by induction on the structure of G as given in Figure 7(bottom), using the auxiliary function ddep (cf. Figure 7, top). y The most interesting case of Definition 21 concerns a direct exchange s ։ r { i h S i i .G i } i ∈ I that isprojected onto ( p, q ) . The first two cases in Figure 7 (bottom) apply when the exchange involves both p and q . If it involves only one of p and q , we use the function ddep to detect dependencies. We discussthe definition in Figure 7 (top):• If the relative projections of all branches are equal, a dependency is unnecessary: projection yieldsthe unobservable relative type skip , followed by the projection of any branch.• Otherwise, if branches have different projections, the exchange represents a non-local choice, soa dependency is necessary. If p or q is involved in the exchange, ddep yields an appropriatedependency (e.g., p ! r if p is the sender, or q ? s if q is the recipient). If neither p nor q are involved,then ddep cannot yield a dependency and projection is undefined.In the case of µX.G ′ , we consider the projection of the body G ′ ↾ ( p, q ) : if p and q do not interact—if G ′ ↾ ( p, q ) is a (possibly empty) sequence of skip s followed by end or X —then the projection yields end .Otherwise, if p and q do interact, then the recursion is preserved in the projection. Note that equi-recursiveness is key here: e.g., if G ′ ↾ ( p, q ) = skip .µY. skip .X = skip . skip .X , then ( µX.G ′ ) ↾ ( p, q ) = end .The projection of a recursive call X is simply X . 14he case for ( G | G ) is standard [33]: projection ensures that G and G do not share participantsand only continues with either global type if both p and q are participants. The cases for end and skip are projected homomorphically.Example 19 already gives the projections of G auth (1) onto ( s, a ) , ( c, a ) , and ( s, c ) . By the followingproperty, which follows by construction, we have that, e.g., G auth ↾ ( s, a ) = G auth ↾ ( a, s ) , i.e., the order ofparticipants does not matter for projection: Proposition 22.
For global type G and distinct participants p, q ∈ prt ( G ) , • if G ↾ ( p, q ) is defined, then G ↾ ( p, q ) = G ↾ ( q, p ) and prt ( G ↾ ( p, q )) ⊆ { p, q } ; • G ↾ ( p, q ) is undefined if and only if G ↾ ( q, p ) is undefined. y Notation.
We introduce some useful notation: • We write p ։ q : i h S i .G for a global type with a single branch p ։ q { i h S i .G } (and similarly forexchanges and dependencies in relative types). • We omit unit message types from global and relative types, writing i.G for i h unit i .G . • Given k > , we write skip k for a sequence of k skip s. y Example 23 (Two-Buyer-Seller) . As additional example of projection, consider a protocol in which Alice( a ) and Bob ( b ) attempt to buy a product from Seller ( s ). First, a sends a title to s , who sends a priceto a and b . Then, a sends to b her contribution, after which b sends to s a decision to proceed or not. If b decides to proceed, a sends s her address. G := a ։ s : title h str i .s ։ a : price h int i .s ։ b : price h int i .a ։ b : contr h int i .b ։ s { ok .a ։ s : addr h str i . end , cancel . skip . end } The relative projection of G onto ( b, s ) is straightforward. In the case of ( a, s ) , the choice from b to s is non-local and thus yields a dependency. The skip in b ’s cancel branch avoids a dependency in theprojection onto ( a, b ) . G ↾ ( b, s ) = skip .s : price h int i .b { ok . skip . end , cancel . skip . end } G ↾ ( a, s ) = a : title h str i .s : price h int i . skip .s ? b { ok .a : addr h str i . end , cancel . skip . end } G ↾ ( a, b ) = skip .a : contr h int i . skip . end y Well-formed Global Types
We may now define well-formedness for global types. Unlike usualMPST approaches, our definition relies exclusively on (relative) projection, and does not appeal toexternal notions such as merge and subtyping [35, 54].
Definition 24 (Relative Well-Formedness) . A global type G is relative well-formed if, for every distinct p, q ∈ prt ( G ) , the projection G ↾ ( p, q ) is defined. y The following contrasts this new notion of relative well-formedness with notions of well-formednessbased on local types [33, 25], which we discuss in § 6:
Example 25.
Consider the following global type involving participants p, q, r, s : G := p ։ q (cid:26) h S a i .p ։ r : 1 h S b i .p ։ s : 1 h S c i .q ։ r : 1 h S d i .q ։ s : 1 h S e i . end , h S f i .r ։ p : 2 h S g i .s ։ p : 2 h S h i .r ։ q : 2 h S i i .s ։ q : 2 h S j i . end (cid:27) The initial exchange between p and q is a non-local choice influencing the protocols between other pairsof participants. Well-formedness as in [33, 25] forbids non-local choices. In contrast, G is relativewell-formed: p and q must both forward the selected label to both r and s . The dependencies in thefollowing relative projections express precisely this: G ↾ ( p, r ) = p ! q { .p : 1 h S b i . skip . end , .r : 2 h S g i . skip . end } G ↾ ( p, s ) = p ! q { . skip .p : 1 h S c i . skip . end , . skip .s : 2 h S h i . skip . end } G ↾ ( q, r ) = q ? p { . skip .q : 1 h S d i . skip . end , . skip .r : 2 h S i i . skip . end } G ↾ ( q, s ) = q ? p { . skip .q : 1 h S e i . end , . skip .s : 2 h S j i . end } y n participants, the amount of messages percommunication is O ( n ) —an upper-bound following from the worst-case scenario in which both senderand recipient have to forward a label to n − participants due to dependencies, as in the example above.However, in practice, sender and recipient will rarely both have to forward labels, let alone both to allparticipants. Here we develop our second technical contribution: a decentralized analysis of multiparty protocols (§ 3)using APCP (§ 2). The intended setup is as follows. Each participant’s role in a global type is im-plemented by a process, which is connected to a router : a process that orchestrates the participant’sinteractions in the global type. The resulting routed implementations can then be directly connected toeach other on dedicated channels to form a decentralized network of routed implementations implement-ing the global type.Key in our analysis is the synthesis of a participant’s router from a global type. To assert the well-typedness (and thus deadlock freedom) of networks of routed implementations, we extract binary sessiontypes from the global type and its associated relative types:• from the global type we extract types for channels between implementations and routers;• from the relative types we extract types for channels between pairs of routers.Our approach to router synthesis decomposes each exchange in the global type into four sub-steps,which we motivate by considering the initial exchange from s to c in G auth (1): s ։ c { login . . . , quit . . . } .As explained in Example 19, this exchange induces a dependency in the relative projections of G auth onto ( s, a ) and ( c, a ) . We decompose this exchange as follows, writing P x for the implementation and R x forthe router of each x ∈ { s, c, a } , where the multiple actions in one step happen concurrently:1. P s sends ℓ ∈ { login , quit } to R s .2. R s sends ℓ to R c (recipient) and R a (output dependency). P s sends unit value v to R s .3. R c sends ℓ to P c and R a (input dependency). R s forwards v to R c .4. R c forwards v to P c . R a sends ℓ to P a .We follow this decomposition in assigning to each consecutive step a consecutive priority: this ensuresthe consistent priority checks required to establish deadlock freedom by typing.We first prepare the ground for synthesis by defining the extraction of binary session types fromglobal and relative types (§ 4.1). Next, we give the synthesis of a participant’s router from a globaltype (§ 4.2). Routers are typable in APCP under the extracted binary types (Theorem 31), thus showingthat networks of routed implementations inherit protocol fidelity, communication safety, and deadlockfreedom from APCP. An operational correspondence between global types and networks of routers en-ables the transference of deadlock freedom from APCP to multiparty protocols (§ 4.3). Finally, we showthat routers strictly generalize centralized mediums (§ 4.4). § 5 shows routers in action. We begin by extracting session types (Def. 3) from messages types (Def. 16). Priorities are left unspecified:they do not matter for the typability of routers, which forward messages between implementations andother routers. Note that one must still specify these priorities when typechecking implementations,making sure they concur between sender and recipient.
Definition 26 (From Message Types to Session Types) . We extract a session type from message type S , denoted ‘ L S M ’, by induction on the structure of S as in Figure 8 (top). y elow, o ∈ N is arbitrary: L end M := • L ! T.S M := L T M ⊗ o L S M L ⊕{ i : S i } i ∈ I M := ⊕ o { i : L S i M } i ∈ I L µX.S M := µX. L S ML ? T.S M := L T M & o L S M L & { i : S i } i ∈ I M := & o { i : L S i M } i ∈ I L X M := X ......................................................................................................................................................Predicate hdep( p, q, G ) is true if• G = s ։ r { i h S i i .G i } i ∈ I and q ∈ { s, r } , and• ddep(( p, q ) , G ) = skip .R for any relative type R , where ddep is as in Fig. 7 (top).......................................................................................................................................................If G = s ։ r { i h S i i .G i } i ∈ I , G ⇂ o p := ⊕ o { i : L S i M ⊗ o +1 ( G i ⇂ o +4 p ) } i ∈ I if p = s & o +2 { i : L S i M ⊥ & o +3 ( G i ⇂ o +4 p ) } i ∈ I if p = r & o +2 { i : ( G i ⇂ o +4 p ) } i ∈ I if p / ∈ { s, r } and hdep( p, s, G )& o +3 { i : ( G i ⇂ o +4 p ) } i ∈ I if p / ∈ { s, r } and ¬ hdep( p, s, G ) and hdep( p, r, G ) G i ′ ⇂ o +4 p [any i ′ ∈ I ] otherwiseOtherwise, end ⇂ o p := end ( skip .G ′ ) ⇂ o p := G ′ ⇂ o +4 p ( G | G ) ⇂ o p := G ⇂ o p if p ∈ prt ( G ) G ⇂ o p if p ∈ prt ( G ) • otherwise X ⇂ o p := X ( µX.G ′ ) ⇂ o p := ( µX. ( G ′ ⇂ o p ) if G ′ ⇂ o p = X and G ′ ⇂ p = •• otherwise Figure 8: Extracting Session Types from Message Types (top), Predicate hdep (middle),and Local Projection: Extracting Session Types from a Global Type (bottom, cf. Definition 27).For the types for channels between implementations and routers, we define the local projection from aglobal type onto a participant. Local projection incorporates dependencies, similar to relative projection(cf. Def. 21), and yields binary session types. In contrast, the usual definitions of local projection (as in,e.g., [33, 34, 35]) use merge and yield local types.
Definition 27 (Local Projection: From Global Types to Session Types) . Given a global type G , wedefine its local projection onto a participant p with priority o , denoted ‘ G ⇂ o p ’, by induction on thestructure of G as in Figure 8 (bottom), using message type extraction (cf. Def. 26), and the auxiliarypredicate hdep (cf. Fig. 8, middle). y We discuss the local projection of a global type onto a participant p with priority o . Local projectionyields a type for the perspective of p ’s implementation. The priorities in local projection reflect the foursub-steps into which we decompose exchanges in global types.• If p is the sender, local projection specifies a choice ( ⊕ ) between the exchange’s labels at priority o and an output ( ⊗ ) of the associated message type at priority o + 1 , followed by the projection ofthe chosen branch at priority o + 4 .• If p is the recipient, local projection specifies a branch ( & ) on the exchange’s labels at priority o + 2 and an input ( & ) of the associated message type at priority o + 3 , followed by the projection of thechosen branch at priority o + 4 .• If p is neither sender nor recipient, local projection uses the predicate hdep to detect a dependencyon the sender’s output or the recipient’s input. If there is a dependency on the output, localprojection specifies a branch on the exchange’s labels at priority o + 2 . If there is a dependencyon the input, local projection specifies a branch at priority o + 3 . Otherwise, when there is nodependency at all, local projection simply continues with the projection of any branch at priority o + 4 .Projection only preserves recursion definitions if they contain actual behavior (i.e. the projection of therecursion’s body is not X or • ). The projection of G | G considers the component in which p occurs.The cases of end , skip , and recursion variables are straightforward.17 r { i h S i i .R i } i ∈ I M o p i q := ⊕ o +1 n i : L S i M ⊗ o +2 L R i M o +4 p i q o i ∈ I if p = r & o +1 n i : ( L S i M ) ⊥ & o +2 L R i M o +4 p i q o i ∈ I if q = r L r ? s { i.R i } i ∈ I M o p i q := ⊕ o +2 n i : L R i M o +4 p i q o i ∈ I if p = r & o +2 n i : L R i M o +4 p i q o i ∈ I if q = r L r ! s { i.R i } i ∈ I M o p i q := ⊕ o +1 n i : L R i M o +4 p i q o i ∈ I if p = r & o +1 n i : L R i M o +4 p i q o i ∈ I if q = r L end M o p i q := • L skip .R M o p i q := L R M o +4 p i q L µX.R M o p i q := µX. L R M o p i q L X M o p i q := X Figure 9: Extracting Session Types from Relative Types (cf. Definition 28).As we have seen, local projection gives types for channels between implementations and routers. Forchannels between routers, we extract session types from relative types (Def. 18). Considering a relativetype that describes the protocol between p and q , this entails decomposing it into a type for p and a dualtype for q . Definition 28 (From Relative Types to Session Types) . We extract a session type from relative type R between p and q , for p with priority o , denoted ‘ L R M o p i q ’, by induction on the structure of R as inFigure 9. y Here extraction is directional : in L R M o p i q , the annotation p i q says that the session type describes theperspective of p ’s router with respect to q ’s. Messages from p are decomposed into selection ( ⊕ ) atpriority o + 1 followed by output ( ⊗ ) at priority o + 2 . Dependencies on p become selection types ( ⊕ ) atpriority o + 1 for output and at priority o + 2 for input. Messages from q and dependencies on q yielddual types. Extraction from end , skip , and recursion is straightforward.This way, the channel of p ’s router that connects to q ’s uses L G ↾ ( p, q ) M o p i q , i.e., the session typeextracted from the relative projection of G onto p, q . Similarly, the endpoint of this channel at q ’s routerwill have the type L G ↾ ( p, q ) M o q i p . To show that networks of routed implementations are well-typed, thesesession types must be dual: this is ensured by Def. 28, which follows inductively by construction: Proposition 29.
For relative well-formed global type G and participants p, q ∈ prt ( G ) , L G ↾ ( p, q ) M o p i q = ( L G ↾ ( p, q ) M o q i p ) ⊥ . y We now define the algorithm that synthesizes a router process for a given global type and a participant.Given a global type G with n participants, our analysis relies on n routers, one per participant. Given G , a participant p , and ˜ q = prt ( G ) \{ p } , the algorithm generates a process denoted J G K ˜ qp , which connectswith a process implementing p ’s role in G on channel µ p ; we shall write such channels in purple. Thisrouter for p also connects with the routers of each other participant q i ∈ ˜ q on channels p q , . . . , p q n ; weshall write these in blue. Definition 30 (Router Synthesis) . Given a global type G , a participant p , and participants ˜ q , Algorithm 1defines the synthesis of a router process , denoted ‘ J G K ˜ qp ’, that orchestrates p ’s interactions with G ’s otherparticipants according to G .In the algorithm, we write ‘ x ← v ’ to assign value v to variable x . y We often write R p for J G K prt ( G ) \{ p } p when G is clear from the context.Algorithm 1 distinguishes cases depending on the syntax of G (Def. 16). The key case is if G = s ։ r { i h U i i .G i } i ∈ I (line 3). First, the algorithm computes a set deps of participants that depend on theexchange using hdep (cf. Fig. 8, middle). Then, the algorithm considers the three possibilities for p :18 lgorithm 1: Synthesis of Router Processes (Def. 30). def J G K ˜ qp as switch G do case s ։ r { i h S i i .G i } i ∈ I do deps ← { q ∈ ˜ q | hdep( q, p, G ) } if p = s then return µ p ⊲ (cid:8) i : p r ⊲ i · ( p q ⊲ i ) q ∈ deps · µ p ( v ) .p r [ w ] · ( v L S i M w | J G i K ˜ qp ) (cid:9) i ∈ I else if p = r then return p s ⊳ (cid:8) i : µ p ⊳ i · ( p q ⊳ i ) q ∈ deps · p s ( v ) .µ p [ w ] · ( v L S i M ⊥ w | J G i K ˜ qp ) (cid:9) i ∈ I else if p / ∈ { s, r } then depon s = ( s ∈ ˜ q ∧ hdep( p, s, G )) depon r = ( r ∈ ˜ q ∧ hdep( p, r, G )) if depon s and ¬ depon r then return p s ⊲ (cid:8) i : µ p ⊳ i · J G i K ˜ qp (cid:9) i ∈ I else if depon r and ¬ depon s then return p r ⊲ (cid:8) i : µ p ⊳ i · J G i K ˜ qp (cid:9) i ∈ I else if depon s and depon r then return p s ⊲ (cid:8) i : µ p ⊳ i · p r ⊲ { i : J G i K ˜ qp } ∪ C i (cid:9) i ∈ I // cf. Equation (3) for C i else return J G j K ˜ qp for any j ∈ I case µX.G ′ do ˜ q ′ ← { q ∈ ˜ q | G ↾ ( p, q ) = end } if J G ′ K ˜ q ′ p = and J G ′ K ˜ q ′ p = X h . . . i then return ( µX (( p q ) q ∈ ˜ q ′ , µ p ) . J G ′ K ˜ q ′ p ) h ( p q ) q ∈ ˜ q ′ , µ p i else return case X do return X h ( p q ) q ∈ ˜ q , µ p i case ( G | G ) do return J G K prt ( G ) \ pp if p ∈ prt ( G ) else( J G K prt ( G ) \ pp if p ∈ prt ( G ) else ) case skip .G ′ do return J G ′ K ˜ qp case end do return
1. If p = s then p is the sender (line 5): the algorithm returns a process that receives a label i ∈ I over µ p ; sends i over p r and over p q for every q ∈ deps ; receives a channel v over µ p ; forwards v as w over p r ; and continues as J G i K ˜ qp .2. If p = r then p is the recipient (line 6): the algorithm returns a process that receives a label i ∈ I over p s ; sends i over µ p and over p q for every q ∈ deps ; receives a channel v over p s ; forwards v as w over µ p ; and continues as J G i K ˜ qp .3. Otherwise, if p is not involved (line 7), we use hdep to determine whether p depends on an outputfrom s , an input from r , or on both (lines 8 and 9). If p only depends on the output from s , thealgorithm returns a process that receives a label i ∈ I over p s ; sends i over µ p ; and continues as J G i K ˜ qp (line 10). If p only depends on an input from r , the returned process is similar; the onlydifference is that i is received over p r (line 11).When p depends on both the output from s output and on the input from r (line 12), the algorithmreturns a process that receives a label i ∈ I over p s ; sends i over µ p ; receives a label i ′ ∈ I over p r ;and, if i = i ′ , continues as J G i K ˜ qp .An edge case is when i = i ′ , i.e., when the labels received over p s and p r are different. This onlyoccurs if p s or p r is connected to a process not synthesized by our algorithm; our analysis excludesthis possibility, but we handle it to ensure typability (Theorem 31). On line 12, processes relatedto this case are included in the set C i , which produces the behavior of G i on µ p and p s , of G i ′ for i ′ ∈ I \ { i } on p r , and of G on p q for q ∈ ˜ q \ { s, r } : C i = (cid:8) i ′ : {| ( G i ⇂ o +4 p ) ⊥ |} µ p | {| L G i ↾ ( p, s ) M o +4 p i s |} p s | {| L G i ′ ↾ ( p, r ) M o +4 p i r |} p r | Q q ∈ ˜ q \{ s,r } {| L G ↾ ( p, q ) M o p i q |} p q (cid:9) i ′ ∈ I \{ i } (3)19bove, we use characteristic processes : process {| A |} x performs the actions described by type A onchannel x (cf. Def. 41 in App. C). We have {| A |} x ⊢ Ω; x : A for some Ω .If there are no dependencies, the returned process is J G j K ˜ qp , for any j ∈ I (line 13).If G = µX.G ′ (line 14), the algorithm stores in ˜ q ′ those q ∈ ˜ q that interact with p in G ′ (i.e. µX.G ′ ↾ ( p, q ) = end ), and stores the router for G ′ as rtr (line 15). Then, if rtr defines some actual behavior (i.e. is not or a recursion call; line 16), the algorithm returns a recursion definition with as context the channels p q for q ∈ ˜ q ′ and µ p . Otherwise, the algorithm returns (line 17). If G = X (line 18), the algorithmreturns a recursive call with as context the channels p q for q ∈ ˜ q and µ p . Finally, if G = ( G | G ) (line 19), it proceeds with G or G depending on p ’s role—if p prt ( G | G ) , the algorithm returns .If G = skip .G ′ (line 20), it continues with G ′ immediately; if G = end (line 21), the algorithm returns .The following result connects all of relative projection, local projection, and type extraction in thetypability of routers synthesized from global types: Theorem 31.
Suppose a relative well-formed global type G and a priority o . For any participant p ∈ prt ( G ) , let R p := J G K prt ( G ) \{ p } p . Then, R p ⊢ µ p :( G ⇂ o p ) ⊥ , (cid:0) p q : L G ↾ ( p, q ) M o p i q (cid:1) q ∈ prt ( G ) \{ p } y Proof.
By induction on the structure of G , with six cases as in Algorithm 1.The complexity of the synthesis algorithm is linear in the size of global types (the sum of the amount ofcommunications over all branches). It relies on relative projection, which works on pairs of participants;synthesizing routers for a global type with n participants thus requires n ( n − ∈ O ( n ) projections.However, projection is easy to automate, and due to the theorem above, it is not needed for typecheckingrouted implementations. As hinted at before, we analyze a global type (which specifies a multiparty protocol) in terms of itsrouted implementations (an implementation coupled with participants’ routers). Precisely, we consider networks of routed implementations:
Definition 32 (Networks) . Suppose a relative well-formed global type G . • For participants ˜ p ⊆ prt ( G ) , the set of routed implementations of ˜ p in G is defined as ri( G, ˜ p ) := (cid:8) ( ν µ p p µ ) p ∈ ˜ p ( Q | Q p ∈ ˜ p R p ) (cid:12)(cid:12) Q ⊢ ( p µ :( G ⇂ p )) p ∈ ˜ p (cid:9) . • Let P G be the set of all complete partitions of prt ( G ) with elements π, π ′ , . . . . The set of networks of G (with elements N , N ′ , . . . ) is defined as net( G ) := (cid:8) ( ν p q q p ) p,q ∈ prt ( G ) ( Q ˜ p ∈ π N ˜ p ) (cid:12)(cid:12) π ∈ P G ∧ ∀ ˜ p ∈ π. N ˜ p ∈ ri( G, ˜ p ) (cid:9) . y This way, e.g., Figure 2 and Figure 3 both depict networks in net( G auth ) , although related to differentpartitions of prt ( G auth ) , namely (cid:8) { a } , { s } , { c } (cid:9) and (cid:8) { a, s } , { c } (cid:9) , respectively.All networks of routed implementations are typable and thus deadlock free: Theorem 33.
For relative well-formed global type G , every N ∈ net( G ) is deadlock free. y Proof.
By the typability of routers (Theorem 31) and the duality of the types of router channels (Propo-sition 22),
N ⊢ ∅ ; ∅ . Hence, by Theorem 13, N is deadlock free.Given a global type G , to transfer the correctness properties from net( G ) to G (in particular, deadlockfreedom), we define an operational correspondence between processes and global types, in both directions.To this end, we define a labeled transition system (LTS) for global types and a notion of annotatedreduction for processes: Definition 34 (LTS for Global Types) . The relation G α −→ G ′ is defined by the rules in Figure 10 (top),where labels α are of the form p i q : ℓ h S i . y ∈ Ip ։ q { i h U i i .G i } i ∈ I p i q : j h U j i −−−−−−→ G j G α −→ G ′ ( G | G ) α −→ ( G ′ | G ) G α −→ G ′ ( G | G ) α −→ ( G | G ′ ) G α −→ G ′ skip .G α −→ G ′ ...................................................................................................................................................... ( ν yz )( x A y | P ) x y −−− ⇁P { x/z } ( ν xy )( x [ a, b ] | y ( v, z ) .P ) x i y : a −−− ⇁P { a/v,b/z } ( ν xy )( x [ b ] ⊳ j | y ( z ) ⊲ { i : P i } i ∈ I ) x i y : j −−− ⇁P j { b/z } (if j ∈ I ) ( P ≡ P ′ ) ∧ ( P ′ α − ⇁Q ′ ) ∧ ( Q ′ ≡ Q ) P α − ⇁Q P α − ⇁Q ( ν xy ) P α − ⇁ ( ν xy ) Q P α − ⇁QP | R α − ⇁Q | R Figure 10: LTS for Global Types (top, cf. Def. 34), and Labeled Reductions (bottom, cf. Def. 35).
Definition 35 (Labeled Reductions for APCP) . Consider the labels α ::= x y | x i y : a | x i y : ℓ (forwarding, output/input, select/branch)The labeled reduction P α − ⇁Q is defined by the rules in Figure 10 (bottom). y Proposition 36. P α − ⇁P ′ for some P, P ′ and label α if and only if P −→ P ′ . y Operational correspondence states: (1) every transition of a global type is mimicked by a precisesequence of labeled reductions originating from an associated network ( soundness ), and (2) for everylabeled reduction originated in a network there is a corresponding global type transition ( completeness ).We write ρ ρ for the composition of relations ρ and ρ , and −→ ∗ for the reflexive, transitive closureof −→ . Also, we write ∗ α ∗ −− ⇁ for −→ ∗ α − ⇁ −→ ∗ . Theorem 37 (Operational Correspondence) . Suppose a relative well-formed global type G .1. If G p i s : j h S j i −−−−−−→ G ′ , then there exist N ∈ net( G ) and N ′ ∈ net( G ′ ) such that N ∗ p µ i µ p : j ∗ −−−−−− ⇁ p s i s p : j −−−− ⇁ −→ ∗ ∗ p µ i µ p : v ∗ −−−−−− ⇁ ∗ µ s i s µ : j ∗ −−−−−− ⇁ −→ ∗ p s i s p : v −−−− ⇁ ∗ µ s i s µ : v ∗ −−−−−− ⇁ N ′ .
2. For
N ∈ net( G ) , if N −→ ∗ p µ µ p : ℓ −−−− ⇁ N for p ∈ prt ( G ) where −→ ∗ is of minimal length, then G p i q : ℓ h S i −−−−−→ G ′ for q ∈ prt ( G ) , S , and G ′ such that N −→ ∗ N ′ with N ′ ∈ net( G ′ ) . y Proof (Sketch).
1. By Theorem 31 and the definition of net( G ) , the implementation process for p in N correctly implements the actions by p as depicted in G . Then, by Theorem 13, N is deadlockfree, so the implementation process for p will eventually send the label j over p µ . The rest of thesteps follow similar reasoning.2. Since −→ ∗ is of minimal length, ℓ is the first label sent by p ’s implementation to p ’s router. Therouters in N are synthesized by Algorithm 1, so, by Theorem 31, the input of ℓ on µ p originatesfrom such an input in G . Hence, the transition of G follows by definition (Def. 34). The rest of theproof follows item 1 of this proof. Unlike our decentralized analysis, previous analyses of global types using binary session types rely on asingle, centralized orchestrator (mediums/arbiters [12, 16]). We can easily modify Algorithm 1 to syn-thesize the medium process of a global type G , similar to [12], yielding M [ G ] ⊢ ∅ ; (cid:0) µ p :( G ⇂ p ) ⊥ (cid:1) p ∈ prt ( G ) .Provided a process context C supplying implementations for all protocol participants, such a medium is weakly bisimilar (denoted ‘ ≈ ’) to the composition of all routers synthesized from G . Appendix E detailsthe following: Theorem 38.
Given a relative well-formed global type G , there is a process context C such that C [( ν p q q p ) p,q ∈ prt ( G ) ( Q p ∈ prt ( G ) R p )] ≈ C [ M [ G ]] . y Routers in Action: Delegation and Interleaving
We demonstrate our approach by analyzing a global type with delegation and interleaving, based on anexample by Toninho and Yoshida [52, Ex. 6.9]. Consider the global type: G intrl := p ։ q : 1 h ! int . end i .r ։ t : 2 h int i .p ։ q : 3 . end Following Toninho and Yoshida [52], we give implementations of the roles of the four participants ( p, q, r, t )of G intrl using three processes ( P , P , and P ): P and P implement the roles of q and r , respectively,and P interleaves the roles of p and t by sending a channel s to q and receiving an int value v from r ,which it should forward to q over s . P := p µ ⊳ ℓ · p µ [ s ] · ( t µ ⊲ { ℓ : t µ ( v ) .s [ w ] · v • w } | p µ ⊳ ℓ · p µ [ z ] · ) ⊢ p µ : ⊕ (cid:8) ℓ : L ! int . end M ⊗ ⊕ { ℓ : • ⊗ •} (cid:9) , t µ :& { ℓ : • & •} P := q µ ⊲ { ℓ : q µ ( y ) .y ( x ) .q µ ⊲ { ℓ : q µ ( u ) . }} ⊢ q µ :& (cid:8) ℓ : L ! int . end M ⊥ & & { ℓ : • & •} (cid:9) P := r µ ⊳ ℓ · r µ [ ] · ⊢ r µ : ⊕ { ℓ : • ⊗ •} where denotes a closed channel representing the number 33.To prove that P , P , and P correctly implement G intrl , we compose them with routers synthesizedfrom G intrl . To this end, we assign values to the priorities in L ! int . end M = • ⊗ o • to ensure that P and P are well-typed; assigning o = 8 works, because the output on s in P occurs after the inputon t µ (which has priority 6–7) and the input on y in P occurs before the second input on q µ (whichhas priority 10–11). The types assigned to p µ and t µ in P coincide with ( G intrl ⇂ p ) and ( G intrl ⇂ t ) ,respectively (cf. Def. 27). Therefore, by Theorem 31, ( ν p µ µ p )( ν t µ µt )( P |R p |R t ) is well-typed. Similarly, ( ν q µ µ q )( P | R q ) and ( ν r µ µ r )( P | R r ) are well-typed as well. Their composition forms the followingnetwork of routed implementations (cf. Def. 32), which, by Theorem 13, is deadlock free: ( ν p q q p )( ν p r r p )( ν p t t p )( ν q r r q )( ν q t t q )( ν r t t r ) (cid:18) ( ν p µ µ p )( ν t µ µ t )( P | R p | R t ) | ( ν q µ µ q )( P | R q ) | ( ν r µ µ r )( P | R r ) (cid:19) ⊢ ∅ ; ∅ Types for Deadlock Freedom
APCP guarantees deadlock freedom by typing, which is prerequi-site to analyze a global type as a network of routed implementations (cf. Def. 32). Deadlock freedom bytyping in APCP extends and streamlines that of PCP [23]: we add recursion and support asynchronouscommunication, which simplifies typing. In turn, PCP adopts the priority-based approach to deadlockfreedom pioneered by Kobayashi and Igarashi [37, 39, 40, 41]. Padovani [45] gives a type system for thelinear π -calculus that improves over Kobayashi’s by using a single annotation called levels ; his systemcan type cyclic process networks with recursive processes. Balzer et al. [4] develop an advanced analy-sis of deadlock freedom for binary sessions, inspired by Kobayashi’s approach, which targets the cycliccomposition of processes with manifest sharing between linear and shared sessions.Toninho and Yoshida [52] also analyze binary sessions, leveraging on deadlock freedom results formultiparty sessions to extend Wadler’s CLL [53] with cyclic networks. Their process language is syn-chronous and uses replication rather than recursion. We note that their Examples 6.8 and 6.9 can betyped in APCP (cf. Ex. 14 and § 5); a detailed comparison between their extended CLL and APCP isinteresting future work.Our analysis of global types based on APCP is related to type systems that ensure deadlock freedomfor multiparty sessions with delegation and interleaving [7, 46, 22]. Unlike these works, we rely on a typesystem for binary sessions which is simple and enables an expressive analysis of global types. Coppo etal. [7, 21, 22] give type systems for multiparty protocols, with asynchrony and support for interleavedsessions by tracking of mutual dependencies between them; as per [52], our Example 14 is typable inAPCP but is untypable in their system. Padovani et al. [46] develop a type system that enforces livenessproperties for multiparty sessions, defined on top of a π -calculus with labeled communication. Ratherthan global types, their type structure follows approaches based on conversation types [15].22 PST and Binary Analyses of Global Types
There are many works on MPST and theirintegration into programming languages; see [36, 3] for surveys. Triggered by flawed proofs of type safetyand limitations of usual theories, Scalas and Yoshida [50] define a meta-framework of multiparty protocolsbased on local types, without global types and projection. We address similar issues by adopting relativetypes, instead of cutting ties with global types.As already mentioned, Caires and Pérez [12] and Carbone et al. [16] reduce the analysis of globaltypes to binary session type systems based on intuitionistic and classical linear logic, respectively. Ourrouters strictly generalize the centralized mediums of [12] (cf. § 4.4). We substantially improve overthe expressivity of the decentralized approach of [16] based on coherence, but reliant on encodings intocentralized arbiters; for instance, their approach does not support the example from [52] we discuss in§ 5. Also, [12, 16] do not support recursive global types nor asynchronous communication.Scalas et al. [49] leverage on an encoding of binary session types into linear types [24, 42] to reducemultiparty sessions to processes typable with linear types, with applications in Scala programming. Theiranalysis is decentralized but covers processes with synchronous communication only; also, their deadlockfreedom result is limited with respect to ours: it does not support interleaving, such as in the examplein § 5.
Other Approaches to Multiparty Protocols
In a broader context, Message Sequence Charts(MSCs) provide graphical specifications of multiparty protocols. Alur et al. [2] and Abdallah et al. [1]study the decidability of model-checking properties such as implementability of MSC Graphs and High-level MSCs (HMSCs) as Communicating FSMs (CFSMs). Genest et al. [30] study the synthesis ofimplementations of HMSCs as CFSMs; as we do, they use extra synchronization messages in some cases.We follow an entirely different research strand: our analysis is type-based and targets well-formed globaltypes that are implementable by design. We note that the decidability of key notions for MPST (suchas well-formedness and typability) has been addressed in [34].Collaboration diagrams are another visual model for communicating processes (see, e.g. [10]). Salaün et al. [48] encode collaboration diagrams into the LOTOS process algebra [27] to enable model-check-ing [28], realizability checks for synchronous and asynchronous communication, and synthesis of partic-ipant implementations. Their implementation synthesis is reminiscent of our router synthesis, and alsoadds extra synchronization messages to realize otherwise unrealizable protocols with non-local choices.
We developed a new analysis of multiparty protocols specified as global types. Our work covers protocolconformance (protocol fidelity, communication safety) and deadlock freedom, which is notoriously hardto establish for global types involving delegation and interleaving.Our analysis rests upon several innovations, including:
APCP , a type system for deadlock free,asynchronous π -calculus processes; relative types that capture protocols between pairs of participants; relative projection , which admits global types with non-local choices; routers , which enable global typeanalysis as decentralized networks (cf. Figures 2 and 3). Relative types are interesting on their own,as they shed new light on more expressive protocol specifications than usual MPST, which are tied tonotions of local types and merge/subtyping. In ongoing work , we are comparing relative and merge-based well-formedness (cf. App. F for initial findings) and developing tool support in order to assess ouranalysis in practice. 23 eferences [1] Rouwaida Abdallah, Loïc Hélouët, and Claude Jard. Distributed implementation ofmessage sequence charts. Software & Systems Modeling , 14(2):1029–1048, May 2015. doi:10.1007/s10270-013-0357-1 .[2] Rajeev Alur, Kousha Etessami, and Mihalis Yannakakis. Realizability and verifica-tion of MSC graphs.
Theoretical Computer Science , 331(1):97–114, February 2005. doi:10.1016/j.tcs.2004.09.034 .[3] Davide Ancona, Viviana Bono, Mario Bravetti, Joana Campos, Giuseppe Castagna, Pierre-MaloDeniélou, Simon J. Gay, Nils Gesbert, Elena Giachino, Raymond Hu, Einar Broch Johnsen,Francisco Martins, Viviana Mascardi, Fabrizio Montesi, Rumyana Neykova, Nicholas Ng, LucaPadovani, Vasco T. Vasconcelos, and Nobuko Yoshida. Behavioral Types in ProgrammingLanguages.
Foundations and Trends® in Programming Languages , 3(2-3):95–230, July 2016. doi:10.1561/2500000031 .[4] Stephanie Balzer, Bernardo Toninho, and Frank Pfenning. Manifest Deadlock-Freedom forShared Session Types. In Luís Caires, editor,
Programming Languages and Systems , LectureNotes in Computer Science, pages 611–639, Cham, 2019. Springer International Publishing. doi:10.1007/978-3-030-17184-1_22 .[5] Franco Barbanera and Mariangiola Dezani-Ciancaglini. Open Multiparty Sessions.
ElectronicProceedings in Theoretical Computer Science , 304:77–96, September 2019. arXiv:1909.05972 , doi:10.4204/EPTCS.304.6 .[6] Andi Bejleri, Elton Domnori, Malte Viering, Patrick Eugster, and Mira Mezini. Comprehensive Mul-tiparty Session Types. The Art, Science, and Engineering of Programming , 3(3):6:1–6:59, February2019. doi:10.22152/programming-journal.org/2019/3/6 .[7] Lorenzo Bettini, Mario Coppo, Loris D’Antoni, Marco De Luca, Mariangiola Dezani-Ciancaglini,and Nobuko Yoshida. Global Progress in Dynamically Interleaved Multiparty Sessions.In Franck van Breugel and Marsha Chechik, editors,
CONCUR 2008 - Concurrency The-ory , Lecture Notes in Computer Science, pages 418–433, Berlin, Heidelberg, 2008. Springer. doi:10.1007/978-3-540-85361-9_33 .[8] Michele Boreale. On the expressiveness of internal mobility in name-passing calculi.
TheoreticalComputer Science , 195(2):205–226, March 1998. doi:10.1016/S0304-3975(97)00220-X .[9] Gérard Boudol. Asynchrony and the Pi-calculus. Research Report RR-1702, INRIA, 1992.[10] Tevfik Bultan and Xiang Fu. Specification of realizable service conversations using col-laboration diagrams.
Service Oriented Computing and Applications , 2(1):27–39, April 2008. doi:10.1007/s11761-008-0022-7 .[11] Luís Caires. Types and Logic, Concurrency and Non-Determinism. Technical Report MSR-TR-2014-104, In Essays for the Luca Cardelli Fest, Microsoft Research, September 2014.[12] Luís Caires and Jorge A. Pérez. Multiparty Session Types Within a Canonical Binary Theory,and Beyond. In Elvira Albert and Ivan Lanese, editors,
Formal Techniques for Distributed Objects,Components, and Systems , Lecture Notes in Computer Science, pages 74–95. Springer InternationalPublishing, 2016. doi:10.1007/978-3-319-39570-8_6 .[13] Luís Caires and Jorge A. Pérez. Linearity, Control Effects, and Behavioral Types. In Hongseok Yang,editor,
Programming Languages and Systems , Lecture Notes in Computer Science, pages 229–259,Berlin, Heidelberg, 2017. Springer. doi:10.1007/978-3-662-54434-1_9 .[14] Luís Caires and Frank Pfenning. Session Types as Intuitionistic Linear Propositions. In Paul Gastinand François Laroussinie, editors,
CONCUR 2010 - Concurrency Theory , Lecture Notes in ComputerScience, pages 222–236, Berlin, Heidelberg, 2010. Springer. doi:10.1007/978-3-642-15375-4_16 .2415] Luís Caires and Hugo Torres Vieira. Conversation types.
Theoretical Computer Science ,411(51):4399–4440, December 2010. doi:10.1016/j.tcs.2010.09.010 .[16] Marco Carbone, Sam Lindley, Fabrizio Montesi, Carsten Schürmann, and Philip Wadler. Co-herence Generalises Duality: A Logical Explanation of Multiparty Session Types. In Josée De-sharnais and Radha Jagadeesan, editors, , volume 59 of
Leibniz International Proceedings in Informatics (LIPIcs) ,pages 33:1–33:15, Dagstuhl, Germany, 2016. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. doi:10.4230/LIPIcs.CONCUR.2016.33 .[17] Marco Carbone, Fabrizio Montesi, Carsten Schürmann, and Nobuko Yoshida. Multiparty SessionTypes as Coherence Proofs. In Luca Aceto and David de Frutos Escrig, editors, , volume 42 of
Leibniz International Proceed-ings in Informatics (LIPIcs) , pages 412–426, Dagstuhl, Germany, 2015. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. doi:10.4230/LIPIcs.CONCUR.2015.412 .[18] Marco Carbone, Nobuko Yoshida, and Kohei Honda. Asynchronous Session Types: Exceptionsand Multiparty Interactions. In Marco Bernardo, Luca Padovani, and Gianluigi Zavattaro, editors,
Formal Methods for Web Services: 9th International School on Formal Methods for the Designof Computer, Communication, and Software Systems, SFM 2009, Bertinoro, Italy, June 1-6, 2009,Advanced Lectures , Lecture Notes in Computer Science, pages 187–212. Springer, Berlin, Heidelberg,2009. doi:10.1007/978-3-642-01918-0_5 .[19] Giuseppe Castagna, Mariangiola Dezani-Ciancaglini, and Luca Padovani. On Global Typesand Multi-Party Session.
Logical Methods in Computer Science , 8(1), March 2012. doi:10.2168/LMCS-8(1:24)2012 .[20] Ilaria Castellani, Mariangiola Dezani-Ciancaglini, Paola Giannini, and Ross Horne. Globaltypes with internal delegation.
Theoretical Computer Science , 807:128–153, February 2020. doi:10.1016/j.tcs.2019.09.027 .[21] Mario Coppo, Mariangiola Dezani-Ciancaglini, Luca Padovani, and Nobuko Yoshida. Inference ofGlobal Progress Properties for Dynamically Interleaved Multiparty Sessions. In Rocco De Nicola andChristine Julien, editors,
Coordination Models and Languages , Lecture Notes in Computer Science,pages 45–59, Berlin, Heidelberg, 2013. Springer. doi:10.1007/978-3-642-38493-6_4 .[22] Mario Coppo, Mariangiola Dezani-Ciancaglini, Nobuko Yoshida, and Luca Padovani. Globalprogress for dynamically interleaved multiparty sessions.
Mathematical Structures in ComputerScience , 26(2):238–302, February 2016. doi:10.1017/S0960129514000188 .[23] Ornela Dardha and Simon J. Gay. A New Linear Logic for Deadlock-Free Session-Typed Processes.In Christel Baier and Ugo Dal Lago, editors,
Foundations of Software Science and ComputationStructures , Lecture Notes in Computer Science, pages 91–109. Springer International Publishing,2018. doi:10.1007/978-3-319-89366-2_5 .[24] Ornela Dardha, Elena Giachino, and Davide Sangiorgi. Session types revisited. In Danny DeSchreye, Gerda Janssens, and Andy King, editors,
Principles and Practice of Declarative Pro-gramming, PPDP’12, Leuven, Belgium - September 19 - 21, 2012 , pages 139–150. ACM, 2012. doi:10.1145/2370776.2370794 .[25] Pierre-Malo Deniélou and Nobuko Yoshida. Multiparty Compatibility in Communicating Au-tomata: Characterisation and Synthesis of Global Session Types. In Fedor V. Fomin, R¯usin , šFreivalds, Marta Kwiatkowska, and David Peleg, editors, Automata, Languages, and Program-ming , Lecture Notes in Computer Science, pages 174–186, Berlin, Heidelberg, 2013. Springer. doi:10.1007/978-3-642-39212-2_18 .[26] Henry DeYoung, Luís Caires, Frank Pfenning, and Bernardo Toninho. Cut Reduction in Lin-ear Logic as Asynchronous Session-Typed Communication. In Patrick Cégielski and Arnaud Du-rand, editors,
Computer Science Logic (CSL’12) - 26th International Workshop/21st Annual Con-ference of the EACSL , volume 16 of
Leibniz International Proceedings in Informatics (LIPIcs) ,25ages 228–242, Dagstuhl, Germany, 2012. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. doi:10.4230/LIPIcs.CSL.2012.228 .[27] Ed Brinksma. LOTOS — A formal description technique based on the temporal ordering of observa-tional behaviour. Technical Report ISO 8807:1989, International Organization for Standardization,February 1989.[28] Hubert Garavel, Radu Mateescu, Frédéric Lang, and Wendelin Serwe. CADP 2006: A Toolbox forthe Construction and Analysis of Distributed Processes. In Werner Damm and Holger Hermanns,editors,
Computer Aided Verification , Lecture Notes in Computer Science, pages 158–163, Berlin,Heidelberg, 2007. Springer. doi:10.1007/978-3-540-73368-3_18 .[29] Simon J. Gay, Peter Thiemann, and Vasco T. Vasconcelos. Duality of Session Types: The Final Cut.
Electronic Proceedings in Theoretical Computer Science , 314:23–33, April 2020. arXiv:2004.01322 , doi:10.4204/EPTCS.314.3 .[30] Blaise Genest, Anca Muscholl, Helmut Seidl, and Marc Zeitoun. Infinite-state high-level MSCs:Model-checking and realizability. Journal of Computer and System Sciences , 72(4):617–647, June2006. doi:10.1016/j.jcss.2005.09.007 .[31] Kohei Honda and Mario Tokoro. An object calculus for asynchronous communication. In PierreAmerica, editor,
ECOOP’91 European Conference on Object-Oriented Programming , Lecture Notesin Computer Science, pages 133–147, Berlin, Heidelberg, 1991. Springer. doi:10.1007/BFb0057019 .[32] Kohei Honda, Vasco T. Vasconcelos, and Makoto Kubo. Language primitives and type discipline forstructured communication-based programming. In Chris Hankin, editor,
Programming Languagesand Systems , Lecture Notes in Computer Science, pages 122–138, Berlin, Heidelberg, 1998. Springer. doi:10.1007/BFb0053567 .[33] Kohei Honda, Nobuko Yoshida, and Marco Carbone. Multiparty asynchronous session types. In
Proceedings of the 35th Annual ACM SIGPLAN-SIGACT Symposium on Principles of ProgrammingLanguages , POPL ’08, pages 273–284, San Francisco, California, USA, January 2008. Associationfor Computing Machinery. doi:10.1145/1328438.1328472 .[34] Kohei Honda, Nobuko Yoshida, and Marco Carbone. Multiparty asynchronous session types.
Journalof the ACM , 63(1), March 2016. doi:10.1145/2827695 .[35] Raymond Hu, Andi Bejleri, Nobuko Yoshida, and Pierre-Malo Denielou. Parameterised Multi-party Session Types.
Logical Methods in Computer Science , Volume 8, Issue 4, October 2012. doi:10.2168/LMCS-8(4:6)2012 .[36] Hans Hüttel, Ivan Lanese, Vasco T. Vasconcelos, Luís Caires, Marco Carbone, Pierre-Malo Deniélou,Dimitris Mostrous, Luca Padovani, António Ravara, Emilio Tuosto, Hugo Torres Vieira, and Gian-luigi Zavattaro. Foundations of Session Types and Behavioural Contracts.
ACM Comput. Surv. ,49(1):3:1–3:36, April 2016. doi:10.1145/2873052 .[37] Atsushi Igarashi and Naoki Kobayashi. Type-based analysis of communication for concurrent pro-gramming languages. In Pascal Van Hentenryck, editor,
Static Analysis , Lecture Notes in ComputerScience, pages 187–201, Berlin, Heidelberg, 1997. Springer. doi:10.1007/BFb0032742 .[38] Keigo Imai, Rumyana Neykova, Nobuko Yoshida, and Shoji Yuen. Multiparty Session Program-ming With Global Protocol Combinators. In Robert Hirschfeld and Tobias Pape, editors, , volume 166 of
Leibniz In-ternational Proceedings in Informatics (LIPIcs) , pages 9:1–9:30, Dagstuhl, Germany, 2020. SchlossDagstuhl–Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.ECOOP.2020.9 .[39] N. Kobayashi. A partially deadlock-free typed process calculus. In
Proceedings ofTwelfth Annual IEEE Symposium on Logic in Computer Science , pages 128–139, June 1997. doi:10.1109/LICS.1997.614941 . 2640] Naoki Kobayashi. Type Systems for Concurrent Programs. In Bernhard K. Aichernig andTom Maibaum, editors,
Formal Methods at the Crossroads. From Panacea to Foundational Sup-port: 10th Anniversary Colloquium of UNU/IIST, the International Institute for Software Tech-nology of The United Nations University, Lisbon, Portugal, March 18-20, 2002. Revised Pa-pers , Lecture Notes in Computer Science, pages 439–453. Springer, Berlin, Heidelberg, 2003. doi:10.1007/978-3-540-40007-3_26 .[41] Naoki Kobayashi. A New Type System for Deadlock-Free Processes. In Christel Baier and HolgerHermanns, editors,
CONCUR 2006 – Concurrency Theory , Lecture Notes in Computer Science,pages 233–247. Springer Berlin Heidelberg, 2006. doi:10.1007/11817949_16 .[42] Naoki Kobayashi, Benjamin C. Pierce, and David N. Turner. Linearity and the pi-calculus.
ACM Transactions on Programming Languages and Systems , 21(5):914–947, September 1999. doi:10.1145/330249.330251 .[43] Rupak Majumdar, Nobuko Yoshida, and Damien Zufferey. Multiparty motion coordination:From choreographies to robotics programs.
Proceedings of the ACM on Programming Languages ,4(OOPSLA):134:1–134:30, November 2020. doi:10.1145/3428202 .[44] R. Milner.
Communication and Concurrency . Prentice-Hall, Inc., USA, 1989.[45] Luca Padovani. Deadlock and Lock Freedom in the Linear π -calculus. In Proceedings of the JointMeeting of the Twenty-Third EACSL Annual Conference on Computer Science Logic (CSL) and theTwenty-Ninth Annual ACM/IEEE Symposium on Logic in Computer Science (LICS) , CSL-LICS’14, pages 72:1–72:10, New York, NY, USA, 2014. ACM. doi:10.1145/2603088.2603116 .[46] Luca Padovani, Vasco Thudichum Vasconcelos, and Hugo Torres Vieira. Typing Liveness in Multi-party Communicating Systems. In Eva Kühn and Rosario Pugliese, editors,
Coordination Models andLanguages , Lecture Notes in Computer Science, pages 147–162, Berlin, Heidelberg, 2014. Springer. doi:10.1007/978-3-662-43376-8_10 .[47] Benjamin C. Pierce.
Types and Programming Languages . MIT Press, 2002.[48] G. Salaün, T. Bultan, and N. Roohi. Realizability of Choreographies Using Process Al-gebra Encodings.
IEEE Transactions on Services Computing , 5(3):290–304, Third 2012. doi:10.1109/TSC.2011.9 .[49] Alceste Scalas, Ornela Dardha, Raymond Hu, and Nobuko Yoshida. A Linear Decomposition of Mul-tiparty Sessions for Safe Distributed Programming. In Peter Müller, editor, , volume 74 of
Leibniz International Proceed-ings in Informatics (LIPIcs) , pages 24:1–24:31, Dagstuhl, Germany, 2017. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. doi:10.4230/LIPIcs.ECOOP.2017.24 .[50] Alceste Scalas and Nobuko Yoshida. Less is more: Multiparty session types revisited.
Proceedingsof the ACM on Programming Languages , 3(POPL):30:1–30:29, January 2019. Revised, extendedversion at . doi:10.1145/3290343 .[51] Bernardo Toninho, Luis Caires, and Frank Pfenning. Corecursion and Non-divergence in Session-Typed Processes. In Matteo Maffei and Emilio Tuosto, editors, Trustworthy Global Comput-ing , Lecture Notes in Computer Science, pages 159–175, Berlin, Heidelberg, 2014. Springer. doi:10.1007/978-3-662-45917-1_11 .[52] Bernardo Toninho and Nobuko Yoshida. Interconnectability of Session-Based Logical Processes.
ACM Transactions on Programming Languages and Systems (TOPLAS) , 40(4):17, December 2018. doi:10.1145/3242173 .[53] Philip Wadler. Propositions As Sessions. In
Proceedings of the 17th ACM SIGPLAN InternationalConference on Functional Programming , ICFP ’12, pages 273–286, New York, NY, USA, 2012.ACM. doi:10.1145/2364527.2364568 . 2754] Nobuko Yoshida and Lorenzo Gheri. A Very Gentle Introduction to Multiparty Session Types. InDang Van Hung and Meenakshi D´Souza, editors,
Distributed Computing and Internet Technology ,Lecture Notes in Computer Science, pages 73–93, Cham, 2020. Springer International Publishing. doi:10.1007/978-3-030-36987-3_5 . 28 able of Contents G auth A.1 Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30A.2 Process Implementations in APCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30A.3 Different Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
B Additional Example of Interleaving 31C Omitted Definition of Characteristic Processes 32D Appendix to § 2 32E Routers Strictly Generalize Centralized Mediums 34F Comparing Merge-based Well-formedness and Relative Well-formedness 36
F.1 Relative Well-Formed, Not Merge Well-Formed . . . . . . . . . . . . . . . . . . . . . . . . 37F.2 Merge Well-Formed, Not Relative Well-Formed . . . . . . . . . . . . . . . . . . . . . . . . 3729
More Routers in Action: G auth Let us repeat the global type from § 1: G auth = µX.s ։ c (cid:26) login .c ։ a : passwd h str i .a ։ s : auth h bool i .X, quit .c ։ a : quit . end (cid:27) The relative projections of G are as follows: G ↾ ( s, a ) = µX.s ! c { login . skip .a : auth h bool i .X, quit . skip . end } G ↾ ( c, a ) = µX.c ? s { login .c : passwd h str i . skip .X, quit .c : quit . end } G ↾ ( s, c ) = µX.s { login . skip . skip .X, quit . skip . end } A.1 Routers
The typed routers synthesized from G are given in Figure 11. Notice how the open channel types coincidewith local projections, and how the router channel types coincide with the types extracted from relativeprojections. This demonstrates Theorem 31. A.2 Process Implementations in APCP
Next, we provide implementations for c , s , and a . The following implementations ( P for c , Q for s , and R for a ) are just one, simple possibility, where s continuously chooses the login branch: P := (cid:18) µX ( c µ ) .c µ ⊲ (cid:26) login : c µ ( u ) .c µ ⊳ passwd · c µ [ logmein ] · X h c µ i , quit : c µ ( w ) .c µ ⊳ quit · c µ [ z ] · (cid:27)(cid:19) h c µ i⊢ c µ : µX. & (cid:26) login : • & ⊕ { passwd : • ⊗ X } , quit : • & ⊕ { quit : • ⊗ •} (cid:27) = G ⇂ cQ := (cid:0) µX ( s µ ) .s µ ⊳ login · s µ [ u ] · s µ ⊲ { auth : s µ ( v ) .X h s µ i} (cid:1) h s µ i⊢ s µ : µX. ⊕ { login : • ⊗ & { auth : • & X } , quit : • ⊗ •} = G ⇂ sR := (cid:18) µX ( a µ ) .a µ ⊲ (cid:26) login : a µ ⊲ { passwd : a µ ( u ) .a µ ⊳ auth · a µ [ v ] · X h a µ i} , quit : a µ ⊲ { quit : a µ ( w ) . } (cid:27)(cid:19) h a µ i⊢ a µ : µX. & (cid:26) login : & { passwd : • & ⊕ { auth : • ⊗ X }} , quit : & { quit : • & •} (cid:27) = G ⇂ a A.3 Different Topologies
Now that we have routers and implementations for every participant of G , we can explore how to composethem. The order of composition determines the network topology. Decentralized Topology
Figure 12 represents a decentralized topology of an implementation of aglobal type with six participants. It can be achieved by first composing each router with theirrespective implementation, and then composing the resulting routed implementations. In the caseof G auth , the resulting composition is as follows: N auth = ( ν c s s c )( ν c a a c )( ν s a a s ) (cid:0) ( ν µ c c µ )( R c | P ) | ( ν µ s s µ )( R s | Q ) | ( ν µ a a µ )( R a | R ) (cid:1) This specific composition is in fact a network of G (cf. Def. 32), so Theorems 33 and 37 apply: thecomposition behaves as specified by G and is deadlock free. Proposition 39. N auth ∈ N ( G ) is deadlock free. y Centralized Topology
Figure 13 represents a centralized topology of an implementation of a globaltype with six participants. It can be achieved by first composing the routers, and then compos-ing the resulting hub of routers with each implementation. In the case of G auth , the resultingcomposition is as follows: ( ν µ c c µ )( ν µ s s µ )( ν µ a a µ ) (cid:0) P | Q | R | ( ν c s s c )( ν c a a c )( ν s a a s )( R c | R s | R a ) (cid:1) G (cf. Theorem 38).We crucially rely on APCP’s ability to compose processes with more than one session in common whilepreserving deadlock freedom. Indeed, neither composition above is typable in previous type systems thatcan only compose processes with a single common session, such as CP [53] and π DILL [14].
B Additional Example of Interleaving
The following example further demonstrates our support for interleaving as illustrated in § 5, showingthat it is even possible for a participant to delegate the rest of its interactions in a protocol:
Example 40 (Interleaving II) . The following global type formalizes a protocol in which a Client ( c ) asksan online Password Manager ( p ) to login with a Server ( s ): G := c ։ p : login h S i .G ′ where S := !(? bool . end ) .S ′ S ′ := & { passwd : ? str . ⊕{ auth : ! bool . end }} G ′ := c ։ s : passwd h str i .s ։ c : auth h bool i . end The intension of this protocol is that S ′ expresses the type of R c ’s channel µ c . This means that we cangive implementations for c and p such that c can send its channel c µ to p , after which p logs in with s in c ’s place, forwarding the authorization boolean received from s to c . Giving such implementations isrelatively straightforward, demonstrating the flexibility of our global types and analysis using APCP androuters.Using local projection, we can compute a type for c ’s implementation to safely connect with its router G ⇂ c = ⊕ { login : L S M ⊗ ( G ′ ⇂ c ) } , where L S M = ( • & o • ) ⊗ o L S ′ ML S ′ M = & o { passwd : • & o ⊕ o { auth : • ⊗ o •}} G ′ ⇂ c = ⊕ { passwd : • ⊗ & { auth : • & •}} Notice how L S ′ M ⊥ = G ′ ⇂ c , given the assignments o = 4 , o = 5 , o = 10 , o = 11 . This means thatwe can use G ′ ⇂ c to type the following implementation for c : Q := c µ ⊳ login · c µ [ u ] · u [ v ] · ( u ( G ′ ⇂ c ) c µ | v ( a ) . ) ⊢ ∅ ; c µ : G ⇂ c This implementation is interesting: after the first exchange in G —sending a fresh channel u (to p )— c sends another fresh channel v over u ; then, c delegates the rest of its exchanges in G ′ by forwarding alltraffic on c µ over u ; in the meantime, c awaits an authorization boolean over v .Again, using local projection, we can compute a type for p ’s implementation to connect with its router G ⇂ p = & { login : L S M ⊥ & •} . We can then use it to type the following implementation for p : P := p µ ⊲ login : p µ ( c µ ) .c µ ( v ) .c µ ⊳ passwd · c µ [ pwd ] · c µ ⊲ { auth : c µ ( a ) .v [ a ′ ] · a • a ′ } ⊢ ∅ ; p µ : G ⇂ p In this implementation, p receives a channel c µ (from c ) over which it first receives a channel v . Then, itbehaves over c µ according to c ’s role in G ′ . Finally, p forwards the authorization boolean received from s over v , effectively sending the boolean to c .Given an implementation for s , say S ⊢ ∅ ; s µ : G ⇂ s , what remains is to assign values to theremaining priorities in L S M : assigning o = 12 , o = 4 works. Now, we can compose the implementations P , Q and S with their respective routers and then compose these routed implementations together to forma deadlock free network of G . y Omitted Definition of Characteristic Processes
Definition 41 (Characteristic Process) . For binary session type A and name x , we define the charac-teristic process for A , denoted {| A |} x , as follows: {|•|} x := {| µX.A |} x := ( µX ( x ) . {| A |} x ) h x i {| X |} x := X h x i{| A ⊗ o B |} x := x [ y ] · ( {| A |} y | {| B |} x ) {|⊕ o { ℓ i : A i } i ∈ I |} x := x ⊳ ℓ j · {| A j |} x [ j ∈ I ] {| A & o B |} x := x ( y ) . ( {| A |} y | {| B |} x ) {| & o { ℓ i : A i } i ∈ I |} x := x ⊲ { ℓ i : {| A i |} x } i ∈ I y Proposition 42.
For binary session types A and A ′ s.t. A and A ′ are equal up to priorities, and channelname x , we have {| A |} x ⊢ x : A ′ . y D Appendix to § 2
Proposition 7.
The rules ⊗ ⋆ , ⊕ ⋆ , and Lift in Figure 4 are admissible. y Proof.
We show the admissibility of rules ⊗ ⋆ and ⊕ ⋆ by giving their derivations: P ⊢ Ξ; Γ , y : A, x : B ⊗ ⋆ x [ y ] · P ⊢ Ξ; Γ , x : A ⊗ o B ⇓ ⊗ x [ a, b ] ⊢ Ξ; x : A ⊗ o B, a : A ⊥ , b : B ⊥ P ⊢ Ξ; Γ , y : A, x : B ≡ P { z/x } ⊢ Ξ; Γ , y : A, z : B Mix x [ a, b ] | P { z/x } ⊢ Ξ; Γ , x : A ⊗ o B, y : A, a : A ⊥ , z : B, b : B ⊥ Cycle ( ν ya )( ν zb )( x [ a, b ] | P { z/x } ) | {z } x [ y ] · P ⊢ Ξ; Γ , x : A ⊗ o BP ⊢ Ξ; Γ , x : A j j ∈ I ⊕ ⋆ x ⊳ ℓ j · P ⊢ Ξ; Γ , x : ⊕ o { ℓ i : A i } i ∈ I ⇓ j ∈ I ⊕ x [ b ] ⊳ ℓ j ⊢ Ξ; x : ⊕ o { ℓ i : A i } i ∈ I , b : A j ⊥ P ⊢ Ξ; Γ , x : A j ≡ P { z/x } ⊢ Ξ; Γ , z : A j Mix x [ b ] ⊳ ℓ j | P { z/x } ⊢ Ξ; Γ , x : ⊕ o { ℓ i : A i } i ∈ I , z : A j , b : A j ⊥ Cycle ( ν zb )( x [ b ] ⊳ ℓ j | P { z/x } ) | {z } x⊳ℓ j · P ⊢ Ξ; Γ , x : ⊕ o { ℓ i : A i } i ∈ I Let us recall the rule
Lift : P ⊢ Ξ; Γ t ∈ N Lift P ⊢ Ξ; ↑ t Γ This rule is admissible because, following [23], P ⊢ Ξ; Γ implies P ⊢ Ξ; ↑ t Γ : this is a simple transformationof the typing derivation of P , increasing all priorities by t . Lemma 11 (Unfolding) . If P ⊢ Ω; Γ , then there is P ⋆ ≡ P s.t. P ⋆ is not of the form ( µX (˜ x ) .P ′ ) h ˜ y i and P ⋆ ⊢ Ω; Γ . y Proof.
By induction on the amount n of consecutive recursion definitions in P . If n = 0 , the thesisfollows immediately by letting P ⋆ := P .Otherwise, n ≥ . Then P = ( µX (( x i ) i ∈ I ) .P ′ ) h ( y i ) i ∈ I i ⊢ Ξ; ( y i : µX.A i ) i ∈ I . Generally speaking, proofs of such typing judgments have the following shape:32 ar X h ( z i ) i ∈ I i ⊢ Ξ , X : | I | ; ( z i : X ) i ∈ I ... ... ... P ′ ⊢ Ξ , X : | I | ; ( x i : A i ) i ∈ I Rec ( µX (( x i ) i ∈ I ) .P ′ ) h ( y i ) i ∈ I i ⊢ Ξ; ( y i : µX.A i ) i ∈ I By unfolding the recursion in P through structural congruence (cf. Def. 1), we obtain the followingprocess: P ∗ := P ′{ ( y i ) i ∈ I / ( x i ) } i ∈ I { ( µX (( x i ) i ∈ I ) .P ′ ) h ( z i ) i ∈ I i /X h ( z i ) i ∈ I i} . This process is typable by taking the above proof, removing the final application of the
Rec rule andreplacing any uses of the
Var axiom on X by a copy of the proof above. For the final step, we apply α -conversion whenever necessary. Moreover, we lift the priorities of all types by the highest priorityoccurring in any type in Γ using rule Lift , ensuring that priority conditions on typing rules are remainvalid. Writing the highest priority in Γ as max pr (Γ) , the resulting proof is as follows: Var X h ( z i ) i ∈ I i ⊢ Ξ , X : | I | ; ( z i : X ) i ∈ I ... ... ... P ′ ⊢ Ξ , X : | I | ; ( x i : A i ) i ∈ I Rec ( µX (( x i ) i ∈ I ) .P ′ ) h ( z i ) i ∈ I i ⊢ Ξ; ( z i : µX.A i ) i ∈ I Lift ( µX (( x i ) i ∈ I ) .P ′ ) h ( z i ) i ∈ I i ⊢ Ξ; ( z i : ↑ max pr (Γ) µX.A i ) i ∈ I ... ... ... P ∗ ⊢ Ξ; ( y i : A i {↑ max pr (Γ) µX.A i /X } ) i ∈ I Since types are equi-recursive, A i {↑ max pr (Γ) µX.A i /X } = A i for every i ∈ I . Hence, ( y i : A i {↑ max pr (Γ) µX.A i /X } ) i ∈ I = Γ . Thus, the above is a valid proof of P ∗ ⊢ Ξ; Γ .By assumption, all recursion variables in Γ are guarded. It is easy to see that this means that thecorresponding recursion variables in P ′ appear under an input or branching prefix (if guarded by & or & respectively), or under a restriction and parallel to an output or selection atom (if guarded by ⊗ or ⊕ ). This means that in the proof above, somewhere between the final judgment and the application of Rec there is at least one input/branching prefix or restriction and parallel composition. Therefore, theamount of recursion definitions at the beginning of P ∗ is smaller than in P . Hence, we can apply theinduction hypothesis to find a process P ⋆ without recursion prefixes s.t. P ⋆ ≡ P ∗ ≡ P ⊢ Ξ; Γ . Theorem 12 (Top-level Deadlock Freedom) . If P ⊢ ∅ ; Γ and live( P ) , then there is Q s.t. P −→ Q . y Proof.
Using structural congruence, we have P ≡ P c = ( ν x i y i ) i ( ν ˜ n ˜ m ) P m with P m = Q k P k and P m ⊢∅ ; Ψ , ( x i : A i , y i : A i ⊥ ) i s.t. for every i , x i and y i are active names in P m , and Ψ consists of Γ and thechannels ˜ n, ˜ m which are pairs of which at least one channel is inactive in P m . There is always at leastone pair x i , y i because P is live.Next, we take the x j : A j with the lowest priority (any suffices if there are multiple to choose from).If there is an input/branching type in Γ with lower priority, we apply a commuting conversion to pullthe associated prefix out of the restrictions, and we are done. Output/selection types in Γ are associatedwith non-blocking actions, so they are of no consequence. So if there are no input/branching types in Γ with lower priority, we continue with x j : A j .By duality, A j and A j ⊥ have the same priority, so conditions on priorities prevent an input prefix on x j ( y j ) from blocking an output on y j ( x j ). Hence, P m = P x j | P y j | P R s.t. P x j ⊢ ∅ ; Ψ x j , x j : A j , P y j ⊢ ∅ ; Ψ y j , y j : A j ⊥ , and P R ⊢ ∅ ; Ψ R , where Ψ x j , Ψ y j , Ψ R , x j : A j , y j : A j ⊥ = Ψ , ( x i : A i , y i : A i ⊥ ) i .By Lemma 11 (Unfolding), P x j ≡ P ⋆x j and P y j ≡ P ⋆y j s.t. P ⋆x j and P ⋆y j are not recursion definitionsand P ⋆x j ⊢ ∅ ; Ψ x j , x j : A j and P ⋆y j ⊢ ∅ ; Ψ y j , y j : A j ⊥ . 33 lgorithm 2: Synthesis of Medium Processes (Def. 45). def M ˜ q [ G ] as switch G do case s ։ r { i h S i i .G i } i ∈ I do deps snd ← { q ∈ ˜ q | hdep( q, s, G ) } deps rcv ← { q ∈ ˜ q | hdep( q, r, G ) } deps ← deps snd ∪ deps rcv return µ s ⊲ { i : µ r ⊳ i · ( µ q ⊳ i ) q ∈ deps · µ s ( v ) · µ r [ w ] · ( v L S i M w | M ˜ q [ G i ]) case µX.G ′ do ˜ q ′ ← { q ∈ ˜ q | G ⇂ q = •} if ˜ q ′ = ∅ then return ( µX (( µ q ) q ∈ ˜ q ′ ) . M ˜ q ′ [ G ′ ]) h ( µ q ) q ∈ ˜ q ′ i else return case X do return X h ( µ q ) q ∈ ˜ q i case ( G | G ) do return M ˜ q ∩ prt ( G ) [ G ] | M ˜ q ∩ prt ( G ) [ G ] case skip .G ′ do return M ˜ q [ G ′ ] case end do return We take the unfolded form of A j and w.l.o.g. assume that either (a) A j = B & o C or (b) A i = & o { ℓ r : B r } r . Note that the assumption that there is at least one connective is valid by the contractivenessof recursive types. Since pr ( A j ) = o is the least of the priorities in Γ , we know that either (a) P ⋆x j ≡ x j ( v, z ) .Q x j or (b) P ⋆x j ≡ x j ( z ) ⊲ { ℓ r : Q rx j } r . Moreover, since either (a) A j ⊥ = B ⊥ ⊗ o C ⊥ or (b) A j ⊥ = ⊕ o { ℓ r : B r ⊥ } r , we have that either (a) P ⋆y j ≡ y j [ a, b ] | Q y j or (b) P ⋆y j ≡ y j [ b ] ⊳ ℓ r ⋆ | Q y j . In case(a), let Q ′ x j := Q x j { a/v,b/z } ; in case (b), let Q ′ x j := Q r ⋆ x j { b/z } . Then, in both cases (a) and (b), by thedefinition of β -reduction (Def. 2), P ≡ ( ν x i y i ) i ( ν ˜ n ˜ m )( P ⋆x j | P ⋆y j | P R ) ≡ ( ν x i y i ) i \ j ( ν ˜ n ˜ m )(( ν x j y j )( P ⋆x j | P ⋆y j ) | P R ) −→ ( ν x i y i ) i \ j ( ν ˜ n ˜ m )( Q ′ x j | Q y j | P R ) . E Routers Strictly Generalize Centralized Mediums
We develop the result stated in § 4.4. We compare our approach based on routers against previousanalyses of multiparty session types using a sequential, centralized orchestrator (e.g., mediums in [12]or arbiters in [16]). To this end, consider again the fully centralized topology illustrated in Figure 13.It can be formalized as a hub : the centralized composition of all routers generated from a given globaltype.
Definition 43 (Hub of a Global Type) . Given global type G , the hub for G , denoted H G , is defined asfollows: ( ν p q q p ) p,q ∈ prt ( G ) (cid:0)Q p ∈ prt ( G ) R p (cid:1) y Proposition 44.
For relative well-formed global type G and priority o , H G ⊢ ∅ ; ( µ p :( G ⇂ o p ) ⊥ ) p ∈ prt ( G ) Process H G is just a specific composition of routers; as we will see, it is behaviorally equivalent toa sequential, centralized orchestrator in the sense of [12], which we define below. As hubs realize aspecific form of composition for individual routers, this equivalence result establishes that routers strictlygeneralize the centralized approaches in [12, 16].We define an algorithm to generate an asynchronous medium from a global type. The medium of G will have channels µ p i for every p i ∈ prt ( G ) . Definition 45 (Medium) . Given a global type G and participants ˜ q , Algorithm 2 defines the synthesisof a medium process , denoted ‘ M ˜ q [ G ] ’, that orchestrates interactions according to G . y M ˜ q [ G ] follows the same pattern as the router algorithm (cf. Definition 30).The input parameter ˜ q keeps track of active participants, making sure recursions are well-defined; itshould be initialized as prt ( G ) .We briefly discuss how the medium process is generated. The interesting case is communication p ։ q { ℓ i h U i i .G i } i ∈ I (line 3). The algorithm combines the several cases of the router’s algorithm. First,the sets of participants that depend on the sender and on the recipient are computed using relativeprojection ( deps snd and deps rcv on lines 4 and 5, resp.). The union of these sets is then stored as deps (line 6). Then, the algorithm returns a process (line 7) that receives a label i ∈ I over µ s ; forwards itover µ r and over µ q for all q ∈ deps ; receives a channel over µ s ; forwards it over µ r ; and continues as M ˜ q [ G i ] . If G = µX.G ′ (line 8), determining the parameters for the recursion requires delicacy. In orderto decide which q ∈ ˜ q are active in G ′ , the algorithm computes the local projection of G onto each q ∈ ˜ q ,creating a new set ˜ q ′ with those q ∈ ˜ q for which the projection is different from • (line 9). Then, thealgorithm returns a process that defines a recursion with as context the channels µ q for q ∈ ˜ q ′ , using M ˜ q ′ [ G ′ ] as body. If G = X (line 12), the algorithm returns a recursive call with as context the channels µ q for q ∈ ˜ q . Finally, if G = ( G | G ) (line 13), it returns the mediums for G and G in parallel; if G = skip .G ′ (line 14), the algorithm returns the medium for G ′ ; if G = end (line 15), the algorithmreturns . Results
Our first result concerns the typability of mediums. Similar to routers, we can assign tothe medium’s channels the types extracted from global types using local projection:
Theorem 46.
For relative well-formed global type G and priority o , M prt ( G ) [ G ] ⊢ ∅ ; ( µ p :( G ⇂ o p ) ⊥ ) p ∈ prt ( G ) y To prepare for our behavioral equivalence result, we define an LTS for APCP:
Definition 47 (LTS for APCP) . The labels α for transitions for processes are defined as follows: α ::= τ communication | x [ a, b ] output | ( ν ya )( ν zb ) x [ a, b ] bound output | x [ b ] ⊳ ℓ selection | ( ν zb ) x [ b ] ⊳ ℓ bound selection | x ( v, w ) input | x ( w ) ⊲ ℓ branchThe relation labeled transition ( P α −→ Q ) is then defined by the rules in Figure 15. y Notation.
We write ⇒ for the reflexive, transitive closure of τ −→ . We write α = ⇒ for ⇒ α −→⇒ if α = τ and for ⇒ otherwise. y Our equivalence result shall relate the behavior of a medium and a hub on a single but arbitrarychannel. More specifically, our result will demonstrate that the actions on a particular participant’simplementation channel are the same in both settings. In order to isolate such a channel, we place therouters in a reduction context consisting of channel restrictions and parallel compositions with arbitraryprocesses:
Definition 48 (Context) . We define a context as an unguarded process with a single hole [ ] as follows: C ::= ( ν xy ) C | ( P | C ) | [ ] Given a context C ∈ C , we define C [ P ] as C with the hole replaced by P . y We can place the composed routers in a specific context that connects every participant’s implemen-tation channel with some implementation, except for one participant. For example, given a global type G , we can use characteristic processes (cf. Def. 41) to provide implementations for all q ∈ prt ( G ) \ { p } : C := ( ν µ q q µ ) q ∈ prt ( G ) \ p (cid:0)Q q ∈ prt ( G ) \ p {| G ⇂ q |} q µ | [ ] (cid:1) Replacing the hole in this context with the centralized composition of all routers in G leaves one channelfree: the channel µ p for the implementation of p . By placing the medium process in that same context,we obtain another process with µ p as the only free channel. Now, we can observe the behavior of thesetwo processes on µ p . The final ingredient to state our behavioral equivalence result is the following,standard notion of weak bisimilarity : 35 efinition 49 (Weak bisimilarity) . A binary relation B on processes is a weak bisimulation if whenever ( P, Q ) ∈ B , • P α −→ P ′ implies that there is Q ′ such that Q α = ⇒ Q ′ and ( P ′ , Q ′ ) ∈ B , and • Q α −→ Q ′ implies that there is P ′ such that P α = ⇒ P ′ and ( P ′ , Q ′ ) ∈ B .Two processes P and Q are weakly bisimilar if there exists a bisimulation B such that ( P, Q ) ∈ B . y Finally, we can state the behavioral equivalence between hubs of routers and mediums:
Theorem 50.
Suppose a relative well-formed global type G and a priority o . Let H G be the hub of G asin Definition 43. Also, let M := M prt ( G ) [ G ] be the medium of G as in Definition 45. Take any participant p ∈ prt ( G ) and any context C ∈ C such that C [ H G ] ⊢ µ p :( G ⇂ o p ) ⊥ . Then, C [ H G ] and C [ M ] are weakly bisimilar. y Proof (Sketch).
By Theorem 46, C [ M ] also has µ p as its only free channel. By the same theorem, thischannel has the same type in C [ M ] as in C [ H G ] . The labeled transitions follow from the equal types. F Comparing Merge-based Well-formedness and Relative Well-formedness
It is instructive to examine how the notion of well-formed global types induced by our relative projectioncompares to merge-based well-formedness, the notion induced by (usual) local projection [35, 18].Before we recall the definition of merge-based well-formedness, we define the projection of global typesto local types. Local types express one particular participant’s perspective of a global protocol. Although skip is not part of standard definitions of local types, we do include it to enable a fair comparison withrelative types.
Definition 51 (Local types) . Local types L are defined as follows, where the S i are the message typesfrom Def. 16: L ::= end | ? p { ℓ i h S i i .L i } i ∈ I | ! p { ℓ i h S i i .L i } i ∈ I | µX.L | X | skip .L y The local types p { ℓ i h S i i .L i } i ∈ I and ! p { ℓ i h S i i .L i } i ∈ I represent receiving a choice from p and sendinga choice to p , respectively. All of end , µX.L , X , and skip are just as before.Instead of external dependencies, the projection onto local types relies on an operation on local typescalled merge . Intuitively, merge allows to combine overlapping but not necessarily identical receivingconstructs. This is one main difference with respect to our relative projection. Definition 52 (Merge of Local Types) . For local types L and L , we define L ⊔ L as the merge of L and L : skip .L ⊔ skip .L := L ⊔ L end ⊔ end := end µX.L ⊔ µX.L := µX. ( L ⊔ L ) X ⊔ X := X ! p { ℓ i h S i i .L i } i ∈ I ⊔ ! p { ℓ i h S i i .L i } i ∈ I := ! p { ℓ i h S i i .L i } i ∈ I ? p { ℓ i h S i i .L i } i ∈ I ⊔ ? p { ℓ j h S ′ j i .L ′ j } j ∈ J := ? p (cid:0) { ℓ i h S i i .L i } i ∈ I \ J ∪ { ℓ j h S ′ j i .L ′ j } j ∈ J \ I ∪ { ℓ k h S k ⊔ S ′ k i . ( L k ⊔ L ′ k ) } k ∈ I ∩ J (cid:1) The merge between message types S ⊔ S corresponds to the identity function. If the local types do notmatch the above definition, their merge is undefined. y We can now define: 36 efinition 53 (Merge-based Local Projection) . For global type G and participant p , we define G ↾ p asthe merge-based local projection of G under p : end ↾ p := end skip .G ↾ p := skip . ( G ↾ p ) X ↾ p := XµX.G ↾ p := ( end if G ↾ p = skip ∗ . end or G ↾ p = skip ∗ .XµX. ( G ↾ p ) otherwise r ։ s { ℓ i h U i i .G i } i ∈ I ↾ p := ? r { ℓ i h U i i . ( G i ↾ p ) } i ∈ I if p = s ! s { ℓ i h U i i . ( G i ↾ p ) } i ∈ I if p = r skip . ( ⊔ i ∈ I ( G i ↾ p )) otherwise ( G | G ) ↾ p := G ↾ p if p ∈ prt ( G ) and p / ∈ prt ( G ) G ↾ p if p ∈ prt ( G ) and p / ∈ prt ( G ) end if p / ∈ prt ( G ) ∪ prt ( G ) y Definition 54 (Merge Well-Formedness) . A global type G is merge well-formed if, for every p ∈ prt ( G ) ,the merge-based local projection G ↾ p is defined. y The classes of relative and merge-based well-formed global types overlap: there are protocols that canbe expressed using dependencies in relative types, as well as using merge in local types. Interestingly,the classes are incomparable : some relative well-formed global types are not merge-based well-formed,and vice versa. We now explore these differences.
F.1 Relative Well-Formed, Not Merge Well-Formed
The merge of local types with outgoing messages of different labels is undefined. Therefore, if a globaltype has communications, e.g., from s to a with different labels across branches of a prior communicationbetween b and a , the global type is not merge well-formed. In contrast, such global types can be relativewell-formed, because the prior communication may induce a dependency. Similarly, global types withcommunications with different participants across branches of a prior communication are never mergewell-formed, but may be relative well-formed. The following example demonstrates a global type withmessages of different labels across branches of a prior communication: Example 55.
We give an adaptation of the two-buyer-seller protocol (cf. Example 23), in which Seller( s ) tells Alice ( a ) to pay or not, depending on whether Bob ( b ) tells a to buy or not. G := b ։ a (cid:26) ok .s ։ a : pay h int i . end , cancel .s ։ a : cancel . end (cid:27) This protocol is relative well-formed, as the relative projections under every combination of participantsare defined. Notice how there is a dependency in the relative projection under s and a : G ↾ ( s, a ) = a ? b (cid:26) ok .s : pay h int i . end , cancel .s : cancel . end (cid:27) However, we do not have merge well-formedness: the merge-based local projection under s is not defined: G ↾ s = skip . (! a : pay h int i . end ⊔ ! a : cancel . end ) y F.2 Merge Well-Formed, Not Relative Well-Formed