Correctly Implementing Synchronous Message Passing in the Pi-Calculus By Concurrent Haskell's MVars
OO. Dardha and J. Rot (Eds.): Combined Workshop on Expressiveness inConcurrency and Structural Operational Semantics (EXPRESS/SOS 2020).EPTCS 322, 2020, pp. 88–105, doi:10.4204/EPTCS.322.8 c (cid:13)
M. Schmidt-Schauß & D. SabelThis work is licensed under theCreative Commons Attribution License.
Correctly Implementing Synchronous Message Passing in thePi-Calculus By Concurrent Haskell’s MVars
Manfred Schmidt-Schauß
Goethe-University, Frankfurt am Main, Germany [email protected]
David Sabel
LMU, Munich, Germany [email protected] ∗ Comparison of concurrent programming languages and correctness of program transformations inconcurrency are the focus of this research. As criterion we use contextual semantics adapted toconcurrency, where may- as well as should-convergence are observed. We investigate the relationbetween the synchronous pi-calculus and a core language of Concurrent Haskell (CH). The contex-tual semantics is on the one hand forgiving with respect to the details of the operational semantics,and on the other hand implies strong requirements for the interplay between the processes aftertranslation. Our result is that CH embraces the synchronous pi-calculus. Our main task is to findand prove correctness of encodings of pi-calculus channels by CH’s concurrency primitives, whichare MVars. They behave like (blocking) 1-place buffers modelling the shared-memory. The firstdeveloped translation uses an extra private MVar for every communication. We also automaticallygenerate and check potentially correct translations that reuse the MVars where one MVar containsthe message and two additional MVars for synchronization are used to model the synchronized com-munication of a single channel in the pi-calculus. Our automated experimental results lead to theconjecture that one additional MVar is insufficient.
Our goals are the comparison of programming languages, correctness of transformations, compilationand optimization of programs, in particular of concurrent programs. We already used the contextualsemantics of concurrent (functional) programming languages to effectively verify correctness of trans-formations [16, 23, 24], also under the premise not to worsen the runtime [30]. We propose to test may-and should-convergence in the contextual semantics, since, in particular, it rules out transformations thattransform an always successful process into a process that may run into an error, for example a deadlock.There are also other notions of program equivalence in the literature, like bisimulation based programequivalences [27], however, these tend to take also implementation specific behavior of the operationalsemantics into account, whereas contextual equivalence abstracts from the details of the executions.In [28, 31] we developed notions of correctness of translations w.r.t. contextual semantics, and in[32] we applied them in the context of concurrency, but for quite similar source and target languages.In this paper we translate a synchronous message passing model into a shared memory model, namely asynchronous π -calculus into a core-language of Concurrent Haskell, called CH .The contextual semantics of concurrent programming languages is a generalization of the extension-ality principle of functions. The test for a program P is whether C [ P ] – i.e. P plugged into a programcontext – successfully terminates (converges) or not, which usually means that the standard reduction se-quence ends with a value. For a concurrent program P , we use two observations: may-convergence ( P ↓ ) ∗ This research is supported by the Deutsche Forschungsgemeinschaft (DFG) under grant SA2908/3-1 . Schmidt-Schauß & D. Sabel
89– at least one execution path terminates successfully, and should-convergence ( P ⇓ ) – every intermediatestate of a reduction sequence may-converges. For two processes P and Q , P ≤ c Q holds iff for all con-texts C [ · ] : ( C [ P ] ↓ = ⇒ C [ Q ] ↓ ) , and P and Q are contextually equivalent, P ∼ c Q , iff P ≤ c Q and Q ≤ c P .Showing equal expressivity of two (concurrent) calculi by a translation τ requires that may- and should-convergence make sense in each calculus. Important properties are convergence-equivalence (may- andshould-convergencies are preserved and reflected by the translation) and adequacy (see Definition 4.4),which holds if τ ( P ) ≤ c , CH τ ( Q ) implies P ≤ c , π Q , for all π -calculus processes P , Q . Full-abstraction, i.e. ∀ P , Q : τ ( P ) ≤ c τ ( Q ) iff P ≤ c Q , only holds if the two calculi are more or less the same. Source and Target Calculi.
The well-known π -calculus [15, 14, 27] is a minimal model for mobileand concurrent processes . Dataflow is expressed by passing messages between them via named chan-nels, where messages are channel names. Processes and links between processes can be dynamicallycreated and removed which makes processes mobile. The interest in the π -calculus is not only due tothe fact that it is used and extended for various applications, like reasoning about cryptographic proto-cols [1], applications in molecular biology [21], and distributed computing [13, 7]. The π -calculus alsopermits the study of intrinsic principles and semantics of concurrency and the inherent nondeterministicbehavior of mobile and communicating processes. We investigate a variant of the π -calculus which is thesynchronous π -calculus with replication, but without sums, matching operators, or recursion. To observetermination of a process, the calculus has a constant Stop which signals successful termination.The calculus CH , a core language of Concurrent Haskell, is a process calculus where threads eval-uate expressions from a lambda calculus extended by data constructors, case-expressions, recursive let-expressions, and Haskell’s seq-operator. Also monadic operations (sequencing and creating threads) areavailable. The shared memory is modelled by MVars (mutable variables) which are one-place buffersthat can be either filled or empty. The operation takeMVar tries to empty a filled MVar and blocks ifthe MVar is already empty. The operation putMVar tries to fill an empty MVar and blocks if the MVaris already filled. The calculus CH is a variant (or a subcalculus) of the calculus CHF [23, 24] whichextends Concurrent Haskell with futures. A technical advantage of this approach is that we can reusestudies and results on the contextual semantics of
CHF also for CH . Details and Variations of the Translation.
One main issue for a correct translation from π -processesto CH -programs is to encode the synchronous communication of the π -calculus. The problem is that theMVars in CH have an asynchronous behavior (communication has to be implemented in two steps: thesender puts the message into an MVar, which is later taken by the receiver). To implement synchronouscommunication, the weaker synchronisation property of MVars has to be exploited, where we must beaware of the potential interferences of the executions of other translated communications on the samechannel. The task of finding such translations is reminiscent of the channel-encoding used in [20], but,however, there an asynchronous channel is implemented while we look for synchronous communication.We provide a translation τ which uses a private MVar per channel and per communication to ensurethat no other process can interfere with the interaction. A similar idea was used in [12, 3] for keepingchannel names private in a different scenario (see [10, 9] for recent treatments of these encodings). Weprove that the translation τ is correct. Since we are also interested in simpler translations, we lookedfor correct translations with a fixed and static number of MVars per channel in the π -calculus. Since this An alternative observation is must-convergence (all execution paths terminate). The advantages of equivalence notionsbased on may- and should-convergence are invariance under fairness restrictions, preservation of deadlock-freedom, and equiv-alence of busy-wait and wait-until behavior (see e.g. [32]). Implementing Synchronous Message-Passing by MVars task is too complex and error-prone for hand-crafting, we automated it by implementing a tool to rule outincorrect translations . Thereby we fix the MVars used for every channel: a single MVar for exchangingthe channel-name and perhaps several additional MVars of unit type to perform checks whether themessage was sent or received (we call them check-MVars, they behave like binary semaphores that areadditionally blocking for signal-operations on an unlocked semaphore). The outcomes of our automatedsearch are: a further correct translation that uses two check-MVars, where one is used as a mutex betweenall senders or receivers on one channel, and further correct translations using three additional MVarswhere the filling and emptying operations for each MVar need not come from the same sender or receiver.The experiments lead to the conjecture that there is no translation using only one check-MVar. Results.
Our novel result is convergence-equivalence and adequacy of the open translation τ (Theo-rems 4.5 and 4.8), translating the π -calculus into CH . The comparison of the π -calculus with a concurrentprogramming language (here CH ) using contextual semantics for may- and should-convergence in bothcalculi exhibits that the π -calculus is embeddable in CH where we can prove that the semantical proper-ties of interest are kept. The adaptation of the adequacy and full abstraction notions (Definition 4.4) foropen processes is a helpful technical extension of our work in [28, 31].We further define a general formalism for the representation of translations with global names andanalyze different classes of such translations using an automated tool. In particular, we show correctnessof two particular translations in Theorems 5.9 and 5.12. The discovered correct translations look quitesimple and their correctness seems to be quite intuitive. However, our experience is that searching forcorrect translations is quite hard, since there are apparently correct (and simple) translations which werewrong. Our automated tool helped us to rule out wrong translations and to find potentially correct ones. Discussion of Related Work on Characterizing Encodings.
There are five criteria for valid trans-lations resp. encodings proposed and discussed in [11, 9], which mainly restrict the translations w.r.t.language syntax and reduction semantics of the source and target language, called: compositionality,name invariance, operational correspondence, divergence reflection and success sensitiveness. Compo-sitionality and name invariance restrict the syntactic form of the translated processes; operational cor-respondence means that the transitive closure of the reduction relation is transported by the translation,modulo the syntactic equivalence; and divergence reflection and success sensitiveness are conditions onthe semantics.In our approach, we define semantical congruence (and precongruence) relations on the source andtarget language. Thus the first two conditions are not part of our notion of contextual equivalence,however, may be used as restrictions in showing non-encodability. We also omit the third conditionand only use stronger variants of the fourth and fifth condition. Convergence equivalence as a tool forfinding out may-and should-convergence is our replacement of Gorla’s divergence reflection and successsensitiveness. We do not define an infinite reduction sequence as an error, which has as nice consequencethat synchronization could be implemented by busy-wait techniques.
Further Related Work.
Encodings of synchronous communication by asynchronous communicationusing a private name mechanism are given in [12, 3] for (variants of the) π -calculus. Our idea of thetranslation τ similarly uses a private MVar to encode the channel based communication, but our settingis different, since our target language is Concurrent Haskell. Encodings between π -calculi with syn-chronous and with asynchronous communication were, for instance, already considered in [12, 3, 19, 18] The tool and some output generated by the tool are available via https://gitlab.com/davidsabel/refute-pi. . Schmidt-Schauß & D. Sabel P , Q ∈ Π Stop :: = ν x . P | xy . P | x ( y ) . P | ! P | P | Q | | Stop C ∈ Π Stop , C :: = [ · ] | ¯ x ( y ) . C | x ( y ) . C | C | P | P | C | ! C | ν x . C D ∈ PCtxt π :: = [ · ] | D | P | P | D | ν x . D . Figure 1: Syntax of processes Π Stop , process contexts Π Stop , C and reduction contexts PCtxt π where x , y are names. Interaction rule: (ia) x ( y ) . P | xz . Q ia −→ P [ z / y ] | Q Closure: If P ≡ D [ P (cid:48) ] , P (cid:48) ia −→ Q (cid:48) , D [ Q (cid:48) ] ≡ Q , and D ∈ PCtxt π then P sr −→ Q Figure 2: Reduction rule and standard reduction in Π Stop P ≡ Q , if P = α QP | ( Q | R ) ≡ ( P | Q ) | R ν x . ( P | Q ) ≡ P | ν x . Q , if x / ∈ FN ( P ) P | ≡ P ν x . ≡ ν x . Stop ≡ Stop ν x . ν y . P ≡ ν y . ν x . PP | Q ≡ Q | P ! P ≡ P | ! P Figure 3: Structural congruence in Π Stop where encodability results are obtained for the π -calculus without sums [12, 3], while in [18, 19] theexpressive power of synchronous and asynchronous communication in the π -calculus with mixed sums was compared and non-encodability is a main result. Translations of the π -calculus into programmingcalculi and logical systems are given in [2], where a translation into a graph-rewriting calculus is givenand soundness and completeness w.r.t. the operational behavior is proved. The article [33] shows a trans-lation and a proof that the π -calculus is exactly operationally represented. There are several works onsession types which are related to the π -calculus, e.g., [17] studies encodings from a session calculus intoPCF extended by concurrency and effects and also an embedding in the other direction, mapping PCFextended by effects into a session calculus. The result is a (strong) operational correspondence betweenthe two calculi. In [4] an embedding of a session π -calculus into ReactiveML is given and operationalcorrespondence between the two languages is shown. Encodings of CML-events in Concurrent Haskellusing MVars are published in [22, 5]. This approach is more high-level than ours (since it considersevents, while we focus the plain π -calculus). In [5] correctness of a distributed protocol for selective-communication w.r.t. an excerpt of CML is shown and a correct implementation of the protocol in the π -calculus is given. The protocol is implemented in Concurrent-Haskell, but no correctness of this partis shown, since [5] focuses to show that CML-events are implementable in languages with first-ordermessage-passing which is different from our focus (translating the π -calculus into CH ). Outline.
We introduce the source and target calculi in Sections 2 and 3, the translation using privatenames in Section 4, and in Section 5 we treat translations with global names. We conclude and discussfuture work in Section 6. Due to space constraints most proofs are in the technical report [29]. π -Calculus with Stop We explain the synchronous π -calculus [15, 14, 27] without sums, with replication, extended with aconstant Stop [25], that signals successful termination. The π -calculus with Stop and the π -calculuswithout Stop but with so-called barbed convergences [26] are equivalent w.r.t. contextual semantics[29]. Thus, adding the constant
Stop is not essential, but our arguments are easier to explain with
Stop . Definition 2.1 (Calculus Π Stop ) . Let N be a countable set of (channel) names. The syntax of processes is shown in Fig. 1. Name restriction ν x . P restricts the scope of name x to process P, P | Q is the parallelcomposition of P and Q, the process xy . P waits on channel x to output y over channel x and then becomingP, the process x ( y ) . P waits on channel x to receive input, after receiving the input z, the process turns Implementing Synchronous Message-Passing by MVars into P [ z / y ] (where P [ z / y ] is the substitution of all free occurrences of name y by name z in process P), theprocess ! P is the replication of process P, i.e. it behaves like an infinite parallel combination of processP with itself, the process is the silent process, and Stop is a process constant that signals success. Wesometimes write x ( y ) instead of x ( y ) . as well as xy instead of xy . .Free names FN ( P ) , bound names BN ( P ) , and α -equivalence = α in Π Stop are as usual in the π -calculus. A process P is closed if FN ( P ) = /0 . Let Π c Stop be the closed processes in Π Stop . Structuralcongruence ≡ is the least congruence satisfying the laws shown in Fig. 3. Process contexts Π Stop , C and reduction contexts PCtxt π are defined in Fig. 1. Let C [ P ] be the substitution of the hole [ · ] in C by P. Thereduction rule ia −→ performs interaction and standard reduction sr −→ is its closure w.r.t. reduction contextsand ≡ (see Fig. 2). Let sr , n −−→ denote n sr −→ -reductions and sr , ∗ −−→ denotes the reflexive-transitive closure of sr −→ . A process P ∈ Π Stop is successful , if P ≡ D [ Stop ] for some D ∈ PCtxt π . Remark 2.2.
We do not include “new” laws for structural congruences on the constant
Stop , like
Stop|Stop equals
Stop , since this would require to re-develop a lot of theory known from the π -calculus without Stop . In our view,
Stop is a mechanism for a notion of success that can be easilyreplaced by other similar notions (e.g. observing an open input or output as in barbed testing). However,it is easy to prove those equations on the semantic level . (i.e. w.r.t. ∼ c as defined below in Definition 2.5). As an example for a reduction sequence, consider sending name y over channel x and then sendingname u over channel y : ( x ( z ) . zu . | xy . y ( x ) . ) ia −→ ( zu . [ y / z ] | y ( x ) . ) ≡ ( y ( x ) . | yu . ) ia −→ ( | ) ≡ . For the semantics of processes, we observe whether standard reductions successfully terminate ornot. Since reduction is nondeterministic, we test whether there exists a successful reduction sequence(may-convergence), and we test whether all reduction possibilities are successful (should-convergence).
Definition 2.3.
Let P be a Π Stop -process. We say process P is may-convergent and write P ↓ , if and onlyif there is a successful process P (cid:48) with P sr , ∗ −−→ P (cid:48) . We say P is should-convergent and write P ⇓ if and onlyif for all P (cid:48) : P sr , ∗ −−→ P (cid:48) implies P (cid:48) ↓ . If P is not may-convergent, then P we say is must-divergent (writtenP ⇑ ). If P is not should-convergent, then we say it is may-divergent (written P ↑ ). Example 2.4.
The process P : = ν x , y . ( x ( z ) . | xy . Stop ) is may-convergent (P ↓ ) and should-convergent(P ⇓ ), since P sr −→ | Stop is the only sr −→ -sequence for P. The process P (cid:48) : = ν x , y . ( x ( z ) . | xy . ) is may-and must-divergent (i.e. P (cid:48) ↑ and P (cid:48) ⇑ ), since P (cid:48) sr −→ is the only sr −→ -sequence for P (cid:48) .For P (cid:48)(cid:48) : = ν x , y . ( xy . | x ( z ) . Stop | x ( z ) . ) , we have P (cid:48)(cid:48) sr −→ ν x , y . ( Stop | x ( z ) . ) and P (cid:48)(cid:48) sr −→ ν x , y . x ( z ) . Stop .The first result is successful, and the second result is not successful. Hence, for P (cid:48)(cid:48) we have P (cid:48)(cid:48) ↓ and P (cid:48)(cid:48) ↑ . Should-convergence implies may-convergence, and must-divergence implies may-divergence.
Definition 2.5.
For P , Q ∈ Π Stop and observation ξ ∈ {↓ , ⇓ , ↑ , ⇑} , we define P ≤ ξ Q iff P ξ = ⇒ Q ξ . The ξ -contextual preorders ≤ c , ξ and then ξ -contextual equivalences ∼ c , ξ are defined asP ≤ c , ξ Q iff ∀ C ∈ Π Stop , C : C [ P ] ≤ ξ C [ Q ] and P ∼ c , ξ Q iff P ≤ c , ξ Q ∧ Q ≤ c , ξ P Contextual equivalence of Π Stop -processes is defined as P ∼ c Q iff P ∼ c , ↓ Q ∧ P ∼ c , ⇓ Q . Example 2.6.
For Q : = ν x , y . ( xy . | x ( z ) . Stop | x ( z ) . ) , we have Stop ∼ c , ↓ Q (which can be proved usingthe methods in [25]), but
Stop (cid:54)∼ c Q, since
Stop ⇓ and Q ↑ and thus Stop (cid:54)∼ c , ⇓ Q. Note that ≤ c , ⇓ = ≤ c holds in Π Stop , since there is a context C such that for all processes P: C [ P ] ⇓ ⇐⇒ P ↓ (see [25]).For instance, the equivalence ∼ c , ⇓ Q does not hold, since !0 ⇑ and ! Q ⇓ and thus the context C = ! [ · ] distinguishes and Q w.r.t. should-convergence. Contextual preorder and equivalence are (pre)-congruences. Contextual preorder remains unchangedif observation is restricted to closing contexts:
Lemma 2.7.
Let ξ ∈ {↓ , ↑ , ⇓ , ⇑} , P , Q be Π Stop -processes. Then P ≤ c , ξ Q if, and only if ∀ C ∈ Π Stop , C such that C [ P ] and C [ Q ] are closed: C [ P ] ≤ ξ C [ Q ] . . Schmidt-Schauß & D. Sabel P ∈ Proc CH :: = ( P | P ) | ⇐ e | ν x . P | x m e | x m − | x = ee ∈ Expr CH :: = x | λ x . e | ( e e ) | c e . . . e ar ( c ) | letrec x = e , . . . , x n = e n in e | m | seq e e | case T e of ( c T , x . . . x ar ( c T , ) -> e ) . . . ( c T , | T | x . . . x ar ( c T , | T | ) -> e | T | ) m ∈ MExpr CH :: = return e | e >>= e (cid:48) | forkIO e | takeMVar e | newMVar e | putMVar e e (cid:48) t ∈ Typ CH :: = IO t | ( T t . . . t n ) | MVar t | t → t D ∈ PCtxt CH :: = [ · ] | D | P | P | D | ν x . DM ∈ MCtxt CH :: = [ · ] | M >>= e E ∈ ECtxt CH :: = [ · ] | ( E e ) | ( seq E e ) | ( case E of alts ) F ∈ FCtxt CH :: = E | ( takeMVar E ) | ( putMVar E e ) Figure 4: Syntax of processes, expressions, types, and context classes of CH Functional Evaluation: (cpce) ⇐ M [ F [ x ]] | x = e sr −→ ⇐ M [ F [ e ]] | x = e (mkbinds) ⇐ M [ F [ letrec x = e , . . . , x n = e n in e ]] sr −→ ν x . . . x n . ( ⇐ M [ F [ e ]] | x = e | . . . | x n = e n ) (beta) ⇐ M [ F [(( λ x . e ) e )]] sr −→ ⇐ M [ F [ e [ e / x ]]] (case) ⇐ M [ F [ case T ( c e . . . e n ) of . . . ( c y . . . y n -> e ) . . . ]] sr −→ ⇐ M [ F [ e [ e / y , . . . , e n / y n ]]] (seq) ⇐ M [ F [( seq v e )]] sr −→ ⇐ M [ F [ e ]] where v is a functional value Monadic Computations: (lunit) ⇐ M [ return e >>= e ] sr −→ ⇐ M [ e e ] (tmvar) ⇐ M [ takeMVar x ] | x m e sr −→ ⇐ M [ return e ] | x m − (pmvar) ⇐ M [ putMVar x e ] | x m − sr −→ ⇐ M [ return ()] | x m e (nmvar) ⇐ M [ newMVar e ] sr −→ ν x . ( ⇐ M [ return x ] | x m e ) (fork) ⇐ M [ forkIO e ] sr −→ ⇐ M [ return ()] | ⇐ e Closure w.r.t. D -contexts and ≡ : If P ≡ D [ P (cid:48) ] , P ≡ D [ P (cid:48) ] , and P (cid:48) sr −→ P (cid:48) then P sr −→ P . Capture avoidance:
We assume capture avoiding reduction for all reductions.Figure 5: Standard reduction rules of CH (call-by-name-version) CH The calculus CH (a variant of the language CHF , [23, 24]) models a core language of Concurrent Haskell[20]. We assume a partitioned set of data constructors c where each family represents a type T . Thedata constructors of type T are c T , , . . . , c T , | T | where each c T , i has an arity ar ( c T , i ) ≥
0. We assume thatthere is a type () with data constructor () , a type Bool with constructors
True , False , a type
List withconstructors
Nil and : (written infix), and a type Pair with a constructor ( , ) written ( a , b ) .Processes P ∈ Proc CH in CH have expressions e ∈ Expr CH as subterms. See Fig. 4 where u , w , x , y , z are variables from an infinite set Var . Processes are formed by parallel composition “ | ”. The ν -binderrestricts the scope of a variable. A concurrent thread ⇐ e evaluates e . In a process there is (at most one)unique distinguished thread, called main thread , written as main ⇐ == e . MVars are mutable variables whichare empty or filled. A thread blocks if it wants to fill a filled MVar x m e or empty an empty MVar x m − .Here x is called the name of the MVar . Bindings x = e model the global heap, of shared expressions,where x is called a binding variable . If x is a name of an MVar or a binding variable, then x is called an introduced variable . In Q | ν x . P the scope of x is P . A process is well-formed , if all introduced variablesare pairwise distinct and there exists at most one main thread main ⇐ == e .Expressions Expr CH consist of functional and monadic expressions MExpr CH . Functional expres-4 Implementing Synchronous Message-Passing by MVars sions are variables, abstractions λ x . e , applications ( e e ) , seq -expressions ( seq e e ) , constructorapplications ( c e . . . e ar ( c ) ) , letrec -expressions ( letrec x = e , . . . , x n = e n in e ) , and case T -expressions for every type T . We abbreviate case -expressions as case T e of alts where alts are the case -alternatives such that there is exactly one alternative ( c T , i x . . . x ar ( c T , i ) -> e i ) for every constructor c T , i of type T , where x , . . . , x ar ( c T , i ) (occurring in the pattern c T , i x . . . x ar ( c T , i ) ) are pairwise distinct vari-ables that become bound with scope e i . We often omit the type index T in case T . In letrec x = e , . . . , x n = e n in e the variables x , . . . , x n are pairwise distinct and the bindings x i = e i are recursive, i.e. thescope of x i is e , . . . , e n and e . Monadic operators newMVar , takeMVar , and putMVar are used to create,to empty and to fill MVars, the “bind”-operator >>= implements sequential composition of IO-operations,the forkIO -operator performs thread creation, and return lifts expressions into the monad. Monadic values are newMVar e , takeMVar e , putMVar e e , return e , e >>= e , or forkIO e . Func-tional values are abstractions and constructor applications. A value is a functional or a monadic value.Abstractions, letrec -expressions, case -alternatives, and ν x . P introduce variable binders. This in-duces bound and free variables (dentoted by FV ( · ) ), α -renaming, and α -equivalence = α . If FV ( P ) = /0,then we call process P closed . We assume the distinct variable convention : free variables are distinctfrom bound variables, and bound variables are pairwise distinct. We assume that α -renaming is appliedto obey this convention. Structural congruence ≡ of CH -processes is the least congruence satisfying thelaws P | P ≡ P | P , ( P | P ) | P ≡ P | ( P | P ) , ν x . ν x . P ≡ ν x . ν x . P , P ≡ P if P = α P , and ( ν x . P ) | P ≡ ν x . ( P | P ) if x (cid:54)∈ FV ( P ) .We assume expressions and processes to be well-typed w.r.t. a monomorphic type system: the typingrules are standard (they can be found in [29]). The syntax of types is in Fig. 4 where ( IO t ) is the type ofa monadic action with return type t , ( MVar t ) is the type of an MVar with content type t , and t → t is afunction type. We treat constructors like overloaded constants to use them in a polymorphic way.We introduce a call-by-name small-step reduction for CH . This operational semantics can be shownto be equivalent to a call-by-need semantics (see [23] for the calculus CHF ). However, the equivalenceof the reduction strategies is not important for this paper. That is why we do not include it.In CH , a context is a process or an expression with a (typed) hole [ · ] . We introduce several classes ofcontexts in Fig. 4. They are used by the reduction rules. Definition 3.1.
The standard reduction sr −→ is defined by the rules and the closure in Fig. 5. It is onlypermitted for well-formed processes which are not successful. Functional evaluation includes β -reduction (beta), copying shared bindings into needed positions(cpce), evaluating case - and seq -expressions (case) and (seq), and moving letrec -bindings into theglobal bindings (mkbinds). For monadic computations, rule (lunit) implements the monadic evaluation.Rules (nmvar), (tmvar), and (pmvar) handle the MVar creation and access. A takeMVar -operation canonly be performed on a filled MVar, and a putMVar -operation needs an empty MVar. Rule (fork) spawnsa new thread. A concurrent thread of the form ⇐ return e is terminated (where e is of type () ). Example 3.2.
The process main ⇐ == newMVar () >>= ( λ y . forkIO ( takeMVar y )) >>= λ . putMVar y () createsa filled MVar, that is emptied by a spawned thread, and then again filled by the main thread. We say that a CH -process P is successful if P ≡ ν x . . . x n . ( main ⇐ == return e | P (cid:48) ) and if P is well-formed. This captures Haskell’s behavior that termination of the main-thread terminates all threads. Definition 3.3.
Let P be a CH-process. Then P may-converges (denoted as P ↓ ), iff P is well-formed and ∃ P (cid:48) : P sr , ∗ −−→ P (cid:48) such that P (cid:48) is successful. If P ↓ does not hold, then P must-diverges and we write P ⇑ .Process P should-converges (written as P ⇓ ), iff P is well-formed and ∀ P (cid:48) : P sr , ∗ −−→ P (cid:48) = ⇒ P (cid:48) ↓ . If P is notshould-convergent, then we say P may-diverges written as P ↑ . . Schmidt-Schauß & D. Sabel τ ( P ) = main ⇐ == do { stop ← newMVar () ; forkIO τ ( P ) ; putMVar stop () } τ ( xy . P ) = do { checkx ← newMVar () ; putMVar ( unchan x ) ( y , checkx ) ; putMVar checkx () ; τ ( P ) } τ ( x ( y ) . P ) = do { ( y , checkx ) ← takeMVar ( unchan x ) ; takeMVar checkx ; τ ( P ) }} τ ( P | Q ) = do { forkIO τ ( Q ) ; τ ( P ) } τ ( ν x . P ) = do { chanx ← newEmptyMVar ; letrec x = Chan chanx in τ ( P ) } τ ( ) = return () τ ( Stop ) = takeMVar stop τ ( ! P ) = letrec f = do { forkIO τ ( P ) ; f } in f Figure 6: Translations τ and τ Definition 3.4.
Contextual approximation ≤ c and equivalence ∼ c on CH-processes are defined as ≤ c : = ≤ c , ↓ ∩ ≤ c , ⇓ and ∼ c : = ≤ c ∩ ≥ c where P ≤ c , ↓ P iff ∀ D ∈ PCtxt CH : D [ P ] ↓ = ⇒ D [ P ] ↓ and P ≤ c , ⇓ P iff ∀ D ∈ PCtxt CH : D [ P ] ⇓ = ⇒ D [ P ] ⇓ . For CH- expressions , let e ≤ c e iff for all process-contextsC with a hole at expression position: C [ e ] ≤ c C [ e ] and e ∼ c e iff e ≤ c e ∧ e ≤ c e . As an example, we consider the processes P : = ν m . ( main ⇐ == takeMVar m | ⇐ takeMVar m | m m ()) P : = main ⇐ == return () P : = main ⇐ == letrec x = x in x Process P is may-convergent and may-divergent (and thus not should-convergent), since either the main-thread succeeds in emptying the MVar m , or (if the other threads empties the MVar m ) the main-threadis blocked forever. The process P is sucessful. The process P is must-divergent. The equivalence P ∼ c , ↓ P holds, but P (cid:54)∼ c P , since P is should-convergent and thus P (cid:54)∼ c , ⇓ P . As a further example, itis easy to verify that P ∼ c , ⇓ P holds, since both processes are not should-convergent and a surroundingcontext cannot change this. However, P (cid:54)∼ c , ↓ P , since P ⇑ .Contextual approximation and equivalence are (pre)-congruences. The following equivalence willhelp to prove properties of our translation. Lemma 3.5.
The relations in Definition 3.4 are unchanged, if we add closedness: for ξ ∈ {↓ , ⇓} , letP ≤ c , ξ P iff ∀ D ∈ PCtxt CH such that D [ P ] , D [ P ] are closed: D [ P ] ξ = ⇒ D [ P ] ξ . τ with Private MVars We present a translation τ that encodes Π Stop -processes as CH -programs. It establishes correct syn-chronous communication by using a private MVar, which is created by the sender and its name is sent tothe receiver. The receiver uses it to acknowledge that the message was received. Since only the senderand the receiver know this MVar, no other thread can interfere the communication.The approach hassimilarities with Boudol’s translation [3] from the π -calculus into an asynchronous one, where a privatechannel name of the π -calculus was used to guarantee safe communication between sender and receiver.For translating π -calculus channels into CH , we use a recursive data type Channel (with constructor
Chan ), which is defined in Haskell-syntax as data Channel = Chan ( MVar ( Channel , ( MVar ()))) Implementing Synchronous Message-Passing by MVars
We abbreviate ( case Chan e of ( Chan m -> m )) as ( unchan e ) .We use a >> b for a >>= ( λ . b ) and also use Haskell’s do-notation with the following meaning: do { x ← e ; e } = e >>= λ x . ( do { e } ) do { ( x , y ) ← e ; e } = e >>= λ z . case Pair z of ( x , y ) -> ( do { e } ) do { e ; e } = e >> ( do { e } ) do { e } = e As a further abbreviation, we write y ← newEmptyMVar inside a do -block to abbreviate the sequence y ← newMVar ⊥ ; takeMVar y , where ⊥ is a must-divergent expression. Our translation uses one MVarper channel which contains a pair consisting of the (translated) name of the channel and a further MVarused for the synchronization, which is private, i.e. only the sender and the receiver know it. Privacy isestablished by the sender: it creates a new MVar for every send operation. Message y is sent over channel x by sending a pair ( y , check ) where check is an MVar containing (). The receiver waits for a message ( y , check ) by the sender. After sending the message, the sender waits until check is emptied, and thereceiver acknowledges by emptying the MVar check Definition 4.1.
We define the translation τ and its inner translation τ from the Π Stop -calculus into theCH-calculus in Fig. 6. For contexts, the translations are the same where the context hole is treated likea constant and translated as τ ([ · ]) = [ · ] . The translation τ generates a main-thread and an MVar stop . The main thread is then waitingfor the MVar stop to be emptied. The inner translation τ translates the constructs and constants ofthe Π Stop -calculus into CH -expressions. Except for the main-thread (and using keyword let instead of letrec ), the translation τ generates a valid Concurrent Haskell-program, i.e. if we write τ ( P ) = main ⇐ == e as main = e , we can execute the translation in the Haskell-interpreter. Example 4.2.
We consider the Π Stop -process P : = ν x , y , y , z . ( x ( y ) . | x ( y ) . Stop| xz . ) which ismay-convergent and may-divergent: depending on which receiver communicates with the sender, the re-sult is the successful process ν x , y . ( x ( y ) . |Stop ) or the must-divergent process ν x , y . ( x ( y ) . Stop ) .The CH-process τ ( P ) reduces after several steps to the process ν stop , chanx , chany , chany , chanz , checkx , x , y , y , z . ( chanx m ( z , checkx ) | chany m − | chany m − | chanz m − | checkx m () | stop m () | x = Chan chanx | z = Chan chanz | y = Chan chany | y = Chan chany | main ⇐ == putMVar stop () | ⇐ do { putMVar checkx () ; return () } | ⇐ do { ( y , checkx ) ← takeMVar chanx ; takeMVar checkx ; return () } | ⇐ do { ( y , checkx ) ← takeMVar chanx ; takeMVar checkx ; takeMVar stop } ) Now the first thread (which is the translation of sender xz . ) is blocked, since it tries to fill the full MVarcheckx. The second thread (the encoding of x ( y ) . ) and the third thread (the encoding of x ( y ) . Stop )race for emptying the MVar chanx. If the second thread wins, then it will fill the MVar checkx which isthen emptied by the first thread, and all other threads are blocked forever. If the third thread wins, then itwill fill the MVar checkx which is then emptied by the first thread, and then the second thread will emptythe MVar stop. This allows the main-thread to fill it, resulting in a successful process.
For the following definition of τ being compositional, adequate, or fully abstract, we adopt the viewthat τ is a translation from Π Stop into the CH -language with a special initial evaluation context C τ out . A variant of the translation would be to change the roles for the acknowledgement such that an empty MVar is created,which is filled by the receiver and emptied by the sender. The reasoning on the correctness of the translation is very similar tothe one presented here. . Schmidt-Schauß & D. Sabel Definition 4.3.
Let C τ out : = ν stop . main ⇐ == do { stop ← newMVar () ; forkIO [ · ] ; putMVar stop () } . Variants ↓ , ⇓ of may- and should-convergence of expressions e within the context C τ out in CH are defined ase ↓ iff C τ out [ e ] ↓ and e ⇓ iff C τ out [ e ] ⇓ . The relation ∼ c , τ is defined by ∼ c , τ : = ≤ c , τ ∩ ≥ c , τ , where e ≤ c , τ e iff ∀ C : if FV ( C [ e ] , C [ e ]) ⊆ { stop } , then C [ e ] ↓ = ⇒ C [ e ] ↓ and C [ e ] ⇓ = ⇒ C [ e ] ⇓ . Since ≤ c , CH is a subset of ≤ c , τ , we often can use the more general relations for reasoning. Definition 4.4.
Let Π Stop , C be the contexts of Π Stop . We define the following properties for τ and τ (see[31] for a general framework of properties of translations under observational semantics). For openprocesses P , P (cid:48) , we say that translation τ is convergence-equivalent iff for all P ∈ Π Stop : P ↓ ⇐⇒ τ ( P ) ↓ and P ⇓ ⇐⇒ τ ( P ) ⇓ , compositional upto {↓ , ⇓ } iff for all P ∈ Π Stop , all C ∈ Π Stop , C , and all ξ ∈ {↓ , ⇓ } : if FV ( C [ P ]) ⊆ { stop } , then τ ( C [ P ]) ξ ⇐⇒ τ ( C )[ τ ( P )] ξ , adequate iff for all processes P , P (cid:48) ∈ Π Stop : τ ( P ) ≤ c , τ τ ( P (cid:48) ) = ⇒ P ≤ c P (cid:48) , and fully abstract iff for all processes P , P (cid:48) ∈ Π Stop : P ≤ c P (cid:48) ⇐⇒ τ ( P ) ≤ c , τ τ ( P (cid:48) ) . Convergence-equivalence of translation τ for may- and should-convergence holds. For readabilitythe proof is omitted, but given in the technical report [29], where we show: Theorem 4.5.
Let P ∈ Π Stop be closed. Then τ is convergence-equivalent for ↓ and ⇓ , i.e. P ↓ isequivalent to τ ( P ) ↓ . and P ⇓ is equivalent to τ ( P ) ⇓ . This also shows convergence-equivalence of τ w.r.t. ↓ , ⇓ , i.e. P ↓ ⇐⇒ τ ( P ) ↓ and P ⇓ ⇐⇒ τ ( P ) ⇓ . We show that the translation is adequate (see Theorem 4.8 below). The interpretation of this result isthat the π -calculus with the concurrent semantics is semantically represented within CH . This result ison a more abstract level, since it is based on the property whether the programs (in all contexts) producevalues or may run into failure, or get stuck; or not. Since the π -calculus does not have a notion of values,also the translated processes cannot be compared w.r.t. values other than a single form of value.The translation τ is not fully abstract (see Theorem 4.9 below), which is rather natural, since it onlymeans that it is mapped into a subset of the CH -expressions and that this is a proper subset w.r.t. thesemantics. For proving both theorems, we first use a simple form of a context lemma: Lemma 4.6.
Let e , e (cid:48) be CH-expressions, where the only free variable in e , e (cid:48) is stop.Then C τ out [ e ] ≤ c C τ out [ e (cid:48) ] holds, if and only if C τ out [ e ] ↓ = ⇒ C τ out [ e (cid:48) ] ↓ and C τ out [ e ] ⇓ = ⇒ C τ out [ e (cid:48) ] ⇓ . Proposition 4.7.
The translation τ is compositional upto {↓ , ⇓ } . We show that the translation τ transports Π Stop -processes into CH , such that adequacy holds. Thusthe translated processes also correctly mimic the behavior of the original Π Stop -processes when pluggedinto contexts. If the translated open processes cannot be distinguished by ≤ c , τ , i.e. there is no test thatdetects a difference w.r.t. may- and should-convergence, then the original processes are equivalent in the π -calculus. However, this open translation is not fully abstract, which means that there are CH -contexts(not in the image of the translation) that can see and exploit too much of the details of the translation. Theorem 4.8.
The translation τ is adequate.Proof. We prove the adequacy for the preorder ≤ c , τ , for ∼ c , τ and ∼ c the claim follows by symmetry. Let P , P (cid:48) be Π Stop -processes, such that τ ( P ) ≤ c , τ τ ( P (cid:48) ) . We show that P ≤ c P (cid:48) . We use Lemma 3.5 to restrictconsiderations to closed C [ P ] , C [ P (cid:48) ] below. Let C be a context in Π Stop , such that C [ P ] , C [ P (cid:48) ] are closedand C [ P ] ↓ . Then τ ( C [ P ]) = C τ out [ τ ( C [ P ])] . Closed convergence-equivalence implies C τ out [ τ ( C [ P ])] ↓ . ByProposition 4.7. we have C τ out [ τ ( C )[ τ ( P )]] ↓ . Now τ ( P ) ≤ c , τ τ ( P (cid:48) ) implies C τ out [ τ ( C )[ τ ( P (cid:48) )]] ↓ , which isthe same as C τ out [ τ ( C [ P (cid:48) ])] ↓ using Proposition 4.7. Closed convergence-equivalence implies C [ P (cid:48) ] ↓ . Thesame arguments hold for ⇓ instead of ↓ . In summary, we obtain P ≤ c P (cid:48) .8 Implementing Synchronous Message-Passing by MVars
Theorem 4.9.
The translation τ is not fully abstract, but it is fully abstract on closed processes, i.e. forclosed processes P , P ∈ Π Stop , we have P ≤ c P ⇐⇒ τ ( P ) ≤ c , τ τ ( P ) .Proof. The first part holds, since an open translation can be closed by a context without initializingthe ν -bound MVars. For P = ¯ x ( y ) . Stop| x ( z ) . Stop , we have P ∼ c Stop but τ ( P ) (cid:54)∼ c , τ ( Stop ) : let D be a context that does not initialize the MVars for x (as the translation does). Then D [ τ ( P )] ⇑ , but D [ τ ( Stop )] ⇓ . Restricted to closed processes, full abstraction holds: P ≤ c P = ⇒ τ ( P ) ≤ c , τ τ ( P ) follows from Lemma 4.6, since τ produces closed processes in context C τ out . Theorem 4.8 implies theother direction. In this section we investigate translations that do not use private MVars, but use a fixed number of globalMVars. We first motivate this investigation. The translation τ is quite complex and thus we want to figureout whether there are simpler translations. A further reason is that τ is not optimal, since it generates oneMVar per communication which can be garbage-collected after the communication, however, generationand garbage collection require resources and thus the translation τ may be inefficient in practice.To systematically search for small global translations we implemented an automated tool. It searchesfor translations with global MVars (abstracting from a lot of other aspects of the translation) and tries torefute the correctness. As we show, most of the small translations are shown as incorrect by our tool.Analyzing correctness of the remaining translations can then be done by hand.We only consider the aspect of how to encode the synchronous message passing of the π -calculus,the other aspects (encoding parallel composition, replication and the Stop -constant) are not discussedand we assume that they are encoded as before (as the translation τ did). We also keep the main ideato translate a channel of the π -calculus into CH by representing it as an object of a user-defined datatype Channel that consists of an MVar for transferring the message (which again is a
Channel ), andadditional MVars for implementing a correct synchronization mechanism. For the translation τ , we useda private MVar (created by the sender, and transferred together with the message). Now we investigatetranslations where this mechanism is replaced by one or several public MVars, which are created oncetogether with the channel object. To restrict the search space for translations, only the synchronizationmechanism of MVars (by emptying and filling them) is used, but we forbid to transfer specific data (likenumbers etc.). Hence, we restrict these MVars (which we call check-MVars ) to be of type MVar () . SuchMVars are comparable to binary semaphores, where filling and emptying correspond to operations signaland wait. In summary, we analyze translations of π -calculus channels into a CH -data type Channel defined in Haskell-syntax as data Channel = Chan (MVar Channel) ( MVar () ) . . . ( MVar () ) A π -calculus channel x is represented as a CH -binding x = Chan content check . . . check n where content , check , . . . , check n are appropriately initialized (i.e. empty) MVars. The MVars are public (orglobal), since all processes which know x have access to the components of the channel. After fixingthis representation of a π -channel in CH , the task is to translate the input- and output-actions x ( y ) and xz into CH -programs such that the interaction reduction is performed correctly and synchronously. Wecall the translation of x ( y ) , the receiver (program) and the translation of xz the sender (program). As asimplification, we restrict the allowed operations of the sender and receiver allowing only the operations: . Schmidt-Schauß & D. Sabel φ , T ( P ) = main ⇐ == do { stop ← newMVar () ; forkIO φ T ( P ) ; putMVar stop () } φ T ( xy . P ) = do { T x , ysend ; φ T ( P ) } φ T ( x ( y ) . P ) = do { T x , yreceive ; φ T ( P ) } φ T ( P | Q ) = do { forkIO φ T ( Q ) ; φ T ( P ) } φ T ( ν x . P ) = do { contx ← newEmptyMVar ; checkx ← newEmptyMVar ; . . . ; checkx n ← newEmptyMVar ; letrec x = Chan contx checkx . . . checkx n in φ T ( P ) } φ T ( ) = return () φ T ( Stop ) = takeMVar stop φ T ( ! P ) = letrec f = do { forkIO φ T ( P ) ; f } in f Figure 7: Induced translations φ T and φ , T where T = ( T send , T recieve ) uses n check-MVars putS : The sender puts its message into the contents -MVar of the channel. It represents the expression case
Channel x of ( Chan c a . . . a n -> putMVar c z >> e ) in CH where e is the remaining programof the sender. The operation occurs exactly once in the sender program. We write it as putS x z , oras putS , if x and z are clear. takeS : The receiver takes the message from the contents -MVar of channel x and replaces name y bythe received name in the subsequent program. The operation occurs exactly once in the receiverprogram. We write it as takeS x y , or as takeS , if x and y are clear. It represents the CH -expression case Channel x of ( Chan c a . . . a n -> takeMVar c >>= λ y . e ) where e is the remaining program ofthe receiver. In do -notation, we write do { y ← takeS x ; e } to abbreviate the above CH -expression. putC and takeC : The sender and the receiver may synchronize on a check-MVar check i by putting () into it or by emptying the MVar. These operations are written as putC ix and takeC ix , or also as putC i , takeC i if the name x is clear. We write putC and takeC if there is only one check-MVar.Let e be the remaining program of the sender or receiver. Then putC ix represents the CH -expression case Channel x of ( Chan c a . . . a n -> putMVar a i () >> e ) and takeC ix represents the expression case Channel x of ( Chan c a . . . a n -> takeMVar a i >> e ) . We restrict our search for translations to the case that the sender and the receiver programs aresequences of the above operations, assuming that they are independent of the channel name x . With thisrestriction, we can abstractly write the translation of the sender and the receiver as a pair of sequences,where only putS , takeS , putC i and takeC i operations are used. We make some more restrictions: Definition 5.1.
Let n > be a number of check-MVars. A standard global synchronized-to-buffer transla-tion (or gstb-translation ) is a pair ( T send , T receive ) of a send-sequence T send and a receive-sequence T receive consisting of putS , takeS , putC i and takeC i operations, where the send-sequence contains putS once,the receive-sequence contains takeS once, and for every putC i -action in ( T send , T receive ) , there is also a takeC i -action in ( T send , T receive ) . W.l.o.g., we assume that in the send-sequence the indices i are ascend-ing. I.e. if putC i or takeC i is before putC j or takeC j , then i < j holds. We often say translation instead of gstb-translation, if this is clear from the context.
Definition 5.2.
Let T = ( T send , T receive ) be a gstb-translation. We write T x , ysend for the program T send instan-tiated for xy, i.e. putS is putS x y, and all other operations are indexed with x. We write T x , yreceive for theprogram T receive instantiated for x ( y ) , i.e. takeS is takeS x y, and all other operations are indexed withx. The induced translations φ , T and φ T of ( T send , T receive ) are defined in Fig. 7. Implementing Synchronous Message-Passing by MVars
The induced translations are defined similar to the translations τ and τ , where the differences are therepresentations of the channel. The translation of ν x , x ( y ) , and xy is different, but the other cases remainthe same. Since φ , T ( P ) = C τ out [ φ T ( P )] and by the same arguments as in Theorem 4.8, we have: Proposition 5.3. If φ T is closed convergence-equivalent, then φ T is adequate. An execution of a translation ( T send , T receive ) for name x is the simulation of the abstract program,i.e. a program that starts with empty MVars x , x , . . . , x n , and is an interleaved sequence of actions fromthe send and receive-sequence T send and T receive , respectively.To speak about the translations we make further classifications: We say that a translation allows multiple uses , if a check-MVar is used more than once, i.e. the sender or receiver may contain takeC i or putC i more than once for the same i . A translation has the interprocess check restriction , if for every i : takeC i and putC i do not occur both in T send , and also not both in T receive . Definition 5.4.
A translation T = ( T send , T receive ) according to Definition 5.1 is • executable if there is a deadlock free execution of T ; • communicating , if T send contains at least one takeC i -action; • overlap-free if for a fixed name x, starting with empty MVars, every interleaved (concurrent)execution of ( T send , T receive ) cannot be disturbed by starting another execution of T send and/orT receive . More formally, let (( s ; ... ; s i ) ; ( r ; .... r j )) and (( s (cid:48) ; ... ; s (cid:48) i ) ; ( r (cid:48) ; .... r (cid:48) j )) be two copies of ( T send , T receive ) for a fixed name x. We call a command a k from one of the four sequences, ana-action for a ∈ { s , s (cid:48) , r , r (cid:48) } . The translation T is overlap-free if every execution of the four se-quences has the property that it can be split into a prefix and a suffix (called parts in the following)such that one of the following properties holds1. One part contains only s- and r-actions, and the other part contains only s (cid:48) - and r (cid:48) -actions.2. One part contains only s- and r (cid:48) -actions and the other part contains only s (cid:48) - and r-actions. We implemented a tool to enumerate translations and to test whether each translation preserves andreflects may- and should-convergence for a (given) finite set of processes. Hence, our tool can refute thecorrectness of translations, but it can also output (usually small) sets of translations which are not refutedand which are promising candidates for correct translations. The above mentioned parallel execution of T send and T receive is not sufficient to refute most of the translations, since it corresponds to the evaluationof the π -program ν x . ( x ( y ) | xz ) (which is must-divergent). Thus, we apply the translation to a subsetof π -processes, which we view as critical and for which we can automatically decide may- and should-convergence (before and after the translation). We consider only π -programs of the form ( ν x , . . . , x n . P ) where P contains only 0, Stop , parallel composition, and input- and output-prefixes. These programsare replication free and the ν -binders are on the top, and hence terminate. In the following we omit the ν -binders, but always mean them to be present. We also implemented techniques to generates all suchprograms until a bound on the size of the program is reached.Our simulation tool can execute all possible evaluations of those π -processes and – since all eval-uation paths are finite – the tool can check for may- and should-convergence of the π -program. Forthe translated program, we do not generate a full CH -program, but generate a sequence of sequencesof takeS x , putS x , takeC ix , putC ix z and Stop -operations by applying the translation to all action prefixesin the π -program and by encoding Stop as Stop , 0 into an empty sequence. We get a sequence of se-quences, since we have several threads and each thread is represented by one sequence. For executingthe translated program, we simulate the global store (of MVars) and execute all possible interleavings Available via https://gitlab.com/davidsabel/refute-pi. . Schmidt-Schauß & D. Sabel
Stop eventually occurs at thebeginning of the sequence. This simulates the behavior of the real CH -program in a controllable manner.With the encoding of the sender- and receiver program and a π -calculus process P we1. translate P with the encodings in the sequence of sequences consisting of takeS x , putS x , takeC ix , putC ix z and Stop -operations;2. simulate the execution on all interleavings;3. test may- and should convergence of the original π -program P as well as the encoded program(w.r.t. the simulation);4. compare the convergence before and after the translation. If there is a difference in the convergencebehavior, then P is a counter-example for the correctness of the encodings. Example 5.5.
Let us consider the gstb-translation ( T send , T receive ) = ([ takeC , putS ] , [ putC , takeS ]) andthe π -process P = ν x , y , z , w ( xy . x ( z ) . Stop| x ( w ) . ) . Our tool recognizes that P ↑ and P ⇑ holds, since Preduces to the must-divergent process ν x , z . ( x ( z ) . Stop ) and there are no other reduction possibilities.Applying ( T send , T receive ) to P yields the abstract programq : = [[ takeC x , putS x y , putC x , takeS x z , Stop ] , [ putC x , takeS x w ]] . For q, our tool inspects all executions. Among them there is the sequence putC x ; takeC x ; putS x y ; putC x ; takeS x z ; Stop which can be executed ending in
Stop . Thus q is may-convergent, and thus the process P is a counter-example that refutes the correctness of the translation.
The case that there is no check-MVar leads to one possible translation ([ putS ] , [ takeS ]) which meansthat xz is translated into putS x y and x ( y ) is translated into takeS x y . This translation is not correct,since for instance the π -process xz . x ( y ) . Stop is neither may- nor should-convergent, but the translation(written as an abstract program) is [[ putS x z , takeS x y , Stop ]] . I.e., it consists of one process whichis may- and should-convergent (since putS x z ; takeS x y ; Stop is the only evaluation sequence and itsexecution ends in
Stop ). Note that the translation into CH will generate two threads: the main threadsthat will wait until the MVar stop is filled, and a concurrent thread that will do the above operations. We consider translations with the interprocess check restriction (each takeC i and putC i must be dis-tributed between the sender and the receiver). There are n ! · n · ( n + ) different translations (for n check-MVars). For a single check-MVar, all 8 translations are rejected by our tool, Table 1 shows thetranslations and the obtained counter examples. For 2 check-MVars, our tool refutes all 72 translations.Compared to Table 1, there are two further π -programs used as counterexample. However, also theprograms xy . Stop| x ( y ) and xy . x ( z ) . zq | x ( z ) | x ( z ) | xz | y ( u ) . Stop suffice to refute all 72 translations.
Theorem 5.6.
There is no valid gstb-translation with the interprocess check restriction for less thanthree check-MVars.
A reason for the failure of translations with less than three check-MVars may be:
Theorem 5.7.
There is no executable, communicating, and overlap-free gstb-translation with the inter-process check restriction for n < . Implementing Synchronous Message-Passing by MVars
Translation (sender,receiver) Counter-example ( π -process) ↓ before ⇓ before ↓ after ⇓ after ([ putC , putS ] , [ takeC , takeS ]) xy . x ( y ) . Stop
N N Y Y ([ putC , putS ] , [ takeS , takeC ]) xy . x ( y ) . Stop
N N Y Y ([ putS , putC ] , [ takeC , takeS ]) xy . x ( y ) . Stop
N N Y Y ([ putS , putC ] , [ takeS , takeC ]) xy . x ( y ) . Stop
N N Y Y ([ takeC , putS ] , [ putC , takeS ]) xy . x ( z ) . Stop | x ( w ) N N Y N ([ takeC , putS ] , [ takeS , putC ]) xy . Stop | x ( y ) Y Y N N ([ putS , takeC ] , [ putC , takeS ]) xy . x ( z ) . Stop | x ( w ) N N Y N ([ putS , takeC ] , [ takeS , putC ]) xz . za . Stop | xw . wa . Stop | x ( y ) . y ( u ) Y Y Y NTable 1: Translations using one check-MVar and with the interprocess check restriction
Proof.
For n =
1, we check the translations in Table 1. The first four are non-communicating. For thetranslation ([ takeC , putS ] , [ takeS , putC ]) a deadlock occurs. For ([ takeC , putS ] , [ putC , takeS ]) , after putC , takeC , we can execute putC again. For ([ putS , takeC ] , [ takeS , putC ]) , after executing putS , takeS we can execute putS again. For ([ putS , takeC ] , [ putC , takeS ]) , after putC , putS , takeC wecan execute putC again. For n =
2, the simulator finds no executable, communicating, and overlap-freetranslation: 18 translations are non-communicating, 21 lead to a deadlock, and 33 may lead to an overlap.For 3 MVars, our tool rejects 762 out of 768 translations (using the same counter examples as for 2check-MVars) and the following 6 translations remain: T = ([ putS , putC , takeC , putC ] , [ takeC , putC , takeC , takeS ]) T = ([ takeC , putS , takeC , takeC ] , [ putC , putC , takeS , putC ]) T = ([ putC , putS , takeC , putC ] , [ takeS , putC , takeC , takeC ]) T = ([ putC , putC , takeC , putS ] , [ takeC , putC , takeS , takeC ]) T = ([ takeC , putS , takeC , takeC ] , [ putC , putC , takeS , putC ]) T = ([ putC , takeC , putS , takeC ] , [ takeC , putC , takeS , putC ]) Proposition 5.8.
The translations T , T , T , and T are executable, communicating, and overlap-free,whereas the translations T and T are executable, communicating, but overlapping.Proof. We only consider overlaps. For T - T , only if all 8 actions are finished, the next send or receivecan start. For T , T , after executing putC , takeC , we can again execute putC .In [29] we argue that the induced translation φ T leaves may- and should-convergence invariant. Themain help in reasoning is that there is no unintended interleaving of send and receive sequences accordingto Proposition 5.8. Application of Proposition 5.3 then shows: Theorem 5.9.
Translation φ T is adequate. For 4 MVars, our tool refutes 9266 and there remain 334 candidates for correct translations.
We now consider gstb-translations without the interprocess check restriction, i.e. putC i and takeC i bothmay occur in the sender-program (or the receiver program, resp.). If we allow one check-MVar withoutreuse, then there are 20 candidates for translations. All are refuted by our simulation. Allowing reuse ofthe single check-MVar seems not to help to construct a correct translation: We simulated this for up to 6uses, leading to 420420 candidates for a correct translation – our simulation refutes all of them. . Schmidt-Schauß & D. Sabel Conjecture 5.10.
We conjecture that there is no correct translation for one check-MVar where re-usesare permitted and the interprocess check restriction is dropped, i.e., T send is a word over { putS , putC , takeC } and T receive a word over { takeS , putC , takeC } , where putS , takeS occur exactly once. For two MVars, one use and without the interprocess check restriction there are 420 translations.Our tool refutes all except for two: T = ([ putC , putS , takeC , takeC ] , [ takeS , putC ]) and T =([ takeC , putS ] , [ putC , putC , takeS , takeC ]) . In T the second check-MVar is used as a mutex forthe senders, ensuring that only one sender can operate at a time. T does the same on the receiver side. Proposition 5.11.
The translations T , T are executable, communicating, overlap-free.Proof. The translations are executable and communicating. For T , putC , putS and takeS are per-formed in this order. An additional sender cannot execute its first command before the original senderperforms takeC and this again is only possible after the receiver program is finished. An additionalreceiver can only be executed after a putS is performed, which cannot be done by the current senderand receivers. For T , putC , putC and takeC are performed in this order. An additional receiver canonly start after takeC was executed by the original receiver, which can only occur after the originalsender and receiver program are fully evaluated. An additional sender can only start after putC hasbeen executed again, but the current sender and receiver cannot execute this command.The induced translation φ T is (closed) convergence-equivalent [29]. With Proposition 5.3 this shows: Theorem 5.12.
Translation φ T is adequate. We are convinced that the same holds for T . We conclude the statistics of our search for translationswithout the interprocess restriction: For 3 MVars, there are 10080 translations and 9992 are refuted,i.e. 98 are potentially correct. One is ([ putC , putS , takeC , takeC ] , [ putC , takeS , putC , takeC ]) which is quite intuitive: check-MVar 1 is used as a mutex for all senders on the same channel, check-MVar 3 is used as a mutex for all receivers, and check-MVar 2 is used to send an acknowledgement. For4 MVars, there are 277200 translations and 273210 are refuted, i.e. 3990 are potentially correct. We investigated translating the π -calculus into CH and showed correctness and adequacy of a transla-tion τ with private MVars for every translated communication. For translations with global names, westarted an investigation on exhibiting (potentially) correct translations. We identified several minimalpotentially correct translations and characterized all incorrect “small” translations. For two particularglobal translations, we have shown that they are convergence-equivalent and we proved their adequacyon open processes. The exact form of the translations were found by our tool to search for translationsand to refute their correctness. The tool showed that there is no correct gstb-translation with the inter-process check restriction for less than 3 check-MVars. We also may consider extended variants of the π -calculus. We are convinced that adding recursion and sums can easily be built into the translation,while it might be challenging to encode mixed sums or (name) matching operators. For name matchingoperators, our current translation would require to test usual bindings in CH for equality which is notavailable in core-Haskell. Solutions may either use an adapted translation or a target language that sup-ports observable sharing [6, 8]. The translation of mixed-sums into CH appears to require more complextranslations, where the send- and receive-parts are not linear lists of actions. We already have a proof in the meantime, not yet published. Implementing Synchronous Message-Passing by MVars
Acknowledgments
We thank the anonymous reviewers for their valuable comments. In particular, wethank an anonymous reviewer for advises to improve the construction of translations, and for providingthe counter-example in the last row of Table 1.
References [1] Mart´ın Abadi & Andrew D. Gordon (1997):
A Calculus for Cryptographic Protocols: The Spi Calculus . In:
CCS 1997 , ACM, pp. 36–47, doi:10.1145/266420.266432.[2] Richard Banach, J. Bal´azs & George A. Papadopoulos (1995):
A Translation of the Pi-Calculus Into MON-STR . J.UCS
Asynchrony and the Pi-calculus . Technical Report Research Report RR-1702,inria-00076939, INRIA, France. Available at https://hal.inria.fr/inria-00076939 .[4] Mauricio Cano, Jaime Arias & Jorge A. P´erez (2017):
Session-Based Concurrency, Reactively . In:
FORTE2017 , LNCS
A concurrent ML library in concurrent Haskell . In:
ICFP 2009 , ACM, pp. 269–280,doi:10.1145/1596550.1596589.[6] Koen Claessen & David Sands (1999):
Observable Sharing for Functional Circuit Description . In:
ASIAN1999 , LNCS
The Join Calculus: A Language for Distributed Mobile Pro-gramming . In:
APPSEM 2000 , LNCS
Type-safe observable sharing in Haskell . In:
Haskell 2009 , ACM, pp. 117–128,doi:10.1145/1596638.1596653.[9] Rob van Glabbeek, Ursula Goltz, Christopher Lippert & Stephan Mennicke (2019):
Stronger Validity Criteriafor Encoding Synchrony . In:
The Art of Modelling Computational Systems: A Journey from Logic andConcurrency to Security and Privacy - Essays Dedicated to Catuscia Palamidessi on the Occasion of Her60th Birthday , LNCS
On the validity of encodings of the synchronous in the asynchronous π -calculus . Inf. Process. Lett.
Towards a unified approach to encodability and separation results for process calculi . Inf. Comput.
An Object Calculus for Asynchronous Communication . In:
ECOOP1991 , Springer-Verlag, pp. 133–147, doi:10.1007/BFb0057019.[13] Cosimo Laneve (1996):
On testing equivalence: May and Must Testing in the Join-Calculus . Technical Re-port UBLCS 96-04, University of Bologna. Available at .[14] Robin Milner (1999):
Communicating and mobile systems - the Pi-calculus . Cambridge University Press.[15] Robin Milner, Joachim Parrow & David Walker (1992):
A Calculus of Mobile Processes, I & II . Inform. andComput.
ObservationalSemantics for a Concurrent Lambda Calculus with Reference Cells and Futures . Electron. Notes Theor.Comput. Sci.
Effects as sessions, sessions as effects . In:
POPL 2016 ,ACM, pp. 568–581, doi:10.1145/2837614.2837634.[18] Catuscia Palamidessi (1997):
Comparing the Expressive Power of the Synchronous and the Asynchronouspi-calculus . In:
POPL 1997 , ACM Press, pp. 256–265, doi:10.1145/263699.263731. . Schmidt-Schauß & D. Sabel [19] Catuscia Palamidessi (2003):
Comparing The Expressive Power Of The Synchronous And AsynchronousPi-Calculi . Math. Structures Comput. Sci.
Concurrent Haskell . In:
POPL 1996 ,ACM, pp. 295–308, doi:10.1145/237721.237794.[21] Corrado Priami (1995):
Stochastic pi-Calculus . Comput. J.
Events in Haskell, and How to Implement Them . In:
ICFP 2001 , ACM, pp. 157–168,doi:10.1145/507635.507655.[23] David Sabel & Manfred Schmidt-Schauß (2011):
A contextual semantics for Concurrent Haskell with futures .In:
PPDP 2011 , ACM, pp. 101–112, doi:10.1145/2003476.2003492.[24] David Sabel & Manfred Schmidt-Schauß (2012):
Conservative Concurrency in Haskell . In:
LICS 2012 ,IEEE, pp. 561–570, doi:10.1109/LICS.2012.66.[25] David Sabel & Manfred Schmidt-Schauß (2015):
Observing Success in the Pi-Calculus . In:
WPTE 2015 , OASICS
46, pp. 31–46, doi:10.4230/OASIcs.WPTE.2015.31.[26] Davide Sangiorgi & David Walker (2001):
On Barbed Equivalences in pi-Calculus . In:
CONCUR 200 , LNCS
The π -calculus: a theory of mobile processes . Cambridge univer-sity press.[28] Manfred Schmidt-Schauß, Joachim Niehren, Jan Schwinghammer & David Sabel (2008): Adequacy of Com-positional Translations for Observational Semantics . In:
IFIP TCS 2008 , IFIP
Embedding the Pi-Calculus into a Concurrent FunctionalProgramming Language . Frank report 60, Institut f¨ur Informatik. Fachbereich Informatik und Mathematik. J.W. Goethe-Universit¨at Frankfurt am Main. Available at .[30] Manfred Schmidt-Schauß, David Sabel & Nils Dallmeyer (2018):
Sequential and Parallel Improve-ments in a Concurrent Functional Programming Language . In:
PPDP 2018 , ACM, pp. 20:1–20:13,doi:10.1145/3236950.3236952.[31] Manfred Schmidt-Schauß, David Sabel, Joachim Niehren & Jan Schwinghammer (2015):
Observa-tional program calculi and the correctness of translations . Theor. Comput. Sci.
Correctly trans-lating concurrency primitives . In:
ML 2009 , ACM, pp. 27–38, doi:10.1145/1596627.1596633.[33] Ping Yang, C. R. Ramakrishnan & Scott A. Smolka (2004):