Manifestly Phased Communication via Shared Session Types
aa r X i v : . [ c s . P L ] J a n Manifestly Phased Communication via Shared Session Types
Chuta Sano, Stephanie Balzer, and Frank PfenningJanuary 18, 2021
Abstract
Session types denote message protocols between concurrent processes, allowing a type-safe for-malization of inter-process communication. Although previous works demonstrate a well-definednotion of subtyping where processes have different perceptions of the protocol, these formulationswere limited to linear session types where each channel of communication has a unique providerand client. In our work, we extend these previous formulations into the shared session type settingwhere channels can now have multiple clients instead of a single client. We demonstrate that thisallows shared sessions to be released at a different type, allowing the encoding of phases in a sharedprotocol to be manifest in the session type. ontents A Subtyping Relation 33
A.1 Subtyping of session types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33A.2 Lemmas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33A.2.1 Extended Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34A.3 Subtyping of contexts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Configuration 36
B.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36B.2 Configuration Typing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37B.2.1 Shared Fragment Λ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37B.2.2 Linear Fragment Θ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37B.3 Meta Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
C Safely Synchronizing 40
C.1 Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40C.2 Lemmas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
D Statics 49
D.1 Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
E Dynamics 51F Preservation 51G Progress 59 Introduction
Session types prescribe bidirectional communication protocols between concurrent processes [Hon93;HVK98]. Variations of this type system were later given logical correspondences to intuitionistic [CP10]and classical [Wad12] linear logic where proofs correspond to programs and cut reduction to communi-cation.The correspondence to linear logic mainly provided an interpretation of linear session types , whichdenote sessions with exactly one client and one provider. A shared session type , with multiple clients andone provider, was given a copying semantics interpretation from the exponential operator in linear logic,where processes providing a shared channel effectively duplicated itself for every client. In particular,under this interpretation, a server providing a shared channel to n clients would create a total of n independent copies of itself that communicate with the n clients linearly.Unfortunately, the copying semantics cannot model scenarios that demand sharing of resources sinceclients receive their own unique provider. To model these scenarios, prior work [BP17] proposed a sharing semantics by stratifying session types into shared and linear modalities and decomposing theaforementioned exponential operator into modal shifts between the two modalities. Although we believethat both copying and sharing semantics are compatible with each other in the sense that they can co-exist in the same system, in this paper, we assume “shared” to refer to the sharing semantics approachas opposed to copying semantics unless explicitly stated.Communication adhering to shared session types follow an acquire-release discipline where a clientfirst acquires exclusive access to the provider, continues linearly, and then finally releases the exclusiveaccess, allowing the channel to be acquired by another client. One of the key requirements to guaranteesoundness in that system is that processes must be released at the same type that it was acquired sincethere could be multiple clients waiting to acquire a particular shared channel. Prior work [BP17] demon-strated that this requirement, or equi-synchronizing constraint can be formulated from the provider’sviewpoint as a static constraint on the session type.In a previous work [San19], we identified many practical scenarios, which we highlight in Section 4,where clients using a shared channel often follow particular phases across successive acquire-releasecycles. However, we noted that this cannot be expressed directly in the type system since the equi-synchronizing constraint requires that types remain consistent across acquire-release cycles. We also allow termination vacuously
4n this paper, we introduce a formulation of subtyping compatible with shared session types. Inthis system, we statically relax the constraint that clients and providers must have the same view of achannel’s type and instead allow clients to locally view a channel’s type as a supertype of the channeltype that is provided. We also generalize the equi-synchronizing constraint, taking into account thesubtle consequences that emerge due to the disagreement of the type of a shared channel betweenclients and the provider. This gives us a rich session type system that allows manifestation of phases incommunication directly in the type system.The main contributions of this paper include: • a full formalization of a subtyping relation for shared session types and their meta theory • the formulation of the safely synchronizing constraint, which is a relaxation of the equi-synchronizingconstraint that takes advantage of subtyping • a detailed description of SILL S ≤ , which incorporates the subtyping that we propose, consist-ing of its type system, synchronous operational semantics, and meta theory including the usualpreservation and progress proofsThe rest of the paper will proceed as follows: • In Section 2 we give a brief introduction to both linear and shared session-typed message-passingconcurrency. • In Section 3 we present our system along with the preservation and progress theorem statements. • In Section 4 we provide examples of scenarios that take advantage of the new subtyping system. • In Section 5 we outline related works and their connections to our paper. • In Section 6 we conclude the main part of the paper with discussions of limitations, furthergeneralizations, and some conjectures. • In the Appendix we provide a formal presentation of our system along with the technical proofsof relevant theorems and lemmas, notably the preservation F and modified progress G theorems.
The core observation behind the theory of session types is that the (intuitionistic) linear sequent A , A , . . . , A n ⊢ B P by annotating the linear propositions with channelnames: a : A , a : A , . . . , a n : A n ⊢ P :: b : B Here we say that process P provides a session of type B across channel b while using channels a , . . . , a n with session types A , . . . , A n respectively. We say that P provides b and is a client to a , . . . , a n .Since the session type associated with a channel denotes a bidirectional protocol, each type connectivehas two operational interpretations – one from the perspective of a provider and one from the client.For example, a channel of type A ⊗ B requires that the provider send a channel of type A and proceed as B while the client receive a channel of type A and proceed as A . As shown in Table 1, this operationallydual interpretation culminates in a style where for any connective, either the client or provider will sendwhile the other will receive.Type Operational interpretation from provider Operational interpretation from client1 End of protocol – close channel Wait for the provider to close the channel A ⊗ B Send channel of type A and proceed as B Receive channel of type A and proceed as BA ⊸ B Receive channel of type A and proceed as B Send channel of type A and proceed as B ⊕{ l : A } Send a label i ∈ l and proceed as A i Receive and branch on i ∈ l and proceed as A i & { l : A } Receive and branch on i ∈ l and proceed as A i Send a label i ∈ l and proceed as A i Table 1: A summary of the linear connectives and their operational interpretationsAnother point we would like to emphasize is that all connectives follow a pattern where they send orreceive and then proceed as some type A . This type A is referred to as the continuation type . Example
Taking int as a primitive , we can denote a session type for a simple server that performsarithmetic operations and communicates back the result. The protocol should begin with the clientchoosing an operation – add or sub , then for both branches, sending two ints, and then finally receivingan int. This can be expressed as:arith = & { add :int ⊸ int ⊸ int ⊗ ,sub :int ⊸ int ⊸ int ⊗ } This is due to the privileged position of the right side of the sequent in intuitionistic logic. It is important to note that int is a session type and therefore is encoded as a channel. For simplicity, we will treat itas a channel carrying an integer. add or sub . After sending a label, theclient proceeds to use the channel which is now of type int ⊸ int ⊸ int ⊗ ⊸ int ⊗ ⊗
1. This time, the clientmust receive an int and proceed as 1. At this point, the client must wait for the session to terminate.The operational interpretation from the provider’s point of view is similar, with sending and receivingflipped. For example, the provider must first receive a label, and so on.To emphasize that the different branches from the external choice & can be different, we will add anegation operation, which require the client to send one int (instead of two) and then receive the result:arith = & { add :int ⊸ int ⊸ int ⊗ ,sub :int ⊸ int ⊸ int ⊗ ,neg :int ⊸ int ⊗ } Currently, we can only terminate a session through the unit type 1, but for this example, it mightmake more sense for the process to recurse, allowing clients to perform as many operations as it desires.We adopt an equi-recursive [CHP99] interpretation which require that recursive session types be con-tractive [GH05], guaranteeing that there are no messages associated with the unfolding of a recursivetype. Adding recursion to our ongoing example, we havearith = & { add :int ⊸ int ⊸ int ⊗ arith ,sub :int ⊸ int ⊸ int ⊗ arith ,neg :int ⊸ int ⊗ arith } Readers familiar with linear logic might notice that the linear session type arith will never terminate,which means that any clients using the channel can also never terminate. For completeness sake, wewill provide one final modification to safely allow termination by adding an “exit” label to the externalchoice. arith = & { add :int ⊸ int ⊸ int ⊗ arith ,sub :int ⊸ int ⊸ int ⊗ arith ,neg :int ⊸ int ⊗ arith ,exit :1 } .1.1 Type judgments We say that a linear process term P offers a channel z of type C by using client channels∆ = x : A , . . . , x n : A n . This is expressed as a judgment:∆ ⊢ P :: ( z : C )These judgments have direct correspondence with the sequent calculus presentation of dual intuition-istic linear logic, where process terms are given intuitive names following a C-like syntax.∆ ⊢ P :: ( z : C )∆ , x : 1 ⊢ wait x ; P :: ( z : C ) 1 L · ⊢ close x :: ( x : 1) 1 R ∆ , x : B, y : A ⊢ P :: ( z : C )∆ , x : A ⊗ B ⊢ y ← recv x ; P :: ( z : C ) ⊗ L ∆ ⊢ P :: ( x : B )∆ , y : A ⊢ send x y ; P :: ( x : A ⊗ B ) ⊗ R where for example the process term in 1 L , wait x ; P denotes a process that waits for channel x toterminate and then continue executing the remaining statement P .One important point is that contraction and weakening are rejected. In particular, this means thatlinear channels that a process is using cannot be duplicated and must be fully consumed before termi-nating as shown in 1 R . We give a more complete presentation of the type judgments in Section 2.2.1after introducing shared session types. Since process calculi consist of many concurrent processes that interact with each other, we reasonabout not just one process calculi term but a collection of terms by introducing a process configuration,or a collection of linear process terms. For the purely linear setting, a configuration can be viewed as aforest where the parent are clients to its children.Figure 1 demonstrates a simple configuration for linear process terms. In the paper, we represent theconfiguration as a list of processes with an ordering constraint that processes using channels providedby other processes must appear before those processes – for example, the configuration matching theone in the figure can be written as a list P , Q , Q , P . There are many valid permutations to this list,since the only constraint we have is that P appear before Q and Q because P uses channels providedby Q and Q ( a and a respectively). We will later expand on this in Section 2.2.2.8 Q a Q a b P b Figure 1: A visualization of a linear configuration consisting of four process terms. The top levelconfiguration processes P and P collectively provide channels b and b (represented by an edge to anabsent root node), while the channels a and a provided by Q and Q respectively are used by P .Thus, we say that P is a client to a and a .A configuration is well-typed if each process is well-typed according to the previously introduced typejudgments. For this particular example, we require that · ⊢ Q :: ( a : A ) · ⊢ Q :: ( a : A ) a : A , a : A ⊢ P :: ( b : B ) · ⊢ P :: ( b : B )for some linear session types A , A , B , and B . Although linear session types and their corresponding process calculi provide strong guarantees such as session fidelity (preservation) and deadlock freedom (progress), they are not expressive enough to modelsystems with shared resources. Following prior work [BP17], we extend the system to support sharedchannels, which connect a single provider with multiple clients, and stratify session types into sharedand linear types. In the remaining sections, we will make this distinction explicit by marking channelnames and session type meta-variables with the subscripts S and L respectively where appropriate. Forexample, a linear channel is marked a L , while a shared channel is marked b S .We next introduce modal shift operators that allow session types to transition from linear to shared( ↑ SL ) and from shared to linear ( ↓ SL ). In summary, we have: A S ::= ↑ SL A L A L , B L ::= ↓ SL A S | | A L ⊗ B L | A L ⊸ B L | & { l : A L } | ⊕ { l : A L } ⊗ remain only at thelinear layer – a shared session type can only be constructed by a modal upshift ↑ SL of some linear sessiontype A L .What remains are the operational interpretations of the modal shifts ↑ SL and ↓ SL . From the client’sperspective, encountering a channel of type ↑ SL A L means that they must acquire exclusive access of thechannel and then continue the session as specified by A L . From the provider’s perspective, ↑ SL A L meansthat it must accept an acquire request by a client and then transition to a linear process, now offeringa linear channel A L . On the other hand, when encountering ↓ SL A S , the client must release the exclusiveaccess it had and then continue the session as A S whereas the provider must detach from its linear stateand transition back to a shared process. This is summarized in Table 2.Type Operational interpretation from provider Operational interpretation from client1 End of protocol – close channel Wait for the provider to close the channel A L ⊗ B L Send channel of type A L and proceed as B L Receive channel of type A L and proceed as B L A L ⊸ B L Receive channel of type A L and proceed as B L Send channel of type A L and proceed as B L ⊕{ l : A L } Send a label i ∈ l and proceed as A i L Receive and branch on i ∈ l and proceed as A i L & { l : A L } Receive and branch on i ∈ l and proceed as A i L Send a label i ∈ l and proceed as A i L ↓ SL A S Detach from a linear session and proceed as A S Release exclusive access and proceed as A S ↑ SL A L Accept an acquire request and proceed as A L Acquire and proceed as A L Table 2: An extension to Table 1, adding in the new modality distinctions and two new type operators ↑ SL and ↓ SL One of the key observations with this addition is that clients of shared channels generally follow anacquire-release pattern – they must first acquire exclusive access to the channel, then proceed linearly,and then finally release the exclusive access that they had, allowing other clients of the same sharedchannel to potentially acquire exclusive access.There remains one obstacle to session fidelity with shared session types as we have formulated thusfar; consider for example a shared session type such as A S = ↑ SL & { a : ↓ SL A S , b : ↓ SL B S } for some unrelated B S . Suppose there are two clients M and N to some a S : A S , where M is blocked waiting to acquire a S while N successfully acquires a S . Since N transitions linearly according to the protocol, it must sendone of two labels a or b due to the external choice. If N sends the label b , then it must release a S tosome unrelated type B S . Now M , who thinks it is trying to acquire a S : A S will instead acquire a S : B S ,violating session fidelity. 10revious work [BP17] addresses this problem by adding an additional constraint that if a channel wasacquired at some type C S , all possible future releases (by looking at the continuation types) must releaseat C S . This is formulated as an equi-synchronizing constraint on session types directly. For example, C S = ↑ SL & { a : ↓ SL C S , b : 1 ⊗ ↓ SL C S } would be an equi-synchronizing type because it releases at C S in allpossible continuations whereas the previously defined A S would not because not all continuations (the b branch) lead to releasing at A S . Type judgments of a process are now of form:Γ; ∆ ⊢ P :: ( z L : C L )Γ ⊢ Q :: ( z S : C S )The former is read as “linear process term P offers a (linear) channel z L of type C L using sharedchannels Γ and linear channels ∆.” The latter is read as “shared process term Q offers a (shared) channel z S of type C S using shared channels Γ,” where there must be no dependency on any linear channels dueto the independence principle [BP17]. Global signature
In the following sections, we will implicitly assume a global signature Σ, which isa set of process definitions that can be thought as the process calculi analogue to a signature consistingof function definitions. A process definition consists of the offering channel name and its type, the clientchannel names and their types, and the process term: x L : A L ← X L ← y L : B L , w S : E S = Pz S : C S ← Z L ← v S : D S = Q The former denotes a linear process definition of a process named X L that offers a channel x L : A L while using linear channels y L : B L , . . . , y n L : B n L and shared channels w S : E S , . . . , w m S : E m S for some n and m , where P consists of its implementation. Similarly, the latter denotes a shared process definitionof a process named Z S that offers a channel z S : C S while using shared channels v S : D S , . . . , v n S : D n S forsome n , where Q consists of its implementation. Again, it is important that shared process definitionsdo not depend on linear channels due to the independence principle.We complete the type judgments for the purely linear operators that we introduced previously.Γ; y L : A L ⊢ fwd x L y L :: ( x L : A L ) ID L S : E S ∈ Γ (cid:0) x ′ L : A L ← X L ← y ′ L : B L , w ′ S : E S = P (cid:1) ∈ Σ Γ; ∆ , x L : A L ⊢ Q :: ( z L : C L )Γ; ∆ , y L : B L ⊢ x L ← X L ← y L , w S ; Q :: ( z L : C L ) SP LL Γ; ∆ ⊢ P :: ( z L : C L )Γ; ∆ , x L :1 ⊢ wait x L ; P :: ( z L : C L ) 1 L Γ; · ⊢ close x L :: ( x L :1) 1 R Γ; ∆ , x L : B L , y L : A L ⊢ P :: ( z L : C L )Γ; ∆ , x L : A L ⊗ B L ⊢ y L ← recv x L ; P :: ( z L : C L ) ⊗ L Γ; ∆ ⊢ P :: ( x L : B L )Γ; ∆ , y L : A L ⊢ send x L y L ; P :: ( x L : A L ⊗ B L ) ⊗ R Γ; ∆ , x L : B ⊢ P :: ( z L : C L )Γ; ∆ , x L : A L ⊸ B L , y L : A L ⊢ send x L y L ; P :: ( z L : C L ) ⊸ L Γ; ∆ , y L : A L ⊢ P :: ( x L : B L )Γ; ∆ ⊢ y L ← recv x L ; P :: ( x L : A L ⊸ B L ) ⊸ R ∀ i ∈ l Γ; ∆ , x L : A i L ⊢ P i :: ( c L : Z L )Γ; ∆ , x L : ⊕ { l : A L } ⊢ case x L of { l ⇒ P } :: ( c L : Z L ) ⊕ L i ∈ l Γ; ∆ ⊢ P :: ( x L : A i L )Γ; ∆ ⊢ x.i ; P :: ( x L : ⊕ { l : A L } ) ⊕ Ri ∈ l Γ; ∆ , x L : A i L ⊢ P :: ( z L : C L )Γ; ∆ , x L :& { l : A L } ⊢ x.i ; P :: ( z L : C L ) & L ∀ i ∈ l Γ; ∆ ⊢ P i :: ( x L : A i L )Γ; ∆ ⊢ case x L of { l ⇒ P } :: ( x L :& { l : A L } ) & R where structural rules, consisting of exchange, contraction, and weakening of Γ and exchange of ∆ aretaken to be implicit.Adopting the modalities give rise to seven additional typing rules; an ID for shared processes, spawn-ing a shared channel from a linear process, spawning a shared channel from a shared process, and fourjudgments for the two new shift operators with their left and right rules:Γ , y S B ⊢ fwd x S y S :: ( x S : A S ) ID S y S : B S ∈ Γ (cid:0) x ′ S : A S ← X S ← y ′ S : B S = P (cid:1) ∈ Σ Γ , x S : A S ; ∆ ⊢ Q :: ( z L : C L )Γ; ∆ ⊢ x S ← X S ← y S ; Q :: ( z L : C L ) SP LS y S B ∈ Γ (cid:0) x ′ S : A S ← X S ← y ′ S : B ′ S = P (cid:1) ∈ Σ Γ , x S : A S ⊢ Q :: ( z S : C S )Γ ⊢ x S ← X S ← y S ; Q :: ( z S : C S ) SP SS Γ , x S A ; ∆ , x L : A L ⊢ P :: ( z L : C L )Γ , x S A ; ∆ ⊢ x L ← acq S x S ; P :: ( z L : C L ) ↑ SL L Γ; · ⊢ P :: ( x L : A L )Γ ⊢ x L ← acc S x S ; P :: ( x S : ↑ SL A L ) ↑ SL R , x S : A S ; ∆ ⊢ P :: ( z L : C L )Γ; ∆ , x L : ↓ SL A S ⊢ x S ← rel S x S ; P :: ( z L : C L ) ↓ SL L Γ ⊢ P :: ( x S : A S )Γ; · ⊢ x S ← det S x S ; P :: ( x L : ↓ SL A S ) ↓ SL R We will later modify this system to take into account the safely synchronizing constraint and the extendedtype system in Section 3.
We similarly stratify the configuration Ω into a shared fragment Λ and a linear fragment Θ. A sharedconfiguration consists of a collection of shared processes proc( a S , P ) and placeholders for unavailablechannels (for example, due to it currently being acquired and in the linear state) unavail( a S ). Followingthis pattern, we also update our previous formulation of the linear configuration Θ to a list of linearprocesses proc( a L , P ). The first argument in the proc terms denotes the channel name that the processis providing. For visualization purposes, it is helpful to think of the shared configuration to be freegraphs and the linear configuration to be forests.As demonstrated in Figure 2, the linear fragment of the configuration still maintains the linearityconstraint – there is only one arrow to a given linear process with a strict forest-ordering. However, theshared fragment of the configuration loosely allow any dependencies – as showcased, multiple processescan be clients to S , and a shared process can even be a client to itself as shown in S . If P successfullyacquires d S , then proc( d S , S ) transitions to unavail( d S ) and a proc( d L , − ) with the appropriate processterm will appear as a child to P . Taking nat to be a primitive compatible with int , we consider a (linear) session type nat ⊗ A L .According to this protocol, the provider must first send a channel of type nat, which we informally taketo be primitive for the sake of this example. In previous works, the client must act according to thesame protocol; they must receive a channel of type nat. However, it seems reasonable for a client toinstead act according to a slightly different protocol. Instead of receiving a channel of type nat, theycan receive a channel of type int, which we again take as a primitive, since anything of type nat can beinterpreted as an int. Thus, the client can safely interpret this channel’s protocol to be a session of formint ⊗ A L . Although there is nothing computationally interesting about it – S will deadlock if it tries to acquire itself For example, let nat = ⊕{ pos : num } , int = ⊕{ pos : num, neg : num } , and num = ⊕{ s : num, z : 1 } a L , P )proc( b L , P ) proc( c L , P )proc( d S , S ) proc( e S , S )Figure 2: A visualization of a configuration consisting of linear processes P , P , and P , represented ascircles, and shared processes S and S , represented as rectangles. The direction of the arrow indicatethat the destination is the provider; for example, P uses channels provided by P , P , and S . Thearrow to P indicates that P is a top level process term.On the other hand, consider a session type int ⊸ A L . The provider must receive a channel of type intwhile the client must send a channel of type int. In this example, the client can instead send a channelof type nat. Therefore, the client can safely interpret the session to be of type nat ⊸ A L .Now consider a session type & { a : A L , b : B L } . Since the provider is waiting for one of two choices, a or b , the client can take the type to be a subset of the available choices, for example, & { b : B L } .Similarly, for ⊕{ a : A L , b : B L } , since the provider makes a decision between a and b , a client can waiton additional choices, for example, ⊕{ a : A L , b : B L , c : C L , d : D L } .14n general, if A ≤ B , then a provider viewing its offering channel as A can safely communicate witha client viewing the channel as B . The following subtyping rules, interpreted coinductively, generalizethe examples noted above.1 ≤ ≤ A L ≤ A ′ L B L ≤ B ′ L A L ⊗ B L ≤ A ′ L ⊗ B ′ L ≤ ⊗ A ′ L ≤ A L B L ≤ B ′ L A L ⊸ B L ≤ A ′ L ⊸ B ′ L ≤ ⊸ ∀ i ∈ l A i L ≤ A ′ i L ⊕{ l : A L } ≤ ⊕{ l : A ′ L , m : B L } ≤ & ∀ i ∈ l A i L ≤ A ′ i L & { l : A L , m : B L } ≤ & { l : A ′ L } ≤ & One key observation is that subtyping of session types are covariant in their continuations.
Example
Since priority queues can be used to sort a list of n objects by repeatedly inserting all n objects first and then popping as in heapsort, we can use subtyping to make this behavior explicit. Webegin by sketching the session type of a (priority) queue of some linear type A L :queue = & { insert : A L ⊸ queue ,pop : ⊕ { some : A L ⊗ queue , none : 1 }} The session type begins with an external choice, forcing the client to choose between an insert, whichrequires the client to further send a channel of type A L and continue as a queue, and a pop, which allowsthe provider to send a channel of type A L and continue as a queue or terminate if the queue is alreadyempty. At the current stage, clients using these queues can arbitrarily choose a sequence of insert/popcommands, such as inserting twice, popping once, inserting three times, and so on. To enforce theaforementioned behavior of inserting everything first and then only popping, we define two phases ofcommunication for the client. In the first phase, it can insert as many times as the client wants untilthe client chooses to pop. Upon the first pop, the client transitions to the second phase where it canonly pop and never insert.queue one = & { insert : A L ⊸ queue one ,pop : ⊕ { some : A L ⊗ queue two , none : 1 }} queue two = & { pop : ⊕ { some : A L ⊗ queue two , none : 1 }} Where the client begins in the first phase, or queue one, and we can indeed verify that queue ≤ queue one. A client with this view can begin by inserting as many times as it wants. However, once itpops once, it must commit to popping because the session type switches to queue two which only allowspop, allowing us to encode the two phases of communication.15owever, it is important to note that in this particular situation, the provider can also adopt queue oneas its view on the session type. This does not however make subtyping on purely linear types useless; aprovider implementing a generic priority queue can be reused to implement a heapsort using subtyping,which a system without subtyping cannot do without re-implementing the provider with queue one.Once shared channels come to play however, the idea that the provider simply adopts the client’s viewcannot apply since there can be multiple clients each with different views of the type of a shared channel. We will begin this section with a motivating example and develop the theory. Consider a sharedprocess that implements a binary choice voting machine. A potential session type to represent thiscommunication begins with an upshift followed by an external choice with three options:voting = ↑ SL & { vote ↓ SL voting ,vote ↓ SL voting ,result :nat ⊗ nat ⊗ ↓ SL voting } where the first two labels encode a particular vote and the final result label makes the provider respondwith the voting counts of the two voting choices.We can immediately observe that if a process was given a channel of this type, it can vote as manytimes as it likes, which is not the intention of the voting machine – we would like to enforce that clientsonly vote once (but can view the result as many times as they like). Thus, from the client’s perspective,there are two phases to the protocol. The first phase allows the client to see results as many times asit wants and make a vote. Once the client makes a vote, it transitions to the second phase where itcan no longer vote but can still view results as many times as it likes. There are two obvious subtypingrelations using the shifts that follow our pattern of subtyping so far that we can try to take advantageof: A L ≤ B L ↑ SL A L ≤ ↑ SL B L ≤ ↑ SL A S ≤ B S ↓ SL A S ≤ ↓ SL B S ≤ ↓ SL Using these rules, we first attempt to follow the previous queue example and limit the labels thatthe client can send. For example, we can construct a candidate supertype of voting, voting one thataims to capture the “each client can only vote once” constraint:voting one = ↑ SL & { vote ↓ SL voting two ,vote ↓ SL voting two ,result :nat ⊗ nat ⊗ ↓ SL voting one } voting two = ↑ SL & { result :nat ⊗ nat ⊗ ↓ SL voting two } ↑ LL and ↓ LL that are operationally equivalent to ↑ SL and ↓ SL , respectively, from a protocol perspective. Thus, the protocol denoted by ↑ LL A L requires theclient to acquire as in the shared case. If the provider happens to implement the same ↑ LL A L , then thereis no merit to this connective since a linear channel already enforces exclusive access between the clientand provider. The more interesting case is when the provider is actually providing a shared channel,some ↑ SL A L , a client should be able to view that the session type is ↑ LL A L without any trouble. This ideaformalizes the following subtyping relations: A L ≤ B L ↑ SL A L ≤ ↑ LL B L ≤ ↑ SL ↑ LL A S ≤ B L ↓ SL A S ≤ ↓ LL B L ≤ ↓ SL ↓ LL A L ≤ B L ↑ LL A L ≤ ↑ LL B L ≤ ↑ LL A L ≤ B L ↓ LL A L ≤ ↓ LL B L ≤ ↓ LL Using the new connectives, we can finish our voting machine example; a client must actually view thevoting machine as a linear channel!voting one = ↑ LL & { vote ↓ LL voting two ,vote ↓ LL voting two ,result :nat ⊗ nat ⊗ ↓ LL voting one } voting two = ↑ LL & { result :nat ⊗ nat ⊗ ↓ LL voting two } Therefore, the addition of the “trivial” purely linear shift operators ↑ LL and ↓ LL allows us to relateshared session types and linear session types. Although these operators are not useful by themselvesbecause the acquire-release paradigm for purely linear session types provide no practical value, theyserve a relevant role in a system with subtyping. 17 .3 Safely Synchronizing With the adoption of manifest sharing, shared session types are required to adhere to an equi-synchronizing constraint as formulated in [BP17] with the intention that we must release a chan-nel to the same state at which it was acquired. For example, a shared session type such as A S = ↑ SL & { a : ↓ SL A S , b : ↓ SL B S } for some unrelated B S would not be equi-synchronizing since there is a releasepoint B S that does not return A S to its initial type before the acquire.The adoption of subtyping to our system allows us to relax the constraint that the channel mustreturn to its original type; this is equivalent to the formulation of sub-synchronizing types [San20;Das+21] (see Section 5) except we take a provider-centric judgment as opposed to the client-centricjudgment. Consider some provider that provides a channel x S of type A S and n clients of x S each withtheir own perception of the type of x : A , A , . . . , A n such that for all i ≤ n , A S ≤ A i . Then it seemsperfectly reasonable to allow future release points of A S to be a smaller type B S , since by transitivity, B S ≤ A i for all i ≤ n . Therefore, we modify the equi-synchronizing constraint to allow types to bereleased at a smaller type. More generally, we extend shared types ˆ A ::= ⊥ | A S | ⊤ with ⊥ ≤ A S ≤ ⊤ for any A S . Intuitively, ⊤ indicates a channel that has never been acquired (no constraints on a futurerelease), A S indicates the previous presentation of shared channels, and ⊥ indicates a channel that willnever be available (hence, any client attempting to acquire from this channel will never succeed and beblocked).With the introduction of subtyping, it is now important to further refine the notion of equi-synchronizingtypes to take into account the possibility that a provider and client of a channel have different viewsof its session type, where the provider’s view is a subtype of the client’s view. Recall the example A S = ↑ SL & { a : ↓ SL A S , b : ↓ SL B S } where B S is unrelated to A S which we claimed is not equi-synchronizing.However, suppose a provider offering a channel x S : A S only has one client which views x S as A ′ S where A ′ S = ↑ SL & { a : ↓ SL A S } (we can verify that A S ≤ A ′ S ). In this case, we are aware that the label b willnever be sent by the client, and therefore, the provider will never receive a label b . To take advantage ofthese scenarios where the provider and client do not view a channel as the same type, the synchronizingconstraint is no longer a restriction on a session type but instead a restriction on a pair of session types C and D such that C ≤ D where we interpret a provider to provide a channel of type C and a client tolocally view the channel as type D .We are now ready to present the safely synchronizing judgment, interpreted coinductively, which isof form ⊢ ( A, B, ˆ D ) dfsync for some A and B such that A ≤ B , which asserts that a provider providinga channel of type A and a client using that channel with type B is safely synchronizing with respect to18ome constraint ˆ D : ⊢ (1 , , ˆ D ) dfsync D ⊢ ( B L , B ′ L , ˆ D ) dfsync ⊢ ( A L ⊗ B L , A ′ L ⊗ B ′ L , ˆ D ) dfsync D ⊗ ⊢ ( B L , B ′ L , ˆ D ) dfsync ⊢ ( A L ⊸ B L , A ′ L ⊸ B ′ L , ˆ D ) dfsync D ⊸ ∀ i ∈ l ⊢ ( A i L , A ′ i L , ˆ D ) dfsync ⊢ ( ⊕{ l : A L } , ⊕{ l : A ′ L , m : B L } , ˆ D ) dfsync D ⊕ ∀ i ∈ l ⊢ ( A i L , A ′ i L , ˆ D ) dfsync ⊢ (& { l : A L , m : B L } , & { l : A ′ L } , ˆ D ) dfsync D & ⊢ ( A L , A ′ L , ˆ D ) dfsync ⊢ ( ↑ LL A L , ↑ LL A ′ L , ˆ D ) dfsync D ↑ LL ⊢ ( A L , A ′ L , ˆ D ) dfsync ⊢ ( ↓ LL A L , ↓ LL A ′ L , ˆ D ) dfsync D ↓ LL ⊢ ( A L , A ′ L , ↑ SL A L ) dfsync ⊢ ( ↑ SL A L , ↑ SL A ′ L , ⊤ ) dfsync D ↑ SL ⊢ ( A S , A ′ S , ⊤ ) dfsync ↓ SL A S ≤ ˆ D ⊢ ( ↓ SL A S , ↓ SL A ′ S , ˆ D ) dfsync D ↓ SL ⊢ ( A L , A ′ L , ↑ SL A L ) dfsync ⊢ ( ↑ SL A L , ↑ LL A ′ L , ⊤ ) dfsync D ↑ SL ↑ LL ⊢ ( A S , A ′ L , ⊤ ) dfsync ↓ SL A S ≤ ˆ D ⊢ ( ↓ SL A S , ↓ LL A ′ L , ˆ D ) dfsync D ↓ SL ↓ LL where the general intuition is that when encountering internal and external choices, we take the inter-section of the choices – after all, the branches that the two types do not have in common will neveroccur during communication. Finally, we can present our system
SILL S ≤ . For economic reasons, we will only present some interestingrules – the full system along with the technical details of the relevant meta theory are presented in theAppendix: Appendix A for the subtyping rules including extended types, Appendix C for the safelysynchronizing judgments, Appendix D for the type judgments, Appendix E for the operational semantics,and Appendix B for the configuration judgments. A configuration consists of a list of shared processes Λ and a list of linear processes Θ. The order ofshared processes have no structure, but the order of linear processes can be seen to form a tree structure;a linear process can use channels offered by processes to its right, and due to linearity, if it is using a19hannel, it must be the unique process doing so.Ω ::= Λ; ΘΛ ::= · | Λ , Λ | proc( a S , P ) | unavail( a S )Θ ::= · | proc( a L , P ) , Θ ′ | connect( a L , b S ) , Θ ′ The connect term is a new addition compared to
SILL S [BP17] and is used as a primitive to makesubtyping between linear channels and shared channels explicit.We also introduce the meta variable Ψ as a shorthand to represent a linear process:Ψ a ::= proc( a L , P ) | connect( a L , b S )Ψ is parametrized by a subscript, such as a in Ψ a , to make explicit the offering channel name a L . Usesof Ψ without a subscript generally means the name of the offering channel is not relevant in the contextand therefore can be considered a shorthand for “Ψ a for some a ”.A (well-formed ) configuration Ω ::= Λ; Θ is typed by its shared and linear fragments. Γ | = Λ :: (Γ) Γ | = Θ :: (∆)Γ | = Λ; Θ :: (Γ; ∆) Ω Λ Γ | = · :: ( · ) Λ1 Γ | = Λ :: (Γ ) Γ | = Λ :: (Γ )Γ | = Λ , Λ :: (Γ , Γ ) Λ2 ⊢ ( A ′ S , A S , ⊤ ) dfsync Γ ⊢ P :: ( a S : A ′ S )Γ | = proc( a S , P ) :: ( a S : A S ) Λ3 Γ | = unavail( a S ) :: ( a S : ˆ A ) Λ4 see Appendix B .4.3 Linear Fragment Θ Γ | = · :: ( · ) Θ1 b S : ˆ B ∈ Γ b S ≤ A L Γ | = Θ ′ :: (∆ ′ )Γ | = connect( a L , b S ) , Θ ′ :: ( a : A L , ∆ ′ ) Θ2 a S : ˆ A ∈ Γ ⊢ ( A ′ L , A L , ˆ A ) dfsync Γ; ∆ a ⊢ P :: ( a L : A ′ L ) Γ | = Θ ′ :: (∆ a , ∆ ′ )Γ | = proc( a L , P ) , Θ ′ :: ( a : A L , ∆ ′ ) Θ3 Some notable rules are Λ3 and Θ3, where in both cases, the process typing judgment in the premiseoffers a channel type A ′ that is different from the one offered in the configuration A . The subtypingrelation of A ′ ≤ A is implicit through the safely synchronizing constraint ⊢ ( A ′ , A, ˆ A ) dfsync. Anothernotable rule is Θ2, which formalizes the role of the connect term as a “middleman” between a linearchannel and a shared channel. Many of the rules are very similar to the ones defined in Section 2.2.1. We present some cases that differdue to our subtyping system. First, we relax the two identity rules to allow forwarding with a smallertype. We also allow a linear process to forward using a shared channel if the appropriate subtypingrelation holds. B L ≤ A L Γ; y L : B L ⊢ fwd x L y L :: ( x L : A L ) ID L ˆ B ≤ A S Γ , y S : ˆ B ⊢ fwd x S y S :: ( x S : A S ) ID S ˆ B ≤ A L Γ , y S : ˆ B ; · ⊢ fwd x L y S :: ( x L : A L ) ID LS Shared channels in the context may now have an extended type, needed to express the subtle constraintsimposed by safe synchronization. For the most part, there is not much loss in the high level details ifone were to interpret these constraints as just shared session types A S .A linear to linear spawn (a named cut) now divides the channel substitutions to three parts: linearto linear substitutions, shared to linear substitutions, and shared to shared substitutions. The sharedto linear substitution in particular occurs when a process definition expects a linear channel (or sometype ↑ LL . . . ) and is instead given a smaller shared channel, and is in fact the key to the expressivenessof our system. v S : ˆ D ∈ Γ w S : ˆ E ∈ Γ B L ≤ B ′ L ˆ D ≤ D ′ L ˆ E ≤ E ′ S (cid:0) x ′ L :( A L ≤ A ′ L ) ← X L ← y ′ L : B ′ L , v ′ L : D ′ L , w ′ S : E ′ S = P (cid:1) ∈ Σ Γ; ∆ , x L : A ′ L ⊢ Q :: ( z L : C L )Γ; ∆ , y L : B L ⊢ x L ← X L ← y L , v S , w S ; Q :: ( z L : C L ) SP LL X L in the signature being defined by a pair of types x ′ L :( A L ≤ A ′ L ). This makes explicit the perspective that from the provider’s perspective ( X L ), the chan-nel is viewed as type A L and from the client’s perspective, the channel is viewed as type A ′ L where A L ≤ A ′ L .We also allow sending of channels with smaller types:Γ; ∆ , x L : B L , y L : A L ⊢ P :: ( z L : C L )Γ; ∆ , x L : A L ⊗ B L ⊢ y L ← recv x L ; P :: ( z L : C L ) ⊗ L A ′ L ≤ A L Γ; ∆ ⊢ P :: ( x L : B L )Γ; ∆ , y L : A ′ L ⊢ send x L y L ; P :: ( x L : A L ⊗ B L ) ⊗ R Similar to the rules presented before, there is also a version where we can send a shared channel as longas its type is smaller than the expected (linear) type.
Remark
Since typing judgments are purely local to a process, most of the subtyping occurs as specialcases of certain connectives; the configuration keeps track of persisting any subtyping that arises.
We adopt a synchronous communication pattern in our system. As noted in [PG15], asynchronouscommunication can be easily adopted in this system aside from the acquire step. Following Cervesatoand Scedrov [CS09] and prior work [BP17], we formalize the operational semantics as multiset rewritingrules , which is of the form S , . . . , S n → T , . . . , T m and denote a computational step from the left terms to the right terms. In our paper, the terms S and T correspond to terms in the configuration, namely proc( a S , P ) , unavail( a S ) , proc( a L , P ) , andconnect( a L , b S ). We present some interesting operational semantics rules in this section; the completelisting of the rules are available in Appendix E.If a linear process is waiting on some channel b L to close and another linear process offering b L isattempting to close the channel, then the process offering b L can safely terminate:proc( a L , wait b L ; P ) , proc( b L , close b L ) → proc( a L , P ) (D-1)22imilarly, if a linear process is waiting to receive a channel from b L and a process offering b L is sendinga channel through b L , the channel is sent from one process to another:proc( a L , y L ← recv b L ; P ) , proc( b L , send b L c L ; Q ) , Ψ c (D- ⊗ ) → proc( a L , [ c L /y L ] P ) , proc( b L , Q ) , Ψ c proc( a L , y L ← recv b L ; P ) , proc( b L , send b L c S ; Q ) (D- ⊗ → proc( a L , [ d L /y L ] P ) , proc( b L , Q ) , connect( d L , c S ) , unavail( d S ) ( d fresh)The second rule handles the case when a shared channel is sent in place of a linear channel – in thatcase, a connect term appears and connects a fresh channel d L to the sent channel c S . In general, connectterms appear whenever shared channels are interpreted as linear channels due to subtyping.If a linear process is trying to acquire a channel b S while a shared process is accepting, then the sharedprocess transitions to its linear form while an unavail( b S ) is left behind to signify that the b S cannot beacquired by another client in the meantime. The second rule consumes the connect – if similar to thefirst case, a client is trying to (linearly) acquire a channel b L that is being connected to some c S by aconnect( b L , c S ) term, similar results to the first rule occur.proc( a L , x L ← acq S b S ; P ) , proc( b S , x L ← acc S b S ; Q ) (D- ↑ SL ) → proc( a L , [ b L /x L ] P ) , proc( b L , [ b L /x L ] Q ) , unavail( b S )proc( a L , x L ← acq L b L ; P ) , connect( b L , c S ) , proc( c S , x L ← acc S c S ; Q ) (D- ↑ SL → proc( a L , [ c L /x L ] P ) , proc( c L , [ c L /x L ] Q ) , unavail( c S ) We begin with the preservation theorem, which guarantees session fidelity: a process communicatingalong a channel will follow the protocol as denoted by the channel.
Theorem 1. If Γ | = Λ; Θ :: (Γ; ∆) and Λ; Θ → Λ ′ ; Θ ′ , then Γ ′ | = Λ ′ ; Θ ′ :: (Γ ′ ; ∆) for some Λ ′ , Θ ′ , and Γ ′ such that Γ ′ (cid:22) Γ .Proof. See Appendix F.The Γ ′ (cid:22) Γ captures the idea that the configuration can gain additional shared processes and thatthe types of shared channels can become smaller (see Appendix A). For example, if a process spawnsan additional shared process, then the configuration will gain an additional channel in Γ and if a sharedchannel is released to a smaller type, the type of the shared channel in Γ can become smaller. Notethat although it is indeed true that linear processes can be spawned, it will never appear in ∆ since thelinear channel that the newly spawned process offers must be consumed by another process for it to bespawned. 23o state the progress theorem, we need to introduce two additional concepts: poised processes [PG15]and blocked processes [BP17].
Definition . A shared and linear process term proc( a, P ) is poised if P is currently communicatingalong its providing channel a . Poised process terms in SILL S ≤ are shown in the table below.Receiving Sendingproc( a L , close a L )proc( a L , x L ← recv a L ; P ) proc( a L , send a L c L ; P )proc( a L , x S ← recv a L ; P ) proc( a L , send a L c S ; P )proc( a L , case a L of { l ⇒ P } ) proc( a L , a.i ; P )proc( a L , x L ← acc L a L ; P ) proc( a L , x L ← det L a L ; P )proc( a S , x L ← acc S a S ; P ) proc( a S , x L ← det S a S ; P )In particular, we say that a configuration is poised if all of its proc( − , − ) members are poised. Definition . A linear process is blocked along a S if it is attempting to acquire access to a S which iscurrently provided by an unavail( a S ) term. Formally, proc( c L , − ) is blocked along a S if the configurationis of form:1. proc( c L , x L ← acq S a S ) , unavail( a S ) or2. proc( c L , x L ← acq L b L ) , connect( b L , a S ) , unavail( a S )The first form captures the case when proc( c L , − ) is directly trying to acquire a S , while the second formcaptures the case when proc( c L , − ) is indirectly trying to acquire a S through a connect term.Now we are ready to state the progress theorem, which states that the only way the configuration canbe stuck is through a blocked process (for example, a deadlock). Theorem 2. If Γ | = Λ; Θ :: (Γ; ∆) then either:1. Λ → Λ ′ for some Λ ′ or2. Λ poised and one of:(a) Λ; Θ → Λ ′ ; Θ ′ for some Λ ′ and Θ ′ or(b) Θ poised or(c) some linear process Ψ ∈ Θ is blockedProof. See Appendix G 24
Examples
We base this example from a previous work [San19; WPP17] of a centralized form of Mitchell and Mer-ritt’s distributed deadlock detection algorithm [MM84]. The algorithm assumes a distributed systemwith shared resources and linear nodes, where the intended behavior is that the linear nodes, encoded aslinear processes, acquire particular resources, encoded as shared processes, perform appropriate compu-tations, and then release unneeded resources as in typical distributed systems. Both nodes and resourcesare identified by a unique identification of type pid (process id) and rid (resource id) respectively, whichas in previous examples, we take as primitives. In this system, a deadlock in the usual sense is detectedwhen there is a cycle in the dependency graph generated by the algorithm. The centralized deadlockdetection algorithm consists of a shared process that acts as an overseer that all nodes report to.The type of this global deadlock detection overseer is given asdd = ↑ SL & { tryacq :pid ⊸ rid ⊸ ↓ SL dd ,didacq :pid ⊸ rid ⊸ ↓ SL dd ,willrel :pid ⊸ rid ⊸ ↓ SL dd } where the intention is that clients are expected to inform the overseer before attempting to acquirea resource ( tryacq ), after successfully acquiring a resource ( didacq ), and before releasing a resource( willrel ).As discussed in a previous work [San19], there are two phases of the protocol across successive acquire-release cycles. Using subtyping, we can represent this constraint statically:dd one = ↑ LL & { tryacq :pid ⊸ rid ⊸ ↓ LL dd two ,willrel :pid ⊸ rid ⊸ ↓ LL dd one } dd two = ↑ LL & { didacq :pid ⊸ rid ⊸ ↓ LL dd one } where dd ≤ dd one. This session type enforces that the message following tryacq must be didacq and that didacq cannot be sent before a tryacq . It is important to note that we are not enforcingother desirable constraints such as whether the resource id sent by the client matches in a sequence of tryacq → didacq (it is nonsensical for a client to attempt to acquire resource r and after claim thatit successfully acquired a different resource r ′ ). We believe that those additional constraints can benaturally expressed by extending refinement types [DP20] to be compatible with this system.25 linear node is a process that uses a channel of type dd one; since we allow subtyping across modal-ities, we can spawn such a node by passing a reference to the global overseer offering a shared channelof type dd, which the node can safely view to be dd one since dd ≤ dd one.Since the overseer is locally seen as a linear channel for the nodes, the linearity condition along withdd one being infinite means that the nodes can never terminate, which is a difference from standardimplementations without subtyping where nodes can terminate freely since in that setting, the clientshold shared references to the overseer. To resolve this, we can attempt to expand the protocol tointroduce explicit join and exit messages:dd = ↑ SL & { tryacq :pid ⊸ rid ⊸ ↓ SL dd ,didacq :pid ⊸ rid ⊸ ↓ SL dd ,willrel :pid ⊸ rid ⊸ ↓ SL dd ,join :pid ⊸ ↓ SL dd ,exit :pid ⊸ ↓ SL dd } From the client’s perspective, we have:dd entry = ↑ SL & { join :pid ⊸ ↓ LL dd one } dd one = ↑ LL & { tryacq :pid ⊸ rid ⊸ ↓ LL dd two ,willrel :pid ⊸ rid ⊸ ↓ LL dd one ,exit :pid ⊸ ↓ SL dd entry } dd two = ↑ LL & { didacq :pid ⊸ rid ⊸ ↓ LL dd one } where dd ≤ dd entry. Nodes now begin with a channel of type dd entry, a shared type. The keychange is that in dd one, clients can now send exit , which brings back a shared type, allowing nodes toterminate.Unfortunately, although forcing the client to view the channel’s type as dd entry seems to give acomplete solution to the exiting dilemma, this creates a vulnerability in the system. For example,malicious clients can join twice since the initial dd entry is a shared channel and therefore can beduplicated. Although there is still value in this extension if we assume innocent clients, we believe thata full general solution requires incorporating affine modality to our system which we leave for futurework (see Section 6.1). 26 .2 Auction Next we consider a variation of the auction protocol described by Das et al. [Das+21], where an auctionconsists of a shared provider acting as the auctioneer and its multiple clients acting as bidders. Theauction transitions between the betting phase where clients are allowed to place bets and the collectingphase where a winner is given the auctioned item while all the losers are refunded their respective bids.Taking the linear types id, money, and item as primitives, we have:auction = ↑ SL & { bid : ⊕ { ok : id ⊸ money ⊸ ↓ SL auction ,collecting : ↓ SL auction } ,collect : ⊕ { prize : id ⊸ item ⊗ ↓ SL auction ,ref und : id ⊸ money ⊗ ↓ SL auction ,bidding : ↓ SL auction }} From the perspective of the client, it must first acquire, then either choose between bid or collect . Ifit chooses bid , the auctioneer will either respond with an ok , indicating that the auction is currently inthe bidding phase, allowing the client to send its id, money, and then release back to the auction type,or a collecting , indicating that the auction is in the collect phase, making the client release back to theauction type. If the client chooses collect , then the auctioneer will respond with one of prize, ref und, or bidding . The prize branch covers the case where the client won the previous bid, the ref und branchcovers the case where the client lost the bid, and the bidding branch informs the client that the auctionis currently in the bidding phase.Like in previous examples, the auction protocol has distinct phases of communication, in particularthe bidding phase and the collecting phase. Following previous examples, we can construct a supertypeof the auction type, auction bidding to make these phases more explicit for the client:auction bidding = ↑ LL & { bid : ⊕ { ok : id ⊸ money ⊸ ↓ LL auction bidding ,collecting : ↓ LL auction collecting }} auction collecting = ↑ LL & { collect : ⊕ { prize : id ⊸ item ⊗ ↓ LL auction bidding ,ref und : id ⊸ money ⊗ ↓ LL auction bidding ,bidding : ↓ LL auction bidding }} where auction ≤ auction bidding.Aside from making the phases in the protocol more explicit, the adoption of auction bidding guar-antees that clients take into account the collecting and bidding responses of the provider and allows27he programming pattern of the provider “choosing” the subsequent phase to be manifest in the typeitself. Furthermore, this particular presentation of the auction protocol paves way for future extensionsinvolving refinement types [DP20] that can allow static verification of more intricate properties of theprotocol for example a property such as if a participant puts in n units of money in the bidding phaseand does not win, it will be refunded exactly n units of money. Although we face a similar exit problemas in the previous example, similar strategies can be taken to allow clients to terminate. Our work serves as an extension to
SILL S defined in [BP17] by introducing a notion of subtyping to thesystem which allows us to statically relax the equi-synchronizing constraint present in SILL S . Earlyglimpses of subtyping can be seen in the previous system with the introduction of ⊥ and ⊤ as theminimal and maximal constraints, which happened to coincide with the minimal and maximal sharedtypes ⊥ and ⊤ in our much more expansive subtyping relation.More generally, our work is based on many past works on session types, with a proposal for a typesystem for the π -calculus [Hon93; HVK98], and amongst many works that further develop this theory, asubtyping extension to the system [GH05]. Variations of the earlier type system was later given a corre-spondence with intuitionistic linear logic [CP10; Ton15] and classical linear logic [Wad12]. The sharingsemantics that we investigate in this paper was introduced in [BP17] by decomposing the exponentialmodality, which was previously known to provide a copying semantics through association with the ex-ponential operator in linear logic. The type system arising from the correspondence with intuitionisticlinear logic was later given a subtyping extension [AP16], which covered all linear connectives along withunion and intersect types (still linear) that we omitted in our work. One stylistic difference betweenthe two is that our subtyping is present directly in the type system, whereas the subtyping in [AP16] isimplicitly present through a subsumption rule (and corresponding meta theory to prove its safety).Sub-synchronizing types [San20; Das+21] is another relaxation of the equi-synchronizing constraintthat allows types to be released at a smaller type as initiated by the client. This is captured preciselyby the subtyping aspect of our safely synchronizing constraint where the main difference between thetwo approaches is that our approach incorporates full subtyping, which fixes the provider’s type. Wetherefore take a provider-centric view of the synchronization constraint, which we point is equivalentto the client-centric approach that sub-synchronizing types take had we removed full subtyping in oursystem since both providers and clients see the equivalent session types. In particular, if A S is sub-synchronizing, then ⊢ ( A S , A S , ⊤ ) dfsync in our system. A drawback to sub-synchronizing types is thatshared session types can only get smaller, meaning cyclic phases cannot be expressed. In our system,we avoid this issue by fixing the provider type and only maintaining the invariant that the client’s view28f the type is bigger, we allow the client to release at not only smaller types but also bigger types andeven unrelated types.There have also been many recent developments in subtyping in the context of multiparty session types[CDCY14; Che+17; Ghi+19; Ghi+20], which are a different class of type systems that describe protocolsbetween an arbitrary number of participants from a neutral global point of view. Understanding therelation of our work to these systems is an interesting item for future work. We have demonstrated a subtyping extension to a subset of
SILL S and showed many examples highlight-ing the expressiveness that this new system provides. Because we worked on a relatively minimalisticsystem to isolate and demonstrate the principal ideas behind subtyping, there is more work to be doneto adopt the notion of subtyping that we proposed to some of the recent discoveries and proposalswith session typed process calculi. Although we believe that our notion of subtyping is consistent withother extensions (to linear logic based typed process calculi), a verification that our proposed form ofsubtyping is indeed compatible with different extensions such as asynchronous communication [PG15],refinement types [DP20], etc. would set this subtyping relation onto a firmer ground.One of the biggest technical contributions that we have made in this work is the careful relaxationof the previously formulated equi-synchronizing constraint, now formulated as the safely synchronizingconstraint, which we find is a key step in making the sharing semantics of shared channels practical forprogramming languages that support message passing concurrency such as Rust [KN19]. It is not clearwhether more relaxations can be made at static level, but a more focused investigation on the topic mayreveal more natural extensions. Another technical discovery we have made is that the extended sharedsession types ˆ A form a lattice. We have found use of the meet operation in our proofs due to the needto find lower bounds of two shared session types when working with the preservation theorem, but wehave not yet found a use for the join operation nor a satisfying interpretation for it.We have demonstrated the need of the trivial shift ↑ LL and ↓ LL to reason about subtyping of modalshifts, which we find is the most insightful discovery in this paper from a foundational perspective. Inparticular, we have not yet considered in detail the meaning of subtyping in other disciplines that areidentified with session types, such as linear logic and modalities from a proof theory perspective andsymmetric monoidal closed categories and adjoints from a category theory perspective. In particular,we believe that we can immediately extend our subtyping discipline to adjoint logic [PP19]; we expandon this in the following section. 29 .1 Affine Mode In many of our examples, shared to linear subtyping made it such that clients can never terminate,requiring us to add explicit exit branches in the external choice. We believe we can include an affinemode F that lies between the shared mode S and the linear mode L which rejects contraction butpermits weakening. We can stratify the affine mode and add appropriate shifts ↑ FL and ↓ FL ; we omit S to F , F to S , and F to F shifts for this presentation for economic reasons, with the following subtypingrelations: A L ≤ B L ↑ SL A L ≤ ↑ FL B L ≤ ↑ SL ↑ FL A L ≤ B L ↑ FL A L ≤ ↑ LL B L ≤ ↑ FL ↑ LL A S ≤ B F ↓ SL A S ≤ ↓ FL B F ≤ ↓ SL ↓ FL A F ≤ B L ↓ FL A F ≤ ↓ LL B L ≤ ↓ FL ↓ LL We can follow the pattern to define the subtyping relation for the remaining shifts ↑ SF , ↑ FF , ↓ SF , and ↓ FF ,although they are not required for this particular example.We now use these new shifts to fix the termination issue with the voting example in Section 3.2. Theprovider’s view is unchanged: voting = ↑ SL & { vote ↓ SL voting ,vote ↓ SL voting ,result :nat ⊗ nat ⊗ ↓ SL voting } However, the client’s view now uses affine modality:voting one = ↑ FL & { vote ↓ FL voting two ,vote ↓ FL voting two ,result :nat ⊗ nat ⊗ ↓ FL voting one } voting two = ↑ FL & { result :nat ⊗ nat ⊗ ↓ FL voting two } where the client views the type of the channel as voting one, which is affine. Since contraction is rejectedin the affine mode, we do not have to worry about the issue with shared modes where clients can ignorethe freshly released channels and repeatedly use the initial channel. However, since weakening is allowedin the affine mode, (linear) clients can freely terminate while holding a reference to the affine channel.More generally, we can work in adjoint logic which allows us to reason about arbitrary modalitiesfollowing a partial order that is monotonic in the set of substructural rules that it allows. For example,in the affine extension we have described, the partial order of modalities go L ≤ F ≤ S , and we canindeed verify that the set of substructural rules for each modality respects the partial order: { E } ⊆{ E, W } ⊆ {
E, W, C } where E stands for exchange, W for weakening, and C for contraction.30 eferences [AP16] Co¸sku Acay and Frank Pfenning. “Intersections and Unions of Session Types”. In: . Ed. by N. Kobayashi.Porto, Portugal: EPTCS 242, June 2016, pp. 4–19.[BP17] Stephanie Balzer and Frank Pfenning. “Manifest Sharing with Session Types”. In: Inter-national Conference on Functional Programming (ICFP) . Extended version available asTechnical Report CMU-CS-17-106R, June 2017. ACM, Sept. 2017, 37:1–37:29.[CDCY14] Tzu-Chun Chen, Mariangiola Dezani-Ciancaglini, and Nobuko Yoshida. “On the Precisenessof Subtyping in Session Types”. In:
Proceedings of the Conference on Principles and Practiceof Declarative Programming (PPDP’14) . Canterbury, UK: ACM, Sept. 2014.[Che+17] Tzu-chun Chen et al. “On the Preciseness of Subtyping in Session Types”. In:
Logical Meth-ods in Computer Science
Volume 13, Issue 2 (June 2017). doi : . url : https://lmcs.episciences.org/3752 .[CHP99] Karl Crary, Robert Harper, and Sidd Puri. “What is a Recursive Module?” In: In SIG-PLAN Conference on Programming Language Design and Implementation . ACM Press,1999, pp. 50–63.[CP10] Lu´ıs Caires and Frank Pfenning. “Session Types as Intuitionistic Linear Propositions”. In:
Proceedings of the 21st International Conference on Concurrency Theory (CONCUR 2010) .Paris, France: Springer LNCS 6269, Aug. 2010, pp. 222–236.[CS09] Iliano Cervesato and Andre Scedrov. “Relating State-Based and Process-Based Concurrencythrough Linear Logic”. In:
Information and Computation . IEEE. 2021, forthcoming.[DP20] Ankush Das and Frank Pfenning. “Session Types with Arithmetic Refinements”. In: . Ed. by I. Konnov andL. Kov´acs. Vienna, Austria: LIPIcs 171, Sept. 2020, 13:1–13:18.[GH05] Simon J. Gay and Malcolm Hole. “Subtyping for Session Types in the π -Calculus”. In: ActaInformatica
Journalof Logical and Algebraic Methods in Programming
104 (2019), pp. 127 –173. issn : 2352-2208. doi : https://doi.org/10.1016/j.jlamp.2018.12.002 . url : .[Ghi+20] Silvia Ghilezan et al. Precise Subtyping for Asynchronous Multiparty Sessions . 2020. arXiv: . 31Hon93] Kohei Honda. “Types for Dyadic Interaction”. In: . CONCUR’93. Springer LNCS 715, 1993, pp. 509–523.[HVK98] Kohei Honda, Vasco T. Vasconcelos, and Makoto Kubo. “Language Primitives and TypeDiscipline for Structured Communication-Based Programming”. In: . Springer LNCS 1381, 1998,pp. 122–138.[KN19] Steve Klabnik and Carol Nichols. “The Rust Programming Language (Covers Rust 2018)”.In: No Starch Process, Aug. 2019. Chap. 16.[MM84] Don P. Mitchell and Michael Merritt. “A Distributed Algorithm for Deadlock Detectionand Resolution”. In:
Symposium on Principles of Distributed Computation (PODC 1984) .ACM. Vancouver, British Columbia, Aug. 1984, pp. 282–284.[PG15] Frank Pfenning and Dennis Griffith. “Polarized Substructural Session Types”. In:
Proceed-ings of the 18th International Conference on Foundations of Software Science and Compu-tation Structures (FoSSaCS 2015) . Ed. by A. Pitts. Invited talk. London, England: SpringerLNCS 9034, Apr. 2015, pp. 3–22.[PP19] Klaas Pruiksma and Frank Pfenning. “A Message-Passing Interpretation of Adjoint Logic”.In:
Workshop on Programming Language Approaches to Concurrency and Communication-Centric Software (PLACES) . Ed. by F. Martins and D. Orchard. Prague, Czech Republic:EPTCS 291, Apr. 2019, pp. 60–79.[San19] Chuta Sano. “On Session Typed Contracts for Imperative Languages”. Available as Techni-cal Report CMU-CS-19-13. M.S. Thesis. Department of Computer Science, Carnegie MellonUniversity, Dec. 2019.[San20] Ishani Santurkar. Personal communication. Oct. 2020.[Ton15] Bernardo Toninho. “A Logical Foundation for Session-based Concurrent Computation”.Available as Technical Report CMU-CS-15-109. PhD thesis. Carnegie Mellon Universityand Universidade Nova de Lisboa, May 2015.[Wad12] Philip Wadler. “Propositions as Sessions”. In:
Proceedings of the 17th International Con-ference on Functional Programming . ICFP 2012. Copenhagen, Denmark: ACM Press, Sept.2012, pp. 273–286.[WPP17] Max Willsey, Rokhini Prabhu, and Frank Pfenning. “Design and Implementation of Con-current C0”. In:
Electronic Proceedings in Theoretical Computer Science
238 (Jan. 2017),pp. 73–82. doi : .32 Subtyping Relation
A.1 Subtyping of session types
As mentioned previously, the subtyping rules are defined coinductively. ≤ ≤ A L ≤ A ′ L B L ≤ B ′ L A L ⊗ B L ≤ A ′ L ⊗ B ′ L ≤ ⊗ A ′ L ≤ A L B L ≤ B ′ L A L ⊸ B L ≤ A ′ L ⊸ B ′ L ≤ ⊸ ∀ i ∈ l A i L ≤ A ′ i L ⊕{ l : A L } ≤ ⊕{ l : A ′ L , m : B L } ≤ & ∀ i ∈ l A i L ≤ A ′ i L & { l : A L , m : B L } ≤ & { l : A ′ L } ≤ & A L ≤ B L ↑ SL A L ≤ ↑ SL B L ≤ ↑ SL A L ≤ B L ↑ LL A L ≤ ↑ LL B L ≤ ↑ LL A L ≤ B L ↑ SL A L ≤ ↑ LL B L ≤ ↑ SL ↑ LL A S ≤ B S ↓ SL A S ≤ ↓ SL B S ≤ ↓ SL A L ≤ B L ↓ LL A L ≤ ↓ LL B L ≤ ↓ LL A S ≤ B L ↓ SL A S ≤ ↓ LL B L ≤ ↓ SL ↓ LL A.2 Lemmas
For the following lemmas, we will switch to a set-based formulation of subtyping: A ≤ B is representedas ( A, B ) ∈ st Lemma 1.
Subtyping is a partial orderProof.
We want to show that1. Reflexivity: A ≤ A for any A
2. Anti-symmetricity: A ≤ B ∧ B ≤ A = ⇒ A = B
3. Transitivity: A ≤ B ∧ B ≤ C = ⇒ A ≤ C All cases follow from coinduction on the subtyping rules.33 .2.1 Extended Types
Recall in the safe synchronization formulation, we introduce the extended (shared) typesˆ A ::= ⊥ | ⊤ | A S where ⊥ ≤ A S ≤ ⊤ for any A S . The constants ⊥ and ⊤ are compatible with our subtyping relation so farexcept we emphasize that ⊥ and ⊤ must be taken to be the minimal and maximal shared session typesand not session types in general. For example, it is not the case that ⊥ ≤ ⊥ ≤ ↑ LL A L by transitivity since ↑ SL A ′ L ≤ ↑ LL A L for some A ′ L ≤ A L .In any case, when we fix our elements to constraints, we can define a meet semilattice with the meetoperator ∧ .The meet operator ∧ is defined coinductively from the structure of its arguments. Note that thereare many cases where these rules do not apply – in that case the result of the meet is ⊥ . ∧ → A L ⊗ A ′ L ∧ B L ⊗ B ′ L → ( A L ∧ B L ) ⊗ ( A ′ L ∧ B ′ L ) A L ⊸ A ′ L ∧ B L ⊸ B ′ L → ( A L ∧ B L ) ⊸ ( A ′ L ∧ B ′ L )& { l : A L , m : B L } ∧ & { l : A ′ L , n : C L } → & { l : ( A L ∧ A ′ L ) , m : B L , n : C L }⊕{ l : A L , m : B L } ∧ ⊕{ l : A ′ L , n : C L } → ⊕{ l : ( A L ∧ A ′ L ) } ( l not empty) ↑ SL A L ∧ ↑ SL B L → ↑ SL ( A L ∧ B L ) ↑ SL A L ∧ ↑ LL B L → ↑ SL ( A L ∧ B S ) ↑ LL A L ∧ ↑ SL B L → ↑ SL ( A S ∧ B L ) ↑ LL A L ∧ ↑ LL B L → ↑ LL ( A S ∧ B S ) ↓ SL A S ∧ ↓ SL B S → ↓ SL ( A S ∧ B S ) ↓ SL A S ∧ ↓ LL B L → ↓ SL ( A S ∧ B L ) ↓ LL A L ∧ ↓ SL B S → ↓ SL ( A L ∧ B S ) ↓ LL A L ∧ ↓ LL B L → ↓ LL ( A L ∧ B L ) Intuitively, the idea with this construction is that on external choices, we take the union of the labelson both sides whereas on internal choices, we take the intersection of the labels on both sides. Sincewe do not allow the nullary internal choice ⊕{} in the language, we require that the meet betweentwo internal choices to be non-empty, that is, they must share at least one label. Otherwise, the meetconstruction should fail and therefore produce a ⊥ .34 emma 2. ˆ A ∧ ˆ B is the greatest lower bound between ˆ A and ˆ B .Proof. Commutativity, associativity, and idempotency follows from coinduction on the constructionrules.We next want to show that for any ˆ A and ˆ B ,1. ˆ A ∧ ˆ B ≤ ˆ A
2. ˆ A ∧ ˆ B ≤ ˆ B which again follows from coinduction. Intuitively, this is due to the the set of labels growing on externalchoices (union) and shrinking on internal choices (intersect), which directly align with the subtypingrelation we desire.The final condition is that for any ˆ A and ˆ B , if there exists a ˆ C such that ˆ C ≤ ˆ A and ˆ C ≤ ˆ B , thenˆ C ≤ ˆ A ∧ ˆ B . Remark
We believe that a join operation can be similarly defined except we switch the union andintersects in the external and internal choices respectively while taking the smaller modal shifts insteadof the bigger ones with its maximal type being ⊤ . As of this moment, it is not clear whether thisoperator is immediately applicable, but we mention its existence to complete the lattice. A.3 Subtyping of contexts · ≤ · ≤ · ∆ ≤ ∆ ′ A L ≤ A ′ L ∆ , x L : A L ≤ ∆ ′ , x L : A ′ L ≤ ∆ Γ (cid:22) · (cid:22) · Γ (cid:22) Γ ′ ˆ A ≤ ˆ A ′ Γ , x S : ˆ A (cid:22) Γ ′ , x S : ˆ A ′ (cid:22) Γ Lemma 3.
Type judgments are stable under a smaller shared context.Let Γ ′ (cid:22) Γ , then Γ; ∆ ⊢ P :: ( z L : C L ) → Γ ′ ; ∆ ⊢ P :: ( z L : C L ) .Proof. We first prove the admissibility of the substitution of a shared channel by a smaller type ina typing judgment. In particular, we will begin by showing that if Γ , x S : ˆ A ; ∆ ⊢ P :: ( z L : C L ), thenΓ , x S : ˆ B ; ∆ ⊢ P :: ( z L : C L ) for some ˆ B ≤ ˆ A by induction on the derivation of Γ , x S : ˆ A ; ∆ ⊢ P :: ( z L : C L ).35irst, we begin by pointing out that rules that do not use a S (most of them) are trivial since we canjust appeal to the induction hypothesis on the premise(s) in the appropriate derivation. The rules thatcan use a S are ID S , ID LS , SP LL , SP LS , SP SS , ↑ SL L, ⊸ L S , and ⊗ R S . For these cases, we can confirm thatthe substitution is valid by using the induction hypothesis and using transitivity of ≤ . We will presentone such case: Case . ˆ A ≤ A L Γ , x S : ˆ A ; ∆ ⊢ P :: ( y L : B L )Γ , x S : ˆ A ; ∆ ⊢ send y L x S ; P :: ( y L : A L ⊗ B L ) ⊗ R S Then by induction hypothesis, Γ , x S : ˆ B ; ∆ ⊢ P :: ( y L : B L ). Furthermore, by transitivity, ˆ B ≤ A L . There-fore by ⊗ R S , Γ , x S : ˆ A ; ∆ ⊢ send y L x S ; P :: ( y L : A L ⊗ B L )After showing that substitution by a smaller type in the shared context Γ is admissible, we proceedby induction on Γ ′ (cid:22) Γ. Case . Γ ′ (cid:22) · (cid:22) · Then we have · ; ∆ ⊢ P :: ( z L : C L ). By weakening, we conclude Γ ′ ; ∆ ⊢ P :: ( z L : C L ) Case . Γ (cid:22) Γ ′ ˆ A ≤ ˆ A ′ Γ , x S : ˆ A (cid:22) Γ ′ , x S : ˆ A ′ (cid:22) Γ Then we have Γ , x S : ˆ A ; ∆ ⊢ P :: ( z L : C L ). By induction hypothesis, we have Γ , x S : ˆ A ; ∆ ⊢ P :: ( z L : C L ).Then, since ˆ A ′ ≤ ˆ A , we have Γ , x S : ˆ A ′ ; ∆ ⊢ P :: ( z L : C L ) by previously proved admissibility of substitutionby smaller type for shared context. B Configuration
B.1 Definitions
A configuration consists of a list of shared processes Λ and a list of linear processes Θ. The order ofshared processes have no structure, but the order of linear processes can be seen to form a tree structure;a linear process can use channels offered by processes to its right, and due to linearity, if it is using a36hannel, it must be the unique process doing so.Ω ::= Λ; ΘΛ ::= · | Λ , Λ | proc( a S , P ) | unavail( a S )Θ ::= · | proc( a L , P ) , Θ ′ | connect( a L , b S ) , Θ ′ Well-formedness
Λ is well-formed if for any channel name a , proc( a S , P ) , unavail( a S ) / ∈ Λ. Simi-larly, Θ is well-formed if for any a , Ψ a , Ψ ′ a / ∈ Θ. The configuration Λ; Θ is well-formed if Ψ a ∈ Θ → unavail( a S ) ∈ Λ. B.2 Configuration Typing
A well-formed configuration Λ; Θ is typed by its shared and linear fragments. Γ | = Λ :: (Γ) Γ | = Θ :: (∆)Γ | = Λ; Θ :: (Γ; ∆) Ω B.2.1 Shared Fragment Λ Γ | = · :: ( · ) Λ1 Γ | = Λ :: (Γ ) Γ | = Λ :: (Γ )Γ | = Λ , Λ :: (Γ , Γ ) Λ2 ⊢ ( A ′ S , A S , ⊤ ) dfsync Γ ⊢ P :: ( a S : A ′ S )Γ | = proc( a S , P ) :: ( a S : A S ) Λ3 Γ | = unavail( a S ) :: ( a S : ˆ A ) Λ4 B.2.2 Linear Fragment Θ Γ | = · :: ( · ) Θ1 b S : ˆ B ∈ Γ b S ≤ A L Γ | = Θ ′ :: (∆ ′ )Γ | = connect( a L , b S ) , Θ ′ :: ( a : A L , ∆ ′ ) Θ2 a S : ˆ A ∈ Γ ⊢ ( A ′ L , A L , ˆ A ) dfsync Γ; ∆ a ⊢ P :: ( a L : A ′ L ) Γ | = Θ ′ :: (∆ a , ∆ ′ )Γ | = proc( a L , P ) , Θ ′ :: ( a : A L , ∆ ′ ) Θ3 .3 Meta Theory Lemma 4. If Γ | = Ψ , Θ :: (∆) , then Γ | = Θ :: (∆ ′ ) for some ∆ ′ .More generally, if Γ | = Θ , Θ :: (∆) , then Γ | = Θ :: (∆ ′ ) for some ∆ ′ .Proof. For the first part, by case analysis on the derivation of Γ | = Ψ , Θ :: (∆). In both cases (Θ2 andΘ3), we directly see that Γ | = Θ :: (∆ ′ ) for some ∆ ′ .For the second part, we can repeatedly apply the first part sequentially for every Ψ ∈ Θ . Lemma 5. If Γ | = Ψ , Θ :: (∆) , Γ | = Θ :: (∆ p ) , and Γ | = Θ ′ :: (∆ p ) , then Γ | = Ψ , Θ ′ :: (∆) More generally, if Γ | = Θ , Θ :: (∆) , Γ | = Θ :: (∆ p ) , and Γ | = Θ ′ :: (∆ p ) , then Γ | = Θ , Θ :: ( a L : A L , ∆) Proof.
For the first part, by case analysis on the derivation of Γ | = Ψ , Θ :: (∆). In both cases (Θ2 andΘ3), we can directly substitute Θ ′ for Θ where it appears in the configuration judgment.For the second part, we can repeatedly apply the first part sequentially for every Ψ ∈ Θ . Remark
It turns out that we can prove a stronger property that we can replace Θ with Θ ′ that offersa subtype of what Θ offers, but we will only need this weaker lemma that requires the offering types tobe equivalent for this paper. Lemma 6. If Γ | = Ψ a , Θ , Ψ b , Θ :: ( a L : A L , ∆) and Ψ a uses b L , then Γ | = Ψ a , Ψ b , Θ , Θ :: ( a L : A L , ∆) Proof.
By well-formedness, Ψ b is the only process in the configuration offering b L . Furthermore bylinearity, there can only be one process that use b L , which is Ψ a by assumption, so b L will not beconsumed by any processes in Θ . Therefore, we can repeatedly move Ψ b to the left in the configurationuntil it is to the right of Ψ a , the unique process using b L . Lemma 7. If Γ | = Ψ a , Θ ′ :: ( a L : A ′ L , ∆ ′ ) , then for any B L such that A ′ L ≤ B L , Γ | = Ψ a , Θ ′ :: ( a L : B L , ∆ ′ ) .Proof. By inversion on the derivation of Γ | = Ψ a , Θ ′ :: ( a L : A ′ L , ∆).38 ase . b S : ˆ B ∈ Γ ˆ b ≤ A L Γ | = Θ ′ :: (∆ ′ )Γ | = connect( a L , b S ) , Θ ′ :: ( a : A L , a L : A ′ L , ∆ ′ ) Θ2By transitivity, ˆ B ≤ B L therefore Γ | = connect( a L , b S ) , Θ ′ :: ( a : A L , a L : B L , ∆ ′ ) Case . a S : ˆ A ∈ Γ ⊢ ( A ′ L , A L , ˆ A ) dfsync Γ; ∆ a ⊢ P :: ( a L : A ′ L ) Γ | = Θ ′ :: (∆ a , ∆ ′ )Γ | = proc( a L , P ) , Θ ′ :: ( a : A L , ∆ ′ ) Θ3By transitivity, A ′ L ≤ B L and therefore ⊢ ( A ′ L , B L , ˆ A ) dfsync by Lemma 10.Therefore, Γ | = proc( a L , P ) , Θ ′ :: ( a : A L , ∆ ′ ) Lemma 8.
Substitution by a smaller shared context is admissible. Let Γ ′ (cid:22) Γ then1. If Γ | = Θ :: (∆) for some Θ , ∆ , then Γ ′ | = Θ :: (∆)
2. If Γ | = Λ :: (Γ ′′ ) for some Λ , Γ ′′ , then Γ ′ | = Θ :: (Γ ′′ ) Proof.
For the first part, by induction on the derivation of Γ | = Θ :: (∆). Case . Γ | = · :: ( · ) Θ1Any Γ applies, so in particular any Γ ′ (cid:22) Γ will as well.
Case . b S : ˆ B ∈ Γ ˆ B ≤ A L Γ | = Θ ′ :: (∆ ′ )Γ | = connect( a L , b S ) , Θ ′ :: ( a : A L , ∆ ′ ) Θ2By exchange, we can assume without loss of generality that Γ = b S : ˆ B, Γ r . Similarly, we can assumewithout loss of generality that Γ ′ = b S : ˆ B ′ , Γ ′ r where ˆ B ′ ≤ ˆ B and Γ ′ r (cid:22) Γ.ˆ B ′ ≤ A L follows by transitivity of ≤ and Γ ′ | = Θ ′ :: (∆ a , ∆ ′ ) follows from induction hypothesis. There-fore, Γ ′ | = connect( a L , b S ) , Θ ′ :: ( a : A L , ∆ ′ ) Case . a S : ˆ A ∈ Γ ⊢ ( A ′ L , A L , ˆ A ) dfsync Γ; ∆ a ⊢ P :: ( a L : A ′ L ) Γ | = Θ ′ :: (∆ a , ∆ ′ )Γ | = proc( a L , P ) , Θ ′ :: ( a : A L , ∆ ′ ) Θ3By exchange, we can assume without loss of generality that Γ = a S : ˆ A, Γ r . Similarly, we can assumewithout loss of generality that Γ ′ = a S : ˆ A ′ , Γ ′ r where ˆ B ′ ≤ ˆ B and Γ ′ r (cid:22) Γ. ⊢ ( A ′ L , A L , ˆ A ′ ) dfsync follows from Lemma 12, Γ ′ ; ∆ a ⊢ P :: ( a L : A ′ L ) follows from Lemma 3, andΓ ′ | = Θ ′ :: (∆ a , ∆ ′ ) follows from induction hypothesis. Therefore,Γ ′ | = proc( a L , P ) , Θ ′ :: ( a : A L , ∆ ′ )39or the second part, by induction on the derivation of Γ | = Λ :: (∆ ′ ) Case . Γ | = · :: ( · ) Λ1Any Γ applies, so in particular any Γ ′ (cid:22) Γ will as well.
Case . Γ | = Λ :: (Γ ) Γ | = Λ :: (Γ )Γ | = Λ , Λ :: (Γ , Γ ) Λ2Both Γ ′ | = Λ :: (Γ ) and Γ ′ | = Λ :: (Γ ) follow from induction hypothesis. Therefore,Γ ′ | = Λ , Λ :: (Γ , Γ ) Case . ⊢ ( A ′ S , A S , ⊤ ) dfsync Γ ⊢ P :: ( a S : A ′ S )Γ | = proc( a S , P ) :: ( a S : A S ) Λ3Γ ′ ⊢ P :: ( a S : A ′ S ) follows from Lemma 3. Therefore,Γ | = proc( a S , P ) :: ( a S : A S ) Case . Γ | = unavail( a S ) :: ( a S : ˆ A ) Λ4Any Γ applies, so in particular any Γ ′ (cid:22) Γ will as well.
Lemma 9.
Given a well-formed
Λ; Θ , ∀ proc ( a S , − ) ∈ Λ , Ψ a / ∈ Θ Proof.
By well-formedness of Λ, proc( a S , − ) ∈ Λ means that unavail( a S ) / ∈ Λ. By the contrapositive ofwell-formedness of Λ; Θ, unavail( a S ) / ∈ Λ = ⇒ Ψ a / ∈ Θ C Safely Synchronizing
C.1 Rules
As introduced previously, the safely synchronizing judgment rules are defined coinductively. ⊢ (1 , , ˆ D ) dfsync D ⊢ ( B L , B ′ L , ˆ D ) dfsync ⊢ ( A L ⊗ B L , A ′ L ⊗ B ′ L , ˆ D ) dfsync D ⊗ ⊢ ( B L , B ′ L , ˆ D ) dfsync ⊢ ( A L ⊸ B L , A ′ L ⊸ B ′ L , ˆ D ) dfsync D ⊸ i ∈ l ⊢ ( A i L , A ′ i L , ˆ D ) dfsync ⊢ ( ⊕{ l : A L } , ⊕{ l : A ′ L , m : B L } , ˆ D ) dfsync D ⊕ ∀ i ∈ l ⊢ ( A i L , A ′ i L , ˆ D ) dfsync ⊢ (& { l : A L , m : B L } , & { l : A ′ L } , ˆ D ) dfsync D & ⊢ ( A L , A ′ L , ˆ D ) dfsync ⊢ ( ↑ LL A L , ↑ LL A ′ L , ˆ D ) dfsync D ↑ LL ⊢ ( A L , A ′ L , ˆ D ) dfsync ⊢ ( ↓ LL A L , ↓ LL A ′ L , ˆ D ) dfsync D ↓ LL ⊢ ( A L , A ′ L , ↑ SL A L ) dfsync ⊢ ( ↑ SL A L , ↑ SL A ′ L , ⊤ ) dfsync D ↑ SL ⊢ ( A S , A ′ S , ⊤ ) dfsync ↓ SL A S ≤ ˆ D ⊢ ( ↓ SL A S , ↓ SL A ′ S , ˆ D ) dfsync D ↓ SL ⊢ ( A L , A ′ L , ↑ SL A L ) dfsync ⊢ ( ↑ SL A L , ↑ LL A ′ L , ⊤ ) dfsync D ↑ SL ↑ LL ⊢ ( A S , A ′ L , ⊤ ) dfsync ↓ SL A S ≤ ˆ D ⊢ ( ↓ SL A S , ↓ LL A ′ L , ˆ D ) dfsync D ↓ SL ↓ LL C.2 Lemmas
To prove the following lemmas, we switch to a set-based formulation of safe synchronization; ⊢ ( A, B, ˆ D ) dfsyncis written as ( A, B, ˆ D ) ∈ dfsync. We also define a monotone map F from the coinductive definition ofdfsync, giving us dfsync ∈ F (dfsync); that is, dfsync is F -consistent.The first lemma says that we can replace the second argument with a bigger type: Lemma 10. If A ≤ B ≤ C with all same modalities (that is, A, B, C are either all linear or all shared)and ⊢ ( A, B, ˆ D ) dfsync, then ⊢ ( A, C, ˆ D ) dfsync for some ˆ D .Proof. We want to show that dfsync ′ ::= dfsync ∪ dfsync ⇑ is F -consistent with dfsync ⇑ ::= { ( A, C, ˆ D ) | ∃ B.B ≤ C ∧ ( A, B, ˆ D ) ∈ dfsync } Again, where
A, B, C must all be of the same modality.We will prove F -consistency of dfsync ′ , that is, dfsync ′ ∈ F (dfsync ′ ) by showing that each of the twosets dfsync and dfsync ⇑ are subsets of F (dfsync ′ ).First, dfsync ⊆ F (dfsync ′ ) immediately follows because dfsync ⊆ F (dfsync) and F (dfsync) ⊆ F (dfsync ′ ) by monotonicity of F given dfsync ⊆ dfsync ′ .We will now consider dfsync ⇑ ∈ F (dfsync ′ ) by case analysis on the structure of A . We can uniquelyinfer the structure of B and C from the structure of A by inversion on the appropriate subtyping rulefor most cases. 41 ase . A = ↑ LL A ′ L ; then B = ↑ LL B ′ L and C = ↑ LL C ′ L with A ′ L ≤ B ′ L ≤ C ′ L .( ↑ LL A ′ L , ↑ LL C ′ L , ˆ D ) ∈ dfsync ⇑ , ( ↑ LL A ′ L , ↑ LL B ′ L , ˆ D ) ∈ dfsync (this case)( A ′ L , B ′ L , ˆ D ) ∈ dfsync (by inversion on D ↑ LL )( A ′ L , C ′ L , ˆ D ) ∈ dfsync ⇑ (by definition of dfsync ⇑ with B ′ L ≤ C ′ L )( A ′ L , C ′ L , ˆ D ) ∈ dfsync ′ (since dfsync ⇑ ⊆ dfsync ′ )( ↑ LL A ′ L , ↑ LL C ′ L , ˆ D ) ∈ F (dfsync ′ ) (by D ↑ LL ) ↓ LL , ⊗ , and ⊸ follow a similar pattern of appealing to the covariance of subtyping on the continuationtypes. Case . A = ⊕{ l : A L } ; then B = ⊕{ l : B L , m : B L } and C = ⊕{ l : C L , m : C L , n : C L } with A i L ≤ B i L ≤ C i L ∀ i ∈ l and B i L ≤ C i L ∀ i ∈ m .( ⊕{ l : A L } , ⊕{ l : C L , m : C L , n : C L } , ˆ D ) ∈ dfsync ⇑ ( ⊕{ l : A L } , ⊕{ l : B L , m : B L } , ˆ D ) ∈ dfsync (this case)( ∀ i ∈ l ) ( A i L , B i L , ˆ D ) ∈ dfsync (by inversion on D ⊕ )( ∀ i ∈ l ) ( A i L , C i L , ˆ D ) ∈ dfsync ⇑ (by definition of dfsync ⇑ with B i L ≤ C i L )( ∀ i ∈ l ) ( A i L , C i L , ˆ D ) ∈ dfsync ′ (since dfsync ⇑ ⊆ dfsync ′ )( ⊕{ l : A L } , ⊕{ l : C L , m : C L , n : C L } , ˆ D ) ∈ F (dfsync ′ ) (by D ⊕ ) D & follows a similar pattern. Case . A = ↓ SL A S ; then there are three possible assignments to B and C that satisfies the subtypingconstraints, so we will continue by subcasing on the structure of B and C . Subcase . B = ↓ SL B S and C = ↓ SL C S with A S ≤ B S ≤ C S .( ↓ SL A S , ↓ SL C S , ˆ D ) ∈ dfsync ⇑ , ( ↓ SL A S , ↓ SL B S , ˆ D ) ∈ dfsync (this case)( A S , B S , ⊤ ) ∈ dfsync , A S ≤ ˆ D (by inversion on D ↓ SL )( A S , C S , ⊤ ) ∈ dfsync ⇑ (by definition of dfsync ⇑ with B S ≤ C S )( A S , C S , ⊤ ) ∈ dfsync ′ (since dfsync ⇑ ⊆ dfsync ′ )( ↓ SL A S , ↓ SL C S , ˆ D ) ∈ F (dfsync ′ ) (by D ↓ SL )42 ubcase . B = ↓ SL B S and C = ↓ LL C L with A S ≤ B S ≤ C L .( ↓ SL A S , ↓ LL C L , ˆ D ) ∈ dfsync ⇑ , ( ↓ SL A S , ↓ SL B S , ˆ D ) ∈ dfsync (this case)( A S , B S , ⊤ ) ∈ dfsync , A S ≤ ˆ D (by inversion on D ↓ SL )( A S , C L , ⊤ ) ∈ dfsync ⇑ (by definition of dfsync ⇑ with B S ≤ C L )( A S , C L , ⊤ ) ∈ dfsync ′ (since dfsync ⇑ ⊆ dfsync ′ )( ↓ SL A S , ↓ LL C L , ˆ D ) ∈ F (dfsync ′ ) (by D ↓ SL ) Subcase . B = ↓ LL B L and C = ↓ LL C L with A S ≤ B L ≤ C L .( ↓ SL A S , ↓ LL C L , ˆ D ) ∈ dfsync ⇑ , ( ↓ SL A S , ↓ LL B L , ˆ D ) ∈ dfsync (this case)( A S , B L , ⊤ ) ∈ dfsync , A S ≤ ˆ D (by inversion on D ↓ SL ↓ LL )( A S , C L , ⊤ ) ∈ dfsync ⇑ (by definition of dfsync ⇑ with B L ≤ C L )( A S , C L , ⊤ ) ∈ dfsync ′ (since dfsync ⇑ ⊆ dfsync ′ )( ↓ SL A S , ↓ LL C L , ˆ D ) ∈ F (dfsync ′ ) (by D ↓ SL ) Case . A = ↑ SL A L ; then there are three possible assignments to B and C that satisfies the subtypingconstraints, so we will continue by subcasing on the structure of B and C . Subcase . B = ↑ SL B L and C = ↑ SL C L with A L ≤ B L ≤ C L .( ↑ SL A L , ↑ SL C L , ⊤ ) ∈ dfsync ⇑ , ( ↑ SL A L , ↑ SL B L , ⊤ ) ∈ dfsync (this case)( A L , B L , ↑ SL A L ) ∈ dfsync (by inversion on D ↑ SL )( A L , C L , ↑ SL A L ) ∈ dfsync ⇑ (by definition of dfsync ⇑ with A L ≤ B L )( A L , C L , ↑ SL A L ) ∈ dfsync ′ (since dfsync ⇑ ⊆ dfsync ′ )( ↑ SL A L , ↑ SL C L , ⊤ ) ∈ F (dfsync ′ ) (by D ↑ SL ) Subcase . B = ↑ SL B L and C = ↑ LL C L with A L ≤ B L ≤ C L .( ↑ SL A L , ↑ LL C L , ⊤ ) ∈ dfsync ⇑ , ( ↑ SL A L , ↑ SL B L , ⊤ ) ∈ dfsync (this case)( A L , B L , ↑ SL A L ) ∈ dfsync (by inversion on D ↑ SL )( A L , C L , ↑ SL A L ) ∈ dfsync ⇑ (by definition of dfsync ⇑ with A L ≤ B L )( A L , C L , ↑ SL A L ) ∈ dfsync ′ (since dfsync ⇑ ⊆ dfsync ′ )( ↑ SL A L , ↑ LL C L , ⊤ ) ∈ F (dfsync ′ ) (by D ↑ SL )43 ubcase . B = ↑ LL B L and C = ↑ LL C L with A L ≤ B L ≤ C L .( ↑ SL A L , ↑ LL C L , ⊤ ) ∈ dfsync ⇑ , ( ↑ SL A L , ↑ LL B L , ⊤ ) ∈ dfsync (this case)( A L , B L , ↑ SL A L ) ∈ dfsync (by inversion on D ↑ SL ↑ LL )( A L , C L , ↑ SL A L ) ∈ dfsync ⇑ (by definition of dfsync ⇑ with A L ≤ B L )( A L , C L , ↑ SL A L ) ∈ dfsync ′ (since dfsync ⇑ ⊆ dfsync ′ )( ↑ SL A L , ↑ LL C L , ⊤ ) ∈ F (dfsync ′ ) (by D ↑ SL )We missed one case, when A = B = C = 1, but this case is trivial since dfsync ⇑ does not add anynew members to the set.The next lemma says that we can replace the first argument with a smaller type if the result is alreadysafely synchronizing with some other constraint: Lemma 11. If A ≤ B ≤ C with all same modalities, ⊢ ( B, C, ˆ D ) dfsync, and ⊢ ( A, C, ˆ E ) dfsync, then ⊢ ( A, C, ˆ D ) dfsync for some ˆ D and ˆ E .Proof. We want to show that dfsync ′ ::= dfsync ∪ dfsync ⇓ is F -consistent withdfsync ⇓ ::= { ( A, C, ˆ D ) | ∃ B.A ≤ B ∧ ( B, C, ˆ D ) ∈ dfsync ∧ ∃ ˆ E. ( A, C, ˆ E ) ∈ dfsync } The proof is very similar in style to the previous lemma, but there is one additional constraint that(
A, C, ˆ E ) ∈ dfsync for any constraint ˆ E . This assumption is only necessary for the ↑ SL case.In any case, we will prove F -consistency of dfsync ′ , that is, dfsync ′ ∈ F (dfsync ′ ) by showing that eachof the three sets dfsync and dfsync ⇓ are subsets of F (dfsync ′ ).First, dfsync ⊆ F (dfsync ′ ) immediately follows from the same argument as in the previous proof.We will now consider dfsync ⇓ ∈ F (dfsync ′ ) by case analysis on the structure of B . Because all of A, B, C have the same modality, we can uniquely infer the structure of A and C from the structure of B by inversion on the appropriate subtyping rule. 44 ase . A = ↑ LL A ′ L ; then B = ↑ LL B ′ L and C = ↑ LL C ′ L with A ′ L ≤ B ′ L ≤ C ′ L .( ↑ LL A ′ L , ↑ LL C ′ L , ˆ D ) ∈ dfsync ⇓ , ( ↑ LL B ′ L , ↑ LL C ′ L , ˆ D ) ∈ dfsync (this case)( B ′ L , C ′ L , ˆ D ) ∈ dfsync (by inversion on D ↑ LL )( A ′ L , C ′ L , ˆ D ) ∈ dfsync ⇓ (by definition of dfsync ⇓ with A ′ L ≤ B ′ L )( A ′ L , C ′ L , ˆ D ) ∈ dfsync ′ (since dfsync ⇓ ⊆ dfsync ′ )( ↑ LL A ′ L , ↑ LL C ′ L , ˆ D ) ∈ F (dfsync ′ ) (by D ↑ LL ) ↓ LL , ⊗ , and ⊸ follow a similar pattern of appealing to the covariance of subtyping on the continuationtypes. Case . A = ⊕{ l : A L } ; then B = ⊕{ l : B L , m : B L } and C = ⊕{ l : C L , m : C L , n : C L } with A i L ≤ B i L ≤ C i L ∀ i ∈ l and B i L ≤ C i L ∀ i ∈ m .( ⊕{ l : A L } , ⊕{ l : C L , m : C L , n : C L } , ˆ D ) ∈ dfsync ⇓ ( ⊕{ l : B L , m : B L } , ⊕{ l : C L , m : C L , n : C L } , ˆ D ) ∈ dfsync (this case)( ∀ i ∈ l, m ) ( B i L , C i L , ˆ D ) ∈ dfsync (by inversion on D ⊕ )( ∀ i ∈ l ) ( A i L , C i L , ˆ D ) ∈ dfsync ⇓ (by definition of dfsync ⇓ with A i L ≤ B i L )( ∀ i ∈ l ) ( A i L , C i L , ˆ D ) ∈ dfsync ′ (since dfsync ⇓ ⊆ dfsync ′ )( ⊕{ l : A L } , ⊕{ l : C L , m : C L , n : C L } , ˆ D ) ∈ F (dfsync ′ ) (by D ⊕ ) D & follows a similar pattern. Case . A = ↓ SL A S ; similar to the proof of Lemma 10, there are three possible assignments for B and C . We will present one of those subcases: let B = ↓ SL B S and C = ↓ SL C S with A S ≤ B S ≤ C S . The othertwo cases are similar.( ↓ SL A S , ↓ SL C S , ˆ D ) ∈ dfsync ⇓ , ( ↓ SL B S , ↓ SL C S , ˆ D ) ∈ dfsync (this case)( B S , C S , ⊤ ) ∈ dfsync , B S ≤ ˆ D (by inversion on D ↓ SL )( A S , C S , ⊤ ) ∈ dfsync ⇓ (by definition of dfsync ⇓ with A S ≤ B S )( A S , C S , ⊤ ) ∈ dfsync ′ (since dfsync ⇓ ⊆ dfsync ′ ) A S ≤ ˆ D (because A S ≤ B S ≤ ˆ D )( ↓ SL A S , ↓ SL C S , ˆ D ) ∈ F dfsync ′ (by D ↓ SL ) Case . A = ↑ SL A L ; again, there are three possible assignments for B and C , and we will take the subcasewhen B = ↑ SL B L and C = ↑ SL C L with A L ≤ B L ≤ C L . The other two cases are similar. This case finally45ses our assumption that ( A, C, ˆ E ) ∈ dfsync – ˆ E must be ⊤ due to A = ↑ SL A L .( ↑ SL A L , ↑ SL C L , ⊤ ) ∈ dfsync ⇓ , ( ↑ SL B L , ↑ SL C L , ⊤ ) ∈ dfsync (this case)( ↑ SL A L , ↑ SL C L , ⊤ ) ∈ dfsync (By assumption with ˆ E = ⊤ )( A L , C L , ↑ SL A L ) ∈ dfsync (by inversion on D ↑ SL )( A L , C L , ↑ SL A L ) ∈ dfsync ′ (since dfsync ⊆ dfsync ′ )( ↑ SL A L , ↑ SL C L , ⊤ ) ∈ F (dfsync ′ ) (by D ↑ SL )We missed one case, when A = B = C = 1, but this case is trivial since dfsync ⇓ does not add anynew members to the set.The next lemma allows us to replace the third argument (the constraint) with a smaller one if thefirst argument is linear: Lemma 12. If ⊢ ( A L , B L , ˆ C ) dfsync and ˆ D ≤ ˆ C , then ⊢ ( A L , B L , ˆ D ) dfsync for some A L , B L , ˆ C, and ˆ D .Proof. By coinduction where dfsync ′ = dfsync ∪ dfsync ˆ ⇓ such thatdfsync ˆ ⇓ = { ( A L , B L , ˆ D ) | ∃ ˆ C. ˆ D ≤ ˆ C ∧ ( A L , B L , ˆ C ) ∈ dfsync } We proceed by case analysis on the structure of A L ; most of the cases are trivial and follow a similarstyle to the previous proofs. An important case that we will present is when A L = ↓ SL A S for some A S .We will take the case when B L = ↓ SL B S for some B S since the case when B L = ↓ LL B ′ L follows a similarpattern. ( ↓ SL A S , B L , ˆ D ) ∈ dfsync ˆ ⇓ , ( ↓ SL A S , B L , ˆ C ) ∈ dfsync (this case)( A S , B S , ⊤ ) ∈ dfsync , A S ≤ ˆ C (by inversion on D ↓ SL )( A S , B S , ⊤ ) ∈ dfsync ′ (since dfsync ⊆ dfsync ′ )( ↓ SL A S , ↓ SL C S , E S ) ∈ F (dfsync ′ ) (by D ↓ SL with A S ≤ ˆ D by transitivity of ≤ )The final lemma again deals with the constraint; if we find that the same pair of types is safelysynchronizing with respect to two constraints, we can replace it with its meet defined in Lemma 2: Lemma 13. If ⊢ ( A L , B L , ˆ C ) dfsync and ⊢ ( A L , B L , ˆ D ) dfsync, then ⊢ ( A L , B L , ˆ C ∧ ˆ D ) dfsync for some A L , B L , ˆ C, and ˆ D . roof. First, recall that ⊢ ( A L , B L , − ) dfsync requires that A L ≤ B L . We want to show thatdfsync ′ ::= dfsync ∪ dfsync ∧ is F -consistent withdfsync ∧ ::= { ( A L , B L , ˆ C ∧ ˆ D ) | ( A L , B L , ˆ C ) ∈ dfsync ∧ ( A L , B L , ˆ D ) ∈ dfsyncAs per usual, we will prove F -consistency of dfsync ′ , that is, dfsync ′ ∈ F (dfsync ′ ) by showing thateach of the two sets dfsync and dfsync ∧ are subsets of F (dfsync ′ ).dfsync ⊆ F (dfsync ′ ) immediately follows from the same argument as in previous lemmas.We will now consider dfsync ∧ ∈ F (dfsync ′ ) by case analysis on the structure of A L . We can infer thestructure of B L by inversion on the appropriate subtyping rule. For ease of presentation, let ˆ E = ˆ C ∧ ˆ D ;we will expand ˆ E whenever necessary. Case . A L = ↑ LL A ′ L ; then B L = ↑ LL B ′ L with A ′ L ≤ B ′ L .( ↑ LL A ′ L , ↑ LL B ′ L , ˆ E ) ∈ dfsync ∧ , ( ↑ LL A ′ L , ↑ LL B ′ L , ˆ C ) ∈ dfsync , ( ↑ LL A ′ L , ↑ LL B ′ L , ˆ D ) ∈ dfsync (this case)( A ′ L , B ′ L , ˆ C ) ∈ dfsync , ( A ′ L , B ′ L , ˆ D ) ∈ dfsync (by inversion on D ↑ LL )( A ′ L , B ′ L , ˆ E ) ∈ dfsync ∧ (by definition of dfsync ∧ )( A ′ L , B ′ L , ˆ E ) ∈ dfsync ′ (since dfsync ∧ ⊆ dfsync ′ )( ↑ LL A ′ L , ↑ LL B ′ L , ˆ E ) ∈ F (dfsync ′ ) (by D ↑ LL ) ↓ LL , ⊗ , and ⊸ follow a similar pattern of appealing to the continuation types. Case . A L = ⊕{ l : A L } ; then B L = ⊕{ l : B L , m : B L } ; with A i L ≤ B i L ∀ i ∈ l .( ⊕{ l : A L } , ⊕{ l : B L , m : B L } , ˆ E ) ∈ dfsync ∧ ( ⊕{ l : A L } , ⊕{ l : B L , m : B L } , ˆ C ) ∈ dfsync , ( ⊕{ l : A L } , ⊕{ l : B L , m : B L } , ˆ D ) ∈ dfsync (this case)( ∀ i ∈ l ) ( A i L , B i L , ˆ C ) ∈ dfsync , ( A i L , B i L , ˆ D ) ∈ dfsync , (by inversion on D ⊕ )( ∀ i ∈ l ) ( A i L , B i L , ˆ E ) ∈ dfsync ∧ (by definition of dfsync ∧ )( ∀ i ∈ l ) ( A i L , B i L , ˆ E ) ∈ dfsync ′ (since dfsync ∧ ⊆ dfsync ′ )( ⊕{ l : A L } , ⊕{ l : B L , m : B L } , ˆ E ) ∈ F (dfsync ′ ) (by D ⊕ ) D & follows a similar pattern. 47 ase . A L = ↓ SL A S ; then there are two subcases for the structure of B L . We shall take the case when B L = ↓ SL B S with A S ≤ B S , but the other case, when B L = ↓ LL B ′ L follows a similar pattern.At this point we realize what ˆ E has to be – either ˆ E = ⊥ , in which case we want to derive a contradictionfor this case (the ⊥ constraint requires that there be no releases) or ˆ E = E S meaning ˆ E is a non-trivialmeet. Subcase . ˆ E = ⊥ .( ↓ SL A S , ↓ SL B S , ⊥ ) ∈ dfsync ∧ , ( ↓ SL A S , ↓ SL B S , ˆ C ) ∈ dfsync , ( ↓ SL A S , ↓ SL B S , ˆ D ) ∈ dfsync (this case)( A S , B S , ⊤ ) ∈ dfsync , A S ≤ ˆ C (by inversion on D ↓ SL )( A S , B S , ⊤ ) ∈ dfsync , A S ≤ ˆ D (by inversion on D ↓ SL )Contradiction (since A S is a lower bound of ˆ C ∧ ˆ D but A S is strictly greater than ⊥ ) Subcase . ˆ E = E S for some E S .( ↓ SL A S , ↓ SL B S , E S ) ∈ dfsync ∧ , ( ↓ SL A S , ↓ SL B S , ˆ C ) ∈ dfsync , ( ↓ SL A S , ↓ SL B S , ˆ D ) ∈ dfsync (this case)( A S , B S , ⊤ ) ∈ dfsync , A S ≤ ˆ C, A S ≤ ˆ D (by inversion on D ↓ SL )( A S , B S , ⊤ ) ∈ dfsync ′ (since dfsync ⊆ dfsync ′ )( ↓ SL A S , ↓ SL C S , E S ) ∈ F (dfsync ′ )(by D ↓ SL with A S ≤ E S because A S is a lower bound of ˆ C and ˆ D and E S is the greatest lower bound)Unlike the previous lemmas, we require A L to be linear, so we do not need to consider ↑ SL . The casewhen A = B = 1 is trivial. 48 Statics
D.1 Rules B L ≤ A L Γ; y L : B L ⊢ fwd x L y L :: ( x L : A L ) ID L ˆ B ≤ A S Γ , y S : ˆ B ⊢ fwd x S y S :: ( x S : A S ) ID S ˆ B ≤ A L Γ , y S : ˆ B ; · ⊢ fwd x L y S :: ( x L : A L ) ID LS v S : ˆ D ∈ Γ w S : ˆ E ∈ Γ B L ≤ B ′ L ˆ D ≤ D ′ L ˆ E ≤ E ′ S (cid:0) x ′ L :( A L ≤ A ′ L ) ← X L ← y ′ L : B ′ L , v ′ L : D ′ L , w ′ S : E ′ S = P (cid:1) ∈ Σ Γ; ∆ , x L : A ′ L ⊢ Q :: ( z L : C L )Γ; ∆ , y L : B L ⊢ x L ← X L ← y L , v S , w S ; Q :: ( z L : C L ) SP LL y S : ˆ B ∈ Γˆ B ≤ B ′ S (cid:0) x ′ S :( A S ≤ A ′ S ) ← X S ← y ′ S : B ′ S = P (cid:1) ∈ Σ Γ , x S : A ′ S ; ∆ ⊢ Q :: ( z L : C L )Γ; ∆ ⊢ x S ← X S ← y S ; Q :: ( z L : C L ) SP LS y S : ˆ B ∈ Γˆ B ≤ B ′ S (cid:0) x ′ S :( A S ≤ A ′ S ) ← X S ← y ′ S : B ′ S = P (cid:1) ∈ Σ Γ , x S : A ′ S ⊢ Q :: ( z S : C S )Γ ⊢ x S ← X S ← y S ; Q :: ( z S : C S ) SP SS ˆ A ≤ ↑ SL A L Γ , x S : ˆ A ; ∆ , x L : A L ⊢ P :: ( z L : C L )Γ , x S : ˆ A ; ∆ ⊢ x L ← acq S x S ; P :: ( z L : C L ) ↑ SL L Γ; · ⊢ P :: ( x L : A L )Γ ⊢ x L ← acc S x S ; P :: ( x S : ↑ SL A L ) ↑ SL R Γ , x S : A S ; ∆ ⊢ P :: ( z L : C L )Γ; ∆ , x L : ↓ SL A S ⊢ x S ← rel S x S ; P :: ( z L : C L ) ↓ SL L Γ ⊢ P :: ( x S : A S )Γ; · ⊢ x S ← det S x S ; P :: ( x L : ↓ SL A S ) ↓ SL R Γ; ∆ , y L : A L ⊢ P :: ( z L : C L )Γ; ∆ , x L : ↑ LL A L ⊢ y L ← acq L x L ; P :: ( z L : C L ) ↑ LL L Γ; ∆ ⊢ P :: ( x L : A L )Γ; ∆ ⊢ y L ← acc L x L ; P :: ( x L : ↑ LL A L ) ↑ LL R Γ; ∆ , y L : A L ⊢ P :: ( z L : C L )Γ; ∆ , x L : ↓ LL A L ⊢ y L ← rel L x L ; P :: ( z L : C L ) ↓ LL L Γ; ∆ ⊢ P :: ( y L : A L )Γ; ∆ ⊢ y L ← det L x L ; P :: ( x L : ↓ LL A L ) ↓ LL R Γ; ∆ ⊢ P :: ( z L : C L )Γ; ∆ , x L :1 ⊢ wait x L ; P :: ( z L : C L ) 1 L Γ; · ⊢ close x L :: ( x L :1) 1 R Γ; ∆ , x L : B L , y L : A L ⊢ P :: ( z L : C L )Γ; ∆ , x L : A L ⊗ B L ⊢ y L ← recv x L ; P :: ( z L : C L ) ⊗ L A ′ L ≤ A L Γ; ∆ ⊢ P :: ( x L : B L )Γ; ∆ , y L : A ′ L ⊢ send x L y L ; P :: ( x L : A L ⊗ B L ) ⊗ RA ′ L ≤ A L Γ; ∆ , x L : B ⊢ P :: ( z L : C L )Γ; ∆ , x L : A L ⊸ B L , y L : A ′ L ⊢ send x L y L ; P :: ( z L : C L ) ⊸ L Γ; ∆ , y L : A L ⊢ P :: ( x L : B L )Γ; ∆ ⊢ y L ← recv x L ; P :: ( x L : A L ⊸ B L ) ⊸ R A ≤ A L Γ , y S : ˆ A ; ∆ , x L : B ⊢ P :: ( z L : C L )Γ , y S : ˆ A ; ∆ , x L : A L ⊸ B L ⊢ send x L y S ; P :: ( z L : C L ) ⊸ L S ˆ A ≤ A L Γ , y S : ˆ A ; ∆ ⊢ P :: ( x L : B L )Γ , y S : ˆ A ; ∆ ⊢ send x L y S ; P :: ( x L : A L ⊗ B L ) ⊗ R S ∀ i ∈ l Γ; ∆ , x L : A i L ⊢ P i :: ( c L : Z L )Γ; ∆ , x L : ⊕ { l : A L } ⊢ case x L of { l ⇒ P } :: ( c L : Z L ) ⊕ L i ∈ l Γ; ∆ ⊢ P :: ( x L : A i L )Γ; ∆ ⊢ x.i ; P :: ( x L : ⊕ { l : A L } ) ⊕ Ri ∈ l Γ; ∆ , x L : A i L ⊢ P :: ( z L : C L )Γ; ∆ , x L :& { l : A L } ⊢ x.i ; P :: ( z L : C L ) & L ∀ i ∈ l Γ; ∆ ⊢ P i :: ( x L : A i L )Γ; ∆ ⊢ case x L of { l ⇒ P } :: ( x L :& { l : A L } ) & R Dynamics proc( a L , fwd a L b L ) , Ψ b → Ψ b ( b L := a L , b S := a S ) (D-FWDLL)proc( a L , fwd a L b S ) → connect( a L , b S ) (D-FWDLS)proc( a S , fwd a S b S ) → unavail( a S ) ( b S := a S ) (D-FWDSS) proc( a L ,x L ← X L ← b L ,d S ,e S ; Q )!def(( x ′ L :( A L ≤ A ′ L ) ← X L ← y ′ L : B ′ L ,v ′ L : D ′ L ,w ′ S : E ′ S )= P ) → proc( a L , [ c L /x L ] Q ) , proc( b L , [ c L /x ′ L ,b L /y ′ L ,d ′ L /v ′ L ,e S /w ′ S ] P )connect( d ′ L ,d S ) , unavail( d ′ S ) ( d ′ ,c fresh) (D-SPAWNLL) proc( a L ,x S ← X S ← b S ; Q )!def(( x ′ S :( A S ≤ A ′ S ) ← X S ← y ′ S : B ′ S )= P ) → proc( a L , [ c S /x S ] Q ) , proc( c S , [ c S /x ′ S , b S /y ′ S ] P ) ( c fresh) (D-SPAWNLS) proc( a S ,x S ← X S ← b S ; Q )!def(( x ′ S :( A S ≤ A ′ S ) ← X S ← y ′ S : B ′ S )= P ) → proc( a S , [ c S /x S ] Q ) , proc( c S , [ c S /x ′ S , b S /y ′ S ] P ) ( c fresh) (D-SPAWNSS)proc( a L , x L ← acq S b S ; P ) , proc( b S , x L ← acc S b S ; Q ) → proc( a L , [ b L /x L ] P ) , proc( b L , [ b L /x L ] Q ) , unavail( b S )(D- ↑ SL )proc( a L , x S ← rel S b S ; P ) , proc( b L , x S ← det S b S ; Q ) , unavail( b S ) → proc( a L , [ b S /x S ] P ) , proc( b S , [ b S /x S Q )(D- ↓ SL )proc( a L , x L ← acq L b L ; P ) , proc( b L , x L ← acc L b L ; Q ) → proc( a L , [ b L /x L ] P ) , proc( b L , [ b L /x L ] Q ) (D- ↑ LL )proc( a L , x L ← rel L b L ; P ) , proc( b L , x L ← det L b L ; Q ) → proc( a L , [ b L /x L ] P ) , proc( b L , [ b L /x L Q ) (D- ↓ LL ) proc( a L ,x L ← acq L b L ; P ) , connect( b L ,c S )proc( c S ,x L ← acc S c S ; Q ) → proc( a L , [ c L /x L ] P ) , proc( c L , [ c L /x L ] Q )unavail( c S ) (D- ↑ SL proc( a L ,x L ← rel L c L ; P ) , proc( c L ,x S ← det S c S ; Q ) , unavail( c S ) → proc( a L , [ b L /x L ] P ) , connect( b L ,c S ) , unavail( b S ) (D- ↓ SL c S , [ c S /x S ] Q ) ( b fresh)proc( a L , wait b L ; P ) , proc( b L , close b L ) → proc( a L , P ) (D-1)proc( a L , y L ← recv b L ; P ) , proc( b L , send b L c L ; Q ) , Ψ c → proc( a L , [ c L /y L ] P ) , proc( b L , Q ) , Ψ c (D- ⊗ )proc( a L , send b L c L ; P ) , proc( b L , y L ← recv b L ; Q ) , Ψ c → proc( a L , P ) , proc( b L , [ c L /y L ] Q ) , Ψ c (D- ⊸ ) proc( a L , y L ← recv b L ; P ) , proc( b L , send b L c S ; Q ) → proc( a L , [ d L /y L ] P ) , proc( b L , Q ) , connect( d L , c S ) , unavail( d S ) ( d fresh) (D- ⊗ proc( a L , send b L c S ; P ) , proc( b L , y L ← recv b L ; Q ) → proc( a L , P )proc( b L , [ d L /y L ] Q ) , connect( d L , c S ) , unavail( d S ) ( d fresh) (D- ⊸ a L , case b L of { l ⇒ P , m ⇒ P } ) , proc( b L , b.i ; Q ) → proc( a L , P i ) , proc( b L , Q ) ( i ∈ l ) (D- ⊕ )proc( a L , b.i ; P ) , proc( b L , case b L of { l ⇒ Q, m ⇒ Q } ) → proc( a L , P ) , proc( b L , Q i ) ( i ∈ l ) (D-&) F Preservation
Theorem 1. If Γ | = Λ; Θ :: (Γ; ∆) and Λ; Θ → Λ ′ ; Θ ′ , then Γ ′ | = Λ ′ ; Θ ′ :: (Γ ′ ; ∆) for some Λ ′ , Θ ′ , and Γ ′ such that Γ ′ (cid:22) Γ . roof. By induction on the dynamics to construct a well-formed and well-typed configuration startingwith Γ | = Λ; Θ :: (Γ; ∆). Notation
Many of the proof cases involve transitions between linear process terms (either proc orconnect). When reasoning with these transitions, we adopt the notation that Ψ a → Ψ ′ a that is, Ψ a represents the process term offering a before the transition and Ψ ′ a represents the process term offering a after the transition. Case . D-FWDLS proc( a L , fwd a L b S ) → connect( a L , b S )where Ψ a = proc( a L , fwd a L b S ) and Ψ ′ a = connect( a L , b S ) (for the remaining cases, these metavariableassignments are implicit). Let Θ = Θ , Ψ a , Θ . Then by Lemma 9, Λ = unavail( a S ) , Λ .Γ | = Λ; Θ , Ψ a , Θ :: (Γ; ∆) (assumption)Γ | = Λ :: (Γ) Γ | = Θ , Ψ a , Θ :: (∆) (by inversion on Ω)Γ | = proc( a L , fwd a L b S ) , Θ :: ( a L : A L , ∆ p ) (by Lemma 4 and expanding Ψ a )Γ | = Θ :: (∆ p ) Γ; · ⊢ fwd a L b S :: ( a L : A ′ L ) (by inversion on Θ3) b S : ˆ B ∈ Γ ˆ B ≤ A ′ L (by inversion on ID LS )ˆ B ≤ A L (by transitivity of ≤ )Γ | = connect( a L , b S ) , Θ :: ( a : A L , ∆ p ) (by Θ2)Γ | = Θ , Ψ ′ a , Θ :: (∆) (by Lemma 5)Γ | = Λ; Θ , Ψ ′ a , Θ :: (Γ; ∆) (by Ω)The well-formedness conditions are maintained because only Ψ a ∈ Θ was replaced by Ψ ′ a . Case . D-&proc( a L , b.i ; P ) , proc( b L , case b L of { l ⇒ Q, m ⇒ Q } ) → proc( a L , P ) , proc( b L , Q i ) ( i ∈ l )Then Θ = Θ , Ψ a , Θ , Ψ b , Θ | = Λ; Θ , Ψ a , Θ , Ψ b , Θ :: (Γ; ∆) (assumption)Γ | = Λ :: (Γ) Γ | = Θ , Ψ a , Θ , Ψ b , Θ :: (∆) (by inversion on Ω)Γ | = Ψ a , Θ , Ψ b , Θ :: ( a L : A L , ∆ r ) (by Lemma 4)Γ | = Ψ a , Ψ b , Θ r :: ( a L : A L , ∆ r ) (by Lemma 6 and Θ r = Θ , Θ )Γ | = Ψ b , Θ r :: ( b L :& { l : B L } , ∆ a , ∆ r ) Γ; ∆ a ⊢ b.i ; P :: ( a L : A ′ L ) a S : ˆ A ∈ Γ ⊢ ( A ′ L , A L , ˆ A ) dfsync(by inversion on Θ3)Γ | = Θ r :: (∆ a , ∆ b , ∆ r ) Γ; ∆ b ⊢ case b L of { l ⇒ Q, m ⇒ Q } :: ( b L :& { l : B ′ L , m : B ′ L } ) b S : ˆ B ∈ Γ ⊢ (& { l : B ′ L , m : B ′ L } , & { l : B L } , ˆ B ) dfsync (by inversion on Θ3)Γ; ∆ b ⊢ Q i :: ( b L : B i ′ L ) (inversion on & R ) B i ′ L ≤ B i L ⊢ ( B ′ i L , B i L , ˆ B ) dfsync (by inversion on ≤ & and E& respectively)Γ | = Ψ ′ b , Θ r :: ( b L : B i L , ∆ r , ∆ a ) (by Θ3)Γ; ∆ a , b L : B i L ⊢ P :: ( a L : A ′ L ) (inversion on & L )Γ | = Ψ ′ a , Ψ ′ b , Θ r :: ( a L : A L , ∆ r ) (by Θ3)Γ | = Θ , Ψ ′ a , Ψ ′ b , Θ r :: (∆) (by Lemma 5)Γ | = Λ; Θ , Ψ ′ a , Ψ ′ b , Θ r :: (Γ; ∆) (by Ω)The well-formedness conditions are maintained because Ψ a and Ψ b were replaced by Ψ ′ a and Ψ ′ b respec-tively in Θ.The proof of D- ⊕ is similar to D-&. Case . D- ⊗ proc( a L , y L ← recv b L ; P ) , proc( b L , send b L c L ; Q ) , Ψ c → proc( a L , [ c L /y L ] P ) , proc( b L , Q ) , Ψ c , Ψ a , Θ , Ψ b , Θ , Ψ c , Θ .Γ | = Λ; Θ , Ψ a , Θ , Ψ b , Θ , Ψ c , Θ :: (Γ; ∆) (assumption)Γ | = Λ :: (Γ) Γ | = Θ , Ψ a , Θ , Ψ b , Θ , Ψ c , Θ :: (∆) (by inversion on Ω)Γ | = Ψ a , Θ , Ψ b , Θ , Ψ c , Θ :: ( a L : A L , ∆ r ) (by Lemma 4)Γ | = Ψ a , Ψ b , Ψ c , Θ r :: ( a L : A L , ∆ r ) (by Lemma 6 and Θ r = Θ , Θ , Θ )Γ | = Ψ b , Ψ c , Θ r :: ( b L : C a L ⊗ B L , ∆ a , ∆ r ) Γ; ∆ a , b L : B L ⊢ y L ← recv b L ; P :: ( a L : A ′ L ) a S : ˆ A ∈ Γ ⊢ ( A ′ L , A L , ˆ A ) dfsync (by inversion on Θ3)Γ; ∆ a , b L : B L , c L : C a L ⊢ [ c L /y L ] P :: ( a L : A ′ L ) (by inversion on ⊗ L and α equivalance)Γ | = Ψ c , Θ r :: ( c L : C L , ∆ a , ∆ b , ∆ r ) Γ; ∆ b , c L : C L ⊢ send b L c L ; Q :: ( b L : C b L ⊗ B ′ L ) b S : ˆ B ∈ Γ ⊢ ( C b L ⊗ B ′ L , C a L ⊗ B L , ˆ B ) dfsync (by inversion on Θ3)Γ; ∆ b ⊢ Q :: ( b L : B ′ L ) C L ≤ C b L (by inversion on ⊗ R ) C b L ≤ C a L B ′ L ≤ B L ⊢ ( B ′ L , B L , ˆ B ) dfsync (by inversion on ≤ ⊗ and E ⊗ respectively)Γ | = Ψ c , Θ r :: ( c L : C a L , ∆ a , ∆ b , ∆ r ) (by Lemma 7 since C L ≤ C b L ≤ C a L .)Γ | = Ψ ′ b , Ψ c , Θ r :: ( b L : B L , c L : C a L , ∆ a , ∆ r ) (by Θ3)Γ | = Ψ ′ a , Ψ ′ b , Ψ c , Θ r :: ( a L : A L , ∆ r ) (by Θ3)Γ | = Θ , Ψ ′ a , Ψ ′ b , Ψ c , Θ r :: (∆) (by Lemma 5)Γ | = Λ; Θ , Ψ ′ a , Ψ ′ b , Ψ c , Θ r :: (Γ; ∆) (by Ω)The well-formedness conditions are maintained because Ψ a and Ψ b were replaced by Ψ ′ a and Ψ ′ b respec-tively in Θ. Case . D- ⊗ a L , y L ← recv b L ; P ) , proc( b L , send b L c S ; Q ) → proc( a L , [ d L /y L ] P ) , proc( b L , Q ) , connect( d L , c S ) , unavail( d S ) ( d fresh)54hen Θ = Θ , Ψ a , Θ , Ψ b , Θ .Γ | = Λ; Θ , Ψ a , Θ , Ψ b , Θ :: (Γ; ∆) (assumption)Γ | = Λ :: (Γ) Γ | = Θ , Ψ a , Θ , Ψ b , Θ :: (∆) (by inversion on Ω)Γ | = Ψ a , Θ , Ψ b , Θ :: ( a L : A L , ∆ r ) (by Lemma 4)Γ | = Ψ a , Ψ b , Θ r :: ( a L : A L , ∆ r ) (by Lemma 6 and Θ r = Θ , Θ )Γ | = Ψ b , Θ r :: ( b L : C a L ⊗ B L , ∆ a , ∆ r ) Γ; ∆ a , b L : B L ⊢ y L ← recv b L ; P :: ( a L : A ′ L ) a S : ˆ A ∈ Γ ⊢ ( A ′ L , A L , ˆ A ) dfsync (by inversion on Θ3)Γ; ∆ a , b L : B L , d L : C a L ⊢ [ d L /y L ] P :: ( a L : A ′ L ) (by inversion on ⊗ L and α equivalance)Γ | = Θ r :: (∆ a , ∆ b , ∆ r ) Γ; ∆ b , c L : C L ⊢ send b L c S ; Q :: ( b L : C b L ⊗ B ′ L ) b S : ˆ B ∈ Γ ⊢ ( C b L ⊗ B ′ L , C a L ⊗ B L , ˆ B ) dfsync (by inversion on Θ3)Γ; ∆ b ⊢ Q :: ( b L : B ′ L ) ˆ C ≤ C b L (by inversion on ⊗ R S )Γ | = connect( d L , c S ) , Θ r :: ( d : C a L , ∆ a , ∆ b , ∆ r )Γ | = Ψ ′ b , Ψ d , Θ r :: ( b L : B L , d L : C a L , ∆ a , ∆ r ) (by Θ3 where Ψ d = connect( d L , c S ))Γ | = Ψ ′ a , Ψ ′ b , Ψ d , Θ r :: ( a L : A L , ∆ r ) (by Θ3)Γ | = Θ , Ψ ′ a , Ψ ′ b , Ψ d , Θ r :: (∆) (by Lemma 5)Γ ′ | = Θ , Ψ ′ a , Ψ ′ b , Ψ d , Θ r :: (∆) (by Lemma 8 with Γ ′ = Γ , d S : ⊥ )Γ ′ | = Λ :: (Γ) (by Lemma 8)Γ ′ | = unavail( d S ) :: ( d S : ⊥ ) (by Λ4)Γ ′ | = Λ , unavail( d S ) :: (Γ ′ ) (by Λ2)Γ ′ | = Λ , unavail( d S ); Θ , Ψ ′ a , Ψ ′ b , Ψ d , Θ r :: (Γ ′ ; ∆) (by Ω)The well-formedness conditions are maintained because Ψ a and Ψ b were replaced by Ψ ′ a and Ψ ′ b re-spectively in Θ and a Ψ d was added in Θ where d is fresh along with a corresponding unavail( d S ) inΛ ′ = Λ , unavail( d S ).The proofs of D- ⊸ and D- ⊸ ⊗ and D- ⊗ Case . D-FWDLL proc( a L , fwd a L b L ) , Ψ b → Ψ b ( a L := b L , a S := b S )55hen Θ = Θ , Ψ a , Θ , Ψ b , Θ and Λ = unavail( a S ) , unavail( b S ) , Λ by Lemma 9.Γ | = Λ; Θ , Ψ a , Θ , Ψ b , Θ :: (Γ; ∆) (assumption)Γ | = Λ :: (Γ) Γ | = Θ , Ψ a , Θ , Ψ b , Θ :: (∆) (by inversion on Ω)Γ | = Ψ a , Θ , Ψ b , Θ :: ( a L : A L , ∆ r ) (by Lemma 4)Γ | = Ψ a , Ψ b , Θ r :: ( a L : A L , ∆ r ) (by Lemma 6 and Θ r = Θ , Θ )Γ | = Ψ b , Θ r :: ( b L : b L : B L , ∆ r ) Γ; b L : B L ⊢ fwd a L b L :: ( a L : A ′ L ) a S : ˆ A ∈ Γ ⊢ ( A ′ L , A L , ˆ A ) dfsync(by inversion on Θ3) B L ≤ A ′ L (by inversion on ID L )At this point we need to case on the structure of Ψ b . In both cases we will show that Γ ′ | = Ψ ′ a , Θ r :: ( a L : A L , ∆ r )for some Γ ′ (cid:22) Γ and Ψ ′ a being directly defined from Ψ b . Subcase . Ψ b = connect( b L , c S ) for some c S .Γ | = connect( b L , c S ) , Θ r :: ( b : B L , ∆ r ) c S : ˆ C ∈ Γ ˆ C ≤ B L (by inversion on Θ2)ˆ C ≤ A L (by transitivity of ≤ )Γ | = connect( b L , c S ) , Θ r :: ( b : A L , ∆ r ) (by Θ2)Γ | = connect( a L , c S ) , Θ r :: ( a : A L , ∆ r ) (from renaming) Subcase . Ψ b = proc( b L , P ) for some process term P .Γ | = Θ r :: (∆ b , ∆ r ) Γ; ∆ b ⊢ P :: ( b L : B ′ L ) b S : ˆ B ∈ Γ ⊢ ( B ′ L , B L , ˆ B ) dfsync (by inversion on Θ3) B ′ L ≤ B L ≤ A ′ L ≤ A L ⊢ ( B ′ L , A L , ˆ B ) dfsync ⊢ ( B ′ L , A L , ˆ A ) dfsync (by Lemma 10 and Lemma 11 respectively) ⊢ ( B ′ L , A L , ˆ B ∧ ˆ A ) dfsync (by Lemma 13)Γ ′ | = Θ r :: (∆ b , ∆ r ) (by Lemma 8 with Γ ′ = [ a S : ˆ B ∧ ˆ A/a S : ˆ A ]Γ)Γ ′ ; ∆ b ⊢ P :: ( b L : B ′ L ) (by Lemma 3)Γ ′ ; ∆ b ⊢ [ a L /b L , a S /b S ] P :: ( a L : B ′ L )(by α equivalence for a L /b L and a combination of α equivalence and Lemma 8 for a S /b S )Γ ′ | = proc( a L , [ a L /b L , a S /b S ] P ) , Θ r :: ( a : A L , ∆ r ) (by Θ3)We will now continue assuming Γ ′ | = Ψ ′ a , Θ r :: ( a L : A L , ∆ r ) with Γ ′ (cid:22) Γ and Ψ ′ a = [ a L /b L , a S /b S ]Ψ b .56or the connect case that did not require a smaller Γ, simply set Γ ′ = Γ since Γ ′ (cid:22) Γ by reflexivity.Γ ′ | = Θ , Ψ a , Θ r :: (∆) (by Lemma 8)Γ ′ | = Θ , Ψ ′ a , Θ r :: (∆) (by Lemma 5)Γ ′ | = Λ :: (Γ) (by Lemma 5)Γ ′ | = unavail( a S ) :: ( a S : ⊥ ) (by Λ4)Γ ′ | = unavail( b S ) , Θ :: (Γ ′′ ) (by inversion on Λ2 where Γ ′ = Γ ′′ , a S : ⊥ )Γ ′ | = Λ :: (Γ ′ ) (by Λ2)Γ ′ | = [ a S /b S ]Λ :: (Γ ′ ) (by α equivalence)Γ ′ | = [ a S /b S ]Θ , Ψ ′ a , [ a S /b S ]Θ r :: (∆) (by α equivalence)Γ ′ | = Λ; [ a S /b S , a L /b L ]Θ , Ψ ′ a , [ a S /b S ]Θ r :: (Γ ′ ; ∆) (by Ω)Well-formedness is easily maintained because we only removed something from the linear fragment (itis okay to have dangling unavail terms in the shared fragment). Case . D- ↑ SL proc( a L , x L ← acq S b S ; P ) , proc( b S , x L ← acc S b S ; Q ) → proc( a L , [ b L /x L ] P ) , proc( b L , [ b L /x L ] Q ) , unavail( b S )Then Λ = Λ b , Λ and Θ = Θ , Ψ a , Θ with Λ b = proc( b S , x L ← acc S b S ; Q ).57e also define Ψ ′ b = proc( b L , [ b L /x L ] Q ).Γ | = Λ b , Λ ; Θ , Ψ a , Θ :: (Γ; ∆) (assumption)Γ | = Λ b , Λ :: (Γ) Γ | = Θ , Ψ a , Θ :: (∆) (by inversion on Ω)Γ | = Λ b :: ( b S : ↑ SL B L ) Γ | = Λ :: (Γ ′ ) (by inversion on Λ2 with Γ = b S : ↑ SL B L , Γ ′ ) ⊢ ( ↑ SL B ′ L , ↑ SL B L , ⊤ ) dfsync Γ ⊢ x L ← acc S b S ; Q :: ( b S : ↑ SL B ′ L ) (by inversion on Λ3)Γ; · ⊢ [ b L /x L ] Q :: ( b L : B ′ L ) (by inversion on ↑ SL R and α equivalence) ⊢ ( B ′ L , B L , ↑ SL B ′ L ) dfsync (by inversion on D ↑ SL )Γ | = Ψ a , Θ :: ( a L : A L , ∆ p ) (by Lemma 4)Γ | = Θ :: (∆ a , ∆ p ) Γ; ∆ a ⊢ x L ← acq S b S :: ( a L : A ′ L ) a S : ˆ A ∈ Γ ⊢ ( A ′ L , A L , ˆ A ) dfsync (by inversion on Θ3)Γ; ∆ a , b L : B a L ⊢ [ b L /x L ] P :: ( a L : A ′ L ) ↑ SL B L ≤ ↑ SL B a L (by inversion on ↑ SL L and α equivalence)Γ | = Ψ ′ b , Θ :: ( b L : B L , ∆ a , ∆ p ) (by Λ3)Γ | = Ψ ′ b , Θ :: ( b L : B a L , ∆ a , ∆ p ) (by Lemma 7)Γ | = Ψ ′ a , Ψ ′ b , Θ :: ( a L : A, ∆ p ) (by Θ3)Γ | = Θ , Ψ ′ a , Ψ ′ b , Θ :: (∆) (by Lemma 5)Γ | = unavail( b S ) :: ( b S : ↑ SL B L ) (by Λ4)Γ | = unavail( b S ) , Λ :: (Γ) (by Λ2)Γ | = Λ; Θ , Ψ ′ a , Ψ ′ b , Θ :: (Γ; ∆) (by Ω)Well-formedness is maintained because Ψ b / ∈ Θ and there is a corresponding unavail( b S ) to the newlyadded Ψ ′ b . Case . D- ↑ SL a L , x L ← acq L b L ; P ) , connect( b L , c S ) , proc( c S , x L ← acc S c S ; Q ) → proc( a L , [ c L /x L ] P ) , proc( c L , [ c L /x L ] Q ) , unavail( c S )Then Λ = Λ c , Λ and Θ = Θ , Ψ a , Θ , Ψ b , Θ with Λ c = proc( c S , x L ← acc S c S ; Q ).58e also define Ψ ′ c = proc( c L , [ c L /x L ] Q ).Γ | = Λ c , Λ ; Θ , Ψ a , Θ , Ψ b , Θ :: (Γ; ∆) (assumption)Γ | = Λ c , Λ :: (Γ) Γ | = Θ , Ψ a , Θ , Ψ b , Θ :: (∆) (by inversion on Ω)Γ | = Λ c :: ( c S : ↑ SL C L ) Γ | = Λ :: (Γ ′ ) (by inversion on Λ2 with Γ = c S : ↑ SL C L , Γ ′ ) ⊢ ( ↑ SL C ′ L , ↑ SL C L , ⊤ ) dfsync Γ ⊢ x L ← acc S c S ; Q :: ( c S : ↑ SL C ′ L ) (by inversion on Λ3)Γ; · ⊢ [ c L /x L ] Q :: ( c L : C ′ L ) (by inversion on ↑ SL R and α equivalence) ⊢ ( C ′ L , C L , ↑ SL C ′ L ) dfsync (by inversion on D ↑ SL )Γ | = Ψ a , Θ , Ψ b , Θ :: ( a L : A L , ∆ p ) (by Lemma 4)Γ | = Ψ a , Ψ b , Θ r :: ( a L : A L , ∆ p ) (by Lemma 6 with Θ r = Θ , Θ )Γ | = connect( b L , c S ) , Θ :: ( b S : ↑ LL B L , ∆ a , ∆ p ) Γ; ∆ a , b S : ↑ LL B L ⊢ x L ← acq L b L :: ( a L : A ′ L ) a S : ˆ A ∈ Γ ⊢ ( A ′ L , A L , ˆ A ) dfsync (by inversion on Θ3)Γ | = Θ r :: (∆ a , ∆ p ) ↑ SL C L ≤ ↑ LL B L (by inversion on Θ2) C L ≤ B L ⊢ ( C ′ L , B L , ↑ SL C ′ L ) dfsync (by inversion on ≤ ↑ SL ↑ LL and Lemma 10 respectively)Γ | = Ψ ′ c , Θ r :: ( c L : C L , ∆ a , ∆ p ) (by Λ3)Γ; ∆ a , c L : C L ⊢ [ c L /x L ] P :: ( a L : A ′ L ) (by inversion on ↑ SL L and α equivalence)Γ | = Ψ ′ a , Ψ ′ c , Θ :: ( a L : A, ∆ p ) (by Θ3)Γ | = Θ , Ψ ′ a , Ψ ′ b , Θ :: (∆) (by Lemma 5)Γ | = unavail( c S ) :: ( c S : ↑ SL C L ) (by Λ4)Γ | = unavail( c S ) , Λ :: (Γ) (by Λ2)Γ | = Λ; Θ , Ψ ′ a , Ψ ′ c , Θ :: (Γ; ∆) (by Ω)Well-formedness is maintained because Ψ c / ∈ Θ and there is a corresponding unavail( c S ) to the newlyadded Ψ ′ c .Other omitted cases follow a similar strategy as presented. G Progress
Theorem 2. If Γ | = Λ; Θ :: (Γ; ∆) then either:1. Λ → Λ ′ for some Λ ′ or2. Λ poised and one of: a) Λ; Θ → Λ ′ ; Θ ′ for some Λ ′ and Θ ′ or(b) Θ poised or(c) some Ψ ∈ Θ is blockedProof. Γ | = Λ; Θ :: (Γ; ∆) (by assumption)Γ | = Λ :: (Γ) Γ | = Θ :: (∆) (by inversion on Ω)for some Γ , Λ , Θ , and ∆.We first show that either Λ → Λ ′ for some Λ ′ or that Λ is poised by induction on the derivation ofΓ | = Λ :: (Γ). Case . Γ | = · :: ( · ) Λ1( · ) is poised since there is no proc term. Case . Γ | = Λ :: (Γ ) Γ | = Λ :: (Γ )Γ | = Λ , Λ :: (Γ , Γ ) Λ2Then either Λ → Λ ′ or Λ is poised by induction hypothesis, and similarly, either Λ → Λ ′ or Λ ispoised by induction hypothesis. If both Λ and Λ are poised, then the concatenation Λ , Λ is poised.Otherwise, we take the concatenation of the components that progresses. In particular, if Λ → Λ ′ andΛ is poised, Λ , Λ → Λ ′ , Λ (and similarly for the other two combinations). Case . ⊢ ( A ′ S , A S , ⊤ ) dfsync Γ ⊢ P :: ( a S : A ′ S )Γ | = proc( a S , P ) :: ( a S : A S ) Λ3We proceed by case analysis on the syntactic form of P inferred from inversion on the appropriate typingrule on the derivation of Γ ⊢ P :: ( a S : A ′ S ). Subcase . P = fwd a S b S . This case requires a global substitution on the top level Λ. Since there is noordering constraint on Λ, let Λ = proc( a S , fwd a S b S ) , Λ without loss of generality. Then by D-FWDSS,Λ → [ a S /b S ]Λ Subcase . P = x S ← X S ← b S ; Q , then by D-SPAWNSS,proc( a S , x S ← X S ← b S ; Q ) → proc( a S , [ c S /x S ] Q ) , proc( c S , [ c S /x ′ S , b S /y ′ S ] P ) ( c fresh)60 ubcase . P = a L ← acc S a S ; Q , then proc( a S , P ) is poised by definition. Case . Γ | = unavail( a S ) :: ( a S : ˆ A ) Λ4unavail( a S ) is poised since there is no proc term.That concludes the first part of the proof. Now to show the second part, we will assume that Λ ispoised and proceed by induction on the derivation of Γ | = Θ :: (∆) to show one of:(a) Λ; Θ → Λ ′ ; Θ ′ for some Λ ′ and Θ ′ (b) Θ poised(c) some Ψ ∈ Θ is strongly blockedWe will showcase the style of the proof along with the interesting cases.
Case . Γ | = · :: ( · ) Θ1( · ) is poised since there is no proc term. Case . b S : ˆ B ∈ Γ b S ≤ A L Γ | = Θ :: (∆ )Γ | = connect( a L , b S ) , Θ :: ( a : A L , ∆ ) Θ2By the induction hypothesis, Θ either steps, is poised, or contains a Ψ that is strongly blocked.If Θ steps, then Λ; Θ → Λ ′ ; Θ ′ for some Λ ′ and Θ ′ . Then Λ; connect( a L , b S ) , Θ → Λ ′ ; connect( a L , b S ) , Θ ′ .If Θ is poised, then connect( a L , b S ) , Θ is poised because connect( − L , − S ) is not a proc term.Finally, if there is some Ψ ∈ Θ that is strongly blocked, then of course the same Ψ ∈ (connect( a L , b S ) , Θ )is strongly blocked. Case . c S : ˆ C ∈ Γ ⊢ ( C ′ L , C L , ˆ C ) dfsync Γ; ∆ c ⊢ P :: ( c L : C ′ L ) Γ | = Θ :: (∆ c , ∆ )Γ | = proc( c L , P ) , Θ :: ( c : C L , ∆ ) Θ3By the induction hypothesis, Θ either steps, is poised, or contains a Ψ that is strongly blocked. Wefirst cover two of the cases:If Θ steps, then Λ; Θ → Λ ′ ; Θ ′ for some Λ ′ and Θ ′ . Then Λ; proc( c L , P ) , Θ → Λ ′ ; proc( c L , P ) , Θ ′ .61f there is some Ψ ∈ Θ that is strongly blocked, then of course the same Ψ ∈ (proc( c L , P ) , Θ ) isstrongly blocked.For the final case, we will assume that Θ is poised and proceed by case analysis on the derivationof Γ; ∆ c ⊢ P :: ( c L : C ′ L ). Unlike in the first part, we make the step between identifying the appropriatetyping rule and inferring the form of P explicit because some of the cases are more complicated. In thetype judgement, we replace instantiated channel variables in the context such as x by actual channelnames since they must already exist in the configuration. Subcase . The form of P inferred from all linear right rules (1 R, ⊗ R, ⊗ R S , ⊸ R, ⊕ R, & R, ↑ LL R, ↓ LL R )directly coincide with the definition of poised. For example, 1 R implies that P = close a L , which ispoised, and so on. Since Θ is poised, proc( a L , P ) , Θ is poised. Subcase . Γ; ∆ ′ c , b L : B L , y L : A L ⊢ P :: ( c L : C ′ L )Γ; ∆ ′ c , b L : A L ⊗ B L ⊢ y L ← recv b L ; P :: ( c L : C ′ L ) ⊗ L where ∆ c = ∆ ′ c , b L : A L ⊗ B L . Then Θ = Θ , proc( b L , − ) , Θ for some Θ and Θ (we know b L is notprovided by a connect term since connect terms offer channels of type ↑ LL D L ). Since proc( b L , − ) is poisedand must offer a channel of type A L ⊗ B L , it must be of form proc( b L , send b L a L ; Q ). Thus, by D- ⊗ ,Λ; proc( c L , y L ← recv b L ; P ) , Θ , proc( b L , send b L a L ; Q ) , Θ → Λ; proc( c L , [ a L /y L ] P ) , Θ , proc( b L , Q ) , Θ All the remaining linear left rules except ↑ LL L and ↑ LL R (1 L, ⊸ L, ⊸ L S , ⊕ L, & L ) follow a similar pattern. Subcase . ˆ A ≤ ↑ SL A L Γ , a S : ˆ A ; ∆ , x L : A L ⊢ P :: ( c L : C ′ L )Γ , a S : ˆ A ; ∆ c ⊢ x L ← acq S a S ; P :: ( c L : C ′ L ) ↑ SL L Since Λ is poised, either Λ = unavail( a S ) , Λ or Λ = proc( a S , x L ← acc S a S ; Q ) , Λ for some Λ . In thefirst case, proc( c L , a L ← acq S a S ; P ) is strongly blocked, so we are done. In the second case, by D- ↑ SL ,we have proc( a S , x L ← acc S a S ; Q ) , Λ ; proc( c L , a L ← acq S a S ; P ) , Θ → unavail( a S ) , Λ ; proc( c L , [ a L /x L ] P ) , proc( a L , [ a L /x L ] Q ) , Θ Subcase . Γ , x S : A S ; ∆ ′ c ⊢ P :: ( c L : C ′ L )Γ; ∆ ′ c , a L : ↓ SL A S ⊢ x S ← rel S a S ; P :: ( c L : C ′ L ) ↓ SL L where ∆ c = ∆ ′ c , a L : ↓ SL A S . Then Θ = Θ , proc( a L , − ) , Θ for some Θ and Θ . Since there is aproc( a L , − ) in the linear configuration, by well-formedness condition, there must be a corresponding62navail( a S ) ∈ Λ, so Λ = unavail( a S ) , Λ . Furthermore, since Θ is poised, the proc term must be of formproc( a L , x S ← det S a S ; Q ). By D- ↓ SL , we haveunavail( a S ) , Λ ; proc( c L , x S ← rel S a S ; P ) , Θ , proc( a L , x S ← det S a S ; Q ) , Θ → proc( a S , [ a S /x S ] Q ) , Λ ; proc( c L , [ a L /x L ] P ) , Θ , Θ Subcase . Γ; ∆ ′ c , x L : A L ⊢ P :: ( c L : C ′ L )Γ; ∆ ′ c , a L : ↑ LL A L ⊢ x L ← acq L a L ; P :: ( c L : C ′ L ) ↑ LL L where ∆ c = ∆ ′ c , a L : ↑ LL A L . Then Θ = Θ , Ψ a , Θ where Ψ a is either of form connect( a L , b S ) for some b S or proc( a L , − ). In the latter case, we appeal to the term being poised and the proof proceeds likethe other left rules. In the former case, there must be a term in Λ that provides b S . Since Λ is poised,either Λ = unavail( b S ) , Λ or Λ = proc( b S , x L ← acc S b S ; Q ) , Λ . In the former case, we can conclude thatproc( c L , − ) is strongly blocked, so we are done. In the latter case, by D- ↑ SL
2, we haveproc( b S , x L ← acc S b S ; Q ) , Λ ; proc( c L , x L ← acq L a L ; P ) , Θ , connect( a L , b S ) , Θ → unavail( b S ) , Λ ; proc( c L , [ b L /x L ] P ) , proc( b L , [ b L /x L ] Q ) , Θ , Θ Subcase . Γ; ∆ ′ c , x L : A L ⊢ P :: ( c L : C ′ L )Γ; ∆ ′ c , a L : ↓ LL A L ⊢ x L ← rel L a L ; P :: ( c L : C ′ L ) ↓ LL L where ∆ c = ∆ ′ c , a L : ↓ LL A L . Then Θ = Θ , proc( a L , − ) , Θ . Since Θ is poised, there are two possibleforms of proc( a L , − ). If we have proc( a L , x L ← det L a L ; Q ), then we appeal to the term being poisedlike the other left rules. If we instead have proc( a L , x S ← det S a S ; Q ), then we first identify thatΛ = unavail( a S ) , Λ for some Λ by the well-formedness condition. By D- ↓ SL
2, we haveunavail( a S ) , Λ ; proc( c L , x L ← rel L a L ; P ) , Θ , proc( a L , x S ← det S a S ; Q ) , Θ → proc( a S , [ a S /x S ] Q ) , Λ ; proc( c L , [ b L /x L ] P ) , connect( b L , a S ) , Θ , Θ ( bb