O. Dardha and J. Rot (Eds.): Combined Workshop on Expressiveness in Concurrency and Structural Operational Semantics (EXPRESS/SOS 2020). EPTCS 322, 2020, pp. 69–87, doi:10.4204/EPTCS.322.7
© R. Kavanagh
Substructural Observed Communication Semantics
Ryan Kavanagh
Computer Science Department, Carnegie Mellon University, Pittsburgh, Pennsylvania, 15213-3891, USA
[email protected]
Session types specify communication protocols for communicating processes, and session-typed languages are often specified using substructural operational semantics given by multiset rewriting systems. We give an observed communication semantics [2] for a session-typed language with recursion, where a process’s observation is given by its external communications. To do so, we introduce fair executions for multiset rewriting systems, and extract observed communications from fair process executions. This semantics induces an intuitively reasonable notion of observational equivalence that we conjecture coincides with semantic equivalences induced by denotational semantics [15], bisimulations [13], and barbed congruences [16, 27] for these languages.
A proofs-as-processes correspondence between linear logic and the session-typed π-calculus is the basis of many programming languages for message-passing concurrency [4, 5, 26, 28]. Session types specify communication protocols, and all communication with session-typed processes must respect these protocols. If we take seriously the idea that we can only interact with processes through session-typed communication, then the only thing we can observe about them is their communications. Indeed, timing differences in communication are not meaningful due to the non-deterministic scheduling of process reductions, and “forwarding” or “linking” of channels renders process termination meaningless, even in the presence of recursion. It follows that processes should be observationally indistinguishable only if they always send the same output given the same input.

These ideas underlie Atkey’s [2] novel observed communication semantics (OCS) for Wad­ler’s Classical Processes [28]. Atkey’s OCS uses a big-step evaluation semantics to observe communications on channels deemed “observable”. Processes are then observationally equivalent whenever they have the same observed communications in all contexts.

Building on these ideas, we give an OCS for session-typed languages that are specified using substructural operational semantics (SSOS), a form of multiset rewriting. Our work differs from Atkey’s on several key points. First, we assume that communication is asynchronous rather than synchronous. This assumption costs us nothing, for synchronous communication can be encoded in asynchronous systems [20], and it simplifies the semantics by eliminating the need for “configurations” and “visible” cuts. More importantly, our OCS supports recursive and non-terminating processes. To do so, we observe communications from process traces in (a conservative extension of) the usual SSOSs, instead of defining a separate big-step semantics.

To ensure that observed communications are well-defined in the presence of non-termination, we require that process executions be fair. Intuitively, fairness ensures that if a process can make progress, then it eventually does so. Fairness is also motivated by ongoing efforts to relate existing SSOSs to domain-theoretic semantics for this style of language [15]. There, processes denote continuous functions between domains of session-typed communications, and fairness is built-in. To this end, we introduce fair executions of multiset rewriting systems (MRS) and give sufficient conditions for an MRS to have fair executions. We also introduce a new notion of trace equivalence, union-equivalence, that is key to defining our OCS.

We study fair executions of MRSs and their properties in section 2. In section 3, we give an SSOS for a session-typed language arising from a proofs-as-processes interpretation of intuitionistic linear logic. It supports recursive processes and types. Though it is limited, it represents the core of other SSOS-specified session-typed languages [3, 13, 15, 20, 25], and the techniques presented in this paper scale to their richer settings. In section 4, we give our observed communication semantics, where we use a coinductively defined judgment to extract observations from fair executions.
In this section, we introduce fairness and fair executions for multiset rewriting systems. We begin by revisiting (first-order) multiset rewriting systems, as presented by Cervesato et al. [9]. We present a notion of fairness for sequences of rewriting steps, and constructively show that under reasonable hypotheses, all fair sequences from the same multiset are permutations of each other. We introduce a new notion of trace equivalence, “union-equivalence”, and give sufficient conditions for traces to be union-equivalent. Fairness and union-equivalence will be key ingredients for defining the observed communication semantics of section 4.

A multiset $M$ is a pair $(S, m)$ where $S$ is a set (the underlying set) and $m : S \to \mathbb{N}$ is a function. It is finite if $\sum_{s \in S} m(s)$ is finite. We say $s$ is an element of $M$, $s \in M$, if $m(s) > 0$. When considering several multisets, we assume without loss of generality that they have equal underlying sets. The sum $M_1, M_2$ of multisets $M_1 = (S, m_1)$ and $M_2 = (S, m_2)$ is the multiset $(S, \lambda s \in S.\ m_1(s) + m_2(s))$. Their intersection $M_1 \cap M_2$ is the multiset $(S, \lambda s \in S.\ \min(m_1(s), m_2(s)))$. Their difference $M_1 \setminus M_2$ is the multiset $(S, \lambda s \in S.\ \max(0, m_1(s) - m_2(s)))$. We say that $M_1$ is included in $M_2$, written $M_1 \subseteq M_2$, if $m_1(s) \le m_2(s)$ for all $s \in S$.

Consider finite multisets $M$ of first-order atomic formulas over some signature whose constants are drawn from some countably infinite set. We call closed formulas judgments. Judgments represent facts, some of which we may deem to be persistent. To this end, we partition formulas as persistent (indicated by bold face, $\mathbf{p}$) and ephemeral (indicated by sans serif face, $\mathsf{p}$). We write $M(\vec{x})$ to mean that the formulas in $M$ draw their variables from $\vec{x}$. A multiset rewrite rule $r$ is an ordered pair of multisets $F(\vec{x})$ and $G(\vec{x}, \vec{n})$, where the multiset $\pi(\vec{x})$ of persistent formulas in $F(\vec{x})$ is included in $G(\vec{x}, \vec{n})$. We interpret the variables $\vec{x}$ as being universally quantified and the variables $\vec{n}$ as being existentially quantified. This relation is made explicit using the syntax $r : \forall \vec{x}.\ F(\vec{x}) \to \exists \vec{n}.\ G(\vec{x}, \vec{n})$. In practice, we often elide $\forall \vec{x}$ and do not repeat the persistent formulas $\pi(\vec{x}) \subseteq F(\vec{x})$ on the right side of the arrow. A multiset rewriting system (MRS) is a set $R$ of multiset rewrite rules.

Multiset rewrite rules describe localized changes to multisets of judgments. Given a rule $r : \forall \vec{x}.\ F(\vec{x}) \to \exists \vec{n}.\ G(\vec{x}, \vec{n})$ in $R$ and some choice of constants $\vec{c}$ for $\vec{x}$, we say that the instantiation $r(\vec{c}) : F(\vec{c}) \to \exists \vec{n}.\ G(\vec{c}, \vec{n})$ is applicable to a multiset $M$ of judgments if there exists a multiset $M'$ such that $M = F(\vec{c}), M'$. The rule $r$ is applicable to $M$ if $r(\vec{c})$ is applicable to $M$ for some $\vec{c}$. In these cases, the result of applying $r(\vec{c})$ to $M$ is the multiset $G(\vec{c}, \vec{d}), M'$, where $\vec{d}$ is a choice of fresh constants. In particular, we assume that the constants $\vec{d}$ do not appear in $M$ or in $R$. We call $\theta = [\vec{c}/\vec{x}]$ the matching substitution and $\xi = [\vec{d}/\vec{n}]$ the fresh-constant substitution. The instantiating substitution for $r$ relative to $M$ is the composite substitution $\delta = (\theta, \xi)$. We capture this relation using the syntax
$$F(\vec{c}), M' \xrightarrow{(r;\ \delta)} G(\vec{c}, \vec{d}), M'.$$
For conciseness, we often abuse notation and write $r(\theta)$, $F(\theta)$, and $G(\theta, \xi)$ for $r(\vec{c})$, $F(\vec{c})$, and $G(\vec{c}, \vec{d})$. We call $F(\vec{c})$ the active multiset and $M'$ the stationary multiset.

Given an MRS $R$ and a multiset $M_0$, a trace from $M_0$ is a countable sequence of steps
$$M_0 \xrightarrow{(r_1;\ \delta_1)} M_1 \xrightarrow{(r_2;\ \delta_2)} M_2 \xrightarrow{(r_3;\ \delta_3)} \cdots \quad (1)$$
such that, where $\delta_i = (\theta_i, \xi_i)$,
1. for all $i$, $\xi_i$ is one-to-one;
2. for all $i < j$, the constants in $M_i$ and $\xi_j$ are disjoint.
The notation $(M_0, (r_i; \delta_i)_{i \in I})$ abbreviates the trace (1), where $I$ always ranges over $\mathbb{N}^+$ or $\mathbf{n} = \{1, \dots, n\}$ for some $n \in \mathbb{N}$. An execution is a maximally long trace.

Example 1.
We model queues using an MRS. Let the judgment $\mathsf{que}(q, \$)$ mean that $q$ is the empty queue, and let $\mathsf{que}(q, v \to q')$ mean that the queue $q$ has value $v$ at its head and that its tail is the queue $q'$. Then the multiset $Q = \mathsf{que}(q, 0 \to q'), \mathsf{que}(q', \$)$ describes a one-element queue containing $0$. The following two rules capture enqueuing values on empty and non-empty queues, respectively, where the formula $\mathsf{enq}(q, v)$ is used to enqueue $v$ onto the queue $q$:
$$e_1 : \forall x, y.\ \mathsf{enq}(x, y), \mathsf{que}(x, \$) \to \exists z.\ \mathsf{que}(x, y \to z), \mathsf{que}(z, \$),$$
$$e_2 : \forall x, y, z, w.\ \mathsf{enq}(x, y), \mathsf{que}(x, z \to w) \to \mathsf{que}(x, z \to w), \mathsf{enq}(w, y).$$
The following sequence is an execution from $Q, \mathsf{enq}(q, 1)$, and it captures enqueuing $1$ on the queue $q$:
$$Q, \mathsf{enq}(q, 1) \xrightarrow{(e_2;\ ([q, 1, 0, q'/x, y, z, w],\ \emptyset))} Q, \mathsf{enq}(q', 1) \xrightarrow{(e_1;\ ([q', 1/x, y],\ [a/z]))} \mathsf{que}(q, 0 \to q'), \mathsf{que}(q', 1 \to a), \mathsf{que}(a, \$).$$

The constants in fresh-constant substitutions are not semantically meaningful, so we identify traces up to refreshing substitutions. A refreshing substitution for a trace $T = (M_0, (r_i; (\theta_i, \xi_i))_i)$ is a collection of fresh-constant substitutions $\eta = (\eta_i)_i$ such that $[\eta]T = (M_0, (r_i; (\theta_i, \eta_i))_i)$ is also a trace. Explicitly, we identify traces $T$ and $T'$ if there exists a refreshing substitution $\eta$ such that $T' = [\eta]T$.

Given rules $r_i : \forall \vec{x}_i.\ F_i(\vec{x}_i) \to \exists \vec{n}_i.\ G_i(\vec{x}_i, \vec{n}_i)$ and matching substitutions $\theta_i$ for $i = 1, 2$, we say that the instantiations $r_1(\theta_1)$ and $r_2(\theta_2)$ are equivalent, $r_1(\theta_1) \equiv r_2(\theta_2)$, if both $F_1(\theta_1) = F_2(\theta_2)$ and (up to renaming of bound variables) $\exists \vec{n}_1.\ G_1(\theta_1, \vec{n}_1) = \exists \vec{n}_2.\ G_2(\theta_2, \vec{n}_2)$; otherwise they are distinct. Application does not distinguish between equivalent instantiations: if $r_1(\theta_1) \equiv r_2(\theta_2)$ are applicable to $M$, then applying each to $M$ gives the same result up to refreshing substitution.

Given an MRS $R$, we say that an execution $(M_0, (r_i; \delta_i)_{i \in I})$ is fair if for all $i \in I$, $r \in R$, and $\theta$, whenever $r(\theta)$ is applicable to $M_i$, there exists a $j > i$ such that $r_j(\theta_j) \equiv r(\theta)$. Given a fair trace $T$, we write $\varphi_T(i, r, \theta)$ for the least such $j$. In the case of MRSs specifying SSOSs of session-typed languages, this notion of fairness implies strong process fairness [11, 12, 18], which guarantees that if a process can take a step infinitely often, then it does so infinitely often. In particular, it implies that if a process can take a step, then it eventually does so.

Example 2. The execution of example 1 is fair.
Proposition 1 (Fair Tail Property). If $(M_0, (t_i; \delta_i)_{i \in I})$ is fair, then so is $(M_n, (t_i; \delta_i)_{n < i,\ i \in I})$ for all $n \in I$.

We consider various criteria that imply fairness. The first will be interference-freedom, which roughly means that at any given point, the order in which we apply applicable rules does not matter. It will hold whenever the rules do not “overlap”. In general, given an MRS $R$ and a property $P$, we say $P$ holds from $M$ if for all traces $(M, (r_i; \delta_i)_{i \in I})$, $P$ holds for $M$ and for $M_i$ for all $i \in I$.

Write $S_I$ for the group of bijections on $I$; its elements are called permutations. A permutation $\sigma \in S_I$ acts on a trace $T = (M_0, (t_i; \delta_i)_{i \in I})$ to produce a sequence $\sigma \cdot T = (M_0, (t_{\sigma(i)}; \delta_{\sigma(i)})_{i \in I})$. This sequence $\sigma \cdot T$ is a permutation of $T$ whenever it is also a trace. We adopt group-theoretic notation for cyclic permutations and write $(x, \sigma(x), \sigma(\sigma(x)), \dots)$ for a cyclic permutation $\sigma : I \to I$; implicit is that all elements not in the orbit of $x$ are fixed by $\sigma$. Cycles of length two are called transpositions.

Consider an MRS $R$ and let $r_1(\theta_1), \dots, r_n(\theta_n)$ enumerate all distinct instantiations of rules in $R$ applicable to $M$. We say that $R$ commutes on $M$ or is interference-free on $M$ if for all corresponding pairwise-disjoint fresh-constant substitutions $\xi_i$, the following diagram commutes for all permutations $\sigma \in S_n$, and both paths around it are traces:
$$M \xrightarrow{(r_1;\ (\theta_1, \xi_1))} M_1 \to \cdots \xrightarrow{(r_{n-1};\ (\theta_{n-1}, \xi_{n-1}))} M_{n-1} \xrightarrow{(r_n;\ (\theta_n, \xi_n))} M_n$$
$$M \xrightarrow{(r_{\sigma(1)};\ (\theta_{\sigma(1)}, \xi_{\sigma(1)}))} M'_1 \to \cdots \xrightarrow{(r_{\sigma(n-1)};\ (\theta_{\sigma(n-1)}, \xi_{\sigma(n-1)}))} M'_{n-1} \xrightarrow{(r_{\sigma(n)};\ (\theta_{\sigma(n)}, \xi_{\sigma(n)}))} M_n$$
We note that interference-freedom is only defined if the enumeration of distinct applicable instantiations is finite. The following proposition is an immediate consequence of the definition of commuting rules:
Proposition 2. Let $R$ commute on $M$, and let $r_i(\theta_i)$ with $1 \le i \le n$ be the distinct instantiations applicable on $M$. If $M \xrightarrow{(r_1;\ (\theta_1, \xi_1))} M_1$, then $r_2(\theta_2), \dots, r_n(\theta_n)$ are applicable to and commute on $M_1$.

Interference-freedom implies the existence of fair executions:
Proposition 3 (Fair Scheduler). Assume the axiom of countable choice. If $R$ is interference-free from $M$, then there is a fair execution from $M$.

Proof (Sketch). Let $Q$ be a queue of rule instantiations applicable to $M$. Given $M_n$, dequeue a rule $r_{n+1}(\theta_{n+1})$ from $Q$ and use the axiom of countable choice to choose a suitably disjoint fresh-constant substitution $\xi_{n+1}$. By interference-freedom, it is applicable to $M_n$, and let $M_{n+1}$ be the result of doing so. Enqueue all newly-applicable rule instantiations. If $Q$ is ever empty, then the trace is finite but maximally long. In all cases, the trace gives a fair execution: every distinct applicable rule instantiation is enqueued and then applied after some finite number of steps.

Though interference-freedom simplifies fair scheduling, it is primarily of interest for reasoning about executions. For example, it is useful for showing confluence properties. It also lets us safely permute certain steps in a trace without affecting observations for session-typed processes (see section 4). This can simplify process equivalence proofs, because it lets us assume that related steps in an execution happen one after another.

Interference-freedom is a strong property, but it arises frequently in nature. This is because many systems can be captured using rules whose active multisets do not overlap, and rules whose active multisets are non-overlapping commute. In fact, even if their active multisets overlap, the rules do not disable each other so long as they preserve these overlaps.

Let $M_i \subseteq M$ for $1 \le i \le n$. Their overlap in $M$ is $\Omega_M(M_1, \dots, M_n) = M_1, \dots, M_n \setminus M$. Consider an MRS $R$ and let $r_i(\theta_i) : F_i(\theta_i) \to \exists \vec{n}_i.\ G_i(\theta_i, \vec{n}_i)$, $1 \le i \le n$, enumerate all distinct instantiations of rules in $R$ applicable to $M$. We say that $R$ is non-overlapping on $M$ if for all $1 \le i \le n$ and fresh-constant substitutions $\xi_i$,
$$F_i(\theta_i) \cap \Omega_M(F_1(\theta_1), \dots, F_n(\theta_n)) \subseteq G_i(\theta_i, \xi_i).$$

Example 3. The MRS given by example 1 is non-overlapping from any multiset of the form $Q, E$ where $Q$ is a queue rooted at $q$, and $E$ contains at most one judgment of the form $\mathsf{enq}(q, v)$.

Proposition 4 characterizes the application of non-overlapping rules, while proposition 5 characterizes the relationship between commuting and non-overlapping rules.
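As an added illustration (not code from the paper), the following Python models Example 1's queue MRS, checks the fairness condition of section 2 on finite executions, and runs the queue-based scheduler from the proof of Proposition 3 next to a greedy scheduler that starves an enqueue once a rule `clk → clk` (our addition, not in the paper) can fire forever. The tuple encoding of judgments and the use of `Counter` for multisets are this example's own assumptions.

```python
"""Multiset rewriting in miniature: the queue MRS of Example 1, a fairness check
for finite executions, and the FIFO fair scheduler of Proposition 3's proof.
Added example; the encoding (tuples for judgments, Counters for multisets) is ours."""
from collections import Counter, deque
from itertools import count

# Judgments are tuples: ("que", q, "$") is the empty queue q, ("que", q, v, q2) is
# queue q with head v and tail q2, and ("enq", q, v) enqueues v onto q.
_fresh = count()

def constants(M):
    return {c for j in M for c in j[1:]}

def fresh(used):
    """One fresh constant: absent from the current multiset (the rules use none)."""
    while (d := f"_z{next(_fresh)}") in used:
        pass
    return d

class Inst:
    """A rule instantiation r(theta). `key` (rule name + matching substitution)
    identifies it up to equivalence; `active` is F(theta); `result(d)` is G(theta, xi)."""
    def __init__(self, key, active, result, n_fresh):
        self.key, self.active, self.result, self.n_fresh = key, Counter(active), result, n_fresh

def queue_rules(M):
    """Enumerate the distinct instantiations of e1 and e2 applicable to M."""
    for j in M:
        if j[0] != "enq":
            continue
        _, x, y = j
        # e1: enq(x,y), que(x,$) -> exists z. que(x, y->z), que(z,$)
        if ("que", x, "$") in M:
            yield Inst(("e1", x, y), [j, ("que", x, "$")],
                       lambda d, x=x, y=y: [("que", x, y, d[0]), ("que", d[0], "$")], 1)
        # e2: enq(x,y), que(x, z->w) -> que(x, z->w), enq(w,y)
        for k in M:
            if k[0] == "que" and len(k) == 4 and k[1] == x:
                yield Inst(("e2", x, y, k[2], k[3]), [j, k],
                           lambda d, k=k, y=y: [k, ("enq", k[3], y)], 0)

def clocked_rules(M):
    """Adds a rule clk -> clk that is applicable forever, to exhibit unfair schedules."""
    if ("clk",) in M:
        yield Inst(("clk",), [("clk",)], lambda d: [("clk",)], 0)
    yield from queue_rules(M)

def applicable(inst, M):
    return all(M[j] >= n for j, n in inst.active.items())

def apply(inst, M):
    """One step M --(r; delta)--> M': drop the active multiset, add G(theta, xi)."""
    used, d = constants(M), []
    for _ in range(inst.n_fresh):
        d.append(fresh(used))
        used.add(d[-1])
    return M - inst.active + Counter(inst.result(d))

def fifo_execution(rules, M, max_steps=50):
    """Proposition 3's scheduler: newly applicable instantiations join the back of a
    queue and are applied in order. Returns (configurations M_0.., step keys r_1..)."""
    configs, steps, Q, pending = [M], [], deque(), set()
    while len(steps) < max_steps:
        for inst in rules(M):
            if inst.key not in pending:
                pending.add(inst.key)
                Q.append(inst)
        while Q and not applicable(Q[0], M):   # cannot happen for non-overlapping rules
            pending.discard(Q.popleft().key)
        if not Q:
            break                              # finite but maximally long
        inst = Q.popleft()
        pending.discard(inst.key)
        M = apply(inst, M)
        configs.append(M)
        steps.append(inst.key)
    return configs, steps

def greedy_execution(rules, M, max_steps=50):
    """Always fire the first instantiation enumerated: unfair once a rule never disables."""
    configs, steps = [M], []
    while len(steps) < max_steps and (inst := next(rules(M), None)) is not None:
        M = apply(inst, M)
        configs.append(M)
        steps.append(inst.key)
    return configs, steps

def is_fair(rules, configs, steps):
    """Fairness of a finite execution: every instantiation applicable at M_i is
    equivalent to some later step r_j, j > i (steps[i:] are r_{i+1}, r_{i+2}, ...)."""
    return all(inst.key in steps[i:] for i, M in enumerate(configs) for inst in rules(M))

# Example 1's one-element queue Q = que(q, 0 -> q'), que(q', $) with enq(q, 1) pending.
Q = Counter({("que", "q", 0, "q'"): 1, ("que", "q'", "$"): 1})
EXAMPLE_1 = Q + Counter({("enq", "q", 1): 1})
```

`fifo_execution(queue_rules, EXAMPLE_1)` reproduces Example 1's two-step execution ($e_2$ then $e_1$), and `is_fair` accepts it while rejecting the empty, non-maximal trace from the same multiset.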
Proposition 4. Let $R$ be non-overlapping on $M$ and let $r_i(\theta_i) : F_i(\theta_i) \to \exists \vec{n}_i.\ G_i(\theta_i, \vec{n}_i)$ with $1 \le i \le n$ be the distinct instantiations applicable to $M$. If $M \xrightarrow{(r_1;\ (\theta_1, \xi_1))} M_1$ and $r_1, \dots, r_n$ are non-overlapping on $M$, then $r_2(\theta_2), \dots, r_n(\theta_n)$ are applicable to and non-overlapping on $M_1$.

In particular, set $O = \Omega_M(F_1, \dots, F_n) \cap F_1$. There exist $F'_1$ and $G'_1$ such that $F_1 = O, F'_1$ and $G_1 = O, G'_1$, and there exists an $M''$ such that $M = O, F'_1, M''$ and $M_1 = O, G'_1, M''$. The instantiations $r_2(\theta_2), \dots, r_n(\theta_n)$ are all applicable to $O, M'' \subseteq M_1$.

Proposition 5.
An MRS commutes on $M$ if it is non-overlapping on $M$; the converse is false.

For the remainder of this section, assume that if $(M, (r_i; \delta_i)_i)$ is a fair trace, then its MRS is interference-free from $M$. Interference-freedom implies the ability to safely permute finitely many steps that do not depend on each other. However, it is not obvious that finite permutations, let alone infinite permutations, preserve fairness. To show that they do, we use the following lemma to reduce arguments about infinite permutations to arguments about finite permutations:

Lemma 1. For all $n \in \mathbb{N}$ and permutations $\sigma : \mathbb{N} \to \mathbb{N}$, set $\chi_\sigma(n) = \sup_{k \le n} \sigma^{-1}(k)$. Then there exist permutations $\tau, \rho : \mathbb{N} \to \mathbb{N}$ such that $\sigma = \rho \circ \tau$, $\tau(k) = k$ for all $k > \chi_\sigma(n)$, and $\rho(k) = k$ for all $k \le n$.

The following proposition shows that permutations of prefixes of traces preserve fairness. Its proof uses a factorization of permutations into cycles permuting adjacent steps, where each cycle preserves fairness.
Proposition 6. Consider an MRS $R$ that is interference-free from $M$ and let $T = (M, (r_i; (\theta_i, \xi_i))_{i \in I})$ be a trace, an execution, or a fair execution. Let $\sigma \in S_I$ be such that for some $n \in I$, $\sigma(i) = i$ for all $i > n$. Then $\sigma \cdot T$ is respectively a trace, an execution, or a fair execution.
Corollary 1. Fairness is invariant under permutation, that is, if $R$ is interference-free from $M$, $T$ is a fair trace from $M$, and $\Sigma = \sigma \cdot T$ is a permutation of $T$, then $\Sigma$ is also fair.

Proof. Let $T = (M, (t_i; \delta_i)_i)$ and $\delta_i = (\theta_i, \xi_i)$, and let $\Sigma$ be the trace
$$M = \Sigma_0 \xrightarrow{(t_{\sigma(1)};\ \delta_{\sigma(1)})} \Sigma_1 \xrightarrow{(t_{\sigma(2)};\ \delta_{\sigma(2)})} \cdots.$$
Consider some rule $r \in R$ such that $\Sigma_i \xrightarrow{(r;\ (\theta, \xi))} \Sigma'_i$. We must show that there exists a $j$ with $\sigma(j) > \sigma(i)$ such that $t_{\sigma(j)}(\theta_{\sigma(j)}) \equiv r(\theta)$. Let the factorization $\sigma = \rho \circ \tau$ be given by lemma 1 for $n = \sigma(i)$. By proposition 6, we get that $\tau \cdot T$ is fair. Moreover, by construction of $\tau$, $\tau \cdot T$ and $\Sigma$ agree on the first $n$ steps […] a $k > \sigma(i)$ such that the $k$-th step in $\tau \cdot T$ is $r(\theta)$. By construction of $\rho$, $\rho(k) > \sigma(i)$, so this step appears after $\Sigma_i$ in $\Sigma$ as desired. We conclude that $\Sigma$ is fair.

Corollary 1 established that permutations preserve fairness. Relatedly, all fair traces from a given multiset are permutations of each other. To show this, we construct a potentially infinite sequence of permutations and use the following lemma to compose them:
Lemma 2. Let $(\sigma_n)_{n \in I}$ be a family of bijections on $I$ such that for all $m < n$, $(\sigma_n \circ \cdots \circ \sigma_1)(m) = (\sigma_m \circ \cdots \circ \sigma_1)(m)$. Let $\sigma : I \to I$ be given by $\sigma(m) = (\sigma_m \circ \cdots \circ \sigma_1)(m)$. Then $\sigma$ is injective, but need not be surjective.

Lemma 3. Let $R$ be interference-free from $M$. Consider a fair execution $T = (M, (r_i; (\theta_i, \xi_i))_{i \in I})$ and a step $M \xrightarrow{(t;\ (\tau, \rho))} M'$. Set $n = \varphi_T(0, t, \tau)$ (so $t(\tau) \equiv r_n(\theta_n)$). Then $(1, \dots, n) \cdot T$ is a permutation of $T$ with $(t; (\tau, \xi_n))$ as its first step, and it is a fair execution.

Proposition 7. If $R$ is interference-free from $M$, then all fair executions from $M$ are permutations of each other.

Proof (Sketch). Consider traces $R = (R_0, (r_i; (\theta_i, \xi_i))_{i \in I})$ and $T = (T_0, (t_j; (\tau_j, \zeta_j))_{j \in J})$ where $R_0 = M = T_0$. We construct a sequence of permutations $\sigma_1, \sigma_2, \dots$, where $\Phi_0 = R$ and the step $\Phi_{n+1} = \sigma_{n+1} \cdot \Phi_n$ is given by lemma 3 such that $\Phi_{n+1}$ agrees with $T$ on the first $n + 1$ […] $\sigma_n$ into an injection $\sigma$ using lemma 2; fairness ensures that it is a surjection. We have $T = \sigma \cdot R$ by construction.

Let the support of a multiset $M = (S, m)$ be the set $\mathrm{supp}(M) = \{ s \in S \mid m(s) > 0 \}$. We say that two traces $T = (M_0; (r_i, \delta_i)_I)$ and $T'$ are union-equivalent if $T'$ can be refreshed to a trace $(N_0; (s_j, \rho_j)_j)$ such that the unions of the supports of the multisets in the traces are equal, i.e., such that
$$\bigcup_{i \ge 0} \mathrm{supp}(M_i) = \bigcup_{j \ge 0} \mathrm{supp}(N_j).$$

Lemma 4.
Consider an MRS and assume $T$ is a permutation of $S$. Then $T$ and $S$ are union-equivalent.

Proof. Consider a trace $(M_0, (r_i; \delta_i)_i)$. For all $n$, each judgment in $M_n$ appears either in $M_0$ or in the result of some rule $r_i$ with $i \le n$. Traces $T$ and $S$ start from the same multiset and have the same rules. It follows that they are union-equivalent.

Corollary 2 will be key in section 4 to showing that processes have unique observations.

Corollary 2. If $R$ is interference-free from $M$, then all fair executions from $M$ are union-equivalent.

Session types specify communication protocols between communicating processes. In this section, we present a session-typed language arising from a proofs-as-programs interpretation of intuitionistic linear logic [4] extended to support recursive processes and recursive types.

We let $A, B, C$ range over session types and $a, b, c$ range over channel names. A process $P$ provides a distinguished service $A$ over some channel $c$, and may use zero or more services $A_i$ on channels $c_i$. In this sense, a process $P$ is a server for the service $A$, and a client of the services $A_i$. The channels $c_1 : A_1, \dots, c_n : A_n$ form a linear context $\Delta$. We write $\Delta \vdash P :: c : A$ to capture these data. We also allow $P$ to depend on process variables $p_i$ of type $\{ b : B \leftarrow \Delta \}$. Values of type $\{ b : B \leftarrow \Delta \}$ are processes $Q$ such that $\Delta \vdash Q :: b : B$. We write $\Pi$ for structural contexts of process variables $p_i : \{ a_i : A_i \leftarrow \Delta_i \}$. These data are captured by the judgment $\Pi; \Delta \vdash P :: c : A$, and we say that $P$ is closed if $\Pi$ is empty.

At any given point in a computation, communication flows in a single direction on a channel $c : A$. The direction of communication is determined by the polarity of the type $A$, where session types are […] $\Pi; \Delta \vdash P :: c : A$. Communication on positively-typed channels flows from left-to-right in this judgment: if $A$ is positive, then $P$ can only send output on $c$, while if $A_i$ is positive for $1 \le i \le n$, then $P$ can only receive input on $c_i$.
Symmetrically, communication on negatively-typed channels flows from right-to-left in the judgment. Bidirectional communication arises from the fact that the type of a channel evolves over the course of a computation, sometimes becoming positive, sometimes becoming negative.

Most session types have a polar dual, where the direction of communication is reversed. With one exception, we only consider positive session types here. Negative session types pose no difficulty and can be added by dualizing the constructions. To illustrate this dualization, we also consider the (negative) external choice type $\&\{ l : A_l \}_{l \in L}$, the polar dual of the (positive) internal choice type $\oplus\{ l : A_l \}_{l \in L}$.

The operational behaviour of closed processes is given by a substructural operational semantics (SSOS) in the form of a multiset rewriting system. The judgment $\mathsf{proc}(c, P)$ means that the closed process $P$ provides a channel $c$. The judgment $\mathsf{msg}(c, m)$ means the channel $c$ is carrying a message $m$. Process communication is asynchronous: processes send messages without synchronizing with recipients. To ensure that messages on a given channel are received in order, the $\mathsf{msg}(c, m)$ judgment encodes a queue-like structure similar to the queues of example 1, and we ensure that each channel name $c$ is associated with at most one $\mathsf{msg}(c, m)$ judgment. For example, the multiset $\mathsf{msg}(c, m_1; c \leftarrow c_1), \mathsf{msg}(c_1, m_2; c_1 \leftarrow c_2), \dots$ captures the queue of messages $m_1, m_2, \dots$ on $c$. There is no global ordering on sent messages: messages sent on different channels can be received out of order. We extend the usual SSOS with a new persistent judgment, $\mathbf{type}(c : A)$, which means that channel $c$ has type $A$.

The initial configuration of $\cdot; c_1 : A_1, \dots, c_n : A_n \vdash P :: c : A$ is the multiset $\mathsf{proc}(c, P), \mathbf{type}(c : A), \mathbf{type}(c_1 : A_1), \dots, \mathbf{type}(c_n : A_n)$. A process trace is a trace from the initial configuration of a process, and a multiset in it is a configuration. A fair execution of $\cdot; \Delta \vdash P :: c : A$ is a fair execution from its initial configuration.

We give the typing rules and the substructural operational semantics in section 3.1. In section 3.2, we study properties of process traces and fair executions. In particular, we show that each step in these traces preserves various invariants, that the MRS of section 3.1 is non-interfering from initial process configurations, and that every process has a fair execution.

The process $a \to b$ forwards all messages from the channel $a$ to the channel $b$; it assumes that both channels have the same positive type. It is formed by (FWD$^+$) and its operational behaviour is given by (2).
$$\frac{}{\Pi; a : A \vdash a \to b :: b : A}\ (\text{FWD}^+) \qquad \mathsf{msg}(a, m), \mathsf{proc}(b, a \to b) \to \mathsf{msg}(b, m) \quad (2)$$
Process composition $a : A \leftarrow P; Q$ spawns processes $P$ and $Q$ that communicate over a shared private channel $a$ of type $A$. It captures Milner’s “parallel composition plus hiding” operation [17, pp. 20f.]. To ensure that the shared channel is truly private, we generate a globally fresh channel $b$ for $P$ and $Q$ to communicate over.
$$\frac{\Pi; \Delta_1 \vdash P :: a : A \qquad \Pi; a : A, \Delta_2 \vdash Q :: c : C}{\Pi; \Delta_1, \Delta_2 \vdash a : A \leftarrow P; Q :: c : C}\ (\text{CUT})$$
$$\mathsf{proc}(c, a : A \leftarrow P; Q) \to \exists b.\ \mathsf{proc}(b, [b/a]P), \mathsf{proc}(c, [b/a]Q), \mathbf{type}(b : A) \quad (3)$$
The process $\mathsf{close}\ a$ closes a channel $a$ of type $\mathbf{1}$ by sending the “close message” $*$ over $a$. Dually, the process $\mathsf{wait}\ a; P$ blocks until it receives the close message on the channel $a$, and then continues as $P$.
$$\frac{}{\Pi; \cdot \vdash \mathsf{close}\ a :: a : \mathbf{1}}\ (\mathbf{1}R) \qquad \frac{\Pi; \Delta \vdash P :: c : C}{\Pi; \Delta, a : \mathbf{1} \vdash \mathsf{wait}\ a; P :: c : C}\ (\mathbf{1}L)$$
$$\mathsf{proc}(a, \mathsf{close}\ a) \to \mathsf{msg}(a, *) \quad (4) \qquad \mathsf{msg}(a, *), \mathsf{proc}(c, \mathsf{wait}\ a; P) \to \mathsf{proc}(c, P) \quad (5)$$
Processes can communicate channels over channels of type $B \otimes A$, where the transmitted channel has type $B$ and subsequent communication has type $A$. The process $\mathsf{send}\ a\ b; P$ sends a channel $b$ over channel $a$ and then continues as $P$. To ensure a queue-like structure for messages on $a$, we generate a fresh channel name $d$ for the “continuation channel” that will carry subsequent communications. The process $b \leftarrow \mathsf{recv}\ a; P$ blocks until it receives a channel over $a$, binds it to the name $b$, and continues as $P$. Operationally, we rename $a$ in $P$ to the continuation channel $d$ carrying the remainder of the communications.
$$\frac{\Pi; \Delta \vdash P :: a : A}{\Pi; \Delta, b : B \vdash \mathsf{send}\ a\ b; P :: a : B \otimes A}\ (\otimes R^*) \qquad \frac{\Pi; \Delta, a : A, b : B \vdash P :: c : C}{\Pi; \Delta, a : B \otimes A \vdash b \leftarrow \mathsf{recv}\ a; P :: c : C}\ (\otimes L)$$
$$\mathsf{proc}(a, \mathsf{send}\ a\ b; P), \mathbf{type}(a : B \otimes A) \to \exists d.\ \mathsf{proc}(d, [d/a]P), \mathsf{msg}(a, \mathsf{send}\ a\ b; a \leftarrow d), \mathbf{type}(d : A) \quad (6)$$
$$\mathsf{msg}(a, \mathsf{send}\ a\ e; a \leftarrow d), \mathsf{proc}(c, b \leftarrow \mathsf{recv}\ a; P) \to \mathsf{proc}(c, [e, d/b, a]P) \quad (7)$$
The internal choice type $\oplus\{ l : A_l \}_{l \in L}$ offers a choice of services $A_l$. The process $a.k; P$ sends a label $k$ on $a$ to signal its choice to provide the service $A_k$ on $a$. The process $\mathsf{case}\ a\ \{ l \Rightarrow P_l \}_{l \in L}$ blocks until it receives a label $k \in L$ on $a$, and then continues as $P_k$.
$$\frac{\Pi; \Delta \vdash P :: a : A_k \quad (k \in L)}{\Pi; \Delta \vdash a.k; P :: a : \oplus\{ l : A_l \}_{l \in L}}\ (\oplus R_k) \qquad \frac{\Pi; \Delta, a : A_l \vdash P_l :: c : C \quad (\forall l \in L)}{\Pi; \Delta, a : \oplus\{ l : A_l \}_{l \in L} \vdash \mathsf{case}\ a\ \{ l \Rightarrow P_l \}_{l \in L} :: c : C}\ (\oplus L)$$
$$\mathsf{proc}(a, a.k; P), \mathbf{type}(a : \oplus\{ l : A_l \}_{l \in L}) \to \exists d.\ \mathsf{msg}(a, a.k; a \leftarrow d), \mathsf{proc}(d, [d/a]P), \mathbf{type}(d : A_k) \quad (8)$$
$$\mathsf{msg}(a, a.k; a \leftarrow d), \mathsf{proc}(c, \mathsf{case}\ a\ \{ l \Rightarrow P_l \}_{l \in L}) \to \mathsf{proc}(c, [d/a]P_k) \quad (9)$$
To illustrate the duality between positive and negative types, we consider the (negative) external choice type. It is the polar dual of the (positive) internal choice type. The external choice type $\&\{ l : A_l \}_{l \in L}$ provides a choice of services $A_l$. The process $\mathsf{case}\ a\ \{ l \Rightarrow P_l \}_{l \in L}$ blocks until it receives a label $k \in L$ on $a$, and then continues as $P_k$. The process $a.k; P$ sends a label $k$ on $a$ to signal its choice to use the service $A_k$ on $a$. Observe that, where a provider of an internal choice type sends a label in (8), a provider of the external choice type receives a label in (10). Analogously, a client of an internal choice type receives a label in (9), and a client of an external choice type sends a label in (11).
$$\frac{\Psi; \Delta \vdash P_l :: a : A_l \quad (\forall l \in L)}{\Psi; \Delta \vdash \mathsf{case}\ a\ \{ l \Rightarrow P_l \}_{l \in L} :: a : \&\{ l : A_l \}_{l \in L}}\ (\& R) \qquad \frac{\Psi; \Delta, a : A_k \vdash P :: c : C \quad (k \in L)}{\Psi; \Delta, a : \&\{ l : A_l \}_{l \in L} \vdash a.k; P :: c : C}\ (\& L_k)$$
$$\mathsf{msg}(a, a.k; a \leftarrow d), \mathsf{proc}(a, \mathsf{case}\ a\ \{ l \Rightarrow P_l \}_{l \in L}) \to \mathsf{proc}(d, [d/a]P_k) \quad (10)$$
$$\mathsf{proc}(c, a.k; P), \mathbf{type}(a : \&\{ l : A_l \}_{l \in L}) \to \exists d.\ \mathsf{msg}(a, a.k; a \leftarrow d), \mathsf{proc}(c, [d/a]P), \mathbf{type}(d : A_k) \quad (11)$$
A communication of type $\rho\alpha.A$ is an unfold message followed by a communication of type $[\rho\alpha.A/\alpha]A$. The process $\mathsf{send}\ a\ \mathsf{unfold}; P$ sends an unfold message and continues as $P$. The process $\mathsf{unfold} \leftarrow \mathsf{recv}\ a; P$ […] $a$ and continues as $P$.
$$\frac{\Pi; \Delta \vdash P :: a : [\rho\alpha.A/\alpha]A}{\Pi; \Delta \vdash \mathsf{send}\ a\ \mathsf{unfold}; P :: a : \rho\alpha.A}\ (\rho^+ R) \qquad \frac{\Pi; \Delta, a : [\rho\alpha.A/\alpha]A \vdash P :: c : C}{\Pi; \Delta, a : \rho\alpha.A \vdash \mathsf{unfold} \leftarrow \mathsf{recv}\ a; P :: c : C}\ (\rho^+ L)$$
$$\mathsf{proc}(a, \mathsf{send}\ a\ \mathsf{unfold}; P), \mathbf{type}(a : \rho\alpha.A) \to \exists d.\ \mathsf{msg}(a, \mathsf{send}\ a\ \mathsf{unfold}; a \leftarrow d), \mathsf{proc}(d, [d/a]P), \mathbf{type}(d : [\rho\alpha.A/\alpha]A) \quad (12)$$
$$\mathsf{msg}(a, \mathsf{send}\ a\ \mathsf{unfold}; a \leftarrow d), \mathsf{proc}(c, \mathsf{unfold} \leftarrow \mathsf{recv}\ a; P) \to \mathsf{proc}(c, [d/a]P) \quad (13)$$
Finally, recursive processes are formed in the standard way. The SSOS is only defined on closed processes, so there are no rules for process variables. Recursive processes step by unfolding.
$$\frac{}{\Pi, p : \{ c : C \leftarrow \Delta \}; \Delta \vdash p :: c : C}\ (\text{VAR}) \qquad \frac{\Pi, p : \{ c : C \leftarrow \Delta \}; \Delta \vdash P :: c : C}{\Pi; \Delta \vdash \mathsf{fix}\ p.\ P :: c : C}\ (\text{REC})$$
$$\mathsf{proc}(c, \mathsf{fix}\ p.\ P) \to \mathsf{proc}(c, [\mathsf{fix}\ p.\ P/p]P) \quad (14)$$

Example 4.
The protocol conat = ρα . ( z : ) ⊕ ( s : α ) encodes conatural numbers. Indeed, a communi-cation is either an infinite sequence of successor labels s , or some finite number of s labels followed bythe zero label z and termination. The following process receives a conatural number i and outputs itsincrement on o: · ; i : conat (cid:96) send o unfold ; s . o ; o → i :: o : conat . It works by outputting a successor label on o, and then forwarding the conatural number i to o. It has thefollowing fair execution, where we elide type ( c : A ) judgments and annotations on the arrows: proc ( o , send o unfold ; s . o ; o → i ) −→ msg ( c , send o unfold ; o ← o ) , proc ( o , s . o ; o → i ) −→ msg ( o , send o unfold ; o ← o ) , msg ( o , s . o ; s ← o ) , proc ( o , o ← i ) . The following recursive process outputs the infinite conatural number s ( s ( s ( · · · ))) on o: · ; · (cid:96) fix ω . send o unfold ; s . o ; ω :: o : conat . It has an infinite fair execution where for n ≥ , the rules r n − , r n − , and r n are respectively instantia-tions of (14) , (12) , and (8) . Let P be MRS given by the above rules. We prove various invariants maintained by process traces.Let fc ( P ) be the set of free channel names in P . The following result follows by an induction on n anda case analysis on the rule used in the last step: Proposition 8.
Let $T = (M_0, (r_i;\delta_i)_i)$ be a process trace. For all $n$, if $\mathrm{proc}(c, P) \in M_n$, then
1. $c \in \mathrm{fc}(P)$;
2. for all $c_i \in \mathrm{fc}(P)$, there exists an $A_i$ such that $\mathrm{type}(c_i : A_i) \in M_n$; and
3. where $\mathrm{fc}(P) = \{c_0, \ldots, c_m\}$ with $c = c_0$, we have $\cdot\,;\ c_1 : A_1, \ldots, c_m : A_m \vdash P :: c_0 : A_0$.
If $\mathrm{msg}(c, m) \in M_n$, then
- if $m = \ast$, then $\mathrm{type}(c : \mathbf{1}) \in M_n$;
- if $m = c.l_j;\ c \leftarrow d$, then either $\mathrm{type}(c : \oplus\{l_i : A_i\}_{i \in I}) \in M_n$ or $\mathrm{type}(c : \&\{l_i : A_i\}_{i \in I}) \in M_n$ for some $A_i$ ($i \in I$), and $\mathrm{type}(d : A_j) \in M_n$ where $j \in I$;
- if $m = \mathbf{send}\ c\ a;\ c \leftarrow b$, then $\mathrm{type}(c : A \otimes B),\ \mathrm{type}(a : A),\ \mathrm{type}(b : B) \in M_n$ for some $A$ and $B$;
- if $m = \mathbf{send}\ c\ \mathbf{unfold};\ c \leftarrow d$, then $\mathrm{type}(c : \rho\alpha.A),\ \mathrm{type}(d : [\rho\alpha.A/\alpha]A) \in M_n$ for some $\rho\alpha.A$.

The MRS $\mathcal{P}$ differs from the usual MRSs given for this style of session-typed language [13, 20, 25] in the addition of $\mathrm{type}(c : A)$ judgments. Corollary 3 shows that their addition does not change the operational behaviour of the semantics. Let $|M|$, $|\mathcal{P}|$, $|T|$, etc., be the result of erasing all $\mathrm{type}(c : A)$ judgments.

Corollary 3.
Consider a process $\cdot\,;\Delta \vdash P :: c : A$ with initial state $M_0$. If $T$ is a trace from $M_0$ under $\mathcal{P}$, then $|T|$ is a trace from $|M_0|$ under $|\mathcal{P}|$. If $T$ is a trace from $|M_0|$ under $|\mathcal{P}|$, then there exists a trace $T'$ from $M_0$ under $\mathcal{P}$ such that $|T'| = T$.
Proposition 8 showed that there are enough $\mathrm{type}(c : A)$ jud­gments in a trace. Proposition 9 shows that there are not too many:

Proposition 9.
Let $(M_0, (r_i;\delta_i)_i)$ be a process trace. For all channels $c$ and all $i, j \ge 0$, if $\mathrm{type}(c : A_i)$ appears in $M_i$ and $\mathrm{type}(c : A_j)$ appears in $M_j$, then $A_i = A_j$.

We show an analogous uniqueness result for $\mathrm{msg}(c, m)$ judgments. It implies that each channel name in an execution carries at most one message. To prove it, we begin by partitioning a process's free channels into "input" and "output" channels and show that at all times, a channel is an output channel of at most one process. Given a process $P$, let $\mathrm{oc}(P)$ be the subset of $\mathrm{fc}(P)$ recursively defined by:
$$\begin{aligned}
\mathrm{oc}(a \to b) &= \{b\} & \mathrm{oc}(a \leftarrow P;\ Q) &= (\mathrm{oc}(P) \cup \mathrm{oc}(Q)) \setminus \{a\}\\
\mathrm{oc}(\mathbf{close}\ a) &= \{a\} & \mathrm{oc}(\mathbf{wait}\ a;\ P) &= \mathrm{oc}(P)\\
\mathrm{oc}(a.k;\ P) &= \{a\} \cup \mathrm{oc}(P) & \mathrm{oc}(\mathbf{case}\ a\ \{l \Rightarrow P_l\}_{l \in L}) &= \Big(\bigcup_{l \in L} \mathrm{oc}(P_l)\Big) \setminus \{a\}\\
\mathrm{oc}(\mathbf{send}\ a\ b;\ P) &= \{a\} \cup \mathrm{oc}(P) & \mathrm{oc}(b \leftarrow \mathbf{recv}\ a;\ P) &= \mathrm{oc}(P) \setminus \{a, b\}\\
\mathrm{oc}(\mathbf{send}\ a\ \mathbf{unfold};\ P) &= \{a\} \cup \mathrm{oc}(P) & \mathrm{oc}(\mathbf{unfold} \leftarrow \mathbf{recv}\ a;\ P) &= \mathrm{oc}(P) \setminus \{a\}\\
\mathrm{oc}(p) &= \emptyset & \mathrm{oc}(\mathbf{fix}\ p.\ P) &= \mathrm{oc}(P)
\end{aligned}$$
Intuitively, $c \in \mathrm{oc}(P)$ if the next time $P$ communicates on $c$, $P$ sends a message on $c$. Given a configuration $C$, let $\mathrm{oc}(C)$ be the union of the sets $\mathrm{oc}(P)$ for $\mathrm{proc}(c, P)$ in $C$. Analogously, let $\mathrm{ic}(P)$ and $\mathrm{ic}(C)$ be the sets of input channels of $P$ and of $C$.

Lemma 5.
If $F(\vec k) \xrightarrow{(r;\ (\vec k, \vec a))} G(\vec k, \vec a)$ by a rule $r$ of section 3.1, then
- if $\mathrm{msg}(c, m) \in F(\vec k)$, then $c \in \mathrm{ic}(F(\vec k))$;
- if $\mathrm{msg}(c, m) \in G(\vec k, \vec a)$, then $c \in \mathrm{oc}(F(\vec k))$;
- if $\mathrm{msg}(c, m;\ c \leftarrow d) \in G(\vec k, \vec a)$, then $d \in \vec a$ and $d \in \mathrm{fc}(G(\vec k, \vec a))$; and
- $\mathrm{oc}(G(\vec k, \vec a)) \subseteq \mathrm{oc}(F(\vec k)) \cup \vec a$ and $\mathrm{ic}(G(\vec k, \vec a)) \subseteq \mathrm{ic}(F(\vec k)) \cup \vec a$.

Proof. Immediate by a case analysis on the rules.

An induction with lemma 5 implies the desired disjointness result:

Lemma 6.
Let $(M_0, (r_i;\delta_i)_i)$ be a process trace. For all $n$, if $\mathrm{proc}(c, P)$ and $\mathrm{proc}(d, Q)$ appear in $M_n$ with $c \neq d$, then $\mathrm{oc}(P) \cap \mathrm{oc}(Q) = \emptyset$ and $\mathrm{ic}(P) \cap \mathrm{ic}(Q) = \emptyset$.

The following lemma shows that processes do not send messages on channels $c$ already associated with a $\mathrm{msg}(c, m)$ judgment:

Lemma 7.
Let $(M_0, (r_i;\delta_i)_i)$ be a process trace. For all $n \le k$, if $\mathrm{msg}(c, m) \in M_n$ and $\mathrm{proc}(d, P) \in M_k$, then $c \notin \mathrm{oc}(P)$.

The desired result then follows by induction and the above results:
Corollary 4.
Let $(M_0, (r_i;\delta_i)_i)$ be a process trace. For all channels $c$ and all $i, j \ge 0$, if $\mathrm{msg}(c, m_i)$ appears in $M_i$ and $\mathrm{msg}(c, m_j)$ appears in $M_j$, then $m_i = m_j$.

We now turn our attention to showing that all well-typed, closed processes have fair executions. This fact will follow easily from the following proposition:
Proposition 10.
The MRS $\mathcal{P}$ is non-overlapping from the initial configuration of $\cdot\,;\Delta \vdash P :: c : A$ for all $\cdot\,;\Delta \vdash P :: c : A$.

Proof.
Consider a trace $(M_0, (r_i;\ (\theta_i, \xi_i))_i)$ from the initial configuration of $\cdot\,;\Delta \vdash P :: c : A$ and some arbitrary $n$. It is sufficient to show that if $s_1(\phi_1)$ and $s_2(\phi_2)$ are distinct rule instantiations applicable to $M_n$, then $F_1(\phi_1)$ and $F_2(\phi_2)$ are disjoint multisets: $F_1(\phi_1) \cap F_2(\phi_2) = \emptyset$. Indeed, if this is the case and $s_1(\phi_1), \ldots, s_k(\phi_k)$ are the distinct rule instantiations applicable to $M_n$, then $F_1(\phi_1), \ldots, F_k(\phi_k) \subseteq M_n$, so $\Omega_{M_n}(F_1(\phi_1), \ldots, F_k(\phi_k)) = \emptyset$.

We proceed by case analysis on the possible judgments in $F_1(\phi_1) \cap F_2(\phi_2)$.

Case $\mathrm{msg}(c, m)$. Then $c \in \mathrm{ic}(F_1(\phi_1))$ and $c \in \mathrm{ic}(F_2(\phi_2))$ by lemma 5. This is a contradiction by lemma 6.

Case $\mathrm{proc}(c, P)$. Then $s_1 = s_2$ by a case analysis on the rules. We show that $\phi_1 = \phi_2$. If $s_1$ is one of (2) to (6), (8), (11), (12) and (14), then we have $\phi_1 = \phi_2$, because all constants matched by $\phi_1$ and $\phi_2$ appear in $\mathrm{proc}(c, P)$. If $s_1$ is one of (7), (9), (10) and (13), then $F_i(\phi_i)$ contains a judgment $\mathrm{msg}(d, m_i)$ where there is a constant $e_i \in m_i$ that appears in $\phi_i$, but not in $\mathrm{proc}(c, P)$ (explicitly, $e_i$ is the name of the continuation channel). By corollary 4, $m_1 = m_2$, so $e_1 = e_2$. All other channel names in $\phi_i$ appear in $\mathrm{proc}(c, P)$, so $\phi_1 = \phi_2$. So $s_1(\phi_1)$ and $s_2(\phi_2)$ are not distinct rule instantiations, a contradiction.

Case $\mathrm{type}(c : A)$. By case analysis on the rules, $s_1 = s_2$ and there exist judgments $\mathrm{proc}(d_i, P_i) \in F_i(\phi_i)$. Suppose to the contrary that $P_1 \neq P_2$. By case analysis on the rules, $s_1$ is one of (6), (8), (11) and (12). This implies that $c \in \mathrm{oc}(P_1) \cap \mathrm{oc}(P_2)$, a contradiction of lemma 6. So $P_1 = P_2$. Because all constants in $\phi_1$ and $\phi_2$ appear in $P_1$, we conclude that $\phi_1 = \phi_2$. So $s_1(\phi_1)$ and $s_2(\phi_2)$ are not distinct rule instantiations, a contradiction.

Corollary 5.
Every process $\cdot\,;\Delta \vdash P :: c : A$ has a fair execution. Its fair executions are all permutations of each other and they are all union-equivalent.

Proof.
By proposition 10, $\mathcal{P}$ is non-overlapping from the initial configuration $M_0$ of $\cdot\,;\Delta \vdash P :: c : A$. It is then interference-free from $M_0$ by proposition 5, so a fair execution exists by proposition 3. All of its fair executions are permutations of each other by proposition 7. They are union-equivalent by corollary 2.
Consider a closed process $\cdot\,;\ c_1 : A_1, \ldots, c_n : A_n \vdash P :: c_0 : A_0$. In this section, we will define the observation of $P$ to be a tuple $(c_i : v_i)_{0 \le i \le n}$, where $v_i$ is the communication of type $A_i$ observed on channel $c_i$ in a fair execution of $P$. We extract communications from fair executions using a coinductively defined judgment. We distinguish the modes of judgments: some positions are inputs to a judgment and others are outputs (in the typeset version these are coloured blue and red, respectively).

We begin by defining session-typed communications. Let a communication $v$ be a (potentially infinite) tree generated by the following grammar, where $k$ and $l_i$ range over labels. We explain these communications $v$ below when we associate them with session types. For convenience, we also give a grammar generating the session types $A$ of section 3.1. Session types are always finite expressions, and we treat $\rho\alpha.A$ as a binding operator.
$$v, v' ::= \bot_A \mid \ast \mid (k, v) \mid (v, v') \mid (\mathbf{unfold}, v)$$
$$A, A_i, B ::= \alpha \mid \mathbf{1} \mid A \otimes B \mid \oplus(l_1 : A_1, \ldots, l_n : A_n) \mid \&(l_1 : A_1, \ldots, l_n : A_n) \mid \rho\alpha.A.$$
As in section 3.1, we abbreviate $\oplus(l_1 : A_1, \ldots, l_n : A_n)$ and $\&(l_1 : A_1, \ldots, l_n : A_n)$ by $\oplus\{l : A_l\}_{l \in L}$ and $\&\{l : A_l\}_{l \in L}$, respectively, where $L = \{l_1, \ldots, l_n\}$ is the finite set of labels.

Next, we associate communications with session types. The judgment $v\ \varepsilon\ A$ means that the syntactic communication $v$ has type $A$. It is coinductively defined by the following rules, where $A$ is assumed to have no unbound occurrences of $\alpha$. The rules forming $(k, v_k)\ \varepsilon\ \oplus\{l : A_l\}_{l \in L}$ and $(k, v_k)\ \varepsilon\ \&\{l : A_l\}_{l \in L}$ have the side condition $k \in L$.
$$\frac{}{\bot_{\mathbf{1}}\ \varepsilon\ \mathbf{1}} \qquad \frac{}{\ast\ \varepsilon\ \mathbf{1}} \qquad \frac{}{\bot_{A \otimes B}\ \varepsilon\ A \otimes B} \qquad \frac{v\ \varepsilon\ A \quad v'\ \varepsilon\ B}{(v, v')\ \varepsilon\ A \otimes B}$$
$$\frac{}{\bot_{\rho\alpha.A}\ \varepsilon\ \rho\alpha.A} \qquad \frac{v\ \varepsilon\ [\rho\alpha.A/\alpha]A}{(\mathbf{unfold}, v)\ \varepsilon\ \rho\alpha.A}$$
$$\frac{}{\bot_{\oplus\{l : A_l\}_{l \in L}}\ \varepsilon\ \oplus\{l : A_l\}_{l \in L}} \qquad \frac{v_k\ \varepsilon\ A_k}{(k, v_k)\ \varepsilon\ \oplus\{l : A_l\}_{l \in L}} \qquad \frac{}{\bot_{\&\{l : A_l\}_{l \in L}}\ \varepsilon\ \&\{l : A_l\}_{l \in L}} \qquad \frac{v_k\ \varepsilon\ A_k}{(k, v_k)\ \varepsilon\ \&\{l : A_l\}_{l \in L}}$$
Every closed session type $A$ has an empty communication $\bot_A$ representing the absence of communication of that type.
The communication $\ast$ represents the close message. A communication of type $\oplus\{l : A_l\}_{l \in L}$ or $\&\{l : A_l\}_{l \in L}$ is a label $k \in L$ followed by a communication $v_k$ of type $A_k$, whence the communication $(k, v_k)$. Though by itself the communication $(k, v_k)$ does not capture the direction in which the label $k$ travelled, this poses no problem to our development: we never consider communications without an associated session type, and the polarity of the type specifies the direction in which $k$ travels. We cannot directly observe channels, but we can observe communications over channels. Consequently, we observe a communication of type $A \otimes B$ as a pair $(v, v')$ of communications $v$ of type $A$ and $v'$ of type $B$. A communication of type $\rho\alpha.A$ is an unfold message followed by a communication of type $[\rho\alpha.A/\alpha]A$.

Given a trace $T = (M_0, (r_i;\ (\theta_i, \xi_i))_i)$, we also write $T$ for the set-theoretic union of the $M_i$, that is, $x \in T$ if and only if $x \in \mathrm{supp}(M_i)$ for some $i$. Write $T \vdash c : A$ if $\mathrm{type}(c : A) \in T$. This judgment is defined on all channel names $c$ that appear in $T$ by proposition 8, and it is a function by proposition 9.

Assuming the channel $c$ appears in $T$, the judgment $T \rightsquigarrow v\ \varepsilon\ A / c$ means that we observed a communication $v$ of type $A$ on the channel $c$ during $T$. We will show below that whenever $T \rightsquigarrow v\ \varepsilon\ A / c$, we also have $T \vdash c : A$ and $v\ \varepsilon\ A$. Fixing $T$, the judgment $T \rightsquigarrow v\ \varepsilon\ A / c$ is coinductively defined by the following rules, i.e., it is the largest set of triples $(v, A, c)$ closed under the following rules. We observe no communication on a channel $c$ if and only if $\mathrm{msg}(c, m)$ does not appear in the trace for any $m$. Subject to the side condition that $\mathrm{msg}(c, m) \notin T$ for all $m$, we have the rule
$$\frac{T \vdash c : A}{T \rightsquigarrow \bot_A\ \varepsilon\ A / c}\ (\text{O-}\bot)$$
We observe the close message on $c$ if and only if the close message was sent on $c$:
$$\frac{\mathrm{msg}(c, \ast) \in T}{T \rightsquigarrow \ast\ \varepsilon\ \mathbf{1} / c}\ (\text{O-}\mathbf{1})$$
We observe label transmission as labelling communications on the continuation channel. We rely on the judgment $T \vdash c : \oplus\{l : A_l\}_{l \in L}$ or $T \vdash c : \&\{l : A_l\}_{l \in L}$ to determine the type of $c$:
$$\frac{\mathrm{msg}(c,\ c.l;\ c \leftarrow d) \in T \quad T \rightsquigarrow v\ \varepsilon\ A_l / d \quad T \vdash c : \oplus\{l : A_l\}_{l \in L}}{T \rightsquigarrow (l, v)\ \varepsilon\ \oplus\{l : A_l\}_{l \in L} / c}\ (\text{O-}\oplus)$$
$$\frac{\mathrm{msg}(c,\ c.l;\ c \leftarrow d) \in T \quad T \rightsquigarrow v\ \varepsilon\ A_l / d \quad T \vdash c : \&\{l : A_l\}_{l \in L}}{T \rightsquigarrow (l, v)\ \varepsilon\ \&\{l : A_l\}_{l \in L} / c}\ (\text{O-}\&)$$
As described above, we observe channel transmission as pairing of communications:
$$\frac{\mathrm{msg}(c,\ \mathbf{send}\ c\ a;\ c \leftarrow d) \in T \quad T \rightsquigarrow u\ \varepsilon\ A / a \quad T \rightsquigarrow v\ \varepsilon\ B / d}{T \rightsquigarrow (u, v)\ \varepsilon\ A \otimes B / c}\ (\text{O-}\otimes)$$
Finally, we observe the unfold message as an unfold message:
$$\frac{\mathrm{msg}(c,\ \mathbf{send}\ c\ \mathbf{unfold};\ c \leftarrow d) \in T \quad T \rightsquigarrow v\ \varepsilon\ [\rho\alpha.A/\alpha]A / d}{T \rightsquigarrow (\mathbf{unfold}, v)\ \varepsilon\ \rho\alpha.A / c}\ (\text{O-}\rho)$$
The following three propositions imply that for any $T$, $T \rightsquigarrow v\ \varepsilon\ A / c$ is a total function from channel names $c$ in $T$ to session-typed communications $v\ \varepsilon\ A$.

Proposition 11.
If $T \rightsquigarrow v\ \varepsilon\ A / c$, then $v\ \varepsilon\ A$.

Proof.
Immediate by rule coinduction.
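Once a trace is fixed, the rules (O-⊥) to (O-ρ) read as a recursive procedure: look up the unique msg(c, m) on c (corollary 4), consult T ⊢ c : A for the direction of a label, and recurse on the continuation channel named in m. The following Python is an added example and not code from the paper. It encodes closed session types, messages and the union of a trace as tuples and dictionaries, implements T ⇝ v ε A / c over that encoding, and applies it to constructed traces for the increment process of Example 4 and for the two processes of section 4 that send on a and b in different orders. The tuple encodings, the continuation channel names o1, o2, a1, b1 and the sample traces are our own assumptions. Since the judgment is coinductive and v may be an infinite tree, the function takes a depth bound and marks any subtree it cuts off.

```python
"""Extract observed communications T ⇝ v ε A / c from a trace.

Added example, not code from the paper. The union of a trace is given
by two maps: channel -> type, for type(c : A), and channel -> message,
for msg(c, m). All encodings below are our own assumptions.
"""

# Session types A: ('1',) | ('tensor', A, B) | ('plus', {l: A_l}) |
#   ('with', {l: A_l}) | ('rho', alpha, A) | ('var', alpha)


def subst_type(A, alpha, T):
    """[T/α]A: the one-step unfolding of a recursive type, as used by (O-ρ)."""
    tag = A[0]
    if tag == 'var':
        return T if A[1] == alpha else A
    if tag == '1':
        return A
    if tag == 'tensor':
        return ('tensor', subst_type(A[1], alpha, T), subst_type(A[2], alpha, T))
    if tag in ('plus', 'with'):
        return (tag, {l: subst_type(Al, alpha, T) for l, Al in A[1].items()})
    if tag == 'rho':   # ρ binds: an inner ρα shadows the α being substituted
        return A if A[1] == alpha else ('rho', A[1], subst_type(A[2], alpha, T))
    raise ValueError(f'not a session type: {A!r}')


# Messages m:   ('close',)          ∗                      -> (O-1)
#               ('label', l, d)     c.l ; c ← d            -> (O-⊕) / (O-&)
#               ('send', a, d)      send c a ; c ← d       -> (O-⊗)
#               ('unfold', d)       send c unfold ; c ← d  -> (O-ρ)


class Trace:
    """Union of a trace's configurations, restricted to what section 4 reads."""

    def __init__(self, types, msgs):
        self.types = dict(types)  # T ⊢ c : A, a function by proposition 9
        self.msgs = dict(msgs)    # msg(c, m) ∈ T, at most one per c by corollary 4


def observe(T, c, fuel=64):
    """Return v with T ⇝ v ε A / c; ('bot', A) is ⊥_A and '*' the close message.

    The judgment is coinductive, so v may be infinite; `fuel` bounds the
    depth explored and a cut-off subtree is returned as ('...', A).
    """
    A = T.types[c]                    # every channel in T has a type (proposition 8)
    if c not in T.msgs:               # (O-⊥): nothing was ever sent on c
        return ('bot', A)
    if fuel == 0:
        return ('...', A)
    m = T.msgs[c]
    if m[0] == 'close':               # (O-1)
        assert A == ('1',), (c, A)
        return '*'
    if m[0] == 'label':               # (O-⊕) / (O-&): the type of c fixes the direction
        _, l, d = m
        assert A[0] in ('plus', 'with') and l in A[1], (c, A, l)
        return (l, observe(T, d, fuel - 1))
    if m[0] == 'send':                # (O-⊗): pair the sent channel with the continuation
        _, a, d = m
        assert A[0] == 'tensor', (c, A)
        return (observe(T, a, fuel - 1), observe(T, d, fuel - 1))
    if m[0] == 'unfold':              # (O-ρ)
        assert A[0] == 'rho', (c, A)
        return ('unfold', observe(T, m[1], fuel - 1))
    raise ValueError(f'unknown message {m!r} on {c}')


ONE = ('1',)
CONAT = ('rho', 'a', ('plus', {'z': ONE, 's': ('var', 'a')}))  # ρα.(z : 1) ⊕ (s : α)
CONAT_BODY = subst_type(CONAT[2], 'a', CONAT)                   # [conat/α]((z : 1) ⊕ (s : α))


def example4_increment():
    """Constructed trace for Example 4's increment process after both sends.

    The input i never communicates, so after forwarding nothing further
    appears on the continuation o2 and (O-⊥) applies there.
    """
    types = {'o': CONAT, 'o1': CONAT_BODY, 'o2': CONAT, 'i': CONAT}
    msgs = {'o': ('unfold', 'o1'), 'o1': ('label', 's', 'o2')}
    return observe(Trace(types, msgs), 'o')   # ('unfold', ('s', ('bot', CONAT)))


def order_independence():
    """Constructed trace shared by the two processes that send a.l and b.r
    in opposite orders: the union contains the same two msg judgments."""
    types = {'a': ('with', {'l': ONE}), 'a1': ONE,
             'b': ('plus', {'r': ONE}), 'b1': ONE}
    msgs = {'a': ('label', 'l', 'a1'), 'b': ('label', 'r', 'b1')}
    T = Trace(types, msgs)
    return observe(T, 'a'), observe(T, 'b')   # (('l', ('bot', ONE)), ('r', ('bot', ONE)))
```

The direction of a label is recovered from the type, exactly as the text says: the same message ('label', 'l', 'a1') is read under a &-type on a and under a ⊕-type on b, and the resulting communications do not record which side sent it.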
Proposition 12.
If $T$ is a process trace, then for all $c$, if $T \vdash c : A$, then $T \rightsquigarrow v\ \varepsilon\ A / c$ for some $v$.

Proof (Sketch). Let $S$ be the set of all triples $(v, A, c)$ for session-typed communications $v\ \varepsilon\ A$ and channel names $c$. Let $\Phi : \wp(S) \to \wp(S)$ be the rule functional defining $T \rightsquigarrow v\ \varepsilon\ A / c$. Then the judgment $T \rightsquigarrow v\ \varepsilon\ A / c$ is given by the greatest fixed point $\mathrm{gfp}(\Phi)$ of $\Phi$ on the complete lattice $\wp(S)$, where $T \rightsquigarrow v\ \varepsilon\ A / c$ if and only if $(v, A, c) \in \mathrm{gfp}(\Phi)$. The functional $\Phi$ is cocontinuous by [23, Theorem 2.9.4], so $\mathrm{gfp}(\Phi) = \bigcap_{n \ge 0} \Phi^n(S)$ by [23, Theorem 2.8.5]. It is sufficient to show that if $T \vdash c : A$, then there exists a $v$ such that $(v, A, c) \in \Phi^n(S)$ for all $n$. This $v$ can be constructed using a coinductive argument and a case analysis on $\mathrm{msg}(c, m) \in T$.

Proposition 13.
If $T$ is a trace from the initial configuration of a process, then for all $c$, if $T \rightsquigarrow v\ \varepsilon\ A / c$ and $T \rightsquigarrow w\ \varepsilon\ B / c$, then $v = w$ and $A = B$.

Proof (Sketch).
Let $R = \{(T \rightsquigarrow v\ \varepsilon\ A / c,\ T \rightsquigarrow w\ \varepsilon\ B / c) \mid \exists v, w, c, A, B.\ T \rightsquigarrow v\ \varepsilon\ A / c \wedge T \rightsquigarrow w\ \varepsilon\ B / c\}$. We claim that $R$ is a bisimulation. Indeed, let $(T \rightsquigarrow v\ \varepsilon\ A / c,\ T \rightsquigarrow w\ \varepsilon\ B / c) \in R$ be arbitrary. By corollary 4, at most one rule is applicable to form a judgment of the form $T \rightsquigarrow u\ \varepsilon\ C / c$ (with $c$ fixed), so $T \rightsquigarrow v\ \varepsilon\ A / c$ and $T \rightsquigarrow w\ \varepsilon\ B / c$ were both formed by the same rule. A case analysis on this rule shows that $R$ satisfies the definition of a bisimulation.

Consider arbitrary $T \rightsquigarrow v\ \varepsilon\ A / c$ and $T \rightsquigarrow w\ \varepsilon\ B / c$. They are related by $R$, so they are bisimilar. By [14, Theorem 2.7.2], bisimilar elements of the terminal coalgebra are equal, so $v = w$ and $A = B$.
Corollary 6 gives the converse of proposition 12:
Corollary 6.
If $T$ is a process trace, then for all $c$, if $T \rightsquigarrow v\ \varepsilon\ A / c$, then $T \vdash c : A$.

Proof.
We show by case analysis on the rules that if $T \rightsquigarrow v\ \varepsilon\ A / c$, then $T \vdash c : B$ for some $B$. The case (O-$\bot$) is obvious, while for each other case, if $T \rightsquigarrow v\ \varepsilon\ A / c$, then $\mathrm{msg}(c, m) \in T$ for some $m$. For each of these cases, proposition 8 implies $\mathrm{type}(c : B) \in T$ for some $B$, i.e., $T \vdash c : B$.

Assume $T \rightsquigarrow v\ \varepsilon\ A / c$. By the claim, $T \vdash c : B$ for some $B$. By proposition 12, there exists a $w$ such that $T \rightsquigarrow w\ \varepsilon\ B / c$. By proposition 13, $A = B$, so $T \vdash c : A$.

Theorem 1.
Let $T$ be a fair execution of $\cdot\,;\ c_1 : A_1, \ldots, c_n : A_n \vdash P :: c_0 : A_0$. For all $0 \le i \le n$, there exist unique $v_i$ such that $v_i\ \varepsilon\ A_i$ and $T \rightsquigarrow v_i\ \varepsilon\ A_i / c_i$.

Proof. By definition of fair execution, we have $\mathrm{type}(c_i : A_i) \in T$ for all $0 \le i \le n$, i.e., $T \vdash c_i : A_i$ for all $0 \le i \le n$. By proposition 12, for all $0 \le i \le n$, there exists a $v_i$ such that $T \rightsquigarrow v_i\ \varepsilon\ A_i / c_i$, and $v_i\ \varepsilon\ A_i$ by proposition 11. Each $v_i$ is unique by proposition 13.

The following theorem captures the confluence property typically enjoyed by SILL-style languages:

Theorem 2.
Let $T$ and $T'$ be fair executions of $\cdot\,;\ c_1 : A_1, \ldots, c_n : A_n \vdash P :: c_0 : A_0$. For all $0 \le i \le n$, if $T \rightsquigarrow v_i\ \varepsilon\ A_i / c_i$ and $T' \rightsquigarrow w_i\ \varepsilon\ A_i / c_i$, then $v_i = w_i$.

Proof. Assume $T \rightsquigarrow v_i\ \varepsilon\ A_i / c_i$ and $T' \rightsquigarrow w_i\ \varepsilon\ A_i / c_i$. By corollary 5, traces $T$ and $T'$ are union-equivalent, i.e., $T = T'$ as sets of judgments. It immediately follows that $T' \rightsquigarrow w_i\ \varepsilon\ A_i / c_i$ if and only if $T \rightsquigarrow w_i\ \varepsilon\ A_i / c_i$. So $v_i = w_i$ by proposition 13.

We use theorems 1 and 2 to define the operational observation $\llbracket \cdot\,;\ c_1 : A_1, \ldots, c_n : A_n \vdash P :: c_0 : A_0 \rrbracket$ of $\cdot\,;\ c_1 : A_1, \ldots, c_n : A_n \vdash P :: c_0 : A_0$. It is the tuple of observed communications
$$\llbracket \cdot\,;\ c_1 : A_1, \ldots, c_n : A_n \vdash P :: c_0 : A_0 \rrbracket = (c_0 : v_0, \ldots, c_n : v_n)$$
where $T \rightsquigarrow v_i\ \varepsilon\ A_i / c_i$ for $0 \le i \le n$ for some fair execution $T$ of $\cdot\,;\ c_1 : A_1, \ldots, c_n : A_n \vdash P :: c_0 : A_0$. Such a $T$ exists by corollary 5, and the observation does not depend on the choice of $T$ by theorem 2. The $v_i$ such that $T \rightsquigarrow v_i\ \varepsilon\ A_i / c_i$ exist by proposition 12, and they are unique by proposition 13.

Uniqueness of operational observations and theorem 2 crucially depend on fairness. Indeed, without fairness a process can have infinitely many observations. To see this, let $\Omega$ and $B$ respectively be given by
$$\cdot\,;\ \cdot \vdash \mathbf{fix}\ \omega.\ \omega :: a : \mathbf{1}
\qquad
\cdot\,;\ a : \mathbf{1} \vdash \mathbf{fix}\ p.\ \mathbf{send}\ b\ \mathbf{unfold};\ b.l;\ p :: b : \rho\beta.\oplus\{l : \beta\}$$
Rule (3) is the first step of any execution of their composition $\cdot\,;\ \cdot \vdash a : \mathbf{1} \leftarrow \Omega;\ B :: b : \rho\beta.\oplus\{l : \beta\}$. It spawns $\Omega$ and $B$ as separate processes. Without fairness, an execution could then consist exclusively of applications of rule (14) to $\Omega$. This would give the observation $(b : \bot_{\rho\beta.\oplus\{l : \beta\}})$. Alternatively, $B$ could take finitely many steps, leading to observations where $b$ is a tree of correspondingly finite height.
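The starvation argument above can be run. The following Python is an added example, not code from the paper: it executes the configuration {proc(a, Ω), proc(b, B)} reached right after rule (3) under two schedulers, one that always picks Ω and one that alternates between the two processes, using the only rules these processes can ever fire, (14), (12) and (8). The tuple encoding of processes, the fresh-channel naming scheme (d1, d2, …) and the two schedulers are our own assumptions, and type(c : A) judgments are elided as in Example 4. Under the unfair scheduler no msg judgment ever appears on b, so b's observation is ⊥; under round-robin the chain of messages from b grows without bound, and the rules fired by B cycle through (14), (12), (8) as in Example 4.

```python
"""Fair versus unfair executions of the Ω ∥ B example.

Added example, not the paper's code. Starting from {proc(a, Ω), proc(b, B)},
the configuration right after rule (3), it fires the only rules these two
processes can take: (14) unfolding fix, (12) sending unfold, (8) sending a
label. Type judgments are elided. Encodings and schedulers are our own.
"""
import itertools

# Processes P: ('fix', p, P) | ('pvar', p) | ('unfold', a, P) | ('label', a, k, P)
# for          fix p. P      |  p          |  send a unfold ; P |  a.k ; P


def subst_proc(P, p, Q):
    """[Q/p]P, the unfolding performed by rule (14)."""
    tag = P[0]
    if tag == 'pvar':
        return Q if P[1] == p else P
    if tag == 'fix':
        return P if P[1] == p else ('fix', P[1], subst_proc(P[2], p, Q))
    if tag == 'unfold':
        return ('unfold', P[1], subst_proc(P[2], p, Q))
    return ('label', P[1], P[2], subst_proc(P[3], p, Q))


def rename(P, a, d):
    """[d/a]P: after a send on a, the continuation provides the fresh channel d."""
    tag = P[0]
    if tag == 'pvar':
        return P
    if tag == 'fix':
        return ('fix', P[1], rename(P[2], a, d))
    if tag == 'unfold':
        return ('unfold', d if P[1] == a else P[1], rename(P[2], a, d))
    return ('label', d if P[1] == a else P[1], P[2], rename(P[3], a, d))


class Config:
    """A configuration: proc(c, P) judgments (as a list) plus msg(c, m) judgments."""

    def __init__(self, procs):
        self.procs = [list(pr) for pr in procs]  # [c, P] for each proc(c, P)
        self.msgs = {}                             # c -> (m, d) for msg(c, m ; c ← d)
        self.rules = []                            # numbers of the rules fired, in order
        self._fresh = itertools.count(1)           # supplies the ∃d of rules (8) and (12)

    def step(self, i):
        """Fire the single rule enabled for the i-th process."""
        c, P = self.procs[i]
        if P[0] == 'fix':                                   # (14)
            self.procs[i][1] = subst_proc(P[2], P[1], P)
            self.rules.append(14)
        elif P[0] == 'unfold' and P[1] == c:                # (12)
            d = f'd{next(self._fresh)}'
            self.msgs[c] = ('unfold', d)
            self.procs[i] = [d, rename(P[2], c, d)]
            self.rules.append(12)
        elif P[0] == 'label' and P[1] == c:                 # (8)
            d = f'd{next(self._fresh)}'
            self.msgs[c] = (P[2], d)
            self.procs[i] = [d, rename(P[3], c, d)]
            self.rules.append(8)
        else:
            raise ValueError(f'no rule applies to proc({c}, {P!r})')


OMEGA = ('fix', 'w', ('pvar', 'w'))                                     # fix ω. ω
B = ('fix', 'p', ('unfold', 'b', ('label', 'b', 'l', ('pvar', 'p'))))  # fix p. send b unfold; b.l; p


def unfair(n, k):
    """Always pick process 0 (Ω): B stays enabled forever but never fires."""
    return 0


def round_robin(n, k):
    """Alternate between the processes, so each fires infinitely often."""
    return n % k


def run(schedule, steps):
    """Apply `steps` rewrites to {proc(a, Ω), proc(b, B)} under `schedule`."""
    cfg = Config([('a', OMEGA), ('b', B)])
    for n in range(steps):
        cfg.step(schedule(n, len(cfg.procs)))
    return cfg


def chain_from(cfg, c):
    """Messages reachable from c via continuation channels: b's observed tree, read top-down."""
    out = []
    while c in cfg.msgs:
        m, c = cfg.msgs[c]
        out.append(m)
    return out
```

Round-robin is only one fair scheduler; any schedule on which every enabled rule instantiation eventually fires gives the same set of msg judgments on the chain from b, which is the union-equivalence that theorem 2 relies on.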
Fairness ensures that $B$ and $\Omega$ both take infinitely many steps, leading to the unique observation $(b : (\mathbf{unfold}, (l, (\mathbf{unfold}, \ldots))))$.

Operational observation does not take into account the order in which a process sends on channels. For example, the following processes have the same operational observation $(a : (l, \bot_{\mathbf{1}}),\ b : (r, \bot_{\mathbf{1}}))$, even though they send on $a$ and on $b$ in different orders:
$$\cdot\,;\ a : \&\{l : \mathbf{1}\} \vdash a.l;\ b.r;\ a \to b :: b : \oplus\{r : \mathbf{1}\}
\qquad
\cdot\,;\ a : \&\{l : \mathbf{1}\} \vdash b.r;\ a.l;\ a \to b :: b : \oplus\{r : \mathbf{1}\}.$$
The (CUT) rule organizes processes in a tree-like structure. This means that two processes communicating with a process $R$ cannot at the same time also directly communicate with each other to compare the order in which $R$ sent them messages. In other words, the ordering cannot be distinguished by other processes.

Our notion of operational observation scales to support language extensions. Indeed, for each new session type one first defines its corresponding session-typed communications. Then, one specifies how to observe message judgments $\mathrm{msg}(c, m)$ in a trace as communications.
Informally, it seems desirable to ensure that if two message judgments $\mathrm{msg}(c, m)$ can be distinguished by a receiving process, then they are observed as different session-typed communications.

A typed context $\cdot\,;\Delta \vdash C[\cdot]^{\Delta'}_{a : A} :: b : B$ is a context derived using the process typing rules of section 3.1, plus exactly one instance of the axiom
$$\frac{}{\cdot\,;\Delta' \vdash [\cdot]^{\Delta'}_{a : A} :: a : A}\ (\mathrm{HOLE})$$
Given a context $\cdot\,;\Delta \vdash C[\cdot]^{\Delta'}_{a : A} :: b : B$ and a process $\cdot\,;\Delta' \vdash P :: a : A$, we let $\cdot\,;\Delta \vdash C[P] :: b : B$ be the result of "plugging" $P$ into the hole, that is, of replacing the axiom (HOLE) by the derivation of $\cdot\,;\Delta' \vdash P :: a : A$ in the derivation of $\cdot\,;\Delta \vdash C[\cdot]^{\Delta'}_{a : A} :: b : B$.

We say that processes $\cdot\,;\Delta \vdash P :: c : C$ and $\cdot\,;\Delta \vdash Q :: c : C$ are observationally congruent, $P \approx Q$, if $\llbracket \cdot\,;\Delta' \vdash C[P] :: b : B \rrbracket = \llbracket \cdot\,;\Delta' \vdash C[Q] :: b : B \rrbracket$ for all typed contexts $\cdot\,;\Delta' \vdash C[\cdot]^{\Delta}_{c : C} :: b : B$. Intuitively, this means that no context $C$ can differentiate processes $P$ and $Q$.

To illustrate observational congruence, we show that process composition is associative:

Proposition 14.
We have $c_1 : C_1 \leftarrow P_1;\ (c_2 : C_2 \leftarrow P_2;\ P_3) \approx c_2 : C_2 \leftarrow (c_1 : C_1 \leftarrow P_1;\ P_2);\ P_3$ for all $\cdot\,;\Delta_1 \vdash P_1 :: c_1 : C_1$, all $\cdot\,;\ c_1 : C_1, \Delta_2 \vdash P_2 :: c_2 : C_2$, and all $\cdot\,;\ c_2 : C_2, \Delta_3 \vdash P_3 :: c_3 : C_3$.

Proof (Sketch). Let $L = c_1 : C_1 \leftarrow P_1;\ (c_2 : C_2 \leftarrow P_2;\ P_3)$ and $R = c_2 : C_2 \leftarrow (c_1 : C_1 \leftarrow P_1;\ P_2);\ P_3$. Consider some arbitrary observation context $C[\cdot]$ and a fair execution $T$ of $C[L]$. It is sufficient to show that $T$ agrees on message judgments with a fair execution of $C[R]$. Union-equivalence of process traces is invariant under permutation, so we can assume without loss of generality that whenever $\mathrm{proc}(c, L)$ appears in some $M_n$ of $T$, then the next two steps are applications of (3) to decompose $L$:
$$\begin{aligned}
&\mathrm{proc}(c, L)\\
\longrightarrow\ &\mathrm{proc}(c_1', [c_1'/c_1]P_1),\ \mathrm{proc}(c, [c_1'/c_1](c_2 : C_2 \leftarrow P_2;\ P_3))\\
\longrightarrow\ &\mathrm{proc}(c_1', [c_1'/c_1]P_1),\ \mathrm{proc}(c_2', [c_1', c_2'/c_1, c_2]P_2),\ \mathrm{proc}(c, [c_2'/c_2]P_3)
\end{aligned}$$
(For conciseness, we elide the $\mathrm{type}(c : A)$ judgments.) There exists a fair execution $T'$ of $C[R]$ that agrees with $T$ on all steps, except for those involving $R$, where we make the same assumption:
$$\begin{aligned}
&\mathrm{proc}(c, R)\\
\longrightarrow\ &\mathrm{proc}(c_2', [c_2'/c_2](c_1 : C_1 \leftarrow P_1;\ P_2)),\ \mathrm{proc}(c, [c_2'/c_2]P_3)\\
\longrightarrow\ &\mathrm{proc}(c_1', [c_1'/c_1]P_1),\ \mathrm{proc}(c_2', [c_1', c_2'/c_1, c_2]P_2),\ \mathrm{proc}(c, [c_2'/c_2]P_3)
\end{aligned}$$
So traces $T$ and $T'$ agree on all message judgments, whence $\llbracket C[L] \rrbracket = \llbracket C[R] \rrbracket$.

Multiset rewriting systems with existential quantification were first introduced by Cervesato et al. [8]. They were used to study security protocols and were identified as the first-order Horn fragment of linear logic. Since then, MRSs have been used to model other security protocols and strand spaces [7, 9]. Cervesato and Scedrov [10] studied the relationship between MRSs and linear logic. These works do not explore fairness.

Weak and strong fairness were first introduced by Apt and Olderog [1] and Park [18] in the context of do-od languages, and were subsequently adapted to process calculi, e.g., by Costa and Stirling [11] for Milner's CCS. Our novel notion of fairness for multiset rewriting systems in section 2 implies strong process fairness (so also weak process fairness) for the session-typed processes of section 3. We conjecture that this notion of fairness is stronger than required for many applications. In future work, we intend to explore other formulations of fairness for MRSs and their impact on applications.

Substructural operational semantics [24] based on multiset rewriting are widely used to specify the operational behaviour of session-typed languages arising from proofs-as-processes interpretations of linear logic and adjoint logic. Examples include functional languages with session-typed concurrency [25], languages with run-time monitoring [13], message-passing interpretations of adjoint logic [22], and session-typed languages with sharing [3]. The fragment of section 3.1 illustrates some of the key ideas of this approach, and extends to these richer settings.

Some of these languages are already equipped with observational equivalences. For example, Pérez et al. [19] introduced typed context bisimilarity, a labelled bisimilarity for session-typed processes. It does not support recursive processes or recursive session types. Toninho [27] explored barbed congruence for session-typed processes and showed that it coincides with logical equivalence. Kokke, Montesi, and Peressotti [16] showed that the usual notions of bisimilarity and barbed congruence carry over from the π-calculus.
They also gave a denotational semantics using Brzozowski derivatives to "hypersequent classical processes" that built on Atkey's denotational semantics for CP, and showed that all three notions of equivalence agree on well-typed programs. In future work, we intend to show that our observational congruence agrees with barbed congruence. Gommerstadt, Jia, and Pfenning [13] define a bisimulation-style observational equivalence on multisets in process traces. It deems two configurations equivalent if, whenever both configurations send an externally visible message, the messages are equivalent. It is easy to adapt this bisimulation to also require that one configuration sends an externally visible message if and only if the other does. We conjecture that this modified observational equivalence coincides with the one defined in section 4.

Session-typed languages enjoy other notions of process equivalence. Several session-typed languages are equipped with denotational semantics, and denotational semantics induce a compositional notion of program equivalence. For example, Castellan and Yoshida [6] gave a game semantics to a session-typed π-calculus with recursion, where session types denote event structures that encode games, and processes denote maps that encode strategies. Kavanagh [15] gave a domain-theoretic semantics to a full-featured functional language with session-typed message-passing concurrency, where session types denote domains of communications and processes are continuous functions between these.

Atkey's observed communication semantics [2] for Wadler's CP [28] was motivated by two problems. Because CP uses a synchronous communication semantics, processes need partners to communicate with and get stuck if they try to communicate on a free channel.
On the one hand, if processes have partners, then their communications are hidden by the (CUT) rule and cannot be observed, while on the other hand, if we leave the channels free, then we need to introduce reduction rules ("commuting conversions") for stuck processes, and these rules do not correspond to operationally justified communication steps. Atkey's elegant solution to this tension was to give communication partners to processes with free channels via closing "configurations", and then to observe communications on these channels. Our task in section 4 is made easier by the fact that we use an asynchronous communication semantics. In our setting, a process can send messages on free channels, and we can observe these without having to provide it with communication partners via configurations. Atkey's observational equivalence and ours suffer from the

We studied fair executions of multiset rewriting systems, and gave various conditions for an MRS to have fair executions. We used these results to define an observed communication semantics for session-typed languages that are defined by substructural operational semantics: the observation of a process is its communications on its free channels. Processes are then observationally equivalent if they cannot be distinguished through communication. We believe this work lays the foundation for future work on the semantics of session-typed processes, and in particular, we hope that it will be useful for exploring other notions of process equivalence.

The author thanks Stephen Brookes, Iliano Cervesato, Frank Pfenning, and the anonymous reviewers for their helpful comments.
References

[1] Krzysztof R. Apt & Ernst-Rüdiger Olderog (1982): Proof Rules Dealing With Fairness. Extended Abstract. In Dexter Kozen, editor: Logics of Programs, Logics of Programs Workshop, Lecture Notes in Computer Science.
[2] Robert Atkey (2017): Observed Communication Semantics for Classical Processes. In Hongseok Yang, editor: Programming Languages and Systems, 26th European Symposium on Programming (ESOP 2017), Lecture Notes in Computer Science.
[3] Stephanie Balzer & Frank Pfenning (2017): Manifest Sharing With Session Types. Proceedings of the ACM on Programming Languages.
[4] Luís Caires & Frank Pfenning (2010): Session Types as Intuitionistic Linear Propositions. In Paul Gastin & François Laroussinie, editors: CONCUR 2010 — Concurrency Theory, 21st International Conference, CONCUR 2010, Lecture Notes in Computer Science.
[5] Luís Caires, Frank Pfenning & Bernardo Toninho (2016): Linear Logic Propositions As Session Types. Mathematical Structures in Computer Science, Behavioural Types Part 2.
[6] Simon Castellan & Nobuko Yoshida (2019): Two Sides of the Same Coin: Session Types and Game Semantics: A Synchronous Side and an Asynchronous Side. Proceedings of the ACM on Programming Languages.
[7] I. Cervesato, N. Durgin, M. Kanovich & A. Scedrov (2000): Interpreting Strands in Linear Logic.
[8] I. Cervesato, N. A. Durgin, P. D. Lincoln, J. C. Mitchell & A. Scedrov (1999): A Meta-Notation for Protocol Analysis. In Proceedings of the 12th IEEE Computer Security Foundations Workshop (CSFW'99), IEEE Computer Society, Los Alamitos, California, pages 55–69.
[9] Iliano Cervesato, Nancy A. Durgin, Patrick D. Lincoln, John C. Mitchell & Andre Scedrov (2005): A Comparison Between Strand Spaces and Multiset Rewriting for Security Protocol Analysis. Journal of Computer Security.
[10] Iliano Cervesato & Andre Scedrov (2009): Relating State-Based and Process-Based Concurrency Through Linear Logic (Full Version). Information and Computation.
[11] Gerardo Costa & Colin Stirling (1987): Weak and Strong Fairness in CCS. Information and Computation.
[12] Nissim Francez (1986): Fairness, xiii+295 pages. Texts and Monographs in Computer Science, Springer-Verlag New York Inc.
[13] Hannah Gommerstadt, Limin Jia & Frank Pfenning (2018): Session-Typed Concurrent Contracts. In Amal Ahmed, editor: Programming Languages and Systems, 27th European Symposium on Programming (ESOP 2018), Lecture Notes in Computer Science.
[14] Bart Jacobs & Jan Rutten (2012): An Introduction to (Co)algebra and (Co)induction. In Davide Sangiorgi & Jan Rutten, editors: Advanced Topics in Bisimulation and Coinduction, pages 38–99. Cambridge Tracts in Theoretical Computer Science 52, Cambridge University Press, Cambridge, United Kingdom.
[15] Ryan Kavanagh (2020): A Domain Semantics for Higher-Order Recursive Processes. arXiv preprint.
[16] Wen Kokke, Fabrizio Montesi & Marco Peressotti (2019): Better Late Than Never: A Fully-Abstract Semantics for Classical Processes. Proceedings of the ACM on Programming Languages.
[17] Robin Milner (1980): A Calculus of Communicating Systems, vi+171 pages. Lecture Notes in Computer Science 92, Springer-Verlag Berlin Heidelberg.
[18] David Park (1982): A Predicate Transformer for Weak Fair Iteration. RIMS Kôkyûroku, ISSN 1880-2818. Also appears in [21].
[19] Jorge A. Pérez, Luís Caires, Frank Pfenning & Bernardo Toninho (2014): Linear Logical Relations and Observational Equivalences for Session-Based Concurrency. Information and Computation.
[20] Frank Pfenning & Dennis Griffith (2015): Polarized Substructural Session Types. In Andrew Pitts, editor: Foundations of Software Science and Computation Structures, 18th International Conference, FOSSACS 2015, Lecture Notes in Computer Science.
[21] Proceedings of the Sixth IBM Symposium on Mathematical Foundations of Computer Science: Logic Aspects of Programs, 6th IBM Symposium on Mathematical Foundations of Computer Science, Corporate & Scientific Programs, IBM Japan, Tokyo, Japan.
[22] Klaas Pruiksma & Frank Pfenning (2019): A Message-Passing Interpretation of Adjoint Logic. In Francisco Martins & Dominic Orchard, editors: Proceedings: Programming Language Approaches to Concurrency- and Communication-cEntric Software (PLACES), Electronic Proceedings in Theoretical Computer Science.
[23] Davide Sangiorgi (2012): Introduction to Bisimulation and Coinduction, xii+247 pages. Cambridge University Press, Cambridge, United Kingdom.
[24] Robert J. Simmons (2012): Substructural Logical Specifications. PhD thesis, xvi+300 pages. Computer Science Department, Carnegie Mellon University, Pittsburgh, Pennsylvania.
[25] Bernardo Toninho, Luís Caires & Frank Pfenning (2013): Higher-Order Processes, Functions, and Sessions: A Monadic Integration. In Matthias Felleisen & Philippa Gardner, editors: Programming Languages and Systems, 22nd European Symposium on Programming, ESOP 2013, Lecture Notes in Computer Science.
[26] Bernardo Toninho, Luís Caires & Frank Pfenning (2011): Dependent Session Types Via Intuitionistic Linear Type Theory. In PPDP'11, 13th International ACM SIGPLAN Symposium on Principles and Practices of Declarative Programming (PPDP'11), Association for Computing Machinery, Inc., New York, New York, pages 161–172.
[27] Bernardo Parente Coutinho Fernandes Toninho (2015): A Logical Foundation for Session-based Concurrent Computation. PhD thesis, xviii+178 pages. Universidade Nova de Lisboa.
[28] Philip Wadler (2014): Propositions As Sessions. Journal of Functional Programming, doi:10.1017/s095679681400001x.