Tải bản đầy đủ - 0 (trang)

1 Names, Terms and Assertions

98

H. Hăuttel

can be affected by names being bound or swapped. If x is an element of a nominal set

and a ∈ N , we write a x, to denote that a is fresh for x; the notion extends to sets of

names in the expected way.

Psi-calculus processes can contain terms M, N, . . .; these must form a nominal data

type [2] T [11] which is a nominal set with internal structure. If Σ is a signature, a

nominal data type is then a Σ -algebra, whose carrier set is a nominal set. In the nominal

data types of ψ -calculi we use simultaneous term substitution X[z := Y ] which is to be

read as stating that the terms in Y replace the names in z in X in a capture-avoiding

fashion.

Processes can also contain assertions Ψ , that must form a nominal datatype A.

We require a partial composition operator on A, a symmetric and transitive binary

relation on A and a special unit assertion 1 such that

Ψ1 Ψ2

Ψ 1

Ψ2

Ψ

Ψ1

Ψ1

(Ψ2 Ψ3 ) (Ψ1 Ψ2 ) Ψ3

Ψ Ψ ⇒ Ψ Ψ1 Ψ Ψ1

An assertion Ψ is unlimited if Ψ Ψ Ψ . We have a partial order on assertions induced

by Ψ ≤ Ψ Ψ , and we write Ψ < Ψ iff Ψ ≤ Ψ and Ψ Ψ .

2.2

Processes

Unlike the π -calculus, channels can be arbitrary terms in a psi-calculus. We therefore

˙ N denotes that terms M and N

assume a notion of channel equivalence; Ψ |= M ↔

represent the same channel, given the assertion Ψ . That channel equivalence can in the

general case depend on the global knowledge, represented by Ψ , is due to the fact that

psi-calculus instances may use assertions that involve identities on names.

We extend psi-calculi with the selection and branching primitives of Honda et

al. [18], as these are standard in session calculi. Branching now becomes M {l1 :

P1 , . . . , lk : Pk } and selection is written as M l.P1 , where l ranges over a set of selector

label names. As in [18], these label names cannot be bound by input or restriction.

We introduce session channels by means of dual endpoints as in Giunti and Vasconcelos [14]. The construct (ν c)P can be used to set up a new session channel with

the session constructor c that can be used to build channels from terms. The notion of

session constructor is explained in Sect. 4.1.

All in all, this gives us the untyped formation rules

˜

| MN.P | P1 | P2 | (ν c)P | ! P | (|Ψ |) | case ϕ1 : P1 , . . . , ϕk : Pk

P :: = M(λ x)X.P

| M l.P1 | M {l1 : P1 , . . . , lk : Pk }

Restriction and input are the binding constructs; we use bn(P) and n(P) to denote the

sets of bound names in P and names in P, respectively.

˜

contains the pattern X; this is to be thought of as a

The input process M(λ x)X.P

term with free pattern variables x. We allow patterns to be arbitrary and simply require

that they form a nominal datatype. The input process can receive a term M if and only

if M matches the pattern X. The bound names of this process are x ∪ bn(P).

The output process MN.P sends out the term N on the channel M and continues as

P. The selector construct case ϕ1 : P1 , . . . , ϕk : Pk describes a conditional process that

Binary Session Types for Psi-Calculi

99

continues as Pi if condition ϕi is true. Any assertion Ψ can be embedded as the process

(|Ψ |), and in this way it is possible to express the notion of inaction (a ‘nil’ process).

The remaining process constructs are those of the π -calculus.

Moreover, processes can contain conditions ϕ that are used in the case-construct;

these are also assumed to form a nominal datatype.

3 An Annotated Semantics

α

Our labelled transition semantics has transitions are of the form Ψ P −

→ P . This is

to be read as stating that, given the global knowledge represented by the assertion Ψ ,

process P can evolve to process P by performing the action α .

In the semantics, we need to give an account of pattern matching for input processes.

Like [5] we assume the existence of a match relation that describes the conditions

on pattern variables needed for a term N to match a pattern X. This match relation is particular to the actual psi-calculus instance under consideration. In any case,

L ∈ MATCH(N, y, X) if the term N can match the pattern X with pattern variables y in

such a way that these variables are instantiated with the corresponding subterms of L.

Moreover, the semantics must describe when and how conditions in a case-construct

hold. We therefore assume the existence of an entailment relation Ψ |= ϕ that describes

when a condition ϕ is true, given an assertion Ψ . This relation is also particular to the

actual psi-calculus instance under consideration.

Finally, assertions are important in the semantics. We sometimes need to extract the

assertion information of a process P; we call this its frame F (P) = ΨP , where ΨP is the

composition of assertions in P. We let

F (P | Q) = F (P)

F ((|Ψ |)) = Ψ

F (Q)

F ((ν b)P) = (ν b)F (P)

F (P) = 1

otherwise

The semantics is specially tailored for stating and proving the safety properties of

our type system. The structure of actions is given by the formation rules

α :: = M

l|M

l | M(ν a)N | KN | (ν a)τ @(ν b)(M N K) | (ν a)τ @(M

l

N)

The labels for observable actions are as in [2]: M(ν a)N denotes an output on channel

M of N that extrudes the names in a, and KN denotes an input on channel K of term N.

The transition rules for observable transitions are given in Table 1.

On the other hand, τ -actions now record usage of bound names. This is a major

difference from the presentation in [2] and is introduced, since we have to describe how

the session type of a bound name that is used as a session constructor will evolve as the

result of a τ -action. The rules for τ -transitions are shown in Table 2.

In the label (ν a)τ @(ν b)(M N K) we record the set of private names a that are used

in the channel subject pair (M, K) communication as well as the set of private names b

that are extruded from the output process. This is expressed by the side condition of the

rules (C OM ) and (R ES -C OM ).

In the label (ν a)τ @(M l N) we record the set of private names a that are used

to build the selector pair (M, N). This is captured by the side conditions of the rules

(C HOOSE ) and (R ES -C HOOSE ). If any of the sets in a label is empty, we omit it.

100

H. Hăuttel

Table 1. Labelled transition rules for observable transitions. The symmetric versions of C OM,

C HOOSE and PAR are omitted. In PAR we assume F (Q) = (ν bQ )ΨQ where bQ Ψ , P and α .

4 Types in the Generic Type System

In this and the following section we present our generic type system; our account of session types does not rely on a particular type language and is inspired by the transitionbased approach of [6].

4.1

Session Types and Endpoint Types

We let T range over the set of types and distinguish between base types B, session types

S and endpoint types TE . An endpoint type TE describes the behaviour at one end of a

channel. A session type S describes the behaviour at both ends of a channel and is a pair

(T1 , T2 ) of endpoint types.

In psi-calculi channels can be arbitrary terms; in our setting we use special names

called session constructors; this is a term constructor that can be applied to an appropriate number of terms. The result of this is a term that can be used as session channel. A

term M can contain more than one session constructor; if the principal session constructor of the term is c, M will have a type of the form T @c. The type rules for terms depend

on the specific psi-calculus instance, and these rules must describe what is meant by the

principal session constructor and how the type of a composite term to be used as a

session channel is determined.

Binary Session Types for Psi-Calculi

101

Table 2. Labelled transition rules for τ -transitions. Symmetric versions of C OM and C HOOSE are

omitted. In C OM and C HOOSE we assume that F (P) = (ν bP )ΨP and F (Q) = (ν bQ )ΨQ where

bP Ψ , bQ , Q, M and P, and bQ Ψ , bP , P, K and Q.

Types may contain free names. A type with free names x is denoted T (x), while a

type with names instantiated by the terms M is denoted T [M].

We assume an additive structure on types [17].

.

Definition 1 (Type structure [17]). A type structure is a triple (T, +, =) where T is a

.

set of types, + is a partial binary operation on T and = is a partial equivalence relation

.

.

on T such that T1 +T2 = T2 +T1 and (T1 +T2 )+T3 = T1 +(T2 +T3 ) for all T1 , T2 , T3 ∈ T.

We say that an endpoint type TE is unlimited if TE = TE + TE and assume the existence of a type end; this is the type of a completed session. Following [14], we also

assume that the additive structure on types satisfies the axioms

.

(1)

(T1 , T2 ) = (T1 , T2 ) + (end, end) if T1 , T2 are not unlimited

.

(T1 , T2 ) = T1 + T2

(2)

In all other cases, summation of session types is undefined.

The summation axiom (2) ensures that a session type can be split into its two endpoints, as will be clear from the type rule for parallel composition. Note that, because of

the axiom (2) and the commutativity requirement for structures, we identify the session

types (T1 , T2 ) and (T2 , T1 ).

Definition 2. Let T1 and T2 be types. We write T1 ≤ T2 if either T1 = T2 or for some T

we have T1 + T = T2 . We write T1 ≤min T2 if T1 is a least type T such that T T2 .

102

H. Hăuttel

Note that the least type defined above need not be unique.

Transitions for Types. We assume a deterministic labelled transition relation defined on

λ

→ T where

the set of endpoint types. Transitions are of the form TE −

λ :: = !T1 | ?T1 | l | l

?T

1

If a channel has endpoint type TE with a transition TE −−→

TE , then following an input

of a term of type T1 , the channel will now have endpoint type TE . For a given type

language, we must give transition rules that describe how these transitions arise. The

type end has no transitions.

We assume a duality condition for labels in labelled type transitions; we define

!T1 = ?T2 and l = l and vice versa, and we require that λ = λ .

We assume an involution T on endpoint types. For base types (ranged over by B),

λ

λ

→ TE ⇐⇒ TE −

→ TE . Since

duality is not defined. For transitions we require that TE −

an unlimited type T satisfies that T = T + T , any type of this kind is only allowed to

have labelled transitions leading back to itself. That is, if T is unlimited, then whenever

λ

T−

→ T for some λ we require T = T . A session type is balanced if the types of its

endpoint are dual to each other.

Definition 3. A session type S is balanced if S = (TE , TE ) for some TE .

4.2

Type Environments

A type environment Γ is a finite function from names to types, often written as x : T .

We denote the empty type environment by 0.

/ Addition is defined by

Definition 4. Let Γ1 and Γ2 be type environments. The sum of Γ1 and Γ2 is defined as

the type environment Γ1 + Γ2 that is given by

⎧

⎪

x ∈ dom(Γ1 )\ dom(Γ2 )

⎨Γ1 (x)

(Γ1 + Γ2 )(x) = Γ2 (x)

x ∈ dom(Γ2 )\ dom(Γ1 )

⎪

⎩

Γ1 (x) + Γ2 (x) otherwise, i f this sum is de f ined

We write Γ1 ≤ Γ2 if there exists a Γ such that Γ1 + Γ = Γ2 .

/ dom(Γ ) and Γ + c : T if Γ = Γ + c : U

We write Γ ± c : T to denote Γ + c : T if c ∈

for some type U; this operation is used to denote how the type information for a session

constructor c is updated when a session channel built using the session constructor c

evolves. If c is already present in Γ , the session behaviour is updated. Otherwise, the

behaviour is added to Γ .

A type environment Γ is balanced if for every x ∈ dom(Γ ) we have that whenever

Γ (x) = S, then S is balanced. Similarly, Γ is unlimited if for every x ∈ dom(Γ ) we have

that Γ (x) is an unlimited type.

Binary Session Types for Psi-Calculi

103

4.3 A Typed Syntax and Its Semantics

From now on we will use a typed syntax for ψ -calculi, where restrictions are of the form

(ν x : T )P and state that x has type T in P. If P is a process in the untyped syntax with all

bound names distinct and Γ is a type environment where dom(Γ ) = bn(P), then PΓ is

the corresponding typed process which has been annotated according to the bindings in

Γ . If P1 and P2 are typed processes, we write P1 P2 if P1 and P2 differ only in their type

annotations for bound names, i.e. for some P and Γ1 , Γ2 where dom(ΓP1 ) = dom(ΓP2 ) we

have P1 = PΓ1 and P2 = PΓ2 .

We extend the semantics to the typed case as follows. For a typed process P we

α

write Ψ P −

→ P if there exists a type environment Γ such that P = PΓ where P is

α

an untyped process and Ψ P −

→ P where P = P Γ for some Γ . When no confusion

arises, we say that a typed transition follows from a given transition rule in the untyped

semantics if the corresponding untyped transition was concluded using this rule.

α

Note that in this typed interpretation we can have that Ψ P −

→ P for more than

one P for any given α , since there can be several different type annotations of the

result of a transition in the untyped semantics. All our results on type preservation are

therefore stated up to and must be read as saying that there exists a type annotation

P if there exists a P1 where

such that the conclusion holds. We therefore write Γ , Ψ

P1 P such that Γ , Ψ P1 .

5 Type Judgements in the Generic Type System

Since the type system is generic, some parts of the type system depend on the specific

psi-calculus instance under consideration. The type rules for processes are common to

all instances, since the syntax for processes is always the same. On the other hand, the

structure and interpretation of terms, patterns, assertions, and conditions is specific to

each psi-calculus instance and must be defined separately. In the following sections we

describe the requirements that any such instance of the type system must follow.

The type judgements in any instance of the system are of the form Γ , Ψ J where

J is built using the formation rules

J :: =M : T | X : T → U | Ψ | ϕ | P

Type judgments must satisfy the standard well-formedness requirement: whenever free

names occur, their types must be declared in the type environment. More specifically,

we require that judgements Γ , Ψ J must always be well-formed, i.e. that fn(J ) ⊆

dom(Γ ), and that the environment-assertion pair Γ , Ψ must be similarly well-formed,

i.e. that fn(Ψ ) ⊆ dom(Γ ).

In order for our generic type system to be safe, we must keep track of the resources

used in communication and selections to ensure that they are only those needed. We

capture this by requiring certain judgements to be minimal.

Definition 5. We write Γ , Ψ

we have Γ , Ψ J .

min

J if Γ , Ψ

J and for every Γ < Γ and Ψ < Ψ

We require minimality to be unique up to assertion equivalence.

Requirement 1. If Γ1 , Ψ1

min

J and Γ2 , 2

min

J then 1 = 2 and 1

2 .

104

5.1

H. Hăuttel

Typing Session Channels

Since arbitrary terms can be used as session channels as long as they contain session

constructors, we need a special notation for describing that a term is a well-typed session channel. We write Γ , Ψ M : T @c if the term M has type T when using session

constructor c. The rules defining this judgement depend on the instance of the type

system but we require that the session constructor must have an endpoint type for the

resulting channel to be typeable.

Requirement 2. If Γ , Ψ

5.2

M : T @c then Γ (c) = TE for some endpoint type TE .

Typing Patterns

For patterns, judgments are of the form

Γ ,Ψ

X :T →U

The intended interpretation is that the pattern X has type T → U if the pattern variables

will be bound to terms of types T whenever the pattern matches a term of type U.

In our treatment of typing patterns we again appeal to the matching predicate. The

type rules for patterns must be defined for each instance. However, we require the following application rule which says that if a term N matches a pattern of type T → U,

binding the pattern variables to terms of types T , then N must be of type U.

Γ ,Ψ

(A PP )

X : T → U L ∈ MATCH(N, x, X)

Γi , Ψi Li : Ti for 1 ≤ i ≤ |T |

|T |

Γ + ∑i=1 Γi , Ψ

where Ψ = Ψ ⊗

N :U

Ψi

1≤i≤|T |

Moreover, the type rules must satisfy the converse requirement: If a term M matches

a pattern X, then all subterms N that instantiate the pattern variables will have the types

required by the type of X. Moreover, the type environments and assertions required to

type these subterms are exactly those needed to type the corresponding parts of M.

Requirement 3. Suppose N ∈ MATCH(M, x, X) and Γ1 + x : T , Ψ1 min X : T → U. Then

there exist Γ2i , Ψ2i such that Γ2i , Ψ2i min Ni : Ti for all 1 ≤ i ≤ |x| = n.

5.3

Type Rules for Terms, Assertions and Conditions

The sets of terms, assertions and conditions are specific to each psi-calculus instance,

so the type rules are also specific for the instance.

The type rules for terms must always satisfy the requirement that equivalent channels either have the same session type (in which case the channels are session channels)

or dual endpoint types (in which case the channels are the two endpoints of the same

session channel).

˙ K and Γ , Ψ

Requirement 4. If Ψ |= M ↔

and Γ , Ψ M : T then Γ , Ψ K : T .

M : S then Γ , Ψ

K : S. If Ψ |= M ↔

˙ K

The unit assertion must be typeable using no assumptions, i.e. we must have 0,

/ 1 1.

Binary Session Types for Psi-Calculi

105

5.4 Type Rules for Processes

Type judgements for processes are of the form Γ , Ψ P, where Ψ is an assertion.

Table 3 contains the type rules for processes. In the type rules, and notably in (PAR ),

we use a typed notion of frames for processes; the qualified frame of a process P is still

denoted F (P) but is now a pair ΓP , ΨP , where ΨP is the composition of assertions in

P and ΓP records the types of the names local to ΨP . We define this as follows

F (P | Q) = ΓP + ΓQ , ΨP ΨQ

where F (P) = ΓP , ΨP , F (Q) = ΓQ , ΨQ

F ((ν b : T )P) = b : T + ΓP , ΨP where F (P) = (ΓP , ΨP )

F ((|Ψ |)) = 0,

/ Ψ

F (P) = 0,

/ 1

otherwise

For patterns, judgments are of the form Γ , Ψ X : T → U. The intended interpretation is that pattern X has type T → U if the pattern variables are bound to terms of

types T whenever the pattern matches a term of type U. An important rule is (PAR ); the

type addition axiom (2) enables us to split a session type into two endpoint types, one

for each parallel component; this follows Giunti and Vasconcelos [14].

The type rules for input and output generalize those of usual session type systems

such as [14]. In particular, the subject and the object of the prefix are typed in separate

subenvironments and the type of the subject is updated when typing the continuation.

As subjects in the psi-calculus setting can be arbitrary terms, one cannot simply update

the session type of a channel by updating the type bound to the channel in the type

environment. Instead, we update the type of the channel constructor used to construct

the channel.

6 A Type Preservation Theorem

We now establish a fidelity result that will ensure that whenever a process P is welltyped in a balanced environment, then in any τ -transition that is the result of a communication or selection on a session channel constructed using session constructor c, the

resulting process will also be well-typed in a balanced environment – only now the type

of c has evolved according to the protocol specified by the session type.

The direction of a visible action α in the labelled semantics is either ! or ? for a

communication and or for a selection; we denote this by d(α ).

Definition 6 (Well-typed label). Let α be a label. We call (α , (T,U)) a typed label if

U is either a type or •. We define Γ , Ψ α : (T @c,U) as follows:

!U

1. If Γ1 , Ψ1 M : T @c and Γ2 + a : T , Ψ2 N : U and T −→ T then Γ1 + Γ2 , Ψ1

M(ν a)N : (T @c,U).

?U

2. if Γ1 , Ψ1 K : T @c and Γ2 , Ψ2 N : U and T −→ T then Γ1 + Γ2 , Ψ1 Ψ2

(T @c,U) .

3. If Γ , Ψ

,l

M : T @c and T −−→ T then Γ , Ψ

M

l : (T @c, •).

Ψ2

KN :

## Programming languages and systems 14th asian symposium, APLAS 2016

## 1 Propositions, Contexts, and Sequents

## 4 Completing the Isomorphism: From Cut-Free Proofs to SFTs

## 1 Including and in Subsingleton Logic

## 3 AUSPICE: Hoare Logic-Based Safety Property Proofs

## 3 Type Rules for Terms, Assertions and Conditions

## 2 Open Call-by-Value 2: The Value Substitution Calculus

## 4 Open Call-by-Value 4: The Value Sequent Calculus

## 1 The Taming of Russell's and Curry's Paradoxes

## 2 Environment Classifiers, Binding Abstractions, and Lexical Scope

## 2 Proof Pattern: Combining Mathematical and Spatial Reasoning

Tài liệu liên quan