1 Names, Terms and Assertions
Tải bản đầy đủ - 0trang
98
H. Hăuttel
can be affected by names being bound or swapped. If x is an element of a nominal set
and a ∈ N , we write a x, to denote that a is fresh for x; the notion extends to sets of
names in the expected way.
Psi-calculus processes can contain terms M, N, . . .; these must form a nominal data
type [2] T [11] which is a nominal set with internal structure. If Σ is a signature, a
nominal data type is then a Σ -algebra, whose carrier set is a nominal set. In the nominal
data types of ψ -calculi we use simultaneous term substitution X[z := Y ] which is to be
read as stating that the terms in Y replace the names in z in X in a capture-avoiding
fashion.
Processes can also contain assertions Ψ , that must form a nominal datatype A.
We require a partial composition operator on A, a symmetric and transitive binary
relation on A and a special unit assertion 1 such that
Ψ1 Ψ2
Ψ 1
Ψ2
Ψ
Ψ1
Ψ1
(Ψ2 Ψ3 ) (Ψ1 Ψ2 ) Ψ3
Ψ Ψ ⇒ Ψ Ψ1 Ψ Ψ1
An assertion Ψ is unlimited if Ψ Ψ Ψ . We have a partial order on assertions induced
by Ψ ≤ Ψ Ψ , and we write Ψ < Ψ iff Ψ ≤ Ψ and Ψ Ψ .
2.2
Processes
Unlike the π -calculus, channels can be arbitrary terms in a psi-calculus. We therefore
˙ N denotes that terms M and N
assume a notion of channel equivalence; Ψ |= M ↔
represent the same channel, given the assertion Ψ . That channel equivalence can in the
general case depend on the global knowledge, represented by Ψ , is due to the fact that
psi-calculus instances may use assertions that involve identities on names.
We extend psi-calculi with the selection and branching primitives of Honda et
al. [18], as these are standard in session calculi. Branching now becomes M {l1 :
P1 , . . . , lk : Pk } and selection is written as M l.P1 , where l ranges over a set of selector
label names. As in [18], these label names cannot be bound by input or restriction.
We introduce session channels by means of dual endpoints as in Giunti and Vasconcelos [14]. The construct (ν c)P can be used to set up a new session channel with
the session constructor c that can be used to build channels from terms. The notion of
session constructor is explained in Sect. 4.1.
All in all, this gives us the untyped formation rules
˜
| MN.P | P1 | P2 | (ν c)P | ! P | (|Ψ |) | case ϕ1 : P1 , . . . , ϕk : Pk
P :: = M(λ x)X.P
| M l.P1 | M {l1 : P1 , . . . , lk : Pk }
Restriction and input are the binding constructs; we use bn(P) and n(P) to denote the
sets of bound names in P and names in P, respectively.
˜
contains the pattern X; this is to be thought of as a
The input process M(λ x)X.P
term with free pattern variables x. We allow patterns to be arbitrary and simply require
that they form a nominal datatype. The input process can receive a term M if and only
if M matches the pattern X. The bound names of this process are x ∪ bn(P).
The output process MN.P sends out the term N on the channel M and continues as
P. The selector construct case ϕ1 : P1 , . . . , ϕk : Pk describes a conditional process that
Binary Session Types for Psi-Calculi
99
continues as Pi if condition ϕi is true. Any assertion Ψ can be embedded as the process
(|Ψ |), and in this way it is possible to express the notion of inaction (a ‘nil’ process).
The remaining process constructs are those of the π -calculus.
Moreover, processes can contain conditions ϕ that are used in the case-construct;
these are also assumed to form a nominal datatype.
3 An Annotated Semantics
α
Our labelled transition semantics has transitions are of the form Ψ P −
→ P . This is
to be read as stating that, given the global knowledge represented by the assertion Ψ ,
process P can evolve to process P by performing the action α .
In the semantics, we need to give an account of pattern matching for input processes.
Like [5] we assume the existence of a match relation that describes the conditions
on pattern variables needed for a term N to match a pattern X. This match relation is particular to the actual psi-calculus instance under consideration. In any case,
L ∈ MATCH(N, y, X) if the term N can match the pattern X with pattern variables y in
such a way that these variables are instantiated with the corresponding subterms of L.
Moreover, the semantics must describe when and how conditions in a case-construct
hold. We therefore assume the existence of an entailment relation Ψ |= ϕ that describes
when a condition ϕ is true, given an assertion Ψ . This relation is also particular to the
actual psi-calculus instance under consideration.
Finally, assertions are important in the semantics. We sometimes need to extract the
assertion information of a process P; we call this its frame F (P) = ΨP , where ΨP is the
composition of assertions in P. We let
F (P | Q) = F (P)
F ((|Ψ |)) = Ψ
F (Q)
F ((ν b)P) = (ν b)F (P)
F (P) = 1
otherwise
The semantics is specially tailored for stating and proving the safety properties of
our type system. The structure of actions is given by the formation rules
α :: = M
l|M
l | M(ν a)N | KN | (ν a)τ @(ν b)(M N K) | (ν a)τ @(M
l
N)
The labels for observable actions are as in [2]: M(ν a)N denotes an output on channel
M of N that extrudes the names in a, and KN denotes an input on channel K of term N.
The transition rules for observable transitions are given in Table 1.
On the other hand, τ -actions now record usage of bound names. This is a major
difference from the presentation in [2] and is introduced, since we have to describe how
the session type of a bound name that is used as a session constructor will evolve as the
result of a τ -action. The rules for τ -transitions are shown in Table 2.
In the label (ν a)τ @(ν b)(M N K) we record the set of private names a that are used
in the channel subject pair (M, K) communication as well as the set of private names b
that are extruded from the output process. This is expressed by the side condition of the
rules (C OM ) and (R ES -C OM ).
In the label (ν a)τ @(M l N) we record the set of private names a that are used
to build the selector pair (M, N). This is captured by the side conditions of the rules
(C HOOSE ) and (R ES -C HOOSE ). If any of the sets in a label is empty, we omit it.
100
H. Hăuttel
Table 1. Labelled transition rules for observable transitions. The symmetric versions of C OM,
C HOOSE and PAR are omitted. In PAR we assume F (Q) = (ν bQ )ΨQ where bQ Ψ , P and α .
4 Types in the Generic Type System
In this and the following section we present our generic type system; our account of session types does not rely on a particular type language and is inspired by the transitionbased approach of [6].
4.1
Session Types and Endpoint Types
We let T range over the set of types and distinguish between base types B, session types
S and endpoint types TE . An endpoint type TE describes the behaviour at one end of a
channel. A session type S describes the behaviour at both ends of a channel and is a pair
(T1 , T2 ) of endpoint types.
In psi-calculi channels can be arbitrary terms; in our setting we use special names
called session constructors; this is a term constructor that can be applied to an appropriate number of terms. The result of this is a term that can be used as session channel. A
term M can contain more than one session constructor; if the principal session constructor of the term is c, M will have a type of the form T @c. The type rules for terms depend
on the specific psi-calculus instance, and these rules must describe what is meant by the
principal session constructor and how the type of a composite term to be used as a
session channel is determined.
Binary Session Types for Psi-Calculi
101
Table 2. Labelled transition rules for τ -transitions. Symmetric versions of C OM and C HOOSE are
omitted. In C OM and C HOOSE we assume that F (P) = (ν bP )ΨP and F (Q) = (ν bQ )ΨQ where
bP Ψ , bQ , Q, M and P, and bQ Ψ , bP , P, K and Q.
Types may contain free names. A type with free names x is denoted T (x), while a
type with names instantiated by the terms M is denoted T [M].
We assume an additive structure on types [17].
.
Definition 1 (Type structure [17]). A type structure is a triple (T, +, =) where T is a
.
set of types, + is a partial binary operation on T and = is a partial equivalence relation
.
.
on T such that T1 +T2 = T2 +T1 and (T1 +T2 )+T3 = T1 +(T2 +T3 ) for all T1 , T2 , T3 ∈ T.
We say that an endpoint type TE is unlimited if TE = TE + TE and assume the existence of a type end; this is the type of a completed session. Following [14], we also
assume that the additive structure on types satisfies the axioms
.
(1)
(T1 , T2 ) = (T1 , T2 ) + (end, end) if T1 , T2 are not unlimited
.
(T1 , T2 ) = T1 + T2
(2)
In all other cases, summation of session types is undefined.
The summation axiom (2) ensures that a session type can be split into its two endpoints, as will be clear from the type rule for parallel composition. Note that, because of
the axiom (2) and the commutativity requirement for structures, we identify the session
types (T1 , T2 ) and (T2 , T1 ).
Definition 2. Let T1 and T2 be types. We write T1 ≤ T2 if either T1 = T2 or for some T
we have T1 + T = T2 . We write T1 ≤min T2 if T1 is a least type T such that T T2 .
102
H. Hăuttel
Note that the least type defined above need not be unique.
Transitions for Types. We assume a deterministic labelled transition relation defined on
λ
→ T where
the set of endpoint types. Transitions are of the form TE −
λ :: = !T1 | ?T1 | l | l
?T
1
If a channel has endpoint type TE with a transition TE −−→
TE , then following an input
of a term of type T1 , the channel will now have endpoint type TE . For a given type
language, we must give transition rules that describe how these transitions arise. The
type end has no transitions.
We assume a duality condition for labels in labelled type transitions; we define
!T1 = ?T2 and l = l and vice versa, and we require that λ = λ .
We assume an involution T on endpoint types. For base types (ranged over by B),
λ
λ
→ TE ⇐⇒ TE −
→ TE . Since
duality is not defined. For transitions we require that TE −
an unlimited type T satisfies that T = T + T , any type of this kind is only allowed to
have labelled transitions leading back to itself. That is, if T is unlimited, then whenever
λ
T−
→ T for some λ we require T = T . A session type is balanced if the types of its
endpoint are dual to each other.
Definition 3. A session type S is balanced if S = (TE , TE ) for some TE .
4.2
Type Environments
A type environment Γ is a finite function from names to types, often written as x : T .
We denote the empty type environment by 0.
/ Addition is defined by
Definition 4. Let Γ1 and Γ2 be type environments. The sum of Γ1 and Γ2 is defined as
the type environment Γ1 + Γ2 that is given by
⎧
⎪
x ∈ dom(Γ1 )\ dom(Γ2 )
⎨Γ1 (x)
(Γ1 + Γ2 )(x) = Γ2 (x)
x ∈ dom(Γ2 )\ dom(Γ1 )
⎪
⎩
Γ1 (x) + Γ2 (x) otherwise, i f this sum is de f ined
We write Γ1 ≤ Γ2 if there exists a Γ such that Γ1 + Γ = Γ2 .
/ dom(Γ ) and Γ + c : T if Γ = Γ + c : U
We write Γ ± c : T to denote Γ + c : T if c ∈
for some type U; this operation is used to denote how the type information for a session
constructor c is updated when a session channel built using the session constructor c
evolves. If c is already present in Γ , the session behaviour is updated. Otherwise, the
behaviour is added to Γ .
A type environment Γ is balanced if for every x ∈ dom(Γ ) we have that whenever
Γ (x) = S, then S is balanced. Similarly, Γ is unlimited if for every x ∈ dom(Γ ) we have
that Γ (x) is an unlimited type.
Binary Session Types for Psi-Calculi
103
4.3 A Typed Syntax and Its Semantics
From now on we will use a typed syntax for ψ -calculi, where restrictions are of the form
(ν x : T )P and state that x has type T in P. If P is a process in the untyped syntax with all
bound names distinct and Γ is a type environment where dom(Γ ) = bn(P), then PΓ is
the corresponding typed process which has been annotated according to the bindings in
Γ . If P1 and P2 are typed processes, we write P1 P2 if P1 and P2 differ only in their type
annotations for bound names, i.e. for some P and Γ1 , Γ2 where dom(ΓP1 ) = dom(ΓP2 ) we
have P1 = PΓ1 and P2 = PΓ2 .
We extend the semantics to the typed case as follows. For a typed process P we
α
write Ψ P −
→ P if there exists a type environment Γ such that P = PΓ where P is
α
an untyped process and Ψ P −
→ P where P = P Γ for some Γ . When no confusion
arises, we say that a typed transition follows from a given transition rule in the untyped
semantics if the corresponding untyped transition was concluded using this rule.
α
Note that in this typed interpretation we can have that Ψ P −
→ P for more than
one P for any given α , since there can be several different type annotations of the
result of a transition in the untyped semantics. All our results on type preservation are
therefore stated up to and must be read as saying that there exists a type annotation
P if there exists a P1 where
such that the conclusion holds. We therefore write Γ , Ψ
P1 P such that Γ , Ψ P1 .
5 Type Judgements in the Generic Type System
Since the type system is generic, some parts of the type system depend on the specific
psi-calculus instance under consideration. The type rules for processes are common to
all instances, since the syntax for processes is always the same. On the other hand, the
structure and interpretation of terms, patterns, assertions, and conditions is specific to
each psi-calculus instance and must be defined separately. In the following sections we
describe the requirements that any such instance of the type system must follow.
The type judgements in any instance of the system are of the form Γ , Ψ J where
J is built using the formation rules
J :: =M : T | X : T → U | Ψ | ϕ | P
Type judgments must satisfy the standard well-formedness requirement: whenever free
names occur, their types must be declared in the type environment. More specifically,
we require that judgements Γ , Ψ J must always be well-formed, i.e. that fn(J ) ⊆
dom(Γ ), and that the environment-assertion pair Γ , Ψ must be similarly well-formed,
i.e. that fn(Ψ ) ⊆ dom(Γ ).
In order for our generic type system to be safe, we must keep track of the resources
used in communication and selections to ensure that they are only those needed. We
capture this by requiring certain judgements to be minimal.
Definition 5. We write Γ , Ψ
we have Γ , Ψ J .
min
J if Γ , Ψ
J and for every Γ < Γ and Ψ < Ψ
We require minimality to be unique up to assertion equivalence.
Requirement 1. If Γ1 , Ψ1
min
J and Γ2 , 2
min
J then 1 = 2 and 1
2 .
104
5.1
H. Hăuttel
Typing Session Channels
Since arbitrary terms can be used as session channels as long as they contain session
constructors, we need a special notation for describing that a term is a well-typed session channel. We write Γ , Ψ M : T @c if the term M has type T when using session
constructor c. The rules defining this judgement depend on the instance of the type
system but we require that the session constructor must have an endpoint type for the
resulting channel to be typeable.
Requirement 2. If Γ , Ψ
5.2
M : T @c then Γ (c) = TE for some endpoint type TE .
Typing Patterns
For patterns, judgments are of the form
Γ ,Ψ
X :T →U
The intended interpretation is that the pattern X has type T → U if the pattern variables
will be bound to terms of types T whenever the pattern matches a term of type U.
In our treatment of typing patterns we again appeal to the matching predicate. The
type rules for patterns must be defined for each instance. However, we require the following application rule which says that if a term N matches a pattern of type T → U,
binding the pattern variables to terms of types T , then N must be of type U.
Γ ,Ψ
(A PP )
X : T → U L ∈ MATCH(N, x, X)
Γi , Ψi Li : Ti for 1 ≤ i ≤ |T |
|T |
Γ + ∑i=1 Γi , Ψ
where Ψ = Ψ ⊗
N :U
Ψi
1≤i≤|T |
Moreover, the type rules must satisfy the converse requirement: If a term M matches
a pattern X, then all subterms N that instantiate the pattern variables will have the types
required by the type of X. Moreover, the type environments and assertions required to
type these subterms are exactly those needed to type the corresponding parts of M.
Requirement 3. Suppose N ∈ MATCH(M, x, X) and Γ1 + x : T , Ψ1 min X : T → U. Then
there exist Γ2i , Ψ2i such that Γ2i , Ψ2i min Ni : Ti for all 1 ≤ i ≤ |x| = n.
5.3
Type Rules for Terms, Assertions and Conditions
The sets of terms, assertions and conditions are specific to each psi-calculus instance,
so the type rules are also specific for the instance.
The type rules for terms must always satisfy the requirement that equivalent channels either have the same session type (in which case the channels are session channels)
or dual endpoint types (in which case the channels are the two endpoints of the same
session channel).
˙ K and Γ , Ψ
Requirement 4. If Ψ |= M ↔
and Γ , Ψ M : T then Γ , Ψ K : T .
M : S then Γ , Ψ
K : S. If Ψ |= M ↔
˙ K
The unit assertion must be typeable using no assumptions, i.e. we must have 0,
/ 1 1.
Binary Session Types for Psi-Calculi
105
5.4 Type Rules for Processes
Type judgements for processes are of the form Γ , Ψ P, where Ψ is an assertion.
Table 3 contains the type rules for processes. In the type rules, and notably in (PAR ),
we use a typed notion of frames for processes; the qualified frame of a process P is still
denoted F (P) but is now a pair ΓP , ΨP , where ΨP is the composition of assertions in
P and ΓP records the types of the names local to ΨP . We define this as follows
F (P | Q) = ΓP + ΓQ , ΨP ΨQ
where F (P) = ΓP , ΨP , F (Q) = ΓQ , ΨQ
F ((ν b : T )P) = b : T + ΓP , ΨP where F (P) = (ΓP , ΨP )
F ((|Ψ |)) = 0,
/ Ψ
F (P) = 0,
/ 1
otherwise
For patterns, judgments are of the form Γ , Ψ X : T → U. The intended interpretation is that pattern X has type T → U if the pattern variables are bound to terms of
types T whenever the pattern matches a term of type U. An important rule is (PAR ); the
type addition axiom (2) enables us to split a session type into two endpoint types, one
for each parallel component; this follows Giunti and Vasconcelos [14].
The type rules for input and output generalize those of usual session type systems
such as [14]. In particular, the subject and the object of the prefix are typed in separate
subenvironments and the type of the subject is updated when typing the continuation.
As subjects in the psi-calculus setting can be arbitrary terms, one cannot simply update
the session type of a channel by updating the type bound to the channel in the type
environment. Instead, we update the type of the channel constructor used to construct
the channel.
6 A Type Preservation Theorem
We now establish a fidelity result that will ensure that whenever a process P is welltyped in a balanced environment, then in any τ -transition that is the result of a communication or selection on a session channel constructed using session constructor c, the
resulting process will also be well-typed in a balanced environment – only now the type
of c has evolved according to the protocol specified by the session type.
The direction of a visible action α in the labelled semantics is either ! or ? for a
communication and or for a selection; we denote this by d(α ).
Definition 6 (Well-typed label). Let α be a label. We call (α , (T,U)) a typed label if
U is either a type or •. We define Γ , Ψ α : (T @c,U) as follows:
!U
1. If Γ1 , Ψ1 M : T @c and Γ2 + a : T , Ψ2 N : U and T −→ T then Γ1 + Γ2 , Ψ1
M(ν a)N : (T @c,U).
?U
2. if Γ1 , Ψ1 K : T @c and Γ2 , Ψ2 N : U and T −→ T then Γ1 + Γ2 , Ψ1 Ψ2
(T @c,U) .
3. If Γ , Ψ
,l
M : T @c and T −−→ T then Γ , Ψ
M
l : (T @c, •).
Ψ2
KN :