Session-Typed Concurrent Programming1

Stephanie Balzer Carnegie Mellon University

POPL 2019 TutorialFest

1 Supported by a Mozilla Research Grant and an NSF grant (No. CCF-1718267)

Content of tutorial

Message-passing programming and session types • types for typing such programs

Linear logic and session types • benefits and limitations

Manifest sharing • controlled sharing for concurrency (non-determinism)

Manifest sharing and the pi-calculus • expressiveness of untyped asynchronous pi-calculus recovered

Current & future research

�2

Learning objectives of tutorial

• How to program with session types • What linearity is good for in programming • How logic can guide programming language design • Expressiveness of session-typed programming • Hands-on experience with Concurrent C0

�3

Session-typed message-passing programming

Message-passing concurrent programming

�5

P1

P2

P3

P4

P5

Legend: channel messageprocess

Computation: by message exchange along channels

Program: network of processes connected by channels

a

b

c

N-ary channels: e.g., a connects P1, P2, and P3

Message-passing concurrent programming

�5

P1

P2

P3

P4

P5

Legend: channel messageprocess

Computation: by message exchange along channels

Program: network of processes connected by channels

a

b

c

M

N-ary channels: e.g., a connects P1, P2, and P3

Message-passing concurrent programming

�5

P1

P2

P3

P4

P5

Legend: channel messageprocess

Computation: by message exchange along channels

Program: network of processes connected by channels

a

b

c

M

N-ary channels: e.g., a connects P1, P2, and P3

Message-passing concurrent programming

�6

P1

P2

P3

P4

P5

Legend: channel messageprocess

Computation: by message exchange along channels

Program: network of processes connected by channels

a

b

c

N-ary channels: e.g., a connects P1, P2, and P3

Message-passing concurrent programming

�6

P1

P2

P3

P4

P5

Legend: channel messageprocess

Computation: by message exchange along channels

Program: network of processes connected by channels

a

b

c

M

N-ary channels: e.g., a connects P1, P2, and P3

Message-passing concurrent programming

�6

P1

P2

P3

P4

P5

Legend: channel messageprocess

Computation: by message exchange along channels

Program: network of processes connected by channels

a

b

c

M N-ary channels: e.g., a connects P1, P2, and P3

Message-passing concurrent programming

�6

P1

P2

P3

P4

P5

Legend: channel messageprocess

Computation: by message exchange along channels

Program: network of processes connected by channels

a

b

c

N-ary channels: e.g., a connects P1, P2, and P3

non-determinism

Message-passing concurrent programming

�6

P1

P2

P3

P4

P5

Legend: channel messageprocess

Computation: by message exchange along channels

Program: network of processes connected by channels

a

b

c

N-ary channels: e.g., a connects P1, P2, and P3

non-determinism

formal model: pi-calculus[Milner 1992]

Example: queue

�7

“P” “O” “P”

queueclient

q t1 t2 t3

Example: queue

�7

“P” “O” “P”

queueclient

enqueue

q t1 t2 t3

Example: queue

�7

“P” “O” “P”

queueclient

dequeue enqueue

q t1 t2 t3

Example: queue

�7

“P” “O” “P”

queueclient

dequeue enqueue

enqueue: client sends “enq” followed by “L” along q

q t1 t2 t3

Example: queue

�8

“P” “O” “P”

queueclient

q t1 t2 t3

enqueue: client sends “enq” followed by “L” along q

Example: queue

�9

enqueue: client sends “enq” followed by “L” along q

“P” “O” “P”

queueclient

q t1 t2 t3

“P” “O” “P” “L”q t1 t2 t3 t4

Example: queue

�9

enqueue: client sends “enq” followed by “L” along q

“P” “O” “P”

queueclient

q t1 t2 t3

“P” “O” “P” “L”q t1 t2 t3 t4

dequeue: client sends “deq”, then receives “P”

Example: queue

�9

enqueue: client sends “enq” followed by “L” along q

“P” “O” “P”

queueclient

q t1 t2 t3

“P” “O” “P” “L”q t1 t2 t3 t4

dequeue: client sends “deq”, then receives “P”

“O” “P” “L”q t2 t3 t4

Example: queue

• In our example, we’ve stored characters in the queue • However, we can also store channel references:

�10

Example: queue

• In our example, we’ve stored characters in the queue • However, we can also store channel references:

�10

q t1 t2 t3

Example: queue

• In our example, we’ve stored characters in the queue • However, we can also store channel references:

�10

q t1 t2 t3

“higher-order” channels (session types)

Example: queue

• In our example, we’ve stored characters in the queue • However, we can also store channel references:

�10

q t1 t2 t3

“higher-order” channels (session types)

“mobility” (pi-calculus)

Types for protocols of message exchange

�11

Types for protocols of message exchange

Session types [Honda 1993]

�11

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

Types for protocols of message exchange

Session types [Honda 1993]

�11

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

input: receive message of type T, continue as type A’

Types for protocols of message exchange

Session types [Honda 1993]

�12

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

Types for protocols of message exchange

Session types [Honda 1993]

�12

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

output: send message of type T, continue as type A’

Types for protocols of message exchange

Session types [Honda 1993]

�13

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

Types for protocols of message exchange

Session types [Honda 1993]

�13

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

external choice: receive label li, continue as type Ai

Types for protocols of message exchange

Session types [Honda 1993]

�14

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

Types for protocols of message exchange

Session types [Honda 1993]

�14

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

internal choice: send label li, continue as type Ai

Types for protocols of message exchange

Session types [Honda 1993]

�15

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

Types for protocols of message exchange

Session types [Honda 1993]

�15

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

termination: close session and terminate

Types for protocols of message exchange

Session types [Honda 1993]

�16

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

Types for protocols of message exchange

Session types [Honda 1993]

�16

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

recursive session types

Types for protocols of message exchange

Session types [Honda 1993]

�17

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

Types for protocols of message exchange

Session types [Honda 1993]

�17

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

A , ?[T ].A0 | ![T ].A0 |N{l1 : A1, . . . , ln : An} | �{l1 : A1, . . . , ln : An} |end | X | µX.A0

T , A | int | . . .

Example:

Session types change with protocol

�18

Session types change with protocol

�18

“P” “O” “P”

queueclient

q

Session types change with protocol

�18

“P” “O” “P”

queueclient

q

What is the type of channel q?

Session types change with protocol

�18

“P” “O” “P”

queueclient

q

What is the type of channel q?

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

Session types change with protocol

�19

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

Session types change with protocol

�19

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

Action: Type:

q: queue

Session types change with protocol

�19

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

Action: Type:

q: queue

send “enq” along q q:

Session types change with protocol

�19

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

Action: Type:

q: queue

send “enq” along q q: ?[char].queue

Session types change with protocol

�19

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

Action: Type:

q: queue

send “enq” along q q: ?[char].queue

send “L” along q q:

Session types change with protocol

�19

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

Action: Type:

q: queue

send “enq” along q q: ?[char].queue

send “L” along q q: queue

Session types change with protocol

�19

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

Action: Type:

q: queue

send “enq” along q q: ?[char].queue

send “L” along q q: queue

send “deq” along q q:

Session types change with protocol

�19

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

Action: Type:

q: queue

send “enq” along q q: ?[char].queue

send “L” along q q: queue

send “deq” along q q: �{none : end, some : ![char].queue}

Session types change with protocol

�19

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

receive “some” along q q:

Action: Type:

q: queue

send “enq” along q q: ?[char].queue

send “L” along q q: queue

send “deq” along q q: �{none : end, some : ![char].queue}

Session types change with protocol

�19

queue = N{enq : ?[char].queue,deq : �{none : end, some : ![char].queue}}

receive “some” along q q:

Action: Type:

q: queue

send “enq” along q q: ?[char].queue

send “L” along q q: queue

send “deq” along q q: �{none : end, some : ![char].queue}![char].queue

Session types change with protocol

�20

Session types change with protocol

�20

What if?

“P” “O” “P”

queueclient 1

q

client 2

Session types change with protocol

�20

What if?

“P” “O” “P”

queueclient 1

q

client 2

Action: Type:q: queue

Session types change with protocol

�20

What if?

“P” “O” “P”

queueclient 1

q

client 2

Action: Type:q: queue

client 1 sends “enq” along q q:

Session types change with protocol

�20

What if?

“P” “O” “P”

queueclient 1

q

client 2

Action: Type:q: queue

client 1 sends “enq” along q q: ?[char].queue

Session types change with protocol

�20

What if?

“P” “O” “P”

queueclient 1

q

client 2

Action: Type:q: queue

client 1 sends “enq” along q q: ?[char].queue

client 2 sends “enq” along q

Session types change with protocol

�20

What if?

“P” “O” “P”

queueclient 1

q

client 2

Action: Type:q: queue

client 1 sends “enq” along q q: ?[char].queue

client 2 sends “enq” along q q is not at expected type!

Preservation (session fidelity)

• Expectations of client and provider match, if they do initially.

• How can we recover preservation?

�21

Preservation (session fidelity)

• Expectations of client and provider match, if they do initially.

• How can we recover preservation?

�21

Use linear logic as a foundation for session types

Preservation (session fidelity)

• Expectations of client and provider match, if they do initially.

• How can we recover preservation?

�21

Use linear logic as a foundation for session types

Let’s view session types as linear propositions

Preservation (session fidelity)

• Expectations of client and provider match, if they do initially.

• How can we recover preservation?

�21

Use linear logic as a foundation for session types

Linear logic allows us to treat channels as “resources”

Let’s view session types as linear propositions

Preservation (session fidelity)

• Expectations of client and provider match, if they do initially.

• How can we recover preservation?

�21

Use linear logic as a foundation for session types

Linear logic allows us to treat channels as “resources”

What does that mean?

Let’s view session types as linear propositions

Linear session types

Linear logic

�23

� ` C

�, A ` Cweaken

�, A,A ` C

�, A ` Ccontract

Rejects the following two structural rules:

“drop resource” “duplicate resource”

Linear logic

�23

� ` C

�, A ` Cweaken

�, A,A ` C

�, A ` Ccontract

Rejects the following two structural rules:

“drop resource” “duplicate resource”

Presented work based on intuitionistic linear logic

Linear logic

�23

� ` C

�, A ` Cweaken

�, A,A ` C

�, A ` Ccontract

Rejects the following two structural rules:

“drop resource” “duplicate resource”

Presented work based on intuitionistic linear logic

Distinction of provider (right) from clients (left) of turnstile

Weakening

�24

� ` C

�, A ` Cweaken

Weakening

�24

� ` C

�, A ` Cweaken

“P” “O” “P”

queueclient

q

Weakening

�25

� ` C

�, A ` Cweaken

“P” “O” “P”

queueclient

q

Weakening

�25

� ` C

�, A ` Cweaken

“P” “O” “P”

queueclient

q

Terminating client without terminating or passing on queue

Weakening

�25

� ` C

�, A ` Cweaken

“P” “O” “P”

queueclient

q

Terminating client without terminating or passing on queue

“P” “O” “P”q

Weakening

�25

� ` C

�, A ` Cweaken

“P” “O” “P”

queueclient

q

Terminating client without terminating or passing on queue

“P” “O” “P”q

Providing process without a client

Contraction

�26

�, A,A ` C

�, A ` Ccontract

Contraction

�26

“P” “O” “P”

queueclient

q

�, A,A ` C

�, A ` Ccontract

Contraction

�26

“P” “O” “P”

queueclient

q

Passing on channel reference and keeping it

�, A,A ` C

�, A ` Ccontract

Contraction

�26

“P” “O” “P”

queueclient

q

Passing on channel reference and keeping it

�, A,A ` C

�, A ` Ccontract

“P” “O” “P”q

Contraction

�26

“P” “O” “P”

queueclient

q

Passing on channel reference and keeping it

Providing process has multiple clients

�, A,A ` C

�, A ` Ccontract

“P” “O” “P”q

Tree structure

�27

Without weakening and contraction, process graph forms a tree.

Tree structure

�27

Without weakening and contraction, process graph forms a tree.

parent: client

Tree structure

�27

Without weakening and contraction, process graph forms a tree.

parent: client

child: provider

Tree structure

�27

Without weakening and contraction, process graph forms a tree.

parent: client

child: provider

Every providing process has exactly one client.

Tree structure

�27

Without weakening and contraction, process graph forms a tree.

parent: client

child: provider

Every providing process has exactly one client.

Session fidelity restored.

Reconstructing session types from linear propositions [Caires & Pfenning 2010, Wadler 2012]

�28

Curry-Howard correspondence: intuitionistic linear logic - session-typed pi-calculus [Caires & Pfenning 2010]

Logic: Type theory:

Linear propositions Session types

Proofs Programs

Cut reduction Communication

Reconstructing session types from linear propositions [Caires & Pfenning 2010, Wadler 2012]

�28

Curry-Howard correspondence: intuitionistic linear logic - session-typed pi-calculus [Caires & Pfenning 2010]

Logic: Type theory:

Linear propositions Session types

Proofs Programs

Cut reduction Communication

Let’s discover this correspondence together!

Intuitionistic linear logic

�29

Connectives:A,B , A⌦B multiplicative conjunction

A ( B multiplicative implication

ANB additive conjunction

A�B additive disjunction

!A ”of course”, persistent truth

Intuitionistic linear logic

�29

Connectives:A,B , A⌦B multiplicative conjunction

A ( B multiplicative implication

ANB additive conjunction

A�B additive disjunction

!A ”of course”, persistent truth

Judgment: x1 : A1, . . . , xn : An ` P :: (x : A)

Intuitionistic linear logic

�29

Connectives:A,B , A⌦B multiplicative conjunction

A ( B multiplicative implication

ANB additive conjunction

A�B additive disjunction

!A ”of course”, persistent truth

Judgment: x1 : A1, . . . , xn : An ` P :: (x : A)

Intuitionistic linear logic

�29

Connectives:A,B , A⌦B multiplicative conjunction

A ( B multiplicative implication

ANB additive conjunction

A�B additive disjunction

!A ”of course”, persistent truth

Judgment: x1 : A1, . . . , xn : An ` P :: (x : A)

Intuitionistic linear logic

�29

Connectives:A,B , A⌦B multiplicative conjunction

A ( B multiplicative implication

ANB additive conjunction

A�B additive disjunction

!A ”of course”, persistent truth

Judgment: x1 : A1, . . . , xn : An ` P :: (x : A)

Intuitionistic linear logic

�29

Connectives:A,B , A⌦B multiplicative conjunction

A ( B multiplicative implication

ANB additive conjunction

A�B additive disjunction

!A ”of course”, persistent truth

Judgment: x1 : A1, . . . , xn : An ` P :: (x : A)

“Process P offers a session of type A along channel x using the sessions A1, …, An provided along channels x1, …, xn.”

Intuitionistic linear logic

�30

Judgment: x1 : A1, . . . , xn : An ` P :: (x : A)

“Process P offers a session of type A along channel x using the sessions A1, …, An provided along channels x1, …, xn.”

Intuitionistic linear logic

�30

Judgment: x1 : A1, . . . , xn : An ` P :: (x : A)

“Process P offers a session of type A along channel x using the sessions A1, …, An provided along channels x1, …, xn.”

P

x : A

x1 : A1 xn : An

Additive conjunction

�31

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

Additive conjunction

�31

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

Additive conjunction

�31

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

Additive conjunction

�31

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

Additive conjunction

�31

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

Additive conjunction

�32

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

�, x : A ` Q :: (z : C)

�, x : ANB ` x.inl;Q :: (z : C)(T-NL1)

Additive conjunction

�32

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

�, x : A ` Q :: (z : C)

�, x : ANB ` x.inl;Q :: (z : C)(T-NL1)

Additive conjunction

�32

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

�, x : A ` Q :: (z : C)

�, x : ANB ` x.inl;Q :: (z : C)(T-NL1)

Additive conjunction

�32

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

�, x : A ` Q :: (z : C)

�, x : ANB ` x.inl;Q :: (z : C)(T-NL1)

Additive conjunction

�32

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

�, x : A ` Q :: (z : C)

�, x : ANB ` x.inl;Q :: (z : C)(T-NL1)

Additive conjunction

�33

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

�, x : A ` Q :: (z : C)

�, x : ANB ` x.inl;Q :: (z : C)(T-NL1)

�, x : B ` Q :: (z : C)

�, x : ANB ` x.inr;Q :: (z : C)(T-NL2)

Additive conjunction

�33

� ` P1 :: (x : A) � ` P2 :: (x : B)

� ` casex of(P1, P2) :: (x : ANB)(T-NR)

�, x : A ` Q :: (z : C)

�, x : ANB ` x.inl;Q :: (z : C)(T-NL1)

�, x : B ` Q :: (z : C)

�, x : ANB ` x.inr;Q :: (z : C)(T-NL2)

External choice: client chooses. Generalizes to .N{l : A}

Additive disjunction

�34

� ` P :: (x : A)

� ` x.inl;P :: (x : A�B)(T-�R1)

� ` P :: (x : B)

� ` x.inr;P :: (x : A�B)(T-�R2)

Internal choice: provider chooses. Generalizes to .�{l : A}

�, x : A ` Q1 :: (z : C) �, x : B ` Q2 :: (z : C)

�, x : A�B ` casex of(Q1, Q2) :: (z : C)(T-�L)

Multiplicative implication

�35

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

Multiplicative implication

�35

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

Multiplicative implication

�35

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

Multiplicative implication

�35

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

Multiplicative implication

�35

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

Multiplicative implication

�35

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

Multiplicative implication

�36

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

� ` Q :: (y : A) �0, x : B ` Q0 :: (z : C)

�,�0, x : A ( B ` send x (y Q);Q0 :: (z : C)(T-(L)

Channel input: provider receives a channel.

Multiplicative implication

�36

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

� ` Q :: (y : A) �0, x : B ` Q0 :: (z : C)

�,�0, x : A ( B ` send x (y Q);Q0 :: (z : C)(T-(L)

Channel input: provider receives a channel.

Multiplicative implication

�36

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

� ` Q :: (y : A) �0, x : B ` Q0 :: (z : C)

�,�0, x : A ( B ` send x (y Q);Q0 :: (z : C)(T-(L)

Channel input: provider receives a channel.

Multiplicative implication

�36

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

� ` Q :: (y : A) �0, x : B ` Q0 :: (z : C)

�,�0, x : A ( B ` send x (y Q);Q0 :: (z : C)(T-(L)

Channel input: provider receives a channel.

Multiplicative implication

�36

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

� ` Q :: (y : A) �0, x : B ` Q0 :: (z : C)

�,�0, x : A ( B ` send x (y Q);Q0 :: (z : C)(T-(L)

Channel input: provider receives a channel.

Multiplicative implication

�36

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

� ` Q :: (y : A) �0, x : B ` Q0 :: (z : C)

�,�0, x : A ( B ` send x (y Q);Q0 :: (z : C)(T-(L)

Channel input: provider receives a channel.

Multiplicative implication

�36

�, y : A ` P :: (x : B)

� ` y recv x;P :: (x : A ( B)(T-(R)

� ` Q :: (y : A) �0, x : B ` Q0 :: (z : C)

�,�0, x : A ( B ` send x (y Q);Q0 :: (z : C)(T-(L)

Channel input: provider receives a channel.

Multiplicative conjunction

�37

� ` Q :: (y : A) �0 ` P :: (x : B)

�,�0 ` send x (y Q);P :: (x : A⌦B)(T-⌦R)

�, x : B, y : A ` Q0 :: (z : C)

�, x : A⌦B ` y recv x;Q0 :: (z : C)(T-⌦L)

Channel output: provider sends a channel.

Unit of multiplicative conjunction

�38

· ` close x :: (x : 1)(T-1R)

Unit of multiplicative conjunction

�38

· ` close x :: (x : 1)(T-1R)

Unit of multiplicative conjunction

�38

· ` close x :: (x : 1)(T-1R)

Unit of multiplicative conjunction

�39

· ` close x :: (x : 1)(T-1R)

� ` Q :: (z : C)

�, x : 1 ` wait x;Q :: (z : C)(T-1L)

Unit of multiplicative conjunction

�39

· ` close x :: (x : 1)(T-1R)

� ` Q :: (z : C)

�, x : 1 ` wait x;Q :: (z : C)(T-1L)

Unit of multiplicative conjunction

�39

· ` close x :: (x : 1)(T-1R)

� ` Q :: (z : C)

�, x : 1 ` wait x;Q :: (z : C)(T-1L)

Unit of multiplicative conjunction

�39

· ` close x :: (x : 1)(T-1R)

� ` Q :: (z : C)

�, x : 1 ` wait x;Q :: (z : C)(T-1L)

Unit of multiplicative conjunction

�39

· ` close x :: (x : 1)(T-1R)

� ` Q :: (z : C)

�, x : 1 ` wait x;Q :: (z : C)(T-1L)

Unit of multiplicative conjunction

�39

· ` close x :: (x : 1)(T-1R)

� ` Q :: (z : C)

�, x : 1 ` wait x;Q :: (z : C)(T-1L)

Termination

Unit of multiplicative conjunction

�39

· ` close x :: (x : 1)(T-1R)

� ` Q :: (z : C)

�, x : 1 ` wait x;Q :: (z : C)(T-1L)

Termination

and must consist of at least one label.N �

Recap

�40

Recap

�40

Connectives:A,B , A⌦B channel output

A ( B channel input

�{l : A} internal choice

N{l : A} external choice

1 termination

Recap

�40

queueA = N{enq : A ( queueA,deq : �{none : 1, some : A⌦ queueA}}

Example:

Connectives:A,B , A⌦B channel output

A ( B channel input

�{l : A} internal choice

N{l : A} external choice

1 termination

Judgmental rules

�41

Judgmental rules

�41

� ` P (x : A) �0, x : A ` Q :: (z : C)

�,�0 ` x P ;Q :: (z : C)(T-cut)

Judgmental rules

�41

� ` P (x : A) �0, x : A ` Q :: (z : C)

�,�0 ` x P ;Q :: (z : C)(T-cut)

Parallel composition (spawning new process)

Judgmental rules

�41

� ` P (x : A) �0, x : A ` Q :: (z : C)

�,�0 ` x P ;Q :: (z : C)(T-cut)

Parallel composition (spawning new process)

y : A ` fwd x y :: (x : A)(T-id)

Judgmental rules

�41

� ` P (x : A) �0, x : A ` Q :: (z : C)

�,�0 ` x P ;Q :: (z : C)(T-cut)

Parallel composition (spawning new process)

Forward: process offering along x terminates, client henceforth interacts with process offering along y.

y : A ` fwd x y :: (x : A)(T-id)

Let’s program in Concurrent C0!

C0 [Pfenning 2010, Arnold 2010] • safe subset of C supporting contracts • teaching language developed at CMU • http://c0.typesafety.net

Concurrent C0 [Willsey & Prabhu & Pfenning 2016] • extends C0 with session types

Installing Concurrent C0 • see http://www.cs.cmu.edu/~balzers/popl_tutorial_2019

�42

What about type safety?

�43

What about type safety?

Preservation (aka session fidelity)

�43

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree

�43

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

�43

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

�43

✓

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

Progress

�43

✓

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

Progress• What are the dangers to progress?

�43

✓

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

Progress• What are the dangers to progress?• 2 scenarios:

�43

✓

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

Progress• What are the dangers to progress?• 2 scenarios:

• provider ready to synchronize, client not

�43

✓

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

Progress• What are the dangers to progress?• 2 scenarios:

• provider ready to synchronize, client not• client ready to synchronize, provider not

�43

✓

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

Progress• What are the dangers to progress?• 2 scenarios:

• provider ready to synchronize, client not• client ready to synchronize, provider not

�43

✓

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

Progress• What are the dangers to progress?• 2 scenarios:

• provider ready to synchronize, client not• client ready to synchronize, provider not

�43a b “a waits for b”

✓

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

Progress• What are the dangers to progress?• 2 scenarios:

• provider ready to synchronize, client not• client ready to synchronize, provider not

�43a b “a waits for b”

✓

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

Progress• What are the dangers to progress?• 2 scenarios:

• provider ready to synchronize, client not• client ready to synchronize, provider not

• green arrows can only go along edges, thus there are no cycles

�43a b “a waits for b”

✓

What about type safety?

Preservation (aka session fidelity)• no weakening and contraction: process graph forms a tree• every provider has a unique client

Progress• What are the dangers to progress?• 2 scenarios:

• provider ready to synchronize, client not• client ready to synchronize, provider not

• green arrows can only go along edges, thus there are no cycles

�43a b “a waits for b”

✓

✓

Of course!

�44

Of course!

�44

ConnectivesA,B , A⌦B channel output

A ( B channel input

�{l : A} internal choice

N{l : A} external choice

1 termination

!A persisten truth

Of course!

�44

ConnectivesA,B , A⌦B channel output

A ( B channel input

�{l : A} internal choice

N{l : A} external choice

1 termination

!A persisten truth

Of course!

�44

ConnectivesA,B , A⌦B channel output

A ( B channel input

�{l : A} internal choice

N{l : A} external choice

1 termination

!A persisten truth

Unrestricted proposition, can be used arbitrarily often

Of course!

�44

ConnectivesA,B , A⌦B channel output

A ( B channel input

�{l : A} internal choice

N{l : A} external choice

1 termination

!A persisten truth

Unrestricted proposition, can be used arbitrarily often

;� ` P :: (x : A)

Of course!

�44

ConnectivesA,B , A⌦B channel output

A ( B channel input

�{l : A} internal choice

N{l : A} external choice

1 termination

!A persisten truth

Unrestricted proposition, can be used arbitrarily often

;� ` P :: (x : A)

structural context (weakening and contraction)

Of course!

�45

What is the computational meaning of “of course”?

Of course!

�45

What is the computational meaning of “of course”?

PQ

Of course!

�45

What is the computational meaning of “of course”?

PQ copy

Of course!

�45

What is the computational meaning of “of course”?

PQ copy PQ

P’

Of course!

�45

What is the computational meaning of “of course”?

PQ copy PQ

P’

Copy: obtain linear copy from linear server process

Of course!

�45

What is the computational meaning of “of course”?

PQ copy PQ

P’

Copy: obtain linear copy from linear server process

Corresponds to replication in the pi-calculus

Of course!

�45

What is the computational meaning of “of course”?

PQ copy PQ

P’

Copy: obtain linear copy from linear server process

Corresponds to replication in the pi-calculus

For some applications, a copying semantics is sufficient. For other applications, sharing is necessary.

Manifest sharing

Manifest sharing - key ideas [Balzer & Pfenning 2017]

�47

Manifest sharing - key ideas [Balzer & Pfenning 2017]

Acquire-release • Multiple aliases (shared channels) to a process permitted, but

communication requires exclusive access.

�47

Manifest sharing - key ideas [Balzer & Pfenning 2017]

Acquire-release • Multiple aliases (shared channels) to a process permitted, but

communication requires exclusive access.

Manifestation in type structure • Enrich type structure with adjoint modalities to prescribe acquire and

release points.

�47

Manifest sharing - key ideas [Balzer & Pfenning 2017]

Acquire-release • Multiple aliases (shared channels) to a process permitted, but

communication requires exclusive access.

Manifestation in type structure • Enrich type structure with adjoint modalities to prescribe acquire and

release points.

Equi-synchronizing session type • Invariant guaranteeing that a process is released to the same type at

which it was previously acquired, should it be released at all. • Avoids run-time type checking upon acquire.

�47

Manifest sharing - key ideas [Balzer & Pfenning 2017]

Acquire-release • Multiple aliases (shared channels) to a process permitted, but

communication requires exclusive access.

Manifestation in type structure • Enrich type structure with adjoint modalities to prescribe acquire and

release points.

Equi-synchronizing session type • Invariant guaranteeing that a process is released to the same type at

which it was previously acquired, should it be released at all. • Avoids run-time type checking upon acquire.

�47

let’s look at each in turn

Programmatic working of acquire-release

�48

Programmatic working of acquire-release

�48

q1

q2

q

t2elem empty

a2

consumer:

producer:

c

p

Legend: x linear channel x y shared channel y

Programmatic working of acquire-release

�48

q1

q2

q

t2elem empty

a2

consumer:

producer:

c

p

Legend: x linear channel x y shared channel y

producer and consumer contend for access to queue

Programmatic working of acquire-release

�48

q1

q2

q

t2elem empty

a2

consumer:

producer:

c

p

Legend: x linear channel x y shared channel y

producer and consumer contend for access to queue

acq

Programmatic working of acquire-release

�49

q2

t2elem empty

a2

consumer:

producer:

c

p

Legend: x linear channel x y shared channel y

Programmatic working of acquire-release

�49

q1’

q2

q

t2elem empty

a2

consumer:

producer:

c

p

Legend: x linear channel x y shared channel y

Programmatic working of acquire-release

�49

q1’

q2

q

t2elem empty

a2

consumer:

producer:

c

p

Legend: x linear channel x y shared channel y

consumer has exclusive access to queue

Programmatic working of acquire-release

�49

q1’

q2

q

t2elem empty

a2

consumer:

producer:

c

p

Legend: x linear channel x y shared channel y

rel

consumer has exclusive access to queue

Programmatic working of acquire-release

�50

q2

t2elem empty

a2

consumer:

producer:

c

p

Legend: x linear channel x y shared channel y

Programmatic working of acquire-release

�50

q1

q2

q

t2elem empty

a2

consumer:

producer:

c

p

Legend: x linear channel x y shared channel y

Programmatic working of acquire-release

�50

q1

q2

q

t2elem empty

a2

consumer:

producer:

c

p

Legend: x linear channel x y shared channel y

Note: acquire and release messages by client have matching actions by provider

Programmatic working of acquire-release

�50

q1

q2

q

t2elem empty

a2

consumer:

producer:

c

p

Legend: x linear channel x y shared channel y

What should be the type of q?

Note: acquire and release messages by client have matching actions by provider

Manifestation of acquire-release in typing

�51

Manifestation of acquire-release in typing

�51

queue A = N{enq ∶ A� queue A,deq ∶ ⊕{none ∶ 1, some ∶ A⊗ queue A}}

Manifestation of acquire-release in typing

�52

queue A = N{enq ∶ A� queue A,deq ∶ ⊕{none ∶ queue A, some ∶ A⊗ queue A}}

Manifestation of acquire-release in typing

�53

queue A = N{enq ∶ A� queue A,deq ∶ ⊕{none ∶ queue A, some ∶ A⊗ queue A}}

Manifestation of acquire-release in typing

�53

acquire

queue A = N{enq ∶ A� queue A,deq ∶ ⊕{none ∶ queue A, some ∶ A⊗ queue A}}

Manifestation of acquire-release in typing

�53

acquire

queue A = N{enq ∶ A� queue A,deq ∶ ⊕{none ∶ queue A, some ∶ A⊗ queue A}}

release

release release

Manifestation of acquire-release in typing

�53

acquire

queue A = N{enq ∶ A� queue A,deq ∶ ⊕{none ∶ queue A, some ∶ A⊗ queue A}}

release

release release

Legend: process in linear phase process in shared phase

Adjoint stratification of session types1

�54

1 Generalization of [Benton 1994; Reed 2009; Pfenning and Griffith 2015]

Adjoint stratification of session types1

�54

stratify session types into a linear and shared layer, s.t. S > L

1 Generalization of [Benton 1994; Reed 2009; Pfenning and Griffith 2015]

Adjoint stratification of session types1

�54

stratify session types into a linear and shared layer, s.t. S > L

1 Generalization of [Benton 1994; Reed 2009; Pfenning and Griffith 2015]

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Adjoint stratification of session types1

�54

stratify session types into a linear and shared layer, s.t. S > L

1 Generalization of [Benton 1994; Reed 2009; Pfenning and Griffith 2015]

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

Adjoint stratification of session types1

�54

stratify session types into a linear and shared layer, s.t. S > L

1 Generalization of [Benton 1994; Reed 2009; Pfenning and Griffith 2015]

connect layers with modalities going back and forth

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

Adjoint stratification of session types1

�54

stratify session types into a linear and shared layer, s.t. S > L

1 Generalization of [Benton 1994; Reed 2009; Pfenning and Griffith 2015]

connect layers with modalities going back and forth

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

Adjoint stratification of session types1

�54

stratify session types into a linear and shared layer, s.t. S > L

1 Generalization of [Benton 1994; Reed 2009; Pfenning and Griffith 2015]

connect layers with modalities going back and forth

2 Based on [Cervesato et al. 2002; Watkins et al. 2001]

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

support of communication of shared channels, using for receive and for send2

⇧∃

Adjoint stratification of session types1

�54

stratify session types into a linear and shared layer, s.t. S > L

1 Generalization of [Benton 1994; Reed 2009; Pfenning and Griffith 2015]

connect layers with modalities going back and forth

2 Based on [Cervesato et al. 2002; Watkins et al. 2001]

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

support of communication of shared channels, using for receive and for send2

⇧∃

Adjoint stratification of session types1

�55

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

Shared queue

�56

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

Shared queue

�56

queue AS = ↑SL N{enq ∶ ⇧x∶AS. ↓SL queue AS,deq ∶ ⊕{none ∶ ↓SL queue AS, some ∶ ∃x∶AS. ↓SL queue AS}}

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

Shared queue

�56

queue AS = ↑SL N{enq ∶ ⇧x∶AS. ↓SL queue AS,deq ∶ ⊕{none ∶ ↓SL queue AS, some ∶ ∃x∶AS. ↓SL queue AS}}

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

Shared queue

�56

queue AS = ↑SL N{enq ∶ ⇧x∶AS. ↓SL queue AS,deq ∶ ⊕{none ∶ ↓SL queue AS, some ∶ ∃x∶AS. ↓SL queue AS}}

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

Shared queue

�56

queue AS = ↑SL N{enq ∶ ⇧x∶AS. ↓SL queue AS,deq ∶ ⊕{none ∶ ↓SL queue AS, some ∶ ∃x∶AS. ↓SL queue AS}}

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

Shared queue

�56

queue AS = ↑SL N{enq ∶ ⇧x∶AS. ↓SL queue AS,deq ∶ ⊕{none ∶ ↓SL queue AS, some ∶ ∃x∶AS. ↓SL queue AS}}

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

and prescribe acquire-release points, resp.↑SL ↓SL

Equi-synchronizing session type

�57

Equi-synchronizing session type

�57

Invariant guaranteeing that a process is released to the same type at which it was previously acquired, should it be released at all.

Equi-synchronizing session type

�57

Invariant guaranteeing that a process is released to the same type at which it was previously acquired, should it be released at all.

Guarantees session fidelity w/o run-time checking upon acquire

Equi-synchronizing session type

�57

queue AS = ↑SL N{enq ∶ ⇧x∶AS. ↓SL queue AS,deq ∶ ⊕{none ∶ ↓SL queue AS, some ∶ ∃x∶AS. ↓SL queue AS}}

Invariant guaranteeing that a process is released to the same type at which it was previously acquired, should it be released at all.

Examples of equi-synchronizing session types:

Guarantees session fidelity w/o run-time checking upon acquire

Equi-synchronizing session type

�57

queue AS = ↑SL N{enq ∶ ⇧x∶AS. ↓SL queue AS,deq ∶ ⊕{none ∶ ↓SL queue AS, some ∶ ∃x∶AS. ↓SL queue AS}}

Invariant guaranteeing that a process is released to the same type at which it was previously acquired, should it be released at all.

Examples of equi-synchronizing session types:

queue A = N{enq ∶ A� queue A,deq ∶ ⊕{none ∶ 1, some ∶ A⊗ queue A}}

Guarantees session fidelity w/o run-time checking upon acquire

Equi-synchronizing session type

�57

queue AS = ↑SL N{enq ∶ ⇧x∶AS. ↓SL queue AS,deq ∶ ⊕{none ∶ ↓SL queue AS, some ∶ ∃x∶AS. ↓SL queue AS}}

Invariant guaranteeing that a process is released to the same type at which it was previously acquired, should it be released at all.

Examples of equi-synchronizing session types:

queue A = N{enq ∶ A� queue A,deq ∶ ⊕{none ∶ 1, some ∶ A⊗ queue A}}

Guarantees session fidelity w/o run-time checking upon acquire

Non-equi-synchronizing:queue AS = ↑SL N{enq ∶ ⇧x∶AS. ↓SL queue AS,

deq ∶ ⊕{none ∶ ↓SL↑SL 1, some ∶ ∃x∶AS. ↓SL queue AS}}

Typing judgments

�58

Typing judgments

�58

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

Typing judgments

�58

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

�; � �⌃ P ∶∶ (xL ∶ AL) linear process P, providing session of type AL

along xL, using channels in Γ and Δ

� �⌃ P ∶∶ (xS ∶ AS) shared process P, providing session of type AS

along xS, using channels in Γ

� shared (structural) context

� linear context

Typing judgments

�58

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

�; � �⌃ P ∶∶ (xL ∶ AL) linear process P, providing session of type AL

along xL, using channels in Γ and Δ

� �⌃ P ∶∶ (xS ∶ AS) shared process P, providing session of type AS

along xS, using channels in Γ

� shared (structural) context

� linear context

Typing judgments

�58

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

�; � �⌃ P ∶∶ (xL ∶ AL) linear process P, providing session of type AL

along xL, using channels in Γ and Δ

� �⌃ P ∶∶ (xS ∶ AS) shared process P, providing session of type AS

along xS, using channels in Γ

� shared (structural) context

� linear context

Typing judgments

�59

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

�; � �⌃ P ∶∶ (xL ∶ AL) linear process P, providing session of type AL

along xL, using channels in Γ and Δ

� �⌃ P ∶∶ (xS ∶ AS) shared process P, providing session of type AS

along xS, using channels in Γ

� shared (structural) context

� linear context

Typing judgments

�60

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

�; � �⌃ P ∶∶ (xL ∶ AL) linear process P, providing session of type AL

along xL, using channels in Γ and Δ

� �⌃ P ∶∶ (xS ∶ AS) shared process P, providing session of type AS

along xS, using channels in Γ

� shared (structural) context

� linear context

Typing judgments

�61

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

+

-

�; � �⌃ P ∶∶ (xL ∶ AL) linear process P, providing session of type AL

along xL, using channels in Γ and Δ

� �⌃ P ∶∶ (xS ∶ AS) shared process P, providing session of type AS

along xS, using channels in Γ

� shared (structural) context

� linear context

Typing of acquire

�62

Typing of acquire

�62

�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)

Typing of acquire

�62

�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)

Typing of acquire

�62

�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)

�; ⋅ �⌃ PxL ∶∶ (xL ∶ AL)� �⌃ xL ← accept xS ;PxL ∶∶ (xS ∶↑SL AL) (T-↑SLR)

Typing of acquire

�62

�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)

�; ⋅ �⌃ PxL ∶∶ (xL ∶ AL)� �⌃ xL ← accept xS ;PxL ∶∶ (xS ∶↑SL AL) (T-↑SLR)

Typing of release

�63

Typing of release

�63

�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)

Typing of release

�63

�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)

Typing of release

�63

�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)

� �⌃ PxS ∶∶ (xS ∶ AS)�; ⋅ �⌃ xS ← detach xL ;PxS ∶∶ (xL ∶↓SL AS) (T-↓SLR)

Typing of release

�63

�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)

� �⌃ PxS ∶∶ (xS ∶ AS)�; ⋅ �⌃ xS ← detach xL ;PxS ∶∶ (xL ∶↓SL AS) (T-↓SLR)

Let’s program in Concurrent C0!

�64

What about type safety?

�65

What about type safety?

Preservation (aka session fidelity)

�65

What about type safety?

Preservation (aka session fidelity)• acquire-release and equi-synchronizing invariant guarantee that every

linear process has a unique client

�65

What about type safety?

Preservation (aka session fidelity)• acquire-release and equi-synchronizing invariant guarantee that every

linear process has a unique client• state-altering exchange only along linear channels

�65

What about type safety?

Preservation (aka session fidelity)• acquire-release and equi-synchronizing invariant guarantee that every

linear process has a unique client• state-altering exchange only along linear channels

�65

✓

What about type safety?

Preservation (aka session fidelity)• acquire-release and equi-synchronizing invariant guarantee that every

linear process has a unique client• state-altering exchange only along linear channels

Progress

�65

✓

What about type safety?

Preservation (aka session fidelity)• acquire-release and equi-synchronizing invariant guarantee that every

linear process has a unique client• state-altering exchange only along linear channels

Progress• acquire-release amounts to “locking”

�65

✓

What about type safety?

Preservation (aka session fidelity)• acquire-release and equi-synchronizing invariant guarantee that every

linear process has a unique client• state-altering exchange only along linear channels

Progress• acquire-release amounts to “locking”• possibility of cyclic dependencies

�65

✓

What about type safety?

Preservation (aka session fidelity)• acquire-release and equi-synchronizing invariant guarantee that every

linear process has a unique client• state-altering exchange only along linear channels

Progress• acquire-release amounts to “locking”• possibility of cyclic dependencies

�65

R2

R1 R3

✓

What about type safety?

Preservation (aka session fidelity)• acquire-release and equi-synchronizing invariant guarantee that every

linear process has a unique client• state-altering exchange only along linear channels

Progress• acquire-release amounts to “locking”• possibility of cyclic dependencies

�65

R2

R1 R3

a b “a waits for b to release resource”

✓

What about type safety?

Preservation (aka session fidelity)• acquire-release and equi-synchronizing invariant guarantee that every

linear process has a unique client• state-altering exchange only along linear channels

Progress• acquire-release amounts to “locking”• possibility of cyclic dependencies

�65

R2

R1 R3

a b “a waits for b to release resource”

✓

What about type safety?

Preservation (aka session fidelity)• acquire-release and equi-synchronizing invariant guarantee that every

linear process has a unique client• state-altering exchange only along linear channels

Progress• acquire-release amounts to “locking”• possibility of cyclic dependencies

�65

R2

R1 R3

a b “a waits for b to release resource”

✓

progress must permit deadlock

Progress must permit deadlock

�66

Progress must permit deadlock

�66

For example, dining philosophers: 😋

😋 😋

😋 😋

🍴

🍴

🍴

🍴

🍴

🎂

Progress must permit deadlock

�66

For example, dining philosophers:

sfork = ↑SL↓SL sfork😋

😋 😋

😋 😋

🍴

🍴

🍴

🍴

🍴

🎂sfork

sfork

sfork sfork

sfork

Progress must permit deadlock

�66

For example, dining philosophers:

sfork = ↑SL↓SL sfork😋

😋 😋

😋 😋

🍴

🍴

🍴

🍴

🍴

🎂sfork

sfork

sfork sfork

sforkBoth potentially deadlocking and non-deadlocking version (Dijkstra’s solution) encodable in SILLS

Progress must permit deadlock

�66

For example, dining philosophers:

sfork = ↑SL↓SL sfork😋

😋 😋

😋 😋

🍴

🍴

🍴

🍴

🍴

🎂sfork

sfork

sfork sfork

sforkBoth potentially deadlocking and non-deadlocking version (Dijkstra’s solution) encodable in SILLS

Progress theorem:

blocked process: linear process attempting to acquire

configuration is stuck only if all processes are blocked

Curry-Howard isomorphism revisited

�67

Curry-Howard isomorphism revisited

Linear session types w/o manifest sharing: • linear propositions — session types • proofs — processes • cut reduction — communication

�67

Curry-Howard isomorphism revisited

Linear session types w/o manifest sharing: • linear propositions — session types • proofs — processes • cut reduction — communication

�67

Session types with manifest sharing: • linear propositions — session types • proofs — processes • interleaving of:

• proof construction —acquire • proof reduction — communication • proof deconstruction — release

Curry-Howard isomorphism revisited

Linear session types w/o manifest sharing: • linear propositions — session types • proofs — processes • cut reduction — communication

�67

deadlock: failure of proof construction

Session types with manifest sharing: • linear propositions — session types • proofs — processes • interleaving of:

• proof construction —acquire • proof reduction — communication • proof deconstruction — release

Recovering expressiveness of pi-calculus for session-typed concurrency

Expressiveness of linear session types

�69

Expressiveness of linear session types

• In the simply-typed λ-calculus, the addition of a recursive type recovers full expressiveness of the untyped λ-calculus.

�69

U = U ! U

Expressiveness of linear session types

• In the simply-typed λ-calculus, the addition of a recursive type recovers full expressiveness of the untyped λ-calculus.

• Unfortunately, recursion alone is insufficient to recover the expressiveness of the untyped π-calculus for linear session-typed π-calculus.

�69

U = U ! U

Expressiveness of linear session types

• In the simply-typed λ-calculus, the addition of a recursive type recovers full expressiveness of the untyped λ-calculus.

• Unfortunately, recursion alone is insufficient to recover the expressiveness of the untyped π-calculus for linear session-typed π-calculus.

�69

U = U ! U

both recursion and sharing are necessary [Balzer & Pfenning & Toninho 2018]

Expressiveness of linear session types

• In the simply-typed λ-calculus, the addition of a recursive type recovers full expressiveness of the untyped λ-calculus.

• Unfortunately, recursion alone is insufficient to recover the expressiveness of the untyped π-calculus for linear session-typed π-calculus.

�69

U = U ! U

both recursion and sharing are necessary [Balzer & Pfenning & Toninho 2018]

key: sharing of channels and acquire-release discipline

Expressiveness of linear session types

• In the simply-typed λ-calculus, the addition of a recursive type recovers full expressiveness of the untyped λ-calculus.

• Unfortunately, recursion alone is insufficient to recover the expressiveness of the untyped π-calculus for linear session-typed π-calculus.

�69

U = U ! U

both recursion and sharing are necessary [Balzer & Pfenning & Toninho 2018]

key: sharing of channels and acquire-release discipline

encoding of untyped asynchronous π-calculus into SILLS and proof of its operational and observational correspondence

Acquire-release introduces non-determinism

�70

Acquire-release introduces non-determinism

�70

coin = ↑SL ⊕{head ∶↓SL coin, tail ∶↓SL coin}}

Acquire-release introduces non-determinism

�70

coin = ↑SL ⊕{head ∶↓SL coin, tail ∶↓SL coin}}Processes:head: coin sends “head” and recurs as tail processtail: coin sends “tail” and recurs as head process

ndchoice: spawns new coin and flipper processes and then reads (“flips”) the coin and terminates

⊕{yes ∶ 1,no ∶ 1}filpper: reads (“flips”) given coin once and terminates 1← coin

Acquire-release introduces non-determinism

�70

coin = ↑SL ⊕{head ∶↓SL coin, tail ∶↓SL coin}}Processes:head: coin sends “head” and recurs as tail processtail: coin sends “tail” and recurs as head process

ndchoice: spawns new coin and flipper processes and then reads (“flips”) the coin and terminates

⊕{yes ∶ 1,no ∶ 1}filpper: reads (“flips”) given coin once and terminates 1← coin

coin flipping requires prior acquire

Acquire-release introduces non-determinism

�70

coin = ↑SL ⊕{head ∶↓SL coin, tail ∶↓SL coin}}Processes:head: coin sends “head” and recurs as tail processtail: coin sends “tail” and recurs as head process

ndchoice: spawns new coin and flipper processes and then reads (“flips”) the coin and terminates

⊕{yes ∶ 1,no ∶ 1}filpper: reads (“flips”) given coin once and terminates 1← coin

coin flipping requires prior acquire

value read by ndchoice depends on order of two acquires

Untyped, asynchronous π-calculus encoding

�71

Untyped, asynchronous π-calculus encoding

Characteristics of untyped, asynchronous π-calculus: • Arity: a π-calculus channel may connect arbitrarily many processes • Non-determinsm: e.g., • Untyped: π-calculus channels are untyped

�71

c(x ).P | chai | c(y).Q

Untyped, asynchronous π-calculus encoding

Characteristics of untyped, asynchronous π-calculus: • Arity: a π-calculus channel may connect arbitrarily many processes • Non-determinsm: e.g., • Untyped: π-calculus channels are untyped

�71

1

US

Basic idea: • π-calculus process → linear SILLS process of type • π-calculus channel → shared SILLS process of universal type

c(x ).P | chai | c(y).Q

Untyped, asynchronous π-calculus encoding

Characteristics of untyped, asynchronous π-calculus: • Arity: a π-calculus channel may connect arbitrarily many processes • Non-determinsm: e.g., • Untyped: π-calculus channels are untyped

�71

1

US

US = ↑SL N{ins ∶ ⇧x∶US. ↓SL US,del ∶ ⊕{none ∶↓SL US,

some ∶ ∃x∶US. ↓SL US}}

Basic idea: • π-calculus process → linear SILLS process of type • π-calculus channel → shared SILLS process of universal type

c(x ).P | chai | c(y).Q

Untyped, asynchronous π-calculus encoding

Characteristics of untyped, asynchronous π-calculus: • Arity: a π-calculus channel may connect arbitrarily many processes • Non-determinsm: e.g., • Untyped: π-calculus channels are untyped

�71

1

US

US = ↑SL N{ins ∶ ⇧x∶US. ↓SL US,del ∶ ⊕{none ∶↓SL US,

some ∶ ∃x∶US. ↓SL US}}unordered “buffer”

Basic idea: • π-calculus process → linear SILLS process of type • π-calculus channel → shared SILLS process of universal type

c(x ).P | chai | c(y).Q

Untyped, asynchronous π-calculus encoding

�72

US = ↑SL N{ins ∶ ⇧x∶US. ↓SL US,del ∶ ⊕{none ∶↓SL US,

some ∶ ∃x∶US. ↓SL US}}

Untyped, asynchronous π-calculus encoding

�72

US = ↑SL N{ins ∶ ⇧x∶US. ↓SL US,del ∶ ⊕{none ∶↓SL US,

some ∶ ∃x∶US. ↓SL US}}Processes:empty: empty bufferUS

elem: non-deterministically deletes channel from arbitrary point in buffer using ndchoice

US

send: attempts to acquire given buffer and inserts received channel

⇧x∶US.1← US

poll_receive: perpetually attempts to acquire given buffer for deletion until it succeeds

∃x∶US.1← US

Untyped, asynchronous π-calculus encoding

�72

US = ↑SL N{ins ∶ ⇧x∶US. ↓SL US,del ∶ ⊕{none ∶↓SL US,

some ∶ ∃x∶US. ↓SL US}}Processes:empty: empty bufferUS

elem: non-deterministically deletes channel from arbitrary point in buffer using ndchoice

US

send: attempts to acquire given buffer and inserts received channel

⇧x∶US.1← US

poll_receive: perpetually attempts to acquire given buffer for deletion until it succeeds

∃x∶US.1← US

P � 0 � x�y� � x(y).P � ⌫xP � P1 � P2 � !P

Untyped, asynchronous π-calculus:

Untyped, asynchronous π-calculus encoding

�72

US = ↑SL N{ins ∶ ⇧x∶US. ↓SL US,del ∶ ⊕{none ∶↓SL US,

some ∶ ∃x∶US. ↓SL US}}Processes:empty: empty bufferUS

elem: non-deterministically deletes channel from arbitrary point in buffer using ndchoice

US

send: attempts to acquire given buffer and inserts received channel

⇧x∶US.1← US

poll_receive: perpetually attempts to acquire given buffer for deletion until it succeeds

∃x∶US.1← US

P � 0 � x�y� � x(y).P � ⌫xP � P1 � P2 � !P

translate P in terms of processes

Untyped, asynchronous π-calculus:

Ongoing and future work

Deadlock-freedom [Balzer et al. 2019]

�74

Deadlock-freedom [Balzer et al. 2019]

Two forms of waiting: • waiting to synchronize: • waiting to release:

�74

Deadlock-freedom [Balzer et al. 2019]

Two forms of waiting: • waiting to synchronize: • waiting to release:

�74

a b “a waits for b to synchronize”

Deadlock-freedom [Balzer et al. 2019]

Two forms of waiting: • waiting to synchronize: • waiting to release:

�74

a b “a waits for b to release resource”a b “a waits for b to synchronize”

Deadlock-freedom [Balzer et al. 2019]

Two forms of waiting: • waiting to synchronize: • waiting to release:

�74

a b “a waits for b to release resource”a b “a waits for b to synchronize”

R2

R1 R3

Deadlock-freedom [Balzer et al. 2019]

Two forms of waiting: • waiting to synchronize: • waiting to release:

�74

a b “a waits for b to release resource”a b “a waits for b to synchronize”

R2

R1 R3 R1

Deadlock-freedom [Balzer et al. 2019]

Two forms of waiting: • waiting to synchronize: • waiting to release:

�74

a b “a waits for b to release resource”a b “a waits for b to synchronize”

R2

R1 R3 R1

plain “locking-up” is no longer sufficient

Deadlock-freedom [Balzer et al. 2019]

Two forms of waiting: • waiting to synchronize: • waiting to release:

�74

a b “a waits for b to release resource”a b “a waits for b to synchronize”

R2

R1 R3 R1

plain “locking-up” is no longer sufficient

see “manifest deadlock-freedom” [Balzer et al. 2019]

Session types for Rust (with Mozilla Research)

• Development of a library for Manifest Sharing in Rust • Explore application to Servo

�75

Digital contracts (with Das & Hoffmann & Pfenning)

• Development of Nomos, a new digital contract language • Static guarantees:

• protocol enforcement (shared session types) • control over resource usage (resource analysis) • tracking of assets (linear type system)

�76

Summary

• Message-passing concurrent programming • Session types are a natural fit for typing such programs • Session types have logical foundation via Curry-Howard

correspondence • linear session types • shared session types

• Manifest sharing recovers the expressiveness of the untyped asynchronous pi-calculus

�77

Summary

• Message-passing concurrent programming • Session types are a natural fit for typing such programs • Session types have logical foundation via Curry-Howard

correspondence • linear session types • shared session types

• Manifest sharing recovers the expressiveness of the untyped asynchronous pi-calculus

�77

Thank you for your attention!