Chaperone Contracts for Higher-Order Sessions Hernn Melgratti, - - PowerPoint PPT Presentation

Chaperone Contracts for Higher-Order Sessions

Hernán Melgratti, Buenos Aires, Argentina Luca Padovani, Torino, Italy

Dagstuhl Seminar 17051, 2017

A simple FuSe program

let server ep = let p, ep = receive ep in let root = ... in let ep = send root ep in close ep let math_service = register server

A simple FuSe program

let server ep = let p, ep = receive ep in let root = ... in let ep = send root ep in close ep let math_service = register server let user () = let ep = connect math_service in let ep = send (from_list [2.0; -3.0; 1.0]) ep in let _, ep = receive ep in close ep

A simple FuSe program + Contracts

let server ep = let p, ep = receive ep in let root = ... in let ep = send root ep in close ep let math_service = register server contract "Server" let user () = let ep = connect math_service "Client" in let ep = send (from_list [2.0; -3.0; 1.0]) ep in let _, ep = receive ep in close ep

Contracts

◮ A contract is a term that describes exchanged messages and

their relationships. flat_c : (t → bool) → [t] t :: ω end_c : [end] send_c : [t] → [T] → [!t.T] receive_c : [t] → [T] → [?t.T] send_d : [t] → (t → [T]) → [!t.T] t :: ω receive_d : [t] → (t → [T]) → [?t.T] t :: ω

Contracts

let contract = send_c (flat_c (fun p → degree p == 1)) @@ ... (* contract for the continuation *)

Contracts

let contract = send_c (flat_c (fun p → degree p == 1)) @@ any_c (* contract for the continuation *)

Contracts

let contract = send_d (flat_c (fun p → degree p == 1)) @@ fun p → receive_c (flat_c (root_of p)) @@ end_c

Contracts and the structure of the session

choice_c : [bool] → [T] → [S] → [T ⊕S] branch_c : [bool] → [T] → [S] → [T&S]

Contracts and the structure of the session

ep : !poly.rec A.(?float.A & end)

Contracts and the structure of the session

ep : !poly.rec A.(?float.A & end) let contract = send_d (flat_c (fun p → degree p > 0)) @@ fun p → let rec missing_roots n = if n > 0 then branch_c any_c (receive_c (flat_c (root_of p)) @@ missing_roots (n - 1)) end_c else branch_c (flat_c not) any_c end_c in missing_roots (degree p)

First order

Source User Operator x[v1, v2] y[w] y[v1, v2]

x : ?int.?int.end y : !int.!int.?int.end

First order

Source User Operator x[v1, v2] y[w] y[v1, v2]

x : ?int.?int.end y : !int.!int.?int.end src_c = any_c

• p_c = send_c any_c @@

send_c (flat_c ( = 0)) @@ receive_c (flat_c ( ≥ 0)) @@ end_c

Second order

Source User Operator x x[v1, v2] y[w] y[x]

x : ?int.?int.end y :!(?int.?int.end).?int.end

Second order

Source User Operator x x[v1, v2] y[w] y[x]

x : ?int.?int.end y :!(?int.?int.end).?int.end src_c = any_c

• p_c = send_c d_c @@

receive_c (flat_c ( ≥ 0)) @@ end_c d_c = receive_c any_c @@ receive_c (flat_c ( = 0)) @@ end_c

Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]

   E[connect a p] a ⇐c

q v

    → (νs)    E[[s+]c,q,p] (v [s-]dual c,p,q)     | a ⇐c

q v

s fresh

Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]

   E[connect a p] a ⇐c

q v

    → (νs)    E[[s+]c,q,p] (v [s-]dual c,p,q)     | a ⇐c

q v

s fresh    E[send v [aι]!c;d,σ] E′[receive [aι]?e;f,̺]     →    E[[aι]d,σ] E′[([[v]c,¬σ]e,̺,[aι]f,̺)]    

Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]

   E[connect a p] a ⇐c

q v

    → (νs)    E[[s+]c,q,p] (v [s-]dual c,p,q)     | a ⇐c

q v

s fresh    E[send v [aι]!c;d,σ] E′[receive [aι]?e;f,̺]     →    E[[aι]d,σ] E′[([[v]c,¬σ]e,̺,[aι]f,̺)]     [v]flat_c w,p,q → v ⊳p wv

Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]

   E[connect a p] a ⇐c

q v

    → (νs)    E[[s+]c,q,p] (v [s-]dual c,p,q)     | a ⇐c

q v

s fresh    E[send v [aι]!c;d,σ] E′[receive [aι]?e;f,̺]     →    E[[aι]d,σ] E′[([[v]c,¬σ]e,̺,[aι]f,̺)]     [v]flat_c w,p,q → v ⊳p wv v ⊳p true → v v ⊳p false → blame p

Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]

     E[send v [aι]!c;d,σ] E′[receive [aι]?e;f,̺]      →      E[[aι]d,σ] E′[([[v]c,¬σ]e,̺,[aι]f,̺)]     

Locally correctness & blame safety

◮ p is locally correct in P if

◮ P = Pp[send v [_]!flat_c w;_,_,_] implies v ∈ w, and ◮ P = Pp[send [ε]c,_,_ [_]!d;_,_,_] implies c d, and ... ◮ P → Q implies p is locally correct in Q

Locally correctness & blame safety

◮ p is locally correct in P if

◮ P = Pp[send v [_]!flat_c w;_,_,_] implies v ∈ w, and ◮ P = Pp[send [ε]c,_,_ [_]!d;_,_,_] implies c d, and ... ◮ P → Q implies p is locally correct in Q

◮ Useful invariant: If P →∗ Pp[send v [_]c,_,q], then q = p

Locally correctness & blame safety

◮ p is locally correct in P if

◮ P = Pp[send v [_]!flat_c w;_,_,_] implies v ∈ w, and ◮ P = Pp[send [ε]c,_,_ [_]!d;_,_,_] implies c d, and ... ◮ P → Q implies p is locally correct in Q

◮ Useful invariant: If P →∗ Pp[send v [_]c,_,q], then q = p ◮ Blame safety: p is locally correct in P, then P →∗ Q implies

blame p ⊂ Q.

Final remarks

◮ The language is implemented on top of FuSe

◮ It avoids double checking of contracts ◮ It relies on a small-step semantics for unwinding monitors ◮ Monitors are communicated only when delegating

◮ Communication is restricted to unlimited values and

delegation