Typing Copyless Message Passing Viviana Bono Chiara Messa Luca - - PowerPoint PPT Presentation

Typing Copyless Message Passing

Viviana Bono Chiara Messa Luca Padovani

Dipartimento di Informatica, Universit` a di Torino

BTW 2011

Typing Copyless Message Passing (V. Bono) BTW 2011 1 / 25

Singularity OS: architecture

msg queue Exchange heap (µ) Processes (SIPs)

Typing Copyless Message Passing (V. Bono) BTW 2011 2 / 25

Sing# examples

void CLIENT() { (e, f) = open(); spawn { SERVER(f) } send(e, v1); send(e, v2); res = receive(e); close(e); } void SERVER(f) { a1 = receive(f); a2 = receive(f); ... send(f, OP(a1, a2)); close(f); }

Typing Copyless Message Passing (V. Bono) BTW 2011 3 / 25

Safety properties

1 no communication errors 2 no memory faults 3 no memory leaks 4 process isolation guaranteed by ownership

Typing Copyless Message Passing (V. Bono) BTW 2011 4 / 25

Contracts

contract OP_Service { initial state START { Arg! → WAIT_ARG_2 } state WAIT_ARG_2 { Arg! → WAIT_RES } state WAIT_RES { Res? → END } final state END { } } + recursion + branching

Typing Copyless Message Passing (V. Bono) BTW 2011 5 / 25

Exposing structures

expose (a) { send(*a, b); } expose (b) { send(a, *b); *b = new T(); } + records with named fields (not in the paper)

Typing Copyless Message Passing (V. Bono) BTW 2011 6 / 25

Enforcing safety properties

1 no communication errors 2 no memory faults 3 no memory leaks 4 process isolation guaranteed by ownership

LINEAR TYPE SYSTEM!

• too restrictive in some cases
• too permissive in others

Typing Copyless Message Passing (V. Bono) BTW 2011 7 / 25

Linearity is too restrictive

void CLIENT() { (e, f) = open(); spawn { SERVER(f) } send(e, v1); send(e, v2); res = receive(e); close(e); } expose (a) { send(a, *b); *b = new T(); }

• Typing Copyless Message Passing (V. Bono)

BTW 2011 8 / 25

Linearity is too permissive

void foo() { (e, f) = open(); send(e, f); close(e); }

Typing Copyless Message Passing (V. Bono) BTW 2011 9 / 25

Linearity is too permissive

void foo() { (e, f) = open(); send(e, f); close(e); } e f

Typing Copyless Message Passing (V. Bono) BTW 2011 9 / 25

Linearity is too permissive

void foo() { (e, f) = open(); send(e, f); close(e); } e f

Typing Copyless Message Passing (V. Bono) BTW 2011 9 / 25

Linearity is too permissive

void foo() { (e, f) = open(); send(e, f); close(e); } f

Typing Copyless Message Passing (V. Bono) BTW 2011 9 / 25

Modeling processes

void CLIENT() { (e, f) = open(); spawn { SERVER(f) } send(e, v1); send(e, v2); res = receive(e); close(e); }

• pen(e, f).(SERVER |

e!v1. e!v2. e?(res). free(e). )

• channel = peer endpoints
• explicit channel closure

Typing Copyless Message Passing (V. Bono) BTW 2011 10 / 25

Modeling exposures

expose (a) { send(*a, b); } expose(a, x). x!b. unexpose(a, x). . . . expose (b) { send(a, *b); *b = new T(); } expose(b, x). a!x. cell(c). unexpose(b, c). . . .

• expose/unexpose ∼ dereferentiation/assignment
• with type effects

Typing Copyless Message Passing (V. Bono) BTW 2011 11 / 25

Modeling contracts

contract OP_Service { initial state START { Arg! → WAIT_ARG_2 } state WAIT_ARG_2 { Arg! → WAIT_RES } state WAIT_RES { Res? → END } final state END { } } Client/Import Service/Export !Arg.!Arg.?Res.end ?Arg.?Arg.!Res.end

Typing Copyless Message Passing (V. Bono) BTW 2011 12 / 25

Types and endpoint types

t ::= Type ∗t (cell type) | ∗• (exposed cell type) | T (endpoint type) T ::= Endpoint Type end (termination) | X (variable) | !t.T (output) | ?t.T (input) | rec X.T (recursive type)

Typing Copyless Message Passing (V. Bono) BTW 2011 13 / 25

Typing message passing

(T-Open)

∆, a : T, b : T ⊢ P ∆ ⊢ open(a, b).P

(T-Send)

∆, u : T ⊢ P ∆, u : !t.T, v : t ⊢ u!v.P

(T-Receive)

∆, u : T, x : t ⊢ P ∆, u : ?t.T ⊢ u?(x).P

Typing Copyless Message Passing (V. Bono) BTW 2011 14 / 25

Typing exposures

(T-Expose)

∆, u : ∗•, x : t ⊢ P ∆, u : ∗t ⊢ expose(u, x).P

(T-Unexpose)

∆, u : ∗t ⊢ P ∆, u : ∗•, v : t ⊢ unexpose(u, v).P

Typing Copyless Message Passing (V. Bono) BTW 2011 15 / 25

Typing exposures: example

expose(a, x). x!b. unexpose(a, x). . . .

Typing Copyless Message Passing (V. Bono) BTW 2011 16 / 25

Typing exposures: example

{a : ∗(!s.T), b : s} ⊢ expose(a, x). x!b. unexpose(a, x). . . .

Typing Copyless Message Passing (V. Bono) BTW 2011 16 / 25

Typing exposures: example

{a : ∗(!s.T), b : s} ⊢ expose(a, x). {a : ∗•, x :!s.T, b : s} ⊢ x!b. unexpose(a, x). . . .

Typing Copyless Message Passing (V. Bono) BTW 2011 16 / 25

Typing exposures: example

{a : ∗(!s.T), b : s} ⊢ expose(a, x). {a : ∗•, x :!s.T, b : s} ⊢ x!b. {a : ∗•, x : T} ⊢ unexpose(a, x). . . .

Typing Copyless Message Passing (V. Bono) BTW 2011 16 / 25

Typing exposures: example

{a : ∗(!s.T), b : s} ⊢ expose(a, x). {a : ∗•, x :!s.T, b : s} ⊢ x!b. {a : ∗•, x : T} ⊢ unexpose(a, x). {a : ∗T} ⊢ . . .

Typing Copyless Message Passing (V. Bono) BTW 2011 16 / 25

Typable leak

void foo() { (e, f) = open(); send(e, f); close(e); }

• pen(e, f).

e!f. free(e). T = !T.end T = rec X.?X.end

Typing Copyless Message Passing (V. Bono) BTW 2011 17 / 25

Typable leak

void foo() { (e, f) = open(); send(e, f); close(e); } {} ⊢ open(e, f). e!f. free(e). T = !T.end T = rec X.?X.end

Typing Copyless Message Passing (V. Bono) BTW 2011 17 / 25

Typable leak

void foo() { (e, f) = open(); send(e, f); close(e); } {} ⊢ open(e, f). {e : T, f : T} ⊢ e!f. free(e). T = !T.end T = rec X.?X.end

Typing Copyless Message Passing (V. Bono) BTW 2011 17 / 25

Typable leak

void foo() { (e, f) = open(); send(e, f); close(e); } {} ⊢ open(e, f). {e : T, f : T} ⊢ e!f. {e : end} ⊢ free(e). T = !T.end T = rec X.?X.end

Typing Copyless Message Passing (V. Bono) BTW 2011 17 / 25

Typable leak

void foo() { (e, f) = open(); send(e, f); close(e); } {} ⊢ open(e, f). {e : T, f : T} ⊢ e!f. {e : end} ⊢ free(e). {} ⊢ 0 T = !T.end T = rec X.?X.end

Typing Copyless Message Passing (V. Bono) BTW 2011 17 / 25

Understanding the problem

“Improper” recursion? T = !T.end T = rec X.?X.end No, the following endpoint types are safe S = rec X.!X.end S = ?S.end It’s a matter of “ownership”

Typing Copyless Message Passing (V. Bono) BTW 2011 18 / 25

Understanding the problem

“Improper” recursion? T = !T.end T = rec X.?X.end No, the following endpoint types are safe S = rec X.!X.end S = ?S.end It’s a matter of “ownership”

Typing Copyless Message Passing (V. Bono) BTW 2011 18 / 25

Understanding the problem

“Improper” recursion? T = !T.end T = rec X.?X.end No, the following endpoint types are safe S = rec X.!X.end S = ?S.end It’s a matter of “ownership”

Typing Copyless Message Passing (V. Bono) BTW 2011 18 / 25

Type weight

In summary

• “receive state” = “has type ?T.S”
• only endpoints in “receive state” can have a non-empty queue

Solution

• T = “depth of the queue of an endpoint with type T”
• only endpoint types with finite weight are admitted

T = !T.end T = rec X.?X.end T = T = ∞ S = rec X.!X.end S = ?S.end S = S = 1

Typing Copyless Message Passing (V. Bono) BTW 2011 19 / 25

Type weight

In summary

• “receive state” = “has type ?T.S”
• only endpoints in “receive state” can have a non-empty queue

Solution

• T = “depth of the queue of an endpoint with type T”
• only endpoint types with finite weight are admitted

T = !T.end T = rec X.?X.end T = T = ∞ S = rec X.!X.end S = ?S.end S = S = 1

Typing Copyless Message Passing (V. Bono) BTW 2011 19 / 25

Type weight

In summary

• “receive state” = “has type ?T.S”
• only endpoints in “receive state” can have a non-empty queue

Solution

• T = “depth of the queue of an endpoint with type T”
• only endpoint types with finite weight are admitted

T = !T.end T = rec X.?X.end T = T = ∞ S = rec X.!X.end S = ?S.end S = S = 1

Typing Copyless Message Passing (V. Bono) BTW 2011 19 / 25

On weights and reachability

Proposition

If a : T, b : S and b ∈ reach(a, µ), then S < T. Finite weight = bounded queue T = rec X.?int.X T = 1 Finite weight = acyclic heap ∗(?∗•.end)

Typing Copyless Message Passing (V. Bono) BTW 2011 20 / 25

Well-behaved processes

P is well behaved if (∅; P) ⇒ (µ; Q) implies:

1 fn(Q) ⊆ dom(µ) 2 dom(µ) ⊆ reach(fn(Q), µ) 3 Q ≡ P1 | P2 implies reach(fn(P1), µ) ∩ reach(fn(P2), µ) = ∅ 4 Q ≡ P1 | P2 and (µ; P1) → where P1 does not have unguarded

parallel compositions imply either

• P1 = 0, or
• P1 = a?(x).P where the queue of a is empty

Typing Copyless Message Passing (V. Bono) BTW 2011 21 / 25

Well-behaved processes

P is well behaved if (∅; P) ⇒ (µ; Q) implies:

1 fn(Q) ⊆ dom(µ) 2 dom(µ) ⊆ reach(fn(Q), µ) 3 Q ≡ P1 | P2 implies reach(fn(P1), µ) ∩ reach(fn(P2), µ) = ∅ 4 Q ≡ P1 | P2 and (µ; P1) → where P1 does not have unguarded

parallel compositions imply either

• P1 = 0, or
• P1 = a?(x).P where the queue of a is empty

Typing Copyless Message Passing (V. Bono) BTW 2011 21 / 25

Well-behaved processes

P is well behaved if (∅; P) ⇒ (µ; Q) implies:

1 fn(Q) ⊆ dom(µ) 2 dom(µ) ⊆ reach(fn(Q), µ) 3 Q ≡ P1 | P2 implies reach(fn(P1), µ) ∩ reach(fn(P2), µ) = ∅ 4 Q ≡ P1 | P2 and (µ; P1) → where P1 does not have unguarded

parallel compositions imply either

• P1 = 0, or
• P1 = a?(x).P where the queue of a is empty

Typing Copyless Message Passing (V. Bono) BTW 2011 21 / 25

Well-behaved processes

P is well behaved if (∅; P) ⇒ (µ; Q) implies:

1 fn(Q) ⊆ dom(µ) 2 dom(µ) ⊆ reach(fn(Q), µ) 3 Q ≡ P1 | P2 implies reach(fn(P1), µ) ∩ reach(fn(P2), µ) = ∅

Q ≡ P1 | P2 implies fn(P1) ∩ fn(P2) = ∅

4 Q ≡ P1 | P2 and (µ; P1) → where P1 does not have unguarded

parallel compositions imply either

• P1 = 0, or
• P1 = a?(x).P where the queue of a is empty

Typing Copyless Message Passing (V. Bono) BTW 2011 21 / 25

Well-behaved processes

P is well behaved if (∅; P) ⇒ (µ; Q) implies:

1 fn(Q) ⊆ dom(µ) 2 dom(µ) ⊆ reach(fn(Q), µ) 3 Q ≡ P1 | P2 implies reach(fn(P1), µ) ∩ reach(fn(P2), µ) = ∅

Q ≡ P1 | P2 implies fn(P1) ∩ fn(P2) = ∅

4 Q ≡ P1 | P2 and (µ; P1) → where P1 does not have unguarded

parallel compositions imply either

• P1 = 0, or
• P1 = a?(x).P where the queue of a is empty

Typing Copyless Message Passing (V. Bono) BTW 2011 21 / 25

Results

Theorem (Subject reduction)

If ∆ ⊢ P and (µ; P) → (µ′; P′), then ∆′ ⊢ P′ for some ∆′.

Theorem (Soundness)

If ⊢ P, then P is well behaved.

Typing Copyless Message Passing (V. Bono) BTW 2011 22 / 25

Concluding remarks [BMP@ESOP2011]

Formalization of Sing#

• contracts ⇒ endpoint types (= session types)
• expose ⇒ opaque references ∗• (= simple behavioral types)

Sing# restrictions

• Sing# too forbids sending endpoints in “receive state”. . .
• . . . for implementative reasons
• Sing# is leak-free, incidentally?

Typing Copyless Message Passing (V. Bono) BTW 2011 23 / 25

A new extension: polymorphic endpoint types

Modeling parametric contracts !α(α).?(α).end

• But. . .

⊢ open(e, f).e!f.free(e).0 e : !α(α).end f : ?α(α).end Idea: bounded polymorphism

• !α T(α).end

(T has ∞ weight)

• T S implies T ≤ S

Typing Copyless Message Passing (V. Bono) BTW 2011 24 / 25

A new extension: polymorphic endpoint types

Modeling parametric contracts !α(α).?(α).end

• But. . .

⊢ open(e, f).e!f.free(e).0 e : !α(α).end f : ?α(α).end Idea: bounded polymorphism

• !α T(α).end

(T has ∞ weight)

• T S implies T ≤ S

Typing Copyless Message Passing (V. Bono) BTW 2011 24 / 25

A new extension: polymorphic endpoint types

Modeling parametric contracts !α(α).?(α).end

• But. . .

⊢ open(e, f).e!f.free(e).0 e : !α(α).end f : ?α(α).end Idea: bounded polymorphism

• !α T(α).end

(T has ∞ weight)

• T S implies T ≤ S

Typing Copyless Message Passing (V. Bono) BTW 2011 24 / 25

Thank you

Typing Copyless Message Passing (V. Bono) BTW 2011 25 / 25