Chaperone Contracts for Higher-Order Sessions Hernn Melgratti, - PowerPoint PPT Presentation

Chaperone Contracts for Higher-Order Sessions Hernán Melgratti, Buenos Aires, Argentina Luca Padovani, Torino, Italy Dagstuhl Seminar 17051, 2017

A simple FuSe program let server ep = let p, ep = receive ep in let root = ... in let ep = send root ep in close ep let math_service = register server

A simple FuSe program let server ep = let p, ep = receive ep in let root = ... in let ep = send root ep in close ep let math_service = register server let user () = let ep = connect math_service in let ep = send (from_list [2.0; -3.0; 1.0]) ep in let _, ep = receive ep in close ep

A simple FuSe program + Contracts let server ep = let p, ep = receive ep in let root = ... in let ep = send root ep in close ep let math_service = register server contract "Server" let user () = let ep = connect math_service "Client" in let ep = send (from_list [2.0; -3.0; 1.0]) ep in let _, ep = receive ep in close ep

Contracts ◮ A contract is a term that describes exchanged messages and their relationships. flat _ c : ( t → bool ) → [ t ] t :: ω end _ c : [end] send _ c : [ t ] → [ T ] → [! t . T ] receive _ c : [ t ] → [ T ] → [? t . T ] send _ d : [ t ] → ( t → [ T ] ) → [! t . T ] t :: ω receive _ d : [ t ] → ( t → [ T ] ) → [? t . T ] t :: ω

Contracts let contract = send_c (flat_c (fun p → degree p == 1)) @@ ... (* contract for the continuation *)

Contracts let contract = send_c (flat_c (fun p → degree p == 1)) @@ any_c (* contract for the continuation *)

Contracts let contract = send_d (flat_c (fun p → degree p == 1)) @@ fun p → receive_c (flat_c (root_of p)) @@ end_c

Contracts and the structure of the session choice _ c : [bool] → [ T ] → [ S ] → [ T ⊕ S ] branch _ c : [bool] → [ T ] → [ S ] → [ T & S ]

Contracts and the structure of the session ep : !poly.rec A .(?float. A & end)

Contracts and the structure of the session ep : !poly.rec A .(?float. A & end) let contract = send_d (flat_c (fun p → degree p > 0)) @@ fun p → let rec missing_roots n = if n > 0 then branch_c any_c (receive_c (flat_c (root_of p)) @@ missing_roots (n - 1)) end_c else branch_c (flat_c not) any_c end_c in missing_roots (degree p)

First order y [ v 1 , v 2 ] Source Operator User x [ v 1 , v 2 ] y [ w ] x : ?int.?int.end y : !int.!int.?int.end

First order y [ v 1 , v 2 ] Source Operator User x [ v 1 , v 2 ] y [ w ] x : ?int.?int.end y : !int.!int.?int.end op_c = send_c any_c @@ src_c = any_c send_c (flat_c ( � = 0)) @@ receive_c (flat_c ( ≥ 0)) @@ end_c

Second order x [ v 1 , v 2 ] Source Operator y [ x ] User x y [ w ] x : ?int.?int.end y : !(?int.?int.end).?int.end

Second order x [ v 1 , v 2 ] Source Operator y [ x ] User x y [ w ] x : ?int.?int.end y : !(?int.?int.end).?int.end op_c = send_c d_c @@ receive_c (flat_c ( ≥ 0)) @@ end_c src_c = any_c d_c = receive_c any_c @@ receive_c (flat_c ( � = 0)) @@ end_c

Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]  �E [ [ s + ] c ,q,p ] �      �E [ connect a p ] �  | a ⇐ c  → ( νs ) q v     � ( v [ s - ] dual c ,p,q ) �  a ⇐ c    q v s fresh

Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]  �E [ [ s + ] c ,q,p ] �      �E [ connect a p ] �  | a ⇐ c  → ( νs ) q v     � ( v [ s - ] dual c ,p,q ) �  a ⇐ c    q v s fresh  �E [ send v [ a ι ] ! c ; d ,σ ] �  �E [ [ a ι ] d ,σ ] �      →     �E ′ [ receive [ a ι ] ? e ; f ,̺ ] �    �E ′ [ ([[ v ] c , ¬ σ ] e ,̺ ,[ a ι ] f ,̺ ) ] �  

Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]  �E [ [ s + ] c ,q,p ] �      �E [ connect a p ] �  | a ⇐ c  → ( νs ) q v     � ( v [ s - ] dual c ,p,q ) �  a ⇐ c    q v s fresh  �E [ send v [ a ι ] ! c ; d ,σ ] �  �E [ [ a ι ] d ,σ ] �      →     �E ′ [ receive [ a ι ] ? e ; f ,̺ ] �    �E ′ [ ([[ v ] c , ¬ σ ] e ,̺ ,[ a ι ] f ,̺ ) ] �   v ⊳ p wv [ v ] flat _ c w,p,q →

Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]  �E [ [ s + ] c ,q,p ] �      �E [ connect a p ] �  | a ⇐ c  → ( νs ) q v     � ( v [ s - ] dual c ,p,q ) �  a ⇐ c    q v s fresh  �E [ send v [ a ι ] ! c ; d ,σ ] �  �E [ [ a ι ] d ,σ ] �      →     �E ′ [ receive [ a ι ] ? e ; f ,̺ ] �    �E ′ [ ([[ v ] c , ¬ σ ] e ,̺ ,[ a ι ] f ,̺ ) ] �   v ⊳ p wv [ v ] flat _ c w,p,q → v ⊳ p true → v v ⊳ p false → blame p

Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]  �E [ send v [ a ι ] ! c ; d ,σ ] �   �E [ [ a ι ] d ,σ ] �    →        �E ′ [ receive [ a ι ] ? e ; f ,̺ ] �    �E ′ [ ([[ v ] c , ¬ σ ] e ,̺ ,[ a ι ] f ,̺ ) ] �    

Locally correctness & blame safety ◮ p is locally correct in P if ◮ P = P p [ send v [_] ! flat _ c w ;_ , _ , _ ] implies v ∈ w , and ◮ P = P p [ send [ ε ] c , _ , _ [_] ! d ;_ , _ , _ ] implies c � d, and ... ◮ P → Q implies p is locally correct in Q

Locally correctness & blame safety ◮ p is locally correct in P if ◮ P = P p [ send v [_] ! flat _ c w ;_ , _ , _ ] implies v ∈ w , and ◮ P = P p [ send [ ε ] c , _ , _ [_] ! d ;_ , _ , _ ] implies c � d, and ... ◮ P → Q implies p is locally correct in Q ◮ Useful invariant: If P → ∗ P p [ send v [_] c , _ ,q ] , then q = p

Locally correctness & blame safety ◮ p is locally correct in P if ◮ P = P p [ send v [_] ! flat _ c w ;_ , _ , _ ] implies v ∈ w , and ◮ P = P p [ send [ ε ] c , _ , _ [_] ! d ;_ , _ , _ ] implies c � d, and ... ◮ P → Q implies p is locally correct in Q ◮ Useful invariant: If P → ∗ P p [ send v [_] c , _ ,q ] , then q = p ◮ Blame safety: p is locally correct in P , then P → ∗ Q implies blame p �⊂ Q .

Final remarks ◮ The language is implemented on top of FuSe ◮ It avoids double checking of contracts ◮ It relies on a small-step semantics for unwinding monitors ◮ Monitors are communicated only when delegating ◮ Communication is restricted to unlimited values and delegation