Machine-Checked Semantic Session Typing - Jonas Kastberg Hinrichsen - Iris Project
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Machine-Checked Semantic Session Typing Jonas Kastberg Hinrichsen Daniël Louwrink IT University of Copenhagen, Denmark University of Amsterdam, The Netherlands Robbert Krebbers Jesper Bengtson Radboud University and Delft University of Technology, IT University of Copenhagen, Denmark The Netherlands Abstract using logical relations defined in terms of a program logic Session types—a family of type systems for message-passing [Appel et al. 2007; Dreyer et al. 2009, 2019]. concurrency—have been subject to many extensions, where The semantic approach addresses the challenges above as each extension comes with a separate proof of type safety. (1) typing judgements are definitions in the program logic, These extensions cannot be readily combined, and their and typing rules are lemmas in the program logic (they are proofs of type safety are generally not machine checked, mak- not inductively defined), which means that extending the ing their correctness less trustworthy. We overcome these system with new typing rules boils down to proving the shortcomings with a semantic approach to binary asynchro- corresponding typing lemmas correct; (2) safe functions that nous affine session types, by developing a logical relations cannot be conventionally type checked can still be seman- model in Coq using the Iris program logic. We demonstrate tically type checked by manually proving a typing lemma the power of our approach by combining various forms of (3) all of our results have been mechanised in Coq using Iris polymorphism and recursion, asynchronous subtyping, ref- [Jung et al. 2016, 2018b, 2015; Krebbers et al. 2018, 2017a,b] erences, and locks/mutexes. As an additional benefit of the giving us a high degree of trust that they are correct. semantic approach, we demonstrate how to manually prove The syntactic approach requires global proofs of progress the typing judgements of racy, but safe, programs that cannot (well-typed programs are either values or can take a step) be type checked using only the rules of the type system. and preservation (steps taken by the program do not change types), culminating in type safety (well-typed programs do not get stuck). One key selling point of the semantic ap- 1 Introduction proach is that it does not require progress and preservation Session types [Honda et al. 1998] guarantee that message- proofs allowing snippets of safe code to be type checked passing programs comply to a protocol (session fidelity), and without requiring well-typed terms mid execution. Safety do not crash (type safety). While session types are an active proofs are deferred to the program logic, whose adequacy/- research area, we believe the following challenges have not soundness theorem states that proving a program correct for received the attention they deserve: any postcondition implies that the code will never get stuck. 1. There are many extensions of session types with e.g., A concrete example of a racy program that can be seman- polymorphism [Gay 2008], asynchronous subtyping tically, but not conventionally, type checked is: [Mostrous et al. 2009], and sharing via locks [Balzer . (recv || recv ) : chan (?Z. ?Z. end) ⊸ (Z × Z) and Pfenning 2017]. While type safety has been proven for each extension in isolation, existing proofs can- Two values are requested over channel in parallel, and not be readily composed with each other, nor with returned as a tuple (using the operator || for parallel com- other substructural type systems like Affe, Alms, Lin- position, and the type chan (?Z. ?Z. end) for a channel that ear Haskell, Plaid, Rust, Mezzo, Quill, or System F◦ . expects to receive two integers). This program cannot be 2. Session types use substructural types to enforce a strict type checked using conventional session-type systems as discipline of channel ownership. While conventional channels are substructural/ownership types and cannot be session-type systems can type check many functions, owned by multiple threads at the same time. Nevertheless, they inherently exclude some functions that do not this program is safe1 —the order in which the values are re- obey the ownership discipline, even if they are safe. ceived is irrelevant, as they have the same type. 3. Only few session-type systems and their safety proofs The fact that this program cannot be type checked is not a have been machine checked by a proof assistant, mak- shortcoming of conventional session-type systems. Since the ing their correctness less trustworthy. correctness relies on a subtle argument (the recv is executed exactly twice in parallel), it is unreasonable to expect having We address these challenges by eschewing the traditional syntactical typing rules that account for it. However, using syntactic approach to type safety (using progress and preser- vation) and embracing the semantic approach to type safety 1 For simplicity, we assume recv to be atomic, or a lock is needed. Even [Ahmed 2004; Ahmed et al. 2010; Appel and McAllester 2001], with a lock, conventional session-type systems cannot handle this program. 1
the semantic approach, we can prove the typing lemma ⊨ 2.1 Language . (recv || recv ) : chan (?Z. ?Z. end) ⊸ (Z × Z) by We use an untyped higher-order functional programming appealing to the full power of the program logic. language with concurrency, mutable references, and binary An important prerequisite for proving typing lemmas such asynchronous message passing, whose syntax is: as the above is to use an expressive program logic. The Iris concurrent separation logic [Jung et al. 2016, 2018b, 2015; ∈ Val ::= () | | | ℓ | | rec = | . . . Krebbers et al. 2017a] has proved to be sufficiently expressive ∈ Expr ::= | | rec = | 1 ( 2 ) | 1 || 2 | to define semantic type systems for e.g., Rust [Jung et al. 2018a, 2020] and Scala [Giarrusso et al. 2020], due to its ref ( ) | ! | 1 ← 2 | state-of-the-art built-in support for e.g., resource ownership, new_chan () | send 1 2 | recv | . . . recursion, polymorphism, and concurrency. In addition, we make use of the Actris framework for message-passing in We let ∈ B, ∈ Z, ℓ ∈ Loc, and ∈ Chan, where Loc and Iris [Hinrichsen et al. 2020a,b]. Actris includes the notion of Chan are countably infinite sets of identifiers. We omit the dependent separation protocols, which are similar to session standard operations on pairs, sums, etc. We write . for types in structure, but were developed to prove functional rec _ = , and let = 1 in 2 for ( . 2 ) 1 , and 1 ; 2 for correctness of message-passing programs. let _ = 1 in 2 . Message passing is given an asynchronous An additional advantage of Iris (and Actris) is that they semantics: new_chan () returns a pair ( 1, 2 ) of channel come with an existing mechanisation in Coq. This mecha- endpoints that operate on buffers (® 1, ®2 ) that are initially nisation not only includes an adequacy/soundness theorem, empty, send enqueues message in ® , while recv but also tactical support for separation logic proofs [Krebbers blocks until a message is available in ®(if =2 then 1 else 2) , and et al. 2018, 2017b]. then dequeues and returns . Parallel composition 1 || 2 executes 1 and 2 in parallel and returns the results as a Contributions and Outline. This paper presents an ex- tuple. The language also supports fork and compare-and-set. tensive machine-checked and semantic account of binary (two-party) asynchronous (sends are non-blocking) affine 2.2 Semantic Typing in Iris (resources may be discarded) session types. It makes the following contributions: The idea of semantic typing is to represent types as logical relations, which are predicates that describe the values that • We define a semantic session-type system as a logical inhabit the type. To model type systems with features like ref- relation in Iris using Actris’s notion of dependent sep- erences or session types, these predicates need to range over aration protocols (§2). As an additional conceptional program states. To avoid threading through program states contribution, this construction provides a concise con- explicitly, we do not use ordinary set-theoretic predicates, nection between session types and separation logic. but use predicates in a program logic, and use the connec- • We demonstrate the extensibility of our approach by tives of the program logic to give concise definitions of types. adding subtyping for term and session types, copyable The program logic that we use is Iris, whose propositions types, equi-recursive term and session types, polymor- , ∈ iProp implicitly range over an expressive notion of phic term and session types, and mutexes (§3). resources, which includes the program state. • We demonstrate the benefit of our type system being Iris is a higher-order separation logic, so it has the usual semantic by integrating the manual verification of safe logical connectives such as conjunction ( ∧ ), implication but not conventionally type-checkable programs (§4). ( ⇒ ), universal (∀ : . ) and existential (∃ : . ) • We provide insight on the benefits of a semantic type quantification, as well as the connectives of separation logic: system in regards to mechanisation efforts (§5). All of our results are mechanised in Coq and can be found • The points-to connective (ℓ ↦→ ) asserts resource own- in [Anonymous Authors 2020]. ership of a heap location ℓ ∈ Loc, stating that it holds the value ∈ Val. • The separating conjunction ( ∗ ) states that and 2 A Tour of Semantic Session Typing holds for disjoint sets of resources. We show how to build a semantic session-type system using • The separating implication ( −∗ ) states that by giv- logical relations on top of an untyped concurrent language ing up ownership of the resources described by , we with message-passing (§2.1). We provide a brief overview of obtain ownership of the resources described by . Sep- Iris (§2.2), and then present a lightweight affine type system arating implication is used similarly to implication (§ 2.3) as the core upon which we built our session-type since it enjoys entails −∗ iff ∗ entails . system (§2.4). Our affine type system is inspired by RustBelt • The weakest precondition (wp { }) states that given [Jung et al. 2018a, 2020], but drops Rust-specific features like a postcondition : Val → iProp, the expression is borrowing and lifetimes to focus on session types. safe, and, if reduces to a value , then holds. 2
Term types: Judgements: Type⋆ any ≜ Val → iProp ∗ Γ ⊨ ≜ ( , ) ∈Γ . ∃ . ( , ) ∈ ∗ ≜ . True Γ ⊨ : ⊨ Γ ′ ≜ ∀ . (Γ ⊨ ) −∗ wp [ ] { . ∗ (Γ ′ ⊨ )} 1 ≜ . ∈ {()} B ≜ . ∈ B Session types: Z ≜ . ∈ Z Type ♦ ≜ iProto refuniq ≜ . ∃ . ∈ Loc ∗ ( ↦→ ) ∗ ⊲( ) end ≜ end 1 × 2 ≜ . ∃ 1, 2 . = ( 1, 2 ) ∗ ⊲( 1 1 ) ∗ ⊲( 2 2 ) ! . ≜ ! ( : Val) ⟨ ⟩ { } . 1 + 2 ≜ . ∃ . ( = inl ∗ ⊲( 1 )) ∨ ( = inr ∗ ⊲( 2 )) ? . ≜ ? ( : Val) ⟨ ⟩ { } . ⊸ ≜ . ∀ . ⊲( ) −∗ wp ( ) { } ⊕{ } ≜ ! ( : Z) ⟨ ⟩ { ∈ dom( ) ® ® } . ®( ) chan ≜ . ↣ &{ } ≜ ? ( : Z) ⟨ ⟩ { ∈ dom( ) ® ® } . ®( ) Figure 1. Typing judgements and type formers of the semantic type system. As we see in §2.3 these connectives match up with the type The type former refuniq for uniquely-owned references, formers for unique references, products, and affine functions. 1 × 2 for products, and ⊸ for affine functions nicely Iris’s notion of resources is not limited to heap locations, demonstrate the advantage of separation logic—since types but can be extended with custom resources. This feature is are Iris predicates, they implicitly describe which resources used by Actris to extend Iris with a connective ( ↣ prot) are owned. The points-to connective ( ↦→ ) is used to that asserts resource ownership of a channel, to support describe that refuniq consists of the locations ∈ Loc reasoning about functional correctness of message-passing that hold a value ∈ Val for which the resources are programs (§2.4), and in this paper to semantically type safe owned. The separating conjunction (∗) is used to describe yet not conventionally type-checkable programs (§4). that 1 × 2 consists of tuples ( 1, 2 ), where the resources To define recursive types semantically (§3.3), Iris provides 1 1 and 2 2 are owned separately. The separating im- the later modality (⊲ ) and the guarded fixpoint operator plication (−∗) and weakest precondition are used to describe ( : . ), which enable (guarded) recursive definitions of that the affine function type ⊸ consists of values that Iris propositions and terms. The guarded fixpoint operator when applied to an argument consume the resources , requires all recursive occurrences of the variable to occur and in return, produce the resources for the result of . guarded in , where an occurrence is guarded if it appears We use Iris’s later modality (⊲) to ensure that type formers below a ⊲ modality. This ensures that is contractive in the are contractive, which is needed to model equi-recursive variable , which guarantees that a unique fixpoint exists. types using Iris’s guarded fixpoint operator in §3. Guarded fixpoints can be folded and unfolded using the equality ( : ). = [( ( : ). )/ ]. Typing Judgement. As is common in substructural type The proposition ⊲ is strictly weaker than , since en- systems with operations that perform strong updates, we tails ⊲ , while the reverse does not hold. The later (⊲) can use a typing judgement Γ ⊨ : ⊨ Γ ′ (defined in Figure 1) be eliminated by taking a program step, which is formalised with a pre- and post-context Γ, Γ ′ ∈ List(String × Type⋆ ), by Iris’s proof rule ⊲ ∗ wp { } entails wp { . ∗ } which describe the types of variables before and after execu- if ∉ Val. This means that ⊲ can also be read as “ holds tion of . As is standard in logical relations, we use closing after one more step of computation.” substitutions ∈ String ⇀ Val and an auxiliary judgement In this paper we will not further detail the semantics of Γ ⊨ . The definition of this auxiliary judgement employs Iris, but refer the interested reader to Jung et al. [2018b]. ∗ the iterated separation conjunction ( , ) ∈Γ to ensure that for each variable binding ( , ) in Γ there is a binding ( , ) 2.3 Term Types in for which the resources are owned separately. The definitions of our semantic type system are shown in The typing judgement Γ ⊨ : ⊨ Γ ′ is defined in terms Figure 1. Types Type are indexed by kinds; ⋆ for term types, of Iris’s weakest precondition. That is, given a closing sub- and ♦ for session types. Meta-variables , ∈ Type⋆ are used stitution and resources Γ ⊨ for the pre-context Γ, the for term types, ∈ Type♦ for session types, and ∈ Type weakest precondition holds for (under substitution with ), for types of any kind. Term types Type⋆ are defined as Iris with the postcondition stating that the resources for the predicates over values, and session types Type♦ are defined resulting value are owned separately from the resources as dependent separation protocols of Actris (§2.4). Γ ′ ⊨ for the post-context Γ ′. Type Formers. The ground types (the unit type 1, Boolean Typing Rules. Now that the type formers and the typing type B, and integer type Z) are defined through member- judgement are in place, we state the conventional typing ship of the corresponding set ({()}, B, and Z, respectively). rules as lemmas. We prove these lemmas by unfolding the 3
Selection of Iris’s proof rules for weakest preconditions: −∗ wp { } (wp-val) ℓ ↦→ −∗ wp !ℓ { . ( = ) ∗ (ℓ ↦→ )} (wp-load) −∗ wp (let = 1 in 2 ) { } wp 1 . wp 2 [ / ] { } (wp-let) wp 1 { 1 } ∗ wp 2 { 2 } −∗ wp ( 1 || 2 ) { . ∃ 1, 2 . ( = ( 1, 2 )) ∗ 1 1 ∗ 2 2 } (wp-par) Selection of semantic typing rules: Γ ⊨ :Z Γ, ( : ) ⊨ : ⊨ Γ, ( : any) Γ, ( : refuniq ) ⊨ ! : ⊨ Γ, ( : refuniq any) Γ1 ⊨ 1 : ⊨ Γ2 Γ2, ( : ) ⊨ 2 : ⊨ Γ3 Γ1 ⊨ 1 : 1 ⊨ Γ1′ Γ2 ⊨ 2 : 2 ⊨ Γ2′ Γ1 ⊨ (let = 1 in 2 ) : ⊨ Γ3 \ Γ1 · Γ2 ⊨ 1 || 2 : 1 × 2 ⊨ Γ1′ · Γ2′ Figure 2. A selection of Iris’s proof rules and semantic typing rules. definition of the semantic typing judgement Γ ⊨ : ⊨ Γ ′, ? . , the choice primitives for selection ⊕{ ®} and branching and proving the corresponding proposition in Iris using Iris’s &{ ®}, and the terminator end. We let ® : Z ⇀ Type♦ , and rules for weakest preconditions. A selection of typing rules, often write ® = 1 : 1, . . . : . The term type chan dictates along with Iris’s weakest precondition rules used to prove that a term is a channel that follows the session type . them, is presented in Figure 2. Session types are defined in terms of Actris’s dependent The typing rule for integer literals follows immediately separation protocols [Hinrichsen et al. 2020b], which are sim- from wp-val, which states that the weakest precondition of ilar to session types in structure, but can express functional a value holds if the postcondition ( ) holds. The typing properties of the transferred data. Dependent separation pro- rule for variables also uses wp-val. Since the pre-context is tocols prot ∈ iProto are streams of ! ® : ® ⟨ ⟩ { } . prot and Γ, ( : ), we can assume ownership of for some value , ? ® : ® ⟨ ⟩ { } . prot constructors that are either infinite or fi- and should prove a weakest precondition for . After using nite. Here, is the value that is being sent or received, is wp-val, we prove the postcondition by giving up . Note an Iris proposition denoting the ownership of the resources that the post-context is Γ, ( : any) as ownership of has being transferred as part of the message, and the logical vari- been moved out. For substructural type systems this is crucial ables ® : ® bind into , , and prot to constrain the message. Fi- as in expressions such as let = in , it is generally not nite protocols are ultimately terminated by an end construc- allowed to use in as ownership of the type of has moved tor. As an example, the dependent separation protocol ! (ℓ : to . This is formalised by giving the variable type any in Loc) ( : Z) ⟨ℓ⟩ {ℓ ↦→ ∗ 10 ≤ } . ? ⟨()⟩ {ℓ ↦→ ( + 1) } . end ex- . The typing rules for load, let, and parallel composition presses that an integer reference whose value is at least 10 is are proved using the Iris rules wp-load, wp-let, and wp-par. sent, after which the recipient increments it by one and sends The rule for parallel composition moreover relies on the back a unit token () along with the reference ownership. property (Γ1 · Γ2 ⊨ ) iff (Γ1 ⊨ ) ∗ (Γ2 ⊨ ), which allows Actris’s connective ↣ prot denotes ownership of a chan- us to subdivide and recombine ownership of the pre- and nel with a dependent separation protocol prot. The Actris post-contexts between both operands. proof rules are shown in Figure 3. The rule for new_chan () Type Safety. Type safety means: if [ ] ⊨ : ⊨ Γ, then is allows ascribing any protocol to a new channel, obtaining safe, i.e., will not get stuck w.r.t. the operational semantics. ownership of ↣ prot and ′ ↣ prot for the respective For syntactic type systems, type safety is usually proven via endpoints. Here, prot is the dual of prot in which any re- progress and preservation theorems. For our semantic type ceive (?) is turned into a send (!), and vice versa. The rule for system, we get type safety from Iris’s adequacy theorem, send requires the head of the protocol to be a send (!), which states that a closed proof of a weakest precondition and the value that is sent to match up with the ascribed implies safety [Jung et al. 2018b; Krebbers et al. 2017a]. Note value. Concretely, to send a message , one needs to give that our type system is affine (resources are not explicitly up ownership of ↣ ! ® : ® ⟨ ⟩ { } . prot, pick an appropriate deallocated), and thus the post-context Γ in the type safety instantiation ® for the variables ® : ® so that = [ ®/® ], statement need not be empty. We use an affine type system and give up ownership of the associated resources [ ®/® ]. as that allows more practical safe programs to be typeable. Subsequently, one gets back ownership of the protocol tail ↣ prot [ ®/® ]. The rule for recv is essentially dual to 2.4 Session Types the rule for send . One needs to give up ownership of ↣ ? ® : ® ⟨ ⟩ { } . prot, and in return acquires the resources We extend our core type system with the basic session-type [ /® ® ], the return value where = [ /® ® ], and finally formers for sending a message ! . , receiving a message 4
Actris’s proof rules for dependent separation protocols: wp new_chan () . ∃ , ′ . ( = ( , ′)) ∗ ↣ prot ∗ ′ ↣ prot (wp-newchan) ] −∗ wp send ( [ ®/® ↣ ! ® : ® ⟨ ⟩ { } . prot ∗ ⊲ [ ®/® ]) ↣ prot [ ®/® ] (wp-send) ↣ ? ® : ® ⟨ ⟩ { } . prot −∗ wp recv { . ∃® . ( = [ /® ® ]) ∗ ↣ prot [ /® ® ] ∗ [ /® ® ]} (wp-recv) Semantic typing rules for channels: Γ ⊨ new_chan () : chan × chan ⊨ Γ Γ ⊨ : ⊨ Γ ′, ( : chan (! . )) Γ, ( : chan (? . )) ⊨ recv : ⊨ Γ, ( : chan ) Γ ⊨ send : 1 ⊨ Γ ′, ( : chan ) 1≤ ≤ Γ, ( : chan (⊕{ 1 : 1, . . . , : })) ⊨ select : 1 ⊨ Γ, ( : chan ) Γ, ( : chan 1 ) ⊨ 1 : ⊨ Γ ′ ··· Γ, ( : chan ) ⊨ : ⊨ Γ ′ Γ, ( : chan (&{ 1 : 1, . . . , : })) ⊨ branch with 1 ⇒ 1 | . . . | ⇒ : ⊨ Γ ′ Figure 3. Actris’s proof rules for dependent separation protocols and semantic typing rules for channels. the ownership of the protocol tail prot [ /® ® ], where ® are as primitives, but they can be defined as macros: instances of the variables of the protocol. select ≜ send branch with ≜ let = recv in Semantics of Session Types. The definitions of session 1 ⇒ 1 | . . . | ⇒ if = 1 then 1 else · · · types are shown in Figure 1. Since session types (Type♦ ) are if = then else () () defined as dependent separation protocols iProto, the chan- Safety of the branch operation guarantees that the stuck nel type chan is defined in terms of Actris’s connective for expression () () is never executed, and hence, one of the channel ownership ↣ . The definition of the terminator branches is always found. (end), send (!), and receive (?) follow from their dependent separation protocol counterparts. For example ! . is de- Type Safety. Since the extension with session types did fined as ! ( : Val) ⟨ ⟩ { } . . It says that a value is sent not change the definition of the semantic typing judgement, along with ownership of . but merely added new type formers and typing rules, the type While the choice types ⊕{ ®} and &{ ®} do not have a direct safety result from §2.3 remains applicable without change. counterpart in Actris, they can be encoded. For example, ⊕{ ®} is defined as ! ( : Z) ⟨ ⟩ { ∈ dom( ) ® } . ®( ). It expresses 3 Extending the Type System that a valid label ∈ dom( ) ® (modelled as an integer) is We demonstrate the extensibility of our approach to session sent. This definition makes use of the fact that dependent types by adding term- and session-level subtyping (§3.1 and separation protocols are dependent, as the protocol tail ®( ) § 3.6), copyable types (§ 3.2), term- and session-level equi- depends on the label that is sent. recursive types (§3.3), term- and session-level polymorphism The duality of session types is inherited from Actris, (§ 3.4), and locks/mutexes (§ 3.5). While we only present a and our encoding of branch (&) and select (⊕) ensures that small representative selection of rules associated with each the dual of a session type turns all sends and selects respec- extension, all rules can be found in Appendix A. tively into receives and branches, and vice versa. 3.1 Term-Level Subtyping Subtyping
is essentially the pointwise lifting of the subtyping relation, always persistent, allowing the proposition to be freely du- applied to each type in the contexts Γ and Γ ′. It expresses plicated using the rule □ −∗ (□ ∗ ). This allows copyable that when we hold resources Γ ⊨ for the context Γ, then types occurring in the context to be duplicated: we can give those up to obtain the resources Γ ′ ⊨ for Γ ′. With these definitions at hand, we prove the usual sub- ( : )
Universal and existential types are defined as follows: We show ⊨ compute_service : chan compute_type → () using only the type inference rules of our semantic type ∀( : ). ≜ . ∀( : Type ). wp ( ()) { } system. In §4.2 we show a client that uses this service but ∃( : ). ≜ . ∃( : Type ). ⊲( ) which cannot itself be type checked using our inference rules As is custom for logical relations in Iris, these types are de- but rather requires a manual proof of its typing judgement. fined in the style of parametricity—they use Iris-level univer- 3.5 Locks and Mutexes sal and existential quantifiers over semantic types : Type . This is possible because Iris supports higher-order impredica- The substructural nature of channels (of type chan ) ensure tive quantification (i.e., quantification over Iris predicates). that they can be used by at most one thread at the same time. Note that universal types are inhabited by values that Balzer and Pfenning [2017] proposed a more liberal extension produce a value of the instantiated type when applied to of session types that allows channels to be shared between the unit value (), as indicated by the weakest precondition multiple threads via locks. We show that we can achieve a in the definition: that is, the inhabitants of universal types similar kind of sharing by extending our type system with a are all thunks. By using explicit thunks, we avoid having to type former mutex of mutexes (i.e., lock-protected values impose an ML-like value restriction [Wright 1995] to ensure of type ) inspired by Rust’s Mutex library. For example, type soundness in the presence of imperative side-effects. mutexes make it possible to share the channel to the com- The typing rules for term-level polymorphism are stan- putation service compute_type from §3.4 between multiple dard and can be found in Appendix A. clients—they can acquire the mutex (mutex compute_type), A more interesting extension is polymorphism in session send any number of computation requests, retrieve the cor- types [Gay 2008]. An example is the following type describ- responding results, and then release the mutex. ing the interaction with a polymorphic computation service: The mutex type former is copyable, and comes with op- erations newmutex to allocate a mutex, acquiremutex to compute_type ≜ (rec : ♦). acquire a mutex by blocking until no other thread holds it, ⊕{cont : ! ( :⋆) (1 ⊸ ). ? . rec, stop : end} and releasemutex to release the mutex. The typing rules The service can be used by sending computation requests are shown in Figure 4 and include the type former mutex, 1 ⊸ , and then awaiting their results . Different types can which signifies that the mutex is acquired. be picked for the type variable at each recursive iteration. To extend our type system with mutexes we make use of To extend our type system with polymorphism in session the locks library that is available in Iris. This library consists types, we redefine the send and receive session types to of operations newlock, acquire, and release, which are include binders ® for type variables: similar to the mutex operations, but do not protect a value. The mutex operations are defined in terms of locks as follows: ® ) ( : Val) ⟨ ⟩ { } . ! ® : ® . ≜ ! ( ® : Type newmutex ≜ . (newlock (), ref ) ? ® ® . ≜ ? ( ® : Type : ® ) ( : Val) ⟨ ⟩ { } . acquiremutex ≜ . acquire (fst ); ! (snd ) This definition relies on the fact that binders ® : ® in Actris’s releasemutex ≜ . (snd ) ← ; release (fst ) dependent separation protocols ! ® : ® ⟨ ⟩ { } . prot and ? ® : That is, newmutex creates a lock alongside a boxed value. The ® ⟨ ⟩ { } . prot are higher-order and impredicative (i.e., they value can then be acquired with acquiremutex, which first allow quantification over Iris predicates). The typing rules acquires the lock. Finally, releasemutex moves the value are extended to allow instantiation of binders when sending back into the box, and releases the lock. a message, and elimination of type variables when receiving The Iris rules for locks are shown in Figure 4 and make a message. The rule for receive becomes: use of the representation predicate isLock lk , which ex- presses that a lock lk guards the resources . When creating Γ, ( : chan ), ( : ) ⊨ : ⊨ Γ ′ ® ∉ (Γ, Γ ′, ) a new lock one has to give up ownership of , and in turn, Γ, ( : chan (? ® : ® . )) ⊨ let = recv in : ⊨ Γ ′ \ { } obtains the representation predicate isLock lk . The repre- sentation is persistent, so it can be freely duplicated. When This rule requires the result of recv to be let-bound to entering a critical section using acquire lk, a thread gets ensure that the type variables ® cannot escape into Γ ′ or . exclusive ownership of , which has to be given up when With this rule, we can type check the following function releasing the lock using release lk. Using the lock repre- that follows the computation service type compute_type: sentation predicate, we define type formers for mutexes: compute_service ≜ rec go = mutex ≜ . ∃lk, ℓ. ( = (lk, ℓ)) ∗ branch with isLock lk (∃ . (ℓ ↦→ ) ∗ ⊲( )) cont ⇒ let = recv in send ( ()) ; go | stop ⇒ () mutex ≜ . ∃lk, ℓ. ( = (lk, ℓ)) ∗ (ℓ ↦→ −) ∗ end isLock lk (∃ . (ℓ ↦→ ) ∗ ⊲( )) 7
Iris’s proof rules for locks: Semantic typing rules for mutexes: isLock lk −∗ □(isLock lk ) copyable (mutex ) Γ, ( : ) ⊨ newmutex : mutex ⊨ Γ −∗ wp newlock () {lk. isLock lk } Γ, ( : mutex ) ⊨ acquiremutex : ⊨ Γ, ( : mutex ) isLock lk −∗ wp acquire lk { } isLock lk ∗ −∗ wp release lk {True} Γ ⊨ : ⊨ Γ ′, ( : mutex ) Γ ⊨ releasemutex : 1 ⊨ Γ ′, ( : mutex ) Figure 4. Iris’s proof rules for locks and semantic typing rules for mutexes. The mutex type former states that its values are pairs of is possible to send more and receive less, while account- locks and boxed values. The mutex type former additionally ing for the protocol-level binders of dependent separation asserts ownership of the reference, implying that the lock protocols. In particular, we can (1) eliminate binders and has been acquired. The typing rules for mutexes as shown propositions of right-hand side sending protocols (sp-send- in Figure 4 are proven as lemmas. elim) and (2) left-hand side receiving protocols (sp-recv-elim), and (3) instantiate binders of right-hand side sending proto- 3.6 Session-Level Subtyping cols (sp-send-intro) and (4) left-hand side receiving protocols Session-level subtyping
Actris’s proof rules for subprotocols: : ®. −∗ prot 1 ⊑ ! ⟨ ⟩.prot 2 ∀® −∗ (prot 1 ⊑ ! ® : ® ⟨ ⟩ { } . prot 2 ) if each ∈ ® is inhabited (sp-send-elim) : ®. −∗ ? ⟨ ⟩.prot 1 ⊑ prot 2 ∀® −∗ (? ® : ® ⟨ ⟩ { } . prot 1 ⊑ prot 2 ) if each ∈ ® is inhabited (sp-recv-elim) [ ®/® ] −∗ (! ® : ® ⟨ ⟩ { } . prot ⊑ ! ⟨ [ ®/® ]⟩.prot [ ®/® ]) (sp-send-intro) [ ®/® ] −∗ (? ⟨ [ ®/® ]⟩.prot [ ®/® ] ⊑ ? ® : ® ⟨ ⟩ { } . prot) (sp-recv-intro) ? ⟨ 1 ⟩ { 1 } . ! ⟨ 2 ⟩ { 2 } . prot ⊑ ! ⟨ 2 ⟩ { 2 } . ? ⟨ 1 ⟩ { 1 } . prot (sp-swap) ⊲(prot 1 ⊑ prot 2 ) −∗ (! ⟨ ⟩ { } . prot 1 ⊑ ! ⟨ ⟩ { } . prot 2 ) (sp-send-mono) ⊲(prot 1 ⊑ prot 2 ) −∗ (? ⟨ ⟩ { } . prot 1 ⊑ ? ⟨ ⟩ { } . prot 2 ) (sp-recv-mono) (prot 1 ⊑ prot 2 ) −∗ ( ↣ prot 1 ) −∗ ( ↣ prot 2 ) (sp-chan-mono) Semantic subtyping rules for session polymorphism: 1
(ii) a similar step is taken leaving the invariant with the full is inherited from Actris). The invariant expresses that either fractional permission 1 in state (iii). (i) the channel is still open, which permits unfolding the recursive definition to send additional requests, or (ii) the 4.2 A Parallel Computation Client channel terminates with end, after the receive steps has In §3.4 we considered the session type compute_type for a been resolved. State (ii) requires the full fractional permission client of a polymorphic recursive computation service. We 1 , which must be released before closing the channel. now consider a client compute_client, shown in Figure 6, The proof is carried out by allocating the fractional per- that interacts with the service by sending a list of computa- mission 1 , after which the weakest precondition rules for tion requests and receiving their results in parallel, similar send_all, recv_all, and parallel composition are used. To to the producer-consumer patterns.3 We want to prove: close the proof, we weaken the list reference returned by ⊨ compute_client : list (1 ⊸ ) ⊸ recv_all to the list reference type list , by forgetting its chan compute_type ⊸ list ® The proof of the weakest precondition rule explicit values . for send_all follow as, (1) owning 1 means the channel where list ≜ rec. refuniq (1 + ( × rec)). is open so, (2) it can be unfolded, after which the select and The producer send_all and consumer recv_all race for send action can be swapped ahead of any arbitrary number a shared lock lk, to send computations and receive results on of receives, after which (3) incrementing the shared counter the shared channel endpoint (the computation service has cntr lets us close the invariant, and finally (4) we can close the the other endpoint), for each element in the linked list input l. channel by giving up 1 . The proof of the weakest precon- They respectively increment and decrement a shared counter dition rule for recv_all follow as, (1) we only receive when cntr, to keep track of how many requests that are being the shared counter cntr is non-zero so, (2) the head of the processed. The computation results are stored in a new list channel type will be a receive, and finally (3) decrementing l ′, which is returned once send_all and recv_all terminate. the shared counter cntr lets us close the invariant. The type system cannot type check such a program, as (1) its behaviour depends on the length of the list, which is not 5 Mechanisation in Coq available from the type, and (2) the channel is shared and the type changes between each concurrent access. In this paper, we have used what is often called the “foun- To type check the program compute_client, we unfold dational approach” to semantic type safety [Ahmed 2004; its typing judgement, and resolve each step of the program Ahmed et al. 2010; Appel and McAllester 2001]. That means in sequence, by applying the related weakest precondition that contrary to conventional logical relation developments, rules. We first use the weakest precondition rule for llength, types are not defined syntactically, and then given a semantic found in Figure 6, to convert the type predicate list (1 ⊸ ) interpretation. Instead, types are defined as combinators in of the list reference l into the separation-logic list represen- terms of their semantic interpretation. This approach gives list rise to an “open” system, that can easily be extended with tation predicate l ↦→ (1⊸ ) ®, which additionally makes the new type formers, and is thus particularly suitable for mech- contents of the list ® explicit. This predicate is defined as: anisation in a proof assistant like Coq. Furthermore, as we ℓ ↦→ inl () if ® = [ ] will show in this section, the foundational approach makes l ↦→ ® ≜ ∃ℓ2 . ℓ ↦→ inr ( 1, ℓ2 ) ∗ if ® = [ 1 ] · ®2 list it possible to reuse Coq’s variables to model type-level bind- list 1 ∗ ℓ2 ↦→ ®2 ing, avoiding boilerplate that would be necessary with a first-order representation of variable binding. The remainder of the proof then follows from reasoning Our mechanisation is built on top of the mechanisation of similar to that of the parallel receive, using a fractional per- Iris and Actris in Coq, which provides a number of notewor- mission 1 along with the shared counter cntr to determine thy advantages. First, we can reuse their libraries for various the state of the shared channel. To share the counter and the programming constructs, such as locks (from Iris) and chan- channel, they are put into the lock invariant chaninv: nels (from Actris). Second, we avoid reasoning about explicit chaninv ≜ ∃ . cntr ↦→ ∗ resources in Coq by making use of the Iris Proof Mode, which ( ↣ ((? ) · compute_type) ∨ ( ) provides tactics tailored for reasoning about the connectives ( ↣ ((? ) · end) ∗ 1 )) of separation logic, and thereby hides unnecessary details ( ) related to the embedding of separation logic [Krebbers et al. The invariant states that the session type of the channel 2018, 2017b]. starts with a sequence of receive actions (? ) , where is the value of the shared counter cntr. Here, the notation Coq Definitions. Term and session types are represented denotes appended to itself times (the append operation · as a dependent type indexed by a kind:4 3 For simplicity, our producer and consumer just iterate through a list, 4 Asis common in Iris, all definitions are parameterised by a Σ, which whereas in reality they would perform some computations so there is a describes the resources that are available. For the purpose of this paper, this point in having the producer and consumer operate in parallel. technicality can be ignored. 10
compute_client ≜ l . send_all ≜ rec go l cntr lk = recv_all ≜ rec go l cntr lk = let = llength l in if lisnil l then if = 0 then () else let cntr = ref 0 in acquire lk; select stop; acquire lk; let l ′ = lnil () in release lk; () if !cntr = 0 then let lk = newlock () in else release lk; go l cntr lk (send_all l cntr lk || acquire lk; else recv_all l ′ cntr lk ); select cont; send (lpop l); let = recv in l ′ cntr ← !cntr + 1 cntr ← !cntr − 1; release lk; go l cntr lk release lk; go l ( − 1) cntr lk ; lcons l n o list l −∗ wp llength l . = |® list | ∗ l ↦→ ® n o isLock lk chaninv ∗ 1 ∗ l ↦→ (1⊸ ) ® −∗ wp send_all l cntr lk l ↦→ (1⊸ ) [ ] list list n o isLock lk chaninv ∗ l ↦→ [ ] −∗ wp recv_all l cntr lk ∃ ® . | ® | = ∗ l ↦→ ® list list Figure 6. A producer-consumer client for the computation service (The operations on lists llength, lnil, lisnil, and lpop, are standard and their code have thus been elided). modality (■), which ensures that it does not capture any Inductive kind := tty_kind | sty_kind. (* ⋆ or ♦ *) Inductive lty Σ : kind → Type := separation logic resources.6 We define two notations so that | Ltty: (val → iProp Σ) → lty Σ tty_kind the typing judgement can be used internally and externally. | Lsty: iProto Σ → lty Σ sty_kind. Notation ltty Σ := (lty Σ tty_kind). The second notation uses the validity predicate of Iris (⊢), Notation lsty Σ := (lty Σ sty_kind). which turns an iProp into a Prop. The semantic term typing judgement is defined as: Lemma ltyped_let Γ1 Γ2 Γ3 x e1 e2 A1 A2 : (Γ1 ⊨ e1 : A1 ⊨ Γ2) -∗ (ctx_cons x A1 Γ2 ⊨ e2: A2 ⊨ Γ3) -∗ Inductive ctx_item Σ := (Γ1 ⊨ (let: x := e1 in e2) : A2 ⊨ CtxItem { ctx_item_name: string; ctx_item_type: ltty Σ }. ctx_filter_eq x Γ2 ++ ctx_filter_ne x Γ3). Notation ctx Σ := (list (ctx_item Σ)). (* ltty_car: ltty Σ → (val → iProp Σ) is the inverse of Ltty *) The typing rule of let shows the handling of shadowing of Definition ltyped (Γ1 Γ2: ctx Σ) (e: expr) (A: ltty Σ) : iProp Σ := variables: ctx_cons x A1 Γ2 removes all bindings of x from Γ2 ■ ∀ vs, ctx_ltyped vs Γ1 -∗ WP subst_map vs e {{ v, ltty_car A v ∗ ctx_ltyped vs Γ2 }}. before adding the new binding, and ctx_filter_eq x Γ2 makes Notation "Γ1 ⊨ e : A ⊨ Γ2" := (ltyped Γ1 Γ2 e A) : bi_scope. sure that potentially overshadowed variables are preserved. Notation "Γ1 ⊨ e : A ⊨ Γ2" := (⊢ ltyped Γ1 Γ2 e A) : type_scope. Dealing with shadowing in the proof is trivial due to some The typing judgement is defined for the deeply-embedded general-purpose lemmas for Γ ⊨ (ctx_ltyped Γ vs in Coq). expressions expr of the (untyped) language HeapLang, which The proof of the typing rule is 9 lines of Coq code. is the default language shipped with Iris, and which is ex- The term type for kinded universal types is defined as: tended by the Actris framework with connectives for mes- Definition lty_forall {k} (C: lty Σ k → ltty Σ) : ltty Σ := Ltty ( w, ∀ X, WP w #() {{ ltty_car (C X) }}). sage passing. HeapLang, and thus our typing contexts ctx, Notation "∀ X, C" := (lty_forall ( X, C)): lty_scope. use strings for variables. Compared to e.g., De Bruijn indices Lemma ltyped_tlam Γ1 Γ2 Γ' e k (C: lty Σ k → ltty Σ) : or locally nameless, this makes it possible to write programs (∀ K, Γ1 ⊨ e: C K ⊨ []) -∗ in a human-readable way.5 (Γ1 ++ Γ2 ⊨ ( : , e) : (∀ X, C X) ⊨ Γ2). The typing judgement is identical to the definition in §2.3, but is defined as an internal notion in Iris, i.e., it is an Iris The universal type shows how the semantic approach allows proposition iProp instead of a Coq proposition Prop. This pro- binders to be modelled using Coq’s binders. The argument C of lty_forall is a Coq function, and thus the binding in the vides some additional flexibility in manual typing proofs, e.g., it makes it possible to prove typing judgements using notation ∀ X, C is simply achieved using a Coq lambda abstrac- Löb induction, without having to unfold the definition. To tion. This approach gives the same feeling of working with ensure that the typing judgement can be used as a ordinary higher-order abstract syntax [Pfenning and Elliott 1988], al- proposition of higher-logic in Iris, it contains the plainly beit being semantical instead of syntactical. The typing rule for type abstraction similarly uses Coq’s binders, where the 5 Since HeapLang’s operational semantics is defined on closed terms, the use of strings does not cause issues with variable capture. See also [Pierce 6 The plainly modality (■) is like the persistent modality (□), but additionally et al. 2020, Section STLC] for a discussion on the use of strings for variables. makes sure no persistent resources are captured. 11
∀ K in the premise implicitly ensures that K is fresh. The proof Thiemann and Vasconcelos [2020] introduced label depen- of this typing rule is 4 lines of code. dent session types, where tails can depend on the communi- The session type for selection (⊕) and branching (&) is: cated message, which allows for encoding choice using send and receive. This is similar to the encoding of our semantic Inductive action := Send | Recv. Definition lty_choice (a: action) (Ss: gmap Z (lsty Σ)) : lsty Σ := choice types in terms of Actris’s dependent send and receive. Lsty ( MSG #x {{ ⌜is_Some (Ss !! i)⌝ }}; While their work does not have asynchronous subtyping lsty_car (Ss !!! i)). or polymorphism, it supports recursive types over natural Lemma ltyped_select Γ (x: string) (i: Z) S Ss : numbers, with a recurser for type checking of such types. Γ !! x = Some (chan (lty_select Ss)) → Ss !! i = Some S → Balzer and Pfenning [2017]; Balzer et al. [2019] proposed Γ ⊨ select x #i : () ⊨ env_cons x (chan S) Γ. a session-type system that allows sharing of channels via locks. Their system contains unrestricted types that can be Since ⊕ and & are dual, this definition (as well as in many shared, linear types that cannot, and modalities to move other dual definitions, lemmas, and proofs) are factorised between the two through the use of locks. Our mutex type using the inductive type action. The syntax MSG works similarly with copyable types, but our system is more {{ }}; prot expands to Actris’s ! ® : ® ⟨ ⟩ { } . prot or ? ® : general, as the copyable types tie into Iris’s general-purpose ® ⟨ ⟩ { } . prot depending on the action a. The definition uses mechanisms for sharing. We can also impose mutexes on the finite map library gmap of std++ [The Coq-std++ Team only one endpoint of a channel, while they require mutual 2020], to represent the choices Ss. The notation Ss !!! i is the locking on both ends, and integrate manual typing proofs lookup function on maps, whose result is only well-defined of racy programs. They provide proofs for subject reduction if i is in the map Ss, as required by is_Some (Ss !! i). The no- and type preservation, not just for type safety, but also for tation ⌜_⌝ embeds a Coq Prop into Iris. The typing rule for deadlock freedom, which we do not consider. select requires the label i to be in the map Ss, and updates the channel S based on the label. The proof makes use of Actris’s Logical Relations. Logical relations have been studied proof rules, and is 6 lines. extensively in the context of Iris, for type safety of type sys- tems [Giarrusso et al. 2020; Jung et al. 2018a; Krebbers et al. 6 Related Work 2017b], program refinement [Frumin et al. 2018; Krebbers Session Types. Seminal work on subtyping for binary re- et al. 2017b; Krogh-Jespersen et al. 2017; Tassarotti et al. 2017; cursive session types for a synchronous pi-calculus was done Timany et al. 2018], robust safety [Swasey et al. 2017], and by Gay and Hole [2005]. Mostrous et al. [2009] expand on non-interference [Frumin et al. 2020]. The most immediately this work by adding support for multi-party asynchronous related work in this area is the RustBelt project [Jung et al. recursive session types, and later for higher-order process cal- 2018a], which uses logical relations to prove type safety and culi [Mostrous and Yoshida 2015]. These two works present datarace-freedom of a large subset of Rust and its standard the session subtyping relation with inverted orientations, libraries, focusing on Rust’s lifetime and borrowing mecha- inverting the sub- and supertypes, which has been discussed nism. RustBelt employs the foundational approach to logical by Gay [2016]. Our semantic session subtyping relation uses relations in its Coq development, from which we have drawn the same orientation as Gay and Hole. Mostrous et al. [2009] much inspiration. Giarrusso et al. [2020] used logical rela- also present an output-input swapping rule, which inspired tions in Iris to prove type safety of a version of Scala’s core our swapping rule in § 3.6, even though their type system calculus DOT, which has a rich notion of subtyping, but is is multi-party, as the idea is compatible with both session different in nature from session subtyping. type variants. They additionally claim that their subtyping is The connection between logic and session types has been decidable, it was later proven to not be the case by Bravetti studied through the Curry-Howard correspondence by e.g., et al. [2017], precisely because of the swapping rule. Caires and Pfenning [2010], Wadler [2012], Carbone et al. Gay [2008] introduced bounded polymorphic session types [2017], and Dardha and Gay [2018]. As part of this line of where branches contain type variables for term types with work, Perez et al. used logical relations to prove termina- upper and lower bounds. This work neither supports re- tion (strong normalisation) [Pérez et al. 2012] and conflu- cursive types, session subtyping, nor delegation, but Gay ence [Pérez et al. 2014] of session-based concurrent systems. hypothesised that recursion could be done. Dardha et al. [2012] expanded on this work by adding subtyping and del- Mechanisation of Session Types. Mechanisations per- egation, while still only conjecturing that recursion was a taining to session types are all fairly recent. There are two possible extension. Caires et al. [2013] devised a polymor- other mechanisations of session types in Iris. Tassarotti et al. phic session type system for the synchronous pi-calculus [2017] proved termination preserving refinements for a com- with existential and universal quantifiers at the type-level, piler from a session-typed language to a functional language but not at the session-level. However, like Gay’s work, their where message buffers are modelled on the heap. Hinrichsen system supports neither recursive types nor subtyping. et al. [2020a,b] developed the Actris mechanisation that this 12
work is built on top of. Both lines of work focus on different 278–285. properties than type safety. Ornela Dardha and Simon J. Gay. 2018. A New Linear Logic for Deadlock- Gay et al. [2020] explored various notions of duality, mech- Free Session-Typed Processes. In FOSSACS (LNCS, Vol. 10803). 91–109. Ornela Dardha, Elena Giachino, and Davide Sangiorgi. 2012. Session Types anising their results in Agda, and demonstrate that allowing Revisited. In PPDP. 139–150. duality to distribute over the recursive -operator yields an Derek Dreyer, Amal Ahmed, and Lars Birkedal. 2009. Logical Step-Indexed unsound system when type variables appear in messages. In Logical Relations. In LICS. 71–80. our setup duality does not distribute over , but recursive Derek Dreyer, Amin Timany, Robbert Krebbers, Lars Birkedal, and Ralf definitions must be unfolded to expose the session type be- Jung. 2019. What Type Soundness Theorem Do You Really Want to Prove? SIGPLAN blog post, available at https://blog.sigplan.org/2019/ fore duality can be applied. Even so, we can drop down to 10/17/what-type-soundness-theorem-do-you-really-want-to-prove/. Actris and use Löb induction to prove (subtyping) properties Dan Frumin, Robbert Krebbers, and Lars Birkedal. 2018. ReLoC: A Mecha- of recursive types and their duals. nised Relational Logic for Fine-Grained Concurrency. In LICS. 442–451. Castro et al. [2020] focused on the meta theory of binary Dan Frumin, Robbert Krebbers, and Lars Birkedal. 2020. Compositional session types for synchronous communication, and prove in Non-Interference for Fine-Grained Concurrent Programs. To appear in S&P’21. Coq, using the locally nameless approach to variable binding, Simon J. Gay. 2008. Bounded polymorphism in session types. MSCS 18, 5 subject reduction and that typing judgements are preserved (2008), 895–930. by structural congruence. Simon J. Gay. 2016. Subtyping Supports Safe Session Substitution. In A Thiemann [2019] mechanised an intrinsically-typed defini- List of Successes That Can Change the World - Essays Dedicated to Philip Wadler on the Occasion of His 60th Birthday. 95–108. tional interpreter for a session-typed language with recursive Simon J. Gay and Malcolm Hole. 2005. Subtyping for session types in the pi types and subtyping in Agda. The mechanisation did, how- calculus. Acta Informatica 42, 2-3 (2005), 191–225. ever, require a substantial amount of manual book keeping, in Simon J. Gay, Peter Thiemann, and Vasco T. Vasconcelos. 2020. Duality of particular for properties about resource separation. Rouvoet Session Types: The Final Cut. In PLACES (EPTCS, Vol. 314). 23–33. et al. [2020] streamlined the intrinsically-typed approach by Paolo G. Giarrusso, Léo Stefanesco, Amin Timany, Lars Birkedal, and Rob- developing separation logic like abstractions in Agda. They bert Krebbers. 2020. Scala step-by-step: soundness for DOT with step- indexed logical relations in Iris. PACMPL 4, ICFP (2020), 114:1–114:29. applied these abstractions to a small session-typed language Jonas Kastberg Hinrichsen, Jesper Bengtson, and Robbert Krebbers. 2020a. without recursive types, subtyping, or polymorphism. Actris 2.0: Asynchronous session-type based reasoning in separation logic. (2020). https://itu.dk/people/jkas/papers/actris2.pdf Draft. References Jonas Kastberg Hinrichsen, Jesper Bengtson, and Robbert Krebbers. 2020b. Actris: Session-type based reasoning in separation logic. PACMPL 4, Amal Ahmed. 2004. Semantics of types for mutable state. Ph.D. Dissertation. POPL (2020), 6:1–6:30. Princeton University. Kohei Honda, Vasco Thudichum Vasconcelos, and Makoto Kubo. 1998. Lan- Amal Ahmed, Andrew W. Appel, Christopher D. Richards, Kedar N. Swadi, guage Primitives and Type Discipline for Structured Communication- Gang Tan, and Daniel C. Wang. 2010. Semantic foundations for typed Based Programming. In ESOP (LNCS, Vol. 1381). 122–138. assembly languages. TOPLAS 32, 3 (2010), 7:1–7:67. Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. Anonymous Authors. 2020. Coq Mechanization of “Machine-Checked 2018a. RustBelt: Securing the Foundations of the Rust Programming Semantic Session Typing”. Available as anonymous supplementary Language. PACMPL 2, POPL (2018), 66:1–66:34. material in HotCRP. Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2020. Andrew W. Appel and David A. McAllester. 2001. An indexed model of Safe systems programming in Rust: The promise and the challenge. To recursive types for foundational proof-carrying code. TOPLAS 23, 5 appear in CACM. (2001), 657–683. Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer. 2016. Higher- Andrew W. Appel, Paul-André Melliès, Christopher D. Richards, and Jérôme Order Ghost State. In ICFP. 256–269. Vouillon. 2007. A very modal model of a modern, major, general type Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars system. In POPL. 109–122. Birkedal, and Derek Dreyer. 2018b. Iris From the Ground Up: A Modu- Stephanie Balzer and Frank Pfenning. 2017. Manifest Sharing with Session lar Foundation for Higher-Order Concurrent Separation Logic. JFP 28 Types. PACMPL 1, ICFP (2017), 37:1–37:29. (2018), e20. Stephanie Balzer, Bernardo Toninho, and Frank Pfenning. 2019. Manifest Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Deadlock-Freedom for Shared Session Types. In ESOP (LNCS, Vol. 11423). Lars Birkedal, and Derek Dreyer. 2015. Iris: Monoids and Invariants as 611–639. an Orthogonal Basis for Concurrent Reasoning. In POPL. 637–650. Mario Bravetti, Marco Carbone, and Gianluigi Zavattaro. 2017. Undecidabil- Robbert Krebbers, Jacques-Henri Jourdan, Ralf Jung, Joseph Tassarotti, Jan- ity of asynchronous session subtyping. Information and Computation Oliver Kaiser, Amin Timany, Arthur Charguéraud, and Derek Dreyer. 256 (2017), 300–320. 2018. MoSeL: A General, Extensible Modal Framework for Interactive Luís Caires, Jorge A. Pérez, Frank Pfenning, and Bernardo Toninho. 2013. Proofs in Separation Logic. PACMPL 2, ICFP (2018), 77:1–77:30. Behavioral Polymorphism and Parametricity in Session-Based Commu- Robbert Krebbers, Ralf Jung, Ales Bizjak, Jacques-Henri Jourdan, Derek nication. In ESOP (LNCS, Vol. 7792). 330–349. Dreyer, and Lars Birkedal. 2017a. The Essence of Higher-Order Concur- Luís Caires and Frank Pfenning. 2010. Session Types as Intuitionistic Linear rent Separation Logic. In ESOP (LNCS, Vol. 10201). 696–723. Propositions. In CONCUR (LNCS, Vol. 6269). 222–236. Robbert Krebbers, Amin Timany, and Lars Birkedal. 2017b. Interactive Marco Carbone, Fabrizio Montesi, Carsten Schürmann, and Nobuko Yoshida. Proofs in Higher-Order Concurrent Separation Logic. In POPL. 205–217. 2017. Multiparty session types as coherence proofs. Acta Informatica 54, Morten Krogh-Jespersen, Kasper Svendsen, and Lars Birkedal. 2017. A rela- 3 (2017), 243–269. tional model of types-and-effects in higher-order concurrent separation David Castro, Francisco Ferreira, and Nobuko Yoshida. 2020. EMTST: Engi- logic. In POPL. 218–231. neering the Meta-theory of Session Types. In TACAS (LNCS, Vol. 12079). 13
Dimitris Mostrous and Nobuko Yoshida. 2015. Session typing and asyn- chronous subtyping for the higher-order -calculus. Information and Computation 241 (2015), 227–263. Dimitris Mostrous, Nobuko Yoshida, and Kohei Honda. 2009. Global Princi- pal Typing in Partially Commutative Asynchronous Sessions. In ESOP (LNCS, Vol. 5502). 316–332. Jorge A. Pérez, Luís Caires, Frank Pfenning, and Bernardo Toninho. 2012. Linear Logical Relations for Session-Based Concurrency. In ESOP (LNCS, Vol. 7211). 539–558. Jorge A. Pérez, Luís Caires, Frank Pfenning, and Bernardo Toninho. 2014. Linear logical relations and observational equivalences for session-based concurrency. Information and Computation 239 (2014), 254–302. Frank Pfenning and Conal Elliott. 1988. Higher-Order Abstract Syntax. In PLDI. 199–208. Benjamin C. Pierce et al. 2020. Programming Language Foundations. https: //softwarefoundations.cis.upenn.edu/plf-current/index.html Arjen Rouvoet, Casper Bach Poulsen, Robbert Krebbers, and Eelco Visser. 2020. Intrinsically-typed definitional interpreters for linear, session- typed languages. In CPP. ACM, 284–298. David Swasey, Deepak Garg, and Derek Dreyer. 2017. Robust and compo- sitional verification of object capability patterns. PACMPL 1, OOPSLA (2017), 89:1–89:26. Joseph Tassarotti, Ralf Jung, and Robert Harper. 2017. A Higher-Order Logic for Concurrent Termination-Preserving Refinement. In ESOP (LNCS, Vol. 10201). 909–936. The Coq-std++ Team. 2020. An extended “standard library” for Coq. Avail- able online at https://gitlab.mpi-sws.org/iris/stdpp. Peter Thiemann. 2019. Intrinsically-Typed Mechanized Semantics for Ses- sion Types. In PPDP. 19:1–19:15. Peter Thiemann and Vasco T. Vasconcelos. 2020. Label-dependent session types. Proc. ACM Program. Lang. 4, POPL (2020), 67:1–67:29. Amin Timany, Léo Stefanesco, Morten Krogh-Jespersen, and Lars Birkedal. 2018. A logical relation for monadic encapsulation of state: Proving contextual equivalences in the presence of runST. PACMPL 2, POPL (2018), 64:1–64:28. Philip Wadler. 2012. Propositions as sessions. In ICFP. 273–286. Andrew K. Wright. 1995. Simple Imperative Polymorphism. Lisp and Symbolic Computation 8, 4 (1995), 343–355. 14
You can also read