Shared Session Types for Safe, Practical Concurrencybalzers/publications/safe_concurrency.pdf ·...

Shared Session Types for Safe, Practical Concurrency1

Stephanie Balzer Carnegie Mellon University

Typelevel Summit Philadelphia 2019

1 Supported by a Mozilla Research Grant and NSF Grant No. CCF-1718267

Concurrency is ubiquitous

�2

Concurrency is ubiquitous

The world surrounding us is inherently concurrent

�2

Concurrency is ubiquitous

The world surrounding us is inherently concurrent

�2

Concurrency is ubiquitous

The world surrounding us is inherently concurrent

�2

Concurrency is ubiquitous

The world surrounding us is inherently concurrent

�2

Concurrency is ubiquitous

The world surrounding us is inherently concurrent

�2

Concurrency is ubiquitous

The world surrounding us is inherently concurrent

�2

Concurrency is ubiquitous

�3

The world surrounding us is inherently concurrent

Concurrency is ubiquitous

Many programming problems demand concurrency • Flight booking system, online store, search engines, etc.

�3

The world surrounding us is inherently concurrent

Concurrency is ubiquitous

Many programming problems demand concurrency • Flight booking system, online store, search engines, etc.

Computing devices themselves are concurrent • Run various apps concurrently

�3

The world surrounding us is inherently concurrent

Concurrency is ubiquitous

Many programming problems demand concurrency • Flight booking system, online store, search engines, etc.

Computing devices themselves are concurrent • Run various apps concurrently

�3

programming languages must support concurrency

The world surrounding us is inherently concurrent

Concurrency is ubiquitous

Many programming problems demand concurrency • Flight booking system, online store, search engines, etc.

Computing devices themselves are concurrent • Run various apps concurrently

�3

programming languages must support concurrency

concurrent programming is notoriously difficult and error-prone

The world surrounding us is inherently concurrent

Two models for concurrent programming

�4

Two models for concurrent programming

�4

Legend: concurrently executing component

shared dataread/write

Shared memory

Two models for concurrent programming

�4

Legend: concurrently executing component

shared dataread/write

Shared memory

message

Message-passing

Two models for concurrent programming

�4

Legend: concurrently executing component

shared dataread/write

Shared memory

message

Message-passing

• computation by reading fromand writing to shared data

Two models for concurrent programming

�4

Legend: concurrently executing component

shared dataread/write

Shared memory

message

Message-passing

• computation by reading fromand writing to shared data

• computation by exchangeof messages

Two models for concurrent programming

�4

Legend: concurrently executing component

shared dataread/write

Shared memory

message

Message-passing

• computation by reading fromand writing to shared data

• computation by exchangeof messages

message-passing offers higher-level of abstraction

Two models for concurrent programming

�4

Legend: concurrently executing component

shared dataread/write

Shared memory

message

Message-passing

• computation by reading fromand writing to shared data

• computation by exchangeof messages

message-passing offers higher-level of abstraction

message-passing adopted by practical languages such as Erlang, Go, and Rust.

My research

�5

My research

�5

Goal: make concurrent programming safe and practical

My research

�5

Goal: make concurrent programming safe and practical

message-passing model

session types to express protocols of message exchange and reason sequentially about communicating parties

My research

�5

Goal: make concurrent programming safe and practical

message-passing model

Contributions:

session types to express protocols of message exchange and reason sequentially about communicating parties

My research

�5

Goal: make concurrent programming safe and practical

message-passing model

Contributions:shared session types

session types to express protocols of message exchange and reason sequentially about communicating parties

My research

�5

Goal: make concurrent programming safe and practical

message-passing model

Contributions:shared session types

accommodate real-world programming scenarios

guarantee protocol adherence, data-race-freedom, and deadlock-freedom

session types to express protocols of message exchange and reason sequentially about communicating parties

Session types, what are they? Why do we need them in practice?

�6

Message-passing concurrency in Servo

�7

Message-passing concurrency in Servo

• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.

• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.

�7

Message-passing concurrency in Servo

• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.

• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.

�7

Image loader:

Message-passing concurrency in Servo

• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.

• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.

�7

ImageCache

Image loader:

Message-passing concurrency in Servo

• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.

• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.

�7

ImageCache Client

CmdReceiver

Legend: channelcomponent, runs in separate thread

Image loader:

Message-passing concurrency in Servo

• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.

• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.

�7

ResourceThread ImageCache Client

CmdReceiver

Legend: channelcomponent, runs in separate thread

Image loader:

Message-passing concurrency in Servo

• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.

• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.

�7

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

Image loader:

Message-passing concurrency in Servo

• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.

• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.

�7

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

request

Image loader:

Message-passing concurrency in Servo

• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.

• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.

�8

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

Image loader:

Message-passing concurrency in Servo

• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.

• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.

�8

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

exit

Image loader:

Message-passing concurrency in Servo

• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.

• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.

�9

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

Image loader:

Message-passing concurrency in Servo

• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.

• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.

�9

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

kill

Image loader:

Message-passing concurrency in Servo

�10

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

Image loader:

Message-passing concurrency in Servo

�10

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

To restrict the kinds of messages that can be sent over a channel, Rust channels are typed with enumeration types.

Image loader:

Message-passing concurrency in Servo

�10

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

To restrict the kinds of messages that can be sent over a channel, Rust channels are typed with enumeration types.

Image loader:

Example: enumeration for ImageCache

Message-passing concurrency in Servo

�11

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

Image loader:

Message-passing concurrency in Servo

�11

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }

Image loader:

Message-passing concurrency in Servo

�11

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }

Image loader:

Message-passing concurrency in Servo

�11

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }

one variant for each message

Image loader:

Message-passing concurrency in Servo

�12

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }

Image loader:

Message-passing concurrency in Servo

�12

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }

Image loader:

Message-passing concurrency in Servo

�12

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }

implicit protocolImage loader:

Message-passing concurrency in Servo

�12

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: channelcomponent, runs in separate thread

pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }

implicit protocolImage loader:

protocol breaches result in proliferation of panic! and

infinite waiting

Message-passing concurrency in Servo

�13

pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }

implicit protocol

protocol breaches result in proliferation of panic! and

infinite waiting

Message-passing concurrency in Servo

�13

pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }

implicit protocol

enumeration types ensure that only defined messages can be communicated along a channel

protocol breaches result in proliferation of panic! and

infinite waiting

Message-passing concurrency in Servo

�13

pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }

implicit protocol

enumeration types ensure that only defined messages can be communicated along a channel

enumeration types fail to ensure that messages are sent according to the intended protocol

protocol breaches result in proliferation of panic! and

infinite waiting

Message-passing concurrency in Servo

�13

pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }

implicit protocol

enumeration types ensure that only defined messages can be communicated along a channel

enumeration types fail to ensure that messages are sent according to the intended protocol

let’s use session types!

protocol breaches result in proliferation of panic! and

infinite waiting

Session types

�14

Session types

�14

Session types define protocols of message exchange.

Session types

�14

Session types define protocols of message exchange.

“protocol = sequence of actions”

Session types

�14

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

Session types

�14

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

client chooses among sending

one of the labels li

Session types

�15

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

Session types

�15

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

provider chooses among sending

one of the labels li

Session types

�16

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

Session types

�16

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

client sends channel reference of

type A

Session types

�17

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

Session types

�17

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

provider sends channel reference of

type A

Session types

�18

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

Session types

�18

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .provider terminates

Session types

�18

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

Session types

�19

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

Session types

�19

Session types define protocols of message exchange.

“protocol = sequence of actions”

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

support communication of

values

Session type for image loader

�20

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

Session type for image loader

�20

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

Session type for image loader

�21

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

Session type for image loader

�22

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

Session type for image loader

�23

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

Session type for image loader

�24

A,B , N{li : Ai} external choice

�{li : Ai} internal choice

A ( B channel input

A⌦B channel output

1 termination

T ! A value input

T ⇥A value output

T , int | string | . . .

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

Session type for image loader

�25

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

Session type for image loader

�25

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Session type for image loader

�25

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Session type for image loader

�25

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

ImgCacheCmd

Session type for image loader

�25

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

RequestImage

ImgCacheCmd

Session type for image loader

�26

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Session type for image loader

�26

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

string ! Requester ( ImgCacheCmd

Session type for image loader

�26

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

“http://…”

string ! Requester ( ImgCacheCmd

Session type for image loader

�27

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Requester ( ImgCacheCmd

Session type for image loader

�27

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

c

Requester ( ImgCacheCmd

Session type for image loader

�28

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

ImgCacheCmd

Session type for image loader

�28

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Exit

ImgCacheCmd

Session type for image loader

�29

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

�{Running : ImgCacheCmd,Done : ResourceThread⌦ 1}

Session type for image loader

�29

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Running

�{Running : ImgCacheCmd,Done : ResourceThread⌦ 1}

Session type for image loader

�30

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

ImgCacheCmd

Session type for image loader

�30

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

ImgCacheCmd

Session type for image loader

�31

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

ImgCacheCmd

components change their session type along with message exchange

Taking stock

�32

Taking stock

• Session types make explicit the protocols of message exchange between concurrently executing components.

�32

Taking stock

• Session types make explicit the protocols of message exchange between concurrently executing components.

• Typing ensures protocol adherence.

�32

Taking stock

• Session types make explicit the protocols of message exchange between concurrently executing components.

• Typing ensures protocol adherence.

• Types make explicit interdependencies between components, enabling sequential reasoning about a component.

�32

Taking stock

• Session types make explicit the protocols of message exchange between concurrently executing components.

• Typing ensures protocol adherence.

• Types make explicit interdependencies between components, enabling sequential reasoning about a component.

�32

Session types are the types of message-passing concurrency.

Session types in research and practice

�33

Session types in research and practice

Research • active research area since inception in 90s [Honda 1993] • logical reconstruction based on linear logic, providing strong

guarantees [Caires & Pfenning 2010, Wadler 2012] • extension of logical session types to sharing [Balzer & Pfenning ICFP

2017, Balzer et al. CONCUR 2018, Balzer et al. ESOP 2019]

�33

Session types in research and practice

Research • active research area since inception in 90s [Honda 1993] • logical reconstruction based on linear logic, providing strong

guarantees [Caires & Pfenning 2010, Wadler 2012] • extension of logical session types to sharing [Balzer & Pfenning ICFP

2017, Balzer et al. CONCUR 2018, Balzer et al. ESOP 2019]

Practice • Lightweight integration of session types or session libraries (with

varying static guarantees) into Scala, Java, Haskell, OCaml, Go, Rust, Python.

• Collaboration with Mozilla Research on integrating our work.

�33

Session types in research and practice

Research • active research area since inception in 90s [Honda 1993] • logical reconstruction based on linear logic, providing strong

guarantees [Caires & Pfenning 2010, Wadler 2012] • extension of logical session types to sharing [Balzer & Pfenning ICFP

2017, Balzer et al. CONCUR 2018, Balzer et al. ESOP 2019]

Practice • Lightweight integration of session types or session libraries (with

varying static guarantees) into Scala, Java, Haskell, OCaml, Go, Rust, Python.

• Collaboration with Mozilla Research on integrating our work.

�33

Logic-based shared session types

�34

Linear logic session types

�35

Linear logic session types

Provide strong guarantees: • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)

�35

Linear logic session types

Provide strong guarantees: • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)

�35

exactly one client

Linear logic session types

Provide strong guarantees: • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)

�35

exactly one client

processes graph forms a tree at run-time

Linear logic session types

Provide strong guarantees • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)

But, they rule out sharing

�36

Linear logic session types

Provide strong guarantees • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)

But, they rule out sharing

�36

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Linear logic session types

Provide strong guarantees • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)

But, they rule out sharing

�36

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

both CmdReceiver and Client communicate with

ImageCache

Linear logic session types

Provide strong guarantees • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)

But, they rule out sharing

�37

Linear logic session types cannot accommodate certain practical programming scenarios.

Linear logic session types

Provide strong guarantees • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)

But, they rule out sharing

�37

Let’s introduce sharing while maintaining above guarantees.

Linear logic session types cannot accommodate certain practical programming scenarios.

Challenges of sharing

�38

Challenges of sharing

�38

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Challenges of sharing

�38

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

ImgCacheCmd

Challenges of sharing

�38

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

RequestImage

ImgCacheCmd

Challenges of sharing

�39

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

string ! Requester ( ImgCacheCmd

Challenges of sharing

�39

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ImageCache:

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Exit

string ! Requester ( ImgCacheCmd

protocol violated!

Challenges of sharing

�40

ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

How to restore protocol adherence in the presence of sharing (a.k.a. aliasing)?

Idea: acquire-release

�41

Idea: acquire-release

�41

Clients of shared channels must communicate along that channel in mutual exclusion from each other.

Idea: acquire-release

�41

Clients of shared channels must communicate along that channel in mutual exclusion from each other.

Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.

Idea: acquire-release

�41

Clients of shared channels must communicate along that channel in mutual exclusion from each other.

Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Idea: acquire-release

�42

Clients of shared channels must communicate along that channel in mutual exclusion from each other.

Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel

Idea: acquire-release

�42

Clients of shared channels must communicate along that channel in mutual exclusion from each other.

Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel

acquire

Idea: acquire-release

�43

Clients of shared channels must communicate along that channel in mutual exclusion from each other.

Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

Idea: acquire-release

�43

Clients of shared channels must communicate along that channel in mutual exclusion from each other.

Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

critical section

Idea: acquire-release

�43

Clients of shared channels must communicate along that channel in mutual exclusion from each other.

Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

release

Legend: shared channel linear channel

critical section

Idea: acquire-release

�44

Clients of shared channels must communicate along that channel in mutual exclusion from each other.

Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

Have we restored protocol adherence?

�45

Have we restored protocol adherence?

�45

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

Have we restored protocol adherence?

�45

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

ImageCache: ImgCacheCmd

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

Have we restored protocol adherence?

�45

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

acquire

ImageCache: ImgCacheCmd

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

Have we restored protocol adherence?

�46

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

ImageCache: ImgCacheCmd

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

Have we restored protocol adherence?

�46

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

ImageCache: ImgCacheCmd

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

RequestImage

Have we restored protocol adherence?

�47

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

ImageCache:

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

string ! Requester ( ImgCacheCmd

Have we restored protocol adherence?

�47

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

ImageCache:

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

release

string ! Requester ( ImgCacheCmd

Have we restored protocol adherence?

�48

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

ImageCache:

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

string ! Requester ( ImgCacheCmd

Have we restored protocol adherence?

�48

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

ImageCache:

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

string ! Requester ( ImgCacheCmd

acquire

Have we restored protocol adherence?

�49

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

ImageCache:

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

string ! Requester ( ImgCacheCmd

Have we restored protocol adherence?

�49

ResourceThread ImageCache Client

CmdReceiver

Decoder1 Decodern

Legend: shared channel linear channel

ImageCache:

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,

Done : ResourceThread⌦ 1}}

string ! Requester ( ImgCacheCmd

Exit

protocol violated!

Idea: equi-synchronizing

�50

Idea: equi-synchronizing

�50

In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:

Idea: equi-synchronizing

�50

i.e., shared channels must be released back to the same type at which they were acquired, if released.

In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:

Idea: equi-synchronizing

�50

i.e., shared channels must be released back to the same type at which they were acquired, if released.

In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,

Running : ImgCacheCmd}}

Idea: equi-synchronizing

�50

i.e., shared channels must be released back to the same type at which they were acquired, if released.

In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:

acquire

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,

Running : ImgCacheCmd}}

Idea: equi-synchronizing

�50

i.e., shared channels must be released back to the same type at which they were acquired, if released.

In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:

acquire

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,

Running : ImgCacheCmd}}

release

Idea: equi-synchronizing

�50

i.e., shared channels must be released back to the same type at which they were acquired, if released.

In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:

acquire

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,

Running : ImgCacheCmd}}

release✓

Idea: equi-synchronizing

�50

i.e., shared channels must be released back to the same type at which they were acquired, if released.

In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:

acquire

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,

Running : ImgCacheCmd}}

release

release

✓

Idea: equi-synchronizing

�50

i.e., shared channels must be released back to the same type at which they were acquired, if released.

In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:

acquire

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,

Running : ImgCacheCmd}}

release

release

✓

✓

Idea: equi-synchronizing

�50

i.e., shared channels must be released back to the same type at which they were acquired, if released.

In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:

acquire

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,

Running : ImgCacheCmd}}

release

release

release ✓

✓

Idea: equi-synchronizing

�50

i.e., shared channels must be released back to the same type at which they were acquired, if released.

In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:

acquire

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,

Running : ImgCacheCmd}}

release

release

release ✓✗

✓

Taking stock

�51

Taking stock

�51

Acquire-release + equi-synchronizing:

Taking stock

�51

Acquire-release + equi-synchronizing:

restore protocol adherence;

Taking stock

�51

Acquire-release + equi-synchronizing:

restore protocol adherence;

guarantee freedom of (high-level) data races because execution between acquire-release is atomic.

Taking stock

�51

Acquire-release + equi-synchronizing:

restore protocol adherence;

guarantee freedom of (high-level) data races because execution between acquire-release is atomic.

We could state the policy of acquire-release and equi-synchronizing as a programming methodology.

Taking stock

�51

Acquire-release + equi-synchronizing:

restore protocol adherence;

guarantee freedom of (high-level) data races because execution between acquire-release is atomic.

We could state the policy of acquire-release and equi-synchronizing as a programming methodology.

But, why not lift this policy to the type level and have it enforced statically?

Manifest sharing

�52

Manifest sharing

�52

Manifest sharing

�52

acquire

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,

Running : ImgCacheCmd}}

release

release

Manifest sharing

�52

acquire

ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,

Running : ImgCacheCmd}}

release

release

Legend: shared phase linear phase

Manifest sharing

�53

Manifest sharing

�53

Stratify session types into a linear and shared layer

Manifest sharing

�53

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Stratify session types into a linear and shared layer

Manifest sharing

�53

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Stratify session types into a linear and shared layer

Connect layers with modalities going back and forth

Manifest sharing

�53

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Stratify session types into a linear and shared layer

Connect layers with modalities going back and forth

Manifest sharing

�53

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Stratify session types into a linear and shared layer

Connect layers with modalities going back and forth

Support communication of shared channels

Manifest sharing

�53

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Stratify session types into a linear and shared layer

Connect layers with modalities going back and forth

Support communication of shared channels

Manifest sharing

�54

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Manifest sharing

�54

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

ImgCacheCmd = "S

L N{RequestImage : string ! Requester ( #S

L ImgCacheCmd,

Exit : � {Done : ResourceThread⌦ 1,

Running : #S

L ImgCacheCmd}}

Manifest sharing

�54

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

ImgCacheCmd = "S

L N{RequestImage : string ! Requester ( #S

L ImgCacheCmd,

Exit : � {Done : ResourceThread⌦ 1,

Running : #S

L ImgCacheCmd}}

Manifest sharing

�54

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

ImgCacheCmd = "S

L N{RequestImage : string ! Requester ( #S

L ImgCacheCmd,

Exit : � {Done : ResourceThread⌦ 1,

Running : #S

L ImgCacheCmd}}

Manifest sharing

�54

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Up and down shifts denote acquire and release, resp.

ImgCacheCmd = "S

L N{RequestImage : string ! Requester ( #S

L ImgCacheCmd,

Exit : � {Done : ResourceThread⌦ 1,

Running : #S

L ImgCacheCmd}}

Typing judgments

�55

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Typing judgments

�55

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:

Typing judgments

�55

�; � �⌃ P ∶∶ (xL ∶ AL)� �⌃ P ∶∶ (xS ∶ AS)

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:

Typing judgments

�55

�; � �⌃ P ∶∶ (xL ∶ AL)� �⌃ P ∶∶ (xS ∶ AS)

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:

“Process P provides session of type Am along xm using channels in (� and) �.”

Typing judgments

�55

�; � �⌃ P ∶∶ (xL ∶ AL)� �⌃ P ∶∶ (xS ∶ AS)

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:

“Process P provides session of type Am along xm using channels in (� and) �.”

shared (structural) context

Typing judgments

�56

�; � �⌃ P ∶∶ (xL ∶ AL)� �⌃ P ∶∶ (xS ∶ AS)

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:

“Process P provides session of type Am along xm using channels in (� and) �.”

Typing judgments

�56

�; � �⌃ P ∶∶ (xL ∶ AL)� �⌃ P ∶∶ (xS ∶ AS)

AS � ↑SLAL

AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL

Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:

“Process P provides session of type Am along xm using channels in (� and) �.”

linear (substructural) context

Typing of acquire

�57

Typing of acquire

�57

�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)

Typing of acquire

�57

�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)

Typing of acquire

�57

�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)

�; ⋅ �⌃ PxL ∶∶ (xL ∶ AL)� �⌃ xL ← accept xS ;PxL ∶∶ (xS ∶↑SL AL) (T-↑SLR)

Typing of acquire

�57

�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)

�; ⋅ �⌃ PxL ∶∶ (xL ∶ AL)� �⌃ xL ← accept xS ;PxL ∶∶ (xS ∶↑SL AL) (T-↑SLR)

Typing of release

�58

Typing of release

�58

�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)

Typing of release

�58

�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)

Typing of release

�58

�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)

� �⌃ PxS ∶∶ (xS ∶ AS)�; ⋅ �⌃ xS ← detach xL ;PxS ∶∶ (xL ∶↓SL AS) (T-↓SLR)

Typing of release

�58

�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)

� �⌃ PxS ∶∶ (xS ∶ AS)�; ⋅ �⌃ xS ← detach xL ;PxS ∶∶ (xL ∶↓SL AS) (T-↓SLR)

Taking stock

�59

Taking stock

�59

We have a session type system that allows shared and linear channels to coexist and guarantees:

data-race-freedom (low-level and high-level)

protocol adherence

Taking stock

�59

We have a session type system that allows shared and linear channels to coexist and guarantees:

data-race-freedom (low-level and high-level)

protocol adherence

What about deadlock-freedom?

Why are linear session types deadlock-free?

�60

Why are linear session types deadlock-free?

�60

Linearity (“exactly one client”) turns process graph into a tree.

Why are linear session types deadlock-free?

�60

a

b c d

e f g

parent: client

child: provider

Linearity (“exactly one client”) turns process graph into a tree.

Legend: linear channel

Why are linear session types deadlock-free?

�61

a

b c d

e f g

Legend: linear channel

Linearity (“exactly one client”) turns process graph into a tree.

Why are linear session types deadlock-free?

What are the threats to progress?

�61

a

b c d

e f g

Legend: linear channel

Linearity (“exactly one client”) turns process graph into a tree.

Why are linear session types deadlock-free?

What are the threats to progress?• Two scenarios:

�61

a

b c d

e f g

Legend: linear channel

Linearity (“exactly one client”) turns process graph into a tree.

Why are linear session types deadlock-free?

What are the threats to progress?• Two scenarios:

• provider ready to synchronize, client not

�61

a

b c d

e f g

Legend: linear channel

Linearity (“exactly one client”) turns process graph into a tree.

Why are linear session types deadlock-free?

What are the threats to progress?• Two scenarios:

• provider ready to synchronize, client not• client ready to synchronize, provider not

�61

a

b c d

e f g

Legend: linear channel

Linearity (“exactly one client”) turns process graph into a tree.

Why are linear session types deadlock-free?

What are the threats to progress?• Two scenarios:

• provider ready to synchronize, client not• client ready to synchronize, provider not

• Let’s visualize this waiting dependency with a green arrow

�61

a

b c d

e f g

Legend: linear channel

Linearity (“exactly one client”) turns process graph into a tree.

Why are linear session types deadlock-free?

What are the threats to progress?• Two scenarios:

• provider ready to synchronize, client not• client ready to synchronize, provider not

• Let’s visualize this waiting dependency with a green arrow

�61

a

b c d

e f g

Legend: linear channel a b “a waits for b”

Linearity (“exactly one client”) turns process graph into a tree.

Why are linear session types deadlock-free?

What are the threats to progress?• Two scenarios:

• provider ready to synchronize, client not• client ready to synchronize, provider not

• Let’s visualize this waiting dependency with a green arrow

�61

a

b c d

e f g

Legend: linear channel a b “a waits for b”

Linearity (“exactly one client”) turns process graph into a tree.

Why are linear session types deadlock-free?

What are the threats to progress?• Two scenarios:

• provider ready to synchronize, client not• client ready to synchronize, provider not

• Let’s visualize this waiting dependency with a green arrow

�61

a

b c d

e f g

Legend: linear channel a b “a waits for b”

No green cycles: green arrows can only go along linear channels, and client and provider cannot both be waiting for each other.

Linearity (“exactly one client”) turns process graph into a tree.

Let’s add sharing

�62

Let’s add sharing

�62

We get a graph of linear and shared processes, with a linear tree inside.

Let’s add sharing

�62

a

b c d

e f g

We get a graph of linear and shared processes, with a linear tree inside.

Legend: linear channel linear process

shared channel

shared process

Let’s add sharing

�62

a

b c d

e f g

We get a graph of linear and shared processes, with a linear tree inside.

Legend: linear channel linear process

shared channel

shared process

Let’s add sharing

�63

a

b c d

e f g

We get a graph of linear and shared processes, with a linear tree inside.

Legend: linear channel linear process

shared channel

shared process

Let’s add sharing

�63

a

b c d

e f g

We get a graph of linear and shared processes, with a linear tree inside.

Legend: linear channel linear process

shared channel

shared process

Acquire-release amounts to “locking”

Let’s add sharing

�63

a

b c d

e f g

We get a graph of linear and shared processes, with a linear tree inside.

Legend: linear channel linear process

shared channel

shared process

Acquire-release amounts to “locking”• Possibility of cyclic dependencies

Let’s add sharing

�63

a

b c d

e f g

We get a graph of linear and shared processes, with a linear tree inside.

Legend: linear channel linear process

shared channel

shared process

Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency

with a red arrow

Let’s add sharing

�63

a

b c d

e f g

We get a graph of linear and shared processes, with a linear tree inside.

Legend: linear channel linear process

shared channel

shared process

Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency

with a red arrow

a b “a waits for b to release resource”

Let’s add sharing

�63

a

b c d

e f g

We get a graph of linear and shared processes, with a linear tree inside.

Legend: linear channel linear process

shared channel

shared process

Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency

with a red arrow

a b “a waits for b to release resource”

Let’s add sharing

�63

a

b c d

e f g

We get a graph of linear and shared processes, with a linear tree inside.

Legend: linear channel linear process

shared channel

shared process

Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency

with a red arrow

a b “a waits for b to release resource”

Let’s add sharing

�63

a

b c d

e f g

We get a graph of linear and shared processes, with a linear tree inside.

Legend: linear channel linear process

shared channel

shared process

Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency

with a red arrow

a b “a waits for b to release resource”

Let’s add sharing

�63

a

b c d

e f g

We get a graph of linear and shared processes, with a linear tree inside.

Legend: linear channel linear process

shared channel

shared process

Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency

with a red arrow• Note: red arrows can connect arbitrary

nodes

a b “a waits for b to release resource”

Can we re-establish deadlock-freedom?

�64

Can we re-establish deadlock-freedom?

An enticing solution: “locking up” • Impose a partial order on resources. • Ensure that resources are acquired (“locked”) in increasing order.

�64

Can we re-establish deadlock-freedom?

An enticing solution: “locking up” • Impose a partial order on resources. • Ensure that resources are acquired (“locked”) in increasing order.

�64

However, cyclic dependencies between acquire requests are not the only source of deadlock!

Can we re-establish deadlock-freedom?

An enticing solution: “locking up” • Impose a partial order on resources. • Ensure that resources are acquired (“locked”) in increasing order.

�64

However, cyclic dependencies between acquire requests are not the only source of deadlock!

Two Forms of waiting dependencies:

Can we re-establish deadlock-freedom?

An enticing solution: “locking up” • Impose a partial order on resources. • Ensure that resources are acquired (“locked”) in increasing order.

�64

However, cyclic dependencies between acquire requests are not the only source of deadlock!

Two Forms of waiting dependencies:• waiting to synchronize: a b “a waits for b to synchronize”

Can we re-establish deadlock-freedom?

An enticing solution: “locking up” • Impose a partial order on resources. • Ensure that resources are acquired (“locked”) in increasing order.

�64

However, cyclic dependencies between acquire requests are not the only source of deadlock!

Two Forms of waiting dependencies:• waiting to synchronize:• waiting to release:

a b “a waits for b to synchronize”a b “a waits for b to release resource”

Can we re-establish deadlock-freedom?

�65

Two Forms of waiting dependencies: • waiting to synchronize: • waiting to release:

a b “a waits for b to synchronize”a b “a waits for b to release resource”

Can we re-establish deadlock-freedom?

�65

Two Forms of waiting dependencies: • waiting to synchronize: • waiting to release:

a b “a waits for b to synchronize”a b “a waits for b to release resource”

a

b c d

e f g

Can we re-establish deadlock-freedom?

�65

Two Forms of waiting dependencies: • waiting to synchronize: • waiting to release:

a b “a waits for b to synchronize”a b “a waits for b to release resource”

a

b c d

e f g

a

b d d

e f g

Can we re-establish deadlock-freedom?

�65

Two Forms of waiting dependencies: • waiting to synchronize: • waiting to release:

a b “a waits for b to synchronize”a b “a waits for b to release resource”

a

b c d

e f g

a

b d d

e f g

Cycles can consist of red arrows only or a combination of red and green arrows.

Idea: competitors and collaborators

�66

Idea: competitors and collaborators

�66

Competitors: overlap in set of resources acquired

Idea: competitors and collaborators

�66

Competitors: overlap in set of resources acquired

Collaborators: do not overlap in set of resources acquired

Idea: competitors and collaborators

�66

Notice: a resource acquired becomes a child of the acquirer

Competitors: overlap in set of resources acquired

Collaborators: do not overlap in set of resources acquired

Idea: competitors and collaborators

�66

a

Notice: a resource acquired becomes a child of the acquirer

b c

12

Competitors: overlap in set of resources acquired

Collaborators: do not overlap in set of resources acquired

Idea: competitors and collaborators

�67

a

Notice: a resource acquired becomes a child of the acquirer

b c

1

2

Competitors: overlap in set of resources acquired

Collaborators: do not overlap in set of resources acquired

Idea: competitors and collaborators

�68

a

Notice: a resource acquired becomes a child of the acquirer

b c

1 2

Competitors: overlap in set of resources acquired

Collaborators: do not overlap in set of resources acquired

Idea: competitors and collaborators

�69

a

Notice: a resource acquired becomes a child of the acquirer

b c

1 2

Competitors: overlap in set of resources acquired

Collaborators: do not overlap in set of resources acquired

competitors tend to be siblings

Idea: competitors and collaborators

�69

a

Notice: a resource acquired becomes a child of the acquirer

b c

1 2

Competitors: overlap in set of resources acquired

Collaborators: do not overlap in set of resources acquired

competitors tend to be siblings

{b, c}

Idea: competitors and collaborators

�69

a

Notice: a resource acquired becomes a child of the acquirer

b c

1 2

Competitors: overlap in set of resources acquired

Collaborators: do not overlap in set of resources acquired

collaborators tend to be in the same branch

competitors tend to be siblings

{b, c}

Idea: competitors and collaborators

�69

a

Notice: a resource acquired becomes a child of the acquirer

b c

1 2

Competitors: overlap in set of resources acquired

Collaborators: do not overlap in set of resources acquired

collaborators tend to be in the same branch

competitors tend to be siblings

{a, b, 1} {a, b, 2} {a, c}

{b, c}

Manifest deadlock-freedom

�70

Manifest deadlock-freedom

�70

Define type system enforcing the following invariants:

collaborators

a

b c

1 2

competitors

Manifest deadlock-freedom

�70

Define type system enforcing the following invariants:

collaborators

a

b c

1 2

competitors

competitors employ locking-up for resources they compete forA

Manifest deadlock-freedom

�70

Define type system enforcing the following invariants:

collaborators

a

b c

1 2

competitors

collaborators acquire mutually disjoint sets of resourcesB

competitors employ locking-up for resources they compete forA

Manifest deadlock-freedom

�70

Define type system enforcing the following invariants:

collaborators

a

b c

1 2

competitors

collaborators acquire mutually disjoint sets of resourcesB

competitors employ locking-up for resources they compete forA

competitors have released all acquired resources when synchronizing with other competitors (“tallking-up”)

C

Manifest deadlock-freedom

�70

Define type system enforcing the following invariants:

collaborators

a

b c

1 2

competitors

collaborators acquire mutually disjoint sets of resourcesB

competitors employ locking-up for resources they compete forA

competitors have released all acquired resources when synchronizing with other competitors (“tallking-up”)

C

A rules out red-arrow cycles, B and C rule out red-green-arrow cycles.

Manifest deadlock-freedom

�71

Manifest deadlock-freedom

�71

Introduce a world, an abstract value equipped with a partial order.

Manifest deadlock-freedom

�71

Every process invariantly resides at a world.

Introduce a world, an abstract value equipped with a partial order.

Manifest deadlock-freedom

�71

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

Manifest deadlock-freedom

�71

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�71

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�71

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

worlds associated with process

Manifest deadlock-freedom

�72

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�72

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�72

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

self-world: world at which process

resides

Manifest deadlock-freedom

�73

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�73

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�73

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

min-world: world of minimal resource

to be acquired

Manifest deadlock-freedom

�74

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�74

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�74

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

max-world: world of maximal resource to be

acquired

Manifest deadlock-freedom

�75

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�75

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�75

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

world order

Manifest deadlock-freedom

�76

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�76

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�76

Every process invariantly resides at a world.

Every process indicates the range of worlds it may acquire.

Introduce a world, an abstract value equipped with a partial order.

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

possibly “aliased” linear channels

Manifest deadlock-freedom

�77

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Manifest deadlock-freedom

�77

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

Manifest deadlock-freedom

�77

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

min(parent) ≤ self(acquired_child) ≤ max(parent)

Manifest deadlock-freedom

�77

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

min(parent) ≤ self(acquired_child) ≤ max(parent)

max(parent) < min(child)

Manifest deadlock-freedom

�77

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

min(parent) ≤ self(acquired_child) ≤ max(parent)

max(parent) < min(child)

collaborators

a

b c

1 2

competitors

no vertical red arrows

Manifest deadlock-freedom

�78

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

min(parent) ≤ self(acquired_child) ≤ max(parent)

max(parent) < min(child)

Manifest deadlock-freedom

�78

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

min(parent) ≤ self(acquired_child) ≤ max(parent)

max(parent) < min(child)

for an acquire: lock-up

Manifest deadlock-freedom

�78

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

min(parent) ≤ self(acquired_child) ≤ max(parent)

max(parent) < min(child)

for an acquire: lock-up

collaborators

a

b c

1 2

competitors

no red cycles

Manifest deadlock-freedom

�79

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

min(parent) ≤ self(acquired_child) ≤ max(parent)

max(parent) < min(child)

for an acquire: lock-up

Manifest deadlock-freedom

�79

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

min(parent) ≤ self(acquired_child) ≤ max(parent)

max(parent) < min(child)

for an acquire: lock-up

for right-rule: Φ must be empty

Manifest deadlock-freedom

�79

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

min(parent) ≤ self(acquired_child) ≤ max(parent)

max(parent) < min(child)

for an acquire: lock-up

for right-rule: Φ must be empty

collaborators

a

b c

1 2

competitors

no ingoing red and up-going green arrow

Manifest deadlock-freedom

�80

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

min(parent) ≤ self(acquired_child) ≤ max(parent)

max(parent) < min(child)

for an acquire: lock-up

for right-rule: Φ must be empty

Manifest deadlock-freedom

�80

; � `⌃ P :: (xS : AS[!kl!n!l

]) (where + irreflexive)

; �; �; � `⌃ P :: (xL : AL[!kl!n!l

]) (where + irreflexive)

Express invariants A, B, and C in terms of:

min(parent) ≤ self(acquired_child) ≤ max(parent)

max(parent) < min(child)

for an acquire: lock-up

for right-rule: Φ must be empty

These low-level invariants are enforced by typing.

Taking stock

�81

Taking stock

�81

We have a session type system that allows shared and linear channels to coexist and guarantees:

data-race-freedom (low-level and high-level)

protocol adherence

deadlock-freedom

Taking stock

�81

We have a session type system that allows shared and linear channels to coexist and guarantees:

data-race-freedom (low-level and high-level)

protocol adherence

deadlock-freedom

We have increased practicality of linear session types while maintaining their guarantees.

Current & future work

�82

Digital contracts (with Hoffmann, Pfenning, and Das)

�83

Digital contracts (with Hoffmann, Pfenning, and Das)

�83

Unique application field for shared session types:

Digital contracts (with Hoffmann, Pfenning, and Das)

�83

Unique application field for shared session types:

auction = "S

L � {running : N{bid : id ! money ( #S

Lauction,cancel : #S

Lauction},ended : id ! �{won : lot⌦ #S

Lauction,lost : money ⌦ #S

Lauction}}

Digital contracts (with Hoffmann, Pfenning, and Das)

�83

Unique application field for shared session types:

auction = "S

L � {running : N{bid : id ! money ( #S

Lauction,cancel : #S

Lauction},ended : id ! �{won : lot⌦ #S

Lauction,lost : money ⌦ #S

Lauction}}

Resource analysis for static prediction of execution cost.

Digital contracts (with Hoffmann, Pfenning, and Das)

�83

Unique application field for shared session types:

auction = "S

L � {running : N{bid : id ! money ( #S

Lauction,cancel : #S

Lauction},ended : id ! �{won : lot⌦ #S

Lauction,lost : money ⌦ #S

Lauction}}

Resource analysis for static prediction of execution cost.

Under development: Nomos, a digital contract language based on resource-aware shared session types.

Unifying parallelism and concurrency

�84

Unifying parallelism and concurrency

�84

Shared session types recover expressiveness of untyped asynchronous pi-calculus [Balzer et al. CONCUR 2018]

Unifying parallelism and concurrency

�84

Shared session types recover expressiveness of untyped asynchronous pi-calculus [Balzer et al. CONCUR 2018]

introduce nondeterminism

Unifying parallelism and concurrency

�84

Shared session types recover expressiveness of untyped asynchronous pi-calculus [Balzer et al. CONCUR 2018]

introduce nondeterminism

linear logic session types are deterministic

Unifying parallelism and concurrency

�84

Shared session types recover expressiveness of untyped asynchronous pi-calculus [Balzer et al. CONCUR 2018]

introduce nondeterminism

linear logic session types are deterministic

Opportunity for unifying framework that combines both deterministic (parallel) and nondeterministic (concurrent) computation.

Thank you for your attention!

Papers for this talk: • Stephanie Balzer and Frank Pfenning: Manifest Sharing with Session

Types. ICFP 2017. • Stephanie Balzer, Bernardo Toninho, and Frank Pfenning: Manifest

Deadlock-Freedom for Shared Session Types. ESOP 2019. • Stephanie Balzer, Frank Pfenning, and Bernardo Toninho: A Universal

Session Type for Untyped Asynchronous Communication. CONCUR 2019.

�85