Chaperone Contracts for Higher-Order Sessions
Hernán Melgratti, Buenos Aires, Argentina; Luca Padovani, Torino, Italy
Dagstuhl Seminar 17051, 2017
A simple FuSe program
let server ep =
  let p, ep = receive ep in
  let root = ... in
  let ep = send root ep in
  close ep

let math_service = register server

let user () =
  let ep = connect math_service in
  let ep = send (from_list [2.0; -3.0; 1.0]) ep in
  let _, ep = receive ep in
  close ep
A simple FuSe program + Contracts
let server ep =
  let p, ep = receive ep in
  let root = ... in
  let ep = send root ep in
  close ep

let math_service = register server contract "Server"

let user () =
  let ep = connect math_service "Client" in
  let ep = send (from_list [2.0; -3.0; 1.0]) ep in
  let _, ep = receive ep in
  close ep
Contracts
A contract is a term that describes the exchanged messages and their relationships.

flat_c    : (t → bool) → [t]                 (t :: ω)
end_c     : [end]
send_c    : [t] → [T] → [!t.T]
receive_c : [t] → [T] → [?t.T]
send_d    : [t] → (t → [T]) → [!t.T]         (t :: ω)
receive_d : [t] → (t → [T]) → [?t.T]         (t :: ω)
Contracts
let contract = send_c (flat_c (fun p → degree p == 1)) @@ ... (* contract for the continuation *)
Contracts
let contract = send_c (flat_c (fun p → degree p == 1)) @@ any_c (* contract for the continuation *)
Contracts
let contract =
  send_d (flat_c (fun p → degree p == 1)) @@ fun p →
  receive_c (flat_c (root_of p)) @@
  end_c
Contracts and the structure of the session
choice_c : [bool] → [T] → [S] → [T ⊕ S]
branch_c : [bool] → [T] → [S] → [T & S]
Contracts and the structure of the session
ep : !poly.rec A.(?float.A & end)

let contract =
  send_d (flat_c (fun p → degree p > 0)) @@ fun p →
  let rec missing_roots n =
    if n > 0 then
      branch_c any_c
        (receive_c (flat_c (root_of p)) @@ missing_roots (n - 1))
        end_c
    else
      branch_c (flat_c not) any_c end_c
  in missing_roots (degree p)
First order
Diagram: three parties (Source, User, Operator) with messages x[v1, v2], y[v1, v2] and y[w].

x : ?int.?int.end
y : !int.!int.?int.end

src_c = any_c
op_c  = send_c any_c @@
        send_c (flat_c (≠ 0)) @@
        receive_c (flat_c (≥ 0)) @@
        end_c
Second order
Diagram: three parties (Source, User, Operator) with messages x[v1, v2], y[x] (the endpoint x is delegated) and y[w].

x : ?int.?int.end
y : !(?int.?int.end).?int.end

src_c = any_c
op_c  = send_c d_c @@ receive_c (flat_c (≥ 0)) @@ end_c
d_c   = receive_c any_c @@ receive_c (flat_c (≠ 0)) @@ end_c
Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]
〈E[connect a p]〉 a ⇐^c_q v
  → (νs) 〈E[[s+]_{c,q,p}]〉 〈v [s-]_{dual c,p,q}〉 | a ⇐^c_q v        (s fresh)

〈E[send v [a^ι]_{!c;d,σ}]〉 〈E'[receive [a^ι]_{?e;f,ϱ}]〉
  → 〈E[[a^ι]_{d,σ}]〉 〈E'[([[v]_{c,¬σ}]_{e,ϱ}, [a^ι]_{f,ϱ})]〉

[v]_{flat_c w,p,q} → v /_p (w v)
v /_p true  → v
v /_p false → blame p
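The second-order example above and the reduction rules just shown, as an added Python model that is not part of the slides or of FuSe: contracts are tuples, endpoints are in-memory queues, and party names stand in for the blame labels p, q. It assumes that the Operator's side of y carries the dual of op_c (op_dual, a name introduced here) and, unlike the real implementation, it does not avoid the double wrapping of a delegated endpoint.

```python
from collections import deque
class Blame(Exception): pass    # the model's "blame p"; args[0] names the party
# Contract terms mirroring the slides' combinators (constructed for this example)
any_c, end_c = ("any",), ("end",)
def flat_c(pred): return ("flat", pred)
def send_c(c, cont): return ("send", c, cont)
def receive_c(c, cont): return ("recv", c, cont)
class Endpoint:    # unmonitored endpoint: one queue per direction, shared with the peer
    def __init__(self, inbox, outbox): self.inbox, self.outbox = inbox, outbox
    def send(self, v): self.outbox.append(v)
    def receive(self): return self.inbox.popleft()
def new_session(): a, b = deque(), deque(); return Endpoint(a, b), Endpoint(b, a)
def check(v, c, p, q):
    # [v]_{c,p,q}: a flat contract is tested now (v /_p w v) and blames p on failure;
    # a session contract wraps v in a monitor that is checked on later use
    if c[0] == "any": return v
    if c[0] == "flat":
        if not c[1](v): raise Blame(p)
        return v
    return Monitor(v, c, p, q)
class Monitor:
    # monitored endpoint [ep]_{c,p,q}: p is blamed for values arriving on it, q (its
    # holder) for values it sends; ep may itself be a Monitor (delegated endpoints)
    def __init__(self, ep, c, p, q): self.ep, self.c, self.p, self.q = ep, c, p, q
    def send(self, v):
        assert self.c[0] == "send", "session/contract mismatch"
        self.ep.send(check(v, self.c[1], self.q, self.p))   # [v]_{c,¬σ}: labels swapped
        self.c = self.c[2]
    def receive(self):
        assert self.c[0] == "recv", "session/contract mismatch"
        v = check(self.ep.receive(), self.c[1], self.p, self.q)   # [.]_{e,ϱ}
        self.c = self.c[2]
        return v
# Second-order scenario of the slides: Source sends v1, v2 on x to User, who delegates
# x to Operator over y and reads back a result; src_c = any_c, so x itself is unchecked
d_c = receive_c(any_c, receive_c(flat_c(lambda n: n != 0), end_c))
op_c = send_c(d_c, receive_c(flat_c(lambda n: n >= 0), end_c))
op_dual = receive_c(d_c, send_c(flat_c(lambda n: n >= 0), end_c))   # Operator's view of y

def run(v1, v2, op_fn=lambda a, b: a // b):   # returns User's result or the blamed party
    x_src, x_user = new_session(); y_user, y_op = new_session()
    y_user = Monitor(y_user, op_c, "Operator", "User")   # [s+]_{c,q,p} with p = holder
    y_op = Monitor(y_op, op_dual, "User", "Operator")    # [s-]_{dual c,p,q}
    try:
        x_src.send(v1); x_src.send(v2)
        y_user.send(x_user)                    # delegation: x now travels wrapped in d_c
        x_op = y_op.receive()
        a, b = x_op.receive(), x_op.receive()  # b == 0 violates d_c and blames User
        y_op.send(op_fn(a, b))                 # a negative result violates op_c, blames Operator
        return y_user.receive()
    except Blame as e:
        return e.args[0]
```

Note that Source is never blamed: User promised the Operator a nonzero second value (d_c), so a zero coming from Source is charged to User, exactly as the rule's label swap (¬σ) prescribes.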
Local correctness & blame safety

- p is locally correct in P if
  - P = P_p[send v [_]_{!flat_c w;_,_,_}] implies v ∈ w, and
  - P = P_p[send [ε]_{c,_,_} [_]_{!d;_,_,_}] implies c 6 d, and ...
  - P → Q implies p is locally correct in Q
- Useful invariant: if P →* P_p[send v [_]_{c,_,q}], then q = p
- Blame safety: if p is locally correct in P, then P →* Q implies blame p ⊄ Q.
Final remarks
- The language is implemented on top of FuSe
- It avoids double checking of contracts
- It relies on a small-step semantics for unwinding monitors
- Monitors are communicated only when delegating
- Communication is restricted to unlimited values and delegation