A Logical Foundation for Session-based Concurrent Computation

Size: px

Start display at page:

Download "A Logical Foundation for Session-based Concurrent Computation"

Wesley Atkins
6 years ago
Views:

1 A Logical Foundation for Session-based Concurrent Computation Bernardo Toninho [Co-advised by: Luís Caires and Frank Pfenning] Computer Science Department Carnegie Mellon University Universidade Nova de Lisboa Thesis Defense Bernardo Toninho (UNL&CMU) Thesis Defense 1 / 40

2 Motivation Concurrency and Distribution Concurrent and Distributed Systems Systems composed of multiple logically and/or physically distinct interacting components. Pervasive in today s society. Quite error prone, with real consequences: Private information leaks due to security problems. Unavailability of services due to internal orchestration errors. Bernardo Toninho (UNL&CMU) Thesis Defense 2 / 40

3 Motivation Concurrency and Distribution Concurrent and Distributed Systems Systems composed of multiple logically and/or physically distinct interacting components. Pervasive in today s society. Quite error prone, with real consequences: Private information leaks due to security problems. Unavailability of services due to internal orchestration errors. Challenges Coordination of multiple interacting agents to offer a service. Resource availability and correct usage disciplines. How to ensure such a system is well-behaved? Bernardo Toninho (UNL&CMU) Thesis Defense 2 / 40

4 Motivation Goals When is a system well-behaved? System doesn t get stuck / deadlock. System is responsive (i.e. it exhibits some observable behavior). System behavior adheres to some specified protocol. Bernardo Toninho (UNL&CMU) Thesis Defense 3 / 40

5 Motivation Goals When is a system well-behaved? Goals System doesn t get stuck / deadlock. System is responsive (i.e. it exhibits some observable behavior). System behavior adheres to some specified protocol. Study and develop language-based models of concurrency. Developing a logical foundation for message-passing concurrent computation. Robust enough to account for a variety of relevant phenomena. Ensuring strong safety properties by construction. Bernardo Toninho (UNL&CMU) Thesis Defense 3 / 40

6 Motivation Language-based Models Process Calculi Algebraic model of concurrent message-passing processes. Enable study of behavior and interaction of systems. Enriched with types to enforce properties on processes. Bernardo Toninho (UNL&CMU) Thesis Defense 4 / 40

7 Motivation Language-based Models Process Calculi Algebraic model of concurrent message-passing processes. Enable study of behavior and interaction of systems. Enriched with types to enforce properties on processes. Types and Process Calculi Specify what data can be sent along channels (Simple types). Specify input/output capabilities of channels (I/O types). Specify communication behavior along channels (Session types). Bernardo Toninho (UNL&CMU) Thesis Defense 4 / 40

8 Motivation Connections with Logic Issues Many different, sometimes ad-hoc, language features. Hard to reason about these languages in a uniform way. Challenging concerns when compared to non-concurrent setting: Interactive behavior. Non-local state and irreversible actions. Resource awareness No deep connection with logic. Bernardo Toninho (UNL&CMU) Thesis Defense 5 / 40

9 Motivation Connections with Logic Issues Many different, sometimes ad-hoc, language features. Hard to reason about these languages in a uniform way. Challenging concerns when compared to non-concurrent setting: Interactive behavior. Non-local state and irreversible actions. Resource awareness No deep connection with logic. Why does logic matter? New means of reasoning about concurrent phenomena. Good metalogical properties map to good program properties. Enables compositional and incremental study of language features. Bernardo Toninho (UNL&CMU) Thesis Defense 5 / 40

10 Thesis Statement Thesis Statement Linear logic, specifically in its intuitionistic formulation, is a suitable logical foundation for message-passing concurrent computation, providing an elegant framework in which to express and reason about a multitude of naturally occurring phenomena in such a concurrent setting. Bernardo Toninho (UNL&CMU) Thesis Defense 6 / 40

11 Contributions Linear logic and message-passing concurrency: Background Basic interpretation Properties Extensions Bernardo Toninho (UNL&CMU) Thesis Defense 7 / 40

12 Contributions Linear logic and message-passing concurrency: Background Basic interpretation Properties Extensions A concurrent programming language: Monadic encapsulation of concurrent computation Recursion Reconciliation with Logic Bernardo Toninho (UNL&CMU) Thesis Defense 7 / 40

13 Contributions Linear logic and message-passing concurrency: Background Basic interpretation Properties Extensions A concurrent programming language: Monadic encapsulation of concurrent computation Recursion Reconciliation with Logic Reasoning Techniques: Linear logical relations Logical equivalence Bernardo Toninho (UNL&CMU) Thesis Defense 7 / 40

14 Background Linear Logic [Girard 87] A logic of resources and interaction. Resource independence captures parallelism. Linear logic as the logic of concurrency? Bernardo Toninho (UNL&CMU) Thesis Defense 8 / 40

15 Background Linear Logic [Girard 87] A logic of resources and interaction. Resource independence captures parallelism. Linear logic as the logic of concurrency? Linear Logic and Concurrency Initial efforts explored the connections to concurrency: Abramsky s computational interpretation [Abramsky 93] Bellin and Scott s refinement to a -calculus [BellinScott 94] No real Curry-Howard interpretation Bernardo Toninho (UNL&CMU) Thesis Defense 8 / 40

16 Session Types and Linear Logic Session Types [Honda 93] A structuring discipline for message passing concurrency. Session: Predetermined sequence of interactions along a channel. Session Types: Types are descriptions of communication behavior. Type correct programs adhere to the session discipline. Bernardo Toninho (UNL&CMU) Thesis Defense 9 / 40

17 Session Types and Linear Logic Session Types [Honda 93] A structuring discipline for message passing concurrency. Session: Predetermined sequence of interactions along a channel. Session Types: Types are descriptions of communication behavior. Type correct programs adhere to the session discipline. Example A server that receives login information from a client, on success, clients send a product name and receive back a purchase receipt: ServerT, login ( (suclogin badlogin) suclogin, prodname ( purchreceipt 1 Bernardo Toninho (UNL&CMU) Thesis Defense 9 / 40

18 Logical Interpretation Session Types and ILL (SILL) [CairesPfenning10] Its possible to interpret session types as linear logic propositions. Proofs as typing derivations. Proof dynamics as process dynamics. Bernardo Toninho (UNL&CMU) Thesis Defense 10 / 40

19 Logical Interpretation Session Types and ILL (SILL) [CairesPfenning10] Its possible to interpret session types as linear logic propositions. Proofs as typing derivations. Proof dynamics as process dynamics. SILL in hindsight Assigns -calculus processes to proofs Not syntax driven. Channel forwarding as a derived concept. A few key proof reductions do not map to process interactions. Bernardo Toninho (UNL&CMU) Thesis Defense 10 / 40

20 Logical Interpretation Session Types and ILL (SILL) [CairesPfenning10] Its possible to interpret session types as linear logic propositions. Proofs as typing derivations. Proof dynamics as process dynamics. SILL in hindsight Assigns -calculus processes to proofs Not syntax driven. Channel forwarding as a derived concept. A few key proof reductions do not map to process interactions. Deviating from SILL Explicit linear forwarders. Syntax-driven assignment. Consistently mapped to -calculus processes. Bernardo Toninho (UNL&CMU) Thesis Defense 10 / 40

21 Logical Interpretation Propositions as Types A B Output a session of type A and continue as B A ( B Input a session of type A and continue as B A N B Offer a choice between a session of type A or B A B Select a session of type A or B!A A persistent session of type A 1 Terminated session Bernardo Toninho (UNL&CMU) Thesis Defense 11 / 40

22 Logical Interpretation Propositions as Types A B Output a session of type A and continue as B A ( B Input a session of type A and continue as B A N B Offer a choice between a session of type A or B A B Select a session of type A or B!A A persistent session of type A 1 Terminated session Judgments Process expression typing: ; ` P :: x:a -calculus process typing: ; ) ˆP :: x:a Bernardo Toninho (UNL&CMU) Thesis Defense 11 / 40

23 Logical Interpretation - Judgmental Principles Typing Judgment z } { A 1,..., A m ; z } { A 1,..., A n ` A Bernardo Toninho (UNL&CMU) Thesis Defense 12 / 40

24 Logical Interpretation - Judgmental Principles Typing Judgment z } { u 1 :A 1,...,u m :A m ; z x } { 1 :A 1,...,x n :A n ` P :: x:a Process P provides A along x if composed with sessions in and. Bernardo Toninho (UNL&CMU) Thesis Defense 12 / 40

25 Logical Interpretation - Judgmental Principles Typing Judgment z } { u 1 :A 1,...,u m :A m ; z x } { 1 :A 1,...,x n :A n ` P :: x:a Process P provides A along x if composed with sessions in and. Cut as Composition ; ` A ; 0, A ` C ;, 0 ` C cut Bernardo Toninho (UNL&CMU) Thesis Defense 12 / 40

26 Logical Interpretation - Judgmental Principles Typing Judgment z } { u 1 :A 1,...,u m :A m ; z x } { 1 :A 1,...,x n :A n ` P :: x:a Process P provides A along x if composed with sessions in and. Cut as Composition ; ` P :: x:a ; 0, A ` C ;, 0 ` C cut Bernardo Toninho (UNL&CMU) Thesis Defense 12 / 40

27 Logical Interpretation - Judgmental Principles Typing Judgment z } { u 1 :A 1,...,u m :A m ; z x } { 1 :A 1,...,x n :A n ` P :: x:a Process P provides A along x if composed with sessions in and. Cut as Composition ; ` P :: x:a ; 0, x:a ` Q :: z:c ;, 0 ` C cut Bernardo Toninho (UNL&CMU) Thesis Defense 12 / 40

28 Logical Interpretation - Judgmental Principles Typing Judgment z } { u 1 :A 1,...,u m :A m ; z x } { 1 :A 1,...,x n :A n ` P :: x:a Process P provides A along x if composed with sessions in and. Cut as Composition ; ` P :: x:a ; 0, x:a ` Q :: z:c ;, 0 ` new x.(p k Q) ::z:c cut Bernardo Toninho (UNL&CMU) Thesis Defense 12 / 40

29 Logical Interpretation - Judgmental Principles Typing Judgment z } { u 1 :A 1,...,u m :A m ; z x } { 1 :A 1,...,x n :A n ` P :: x:a Process P provides A along x if composed with sessions in and. Cut as Composition ; ` P :: x:a ; 0, x:a ` Q :: z:c ;, 0 ` new x.(p k Q) ::z:c cut Parallel composition of P, offering x:a and Q, using x:a. Identity as Forwarding ; A ` A id Bernardo Toninho (UNL&CMU) Thesis Defense 12 / 40

30 Logical Interpretation - Judgmental Principles Typing Judgment z } { u 1 :A 1,...,u m :A m ; z x } { 1 :A 1,...,x n :A n ` P :: x:a Process P provides A along x if composed with sessions in and. Cut as Composition ; ` P :: x:a ; 0, x:a ` Q :: z:c ;, 0 ` new x.(p k Q) ::z:c cut Parallel composition of P, offering x:a and Q, using x:a. Identity as Forwarding ; x:a ` A id Bernardo Toninho (UNL&CMU) Thesis Defense 12 / 40

31 Logical Interpretation - Judgmental Principles Typing Judgment z } { u 1 :A 1,...,u m :A m ; z x } { 1 :A 1,...,x n :A n ` P :: x:a Process P provides A along x if composed with sessions in and. Cut as Composition ; ` P :: x:a ; 0, x:a ` Q :: z:c ;, 0 ` new x.(p k Q) ::z:c cut Parallel composition of P, offering x:a and Q, using x:a. Identity as Forwarding ; x:a ` fwd xz:: z:a id Bernardo Toninho (UNL&CMU) Thesis Defense 12 / 40

32 Logical Interpretation - Tensor as Output Session Output ; ` A ; 0 ` B ;, 0 ` A B R Bernardo Toninho (UNL&CMU) Thesis Defense 13 / 40

33 Logical Interpretation - Tensor as Output Session Output ; ` P :: y:a ; 0 ` Q :: z:b ;, 0 ` A B R Bernardo Toninho (UNL&CMU) Thesis Defense 13 / 40

34 Logical Interpretation - Tensor as Output Session Output ; ` P :: y:a ; 0 ` Q :: z:b ;, 0 ` output z (y.p); Q :: z:a B R Bernardo Toninho (UNL&CMU) Thesis Defense 13 / 40

35 Logical Interpretation - Tensor as Output Session Output ; ` P :: y:a ; 0 ` Q :: z:b ;, 0 ` output z (y.p); Q :: z:a B R ;, A, B ` C ;, A B ` C L Bernardo Toninho (UNL&CMU) Thesis Defense 13 / 40

36 Logical Interpretation - Tensor as Output Session Output ; ` P :: y:a ; 0 ` Q :: z:b ;, 0 ` output z (y.p); Q :: z:a B R ;, y : A, x : B ` R :: z:c ;, A B ` C L Bernardo Toninho (UNL&CMU) Thesis Defense 13 / 40

37 Logical Interpretation - Tensor as Output Session Output ; ` P :: y:a ; 0 ` Q :: z:b ;, 0 ` output z (y.p); Q :: z:a B R ;, y : A, x : B ` R :: z:c ;, x:a B ` y input x; R :: z:c L Bernardo Toninho (UNL&CMU) Thesis Defense 13 / 40

38 Logical Interpretation - Tensor as Output Session Output ; ` P :: y:a ; 0 ` Q :: z:b ;, 0 ` output z (y.p); Q :: z:a B R ;, y : A, x : B ` R :: z:c ;, x:a B ` y input x; R :: z:c L Proof Reduction ;, 0 ` new x.((output x (y.p); Q) k y input x; R) ::z:c Bernardo Toninho (UNL&CMU) Thesis Defense 13 / 40

39 Logical Interpretation - Tensor as Output Session Output ; ` P :: y:a ; 0 ` Q :: z:b ;, 0 ` output z (y.p); Q :: z:a B R ;, y : A, x : B ` R :: z:c ;, x:a B ` y input x; R :: z:c L Proof Reduction ;, 0 ` new x.((output x (y.p); Q) k y input x; R) ::z:c! ;, 0 ` new x.(q k new y.(p k R)) :: z:c Bernardo Toninho (UNL&CMU) Thesis Defense 13 / 40

40 Logical Interpretation - Implication as Input Session Input ;, A ` B ; ` A ( B (R Bernardo Toninho (UNL&CMU) Thesis Defense 14 / 40

41 Logical Interpretation - Implication as Input Session Input ;, x : A ` P :: z:b ; ` A ( B (R Bernardo Toninho (UNL&CMU) Thesis Defense 14 / 40

42 Logical Interpretation - Implication as Input Session Input ;, x : A ` P :: z:b ; ` x input z; P :: z:a ( B (R Bernardo Toninho (UNL&CMU) Thesis Defense 14 / 40

43 Logical Interpretation - Implication as Input Session Input ;, x : A ` P :: z:b ; ` x input z; P :: z:a ( B (R ; ` A ; 0, B ` C ;, 0, A ( B ` C (L Bernardo Toninho (UNL&CMU) Thesis Defense 14 / 40

44 Logical Interpretation - Implication as Input Session Input ;, x : A ` P :: z:b ; ` x input z; P :: z:a ( B (R ; ` Q 1 :: y:a ; 0, x:b ` Q 2 :: z:c ;, 0, A ( B ` C (L Bernardo Toninho (UNL&CMU) Thesis Defense 14 / 40

45 Logical Interpretation - Implication as Input Session Input ;, x : A ` P :: z:b ; ` x input z; P :: z:a ( B (R ; ` Q 1 :: y:a ; 0, x:b ` Q 2 :: z:c ;, 0, x:a ( B ` output x (y.q 1 ); Q 2 )::z:c (L Bernardo Toninho (UNL&CMU) Thesis Defense 14 / 40

46 Logical Interpretation - Implication as Input Session Input ;, x : A ` P :: z:b ; ` x input z; P :: z:a ( B (R ; ` Q 1 :: y:a ; 0, x:b ` Q 2 :: z:c ;, 0, x:a ( B ` output x (y.q 1 ); Q 2 )::z:c (L Linear Implication as input. Reduction is the same as for. Bernardo Toninho (UNL&CMU) Thesis Defense 14 / 40

47 Logical Interpretation - Multiplicative Unit as Termination Multiplicative Unit ; ` 1 1R Bernardo Toninho (UNL&CMU) Thesis Defense 15 / 40

48 Logical Interpretation - Multiplicative Unit as Termination Multiplicative Unit ; `close z :: z:1 1R Bernardo Toninho (UNL&CMU) Thesis Defense 15 / 40

49 Logical Interpretation - Multiplicative Unit as Termination Multiplicative Unit ; `close z :: z:1 1R ; ` C ;, 1 ` C 1L Bernardo Toninho (UNL&CMU) Thesis Defense 15 / 40

50 Logical Interpretation - Multiplicative Unit as Termination Multiplicative Unit ; `close z :: z:1 1R ; ` Q :: z:c ;, 1 ` C 1L Bernardo Toninho (UNL&CMU) Thesis Defense 15 / 40

51 Logical Interpretation - Multiplicative Unit as Termination Multiplicative Unit ; `close z :: z:1 1R ; ` Q :: z:c ;, x:1 ` wait x; Q :: z:c 1L Proof Reduction ; ` new x.(close x k (wait x; Q)) :: z:c Bernardo Toninho (UNL&CMU) Thesis Defense 15 / 40

52 Logical Interpretation - Multiplicative Unit as Termination Multiplicative Unit ; `close z :: z:1 1R ; ` Q :: z:c ;, x:1 ` wait x; Q :: z:c 1L Proof Reduction ; ` new x.(close x k (wait x; Q)) :: z:c! ; ` Q :: z:c Bernardo Toninho (UNL&CMU) Thesis Defense 15 / 40

53 Logical Interpretation - Additive Conjunction as Alternative Behavior Additive Conjunction ; ` A ; ` B ; ` A N B NR Bernardo Toninho (UNL&CMU) Thesis Defense 16 / 40

54 Logical Interpretation - Additive Conjunction as Alternative Behavior Additive Conjunction ; ` P 1 :: x:a ; ` P 2 :: x:b ; ` A N B NR Bernardo Toninho (UNL&CMU) Thesis Defense 16 / 40

55 Logical Interpretation - Additive Conjunction as Alternative Behavior Additive Conjunction ; ` P 1 :: x:a ; ` P 2 :: x:b ; ` x.case(p 1, P 2 )::x:a N B NR Bernardo Toninho (UNL&CMU) Thesis Defense 16 / 40

56 Logical Interpretation - Additive Conjunction as Alternative Behavior Additive Conjunction ; ` P 1 :: x:a ; ` P 2 :: x:b ; ` x.case(p 1, P 2 )::x:a N B NR ;, A ` C ;, A N B ` C NL 1 Bernardo Toninho (UNL&CMU) Thesis Defense 16 / 40

57 Logical Interpretation - Additive Conjunction as Alternative Behavior Additive Conjunction ; ` P 1 :: x:a ; ` P 2 :: x:b ; ` x.case(p 1, P 2 )::x:a N B NR ;, x:a ` Q :: z:c ;, A N B ` C NL 1 Bernardo Toninho (UNL&CMU) Thesis Defense 16 / 40

58 Logical Interpretation - Additive Conjunction as Alternative Behavior Additive Conjunction ; ` P 1 :: x:a ; ` P 2 :: x:b ; ` x.case(p 1, P 2 )::x:a N B NR ;, x:a ` Q :: z:c ;, x:a N B ` x.inl; Q :: z:c NL 1 Bernardo Toninho (UNL&CMU) Thesis Defense 16 / 40

59 Logical Interpretation - Additive Conjunction as Alternative Behavior Additive Conjunction ; ` P 1 :: x:a ; ` P 2 :: x:b ; ` x.case(p 1, P 2 )::x:a N B NR ;, x:a ` Q :: z:c ;, x:a N B ` x.inl; Q :: z:c NL 1 Proof Reduction ;, 0 ` new x.(x.case(p 1, P 2 ) k x.inl; Q) ::z:c! ;, 0 ` new x.(p 1 k Q) ::z:c Bernardo Toninho (UNL&CMU) Thesis Defense 16 / 40

60 Logical Interpretation - Additive Conjunction as Alternative Behavior Additive Conjunction ; ` P 1 :: x:a ; ` P 2 :: x:b ; ` x.case(p 1, P 2 )::x:a N B NR ;, x:a ` Q :: z:c ;, x:a N B ` x.inl; Q :: z:c NL 1 Proof Reduction ;, 0 ` new x.(x.case(p 1, P 2 ) k x.inl; Q) ::z:c! ;, 0 ` new x.(p 1 k Q) ::z:c Additive disjunction is dual. Bernardo Toninho (UNL&CMU) Thesis Defense 16 / 40

61 Example A Server and a Client ServerT, login ( (suclogin badlogin) suclogin, prodname ( purchreceipt 1 Bernardo Toninho (UNL&CMU) Thesis Defense 17 / 40

62 Example A Server and a Client ServerT, login ( (suclogin badlogin) suclogin, prodname ( purchreceipt 1 c:servert ` Client :: z:1 Bernardo Toninho (UNL&CMU) Thesis Defense 17 / 40

63 Example A Server and a Client ServerT, login ( (suclogin badlogin) suclogin, prodname ( purchreceipt 1 c:servert ` Client :: z:1 Client, output c login; c.case(buy, Error) Buy, output c ticket; r input c; wait c; close z Bernardo Toninho (UNL&CMU) Thesis Defense 17 / 40

64 Example A Server and a Client ServerT, login ( (suclogin badlogin) suclogin, prodname ( purchreceipt 1 c:servert ` Client :: z:1 Client, output c login; c.case(buy, Error) Buy, output c ticket; r input c; wait c; close z ` new c.(server k Client) ::z:1 Bernardo Toninho (UNL&CMU) Thesis Defense 17 / 40

65 Type Safety Type Preservation If ; ) P :: z:a and P! P 0 then ; ) P 0 :: z:a Bernardo Toninho (UNL&CMU) Thesis Defense 18 / 40

66 Type Safety Type Preservation If ; ) P :: z:a and P! P 0 then ; ) P 0 :: z:a Global Progress Let ; )P :: z:1. If P is live then P! Q. Bernardo Toninho (UNL&CMU) Thesis Defense 18 / 40

67 Extending the Interpretation - Value Dependencies and Session Polymorphism Limitations of (simple) Session Types Hard to extend beyond simple communication patterns. No uniform way of expressing properties of exchanged data. Can scale to richer settings, but technically challenging. Bernardo Toninho (UNL&CMU) Thesis Defense 19 / 40

68 Extending the Interpretation - Value Dependencies and Session Polymorphism Limitations of (simple) Session Types Hard to extend beyond simple communication patterns. No uniform way of expressing properties of exchanged data. Can scale to richer settings, but technically challenging. Logical Foundation New means of reasoning about concurrent phenomena. Compositional and incremental study of language features: Value-dependent Session Types Polymorphic Session Types Bernardo Toninho (UNL&CMU) Thesis Defense 19 / 40

69 Extending the Interpretation - Value Dependencies Value-dependent Session Types [Toninho et al.11] Two new types: 8x:.A and 9x:.A Parametric in the language of types. 8x:.A - Input a term M :, continue as A(M). 9x:.A - Output a term M :, continue as A(M). If s are dependent: proof communication. Bernardo Toninho (UNL&CMU) Thesis Defense 20 / 40

70 Extending the Interpretation - Value Dependencies Value-dependent Session Types [Toninho et al.11] Two new types: 8x:.A and 9x:.A Parametric in the language of types. 8x:.A - Input a term M :, continue as A(M). 9x:.A - Output a term M :, continue as A(M). If s are dependent: proof communication. Revisiting the Server-Client ServerT 89, 8u : uid.(suclogin 89 badlogin) suclogin 89, 8p : prodname.8c:cupon(u, p).9r : receipt(u, p).1 Bernardo Toninho (UNL&CMU) Thesis Defense 20 / 40

71 Extending the Interpretation - Value Dependencies Extend the Judgment ; ; ` P :: z:a accounts for variables from the language of. Bernardo Toninho (UNL&CMU) Thesis Defense 21 / 40

72 Extending the Interpretation - Value Dependencies Extend the Judgment Universal Quantification ; ; ` P :: z:a accounts for variables from the language of., ; ; ` A ; ; ` 8x:.A 8R Bernardo Toninho (UNL&CMU) Thesis Defense 21 / 40

73 Extending the Interpretation - Value Dependencies Extend the Judgment Universal Quantification ; ; ` P :: z:a accounts for variables from the language of., x : ; ; ` P :: z:a ; ; ` 8x:.A 8R Bernardo Toninho (UNL&CMU) Thesis Defense 21 / 40

74 Extending the Interpretation - Value Dependencies Extend the Judgment Universal Quantification ; ; ` P :: z:a accounts for variables from the language of., x : ; ; ` P :: z:a ; ; ` x input z; P :: z:8x:.a 8R ` M : ; ;, A{M/x} ` C ; ;, 8x:.A ` C 8L Bernardo Toninho (UNL&CMU) Thesis Defense 21 / 40

75 Extending the Interpretation - Value Dependencies Extend the Judgment Universal Quantification ; ; ` P :: z:a accounts for variables from the language of., x : ; ; ` P :: z:a ; ; ` x input z; P :: z:8x:.a 8R ` M : ; ;, A{M/x} ` C ; ;, 8x:.A ` C 8L Bernardo Toninho (UNL&CMU) Thesis Defense 21 / 40

76 Extending the Interpretation - Value Dependencies Extend the Judgment Universal Quantification ; ; ` P :: z:a accounts for variables from the language of., x : ; ; ` P :: z:a ; ; ` x input z; P :: z:8x:.a 8R ` M : ; ;, x:a{m/x} `Q :: z:c ; ;, 8x:.A ` C 8L Bernardo Toninho (UNL&CMU) Thesis Defense 21 / 40

77 Extending the Interpretation - Value Dependencies Extend the Judgment Universal Quantification ; ; ` P :: z:a accounts for variables from the language of., x : ; ; ` P :: z:a ; ; ` x input z; P :: z:8x:.a 8R ` M : ; ;, x:a{m/x} `Q :: z:c ; ;, x:8x:.a ` output xm; Q :: z:c 8L Bernardo Toninho (UNL&CMU) Thesis Defense 21 / 40

78 Extending the Interpretation - Value Dependencies Refining Quantification [Toninho et al.11, Pfenning et al.11] Proof Irrelevance: [ ] Proofs of are not used at runtime. Affirmation: K K affirms the existence of a proof of. Bernardo Toninho (UNL&CMU) Thesis Defense 22 / 40

79 Extending the Interpretation - Value Dependencies Refining Quantification [Toninho et al.11, Pfenning et al.11] Proof Irrelevance: [ ] Proofs of are not used at runtime. Affirmation: K K affirms the existence of a proof of. Refining the Example suclogin [], 8p : prodname.8c:[cupon(u, p)].9r : receipt(u, p).1 Bernardo Toninho (UNL&CMU) Thesis Defense 22 / 40

80 Extending the Interpretation - Value Dependencies Refining Quantification [Toninho et al.11, Pfenning et al.11] Proof Irrelevance: [ ] Proofs of are not used at runtime. Affirmation: K K affirms the existence of a proof of. Refining the Example suclogin [], 8p : prodname.8c:[cupon(u, p)].9r : receipt(u, p).1 suclogin, 8p : prodname.8c:[cupon(u, p)].9r : S [mreceipt(u, p)].1 Bernardo Toninho (UNL&CMU) Thesis Defense 22 / 40

81 Extending the Interpretation - Value Dependencies Refining Quantification [Toninho et al.11, Pfenning et al.11] Proof Irrelevance: [ ] Proofs of are not used at runtime. Affirmation: K K affirms the existence of a proof of. Refining the Example suclogin [], 8p : prodname.8c:[cupon(u, p)].9r : receipt(u, p).1 suclogin, 8p : prodname.8c:[cupon(u, p)].9r : S [mreceipt(u, p)].1 Type safety (preservation and progress) also entails adherence to constraints on data! Bernardo Toninho (UNL&CMU) Thesis Defense 22 / 40

82 Extending the Interpretation - Parametric Polymorphism Parametric Polymorphism [Pérez et al.11, Wadler11] Second-order quantification. Communication of session types / abstract protocols. Parametricity results in the style of System F. Universal Quantification (Second Order), X; ; ` A ; ; ` 8X.A 8R2 Bernardo Toninho (UNL&CMU) Thesis Defense 23 / 40

83 Extending the Interpretation - Parametric Polymorphism Parametric Polymorphism [Pérez et al.11, Wadler11] Second-order quantification. Communication of session types / abstract protocols. Parametricity results in the style of System F. Universal Quantification (Second Order), X; ; ` P :: z:a ; ; ` 8X.A 8R2 Bernardo Toninho (UNL&CMU) Thesis Defense 23 / 40

84 Extending the Interpretation - Parametric Polymorphism Parametric Polymorphism [Pérez et al.11, Wadler11] Second-order quantification. Communication of session types / abstract protocols. Parametricity results in the style of System F. Universal Quantification (Second Order), X; ; ` P :: z:a ; ; ` X input z; P :: z:8x.a 8R2 Bernardo Toninho (UNL&CMU) Thesis Defense 23 / 40

85 Extending the Interpretation - Parametric Polymorphism Parametric Polymorphism [Pérez et al.11, Wadler11] Second-order quantification. Communication of session types / abstract protocols. Parametricity results in the style of System F. Universal Quantification (Second Order), X; ; ` P :: z:a ; ; ` X input z; P :: z:8x.a 8R2 ` B type ; ;, A{B/X} ` C ; ;, 8X.A ` C 8L2 Bernardo Toninho (UNL&CMU) Thesis Defense 23 / 40

86 Extending the Interpretation - Parametric Polymorphism Parametric Polymorphism [Pérez et al.11, Wadler11] Second-order quantification. Communication of session types / abstract protocols. Parametricity results in the style of System F. Universal Quantification (Second Order), X; ; ` P :: z:a ; ; ` X input z; P :: z:8x.a 8R2 ` B type ; ;, x:a{b/x} `Q :: z:c ; ;, 8X.A ` C 8L2 Bernardo Toninho (UNL&CMU) Thesis Defense 23 / 40

87 Extending the Interpretation - Parametric Polymorphism Parametric Polymorphism [Pérez et al.11, Wadler11] Second-order quantification. Communication of session types / abstract protocols. Parametricity results in the style of System F. Universal Quantification (Second Order), X; ; ` P :: z:a ; ; ` X input z; P :: z:8x.a 8R2 ` B type ; ;, x:a{b/x} `Q :: z:c ; ;, x:8x.a ` output xb; Q :: z:c 8L2 Bernardo Toninho (UNL&CMU) Thesis Defense 23 / 40

88 Extending the Interpretation - Parametric Polymorphism Parametric Polymorphism CloudServer, 8X.!(api ( X) (!X Bernardo Toninho (UNL&CMU) Thesis Defense 24 / 40

89 Extending the Interpretation - Parametric Polymorphism Parametric Polymorphism CloudServer, 8X.!(api ( X) (!X Specifies a generic service that: Inputs any type (e.g. GMaps). Bernardo Toninho (UNL&CMU) Thesis Defense 24 / 40

90 Extending the Interpretation - Parametric Polymorphism Parametric Polymorphism Specifies a generic service that: CloudServer, 8X.!(api ( X) (!X Inputs any type (e.g. GMaps). Inputs a persistent session that, given an implementation of api, provides the previously input type (e.g.!(api ( GMaps)). Bernardo Toninho (UNL&CMU) Thesis Defense 24 / 40

91 Extending the Interpretation - Parametric Polymorphism Parametric Polymorphism Specifies a generic service that: CloudServer, 8X.!(api ( X) (!X Inputs any type (e.g. GMaps). Inputs a persistent session that, given an implementation of api, provides the previously input type (e.g.!(api ( GMaps)). Composes the received session accordingly, subsequently providing a persistent session of the given type (e.g.!gmaps). Bernardo Toninho (UNL&CMU) Thesis Defense 24 / 40

92 A Concurrent Programming Language Overview Programming using the Logical Interpretation Syntax focuses solely on communication behavior. No values nor functions. Hard to write interesting programs. Bernardo Toninho (UNL&CMU) Thesis Defense 25 / 40

93 A Concurrent Programming Language Overview Programming using the Logical Interpretation Syntax focuses solely on communication behavior. No values nor functions. Hard to write interesting programs. Towards a Concurrent Programming Language Approximate the syntax of the logical interpretation. Introduce recursion for expressiveness. Combine concurrent session-typed processes with -calculus. Bernardo Toninho (UNL&CMU) Thesis Defense 25 / 40

94 A Concurrent Programming Language Overview Programming using the Logical Interpretation Syntax focuses solely on communication behavior. No values nor functions. Hard to write interesting programs. Towards a Concurrent Programming Language Approximate the syntax of the logical interpretation. Introduce recursion for expressiveness. Combine concurrent session-typed processes with -calculus. Types A and ^ A Input and output of data. {a i :A i ` c:a} Monadic encapsulation of process expressions. Bernardo Toninho (UNL&CMU) Thesis Defense 25 / 40

95 A Concurrent Programming Language Integrating Concurrency in a Functional Language Contextual Monad Isolate concurrency (and linearity) in a contextual monad. Embed into a typical -calculus with recursive types. Functional programs can refer to processes and vice-versa: Process layer may send/receive functional values. Monadic objects may be executed (in the process layer). Functions can construct monadic objects. Bernardo Toninho (UNL&CMU) Thesis Defense 26 / 40

96 A Concurrent Programming Language Integrating Concurrency in a Functional Language Contextual Monad Isolate concurrency (and linearity) in a contextual monad. Embed into a typical -calculus with recursive types. Functional programs can refer to processes and vice-versa: Process layer may send/receive functional values. Monadic objects may be executed (in the process layer). Functions can construct monadic objects. Example - A Stream of Naturals We want to produce a stream of naturals, starting at a given number: Bernardo Toninho (UNL&CMU) Thesis Defense 26 / 40

97 A Concurrent Programming Language Integrating Concurrency in a Functional Language Contextual Monad Isolate concurrency (and linearity) in a contextual monad. Embed into a typical -calculus with recursive types. Functional programs can refer to processes and vice-versa: Process layer may send/receive functional values. Monadic objects may be executed (in the process layer). Functions can construct monadic objects. Example - A Stream of Naturals We want to produce a stream of naturals, starting at a given number: stype natstream = nat /\ natstream Bernardo Toninho (UNL&CMU) Thesis Defense 26 / 40

98 A Concurrent Programming Language Integrating Concurrency in a Functional Language Contextual Monad Isolate concurrency (and linearity) in a contextual monad. Embed into a typical -calculus with recursive types. Functional programs can refer to processes and vice-versa: Process layer may send/receive functional values. Monadic objects may be executed (in the process layer). Functions can construct monadic objects. Example - A Stream of Naturals We want to produce a stream of naturals, starting at a given number: stype natstream = nat /\ natstream init : nat -> {c:natstream} c <- init n = { output c n c <- init (n+1) } Bernardo Toninho (UNL&CMU) Thesis Defense 26 / 40

99 A Concurrent Programming Language Examples A Stream Filter Given a predicate on naturals p, erase from a stream d all naturals not satisfying the predicate. Bernardo Toninho (UNL&CMU) Thesis Defense 27 / 40

100 A Concurrent Programming Language Examples A Stream Filter Given a predicate on naturals p, erase from a stream d all naturals not satisfying the predicate. filter :(nat -> bool) -> {d:natstream - c:natstream} Bernardo Toninho (UNL&CMU) Thesis Defense 27 / 40

101 A Concurrent Programming Language Examples A Stream Filter Given a predicate on naturals p, erase from a stream d all naturals not satisfying the predicate. filter :(nat -> bool) -> {d:natstream - c:natstream} c <- filter p <- d = { n <- input d if (p n) then output c n c <- filter p <- d else c <- filter p <- d } Bernardo Toninho (UNL&CMU) Thesis Defense 27 / 40

102 A Concurrent Programming Language Examples A Stream Filter Given a predicate on naturals p, erase from a stream d all naturals not satisfying the predicate. filter :(nat -> bool) -> {d:natstream - c:natstream} c <- filter p <- d = { n <- input d if (p n) then output c n c <- filter p <- d else c <- filter p <- d } A stream of all the even natural numbers: {c. d <- init 0 ; filter (fn x => x % 2 = 0) <- d} Bernardo Toninho (UNL&CMU) Thesis Defense 27 / 40

103 A Concurrent Programming Language Examples A Stream Filter Given a predicate on naturals p, erase from a stream d all naturals not satisfying the predicate. filter :(nat -> bool) -> {d:natstream - c:natstream} c <- filter p <- d = { n <- input d if (p n) then output c n c <- filter p <- d else c <- filter p <- d } A stream of all the even natural numbers: {c. d <- init 0 ; filter (fn x => x % 2 = 0) <- d} Bernardo Toninho (UNL&CMU) Thesis Defense 27 / 40

104 A Concurrent Programming Language Examples Sending and Receiving Processes stype AppStore = Choice{weather: {d:api,g:gps - c:weather} /\ 1, travel: {d:api - c:travel} /\ 1} Bernardo Toninho (UNL&CMU) Thesis Defense 28 / 40

105 A Concurrent Programming Language Examples Sending and Receiving Processes stype AppStore = Choice{weather: {d:api,g:gps - c:weather} /\ 1, travel: {d:api - c:travel} /\ 1} ActivateGPS : unit -> {g:gps} WeatherClient : unit -> {a:appstore,d:api - c:weather} c <- WeatherClient () <- a,d = { a.weather w <- input a wait a g <- ActivateGPS () c <- w <- d,g } Bernardo Toninho (UNL&CMU) Thesis Defense 28 / 40

106 A Concurrent Programming Language Examples Sending and Receiving Processes stype AppStore = Choice{weather: {d:api,g:gps - c:weather} /\ 1, travel: {d:api - c:travel} /\ 1} ActivateGPS : unit -> {g:gps} WeatherClient : unit -> {a:appstore,d:api - c:weather} c <- WeatherClient () <- a,d = { a.weather w <- input a wait a g <- ActivateGPS () c <- w <- d,g } Deadlock-freedom/Global Progress in the presence of HO mobility. Bernardo Toninho (UNL&CMU) Thesis Defense 28 / 40

107 A Concurrent Programming Language Reconciling with Logic Divergence Recursive types introduce divergence. Logical soundness is therefore lost. What is the behavior of: {c. d <- init 0 ; filter (fn x => false) <- d} Bernardo Toninho (UNL&CMU) Thesis Defense 29 / 40

108 A Concurrent Programming Language Reconciling with Logic Divergence Recursive types introduce divergence. Logical soundness is therefore lost. What is the behavior of: {c. d <- init 0 ; filter (fn x => false) <- d} Recovering Non-Divergence [Toninho et al. 14] Restrict to coinductive types. Only allow productive definitions: Process definitions must be guarded. Self-interaction with recursive calls must be disallowed. Bernardo Toninho (UNL&CMU) Thesis Defense 29 / 40

109 Reasoning Techniques Using Logic Reasoning using Logic Up to this point we have identified concurrent features that can be justified logically. Can we do more? Can we use the logical foundation to reason about concurrent programs? Bernardo Toninho (UNL&CMU) Thesis Defense 30 / 40

110 Reasoning Techniques Using Logic Reasoning using Logic Up to this point we have identified concurrent features that can be justified logically. Can we do more? Can we use the logical foundation to reason about concurrent programs? Properties of Interest Does a (well-typed) concurrent program diverge? When do two programs have the same behavior? What are the behavioral consequences of polymorphism? When are different behaviors compatible? Bernardo Toninho (UNL&CMU) Thesis Defense 30 / 40

111 Reasoning Techniques Linear Logical Relations Linear Logical Relations [Pérez et al. 12, Caires et al. 13, Toninho et al. 14] Based on logical relations for -calculus. Uniform framework for our session-typed processes. Scales to handle polymorphism and coinductive types. Allow us to show that well-typed processes are compositionally non-divergent. Bernardo Toninho (UNL&CMU) Thesis Defense 31 / 40

112 Reasoning Techniques Linear Logical Relations Equivalence Process Equivalence Observational equivalence is a fundamental tool for reasoning about processes. Canonical observational equivalence: Barbed Congruence. Hard to reason about Quantification over all contexts. Bernardo Toninho (UNL&CMU) Thesis Defense 32 / 40

113 Reasoning Techniques Linear Logical Relations Equivalence Process Equivalence Observational equivalence is a fundamental tool for reasoning about processes. Canonical observational equivalence: Barbed Congruence. Hard to reason about Quantification over all contexts. Logical Equivalence Relational extension of unary formulation of LRs. Contextual typed bisimulation Logical Equivalence. Easy to reason about. Turns out to be a proof technique for barbed congruence. Bernardo Toninho (UNL&CMU) Thesis Defense 32 / 40

114 Reasoning Techniques Linear Logical Relations Equivalence Observational Equivalence ;, x:a B, z:c D ) x(y).z(w).p L z(w).x(y).p :: e:t For open processes, we must place them in a (typed) closed context. Actions along x and z will not be visible, only those along e. Prefix permutation is safe since actions are not observable. Bernardo Toninho (UNL&CMU) Thesis Defense 33 / 40

115 Reasoning Techniques Linear Logical Relations Equivalence Parametricity Recall our CloudServer example and consider: CloudServer, 8X.!(api ( X) (!X A restaurant finding service rest, relying on some maps app. Both C 1 and C 2 will use the CloudServer for its maps infrastructure to offer service rest. One wishes to use GMaps, the other AMaps (related but not quite the same). Bernardo Toninho (UNL&CMU) Thesis Defense 34 / 40

116 Reasoning Techniques Linear Logical Relations Equivalence Parametricity Recall our CloudServer example and consider: CloudServer, 8X.!(api ( X) (!X A restaurant finding service rest, relying on some maps app. Both C 1 and C 2 will use the CloudServer for its maps infrastructure to offer service rest. One wishes to use GMaps, the other AMaps (related but not quite the same). s:!(api ( X) (!X ) C 1 L C 2 :: z:rest[x 7! GMaps, X 7! AMaps] Regardless of the impl. of the CloudServer, parametricity ensures it behaves uniformly. Bernardo Toninho (UNL&CMU) Thesis Defense 34 / 40

117 Reasoning Techniques Linear Logical Relations Equivalence Session Type Isomorphisms Two session behaviors A and B may be different, but compatible... Can we construct A from B and vice-versa? Can we do it seamlessly? i.e. Are A and B isomorphic (written A ' B)? Bernardo Toninho (UNL&CMU) Thesis Defense 35 / 40

118 Reasoning Techniques Linear Logical Relations Equivalence Session Type Isomorphisms Two session behaviors A and B may be different, but compatible... Can we construct A from B and vice-versa? Can we do it seamlessly? i.e. Are A and B isomorphic (written A ' B)? Isomorphisms A B ' B A We have P hx,yi and Q hy,xi such that: (1) x:a B ) P hx,yi :: y:b A and y:b A ) Q hy,zi :: z:a B (2) x:a B ) ( y)(p hx,yi Q hy,zi ) L [x $ z] ::z:a B Bernardo Toninho (UNL&CMU) Thesis Defense 35 / 40

119 Reasoning Techniques Linear Logical Relations Equivalence Isomorphisms A B ' B A A ( (B ( C) ' (A B) ( C (A B) ( C ' (A ( C) N (B ( C)... Coercions can mediate between the two types, representing isomorphic behavior. Bernardo Toninho (UNL&CMU) Thesis Defense 36 / 40

120 Conclusion Summary of Contributions Logical foundation of session types using linear logic: Concurrent language features explained logically. Logical features explained using concurrency. A concurrent programming language: Monadic integration of session-based concurrency. General recursion and (re)connections with logic. Deadlock-freedom in a higher-order setting. Reasoning techniques: Non-trivial properties (e.g. Termination, Parametricity). Logical equivalence as behavioral equivalence. Session Type Isomorphisms Bernardo Toninho (UNL&CMU) Thesis Defense 37 / 40

121 Conclusion Open Problems / Future Work Logical equivalence in the higher-order setting. Full dependent types. Explicit distribution concerns. Non-determinism.... Bernardo Toninho (UNL&CMU) Thesis Defense 38 / 40

122 Bibliography B. Toninho, L. Caires, F. Pfenning. Dependent Session Types via Intuitionistic Linear Type Theory. PPDP 11 F. Pfenning, L. Caires, B. Toninho. Proof-Carrying Code in a Session-Typed Process Calculus. CPP 11 J. Pérez, L. Caires, F. Pfenning, B. Toninho. Linear Logical Relations for Session-Based Concurrency. ESOP 12 B. Toninho, L. Caires, F. Pfenning. Functions as Session-Typed Processes. FoSSaCS 12 L. Caires, J. Pérez, F. Pfenning, B. Toninho. Behavioral Polymorphism and Parametricity in Session-Based Communication. ESOP 13 B. Toninho, L. Caires, F. Pfenning. Higher-Order Processes, Functions, and Sessions: A Monadic Integration. ESOP 13 B. Toninho, L. Caires, F. Pfenning. Corecursion and Non-Divergence in Session Types. TGC 14 Bernardo Toninho (UNL&CMU) Thesis Defense 39 / 40

123 A Logical Foundation for Session-based Concurrent Computation Bernardo Toninho [Co-advised by: Luís Caires and Frank Pfenning] Computer Science Department Carnegie Mellon University Universidade Nova de Lisboa Thesis Defense Bernardo Toninho (UNL&CMU) Thesis Defense 40 / 40

A Rehabilitation of Message-Passing Concurrency

A Rehabilitation of Message-Passing Concurrency Frank Pfenning Carnegie Mellon University PWLConf 2018, St. Louis A Paper I Love Types for Dyadic Interaction, Kohei Honda, CONCUR 1993 With some newer developments