Rely-Guarantee Protocols for Safe Interference over Shared Memory

Transcription

1 Rely-Guarantee Protocols for Safe Interference over Shared Memory Thesis Defense Filipe Militão December 15, Co-advised by Jonathan Aldrich (CMU) and Luís Caires (UNL).

2 Software Defects Our over reliance on software aggravates the impact of software defects ( bugs ) on society: Mariner 1 Spacecraft (incorrect guidance signal transmission) Therac-25 radiation therapy machine (race condition) Patriot Missile Error (inaccurate tracking) Ariane 5 Flight 501 (overflow in 16-bit register) NASA s Mars Climate Orbiter (imperial to metrics conversion) Heathrow Terminal 5 Opening (baggage handling system) Microsoft Excel 2007 (wrong result on 850*77.1) Toyota vehicles (sudden unintended acceleration)... Thus, there is a clear and increasing need for mechanisms to improve software reliability. 2

3 Mutable State (I) Mutable state can be useful in certain cases such as to improve efficiency, clarity, or even to enable greater extensibility. We propose a new type-based technique to detect, at compile-time, a class of errors related to the unsafe use of shared mutable state. 3

4 Mutable State (II) We aim to precisely detect and avoid unsafe interference in the use of mutable state that is shared through aliasing. By precisely tracking the properties of mutable state we can avoid a class of state-related run-time errors and eliminates the need for some defensive run-time tests. 4

5 ! File file = new File( fillet );! file.write( foo );! file.close();! file.write( bar ); 5

6 ! File file = new File( fillet );! file.write( foo );! file.close();! file.write( bar ); Error: runtime exception! 6

7 ! File file = new File( fillet );! file.write( foo );! file.close();! file.write( bar ); 7

8 File file = new File( fillet ); file.write( foo ); file.close(); file.write( bar ); class File { FileDescriptor fd; File( File( string string filename filename ){ ){ fd fd = OS.createFile( OS.createFile( filename filename ); ); }} void write( string s ){ void if( fd write( == null string ) s ){ if( throw fd Exception( invalid == null ) file descriptor ); fd.write( throw Exception( invalid s ); file descriptor ); } fd.write( s ); void } close(){ void fd = close(){ null; } fd = null; } } } 8

9 File File File File File } class File { FileDescriptor fd; File( string filename ){ fd = OS.createFile( filename ); } void write( string s ){ if( fd == null ) throw Exception( invalid file descriptor ); fd.write( s ); } void close(){ fd = null; } The flat abstraction does not precisely express the changing properties of File s internal state (fd). 9

10 Closed class File { FileDescriptor fd; File( string filename ){ fd = OS.createFile( filename ); } void write( string s ){ if( fd == null ) throw Exception( invalid file descriptor ); fd.write( s ); Open Open Open Open } } void close(){ fd = null; } Unnecessary because we statically guarantee to only call write when Open. Types capture the precise, changing, type of the state. 10

11 Challenge: Interference Aliasing allows different names to refer to the same mutable state. YourFile MyFile TheirFile However, uncontrolled aliasing can lead to interference-related errors, where the actions of different aliases break each other s (precise) assumptions on the contents of the shared state. 11

12 x.open( ); x.write( ); x.read( ); 12

13 Open x.open( ); x.write( ); x.read( ); 13

14 Open x.open( ); x.write( ); x.read( ); 14

15 y.close( ); Open x.open( ); x.write( ); x.read( ); 15

16 y.close( ); Closed x.open( ); x.write( ); x.read( ); 16

17 Closed x.open( ); x.write( ); x.read( ); Broken local assumption: interference! 17

18 Thesis Statement Rely-Guarantee Protocols provide a modular, composable, expressive, and automatically verifiable mechanism to control the interference resulting from the interaction of non-local aliases that share access to mutable state. 18

19 Overview Aliasing Memory Locations Typestate Abstraction Sharing with Rely-Guarantee Protocols 19

20 Language Polymorphic λ-calculus with mutable references (and immutable records, tagged sums,...). We use a variant of L 3 [Ahmed, Fluet, and Morrisett. L 3 : A linear language with locations. Fundam. Inform ] adapted for usability and extended with new constructs, and our sharing mechanism. 20

21 State as a Linear Resource ref A 21

22 State as a Linear Resource ref A reference with contents of type A 21

23 State as a Linear Resource ref A reference with contents of type A ref p{ rw p A 21

24 State as a Linear Resource ref A reference with contents of type A duplicable reference to location p ref p{ rw p A 21

25 State as a Linear Resource ref A reference with contents of type A duplicable reference to location p p{ ref rw p A ref p ref p ref p ref p ref p ref p 21

26 State as a Linear Resource ref A reference with contents of type A duplicable reference to location p p{ ref rw p A ref p ref p ref p ref p ref p ref p 21 linear read+write capability of location p with contents of type A

27 State as a Linear Resource ref A reference with contents of type A duplicable reference to location p p{ ref rw p A ref p ref p p ref p links ref to capability ref p ref p ref p 21 linear read+write capability of location p with contents of type A

28 x : ref p let y = x in x := 1; delete y; x := false end rw p string 22

29 let y = x in y : ref p x : ref p x := 1; delete y; x := false end rw p string 23

30 y : ref p x : ref p let y = x in x := 1; delete y; x := false end rw p int 24

31 y : ref p let y = x in x := 1; delete y; x : ref p x := false end 25

32 y : ref p x : ref p let y = x in x := 1; delete y; end x := false Type Error: Missing capability to location p. 25

33 How to use capabilities in functions? y : ref p x : ref p let y = x in x := 1; delete y; end x := false Type Error: Missing capability to location p. 26

34 left : ref l fun( i : int :: rw l [] ). left := i 27

35 left : ref l fun( i : int :: rw l [] ). i : int :: rw l [] left := i 28

36 fun( i : int :: rw l [] ). left : ref l i : int rw l [] left := i 29

37 fun( i : int :: rw l [] ). left := i left : ref l i : int rw l int 30

38 fun( i : int :: rw l [] ). left := i int :: rw l [] [] :: rw l int ( ) ( ) 31

39 How to build typestate abstractions? fun( i : int :: rw l [] ). left := i int :: rw l [] [] :: rw l int ( ) ( ) 32

40 Pair Typestate 33

41 Pair Typestate Left Right 34

42 Pair Typestate Initialize each component separately. Sum both components, and destroy the pair. 35

43 Pair Typestate Initialize each component separately. Sum both components, and destroy the pair. 36

44 Pair Typestate Initialize each component separately. initl Sum both components, and destroy the pair. 37

45 Pair Typestate Initialize each component separately. initl Sum both components, and destroy the pair. sum 38

46 initl : ( int :: rw l [] ) ( [] :: rw l int ) 39

47 [ initl : ( int :: rw l [] ) ( [] :: rw l int ), initr : ( int :: rw r [] ) ( [] :: rw r int ), sum : ( [] :: ( rw l int * rw r int ) ) ( int :: ( rw l int * rw r int ) ), destroy : ( [] :: ( rw l int * rw r int ) ) [] ) ] 40

48 [ initl : ( int :: rw l [] ) ( [] :: rw l int ), initr : ( int :: rw r [] ) ( [] :: rw r int ), sum : ( [] :: ( rw l int * rw r int ) ) ( int :: ( rw l int * rw r int ) ), destroy : ( [] :: ( rw l int * rw r int ) ) [] ) ] :: ( rw l [] * rw r [] ) 41

49 [ initl : ( int :: rw EL l [] ) ( [] :: rw l int ), initr : ( int :: rw r [] ) ( [] :: rw r int ), ] sum : ( [] :: ( rw l int * rw r int ) ) ( int :: ( rw l int * rw r int ) ), destroy : ( [] :: ( rw l int * rw r int ) ) [] ) :: ( rw EL l [] * rw r [] ) 42

50 [ initl : ( int :: rw EL l [] ) ( [] :: rw l L int ), initr : ( int :: rw r [] ) ( [] :: rw r int ), sum : ( [] :: ( rw l L int * rw r int ) ) ( int :: ( rw l L int * rw r int ) ), destroy : ( [] :: ( rw l L int * rw r int ) ) [] ) ] :: ( rw EL l [] * rw r [] ) 43

51 [ initl : ( int :: rw EL l [] ) ( [] :: rw l L int ), initr : ( int :: rw ER r [] ) ( [] :: rw r int ), sum : ( [] :: ( rw l L int * rw r int ) ) ( int :: ( rw l L int * rw r int ) ), destroy : ( [] :: ( rw l L int * rw r int ) ) [] ) ] :: ( rw EL l [] * rw ER r [] ) 44

52 [ initl : ( int :: rw EL l [] ) ( [] :: rw l L int ), initr : ( int :: rw ER r [] ) ( [] :: rw r R int ), sum : ( [] :: ( rw l L int * rw r R int ) ) ( int :: ( rw l L int * rw r Rint ) ), destroy : ( [] :: ( rw l L int * rw r R int ) ) [] ) ] :: ( rw EL l [] * rw ER r [] ) 45

53 EL. L. ER. R.( [ initl :!( int :: EL [] :: L ), initr :!( int :: ER [] :: R ), sum :!( [] :: L * R int :: L * R ), destroy :!( [] :: L * R [] ) ] :: EL * ER ) 46

54 Pair Typestate newpair :!( [] EL. L. ER. R.(![ initl :!( int :: EL [] :: L ), initr :!( int :: ER [] :: R ), sum :!( [] :: L * R int :: L * R ), destroy :!( [] :: L * R [] ) ] :: EL * ER ) ) Type expresses the changing properties of the object s state, typestate (EmptyLeft, Left, EmptyRight and Right). The types states EL/L and ER/R correlate to separate (disjoint) internal state that can operate independently of the other. 47

55 So... Why sharing? The capability is linear: it cannot be used simultaneously from two different parts of the program. 48

56 So... Why sharing? The capability is linear: it cannot be used simultaneously from two different parts of the program. 48

57 Sharing We want to use state simultaneously, beyond linearly. We need a typing mechanism to safely coordinate access to shared state and avoid unsafe interference. 49

58 Sharing We want to use state simultaneously, beyond linearly. We need a typing mechanism to safely coordinate access to shared state and avoid unsafe interference. 49

59 Sharing One solution is to have each alias preserve an initially held invariant, invariant-based sharing. I I Instead, we adapt the spirit of rely-guarantee reasoning, to enable more precise uses. R G 50

60 Sharing One solution is to have each alias preserve an initially held invariant, invariant-based sharing. Enter private use I I Instead, we adapt the spirit of rely-guarantee reasoning, to enable more precise uses. R G 50

61 Sharing One solution is to have each alias preserve an initially held invariant, invariant-based sharing. Enter private use I I Exit private use Instead, we adapt the spirit of rely-guarantee reasoning, to enable more precise uses. R G 50

62 Sharing One solution is to have each alias preserve an initially held invariant, invariant-based sharing. Enter private use I I Exit private use Instead, we adapt the spirit of rely-guarantee reasoning, to enable more precise uses. Relied state R G 50

63 Sharing One solution is to have each alias preserve an initially held invariant, invariant-based sharing. Enter private use I I Exit private use Instead, we adapt the spirit of rely-guarantee reasoning, to enable more precise uses. Relied state R G Guaranteed state 50

64 Shared cell 51

65 Alias Local View Step1 ; Step2 ;... { rely-guarantee protocol 52

66 Alias Local View Relied type Empty Filled Guaranteed type Step1 ; Step2 ;... 53

67 Alias Local View Empty Filled Step1 ; Step2 ;... 54

68 Alias Local View Empty Filled Step1 ; Step2 ;... 55

69 Alias Local View Empty Filled Step1 ; Step2 ;... 56

70 Alias Local View Empty Filled Step1 ; Step2 ;... 57

71 Alias Local View Empty Filled Step1 ; Step2 ;... 58

72 Alias Local View Step2 ;... 59

73 Disjoint Linearity ensured the state was disjoint: only one capability to some cell may exist. A * B Sharing enables the same cell to be used through seemingly different name. Types that look disjoint, may in fact alias the same state - i.e. they are fictionally disjoint. 60

74 Fictionally Disjoint Linearity ensured the state was disjoint: only one capability to some cell may exist. shared A * B Sharing enables the same cell to be used through seemingly different name. Types that look disjoint, may in fact alias the same state - i.e. they are fictionally disjoint. 61

75 Alias Interleaving x := 1; dosomething();!x // what do we get? 62

76 Alias Interleaving dosomething : [] [] x := 1; dosomething();!x // what do we get? 63

77 Alias Interleaving fun().1 fun().x := false fun().delete x x := 1; dosomething();!x // what do we get? dosomething, although fictionally disjoint, may actually interleave zero or more uses of aliases to the same state as referenced by x. 64

78 Alias Interleaving x := 1; dosomething();!x // what do we get? Are the uses done in dosomething compatible with our local reasoning of how x changes? 65

79 Protocol Composition Checks if combining all local views creates a globally consistent, i.e. safe, use of the shared state mutable state independently of interleaving. ; ; 66

80 Protocol Composition Checks if combining all local views creates a globally consistent, i.e. safe, use of the shared state mutable state independently of interleaving. possible interleaving { ; ; ; ; ; ; ; ; ; ; 67

81 Protocol Composition Checks if combining all local views creates a globally consistent, i.e. safe, use of the shared state mutable state independently of interleaving. ; ; ; ; ; Ok! ;;; ; ; 68

82 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 69

83 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 70

84 Protocol Specification 71

85 Protocol Specification 72

86 Protocol Specification 73

87 Protocol Specification 74

88 Protocol Specification States that it is safe to assume that shared state satisfies R, and requires the alias to obey the guarantee P. 75

89 Protocol Specification Requires the client to establish (guarantee) that the shared state satisfies R before continuing the use of the protocol as P. 76

90 Protocol Specification 77

91 Shared Pipe Shared by two aliases interacting via a common buffer, here modeled as a singly linked list. 1. The Producer alias may put new elements in or close the pipe. 2. The Consumer alias may only trytake elements from the buffer. The result of trytake is one of the following: either there was some Result, or NoResult, or the pipe is fully Depleted. 78

92 Pipe 79

93 Producer Consumer 80

94 Producer Producer Protocol Shared Buffer Consumer Protocol Consumer 81

95 Producer tail : T 82

96 Producer tail : Empty ( Filled Closed ) ; none 83

97 Producer tail : Empty ( Filled Closed ) ; none 84

98 Producer tail : none 85

99 Producer tail : Empty ( Filled Closed ) ; none 86

100 Producer tail : Empty ( Filled Closed ) ; none head : H Consumer 87

101 Producer tail : Empty ( Filled Closed ) ; none head : ( Empty Empty ; H ) ( Filled none ) ( Closed none ) Consumer 88

102 Producer tail : Empty ( Filled Closed ) ; none head : ( Empty Empty ; H ) ( Filled none ) ( Closed none ) Consumer 89

103 Producer tail : Empty ( Filled Closed ) ; none head : none Consumer 90

104 Producer tail : Empty ( Filled Closed ) ; none head : ( Empty Empty ; H ) ( Filled none ) ( Closed none ) Consumer 91

105 Types 92

106 Types 93

107 Types 94

108 Types 95

109 Types 96

110 Producer (tail) Protocol: T[t] = rw t Empty#[] ( ( rw t Node#[...] ) ( rw t Closed#[] ) ); none Consumer (head) Protocol: H[h] = ( rw h Empty#[] rw h Empty#[] ; H[h] ) ( rw h Node#[...] none ; none ) ( rw h Closed#[] none ; none ) 97

111 Pipe Typestate P. C.(![ put :!( (!int :: P ) (![] :: P ) ), close :!( (![] :: P )![] ), trytake :!( (![] :: C ) Depleted#![] + NoResult#(![] :: C) + Result#(!int :: C) ) ] :: ( C * P ) ) 98

112 Pipe Typestate P. C.(![ put :!( (!int :: P ) (![] :: P ) ), close :!( (![] :: P )![] ), trytake :!( (![] :: C ) Depleted#![] + NoResult#(![] :: C) + Result#(!int :: C) ) ] :: ( C * P ) ) 98

113 Pipe Typestate P. C.(![ put :!( (!int :: P ) (![] :: P ) ), close :!( (![] :: P )![] ), trytake :!( (![] :: C ) Depleted#![] + NoResult#(![] :: C) + Result#(!int :: C) ) ] :: ( C * P ) ) rw p p.((!ref p) :: T[p]) 98

114 Pipe Typestate P. C.(![ put :!( (!int :: P ) (![] :: P ) ), close :!( (![] :: P )![] ), trytake :!( (![] :: C ) Depleted#![] + NoResult#(![] :: C) + Result#(!int :: C) ) ] :: ( C * P ) ) rw p p.((!ref p) :: T[p]) rw c p.((!ref p) :: H[p]) 98

115 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 99

116 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 100

117 Syntax 101

118 102

119 2. Protocol Use Protocols are used through focus and defocus constructs. They serve two purposes: a) Hide privates changes from the other aliases of that shared state. b) Advance the step of the protocol, by obeying the constraints on public changes. 103

120 Focus / Defocus focus Empty... defocus 104

121 Focus / Defocus Empty Filled ; Next focus Empty... defocus 104

122 Focus / Defocus Empty Filled ; Next focus Empty... defocus 104

123 Focus / Defocus focused state Empty Filled ; Next focus Empty defocus-guarantee... defocus 105

124 Focus / Defocus Empty Filled ; Next focus Empty... defocus 106

125 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next... defocus 106

126 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next PartiallyFilled..., Filled ; Next defocus 107

127 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next... defocus Filled, Filled ; Next 108

128 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next... defocus Filled, Filled ; Next 109

129 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next... defocus Filled, Filled ; Next 109

130 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next... defocus Filled, Filled ; Next Next 109

131 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 110

132 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 111

133 3. Protocol Composition Protocols are introduced explicitly, in pairs, through the share construct: share A as B C type A (either a capability or an existing protocol) can be safely split in types B and C (two protocols) Arbitrary aliasing is possible by continuing to split an existing protocol. share type checks only if the protocols compose safely (i.e. no unsafe interference is possible). 112

134 Checking share We must check that a protocol is aware of all possible states that may appear due to the interleaving of the actions of other aliases to that shared state. Checking a split is built from two components: a) simulating a single use of a protocols, a single focus-defocus block (i.e. a step of the protocol). b) ensuring that each protocol considers all possible protocol interleaving. 113

135 Protocol Composition Example share E as rec X.( E E;X N none C none ) E ( N C ) 114

136 Protocol Composition Example share E as Producer Consumer rec X.( E E;X N none C none ) E ( N C ) 114

137 Initial state. E C P C P C P C P C P 115

138 Initial state. E { possible interleaving C C C P P C P C P P 116

139 Initial state. { possible interleaving C C P E Up to this point protocols can only list a finite C number P of distinct Cstates, and P each protocol lists a finite number of distinct protocol steps. Thus, there is a finite number of different configurations representing the uses of the protocols. C P P 117

140 State: E Consumer Producer E E E N C C none N none Configurations: 118

141 State: Consumer Producer E E E N C C none N none Configurations: 118

142 State: Consumer Producer E E E N C C none N none Configurations: 118

143 State: E Consumer Producer E E E N C C none N none Configurations: 118

144 State: E Consumer Producer E E E N C C none N none Configurations: 119

145 State: E Consumer Producer E E E N C C none N none Configurations: 119

146 State: Consumer Producer E E E N C C none N none Configurations: 119

147 State: Consumer Producer E E E N C C none N none Configurations: 119

148 State: N C Consumer Producer E E E N C C none N none Configurations: 119

149 State: N C Consumer Producer E E none C none N none Configurations: 120

150 State: N C Consumer Producer E E none C none N none Configurations: 120

151 State: none Consumer Producer E E none C none N none Configurations: 120

152 State: none Consumer Producer none none Configurations: 121

153 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 122

154 Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition A few more details: Improved Locality of Protocol Specification Fork/Join Concurrency 123

155 T[t] = rw t Empty#[] ( ( rw t Node#[...] ) ( rw t Closed#[] ) ); none H[h] = ( rw h Empty#[] rw h Empty#[] ; H[h] ) ( rw h Node#[...] none ; none ) ( rw h Closed#[] none ; none ) 124

156 T[t] = rw t Empty#[] ( ( rw t Node#[...] ) ( rw t Closed#[] ) ); none From H s local perspective only the tag is important, not the tagged type. How can we model this? H[h] = ( rw h Empty#[] rw h Empty#[] ; H[h] ) ( rw h Node#[...] none ; none ) ( rw h Closed#[] none ; none ) 125

157 Protocol Specification

158 T = Empty# [] Full#int ; none H = ( Empty# [] Empty# []; H ) ( Full#int none ; none ) ( Close#[] none ; none ) 127

159 T = Empty# [] Full#int ; none H = X. ( Empty# X Empty# X; H ) ( Full#int none ; none ) ( Close#[] none ; none ) H no longer sees the content of Empty, and T can now use that part of the state unilaterally. 128

160 T = ( Empty# [] Empty# []; T ) & ( Empty# [] Full#int ; none) H = X. ( Empty# X Empty# X; H ) ( Full#int none ; none ) ( Close#[] none ; none ) 129

161 T remembers the local information. T is free to unilaterally change tagged type. T[Y] = ( Empty# Y Z.( Empty# Z ; T [ Z] ) ) & ( Empty# Y Full#int ; none) H = X. ( Empty# X Empty# X; H ) ( Full#int none ; none ) ( Close#[] none ; none ) 130

162 Improved Locality Protocols can be more generic and more isolated (decoupled) from other protocols actions, while remaining free from unsafe interference. Protocol re-splits can take advantage of this flexibility by means of more flexible specializations, such as via nested re-splits. 131

163 Protocol Specialization T[Y] = ( Empty# Y Z.( Empty# Z ; T [ Z] ) ) & ( Empty# Y Full#int ; none) re-split ( Empty#(Wait#[]) Empty#(Ready#int) ; none ) ( Empty#(Ready#int) Full#int ; none ) 132

164 Protocol Specialization T[Y] = ( Empty# Y Z.( Empty# Z ; T [ Z] ) ) & ( Empty# Y Full#int ; none) re-split ( Empty#(Wait#[]) Empty#(Ready#int) ; none ) ( Empty#(Ready#int) Full#int ; none ) Nesting, the specialization works within the original interference. 133

165 Protocol Composition 2.0 Configurations are checked symbolically, each representing a class of configurations, up to renaming and weakening. Q S P Well-formedness conditions on types ensures the number of different sub-terms of a type is bounded, guaranteeing decidability. 134 x Q[x] z Q[z] y Q[y]

166 Concurrency Protocol Composition protects against all possible interleaving that may occur. Same static set of possible interleaving, even if concurrency may non-deterministically pick different interleaving at run-time. focus/defocus >> lock/unlock, adds fork e Caveat: no deadlock avoidance, nor termination/liveness guarantees. 135

167 Overview of Main Technical Results Standard Progress and Preservation results. Data race freedom and memory safety (no dereference of null pointers, etc). Stepping of configurations preserves safe Protocol Composition. Protocol Composition is a partial commutative monoid. Protocol Composition is decidable. 136

168 Thesis also includes All technical details such as the axiomatic definition of Protocol Composition, algorithm, and formal system for sequential and concurrent settings. Additional examples, including: Full pipe code example Encoding (non-distributed) typeful message-passing concurrency (buyer-shipper-seller example) Soundness proof. Prototype implementations. 137

169 Prototypes JavaScript-based implementations, run in the browser. 138

170 Summary Typestates using existential abstraction. [Militão, Aldrich, Caires. Substructural Typestates. PLPV 14.] Rely-Guarantee Protocols for handling safe interference: 1. Protocol Specification ( local view on public changes ) 2. Protocol Use ( hidden, private changes ) 3. Protocol Composition ( ensure safe alias interleaving ) [Militão, Aldrich, Caires. Rely-Guarantee Protocols. ECOOP 14.] Safe, decidable composition of protocols even when parts of a protocol are abstracted. Interference control over sequential and concurrent settings. 139