191 research outputs found
Special Delivery: Programming with Mailbox Types (Extended Version)
The asynchronous and unidirectional communication model supported by
mailboxes is a key reason for the success of actor languages like Erlang and
Elixir for implementing reliable and scalable distributed systems. While many
actors may send messages to some actor, only the actor may (selectively)
receive from its mailbox. Although actors eliminate many of the issues stemming
from shared memory concurrency, they remain vulnerable to communication errors
such as protocol violations and deadlocks.
Mailbox types are a novel behavioural type system for mailboxes first
introduced for a process calculus by de'Liguoro and Padovani in 2018, which
capture the contents of a mailbox as a commutative regular expression. Due to
aliasing and nested evaluation contexts, moving from a process calculus to a
programming language is challenging.
This paper presents Pat, the first programming language design incorporating
mailbox types, and describes an algorithmic type system. We make essential use
of quasi-linear typing to tame some of the complexity introduced by aliasing.
Our algorithmic type system is necessarily co-contextual, achieved through a
novel use of backwards bidirectional typing, and we prove it sound and complete
with respect to our declarative type system. We implement a prototype type
checker, and use it to demonstrate the expressiveness of Pat on a factory
automation case study and a series of examples from the Savina actor benchmark
suite.Comment: Extended version of paper accepted to ICFP'2
Multiparty session typing in Java, deductively
Multiparty session typing (MPST) is a method to automatically prove safety and liveness of protocol implementations relative to specifications. We present BGJ: a new tool to apply the MPST method in combination with Java. The checks performed using our tool are purely static (all errors are reported early at compile-time) and resource-efficient (near-zero cost abstractions at run-time), thereby addressing two issues of existing tools. BGJ is built using VerCors, but our approach is general
Event structure semantics for multiparty sessions
We propose an interpretation of multiparty sessions as "Flow Event Structures", which allows concurrency within sessions to be explicitly represented. We show that this interpretation is equivalent, when the multiparty sessions can be described by global types, to an interpretation of such global types as "Prime Event Structures"
Complete Multiparty Session Type Projection with Automata
Multiparty session types (MSTs) are a type-based approach to verifying
communication protocols. Central to MSTs is a projection operator: a partial
function that maps protocols represented as global types to
correct-by-construction implementations for each participant, represented as a
communicating state machine. Existing projection operators are syntactic in
nature, and trade efficiency for completeness. We present the first projection
operator that is sound, complete, and efficient. Our projection separates
synthesis from checking implementability. For synthesis, we use a simple
automata-theoretic construction; for checking implementability, we present
succinct conditions that summarize insights into the property of
implementability. We use these conditions to show that MST implementability is
PSPACE-complete. This improves upon a previous decision procedure that is in
EXPSPACE and applies to a smaller class of MSTs. We demonstrate the
effectiveness of our approach using a prototype implementation, which handles
global types not supported by previous work without sacrificing performance.Comment: 24 pages, 44 pages including appendix; CAV 202
Realisability of Global Models of Interaction (Extended Version)
We consider global models of communicating agents specified as transition systems labelled by interactions in which multiple senders and receivers can participate. A realisation of such a model is a set of local transition systems—one per agent—which are executed concurrently using synchronous communication. Our core challenge is how to check whether a global model is realisable and, if it is, how to synthesise a realisation. We identify and compare two variants to realise global interaction models, both relying on bisimulation equivalence. Then we investigate, for both variants, realisability conditions to be checked on global models. We propose a synthesis method for the construction of realisations by grouping locally indistinguishable states. The paper is accompanied by a tool that implements realisability checks and synthesises realisations.
This document extends a publication accepted at the International Colloquium on Theoretical Aspects of Computing 2023 (ICTAC 2023), including the proofs of all results, more examples, and a more detailed explanation of the companion prototype tool
A Logical Account of Subtyping for Session Types
We study the notion of subtyping for session types in a logical setting,
where session types are propositions of multiplicative/additive linear logic
extended with least and greatest fixed points. The resulting subtyping relation
admits a simple characterization that can be roughly spelled out as the
following lapalissade: every session type is larger than the smallest session
type and smaller than the largest session type. At the same time, we observe
that this subtyping, unlike traditional ones, preserves termination in addition
to the usual safety properties of sessions. We present a calculus of sessions
that adopts this subtyping relation and we show that subtyping, while useful in
practice, is superfluous in the theory: every use of subtyping can be "compiled
away" via a coercion semantics.Comment: In Proceedings PLACES 2023, arXiv:2304.0543
Jornadas Nacionales de Investigación en Ciberseguridad: actas de las VIII Jornadas Nacionales de Investigación en ciberseguridad: Vigo, 21 a 23 de junio de 2023
Jornadas Nacionales de Investigación en Ciberseguridad (8ª. 2023. Vigo)atlanTTicAMTEGA: Axencia para a modernización tecnolóxica de GaliciaINCIBE: Instituto Nacional de Cibersegurida
Programming languages and tools with multiparty session
Distributed software systems are used in a wide variety of applications, including health care, telecommunications, finance, and entertainment. These systems typically consist of multiple software components, each with its own local memory, that are deployed across networks of hosts and communicate by passing messages in order to achieve a common goal. Distributed systems offer several benefits, including scalability — since computation happens independently on each component, it is easy and generally inexpensive to add additional components and functionality as necessary; reliability—since systems can be made up of hundreds of components working together, there is little disruption if a single component fails; performance—since work loads can be broken up and sent to multiple components, distributed systems tend to be very efficient. However, they can also be difficult to implement and analyze due to the need for heterogeneous software components to communicate and synchronize correctly and the potential for hardware or software failures.
Distributed and concurrent programming is challenging due to the complexity of coordinating the communication and interactions between the various components of a system that may be running on different machines or different threads. Behavioural types can help to address some of these difficulties by providing a way to formally specify the communication between components of a distributed system. This specification can then be used to verify the correctness of the communication between these components using static typechecking, dynamic monitoring, or a combination of the two. Perhaps the most well-known form of behavioural types are session types. They define the sequences of messages that are exchanged between two or more parties in a communication protocol, as well as the order in which these messages are exchanged. More generally, behavioural types include typestate systems, which specify the state-dependent availability of operations, choreographies, which specify collective communication behaviour, and behavioural contracts that specify the expected behaviour of a system. By using behavioural types, it is possible to ensure that the communication between components of a distributed system is well-defined and follows a set of predefined rules, which can help to prevent errors and ensure that the system behaves correctly.
The focus of this thesis is on using session type systems to provide static guarantees about the runtime behaviour of concurrent programs. We investigate two strands of work in this context. The first strand focuses on the relationship between session types and linearity. Linearity is a property of certain resources, in this case communication channels, that can only be used once. For instance a linear variable can only be assigned once, after which it cannot be changed. This property is useful for session types because it helps to prevent race conditions and guarantees that no messages are lost or duplicated. We look at relaxing the standard access control in multiparty session types systems. This is typically based on linear or affine types, that offer strong guarantees of communication safety and session. However, these exclude many naturally occurring scenarios that make use of shared channels or need to store channels in shared data structures. We introduce a new and more flexible session type system, which allows channel references to be shared and stored in persistent data structures. We prove that the resulting language satisfies type safety, and we illustrate our type system through examples.
The second strand of research in this thesis looks at the expressive power of session types, and their connection to typestate for safe distributed programming in the Java language. Typestates are a way of annotating objects with a set of operations that are valid to perform on them at a given state. We expand the expressive power of two existing tools, use them to represent real-world case studies, and end by considering language usability and human factors
AN EMPIRICAL STUDY OF CONCURRENT FEATURE USAGE IN GO
The Go language includes support for running functions or methods concurrently as goroutines, which are lightweight threads managed directly by the Go language runtime. Go is probably best known for the use of a channel-based, message-passing concurrency mechanism, based on Hoare's Communicating Sequential Processes (CSP), for inter-thread communication. However, Go also includes support for traditional concurrency features, such as mutexes and condition variables, that are commonly used in other languages. In this paper, we analyze the use of these traditional concurrency features, using a corpus of Go programs used in earlier work to study the use of message-passing concurrency features in Go. The goal of this work is to better support developers in using traditional concurrency features, or a combination of traditional and message-passing features, in Go
A model of actors and grey failures
Existing models for the analysis of concurrent processes tend to focus on
fail-stop failures, where processes are either working or permanently stopped,
and their state (working/stopped) is known. In fact, systems are often affected
by grey failures: failures that are latent, possibly transient, and may affect
the system in subtle ways that later lead to major issues (such as crashes,
limited availability, overload). We introduce a model of actor-based systems
with grey failures, based on two interlinked layers: an actor model, given as
an asynchronous process calculus with discrete time, and a failure model that
represents failure patterns to inject in the system. Our failure model captures
not only fail-stop node and link failures, but also grey failures (e.g.,
partial, transient). We give a behavioural equivalence relation based on weak
barbed bisimulation to compare systems on the basis of their ability to recover
from failures, and on this basis we define some desirable properties of
reliable systems. By doing so, we reduce the problem of checking reliability
properties of systems to the problem of checking bisimulation
- …