shared session types for safe, practical concurrencybalzers/publications/safe_concurrency.pdf ·...
TRANSCRIPT
Shared Session Types for Safe, Practical Concurrency1
Stephanie Balzer Carnegie Mellon University
Typelevel Summit Philadelphia 2019
1 Supported by a Mozilla Research Grant and NSF Grant No. CCF-1718267
Concurrency is ubiquitous
�2
Concurrency is ubiquitous
The world surrounding us is inherently concurrent
�2
Concurrency is ubiquitous
The world surrounding us is inherently concurrent
�2
Concurrency is ubiquitous
The world surrounding us is inherently concurrent
�2
Concurrency is ubiquitous
The world surrounding us is inherently concurrent
�2
Concurrency is ubiquitous
The world surrounding us is inherently concurrent
�2
Concurrency is ubiquitous
The world surrounding us is inherently concurrent
�2
Concurrency is ubiquitous
�3
The world surrounding us is inherently concurrent
Concurrency is ubiquitous
Many programming problems demand concurrency • Flight booking system, online store, search engines, etc.
�3
The world surrounding us is inherently concurrent
Concurrency is ubiquitous
Many programming problems demand concurrency • Flight booking system, online store, search engines, etc.
Computing devices themselves are concurrent • Run various apps concurrently
�3
The world surrounding us is inherently concurrent
Concurrency is ubiquitous
Many programming problems demand concurrency • Flight booking system, online store, search engines, etc.
Computing devices themselves are concurrent • Run various apps concurrently
�3
programming languages must support concurrency
The world surrounding us is inherently concurrent
Concurrency is ubiquitous
Many programming problems demand concurrency • Flight booking system, online store, search engines, etc.
Computing devices themselves are concurrent • Run various apps concurrently
�3
programming languages must support concurrency
concurrent programming is notoriously difficult and error-prone
The world surrounding us is inherently concurrent
Two models for concurrent programming
�4
Two models for concurrent programming
�4
Legend: concurrently executing component
shared dataread/write
Shared memory
Two models for concurrent programming
�4
Legend: concurrently executing component
shared dataread/write
Shared memory
message
Message-passing
Two models for concurrent programming
�4
Legend: concurrently executing component
shared dataread/write
Shared memory
message
Message-passing
• computation by reading fromand writing to shared data
Two models for concurrent programming
�4
Legend: concurrently executing component
shared dataread/write
Shared memory
message
Message-passing
• computation by reading fromand writing to shared data
• computation by exchangeof messages
Two models for concurrent programming
�4
Legend: concurrently executing component
shared dataread/write
Shared memory
message
Message-passing
• computation by reading fromand writing to shared data
• computation by exchangeof messages
message-passing offers higher-level of abstraction
Two models for concurrent programming
�4
Legend: concurrently executing component
shared dataread/write
Shared memory
message
Message-passing
• computation by reading fromand writing to shared data
• computation by exchangeof messages
message-passing offers higher-level of abstraction
message-passing adopted by practical languages such as Erlang, Go, and Rust.
My research
�5
My research
�5
Goal: make concurrent programming safe and practical
My research
�5
Goal: make concurrent programming safe and practical
message-passing model
session types to express protocols of message exchange and reason sequentially about communicating parties
My research
�5
Goal: make concurrent programming safe and practical
message-passing model
Contributions:
session types to express protocols of message exchange and reason sequentially about communicating parties
My research
�5
Goal: make concurrent programming safe and practical
message-passing model
Contributions:shared session types
session types to express protocols of message exchange and reason sequentially about communicating parties
My research
�5
Goal: make concurrent programming safe and practical
message-passing model
Contributions:shared session types
accommodate real-world programming scenarios
guarantee protocol adherence, data-race-freedom, and deadlock-freedom
session types to express protocols of message exchange and reason sequentially about communicating parties
Session types, what are they? Why do we need them in practice?
�6
Message-passing concurrency in Servo
�7
Message-passing concurrency in Servo
• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.
• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.
�7
Message-passing concurrency in Servo
• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.
• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.
�7
Image loader:
Message-passing concurrency in Servo
• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.
• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.
�7
ImageCache
Image loader:
Message-passing concurrency in Servo
• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.
• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.
�7
ImageCache Client
CmdReceiver
Legend: channelcomponent, runs in separate thread
Image loader:
Message-passing concurrency in Servo
• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.
• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.
�7
ResourceThread ImageCache Client
CmdReceiver
Legend: channelcomponent, runs in separate thread
Image loader:
Message-passing concurrency in Servo
• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.
• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.
�7
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
Image loader:
Message-passing concurrency in Servo
• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.
• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.
�7
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
request
Image loader:
Message-passing concurrency in Servo
• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.
• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.
�8
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
Image loader:
Message-passing concurrency in Servo
• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.
• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.
�8
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
exit
Image loader:
Message-passing concurrency in Servo
• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.
• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.
�9
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
Image loader:
Message-passing concurrency in Servo
• Servo is Mozilla’s next-generation browser engine under development and implemented in Rust.
• Servo uses message-passing concurrency for maximal parallelization of tasks, such as loading and rendering of webpage elements.
�9
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
kill
Image loader:
Message-passing concurrency in Servo
�10
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
Image loader:
Message-passing concurrency in Servo
�10
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
To restrict the kinds of messages that can be sent over a channel, Rust channels are typed with enumeration types.
Image loader:
Message-passing concurrency in Servo
�10
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
To restrict the kinds of messages that can be sent over a channel, Rust channels are typed with enumeration types.
Image loader:
Example: enumeration for ImageCache
Message-passing concurrency in Servo
�11
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
Image loader:
Message-passing concurrency in Servo
�11
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }
Image loader:
Message-passing concurrency in Servo
�11
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }
Image loader:
Message-passing concurrency in Servo
�11
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }
one variant for each message
Image loader:
Message-passing concurrency in Servo
�12
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }
Image loader:
Message-passing concurrency in Servo
�12
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }
Image loader:
Message-passing concurrency in Servo
�12
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }
implicit protocolImage loader:
Message-passing concurrency in Servo
�12
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: channelcomponent, runs in separate thread
pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }
implicit protocolImage loader:
protocol breaches result in proliferation of panic! and
infinite waiting
Message-passing concurrency in Servo
�13
pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }
implicit protocol
protocol breaches result in proliferation of panic! and
infinite waiting
Message-passing concurrency in Servo
�13
pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }
implicit protocol
enumeration types ensure that only defined messages can be communicated along a channel
protocol breaches result in proliferation of panic! and
infinite waiting
Message-passing concurrency in Servo
�13
pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }
implicit protocol
enumeration types ensure that only defined messages can be communicated along a channel
enumeration types fail to ensure that messages are sent according to the intended protocol
protocol breaches result in proliferation of panic! and
infinite waiting
Message-passing concurrency in Servo
�13
pub enum ImageCacheCommand { RequestImage (Url, ImageCacheChan, Option<ImageResponder>), GetImageIfAvailable (Url, UsePlaceholder, IpcSender<Result<Arc<Image>, ImageState>>), StoreDecodeImage (Url, Vec<u8>), … // Clients must wait for a response before shutting down ResourceThread Exit () }
implicit protocol
enumeration types ensure that only defined messages can be communicated along a channel
enumeration types fail to ensure that messages are sent according to the intended protocol
let’s use session types!
protocol breaches result in proliferation of panic! and
infinite waiting
Session types
�14
Session types
�14
Session types define protocols of message exchange.
Session types
�14
Session types define protocols of message exchange.
“protocol = sequence of actions”
Session types
�14
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
Session types
�14
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
client chooses among sending
one of the labels li
Session types
�15
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
Session types
�15
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
provider chooses among sending
one of the labels li
Session types
�16
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
Session types
�16
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
client sends channel reference of
type A
Session types
�17
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
Session types
�17
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
provider sends channel reference of
type A
Session types
�18
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
Session types
�18
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .provider terminates
Session types
�18
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
Session types
�19
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
Session types
�19
Session types define protocols of message exchange.
“protocol = sequence of actions”
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
support communication of
values
Session type for image loader
�20
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
Session type for image loader
�20
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
Session type for image loader
�21
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
Session type for image loader
�22
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
Session type for image loader
�23
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
Session type for image loader
�24
A,B , N{li : Ai} external choice
�{li : Ai} internal choice
A ( B channel input
A⌦B channel output
1 termination
T ! A value input
T ⇥A value output
T , int | string | . . .
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
Session type for image loader
�25
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
Session type for image loader
�25
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Session type for image loader
�25
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Session type for image loader
�25
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
ImgCacheCmd
Session type for image loader
�25
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
RequestImage
ImgCacheCmd
Session type for image loader
�26
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Session type for image loader
�26
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
string ! Requester ( ImgCacheCmd
Session type for image loader
�26
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
“http://…”
string ! Requester ( ImgCacheCmd
Session type for image loader
�27
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Requester ( ImgCacheCmd
Session type for image loader
�27
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
c
Requester ( ImgCacheCmd
Session type for image loader
�28
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
ImgCacheCmd
Session type for image loader
�28
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Exit
ImgCacheCmd
Session type for image loader
�29
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
�{Running : ImgCacheCmd,Done : ResourceThread⌦ 1}
Session type for image loader
�29
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Running
�{Running : ImgCacheCmd,Done : ResourceThread⌦ 1}
Session type for image loader
�30
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
ImgCacheCmd
Session type for image loader
�30
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
ImgCacheCmd
Session type for image loader
�31
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
ImgCacheCmd
components change their session type along with message exchange
Taking stock
�32
Taking stock
• Session types make explicit the protocols of message exchange between concurrently executing components.
�32
Taking stock
• Session types make explicit the protocols of message exchange between concurrently executing components.
• Typing ensures protocol adherence.
�32
Taking stock
• Session types make explicit the protocols of message exchange between concurrently executing components.
• Typing ensures protocol adherence.
• Types make explicit interdependencies between components, enabling sequential reasoning about a component.
�32
Taking stock
• Session types make explicit the protocols of message exchange between concurrently executing components.
• Typing ensures protocol adherence.
• Types make explicit interdependencies between components, enabling sequential reasoning about a component.
�32
Session types are the types of message-passing concurrency.
Session types in research and practice
�33
Session types in research and practice
Research • active research area since inception in 90s [Honda 1993] • logical reconstruction based on linear logic, providing strong
guarantees [Caires & Pfenning 2010, Wadler 2012] • extension of logical session types to sharing [Balzer & Pfenning ICFP
2017, Balzer et al. CONCUR 2018, Balzer et al. ESOP 2019]
�33
Session types in research and practice
Research • active research area since inception in 90s [Honda 1993] • logical reconstruction based on linear logic, providing strong
guarantees [Caires & Pfenning 2010, Wadler 2012] • extension of logical session types to sharing [Balzer & Pfenning ICFP
2017, Balzer et al. CONCUR 2018, Balzer et al. ESOP 2019]
Practice • Lightweight integration of session types or session libraries (with
varying static guarantees) into Scala, Java, Haskell, OCaml, Go, Rust, Python.
• Collaboration with Mozilla Research on integrating our work.
�33
Session types in research and practice
Research • active research area since inception in 90s [Honda 1993] • logical reconstruction based on linear logic, providing strong
guarantees [Caires & Pfenning 2010, Wadler 2012] • extension of logical session types to sharing [Balzer & Pfenning ICFP
2017, Balzer et al. CONCUR 2018, Balzer et al. ESOP 2019]
Practice • Lightweight integration of session types or session libraries (with
varying static guarantees) into Scala, Java, Haskell, OCaml, Go, Rust, Python.
• Collaboration with Mozilla Research on integrating our work.
�33
Logic-based shared session types
�34
Linear logic session types
�35
Linear logic session types
Provide strong guarantees: • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)
�35
Linear logic session types
Provide strong guarantees: • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)
�35
exactly one client
Linear logic session types
Provide strong guarantees: • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)
�35
exactly one client
processes graph forms a tree at run-time
Linear logic session types
Provide strong guarantees • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)
But, they rule out sharing
�36
Linear logic session types
Provide strong guarantees • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)
But, they rule out sharing
�36
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Linear logic session types
Provide strong guarantees • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)
But, they rule out sharing
�36
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
both CmdReceiver and Client communicate with
ImageCache
Linear logic session types
Provide strong guarantees • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)
But, they rule out sharing
�37
Linear logic session types cannot accommodate certain practical programming scenarios.
Linear logic session types
Provide strong guarantees • Data-race-freedom • Protocol adherence (a.k.a. session fidelity, preservation) • Deadlock-freedom (a.k.a. progress)
But, they rule out sharing
�37
Let’s introduce sharing while maintaining above guarantees.
Linear logic session types cannot accommodate certain practical programming scenarios.
Challenges of sharing
�38
Challenges of sharing
�38
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Challenges of sharing
�38
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
ImgCacheCmd
Challenges of sharing
�38
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
RequestImage
ImgCacheCmd
Challenges of sharing
�39
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
string ! Requester ( ImgCacheCmd
Challenges of sharing
�39
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ImageCache:
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Exit
string ! Requester ( ImgCacheCmd
protocol violated!
Challenges of sharing
�40
ImgCacheCmd = N {RequestImage : string ! Requester ( ImgCacheCmd,. . .Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
How to restore protocol adherence in the presence of sharing (a.k.a. aliasing)?
Idea: acquire-release
�41
Idea: acquire-release
�41
Clients of shared channels must communicate along that channel in mutual exclusion from each other.
Idea: acquire-release
�41
Clients of shared channels must communicate along that channel in mutual exclusion from each other.
Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.
Idea: acquire-release
�41
Clients of shared channels must communicate along that channel in mutual exclusion from each other.
Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Idea: acquire-release
�42
Clients of shared channels must communicate along that channel in mutual exclusion from each other.
Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel
Idea: acquire-release
�42
Clients of shared channels must communicate along that channel in mutual exclusion from each other.
Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel
acquire
Idea: acquire-release
�43
Clients of shared channels must communicate along that channel in mutual exclusion from each other.
Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
Idea: acquire-release
�43
Clients of shared channels must communicate along that channel in mutual exclusion from each other.
Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
critical section
Idea: acquire-release
�43
Clients of shared channels must communicate along that channel in mutual exclusion from each other.
Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
release
Legend: shared channel linear channel
critical section
Idea: acquire-release
�44
Clients of shared channels must communicate along that channel in mutual exclusion from each other.
Acquiring a shared channel gives exclusive access, releasing an acquired channel relinquishes exclusive access.
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
Have we restored protocol adherence?
�45
Have we restored protocol adherence?
�45
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
Have we restored protocol adherence?
�45
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
ImageCache: ImgCacheCmd
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
Have we restored protocol adherence?
�45
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
acquire
ImageCache: ImgCacheCmd
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
Have we restored protocol adherence?
�46
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
ImageCache: ImgCacheCmd
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
Have we restored protocol adherence?
�46
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
ImageCache: ImgCacheCmd
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
RequestImage
Have we restored protocol adherence?
�47
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
ImageCache:
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
string ! Requester ( ImgCacheCmd
Have we restored protocol adherence?
�47
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
ImageCache:
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
release
string ! Requester ( ImgCacheCmd
Have we restored protocol adherence?
�48
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
ImageCache:
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
string ! Requester ( ImgCacheCmd
Have we restored protocol adherence?
�48
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
ImageCache:
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
string ! Requester ( ImgCacheCmd
acquire
Have we restored protocol adherence?
�49
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
ImageCache:
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
string ! Requester ( ImgCacheCmd
Have we restored protocol adherence?
�49
ResourceThread ImageCache Client
CmdReceiver
Decoder1 Decodern
Legend: shared channel linear channel
ImageCache:
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Running : ImgCacheCmd,
Done : ResourceThread⌦ 1}}
string ! Requester ( ImgCacheCmd
Exit
protocol violated!
Idea: equi-synchronizing
�50
Idea: equi-synchronizing
�50
In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:
Idea: equi-synchronizing
�50
i.e., shared channels must be released back to the same type at which they were acquired, if released.
In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:
Idea: equi-synchronizing
�50
i.e., shared channels must be released back to the same type at which they were acquired, if released.
In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,
Running : ImgCacheCmd}}
Idea: equi-synchronizing
�50
i.e., shared channels must be released back to the same type at which they were acquired, if released.
In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:
acquire
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,
Running : ImgCacheCmd}}
Idea: equi-synchronizing
�50
i.e., shared channels must be released back to the same type at which they were acquired, if released.
In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:
acquire
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,
Running : ImgCacheCmd}}
release
Idea: equi-synchronizing
�50
i.e., shared channels must be released back to the same type at which they were acquired, if released.
In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:
acquire
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,
Running : ImgCacheCmd}}
release✓
Idea: equi-synchronizing
�50
i.e., shared channels must be released back to the same type at which they were acquired, if released.
In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:
acquire
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,
Running : ImgCacheCmd}}
release
release
✓
Idea: equi-synchronizing
�50
i.e., shared channels must be released back to the same type at which they were acquired, if released.
In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:
acquire
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,
Running : ImgCacheCmd}}
release
release
✓
✓
Idea: equi-synchronizing
�50
i.e., shared channels must be released back to the same type at which they were acquired, if released.
In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:
acquire
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,
Running : ImgCacheCmd}}
release
release
release ✓
✓
Idea: equi-synchronizing
�50
i.e., shared channels must be released back to the same type at which they were acquired, if released.
In addition to imposing acquire-release on shared channels, shared channels must be equi-synchronizing:
acquire
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,
Running : ImgCacheCmd}}
release
release
release ✓✗
✓
Taking stock
�51
Taking stock
�51
Acquire-release + equi-synchronizing:
Taking stock
�51
Acquire-release + equi-synchronizing:
restore protocol adherence;
Taking stock
�51
Acquire-release + equi-synchronizing:
restore protocol adherence;
guarantee freedom of (high-level) data races because execution between acquire-release is atomic.
Taking stock
�51
Acquire-release + equi-synchronizing:
restore protocol adherence;
guarantee freedom of (high-level) data races because execution between acquire-release is atomic.
We could state the policy of acquire-release and equi-synchronizing as a programming methodology.
Taking stock
�51
Acquire-release + equi-synchronizing:
restore protocol adherence;
guarantee freedom of (high-level) data races because execution between acquire-release is atomic.
We could state the policy of acquire-release and equi-synchronizing as a programming methodology.
But, why not lift this policy to the type level and have it enforced statically?
Manifest sharing
�52
Manifest sharing
�52
Manifest sharing
�52
acquire
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,
Running : ImgCacheCmd}}
release
release
Manifest sharing
�52
acquire
ImgCacheCmd = N{RequestImage : string ! Requester ( ImgCacheCmd,Exit : � {Done : ResourceThread⌦ 1,
Running : ImgCacheCmd}}
release
release
Legend: shared phase linear phase
Manifest sharing
�53
Manifest sharing
�53
Stratify session types into a linear and shared layer
Manifest sharing
�53
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Stratify session types into a linear and shared layer
Manifest sharing
�53
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Stratify session types into a linear and shared layer
Connect layers with modalities going back and forth
Manifest sharing
�53
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Stratify session types into a linear and shared layer
Connect layers with modalities going back and forth
Manifest sharing
�53
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Stratify session types into a linear and shared layer
Connect layers with modalities going back and forth
Support communication of shared channels
Manifest sharing
�53
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Stratify session types into a linear and shared layer
Connect layers with modalities going back and forth
Support communication of shared channels
Manifest sharing
�54
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Manifest sharing
�54
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
ImgCacheCmd = "S
L N{RequestImage : string ! Requester ( #S
L ImgCacheCmd,
Exit : � {Done : ResourceThread⌦ 1,
Running : #S
L ImgCacheCmd}}
Manifest sharing
�54
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
ImgCacheCmd = "S
L N{RequestImage : string ! Requester ( #S
L ImgCacheCmd,
Exit : � {Done : ResourceThread⌦ 1,
Running : #S
L ImgCacheCmd}}
Manifest sharing
�54
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
ImgCacheCmd = "S
L N{RequestImage : string ! Requester ( #S
L ImgCacheCmd,
Exit : � {Done : ResourceThread⌦ 1,
Running : #S
L ImgCacheCmd}}
Manifest sharing
�54
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Up and down shifts denote acquire and release, resp.
ImgCacheCmd = "S
L N{RequestImage : string ! Requester ( #S
L ImgCacheCmd,
Exit : � {Done : ResourceThread⌦ 1,
Running : #S
L ImgCacheCmd}}
Typing judgments
�55
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Typing judgments
�55
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:
Typing judgments
�55
�; � �⌃ P ∶∶ (xL ∶ AL)� �⌃ P ∶∶ (xS ∶ AS)
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:
Typing judgments
�55
�; � �⌃ P ∶∶ (xL ∶ AL)� �⌃ P ∶∶ (xS ∶ AS)
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:
“Process P provides session of type Am along xm using channels in (� and) �.”
Typing judgments
�55
�; � �⌃ P ∶∶ (xL ∶ AL)� �⌃ P ∶∶ (xS ∶ AS)
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:
“Process P provides session of type Am along xm using channels in (� and) �.”
shared (structural) context
Typing judgments
�56
�; � �⌃ P ∶∶ (xL ∶ AL)� �⌃ P ∶∶ (xS ∶ AS)
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:
“Process P provides session of type Am along xm using channels in (� and) �.”
Typing judgments
�56
�; � �⌃ P ∶∶ (xL ∶ AL)� �⌃ P ∶∶ (xS ∶ AS)
AS � ↑SLAL
AL,BL � ⊕{l ∶ AL} � AL ⊗BL � 1 � ∃x∶AS.BL �N{l ∶ AL} � AL � BL � ↓SLAS � ⇧x∶AS.BL
Based on correspondence between intuitionistic linear logic and session-typed pi-calculus:
“Process P provides session of type Am along xm using channels in (� and) �.”
linear (substructural) context
Typing of acquire
�57
Typing of acquire
�57
�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)
Typing of acquire
�57
�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)
Typing of acquire
�57
�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)
�; ⋅ �⌃ PxL ∶∶ (xL ∶ AL)� �⌃ xL ← accept xS ;PxL ∶∶ (xS ∶↑SL AL) (T-↑SLR)
Typing of acquire
�57
�, xS ∶↑SL AL; �, xL ∶ AL �⌃ QxL ∶∶ (zL ∶ CL)�, xS ∶↑SL AL; � �⌃ xL ← acquire xS ;QxL ∶∶ (zL ∶ CL) (T-↑SLL)
�; ⋅ �⌃ PxL ∶∶ (xL ∶ AL)� �⌃ xL ← accept xS ;PxL ∶∶ (xS ∶↑SL AL) (T-↑SLR)
Typing of release
�58
Typing of release
�58
�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)
Typing of release
�58
�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)
Typing of release
�58
�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)
� �⌃ PxS ∶∶ (xS ∶ AS)�; ⋅ �⌃ xS ← detach xL ;PxS ∶∶ (xL ∶↓SL AS) (T-↓SLR)
Typing of release
�58
�, xS ∶ AS; � �⌃ QxS ∶∶ (zL ∶ CL)�; �, xL ∶↓SL AS �⌃ xS ← release xL ;QxS ∶∶ (zL ∶ CL) (T-↓SLL)
� �⌃ PxS ∶∶ (xS ∶ AS)�; ⋅ �⌃ xS ← detach xL ;PxS ∶∶ (xL ∶↓SL AS) (T-↓SLR)
Taking stock
�59
Taking stock
�59
We have a session type system that allows shared and linear channels to coexist and guarantees:
data-race-freedom (low-level and high-level)
protocol adherence
Taking stock
�59
We have a session type system that allows shared and linear channels to coexist and guarantees:
data-race-freedom (low-level and high-level)
protocol adherence
What about deadlock-freedom?
Why are linear session types deadlock-free?
�60
Why are linear session types deadlock-free?
�60
Linearity (“exactly one client”) turns process graph into a tree.
Why are linear session types deadlock-free?
�60
a
b c d
e f g
parent: client
child: provider
Linearity (“exactly one client”) turns process graph into a tree.
Legend: linear channel
Why are linear session types deadlock-free?
�61
a
b c d
e f g
Legend: linear channel
Linearity (“exactly one client”) turns process graph into a tree.
Why are linear session types deadlock-free?
What are the threats to progress?
�61
a
b c d
e f g
Legend: linear channel
Linearity (“exactly one client”) turns process graph into a tree.
Why are linear session types deadlock-free?
What are the threats to progress?• Two scenarios:
�61
a
b c d
e f g
Legend: linear channel
Linearity (“exactly one client”) turns process graph into a tree.
Why are linear session types deadlock-free?
What are the threats to progress?• Two scenarios:
• provider ready to synchronize, client not
�61
a
b c d
e f g
Legend: linear channel
Linearity (“exactly one client”) turns process graph into a tree.
Why are linear session types deadlock-free?
What are the threats to progress?• Two scenarios:
• provider ready to synchronize, client not• client ready to synchronize, provider not
�61
a
b c d
e f g
Legend: linear channel
Linearity (“exactly one client”) turns process graph into a tree.
Why are linear session types deadlock-free?
What are the threats to progress?• Two scenarios:
• provider ready to synchronize, client not• client ready to synchronize, provider not
• Let’s visualize this waiting dependency with a green arrow
�61
a
b c d
e f g
Legend: linear channel
Linearity (“exactly one client”) turns process graph into a tree.
Why are linear session types deadlock-free?
What are the threats to progress?• Two scenarios:
• provider ready to synchronize, client not• client ready to synchronize, provider not
• Let’s visualize this waiting dependency with a green arrow
�61
a
b c d
e f g
Legend: linear channel a b “a waits for b”
Linearity (“exactly one client”) turns process graph into a tree.
Why are linear session types deadlock-free?
What are the threats to progress?• Two scenarios:
• provider ready to synchronize, client not• client ready to synchronize, provider not
• Let’s visualize this waiting dependency with a green arrow
�61
a
b c d
e f g
Legend: linear channel a b “a waits for b”
Linearity (“exactly one client”) turns process graph into a tree.
Why are linear session types deadlock-free?
What are the threats to progress?• Two scenarios:
• provider ready to synchronize, client not• client ready to synchronize, provider not
• Let’s visualize this waiting dependency with a green arrow
�61
a
b c d
e f g
Legend: linear channel a b “a waits for b”
No green cycles: green arrows can only go along linear channels, and client and provider cannot both be waiting for each other.
Linearity (“exactly one client”) turns process graph into a tree.
Let’s add sharing
�62
Let’s add sharing
�62
We get a graph of linear and shared processes, with a linear tree inside.
Let’s add sharing
�62
a
b c d
e f g
We get a graph of linear and shared processes, with a linear tree inside.
Legend: linear channel linear process
shared channel
shared process
Let’s add sharing
�62
a
b c d
e f g
We get a graph of linear and shared processes, with a linear tree inside.
Legend: linear channel linear process
shared channel
shared process
Let’s add sharing
�63
a
b c d
e f g
We get a graph of linear and shared processes, with a linear tree inside.
Legend: linear channel linear process
shared channel
shared process
Let’s add sharing
�63
a
b c d
e f g
We get a graph of linear and shared processes, with a linear tree inside.
Legend: linear channel linear process
shared channel
shared process
Acquire-release amounts to “locking”
Let’s add sharing
�63
a
b c d
e f g
We get a graph of linear and shared processes, with a linear tree inside.
Legend: linear channel linear process
shared channel
shared process
Acquire-release amounts to “locking”• Possibility of cyclic dependencies
Let’s add sharing
�63
a
b c d
e f g
We get a graph of linear and shared processes, with a linear tree inside.
Legend: linear channel linear process
shared channel
shared process
Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency
with a red arrow
Let’s add sharing
�63
a
b c d
e f g
We get a graph of linear and shared processes, with a linear tree inside.
Legend: linear channel linear process
shared channel
shared process
Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency
with a red arrow
a b “a waits for b to release resource”
Let’s add sharing
�63
a
b c d
e f g
We get a graph of linear and shared processes, with a linear tree inside.
Legend: linear channel linear process
shared channel
shared process
Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency
with a red arrow
a b “a waits for b to release resource”
Let’s add sharing
�63
a
b c d
e f g
We get a graph of linear and shared processes, with a linear tree inside.
Legend: linear channel linear process
shared channel
shared process
Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency
with a red arrow
a b “a waits for b to release resource”
Let’s add sharing
�63
a
b c d
e f g
We get a graph of linear and shared processes, with a linear tree inside.
Legend: linear channel linear process
shared channel
shared process
Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency
with a red arrow
a b “a waits for b to release resource”
Let’s add sharing
�63
a
b c d
e f g
We get a graph of linear and shared processes, with a linear tree inside.
Legend: linear channel linear process
shared channel
shared process
Acquire-release amounts to “locking”• Possibility of cyclic dependencies• Let’s visualize this waiting dependency
with a red arrow• Note: red arrows can connect arbitrary
nodes
a b “a waits for b to release resource”
Can we re-establish deadlock-freedom?
�64
Can we re-establish deadlock-freedom?
An enticing solution: “locking up” • Impose a partial order on resources. • Ensure that resources are acquired (“locked”) in increasing order.
�64
Can we re-establish deadlock-freedom?
An enticing solution: “locking up” • Impose a partial order on resources. • Ensure that resources are acquired (“locked”) in increasing order.
�64
However, cyclic dependencies between acquire requests are not the only source of deadlock!
Can we re-establish deadlock-freedom?
An enticing solution: “locking up” • Impose a partial order on resources. • Ensure that resources are acquired (“locked”) in increasing order.
�64
However, cyclic dependencies between acquire requests are not the only source of deadlock!
Two Forms of waiting dependencies:
Can we re-establish deadlock-freedom?
An enticing solution: “locking up” • Impose a partial order on resources. • Ensure that resources are acquired (“locked”) in increasing order.
�64
However, cyclic dependencies between acquire requests are not the only source of deadlock!
Two Forms of waiting dependencies:• waiting to synchronize: a b “a waits for b to synchronize”
Can we re-establish deadlock-freedom?
An enticing solution: “locking up” • Impose a partial order on resources. • Ensure that resources are acquired (“locked”) in increasing order.
�64
However, cyclic dependencies between acquire requests are not the only source of deadlock!
Two Forms of waiting dependencies:• waiting to synchronize:• waiting to release:
a b “a waits for b to synchronize”a b “a waits for b to release resource”
Can we re-establish deadlock-freedom?
�65
Two Forms of waiting dependencies: • waiting to synchronize: • waiting to release:
a b “a waits for b to synchronize”a b “a waits for b to release resource”
Can we re-establish deadlock-freedom?
�65
Two Forms of waiting dependencies: • waiting to synchronize: • waiting to release:
a b “a waits for b to synchronize”a b “a waits for b to release resource”
a
b c d
e f g
Can we re-establish deadlock-freedom?
�65
Two Forms of waiting dependencies: • waiting to synchronize: • waiting to release:
a b “a waits for b to synchronize”a b “a waits for b to release resource”
a
b c d
e f g
a
b d d
e f g
Can we re-establish deadlock-freedom?
�65
Two Forms of waiting dependencies: • waiting to synchronize: • waiting to release:
a b “a waits for b to synchronize”a b “a waits for b to release resource”
a
b c d
e f g
a
b d d
e f g
Cycles can consist of red arrows only or a combination of red and green arrows.
Idea: competitors and collaborators
�66
Idea: competitors and collaborators
�66
Competitors: overlap in set of resources acquired
Idea: competitors and collaborators
�66
Competitors: overlap in set of resources acquired
Collaborators: do not overlap in set of resources acquired
Idea: competitors and collaborators
�66
Notice: a resource acquired becomes a child of the acquirer
Competitors: overlap in set of resources acquired
Collaborators: do not overlap in set of resources acquired
Idea: competitors and collaborators
�66
a
Notice: a resource acquired becomes a child of the acquirer
b c
12
Competitors: overlap in set of resources acquired
Collaborators: do not overlap in set of resources acquired
Idea: competitors and collaborators
�67
a
Notice: a resource acquired becomes a child of the acquirer
b c
1
2
Competitors: overlap in set of resources acquired
Collaborators: do not overlap in set of resources acquired
Idea: competitors and collaborators
�68
a
Notice: a resource acquired becomes a child of the acquirer
b c
1 2
Competitors: overlap in set of resources acquired
Collaborators: do not overlap in set of resources acquired
Idea: competitors and collaborators
�69
a
Notice: a resource acquired becomes a child of the acquirer
b c
1 2
Competitors: overlap in set of resources acquired
Collaborators: do not overlap in set of resources acquired
competitors tend to be siblings
Idea: competitors and collaborators
�69
a
Notice: a resource acquired becomes a child of the acquirer
b c
1 2
Competitors: overlap in set of resources acquired
Collaborators: do not overlap in set of resources acquired
competitors tend to be siblings
{b, c}
Idea: competitors and collaborators
�69
a
Notice: a resource acquired becomes a child of the acquirer
b c
1 2
Competitors: overlap in set of resources acquired
Collaborators: do not overlap in set of resources acquired
collaborators tend to be in the same branch
competitors tend to be siblings
{b, c}
Idea: competitors and collaborators
�69
a
Notice: a resource acquired becomes a child of the acquirer
b c
1 2
Competitors: overlap in set of resources acquired
Collaborators: do not overlap in set of resources acquired
collaborators tend to be in the same branch
competitors tend to be siblings
{a, b, 1} {a, b, 2} {a, c}
{b, c}
Manifest deadlock-freedom
�70
Manifest deadlock-freedom
�70
Define type system enforcing the following invariants:
collaborators
a
b c
1 2
competitors
Manifest deadlock-freedom
�70
Define type system enforcing the following invariants:
collaborators
a
b c
1 2
competitors
competitors employ locking-up for resources they compete forA
Manifest deadlock-freedom
�70
Define type system enforcing the following invariants:
collaborators
a
b c
1 2
competitors
collaborators acquire mutually disjoint sets of resourcesB
competitors employ locking-up for resources they compete forA
Manifest deadlock-freedom
�70
Define type system enforcing the following invariants:
collaborators
a
b c
1 2
competitors
collaborators acquire mutually disjoint sets of resourcesB
competitors employ locking-up for resources they compete forA
competitors have released all acquired resources when synchronizing with other competitors (“tallking-up”)
C
Manifest deadlock-freedom
�70
Define type system enforcing the following invariants:
collaborators
a
b c
1 2
competitors
collaborators acquire mutually disjoint sets of resourcesB
competitors employ locking-up for resources they compete forA
competitors have released all acquired resources when synchronizing with other competitors (“tallking-up”)
C
A rules out red-arrow cycles, B and C rule out red-green-arrow cycles.
Manifest deadlock-freedom
�71
Manifest deadlock-freedom
�71
Introduce a world, an abstract value equipped with a partial order.
Manifest deadlock-freedom
�71
Every process invariantly resides at a world.
Introduce a world, an abstract value equipped with a partial order.
Manifest deadlock-freedom
�71
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
Manifest deadlock-freedom
�71
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�71
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�71
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
worlds associated with process
Manifest deadlock-freedom
�72
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�72
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�72
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
self-world: world at which process
resides
Manifest deadlock-freedom
�73
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�73
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�73
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
min-world: world of minimal resource
to be acquired
Manifest deadlock-freedom
�74
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�74
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�74
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
max-world: world of maximal resource to be
acquired
Manifest deadlock-freedom
�75
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�75
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�75
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
world order
Manifest deadlock-freedom
�76
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�76
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�76
Every process invariantly resides at a world.
Every process indicates the range of worlds it may acquire.
Introduce a world, an abstract value equipped with a partial order.
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
possibly “aliased” linear channels
Manifest deadlock-freedom
�77
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Manifest deadlock-freedom
�77
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
Manifest deadlock-freedom
�77
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
min(parent) ≤ self(acquired_child) ≤ max(parent)
Manifest deadlock-freedom
�77
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
min(parent) ≤ self(acquired_child) ≤ max(parent)
max(parent) < min(child)
Manifest deadlock-freedom
�77
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
min(parent) ≤ self(acquired_child) ≤ max(parent)
max(parent) < min(child)
collaborators
a
b c
1 2
competitors
no vertical red arrows
Manifest deadlock-freedom
�78
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
min(parent) ≤ self(acquired_child) ≤ max(parent)
max(parent) < min(child)
Manifest deadlock-freedom
�78
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
min(parent) ≤ self(acquired_child) ≤ max(parent)
max(parent) < min(child)
for an acquire: lock-up
Manifest deadlock-freedom
�78
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
min(parent) ≤ self(acquired_child) ≤ max(parent)
max(parent) < min(child)
for an acquire: lock-up
collaborators
a
b c
1 2
competitors
no red cycles
Manifest deadlock-freedom
�79
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
min(parent) ≤ self(acquired_child) ≤ max(parent)
max(parent) < min(child)
for an acquire: lock-up
Manifest deadlock-freedom
�79
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
min(parent) ≤ self(acquired_child) ≤ max(parent)
max(parent) < min(child)
for an acquire: lock-up
for right-rule: Φ must be empty
Manifest deadlock-freedom
�79
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
min(parent) ≤ self(acquired_child) ≤ max(parent)
max(parent) < min(child)
for an acquire: lock-up
for right-rule: Φ must be empty
collaborators
a
b c
1 2
competitors
no ingoing red and up-going green arrow
Manifest deadlock-freedom
�80
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
min(parent) ≤ self(acquired_child) ≤ max(parent)
max(parent) < min(child)
for an acquire: lock-up
for right-rule: Φ must be empty
Manifest deadlock-freedom
�80
; � `⌃ P :: (xS : AS[!kl!n!l
]) (where + irreflexive)
; �; �; � `⌃ P :: (xL : AL[!kl!n!l
]) (where + irreflexive)
Express invariants A, B, and C in terms of:
min(parent) ≤ self(acquired_child) ≤ max(parent)
max(parent) < min(child)
for an acquire: lock-up
for right-rule: Φ must be empty
These low-level invariants are enforced by typing.
Taking stock
�81
Taking stock
�81
We have a session type system that allows shared and linear channels to coexist and guarantees:
data-race-freedom (low-level and high-level)
protocol adherence
deadlock-freedom
Taking stock
�81
We have a session type system that allows shared and linear channels to coexist and guarantees:
data-race-freedom (low-level and high-level)
protocol adherence
deadlock-freedom
We have increased practicality of linear session types while maintaining their guarantees.
Current & future work
�82
Digital contracts (with Hoffmann, Pfenning, and Das)
�83
Digital contracts (with Hoffmann, Pfenning, and Das)
�83
Unique application field for shared session types:
Digital contracts (with Hoffmann, Pfenning, and Das)
�83
Unique application field for shared session types:
auction = "S
L � {running : N{bid : id ! money ( #S
Lauction,cancel : #S
Lauction},ended : id ! �{won : lot⌦ #S
Lauction,lost : money ⌦ #S
Lauction}}
Digital contracts (with Hoffmann, Pfenning, and Das)
�83
Unique application field for shared session types:
auction = "S
L � {running : N{bid : id ! money ( #S
Lauction,cancel : #S
Lauction},ended : id ! �{won : lot⌦ #S
Lauction,lost : money ⌦ #S
Lauction}}
Resource analysis for static prediction of execution cost.
Digital contracts (with Hoffmann, Pfenning, and Das)
�83
Unique application field for shared session types:
auction = "S
L � {running : N{bid : id ! money ( #S
Lauction,cancel : #S
Lauction},ended : id ! �{won : lot⌦ #S
Lauction,lost : money ⌦ #S
Lauction}}
Resource analysis for static prediction of execution cost.
Under development: Nomos, a digital contract language based on resource-aware shared session types.
Unifying parallelism and concurrency
�84
Unifying parallelism and concurrency
�84
Shared session types recover expressiveness of untyped asynchronous pi-calculus [Balzer et al. CONCUR 2018]
Unifying parallelism and concurrency
�84
Shared session types recover expressiveness of untyped asynchronous pi-calculus [Balzer et al. CONCUR 2018]
introduce nondeterminism
Unifying parallelism and concurrency
�84
Shared session types recover expressiveness of untyped asynchronous pi-calculus [Balzer et al. CONCUR 2018]
introduce nondeterminism
linear logic session types are deterministic
Unifying parallelism and concurrency
�84
Shared session types recover expressiveness of untyped asynchronous pi-calculus [Balzer et al. CONCUR 2018]
introduce nondeterminism
linear logic session types are deterministic
Opportunity for unifying framework that combines both deterministic (parallel) and nondeterministic (concurrent) computation.
Thank you for your attention!
Papers for this talk: • Stephanie Balzer and Frank Pfenning: Manifest Sharing with Session
Types. ICFP 2017. • Stephanie Balzer, Bernardo Toninho, and Frank Pfenning: Manifest
Deadlock-Freedom for Shared Session Types. ESOP 2019. • Stephanie Balzer, Frank Pfenning, and Bernardo Toninho: A Universal
Session Type for Untyped Asynchronous Communication. CONCUR 2019.
�85