Chaperone Contracts for Higher-Order Sessions
Hernán Melgratti (Buenos Aires, Argentina) and Luca Padovani (Torino, Italy)
Dagstuhl Seminar 17051, 2017
A simple FuSe program
```ocaml
let server ep =
  let p, ep = receive ep in
  let root = ... in
  let ep = send root ep in
  close ep

let math_service = register server

let user () =
  let ep = connect math_service in
  let ep = send (from_list [2.0; -3.0; 1.0]) ep in
  let _, ep = receive ep in
  close ep
```
A simple FuSe program + Contracts
```ocaml
let server ep =
  let p, ep = receive ep in
  let root = ... in
  let ep = send root ep in
  close ep

let math_service = register server contract "Server"

let user () =
  let ep = connect math_service "Client" in
  let ep = send (from_list [2.0; -3.0; 1.0]) ep in
  let _, ep = receive ep in
  close ep
```
Contracts
- A contract is a term that describes the exchanged messages and their relationships.

```
flat_c    : (t → bool) → [t]              t :: ω
end_c     : [end]
send_c    : [t] → [T] → [!t.T]
receive_c : [t] → [T] → [?t.T]
send_d    : [t] → (t → [T]) → [!t.T]      t :: ω
receive_d : [t] → (t → [T]) → [?t.T]      t :: ω
```
Contracts
```ocaml
let contract = send_c (flat_c (fun p -> degree p == 1)) @@ ... (* contract for the continuation *)
```
Contracts
```ocaml
let contract = send_c (flat_c (fun p -> degree p == 1)) @@ any_c (* contract for the continuation *)
```
Contracts
```ocaml
let contract =
  send_d (flat_c (fun p -> degree p == 1)) @@ fun p ->
    receive_c (flat_c (root_of p)) @@
    end_c
```
Contracts and the structure of the session
```
choice_c : [bool] → [T] → [S] → [T ⊕ S]
branch_c : [bool] → [T] → [S] → [T & S]
```
Contracts and the structure of the session
```
ep : !poly.rec A.(?float.A & end)
```

```ocaml
let contract =
  send_d (flat_c (fun p -> degree p > 0)) @@ fun p ->
    let rec missing_roots n =
      if n > 0 then
        branch_c any_c
          (receive_c (flat_c (root_of p)) @@ missing_roots (n - 1))
          end_c
      else
        branch_c (flat_c not) any_c end_c
    in missing_roots (degree p)
```
First order
(Diagram: parties Source, User and Operator; messages x[v1, v2], y[v1, v2] and y[w].)

```
x : ?int.?int.end
y : !int.!int.?int.end

src_c = any_c
op_c  = send_c any_c @@ send_c (flat_c (≠ 0)) @@ receive_c (flat_c (≥ 0)) @@ end_c
```
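As an added illustration (Python written for this page, not FuSe or the authors' code), the following models the first-order part of the monitor semantics on these slides: contracts as data, a replay of the events seen at one endpoint, and flat checks that blame the party who produced the offending value, as in the rule [v]flat_c w,p,q → v /p (w v). It encodes the polynomial contract with missing_roots from the earlier slides and op_c above; the event encoding, the party names passed to monitor, and the helpers degree and root_of are assumptions, and contracts on delegated endpoints are not checked.

```python
# Contract constructors modelled on the FuSe combinators from the slides.
ANY, END = ("any",), ("end",)
def flat_c(pred): return ("flat", pred)
# Dependent forms: the continuation contract is built from the exchanged value.
def send_d(c, k): return ("send", c, k)
def receive_d(c, k): return ("recv", c, k)
def send_c(c, k): return send_d(c, lambda _v: k)
def receive_c(c, k): return receive_d(c, lambda _v: k)
# choice_c / branch_c: a contract on the boolean label, then one contract per branch.
def choice_c(c, t, s): return ("send", c, lambda b: t if b else s)
def branch_c(c, t, s): return ("recv", c, lambda b: t if b else s)

class Blame(Exception):
    def __init__(self, party): super().__init__(party); self.party = party

def monitor(contract, trace, p, q):
    """Replay `trace`, a list of ("send"|"recv", value) events seen at p's endpoint,
    against `contract`; a failed flat check blames the producer of the value
    (p for what p sends, q for what p receives). Returns the blamed party or None."""
    c = contract
    try:
        for kind, v in trace:
            if c is ANY:                       # any_c: the rest of the session is unchecked
                return None
            assert c[0] == kind, "trace does not follow the session type"
            producer = p if kind == "send" else q
            if c[1][0] == "flat" and not c[1][1](v):   # v /_producer (w v) with w v = false
                raise Blame(producer)
            c = c[2](v)                        # unwind to the continuation contract
    except Blame as b:
        return b.party
    return None
# Assumed helpers (not from the slides): a polynomial is a coefficient list,
# lowest degree first, so [2.0, -3.0, 1.0] is x^2 - 3x + 2 with roots 1 and 2.
def degree(poly): return len(poly) - 1
def root_of(poly): return lambda x: abs(sum(a * x ** i for i, a in enumerate(poly))) < 1e-9

def poly_contract():
    """send_d (flat_c (fun p -> degree p > 0)) @@ fun p -> missing_roots (degree p)"""
    def after_poly(p):
        def missing_roots(n):
            if n > 0:   # server may continue (label true) with a correct root, or stop
                return branch_c(ANY, receive_c(flat_c(root_of(p)), missing_roots(n - 1)), END)
            return branch_c(flat_c(lambda b: not b), ANY, END)   # all roots sent: must stop
        return missing_roots(degree(p))
    return send_d(flat_c(lambda p: degree(p) > 0), after_poly)

def op_contract():
    """op_c = send_c any_c @@ send_c (flat_c (<> 0)) @@ receive_c (flat_c (>= 0)) @@ end_c"""
    return send_c(ANY, send_c(flat_c(lambda v: v != 0), receive_c(flat_c(lambda w: w >= 0), END)))
```

A wrong root or a third "continue" label blames the Server side of the polynomial session, while a constant polynomial blames the Client that sent it.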
Second order
(Diagram: parties Source, User and Operator; messages x[v1, v2], y[x] and y[w], where the endpoint x itself is sent over y.)

```
x : ?int.?int.end
y : !(?int.?int.end).?int.end

src_c = any_c
op_c  = send_c d_c @@ receive_c (flat_c (≥ 0)) @@ end_c
d_c   = receive_c any_c @@ receive_c (flat_c (≠ 0)) @@ end_c
```
Chaperones [Strickland, Tobin-Hochstadt, Findler & Flatt, 12]
$$\langle E[\mathsf{connect}\ a\ p]\rangle \mid a \Leftarrow^{c}_{q} v \;\to\; (\nu s)\big(\langle E[[s^{+}]_{c,q,p}]\rangle \mid \langle v\,[s^{-}]_{\mathsf{dual}\ c,\,p,\,q}\rangle \mid a \Leftarrow^{c}_{q} v\big) \qquad s \text{ fresh}$$

$$\langle E[\mathsf{send}\ v\ [a^{\iota}]_{!c;d,\sigma}]\rangle \mid \langle E'[\mathsf{receive}\ [a^{\iota}]_{?e;f,\varrho}]\rangle \;\to\; \langle E[[a^{\iota}]_{d,\sigma}]\rangle \mid \langle E'[([[v]_{c,\neg\sigma}]_{e,\varrho},\ [a^{\iota}]_{f,\varrho})]\rangle$$

$$[v]_{\mathsf{flat\_c}\ w,\,p,\,q} \to v \mathbin{/_{p}} (w\ v) \qquad v \mathbin{/_{p}} \mathsf{true} \to v \qquad v \mathbin{/_{p}} \mathsf{false} \to \mathsf{blame}\ p$$
Local correctness & blame safety

- $p$ is locally correct in $P$ if
  - $P = P_p[\mathsf{send}\ v\ [\_]_{!\mathsf{flat\_c}\ w;\_,\_,\_}]$ implies $v \in w$, and
  - $P = P_p[\mathsf{send}\ [\varepsilon]_{c,\_,\_}\ [\_]_{!d;\_,\_,\_}]$ implies $c \leq d$, and ...
  - $P \to Q$ implies $p$ is locally correct in $Q$
- Useful invariant: if $P \to^{*} P_p[\mathsf{send}\ v\ [\_]_{c,\_,q}]$, then $q = p$
- Blame safety: if $p$ is locally correct in $P$, then $P \to^{*} Q$ implies $\mathsf{blame}\ p \not\subset Q$.
Final remarks
- The language is implemented on top of FuSe
- It avoids double checking of contracts
- It relies on a small-step semantics for unwinding monitors
- Monitors are communicated only when delegating
- Communication is restricted to unlimited values and delegation