OCaml-MPST / Global Protocol Combinators

Keigo Imai1
(with Rumyana Neykova2, Nobuko Yoshida3 and Shoji Yuen4)
1Gifu University (JP) 2Brunel University London (UK)
3Imperial College London (UK) 4Nagoya University (JP)
PLAS Group Seminar, University of Kent
16th Sept. 2019
1
Global Protocol Combinators:
Static Structural Multiparty Sessions Over
Simply Typed Channels
in OCaml

2
(A supplemental slide at VeTSS 2019 workshop lightning talk)

Deadlocks in message-passing concurrency: Protocols prevent them!
3
A
B C
A ring-form
multiparty
communication:
Concurrent
programming is difficult!

4
A
B C
A ring-form
multiparty
communication:
Concurrent
C
wrong usage (direction)…
② input① output
order matters…

5
A
B C
A ring-form
multiparty
communication:
Concurrent
A B C
Communication protocol!
C
② input① output
order matters…

6
A
B C
A ring-form
multiparty
communication:
Concurrent
A B C
Communication protocol!
C
② input① output
order matters…
Best practice:
1. Design a communication protocol and check it
2. Focus on its local behaviours
3. Enforce protocol in the program code

deadlock-free?
Multiparty Session Types (MPSTs): Protocol-based deadlock freedom
7
C S
a "ping" protocol
③ Give concurrent processes (programs) and check their types
① Write a Global Type and check it
② Derive Local Types by End Point Projection (↾)
PC | PS
The system PC | PS is
[Honda et al., 2008]

deadlock-free?
8
C S
a "ping" protocol
PC | PS
"well-formed": protocol G iswf(G) ✔
G = C → S. S → C.end
deadlock-free

deadlock-free?
9
C S
a "ping" protocol
PC | PS
deadlock-free
G↾C = LC = LSG↾S
S! S?
C? C!
LC =
LS =
: "views" of the protocol

deadlock-free?
10
C S
a "ping" protocol
PC | PS
✔✔ : "these processes respect the protocol"PSPC LS ⊢LC ⊢
deadlock-free
S! S?
C? C!
LC =
LS =

deadlock-free?
11
C S
a "ping" protocol
PC | PS
deadlock-free
S! S?
C? C!
LC =
LS =
deadlock-free!

deadlock-free?
12
C S
a "ping" protocol
PC | PS
deadlock-free
S! S?
C? C!
LC =
LS =
deadlock-free!
How to implement MPSTs
in a programming language?
Question

③ LC ⊢ PC ?
Go
Thread
State of the art: Deadlock freedom via code generation
13
① wf(G) ?
② G↾C
Global
Protocol File
Go
Thread
Go
Thread
In a MPST toolchain for programming language Go [D. Castro et al., POPL 2019]:

③ LC ⊢ PC ?
Go
Thread
14
① wf(G) ?
② G↾C
Global
Protocol File
Go
Thread
Go
Thread
deadlock-free
(Well-formedness checking
and End Point Projection)
Go type
(Generated
code)
Go type
(Generated
code)
Go type
(Generated
code)
Code
generation
✔

③ LC ⊢ PC ?
Type checking
by
Go compiler
✔ (type checking to check
protocol conformance)
Go
Thread
15
① wf(G) ?
② G↾C
Global
Protocol File
Go
Thread
Go
Thread
deadlock-free
Go type
(Generated
code)
Go type
(Generated
code)
Go type
(Generated
code)
Code
generation
✔

③ LC ⊢ PC ?
Type checking
by
Go compiler
Go
Thread
16
① wf(G) ?
② G↾C
Global
Protocol File
Go
Thread
Go
Thread
deadlock-free
Go type
(Generated
code)
Go type
(Generated
code)
Go type
(Generated
code)
Code
generation
✔
deadlock-free

③ LC ⊢ PC ?
Type checking
by
Go compiler
Go
Thread
17
① wf(G) ?
② G↾C
Global
Protocol File
Go
Thread
Go
Thread
deadlock-free
Go type
(Generated
code)
Go type
(Generated
code)
Go type
(Generated
code)
Code
generation
✔
deadlock-free
Is it possible to implement MPSTs
without code generation?
Question

③ LC ⊢ PC ?
① wf(G) ?
② G↾C
Global Protocol Combinator : Deadlock freedom solely by Types!
18
Yes (!) How?

↓ A single OCaml program code file (.ml)
OCaml
Thread
OCaml
Thread
OCaml
Thread
Protocol
in OCaml
③ LC ⊢ PC ?
① wf(G) ?
② G↾C
19
Yes (!) How?

OCaml
Thread
OCaml
Thread
OCaml
Thread
Protocol
in OCaml
③ LC ⊢ PC ?
① wf(G) ?
② G↾C
20
✔
deadlock-free
OCaml types OCaml types OCaml types
Type
checking &
inference
Yes (!) How?

OCaml
Thread
OCaml
Thread
OCaml
Thread
Protocol
in OCaml
③ LC ⊢ PC ?
① wf(G) ?
② G↾C
21
Type checking
by
OCaml compiler
✔
✔
deadlock-free
Type
checking &
inference
Yes (!) How?

OCaml
Thread
OCaml
Thread
OCaml
Thread
Protocol
in OCaml
③ LC ⊢ PC ?
① wf(G) ?
② G↾C
22
Type checking
by
OCaml compiler
✔
✔
deadlock-free
Type
checking &
inference
Yes (!)
deadlock-free!
How?

OCaml
Thread
OCaml
Thread
OCaml
Thread
Protocol
in OCaml
③ LC ⊢ PC ?
① wf(G) ?
② G↾C
23
Type checking
by
OCaml compiler
✔
✔
deadlock-free
Type
checking &
inference
Yes (!)
deadlock-free!
How?
How/why do they work??

Global Combinators and well-formedness check
24
① wf(G) ✔
let oauth = (s --> c) login ((c --> a) password ((a --> c) auth finish))
(r1 --> r2) lab : send a label lab from r1 to r2 (with possible payloads)
Example: Simple OAuth protocol
s c a

25
① wf(G) ✔
s c a

26
① wf(G) ✔
s c a

27
① wf(G) ✔
s c a
let oauth_branch =
choice_at s (to_c login_or_cancel)
(s, (s --> c) login ((c --> a) password ((a --> c) auth finish)))
(s, (s --> c) cancel ((c --> a) quit finish))
choice_at r g1 g2 : decide a protocol branching at r, between g1 and g2
Example: Adding a branch to Simple OAuth protocol
(a few plumbings needed to convince the type checker)
Each branch must begin from s

28
① wf(G) ✔
s c a
let oauth_branch =
NB: Branching in a protocol is a source of concurrency issues

29
① wf(G) ✔
s c a
let oauth_branch =
Non-determinism/
Deadlock
in a protocol
a

30
① wf(G) ✔
s c a
let oauth_branch =
… is reported as a type error
Non-determinism/
Deadlock
in a protocol
a

(Deadlock and type errors: An analysis)
31
let oauth_branch =
(s, (s --> c) cancel ((c --> a) quit finish))a
poke a instead of c
The MPST theory rejects it: they are not "mergeable".
Forming a "mixed choice" (which causes nondeterminism)
c's first action is input from s
c's first action is output to a

Deriving local types via type inference
OCaml infers Local Types from global combinators.
32
② G↾C
Example (again): Simple OAuth protocol
s c a
All local types are inferred at once, as a cons-list of structural types (here, s=0, c=1, a=2):

33
② G↾C
s c a
val oauth :
[ `cons of
< role_C : < login : ('a * close) out lin > > *
[ `cons of
< role_S : [> `login of 'a *
< role_A : < password : ('b *
< role_A : [> `auth of 'c *
close ] inp lin >) out lin > > ] inp lin > *
[ `cons of
< role_C : [> `password of 'b *
< role_C : < auth : ('c *
close) out lin > > ] inp lin > *
([ `cons of close * 'x ] as 'x) ] ] ] Seq.t
c!login
s?login a!pass a?auth
s!pass s?auth
s
c
a

34
② G↾C
s c a
val oauth :
[ `cons of
[ `cons of
[ `cons of
c!login
s!pass s?auth
s
c
a
Destination role's names are a method of an object
< role_S
< role_A
< role_A

35
② G↾C
s c a
val oauth :
[ `cons of
[ `cons of
[ `cons of
c!login
s!pass s?auth
s
c
a
Output labels are methods in an object
< password
< role_S
< role_A
< role_A

36
② G↾C
s c a
val oauth :
[ `cons of
[ `cons of
[ `cons of
c!login
s!pass s?auth
s
c
a
Input labels are (polymorphic) variant type tags
[ `login
[ `auth
Output labels are methods in an object
< password
< role_S
< role_A
< role_A

let ch = get_ch c oauth (* get a MPST channel for s *)
val ch :
close ] inp lin >) out lin > > ] inp lin >
OCaml>
let thread_C () =
match receive ch#role_S with
| `login((u:string), ch)->
let ch = send ch#role_A#password "asdf" in
match receive ch#role_A with
| `auth((b:bool), ch) ->
close ch
Protocol conformance via OCaml's type checking
37
③ LC ⊢ PC ✔

val ch :
OCaml>
let thread_C () =
close ch
38
< role_S
Select destination role via method invocation (#)
role_S
③ LC ⊢ PC ✔

val ch :
OCaml>
let thread_C () =
close ch
39
< role_S
role_S
③ LC ⊢ PC ✔
[ `login
`login
… and receive on it, then pattern-match the value against variant tags (labels)
received payload

val ch :
OCaml>
let thread_C () =
close ch
40
< role_S
role_S
③ LC ⊢ PC ✔
[ `login
`login
received payload
"Next" channel is supplied as a part of the returned value

val ch :
OCaml>
let thread_C () =
close ch
41
< role_S
role_S
< role_A
role_A
③ LC ⊢ PC ✔
[ `login
`login
received payload

val ch :
OCaml>
let thread_C () =
close ch
42
< role_S
role_S
< role_A
role_A
③ LC ⊢ PC ✔
[ `login
`login
received payload
< password
#password
Select an output label via method invocation (#), then
send it with a payload

val ch :
OCaml>
let thread_C () =
close ch
43
< role_S
role_S
< role_A
role_A
role_A
< role_A
③ LC ⊢ PC ✔
[ `login
`login
received payload
< password
#password

val ch :
OCaml>
let thread_C () =
close ch
44
< role_S
role_S
< role_A
role_A
`auth
[ `auth
role_A
< role_A
③ LC ⊢ PC ✔
[ `login
`login
received payload
< password
#password

let ch = get_ch s oauth (* get a MPST channel for s *)
val ch :
OCaml>
let thread_C () =
close ch
45
Protocol conformance via OCaml's type checking③ LC ⊢ PC ✔
ro
If there is a
typo …
OCaml reports a type error at this point

↓ A single OCaml Source code file (.ml)
OCaml
Program
OCaml
Program
OCaml
Program
Protocol
in OCaml
③ LC ⊢ PC ?
① wf(G) ?
② G↾C
Global Protocol Combinator : Deadlock freedom by Types!
46
Type checking
by
OCaml compiler
✔
✔
deadlock-free
Type
checking
& inference
Recap
deadlock-free!

↓ A single OCaml Source code file (.ml)
OCaml
Program
OCaml
Program
OCaml
Program
Protocol
in OCaml
③ LC ⊢ PC ?
① wf(G) ?
② G↾C
Global Protocol Combinator : Deadlock freedom by Types!
47
Type checking
by
OCaml compiler
✔
✔
deadlock-free
Type
checking
& inference
Recap
deadlock-free!
Are they really correct??

GPC: Are they correct
48
A. Key idea: Global Combinators pre-generate channels
❖ Multiparty channels as nested sequence of simply-typed channels
B. Formalisation of GPC with Deadlock-freedom Theorem
❖ OCamlM: A minimal concurrent language
❖ Typing rules for Global Combinators
C. Implementation: GPC as a typed DSL in OCaml
❖ Based on a set of type manipulation techniques
(GADTs, field label encoding, and plumbings such as polymorphic record extension)
GPC key ingredients

GPC: Are they correct
49
B. Formalisation of GPC with Deadlock-freedom Theorem
❖ Typing rules for Global Combinators
(GADTs, label encoding, and plumbings such as polymorphic record extension)
GPC key ingredients

50
Let's start cooking!!

51
S
C A
⟨⟩ ⟨⟩
⟨⟩
let oAuth = finish

52
S
C A
Sauth
⟨?Sauth⟩ ⟨!Sauth⟩
⟨⟩
let oAuth = (A → C) auth finish

53
let oAuth = (C → A) password ((A → C) auth finish)
S
C A
Sauth
Spasswd
⟨!Spasswd; ?Sauth⟩ ⟨?Spasswd; !Sauth⟩
⟨⟩

54
let oAuth = (S → C) login ((C → A) password ((A → C) auth finish))
S
C
A
⟨?Slogin ; !Spasswd; ?Sauth.0 ⟩ ⟨?Spasswd; !Sauth⟩
Sauth
Spasswd
Slogin
⟨!Slogin ⟩

55
S
C
A
Sauth
Spasswd
Slogin
⟨!Slogin ⟩

Distribute them and start the communication
56
PS
PC
PA
!Slogin.0| ?Slogin ; !Spasswd; ?Sauth.0| ?Spasswd;!Sauth.0

57
PS
PC
PA
0| !Spasswd; ?Sauth.0| ?Spasswd;!Sauth.0

58
PS
PC
PA
0| ?Sauth.0| !Sauth.0

59
PS
PC
PA
0| 0| 0

60
PS
PC
PA
!Slogin.0| ?Slogin ; !Spasswd; ?Sauth.0| ?Spasswd;!Sauth.0
❖ All these channels are simply-typed (hence no type-errors)
❖ Global combinators aim to be deadlock-free
❖ The nested structure enforces usage order
Point

GPC: Are they correct? (cont.)
61
B. Formalisation of GPC (with Deadlock-freedom Theorem)
❖ Typing rules for Global Combinators (with hints to OCaml DSL)
❖ Session Type merging
(GADTs, field label encoding, and plumbings such as polymorphic record extension)
GPC key ingredients

B. OCamlM: Formalisation of GPC with Deadlock-freedom Theorem
• A minimal concurrent language with structural subtyping,
equi-recursive types and simply-typed channels
• Typing rules for global combinators
62

Typing rules
63
p1 pn
… … …
Point: give an index for each role (and order roles)
wf(G) ✔, G↾C

The typing rule for (-->)
64
p1 pn
…
pi pj
… …
wf(G) ✔, G↾C
i

65
p1 pn
…
pi pj
… …
Index-based type update
wf(G) ✔, G↾C
i

66
p1 pn
…
pi pj
… …
p1 pn
…
pi pj
… …
"Wrap" with opponent's role names and labels
wf(G) ✔, G↾C
i

67
p1 pn
…
pi pj
… …
p1 pn
…
pi pj
… …
Implement them by using GADTs and
polymorphic lens (explained later)
available in OCaml
wf(G) ✔, G↾C
i

68
p1 pn
…
pi pj
… …
p1 pn
…
pi pj
… …
Requires first-class record fields
(methods) and variant tags
⇒ Encode them as values
encode it in OCaml
Implement them by using GADTs and
polymorphic lens (explained later)
available in OCaml
wf(G) ✔, G↾C
i

The typing rule for branching (choice_at)
69
wf(G) ✔, G↾C

70
Ensure that pa is a sending
wf(G) ✔, G↾C

71
Output labels must be disjoint (deterministic)
wf(G) ✔, G↾C

72
Merge two records (objects) into one
wf(G) ✔, G↾C

73
Merge two records (objects) into one
Encode disjoint record merging
encode it in OCaml
wf(G) ✔, G↾C

74
wf(G) ✔, G↾C
Too restrictive for communication protocols
Solution: Subtyping!
Requires each role having the same type (behaviour) in each branch
→ seems standard wrt. if-then-else construct, but

75
wf(G) ✔, G↾C
Too restrictive for communication protocols
Solution: Subtyping!
Row polymorphism
(objects and polymorphic variants)
available in OCaml
Requires each role having the same type (behaviour) in each branch
→ seems standard wrt. if-then-else construct, but

Typing rules
76
…
p1 pn
…
pi
…
p1 pn
…
pi
…
p1 pn
…
pi
…
Γ ⊢ choice … {g1; g2} : ⋯×p&{m1:T1, m2:T2}×⋯
Γ ⊢ g1 : ⋯×p&{m1:T1}×⋯ Γ ⊢ g2 : ⋯×p&{m2:T2}×⋯
Desired type
(According to Full Merging in MPST)
A problem:
p&{m1:T1} ≠ p&{m2:T2}

Typing rules
77
…
p1 pn
…
pi
…
p1 pn
…
pi
…
p1 pn
…
pi
…
Γ ⊢ choice … {m1:g1; m2:g2} : ⋯×p&{m1:T1, m2:T2}×⋯
Γ ⊢ g1 : ⋯×p&{m1:T1}×⋯ Γ ⊢ g1 : ⋯×p&{m2:T2}×⋯
? ?

Typing rules
78
…
p1 pn
…
pi
…
p1 pn
…
pi
…
p1 pn
…
pi
…
Γ ⊢ g1 : ⋯×p&{m1:T1, m2:T2}×⋯ Γ ⊢ g2 : ⋯×p&{m1:T1, m2:T2}×⋯
Γ ⊢ g1 : ⋯×p&{m1:T1}×⋯ Γ ⊢ g1 : ⋯×p&{m2:T2}×⋯
Γ ⊢ choice … {g1; g2} : ⋯×p&{m1:T1, m2:T2}×⋯
p&{m1:T1} ≤ p&{m1:T1; m2:T2} p&{m2:T2} ≤ p&{m1:T1; m2:T2}
Subtyping!!

Deadlock and type errors: An analysis
79
let oauth_branch =
poke a instead of c

80
let oauth_branch =
poke a instead of c
c's first action is output to a <a: <quit: !bool*cont2>>

81
let oauth_branch =
poke a instead of c
c's first action is input from s <s: ?[login_str*cont1]>

82
let oauth_branch =
poke a instead of c
c's first action is input from s <s: ?[login_str*cont1]>
No least upper bound (common supertype)
⇒ type error
No least upper bound (common supertype)
⇒ type error

A note on typing
83
<r: ?[lab: T1*T2]>
<r: <lab: !T1*T2>>
Input and output session types are not symmetric with each other. Why?
sok : ?bool, scancel : ?int
: ?[ok_(bool×•); cancel_(int× …)] (← wanted)
Making a multiplexed channel from
simply-typed channels

A note on typing
84
<r: ?[lab: T1*T2]>
<r: <lab: !T1*T2>>
choose : List[?T] -> ?T
makes a (multiplexed) channel (external choice)
wrap : (α -> β) -> ?α -> ?β
makes a wrapped channel
Concurrent ML (Reppy, 1993)
Types are slightly modified, they uses "events" in reality

A note on typing
85
<r: ?[lab: T1*T2]>
<r: <lab: !T1*T2>>
wrap (λx.[ok=(x,•)]) sok
: ?[ok_(bool×•)]
wrap (λx.[cancel=(x,…)]) scancel
: ?[cancel_(int×…)]
wrap : (α -> β) -> ?α -> ?β

A note on typing
86
<r: ?[lab: T1*T2]>
<r: <lab: !T1*T2>>
: ?[ok_(bool×•)]
List(wrap (λx.[ok=(x,•)]) sok; wrap (λx.[cancel=(x,…)]) scancel)
: List[ ?[ok_(bool×•), cancel_(int×…)] ]
wrap : (α -> β) -> ?α -> ?β

A note on typing
87
<r: ?[lab: T1*T2]>
<r: <lab: !T1*T2>>
: ?[ok_(bool×•)]
choose (List(wrap (λx.[ok=(x,•)]) sok; wrap (λx.[cancel=(x,…)]) scancel))
wrap : (α -> β) -> ?α -> ?β

GPC: Are they correct? (cont.)
88
B. Formalisation of GPC (with Deadlock-freedom Theorem)
❖ Typing rules for Global Combinators (with hints to OCaml DSL)
❖ Session Type merging
(GADTs, field label encoding, and details of plumbings for polymorphic record extension)
❖ Benchmarks: Garbage collection matters
❖ Linearity monad
GPC key ingredients
Please ask me over beer!

GPC wrap up
89
Global Protocol Combinator: a DSL for writing global protocols
❖ Key Ingredients: Global Combinators
❖ Covers all basic MPST features (including full merging)
❖ Extensions: HTTP, and OAuth Example (on top of it), and more
OCamlM: fomalisation of a minimal programming language for GPC
❖ Subject Reduction, Operational Correspondence and Deadlock-freedom
❖ Types for global combinators
❖ Merging is a least upper bound in subtyping relation
Sauth
Spasswd
let oauth = (s --> c) login …
p1 pn
… … …

Future Work
90
A → B
B → C
A → B
• Deadlock-freedom proof on full global combinators
❖ Including more expressive ones (e.g. relaxed loop conditions)
❖ Scatter/Gather (broadcast), undirected internal choice, …
• Implementation in other programming languages
❖ TypeScript (structural subtyping from beginning, and will have recursive types as well)
❖ Haskell (automatically construct global combinators via type classes)
Thank you!

Loops are easy (for now)
92
S
C
A
Sauth
Spasswd
Slogin
⟨?Slogin ⟩

Loops are easy (for now)
93
let oAuth = fix (λx. (S → C) login ((C → A) password ((A → C) auth x))
S
C
A
μx.⟨?Slogin ; !Spasswd; ?Sauth; x ⟩
μx. ⟨?Spasswd; !Sauth; x⟩
Sauth
Spasswd
Slogin
μx. ⟨?Slogin; x⟩

Branchings?
94
S
C
A
Sauth
Spasswd
Slogin
(S → C) login ((C → A) password ((A → C) auth finish))
(S → C) cancel ((C → A) quit finish)
S
C A
Squit
Scancel
+?

Input / output primitives and row-polymorphism in OCaml
95
let thread_A () =
let `password((p:string), ch) = receive ch#role_C in
let ch = send ch#role_C#auth true in
close ch
(FP's type inference-friendly structural typing)

96
let thread_A () =
close ch
Input labels are
polymorphic variants
Input labels are

97
let thread_A () =
close ch
Input labels are
Input labels are
Output labels are methods in
an object (fields in a polymorphic record)

98
let thread_A () =
close ch
OCaml's row-polymorphism simulates session-type subtyping
Input labels are
Input labels are

99
let thread_A () =
close ch
Input labels are
Input labels are
val ch :
< role_C : [< `password of
string *
< role_C : < auth : (bool * close) out lin; .. >; .. >
] inp lin; .. >
-> unit

100
let thread_A () =
close ch
Input labels are
Input labels are
val ch :
string *
] inp lin; .. >
-> unit
Inferred polymorphic variant type: it can have less receiving labels
(= in this case it must have password at least since there must be one)

101
let thread_A () =
close ch
Input labels are
Input labels are
val ch :
string *
] inp lin; .. >
-> unit
Inferred polymorphic variant type: it can have less receiving labels
(= in this case it must have password at least since there must be one)
Inferred object type: it can have more sending labels

Branching
102
let oauth1 =
(s, (s --> c) login @@ (c --> a) password @@ (a --> c) auth finish)
(s, (s --> c) cancel @@ (c --> a) quit finish)
A protocol with branching:
let thread_C () =
| `cancel((code:int), ch) -> close (send chc#role_A#quit ())
| `login((), ch) ->
let `auth(b, ch) = receive ch#role_A in
close ch
Code for C (waiting for S with an external choice):

Branching
103
let oauth1 =
S will decide a branch, then C and A will follow
let thread_C () =
| `login((), ch) ->
close ch
Code for C (waiting for S with an external choice):

Branching
104
let oauth1 =
S will decide a branch, then C and A will follow
let thread_C () =
| `login((), ch) ->
close ch
Code for C (waiting for S with an external choice):An external choice is a pattern matching
(idiomatic OCaml)

Loops and delegations (1)
105
let oauth2 =
fix (fun self ->
choice_at s (to_c login_cancel_or_retry)
(s, oauth1 ())
(s, (s --> c) retry @@ (c --> a) retry self))
Thanks to OCaml's equi-recursive types (built in polymorphic variants and objects by default),
programmers can handle recursions very naturally:

106
let oauth2 =
fix (fun self ->
(s, oauth1 ())
recursionrecursion

107
let oauth2 =
fix (fun self ->
(s, oauth1 ())
recursionrecursion
protocol reuse

108
let oauth2 =
fix (fun self ->
(s, oauth1 ())
recursionrecursion
protocol reuse
val ch_S : < role_C : < cancel : ('_b * close) out lin;
login : ('_c * close) out lin;
retry : ('_d * 'a) out lin > > as 'a
OCaml>

109
let oauth2 =
fix (fun self ->
(s, oauth1 ())
recursionrecursion
protocol reuse
val ch_S : < role_C : < cancel : ('_b * close) out lin;
retry : ('_d * 'a) out lin > > as 'a
OCaml>
recursionrecursion

110
let oauth_deleg =
(mst --> wrk) (msg >: get_prot s oauth2)
finish
Delegation doesn't need any special treatment, since OCaml will just infer the delegated type.
However, you can annotate labels with a delegated protocol, like this:
val ch_Mst :
< role_Wrk : < msg :
(< role_C : < cancel : ('_b * close) out lin;
retry : ('_d * 'a) out lin > > as 'a *
close) out lin > >
OCaml>
Delegated type

Detecting protocol errors using types
111
Non-determinism/
Deadlock
in a protocol
let oauth1 =
(s, (s --> a) cancel @@ (c --> a) quit finish)
NB: Branching is a source of concurrency issues

112
Non-determinism/
Deadlock
in a protocol
let oauth1 =
… is also reported as a type error

113
Non-determinism/
Deadlock
in a protocol
let oauth1 =
Theorem: if a global type G is well-formed, its encoding
to a global combinator g =⟦G⟧ is well-typed in OCamlM.

114
Non-determinism/
Deadlock
in a protocol
let oauth1 =
Theorem: if a global type G is well-formed, its encoding
to a global combinator g =⟦G⟧ is well-typed in OCamlM.
Global Combinators have full expressivity of MPST Global Types

[Formalisation] OCamlM : a Minimal calculus for global combinators
Main results:
115
A calculus with structural subtyping, equi-recursive types and
i/o-typed channels
Theorem (Subject Reduction): if ⊢ e and e→* e' then ⊢ e'
Theorem (Operational Correspondence):
(Completeness)
(Soundness)
Corollary (Deadlock Freedom): If an MPST process P is
deadlock-free, OCamlM expression e=⟦P⟧ is deadlock-free.

Other features and Examples
✔ Branchings, loops, delegations
❖ Allows full merging in a branching (next slide)
✔ MPST as a wrapper
❖ Offers global protocol on top of HTTP, DNS, …
❖ Example: OAuth, DNS server, SMTP client, …
❖ Utilise concurrent/distributed libraries: Lwt (lightweight threads) and Unix IPC
✔ More Extensions
❖ Scatter/Gather (broadcast)
❖ Undirected choice (-nolive)
❖ Unbalanced Loops
116
B⊕m1 C⊕m2
B⊕m1C⊕m2
A → B
B → C
A → B

Full merging
117
let oauth1 =
Input labels are
polymorphic variantsA can have different
input branches
Example: A branch happens between S and C.
⇒ Merge A's two behaviours into one
Merging strategy Synopsis Implementations
Plain merging
All branches must have same
labels/continuation (restrictive)
Scalas et al.
(ECOOP 2017)
✔ Full merging
Different input labels/continuations
can be mergeable (more relaxed)
This work

• Benchmarks reflect our design decision to use
mutable long lived objects (e.g channel vectors)
❖ Our work: few mutable long lived objects, created at the start of the protocol
❖ State-of-the-art (linear-decomposition [Scala et.a]): many small channels, created on-demand
(during the protocol execution)
118

Benchmarks
• Comparison with Linear (Binary) Decomposition [Scalas et al., 2017]
❖ Translation from MPST to Linear Types
❖ Continuation Passing Style (CPS):
It creates (and exchanges) a fresh channel at each communication step
❖ Must be slower than us??
• Compete with ours in some cases (!), but CPS is slower in general
❖ OCaml's major GC is doing nice work
• Monad (static linearity checking with overhead) VS. Direct style (dynamic)
119

Put All Slides in right contexts!!
• Most surprising parts:
• (what is it) 簡単に？
programmers can write like this… select opponent role by method, then (a) send by method / (b) receive it and pattern match on variants.
Errors are detected like this… GC well-formedness errors and Local type conformance errors.
Bonus: recursive sessions, session subtyping and delegations are all free.
• (why/how gc-like typing is possible??)
(1) (why EPP is possible, it is operation on types!!: see onion and --> typing.)
(2) (why well-formedness checking is possible? What is well-formedness?: see typing rules)
• (key idea) タマネギ．2枚くらいにおさめる
• (how it is typed) --> typing and implementation (mention that OCaml do not have such first-class?)
• (how deadlock is detected: harder) choice, nondeterminisim and deadlock
choice is like an if-then-else. Two branches are merged into one.
(Sub)typing and global combinator typing prevents occasional wrong branching.
• (how it is imlpemented) lenses and first class record fields
• Choice_at typing and record extensions
❖ Least upper bound is merging
❖ We have more expressive GTs
❖ Subtyping and equi-recursive types
❖ Unguardedness and Unbalanced merging
• Linearity monad
• Deadlock freeness, syntax of local types, and undirected choice (sending and receiving)
• Benchmarks
• Meaning of type errors and relationship to deadlocks
❖ Mergeability and local type syntax
❖ Possibility to extension (i.e. non-directed merging)
❖ Why roles are record fields – what if it was variant tags
120

Channel Vectors: Inhabiting MPSTs as simple channel types
121
TA = B⊕{ok.•; cancel.B&cancel.•} TB = A&{ok.•; cancel.B⊕cancel.•}

Channel Vectors: Inhabiting MPSTs as simple channel types
122
sok scancel1
scancel2
sok scancel1
scancel2
Idea: Put simply-typed channels in a tree-like data structure
TA = B⊕{ok.•; cancel.B&cancel.•} TB = A&{ok.•; cancel.B⊕cancel.•}

Internal Choice is Record
A record having pairs of an output channel and "the rest" in its fields
123
⟦ B⊕{ok.•; cancel.B&cancel(int).•} ⟧s = <B = <ok= (sok, •); cancel= (scancel1, ⟦...⟧s)> >
Pictorially:

124
⟦ B⊕{ok.•; cancel.B&cancel(int).•} ⟧s = <B = <ok= (sok, •); cancel= (scancel1, ⟦...⟧s)> >
(scancel, )(sok, )
…
ok cancel
Pictorially:

125
⟦ B⊕{ok.•; cancel.B&cancel(int).•} ⟧s =
: ⟨B : ⟨ok: !(int*int)×•; cancel: !(bool) ×⟦…⟧⟩ ⟩
Provided that
• sok : Och, scancel : Och
(! is an output channel type)
<B = <ok= (sok, •); cancel= (scancel1, ⟦...⟧s)> >
(scancel, )(sok, )
…
ok cancel
Pictorially:

External choice is variant input
126
Variant input type: ?[ok_(bool×•); cancel_(int× …)]
Variant type: [ok_(bool×•); cancel_(int× …)]
("Either ok (with bool×•) or cancel (with int×…)")
("Receives either ok (with bool×•) or cancel (with int×…)")
cancel(_, )ok(_, )
scancel1sok
cancel
external choice
Pictorially: But how?

A Solution from Concurrent ML (Reppy, 1993)
127
… has a set of (event) primitives we need!
wrap : (α -> β) -> ?α -> ?β

128
wrap : (α -> β) -> ?α -> ?β
: ?[ok_(bool×•)]

129
wrap : (α -> β) -> ?α -> ?β
: ?[ok_(bool×•)]

130
wrap : (α -> β) -> ?α -> ?β
: ?[ok_(bool×•)]

131
wrap : (α -> β) -> ?α -> ?β
: ?[ok_(bool×•)]
cancel(_, )ok(_, )
scancel1
sok
(scancel2, )
cancel
choose

Putting them altogether
132
(scancel, )(sok, )
ok cancel
cancel(_, )ok(_, )
scancel1
sok
(scancel2, )
cancel
choose
B⊕{ok(bool).•; cancel(int).B&cancel(int).•} A&{ok(bool).•; cancel(int).A⊕cancel(int).•}
choice_at A {(A → B) ok finish, (A → B) cancel((B → A) cancel finish)}
cancel(_, )
scancel2

Putting them altogether
133
(scancel, )(sok, )
ok cancel
cancel(_, )ok(_, )
scancel1
sok
(scancel2, )
cancel
choose
B⊕{ok(bool).•; cancel(int).B&cancel(int).•} A&{ok(bool).•; cancel(int).A⊕cancel(int).•}
choice_at A {(A → B) ok finish, (A → B) cancel((B → A) cancel finish)}
cancel(_, )
scancel2

OCaml-MPST / Global Protocol Combinators

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie OCaml-MPST / Global Protocol Combinators

Ähnlich wie OCaml-MPST / Global Protocol Combinators (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

OCaml-MPST / Global Protocol Combinators