Verifying message-passing programs with dependent behavioural types

Concurrent and distributed programming is notoriously hard. Modern languages and toolkits ease this difficulty by offering message-passing abstractions, such as actors (e.g., Erlang, Akka, Orleans) or processes (e.g., Go): these are simpler to reason about than shared-memory concurrency, but they do not ensure that a program implements a given specification. To address this challenge, it would be desirable to specify and verify the intended behaviour of message-passing applications using types, and to ensure that, if a program type-checks and compiles, then it will run and communicate as desired. We develop this idea in theory and practice. We formalise a concurrent functional language, λ≤π, with a new blend of behavioural types (from π-calculus theory) and dependent function types (from the Dotty programming language, a.k.a. the future Scala 3). Our theory yields four main payoffs: (1) it verifies safety and liveness properties of programs via type-level model checking; (2) unlike previous work, it accurately verifies channel passing (covering a typical pattern of actor programs) and higher-order interaction (i.e., sending and receiving mobile code); (3) it is directly embedded in Dotty, as a toolkit called Effpi, offering a simplified actor-based API; (4) it enables an efficient runtime system for Effpi, supporting highly concurrent programs with millions of processes/actors.
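As an added illustration of the central claim above, that a message-passing protocol can be stated as a type so that a program which compiles can only communicate in the specified order, the block below uses the plain typestate (session-type) encoding found in several mainstream-language session libraries, written here in Rust. It is not code from the paper or from the Effpi toolkit, and it uses neither dependent types nor type-level model checking; the protocol (client sends a number, server replies with its double, both end), the type names `SendThen`/`RecvThen`/`End`, and the helper functions are all constructed for this example.

```rust
// Added example (not Effpi): a two-party protocol encoded as types.
//   Client endpoint: send u32, then receive u32, then end.
//   Server endpoint: receive u32, then send u32, then end.
// Each protocol step consumes the endpoint and returns it in its next
// state, so an out-of-order send/receive is a type error, not a runtime bug.
use std::marker::PhantomData;
use std::sync::mpsc::{channel, Receiver, Sender};
use std::thread;

// Protocol states (a minimal session-type syntax, names chosen here).
pub struct SendThen<Next>(PhantomData<Next>);
pub struct RecvThen<Next>(PhantomData<Next>);
pub struct End;

// The two endpoint types are duals of each other.
pub type Client = SendThen<RecvThen<End>>;
pub type Server = RecvThen<SendThen<End>>;

// An endpoint currently in protocol state `S`. Rust ownership makes the
// endpoint linear: every step moves `self`, so a state cannot be reused.
pub struct Chan<S> {
    tx: Sender<u32>,
    rx: Receiver<u32>,
    _state: PhantomData<S>,
}

impl<Next> Chan<SendThen<Next>> {
    /// Only available while the protocol says "send next".
    pub fn send(self, v: u32) -> Chan<Next> {
        self.tx.send(v).expect("peer endpoint dropped");
        Chan { tx: self.tx, rx: self.rx, _state: PhantomData }
    }
}

impl<Next> Chan<RecvThen<Next>> {
    /// Only available while the protocol says "receive next".
    pub fn recv(self) -> (u32, Chan<Next>) {
        let v = self.rx.recv().expect("peer endpoint dropped");
        (v, Chan { tx: self.tx, rx: self.rx, _state: PhantomData })
    }
}

impl Chan<End> {
    /// Closing is the only operation left once the protocol is finished.
    pub fn close(self) {}
}

/// Create one session: two endpoints wired over a pair of mpsc channels.
pub fn new_session() -> (Chan<Client>, Chan<Server>) {
    let (c2s_tx, c2s_rx) = channel();
    let (s2c_tx, s2c_rx) = channel();
    (
        Chan { tx: c2s_tx, rx: s2c_rx, _state: PhantomData },
        Chan { tx: s2c_tx, rx: c2s_rx, _state: PhantomData },
    )
}

/// Client side: the type of `c` forces send, then recv, then close.
/// Writing `c.recv()` first does not compile (no `recv` in state SendThen).
pub fn client(c: Chan<Client>, n: u32) -> u32 {
    let c = c.send(n);
    let (reply, c) = c.recv();
    c.close();
    reply
}

/// Server side: recv, then send the doubled value, then close.
pub fn server(s: Chan<Server>) {
    let (n, s) = s.recv();
    let s = s.send(n.wrapping_mul(2));
    s.close();
}

/// Run one session end to end and return what the client received.
pub fn run(n: u32) -> u32 {
    let (c, s) = new_session();
    let handle = thread::spawn(move || server(s));
    let reply = client(c, n);
    handle.join().expect("server thread panicked");
    reply
}

fn main() {
    println!("client received {}", run(21));
}
```

Two limits of this encoding are exactly the gap the abstract points at. Rust's ownership gives linearity (a state is used at most once) and so rules out the unsafe orderings, but nothing stops a program from dropping an endpoint before reaching `End`, so it cannot promise that the session completes: that is a liveness property, which the paper checks at the type level. The encoding also says nothing about sending an endpoint over another channel (channel passing), which the abstract lists as a case earlier work handled inaccurately.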
