A New Type System for Deadlock-Free Processeskoba/papers/concur2006-full.pdfA New Type System for...

A New Type System for Deadlock-FreeProcesses

Naoki Kobayashi

Graduate School of Information Sciences, Tohoku University

Abstract. We extend a previous type system for the π-calculus thatguarantees deadlock-freedom. The previous type systems for deadlock-freedom either lacked a reasonable type inference algorithm or were notstrong enough to ensure deadlock-freedom of processes using recursion.Although the extension is fairly simple, the new type system admits typeinference and is much more expressive than the previous type systemsthat admit type inference. In fact, we show that the simply-typed λ-calculus with recursion can be encoded into the deadlock-free fragmentof our typed π-calculus. To enable analysis of realistic programs, wealso present an extension of the type system to handle recursive datastructures like lists. Both extensions have already been incorporated intothe recent release of TyPiCal, a type-based analyzer for the π-calculus.

1 Introduction

Various type systems for the π-calculus have been proposed, some of which canguarantee that processes are deadlock-free in the sense that certain communica-tions will eventually succeed unless the process diverges [3, 5, 6, 8, 10, 15]. (Someof them guarantee even a stronger property.) Earlier type systems for deadlock-freedom [5, 6, 14, 15] required explicit type annotations, so that they were notsuitable for automatic analysis of deadlock-freedom. Kobayashi et al. [8, 10] latermodified the type systems so that the resulting type systems have a type infer-ence algorithm, and deadlock-freedom of processes can be automatically ana-lyzed through type inference.

Based on the type system of [8], Kobayashi has implemented the first versionof TyPiCal (ver. 1.0), a type-based analyzer for the π-calculus. Figure 1 showsa sample input and output of the deadlock analysis of TyPiCal. The first line inthe input program runs two servers, one of which waits for a request on channelserver1 and sends 1 back to the reply channel r, and the other of which waitsfor a request on channel server2 and may or may not send a reply, depending onthe value of b. (Here, ?, !, and | represent an input action, an output action, andparallel composition respectively. O represents an inaction.) The second line runsa client process, which creates a fresh communication channel r1 for receivinga reply, sends a request on server1, and waits for a reply. The client processon the third line behaves similarly, except that it sends a request on server2.Given that program, TyPiCal’s deadlock analyzer automatically finds input and

output operations that are guaranteed to succeed if they are ever executed and ifthe whole process does not diverge, and mark them with ?? and !!. The outputshown in the figure indicates that the first client can eventually receive a reply(note that r1?x has been replaced by r1??x), while the second client may notbe able to receive a reply (r2?x remains the same).

Input program:*(server1?r.r!1) | *(server2?r.if b then r!1 else O) /* Servers */

| new r1 in server1!r1.r1?x /* A client for the first server */

| new r2 in server2!r2.r2?x /* A client for the second server */

Output:*(server1?r.r!!1) | *(server2?r.if b then r!!1 else O)

| new r1 in server1!!r1.r1??x | new r2 in server2!!r2.r2?x

Fig. 1. A sample input and output of the deadlock analysis of TyPiCal

To enable type inference, however, we have traded the strength of the typesystem [8, 10]. In particular, the previous type systems for deadlock-freedomequipped with type inference algorithms cannot well handle recursive processes.For example, consider the following function server, which computes the factorial:

*fact?(n,r).if n=0 then r!1else new r1 in (fact!(n-1,r1) | r1?x.r!(x*n))

The server is deadlock-free in the sense that given a request, it will eventually re-turns a result unless the process diverges (actually, the process does not diverge,but the termination analysis is out of scope of this paper), but the previoustype systems fail to conclude that. Even the simply-typed λ-calculus (withoutrecursion) could not be encoded into the deadlock-free fragment of the previoustype systems [8, 10]. On the other hand, an earlier type system of Kobayashi [5]could handle the above recursive process, but it was so complicated that a typeinference algorithm could not be developed.

In this paper, we introduce a simple extension of the type system for deadlock-freedom [8, 10], which allows us to handle recursive processes like above, whilekeeping the existence of a type inference algorithm. Unlike the previous typesystems which deal with pure polyadic π-calculus, we also extend the target lan-guage with data structures like pairs and lists. We have already incorporatedthose extensions into the recent version of TyPiCal.

The rest of this paper is structured as follows. Section 2 introduces our targetlanguage (with only pairs as data structures). Section 3 introduces our newtype system for deadlock-freedom, and shows its soundness. To demonstrate thestrength of our type system, Section 4 shows that the simply-typed λ-calculuswith recursion can be encoded into the deadlock-free fragment of our typedcalculus. Section 5 informally explains how to deal with list data structures.

2 Target Language

This section introduces the target language of our deadlock analysis, which is asubset of π-calculus [12] extended with booleans, pairs, and conditionals.

2.1 Syntax

Definition 21 (processes) The set of processes, ranged over by P , is definedby:

P ::= 0 | x!tv. P | x?ty. P| (P |Q) | ∗P | (νx) P | if v then P else Q | let x = e in P

e ::= true | false | x | 〈e1, e2〉 | proj1(e) | proj2(e)v ::= true | false | x | 〈v1, v2〉

Here, x and y range over a countably infinite set Var of variables. t ranges overNat ∪ {∞}.

Notation 21 The prefix x?y binds variables y and (νx) binds x. As usual,we identify processes up to α-conversions (renaming of bound variables), andassume that α-conversions are implicitly applied so that bound variables are al-ways different from each other and from free variables. We write [x �→ v]P forthe process obtained by replacing all the free occurrences of x in P with v. Weoften omit 0 and write x!v and x?y for x!v.0 and x?y.0 respectively.

We assume that prefixes (x!v, x?y, (νx) , and ∗) bind tighter than the parallelcomposition operator | , so that x!y. P |Q means (x!y. P ) |Q, not x!y. (P |Q). Weoften write x?(y, z). P for x?p. let y = proj1(p) in let z = proj2(p) in P (wherewe assume p does not appear in P ).

Process 0 does nothing. Process x!tv. P sends v on x, and then (after v is re-ceived by some process) the process behaves like P . The label t indicates whetherthe output operation is deadlock-free: If t �= ∞, then the output is deadlock-free,i.e., if it is ever executed, v will eventually be received by some process or thewhole process diverges. The exact value of t can be ignored at this moment; itwill only be used in the type system. We call t a capability annotation. Notethat programmers actually need not supply capability annotations; They areautomatically inferred through type inference. We often omit t when it is unim-portant. Process x?ty. P waits to receive a value v on x and then behaves like[y �→ v]P . The label t indicates whether the input operation is deadlock-free: Ift �= ∞, then the input is deadlock-free, i.e., if it is ever executed, the process willeventually be able to receive a message on x or the whole process diverges. P |Qrepresents concurrent execution of P and Q. ∗P represents infinitely many copiesof the process P running in parallel, and (νx) P denotes a process that createsa fresh communication channel x and then behaves like P . if v then P else Qbehaves like P if v is true, and behaves like Q if v is false. let x = e in Pevaluates e to some value v, binds x to it, and then behaves like P .

2.2 Operational Semantics

As usual, we define the operational semantics using a structural relation P Q,and a reduction relation P −→ Q. The former relation means that P can berestructured to Q by using the commutativity and associativity laws on | , etc.The latter relation means that P is reduced to Q by one communication on achannel. The formal definition of the relations are given in the full paper [?]. Wewrite −→∗ for the reflexive and transitive closure of −→.

3 Type System

We introduce the new type system for deadlock-freedom in this section.

3.1 Overview

We first review the idea of previous type systems for deadlock-freedom [8, 10],identify the weakness of them, and then explain how to get rid of the weakness.

Ideas of previous type systems for deadlock-freedom The main idea ofprevious type systems for deadlock-freedom was to extend channel types withthe following information:

– Channel-wise usage information, which describes how often and in whichorder each channel is used for input and output.

– Capability and obligation of each input/output action, which captures cer-tain inter-channel dependency information.

We express channel-wise usage information by using a small, CCS-like processcalculus, which has two primitive actions ? and !. For example, usage of x inthe process x?y |x!1 |x!2 is expressed by ? | ! | !, which means that x is used oncefor input and twice for output possibly in parallel. The usage of x in x?y. x!y isexpressed by ?.!, which means that x is first used for input, and then used foroutput. The usage conveys some information about whether each action succeedsor not. For example, x having usage ? | ! | ! indicates that at least one of the twooutputs fails to succeed. Similarly, x having usage ?.! (in the whole process)indicates that neither an input action nor an output action succeeds, since theinput and output do not occur in parallel.

Channel-wise usage information alone is not sufficient for the analysis ofdeadlock. For example, it cannot distinguish between a deadlocked processx?z. y!z | y?z. x!1 and a non-deadlocked process x?z. y!z |x!1. y?z. . To controlthe dependency between communications on different channels, we have in-troduced the notion of capabilities and obligations [6, 8]. Let us explain whyx?z. y!z | y?z. x!1 deadlocks in terms of capabilities (to successfully receive orsend a message) and obligations (to wait for or to send a message). In orderfor the left sub-process x?z. y!z to succeed in receiving a message on x, someprocess has to fulfill an obligation to send a message on x. The right sub-process,

however, tries to exercise a capability to receive a message on y before fulfillingthe obligation. In order for the right sub-process to be able to exercise a ca-pability, the left process must fulfill an obligation to send a message on y, butthe left process tries to exercise a capability to receive a message on x beforefulfilling the obligation. Thus, the capability/obligation dependency is circular,so that no communication can succeed. To avoid such circular dependency, eachaction (? or !) in the channel-wise usage is associated with the levels of obliga-tions and capabilities, which range over {0, 1, 2, . . .} ∪ {∞}. The capability andobligation levels impose the following rules on the behavior of a process and itsenvironment.

A. An obligation of level n(�= ∞) must be fulfilled by using only capabilitiesof level less than n. For example, suppose that x has usage ?0

0 and y hasusage !11, where the subscript of an action describes its capability level andthe superscript describes its obligation level. Then, x?z. y!z and x?z | y!1 arevalid, but y!1. x?z is invalid: the last process tries to exercise a capability oflevel 1 before fulfilling the obligation of lower level.

B. For an action of capability level n(�= ∞), there must exist a co-action ofobligation level less than or equal to n (so as to guarantee that the capabilitycan be eventually exercised).

Therefore, the obligation level describes a requirement for the process beingconcerned, while the capability level describes an assumption about the environ-ment of the process being concerned. The two rules above ensure that there isno cyclic dependency between capabilities and obligations of finite levels; thus,deadlock-freedom is ensured for any action of a finite capability level.

Let us come back to the deadlocked process x?z. y!z | y?z. x!1. Suppose thatthe usages of x and y are ?ox1

cx1| !ox2

cx2and ?oy1

cy1 | !oy2cy2 , where cx1 and cy1 are finite.

Rule A above implies that cx1 < oy2 and cy1 < ox2, while rule B implies thatox2 ≤ cx1, ox1 ≤ cx2, oy2 ≤ cy1, and oy1 ≤ cy2. So, we get cx1 < oy2 ≤ cy1 <ox2 ≤ cx1, a contradiction.

Remark 1. A reader may wonder why a simpler approach of assigning a singlelevel to each name does not work. For example, one may be tempted to assignlevels lx and ly with lx < ly to x and y to conclude that x?z. y!z | y?z. x!1 iswrong (since the lefthand process violates the order). This naive approach breaksdown when one tries to deal with more complicated examples. For example,consider x?z. y?z. (x!z. | y!z), where x and y are lock channels [5, 8]. The processis innocent (it only tries to lock x and y in this order, and then release bothof them), but with the single level for each channel, we cannot assign a properorder between lx and ly, as the process performs a communication on x first,then on y, and again on x.

Weakness of previous type systems The main weakness of the previoustype systems based on the idea above was that they cannot handle recursiveprocesses well. Consider the following function server computing the factorial:

∗fact?(n, r). if n = 0 then r!1 else (νr′) (fact !(n − 1, r′) | r′?m. r!(m × n))

The second argument r of fact is assigned a type of the form chan(int , !totc

),which says that the channel is used for sending an integer, and the levels of theobligation and capability to do so are to and tc respectively. Since r′ is sent onfact , it is also assigned the type chan(int , !to

tc). Then, because of rule B, however,

the capability level of the input action on r′ in r′?m. · · · must be greater than to.So, the sub-process r′?m. r!(m × n) violates rule A (if to is not ∞). The sameproblem arises even in handling a process simulating a term of the simply-typedλ-calculus (without recursion). One way to overcome the problem above is touse dependent types, so that the obligation level of the second argument r candepend on the value of the first argument n [6]. The resulting type system would,however, require heavy type annotations.

The idea of the extension To get rid of the weakness mentioned above, weweaken rule A as follows:

A′. An obligation of level n on a channel x must be fulfilled by using onlycapabilities of level less than or equal to n, and if the capability level is n,the capability must be on a channel which has been created more recentlythan x.

For example, in the factorial server above, the level of an obligation to returna value on r and that of a capability to receive a value on r′ are the same,but since r′ has been created more recently, r′?m. r!(m × n) conforms to ruleA′. Rule A′ is sufficient to prevent deadlock by avoiding circular dependencybetween different channels. Since information about which channels has beencreated more recently is dynamic, a static analysis is required to estimate theinformation. In this paper, we use a simple syntactic analysis, which concludesthat, in the process (νx) P , x has been created more recently than any other freechannel of P . Fortunately, that turns out to be sufficient for handling recursiveprocesses like the factorial server and processes simulating λ-terms.

In the formal operational semantics, a channel x being created more recentlythan another channel y corresponds to the condition that the prefix (νx) is insidethe scope of the prefix (νy) . Note that our operational semantics disallows theusual structural rule (νx) (νy) P ≡ (νy) (νx) P . The condition in A′ could bethe other way around; we could require that the capability must be on a channelwhich has been created less recently than x. We, however, found the conditionabove more useful than this alternative requirement. That is because one of thecommon channel creation patterns is (νx) (P |x?y. Q), where P performs somesub-computation and sends the result on x.

3.2 Usages

This subsection introduces the syntax and semantics of usages more formally.They are almost identical to those of the previous type system [8].

Definition 31 (usages) The set U of usages, ranged over by U , is given by:

U ::= 0 | αt1t2 .U | (U1 |U2) | ∗U | ↑tU | U1 & U2 | ρ | µρ.U

α ::=? |!Here, t ranges over Nat ∪ {∞} (where Nat is the set of natural numbers).

We often omit 0 and write αt1t2 for αt1

t2 .0. We extend the usual binary relation≤ on Nat to that on Nat ∪ {∞} by ∀t ∈ Nat ∪ {∞}.t ≤ ∞. We also extend+ by ∞ + t = t + ∞ = ∞. We write min(x1, . . . , xn) for the least element of{x1, . . . , xn} (∞ if n = 0) with respect to ≤ and write max(x1, . . . , xn) for thegreatest element of {x1, . . . , xn} (0 if n = 0). We assume that µρ binds ρ. Wewrite [ρ �→ U1]U2 for the usage obtained by replacing the free occurrences of ρin U2 with U1. We write FV (U) for the set of free usage variables. A usage isclosed if FV (U) = ∅.

Usages Interpretation

0 Cannot be used at all

?totc

.U Used once for input, and then used according to U

!totc

.U Used once for output, and then used according to U

U1 |U2 Used according to U1 and U2, possibly in parallel

∗U Used according to U by infinitely many processes

↑tU The same as U , except that input and output obligation levelsare lifted to t.

U1 & U2 Used according to either U1 or U2

ρ Usage variable (used in combination with recursive usages below)

µρ.U Recursively used according to [ρ �→ µρ.U ]U .

Table 1. Meaning of Usage Expressions

Intuitive meaning of usages is summarized in Table 1. If to is finite, a channelof usage αto

tc.U must be used for the action α, while if to is ∞, the action need

not be performed. When tc is finite, the action will eventually succeed if it isever executed and the whole process does not diverge. If tc is ∞, there is nosuch guarantee. Note that a channel of usage αto

tc.U must be used according to

U only if it has been used for the action α and the action succeeds. For example,a channel of usage ?∞0 .!0∞ can be used for input (but need not be used), and if ithas been used for input and the input has succeeded, it must be used for output.That is similar to the usage of a lock: a lock may be acquired (but need not beacquired), and after the lock has been acquired, the lock must be released. Infact, a lock can be expressed as a channel of such usage: see Example 1. Usage↑tU lifts the obligation levels occurring in U (except for those guarded by ? or!) so that the input obligations and output obligations become greater than orequal to t. For example, ↑1(?0

0.!0∞) is the same as ?1

0.!0∞.

We give a higher precedence to prefixes (αtotc

and ∗) than to | . We write α

for the co-action of α (? =! and ! =?).

Example 1. Linear channels [9] are given a usage of the form ?n1n2

| !n3n4

. Affinechannels, which can be used at most once, are given a usage ?∞∞ | !∞∞. A referencecell can be implemented as a channel holding the current value as a message.Then, the read operation is expressed as x?y. (x!y | · · ·), while the write operationis expressed as x?y. (x!v | · · ·). The usage of a reference cell is thus represented as!0∞ | ∗?∞0 .!0∞. Similarly, a binary semaphore can be expressed as a channel holdingat most one message. The semaphore can be acquired by receiving the message,and released by sending the message back to the channel. Thus, the usage of asemaphore is represented as !0∞ | ∗?∞n .!n∞. Here, the level n controls which locksshould be acquired first when multiple locks need to be acquired.

Next, we define capability/obligation levels of a usage.

Definition 32 (capabilities) The input and output capability levels of usageU , written cap?(U) and cap!(U), are defined by:

capα(0) = capα(αtotc

.U) = capα(ρ) = ∞ capα(αtotc

.U) = tccapα(∗U) = capα(↑tU) = capα(µρ.U) = capα(U)capα(U1 |U2) = capα(U1 & U2) = min(capα(U1), capα(U2))

Definition 33 (obligations) The input and output obligation levels of a closedusage U , written ob?(U) and ob!(U), are defined by:

obα(0) = obα(αtotc

.U) = ∞ obα(ρ) = 0obα(αto

tc.U) = to obα(U1 |U2) = min(obα(U1), obα(U2))

obα(↑tU) = max(t, obα(U)) obα(U1 & U2) = max(obα(U1), obα(U2))obα(∗U) = obα(µρ.U) = obα(U)

We write ob(U) for max(ob?(U), ob!(U)).

We next introduce the usage reduction relation U −→ U ′. Intuitively, U −→U ′ means that if a channel of usage U has been used for a communication, thenit should be used according to U ′ afterwards. For example, !0∞ | ?∞0 .!0∞ −→!0∞holds. The formal definition of the relation is given in the full paper [?].

Relations and operations on usages As described in rule B in Subsec-tion 3.1, if some action has a capability of level n, the obligation level of itsco-action should be at most n. The relation rel(U) defined below ensures thatcondition.

Definition 34 (reliability) We write conα(U) when obα(U) ≤ capα(U). Wewrite con(U) when both con?(U) and con!(U) hold. A usage U is reliable, writtenrel(U), if con(U ′) holds for any U ′ such that U −→∗ U ′.

The subusage relation U1 ≤ U2 defined below means that U1 expresses moreliberal usage of channels than U2, so that a channel of usage U1 may be usedas that of usage U2. The first and second conditions require that the subusagerelation is closed under contexts and reduction. The third and fourth conditionsallow capabilities to be weakened and obligations to be strengthened.

Definition 35 (subusage) The subusage relation ≤ on closed usages is thelargest binary relation on usages such that the following conditions hold wheneverU1 ≤ U2.

1. [ρ �→ U1]U ≤ [ρ �→ U2]U for any usage U such that FV (U) = {ρ}.2. If U2 −→ U ′

2, then there exists U ′1 such that U1 −→ U ′

1 and U ′1 ≤ U ′

2.3. For each α ∈ {?, !}, capα(U1) ≤ capα(U2) holds.4. For each α ∈ {?, !}, if conα(U1), then obα(U1) ≥ obα(U2).

3.3 Types

Definition 36 (types) The set of types is given by:

τ (types) ::= bool | τ1 × τ2 | chan(τ, U)

Type bool is the type of booleans. The type τ1 × τ2 describes pairs consisting ofa value of type τ1 and a value of type τ2. The type chan(τ, U) describes channelsthat should be used according to U for transmitting values of type τ .

We extend relations and operations on usages to those on types.

Definition 37 (subtyping) A subtyping relation ≤ is the least reflexive rela-tion closed under the following rule:

U ≤ U ′

chan(τ, U) ≤ chan(τ, U ′)τ1 ≤ τ ′

1 τ2 ≤ τ ′2

τ1 × τ2 ≤ τ ′1 × τ ′

2

Definition 38 The obligation level of type τ , written ob(τ), is defined by:ob(bool) = ∞, ob(τ1×τ2) = min(ob(τ1), ob(τ2)), and ob(chan(τ, U)) = ob(U).

Definition 39 Unary operations ∗ and ↑t on types is defined by:∗bool = ↑tbool = bool, ∗(τ1 × τ2) = (∗τ1)×(∗τ2), ↑t(τ1 × τ2) = (↑tτ1)×(↑tτ2),∗(chan(τ, U)) = chan(τ, ∗U), and ↑t(chan(τ, U)) = chan(τ, ↑tU),

Definition 310 A (partial) binary operation | on types is defined by:bool |bool = bool, (τ11 × τ12) | (τ21 × τ22) = (τ11 | τ21) × (τ12 | τ22), and(chan(τ, U1)) | (chan(τ, U2)) = chan(τ, (U1 |U2)). τ1 | τ2 is undefined if it doesnot match any of the above rules.

3.4 Type Environment

A type environment is a mapping from a finite set of variables to types. Weuse metavariables Γ and ∆ for type environments. We write ∅ for the typeenvironment whose domain is empty. When x �∈ dom(Γ ), we write Γ, x : τ forthe type environment Γ ′ such that dom(Γ ′) = dom(Γ ) ∪ {x}, Γ ′(x) = τ , andΓ ′(y) = Γ (y) for all y ∈ dom(Γ ).

The operations and relations on types are pointwise extended to those ontype environments below.

For expressions

x : τ � x : τ(Tv-Var)

b ∈ {true, false}∅ � b : bool

(Tv-Bool)

Γ1 � e1 : τ1 Γ2 � e2 : τ2

Γ1 |Γ2 � 〈e1, e2〉 : τ1 × τ2

(Tv-Pair)

Γ � e : τ1 × τ2 i ∈ {1, 2}ob(τ3−i) = ∞

Γ � proji(e) : τi

(Tv-Proj)

Γ � e : τ Γ ′ ≤ Γ

Γ ′ � e : τ(Tv-Weak)

For Processes

Γ, x : chan(τ, U) �≺∪{(x,y)|y∈FV (P )\{x}} P rel(U)

Γ �≺ (νx) P(T-New)

∅ �≺ 0(T-Zero)

Γ1 �≺ P1 Γ2 �≺ P2

Γ1 |Γ2 �≺ P1 |P2

(T-Par)

Γ1 �≺ P Γ2 � v : τ

x : chan(τ, !0tc);≺(Γ1 |Γ2) �≺ x!tcv. P

(T-Out)

Γ1 � e : τ Γ2, x : τ �≺ P

Γ1 |Γ2 �≺ let x = e in P(T-Let)

Γ ′ �≺ P Γ ≤ Γ ′

Γ �≺ P(T-Weak)

Γ �≺ P

∗Γ �≺ ∗P (T-Rep)

Γ, y : τ �≺ P

x : chan(τ, ?0tc

);≺Γ �≺ x?tcy. P(T-In)

Γ1 � v : boolΓ2 �≺ P Γ2 �≺ Q

Γ1 |Γ2 �≺ if v then P else Q(T-If)

Fig. 2. Typing Rules

Definition 311 A binary relation ≤ on type environments is defined by: Γ1 ≤Γ2 if and only if (i) dom(Γ1) ⊇ dom(Γ2), (ii) Γ1(x) ≤ Γ2(x) for each x ∈dom(Γ2), and (iii) ob(Γ1(x)) = ∞ for each x ∈ dom(Γ1)\dom(Γ2).

Definition 312 The operations | and ∗ on type environments are defined by:

(Γ1 |Γ2)(x) =

Γ1(x) |Γ2(x) if x ∈ dom(Γ1) ∩ dom(Γ2)Γ1(x) if x ∈ dom(Γ1)\dom(Γ2)Γ2(x) if x ∈ dom(Γ2)\dom(Γ1)

(∗Γ )(x) = ∗(Γ (x))

3.5 Typing Rules

We have two kinds of judgments: Γ � e : τ for expressions, and Γ �≺ P forprocesses. The latter means that P uses free variables as specified by Γ . ≺ is a

partial order that statically estimates the order between the times when channelsare created. x ≺ y means that x must have been created more recently than y.Because of rule A′, x : chan(bool, ?0

1), y : chan(bool, !1∞) �{(x,y)} x?z. y!z andx : chan(bool, ?0

0), y : chan(bool, !1∞) �∅ x?z. y!z are valid judgments, whilex : chan(bool, ?0

1), y : chan(bool, !1∞) �∅ x?z. y!z is invalid.We assume that α-conversion is implicitly applied so that the variables in Γ

and ≺ are always different from the bound variables in P . The typing rules forderiving valid type judgments are given in Figure 2.

We explain some key rules. In T-New, ≺ is extended with the assumptionthat x has been created more recently than any other free channels in P .

In T-Out and T-In, we use the operation x : chan(τ, αtotc

);≺Γ on type envi-ronments. It represents the type environment ∆ defined by:

dom(∆) = {x} ∪ dom(Γ )

∆(x) ={

chan(τ, αtotc

.U) if Γ (x) = chan(τ, U)chan(τ, αto

tc) if x �∈ dom(Γ )

∆(y) ={↑tcΓ (y) if y �= x ∧ x ≺ y

↑tc+1Γ (y) if y �= x ∧ x �≺ y

For example, x : chan(τ, ?02);{(x,y)}(x : chan(τ, !00), y : chan(τ1, !00), z : chan(τ2, !00))

is x : chan(τ, ?02.!

00), y : chan(τ1, !20), z : chan(τ2, !30)).

Intuitively, the environment x : chan(τ, αtotc

);≺Γ means that x may be firstused for the action α, and then communications can be performed according toΓ . Since the capability of level tc is exercised before fulfilling obligations in Γ ,the level of each obligation in Γ are lifted either to tc or tc +1, depending on ≺.

In rule T-In, the premise means that P performs communications accordingto Γ . Since x?tcy. P tries to exercise a capability of level tc to receive a value onx, the process is well-typed under x : chan(τ, ?0

tc);≺Γ .

Example 2. Let us consider the following process P :

∗f?r. (if b then r!true else (νr′) (f !r′ | r′?x. r!x)).

It is typed as follows.

Γ �∅ r!true Γ �∅ (νr′) · · ·Γ �∅ if b then r!true else · · ·

f : chan(chan(bool, !1∞), ?0∞.!∞0 ), b :bool �∅ f?r. · · ·

f : chan(chan(bool, !1∞), ∗?0∞.!∞0 ), b :bool �∅ P

Here, Γ is f : chan(chan(bool, !1∞), !∞0 ), b :bool, r : chan(bool, !1∞), andΓ �∅ (νr′) · · · is derived by:

Γ1 �{(r′,r)} f !r′ r : chan(bool, !1∞), r′ : chan(bool, ?01) �{(r′,r)} r′?x. r!x

Γ, r′ : chan(bool, !1∞ | ?01) �{(r′,r)} f !r′ | r′?x. r!x

Γ �∅ (νr′) · · ·

Here, Γ1 = f : chan(chan(bool, !1∞), !∞0 ), r′ : chan(bool, !1∞). Note that if r′ ≺ rdid not hold, we could only obtain r : chan(bool, !2∞), r′ : chan(bool, ?0

1) �∅r′?x. r!x, so that f : chan(chan(bool, !1∞), ∗?0

∞.!∞0 ), b :bool �∅ P were notderivable.

3.6 Type Soundness

The following theorems imply that if a process is well-typed in our type system,an input or output process that is annotated with a finite capability level isdeadlock-free, in the sense that if the process is ready (i.e., it appears at thetop-level, without being guarded by any other input or output prefix), the wholeprocess can be reduced further.

We write Γ −→ Γ ′ when Γ = Γ1, x : chan(τ, U) and Γ ′ = Γ1, x : chan(τ, U ′)with U −→ U ′ for some Γ1, x, τ, U , and U ′.

Theorem 1 (type preservation). If Γ �≺ P and P −→ Q, then Γ ′ �≺ Q forsome Γ ′ such that Γ ′ = Γ or Γ −→ Γ ′.

Theorem 2. If ∅ �≺ P and either P (νx̃) (x!nv. Q1 | Q2) orP (νx̃) (x?ny. Q1 | Q2) with n ∈ Nat, then P −→ R for some R.

Corollary 1. Suppose ∅ �≺ P . If P −→∗ Q, and either Q (νx̃) (x!nv. Q1 |Q2) or Q (νx̃) (x?ny. Q1 | Q2) with n ∈ Nat, then Q −→ R for some R.

3.7 Type Inference

Given a closed process P (without any capability annotations on input and out-put processes), there is a complete algorithm to decide whether there exists P ′

such that ∅ �∅ P ′ holds and P and P ′ coincide except for capability annota-tions. Moreover, such an algorithm tries to infer the least capability for eachinput/output process. Since the algorithm is almost the same as that of the pre-vious type system [8], we do not re-describe the algorithm here; The algorithmfirst extract constraints on types, reduce them step by step to obtain constraintsof the form rel(U), and then solve rel(U) by reduction to Petri net reachabilityproblems [8]. The only extra work compared with the previous one is to expandthe relation ≺ when the algorithm encounters the ν-prefix. We have alreadyimplemented the algorithm in TyPiCal [4].

4 Encoding of λ-calculus

To demonstrate the power of the new type system, we show that the call-by-valuesimply-typed λ-calculus with recursion can be encoded into the deadlock-freefragment. Concurrent objects can also be encoded as in our previous paper [5].

Definition 41 The sets of types and terms of λ→,fix are given by the followingsyntax:

θ (types) ::= bool | θ1 → θ2

M (terms) ::= x | fix(f, x, M) | M1M2

Here, fix(f, x, M) represents a recursive function f defined by f(x)�= M . If f

does not appear in M , it is the same as the usual λ-abstraction λx.M .Typing rules are given as follows.

T , x : θ � x : θ(TL-Var)

T , f : θ1 → θ2, x : θ1 � M : θ2

T � fix(f, x, M) : θ1 → θ2

(TL-Fix)

T � M1 : θ1 → θ2 T � M2 : θ1

T � M1M2 : θ2

(TL-App)

We encode terms, types, and type environments into our typed π-calculus asfollows, in a standard manner [5, 11, 13].

[[ x ]]r = r!x[[fix(f, x, M) ]]r = (νy) (r!y | ∗y?(x, r′). [[ M ]]r

′)

[[ M1M2 ]]r = (νr1) (νr2) ([[ M1 ]]r1 | [[ M2 ]]r2 | r1?f. r2?x. f !(x, r))

[[bool ]] = bool[[ θ1 → θ2 ]] = chan( [[ θ1 ]] ×chan( [[ θ2 ]] , !1∞), ∗!∞0 )

[[ x1 : θ1, . . . , xn : θn ]] = x1 : [[ θ1 ]] , . . . , xn : [[ θn ]]

Intuitively, a term M is encoded into [[ M ]]r which evaluates M and sends theresult on channel r. The usage ∗!∞0 in the encoding of function types means thata function can be invoked an arbitrary number of times, and the usage !1∞ meansthat the function will eventually returns a result (or diverge).

It is easy to check that the typing is preserved by encoding.

Lemma 1. If T � M : θ, then [[ T ]] , r : chan( [[ θ ]] , !1∞) �∅ [[ M ]]r .

The following is an immediate corollary of the above lemma, which meansthat a process that simulates functional computation does not get deadlockedbefore returning a result.

Corollary 2. If ∅ � M : θ and [[ M ]]r −→∗ P , then P −→ Q for some Q orP (νx̃) (r!v. Q1 |Q2) for some v, Q1, Q2.

Proof. Suppose ∅ � M : θ and [[ M ]]r −→∗ P . By Lemma 1, r : chan( [[ θ ]] , !1∞) �∅[[ M ]]r . By Theorem 1, we have r : chan( [[ θ ]] , !1∞) �∅ P . Let R = (νr) (P | r?1x.0).Then, ∅ �∅ R. By Theorem 2, we have R −→ R′, which implies either P −→ Qor P (νx̃) (r!v. Q1 |Q2).

5 Extension for Recursive Data Structures

The language discussed so far is the π-calculus extended with pairs. We brieflydiscuss a subtle point that arises when dealing with recursive data structures,using the list data structure as an example.

Let us consider the following process, which waits to receive a list l of chan-nels, and sends true to all the channels in the list.

∗broadcast?l. if null(l) then 0 else(let x = hd(l) in (x!true | broadcast!tl(l)))

Here, hd(l) is the first element of the list l, and tl(l) is the rest.A naive way to handle lists is to introduce list types of the form list(τ), which

describes lists whose elements are of type τ , and the following typing rules:

Γ � e : list(τ)Γ � hd(e) : τ

Γ � e : list(τ)Γ � tl(e) : list(τ)

However, we have to add the condition that ob(τ) = ∞ in both rules (just likewe had to impose the condition ob(τ3−i) = ∞ in the rule for projections), sincehd(e) throws away the elements other than the head, and tl(e) throws away thehead. Thus, we can only assign list(chan(bool, !∞t )) to l in the above example,failing to infer that the server eventually sends messages to all the elements inthe list.

To overcome the problem above, we represent list types as list(τ1, τ2), whereτ1 is the type of the first element, and τ2 is the type of the rest of the elements,and use the following types:

Γ � e : list(τ1, τ2) ob(τ2) = ∞Γ � hd(e) : τ1

Γ � e : list(τ1, τ2) ob(τ1) = ∞Γ � tl(e) : list(τ2, τ2)

With these rules, we can assign list(chan(bool, !1∞), chan(bool, !1∞)) to l inthe example above, so that we can infer that the server eventually sends messagesto all the elements in the list.

The replacement of list(τ) with list(τ1, τ2) corresponds to the unfolding ofthe recursive type µα.(1 + (τ × α)) to 1 + τ × µα.(1 + (τ × α)). As in the caseof lists above, unfolding of recursive types in general seems to be useful to makeour type system for deadlock-freedom more robust.

6 Related Work

As already mentioned in Section 1, earlier type systems that can guaranteedeadlock-freedom [5, 14, 15] required explicit type annotations, having no rea-sonable type inference algorithm. We have later modified the type systems tomake type inference tractable [8, 10], with the sacrifice of some expressive power.

The type system proposed in this paper can be considered a reunion of the earliertype systems [5, 14] and recent ones [8, 10].

Some type systems [6, 8] can guarantee a stronger property that certain com-munications will eventually succeed no matter whether the process diverges.There are also type systems that guarantee the termination of processes [1, 16].Unfortunately, the idea proposed in the present paper does not work for guar-anteeing those stronger properties.

There are some studies of abstract interpretation for the π-calculus [2]. Tothe best of our knowledge, deadlock-freedom analysis has not been studied inthat context. Our type-based analysis relies on a syntactic analysis of the orderin which channels are created. Abstract interpretation [2] might be useful forobtaining more precise information about the order of channel creation.

7 Conclusion

We have proposed a new type system for deadlock-freedom of π-calculus pro-cesses. The new type system admits type inference, while it is strictly moreexpressive than the previous type systems that admit type inference. We havealso extended the type system to handle data structures like pairs and lists.

References

1. Y. Deng and D. Sangiorgi. Ensuring termination by typability. In Proceedings ofIFIP TCS 2004, pages 619–632, 2004.

2. J. Feret. Abstract interpretation of mobile systems. Journal of Logic and AlgebraicProgramming, 63(1), 2005.

3. K. Honda and N. Yoshida. A uniform type structure for secure information flow.In Proc. of POPL, pages 81–92, 2002.

4. N. Kobayashi. TyPiCal: A type-based static analyzer for the pi-calculus. Toolavailable at http://www.kb.ecei.tohoku.ac.jp/~koba/typical/.

5. N. Kobayashi. A partially deadlock-free typed process calculus. ACM Trans. Prog.Lang. Syst., 20(2):436–482, 1998.

6. N. Kobayashi. A type system for lock-free processes. Info. Comput., 177:122–159,2002.

7. N. Kobayashi. Type systems for concurrent programs. In Proceedings of UNU/IIST20th Anniversary Colloquium, volume 2757 of LNCS, pages 439–453. Springer-Verlag, 2003.

8. N. Kobayashi. Type-based information flow analysis for the pi-calculus. ActaInformatica, 42(4-5):291–347, 2005.

9. N. Kobayashi, B. C. Pierce, and D. N. Turner. Linearity and the pi-calculus. ACMTrans. Prog. Lang. Syst., 21(5):914–947, 1999.

10. N. Kobayashi, S. Saito, and E. Sumii. An implicitly-typed deadlock-free processcalculus. Technical Report TR00-01, Dept. Info. Sci., Univ. of Tokyo, January 2000.A summary has appeared in Proceedings of CONCUR 2000, Springer LNCS1877,pp.489-503, 2000.

11. R. Milner. Function as processes. In Automata, Language and Programming,volume 443 of LNCS, pages 167–180. Springer-Verlag, 1990.

12. R. Milner. The polyadic π-calculus: a tutorial. In F. L. Bauer, W. Brauer, andH. Schwichtenberg, editors, Logic and Algebra of Specification. Springer-Verlag,1993.

13. B. Pierce and D. Sangiorgi. Typing and subtyping for mobile processes. In Proc.of LICS, pages 376–385, 1993.

14. E. Sumii and N. Kobayashi. A generalized deadlock-free process calculus. InProc. of Workshop on High-Level Concurrent Language (HLCL’98), volume 16(3)of ENTCS, pages 55–77, 1998.

15. N. Yoshida. Graph types for monadic mobile processes. In FST/TCS’16, volume1180 of LNCS, pages 371–387. Springer-Verlag, 1996.

16. N. Yoshida, M. Berger, and K. Honda. Strong normalisation in the pi-calculus.Info. Comput., 191(2):145–202, 2004.

A Reduction semantics of processes

Definition A1 The evaluation relation e ⇓ v is the least relation closed underthe following rules:

x ⇓ x

b ∈ {true, false}b ⇓ b

e1 ⇓ v1 e2 ⇓ v2

〈e1, e2〉 ⇓ 〈v1, v2〉

e ⇓ 〈v1, v2〉 i ∈ {1, 2}proji(e) ⇓ vi

Definition A2 The structural preorder is the least reflexive and transitiverelation closed under the following rules (P ≡ Q denotes (P Q)∧ (Q P )):

P ≡ P |0 (S-Zero)

P |Q ≡ Q |P (S-Commut)

P | (Q |R) ≡ (P |Q) |R (S-Assoc)

(νx) P |Q ≡ (νx) (P |Q) (if x is not free in Q) (S-New)

if true then P else Q P (S-IfT)

if false then P else Q Q (S-IfF)

e ⇓ v

let x = e in P [x �→ v]P(S-Let)

∗P ∗P |P (S-Rep)

P P ′

P |Q P ′ |Q(S-Par)

P Q

(νx) P (νx) Q(S-CNew)

Definition A3 The reduction relation −→ is the least relation closed under thefollowing rules:

x!v. P |x?y. Q −→ P | [y �→ v]Q (R-Com)

P −→ Q

P |R −→ Q |R(R-Par)

P −→ Q

(νx) P −→ (νx) Q(R-New)

P P ′ P ′ −→ Q′ Q′ Q

P −→ Q(R-SP)

B Usage Reduction Semantics

Definition B1 is the least reflexive and transitive relation on usages satisfy-ing the following rules:

U1 |U2 U2 |U1

(U1 |U2) |U3 U1 | (U2 |U3)

U1 U ′1 U2 U ′

2

U1 |U2 U ′1 |U ′

2

∗U ∗U |U

↑tαt1t2 .U α

max(t1,t)t2 .U

↑t(U1 |U2) (↑tU1) | (↑tU2)

U1 & U2 Ui (i ∈ {1, 2})

µρ.U [ρ �→ µρ.U ]U

U U ′

↑tU ↑tU ′

Definition B2 (usage reduction) The binary relation −→ on usages is theleast relation closed under the following rules:

?totc

.U1 | !t′o

t′c.U2 −→ U1 |U2

U1 −→ U ′1

U1 |U2 −→ U ′1 |U2

U1 U ′1 U ′

1 −→ U ′2 U ′

2 U2

U1 −→ U2

C Proofs of Main Lemmas and Theorems

C.1 Proof of Theorem 1

The proof of the type preservation theorem is almost the same as that for theprevious type systems [6, 8].

We first note that the properties of the subusage relation in the previouswork [8] still hold for the subusage relation in the present paper, since they areessentially the same except that some usage constructor (↑) has been omittedin the present paper. In particular, the following law on the subusage relationplays an important role.

Lemma 2. α0n.U1 | ↑t+1U2 ≤ α0

n.(U1 |U2).

We prepare the substitution lemma. A little care is required for the conditionon ≺.

Lemma 3 (substitution). If Γ1, x : τ �≺ P and Γ2 � v : τ with ({x}×Vars)∩ ≺=(Vars× {x})∩ ≺= ∅, then Γ1 |Γ2 �≺ P .

Proof. The proof proceeds by induction on derivation of Γ1, x : τ �≺ P , withcase analysis on the last rule used. We do not describe the detail since the proofis boring and almost identical to the proof of the corresponding theorem. Weonly mention the case for T-In, where the condition on ≺ is crucial. SupposeΓ1, x : τ �≺ y?z. P1. There are two cases to consider: the case x = y and the casex �= y. We discuss only the first case, since the second case is simpler.

– Case x = y: In this case, we have:

Γ3, z : τ1 �≺ P1

Γ1, x : τ ≤ x : chan(τ1, ?0t );≺Γ3

We can assume without loss of generality that Γ3 = Γ ′3, v : chan(τ1, Uv), x : chan(τ1, Ux)

for some Ux, Uv, and Γ ′3. So, we have

Γ1, x : τ ≤ x : chan(τ1, ?0t );≺Γ3 = ↑t+1Γ ′

3, x : chan(τ1, ?0t .Ux), v : chan(τ1, ↑t+1Uv).

This implies

Γ1 | v : τ ≤ ↑t+1Γ ′3, v : chan(τ1, ↑t+1Uv | ?0

t .Ux)

Note that the equality comes from the condition that x(= y) is not relatedby ≺. (This is the very place where we need the condition on ≺.)By the assumption Γ2 � v : τ , it must be the case that v is a variable. So, byapplying the induction hypothesis to Γ ′

3, x : chan(τ1, Ux), v : chan(τ1, Uv), z : τ1 �≺P1, we obtain: (Γ ′

3, v : chan(τ1, Ux |Uv)), z : τ1 �≺ [x �→ v]P1. From this, weobtain

v : chan(τ1, ?0t );≺(Γ ′

3 | v : chan(τ1, Ux |Uv)) �≺ v?z. [x �→ v]P1.

By applying T-Weak, we further obtain

↑t+1Γ ′3, v : chan(τ1, ?0

t .(Ux |Uv) �≺ v?z. [x �→ v]P1.

By using Lemma 2 and T-Weak, we get:

↑t+1Γ ′3, v : chan(τ1, ↑t+1Uv | ?0

t .U) �≺ v?z. [x �→ v]P1.

Using the fact Γ1 | v : τ ≤ ↑t+1Γ ′3, v : chan(τ1, ↑t+1Uv | ?0

t .Ux), we can furtherapply T-Weak to obtain

Γ1 | v : τ �≺ v?z. [x �→ v]P1.

Since Γ2 ≤ v : τ , we finally obtain

Γ1 |Γ2 �≺ [x �→ v](x?z. P1).

– Case x �= y: In this case, we have:

Γ3, x : τ ′, z : σ �≺ P1

Γ1, x : τ ≤ y : chan(σ, ?0n);≺(Γ3, x : τ ′)

From the second condition, it must be the case that τ ≤ ↑n+1τ ′. Withτ ≤ ↑n+1τ ′ and Γ2 � v : τ , we can easily show (by induction on derivation ofΓ2 � v : τ) that there exists Γ ′

2 such that Γ ′2 � v : τ ′ and Γ2 ≤ ↑n+1Γ ′

2. So,by applying the induction hypothesis to Γ3, x : τ ′, z : σ �≺ P1, we get

Γ ′2 |Γ3, z : σ �≺ [x �→ v]P1.

By applying T-In, we obtain

y : chan(σ, ?0n);≺(Γ ′

2 |Γ3) �≺ y?z. [x �→ v]P1.

By Lemma 2 and Γ1, x : τ ≤ y : chan(σ, ?0n);≺(Γ3, x : τ ′), we have

Γ1 |Γ2 ≤ (y : chan(σ, ?0n);≺Γ3) |Γ2

≤ y : chan(σ, ?0n);≺(Γ ′

2 |Γ3)

Therefore, by applying T-Weak, we obtain

Γ1 |Γ2 �≺ y?z. [x �→ v]P1

as required.

The next lemma says that typing is preserved by the structural relation.

Lemma 4. If Γ �≺ P and P Q, then Γ �≺ Q.

Proof. Straightforward induction on derivation of P Q.

Lemma 5. If Γ ≤ Γ ′ −→ ∆′, then there exists ∆ such that Γ −→ ∆ and∆ ≤ ∆′.

Proof. This follows immediately from the definition of Γ −→ ∆ and the subusagerelation U −→ U ′.

Once we have prepared the above lemmas, we can prove the type preservationin a standard manner.

Proof of Theorem 1 The proof proceeds by induction on derivation of P −→ Q,with case analysis on the last rule used. We show only the case for R-Com,which is the only non-trivial case. Suppose Γ �≺ x!t1v. P1 |x?t2y. P2. Then, bythe typing rules, we must have:

Γ1 �≺ P1

Γ2 � v : τΓ3, y : τ �≺ P2

Γ ≤ (x : chan(τ, !0t1);≺(Γ1 |Γ2)) | (x : chan(τ, ?0t1);≺Γ3)

By the assumption on bound variables, we can assume without loss of gen-erality that y does not appear in ≺. Therefore, by applying the substitutionlemma (Lemma 3), we obtain Γ2 |Γ3 �≺ [y �→ v]P2. So, we obtain Γ1 |Γ2 |Γ3 �≺P1 | [x �→ v]P2. Since

Γ ≤ (x : chan(τ, !0t1);≺(Γ1 |Γ2)) | (x : chan(τ, ?0t1);≺Γ3) −→≤ Γ1 |Γ2 |Γ3

holds, by using Lemma 5, we obtain ∆ such that Γ −→ ∆ and ∆ ≤ Γ1 |Γ2 |Γ3.Thus, by using T-Weak, we get ∆ �≺ P1 | [x �→ v]P2 as required. �

C.2 Proof of Theorem 2

We need some preliminary definitions and lemmas.We first introduce the notion of normal forms.

Definition C1 A process N is in normal form if all the if-expressions and let-expressions are guarded by input or output prefixes, i.e., if it is generated by thefollowing syntax.

N ::= 0 | x!tv. P | x?ty. P | (N1 |N2) | ∗N | (νx) N

Here, P ranges over the set of (arbitrary) processes.

Definition C2 The extended structural relation ′ is the least relation closedunder the rules for (with being replaced by ′), plus the following rule.

P ′ Q

∗P ′ ∗Q

The following lemma means that the replacement of with ′ does not change(one-step) reducibility of a process.

Lemma 6. If P ′ P ′ −→ Q′, then there exists Q such that P −→ Q.

The following lemma means that a closed, well-typed process can be alwaysconverted to a process in normal form.

Lemma 7. If ∅ �≺ P , then there exists a normal form process N such thatP ′ N , and ∅ �≺ N holds.

In the proof of Theorem 2, we need to identify certain bound variables.Since α-conversion can be implicitly performed in type derivation, however, weneed to introduce a unique identifier of a bound variable. Index(x, P ) definedbelow serves as such a unique identifier. In the definition below, α-conversion isforbidden.

Definition C3 The index of x in P , Index(x, P ) is defined by:

Index(x, (νx) P ) = εIndex(x, (νy) P ) = 0.Index(x, P )

Index(x, P1 |P2) =

1.Index(x, P1) if (νx) appears in P1

2.Index(x, P2) if (νx) appears in P2

undefined otherwiseIndex(x, ∗P ) = Index(x, P )

If (νx) does not appear in P or is guarded by input or output prefixes, Index(x, P )is undefined.

We are now ready to prove the main theorem.

Proof of Theorem 2 Suppose that ∅ �≺ P and either P ′ Q = (νx̃) (x!nv. Q1 |Q2) or P ′ Q = (νx̃) (x?ny. Q1 | Q2) with n ∈ Nat. Since P is closed, we canassume without loss of generality that ≺= ∅. We can also assume without lossof generality that Q is in normal form. For a sub-process N in normal form, wedefine the set WaitingQ(N) inductively as follows.

WaitingQ(0) = ∅WaitingQ(x!mv. R) = {(n, Index(x, Q), x!mv. R)}WaitingQ(x?my. R) = {(n, Index(x, Q), x?my. R)}WaitingQ(N1 |N2) = WaitingQ(N1) ∪ WaitingQ(N2)WaitingQ(∗N) = WaitingQ(N)WaitingQ((νx) N) = WaitingQ(N)

Let (m, π, N) be a minimum element of WaitingQ(Q) with respect to the follow-ing order <:

(m, π, N) < (m′, π′, N ′) ⇐⇒ m < m′ or (m = m′ and π′ is a prefix of π)

Note that m is finite (i.e., m ∈ Nat), since Q is (νx̃) (x!nv. Q1 | Q2) or (νx̃) (x?ny. Q1 |Q2) with n ∈ Nat.

Assume that N is of the form x!mv. R. (The case where N is x?my. P issimilar.) By the assumptions, Q contains a process of the form (νx) Q1, andQ1 contains N as a sub-expression. Since ∅ �∅ Q, we have Γ, x : chan(τ, U) �≺′

Q1, where rel(U). Moreover, x1 ≺′ x2 holds only if Index(x2, Q) is a prefix ofIndex(x1, Q). Since N is unguarded by any input or output prefix in Q1, it mustbe the case that cap!(U) ≤ m. Therefore, since rel(U), it must be the case thatob?(U) ≤ cap!(U) ≤ m. That implies Q1 must contain an input or output processthat is typed under a context of the form Γ ′, x : chan(τ, U1), where ob?(U1) ≤ m.

Moreover, since (m, π, N) is the minimum element of WaitingQ(Q), such an inputor output process must be of the form x?ty. R. (Notice that if the outermost inputor output prefix were on another channel w, the capability annotation of theguard must have been either smaller than m, or equal to m and Index(x, Q) mustbe a prefix of Index(w, Q). That contradicts with the assumption that (m, π, N)is the minimum element.) Thus, Q1 −→ Q′

1, which implies P ′ Q −→ Q′. ByLemma 6, we have P −→ P ′ for some P ′ as required. �

C.3 Proof of Lemma 1

Lemma 8. If Γ �≺′ P and ≺′⊆≺, then Γ �≺ P .

Proof. Straightforward induction on derivation of Γ �≺′ P .

Proof of Lemma 1 The proof proceeds by induction on derivation of T � M : θ,with case analysis on the last rule used.

– Case TL-Var: In this case, M = x and T = T ′, x : θ. Using rule T-Out andT-Zero, we get

x : ↑∞ [[ θ ]] , r : chan( [[ θ ]] , !0∞) �∅ r!x

By using T-Weak, we obtain

[[ T ]] , r : chan( [[ θ ]] , !1∞) �∅ r!x

as required.– Case TL-Fix: In this case, M = fix(f, x, M1) and θ = θ1 → θ2, with

T , f : θ1 → θ2, x : θ1 � M1 : θ2.

By the induction hypothesis, we have

[[ T ]] , f : chan( [[ θ1 ]] ×chan( [[ θ2 ]] , !1∞), ∗!∞0 ), x : [[ θ1 ]] , r′ : chan( [[ θ2 ]] , !1∞) �∅ [[ M1 ]]r′.

Using T-In, T-Let and T-Rep, we obtain:

∗↑∞ [[ T ]] , f : chan( [[ θ1 ]] ×chan( [[ θ2 ]] , !1∞), ∗?0∞.∗!∞0 ) �∅ ∗f?x, r′. [[ M1 ]]r

′.

Since [[ T ]] ≤ ∗↑∞ [[ T ]] , we obtain

[[ T ]] , f : chan( [[ θ1 ]] ×chan( [[ θ2 ]] , !1∞), ∗?0∞.∗!∞0 ) �∅ ∗f?x, r′. [[ M1 ]]r

′

by using T-Weak. Using T-Out, T-Zero, we also obtain

f : ↑∞ [[ θ1 → θ2 ]] , r : chan( [[ θ1 → θ2 ]] , !1∞) �∅ r!f.

So, we get

[[ T ]] , f : chan( [[ θ1 ]] ×chan( [[ θ2 ]] , !1∞), ∗!∞0 | ∗?0∞.∗!∞0 ), r : chan( [[ θ1 → θ2 ]] , !1∞)

�∅ r!f | ∗f?x, r′. [[ M1 ]]r′

Since rel(∗!∞0 | ∗?0∞.∗!∞0 ) holds, we can apply T-New to obtain

[[ T ]] , r : chan( [[ θ1 → θ2 ]] , !1∞) �∅ [[fix(f, x, M1) ]]r

as required.– Case T-App: In this case, M = M1M2 with: T � M1 : θ1 → θ and T � M2 :

θ1. By the induction hypothesis, we have:

[[ T ]] , r1 : chan( [[ θ1 → θ ]] , !1∞) �∅ [[ M1 ]]r1

[[ T ]] , r2 : chan( [[ θ1 ]] , !1∞) �∅ [[ M2 ]]r2

Let ≺= {(r1, x) | x ∈ {r}∪FV (M)}∪{(r2, x) | x ∈ {r, r1}∪FV (M)}. Then,by using T-Out, T-Zero, and T-Weak, we get

f : [[ θ1 → θ ]] , x : [[ θ1 ]] , r : chan( [[ θ ]] , !1∞) �≺ f !(x, r).

By using T-In, we get

r2 : chan( [[ θ1 ]] , ?∞1 );≺(f : [[ θ1 → θ ]] , r : chan( [[ θ ]] , !1∞)) �≺ r2?∗1[x]. f !(x, r).

That is,

r2 : chan( [[ θ1 ]] , ?∞1 ), f : [[ θ1 → θ ]] , r : ↑1chan( [[ θ ]] , !1∞)) �≺ r2?∗1[x]. f !(x, r).

(Note that this is the very place where the relation r2 ≺ r is important. Byusing T-Weak, we obtain

r2 : chan( [[ θ1 ]] , ?∞1 ), f : [[ θ1 → θ ]] , r : chan( [[ θ ]] , !1∞)) �≺ r2?∗1[x]. f !(x, r).

By applying T-In and T-Weak again, we further obtain:

r2 : chan( [[ θ1 ]] , ?∞1 ), r1 : chan( [[ θ1 → θ ]] , ?∞1 ), r : chan( [[ θ ]] , !1∞)) �≺ r1?∗1[f ]. r2?∗1[x]. f !(x, r).

So, we obtain

[[ T ]] , r1 : chan( [[ θ1 → θ ]] , ?∞1 | !1∞), r2 : chan( [[ θ1 ]] , ?∞1 | !1∞), r : chan( [[ θ ]] , !1∞))�≺ [[ M1 ]]r1 | [[ M2 ]]r2 | r1?∗1[f ]. r2?∗1[x]. f !(x, r).

Since rel(?∞1 | !1∞) holds, by applying T-New twice, we obtain:

[[ T ]] , r : chan( [[ θ ]] , !1∞)) �≺ [[ M ]]r

as required.

�

A New Type System for Deadlock-Free Processeskoba/papers/concur2006-full.pdfA New Type System for...

Documents

Transcript of A New Type System for Deadlock-Free Processeskoba/papers/concur2006-full.pdfA New Type System for...