On Asynchronous Session Semantics · 1 Introduction Modern transports such as TCP in distributed...

On Asynchronous Session Semantics

Dimitrios Kouzapas∗, Nobuko Yoshida∗, Raymond Hu∗, and Kohei Honda†

∗Imperial College London †Queen Mary, University of London

Abstract. This paper studies a behavioural theory of the π-calculus with sessiontypes under the fundamental principles of the practice of distributed computing— asynchronous communication which is order-preserving inside each connec-tion (session), augmented with asynchronous inspection of events (message ar-rivals). A new theory of bisimulations is introduced, distinct from either standardasynchronous or synchronous bisimilarity, accurately capturing the semantic natureof session-based asynchronously communicating processes augmented with eventprimitives. The bisimilarity coincides with the reduction-closed barbed congruence.We examine its properties and compare them with existing semantics. Using the be-havioural theory, we verify that the program transformation of multithreaded intoevent-driven session based processes, using Lauer-Needham duality, is type and se-mantic preserving. Our benchmark results demonstrate the potential of the session-type based translation as semantically transparent optimisation techniques.

1 IntroductionModern transports such as TCP in distributed networks provide reliable, ordered deliv-ery of a stream of bytes from a program on one computer to another, once a connectionis established. In practical communications programming, two parties start a conver-sation by establishing a connection over such a transport and exchange semanticallymeaningful, formatted messages through this connection. The distinction between pos-sibly non order-preserving communications outside of connection and order-preservingones inside each connection is an essential feature of this practice: order preservation al-lows proper handling of a sequence of messages following an agreed-upon conversationstructure. Further, to enable asynchronous event processing [23], each arriving messageneeds to be buffered at the receiver’s end, which the receiver can asynchronously inspect(event inspection) and consume.

A buffer in the π-calculus serves as an intermediary between a process and itsenvironment. Operational semantics for buffers distill this nature, representing order-preserving, non-blocking communication for sessions; and non order-preserving, nonblocking communication for shared names, for both input and output.

This paper investigates semantic foundations of asynchronously communicatingprocesses, capturing these key elements of modern communications programming —distinction between non order-preserving communications outside connections and theorder-preserving ones inside each connection, as well as the incorporation of asyn-chronous inspection of message arrivals. We use the π-calculus augmented with ses-sion primitives and a simple event inspection primitive. Sessions offer typed, formallyfounded abstraction of connections, enabling well-structured description of messagepassing. The formalism is intended to be a small idealised but expressive communi-cations programming language, offering a basis for a tractable semantic study. Our

study reveals that the combination of the fundamental elements for modern commu-nications programming leads to a rich behavioural theory which differs from both thestandard synchronous communications semantics and the asynchronous one [10], man-ifest through its novel equational laws for asynchrony. These laws can then be usedas a semantic justification of a well-known program transformation based on Lauerand Needham’s duality principle [18], which translates multithreaded programs to theirequivalent single-threaded, event-based programs. This transformation is regularly usedin practice, albeit in an ad-hoc manner, playing a key role in e.g. high-performanceservers. Our translation is given formally and is backed up by a rigorous semantic jus-tification. It is applied to eventful Session Java [15, 16], a session-typed extension ofJava with asynchronous event primitives, using which we demonstrate the practical ef-fectiveness of our formal transformation through benchmark results.

Let us outline some of the key technical ideas informally. In the present theory,the asynchronous order-preserving communications over a connection are modelled asasynchronous session communication, extending the standard synchronous session cal-culus [11, 31] with message queues [6, 7, 14]. A message queue is written s [i :~h,o :~h′],which encapsulates both input buffer (i) with elements~h and output buffer (o) with~h′.Figure 1 represents the two end points of a session. A message v is first enqueued bya sender s!〈v〉;P at its output queue at s, which intuitively represents a communicationpipe extending from the sender’s locality to the receiver’s. The message will eventuallyreach the receiver’s locality, formalised as its transfer from the sender’s output buffer(at s) to the receiver’s input buffer (at s). For a receiver, only when this transfer takesplace a visible (and asynchronous) message reception takes place, since only then thereceiver can inspect and consume the message (as shown in Remote in Figure 1). Notethat dequeuing and enqueing actions inside a location are local to each process and istherefore invisible (τ-actions) (Local in Figure 1).

Local (the dashed arrows)s!〈v〉;Q | s [o :~h] τ−→ Q | s [o :~h·v]

s?(x).P | s [i :w·~h] τ−→ P{w/x} | s [i :~h]Remote (the solid arrows)

s [i :~h]s?〈v〉−→ s [i :~h·v] s [o :v·~h] s!〈v〉−→ s [o :~h]

Fig. 1. The transitions in the two locations.

The induced semantics captures the nature of asynchronous observables not investigatedbefore. For example, in weak asynchronous bisimilarity (≈a in [10, 12]), the messageorder is not observable (s!〈v1〉 | s!〈v2〉 ≈a s!〈v2〉 | s!〈v1〉) but in our semantics, messagesfor the same destination do not commute (s!〈v1〉;s!〈v2〉 6≈ s!〈v2〉;s!〈v1〉) as in the syn-chronous semantics [26] (≈s in [10, 12]); whereas two inputs for different targets com-mute (s1?(x);s2?(y);P ≈ s2?(x);s1?(y);P) since the dequeue action is un-observable,differing from the synchronous semantics, s1?(x);s2?(y);P 6≈s s2?(x);s1?(y);P.

Event-handling primitives [15] lead to further novel equational laws. Asynchronousevent-programming is characterised by reactive flows driven by the detection of events,that is message arrivals at local buffers. In our formalism, this facility is distilled as asimple arrived predicate: for example, Q = if arrived s then P1 else P2 reducesto P1 if the s input buffer contains one or more message; otherwise Q reduces to P2.By arrived, we can observe the movement of messages between two locations. For

2

(Identifiers) u ::= a,b | x,y k ::= s,s | x,y n ::= a,b | s,s (Values) v ::= tt,ff | a,b | s,s(Expressions) e ::= v | x,y,z | arrived u | arrived k | arrived k h

(Processes) P,Q ::= u(x).P | u(x);P | k!〈e〉;P | k?(x).P | k / l;P | k .{li :Pi}i∈I

| if e then P else Q | (ν a)P | P | Q | 0 | µX .P | X| a [~s] | a〈s〉 | (ν s)P | s [i :~h,o :~h′] (Messages) h ::= v | l

Fig. 2. The syntax of processes.

example, Q | s[i : /0] | s[o : v] is not equivalent with Q | s[i : v] | s[o : /0] because theformer can reduce to P2 (since v has not arrived at the local buffer at s yet) while thelatter cannot. To capture arrived, we need the IO-buffers at each session, with whichone has, for example, s1!〈v1〉;s2!〈v2〉 ≈ s2!〈v2〉;s1!〈v1〉 in the presence of the arrived(we cannot observe the remote process performing the output), while one would haves1!〈v1〉;s2!〈v2〉 6≈ s2!〈v2〉;s1!〈v1〉 with the arrived, if we were without local queues.

This way, our asynchronous session semantics captures asynchrony, locality, eventinspection and orders of actions at session channels, all being major elements of practi-cal communications programming. The induced event- and location-aware asynchronousbehavioural equivalence is essential for validating a well-known, effective but hithertounjustified program transformation.Contributions Section 3 defines a bisimulation for the asynchronous eventful ses-sion calculus, examines its properties against the standard bisimulations and provesthat it coincides with the barbed reduction-based congruence [12]. Section 4 providesthe semantics-preserving Lauer-Needham transformation of multithreaded into event-driven processes and proves its correctness. Section 5 discusses the performance withextensive benchmarks for justifying the transformation in Session-based Java imple-mentation [15]. The paper concludes with the related work with the detailed compar-isons with the existing semantics. Appendix lists the full definition of Lauer-Needhamtransformation, the detailed definitions and full proofs. The benchmark programs andresults are found in [29]. Appendix and [29] are provided only for the reviewers’ con-venience: the paper is self-contained and can be read without them.

2 Asynchronous Network Communications in Sessions2.1 SyntaxWe use a sub-calculus of the eventful session π-calculus [15]. In Figure 2, values v,v′, ...include the constants, shared channels a,b,c, and session channels s,s′. A session chan-nel designates one endpoint of a session, where s and s denote two ends of a singlesession, with s = s. Labels for branching and selection range over l, l′, ..., variablesover x,y,z, and process variables over X ,Y,Z. Shared channel identifiers u,u′ includeshared channels and variables; session identifiers k,k′ are session endpoints and vari-ables. Identifies n denotes either a or s. Expressions e are values, variables and the mes-sage arrival predicates (arrived u, arrived k and arrived k h: the last one checksfor the arrival of the specific message h at k). We write ~s and~h for vectors of sessionchannels and messages respectively, writing ε for the empty vector.

We distinguish two kinds of asynchronous communications, asynchronous sessioninitiation and asynchronous session communication (over an established session). The

3

[Request1]

[Request2]

[Accept]

[Send,Recv]

[Sel,Bra]

[Comm]

[Areq]

[Ases]

[Amsg]

a(x);P −→ (ν s)(P{s/x} | s [i :ε,o :ε] | a〈s〉) (s /∈ fn(P))a [~s] | a〈s〉 −→ a [~s·s]

a(x).P | a [s·~s] −→ P{s/x} | s [i :ε,o :ε] | a [~s]s!〈v〉;P | s [o :~h] −→ P | s [o :~h·v] s?(x).P | s [i :v·~h] −→ P{v/x} | s [i :~h]s/ li;P | s [o :~h] −→ P | s [o :~h·li] s.{l j :Pj} j∈J | s [i : li ·~h] −→ Pi | s [i :~h] (i ∈ J)

s [o :v·~h] | s [i :~h′] −→ s [o :~h] | s [i :~h′·v]E[arrived a] | a [~s] −→ E[b] | a [~s] (|~s| ≥ 1)↘ b

E[arrived s] | s [i :~h] −→ E[b] | s [i :~h] (|~h| ≥ 1)↘ b

E[arrived s h] | s [i :~h] −→ E[b] | s [i :~h] (~h = h·~h′)↘ b

Fig. 3. Selected reduction rules.

former involves the unordered delivery of a session request message a〈s〉, where a〈s〉represents an asynchronous message in transit towards an acceptor at a, carrying a freshsession channel s. As in actual network, a request message will first move through thenetwork and eventually get buffered at a receiver’s end. Only then a message arrivalcan be detected. This aspect is formalised by the introduction of a shared channel inputqueue a [~s], often called shared input queue for brevity, which denotes an acceptor’slocal buffer at a with pending session requests for~s. The intuitive meaning of the end-point configuration s [i :~h,o :~h′] is explained in Introduction.

Requester u(x);P requests a session initiation, while acceptor u(x).P accepts one.Through an established session, output k!〈e〉;P sends e through channel k asynchronously,input k?(x).P receives through k, selection k / l;P chooses the branch with label l, andbranching k . {li : Pi}i∈I offers branches. The (ν a)P binds a channel a, while (ν s)Pbinds the two endpoints, s and s, making them private within P. The conditional, par-allel composition, recursions and inaction are standard. 0 is often omitted. For brevity,one or more components may be omitted from a configuration when they are irrelevant,writing e.g. s [i :~h] which denotes the input part of s [i :~h,o :~h′]. The notions of freevariables and channels are standard [27]; we write fn(P) for the set of free channels inP. The syntax a〈s〉, (ν s)P and s [i :~h,o :~h′] only appear at runtime. A closed processwithout runtime syntax is called program.

2.2 Operational SemanticsReduction is defined over closed terms. The key rules are given in Figure 3. We use thestandard evaluation contexts E[ ] defined as E ::= − | s!〈E〉;P | if E then P else Q.The structural congruence ≡ and the rest of the reduction rules are standard.

The first three rules define the initialisation. In [Request1], a client requests a serverfor a fresh session via shared channel a. A fresh session channel, with two ends s(server-side) and s (client-side) as well as the empty configuration at the client side,are generated and the session request message a〈s〉 is dispatched. Rule [Request2] en-queues the request in the shared input queue at a. A server accepts a session requestfrom the queue using [Accept], instantiating its variable with s in the request message;the new session is now established.

Asynchronous order-preserving session communications are modelled by the nextfour rules. Rule [Send] enqueues a value in the o-buffer at the local configuration; rule[Receive] dequeues the first value from the i-buffer at the local configuration; rules [Sel]

4

and [Bra] similarly enqueue and dequeue a label. The arrival of a message at a remotesite is embodied by [Comm], which removes the first message from the o-buffer of thesender configuration and enqueues it in the i-buffer at the receiving configuration. Notethe first four rules manipulate only the local configurations.

Output actions are always non-blocking. An input action can block if no messageis available at the corresponding local input buffer. The use of the message arrivalscan avoid this blocking: [Areq] evaluates arrived a to tt iff the queue is non-empty;similarly for arrived k in [Areq]. [Amsg] evaluates arrived s h to tt iff the buffer isnonempty and its next message matches h. The notation e↘ b means e evaluates to b.We write→→= (−→∪≡)∗ (see Appendix A for detailed illustration).

2.3 Types and Typing

The type syntax follows the standard session types from [11].(Shared) U ::= bool | i〈S〉 | o〈S〉 | X | µ X.U (Value) T ::= U | S(Session) S ::= !(T );S | ?(T );S | ⊕{li : Si}i∈I | &{li : Si}i∈I | µ X.S | X | end

The shared types U include booleans bool (and, in examples, naturals nat); shared chan-nel types i〈S〉 (input) and o〈S〉 (output) for shared channels through which a sessionof type S is established; type variables (X,Y,Z, ..); and recursive types. The IO-types(often called server/client types) ensure a unique server and many clients [4, 13]. In thepresent work they are used for controlling locality (queues are placed only at the serversides) and associated typed transitions, playing a central role in our behavioural theorytogether with session types.

In session types, output type !(T );S represents outputting values of type T , thenperforming as S. Dually for input type ?(T );S. Selection type ⊕{li : Si}i∈I describes aselection of one of the labels say li then behaves as Ti. Branching type &{li : Si}i∈I waitswith I options, and behaves as type Ti if i-th label is chosen. End type end representsthe session completion and is often omitted. In recursive type µ X.S, type variables areguarded in the standard sense.

The typing judgement from [15] uses two environments:

Γ ::= /0 | Γ ·u :U | Γ ·X :~T ∆ ::= /0 | ∆ ·a | ∆ ·k :S | ∆ ·s :(S, [S′,i :~T ,o :~T ′])

Γ is called shared environment, which maps shared channels and process variables to,respectively, constant types and value types; ∆ is called linear environment mappingsession channels to session types and recording shared channels for acceptor’s inputqueues. The configuration element [S,i :~T ,o :~T ′] records the active type S of the con-figuration and types of messages enqueued in the buffers where, in this case only, weextend T with labels (T ::= U | S | l). The initial S in (S, [S′,i :~T ,o :~T ′]) denotes thesession type of a process. Now the typing judgement for a process is given as:

Γ ` P.∆

where program P, under shared environment Γ , uses channels as linear environment ∆ ,where we stipulate that, if a is in ∆ , Γ (a) should be an input shared type. The typingsystem is identical with [15], thus we leave them to Appendix B. The key properties oftyped processes stated in [15] are:

5

– (queues under hiding) The hiding of a shared (resp. session) channel is only possi-ble when a queue (resp. a pair of queues) at that channel is present.

– (subject reduction) if Γ ` P.∆ and P−→ Q then we have Γ ` P.∆ ′ for some ∆ ′

(where such ∆ ′ may not be uniquely determined by Γ and ∆ ).

In the following we study semantic properties of typed processes: however these devel-opments can be understood without knowing the details of the typing rules.1

〈Acc〉 a[~s]a〈s〉−→ a[~s·s] 〈Req〉 a〈s〉 a〈s〉−→ 0 〈In〉 s [i :~h]

s?〈v〉−→ s [i :~h·v]

〈Out〉 s [o :v·~h] s!〈v〉−→ s [o :~h] 〈Bra〉 s [i :~h] s&l−→ s [i :~h·l] 〈Sel〉 s [o : l·~h] s⊕l−→ s [o :h]

〈Local〉P −→ Q

P τ−→ Q〈Par〉P

`−→ P′ bn(`)∩ fn(Q) = /0

P|Q `−→ P′|Q〈Tau〉 P `−→ P′ Q `′−→ Q′ `� `′

P|Q τ−→ (ν bn(`,`′))(P′|Q′)

〈Res〉 P `−→ P′ n 6∈ fn(`)

(ν n)P `−→ (ν n)P′〈OpenS〉 P

a〈s〉−→ P′

(ν s)Pa(s)−→ P′

〈OpenN〉 Ps〈a〉−→ P′

(ν a)Ps(a)−→ P′

〈Alpha〉P≡α P′ P′ `−→ Q

P `−→ Q

Fig. 4. Labelled transition system (we omit the symmetric rule of Par).

3 Asynchronous Session Bisimulations and its Properties3.1 Labelled Transitions and BisimilarityUntyped and Typed LTS. This section studies the basic properties of behaviouralequivalences. We use the following labels (`,`′, ...):

` ::= a〈s〉 | a〈s〉 | a(s) | s?〈v〉 | s!〈v〉 | s!(a) | s&l | s⊕ l | τ

where the labels denote the session accept, request and bound request, input, output,bound output, branching, selection and the τ-action. We have the labels for both sharedand session channels. sbj(`) denotes the set of free subjects in `; and fn(`) (resp. bn(`))denotes the set of free (resp. bound) names in `. The symmetric operator ` � `′ onlabels that denotes that ` is a dual of `′, is defined as: a〈s〉 � a〈s〉, a〈s〉 � a(s), s?〈v〉 �s!〈v〉, s?〈a〉 � s!(a), and s&l � s⊕ l.

Figure 4 gives the untyped labelled transition system (LTS). 〈Acc〉/〈Req〉 are for thesession initialisation. The next four rules 〈In〉/〈Out〉/〈Bra〉/〈Sel〉 say the action is observ-able when it moves from its local queue to its remote queue. When the process accessesits local queue, the action is invisible from the outside, as formalised by 〈Local〉. Othercompositional rules are standard. Based on the LTS, we use the standard notations [24]

such as P `=⇒ Q, P

~=⇒ Q and P

ˆ=⇒ Q.

We define the typed LTS on the basis of the untyped one. The basic idea is touse the type information to control the enabling of actions. This is realised by intro-ducing the definition of the environment transition, defined in Figure 5. A transition

1 This is because the properties of the typing system are captured by typed reductions defined in Figure 5later.

6

(Γ ,∆)`−→ (Γ ′,∆ ′) means that an environment (Γ ,∆) allows an action ` to take place,

and the resulting environment is (Γ ′,∆ ′), constraining process transitions through thelinear and shared environments. This constraint is at the heart of our typed LTS, accu-rately capturing interactions in the presence of sessions and local buffers. The transitionis not deterministic, because the τ-action (reduction) of a process can alter its linear en-vironment in several different ways.

Γ (a) = i〈S〉,a ∈ ∆ ,s fresh implies (Γ ,∆)a〈s〉−→ (Γ ,∆ · s :S)

Γ (a) = o〈S〉,a 6∈ ∆ implies (Γ ,∆)a〈s〉−→ (Γ ,∆)

Γ (a) = o〈S〉,a 6∈ ∆ ,s fresh implies (Γ ,∆)a(s)−→ (Γ ,∆ · s :S)

Γ ` v : U implies (Γ ,∆ · s :(S, [?(U); S′,i : ~T ,o : ~T ′]))s?〈v〉−→ (Γ ,∆ · s :(S, [S′,i : ~TU,o : ~T ′]))

Γ ` v : U implies (Γ ,∆ · s :(S, [!〈U〉; S′,i : ~T ,o : U~T ′]))s!〈v〉−→ (Γ ,∆ · s :(S, [S′,i : ~T ,o : ~T ′]))

a is fresh implies (Γ ,∆ · s :(S, [!〈〈S′′〉〉; S′,i : ~T ,o : 〈S′′〉~T ′]))s!(a)−→ (Γ ·a : 〈S′′〉,∆ · s :(S, [S′,i : ~T ,o : ~T ′]))

(Γ ,∆ · s :S) τ−→ (Γ ,∆ · s :(S, [S,i : ε,o : ε]))

(Γ ,∆ · s :(!〈U〉; S, [S′,i : ~T ,o : ~T ′])) τ−→ (Γ ,∆ · s :(S, [S′,i : ~T ,o : ~T ′U ]))

(Γ ,∆ · s :(?(U); S, [S′,i : U~T ,o : ~T ′])) τ−→ (Γ ,∆ · s :(S, [S′,i : ~T ,o : ~T ′]))

(Γ ,∆ · s :(!〈S′〉; S, [S′′,i : ~T ,o : ~T ′])) τ−→ (Γ ,∆ · s :(S, [S′′,i : ~T ,o : ~T ′S′]))

(Γ ,∆ · s :(?(S′); S, [S′′,i : S′~T ,o : ~T ′])) τ−→ (Γ ,∆ · s :(S, [S′′,i : ~T ,o : ~T ′]))

(Γ ,∆ · s :(⊕{li : Si}, [S′,i : ~T ,o : ~T ′])) τ−→ (Γ ,∆ · s :(Si, [S′,i : ~T ,o : ~T ′li]))

(Γ ,∆ · s :(&{li : Si}, [S′,i : li~T ,o : ~T ′])) τ−→ (Γ ,∆ · s :(Si, [S′,i : ~T ,o : ~T ′]))

(Γ ,∆ · s′ :S′ · s :(S, [!〈S′〉; S′′,i : ~T ,o : S′~T ′]))s!〈s′〉−→ (Γ ,∆ · s :(S, [S′′,i : ~T ,o : ~T ′]))

(Γ ,∆ · s :(S, [?(S′); S′′,i : ~T ,o : ~T ′]))s?〈s′〉−→ (Γ ,∆ · s′ :S′ · s :(S, [S′′,i : ~T S′,o : ~T ′]))

(Γ ,∆ · s :(S, [&{li : Si},i : ~T ,o : ~T ′]))s&lk−→ (Γ ,∆ · s :(S, [Sk,i : ~T lk,o : ~T ′]))

(Γ ,∆ · s :(S, [⊕{li : Si},i : ~T ,o : lk~T ′]))s⊕lk−→ (Γ ,∆ · s :(S, [Sk,i : ~T ,o : ~T ′]))

Fig. 5. Labelled transition rules for environments.

The first rule says that reception of a message via a is possible only when a is input-typed (i-mode) and its queue is present (a ∈ ∆ ). The second is dual, saying that anoutput at a is possible only when a has o-mode and no queue exists. Similarly for abound output action. For session actions, we note that action types are changed beforeand after a transition. The first two rules (` = s!〈v〉 and ` = s?〈v〉) are standard valueinput and output rules, where an asynchronous input is possible only when a queue ispresent. The third rule (`= s!(a)) is a scope opening rule.

The next seven rules (`= τ) follow the reduction rules. The final three rules corre-spond to session channel output, label input and label output. Note that session channelinput is subsumed by the case of `= s?〈v〉.Equivalence ./ and Typed Relation. Before the introduction of typed bisimilarity, wedefine several preliminary notions, including a notion of typed relations over processes.First, the composition of two environments, say ∆1 and ∆2, is denoted by ∆1 � ∆2 [27],and is defined as:

∆1 � ∆2 = {s :(∆1(s)�∆2(s)) | s∈ dom(∆1)∩dom(∆2)}∪∆1 \dom(∆2)∪∆2 \dom(∆1)

7

where S� [S′,i :~T ,o :~T ′] = [S′,i :~T ,o :~T ′]� S = [S′,i :~T ,o :~T ′] if S ≤ S′; otherwiseundefined. We first introduce ∆ -ordering, which represents how session environmentsare updated as typable processes are reduced. We define:

1. s :!(T );S � s : [!(T );S,o :~T ] < s :S � s : [S,o :~T ·T ]2. s :?(T );S � s : [?(T );S,i :T ·~T ] < s :S � s : [S,i :~T ]3. s : [o :T ·~T ] � s : [i :~T ′] < s : [o :~T ] � s : [i :~T ′·T ]4. s :⊕{li :Si}i∈I � s : [⊕{li :Si}i∈I ,o :~T ] < s :Si � s : [Si,o :~T ·li]5. s :&{li :Si}i∈I � s : [&{li :Si}i∈I ,i : li ·~T ] < s :Si � s : [Si,i :~T ]6. s :{Si}i∈I � s : [Si] < s :Si � s : [Si]

7. s : µ X.S � s′ : [µ X.S,i :~T1,o :~T2] < s :S′ � s′ : [S′,i :~T ′1,o :~T ′2]if s :S{µ X.S/X} � s′ : [S{µ X.S/X},i :~T1,o :~T2] < s :S′ � s′ : [S′,i :~T ′1,o :~T ′2]

In (7), s′ is s or s. When ∆1 < ∆2 and ∆ � ∆1 defined, we define ∆ � ∆1 < ∆ � ∆2.Now writev for the reflexive and transitive closure of < and write ∆ ./ ∆ ′ if ∆ v∆ ′

or ∆ ′ v ∆ . Then we say a relation on typed processes is a typed relation if, wheneverit relates two typed processes, we have Γ ` P1 .∆1 and Γ ` P2 .∆2 and ∆1 ./ ∆2 underΓ . We write Γ ` P1 .∆1RP2 .∆2 if (Γ ` P1 .∆1,Γ ` P2 .∆2) are in a typed relation R.Further we often leave the environments implicit, writing simply P1RP2.Localisation and Bisimulation. A bisimulation we shall introduce is a typed relationover processes which are localised, in the sense that each process is equipped with itslocal queues. Formally, let P be closed and Γ ` P .∆ . Then we say P is Γ ` P .∆ islocalised if the following two conditions hold.

– For each s∈ dom(∆), we have ∆(s) = (S, [S,i :~T ,o :~T ′]) (i.e. P contains its buffer).– Similarly for shared channels, i.e. if Γ (a) = i〈S〉, then a ∈ dom(∆).

Substantively, being localised means that a process owns all necessary queues as speci-fied in environments: for this reason, it is natural to say P is localised w.r.t. Γ and ∆ ifΓ ` P.∆ is localised. Further we often simply say P is localised if it is so for a suitablepair of environments.

For example, s?(x);s!〈x + 1〉;0 is not localised: we need a queue at s. Howevers?(x);s!〈x + 1〉;0 | [s,i :~h1,o :~h2] is localised. Similarly, a(x).P is not localised, buta(x).P | a [~s] is. By composing buffers at appropriate channels, any typable closed pro-cess can become localised. If P is localised w.r.t. (Γ ,∆) then P −→ Q implies Q islocalised w.r.t. (Γ ,∆), since queues never go away. We can now introduce the asyn-chronous bisimilarity.

Definition 3.1 (Asynchronous Session Bisimulation). A typed relation R over lo-calised processes is a weak asynchronous session bisimulation or often a bisimulation if,whenever Γ ` P1 .∆1RP2 .∆2, the following two conditions holds: (1) Γ ` P1 .∆1

`−→Γ ′ ` P′1 .∆ ′1 implies Γ ` P2 .∆2

ˆ=⇒ Γ ′ ` P′2 .∆ ′2 such that Γ ′ ` P′1 .∆ ′1RP′2 .∆ ′2 with

∆ ′1 ./ ∆ ′2 holds and (2) the symmetric case of (1). The maximum bisimulation existswhich we call bisimilarity, denoted by ≈. We sometimes leave environments implicit,writing e.g. P≈ Q.

We extend ≈ to possibly non-localised closed terms by relating them when their mini-mal localisations are related by≈ (given Γ ` P.∆ , its minimal localisation adds emptyqueues to P for the input shared channels in Γ and session channels in ∆ which arewithout queues). Further ≈ is extended to open terms in the standard way [12].

8

3.2 Properties of Asynchronous Session Bisimilarity

Characterisation of Reduction Congruence. This subsection studies central proper-ties of asynchronous session semantics. We first show that the bisimilarity coincideswith the naturally defined reduction-closed congruence [12], given below.

Definition 3.2 (Reduction Congruence). We write P ↓ a if P ≡ (ν~n)(a〈s〉 | R) witha 6∈ ~n. Similarly we write P ↓ s if P ≡ (ν~n)(s [o : h·~h] | R) with s 6∈ ~n. P ⇓ n means∃P′.P→→ P′ ↓ n. A typed relation R is reduction congruence if it is a congruent andsatisfies the following conditions for each P1RP2 whenever they are localised w.r.t. theirgiven environments.

1. P1 ⇓ n iff P2 ⇓ n.2. Whenever Γ ` P1 .∆1 ∼= P2 .∆2 holds, P1 →→ P′1 implies P2 →→ P′2 such that Γ `

P′1 .∆ ′1RP′2 .∆ ′2 holds with ∆ ′1 ./ ∆ ′2 and the symmetric case.

The maximum reduction congruence which is not a universal relation exists [12] whichwe call reduction congruency, denoted by ∼=.

Theorem 3.3 (Soundness and Completeness). ≈ = ∼=.

The soundness (≈⊂∼=) is by showing≈ is congruent. The most difficult case is a closureunder parallel composition, which requires to check the side condition ∆ ′1 ./ ∆ ′2 for eachcase. The completeness (∼=⊂≈) follows [9, § 2.6] where we prove that every externalaction is definable by a testing process, see Appendix D.1.

Asynchrony and Session Determinacy. Let us call ` an output action if ` is one ofa〈s〉,a(s),s!〈v〉,s!(a),s⊕ l; and an input action if ` is one of a〈s〉,s?〈v〉,s&l. In the fol-lowing, the first property says that we can delay an output arbitrarily, while the secondsays that we can always immediately perform a (well-typed) input.

Lemma 3.4 (Input and Output Asynchrony). Suppose Γ ` P.∆`

=⇒ P′ .∆ ′.

– (input advance) If ` is an input action, then Γ ` P.∆`−→=⇒ P′ .∆ ′.

– (output delay) If ` is an output action, then Γ ` P.∆ =⇒ `−→ P′ .∆ ′.

The asynchronous environment interaction on the session buffers enables input actionsto happen before multi-internal steps and output actions to happen after multi-internalsteps.

Following [28], we define determinacy and confluence. Below and henceforth weoften omit the environments in typed transitions.

Definition 3.5 (Determinacy). We say Γ ′ ` Q .∆ ′ is derivative of Γ ` P .∆ if there

exists ~ such that Γ ` P.∆~

=⇒Γ ′ `Q.∆ ′. We say Γ ` P.∆ is determinate if for eachderivative Q of P and action `, if Q `−→ Q′ and Q `

=⇒ Q′′ then Q′ ≈ Q′′.

We then extend the above notions to session communications.

9

Definition 3.6 (Session Determinacy). Let us write P `−→s Q if P `−→Q where sbj(`)is a session channel; or `= τ and it is generated without using [Request1], [Request2], [Accept],[Areq] nor [Amsg] in Figure 3 (i.e. a communication is performed without arrival predicates

or shared name interactions). We extend the definition to~

=⇒s andˆ

=⇒s etc. We say P

is session determinate if P is typable and localised and if Γ ` P .∆~

=⇒ Q .∆ ′ then

Γ ` P.∆~

=⇒s Q.∆ ′. We call such Q a session derivative of P.

We define `1b`2 as (1) a〈s〉 if `1 = a(s′) and s′ ∈ bn(`2); (2) s!〈s′〉 if `1 = s!〈s′〉and s′ ∈ bn(`2); (3) s!〈a〉 if `1 = s!(a) and a ∈ bn(`2); and otherwise `1. We write thatl1 ./ l2 when l1 6= l2 and if l1, l2 are input actions then sbj(l1) 6= sbj(l2).

Definition 3.7 (Confluence). We say Γ ` P.∆ is confluent if for each derivative Q ofP and actions `1, `2 such that `1 ./ `2, (i) if Q `−→ Q1 and Q `

=⇒ Q2, then Q1 =⇒ Q′1and Q2 =⇒ Q′2 ≈ Q′1; and (ii) if Q

`1−→ Q1 and Q`2=⇒ Q2, then Q1

`2b`1=⇒ Q′1 and Q2

`1b`2=⇒

Q′2 ≈ Q′1.

Lemma 3.8. Let P be session determinate and Q be a session derivative of P. ThenP≈ Q.

Theorem 3.9 (Session Determinacy). Let P be session determinate. Then P is deter-minate and confluent.

The following relation is used to prove the thread elimination optimisation.

Definition 3.10 (Determinate Upto-expansion Relation). Let R be a typed relationsuch that if Γ ` P .∆ R Q .∆ ′ and (1) P,Q are determinate; (2) ∆ = ∆ ′; (3) If Γ `P.∆

l−→Γ ′ `P′′.∆ ′′ then Γ `Q.∆l

=⇒Γ ′ `Q′.∆ ′ and Γ ′ `P′′.∆ ′′=⇒Γ ′ `P′.∆ ′

with Γ ′ ` P′ .∆ ′R Q′ .∆ ′; and (4) If Γ ` Q.∆l−→ Γ ′′ ` Q′′ .∆ ′′ then Γ ` P.∆

l=⇒

Γ ′ ` P′ .∆ ′ and Γ ′ ` P′ .∆ ′ R Q′ .∆ ′ with Γ ′ ` Q′′ .∆ ′′ =⇒ Γ ′ ` Q′ .∆ ′. Then wecall R a determinate upto-expansion relation, or often simply upto-expansion relation.

Lemma 3.11. Let R be an upto-expansion relation. Then R ⊂≈.

The proof is by showing =⇒R⇐= is a bisimulation, using determinacy.

3.3 Examples of Induced Equations: Permutation and EventsThis subsection shows example equations (algebra of processes) pertaining to prop-erties of permutations of actions studied in § 3.2 and the semantic effects of arrivalpredicates. Significant equations induced by a behavioural equivalence offer insights onthe nature of process behaviours we are concerned with, and play a key role in reasoningabout processes.

We use the examples from § 1. Let Ri = si [i :~hi,o :~h′i] for some~hi,~h′i and assumes1 6= s2.

(1) Input and Output Permutations. The two actions at different channels are per-mutable up to≈, i.e. s1?(x);s2?(y);P |R1 |R2 ≈ s2?(y);s1?(x);P |R1 |R2. Similarly fortwo outputs: s1!〈v1〉;s2!〈v2〉;P |R1 |R2 ≈ s2!〈v2〉;s1!〈v1〉;P |R1 |R2. However, an inputand an output are not permutable: s1?(x);s2!〈v2〉;P |R1 |R2 6≈ s2!〈v2〉;s1?(x);P |R1 |R2.

10

(2) Input and Output Ordering. Two actions at the same session have the ordering,hence: s1?(x);s1?(y);P | R1 6≈ s1?(y);s1?(x);P | R1 for inputs, s1!〈v1〉;s1!〈v2〉;P | R1 6≈s1!〈v2〉;s1!〈v1〉;P | R1 for outputs and s1!〈v1〉;s2?(x2);P 6≈ s2?(x2);s1!〈v1〉;P.

(3) Non-Local Semantics. In the literature [6, 7, 27], the asynchronous session typesare modelled by the two end-point queues without distinction between input and outputentries in queues. We call this semantics non-local since the output process directlyputs the value into the input queue. The transition relation for non-local semantics isdefined by replacing the output and selection rules in Figure 4 (see Appendix E.3 forfull details) to:

〈Outn〉 s!〈v〉;Ps!〈v〉−→ P 〈Seln〉 s⊕ l;P s⊕l−→ P

We write the induced bisimilarity ≈2. The same (in)equalities hold except permutationof outputs, e.g. s1!〈v1〉;s2!〈v2〉;P | R1 | R2 6≈2 s2!〈v2〉;s1!〈v1〉;P | R1 | R2.

(4) Arrival Predicates. Let Q = if e then P1 else P2 with P1 6≈ P2. If the syntax doesnot include arrival predicates, we have Q | s[i : /0] | s[o : v]≈ Q | s[i : v] | s[o : /0]. In thepresence of the arrival predicate, we have Q | s[i : /0] | s[o : v] 6≈Q | s[i : v] | s[o : /0] withe = arrived s. However we have: if arrived s then P else P≈ P.

(5) Arrive Inspection Ordering. Let

P = µX .if arrived s1 then s1?(x).X else if arrived s2 then s2?(x).X else X

Q = µX .if arrived s2 then s2?(x).X else if arrived s1 then s1?(x).X else X

Then P | R1 | R2 ≈ Q | R1 | R2. An inspection of arrival of messages using recursion asabove makes no distinction between different orderings by which session endpoints areinspected. Later this equation plays a central role in the thread elimination later.

For more comparisons, see § 6.

4 Lauer-Needham TransformIn an early work [18], Lauer and Needham observed that a concurrent program may bewritten equivalently either in a thread-based programming style (with shared memoryprimitives) or in an event-based style (where a single-threaded event loop processesmessages sequentially). Following this framework and using high-level asynchronousevent primitives such as selectors [15, 19] for the event-based style, many studies com-pare these two programming styles, often focusing on performance of server archi-tectures, e.g. [2, 15, 20, 32]. These studies and implementations implicitly or explicitlyassume a transformation from a program written in the thread-based style, especiallythose which generate a new thread for each service request (as in thread-based webservers), to its equivalent event-based program, which treats concurrent services usinga single threaded event-loop (as in event-based web servers). However the precise se-mantic effects of such a transformation nor the exact meaning of the associated “equiv-alence” has not been clarified.

We study the semantic effects of such a transformation using the asynchronous ses-sion bisimulation. Not only is this transform hence its semantics has practical signif-icance, but also the semantic analysis of this transform demands the use of the key

11

elements of our asynchronous semantics, including asynchrony and events. We first in-troduce a formal mapping from a thread-based process to their event-based one, basedon Lauer and Needham and suggested by recent studies on event-based programming[2, 20, 32]. Assuming a server process whose code creates fresh threads at each serviceinvocation, the key idea of the transformation is to decompose this whole code into dis-tinct smaller code segments each handling the part of the original code starting from ablocking action. As in the standard event-based programs, such a blocking action is rep-resented as reception of a message (input or branching). Then a single global event-loopcan treat each message arrival by processing the corresponding code segment combinedwith an environment, returning to inspect the content of event/message buffers.

We first stipulate a class of processes which we consider for our translation. Below∗a(x);P denotes an input replication abbreviating µX .a(x).(P|X).

Definition 4.1 (Simple Server). A server at a is a replicated process ∗a(x);P with atyping of form a : 〈S〉. A server is simple if it has the form ∗a(w : S);P such that Pcontains neither parallel compositions (|) nor name hiding (ν), and each bound processvariable in P is guarded. We usually consider a simple server in a localised form, withthe empty queue a : [ε].

A simple server spawns an unbounded number of threads as it receives session requestsrepeatedly. Each thread may initiate other sessions with outside, and its interactions mayinvolve delegations and name passing. But it may not spawn further threads nor exporta new shared channel, and, by guardedness, it always goes through a blocking actionbefore recurring. Note a simple server does not involve accesses to internal shared stateamong threads: a simple server is stateless in this sense (as we shall see later, it isconfluent), as found in static web-servers — those which only serve static pages.

Example 4.2 (A Simple Server). As an example of a simple server, consider:

P = ∗a(x);x?(y).x!〈y+1〉;x?(z).x!〈y+ z〉;0 | a[ε]

This process has the session type ?(nat); !(nat)?(nat); !(nat) at a which can be read:a process should first expect to receive ? a message of type nat and send ! it, then toreceive (again ?) a nat, and finish by sending ! a result.

A simple server creates an unbounded number of threads as it processes services con-currently. The thread elimination transforms this process into an equivalent one whichuses a single thread for processing these unbounded number of services. Given a sim-ple server ∗a(w : S);P | a[ε], its translation, which we call Lauer-Needham transformor LN-transform for short, is written LN [[∗a(w : S);P | a[ε]]]. The formal mappingis given in Appendix G: here we outline the key constructions of the LN-transformedLN [[∗a(w : S);P | a[ε]]] and illustrate the key ideas through examples.

First, LN [[∗a(w : S);P]] consists of the following key elements:

1. An event loop Loop〈o,q〉 repeats the standard event-loop, inspecting its selectorqueue named q (see below), selects a message from a message arrived and processesit by sending it to the corresponding code block (see below).

2. A selector queue q〈a,c0〉 whose initial element is 〈a,c0〉. This data says: “if a mes-sage comes at a, jump to the code block (CPS procedure) whose subject is c0”.

12

3. A collection of code blocks CodeBlocks〈a,o,q,~c〉, CPS procedures handling in-coming messages. A code block originates from a blocking subterm of a(w);P, i.e.a subterm starting from an input or a branching, see Example 4.3 below.

The process uses a standard “select” primitive represented as a process, called selector[15]. It stores a collection of session channels, with each channel associated with an en-vironment, binding variables to values. It then picks up one of them at which a messagearrives, receives that message via that channel and has it be processed by the corre-sponding code block (which may alter the environment). Finally it stores the sessionand the associated environment back in the collection, and moves to the next iteration.Since a selector should handle channels of different types, it uses the typecase con-struct from [15]. typecase k of {(xi :Ti)Pi}i∈I takes a session endpoint k and a list ofcases (xi :Ti), each binding the free variable xi of type pattern Ti in Pi. The reduction oftypecase is defined as:

typecase s of {(xi :Ti)Pi}i∈I | s [S]−→ Pi{s/xi} | s [S]

where there exists i ∈ I such that (∀ j < i.Tj 6≤ S∧Ti ≤ S). We extend the calculus withthe selector operations, with the following reduction semantics.

new selector r in P−→ (ν r)(P | sel〈r, ε〉) register〈s′,r〉;P | sel〈r,~s〉 −→ P | sel〈r,~s · s′〉let x = select(r) in typecase x of {(xi :Ti) : Pi}i∈I | sel〈r, s′ ·~s〉 | s′ [S,i :~h]

−→ Pi{s′/xi} | sel〈r,~s〉 | s′ [S,i :~h] (~h 6= ε)let x = select(r) in typecase x of {(xi :Ti) : Pi}i∈I | sel〈r, s′ ·~s〉 | s′ [i :ε]

−→ let x = select(r) in typecase x of {(xi :Ti) : Pi}i∈I | sel〈r,~s · s′〉 | s′ [i :ε]

where in the third line S and Ti satisfies the condition for typecase in the reductionrule. We also include the structural rules with garbage collection rules for queues as(ν r)sel〈r, ε〉 ≡ 0. Operator new selector r in P (binding r in P) creates a new selectorsel〈r, ε〉, named r and with the empty queue ε . register〈s′,r〉;P registers a sessionchannel s

Operator register〈s′,r〉;P registers a session channel s to r, adding s′ to the orig-inal queue ~s. The next let retrieves a registered session and checks the availability totest if an event has been triggered. If so, find the match of the type of s′ among {Ti}and select Pi; if not, the next session is tested. As shown in [15], these primitives areencodable in the original calculus augmented with typecase. For a detailed encoding,see Appendix F. The bisimulations and their properties remain unchanged.

Example 4.3 (Lauer-Needham Transform). Recall the simple server in Example 4.2.We extract the blocking subterms from this process as follows.

Blocking Process Type at Blocking Prefixa(x).x?(y).x!〈y+1〉x?(z).x!〈y+ z〉;0 〈?(nat); !(nat); ?(nat); !(nat)〉x?(y).x!〈y+1〉x?(z).x!〈y+ z〉;0 ?(nat); !(nat); ?(nat); !(nat)x?(z).x!〈y+ z〉;0 ?(nat); !(nat)

These blocking processes are translated into code block processes or code blocks, de-noted CodeBlocks, given as:

∗c0(y);a(x).update(y,x,x); register 〈sel,x,y,c1〉;o |∗c1(x,y);x?(z);update(y,z,z); x!〈[[z]]y +1〉;register 〈sel,x,y,c2〉;o |∗c2(x,y);x?(z′);update(y,z′,z′);x!〈[[z]]y +[[z′]]y〉;o

13

which is used for processing each message. Above, the operation update(y,x,x); up-dates an environment, while register stores the blocking session channel, the associ-ated continuation ci and the current environment y in a selector queue sel.

Finally, using these code blocks, the centre of the event processing, the main event-loop denoted Loop, is given as:

Loop = ∗o.let (x,y,z) = select from sel in typecase x of {〈?(nat); !(nat); ?(nat); !(nat)〉 : new y : env in z(y)?(nat); !(nat); ?(nat); !(nat) : z(x,y)?(nat); !(nat) : z(x,y)

}

Above select from sel in selects a message from the selector queue sel, and treatsit in P. The new construct creates a new environment y. The typecase construct thenbranches into different processes depending on the session of the received message, anddispatch the task to each code block.

For the formal details, see Appendix G. Because a simple server does not allow, by con-struction, its internal shares state to be accessed by the threads it spawns, it is currentlystateless.2, we observe:

Lemma 4.4. ∗a(w : S);R | a [ε] is confluent.

On the other hand, the transformed process is essentially a sequential process. Hencewe can also establish:

Lemma 4.5. LN [[∗a(w : S);P | a [ε]]] is confluent.

Using these results, we can establish the fundamental result, which crucially relies onasynchronous nature of our bisimulations, noting that the original simple server andits translation generally have completely different timings at which the session in-put/branching subjects (prefixes) become active: in the former they are made activein parallel for all threads, while in the latter they are made active only sequentially.

Lemma 4.6. Let R = Loop | CodeBlocks | a[~s] | ∏m∈I sm [i : ~him,o : ~hom]. Assume

P1 = r〈(s1,ξ1,c1), . . . ,(si,ξi,ci), . . . ,(s j,ξ j,c j), . . . ,(sn,ξn,cn)〉P2 = r〈(s1,ξ1,c1), . . . ,(s j,ξ j,c j), . . . ,(si,ξi,ci), . . . ,(sn,ξn,cn)〉

Then (ν ~cor)(P1 | R)≈ (ν ~cor)(P2 | R).

The above lemma substantiates a generalisation of the observations behind Example3.3(5), which distills a nature of event-driven programming. With this lemma, we canpermute the sessions in a selector queue, still having the same behaviours (this permu-tation is possible w.r.t. bisimilarity because of the stateless nature of a simple server).Selector’s behaviour ties together threaded and event programs because there is no dif-ference between which event (resp. thread) is selected to be executed first.

2 The transform easily extends to the situation where threads share state, though its behavioural justificationtakes a different form.

14

Theorem 4.7 (Semantic Preservation). Let ∗a(w : S);R | a [ε] be a simple server. Then∗a(w : S);P | a [ε]≈LN [[a(w : S);P | a [ε]]].

The proof of the above theorem uses a determinate upto-expansion relation, cf. Defi-nition 3.10 and Lemma 3.11. We construct the target relation so that it contains eachprocess pair that has all the parallel processes on a blocking prefix for the threadedserver and starts from the Loop process for the thread eliminated process. We show theconditions needed Definition 3.10 by using Lemmas 4.4 and 4.5. We conclude the proofthrough Lemma 3.11. For details of the proof, see Appendix G.

5 Performance Evaluation of the LN-TransformThis section presents a benchmark evaluation of the type-directed transformation frommultithreaded to thread-eliminated (i.e. event-driven) programs by the LN-transform(§ 4). The benchmark compares the performance of implementations of the Server pro-cesses from Examples 4.2 and 4.3 under load from a varying number of concurrentclients, ranging up to 1000. As discussed earlier, event-driven concurrency is typicallyregarded as trading performance for more complex implementation; the present bench-mark examines these aspects from each side of the trade-off. First, the results showthat the LN-transformed Server exhibits the performance and scalability improvementsexpected of thread-elimination. The second and key point, however, is that the LN-transformation, with formal justification by asynchronous session bisimilarity (The-orem 4.7), ensures the thread-eliminated Server preserves equivalent behaviour to theoriginal. This benchmark thus demonstrates how the session-oriented behavioural equiv-alence theory presented in this paper can be directly applied to the development ofpractical tools for real-world concurrent programming.

Benchmark Programs. The implementation and execution of the session-typed bench-mark applications uses SJ (Session Java) [16] with extensions for event-driven sessionprogramming [15]. The session type implemented by the multithreaded Server (MT)is a slightly modified version of the type from Example 4.2 (to allow variation of themessage size), which written in SJ syntax is:

?(byte[]).!<byte[]>.?(byte[]).!<byte[]>

The MT Server spawns a new thread to execute a session of this type for each client thatconnects. The LN-transformed Server (TE) uses a single-threaded central event-loopto dispatch the input events of the above type across concurrent sessions one-by-one,following Example 4.3. The same Client program, which implements the dual of theabove type, is used to interact with both the MT and TE Servers.

Methodology and Environment. The benchmark measures Server throughput in termsof the number of Client sessions completed per millisecond. The benchmark parametersare the message size (100 Bytes and 1 KB), and the number (10, 100, 300, 500, 700 and900) of concurrent Clients, which simply request and execute repeated sessions withthe Server. After the execution of the benchmark configuration has stabilised, a mea-surement is taken by recording the number of sessions completed by the Server withina 30 s measurement window. For each parameter combination, we take measurementsfrom three windows to each Server instance, and repeat the whole benchmark 20 times.

15

● ● ● ●●

●

10 100 300 500 700 900

0

1

2

3

4

5

Number of Clients

Thr

ough

put (

sess

ions

/mill

isec

ond)

● MT.100MT.1000TE.100TE.1000

Fig. 6. Throughput of multithreaded (MT) and LN-transformed (TE) SJ Servers under increasingclient loads.

The benchmark is conducted in the following cluster environment: each node is aSun Fire x4100 with two 64-bit Opteron 275 processors at 2 GHz and 8 GB of RAM,running 64-bit Mandrakelinux 10.2 (kernel 2.6.11) and connected via gigabit Ethernet.Latency between each node is measured to be 0.5 ms on average (ping 64 bytes). Thebenchmark applications are compiled and executed using the Sun Java SE compiler andRuntime versions 1.6.0.

Results. Figure 6 gives the mean throughput for the multithreaded (MT) and thread-eliminated (TE) Server implementations for the increasing number of Clients. In allcases, as expected, the TE Server exhibits higher throughput than the MT server. Weobserve that the throughput of the MT Server decreases steadily due to the threadscheduling overhead. For the TE Server, there is first an increase in throughput, un-til the saturation point for the Server performance is reached, and then a decline as thenumber of Clients increases, due to the cost of the event selector handling more Clientconnections. We also observe higher throughput for the smaller message size: this isbecause more messages of the smaller size can be transmitted, and thus more sessionscan be completed, in the same period of time. Further micro and macrobenchmarkscomparing session-typed multithreaded and event-driven SJ applications, and also theiruntyped counterparts (standard Java threads and Java NIO) as base cases, can be foundat [30].

6 Discussions

Comparisons with Asynchronous/Synchronous Calculi. We briefly compared thepresent asynchronous bisimulation to related ones in Example 3.3 in § 3. Below wereport more comprehensive comparisons, clarifying the relationship between (1) thesession-typed asynchronous π-calculus [10] without queues (≈a, the asynchronous ver-sion of the labelled transition relation for the asynchronous π-calculus), (2) the session-typed synchronous π-calculus [11, 31] without queues (≈s), (3) the asynchronous ses-sion π-calculus with two end-point queues without IO queues [6, 7, 27] (≈2), see Ex-

16

ample 3.3; and (4) the asynchronous session π-calculus with two end-point IO-queues(≈), i.e. the one developed in this paper. See Appendix E for the full definitions.

The following figure summarises distinguishing examples. Non-Blocking Input/Out-put means inputs/outputs on different channels, while the Input/Output Order-Preservingmeans that the messages will be received/delivered preserving the order. The final tableexplains whether Lemma 3.4 (1) (input advance) or (2) (output delay) is satisfied or not.If not, we place a counterexample.

Non-Blocking Input Non-Blocking Output(1) s1?(x);s2?(y);P≈a s2?(y);s1?(x);P s1〈v〉 | s2〈w〉 | P≈a s1〈w〉 | s2〈v〉 | P(2) s1?(x);s2?(y);P 6≈s s2?(y);s1?(x);P s1!〈v〉;s2!〈w〉;P 6≈s s2!〈w〉;s1!〈v〉;P(3) s1?(x);s2?(y);P | s1 [ε] | s2 [ε]≈2 s1!〈v〉;s2!〈w〉;P | s1 [ε] | s2 [ε] 6≈2

s2?(y);s1?(x);P | s1 [ε] | s2 [ε] s2!〈w〉;s1!〈v〉;P | s1 [ε] | s2 [ε](4) s1?(x);s2?(y);P | [s1,i :ε,o :ε] | [s2,i :ε,o :ε]≈ s1!〈v〉;s2!〈w〉;P | [s1,i :ε,o :ε] | [s2,i :ε,o :ε]≈

s2?(y);s1?(x);P | [s1,i :ε,o :ε] | [s2,i :ε,o :ε] s2!〈w〉;s1!〈v〉;P | [s1,i :ε,o :ε] | [s2,i :ε,o :ε]

Input Order-Preserving Output Order-Preserving(1) s?(x);s?(y);P≈a s?(y);s?(x);P s〈v〉 | s〈w〉 | P≈a s〈w〉 | s〈v〉 | P(2) s?(x);s?(y);P 6≈s s?(y);s?(x);P s!〈v〉;s!〈w〉;P 6≈s s!〈w〉;s!〈v〉;P(3) s?(x);s?(y);P | s [ε] 6≈2 s!〈v〉;s!〈w〉;P | s [ε] 6≈b

s?(x);s?(y);s?(x);P | s [ε] s!〈w〉;s!〈v〉;P | s [ε](4) s?(x);s?(y);P | [s1,i :ε,o :ε] | [s2,i :ε,o :ε] 6≈ s!〈v〉;s!〈w〉;P | [s1,i :ε,o :ε] | [s2,i :ε,o :ε] 6≈

s?(x);s?(y);P | [s1,i :ε,o :ε] | [s2,i :ε,o :ε] s!〈w〉;s!〈v〉;P | [s1,i :ε,o :ε] | [s2,i :ε,o :ε]

Lemma 3.4 (1) Lemma 3.4 (2)(1) yes yes(2) (ν s)(s!〈v〉;s′?(x);0 | s?(x);0) (ν s)(s!〈v〉;s′!〈v′〉;0 | s′?(x);0)(3) yes s!〈v〉; s′?(x);0 | s′[v′](4) yes yes

Another technical interest is the effects of the arrived predicate on these combi-nations, which we carry out below. For precise comparisons, we define the synchronousand asynchronous π-calculi augmented with the arrived predicate and local buffers.For the asynchronous π-calculus, we add a[~h] and arrived a in the syntax, and definethe following rules for input and outputs.

a〈v〉 a〈v〉−→ 0 a[~h]a〈h〉−→ a[~h ·h] a?(x).P | a[~h1 ·hi · ~h2]−→ P{hi/x} | a[~h1 · ~h2]

if arrived a then P else Q|a[ε] τ−→ Q | a[ε]

if arrived a then P else Q|a[h ·~h] τ−→ P | a[h ·~h]

The above definition precludes the order preservation as the property of transport,but still keeps the non-blocking property as in the asynchronous π-calculus. The syn-chronous version is similarly defined by setting the buffer size to be one. The non-localversion is defined just by adding arrived predicate.

Figure 7 summarises the results which incorporate the arrived predicate. Inter-estingly in all of the calculi (1–4), the same examples as in Example 3.3(4), whichseparate semantics with/without the arrived, are effective. The IO queues providenon-blocking inputs and outputs, while preserving the input/output ordering, which dis-tinguishes the present framework from other known semantics.

17

With arrived Without arrived(1) if arrived s then P else Q | s [i :ε] | s〈v〉 if e then P else Q | s [i :ε] | s〈v〉

6≈ if arrived s then P else Q | s [i :v] ≈ if e then P else Q | s [i :v](2) if arrived s then P else Q | s[ε] | s〈v〉;0 if e then P else Q | s[ε] | s〈v〉;0

6≈ if arrived s then P else Q | s[v] ≈ if e then P else Q | s[v](3) if arrived s then P else Q | s [i :ε] | s〈v〉;0 if e then P else Q | s [i :ε] | s〈v〉;0

6≈ if arrived s then P else Q | s [i :v] ≈ if e then P else Q | s [i :v](4) if arrived s then P else Q | s [i :ε] | s [o :v] if e then P else Q | s [i :ε] | s [o :v]6≈ if arrived s then P else Q | s [i :v] | s [o :ε] ≈ if e then P else Q | s [i :v] | s [o :ε]

Fig. 7. Arrive inspection behaviour in synchronous/asynchronous calculi.

The formal definitions and proofs for the above results can be found in AppendixE. As a whole, we observe that the present semantic framework is closer to the asyn-chronous bisimulation (1) ≈a augmented with order-preserving nature per session. Itskey properties arise from local, buffered session semantics and typing. We have alsoseen the semantic significance of the arrived predicates, which enables processes toobserve the effects of fine-grained synchronisations.

Related Work. Some of the key proof methods of our work draw their ideas from[28], which study an extension of the confluence theory on the π-calculus. They applythe theory to reason about the correctness of the distributed protocol which can berepresented by constructing a collection of confluent processes. Our work differs in thatwe investigate the effect of asynchronous IO queues and its relationship to confluence.

The work [3] examines expressiveness of various messaging mediums by addingmessage bags (no ordering), stacks (LIFO policy) and message queues (FIFO policy)in the asynchronous π-calculus [10]. They show that the calculus with the messagebags is encodable into the asynchronous π-calculus, but it is impossible to encode themessage queues and stacks. Neither the effects of locality, queues, and typed transitionsare studied. Further neither of [3, 28] treats event-based programming, including suchexamples as thread elimination nor performance analysis.

Programming constructs that can test the presence of actions or events are studied inthe context of the Linda language [5] and CSP [21, 22]. The work [5] measures expres-sive powers between three variants of asynchronous Linda-like calculi, with a constructfor inspecting the output in the tuple space, which is reminiscent of the inp predicateof Linda. The first calculus (called instantaneous) corresponds to (1) [10], the secondone (called ordered) formalises emissions of messages to the tuple spaces, and the thirdone (called unordered) models unordered outputs in the tuple space by decomposingone messaging into two stages — emission from an output process and rendering fromthe tuple space. It shows that the instantaneous and ordered calculi are Turing powerful,while the unordered is not. The work [21] studies CSP with a construct that checks ifa parallel process is able to perform an output action on a given channel. It studies op-erational and denotational semantics, demonstrating a significance to investigate eventprimitives using process calculi. A subsequent work [22] studies the expressiveness ofits variants focussing on the full abstraction theorem of the trace equivalence. Due tothe difference of the base calculi and the aims of the primitives, direct comparisons aredifficult: for example, our calculi (1,2,3,4) are Turing powerful and we aim to examineproperties and applications of the typed bisimilarity characterised by buffered sessions:on the other hand, the focus of [5] is a tuple space where our input/output order pre-

18

serving examples (which treat different objects with the same session channel) cannotbe naturally (and efficiently) defined. The same point applies for [21, 22]. As anotherdifference, the nature of localities has not been considered either in [5, 21, 22] since nonotion of a local or remote tuple or environment is defined. Further, neither large ap-plications which include these constructs (§ 4), the equivalences as we treated, nor theperformance analysis of the proposed primitives had been discussed in [5, 21, 22].

Using the confluence and determinacy guaranteed by session types, and throughobservations on the semantics of the arrive predicate, we have demonstrated that thetheory is applicable, through the verification of the correctness of the Lauer-Needhamtransform. This well-known transform claims that threads and events are dual to eachother. Our LN-transform and the asynchronous, buffered bisimulation provide a formalframework and reasoning mechanisms for the conversion from the former to latter andfor establishing their equivalence. The asynchronous nature realised through IO mes-sage queues provides a precise analysis of local and eventful behaviours, found in majordistributed transports such as TCP. The benchmark results from high-performance clus-ters justify the effect of the type and semantic preserving LN-transformation.

Some preceding works approach the Lauer-Needham duality by combining multi-threaded and event-driven programming to obtain benefits from both categories. Thework [20] implements both multithreaded and event-driven components at the applica-tion level. A trace over blocking system calls is inferred from the threaded code and thescheduler invokes the user-supplied event handler when event points are reached in thetrace. Scala [8] offers both thread-blocking receive operations and actor-based eventhandlers as a library. Heuristics are used to determine whether a thread has becomeblocked on some external operation to prevent blocking other actors. Although thesestudies offer improved support for user-level threads, event-based systems currently re-tain the edge in terms of performance and scalability for highly concurrent applicationssuch as Web servers [17]. These preceding studies do not investigate either semanticfoundations or the formal correctness of their approaches.

In contrast, the present paper offers a semantic basis for asynchronous session com-munications with event primitives, which can justify the correct implementation of prac-tical communications-based applications, as we have seen in §4. It also applies the be-havioural theory to demonstrate a benefit of structured and type-safe transformationbased on session types. It is an interesting future work to use our bisimulation theoryin the higher-order setting [27] as well as for analysing more complex programs wherethreads and events co-exist.

References1. M. Abadi, L. Cardelli, B. C. Pierce, and G. D. Plotkin. Dynamic typing in a statically typed

language. TOPLAS, 13(2):237–268, 1991.2. A. Adya, J. Howell, M. Theimer, W. J. Bolosky, and J. R. Douceur. Cooperative task manage-

ment without manual stack management or, event-driven programming is not the opposite ofthreaded programming. In In Proceedings of the 2002 Usenix ATC, 2002.

3. R. Beauxis, C. Palamidessi, and F. D. Valencia. On the asynchronous nature of the asyn-chronous pi-calculus. In Concurrency, Graphs and Models, volume 5065 of LNCS, pages473–492. Springer, 2008.

4. M. Berger, K. Honda, and N. Yoshida. Sequentiality and the π-calculus. In Proc. TLCA’01,volume 2044 of LNCS, pages 29–45, 2001.

19

5. N. Busi, R. Gorrieri, and G. Zavattaro. Comparing three semantics for linda-like languages.Theor. Comput. Sci., 240(1):49–90, 2000.

6. M. Coppo, M. Dezani-Ciancaglini, and N. Yoshida. Asynchronous Session Types andProgress for Object-Oriented Languages. In FMOODS’07, volume 4468 of LNCS, pages1–31, 2007.

7. S. Gay and V. T. Vasconcelos. Linear type theory for asynchronous session types. JFP, 2009.8. P. Haller and M. Odersky. Scala actors: Unifying thread-based and event-based program-

ming. Theor. Comput. Sci., 410(2-3):202–220, 2009.9. M. Hennessy. A Distributed Pi-Calculus. CUP, 2007.

10. K. Honda and M. Tokoro. An object calculus for asynchronous communication. InECOOP’91, volume 512 of LNCS, pages 133–147, 1991.

11. K. Honda, V. T. Vasconcelos, and M. Kubo. Language primitives and type disciplines forstructured communication-based programming. In ESOP’98, volume 1381 of LNCS, pages22–138. Springer, 1998.

12. K. Honda and N. Yoshida. On reduction-based process semantics. TCS, 151(2):437–486,1995.

13. K. Honda and N. Yoshida. A uniform type structure for secure information flow. TOPLAS,29(6), 2007.

14. K. Honda, N. Yoshida, and M. Carbone. Multiparty Asynchronous Session Types. InPOPL’08, pages 273–284. ACM, 2008.

15. R. Hu, D. Kouzapas, O. Pernet, N. Yoshida, and K. Honda. Type-safe eventful sessions inJava. In ECOOP, volume 6183 of LNCS, pages 329–353. Springer-Verlag, 2010.

16. R. Hu, N. Yoshida, and K. Honda. Session-Based Distributed Programming in Java. InECOOP’08, volume 5142 of LNCS, pages 516–541. Springer, 2008.

17. M. Krohn. Building secure high-performance web services with OKWS. In ATEC’04, pages15–15. USENIX Association, 2004.

18. H. C. Lauer and R. M. Needham. On the duality of operating system structures. SIGOPSOper. Syst. Rev., 13(2):3–19, 1979.

19. D. Lea. Scalable IO in Java. http://gee.cs.oswego.edu/dl/cpjslides/nio.pdf,November 2003.

20. P. Li and S. Zdancewic. Combining events and threads for scalable network services imple-mentation and evaluation of monadic, application-level concurrency primitives. SIGPLANNot., 42(6):189–199, 2007.

21. G. Lowe. Extending csp with tests for availability. Procedings of Communicating ProcessArchitectures (CPA 2009), 2009.

22. G. Lowe. Models for CSP with availability information. Pre-proceeding for Express’10,2010.

23. S. Microsystems Inc. New IO APIs. http://java.sun.com/j2se/1.4.2/docs/guide/nio/index.html.

24. R. Milner. Communication and Concurrency. Prentics Hall, 1989.25. R. Milner. The polyadic π-calculus: A tutorial. In Proceedings of the International Summer

School on Logic Algebra of Specification. Marktoberdorf, 1992.26. R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes. Technical report, Lab-

oratory for Foundations of Computer Science, Department of Computer Science, Universityof Edinburgh, 1989.

27. D. Mostrous and N. Yoshida. Session-based communication optimisation for higher-ordermobile processes. In TLCA’09, volume 5608 of LNCS, pages 203–218. Springer, 2009.

28. A. Philippou and D. Walker. On confluence in the pi-calculus. In ICALP’97, volume 1256of Lecture Notes in Computer Science, pages 314–324. Springer, 1997.

29. On-line Appendix of this paper. http://www.doc.ic.ac.uk/~dk208/semantics.html.30. SJ homepage. http://www.doc.ic.ac.uk/~rhu/sessionj.html.

20

31. K. Takeuchi, K. Honda, and M. Kubo. An Interaction-based Language and its Typing Sys-tem. In PARLE’94, volume 817 of LNCS, pages 398–413, 1994.

32. M. Welsh, D. E. Culler, and E. A. Brewer. SEDA: An Architecture for Well-Conditioned,Scalable Internet Services. In SOSP’01, pages 230–243. ACM Press, 2001.

21

Table of Contents

On Asynchronous Session Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Dimitrios Kouzapas∗, Nobuko Yoshida∗, Raymond Hu∗, Kohei Honda†

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Asynchronous Network Communications in Sessions . . . . . . . . . . . . . . . . . . . . 3

2.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.2 Operational Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42.3 Types and Typing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Asynchronous Session Bisimulations and its Properties . . . . . . . . . . . . . . . . . . . 63.1 Labelled Transitions and Bisimilarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63.2 Properties of Asynchronous Session Bisimilarity . . . . . . . . . . . . . . . . . . . 93.3 Examples of Induced Equations: Permutation and Events . . . . . . . . . . . . 10

4 Lauer-Needham Transform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Performance Evaluation of the LN-Transform. . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Discussions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Comparisons with Asynchronous/Synchronous Calculi. . . . . . . . . . . . . 16Related Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

A Appendix for Section 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23A.1 Structural Congruence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23A.2 Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Reduction Relation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23B Appendix to Section 2.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

B.1 Subtyping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23B.2 Program Typing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

C Typing Runtime Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26D Appendix for Section 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

D.1 Proof for Theorem 3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29D.2 Bisimulation Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Proof for Lemma 3.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Proof for Lemma 3.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Confluence by Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Proof for Lemma 3.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Proof for Lemma 3.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

E Comparison with Asynchronous/Synchronous Calculi . . . . . . . . . . . . . . . . . . . . 37E.1 Behavioural Theory for Session Type System with Input Buffer

Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37E.2 Proofs for Section 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37E.3 Arrived Operators in the π-Calculi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

F Appendix for Selectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40F.1 Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40F.2 Typing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

G Appendix: Lauer-Needham Transform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41G.1 Lauer-Needham Transform properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

P ≡ Q if P =α Q (α-renaming)

P | 0 ≡ P (Idempotence)

P | Q ≡ Q | P (Commutativity)

(P | P′) | P′′ ≡ P | (P′ | P′′) (Associativity)

(ν a :〈S〉)a[ε] ≡ 0 (Shared channels)

(ν a :〈S〉)P | Q ≡ (ν a :〈S〉)(P | Q) (a 6∈ fn(Q))(ν s)0 ≡ 0 (Session channels)

(ν s)(s : [ε] | s : [ε]) ≡ 0 (Session queues)

(ν s)P | Q ≡ (ν s)(P | Q) (s 6∈ fn(Q))µX .P ≡ P{µX .P/X}

Fig. 8. Structural congruence.

Proof for Lemma 4.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Proof for Lemma 4.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Proof for Lemma 4.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Proof for Theorem 4.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

A Appendix for Section 2

We give the definitions that were omitted from § 2 including the type case construct.

A.1 Structural Congruence

The notion of bound and free identifiers is extended to cover the subject and objectsof arrived u, arrived k, arrived k h, typecase k of {(xi :Ti)Pi}i∈I , a〈s〉, a [~s], ands [S,i :~h,o :~h′] in the expected way. We write fn(P) for the set of names that have a freeoccurrence in P. Then structural congruence is the smallest congruence on processesgenerated by the following rules in Figure 8.3

A.2 Reduction

Reduction Relation The binary single-step reduction relation, −→ is the smallest re-lation on closed terms generated by the rules in Figure 3 together with those in Figure 9.

B Appendix to Section 2.3

B.1 Subtyping

If P has a session channel s typed by S, P can interact at s at most as S (e.g. if Shas shape ⊕{l1 : S1, l2 : S2, l3 : S3} then P may send l1 or l3, but not a label differentfrom {l1, l2, l3}). Hence, S ≤ S′ means that a process with a session typed by S is morecomposable with a peer process than one by S′. Composability also characterises thesubtyping on shared channel types. Formally the subtyping relation is defined for the setT of all closed and contractive types as follows: T is a subtype of T ′, written T ≤ T ′,

3 For the recursion, it would be more natural to use a demand-driven input-guarded reduction for the LN-transformation. The choice does not affect the developments of this paper.

23

[Request1] a(x :S);P −→ (ν s)(P{s/x} | s [S,i :ε,o :ε] | a〈s〉) (s /∈ fn(P))[Request2] a [~s] | a〈s〉 −→ a [~s·s][Accept] a(x :S).P | a [s·~s] −→ P{s/x} | s [S,i :ε,o :ε] | a [~s][Send] s!〈v〉;P | s [!(T );S,o :~h] −→ P | s [S,o :~h·v][Receive] s?(x).P | s [?(T );S,i :v·~h] −→ P{v/x} | s [S,i :~h][Sel], [Bra] s/ li;P | s [⊕{li :Si}i∈I ,o :~h] −→ P | s [Si,o :~h·li] (i ∈ I)

s.{l j :Pj} j∈J | s [&{li :Si}i∈I ,i : li ·~h] −→ Pi | s [Si,i :~h] (i ∈ I ⊆ J)[Comm] s [o :v·~h] | s [i :~h′] −→ s [o :~h] | s [i :~h′·v][Arriv-req] E[arrived a] | a [~s] −→ E[b] | a [~s] (|~s| ≥ 1)↘ b

[Arriv-ses] E[arrived s] | s [i :~h] −→ E[b] | s [i :~h] (|~h| ≥ 1)↘ b

[Arriv-msg] E[arrived s h] | s [i :~h] −→ E[b] | s [i :~h] (~h = h·~h′)↘ b

[Typecase]

typecase s of {(xi :Ti)Pi}i∈I | s [S] −→ Pi{s/xi} | s [S] ∃i ∈ I.(∀ j < i.Tj 6≤ S∧Ti ≤ S)

[Unfold] P | s [S{µ X.S/X},i :~h1,o :~h′1]−→ P′ | s [S′,i :~h2,o :~h′2]=⇒ P | s [µ X.S,i :~h1,o :~h′1]−→ P′ | s [S′,i :~h2,o :~h′2]

[Eval] e −→ e′ =⇒ E[e] −→ E[e′][Chan] P −→ P′ =⇒ (ν a :〈S〉)P −→ (ν a :〈S〉)P′

[Sess] P −→ P′ =⇒ (ν s)P −→ (ν s)P′

[If-true] if tt then P else Q −→ P[If-false] if ff then P else Q −→ Q

[Par] P −→ P′ =⇒ P | Q −→ P′ | Q[Struct] P≡ P′ −→ Q′ ≡ Q =⇒ P −→ Q

Fig. 9. The reduction rules § 2.2.

if (T,T ′) is in the largest fixed point of the monotone function F : P(T ×T )→P(T ×T ), such that F (R) for each R ⊂T ×T is given as follows.

{(bool,bool),(nat,nat)}∪{(o〈S〉,o〈S′〉) | (S,S′),(S′,S) ∈R}∪ {(i〈S〉,i〈S′〉) | (S,S′),(S′,S) ∈R}∪ {(µ X.U,U ′) | (U{µ X.U/X},U ′) ∈R}∪{(U,µ X.U ′) | (U,U ′{µ X.U ′/X}) ∈R}∪ {(!(T1);S′1, !(T2);S′2) | (T2,T1),(S′1,S

′2) ∈R} ∪ {(?(T1);S′1,?(T2);S′2) | (T1,T2),(S′1,S

′2) ∈R}

∪ {(⊕{li :Si}i∈I ,⊕{l j :S′j} j∈J) | ∀i ∈ I ⊆ J.(Si,S′i) ∈R}∪ {(&{li :Si}i∈I ,&{l j :S′j} j∈J) | ∀ j ∈ J ⊆ I.(S j,S′j) ∈R}∪ {(µ X.S,S′) | (S{µ X.S/X},S′) ∈R}∪{(S,µ X.S′) | (S,S′{µ X.S′/X}) ∈R}∪ {({Si}i∈I ,{S′j} j∈J) | ¬(|I|= |J|= 1),∀ j ∈ J,∃i ∈ I.(Si,S′j) ∈R}

Line 1 is standard (〈S〉 is invariant at S since it logically contains both S and S). Line2/6 are the standard rule for recursion. In Line 3, the linear output (resp. input) is con-travariant (resp. covariant) on its carried types following [27]. In Line 4, the selection isco-variant since if a process may send more labels, it is less composable with its peer.Dually for branching in Line 5. Finally, the ordering of the set types says that if eachelement of the set type {S′j} j∈J has its subtype in {Si}i∈I , the former is less composableby the latter. The condition ¬(|I| = |J| = 1) avoids the case {Si}i∈I = S,{S′j} j∈J = S′,which makes the relation universal.

24

We now clarify the semantics of ≤ using duality. The dual of S, denoted S, is de-fined in the standard way: !(T );S =?(T );S, ?(T );S =!(T );S, µ X.S = µ X.S, X = X,⊕{li :Si}i∈I = &{li :Si}i∈I &{li :Si}i∈I =⊕{li :Si}i∈I and end= end.

B.2 Program Typing

We first define a typing system for programs (§ 2.1). Program typing can be considereda static typing phase performed by a compiler, on user-level code before execution.Program typing uses two environments:

Γ ::= /0 | Γ ·u :U | Γ ·X :∆ Σ ::= /0 | Σ ·a | Σ ·k :{Si}i∈I

Γ is called shared environment, which maps shared channels and process variables toshared channel types and linear environment respectively; Σ is called linear environ-ment mapping session channels to set types (writing k : S for k : {S}) and recordingshared channels for acceptor’s input queues. Σ ·a means a /∈ dom(Σ) and similarly forothers. Shared channel a is recorded in Σ to ensure that one and only one queue for aexists. Subtyping is extended to environments by Σ ≤ Σ ′ iff dom(Σ) = dom(Σ ′) and∀k ∈ dom(Σ).Σ(k)≤ Σ ′(k). The typing judgements for a process and an expression aregiven as:

Γ ` P.Σ Γ ,Σ ` e :T

where the program P, under shared environment Γ , features the channel usage speci-fied by linear environment Σ ; and similarly for the expression. The judgement can beshortened to, e.g. Γ ` e :T if Σ is not required.

Figure 10 presents the typing rules for programs. The first four rules are the standardexpression typing (note u : i〈S〉 and u : o〈S〉 allows both accept and request respectivelyvia u by (Shared), while u : i〈S〉 allows request via u by (Shared’)). The next four rulesare for the arrivals. Rule (Areq) is for a session request arrival. Rule (Asess) is for an in-session message arrival. Rule (Amsg) checks the message arrival and its value. Similarly(Alab) checks a branch label.

The remaining rules are standard. Rule (Subs) is the standard subsumption. Rule(Acc) (resp. Rule (Req)) says that the session following an accept (resp. request) shouldconform to a declared shared channel type. (Send) and (Recv) are for sending and re-ceiving values. (Send) is standard apart from using the extended expression judgementto handle occurrences of the arrival predicates within e: the relevant type prefix !(S) forthe output is composed with T in the conclusion’s session environment. (Recv) is a dualinput rule. (SSend) and (SRecv) are the standard rules for delegation of a session andits dual [27], observing (SSend) says that k′ : T does not appear in P, symmetrically to(SRecv) which uses the channels in P. (Select) and (Branching), identical with [27], arethe rules for selection and branching. (If) rule handles the conditional expression.

(Chan) records the a : 〈S〉 from the shared environment after checking the presenceof a (in effect unique) queue at a. (Par) prevents multiple queues for the same sharedchannel and processes with the same session channels from being composed. (Nil),(Rec) and (PVar) are standard from [11]. (Queue) records the presence of an emptyshared queue in a linear environment. “Σ end only” means Σ has the form s1 :end, ...,sn :end.

25

Γ ` tt,ff :bool(Bool)

Γ ·x :bool ` x :bool(Var)

Γ ·u :i〈S〉 ` u :o〈S〉(Shared’)

Γ ·u :T ` u :T(Shared)

Γ ` u :〈S〉Γ ` arrived u :bool

(Areq)Γ ,Σ ` arrived k h :bool

Γ ,Σ ` arrived k :bool(Asess)

Γ ` v :UΓ ,Σ ·k :?(U);S ` arrived k v :bool

(Amsg)l ∈ {li}i∈I

Γ ,Σ ·k :&{li :Si}i∈I ` arrived k l :bool(Alab)

Γ ` P.Σ ′ Σ ′ ≤ Σ

Γ ` P.Σ(Subs)

Γ ` u :i〈S〉 Γ ` P.Σ ·x :SΓ ` u(x :S).P.Σ

(Acc)Γ ` u :o〈S〉 Γ ` P.Σ ·x :S

Γ ` u(x :S);P.Σ(Req)

Γ ,Σ ` e :U Γ ` P.Σ ·k :SΓ ` k!〈e〉;P.Σ ·k :!(U);S

(Send)Γ ·x :U ` P.Σ ·k :S

Γ ` k?(x).P.Σ ·k :?(U);S(Recv)

Γ ` P.Σ ·k :SΓ ` k!〈k′〉;P.Σ ·k :!(T );S·k′ :T

(SSend)Γ ` P.Σ ·k :S·x :T

Γ ` k?(x).P.Σ ·k :?(T );S(SRecv)

1≤ i≤ n Γ ` P.Σ ·k :Si

Γ ` k / li;P.Σ ·k :⊕{li :Si}i∈I(Select)

∀i.1≤ i≤ n Γ ` Pi .Σ ·k :Si

Γ ` k .{li :Pi}n .Σ ·k :&{li :Si}i∈I(Branch)

Γ ,Σ ` e :bool Γ ` P.Σ Γ ` Q.Σ

Γ ` if e then P else Q.Σ(If)

Γ ·a :〈S〉 ` P.Σ ·aΓ ` (ν a :〈S〉)P.Σ

(Chan)Γ ` P.Σ Γ ` Q.Σ ′

Γ ` P | Q.Σ ·Σ ′(Par)

Σ end onlyΓ ` 0.Σ

(Nil)Γ ·X :∆ ` P.∆

Γ ` µX .P.∆(Rec)

Γ ·X :∆ ` X .∆(Pvar)

∀i ∈ I Γ ` Pi .Σ ·xi :Ti ∪i∈I Ti ≤ TΓ ` typecase k of {(xi :Ti)Pi}i∈I .Σ ·k :T

(Typecase)Σ end only

Γ ` a [ε].Σ ·a(Queue)

Fig. 10. Typing rules for programs.

Rule (Typecase) is an extension from the dynamic typing system of the λ -calculus[1] to session types. It checks the body Pi is typed under Σ with xi assigned to Ti. Thenthe whole process is typable with x assigned to T which is a supertype of all Ti.

C Typing Runtime ProcessesThis subsection gives typing for runtime processes following the presentation in [27].The judgement is extended as: Γ ` P . ∆ with ∆ ::= Σ | ∆ ·s : [S,i :~T ,o :~T ′] wherethe configuration element [S,i :~T ,o :~T ′] records the active type S of the configurationand types of values enqueued in the buffers. We extend T with labels (T ::= U | S | l).(S, [S′,i:~T ,o:~T ′]) pairs a type S for the session s and the type information [S,i:~T ,o:~T ′]for the associated configuration at s. We identify (S, [. . . ]) with ([. . . ],S).

The composition of ∆1 and ∆2, denoted by ∆1 � ∆2 [27], is defined as:

∆1 � ∆2 = {s :(∆1(s)�∆2(s)) | s ∈ dom(∆1)∩dom(∆2)}∪∆1 \dom(∆2)∪∆2 \dom(∆1)

where S� [S′,i :~T ,o :~T ′] = [S′,i :~T ,o :~T ′]� S = [S′,i :~T ,o :~T ′] if S ≤ S′; otherwiseundefined. Next, we define the session type remainder S′ obtained by subtracting avector of message types ~T from a session type S, denoted by S−~T = S′, by: (1) S−ε =

26

Γ ` P.∆ Γ ` Q.∆ ′

Γ ` P | Q.∆ � ∆′ (Par’)

Γ ` a :i〈S〉Γ ` a [〈S〉 :~s].∪s∈~s {s :(S, [S,i :ε,o :ε])},a

(Queue’)

Γ ,{s :S} ` s : S(ASreq’)

Γ ` a :o〈S〉Γ ` a〈s〉. s :(S, [S,i :ε,o :ε])

(Endpt)Γ ` P.∆ s,s ∈ dom(∆) wc(∆ ,s)

Γ ` (ν s)P.∆ \{s,s}(SRes)

∀i≤ m.Γ ,Σi ` hi : Ti ∀ j ≤ n.Γ ,Σ ′j ` h′j : T ′j Σ = Σ0·Σ1 · · ·Σm ·Σ ′1 · · ·Σ ′n ct(Σ0)

Γ ` s [S,i :~h,o :~h′].Σ � s : [S,i :~T ,o :~T ′](Config)

Fig. 11. Selected typing rules for runtime processes.

S; (2) ?(T );S− T ·~T if S− ~T = S′; and (3) &{li : Si}i∈I − li ·~T = S′ if for all i ∈ I,Si−~T = S′. Our session type remainder differs from that in [27] because we requirethe stronger condition that a well-formed configuration with an output prefixed activetype cannot have a non-empty local i-buffer or be composed with an configurationwith a non-empty o-buffer. We say a ∆ -environment is well-configured with respect toa session s, written wc(∆ ,s), if the following is satisfied:

∆(s) = [S1,i :~T1,o :~T ′2], ∆(s) = [S2,i :~T2,o :~T ′1] implies S′i = Si− (~Ti ·~T ′i ) (i ∈ {1,2}), S′1 ≤ S′2

These conditions say that, at any stage of execution of an established session, thetypes of the remaining session implementations on each endpoint, modulo any messagesbuffered (i.e. to be consumed by pending input actions) at the local i-buffer and oppos-ing o-buffer, should be subtypes of the active types in their respective configurations;and that the dual of the active type at one endpoint should be a supertype of the activetype at the other. We say that ∆ is well-configured, wc(∆), iff ∀s ∈ dom(∆),wc(∆ ,s).

Figure 11 lists the rules for typing runtime processes. The composition by (Par’)

pairs up the types of each session endpoint with the associated configurations to form(S, [S′,i :~T ,o :~T ′]). Rule (Queue’) creates a server-side type for each of the bufferedsession request messages, as well as recording the presence of the a-queue in the ∆ -environment like (Queue). Buffered session endpoints (i.e. endpoints being delegated)are typed using (Endpt), which creates a Σ -context holding the type of the endpoint; bytyping each buffered message under a separate Σ -context, the concatenation of thesecontexts ensures the linearity of buffered endpoints. (SRes) checks that the body of thesession restriction is well-configured with respect to the session, i.e. that the session im-plementations on each endpoint and the two session configurations together constitutea valid runtime state in the consistent execution of the session. Rule (Config) types allmessages enqueued within the i- and o-buffers of the endpoint configuration to con-struct the [S,i :~T ,o :~T ′] representation of the configuration. Using the properties of theordering between environments, ∆ < ∆ ′, we have:

Theorem 3.1 (Type Soundness) If Γ ` P .∆ , wc(∆) and P −→ Q, then Γ ` Q .∆ ′

and either ∆ = ∆ ′ or ∆ < ∆ ′.

Proof. The proof is done by using the induction on the structure of the typing rule,following each operational transition case.

27

Case [Request1].Let a(x).P−→ (ν s)(P{s/x} | s [i:ε,o:ε] | a〈s〉). By typing both sides of the transition,we have that Γ ` a(x).P.∆ and Γ ` (ν s)(P{s/x} | s [i :ε,o :ε] | a〈s〉).∆ as required.Note that Γ = Γ ′ ·a : o〈S〉.Case [Request2].Let a〈s〉 | a[~s]−→ a[~s · s]. If we type both sides of the transition, we get Γ ` a〈s〉 | a[~s].∆ ·~s :~S · s :S and Γ ` a[~s · s].∆ ·~s :~S · s :S as required.Case [Accept].Let a(x).P | a[s ·~s] −→ a(x).P{s/x} | s [i : ε,o : ε] | a[~s]. If we type both sides of thetransition we have Γ ` a(x).P | a[s ·~s].∆ ·a · s : S and Γ ` P{a/x} | a[~s].∆ ·a · s : S asrequired.Case [Send].Let 〈s〉v;P | s [o :~v] −→ P | s [o :~v · v]. If we type both sides of the transition, we haveΓ ` 〈s〉v;P | s [o :~v].∆ · s :!〈T 〉; S and Γ ` P | s [o :~v · v].∆ · s :S as required.Case [Send].Let s!〈s′〉;P | s [o :~v] | s′ [i :~v,o :~v′]−→ P | s [o :~v · s′] | s′ [i :~v,o :~v′]. If we type both sidesof the transition, we have Γ ` s!〈s′〉;P | s [o :~v] | s′ [i :~v,o :~v′] .∆ · s′ : S′ · s :!〈S′〉; S andΓ ` P | s [o :~v · v] | s′ [i :~v,o :~v′].∆ · s′ :S′ · s :S as required.

Below we assume the following as the inductive hypothesis (IH).Let P −→ P′ and Γ ` P .∆ and ∆ well configured, then Γ ` P′ .∆ ′ and ∆ = ∆ ′ or∆ < ∆ ′.Case [Par].Let P | Q −→ P | Q′. If we type both sides of the transition we have that Γ ` P | Q .∆P�∆Q and Γ ` P | Q′ .∆P�∆ ′Q. From the (IH), we have that ∆Q < ∆ ′Q and from thedefinition of � operator the result follows.Case [Chan].Let (ν a)(P)−→ (ν a)(P′). From the (IH), we have that Γ ·a :i〈S〉 ` P.∆ ·a and Γ ·a :i〈S〉 ` P′ .∆ ′ ·a and ∆ ·a < ∆ ′ ·a. From here we can see that Γ ·a :i〈S〉 ` (ν a)(P).∆

and Γ ·a :i〈S〉 ` (ν a)(P′).∆ ′ and ∆ < ∆ ′ as required.Case [Sess].Let (ν s)(P)−→ (ν s)(P′). From the (IH), we have that Γ `P.∆ ·s:S and Γ `P′.∆ ′ ·s:S′ and ∆ · s : S < ∆ ′ · s : S′. By runtime typing rule (SRes), we have that Γ ` (ν s)(P).∆

and Γ ` (ν s)(P′).∆ ′ and ∆ < ∆ ′ as required.

D Appendix for Section 3

Transitions: We write =⇒ for the reflexive and transitive closure of τ−→, `=⇒ for the

composition =⇒ `−→=⇒ andˆ

=⇒ for =⇒ if `= τ and `=⇒ otherwise. Furthermore we

writeˆ−→ for −→ if `= τ and `−→ otherwise.

Subject and Object: We define the subject (subj(`)) and object (obj(`)) for actions`. For session transitions, we have subj(a〈s〉) = subj(a〈s〉) = subj(a(s)) = {a} andobj(a〈s〉) = obj(a〈s〉) = obj(a(s)) = {s}. For sesion transitions, we have subj(s!〈v〉) =subj(s?〈x〉)= subj(s!(a))= subj(s⊕l)= subj(s&l)= {a} and obj(s!〈v〉)= {v}, obj(s?〈x〉)={x}, subj(s!(a)) = {a} subj(s⊕ l) = subj(s&l) = {l}.

28

Free and Bound Names: Free and bound names follow the definition, fn(a〈s〉) =fn(a〈s〉) = {a,s}, fn(a(s)) = {a}, bn(a〈s〉) = bn(a〈s〉) = /0, bn(a(s)) = {s} for sharedname actions. For session name actions, we have fn(s!〈v〉) = fn(s?〈x〉) = fn(s!(a)) =fn(s⊕ l) = fn(s&l) = {s}, where v is not a name, fn(s!〈a〉) = {s,a}, fn(s!〈s′〉) = {s,s′}and bn(s!〈v〉) = fn(s?〈x〉) = subj(s!〈a〉) = bn(s⊕ l) = bn(s&l) = /0, bn(s!(a)) = {a},bn(s!(s′)) = {s′}.

The names of an action (n(`)) is the union of fn(`) and bn(`), n(`) = fn(`)∪bn(`).

Contexts: We define the context of a process. Assume that α is a prefix:

– α ∈ {a(s). ,a(s). ,s!〈v〉; ,s?(x). ,s!� l; }.– C ::=− | C |C | C | D | (ν n)(C) | if e then C else C | α.C

| µX .C | s�{li : C}i∈I | X | 0– D ::= s [i :~hi,o :~ho] | a[~s].

D.1 Proof for Theorem 3.3Theorem (Coincidence) ≈ and ∼= coincide.

The above theorem requires to show the equality into two directions.

Lemma D.1 (Soundness). ≈ implies ∼=

Proof. The prove of the soundness direction follows P ≈ Q implies ∀ C, C[P] ≈C[Q]and ∀C, C[P]≈C[Q] implies ∀C, C[P]∼=C[Q]

To prove the above it is enough to show the first implication, that bisimulation is acongruence, meaning that bisimulation is preserved through parallel composition, pre-fixed processes and the restriction operator. The second implication is trivial.

To show that input prefixed processes are congruent, consider:

P≈ Q implies α.P≈ α.Q where α is an input prefix.

Assume that

S = {(α.P,α.Q)|P≈ Q,α.P,α.Q typable,α is an input prefix}

then S is a bisimulation.As a note here, consider the case where:

s!〈v〉; 0 | s [!〈T 〉; end,i :ε,o :ε]≈ 0 | s [!〈T 〉; end,i :ε,o :v]

If we prefix the above pair with s?(v′). Then we have

s?(v′).s!〈v〉; 0 | s [?(T ′); !〈T 〉; end,i :ε,o :ε] and s?(v′).0 | s [?(T ′); !〈T 〉; end,i :ε,o :v]

Obviously the second process is not typable. The runtime type of the s buffer doesnot agree with the process typing.

29

The proof that S is a bisimulation considers a simple reduction on the processes ofS to reach to their bisimilar point.

Output prefix and restriction are trivial.The interesting case is the parallel composition of processes:

P≈ Q implies P | R≈ Q | R (1)

We assume

S = {(P | R,Q | R)|P≈ Q,∀R such that P|R,Q|R are localised and typable}

We show that S is a bisimulation. There are three cases:

Case (1) Suppose Γ ` P | R.∆1`−→ P′ | R.∆ ′1. Then Γ ` P.∆P

`−→ P′ .∆ ′P.By the definition of S:

Γ ` Q.∆Q`

=⇒ Q′ .∆′Q and (2)

∆′P ./ ∆

′Q (3)

By (2) we have that Γ ` Q | R.∆2`

=⇒ Q′ | R.∆ ′2. It remains to show that ∆ ′1 ./ ∆ ′2.By composing parallel processes, we have that ∆ ′1 = ∆ ′P�∆R and ∆ ′2 = ∆ ′Q�∆R.From the definition of bisimulation (Definition 3.1), we have that P,Q,P′ and Q′ are

localised, hence: ∀ s∈ dom(∆ ′P), ∆ ′P(s)= (S, [S′,i :~hi,o :~ho]), ∀ a∈ dom(∆ ′P), ∆ ′P(a)=a, ∀ s ∈ dom(∆ ′Q), ∆ ′Q(s) = (S, [S′,i : ~hi,o : ~ho]) and ∀ a ∈ dom(∆ ′Q), ∆ ′Q(a) = a.

From the above, the definition of � operator and localisation of P and Q we canconclude that dom(∆ ′P)∩dom(∆R) = /0 and dom(∆ ′Q)∩dom(∆R) = /0. The last condi-tion, along with (3) gives that P | R≈ Q | R as required.

Case (2) Suppose Γ ` P | R.∆1`−→ P | R′ .∆ ′1. Then Γ ` R.∆R

`−→ R′ .∆ ′R.

By the above, we have that Γ ` Q | R .∆2`−→ Q | R′ .∆ ′2. It remains to show that

∆ ′1 ./ ∆ ′2.By composition of parallel processes, we have that ∆ ′1 =∆P�∆ ′R and ∆ ′2 =∆Q�∆ ′R.From the the definition of bisimulation (Definition 3.1),we have that P and Q′ are

localised, so: ∀ s∈ dom(∆P), ∆ ′P(s) = (S, [S′,i :~hi,o :~ho]), ∀ a∈ dom(∆P), ∆ ′P(a) = a,∀ s ∈ dom(∆Q), ∆ ′Q(s) = (S, [S′,i : ~hi,o : ~ho]) and ∀ a ∈ dom(∆Q), ∆ ′Q(a) = a.

From the above, the definition of� and localisation we can conclude that: dom(∆P)∩dom(∆ ′R) = /0 and dom(∆ ′Q)∩dom(∆ ′R) = /0.

From here, we conclude P | R≈ Q | R as required.

Case (3) Suppose Γ ` P | R.∆1 −→ P′ | R′ .∆ ′1. Then we have

Γ ` P.∆P`−→ P′ .∆

′P (4)

(5)

By the definition of S, we have:

Γ ` Q.∆Q =⇒ `−→ =⇒ Q′ .∆′Q (6)

∆′P ./ ∆

′Q (7)

30

By (6), we have that Γ ` Q | R .∆2 =⇒ Q′ | R′ .∆ ′2. Then it remains to show that∆ ′1 ./ ∆ ′2. By composing parallel processes, we have that ∆ ′1 = ∆ ′P�∆ ′R and ∆ ′2 = ∆ ′Q�∆ ′R

From the definition of the bisimulation we have that P,Q,P′ and Q′ are localised,so: ∀ s ∈ dom(∆ ′P), ∆ ′P(s) = (S, [S′,i : ~hi,o : ~ho]), ∀ a ∈ dom(∆ ′P), ∆ ′P(a) = a, ∀ s ∈dom(∆ ′Q), ∆ ′Q(s) = (S, [S′,i : ~hi,o : ~ho]) and ∀ a ∈ dom(∆ ′Q), ∆ ′Q(a) = a.

From the above and the definition of � and the localisation we can conclude:dom(∆ ′P)∩dom(∆ ′R) = /0 and dom(∆ ′Q)∩dom(∆ ′R) = /0. The last result along with (7)gives us that P | R≈ Q | R as required. ut

The proof for the completeness direction follows the technique shown in [9]. How-ever we need to adapt it to session and buffers.

Definition D.1. An external action ` is definable if for for a set of names N, actionssucc, f ail /∈ N there is a testing process T 〈N,succ, f ail, `〉 with the property that forevery process P and fn(P)⊆ N

– P `−→ P′ implies that T 〈N,succ, f ail, `〉 | P =⇒ (ν bn(`))(succ [o :bn(`)]|P′)– T 〈N,succ, f ail, `〉 |P=⇒Q, where Q⇓succ,Q 6⇓ f ail implies that Q=(νbn(`))(succ [o:

bn(`)]|P′)

Lemma D.2. Every external action is definable.

Proof. The input action cases are straightforward:

1. If Γ ` P.∆Pa〈s〉−→ P′ .∆P′ then T = a〈s〉 | succ [o :tt].

2. If Γ ` P.∆Ps?〈v〉−→ P′ .∆P′ then T = s [o :v] | succ [o :tt].

3. If Γ ` P.∆Ps&`−→ P′ .∆P′ then T = s [o :`] | succ [o :tt].

The requirements of Definition D.1 can be verified with simple transitions.

Output actions cases:

1. If Γ ` P.∆Pa〈s〉−→ P′ .∆P′ then we have,

T = f ail〈〉 | a[ε] | succ [o :ε] | a(y).(if y = s then ( f ail[ε] | succ!〈y〉; 0) else (ν b)(b(x).succ!〈y〉; 0 | b[ε]))

2. If Γ ` P.∆Pa(s)−→ P′ .∆P′ .

Then we have:

T = f ail〈〉 | a[ε] | succ [o :ε] | a(y).(if y ∈ N then (ν b)(b(x).succ!〈y〉; 0 | b[ε]) else ( f ail[ε] | succ!〈y〉; 0))

3. If Γ ` P.∆Ps!〈b〉−→ P′ .∆P′ or Γ ` P.∆P

s!〈s′〉−→ P′ .∆P′ then we have that:

T = f ail〈〉 | s [i :ε] | succ [o :ε] | s?(y).(if y = b then ( f ail[ε] | succ!〈y〉; 0) else (ν b)(b(x).succ!〈y〉; 0 | b[ε]))

respectively for s!〈s′〉 we have for the if expression y = s.

31

4. If Γ ` P.∆Ps⊕li−→ P′ .∆P′ then we have that:

T = f ail〈〉 | s [i :ε] | succ [o :ε] | s�{li : f ail[ε] | succ!〈y〉; 0}i∈I ,1≤ i≤ n

Again the requirements of Definition D.1 can be verified by simple transitions for eachcase.

Note that process (ν b)(b(x).succ!〈y〉; 0 | b[ε]) is used to maintain the entire processtypable. Obviously this process is bisimilar to 0.

ut

Lemma D.3. If succ is fresh, b ∈~a ·~s and

Γ ` (ν~a,~s)(P | succ [o :b]).∆1 ∼= (ν~a,~s)(Q | succ [o :b]).∆2 (8)

then

Γ ` P.∆P ∼= Q.∆Q (9)

Proof. Define

S = {(Γ ` P.∆P,Γ ` Q.∆Q) |Γ ` (ν~a,~s)(P | succ [o :b]).∆1 ∼= (ν~a,~s)(Q | succ [o :b]).∆2,succ is fresh}

We shall show that the contextual properties hold in S.

Reduction Closedness: S is reduction closed by the freshness of succ. We cannot ob-served a τ transition on succ, so we conclude that if Γ ` (ν~a,~s)(P | succ [o :b]).∆1 =⇒(ν~a,~s)(P′ | succ [o:b]).∆ ′1 implies Γ ` (ν~a,~s)(Q | succ [o:b]).∆2 =⇒ (ν~a,~s)(Q′ | succ [o:b]).∆ ′2 then Γ ` P.∆P =⇒ P′ .∆ ′P implies Γ ` Q.∆Q =⇒ Q′ .∆ ′Q

It remains to show that ∆ ′P ./ ∆ ′Q. From results (8) and (9) and the (Par) typing rulewe conclude that: ∆ ′1 ./ ∆ ′2, ∆ ′1 = ∆ ′P · succ : [o : T ] and ∆ ′2 = ∆ ′Q · succ : [o : T ].

We also have the assumption that succ is fresh, so: ∀ s ∈ dom(∆1), s 6= succ and∀ s ∈ dom(∆2), s 6= succ.

The result is immediate by the definition of the ./ operator.

Preserve Observation: If P ⇓ c then if c /∈~a ·~s then (ν~a,~s)(P | succ [o :b]) ⇓ c implies(ν~a,~s)(Q | succ [o :b]) ⇓ c. From the freshness of succ, we conclude Q ⇓ c

Suppose now the case where c ∈~a ·~s. We define T = succ?(x).OK!〈〉; 0. Under theassumption that P ⇓ c we conclude that T | (ν~a,~s)(P | succ [o :b]) ⇓ OK.

From the context property of (8) we have that Γ ` T | (ν~a,~s)(P | succ [o :b]).∆1 ∼=Γ ` T | (ν~a,~s)(Q | succ [o : b]) .∆2 and T | (ν~a,~s)(Q | succ [o : b]) ⇓ OK. But this canonly happen if Q ⇓ c as required.

Context Property: The interesting case is the parallel composition. We shall show thatif Γ `P.∆P S Q.∆Q. Then for arbitrary process R we have that Γ `P |R.∆PR S Q | R.∆QR and ∆PR ./ ∆QR.

If we consider that succ may occur in R, then to conclude the above it is enough toshow that: Γ ` (ν~a,~s)(P | succ′ [o : b]) | R .∆ ∼= (ν~a,~s)(Q | succ′ [o : b] | Q) .∆ ′ where

32

succ′ is fresh. Assume the process: T = succ?(x).succ′!〈tt〉; R | succ′ [o :ε], then fromthe contextual property of the theorem assumption, we have that: Γ ` (ν~a,~s)(P | succ [o:b]) | T .∆ ∼= (ν~a,~s)(Q | succ [o :b] | T ).∆ ′.

By the above, it is easy to prove (D.1).We now show the typing result. Due to localisation, we have ∆P∩∆R = /0 and ∆Q∩

∆R = /0. From the definition of ∼=, we have that ∆P ./ ∆Q This implies: ∆P � ∆R ./∆Q�∆R, as required. ut

We are know ready to prove the completeness direction.

Lemma D.4 (Completness). ∼= implies ≈

Proof. For the proof we show that if

Γ ` P.∆P ∼= Q.∆Q and (10)

Γ ` P.∆P`−→ P′ .∆

′P (11)

then Γ ` Q.∆Q`−→ Q′ .∆ ′Q and Γ ` P′ .∆ ′P

∼= Q′ .∆ ′Q

Suppose (10) and (11). Then there are two cases.If `= τ then by reduction closeness of ∼= the result follows.In the case where ` is an external action we can do a definability test for P by

choosing the appropriate test T .Because ∼= is context preserving we have that Γ ` P | T .∆PT ∼= Q | T .∆QT . By

Lemma D.1 we have that Γ ` P | T .∆PT =⇒ (ν bn(`))(succ [o : bn(`)]|P′) .∆ so bythe definition of∼= (Definition 3.2), we have that Γ ` T |Q.∆QT =⇒ R.∆ ′. Accordingto the second part of the Definition D.1, we can write:

Γ ` R.∆′ = Γ ` (ν bn(`))(succ [o :bn(`)]|Q′).∆

′ (12)

Γ ` Q.∆Q`

=⇒ Q′ .∆′Q (13)

Now we can derive Γ ` (ν bn(`))(succ [o:bn(`)]|P′).∆ ∼=R.∆ ′ and Γ ` (ν bn(`))(succ [o:bn(`)]|P′) .∆ ∼= Γ ` (ν bn(`))(succ [o : bn(`)]|Q′) .∆ ′. By Lemma D.3 we concludethat:

Γ ` P′ .∆′P∼= Q′ .∆

′Q (14)

∆′P ./ ∆

′Q (15)

We began with the assumption that Γ ` P.∆P ∼= Γ `Q.∆Q and we concluded to (13),(14) and (15). Thus ∼= implies ≈.

ut

D.2 Bisimulation PropertiesProof for Lemma 3.4 We define input and output actions.

Definition (Input/Output Actions).

1. ` is an input action if ` ∈ {a〈s〉,a〈s〉,s?〈v〉,s?(v),s&li}

33

2. ` is an output action if ` ∈ {a〈s〉,a(s),s!〈v〉,s!(v),s⊕ li}

Lemma (Input and Output Asynchrony).

Suppose Γ ` P.∆`

=⇒ P′ .∆ ′.

1. (input advance) If ` is an input action, then Γ ` P.∆`−→=⇒ P′ .∆ ′.

2. (output delay) If ` is an output action, then Γ ` P.∆ =⇒ `−→ P′ .∆ ′.

Proof. For the first part of Lemma 3.4, there are two cases.

Case (1) The action takes place on a shared channel. Process P has the form R | a[~s],thus Γ ` R | a[~s].∆

a〈s〉=⇒ R′ | a[~s′ · s].∆ ′ with~s · s =~sδ ·~s′,(~sδ =~s′δ · s∧~s′ = /0)∨~s′ =

~s′′ · s, ∆ ′ = ∆ ′R� s : S. So Γ ` R | a[~s] .∆a〈s〉−→ R | a[~s · s] .∆ ′′ =⇒ R′ | a[~s′] .∆ ′′′ with

~s · s =~sδ ·~s′,(~sδ =~s′δ · s∧~s′ = /0)∨~s′ = ~s′′ · s and ∆ ′′′ = ∆ ′R� s :S.We conclude the same processes with the same typing as required.

Case (2) Input communication takes place on a session channel. It is similar usinga session queue.

For the second part of Lemma 3.4, there are two cases.

The first case is the action happening on a shared channel. Then Γ ` P .∆ =⇒P′′ | a〈s〉 a!〈s〉−→ P′′ =⇒ P′ .∆ ′.

From this we can always conclude that Γ ` P.∆ =⇒ P′ | a〈s〉 a!〈s〉−→ P′ .∆ ′.It is obvious that ∆ = ∆ ′.For the second case, we have the action to be observed on a session channel. Γ `

P | s [o :v ·~h].∆s!〈v〉=⇒ P′ | s [o :~h′].∆ ′, where ~h′ =~h · ~hδ .

Thus we can see that Γ ` P | s [o : v ·~h].∆ =⇒ P′ | s [o : v ·~h′] s!〈v〉−→ P′ | s [o :~h′].∆ ′,where v ·~h′ = v ·~h · ~hδ , which concludes the same result as above, with ∆ = ∆ ′. ut

Proof for Lemma 3.8

Lemma. Let P be session determinate and Q be a session derivative of P. Then P≈Q.

Proof. The proof considers induction on the length of =⇒s transition. The basic step istrivial. For the induction step step we do a case analysis on −→s transition.Case Receive.. By the typability of P, we have that P′ = s?(x).Q | s [i : v ·~h] | R −→s

P′′ = Q{v/x} | s [i :~h] | R.From the induction step, we have that P≈ P′. To show that P≈ P′′ we need to show

that P′ ≈ P′′. We will use the fact that bisimulation is a congruence. Consider R ≈ Rand s?(x).Q | s [i :v ·~h]≈ Q | s [i :~h].

Due to s /∈ fn(R) we can compose in parallel bisimilar processes and get that P′≈P′′

as required.The rest of the cases follow similar arguments. ut

34

Confluence by Construction

Lemma D.1. 1. If P,Q be confluent processes and fn(P)∩ fn(Q) = /0 and P | Q istypable then P | Q is confluent.

2. If P is confluent and a /∈ fn(P) then a(x).P | a[ε] is confluent.

Proof. For the first part of the proof we need to show that if Γ ` P | Q.∆˜

=⇒ R.∆ ′,

then if R`1−→ R1 and R

`2=⇒ R2 then R1`2=⇒ R′, R2

`1=⇒ R′′ and R′ ≈ R′′.

Since fn(P)∩ fn(Q) = /0, we have that R = P′ | Q′, P˜′

=⇒ P′ and Q˜′′

=⇒ Q′ and P′

and Q′ are confluent.

We now do a case analysis on the possible`1=⇒,

`2=⇒ transitions and proof the bisim-ilarity of the resulting processes.

To present a case assume that `1, `2 happen on P′ but =⇒ transition is observed inboth P′ and Q′. Recall that the P′ and Q′ cannot interact because of free name disjoint-

ness. So we have that P′ |Q′ `1−→ P1 |Q′ and P′ |Q′ `2=⇒ P2 |Q2. Because P′ is confluent

we have that P1 |Q′`2=⇒ P′′ |Q′′ and P2 |Q2

`1=⇒ P′′′ |Q′′′ and P′′ ≈ P′′′ (because of theconfluence of P′).

We also conclude that: Q′ =⇒ Q′′ and Q′ =⇒ Q′′′ and from Lemma 3.8, we havethat Q′ ≈ Q′′ Q′ ≈ Q′′′ which concludes that Q′′ ≈ Q′′′.

To show that P′′ |Q′′ ≈ P′′′ |Q′′′ we need to check the actions that each process can

do. Again recall that P′′,Q′′ and P′′′,Q′′′ are free name disjoint. So if P′′ |Q′′ `−→ P0 |Q′′

and P′′ | Q′′ `′−→ P′′ | Q0 then P′′′ | Q′′′ `=⇒ P′0 | Q′′ and P′′′ | Q′′′ `′

=⇒ P′′′ | Q′0 becauseP′′ ≈ P′′′ and Q′′ ≈Q′′′. We apply a similar analysis for the other direction and the resultfollows as required.

For the second part of the proof, we have that a(x).P | a[ε] a〈s〉−→ a(x).P | a[s] −→P{s/x} | a[ε] and P{s/x} | a[ε] is confluent by Part 1 of this lemma. ut

Proof for Lemma 3.9

Lemma D.5. Let typable, localised P and actions `1, `2 such that subj(`1),subj(`2) are

session names and `1 ./ `2. If Γ ` P .∆`1−→ P1 .∆1 and Γ ` P .∆

`2−→ P1 .∆2 then

Γ ` P1 .∆`2b`1−→ P′ .∆ ′ and Γ ` P2 .∆

`1b`2−→ P′ .∆ ′

Proof. The result is an easy case analysis on all the possible comptations of `1, `2.

We give an interesting case. Let (ν a)(P | s1 [o : ~h1 · a] | s2 [o : ~h2 · a])s1!(a)−→ P | s1 [o :

~h1] | s2 [o :~h2 ·a] and (ν a)(P | s1 [o :~h1 ·a] | s2 [o :~h2 ·a])s2!(a)−→ P | s1 [o :~h1 ·a] | s2 [o :~h2].

Now it is easy to see that P | s1 [o : ~h1] | s2 [o : ~h2 · a]s2!〈a〉−→ P | s1 [o : ~h1] | s2 [o : ~h2] and

P | s1 [o :~h1 ·a] | s2 [o :~h2]s1!〈a〉−→ P | s1 [o :~h1] | s2 [o :~h2] as required. ut

Two useful lemmas follow.

Lemma D.6. Let P be session determinate. Then if Γ ` P . ∆`−→ P′ . ∆ ′ and Γ `

P.∆`

=⇒ P′′ .∆ ′′ then P′ ≈ P′′

35

Proof. There are two cases:Case τ:. Follow Lemma 3.8 to get P≈ P′ and P≈ P′′. The result then follows.

Case `:. Suppose that P `−→s P′ and P `=⇒s P′′ implies P=⇒s P1

`−→s P2 =⇒s P′′. FromLemma 3.8, we can conclude that P≈ P1 and because of the bisimulation definition, wehave P′ ≈ P2 to complete we call upon 3.8 once more to get P′ ≈ P′′ as required. ut

Lemma D.7. Let P be session determinate and `1 ./ `2. Then if Γ ` P.∆`1−→ P1 .∆1

and Γ ` P .∆`2=⇒ P2 .∆2. Then Γ ` P1 .∆1

`2b`1=⇒ P′ .∆ ′ and Γ ` P2 .∆2

`1b`2=⇒ P′′ .∆ ′′

and P′ ≈ P′′

Proof. The proof considers a case analysis on the combination of `1, `2.

Case `1 = s1!〈v1〉, `2 = s2?〈v2〉.

P | s1 [o :~h1 · v1] | s2 [i :~h2]`1−→s P1 | s1 [o :~h1] | s2 [i :~h2]

=⇒s P′1 | s1 [o :~h′1] | s2 [i :~h′2]`2−→s P′1 | s1 [o :~h′1] | s2 [i :~h′2 · v2]

=⇒s P′ | s1 [o : ~h′′1 ] | s2 [i : ~h′′2 ]

P | s1 [o :~h1 · v1] | s2 [i :~h2] =⇒s P0 | s1 [o :~h0 · v1] | s2 [i :~h′0]`2−→s P′0 | s1 [o :~h0 · v1] | s2 [i :~h′0 · v2]

=⇒s P2 | s1 [o :~h′2 · v1] | s2 [i : ~h′′2 · v2]

=⇒s P′2 | s1 [o :~h3 · v1] | s2 [i :~h′3]`2−→s P′2 | s1 [o :~h4] | s2 [i :~h′4]

=⇒s P′′ | s1 [o :~h′] | s2 [i : ~h′′]

By using Lemma 3.4, we have that P | s1 [o : ~h1 · v1] | s2 [i : ~h2] =⇒s`1−→s

`2−→s=⇒s

P′ | s1 [o:~h′′1 ] | s2 [i:~h′′2 ] and P | s1 [o:~h1 ·v1] | s2 [i:~h2]`2−→s=⇒s

`1−→s P′′ | s1 [o:~h′] | s2 [i:~h′′]. We use the lemmas D.5, 3.4 to get P | s1 [o:~h1 ·v1] | s2 [i:~h2]

`2−→s=⇒s`1−→s P′ | s1 [o:

~h′′1 ] | s2 [i : ~h′′2 ].The rest of the proof considers Lemma 3.8.

We summarise the above to prove Lemma 3.9.

Lemma. If P is session determinate then P is determinate and confluent.

Proof. From the definition of confluence (resp. determinacy) and from the definition ofP we have that

∀Γ ` P.∆0˜

=⇒s Q.∆

and Q can only do˜

=⇒s actions. By Lemma D.7 (resp. D.6 we can see that P gives usthe required property. ut

36

Proof for Lemma 3.11

Lemma. Let R be a determinate upto-expansion relation. Then R is inside a bisimu-lation.

Proof. The proof is easy by showing =⇒ R ⇐= is a bisimulation. If we write thisrelation S , we can easily check that this relation is a bisimulation, using determinacy(commutativity with other actions).

ut

E Comparison with Asynchronous/Synchronous CalculiE.1 Behavioural Theory for Session Type System with Input Buffer EndpointsBefore we prove the relations in § 6, we define a behavioural theory for the asyn-chronous session π-calculus with two end-point queues but without IO-queues [6, 7,27].

〈AccA〉 a[~s]a〈s〉−→ a[~s · s] 〈ReqA〉 a〈s〉 a〈s〉−→ 0 〈InA〉 s[~h]

s?〈v〉−→ s[~h · v]

〈OutA〉 s!〈v〉; Ps!〈v〉−→ P 〈BraA〉 s[~h] s&l−→ s[~h · l] 〈SelA〉 s!� l; P s⊕l−→ P

〈LocalA〉P −→ Q

P τ−→ Q〈ParA〉

P `−→ P′ bn(`)∩ fn(Q) = /0

P | Q `−→ P′ | Q〈TauA〉

P `−→ P′ Q `′−→ Q′ `� `′

P | Q τ−→ (ν bn(`,`′))(P′ | Q′)

〈ResA〉P `−→ P′ n 6∈ fn(`)

(ν n)P `−→ (ν n)P′〈OpenSA〉

Pa〈s〉−→ P′

(ν a)Pa(s)−→ P′

〈OpenNA〉P

s〈a〉−→ P′

(ν a)Ps(a)−→ P′

〈AlphaA〉P≡α P′ P′ `−→ Q

P `−→ Q

Fig. 12. Labelled Transition for Session Type System with Two Buffer Endpoint Without IO

A labelled transition system is given in Figure 12. The LTS is similar to the LTS ofthe calculus studied in this paper (4), except from the output actions. Shared channels,and input actions have identical transition labels. The output actions cannot be observedon the buffer since there is no output buffer defined. Instead they are observed in anoutput reduction of a process.

E.2 Proofs for Section 6We prove the results in § 6 for the two asynchronous session typed π-calculus, by eithergiving the bisimulation closures when a bisimulation holds or giving the counterexam-ple when bisimulation does not hold. The results for the synchronous and asynchronousπ-calculi are well-known, hence we omit.

1. Case s!〈v〉; s!〈w〉; P | s [o:ε] 6≈ s!〈w〉; s!〈v〉; P | s [o:ε]. On the left hand side process

we can observe a τ transition and get s!〈w〉; P | s [o : v]s!〈v〉−→ s!〈w〉; P | s [o : ε] but

s!〈w〉; s!〈v〉; P | s [o :ε] 6 s!〈v〉=⇒ as required.

37

2. Case s1!〈v〉; s2!〈w〉; P | s1 [o : ε] | s2 [o : ε] ≈ s2!〈w〉; s1!〈v〉; P | s1 [o : ε] | s2 [o : ε].Relation:

R = { (s1!〈v〉; s2!〈w〉; P | s1 [o :ε] | s2 [o :ε] , s2!〈w〉; s1!〈v〉; P | s1 [o :ε] | s2 [o :ε]),(s2!〈w〉; P | s1 [o :v] | s2 [o :ε] , P | s1 [o :v] | s2 [o :w]),(P | s1 [o :v] | s2 [o :w] , s1!〈v〉; P | s1 [o :ε] | s2 [o :w]),(P | s1 [o :v] | s2 [o :w] , P | s1 [o :v] | s2 [o :w]),(s2!〈w〉; P | s1 [o :ε] | s2 [o :ε] , P | s1 [o :ε] | s2 [o :w]),(P | s1 [o :ε] | s2 [o :ε] , P | s1 [o :ε] | s2 [o :ε]),(P | s1 [o :ε] | s2 [o :w] , P | s1 [o :ε] | s2 [o :w]),(P | s1 [o :v] | s2 [o :ε] , P | s1 [o :v] | s2 [o :ε])}

gives the result.3. Case s?(x).s?(y).P | s [i :ε] 6≈ s?(y).s?(x).P | s [i :ε].

On both processes we can observe a s?〈v〉 transition and get s?(x).s?(y).P | s [i :v] τ−→ s?(y).P{v/x} | s [i:ε] and s?(w).s?(v).P | s [i:v] τ−→ s?(x).P{v/y} | s [i:ε].From the substitution, we have that both processes are not bisimilar.

4. Case s1?(x).s2?(y).P | s1 [i :ε] | s2 [i :ε]≈ s2?(y).s1?(x).P | s1 [i :ε] | s2 [i :ε].Relation

R = { (s1?(x).s2?(y).P | s1 [i :ε] | s2 [i :ε] , s2?(y).s1?(x).P | s1 [i :ε] | s2 [i :ε]),(s1?(x).s2?(y).P | s1 [i :v] | s2 [i :ε] , s2?(y).s1?(x).P | s1 [i :v] | s2 [i :ε]),(s1?(x).s2?(y).P | s1 [i :ε] | s2 [i :w] , s2?(y).s1?(x).P | s1 [i :ε] | s2 [i :w]),(s1?(x).s2?(y).P | s1 [i :v] | s2 [i :w] , s2?(y).s1?(x).P | s1 [i :v] | s2 [i :w]),(s2?(y).P | s1 [i :ε] | s2 [i :ε] , s2?(y).s1?(x).P | s1 [i :v] | s2 [i :ε]),(s1?(x).s2?(y).P | s1 [i :ε] | s2 [i :w] , s1?(x).P | s1 [i :ε] | s2 [i :ε]),(s2?(y).P | s1 [i :ε] | s2 [i :w] , P | s1 [i :ε] | s2 [i :ε]),(P | s1 [i :ε] | s2 [i :ε] , s1?(x).P | s1 [i :v] | s2 [i :ε]),(s2?(y).P | s1 [i :ε] | s2 [i :w] , s2?(y).s1?(x).P | s1 [i :v] | s2 [i :w]),(s1?(x).s2?(y).P | s1 [i :v] | s2 [i :w] , s1?(x).P | s1 [i :v] | s2 [i :ε]),(P | s1 [i :ε] | s2 [i :ε] , P | s1 [i :ε] | s2 [i :ε])}

gives the result.

E.3 Arrived Operators in the π-CalculiIn this subsection, we define two arrive inspected calculi that try to simulate block-ing and order-preserving properties as the synchronous and asynchronous π-calculi,respectively.

For the synchronous π-calculus, we have blocking and order-preserving input andoutput and for the asynchronous π-calculus we have non-blocking and non-order pre-serving input and output.

In the context of the synchronous π-calculus, we cannot easily define the arrivedoperator without a slight compromise of the non blocking input property, due to theasynchronous nature of the arrived operator on the input queue of an endpoint.

The synchronous π-calculus can be represented asynchronously by having channelbuffers of size one.Syntax of the Synchronous-like π-Calculus with Arrive.

P ::= 0 | a[ε] | a(x).P | a〈v〉.P | P|P | (ν a)P | if arrived a then P else P

38

Labelled Transition Semantics of the Synchronous π-Calculus with Arrive.

a〈v〉.P a〈v〉−→ P a(x).P|a[ε] a〈v〉−→ a(x).P|a[v] a(x).P | a[v]−→ P{v/x}

P `−→ P′, fn(`)∩ fn(Q) = /0

P|Q `−→ P′|Q

P `−→ P′, Q `′−→ Q′, `� `′

P|Q τ−→ (ν bn(`,`′))(P′|Q′)P `−→ P′ n 6∈ fn(`)

(ν n)P `−→ (ν n)P′

Pa〈v〉−→ P′

(ν a)Pa(v)−→ P′

P≡α P′ P′ `−→ Q

P `−→ Q

if arrived a then P else Q|a[ε] τ−→ Q|a[ε]

if arrived a then P else Q|a[v] τ−→ P|a[v]

In the synchronous π-calculus with arrived operator, channel buffers have size ofone and we can receive a value from the environment, only if a corresponding processis ready to receive on the buffer channel.

To demonstrate the compromise done in to achieve this definition consider

a(x).Pa?〈v〉−→ P{v/x}

a(x).P | a[ε] a?〈v〉−→−→ P{v/x} | a[ε]

The first process is in the classic synchronous π calculus. We can only observe oneinput action. For the second system we observe an asynchronous input action. Firsta message is put in the communication buffer and then the actual receive happens.Between the two transition an arrive inspection can happen.

The asynchronous π-calculus with arrived operator is easier to be defined in aqueue context. The idea here is to have endpoints that use a random policy for messageexchange:

Syntax of the Asynchronous π-Calculus with Arrive.

P ::= 0 | a[ε] | a(x).P | a〈v〉 | P|P | (ν a)P | if arrived a then P else P

Labelled Transition Semantics of the Asynchronous π-Calculus with Arrive.

a〈v〉 a〈v〉−→ 0 a[~h]a〈h〉−→ a[~h ·h]

a?(x).P | a[~h1 ·hi · ~h2]−→ P{hi/x} | a[~h1 · ~h2]P `−→ P′ fn(`)∩ fn(Q) = /0

P|Q `−→ P′|QP `−→ P′ Q `′−→ Q′ `� `′

P|Q τ−→ (ν bn(`,`′))(P′|Q′)P `−→ P′ n 6∈ fn(`)

(ν n)P `−→ (ν n)P′

Pa〈v〉−→ P′

(ν v)Pa(v)−→ P′

P≡α P′ P′ `−→ Q

P `−→ Q

if arrived a then P else Q|a[ε] τ−→ Q|a[ε]

if arrived a then P else Q|a[h ·~h] τ−→ P|a[~h]

39

The above definition disallows the order preserving property in the system but keepsthe non blocking property as required by the asynchronous π-calculus.

Figure 7 shows that the arrive construct behaves the same on all of the calculi.

F Appendix for Selectors

F.1 Mapping

The selector operator is discussed in detailed along with its reduction properties andapplications in [15]. In this section we present an ESP encoding of the selector.

We can extend ESP with the selector operations, with the following reduction se-mantics.

new selector r in P−→ (ν r)(P | sel〈r, ε〉) register〈s′,r〉;P | sel〈r,~s〉 −→ P | sel〈r,~s · s′〉let x = select(r) in typecase x of {(xi :Ti) : Pi}i∈I | sel〈r, s′ ·~s〉 | s′ [S,i :~h]

−→ Pi{s′/xi} | sel〈r,~s〉 | s′ [S,i :~h] (~h 6= ε)let x = select(r) in typecase x of {(xi :Ti) : Pi}i∈I | sel〈r, s′ ·~s〉 | s′ [i :ε]

−→ let x = select(r) in typecase x of {(xi :Ti) : Pi}i∈I | sel〈r,~s · s′〉 | s′ [i :ε]

where in the third line S and Ti satisfies the condition for typecase in Figure 3. We alsoinclude the structural rules with garbage collection rules for queues as (ν r)sel〈r, ε〉 ≡ 0.Operator new selector r in P (binding r in P) creates a new selector sel〈r, ε〉, named rand with the empty queue ε . Operator register〈s′,r〉;P registers a session channel s tor, adding s′ to the original queue~s. let x= select(r) in typecase x of {(xi :Ti) : Pi}i∈Iretrieves a registered session and checks the availability to test if an event has been trig-gered. If so, find the match of the type of s′ among {Ti} and select Pi; if not, the nextsession is tested.

We now show this behaviour can be easily encoded by combining arrival predicatesand typecase. Below we omit type annotations.

[[new selector r in P]] def= (ν b)(b(r).b(r). [[P]] | b : [ε]) [[register〈s,r〉;P]] def

= r!〈s〉; [[P]][[let x = select(r) in typecase x of {(xi :Si) : Pi}i∈I ]]

def= Select(rr)

[[sel〈r,~s ·~s′〉]] def= r [o :~s′] | r [i :~s]

def Select(xx) = x?(y);if arrived y then typecase y of{(xi :Si) : [[Pi]]}i∈Ielse x!〈y〉;Select〈xx〉 in Select〈rr〉

The use of arrived is the key to avoid blocked inputs, allowing the system to proceedasynchronously. The operations on the collection need to carry session channels, hencethe use of delegation (linear channel passing) is essential [11]. We can easily checkthat the embedding operationally simulates the selector given above as the extension ofESP, and that, under a suitable bisimulation, that it is semantically faithful.

F.2 Typing

The typing rules for the selector are naturally suggested from the ESP-typing of itsencoding. We write the type for a user of a selector storing channels of type T , bysel(T ), and the type for a selector itself by sel(T ). For simplicity we assume these

40

types do not occur as part of other types. The linear environment ∆ now includes twonew type assignments, r :sel(T ) and r :sel(T ). The typing rules for the selector follow.

Γ ` P.∆ ·r :sel(T )Γ ` new selector r in T P.∆

(Selector)Γ ` P.∆ ·r :sel(T ) S≤ T

Γ ` register〈s,r〉;P.∆ ·r :sel(T )·s :S(Register)

∀i ∈ I.Γ ` Pi .∆ ·r :sel(T )·xi :Si Si ≤ TΓ ` let x = select(r) in typecase x of {(xi :Si) : Pi}i∈I .∆ ·r :sel(T )

(Select)

The typing rule for the selector queue is similar to the runtime typing for a sharedinput queue. cf. Appendix C. By setting [[∆ ]] as the compositional mapping such that[[r :sel(T )]] is given as r : Sr ·r : Sr where Sr = µ X.!(T );X, and otherwise identity, aswell as extending the notion of error to the internal typecase of the select command, weobtain, writing ESP+ for the extension of ESP with the selector:

Proposition F.1 (Soundness of Selector Typing Rules).

1. (Type Preservation) Γ ` P.Σ in ESP+if and only if Γ ` [[P]]. [[Σ ]].2. (Soundness) P≡ P′ implies [[P]]≡ [[P′]]; and P−→ P′ implies [[P]]−→∗ [[P′]].3. (Safety) A typable process in ESP+ never reduces to the error.

Full proofs and further discussion are given in [15].

G Appendix: Lauer-Needham TransformThis appendix gives the detailed illustration of the Lauer-Needham transformation. Ourtranslation uses the notations in Figure 13 for brevity, including: pairs, polyadic input-s/outputs [25], a refined typecase, a refined selector, and an environment as used in thestandard CPS transform. All of them are easily encodable in the eventful calculus in[15].

The formal mapping follows. Below we say a process is positive if it is either anacceptor, an input, a branching or a definition, and is blocking if it is positive and is nota definition. The subject of a positive term is the initial channel name if it is blocking,and the initial process variable if it is a definition.

Definition G.1 (Lauer-Needham Transform). Let ∗a(w : S);P be a simple server.Then the mapping LN [[∗a(w : S);P]] is inductively defined by the rules in Figure 13,assuming the following annotation on P: the subjects of distinct positive subterms in Pare labelled with distinct numerals from 1 to n, as in e.g. x(i)?(y);Q (then we say theprefix is blocking at x(i)), such that 1 to n−m are used for the prefixes and the restfor the definitions (n ≥ m ≥ 0). We also assume all environments have the same fieldsnamed by the (free and bound) variables occurring in P which we assume to be pairwisedistinct.

As outlined in the main section, the main map LN [[∗a(w : S);P]] consists of:

1. An event loop Loop〈o,q〉 which denotes a loop invoked at o without parameters. Italso uses a selector queue q. It is composed with o, initiating the loop.

2. A selector queue q〈a,c0〉 named q with a single element 〈a,c0〉.3. A collection of code blocks CodeBlocks〈a,o,q,~c〉, each defined using an auxiliary

map B[[R]] and [[Q,y]]. Its behaviour is illustrated below.

41

LN [[∗a(w :S);P]] def= (νo,q,~c)( Loop〈o,q〉 | o | q〈a,c0〉 | CodeBlocks〈a,o,q,~c〉 )

where P1, ..,Pn are the positive sub-terms of P; P1, ..,Pn−m theblocking ones whose subjets are respectively typed S1, ..,Sn−m;and o, q and~c = c1..cn are fresh and pairwise distinct.

Loop〈o,q〉 def= ∗o. let w = select(q) in typecase w of {

(x : S, z : env) : new y : env in z〈y〉,(x : S1, y : env, z : S1,env) : z〈x,y〉, . . .(x : Sn−m, y : env, z : Sn−m,env) : z〈x,y〉

}

CodeBlocks〈a,o,q,~c〉 def= B[[a(w :S);P]] |∏1≤i≤nB[[Pi]]

B[[∗a(w :S).P]] def= ∗c0(y).a(w′ :S).update(y,w,w′); register〈q,a,c0〉; [[P,y]]

B[[x(i)?(z : T ).Q]]def= ∗ci(x′,y).x′?(z′).update(y,z,z′); update(y,x,x′); [[Q,y]]

B[[x(i)�{l j : Q j} j]]def= ∗ci(x′,y).x′�{l j : update(y,x,x′); [[Q j,y]]} j

[[x!〈e〉;Q,y]] def= let x′ = [[x]]y in x′!〈[[e]]y〉;update(y,x,x′); [[Q,y]]

[[x!〈k〉;Q,y]] def= let x′ = [[x]]y in let k′ = [[k]]y in x′!〈k′〉;update(y,xk,x′k′); [[Q,y]]

[[x/ l j;Q,y]] def= let z = [[x]]y in z/ l j; [[Q,y]]

[[b(z : S);Q,y]] def= b(z′ : S);update(y,z,z′); [[Q,y]]

[[Q,y]] def= let x′=[[x]]y inregister〈q,x′, ci, y〉;o (Q is blocking at x(i))

[[0,y]] def= o

Fig. 13. Translation Function for Lauer-Needham Transform

The initial execution of LN [[∗a(w : S);P]] starts from the event-loop. It fetches a chan-nel at which a message has arrived by select: what it finds in the selector queue ischecked and typed by the typecase construct from [15] (as illustrated in Appendix A).Initially it will only find a request via a. After finding it, the loop then creates a brandnew environment and jumps to the initial code block at c0, passing the environment.

Once invoked, the initial code block, B[[a(w :S);P]], receives a fresh session chan-nel through the buffer of a, saves it in the environment, and moves to [[P,y]]. The code[[P,y]] carries out “instructions” from P, using the environment denoted by y to inter-pret variables. After completing all the consecutive non-blocking actions (invocations,outputs, selections, conditionals and recursions) starting from the initial input, the codewill reach a blocking prefix or 0. If the former is the case, it registers that blockingsession channel, the associated continuation and the current environment in a selectorqueue. Then the control flow returns to the event loop.

The event loop then tries to sense the arrival of a message again by scanning the reg-istered channels (shared and session). Assume it finds a message via a session channelthis time. It then decides its type by typecase and invokes the corresponding contin-uation code block, passing the session channel and the environment. The code block,which has the shape B[[Pi]] for a blocking sub-term Pi of P, now receives the messagevia the passed session channel, saves it in the passed environment, and continues withthe remaining behaviour until it reaches a blocking action, in the same way as illustrated

42

for the initial code block. The combination of a typecase and a session channel passingabove enables the protection of session type abstraction, ensuring type and communi-cation safety.

G.1 Lauer-Needham Transform propertiesThe translation T E[[∗a(w : S);P]] radically changes the original code organisation. How-ever the two technical underpinnings of our event-based formalism, types and bisimula-tions, offer a firm and tractable basis to reason about these processes, relating the event-based code to the original server. Below we discuss the key properties of our translationand its extensions. We say a closed typed process is sequential if its arbitrary well-typedmulti-step transition derivative has at most one redex pair.

Proof for Lemma 4.4

Lemma. ∗a(w : S);R | a[ε] is confluent.

Proof. R is confluent by definition.A derivative of ∗a(w : S);R | a[ε] is R1 | . . . | Rn | ∗ a(w : S);R | a[ε] | ∏k∈I si [i :

~hii,o : ~hoi]≡ R1 | . . . | Rn | ∗a(w : S);R | a(w : S);R | a[ε] | ∏m∈I sm [i : ~him,o : ~hom] whereI = {1, . . . ,n}, which counts the session endpoints in the system.

Processes R1, . . . ,Rn do not share any names, so process:R1 | . . . | Rn | a(w : S);R | a[ε] | ∏m∈I sm [i : ~him,o : ~hom] is confluent by Lemma (D.1).

From structural congruence we conclude that the entire process is confluent. ut

Proof for Lemma 4.5

Lemma. T E[[∗a(w : S);P | a[ε]]] is confluent.

Proof. The structure of the transformation is constructed out of session transitions =⇒sand transitions on shared names. As we will see the transitions on shared names areconfluent.

An ambiguous transition is the arrive transition defined in the selector used in theLoop process. We need to show that for the arrive derivative of the initial transformationthe process follows the definition of confluent processes. Consider the process:

P = if arrived si then typecase si of{. . .} else Select | a[~s]| sel〈(sk,ξk,ck), . . . ,(sk−1,ξk−1,ck−1)〉 | ∏

m∈Ism [i : ~him,o : ~hom] | CodeBlocks

where I = {1, . . . ,n}, which counts the session endpoints in the system.When vector ~hii 6= ε(for some i) then it is trivial to show the definition of confluence

processes by showing a bisimulation on the resulting processes.In the case where ~hii = ε and assuming that l1 = si?〈v〉we have to show the confluent

transitions and show that the resulting processes are bisimilar. We do a case analysis on

the possible transitionsl2=⇒.

43

Case l2 = s j?〈v′〉.

Psi?〈v〉−→ P1 = if arrived si then typecase si of{. . .} else Select | a[~s] |

sel〈(sk,ξk,ck), . . . ,(sk−1,ξk−1,ck−1)〉 | ∏m∈I−{i, j}

sm [i : ~him,o : ~hom] |

s j [i : ~hi j,o : ~ho j] | si [i : ~hii · v,o : ~hoi] | CodeBlocks

Ps j?〈v′〉=⇒ P2 = Q | a[~s2] | sel〈(s2k,ξ2k,c2k), . . . ,(s2k−1,ξ2k−1,c2k−1)〉 |

∏m∈I−{i, j}

sm [i : ~h2im,o : ~h2om] | si [i : ~h22ii,o : ~h2oi] | s j [i : ~h2i j · v′,o : ~h2o j]

with:

~s = ~s′2 ·~s2

m = j , ~him · v′ = ~h′2im · ~h2im

1≤ m≤ n , ~him = ~h′2im · ~h2im, ~h2om = ~h′2om · ~hom

From the confluence definition, we have that:

P1s j?〈v′〉=⇒ P′ = Q′ | a[~s′] | sel〈(s′k,ξ ′k,c′k), . . . ,(s′k−1,ξ

′k−1,c

′k−1)〉 |

∏m∈I−{i, j}

sm [i : ~h′im,o : ~h′om] | si [i : ~h′ii,o : ~h′oi] | s j [i : ~h′i j,o : ~h′o j]

P2si?〈v〉=⇒ P′′ = Q′′ | a[~s′′] | sel〈(s′k,ξ ′k,c′k), . . . ,(s′k−1,ξ

′k−1,c

′k−1)〉 |

∏m∈I−{i, j}

sm [i : ~h′im,o : ~h′om] | si [i : ~h′′ii,o : ~h′′oi] | s j [i : ~h′′i j,o : ~h′′o j]

with:

~s = ~s1 ·~s′

m = j ~him · v′ = ~h1im · ~h′im1≤ m≤ n ~him = ~h1im · ~h′im, ~h′om = ~h1om · ~hom

~s′′ = ~s2 ·~s′′

m = i ~h2im · v = ~h′′2im · ~h′′im1≤ m≤ n ~h2im = ~h′′2im · ~h′′im, ~h′′om = ~h′′2om · ~h2om

At this point we need to show that P′ ≈ P′′:Let the symmetric relation R such that:

R ={(P,Q)|P,Q have the form of P′,P′′ respectively

}Assume that PRQ and P

sk?〈v〉−→ P′. Then we can always observe Qsk?〈v〉=⇒ Q′ and

P′RQ′.

44

Suppose Psk!〈v〉−→ P′. Then by combining the relation between the buffers of P and Q,

we have Qsk!〈v〉−→ Q′ or if sk [o :ε] then Q =⇒sk!〈v〉−→ Q′ and P′RQ′ in both cases.

We have similar results for a〈s〉 and a〈s〉. as well as in the bounded objects actions.The last case is also trivial. Suppose P−→ P′. Then Q =⇒ Q′ and P′RQ′.This completes the case when l2 = si?〈v′〉. The case for l2 = si?(v′) is similar. So

is the case for l2 = a〈s〉. Cases l2 = si!〈v〉, l2 = si!(v) follow the same arguments. Casel2 = a〈s〉 cannot happen by the specification of thread elimination.

Shared transitions should also be confluent. Supposeci(s,ξ ) | sel〈 ~s,ξ ,ci〉 | Buffers〈I〉 | Codeblocks. From here the confluence definition istrivial to be observe.

All other derivatives of T E[[∗a(w : S);P | a[ε]]] are confluent due to the presence of=⇒s transition.

By the confluence definition the result follows. ut

Proof for Lemma 4.6

Lemma LetP1 =(ν~cor)(Loop |CodeBlocks | r〈(s1,ξ1,c1), . . . ,(si,ξi,ci),(s j,ξ j,c j), . . . ,(sn,ξn,cn)〉 | a[~s]| ∏m∈I sm [i : ~him,o : ~hom]) andP2 =(ν~cor)(Loop |CodeBlocks | r〈(s1,ξ1,c1), . . . ,(s j,ξ j,c j),(si,ξi,ci), . . . ,(sn,ξn,cn)〉 | a[~s]| ∏m∈I sm [i : ~him,o : ~hom]).

Then P1 ≈ P2.

Proof. Assume a relation R such that

Q1 = (ν ~cor)(Loop | CodeBlocks | r〈(sk,ξk,ck), . . . ,(si,ξi,ci),(s j,ξ j,c j), . . . ,(sk−1,ξk−1,ck−1)〉 |a[~s] | ∏

m∈Ism [i : ~him,o : ~hom]),

Q2 = (ν ~cor)(Loop | CodeBlocks | r〈(sk,ξk,ck), . . . ,(s j,ξ j,c j),(si,ξi,ci), . . . ,(sk−1,ξk−1,ck−1)〉 |a[~s] | ∏

m∈Ism [i : ~him,o : ~hom])

and P1RP2, Q1RQ2.We want to show that R is an upto-expansion relation.From Lemma 4.5 we have that Q1,Q2,P1 and P2 are confluent.The requirement of typing holds, since both processes have the same typing due to

the existence of the same endpoints in both related processes.For every observable action ` the case is trivial, since if Q1

`−→ Q′1 then Q2`−→

RQ′1.It remains to show the case for `= τ .If Q1 −→ Q′1 then

Q2 =⇒ Q′2 = (ν ~cor)(Loop | CodeBlocks | r〈. . . ,(sk−1,ξk−1,ck−1),(sk,ξk,ck), . . . ,

(s j,ξ j,c j),(si,ξi,ci)〉 | a[~s] | ∏m∈I

sm [i : ~h′im,o : ~h′om])

45

and

Q′1 =⇒ (ν ~cor)(Loop | CodeBlocks | r〈. . . ,(sk−1,ξk−1,ck−1),(sk,ξk,ck), . . . ,

(si,ξi,ci),(s j,ξ j,c j)〉 | a[~s] | ∏m∈I

sm [i : ~h′im,o : ~h′om])

and Q′1RQ′2 as required. ut

Proof for Theorem 4.7

Theorem Let ∗a(w : S);R | a[ε] be a simple server. Then ∗a(w : S);P ≈ T E[[∗a(w :S);P | a[ε]]].

Proof. Assume a relation S such that

P = R1 | . . . | Rn | ∗a(x).R | a[~s] | ∏m∈I sm [i : ~h′im,o : ~h′om]Q = (ν ~cor)(Loop | CodeBlocks | r〈(s1,ξ1,c1), . . . ,(sn,ξn,cn)〉 | a[~s]

| ∏m∈I sm [i : ~h′im,o : ~h′om])

and (P,Q) ∈Swith R1, . . . ,Rn blocking subterms of RWe will show that S is an upto-expansion relation.From Lemmas 4.4 and 4.5, we verify the first requirement.

Γ ` a : 〈S〉,Γ ` R. x :S, Γ ` a[~s].~s :~S

Γ ` a(x).R | a[~s].a ·~s :~S

Γ `∏i∈I(Ri | si [i : ~hii,o : ~hoi]).∏i∈I~si :Si

Γ ` R1 | . . . | Rn | ∗a(x).R | Buffers〈I〉 | a[~s].a ·∏i∈I~si :Si ·~s :~S

∀ R ∈ InputSubTerms(R),Γ ` [[R,y]]. /0, Γ `I [[R]]. /0Γ ` CodeBlocks. /0

Γ ` Loop. r :Sr · r :Sr

Γ `∏i∈I(si [i : ~hii,o : ~hoi] | r[. . . ] | r[. . . ]).∏i∈I~si :Si · r :Sr · r :S′rΓ ` (ν o~cr)(Loop | CodeBlocks | a[~s] | Buffers〈I〉 | r〈 ~siyi〉).a ·∏i∈I~si :Si ·~s :~S

We can check both processes have the same typing.For the case when observing external actions, the result is trivial since one process

can simulate the other.For l = τ we have:

46

If

(ν ~cor) (Loop | CodeBlocks | r〈(s1,ξ1,c1), . . . ,(sn,ξn,cn)〉 | a[~s] | ∏m∈I sm [i : ~h′im,o : ~h′om])−→(ν ~cor) (P | r〈(s1,ξ1,c1), . . . ,(sn,ξn,cn)〉 | a[~s] | ∏m∈I sm [i : ~h′im,o : ~h′om])

thenR1 | . . . | Rn | ∗a(x).R | ∏m∈I sm [i : ~h′im,o : ~h′om] =⇒R′1 | . . . | Rn | ∗a(x).R | a[~s] | ∏m∈I sm [i : ~h′im,o : ~h′om]

with R′1 to be a blocking subprocess of R and

(ν ~cor) (P | r〈(s1,ξ1,c1), . . . ,(sn,ξn,cn)〉 | a[~s] | ∏m∈I sm [i : ~h′im,o : ~h′om]) =⇒(ν ~cor) (Loop | CodeBlocks | r〈(s2,ξ2,c2), . . . ,(s1,ξ1,c1)〉 | a[~s] | ∏m∈I sm [i : ~h′im,o : ~h′om])

as required.Now for the symmetric direction we have that if:

R1 | . . . | Rn | ∗a(x).R | a[~s] | ∏m∈I sm [i : ~h′im,o : ~h′om]−→R1 | . . . | R′i | . . . | Rn | ∗a(x).R | a[~s] | ∏m∈I sm [i : ~h′im,o : ~h′om]

then we can use Lemma 4.6 to choose a bisimilar process to the event server with apermuted selector such that

(ν ~cor) (Loop | CodeBlocks | r〈(si,ξi,ci), . . .〉 | a[~s] | ∏m∈I sm [i : ~h′im,o : ~h′om]) =⇒(ν ~cor) (Loop | CodeBlocks | r〈. . . ,(si,ξi,ci)〉 | a[~s′] | ∏m∈I sm [i : ~h′im,o : ~h′om]

andR1 | . . . | R′i | . . . | Rn | ∗a(x).R | a[~s] | ∏m∈I sm [i : ~h′im,o : ~h′om] =⇒R′1 | . . . | R′i | . . . | Rn | ∗a(x).R | a[~s′] | ∏m∈I sm [i : ~h′im,o : ~h′om]

The resulting processes are related by S .Then we conclude the case with Lemma 3.11.

47

On Asynchronous Session Semantics · 1 Introduction Modern transports such as TCP in distributed...

Documents

Transcript of On Asynchronous Session Semantics · 1 Introduction Modern transports such as TCP in distributed...