Acta Informatica

, Volume 54, Issue 3, pp 243–269 | Cite as

Multiparty session types as coherence proofs

  • Marco Carbone
  • Fabrizio Montesi
  • Carsten Schürmann
  • Nobuko Yoshida
Original Article

Abstract

We propose a Curry–Howard correspondence between a language for programming multiparty sessions and a generalisation of Classical Linear Logic (CLL). In this framework, propositions correspond to the local behaviour of a participant in a multiparty session type, proofs to processes, and proof normalisation to executing communications. Our key contribution is generalising duality, from CLL, to a new notion of n-ary compatibility, called coherence. Building on coherence as a principle of compositionality, we generalise the cut rule of CLL to a new rule for composing many processes communicating in a multiparty session. We prove the soundness of our model by showing the admissibility of our new rule, which entails deadlock-freedom via our correspondence.

1 Introduction

Session types are protocols for communications in concurrent systems [16, 26]. A recent line of work investigates Curry–Howard correspondences between the type theory of session types and linear logic, where proofs correspond to processes, propositions to types, and proof normalisation to communications [6, 28]. An important consequence of such correspondences is that several notions that usually require complex additional definitions and proofs, e.g., dependency relations for deadlock-freedom [12, 23], follow for free from the theory of linear logic, yielding a succinct formulation of the formal foundations of sessions.

The aforementioned correspondences cover only session types with exactly two participants, called binary session types. In practice, however, protocols often describe the behaviour of multiple participants [25]. Multiparty Session Types (MPSTs) have been proposed to capture such protocols, by matching the communications enacted by many participants with a global scenario [17]. Unfortunately, MPSTs are more involved than binary session types, since they include complex analyses on the structure of protocols and a mapping from global types, which describe multiparty protocols, to local types, which describe the local behaviour of each single participant. So far, it has been unclear whether a succinct logical formulation of MPSTs can be developed, as done for binary session types. Therefore, we ask:

Can we design a proof theory for reasoning about multiparty sessions?

A positive answer to our question would lead to a clearer understanding of the principles that underpin multiparty session programming. The main challenge lies in the foundational notion of duality found in linear logic, which, in a Curry–Howard interpretation of propositions as types, checks whether the session types of two respective participants are compatible. It is an open question how to generalise the notion of type duality to that of “multiparty compatibility” found in MPSTs, which allows to compose an arbitrary number of participants [14, 17, 20]. Therefore, differently from previous work, we are in a situation where the existing logic does not provide us with natural tools for dealing with the types we desire to capture.

The main contribution of this work is the development of Multiparty Classical Processes (MCP), a proof theory for reasoning on synchronous multiparty communications. The key aspect of MCP is that it generalises Classical Linear Logic (CLL) [15], by building on a new notion of type compatibility, called coherence, that replaces duality. Using MCP, we can provide a concise reconstruction of the foundations of MPSTs. In the following, we outline our investigation:
  • Coherence We start by formalising a language for local types and global types (Sect. 3, Types). As in MPSTs, a local type denotes the I/O actions of a single participant in a session, whereas a global type denotes the desired interactions among all participants in a session. We then present coherence, a proof system for determining whether a set of local types follow the scenario denoted by a global type (Sect. 3, Coherence). We prove the adequacy of coherence by showing that global types are proof terms for coherence proofs (Sect. 3, Fig. 2); equivalences between coherence proofs correspond to the equivalences between global types originally formulated with an auxiliary definition in [8] (Sect. 3, Proposition 1); and, the coherence proof system yields projection and extraction procedures from global types to local types and vice versa (Sect. 3, Proposition 2 and Proposition 3). Finally, we show that coherence generalises the notion of duality in CLL (Sect. 3, Proposition 4). Our extraction procedure is the first not requiring auxiliary conditions (e.g., dependency relations as in [19]) and capturing nested protocols [13].

  • Multiparty classical processes We present Multiparty Classical Processes (MCP), a proof theory that is in a Curry–Howard correspondence with a language for synchronous multiparty sessions (Sect. 4). The key aspect of MCP is using coherence as a new principle for compositionality in order to generalise the standard cut rule of linear logic, by allowing an arbitrary number of proofs to be composed (Sect. 4, Fig. 6). Such a generalisation gives us a consavative extension of the binary cut rule of Classical Linear Logic (CLL) (Sect. 7). From the proof theory of MCP, we derive logically-founded notions of structural equivalences and reductions for multiparty processes (Sect. 4, Figs. 7 and 8). Driven by the correspondence between processes and proofs, we show that: communications among processes always follow their session types (Sect. 5, Theorem 4); and, communications never get stuck (Sect. 5, Corollary 1), improving on previous techniques for analysing progress in multiparty sessions (Sect. 8).

2 Preview

We give an informal introduction to MCP with the 2-buyer protocol [17], where two buyers buy a book together from a seller. This can be described by the following global type:Above, \(\mathsf {B1}\) (the first buyer), \(\mathsf {B2}\) (the second buyer) and \(\mathsf {S}\) (the seller) are roles. In Line 1, \(\mathsf {B1}\) sends the book title to \(\mathsf {S}\), then \(\mathsf {S}\) sends a quote to \(\mathsf {B1}\) and \(\mathsf {B2}\). At this point, \(\mathsf {B1}\) sends to \(\mathsf {B2}\) the fraction of the price it wishes to pay. In Line 2, \(\mathsf {B2}\) communicates to \(\mathsf {S}\) whether (Open image in new window) to proceed with the purchase and, if so, also an address for the delivery.
In multiparty session types, each role in a global type is implemented by a different process. For example, the following three programs implement the roles in (1):The three processes above are defined in the \(\pi \)-calculus with (synchronous) multiparty sessions [12, 18], and communicate using the session (or channel) \(x\). In term \(\text {Buyer1}, \overline{x}^{\;\mathsf {B1}\, \mathsf {S}}(title)\) means “as role \(\mathsf {B1}\), send the book title over channel \(x\) to the process implementing role \(\mathsf {S}\)”; \({x}^{\mathsf {B1} \, \mathsf {S}}(quote)\) means “as role \(\mathsf {B1}\), receive a quote over channel \(x\) from the process implementing role \(\mathsf {S}\)”; finally, \(\overline{x}^{\;\mathsf {B1}\, \mathsf {B2}}(contr)\) means “as role \(\mathsf {B1}\), send to the process implementing role \(\mathsf {B2}\), over channel \(x\), the amount the first buyer is willing to contribute with”. Note that \(\text {Buyer2}\) makes a choice after receiving the contribution from \(\text {Buyer1}\), i.e., it either accepts or rejects the purchase by respectively selecting the left or right branch of the case construct in the code of \(\text {Seller}\).
Following the approach in [28], we can type channel x using CLL propositions (differently from [28], we use Open image in new window to type outputs and \(\otimes \) to type inputs, see Sect. 8):Above, each proposition states how \(x\) is used by each process. For instance, \(\text {Buyer1}\) outputs (Open image in new window) a string, receives (\(\otimes \)) an integer, sends another integer and finally terminates (\(\mathsf {end}\)).
CLL cannot compose our three processes using the above specifications, since its composition rule \(\mathsf {Cut}\) can only compose two processes, which communicate over the same channel x with compatible binary session types A and \(A^\perp \):Using the same channel among our three processes is essential for tracking the dependencies expressed by the global type in (1): for example, we need to ensure that \(\text {Seller}\) sends a quote to \(\text {Buyer2}\) only after it has received a request for a book from \(\text {Buyer1}\). Such constraints cannot be tracked by binary session types [17]. To overcome this issue, we annotate each connective in propositions with roles. For example, the type of \(x\) for \(\text {Buyer1}\) would become:Annotations identify the dual role of each action, e.g., the usage for \(\text {Buyer1}\) now reads: send a string to \(\mathsf {S}\) (Open image in new window); receive an integer from \(\mathsf {S}\) (\(\otimes ^{\mathsf {S}}\)); send an integer to \(\mathsf {B2}\) (Open image in new window); and, terminate (\(\mathsf {end}\)). We can then reformulate \(\mathsf {Cut}\) as:In our new multiparty cut rule \(\mathsf {MCut}\), if some processes \(P_i\) use session \(x\) as role \(p_i\) (denoted \(x^{p_i}\)), each according to some respective types \(A_i\), and such types coherently follow a global type specification \(G\) (formalised by the judgement \(G \vDash \{p_i\!:A_i\}_i\)), then we can compose them in parallel within the scope of session \(x\), written \((\varvec{\nu }x\!:G)\, (P_1\ \;\varvec{|}\ \;\ldots \ \;\varvec{|}\ \;P_n)\). In our example, for i ranging from 1 to 3, \(\{p_i\!:A_i\}_i\) would correspond to the types in (3), where \(p_1\), \(p_2\) and \(p_3\) would be, respectively, \(\text {Buyer1}\), \(\text {Buyer2}\) and \(\text {Seller}\). In Sect. 6, we will show that such types coherently follow the global type given in (1).
MCP goes beyond the original multiparty session types [17], capturing also multicasting and nested protocols [12, 13]. For example, we can enhance the 2-buyer protocol as:Above, \(\mathsf {S}\) multicasts the price to both \(\mathsf {B1}\) and \(\mathsf {B2}\); and \(\mathsf {B2}\) multicasts its decision to \(\mathsf {B1}\) and \(\mathsf {S}\). We have also updated the right branch of the choice using a nested protocol \(G_{\mathsf {sub}}\), which is private to \(\mathsf {B1}\) and \(\mathsf {S}\), where \(\mathsf {B1}\) tells \(\mathsf {S}\) whether it wants to purchase the product alone:In MCP, nested protocols can proceed in parallel to their originating protocols. For example, the last two communications, where \(\mathsf {B1}\) and \(\mathsf {B2}\) inform \(\mathsf {S}\) of their respective reasons for not completing the purchase, can be executed in parallel to \(G_{\mathsf {sub}}\). We will formalise this in Sect. 5.

3 Coherence

We give a proof-theoretical reconstruction of coherence, from [17]. Our theory generalises duality, from CLL, to checking the compatibility of multiple types. We define coherence as a proof system for deriving sets of (compatible) local types, which describe the local behaviours of participants in a multiparty session. Global types are proof terms for coherence proofs, yielding a correspondence between sets of compatible local types and their global descriptions.
Fig. 1

Local types (\(A, B, \ldots \)) and global types (\(G\))

Types The syntax of local and global types is given in Fig. 1, where \(p,q\) range over a set of roles. Global types are highlighted, to distinguish them as proof terms. Highlighting is also used in our syntax of local types, to show the difference with CLL. We will adopt the same convention in Sect. 4 when we present more terms. A local type A describes the local behaviour of a role in a session. Types \(1\) and \(\bot \) denote session termination, respectively representing the request and the acceptance for closing a session (which were informally abstracted by \(\mathsf {end}\) in our previous examples). A type Open image in new window denotes a multicast output of a session with type A to roles \(\tilde{p}\), with a continuation B. A type \(A\otimes ^{p} B\) represents an input of a session with type A from role \(p\), with continuation B. Types \(A\oplus ^{\tilde{p}} B\) and Open image in new window denote, respectively, the output of a choice between the continuations A and B to roles \(\tilde{p}\) and the input of a choice from role \(p\). The replicated type !A offers behaviour A as many times as requested. Finally, type ?A requests the execution of a replicated type and proceeds as A.

A global type \(G\) describes the behaviour of many participants. In the interaction \(p \; \texttt {->} \; \tilde{q} : \langle G' \rangle ;G\), role \(p\) sends to roles \(\tilde{q}\) a message to create a new session of type \(G'\), and then the protocol proceeds as \(G\). In Open image in new window, role \(p\) communicates to roles \(\tilde{q}\) its choice of either branch \(G_1\) or \(G_2\). A type \(? p \; \texttt {->} \; !\tilde{q} : \langle G \rangle \) denotes that role \(p\) may ask roles \(\tilde{q}\) to execute \(G\) many times. Finally, in \(\mathsf {end}^{p\tilde{q}}\), role \(p\) asks roles \(\tilde{q}\) to terminate the session (for brevity, we often write \(\mathsf {end}\)).

Judgements A role typing\(p\!:A\) states that role \(p\) behaves as specified by type A. Our judgements for coherence have the form \(G \vDash p_1\!:A_1,\ldots ,p_n\!:A_n\) which reads as “the types \(A_1,\ldots ,A_n\) of the respective roles \(p_1,\ldots ,p_n\) (assumed to be pairwise distinct) are compatible and follow the global type \(G\)”. We use \(\varTheta \) to range over sets of role typings, and make the standard assumption that we can write \(\varTheta ,p\!:A\) only if a role typing for \(p\) does not appear in \(\varTheta \). Given some roles \(\tilde{p}\), we use the notation \(\{p_i\!:A_i\}_i\) to denote the set of role typings \(p_1\!:A_1,\dots ,p_n\!:A_n\), assuming \(\tilde{p} = p_1,\dots ,p_n\) and i ranging from 1 to n. Given \(G\), we say that \(G\) is valid if there exists \(\varTheta \) such that \(G \vDash \varTheta \). Conversely, given \(\varTheta \), we say that \(\varTheta \) is coherent if there exists \(G\) such that \(G \vDash \varTheta \). Intuitively, the validity and coherency correspond to syntactic well-formedness or projectability in [17].
Fig. 2

Coherence

We report the rules for deriving coherence judgements in Fig. 2. Rule Open image in new window matches the output type from role \(p\) to roles \(\tilde{q}\) with the input types of roles \(\tilde{q}\), whenever (i) the types for the newly created session are coherent and (ii) the types of all continuations are also coherent. Rule Open image in new window checks that both possibilities in a choice are coherent, where all roles participating in the communication are allowed to have different behaviour and the other roles are not (a multicast generalisation of [17]). In rule !?, we check that a client requests the creation of a coherent session only from replicated services. Finally, rule \(1\bot \) checks that all participants agree on the termination of a protocol. As in CLL, we interpret type \(1\) as a terminated process and \(\bot \) as a process that has terminated its behaviour in a session and proceeds with other sessions. Therefore, we read rule \(1\bot \) as “a protocol terminates when one participant waits (type \(\bot \)) for the termination of all the others (type \(1\)), which execute in parallel”. This design choice simplifies our development; we discuss a generalisation in Sect. 8.

For example, Open image in new window is not valid since \(\mathsf {end}\) does not have correct participant annotation. Open image in new window is not valid either since a global type in the right branch does not contain the participants p and \(q_i\) (hence it does not match with rule Open image in new window).

Example 1

(2-Buyer Protocol) We can revisit the local types for the 2-buyer protocol in Sect. 2 (1), where now data types are abstracted by \(1\)’s and \(\bot \)’s.Let \(G\) be the global type in (1) with \(\mathsf {end}\) instead of data types; then, \(G \ \vDash \ \mathsf {B1}\!:A, \mathsf {B2}\!:B, \mathsf {S}\!:C\).

3.1 Properties of coherence

Swapping Immediately from our correspondence between global types and coherence proofs, we can reconstruct the standard notion of swapping \(\simeq ^{\mathsf {g}}\) for global types from [8]. Intuitively, two communications involving different roles can always be swapped, capturing the fact that separate roles execute concurrently. For example, the following coherence proof (for \(p,q,r,s\) different):is equivalent to (\(\simeq ^{\mathsf {g}}\))Such equivalence proves that a global type of the form \(p \; \texttt {->} \; q : \langle G' \rangle ;r \; \texttt {->} \; s : \langle G'' \rangle ;G\) is equivalent to \(r \; \texttt {->} \; s : \langle G'' \rangle ;p \; \texttt {->} \; q : \langle G' \rangle ; G\). Formally:

Definition 1

(Swapping congruence\(\simeq ^{\mathsf {g}}\)) The swapping congruence \(\simeq ^{\mathsf {g}}\) is the smallest congruence satisfying the rules in Fig. 3.

Fig. 3

Swapping relation \(\simeq ^{\mathsf {g}}\) for global types

In general, two global types are proof terms for the same set of local typings if and only if they are equivalent. To prove this, we first need to introduce two auxiliary lemmas.

Lemma 1

Let \(G \vDash \varTheta \). Then:

Proof

The thesis follows immediately from the definition of the rules for coherence, since there are no elimination rules and, e.g., rule Open image in new window is the only one that can introduce the propositions that we are interested in. The same argument holds for the other cases. \(\square \)

In the following Lemma, we consider a weight metric that will be useful later for reasoning inductively on coherence proofs. The reason for introducing this metric is that the swapping rule \((\rightarrow \!\oplus )\) from Fig. 3 does not preserve the size of the proof that it transforms: if we apply it from left to right, the communications at the beginning of both branches of the choice gets conflated to a single one; if we apply it from right to left, the communication before the choice gets duplicated in the branches of the choice. Even the height of the derivation tree for the proof changes when we apply this rule. However, we can define a weight metric that allows us to see that having a (swappable) communication before a choice is equivalent to having two instances of it in the two branches of the same choice. Formally, the weight \(\mathsf {w}(G)\) of a global type \(G\) is a natural number; the function \(\mathsf {w}\) is inductively defined as:A type \(? p \; \texttt {->} \; !\tilde{q} : \langle G \rangle \) has the weight of \(G\) plus 1. A choice weighs as the sum of its two branches. A communication \(p \; \texttt {->} \; \tilde{q} : \langle G' \rangle ;G\) weighs as the product of the respective weights of \(G'\) and \(G\). In other words, looking at the correspondence with coherence proofs, \(\otimes \) corresponds to product (of weights) and \(\oplus \) to sum (of weights). In the base case, the term \(\mathsf {end}^{p\tilde{q}}\) weighs 2, since we must ensure that the function is strictly monotonic on the inductive definition of a term \(G\).

Lemma 2

Let \(G_1\) be a valid global type. Then:
  • Open image in new window implies that there exists \(G_2 = p \; \texttt {->} \; \tilde{q} : \langle G''_2 \rangle ;G'_2\) such that \(G_1 \simeq ^{\mathsf {g}}G_2\), \(\mathsf {w}(G_1) = \mathsf {w}(G_2)\), and Open image in new window;

  • Open image in new window implies that there exists Open image in new window such that \(G_1 \simeq ^{\mathsf {g}}G_2\), \(\mathsf {w}(G_1) = \mathsf {w}(G_2)\), and Open image in new window;

  • \(G_1 \vDash \varTheta , p\!:?A, \{q_i\!:!B_i\}_i\) implies that there exists \(G_2 = ? p \; \texttt {->} \; !\tilde{q} : \langle G'_2 \rangle \) such that \(G_1 \simeq ^{\mathsf {g}}G_2\), \(\mathsf {w}(G_1) = \mathsf {w}(G_2)\), and \(G_2 \vDash \varTheta , p\!:?A, \{q_i\!:!B_i\}_i\).

Proof

The proof is by induction on the derivation of \(G_1\). We focus on the first implication; the others follow by similar reasoning. By Lemma 1, we know that the proof for deriving \(G_1\) must contain an application of rule Open image in new window that introduces Open image in new window.

We proceed by cases on the last applied rule in the derivation:
  • Case\(1\bot \) (Base case) This case is not applicable since there must be an application of Open image in new window (by Lemma 1).

  • CaseOpen image in new window introducing Open image in new window: The thesis follows trivially since \(G_1=G_2\).
  • CaseOpen image in new window not introducing Open image in new window: By induction hypothesis, we know that we can rewrite this proof as: where such that \(G'_1 \simeq ^{\mathsf {g}}p \; \texttt {->} \; \tilde{q} : \langle G''_2 \rangle ;G'_2\) and \(\mathsf {w}(G'_1) = \mathsf {w}(p \; \texttt {->} \; \tilde{q} : \langle G''_2 \rangle ;G'_2)\). Hence, by the fact that the swapping relation \(\simeq ^{\mathsf {g}}\) is a congruence, we have \(r \; \texttt {->} \; \tilde{s} : \langle G''_1 \rangle ;G'_1 \simeq ^{\mathsf {g}}r \; \texttt {->} \; \tilde{s} : \langle G''_1 \rangle ;p \; \texttt {->} \; \tilde{q} : \langle G''_2 \rangle ;G'_2\). Moreover, applying rule \((\rightarrow \rightarrow )\) from the definition of \(\simeq ^{\mathsf {g}}\), we obtain: where such that \(r \; \texttt {->} \; \tilde{s} : \langle G''_1 \rangle ;G'_1\simeq ^{\mathsf {g}}p \; \texttt {->} \; \tilde{q} : \langle G''_2 \rangle ;r \; \texttt {->} \; \tilde{s} : \langle G''_1 \rangle ;G'_2\) and \(\mathsf {w}(r \; \texttt {->} \; \tilde{s} : \langle G''_1 \rangle ;G'_1)=\mathsf {w}(p \; \texttt {->} \; \tilde{q} : \langle G''_2 \rangle ;r \; \texttt {->} \; \tilde{s} : \langle G''_1 \rangle ;G'_2) \) .
  • The cases for Open image in new window and !? are similar to the previous one. For case Open image in new window, we may have to apply the transformation \((\rightarrow \!\oplus )\). As anticipated, although this transformation changes the size of a proof, it does not change its weight (which is what we need to prove here). This follows from simple distribution of multiplication over addition. Rule \((\rightarrow \!\oplus )\) states (we report it verbatim, since our argument holds independently from this particular proof): We can easily verify that weight remains unaffected:
\(\square \)

Proposition 1

(Swapping) Let \(G_1 \vDash \varTheta \). Then, \(G_1 \simeq ^{\mathsf {g}}G_2\) if and only if \(G_2 \vDash \varTheta \).

Proof

(only if direction) For each rule defining \(G_1\simeq ^{\mathsf {g}}G_2\), we can expand \(G_1\) to its corresponding coherence proofs and commute its last applied rule to obtain a proof for \(G_2\) with the same \(\varTheta \). In each case, the two proofs prove the same \(\varTheta \). We report the representative case of \((\rightarrow \!\oplus )\). We have that:The proof for \(G_1\) is:whereandWe can rewrite the proof above to obtain one for \(G_2\), proving the thesis:where\(\square \)

Proof

(if direction) We prove that \(G_1 \vDash \varTheta \) and \(G_2 \vDash \varTheta \) imply \(G_1 \simeq ^{\mathsf {g}}G_2\). We proceed by mutual induction on the weights of the proof derivations of \(G_1\) and \(G_2\). For the base case where \(G_1\) is derived by rule \(1\bot \), then \(G_2\) must be derived in the same way, hence the two proofs are the same and the thesis follows. We now move to the inductive cases, looking first at the last applied rule used to derive \(G_1\).
  • CaseOpen image in new window. Here we have that \(G_1 = p \; \texttt {->} \; \tilde{q} : \langle G'_1 \rangle ;G''_1\) such that: If \(G_2\) ends with an application of Open image in new window that introduces the same principal formulas, we have that \(G_2 = p \; \texttt {->} \; \tilde{q} : \langle G''_2 \rangle ;G'_2\). Since \(G_2\) has the same typing of \(G_1\), from rule Open image in new window we know that also \(G''_2\) and \(G'_2\) have the same typings of \(G''_1\) and \(G'_1\) respectively, because the rule directs precisely the distribution of roles and types by looking at the role annotations. The thesis now follows directly by induction hypothesis (since the proofs for the premises are smaller). Otherwise, by Lemma 1 we know that we can apply Lemma 2 to obtain a \(G_3\) such that: Open image in new window; and, the weight of the derivation of \(G_3\) is the same as that of the derivation of \(G_2\). By the correspondence between global types and coherence proofs, we know that: The thesis now follows by induction hypothesis on \(G''_3\) and \(G'_3\).
  • CaseOpen image in new window. This case is similar to that for Open image in new window.

  • Case !?. Here we have that \(G_1 = ? p \; \texttt {->} \; !\tilde{q} : \langle G'_1 \rangle \) such that: By hypothesis, we know that \(G_2 \vDash p\!:?A, \{q_i\!:!B_i\}_i\). That means that \(G_2\) has !? as last applied rule: The thesis now follows by induction hypothesis. \(\square \)

Projection and extraction The hallmark of the theory of multiparty session types is projection: developers can write protocols as global types, and then automatically project a global type onto a set of local types that can be used to modularly verify the behaviour of each participant. As there is only one possible rule application for each production in the syntax of global types, we can construct an algorithm that traverses the structure of \(G\):

Proposition 2

(Projection) Given \(G\), we can compute in linear time \(\varTheta \) (if it exists) such that \(G\vDash \varTheta \).

We can also use coherence for the inverse procedure, i.e., the extraction of a global type from a set of local typings \(\varTheta \). If \(\varTheta \) is coherent, we can just apply the first applicable coherence rule, noting that the sizes of the local types in the premises always get smaller:

Proposition 3

(Extraction) Given \(\varTheta \), we can compute G (if it exists) such that \(G \vDash \varTheta \).

Example 2

In the 2-buyer protocol, \(G \ \vDash \ \mathsf {B1}\!:A, \mathsf {B2}\!:B, \mathsf {S}\!:C\) implies: (i) we can infer A, B and C from \(G\) (proposition 2) and (ii) we can extract \(G\) from \(\mathsf {B1}\!:A, \mathsf {B2}\!:B, \mathsf {S}\!:C\) (proposition 3). This observation follows directly from the proof coherence, which we describe now. Three applications of the axiom \(1\bot \) rule yield:
$$\begin{aligned} \mathsf {end}\vDash & {} \mathsf {B1}\!:\bot , \mathsf {S}\!:1 \end{aligned}$$
(5)
$$\begin{aligned} \mathsf {end}\vDash & {} \mathsf {B2}\!:1, \mathsf {S}\!:1 \end{aligned}$$
(6)
$$\begin{aligned} \mathsf {end}\vDash & {} \mathsf {B1}\!:\bot , \mathsf {B2}\!:1, \mathsf {S}\!:1 \end{aligned}$$
(7)
We omit the annotations to \(\mathsf {end}\) for better readability. Next, we combine (5) and (6) using Open image in new window.Next, we combine (7) and (8) using Open image in new window to obtainThe corresponding global type isAnother application of Open image in new window with an axiom application in the right premiss
$$\begin{aligned} \mathsf {end}\vDash \mathsf {B1}\!:\bot , \mathsf {S}\!:1 \end{aligned}$$
yieldswith global typeWe repeat this operation three more times using rule Open image in new window on (9) with the appropriate instances of the axiom rule as right premisses and obtain the coherence proof of
$$\begin{aligned} \begin{array}{c} \vDash \mathsf {B1}\!:A, \mathsf {B2}\!:B, \mathsf {S}\!:C \end{array} \end{aligned}$$
with the appropriate global type:
Fig. 4

Global types, reduction semantics

Global reductions We define reductions for global types, denoted \(\tilde{G} \rightsquigarrow \tilde{G'}\), where \(\tilde{G}\) is a multiset \(\{G_1,\ldots ,G_n\}\). Global type reductions are just a convention (recalling [8]), which we use in Sect. 5 to concisely formalise how processes follow their protocols. Formally, \(\rightsquigarrow \) is the smallest relation satisfying the rules in Fig. 4. Rule Open image in new window models a communication that creates a new session of type \(G'\), which will then proceed in parallel to the continuation \(G\). Rule \(\mathsf {g}_{1\bot }\) models session termination. Rules Open image in new window and Open image in new window model the execution of a choice. In rules \(\mathsf {g}_{!?}, \mathsf {g}_{!C}\) and \(\mathsf {g}_{!W}\), a replicated protocol can be respectively executed exactly once, multiple, or zero times. Rule \(\mathsf {g}_{\mathsf {ctx}}\) lifts the behaviour of a protocol to a multiset of protocols executing concurrently. We abuse the notation \(\tilde{G},\tilde{G}'\) to indicate the union of the two multisets \(\tilde{G}\) and \(\tilde{G}'\). Finally, rule \(\mathsf {g}_{\mathsf {eq}}\) allows for swappings in a global type. In this rule, \(\tilde{G} \simeq ^{\mathsf {g}}\tilde{G}'\) is the point-wise extension of the swapping relation \(\simeq ^{\mathsf {g}}\) to multisets. Formally, \(\tilde{G} \simeq ^{\mathsf {g}}\tilde{G}'\) if and only if \(\tilde{G} = \{G_1,\ldots ,G_n\}, \tilde{G}' = \{G'_1,\ldots ,G'_n\}\), and \(G_i \simeq ^{\mathsf {g}}G'_i\) for all \(i \in [1,n]\). Our semantics preserves validity. Below we write that \(\tilde{G}\) is valid if all the \(G_i\) in \(\tilde{G}\) are valid.

Theorem 1

(Coherence preservation) If \(\tilde{G}\) is valid and \(\tilde{G} \rightsquigarrow \tilde{G'}\), then \(\tilde{G'}\) is valid.

Remark 1

Rule \(\mathsf {g}_{!?}\) can be derived from rules \(\mathsf {g}_{!C}\) and \(\mathsf {g}_{!W}\). Including it simplifies our presentation, since each global type reduction corresponds to a communication in MCP (Sect. 5).

Coherence as generalised duality Coherence is a generalisation of duality (from CLL [15]): in the degenerate case of a session with two participants, the two notions coincide. We recall the definition of duality \(X^{\bot }\), defined inductively on the syntax of linear logic propositions:We define a partial encoding \([\![\cdot ]\!]\) from local types into linear logic propositions:The encoding \([\![\cdot ]\!]\) is defined only when Open image in new window and \(\oplus \) are annotated with a single role. We get:

Proposition 4

(Coherence as duality) Let AB be propositions where all subterms of the form Open image in new window or \(C \oplus ^{\tilde{p}} D\) are such that \(\tilde{p} = q\) for some \(q\). Then, \([\![A]\!] = [\![B]\!]^{\bot }\) if and only if there exists \(G\) such that \(G \vDash p\!:A, q\!:B\).

Observe that, in Proposition 4, the \(G\) corresponding to the coherence proof for the validity of \(p\!:A, q\!:B\) is necessarily unique, since coherence is deterministic in the case of two propositions – the structures of the propositions force the order in which the rules must be applied.

4 Multiparty classical processes

In this section, we present Multiparty Classical Processes (MCP). MCP captures dependencies among actions performed by different participants in a multiparty session, whereas, in previous work, actions among different pairs of participants must be independent [6, 28]. We use the synchronous semantics from [18] for a simplicity of the presentation.

Environments Let \(\varGamma ,\varDelta \) range over typing environments:
$$\begin{aligned} \begin{array}{lll} \varGamma ,\varDelta&\ :{:=}\quad&\cdot \quad | \quad \varGamma , x^p\!:A \end{array} \end{aligned}$$
Intuitively, \(x^p\!:A\) means that role \(p\) in session \(x\) follows behaviour A. We write \(?\varDelta \) whenever \(\varDelta \) contains only types of the form ?A, and write \(\varDelta ,x^p\!:A\) only when \(x^p\) does not appear in \(\varDelta \).
Fig. 5

MCP, syntax of processes

Processes We report the syntax of processes in Fig. 5. In MCP, both input and output names are bound, as in [28]. Term (send) creates a new session \(y\) and sends it, as role \(p\), to the processes respectively playing roles \(\tilde{q}\) in session \(x\); then, the process proceeds as \(P\). The dual operation (recv) receives, as role \(p\) in session \(x\), a fresh session \(y\) from the process playing role \(q\); the process then proceeds as the parallel composition of \(P\) (dedicated to session \(y\)) and \(Q\) (dedicated to continuing session \(x\)). Similarly, terms (left sel) and (right sel) multicast a selection of a left or right branch respectively to the processes playing roles \(\tilde{q}\) in session \(x\), as role \(p\). A selection is received by term (case), which offers the two selectable branches. Terms (close) and (wait) terminate a session. Term (choice) is the standard non-deterministic choice. In a restriction (res), \(x\) is bound in the processes \(P_i\); we use the standard type annotation (as in [28]) to show the relation between the semantics of processes and global types in Sect. 5. In term \({x}^{p\, q}(y);(P\ \;\varvec{|}\ \;Q)\), \(y\) is bound in \(P\) but not in \(Q\). In terms \(\overline{x}^{\;p\, \tilde{q}}(y);{P}\), \(!x^p(y);P\), and \(?x^p(y);P\), \(y\) is bound in \(P\).

Judgements Judgements in MCP have the form \(P \vdash x_1^{p_1}\!:A_1,\ldots , x_n^{p_n}\!:A_n\), meaning that process \(P\) implements roles \(p_i\) in the respective session \(x_i\) with behaviour \(A_i\).

Rules We report the rules of MCP in Fig. 6. Intuitively, a process is typed with local types; then, we use coherence to check that the local types of composed processes (rule \(\mathsf {MCut}\)) coherently implement a global type. All rules are defined up to context exchange.
Fig. 6

MCP, typing rules

Rule \(\mathsf {MCut}\) is central: it extends the \(\mathsf {Cut}\) of CLL to composing in parallel an arbitrary number of \(P_i\) that communicate using session \(x\). The rule checks that the composition of the respective local behaviours of the composed processes is coherent (\(G \vDash \{p_i\!:A_i\}_i\)). In the conclusion, \(\{\varGamma _i\}_i\) is the disjoint union of all \(\varGamma _i\) in the premise.

Rule \(\otimes \) types an input \({x}^{p\, \!q}(y);(P\ \;\varvec{|}\ \;Q)\), where the subprocess \(P\) plays role \(p\) with behaviour A in the received multiparty session \(y\); session \(x\) then proceeds by following behaviour B for role \(p\) in \(Q\). Observe that the \(\otimes \) is annotated with the role \(q\) that \(p\) wishes to receive from. The multicast output \(\overline{x}^{\;\!p\, \!\tilde{q}}(y);{P}\) in rule Open image in new window creates a new session \(y\) and sends it, as role \(p\) in session \(x\), to roles \(\tilde{q}\). The new session \(y\) is used by \(P\) as role \(p\) with type A, assuming that the other processes receiving it implement the other roles (this assumption is checked by coherence in \(\mathsf {MCut}\), when processes are composed). We discuss in Sect. 8 how to relax the constraint that the role \(p\) played in session \(y\) is the same.

Rules \(\oplus _1\) and \(\oplus _2\) type, respectively, the multicast of a left and right selection, by checking that the process continuation follows the expected local type. Similarly, rule Open image in new window types a branching by checking that the continuations implement the respective expected local types.

Rule \(+\) types the nondeterministic process \(P + Q\), by checking that both \(P\) and \(Q\) implement the same local behaviours. Observe that \(P\) and \(Q\) may still be substantially different, since they may (i) perform different selections on some sessions (as rules \(\oplus _1\) and \(\oplus _2\) can yield the same typing), and (ii) have different inner compositions of processes whose types have been hidden by rule \(\mathsf {MCut}\).

Rules \(1\) and \(\bot \) type, respectively, the request and the acceptance for closing a multiparty session. Rules ! and ? type, respectively, the replicated offering of a service and its repeated usage (a client). Since a service typed by ! may be used multiple times, we require that its continuation does not use any linear behaviour (\(?\varDelta \)). Rules \(\mathsf {Weaken}\) and \(\mathsf {Contract}\) type, respectively, the absence of clients or the presence of multiple clients. In rule \(\mathsf {Contract}\), sessions \(y\) and \(z\) are contracted into a single session \(x\) with a standard name substitution, provided that they have the same type ?A.

5 Semantics

In this section, we demonstrate the consistency of MCP, by establishing a cut-elimination result that yields an operational semantics and important properties, e.g., deadlock-freedom.

5.1 Structural equivalences as commuting conversions

MCP supports commuting conversions, permutations of applications of \(\mathsf {MCut}\) that maintain the validity of judgements. As an example, consider the following proof equivalence (\(\equiv \)):Above, an output is moved out of a restriction of a different session (or in it, reading in the other direction), as in [28]. In this example, the output process is the first in the parallel under the restriction; in general, this is not always the case since the process may be any of those in the parallel composition. In order to represent equivalences independently of the position of processes in a parallel, we use process contexts [24]. A context, denoted by \(\mathcal C\), is a parallel composition with a hole: \( \mathcal C[\cdot ] :{:=} \cdot \quad |\quad \mathcal C[\cdot ]\! \ \;\varvec{|}\ \;\! P \quad |\quad P \!\ \;\varvec{|}\ \;\! \mathcal {C}[\cdot ] \). All equivalences are reported in Fig. 7. The equivalence \(\kappa _\mathsf {par}\) permutes processes in a parallel, since the premises of rule \(\mathsf {MCut}\) can be in any order. In \(\kappa _\mathsf {cut}\), we can swap two restrictions, which corresponds to swapping two applications of rule \(\mathsf {MCut}\). The equivalence Open image in new window shows that a restriction can always be swapped with an output on a different session. Similarly, the equivalence \(\kappa _\otimes \) swaps a restriction with an input, requiring that the restricted name (\(z\) in this case) occurs free in \(P\). In the case of \(\oplus \), we have two equivalences, corresponding to the right and left selection respectively. For \( \kappa _{ \& }\), we can move a restriction to each branch of a case construct, also duplicating the context \(\mathcal C\). Equivalences \(\kappa _!\) and \(\kappa _?\) allow to swap a restriction with a service and a client respectively. Finally, \(\kappa _\bot \) is the case for \(\mathsf {wait}\, x^{p}\). There is no equivalence for the process \(\mathsf {close}\, x^{p}\) since it is only typable with the axiom \(1\).
Fig. 7

MCP, structural equivalences

5.2 Process reductions as MCut reductions

As for equivalences, we use our proof theory to derive reductions for processes, given in Fig. 8. The full proof derivations of such reductions are given in the Appendix. In the reduction Open image in new window, the output from role \(p\) to roles \(\tilde{q}\) on session \(x\) is matched with the inputs at such roles, creating a new session \(y\), following the global type of \(x\). Reductions Open image in new window and Open image in new window capture the left and right multicast selection of a branching, respectively. In \(\beta _{!?}\), a set of services with a single client is reduced to the composition of the bodies of such services with that of the client; the type \(? p \; \texttt {->} \; !\tilde{q} : \langle G \rangle \) of \(x\) is correspondingly reduced to \(G\). Reduction \(\beta _{!W}\) garbage collects a set of unused services. In \(\beta _{!C}\), instead, a set of services is replicated to handle multiple clients. Finally, reduction \(\beta _{1\bot }\) terminates a session \(x\).
Fig. 8

MCP, cut reductions

5.3 Properties

In the remainder, we abuse the notation \(P \rightarrow P'\) to refer to process reductions closed up to our structural equivalence \(\equiv \), as in standard process calculi. We restrict \(P \rightarrow P'\) to be a top-level reduction, i.e., we do not allow reductions of sub-terms in \(P\). This does not introduce any loss of generality, as in [28].

Processes and types Since both equivalences and reductions are derived from judgement-preserving proof transformations, we immediately obtain the following two properties:

Theorem 2

(Subject congruence) \(P \vdash \varDelta \) and \(P \equiv Q\) imply that \(Q \vdash \varDelta \).

Theorem 3

(Subject reduction) \(P \vdash \varDelta \) and \(P \rightarrow Q\) imply that \(Q \vdash \varDelta \).

In Fig. 8, global type annotations should not be mistaken for a requirement of our reductions; they are rather a guarantee given by our proof theory: if a process is reducible, then its sessions are surely typed with the respective global types reported in the rule. We use this property to reconstruct the result of session fidelity from multiparty session types [17]. In the following, \(\mathsf {gt}(P)\) denotes the multiset of global types used in the restrictions inside \(P\).

Theorem 4

(Session fidelity) \(P \vdash \varDelta \) and \(P \rightarrow P'\) imply that either \(\mathsf {gt}(P) \rightsquigarrow \mathsf {gt}(P')\) or \(\mathsf {gt}(P) \simeq ^{\mathsf {g}}\mathsf {gt}(P')\).

Proof

(Sketch) First, we observe that we can disregard structural equivalences (\(\equiv \)) without any loss of generality, because \(\equiv \) does not change the global types in \(P\). We now proceed by cases on the reduction applied to \(P\), from Fig. 8. For all such cases, we observe that the global types involved in the reduction are transformed according to the rules for the semantics of global types. \(\square \)

Deadlock freedom Processes in MCP are guaranteed to be deadlock free. We use the standard methodology from [6, 28]. First, we prove that the \(\mathsf {MCut}\) rule in MCP is admissible:

Theorem 5

(MCut Admissibility) \(P_i \vdash \varGamma _i, x^{p_i}\!:A_i\), for \(i\in [1,n]\), and \(G \vDash \{p_i\!:A_i\}_i\) imply that there exists \(Q\) such that \(Q \vdash \{\varGamma _i\}_i\).

Proof

By induction on the sizes of the proofs for \(P_i \vdash \varDelta _i, x^{p_i}\!:A_i\) and the formulae \(A_i\). If a reduction from Fig. 8 is applicable, then we apply it. For all such reductions, we can observe that the size of the proof and/or the formulae decrease in the right-hand side, and therefore the thesis follows by induction hypothesis. Otherwise, we can apply one of the commuting conversions from Fig. 7. In this case, the proof gets smaller while the formulae stay the same.

Our case coverage is complete, because when a commuting conversion cannot be applied we can always apply a reduction. In fact, commuting conversions cannot be applied only if all proofs for \(P_i\) end with an application of a rule with principal variable x. But if that is the case, then by coherence we have that there must be at least two proofs for \(P_k\) and \(P_j\) that have compatible types and can be reduced. \(\square \)

The admissibility of \(\mathsf {MCut}\) gives us a methodology for removing cuts from a proof, corresponding to executing communications in a process until all restrictions are eliminated. However, the indiscriminate application of cut reductions inside of proofs allows for executing communications under input prefixes. This is not in line with the standard operational formulation of process calculi, where this kind of reductions are usually not allowed. Therefore, it is also useful to prove that all restrictions that appear at the top-level can be eliminated without reducing prefixed sub-terms. Below, we say that \(P\) is a restriction if it is of the form \((\varvec{\nu }x\!:G)\,(\prod _i P_i)\), and we write \(\rightarrow ^+\) for one or more applications of \(\rightarrow \).

Corollary 1

(Deadlock freedom) \(P \!\vdash \!\!\varDelta \) and \(P\) is a restriction imply \(P \!\rightarrow ^+\! Q\) for some \(Q\) that is not a restriction.

Proof

The proof follows the same structure as that presented in [28] for the calculus CP, only generalised from the \(\mathsf {Cut}\) rule in Classical Linear Logic to rule \(\mathsf {MCut}\) in MCP.

Since \(P\) is a restriction, the last applied rule in the proof of \(P\) is \(\mathsf {MCut}\). We now proceed by cases on the last applied rules of the premises of such \(\mathsf {MCut}\). If one of the premises is itself an \(\mathsf {MCut}\), we recursively eliminate it. Otherwise, either: all premises are logical rules that act on the restriction variable, thus we can apply a reduction from Fig. 8; or, at least one premise is a logical rule that acts on a variable other than the restriction variable, thus we can apply a commuting conversion from Fig. 7. \(\square \)

6 The 2-buyer protocol example

We now formalise the 2-buyer protocol from Sect. 2 and expand it further.

Processes and types Roles \(\mathsf {B1}\), \(\mathsf {B2}\) and \(\mathsf {S}\) are implemented as the processes:The first process is the first buyer \(\text {Buyer1}\). In the second process, the second buyer \(\text {Buyer2}\), subterm \(P_{B2}\) implements the choice of whether to accept or reject the purchase:Finally, in the third process, the implementation of the seller, \(P_S\) is the process:At the level of types, the local types in Example 1 from Sect. 3 can be used to type the three processes above: \(\text {Buyer1}\vdash x^{\mathsf {B1}}\!:A, z^{\mathsf {Z}}\!:1\), \(\text {Buyer2}\vdash x^{\mathsf {B2}}\!:B\) and \(\text {Seller}\vdash x^{\mathsf {S}}\!:C\). If we apply our new cut rule, we obtain \( (\varvec{\nu }x:G)\,\big (\text {Buyer1}\ \ \;\varvec{|}\ \;\ \text {Buyer2}\ \ \;\varvec{|}\ \;\ \text {Seller}\big )\vdash z^{\mathsf {Z}}\!:1 \) where the global type \(G\), corresponding to equation (1) in Sect. 2, is such that \(G\ \vDash \ \mathsf {B1}\!:A, \mathsf {B2}\!:B, \mathsf {S}\!:C\).
Nested multiparty sessions We can extend the example above by implementing the global type (4) in Sect. 2, where the first buyer creates a sub-session with the seller if the second buyer decides not to contribute to the purchase. Below, we give an excerpt of the new seller:where \(\small P_{\mathsf {sub}}\ =\ {y^{\mathsf {S}\, \mathsf {B1}}}.\mathsf {case} \left( \begin{array}{lll} {y}^{\mathsf {S} \, \mathsf {B1}}(addr); (\mathsf {close}\, addr^{\mathsf {S}} \!\ \;\varvec{|}\ \;\! \mathsf {close}\, y^{\mathsf {S}}), \\ {y}^{\mathsf {S} \, \mathsf {B1}}(\textit{why}); (\mathsf {close}\, \textit{why}^{\mathsf {S}} \!\ \;\varvec{|}\ \;\! \mathsf {close}\, y^{\mathsf {S}}) \end{array} \right) \). Hence, the type of channel x, from the seller’s viewpoint, becomes:1We can then use coherence to infer the global type (4) in Sect. 2.
Services We extend the example to support multiple clients on a replicated session a:where \(\text {Buyers}\) is the process: \((\varvec{\nu }z\!:\!\mathsf {end})\,(\, ?a^\mathsf {B1}(x);\text {Buyer1} \!\ \;\varvec{|}\ \;\! ?a^\mathsf {B1}(x);\text {Buyer1}')\). Process \(\text {Buyer1}'\) initially behaves as \(\text {Buyer1}\), but we replaced the term \(\mathsf {close}\, z^{\mathsf {Z}}\) with the term \(\mathsf {wait}\, z^{\mathsf {Z}}; \mathsf {close}\, w^{\mathsf {W}}\). By applying \(\beta _{!C}\) once, \(\beta _{!?}\) twice, and commuting conversions, the process above can be reduced to the parallel composition of two sessions that follow the 2-buyer protocol:

7 Relation to linear logic

In this section, we elaborate on the relationship between MCP and Classical Linear Logic (CLL). For the reader’s convenience, the rules defining CLL are reported in Fig. 9. With a slight abuse of notation, we consider CLL without the axiom for initial sequents \(\vdash A,A^{\bot }\) and the rule for the additive unit \(\top \). We did not consider these rules in the development of MCP, since they do not contribute to our main aim of capturing multiparty session types but rather are interesting orthogonal extensions that we leave for future work. For example, adding the axiom has been shown to be useful in capturing polymorphism [28]. In the rest of this section, we also do not consider rule \(+\) in MCP since it does not add any expressivity to the underlying proof theory.
Fig. 9

Classical Linear Logic (CLL)

The rules of MCP and CLL look very similar. Thus, it is natural to ask whether there is any difference in the judgements that can be derived in the two systems. Interestingly, we find out that the sets of derivable judgements in the two systems are identical. Recall the encoding \([\![\cdot ]\!]\) from Sect. 3, which removes annotations from types in MCP. We extend it to environments \(\varGamma \) in MCP by adding the straightforward rules:
$$\begin{aligned} \begin{array}{ll} [\![\cdot ]\!] = \cdot&\qquad \qquad [\![\varGamma ,x^p\!:A]\!] = [\![\varGamma ]\!],[\![A]\!] \end{array} \end{aligned}$$
Let us write \(\vdash \varGamma \) in MCP whenever \(P \vdash \varGamma \) in MCP for some \(P\). Then, we can prove the following result.

Theorem 6

(Derivable Judgements in MCP and CLL) \(\vdash \varGamma \) in MCP if and only if \(\vdash [\![\varGamma ]\!]\) in CLL.

Proof

Observe that removing proof terms in MCP yields a pure logic that differs from CLL only for two aspects. Firstly, rule \(\mathsf {MCut}\) in MCP is different from rule \(\mathsf {Cut}\) in CLL. Secondly, propositions in MCP are annotated with roles and the channels they type. However, we know that rule \(\mathsf {MCut}\) is admissible in MCP (Theorem 5), just like rule \(\mathsf {Cut}\) is admissible in CLL [15]. Therefore, when evaluating the expressivity of the two systems wrt the derivability of judgements, we can limit our comparison to the cut-free fragments of MCP and CLL without loss of generality. The only difference between these two fragments is that MCP propositions are annotated with channels and roles. But such annotations are used only by rule \(\mathsf {MCut}\) and can be freely chosen in all other rules. As a consequence, cut-free MCP is completely equivalent to the system with the same rules but without annotations; CLL is that system. \(\square \)

Our proof of Theorem 6 relies on the fact that rule \(\mathsf {MCut}\) in MCP and rule \(\mathsf {Cut}\) in CLL do not add any new provable judgements to their respective systems. We now move from judgements to proofs. What is the difference between the sets of proofs that can be respectively constructed in MCP and CLL? Since coherence coincides with duality (Proposition 4) in the case of sessions with two participants, it is straightforward to show that an application of \(\mathsf {Cut}\) in CLL corresponds to an application of \(\mathsf {MCut}\) in MCP. Formally, let us write \(\mathcal {P}\vdash _{\mathsf {2}} \varGamma \) for a judgement derived in MCP with proof \(\mathcal {P}\) by using only “binary” applications of \(\mathsf {MCut}\), i.e., where the number of processes composed at each application of \(\mathsf {MCut}\) is exactly two. We write \([\![\mathcal {P}]\!]\) for the encoding of \(\mathcal {P}\) in MCP into a proof in CLL, defined as an homomorphism where the only relevant change is that each application of a binary \(\mathsf {MCut}\) is replaced with an equivalent application of rule \(\mathsf {Cut}\), as follows (we omit the proof terms):We can now prove:

Theorem 7

(Binary MCP and CLL) \(\mathcal {P}\vdash _{\mathsf {2}} \varGamma \) in MCP if and only if \([\![\mathcal {P}]\!] \vdash [\![\varGamma ]\!]\) in CLL.

Proof

By induction on the construction of \([\![\mathcal {P}]\!]\). The interesting case is that of \(\mathsf {MCut}\). The thesis follows from Proposition 4. \(\square \)

Theorem 7 cannot be generalised to all of MCP, since CLL cannot compose more than two proofs at the same time as done in our rule \(\mathsf {MCut}\). Hence, \(\mathsf {MCut}\) must be somehow simulated using a different proof structure. An interesting line of work in this direction is the notion of “medium processes” studied in [4]. Given some processes that have compatible local types for a multiparty session, as composed in our rule \(\mathsf {MCut}\), a medium process corresponds to a proof in (intuitionistic) linear logic that can be composed with such processes using the standard \(\mathsf {Cut}\) rule. This medium process is synthesised by the original global type used to type the processes and acts as a middleware: all communications over the session are centralised on the medium, which distributes messages to the processes by following the original global type. This approach adds a layer of indirection (processes do not communicate directly, but through the medium) that is not present in the original theory of multiparty session types, and is also not necessary in MCP. However, it points to an interesting relationship between global types and the class of proofs in linear logic that correspond to medium processes (P. Wadler, personal communication, 2015).

8 Related work and discussion

Curry–Howard correspondences for session types. The works closest to ours are the Curry–Howard correspondences between binary session types and linear logic [6, 28]. We extended this line of work considerably by introducing multiparty sessions, which required generalising the notion of type compatibility in linear logic to address multiple types (coherence). Coherence reconstructs the standard relationship between the global and local views found in multiparty session types. We then used coherence to develop a new proof theory that conservatively extends linear logic to capture multiparty interactions (all derivable judgements in linear logic are derivable also in our framework, and vice versa). Furthermore, our work provides, for the first time, a notion of session fidelity in the context of a Curry–Howard correspondence between linear logic and session types (Sect. 5, Theorem 4). In this work we have not treated polymorphism and existential/universal quantification, which we believe can be naturally added to MCP following the lines presented in [5, 28] for binary sessions.

Our work inverts the interpretation of \(\otimes \) as output and Open image in new window as input given in [3]. This makes our process terms in line with previous developments of multiparty session types, where communications go from one sender to many receivers [12]. Using the standard interpretation would yield a join mechanism where multiple senders synchronise with a single receiver. Formally, in the standard interpretation of \(\otimes \) as output and Open image in new window as input, the rules for \(\otimes \) and Open image in new window in MCP and Open image in new window in coherence would be as follows:Note that there would be no need to re-prove our results, since the proof theory would not change.

The standard cut rule in CLL forces the graph of connections among processes to be a tree [1], a known sufficient condition for deadlock-freedom in session types [7]. A multi-cut rule is proposed in [1] to allow two processes to share multiple channels. This enables reasoning on networks with cyclic inter-connections, but breaks the deadlock-freedom property guaranteed by linear logic, since duality is no longer a sufficient condition when multiple resources are involved (also noted in [28]). For the first time, MCP processes can have cyclic inter-connections (e.g., our example in Sect. 2), but they are still guaranteed to be deadlock-free. The key twist is to use coherence as a principle to check that the inter-connections are safely resolved by communications. This suggests that coherence may be useful also in other settings related to linear logic, for reasoning about the sharing of resources among multiple entities (in our case, sessions). We leave this investigation as interesting future work.

Multiparty session types (MPSTs) Our work concisely unifies many of the ideas found in separate developments of multiparty session types. Our global types with multicasting are inspired from [12], to which we added nested and replicated types; both additions arise naturally from our proof theory. Our nesting of global types can be seen as a logical reconstruction of (a simplification of) those originally presented in [13], while repetitions in global types reconstruct the concept presented in [10].

Our proof system for coherence is inspired by the notion of well-formedness found in MPSTs [12, 17], in the context of synchronous communications [2]. Since coherence is a proof system, projection and extraction are derived from proof equivalences, rather than being defined separately as in [17, 19]. A benefit is that our projection and extraction are guaranteed to be correct by construction, whereas in previous works they have to be proven correct separately wrt the auxiliary notion of well-formedness.

In [12], MPSTs are combined with an ordering on session names to guarantee deadlock-freedom. Our deadlock-freedom result, instead, is based on the structure of our proofs. In some cases, our technique is more precise; for example, consider the deadlock-free system:If we compose these processes in parallel, restricting sessions \(a\) and \(b\) accordingly, we obtain a typable MCP process. Instead, the system in [12] rejects it, since the actions performed by the first process create a cycle between the names \(x_a\) and \(x_b\). In [23], the approach in [12] is refined to type processes such as the one above by ordering the I/O actions of each session.

We conjecture that MCP can be used to naturally extend the work in [9], where linear logic is used to type choreography programs, obtaining a Curry–Howard correspondence for the calculus of compositional choreographies typed with multiparty session types [22].

Coherence Coherence can be generalised, e.g., in Fig. 2: (1) rule !? could allow for more than one client; (2) similarly, rule \(1\bot \) could be relaxed to allow for more than one \(\bot \) type; (3) rule Open image in new window could allow the involved participants to play different roles in the nested session they create, as in [13] (adding such roles as an extra annotation to each type respectively). We leave these extensions as interesting future work. Point (2) influences greatly the complexity of the cut admissibility proof for MCP (Theorem 5), because it would imply that the cut reduction of a terminated session could lead to having more than one process in the reductum (all the processes typed with \(\bot \)), whereas now we have only one. This means that we would have to type a parallel composition of processes without restriction, requiring to extend our framework in the fashion of the logic presented in [9]. While extending the proof theory of MCP would be easy, (extending coherence to allow for missing participants to be added later, as in [22]), it would also cause an explosion in the number of cases to consider in the proof [9]. As future work, we will investigate how our rule \(\mathsf {MCut}\) and the notion of coherence can affect the mapping from the functional language GV [21, 28].

In [11], a proof system similar to the multiplicative-additive fragment without channel passing of our coherence is embedded in the calculus of constructions. Differently from our approach, no correspondence between global types and proofs is provided; hence, extraction does not follow automatically from the theory (and is not presented).

Footnotes

  1. 1.

    \(1 \otimes B2 1\) or \(1 \otimes B2 \bot \)?

Notes

Acknowledgements

We thank Kim Skak Larsen and the anonymous reviewers for their useful comments. Montesi was supported by CRC (Choreographies for Reliable and efficient Communication software), grant no. DFF–4005-00304 from the Danish Council for Independent Research. Schürmann was partly supported by DemTech, grant no. 10-092309 from the Danish Council for Strategic Research. Yoshida was partially sponsored by the EPSRC EP/K011715/1, EP/K034413/1, EP/L00058X/1, and EU project FP7-612985 UpScale. This work is also supported by the COST Action IC1201 BETTY.

References

  1. 1.
    Abramsky, S., Gay, S.J., Nagarajan, R.: Interaction categories and the foundations of typed concurrent programming. In: NATO ASI DPD, pp. 35–113 (1996)Google Scholar
  2. 2.
    Bejleri, A., Yoshida, N.: Synchronous multiparty session types. Electr. Notes Theor. Comput. Sci. 241, 3–33 (2009)CrossRefGoogle Scholar
  3. 3.
    Bellin, G., Scott, P.J.: On the pi-calculus and linear logic. Theor. Comput. Sci. 135(1), 11–65 (1994)MathSciNetCrossRefMATHGoogle Scholar
  4. 4.
    Caires, L., Pérez, J.A.: A typeful characterization of multiparty structured conversations based on binary sessions. CoRR, abs/1407.4242 (2014)Google Scholar
  5. 5.
    Caires, L., Pérez, J.A., Pfenning, F., Toninho, B.: Behavioral polymorphism and parametricity in session-based communication. In: ESOP, pp. 330–349 (2013)Google Scholar
  6. 6.
    Caires, L., Pfenning, F.: Session types as intuitionistic linear propositions. In: CONCUR, pp. 222–236 (2010)Google Scholar
  7. 7.
    Carbone, M., Debois, S.: A graphical approach to progress for structured communication in web services. In: Proceedings of ICE’10 (2010)Google Scholar
  8. 8.
    Carbone, M., Montesi, F.: Deadlock-freedom-by-design: multiparty asynchronous global programming. In: POPL, pp. 263–274 (2013)Google Scholar
  9. 9.
    Carbone, M., Montesi, F., Schürmann, C.: Choreographies, logically. In: CONCUR, pp. 47–62 (2014)Google Scholar
  10. 10.
    Castagna, G., Dezani-Ciancaglini, M., Padovani, L.: On global types and multi-party session. LMCS, 8(1), 1–45 (2012)Google Scholar
  11. 11.
    Ciobanu, Gabriel, Horne, Ross: Behavioural analysis of sessions using the calculus of structures. In: Proceedings of the 10th International Andrei Ershov Informatics Conference, Perspectives of System Informatics (PSI 2015), volume to appear of LNCS. Springer (2016)Google Scholar
  12. 12.
    Coppo, M., Dezani-Ciancaglini, M., Yoshida, N., Padovani, L.: Global progress for dynamically interleaved multiparty sessions. MSCS 760, 1–65 (2015)MATHGoogle Scholar
  13. 13.
    Demangeon, R., Honda, K.: Nested protocols in session types. In: CONCUR, pp. 272–286 (2012)Google Scholar
  14. 14.
    Deniélou, P.-M., Yoshida, N.: Multiparty compatibility in communicating automata: characterisation and synthesis of global session types. ICALP 2, 174–186 (2013)MathSciNetMATHGoogle Scholar
  15. 15.
    Girard, J.-Y.: Linear logic. Theor. Comput. Sci. 50, 1–102 (1987)MathSciNetCrossRefMATHGoogle Scholar
  16. 16.
    Honda, K., Vasconcelos, V., Kubo, M.: Language primitives and type disciplines for structured communication-based programming. In: ESOP, pp. 22–138 (1998)Google Scholar
  17. 17.
    Honda, K., Yoshida, N., Carbone, M.: Multiparty asynchronous session types. In: Proceedings of POPL, vol. 43(1), pp. 273–284. ACM (2008)Google Scholar
  18. 18.
    Kouzapas, D., Yoshida, N.: Globally governed session semantics. LMCS 10 (2015)Google Scholar
  19. 19.
    Lange, J., Tuosto, E.: Synthesising choreographies from local session types. In: CONCUR, pp. 225–239 (2012)Google Scholar
  20. 20.
    Lange, J., Tuosto, E., Yoshida, N.: From communicating machines to graphical choreographies. In: POPL 2015, pp. 221–232. ACM (2015)Google Scholar
  21. 21.
    Lindley, S., Garrett M.J.: A semantics for propositions as sessions. In: ESOP, pp. 560–584 (2015)Google Scholar
  22. 22.
    Montesi, F., Yoshida, N.: Compositional choreographies. In: CONCUR, pp. 425–439 (2013)Google Scholar
  23. 23.
    Padovani, L., Vasconcelos, V.T., Vieira, H.T.: Typing liveness in multiparty communicating systems. In: COORDINATION, pp. 147–162 (2014)Google Scholar
  24. 24.
    Sangiorgi, D., Walker, D.: The \(\pi \)-calculus: A Theory of Mobile Processes. Cambridge University Press, Cambridge (2001)MATHGoogle Scholar
  25. 25.
    Scribble Project Home Page. http://www.scribble.org
  26. 26.
    Vasconcelos, V.T.: Fundamentals of session types. Inf. Comput. 217, 52–70 (2012)MathSciNetCrossRefMATHGoogle Scholar
  27. 27.
    Wadler, P.: Propositions as sessions. In: ICFP, pp. 273–286 (2012)Google Scholar
  28. 28.
    Wadler, P.: Propositions as sessions. J. Funct. Prog. 24(2–3), 384–418 (2014)MathSciNetCrossRefMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  1. 1.IT University of CopenhagenCopenhagenDenmark
  2. 2.University of Southern DenmarkOdenseDenmark
  3. 3.Imperial College LondonLondonUK

Personalised recommendations