Characteristic Formulae for Session Types
 5 Citations
 1.2k Downloads
Abstract
Subtyping is a crucial ingredient of session type theory and its applications, notably to programming language implementations. In this paper, we study effective ways to check whether a session type is a subtype of another by applying a characteristic formulae approach to the problem. Our core contribution is an algorithm to generate a modal \(\mu \)calculus formula that characterises all the supertypes (or subtypes) of a given type. Subtyping checks can then be offloaded to model checkers, thus incidentally yielding an efficient algorithm to check safety of session types, soundly and completely. We have implemented our theory and compared its cost with other classical subtyping algorithms.
1 Introduction
Motivations. Session types [25, 26, 41] have emerged as a fundamental theory to reason about concurrent programs, whereby not only the data aspects of programs are typed, but also their behaviours wrt. communication. Recent applications of session types to the reverseengineering of large and complex distributed systems [13, 30] have led to the need of handling potentially large and complex session types. Analogously to the current trend of modern compilers to rely on external tools such as SMTsolvers to solve complex constraints and offer strong guarantees [17, 24, 32, 33], stateoftheart model checkers can be used to offload expensive tasks from session type tools such as [30, 38, 43].
A typical use case for session types in software (reverse) engineering is to compare the type of an existing program with a candidate replacement, so to ensure that both are “compatible”. In this context, a crucial ingredient of session type theory is the notion of subtyping [10, 15, 20] which plays a key role to guarantee safety of concurrent programs while allowing for the refinement of specifications and implementations. Subtyping for session types relates to many classical theories such as simulations and preorders in automata and process algebra theories; but also to subtyping for recursive types in the \(\lambda \)calculus [5]. The characteristic formulae approach [1, 2, 3, 12, 22, 39, 40], which has been studied since the late eighties as a method to compute simulationlike relations in process algebra and automata, appears then as an evident link between subtyping in session type theory and model checking theories. In this paper, we make the first formal connection between session type and model checking theories, to the best of our knowledge. We introduce a novel approach to session types subtyping based on characteristic formulae; and thus establish that subtyping for session types can be decided in quadratic time wrt. the size of the types. This improves significantly on the classical algorithm [21]. Subtyping can then be reduced to a model checking problem and thus be discharged to powerful model checkers. Consequently, any advance in model checking technology has an impact on subtyping.
In Sect. 3.2, we will see that a session type can be naturally transformed into a \(\mu \)calculus formula that characterises all its subtypes. The transformation notably relies on the diamond modality to make some branches mandatory, and the box modality to allow some branches to be made optional; see Example 2.
Contribution and Synopsis. In Sect. 2 we recall session types and give a new abstract presentation of subtyping. In Sect. 3 we present a fragment of the modal \(\mu \)calculus and, following [39], we give a simple algorithm to generate a \(\mu \)calculus formula from a session type that characterises either all its subtypes or all its supertypes. In Sect. 4, building on results from [10], we give a sound and complete modelchecking characterisation of safety for session types. In Sect. 5, we present two other subtyping algorithms for session types: Gay and Hole’s classical algorithm [21] based on inference rules that unfold types explicitly; and an adaptation of Kozen et al.’s automatatheoretic Algorithm [28]. In Sect. 6, we evaluate the cost of our approach by comparing its performances against the two algorithms from Sect. 5. Our performance analysis is notably based on a tool that generates arbitrary wellformed session types. We conclude and discuss related works in Sect. 7. Due to lack of space, full proofs are relegated to an online appendix [31]. Our tool and detailed benchmark results are available online [29].
2 Session Types and Subtyping
Session types are abstractions of the behaviour of a program wrt. the communication of this program on a given session (or conversation), through which it interacts with another program (or component).
2.1 Session Types
A session type \(T \in \mathcal {T}_{ c }\) induces a (finite) labelled transition system (LTS) according to the rules in Fig. 1. We write \(T \xrightarrow {{{{\mathrm{\dagger }}} a}}\) if there is \(T' \in \mathcal {T}\) such that \(T \xrightarrow {{{{\mathrm{\dagger }}} a}} T'\) and write \(T \!\!\nrightarrow \) if \(\forall {{{\mathrm{\dagger }}} a}\in \mathcal {A}\, : \,\lnot (T \xrightarrow {{{{\mathrm{\dagger }}} a}} )\).
2.2 Subtyping for Session Types
Subtyping for session types was first studied in [20] and further studied in [10, 15]. It is a crucial notion for practical applications of session types, as it allows for programs to be refined while preserving safety.
We give a definition of subtyping which is parameterised wrt. operators \(\oplus \) and Open image in new window , so to allow us to give a common characteristic formula construction for both the subtype and the supertype relations, cf. Sect. 3.2. Below, we let \(\maltese \) range over Open image in new window . When writing Open image in new window , we take the convention that \({{\mathrm{\dagger }}}\) refers to ! iff \(\maltese \) refers to \(\oplus \) (and viceversa for ? and Open image in new window ). We define the (idempotent) duality operator Open image in new window as follows: Open image in new window , Open image in new window , \(\overline{!} \overset{{\text {def}}}{=}?\), and \(\overline{?} \overset{{\text {def}}}{=}!\).
Definition 1
We comment Definition 1 assuming that \(\maltese \) is set to \(\oplus \). Rule Open image in new window says that a type Open image in new window can be replaced by a type that offers no more messages, e.g., \({{\mathrm{!}}} a {{\mathrm{\unlhd }}}^{{\small \,\oplus }} {{\mathrm{!}}} a \oplus {{\mathrm{!}}} b \). Rule Open image in new window says that a type Open image in new window can be replaced by a type that is ready to receive at least the same messages, e.g., Open image in new window . Rule Open image in new window is trivial. It is easy to see that Open image in new window . In fact, we can recover the subtyping of [10, 15] (resp. [20, 21]) from Open image in new window , by instantiating \(\maltese \) to \(\oplus \) (resp. Open image in new window ).
Example 1
Consider the session types from (3), we have \(T_1 {{\mathrm{\unlhd }}}^{{\small \,\oplus }} U_1\), Open image in new window , \(T_2 {{\mathrm{\unlhd }}}^{{\small \,\oplus }} U_2\), and Open image in new window .
Hereafter, we will write \({{\mathrm{\leqslant }}}\) (resp. \({{\mathrm{\geqslant }}}\)) for the preorder \({{\mathrm{\unlhd }}}^{{\small \,\oplus }}\) (resp. Open image in new window ).
3 Characteristic Formulae for Subtyping
We give the core construction of this paper: a function that given a (closed) session type T returns a modal \(\mu \)calculus formula [27] that characterises either all the supertypes of T or all its subtypes. Technically, we “translate” a session type T into a modal \(\mu \)calculus formula \(\phi \), so that \(\phi \) characterises all the supertypes of T (resp. all its subtypes). Doing so, checking whether T is a subtype (resp. supertype) of U can be reduced to checking whether U is a model of \(\phi \), i.e., whether \(U \models \phi \) holds.
The constructions presented here follow the theory first established in [39]; which gives a characteristic formulae approach for (bi)simulationlike relations over finitestate processes, notably for CCS processes.
3.1 Modal \(\mu \)calculus
3.2 Characteristic Formulae
We now construct a \(\mu \)calculus formula from a (closed) session types, parameterised wrt. a constructor \(\maltese \). This construction is somewhat reminiscent of the characteristic functional of [39].
Definition 2
Given \(T \in \mathcal {T}_{ c }\), \(\,{{{\varvec{F}}}}(T,\oplus )\) is a \(\mu \)calculus formula that characterises all the supertypes of T; while Open image in new window characterises all its subtypes. For the sake of clarity, we comment on Definition 2 assuming that \(\maltese \) is set to Open image in new window . The first case of the definition makes every branch mandatory. If \(T = \bigoplus _{i \in I} {{{\mathrm{!}}} a _{i}} . \, {T}_{i}\), then every internal choice branch that T can select must also be offered by a supertype, and the relation must hold after each selection. The second case makes every branch optional but requires at least one branch to be implemented. If Open image in new window , then (i) for each of the \({{\mathrm{?}}} a_i \)branch offered by a supertype, the relation must hold in its \({{\mathrm{?}}} a_i \)derivative, (ii) a supertype must offer at least one of the \({{\mathrm{?}}} a_i \) branches, and (iii) a supertype cannot offer anything else but the \({{\mathrm{?}}} a_i \) branches. If \(T = \mathtt {end}\), then a supertype cannot offer any behaviour (recall that \(\bot \) does not hold for any type). Recursive types are mapped to greatest fixpoint constructions.
Lemma 1 below states the compositionality of the construction, while Theorem 1, our main result, reduces subtyping checking to a model checking problem. A consequence of Theorem 1 is that the characteristic formula of a session type precisely specifies the set of its subtypes or supertypes.
Lemma 1
The proof is by structural induction, see appendix [31].
Theorem 1
The proof essentially follows the techniques of [39], see appendix [31].
Corollary 1
The proof is by Theorem 1 and \({{\mathrm{\leqslant }}}= {{\mathrm{\unlhd }}}^{{\small \,\oplus }}\), Open image in new window , \({{\mathrm{\leqslant }}}= {{\mathrm{\geqslant }}}^{1}\), and Open image in new window .
Proposition 1
For all \(T, U \in \mathcal {T}_{ c }\), deciding whether or not \(U \models \,{{{\varvec{F}}}}(T,\maltese )\) holds can be done in time complexity of \(\mathcal {O}(T \times U )\), in the worst case; where \(T \) stands for the number of states in the LTS induced by T.
This follows from [12], since the size of \(\,{{{\varvec{F}}}}(T,\maltese )\) increases linearly with \(T \).
Example 2
4 Safety and Duality in Session Types
A key ingredient of session type theory is the notion of duality between types. In this section, we study the relation between duality of session types, characteristic formulae, and safety (i.e., error freedom). In particular, building on recent work [10] which studies the preciseness of subtyping for session types, we show how characteristic formulae can be used to guarantee safety. A system (of session types) is a pair of session types T and U that interact with each other by synchronising over messages. We write \(T {{\mathrm{\,  \,}}}U\) for a system consisting of T and U and let S range over systems of session types.
Definition 3
Definition 3 says that two types interact whenever they fire dual operations.
Example 3
Definition 4
 (a)
Open image in new window and Open image in new window , with \(\maltese \) fixed;
 (b)
Open image in new window and Open image in new window ; and \(\exists i \in I \, : \,\forall j \in J \, : \,a_i \ne a_j\), with \(h \ne g \in \{1,2\}\); or
 (c)
\(T_h = \mathtt {end}\) and Open image in new window , with \(h \ne g \in \{1,2\}\).
We say that \(S = T {{\mathrm{\,  \,}}}U\) is safe if for all \(S' \, : \,S \xrightarrow {}^{*}S'\), \(S'\) is not an error. \(\diamond \)
A system of the form (a) is an error since both types are either attempting to send (resp. receive) messages. An error of type (b) indicates that some of the messages cannot be received by one of the types. An error of type (c) indicates a system where one of the types has terminated while the other still expects to send or receive messages.
Definition 5
In Definition 5, notice that the dual of a formula only rename labels.
Lemma 2
For all \(T \in \mathcal {T}_{ c }\) and \(\phi \in \mathcal {F}_{ c }\), \(T \models \phi \iff \overline{T} \models \overline{\phi }\).
The proof is direct using the definitions of \(\overline{T}\) and \(\overline{\phi }\).
Theorem 2
For all \(T \in \mathcal {T}\, : \,\overline{\,{{{\varvec{F}}}}(T,\maltese )} = \,{{{\varvec{F}}}}(\overline{T},\overline{\maltese })\).
The proof of Theorem 2 is by structural induction on T, see appendix [31]. Theorem 3 follows straightforwardly from [10] and allows us to obtain a sound and complete modelchecking based condition for safety, cf. Theorem 4.
Theorem 3
(Safety). \(T {{\mathrm{\,  \,}}}U\) is safe \(\iff \) \((T {{\mathrm{\leqslant }}}\overline{U} \vee U {{\mathrm{\leqslant }}}\overline{T})\).
The proof for \((\Longrightarrow )\) follows from [10, Table 7], while the direction \((\Longleftarrow )\) is by coinduction on the derivations of \(T {{\mathrm{\leqslant }}}\overline{U}\) and \( U {{\mathrm{\leqslant }}}\overline{T}\). See [31] for details.
Theorem 4, below, is a consequence of Corollary 1 and Theorems 2 and 3.
Theorem 4
5 Alternative Algorithms for Subtyping
In order to compare the cost of checking the subtyping relation via characteristic formulae to other approaches, we present two other algorithms: the original algorithm as given by Gay and Hole in [21] and an adaptation of Kozen, Palsberg, and Schwartzbach’s algorithm [28] for recursive subtyping for the \(\lambda \)calculus.
5.1 Gay and Hole’s Algorithm
Theorem 5
(Correspondence [21, Corollary 2]). \(T {{\mathrm{\leqslant }}}U\) if and only if \(\varnothing \vdash T {{\mathrm{\leqslant }}}_{c}U\) is derivable from the rules in Fig. 2.
Proposition 2, a contribution of this paper, states the algorithm’s complexity.
Proposition 2
For all \(T, U \in \mathcal {T}_{ c }\), the problem of deciding whether or not \(\varnothing \vdash T {{\mathrm{\leqslant }}}_{c}U\) is derivable has an \(\mathcal {O}(n^{2^n})\) time complexity, in the worst case; where n is the number of nodes in the parsing tree of the T or U (whichever is bigger).
Proof
Assume the bigger session type is T and its size is n (the number of nodes in its parsing tree). Observe that the algorithm in Fig. 2 needs to visit every node of T and relies on explicit unfolding of recursive types. Given a type of size n, its unfolding is of size \(\mathcal {O}(n^2)\), in the worst case. Hence, we have a chain \(\mathcal {O}(n) + \mathcal {O}(n^2) + \mathcal {O}(n^4) + \ldots \), or \(\mathcal {O}(\sum _{1 \le i \le k} n^{2^i})\), where k is a bound on the number of derivations needed for the algorithm to terminate. According to [21, Lemma 10], the number of derivations is bounded by the number of subterms of T, which is \(\mathcal {O}(n)\). Thus, we obtain a worst case time complexity of \(\mathcal {O}(n^{2^n})\). \(\square \)
5.2 Kozen, Palsberg, and Schwartzbach’s Algorithm
Considering that the results of [28] “generalise to an arbitrary signature of type constructors (...)”, we adapt Kozen et al.’s algorithm, originally designed for subtyping recursive types in the \(\lambda \)calculus. Intuitively, the algorithm reduces the problem of subtyping to checking the language emptiness of an automaton given by the product of two (session) types. The intuition of the theory behind the algorithm is that “two types are ordered if no common path detects a counterexample”. We give the details of our instantiation below.
Definition 6

\(Q\) is a (finite) set of states,

\(q_0 \in Q\) is the initial state,

\(\delta : Q\times \mathcal {A}\rightarrow Q\) is a (partial) function (the transition function), and

\(\ell : Q\rightarrow \mathfrak {C}_\mathcal {A}\) is a (total) labelling function
We assume that session types have been “translated” to term automata, the transformation is straightforward (see, [16] for a similar transformation). Given a session type \(T \in \mathcal {T}_{ c }\), we write \(\mathcal {M}(T)\) for its corresponding term automaton.
Definition 7
Definition 7 essentially maps the rules of Definition 1 to type constructors. The order \(\sqsubseteq \) is used in the product automaton to identify final states, see below.
Definition 8

\(P= Q^{\mathcal {M}} \times Q^{\mathcal {N}}\) are the states of \(\mathcal {M} \blacktriangleleft \mathcal {N}\),

\(p_0 = (q_0^{\mathcal {M}}, q_0^{\mathcal {N}})\) is the initial state,
 \(\varDelta : P\times \mathcal {A}\rightarrow P\) is the partial function which for \(q_1 \in Q^{\mathcal {M}}\) and \(q_2 \in Q^{\mathcal {N}}\) gives$$ \varDelta ( ( q_1, q_2 ), {{{\mathrm{\dagger }}} a}) = ( \delta ^{\mathcal {M}}(q_1, {{{\mathrm{\dagger }}} a}) , \delta ^{\mathcal {N}}(q_2, {{{\mathrm{\dagger }}} a}) ) $$

\(F\subseteq P\) is the set of accepting states: Open image in new window
Note that \(\varDelta ( ( q_1, q_2 ), {{{\mathrm{\dagger }}} a})\) is defined iff \(\delta ^{\mathcal {M}}(q_1, {{{\mathrm{\dagger }}} a})\) and \(\delta ^{\mathcal {N}}(q_2, {{{\mathrm{\dagger }}} a})\) are defined. \(\diamond \)
Following [28], we obtain Theorem 6.
Theorem 6
Let \(T, U \in \mathcal {T}_{ c }\), \( T {{\mathrm{\leqslant }}}U\) iff the language of \(\mathcal {M}(T) \blacktriangleleft \mathcal {M}(U)\) is empty.
Theorem 6 essentially says that \(T {{\mathrm{\leqslant }}}U\) iff one cannot find a “common path” in T and U that leads to nodes whose labels are not related by \(\sqsubseteq \), i.e., one cannot find a counterexample for them not being in the subtyping relation.
Example 4
Below we show the constructions for \(T_1\) (1) and \(U_1\) (3).
Where initial states are shaded and accepting states are denoted by a double line. Note that the language of \(\mathcal {M}(T_1) \blacktriangleleft \mathcal {M}(U_1)\) is empty (no accepting states).
Proposition 3
For all \(T, U \in \mathcal {T}_{ c }\), the problem of deciding whether or not the language of \(\mathcal {M}(T) \blacktriangleleft \mathcal {M}(U)\) is empty has a worst case complexity of \(\mathcal {O}(T \times U )\); where \(T \) stands for the number of states in the term automaton \(\mathcal {M}(T)\).
Proof
Follows from the fact that the algorithm in [28] has a complexity of \(\mathcal {O}(n^2)\), see [28, Theorem 18]. This complexity result applies also to our instantiation, assuming that checking membership of \(\sqsubseteq \) is relatively inexpensive, i.e., \(A \ll Q^\mathcal {M}\) for each \(q\) such that Open image in new window . \(\square \)
6 Experimental Evaluation
Proposition 2 states that Gay and Hole’s classical algorithm has an exponential complexity; while the other approaches have a quadratic complexity (Propositions 1 and 3). The rest of this section presents several experiments that give a better perspective of the practical cost of these approaches.
6.1 Implementation Overview and Metrics
We have implemented three different approaches to checking whether two given session types are in the subtyping relation given in Definition 1. The tool [29], written in Haskell, consists of three main parts: (i) A module that translates session types to the mCRL2 specification language [23] and generates a characteristic formula (cf. Definition 2), respectively; (ii) A module implementing the algorithm of [21], which relies on the Haskell \(\mathtt {bound}\) library to make session types unfolding as efficient as possible. (iii) A module implementing our adaptation of Kozen et al.’s algorithm [28]. Additionally, we have developed an accessory tool which generates arbitrary session types using Haskell’s QuickCheck library [11].
The tool invokes the mCRL2 toolset [14] (release version 201409.1) to check the validity of a \(\mu \)calculus formula on a given model. We experimented invoking mCRL2 with several parameters and concluded that the default parameters gave us the best performance overall. Following discussions with mCRL2 developers, we observed that the addition of “dummy fixpoints” while generating the characteristic formulae gave us the best results overall. The tool is thus based on a slight modification of Definition 2 where a modal operator \([ {{{\mathrm{\dagger }}} a} ] \phi \) becomes \([ {{{\mathrm{\dagger }}} a} ] \nu \mathbf {\mathbf {t}} .\,\phi \) (with \(\mathbf {t}\) fresh and unused) and similarly for \(\langle {{{\mathrm{\dagger }}} a} \rangle \phi \). Note that this modification does not change the semantics of the generated formulae.
6.2 Benchmark Results
The first set of benchmarks compares the performances of the three approaches when the pair of types given are identical, i.e., we measure the time it takes for an algorithm to check whether \(T {{\mathrm{\leqslant }}}T\) holds. The second set of benchmarks considers types that are “unfolded”, so that types have different sizes. Note that checking whether two equal types are in the subtyping relation is one of the most costly cases of subtyping since every branch of a choice must be visited.
Our results below show the performances of four algorithms: (i) our Haskell implementation of Gay and Hole’s algorithm (GH), (ii) our implementation of Kozen, Palsberg, and Schwartzbach’s algorithm (KPS), (iii) an invocation to mCRL2 to check whether Open image in new window holds, and (iv) an invocation to mCRL2 to check whether Open image in new window holds.
All the benchmarks were conducted on a 3.40 GHz Intel i7 computer with 16 GB of RAM. Unless specified otherwise, the tests have been executed with a timeout set to 2 h (7200 s). A gap appears in the plots whenever an algorithm reached the timeout. Times (yaxis) are plotted on a logarithmic scale, the scale used for the size of types (xaxis) is specified below each plot.
Arbitrary Session Types. Plots (a) and (b) in Fig. 3 shows how the algorithms perform with randomly generated session types. Plot (a) shows clearly that the execution time of KPS, Open image in new window , and Open image in new window mostly depends on \( num (T)\); while plot (b) shows that GH is mostly affected by the number of messages in the unfolding of a type (\( unf (T)\)).
Unsurprisingly, GH performs better for smaller session types, but starts reaching the timeout when \( num (T) \approx 700\). The other three algorithms have roughly similar performances, with the model checking based ones performing slightly better for large session types. Note that both Open image in new window and Open image in new window have roughly the same execution time.
The exponential time complexity of GH appears clearly in both plots: GH starts reaching the timeout when \( num (T) = 80\) (\(k=8\)). However, the other three algorithms deal well with larger session types of this form. Interestingly, due to the nature of these session types (consisting of either only internal choices or only external choices), the two model checking based algorithms perform slightly differently. This is explained by Definition 2 where the formula generated with Open image in new window for an internal choice is larger than for an external choice, and viceversa for \(\,{{{\varvec{F}}}}(T,\oplus )\). Observe that, Open image in new window (resp. Open image in new window ) performs better than KPS for large session types in plot (d) (resp. plot (e)).
7 Related Work and Conclusions
Related Work. Subtyping for recursive types has been studied for many years. Amadio and Cardelli [5] introduced the first subtyping algorithm for recursive types for the \(\lambda \)calculus. Kozen et al. gave a quadratic subtyping algorithm in [28], which we have adapted for session types, cf. Sect. 5.2. A good introduction to the theory and history of the field is in [19]. Pierce and Sangiori [36] introduced subtyping for IO types in the \(\pi \)calculus, which later became a foundation for the algorithm of Gay and Hole who first introduced subtyping for session types in the \(\pi \)calculus in [21]. The paper [15] studied an abstract encoding between linear types and session types, with a focus on subtyping. Chen et al. [10] studied the notion of preciseness of subtyping relations for session types. The present work is the first to study the algorithmic aspect of the problem.
Characteristic formulae for finite processes were first studied in [22], then in [39] for finitestate processes. Since then the theory has been studied extensively [1, 2, 3, 12, 18, 34, 40] for most of the van Glabbeek’s spectrum [42] and in different settings (e.g., time [4] and probabilistic [37]). See [2, 3] for a detailed historical account of the field. This is the first time characteristic formulae are applied to the field of session types. A recent work [3] proposes a general framework to obtain characteristic formula constructions for simulationlike relation “for free”. We chose to follow [39] as it was a better fit for session types as they allow for a straightforward inductive construction of a characteristic formula.
Chaki et al. [9] propose a framework consisting of a behavioural typeandeffect system for the \(\pi \)calculus and an assumeguarantee principle that allows (LTL) properties of \(\pi \)calculus processes to be checked via a model checker.
Conclusions. In this paper, we gave a first connection between session types and model checking, through a characteristic formulae approach based on the \(\mu \)calculus. We gave three new algorithms for subtyping: two are based on model checking and one is an instantiation of an algorithm for the \(\lambda \)calculus [28]. All of which have a quadratic complexity in the worst case and behave well in practice.
Our approach can be easily: (i) adapted to types for the \(\lambda \)calculus (see appendix [31]) and (ii) extended to session types that carry other (closed) session types, e.g., see [10, 21], by simply applying the algorithm recursively on the carried types. For instance, to check Open image in new window one can check the subtyping for the outermost types, while building constraints, i.e., Open image in new window , to be checked later on, by reapplying the algorithm.
The present work paves the way for new connections between session types and modal fixpoint logic or model checking theories. It is a basis for upcoming connections between model checking and classical problems of session types, such as the asynchronous subtyping of [10] and multiparty compatibility checking [16, 30]. We are also considering applying model checking approaches to session types with probabilistic, logical [6], or time [7, 8] annotations. Finally, we remark that [10] also establishes that subtyping (cf. Definition 1) is sound (but not complete) wrt. the asynchronous semantics of session types, which models programs that communicate through FIFO buffers. Thus, our new conditions (items (b)(e) of Theorem 4) also imply safety (a) in the asynchronous setting.
Notes
Acknowledgements
We would like to thank Luca Aceto, Laura Bocchi, and Alceste Scalas for their invaluable comments on earlier versions of this work. This work is partially supported by EPSRC projects EP/K034413/1, EP/K011715/1, and EP/ L00058X/1; and by EU FP7 project under grant agreement 612985 (UPSCALE).
References
 1.Aceto, L., Ingólfsdóttir, A.: A characterization of finitary bisimulation. Inf. Process. Lett. 64(3), 127–134 (1997)MathSciNetCrossRefGoogle Scholar
 2.Aceto, L., Ingólfsdóttir, A.: Characteristic formulae: from automata to logic. Bull. EATCS 91, 58–75 (2007)MathSciNetzbMATHGoogle Scholar
 3.Aceto, L., Ingólfsdóttir, A., Levy, P.B., Sack, J.: Characteristic formulae for fixedpoint semantics: a general framework. Math. Struct. Comput. Sci. 22(2), 125–173 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 4.Aceto, L., Ingólfsdóttir, A., Pedersen, M.L., Poulsen, J.: Characteristic formulae for timed automata. ITA 34(6), 565–584 (2000)MathSciNetzbMATHGoogle Scholar
 5.Amadio, R.M., Cardelli, L.: Subtyping recursive types. ACM Trans. Program. Lang. Syst. 15(4), 575–631 (1993)CrossRefGoogle Scholar
 6.Bocchi, L., Honda, K., Tuosto, E., Yoshida, N.: A theory of designbycontract for distributed multiparty interactions. In: Gastin, P., Laroussinie, F. (eds.) CONCUR 2010. LNCS, vol. 6269, pp. 162–176. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 7.Bocchi, L., Lange, J., Yoshida, N.: Meeting deadlines together. In: CONCUR 2015, pp. 283–296 (2015)Google Scholar
 8.Bocchi, L., Yang, W., Yoshida, N.: Timed multiparty session types. In: Baldan, P., Gorla, D. (eds.) CONCUR 2014. LNCS, vol. 8704, pp. 419–434. Springer, Heidelberg (2014)Google Scholar
 9.Chaki, S., Rajamani, S.K., Rehof, J.: Types as models: model checking messagepassing programs. In: POPL 2002, pp. 45–57 (2002)Google Scholar
 10.Chen, T.C., DezaniCiancaglini, M., Yoshida, N.: On the preciseness of subtyping in session types. In: PPDP 2014, pp. 146–135. ACM Press (2014)Google Scholar
 11.Claessen, K., Hughes, J.: Quickcheck: a lightweight tool for random testing of Haskell programs. In: ICFP 2000, pp. 268–279 (2000)Google Scholar
 12.Cleaveland, R., Steffen, B.: Computing behavioural relations, logically. In: Leach Albert, J., Monien, B., RodríguezArtalejo, M. (eds.) ICALP 1991. LNCS, vol. 510, pp. 127–138. Springer, Heidelberg (1991)CrossRefGoogle Scholar
 13.Cognizant.: Zero Deviation Lifecycle. http://www.zdlc.co
 14.Cranen, S., Groote, J.F., Keiren, J.J.A., Stappers, F.P.M., de Vink, E.P., Wesselink, W., Willemse, T.A.C.: An overview of the mCRL2 toolset and its recent advances. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013 (ETAPS 2013). LNCS, vol. 7795, pp. 199–213. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 15.Demangeon, R., Honda, K.: Full abstraction in a subtyped picalculus with linear types. In: Katoen, J.P., König, B. (eds.) CONCUR 2011. LNCS, vol. 6901, pp. 280–296. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 16.Deniélou, P.M., Yoshida, N.: Multiparty compatibility in communicating automata: characterisation and synthesis of global session types. In: Kwiatkowska, M., Peleg, D., Fomin, F.V., Freivalds, R. (eds.) ICALP 2013, Part II. LNCS, vol. 7966, pp. 174–186. Springer, Heidelberg (2013)Google Scholar
 17.Diatchki, I.S.: Improving Haskell types with SMT. In: Haskell 2015, pp. 1–10. ACM (2015)Google Scholar
 18.Fecher, H., Steffen, M.: Characteristic mucalculus formulas for underspecified transition systems. Electr. Notes Theor. Comput. Sci. 128(2), 103–116 (2005)CrossRefzbMATHGoogle Scholar
 19.Gapeyev, V., Levin, M.Y., Pierce, B.C.: Recursive subtyping revealed. J. Funct. Program. 12(6), 511–548 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
 20.Gay, S.J., Hole, M.: Types and subtypes for clientserver interactions. In: Swierstra, S.D. (ed.) ESOP 1999. LNCS, vol. 1576, pp. 74–90. Springer, Heidelberg (1999)CrossRefGoogle Scholar
 21.Gay, S.J., Hole, M.: Subtyping for session types in the pi calculus. Acta Inf. 42(2–3), 191–225 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
 22.Graf, S., Sifakis, J.: A modal characterization of observational congruence on finite terms of CCS. Inf. Control 68(1–3), 125–145 (1986)MathSciNetCrossRefzbMATHGoogle Scholar
 23.Groote, J.F., Mousavi, M.R.: Modeling and Analysis of Communicating Systems. MIT Press, Cambridge (2014)zbMATHGoogle Scholar
 24.Gundry, A.: A typechecker plugin for units of measure: domainspecific constraint solving in GHC Haskell. In: Haskell 2015, pp. 11–22. ACM (2015)Google Scholar
 25.Honda, K., Vasconcelos, V.T., Kubo, M.: Language primitives and type discipline for structured communicationbased programming. In: Hankin, C. (ed.) ESOP 1998. LNCS, vol. 1381, pp. 122–138. Springer, Heidelberg (1998)CrossRefGoogle Scholar
 26.Hüttel, H., Lanese, I., Vasconcelos, V.T., Caires, L., Carbone, M., Deniélou, P.M., Mostrous, D., Padovani, L., Ravara, A., Tuosto, E., et al. Foundations of behavioural types. Report of the EU COST Action IC1201 (BETTY) (2014). www.behaviouraltypes.eu/publications/WG1StateoftheArt.pdf
 27.Results on the propositional mucalculus: D. Kozen. Theor. Comput. Sci. 27, 333–354 (1983)CrossRefGoogle Scholar
 28.Kozen, D., Palsberg, J., Schwartzbach, M.I.: Efficient recursive subtyping. Math. Struct. Comput. Sci. 5(1), 113–125 (1995)MathSciNetCrossRefzbMATHGoogle Scholar
 29.Lange, J.: Tool and benchmark data (2015). http://bitbucket.org/julienlange/modelcheckingsessiontypesubtyping
 30.Lange, J., Tuosto, E., Yoshida, N.: From communicating machines to graphical choreographies. In: POPL 2015, pp. 221–232 (2015)Google Scholar
 31.Lange, J., Yoshida, N.: Extended version of this paper. CoRR, abs/1510.06879 (2015)Google Scholar
 32.Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Clarke, E.M., Voronkov, A. (eds.) LPAR16 2010. LNCS, vol. 6355, pp. 348–370. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 33.Leino, K.R.M., Yessenov, K.: Stepwise refinement of heapmanipulating code in Chalice. Formal Asp. Comput. 24(4–6), 519–535 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 34.MüllerOlm, M.: Derivation of characteristic formulae. Electr. Notes Theor. Comput. Sci. 18, 159–170 (1998)MathSciNetCrossRefGoogle Scholar
 35.Pierce, B.C.: Types and Programming Languages. MIT Press, Cambridge (2002)zbMATHGoogle Scholar
 36.Pierce, B.C., Sangiorgi, D.: Typing and subtyping for mobile processes. Math. Struct. Comput. Sci. 6(5), 409–453 (1996)MathSciNetzbMATHGoogle Scholar
 37.Sack, J., Zhang, L.: A general framework for probabilistic characterizing formulae. In: Kuncak, V., Rybalchenko, A. (eds.) VMCAI 2012. LNCS, vol. 7148, pp. 396–411. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 38.Scribble Project homepage. www.scribble.org
 39.Steffen, B.: Characteristic formulae. In: Ronchi Della Rocca, S., Ausiello, G., DezaniCiancaglini, M. (eds.) ICALP 1989. LNCS, vol. 372, pp. 723–732. Springer, Heidelberg (1989)CrossRefGoogle Scholar
 40.Steffen, B., Ingólfsdóttir, A.: Characteristic formulae for processes with divergence. Inf. Comput. 110(1), 149–163 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
 41.Takeuchi, K., Honda, K., Kubo, M.: An interactionbased language and its typing system. In: Halatsis, C., Philokyprou, G., Maritsas, D., Theodoridis, S. (eds.) PARLE 1994. LNCS, vol. 817. Springer, Heidelberg (1994)Google Scholar
 42.van Glabbeek, R.J.: The linear time  branching time spectrum (extended abstract). In: Baeten, J.C.M., Klop, J.W. (eds.) CONCUR 1990. LNCS, vol. 458, pp. 278–297. Springer, Heidelberg (1990)Google Scholar
 43.Yoshida, N., Hu, R., Neykova, R., Ng, N.: The scribble protocol language. In: Abadi, M., Lluch Lafuente, A. (eds.) TGC 2013. LNCS, vol. 8358, pp. 22–41. Springer, Heidelberg (2014)CrossRefGoogle Scholar