Abstract
Asynchronous session subtyping has been studied extensively in [9, 10, 28,29,30,31] and applied in [23, 32, 33, 35]. An open question was whether this subtyping relation is decidable. This paper settles the question in the negative. To prove this result, we first introduce a new subclass of twoparty communicating finitestate machines (CFSMs), called asynchronous duplex (ADs), which we show to be Turing complete. Secondly, we give a compatibility relation over CFSMs, which is sound and complete wrt. safety for ADs, and is equivalent to the asynchronous subtyping. Then we show that the halting problem reduces to checking whether two CFSMs are in the relation. In addition, we show the compatibility relation to be decidable for three subclasses of ADs.
See [27] for a full version of this paper (with proofs and additional examples).
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
Session types [22, 24, 34] specify the expected interaction patterns of concurrent systems and can be used to automatically determine whether communicating processes interact correctly with other processes. A crucial theory in session types is subtyping which makes the typing discipline more flexible and therefore easier to integrate in real programming languages and systems [1]. The first subtyping relations for session types targeted synchronous communications [6, 7, 18, 19], by allowing subtypes to make fewer selections and offer more branches. More recent relations treat asynchronous (buffered) communications [9, 10, 12, 13, 16, 28,29,30,31]. They include synchronous subtyping and additionally allow an optimisation by message permutations where outputs can be performed in advance without affecting correctness with respect to the delayed inputs (there are two buffers per session). Only the relative order of outputs (resp. inputs) needs to be preserved to avoid communication mismatches. The asynchronous subtyping is important in parallel and distributed sessionbased implementations [23, 32, 33, 35], as it reduces message synchronisations without safety violation.
Theoretically, the asynchronous subtyping has been shown to be precise, in the sense that: (i) if T is a subtype of U, then a process of type T may be used whenever a process of type U is required and (ii) if T is not a subtype of U, then there is a system, requiring a process of type U, for which using a process of type T leads to an error (e.g., deadlock). The subtyping is also denotationally precise taking the standard interpretation of type T as the set of processes typed by T [9, 16].
An open question in [9, 10, 28,29,30,31] was whether the asynchronous subtyping relation is decidable, i.e., is there an algorithm to decide whether two types are in the relation. The answer to that question was thought to be positive, see [10, Sect. 7] and Sect. 6.
Asynchronous Subtyping, Informally. In this work, we consider session types in the form of CFSMs [4], along the lines of [3, 14, 15, 25]. This enables us to characterise the asynchronous subtyping in CFSMs and reduce the undecidability problem to the Turing completeness of CFSMs. Consider a system of CFSMs consisting of machines \(M_s\) (server) and \(M_c\) (client) in Fig. 1, which communicate via two unbounded queues, one in each direction. A transition \(! a \) represents the (asynchronous) emission of a message a, while \(? a \) represents the receptions of a message a from a buffer. For instance, the transition labelled by \(! req \) in \(M_c\) says that the client sends a request to the server \(M_s\), later the server can consume this message from its buffer by firing the transition labelled by \(? req \). We say that the system \((M_s, M_c)\), i.e., the parallel composition of \(M_s\) and \(M_c\), is safe if (i) the pair never reaches a deadlock and (ii) whenever a message is sent by one party, it will eventually be received by the other.
The key property of session subtyping is that, e.g., if the system \((M_s, M'_c)\) is safe and \(M_c\) is a subtype of \(M'_c\), the system \((M_s, {M}_c)\) is also safe. We write \({{\mathrm{\leqslant _{\mathsf {a}}}}}\) for the asynchronous subtyping relation, which intuitively requires that, if, e.g., \(M_c {{\mathrm{\leqslant _{\mathsf {a}}}}}M'_c\), then \(M_c\) is ready to receive no fewer messages than \(M'_c\) and it may not send more messages than \(M'_c\). For instance, \(M_c\) can receive all the messages that \(M'_c\) can handle, plus the message \( err \). Observe that \(M_c\) is an optimised version of \(M'_c\) wrt. asynchrony: the output action \(! data \) is performed in advance of the branching. Thus in the system \((M_s, M_c)\), when both machines are in state 2 (respectively), both queues contain messages. Instead, in the system \((M_s, M'_c)\), it is never the case that both queues are nonempty. Note that anticipating the sending of \( data \) in \(M_c\) does not affect safety as it is sent in both branches of \(M'_c\).
Our Approach. Using CFSMs, we give the first automata characterisation of asynchronous subtyping and the first proof of its undecidability. To do this, we introduce a new subclass of CFSMs, called asynchronous duplex (AD) which let us study directly the relationship between safety and asynchronous subtyping in CFSMs. Our development consists of the following steps:

Step 1. In Sect. 2, we define a new subclass of (twoparty) CFSMs, called asynchronous duplex (AD), which strictly includes halfduplex (HD) systems [8].

Step 2. In Sect. 3, we introduce a compatibility relation (\( {{\mathrm{\asymp }}}\)) for CFSMs which is sound and complete wrt. safety in AD CFSMs, i.e., an AD system has no deadlocks nor orphan messages if and only if its machines are \( {{\mathrm{\asymp }}}\)related.

Step 3. Adapting the result of [17], we show in Sect. 4 that AD systems are Turing complete, hence membership of \( {{\mathrm{\asymp }}}\) is generally undecidable.

Step 4. In Sect. 5, we show that the \( {{\mathrm{\asymp }}}\)relation for CFSMs is equivalent to the asynchronous subtyping for session types, thus establishing that the latter is also undecidable.
Throughout the paper, we also show that our approach naturally encompasses the correspondence between synchronous subtyping and safety in HD systems.
In Sect. 4.1, we show that the \( {{\mathrm{\asymp }}}\)relation is decidable for three subclasses of CFSMs (HD, alternating [21], and nonbranching) which are useful to specify realworld protocols. In Sect. 6, we discuss related works and conclude.
2 A New Class of CFSMs: Asynchronous Duplex Systems
This section develops Step 1 by defining a new subclass of CFSMs, called asynchronous duplex, which characterises machines that can only simultaneously write on their respective channels if they can only do so for finitely many consecutive send actions before executing a receive action. In Sect. 2.1, we recall definitions about CFSMs, then we give the definition of safety. In Sect. 2.2, we introduce the subclass of AD systems and give a few examples of such systems.
2.1 CFSMs and Their Properties
Let \(\mathbb {A}\) be a (finite) alphabet, ranged over by a, b, etc. We let \(\omega \), \(\pi \), and \(\varphi \) range over words in \(\mathbb {A}^{*}\) and write \(\cdot \) for the concatenation operator. The set of actions is \( Act = \{!,?\} \times \mathbb {A}\), ranged over by \(\ell \), \(! a \) represents the emission of a message \( a \), while \(? a \) represents the reception of \( a \). We let \(\psi \) range over \( Act ^{*}\) and define \( dir (! a ) \overset{{\text {def}}}{=}\, !\) and \( dir (? a ) \overset{{\text {def}}}{=}\, ?\).
Since our ultimate goal is to relate CFSMs and session types, we only consider deterministic communicating finitestate machines, without mixed states (i.e., states that can fire both send and receive actions) as in [14, 15].
Definition 2.1
(Communicating machine). A (communicating) machine M is a tuple \((Q, q_0, \delta )\) where \(Q\) is the (finite) set of states, \(q_0 \in Q\) is the initial state, and \(\delta \in Q\times Act \times Q\) is the transition relation such that \(\forall q, q' , q'' \in Q\, : \,\forall \ell , \ell ' \in Act \, : \,\) (1) \( (q, \ell , q'), (q, \ell ', q'') \in \delta \implies dir (\ell ) = dir (\ell ')\), and (2) \( (q, \ell , q') , (q, \ell , q'') \in \delta \implies q' = q'' \).
We write for \((q, \ell , q') \in \delta \), omit the label \(\ell \) when unnecessary, and write for the reflexive transitive closure of .
Given \(M = (Q, q_0, \delta )\), we say that \(q\in Q\) is final, written \(q\nrightarrow \), iff \(\forall q' \in Q\, : \,\forall \ell \in Act \, : \,(q, \ell , q') \notin \delta \). A state \(q\in Q\) is sending (resp. receiving) iff \(q\) is not final and \(\forall q' \in Q\, : \,\forall \ell \in Act \, : \,(q, \ell , q') \in \delta \, : \, dir (\ell ) = \, !\) (resp. \( dir (\ell ) = \, ?\)). The dual of M, written \(\overline{M}\), is M where each sending transition \((q, ! a , q') \in \delta \) is replaced by \((q, ? a , q')\), and viceversa for receive transitions, e.g., \(\overline{M}_s = M'_c\) in Fig. 1.
We write iff there are \(q_1, \ldots , q_{k1} \in Q\) such that for \(1 \le i \le k\). Given a list of messages \(\omega = a _1 \cdots a _k\) (\(k \ge 0\)), we write \(?\omega \) for the list \(? a _1 \cdots ? a _k\) and \(!\omega \) for \(! a _1 \cdots ! a _k\). We write iff and iff (note that \(\omega \) may be empty, in which case \(q= q'\)).
Definition 2.2
(System). A system \(S = (M_1, M_2)\) is a pair of machines \(M_i = (Q_i, q_{0_i}, \delta _i)\) with \(i \in \{1,2\}\).
Hereafter, we fix \(S = (M_1, M_2)\) and assume \(M_i = (Q_i, q_{0_i}, \delta _i)\) for \(i \in \{1,2\}\) such that \(Q_1 \cap Q_2 = \varnothing \). Hence, for \(q, q' \in Q_i\), we can write to refer unambiguously to \(\delta _i\).
We let \(\lambda \) range over the set and \(\phi \) range over (possibly empty) sequences of \(\lambda _1 \cdots \lambda _k\).
Definition 2.3
(Reachable configuration). A configuration of S is a tuple \(s = (q_1, \omega _1, q_2, \omega _2)\) such that \(q_i \in Q_i\), and \(\omega _i \in \mathbb {A}^{*}\). A configuration \(s' = (q'_1, \omega '_1, q'_2, \omega '_2)\) is reachable from \(s = (q_1, \omega _1, q_2, \omega _2)\), written , iff

1.
, \(\omega '_i = \omega _i \cdot a \), \(q_j = q'_j\), and \(\omega _j = \omega '_j\), , for \(i \ne j \in \{1,2\}\), or

2.
, \(\omega _j = a \cdot \omega '_j \), \(q_j = q'_j\), and \(\omega _i = \omega '_i\), , for \(i \ne j \in \{1,2\}\).
We write when the label is irrelevant and for the reflexive and transitive closure of .
In Definition 2.3, (1) says that machine \(M_i\) puts a message on queue i, to be received by machine \(M_j\), while (2) says that machine \(M_i\) consumes a message from queue j, which was sent by \(M_j\).
Given a system S, we write \(s_0\) for its initial configuration \((q_{0_1}, \epsilon , q_{0_2}, \epsilon )\) and let .
Definition 2.4
(Safety). A configuration \(s = (q_1, \omega _1, q_2, \omega _2)\) is a deadlock iff \(\omega _1 = \omega _2 = \epsilon \), \(q_i\) is a receiving state, and \(q_j\) is either receiving or final for \(i \ne j \in \{1,2\}\). System S satisfies eventual reception iff .
S is safe iff (i) for all \(s \in RS (S)\), s is not a deadlock, and (ii) S satisfies eventual reception (i.e., every sent message is eventually received).
Lemma 2.1 below shows that safety implies progress and that a configuration with at least one empty buffer is always reachable.
Lemma 2.1
If S is safe, then for all \(s = (q_1, \omega _1, q_2, \omega _2) \in RS (S)\)

1.
Either (i) \(q_1\) and \(q_2\) are final and \(\omega _1 = \omega _2 = \epsilon \), or (ii) .

2.
.
2.2 Asynchronous Duplex Systems
We define asynchronous duplex systems, a subclass of twoparty CFSMs. Below we introduce a predicate which guarantees that when a machine is in a given state, it cannot send infinitely many messages without executing receive actions periodically. This predicate mirrors one of the premises of the defining rules of the asynchronous subtyping (\({{\mathrm{\leqslant _{\mathsf {a}}}}}\)), cf. Lemma 5.1. Given \(M = (Q, q_0, \delta )\) and \(q\in Q\), we define \(\mathtt {fin}(q) \iff \mathtt {fin}(q,\varnothing )\), where
Definition 2.5
(Asynchronous duplex). A system \(S = (M_1, M_2)\) is Asynchronous Duplex (AD) if for each \( s = (q_1, \omega _1, q_2, \omega _2) \in RS (S) \, : \,\omega _1 \ne \epsilon \wedge \omega _2 \ne \epsilon \implies \mathtt {fin}(q_1) \wedge \mathtt {fin}(q_2) \).
AD systems are a strict extension of halfduplex systems [8]: S is halfduplex (HD) if for all \((q_1, \omega _1, q_2, \omega _2) \in RS (S) \, : \,\omega _1 = \epsilon \vee \omega _2 = \epsilon \). AD requires that for any reachable configuration either (i) at most one channel is nonempty (i.e., it is a halfduplex configuration) or (ii) each machine is in a state where the predicate \(\mathtt {fin}(\_)\) holds, i.e., each machine will reach a receiving state after firing finitely many send actions. The AD restriction is reasonable for realword systems. It intuitively amounts to say that if two parties are simultaneously sending data to each other, they should both ensure that they will periodically check what the other party has been sending.
Example 2.1
Consider the machines in Fig. 2. The system \((M_1, M_2)\) is AD: \(\mathtt {fin}(\_)\) holds for each state in \(M_1\) and \(M_2\). The system \((\hat{M}_1, \hat{M}_2)\) is not AD. For instance, the configuration \((0, a , 0, c )\) is reachable but we have \(\lnot \mathtt {fin}(0)\) for both initial states of \(\hat{M}_1\) and \(\hat{M}_2\). Observe that both systems are safe, cf. Definition 2.4.
3 A Compatibility Relation for CFSMs
This section develops Step 2: we introduce a binary relation \( {{\mathrm{\asymp }}}\) on CFSMs which is sound and complete wrt. safety (cf. Definition 2.4) for AD systems. That is \( M_1 {{\mathrm{\asymp }}}M_2\) holds if and only if \((M_1, M_2\)) is a safe asynchronous duplex system.
Definition 3.1
(Compatibility). Let \(M_i = (Q_i, q_{0_i}, \delta _i)\) for \(i \in \{1,2\}\) such that \(Q_1 \cap Q_2 = \varnothing \), and let \(p\in Q_1\), \(q\in Q_2\), and \(\pi \in \mathbb {A}^{*}\).
The compatibility relation is defined as follows: \( \pi {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}_{0} {q}\) always holds, and if \(k \ge 0\), then \(\pi {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}_{k+1} {q}\) holds iff

1.
if \(p\nrightarrow \) then \(\pi = \epsilon \) and \(q\nrightarrow \)

2.
if then

(a)
if \(\pi = \epsilon \) then, and ,

(b)
if \(\pi = b \cdot \pi '\) then,

(a)

3.
if then either

(a)
\(\pi = \epsilon \) and , or

(b)
\(\mathtt {fin}(p)\), \(\mathtt {fin}(q)\), and , there exist \(\pi '' \in \mathbb {A}^{*}\) and \(q'' \in Q_2 \) such that and \( \pi \cdot \pi ' \cdot \pi '' {{\mathrm{\blacktriangleright }}}p' {{\mathrm{\asymp }}}_{k} {q''}\)

(a)
Define \(\pi {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}{q} \overset{{\text {def}}}{=}\forall k \in \mathbb {N}\, : \,\pi {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}_{k} {q}\) and \( M_1 {{\mathrm{\asymp }}}M_2 \overset{{\text {def}}}{=}\epsilon {{\mathrm{\blacktriangleright }}}q_{0_1} {{\mathrm{\asymp }}}q_{0_2}\).
The relation \( M_1 {{\mathrm{\asymp }}}M_2\) checks that the two machines are compatible by executing \(M_1\) while recording what \(M_2\) asynchronously sends to \(M_1\) in the \(\pi \) message list. The definition first differentiates the type of state \(p\):

Final. Case (1) says that if \(M_1\) is in a final state, then \(M_2\) must also be in a final state and \(\pi \) must be empty (i.e., \(M_1\) has emptied its input buffer).

Receiving. Case (2) says that if \(M_1\) is in a receiving state, then either \(\pi \) is empty and \(M_1\) must be ready to receive any message sent by \(M_2\), cf. case (2a); otherwise, case (2b) must apply: \(M_1\) must consume the head of the message list \(\pi \), this models the FIFO consumption of messages sent by \(M_2\).

Sending. Case (3) says that if \(M_1\) is ready to send \( a \), then either \(M_2\) must be able to receive \( a \) directly, cf. case (3a). Otherwise, \(\mathtt {fin}(p)\) and \(\mathtt {fin}(q)\) must hold so that case (3b) applies. \(M_2\) may delay the reception of \( a \) by sending messages (which are recorded in \(\pi ' \cdot \pi ''\)). Whichever sending path \(M_2\) chooses, it must always eventually receive \( a \).
We write \( {{\mathrm{\asymp }}}_{s} \) for the synchronous compatibility relation, i.e., Definition 3.1 without cases (2b) and (3b).
Example 3.1
(1) Recall the machines from Fig. 1, we have \( M_s {{\mathrm{\asymp }}}M_c\), in particular: \(\epsilon {{\mathrm{\blacktriangleright }}}0 {{\mathrm{\asymp }}}{0}\) and \( data {{\mathrm{\blacktriangleright }}}2 {{\mathrm{\asymp }}}{0}\). The latter relation represents the fact that \(M_c\) and \(M_s\) have exchanged the messages \( req \) and \( ko \), but \(M_s\) has yet to process the reception of \( data \). Observe that we also have \( M'_s {{\mathrm{\asymp }}}M'_c\) and \( M'_s {{\mathrm{\asymp }}}_{s} M'_c\).
(2) Consider the systems in Fig. 2. We have \( M_1 {{\mathrm{\asymp }}}M_2\) and \( \hat{M}_1 {{\mathrm{\not \asymp }}}\hat{M}_2\). The latter does not hold since both initial states are sending states, but the predicate \(\mathtt {fin}(\_)\) does not hold for either state, e.g., we have \(\lnot \mathtt {fin}(0,\{0\})\) in \(\hat{M}_1\).
Soundness of \( {{\mathrm{\asymp }}}\) . We show the soundness of the \( {{\mathrm{\asymp }}}\)relation wrt. safety. More precisely we show that if \( M_1 {{\mathrm{\asymp }}}M_2\) holds, then the system \((M_1, {M_2})\) is a safe AD system. We first give two auxiliary definitions which are convenient to relate safety with the definition of \( {{\mathrm{\asymp }}}\). Fixing \(M = (Q,q_0, \delta )\), the predicate \( A (q,\omega )\) asserts when a list of messages \(\omega \) is “accepted” from a state \(q\in Q\), which implies eventual reception of the messages in \(\omega \). The function \( W (q,\omega )\) is used to connect a configuration to a triple in the \( {{\mathrm{\asymp }}}\)relation.
Definition 3.2
Let \(q\in Q\) and \(\omega \in \mathbb {A}^{*}\), we define
Given \(q\in Q\) and \(\omega \in \mathbb {A}^{*}\), the predicate \( A (q,\omega )\) is true iff the list of messages \(\omega \) can always be consumed entirely from state \(q\), for all paths reachable from \(q\) by send actions. Note the similarity with case (3b) of Definition 3.1.
Definition 3.3
Let \(q\in Q\) and \(\omega \in \mathbb {A}^{*}\), \( W (q,\omega ) \subseteq \mathbb {A}^{*}\times Q\) is the set such that
Each pair \((\pi , \hat{q})\) in \( W (q,\omega )\) represents a state \(\hat{q}\in Q\) reachable directly after having consumed the list of messages \(\omega \), while \(\pi \) is the list of messages that are sent along a path between \(q\) and \(\hat{q}\). For example, consider \(M_c\) from Fig. 1. We have \( A (0, ko \cdot ko \cdot { err })\) and \( W (0, ko \cdot ko \cdot { err }) = \{ ( req \cdot data \cdot req \cdot data , 3)\} \); instead, \( \lnot A (0, ok \cdot ko )\) and \(\lnot A (4, ko )\).
Lemma 3.1
Let \(M = (Q, q_0, \delta )\), \(q\in Q\) and \(\omega \in \mathbb {A}^{*}\). If \( A (q,\omega )\) and \( \forall ( \varphi , q') \in W (q,\omega ) \, : \, A (q', a ) \) then \( A (q,\omega \cdot a ) \).
Lemma 3.1, shown by induction on the size of \(\omega \), is useful in the proof of the main soundness lemma below.
Lemma 3.2
Let \(S = (M_1, {M_2})\). If \( M_1 {{\mathrm{\asymp }}}M_2\), then for all \(s = (p, \omega _1, {q}, \omega _2) \in RS (S)\) the following holds: (1) s is not a deadlock, \( \mathrm { (2) }\, A ({q},\omega _1), \) \( \mathrm { (3) } \, \forall (\varphi , {q'}) \in W ({q},\omega _1) \, : \, \omega _2 \cdot {\varphi } {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}{q'}, \) and \( \mathrm { (4) } \, A (p,\omega _2) \).
Lemma 3.2 states that for any configuration s: (1) s is not a deadlock; (2) \(M_2\) can consume the list \(\omega _1\) from state \(q\); (3) for each state \(q'\), reached after consuming \(\omega _1\), the relation \( \omega _2 \cdot {\varphi } {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}{q'}\) holds, where \(\varphi \) contains the messages that \(M_2\) sent while consuming \(\omega _1\); and (4) \(M_1\) can consume the list \(\omega _2\) from state \(p\). The proof of Lemma 3.2 is by induction on the length of an execution from \(s_0\) to s, then by case analysis on the last action fired to reach s. Lemma 3.1 is used for the case , i.e., to show that \( A ({q},\omega _1\cdot a )\) holds.
Lemma 3.3
Let \(S = (M_1, M_2)\). If for all \(s = (q_1 , \omega _1 , q_2, \omega _2) \in RS (S) \, : \, A (q_1,\omega _1)\) and \( A (q_2,\omega _2) \), then S satisfies eventual reception.
Lemma 3.3 simply shows a correspondence between eventual reception and Definition 3.2. The proof essentially shows that if \( A (q_i,\omega _j)\) holds, then we can always reach a configuration where the list \(\omega _j\) has been entirely consumed.
Finally, we state our final soundness results. Theorem 3.1 is a consequence of Lemmas 2.1, 3.2, 3.3, and 3.4. Theorem 3.2 essentially follows from Theorem 3.1 and the fact that \( {{\mathrm{\asymp }}}_{s} \subseteq {{\mathrm{\asymp }}}\).
Theorem 3.1
If \( M_1 {{\mathrm{\asymp }}}M_2\), then \((M_1, {M_2})\) is a safe AD system.
Theorem 3.2
If \( M_1 {{\mathrm{\asymp }}}_{s} M_2\), then \((M_1, {M_2})\) is a safe HD system.
Completeness of \( {{\mathrm{\asymp }}}\) . Our completeness result shows that for any safe asynchronous duplex system \(S = (M_1,M_2)\), \( M_1 {{\mathrm{\asymp }}}M_2\) holds. Below we show that any reachable configuration of S whose first queue is empty can be mapped to a triple that is in the relation of Definition 3.1.
Lemma 3.4
Let S be safe and AD, then \(\forall (p, \epsilon , q, \omega ) \in RS (S) \, : \,\omega {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}{{q}} \).
The proof of Lemma 3.4 is by induction on the k ^{th} approximation of \( {{\mathrm{\asymp }}}\), i.e., assuming that \(\omega {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}_{k} {{q}}\) holds, we show that \(\omega {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}_{k+1} {{q}}\) holds. The proof is a rather straightforward case analysis on the type of \(p\) and whether or not \(\omega = \epsilon \).
Theorem 3.3
If \((M_1, {M_2})\) is a safe AD system, then \( M_1 {{\mathrm{\asymp }}}M_2\).
Proof
Take \( (q_{0_1}, \epsilon , q_{0_2}, \epsilon ) \in RS (S)\), \(\epsilon {{\mathrm{\blacktriangleright }}}q_{0_1} {{\mathrm{\asymp }}}{q_{0_2}}\) holds by Lemma 3.4. \(\square \)
Following a similar (but simpler) argument, we have Theorem 3.4 below.
Theorem 3.4
If \((M_1, {M_2})\) is a safe HD system, then \( M_1 {{\mathrm{\asymp }}}_{s} M_2\).
Theorem 3.5
If \( M_1 {{\mathrm{\asymp }}}M_2\) (resp. \( M_1 {{\mathrm{\asymp }}}_{s} M_2\)), then \( M_2 {{\mathrm{\asymp }}}M_1\) (resp. \( M_2 {{\mathrm{\asymp }}}_{s} M_1\)).
Proof
We show the \( {{\mathrm{\asymp }}}\) part. By Theorem 3.1, \((M_1, {M_2})\) is safe, hence by definition of safety, \((M_2, {M_1})\) is also safe. Thus by Theorem 3.3, we have \( M_2 {{\mathrm{\asymp }}}M_1\). \(\square \)
4 Undecidability of the \( {{\mathrm{\asymp }}}\)relation
This section addresses Step 3: we show that the problem of checking \( M_1 {{\mathrm{\asymp }}}M_2\) is undecidable. We show that AD systems are Turing complete, then show that the halting problem reduces to deciding whether or not a system is safe.
Preliminaries. We adapt the relevant part of the proof of Finkel and McKenzie [17] to demonstrate that the problem of deciding whether two machines are \( {{\mathrm{\asymp }}}\)related is undecidable. For this we need to show that there is indeed a Turing machine encoding that is an AD system.
Definition 4.1
(Turing machine [17]). A Turing machine (T.M.) is a tuple \( TM = (V, \mathbb {A}, \varGamma , t_0, {\texttt {B} }, \gamma )\) where \(V\) is the set of states, \(\mathbb {A}\) is the input alphabet, \(\varGamma \) is the tape alphabet, \(t_0 \in V\) is the initial state, B is the blank symbol, and \(\gamma : V\times \varGamma \rightarrow V\times \varGamma \times \{ left , right \}\) is the (partial) transition function.
Assume \( TM \) accepts an input \(\omega \in \mathbb {A}^{*}\) iff \( TM \) halts on \(\omega \), and if \( TM \) does not halt on \(\omega \), then \( TM \) eventually moves its tape head arbitrarily far to the right.
Definition 4.2
(Configuration of a T.M. [17]). A configuration of the Turing machine \( TM \) is a word \(\omega _1 t\omega _2 \#\) with \(\omega _1 \omega _2 \in \mathbb {A}^{*}\), \(t\in V\), and \(\#\notin \varGamma \).
The word \(\omega _1 t\omega _2 \#\) represents \( TM \) in state \(t\in V\) with the tape content set to \(\omega _1 \omega _2\) and the rest blank, and \( TM \)’s head positioned under the first symbol to the right of \(\omega _1\). Symbol \(\#\) is a symbol used to mark the end of the tape.
T.M. Encoding. We present an AD system which encodes a Turing machine \( TM = (V, \mathbb {A}, \varGamma , t_0, \texttt {B} , \gamma )\) with initial tape \(\omega \) into a system of two CFSMs as in [17].
We explain the T.M. encoding. The two channels represent the tape of the Turing machine, with a marker \(\#\) separating the two ends of the tape. Each machine represents the control of the Turing machine as well as a transmitter from a channel to another. The head is represented by writing the current control state \(t\in V\) on the channel. Whenever a machine receives a message that is \(t\in V\), then it proceeds with one execution step of the Turing machine. Any other symbol is simply consumed from one channel and sent on the other. The only difference wrt. [17] is that we construct machines which are deterministic and which do not contain mixed states, cf. Definition 2.1. We also do not require the machines to be identical hence we encode the initial tape content as a sequence of transitions in the first machine. These slight modifications do not affect the rest of Finkel and McKenzie’s proof in [17]. The system consists of two CFSMs \(A_i = (Q_i, q_{0_i}, \delta _i)\), \(i \in \{1,2\}\) over the alphabet \(\mathbb {A}\cup \{\#\}\). The definitions of \(\delta _i\) are given below, the sets \(Q_i\) are induced by \(\delta _i\). The transition relation \(\delta _1\) consists in a sequence of transitions from the initial state \(q_{0_1}\) to a central state \(q\) and a number of elementary cycles around state \(q\), cf. Fig. 3; while \(\delta _2\) is like \(\delta _1\) without the initial sequence of transitions and \(q= q_{0_2}\). The initial sequence of transitions in \(\delta _1\) is of the form:
Both \(\delta _1\) and \(\delta _2\) contain six types of elementary cycles given in Fig. 3. For each type of cycle, we illustrate the behaviour of the system from the point view of machine \(A_2\) by giving the type of configuration this cycle applies to as well the configuration obtained after \(A_2\) has finished executing the cycle.
When computing each \(\delta _i\) and \(Q_i\) from the description above, we assume that each “anonymous” state maintain its own identity, while “named” states, i.e., \(q\), \(r_t\), \(r_x\) and \(r^t_x\) from Fig. 3, are to be identified and redundant transitions to be removed. This ensures that each machine so obtained is deterministic. Besides this determinisation, the only changes from [17] concerns the copying cycles. (1) Each copying cycle is expanded to receive (then send) two symbols so to ensure the absence of mixed states once merged with left head motion cycles. (2) We add a cycle which only reemits \(\#\) symbols (to make up for absence of it in the first reception of the copying cycles). (3) We add another blank insertion cycle to deal with the special case where the head is followed by the \(\#\) symbol.
Definition 4.3
(Turing machine encoding [17]). Given a Turing machine \( TM \) and an initial tape content \(\omega \), we write \(S( TM ,\omega )\) for the system \((A_1, A_2)\) with each \(A_i\) constructed as described above.
The rest follows the proof of [17]. Here we recall informally the final result: any execution of a Turing machine \( TM \) with initial word \(\omega \) can be simulated by \(S( TM ,\omega )\), and viceversa.
Lemma 4.1
For any \( TM \) and word \(\omega \), \(S( TM ,\omega ) = (A_1, A_2)\) is AD.
Proof
Take \(A_i = (Q_i, q_{0_i}, \delta _i)\), we show \(\forall q\in Q_i \, : \,\mathtt {fin}(q)\), which implies that the system is AD. If there was \(q\in Q_i\) such that \(\lnot \mathtt {fin}(q)\), there would a cycle of send actions only, the construction of \(A_i\) clearly prevents this (see Fig. 3). \(\square \)
Theorem 4.1
(Undecidability of \( {{\mathrm{\asymp }}}\) ). Given two machines \(M_1\) and \(M_2\), it is generally undecidable whether \( M_1 {{\mathrm{\asymp }}}M_2\) holds.
The proof of Theorem 4.1 shows that the following statements are equivalent: (1) \( TM \) accepts \(\omega \), (2) \(S( TM ,\omega ) = (A_1 , A_2)\) is not safe, and (3) \(\lnot ( A_1 {{\mathrm{\asymp }}}A_2 )\). We show (1) \(\Rightarrow \) (2) by Lemma 2.1, (2) \(\Rightarrow \) (1) from the definition of safety, and (2) \(\Leftrightarrow \) (3) by Theorems 3.1 and 3.3 and the fact that \((A_1 , A_2)\) is AD.
4.1 Decidable Subclasses of CFSMs
We now identify three subclasses of CFSMs for which the \( {{\mathrm{\asymp }}}\)relation is decidable. We say that \( M_1 {{\mathrm{\asymp }}}M_2\) is decidable iff it is decidable whether or not \( M_1 {{\mathrm{\asymp }}}M_2\) holds. The first subclass is HD systems: HD is a decidable property and safety is decidable within that class [8], hence \( {{\mathrm{\asymp }}}\) is decidable in HD and it is equivalent to \( {{\mathrm{\asymp }}}_{s} \) within HD. The second subclass is taken from the CFSMs literature and the third is limited to systems that contain at least one machine that has no branching. We define the last two subclasses below.
The following definition is convenient to formalise our decidability results. Given \(M_i = (Q_i , q_{0_i}, \delta _i)\) for \(i \in \{1,2\}\), the derivation tree of a triple \(\pi {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}{q}\) is a tree whose nodes are labelled by elements of \(\mathbb {A}^{*}\times Q_1 \times Q_2\) such that the children of a node are exactly the triple generated by applying one step of Definition 3.1.
For example, consider the machines \(M_1\) and \(M_2\) from Fig. 2, we have a tree which consists of a unique (infinite) branch:
Lemma 4.2
The derivation tree of \(\pi {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}{q}\) is finitely branching.
Lemma 4.2 follows from the fact that each machine is finitely branching and the predicate \(\mathtt {fin}(\_)\) guarantees finiteness for case (3b) of Definition 3.1.
Alternating Machines. Alternating machines were introduced in [21] where it is shown that the progress problem (corresponding to our notion of safety) is decidable for such systems. A machine is alternating if each of its sending transition is followed by a receiving transition, e.g., \(M_s\) and \(M'_s\) in Fig. 1 are alternating, as well as the specification of the alternatingbit protocol in [21]. Observe that alternating machines form AD systems.
Theorem 4.2
If \(M_1\) and \(M_2\) are alternating, then \( M_1 {{\mathrm{\asymp }}}M_2\) is decidable.
The proof simply shows that the \(\pi \) part of the relation (cf. Definition 3.1) is bounded by 1, by induction on the depth of the derivation tree.
Nonbranching Machines. Given \(M = (Q, q_0, \delta )\) we say that M is nonbranching if each of its state has at most one successor, i.e., if \(\forall q\in Q\, : \,\delta (q) \le 1\). For example, \(M'_s\) in Fig. 1 is nonbranching. Nonbranching machines are used notably in [33, 35] to specify parallel programs which can be optimised through asynchronous message permutations.
Theorem 4.3
Let \(M_1\) and \(M_2\) be two machines such that at least one of them is nonbranching, then \( M_1 {{\mathrm{\asymp }}}M_2\) is decidable.
The proof relies on the fact that (i) the derivation tree is finitely branching (Lemma 4.2), hence there is a semialgorithm to checker whether \(\lnot ( M_1 {{\mathrm{\asymp }}}M_2)\) and (ii) over any infinite branches we can find two nodes of the form \(\mathtt {c}= \pi ^n {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}{q}\) and \(\mathtt {c}' = \pi ^m {{\mathrm{\blacktriangleright }}}p {{\mathrm{\asymp }}}{q}\), with \(n \le m\). If n is large enough, this implies that the relation holds (i.e., the branch is indeed infinite).
5 Correspondence Between Compatibility and Subtyping
We show a precise correspondence between the asynchronous subtyping for session types and the \( {{\mathrm{\asymp }}}\)relation for CFSMs, i.e., Step 4. We first recall the syntax of session types and as well as the definition of asynchronous subtyping.
Session Types and Subtyping. The syntax of session types is given by
where \(I \ne \varnothing \) is finite and \( a _i \ne a _j\) for \(i \ne j\). Type \(\mathtt {end}\) indicates the end of a session. Type \(\oplus _{i \in I} {! a _{i}} . \, {T}_{i}\) specifies an internal choice, indicating that the program chooses to send one of the \( a _i\) messages, then behaves as \(T_i\). Type specifies an external choice, saying that the program waits to receive one of the \( a _i\) messages, then behaves as \(T_i\). Types \(\mathtt {rec}\, \mathbf {\mathbf {x}} . T\) and \(\mathbf {x}\) are used to specify recursive behaviours. We only consider closed types, i.e., without free variables.
Since our goal is to relate a binary relation defined on CFSMs to a binary relation on session types, we first introduce transformations from one to another.
Definition 5.1
Given a type T, we write \(\mathcal {M}(T)\) for the CFSM induced by T. Given a CFSM M, we write \(\mathcal {T}(M)\) for the type constructed from M.
We assume the existence of two algorithms such that \(T = \mathcal {T}( \mathcal {M}(T))\) and \(M = \mathcal {M}( \mathcal {T}(M))\) for any type T and machine M. These algorithms are rather trivial since each session type induces a finite automaton, see [15] for instance.
We write \(\overline{T}\) for the dual of type T, i.e., \(\overline{\mathtt {end}} = \mathtt {end}\), \(\overline{\mathbf {x}} = \mathbf {x}\), \(\overline{\mathtt {rec}\, \mathbf {\mathbf {x}} . T} = \mathtt {rec}\, \mathbf {\mathbf {x}} . \overline{T}\), , and \( \overline{ \& _{i \in I} {? a _{i}} . \, {T}_{i}} = \oplus _{i \in I} {! a _{i}} . \, {\overline{T}}_{i}\).
Hereafter, we write \({{\mathrm{\leqslant _{\mathsf {a}}}}}\) for the relation in [9] (abstracting away from carried types) which we recall below. An asynchronous context [9] is defined by
We write \(\mathcal {A}[\,]^{n \in N}\) to denote a context with holes indexed by elements of N and \(\mathcal {A}[T_n]^{n \in N}\) to denote the same context when the hole \([ \, ]^{n}\) has been filled with \(T_n\).
The predicate holds if it can be derived from the following rules:
holds whenever T always eventually performs a receive action, i.e., it cannot loop on send actions only. It is the counterpart of the predicate \(\mathtt {fin}(\_)\) for CFSMs, cf. Lemma 5.1.
Definition 5.2
( \({{\mathrm{\leqslant _{\mathsf {a}}}}}\) [9]). The asynchronous subtyping, \({{\mathrm{\leqslant _{\mathsf {a}}}}}\), is the largest relation that contains the rules:^{Footnote 1}
The double line in the rules indicates that the rules should be interpreted coinductively. We are assuming an equirecursive view of types.
Rule \(\textsc {[sel]}\) lets the subtype make fewer selections than its supertype, while rule \(\textsc {[bra]}\) allows the subtype to offer more branches. Rule \(\textsc {[async]}\) allows safe permutations of actions, by which a protocol can be refined to maximise asynchrony without violating safety. Note that the synchronous subtyping \({{\mathrm{\leqslant _{\mathsf {s}}}}}\) [11, 19, 20] is defined as Definition 5.2 without rule \(\textsc {[async]}\), hence \({{\mathrm{\leqslant _{\mathsf {s}}}}}\subseteq {{\mathrm{\leqslant _{\mathsf {a}}}}}\). In Fig. 1, \(\mathcal {T}(M'_s) {{\mathrm{\leqslant _{\mathsf {s}}}}}\mathcal {T}(M_s)\), \(\mathcal {T}(M'_s) {{\mathrm{\leqslant _{\mathsf {a}}}}}\mathcal {T}(M_s)\), and \(\mathcal {T}(M_c) {{\mathrm{\leqslant _{\mathsf {a}}}}}\mathcal {T}(M'_c)\).
The correspondence between \( {{\mathrm{\asymp }}}\) (Definition 3.1) and \({{\mathrm{\leqslant _{\mathsf {a}}}}}\) (Definition 5.2) can be understood as follows. Case (1) of Definition 3.1 corresponds to rule \(\textsc {[end]}\). Case (2a) corresponds to rule \(\textsc {[bra]}\). Case (3a) corresponds to rule \(\textsc {[sel]}\). Cases (2b) and (3b) together correspond to rule \(\textsc {[async]}\).
Correspondences. We show that \( {{\mathrm{\asymp }}}\) on CFSMs and \({{\mathrm{\leqslant _{\mathsf {a}}}}}\) on session types are equivalent, and, as a consequence, deciding whether two types are \({{\mathrm{\leqslant _{\mathsf {a}}}}}\)related is undecidable. We first introduce a few auxiliary lemmas and definitions.
Lemma 5.1
Let \(M = (Q, q_0, \delta )\) and T be a session type.

1.
For each \(q\in Q\), if \(\mathtt {fin}(q)\), then .

2.
If and \(\mathcal {M}(T) = (\hat{Q}, q, \hat{\delta })\), then \(\mathtt {fin}(q)\).

3.
If \(T = \overline{ \mathcal {A}[ \oplus _{i \in I} {! a _{i}} . \, {U_i^n} ]^{n \in N} }\) then .
Lemma 5.1 states the relationship between and \(\mathtt {fin}(\_)\) (cf. Sect. 2.2).
We write \(\pi \in \mathcal {A}\) if \(\pi \) is a branch in the context \(\mathcal {A}\). Formally, given \(\mathcal {A}\) and \(\pi \in \mathbb {A}^{*}\), we define the predicate \(\pi \in \mathcal {A}\) as follows:
The next lemma shows that the \({{\mathrm{\leqslant _{\mathsf {a}}}}}\)relation implies the \( {{\mathrm{\asymp }}}\)relation.
Lemma 5.2
Let T and U be two session types, such that \(\mathcal {M}(T) = (Q^T , q^T_0, \delta {}^T)\) and \(\mathcal {M}(U) = (Q^U , q^U_0, \delta {}^U)\), then \( T {{\mathrm{\leqslant _{\mathsf {a}}}}}\mathcal {A}[\overline{U}] \implies \forall \pi \in \mathcal {A}\, : \,\pi {{\mathrm{\blacktriangleright }}}q^T_0 {{\mathrm{\asymp }}}{q^U_0} \).
The proof of Lemma 5.2 is by coinduction on the derivation of \(\pi {{\mathrm{\blacktriangleright }}} p {{\mathrm{\asymp }}}{q}\). We use Lemma 5.1 to show that premise of rule \(\textsc {[async]}\) implies that \(\mathtt {fin}(q^T_0)\) and \(\mathtt {fin}(q^U_0)\) hold when necessary.
The next lemma shows that the \( {{\mathrm{\asymp }}}\)relation implies the \({{\mathrm{\leqslant _{\mathsf {a}}}}}\)relation.
Lemma 5.3
Let \(M_i = (Q_i , q_{0_i}, \delta {}_i)\), \(i \in \{1,2\}\) and \(\pi = a_1 \cdots a_k \in \mathbb {A}^{*}\), for all \(p\in Q_1\) and \(q\in Q_2\), \( \pi {{\mathrm{\blacktriangleright }}} p {{\mathrm{\asymp }}}{q} \implies \mathcal {T}(Q_1 , p, \delta {}_1) \, {{\mathrm{\leqslant _{\mathsf {a}}}}}\, ? a_1 \cdots ? a_k . [ \overline{ \mathcal {T}(Q_2 , q, \delta {}_2) } ] \).
The proof of Lemma 5.3 is by coinduction on the rules of Definition 5.2, using Lemma 5.1 to match the requirements of the respective relations.
We are now ready to state the final equivalence result.
Theorem 5.1
The relations \( {{\mathrm{\asymp }}}\) and \({{\mathrm{\leqslant _{\mathsf {a}}}}}\) are equivalent in the following sense:

1.
Let \(T_1\) and \(T_2\) be two session types, then \( T_1 {{\mathrm{\leqslant _{\mathsf {a}}}}}\overline{T_2} \implies \mathcal {M}(T_1) {{\mathrm{\asymp }}}\mathcal {M}(T_2) \).

2.
Let \(M_1\) and \(M_2\) be two machines, then .
Proof
(1) follows from Lemma 5.2, with \(T_1 = T\), \(T_2 = U\), and \(\mathcal {A}= [ \, ]\). (2) follows from Lemma 5.3, with \(\pi = \epsilon \), \(p= q_{0_1}\), and \(q= q_{0_2}\). \(\square \)
A consequence of the correspondence between the two relations is that the \( {{\mathrm{\asymp }}}\)relation is transitive in the following sense:
Theorem 5.2
If \( M_1 {{\mathrm{\asymp }}}\overline{M}\) and \( M {{\mathrm{\asymp }}}{M_2}\), then \( M_1 {{\mathrm{\asymp }}}{M_2}.\)
Proof
By Theorem 5.1 we have (1) \( M_1 {{\mathrm{\asymp }}}\overline{M} \iff M_1 {{\mathrm{\leqslant _{\mathsf {a}}}}}M\) (2) \( M {{\mathrm{\asymp }}}{M_2} \iff M {{\mathrm{\leqslant _{\mathsf {a}}}}}\overline{M_2}\). Since \({{\mathrm{\leqslant _{\mathsf {a}}}}}\) is transitive [10], we have \(M_1 {{\mathrm{\leqslant _{\mathsf {a}}}}}\overline{M_2}\). Thus, using Theorem 5.1 again, we have \(M_1 {{\mathrm{\leqslant _{\mathsf {a}}}}}\overline{M_2} \iff M_1 {{\mathrm{\asymp }}}{M_2}\). \(\square \)
As a consequence of Theorems 4.1 and 5.1, we have the undecidability of the asynchronous subtyping:
Theorem 5.3
(Undecidability of \({{\mathrm{\leqslant _{\mathsf {a}}}}}\) ). Given two session types \(T_1\) and \(T_2\), it is generally undecidable whether \(T_1 {{\mathrm{\leqslant _{\mathsf {a}}}}}T_2\) holds.
We state the equivalence between \( {{\mathrm{\asymp }}}_{s} \) and \({{\mathrm{\leqslant _{\mathsf {s}}}}}\), and the transitivity of \( {{\mathrm{\asymp }}}_{s} \).
Theorem 5.4
The relations \( {{\mathrm{\asymp }}}_{s} \) and \({{\mathrm{\leqslant _{\mathsf {s}}}}}\) are equivalent in the following sense:

1.
Let \(T_1\) and \(T_2\) be two session types, then \( T_1 {{\mathrm{\leqslant _{\mathsf {s}}}}}\overline{T_2} \implies \mathcal {M}(T_1) {{\mathrm{\asymp }}}_{s} \mathcal {M}(T_2) \).

2.
Let \(M_1\) and \(M_2\) be two machines, then \( M_1 {{\mathrm{\asymp }}}_{s} M_2 \implies \mathcal {T}(M_1) {{\mathrm{\leqslant _{\mathsf {s}}}}}\overline{\mathcal {T}(M_2)} \).
Theorem 5.5
If \( M_1 {{\mathrm{\asymp }}}_{s} \overline{M}\) and \( M {{\mathrm{\asymp }}}_{s} {M_2}\), then \( M_1 {{\mathrm{\asymp }}}_{s} {M_2}.\)
Theorem 5.1 together with the soundness and completeness of \( {{\mathrm{\asymp }}}\) wrt. safety in AD systems (Theorems 3.1 and 3.3) imply a tight relationship between \({{\mathrm{\leqslant _{\mathsf {a}}}}}\) and session types corresponding to AD systems. A similar correspondence between \({{\mathrm{\leqslant _{\mathsf {s}}}}}\) and HD systems exists, by Theorems 3.2, 3.4, and 5.4.
6 Conclusions and Related Work
We have introduced a new subclass of CFSMs (AD), which includes HD, and a compatibility relation \( {{\mathrm{\asymp }}}\) (resp. \( {{\mathrm{\asymp }}}_{s} \)) that is sound and complete wrt. safety within AD (resp. HD) and equivalent to asynchronous (resp. synchronous) subtyping. Our results in Sect. 4.1 suggest that \( {{\mathrm{\asymp }}}\) is a convenient basis for designing safety checking algorithms for some subclasses of CFSMs. Given the results in the present paper, we plan to study bounded approximations of \( {{\mathrm{\asymp }}}\) that can be used for session typed applications. Such approximations would make asynchronous subtyping available for realworld programs and thus facilitate the integration of flexible session typing.
Related Work. The first (synchronous) subtyping for session types in the \(\pi \)calculus was introduced in [19] and shown to be decidable in [20]. Its complexity was further studied in [26] which encodes synchronous subtyping as a model checking problem. The first version of asynchronous subtyping was introduced in [31] for multiparty session types and further studied in [28,29,30] for binary session types in the higherorder \(\pi \)calculus. These works and [10] stated or conjectured the decidability of the relations. The technical report [5] (announced after the submission of the present paper) independently studied the undecidability of these relations. Note that the subtyping relation in [28, 30] only differs from the one in [9, 10] by the omission of the premise in rule \(\textsc {[async]}\). This subtyping is not sound wrt. our definition of safety as it does not guarantee eventual reception [9, 10]. We conjecture that it is sound and complete wrt. progress (either both machines are in a final state or one can eventually make a move) in (the full class of) CFSMs, hence it is also undecidable since progress corresponds to rejection of a word by a Turing machine, cf. Sect. 4.
The operational and denotational preciseness of (synchronous and asynchronous) subtyping for session types was studied in [9, 10] where the authors give soundness and completeness of each subtyping through the set of \(\pi \)calculus processes a type T can type. In this paper, we study the soundness and completeness of \( {{\mathrm{\asymp }}}\) (resp. \( {{\mathrm{\asymp }}}_{s} \)) in CFSMs through AD (resp. HD) systems.
CFSMs have long been known to be Turing complete [4, 17] even when restricted to deterministic machines without mixed states [21]. The first paper to relate formally CFSMs and session types was [14], which was followed by a series of work using CFSMs as session types [3, 15, 25]. The article [2] shows, in a similar fashion to [17], that the compliance of contracts based on asynchronous session types is undecidable. Here, we show that the encoding of [17] is indeed AD and that safety is equivalent to word acceptance by a Turing machine.
Notes
 1.
Note that in [9] rule \(\textsc {[async]}\) has a redundant additional premise, , which is only used to make the application of the rules deterministic.
References
Ancona, D., Bono, V., Bravetti, M., Campos, J., Castagna, G., Deniélou, P., Gay, S.J., Gesbert, N., Giachino, E., Hu, R., Johnsen, E.B., Martins, F., Mascardi, V., Montesi, F., Neykova, R., Ng, N., Padovani, L., Vasconcelos, V.T., Yoshida, N.: Behavioral types in programming languages. Found. Trends Program. Lang. 3(2–3), 95–230 (2016)
Bartoletti, M., Scalas, A., Tuosto, E., Zunino, R.: Honesty by typing. Log. Meth. Comput. Sci. 12(4) (2016)
Bocchi, L., Lange, J., Yoshida, N.: Meeting deadlines together. In: CONCUR 2015, pp. 283–296 (2015)
Brand, D., Zafiropulo, P.: On communicating finitestate machines. J. ACM 30(2), 323–342 (1983)
Bravetti, M., Carbone, M., Zavattaro, G.: Undecidability of asynchronous session subtyping. CoRR, abs/1611.05026 (2016)
Carbone, M., Honda, K., Yoshida, N.: Structured communicationcentred programming for web services. In: Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 2–17. Springer, Heidelberg (2007). doi:10.1007/9783540713166_2
Carbone, M., Honda, K., Yoshida, N.: Structured communicationcentered programming for web services. ACM Trans. Program. Lang. Syst. 34(2), 8 (2012)
Cécé, G., Finkel, A.: Verification of programs with halfduplex communication. Inf. Comput. 202(2), 166–190 (2005)
Chen, T.C., DezaniCiancaglini, M., Scalas, A., Yoshida, N.: On the preciseness of subtyping in session types. LMCS (2016)
Chen, T.C., DezaniCiancaglini, M., Yoshida, N.: On the preciseness of subtyping in session types. In: PPDP 2014, pp. 146–135. ACM Press (2014)
Demangeon, R., Honda, K.: Full abstraction in a subtyped picalculus with linear types. In: Katoen, J.P., König, B. (eds.) CONCUR 2011. LNCS, vol. 6901, pp. 280–296. Springer, Heidelberg (2011). doi:10.1007/9783642232176_19
Demangeon, R., Yoshida, N.: On the expressiveness of multiparty sessions. In: Harsha, P., Ramalingam, G. (eds.) FSTTCS 2015. LIPIcs, vol. 45, pp. 560–574. Schloss Dagstuhl  LeibnizZentrum fuer Informatik (2015)
Deniélou, P., Yoshida, N.: Buffered communication analysis in distributed multiparty sessions. In: CONCUR 2010, pp. 343–357 (2010)
Deniélou, P.M., Yoshida, N.: Multiparty session types meet communicating automata. In: Seidl, H. (ed.) ESOP 2012. LNCS, vol. 7211, pp. 194–213. Springer, Heidelberg (2012). doi:10.1007/9783642288692_10
Deniélou, P., Yoshida, N.: Multiparty compatibility in communicating automata: characterisation and synthesis of global session types. In: ICALP 2013, pp. 174–186 (2013)
DezaniCiancaglini, M., Ghilezan, S., Jaksic, S., Pantovic, J., Yoshida, N.: Denotational and operational preciseness of subtyping: a roadmap. In: Theory and Practice of Formal Methods  Essays Dedicated to Frank de Boer on the Occasion of His 60th Birthday, pp. 155–172 (2016)
Finkel, A., McKenzie, P.: Verifying identical communicating processes is undecidable. Theor. Comput. Sci. 174(1–2), 217–230 (1997)
Gay, S.J.: Subtyping supports safe session substitution. In: A List of Successes That Can Change the World  Essays Dedicated to Philip Wadler on the Occasion of His 60th Birthday, pp. 95–108 (2016)
Gay, S., Hole, M.: Types and subtypes for clientserver interactions. In: Swierstra, S.D. (ed.) ESOP 1999. LNCS, vol. 1576, pp. 74–90. Springer, Heidelberg (1999). doi:10.1007/354049099X_6
Gay, S.J., Hole, M.: Subtyping for session types in the pi calculus. Acta Inf. 42(2–3), 191–225 (2005)
Gouda, M.G., Manning, E.G., Yu, Y.: On the progress of communications between two finite state machines. Inf. Control 63(3), 200–216 (1984)
Honda, K., Vasconcelos, V.T., Kubo, M.: Language primitives and type discipline for structured communicationbased programming. In: Hankin, C. (ed.) ESOP 1998. LNCS, vol. 1381, pp. 122–138. Springer, Heidelberg (1998). doi:10.1007/BFb0053567
Hu, R., Yoshida, N.: Hybrid session verification through endpoint API generation. In: FASE 2016, pp. 401–418 (2016)
Hüttel, H., Lanese, I., Vasconcelos, V.T., Caires, L., Carbone, M., Deniélou, P., Mostrous, D., Padovani, L., Ravara, A., Tuosto, E., Vieira, H.T., Zavattaro, G.: Foundations of session types and behavioural contracts. ACM Comput. Surv. 49(1), 3 (2016)
Lange, J., Tuosto, E., Yoshida, N.: From communicating machines to graphical choreographies. In: POPL 2015, pp. 221–232 (2015)
Lange, J., Yoshida, N.: Characteristic formulae for session types. In: Chechik, M., Raskin, J.F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 833–850. Springer, Heidelberg (2016). doi:10.1007/9783662496749_52
Lange, J., Yoshida, N.: On the undecidability of asynchronous session subtyping (with appendices). Technical report 2016/9, Imperial College London (2016). https://www.doc.ic.ac.uk/research/technicalreports/2016/DTRS169.pdf
Mostrous, D.: Session types in concurrent calculi: higherorder processes and objects. PhD thesis, Imperial College London, November 2009
Mostrous, D., Yoshida, N.: Sessionbased communication optimisation for higherorder mobile processes. In: Curien, P.L. (ed.) TLCA 2009. LNCS, vol. 5608, pp. 203–218. Springer, Heidelberg (2009). doi:10.1007/9783642022739_16
Mostrous, D., Yoshida, N.: Session typing and asynchronous subtyping for the higherorder \(\uppi \)calculus. Inf. Comput. 241, 227–263 (2015)
Mostrous, D., Yoshida, N., Honda, K.: Global principal typing in partially commutative asynchronous sessions. In: Castagna, G. (ed.) ESOP 2009. LNCS, vol. 5502, pp. 316–332. Springer, Heidelberg (2009). doi:10.1007/9783642005909_23
Ng, N., Figueiredo Coutinho, J.G., Yoshida, N.: Protocols by default. In: Franke, B. (ed.) CC 2015. LNCS, vol. 9031, pp. 212–232. Springer, Heidelberg (2015). doi:10.1007/9783662466636_11
Ng, N., Yoshida, N., Honda, K.: Multiparty session C: safe parallel programming with message optimisation. In: Furia, C.A., Nanz, S. (eds.) TOOLS 2012. LNCS, vol. 7304, pp. 202–218. Springer, Heidelberg (2012). doi:10.1007/9783642305610_15
Takeuchi, K., Honda, K., Kubo, M.: An interactionbased language and its typing system. In: Halatsis, C., Maritsas, D., Philokyprou, G., Theodoridis, S. (eds.) PARLE 1994. LNCS, vol. 817, pp. 398–413. Springer, Heidelberg (1994). doi:10.1007/3540581847_118
Yoshida, N., Vasconcelos, V., Paulino, H., Honda, K.: Sessionbased compilation framework for multicore programming. In: Boer, F.S., Bonsangue, M.M., Madelaine, E. (eds.) FMCO 2008. LNCS, vol. 5751, pp. 226–246. Springer, Heidelberg (2009). doi:10.1007/9783642041679_12
Acknowledgements
We thank A. Scalas, B. Toninho and G. Zavattaro for their comments on earlier versions of this paper, in particular G. Zavattaro for identifying the need for additional blank insertion cycles (in Fig. 3). This work is partially supported by EPSRC EP/K034413/1, EP/K011715/1, EP/L00058X/1, EP/N027833/1 and EP/N028201/1; and by EU FP7 612985 (UPSCALE).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 SpringerVerlag GmbH Germany
About this paper
Cite this paper
Lange, J., Yoshida, N. (2017). On the Undecidability of Asynchronous Session Subtyping. In: Esparza, J., Murawski, A. (eds) Foundations of Software Science and Computation Structures. FoSSaCS 2017. Lecture Notes in Computer Science(), vol 10203. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783662544587_26
Download citation
DOI: https://doi.org/10.1007/9783662544587_26
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 9783662544570
Online ISBN: 9783662544587
eBook Packages: Computer ScienceComputer Science (R0)