Composable partial multiparty session types for open systems

Session types are a well-established framework for the speciﬁcation of interactions between components of a distributed systems. An important issue is how to determine the type for an open system, i.e., obtained by assembling subcomponents, some of which could be missing. To this end, we introduce partial sessions and partial (multiparty) session types . Partial sessions can be composed , and the type of the resulting system is derived from those of its components without knowing any suitable global type nor the types of missing parts. To deal with this incomplete information, partial session types represent the subjective views of the interactions from participants’ perspectives; when sessions are composed, different partial views can be merged if compatible, yielding a uniﬁed view of the session. Incompatible types, due to, e.g., miscommunications or deadlocks, are detected at the merging phase. In fact, in this theory the distinction between global and local types vanishes. We apply these types to a process calculus for which we prove subject reduction and progress , so that well-typed systems never violate the prescribed constraints. In particular, we introduce a generalization of the progress property, in order to accommodate the case when a partial session cannot progress not due to a deadlock, but because some participants are still missing. Therefore, partial session types support the development of systems by incremental assembling of components.

system will behave according to the global type if each component respects its local type, which can be ensured by means of, e.g., static type checking [19,27]. The global type is given beforehand by the programmer, and the type system checks that the local behavior of all the participants, given by local types conform to it. Therefore, session types support a topdown style of coding: first the designer specifies the behavior from a global perspective, then the programmers are given the specifications for their modules. On the other hand, these session types do not fit well bottom-up programming models, where systems are built incrementally by composing existing reusable components, possibly with dynamic bindings. Some examples are (micro)service-oriented and component-based architectures, and containers [24]. In these situations, components could offer "contracts" in the form of, e.g., session types; then, when these components are connected together, we would like to derive the contract for the resulting system from components' ones. The system becomes a new component which can be used in other assemblies, and so on.
To this end, we need to infer the type for an open system (i.e., where some parts may be still missing) using the types of the known components, in a compositional way and without knowing any global type. This is challenging. As an example, let us consider a protocol from [29] with three participants: a server s, an authorization server a and some client c. First, s sends to c either a request to login, or to cancel. In the first case, c sends a password to a, and a sends a Boolean to s (telling whether c is authorized). In the second case, c tells a to quit. Using the syntax of [29], the two server processes have the following types: S s := c⊕{login.a&auth(Bool), cancel} S a := c&{passwd(Str).s⊕auth (Bool), quit} Let us suppose that we have implementations a and s for S a , S s . To prevent miscommunications, we would like to verify that these two processes work well together, e.g., we have to ensure that a can send the message auth(Bool) to s iff s is waiting for it. This corresponds to see these two processes as a single system a|s, and to check that a|s is well-typed without knowing the behavior of clients; more precisely, we have to figure out a session type for a|s from S a and S s . This is difficult, because the link that propagates the choice made by s to a is the missing client c, so we have to "guess" its role without knowing it.
In this paper, we address this problem by introducing partial sessions and partial (multiparty) session types. Partial session types generalize global types with the possibility to type also partial (or open) sessions, i.e., where some participant may be missing. The key difference is that while a global type is a complete, "platonistic" description of the protocol, partial session types represent the subjective views from participants' perspectives. We can merge two sessions with the same name but from two different "point of views," whenever their types are compatible; in this case, we can compute the new, unified, session type from those of the components. In this way, we can guarantee important properties (e.g., absence of deadlocks) about partial session without knowing all participants beforehand, and without a complete global type. In fact, the distinction between local and global types vanishes: local types correspond to partial session types for sessions with a single participant, and global types correspond to finalized partial session types, i.e., in which no participant is missing.
Defining "compatibility" and how to merge partial session types is technically challenging. Intuitively, the semantics of a partial session type is the set of all possible execution traces (which depend on internal and external choices). We provide a merging algorithm computing a type covering all the possible synchronizations of these traces. Incompatible types, due to, e.g., miscommunications or deadlocks, are detected when no synchronization is possible. Also the notion of progress has to be revisited, to accommodate the case when a partial session cannot progress not due to a deadlock, but due to some missing participant.
Outline. The paper is organized as follows. We review some related work in Sect. 2. In Sect. 3, we introduce a formal calculus for processes communicating over multiparty sessions. Our theory of partial session types is presented in Sect. 4, and the type system for the process calculus is in Sect. 5. Central to this type system is the merging algorithm, which we describe in Sect. 6. A trace semantics of session types is given in Sect. 7, for which we show that the merging operation is sound and complete. The results about the semantics of session types will be useful also in Sect. 8, where we prove the crucial properties of subject reduction and progress for the process calculus under investigation. Finally, conclusions and directions for further work are in Sect. 9.

Related work
The present paper is a revised and significantly extended version of [30].
The problem of composing session types has been faced in several related work. Compositional choreographies are discussed in [26], with the same motivations as ours, but from a different perspective. The authors manage to compose choreographies using global types, but the global type of shared channels has to be the same. This is in contrast with our approach, where the processes may have different session types that we merge during the composition. Moreover, their typing judgments use the sets of all the participants (there called roles); more precisely, types for channels keep track of the "active" role, the set of all roles in the global type, and the roles actually implemented by the choreography under typing. On the other hand, we do not need to specify neither the complete set of participants nor the "active" role.
Synthesis of choreography from local types has been studied also in [22], but with no notion of "partial types" and no distinction between internal/external choice. Graphical representations of choreographies (as communicating finitestate machines) and global types have been used in [23], where an algorithm for constructing a global graph from asynchronous interactions is given.
An interesting approach for connecting systems via some intermediating agent has been investigated in [2][3][4][5][6]. Two independent global types G 1 , G 2 with different participants can be composed through participant h in G 1 and k in G 2 where h and k relay the message they receive to each other. In particular, in [5] behaviors of systems are represented by means of Communicating Finite State Machines (CFSMs); these can be connected along compatible interfaces by means of suitable gateway CFSMs, which can be effectively constructed.
Finally, Scalas and Yoshida [29] do not use global types altogether: behaviors of systems are represented by sets of local types, over which no consistency conditions are required, and behavioral properties can be verified using model checking techniques. The approach of [29] can model situations which are not captured by our partial session types, at least because it supports recursion; on the other hand, our approach allows for incremental, compositional verification, whereas [29] checks the correctness of sessions only after all participants' specifications are available.
A problem similar to ours is considered in [9], where the authors introduce a type system for the Conversation Calculus, a model for service-oriented computing. Conversation types of parallel processes can be merged like in our approach, but the underlying computational model is quite different.
Semantics of concurrent processes can be given using Mazurkiewicz trace languages [28]. Semantics can also be defined using event structures, as in [12], where they are used for defining equivalent semantics for processes and their global types. Interestingly, the semantics for global types proposed in [12] is similar to the representation of Mazurkiewicz trace languages as event structures given in [28]. Mazurkiewicz trace languages have also been used to characterize testing preorders on multiparty scenarios [14]. A denotational semantics based on Brzozowski derivatives that corresponds to bisimilarity is given in [21].
Another semantics of processes (but for binary session types) which records exchanged informations is given in [1]. This semantics is similar to the relation-based model of linear logic [7] and is not based on traces. It would be interesting to investigate if this alternative semantics can be extended to MPST and how the merging operation would be interpreted in it. The relationship between category theory and session types has also been investigated in [20,31].

A calculus for processes over multiparty sessions
Our language for processes is inspired by [11], which is in turn inspired by [32]; as in those works, we consider synchronous communications.
Simple data language Our process algebra is parametrized by an auxiliary language for simple data, that we will call D.
We suppose D to be a typed language whose types A, B, . . . are taken from some set B. The set of terms for D are ranged over by M, N , . . . , and contains variables x, y, . . . and values v 1 , v 2 , . . . In particular, we assume there is a type Bool with two values tt, ff. As usual, a (term typing) environment E is a map from a finite set of variables to types; then, we assume to have a (term) typing judgment E D M : A. We will omit the subscript D when clear from the context. We assume also a normalization relation M ↓ v between terms and values; it can be partial or non-deterministic, but we assume that D is normalizing for Booleans, i.e., for M Fig. 1 Syntax of the process calculus for multiparty session such that ∅ D M : Bool, then M ↓ tt or M ↓ ff (or both). This will be important for proving the progress property of our process calculus. Syntax of processes Let us note p, q, p 1 , p , . . . for participant names, taken from some set P, andp for a finite non-empty set of participants { p 1 , . . . , p n }. Given a simple data language D, the syntax of processes for multiparty sessions is provided in Fig. 1.
We provide a brief description of these constructors.
-The process x pq M .P executes a synchronous send of term M (belonging to D), as participant p, to all participantsq in session x; dually, x pq (y : A).P is a participant p waiting for an input (of type A) from q in session x, before continuing as P where the term variable y is replaced by the received term. -The process x pq l.P sends label l in session x, as participant p, toq, and proceeds as P. For each participant q ∈q, this label is received by process of the form x qp {l 1 : P 1 , . . . , l n : P n }, which then proceeds as P i if l = l i . -The process x pq (y).P creates a fresh subsession handler y, sends it toq, and proceeds as P. This handler is received by processes of the form x qp (y).(Q R) (for each q ∈q) which forks a process Q dedicated to the new session y, in parallel with the continuation R (on the previous session x). 1 -Parallel composition of processes P and Q through session x is denoted by P x Q. A participant executes close(x) to end its communications on session x; after close(x) no further actions are possible. Thus, close(x) is for x what 0 is for in CCS and the π -calculus. On the other hand, wait(x).P waits until all other participants on session x are gone, then it closes the session x and continues as P. -Finally, (νx)P is the usual restriction of session names, à la π -calculus, and "if M then P else Q" is the standard branching (i.e., "internal" choice).
Notice that D-terms are only used as data that is sent or received, and for if-then-else clauses. The session name y is bound in processes of the form (ν y)P, x pq (y).P, and x pq (y).(P Q), where it is bound only in P (i.e., Q does not receive the session y, but can keep communicating on x). Free names of a process P (noted fn(P)) are the set of free names of sessions appearing in P.
As for other process calculi, several syntactically different terms may denote the very same process. To simplify these alternative presentations, we introduce the usual notions of contexts and syntactic congruence. Definition 3.1 (Contexts) The contexts are defined as follows: ) satisfying the following rules (where x, y and z are different session names): We can see that processes with the operation | x have the structure of a commutative monoid (whose unit is close(x)), thus we will use Π x i P i as a shorthand for P 1 x . . . x P n , omitting n for the sake of readability. Operational Semantics The semantics of the process calculus is given by a labelled reduction system P α − → Q, where the label α allows to observe the kind of interaction: synchronization (with communication), external choice, internal choice, or internal (unobservable) move. We may write x : γ for either x : p →q : · , x : p →q : &l, or x : p →q : A.
We note P α − → Q for a transition from P to Q under the action α. This relation is defined by the rules in Fig. 2.
Most rules are standard and reflect the intuitive explanation of constructs given above. In rule (comm), communication follows a "call-by-name" approach, i.e., M is not evaluated before sending. 2 In reduction (send), we observe that the fresh session handle y is restricted to R and the P i 's, so if y appears in any Q i , the result would be ill formed. However, as we will see, the typing rules will ensure y does not appear in any Q i . Similarly, in reduction (wait), corresponding to the definitive closing of a (private) session, can happen only if x / ∈ fn(P), but again, the typing rules will ensure x does not escape its scope when reducing (νx)(wait(x).P) into P.
There is another possible execution, which is: Notice that p can start the session with just q and then wait for input from r : Example 3.2 A second running example is the well-known two-buyers problem, as in [17]. First Buyer 1 sends a book title to Seller, then Seller sends back a quote to both Buyer 1 and Buyer 2, then Buyer 1 tells Buyer 2 how much she wants to contribute, and Buyer 2 tells Seller if she accepts the quote or not. If the deal is drawn, Seller tells Buyer 2 the expected delivery date at her address.
To formalize this example, we need four base types: bool, int, string, and date. Buyer 2 knows a value address : string, and seller knows a value price : string → int and deliver y : string → date (the delivery date). There are also the global functions ≤: int → int → bool and /, − : int → int → int. We assume all of these values (local and global) are in an environment E. Then, the following are the processes P b 1 , P b 2 , P s of Buyer 1, Buyer 2 and Seller, respectively: else x b 2 s quit.close(x) P s :: =x sb 1 (title : string).x sb 1 b 2 price title .

Partial multiparty session types
In this section, we introduce partial multiparty session types (or just "session types"), which will be used to define the behavior of a partial session. The syntax of messages m and session types G is as follows: We pose G the set of session types with no occurrence of 0 and ω, and G ω the set of all session types. When not differently stated, we will use types from G ω , while G will be used in Sect. 5 to type processes. The set of participant names appearing in G is denoted by fn(G).
Informally, p →q : m; G means that the participant p sends the message m to the participants inq, then the session continues with G. This message can be either a term (from the language D) of type A, or a label l (noted &l); or a fresh handler for a session of type G (noted G ). The type end means that the session ends and the process survives, while close means that both the session and the process end. G 1 ⊕ G 2 (resp. G 1 & G 2 ) denotes an internal (resp. external) choice. Internal choices are made by local participants of the session, contrary to external choices; notice that, in contrast with standard practice, sending or receiving a label &l is unrelated from the choices done with ⊕ or &. Finally, we add the empty type 0, which denotes no possible executions (and it is the unit of ⊕), and the inconsistent type ω, which denotes an error in the session. Example 4.1 Continuing our running Example 3.1, the following are the types of session x for each process P p , P q , P r by the type system we will present in Sect. 5.
We will also be able to type compositions of these processes, e.g., the types of x in P p x P q and P q x P r are the following: Notice that G p,q describes also the behavior of P p x P q x P r . As we will see in the next section, these types can be compositionally derived from G p , G q , G r . We expect that in the environment E, for the three processes P b 1 , P b 2 , P s , session x will have the following types, respectively: In the end, the whole process P s x P b 1 x P b 2 will communicate on a session x following the type b 1 → s : Now, we aim to define when two session types are equivalent from the point of view of a set of participants. The idea is that a subset of all participants involved in a session may collect a limited knowledge of the events happening in the session, thus several possible types can be compatible with this limited knowledge-which can be already enough to tell possible incoherences. The events we can observe are communications C and are defined as follows: C:: = p →q : m end close 0 ω 1 We denote by C ω the set of all communications, and by C = C ω \ {ω, 0} the set of executable communications. The communications end, close, 0, ω are called terminal; the only non-terminal communications are p →q : m and 1, the latter representing any communication which is not observable from the current process. Thus, we can see terminal communications as types, and non-terminal communications as prefixes of types; in particular 1 is a "neutral" prefix for session types, i.e., for all G, we define 1; G = G.
In the following, we denote by S, S 1 , . . . ⊂ P finite sets of participants, which we call viewpoints.
The independence of communications relative to S is the smallest symmetric relation I S ⊆ C ω × C ω such that C I S 1 for any C, and ( p →q : m) I S ( p →q : m ) whenever Informally, C 1 I S C 2 means that the common participants of C 1 and C 2 are not in S. This independence is relative to the viewpoint S, because when C 1 I S C 2 , the participants in S cannot discriminate between C 1 ; C 2 ; G and C 2 ; C 1 ; G. In fact, we can define an equivalence relation between session types relative to S. Definition 4.2 (Equivalence relation) For any set of participants S, we define the relation S ⊆ G ω × G ω on session types as the smallest congruence satisfying the axioms in Fig. 3.
We can see that the operations ⊕ and &, together with the constants 0 and ω, form a unital commutative semiring. We The axiom (OOOE) allows an "out of order" execution of independent communications. Notice that in general G ⊕ ω S ω because the behavior of a process of type G ⊕ ω is not necessarily always inconsistent. 3

Fig. 3 Congruence equivalence for session types
The equation C; 0 S 0 corresponds to the fact that 0 means "no possible executions," not even the stuck one (as we will see in Sect. 7, the interpretation of 0 is the empty set); thus, prepending an execution to nothing yields nothing.
The fact that G 1 ⊕ G 2 or G 1 & G 2 are unrelated from the action of sending a choice allows us to move these operators around without changing the meaning of the type. Hence, we can introduce disjunctive normal forms of session types.

Definition 4.3 (Disjunctive Normal Form) A chain of communications is a session type of the form
In DNF, a type can be seen as a set of sets of traces (chains of communications), the intuition being that a trace describes a single possible interaction of a process. A set of traces defines a deterministic strategy followed by a single process P, describing how P reacts for any possible choice from other processes. A set of sets of traces describes all the possible strategies that P can follow once it has selected all its possible internal choices. So, describing a behavior in DNF is like saying that a process P starts by anticipating all possible internal choices for all possible interactions during execution. After that, P becomes deterministic and reacts in a single possible way to communications of other processes.
The equivalence relation on types allows us to rewrite any type in a DNF.

Proposition 4.1 For any type G and set of participants S, we can compute a G in DNF such that G S G.
Proof Given a type G, we can look at subterms inside G of the forms Each of them can be replaced by the corresponding equivalent subterm, i.e., ( . By repeatedly applying these rewritings, all ⊕ are moved at the top level and the ";" at the leaves of the type.

Type system
In this section, we introduce the type system for processes.
A key point of our approach is that types have always to be considered with respect to a set of participants, i.e., a viewpoint.
A (session typing) environment Γ is a finite set of typing declarations The main differences between our environments and those in [11,29] are that session types replace local types, and each session is endowed with a set of local participants, in addition to its session type.
We can extend internal choices and type equivalences to environments.

Definition 5.2 Let
. , x n : G n S n and Γ = x 1 : G 1 S 1 , . . . , x n : G n S n be two environments with the same domain and same sets of local participants. In this case, we define

Definition 5.3 (Equivalent environments)
We define on environments as the smallest equivalence relation satisfying the following rule: We can now introduce the typing judgment for processes E; P Γ , where E is a term typing environment and Γ is a session typing environment. Intuitively, it means "under the declarations in E, for each x : G S in Γ , the participants of P that interact on x are S and they follow the behavior G." Differently from most type systems (see, e.g., [11]), the send and receive actions are typed by the same global type, and not by dual types: in our approach the duality is given by the set of participants, i.e., the viewpoint, which is either the sender or the receiver.
Rule (⊕) types an internal choice between two processes. This choice is propagated to all sessions where the process is involved, so the sum is done componentwise between the types of the two branches, as per Definition 5.2. If the internal choice is irrelevant for some session x (i.e., we have x : G S in both premises) then in the conclusion we would have x : G ⊕ G S , which is equivalent to the former. We can rewrite types into equivalent ones with rule ( ).
Rules (close) and (wait) correspond, respectively, to the 1 and ⊥ rules in linear logic, and they both assume there is no named participant, therefore the set of participants in the conclusion is empty.
Rule (ν) allows us to create a local, restricted session. To correctly type the local session, we need to check that its type is complete with respect to the current participants, since no other participants will be able to join that session afterward. To this end, we introduce the notion of finalized session type. Intuitively, a type G is finalized for a viewpoint S, denoted G ↓ S, if all participants involved in the type are in the viewpoint, there are no occurrence of ω or close (because we need to avoid deadlocks and miscommunications), and that the end of the session is not the end of the process (because we are within a subsession). The rules for the auxiliary judgment G ↓ S are in Fig. 5.
The (extra) rule allows us to add participants which actually do not interact with the sessions; this is needed for the subject reduction.
Finally, rule ( ) is one of the key novelties of our type system. This rule allows us to connect two processes through a shared session x merging their respective types and viewpoints (which must be separated). The type G of the shared session is computed compositionally from G 1 , S 1 and G 2 , S 2 , by G 1 The definition of this operator is quite complex and is postponed to Sect. 6; for the moment it is enough to know that it is associative and symmetric, and the resulting type G is a "minimal" type from the viewpoint S 1 S 2 such that it is equivalent to G 1 from the viewpoint S 1 and to G 2 from the viewpoint S 2 . Moreover, if G 1 , G 2 are not compatible (e.g., due to a deadlock or a miscommunication) the type G 1 S 1 ∨ S 2 G 2 will contain some occurrence of ω, and thus G 1 To guarantee that only valid types are used for the merged session, rule ( ) requires to find hence, the parallel composition of incompatible processes cannot be typed.

Remark 5.1
It may be interesting to compare our rule for parallel composition with the cut rule for linear logic [15], that for binary session types [32], and that for multiparty session types [11]: Each of these rules corresponds to the applications of two rules of our system: the rule ( ) which merges partial sessions, and the rule (ν) which closes the session. This correspondence, albeit in a logical setting and for binary choreographies only, has been previously observed in [10], where the (Cut) rule is split into two rules (called (Conn) and (Scope)). For instance, if we assume that A 1 , A 2 , and G are suitable session types, we have the following derivation of the rule for binary session types (Bin Par) (we omit the environment E for the sake of simplicity): In the case of a multiparty session involving n participants, we can apply ( ) n −1 times, and then the (ν) rule to close the session. Notice that the compatibility check in the premises of (Multi Par) corresponds to a sequence of n − 1 binary merges followed by the finalization check. This allows to spot incompatible processes (e.g., due to a deadlock) as soon as possible: A 1 S 1 ∨ S 2 A 2 would yield a type containing some ω, and hence for no

Merging partial session types
The central part of the type system is the merging algorithm that infers the result of interaction of two partial session types.
In this section, we will define the merge function G 1 S 1 ∨ S 2 G 2 , where G 1 and G 2 describe the behavior of a session from the viewpoint of the local participants in the sets S 1 and S 2 , respectively. G 1 S 1 ∨ S 2 G 2 then describes the behavior of the session from the unified viewpoint S 1 ∪ S 2 . In particular, if G 1 and G 2 are incompatible then G 1 S 1 ∨ S 2 G 2 contains some occurrence of ω. 4 To merge two types, we can consider them in DNF; in this way we can recursively reduce the problem to merging chains of communications, by means of a function mcomm S 1 ,S 2 (C 1 , C 2 ). Informally, we merge two sequences of communications by considering all possible reorderings which are compatible with each other. This give us a set of all possible merged behaviors, which we glue together using external choices (&). Finally, for merging general types in DNF, we proceed by recursion until we have to merge sequences of communications. Thus, two types are compatible if they can agree on at least a pair of merged sequences of communications, whatever their internal choices; if no such sequences exist, we get ω as a result. Extra complexity is given by the fact that when we have to merge two communications of the form p →q : G 1 , p →q : G 2 , we have to merge also G 1 and G 2 ; therefore, the function mcomm S 1 ,S 2 (C 1 , C 2 ) and the function G 1 S 1 ∨ S 2 G 2 for merging session types are mutually recursive.
Before diving into the definition of mcomm S 1 ,S 2 and S 1 ∨ S 2 , let us mention that we will also need the following helper functions and predicates (which we will illustrate in Example 6.1 later on): • the continuation partial function cont S (G, C), which takes a chain of communications G and a communication C as input, and returns a type that corresponds (up to S ) to what remains in G after having executed C; • the mergeability predicate C 1 S 1 ♥ S 2 C 2 tells us whether two communications C 1 and C 2 are mergeable, from their respective viewpoints S 1 , S 2 ; takes a (partial) function f : C × C C, called merging function and describing how two communications can be merged, and two chains of communications G 1 and G 2 ; it returns the set of all possible tuples (C 1 , a (partial) function f : C × C C and two session types in DNF as arguments, and maps f on the pair (G 1 , G 2 ); the result is a session type obtained by merging G 1 and G 2 according to f (i.e., where possible).
With these functions and predicates, we will be able to define mcomm S 1 ,S 2 (C 1 , C 2 ) and G 1 S 1 ∨ S 2 G 2 . These functions are non-deterministic, but G 1 S 1 ∨ S 2 G 2 is deterministic up to (see Theorem 7.2).
In order to prove termination of these functions, we need to introduce the length l of session types, and the height h of communications and session types as the maximal number of nested subsessions. Formally, we have: h(C) := 0 otherwise. Note that dom(cont S (G, )) is finite, and can be computed using the "out-of-order execution" axiom (OOOE, Definition 4.2) repeatedly. This domain set represents the immediate communications that G allows for. Definition 6.2 (sync) Let G 1 , G 2 be chains of communications in DNF. We then define sync S 1 ,S 2 ( f )(G 1 , G 2 ) as the following set:

Mapping merging functions over session types
Intuitively, sync S 1 ,S 2 ( f )(G 1 , G 2 ) returns a set containing all possible pairs of immediate communications C 1 , C 2 in G 1 , G 2 , respectively, that can be merged (according to f ), as well as their continuations. Recall that 1 represents any communication which is not observable from the given viewpoint.

Definition 6.3 (Function map)
Let S 1 , S 2 be two sets of participants, G 1 , G 2 ∈ C two types in DNF and f : C × C C a partial map such that for any C 1 , C 2 : is termina+l if and only if it is defined and is defined then either both or none of C 1 and C 2 are terminal. G 2 ) is defined recursively over G 1 , G 2 as follows: -First cases: G1, G3) -If G 1 , G 2 are both chains of communications and at least one of them is not a terminal communication, we pose B := sync S 1 ,S 2 ( f )(G 1 , G 2 ) and we have: -If G 1 and G 2 are both terminal communications, then: The two conditions on f guarantee that map S 1 , is well-defined in the last two cases, when f is applied to G 1 , G 2 or to the chains C 1 , C 2 .

Proposition 6.2 Termination of map is ensured by induction
Note that, when we computing

Merging communications and session types
We now define the partial function mcomm S 1 ,S 2 (C 1 , C 2 ) which merges compatible communications C 1 (from the viewpoint S 1 ) and C 2 (from the viewpoint S 2 ) and returns, if possible, the new communication from the merged viewpoints S 1 ∪ S 2 . We also define by mutual recursion the merging function for session types, which is just a shorthand for map applied to mcomm: We suppose that G 1 and G 2 are in DNFs, but it can be applied to any session types by rewriting them in DNF thanks to Theorem 7.2. The definition of mcomm S 1 ,S 2 (C 1 , C 2 ) requires to check whether C 1 (from the viewpoint S 1 ) and a communication C 2 (from the viewpoint S 2 ) are actually mergeable. Formally, this notion is defined by the following relation. Definition 6.4 (Mergeability) We define C 1 S 1 ♥ S 2 C 2 as follows: The first rule deserves some explanations. In the first hypothesis, G 1 and G 2 describe sessions whose participants can be only in { p}∪q 1 ∪q 2 ; if all these participants are in S 1 ∪S 2 , then after the merge all the participants are present and therefore the communication must be safe, because no other participant may join later. This means that, in this case, we have to check that the merge of G 1 and G 2 is finalized. The second hypothesis (and dually the third one) corresponds to the fact that in the (send) rule of Fig. 4, the sender specifies all receiving participants, while in (recv) a receiver may not know about other receivers; therefore, if p →q 1 : G 1 describes the communication from the point of view of the sender (i.e., p ∈ S 1 ), thenq 2 is a set of receivers only, and must be contained inq 1 . The fourth (and dually the fifth) hypothesis means that if a participant which is known to a process (i.e., in S 1 ) appears as receiver for other process (i.e., inq 2 ), then it must appear as a receiver also by the first process. Notice that S 1 ♥ S 2 uses G 1 S 1 ∨ S 2 G 2 , so in the end S 1 ♥ S 2 is defined by mutual recursion together with mcomm. Otherwise, mcomm S 1 ,S 2 (C 1 , C 2 ) is undefined.

This proposition can be proved by simultaneous induction on h(C 1 ) + h(C 2 ).
Example 6.1 Continuing Example 4.1, let us recall the types of participants p, r : G p := p → q : &t; p → r : end ; close G p := p → q : &f; close G r := q → r : &ok; p → r : close ; close G r := q → r : &quit; close We have that: As an example of synchronization set, we have: and finally Also, we pose G := b 1 → s : string; s → b 1 , b 2 : int; b 1 → b 2 : int; (G 1 ⊕ G 2 ). We have the following mergings: considers two different cases: the case where s decides to send the quote separately, and the case where s sends the quote to both of them at once. Things get easier when we know the viewpoint of s. In the end, we have the following judgment: We can check that each process behaves well, according to the expected types: ∅; P p x : r → p : int; p → q : int; close p ∅; P q x : p → q : int; q → r : int; close q ∅; P r x : q → r : int; r → p : int; close r Also, every pair of process behaves well, as we can type them in our typing system: ∅; P p x P q x : r → p : int; p → q : int; q → r : int; close p, q ∅; P p x P r x : q → r : int; r → p : int; p → q : int; close p, r ∅; P q x P r x : p → q : int; q → r : int; r → p : int; close q, r However, the three processes together can deadlock, as it is witnessed by the merging operation; in fact ((r → p : int; p → q : int; close) p ∨ q ( p → q : int; q → r : int; close)) p,q ∨ r (q → r : int; r → p : int; close) = ω and hence P p x P q x P r cannot be typed.

y).x pq (z).wait(y).wait(z).close(x)
We pose the following four types: We can prove that the following typing judgments hold: ∅; P p x : G 1 p ∅; P q x : p → q : close ; p → q : close ; close q ∅; P r x : p → r : close ; close r ∅; P p x P q x : G 1 p, q ∅; P p x P r x : G 1 p, r ∅; P q x P r x : G 1 & G 2 & G 3 q, r ∅; P p x P q x P r x : G 1 p, q, r As we can see, P p is the process that imposes some particular synchronized scheduling for everyone. With the viewpoint of participants q and r , but without p, we cannot know if session x should follow G 1 , G 2 , or G 3 , hence the type G 1 & G 2 & G 3 for P q x P r . If we merge these session types with G 1 , we get three possible behaviors, two of which are not feasible: , which is the type we get for x when typing P p x (P q x P r ). We would get the same type (modulo equivalence) by combining these three processes in any different order.

A semantic interpretation of partial session types and the merge operator
In this section, we provide a semantic interpretation of session types and their operations, in particular the merge function defined above. Essentially, the type of a session tells us what happens in the session from a particular viewpoint, and merging session types requires us to merge interpretations from different viewpoints. To this end, we need to define suitable categories and constructions taking viewpoints into account. Let us summarize this section briefly. First, in Sect. 7.1 we introduce the category of communication structures, whose objects are sets of events (i.e., the basic communication steps) endowed with an independence relation; if two events are independent from a given viewpoint, the observer cannot tell the actual order of their execution. Maps between communication structures allow to move from one viewpoint to another.
Given a communication structure, we define schedulable sets as sets of traces taken up-to the equivalence induced by the independence relation (Sect. 7.2). Equivalent traces denote executions with different interleavings which cannot be distinguished from a given viewpoint. Intuitively, a chain of communications G = C 1 ; . . . ; C n is interpreted as an equivalence class of traces [G] S , where the equivalence relation S depends on the viewpoint S. Similarly, a conjunction of communication chains is interpreted as a schedulable set, i.e., a union of these equivalence classes. Thus, a schedulable set can be seen as a deterministic strategy represented by traces (up-to equivalence) generated by interacting with any possible scheduler. Finally, we introduce trace sets, which are collections of schedulable sets; trace sets are used to interpret the non-deterministic behavior given by internal choices in the types. Therefore, we anticipate all possible internal choices by choosing a schedulable set at the beginning, and then following deterministically the traces therein, depending on specific choices of the scheduler. This intuitive interpretation of types is formalized in Sect. 7.3. Leveraging these constructions, in Sect. 7.4 we give the interpretation of the merge operator as the structure of a lax monoidal functor from the category of viewpoints to that of communication structures; this provides important properties of the operator itself, such as associativity and stability under S .

Communication structures
We start with the fundamental elements of session types, i.e., communications. A = (E A , I A , 1 A ) where E A is a set, 1 A ∈ E A , I A ⊆ E A × E A is a symmetric relation called the independence relation such that ∀x, x I A 1 A . Intuitively, 1 A denotes a no-operation, or rather, a nocommunication.

Definition 7.2 (Category Comm)
We define Comm as a category where: -an object is a communication structure -a morphism f : (E A , I A , 1 A ) → (E B , I B , 1 B ) is a partial function from E A to E B such that f (1 A ) = 1 B , and, for any x, y ∈ E A such that both f (x) and f (y) are defined, we have that f (x) I B f (y) iff x I A y; -composition and identities are standard.
Intuitively, an object in the category can define all possible communications from some viewpoint, and morphisms allow us to change the viewpoint. and The unit of this product is J : Notice that this product is not cartesian, because projections are not morphisms.
The viewpoint of a session is the set of local participants of this session.

Definition 7.4 (Category View)
The thin category View is the partial order (℘ (P), ⊆) viewed as a strict symmetrical monoidal category, i.e., -objects are subsets of the set of participants P -there exists a unique morphism f : A functor from View to Comm would allow us to consider communication structures from different viewpoints, and to merge a pair of compatible communications from different viewpoints into a communication from a unified viewpoint. The functor must preserve the monoidal structure, and moreover, the merge morphism given by this functor is a partial function because incompatible communications are impossible to merge. The right notion for this is that of lax symmetric monoidal functor, which we recall next.

Traces
Let A = (E A , I A , 1 A ) be a communication structure. We note by E * A the set of finite sequences over E A , and Set * for the category of sets and partial functions. A trace (over A) is an element a 1 . . . a n ∈ E * A . We only consider traces where no error occurs, thus if a morphism f is undefined at some point in the trace s, there is an error, and as a consequencef (s) is undefined.

Definition 7.7 (Equivalence relation) For any communication structure A, we define A the smallest equivalence relation on E *
A such that sabt A sbat if a I A b, and s1t A st.

Definition 7.8 (Schedulable and trace sets) A schedulable set (over A) is a set C ⊆ E *
A closed under A , that is, for all s, t ∈ E * A , if s ∈ C and s A t then t ∈ C. A trace set (over A) is a set B of schedulable sets.
Intuitively, a trace set B over A denotes a process which selects a schedulable set C ∈ B and proposes it to a scheduler. The scheduler then chooses a trace s ∈ C and s is executed. C is closed under A , because the interleaving of the events is chosen by the scheduler.
This defines a functor T : Comm → Set, which we call the trace set functor. Definition 7.10 (Product of trace sets) If B 1 ∈ T(A 1 ) and as the following set of sets: 1 , b 1 ) . . . (a n , b n ) a 1 . . . a n ∈ C 1 , b 1 Informally, B 1 ⊗ B 2 corresponds to the synchronized threading of two processes, where a communication (a i , b i ) should be a pair containing the same communication from two different viewpoints. If it is not the case, then the trace containing (a i , b i ) is an incorrect synchronization, therefore a merger morphism should not be defined over it. Example 7.1 Let us see an example of the tensor product ⊗. Let A 1 = ({a, b}, I A 1 , 1), A 2 = ({a, c}, I A 2 , 1) with I A 1 and I A 2 being the smallest independence relations possible; e.g., {(a, 1), (b, 1), (1, a), (1, b), (1, 1)}. Then , 1)(b, 1)(1, a)(1, c)]} {[(a, 1)(b, a)(1, c) , 1)(1, a) a)(a, c) The elements of these equivalence classes are all possible linearizations of six "happens-before" orders, which can be represented graphically as follows: , 1) (1, a)   (b, 1) (1, c) (a, 1) {a, b, c}, I A 3 , 1), with I A 3 being the smallest independence relation such that b I A 3 c. Let us choose a merge function f : as f (a, a) = a,  f (1, c) = c and f (b, 1) = b; undefined otherwise. Then, we have that since only in the fourth equivalence class the function f is defined for all communications.
We conclude this section with some useful results about trace sets. A 1 → A 2 , and B, B ∈ T(A 1 ) then we have the following:

Lemma 7.2 If f :
Proof By double inclusion.
and a 1 ∈ A 1 such that for any a 2 ∈ A 2 , f (a 1 , a 2 ) is defined iff a 2 = 1. Then, for any B 1 ∈ T(A 1 ), Proof Using Lemmas 7.1 and 7.2, we proceed by Noetherian induction on the sum of the size of B 1 and B 2 . The base case is when B 1 = {C 1 } and B 2 = {C 2 }, then we proceed by Noetherian induction on the sum of the size of C 1 and C 2 . The base case is when C 1 = [w 1 ] A 1 and C 2 = [w 2 ] A 2 , then we proceed by Noetherian induction on the sum of the length of w 1 and w 2 . and a 2 ∈ A 2 such that f (a 1 , a 2 ) is defined and: f (a 1 , a) is undefined Then, for any B 1 ∈ T(A 1 ), B 2 ∈ T(A 2 ), we have that: Proof The proof is done the same way as in Lemma 7.3.

Interpreting session types as trace sets
Before defining the interpretation of session types, we need to consider types where every communication involves at least one participant of a given viewpoint, because those are the communications we can observe from the behavior of internal participants of a session. Also, the special case of a process with no participant will be seen as neutral for composition, so it can only close.

Definition 7.12 (Engaged communication and session type)
If S = ∅, we require also that C is either close or 1.
A session type is engaged on S when every communication it contains is engaged on S.
We denote by C S and G S the sets of communications and types engaged on S, respectively.
For a viewpoint S, we can consider the structure of all communications which are visible (i.e., engaged) from that viewpoint. Definition 7.14 (Interpretation of session types) Let S be a viewpoint. We define an interpretation function S : G S → T(L(S)) for session types engaged on S, as follows: Proof Thanks to Lemma 7.5, we can suppose that G 1 and G 2 are in DNF.
-If both G 1 and G 2 are chains of communications, then, using Lemma 7.6, we have that is of the form˘A 1 (respectively,˘A 2 ), where A 1 and A 2 are finite sets of chains of communications, then, using Lemma 7.7, we have that We can conclude by noting that equivalence classes are distinct and using point 1. We now can state that our semantics is sound and complete with respect to the relation S .
Proof By Lemmas 7.5 and 7.9.

Interpretation of the merge operator
We conclude this section with some useful properties about merge functions and in particular the merge operator S 1 ∨ S 2 . G 2 ) is defined, then we have: Proof By syntactic induction on (G 1 , G 2 ), using Lemmas 7.1 and 7.2.

Theorem 7.2 All the possible values of G
Proof By Lemmas 7.10 and 7.11, we have that map S 1 ,S 2 (mcomm S 1 ,S 2 ) corresponds to a morphism in Set(T(L(S 1 )⊗ L(S 2 )), T(L(S 1 ∪ S 2 ))), hence we can conclude using Theorem 7.1.
Thanks to the previous theorem, we can consider that G 1 S 1 ∨ S 2 G 2 is defined for any G 1 and G 2 by choosing any DNF of G 1 and G 2 . Theorem 7. 3 We have that: We conclude with two technical lemmas that will be useful in the following.

Subject reduction and progress
In this section, we state two main properties of session types, subject reduction and progress, which guarantee that "welltyped systems cannot go wrong." To this end, we first define a reduction semantics for partial session types. We write G 1 γ − → S G 2 for a transition from G 1 to G 2 from the viewpoint of S under the action γ . This relation is defined as follows: Note that transitions are not deterministic, in particular G S G ⊕ G, therefore we always have G ⊕ − → S G, which is useful in case we are reducing an internal choice which is irrelevant for G. Definition 8.2 (Reduction for environments) The reduction relation for process typing environments is Γ 1 α − → Γ 2 , labelled by actions for processes α (see Definition 3.3), and it is defined as follows: Then, the type system enjoys the following important properties.  Thanks to this result, from now on, we can consider processes equal modulo ≡. Lemma 8.2 If x ∈ fn(P) and E; P Γ then for some G, S: Proof By induction on E; P Γ .
We can now prove the important result of subject reduction.
We can show that p and all the q i belong to S, and, using Lemma 7.13, we can show that G is the merging of G and all the G i , while G is the merging of G and all of the G i . Moreover, G ↓ S. Therefore, we have that G S . (case) similarly; (comm) similarly; (wait) easy, using Lemma 8.1; (choice 1 ), easy, using Lemma 8.1; (choice 2 ) Contextual closure by ((νx) ): by induction hypothesis, and on case analysis whether the action has the form x : γ ; Contextual closure by ( x R): by induction hypothesis and on case analysis whether the action has the form x : γ . In this case, the action is on the session shared with R, and hence using Lemma 7.12 we have to move the action on top of the merged type. Otherwise, the process R is not involved in the communication and we can conclude by induction hypothesis.

Remark 8.1
In earlier work about MPST (see, e.g., [29]), subject reduction usually requires some consistency condition over the typing environment Γ . In our development, this condition is not explicitly needed because the typing rules for processes ensure that environments are consistent, i.e., the derivability of E; P 1 Γ 1 implies that no session in Γ 1 has the type ω.
Progress In usual session types, the progress property means that well-typed systems can always proceed, and in particular they are deadlock-free. In our case, well-typed systems can still contain processes which cannot proceed, not due to a deadlock or miscommunication, but due to some missing participant.

Example 8.1
Let us consider P = x pq &l.close(x). This process is typable (∅; P x : p → q : &l; close p ), yet it is stuck. It can be completed into a redex P x Q, with Q = x qp {l : Q }. In fact, P can be seen as the restriction of P x Q on session x with participants in { p}. Hence, P is preempted by x and so it can be considered a correct process, waiting for the missing participant.
Therefore, in order to define the progress property for our system, we need to define the restriction of a process to a given set of local participants.

Definition 8.3 (Restriction)
We define the restriction of a term P on session x with participants in S (noted P S x) as follows:

Definition 8.4 (Preemption)
We say that a session x with type G ∈ G and local participants S preempts P (noted x : G S g P) when one of these condition occurs: , and x : G S g P .
Intuitively, x : G S c P means that every local participant in S is ready to trigger its respective communication described in G. As a consequence, there is no deadlock for x: if all the concerned participants are present there is a redex, otherwise we are blocked due to the absence of some sender or receiver. Lemma 8.4 1. If x : G S 1 g P and S 2 ∩ fn(G) = ∅, then x : G S 1 ∪S 2 g P 2. If x : G S 1 c P and S 2 ∩ fn(G) = ∅, then x : Proof 1. By induction on x : G S 1 g P. 2. Trivial, using point 1.
if G 1 S G 2 and x : G 1 S c P, then x : G 2 S c P Proof 1. By induction on G 1 S G 2 . Some cases cannot happen, because G 1 , G 2 ∈ G, and therefore G 1 S ω 2. Trivial, using point 1. The following lemma states that if a session is finalized and preempted, then the process (with the session restricted) contains a redex. Lemma 8.7 1. If G ↓ S and x : G S g P, then (νx)P has a redex.
2. If G ↓ S and x : G S c P, then (νx)P has a redex.
Proof 1. By induction on x : G S g P, using the hypothesis G ↓ S to show we have a full redex. 2. We have that P ≡ C[P ] where x : G S g P and x / ∈ fn(C[ ]). We can show that (νx)P ≡ C[(νx)P ], and we can conclude using point 1.
We now can prove progress.
If x : G 1 S 1 c P and x : G 2 S 2 c Q, then, using Lemma 8.6, we have that x : G 3 S 1 S 2 c P x Q. Otherwise, we conclude by induction.
-Rule (ν): let's consider If x : G S g P, then, using Lemma 8.7, we have that that (νx)P has a redex. Otherwise, we conclude by induction.

Example 8.2
Continuing Example 6.3, we can see that there is no redex in P p P q , but there is a preemption: x : r → p : int; p → q : int; q → r : int; close p, q c P p P q That is, the first action that P p P q is ready to do on session x is x : r → p : int, but this is not possible because participant r for session x is not present. We can see that P r is also preempted, but in an incompatible way : x : q → r : int; r → p : int; close r c P r That is, the first action that P r is ready to do is x : q → r : int, and this means that P p P q P r cannot progress, and in fact it is not typable.

Example 8.3
Continuing Example 6.4, we have that P q x P r is preempted: We recall the definition of G 1 , G 2 , and G 3 : G 1 := p → qr : close ; p → q : close ; close G 2 := p → q : close ; p → qr : close ; close G 3 := p → q : close ; p → q : close ; p → r : close ; close The first communication given by G 1 is p → qr : close , the first communication given by G 2 is p → q : close , and the first communication given by G 3 is either p → q : close or p → r : close , because both of these communications are independent relatively to {q, r }. As a consequence, the preemption of P q x P r means that it is ready to the action x : p → qr : close , and it is also ready to do the action x : p → q : close , and also the action x : p → r : close . The action that will really be done is chosen externally. Of course, it does not mean that these three actions will be executed; in this example, participant r only expects one message from p, so if the action x : p → qr : close is executed, then x : p → r : close cannot be executed afterwards.

Conclusions
In this paper, we have introduced partial sessions and partial (multiparty) session types, extending global session types with the possibility to type also open systems, i.e., sessions with missing participants. Sessions with the same name but observed by different participants can be merged if their types are compatible; in this case, the type for the unified session can be derived compositionally from the types of components. To this end, we have provided a merging algorithm, which allows us to detect incompatible types, due to miscommunications or deadlocks, as early as possible; this differs from usual session type systems which delay all the checks to when the system is completed (i.e., at the restriction rule). Therefore, in this theory the distinction between local and global types vanishes: local types correspond to partial session types for sessions with a single participant, and global types correspond to finalized partial session types, i.e., in which no participant is missing. We have also generalized the notion of progress to accommodate the case when a par-tial session cannot progress not due to a deadlock, but to some missing participant. Future work. An interesting application of partial session types would be in the verification of composition of components, like, e.g., containers à la Docker; to this end, we can think of defining a typing discipline similar to the one presented in this paper, but tailored for a formal models of containers, like that in [8].
We conjecture that, for the type system presented in this paper, both type checking and type inference are decidable. The idea is that, in order to be typable, the structure of a process has to match the structure of the type(s), up-to type equivalence; hence, the typing derivation is bounded by the complexity of process terms. At worst, this bound is exponential, as in the application of type equivalence rule we have to explore a possibly exponential space of equivalent types; however, this limit could be improved by some algorithmic machinery concerning the normal form of types, which we leave to future work.
The current merging algorithm returns types that may contain many equivalent subterms; a future work could be to define shorter and more efficient representations. Another interesting aspect of this algorithm is that it is defined by two functions (map and mcomm), which can be updated separately in future variations; in particular, adding recursion only requires to update the function map, while adding new kinds of communication, or changing how communications are merged, only requires to update the function mcomm.
In this paper, we have considered a calculus with synchronous multicast, along the lines of [11,32] and others. However, it would be interesting to extend the definitions and results of this paper to an asynchronous version of the calculus, or a calculus where sessions can merge at runtime, akin the names in the Fusion calculus [25]. This is not immediate, as it requires non-trivial changes in the typing systems and especially in the (already quite complex) merging operation.
Following the Liskov substitution principle, we could define a subtyping relation by seeing & and ⊕ as the meet and join operator of a lattice, respectively. However, a semantical understanding of this subtyping relation is not clear yet.
One intriguing possible extension would be to add some form of encapsulation. For instance, if we have the type p → q : m 1 ; q → r : m 2 ; p → r : m 3 ; close from the viewpoint of {q, r }, then we could be tempted to "erase" the communication q → r : m 2 , since this communication is purely internal, but this erasure would not be compatible with equivalence: p → q : m 1 ; q → r : m 2 ; p → r : m 3 ; close {q,r } p → q : m 3 ; q → r : m 2 ; p → r : m 1 ; close but p → q : m 1 ; p → r : m 3 ; close {q,r } p → q : m 3 ; p → r : m 1 ; close. How to add a form of encapsulation to our type system is an open question.
Finally, to guarantee the correctness of most complex proofs and definitions of this paper, it would be useful to formalize them in a proof assistant, like Coq.
Acknowledgements This work has been supported by the Italian MIUR project PRIN 2017FTXR7S IT MATTERS (Methods and Tools for Trustworthy Smart Systems). The authors are grateful to Mariangiola Dezani-Ciancaglini, Marco Peressotti and the anonymous reviewers for their useful remarks on the preliminar version of this paper.
Funding Open access funding provided by Università degli Studi di Udine within the CRUI-CARE Agreement.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecomm ons.org/licenses/by/4.0/.