Polymorphic Endpoint Types for Copyless Message Passing

Viviana Bono, Luca Padovani
Dipartimento di Informatica, Università di Torino, Italy

Bliudze, S., Bruni, R., Carbone, M., Silva, A. (Eds.): ICE 2011. EPTCS 59, 2011, pp. 52–67, doi:10.4204/EPTCS.59.5. © V. Bono, L. Padovani. This work is licensed under the Creative Commons Attribution License.

We present PolySing♯, a calculus that models process interaction based on copyless message passing, in the style of Singularity OS. We equip the calculus with a type system that accommodates polymorphic endpoint types, which are a variant of polymorphic session types, and we show that well-typed processes are free from faults, leaks, and communication errors. The type system is essentially linear, although linearity alone may leave room for scenarios where well-typed processes leak memory. We identify a condition on endpoint types that prevents these leaks from occurring.

1 Introduction

Singularity OS is the prototype of a dependable operating system where processes share the same address space and interact with each other solely by message passing over asynchronous channels. The overhead of communication-based interactions is tamed by copyless message passing: only pointers to messages are physically transferred from one process to another. Static analysis of Singularity processes guarantees process isolation, namely that every process can only access memory it owns exclusively. In [2] we presented CoreSing♯, a formalization of the core features of Sing♯ – the language used for the implementation of Singularity OS – along with a type system ensuring that well-typed processes are free from communication errors, memory faults, and memory leaks. At first sight it might seem that these properties can be trivially enforced through a linear type system based on session types [10, 11].
However, in [2] we remarked how linearity alone can be too restrictive in some contexts and too permissive in others. To illustrate why linearity can be too restrictive, consider the code fragment

    expose (a) { send (b, arg, *a); *a := new T(); }

which dereferences the pointer a and sends *a on the endpoint b. Linearity is violated right after the send (b, arg, *a) command, since *a is owned both by the sender (indirectly, through a) as well as by the receiver. The construct expose is used by the Sing♯ compiler to keep track of memory ownership. In particular, Sing♯ allows pointer dereferentiation only within expose blocks. The semantics of an expose (a) block is to temporarily transfer the ownership of *a from a to the process exposing the pointer. If the process still owns *a at the end of the expose block, the construct is well typed. In [2] we showed that all we need to capture the static semantics of expose (a) blocks is to distinguish cells with type $\ast t$ (whose content, of type $t$, is owned by the cell) from cells with type $\ast\bullet$ (whose content is owned directly by the process). At the beginning of the expose block, a is accessed and its type turns from $\ast t$ to $\ast\bullet$; within the block it is possible to (linearly) use *a; at the end of the block, *a is assigned with the pointer to a newly allocated object that the process owns, thus turning a's type from $\ast\bullet$ back to some $\ast s$.

An example where linearity can be too permissive is given by the code fragment

    (e, f) := open (); send (e, arg, f); close (e);        (1)

which creates the two endpoints e and f of a channel, sends f as the argument of an arg-tagged message on e, and closes e. This code uses e and f linearly and is well typed by associating e and f with suitable endpoint types $T$ and $S$, where $T = !arg(S).\mathrm{end}$ and $S = \mu\alpha.?arg(\alpha).\mathrm{end}$.
Observe that the code fragment (1) uses e in accordance with type $T$ and that $T$ and $S$ are dual endpoint types (they describe complementary actions). Yet, the code generates a memory leak: after the close instruction, no reference to f is available, therefore the arg-tagged message will never be received and f will never be deallocated. In [2] we have shown that the leak produced by this code originates from the recursive type $S$ and can be avoided by imposing a simple restriction on endpoint types. The idea is to define a notion of weight for endpoint types which roughly gives the "depth" of the message queues in the endpoints having those types and to restrict endpoint types to those having finite weight. Then, one can show that the code (1) is well typed only if endpoint types with infinite weight are allowed.

In this work we present PolySing♯, a variant of CoreSing♯ where we add bounded polymorphism to endpoint types, along the lines of [8], while preserving all the properties mentioned earlier. For instance, the polymorphic endpoint type $!m\langle\alpha\rangle(\alpha).?m(\alpha).\mathrm{end}$ denotes an endpoint on which it is possible to send an $m$-tagged message with an argument of any type, and then receive another $m$-tagged message whose argument has the same type as that of the first message. It is possible to specify bounds for type variables, like in $!m\langle\alpha \le t\rangle(\alpha).?m(\alpha).\mathrm{end}$, to denote that the type variable $\alpha$ ranges over any subtype of $t$, and to recover unconstrained polymorphism by devising a type $\mathrm{Top}$ that is supertype of any other type. Now, it may come as a surprise that, when polymorphic endpoint types are allowed, the code fragment (1) can be declared well typed without resorting to recursive types by taking $T = !arg\langle\alpha\rangle(\alpha).\mathrm{end}$ and $S = ?arg\langle\alpha\rangle(\alpha).\mathrm{end}$.
Since the type $T$ of e is polymorphic, e accepts a message with an argument of any type and, in particular, a message with argument f. Fortunately, a smooth extension of the finite-weight restriction we have introduced in the monomorphic case rules out this problematic example. The idea is to estimate the weight of type variables by looking at their bound. In $T$ and $S$ above, the type variable $\alpha$ has no bound (or, to be precise, is bounded by the top type $\mathrm{Top}$) and therefore is given infinite weight. When $\alpha$ occurs in a constraint $\alpha \le t$, we estimate the weight of $\alpha$ to be the same as the weight of $t$. The estimation relies on a fundamental relationship between weights and subtyping, whereby the weight of $s$ is always smaller than or equal to the weight of $t$ if $s \le t$. We show that forbidding the output of messages whose argument has a type with infinite weight allows us to prove the absence of leaks, together with the other desired properties.

Our work is the first to formalize polymorphic endpoint types, which are effectively described as a feature of Singularity contracts [13] even though, to the best of our knowledge, they never made it to the prototype implementation of Singularity. Also, the availability of polymorphic endpoint types allows us to encode linear mutable cells. This renders the $\ast t$ and $\ast\bullet$ types superfluous and makes our model even more essential with respect to the one presented in [2].
The rest of the paper is organized thus: Section 2 presents an example to introduce all the fundamental concepts (endpoint types, subtyping, bounded polymorphism) of this work; in Section 3 we define the syntax and operational semantics of PolySing♯ and we formalize the notion of well-behaved process as a process where faults, leaks, and communication errors do not occur; Section 4 defines the type system for PolySing♯ and presents a soundness result (well-typed processes are well behaved). We discuss related work in Section 5 and we draw some conclusions in Section 6. Proofs and additional technical material can be found in the long version, which is available at the authors' home pages.

2 An example

It has already been observed in the recent literature that session types can conveniently describe the interface of distributed objects. For instance, the session type

$$\mathrm{SellerT} = \mu\alpha.(\,!offer(nat).?response(nat).\alpha \;\oplus\; !buy(string).\mathrm{end} \;\oplus\; !leave().\mathrm{end}\,)$$

may be used to describe (part of) the behavior of a Seller object as it can be used by Buyer. Buyer may make an offer regarding an item he or she is interested in buying by sending an offer message and receiving a counteroffer from Seller. After this exchange of messages, the protocol repeats itself. Alternatively, Buyer may buy the item by sending a message that contains the delivery address, or it may leave the virtual shop. Buyer and Seller are connected by a pair $(c, d)$ of related endpoints: $c : \mathrm{SellerT}$ is given to Buyer which can use it according to the protocol $\mathrm{SellerT}$; $d : \overline{\mathrm{SellerT}}$ is used by Seller and its type $\overline{\mathrm{SellerT}}$ is the dual of $\mathrm{SellerT}$, where inputs have been replaced by outputs and vice versa. This guarantees that Buyer and Seller interact without errors.
Suppose now that we want to implement a Broker to which Buyer can delegate the bargaining protocol with Seller. We may describe Broker in some pseudo-language, as follows:

     1  BROKER(b : BrokerT) {
     2    p0 := receive(b, price);
     3    x := receive(b, seller);
     4    p := p0;
     5    while (better_deal(p0, p)) {
     6      send(x, offer, compute_new_offer(p0, p));
     7      p := receive(x, response);
     8    }
     9    send(b, price, p);
    10    send(b, seller, x);
    11  }

Buyer and Broker interact by means of another pair $(a, b)$ of related endpoints, $a : \mathrm{BrokerT}$ in use by Buyer (not shown here) and $b : \overline{\mathrm{BrokerT}}$ in use by Broker. Broker accepts an initial price p0 and the endpoint of Seller from Buyer (lines 2–3). Then, it engages the bargaining protocol with Seller (lines 4–8) until the best deal p is achieved. Finally, it returns p and the Seller's endpoint to Buyer (lines 9–10) so that Buyer can conclude the interaction with Seller appropriately. Buyer interacts with Broker on the endpoint $a$, whose type can be described by:

$$\mathrm{BrokerT} = !price(nat).!seller(\mathrm{SellerT}).?price(nat).?seller(\mathrm{SellerT}).\mathrm{end}$$

Observe that $\mathrm{BrokerT}$ might be considered too precise, since Broker uses only a strict subset of the functionalities supported by Seller and described in $\mathrm{SellerT}$. To maximize reusability, it could be more appropriate to replace the type $\mathrm{SellerT}$ in $\mathrm{BrokerT}$ with

$$\mathrm{BargainT} = \mu\alpha.!offer(nat).?response(nat).\alpha$$

which specifies the minimum set of functionalities of Seller that Broker actually uses. Buyer can still delegate an endpoint of type $\mathrm{SellerT}$ to Broker since $\mathrm{SellerT}$ is a subtype of $\mathrm{BargainT}$, which we express as the relation $\mathrm{SellerT} \le \mathrm{BargainT}$.
This is consistent with the notion of subtyping in object-oriented languages: if we think of the message tags in $\mathrm{SellerT}$ as of the methods provided by Seller, then $\mathrm{BargainT}$ is one possible interface that Seller implements and in fact is the least interface needed by Broker. The problem, in this case, is that when an endpoint is delegated, Buyer can no longer use it (endpoints are linear resources). It is true that Broker eventually returns Seller's endpoint to Buyer, but by that time its type has been widened to $\mathrm{BargainT}$ and Buyer can no longer access the functionalities in $\mathrm{SellerT}$ that have been hidden in $\mathrm{BargainT}$. This lost information can be recovered using bounded polymorphism and by giving a more precise type to $a$:

$$\mathrm{BrokerT} = !price(nat).!seller\langle\alpha \le \mathrm{BargainT}\rangle(\alpha).?price(nat).?seller(\alpha).\mathrm{end}$$

In this case, the protocol still allows Buyer to send any endpoint corresponding to Seller whose type conforms to (is a subtype of) $\mathrm{BargainT}$, but it also specifies that the endpoint eventually returned to Buyer has the same type as the one sent earlier. In general, once an endpoint has been delegated, the delegator loses access to the endpoint as well as to any information about its type. This loss of information, which alone justifies the interest for bounded polymorphism in sequential programming, is likely to occur much more frequently in our context where many resources are linear.

Table 1: Syntax of PolySing♯ processes and of heap objects.

$$\begin{array}{rcll}
P & ::= & & \textbf{Process}\\
  &     & 0 & \text{(idle)}\\
  & |   & X & \text{(variable)}\\
  & |   & \mathrm{close}(u) & \text{(close channel)}\\
  & |   & \mathrm{open}(a, a).P & \text{(open channel)}\\
  & |   & u!m(u).P & \text{(send)}\\
  & |   & \sum_{i\in I} u?m_i(x_i).P_i & \text{(receive)}\\
  & |   & P \oplus P & \text{(choice)}\\
  & |   & P \mid P & \text{(composition)}\\
  & |   & \mathrm{rec}\,X.P & \text{(recursion)}\\[1ex]
\mu & ::= & & \textbf{Heap}\\
  &     & \emptyset & \text{(empty)}\\
  & |   & a \mapsto [a, q] & \text{(endpoint)}\\
  & |   & \mu, \mu & \text{(composition)}\\[1ex]
q & ::= & & \textbf{Queue}\\
  &     & \varepsilon & \text{(empty)}\\
  & |   & m(a) & \text{(message)}\\
  & |   & q :: q & \text{(composition)}
\end{array}$$
3 Language syntax and semantics

We fix some notation: we use $P, Q, \ldots$ to range over processes and $a, b, \ldots$ to range over heap pointers (or simply pointers) taken from some infinite set $\mathrm{Pointers}$; we use $x, y, \ldots$ to range over variables taken from some infinite set $\mathrm{Variables}$ disjoint from $\mathrm{Pointers}$ and we let $u, v, \ldots$ range over names, which are elements of $\mathrm{Pointers} \cup \mathrm{Variables}$; finally, we let $X$ range over process variables.

The language of processes, defined by the grammar in Table 1, essentially is a monadic pi-calculus equipped with tag-based message dispatching and primitives for handling endpoints. The process $0$ is idle and performs no action. Terms $\mathrm{rec}\,X.P$ and $X$ are used for building recursive processes, as usual. The process $u!m(v).P$ sends a message $m(v)$ on the endpoint $u$ and continues as $P$. A message is made of a tag $m$ along with its parameter $v$. The term $\sum_{i\in I} u?m_i(x_i).P_i$ denotes a process that waits for a message from the endpoint $u$. The tag $m_i$ of the received message determines the continuation $P_i$ where the variable $x_i$ is instantiated with the parameter of the message. We assume that in every such term the $m_i$'s are pairwise distinct. Sometimes we will write $u?m_1(x_1).P_1 + \cdots + u?m_n(x_n).P_n$ in place of $\sum_{i=1}^{n} u?m_i(x_i).P_i$. The term $\mathrm{open}(a,b).P$ denotes a process creating a channel, represented as two peer endpoints $a$ and $b$. The process $\mathrm{close}(u)$ closes the endpoint located at $u$. The processes $P \oplus Q$ and $P \mid Q$ are standard and respectively denote the non-deterministic choice and the parallel composition of $P$ and $Q$. The sets of free and bound names of every process $P$, respectively denoted by $\mathrm{fn}(P)$ and $\mathrm{bn}(P)$, are standard: the construct $\mathrm{open}(a,b).P$ binds both $a$ and $b$ in $P$, while $\sum_{i\in I} u?m_i(x_i).P_i$ binds $x_i$ in $P_i$ for each $i \in I$.
The construct $\mathrm{rec}\,X$ is the only binder for process variables. We adopt the Barendregt convention for both variables and process variables.

Example 3.1 (linear mutable cell). The following process models a linear mutable cell located at $c$:

$$\mathrm{CELL}(c) = \mathrm{rec}\,X.(\,c?set(x).c!get(x).X + c?free().\mathrm{close}(c)\,)$$

The user of the cell interacts with it on the peer endpoint of $c$. Initially, the cell is empty and offers to its user the possibility of setting (with a set-tagged message) the content of the cell with a pointer $x$, or deallocating (with a free-tagged message) the cell. In the first case, the cell transits into a new state where the only possible operation is retrieving (with a get-tagged message) the content of the cell. At that point, the cell returns to its original state. The cell is linear in the sense that it allows setting its content only if the previous content has been retrieved. This cell implementation resembles that of a 1-place buffer, but we retain the name "cell" for continuity with our previous work [2].

Table 2: Reduction of systems.

$$\begin{array}{ll}
\text{(R-OPEN)} & (\mu;\ \mathrm{open}(a,b).P) \to (\mu,\ a \mapsto [b,\varepsilon],\ b \mapsto [a,\varepsilon];\ P)\\[0.5ex]
\text{(R-REC)} & (\mu;\ \mathrm{rec}\,X.P) \to (\mu;\ P\{\mathrm{rec}\,X.P/X\})\\[0.5ex]
\text{(R-CHOICE)} & (\mu;\ P \oplus Q) \to (\mu;\ P)\\[0.5ex]
\text{(R-SEND)} & (\mu,\ a \mapsto [b,q],\ b \mapsto [a,q'];\ a!m(c).P) \to (\mu,\ a \mapsto [b,q],\ b \mapsto [a,\ q' :: m(c)];\ P)\\[0.5ex]
\text{(R-RECEIVE)} & \dfrac{k \in I}{(\mu,\ a \mapsto [b,\ m_k(c) :: q];\ \sum_{i\in I} a?m_i(x_i).P_i) \to (\mu,\ a \mapsto [b,q];\ P_k\{c/x_k\})}\\[2ex]
\text{(R-PAR)} & \dfrac{(\mu;\ P) \to (\mu';\ P')}{(\mu;\ P \mid Q) \to (\mu';\ P' \mid Q)}
\end{array}$$

Heaps, ranged over by $\mu, \ldots$, are finite maps from pointers to heap objects represented as terms defined according to the syntax in Table 1: the heap $\emptyset$ is empty; the heap $a \mapsto [b, q]$ is made of an endpoint located at $a$ which is a structure referring to the peer endpoint $b$ and containing a queue $q$ of messages waiting to be read from $a$. Heap compositions $\mu, \mu'$ are defined only when the domains of the heaps being composed, which we denote by $\mathrm{dom}(\mu)$ and $\mathrm{dom}(\mu')$, are disjoint. We assume that heaps are equal up to commutativity and associativity of composition and that $\emptyset$ is neutral for composition. Queues, ranged over by $q, \ldots$, are finite ordered sequences of messages $m_1(c_1) :: \cdots :: m_n(c_n)$. We build queues from the empty queue $\varepsilon$ and concatenation of messages by means of $::$. We assume that queues are equal up to associativity of $::$ and that $\varepsilon$ is neutral for $::$.

We define the operational semantics of processes as the combination of a structural congruence relation and a reduction relation. Structural congruence, denoted by $\equiv$, is the least congruence relation that includes alpha conversion on bound names and the usual laws

$$P \mid 0 \equiv P \qquad P \mid Q \equiv Q \mid P \qquad P \mid (Q \mid R) \equiv (P \mid Q) \mid R$$

PolySing♯ processes communicate with each other by means of the heap. Therefore, the reduction relation defines the transitions of systems instead of processes, where a system is a pair $(\mu; P)$ of a heap $\mu$ and a process $P$. The reduction relation $\to$, inductively defined in Table 2, is described in the following paragraph. (R-OPEN) creates a new channel consisting of two fresh endpoints which refer to each other and have an empty queue. (R-CHOICE) (and its symmetric, omitted) states that a process $P \oplus Q$ may autonomously reduce to either $P$ or $Q$ leaving the heap unchanged. (R-SEND) describes the output of a message $m(c)$ on the endpoint $a$.
The message is enqueued at the right end of $a$'s peer endpoint queue. (R-RECEIVE) describes the input of a message from the endpoint $a$. The message at the left end of $a$'s queue is removed from the queue, its tag is used for selecting some branch $k \in I$, and its parameter instantiates the variable $x_k$. (R-PAR) (and its symmetric, omitted) expresses reductions under parallel composition. The heap is treated globally, even when only a sub-process reduces. (R-REC) is the usual unfolding of recursive processes. Observe that the Barendregt convention makes sure that in the unfolding $P\{\mathrm{rec}\,X.P/X\}$ of a recursive process no name occurring free in $P$ is accidentally captured, because $\mathrm{fn}(P) \cap \mathrm{bn}(P) = \emptyset$. Not shown in Table 2 is the usual rule (R-STRUCT) describing reductions modulo structural congruence, which plays an essential role in ensuring that $\mathrm{open}(a,b).P$ is never stuck, because $a$ and $b$ can always be alpha converted to some pointers not occurring in $\mathrm{dom}(\mu)$. There is no reduction for $\mathrm{close}(a)$ processes. In principle, $\mathrm{close}(a)$ should deallocate the endpoint located at $a$ by removing its association from the heap. However, since peer endpoints mutually refer to each other, removing one endpoint could leave a dangling reference from the corresponding peer. Also, it is convenient to treat $\mathrm{close}(a)$ processes as persistent because, in this way, we keep track of the pointers that have been properly deallocated. We will see that this information is crucial in the definition of well-behaved processes (Definition 3.2). A process willing to deallocate a pointer $a$ and to continue as $P$ afterwards can be modelled as $\mathrm{close}(a) \mid P$.
In the following we write $\Rightarrow$ for the reflexive, transitive closure of $\to$ and we write $(\mu; P) \not\to$ if there exist no $\mu'$ and $P'$ such that $(\mu; P) \to (\mu'; P')$. In this work we characterize well-behaved systems as those that are free from faults, leaks, and communication errors: a fault is an attempt to use a pointer not corresponding to an allocated object or to use a pointer in some way which is not allowed by the object it refers to; a leak is a region of the heap that some process allocates and that becomes unreachable because no reference to it is directly or indirectly available to the processes in the system; a communication error occurs if some process receives a message of unexpected type. We conclude this section formalizing these properties. To do so, we need to define the reachability of a heap object with respect to a set of root pointers. Intuitively, a process $P$ may directly reach any object located at some pointer in the set $\mathrm{fn}(P)$ (we can think of the pointers in $\mathrm{fn}(P)$ as of the local variables of the process stored in its stack); from these pointers, the process may reach other heap objects by reading messages from other endpoints it can reach.

Definition 3.1 (reachable pointers). We say that $c$ is reachable from $a$ in $\mu$, notation $c \prec_\mu a$, if $a \mapsto [b,\ q :: m(c) :: q'] \in \mu$. We write $c \prec^*_\mu a$ for the reflexive, transitive closure of $\prec_\mu$. Let $\mathrm{reach}(A, \mu) = \{\, c \mid \exists a \in A : c \prec^*_\mu a \,\}$.

We now define well-behaved systems formally.

Definition 3.2 (well-behaved process). We say that $P$ is well behaved if $(\emptyset; P) \Rightarrow (\mu; Q)$ implies:

1. $\mathrm{dom}(\mu) = \mathrm{reach}(\mathrm{fn}(Q), \mu)$;
2. $Q \equiv P_1 \mid P_2$ implies $\mathrm{reach}(\mathrm{fn}(P_1), \mu) \cap \mathrm{reach}(\mathrm{fn}(P_2), \mu) = \emptyset$;
3. $Q \equiv P_1 \mid P_2$ and $(\mu; P_1) \not\to$ where $P_1$ does not have unguarded parallel compositions imply either $P_1 = 0$ or $P_1 = \mathrm{close}(a)$ or $P_1 = \sum_{i\in I} a?m_i(x_i).P_i$ and $a \mapsto [b, \varepsilon] \in \mu$.

In words, a process $P$ is well behaved if every residual of $P$ reachable from a configuration where the heap is empty satisfies a number of conditions. Conditions (1) and (2) guarantee the absence of faults and leaks. Indeed, condition (1) states that every pointer to the heap is reachable by one process, and that every reachable pointer corresponds to an object allocated on the heap. Condition (2) states that processes are isolated, namely that the sets of reachable pointers corresponding to different processes are disjoint. Since processes of the form $\mathrm{close}(a)$ are persistent, this also guarantees the absence of faults where a process tries to use an endpoint that has already been deallocated, or where the same endpoint is deallocated twice. Condition (3) guarantees the absence of communication errors, namely that if $(\mu; Q)$ is stuck (no reduction is possible), then it is because every non-terminated process in $Q$ is waiting for a message on an endpoint having an empty queue. This configuration corresponds to a genuine deadlock where every process in some set is waiting for a message that is to be sent by another process in the same set. We only consider initial configurations with an empty heap for two reasons: first, we take the point of view that initially there are no allocated objects; second, since we will need a well-typed predicate for heaps and we do not want to verify heap well-typedness at runtime, we will make sure that the empty heap is trivially well typed.

Table 3: Syntax of types.

$$\begin{array}{rcll}
T & ::= & & \textbf{Endpoint Type}\\
  &     & \mathrm{end} & \text{(termination)}\\
  & |   & \alpha & \text{(variable)}\\
  & |   & !\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i\in I} & \text{(internal choice)}\\
  & |   & ?\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i\in I} & \text{(external choice)}\\
  & |   & \mu\alpha.T & \text{(recursive type)}\\[1ex]
t & ::= & & \textbf{Type}\\
  &     & \mathrm{Top} & \text{(top type)}\\
  & |   & T & \text{(endpoint type)}
\end{array}$$
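The reduction rules of Table 2 and the three conditions of Definition 3.2 in executable form, as an added example that is not part of the paper: a small Python interpreter over a constructed term encoding (choice, recursion and structural congruence are omitted) that explores every system reachable from the empty heap, runs code fragment (1) from the Introduction and reports the leak as a violation of condition (1), and contrasts it with a constructed well-behaved variant and a constructed communication error.

```python
# Constructed encoding of PolySing# terms (not the paper's own notation):
#   ("idle",)  ("close", u)  ("open", a, b, P)  ("send", u, m, v, P)
#   ("recv", u, {m: (x, P)})  for sum_i u?m_i(x_i).P_i     ("par", P, Q)
# Heap: dict pointer -> (peer, queue), queue a tuple of (tag, pointer) messages.

def subst(P, x, c):
    """P{c/x}: replace free occurrences of the name x by the pointer c."""
    k = P[0]
    if k == "close": return ("close", c if P[1] == x else P[1])
    if k == "open":                                      # a, b are bound in P
        return P if x in P[1:3] else ("open", P[1], P[2], subst(P[3], x, c))
    if k == "send":
        _, u, m, v, Q = P
        return ("send", c if u == x else u, m, c if v == x else v, subst(Q, x, c))
    if k == "recv":                                      # x_i is bound in P_i
        return ("recv", c if P[1] == x else P[1],
                {m: (y, Q if y == x else subst(Q, x, c)) for m, (y, Q) in P[2].items()})
    if k == "par": return ("par", subst(P[1], x, c), subst(P[2], x, c))
    return P

def fn(P):
    """Free names of P: the roots from which the process reaches the heap."""
    k = P[0]
    if k == "close": return {P[1]}
    if k == "open": return fn(P[3]) - {P[1], P[2]}
    if k == "send": return {P[1], P[3]} | fn(P[4])
    if k == "recv": return {P[1]}.union(*(fn(Q) - {x} for x, Q in P[2].values()))
    if k == "par": return fn(P[1]) | fn(P[2])
    return set()

def reach(roots, heap):
    """reach(A, mu) of Definition 3.1: follow pointers carried by queued messages."""
    seen, todo = set(), list(roots)
    while todo:
        a = todo.pop()
        if a not in seen:
            seen.add(a)
            todo.extend(c for _, c in heap.get(a, (None, ()))[1])
    return seen

def step(heap, P):
    """One-step reducts of the system (heap; P) following Table 2."""
    k = P[0]
    if k == "open":                                # (R-OPEN): two fresh peer endpoints
        _, a, b, Q = P
        if a in heap or b in heap:
            raise ValueError("pointer clash: alpha-convert first (Barendregt convention)")
        return [({**heap, a: (b, ()), b: (a, ())}, Q)]
    if k == "send" and P[1] in heap:               # (R-SEND): enqueue on the peer's queue
        _, a, m, c, Q = P
        b = heap[a][0]
        return [({**heap, b: (a, heap[b][1] + ((m, c),))}, Q)]
    if k == "recv" and heap.get(P[1], (None, ()))[1]:   # (R-RECEIVE): dequeue, dispatch
        _, a, br = P
        (m, c), rest = heap[a][1][0], heap[a][1][1:]
        if m not in br:
            return []                              # unexpected tag: communication error
        return [({**heap, a: (heap[a][0], rest)}, subst(br[m][1], br[m][0], c))]
    if k == "par":                                 # (R-PAR) and its symmetric rule
        _, Q, R = P
        return ([(h, ("par", Q2, R)) for h, Q2 in step(heap, Q)] +
                [(h, ("par", Q, R2)) for h, R2 in step(heap, R)])
    return []                                      # 0, close(a), faults: no reduction

def components(P):
    return components(P[1]) + components(P[2]) if P[0] == "par" else [P]

def well_behaved(P):
    """None when Definition 3.2 holds in every reachable (mu; Q), else the violated condition."""
    todo, seen = [({}, P)], set()
    while todo:
        heap, Q = todo.pop()
        key = (tuple(sorted(heap.items())), repr(Q))
        if key in seen:
            continue
        seen.add(key)
        if set(heap) != reach(fn(Q), heap):
            return "(1) leak or dangling pointer"
        parts = components(Q)
        rs = [reach(fn(p), heap) for p in parts]
        if any(rs[i] & rs[j] for i in range(len(rs)) for j in range(i + 1, len(rs))):
            return "(2) processes not isolated"
        for p in parts:                            # a stuck component must be 0, close(a)
            idle_ok = p[0] in ("idle", "close")    # or an input on an empty queue
            recv_ok = p[0] == "recv" and heap.get(p[1], (None, None))[1] == ()
            if not step(heap, p) and not (idle_ok or recv_ok):
                return "(3) communication error or fault"
        todo.extend(step(heap, Q))
    return None

# Code fragment (1) from the Introduction: (e, f) := open(); send(e, arg, f); close(e)
LEAKY = ("open", "e", "f", ("send", "e", "arg", "f", ("close", "e")))
# Constructed well-behaved variant: the peer reads the delegated endpoint and closes it.
SAFE = ("open", "a", "b", ("open", "c", "d", ("send", "a", "m", "c", ("par",
        ("close", "a"), ("recv", "b", {"m": ("x", ("par", ("close", "x"),
        ("par", ("close", "d"), ("close", "b"))))})))))
# Constructed communication error: the receiver only understands tag n but gets m.
BAD_TAG = ("open", "a", "b", ("open", "c", "d", ("send", "a", "m", "c", ("par",
          ("close", "a"), ("recv", "b", {"n": ("x", ("par", ("close", "x"),
          ("par", ("close", "d"), ("close", "b"))))})))))
```

`well_behaved(LEAKY)` stops at the system `(e ↦ [f, ε], f ↦ [e, arg(f)]; close(e))`, where f is allocated but unreachable from `fn(close(e)) = {e}`, which is exactly the leak the Introduction describes.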
4 Type system

We introduce some notation for the type system: we assume an infinite set of type variables ranged over by $\alpha, \beta, \ldots$. Types are ranged over by $t, s, \ldots$ while endpoint types are ranged over by $T, S, \ldots$. The syntax of types and endpoint types is defined in Table 3. An endpoint type describes the behavior of a process with respect to a particular endpoint. The process may send messages over the endpoint, receive messages from the endpoint, and deallocate the endpoint. The endpoint type $\mathrm{end}$ denotes an endpoint on which no further input/output operation is possible and that can be deallocated. An endpoint type $!\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i\in I}$ denotes an endpoint on which a process may send any message $m_i$ with $i \in I$. The message carries an argument of type $s_i$ and the type variable $\alpha_i$ can be instantiated with any subtype of the bound $t_i$ (subtyping will be defined shortly). Depending on the tag $m_i$ of the message, the endpoint can be used thereafter according to the endpoint type $T_i$. In a dual manner, an endpoint type $?\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i\in I}$ denotes an endpoint from which a process must be ready to receive any message $m_i$ with $i \in I$. Again, $s_i$ denotes the type of the message's argument, while $t_i$ is the bound for the type variable $\alpha_i$. Depending on the tag $m_i$ of the received message, the endpoint is to be used according to $T_i$. Terms $\alpha$ and $\mu\alpha.T$ can be used to specify recursive behaviors, as usual. Types are either endpoint types or the top type $\mathrm{Top}$, which is supertype of any other (endpoint) type. Here are some handy conventions regarding types and endpoint types:

• we sometimes use an infix notation for internal and external choices and write $!m_1\langle\alpha_1 \le t_1\rangle(s_1).T_1 \oplus \cdots \oplus !m_n\langle\alpha_n \le t_n\rangle(s_n).T_n$ instead of $!\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i\in\{1,\ldots,n\}}$ and $?m_1\langle\alpha_1 \le t_1\rangle(s_1).T_1 + \cdots + ?m_n\langle\alpha_n \le t_n\rangle(s_n).T_n$ instead of $?\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i\in\{1,\ldots,n\}}$;
• we omit the bound when it is $\mathrm{Top}$ and write, for example, $!m\langle\alpha\rangle(s).T$ in place of $!m\langle\alpha \le \mathrm{Top}\rangle(s).T$;
• we omit the bound specification $\langle\cdot\rangle$ altogether when useless (if the type variable occurs nowhere else) and write, for example, $!m(s).T$;
• we omit the type of the argument when irrelevant.

We have standard notions of free and bound type variables for (endpoint) types. The only binders are $\mu$ and the bound constraints for messages. In particular, $\mu\alpha.T$ binds $\alpha$ in $T$ and $\dagger m\langle\alpha \le t\rangle(s).T$ where $\dagger \in \{!, ?\}$ binds $\alpha$ in $s$ and in $T$ but not in $t$. We adopt the Barendregt convention for type variables. In what follows we will consider endpoint types modulo renaming of bound variables and folding/unfolding of recursions, that is $\mu\alpha.T = T\{\mu\alpha.T/\alpha\}$ where $T\{\mu\alpha.T/\alpha\}$ is the endpoint type obtained from $T$ by replacing each free occurrence of $\alpha$ with $\mu\alpha.T$.

The duality between inputs and outputs induces dual bounding modalities. In particular, a process using an endpoint with type $!m\langle\alpha \le t\rangle(s).T$ may choose a particular $t' \le t$ to instantiate $\alpha$ and use $T\{t'/\alpha\}$ accordingly. In other words, the variable $\alpha$ is universally quantified over all the subtypes of $t$. Dually, a process using an endpoint with type $?m\langle\alpha \le t\rangle(s).T$ does not know the exact type $t' \le t$ with which $\alpha$ is instantiated, since this type is chosen by the sender. In other words, the type variables of an external choice are existentially quantified over all the subtypes of the corresponding bounds.

Not every term generated by the grammar in Table 3 makes sense. Type variables bound by a recursion $\mu$ must be guarded by a prefix (therefore a non-contractive endpoint type such as $\mu\alpha.\alpha$ is forbidden) and type variables bound in a constraint as in $!m\langle\alpha \le t\rangle(s).T$ can only occur in $s$ and within the prefixes of $T$. We formalize this last requirement as a well-formedness condition for types denoted by a judgment $I, O \vdash t$ where $I$ is a set of so-called inner variables (those that can occur only within prefixes) and $O$ is a set of so-called outer variables (those that can occur everywhere):

$$\frac{}{I, O \vdash \mathrm{end}} \qquad \frac{}{I, O \vdash \mathrm{Top}} \qquad \frac{\alpha \in O \setminus I}{I, O \vdash \alpha} \qquad \frac{I, O \cup \{\alpha\} \vdash T}{I, O \vdash \mu\alpha.T}$$

$$\frac{\dagger \in \{!, ?\} \qquad \emptyset, I \cup O \vdash t_i \ (i \in I) \qquad \emptyset, I \cup O \cup \{\alpha_i\} \vdash s_i \ (i \in I) \qquad I \cup \{\alpha_i\}, O \vdash T_i \ (i \in I)}{I, O \vdash \dagger\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i\in I}}$$

We say that $t$ is well formed if $\emptyset, \emptyset \vdash t$ is derivable. Observe that well-formed (endpoint) types are closed. Well formedness restricts the expressiveness of types, in particular types such as $!m\langle\alpha \le t\rangle(s).\alpha$ and $?m\langle\alpha \le t\rangle(s).\alpha$ are forbidden because ill formed. We claim that ill-formed types have negligible practical utility: a process that instantiates $\alpha$ with $S \le T$ in $!m\langle\alpha \le T\rangle(s).\alpha$ precisely knows its behavior after the output operation; dually, a process that receives a message from an endpoint with type $?m\langle\alpha \le T\rangle(s).\alpha$ cannot do any better than assuming that $\alpha$ has been instantiated with $T$.

Duality expresses the fact that two processes accessing peer endpoints interact without errors if they behave in complementary ways: if one of the two processes sends a message, the other process waits for a message; if one process waits for a message, the other process sends; if one process has finished using an endpoint, the other process has finished too.

Definition 4.1 (duality). We say that $\mathcal{D}$ is a duality relation if $(T, S) \in \mathcal{D}$ implies either

• $T = S = \mathrm{end}$, or
• $T = ?\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i\in I}$ and $S = !\{m_i\langle\alpha_i \le t_i\rangle(s_i).S_i\}_{i\in I}$ and $(T_i, S_i) \in \mathcal{D}$ for every $i \in I$, or
• $T = !\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i\in I}$ and $S = ?\{m_i\langle\alpha_i \le t_i\rangle(s_i).S_i\}_{i\in I}$ and $(T_i, S_i) \in \mathcal{D}$ for every $i \in I$.

We say that $T$ and $S$ are dual if $(T, S) \in \mathcal{D}$ for some duality relation $\mathcal{D}$.

It is easy to see that if $T$ and $S_1$ are dual and $T$ and $S_2$ are dual, then $S_1 = S_2$. In other words, the duality relation induces a function $\overline{\,\cdot\,}$ such that $T$ and $\overline{T}$ are dual for every $T$. An important property of well-formed endpoint types is that duality does not affect their inner variables. Therefore, duality and the instantiation of inner variables commute, in the following sense:

Proposition 4.1. Let $\{\alpha\}, \emptyset \vdash T$. Then $\overline{T\{s/\alpha\}} = \overline{T}\{s/\alpha\}$.

We now define subtyping. Because of bound constraints on type variables, subtyping is relative to an environment $\Delta = \alpha_1 \le t_1, \ldots, \alpha_n \le t_n$ which is an ordered sequence of constraints such that each $\alpha_i$ may only occur in the $t_j$'s with $j > i$. We write $\mathrm{dom}(\Delta)$ for the domain of $\Delta$ and $\Delta(\alpha_i)$ to denote the bound $t_i$ associated with the rightmost occurrence of $\alpha_i \in \mathrm{dom}(\Delta)$; we use $\bullet$ to denote the empty bound environment. Subtyping is fairly standard, therefore we provide only a coinductive characterization (an equivalent deduction system restricted to finite endpoint types can be found in [8]).

Definition 4.2 (subtyping). We say that $\mathcal{S}$ is a coinductive subtyping if $(\Delta, t, s) \in \mathcal{S}$ implies either:

1. $t = s$, or
2. $s = \mathrm{Top}$, or
3. $t = \alpha \in \mathrm{dom}(\Delta)$ and $(\Delta, \Delta(\alpha), s) \in \mathcal{S}$, or
4. $t = ?\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i\in I}$ and $s = ?\{m_i\langle\alpha_i \le t_i\rangle(s'_i).S_i\}_{i\in J}$ with $I \subseteq J$ and $((\Delta, \alpha_i \le t_i), s_i, s'_i) \in \mathcal{S}$ and $((\Delta, \alpha_i \le t_i), T_i, S_i) \in \mathcal{S}$ for every $i \in I$, or
5. $t = !\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i\in I}$ and $s = !\{m_i\langle\alpha_i \le t_i\rangle(s'_i).S_i\}_{i\in J}$ with $J \subseteq I$ and $((\Delta, \alpha_i \le t_i), s'_i, s_i) \in \mathcal{S}$ and $((\Delta, \alpha_i \le t_i), T_i, S_i) \in \mathcal{S}$ for every $i \in J$.

We write $\Delta \vdash t \le s$ if $(\Delta, t, s) \in \mathcal{S}$ for some coinductive subtyping $\mathcal{S}$ and $t \le s$ if $\bullet \vdash t \le s$. Item (1) states that subtyping is reflexive; item (2) states that $\mathrm{Top}$ is indeed the top type; items (4) and (5) are the usual covariant and contravariant rules for inputs and outputs respectively. Observe that subtyping is always covariant with respect to the continuations and that we require the bounds on type variables of related endpoint types to be the same. This corresponds to the so-called "Kernel" variant of bounded polymorphism as opposed to the "Full" one. We adopt the Kernel variant for simplicity, since it is orthogonal to the rest of the theory. Also, the Full variant is known to be undecidable [8]. Finally, item (3) allows one to deduce $\Delta \vdash \alpha \le s$ if $\Delta \vdash \Delta(\alpha) \le s$ holds. The reader may easily verify that subtyping is transitive (it is enough to show that $\{(\Delta, t_1, t_2) \mid \exists s : \Delta \vdash t_1 \le s \ \&\ \Delta \vdash s \le t_2\}$ is a coinductive subtyping). The following property is standard and shows that duality is contravariant with respect to subtyping.

Proposition 4.2. $T \le S$ if and only if $\overline{S} \le \overline{T}$.

Well-formedness of endpoint types is essential for Proposition 4.2 to hold in our setting. Consider, for example, the endpoint types $T = !m\langle\alpha \le ?m().\mathrm{end}\rangle().\alpha$ and $S = !m\langle\alpha \le ?m().\mathrm{end}\rang().?m().\mathrm{end}$ where $T$ is ill formed. Then $T \le S$ would hold but $?m\langle\alpha \le ?m().\mathrm{end}\rangle().!m().\mathrm{end} = \overline{S} \le \overline{T} = ?m\langle\alpha \le ?m().\mathrm{end}\rangle().\alpha$ would not because $\alpha \le ?m().\mathrm{end} \vdash !m().\mathrm{end} \not\le \alpha$.
An alternative theory, where well-formedness is not necessary for proving Proposition 4.2, is given in [8]: it distinguishes dualized type variables $\overline{\alpha}$ from type variables and uses type constraints of the form $t_1 \le \alpha \le t_2$ with both lower and upper bounds, so that the bounds of the corresponding dualized type variable are known and given by $\overline{t_2} \le \overline{\alpha} \le \overline{t_1}$.

Typing the heap. The heap plays a primary role in our setting because inter-process communication relies entirely on heap-allocated structures; also, most properties of well-behaved processes are direct consequences of related properties of the heap. Therefore, just as we will check well-typedness of a process $P$ with respect to some environment that associates the pointers occurring in $P$ with the corresponding types, we will also need to check that the heap is consistent with respect to the same environment. This leads to a notion of well-typed heap that we develop in this section. The mere fact that we have this notion does not mean that we need to type-check the heap at runtime: well-typedness of the heap will be a consequence of well-typedness of processes, and the empty heap is trivially well typed.

We will express well-typedness of a heap $\mu$ with respect to a pair $\Gamma_0; \Gamma$ of environments, where $\Gamma$ gives the types of the roots of $\mu$ (the pointers that are not referenced by any other structure allocated in the heap) and $\Gamma_0$ gives the types of the pointers to allocated structures that are directly or indirectly reachable from one of the roots of the heap. Among the properties that a well-typed heap must enjoy is the complementarity between the endpoint types associated with peer endpoints. This notion of complementarity does not coincide with duality because of the communication model that we have adopted, which is asynchronous. Since messages can accumulate in the queue of an endpoint before they are received, the type of the endpoint as perceived by the process using it and the actual type of the endpoint as assumed by the process using its peer can be misaligned. On the one hand, we want to enforce the invariant that the endpoint types of peer endpoints are (and remain) dual, modulo the subtyping relation. On the other hand, this can only happen when the two endpoints have empty queues. In general, we need to compute the actual endpoint type of an endpoint taking into account both its type as perceived by the process using it and the messages in its queue. This is accomplished by the $\mathit{tail}(\cdot, \cdot)$ function below, which takes an endpoint type $T$ and a sequence $m_1(s_1) \cdots m_n(s_n)$ of specifications corresponding to the messages enqueued into the endpoint with type $T$, and computes the residual endpoint type under the assumption that all those messages have been received:

$$
\mathit{tail}(T, \varepsilon) = T
\qquad
\frac{k \in I \qquad t \le t_k \qquad s \le s_k\{t/\alpha_k\} \qquad \mathit{tail}(T_k\{t/\alpha_k\},\; m_1(s_1') \cdots m_n(s_n')) = S}{\mathit{tail}(\mathord{?}\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i \in I},\; m_k(s)\, m_1(s_1') \cdots m_n(s_n')) = S}
$$

From a technical point of view $\mathit{tail}$ is a relation, since there can be several possible choices for instantiating the type variables in the endpoint type being processed. For example, we have $\mathit{tail}(\mathord{?}m\langle\alpha \le t\rangle(\alpha).\mathord{?}m(\alpha).\mathsf{end},\; m(s)) = \mathord{?}m(t').\mathsf{end}$ for every $s \le t' \le t$. Nonetheless, we will sometimes use $\mathit{tail}$ as a function and write $\mathit{tail}(T, m_1(s_1) \cdots m_n(s_n))$ in place of some $S$ such that $\mathit{tail}(T, m_1(s_1) \cdots m_n(s_n)) = S$. For instance, the notation $\mathit{tail}(T, m_1(s_1) \cdots m_n(s_n)) \le S'$ means that $S \le S'$ for some $S$ such that $\mathit{tail}(T, m_1(s_1) \cdots m_n(s_n)) = S$.
We now have all the notions needed to express the well-typedness of a heap $\mu$ with respect to a pair $\Gamma_0; \Gamma$ of type environments.

Definition 4.3 (well-typed heap). We write $\Gamma_0; \Gamma \vdash \mu$ if:
1. for every $a \mapsto [b, q] \in \mu$ we have $b \mapsto [a, q'] \in \mu$ and either $q = \varepsilon$ or $q' = \varepsilon$;
2. for every $a \mapsto [b, m_1(c_1) :: \cdots :: m_n(c_n)] \in \mu$ and $b \mapsto [a, \varepsilon] \in \mu$ we have $\overline{\mathit{tail}(T, m_1(s_1) \cdots m_n(s_n))} \le S$, where $a : T \in \Gamma_0, \Gamma$ and $b : S \in \Gamma_0, \Gamma$ and $c_i : s_i \in \Gamma_0, \Gamma$ for $i \in \{1, \ldots, n\}$;
3. $\mathsf{dom}(\mu) = \mathsf{dom}(\Gamma_0, \Gamma) = \mathsf{reach}(\mathsf{dom}(\Gamma), \mu)$;
4. $\mathsf{reach}(\{a\}, \mu) \cap \mathsf{reach}(\{b\}, \mu) = \emptyset$ for every $a, b \in \mathsf{dom}(\Gamma)$ with $a \ne b$.

Condition (1) requires that in a well-typed heap every endpoint comes along with its peer and that at least one of the queues of two peer endpoints is empty. This invariant is ensured by duality, since a well-typed process does not send messages on an endpoint until it has read all the pending messages from the corresponding queue. Condition (2) requires that the endpoint types of peer endpoints are dual, modulo subtyping. More precisely, for every endpoint $a$ whose peer $b$ has an empty queue there exists a residual $\mathit{tail}(T, m_1(s_1) \cdots m_n(s_n))$ of its type $T$ whose dual is a subtype of the peer's type $S$. Condition (3) states that the type environment $\Gamma_0, \Gamma$ must specify a type for all of the allocated objects in the heap and, in addition, every object (located at) $a$ in the heap must be reachable from a root $b \in \mathsf{dom}(\Gamma)$. Since the roots will be distributed linearly to the processes of the system, this guarantees the absence of leaks, namely of allocated objects that are no longer reachable. Finally, condition (4) requires the uniqueness of the root for every allocated object. This guarantees process isolation, namely the fact that every allocated object belongs to one and only one process.

Typing processes.
We want to define a type system such that well-typed processes are well behaved and, in particular, such that well-typed processes do not leak memory. As anticipated in the introduction, the critical situation that we must avoid is the possibility that an endpoint is enqueued into its own queue, since this would create a circular structure not owned by any process. The intuition behind our solution is to use some property of types to detect, and avoid, the configurations in which there is some potential to create such circular structures. This property, which we dub the weight of a type, gives an upper bound to the length of chains of pointers linking endpoints.

Definition 4.4 (weight). We say that $\mathcal{W}$ is a coinductive weight bound if $(\Delta, t, n) \in \mathcal{W}$ implies either:
• $t = \mathsf{end}$, or
• $t = \mathord{!}\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i \in I}$, or
• $t = \alpha \in \mathsf{dom}(\Delta)$ and $(\Delta, \Delta(\alpha), n) \in \mathcal{W}$, or
• $t = \mathord{?}\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i \in I}$ and $n > 0$ and $((\Delta, \alpha_i \le t_i), s_i, n - 1) \in \mathcal{W}$ and $((\Delta, \alpha_i \le t_i), T_i, n) \in \mathcal{W}$ for every $i \in I$.
We write $\Delta \vdash t \downarrow n$ if $(\Delta, t, n) \in \mathcal{W}$ for some coinductive weight bound $\mathcal{W}$. The weight of a type $t$ with respect to $\Delta$, denoted by $\|t\|_\Delta$, is defined by $\|t\|_\Delta = \min\{n \in \mathbb{N} \mid \Delta \vdash t \downarrow n\}$, where we let $\min \emptyset = \infty$. We omit the environment $\Delta$ when it is empty and simply write $\|t\|$ instead of $\|t\|_\bullet$. When comparing weights, we extend the usual total orders $<$ and $\le$ over natural numbers so that $n < \infty$ for every $n \in \mathbb{N}$ and $\infty \le \infty$.

Like other relations involving types, the relation $\Delta \vdash t \downarrow n$ is parametric in an environment $\Delta$ specifying the upper bounds of the type variables that may occur in $t$, and it expresses the fact that $n$ is an upper bound for the weight of $t$. The weight of $t$ is then defined as the least of its upper bounds, or $\infty$ if there is no such upper bound.
A few weights are straightforward to compute; for example, we have $\|\mathsf{end}\| = \|\mathord{!}\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i \in I}\| = 0$ and $\|\mathsf{Top}\| = \infty$. Endpoints with type $\mathsf{end}$ and those in a send state have null weight because their queues are empty and therefore the chains of pointers originating from them have zero length. $\mathsf{Top}$ does not have a finite weight since it is the type of any endpoint, and in particular of endpoints with arbitrary weight. Only endpoints in a receive state have a strictly positive weight. For instance, we have $\|\mathord{?}m(\mathsf{end}).\mathsf{end}\| = 1$ and $\|\mathord{?}m(\mathord{?}m(\mathsf{end}).\mathsf{end}).\mathsf{end}\| = 2$, while $\|\mu\alpha.\mathord{?}m(\alpha).T\|_\Delta = \|\mathord{?}m(\mathsf{Top}).T\|_\Delta = \infty$. The weight of a type variable occurring in a constraint $\alpha \le t$ is given by the weight of $t$. In particular, $\|\alpha\|_{\alpha \le t} = \|t\|$ and $\|\mathord{?}m\langle\alpha \le t\rangle(\alpha).\mathsf{end}\| = 1 + \|t\|$ (the latter equality holds if $\|t\| < \infty$). In a sense, the (type) bound $t$ for $\alpha$ also determines a (weight) bound $\|t\|$ for $\alpha$. Since the actual type with which $\alpha$ will be instantiated is not known, this approximation works only if the relation between weights is coherent with subtyping. This fundamental property does indeed hold, as stated in the following proposition.

Proposition 4.3. $t \le s$ implies $\|t\| \le \|s\|$.

The typing rules for processes are inductively defined in Table 4.

Table 4: Typing rules for processes.

$$
\textsf{(T-IDLE)}\;\; \Sigma; \Delta; \emptyset \vdash \mathbf{0}
\qquad
\textsf{(T-CLOSE)}\;\; \Sigma; \Delta; u : \mathsf{end} \vdash \mathsf{close}(u)
\qquad
\textsf{(T-VAR)}\;\; \Sigma, \{X \mapsto (\Delta; \Gamma)\}; \Delta; \Gamma \vdash X
$$

$$
\textsf{(T-REC)}\;\; \frac{\Sigma, \{X \mapsto (\Delta; \Gamma)\}; \Delta; \Gamma \vdash P \qquad \mathsf{dom}(\Gamma) = \mathsf{fn}(P)}{\Sigma; \Delta; \Gamma \vdash \mathsf{rec}\,X.P}
\qquad
\textsf{(T-OPEN)}\;\; \frac{\Sigma; \Delta; \Gamma, a : T, b : \overline{T} \vdash P}{\Sigma; \Delta; \Gamma \vdash \mathsf{open}(a, b).P}
$$

$$
\textsf{(T-SEND)}\;\; \frac{\Delta \vdash t' \le t \qquad \|s\{t'/\alpha\}\|_\Delta < \infty \qquad \Sigma; \Delta; \Gamma, u : S\{t'/\alpha\} \vdash P}{\Sigma; \Delta; \Gamma, u : \mathord{!}m\langle\alpha \le t\rangle(s).S, v : s\{t'/\alpha\} \vdash u\mathord{!}m(v).P}
$$

$$
\textsf{(T-RECEIVE)}\;\; \frac{\Sigma; \Delta, \alpha_i \le t_i; \Gamma, u : T_i, x_i : s_i \vdash P_i \quad (i \in I)}{\Sigma; \Delta; \Gamma, u : \mathord{?}\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i \in I} \vdash \sum_{i \in I} u\mathord{?}m_i(x_i).P_i}
$$

$$
\textsf{(T-CHOICE)}\;\; \frac{\Sigma; \Delta; \Gamma \vdash P \qquad \Sigma; \Delta; \Gamma \vdash Q}{\Sigma; \Delta; \Gamma \vdash P \oplus Q}
\qquad
\textsf{(T-PAR)}\;\; \frac{\Sigma; \Delta; \Gamma_1 \vdash P \qquad \Sigma; \Delta; \Gamma_2 \vdash Q}{\Sigma; \Delta; \Gamma_1, \Gamma_2 \vdash P \mid Q}
\qquad
\textsf{(T-SUB)}\;\; \frac{\Sigma; \Delta; \Gamma, u : s \vdash P \qquad \Delta \vdash t \le s}{\Sigma; \Delta; \Gamma, u : t \vdash P}
$$

Judgments have the form $\Sigma; \Delta; \Gamma \vdash P$ and state that process $P$ is well typed under the specified environments. The additional environment $\Sigma$ is a map from process variables to pairs $(\Delta; \Gamma)$ and is used for typing recursive processes. It plays a role in two rules only, (T-VAR) and (T-REC), which are standard except for the unusual premise $\mathsf{dom}(\Gamma) = \mathsf{fn}(P)$ in rule (T-REC), which enforces a weak form of contractivity on recursive processes: $\mathsf{rec}\,X.P$ is well typed under $\Gamma$ only if $P$ actually uses the names in $\mathsf{dom}(\Gamma)$. Without it, divergent processes such as $\mathsf{rec}\,X.X$ could be typed in every environment, and then the process $\mathsf{open}(a, b).\mathsf{rec}\,X.X$, which leaks $a$ and $b$, would be well typed. The idle process is well typed in the empty environment $\emptyset$: since we will impose a correspondence between the free names of a process and the roots of the heap, this rule states that the terminated process has no leaks. Rule (T-CLOSE) states that a process $\mathsf{close}(u)$ is well typed provided that $u$ is the only name owned by the process and that it corresponds to an endpoint with type $\mathsf{end}$, on which no further interaction is possible. Rule (T-OPEN) types the creation of a new channel, which is visible in the continuation process as two peer endpoints typed by dual endpoint types. Rules (T-CHOICE) and (T-PAR) are standard. In the latter, the type environment is split into disjoint environments to type the processes being composed; together with heap well-typedness, this ensures process isolation.

Rule (T-SEND) states that a process $u\mathord{!}m(v).P$ is well typed if $u$ is associated with an endpoint type $\mathord{!}m\langle\alpha \le t\rangle(s).S$ that permits the output of $m$-tagged messages. The rule guesses the type parameter $t'$ with which the type variable $\alpha$ is instantiated (an explicitly typed process might provide $t'$ explicitly). The type of the argument $v$ must match the expected type in the endpoint type where $\alpha$ has been instantiated with $t'$, and the continuation $P$ must be well typed in a context where the message argument has disappeared and the endpoint $u$ is typed according to a properly instantiated $S$. This means that $P$ can rely on the knowledge of $t'$, namely $\alpha$ is universally quantified over all the subtypes of $t$. The condition $\|s\{t'/\alpha\}\|_\Delta < \infty$ imposes that $v$'s type must have a finite weight. Since the peer of $u$ must be able to accept a message with an argument of type $s\{t'/\alpha\}$, its weight will be strictly larger than that of $s\{t'/\alpha\}$, or it will be infinite. In both cases, we are sure that the argument $v$ being sent is not the peer of $u$.

Rule (T-RECEIVE) deals with inputs: a process waiting for a message from an endpoint $u : \mathord{?}\{m_i\langle\alpha_i \le t_i\rangle(s_i).T_i\}_{i \in I}$ is well typed if it can deal with any $m_i$-tagged message. The continuation process may use the endpoint $u$ according to the endpoint type $T_i$ and can access the message argument $x_i$. The environment $\Delta$ is enriched with the assumption $\alpha_i \le t_i$, denoting the fact that $P_i$ does not know the exact type with which $\alpha_i$ has been instantiated, but only its upper bound, namely $\alpha_i$ is existentially quantified over all the subtypes of $t_i$.
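The following program is an added example, not code from the paper: it implements the weight function of Definition 4.4 over a small tuple encoding of endpoint types (the encoding, the helpers `inp`, `out`, `br`, `mu`, `var` and the function names are this example's own), uses it for the finite-weight premise of (T-SEND), and checks the untyped conditions (1), (3) and (4) of Definition 4.3 on two constructed heap snapshots of the forwarder scenario of Example 4.2 below, in which an endpoint ends up in its own queue. Recursive types are read up to unfolding, as the weight examples above require.

```python
"""Weights of endpoint types (Definition 4.4), the finite-weight premise of
(T-SEND) and the heap invariant they protect (Definition 4.3).  Added example,
not the paper's code: the tuple encoding of types, the helpers and the heap
snapshots below are this example's own."""
from math import inf

# Endpoint types as tuples: END, TOP, ('var', a), ('mu', a, T) and
# (polarity, branches) with polarity '?' or '!' and each branch
# (tag, bound_var or None, bound or None, payload, continuation).
END, TOP = ('end',), ('top',)
def var(a): return ('var', a)
def mu(a, body): return ('mu', a, body)
def inp(*bs): return ('?', bs)
def out(*bs): return ('!', bs)
def br(tag, payload, cont, bvar=None, bound=None): return (tag, bvar, bound, payload, cont)


def weight(t, env=None):
    """||t||_Delta: the least n with Delta |- t down n, or inf.  env maps a
    constraint variable to ('bound', t) and a mu-bound variable to ('rec', n),
    the current approximation of its weight."""
    env = env or {}
    head = t[0]
    if head == 'end': return 0
    if head == 'top': return inf                      # Top is the type of any endpoint
    if head == 'var':
        kind, val = env[t[1]]
        return val if kind == 'rec' else weight(val, env)   # ||alpha|| = ||Delta(alpha)||
    if head == 'mu':
        # Kleene iteration n0 = 0, n(k+1) = ||body{alpha := n(k)}||.  For a finite
        # body the map has the form max(c, n + k): it stabilises within two steps
        # when alpha occurs only in continuations (k = 0) and never otherwise.
        n = 0
        for _ in range(3):
            n2 = weight(t[2], {**env, t[1]: ('rec', n)})
            if n2 == n: return n
            n = n2
        return inf
    if head == '!': return 0                          # send state: the queue is empty
    n = 0
    for _tag, bvar, bound, payload, cont in t[1]:     # receive state
        env2 = {**env, bvar: ('bound', bound)} if bvar else env
        n = max(n, 1 + weight(payload, env2), weight(cont, env2))
    return n


def send_allowed(payload_type, env=None):
    """Second premise of (T-SEND): the argument's instantiated type has finite weight."""
    return weight(payload_type, env) < inf


# Heap side of Definition 4.3 without the typing condition (2).  A heap maps an
# endpoint to (peer, queue of enqueued pointers); roots are the process-owned names.
def reach(roots, heap):
    seen, todo = set(), list(roots)
    while todo:
        a = todo.pop()
        if a not in seen:
            seen.add(a)
            todo.extend(heap[a][1])                   # queued pointers are reachable
    return seen


def heap_violations(heap, roots):
    """Violated conditions: (1) peer present and at least one queue empty,
    (3) every object reachable from a root, (4) roots reach disjoint objects."""
    bad = []
    for a, (b, q) in heap.items():
        if b not in heap or heap[b][0] != a or (q and heap[b][1]):
            bad.append(f'(1) {a}')
    leaked = sorted(set(heap) - reach(roots, heap))
    if leaked:
        bad.append(f'(3) unreachable {leaked}')
    rs = sorted(roots)
    for i, a in enumerate(rs):
        for b in rs[i + 1:]:
            if reach({a}, heap) & reach({b}, heap):
                bad.append(f'(4) {a} {b}')
    return bad


# Example 4.1: CellT = mu a.(!set<b>(b).?get(b).a (+) !free().end), b bounded by Top
CELL_T = mu('a', out(br('set', var('b'), inp(br('get', var('b'), var('a'))), 'b', TOP),
                     br('free', END, END)))
# Example 4.2: Stream = mu b.(!m(a).b (+) !eos().end); FWD tries to send z : a
STREAM = mu('b', out(br('m', var('a'), var('b')), br('eos', END, END)))

# Constructed snapshots (not from the paper) of the heap in Example 4.2: before FWD
# forwards f it sits in d's queue and is reachable; after y!m(z) it sits in its own
# queue and no root reaches it.
HEAP_BEFORE = {'c': ('d', []), 'd': ('c', ['f']), 'e': ('f', []), 'f': ('e', [])}
HEAP_AFTER = {'c': ('d', []), 'd': ('c', []), 'e': ('f', []), 'f': ('e', ['f'])}
ROOTS = {'c', 'd', 'e'}

if __name__ == '__main__':
    print(weight(CELL_T), weight(inp(br('get', var('b'), CELL_T)), {'b': ('bound', TOP)}))
    print(send_allowed(var('a'), {'a': ('bound', TOP)}), send_allowed(var('a'), {'a': ('bound', END)}))
    print(heap_violations(HEAP_BEFORE, ROOTS), heap_violations(HEAP_AFTER, ROOTS))
```

Running it reproduces the weights quoted in the text ($\|\mathsf{CellT}\| = 0$, $\|\mathord{?}get(\beta).\mathsf{CellT}\|_{\beta \le \mathsf{Top}} = \infty$, $\|\mathord{?}get(t).\mathsf{CellT}\| = \|t\| + 1$) and shows why FWD is rejected: with $\alpha \le \mathsf{Top}$ the payload $z : \alpha$ has infinite weight, so the second premise of (T-SEND) fails, whereas any bound of finite weight makes the send admissible. The heap check on the constructed snapshots shows what that premise prevents: once $f$ has been enqueued into its own queue it is unreachable from every root, which is exactly the leak condition (3) forbids.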
Finally, rule (T-SUB) is a subsumption rule for assumptions: if a process $P$ is well typed with respect to a context $\Gamma, u : s$, it remains well typed if the type associated with $u$ is more precise than (is a subtype of) $s$.

Systems $(\mu; P)$ are well typed if so are their components:

Definition 4.5 (well-typed system). We write $\Gamma_0; \Gamma \vdash (\mu; P)$ if $\Gamma_0; \Gamma \vdash \mu$ and $\Gamma \vdash P$.

We conclude with two standard results about our framework: well-typedness is preserved by reduction, and well-typed processes are well behaved. Subject reduction is slightly non-standard, in the sense that types in the environment may change as the process reduces. This is common in session type theories, since session types are behavioral types.

Theorem 4.1 (subject reduction). Let $\Gamma_0; \Gamma \vdash (\mu; P)$ and $(\mu; P) \to (\mu'; P')$. Then $\Gamma_0'; \Gamma' \vdash (\mu'; P')$ for some $\Gamma_0'$ and $\Gamma'$.

Theorem 4.2 (safety). Let $\vdash P$. Then $P$ is well behaved.

Example 4.1. Consider the endpoint type $\mathsf{CellT} = \mu\alpha.(\mathord{!}set\langle\beta\rangle(\beta).\mathord{?}get(\beta).\alpha \oplus \mathord{!}free().\mathsf{end})$ modeling the interface of a linear mutable cell. Then it is easy to verify that $c : \mathsf{CellT} \vdash \mathsf{CELL}(c)$ is derivable, where $\mathsf{CELL}$ is the process presented in Example 3.1. Therefore, $\mathsf{CELL}$ is a correct implementation of a linear mutable cell. Since $\mathsf{CellT}$ begins with an internal choice we have $\|\mathsf{CellT}\| = 0$. This means that it is always safe to send an empty cell as the argument of a message, since the second premise of rule (T-SEND) will always be satisfied. On the contrary, we have $\|\mathord{?}get(\beta).\mathsf{CellT}\|_{\beta \le \mathsf{Top}} = \infty$, therefore it seems that initialized cells can never be sent as messages. However, if sender and initializer are the same process, there might be just enough information to deduce that the process is safe. For example, the judgment $a : t,\; b : \mathord{!}send(\mathord{?}get(t).\mathsf{CellT}).\mathsf{end},\; c : \mathsf{CellT} \vdash c\mathord{!}set(a).b\mathord{!}send(c).\mathsf{close}(b)$ is derivable if $\|t\| < \infty$. In this case, the sub-process $b\mathord{!}send(c).\mathsf{close}(b)$ is type checked in an environment where the (residual) endpoint type of $c$ has been instantiated to $\mathord{?}get(t).\mathsf{CellT}$, whose weight is $\|\mathord{?}get(t).\mathsf{CellT}\| = \|t\| + 1 < \infty$.

Example 4.2. Suppose we want to implement a forwarder process that receives two endpoints with dual types and forwards the stream of messages coming from the first endpoint to the second one. We might implement the process thus:

$$
\mathsf{FWD}(a) = a\mathord{?}src(x).a\mathord{?}dest(y).\mathsf{rec}\,X.\big(x\mathord{?}m(z).y\mathord{!}m(z).X + x\mathord{?}eos().y\mathord{!}eos().(\mathsf{close}(x) \mid \mathsf{close}(y) \mid \mathsf{close}(a))\big)
$$

However, the judgment $a : \mathord{?}src\langle\alpha\rangle(\overline{\mathsf{Stream}}).\mathord{?}dest(\mathsf{Stream}).\mathsf{end} \vdash \mathsf{FWD}(a)$, where $\mathsf{Stream} = \mu\beta.(\mathord{!}m(\alpha).\beta \oplus \mathord{!}eos().\mathsf{end})$, is not derivable because there is no upper bound to the weight of $\alpha$ and $\mathsf{FWD}(a)$ attempts to send $z$ where $z : \alpha$. Had $\mathsf{FWD}(a)$ been typable, it would be possible to create a leak with the process

$$
\mathsf{open}(a, b).\big(\mathsf{FWD}(a) \mid \mathsf{open}(c, d).\mathsf{open}(e, f).b\mathord{!}src(d).b\mathord{!}dest(e).c\mathord{!}m(f).c\mathord{!}eos().(\mathsf{close}(b) \mid \mathsf{close}(c))\big)
$$

which has the effect of enqueuing $f$ into its own queue. The process $\mathsf{FWD}$ becomes typable as soon as $\alpha$ in $a$'s type is given a bound with a finite weight.

5 Related work

Copyless message passing is one of the key features adopted by the Singularity OS [12] to compensate for the overhead of communication-based interactions between isolated processes. Communication safety and deadlock freedom can be ensured by checking processes against channel contracts that are deterministic, autonomous, and synchronizing [15].
As argued in [7] and shown in [2], the first two conditions make it possible to split contracts into pairs of dual endpoint types, and to implement the static analysis along the lines of well-known session type theories [10, 11]. In [2] it was also observed that these conditions are insufficient for preventing memory leaks, and it was shown how to address the issue by imposing a "finite-weight" restriction on endpoint types. In the present paper we further generalize our solution by allowing infinite-weight endpoint types in general, although only endpoints with finite weight can actually be sent as messages (see the extra premise of rule (T-SEND)). As a matter of fact, [7] already noted that the implementation of ownership transfer posed some consistency issues if endpoints not in a send state were allowed to be sent as messages, but no relation with memory leaks was observed. Since our "finite-weight" condition is a generalization of the send-state condition (send-state endpoints always have null weight), our work provides a formal proof that the send-state condition is also sufficient for avoiding memory leaks. Other works [7, 9] introduce apparently similar "finite-weight" restrictions on session types to make sure that the message queues of the corresponding channels are bounded. Our weights are unrelated to the size of queues and concern the length of chains of pointers involving queues.

Polymorphic contracts and endpoint types of the Singularity OS [13] have never been formalized before, nor do they appear to be supported by the Singularity RDK. Our polymorphic endpoint types are closely related to the session types in [8], which was the first work to introduce bounded polymorphism for session types. There are a few technical differences between our polymorphic endpoint types and the session types in [8]: we unify external and internal choices with input and output operations, respectively, so as to model Singularity contracts more closely; we admit recursive endpoint types, while the support for recursion was only informally sketched in [8]. This led us to define subtyping coinductively, rather than by means of an inductive deduction system. Finally, we dropped lower type bounds and preferred to work with a restricted language of well-formed endpoint types, which we claim to be appropriate in practice. Another work where session types are enriched with bounded polymorphism is [6], but in that case polymorphism is restricted to data, while in [8] and in the present paper type variables range over behaviors as well. Interestingly, all the critical endpoint types in [2] that violate the "finite-weight" restriction are recursive. This is no longer the case when (bounded) polymorphism is added: there are finite endpoint types that can cause memory leaks if sent as messages.

A radically different approach to the static analysis of Singularity processes is given by [17, 18], where the authors develop a proof system based on a variant of separation logic [14]. However, leaks in [17] manifest themselves only when both endpoints of a channel have been closed. In particular, it is possible to prove that the code fragment (1) is correct, although it does indeed leak some memory. This problem has subsequently been recognized and solved in [16]. Roughly, the solution consists in forbidding the output of a message unless it is possible to prove (in the logic) that the queue that is going to host the message is not reachable from the content of the message itself. In principle this condition is optimal, in the sense that it should permit every safe output. However, it relies on knowledge of the identity of endpoints, which is very precise information that is not always available. For this reason, [16] also proposes an approximation of this condition, consisting in tagging the endpoints of a channel with distinct roles (basically, what are called importing and exporting ends in Singularity). Then, an endpoint can be safely sent as a message only if its role matches that of the endpoint on which it is sent. This solution is incomparable to the one we advocate (restricting the output to endpoints with finite-weight type), suggesting that it may be possible to work out a combination of the two.

There exist a few works on session types [1, 4] that guarantee a global progress property for well-typed systems, where the basic idea is to impose an order on channels to prevent circular dependencies that could lead to a deadlock. Not surprisingly, the critical processes (such as (1)) that we rule out thanks to the finite-weight restriction on the type of messages are ill typed in these works. It turns out that a faithful encoding of (1) into the models proposed in these works is impossible, because the $\mathsf{open}(\cdot, \cdot)$ primitive we adopt creates both endpoints of a channel within the same process, while the session initiation primitives in [1, 4] associate the fresh endpoints of a newly opened session with different processes running in parallel. This invariant (that the same process cannot own more than one endpoint of the same channel) is preserved in well-typed processes because of a severe restriction: whenever an endpoint $c$ is received, the continuation process cannot use any endpoint other than $c$ and the one from which $c$ was received.
6 Conclusion and future work

In [2] we formalized CoreSing#, a core language of software-isolated processes that communicate through copyless message passing. Well-typed processes were shown to be free from faults, leaks, and communication errors. In the present paper we have extended the type system of CoreSing# with bounded polymorphism, along the lines of what has been done for session types in [8]. Bounded polymorphism increases the expressiveness of types and improves the modularity and reusability of components. In our setting, where resources (and endpoints in particular) are linear, we claim that bounded polymorphism is even more useful in order to avoid the loss of type information that occurs when endpoints are delegated and therefore exit the scope of the sender process (Section 2). We have shown that the finite-weight restriction we introduced in [2] scales smoothly to the richer type language, despite the fact that polymorphism augments the critical situations in which a leak may occur (recursive types are no longer necessary to find apparently well-typed processes that leak memory, as shown in Section 1). This is mostly due to a nice property of weights (Proposition 4.3). Unlike [2], we have omitted cells and open cell types, basically because they can be encoded thanks to the increased expressiveness given by (bounded) polymorphism (Examples 3.1 and 4.1).

With respect to Sing#, our model still differs in a number of ways. First of all, PolySing# processes are terms of a process algebra, while Sing# is an imperative programming language similar to C#. As a consequence, there is no direct mapping of Sing# programs onto PolySing# processes, even though we claim that our calculus captures all of the peculiar features of Sing#, namely explicit memory management (with respect to the exchange heap), the controlled ownership of memory allocated in the exchange heap, and the contract-based communication primitives. Second, in [2] and in the present paper we do not deal with mutable record structures nor with mutable arrays, but only with mutable cells. The extension to the general framework is straightforward and does not pose new technical problems. Finally, the fact that we do not take into account non-linear values is indeed a limitation of the model presented here, but we plan to extend it in this direction as described next.

We envision two developments for this work. The first is to enrich the type system with non-linear types, those denoting resources (such as permanent services) that can be shared among processes. Even though it is plausible to think that the technical details are relatively easy to work out (non-linear types are supported by [8] and by most other session type theories), we see this enhancement as a necessary step for PolySing# to be a useful model of Singularity processes. The second development, which looks much more challenging, is the definition of an algorithm for deciding subtyping (Definition 4.2). As observed in [8], bounded polymorphic session types share many properties with the type language of System $F_{<:}$ [3]. Therefore, while it is reasonable to expect that properties and algorithms for extensions of $F_{<:}$ with recursive types [5] carry over to our setting, the exact details may vary.

Acknowledgments.
We are grateful to the anonymous referees for their detailed comments and reviews, and to the organizers of the ICE workshop for setting up the interactive reviewing process.

References

[1] Lorenzo Bettini, Mario Coppo, Loris D'Antoni, Marco De Luca, Mariangiola Dezani-Ciancaglini & Nobuko Yoshida (2008): Global Progress in Dynamically Interleaved Multiparty Sessions. In: CONCUR'08, LNCS 5201, Springer, pp. 418–433, doi:10.1007/978-3-540-85361-9_33.
[2] Viviana Bono, Chiara Messa & Luca Padovani (2011): Typing Copyless Message Passing. In: ESOP'11, LNCS 6602, Springer, pp. 57–76, doi:10.1007/978-3-642-19718-5_4.
[3] Luca Cardelli, Simone Martini, John C. Mitchell & Andre Scedrov (1994): An Extension of System F with Subtyping. Information and Computation 109(1/2), pp. 4–56, doi:10.1006/inco.1994.1013.
[4] Giuseppe Castagna, Mariangiola Dezani-Ciancaglini, Elena Giachino & Luca Padovani (2009): Foundations of Session Types. In: PPDP'09, ACM, pp. 219–230, doi:10.1145/1599410.1599437.
[5] Dario Colazzo & Giorgio Ghelli (2005): Subtyping, recursion, and parametric polymorphism in kernel Fun. Information and Computation 198(2), pp. 71–147, doi:10.1016/j.ic.2004.11.003.
[6] Mariangiola Dezani-Ciancaglini, Sophia Drossopoulou, Elena Giachino & Nobuko Yoshida (2007): Bounded Session Types for Object-Oriented Languages. In: FMCO'06, LNCS 4709, Springer, pp. 207–245, doi:10.1007/978-3-540-74792-5_10.
[7] Manuel Fähndrich, Mark Aiken, Chris Hawblitzel, Orion Hodson, Galen Hunt, James R. Larus & Steven Levi (2006): Language support for fast and reliable message-based communication in Singularity OS. In: EuroSys'06, ACM, pp. 177–190, doi:10.1145/1217935.1217953.
[8] Simon Gay (2008): Bounded polymorphism in session types. Mathematical Structures in Computer Science 18(5), pp. 895–930, doi:10.1017/S0960129508006944.
[9] Simon Gay & Vasco T. Vasconcelos (2010): Linear type theory for asynchronous session types. Journal of Functional Programming 20(1), pp. 19–50, doi:10.1017/S0956796809990268.
[10] Kohei Honda (1993): Types for dyadic interaction. In: CONCUR'93, LNCS 715, Springer, pp. 509–523, doi:10.1007/3-540-57208-2_35.
[11] Kohei Honda, Vasco T. Vasconcelos & Makoto Kubo (1998): Language primitives and type disciplines for structured communication-based programming. In: ESOP'98, LNCS 1381, Springer, pp. 122–138, doi:10.1007/BFb0053567.
[12] Galen Hunt, James Larus, Martín Abadi, Mark Aiken, Paul Barham, Manuel Fähndrich, Chris Hawblitzel, Orion Hodson, Steven Levi, Nick Murphy, Bjarne Steensgaard, David Tarditi, Ted Wobber & Brian Zill (2005): An Overview of the Singularity Project. Technical Report MSR-TR-2005-135, Microsoft Research.
[13] Microsoft (2004): Singularity design note 5: Channel contracts. Technical Report, Microsoft Research. Available at http://www.codeplex.com/singularity.
[14] Peter W. O'Hearn, John C. Reynolds & Hongseok Yang (2001): Local Reasoning about Programs that Alter Data Structures. In: CSL'01, LNCS 2142, Springer, pp. 1–19, doi:10.1007/3-540-44802-0_1.
[15] Zachary Stengel & Tevfik Bultan (2009): Analyzing singularity channel contracts. In: ISSTA'09, ACM, pp. 13–24, doi:10.1145/1572272.1572275.
[16] Jules Villard (2011): Heaps and Hops. Ph.D. thesis, Laboratoire Spécification et Vérification, ENS Cachan, France.
[17] Jules Villard, Étienne Lozes & Cristiano Calcagno (2009): Proving Copyless Message Passing. In: APLAS'09, LNCS 5904, Springer, pp. 194–209, doi:10.1007/978-3-642-10672-9_15.
[18] Jules Villard, Étienne Lozes & Cristiano Calcagno (2010): Tracking Heaps That Hop with Heap-Hop. In: TACAS'10, LNCS 6015, Springer, pp. 275–279, doi:10.1007/978-3-642-12002-2_23.