Composition and decomposition of multiparty sessions

https://doi.org/10.1016/j.jlamp.2020.100620Get rights and content

Abstract

Multiparty sessions are systems of concurrent processes, which allow several participants to communicate by sending and receiving messages. Their overall behaviour can be described by means of global types. Typable multiparty sessions enjoy lock-freedom.

We look at multiparty sessions as open systems by allowing one to compose multiparty sessions by transforming two of their participants into a pair of coupled gateways, forwarding messages between the two sessions. Gateways need to be compatible. We show that the session resulting from the composition can be typed, and its type can be computed from the global types of the starting sessions. As a consequence, lock-freedom is preserved by composition. Compatibility between global types is necessary, since systems obtained by composing sessions with incompatible global types have locks (or they are not sessions). We also define direct composition, which allows one to connect two global types without using gateways. Finally, we propose a decomposition operator, to split a global type into two, which is the left inverse of direct composition. Direct composition and decomposition on global types prepare the ground for a novel framework allowing for the modular design and implementation of distributed systems.

Introduction

Distributed systems are seldom developed as independent entities. Indeed, in many cases they should be considered as open entities ready for interaction with an environment. Composition may be specified either statically, for a fixed environment, or dynamically, if the environment only becomes known upon deployment. In general, it is fairly natural to expect to connect open systems as if they were composable modules, and in doing that one should rely on ‘‘safe’’ methodologies and techniques, guaranteeing the composition not to ‘‘break’’ any relevant property of the single systems.

In [1] a methodology has been proposed for the composition of systems, consisting in replacing any two participants (one per system) - if their behaviours are ‘‘compatible’’ - by a pair of coupled forwarders, dubbed gateways, enabling the two systems to exchange messages. In this approach, the behaviour of any participant can be looked at as an interface. In this setting, the notion of interface is interpreted not as the description of the interactions ‘‘offered’’ by a system but, dually, as those ‘‘required’’ by a possible environment (usually another system).

A convenient way to tackle the complexity of message-passing applications is by means of global specifications. The idea is to devise an abstract representation of the system, the so-called global view, that can be used as the blueprint for the realisation of each participant. A neat formalisation of this idea are MultiParty Session Types (MPSTs), introduced in [31], [32]. The global view is rendered in MPSTs as a global type meant to capture the interactions among the participants of the protocol. We illustrate, by means of a simple example, how the general idea of composition of systems by gateways can be exploited in the setting of MPTSs.

Let us assume to have System 1 formed by two participants, Alice and Bob, where Alice sends Bob a request for some advice and receives back either the advice asked for or an apology (sorry) for not being of any help. Let us also assume to have System 2, with participants Carol and Donald, where Carol sends a message req to Donald who surely replies with an advice, since, in case he does not know what to say, he provides one good for any occasion. Fig. 1 shows the UML-like diagrams (following the intuitive notation introduced in [31]) of Systems 1 and 2, where the curly bracket is used to group possible choices. These diagrams yield the global views of our systems. The representation in terms of global types of these views is as follows:G1=AliceBob:req.BobAlice:{adv.End,sorry.End}G2=CarolDonald:req.DonaldCarold:adv.End Notice how G1 and G2 give a faithful textual representation of the diagrams in Fig. 1. An advantage of global types is that they can be equipped with a precise semantics that allows one to verify if a realisation is correct with respect to the specification. For instance, the interaction behaviour of (a realisation of) Bob and of Carol can be specified respectively as:Bob=Alice?req.Alice!{adv,sorry}Carol=Donald!req.Donald?adv where ?_ means input, !_ means output and between curly brackets we put possible input or output choices (those for input corresponding to external choices and those for output to internal choices).

Let us now think of System 1 and System 2 as open systems. Then, rather than looking at Bob and Carol as actual participants, we can consider them as interfaces. More precisely, the realisations in (1) represent the behaviour of advice-providing and advice-requesting interfaces of systems to which System 2 and System 1, respectively, are willing to connect. Since any request can be satisfied,5 System 1 and System 2 can be connected by simply refining Bob and Carol as ‘‘forwarding’’ processes (dubbed gateways):Bob=Alice?req.Carol!req.Carol?{adv.Alice!adv,sorry.Alice!sorry}Carol=Bob?req.Donald!req.Donald?adv.Bob!adv Notice that Bob's option of sending an apology is never used, since Donald never activates it, hence it will disappear from the global type describing the composition of G1 and G2 using Bob and Carol as gateways:G1BobCarolG2=AliceBob:req.BobCarol:req.CarolDonald:req.DonaldCarol:adv.CarolBob:adv.BobAlice:adv Fig. 2 shows the UML-like diagram corresponding to the above global type. In [1] it is shown that, by connecting systems of Communicating Finite State Machines (CFSMs) [9] as shown above, many relevant properties of communication, such as deadlock freedom, are preserved.

One of the contributions of the present paper is to provide a choreography formalism enabling the ‘‘lifting’’ of the composition-by-gateways approach in [1] from systems to protocol descriptions, represented as MPSTs. More precisely, we define a function that, given two MPSTs and two participants (one per MPST) to be used as interfaces, computes the MPST of the composed system, as informally shown above in the G1BobCarolG2 example. This allows one to lift to the composed system all the guarantees on the soundness of communication provided by the chosen MPST formalism.

In our formalism, in particular, typable systems are guaranteed to be lock-free [34]. Hence, the systems obtained by composing typable systems are lock-free too. Beyond this, the global type of the composed system also provides a global view of the new system. Both the benefits are direct consequences of one of our main contributions: the function from the global types of the original systems to the global type of the system obtained by the composition outlined above.

We remark that our approach does not change the syntax of the chosen MPST approach, but allows one to look at it as a formalism to describe open systems (while MPSTs normally describe only closed systems).

While the idea of the approach is rather general, not all MPST formalisms in the literature are suitable for its application. For instance, the requirements imposed by the type system in [19] are too strong for the gateway processes to be typed, thus we could not get any guarantee on the result of the composition.

In the present paper we apply the approach in a setting as simple as possible (inspired by [43]), to highlight its features and avoid non intrinsic complexity. In particular, the simplicity of the calculus allows us to get rid of channels and local types. Moreover, as discussed in Section 11, our treatment of infinitary computations avoids the hindering issues caused by a syntactic description of recursion.

In order to ensure the correctness of composition, we appeal to interface compatibility, a condition on the two participants chosen as interfaces. We show that the compatibility relation used in [1] can be relaxed to a relation closely connected to the observational preorder of [43], in turn corresponding to the subtyping relation for session types of [28], [22]. In particular, in [1] the interaction behaviour of Carol – in order to be compatible with Bob's one – should necessarily be Donald!req.Donald?{adv,sorry} (or Bob's should be Alice?req.Alice!adv). We show instead that the notion of compatibility can actually be relaxed so to allow our Bob and Carol in (1) to be compatible.

The notion of compatibility between global types is further investigated by showing it to be, not only a sufficient condition to get lock-freedom preservation under composition, but also a necessary condition.

The use of gateways enables a safe connection of systems by means of a minimal modification, corresponding to the transformation of interface participants into forwarders, while the other participants are unchanged. This property is quite important when composition happens dynamically. However this approach is less suitable when composition is performed statically, to support a modular design and development process. Indeed, in this case one would like to avoid the overhead due to gateways.

For instance, in our simple example, the composition of System 1 and System 2 could be obtained by ‘‘bypassing’’ the interface partecipants, so getting an MPST whose UML-like diagram is shown in Fig. 3.

To formalise such an idea, we define a second function which performs direct composition (both at the level of global types and at the level of systems), that is composition not mediated by gateways. One can see direct composition as a simplification of composition by gateways, where the behaviour of gateways is internalised in the participants willing to communicate with the other system, hence gateways are no more needed. Of course, this approach requires some (limited) changes to the other participants of the systems to be composed.

Moreover, we complement direct composition with an operation of decomposition, which is, on global types, its left inverse. Decomposition allows one to take a typed MPST and split its participants into two groups (to each group an interface participant is also added), thus creating two MPSTs. A MPST with the original global type can be recovered by direct composition. For example the decomposition of the system with the UML-diagram of Fig. 3 by adding Bob and Carol gives the systems represented in Fig. 4.

Direct composition and decomposition form the basis of a modular design and implementation development process, where one can take a global description, divide it into descriptions of subsystems to be implemented separately, and then safely compose the resulting implementations.

In the standard subtyping for session types, supertypes have less inputs and more outputs than their subtypes [22]. In our type system we use a preorder on processes in which larger processes have less inputs than smaller ones, but the same outputs. This allows us to get: (i) a stronger notion of session fidelity, (ii) a better correspondence between composition by gateways at the level of multiparty sessions and the one at the level of global types, (iii) the necessity of compatibility between global types to ensure that lock-freedom is preserved under composition. Besides, we show that such a restriction does not change the class of multiparty sessions that can be typed (but may change the types assigned to them).

Outline. Sections 2, 3 and 4 respectively introduce our calculus of multiparty sessions, their global types, and prove the properties that well-typed sessions enjoy. Sections 5 and 6 define the compatibility relation and the composition via gateways for sessions and global types, respectively. The key result that sessions obtained from composition are typable (and hence lock free) is presented in Theorem 6.10. In Section 7 compatibility between global types is shown to be not only a sufficient, but also a necessary condition for lock-freedom of composition. Direct composition, allowing one to compose systems without the need for gateways, is defined in Section 8, where related properties are also discussed and proved. The decomposition operation, which complements the direct composition operation, is defined and investigated in Section 9. In Section 10 we discuss how all previous results change if we consider a preorder on processes mimicking the standard subtyping relation on session types, that allows larger processes to have more outputs than smaller ones. Section 11 concludes by a recap of the paper and by discussing related and future work.

Comparison with the workshop version. The present paper is a revised and extended version of [3]. The definition of the composition operation, first presented in [3], is considerably improved here, enabling us to simplify and make more readable also the proofs of most of the related results. This paper includes also a number of new contributions. First, we show that compatibility between global types is not only a sufficient, but also a necessary condition in order to get lock-freedom preservation for composition of typable multiparty sessions. Also, both the direct composition and the decomposition operations, and all the related results, are new. Lastly, in the workshop version we did not consider how the results change when the processes are compared using a preorder mimicking the standard subtyping.

Section snippets

Processes and multiparty sessions

We use the following base sets and notation: messages, ranged over by ,,; session participants, ranged over by p,q,; processes, ranged over by P,Q,; multiparty sessions, ranged over by M,M,; integers, ranged over by n,m,i,j,.

Processes implement the behaviour of participants. The input process p?{i.Pi|1in} waits for one of the messages i from participant p; the output process p!{i.Pi|1in} non-deterministically chooses one message i for some i, 1in, and sends it to participant p

Global types and typing system

The behaviour of multiparty sessions can be disciplined by means of types. Global types describe the whole conversation scenarios of multiparty sessions. As in [43] we directly assign global types to multiparty sessions without the usual detour around session types and subtyping [31], [32].

The type pq:{i.Gi|1in} formalises a protocol where participant p must send to q a message i for some i, 1in, (and q must receive it) and then, depending on which i was chosen by p, the protocol

Properties of well-typed sessions

We start with the standard lemmas of inversion and canonical form, easily following from Rule [t-sess].

Lemma 4.1 Inversion Lemma

If M:G and pPM, then PGp.

Lemma 4.2 Canonical form Lemma

If M:G and pptg(G), then there is pPM and PGp.

To formalise the properties of Subject Reduction and Session Fidelity [31], [32], we use the standard LTS for global types given below.

Definition 4.3 LTS for global types

The labelled transition system (LTS) for global types is specified by the rules:

Rule [Icomm] makes sense since, in a projectable global type rs:Γ, behaviours involving

Composition of multiparty-sessions via gateways

Two multiparty sessions can be composed via gateways when they possess two compatible participants, i.e. participants that offer communications which can be paired. Hence, the two participants can be transformed into forwarders, that we dub ‘‘gateways’’.

We start by discussing the relation of compatibility between processes by elaborating on Example 2.4, Example 3.2. Consider the participant h in these examples as an interface; the messages sent by h have to be considered as those actually

Composition of global types via gateways

The composition defined in the previous section can be shown to be lock-freedom preserving by means of Theorem 4.10. In fact, it is possible to lift the composition via gateways of multiparty sessions in Definition 5.9 to the level of global types. We start by defining the compatibility of global types via two participants, which mimics the compatibility of multiparty sessions via two participants

Definition 6.1 Compatible global types

Two global types G, G are compatible via the participants h and k if ptg(G)ptg(G)= and GhGk

Compatibility of global types is necessary

We have shown that the composition of typeable multiparty sessions, via the transformation of two participants into gateways, does preserve lock-freedom in case the two participants are compatible. One could wonder whether session compatibility, besides being a sufficient condition for ensuring such a preservation property, is also necessary. Example 6.3 shows that this is not the case.

Example 7.1 Session compatibility is not necessary

Let us takeM=ph?|hp! and M=qk!|kq?{,} from Example 6.3. Then (M,h)(M,k) does not hold, and

Direct composition of typed multiparty sessions

The use of gateways enables us to get a ‘‘safe’’ composition of systems by modifying just the interface participants. Therefore such an approach is useful after implementation, since it minimally affects systems that are already implemented. On the other hand, gateways yield a communication overhead due to the forwarding of messages. At design time one could avoid such overhead by directly refining the behaviour of some participants while preserving their ‘‘crucial’’ interactions, and then

Decomposition of typed multiparty sessions

In order to use direct composition in the modular development of systems one needs first to decompose a global specification into modules, then to develop the various modules in isolation, and finally to combine the modules using direct composition. We still miss an operation to decompose a global specification: this will be introduced in the present section. In particular, we will define a function enabling the decomposition of a global type into two global types, whose direct composition

Standard preorder on processes

We now discuss the impact of adopting a structural preorder on processes mimicking the standard subtyping relation [22]. We dub standard preorder this preorder and we denote it as +.

The relation + is obtained by replacing [sub-out] with [sub-out+] below in Definition 3.9, and by replacing the symbol ‘⩽’ with ‘+’ in the other rules. The relation + hence allows more outputs in larger processes than in smaller ones.

Let + be the typing system obtained by using + in rule

(cf.

Concluding remarks, related work, and future developments

The distinguishing feature of an open system of concurrent components is its capacity of communicating with the ‘‘outside’’, i.e. with some environment of the system. This ability provides means for composing open systems into larger systems (which may still be open). In order to compose systems ‘‘safely’’, it is common practice to rely on interface descriptions.

MPST systems [32], [18], [39] are usually assumed to be closed, since all the components needed for the functioning of the system must

Declaration of Competing Interest

No conflicts of interest to declare.

Acknowledgements

We gratefully acknowledge the fruitful interactions and communications with the anonymous referees through the ICE Forum.

The present version of this paper strongly improved with respect to the journal submission thanks to the careful reports. The referees did a great job in pointing out many places where the technical details appeared without the needed explanations. The difference between the two versions are several illustrating discussions with enlightening examples.

References (43)

  • L. Bocchi et al.

    Resolving non-determinism in choreographies

  • L. Bocchi et al.

    On resolving non-determinism in choreographies

    Log. Methods Comput. Sci.

    (2020)
  • D. Brand et al.

    On communicating finite-state machines

    J. ACM

    (1983)
  • R. Bruni et al.

    Data-driven choreographies à la Klaim

  • L. Caires et al.

    Multiparty session types within a canonical binary theory, and beyond

  • M. Carbone et al.

    Coherence generalises duality: a logical explanation of multiparty session types

  • M. Carbone et al.

    Choreographies for reactive programming

  • F. Cardone et al.

    Recursive types

  • G. Castagna et al.

    A theory of contracts for web services

    ACM Trans. Program. Lang. Syst.

    (2009)
  • I. Castellani et al.

    Reversible sessions with flexible choices

    Acta Inform.

    (2019)
  • M. Coppo et al.

    A gentle introduction to multiparty asynchronous session types

  • Cited by (25)

    • Composition of synchronous communicating systems

      2023, Journal of Logical and Algebraic Methods in Programming
    • A type language for distributed reactive components governed by communication protocols

      2023, Journal of Logical and Algebraic Methods in Programming
    • Event structure semantics for multiparty sessions

      2023, Journal of Logical and Algebraic Methods in Programming
      Citation Excerpt :

      The main drawback would be that Theorem 8.18 would no longer hold: more precisely, the domains of network configurations would only be embedded in (and not isomorphic to) the domains of their global type configurations. Notably, typability is independent from the use of our preorder or of the standard one, as proved in [4]. As regards future work, we plan to define an asynchronous transition system (ATS) [5] for our calculus, along the lines of [10], and show that it provides a noninterleaving operational semantics for networks that is equivalent to their FES semantics.

    • Multicompatibility for Multiparty-Session Composition

      2023, ACM International Conference Proceeding Series
    • Partially Typed Multiparty Sessions

      2023, Electronic Proceedings in Theoretical Computer Science, EPTCS
    View all citing articles on Scopus
    1

    Partially supported by the Prog to di ateneo Piaceri 2020, Università di Catania.

    2

    Partially supported by Compagnia San Paolo Ateneo/CSP EX-POST 2018 Project ‘‘Aggregate Programming’’.

    3

    Partially supported by INdAM as members of GNCS (Gruppo Nazionale per il Calcolo Scientifico).

    4

    Research partly supported by the EU H2020 RISE programme under the Marie Sklodowska-Curie grant agreement No 778233 and by the MIUR project PRIN 2017FTXR7S “IT-MaTTerS” (Methods and Tools for Trustworthy Smart Systems).

    View full text