Abstract
Message passing is a useful abstraction to implement concurrent programs. For real-world systems, however, it is often combined with other programming and concurrency paradigms, such as higher-order functions, mutable state, shared-memory concurrency, and locks. We present Actris: a logic for proving functional correctness of programs that use a combination of the aforementioned features. Actris combines the power of modern concurrent separation logics with a first-class protocol mechanism—based on session types—for reasoning about message passing in the presence of other concurrency paradigms. We show that Actris provides a suitable level of abstraction by proving functional correctness of a variety of examples, including a distributed merge sort, a distributed load-balancing mapper, and a variant of the map-reduce model, using relatively simple specifications. Soundness of Actris is proved using a model of its protocol mechanism in the Iris framework. We mechanised the theory of Actris, together with tactics for symbolic execution of programs, as well as all examples in the paper, in the Coq proof assistant.
Actris: session-type based reasoning in separation logic