Anson Miu,Francisco Ferreira,Nobuko Yoshida,Fangyi Zhou

DOI: https://doi.org/10.4204/EPTCS.314.2

2020-04-03

Abstract:Advancements in mobile device computing power have made interactive web applications possible, allowing the web browser to render contents dynamically and support low-latency communication with the server. This comes at a cost to the developer, who now needs to reason more about correctness of communication patterns in their application as web applications support more complex communication patterns. Multiparty session types (MPST) provide a framework for verifying conformance of implementations to their prescribed communication protocol. Existing proposals for applying the MPST framework in application developments either neglect the event-driven nature of web applications, or lack compatibility with industry tools and practices, which discourages mainstream adoption by web developers. In this paper, we present an implementation of the MPST framework for developing interactive web applications using familiar industry tools using TypeScript and the <a class="link-external link-http" href="http://React.js" rel="external noopener nofollow">this http URL</a> framework. The developer can use the Scribble protocol language to specify the protocol and use the Scribble toolchain to validate and obtain the local protocol for each role. The local protocol describes the interactions of the global communication protocol observed by the role. We encode the local protocol into TypeScript types, catering for server-side and client-side targets separately. We show that our encoding guarantees that only implementations which conform to the protocol can type-check. We demonstrate the effectiveness of our approach through a web-based implementation of the classic Noughts and Crosses game from an MPST formalism of the game logic.

Programming Languages,Software Engineering

Nicolas Lagaillardie,Rumyana Neykova,Nobuko Yoshida

DOI: https://doi.org/10.48550/arXiv.2204.13464

2022-04-28

Abstract:Communicating systems comprise diverse software components across networks. To ensure their robustness, modern programming languages such as Rust provide both strongly typed channels, whose usage is guaranteed to be affine (at most once), and cancellation operations over binary channels. For coordinating components to correctly communicate and synchronise with each other, we use the structuring mechanism from multiparty session types, extending it with affine communication channels and implicit/explicit cancellation mechanisms. This new typing discipline, affine multiparty session types (AMPST), ensures cancellation termination of multiple, independently running components and guarantees that communication will not get stuck due to error or abrupt termination. Guided by AMPST, we implemented an automated generation tool (MultiCrusty) of Rust APIs associated with cancellation termination algorithms, by which the Rust compiler auto-detects unsafe programs. Our evaluation shows that MultiCrusty provides an efficient mechanism for communication, synchronisation and propagation of the notifications of cancellation for arbitrary processes. We have implemented several usecases, including popular application protocols (OAuth, SMTP), and protocols with exception handling patterns (circuit breaker, distributed logging).

Programming Languages

Zak Cutner,Nobuko Yoshida,Martin Vassor

DOI: https://doi.org/10.48550/arXiv.2112.12693

2022-02-03

Abstract:Rust is a modern systems language focused on performance and reliability. Complementing Rust's promise to provide "fearless concurrency", developers frequently exploit asynchronous message passing. Unfortunately, arbitrarily ordering sending and receiving messages to maximise computation-communication overlap (a popular optimisation to message-passing applications) opens up a Pandora's box of further subtle concurrency bugs. To guarantee deadlock-freedom by construction, we present Rumpsteak: a new Rust framework based on multiparty session types. Previous session type implementations in Rust are either built upon synchronous and blocking communication and/or limited to two-party interactions. Crucially, none support the arbitrary ordering of messages for efficiency. Rumpsteak instead targets asynchronous async/await code. Its unique ability is allowing developers to arbitrarily order send/receive messages while preserving deadlock-freedom. For this, Rumpsteak incorporates two recent advanced session type theories: (1) k-multiparty compatibility (kmc), which globally verifies the safety of a set of participants, and (2) asynchronous multiparty session subtyping, which locally verifies optimisations in the context of a single participant. Specifically, we propose a novel algorithm for asynchronous subtyping that is both sound and decidable. We first evaluate the performance and expressiveness of Rumpsteak against three previous Rust implementations. We discover that Rumpsteak is around 1.7--8.6x more efficient and can safely express many more examples by virtue of offering arbitrary message ordering. Secondly, we analyse the complexity of our new algorithm and benchmark it against kmc and a binary session subtyping algorithm. We find they are exponentially slower than Rumpsteak's.

Programming Languages,Software Engineering

Ping Hou,Nicolas Lagaillardie,Nobuko Yoshida

2024-08-30

Abstract:Session types using affinity and exception handling mechanisms have been developed to ensure the communication safety of protocols implemented in concurrent and distributed programming languages. Nevertheless, current affine session types are inadequate for specifying real-world asynchronous protocols, as they are usually imposed by time constraints which enable timeout exceptions to prevent indefinite blocking while awaiting valid messages. This paper proposes the first formal integration of affinity, time constraints, timeouts, and time-failure handling based on multiparty session types for supporting reliability in asynchronous distributed systems. With this theory, we statically guarantee that asynchronous timed communication is deadlock-free, communication safe, while being fearless -- never hindered by timeout errors or abrupt terminations. To implement our theory, we introduce a Rust toolchain designed to facilitate the implementation of safe affine timed protocols. Our toolchain leverages generic types and the time library to handle timed communications, integrated with optional types for affinity. We evaluate our approach by extending diverse examples from the literature to incorporate time and timeouts, demonstrating that our solution incurs negligible overhead compared with an untimed implementation. We also showcase the correctness by construction of our approach by implementing various real-world use cases, including a remote data protocol from the Internet of Remote Things domain, as well as protocols from real-time systems like Android motion sensors and smartwatches.

Programming Languages

Nuno Burnay,Antónia Lopes,Vasco T. Vasconcelos

DOI: https://doi.org/10.48550/arXiv.2007.08048

2020-07-16

Software Engineering

Abstract:Consumption of REST services has become a popular means of invoking code provided by third parties, particularly in web applications. Nowadays programmers of web applications can choose TypeScript over JavaScript to benefit from static type checking that enables validating calls to local functions or to those provided by libraries. Errors in calls to REST services, however, can only be found at run-time. In this paper, we present SafeRESTScript (SRS, for short) a language that extends the support of static analysis to calls to REST services, with the ability to statically find common errors such as missing or invalid data in REST calls and misuse of the results from such calls. SafeRESTScript features a syntax similar to JavaScript and is equipped with (i) a rich collection of types (including objects, arrays and refinement types)and (ii) primitives to natively support REST calls that are statically validated against specifications of the corresponding APIs. Specifications are written in HeadREST, a language that also features refinement types and supports the description of semantic aspects of REST APIs in a style reminiscent of Hoare triples. We present SafeRESTScript and its validation system, based on a general-purpose verification tool (Boogie). The evaluation of SafeRESTScript and of the prototype implementations for its validator, available in the form of an Eclipse plugin, is also discussed.

Zekun Ji,Shuling Wang,Xiong Xu

2023-10-20

Abstract:Message passing is a fundamental element in software development, ranging from concurrent and mobile computing to distributed services, but it suffers from communication errors such as deadlocks. Session types are a typing discipline for enforcing safe structured interactions between multiple participants. However, each typed interaction is restricted to having one fixed sender and one fixed receiver. In this paper, we extend session types with existential branching types, to handle a common interaction pattern with multiple senders and a single receiver in a synchronized setting, i.e. a receiver is available to receive messages from multiple senders, and which sender actually participates in the interaction cannot be determined till execution. We build the type system with existential branching types, which retain the important properties induced by standard session types: type safety, progress (i.e. deadlock-freedom), and fidelity. We further provide a novel communication type system to guarantee progress of dynamically interleaved multiparty sessions, by abandoning the strong restrictions of existing type systems. Finally, we encode Rust multi-thread primitives in the extended session types to show its expressivity, which can be considered as an attempt to check the deadlock-freedom of Rust multi-thread programs.

Programming Languages

Nuno Alves,Raymond Hu,Nobuko Yoshida,Pierre-Malo Deniélou

DOI: https://doi.org/10.4204/EPTCS.69.1

2011-10-19

Abstract:The development of the SJ Framework for session-based distributed programming is part of recent and ongoing research into integrating session types and practical, real-world programming languages. SJ programs featuring session types (protocols) are statically checked by the SJ compiler to verify the key property of communication safety, meaning that parties engaged in a session only communicate messages, including higher-order communications via session delegation, that are compatible with the message types expected by the recipient. This paper presents current work on security aspects of the SJ Framework. Firstly, we discuss our implementation experience from improving the SJ Runtime platform with security measures to protect and augment communication safety at runtime. We implement a transport component for secure session execution that uses a modified TLS connection with authentication based on the Secure Remote Password (SRP) protocol. The key technical point is the delicate treatment of secure session delegation to counter a previous vulnerability. We find that the modular design of the SJ Runtime, based on the notion of an Abstract Transport for session communication, supports rapid extension to utilise additional transports whilst separating this concern from the application-level session programming task. In the second part of this abstract, we formally prove the target security properties by modelling the extended SJ delegation protocols in the pi-calculus.

Distributed, Parallel, and Cluster Computing,Cryptography and Security,Networking and Internet Architecture,Programming Languages

Adam D. Barwell,Ping Hou,Nobuko Yoshida,Fangyi Zhou

2024-08-21

Abstract:Session types provide a typing discipline for message-passing systems. However, their theory often assumes an ideal world: one in which everything is reliable and without failures. Yet this is in stark contrast with distributed systems in the real world. To address this limitation, we introduce a new asynchronous multiparty session types (MPST) theory with crash-stop failures, where processes may crash arbitrarily and cease to interact after crashing. We augment asynchronous MPST and processes with crash handling branches, and integrate crash-stop failure semantics into types and processes. Our approach requires no user-level syntax extensions for global types, and features a formalisation of global semantics, which captures complex behaviours induced by crashed/crash handling processes. Our new theory covers the entire spectrum, ranging from the ideal world of total reliability to entirely unreliable scenarios where any process may crash, using optional reliability assumptions. Under these assumptions, we demonstrate the sound and complete correspondence between global and local type semantics, which guarantee deadlock-freedom, protocol conformance, and liveness of well-typed processes by construction, even in the presence of crashes.

Logic in Computer Science,Programming Languages

Samuel Cavoj,Ivan Nikitin,Colin Perkins,Ornela Dardha

DOI: https://doi.org/10.4204/EPTCS.401.3

2024-04-08

Abstract:Session types are a typing discipline used to formally describe communication-driven applications with the aim of fewer errors and easier debugging later into the life cycle of the software. Protocols at the transport layer such as TCP, UDP, and QUIC underpin most of the communication on the modern Internet and affect billions of end-users. The transport layer has different requirements and constraints compared to the application layer resulting in different requirements for verification. Despite this, to our best knowledge, no work shows the application of session types at the transport layer. In this work, we discuss how multiparty session types (MPST) can be applied to implement the TCP protocol. We develop an MPST-based implementation of a subset of a TCP server in Rust and test its interoperability against the Linux TCP stack. Our results highlight the differences in assumptions between session type theory and the way transport layer protocols are usually implemented. This work is the first step towards bringing session types into the transport layer.

Programming Languages,Networking and Internet Architecture

Vassor Martin,Yoshida Nobuko

2024-08-09

Abstract:Multiparty message-passing protocols are notoriously difficult to design, due to interaction mismatches that lead to errors such as deadlocks. Existing protocol specification formats have been developed to prevent such errors (e.g. multiparty session types (MPST)). In order to further constrain protocols, specifications can be extended with refinements, i.e. logical predicates to control the behaviour of the protocol based on previous values exchanged. Unfortunately, existing refinement theories and implementations are tightly coupled with specification formats. This paper proposes a framework for multiparty message-passing protocols with refinements and its implementation in Rust. Our work decouples correctness of refinements from the underlying model of computation, which results in a specification-agnostic framework. Our contributions are threefold. First, we introduce a trace system which characterises valid refined traces, i.e. a sequence of sending and receiving actions correct with respect to refinements. Second, we give a correct model of computation named refined communicating system (RCS), which is an extension of communicating automata systems with refinements. We prove that RCS only produce valid refined traces. We show how to generate RCS from mainstream protocol specification formats, such as refined multiparty session types (RMPST) or refined choreography automata. Third, we illustrate the flexibility of the framework by developing both a static analysis technique and an improved model of computation for dynamic refinement evaluation. Finally, we provide a Rust toolchain for decentralised RMPST, evaluate our implementation with a set of benchmarks from the literature, and observe that refinement overhead is negligible.

Programming Languages

Ryoya Fukutani,Shusuke Okamoto,Shinji Sakamoto,Masaki Kohana

DOI: https://doi.org/10.1007/978-3-030-29029-0_73

2019-08-15

Abstract:We are developing a web system for learning Python programming. The multiple users can join the system simultaneously through programming battles. This system consists of two parts which are web browsers and a web server. The browser side program written in JavaScript uses an idea from Robocode, which is a open sourced programming learning tool. A user of Robocode plays a battle by writing robot programs in Java. On the other hand, the user of our system writes a program in Python, and the program is converted to a JavaScript of robot program. The conversion is done on the web sever as soon as the user changes his or her code in real-time. In our previous work, we used WebSocket to implement a client-server model that is one-on-one fight. However, since the CPU usage ratio of both browsers and server were high, it was difficult to increase the number of players. Therefore, in this implementation, we use WebRTC to build an application on communicating among browsers that supports more than two players efficiently. We will compare CPU usage ratio on WebSocket model over WebRTC model. Moreover, we will consider which method is suitable for our system.

Roland Kuhn,Alan Darmasaputra

DOI: https://doi.org/10.1145/3597926.3604917

2023-06-15

Abstract:A heterogeneous swarm system is a distributed system where participants come and go, communication topology may change at any time, data replication is asynchronous and partial, and local agents behave differently between nodes. These systems are hard to design and reason about, mainly because we desire a particular class of behaviors to emerge from the interplay of heterogeneous individual agents. Nevertheless, mission-critical operations like manufacturing process orchestration in factories use such systems due to their uncompromising availability and resilience of computing services. This paper presents a set of TypeScript libraries to model peer-to-peer workflows as state machines, execute them using the Actyx middleware, and check the shape of these machines for conformance to a swarm protocol. The swarm protocol describes an idealized global view of the cooperation of machines of different roles. It directly corresponds to a diagram a product manager would sketch on a whiteboard; this allows for verifying that the coded state machines correctly implement the product specification. A well-formed swarm protocol also guarantees that conforming machines will achieve eventual consensus on the overall state progression even in the absence of further coordination. This tool is for developers of business logic for heterogeneous swarm systems, helping them verify that their protocols and implementations are correct. Tool repo: <a class="link-external link-https" href="https://github.com/Actyx/machines" rel="external noopener nofollow">this https URL</a>

Distributed, Parallel, and Cluster Computing

Thien Udomsrirungruang,Nobuko Yoshida

2024-11-12

Abstract:Multiparty session types provide a type discipline for ensuring communication safety, deadlock-freedom and liveness for multiple concurrently running participants. The original formulation of MPST takes the top-down approach, where a global type specifies a bird's eye view of the intended interactions between participants, and each distributed process is locally type-checked against its end-point projection. A more recent one takes the bottom-up approach, where a desired property $\varphi$ of a set of participants is ensured if the same property $\varphi$ is true for an ensemble of end-point types (a typing context) inferred from each participant. This paper compares these two main procedures of MPST, giving their detailed complexity analyses. To this aim, we build several new algorithms missing from the bottom-up or top-down workflows by using graph representation of session types. We first propose a subtyping system based on type graphs, offering more efficient subtype-checking than the existing (exponential) inductive algorithm. Next for the top-down, we measure complexity of the four end-point projections from the literature. For bottom-up, we develop a novel type inference system from MPST processes which generates minimum type graphs, succinctly capturing covariance of internal choice and contravariance of external choice. For property-checking of typing contexts, we achieve PSPACE-hardness by reducing it from the quantified Boolean formula problem, and prove membership in PSPACE. Finally, we calculate the total complexity of the top-down and the bottom-up approaches. Our analyses reveal that the top-down based on global types is more efficient than the bottom-up in many realistic cases; liveness checking for typing contexts in the bottom-up has the highest complexity; and the type inference costs exponential against the size of a process, which impacts the total complexity.

Programming Languages

Yi Li,Xiyue Zhang,Yuanyi Ji,Meng Sun

DOI: https://doi.org/10.1016/j.scico.2019.02.005

IF: 1.039

2019-01-01

Science of Computer Programming

Abstract:Modern distributed systems are often coupled with flexible architectures, composed of heterogeneous components, and deployed on different execution nodes. In such architectures, connectors (or middlewares) are widely used to orchestrate the separated components and make them functioning. Apparently, correctness of such systems highly depends on the behavior of connectors. Reo is a channel-based coordination language where complex connectors are compositionally constructed from simpler ones. In this paper, we propose a stochastic and real-time extension of Reo, including a set of new primitive channels and an expressive semantics as Stochastic Timed Automata for Reo (STA(r)). Furthermore, a logical formalization of STA(r) for property analysis has been proposed and the transformation from STA(r) to PRISM and JANI has been implemented. Several case studies are presented to demonstrate how STA(r) and its corresponding logic can be used to capture coordination scenarios in the real world. (C) 2019 Elsevier B.V. All rights reserved.

Yufeng Chen

DOI: https://doi.org/10.48550/arXiv.2104.00142

2021-04-01

Abstract:<a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> is one of the most popular frameworks for building web applications. As software systems mature, the cost of running their entire regression test suite can become significant. Selective Regression Testing (SRT) is a technique that executes only a subset of tests the regression test suite can detect software failures more efficiently. Previous SRT studies mainly focused on standard desktop applications. <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> applications are considered hard to perform test reduction because of Node's asynchronous, event-driven programming model and because JavaScript is a dynamic programming language. In this paper, we present NodeSRT, a Selective Regression Testing framework for <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> applications. By performing static and dynamic analysis, NodeSRT identifies the relationship between changed methods and tests, then reduces the regression test suite to only tests that are affected by the change to improve the execution time of the regression test suite. To evaluate our selection technique, we applied NodeSRT to two open-source projects: Uppy and Simorgh, then compared our approach with the retest-all strategy and current industry-standard SRT technique: Jest OnlyChange. The results demonstrate that NodeSRT correctly selects affected tests based on changes and is 250% faster, 450% more precise than the Jest OnlyChange.

Software Engineering

Sung-Shik Jongmans

2024-06-30

Abstract:Multiparty session typing (MPST) is a formal method to make concurrent programming simpler. The idea is to use type checking to automatically prove safety (protocol compliance) and liveness (communication deadlock freedom) of implementations relative to specifications. Discourje is an existing run-time verification library for communication protocols in Clojure, based on dynamic MPST. The original version of Discourje can detect only safety violations. In this paper, we present an extension of Discourje to detect also liveness violations.

Programming Languages

Damien Cassou,Stéphane Ducasse,Nicolas Petton

DOI: https://doi.org/10.48550/arXiv.1309.3914

2013-09-16

Abstract:Isolating programs is an important mechanism to support more secure applications. Isolating program in dynamic languages such as JavaScript is even more challenging since reflective operations can circumvent simple mechanisms that could protect program parts. In this article we present SafeJS, an approach and implementation that offers isolation based on separate sandboxes and control of information exchanged between them. In SafeJS, sandboxes based on web workers do not share any data. Data exchanged between sandboxes is solely based on strings. Using different policies, this infrastructure supports the isolation of the different scripts that usually populate web pages. A foreign component cannot modify the main DOM tree in unexpected manner. Our SafeJS implementation is currently being used in an industrial setting in the context of the Resilience FUI 12 project.

Programming Languages,Cryptography and Security

Andi Bejleri,Raymond Hu,Nobuko Yoshida

DOI: https://doi.org/10.4204/EPTCS.17.2

2010-02-04

Abstract:This paper investigates session programming and typing of benchmark examples to compare productivity, safety and performance with other communications programming languages. Parallel algorithms are used to examine the above aspects due to their extensive use of message passing for interaction, and their increasing prominence in algorithmic research with the rising availability of hardware resources such as multicore machines and clusters. We contribute new benchmark results for SJ, an extension of Java for type-safe, binary session programming, against MPJ Express, a Java messaging system based on the MPI standard. In conclusion, we observe that (1) despite rich libraries and functionality, MPI remains a low-level API, and can suffer from commonly perceived disadvantages of explicit message passing such as deadlocks and unexpected message types, and (2) the benefits of high-level session abstraction, which has significant impact on program structure to improve readability and reliability, and session type-safety can greatly facilitate the task of communications programming whilst retaining competitive performance.

Programming Languages,Distributed, Parallel, and Cluster Computing

Bas van den Heuvel

2024-03-01

Abstract:Much of the software we use in everyday life consists of distributed components (running on separate cores or even computers) that collaborate through communication (by exchanging messages). It is crucial to develop robust methods that can give reliable guarantees about the behavior of such message-passing software. With a focus on session types as communication protocols and their foundations in logic, this thesis revolves around the following question: How can we push the boundaries of the logical foundations of session types (binary and multiparty), extending their expressiveness and applicability, while preserving fundamental correctness properties? In this context, this thesis studies several intertwined aspects of message-passing.

Logic in Computer Science

Nobuko Yoshida,Ping Hou

2024-02-27

Abstract:Multiparty session types (MPST) is a type discipline where a programmer or architect specifies a whole view of communications as a global protocol, and each distributed program is locally type-checked against its end-point projection. After 10 years from the birth of MPST, Scalas and Yoshida have discovered that the proofs of type safety in the literature which use the end-point projection with mergeability are flawed. After this paper, researchers wrongly believe that the end-point projection (with mergeability) is unsound. We correct this misunderstanding, proposing a new general proof technique for type soundness of multiparty session $\pi$-calculus, which uses an association relation between a global type and its end-point projection.

Programming Languages