The goal of this paper is to show how existing Curry-Howard interpretations of session types [9, 10] can be generalized to a domain-aware setting by relying on an extension of linear logic with features from hybrid logic [42, 5]. These extended logical foundations of message-passing concurrency allow us to analyze complex domain-aware concurrent systems (including those governed by multiparty protocols) in a precise and principled manner.
Software systems typically rely on communication between heterogeneous services; at their heart, these systems rely on message-passing protocols that combine mobility, concurrency, and distribution. As distributed services are often virtualized, protocols should span diverse software and hardware domains. These domains can have multiple interpretations, such as the location where services reside, or the principals on whose behalf they act. Concurrent behavior is then increasingly domain-aware: a partner’s potential for interaction is influenced not only by the domains it is involved in at various protocol phases (its context), but also by connectedness relations among domains. Moreover, domain architectures are rarely fully specified: to aid modularity and platform independence, system participants (e.g., developers, platform vendors, service clients) often have only partial views of actual domain structures. Despite their importance in communication correctness and trustworthiness at large, the formal status of domains within typed models of message-passing systems remains unexplored.
This paper contributes to typed approaches to the analysis of domain-aware communications, with a focus on session-based concurrency. This approach specifies the intended message-passing protocols as session types [29, 30, 23]. Different type theories for binary and multiparty (-ary) protocols have been developed. In both cases, typed specifications can be conveniently coupled with -calculus processes , in which so-called session channels connect exactly two subsystems. Communication correctness usually results from two properties: session fidelity (type preservation) and deadlock freedom (progress). The former says that well-typed processes always evolve to well-typed processes (a safety property); the latter says that well-typed processes will never get into a stuck state (a liveness property).
A key motivation for this paper is the sharp contrast between (a) the growing relevance of domain-awareness in message-passing, concurrent systems and (b) the expressiveness of existing session type frameworks, binary and multiparty, which cannot adequately specify (let alone enforce) domain-related requirements. Indeed, existing session types frameworks, including those based on Curry-Howard interpretations [9, 50, 13], capture communication behavior at a level of abstraction in which even basic domain-aware assertions (e.g., “Shipper resides in domain AmazonUS”) cannot be expressed. As an unfortunate consequence, the effectiveness of the analysis techniques derived from these frameworks is rather limited.
To better illustrate our point, consider a common distributed design pattern: a middleware agent () which answers requests from clients (), sometimes offloading the requests to a server () to better manage local resource availability. In the framework of multiparty session types  this protocol can be represented as the global type:
The client first sends a request to the middleware, which answers back with either a message containing the answer or a message, signaling that the server will be contacted to produce the final . While this multiparty protocol captures the intended communication behavior, it does not capture that protocols for the middleware and the server often involve some form of privilege escalation or specific authentication—ensuring, e.g., that the server interaction is adequately isolated from the client, or that the escalation must precede the server interactions. These requirements simply cannot be represented in existing frameworks.
Our work addresses this crucial limitation by generalizing Curry-Howard interpretations of session types by appealing to hybrid logic features. We develop a logically motivated typed process framework in which worlds from modal logics precisely and uniformly define the notion of domain in session-based concurrency. At the level of binary sessions, domains manifest themselves through point-to-point domain migration and communication. In multiparty sessions, domain migration is specified choreographically through the new construct , where participant leads a migration of participants to domain in order to perform protocol , who then migrate back to perform protocol .
Consider the global type in our previous example. Our framework allows us to refactor the global type above as:
By considering a first-class multiparty domain migration primitive at the type and process levels, we can specify that the offload portion of the protocol takes place after the middleware and the server migrate to a private domain , as well as ensuring that only accessible domains can be interacted with. For instance, the type for the server that is mechanically projected from the protocol above ensures that the server first migrates to the private domain, communicates with the middleware, and then migrates back to its initial domain.
Perhaps surprisingly, our domain-aware multiparty sessions are studied within a context of logical binary domain-aware sessions, arising from a propositions-as-types interpretation of hybrid linear logic [21, 17], with strong static correctness guarantees derived from the logical nature of the system. Multiparty domain-awareness arises through an interpretation of multiparty protocols as medium processes  that orchestrate the multiparty interaction while enforcing the necessary domain-level constraints and migration steps.
The key contributions of this work are:
A process model with explicit domain-based migration (§ 2). We present a session -calculus with domains that can be communicated via novel domain movement prefixes.
A session type discipline for domain-aware interacting processes (§ 3). Building upon an extension of linear logic with features from hybrid logic [21, 17] we generalize the Curry-Howard interpretation of session types [9, 10] by interpreting (modal) worlds as domains where session behavior resides. In our system, types can specify domain migration and communication; domain mobility is governed by a parametric accessibility relation. Judgments stipulate the services used and realized by processes and the domains where sessions should be present. Our type discipline statically enforces session fidelity, global progress and, notably, that communication can only happen between accessible domains.
As a specific application, we introduce a framework of domain-aware multiparty sessions (§ 4) that uniformly extends the standard multiparty session framework of  with domain-aware migration and communication primitives. Our development leverages our logically motivated domain-aware binary sessions (§ 3) to give a precise semantics to multiparty sessions through a (typed) medium process that acts as an orchestrator of domain-aware multiparty interactions, lifting the strong correctness properties of typed processes to the multiparty setting. We show that mediums soundly and completely encode the local behaviors of participants in a domain-aware multiparty session.
2 Process Model
We introduce a synchronous -calculus  with labeled choice and explicit domain migration and communication. We write to stand for a concrete domain () or a domain variable (). Domains are handled at a high-level of abstraction, with their identities being attached to session channels. Just as the -calculus allows for communication over names and name mobility, our model also allows for domain communication and mobility. These features are justified with the typing discipline of § 3.
Given infinite, disjoint sets of names , of labels , of domain tags and of domain variables , respectively, the set of processes is defined by
Domain-aware prefixes are present only in the last line. As we make precise in the typed setting of § 3, these constructs realize mobility and domain communication, in the usual sense of the -calculus: migration to a domain is always associated to mobility with a fresh name.
The operators (inaction), (parallel composition) and (name restriction) are standard. We then have (send on and proceed as ), (receive on and proceed as with parameter replaced by ), and which denotes replicated (persistent) input. The forwarding construct equates and ; it is a primitive representation of a copycat process. The last two constructs in the second line define a labeled choice mechanism: is a process that awaits some label (with ) and proceeds as . Dually, the process emits a label and proceeds as .
The first two operators in the third line define explicit domain migration: given a domain , denotes a process that is prepared to migrate the communication actions in on endpoint , to session on . Complementarily, process signals an endpoint to move to , providing with the appropriate session endpoint that is then bound to . In a typed setting, domain movement will be always associated with a fresh session channel. Alternatively, this form of coordinated migration can be read as an explicit form of agreement (or authentication) in trusted domains. Finally, the last two operators in the third line define output and input of domains, and , respectively. These constructs allow for domain information to be obtained and propagated across processes dynamically.
Following , we abbreviate and as and , respectively. In , , and the distinguished occurrence of name is binding with scope . Similarly for in . We identify processes up to consistent renaming of bound names and variables, writing for this congruence. denotes the capture-avoiding substitution of for in . While structural congruence expresses standard identities on the basic structure of processes (cf. [longversion]), reduction expresses their behavior.
Reduction () is the binary relation defined by the rules below and closed under structural congruence; it specifies the computations that a process performs on its own.
For the sake of generality, reduction allows dual endpoints with the same name to interact, independently of the domains of their subjects. The type system introduced next will ensure, among other things, local reductions, disallowing synchronisations among distinct domains.
3 Domain-aware Session Types via Hybrid Logic
This section develops a new domain-aware formulation of binary session types. Our system is based on a Curry-Howard interpretation of a linear variant of so-called hybrid logic, and can be seen as an extension of the interpretation of [9, 10] to hybrid (linear) logic. Hybrid logic is often used as an umbrella term for a class of logics that extend the expressiveness of propositional logic by considering modal worlds as syntactic objects that occur in propositions.
As in [9, 10], propositions are interpreted as session types of communication channels, proofs as typing derivations, and proof reduction as process communication. As main novelties, here we interpret: logical worlds as domains; the hybrid connective as the type of a session that migrates to an accessible domain ; and type-level quantification over worlds and as domain communication. We also consider a type-level operator (read “here”) which binds the current domain of the session to in . The syntax of domain-aware session types is given in Def. 3, where stand for domains drawn from , and where and are used as in the syntax of processes.
[Domain-aware Session Types] The syntax of types is defined by
Types are the propositions of intuitionistic linear logic where the additives and are generalized to a labelled -ary variant. Propositions take the standard interpretation as session types, extended with hybrid logic operators , with worlds interpreted as domains that are explicitly subject to an accessibility relation (in the style of ) that is tracked by environment . Intuitively, is made up of direct accessibility hypotheses of the form , meaning that domain is accessible from .
Types are assigned to channel names; a type assignment enforces the use of name according to session , in the domain . A type environment is a collection of type assignments. Besides the accessibility environment just mentioned, our typing judgments consider two kinds of type environments: a linear part and an unrestricted part . They are subject to different structural properties: weakening and contraction principles hold for but not for . Empty environments are written as ‘’. We then consider two judgments:
Judgment (i) states that can directly access under the hypotheses in . We write for the reflexive, transitive closure of , and when does not hold. Judgment (ii) states that process offers the session behavior specified by type on channel ; the session resides at domain , under the accessibility hypotheses , using unrestricted sessions in and linear sessions in . Note that each hypothesis in and is labeled with a specific domain. We omit when it is clear from context.
Selected typing rules are given in Fig. 1; see [longversion] for the full listing. Right rules (marked with ) specify how to offer a session of a given type, left rules (marked with ) define how to use a session. The hybrid nature of the system induces a notion of well-formedness of sequents: a sequent is well-formed if for every , which we abbreviate as , meaning that all domains mentioned in are accessible from (not necessarily in a single direct step). No such domain requirement is imposed on . If an end sequent is well-formed, every sequent in its proof will also be well-formed. All rules (read bottom-up) preserve this invariant; only (), (), (), () and () require explicit checks, which we discuss below. This invariant statically excludes interaction between sessions in accessible domains (cf. Theorem 3).
We briefly discuss some of the typing rules, first noting that we consider processes modulo structural congruence; hence, typability is closed under by definition. Type denotes a session that inputs a session of type and proceeds as . To offer at domain , we input along that will offer at and proceed, now offering at :
Dually, denotes a session that outputs a session that will offer and continue as . To offer , we output a fresh name with type along and proceed offering .
The () rule allows us to compose process , which offers , with process , which uses to offer . We require that domain is accessible from (i.e., ). We also require : the domains mentioned in (the context for ) must be accessible from , which follows from the transitive closure of the accessibility relation () using the intermediary domain . As in [9, 10], composition binds the name :
Type means that no further interaction will take place on the session; names of type may be passed around as opaque values. types a session channel that offers its partner a choice between the behaviors, each uniquely identified by a label . Dually, types a session that selects some behavior by emitting the corresponding label. For flexibility and consistency with merge-based projectability in multiparty session types, rules for choice and selection induce a standard notion of session subtyping .
Type types a shared (non-linear) channel, to be used by a server for spawning an arbitrary number of new sessions (possibly none), each one conforming to type .
Following our previous remark on well-formed sequents, the only rules that appeal to accessibility are (), (), (), and (). These conditions are directly associated with varying degrees of flexibility in terms of typability, depending on what relationship is imposed between the domain to the left and to the right of the turnstile in the left rules. Notably, our system leverages the accessibility judgment to enforce that communication is only allowed between processes whose sessions are in (transitively) accessible domains.
The type operator realizes a domain migration mechanism which is specified both at the level of types and processes via name mobility tagged with a domain name. Thus, a channel typed with denotes that behavior is available by first moving to domain , directly accessible from the current domain. More precisely, we have:
Hence, a process offering a behavior at ensures: (i) behavior is available at along a fresh session channel that is emitted along and (ii) is directly accessible from . To maintain well-formedness of the sequent we also must check that all domains in are still accessible from . Dually, using a service entails receiving a channel that will offer behavior at domain (and also allowing the usage of the fact that ).
Domain-quantified sessions introduce domains as fresh parameters to types: a particular service can be specified with the ability to refer to any existing directly accessible domain (via universal quantification) or to some a priori unspecified accessible domain:
Rule () states that a process seeking to offer denotes a service that is located at domain but that may refer to any fresh domain directly accessible from in its specification (e.g. through the use of ). Operationally, this means that the process must be ready to receive from its client a reference to the domain being referred to in the type, which is bound to (occurring fresh in the typing derivation). Dually, Rule () indicates that a process interacting with a service of type must make concrete the domain that is directly accessible from it wishes to use, which is achieved by the appropriate output action. Rules () and () for the existential quantifier have a dual reading.
Finally, the type-level operator allows for a type to refer to its current domain:
The typing rules that govern are completely symmetric and produce no action at the process level, merely instantiating the domain variable with the current domain of the session. As will be made clear in § 4, this connective plays a crucial role in ensuring the correctness of our analysis of multiparty domain-aware sessions in our logical setting.
By developing our type theory with an explicit domain accessibility judgment, we can consider the accessibility relation as a parameter of the framework. This allows changing accessibility relations and their properties without having to alter the entire system. To consider the simplest possible accessibility relation, the only defining rule for accessibility would be Rule () in Fig. 1. To consider an accessibility relation which is an equivalence relation we would add reflexivity, transitivity, and symmetry rules to the judgment.
Discussion and Examples
Being an interpretation of hybridized linear logic, our domain-aware theory is conservative wrt the Curry-Howard interpretation of session types in [9, 10], in the following sense: the system in [9, 10] corresponds to the case where every session resides at the same domain. As in [9, 10], the sequent calculus for the underlying (hybrid) linear logic can be recovered from our typing rules by erasing processes and name assignments.
Conversely, a fundamental consequence of our hybrid interpretation is that it refines the session type structure in non-trivial ways. By requiring that communication only occurs between sessions located at the same (or accessible) domain we effectively introduce a new layer of reasoning to session type systems. To illustrate this feature, consider the following session type , which specifies a simple interaction between a web store and its clients:
allows clients to checkout their shopping carts by emitting a message or to . In the former case, the client pays for the purchase by sending their credit card data. If a banking service (not shown) approves the transaction (via an message), a receipt is emitted. Representable in existing session type systems (e.g. [9, 50, 30]), types and describe the intended communications but fail to capture the crucial fact that in practice the client’s sensitive information should only be requested after entering a secure domain. To address this limitation, we can use type-level domain migration to refine and :
decrees that the interactions pertinent to type should be preceded by a migration step to the trusted domain , which should be directly accessible from ’s current domain. The type also specifies that the receipt must originate from a bank domain (e.g., ensuring that the receipt is never produced by the store without entering ). When considering the interactions with a client (at domain ) that checks out their cart, we reach a state that is typed with the following judgment:
At this point, it is impossible for a (typed) client to interact with the behavior that is protected by the domain , since it is not the case that . That is, no judgment of the form is derivable. This ensures, e.g., that a client cannot exploit the payment platform of the web store by accessing the trusted domain in unforeseen ways. The client can only communicate in the secure domain after the web store service has migrated accordingly, as shown by the judgment
We state the main results of type safety via type preservation (Theorem 3) and global progress (Theorem 3). These results directly ensure session fidelity and deadlock-freedom. Typing also ensures termination, i.e., processes do not exhibit infinite reduction paths (Theorem 3). We note that in the presence of termination, our progress result ensures that communication actions are always guaranteed to take place. Moreover, as a property specific to domain-aware processes, we show domain preservation, i.e., processes respect their domain accessibility conditions (Theorem 3). The formal development of these results relies on a domain-aware labeled transition system [longversion], defined as a simple generalization of the early labelled transition system for the session -calculus given in [9, 10].
[Domain Substitution] Suppose . Then we have:
Safe domain communication relies on domain substitution preserving typing (Lemma 3).
If and then
The proof mirrors those of [9, 10, 8, 46], relying on a series of lemmas relating the result of dual process actions (via our LTS semantics) with typable parallel compositions through the () rule [longversion]. For session type constructors of , the results are unchanged. For the domain-aware session type constructors, the development is identical that of  and , which deal with communication of types and data terms, respectively. ∎
Following [9, 10], the proof of global progress relies on a notion of a live process, which intuitively consists of a process that has not yet fully carried out its ascribed session behavior, and thus is a parallel composition of processes where at least one is a non-replicated process, guarded by some action. Formally, we define if and only if , for some , names and a non-replicated guarded process .
[Global Progress] If and then s.t. . Note that Theorem 3 is without loss of generality since using the cut rules we can compose arbitrary well-typed processes together and need not occur in due to Rule ().
Termination (strong normalization) is a relevant property for interactive systems: while from a global perspective they are meant to run forever, at a local level participants should always react within a finite amount of time, and never engage into infinite internal behavior. We say that a process terminates, noted , if there is no infinite reduction path from .
[Termination] If then .
By adapting the linear logical relations given in [40, 41, 8]. For the system in § 3 without quantifiers, the logical relations correspond to those in [40, 41], extended to carry over . When considering quantifiers, the logical relations resemble those proposed for polymorphic session types in , noting that no impredicativity concerns are involved. ∎
Domain Preservation. As a consequence of the hybrid nature of our system, well-typed processes are guaranteed not only to faithfully perform their prescribed behavior in a deadlock-free manner, but they also do so without breaking the constraints put in place on domain accessibility given by our well-formedness constraint on sequents.
Let be a derivation of . If is well-formed then every sub-derivation in well-formed.
While inaccessible domains can appear in , such channels can never be used and thus can not appear in a well-typed process due to the restriction on the rule. Combining Theorems 3 and 3 we can then show that even if a session in the environment changes domains, typing ensures that such a domain will be (transitively) accessible:
Let (1) , (2) , and (3) . If then: (a) , for some ; (b) ; (c) .
4 Domain-Aware Multiparty Session Types
We now shift our attention to multiparty session types . We consider the standard ingredients: global types, local types, and the projection function that connects the two. Our global types include a new domain-aware construct, ; our local types exploit the hybrid session types from Def. 3. Rather than defining a separate type system based on local types for the process model of § 2, our analysis of multiparty protocols extends the approach defined in , which uses medium processes to characterize correct multiparty implementations. The advantages are twofold: on the one hand, medium processes provide a precise semantics for global types; on the other hand, they enable the principled transfer of the correctness properties established in § 3 for binary sessions (type preservation, global progress, termination, domain preservation) to the multiparty setting. Below, participants are ranged over by ; we write to denote a finite set of participants .
Besides the new domain-aware global type, our syntax of global types includes constructs from [31, 20]. We consider value passing in branching (cf. below), fully supporting delegation. To streamline the presentation, we consider global types without recursion.
[Global and Local Types] Define global types () and local types () as
The completed global type is denoted . Given a finite and pairwise different labels, specifies that by choosing label , participant may send a message of type to participant , and then continue as . We decree , so reflexive interactions are disallowed. The global type specifies the migration of participants to domain in order to perform the sub-protocol ; this migration is lead by . Subsequently, all of migrate from back to their original domains and protocol is executed. This intuition will be made precise by the medium processes for global types (cf. Def. 4). Notice that and may involve different sets of participants. In writing we assume two natural conditions: (a) all migrating participants intervene in the sub-protocol (i.e., the set of participants of is exactly ) and (b) domain is accessible (via ) by all these migrating participants in . While subprotocols and session delegation may appear as similar, delegation supports a different idiom altogether, and has no support for domain awareness. Unlike delegation, with subprotocols we can specify a point where some of the participants perform a certain protocol within the same multiparty session and then return to the main session as an ensemble.
The set of participants of (denoted ) is defined as: , , . We sometimes write to mean .
Global types are projected onto participants so as to obtain local types. The terminated local type is . The local type denotes an offer of a set of labeled alternatives; the local type denotes a behavior that chooses one of such alternatives. Exploiting the domain-aware framework in § 3, we introduce four new local types. They increase the expressiveness of standard local types by specifying universal and existential quantification over domains ( and ), migration to a specific domain (), and a reference to the current domain (, with occurring in ).
We now define (merge-based) projection for global types . To this end, we rely on a merge operator on local types, which in our case considers messages .
[Merge] We define as the commutative partial operator on base and local types such that (and analogously for other base types), and
, where is one of the following: , , , , or ;
and is undefined otherwise.
Therefore, for to be defined there are two options: (a) and are identical base, terminated, selection, or “hybrid” local types; (b) and are branching types, but not necessarily identical: they may offer different options but with the condition that the behavior in labels occurring in both and must be mergeable.
To define projection and medium processes for the new global type , we require ways of “fusing” local types and processes. The intent is to capture in a single (sequential) specification the behavior of two distinct (sequential) specifications, i.e., those corresponding to protocols and . For local types, we have the following definition, which safely appends a local type to another: [Local Type Fusion] The fusion of and , written , is given by:
This way, e.g., if and , then . We can now define:
[Merge-based Projection ] Let be a global type. The merge-based projection of under participant , denoted , is defined as and
When no side condition holds, the map is undefined.
The projection for the type is one of the key points in our analysis. The local type for , the leader of the migration, starts by binding the identity of its current domain (say, ) to . Then, the (fresh) domain is communicated, and there is a migration step to , which is where protocol will be performed. Finally, there is a migration step from back to ; once there, the protocol will be performed. The local type for all of follows accordingly: they expect from ; the migration from their original domains to (and back) is as for . For participants in , the fusion on local types (Def. 4) defines a local type that includes the actions for but also for , if any: a participant in need not be involved in . Interestingly, the resulting local types and define a precise combination of hybrid connectives whereby each migration step is bound by a quantifier or the current domain.
The following notion of well-formedness for global types is standard:
[Well-Formed Global Types ] We say that global type is well-formed (WF, in the following) if the projection is defined for all .
Analyzing Global Types via Medium Processes
A medium process is a well-typed process from § 2 that captures the communication behavior of the domain-aware global types of Def. 4. Here we define medium processes and establish two fundamental characterization results for them (Theorems 4 and 4). We shall consider names indexed by participants: given a name and a participant , we use to denote the name along which the session behavior of will be made available. This way, if then . To define mediums, we need to append or fuse sequential processes, just as Def. 4 fuses local types:
[Fusion of Processes] We define as the partial operator on well-typed processes such that (with ) :
and is undefined otherwise. The previous definition suffices to define a medium process (or simply medium), which uses indexed names to uniformly capture the behavior of a global type:
[Medium Process] Let be a global type (cf. Def. 4), be a set of indexed names, and a set of domains. The medium of , denoted , is defined as:
where is as in Def. 4.
The medium for exploits four prefixes to mediate in the interaction between the implementations of and : the first two prefixes (on name ) capture the label selected by and the subsequently received value; the third and fourth prefixes (on name ) propagate the choice and forward the value sent by to . We omit the forwarding and value exchange when the interaction does not involve a value payload.
The medium for showcases the expressivity and convenience of our domain-aware process framework. In this case, the medium’s behavior takes place through the following steps: First, inputs a domain identifier (say, ) from which is forwarded to , the other participants of . Secondly, the roles migrate from their domains to . At this point, the medium for can execute, keeping track the current domain for all participants. Finally, the participants of migrate back to their original domains and the medium for executes.
Recalling the domain-aware global type of § 1, we produce its medium process: