Distributed systems are seldom developed as independent entities and, either directly in their design phase or even after their deployment, they should be considered as open entities ready for interaction with an environment. In general, it is fairly natural to expect to connect open systems as if they were composable modules, and in doing that we should rely on “safe” methodologies and techniques, guaranteeing the composition not to “break” any relevant property of the single systems.
In  a methodology has been proposed for the connection of open systems, consisting in replacing any two participants - if their behaviours are “compatible” - by two forwarders, dubbed gateways, enabling the systems to interact. The behaviour of any participant can be looked at as an interface since, without loss of generality, the notion of interface is interpreted not as the description of the interactions “offered” by a system but, dually, as those “required” by a possible environment (usually another system).
Inspired by , the aim of the present paper is to look for a choreography formalism enabling to “lift” the connection-by-gateways by means of a proper function definable on protocol descriptions. The function should yield the protocol of the system obtained by connecting the systems described by the arguments of the function itself. Connected systems would hence enjoy all the good communication properties guaranteed by the formalism itself, which - with no ad-hoc extension of the syntax - could be seen as a choreography formalism for open systems.
We took into account the choreography model of MultiParty Session Types (MPST) [18, 19]. Of course not all of the MPST formalisms are suitable for our aim. For instance, in the formalisn of  the requirements imposed by its type system are too strong for the gateway processes to be typed, so preventing the function we are looking for to be definable.
The MPST formalism that we introduce in the present paper (inspired by ) proved to be a
The simplicity of the calculus allows to get rid of channels and local types.
Moreover, its abstract point of view for what concerns global and local behaviours (looked at as infinite regular trees) also enables to focus on the relevant
aspects of the investigation without the hindering syntactic descriptions of recursion.
In particular, with respect to , we relax the conditions imposed on global types in order to be projectable, so ensuring projectability of “connected” global types.
(a property that does not hold in the formalism of ).
In our formalism, typable
systems are guaranteed to be lock-free .
The systems obtained by connecting typable systems are lock-free too. The main tool is a function from the global types of the original systems to the global type of the system obtained by connection.
In the present setting it is also possible to investigate in a clean way the notion of interface compatibility: we show that the compatibility relation used in  can be relaxed to a relation closely connected to the observational preorder of , in turn corresponding to the subtyping relation for session types of [15, 12].
Outline The first three sections introduce our calculus of multiparty sessions, together with their global types, and prove the properties of well-typed sessions. In the following two sections we define the compatibility relations and the gateway connections for sessions and global types, respectively. Our main result, i.e. the typability and hence the lock-freedom of the session obtained by gateway connection, is Theorem 6.7. Sections 7 and 8 conclude discussing related and future works, respectively.
2 Processes and Multiparty Sessions
We use the following base sets and notation: messages, ranged over by ; session participants, ranged over by ; processes, ranged over by ; multiparty sessions, ranged over by ; integers, ranged over by .
Processes implement the behaviours of single participants.
The input process
waits for one of the messages from participant ;
the output process
chooses one message and sends it to participant .
We use as shorthand for .
We define the multiset of messages in as
After sending or receiving the message the process reduces to ().
The set in acts as an external choice,
while the same set in acts as an internal choice.
In a full-fledged calculus, messages would carry values, namely
they would be of the form .
Here for simplicity we consider only pure messages. This agrees with the focus of session calculi, which is on process interactions that do not depend on actual transmitted values.
For the sake of abstraction, we do not take into account any explicit syntax for recursion, but rather consider processes as, possibly infinite, regular trees.
It is handy to first define pre-processes, since the processes must satisfy conditions which can be easily given using the tree representation of pre-processes.
Definition 2.1 (Processes)
We say that is a pre-process and is a pre-choice of messages if they are generated by the grammar:
and all messages in are pairwise distinct.
The tree representation of a pre-process is a directed rooted tree, where: (a) each internal node is labelled by or and has as many children as the number of messages, (b) the edge from or to the child is labelled by and (c) the leaves of the tree (if any) are labelled by .
We say that a pre-process is a process if the tree representation of is regular (namely, it has finitely many distinct sub-trees). We say that a pre-choice of messages is a choice of messages if all the pre-processes in are processes.
We identify processes with their tree representations and we shall sometimes refer to the trees as the processes themselves. The regularity condition implies that we only consider processes admitting a finite description. This is equivalent to writing processes with -notation and an equality which allows for an infinite number of unfoldings. This is also called the equirecursive approach, since it views processes as the unique solutions of (guarded) recursive equations [27, Section 20.2]. The existence and uniqueness of a solution follow from known results (see  and [6, Theorem 7.5.34]). It is natural to use coinduction as the main logical tool, as we do in most of the proofs. In particular, we adopt the coinduction style advocated in  which, without any loss of formal rigour, promotes readability and conciseness.
the set of participants of process by: and
The regularity of processes assures that the set of participants is finite.
We shall write for if and for if . We shall also omit curly brackets in choices with only one branch and trailing processes.
A multiparty session is the parallel composition of pairs participants/processes.
Definition 2.2 (Multiparty Sessions)
A multiparty session
is defined by the following grammar:
and it should
satisfy the following conditions:
(a) In all the ’s () are distinct;
(b) In we require (we do not allow self-communication).
We shall use
as shorthand for .
We define and .
The structural congruence between two multiparty sessions establishes that parallel composition is commutative, associative and has neutral elements for any fresh .
The reduction for multiparty sessions allows participants to choose and communicate messages.
Definition 2.3 (LTS for Multiparty Sessions)
The labelled transition system (LTS)
for multiparty sessions
is the closure under structural congruence of the reduction specified by the unique rule:
Rule [comm] makes the communication possible: participant sends message to participant . This rule is non-deterministic in the choice of messages. The condition assures that the sender can freely choose the message, since the receiver must offer all sender messages and possibly more. This allows us to distinguish in the operational semantics between internal and external choices. We use as shorthand for . We sometimes omit the label writing . As usual, denotes the reflexive and transitive closure of .
Let us consider a system (inspired by a similar one in ) with participants , , and interacting according the following protocol. Participant keeps on sending text messages to q, which has to deliver them to . After a message has been sent by , the next one can be sent only if the previous has been received by and its propriety of language ascertained, i.e if it does not contain, say, rude or offensive words. Participant acknowledges to the propriety of language of a received text by means of the message ack. In such a case sends to an ok message so that can proceed by sending a further message. More precisely:
sends a text message to in order to be delivered to , which accepts only texts possessing a good propriety of language;
sends an ack to certifying the reception of the text and its propriety. In this case sends back to an ok message and the protocol goes back to 1., so that can proceed by sending a further text message;
sends a nack message to inform that the text has not the required propriety of language. In such a case produces transf (a semantically invariant reformulation of the text), sends it back to and the protocol goes to 2. again. Before doing that, informs (through the notyet message) that the text has not been accepted yet and a reformulation has been requested;
sends a stop message to inform that no more text will be accepted. In such a case informs of that also .
A multiparty session implementing this protocol is:
We end this section by defining the property of lock-freedom for multiparty session as in . Lock-freedom ensures both progress and no starvation (under fairness assumption). I.e. it guarantees the absence of deadlock and that all participants willing to communicate can do it. Recall that is the neutral element of parallel composition.
Definition 2.5 ( Lock-Freedom)
We say that a multiparty session is a lock-free session if
implies either or , and
and imply and occurs in .
3 Global Types and Typing System
The behaviour of multiparty sessions can be disciplined by means of types, as usual. Global types describe the whole conversation scenarios of multiparty sessions. As in  we directly assign global types to multiparty sessions without the usual detour around session types and subtyping [18, 19].
The type formalises a protocol where participant must send to a message for some and then, depending on which was chosen by , the protocol continues as . We use as shorthand for and define the multiset . As for processes, we define first pre-global types and then global types.
Definition 3.1 (Global Types)
We say that is a pre-global type and is a pre-choice of communications if they are generated by the grammar:
and all messages in are pairwise distinct.
The tree representation of a pre-global type is built as follows: (a) each internal node is labelled by and has as many children as the number of messages, (b) the edge from to the child is labelled by and (c) the leaves of the tree (if any) are labelled by .
We say that a pre-global type is a global type if the tree representation of is regular. We say that a pre-choice of communications is a choice of communications if all the pre-global types in are global types.
We identify pre-global types and global types with their tree representations and we shall sometimes refer to the tree representation as the global types themselves. As for processes, the regularity condition implies that we only consider global types admitting a finite representation.
The set of participants of global type is defined similarly to that of processes. The regularity of global types assures that the set of participants is finite. We shall write for if and for if . We shall omit curly brackets in choices with only one branch and trailing s.
Since all messages in communication choices
are pairwise distinct, the set of paths in the trees representing global types
are determined by the labels of nodes and edges
found on the way, omitting the leaf label . Let range over paths of global types.
Formally the set of paths of a global type can be defined as a set of sequences
as follows ( is the empty sequence):
Note that every infinite path of a global type has infinitely many occurrences of .
A global type representing the protocol of Example 2.4 is:
In order to assure lock-freedom by typing we require that the first occurrences of participants in global types are at a bounded depth in all paths starting from the root. This is formalised by the following definition of .
Definition 3.3 (Weight)
Let if and
If is as in Example 3.2, then , and . If , then .
The standard projection of global types onto participants produces session types and session types are assigned to processes by a type system [18, 19]. The present simplified shape of messages allows us to define a projection of global types onto participants producing processes instead of local types.
The projection of a global type onto a participant returns, if any, the process that the participant should run to follow the protocol specified by the global type. If the global type begins by establishing a communication from to , then the projection onto should send one message to , and the projection onto should receive one message from . The projection onto a third participant skips the initial communication, that does not involve her. This implies that the behaviour of must be independent of the branch chosen by , that is the projections on of all the branches must be the same. However, in case of projections yielding input processes from the same sender, we can allow the process of to combine all these processes, proviso the messages are all distinct.
Definition 3.5 (Projection)
Given a global type and a participant ,
we define the
coinductively as follows:
We say that is the projection of onto if is defined. We say that is projectable if is defined for all participants .
As mentioned above, if is not involved in the first communication of , and starts with a choice between distinct messages, then in all branches the process of participant must either behave in the same way or be a different input, so that can understand which branch was chosen.
The global type of Example 3.2 is projectable, and by projecting it we obtain , , , where , , and are as defined in Example 2.4. Also the global type of Example 3.4 is projectable, , , . Notice that has two branches, the projection of the first branch onto is , the projection of the second branch onto is just the projection of onto , so is the (coinductive) projection of onto .
Definition 3.7 (Well-formed Global Types)
A global type is well formed if is finite and is defined for all .
To type multiparty sessions we use the preorder on processes below, inspired by the subtyping of .
Definition 3.8 (Structural Preorder)
We define the structural preorder on processes, , by coinduction:
The double line in rules indicates
that the rules are interpreted coinductively.
Rule [sub-in] allows bigger processes to offer fewer inputs, while
Rule [sub-out] requires the output messages to be the same.
The regularity condition on processes is crucial to guarantee the termination of
algorithms for checking structural preorder.
As it will be further discussed in Remark 6.8,
the current proof fails if we type processes used as gateways by means of
the preorder obtained by substituting
for rule [sub-out].
The typing judgments associate global types to sessions: they are of the shape .
Definition 3.9 (Typing system)
The only typing rule is:
This rule requires that the processes in parallel can play as participants of a whole communication protocol or they are the terminated process, i.e. they are smaller or equal (according to the structural preorder) to the projections of a unique global type. The condition allows to type also sessions containing , a property needed to assure invariance of types under structural congruence. Notice that this typing rule allows to type multiparty session only with global types which can be projected on all their participants. A session is well typed if there exists such that .
4 Properties of Well-Typed Sessions
We start with the standard lemmas of inversion and canonical form, easily following from Rule [t-sess].
Lemma 4.1 (Inversion Lemma)
If , then for all and .
Lemma 4.2 (Canonical Form Lemma)
If and , then and for all .
To formalise the properties of Subject Reduction and Session Fidelity [18, 19], we use the standard LTS for global types given below. Rule [Icomm] is justified by the fact that in a projectable global type , the behaviours of a participant different from and and starting with an output are the same in all branches, and hence they are independent from the choice of , and may be executed before it.
Definition 4.3 (LTS for Global Types)
The labelled transition system (LTS)
for global types
is specified by the rules:
The following lemma relates projections and reductions of global types.
Lemma 4.4 (Key Lemma)
If and , then . Moreover and and for all .
If , then and and .
1. The proof is by induction on .
If , then we have and
and and by definition of projection.
If , then and and and for all , , by definition of projection. By the induction hypothesis, . Moreover, again by the induction hypothesis, and and for all , . We get using rule [icomm], where . The definition of projection implies and .
2. The proof is by induction on and by cases on the reduction rules.
The case of rule [ecomm] is easy. For rule [icomm], by the induction hypothesis, and and for all , . By definition of projection and for . Again by definition of projection and .
Subject Reduction says that the transitions of well-typed sessions are mimicked by those of global types.
Theorem 4.5 (Subject Reduction)
If and , then and .
If , then
Since , by Lemma 4.1 we have that , and . By definition of , from we get and . Similarly from we get and . Lemma 4.41 implies and and . We show for each , by induction on and by cases on the reduction rules. For rule [ecomm] we get . By Definition 3.5 either or . For rule [icomm] for by the induction hypothesis. In both cases . We conclude .
Session fidelity assures that the communications in a session typed by a global type are done as prescribed by the global type.
Theorem 4.6 (Session Fidelity)
If , then and .
If , then and .
Let be the typing system obtained by using (as defined on page 3) in rule [t-sess].
Session Fidelity for is weaker than for . If and , then and with , but the only reduction of is . Notice that but and .
Clearly implies , and a weakening of the vice versa is shown below.
If , then for some .
Proof. The proof is by coinduction on . Let . Then, by Lemmas 4.2 and 4.1 (which easily extend to ), Definition 3.5 and the definition of , and and . Again by the definition of , . Let , and . Then and for all , . Since the proof of Theorem 4.5 easily adapts to , we get for all , . By coinduction there are such that for all , . We can choose .
We end this section by showing that the type system assures lock-freedom. By Subject Reduction it is enough to prove that well-typed sessions are deadlock-free and no participant waits forever. The former follows from Session Fidelity, while the latter follows from the following lemma that says that reducing by rule [ecomm] the weights of the not involved participants strictly decrease.
If by rule [ecomm] and and , then .
Proof. Rule [ecomm] implies . If is a path of , then is a path in . This gives .
Multiparty session typability guarantees lock-freedom.
Theorem 4.9 (Lock-Freedom)
If session is well typed, then is lock-free.
Proof. Let be a type for . If , then . Let . By definition of reduction for some , and this implies by Theorem 4.62. This shows condition 1 of Definition 2.5. The proof of condition 2 of Definition 2.5 is by induction on . If then either or and with in by rule [ecomm]. If then with and for all by rule [ecomm]. By Lemma 4.8 and induction applies.
5 Connection of Multiparty-Sessions via Gateways
Given two multiparty sessions, they can be connected via gateways when
they possess two compatible participants, i.e. participants that offer communications which can be paired
and can hence be transformed into forwarders, that we dub “gateways”.
We start by discussing
the relation of compatibility between processes
by elaborating on Examples 2.4 and 3.2.
If we decide to look at the participant as an interface, the messages sent by her have to be considered as those actually provided by an external environment; and the received messages as messages expected by such an environment. In a sense, this means that, if we abstract from participants’ names in the process , we get a description of an interface (in the more usual sense) of an external system, rather than an interface of our system.
In order to better grasp the notion of compatibility hinted at above, let us
dub “ers” the operation abtracting from the participants’ names inside processes.
So, in our example we would get
Let us now take into account another system that could work as the environment of the system having the of Example 3.2 as global type. Let assume such a system to be formed by participants