types for mobile ambients - aalborg...

Abstract

Java has demonstrated the utility of type systems for mobile

Types for Mobile Ambients

Luca Cardelli Andrew D. Gordon

Microsoft Research

code, and in particular their use and implications for security. Se- curity properties rest on the fact that a well-typed Java program (or the corresponding verified bytecode) cannot cause certain kinds of damage.

In this paper we provide a type system for mobile computation, that is, for computation that is continuously active before and after movement. We show that a well-typed mobile computation cannot cause certain kinds of run-time fault: it cannot cause the exchange of values of the wrong kind, anywhere in a mobile system.

1 Introduction

In previous work [4] we introduced the (untyped, monadic) ambient calculus, a process calculus for mobile computation and mobile devices. That calculus is able to express, via encodings, standard computational constructions such as channel-based communication, functions, and agents.

The type system presented in this paper is able to provide typings for those encodings, recovering familiar type systems for processes and functions. In addition, we obtain a type system for mobile agents and other mobile computations. The type system is obtained by decorating the untyped calculus with type information.

An ambient, in our sense, is a confined place where processes run. Each ambient has a name, and may contain multiple pro-

cesses and subambients. A process can cause its surrounding ambient to move in or out of other ambients, transporting all the subambients and active processes with it. A process may also

open an ambient, that is, it can dissolve an ambient boundary while preserving its contents. Finally, processes within the same ambient may exchange messages.

Our type system tracks the typing of messages exchanged within an ambient. For example, the following system consists of two ambients, named a and b:

a[(x:Znt).P I open b] I b[in a. (3)]

Permissiocl to 111&e digital or hard copies of all or part of rhis work for

personal or classroom use is granted without fee provided that copies

arc not made or distributed for profit or commercial advantage and that

topics bear this notice and the full citation on dlC fi!‘St pgC. ‘TO COPY

otherwise. to repl~hlish. to post on serwrs or to redistribute to lists,

requires prior specific permission and/or a fee.

POPL 99 San Antonio Texas USA Copyright ACM 1999 I-581 13-095-3/99/01...$5.00

The ambient named a contains a process (x:ht).P that is ready to read an integer message into a variable x and proceed with P, and a process open b that is ready to open (dissolve the boundary) of an ambient b found within a. The ambient named b contains a process in a. (3) that moves the ambient b inside a (by executing

in a) and then outputs the message 3. The ambient b is opened after moving into a, so the output comes into direct contact with

the reading process within a. The result is the binding of an integer message to an integer variable, yielding the state:

4Plx+311

The challenge of the type system is to verify that this exchange of messages is well-typed. Note that in the original system the input and the output were contained in separate locations.

Our ambient calculus is related to earlier distributed vari-

ants of the n-calculus, some of which have been equipped with type systems. The type system of Amadio [l] prevents a channel from being defined at more than one location. Sewell’s system [ 121 tracks whether communications are local or non-local, so as to allow efficient implementation of local communication. In Ri- ely and Hennessy’s calculus [l 11, processes need appropriate permissions to perform actions such as migration; a well-typed process is guaranteed to possess the appropriate permission for

any action it attempts. Other work on typing for mobile agents includes a type system by De Nicola, Ferrari, and Pugliese [5]

that tracks the access rights an agent enjoys at different localities; type-checking ensures that an agent complies with its access

rights.

2 The Polyadic Ambient Calculus

We begin by reviewing and slightly extending the ambient calculus of [4]. In that calculus, communication is based on the ex-

change of single values. Here we extend the calculus with communication based on tuples of values (polyadic communication), since this simple extension greatly facilitates the task of provid-

ing an expressive type system. In addition, we annotate bound variables with type information.

Four of our process constructions (restriction, inactivity,

composition and replication) are commonly found in process calculi. To these we add ambients, capabilities, and a simple

form of communication. We briefly discuss these constructions;

see [4] for a more detailed introduction. The restriction operator, (vn:W)P, creates a new (unique)

name n of type W within a scope P. The new name can be used

79

to name ambients and to operate on ambients by name. The in- active process, 0, does nothing. Parallel composition is denoted by a binary operator, P I Q, that is commutative and associative.

Replication is a technically convenient way of representing iter- ation and recursion: the process !P denotes the unbounded replication of the process P and is equivalent to P I !P.

An ambient is written M[P], where M is the name of the am-

bient, and P is the process running inside the ambient. The process M.P executes an action regulated by the capa-

bility M, and then continues as the process P. We consider three kinds of capabilities: one for entering an ambient, one for exiting

an ambient and one for opening up an ambient. (The latter requires special care in the type system.) Capabilities are obtained from names; given a name n, the capability in II allows entry into

n, the capability OUT n allows exit out of n and the capability open n allows the opening of n. Implicitly, the possession of one or all of these capabilities is insufficient to reconstruct the original

name n from which they were extracted. Capabilities can also be composed into paths, MM’, with E for the empty path.

Communication is asynchronous and local to an ambient. It is similar to channel communication in the asynchronous n-calculus [2, 61, except that the channel has no name: the surrounding ambient provides the context where the communication hap-

pens. The process (Ml, . . . . Mk) represents the output of a tuple of values, with no continuation. The process (nl:W1, . . . . nk:Wk).P

represents the input of a tuple of values, with continuation P. Communication is used to exchange both names and capa-

bilities, which share the same syntactic class M of expressions. One of the main tasks of our type system is to distinguish the MS that are names from the MS that are capabilities, so that each is guaranteed to be used in an appropriate context. In general, the type system might distinguish other kinds of expressions, such as integer and boolean expressions, but we do not include those in our basic calculus.

Polyadic Ambient Calculus r I

P,Q ::= processes

(vn: W)P restriction

0 inactivity

f’lQ composition

!P replication

MPI ambient

M.P action

(n,:W1, . . . . nk:W,).P input

(MI, . . . . M/J async output

M ::= expressions

n name

in M can enter into M

out M can exit out of M

open M can open M

E null path

M.M’ composite path 1 I

Syntactic conventions

Parentheses may be used for precedence.

(vn: W)P I Q is read ((vn: W)P) I Q

!PI Q is read (!P) I Q

M.PlQ is read (M.P) I Q

(nI:WI, . . . . nk:Wk).P I Q is read ((nl:W,, . . . . nk:Wk).P) I Q

(vn,:W1, . . . . n,:W,)P A (vn1: W,)...(vnk: Wk)P

41 4 n[O]

M ii M.0 (where appropriate)

The following tables describe the operational semantics of the calculus. The type annotations present in the syntax do not play a role in reduction; they are simply carried along by the re-

ductions and will be explained in the next section. Terms are identified up to an equivalence relation, =, called

structural congruence. This relation provides a way of rearrang- ing expressions so that interacting parts can be brought together. Then, a reduction relation, -, acts on the interacting parts to produce computation steps. The core of the calculus is given by the reduction rules (Red In), (Red Out), and (Red Open), for mobility, and (Red Comm), for communication.

Terms are also identified up to the consistent renaming of bound variables, in the restriction and input constructs. We write P{ntM} for the substitution of M for each free occurrence of the name n in the process P. Similarly for M( ntM’}.

Free names I 1

fi(@n:W)P) 2 fnm- In)

fm A G

f@ I Q, A fW’) ufn(Q> jq!P) & j%(P)

fnW[Pl) 4s fW0 ufW> f4M.P) 2 fn(M) u.fW’) fn((n1:W1, . ..? rI&W,).P) A fn(P) - {n,, . ..) rzk)

fn((M1, . ..t MA) 2 fn(Md u . . . ufn(Md

f+@) A {n)

@(in M) A 500 fn(outM) A fn(M)

f4open Ml 4 MM)

fn(E) 2 Id

fn(M.M’) AL J%(M) ufi(M’) I I

Structural Congruence I I

P-P (Struct Refl)

P=Q =s Q-P (Struct Symm)

P=Q,Q=R a P=R (Struct Trans)

P= Q + (vn:T)P= (vn:T)Q (Struct Res)

P=Q a PlR=QlR (Struct Par)

P-Q =ZJ !P=!Q (Struct Repl)

P=Q =s M[P]=M[Q] (Struct Amb)

P’Q a M.P=M.Q (Struct Action)

80

P=Q 3

(n,:T,, . . . . nk:Tk).P = (nl:T,, . . . . nk:Tk).Q

PlQ=QlP

(PIQ)IR-Pl(QlR)

!P = PI !P

(vn:T)(vm:U)P = (vm:ZJ)(vn:7JP if II f m

(vn:T)(P I Q) = P I (vn:T)Q if n L&(P)

(vn:T)m[P] = m[(vn:T)P] if n z tn

PIO-P

(vn:Amb[Tj)O = 0

!O = 0

(Struct Input)

(StructPatComm)

(StructParAssoc)

(Struct Rep1 Par)

(Struct Res Res)

(Struct Res Par)

(Struct Res Amb)

(Struct Zero Par)

(Struct Zero Res)

(StructZeroRepl)

&.P s P

(M.M’).P z M.M’.P

(Struct E)

(Struct .)

Reduction

n[in m. PI Q] I m[R] - m[n[P I Q] I R]

m[n[out m. P I Q] I R] - n[P I Q] I m[R]

open n. P I n[Q] - PI Q

(Red In)

(Red Out)

(Red Open)

(Red Comm) (n,:W,, . ..) r$W,).P I (M,, . . . . M/J -

P(n,tM1, . . . . n+MJJ

P+Q a (vn: W)P - (vn: W)Q (Red Res)

P--Q * 4pl - dQ1 (Red Amb)

P-Q =a PIR-QIR (Red Par)

P’-P,P-+Q,Q=Q j P’-+Q’ (Red -) L 1

3 Exchange Types

An ambient is a place where other ambients can enter and exit,

and where processes can exchange messages. The first aspect, mobility, is regulated by run-time capabilities and will not be restricted by our type system. The second aspect, communication, is what we now concentrate on.

3.1 Topics of Conversation

Within an ambient, multiple processes can freely execute input and output actions. Since the messages are undirected, it is easily

possible for a process to utter a message that is not appropriate for some receiver. The main idea of our type system is to keep track of the topic ofconversation that is permitted within a given ambient, so that talkers and listeners can be certain of exchang-

ing appropriate messages. The range of topics is described in the following table by

message types, W, and exchange types, T. The message types are Amb[Tj, the type of names of ambients that allow exchanges of

type T, and Cup[7J, the type of capabilities that when used may cause the unleashing of T exchanges (as a consequence of open-

ing ambients that exchange 2). The exchange types are Shh, the absence of exchanges, and WIx...xWk, the exchange of a tuple of

messages with elements of the respective message types. For k=O, the empty tuple type is called 1; it allows the exchange of

empty tuples, that is, it allows pure synchronization. The case

k=l allows any message type to be an exchange type.

Types I 1

w ::= message types

ANTI ambient name allowing T exchange

CapUl capability unleashing T exchange

T ::= exchange types

Shh noexchange

W,X...XWk tuple exchange I I

For example:

l A quiet ambient: Amb[Shh]

l A harmless capability: Cup[Shh]

l A synchronization ambient: Amb[l]

l An ambient that allows the exchange of harmless capabilities: Amb[Cup[Shh]]

l A capability that may unleash the exchange of names of quiet ambients: Cup[Amb[Shh]]

3.2 Intuitions

Before presenting the formal type rules, we discuss the intuitions that lead to them.

Typing of Processes

If a message M has message type W, then (M) is a process that outputs (exchanges) W messages. Therefore, we will have a rule stating that:

M:W * (M):W

If P is a process that may exchange W messages, then (x:W).P is also a process that may exchange W messages. Therefore:

P: w 3 (x:W).P: w

The process 0 exchanges nothing, so it naturally has exchange type Shh. However, we may also consider 0 as a process that may exchange any type. This is useful when we need to place 0 in a

context that is already expected to exchange some type.

0 : T for any T

If P and Q are processes that may exchange T, then P I Q is also

such a process. Similarly for !P.

P:T,Q:T j PIQ:T

P:T 3 !P:T

Therefore, by keeping track of the exchange type of a process, T- inputs and T-outputs are tracked so that they match correctly when placed in parallel.

7jping of Ambients

An ambient n[P] is a process that exchanges nothing at the cur-

rent level, so, like 0, it can have any exchange type, and can be placed in parallel with any process.

81

n[P] : T for any T

There needs to be, however, a connection between the type of n and the type of P. We give to each ambient name a type Amb[Tl, meaning that only T exchanges are allowed in any ambient of that name. Ambients of different names may permit internal ex-

changes of different types.

n:Amb[Tj,P:T ==a

n[P] is well-formed (and can have any type)

By tagging the name of an ambient with the type of exchanges, we know what kind of exchanges to expect in any ambient we

enter. Moreover, we can tell what happens when we open an ambient of a given name.

Typing of Open

Tracking the type of I/O exchanges is not enough by itself. We also need to worry about open, which might open an ambient and unleash its exchanges inside the surrounding ambient.

If ambients named n permit Texchanges, then the capability open n may unleash those T exchanges. We then say that open n has a capability type CuP[7J, meaning that it may unleash T exchanges when used:

n : Amb[Tj a open n : Cup[Tl

As a consequence, any process that uses a Cup[TJ must be a process that is already willing to participate in exchanges of type

T, because further T exchanges may be unleashed.

M: Cup[7J, P : T =a M.P : T

The capability types Cup[TJ do not keep track of any information concerning in and out capabilities; only the effect of open is tracked.

3.3 ljping Rules

We base our type system on three judgments. The main judgment tracks the exchange type of a process, that is the type of the

I/O operations of the process, and of the I/O operations that the process may unleash by opening other ambients.

Judgments

EFO good environment

EkM: W good expression of message type W

EkP:T good process of exchange type T

Based on the discussion in the previous section, we can formal-

ize the type system as described in the following table. Conven- tion: a list of assumptions E k J, . . . E k Jk for k=O means Et- 0.

Rules , I (Env @) (Env n) (EXP n)

E I- V nfdom(E) E’, n: W, E” k V

@kO E,n:Wk V E’, n: W, E” I- n : W

(EXP E) (EXP .)

El-0 EkM:Cup[TJ El-M’:Cup[fl

Et-&: Cup[Tj Et- M.M’ : Cup[7J

(Exp In) (Exp Out) (Exp Open)

El-M:Amb[fl El-M:Amb[Sj EkM:Amb[Tj

E F in M : Cup[fl E I- out M: Cup[Tl E I- open M : Cup[7J

(Proc Action) (Proc Amb)

Et-M: Cup[q El-P:T EkM:Amb[Tj El--P:T

EkM.P:T EkM[P]:S

(Proc Res) (Proc Zero)

E, n:Amb[Tj t- P : S El-0

Et- (vn:Amb[g)P : S EFO:T

(Proc Par) (Proc Repl)

El-P:T EkQ:T EkP:T

EFPIQ:T Et-!P:T

(Proc Input)

E, nl:Wl, . . . . nk:Wkl-P: Wlx...xWk

E F (n,:Wl, . . . . nk:W,).P : W1x...xWk

(Proc Output)

EFM,: W, . . . EkMk: W,

E k (Ml, . . . . Mk) : W,x...xWk 1 I

l Example: A process that outputs names of quiet ambients:

@ F !(vn:Amb[Shh])(n) : Amb[Shh]

l Example: A capability that may unleash S-exchanges. Note that the in n action contributes nothing to the type of the path;

only the open m action does:

@, n:Amb[a, m:Amb[fl I- in n. open m : Cup[g

The correctness of the type system is expressed by the following proposition (the proof is in Appendix 7):

3-l Proposition (Subject Reduction)

IfEl-P: UandPjQthenEFQ: U.

cl

Certain “run-time error” expressions are allowed in the syntax but are nonsensical because they confuse names with capabilities. Examples are in n[P], (vn:Amb[q)n.P, and (in (in n)). Such expressions are not initially typeable, and they cannot be produced by well-typed processes because Proposition 3-l says that the evolution of well-typed processes leads only to well-

typed processes.

4 Applications

4.1 Channel Types

We now begin to explore the expressiveness of our type system. The first test case is whether we can represent typed communi-

82

cation channels, that is, whether we can find a typed encoding of

the n-calculus [8]. The basic idea for the encoding of channels is to use an am-

bient as a buffer where input and output processes can exchange messages. An output operation generates an output packet that enters the buffer and (after being opened) deposits an output. An input operation generates an input packet that similarly enters the

buffer, reads an input, and creates a return packet that exits the buffer and continues with the rest of the process. Each name n of the n-calculus becomes a pair of names in the ambient calculus: the name n of the buffer and the name n” of the packets. There-

fore, communication of a x-calculus name becomes the communication of a pair of ambient calculus names. A n-calculus channel type Ch[ IVl for names of type W is translated as Am& WXW].

Encoding of the Typed Polyadic Asynchronous x-calculus I I

(Et-P] i? ~E~F~P~:Shh

CIChWl, . ..> W,lD A Amb[~W,Dx~W,Dx...x~W~Dx~W~Dl

t(v”n:Ch[W,, . . . . W,])PD 4

(vn,nQCh[W,, . . . . W/J)) (n[!open d’] I U’D)

{n(nl: W,, . . . . nk: W,).PD &

(vp:Amb[Shh]) (open p I

np[in n. (n,,nP,:gW,D, . . . . nk,d’&WkD). p[out n. {PD]])

@Z(n,, . . . . nk)D 2 nP[in n. (n,, n’,, . . . . nk, n’k)]

(PI QD 2 U'DltQD

(!PD k !(PD I I

The translation induces the following derived typing rules, which correspond to a fragment of Pierce and Sangiorgi’s system [lo] consisting only of bidirectional channels, with no subtyping. Each x-calculus process is given the type Shh, since no communication happens at the level of processes. Instead, communication happens within buffers, so each buffer receives the type of the corresponding 7c-calculus channel. Input and output packets

receive the same type as the buffers where they are opened.

tE,n:Ch[W,, . . . . W,] k PI =3 {El- (V’n:Ch[W,, . . . . w,])Pl

(Et- n : ch[w,, . . . . w,]j, @k n, : W,D, . . . . tfE k nk : W,D

* (Et- nh, .‘., nk)D (El-n : Ch[W,, . . . . Wk]D, (E, n,:W,, . . . . nk:Wk /- PI

* (Et- n(n,:W,, . . . . nk:W,).PD

Wb-D,Ct-QD - Wt--lQD {Et-PI - @F!PD

Georges Gonthier has devised two other encodings of the x-

calculus as ambients. The first encoding uses a single name n for both the buffer and the associated packets, instead of pairs of

names n, d. The packets are temporarily hidden inside another layer of ambients, so that there is no confusion between packets

and buffers. For the n-calculus this techniques leads to a nicer encoding, where a channel type maps simply to an ambient type. Still, the technique of passing packet names along with associated ambient names is often useful, as we show in later examples.

Gonthier’s Encoding r

lch[w,, . . . . w,]D 4 /hb[~W~~X...X~Wk~]

{(V”KCh[W,, . . . . w,])PD A

(vn:lCh[W,, . . . . Wk])) n[!open n] 1 (PI

I

(n(n,:w,, . . . . nk:w,).p~ A (vp:Amb[Shh]) (open p I

@k:~CfdWl, . ..> w/d)) k[in n. n[out k. open k.

h:W1D, . . . . nk:~WkD).pbutn. VDIII)

Qnhw,, ..', nkwk)D i+ (vk:tCh[W,, . . . . Wk]D) k[in n. n[out k. open k. (n,, . . . . nk)]]

WIQD 4 U'DllQD

(We use a subscript type to indicate the type of a term that, while not available in the term itself, is available in its type derivation.)

Gonthier’s second encoding also uses single names for buffers and packets. In addition, the encoding does not rely on buffers being generated at the place of v: buffers are generated whenever (and wherever!) needed by I/O operations. For the z-calcu-

lus this makes little difference, but if we imagine using channels freely within the ambient calculus, then it is important not to rely on a fixed location for the buffer: we may want I/O operations on a channel to interact whenever they occur within the same ambi-

ent. The potential problem with this idea is that, since there are multiple buffers, all the output packets may go in one buffer, and all the input packets may go in a different buffer. To solve this

problems, the buffers are designed to be self-coalescing. This technique is useful in general, when buffers need to be generated in a decentralized fashion.

Gonthier’s Coalescing Encoding I I

CIChWl, . . . . w,]) A Amb[~W,~x...X~Wk~]

t(v%:Ch[W,, . . . . Wk])PD b (vn:tCh[W,, . . . . Wk])) (PI

(n(nl:wl, . . . . nk:i’“,).p) ii

(vp:Amb[Shh]) (open p.p[] I

n[!open n I in n I

(n,:lW,D, . . . . nk:IWkj). p[!outn 1 openp.IPD]])

{n(n,, . . . . n&D 2 n[!open n I in n I (nl, . . . . nd]

U'IQD C WDltQD

I!PD A !((PD I I

83

4.2 Parent-Child Communication

It is often useful for an ambient to communicate with its parent

or its children, as when an agent enters a server and wants to ex-

change information with it. We now describe such a derived

communication mechanism, and how to type it.

Parent-Child I/O I I

‘n(W parent outputs to child n

“n(x: W).P child n inputs from parent

%M) child n outputs to parent

“n(x: w).P parent inputs from child n I I

We could adopt the following reduction rules as primitive:

“n(x:W).P I n[*n(M) I Q] - P(xtM} I n[Q]

Vn(M) I n[“n(x:W).P I Q] - n[P(xtM} I Q]

Instead of taking these operators as primitive, it is possible to ap-

proximate parent-child I/O with normal ambient I/O. The encod-

ing given below, however, fails to provide the same atomicity

guarantees as the reductions above. When using this encoding,

parent-child I/O operations are partially sensitive to disruptions

of the protocol due to sudden movement of the child. To avoid

this problem, the child has to implement its own synchroniza-

tion.

The encoding of parent-to-child messaging is quite simple,

using the child ambient as the communication buffer. Messages

from the parent down to a child nch use packets labeled ndn.

“n(M) A nd”[in rich. (M)]

‘n(x:W).P & open ndn. (x:W). P

This messaging is not sensitive to sudden movement of the child:

messages from parent to child may get blocked but do not get

lost.

The encoding of child-to-parent messaging, instead, is more

problematic. There is a choice of where to put the communica-

tion buffer: in the child or in the parent. If the buffer is in the

child, the parent has to send a process to fetch the message; such

a process may get lost on the way back if the child has moved. If

the buffer is in the parent, the child has to send a process to de-

posit the message; such a process may get lost if the child moves

before the (asynchronous) process can get out.

In both cases, though, the child can wait for a confirmation

from the parent that the message has reached the parent; this can

be done with parent-to-child communication, which is reliable.

After the confirmation, the child is free to move.

We describe the case where the buffer is kept in the parent.

This arrangement seems more interesting because, with a simple

modification, it can be extended to anonymous communication

between arbitrary children and a parent.

Each communication from a child nch to a parent happens

within a mailbox nhox within the parent; the mailboxes are self-

coalescing. Messages from a child nch up to the parent use pack-

ets labeled nup that are sent out of the child and then into nhox.

‘n(M).P & n”P[out rich. in nbox. (M)]

vn(x:W).Pw* 5

(vp:Amb[ W’]) (open p. p[] I

nbox[open nup. (x: W). p[out n box. openp. P] I

!open nbox I in nb”“])

(The idioms open p. p[] and p[ . . . open p. P] are used to delay the

activation of P until P reaches the proper position.)

The type of names of child ambients that admit parent-child

I/O may be denoted by Ambav[WJ. This notation can be translat-

ed to the ambient calculus by mapping each environment name

n : AmbAv[~ to four environment names rich, n”P, nd”, nbox :

Amb[Wl, and by mapping each restriction (vn:AmbAVIWl) P to

the restrictions (vrfh:Am6[Wj) (vn”P:Amb[ Wj) (vnd”:Am6[ Wj)

(vnbox :Amb[ Wj) P.

The derived type rules are as follows.

(n : AmbAv[Wj ti P : 7) =a (vn : AmbAv[Wj).P : T

M : W, n : AmbAv[Wj =a Vn(M) : U (any U)

M: W, n : AmbAv[Wj + *n(M) : U (any U)

n : AmbAv[Wj, (x : W d P : w) * ‘n(x:W).P : W

n : AmbAv[Wj, (x : W 3 P : W’) 3 Vn(x:W).P : W’

4.3 Function Qpes

By using a typed encoding of channels in the ambient calculus,

we can provide typed encodings of h-calculi simply by using the

known encodings of h-calculi into the K-calculus [9]. For exam-

ple:

Encoding of the Call-by-Value h-calculus

into the JC-calculus I I

tdk ii k(x)

{hr.bDk 4? (v’n) (k(n) I !n(x, k’). tblk’)

{b(a)Bk ?! (v”k’, k”) ({blk’ 1 k’(x). ({&” 1 k”(y). x(y, k))) I I

Encoding of the Typed Call-by-Value h-calculus

into the Ambient Calculus I I

(E k 659 & @‘) t- (vKk:Ch[{7D]) {blk : Shh

@, xl:A,, . . . . x/:AJ 4 pl, x,:{A& . . . . xl:{AAIl

@*BD 4 Ch[IAD, Ch[tBDII

bDk 45 k(x)

@x:A.6A+BDk 5

(v%:{A-d?D) (k(n) I !n(x:{Al, k’:Ch[{BD]). (6&)

t6/t+B(4& A

(v’k’:Ch[{A+BI)], k”:Ch[{AD])

({bDk* I k’(x:{A-+BD). ({UDk- I k”(y:{AD). x(y, k))) L I

Therefore, as in the n-calculus, a function is represented by a

channel that communicates an argument and a channel for the re-

sult. The derived types reflect this structure.

84

4.4 Records

We define operations for handling records of mutable cells; these will be useful in the next example.

A record r containing cells ci has the general structure r[ . . . I c;~“~[(M,) I !open c:p] I . . . 1, where r is the cell container, qbUf are the value containers for each cell, ci” are input packets for reading and writing cell contents, and M, are the cell contents. The operations consist of creating an empty record named r (record r), adding a cell named c with initial contents M to a record r (add r c M), reading the contents of cell c of record r and binding it to a variable x in a scope P (get r c (x:W). P), and setting the contents of a cell c of record r to a value M and continuing with P

(set r c (M). P).

(record rl 42 r[]

{addrcm 2 cbuf[!open c@ I in r. (M)]

@et r c (x: W). Psi SI

(vop:Amb[SJ) (open op. op[] I

ciP[in r. in cbufl (x: W).

((x) I op[out cbUJ. out r. open op. {PI])])

{set r c (Mw). Psi 4

(vop:Amb[q) (open op. op[] I

@[in r. in cbU/ (x: W).

((M) I op[out cbUf. out r. open op. (PI])])

The names cbUf and c’p related to a cell c are assigned the type Amb[Wj, where W is the type of the values held by the cell. The name r of a record is simply assigned the type Amb[.Shh]. A

record is able to hold cells of different types. The type of names of a record field holding W may be de-

noted by Field[Wj. This notation can be translated to the ambient calculus by mapping each environment name n : Field[Wj to two environment names nbuf, n’P : Amb[WJ, and by mapping each restriction (vn:Field[Wj) P to the restrictions (vnb”f:Amb[Wj) (vn@:Amb[ Wj) P.

4.5 Agents

One of the original motivations for the ambient calculus was to

provide a natural semantics for wide-area network languages. We now define a simple agent language inspired by Telescript [ 131. In the Telescript model, agents travel over the network be- tweenplaces (agent servers) where agents can meet and commu-

nicate with other agents. Agents carry with them a suitcase containing local agent data.

The syntax of our stripped-down agent language, Telestrip’d, is described in the following table, together with an

informal description of the various constructions. We give the

semantics of Telestrip’d by translation to the ambient calculus. The dynamic hierarchical structure of places, agents and suitcas-

es is preserved by our translation; it would not be preserved so

obviously by translations into standard process calculi. We are able to assign types to our definitions, yielding a

typed agent language: Agent[W,, . . . . WJ is the type of names of agents that accept communications of type W~x...xWk.

Telestrip’d Syntax

’ W ::= Agent[Wl, . . . . Wk]

Net ::=

noplace

place p[Arenn]

Net I Net

Arena :I=

empty agent (n:W)[Code]

Arena I Arena

Code :I=

stop

go p. Code

spawn (n’:W)[Code’].

Code

welcome (nl:Wl, . . . . nk:Wk).

Code

meet n(n,, . . . . nk). Code

folder n n’. Code

agent types (k 2 0)

the network

no place

a place called p

more places

inside a place

nobody there

an agent with fresh name n

more agents

agent code

stop

go to place p and continue

spawn a fresh agent n’ in the

current place

accept input from a local

agent

get n(x: W). Code

output to local agent n

add new folder n with con-

tents n’ to the suitcase

get contents of folder n from

the suitcase

set n(n’). Code set contents of folder n to n’ in

the suitcase

. . . other constructs (omitted)

Typed Telestrip’d Semantics I 1

{Agent[Wl, . . . . W& A Amb[(Wllx...x(WkD]

{Net) : Shh

(Arenalp : Shh if p : Amb[Shh]

(Code&, : (w$x...x(wk) if m : ((Agent[Wl, . . . . Wk])

(noplace) 2 0

@lace p[Arena]j S? p[tArena$] (for p:Amb[Shh])

{Net I Net) & (Net) I (Net)

@mptyDp A 0 {agent (n:Agent[W,, . . . . Wk])[Code]b 2

(vn:(IAgent[Wl, . . . . Wk]))

n[record sut I add sut at p I (Code),]

((Arena I Are@, 5 (ArenaDp I (ArenaI,,

@top& k 0

{gap. Code), A

get sut at(q:Amb[Shh]). set sut at(p). out q. in p. (Code),

{spawn (n’:Agent[W,, . . . . Wk])[COde’]. Code&, A (for n' # m)

get suf at@:Amb[%h]). (vn’,u:tAgent[ WI, . . . . Wk]))

(n’[recordsutIaddsutatpI outm. openu. (Code’D,,]

I open u. (Code&,

I (vt:Amb[Shh]) t[out m. in n’. out n’.

(u[out t. in n’] I u[out t. in ml)])

85

(meet n(nlw,, . . . . nkw,). Code), A

(vk:tAgent[W,, . . . . Wk]))

&out m. in n. n[out k. open k. (nl, . . . . n,)]] I (Code),

(welcome (nl: WI, . . . . nk:Wk). Code), 4l

open m 1 (nl:tW,D, . . . . nk:IWkl). (Code),

uolder n n ‘w. Code),,, &

(vn:Field[tm]) (add sut n n’ I (CodeD,)

@et n(x: W). Code),, 4% get sut n(x:(m). (Code),

{set n(n’). Code), c set sut n(n’). (Code),

No exchange happens at the network level, so the network

has type SM. Each arena has also type Shh, so the name of each

place has type Amb[Shh].

The type of an ambient reflects only the type of the exchanges performed within it; each agent welcomes (inputs) a single type of data, but can output to agents of several different types. The meet primitive given above is asynchronous; a (more natural) synchronous version is possible but more complicated.

The name of the agent suitcase, sut, is a distinguished name of type Amb[Shh]. A suitcase is a record containing a collection of cells. Each suitcase contains a cell named at, a distinguished name of type Amb[Amb[Shh]], containing the name of the agent’s current place.

5 Affine Capability Types

In this section, we describe an extension of our type system obtained by adding a new type of affine capabilities Cup’[TJ. We enforce the rule that whenever a process inputs a capability of this type, the process may exercise or output the capability at most once.

The motivation for this type system is that in some situa- tions we may want capabilities to play the role of tickets or stamps that may be used once to access a valuable resource (for example, a compute server, or a printer). We would like to guar-

antee that if a well-typed process is presented with k capabilities for accessing a resource, perhaps after a fee has been paid, then that resource is exercised at most k times.

5.1 Limiting the Use of Capabilities

Linear type systems for the z-calculus, beginning with the work

of Kobayashi, Pierce and Turner [7], restrict the usages of bound names in a variety of ways. Our system is analogous, but is affine (at most one use of names) rather than linear (exactly one use).

We modify the syntax of types by renaming Cup[7J to Cu$“[I’j and by introducing a new type, Cup’[fl, of affine capabilities. The multiplicities 0, 1 and o are used to count the num-

ber of occurrences of names in terms. We enforce the following

simple principles:

l An input name of type Cap’[7’j may be exercised at most once.

l An input name of type Cup”[q orAmb[T’J may be exercised as

often as desired, as before.

l A restricted name of type Amb[Tl may be exercised as often as

desired, as before. For example:

l Disallowed: (x:Cup’[7’J). ((1) I (x)), (x:Cup’[TJ). ((x) I n[x.P])

l Allowed: (n:C@‘[fl). ((x) I (x) I n[x.P]), (x:AmbP’l). (x[l 1 x[l), (x:AmbKl). HP1 1 -dQl), (vx:Amb[Tj). ((open x) I (open x) I (y:Cup’[fl). (y))

Here is the syntax of the extended type system:

QPes I I

w::= message types

AmbV’l ambient name

C~P’VI affine capability

C&V-l unlimited capability

T ::= exchange types

Shh noexchange

w,x...xwk tuple exchange

l.t ::= multiplicities

0 never

1 once

0 many I I

We let p+ range over { 1, 0). Let the multiplicity order, ~1 S cc’, be the least reflexive and

transitive relation to satisfy 0 I 1 5 w. Let the addition, /.t+/.~’ of multiplicities lt and u’ be the multiplicity defined by the equations p+O = O+p = u, 1 +l = O, and p+o = 0tl.t = W. Let the rep-

lication, !p, of a multiplicity be the multiplicity ~+I_I. The functions n occurs M and n occurs P, given by the fol-

lowing equations, count the occurrences of the name n in the term M and in the process P, respectively. Note that any name under a ! has multiplicity u.

n occurs m 2 1 if m=n; 0 otherwise

n occurs in M A noccurs M =

n occurs out M A n occurs M =

n occurs open M 4 n occurs M

n occurs M.M’ A (n occurs M) + (n occurs M’)

n occurs E A 0 =

n occurs M.P A (n occurs M) + (n occurs P)

n occurs M[P] G (n occurs M) + (n occurs P)

n occurs (vm:W)P 4 (n occurs hl) form # n

n occurs 0 A 0 =

n occurs P I Q 3 (n occurs P) + (n occurs Q)

n occurs !P ?! !(n occurs P)

n occurs (nl:Wl, .,., nk:Wk).P 4

n occurs P for n $ {ni, . . . . nk)

n occurs (Ml, . . . . Mk) 2

(n occurs Ml) + . . . + (n occurs Mk)

86

For example:

n 0ccurs (m[J I (vn:w) n[]) = 0

n occurs m[n.O] = 1

n occurs (m[n.O] I (n)) = w

We define a new type system using the same rules as before except for the modifications listed below.

Rules I I (Exp E) (Exp .)

EI-0 Et- M : C@+[7J E b M’ : CuP”+[7J

Et- E : Cq+‘+[7J E F M.M’ : Cq+‘+[7J

(EXP In) (Exp Out)

EtM:Amb[Sj EC-M:Amb[SJ

E I- in M : CuPp”[7J E F our M : CuP’+[fl

(Exp Open) (Proc Action)

EI-M:Amb[Tj EFM:CupCL+[Tj EI-P:T

E I- open M : Cupi’+[rJ EI-M.P: T

(P~oc Input) (where Vie 1 ..k. Wi =Cup’[Ti] * ni Occurs P 5 1)

E, n,:W,, . . . . nk:WktP: W~x...xWk

E I- (nl:Wl, . . . . nk:W,).P : W,x,..xWk

I I

A subject reduction result can be proven for the modified system (the proof is in Appendix 8).

5-l

q

5.2

Proposition (Subject Reduction) IfEl-P: UandP--*QthenEl-Q: U.

Avoiding a Synchronization Error Using Affine ‘Qpes

To illustrate the use of affine capability types, we describe a taxi protocol. This protocol uses affine typing to achieve proper

movement synchronization between two parties. The taxi pub- lishes a capability for a passenger to enter a seat in the back of

the taxi. The passenger enters and tells the taxi a route to follow. At the end of the trip the taxi door is unlocked, and the passenger may exit. The capabilities for entering and exiting the taxi, and

for the route, are given affine types. If the capability to enter the taxi were to be accidentally or

maliciously duplicated, a synchronization error could arise, in

which a passenger holding a valid capability would attempt to

enter the taxi, but would be left behind because another passen-

ger got the taxi first. This possibility is ruled out by affine typing.

In the following, the parameter M is the route the taxi is to follow, and the parameter P is the behavior of the passenger at

the destination.

passenger M P %

(enter:Cap’[ShhJ).

move[enter. tulk[out move. (M) I

tulk[(exit:Cup’[Shh]). move[exit. PI]]]

taxi &

(V tu.d:Amb[Shh], go:Amb[Shh],

lock:Amb[Shh], seut:Amb[Cup*[Shh]])

((in tari. in lock. in seat) I

taxi[open go I

lock[

seut[open talk. (route:Cup’[Shh]).

(open talk. (out seat. out tuxi) I

go[out seat. out lock. route. open lock])]]])

If we suppose there is some environment E with:

E F talk : Amb[Cup’[Shh]] E F M : Cup’[Shh]

Et- move : Amb[Shh] E!-P:Shh

then:

E I- (passenger M P I taxi) : Cup’[Shh]

(N.B.: the passenger-taxi system can also be Cup”[Shh]. We can force the Cup’[Shh] typing by system within an ambient whose name Amb[Cup’[Shh]].)

given type situating the

has type

Initially, the system reduces as follows, up to the point where the passenger has entered the taxi and the taxi is ready to follow the route M:

passenger M P I taxi --+*

(V taxi:Amb[ShhJ, lock:Amb[Shh], seut:Amb[Cup’[Shh]])

taxi[M. open lock I

lock[move[out taxi. P] I seut[move[]]] ]

Once the route M has been followed, the lock ambient is opened,

and the passenger exits.

5.3 Dispensing Transferrable Tokens Using Afflne ‘Qpes

A second example demonstrates that affine types allow capabilities to serve as consumable, transferrable tokens for a resource.

We consider a system consisting of several principals that are given access to a printer. Each principal has an API (inter- face) allowing it to print messages on the printer. Each time it ac-

cesses the AH, a principal must consume a token, the capability open upi. This capability is given the affine type Cup’[Msg], where Msg is the type of messages printed by the printer. By dispensing different numbers of these tokens to different principals,

we may selectively control the number of messages each princi-

pal has a right to print. The top-level of our system, sys, serves as a printer spool; any outputs here may be thought of as being

sent to a printer.

We describe each principal as follows:

87

principal n P k

n[open n I printAPI n I toks[!open toks I P]]

The process parameter P models the specific behavior of the principal. We assume that the names upi and print are not free in P. The ambient named t&s represents a channel on which the principal receives capabilities for printing. A token open api pro-

vides access to the printer API, which is defined by:

printAPf n L! !api[(x:Msg). print[out n. (x)]]

Our example system consists of two principals, named alice

and bob:

sys k

(v alice:Amb[Msg], bob:Amb[Msg], api:Amb[Msg],

print:Amb[Msg], toks:Amb[Cap’[Msg]])

(!open print I

toks[in alice. in toks I (open api) I (open api)] I

principal alice ((x1:Cap’[Msg]). (xz:Cap’[Msg]).

alice[out toks I x1. (M) I

toks[out alice. in bob. in toks. (xz)]])

principal bob ((y:Cap’[Msg]).

bob[out toks. y. (N)]))

In this example, we dispense two tokens to alice, via the

process tok.s[in alice. in toks I (open api) I (open api)]. but none to bob. Principal alice inputs the two tokens as variables xi and x2;

she uses xi herself to print M, but donates the other to bob, who inputs it as y, and uses it to print N.

The process sys has type Msg. We have:

SYS -b* (M) 109

We may easily add more principals to this example, and we

may dispense as many tokens as is appropriate to each new principal. By using affine types to regulate the use of printer tokens,

principals are free to transfer tokens amongst themselves, but the total number of messages printed is limited by the number of to-

kens dispensed initially. Without linear or affine types, it would be harder to allow the transfer of printer tokens between principals while still controlling their total number.

6 Conclusions

We have presented a type system for the ambient calculus. The types arising from this work are unusual in that they do not cor-

respond directly to channel or function types. The type system guarantees the soundness of message exchanges, while leaving

great flexibility in mobility. As an example, we have given a natural semantics for a typed agent language.

Our type system is rather basic, roughly corresponding to

the simply-typed discipline for the h-calculus. Much richer typing disciplines can be imagined, along the usual lines. Perhaps

more interestingly, it is appealing to try and use static type sys-

tems to restrict mobility; this is the subject of current work.

Acknowledgments

Georges Gonthier made useful remarks on an early draft, and discovered new x-calculus encodings that illustrate interesting techniques.

7 Appendix: Subject Reduction

Let E k J denote any judgment.

7-l

7-2

7-3

7-4

7-S

7-6

7-7

7-8

(I)

(2)

Lemma

If E’, n: W, E” k J then n $ dom(E’, E”).

Lemma IfEl-n: WandEl-n: W’,then W=W’.

Lemma (Implied Judgment)

If E’, E” I-J then E’ k 0.

Lemma (Exchange) If E’, n: W’, m: W”, E” I- J then E’, m: W”, n: W’, E” k J.

Lemma (Weakening)

IfE’,E”l-Jandn$dom(E’,E”)thenE’,n:W,E”kJ.

Lemma (Strengthening)

IfE’,n:W,E”tJandn$fn(J)thenE’,E”tJ.

Lemma (Substitution)

IfE’,n:W,E”tJandE’tM: WthenE’,E”kJ{ntM].

Proposition (Subject Congruence)

IfEtP: VandPEQthenEtQ: V.

IfEtP:VandQ=PthenEl-Q: V.

Proof

By mutual induction on the derivations of P = Q and Q = P.

(l)IfEl-P: VandPrQthenEl-Q: V.

(Struct Refl) Trivial.

(Struct Symm) Then Q = P. By induction hypothesis (2), we haveEtQ: V.

(Struct Trans) Then P = R, R = Q for some R. By induction hypothesis (1) E t R : V. Again by induction hypothesis (1) E I-

Q : V.

(Struct Res) Then P = (vn:W)P’ and Q = (vn:W)Q’, with P’ =

Q’. Assume Et P : V. This must have been derived from (Proc

Res), with E, n:Amb[7’l t P’ : V, where W=Amb[fl. By induction hypothesis, E, n:Amb[7’l I- Q’ : V. By (Proc Res) E l-

(vn:Amb[fl)Q’ : V.

(Struct Par) Then P = P’ I R, Q = Q’ I R, and P’ = Q’. Assume

Et P’ I R : V. This must have been derived from (Proc Par), with Et P’ : V and E I- R : V. By induction hypothesis Et Q’ : V.

By (Proc Par) Et Q’ I R : V.

(Struct Repl) Then P = !P’, Q = !Q’, and P’ = Q’. Assume Et

P : V. This must have been derived from (Proc Repl), with E k-

P’ : V. By induction hypothesis, E t Q’ : V. By (Proc Repl) E k-

!Q’ : V.

88

(Struct Amb) Then P = M[P’], Q = M[Q’], and P’ = Q’. As- sume E k P : II. This must have been derived from (Proc Amb), with E t- M : Amb[Tj and E I- P’ : T for some T. By induction

hypothesis, E I- Q’ : T. By (Proc Amb) we derive E I- M[Q’] : U.

(Struct Action) Then P = M.P’, Q = M.Q’, and P’ = Q’. Assume

E II P : U. This must have been derived from (Proc Action), with E I- M : Cup[ v] and E k P’ : U. By induction hypothesis, E k Q’ : U. By (Proc Action) E I- M[Q’] : U.

(Struct Input) Then P = (nl: WI, . . . . nk:Wk).P’, Q = (n,:W,, . . . . nk:Wk).Q’, and P’ E Q’. Assume E !- P : U. This must have been

derived from (PrOC InpUt), with E, nl:W,, . . . . nk:Wk i- P’ : U, where U = W+c...xWk. By induction hypothesis, E, nl:W,, . . . . nk: W, t- Q’ : u. By (PrOC IllpUt) E F (nl: WI, . . . . nk: W&Q : u.

(Struct Par Comm) Then P = P’ I P” and Q = P” I P’. Assume

E I- P’ I P” : U. This must have been derived from (Proc Par), withEl-P’: UandEl-P”: U.By(ProcPar)EkP”IP’: U.

(Struct Par Assoc) Then P = (P’ I P”) I P”’ and Q = P’ I (P” I P’“). Assume E k (P’ I P”) I P”’ : U. This must have been de-

rived from (Proc Par) twice, with Et- P’ : U, E k P” : U, and E t-P”‘: U.By(ProcPar)twice,Et-P’I(P”IP’“): U.

(Struct Rep1 Par) Then P = !P’ and Q = P’ I !P’. Assume E l- !P’ : U. This must have been derived from (Proc Repl), with El- P’ : U. By (Proc Par), E I- P’ I !P’ : U.

(Struct Res Res) Then P = (vn: W)(vm:V)P’ and Q =

(vm:V)(vn: W)P’ with n f m. Assume E I- (vn: W)(vm:V)P’ : U. This must have been derived from (Proc Res) twice, with E, n:Amb[TJ, m:Amb[S] I-P’ : U, where W=Amb[Tj and V=Amb[S]. By Lemma 7-4 we have E, m:Amb[Sj, n:Amb[Tj I- P’ : I/. By (Proc Res) twice we have E I- (vm:Amb[Sj)(vn:Amb[Tj)P’ : U.

(Struct Res Par) Then P = (vn:W)(P’ I P”) and Q = P’ I (vn:W)P”, with n @ fn(P’). Assume E t- P : U. This must have been derived from (Proc Res), with E, n:Amb[Tj I- P’ I P” : U and W=Amb[TJ, and from (Proc Par), with E, n:Amb[Tj I-P’ : U and E, n:Amb[Tj i- P” : U. By Lemma 7-6, since n $fn(P’), we have Et- P’ : U. By (Proc Res) we have E I- (vn:Amb[Tj)P” : II. By (Proc Par) we have E I- P’ I (vn:Amb[Tj)P” : U.

(Struct Res Amb) Then P= (vn:W)m[P’] and Q = m[(vn:W)P’], with n # m. Assume E I- P : U. This must have been derived from (Proc Res) with E,n:Amb[TJ k m[P’] : U with W = Amb[TJ, and

from (Proc Amb) with E, n:Amb[fl t- P’ : S and E, n:Amb[Tj l- m : Amb[S] for some S. By (Proc Res) we have E k (vn:Amb[TJ)P’ : S. By Lemma 7-6, since n # m, we have E t- m : Amb[Sl. By (Proc Amb) we can derive E k m[(vn:Amb[TJ)P’] : 0:

(Struct Zero Par) Then P = P’ I 0 and Q = P’. Assume E I- P : U. This must have been derived from (Proc Par) with E k P’ : U andEF0: U.

(Struct Zero Res) Then P = (vn: W)O and Q = 0. Assume E t- P : U. This must have been derived from (Proc Res) with E, n:Amb[TJ k 0 : U and W = Amb[TJ. By Lemma 7-6, E F 0 : U.

(Struct Zero Repl) Then P = !O and Q = 0. Assume Et- P : U. This must have been derived from (Proc Repl) with E I- 0 : U.

(Struct E) Then P = &.P’ and Q = P’. Assume E k P : U. This must have been derived from (Proc Action) with E I- P’ : U.

(Struct .) Then P = (M.M’).P’ and Q = M.M’.P’. Assume E I- P : U. This must have been derived from (Proc Action) with E k M.M’ : Cup[Uj and E F P’ : U. The former must come from (Exp .) with E k M : Cap[LJj and E I- M’ : Cap[UJ By (Proc Action) twice we have E k M.M’.P’ : U.

(Z)IfEl-P: UandQsPthenEFQ: U.


(Struct Symm) Then P E Q. By induction hypothesis (I), we haveEtQ: U.

(Struct Trans) Then Q = R, R 5 P for some R. By induction hy-

pothesis (2) Et R : U and E I- Q : U.

(Struct Res), (Struct Par), (Struct Repl), (Struct Amb),

(Struct Action), (Struct Input), (Struct Par Assoc) Symmet- rical to case (1).

(Struct Par Comm) Then Q = P’ I P” and P = P” I P’. Assume E I- P” I P’ : U. This must have been derived from (Proc Par), withEl-P”: UandEtP’: U.By(ProcPar)EtP’IP”: II.

(Struct Rep1 Par) Then Q = !P’ and P = P’ I !P’. Assume E k P’ I !P’ : II. This must have been derived from (Proc Par), with Et !P’: u.

(Struct Res Res) Then Q = (vn: W)(vm:V)P’ and P = (vm:V)(vn: W)P' with n # m. Assume E t- (vm:V)(vn: W)P' : U. This must have been derived from (Proc Res) twice, with E, m:Amb[S], n:Amb[TJ I- P’ : U, where W=Amb[Tj and V=Amb[S]. By Lemma 7-4 we have E, n:Amb[Tj, m:Amb[SJ I- P’ : U. By (Proc Res) twice we have E I- (vn:Amb[TJ)(vm:Amb[Sj)P’ : U.

(Struct Res Par) Then Q = (vn:W)(P’ I P”) and P = P’ I (vn:W)P”, with n $ fn(P’). Assume E t P : U. This must have been derived from (Proc Par), with Et P’ : U and E t (vn:W)P” : U, and the latter from (Proc Res), with E, n:Amb[Tj I- P” : U where W=Amb[Tj. By Lemma 7-5, since n 6 dom(E’), we have E, n:Amb[TJ I- P’ : U. By (Proc Par) we have E, n:Amb[Tj F P’ I P” : U. By (Proc Res) we have E k (vn:Amb[TJ)(P’ I P”) : U.

(Struct Res Amb) Then Q = (vn: W)m[P’] and P = m[(vn:W)P’], with n # m. Assume Et P : U. This must have been derived from

(Proc Amb) with E I- m : Amb[Sj and E I- (vn:W)P’ : S for some S. The latter must have been derived from (Proc Res) with E, n:Amb[q k P’ : S with W = Amb[Tj. By Lemma 7-5, since n 6 dam(E), we have E, n:Amb[Tj t- m : Am&S]. By (Proc Amb) we can derive E, n:Amb[Tj I- m[P’] : U. By (Proc Res) we have E t (vn:Amb[q)m[P’] : U.

(Struct Zero Par) Then Q = P’ I 0 and P = P’. Assume E t- P : U. By Lemma 7-3, E t 0. By (Proc Zero) E I- 0 : U. By (Proc

Par),Et-P’IO: U.

(Struct Zero Res) Then Q = (vn:Amb[TJ)O and P = 0. Assume E !- P : CJ. By Lemma 7-5, E, n:Amb[q k 0 : U. By (Proc Res) Et (vn:Amb[Tj)O : U.

(Struct Zero Repl) Then Q = !O and P = 0. Assume Et P : II. By (Proc Repl) with E k !O : U.

89

(Struct E) Then Q = &.P’ and P = P’. Assume E I- P : U. By Lem-

ma 7-3, Et- 0. By (Exp E), E k E : Cap[UJ By (Proc Action) with EFE.P’: U.

(Struct .) Then Q = (M.M’).P’ and P = M.M’.P’. Assume E I- P

: U. This must have been derived from (Proc Action) twice, with El-M:Cap[u,EkM’:Cap[fl,andEl-P’:U.By(Exp.)we have E I- M.M’ : Cap[UJ. By (Proc Action) we have E k

(M.M’).P’ : II.

0

7-9 Proof of Proposition 3-l (Subject Reduction)

IfEl-P: UandPjQthenEl-Q: U.

Proof

By induction on the derivation of P --+ Q.

(Red In) Then P = n[in m. P’ I P”] I m[P’“] and Q = m[n[P’ I P”] I P’“]. Assume E k P : CT. This must have been derived from (Proc Par), with E k n[in m. P’ I P”] : U and E I- m[P’“] : U.

Those two judgments must have been derived from (Proc Amb), withEkn:Amb[TJ,EFinm.P’IP”:TforsomeT,andEk-m : Amb[.S’j, Et- P”’ : S for some S. Moreover, E I- in m. P’ I P” : T must come from (Proc Par) with E I- in m. P’ : T and E I- P” : T, and E k in m. P’ : T must come from (Proc Action) with E I-

in m : Cap[Tj and E k P’ : T. Note that E F m : Amb[.SJ is consistent with E k in m : Cap[TJ, by (Exp In). By (Proc Par) we have E k P’ I P” : T, and by (Proc Amb) we can derive E F n[P’ I P”]

: S. Then, by (Proc Par) we have E I- n[P’ I P”] I P”’ : S, and by (Proc Amb) we can derive E I- m[n[P’ I P”] I P”‘] : U.

(Red Out) Then P = m[n[out m. P’ I P”] I P”‘] and Q = n[P’ I P”] I m[P”‘]. Assume E I- P : U. This must have been derived

from (Proc Amb), with E I- m : Amb[TJ and E k n[out m. P’ I P”]

I P”’ : T for some T. The latter must come from (Proc Par) with

E I- P”’ : T and E k n[out m. P’ I P”] : T. The latter must come from (Proc Amb) with E I- n : Amb[Sj and E k out m. P’ I P” : S for some S. The latter must come from (Proc Par) with E I- P” : S and E I- out m. P’ : S. The latter must come from (Proc Action) with E t- out m : Cap[SJ and E k P’ : S. Note that E k m : Amb[TJ

is consistent with E F out m : Cap[a, by (Exp Out). By (Proc

Par) we have E k P’ I P” : S, and by (Proc Amb) we can derive E I- n[P’ I P”] : U. Then, by (Proc Amb) we can derive E F

m[P’“] : II, and by (Proc Par) we have E k n[P’ I P”] I m[P’“] : U.

(Red Open) Then P = open n. P’ I n[P”] and Q = P’ I P”. As-

sume E I- P : U. This must have been derived from (Proc Par), with E I- open n. P’ : U and Et- n[P”] : U. The judgment E I-

open n. P’ : U must have been derived from (Proc Action), with

E k open n : Cap[Ul and E I- P’ : U, and from (Exp Open) with E k n : Amb[ UJ. The judgment E I- n[P”] : U must have then been

derived from (Proc Amb) with E t n : Amb[U’], and E t- P” : U’.

By Lemma 7-2, U’=U. By (Proc Par) we have E F P’ I P” : U.

(Red Comm) Then P = (nl:Wl, . . . . nk:W&P’ I (Ml, . . . . Mk) and Q

= P’{nltMl, . . . . nk+Mk}. Assume E I- P : U. This must have been derived from (Proc Par) with Et- (nl:W,, . . . . nk:W,).P’ : U

and E k (Ml, . . . . Mk) : U. The former must have been derived

from (Proc Input) with E, nl:Wl, . . . . nk:Wk t- P’ : W,x...xWk, and U = W1x...xWk. The latter must have been derived from (Proc

Output) with E t- Ml : W,’ . . . E !- Mk : W,‘, and U =

WI ‘x...xWk’. Hence, W, = WI ’ . . W, = W,‘. By k applications of Lemma 7-7, we have that E I- P’(nltM1, . . . . n+Mk} : U.

(Red Res) Then P = (vn:W)P’, Q = (vn:W)Q’, and P’ -+ Q’. As- sume E F P : U. This must have been derived from (Proc Res) with E, n:Amb[Tj I- P’ : U, where W = Amb[Tj. By induction hy-

pothesis E, n:Amb[Tl I- Q’ : U. By (Proc Res), E k

(vn:Amb[Tj)Q’ : U.

(Red Amb) Then P = n[P’], Q = n[Q’], and P’ + Q’. Assume E I- P : II. This must have been derived from (Proc Amb) with E

t- n : Amb[TJ and E I- P’ : T for some T. By induction hypothesis,

E I- Q’ : T. Then, by (Proc Amb) we can derive E I- n[Q’] : U.

(RedPar)ThenP=P’IR,Q=Q’IR,andP’--,Q’.AssumeE k P : U. This must have been derived from (Proc Par) with E I-

P’ : U and Et- R : U. By induction hypothesis, E I- Q’ : U. By (ProcPar)E!-Q’IR: U.

(Redr)ThenP=P’,Q-Q’,andP’--,Q’.AssumeEkP: U.

By Proposition 7-8, E k P’ : U. By induction hypothesis, E I- Q’

: (1. By Proposition 7-8, E I- Q : U.

0

8 Appendix: Subject Reduction for Affine Types

8-l Lemma p+p’ = p’+p

8-2 Lemma

(p+p’)+p” = p+(p’+j.l”)

8-3 Lemma

!p = /.I + !/.I

8-4 Lemma

If P i Q then n occurs P = n occurs Q.

Proof

By induction on the derivation of P = Q.


(Struct Symm) Then Q = P. By induction hypothesis, we have

n occurs Q = n occurs P.

(Struct Trans) Then P = R, R = Q for some R. By induction hy-

pothesis, n occurs P = n occurs R. Again by induction hypothesis, n occurs R = n occurs Q. Hence, n occurs P = n occurs Q.

(Struct Res) Then P = (vm:W)P’ and Q = (vm:W)Q’, with P’ E

Q’. Since m is bound, we may assume that m # n. By induction hypothesis, n occurs P’ = n occurs Q’. Therefore, n occurs P = n

occurs P’ = n occurs Q’ = n occurs Q.

(StructPar)ThenP=P’IR,Q=Q’IR,andP’=Q’.Byinduc- tion hypothesis, n occurs P’ = n occurs Q’. Therefore, n occurs

P = (n occurs P’) + (n occurs R) = (n occurs Q’) + (n occurs R)

= n occurs Q.

90

(Struct Repl) Then P = !P’, Q = !Q’, and P’ = Q’. By induction hypothesis, n occurs P’ = n occurs Q’. Therefore, n occurs P =

!(n occurs P’) = !(n occurs Q’) = n occurs Q.

(Struct Amb) Then P = M[P’], Q = M[Q’], and P’ = Q’. By in-

duction hypothesis, n occurs P’ = n occurs Q’. Therefore, n oc-

curs P = (n occurs M) + (n occurs P’) = (n occurs M) + (n occurs

Q’) = n occurs Q.

(Struct Action) Then P = M.P’, Q = M.Q’, and P’ = Q’. By induction hypothesis, n occurs P’ = n occurs Q’. Therefore, n oc-

curs P = (n occurs M) + (n occurs P’) = (n occurs M) + (n occurs

Q’) = n occurs Q.

(Struct Input) Then P = (nl:WI, . . . . nk:Wk).P’, Q = (nl: WI, . . . .

nk: Wk).Q’, and P’ = Q’. Since the names nl, . . . . nk are bound, we

may assume that n $ {nl, . . . . nk). By induction hypothesis, n oc-

curs P’ = n occurs Q’. Therefore, n occurs P = n occurs P’ = n

occurs Q’ = n occurs Q.

(Struct Par Comm) Then P = P’ I P” and Q = P” I P’. By Lem- ma 8-1, we have: n occurs P = (n occurs P’) + (n occurs P”) =

(n occurs P”)+(n occurs P’) = n occurs Q.

(Struct Par Assoc) Then P = (P’ I P”) I P”’ and Q = P’ I (P” I P”‘). By Lemma 8-2, we have: n occurs P = ((n occurs P’) + (n

occurs P’)) + (n occurs P”‘) = (n occurs P’)+((n occurs P”)+(n

occurs P' “)) = n occurs Q.

(Struct Rep1 Par) Then P = !P’ and Q = P’ I !P’. By Lemma 8- 3, we have: n occurs P = !(n occurs P’) = (n occurs P’) + !(n oc-

curs P’) = n occurs Q.

(Struct Res Res) Then P = (vm:W)(vm’:V)P’ and Q = (vm’:V) (vm:W)P’ with m # m’. Since the names m and m’ are bound, we may assume that n # m and n # m’. Therefore, n occurs P = n oc-

curs P’ = n occurs Q.

(Struct Res Par) Then P = (vm:W)(P’ I P”) and Q = P’ I (vm: W)P”, with m $ fn(P’). Since the name m is bound, we may

assume that n # m. Therefore, n occurs P = (n occurs P’) + (n oc-

curs P”) = n occurs Q.

(Struct Res Amb) Then P = (vm:W)m’[P’] and Q = m’[(vm: W)P’], with m z m’. Since the name m is bound, we may

assume that n # m. Therefore, n occurs P = (n occurs m’)+(n oc-

curs P’) = n occurs Q.

(Struct Zero Par) Then P = P’ I 0 and Q = P’. We have: n oc-

curs P = (n occurs P’) + 0 = n occurs P’ = n occurs Q.

(Struct Zero Res) Then P = (vm: W)O and Q = 0. We have, n oc-

curs P = n occurs Q.

(Struct Zero Repl) Then P = !O and Q = 0. We have n occurs P

= 0 = n occurs Q.

(Struct E) Then P = E.P’ and Q = P’. We have n occurs P = n oc-

curs P’ = n occurs Q.

(Struct .) Then P = (M.M’).P’ and Q = M.M’.P’. By Lemma 8- 2, we have n occurs P = ((n occurs M) + (n occurs M’)) + n oc-

curs P’ = n occurs M + (n occurs M’ + n occurs P’) = n occurs Q.

0

8-5 Lemma

If n P. fn(M) then n occurs M = 0.

Proof

By induction on the structure of M.

cl

8-6 Lemma

If n $ (m) u fn(M) then:

(1) n occurs N( mtM) = n occurs N.

(2) n occurs P( mtM) = n occurs P.

Proof

By inductions on the structure of N and P.

0

The extended type system is as follows: the judgments are

as in Section 3.3, and the rules are as in Section 3.3, except for the modifications described in Section 5. We now prove subject reduction for the extended system.

8-7 Lemma

If E t- M : Tthen fn(M) c dam(E).

8-8 Lemma

If E’, n:W, E’ F J then n $ dom(E’,E”).

8-9 Lemma IfEFn: WandEl-n: W’,then W= W’.

8-10 Lemma (Implied Judgment)

IfE’,E”kJthenE’!-0.

8-11 Lemma (Exchange)

If E’, n: W’, m: W”, E” !- I then E’, m: W”, n: W’, E” F J.

8-12 Lemma (Weakening) If E’, E” I-J and n 6 dom(E’,E”) then E’, n:W, E” F J.

8-13 Lemma (Strengthening)

If E’, n: W, E” I- J and n $ fn(J) then E’, E” I- J.

8-14 Lemma (Substitution) IfE’,n:W,E”FJandE’l-M: WthenE’,E”FJ{ntM).

Proof

By induction on the derivation of E’, n: W, E” F J.

(Proc Input) We have E’, n: W, E” /- (nl: WI, . . . . nk:Wk).P : Tde- rived from E’, n:W, E”, nl:W,, . . . . nk:Wk k P : T and T =

W1x...xWk. Moreover, for all i E l..k, if W; = Cup’[T;] then ni oc-

curs P < 1. By induction hypothesis, E’, E”, nl: W1, . . . . nk:Wk t-

P{ ntM) : T. By Lemma 8-7, fn(M) z dom(E’). Hence, by Lem-

ma 8-8, ((n) u fn(M)) f-7 {n,, . . . . nk) = @. By Lemma 8-6, ni OC-

curs P( ntM)) = n, occurs P, for all i E 1 ..k. By (Proc Input), E’,

E” t- (nl:Wl, . . . . nk:Wk).(P(ntM)) : T. Since ((n) Ufi(M)) f7

Inl, . . . . nk) = p.4, this is to say that E’, E” b- ((nl:WI, . . . .

nk: W,).P) (nthf)) : T.

91

Other cases. The other cases are almost exactly as before.

0

8-15 Proposition (Subject Congruence)

(1) IfEl-P: UandP-QthenEt-Q: I/.

(2) IfEl-P:UandQ-PthenEkQ:U.

Proof

By mutual inductions on derivations.

(Struct Input) Then P = (nl: WI, . . . . nk: W,).P’, P’ = Q’, and Q = (n,:W), . . . . nk:W,).Q’.

For part (l), assume E b P : U. This must have been derived from

(Proc Input), with E, nl:W,, . . . . nk:Wk t- P’: U, where U =

W~x...xWk. Moreover, for all i E l..k, if W, = Cup’[T;] then n; occurs P’ I 1. By induction hypothesis, E, nl:W1, . . . . nk:Wk b- Q’:

U. By Lemma 8-4, P’ = Q’ implies that n, occurs P’ = n; occurs

Q’ for each i E l..k. Therefore, for all i E l..k, if Wi =Cap’[T,]

then n; occurs Q’ 5 1. By (Proc Input), E k (nl: WI, . . . . nk:Wk).Q’

: u.

Part (2) follows by symmetric considerations.


0

8-16 Proof of Proposition 5-l (Subject Reduction)

IfEI-P: UandP-+QthenEkQ: U.

Proof

By induction on the derivation of E F P : U.

(Red Comm) Then P = (n,: W1, . . . . nk:Wk).P’ 1 (Ml, . . . . bfk) and Q = P’{n,tM1, . . . . nktMk]. Assume E k P : II. This must have been derived from (Proc Par) with E l- (n,: WI, . . . . nk:Wk).P’ : U

and Et-(MI, . . . . Mk): U. ThejudgmentEt-(nl:W1, . . . . nk:Wk).P’ : U must have been derived from (Proc Input) with E, nl:W1, . . . .

nk:Wk k P’ : u, u = wlx...xwk for SOme I/ = W&..xWk, and for all i E I..k, if Wi = Cap’[Ti] then n, occurs P’ I 1. The judgment Et- (Ml, . . . . Mk) : U must have been derived from (Proc Output) with Et M; : Wi’ for each i E I..k, for some W1’ . . . wk’, and U =

W1 ‘x...xWk’. Hence, W;’ = Wi for each i E l..k. By k applications

of Lemma 8- 14, we get E I- Q : U.


cl

References

HI

121

[31

[41

151

if51

171

PI

PI

[lOI

1111

[I21

[I31

Amadio, R. An asynchronous model of locality, failure, and process mobility. In COORDINATIONP7, LNCS 1282, Springer. 1997.

Boudol, G., Asynchrony and the n-calculus. Technical Re-

port 1702, INRIA, Sophia-Antipolis, 1992.

Cardelli, L., Abstractions for Mobile Computation. 1998. To appear. (See www.luca.demon.co.uk.)

Cardelli, L. and A.D. Gordon, Mobile Ambients. In Founda-

tions of Sofmare Science and Computational Structures,

Maurice Nivat (Ed.), LNCS 1378, 140-155, Springer. 1998.

De Nicola, R., G. Ferrari, M. Pugliese, Coordinating Mobile Agents via Blackboards and Access Rights. COORDINA-

TION’97, LNCS 1282, 220-237, Springer. 1997.

Honda., K. and M. Tokoro, An object calculus for asynchronous communication. Proc. ECOOP’91, LNCS 521, 133- 147, Springer Verlag, 1991.

Kobayashi, N., B.C. Pierce, and D.N. Turner, Linearity and the Pi-Calculus. Proc ACM POPL’96, 358-371. 1996.

Milner, R., J. Parrow and D. Walker, A calculus of mobile processes, Parts 1-2. Information and Computation, 100(l), l-77. 1992.

Odersky, M., Polarized Name Passing. Proc FST&TCS,

Springer. 1995.

Pierce, B., and D. Sangiorgi, Typing and Subtyping for Mo- bile Processes. Mathematical Structures in Computer Sci-

ence, 6(5), 409-454. 1996.

Riely, J. and M. Hennessy, A typed language for distributed mobile processes. In Proc ACM POPL’98, 378-390. 1998.

Sewell, P., Global/Local Subtyping and Capability Infer- ence for a Distributed Ir-calculus. In Proc ICALP’98,

Springer. 1998.

White, J.E., Mobile agents. In Software Agents, J. Bradshaw, ed. AAAI Press/The MIT Press. 1996.

92

types for mobile ambients - aalborg...

Documents